xmrig | 79d4ef3012f4bc2798991e0e80150aed87c08d43738c813704c6118653650666

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
Size

1.9MB
MD5

c7a96f0aab9b690a2a04cb13885ec2f0
SHA1

067c8530b0cbbc9d9c5c686ffec36abfd96148eb
SHA256

79d4ef3012f4bc2798991e0e80150aed87c08d43738c813704c6118653650666
SHA512

8e29e2fdea780fdb899ebe58dc156f10ef68da3253f546d666fe2f031fd830fa2de241c76068d91102960ae938d6646cc98b3d7697a8637495e417a8a0c445ac
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbc8lFad+tsytA7W79KvYKZP3wUaAQL:knw9oUUEEDlGUJ8Y9c87MQUnH7viifMT

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/588-11-0x00007FF629150000-0x00007FF629541000-memory.dmp	xmrig
behavioral2/memory/1760-446-0x00007FF764840000-0x00007FF764C31000-memory.dmp	xmrig
behavioral2/memory/3204-449-0x00007FF61BD00000-0x00007FF61C0F1000-memory.dmp	xmrig
behavioral2/memory/3600-468-0x00007FF775400000-0x00007FF7757F1000-memory.dmp	xmrig
behavioral2/memory/1652-482-0x00007FF6236C0000-0x00007FF623AB1000-memory.dmp	xmrig
behavioral2/memory/228-505-0x00007FF7A89D0000-0x00007FF7A8DC1000-memory.dmp	xmrig
behavioral2/memory/4164-510-0x00007FF685DA0000-0x00007FF686191000-memory.dmp	xmrig
behavioral2/memory/3800-518-0x00007FF732DA0000-0x00007FF733191000-memory.dmp	xmrig
behavioral2/memory/4780-523-0x00007FF6B8500000-0x00007FF6B88F1000-memory.dmp	xmrig
behavioral2/memory/1804-529-0x00007FF659790000-0x00007FF659B81000-memory.dmp	xmrig
behavioral2/memory/3852-526-0x00007FF67D890000-0x00007FF67DC81000-memory.dmp	xmrig
behavioral2/memory/3888-534-0x00007FF6F07D0000-0x00007FF6F0BC1000-memory.dmp	xmrig
behavioral2/memory/3260-540-0x00007FF7ADBC0000-0x00007FF7ADFB1000-memory.dmp	xmrig
behavioral2/memory/444-543-0x00007FF66F020000-0x00007FF66F411000-memory.dmp	xmrig
behavioral2/memory/752-545-0x00007FF66B730000-0x00007FF66BB21000-memory.dmp	xmrig
behavioral2/memory/4796-539-0x00007FF7E0390000-0x00007FF7E0781000-memory.dmp	xmrig
behavioral2/memory/4800-498-0x00007FF7E0EC0000-0x00007FF7E12B1000-memory.dmp	xmrig
behavioral2/memory/4400-495-0x00007FF695D00000-0x00007FF6960F1000-memory.dmp	xmrig
behavioral2/memory/1640-492-0x00007FF730500000-0x00007FF7308F1000-memory.dmp	xmrig
behavioral2/memory/3184-476-0x00007FF62E1B0000-0x00007FF62E5A1000-memory.dmp	xmrig
behavioral2/memory/2940-452-0x00007FF7696F0000-0x00007FF769AE1000-memory.dmp	xmrig
behavioral2/memory/4620-1985-0x00007FF66D450000-0x00007FF66D841000-memory.dmp	xmrig
behavioral2/memory/1396-1986-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp	xmrig
behavioral2/memory/2684-1992-0x00007FF61D150000-0x00007FF61D541000-memory.dmp	xmrig
behavioral2/memory/588-1997-0x00007FF629150000-0x00007FF629541000-memory.dmp	xmrig
behavioral2/memory/1396-2001-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp	xmrig
behavioral2/memory/4620-2000-0x00007FF66D450000-0x00007FF66D841000-memory.dmp	xmrig
behavioral2/memory/2684-2003-0x00007FF61D150000-0x00007FF61D541000-memory.dmp	xmrig
behavioral2/memory/3204-2009-0x00007FF61BD00000-0x00007FF61C0F1000-memory.dmp	xmrig
behavioral2/memory/1760-2011-0x00007FF764840000-0x00007FF764C31000-memory.dmp	xmrig
behavioral2/memory/3184-2013-0x00007FF62E1B0000-0x00007FF62E5A1000-memory.dmp	xmrig
behavioral2/memory/1640-2017-0x00007FF730500000-0x00007FF7308F1000-memory.dmp	xmrig
behavioral2/memory/1652-2016-0x00007FF6236C0000-0x00007FF623AB1000-memory.dmp	xmrig
behavioral2/memory/2940-2007-0x00007FF7696F0000-0x00007FF769AE1000-memory.dmp	xmrig
behavioral2/memory/3600-2005-0x00007FF775400000-0x00007FF7757F1000-memory.dmp	xmrig
behavioral2/memory/3888-2027-0x00007FF6F07D0000-0x00007FF6F0BC1000-memory.dmp	xmrig
behavioral2/memory/228-2039-0x00007FF7A89D0000-0x00007FF7A8DC1000-memory.dmp	xmrig
behavioral2/memory/4800-2042-0x00007FF7E0EC0000-0x00007FF7E12B1000-memory.dmp	xmrig
behavioral2/memory/752-2044-0x00007FF66B730000-0x00007FF66BB21000-memory.dmp	xmrig
behavioral2/memory/4400-2041-0x00007FF695D00000-0x00007FF6960F1000-memory.dmp	xmrig
behavioral2/memory/4164-2037-0x00007FF685DA0000-0x00007FF686191000-memory.dmp	xmrig
behavioral2/memory/3800-2034-0x00007FF732DA0000-0x00007FF733191000-memory.dmp	xmrig
behavioral2/memory/4780-2033-0x00007FF6B8500000-0x00007FF6B88F1000-memory.dmp	xmrig
behavioral2/memory/1804-2031-0x00007FF659790000-0x00007FF659B81000-memory.dmp	xmrig
behavioral2/memory/3852-2029-0x00007FF67D890000-0x00007FF67DC81000-memory.dmp	xmrig
behavioral2/memory/4796-2024-0x00007FF7E0390000-0x00007FF7E0781000-memory.dmp	xmrig
behavioral2/memory/3260-2023-0x00007FF7ADBC0000-0x00007FF7ADFB1000-memory.dmp	xmrig
behavioral2/memory/444-2020-0x00007FF66F020000-0x00007FF66F411000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
588	pFqqqyu.exe
4620	BINQFuI.exe
1396	MTzuxqV.exe
2684	LLMXUYi.exe
1760	vBlsTkI.exe
3204	Ivfwvvf.exe
2940	gtyMWWJ.exe
3600	egVzdML.exe
3184	RjaLCfY.exe
1652	VviaTjJ.exe
1640	mZHVxng.exe
4400	DBLIXsG.exe
4800	ZPpJZEA.exe
228	KTxecbq.exe
4164	oGGGThz.exe
3800	RJUtyHC.exe
4780	hhJwITH.exe
3852	kYujoqp.exe
1804	pSLuKYd.exe
3888	ySrlKTY.exe
4796	LFJdnly.exe
3260	QZTgYqM.exe
444	hpgkCxW.exe
752	WBjYQFo.exe
4360	ZqJVaNG.exe
828	XzHrZhT.exe
2316	WYchjmd.exe
3440	vAGEoOn.exe
2080	WfBKxJY.exe
4928	ysLtQda.exe
1088	PGcmnqd.exe
4192	LOvaWgn.exe
3952	eToewPP.exe
4628	qDZuvGf.exe
3156	jjbPKyf.exe
1364	oIOeRSF.exe
4216	mhnIqJZ.exe
3504	YwOWWWK.exe
3344	hPQzYgk.exe
1780	smzEsjw.exe
2336	fYIJTRL.exe
4168	ZPvlXxn.exe
2436	GdUQZst.exe
3064	fTeSehC.exe
4912	GCkhzQk.exe
2600	QPGUkfj.exe
2524	noTpXBy.exe
3720	UbTtlYC.exe
4456	nXpcEZE.exe
3104	nXFzrkP.exe
2984	gDHPhzf.exe
4916	EfqJbZb.exe
2012	SRzXcrE.exe
3652	RylMRmp.exe
112	RGPTxPT.exe
3192	CbgQwhw.exe
3368	TFWlLWI.exe
4888	masXewd.exe
2508	tfBeonu.exe
740	AsoMyuK.exe
4720	GWLdAPI.exe
2504	bjuLRms.exe
1588	WTgwqjm.exe
460	zkAEAdt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1580-0-0x00007FF669A70000-0x00007FF669E61000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-5.dat	upx
behavioral2/memory/588-11-0x00007FF629150000-0x00007FF629541000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-10.dat	upx
behavioral2/memory/1396-21-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-35.dat	upx
behavioral2/files/0x000a000000023b89-45.dat	upx
behavioral2/files/0x000a000000023b8b-55.dat	upx
behavioral2/files/0x000a000000023b8e-70.dat	upx
behavioral2/files/0x000a000000023b8f-75.dat	upx
behavioral2/files/0x000a000000023b91-83.dat	upx
behavioral2/files/0x000a000000023b94-100.dat	upx
behavioral2/files/0x000a000000023b98-118.dat	upx
behavioral2/files/0x000a000000023b9a-130.dat	upx
behavioral2/files/0x000a000000023b9d-143.dat	upx
behavioral2/files/0x000a000000023b9f-155.dat	upx
behavioral2/files/0x000a000000023ba1-165.dat	upx
behavioral2/files/0x000a000000023ba0-160.dat	upx
behavioral2/files/0x000a000000023b9e-150.dat	upx
behavioral2/files/0x000a000000023b9c-140.dat	upx
behavioral2/files/0x000a000000023b9b-135.dat	upx
behavioral2/memory/1760-446-0x00007FF764840000-0x00007FF764C31000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-125.dat	upx
behavioral2/files/0x000a000000023b97-115.dat	upx
behavioral2/memory/3204-449-0x00007FF61BD00000-0x00007FF61C0F1000-memory.dmp	upx
behavioral2/memory/3600-468-0x00007FF775400000-0x00007FF7757F1000-memory.dmp	upx
behavioral2/memory/1652-482-0x00007FF6236C0000-0x00007FF623AB1000-memory.dmp	upx
behavioral2/memory/228-505-0x00007FF7A89D0000-0x00007FF7A8DC1000-memory.dmp	upx
behavioral2/memory/4164-510-0x00007FF685DA0000-0x00007FF686191000-memory.dmp	upx
behavioral2/memory/3800-518-0x00007FF732DA0000-0x00007FF733191000-memory.dmp	upx
behavioral2/memory/4780-523-0x00007FF6B8500000-0x00007FF6B88F1000-memory.dmp	upx
behavioral2/memory/1804-529-0x00007FF659790000-0x00007FF659B81000-memory.dmp	upx
behavioral2/memory/3852-526-0x00007FF67D890000-0x00007FF67DC81000-memory.dmp	upx
behavioral2/memory/3888-534-0x00007FF6F07D0000-0x00007FF6F0BC1000-memory.dmp	upx
behavioral2/memory/3260-540-0x00007FF7ADBC0000-0x00007FF7ADFB1000-memory.dmp	upx
behavioral2/memory/444-543-0x00007FF66F020000-0x00007FF66F411000-memory.dmp	upx
behavioral2/memory/752-545-0x00007FF66B730000-0x00007FF66BB21000-memory.dmp	upx
behavioral2/memory/4796-539-0x00007FF7E0390000-0x00007FF7E0781000-memory.dmp	upx
behavioral2/memory/4800-498-0x00007FF7E0EC0000-0x00007FF7E12B1000-memory.dmp	upx
behavioral2/memory/4400-495-0x00007FF695D00000-0x00007FF6960F1000-memory.dmp	upx
behavioral2/memory/1640-492-0x00007FF730500000-0x00007FF7308F1000-memory.dmp	upx
behavioral2/memory/3184-476-0x00007FF62E1B0000-0x00007FF62E5A1000-memory.dmp	upx
behavioral2/memory/2940-452-0x00007FF7696F0000-0x00007FF769AE1000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-110.dat	upx
behavioral2/files/0x000a000000023b95-105.dat	upx
behavioral2/files/0x000a000000023b93-95.dat	upx
behavioral2/files/0x000a000000023b92-90.dat	upx
behavioral2/files/0x000a000000023b90-80.dat	upx
behavioral2/files/0x000a000000023b8d-65.dat	upx
behavioral2/files/0x000a000000023b8c-60.dat	upx
behavioral2/files/0x000a000000023b8a-50.dat	upx
behavioral2/files/0x000a000000023b88-40.dat	upx
behavioral2/files/0x000a000000023b86-33.dat	upx
behavioral2/files/0x000a000000023b85-25.dat	upx
behavioral2/memory/2684-22-0x00007FF61D150000-0x00007FF61D541000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-16.dat	upx
behavioral2/memory/4620-14-0x00007FF66D450000-0x00007FF66D841000-memory.dmp	upx
behavioral2/memory/4620-1985-0x00007FF66D450000-0x00007FF66D841000-memory.dmp	upx
behavioral2/memory/1396-1986-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp	upx
behavioral2/memory/2684-1992-0x00007FF61D150000-0x00007FF61D541000-memory.dmp	upx
behavioral2/memory/588-1997-0x00007FF629150000-0x00007FF629541000-memory.dmp	upx
behavioral2/memory/1396-2001-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp	upx
behavioral2/memory/4620-2000-0x00007FF66D450000-0x00007FF66D841000-memory.dmp	upx
behavioral2/memory/2684-2003-0x00007FF61D150000-0x00007FF61D541000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\dKPFdSK.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\DPcoMMN.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\hhJwITH.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\VnRiKcw.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\kVLuPdb.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\cjEgCFo.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\opbjOLi.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\CBibxnS.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\hNsrfdh.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\IdADHcd.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\dpbRaRn.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\RJUtyHC.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\YycHPpR.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\AUalseg.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\VZNNxNi.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\hpBRYVd.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\KyKhOQZ.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\otuAApc.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\ztgoDOh.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\FVnNrGQ.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\apAscXD.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\YkHXCSl.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\uJfOZbC.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\NqAWLLM.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\nUpZEap.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\AFAWqGi.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\khxEkHH.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\gtyMWWJ.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\PEGASzx.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\difgIJU.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\gvZAhwO.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\kYqNraO.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\AzpcWeo.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\ysguJlq.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\GdqFYMN.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\JsVXFnH.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\flUBBFy.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\zLbHbsj.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\NDcrTXZ.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\ZbEmsOx.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\Ivfwvvf.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\JIMQXsW.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\OVzLuwz.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\unkvVUt.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\MFBpKmx.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\fEmxIHc.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\TlwLTqK.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\LxcMfXN.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\WdfLMle.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\EuHoveJ.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\DAXVQYc.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\kUlHaNz.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\GCkhzQk.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\XYfsPAV.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\hVpPQOG.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\qSXcoQi.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\HVIIpqk.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\hpgkCxW.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\NXDRvQh.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\judPcUF.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\adgDgYL.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\zHsIaEE.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\UkrGdLb.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
File created	C:\Windows\System32\KTxecbq.exe	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4408	dwm.exe
Token: SeChangeNotifyPrivilege	4408	dwm.exe
Token: 33	4408	dwm.exe
Token: SeIncBasePriorityPrivilege	4408	dwm.exe
Token: SeShutdownPrivilege	4408	dwm.exe
Token: SeCreatePagefilePrivilege	4408	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 588	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	84
PID 1580 wrote to memory of 588	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	84
PID 1580 wrote to memory of 4620	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	85
PID 1580 wrote to memory of 4620	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	85
PID 1580 wrote to memory of 1396	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	86
PID 1580 wrote to memory of 1396	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	86
PID 1580 wrote to memory of 2684	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	87
PID 1580 wrote to memory of 2684	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	87
PID 1580 wrote to memory of 1760	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	88
PID 1580 wrote to memory of 1760	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	88
PID 1580 wrote to memory of 3204	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	89
PID 1580 wrote to memory of 3204	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	89
PID 1580 wrote to memory of 2940	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	90
PID 1580 wrote to memory of 2940	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	90
PID 1580 wrote to memory of 3600	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	91
PID 1580 wrote to memory of 3600	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	91
PID 1580 wrote to memory of 3184	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	92
PID 1580 wrote to memory of 3184	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	92
PID 1580 wrote to memory of 1652	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	93
PID 1580 wrote to memory of 1652	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	93
PID 1580 wrote to memory of 1640	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	94
PID 1580 wrote to memory of 1640	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	94
PID 1580 wrote to memory of 4400	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	95
PID 1580 wrote to memory of 4400	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	95
PID 1580 wrote to memory of 4800	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	96
PID 1580 wrote to memory of 4800	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	96
PID 1580 wrote to memory of 228	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	97
PID 1580 wrote to memory of 228	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	97
PID 1580 wrote to memory of 4164	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	98
PID 1580 wrote to memory of 4164	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	98
PID 1580 wrote to memory of 3800	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	99
PID 1580 wrote to memory of 3800	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	99
PID 1580 wrote to memory of 4780	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	100
PID 1580 wrote to memory of 4780	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	100
PID 1580 wrote to memory of 3852	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	101
PID 1580 wrote to memory of 3852	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	101
PID 1580 wrote to memory of 1804	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	102
PID 1580 wrote to memory of 1804	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	102
PID 1580 wrote to memory of 3888	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	103
PID 1580 wrote to memory of 3888	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	103
PID 1580 wrote to memory of 4796	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	104
PID 1580 wrote to memory of 4796	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	104
PID 1580 wrote to memory of 3260	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	105
PID 1580 wrote to memory of 3260	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	105
PID 1580 wrote to memory of 444	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	106
PID 1580 wrote to memory of 444	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	106
PID 1580 wrote to memory of 752	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	107
PID 1580 wrote to memory of 752	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	107
PID 1580 wrote to memory of 4360	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	108
PID 1580 wrote to memory of 4360	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	108
PID 1580 wrote to memory of 828	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	109
PID 1580 wrote to memory of 828	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	109
PID 1580 wrote to memory of 2316	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	110
PID 1580 wrote to memory of 2316	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	110
PID 1580 wrote to memory of 3440	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	111
PID 1580 wrote to memory of 3440	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	111
PID 1580 wrote to memory of 2080	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	112
PID 1580 wrote to memory of 2080	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	112
PID 1580 wrote to memory of 4928	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	113
PID 1580 wrote to memory of 4928	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	113
PID 1580 wrote to memory of 1088	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	114
PID 1580 wrote to memory of 1088	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	114
PID 1580 wrote to memory of 4192	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	115
PID 1580 wrote to memory of 4192	1580	c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe	115

C:\Users\Admin\AppData\Local\Temp\c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c7a96f0aab9b690a2a04cb13885ec2f0_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System32\pFqqqyu.exe
  C:\Windows\System32\pFqqqyu.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System32\BINQFuI.exe
  C:\Windows\System32\BINQFuI.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\MTzuxqV.exe
  C:\Windows\System32\MTzuxqV.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System32\LLMXUYi.exe
  C:\Windows\System32\LLMXUYi.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\vBlsTkI.exe
  C:\Windows\System32\vBlsTkI.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System32\Ivfwvvf.exe
  C:\Windows\System32\Ivfwvvf.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\gtyMWWJ.exe
  C:\Windows\System32\gtyMWWJ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\egVzdML.exe
  C:\Windows\System32\egVzdML.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System32\RjaLCfY.exe
  C:\Windows\System32\RjaLCfY.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\VviaTjJ.exe
  C:\Windows\System32\VviaTjJ.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System32\mZHVxng.exe
  C:\Windows\System32\mZHVxng.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\DBLIXsG.exe
  C:\Windows\System32\DBLIXsG.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\ZPpJZEA.exe
  C:\Windows\System32\ZPpJZEA.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\KTxecbq.exe
  C:\Windows\System32\KTxecbq.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\oGGGThz.exe
  C:\Windows\System32\oGGGThz.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System32\RJUtyHC.exe
  C:\Windows\System32\RJUtyHC.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\hhJwITH.exe
  C:\Windows\System32\hhJwITH.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\kYujoqp.exe
  C:\Windows\System32\kYujoqp.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System32\pSLuKYd.exe
  C:\Windows\System32\pSLuKYd.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\ySrlKTY.exe
  C:\Windows\System32\ySrlKTY.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\LFJdnly.exe
  C:\Windows\System32\LFJdnly.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\QZTgYqM.exe
  C:\Windows\System32\QZTgYqM.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\hpgkCxW.exe
  C:\Windows\System32\hpgkCxW.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System32\WBjYQFo.exe
  C:\Windows\System32\WBjYQFo.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\ZqJVaNG.exe
  C:\Windows\System32\ZqJVaNG.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\XzHrZhT.exe
  C:\Windows\System32\XzHrZhT.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System32\WYchjmd.exe
  C:\Windows\System32\WYchjmd.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\vAGEoOn.exe
  C:\Windows\System32\vAGEoOn.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\WfBKxJY.exe
  C:\Windows\System32\WfBKxJY.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\ysLtQda.exe
  C:\Windows\System32\ysLtQda.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\PGcmnqd.exe
  C:\Windows\System32\PGcmnqd.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\LOvaWgn.exe
  C:\Windows\System32\LOvaWgn.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System32\eToewPP.exe
  C:\Windows\System32\eToewPP.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\qDZuvGf.exe
  C:\Windows\System32\qDZuvGf.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\jjbPKyf.exe
  C:\Windows\System32\jjbPKyf.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\oIOeRSF.exe
  C:\Windows\System32\oIOeRSF.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System32\mhnIqJZ.exe
  C:\Windows\System32\mhnIqJZ.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\YwOWWWK.exe
  C:\Windows\System32\YwOWWWK.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\hPQzYgk.exe
  C:\Windows\System32\hPQzYgk.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\smzEsjw.exe
  C:\Windows\System32\smzEsjw.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System32\fYIJTRL.exe
  C:\Windows\System32\fYIJTRL.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\ZPvlXxn.exe
  C:\Windows\System32\ZPvlXxn.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\GdUQZst.exe
  C:\Windows\System32\GdUQZst.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\fTeSehC.exe
  C:\Windows\System32\fTeSehC.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\GCkhzQk.exe
  C:\Windows\System32\GCkhzQk.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\QPGUkfj.exe
  C:\Windows\System32\QPGUkfj.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\noTpXBy.exe
  C:\Windows\System32\noTpXBy.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\UbTtlYC.exe
  C:\Windows\System32\UbTtlYC.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\nXpcEZE.exe
  C:\Windows\System32\nXpcEZE.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\nXFzrkP.exe
  C:\Windows\System32\nXFzrkP.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\gDHPhzf.exe
  C:\Windows\System32\gDHPhzf.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\EfqJbZb.exe
  C:\Windows\System32\EfqJbZb.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\SRzXcrE.exe
  C:\Windows\System32\SRzXcrE.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\RylMRmp.exe
  C:\Windows\System32\RylMRmp.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\RGPTxPT.exe
  C:\Windows\System32\RGPTxPT.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System32\CbgQwhw.exe
  C:\Windows\System32\CbgQwhw.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\TFWlLWI.exe
  C:\Windows\System32\TFWlLWI.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\masXewd.exe
  C:\Windows\System32\masXewd.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\tfBeonu.exe
  C:\Windows\System32\tfBeonu.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\AsoMyuK.exe
  C:\Windows\System32\AsoMyuK.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\GWLdAPI.exe
  C:\Windows\System32\GWLdAPI.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\bjuLRms.exe
  C:\Windows\System32\bjuLRms.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\WTgwqjm.exe
  C:\Windows\System32\WTgwqjm.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\zkAEAdt.exe
  C:\Windows\System32\zkAEAdt.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\FVoikCI.exe
  C:\Windows\System32\FVoikCI.exe
  2⤵
  PID:4072
- C:\Windows\System32\grkZADq.exe
  C:\Windows\System32\grkZADq.exe
  2⤵
  PID:3960
- C:\Windows\System32\MMTySfM.exe
  C:\Windows\System32\MMTySfM.exe
  2⤵
  PID:4212
- C:\Windows\System32\bpQBFVr.exe
  C:\Windows\System32\bpQBFVr.exe
  2⤵
  PID:1596
- C:\Windows\System32\XSWhLqq.exe
  C:\Windows\System32\XSWhLqq.exe
  2⤵
  PID:1524
- C:\Windows\System32\iaAWvzH.exe
  C:\Windows\System32\iaAWvzH.exe
  2⤵
  PID:4024
- C:\Windows\System32\WLcRcZG.exe
  C:\Windows\System32\WLcRcZG.exe
  2⤵
  PID:1304
- C:\Windows\System32\pbWakNq.exe
  C:\Windows\System32\pbWakNq.exe
  2⤵
  PID:1572
- C:\Windows\System32\oJOvwmG.exe
  C:\Windows\System32\oJOvwmG.exe
  2⤵
  PID:3256
- C:\Windows\System32\gJhCttW.exe
  C:\Windows\System32\gJhCttW.exe
  2⤵
  PID:2556
- C:\Windows\System32\IVcQaIl.exe
  C:\Windows\System32\IVcQaIl.exe
  2⤵
  PID:2968
- C:\Windows\System32\PsLSWjQ.exe
  C:\Windows\System32\PsLSWjQ.exe
  2⤵
  PID:744
- C:\Windows\System32\iZaEogB.exe
  C:\Windows\System32\iZaEogB.exe
  2⤵
  PID:384
- C:\Windows\System32\GvLCvFs.exe
  C:\Windows\System32\GvLCvFs.exe
  2⤵
  PID:1944
- C:\Windows\System32\enBlftp.exe
  C:\Windows\System32\enBlftp.exe
  2⤵
  PID:3640
- C:\Windows\System32\LEABvmY.exe
  C:\Windows\System32\LEABvmY.exe
  2⤵
  PID:4308
- C:\Windows\System32\YKupVSP.exe
  C:\Windows\System32\YKupVSP.exe
  2⤵
  PID:5072
- C:\Windows\System32\KqiqjIU.exe
  C:\Windows\System32\KqiqjIU.exe
  2⤵
  PID:656
- C:\Windows\System32\aspcsAz.exe
  C:\Windows\System32\aspcsAz.exe
  2⤵
  PID:2088
- C:\Windows\System32\fdZCwvw.exe
  C:\Windows\System32\fdZCwvw.exe
  2⤵
  PID:2300
- C:\Windows\System32\NHSAlTT.exe
  C:\Windows\System32\NHSAlTT.exe
  2⤵
  PID:5132
- C:\Windows\System32\VUAyTdM.exe
  C:\Windows\System32\VUAyTdM.exe
  2⤵
  PID:5160
- C:\Windows\System32\fvLzQgx.exe
  C:\Windows\System32\fvLzQgx.exe
  2⤵
  PID:5184
- C:\Windows\System32\tCpubGU.exe
  C:\Windows\System32\tCpubGU.exe
  2⤵
  PID:5220
- C:\Windows\System32\jROqEft.exe
  C:\Windows\System32\jROqEft.exe
  2⤵
  PID:5244
- C:\Windows\System32\WdfLMle.exe
  C:\Windows\System32\WdfLMle.exe
  2⤵
  PID:5272
- C:\Windows\System32\wHCYdkb.exe
  C:\Windows\System32\wHCYdkb.exe
  2⤵
  PID:5300
- C:\Windows\System32\XYfsPAV.exe
  C:\Windows\System32\XYfsPAV.exe
  2⤵
  PID:5328
- C:\Windows\System32\ewKYHLS.exe
  C:\Windows\System32\ewKYHLS.exe
  2⤵
  PID:5356
- C:\Windows\System32\tQDcTnR.exe
  C:\Windows\System32\tQDcTnR.exe
  2⤵
  PID:5384
- C:\Windows\System32\ILPCnBj.exe
  C:\Windows\System32\ILPCnBj.exe
  2⤵
  PID:5412
- C:\Windows\System32\EuHoveJ.exe
  C:\Windows\System32\EuHoveJ.exe
  2⤵
  PID:5440
- C:\Windows\System32\hSLVyOR.exe
  C:\Windows\System32\hSLVyOR.exe
  2⤵
  PID:5464
- C:\Windows\System32\xRjiMUJ.exe
  C:\Windows\System32\xRjiMUJ.exe
  2⤵
  PID:5500
- C:\Windows\System32\XPCbdva.exe
  C:\Windows\System32\XPCbdva.exe
  2⤵
  PID:5520
- C:\Windows\System32\goEQzxg.exe
  C:\Windows\System32\goEQzxg.exe
  2⤵
  PID:5552
- C:\Windows\System32\RnhbFFd.exe
  C:\Windows\System32\RnhbFFd.exe
  2⤵
  PID:5580
- C:\Windows\System32\WCFyiaw.exe
  C:\Windows\System32\WCFyiaw.exe
  2⤵
  PID:5608
- C:\Windows\System32\oUamIcq.exe
  C:\Windows\System32\oUamIcq.exe
  2⤵
  PID:5636
- C:\Windows\System32\bnzrVMf.exe
  C:\Windows\System32\bnzrVMf.exe
  2⤵
  PID:5664
- C:\Windows\System32\bCwCbBh.exe
  C:\Windows\System32\bCwCbBh.exe
  2⤵
  PID:5692
- C:\Windows\System32\mijGsJG.exe
  C:\Windows\System32\mijGsJG.exe
  2⤵
  PID:5720
- C:\Windows\System32\SlClRPz.exe
  C:\Windows\System32\SlClRPz.exe
  2⤵
  PID:5748
- C:\Windows\System32\EjaszFA.exe
  C:\Windows\System32\EjaszFA.exe
  2⤵
  PID:5776
- C:\Windows\System32\cnTgnBV.exe
  C:\Windows\System32\cnTgnBV.exe
  2⤵
  PID:5812
- C:\Windows\System32\CHYZVWm.exe
  C:\Windows\System32\CHYZVWm.exe
  2⤵
  PID:5828
- C:\Windows\System32\pjcrfwm.exe
  C:\Windows\System32\pjcrfwm.exe
  2⤵
  PID:5856
- C:\Windows\System32\GcgTahG.exe
  C:\Windows\System32\GcgTahG.exe
  2⤵
  PID:5884
- C:\Windows\System32\BesTxiC.exe
  C:\Windows\System32\BesTxiC.exe
  2⤵
  PID:5912
- C:\Windows\System32\SoMufyS.exe
  C:\Windows\System32\SoMufyS.exe
  2⤵
  PID:5940
- C:\Windows\System32\xggMtHy.exe
  C:\Windows\System32\xggMtHy.exe
  2⤵
  PID:5968
- C:\Windows\System32\FZudytG.exe
  C:\Windows\System32\FZudytG.exe
  2⤵
  PID:5996
- C:\Windows\System32\nkoUCrH.exe
  C:\Windows\System32\nkoUCrH.exe
  2⤵
  PID:6024
- C:\Windows\System32\qTvdcsA.exe
  C:\Windows\System32\qTvdcsA.exe
  2⤵
  PID:6052
- C:\Windows\System32\IAGzBTm.exe
  C:\Windows\System32\IAGzBTm.exe
  2⤵
  PID:6080
- C:\Windows\System32\BLNCZTQ.exe
  C:\Windows\System32\BLNCZTQ.exe
  2⤵
  PID:6108
- C:\Windows\System32\GovLDZY.exe
  C:\Windows\System32\GovLDZY.exe
  2⤵
  PID:6136
- C:\Windows\System32\LxVoMVi.exe
  C:\Windows\System32\LxVoMVi.exe
  2⤵
  PID:4224
- C:\Windows\System32\ZWwexnG.exe
  C:\Windows\System32\ZWwexnG.exe
  2⤵
  PID:3872
- C:\Windows\System32\RguIElZ.exe
  C:\Windows\System32\RguIElZ.exe
  2⤵
  PID:5152
- C:\Windows\System32\ONfSHcK.exe
  C:\Windows\System32\ONfSHcK.exe
  2⤵
  PID:5208
- C:\Windows\System32\YUxiiNQ.exe
  C:\Windows\System32\YUxiiNQ.exe
  2⤵
  PID:5260
- C:\Windows\System32\vLEyhZr.exe
  C:\Windows\System32\vLEyhZr.exe
  2⤵
  PID:5432
- C:\Windows\System32\ztgoDOh.exe
  C:\Windows\System32\ztgoDOh.exe
  2⤵
  PID:5476
- C:\Windows\System32\YyRsyEN.exe
  C:\Windows\System32\YyRsyEN.exe
  2⤵
  PID:1388
- C:\Windows\System32\vUWFiYo.exe
  C:\Windows\System32\vUWFiYo.exe
  2⤵
  PID:5536
- C:\Windows\System32\VnRiKcw.exe
  C:\Windows\System32\VnRiKcw.exe
  2⤵
  PID:5596
- C:\Windows\System32\zjElXPR.exe
  C:\Windows\System32\zjElXPR.exe
  2⤵
  PID:5628
- C:\Windows\System32\EgNZtPv.exe
  C:\Windows\System32\EgNZtPv.exe
  2⤵
  PID:5680
- C:\Windows\System32\AtgBnqB.exe
  C:\Windows\System32\AtgBnqB.exe
  2⤵
  PID:5732
- C:\Windows\System32\PEGASzx.exe
  C:\Windows\System32\PEGASzx.exe
  2⤵
  PID:5764
- C:\Windows\System32\RIBcCyp.exe
  C:\Windows\System32\RIBcCyp.exe
  2⤵
  PID:5792
- C:\Windows\System32\gruRuDF.exe
  C:\Windows\System32\gruRuDF.exe
  2⤵
  PID:5796
- C:\Windows\System32\glJJuej.exe
  C:\Windows\System32\glJJuej.exe
  2⤵
  PID:5852
- C:\Windows\System32\amyDGdt.exe
  C:\Windows\System32\amyDGdt.exe
  2⤵
  PID:5928
- C:\Windows\System32\ujPtOIL.exe
  C:\Windows\System32\ujPtOIL.exe
  2⤵
  PID:4084
- C:\Windows\System32\flUBBFy.exe
  C:\Windows\System32\flUBBFy.exe
  2⤵
  PID:4532
- C:\Windows\System32\AzpcWeo.exe
  C:\Windows\System32\AzpcWeo.exe
  2⤵
  PID:6132
- C:\Windows\System32\oQQeUrJ.exe
  C:\Windows\System32\oQQeUrJ.exe
  2⤵
  PID:1492
- C:\Windows\System32\npBkYQV.exe
  C:\Windows\System32\npBkYQV.exe
  2⤵
  PID:1816
- C:\Windows\System32\FSnDSKr.exe
  C:\Windows\System32\FSnDSKr.exe
  2⤵
  PID:5180
- C:\Windows\System32\BCblYSG.exe
  C:\Windows\System32\BCblYSG.exe
  2⤵
  PID:5376
- C:\Windows\System32\oXRQyQm.exe
  C:\Windows\System32\oXRQyQm.exe
  2⤵
  PID:1392
- C:\Windows\System32\vpbZTyJ.exe
  C:\Windows\System32\vpbZTyJ.exe
  2⤵
  PID:2688
- C:\Windows\System32\kDwiyUg.exe
  C:\Windows\System32\kDwiyUg.exe
  2⤵
  PID:5624
- C:\Windows\System32\KQUZKGS.exe
  C:\Windows\System32\KQUZKGS.exe
  2⤵
  PID:1600
- C:\Windows\System32\kCKXuJF.exe
  C:\Windows\System32\kCKXuJF.exe
  2⤵
  PID:5768
- C:\Windows\System32\jeocpoI.exe
  C:\Windows\System32\jeocpoI.exe
  2⤵
  PID:3120
- C:\Windows\System32\nwytvcq.exe
  C:\Windows\System32\nwytvcq.exe
  2⤵
  PID:6120
- C:\Windows\System32\ilpGtUZ.exe
  C:\Windows\System32\ilpGtUZ.exe
  2⤵
  PID:5200
- C:\Windows\System32\SUyyFjd.exe
  C:\Windows\System32\SUyyFjd.exe
  2⤵
  PID:2900
- C:\Windows\System32\JIMQXsW.exe
  C:\Windows\System32\JIMQXsW.exe
  2⤵
  PID:5952
- C:\Windows\System32\TSVgoYI.exe
  C:\Windows\System32\TSVgoYI.exe
  2⤵
  PID:1152
- C:\Windows\System32\bdNTaje.exe
  C:\Windows\System32\bdNTaje.exe
  2⤵
  PID:4564
- C:\Windows\System32\zVNHGib.exe
  C:\Windows\System32\zVNHGib.exe
  2⤵
  PID:5452
- C:\Windows\System32\KdHoeNL.exe
  C:\Windows\System32\KdHoeNL.exe
  2⤵
  PID:5924
- C:\Windows\System32\fEmxIHc.exe
  C:\Windows\System32\fEmxIHc.exe
  2⤵
  PID:5544
- C:\Windows\System32\kVLuPdb.exe
  C:\Windows\System32\kVLuPdb.exe
  2⤵
  PID:2136
- C:\Windows\System32\UZfmykt.exe
  C:\Windows\System32\UZfmykt.exe
  2⤵
  PID:4688
- C:\Windows\System32\fYaiRyC.exe
  C:\Windows\System32\fYaiRyC.exe
  2⤵
  PID:1692
- C:\Windows\System32\omQYTtY.exe
  C:\Windows\System32\omQYTtY.exe
  2⤵
  PID:6156
- C:\Windows\System32\bfOIKQt.exe
  C:\Windows\System32\bfOIKQt.exe
  2⤵
  PID:6176
- C:\Windows\System32\zuUtxqi.exe
  C:\Windows\System32\zuUtxqi.exe
  2⤵
  PID:6204
- C:\Windows\System32\zDtNgRB.exe
  C:\Windows\System32\zDtNgRB.exe
  2⤵
  PID:6268
- C:\Windows\System32\VwYYIHV.exe
  C:\Windows\System32\VwYYIHV.exe
  2⤵
  PID:6296
- C:\Windows\System32\kTcLwtZ.exe
  C:\Windows\System32\kTcLwtZ.exe
  2⤵
  PID:6320
- C:\Windows\System32\nUpZEap.exe
  C:\Windows\System32\nUpZEap.exe
  2⤵
  PID:6336
- C:\Windows\System32\gGGchnI.exe
  C:\Windows\System32\gGGchnI.exe
  2⤵
  PID:6356
- C:\Windows\System32\xOsVGNq.exe
  C:\Windows\System32\xOsVGNq.exe
  2⤵
  PID:6396
- C:\Windows\System32\dvOMDsz.exe
  C:\Windows\System32\dvOMDsz.exe
  2⤵
  PID:6420
- C:\Windows\System32\yKYSkqx.exe
  C:\Windows\System32\yKYSkqx.exe
  2⤵
  PID:6440
- C:\Windows\System32\XOWXVRd.exe
  C:\Windows\System32\XOWXVRd.exe
  2⤵
  PID:6472
- C:\Windows\System32\dIfUXCW.exe
  C:\Windows\System32\dIfUXCW.exe
  2⤵
  PID:6528
- C:\Windows\System32\cjEgCFo.exe
  C:\Windows\System32\cjEgCFo.exe
  2⤵
  PID:6572
- C:\Windows\System32\POjcwjH.exe
  C:\Windows\System32\POjcwjH.exe
  2⤵
  PID:6588
- C:\Windows\System32\MjBCtrJ.exe
  C:\Windows\System32\MjBCtrJ.exe
  2⤵
  PID:6612
- C:\Windows\System32\opbjOLi.exe
  C:\Windows\System32\opbjOLi.exe
  2⤵
  PID:6632
- C:\Windows\System32\JtdTskh.exe
  C:\Windows\System32\JtdTskh.exe
  2⤵
  PID:6652
- C:\Windows\System32\iLBnilv.exe
  C:\Windows\System32\iLBnilv.exe
  2⤵
  PID:6696
- C:\Windows\System32\QiXbctg.exe
  C:\Windows\System32\QiXbctg.exe
  2⤵
  PID:6728
- C:\Windows\System32\YnsKkDW.exe
  C:\Windows\System32\YnsKkDW.exe
  2⤵
  PID:6760
- C:\Windows\System32\mKDksPv.exe
  C:\Windows\System32\mKDksPv.exe
  2⤵
  PID:6792
- C:\Windows\System32\WNQOlMh.exe
  C:\Windows\System32\WNQOlMh.exe
  2⤵
  PID:6812
- C:\Windows\System32\tkKZuCD.exe
  C:\Windows\System32\tkKZuCD.exe
  2⤵
  PID:6836
- C:\Windows\System32\njYuSyY.exe
  C:\Windows\System32\njYuSyY.exe
  2⤵
  PID:6864
- C:\Windows\System32\DJcuQaO.exe
  C:\Windows\System32\DJcuQaO.exe
  2⤵
  PID:6896
- C:\Windows\System32\Sadyisi.exe
  C:\Windows\System32\Sadyisi.exe
  2⤵
  PID:6916
- C:\Windows\System32\ixtmivU.exe
  C:\Windows\System32\ixtmivU.exe
  2⤵
  PID:6944
- C:\Windows\System32\JyxOBEz.exe
  C:\Windows\System32\JyxOBEz.exe
  2⤵
  PID:6964
- C:\Windows\System32\fcdYHCt.exe
  C:\Windows\System32\fcdYHCt.exe
  2⤵
  PID:7000
- C:\Windows\System32\uoIoEFC.exe
  C:\Windows\System32\uoIoEFC.exe
  2⤵
  PID:7040
- C:\Windows\System32\QNTeVnR.exe
  C:\Windows\System32\QNTeVnR.exe
  2⤵
  PID:7064
- C:\Windows\System32\Zxqwals.exe
  C:\Windows\System32\Zxqwals.exe
  2⤵
  PID:7120
- C:\Windows\System32\EoQyMPI.exe
  C:\Windows\System32\EoQyMPI.exe
  2⤵
  PID:7140
- C:\Windows\System32\TygotCF.exe
  C:\Windows\System32\TygotCF.exe
  2⤵
  PID:7164
- C:\Windows\System32\BWKijrk.exe
  C:\Windows\System32\BWKijrk.exe
  2⤵
  PID:6200
- C:\Windows\System32\YRNbNqm.exe
  C:\Windows\System32\YRNbNqm.exe
  2⤵
  PID:1712
- C:\Windows\System32\MgLXdcw.exe
  C:\Windows\System32\MgLXdcw.exe
  2⤵
  PID:6224
- C:\Windows\System32\xSqIsWo.exe
  C:\Windows\System32\xSqIsWo.exe
  2⤵
  PID:5684
- C:\Windows\System32\PevuubQ.exe
  C:\Windows\System32\PevuubQ.exe
  2⤵
  PID:6352
- C:\Windows\System32\ysguJlq.exe
  C:\Windows\System32\ysguJlq.exe
  2⤵
  PID:6488
- C:\Windows\System32\JTXvfMJ.exe
  C:\Windows\System32\JTXvfMJ.exe
  2⤵
  PID:6504
- C:\Windows\System32\LxacNkG.exe
  C:\Windows\System32\LxacNkG.exe
  2⤵
  PID:6600
- C:\Windows\System32\HZwmmbG.exe
  C:\Windows\System32\HZwmmbG.exe
  2⤵
  PID:6620
- C:\Windows\System32\BDACoBG.exe
  C:\Windows\System32\BDACoBG.exe
  2⤵
  PID:6752
- C:\Windows\System32\AQbCdBQ.exe
  C:\Windows\System32\AQbCdBQ.exe
  2⤵
  PID:6832
- C:\Windows\System32\OVzLuwz.exe
  C:\Windows\System32\OVzLuwz.exe
  2⤵
  PID:6828
- C:\Windows\System32\BBZEzHf.exe
  C:\Windows\System32\BBZEzHf.exe
  2⤵
  PID:6960
- C:\Windows\System32\vdAruap.exe
  C:\Windows\System32\vdAruap.exe
  2⤵
  PID:6996
- C:\Windows\System32\gzzeeaa.exe
  C:\Windows\System32\gzzeeaa.exe
  2⤵
  PID:7052
- C:\Windows\System32\foMkVwa.exe
  C:\Windows\System32\foMkVwa.exe
  2⤵
  PID:5032
- C:\Windows\System32\PLxYqaQ.exe
  C:\Windows\System32\PLxYqaQ.exe
  2⤵
  PID:6184
- C:\Windows\System32\ScbBauM.exe
  C:\Windows\System32\ScbBauM.exe
  2⤵
  PID:6232
- C:\Windows\System32\uncgBYv.exe
  C:\Windows\System32\uncgBYv.exe
  2⤵
  PID:6384
- C:\Windows\System32\xXnjIuj.exe
  C:\Windows\System32\xXnjIuj.exe
  2⤵
  PID:6568
- C:\Windows\System32\yExWDzM.exe
  C:\Windows\System32\yExWDzM.exe
  2⤵
  PID:6644
- C:\Windows\System32\EDxwUCe.exe
  C:\Windows\System32\EDxwUCe.exe
  2⤵
  PID:6928
- C:\Windows\System32\YycHPpR.exe
  C:\Windows\System32\YycHPpR.exe
  2⤵
  PID:7128
- C:\Windows\System32\iiHZPpx.exe
  C:\Windows\System32\iiHZPpx.exe
  2⤵
  PID:6280
- C:\Windows\System32\YmecXcM.exe
  C:\Windows\System32\YmecXcM.exe
  2⤵
  PID:6520
- C:\Windows\System32\APcGnWF.exe
  C:\Windows\System32\APcGnWF.exe
  2⤵
  PID:6888
- C:\Windows\System32\RkpEpSM.exe
  C:\Windows\System32\RkpEpSM.exe
  2⤵
  PID:7100
- C:\Windows\System32\aFJgimg.exe
  C:\Windows\System32\aFJgimg.exe
  2⤵
  PID:7024
- C:\Windows\System32\AoXGDeJ.exe
  C:\Windows\System32\AoXGDeJ.exe
  2⤵
  PID:7196
- C:\Windows\System32\TsmFXFT.exe
  C:\Windows\System32\TsmFXFT.exe
  2⤵
  PID:7236
- C:\Windows\System32\PIETMrj.exe
  C:\Windows\System32\PIETMrj.exe
  2⤵
  PID:7256
- C:\Windows\System32\coqJybb.exe
  C:\Windows\System32\coqJybb.exe
  2⤵
  PID:7276
- C:\Windows\System32\nRsaDWw.exe
  C:\Windows\System32\nRsaDWw.exe
  2⤵
  PID:7308
- C:\Windows\System32\FvTXqwn.exe
  C:\Windows\System32\FvTXqwn.exe
  2⤵
  PID:7336
- C:\Windows\System32\jvWGaAb.exe
  C:\Windows\System32\jvWGaAb.exe
  2⤵
  PID:7360
- C:\Windows\System32\UwhEGNS.exe
  C:\Windows\System32\UwhEGNS.exe
  2⤵
  PID:7420
- C:\Windows\System32\jJNhcHl.exe
  C:\Windows\System32\jJNhcHl.exe
  2⤵
  PID:7440
- C:\Windows\System32\AbbBfWK.exe
  C:\Windows\System32\AbbBfWK.exe
  2⤵
  PID:7472
- C:\Windows\System32\gTLbBgt.exe
  C:\Windows\System32\gTLbBgt.exe
  2⤵
  PID:7500
- C:\Windows\System32\FecSaJJ.exe
  C:\Windows\System32\FecSaJJ.exe
  2⤵
  PID:7532
- C:\Windows\System32\eCyTnes.exe
  C:\Windows\System32\eCyTnes.exe
  2⤵
  PID:7552
- C:\Windows\System32\onllZEr.exe
  C:\Windows\System32\onllZEr.exe
  2⤵
  PID:7580
- C:\Windows\System32\cASNkvm.exe
  C:\Windows\System32\cASNkvm.exe
  2⤵
  PID:7596
- C:\Windows\System32\unkvVUt.exe
  C:\Windows\System32\unkvVUt.exe
  2⤵
  PID:7628
- C:\Windows\System32\OxFslbj.exe
  C:\Windows\System32\OxFslbj.exe
  2⤵
  PID:7668
- C:\Windows\System32\GIoCBnx.exe
  C:\Windows\System32\GIoCBnx.exe
  2⤵
  PID:7692
- C:\Windows\System32\vqjKEzM.exe
  C:\Windows\System32\vqjKEzM.exe
  2⤵
  PID:7712
- C:\Windows\System32\DSXVglG.exe
  C:\Windows\System32\DSXVglG.exe
  2⤵
  PID:7732
- C:\Windows\System32\bCnXOXD.exe
  C:\Windows\System32\bCnXOXD.exe
  2⤵
  PID:7760
- C:\Windows\System32\YLACWHx.exe
  C:\Windows\System32\YLACWHx.exe
  2⤵
  PID:7804
- C:\Windows\System32\YpjcgZH.exe
  C:\Windows\System32\YpjcgZH.exe
  2⤵
  PID:7836
- C:\Windows\System32\cJqwXtt.exe
  C:\Windows\System32\cJqwXtt.exe
  2⤵
  PID:7864
- C:\Windows\System32\PELboSG.exe
  C:\Windows\System32\PELboSG.exe
  2⤵
  PID:7888
- C:\Windows\System32\NXDRvQh.exe
  C:\Windows\System32\NXDRvQh.exe
  2⤵
  PID:7912
- C:\Windows\System32\OOWvrdq.exe
  C:\Windows\System32\OOWvrdq.exe
  2⤵
  PID:7948
- C:\Windows\System32\vBBammP.exe
  C:\Windows\System32\vBBammP.exe
  2⤵
  PID:7976
- C:\Windows\System32\fvVkqIv.exe
  C:\Windows\System32\fvVkqIv.exe
  2⤵
  PID:7992
- C:\Windows\System32\BfSeciS.exe
  C:\Windows\System32\BfSeciS.exe
  2⤵
  PID:8024
- C:\Windows\System32\wqlGaTi.exe
  C:\Windows\System32\wqlGaTi.exe
  2⤵
  PID:8060
- C:\Windows\System32\cPtWRSl.exe
  C:\Windows\System32\cPtWRSl.exe
  2⤵
  PID:8080
- C:\Windows\System32\FrGpAiD.exe
  C:\Windows\System32\FrGpAiD.exe
  2⤵
  PID:8096
- C:\Windows\System32\vMALZnc.exe
  C:\Windows\System32\vMALZnc.exe
  2⤵
  PID:8120
- C:\Windows\System32\vTXftqJ.exe
  C:\Windows\System32\vTXftqJ.exe
  2⤵
  PID:8168
- C:\Windows\System32\JcZJVAv.exe
  C:\Windows\System32\JcZJVAv.exe
  2⤵
  PID:6720
- C:\Windows\System32\qUcXDgq.exe
  C:\Windows\System32\qUcXDgq.exe
  2⤵
  PID:7212
- C:\Windows\System32\qQcnpII.exe
  C:\Windows\System32\qQcnpII.exe
  2⤵
  PID:7304
- C:\Windows\System32\tFWYvKw.exe
  C:\Windows\System32\tFWYvKw.exe
  2⤵
  PID:7352
- C:\Windows\System32\RAbsazT.exe
  C:\Windows\System32\RAbsazT.exe
  2⤵
  PID:7400
- C:\Windows\System32\reKbjoO.exe
  C:\Windows\System32\reKbjoO.exe
  2⤵
  PID:7492
- C:\Windows\System32\kIayLmm.exe
  C:\Windows\System32\kIayLmm.exe
  2⤵
  PID:7512
- C:\Windows\System32\BjoQfxc.exe
  C:\Windows\System32\BjoQfxc.exe
  2⤵
  PID:7564
- C:\Windows\System32\OLAWDqB.exe
  C:\Windows\System32\OLAWDqB.exe
  2⤵
  PID:7604
- C:\Windows\System32\XrlngOX.exe
  C:\Windows\System32\XrlngOX.exe
  2⤵
  PID:7724
- C:\Windows\System32\AIECKyG.exe
  C:\Windows\System32\AIECKyG.exe
  2⤵
  PID:7772
- C:\Windows\System32\IgsDkTe.exe
  C:\Windows\System32\IgsDkTe.exe
  2⤵
  PID:7860
- C:\Windows\System32\FVKGJJp.exe
  C:\Windows\System32\FVKGJJp.exe
  2⤵
  PID:7908
- C:\Windows\System32\OSGEbWc.exe
  C:\Windows\System32\OSGEbWc.exe
  2⤵
  PID:7988
- C:\Windows\System32\judPcUF.exe
  C:\Windows\System32\judPcUF.exe
  2⤵
  PID:8036
- C:\Windows\System32\KWbbTfP.exe
  C:\Windows\System32\KWbbTfP.exe
  2⤵
  PID:8092
- C:\Windows\System32\NXCaNlG.exe
  C:\Windows\System32\NXCaNlG.exe
  2⤵
  PID:7208
- C:\Windows\System32\zfgHFQr.exe
  C:\Windows\System32\zfgHFQr.exe
  2⤵
  PID:7380
- C:\Windows\System32\IrbGePs.exe
  C:\Windows\System32\IrbGePs.exe
  2⤵
  PID:7560
- C:\Windows\System32\XzJRIsF.exe
  C:\Windows\System32\XzJRIsF.exe
  2⤵
  PID:7700
- C:\Windows\System32\JBKUqJo.exe
  C:\Windows\System32\JBKUqJo.exe
  2⤵
  PID:7832
- C:\Windows\System32\GhBdoHU.exe
  C:\Windows\System32\GhBdoHU.exe
  2⤵
  PID:7944
- C:\Windows\System32\GuPrCMX.exe
  C:\Windows\System32\GuPrCMX.exe
  2⤵
  PID:8004
- C:\Windows\System32\IYmNcaZ.exe
  C:\Windows\System32\IYmNcaZ.exe
  2⤵
  PID:6344
- C:\Windows\System32\DkpUkSY.exe
  C:\Windows\System32\DkpUkSY.exe
  2⤵
  PID:7460
- C:\Windows\System32\rdSAXvF.exe
  C:\Windows\System32\rdSAXvF.exe
  2⤵
  PID:7616
- C:\Windows\System32\rWGdvYL.exe
  C:\Windows\System32\rWGdvYL.exe
  2⤵
  PID:7248
- C:\Windows\System32\SJMyuws.exe
  C:\Windows\System32\SJMyuws.exe
  2⤵
  PID:8212
- C:\Windows\System32\wXkyIHW.exe
  C:\Windows\System32\wXkyIHW.exe
  2⤵
  PID:8240
- C:\Windows\System32\IgYfjrp.exe
  C:\Windows\System32\IgYfjrp.exe
  2⤵
  PID:8260
- C:\Windows\System32\jswBWdd.exe
  C:\Windows\System32\jswBWdd.exe
  2⤵
  PID:8284
- C:\Windows\System32\BRJGhpv.exe
  C:\Windows\System32\BRJGhpv.exe
  2⤵
  PID:8316
- C:\Windows\System32\DlPfQdV.exe
  C:\Windows\System32\DlPfQdV.exe
  2⤵
  PID:8340
- C:\Windows\System32\hFhbDPW.exe
  C:\Windows\System32\hFhbDPW.exe
  2⤵
  PID:8376
- C:\Windows\System32\hVpPQOG.exe
  C:\Windows\System32\hVpPQOG.exe
  2⤵
  PID:8412
- C:\Windows\System32\GdqFYMN.exe
  C:\Windows\System32\GdqFYMN.exe
  2⤵
  PID:8456
- C:\Windows\System32\uDLCvor.exe
  C:\Windows\System32\uDLCvor.exe
  2⤵
  PID:8480
- C:\Windows\System32\AdhTzlJ.exe
  C:\Windows\System32\AdhTzlJ.exe
  2⤵
  PID:8508
- C:\Windows\System32\DOLlXPS.exe
  C:\Windows\System32\DOLlXPS.exe
  2⤵
  PID:8628
- C:\Windows\System32\xjkoBSI.exe
  C:\Windows\System32\xjkoBSI.exe
  2⤵
  PID:8676
- C:\Windows\System32\apAscXD.exe
  C:\Windows\System32\apAscXD.exe
  2⤵
  PID:8716
- C:\Windows\System32\tNIOonv.exe
  C:\Windows\System32\tNIOonv.exe
  2⤵
  PID:8736
- C:\Windows\System32\qSXcoQi.exe
  C:\Windows\System32\qSXcoQi.exe
  2⤵
  PID:8756
- C:\Windows\System32\AUalseg.exe
  C:\Windows\System32\AUalseg.exe
  2⤵
  PID:8780
- C:\Windows\System32\NeydRQO.exe
  C:\Windows\System32\NeydRQO.exe
  2⤵
  PID:8820
- C:\Windows\System32\CjLvVZu.exe
  C:\Windows\System32\CjLvVZu.exe
  2⤵
  PID:8848
- C:\Windows\System32\oKSvLvX.exe
  C:\Windows\System32\oKSvLvX.exe
  2⤵
  PID:8876
- C:\Windows\System32\wHMahPg.exe
  C:\Windows\System32\wHMahPg.exe
  2⤵
  PID:8904
- C:\Windows\System32\aMRwCTi.exe
  C:\Windows\System32\aMRwCTi.exe
  2⤵
  PID:8920
- C:\Windows\System32\AFAWqGi.exe
  C:\Windows\System32\AFAWqGi.exe
  2⤵
  PID:8940
- C:\Windows\System32\HajkYFq.exe
  C:\Windows\System32\HajkYFq.exe
  2⤵
  PID:8964
- C:\Windows\System32\IORSiCj.exe
  C:\Windows\System32\IORSiCj.exe
  2⤵
  PID:9016
- C:\Windows\System32\aXyykjM.exe
  C:\Windows\System32\aXyykjM.exe
  2⤵
  PID:9040
- C:\Windows\System32\UNvXIsy.exe
  C:\Windows\System32\UNvXIsy.exe
  2⤵
  PID:9068
- C:\Windows\System32\HYMIaKC.exe
  C:\Windows\System32\HYMIaKC.exe
  2⤵
  PID:9104
- C:\Windows\System32\uzwJqfr.exe
  C:\Windows\System32\uzwJqfr.exe
  2⤵
  PID:9124
- C:\Windows\System32\spQwwvt.exe
  C:\Windows\System32\spQwwvt.exe
  2⤵
  PID:9160
- C:\Windows\System32\QUWwalx.exe
  C:\Windows\System32\QUWwalx.exe
  2⤵
  PID:9196
- C:\Windows\System32\vweTkbH.exe
  C:\Windows\System32\vweTkbH.exe
  2⤵
  PID:7872
- C:\Windows\System32\NJfXkJz.exe
  C:\Windows\System32\NJfXkJz.exe
  2⤵
  PID:8232
- C:\Windows\System32\KwfLxUv.exe
  C:\Windows\System32\KwfLxUv.exe
  2⤵
  PID:8280
- C:\Windows\System32\khxEkHH.exe
  C:\Windows\System32\khxEkHH.exe
  2⤵
  PID:8336
- C:\Windows\System32\RVTknpk.exe
  C:\Windows\System32\RVTknpk.exe
  2⤵
  PID:8396
- C:\Windows\System32\MLepkfs.exe
  C:\Windows\System32\MLepkfs.exe
  2⤵
  PID:8496
- C:\Windows\System32\CBibxnS.exe
  C:\Windows\System32\CBibxnS.exe
  2⤵
  PID:8536
- C:\Windows\System32\XnAOBpP.exe
  C:\Windows\System32\XnAOBpP.exe
  2⤵
  PID:8560
- C:\Windows\System32\OHfwdrZ.exe
  C:\Windows\System32\OHfwdrZ.exe
  2⤵
  PID:8604
- C:\Windows\System32\DAXVQYc.exe
  C:\Windows\System32\DAXVQYc.exe
  2⤵
  PID:8520
- C:\Windows\System32\BfKQFoC.exe
  C:\Windows\System32\BfKQFoC.exe
  2⤵
  PID:8492
- C:\Windows\System32\udVOYzS.exe
  C:\Windows\System32\udVOYzS.exe
  2⤵
  PID:8684
- C:\Windows\System32\UuFxBLq.exe
  C:\Windows\System32\UuFxBLq.exe
  2⤵
  PID:8748
- C:\Windows\System32\cnMRpwZ.exe
  C:\Windows\System32\cnMRpwZ.exe
  2⤵
  PID:7156
- C:\Windows\System32\qBtOKzV.exe
  C:\Windows\System32\qBtOKzV.exe
  2⤵
  PID:8912
- C:\Windows\System32\difgIJU.exe
  C:\Windows\System32\difgIJU.exe
  2⤵
  PID:8936
- C:\Windows\System32\xVADCpT.exe
  C:\Windows\System32\xVADCpT.exe
  2⤵
  PID:9012
- C:\Windows\System32\IDKvxan.exe
  C:\Windows\System32\IDKvxan.exe
  2⤵
  PID:9096
- C:\Windows\System32\xezgmJu.exe
  C:\Windows\System32\xezgmJu.exe
  2⤵
  PID:9148
- C:\Windows\System32\OmCOwfN.exe
  C:\Windows\System32\OmCOwfN.exe
  2⤵
  PID:4900
- C:\Windows\System32\YcYKpHN.exe
  C:\Windows\System32\YcYKpHN.exe
  2⤵
  PID:8252
- C:\Windows\System32\WuqqAvS.exe
  C:\Windows\System32\WuqqAvS.exe
  2⤵
  PID:8328
- C:\Windows\System32\ueQGmob.exe
  C:\Windows\System32\ueQGmob.exe
  2⤵
  PID:8592
- C:\Windows\System32\vtAiGDN.exe
  C:\Windows\System32\vtAiGDN.exe
  2⤵
  PID:8436
- C:\Windows\System32\knGIHeu.exe
  C:\Windows\System32\knGIHeu.exe
  2⤵
  PID:8664
- C:\Windows\System32\pavFNoD.exe
  C:\Windows\System32\pavFNoD.exe
  2⤵
  PID:8752
- C:\Windows\System32\FEWTfdt.exe
  C:\Windows\System32\FEWTfdt.exe
  2⤵
  PID:8888
- C:\Windows\System32\MFBpKmx.exe
  C:\Windows\System32\MFBpKmx.exe
  2⤵
  PID:9048
- C:\Windows\System32\FTaULiT.exe
  C:\Windows\System32\FTaULiT.exe
  2⤵
  PID:9208
- C:\Windows\System32\iJDTSAP.exe
  C:\Windows\System32\iJDTSAP.exe
  2⤵
  PID:8452
- C:\Windows\System32\CxKwehZ.exe
  C:\Windows\System32\CxKwehZ.exe
  2⤵
  PID:8688
- C:\Windows\System32\qTsGKOx.exe
  C:\Windows\System32\qTsGKOx.exe
  2⤵
  PID:8952
- C:\Windows\System32\FBAkvHb.exe
  C:\Windows\System32\FBAkvHb.exe
  2⤵
  PID:8312
- C:\Windows\System32\zApydul.exe
  C:\Windows\System32\zApydul.exe
  2⤵
  PID:9056
- C:\Windows\System32\CXKCVcg.exe
  C:\Windows\System32\CXKCVcg.exe
  2⤵
  PID:9224
- C:\Windows\System32\ydxEvfc.exe
  C:\Windows\System32\ydxEvfc.exe
  2⤵
  PID:9240
- C:\Windows\System32\wahInVz.exe
  C:\Windows\System32\wahInVz.exe
  2⤵
  PID:9260
- C:\Windows\System32\FnqnAxM.exe
  C:\Windows\System32\FnqnAxM.exe
  2⤵
  PID:9300
- C:\Windows\System32\VLbRPiq.exe
  C:\Windows\System32\VLbRPiq.exe
  2⤵
  PID:9336
- C:\Windows\System32\mYMyzNP.exe
  C:\Windows\System32\mYMyzNP.exe
  2⤵
  PID:9368
- C:\Windows\System32\PwAkyHr.exe
  C:\Windows\System32\PwAkyHr.exe
  2⤵
  PID:9392
- C:\Windows\System32\adgDgYL.exe
  C:\Windows\System32\adgDgYL.exe
  2⤵
  PID:9412
- C:\Windows\System32\BETfivg.exe
  C:\Windows\System32\BETfivg.exe
  2⤵
  PID:9440
- C:\Windows\System32\kUXrLBR.exe
  C:\Windows\System32\kUXrLBR.exe
  2⤵
  PID:9496
- C:\Windows\System32\aIhQpMC.exe
  C:\Windows\System32\aIhQpMC.exe
  2⤵
  PID:9520
- C:\Windows\System32\xbVqguC.exe
  C:\Windows\System32\xbVqguC.exe
  2⤵
  PID:9568
- C:\Windows\System32\CVDOPDm.exe
  C:\Windows\System32\CVDOPDm.exe
  2⤵
  PID:9592
- C:\Windows\System32\wmfUMkF.exe
  C:\Windows\System32\wmfUMkF.exe
  2⤵
  PID:9612
- C:\Windows\System32\rRlzHCG.exe
  C:\Windows\System32\rRlzHCG.exe
  2⤵
  PID:9656
- C:\Windows\System32\ptfBLAd.exe
  C:\Windows\System32\ptfBLAd.exe
  2⤵
  PID:9700
- C:\Windows\System32\hTeOARn.exe
  C:\Windows\System32\hTeOARn.exe
  2⤵
  PID:9720
- C:\Windows\System32\NBCHKVi.exe
  C:\Windows\System32\NBCHKVi.exe
  2⤵
  PID:9740
- C:\Windows\System32\LFWsTzF.exe
  C:\Windows\System32\LFWsTzF.exe
  2⤵
  PID:9764
- C:\Windows\System32\TlwLTqK.exe
  C:\Windows\System32\TlwLTqK.exe
  2⤵
  PID:9816
- C:\Windows\System32\orzgdzI.exe
  C:\Windows\System32\orzgdzI.exe
  2⤵
  PID:9848
- C:\Windows\System32\NuDAdsU.exe
  C:\Windows\System32\NuDAdsU.exe
  2⤵
  PID:9872
- C:\Windows\System32\BafCvxU.exe
  C:\Windows\System32\BafCvxU.exe
  2⤵
  PID:9900
- C:\Windows\System32\Aikoedu.exe
  C:\Windows\System32\Aikoedu.exe
  2⤵
  PID:9928
- C:\Windows\System32\AHLfkYy.exe
  C:\Windows\System32\AHLfkYy.exe
  2⤵
  PID:9956
- C:\Windows\System32\wuiDHbI.exe
  C:\Windows\System32\wuiDHbI.exe
  2⤵
  PID:9972
- C:\Windows\System32\WFyJcEX.exe
  C:\Windows\System32\WFyJcEX.exe
  2⤵
  PID:9992
- C:\Windows\System32\mRZoiWN.exe
  C:\Windows\System32\mRZoiWN.exe
  2⤵
  PID:10036
- C:\Windows\System32\fRsfytA.exe
  C:\Windows\System32\fRsfytA.exe
  2⤵
  PID:10052
- C:\Windows\System32\WagsAGv.exe
  C:\Windows\System32\WagsAGv.exe
  2⤵
  PID:10096
- C:\Windows\System32\VZNNxNi.exe
  C:\Windows\System32\VZNNxNi.exe
  2⤵
  PID:10124
- C:\Windows\System32\jXjfRrf.exe
  C:\Windows\System32\jXjfRrf.exe
  2⤵
  PID:10148
- C:\Windows\System32\dgoPTBt.exe
  C:\Windows\System32\dgoPTBt.exe
  2⤵
  PID:10168
- C:\Windows\System32\GjjoUdc.exe
  C:\Windows\System32\GjjoUdc.exe
  2⤵
  PID:10200
- C:\Windows\System32\oEpRYMY.exe
  C:\Windows\System32\oEpRYMY.exe
  2⤵
  PID:10232
- C:\Windows\System32\gKhBuWQ.exe
  C:\Windows\System32\gKhBuWQ.exe
  2⤵
  PID:9256
- C:\Windows\System32\JveOiNg.exe
  C:\Windows\System32\JveOiNg.exe
  2⤵
  PID:9280
- C:\Windows\System32\pkiZhqx.exe
  C:\Windows\System32\pkiZhqx.exe
  2⤵
  PID:9364
- C:\Windows\System32\CFRpytW.exe
  C:\Windows\System32\CFRpytW.exe
  2⤵
  PID:9380
- C:\Windows\System32\BYqonOT.exe
  C:\Windows\System32\BYqonOT.exe
  2⤵
  PID:9508
- C:\Windows\System32\uNzTQaN.exe
  C:\Windows\System32\uNzTQaN.exe
  2⤵
  PID:9560
- C:\Windows\System32\jNIqGkP.exe
  C:\Windows\System32\jNIqGkP.exe
  2⤵
  PID:9636
- C:\Windows\System32\gvZAhwO.exe
  C:\Windows\System32\gvZAhwO.exe
  2⤵
  PID:9736
- C:\Windows\System32\ZrJnbhP.exe
  C:\Windows\System32\ZrJnbhP.exe
  2⤵
  PID:9856
- C:\Windows\System32\CiaPRis.exe
  C:\Windows\System32\CiaPRis.exe
  2⤵
  PID:9920
- C:\Windows\System32\zcTnzsU.exe
  C:\Windows\System32\zcTnzsU.exe
  2⤵
  PID:9940
- C:\Windows\System32\dKPFdSK.exe
  C:\Windows\System32\dKPFdSK.exe
  2⤵
  PID:10028
- C:\Windows\System32\lbaOydY.exe
  C:\Windows\System32\lbaOydY.exe
  2⤵
  PID:10112
- C:\Windows\System32\lWpJqmG.exe
  C:\Windows\System32\lWpJqmG.exe
  2⤵
  PID:10216
- C:\Windows\System32\MqidtDB.exe
  C:\Windows\System32\MqidtDB.exe
  2⤵
  PID:8652
- C:\Windows\System32\hpBRYVd.exe
  C:\Windows\System32\hpBRYVd.exe
  2⤵
  PID:9436
- C:\Windows\System32\wFcSmMz.exe
  C:\Windows\System32\wFcSmMz.exe
  2⤵
  PID:9732
- C:\Windows\System32\FhVCvNJ.exe
  C:\Windows\System32\FhVCvNJ.exe
  2⤵
  PID:9812
- C:\Windows\System32\AQKsDtU.exe
  C:\Windows\System32\AQKsDtU.exe
  2⤵
  PID:10144
- C:\Windows\System32\XbVHoDp.exe
  C:\Windows\System32\XbVHoDp.exe
  2⤵
  PID:8588
- C:\Windows\System32\DKLQZEc.exe
  C:\Windows\System32\DKLQZEc.exe
  2⤵
  PID:9608
- C:\Windows\System32\uxESmQd.exe
  C:\Windows\System32\uxESmQd.exe
  2⤵
  PID:10248
- C:\Windows\System32\FWIKcbU.exe
  C:\Windows\System32\FWIKcbU.exe
  2⤵
  PID:10272
- C:\Windows\System32\IKshCoA.exe
  C:\Windows\System32\IKshCoA.exe
  2⤵
  PID:10300
- C:\Windows\System32\WapTcpK.exe
  C:\Windows\System32\WapTcpK.exe
  2⤵
  PID:10320
- C:\Windows\System32\EnfRMCb.exe
  C:\Windows\System32\EnfRMCb.exe
  2⤵
  PID:10368
- C:\Windows\System32\GOnTUxV.exe
  C:\Windows\System32\GOnTUxV.exe
  2⤵
  PID:10472
- C:\Windows\System32\OEdJUhJ.exe
  C:\Windows\System32\OEdJUhJ.exe
  2⤵
  PID:10488
- C:\Windows\System32\JFYWLIJ.exe
  C:\Windows\System32\JFYWLIJ.exe
  2⤵
  PID:10504
- C:\Windows\System32\uuVeheC.exe
  C:\Windows\System32\uuVeheC.exe
  2⤵
  PID:10520
- C:\Windows\System32\bJJLrhv.exe
  C:\Windows\System32\bJJLrhv.exe
  2⤵
  PID:10536
- C:\Windows\System32\emzifxs.exe
  C:\Windows\System32\emzifxs.exe
  2⤵
  PID:10552
- C:\Windows\System32\UpDWvYv.exe
  C:\Windows\System32\UpDWvYv.exe
  2⤵
  PID:10568
- C:\Windows\System32\CmvFaRM.exe
  C:\Windows\System32\CmvFaRM.exe
  2⤵
  PID:10584
- C:\Windows\System32\xoMphmY.exe
  C:\Windows\System32\xoMphmY.exe
  2⤵
  PID:10600
- C:\Windows\System32\jXejGFq.exe
  C:\Windows\System32\jXejGFq.exe
  2⤵
  PID:10616
- C:\Windows\System32\zHsIaEE.exe
  C:\Windows\System32\zHsIaEE.exe
  2⤵
  PID:10632
- C:\Windows\System32\MPVLjbE.exe
  C:\Windows\System32\MPVLjbE.exe
  2⤵
  PID:10648
- C:\Windows\System32\nwunHMo.exe
  C:\Windows\System32\nwunHMo.exe
  2⤵
  PID:10664
- C:\Windows\System32\rodVath.exe
  C:\Windows\System32\rodVath.exe
  2⤵
  PID:10680
- C:\Windows\System32\DcVxdgx.exe
  C:\Windows\System32\DcVxdgx.exe
  2⤵
  PID:10700
- C:\Windows\System32\lhqeXsz.exe
  C:\Windows\System32\lhqeXsz.exe
  2⤵
  PID:10724
- C:\Windows\System32\EBAdepr.exe
  C:\Windows\System32\EBAdepr.exe
  2⤵
  PID:10764
- C:\Windows\System32\mUSooaU.exe
  C:\Windows\System32\mUSooaU.exe
  2⤵
  PID:10788
- C:\Windows\System32\OVykRza.exe
  C:\Windows\System32\OVykRza.exe
  2⤵
  PID:10836
- C:\Windows\System32\xmbvVFY.exe
  C:\Windows\System32\xmbvVFY.exe
  2⤵
  PID:10880
- C:\Windows\System32\TUIYwcx.exe
  C:\Windows\System32\TUIYwcx.exe
  2⤵
  PID:10996
- C:\Windows\System32\DHYstQO.exe
  C:\Windows\System32\DHYstQO.exe
  2⤵
  PID:11020
- C:\Windows\System32\BDZGBKR.exe
  C:\Windows\System32\BDZGBKR.exe
  2⤵
  PID:11092
- C:\Windows\System32\svAdkSL.exe
  C:\Windows\System32\svAdkSL.exe
  2⤵
  PID:11152
- C:\Windows\System32\SpkpPSD.exe
  C:\Windows\System32\SpkpPSD.exe
  2⤵
  PID:11224
- C:\Windows\System32\lWymenM.exe
  C:\Windows\System32\lWymenM.exe
  2⤵
  PID:9944
- C:\Windows\System32\EbdpxzN.exe
  C:\Windows\System32\EbdpxzN.exe
  2⤵
  PID:3000
- C:\Windows\System32\gqarTJM.exe
  C:\Windows\System32\gqarTJM.exe
  2⤵
  PID:3816
- C:\Windows\System32\yWOVEZE.exe
  C:\Windows\System32\yWOVEZE.exe
  2⤵
  PID:10408
- C:\Windows\System32\VDCmZWX.exe
  C:\Windows\System32\VDCmZWX.exe
  2⤵
  PID:10428
- C:\Windows\System32\ISWojIm.exe
  C:\Windows\System32\ISWojIm.exe
  2⤵
  PID:10452
- C:\Windows\System32\EVOvFJC.exe
  C:\Windows\System32\EVOvFJC.exe
  2⤵
  PID:10512
- C:\Windows\System32\oykPVnp.exe
  C:\Windows\System32\oykPVnp.exe
  2⤵
  PID:10548
- C:\Windows\System32\ASMkKWn.exe
  C:\Windows\System32\ASMkKWn.exe
  2⤵
  PID:10732
- C:\Windows\System32\OLYXIhS.exe
  C:\Windows\System32\OLYXIhS.exe
  2⤵
  PID:10756
- C:\Windows\System32\RdpmYPW.exe
  C:\Windows\System32\RdpmYPW.exe
  2⤵
  PID:10592
- C:\Windows\System32\qmlKZOy.exe
  C:\Windows\System32\qmlKZOy.exe
  2⤵
  PID:10496
- C:\Windows\System32\QBUQQOH.exe
  C:\Windows\System32\QBUQQOH.exe
  2⤵
  PID:10776
- C:\Windows\System32\ziHuirK.exe
  C:\Windows\System32\ziHuirK.exe
  2⤵
  PID:11060
- C:\Windows\System32\fCeSDZi.exe
  C:\Windows\System32\fCeSDZi.exe
  2⤵
  PID:10972
- C:\Windows\System32\EURzdIG.exe
  C:\Windows\System32\EURzdIG.exe
  2⤵
  PID:11044
- C:\Windows\System32\HYLQcku.exe
  C:\Windows\System32\HYLQcku.exe
  2⤵
  PID:11184
- C:\Windows\System32\sQyLhQq.exe
  C:\Windows\System32\sQyLhQq.exe
  2⤵
  PID:11260
- C:\Windows\System32\PypElXj.exe
  C:\Windows\System32\PypElXj.exe
  2⤵
  PID:2240
- C:\Windows\System32\vVWHFsy.exe
  C:\Windows\System32\vVWHFsy.exe
  2⤵
  PID:10660
- C:\Windows\System32\keMZTxZ.exe
  C:\Windows\System32\keMZTxZ.exe
  2⤵
  PID:10692
- C:\Windows\System32\kUlHaNz.exe
  C:\Windows\System32\kUlHaNz.exe
  2⤵
  PID:10752
- C:\Windows\System32\UkrGdLb.exe
  C:\Windows\System32\UkrGdLb.exe
  2⤵
  PID:10624
- C:\Windows\System32\ZAtWwYT.exe
  C:\Windows\System32\ZAtWwYT.exe
  2⤵
  PID:11100
- C:\Windows\System32\bzWAOVD.exe
  C:\Windows\System32\bzWAOVD.exe
  2⤵
  PID:11232
- C:\Windows\System32\TWIVQcF.exe
  C:\Windows\System32\TWIVQcF.exe
  2⤵
  PID:10644
- C:\Windows\System32\ilCZQDz.exe
  C:\Windows\System32\ilCZQDz.exe
  2⤵
  PID:10532
- C:\Windows\System32\VPSlLEe.exe
  C:\Windows\System32\VPSlLEe.exe
  2⤵
  PID:448
- C:\Windows\System32\PbzSSHQ.exe
  C:\Windows\System32\PbzSSHQ.exe
  2⤵
  PID:11140
- C:\Windows\System32\qVWLBAh.exe
  C:\Windows\System32\qVWLBAh.exe
  2⤵
  PID:11008
- C:\Windows\System32\zMmYoZd.exe
  C:\Windows\System32\zMmYoZd.exe
  2⤵
  PID:11276
- C:\Windows\System32\KyKhOQZ.exe
  C:\Windows\System32\KyKhOQZ.exe
  2⤵
  PID:11312
- C:\Windows\System32\cnYfOXW.exe
  C:\Windows\System32\cnYfOXW.exe
  2⤵
  PID:11340
- C:\Windows\System32\eFJezoN.exe
  C:\Windows\System32\eFJezoN.exe
  2⤵
  PID:11364
- C:\Windows\System32\IdADHcd.exe
  C:\Windows\System32\IdADHcd.exe
  2⤵
  PID:11384
- C:\Windows\System32\VPXMTmc.exe
  C:\Windows\System32\VPXMTmc.exe
  2⤵
  PID:11424
- C:\Windows\System32\rfyiQCk.exe
  C:\Windows\System32\rfyiQCk.exe
  2⤵
  PID:11456
- C:\Windows\System32\GsNAvUI.exe
  C:\Windows\System32\GsNAvUI.exe
  2⤵
  PID:11476
- C:\Windows\System32\lZkQXar.exe
  C:\Windows\System32\lZkQXar.exe
  2⤵
  PID:11496
- C:\Windows\System32\DPcoMMN.exe
  C:\Windows\System32\DPcoMMN.exe
  2⤵
  PID:11536
- C:\Windows\System32\dHWOWlM.exe
  C:\Windows\System32\dHWOWlM.exe
  2⤵
  PID:11560
- C:\Windows\System32\IMIdcqc.exe
  C:\Windows\System32\IMIdcqc.exe
  2⤵
  PID:11580
- C:\Windows\System32\iWJhnoj.exe
  C:\Windows\System32\iWJhnoj.exe
  2⤵
  PID:11604
- C:\Windows\System32\TeJIshB.exe
  C:\Windows\System32\TeJIshB.exe
  2⤵
  PID:11656
- C:\Windows\System32\YkHXCSl.exe
  C:\Windows\System32\YkHXCSl.exe
  2⤵
  PID:11680
- C:\Windows\System32\OTzRvsQ.exe
  C:\Windows\System32\OTzRvsQ.exe
  2⤵
  PID:11704
- C:\Windows\System32\igjCiCr.exe
  C:\Windows\System32\igjCiCr.exe
  2⤵
  PID:11724
- C:\Windows\System32\szOSdEJ.exe
  C:\Windows\System32\szOSdEJ.exe
  2⤵
  PID:11764
- C:\Windows\System32\KeAeFyy.exe
  C:\Windows\System32\KeAeFyy.exe
  2⤵
  PID:11788
- C:\Windows\System32\kzVoTox.exe
  C:\Windows\System32\kzVoTox.exe
  2⤵
  PID:11808
- C:\Windows\System32\sgkXoCg.exe
  C:\Windows\System32\sgkXoCg.exe
  2⤵
  PID:11848
- C:\Windows\System32\kQgwgUo.exe
  C:\Windows\System32\kQgwgUo.exe
  2⤵
  PID:11864
- C:\Windows\System32\sdeuSyI.exe
  C:\Windows\System32\sdeuSyI.exe
  2⤵
  PID:11904
- C:\Windows\System32\UQxROAl.exe
  C:\Windows\System32\UQxROAl.exe
  2⤵
  PID:11932
- C:\Windows\System32\DhBzrEh.exe
  C:\Windows\System32\DhBzrEh.exe
  2⤵
  PID:11956
- C:\Windows\System32\limdLXU.exe
  C:\Windows\System32\limdLXU.exe
  2⤵
  PID:11976
- C:\Windows\System32\IfnCUkQ.exe
  C:\Windows\System32\IfnCUkQ.exe
  2⤵
  PID:11996
- C:\Windows\System32\IqrRlue.exe
  C:\Windows\System32\IqrRlue.exe
  2⤵
  PID:12024
- C:\Windows\System32\OfuyVGg.exe
  C:\Windows\System32\OfuyVGg.exe
  2⤵
  PID:12048
- C:\Windows\System32\rvOKekB.exe
  C:\Windows\System32\rvOKekB.exe
  2⤵
  PID:12068
- C:\Windows\System32\zLbHbsj.exe
  C:\Windows\System32\zLbHbsj.exe
  2⤵
  PID:12136
- C:\Windows\System32\WxVlQNG.exe
  C:\Windows\System32\WxVlQNG.exe
  2⤵
  PID:12180
- C:\Windows\System32\UGlrwSI.exe
  C:\Windows\System32\UGlrwSI.exe
  2⤵
  PID:12224
- C:\Windows\System32\QeiuzZU.exe
  C:\Windows\System32\QeiuzZU.exe
  2⤵
  PID:12240
- C:\Windows\System32\AywbaLi.exe
  C:\Windows\System32\AywbaLi.exe
  2⤵
  PID:12284
- C:\Windows\System32\ijQhDZk.exe
  C:\Windows\System32\ijQhDZk.exe
  2⤵
  PID:11284
- C:\Windows\System32\UXOSwnG.exe
  C:\Windows\System32\UXOSwnG.exe
  2⤵
  PID:11356
- C:\Windows\System32\DHlHdVB.exe
  C:\Windows\System32\DHlHdVB.exe
  2⤵
  PID:11376
- C:\Windows\System32\ujERRMn.exe
  C:\Windows\System32\ujERRMn.exe
  2⤵
  PID:11440
- C:\Windows\System32\wAvuEMs.exe
  C:\Windows\System32\wAvuEMs.exe
  2⤵
  PID:11552
- C:\Windows\System32\IRBkMIF.exe
  C:\Windows\System32\IRBkMIF.exe
  2⤵
  PID:11592
- C:\Windows\System32\nxOhEIP.exe
  C:\Windows\System32\nxOhEIP.exe
  2⤵
  PID:11696
- C:\Windows\System32\DnnkcJZ.exe
  C:\Windows\System32\DnnkcJZ.exe
  2⤵
  PID:11740
- C:\Windows\System32\xuHBivm.exe
  C:\Windows\System32\xuHBivm.exe
  2⤵
  PID:11800
- C:\Windows\System32\lZZZEZL.exe
  C:\Windows\System32\lZZZEZL.exe
  2⤵
  PID:11840
- C:\Windows\System32\dpbRaRn.exe
  C:\Windows\System32\dpbRaRn.exe
  2⤵
  PID:11916
- C:\Windows\System32\VkYzKta.exe
  C:\Windows\System32\VkYzKta.exe
  2⤵
  PID:11944
- C:\Windows\System32\cGdPuKh.exe
  C:\Windows\System32\cGdPuKh.exe
  2⤵
  PID:12104
- C:\Windows\System32\EoqACjD.exe
  C:\Windows\System32\EoqACjD.exe
  2⤵
  PID:12124
- C:\Windows\System32\DhlFnhC.exe
  C:\Windows\System32\DhlFnhC.exe
  2⤵
  PID:12212
- C:\Windows\System32\ATEEmub.exe
  C:\Windows\System32\ATEEmub.exe
  2⤵
  PID:12280
- C:\Windows\System32\fFAAJWQ.exe
  C:\Windows\System32\fFAAJWQ.exe
  2⤵
  PID:11352
- C:\Windows\System32\ZchFoFQ.exe
  C:\Windows\System32\ZchFoFQ.exe
  2⤵
  PID:10404
- C:\Windows\System32\udgpQpf.exe
  C:\Windows\System32\udgpQpf.exe
  2⤵
  PID:11664
- C:\Windows\System32\JPYNwfX.exe
  C:\Windows\System32\JPYNwfX.exe
  2⤵
  PID:11828
- C:\Windows\System32\HVIIpqk.exe
  C:\Windows\System32\HVIIpqk.exe
  2⤵
  PID:11964
- C:\Windows\System32\lSYNNed.exe
  C:\Windows\System32\lSYNNed.exe
  2⤵
  PID:12132
- C:\Windows\System32\MOowEXP.exe
  C:\Windows\System32\MOowEXP.exe
  2⤵
  PID:11336
- C:\Windows\System32\IQdhvLK.exe
  C:\Windows\System32\IQdhvLK.exe
  2⤵
  PID:11512
- C:\Windows\System32\ZmnuaDF.exe
  C:\Windows\System32\ZmnuaDF.exe
  2⤵
  PID:11804
- C:\Windows\System32\bhzgCkz.exe
  C:\Windows\System32\bhzgCkz.exe
  2⤵
  PID:10564
- C:\Windows\System32\hfeJyMF.exe
  C:\Windows\System32\hfeJyMF.exe
  2⤵
  PID:12292
- C:\Windows\System32\usnnvWX.exe
  C:\Windows\System32\usnnvWX.exe
  2⤵
  PID:12320
- C:\Windows\System32\RJANoqR.exe
  C:\Windows\System32\RJANoqR.exe
  2⤵
  PID:12340
- C:\Windows\System32\jnTiXSj.exe
  C:\Windows\System32\jnTiXSj.exe
  2⤵
  PID:12392
- C:\Windows\System32\RyrtbKH.exe
  C:\Windows\System32\RyrtbKH.exe
  2⤵
  PID:12408
- C:\Windows\System32\MjWEscs.exe
  C:\Windows\System32\MjWEscs.exe
  2⤵
  PID:12428
- C:\Windows\System32\KBhEQZp.exe
  C:\Windows\System32\KBhEQZp.exe
  2⤵
  PID:12456
- C:\Windows\System32\CzZAoHA.exe
  C:\Windows\System32\CzZAoHA.exe
  2⤵
  PID:12476
- C:\Windows\System32\jYCzirb.exe
  C:\Windows\System32\jYCzirb.exe
  2⤵
  PID:12512
- C:\Windows\System32\EGDxFQj.exe
  C:\Windows\System32\EGDxFQj.exe
  2⤵
  PID:12532
- C:\Windows\System32\ACWuGJW.exe
  C:\Windows\System32\ACWuGJW.exe
  2⤵
  PID:12568
- C:\Windows\System32\NDcrTXZ.exe
  C:\Windows\System32\NDcrTXZ.exe
  2⤵
  PID:12592
- C:\Windows\System32\wzTPSgs.exe
  C:\Windows\System32\wzTPSgs.exe
  2⤵
  PID:12616
- C:\Windows\System32\KuXBUCp.exe
  C:\Windows\System32\KuXBUCp.exe
  2⤵
  PID:12664
- C:\Windows\System32\jxWXDkv.exe
  C:\Windows\System32\jxWXDkv.exe
  2⤵
  PID:12696
- C:\Windows\System32\upkTUao.exe
  C:\Windows\System32\upkTUao.exe
  2⤵
  PID:12716
- C:\Windows\System32\RCYtivY.exe
  C:\Windows\System32\RCYtivY.exe
  2⤵
  PID:12736
- C:\Windows\System32\bJsUjee.exe
  C:\Windows\System32\bJsUjee.exe
  2⤵
  PID:12784
- C:\Windows\System32\PwiVXKa.exe
  C:\Windows\System32\PwiVXKa.exe
  2⤵
  PID:12832
- C:\Windows\System32\UyDgiNJ.exe
  C:\Windows\System32\UyDgiNJ.exe
  2⤵
  PID:12852
- C:\Windows\System32\DHWPFFO.exe
  C:\Windows\System32\DHWPFFO.exe
  2⤵
  PID:12876
- C:\Windows\System32\MlRPutQ.exe
  C:\Windows\System32\MlRPutQ.exe
  2⤵
  PID:12900
- C:\Windows\System32\hNsrfdh.exe
  C:\Windows\System32\hNsrfdh.exe
  2⤵
  PID:12924
- C:\Windows\System32\IQkxLWY.exe
  C:\Windows\System32\IQkxLWY.exe
  2⤵
  PID:12960
- C:\Windows\System32\IYtPijZ.exe
  C:\Windows\System32\IYtPijZ.exe
  2⤵
  PID:12988
- C:\Windows\System32\plpCNPf.exe
  C:\Windows\System32\plpCNPf.exe
  2⤵
  PID:13020
- C:\Windows\System32\UNwDsDj.exe
  C:\Windows\System32\UNwDsDj.exe
  2⤵
  PID:13040
- C:\Windows\System32\nNfRkSt.exe
  C:\Windows\System32\nNfRkSt.exe
  2⤵
  PID:13060
- C:\Windows\System32\vlGFuky.exe
  C:\Windows\System32\vlGFuky.exe
  2⤵
  PID:13080
- C:\Windows\System32\oisJydx.exe
  C:\Windows\System32\oisJydx.exe
  2⤵
  PID:13112
- C:\Windows\System32\iOtOwVW.exe
  C:\Windows\System32\iOtOwVW.exe
  2⤵
  PID:13140
- C:\Windows\System32\cSKxrzv.exe
  C:\Windows\System32\cSKxrzv.exe
  2⤵
  PID:13192
- C:\Windows\System32\uJfOZbC.exe
  C:\Windows\System32\uJfOZbC.exe
  2⤵
  PID:13212
- C:\Windows\System32\oEAtzpI.exe
  C:\Windows\System32\oEAtzpI.exe
  2⤵
  PID:13240
- C:\Windows\System32\ZbEmsOx.exe
  C:\Windows\System32\ZbEmsOx.exe
  2⤵
  PID:13260
- C:\Windows\System32\ttxypdz.exe
  C:\Windows\System32\ttxypdz.exe
  2⤵
  PID:13284
- C:\Windows\System32\HRadKgy.exe
  C:\Windows\System32\HRadKgy.exe
  2⤵
  PID:11436
- C:\Windows\System32\iCiBHFh.exe
  C:\Windows\System32\iCiBHFh.exe
  2⤵
  PID:12332
- C:\Windows\System32\YJUMPja.exe
  C:\Windows\System32\YJUMPja.exe
  2⤵
  PID:12368
- C:\Windows\System32\kSQUPdQ.exe
  C:\Windows\System32\kSQUPdQ.exe
  2⤵
  PID:12472
- C:\Windows\System32\SITHrMs.exe
  C:\Windows\System32\SITHrMs.exe
  2⤵
  PID:12540
- C:\Windows\System32\mFXAHim.exe
  C:\Windows\System32\mFXAHim.exe
  2⤵
  PID:3456
- C:\Windows\System32\QxnEuaL.exe
  C:\Windows\System32\QxnEuaL.exe
  2⤵
  PID:4176
- C:\Windows\System32\vhHOQEJ.exe
  C:\Windows\System32\vhHOQEJ.exe
  2⤵
  PID:12652
- C:\Windows\System32\HOymCOI.exe
  C:\Windows\System32\HOymCOI.exe
  2⤵
  PID:1584
- C:\Windows\System32\sRNdieQ.exe
  C:\Windows\System32\sRNdieQ.exe
  2⤵
  PID:12764
- C:\Windows\System32\gywzGdd.exe
  C:\Windows\System32\gywzGdd.exe
  2⤵
  PID:12796
- C:\Windows\System32\ODyaubw.exe
  C:\Windows\System32\ODyaubw.exe
  2⤵
  PID:12892
- C:\Windows\System32\PXEIgfZ.exe
  C:\Windows\System32\PXEIgfZ.exe
  2⤵
  PID:12952
- C:\Windows\System32\uOOteDh.exe
  C:\Windows\System32\uOOteDh.exe
  2⤵
  PID:13000
- C:\Windows\System32\gyPqGIi.exe
  C:\Windows\System32\gyPqGIi.exe
  2⤵
  PID:12264
- C:\Windows\System32\geVuEnZ.exe
  C:\Windows\System32\geVuEnZ.exe
  2⤵
  PID:13076
- C:\Windows\System32\nhYVXfv.exe
  C:\Windows\System32\nhYVXfv.exe
  2⤵
  PID:13160
- C:\Windows\System32\PmBWBCh.exe
  C:\Windows\System32\PmBWBCh.exe
  2⤵
  PID:13232
- C:\Windows\System32\TMMlghH.exe
  C:\Windows\System32\TMMlghH.exe
  2⤵
  PID:13272
- C:\Windows\System32\kYqNraO.exe
  C:\Windows\System32\kYqNraO.exe
  2⤵
  PID:12440
- C:\Windows\System32\LBpgsJy.exe
  C:\Windows\System32\LBpgsJy.exe
  2⤵
  PID:12548

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BINQFuI.exe

Filesize
1.9MB

MD5
f8e5ad76485c93101306ef96671bf44c

SHA1
e722d88d49f67747780dd941f3eeb3ace53279b0

SHA256
5e663a5a9c3a0e4075d1ad54d9268d4694f4bdb05b28e751fe2c07bfdc251681

SHA512
28e2bd4f646ddbe118c3ef8f64e5129a33f9b88d446e6c7e03da40c91f11f6b9291437b7eb8600da22f8114cbff9a97c8410120ee6663058ec0924fdd85f1aae

Download Submit
C:\Windows\System32\DBLIXsG.exe

Filesize
1.9MB

MD5
e891777d4b84982e03df163d3a5af795

SHA1
3e2cecc80c39eca150a7534444918e0824890b55

SHA256
a037042d899c1b317203b5f1780e5777038dae8ea533bb0abae2820740803f01

SHA512
03fa6bf59035cfe1d7da3d2b65e2af183a4ab9a508cf9baac2bd4e767c1dbf057dc94870a8f844226f6fb04d6506182fa415868d0835b672bc63cc6180f8f7a9

Download Submit
C:\Windows\System32\Ivfwvvf.exe

Filesize
1.9MB

MD5
1b7872d11f2d0a9f57455a33483917a8

SHA1
111364b33d3c8580eb4798c633dcbeda4e2ba647

SHA256
e276c270aba0b89f57c41406a62a24039cbcff30a868882bda15d0e05fb4df98

SHA512
2993653b39eb71e8fdcccfddbc3171fea469ffc01d856a6a9a991abe2caff2cb2413552d47a77f575525657174d5564cd101dc5133ff54e71b2913297ddf22d7

Download Submit
C:\Windows\System32\KTxecbq.exe

Filesize
1.9MB

MD5
f9d485f2050cf4859a46429b3f7fb15a

SHA1
1d44347795e4446b12dec4ae7d3ad98fcd1b7baf

SHA256
9701c9f010d2fa2c8cc7dda2c2f9de1cd83422db0dffd107a0281e6e9a680916

SHA512
13651b24e51555e643b14a07faeba88800ffc8753304cedd6766bb3c05add109d7315464b371a2a5720382bcb31d4ff196b4a871366d62bae10bfc0f8bfecd99

Download Submit
C:\Windows\System32\LFJdnly.exe

Filesize
1.9MB

MD5
5e77aa63c63e2fb1fe356344d9ace7e0

SHA1
4b40a29e4cd303314a666670302cd2fb1e2599af

SHA256
07e18c62291129cee55526036b5b2a4e8b16787484cc2d61ee7addaae5b87154

SHA512
cec46ee5cb00dbd262578434ce06ff9341de450f5e14bbb96ab4f8fc5bcc054c1d60d81c570729658452a3ad65b3b364bb6c2a6331b4f69c611a0dae72c25033

Download Submit
C:\Windows\System32\LLMXUYi.exe

Filesize
1.9MB

MD5
aa8189fb261a73f5d67098e6f00fcca6

SHA1
3abf34b950f62ed57fa1ae90263fb434be36baa8

SHA256
a4ed73e8fc5961b3eaddef60b2144610cda283036a9702d617cc29ea19b0c6a4

SHA512
3296298c9b7549ce5379019c6a2e3a8913afa04a16b365eda90330343fdc6e50a97e9b809cec20e29568da0c17c65a869a026315f36055070d8246a5c928981f

Download Submit
C:\Windows\System32\LOvaWgn.exe

Filesize
1.9MB

MD5
9d27aebcd5188a00439d172cfd341c41

SHA1
deb752da1a8f87196e429cc3dca05c2b31d05ca2

SHA256
1167124c4b9f54f8d9edc128dd7dfa6f5448d248951f45bc285d1479ab3632b2

SHA512
e187f6d3340aa5953f694ecf8a211e9ab9481a81839e053276961db02c6ebecf3711902806ec9c9d2254d5525fbca454af7b373ecc620ab51461317265d611ec

Download Submit
C:\Windows\System32\MTzuxqV.exe

Filesize
1.9MB

MD5
92083a6e3e96c586449a87e428e3b404

SHA1
8a6ca548b2dad71fcf2cc7ab3cfc7dc3f1905288

SHA256
fb192292f0e574cfe4043a4a1e9651454e2d23d6049078e784faf416f092e973

SHA512
f6f1ed19558313023cf623f4b7157741f90f60f46c22e1e0a92202e7418e544f0c1fa96ff44975dab23bc2d79bf2e9c4963c15b742f2b2102d2df4ee259f6294

Download Submit
C:\Windows\System32\PGcmnqd.exe

Filesize
1.9MB

MD5
3a2ad8f3c1bd3f8681a2f76cc4306f23

SHA1
a07541b1bb59f4be178b68f3f47098a8acbcec34

SHA256
b8eb6da84dff9287f0ebe3a8ff8b999df8c7b24ce7a1c9c32d019f8251df5328

SHA512
94b752ac1a47cbcdfb1ea5889967c7eac72c502c3416822b142ba4975f470a2a2746d3d93bf367a96234d94fe0e4c13048b2f3ea54ab6979e09b1dffe18131fc

Download Submit
C:\Windows\System32\QZTgYqM.exe

Filesize
1.9MB

MD5
e903c68907e584c06bd5b04b7c7d1927

SHA1
4aa3fc9fca0f55a75e14d4e792b2cce58ccdf938

SHA256
fc96023b1a9595bace02e23a0cad795d920dc6c0760562cb60fd642213dddc4e

SHA512
968263d4b7a3d11a2684ec04e85ba056ad35658ac79e913050f60884388c4fffe52a492bcccb56169460fe5132621ee87d5b0cb4423c84be4fc4b8e919b9528d

Download Submit
C:\Windows\System32\RJUtyHC.exe

Filesize
1.9MB

MD5
6db911f9b0442003e68c69a3f315fcb4

SHA1
e0100053695fbd3f0da3a44b779eae1488815162

SHA256
0ffddb71a385df023a64fb3ba4891d972fd6faa3e312491dae5c8000e5e3317e

SHA512
a8b2ffadd326d5de3aefa5fbde7433e3a81829aec7ceae133bd1ba4c68f2c5135117b8e55a5c462afc39a9267df968aadb8e6e8b61589c4c37be0fafd41ba236

Download Submit
C:\Windows\System32\RjaLCfY.exe

Filesize
1.9MB

MD5
39245fdbf51293b38f8f8db38386e75f

SHA1
be40ae9b03886f388f8903ae3c281cb73aaaa341

SHA256
e8d759bbd22c9d0d9c385d8edd3b7b6b59c878c346c7e78fe063043a737f30cf

SHA512
f72a32cfcf21a648139cf9194543fd594dc62bf2829d5ab7cdacf05cf005a103312243f41d711d6807317ba2a2a3f0a09935cbddb2e23935375f7c68f81a44ef

Download Submit
C:\Windows\System32\VviaTjJ.exe

Filesize
1.9MB

MD5
a0f3c401e9faf04660dc80750d18ecf3

SHA1
a85892a09a9b3f8f4fdf8c9006570cc7733f9254

SHA256
b8412b7bf4dfa2f79e2acdc2c435fbda36d097305623e78f908b4447c173766e

SHA512
279e2df21e23d2bc7c924d4f2294841aad0fa2b67ed4fcbc2b21cd86e4ee3ee4334879169a0afacba5f9334eee5bd9443367143f1582671b3ce4c58542affc62

Download Submit
C:\Windows\System32\WBjYQFo.exe

Filesize
1.9MB

MD5
cd2402f223f826811d8e47fce699c320

SHA1
4fc1e1a7cf1d89963d80a09be7f669eeb937d1e8

SHA256
aa0a364901c54b9c4afe2dbc01ca4583a68bab595328c17a8b93acc993d8c797

SHA512
c5e2b5afa3666a38e8f68693e2d9906aad028b6a4df9a709b69b74841c2ba61bb44397eda1905263d9c4e8de873ed58082acfe0b28f1fe51b518a8ee15979cc8

Download Submit
C:\Windows\System32\WYchjmd.exe

Filesize
1.9MB

MD5
eb8d8855d82f63029ce29ce237bee260

SHA1
5f74d3e220cc5b3e1775478dcd530f835a7afc88

SHA256
158805c2596caabeb85bda82e5b2219b1e1c0eeadd309d15317a7cf31b9db0e3

SHA512
13574b344b5df10a4288199660769f7e1123e3976cba2af8f82486c3b45858808d0aa9ff1a7172d647902b434b7b1ccbf4507bc27381d6ec604c14795df58737

Download Submit
C:\Windows\System32\WfBKxJY.exe

Filesize
1.9MB

MD5
782335be3224ff7f5bf6f55359addf23

SHA1
091a0d41a150663447742df18d1d3f59a0c0d7cb

SHA256
6bffda0f63816dac44cd9b0161fa43ef0df0a9af579953a4a909bab0399c744a

SHA512
c176bd474ae6617c890b51632d79b8bfd1abbe254cc930e8fad9b757c32b0871d400676139c769d428df6816d363a37289099730d60a699f5e153502b8e5279e

Download Submit
C:\Windows\System32\XzHrZhT.exe

Filesize
1.9MB

MD5
da74eefc5edd176606cc6adea2a068ef

SHA1
5582d1a34482c43da06ecce393fc84b59b895dcf

SHA256
e216dd8f47728fdf8bd41273276ca4138d43bae338d5bd06d9a9e5a35b7c91c3

SHA512
3e679178191c764a66d1d135cfd5f29cceaaadbcea12a8a130c1daaa35ed06055eb7720e4dd85321d1ac24da109e16b75d159a4983ae107d3041e4183f6294bb

Download Submit
C:\Windows\System32\ZPpJZEA.exe

Filesize
1.9MB

MD5
4fa4cfbd4243b8ce7b2b1ca2cdde20bc

SHA1
f64cf423be0f9f94b3e4811e1f685881da2df1a8

SHA256
5332b027a1527d43a119fa4f82d2a9f2675c29c489ed29bd10c9b488a35daa5a

SHA512
9b71dd2e6d7d7e03d4fd47ea3734acda51120414164f13a378d37287f2604201c4d9ba4aab0a434227a04d63cfc6f60af183444ac3fb4f52af6651e0b9d544bc

Download Submit
C:\Windows\System32\ZqJVaNG.exe

Filesize
1.9MB

MD5
5e5f1ed55b80f9f6f61bc331f39b838b

SHA1
3d52ab8ce44261f1fb93f22794f308cd3621f487

SHA256
6df9ea42da1dd8e83ddb1844dce9a079b51560bf7cd012fbb9942c0fa3a2b251

SHA512
73c14357649c7a3433333ce2389c910b1a22b42f03878aa3b64a23f0eb9a734a658b69067ef1afb662040d503596c2437d1da7db63595968ba4592827bb53f20

Download Submit
C:\Windows\System32\egVzdML.exe

Filesize
1.9MB

MD5
faed7325bc6bcf209bad9906653a796a

SHA1
df9e8517fc0454abdc2c62b4f6693e3554b3c25e

SHA256
5891b20f5e1a7e624afae037720eaaa85a19d7e1045f2fa83629840fce61248d

SHA512
aa3596c4a68661f30c7379a6c9afb80cbf746743e9dc6b1bcf1acf651fadea4aa1c4c747161c7358180af450ba257ab3718d4271d7e712508943582607e2cdb3

Download Submit
C:\Windows\System32\gtyMWWJ.exe

Filesize
1.9MB

MD5
4a9ae04fb1630e78b9586d5a5cebe8ab

SHA1
d1a4ecde90a2457d3f569354952c8d703fede003

SHA256
16da5126afe7f825a0d56287518ca77386a9966ca43e78fbb668a5876bacd929

SHA512
303437445301b9dab57cffacb6486f34053e7638aee56cedc0de78c1af52b6a014d25204221bc895b244bbbbf9d7168c52d16456e3064ec2583742a8afa7a821

Download Submit
C:\Windows\System32\hhJwITH.exe

Filesize
1.9MB

MD5
454aa5687848649a6d47863a0720382d

SHA1
05f6dfb51fc404b5f85e64c3f0c375e1cb9b27a3

SHA256
b90b19c73ff13763c64600f473e4b2871810166f5e921b317654b869364d7f44

SHA512
ccc3e90d3ff82a8ff711c137a12ef1e14e5c97b39cfb51a25066f5049105b06600ce6552b5f7413dbb9348c64be2f1b39b339eb543f31d2d209cb60f75d76a40

Download Submit
C:\Windows\System32\hpgkCxW.exe

Filesize
1.9MB

MD5
25afa455c304d15bf501dec7407c77ed

SHA1
ca93ffc65c98227983a226baacd04b7e94c63ad3

SHA256
06b7b58ac79f942693aa9e79a4071dd5332232455bc0c2f3910d68b19c63736f

SHA512
4cc0b71b7be65721ae2262e9b8c2c70ff6591ac57efa115080f1553e38f544db8a43c7c06d307e760422c96b350fa60e5530f5e98239996da9906cb4892c38d6

Download Submit
C:\Windows\System32\kYujoqp.exe

Filesize
1.9MB

MD5
ce7b41cf7146112bb5226753c653c818

SHA1
f5b2751ee2d859e1f4edbfabcbcb121c04779c3d

SHA256
27c9f707e694a3c27e20d8be099293b8be6e517519ed7f7584b0d3f0b0ba5041

SHA512
995afb9cf78ce79597d1c6e48acd1abf96503d943db5d4ca4ad58cc55204bde97ff1e8e045c3b1533b4e5180899f9951d86c1d10168ad33612055de6fcd9aea7

Download Submit
C:\Windows\System32\mZHVxng.exe

Filesize
1.9MB

MD5
5702ac8821deeb5ef864f833765aff91

SHA1
e5969ec80f3bc10ddc807dff422110f675e480f0

SHA256
298a88a4365a89c0b30e8d1b2edfc67ce31cd706e35bf3a9c7c1fcf9b08981d8

SHA512
5e8f3f7357247035c543145a3f514533eff8264a88d29253bb05a865d31360eeefe247450d5bc9acf00a60d8ff3aff9fc22905440f9377e82544db6b0f916626

Download Submit
C:\Windows\System32\oGGGThz.exe

Filesize
1.9MB

MD5
37d4bd2a85e72197f19a2dea4e666910

SHA1
f57005f4c278114a04307c8724d1eddfbb9ca4fd

SHA256
17f426379f5832b1e134d5e6ffb591a80d4fa3820c52f794b9730fe9eda3eec2

SHA512
e298e09c0712870fafc13bffa97441897eedcb30f2013d6efbe975612f5337fc75f82deda757b84c508b2b211202e15c049d951320d1f936ceebad4e75167278

Download Submit
C:\Windows\System32\pFqqqyu.exe

Filesize
1.9MB

MD5
cd6ea3a95d5d0a84727ccd2534cc1d06

SHA1
15b87eac37265fb89791dab1a9b31c7fe07d857c

SHA256
8a8eba792bdd13d54b5810e362992133a0cfee445eeb8aeb528e38ded3bf7c2b

SHA512
13a705b07d6bd42530659b118f8606129f46789c9ee1df2a28818178d57b74267d8f91a71a2cfd1b31631a83fba5e2f1820e22eee9906c29da6d9bd30afda4b0

Download Submit
C:\Windows\System32\pSLuKYd.exe

Filesize
1.9MB

MD5
a25c19c9c30a9d2ef0fd6a027548cdd3

SHA1
8a57b56a8c63f9527033148d7d6116172473fb39

SHA256
42181e519fc87a92c9ce0ab2ca05a503ad37b9429fef38ecf5c1da6246e40264

SHA512
1bcc8c302736cece8ea8528dee11f72c7f2e2ed523b6330b3c76ae74cc8347b7bc1c50e8dd1bfbb94d710cfc734687d52581aca33d458f0b54a4fe57cf5d1e43

Download Submit
C:\Windows\System32\vAGEoOn.exe

Filesize
1.9MB

MD5
4e7add88d0a3627bdd24ee0440743827

SHA1
e78365b0a3034f18c54fe99cfec14e64cb885771

SHA256
0ba02394a15ea4c05fdaecc4f89eb2a327816825f210d869827c181a8ceaa915

SHA512
178338308db0543315f1ae508c47300b0eb77b58eca3f442e527dc15712aa70e4bfe0dcb7e5cf8eba3feca48c3b378918d358d19e0026e0b944a66160c002a03

Download Submit
C:\Windows\System32\vBlsTkI.exe

Filesize
1.9MB

MD5
d8628fc884e11fb49051a356c9488638

SHA1
6e790fb82b860237e665fde513067568aab0d3d1

SHA256
82a7cd9e33f5e4f20278ed7ce14970fd075f2d20de3f4a234164fcf43181cd77

SHA512
7beb1020bccba8fef6e39e22d2403c5aca4577f4a23f529304b43d501a188c3f9c1cb9b518bcd2cf2fd3b370009e58043eee52419ebe031de136d832334491ca

Download Submit
C:\Windows\System32\ySrlKTY.exe

Filesize
1.9MB

MD5
d904963e9d7d69c85aa15d7e97cbe504

SHA1
27de29ec7646954b14de0c1130180738ec2183fa

SHA256
9bdbfc0691be4d23aaae9beb93c1abff54b587868ce0c8fa5b199018e973d2c0

SHA512
24226628b5f4b5791bdba2a05e7cd7910b5b10a73724b6c69d1894cd2a4e91c4af4e1ac40e1b4be5e1309203a87f5d68e4c99f2ea371ad2159cb07830e90ec94

Download Submit
C:\Windows\System32\ysLtQda.exe

Filesize
1.9MB

MD5
2a19305c709370dcb4a02bd3da1db594

SHA1
267f8bde9373e7973bdedb5c49392632acaa4aa3

SHA256
c1478556795eb11b7191c4efe84e00b52fe58c572688d17a5c6559c3aa916832

SHA512
97c6630da88f6fc8e8971221088fa11f293abccd63f12d418dc92326187a9100550d1f283be858b46e40f23482face1a8ad52df5da952f8aa16495261db531e6

Download Submit
memory/228-2039-0x00007FF7A89D0000-0x00007FF7A8DC1000-memory.dmp

Filesize
3.9MB

Download
memory/228-505-0x00007FF7A89D0000-0x00007FF7A8DC1000-memory.dmp

Filesize
3.9MB

Download
memory/444-2020-0x00007FF66F020000-0x00007FF66F411000-memory.dmp

Filesize
3.9MB

Download
memory/444-543-0x00007FF66F020000-0x00007FF66F411000-memory.dmp

Filesize
3.9MB

Download
memory/588-11-0x00007FF629150000-0x00007FF629541000-memory.dmp

Filesize
3.9MB

Download
memory/588-1997-0x00007FF629150000-0x00007FF629541000-memory.dmp

Filesize
3.9MB

Download
memory/752-2044-0x00007FF66B730000-0x00007FF66BB21000-memory.dmp

Filesize
3.9MB

Download
memory/752-545-0x00007FF66B730000-0x00007FF66BB21000-memory.dmp

Filesize
3.9MB

Download
memory/1396-2001-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp

Filesize
3.9MB

Download
memory/1396-1986-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp

Filesize
3.9MB

Download
memory/1396-21-0x00007FF75EF50000-0x00007FF75F341000-memory.dmp

Filesize
3.9MB

Download
memory/1580-0-0x00007FF669A70000-0x00007FF669E61000-memory.dmp

Filesize
3.9MB

Download
memory/1580-1-0x000001E1C9FF0000-0x000001E1CA000000-memory.dmp

Filesize
64KB

Download
memory/1640-492-0x00007FF730500000-0x00007FF7308F1000-memory.dmp

Filesize
3.9MB

Download
memory/1640-2017-0x00007FF730500000-0x00007FF7308F1000-memory.dmp

Filesize
3.9MB

Download
memory/1652-2016-0x00007FF6236C0000-0x00007FF623AB1000-memory.dmp

Filesize
3.9MB

Download
memory/1652-482-0x00007FF6236C0000-0x00007FF623AB1000-memory.dmp

Filesize
3.9MB

Download
memory/1760-2011-0x00007FF764840000-0x00007FF764C31000-memory.dmp

Filesize
3.9MB

Download
memory/1760-446-0x00007FF764840000-0x00007FF764C31000-memory.dmp

Filesize
3.9MB

Download
memory/1804-529-0x00007FF659790000-0x00007FF659B81000-memory.dmp

Filesize
3.9MB

Download
memory/1804-2031-0x00007FF659790000-0x00007FF659B81000-memory.dmp

Filesize
3.9MB

Download
memory/2684-2003-0x00007FF61D150000-0x00007FF61D541000-memory.dmp

Filesize
3.9MB

Download
memory/2684-22-0x00007FF61D150000-0x00007FF61D541000-memory.dmp

Filesize
3.9MB

Download
memory/2684-1992-0x00007FF61D150000-0x00007FF61D541000-memory.dmp

Filesize
3.9MB

Download
memory/2940-2007-0x00007FF7696F0000-0x00007FF769AE1000-memory.dmp

Filesize
3.9MB

Download
memory/2940-452-0x00007FF7696F0000-0x00007FF769AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3184-2013-0x00007FF62E1B0000-0x00007FF62E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/3184-476-0x00007FF62E1B0000-0x00007FF62E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/3204-449-0x00007FF61BD00000-0x00007FF61C0F1000-memory.dmp

Filesize
3.9MB

Download
memory/3204-2009-0x00007FF61BD00000-0x00007FF61C0F1000-memory.dmp

Filesize
3.9MB

Download
memory/3260-2023-0x00007FF7ADBC0000-0x00007FF7ADFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3260-540-0x00007FF7ADBC0000-0x00007FF7ADFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3600-2005-0x00007FF775400000-0x00007FF7757F1000-memory.dmp

Filesize
3.9MB

Download
memory/3600-468-0x00007FF775400000-0x00007FF7757F1000-memory.dmp

Filesize
3.9MB

Download
memory/3800-2034-0x00007FF732DA0000-0x00007FF733191000-memory.dmp

Filesize
3.9MB

Download
memory/3800-518-0x00007FF732DA0000-0x00007FF733191000-memory.dmp

Filesize
3.9MB

Download
memory/3852-526-0x00007FF67D890000-0x00007FF67DC81000-memory.dmp

Filesize
3.9MB

Download
memory/3852-2029-0x00007FF67D890000-0x00007FF67DC81000-memory.dmp

Filesize
3.9MB

Download
memory/3888-534-0x00007FF6F07D0000-0x00007FF6F0BC1000-memory.dmp

Filesize
3.9MB

Download
memory/3888-2027-0x00007FF6F07D0000-0x00007FF6F0BC1000-memory.dmp

Filesize
3.9MB

Download
memory/4164-510-0x00007FF685DA0000-0x00007FF686191000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2037-0x00007FF685DA0000-0x00007FF686191000-memory.dmp

Filesize
3.9MB

Download
memory/4400-2041-0x00007FF695D00000-0x00007FF6960F1000-memory.dmp

Filesize
3.9MB

Download
memory/4400-495-0x00007FF695D00000-0x00007FF6960F1000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2000-0x00007FF66D450000-0x00007FF66D841000-memory.dmp

Filesize
3.9MB

Download
memory/4620-1985-0x00007FF66D450000-0x00007FF66D841000-memory.dmp

Filesize
3.9MB

Download
memory/4620-14-0x00007FF66D450000-0x00007FF66D841000-memory.dmp

Filesize
3.9MB

Download
memory/4780-523-0x00007FF6B8500000-0x00007FF6B88F1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2033-0x00007FF6B8500000-0x00007FF6B88F1000-memory.dmp

Filesize
3.9MB

Download
memory/4796-539-0x00007FF7E0390000-0x00007FF7E0781000-memory.dmp

Filesize
3.9MB

Download
memory/4796-2024-0x00007FF7E0390000-0x00007FF7E0781000-memory.dmp

Filesize
3.9MB

Download
memory/4800-2042-0x00007FF7E0EC0000-0x00007FF7E12B1000-memory.dmp

Filesize
3.9MB

Download
memory/4800-498-0x00007FF7E0EC0000-0x00007FF7E12B1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads