xmrig | 3c6a3ef6cf21318653d8f2072c6e5ed2e693c10676db5c54fe2c73543824c12e

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
Size

2.9MB
MD5

11c766dc1b08f844e0807bc282fe2a50
SHA1

37f99b36030abe40493531935e37eedae3285af0
SHA256

3c6a3ef6cf21318653d8f2072c6e5ed2e693c10676db5c54fe2c73543824c12e
SHA512

103436ac98bffcb3926a5a6c15b25de1b0da343c54a9c62321e669a2f4af2d2350467deb8e319de9c8664e225068661f533200151171ed2b87ed18a7a8daf4cd
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzzxTMS8Tg0FdC6Ro:N0GnJMOWPClFdx6e0EALKWVTffZiPAcH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1784-0-0x00007FF623860000-0x00007FF623C55000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/memory/2536-9-0x00007FF737230000-0x00007FF737625000-memory.dmp	xmrig
behavioral2/files/0x00090000000233f0-11.dat	xmrig
behavioral2/files/0x00080000000233f5-10.dat	xmrig
behavioral2/memory/2768-17-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f7-29.dat	xmrig
behavioral2/files/0x00070000000233f8-32.dat	xmrig
behavioral2/files/0x00070000000233f9-37.dat	xmrig
behavioral2/files/0x00070000000233fa-44.dat	xmrig
behavioral2/files/0x00070000000233fd-59.dat	xmrig
behavioral2/files/0x0007000000023401-79.dat	xmrig
behavioral2/files/0x0007000000023403-89.dat	xmrig
behavioral2/files/0x000700000002340b-129.dat	xmrig
behavioral2/files/0x000700000002340e-144.dat	xmrig
behavioral2/files/0x0007000000023412-164.dat	xmrig
behavioral2/files/0x0007000000023411-159.dat	xmrig
behavioral2/files/0x0007000000023410-154.dat	xmrig
behavioral2/files/0x000700000002340f-149.dat	xmrig
behavioral2/files/0x000700000002340d-139.dat	xmrig
behavioral2/files/0x000700000002340c-134.dat	xmrig
behavioral2/files/0x000700000002340a-124.dat	xmrig
behavioral2/files/0x0007000000023409-119.dat	xmrig
behavioral2/files/0x0007000000023408-114.dat	xmrig
behavioral2/files/0x0007000000023407-109.dat	xmrig
behavioral2/files/0x0007000000023406-104.dat	xmrig
behavioral2/files/0x0007000000023405-99.dat	xmrig
behavioral2/files/0x0007000000023404-94.dat	xmrig
behavioral2/files/0x0007000000023402-84.dat	xmrig
behavioral2/files/0x0007000000023400-74.dat	xmrig
behavioral2/files/0x00070000000233ff-69.dat	xmrig
behavioral2/files/0x00070000000233fe-64.dat	xmrig
behavioral2/files/0x00070000000233fc-54.dat	xmrig
behavioral2/files/0x00070000000233fb-49.dat	xmrig
behavioral2/files/0x00080000000233f6-24.dat	xmrig
behavioral2/memory/4300-18-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	xmrig
behavioral2/memory/436-819-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp	xmrig
behavioral2/memory/2512-823-0x00007FF65BFA0000-0x00007FF65C395000-memory.dmp	xmrig
behavioral2/memory/2520-829-0x00007FF7E7810000-0x00007FF7E7C05000-memory.dmp	xmrig
behavioral2/memory/3036-834-0x00007FF601110000-0x00007FF601505000-memory.dmp	xmrig
behavioral2/memory/2616-838-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp	xmrig
behavioral2/memory/2388-846-0x00007FF7AEE30000-0x00007FF7AF225000-memory.dmp	xmrig
behavioral2/memory/2208-854-0x00007FF7A1C60000-0x00007FF7A2055000-memory.dmp	xmrig
behavioral2/memory/1284-861-0x00007FF668D90000-0x00007FF669185000-memory.dmp	xmrig
behavioral2/memory/748-865-0x00007FF7AC0D0000-0x00007FF7AC4C5000-memory.dmp	xmrig
behavioral2/memory/1968-869-0x00007FF6324C0000-0x00007FF6328B5000-memory.dmp	xmrig
behavioral2/memory/4424-888-0x00007FF641870000-0x00007FF641C65000-memory.dmp	xmrig
behavioral2/memory/5064-896-0x00007FF63D100000-0x00007FF63D4F5000-memory.dmp	xmrig
behavioral2/memory/4480-899-0x00007FF70AF50000-0x00007FF70B345000-memory.dmp	xmrig
behavioral2/memory/5068-901-0x00007FF7DFA10000-0x00007FF7DFE05000-memory.dmp	xmrig
behavioral2/memory/4024-906-0x00007FF6FAAD0000-0x00007FF6FAEC5000-memory.dmp	xmrig
behavioral2/memory/344-893-0x00007FF6BA6B0000-0x00007FF6BAAA5000-memory.dmp	xmrig
behavioral2/memory/2540-892-0x00007FF60D2E0000-0x00007FF60D6D5000-memory.dmp	xmrig
behavioral2/memory/2764-914-0x00007FF6B6A10000-0x00007FF6B6E05000-memory.dmp	xmrig
behavioral2/memory/1964-917-0x00007FF78BEB0000-0x00007FF78C2A5000-memory.dmp	xmrig
behavioral2/memory/1808-911-0x00007FF777400000-0x00007FF7777F5000-memory.dmp	xmrig
behavioral2/memory/4368-925-0x00007FF63EE80000-0x00007FF63F275000-memory.dmp	xmrig
behavioral2/memory/2536-1912-0x00007FF737230000-0x00007FF737625000-memory.dmp	xmrig
behavioral2/memory/4300-1913-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	xmrig
behavioral2/memory/2536-1914-0x00007FF737230000-0x00007FF737625000-memory.dmp	xmrig
behavioral2/memory/2768-1915-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp	xmrig
behavioral2/memory/436-1917-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp	xmrig
behavioral2/memory/4300-1916-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	xmrig
behavioral2/memory/2616-1923-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2536	KcEauPA.exe
2768	wwpMxoB.exe
4300	EcgjzEH.exe
436	gowmzUS.exe
2512	tLJPtXF.exe
2520	hyDKany.exe
3036	agWTWgy.exe
2616	sorWgjQ.exe
2388	nKfWuWn.exe
2208	QyyHugA.exe
1284	GVeMuWi.exe
748	XsdgMDq.exe
1968	Nsddagh.exe
4424	TAtHGwv.exe
2540	tVVLIze.exe
344	eDvtCuE.exe
5064	vwsaXcr.exe
4480	HqREPAi.exe
5068	nKirsLi.exe
4024	fsfRAsx.exe
1808	IGqCxwV.exe
2764	fYDLcOQ.exe
1964	duriTIz.exe
4368	JFPcfrp.exe
4408	apAsDGo.exe
1932	joLSYRO.exe
4072	rCNzeDZ.exe
4208	rYSXvtW.exe
3448	SwnFCia.exe
4268	NrERroh.exe
1664	QpMGYHa.exe
4888	MvbWgks.exe
3556	NHdvRwv.exe
1948	rfhyCUS.exe
4904	SWtVRet.exe
1492	LuqEJVM.exe
3352	bvJUuqt.exe
4816	xXPoVin.exe
4660	PxRUCtg.exe
544	PNVMRnM.exe
3704	UOtgONc.exe
1068	sRJZoHM.exe
5048	tiqcHej.exe
3096	mThpnmg.exe
2788	xDnwQeG.exe
4236	PTWrKYX.exe
4140	lBfvMqt.exe
1112	zBSxLyE.exe
1944	qaHIroY.exe
2004	EdvBPUd.exe
1996	zVeqGVW.exe
4364	ciJNJNO.exe
648	jTHHAMm.exe
2948	HHylcAD.exe
3664	WZNHuDX.exe
3052	pPnlfmu.exe
1408	xYKfUuB.exe
4920	MCqwPhZ.exe
3888	GfCPEgR.exe
1556	xebZmQg.exe
5028	IvKLvMQ.exe
5052	TDEcleO.exe
3924	MNYHCoG.exe
1632	OyTmnyh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1784-0-0x00007FF623860000-0x00007FF623C55000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/memory/2536-9-0x00007FF737230000-0x00007FF737625000-memory.dmp	upx
behavioral2/files/0x00090000000233f0-11.dat	upx
behavioral2/files/0x00080000000233f5-10.dat	upx
behavioral2/memory/2768-17-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-29.dat	upx
behavioral2/files/0x00070000000233f8-32.dat	upx
behavioral2/files/0x00070000000233f9-37.dat	upx
behavioral2/files/0x00070000000233fa-44.dat	upx
behavioral2/files/0x00070000000233fd-59.dat	upx
behavioral2/files/0x0007000000023401-79.dat	upx
behavioral2/files/0x0007000000023403-89.dat	upx
behavioral2/files/0x000700000002340b-129.dat	upx
behavioral2/files/0x000700000002340e-144.dat	upx
behavioral2/files/0x0007000000023412-164.dat	upx
behavioral2/files/0x0007000000023411-159.dat	upx
behavioral2/files/0x0007000000023410-154.dat	upx
behavioral2/files/0x000700000002340f-149.dat	upx
behavioral2/files/0x000700000002340d-139.dat	upx
behavioral2/files/0x000700000002340c-134.dat	upx
behavioral2/files/0x000700000002340a-124.dat	upx
behavioral2/files/0x0007000000023409-119.dat	upx
behavioral2/files/0x0007000000023408-114.dat	upx
behavioral2/files/0x0007000000023407-109.dat	upx
behavioral2/files/0x0007000000023406-104.dat	upx
behavioral2/files/0x0007000000023405-99.dat	upx
behavioral2/files/0x0007000000023404-94.dat	upx
behavioral2/files/0x0007000000023402-84.dat	upx
behavioral2/files/0x0007000000023400-74.dat	upx
behavioral2/files/0x00070000000233ff-69.dat	upx
behavioral2/files/0x00070000000233fe-64.dat	upx
behavioral2/files/0x00070000000233fc-54.dat	upx
behavioral2/files/0x00070000000233fb-49.dat	upx
behavioral2/files/0x00080000000233f6-24.dat	upx
behavioral2/memory/4300-18-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	upx
behavioral2/memory/436-819-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp	upx
behavioral2/memory/2512-823-0x00007FF65BFA0000-0x00007FF65C395000-memory.dmp	upx
behavioral2/memory/2520-829-0x00007FF7E7810000-0x00007FF7E7C05000-memory.dmp	upx
behavioral2/memory/3036-834-0x00007FF601110000-0x00007FF601505000-memory.dmp	upx
behavioral2/memory/2616-838-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp	upx
behavioral2/memory/2388-846-0x00007FF7AEE30000-0x00007FF7AF225000-memory.dmp	upx
behavioral2/memory/2208-854-0x00007FF7A1C60000-0x00007FF7A2055000-memory.dmp	upx
behavioral2/memory/1284-861-0x00007FF668D90000-0x00007FF669185000-memory.dmp	upx
behavioral2/memory/748-865-0x00007FF7AC0D0000-0x00007FF7AC4C5000-memory.dmp	upx
behavioral2/memory/1968-869-0x00007FF6324C0000-0x00007FF6328B5000-memory.dmp	upx
behavioral2/memory/4424-888-0x00007FF641870000-0x00007FF641C65000-memory.dmp	upx
behavioral2/memory/5064-896-0x00007FF63D100000-0x00007FF63D4F5000-memory.dmp	upx
behavioral2/memory/4480-899-0x00007FF70AF50000-0x00007FF70B345000-memory.dmp	upx
behavioral2/memory/5068-901-0x00007FF7DFA10000-0x00007FF7DFE05000-memory.dmp	upx
behavioral2/memory/4024-906-0x00007FF6FAAD0000-0x00007FF6FAEC5000-memory.dmp	upx
behavioral2/memory/344-893-0x00007FF6BA6B0000-0x00007FF6BAAA5000-memory.dmp	upx
behavioral2/memory/2540-892-0x00007FF60D2E0000-0x00007FF60D6D5000-memory.dmp	upx
behavioral2/memory/2764-914-0x00007FF6B6A10000-0x00007FF6B6E05000-memory.dmp	upx
behavioral2/memory/1964-917-0x00007FF78BEB0000-0x00007FF78C2A5000-memory.dmp	upx
behavioral2/memory/1808-911-0x00007FF777400000-0x00007FF7777F5000-memory.dmp	upx
behavioral2/memory/4368-925-0x00007FF63EE80000-0x00007FF63F275000-memory.dmp	upx
behavioral2/memory/2536-1912-0x00007FF737230000-0x00007FF737625000-memory.dmp	upx
behavioral2/memory/4300-1913-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	upx
behavioral2/memory/2536-1914-0x00007FF737230000-0x00007FF737625000-memory.dmp	upx
behavioral2/memory/2768-1915-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp	upx
behavioral2/memory/436-1917-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp	upx
behavioral2/memory/4300-1916-0x00007FF674DA0000-0x00007FF675195000-memory.dmp	upx
behavioral2/memory/2616-1923-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\pJUGIwJ.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\AIayIBh.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\kDkMfKm.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\iEuIujr.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\bLoUewa.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\JZeDejs.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\OPmRpWJ.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\zWyUcpA.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\gOJErTT.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\VvWGPDX.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\IZjIICB.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\ZFhesRN.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\utIeTcA.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\AFbpLKz.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\TVrlBcL.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\rzNoKUJ.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\UtqDndp.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\JswMbuX.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\akwmNzf.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\WUBOQSh.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\NQnPqXs.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\OyTmnyh.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\qfCHBXu.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\YuEEulH.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\ciJNJNO.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\AdgJPzZ.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\xqGFtsq.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\bqFhlcs.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\kxZweFC.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\TUbTlIS.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\LhAIfjq.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\UheiRJH.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\qsfPwWa.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\ZiUFtyx.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\LAyQVXv.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\AMIfOIA.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\InGAKfI.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\IUortNe.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\Nsddagh.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\XlSzVbi.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\ACOZGQO.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\YzbKqbH.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\KHYXVII.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\HMxbyHn.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\ZpqumiS.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\EgDIqsw.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\lOPGPib.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\DaiTBhB.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\FRCjNEH.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\LPJTqhx.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\qXEPQQv.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\CiWPCtT.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\KcoUYTL.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\gHqjiMY.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\zOgApMZ.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\RvFErbK.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\TONWTzI.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\njbTEMN.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\tficwnP.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\uWndSrm.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\JTweedm.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\Pxbuntt.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\RNVGprc.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
File created	C:\Windows\System32\xtCGCRm.exe	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13136	dwm.exe
Token: SeChangeNotifyPrivilege	13136	dwm.exe
Token: 33	13136	dwm.exe
Token: SeIncBasePriorityPrivilege	13136	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2536	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	83
PID 1784 wrote to memory of 2536	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	83
PID 1784 wrote to memory of 2768	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	84
PID 1784 wrote to memory of 2768	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	84
PID 1784 wrote to memory of 4300	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	85
PID 1784 wrote to memory of 4300	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	85
PID 1784 wrote to memory of 436	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	86
PID 1784 wrote to memory of 436	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	86
PID 1784 wrote to memory of 2512	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	87
PID 1784 wrote to memory of 2512	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	87
PID 1784 wrote to memory of 2520	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	88
PID 1784 wrote to memory of 2520	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	88
PID 1784 wrote to memory of 3036	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	89
PID 1784 wrote to memory of 3036	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	89
PID 1784 wrote to memory of 2616	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	90
PID 1784 wrote to memory of 2616	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	90
PID 1784 wrote to memory of 2388	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	91
PID 1784 wrote to memory of 2388	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	91
PID 1784 wrote to memory of 2208	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	92
PID 1784 wrote to memory of 2208	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	92
PID 1784 wrote to memory of 1284	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	93
PID 1784 wrote to memory of 1284	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	93
PID 1784 wrote to memory of 748	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	94
PID 1784 wrote to memory of 748	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	94
PID 1784 wrote to memory of 1968	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	95
PID 1784 wrote to memory of 1968	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	95
PID 1784 wrote to memory of 4424	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	96
PID 1784 wrote to memory of 4424	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	96
PID 1784 wrote to memory of 2540	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	97
PID 1784 wrote to memory of 2540	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	97
PID 1784 wrote to memory of 344	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	98
PID 1784 wrote to memory of 344	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	98
PID 1784 wrote to memory of 5064	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	99
PID 1784 wrote to memory of 5064	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	99
PID 1784 wrote to memory of 4480	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	100
PID 1784 wrote to memory of 4480	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	100
PID 1784 wrote to memory of 5068	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	101
PID 1784 wrote to memory of 5068	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	101
PID 1784 wrote to memory of 4024	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	102
PID 1784 wrote to memory of 4024	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	102
PID 1784 wrote to memory of 1808	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	103
PID 1784 wrote to memory of 1808	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	103
PID 1784 wrote to memory of 2764	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	104
PID 1784 wrote to memory of 2764	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	104
PID 1784 wrote to memory of 1964	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	105
PID 1784 wrote to memory of 1964	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	105
PID 1784 wrote to memory of 4368	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	106
PID 1784 wrote to memory of 4368	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	106
PID 1784 wrote to memory of 4408	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	107
PID 1784 wrote to memory of 4408	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	107
PID 1784 wrote to memory of 1932	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	108
PID 1784 wrote to memory of 1932	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	108
PID 1784 wrote to memory of 4072	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	109
PID 1784 wrote to memory of 4072	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	109
PID 1784 wrote to memory of 4208	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	110
PID 1784 wrote to memory of 4208	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	110
PID 1784 wrote to memory of 3448	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	111
PID 1784 wrote to memory of 3448	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	111
PID 1784 wrote to memory of 4268	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	112
PID 1784 wrote to memory of 4268	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	112
PID 1784 wrote to memory of 1664	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	113
PID 1784 wrote to memory of 1664	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	113
PID 1784 wrote to memory of 4888	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	114
PID 1784 wrote to memory of 4888	1784	11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11c766dc1b08f844e0807bc282fe2a50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\System32\KcEauPA.exe
  C:\Windows\System32\KcEauPA.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\wwpMxoB.exe
  C:\Windows\System32\wwpMxoB.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\EcgjzEH.exe
  C:\Windows\System32\EcgjzEH.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\gowmzUS.exe
  C:\Windows\System32\gowmzUS.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\tLJPtXF.exe
  C:\Windows\System32\tLJPtXF.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System32\hyDKany.exe
  C:\Windows\System32\hyDKany.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System32\agWTWgy.exe
  C:\Windows\System32\agWTWgy.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\sorWgjQ.exe
  C:\Windows\System32\sorWgjQ.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\nKfWuWn.exe
  C:\Windows\System32\nKfWuWn.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\QyyHugA.exe
  C:\Windows\System32\QyyHugA.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\GVeMuWi.exe
  C:\Windows\System32\GVeMuWi.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System32\XsdgMDq.exe
  C:\Windows\System32\XsdgMDq.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\Nsddagh.exe
  C:\Windows\System32\Nsddagh.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\TAtHGwv.exe
  C:\Windows\System32\TAtHGwv.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\tVVLIze.exe
  C:\Windows\System32\tVVLIze.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System32\eDvtCuE.exe
  C:\Windows\System32\eDvtCuE.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System32\vwsaXcr.exe
  C:\Windows\System32\vwsaXcr.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\HqREPAi.exe
  C:\Windows\System32\HqREPAi.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\nKirsLi.exe
  C:\Windows\System32\nKirsLi.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\fsfRAsx.exe
  C:\Windows\System32\fsfRAsx.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\IGqCxwV.exe
  C:\Windows\System32\IGqCxwV.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\fYDLcOQ.exe
  C:\Windows\System32\fYDLcOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\duriTIz.exe
  C:\Windows\System32\duriTIz.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\JFPcfrp.exe
  C:\Windows\System32\JFPcfrp.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\apAsDGo.exe
  C:\Windows\System32\apAsDGo.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\joLSYRO.exe
  C:\Windows\System32\joLSYRO.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\rCNzeDZ.exe
  C:\Windows\System32\rCNzeDZ.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\rYSXvtW.exe
  C:\Windows\System32\rYSXvtW.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\SwnFCia.exe
  C:\Windows\System32\SwnFCia.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\NrERroh.exe
  C:\Windows\System32\NrERroh.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\QpMGYHa.exe
  C:\Windows\System32\QpMGYHa.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\MvbWgks.exe
  C:\Windows\System32\MvbWgks.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\NHdvRwv.exe
  C:\Windows\System32\NHdvRwv.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\rfhyCUS.exe
  C:\Windows\System32\rfhyCUS.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\SWtVRet.exe
  C:\Windows\System32\SWtVRet.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\LuqEJVM.exe
  C:\Windows\System32\LuqEJVM.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\bvJUuqt.exe
  C:\Windows\System32\bvJUuqt.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\xXPoVin.exe
  C:\Windows\System32\xXPoVin.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System32\PxRUCtg.exe
  C:\Windows\System32\PxRUCtg.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\PNVMRnM.exe
  C:\Windows\System32\PNVMRnM.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\UOtgONc.exe
  C:\Windows\System32\UOtgONc.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\sRJZoHM.exe
  C:\Windows\System32\sRJZoHM.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\tiqcHej.exe
  C:\Windows\System32\tiqcHej.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\mThpnmg.exe
  C:\Windows\System32\mThpnmg.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\xDnwQeG.exe
  C:\Windows\System32\xDnwQeG.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\PTWrKYX.exe
  C:\Windows\System32\PTWrKYX.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\lBfvMqt.exe
  C:\Windows\System32\lBfvMqt.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\zBSxLyE.exe
  C:\Windows\System32\zBSxLyE.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System32\qaHIroY.exe
  C:\Windows\System32\qaHIroY.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\EdvBPUd.exe
  C:\Windows\System32\EdvBPUd.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\zVeqGVW.exe
  C:\Windows\System32\zVeqGVW.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\ciJNJNO.exe
  C:\Windows\System32\ciJNJNO.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\jTHHAMm.exe
  C:\Windows\System32\jTHHAMm.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System32\HHylcAD.exe
  C:\Windows\System32\HHylcAD.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\WZNHuDX.exe
  C:\Windows\System32\WZNHuDX.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\pPnlfmu.exe
  C:\Windows\System32\pPnlfmu.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\xYKfUuB.exe
  C:\Windows\System32\xYKfUuB.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\MCqwPhZ.exe
  C:\Windows\System32\MCqwPhZ.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\GfCPEgR.exe
  C:\Windows\System32\GfCPEgR.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\xebZmQg.exe
  C:\Windows\System32\xebZmQg.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\IvKLvMQ.exe
  C:\Windows\System32\IvKLvMQ.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\TDEcleO.exe
  C:\Windows\System32\TDEcleO.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\MNYHCoG.exe
  C:\Windows\System32\MNYHCoG.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\OyTmnyh.exe
  C:\Windows\System32\OyTmnyh.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\isPLIoe.exe
  C:\Windows\System32\isPLIoe.exe
  2⤵
  PID:4256
- C:\Windows\System32\CiWPCtT.exe
  C:\Windows\System32\CiWPCtT.exe
  2⤵
  PID:1064
- C:\Windows\System32\gMKeaoa.exe
  C:\Windows\System32\gMKeaoa.exe
  2⤵
  PID:4312
- C:\Windows\System32\srqxzJf.exe
  C:\Windows\System32\srqxzJf.exe
  2⤵
  PID:4632
- C:\Windows\System32\juYbUsr.exe
  C:\Windows\System32\juYbUsr.exe
  2⤵
  PID:4100
- C:\Windows\System32\zWyUcpA.exe
  C:\Windows\System32\zWyUcpA.exe
  2⤵
  PID:920
- C:\Windows\System32\kRknWFC.exe
  C:\Windows\System32\kRknWFC.exe
  2⤵
  PID:3428
- C:\Windows\System32\UtqDndp.exe
  C:\Windows\System32\UtqDndp.exe
  2⤵
  PID:3500
- C:\Windows\System32\DFtywmv.exe
  C:\Windows\System32\DFtywmv.exe
  2⤵
  PID:3320
- C:\Windows\System32\OsRLtwo.exe
  C:\Windows\System32\OsRLtwo.exe
  2⤵
  PID:1848
- C:\Windows\System32\OxyayiS.exe
  C:\Windows\System32\OxyayiS.exe
  2⤵
  PID:2436
- C:\Windows\System32\xsCkogJ.exe
  C:\Windows\System32\xsCkogJ.exe
  2⤵
  PID:4532
- C:\Windows\System32\WnsCpdv.exe
  C:\Windows\System32\WnsCpdv.exe
  2⤵
  PID:2200
- C:\Windows\System32\uHiGYAL.exe
  C:\Windows\System32\uHiGYAL.exe
  2⤵
  PID:4148
- C:\Windows\System32\kDkMfKm.exe
  C:\Windows\System32\kDkMfKm.exe
  2⤵
  PID:4864
- C:\Windows\System32\ALaZrPs.exe
  C:\Windows\System32\ALaZrPs.exe
  2⤵
  PID:1936
- C:\Windows\System32\GRuKOaz.exe
  C:\Windows\System32\GRuKOaz.exe
  2⤵
  PID:3684
- C:\Windows\System32\rdHnQGE.exe
  C:\Windows\System32\rdHnQGE.exe
  2⤵
  PID:4692
- C:\Windows\System32\CFENgWT.exe
  C:\Windows\System32\CFENgWT.exe
  2⤵
  PID:440
- C:\Windows\System32\XemWDXi.exe
  C:\Windows\System32\XemWDXi.exe
  2⤵
  PID:3092
- C:\Windows\System32\fdlgXiG.exe
  C:\Windows\System32\fdlgXiG.exe
  2⤵
  PID:3432
- C:\Windows\System32\vspMPIY.exe
  C:\Windows\System32\vspMPIY.exe
  2⤵
  PID:5128
- C:\Windows\System32\yEtnpvN.exe
  C:\Windows\System32\yEtnpvN.exe
  2⤵
  PID:5156
- C:\Windows\System32\awnldet.exe
  C:\Windows\System32\awnldet.exe
  2⤵
  PID:5184
- C:\Windows\System32\xlmooUm.exe
  C:\Windows\System32\xlmooUm.exe
  2⤵
  PID:5212
- C:\Windows\System32\QnpDYMy.exe
  C:\Windows\System32\QnpDYMy.exe
  2⤵
  PID:5240
- C:\Windows\System32\dEfeKGS.exe
  C:\Windows\System32\dEfeKGS.exe
  2⤵
  PID:5268
- C:\Windows\System32\FRCjNEH.exe
  C:\Windows\System32\FRCjNEH.exe
  2⤵
  PID:5296
- C:\Windows\System32\UQcCNRI.exe
  C:\Windows\System32\UQcCNRI.exe
  2⤵
  PID:5324
- C:\Windows\System32\hOwhvGb.exe
  C:\Windows\System32\hOwhvGb.exe
  2⤵
  PID:5360
- C:\Windows\System32\BTSmgyr.exe
  C:\Windows\System32\BTSmgyr.exe
  2⤵
  PID:5380
- C:\Windows\System32\eDKpQyT.exe
  C:\Windows\System32\eDKpQyT.exe
  2⤵
  PID:5416
- C:\Windows\System32\ByElvoO.exe
  C:\Windows\System32\ByElvoO.exe
  2⤵
  PID:5444
- C:\Windows\System32\OdCcNVS.exe
  C:\Windows\System32\OdCcNVS.exe
  2⤵
  PID:5464
- C:\Windows\System32\dtgLZeG.exe
  C:\Windows\System32\dtgLZeG.exe
  2⤵
  PID:5500
- C:\Windows\System32\GYcBJRu.exe
  C:\Windows\System32\GYcBJRu.exe
  2⤵
  PID:5520
- C:\Windows\System32\DgmvwCK.exe
  C:\Windows\System32\DgmvwCK.exe
  2⤵
  PID:5560
- C:\Windows\System32\qyivkcS.exe
  C:\Windows\System32\qyivkcS.exe
  2⤵
  PID:5576
- C:\Windows\System32\GTpvpEe.exe
  C:\Windows\System32\GTpvpEe.exe
  2⤵
  PID:5604
- C:\Windows\System32\vrNKRyL.exe
  C:\Windows\System32\vrNKRyL.exe
  2⤵
  PID:5632
- C:\Windows\System32\Emtjzjb.exe
  C:\Windows\System32\Emtjzjb.exe
  2⤵
  PID:5668
- C:\Windows\System32\xguCmWL.exe
  C:\Windows\System32\xguCmWL.exe
  2⤵
  PID:5696
- C:\Windows\System32\ukBqORT.exe
  C:\Windows\System32\ukBqORT.exe
  2⤵
  PID:5716
- C:\Windows\System32\RDTcBVF.exe
  C:\Windows\System32\RDTcBVF.exe
  2⤵
  PID:5752
- C:\Windows\System32\eGnLhUK.exe
  C:\Windows\System32\eGnLhUK.exe
  2⤵
  PID:5772
- C:\Windows\System32\wGlZehF.exe
  C:\Windows\System32\wGlZehF.exe
  2⤵
  PID:5808
- C:\Windows\System32\nKuxXQi.exe
  C:\Windows\System32\nKuxXQi.exe
  2⤵
  PID:5836
- C:\Windows\System32\CHruriI.exe
  C:\Windows\System32\CHruriI.exe
  2⤵
  PID:5856
- C:\Windows\System32\lhpimSc.exe
  C:\Windows\System32\lhpimSc.exe
  2⤵
  PID:5884
- C:\Windows\System32\TUpfyKA.exe
  C:\Windows\System32\TUpfyKA.exe
  2⤵
  PID:5920
- C:\Windows\System32\qfEdzxA.exe
  C:\Windows\System32\qfEdzxA.exe
  2⤵
  PID:5948
- C:\Windows\System32\fjnwckD.exe
  C:\Windows\System32\fjnwckD.exe
  2⤵
  PID:5968
- C:\Windows\System32\fkAhxci.exe
  C:\Windows\System32\fkAhxci.exe
  2⤵
  PID:5996
- C:\Windows\System32\XDTAczz.exe
  C:\Windows\System32\XDTAczz.exe
  2⤵
  PID:6032
- C:\Windows\System32\AMIfOIA.exe
  C:\Windows\System32\AMIfOIA.exe
  2⤵
  PID:6052
- C:\Windows\System32\SdAoCHw.exe
  C:\Windows\System32\SdAoCHw.exe
  2⤵
  PID:6080
- C:\Windows\System32\ZpqumiS.exe
  C:\Windows\System32\ZpqumiS.exe
  2⤵
  PID:6116
- C:\Windows\System32\LHCFqCt.exe
  C:\Windows\System32\LHCFqCt.exe
  2⤵
  PID:6136
- C:\Windows\System32\BGDejBy.exe
  C:\Windows\System32\BGDejBy.exe
  2⤵
  PID:2184
- C:\Windows\System32\vwRpyFg.exe
  C:\Windows\System32\vwRpyFg.exe
  2⤵
  PID:3420
- C:\Windows\System32\umzSPXo.exe
  C:\Windows\System32\umzSPXo.exe
  2⤵
  PID:5092
- C:\Windows\System32\vgGHfOT.exe
  C:\Windows\System32\vgGHfOT.exe
  2⤵
  PID:4264
- C:\Windows\System32\sONsKMA.exe
  C:\Windows\System32\sONsKMA.exe
  2⤵
  PID:4676
- C:\Windows\System32\iARjeuT.exe
  C:\Windows\System32\iARjeuT.exe
  2⤵
  PID:5144
- C:\Windows\System32\dzameFd.exe
  C:\Windows\System32\dzameFd.exe
  2⤵
  PID:5224
- C:\Windows\System32\NQnPqXs.exe
  C:\Windows\System32\NQnPqXs.exe
  2⤵
  PID:5292
- C:\Windows\System32\rrGeiMJ.exe
  C:\Windows\System32\rrGeiMJ.exe
  2⤵
  PID:5348
- C:\Windows\System32\pcPYXRR.exe
  C:\Windows\System32\pcPYXRR.exe
  2⤵
  PID:5396
- C:\Windows\System32\ShzqVCI.exe
  C:\Windows\System32\ShzqVCI.exe
  2⤵
  PID:5476
- C:\Windows\System32\fAXUzak.exe
  C:\Windows\System32\fAXUzak.exe
  2⤵
  PID:5536
- C:\Windows\System32\kfaGKWK.exe
  C:\Windows\System32\kfaGKWK.exe
  2⤵
  PID:5592
- C:\Windows\System32\EeWLjJR.exe
  C:\Windows\System32\EeWLjJR.exe
  2⤵
  PID:5664
- C:\Windows\System32\ZDTEuqh.exe
  C:\Windows\System32\ZDTEuqh.exe
  2⤵
  PID:5740
- C:\Windows\System32\RZdYjJL.exe
  C:\Windows\System32\RZdYjJL.exe
  2⤵
  PID:5796
- C:\Windows\System32\ltsIHDS.exe
  C:\Windows\System32\ltsIHDS.exe
  2⤵
  PID:5868
- C:\Windows\System32\ZFhesRN.exe
  C:\Windows\System32\ZFhesRN.exe
  2⤵
  PID:5936
- C:\Windows\System32\fBRjXzY.exe
  C:\Windows\System32\fBRjXzY.exe
  2⤵
  PID:5984
- C:\Windows\System32\InGAKfI.exe
  C:\Windows\System32\InGAKfI.exe
  2⤵
  PID:6064
- C:\Windows\System32\JqvHZtj.exe
  C:\Windows\System32\JqvHZtj.exe
  2⤵
  PID:6132
- C:\Windows\System32\eHCHvmb.exe
  C:\Windows\System32\eHCHvmb.exe
  2⤵
  PID:2544
- C:\Windows\System32\vPzahPj.exe
  C:\Windows\System32\vPzahPj.exe
  2⤵
  PID:4004
- C:\Windows\System32\GsafrhV.exe
  C:\Windows\System32\GsafrhV.exe
  2⤵
  PID:5200
- C:\Windows\System32\dCbziiP.exe
  C:\Windows\System32\dCbziiP.exe
  2⤵
  PID:5312
- C:\Windows\System32\BFwKvTr.exe
  C:\Windows\System32\BFwKvTr.exe
  2⤵
  PID:5496
- C:\Windows\System32\BcBfnYW.exe
  C:\Windows\System32\BcBfnYW.exe
  2⤵
  PID:5648
- C:\Windows\System32\eTZYzTx.exe
  C:\Windows\System32\eTZYzTx.exe
  2⤵
  PID:5764
- C:\Windows\System32\iEuDwiQ.exe
  C:\Windows\System32\iEuDwiQ.exe
  2⤵
  PID:5964
- C:\Windows\System32\TudyBEN.exe
  C:\Windows\System32\TudyBEN.exe
  2⤵
  PID:6112
- C:\Windows\System32\qsfPwWa.exe
  C:\Windows\System32\qsfPwWa.exe
  2⤵
  PID:6168
- C:\Windows\System32\pKbNxwJ.exe
  C:\Windows\System32\pKbNxwJ.exe
  2⤵
  PID:6196
- C:\Windows\System32\iSLqEmS.exe
  C:\Windows\System32\iSLqEmS.exe
  2⤵
  PID:6224
- C:\Windows\System32\pvyyfri.exe
  C:\Windows\System32\pvyyfri.exe
  2⤵
  PID:6252
- C:\Windows\System32\LPJTqhx.exe
  C:\Windows\System32\LPJTqhx.exe
  2⤵
  PID:6280
- C:\Windows\System32\eIcHzsq.exe
  C:\Windows\System32\eIcHzsq.exe
  2⤵
  PID:6308
- C:\Windows\System32\ZrDJgmV.exe
  C:\Windows\System32\ZrDJgmV.exe
  2⤵
  PID:6336
- C:\Windows\System32\ojfKqlJ.exe
  C:\Windows\System32\ojfKqlJ.exe
  2⤵
  PID:6364
- C:\Windows\System32\DvCuhVt.exe
  C:\Windows\System32\DvCuhVt.exe
  2⤵
  PID:6392
- C:\Windows\System32\wjJGGww.exe
  C:\Windows\System32\wjJGGww.exe
  2⤵
  PID:6420
- C:\Windows\System32\VMYlKzS.exe
  C:\Windows\System32\VMYlKzS.exe
  2⤵
  PID:6448
- C:\Windows\System32\eokheZJ.exe
  C:\Windows\System32\eokheZJ.exe
  2⤵
  PID:6476
- C:\Windows\System32\kFUPonz.exe
  C:\Windows\System32\kFUPonz.exe
  2⤵
  PID:6504
- C:\Windows\System32\FmDcCtC.exe
  C:\Windows\System32\FmDcCtC.exe
  2⤵
  PID:6532
- C:\Windows\System32\LWAJffK.exe
  C:\Windows\System32\LWAJffK.exe
  2⤵
  PID:6560
- C:\Windows\System32\MgSqOGF.exe
  C:\Windows\System32\MgSqOGF.exe
  2⤵
  PID:6588
- C:\Windows\System32\XAYUzNr.exe
  C:\Windows\System32\XAYUzNr.exe
  2⤵
  PID:6616
- C:\Windows\System32\qzlPTeG.exe
  C:\Windows\System32\qzlPTeG.exe
  2⤵
  PID:6644
- C:\Windows\System32\kxZweFC.exe
  C:\Windows\System32\kxZweFC.exe
  2⤵
  PID:6672
- C:\Windows\System32\utIeTcA.exe
  C:\Windows\System32\utIeTcA.exe
  2⤵
  PID:6700
- C:\Windows\System32\gwkuTXN.exe
  C:\Windows\System32\gwkuTXN.exe
  2⤵
  PID:6728
- C:\Windows\System32\HPymCTE.exe
  C:\Windows\System32\HPymCTE.exe
  2⤵
  PID:6756
- C:\Windows\System32\DcgKGTj.exe
  C:\Windows\System32\DcgKGTj.exe
  2⤵
  PID:6784
- C:\Windows\System32\iEuIujr.exe
  C:\Windows\System32\iEuIujr.exe
  2⤵
  PID:6812
- C:\Windows\System32\xPxedPZ.exe
  C:\Windows\System32\xPxedPZ.exe
  2⤵
  PID:6840
- C:\Windows\System32\DORxyjm.exe
  C:\Windows\System32\DORxyjm.exe
  2⤵
  PID:6868
- C:\Windows\System32\BEoOiqe.exe
  C:\Windows\System32\BEoOiqe.exe
  2⤵
  PID:6896
- C:\Windows\System32\AdgJPzZ.exe
  C:\Windows\System32\AdgJPzZ.exe
  2⤵
  PID:6924
- C:\Windows\System32\IZjIICB.exe
  C:\Windows\System32\IZjIICB.exe
  2⤵
  PID:6952
- C:\Windows\System32\YsbRUVJ.exe
  C:\Windows\System32\YsbRUVJ.exe
  2⤵
  PID:6980
- C:\Windows\System32\hoHqjFF.exe
  C:\Windows\System32\hoHqjFF.exe
  2⤵
  PID:7008
- C:\Windows\System32\sPSjvNt.exe
  C:\Windows\System32\sPSjvNt.exe
  2⤵
  PID:7036
- C:\Windows\System32\sVlkFlp.exe
  C:\Windows\System32\sVlkFlp.exe
  2⤵
  PID:7064
- C:\Windows\System32\GwkrblQ.exe
  C:\Windows\System32\GwkrblQ.exe
  2⤵
  PID:7092
- C:\Windows\System32\ZaViZEe.exe
  C:\Windows\System32\ZaViZEe.exe
  2⤵
  PID:7120
- C:\Windows\System32\UPKXSCR.exe
  C:\Windows\System32\UPKXSCR.exe
  2⤵
  PID:7148
- C:\Windows\System32\xqGFtsq.exe
  C:\Windows\System32\xqGFtsq.exe
  2⤵
  PID:1832
- C:\Windows\System32\aGvNidh.exe
  C:\Windows\System32\aGvNidh.exe
  2⤵
  PID:5280
- C:\Windows\System32\LAyQVXv.exe
  C:\Windows\System32\LAyQVXv.exe
  2⤵
  PID:5620
- C:\Windows\System32\SdgfTQh.exe
  C:\Windows\System32\SdgfTQh.exe
  2⤵
  PID:5896
- C:\Windows\System32\yGPAUtW.exe
  C:\Windows\System32\yGPAUtW.exe
  2⤵
  PID:6180
- C:\Windows\System32\MVGgAWw.exe
  C:\Windows\System32\MVGgAWw.exe
  2⤵
  PID:3916
- C:\Windows\System32\XlSzVbi.exe
  C:\Windows\System32\XlSzVbi.exe
  2⤵
  PID:6304
- C:\Windows\System32\Bqflgdp.exe
  C:\Windows\System32\Bqflgdp.exe
  2⤵
  PID:6352
- C:\Windows\System32\ZQozVPQ.exe
  C:\Windows\System32\ZQozVPQ.exe
  2⤵
  PID:6432
- C:\Windows\System32\dUkjybY.exe
  C:\Windows\System32\dUkjybY.exe
  2⤵
  PID:6500
- C:\Windows\System32\ubaLLrI.exe
  C:\Windows\System32\ubaLLrI.exe
  2⤵
  PID:6556
- C:\Windows\System32\FbjpCWF.exe
  C:\Windows\System32\FbjpCWF.exe
  2⤵
  PID:6604
- C:\Windows\System32\JlXJRND.exe
  C:\Windows\System32\JlXJRND.exe
  2⤵
  PID:6684
- C:\Windows\System32\cavaipU.exe
  C:\Windows\System32\cavaipU.exe
  2⤵
  PID:6752
- C:\Windows\System32\ZwOnLbE.exe
  C:\Windows\System32\ZwOnLbE.exe
  2⤵
  PID:6800
- C:\Windows\System32\bAMLEKq.exe
  C:\Windows\System32\bAMLEKq.exe
  2⤵
  PID:6892
- C:\Windows\System32\EgDIqsw.exe
  C:\Windows\System32\EgDIqsw.exe
  2⤵
  PID:6936
- C:\Windows\System32\McJIoHK.exe
  C:\Windows\System32\McJIoHK.exe
  2⤵
  PID:7004
- C:\Windows\System32\UPktMri.exe
  C:\Windows\System32\UPktMri.exe
  2⤵
  PID:7052
- C:\Windows\System32\IqflYSG.exe
  C:\Windows\System32\IqflYSG.exe
  2⤵
  PID:7108
- C:\Windows\System32\njbTEMN.exe
  C:\Windows\System32\njbTEMN.exe
  2⤵
  PID:3852
- C:\Windows\System32\uvqklmt.exe
  C:\Windows\System32\uvqklmt.exe
  2⤵
  PID:5788
- C:\Windows\System32\wMjyDEC.exe
  C:\Windows\System32\wMjyDEC.exe
  2⤵
  PID:6236
- C:\Windows\System32\KmNxmCG.exe
  C:\Windows\System32\KmNxmCG.exe
  2⤵
  PID:6324
- C:\Windows\System32\UuCqlpF.exe
  C:\Windows\System32\UuCqlpF.exe
  2⤵
  PID:6472
- C:\Windows\System32\KrZvrJP.exe
  C:\Windows\System32\KrZvrJP.exe
  2⤵
  PID:6632
- C:\Windows\System32\jtKYGpk.exe
  C:\Windows\System32\jtKYGpk.exe
  2⤵
  PID:2424
- C:\Windows\System32\kXnfUyU.exe
  C:\Windows\System32\kXnfUyU.exe
  2⤵
  PID:6880
- C:\Windows\System32\KcoUYTL.exe
  C:\Windows\System32\KcoUYTL.exe
  2⤵
  PID:7032
- C:\Windows\System32\aJDshRM.exe
  C:\Windows\System32\aJDshRM.exe
  2⤵
  PID:7164
- C:\Windows\System32\QnAiRXR.exe
  C:\Windows\System32\QnAiRXR.exe
  2⤵
  PID:6208
- C:\Windows\System32\qgMIuCx.exe
  C:\Windows\System32\qgMIuCx.exe
  2⤵
  PID:7184
- C:\Windows\System32\ZiUFtyx.exe
  C:\Windows\System32\ZiUFtyx.exe
  2⤵
  PID:7212
- C:\Windows\System32\qmPUvBr.exe
  C:\Windows\System32\qmPUvBr.exe
  2⤵
  PID:7240
- C:\Windows\System32\Pxbuntt.exe
  C:\Windows\System32\Pxbuntt.exe
  2⤵
  PID:7268
- C:\Windows\System32\aKYzequ.exe
  C:\Windows\System32\aKYzequ.exe
  2⤵
  PID:7296
- C:\Windows\System32\blrmDRm.exe
  C:\Windows\System32\blrmDRm.exe
  2⤵
  PID:7324
- C:\Windows\System32\PYoFxlW.exe
  C:\Windows\System32\PYoFxlW.exe
  2⤵
  PID:7352
- C:\Windows\System32\xStUemp.exe
  C:\Windows\System32\xStUemp.exe
  2⤵
  PID:7380
- C:\Windows\System32\tVgPStZ.exe
  C:\Windows\System32\tVgPStZ.exe
  2⤵
  PID:7408
- C:\Windows\System32\wVDMvaq.exe
  C:\Windows\System32\wVDMvaq.exe
  2⤵
  PID:7436
- C:\Windows\System32\udvhtVf.exe
  C:\Windows\System32\udvhtVf.exe
  2⤵
  PID:7464
- C:\Windows\System32\CbFaaeK.exe
  C:\Windows\System32\CbFaaeK.exe
  2⤵
  PID:7492
- C:\Windows\System32\EkUWWxZ.exe
  C:\Windows\System32\EkUWWxZ.exe
  2⤵
  PID:7520
- C:\Windows\System32\wvmgvOk.exe
  C:\Windows\System32\wvmgvOk.exe
  2⤵
  PID:7548
- C:\Windows\System32\bBNwVwD.exe
  C:\Windows\System32\bBNwVwD.exe
  2⤵
  PID:7576
- C:\Windows\System32\GuysxEo.exe
  C:\Windows\System32\GuysxEo.exe
  2⤵
  PID:7604
- C:\Windows\System32\RNVGprc.exe
  C:\Windows\System32\RNVGprc.exe
  2⤵
  PID:7632
- C:\Windows\System32\BnmaUQK.exe
  C:\Windows\System32\BnmaUQK.exe
  2⤵
  PID:7660
- C:\Windows\System32\EdXamop.exe
  C:\Windows\System32\EdXamop.exe
  2⤵
  PID:7688
- C:\Windows\System32\VglBVRi.exe
  C:\Windows\System32\VglBVRi.exe
  2⤵
  PID:7716
- C:\Windows\System32\WdRWnbI.exe
  C:\Windows\System32\WdRWnbI.exe
  2⤵
  PID:7744
- C:\Windows\System32\MiptFUn.exe
  C:\Windows\System32\MiptFUn.exe
  2⤵
  PID:7772
- C:\Windows\System32\nZKcYZE.exe
  C:\Windows\System32\nZKcYZE.exe
  2⤵
  PID:7800
- C:\Windows\System32\ICEbjEf.exe
  C:\Windows\System32\ICEbjEf.exe
  2⤵
  PID:7828
- C:\Windows\System32\zQFVHSZ.exe
  C:\Windows\System32\zQFVHSZ.exe
  2⤵
  PID:7856
- C:\Windows\System32\JNmgxxk.exe
  C:\Windows\System32\JNmgxxk.exe
  2⤵
  PID:7884
- C:\Windows\System32\cHOZEGP.exe
  C:\Windows\System32\cHOZEGP.exe
  2⤵
  PID:7924
- C:\Windows\System32\grhDPaI.exe
  C:\Windows\System32\grhDPaI.exe
  2⤵
  PID:7940
- C:\Windows\System32\hgVHrQy.exe
  C:\Windows\System32\hgVHrQy.exe
  2⤵
  PID:7968
- C:\Windows\System32\UNvhTwU.exe
  C:\Windows\System32\UNvhTwU.exe
  2⤵
  PID:8036
- C:\Windows\System32\xtCGCRm.exe
  C:\Windows\System32\xtCGCRm.exe
  2⤵
  PID:8052
- C:\Windows\System32\pJUGIwJ.exe
  C:\Windows\System32\pJUGIwJ.exe
  2⤵
  PID:8076
- C:\Windows\System32\PBqQCDr.exe
  C:\Windows\System32\PBqQCDr.exe
  2⤵
  PID:8100
- C:\Windows\System32\jRxllCI.exe
  C:\Windows\System32\jRxllCI.exe
  2⤵
  PID:8132
- C:\Windows\System32\WlXxwgE.exe
  C:\Windows\System32\WlXxwgE.exe
  2⤵
  PID:8164
- C:\Windows\System32\IASPRSD.exe
  C:\Windows\System32\IASPRSD.exe
  2⤵
  PID:8188
- C:\Windows\System32\GDAtDoC.exe
  C:\Windows\System32\GDAtDoC.exe
  2⤵
  PID:6404
- C:\Windows\System32\dvsNWwP.exe
  C:\Windows\System32\dvsNWwP.exe
  2⤵
  PID:6712
- C:\Windows\System32\iHvJwAv.exe
  C:\Windows\System32\iHvJwAv.exe
  2⤵
  PID:6920
- C:\Windows\System32\XDsMyfX.exe
  C:\Windows\System32\XDsMyfX.exe
  2⤵
  PID:7196
- C:\Windows\System32\zzrAoxR.exe
  C:\Windows\System32\zzrAoxR.exe
  2⤵
  PID:7236
- C:\Windows\System32\rKSoGAX.exe
  C:\Windows\System32\rKSoGAX.exe
  2⤵
  PID:7336
- C:\Windows\System32\xVwhZQq.exe
  C:\Windows\System32\xVwhZQq.exe
  2⤵
  PID:7376
- C:\Windows\System32\SpCHAsv.exe
  C:\Windows\System32\SpCHAsv.exe
  2⤵
  PID:7432
- C:\Windows\System32\FnizHVj.exe
  C:\Windows\System32\FnizHVj.exe
  2⤵
  PID:4772
- C:\Windows\System32\vtbMvwT.exe
  C:\Windows\System32\vtbMvwT.exe
  2⤵
  PID:2092
- C:\Windows\System32\PKZwkKN.exe
  C:\Windows\System32\PKZwkKN.exe
  2⤵
  PID:7564
- C:\Windows\System32\VrSHNYu.exe
  C:\Windows\System32\VrSHNYu.exe
  2⤵
  PID:7628
- C:\Windows\System32\zYCPJyB.exe
  C:\Windows\System32\zYCPJyB.exe
  2⤵
  PID:7700
- C:\Windows\System32\KlVPAdc.exe
  C:\Windows\System32\KlVPAdc.exe
  2⤵
  PID:7756
- C:\Windows\System32\KLDfmhN.exe
  C:\Windows\System32\KLDfmhN.exe
  2⤵
  PID:7784
- C:\Windows\System32\hWNxnIJ.exe
  C:\Windows\System32\hWNxnIJ.exe
  2⤵
  PID:7824
- C:\Windows\System32\WRljwYv.exe
  C:\Windows\System32\WRljwYv.exe
  2⤵
  PID:7844
- C:\Windows\System32\UFXQbJn.exe
  C:\Windows\System32\UFXQbJn.exe
  2⤵
  PID:7880
- C:\Windows\System32\OFTREhg.exe
  C:\Windows\System32\OFTREhg.exe
  2⤵
  PID:7916
- C:\Windows\System32\LdoFxHg.exe
  C:\Windows\System32\LdoFxHg.exe
  2⤵
  PID:4492
- C:\Windows\System32\AkFOmQG.exe
  C:\Windows\System32\AkFOmQG.exe
  2⤵
  PID:7980
- C:\Windows\System32\PFMiprv.exe
  C:\Windows\System32\PFMiprv.exe
  2⤵
  PID:8032
- C:\Windows\System32\xosoPOO.exe
  C:\Windows\System32\xosoPOO.exe
  2⤵
  PID:8092
- C:\Windows\System32\HAedZkt.exe
  C:\Windows\System32\HAedZkt.exe
  2⤵
  PID:8184
- C:\Windows\System32\uFrKsfG.exe
  C:\Windows\System32\uFrKsfG.exe
  2⤵
  PID:332
- C:\Windows\System32\fdDsBQt.exe
  C:\Windows\System32\fdDsBQt.exe
  2⤵
  PID:864
- C:\Windows\System32\frwXbwi.exe
  C:\Windows\System32\frwXbwi.exe
  2⤵
  PID:3028
- C:\Windows\System32\GQGTzno.exe
  C:\Windows\System32\GQGTzno.exe
  2⤵
  PID:1600
- C:\Windows\System32\CuuMgYi.exe
  C:\Windows\System32\CuuMgYi.exe
  2⤵
  PID:7796
- C:\Windows\System32\wJMPWhQ.exe
  C:\Windows\System32\wJMPWhQ.exe
  2⤵
  PID:5084
- C:\Windows\System32\fnRkXlw.exe
  C:\Windows\System32\fnRkXlw.exe
  2⤵
  PID:8176
- C:\Windows\System32\PQnnvnm.exe
  C:\Windows\System32\PQnnvnm.exe
  2⤵
  PID:3048
- C:\Windows\System32\YNjdVET.exe
  C:\Windows\System32\YNjdVET.exe
  2⤵
  PID:4916
- C:\Windows\System32\pljkpII.exe
  C:\Windows\System32\pljkpII.exe
  2⤵
  PID:7932
- C:\Windows\System32\mlRUizj.exe
  C:\Windows\System32\mlRUizj.exe
  2⤵
  PID:7280
- C:\Windows\System32\FAzUsrv.exe
  C:\Windows\System32\FAzUsrv.exe
  2⤵
  PID:7544
- C:\Windows\System32\qMPsHRm.exe
  C:\Windows\System32\qMPsHRm.exe
  2⤵
  PID:1616
- C:\Windows\System32\JpIxEmN.exe
  C:\Windows\System32\JpIxEmN.exe
  2⤵
  PID:7340
- C:\Windows\System32\hBTrgSp.exe
  C:\Windows\System32\hBTrgSp.exe
  2⤵
  PID:7788
- C:\Windows\System32\ztXZdYI.exe
  C:\Windows\System32\ztXZdYI.exe
  2⤵
  PID:7420
- C:\Windows\System32\AIayIBh.exe
  C:\Windows\System32\AIayIBh.exe
  2⤵
  PID:448
- C:\Windows\System32\vYLbIPD.exe
  C:\Windows\System32\vYLbIPD.exe
  2⤵
  PID:6828
- C:\Windows\System32\gHqjiMY.exe
  C:\Windows\System32\gHqjiMY.exe
  2⤵
  PID:8212
- C:\Windows\System32\XnMsiHi.exe
  C:\Windows\System32\XnMsiHi.exe
  2⤵
  PID:8240
- C:\Windows\System32\uewtURF.exe
  C:\Windows\System32\uewtURF.exe
  2⤵
  PID:8256
- C:\Windows\System32\HMxbyHn.exe
  C:\Windows\System32\HMxbyHn.exe
  2⤵
  PID:8300
- C:\Windows\System32\PRaIvkT.exe
  C:\Windows\System32\PRaIvkT.exe
  2⤵
  PID:8328
- C:\Windows\System32\xVdPAWO.exe
  C:\Windows\System32\xVdPAWO.exe
  2⤵
  PID:8360
- C:\Windows\System32\HWSpRvB.exe
  C:\Windows\System32\HWSpRvB.exe
  2⤵
  PID:8384
- C:\Windows\System32\AaYTMUO.exe
  C:\Windows\System32\AaYTMUO.exe
  2⤵
  PID:8412
- C:\Windows\System32\zOgApMZ.exe
  C:\Windows\System32\zOgApMZ.exe
  2⤵
  PID:8428
- C:\Windows\System32\bHmNDwv.exe
  C:\Windows\System32\bHmNDwv.exe
  2⤵
  PID:8468
- C:\Windows\System32\ASBYLEZ.exe
  C:\Windows\System32\ASBYLEZ.exe
  2⤵
  PID:8484
- C:\Windows\System32\KNXlIWd.exe
  C:\Windows\System32\KNXlIWd.exe
  2⤵
  PID:8512
- C:\Windows\System32\hbxssQP.exe
  C:\Windows\System32\hbxssQP.exe
  2⤵
  PID:8540
- C:\Windows\System32\JLuXoSM.exe
  C:\Windows\System32\JLuXoSM.exe
  2⤵
  PID:8576
- C:\Windows\System32\jZlkgOB.exe
  C:\Windows\System32\jZlkgOB.exe
  2⤵
  PID:8596
- C:\Windows\System32\HgoIGDV.exe
  C:\Windows\System32\HgoIGDV.exe
  2⤵
  PID:8636
- C:\Windows\System32\kZZaXbz.exe
  C:\Windows\System32\kZZaXbz.exe
  2⤵
  PID:8668
- C:\Windows\System32\tbBnZLX.exe
  C:\Windows\System32\tbBnZLX.exe
  2⤵
  PID:8696
- C:\Windows\System32\MPJsXHS.exe
  C:\Windows\System32\MPJsXHS.exe
  2⤵
  PID:8724
- C:\Windows\System32\yDGenWF.exe
  C:\Windows\System32\yDGenWF.exe
  2⤵
  PID:8740
- C:\Windows\System32\xXfxKOs.exe
  C:\Windows\System32\xXfxKOs.exe
  2⤵
  PID:8780
- C:\Windows\System32\bqFhlcs.exe
  C:\Windows\System32\bqFhlcs.exe
  2⤵
  PID:8808
- C:\Windows\System32\uXhfwlZ.exe
  C:\Windows\System32\uXhfwlZ.exe
  2⤵
  PID:8836
- C:\Windows\System32\GSzRgcJ.exe
  C:\Windows\System32\GSzRgcJ.exe
  2⤵
  PID:8864
- C:\Windows\System32\JDQLyvR.exe
  C:\Windows\System32\JDQLyvR.exe
  2⤵
  PID:8892
- C:\Windows\System32\sFbKtAq.exe
  C:\Windows\System32\sFbKtAq.exe
  2⤵
  PID:8920
- C:\Windows\System32\TkJXRYv.exe
  C:\Windows\System32\TkJXRYv.exe
  2⤵
  PID:8948
- C:\Windows\System32\eEVlCER.exe
  C:\Windows\System32\eEVlCER.exe
  2⤵
  PID:8968
- C:\Windows\System32\noLdoIx.exe
  C:\Windows\System32\noLdoIx.exe
  2⤵
  PID:9016
- C:\Windows\System32\NIcZYUD.exe
  C:\Windows\System32\NIcZYUD.exe
  2⤵
  PID:9036
- C:\Windows\System32\SjJOGSE.exe
  C:\Windows\System32\SjJOGSE.exe
  2⤵
  PID:9068
- C:\Windows\System32\zjqmeKU.exe
  C:\Windows\System32\zjqmeKU.exe
  2⤵
  PID:9096
- C:\Windows\System32\OuZivwZ.exe
  C:\Windows\System32\OuZivwZ.exe
  2⤵
  PID:9124
- C:\Windows\System32\xSCrhWH.exe
  C:\Windows\System32\xSCrhWH.exe
  2⤵
  PID:9152
- C:\Windows\System32\mafhVmI.exe
  C:\Windows\System32\mafhVmI.exe
  2⤵
  PID:9180
- C:\Windows\System32\wjJaflW.exe
  C:\Windows\System32\wjJaflW.exe
  2⤵
  PID:8084
- C:\Windows\System32\DQhNAwm.exe
  C:\Windows\System32\DQhNAwm.exe
  2⤵
  PID:8248
- C:\Windows\System32\xSJBKel.exe
  C:\Windows\System32\xSJBKel.exe
  2⤵
  PID:8324
- C:\Windows\System32\UQheKIY.exe
  C:\Windows\System32\UQheKIY.exe
  2⤵
  PID:8404
- C:\Windows\System32\sJFLjBb.exe
  C:\Windows\System32\sJFLjBb.exe
  2⤵
  PID:8476
- C:\Windows\System32\WaKzuaa.exe
  C:\Windows\System32\WaKzuaa.exe
  2⤵
  PID:8564
- C:\Windows\System32\qCGlRMm.exe
  C:\Windows\System32\qCGlRMm.exe
  2⤵
  PID:8588
- C:\Windows\System32\sdEWiOX.exe
  C:\Windows\System32\sdEWiOX.exe
  2⤵
  PID:8648
- C:\Windows\System32\CmnfznQ.exe
  C:\Windows\System32\CmnfznQ.exe
  2⤵
  PID:8736
- C:\Windows\System32\RvFErbK.exe
  C:\Windows\System32\RvFErbK.exe
  2⤵
  PID:8824
- C:\Windows\System32\tJEEQWI.exe
  C:\Windows\System32\tJEEQWI.exe
  2⤵
  PID:8860
- C:\Windows\System32\rucZiNf.exe
  C:\Windows\System32\rucZiNf.exe
  2⤵
  PID:8932
- C:\Windows\System32\rxueZAY.exe
  C:\Windows\System32\rxueZAY.exe
  2⤵
  PID:3480
- C:\Windows\System32\UxSjopD.exe
  C:\Windows\System32\UxSjopD.exe
  2⤵
  PID:9012
- C:\Windows\System32\YwponkN.exe
  C:\Windows\System32\YwponkN.exe
  2⤵
  PID:9024
- C:\Windows\System32\MBnjnyo.exe
  C:\Windows\System32\MBnjnyo.exe
  2⤵
  PID:9088
- C:\Windows\System32\KceCRqq.exe
  C:\Windows\System32\KceCRqq.exe
  2⤵
  PID:9164
- C:\Windows\System32\HRiHMeL.exe
  C:\Windows\System32\HRiHMeL.exe
  2⤵
  PID:9196
- C:\Windows\System32\McJdzub.exe
  C:\Windows\System32\McJdzub.exe
  2⤵
  PID:8380
- C:\Windows\System32\TUbTlIS.exe
  C:\Windows\System32\TUbTlIS.exe
  2⤵
  PID:3800
- C:\Windows\System32\tficwnP.exe
  C:\Windows\System32\tficwnP.exe
  2⤵
  PID:8732
- C:\Windows\System32\pqbwZLn.exe
  C:\Windows\System32\pqbwZLn.exe
  2⤵
  PID:8912
- C:\Windows\System32\OmvkAuM.exe
  C:\Windows\System32\OmvkAuM.exe
  2⤵
  PID:8984
- C:\Windows\System32\ZolIooA.exe
  C:\Windows\System32\ZolIooA.exe
  2⤵
  PID:9116
- C:\Windows\System32\yVNvmpX.exe
  C:\Windows\System32\yVNvmpX.exe
  2⤵
  PID:8480
- C:\Windows\System32\DeCxPyB.exe
  C:\Windows\System32\DeCxPyB.exe
  2⤵
  PID:8716
- C:\Windows\System32\zVfPbOW.exe
  C:\Windows\System32\zVfPbOW.exe
  2⤵
  PID:9080
- C:\Windows\System32\lkHnkik.exe
  C:\Windows\System32\lkHnkik.exe
  2⤵
  PID:1552
- C:\Windows\System32\tPscBTq.exe
  C:\Windows\System32\tPscBTq.exe
  2⤵
  PID:8204
- C:\Windows\System32\xJhCoJv.exe
  C:\Windows\System32\xJhCoJv.exe
  2⤵
  PID:9244
- C:\Windows\System32\KcAkhRi.exe
  C:\Windows\System32\KcAkhRi.exe
  2⤵
  PID:9276
- C:\Windows\System32\KhjzyDv.exe
  C:\Windows\System32\KhjzyDv.exe
  2⤵
  PID:9300
- C:\Windows\System32\gOJErTT.exe
  C:\Windows\System32\gOJErTT.exe
  2⤵
  PID:9316
- C:\Windows\System32\dHBBPIW.exe
  C:\Windows\System32\dHBBPIW.exe
  2⤵
  PID:9348
- C:\Windows\System32\EAsTbDz.exe
  C:\Windows\System32\EAsTbDz.exe
  2⤵
  PID:9384
- C:\Windows\System32\TrQMmqa.exe
  C:\Windows\System32\TrQMmqa.exe
  2⤵
  PID:9412
- C:\Windows\System32\jsyvHIK.exe
  C:\Windows\System32\jsyvHIK.exe
  2⤵
  PID:9428
- C:\Windows\System32\HwLgAZI.exe
  C:\Windows\System32\HwLgAZI.exe
  2⤵
  PID:9456
- C:\Windows\System32\vTxvUOm.exe
  C:\Windows\System32\vTxvUOm.exe
  2⤵
  PID:9496
- C:\Windows\System32\AFbpLKz.exe
  C:\Windows\System32\AFbpLKz.exe
  2⤵
  PID:9524
- C:\Windows\System32\XhFqqRC.exe
  C:\Windows\System32\XhFqqRC.exe
  2⤵
  PID:9540
- C:\Windows\System32\tZyBgRw.exe
  C:\Windows\System32\tZyBgRw.exe
  2⤵
  PID:9560
- C:\Windows\System32\MYyxFyJ.exe
  C:\Windows\System32\MYyxFyJ.exe
  2⤵
  PID:9604
- C:\Windows\System32\AGDpXNA.exe
  C:\Windows\System32\AGDpXNA.exe
  2⤵
  PID:9624
- C:\Windows\System32\YcQiwdP.exe
  C:\Windows\System32\YcQiwdP.exe
  2⤵
  PID:9648
- C:\Windows\System32\rMqaWjw.exe
  C:\Windows\System32\rMqaWjw.exe
  2⤵
  PID:9692
- C:\Windows\System32\xCSBFeY.exe
  C:\Windows\System32\xCSBFeY.exe
  2⤵
  PID:9720
- C:\Windows\System32\HoHiTGG.exe
  C:\Windows\System32\HoHiTGG.exe
  2⤵
  PID:9736
- C:\Windows\System32\JCcroUs.exe
  C:\Windows\System32\JCcroUs.exe
  2⤵
  PID:9776
- C:\Windows\System32\iGyqZUN.exe
  C:\Windows\System32\iGyqZUN.exe
  2⤵
  PID:9804
- C:\Windows\System32\oivFGrH.exe
  C:\Windows\System32\oivFGrH.exe
  2⤵
  PID:9832
- C:\Windows\System32\GMnlgoY.exe
  C:\Windows\System32\GMnlgoY.exe
  2⤵
  PID:9848
- C:\Windows\System32\SrCLzfF.exe
  C:\Windows\System32\SrCLzfF.exe
  2⤵
  PID:9872
- C:\Windows\System32\UciRTsz.exe
  C:\Windows\System32\UciRTsz.exe
  2⤵
  PID:9908
- C:\Windows\System32\crLIynR.exe
  C:\Windows\System32\crLIynR.exe
  2⤵
  PID:9936
- C:\Windows\System32\RwXMWHW.exe
  C:\Windows\System32\RwXMWHW.exe
  2⤵
  PID:9972
- C:\Windows\System32\ZlJTolr.exe
  C:\Windows\System32\ZlJTolr.exe
  2⤵
  PID:9988
- C:\Windows\System32\UcGcXUN.exe
  C:\Windows\System32\UcGcXUN.exe
  2⤵
  PID:10020
- C:\Windows\System32\NBybpkV.exe
  C:\Windows\System32\NBybpkV.exe
  2⤵
  PID:10044
- C:\Windows\System32\SHeizMh.exe
  C:\Windows\System32\SHeizMh.exe
  2⤵
  PID:10084
- C:\Windows\System32\trUXJBq.exe
  C:\Windows\System32\trUXJBq.exe
  2⤵
  PID:10104
- C:\Windows\System32\pVqtxAp.exe
  C:\Windows\System32\pVqtxAp.exe
  2⤵
  PID:10144
- C:\Windows\System32\JswMbuX.exe
  C:\Windows\System32\JswMbuX.exe
  2⤵
  PID:10160
- C:\Windows\System32\ayHOSSx.exe
  C:\Windows\System32\ayHOSSx.exe
  2⤵
  PID:10200
- C:\Windows\System32\FIehlyc.exe
  C:\Windows\System32\FIehlyc.exe
  2⤵
  PID:10228
- C:\Windows\System32\ZulFLmH.exe
  C:\Windows\System32\ZulFLmH.exe
  2⤵
  PID:9260
- C:\Windows\System32\akwmNzf.exe
  C:\Windows\System32\akwmNzf.exe
  2⤵
  PID:9292
- C:\Windows\System32\HelaKZD.exe
  C:\Windows\System32\HelaKZD.exe
  2⤵
  PID:9356
- C:\Windows\System32\CNPtqds.exe
  C:\Windows\System32\CNPtqds.exe
  2⤵
  PID:9424
- C:\Windows\System32\OkKyCED.exe
  C:\Windows\System32\OkKyCED.exe
  2⤵
  PID:9484
- C:\Windows\System32\NOdeszy.exe
  C:\Windows\System32\NOdeszy.exe
  2⤵
  PID:9580
- C:\Windows\System32\TGOhakV.exe
  C:\Windows\System32\TGOhakV.exe
  2⤵
  PID:9644
- C:\Windows\System32\pwExAAM.exe
  C:\Windows\System32\pwExAAM.exe
  2⤵
  PID:9716
- C:\Windows\System32\QgjejgX.exe
  C:\Windows\System32\QgjejgX.exe
  2⤵
  PID:9768
- C:\Windows\System32\VvWGPDX.exe
  C:\Windows\System32\VvWGPDX.exe
  2⤵
  PID:9816
- C:\Windows\System32\RCmEvJM.exe
  C:\Windows\System32\RCmEvJM.exe
  2⤵
  PID:9864
- C:\Windows\System32\VKDAmYk.exe
  C:\Windows\System32\VKDAmYk.exe
  2⤵
  PID:9964
- C:\Windows\System32\ZTprGgD.exe
  C:\Windows\System32\ZTprGgD.exe
  2⤵
  PID:10036
- C:\Windows\System32\eINyiea.exe
  C:\Windows\System32\eINyiea.exe
  2⤵
  PID:10092
- C:\Windows\System32\gGbNpwH.exe
  C:\Windows\System32\gGbNpwH.exe
  2⤵
  PID:10184
- C:\Windows\System32\VOACWUQ.exe
  C:\Windows\System32\VOACWUQ.exe
  2⤵
  PID:8532
- C:\Windows\System32\pJuAgib.exe
  C:\Windows\System32\pJuAgib.exe
  2⤵
  PID:9256
- C:\Windows\System32\NrDvorm.exe
  C:\Windows\System32\NrDvorm.exe
  2⤵
  PID:9444
- C:\Windows\System32\lqTGIiM.exe
  C:\Windows\System32\lqTGIiM.exe
  2⤵
  PID:9600
- C:\Windows\System32\sWUsmaj.exe
  C:\Windows\System32\sWUsmaj.exe
  2⤵
  PID:9728
- C:\Windows\System32\ACOZGQO.exe
  C:\Windows\System32\ACOZGQO.exe
  2⤵
  PID:9948
- C:\Windows\System32\WrTYCWR.exe
  C:\Windows\System32\WrTYCWR.exe
  2⤵
  PID:10136
- C:\Windows\System32\WimGlbL.exe
  C:\Windows\System32\WimGlbL.exe
  2⤵
  PID:10216
- C:\Windows\System32\bMoyTsg.exe
  C:\Windows\System32\bMoyTsg.exe
  2⤵
  PID:9688
- C:\Windows\System32\aubZHVp.exe
  C:\Windows\System32\aubZHVp.exe
  2⤵
  PID:10076
- C:\Windows\System32\gTqMWsS.exe
  C:\Windows\System32\gTqMWsS.exe
  2⤵
  PID:9328
- C:\Windows\System32\OPMZqxW.exe
  C:\Windows\System32\OPMZqxW.exe
  2⤵
  PID:9308
- C:\Windows\System32\ArjomHn.exe
  C:\Windows\System32\ArjomHn.exe
  2⤵
  PID:10256
- C:\Windows\System32\zbodRUW.exe
  C:\Windows\System32\zbodRUW.exe
  2⤵
  PID:10284
- C:\Windows\System32\kAgdicS.exe
  C:\Windows\System32\kAgdicS.exe
  2⤵
  PID:10300
- C:\Windows\System32\QmBfZse.exe
  C:\Windows\System32\QmBfZse.exe
  2⤵
  PID:10340
- C:\Windows\System32\iPbmipf.exe
  C:\Windows\System32\iPbmipf.exe
  2⤵
  PID:10368
- C:\Windows\System32\ICXpwsW.exe
  C:\Windows\System32\ICXpwsW.exe
  2⤵
  PID:10396
- C:\Windows\System32\spPqeId.exe
  C:\Windows\System32\spPqeId.exe
  2⤵
  PID:10424
- C:\Windows\System32\XjDoumV.exe
  C:\Windows\System32\XjDoumV.exe
  2⤵
  PID:10452
- C:\Windows\System32\UwHyfgA.exe
  C:\Windows\System32\UwHyfgA.exe
  2⤵
  PID:10480
- C:\Windows\System32\TVrlBcL.exe
  C:\Windows\System32\TVrlBcL.exe
  2⤵
  PID:10508
- C:\Windows\System32\CPIqAqU.exe
  C:\Windows\System32\CPIqAqU.exe
  2⤵
  PID:10536
- C:\Windows\System32\GtZdPwN.exe
  C:\Windows\System32\GtZdPwN.exe
  2⤵
  PID:10564
- C:\Windows\System32\IUortNe.exe
  C:\Windows\System32\IUortNe.exe
  2⤵
  PID:10592
- C:\Windows\System32\jZzEcBO.exe
  C:\Windows\System32\jZzEcBO.exe
  2⤵
  PID:10620
- C:\Windows\System32\xrdbaBH.exe
  C:\Windows\System32\xrdbaBH.exe
  2⤵
  PID:10648
- C:\Windows\System32\OCRXZFe.exe
  C:\Windows\System32\OCRXZFe.exe
  2⤵
  PID:10676
- C:\Windows\System32\DCnjLPx.exe
  C:\Windows\System32\DCnjLPx.exe
  2⤵
  PID:10704
- C:\Windows\System32\WcPSrEX.exe
  C:\Windows\System32\WcPSrEX.exe
  2⤵
  PID:10732
- C:\Windows\System32\lgBnDkM.exe
  C:\Windows\System32\lgBnDkM.exe
  2⤵
  PID:10760
- C:\Windows\System32\AeNbMyE.exe
  C:\Windows\System32\AeNbMyE.exe
  2⤵
  PID:10788
- C:\Windows\System32\kwSRaDn.exe
  C:\Windows\System32\kwSRaDn.exe
  2⤵
  PID:10808
- C:\Windows\System32\lOPGPib.exe
  C:\Windows\System32\lOPGPib.exe
  2⤵
  PID:10848
- C:\Windows\System32\bLoUewa.exe
  C:\Windows\System32\bLoUewa.exe
  2⤵
  PID:10884
- C:\Windows\System32\HAvtdAe.exe
  C:\Windows\System32\HAvtdAe.exe
  2⤵
  PID:10908
- C:\Windows\System32\TpkbxFm.exe
  C:\Windows\System32\TpkbxFm.exe
  2⤵
  PID:10936
- C:\Windows\System32\LAqQxWA.exe
  C:\Windows\System32\LAqQxWA.exe
  2⤵
  PID:10964
- C:\Windows\System32\YAQslEv.exe
  C:\Windows\System32\YAQslEv.exe
  2⤵
  PID:10992
- C:\Windows\System32\NETLrmq.exe
  C:\Windows\System32\NETLrmq.exe
  2⤵
  PID:11024
- C:\Windows\System32\UiSugjj.exe
  C:\Windows\System32\UiSugjj.exe
  2⤵
  PID:11048
- C:\Windows\System32\uWndSrm.exe
  C:\Windows\System32\uWndSrm.exe
  2⤵
  PID:11076
- C:\Windows\System32\YzbKqbH.exe
  C:\Windows\System32\YzbKqbH.exe
  2⤵
  PID:11104
- C:\Windows\System32\bGsiuEA.exe
  C:\Windows\System32\bGsiuEA.exe
  2⤵
  PID:11136
- C:\Windows\System32\WUBOQSh.exe
  C:\Windows\System32\WUBOQSh.exe
  2⤵
  PID:11160
- C:\Windows\System32\RNvJtan.exe
  C:\Windows\System32\RNvJtan.exe
  2⤵
  PID:11188
- C:\Windows\System32\BivNvEO.exe
  C:\Windows\System32\BivNvEO.exe
  2⤵
  PID:11224
- C:\Windows\System32\JgvqHBj.exe
  C:\Windows\System32\JgvqHBj.exe
  2⤵
  PID:11244
- C:\Windows\System32\fFwhpQk.exe
  C:\Windows\System32\fFwhpQk.exe
  2⤵
  PID:9796
- C:\Windows\System32\VKgwtra.exe
  C:\Windows\System32\VKgwtra.exe
  2⤵
  PID:10292
- C:\Windows\System32\qfCHBXu.exe
  C:\Windows\System32\qfCHBXu.exe
  2⤵
  PID:10360
- C:\Windows\System32\RsnnsAy.exe
  C:\Windows\System32\RsnnsAy.exe
  2⤵
  PID:10448
- C:\Windows\System32\SooFSZS.exe
  C:\Windows\System32\SooFSZS.exe
  2⤵
  PID:3992
- C:\Windows\System32\KwOdoLY.exe
  C:\Windows\System32\KwOdoLY.exe
  2⤵
  PID:10116
- C:\Windows\System32\BySzNXq.exe
  C:\Windows\System32\BySzNXq.exe
  2⤵
  PID:10636
- C:\Windows\System32\weYeuGQ.exe
  C:\Windows\System32\weYeuGQ.exe
  2⤵
  PID:10692
- C:\Windows\System32\ARlniDb.exe
  C:\Windows\System32\ARlniDb.exe
  2⤵
  PID:10752
- C:\Windows\System32\tHzzowG.exe
  C:\Windows\System32\tHzzowG.exe
  2⤵
  PID:10832
- C:\Windows\System32\rfOXKVQ.exe
  C:\Windows\System32\rfOXKVQ.exe
  2⤵
  PID:10904
- C:\Windows\System32\PWZdaOP.exe
  C:\Windows\System32\PWZdaOP.exe
  2⤵
  PID:10960
- C:\Windows\System32\ZEsorUO.exe
  C:\Windows\System32\ZEsorUO.exe
  2⤵
  PID:11016
- C:\Windows\System32\HANUiQu.exe
  C:\Windows\System32\HANUiQu.exe
  2⤵
  PID:11064
- C:\Windows\System32\RoaQrDO.exe
  C:\Windows\System32\RoaQrDO.exe
  2⤵
  PID:11144
- C:\Windows\System32\qNmJExv.exe
  C:\Windows\System32\qNmJExv.exe
  2⤵
  PID:11200
- C:\Windows\System32\MjnyOQM.exe
  C:\Windows\System32\MjnyOQM.exe
  2⤵
  PID:11252
- C:\Windows\System32\RqVLJVr.exe
  C:\Windows\System32\RqVLJVr.exe
  2⤵
  PID:10432
- C:\Windows\System32\rWQfgNa.exe
  C:\Windows\System32\rWQfgNa.exe
  2⤵
  PID:10532
- C:\Windows\System32\ocdSkFa.exe
  C:\Windows\System32\ocdSkFa.exe
  2⤵
  PID:10720
- C:\Windows\System32\cbGyZJQ.exe
  C:\Windows\System32\cbGyZJQ.exe
  2⤵
  PID:10892
- C:\Windows\System32\HaKqWYw.exe
  C:\Windows\System32\HaKqWYw.exe
  2⤵
  PID:11008
- C:\Windows\System32\vsdOPDo.exe
  C:\Windows\System32\vsdOPDo.exe
  2⤵
  PID:11184
- C:\Windows\System32\VuCLSVI.exe
  C:\Windows\System32\VuCLSVI.exe
  2⤵
  PID:10408
- C:\Windows\System32\wvARGuE.exe
  C:\Windows\System32\wvARGuE.exe
  2⤵
  PID:10768
- C:\Windows\System32\YuEEulH.exe
  C:\Windows\System32\YuEEulH.exe
  2⤵
  PID:2816
- C:\Windows\System32\QShHZZv.exe
  C:\Windows\System32\QShHZZv.exe
  2⤵
  PID:11040
- C:\Windows\System32\uHuEWOH.exe
  C:\Windows\System32\uHuEWOH.exe
  2⤵
  PID:11300
- C:\Windows\System32\SpiXXHY.exe
  C:\Windows\System32\SpiXXHY.exe
  2⤵
  PID:11328
- C:\Windows\System32\QAURoVk.exe
  C:\Windows\System32\QAURoVk.exe
  2⤵
  PID:11356
- C:\Windows\System32\KPWfOYY.exe
  C:\Windows\System32\KPWfOYY.exe
  2⤵
  PID:11396
- C:\Windows\System32\bkCqYpT.exe
  C:\Windows\System32\bkCqYpT.exe
  2⤵
  PID:11436
- C:\Windows\System32\wDiEzol.exe
  C:\Windows\System32\wDiEzol.exe
  2⤵
  PID:11464
- C:\Windows\System32\qXEPQQv.exe
  C:\Windows\System32\qXEPQQv.exe
  2⤵
  PID:11496
- C:\Windows\System32\XHgklwx.exe
  C:\Windows\System32\XHgklwx.exe
  2⤵
  PID:11544
- C:\Windows\System32\sfkZTUD.exe
  C:\Windows\System32\sfkZTUD.exe
  2⤵
  PID:11572
- C:\Windows\System32\LhAIfjq.exe
  C:\Windows\System32\LhAIfjq.exe
  2⤵
  PID:11600
- C:\Windows\System32\rikekpp.exe
  C:\Windows\System32\rikekpp.exe
  2⤵
  PID:11628
- C:\Windows\System32\KfVNOXB.exe
  C:\Windows\System32\KfVNOXB.exe
  2⤵
  PID:11656
- C:\Windows\System32\FvWzjlh.exe
  C:\Windows\System32\FvWzjlh.exe
  2⤵
  PID:11684
- C:\Windows\System32\dfYivzd.exe
  C:\Windows\System32\dfYivzd.exe
  2⤵
  PID:11712
- C:\Windows\System32\DaiTBhB.exe
  C:\Windows\System32\DaiTBhB.exe
  2⤵
  PID:11740
- C:\Windows\System32\sszyvlW.exe
  C:\Windows\System32\sszyvlW.exe
  2⤵
  PID:11768
- C:\Windows\System32\MGBKdPb.exe
  C:\Windows\System32\MGBKdPb.exe
  2⤵
  PID:11796
- C:\Windows\System32\spauOQB.exe
  C:\Windows\System32\spauOQB.exe
  2⤵
  PID:11820
- C:\Windows\System32\mLSQrPm.exe
  C:\Windows\System32\mLSQrPm.exe
  2⤵
  PID:11844
- C:\Windows\System32\JNJevDw.exe
  C:\Windows\System32\JNJevDw.exe
  2⤵
  PID:11880
- C:\Windows\System32\fNKzlFr.exe
  C:\Windows\System32\fNKzlFr.exe
  2⤵
  PID:11900
- C:\Windows\System32\fJiIXYt.exe
  C:\Windows\System32\fJiIXYt.exe
  2⤵
  PID:11944
- C:\Windows\System32\ipsJOnv.exe
  C:\Windows\System32\ipsJOnv.exe
  2⤵
  PID:11980
- C:\Windows\System32\ANRFuKP.exe
  C:\Windows\System32\ANRFuKP.exe
  2⤵
  PID:12016
- C:\Windows\System32\Uzjthiz.exe
  C:\Windows\System32\Uzjthiz.exe
  2⤵
  PID:12044
- C:\Windows\System32\fdhuEQw.exe
  C:\Windows\System32\fdhuEQw.exe
  2⤵
  PID:12072
- C:\Windows\System32\TPiotCD.exe
  C:\Windows\System32\TPiotCD.exe
  2⤵
  PID:12100
- C:\Windows\System32\JZeDejs.exe
  C:\Windows\System32\JZeDejs.exe
  2⤵
  PID:12128
- C:\Windows\System32\zDfFcsb.exe
  C:\Windows\System32\zDfFcsb.exe
  2⤵
  PID:12156
- C:\Windows\System32\YfcWWcH.exe
  C:\Windows\System32\YfcWWcH.exe
  2⤵
  PID:12184
- C:\Windows\System32\faXdCaU.exe
  C:\Windows\System32\faXdCaU.exe
  2⤵
  PID:12212
- C:\Windows\System32\RALhYqi.exe
  C:\Windows\System32\RALhYqi.exe
  2⤵
  PID:12244
- C:\Windows\System32\oNHuTaT.exe
  C:\Windows\System32\oNHuTaT.exe
  2⤵
  PID:12276
- C:\Windows\System32\MjpwbgF.exe
  C:\Windows\System32\MjpwbgF.exe
  2⤵
  PID:4768
- C:\Windows\System32\YnyeDVk.exe
  C:\Windows\System32\YnyeDVk.exe
  2⤵
  PID:11376
- C:\Windows\System32\KHYXVII.exe
  C:\Windows\System32\KHYXVII.exe
  2⤵
  PID:11556
- C:\Windows\System32\SnpYkcu.exe
  C:\Windows\System32\SnpYkcu.exe
  2⤵
  PID:11616
- C:\Windows\System32\NNfGfEs.exe
  C:\Windows\System32\NNfGfEs.exe
  2⤵
  PID:11680
- C:\Windows\System32\IYfOctN.exe
  C:\Windows\System32\IYfOctN.exe
  2⤵
  PID:11732
- C:\Windows\System32\sNDegwa.exe
  C:\Windows\System32\sNDegwa.exe
  2⤵
  PID:11828
- C:\Windows\System32\MOqIhtI.exe
  C:\Windows\System32\MOqIhtI.exe
  2⤵
  PID:11876
- C:\Windows\System32\UsPweIB.exe
  C:\Windows\System32\UsPweIB.exe
  2⤵
  PID:11976
- C:\Windows\System32\OpYpwlz.exe
  C:\Windows\System32\OpYpwlz.exe
  2⤵
  PID:12040
- C:\Windows\System32\UWLxwpp.exe
  C:\Windows\System32\UWLxwpp.exe
  2⤵
  PID:12124
- C:\Windows\System32\rrMeSDY.exe
  C:\Windows\System32\rrMeSDY.exe
  2⤵
  PID:12208
- C:\Windows\System32\bpQFjIq.exe
  C:\Windows\System32\bpQFjIq.exe
  2⤵
  PID:12268
- C:\Windows\System32\ljKDMsR.exe
  C:\Windows\System32\ljKDMsR.exe
  2⤵
  PID:11412
- C:\Windows\System32\QZyypRF.exe
  C:\Windows\System32\QZyypRF.exe
  2⤵
  PID:4348
- C:\Windows\System32\JCJyDVe.exe
  C:\Windows\System32\JCJyDVe.exe
  2⤵
  PID:640
- C:\Windows\System32\fwguYTc.exe
  C:\Windows\System32\fwguYTc.exe
  2⤵
  PID:11584
- C:\Windows\System32\sMGaxeo.exe
  C:\Windows\System32\sMGaxeo.exe
  2⤵
  PID:11724
- C:\Windows\System32\rzNoKUJ.exe
  C:\Windows\System32\rzNoKUJ.exe
  2⤵
  PID:11872
- C:\Windows\System32\DewszRo.exe
  C:\Windows\System32\DewszRo.exe
  2⤵
  PID:12068
- C:\Windows\System32\XNgnUOI.exe
  C:\Windows\System32\XNgnUOI.exe
  2⤵
  PID:12240
- C:\Windows\System32\DFIRCQp.exe
  C:\Windows\System32\DFIRCQp.exe
  2⤵
  PID:4968
- C:\Windows\System32\TcwmEen.exe
  C:\Windows\System32\TcwmEen.exe
  2⤵
  PID:11792
- C:\Windows\System32\muRSjmT.exe
  C:\Windows\System32\muRSjmT.exe
  2⤵
  PID:12152
- C:\Windows\System32\nezCsvn.exe
  C:\Windows\System32\nezCsvn.exe
  2⤵
  PID:11540
- C:\Windows\System32\aRzcscW.exe
  C:\Windows\System32\aRzcscW.exe
  2⤵
  PID:11348
- C:\Windows\System32\zpkExDP.exe
  C:\Windows\System32\zpkExDP.exe
  2⤵
  PID:12296
- C:\Windows\System32\rHKqHbN.exe
  C:\Windows\System32\rHKqHbN.exe
  2⤵
  PID:12324
- C:\Windows\System32\Washztg.exe
  C:\Windows\System32\Washztg.exe
  2⤵
  PID:12352
- C:\Windows\System32\vxMhWci.exe
  C:\Windows\System32\vxMhWci.exe
  2⤵
  PID:12380
- C:\Windows\System32\OPmRpWJ.exe
  C:\Windows\System32\OPmRpWJ.exe
  2⤵
  PID:12420
- C:\Windows\System32\zxyHZYQ.exe
  C:\Windows\System32\zxyHZYQ.exe
  2⤵
  PID:12472
- C:\Windows\System32\xNkMweX.exe
  C:\Windows\System32\xNkMweX.exe
  2⤵
  PID:12504
- C:\Windows\System32\CMCeNjR.exe
  C:\Windows\System32\CMCeNjR.exe
  2⤵
  PID:12544
- C:\Windows\System32\UnlpPmS.exe
  C:\Windows\System32\UnlpPmS.exe
  2⤵
  PID:12580
- C:\Windows\System32\hYqUTSk.exe
  C:\Windows\System32\hYqUTSk.exe
  2⤵
  PID:12608
- C:\Windows\System32\yjJXSty.exe
  C:\Windows\System32\yjJXSty.exe
  2⤵
  PID:12640
- C:\Windows\System32\NxJgVDV.exe
  C:\Windows\System32\NxJgVDV.exe
  2⤵
  PID:12672
- C:\Windows\System32\czZcBAZ.exe
  C:\Windows\System32\czZcBAZ.exe
  2⤵
  PID:12700
- C:\Windows\System32\lWJjynJ.exe
  C:\Windows\System32\lWJjynJ.exe
  2⤵
  PID:12728
- C:\Windows\System32\ItnknCy.exe
  C:\Windows\System32\ItnknCy.exe
  2⤵
  PID:12756
- C:\Windows\System32\YSXEtLm.exe
  C:\Windows\System32\YSXEtLm.exe
  2⤵
  PID:12796
- C:\Windows\System32\JTweedm.exe
  C:\Windows\System32\JTweedm.exe
  2⤵
  PID:12812
- C:\Windows\System32\bPmYLeO.exe
  C:\Windows\System32\bPmYLeO.exe
  2⤵
  PID:12848
- C:\Windows\System32\WBppeDz.exe
  C:\Windows\System32\WBppeDz.exe
  2⤵
  PID:12876
- C:\Windows\System32\VBdoFdR.exe
  C:\Windows\System32\VBdoFdR.exe
  2⤵
  PID:12904
- C:\Windows\System32\tecpQTG.exe
  C:\Windows\System32\tecpQTG.exe
  2⤵
  PID:12956
- C:\Windows\System32\aqKhLfD.exe
  C:\Windows\System32\aqKhLfD.exe
  2⤵
  PID:13000
- C:\Windows\System32\bevoRFq.exe
  C:\Windows\System32\bevoRFq.exe
  2⤵
  PID:13028
- C:\Windows\System32\WRKmBAY.exe
  C:\Windows\System32\WRKmBAY.exe
  2⤵
  PID:13056
- C:\Windows\System32\iCmRgjW.exe
  C:\Windows\System32\iCmRgjW.exe
  2⤵
  PID:13084
- C:\Windows\System32\hmRtWLO.exe
  C:\Windows\System32\hmRtWLO.exe
  2⤵
  PID:13112
- C:\Windows\System32\OezDJiD.exe
  C:\Windows\System32\OezDJiD.exe
  2⤵
  PID:13144
- C:\Windows\System32\NsIbtwv.exe
  C:\Windows\System32\NsIbtwv.exe
  2⤵
  PID:13172
- C:\Windows\System32\gCQRvuc.exe
  C:\Windows\System32\gCQRvuc.exe
  2⤵
  PID:13196
- C:\Windows\System32\sfxNPWQ.exe
  C:\Windows\System32\sfxNPWQ.exe
  2⤵
  PID:13228
- C:\Windows\System32\QiecjNK.exe
  C:\Windows\System32\QiecjNK.exe
  2⤵
  PID:13248
- C:\Windows\System32\ansYgPO.exe
  C:\Windows\System32\ansYgPO.exe
  2⤵
  PID:13284
- C:\Windows\System32\StCcyXd.exe
  C:\Windows\System32\StCcyXd.exe
  2⤵
  PID:12292
- C:\Windows\System32\YDuaRSR.exe
  C:\Windows\System32\YDuaRSR.exe
  2⤵
  PID:12368
- C:\Windows\System32\brYSiOy.exe
  C:\Windows\System32\brYSiOy.exe
  2⤵
  PID:12444
- C:\Windows\System32\trrMGNA.exe
  C:\Windows\System32\trrMGNA.exe
  2⤵
  PID:12524
- C:\Windows\System32\UheiRJH.exe
  C:\Windows\System32\UheiRJH.exe
  2⤵
  PID:12576
- C:\Windows\System32\ZPrUHdx.exe
  C:\Windows\System32\ZPrUHdx.exe
  2⤵
  PID:12636
- C:\Windows\System32\VbRMGlm.exe
  C:\Windows\System32\VbRMGlm.exe
  2⤵
  PID:12696
- C:\Windows\System32\oyTLDit.exe
  C:\Windows\System32\oyTLDit.exe
  2⤵
  PID:12768
- C:\Windows\System32\iRxeOJu.exe
  C:\Windows\System32\iRxeOJu.exe
  2⤵
  PID:12448

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\EcgjzEH.exe

Filesize
2.9MB

MD5
b3dd15cf98cdfc3f65976db9c564e1f7

SHA1
de2ed11a51cfae2c99dfea088d76408b5c0779aa

SHA256
dc91df7b5fb7bb0c1faf363bed5a204236048ffe971424f50a70938104f55cef

SHA512
25ed03b36849b1d3eb37628d380fa5e7b183cd70087fe9065b34561e672496479dbe5a5422a918c6fcf1d748b9a7c844b090e3fc00f92638fa84c7b09855a3b2

Download Submit
C:\Windows\System32\GVeMuWi.exe

Filesize
2.9MB

MD5
e4ff78a00ffe44db524b69f2443c5d35

SHA1
8aed0c802a347c28f445a2dce442b86a0e45c22e

SHA256
502d4b1f04ac687c3ab81cd657e0c6be263a2095bb196500acb1e9d5f3cdfcdd

SHA512
f0d145ec07705d9cad96a7fa67d08bf1fc18811a3181d721b4d1c9f6c1f64b31ba961eff522d79e7d50687a76a1e36cfa55c1128bbf9dfb803b20db1dafd0c1b

Download Submit
C:\Windows\System32\HqREPAi.exe

Filesize
2.9MB

MD5
511c622aacb845c4befa367326e8da4a

SHA1
06ff1f001e6e0a043a5a2852fd268b80a3d6c994

SHA256
60ced7631197e7a3901f359449bed8d321a6d2367c357d6aee10ef46abb1af65

SHA512
70db3b2222498304741429c5656f5aba93e3b46117e64494f05fc08c399a3e972e922f8a1677ea467eb44e0cb7dfd626d8efc0a1a6b9ca2efafc95dfa597ba96

Download Submit
C:\Windows\System32\IGqCxwV.exe

Filesize
2.9MB

MD5
963c36e9a462c31ee597798037d2b916

SHA1
de50439aecdb9e8cebb0bc149f0467c29b0c875d

SHA256
95f0d76cd5c5e6bb2b93abdb46f3c4f6b8bd4a9888751345428760aa006cf253

SHA512
e3fed2cb6ed7979a8057af1bbaceca1c18a9b7d6685f41dd79012973fdb8009fe1d8a0db9ee876c82288de8b484d0175baf90c40015ea5df22ab3c8f0bc67a6a

Download Submit
C:\Windows\System32\JFPcfrp.exe

Filesize
2.9MB

MD5
8304232c04c0901eac07cf1c42af0a3f

SHA1
5533762b5c197796b74427ecc953a0c4c9f1da94

SHA256
b7f4073889ae04e0e77197263a2ec1f1447fa32643f7d28a8bc87ee3cc936476

SHA512
c7eedf48960ed085f4d0d582fd73ca346972d88343215dea794dfb8b9ea8c251c1c1fa26715fbcd3a7cd66e730d6bb2d2bd5ba2f1d57b253034125c94c8ac515

Download Submit
C:\Windows\System32\KcEauPA.exe

Filesize
2.9MB

MD5
88ce943a570b1b31e797a621ccbd4bea

SHA1
cdf7087354c7cc03e1b02e7b3a11b4da8d4c8690

SHA256
8d4771785420d107a4722fb664c6fc1dfbe3b5f1ad1d1e9116ab579a53b66190

SHA512
42036b5c581f492b3f16a1f423ace40f61c97346faf25baef87f51001a442a970b7d4bdf09d7908cb5f3ae9a6458209fae7caa337a1af4dd2a13850bddbccc96

Download Submit
C:\Windows\System32\MvbWgks.exe

Filesize
2.9MB

MD5
8fdc7dfaa5bef15265172154e535e997

SHA1
ec7aa003631f8ddffc53f2006f610547c725fca7

SHA256
d0d0c3af304d714393ae8b0b1fcb4464cd07385990e9adfbe2779656b90b29ce

SHA512
66aeacc16ed1c2a23db8a5da331ab884d2165ee236797385ca1250487be05d5aea15592428be7893c904287424602de18e5c44e7785849c1cee002f7770274bd

Download Submit
C:\Windows\System32\NrERroh.exe

Filesize
2.9MB

MD5
df57e810663ad0312a7fef2b32c8cab7

SHA1
5168da1e26864dff474e7acb7839051757edee02

SHA256
9e7df44b676eca0c5f382aa6039705918a3d2fea1920157edd9d79f6496363bd

SHA512
5dd4f34758e9f5d8e6ec9f55c7ff93cf1a986666e0c9e565a141460b741f9b10424422f6f0049ffaed0af92101995a33c40b14a1058a9ec2d8d6d80a10cbbd04

Download Submit
C:\Windows\System32\Nsddagh.exe

Filesize
2.9MB

MD5
bd1b4535517b9d7e6999742719e6d71d

SHA1
f31444dc7086488c3388d2ced2f97a44338a2067

SHA256
389fa8bd49682843801a7ed0fa20ec517e0787a2881921a1a9daa9167af0ba89

SHA512
3d5ada29322c66a5a03fb368cb93c8b4271409a8a661823895f05af93c80489b8b60e1408fb65603bf7d1f580ca674cf27ca9b824627c6083832dd208d1376d5

Download Submit
C:\Windows\System32\QpMGYHa.exe

Filesize
2.9MB

MD5
672f4e5300e251849f8e0f008e753d2d

SHA1
73c37b29ea7a94a9c6d151277c6b3152bfd1be73

SHA256
d053a44682555b59101616dc62e6c9b707003cc7cdd0d2a2392e8e5f193eafbf

SHA512
bcd5d07ab80e319c82f2c8b66b5ecba31babc832bcb909537f9307192062c2c32d23aa797d0716f3d9b09c2d7109b79d6ba6b0494803a4d5e9d63f12db5179a4

Download Submit
C:\Windows\System32\QyyHugA.exe

Filesize
2.9MB

MD5
2d5ce818bd0b597c207e4d88545c63f8

SHA1
b5c85b4a07dd68ea3e9d02a41292a5b943221666

SHA256
24e9e40a523a9c3bd36d66ff3a586da291328014c62414537d0bd98c3ff45bc8

SHA512
4cc1a03ce7411d66ea4d3c888218232f36d8c8e7e99ad371366a95f2293ebafcb1b907883c1256f97fd12dc90f6931f117f2f6067dd5a04a7868ecf571aff526

Download Submit
C:\Windows\System32\SwnFCia.exe

Filesize
2.9MB

MD5
df63accd1452a002e6cecb01f841ccda

SHA1
644bc7364a83aa3bb584f4ea123b255ff44998fb

SHA256
9871e17047f8494e44a54aacc2690196882287776dfce1ff83bbf4d6f1878868

SHA512
60a1e20c78cfb3a2a07a91814d5f6a1e99da6bc3371207445139946d13b998e04c094a870068ead23a9c6524464ee806d5d3bafc08d6755a5a6ec8cd18a56b02

Download Submit
C:\Windows\System32\TAtHGwv.exe

Filesize
2.9MB

MD5
fde261d0e7c4515420bc96e2580d1e22

SHA1
19045d99ecd34c40f9887b02d4ee8b81c792b48f

SHA256
16ecadd507e5a54d8c1b9a93b462acc2f520fcf03a03dc6b268a24f14663515c

SHA512
3b8b46b2e011d3c9b452e52706466a252f7899ccc8dcbc7008dd20b5d27ac0ceef398421892c985ff949ec859516f19b0cc927ac510254c81a1c6bb5f8504434

Download Submit
C:\Windows\System32\XsdgMDq.exe

Filesize
2.9MB

MD5
a53824093452c43361bc3fdb36cdcdf8

SHA1
0da5272101290f127f5a9e1d96e29c9c57e26adb

SHA256
b293cdbb10c2c92c32c8ae43c68f0f1d4a556edfbe4581c9a8a531dbed4d13cc

SHA512
410cafb3daf6812296d6f322d0edc80c48d2c1d695a9e5f8fa044739c27b4961f9be7b38f68ce9d4dff8077f2e8256eb5bc2ad30493e7b9bec8f12f40334a861

Download Submit
C:\Windows\System32\agWTWgy.exe

Filesize
2.9MB

MD5
428a195c065814ae6ed07d5fb34c76f5

SHA1
742798cab674d0e2badd840b1d6ddfc6d69db658

SHA256
d2e62d4b6fda0d26e656f89f4c18348220b6d4b9e3b2818e840d325383bcaec8

SHA512
c6b46cb2ec5a0f97d3138bd3aa4c83b0bea8340a01d54cf9806b628420e847e559993c9dac1612f04688271b3be7f5922b2ae099599103f68f3b03802215dcf7

Download Submit
C:\Windows\System32\apAsDGo.exe

Filesize
2.9MB

MD5
609f52ec219455dbe3fb29d9f1593b44

SHA1
e975454947de99761322f174469e0b0cbd681432

SHA256
516184f8cc4c4e036b87c1e2c8d9268b151db090644454bab729f6ea2ee9a6b8

SHA512
3ffaf551abfe212ffbe15ba2192b1820d6b1e93fbd1cb9165be5259fe9787b14311ed431ff019b9e6b07a70bc9800c27555bc1a7f01901d7c98b340a97411de3

Download Submit
C:\Windows\System32\duriTIz.exe

Filesize
2.9MB

MD5
42be334d2ad059a4b1f7d25c091e32a2

SHA1
88d4954ab8c144e577e143dd4cbdff4aae52b438

SHA256
ab07c74a7280d9d1d4629ac911118073c2504810d0dec18aeecf1e59c9ed1ad4

SHA512
545180edbd94b9f55f69531a2b5f695b9b0ab9a967352aa0424f8a9dc9bbb4bc32f5b8cccdcd9fd7f91fb4a90cc1d0e1ec0dff6e2f1beb639d688b2ad14e163a

Download Submit
C:\Windows\System32\eDvtCuE.exe

Filesize
2.9MB

MD5
9684c0e27e68181402b79f4d3f31ac24

SHA1
fa05ab29b71cbceed732cf1f4cb1efd54b8c1f8d

SHA256
37be14850367ab13efc203317fd8ddffbbba66f9a26afcf0e88becfd1e3655c4

SHA512
49621f76dbf88548b26dad18eaf38a73441346117fa8ac0321f1508bab958dae0e5f538fd792d27755de03b14d73b10206766026de1204be4b0d83779f1942fa

Download Submit
C:\Windows\System32\fYDLcOQ.exe

Filesize
2.9MB

MD5
d138ac1d6f9dc68a10796faa62f7d695

SHA1
634bc77576e802e2f4387c1c59c174c5371acbad

SHA256
a606525e1703745b151f86849f05ddd0aac1130de7dfec5e8eeb60bff79ff0ba

SHA512
211e4b736e37abccb56950e02279257a2bcae3289ad19bb26c488aef93d59815d6bf718ae3dfe87ce7bd9b32c0cba200f15d9529de6f646b8c8b59835fe21127

Download Submit
C:\Windows\System32\fsfRAsx.exe

Filesize
2.9MB

MD5
845c54eecd9194e163f1144bdf00922a

SHA1
ddf0833f07e00377a7d63ec38bfc9d59056b71bb

SHA256
21bd21e59f25dafd745e01c46dc647777b9b2dea2396cc3e45041e0fd200d002

SHA512
5a1973ece3a95cc342d3502e36192f82e291063eca9c7a38a36930b153c8f90e8c5914ecfa464f4e47c6e02cbcc1636696aa00097b96a89891f2b7324da28c9e

Download Submit
C:\Windows\System32\gowmzUS.exe

Filesize
2.9MB

MD5
7b6da08a556b2015a1f5821811ad03ba

SHA1
7ff6c309bc256d74217651d368837db099411da1

SHA256
55e8429b847dac514e542d50953901cc93d7f228e856ce1475141cc2c72ae1e9

SHA512
e05d380a4d0437ff93745a02ada71529f8f79910c1d1efc5e91e9839473d81efd6c1aa1dafc4ab4136702687bf4408837199aee9385c4923089193d244cb8e62

Download Submit
C:\Windows\System32\hyDKany.exe

Filesize
2.9MB

MD5
4899cc8fe93282fe172e15352a6e0578

SHA1
41a8d4e596555dd5631cfa381e1e107036a4b40b

SHA256
a79c3355670764f5458900192b95f882186c49b4a8fdb34502ce784c796f5581

SHA512
4f115349c69945fad22870b9c718410b20fdfccc76469658505e25a17e4e6f60420715409aa798663e11aca2fa2d0d702c2eabcce95ccbb977717f5e2a0523b6

Download Submit
C:\Windows\System32\joLSYRO.exe

Filesize
2.9MB

MD5
1a50deec985c8ca2826c7320c7e94288

SHA1
36ff24ebe965c6d76d811d5900129a9ffa9b80ae

SHA256
e2172ebe26156bf17566748d46c03c0a04ae2cab0284f7b373527e1c154d362f

SHA512
0d82472d01638936e3659d5d08f2ed7135e341e5e29bc9ea1b009a7d67a3adc0356d4e6a605b01d0ff37280b395451ee2162b5fb4b8acf7ab07b467dbc0a525a

Download Submit
C:\Windows\System32\nKfWuWn.exe

Filesize
2.9MB

MD5
766a886b275ffd3e758095bd9629ee7d

SHA1
abed242d5498df2c0ea9f24fc27a021c9de3e11e

SHA256
a486b93e46ba10fffdaccff9673f76b96ec57a3858b886a06d81dfb68113c1d4

SHA512
6fed27e21d8e57a912c786b7f8b087ddf003229aa44bfeb8936a4968fbdd1787b04dfd7d888c0ebbfb7007f3f0219330a75496699820350d76fcf0affee97f60

Download Submit
C:\Windows\System32\nKirsLi.exe

Filesize
2.9MB

MD5
f9b534550f4b1de91fda112373858cdb

SHA1
ca7472642743d68c1fa0df40aa97a85c594a4054

SHA256
0a2cd6362286a6d2773f27836668081c40b0c66d0d4bd825d0b6f11719323c50

SHA512
58469763e7855a7da599e3bc757ad6209ddb0022cbe4ba985a0f16c10fbcca0447c80ba6f35fa3dc105dc35cacb40c14229eae5626be36d517e8cb419519df50

Download Submit
C:\Windows\System32\rCNzeDZ.exe

Filesize
2.9MB

MD5
e951eecd679ab615f2c54e74f189d23f

SHA1
59b11e27508a5dd38c527a2020595c83b2dcba7f

SHA256
c78c9c6b55f6f3d7c7c758fdd649dce65cda78f57caa4dd1defce14d7ae5b80d

SHA512
cbeb818ee0ec5c19b221d1364e7a40868eae78aed87cd43c892f0957882a0ebf0398abc3baf665b094322728ed49a345979d5aa5c951fc86bcef39b2162fa1dd

Download Submit
C:\Windows\System32\rYSXvtW.exe

Filesize
2.9MB

MD5
3830df8c0f2eacb3346fe271cc18a1b1

SHA1
f18053c7699e7231ca2e4f939e6c6295dbafc87f

SHA256
9df805273b14a857d5b97ccaa29eb56ab96962e72911392bb646f9e383804b8d

SHA512
067c1288588776c5fb327f4e823cd2cfd0d59f8ed8c8c2fa5ec51121b0a7a5779b823560728d3dcac011a5caed8a6a8aa3d937051c4291c169d279f652ec3377

Download Submit
C:\Windows\System32\sorWgjQ.exe

Filesize
2.9MB

MD5
288c072cf84140ae31ac500e17d96e8a

SHA1
3c2ef4b6057082bc9e164224f4d8e2328020afed

SHA256
df4cf0dff2f0afa6151a6e46c0559df2ad2eedebbad0051730d50cab464af2fb

SHA512
427345154545e465c9155472f48f381434a35307d2a8a13f55fc7ef0d5c7f2314af8d329f597d5ef8e38c7218314d5e1ac3b660e32b2bc3b729063914e199b35

Download Submit
C:\Windows\System32\tLJPtXF.exe

Filesize
2.9MB

MD5
2e8968f20d5ede9233f2ca39791ca2c4

SHA1
13f8ffd2888f9cfc95e43598a0ca129100871810

SHA256
0eb9fdf7e77a56284b70b1244745a5e794157f7146767d9019e4e15c69a5c4b3

SHA512
b68050d0612fbcb4bfbf106a51fc691c76bb73e86699e3289920764fd78ad7be23fbb4a484f3c49d8225a1c8cd2e7fe8c306a67264d2955c796b21be8c48c396

Download Submit
C:\Windows\System32\tVVLIze.exe

Filesize
2.9MB

MD5
f3bfb373091f48218ce3a5cad7791c4d

SHA1
db6d0aa405cd27e166af83be453b6bb6f652e58b

SHA256
68fae172f28566de4c2ceb7545d899bd948950944e61203fef163b138698a583

SHA512
796acf410b4cd0e83867c90f526ea584eb5236c29671e13ee3158ccb446a8c5714087c728e3629f2cc487fdffd225c901c323150ed1fdcbd468a301f77498f7b

Download Submit
C:\Windows\System32\vwsaXcr.exe

Filesize
2.9MB

MD5
0bd4916db2832a86163deff17728840d

SHA1
ff91310206de9294fcf9b179ed2611ad9f88db35

SHA256
6018411eb79e1fd1599432ebb981d2e47833bb88097ff3fb889566866bd7c572

SHA512
e41e16ccab6f88b39803b6f30a0acdab80f3c417f77ef5f522f1f60107c9e42d6fe14f87eaac56bc7d81f0d6bdc50b261b89eebc86e45af91fc7532f7eb724cf

Download Submit
C:\Windows\System32\wwpMxoB.exe

Filesize
2.9MB

MD5
1bf4b06c24e5030bbe2e8b1d963c9cd1

SHA1
d93a894da1a0dd108a8aafd3fcbdd8ac8cbbf8c2

SHA256
31d61c128769cd949295791486f380ac349aac62aab820883c6a905823334c06

SHA512
e8b710bdc2e3aaaa4de784cc6578b3991c59a0bf362a261b7920f49b80527378b1546471f18badc4a8650de770d9870231d0c8bffcba83ff94316c9062e1b45e

Download Submit
memory/344-893-0x00007FF6BA6B0000-0x00007FF6BAAA5000-memory.dmp

Filesize
4.0MB

Download
memory/344-1924-0x00007FF6BA6B0000-0x00007FF6BAAA5000-memory.dmp

Filesize
4.0MB

Download
memory/436-819-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp

Filesize
4.0MB

Download
memory/436-1917-0x00007FF77EC80000-0x00007FF77F075000-memory.dmp

Filesize
4.0MB

Download
memory/748-865-0x00007FF7AC0D0000-0x00007FF7AC4C5000-memory.dmp

Filesize
4.0MB

Download
memory/748-1925-0x00007FF7AC0D0000-0x00007FF7AC4C5000-memory.dmp

Filesize
4.0MB

Download
memory/1284-1919-0x00007FF668D90000-0x00007FF669185000-memory.dmp

Filesize
4.0MB

Download
memory/1284-861-0x00007FF668D90000-0x00007FF669185000-memory.dmp

Filesize
4.0MB

Download
memory/1784-1-0x0000018388AC0000-0x0000018388AD0000-memory.dmp

Filesize
64KB

Download
memory/1784-0-0x00007FF623860000-0x00007FF623C55000-memory.dmp

Filesize
4.0MB

Download
memory/1808-911-0x00007FF777400000-0x00007FF7777F5000-memory.dmp

Filesize
4.0MB

Download
memory/1808-1936-0x00007FF777400000-0x00007FF7777F5000-memory.dmp

Filesize
4.0MB

Download
memory/1964-917-0x00007FF78BEB0000-0x00007FF78C2A5000-memory.dmp

Filesize
4.0MB

Download
memory/1964-1935-0x00007FF78BEB0000-0x00007FF78C2A5000-memory.dmp

Filesize
4.0MB

Download
memory/1968-869-0x00007FF6324C0000-0x00007FF6328B5000-memory.dmp

Filesize
4.0MB

Download
memory/1968-1926-0x00007FF6324C0000-0x00007FF6328B5000-memory.dmp

Filesize
4.0MB

Download
memory/2208-854-0x00007FF7A1C60000-0x00007FF7A2055000-memory.dmp

Filesize
4.0MB

Download
memory/2208-1920-0x00007FF7A1C60000-0x00007FF7A2055000-memory.dmp

Filesize
4.0MB

Download
memory/2388-846-0x00007FF7AEE30000-0x00007FF7AF225000-memory.dmp

Filesize
4.0MB

Download
memory/2388-1922-0x00007FF7AEE30000-0x00007FF7AF225000-memory.dmp

Filesize
4.0MB

Download
memory/2512-823-0x00007FF65BFA0000-0x00007FF65C395000-memory.dmp

Filesize
4.0MB

Download
memory/2512-1921-0x00007FF65BFA0000-0x00007FF65C395000-memory.dmp

Filesize
4.0MB

Download
memory/2520-829-0x00007FF7E7810000-0x00007FF7E7C05000-memory.dmp

Filesize
4.0MB

Download
memory/2520-1918-0x00007FF7E7810000-0x00007FF7E7C05000-memory.dmp

Filesize
4.0MB

Download
memory/2536-9-0x00007FF737230000-0x00007FF737625000-memory.dmp

Filesize
4.0MB

Download
memory/2536-1912-0x00007FF737230000-0x00007FF737625000-memory.dmp

Filesize
4.0MB

Download
memory/2536-1914-0x00007FF737230000-0x00007FF737625000-memory.dmp

Filesize
4.0MB

Download
memory/2540-892-0x00007FF60D2E0000-0x00007FF60D6D5000-memory.dmp

Filesize
4.0MB

Download
memory/2540-1929-0x00007FF60D2E0000-0x00007FF60D6D5000-memory.dmp

Filesize
4.0MB

Download
memory/2616-838-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp

Filesize
4.0MB

Download
memory/2616-1923-0x00007FF70CFC0000-0x00007FF70D3B5000-memory.dmp

Filesize
4.0MB

Download
memory/2764-1934-0x00007FF6B6A10000-0x00007FF6B6E05000-memory.dmp

Filesize
4.0MB

Download
memory/2764-914-0x00007FF6B6A10000-0x00007FF6B6E05000-memory.dmp

Filesize
4.0MB

Download
memory/2768-1915-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp

Filesize
4.0MB

Download
memory/2768-17-0x00007FF6A9D20000-0x00007FF6AA115000-memory.dmp

Filesize
4.0MB

Download
memory/3036-1930-0x00007FF601110000-0x00007FF601505000-memory.dmp

Filesize
4.0MB

Download
memory/3036-834-0x00007FF601110000-0x00007FF601505000-memory.dmp

Filesize
4.0MB

Download
memory/4024-906-0x00007FF6FAAD0000-0x00007FF6FAEC5000-memory.dmp

Filesize
4.0MB

Download
memory/4024-1933-0x00007FF6FAAD0000-0x00007FF6FAEC5000-memory.dmp

Filesize
4.0MB

Download
memory/4300-1913-0x00007FF674DA0000-0x00007FF675195000-memory.dmp

Filesize
4.0MB

Download
memory/4300-1916-0x00007FF674DA0000-0x00007FF675195000-memory.dmp

Filesize
4.0MB

Download
memory/4300-18-0x00007FF674DA0000-0x00007FF675195000-memory.dmp

Filesize
4.0MB

Download
memory/4368-925-0x00007FF63EE80000-0x00007FF63F275000-memory.dmp

Filesize
4.0MB

Download
memory/4368-1937-0x00007FF63EE80000-0x00007FF63F275000-memory.dmp

Filesize
4.0MB

Download
memory/4424-1928-0x00007FF641870000-0x00007FF641C65000-memory.dmp

Filesize
4.0MB

Download
memory/4424-888-0x00007FF641870000-0x00007FF641C65000-memory.dmp

Filesize
4.0MB

Download
memory/4480-1931-0x00007FF70AF50000-0x00007FF70B345000-memory.dmp

Filesize
4.0MB

Download
memory/4480-899-0x00007FF70AF50000-0x00007FF70B345000-memory.dmp

Filesize
4.0MB

Download
memory/5064-1927-0x00007FF63D100000-0x00007FF63D4F5000-memory.dmp

Filesize
4.0MB

Download
memory/5064-896-0x00007FF63D100000-0x00007FF63D4F5000-memory.dmp

Filesize
4.0MB

Download
memory/5068-1932-0x00007FF7DFA10000-0x00007FF7DFE05000-memory.dmp

Filesize
4.0MB

Download
memory/5068-901-0x00007FF7DFA10000-0x00007FF7DFE05000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads