xmrig | b85271352eb5f3ac0504f19fa7317a0f4514df9dad93324f745e6ba8d17d989c

Analysis

max time kernel
118s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
Size

2.7MB
MD5

71ab4cebc945315b161f87fdb7693b60
SHA1

928a635d9c94fe45695ca12ed563b420b640563a
SHA256

b85271352eb5f3ac0504f19fa7317a0f4514df9dad93324f745e6ba8d17d989c
SHA512

5e08c7c2d83ee737544f96272b2610bf0c4d9c21618880e6bfe002a7c491ace58265b0a77e8c1d51a910bdf2f5a96e16ee12fb9d22f6ef18002be55d5d4e453f
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dz8MVyc5K1jiiJ0:N0GnJMOWPClFdx6e0EALKWVTffZiPAcr

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1960-0-0x00007FF68C110000-0x00007FF68C505000-memory.dmp	xmrig
behavioral2/files/0x0008000000023467-5.dat	xmrig
behavioral2/files/0x000700000002346f-9.dat	xmrig
behavioral2/files/0x000700000002346e-10.dat	xmrig
behavioral2/files/0x0007000000023470-21.dat	xmrig
behavioral2/files/0x0007000000023472-29.dat	xmrig
behavioral2/files/0x0007000000023474-41.dat	xmrig
behavioral2/files/0x0007000000023475-48.dat	xmrig
behavioral2/files/0x0007000000023476-53.dat	xmrig
behavioral2/files/0x0007000000023479-68.dat	xmrig
behavioral2/files/0x000700000002347a-73.dat	xmrig
behavioral2/files/0x000700000002347c-83.dat	xmrig
behavioral2/files/0x000700000002347e-93.dat	xmrig
behavioral2/files/0x0007000000023481-111.dat	xmrig
behavioral2/files/0x0007000000023488-140.dat	xmrig
behavioral2/files/0x000700000002348a-153.dat	xmrig
behavioral2/memory/1476-523-0x00007FF68F230000-0x00007FF68F625000-memory.dmp	xmrig
behavioral2/memory/4272-552-0x00007FF6C33C0000-0x00007FF6C37B5000-memory.dmp	xmrig
behavioral2/memory/836-568-0x00007FF64ABA0000-0x00007FF64AF95000-memory.dmp	xmrig
behavioral2/memory/4872-572-0x00007FF779150000-0x00007FF779545000-memory.dmp	xmrig
behavioral2/memory/1160-579-0x00007FF747EB0000-0x00007FF7482A5000-memory.dmp	xmrig
behavioral2/memory/4596-589-0x00007FF76D0A0000-0x00007FF76D495000-memory.dmp	xmrig
behavioral2/memory/920-597-0x00007FF68E800000-0x00007FF68EBF5000-memory.dmp	xmrig
behavioral2/memory/1096-586-0x00007FF77F8E0000-0x00007FF77FCD5000-memory.dmp	xmrig
behavioral2/memory/2912-585-0x00007FF77F8A0000-0x00007FF77FC95000-memory.dmp	xmrig
behavioral2/memory/3884-573-0x00007FF7D5D80000-0x00007FF7D6175000-memory.dmp	xmrig
behavioral2/memory/4220-603-0x00007FF71F1E0000-0x00007FF71F5D5000-memory.dmp	xmrig
behavioral2/memory/3184-608-0x00007FF77CE70000-0x00007FF77D265000-memory.dmp	xmrig
behavioral2/memory/544-611-0x00007FF7A8110000-0x00007FF7A8505000-memory.dmp	xmrig
behavioral2/memory/4636-618-0x00007FF63B1F0000-0x00007FF63B5E5000-memory.dmp	xmrig
behavioral2/memory/3736-614-0x00007FF72F520000-0x00007FF72F915000-memory.dmp	xmrig
behavioral2/memory/1436-630-0x00007FF76BF10000-0x00007FF76C305000-memory.dmp	xmrig
behavioral2/memory/868-636-0x00007FF7FF310000-0x00007FF7FF705000-memory.dmp	xmrig
behavioral2/memory/3416-643-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp	xmrig
behavioral2/memory/2352-657-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp	xmrig
behavioral2/memory/1904-659-0x00007FF659D10000-0x00007FF65A105000-memory.dmp	xmrig
behavioral2/memory/4568-627-0x00007FF779850000-0x00007FF779C45000-memory.dmp	xmrig
behavioral2/memory/840-559-0x00007FF733E10000-0x00007FF734205000-memory.dmp	xmrig
behavioral2/files/0x000700000002348c-163.dat	xmrig
behavioral2/files/0x000700000002348b-158.dat	xmrig
behavioral2/files/0x0007000000023489-148.dat	xmrig
behavioral2/files/0x0007000000023487-138.dat	xmrig
behavioral2/files/0x0007000000023486-133.dat	xmrig
behavioral2/files/0x0007000000023485-128.dat	xmrig
behavioral2/files/0x0007000000023484-123.dat	xmrig
behavioral2/files/0x0007000000023483-118.dat	xmrig
behavioral2/files/0x0007000000023482-116.dat	xmrig
behavioral2/files/0x0007000000023480-103.dat	xmrig
behavioral2/files/0x000700000002347f-99.dat	xmrig
behavioral2/files/0x000700000002347d-88.dat	xmrig
behavioral2/files/0x000700000002347b-81.dat	xmrig
behavioral2/files/0x0007000000023478-63.dat	xmrig
behavioral2/files/0x0007000000023477-58.dat	xmrig
behavioral2/files/0x0007000000023473-46.dat	xmrig
behavioral2/memory/1936-38-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	xmrig
behavioral2/files/0x0007000000023471-27.dat	xmrig
behavioral2/memory/2588-18-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp	xmrig
behavioral2/memory/1960-1928-0x00007FF68C110000-0x00007FF68C505000-memory.dmp	xmrig
behavioral2/memory/1936-1929-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	xmrig
behavioral2/memory/2588-1930-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp	xmrig
behavioral2/memory/3416-1931-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp	xmrig
behavioral2/memory/1936-1932-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	xmrig
behavioral2/memory/2352-1933-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp	xmrig
behavioral2/memory/1476-1934-0x00007FF68F230000-0x00007FF68F625000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2588	vIhZCdb.exe
3416	lZSrEzV.exe
1936	OMFKqOX.exe
2352	ZKhivZB.exe
1476	PdunXnt.exe
4272	dVrTMwM.exe
840	qRSuMTN.exe
1904	jdSusqW.exe
836	DvWdIUX.exe
4872	lxbkUEN.exe
3884	EkWFbJI.exe
1160	UfgZOsi.exe
2912	cneDGnl.exe
1096	wlNsHsH.exe
4596	kHAaySw.exe
920	fKvkcTv.exe
4220	IrhlGJF.exe
3184	ZkEULYD.exe
544	onUgtVg.exe
3736	VtMyhoh.exe
4636	BneNvhH.exe
4568	IqxKbSP.exe
1436	brieVSv.exe
868	QtJyvgl.exe
3196	ohDlwGl.exe
5108	ZvpnXUl.exe
3944	jgyLCwD.exe
1868	vhMGRvn.exe
4856	PAUnTZH.exe
3284	NoENHIt.exe
3784	HwkWchB.exe
4520	VPzAfae.exe
3380	nIFjCJq.exe
1992	sEyXMlk.exe
2232	qxmqbUD.exe
1744	adLRadn.exe
2000	Ligodvl.exe
784	VDPuUng.exe
3068	KvdfOGX.exe
3716	vlcLLTW.exe
224	DzOqAbf.exe
4408	cMAXusP.exe
2400	pTmzjwa.exe
3064	qihwWVD.exe
2160	QWhOdBy.exe
5052	UrJELbb.exe
5020	jNZRmPd.exe
3636	NUdzDJf.exe
756	oRnIKTj.exe
2020	UmQOryX.exe
1672	KUOjDJa.exe
3908	YNWHFPo.exe
5088	VVucxFo.exe
4208	dtwLHjf.exe
4776	tgcoUzO.exe
3780	NQiEpZL.exe
436	kiEYDRC.exe
5068	LdIbHiW.exe
2608	rmtXolF.exe
4380	RpyikIz.exe
4368	jSSXKIw.exe
4880	rCSWIld.exe
3376	SbAjhdq.exe
2204	HpgeEKx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1960-0-0x00007FF68C110000-0x00007FF68C505000-memory.dmp	upx
behavioral2/files/0x0008000000023467-5.dat	upx
behavioral2/files/0x000700000002346f-9.dat	upx
behavioral2/files/0x000700000002346e-10.dat	upx
behavioral2/files/0x0007000000023470-21.dat	upx
behavioral2/files/0x0007000000023472-29.dat	upx
behavioral2/files/0x0007000000023474-41.dat	upx
behavioral2/files/0x0007000000023475-48.dat	upx
behavioral2/files/0x0007000000023476-53.dat	upx
behavioral2/files/0x0007000000023479-68.dat	upx
behavioral2/files/0x000700000002347a-73.dat	upx
behavioral2/files/0x000700000002347c-83.dat	upx
behavioral2/files/0x000700000002347e-93.dat	upx
behavioral2/files/0x0007000000023481-111.dat	upx
behavioral2/files/0x0007000000023488-140.dat	upx
behavioral2/files/0x000700000002348a-153.dat	upx
behavioral2/memory/1476-523-0x00007FF68F230000-0x00007FF68F625000-memory.dmp	upx
behavioral2/memory/4272-552-0x00007FF6C33C0000-0x00007FF6C37B5000-memory.dmp	upx
behavioral2/memory/836-568-0x00007FF64ABA0000-0x00007FF64AF95000-memory.dmp	upx
behavioral2/memory/4872-572-0x00007FF779150000-0x00007FF779545000-memory.dmp	upx
behavioral2/memory/1160-579-0x00007FF747EB0000-0x00007FF7482A5000-memory.dmp	upx
behavioral2/memory/4596-589-0x00007FF76D0A0000-0x00007FF76D495000-memory.dmp	upx
behavioral2/memory/920-597-0x00007FF68E800000-0x00007FF68EBF5000-memory.dmp	upx
behavioral2/memory/1096-586-0x00007FF77F8E0000-0x00007FF77FCD5000-memory.dmp	upx
behavioral2/memory/2912-585-0x00007FF77F8A0000-0x00007FF77FC95000-memory.dmp	upx
behavioral2/memory/3884-573-0x00007FF7D5D80000-0x00007FF7D6175000-memory.dmp	upx
behavioral2/memory/4220-603-0x00007FF71F1E0000-0x00007FF71F5D5000-memory.dmp	upx
behavioral2/memory/3184-608-0x00007FF77CE70000-0x00007FF77D265000-memory.dmp	upx
behavioral2/memory/544-611-0x00007FF7A8110000-0x00007FF7A8505000-memory.dmp	upx
behavioral2/memory/4636-618-0x00007FF63B1F0000-0x00007FF63B5E5000-memory.dmp	upx
behavioral2/memory/3736-614-0x00007FF72F520000-0x00007FF72F915000-memory.dmp	upx
behavioral2/memory/1436-630-0x00007FF76BF10000-0x00007FF76C305000-memory.dmp	upx
behavioral2/memory/868-636-0x00007FF7FF310000-0x00007FF7FF705000-memory.dmp	upx
behavioral2/memory/3416-643-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp	upx
behavioral2/memory/2352-657-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp	upx
behavioral2/memory/1904-659-0x00007FF659D10000-0x00007FF65A105000-memory.dmp	upx
behavioral2/memory/4568-627-0x00007FF779850000-0x00007FF779C45000-memory.dmp	upx
behavioral2/memory/840-559-0x00007FF733E10000-0x00007FF734205000-memory.dmp	upx
behavioral2/files/0x000700000002348c-163.dat	upx
behavioral2/files/0x000700000002348b-158.dat	upx
behavioral2/files/0x0007000000023489-148.dat	upx
behavioral2/files/0x0007000000023487-138.dat	upx
behavioral2/files/0x0007000000023486-133.dat	upx
behavioral2/files/0x0007000000023485-128.dat	upx
behavioral2/files/0x0007000000023484-123.dat	upx
behavioral2/files/0x0007000000023483-118.dat	upx
behavioral2/files/0x0007000000023482-116.dat	upx
behavioral2/files/0x0007000000023480-103.dat	upx
behavioral2/files/0x000700000002347f-99.dat	upx
behavioral2/files/0x000700000002347d-88.dat	upx
behavioral2/files/0x000700000002347b-81.dat	upx
behavioral2/files/0x0007000000023478-63.dat	upx
behavioral2/files/0x0007000000023477-58.dat	upx
behavioral2/files/0x0007000000023473-46.dat	upx
behavioral2/memory/1936-38-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	upx
behavioral2/files/0x0007000000023471-27.dat	upx
behavioral2/memory/2588-18-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp	upx
behavioral2/memory/1960-1928-0x00007FF68C110000-0x00007FF68C505000-memory.dmp	upx
behavioral2/memory/1936-1929-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	upx
behavioral2/memory/2588-1930-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp	upx
behavioral2/memory/3416-1931-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp	upx
behavioral2/memory/1936-1932-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp	upx
behavioral2/memory/2352-1933-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp	upx
behavioral2/memory/1476-1934-0x00007FF68F230000-0x00007FF68F625000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\fwMLKfP.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\sogKNPz.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\tyAOSRr.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\onUgtVg.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\qxmqbUD.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\llvRORi.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\LSRDpXQ.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\xUpLYgk.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\lZSrEzV.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\uVEYNSP.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\hdbZHbk.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\yzOaKSM.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\QXFvMmN.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\qcgVcQc.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\FtmqxNk.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\OiLsKVb.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\WadXYas.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\hSnVWBz.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\vhMGRvn.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\iqkwSDb.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\sdrmVLV.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\CfTibkm.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\znnYjhE.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\yiuwEpn.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\oIhaYHm.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\RiUBugb.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\oqIFHdm.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\TlgHngf.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\jSSXKIw.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\tqxPtXt.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\jmWmCzR.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\AIEUqZW.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\wSKcLoo.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\eMuTvsd.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\UnalLAp.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\vlcLLTW.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\vuDAckg.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\tpPwBLC.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\hPXtYIS.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\lGpfizj.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\WnkzFQZ.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\MDfGuOo.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\YlvXrOM.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\NUdzDJf.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\ElOWnRX.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\mtUoqZs.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\lseJxDJ.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\SfRykQw.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\yPIfAnM.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\WDWqnPe.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\qHuyOQc.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\ZcgcuYM.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\gahGVQs.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\cdIdxHF.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\QWhOdBy.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\RHqfFug.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\yydFynZ.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\gQCqoja.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\bVWrTap.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\GdKNTGl.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\SbAjhdq.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\LHixHHB.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\ckqXwOY.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
File created	C:\Windows\System32\JOVGheo.exe	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2868	dwm.exe
Token: SeChangeNotifyPrivilege	2868	dwm.exe
Token: 33	2868	dwm.exe
Token: SeIncBasePriorityPrivilege	2868	dwm.exe
Token: SeShutdownPrivilege	2868	dwm.exe
Token: SeCreatePagefilePrivilege	2868	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2588	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	86
PID 1960 wrote to memory of 2588	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	86
PID 1960 wrote to memory of 3416	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	87
PID 1960 wrote to memory of 3416	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	87
PID 1960 wrote to memory of 1936	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	88
PID 1960 wrote to memory of 1936	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	88
PID 1960 wrote to memory of 2352	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	89
PID 1960 wrote to memory of 2352	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	89
PID 1960 wrote to memory of 1476	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	90
PID 1960 wrote to memory of 1476	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	90
PID 1960 wrote to memory of 4272	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	91
PID 1960 wrote to memory of 4272	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	91
PID 1960 wrote to memory of 840	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	92
PID 1960 wrote to memory of 840	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	92
PID 1960 wrote to memory of 1904	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	93
PID 1960 wrote to memory of 1904	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	93
PID 1960 wrote to memory of 836	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	94
PID 1960 wrote to memory of 836	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	94
PID 1960 wrote to memory of 4872	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	95
PID 1960 wrote to memory of 4872	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	95
PID 1960 wrote to memory of 3884	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	96
PID 1960 wrote to memory of 3884	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	96
PID 1960 wrote to memory of 1160	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	97
PID 1960 wrote to memory of 1160	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	97
PID 1960 wrote to memory of 2912	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	98
PID 1960 wrote to memory of 2912	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	98
PID 1960 wrote to memory of 1096	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	99
PID 1960 wrote to memory of 1096	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	99
PID 1960 wrote to memory of 4596	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	100
PID 1960 wrote to memory of 4596	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	100
PID 1960 wrote to memory of 920	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	101
PID 1960 wrote to memory of 920	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	101
PID 1960 wrote to memory of 4220	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	102
PID 1960 wrote to memory of 4220	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	102
PID 1960 wrote to memory of 3184	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	103
PID 1960 wrote to memory of 3184	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	103
PID 1960 wrote to memory of 544	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	104
PID 1960 wrote to memory of 544	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	104
PID 1960 wrote to memory of 3736	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	105
PID 1960 wrote to memory of 3736	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	105
PID 1960 wrote to memory of 4636	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	106
PID 1960 wrote to memory of 4636	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	106
PID 1960 wrote to memory of 4568	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	107
PID 1960 wrote to memory of 4568	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	107
PID 1960 wrote to memory of 1436	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	108
PID 1960 wrote to memory of 1436	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	108
PID 1960 wrote to memory of 868	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	109
PID 1960 wrote to memory of 868	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	109
PID 1960 wrote to memory of 3196	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	110
PID 1960 wrote to memory of 3196	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	110
PID 1960 wrote to memory of 5108	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	111
PID 1960 wrote to memory of 5108	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	111
PID 1960 wrote to memory of 3944	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	112
PID 1960 wrote to memory of 3944	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	112
PID 1960 wrote to memory of 1868	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	113
PID 1960 wrote to memory of 1868	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	113
PID 1960 wrote to memory of 4856	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	114
PID 1960 wrote to memory of 4856	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	114
PID 1960 wrote to memory of 3284	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	115
PID 1960 wrote to memory of 3284	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	115
PID 1960 wrote to memory of 3784	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	116
PID 1960 wrote to memory of 3784	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	116
PID 1960 wrote to memory of 4520	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	117
PID 1960 wrote to memory of 4520	1960	71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71ab4cebc945315b161f87fdb7693b60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\vIhZCdb.exe
  C:\Windows\System32\vIhZCdb.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\lZSrEzV.exe
  C:\Windows\System32\lZSrEzV.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\OMFKqOX.exe
  C:\Windows\System32\OMFKqOX.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System32\ZKhivZB.exe
  C:\Windows\System32\ZKhivZB.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\PdunXnt.exe
  C:\Windows\System32\PdunXnt.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System32\dVrTMwM.exe
  C:\Windows\System32\dVrTMwM.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\qRSuMTN.exe
  C:\Windows\System32\qRSuMTN.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\jdSusqW.exe
  C:\Windows\System32\jdSusqW.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\DvWdIUX.exe
  C:\Windows\System32\DvWdIUX.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System32\lxbkUEN.exe
  C:\Windows\System32\lxbkUEN.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\EkWFbJI.exe
  C:\Windows\System32\EkWFbJI.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\UfgZOsi.exe
  C:\Windows\System32\UfgZOsi.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\cneDGnl.exe
  C:\Windows\System32\cneDGnl.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\wlNsHsH.exe
  C:\Windows\System32\wlNsHsH.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\kHAaySw.exe
  C:\Windows\System32\kHAaySw.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\fKvkcTv.exe
  C:\Windows\System32\fKvkcTv.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\IrhlGJF.exe
  C:\Windows\System32\IrhlGJF.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\ZkEULYD.exe
  C:\Windows\System32\ZkEULYD.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\onUgtVg.exe
  C:\Windows\System32\onUgtVg.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\VtMyhoh.exe
  C:\Windows\System32\VtMyhoh.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\BneNvhH.exe
  C:\Windows\System32\BneNvhH.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\IqxKbSP.exe
  C:\Windows\System32\IqxKbSP.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\brieVSv.exe
  C:\Windows\System32\brieVSv.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\QtJyvgl.exe
  C:\Windows\System32\QtJyvgl.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\ohDlwGl.exe
  C:\Windows\System32\ohDlwGl.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\ZvpnXUl.exe
  C:\Windows\System32\ZvpnXUl.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\jgyLCwD.exe
  C:\Windows\System32\jgyLCwD.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\vhMGRvn.exe
  C:\Windows\System32\vhMGRvn.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\PAUnTZH.exe
  C:\Windows\System32\PAUnTZH.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\NoENHIt.exe
  C:\Windows\System32\NoENHIt.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\HwkWchB.exe
  C:\Windows\System32\HwkWchB.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\VPzAfae.exe
  C:\Windows\System32\VPzAfae.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\nIFjCJq.exe
  C:\Windows\System32\nIFjCJq.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\sEyXMlk.exe
  C:\Windows\System32\sEyXMlk.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\qxmqbUD.exe
  C:\Windows\System32\qxmqbUD.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\adLRadn.exe
  C:\Windows\System32\adLRadn.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\Ligodvl.exe
  C:\Windows\System32\Ligodvl.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\VDPuUng.exe
  C:\Windows\System32\VDPuUng.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System32\KvdfOGX.exe
  C:\Windows\System32\KvdfOGX.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\vlcLLTW.exe
  C:\Windows\System32\vlcLLTW.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\DzOqAbf.exe
  C:\Windows\System32\DzOqAbf.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\cMAXusP.exe
  C:\Windows\System32\cMAXusP.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\pTmzjwa.exe
  C:\Windows\System32\pTmzjwa.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\qihwWVD.exe
  C:\Windows\System32\qihwWVD.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\QWhOdBy.exe
  C:\Windows\System32\QWhOdBy.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\UrJELbb.exe
  C:\Windows\System32\UrJELbb.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\jNZRmPd.exe
  C:\Windows\System32\jNZRmPd.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\NUdzDJf.exe
  C:\Windows\System32\NUdzDJf.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\oRnIKTj.exe
  C:\Windows\System32\oRnIKTj.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\UmQOryX.exe
  C:\Windows\System32\UmQOryX.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\KUOjDJa.exe
  C:\Windows\System32\KUOjDJa.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\YNWHFPo.exe
  C:\Windows\System32\YNWHFPo.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\VVucxFo.exe
  C:\Windows\System32\VVucxFo.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\dtwLHjf.exe
  C:\Windows\System32\dtwLHjf.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\tgcoUzO.exe
  C:\Windows\System32\tgcoUzO.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\NQiEpZL.exe
  C:\Windows\System32\NQiEpZL.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\kiEYDRC.exe
  C:\Windows\System32\kiEYDRC.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\LdIbHiW.exe
  C:\Windows\System32\LdIbHiW.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\rmtXolF.exe
  C:\Windows\System32\rmtXolF.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\RpyikIz.exe
  C:\Windows\System32\RpyikIz.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\jSSXKIw.exe
  C:\Windows\System32\jSSXKIw.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\rCSWIld.exe
  C:\Windows\System32\rCSWIld.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\SbAjhdq.exe
  C:\Windows\System32\SbAjhdq.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\HpgeEKx.exe
  C:\Windows\System32\HpgeEKx.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\iTWsHzI.exe
  C:\Windows\System32\iTWsHzI.exe
  2⤵
  PID:1820
- C:\Windows\System32\RRaHBmi.exe
  C:\Windows\System32\RRaHBmi.exe
  2⤵
  PID:2936
- C:\Windows\System32\wpnvQCH.exe
  C:\Windows\System32\wpnvQCH.exe
  2⤵
  PID:3040
- C:\Windows\System32\SpvIPgW.exe
  C:\Windows\System32\SpvIPgW.exe
  2⤵
  PID:5136
- C:\Windows\System32\VKkfyKf.exe
  C:\Windows\System32\VKkfyKf.exe
  2⤵
  PID:5164
- C:\Windows\System32\EUhlyQJ.exe
  C:\Windows\System32\EUhlyQJ.exe
  2⤵
  PID:5192
- C:\Windows\System32\tqxPtXt.exe
  C:\Windows\System32\tqxPtXt.exe
  2⤵
  PID:5220
- C:\Windows\System32\DBEJYgT.exe
  C:\Windows\System32\DBEJYgT.exe
  2⤵
  PID:5248
- C:\Windows\System32\Txwwavv.exe
  C:\Windows\System32\Txwwavv.exe
  2⤵
  PID:5288
- C:\Windows\System32\meyClVB.exe
  C:\Windows\System32\meyClVB.exe
  2⤵
  PID:5304
- C:\Windows\System32\mjNMFte.exe
  C:\Windows\System32\mjNMFte.exe
  2⤵
  PID:5332
- C:\Windows\System32\yyzFbcQ.exe
  C:\Windows\System32\yyzFbcQ.exe
  2⤵
  PID:5360
- C:\Windows\System32\FhVEEGZ.exe
  C:\Windows\System32\FhVEEGZ.exe
  2⤵
  PID:5388
- C:\Windows\System32\sdrmVLV.exe
  C:\Windows\System32\sdrmVLV.exe
  2⤵
  PID:5416
- C:\Windows\System32\qHuyOQc.exe
  C:\Windows\System32\qHuyOQc.exe
  2⤵
  PID:5444
- C:\Windows\System32\uiRjyAe.exe
  C:\Windows\System32\uiRjyAe.exe
  2⤵
  PID:5472
- C:\Windows\System32\iqkwSDb.exe
  C:\Windows\System32\iqkwSDb.exe
  2⤵
  PID:5500
- C:\Windows\System32\zMeiVCj.exe
  C:\Windows\System32\zMeiVCj.exe
  2⤵
  PID:5528
- C:\Windows\System32\PKlATHh.exe
  C:\Windows\System32\PKlATHh.exe
  2⤵
  PID:5556
- C:\Windows\System32\UiTJRwg.exe
  C:\Windows\System32\UiTJRwg.exe
  2⤵
  PID:5584
- C:\Windows\System32\sWcRXko.exe
  C:\Windows\System32\sWcRXko.exe
  2⤵
  PID:5612
- C:\Windows\System32\YkWFARE.exe
  C:\Windows\System32\YkWFARE.exe
  2⤵
  PID:5640
- C:\Windows\System32\noJFOXq.exe
  C:\Windows\System32\noJFOXq.exe
  2⤵
  PID:5664
- C:\Windows\System32\QhQxgmu.exe
  C:\Windows\System32\QhQxgmu.exe
  2⤵
  PID:5696
- C:\Windows\System32\KUpOWeL.exe
  C:\Windows\System32\KUpOWeL.exe
  2⤵
  PID:5724
- C:\Windows\System32\ZoCXfnS.exe
  C:\Windows\System32\ZoCXfnS.exe
  2⤵
  PID:5752
- C:\Windows\System32\igwYDGC.exe
  C:\Windows\System32\igwYDGC.exe
  2⤵
  PID:5780
- C:\Windows\System32\XkPvGkD.exe
  C:\Windows\System32\XkPvGkD.exe
  2⤵
  PID:5808
- C:\Windows\System32\PlPaXQi.exe
  C:\Windows\System32\PlPaXQi.exe
  2⤵
  PID:5836
- C:\Windows\System32\rxmlVQE.exe
  C:\Windows\System32\rxmlVQE.exe
  2⤵
  PID:5864
- C:\Windows\System32\totXrQz.exe
  C:\Windows\System32\totXrQz.exe
  2⤵
  PID:5892
- C:\Windows\System32\KGBfdlb.exe
  C:\Windows\System32\KGBfdlb.exe
  2⤵
  PID:5920
- C:\Windows\System32\gMJMHwr.exe
  C:\Windows\System32\gMJMHwr.exe
  2⤵
  PID:5948
- C:\Windows\System32\zxPEaiG.exe
  C:\Windows\System32\zxPEaiG.exe
  2⤵
  PID:5976
- C:\Windows\System32\zQszOHQ.exe
  C:\Windows\System32\zQszOHQ.exe
  2⤵
  PID:6000
- C:\Windows\System32\RUtlJpI.exe
  C:\Windows\System32\RUtlJpI.exe
  2⤵
  PID:6032
- C:\Windows\System32\nDwGfXW.exe
  C:\Windows\System32\nDwGfXW.exe
  2⤵
  PID:6060
- C:\Windows\System32\DzpfWYF.exe
  C:\Windows\System32\DzpfWYF.exe
  2⤵
  PID:6096
- C:\Windows\System32\FeJJsSW.exe
  C:\Windows\System32\FeJJsSW.exe
  2⤵
  PID:6116
- C:\Windows\System32\LHixHHB.exe
  C:\Windows\System32\LHixHHB.exe
  2⤵
  PID:1620
- C:\Windows\System32\QXFvMmN.exe
  C:\Windows\System32\QXFvMmN.exe
  2⤵
  PID:2080
- C:\Windows\System32\ibpfWmO.exe
  C:\Windows\System32\ibpfWmO.exe
  2⤵
  PID:2916
- C:\Windows\System32\RZcQHJk.exe
  C:\Windows\System32\RZcQHJk.exe
  2⤵
  PID:4512
- C:\Windows\System32\VPJJoJw.exe
  C:\Windows\System32\VPJJoJw.exe
  2⤵
  PID:1028
- C:\Windows\System32\lyITwaH.exe
  C:\Windows\System32\lyITwaH.exe
  2⤵
  PID:752
- C:\Windows\System32\JKETOar.exe
  C:\Windows\System32\JKETOar.exe
  2⤵
  PID:5212
- C:\Windows\System32\ryaIyfi.exe
  C:\Windows\System32\ryaIyfi.exe
  2⤵
  PID:5260
- C:\Windows\System32\loKwbqx.exe
  C:\Windows\System32\loKwbqx.exe
  2⤵
  PID:5324
- C:\Windows\System32\WMeSSPx.exe
  C:\Windows\System32\WMeSSPx.exe
  2⤵
  PID:5396
- C:\Windows\System32\mHFABvw.exe
  C:\Windows\System32\mHFABvw.exe
  2⤵
  PID:5452
- C:\Windows\System32\wkfeBWg.exe
  C:\Windows\System32\wkfeBWg.exe
  2⤵
  PID:5508
- C:\Windows\System32\JqolRxv.exe
  C:\Windows\System32\JqolRxv.exe
  2⤵
  PID:5592
- C:\Windows\System32\iHDmnkr.exe
  C:\Windows\System32\iHDmnkr.exe
  2⤵
  PID:5652
- C:\Windows\System32\kHQkMIg.exe
  C:\Windows\System32\kHQkMIg.exe
  2⤵
  PID:5708
- C:\Windows\System32\VbILOrr.exe
  C:\Windows\System32\VbILOrr.exe
  2⤵
  PID:5772
- C:\Windows\System32\EdyTbmp.exe
  C:\Windows\System32\EdyTbmp.exe
  2⤵
  PID:5856
- C:\Windows\System32\CfTibkm.exe
  C:\Windows\System32\CfTibkm.exe
  2⤵
  PID:5912
- C:\Windows\System32\llvRORi.exe
  C:\Windows\System32\llvRORi.exe
  2⤵
  PID:5984
- C:\Windows\System32\vdsevLT.exe
  C:\Windows\System32\vdsevLT.exe
  2⤵
  PID:6044
- C:\Windows\System32\ZKWgSAZ.exe
  C:\Windows\System32\ZKWgSAZ.exe
  2⤵
  PID:6104
- C:\Windows\System32\zlemCJl.exe
  C:\Windows\System32\zlemCJl.exe
  2⤵
  PID:4488
- C:\Windows\System32\ZlmiTVb.exe
  C:\Windows\System32\ZlmiTVb.exe
  2⤵
  PID:2420
- C:\Windows\System32\jYDSzhM.exe
  C:\Windows\System32\jYDSzhM.exe
  2⤵
  PID:5148
- C:\Windows\System32\NUsPdKK.exe
  C:\Windows\System32\NUsPdKK.exe
  2⤵
  PID:5372
- C:\Windows\System32\JMWMgIe.exe
  C:\Windows\System32\JMWMgIe.exe
  2⤵
  PID:5484
- C:\Windows\System32\znnYjhE.exe
  C:\Windows\System32\znnYjhE.exe
  2⤵
  PID:5604
- C:\Windows\System32\tBhzbjE.exe
  C:\Windows\System32\tBhzbjE.exe
  2⤵
  PID:5792
- C:\Windows\System32\QpoCJhy.exe
  C:\Windows\System32\QpoCJhy.exe
  2⤵
  PID:2164
- C:\Windows\System32\mJSnPuP.exe
  C:\Windows\System32\mJSnPuP.exe
  2⤵
  PID:6080
- C:\Windows\System32\BrSEvux.exe
  C:\Windows\System32\BrSEvux.exe
  2⤵
  PID:6152
- C:\Windows\System32\EnyaFSW.exe
  C:\Windows\System32\EnyaFSW.exe
  2⤵
  PID:6180
- C:\Windows\System32\TIfLRnn.exe
  C:\Windows\System32\TIfLRnn.exe
  2⤵
  PID:6208
- C:\Windows\System32\dcFNUcH.exe
  C:\Windows\System32\dcFNUcH.exe
  2⤵
  PID:6236
- C:\Windows\System32\ZgUgsDn.exe
  C:\Windows\System32\ZgUgsDn.exe
  2⤵
  PID:6260
- C:\Windows\System32\cFlrlzv.exe
  C:\Windows\System32\cFlrlzv.exe
  2⤵
  PID:6300
- C:\Windows\System32\WJwOKre.exe
  C:\Windows\System32\WJwOKre.exe
  2⤵
  PID:6320
- C:\Windows\System32\uhoGsib.exe
  C:\Windows\System32\uhoGsib.exe
  2⤵
  PID:6360
- C:\Windows\System32\KukNqdK.exe
  C:\Windows\System32\KukNqdK.exe
  2⤵
  PID:6376
- C:\Windows\System32\BFWABpl.exe
  C:\Windows\System32\BFWABpl.exe
  2⤵
  PID:6404
- C:\Windows\System32\AtHKxAX.exe
  C:\Windows\System32\AtHKxAX.exe
  2⤵
  PID:6432
- C:\Windows\System32\quHdRbm.exe
  C:\Windows\System32\quHdRbm.exe
  2⤵
  PID:6456
- C:\Windows\System32\MCXLkRd.exe
  C:\Windows\System32\MCXLkRd.exe
  2⤵
  PID:6488
- C:\Windows\System32\RHqfFug.exe
  C:\Windows\System32\RHqfFug.exe
  2⤵
  PID:6512
- C:\Windows\System32\wShXpCc.exe
  C:\Windows\System32\wShXpCc.exe
  2⤵
  PID:6544
- C:\Windows\System32\HYupYbi.exe
  C:\Windows\System32\HYupYbi.exe
  2⤵
  PID:6568
- C:\Windows\System32\lTxgXHW.exe
  C:\Windows\System32\lTxgXHW.exe
  2⤵
  PID:6600
- C:\Windows\System32\TpmVCeg.exe
  C:\Windows\System32\TpmVCeg.exe
  2⤵
  PID:6628
- C:\Windows\System32\awfsWJW.exe
  C:\Windows\System32\awfsWJW.exe
  2⤵
  PID:6652
- C:\Windows\System32\gehsYsx.exe
  C:\Windows\System32\gehsYsx.exe
  2⤵
  PID:6680
- C:\Windows\System32\BQHKsSM.exe
  C:\Windows\System32\BQHKsSM.exe
  2⤵
  PID:6956
- C:\Windows\System32\nOuBIYw.exe
  C:\Windows\System32\nOuBIYw.exe
  2⤵
  PID:6996
- C:\Windows\System32\HfASRgE.exe
  C:\Windows\System32\HfASRgE.exe
  2⤵
  PID:7016
- C:\Windows\System32\vuDAckg.exe
  C:\Windows\System32\vuDAckg.exe
  2⤵
  PID:7044
- C:\Windows\System32\JGaxCfw.exe
  C:\Windows\System32\JGaxCfw.exe
  2⤵
  PID:7072
- C:\Windows\System32\YdAJlIl.exe
  C:\Windows\System32\YdAJlIl.exe
  2⤵
  PID:7100
- C:\Windows\System32\OLDiQpK.exe
  C:\Windows\System32\OLDiQpK.exe
  2⤵
  PID:7128
- C:\Windows\System32\yVYHvCN.exe
  C:\Windows\System32\yVYHvCN.exe
  2⤵
  PID:7156
- C:\Windows\System32\tpPwBLC.exe
  C:\Windows\System32\tpPwBLC.exe
  2⤵
  PID:5176
- C:\Windows\System32\AUqbpWP.exe
  C:\Windows\System32\AUqbpWP.exe
  2⤵
  PID:5408
- C:\Windows\System32\qAZXcDJ.exe
  C:\Windows\System32\qAZXcDJ.exe
  2⤵
  PID:5716
- C:\Windows\System32\xxUDWcZ.exe
  C:\Windows\System32\xxUDWcZ.exe
  2⤵
  PID:5876
- C:\Windows\System32\yydFynZ.exe
  C:\Windows\System32\yydFynZ.exe
  2⤵
  PID:6172
- C:\Windows\System32\hJkNKTQ.exe
  C:\Windows\System32\hJkNKTQ.exe
  2⤵
  PID:1788
- C:\Windows\System32\ufhTJcu.exe
  C:\Windows\System32\ufhTJcu.exe
  2⤵
  PID:6332
- C:\Windows\System32\SQbgzWf.exe
  C:\Windows\System32\SQbgzWf.exe
  2⤵
  PID:6388
- C:\Windows\System32\jthqfYn.exe
  C:\Windows\System32\jthqfYn.exe
  2⤵
  PID:6464
- C:\Windows\System32\oeOJhWI.exe
  C:\Windows\System32\oeOJhWI.exe
  2⤵
  PID:6608
- C:\Windows\System32\ZNkvdrE.exe
  C:\Windows\System32\ZNkvdrE.exe
  2⤵
  PID:380
- C:\Windows\System32\hPXtYIS.exe
  C:\Windows\System32\hPXtYIS.exe
  2⤵
  PID:4800
- C:\Windows\System32\jZWnRfT.exe
  C:\Windows\System32\jZWnRfT.exe
  2⤵
  PID:2524
- C:\Windows\System32\lklBsBT.exe
  C:\Windows\System32\lklBsBT.exe
  2⤵
  PID:3872
- C:\Windows\System32\JuaBIXd.exe
  C:\Windows\System32\JuaBIXd.exe
  2⤵
  PID:4504
- C:\Windows\System32\YszBUcY.exe
  C:\Windows\System32\YszBUcY.exe
  2⤵
  PID:4452
- C:\Windows\System32\majVpFP.exe
  C:\Windows\System32\majVpFP.exe
  2⤵
  PID:4864
- C:\Windows\System32\xTMZkMp.exe
  C:\Windows\System32\xTMZkMp.exe
  2⤵
  PID:4024
- C:\Windows\System32\YbxFBVz.exe
  C:\Windows\System32\YbxFBVz.exe
  2⤵
  PID:3648
- C:\Windows\System32\HlPAvjt.exe
  C:\Windows\System32\HlPAvjt.exe
  2⤵
  PID:3448
- C:\Windows\System32\bTaSTPS.exe
  C:\Windows\System32\bTaSTPS.exe
  2⤵
  PID:6732
- C:\Windows\System32\yiuwEpn.exe
  C:\Windows\System32\yiuwEpn.exe
  2⤵
  PID:6752
- C:\Windows\System32\GVpCuPp.exe
  C:\Windows\System32\GVpCuPp.exe
  2⤵
  PID:6800
- C:\Windows\System32\RsktOGK.exe
  C:\Windows\System32\RsktOGK.exe
  2⤵
  PID:6816
- C:\Windows\System32\ZwNiJYM.exe
  C:\Windows\System32\ZwNiJYM.exe
  2⤵
  PID:6836
- C:\Windows\System32\KLQVfKQ.exe
  C:\Windows\System32\KLQVfKQ.exe
  2⤵
  PID:6856
- C:\Windows\System32\moowbPI.exe
  C:\Windows\System32\moowbPI.exe
  2⤵
  PID:6872
- C:\Windows\System32\eTCMgPv.exe
  C:\Windows\System32\eTCMgPv.exe
  2⤵
  PID:6888
- C:\Windows\System32\UUrDaGF.exe
  C:\Windows\System32\UUrDaGF.exe
  2⤵
  PID:6908
- C:\Windows\System32\VNdjFzO.exe
  C:\Windows\System32\VNdjFzO.exe
  2⤵
  PID:6668
- C:\Windows\System32\XFpoziU.exe
  C:\Windows\System32\XFpoziU.exe
  2⤵
  PID:4876
- C:\Windows\System32\lZoJPIw.exe
  C:\Windows\System32\lZoJPIw.exe
  2⤵
  PID:3640
- C:\Windows\System32\tErYPUF.exe
  C:\Windows\System32\tErYPUF.exe
  2⤵
  PID:2136
- C:\Windows\System32\xHDjEQA.exe
  C:\Windows\System32\xHDjEQA.exe
  2⤵
  PID:220
- C:\Windows\System32\HxzrXMz.exe
  C:\Windows\System32\HxzrXMz.exe
  2⤵
  PID:6128
- C:\Windows\System32\izpHlzl.exe
  C:\Windows\System32\izpHlzl.exe
  2⤵
  PID:6424
- C:\Windows\System32\bchVTbK.exe
  C:\Windows\System32\bchVTbK.exe
  2⤵
  PID:6412
- C:\Windows\System32\oIhaYHm.exe
  C:\Windows\System32\oIhaYHm.exe
  2⤵
  PID:4544
- C:\Windows\System32\BCNVXyd.exe
  C:\Windows\System32\BCNVXyd.exe
  2⤵
  PID:948
- C:\Windows\System32\zDrMlIn.exe
  C:\Windows\System32\zDrMlIn.exe
  2⤵
  PID:2620
- C:\Windows\System32\kSzxLpT.exe
  C:\Windows\System32\kSzxLpT.exe
  2⤵
  PID:3824
- C:\Windows\System32\JppaZIS.exe
  C:\Windows\System32\JppaZIS.exe
  2⤵
  PID:2976
- C:\Windows\System32\uxcNZRl.exe
  C:\Windows\System32\uxcNZRl.exe
  2⤵
  PID:3952
- C:\Windows\System32\GkznBWn.exe
  C:\Windows\System32\GkznBWn.exe
  2⤵
  PID:1164
- C:\Windows\System32\IgbSvZA.exe
  C:\Windows\System32\IgbSvZA.exe
  2⤵
  PID:3708
- C:\Windows\System32\yDkHnRa.exe
  C:\Windows\System32\yDkHnRa.exe
  2⤵
  PID:4556
- C:\Windows\System32\NPSRFOu.exe
  C:\Windows\System32\NPSRFOu.exe
  2⤵
  PID:6660
- C:\Windows\System32\LazPceh.exe
  C:\Windows\System32\LazPceh.exe
  2⤵
  PID:6740
- C:\Windows\System32\MPxINNF.exe
  C:\Windows\System32\MPxINNF.exe
  2⤵
  PID:6864
- C:\Windows\System32\eXTGVWm.exe
  C:\Windows\System32\eXTGVWm.exe
  2⤵
  PID:6924
- C:\Windows\System32\qcgVcQc.exe
  C:\Windows\System32\qcgVcQc.exe
  2⤵
  PID:2024
- C:\Windows\System32\VdNkfLX.exe
  C:\Windows\System32\VdNkfLX.exe
  2⤵
  PID:7148
- C:\Windows\System32\zuXCiQs.exe
  C:\Windows\System32\zuXCiQs.exe
  2⤵
  PID:2076
- C:\Windows\System32\xTkHsQv.exe
  C:\Windows\System32\xTkHsQv.exe
  2⤵
  PID:3892
- C:\Windows\System32\LNHnGkb.exe
  C:\Windows\System32\LNHnGkb.exe
  2⤵
  PID:4584
- C:\Windows\System32\UmvIMNr.exe
  C:\Windows\System32\UmvIMNr.exe
  2⤵
  PID:1604
- C:\Windows\System32\fSzdeVR.exe
  C:\Windows\System32\fSzdeVR.exe
  2⤵
  PID:2800
- C:\Windows\System32\Mfwavjv.exe
  C:\Windows\System32\Mfwavjv.exe
  2⤵
  PID:3924
- C:\Windows\System32\xrLyvSQ.exe
  C:\Windows\System32\xrLyvSQ.exe
  2⤵
  PID:6848
- C:\Windows\System32\VYUOycg.exe
  C:\Windows\System32\VYUOycg.exe
  2⤵
  PID:4932
- C:\Windows\System32\ZcgcuYM.exe
  C:\Windows\System32\ZcgcuYM.exe
  2⤵
  PID:7108
- C:\Windows\System32\RiUBugb.exe
  C:\Windows\System32\RiUBugb.exe
  2⤵
  PID:1572
- C:\Windows\System32\FAhURKo.exe
  C:\Windows\System32\FAhURKo.exe
  2⤵
  PID:6852
- C:\Windows\System32\lGpfizj.exe
  C:\Windows\System32\lGpfizj.exe
  2⤵
  PID:3200
- C:\Windows\System32\izIAppr.exe
  C:\Windows\System32\izIAppr.exe
  2⤵
  PID:3968
- C:\Windows\System32\EMsHiGc.exe
  C:\Windows\System32\EMsHiGc.exe
  2⤵
  PID:7184
- C:\Windows\System32\LALihYl.exe
  C:\Windows\System32\LALihYl.exe
  2⤵
  PID:7212
- C:\Windows\System32\XbkhHNy.exe
  C:\Windows\System32\XbkhHNy.exe
  2⤵
  PID:7256
- C:\Windows\System32\DDrNCiS.exe
  C:\Windows\System32\DDrNCiS.exe
  2⤵
  PID:7284
- C:\Windows\System32\tlwiPIr.exe
  C:\Windows\System32\tlwiPIr.exe
  2⤵
  PID:7320
- C:\Windows\System32\IiIRUBF.exe
  C:\Windows\System32\IiIRUBF.exe
  2⤵
  PID:7364
- C:\Windows\System32\pSLYlqZ.exe
  C:\Windows\System32\pSLYlqZ.exe
  2⤵
  PID:7392
- C:\Windows\System32\DautVTC.exe
  C:\Windows\System32\DautVTC.exe
  2⤵
  PID:7432
- C:\Windows\System32\yKsOIJS.exe
  C:\Windows\System32\yKsOIJS.exe
  2⤵
  PID:7452
- C:\Windows\System32\WnkzFQZ.exe
  C:\Windows\System32\WnkzFQZ.exe
  2⤵
  PID:7480
- C:\Windows\System32\ogzChnv.exe
  C:\Windows\System32\ogzChnv.exe
  2⤵
  PID:7508
- C:\Windows\System32\CxaJXHf.exe
  C:\Windows\System32\CxaJXHf.exe
  2⤵
  PID:7544
- C:\Windows\System32\wCnbSeM.exe
  C:\Windows\System32\wCnbSeM.exe
  2⤵
  PID:7576
- C:\Windows\System32\wHGdTlj.exe
  C:\Windows\System32\wHGdTlj.exe
  2⤵
  PID:7616
- C:\Windows\System32\Tgemmdf.exe
  C:\Windows\System32\Tgemmdf.exe
  2⤵
  PID:7660
- C:\Windows\System32\OUAJvPE.exe
  C:\Windows\System32\OUAJvPE.exe
  2⤵
  PID:7684
- C:\Windows\System32\GYpkQuP.exe
  C:\Windows\System32\GYpkQuP.exe
  2⤵
  PID:7716
- C:\Windows\System32\EoLPnnH.exe
  C:\Windows\System32\EoLPnnH.exe
  2⤵
  PID:7748
- C:\Windows\System32\uRPpsgZ.exe
  C:\Windows\System32\uRPpsgZ.exe
  2⤵
  PID:7780
- C:\Windows\System32\gyrvepo.exe
  C:\Windows\System32\gyrvepo.exe
  2⤵
  PID:7808
- C:\Windows\System32\krOLMis.exe
  C:\Windows\System32\krOLMis.exe
  2⤵
  PID:7836
- C:\Windows\System32\rQNQKgE.exe
  C:\Windows\System32\rQNQKgE.exe
  2⤵
  PID:7872
- C:\Windows\System32\FVrmEKW.exe
  C:\Windows\System32\FVrmEKW.exe
  2⤵
  PID:7920
- C:\Windows\System32\VuYXOMQ.exe
  C:\Windows\System32\VuYXOMQ.exe
  2⤵
  PID:7940
- C:\Windows\System32\UbYMwhq.exe
  C:\Windows\System32\UbYMwhq.exe
  2⤵
  PID:7968
- C:\Windows\System32\oqIFHdm.exe
  C:\Windows\System32\oqIFHdm.exe
  2⤵
  PID:7996
- C:\Windows\System32\MDfGuOo.exe
  C:\Windows\System32\MDfGuOo.exe
  2⤵
  PID:8024
- C:\Windows\System32\poinTDr.exe
  C:\Windows\System32\poinTDr.exe
  2⤵
  PID:8044
- C:\Windows\System32\gahGVQs.exe
  C:\Windows\System32\gahGVQs.exe
  2⤵
  PID:8060
- C:\Windows\System32\HstQOrB.exe
  C:\Windows\System32\HstQOrB.exe
  2⤵
  PID:8076
- C:\Windows\System32\TubZWae.exe
  C:\Windows\System32\TubZWae.exe
  2⤵
  PID:8116
- C:\Windows\System32\NgIYvNc.exe
  C:\Windows\System32\NgIYvNc.exe
  2⤵
  PID:8168
- C:\Windows\System32\EUprxzu.exe
  C:\Windows\System32\EUprxzu.exe
  2⤵
  PID:7180
- C:\Windows\System32\zugpNmk.exe
  C:\Windows\System32\zugpNmk.exe
  2⤵
  PID:7244
- C:\Windows\System32\RAvWwBF.exe
  C:\Windows\System32\RAvWwBF.exe
  2⤵
  PID:7348
- C:\Windows\System32\aIWgnrD.exe
  C:\Windows\System32\aIWgnrD.exe
  2⤵
  PID:7416
- C:\Windows\System32\VLfgqHT.exe
  C:\Windows\System32\VLfgqHT.exe
  2⤵
  PID:7504
- C:\Windows\System32\PigWWyF.exe
  C:\Windows\System32\PigWWyF.exe
  2⤵
  PID:7584
- C:\Windows\System32\DjwExDs.exe
  C:\Windows\System32\DjwExDs.exe
  2⤵
  PID:5300
- C:\Windows\System32\OyamcAx.exe
  C:\Windows\System32\OyamcAx.exe
  2⤵
  PID:7804
- C:\Windows\System32\Nglgqjv.exe
  C:\Windows\System32\Nglgqjv.exe
  2⤵
  PID:7848
- C:\Windows\System32\MWpajVI.exe
  C:\Windows\System32\MWpajVI.exe
  2⤵
  PID:7864
- C:\Windows\System32\ZeaYufu.exe
  C:\Windows\System32\ZeaYufu.exe
  2⤵
  PID:7408
- C:\Windows\System32\AWExuEi.exe
  C:\Windows\System32\AWExuEi.exe
  2⤵
  PID:7964
- C:\Windows\System32\DtloBkj.exe
  C:\Windows\System32\DtloBkj.exe
  2⤵
  PID:6648
- C:\Windows\System32\RHIPycb.exe
  C:\Windows\System32\RHIPycb.exe
  2⤵
  PID:8068
- C:\Windows\System32\BzlidIM.exe
  C:\Windows\System32\BzlidIM.exe
  2⤵
  PID:8188
- C:\Windows\System32\MOGhvlk.exe
  C:\Windows\System32\MOGhvlk.exe
  2⤵
  PID:7280
- C:\Windows\System32\mdxZFKV.exe
  C:\Windows\System32\mdxZFKV.exe
  2⤵
  PID:7448
- C:\Windows\System32\EduiuzE.exe
  C:\Windows\System32\EduiuzE.exe
  2⤵
  PID:7760
- C:\Windows\System32\qgjvmcO.exe
  C:\Windows\System32\qgjvmcO.exe
  2⤵
  PID:7344
- C:\Windows\System32\aOaFkzG.exe
  C:\Windows\System32\aOaFkzG.exe
  2⤵
  PID:6480
- C:\Windows\System32\zlVvKFO.exe
  C:\Windows\System32\zlVvKFO.exe
  2⤵
  PID:8052
- C:\Windows\System32\EtbCigP.exe
  C:\Windows\System32\EtbCigP.exe
  2⤵
  PID:7376
- C:\Windows\System32\NCbOsAF.exe
  C:\Windows\System32\NCbOsAF.exe
  2⤵
  PID:2864
- C:\Windows\System32\BPksBls.exe
  C:\Windows\System32\BPksBls.exe
  2⤵
  PID:8020
- C:\Windows\System32\jmWmCzR.exe
  C:\Windows\System32\jmWmCzR.exe
  2⤵
  PID:7824
- C:\Windows\System32\woUwhfN.exe
  C:\Windows\System32\woUwhfN.exe
  2⤵
  PID:6844
- C:\Windows\System32\buUgpZZ.exe
  C:\Windows\System32\buUgpZZ.exe
  2⤵
  PID:8208
- C:\Windows\System32\aaRcFoU.exe
  C:\Windows\System32\aaRcFoU.exe
  2⤵
  PID:8240
- C:\Windows\System32\KUPSKih.exe
  C:\Windows\System32\KUPSKih.exe
  2⤵
  PID:8264
- C:\Windows\System32\bTYKGnA.exe
  C:\Windows\System32\bTYKGnA.exe
  2⤵
  PID:8292
- C:\Windows\System32\xwfFsbx.exe
  C:\Windows\System32\xwfFsbx.exe
  2⤵
  PID:8320
- C:\Windows\System32\CgADaXr.exe
  C:\Windows\System32\CgADaXr.exe
  2⤵
  PID:8348
- C:\Windows\System32\yyrzISL.exe
  C:\Windows\System32\yyrzISL.exe
  2⤵
  PID:8376
- C:\Windows\System32\uhbTOLK.exe
  C:\Windows\System32\uhbTOLK.exe
  2⤵
  PID:8404
- C:\Windows\System32\gPtmkui.exe
  C:\Windows\System32\gPtmkui.exe
  2⤵
  PID:8440
- C:\Windows\System32\EYTuxSX.exe
  C:\Windows\System32\EYTuxSX.exe
  2⤵
  PID:8476
- C:\Windows\System32\ryOdqTu.exe
  C:\Windows\System32\ryOdqTu.exe
  2⤵
  PID:8508
- C:\Windows\System32\WDWqnPe.exe
  C:\Windows\System32\WDWqnPe.exe
  2⤵
  PID:8532
- C:\Windows\System32\pgwFDQj.exe
  C:\Windows\System32\pgwFDQj.exe
  2⤵
  PID:8560
- C:\Windows\System32\DaXAEOI.exe
  C:\Windows\System32\DaXAEOI.exe
  2⤵
  PID:8588
- C:\Windows\System32\gQCqoja.exe
  C:\Windows\System32\gQCqoja.exe
  2⤵
  PID:8616
- C:\Windows\System32\AeTgtIy.exe
  C:\Windows\System32\AeTgtIy.exe
  2⤵
  PID:8644
- C:\Windows\System32\PrCqAGy.exe
  C:\Windows\System32\PrCqAGy.exe
  2⤵
  PID:8676
- C:\Windows\System32\KWIVglv.exe
  C:\Windows\System32\KWIVglv.exe
  2⤵
  PID:8704
- C:\Windows\System32\bVWrTap.exe
  C:\Windows\System32\bVWrTap.exe
  2⤵
  PID:8732
- C:\Windows\System32\mDLJHzv.exe
  C:\Windows\System32\mDLJHzv.exe
  2⤵
  PID:8760
- C:\Windows\System32\gRTEoIq.exe
  C:\Windows\System32\gRTEoIq.exe
  2⤵
  PID:8792
- C:\Windows\System32\FtmqxNk.exe
  C:\Windows\System32\FtmqxNk.exe
  2⤵
  PID:8820
- C:\Windows\System32\RnCHJAo.exe
  C:\Windows\System32\RnCHJAo.exe
  2⤵
  PID:8848
- C:\Windows\System32\xHkCgkv.exe
  C:\Windows\System32\xHkCgkv.exe
  2⤵
  PID:8876
- C:\Windows\System32\hvwCWsr.exe
  C:\Windows\System32\hvwCWsr.exe
  2⤵
  PID:8904
- C:\Windows\System32\ablRXeu.exe
  C:\Windows\System32\ablRXeu.exe
  2⤵
  PID:8932
- C:\Windows\System32\jjsbUed.exe
  C:\Windows\System32\jjsbUed.exe
  2⤵
  PID:8960
- C:\Windows\System32\fxFnzvh.exe
  C:\Windows\System32\fxFnzvh.exe
  2⤵
  PID:8988
- C:\Windows\System32\fYIoRAb.exe
  C:\Windows\System32\fYIoRAb.exe
  2⤵
  PID:9016
- C:\Windows\System32\ByvMXZK.exe
  C:\Windows\System32\ByvMXZK.exe
  2⤵
  PID:9060
- C:\Windows\System32\tyAOSRr.exe
  C:\Windows\System32\tyAOSRr.exe
  2⤵
  PID:9088
- C:\Windows\System32\gRacaxl.exe
  C:\Windows\System32\gRacaxl.exe
  2⤵
  PID:9124
- C:\Windows\System32\OiLsKVb.exe
  C:\Windows\System32\OiLsKVb.exe
  2⤵
  PID:9164
- C:\Windows\System32\SFwEQGp.exe
  C:\Windows\System32\SFwEQGp.exe
  2⤵
  PID:9200
- C:\Windows\System32\AETyRLG.exe
  C:\Windows\System32\AETyRLG.exe
  2⤵
  PID:8312
- C:\Windows\System32\PfWsGBM.exe
  C:\Windows\System32\PfWsGBM.exe
  2⤵
  PID:8388
- C:\Windows\System32\mAVVkLs.exe
  C:\Windows\System32\mAVVkLs.exe
  2⤵
  PID:8556
- C:\Windows\System32\FSFrtVt.exe
  C:\Windows\System32\FSFrtVt.exe
  2⤵
  PID:8672
- C:\Windows\System32\WroacZu.exe
  C:\Windows\System32\WroacZu.exe
  2⤵
  PID:8756
- C:\Windows\System32\JzsJNDx.exe
  C:\Windows\System32\JzsJNDx.exe
  2⤵
  PID:8832
- C:\Windows\System32\bfKQMTE.exe
  C:\Windows\System32\bfKQMTE.exe
  2⤵
  PID:8900
- C:\Windows\System32\CKJgVRE.exe
  C:\Windows\System32\CKJgVRE.exe
  2⤵
  PID:8972
- C:\Windows\System32\oOjUfVo.exe
  C:\Windows\System32\oOjUfVo.exe
  2⤵
  PID:9028
- C:\Windows\System32\YlvXrOM.exe
  C:\Windows\System32\YlvXrOM.exe
  2⤵
  PID:9072
- C:\Windows\System32\HUHOUsk.exe
  C:\Windows\System32\HUHOUsk.exe
  2⤵
  PID:9192
- C:\Windows\System32\bVlLeIC.exe
  C:\Windows\System32\bVlLeIC.exe
  2⤵
  PID:8284
- C:\Windows\System32\wFVihum.exe
  C:\Windows\System32\wFVihum.exe
  2⤵
  PID:8728
- C:\Windows\System32\XDBAEYz.exe
  C:\Windows\System32\XDBAEYz.exe
  2⤵
  PID:8944
- C:\Windows\System32\nGqZGsi.exe
  C:\Windows\System32\nGqZGsi.exe
  2⤵
  PID:9108
- C:\Windows\System32\lhHpxid.exe
  C:\Windows\System32\lhHpxid.exe
  2⤵
  PID:8460
- C:\Windows\System32\dZIHNpF.exe
  C:\Windows\System32\dZIHNpF.exe
  2⤵
  PID:8888
- C:\Windows\System32\daHFYXP.exe
  C:\Windows\System32\daHFYXP.exe
  2⤵
  PID:8248
- C:\Windows\System32\sMNAeJf.exe
  C:\Windows\System32\sMNAeJf.exe
  2⤵
  PID:9240
- C:\Windows\System32\iIkddKI.exe
  C:\Windows\System32\iIkddKI.exe
  2⤵
  PID:9264
- C:\Windows\System32\xSivXbn.exe
  C:\Windows\System32\xSivXbn.exe
  2⤵
  PID:9300
- C:\Windows\System32\UQmwTuQ.exe
  C:\Windows\System32\UQmwTuQ.exe
  2⤵
  PID:9332
- C:\Windows\System32\uWiOuJX.exe
  C:\Windows\System32\uWiOuJX.exe
  2⤵
  PID:9360
- C:\Windows\System32\GHkmels.exe
  C:\Windows\System32\GHkmels.exe
  2⤵
  PID:9376
- C:\Windows\System32\TslsIQl.exe
  C:\Windows\System32\TslsIQl.exe
  2⤵
  PID:9412
- C:\Windows\System32\LwibspR.exe
  C:\Windows\System32\LwibspR.exe
  2⤵
  PID:9448
- C:\Windows\System32\vfSRDuD.exe
  C:\Windows\System32\vfSRDuD.exe
  2⤵
  PID:9484
- C:\Windows\System32\VapHhCJ.exe
  C:\Windows\System32\VapHhCJ.exe
  2⤵
  PID:9516
- C:\Windows\System32\GBMSLfQ.exe
  C:\Windows\System32\GBMSLfQ.exe
  2⤵
  PID:9552
- C:\Windows\System32\sxnMNTW.exe
  C:\Windows\System32\sxnMNTW.exe
  2⤵
  PID:9572
- C:\Windows\System32\kuoiJTd.exe
  C:\Windows\System32\kuoiJTd.exe
  2⤵
  PID:9600
- C:\Windows\System32\JdfKIyB.exe
  C:\Windows\System32\JdfKIyB.exe
  2⤵
  PID:9628
- C:\Windows\System32\FapVpjH.exe
  C:\Windows\System32\FapVpjH.exe
  2⤵
  PID:9656
- C:\Windows\System32\IYnMltB.exe
  C:\Windows\System32\IYnMltB.exe
  2⤵
  PID:9684
- C:\Windows\System32\eDIZylb.exe
  C:\Windows\System32\eDIZylb.exe
  2⤵
  PID:9708
- C:\Windows\System32\ynpqEnZ.exe
  C:\Windows\System32\ynpqEnZ.exe
  2⤵
  PID:9728
- C:\Windows\System32\cXBmnzE.exe
  C:\Windows\System32\cXBmnzE.exe
  2⤵
  PID:9764
- C:\Windows\System32\yzOaKSM.exe
  C:\Windows\System32\yzOaKSM.exe
  2⤵
  PID:9780
- C:\Windows\System32\ElOWnRX.exe
  C:\Windows\System32\ElOWnRX.exe
  2⤵
  PID:9824
- C:\Windows\System32\PKRCHuw.exe
  C:\Windows\System32\PKRCHuw.exe
  2⤵
  PID:9852
- C:\Windows\System32\SfTalZx.exe
  C:\Windows\System32\SfTalZx.exe
  2⤵
  PID:9880
- C:\Windows\System32\OIlrcGW.exe
  C:\Windows\System32\OIlrcGW.exe
  2⤵
  PID:9900
- C:\Windows\System32\ajcvXVe.exe
  C:\Windows\System32\ajcvXVe.exe
  2⤵
  PID:9924
- C:\Windows\System32\JocyVmr.exe
  C:\Windows\System32\JocyVmr.exe
  2⤵
  PID:9964
- C:\Windows\System32\YJUaNHA.exe
  C:\Windows\System32\YJUaNHA.exe
  2⤵
  PID:9992
- C:\Windows\System32\ztoXjuz.exe
  C:\Windows\System32\ztoXjuz.exe
  2⤵
  PID:10020
- C:\Windows\System32\Udpfjhk.exe
  C:\Windows\System32\Udpfjhk.exe
  2⤵
  PID:10040
- C:\Windows\System32\wzQCsDT.exe
  C:\Windows\System32\wzQCsDT.exe
  2⤵
  PID:10076
- C:\Windows\System32\YxINPIi.exe
  C:\Windows\System32\YxINPIi.exe
  2⤵
  PID:10104
- C:\Windows\System32\XFbxTaJ.exe
  C:\Windows\System32\XFbxTaJ.exe
  2⤵
  PID:10128
- C:\Windows\System32\ZvjckiR.exe
  C:\Windows\System32\ZvjckiR.exe
  2⤵
  PID:10156
- C:\Windows\System32\bsgiopV.exe
  C:\Windows\System32\bsgiopV.exe
  2⤵
  PID:10192
- C:\Windows\System32\EacFQvW.exe
  C:\Windows\System32\EacFQvW.exe
  2⤵
  PID:10220
- C:\Windows\System32\buDHNwP.exe
  C:\Windows\System32\buDHNwP.exe
  2⤵
  PID:9084
- C:\Windows\System32\HZkyxCT.exe
  C:\Windows\System32\HZkyxCT.exe
  2⤵
  PID:9252
- C:\Windows\System32\srOYQBQ.exe
  C:\Windows\System32\srOYQBQ.exe
  2⤵
  PID:9344
- C:\Windows\System32\rdwZmBm.exe
  C:\Windows\System32\rdwZmBm.exe
  2⤵
  PID:9388
- C:\Windows\System32\uVEYNSP.exe
  C:\Windows\System32\uVEYNSP.exe
  2⤵
  PID:9444
- C:\Windows\System32\tPsMZqz.exe
  C:\Windows\System32\tPsMZqz.exe
  2⤵
  PID:9540
- C:\Windows\System32\LdGoeuq.exe
  C:\Windows\System32\LdGoeuq.exe
  2⤵
  PID:9592
- C:\Windows\System32\OTpTJGK.exe
  C:\Windows\System32\OTpTJGK.exe
  2⤵
  PID:9668
- C:\Windows\System32\wVrccoc.exe
  C:\Windows\System32\wVrccoc.exe
  2⤵
  PID:9756
- C:\Windows\System32\OjfBDVM.exe
  C:\Windows\System32\OjfBDVM.exe
  2⤵
  PID:9820
- C:\Windows\System32\VeTGwQP.exe
  C:\Windows\System32\VeTGwQP.exe
  2⤵
  PID:9864
- C:\Windows\System32\NHbMUNY.exe
  C:\Windows\System32\NHbMUNY.exe
  2⤵
  PID:9908
- C:\Windows\System32\CsuHfTR.exe
  C:\Windows\System32\CsuHfTR.exe
  2⤵
  PID:10008
- C:\Windows\System32\uTZUBea.exe
  C:\Windows\System32\uTZUBea.exe
  2⤵
  PID:10088
- C:\Windows\System32\QPhWbHk.exe
  C:\Windows\System32\QPhWbHk.exe
  2⤵
  PID:10152
- C:\Windows\System32\AFiVflx.exe
  C:\Windows\System32\AFiVflx.exe
  2⤵
  PID:10212
- C:\Windows\System32\zxtuszi.exe
  C:\Windows\System32\zxtuszi.exe
  2⤵
  PID:9328
- C:\Windows\System32\NNNPlRU.exe
  C:\Windows\System32\NNNPlRU.exe
  2⤵
  PID:9476
- C:\Windows\System32\rAWCTKJ.exe
  C:\Windows\System32\rAWCTKJ.exe
  2⤵
  PID:9620
- C:\Windows\System32\ThcxYyF.exe
  C:\Windows\System32\ThcxYyF.exe
  2⤵
  PID:9796
- C:\Windows\System32\QzSEEjg.exe
  C:\Windows\System32\QzSEEjg.exe
  2⤵
  PID:9888
- C:\Windows\System32\RxohagE.exe
  C:\Windows\System32\RxohagE.exe
  2⤵
  PID:10064
- C:\Windows\System32\HXIDFIQ.exe
  C:\Windows\System32\HXIDFIQ.exe
  2⤵
  PID:10188
- C:\Windows\System32\mheAUuY.exe
  C:\Windows\System32\mheAUuY.exe
  2⤵
  PID:9596
- C:\Windows\System32\KZDAcqS.exe
  C:\Windows\System32\KZDAcqS.exe
  2⤵
  PID:9892
- C:\Windows\System32\QVBJKyY.exe
  C:\Windows\System32\QVBJKyY.exe
  2⤵
  PID:10120
- C:\Windows\System32\fwMLKfP.exe
  C:\Windows\System32\fwMLKfP.exe
  2⤵
  PID:9256
- C:\Windows\System32\tdwPxxG.exe
  C:\Windows\System32\tdwPxxG.exe
  2⤵
  PID:10252
- C:\Windows\System32\QURmkaw.exe
  C:\Windows\System32\QURmkaw.exe
  2⤵
  PID:10276
- C:\Windows\System32\AqEOuIO.exe
  C:\Windows\System32\AqEOuIO.exe
  2⤵
  PID:10304
- C:\Windows\System32\soyptYz.exe
  C:\Windows\System32\soyptYz.exe
  2⤵
  PID:10332
- C:\Windows\System32\raAJulz.exe
  C:\Windows\System32\raAJulz.exe
  2⤵
  PID:10356
- C:\Windows\System32\QncUbDU.exe
  C:\Windows\System32\QncUbDU.exe
  2⤵
  PID:10388
- C:\Windows\System32\SboMIbW.exe
  C:\Windows\System32\SboMIbW.exe
  2⤵
  PID:10412
- C:\Windows\System32\AIEUqZW.exe
  C:\Windows\System32\AIEUqZW.exe
  2⤵
  PID:10448
- C:\Windows\System32\ckqXwOY.exe
  C:\Windows\System32\ckqXwOY.exe
  2⤵
  PID:10480
- C:\Windows\System32\GdKNTGl.exe
  C:\Windows\System32\GdKNTGl.exe
  2⤵
  PID:10508
- C:\Windows\System32\qUGKpvy.exe
  C:\Windows\System32\qUGKpvy.exe
  2⤵
  PID:10532
- C:\Windows\System32\RkedyIQ.exe
  C:\Windows\System32\RkedyIQ.exe
  2⤵
  PID:10552
- C:\Windows\System32\wNSepoi.exe
  C:\Windows\System32\wNSepoi.exe
  2⤵
  PID:10592
- C:\Windows\System32\RLppxdP.exe
  C:\Windows\System32\RLppxdP.exe
  2⤵
  PID:10620
- C:\Windows\System32\QZNPvtr.exe
  C:\Windows\System32\QZNPvtr.exe
  2⤵
  PID:10640
- C:\Windows\System32\cdIdxHF.exe
  C:\Windows\System32\cdIdxHF.exe
  2⤵
  PID:10668
- C:\Windows\System32\BKIOoKB.exe
  C:\Windows\System32\BKIOoKB.exe
  2⤵
  PID:10712
- C:\Windows\System32\dBlhYHB.exe
  C:\Windows\System32\dBlhYHB.exe
  2⤵
  PID:10732
- C:\Windows\System32\FavGyOx.exe
  C:\Windows\System32\FavGyOx.exe
  2⤵
  PID:10772
- C:\Windows\System32\kSWtzWd.exe
  C:\Windows\System32\kSWtzWd.exe
  2⤵
  PID:10788
- C:\Windows\System32\ZaEEcdg.exe
  C:\Windows\System32\ZaEEcdg.exe
  2⤵
  PID:10804
- C:\Windows\System32\fRmasOt.exe
  C:\Windows\System32\fRmasOt.exe
  2⤵
  PID:10824
- C:\Windows\System32\DGWGzgj.exe
  C:\Windows\System32\DGWGzgj.exe
  2⤵
  PID:10868
- C:\Windows\System32\iAFKAsJ.exe
  C:\Windows\System32\iAFKAsJ.exe
  2⤵
  PID:10892
- C:\Windows\System32\DdSgXCk.exe
  C:\Windows\System32\DdSgXCk.exe
  2⤵
  PID:10928
- C:\Windows\System32\OXEXONL.exe
  C:\Windows\System32\OXEXONL.exe
  2⤵
  PID:10952
- C:\Windows\System32\wSKcLoo.exe
  C:\Windows\System32\wSKcLoo.exe
  2⤵
  PID:10988
- C:\Windows\System32\XNdsjfB.exe
  C:\Windows\System32\XNdsjfB.exe
  2⤵
  PID:11008
- C:\Windows\System32\kYmxXbd.exe
  C:\Windows\System32\kYmxXbd.exe
  2⤵
  PID:11032
- C:\Windows\System32\IKLgdzM.exe
  C:\Windows\System32\IKLgdzM.exe
  2⤵
  PID:11072
- C:\Windows\System32\xxlnoyE.exe
  C:\Windows\System32\xxlnoyE.exe
  2⤵
  PID:11088
- C:\Windows\System32\ehelXeI.exe
  C:\Windows\System32\ehelXeI.exe
  2⤵
  PID:11128
- C:\Windows\System32\mtUoqZs.exe
  C:\Windows\System32\mtUoqZs.exe
  2⤵
  PID:11156
- C:\Windows\System32\rGwExmy.exe
  C:\Windows\System32\rGwExmy.exe
  2⤵
  PID:11172
- C:\Windows\System32\AJIqfih.exe
  C:\Windows\System32\AJIqfih.exe
  2⤵
  PID:11212
- C:\Windows\System32\UWCCRJl.exe
  C:\Windows\System32\UWCCRJl.exe
  2⤵
  PID:11240
- C:\Windows\System32\CPyKDnr.exe
  C:\Windows\System32\CPyKDnr.exe
  2⤵
  PID:9844
- C:\Windows\System32\fJEyNKT.exe
  C:\Windows\System32\fJEyNKT.exe
  2⤵
  PID:10284
- C:\Windows\System32\flJzhAp.exe
  C:\Windows\System32\flJzhAp.exe
  2⤵
  PID:10408
- C:\Windows\System32\ARVmsvi.exe
  C:\Windows\System32\ARVmsvi.exe
  2⤵
  PID:10424
- C:\Windows\System32\BzixcqH.exe
  C:\Windows\System32\BzixcqH.exe
  2⤵
  PID:10504
- C:\Windows\System32\oHdaMto.exe
  C:\Windows\System32\oHdaMto.exe
  2⤵
  PID:10544
- C:\Windows\System32\JOVGheo.exe
  C:\Windows\System32\JOVGheo.exe
  2⤵
  PID:10632
- C:\Windows\System32\QKeYKIw.exe
  C:\Windows\System32\QKeYKIw.exe
  2⤵
  PID:10688
- C:\Windows\System32\lfNhaze.exe
  C:\Windows\System32\lfNhaze.exe
  2⤵
  PID:10760
- C:\Windows\System32\eplGNhL.exe
  C:\Windows\System32\eplGNhL.exe
  2⤵
  PID:10832
- C:\Windows\System32\GDIKpJr.exe
  C:\Windows\System32\GDIKpJr.exe
  2⤵
  PID:10904
- C:\Windows\System32\VAhqfUu.exe
  C:\Windows\System32\VAhqfUu.exe
  2⤵
  PID:11004
- C:\Windows\System32\cKqMGuz.exe
  C:\Windows\System32\cKqMGuz.exe
  2⤵
  PID:11080
- C:\Windows\System32\QzXCxGX.exe
  C:\Windows\System32\QzXCxGX.exe
  2⤵
  PID:11168
- C:\Windows\System32\HPXYZUd.exe
  C:\Windows\System32\HPXYZUd.exe
  2⤵
  PID:11224
- C:\Windows\System32\ufOYzRN.exe
  C:\Windows\System32\ufOYzRN.exe
  2⤵
  PID:10340
- C:\Windows\System32\dGtAIRp.exe
  C:\Windows\System32\dGtAIRp.exe
  2⤵
  PID:10568
- C:\Windows\System32\HodFDBT.exe
  C:\Windows\System32\HodFDBT.exe
  2⤵
  PID:10628
- C:\Windows\System32\Gijxcoj.exe
  C:\Windows\System32\Gijxcoj.exe
  2⤵
  PID:10796
- C:\Windows\System32\lDdafxS.exe
  C:\Windows\System32\lDdafxS.exe
  2⤵
  PID:10980
- C:\Windows\System32\gOAcPmm.exe
  C:\Windows\System32\gOAcPmm.exe
  2⤵
  PID:11164
- C:\Windows\System32\rDtMXBP.exe
  C:\Windows\System32\rDtMXBP.exe
  2⤵
  PID:10292
- C:\Windows\System32\cXnefXB.exe
  C:\Windows\System32\cXnefXB.exe
  2⤵
  PID:10112
- C:\Windows\System32\KzbKhhF.exe
  C:\Windows\System32\KzbKhhF.exe
  2⤵
  PID:11060
- C:\Windows\System32\XgKRZeH.exe
  C:\Windows\System32\XgKRZeH.exe
  2⤵
  PID:9400
- C:\Windows\System32\DDDWvWR.exe
  C:\Windows\System32\DDDWvWR.exe
  2⤵
  PID:10724
- C:\Windows\System32\oTJNvdF.exe
  C:\Windows\System32\oTJNvdF.exe
  2⤵
  PID:11288
- C:\Windows\System32\yQnrPWt.exe
  C:\Windows\System32\yQnrPWt.exe
  2⤵
  PID:11304
- C:\Windows\System32\hdbZHbk.exe
  C:\Windows\System32\hdbZHbk.exe
  2⤵
  PID:11344
- C:\Windows\System32\dgIzEGv.exe
  C:\Windows\System32\dgIzEGv.exe
  2⤵
  PID:11364
- C:\Windows\System32\RVhvZpB.exe
  C:\Windows\System32\RVhvZpB.exe
  2⤵
  PID:11400
- C:\Windows\System32\BPEwiyn.exe
  C:\Windows\System32\BPEwiyn.exe
  2⤵
  PID:11428
- C:\Windows\System32\RsBimvp.exe
  C:\Windows\System32\RsBimvp.exe
  2⤵
  PID:11456
- C:\Windows\System32\SrYNuDJ.exe
  C:\Windows\System32\SrYNuDJ.exe
  2⤵
  PID:11484
- C:\Windows\System32\MObeLJn.exe
  C:\Windows\System32\MObeLJn.exe
  2⤵
  PID:11512
- C:\Windows\System32\eqNABMM.exe
  C:\Windows\System32\eqNABMM.exe
  2⤵
  PID:11540
- C:\Windows\System32\OxZbvmf.exe
  C:\Windows\System32\OxZbvmf.exe
  2⤵
  PID:11568
- C:\Windows\System32\olfibED.exe
  C:\Windows\System32\olfibED.exe
  2⤵
  PID:11600
- C:\Windows\System32\qWdEimF.exe
  C:\Windows\System32\qWdEimF.exe
  2⤵
  PID:11616
- C:\Windows\System32\kpECNil.exe
  C:\Windows\System32\kpECNil.exe
  2⤵
  PID:11648
- C:\Windows\System32\lRdBkOO.exe
  C:\Windows\System32\lRdBkOO.exe
  2⤵
  PID:11684
- C:\Windows\System32\HukMIyg.exe
  C:\Windows\System32\HukMIyg.exe
  2⤵
  PID:11712
- C:\Windows\System32\LSRDpXQ.exe
  C:\Windows\System32\LSRDpXQ.exe
  2⤵
  PID:11728
- C:\Windows\System32\YdDWmnt.exe
  C:\Windows\System32\YdDWmnt.exe
  2⤵
  PID:11768
- C:\Windows\System32\GBFAlQA.exe
  C:\Windows\System32\GBFAlQA.exe
  2⤵
  PID:11796
- C:\Windows\System32\sogKNPz.exe
  C:\Windows\System32\sogKNPz.exe
  2⤵
  PID:11824
- C:\Windows\System32\EmxhCtc.exe
  C:\Windows\System32\EmxhCtc.exe
  2⤵
  PID:11852
- C:\Windows\System32\GWngfXY.exe
  C:\Windows\System32\GWngfXY.exe
  2⤵
  PID:11880
- C:\Windows\System32\OsmfdnZ.exe
  C:\Windows\System32\OsmfdnZ.exe
  2⤵
  PID:11912
- C:\Windows\System32\hcZUvSO.exe
  C:\Windows\System32\hcZUvSO.exe
  2⤵
  PID:11936
- C:\Windows\System32\dCvqkLE.exe
  C:\Windows\System32\dCvqkLE.exe
  2⤵
  PID:11964
- C:\Windows\System32\LnXxoFW.exe
  C:\Windows\System32\LnXxoFW.exe
  2⤵
  PID:11992
- C:\Windows\System32\cLvIcRM.exe
  C:\Windows\System32\cLvIcRM.exe
  2⤵
  PID:12020
- C:\Windows\System32\kInfBFn.exe
  C:\Windows\System32\kInfBFn.exe
  2⤵
  PID:12048
- C:\Windows\System32\MqXiSaT.exe
  C:\Windows\System32\MqXiSaT.exe
  2⤵
  PID:12076
- C:\Windows\System32\jUjqFUN.exe
  C:\Windows\System32\jUjqFUN.exe
  2⤵
  PID:12096
- C:\Windows\System32\rOFsesX.exe
  C:\Windows\System32\rOFsesX.exe
  2⤵
  PID:12124
- C:\Windows\System32\xGIaJmB.exe
  C:\Windows\System32\xGIaJmB.exe
  2⤵
  PID:12148
- C:\Windows\System32\tEYeGDp.exe
  C:\Windows\System32\tEYeGDp.exe
  2⤵
  PID:12176
- C:\Windows\System32\CrjditM.exe
  C:\Windows\System32\CrjditM.exe
  2⤵
  PID:12216
- C:\Windows\System32\CKWUMtt.exe
  C:\Windows\System32\CKWUMtt.exe
  2⤵
  PID:12244
- C:\Windows\System32\WadXYas.exe
  C:\Windows\System32\WadXYas.exe
  2⤵
  PID:12272
- C:\Windows\System32\QkIheNY.exe
  C:\Windows\System32\QkIheNY.exe
  2⤵
  PID:11280
- C:\Windows\System32\pSUJSBT.exe
  C:\Windows\System32\pSUJSBT.exe
  2⤵
  PID:11328
- C:\Windows\System32\PuHgwkq.exe
  C:\Windows\System32\PuHgwkq.exe
  2⤵
  PID:11388
- C:\Windows\System32\XxXCnsA.exe
  C:\Windows\System32\XxXCnsA.exe
  2⤵
  PID:11452
- C:\Windows\System32\bLeCyPV.exe
  C:\Windows\System32\bLeCyPV.exe
  2⤵
  PID:11532
- C:\Windows\System32\urOoHno.exe
  C:\Windows\System32\urOoHno.exe
  2⤵
  PID:11612
- C:\Windows\System32\wyHChWd.exe
  C:\Windows\System32\wyHChWd.exe
  2⤵
  PID:11664
- C:\Windows\System32\WBFnpZo.exe
  C:\Windows\System32\WBFnpZo.exe
  2⤵
  PID:11720
- C:\Windows\System32\GTdlMQE.exe
  C:\Windows\System32\GTdlMQE.exe
  2⤵
  PID:11792
- C:\Windows\System32\tqlvDqU.exe
  C:\Windows\System32\tqlvDqU.exe
  2⤵
  PID:11864
- C:\Windows\System32\gaKmvFJ.exe
  C:\Windows\System32\gaKmvFJ.exe
  2⤵
  PID:11900
- C:\Windows\System32\pCmSOyK.exe
  C:\Windows\System32\pCmSOyK.exe
  2⤵
  PID:12004
- C:\Windows\System32\MpluoLM.exe
  C:\Windows\System32\MpluoLM.exe
  2⤵
  PID:12060
- C:\Windows\System32\yvNwVvo.exe
  C:\Windows\System32\yvNwVvo.exe
  2⤵
  PID:12104
- C:\Windows\System32\feuhHJp.exe
  C:\Windows\System32\feuhHJp.exe
  2⤵
  PID:12168
- C:\Windows\System32\ppEFgtZ.exe
  C:\Windows\System32\ppEFgtZ.exe
  2⤵
  PID:12236
- C:\Windows\System32\NLgGQln.exe
  C:\Windows\System32\NLgGQln.exe
  2⤵
  PID:10848
- C:\Windows\System32\DpYrsoh.exe
  C:\Windows\System32\DpYrsoh.exe
  2⤵
  PID:11468
- C:\Windows\System32\sZsyulI.exe
  C:\Windows\System32\sZsyulI.exe
  2⤵
  PID:11640
- C:\Windows\System32\nviKoBB.exe
  C:\Windows\System32\nviKoBB.exe
  2⤵
  PID:11764
- C:\Windows\System32\pJqTXwD.exe
  C:\Windows\System32\pJqTXwD.exe
  2⤵
  PID:11928
- C:\Windows\System32\sODXDfP.exe
  C:\Windows\System32\sODXDfP.exe
  2⤵
  PID:12068
- C:\Windows\System32\iOuJiVg.exe
  C:\Windows\System32\iOuJiVg.exe
  2⤵
  PID:12136
- C:\Windows\System32\pSUACHX.exe
  C:\Windows\System32\pSUACHX.exe
  2⤵
  PID:12268
- C:\Windows\System32\cNhdcYO.exe
  C:\Windows\System32\cNhdcYO.exe
  2⤵
  PID:11844
- C:\Windows\System32\QhHKXvA.exe
  C:\Windows\System32\QhHKXvA.exe
  2⤵
  PID:12132
- C:\Windows\System32\UOnCPnJ.exe
  C:\Windows\System32\UOnCPnJ.exe
  2⤵
  PID:11440
- C:\Windows\System32\eTlFJNg.exe
  C:\Windows\System32\eTlFJNg.exe
  2⤵
  PID:11564
- C:\Windows\System32\brMAhQQ.exe
  C:\Windows\System32\brMAhQQ.exe
  2⤵
  PID:12324
- C:\Windows\System32\uBJwXTs.exe
  C:\Windows\System32\uBJwXTs.exe
  2⤵
  PID:12344
- C:\Windows\System32\TKYRNMh.exe
  C:\Windows\System32\TKYRNMh.exe
  2⤵
  PID:12380
- C:\Windows\System32\Ozboefd.exe
  C:\Windows\System32\Ozboefd.exe
  2⤵
  PID:12408
- C:\Windows\System32\ssvRTON.exe
  C:\Windows\System32\ssvRTON.exe
  2⤵
  PID:12432
- C:\Windows\System32\pFqrJtO.exe
  C:\Windows\System32\pFqrJtO.exe
  2⤵
  PID:12456
- C:\Windows\System32\ZxrLwGJ.exe
  C:\Windows\System32\ZxrLwGJ.exe
  2⤵
  PID:12484
- C:\Windows\System32\pYeoAth.exe
  C:\Windows\System32\pYeoAth.exe
  2⤵
  PID:12516
- C:\Windows\System32\OAKUqQm.exe
  C:\Windows\System32\OAKUqQm.exe
  2⤵
  PID:12548
- C:\Windows\System32\qZxesqe.exe
  C:\Windows\System32\qZxesqe.exe
  2⤵
  PID:12576
- C:\Windows\System32\hSnVWBz.exe
  C:\Windows\System32\hSnVWBz.exe
  2⤵
  PID:12604
- C:\Windows\System32\RrPjAir.exe
  C:\Windows\System32\RrPjAir.exe
  2⤵
  PID:12632
- C:\Windows\System32\nRyIOkL.exe
  C:\Windows\System32\nRyIOkL.exe
  2⤵
  PID:12660
- C:\Windows\System32\yBJYFAB.exe
  C:\Windows\System32\yBJYFAB.exe
  2⤵
  PID:12688
- C:\Windows\System32\hnfocAA.exe
  C:\Windows\System32\hnfocAA.exe
  2⤵
  PID:12716
- C:\Windows\System32\fdScKpt.exe
  C:\Windows\System32\fdScKpt.exe
  2⤵
  PID:12732
- C:\Windows\System32\pGOjZHa.exe
  C:\Windows\System32\pGOjZHa.exe
  2⤵
  PID:12760
- C:\Windows\System32\qWwtSlO.exe
  C:\Windows\System32\qWwtSlO.exe
  2⤵
  PID:12800
- C:\Windows\System32\YmdMadr.exe
  C:\Windows\System32\YmdMadr.exe
  2⤵
  PID:12828
- C:\Windows\System32\XRLjzyn.exe
  C:\Windows\System32\XRLjzyn.exe
  2⤵
  PID:12856
- C:\Windows\System32\JKwuBza.exe
  C:\Windows\System32\JKwuBza.exe
  2⤵
  PID:12884
- C:\Windows\System32\GSgSJkk.exe
  C:\Windows\System32\GSgSJkk.exe
  2⤵
  PID:12912
- C:\Windows\System32\JAlxsyx.exe
  C:\Windows\System32\JAlxsyx.exe
  2⤵
  PID:12940
- C:\Windows\System32\xUpLYgk.exe
  C:\Windows\System32\xUpLYgk.exe
  2⤵
  PID:12960
- C:\Windows\System32\iVwSeAs.exe
  C:\Windows\System32\iVwSeAs.exe
  2⤵
  PID:12996
- C:\Windows\System32\VvkhQEk.exe
  C:\Windows\System32\VvkhQEk.exe
  2⤵
  PID:13036
- C:\Windows\System32\SvahdOH.exe
  C:\Windows\System32\SvahdOH.exe
  2⤵
  PID:13052
- C:\Windows\System32\qgLjKKQ.exe
  C:\Windows\System32\qgLjKKQ.exe
  2⤵
  PID:13080
- C:\Windows\System32\EjVpAuy.exe
  C:\Windows\System32\EjVpAuy.exe
  2⤵
  PID:13108
- C:\Windows\System32\HqADpaL.exe
  C:\Windows\System32\HqADpaL.exe
  2⤵
  PID:13136
- C:\Windows\System32\pjDjnFI.exe
  C:\Windows\System32\pjDjnFI.exe
  2⤵
  PID:13156
- C:\Windows\System32\kYfmdEm.exe
  C:\Windows\System32\kYfmdEm.exe
  2⤵
  PID:13184
- C:\Windows\System32\AtwNxQl.exe
  C:\Windows\System32\AtwNxQl.exe
  2⤵
  PID:13236
- C:\Windows\System32\fOFDTKd.exe
  C:\Windows\System32\fOFDTKd.exe
  2⤵
  PID:13276
- C:\Windows\System32\yjSzCnT.exe
  C:\Windows\System32\yjSzCnT.exe
  2⤵
  PID:11784
- C:\Windows\System32\lseJxDJ.exe
  C:\Windows\System32\lseJxDJ.exe
  2⤵
  PID:12352
- C:\Windows\System32\VEeabbs.exe
  C:\Windows\System32\VEeabbs.exe
  2⤵
  PID:12376
- C:\Windows\System32\ANqEdSX.exe
  C:\Windows\System32\ANqEdSX.exe
  2⤵
  PID:12444
- C:\Windows\System32\PglhCVT.exe
  C:\Windows\System32\PglhCVT.exe
  2⤵
  PID:12512
- C:\Windows\System32\NWgkVDw.exe
  C:\Windows\System32\NWgkVDw.exe
  2⤵
  PID:12560
- C:\Windows\System32\OgPasSv.exe
  C:\Windows\System32\OgPasSv.exe
  2⤵
  PID:12628
- C:\Windows\System32\cyVBZWe.exe
  C:\Windows\System32\cyVBZWe.exe
  2⤵
  PID:12700
- C:\Windows\System32\rtNpREq.exe
  C:\Windows\System32\rtNpREq.exe
  2⤵
  PID:12772
- C:\Windows\System32\eMJHruh.exe
  C:\Windows\System32\eMJHruh.exe
  2⤵
  PID:12816
- C:\Windows\System32\fUbqlil.exe
  C:\Windows\System32\fUbqlil.exe
  2⤵
  PID:12868
- C:\Windows\System32\whQLhFv.exe
  C:\Windows\System32\whQLhFv.exe
  2⤵
  PID:12924
- C:\Windows\System32\mfaWmzv.exe
  C:\Windows\System32\mfaWmzv.exe
  2⤵
  PID:12988
- C:\Windows\System32\FIYzlEB.exe
  C:\Windows\System32\FIYzlEB.exe
  2⤵
  PID:13076
- C:\Windows\System32\SfRykQw.exe
  C:\Windows\System32\SfRykQw.exe
  2⤵
  PID:13144
- C:\Windows\System32\gOPTTZX.exe
  C:\Windows\System32\gOPTTZX.exe
  2⤵
  PID:13180
- C:\Windows\System32\MDNQnPg.exe
  C:\Windows\System32\MDNQnPg.exe
  2⤵
  PID:13288

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BneNvhH.exe

Filesize
2.7MB

MD5
ee8e22493173f5171d2a66508062264b

SHA1
e413b93c55c0f432ee22af95229813d4063041a1

SHA256
976eec40c25f45599f21aec7934b9d00b4dc81a67de00d1d6f6899c7900f7712

SHA512
d9d57b09ff325b2866406208eae7b9fcec4c208212b74d54296d4dba0f5ec2dda02935b321a38fdf23a9d65b5ad402f4b9901079598c6a7ccac34fc8e78c70b0

Download Submit
C:\Windows\System32\DvWdIUX.exe

Filesize
2.7MB

MD5
91c64f8866db194aa6af22c68e17aa03

SHA1
29fe74457883d9227cfb44ae28c8ca47160d9014

SHA256
1bc1ca3dbd5aa0bfc39054595ff184285a918c549ff897e0b706f27151903e36

SHA512
ac0044276d66ca58c86499ed21f3ecb3e303b3cd868d20ac005fa26c1035abe0f76bbd4a83ab2ef34d4acbd94f150d5791ea94214a5c7137fed0697a7298170b

Download Submit
C:\Windows\System32\EkWFbJI.exe

Filesize
2.7MB

MD5
17974959409e19480d228890bbe92f88

SHA1
c2ccf8a37a8f08da94f98c72b35b28f771dce363

SHA256
fd17aef6c1de6f4f78565d30873f25ed5633e404d54e7cad8846ea1806fd47eb

SHA512
e407e9ebf3ca79809695835e02aa0cb204da7f7068e359a964d08bffa9cda8b2a4c413496097e1a8f0b5c502f3b2477b4d7b651d9b18b08a18c700f526b27ca9

Download Submit
C:\Windows\System32\HwkWchB.exe

Filesize
2.7MB

MD5
6421a9bce15828cd7e9fdb6a93b706b6

SHA1
1302c6947bd64767bec9863b045cecfbc51b9fac

SHA256
3ba8bf4277f8eb766fe7f130d3c61758deea89dc3aa5c6252b0ef7b19fb14381

SHA512
600efb953685f199689394a3af44a51c9977cd26e617d7229d9f92cd9e0e045896d07c478532780ad4a2110e945e52284566fa7693e51f10c31f047a00e76ba4

Download Submit
C:\Windows\System32\IqxKbSP.exe

Filesize
2.7MB

MD5
04c8ebd9a6c2fc8396cdd0dfe7aa8b11

SHA1
7c2fb27c59b81443efd8d1979e2b25709f967cee

SHA256
948b745487f324248f059d807179d42a152e6020823a51c271474cf465487425

SHA512
cf132ff3f25749274a652e2f2b93aaa8c1272e2f6362b31c5097cc8cab39c6aa019e152d52477b8135b0a4d1058d9bb126ab8cb1556408945667834b0832cd53

Download Submit
C:\Windows\System32\IrhlGJF.exe

Filesize
2.7MB

MD5
2fd4d71a7165f887cdce58bbb3e7d462

SHA1
6e1f6c92c8276b7d5e120d458596f5303e8a8828

SHA256
22e99042e5c5fb631b41d82d7a4bd5f0325d9a8e7caed11cc4faf4afec604b29

SHA512
d59dff0a366b6503a7b5cad38065d84baa135a2174b0d2771d4c0ce07d533e88421da2111e01112e995f75353f7ba88e68e7a31bd07b56a343615450ca5b9621

Download Submit
C:\Windows\System32\NoENHIt.exe

Filesize
2.7MB

MD5
1ebb99db7a5792d4104108fc46c546b0

SHA1
b3776d16a47bdb7e07c94a3f86a6408434116cd1

SHA256
47cf638faa9c7bd15e127b98a02a7e91914219c0edc9dde31827c2ffd685b88b

SHA512
41d2ec6031527002d7a0dbd4704dbdd4af3158757ef1e247db6378014d290a5e1d948ea4738ed88f872827536b15a8b825ab53abe64225e501d2b9fe867b6574

Download Submit
C:\Windows\System32\OMFKqOX.exe

Filesize
2.7MB

MD5
e728a6beaf40688a9b9d7b5ce2ae73cf

SHA1
00a542867d890bef59e31029fd79290a986d6dc1

SHA256
d753f3052ae96e1b6697fffb1ebc879a6f8c713fe2507ce0625d94128c0e17bc

SHA512
08a41bab185465c7726e47e1f6988263e607bb7c6d9ac28e3e6876d3f07c0d95646343a39d654cdd0d936d462a365d03f6402921d5af6f5dc89f6392d9c8341a

Download Submit
C:\Windows\System32\PAUnTZH.exe

Filesize
2.7MB

MD5
9b9f8cfec45328b3b11fc60f61096057

SHA1
b0edd7cb0fce508ed1a3902138b8472400d47f94

SHA256
48d8115341344212dc05154372afeb2960aebdf688a466bb65c2e8ca042357e8

SHA512
06f0a9e08a16fcffbc7cda5b7ebbb5ac741a84b0bf6f506fd47788cb3d2fd64612e4a087e327aa50c36378b2ece22b635919ae7becac5708a0c67540633344e5

Download Submit
C:\Windows\System32\PdunXnt.exe

Filesize
2.7MB

MD5
c69d4f95d27faf20fd30c712349fe99c

SHA1
de67f9f69d01ef592df0534dfbd3329d87907114

SHA256
4261d0b989a643ba6b5dc4a99d5b8a22d11e6c12096d95dad871d7807c1c6771

SHA512
c3dfc5754a9c51fb0426012fa3a9b696250f1a6f80bb4a574b6ee3b8093bb4f8a98c6c281de0091a0dcb9999d8eb27ec84deaada6b229bd24a061ee77e9b0c11

Download Submit
C:\Windows\System32\QtJyvgl.exe

Filesize
2.7MB

MD5
62441ac15e56edd9665a7d3243b62b46

SHA1
0a60362918e46026fa1521653ec095bab8e61db8

SHA256
375fee31bee0b9be80267a92dfc6ac0bbbb37bc4e4f1455c01e24e43b19ce424

SHA512
7ba9487dfca34305ecd9fb72b672f26f06b54479175427ef39ec7f99847960deada744569c65b961b1c9b0c18b5cf5f345358babce223c0f47faae912651f5fa

Download Submit
C:\Windows\System32\UfgZOsi.exe

Filesize
2.7MB

MD5
22e809e2dda71d8e2126f6397bfcaf3b

SHA1
e188f6ea8545550199d8ee5cb3a19b38a1a1ff2c

SHA256
eadc0787ec61ed280cc561db0ec6c0d2ec0dcba9ec9325ba8ac4840625f949df

SHA512
44970dcc0ed77750203c75e5fa3ffb460652b3839418536771af90d96a29ae56f1a89190c45bd2c1ec4aecf7eb6f277df37a3f909e6e11d591b713eeb39d06e4

Download Submit
C:\Windows\System32\VPzAfae.exe

Filesize
2.7MB

MD5
c8351fbcf658fd459b08ca6e3a8fe206

SHA1
87719996f0412f60778b007e01b8df0f92cb4d08

SHA256
7a7ffd022c18ad9831a06240084cb2aeb5c4d44c63c56d7603a5e1b67763dbb0

SHA512
4035b3fa08eb78773c8741bbf41a23a60ba65e2f258904faae187f15a47451ba02db83003b5754d25376c45868ed89de07c94e7dba525be9d3e8862145e6d50c

Download Submit
C:\Windows\System32\VtMyhoh.exe

Filesize
2.7MB

MD5
c48aa3c2b39f4fa30ad96dfec069d96e

SHA1
03da96f2c32bf201aba47220682e340a3cdf8f06

SHA256
9ffa1fa0061c64834346cb4828cab0021c0cf2ce1578e62a63fe4097585676ac

SHA512
a49c261e671203097f7032106e860fa19416ae2c35d1d2407016faceaf019136c9070397688ccf035188517209487c37b5ae4caa5fa87847e1b68fe6c9f727e0

Download Submit
C:\Windows\System32\ZKhivZB.exe

Filesize
2.7MB

MD5
edfc3f9df683c2413915c2ac45431cb3

SHA1
15de9934cdea0ecb3c7d7fb6d99ebe6516cbf60c

SHA256
b93cf6a527ec342533d7d4a5f3bc77b5c070b03f48198f6dc7bb8997eee14e0a

SHA512
762110358a945dfa226fbb90ef2d2e389e27bf07cf92b4d5c64d7eb7d31269ff19927469d823480792ebdf3222f60e20c54a7877d4e5965e5933a47b34090842

Download Submit
C:\Windows\System32\ZkEULYD.exe

Filesize
2.7MB

MD5
c8e316c9faeb153b642fdf7bc4290079

SHA1
81f6db95b3ca69e443305a4fd3c183a00b8af40d

SHA256
7f3c83ddc5a67d26678b8fd85754cd1c4f4c133f9fee80af85fc1208a2f45835

SHA512
fbe2062b9a4811c76625d9ff58755b6e4c9cd722bc02e80d548d381a15e6a7f3905acdad1f4ca766816c4c7af93cd462d4f3b75039a46c5e50211c064597103d

Download Submit
C:\Windows\System32\ZvpnXUl.exe

Filesize
2.7MB

MD5
7bc7bd1e5e21aca4ff03a0a42eba25aa

SHA1
0b71be8c39ae1ed690eacefc4115488339bc88bf

SHA256
7988636ef17d047c04b1a2780167adbb2ccf8b25a791db08ff21848a4af4c8e3

SHA512
9b84135db8d584466fe9f662a66577f830601571169f3524f1625ff95634ef5df2734d9a60775bb358fa9c23d2dfdc26761a8534ff60afca166ac6fc54b10ef8

Download Submit
C:\Windows\System32\brieVSv.exe

Filesize
2.7MB

MD5
08d00d0746f88ab31eb70d1b28ebfbd9

SHA1
e0b899e4d6b1909c6327f7bf5e241f4bafb197cf

SHA256
240bf441f1c79abb12edcd19f8bf516b377284d2e5800b8ac9ae8da26eaa324b

SHA512
b27d2e7adcab14970c256584d5548475253a00c74320a633895917f36e536f7aec10af81b9535344d30b35ccf469d8185f51a60a7d11ea609e6103b6f6376506

Download Submit
C:\Windows\System32\cneDGnl.exe

Filesize
2.7MB

MD5
be90c97d9615003e07d2d5d1062d89fc

SHA1
3b28ff89bab0ab62aa6289b2917357c688bd9d30

SHA256
e913055f430d6cbb36ba403c91af526ea7405ee8b79037e2d14296895bfb368e

SHA512
31fa64f81cb154d616e1ba7b69e4f9ca0bb1a54913c8b1774108a7b29e450182d37b3ac7977bc3bd75e3dc7c0242cd9876867e8d2e2f69fe44e4c2b2af8a8c62

Download Submit
C:\Windows\System32\dVrTMwM.exe

Filesize
2.7MB

MD5
1edade744e15f427094c8e1ac11c3009

SHA1
3721c504c8626f8aab492c7ae942bd7e5c609e7b

SHA256
403a75b64455fa5f73965a031b7aff2ec2a37ddd998add7798f3a80d78bd5350

SHA512
b619d083bf6dd60b002b1f7427490463f1feb954ab55f430a07a2c6c547f344622d50ab063bf9fce8b6bd07b339e08625a2039a1153a133059e20eceed17eb99

Download Submit
C:\Windows\System32\fKvkcTv.exe

Filesize
2.7MB

MD5
e74b1200833d5d136e3ac7fa779ba8cf

SHA1
2875299af3442da87a6045b37cebac32bb62e087

SHA256
b75f868cb3b82d3d24912f0f758b3ce001553354a0f81d2000a73e806e922e05

SHA512
136d6e4d867510996abd1b009f17afe90f63390ae92523e28e8aad51fb8838464f329144c194587d8b4c44a1d471cc01f808e5ebc73987325ca6c2cdd1ee7a6c

Download Submit
C:\Windows\System32\jdSusqW.exe

Filesize
2.7MB

MD5
10a135dbce28c2c8452eebe9a47fc907

SHA1
1d0bd5d37a0180479d5a5961b61a40bcf71b5b32

SHA256
c897ac5f3ae6355ebf9a175de1ea9b63ce9049d5110d0d5d777f2ffe132128ba

SHA512
f0e23e01f9100dfea9544838ea2a6e5e1586a386a63ecb464b6e3e1aad23c7e57408b76b3750f91f0ea1bbed8e3be3a933bf0a86cba197f153e4a6c16dedf95a

Download Submit
C:\Windows\System32\jgyLCwD.exe

Filesize
2.7MB

MD5
f3ec52923511cea455dec4137883d1bc

SHA1
165277b719c93a872042507cc8642f93ebdd9d75

SHA256
49945426e22e4c51f4b5302092febb5ed3103205bc99b92715833e041985b1a7

SHA512
d1f40a5abf223d0b1368d0eb0287934b9f144baa160e71142f408153bd78de48fa8c22081a04859cce229424b54b09e7c1b74e86762ce40aed781a02d19e9913

Download Submit
C:\Windows\System32\kHAaySw.exe

Filesize
2.7MB

MD5
893a3c61b818a1958fd65d9cb2548068

SHA1
a4cc0a28356688279eb8e696b1ffde89028940a4

SHA256
1f58c9872b78a90fabf637fbbc0425fb798f6df90440048f068c890369a37e76

SHA512
94bf88f369c3765108630d4abc16a10b6f69fcff9f50b03adcabb060167bf0e771721b3b561cba6bfd59ffcbca3590a5fdc55503f53352f2589d0d5a3554aee4

Download Submit
C:\Windows\System32\lZSrEzV.exe

Filesize
2.7MB

MD5
e81afbb0a3321eb273e31d7491cb07bb

SHA1
705a91d994306beb06f6c61c155d55ffab99cc06

SHA256
790b6f0fae808699973adf79d56df49e6a7ebb2a2c18d36891fe095ce70820df

SHA512
359c8be8e666dac5b66604ac4f3d8668cf0e03aa32b04a3c8fd4c336a3f6b61cf98ee50a27eec0a5ccdc18f75b2e84c433e39a8a59d95b6f19e6b044a253faec

Download Submit
C:\Windows\System32\lxbkUEN.exe

Filesize
2.7MB

MD5
f3618e415ea41f7cb3ec4d77d9802cc7

SHA1
506305994ecd24701fdb7b45188208b5ec9f84d3

SHA256
8036744f9aad8b260d34556d8836c887b2750c3d9b31089c806a0bcc686000a6

SHA512
cf5afe23b71a5868a67100265abe9c136facb843a998be8e7ae6c39edbe8b3cdd5c22f9f3baea7147ecadb52efba270ee8543c2ecee704ca5a5f8e3d8ab96fea

Download Submit
C:\Windows\System32\ohDlwGl.exe

Filesize
2.7MB

MD5
cff535dedf549392e18e5ddaddf9f8dc

SHA1
ce0d274f6b9c572f11014ab922357aec2f16d80d

SHA256
3669deeb600d77b972a3661e081befc302d24ff5effc9227708c26ba337267cb

SHA512
db3697a99e3a76a8557b9024d77e659caf1f75f5f1da089cf7ad452844fc569ecab75afbdfbc6a7f57e30c7a7051357cd8bba24eb278531c5d4aa14101d8e579

Download Submit
C:\Windows\System32\onUgtVg.exe

Filesize
2.7MB

MD5
d097263b9740625ebd307fb16a72359a

SHA1
91eb3fb3b99a200c7222040e10ba6f2cecdf688a

SHA256
b263ffe60027e679410400236a8fae569dd0d4f545529b4970ac34a1be08fbe3

SHA512
7ff6fa01861e3db102788c58d0d04898950da8d78443ccaf809548b154b03c2bce2ed0d09d416169f93c4c45bd2ae5e065fbfa05fbb70a2b8b4072b87a80de08

Download Submit
C:\Windows\System32\qRSuMTN.exe

Filesize
2.7MB

MD5
6406a2443904b888626b0c59390e9225

SHA1
7a746de7441a71b5e8c27755cc9258fcd3fa4b23

SHA256
1d2d26c390c7e7185550e3025ff436461fc59f33788935e3e50f53d94ddb938e

SHA512
8d0bf21ab29164edc3ade6652b06b0183a3b00213c4e6a1482229c470a4001c6d5b04b8041ee5d80738c7e94de56391ea7ab8ac9a04d7be544b6830e4028fdfa

Download Submit
C:\Windows\System32\vIhZCdb.exe

Filesize
2.7MB

MD5
6905560d042ceb44dcc5f9d0fd715029

SHA1
90c8fa2cb4d269c4520856fd7765c9b2a958863e

SHA256
aef63887e997541c9fc345ec18487aa45a54341ab8744f278dd80d5bdaf7504d

SHA512
5aab46f92d6fb95d7cc5c4549b6e19e8f7c08b6b328b3cae03ad8162e31c912df3ae7192c7ce8f5b6c71cb27708c8b505865be98401dfeeae24d774287478906

Download Submit
C:\Windows\System32\vhMGRvn.exe

Filesize
2.7MB

MD5
b175588abdb0125da37870c95127a984

SHA1
e3036b222823d5637728af3efa7f0fda03a1891e

SHA256
36a21d38ec1c6d98c2016b827816532bebfd5db2e44300e450e012cb75857273

SHA512
b57ada850166fe632b6e6a91b74753476dd468cf6b5cc1218425423c4831971e19e316caa4fa3fbfc4c312eb81ac919b8a8c90f1fed6a1d32744f7c40e56273e

Download Submit
C:\Windows\System32\wlNsHsH.exe

Filesize
2.7MB

MD5
4e5d763b46c16051467bae8d9f8571de

SHA1
d30c969ce8ec710977e499140d0e36fa3cb122a8

SHA256
1890e2af30c1fec0ccf5163f1be3b58de58642c0030fc9a21d7a4956334dffd0

SHA512
99121d220cda6993855162cbbb0b4773bce009e199e8d6433493817d6dedb30db560801f282a40220bb34765dfcc389caceca76c8100287c10d20bb09592691c

Download Submit
memory/544-1953-0x00007FF7A8110000-0x00007FF7A8505000-memory.dmp

Filesize
4.0MB

Download
memory/544-611-0x00007FF7A8110000-0x00007FF7A8505000-memory.dmp

Filesize
4.0MB

Download
memory/836-1939-0x00007FF64ABA0000-0x00007FF64AF95000-memory.dmp

Filesize
4.0MB

Download
memory/836-568-0x00007FF64ABA0000-0x00007FF64AF95000-memory.dmp

Filesize
4.0MB

Download
memory/840-1937-0x00007FF733E10000-0x00007FF734205000-memory.dmp

Filesize
4.0MB

Download
memory/840-559-0x00007FF733E10000-0x00007FF734205000-memory.dmp

Filesize
4.0MB

Download
memory/868-1949-0x00007FF7FF310000-0x00007FF7FF705000-memory.dmp

Filesize
4.0MB

Download
memory/868-636-0x00007FF7FF310000-0x00007FF7FF705000-memory.dmp

Filesize
4.0MB

Download
memory/920-1951-0x00007FF68E800000-0x00007FF68EBF5000-memory.dmp

Filesize
4.0MB

Download
memory/920-597-0x00007FF68E800000-0x00007FF68EBF5000-memory.dmp

Filesize
4.0MB

Download
memory/1096-1943-0x00007FF77F8E0000-0x00007FF77FCD5000-memory.dmp

Filesize
4.0MB

Download
memory/1096-586-0x00007FF77F8E0000-0x00007FF77FCD5000-memory.dmp

Filesize
4.0MB

Download
memory/1160-1940-0x00007FF747EB0000-0x00007FF7482A5000-memory.dmp

Filesize
4.0MB

Download
memory/1160-579-0x00007FF747EB0000-0x00007FF7482A5000-memory.dmp

Filesize
4.0MB

Download
memory/1436-1952-0x00007FF76BF10000-0x00007FF76C305000-memory.dmp

Filesize
4.0MB

Download
memory/1436-630-0x00007FF76BF10000-0x00007FF76C305000-memory.dmp

Filesize
4.0MB

Download
memory/1476-523-0x00007FF68F230000-0x00007FF68F625000-memory.dmp

Filesize
4.0MB

Download
memory/1476-1934-0x00007FF68F230000-0x00007FF68F625000-memory.dmp

Filesize
4.0MB

Download
memory/1904-1936-0x00007FF659D10000-0x00007FF65A105000-memory.dmp

Filesize
4.0MB

Download
memory/1904-659-0x00007FF659D10000-0x00007FF65A105000-memory.dmp

Filesize
4.0MB

Download
memory/1936-1932-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp

Filesize
4.0MB

Download
memory/1936-38-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp

Filesize
4.0MB

Download
memory/1936-1929-0x00007FF7A2660000-0x00007FF7A2A55000-memory.dmp

Filesize
4.0MB

Download
memory/1960-1-0x0000026529EC0000-0x0000026529ED0000-memory.dmp

Filesize
64KB

Download
memory/1960-1928-0x00007FF68C110000-0x00007FF68C505000-memory.dmp

Filesize
4.0MB

Download
memory/1960-0-0x00007FF68C110000-0x00007FF68C505000-memory.dmp

Filesize
4.0MB

Download
memory/2352-657-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1933-0x00007FF69EA40000-0x00007FF69EE35000-memory.dmp

Filesize
4.0MB

Download
memory/2588-18-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp

Filesize
4.0MB

Download
memory/2588-1930-0x00007FF74BBC0000-0x00007FF74BFB5000-memory.dmp

Filesize
4.0MB

Download
memory/2912-1941-0x00007FF77F8A0000-0x00007FF77FC95000-memory.dmp

Filesize
4.0MB

Download
memory/2912-585-0x00007FF77F8A0000-0x00007FF77FC95000-memory.dmp

Filesize
4.0MB

Download
memory/3184-608-0x00007FF77CE70000-0x00007FF77D265000-memory.dmp

Filesize
4.0MB

Download
memory/3184-1950-0x00007FF77CE70000-0x00007FF77D265000-memory.dmp

Filesize
4.0MB

Download
memory/3416-643-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp

Filesize
4.0MB

Download
memory/3416-1931-0x00007FF60A630000-0x00007FF60AA25000-memory.dmp

Filesize
4.0MB

Download
memory/3736-614-0x00007FF72F520000-0x00007FF72F915000-memory.dmp

Filesize
4.0MB

Download
memory/3736-1947-0x00007FF72F520000-0x00007FF72F915000-memory.dmp

Filesize
4.0MB

Download
memory/3884-1938-0x00007FF7D5D80000-0x00007FF7D6175000-memory.dmp

Filesize
4.0MB

Download
memory/3884-573-0x00007FF7D5D80000-0x00007FF7D6175000-memory.dmp

Filesize
4.0MB

Download
memory/4220-603-0x00007FF71F1E0000-0x00007FF71F5D5000-memory.dmp

Filesize
4.0MB

Download
memory/4220-1948-0x00007FF71F1E0000-0x00007FF71F5D5000-memory.dmp

Filesize
4.0MB

Download
memory/4272-1935-0x00007FF6C33C0000-0x00007FF6C37B5000-memory.dmp

Filesize
4.0MB

Download
memory/4272-552-0x00007FF6C33C0000-0x00007FF6C37B5000-memory.dmp

Filesize
4.0MB

Download
memory/4568-1945-0x00007FF779850000-0x00007FF779C45000-memory.dmp

Filesize
4.0MB

Download
memory/4568-627-0x00007FF779850000-0x00007FF779C45000-memory.dmp

Filesize
4.0MB

Download
memory/4596-1944-0x00007FF76D0A0000-0x00007FF76D495000-memory.dmp

Filesize
4.0MB

Download
memory/4596-589-0x00007FF76D0A0000-0x00007FF76D495000-memory.dmp

Filesize
4.0MB

Download
memory/4636-1946-0x00007FF63B1F0000-0x00007FF63B5E5000-memory.dmp

Filesize
4.0MB

Download
memory/4636-618-0x00007FF63B1F0000-0x00007FF63B5E5000-memory.dmp

Filesize
4.0MB

Download
memory/4872-572-0x00007FF779150000-0x00007FF779545000-memory.dmp

Filesize
4.0MB

Download
memory/4872-1942-0x00007FF779150000-0x00007FF779545000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads