xmrig | 55470078ca861711b7af53fc3972c8c6c9b565ac04a1954e1f3e306d93596537

Analysis

max time kernel
142s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
Size

2.9MB
MD5

8d3656bf3ae9d36b1c42316948e1d030
SHA1

99a493ce7cd3e83e41de52ab2b65b85f8d618eda
SHA256

55470078ca861711b7af53fc3972c8c6c9b565ac04a1954e1f3e306d93596537
SHA512

b1edef7d7bcc8d1831014093623c2bb037d58471da4bbcd49dd9d9f5c4e5c4a7d1fd0b39a2ea83ed359585dad26015f8c0edee155e6fa530bd39fbdd7f3e7805
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dzcdy/cgdBrS9L:N0GnJMOWPClFdx6e0EALKWVTffZiPAc8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1228-0-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp	xmrig
behavioral2/memory/2128-11-0x00007FF614920000-0x00007FF614D15000-memory.dmp	xmrig
behavioral2/files/0x0007000000023466-12.dat	xmrig
behavioral2/files/0x0007000000023467-17.dat	xmrig
behavioral2/files/0x0007000000023469-23.dat	xmrig
behavioral2/files/0x000700000002346b-35.dat	xmrig
behavioral2/files/0x000700000002346c-42.dat	xmrig
behavioral2/files/0x0007000000023471-67.dat	xmrig
behavioral2/files/0x0007000000023473-77.dat	xmrig
behavioral2/files/0x0007000000023475-87.dat	xmrig
behavioral2/files/0x000700000002347a-112.dat	xmrig
behavioral2/files/0x0007000000023484-162.dat	xmrig
behavioral2/memory/3472-792-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp	xmrig
behavioral2/memory/3548-794-0x00007FF67A540000-0x00007FF67A935000-memory.dmp	xmrig
behavioral2/memory/3880-793-0x00007FF7E4980000-0x00007FF7E4D75000-memory.dmp	xmrig
behavioral2/memory/4280-795-0x00007FF69B750000-0x00007FF69BB45000-memory.dmp	xmrig
behavioral2/memory/412-796-0x00007FF62F410000-0x00007FF62F805000-memory.dmp	xmrig
behavioral2/memory/1372-797-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp	xmrig
behavioral2/memory/3968-813-0x00007FF6670D0000-0x00007FF6674C5000-memory.dmp	xmrig
behavioral2/memory/3428-821-0x00007FF60BF00000-0x00007FF60C2F5000-memory.dmp	xmrig
behavioral2/memory/2380-824-0x00007FF61C250000-0x00007FF61C645000-memory.dmp	xmrig
behavioral2/memory/4832-830-0x00007FF6AA260000-0x00007FF6AA655000-memory.dmp	xmrig
behavioral2/memory/3024-817-0x00007FF6BEBB0000-0x00007FF6BEFA5000-memory.dmp	xmrig
behavioral2/memory/4920-832-0x00007FF756880000-0x00007FF756C75000-memory.dmp	xmrig
behavioral2/memory/1540-852-0x00007FF7EA3A0000-0x00007FF7EA795000-memory.dmp	xmrig
behavioral2/memory/4104-863-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp	xmrig
behavioral2/memory/4372-857-0x00007FF652390000-0x00007FF652785000-memory.dmp	xmrig
behavioral2/memory/4320-853-0x00007FF77ECE0000-0x00007FF77F0D5000-memory.dmp	xmrig
behavioral2/memory/1808-848-0x00007FF781330000-0x00007FF781725000-memory.dmp	xmrig
behavioral2/memory/1644-844-0x00007FF67A330000-0x00007FF67A725000-memory.dmp	xmrig
behavioral2/memory/2248-836-0x00007FF74C910000-0x00007FF74CD05000-memory.dmp	xmrig
behavioral2/memory/4468-834-0x00007FF625320000-0x00007FF625715000-memory.dmp	xmrig
behavioral2/memory/992-807-0x00007FF612EB0000-0x00007FF6132A5000-memory.dmp	xmrig
behavioral2/memory/3980-803-0x00007FF6FF210000-0x00007FF6FF605000-memory.dmp	xmrig
behavioral2/memory/464-801-0x00007FF630A90000-0x00007FF630E85000-memory.dmp	xmrig
behavioral2/files/0x0007000000023483-157.dat	xmrig
behavioral2/files/0x0007000000023482-152.dat	xmrig
behavioral2/files/0x0007000000023481-147.dat	xmrig
behavioral2/files/0x0007000000023480-142.dat	xmrig
behavioral2/files/0x000700000002347f-137.dat	xmrig
behavioral2/files/0x000700000002347e-132.dat	xmrig
behavioral2/files/0x000700000002347d-127.dat	xmrig
behavioral2/files/0x000700000002347c-122.dat	xmrig
behavioral2/files/0x000700000002347b-118.dat	xmrig
behavioral2/files/0x0007000000023479-107.dat	xmrig
behavioral2/files/0x0007000000023478-102.dat	xmrig
behavioral2/files/0x0007000000023477-97.dat	xmrig
behavioral2/files/0x0007000000023476-92.dat	xmrig
behavioral2/files/0x0007000000023474-82.dat	xmrig
behavioral2/files/0x0007000000023472-72.dat	xmrig
behavioral2/files/0x0007000000023470-62.dat	xmrig
behavioral2/files/0x000700000002346f-57.dat	xmrig
behavioral2/files/0x000700000002346e-52.dat	xmrig
behavioral2/files/0x000700000002346d-47.dat	xmrig
behavioral2/files/0x000700000002346a-33.dat	xmrig
behavioral2/files/0x0007000000023468-25.dat	xmrig
behavioral2/files/0x000b00000002345d-6.dat	xmrig
behavioral2/memory/1228-1903-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp	xmrig
behavioral2/memory/2128-1905-0x00007FF614920000-0x00007FF614D15000-memory.dmp	xmrig
behavioral2/memory/3472-1906-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp	xmrig
behavioral2/memory/3548-1907-0x00007FF67A540000-0x00007FF67A935000-memory.dmp	xmrig
behavioral2/memory/4104-1912-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp	xmrig
behavioral2/memory/464-1911-0x00007FF630A90000-0x00007FF630E85000-memory.dmp	xmrig
behavioral2/memory/1372-1910-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2128	CWmCFjr.exe
3472	fOLXVjs.exe
3880	dRDTTQm.exe
4104	GOUAxLw.exe
3548	TvkeGDT.exe
4280	wclGtIl.exe
412	pkrMywm.exe
1372	BcmDkPx.exe
464	RpgNeLK.exe
3980	XFjOMOn.exe
992	aNFJBEi.exe
3968	QpYUFAW.exe
3024	WqoaDro.exe
3428	jPscZaj.exe
2380	TsIJEpN.exe
4832	TKeRizU.exe
4920	rzkGOEJ.exe
4468	pUzFqrP.exe
2248	KoRVLdY.exe
1644	LAulnrr.exe
1808	lJBJXyJ.exe
1540	hqPaQIl.exe
4320	tRkiPQF.exe
4372	tqEIfOS.exe
5084	MpyXyKw.exe
2272	AuPMHuD.exe
5020	KQbczQA.exe
536	IEQABEG.exe
1324	kqmZjra.exe
3328	NnkHucQ.exe
2416	PwWrCTp.exe
4948	yAJJsho.exe
3248	UBEYvjv.exe
4492	rluRDWR.exe
800	KdBbogE.exe
1624	utBXIRl.exe
2236	DudTpbL.exe
448	QpXLrGY.exe
1320	eaSXZpv.exe
3160	OSniCgA.exe
2540	caCbPIF.exe
2268	ChKpGdZ.exe
4432	KuHDFgK.exe
688	EUtaufI.exe
3516	grAPXzU.exe
380	vvuOGYE.exe
1948	OiNScKI.exe
4348	YmxJcct.exe
4336	JvSLBog.exe
3480	irNRLPb.exe
968	BKDgLaq.exe
4684	cropACB.exe
1480	SLshQgz.exe
1076	lgGOAnf.exe
1508	eagvUUi.exe
2068	zcRSkTL.exe
3672	SGnFnAe.exe
4204	GawZOha.exe
1632	dqbtsUp.exe
1136	CcMGuQV.exe
4612	LwZHKAV.exe
1664	lhfTJIJ.exe
1844	iCAQwRz.exe
3044	LibskEg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-0-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp	upx
behavioral2/memory/2128-11-0x00007FF614920000-0x00007FF614D15000-memory.dmp	upx
behavioral2/files/0x0007000000023466-12.dat	upx
behavioral2/files/0x0007000000023467-17.dat	upx
behavioral2/files/0x0007000000023469-23.dat	upx
behavioral2/files/0x000700000002346b-35.dat	upx
behavioral2/files/0x000700000002346c-42.dat	upx
behavioral2/files/0x0007000000023471-67.dat	upx
behavioral2/files/0x0007000000023473-77.dat	upx
behavioral2/files/0x0007000000023475-87.dat	upx
behavioral2/files/0x000700000002347a-112.dat	upx
behavioral2/files/0x0007000000023484-162.dat	upx
behavioral2/memory/3472-792-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp	upx
behavioral2/memory/3548-794-0x00007FF67A540000-0x00007FF67A935000-memory.dmp	upx
behavioral2/memory/3880-793-0x00007FF7E4980000-0x00007FF7E4D75000-memory.dmp	upx
behavioral2/memory/4280-795-0x00007FF69B750000-0x00007FF69BB45000-memory.dmp	upx
behavioral2/memory/412-796-0x00007FF62F410000-0x00007FF62F805000-memory.dmp	upx
behavioral2/memory/1372-797-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp	upx
behavioral2/memory/3968-813-0x00007FF6670D0000-0x00007FF6674C5000-memory.dmp	upx
behavioral2/memory/3428-821-0x00007FF60BF00000-0x00007FF60C2F5000-memory.dmp	upx
behavioral2/memory/2380-824-0x00007FF61C250000-0x00007FF61C645000-memory.dmp	upx
behavioral2/memory/4832-830-0x00007FF6AA260000-0x00007FF6AA655000-memory.dmp	upx
behavioral2/memory/3024-817-0x00007FF6BEBB0000-0x00007FF6BEFA5000-memory.dmp	upx
behavioral2/memory/4920-832-0x00007FF756880000-0x00007FF756C75000-memory.dmp	upx
behavioral2/memory/1540-852-0x00007FF7EA3A0000-0x00007FF7EA795000-memory.dmp	upx
behavioral2/memory/4104-863-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp	upx
behavioral2/memory/4372-857-0x00007FF652390000-0x00007FF652785000-memory.dmp	upx
behavioral2/memory/4320-853-0x00007FF77ECE0000-0x00007FF77F0D5000-memory.dmp	upx
behavioral2/memory/1808-848-0x00007FF781330000-0x00007FF781725000-memory.dmp	upx
behavioral2/memory/1644-844-0x00007FF67A330000-0x00007FF67A725000-memory.dmp	upx
behavioral2/memory/2248-836-0x00007FF74C910000-0x00007FF74CD05000-memory.dmp	upx
behavioral2/memory/4468-834-0x00007FF625320000-0x00007FF625715000-memory.dmp	upx
behavioral2/memory/992-807-0x00007FF612EB0000-0x00007FF6132A5000-memory.dmp	upx
behavioral2/memory/3980-803-0x00007FF6FF210000-0x00007FF6FF605000-memory.dmp	upx
behavioral2/memory/464-801-0x00007FF630A90000-0x00007FF630E85000-memory.dmp	upx
behavioral2/files/0x0007000000023483-157.dat	upx
behavioral2/files/0x0007000000023482-152.dat	upx
behavioral2/files/0x0007000000023481-147.dat	upx
behavioral2/files/0x0007000000023480-142.dat	upx
behavioral2/files/0x000700000002347f-137.dat	upx
behavioral2/files/0x000700000002347e-132.dat	upx
behavioral2/files/0x000700000002347d-127.dat	upx
behavioral2/files/0x000700000002347c-122.dat	upx
behavioral2/files/0x000700000002347b-118.dat	upx
behavioral2/files/0x0007000000023479-107.dat	upx
behavioral2/files/0x0007000000023478-102.dat	upx
behavioral2/files/0x0007000000023477-97.dat	upx
behavioral2/files/0x0007000000023476-92.dat	upx
behavioral2/files/0x0007000000023474-82.dat	upx
behavioral2/files/0x0007000000023472-72.dat	upx
behavioral2/files/0x0007000000023470-62.dat	upx
behavioral2/files/0x000700000002346f-57.dat	upx
behavioral2/files/0x000700000002346e-52.dat	upx
behavioral2/files/0x000700000002346d-47.dat	upx
behavioral2/files/0x000700000002346a-33.dat	upx
behavioral2/files/0x0007000000023468-25.dat	upx
behavioral2/files/0x000b00000002345d-6.dat	upx
behavioral2/memory/1228-1903-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp	upx
behavioral2/memory/2128-1905-0x00007FF614920000-0x00007FF614D15000-memory.dmp	upx
behavioral2/memory/3472-1906-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp	upx
behavioral2/memory/3548-1907-0x00007FF67A540000-0x00007FF67A935000-memory.dmp	upx
behavioral2/memory/4104-1912-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp	upx
behavioral2/memory/464-1911-0x00007FF630A90000-0x00007FF630E85000-memory.dmp	upx
behavioral2/memory/1372-1910-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZcHvhGb.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\nEfXYJC.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\PBJmwdt.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\VXlvwxA.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\NaksFri.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\DIZQLbY.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\SGnFnAe.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\fbLXLkE.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\adsJUwx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\UusiSeA.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\hcJQfFm.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\WOBxaex.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\rKMBnFY.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\WhtETDQ.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\VnUCpAx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\pkrMywm.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\KdBbogE.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\DCkgAFX.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\UTfwLSK.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\GlSsbui.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\tTyxdgN.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\yKcaWEu.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\IEQABEG.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\sZApHOT.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\vMpPfjv.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\nBUUIdL.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\uKvILid.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\JocBkHm.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\kneNnZc.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\mPdCOYn.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\BkScYhp.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\mIniaog.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\YMXmTkZ.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\ivzbGKC.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\LgfokHV.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\dtznsjR.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\vsDmScm.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\GhShHon.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\XezfzBX.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\CgQeDhZ.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\wAmraqf.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\PyxIEWV.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\ZTrkTlM.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\nZKPbga.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\nbrWaJx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\tFUdkdM.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\NAdberB.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\bVdbEDE.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\zcRSkTL.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\QLIscrd.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\jBrForU.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\HdwRbKd.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\HmjBVXn.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\LAulnrr.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\STUCnWL.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\ifwgPqc.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\KaarsAp.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\NDyFKfx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\TMNhmAp.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\aMexuzx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\UmSCcCQ.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\XhYGyHf.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\cuWbDkM.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
File created	C:\Windows\System32\KJbzRfx.exe	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	9276	dwm.exe
Token: SeChangeNotifyPrivilege	9276	dwm.exe
Token: 33	9276	dwm.exe
Token: SeIncBasePriorityPrivilege	9276	dwm.exe
Token: SeShutdownPrivilege	9276	dwm.exe
Token: SeCreatePagefilePrivilege	9276	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2128	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	83
PID 1228 wrote to memory of 2128	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	83
PID 1228 wrote to memory of 3472	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	84
PID 1228 wrote to memory of 3472	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	84
PID 1228 wrote to memory of 3880	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	85
PID 1228 wrote to memory of 3880	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	85
PID 1228 wrote to memory of 4104	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	86
PID 1228 wrote to memory of 4104	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	86
PID 1228 wrote to memory of 3548	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	87
PID 1228 wrote to memory of 3548	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	87
PID 1228 wrote to memory of 4280	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	88
PID 1228 wrote to memory of 4280	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	88
PID 1228 wrote to memory of 412	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	89
PID 1228 wrote to memory of 412	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	89
PID 1228 wrote to memory of 1372	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	90
PID 1228 wrote to memory of 1372	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	90
PID 1228 wrote to memory of 464	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	91
PID 1228 wrote to memory of 464	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	91
PID 1228 wrote to memory of 3980	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	92
PID 1228 wrote to memory of 3980	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	92
PID 1228 wrote to memory of 992	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	93
PID 1228 wrote to memory of 992	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	93
PID 1228 wrote to memory of 3968	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	94
PID 1228 wrote to memory of 3968	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	94
PID 1228 wrote to memory of 3024	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	95
PID 1228 wrote to memory of 3024	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	95
PID 1228 wrote to memory of 3428	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	96
PID 1228 wrote to memory of 3428	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	96
PID 1228 wrote to memory of 2380	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	97
PID 1228 wrote to memory of 2380	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	97
PID 1228 wrote to memory of 4832	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	98
PID 1228 wrote to memory of 4832	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	98
PID 1228 wrote to memory of 4920	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	99
PID 1228 wrote to memory of 4920	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	99
PID 1228 wrote to memory of 4468	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	100
PID 1228 wrote to memory of 4468	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	100
PID 1228 wrote to memory of 2248	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	101
PID 1228 wrote to memory of 2248	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	101
PID 1228 wrote to memory of 1644	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	102
PID 1228 wrote to memory of 1644	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	102
PID 1228 wrote to memory of 1808	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	103
PID 1228 wrote to memory of 1808	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	103
PID 1228 wrote to memory of 1540	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	104
PID 1228 wrote to memory of 1540	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	104
PID 1228 wrote to memory of 4320	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	105
PID 1228 wrote to memory of 4320	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	105
PID 1228 wrote to memory of 4372	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	106
PID 1228 wrote to memory of 4372	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	106
PID 1228 wrote to memory of 5084	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	107
PID 1228 wrote to memory of 5084	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	107
PID 1228 wrote to memory of 2272	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	108
PID 1228 wrote to memory of 2272	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	108
PID 1228 wrote to memory of 5020	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	109
PID 1228 wrote to memory of 5020	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	109
PID 1228 wrote to memory of 536	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	110
PID 1228 wrote to memory of 536	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	110
PID 1228 wrote to memory of 1324	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	111
PID 1228 wrote to memory of 1324	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	111
PID 1228 wrote to memory of 3328	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	112
PID 1228 wrote to memory of 3328	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	112
PID 1228 wrote to memory of 2416	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	113
PID 1228 wrote to memory of 2416	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	113
PID 1228 wrote to memory of 4948	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	114
PID 1228 wrote to memory of 4948	1228	8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d3656bf3ae9d36b1c42316948e1d030_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\CWmCFjr.exe
  C:\Windows\System32\CWmCFjr.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\fOLXVjs.exe
  C:\Windows\System32\fOLXVjs.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\dRDTTQm.exe
  C:\Windows\System32\dRDTTQm.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\GOUAxLw.exe
  C:\Windows\System32\GOUAxLw.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\TvkeGDT.exe
  C:\Windows\System32\TvkeGDT.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System32\wclGtIl.exe
  C:\Windows\System32\wclGtIl.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\pkrMywm.exe
  C:\Windows\System32\pkrMywm.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\BcmDkPx.exe
  C:\Windows\System32\BcmDkPx.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\RpgNeLK.exe
  C:\Windows\System32\RpgNeLK.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\XFjOMOn.exe
  C:\Windows\System32\XFjOMOn.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System32\aNFJBEi.exe
  C:\Windows\System32\aNFJBEi.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System32\QpYUFAW.exe
  C:\Windows\System32\QpYUFAW.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\WqoaDro.exe
  C:\Windows\System32\WqoaDro.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\jPscZaj.exe
  C:\Windows\System32\jPscZaj.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\TsIJEpN.exe
  C:\Windows\System32\TsIJEpN.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\TKeRizU.exe
  C:\Windows\System32\TKeRizU.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\rzkGOEJ.exe
  C:\Windows\System32\rzkGOEJ.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\pUzFqrP.exe
  C:\Windows\System32\pUzFqrP.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\KoRVLdY.exe
  C:\Windows\System32\KoRVLdY.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\LAulnrr.exe
  C:\Windows\System32\LAulnrr.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\lJBJXyJ.exe
  C:\Windows\System32\lJBJXyJ.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\hqPaQIl.exe
  C:\Windows\System32\hqPaQIl.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\tRkiPQF.exe
  C:\Windows\System32\tRkiPQF.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\tqEIfOS.exe
  C:\Windows\System32\tqEIfOS.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\MpyXyKw.exe
  C:\Windows\System32\MpyXyKw.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\AuPMHuD.exe
  C:\Windows\System32\AuPMHuD.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\KQbczQA.exe
  C:\Windows\System32\KQbczQA.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\IEQABEG.exe
  C:\Windows\System32\IEQABEG.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\kqmZjra.exe
  C:\Windows\System32\kqmZjra.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\NnkHucQ.exe
  C:\Windows\System32\NnkHucQ.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\PwWrCTp.exe
  C:\Windows\System32\PwWrCTp.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\yAJJsho.exe
  C:\Windows\System32\yAJJsho.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\UBEYvjv.exe
  C:\Windows\System32\UBEYvjv.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System32\rluRDWR.exe
  C:\Windows\System32\rluRDWR.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\KdBbogE.exe
  C:\Windows\System32\KdBbogE.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System32\utBXIRl.exe
  C:\Windows\System32\utBXIRl.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\DudTpbL.exe
  C:\Windows\System32\DudTpbL.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\QpXLrGY.exe
  C:\Windows\System32\QpXLrGY.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\eaSXZpv.exe
  C:\Windows\System32\eaSXZpv.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\OSniCgA.exe
  C:\Windows\System32\OSniCgA.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\caCbPIF.exe
  C:\Windows\System32\caCbPIF.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System32\ChKpGdZ.exe
  C:\Windows\System32\ChKpGdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\KuHDFgK.exe
  C:\Windows\System32\KuHDFgK.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\EUtaufI.exe
  C:\Windows\System32\EUtaufI.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System32\grAPXzU.exe
  C:\Windows\System32\grAPXzU.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\vvuOGYE.exe
  C:\Windows\System32\vvuOGYE.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System32\OiNScKI.exe
  C:\Windows\System32\OiNScKI.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\YmxJcct.exe
  C:\Windows\System32\YmxJcct.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\JvSLBog.exe
  C:\Windows\System32\JvSLBog.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\irNRLPb.exe
  C:\Windows\System32\irNRLPb.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\BKDgLaq.exe
  C:\Windows\System32\BKDgLaq.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\cropACB.exe
  C:\Windows\System32\cropACB.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\SLshQgz.exe
  C:\Windows\System32\SLshQgz.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\lgGOAnf.exe
  C:\Windows\System32\lgGOAnf.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\eagvUUi.exe
  C:\Windows\System32\eagvUUi.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\zcRSkTL.exe
  C:\Windows\System32\zcRSkTL.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\SGnFnAe.exe
  C:\Windows\System32\SGnFnAe.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\GawZOha.exe
  C:\Windows\System32\GawZOha.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\dqbtsUp.exe
  C:\Windows\System32\dqbtsUp.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\CcMGuQV.exe
  C:\Windows\System32\CcMGuQV.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System32\LwZHKAV.exe
  C:\Windows\System32\LwZHKAV.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\lhfTJIJ.exe
  C:\Windows\System32\lhfTJIJ.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\iCAQwRz.exe
  C:\Windows\System32\iCAQwRz.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\LibskEg.exe
  C:\Windows\System32\LibskEg.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\rKzqotG.exe
  C:\Windows\System32\rKzqotG.exe
  2⤵
  PID:3112
- C:\Windows\System32\CwhHrTk.exe
  C:\Windows\System32\CwhHrTk.exe
  2⤵
  PID:3180
- C:\Windows\System32\bTKoYmN.exe
  C:\Windows\System32\bTKoYmN.exe
  2⤵
  PID:2728
- C:\Windows\System32\vcGfutm.exe
  C:\Windows\System32\vcGfutm.exe
  2⤵
  PID:3832
- C:\Windows\System32\OrFUdot.exe
  C:\Windows\System32\OrFUdot.exe
  2⤵
  PID:388
- C:\Windows\System32\BvSTtKO.exe
  C:\Windows\System32\BvSTtKO.exe
  2⤵
  PID:4772
- C:\Windows\System32\WBSiLDn.exe
  C:\Windows\System32\WBSiLDn.exe
  2⤵
  PID:4248
- C:\Windows\System32\JjXtosq.exe
  C:\Windows\System32\JjXtosq.exe
  2⤵
  PID:2072
- C:\Windows\System32\dZmJtUy.exe
  C:\Windows\System32\dZmJtUy.exe
  2⤵
  PID:5036
- C:\Windows\System32\OftibyK.exe
  C:\Windows\System32\OftibyK.exe
  2⤵
  PID:4924
- C:\Windows\System32\EcwGGIQ.exe
  C:\Windows\System32\EcwGGIQ.exe
  2⤵
  PID:5124
- C:\Windows\System32\oUmXVXg.exe
  C:\Windows\System32\oUmXVXg.exe
  2⤵
  PID:5152
- C:\Windows\System32\sGPYKpn.exe
  C:\Windows\System32\sGPYKpn.exe
  2⤵
  PID:5180
- C:\Windows\System32\lhKOHUK.exe
  C:\Windows\System32\lhKOHUK.exe
  2⤵
  PID:5208
- C:\Windows\System32\oaydHLo.exe
  C:\Windows\System32\oaydHLo.exe
  2⤵
  PID:5236
- C:\Windows\System32\VNBrBUa.exe
  C:\Windows\System32\VNBrBUa.exe
  2⤵
  PID:5264
- C:\Windows\System32\iFMSZAV.exe
  C:\Windows\System32\iFMSZAV.exe
  2⤵
  PID:5292
- C:\Windows\System32\wEFjjSO.exe
  C:\Windows\System32\wEFjjSO.exe
  2⤵
  PID:5320
- C:\Windows\System32\CSrFYIs.exe
  C:\Windows\System32\CSrFYIs.exe
  2⤵
  PID:5348
- C:\Windows\System32\EdwXrdw.exe
  C:\Windows\System32\EdwXrdw.exe
  2⤵
  PID:5376
- C:\Windows\System32\UzxLgIZ.exe
  C:\Windows\System32\UzxLgIZ.exe
  2⤵
  PID:5404
- C:\Windows\System32\QQXYwVy.exe
  C:\Windows\System32\QQXYwVy.exe
  2⤵
  PID:5432
- C:\Windows\System32\gpymJXw.exe
  C:\Windows\System32\gpymJXw.exe
  2⤵
  PID:5460
- C:\Windows\System32\akSIeKH.exe
  C:\Windows\System32\akSIeKH.exe
  2⤵
  PID:5488
- C:\Windows\System32\HAUGGHu.exe
  C:\Windows\System32\HAUGGHu.exe
  2⤵
  PID:5516
- C:\Windows\System32\UzHrqeH.exe
  C:\Windows\System32\UzHrqeH.exe
  2⤵
  PID:5544
- C:\Windows\System32\dOsAYUi.exe
  C:\Windows\System32\dOsAYUi.exe
  2⤵
  PID:5572
- C:\Windows\System32\zaeNjXp.exe
  C:\Windows\System32\zaeNjXp.exe
  2⤵
  PID:5600
- C:\Windows\System32\jJSERMZ.exe
  C:\Windows\System32\jJSERMZ.exe
  2⤵
  PID:5628
- C:\Windows\System32\qIRrHIJ.exe
  C:\Windows\System32\qIRrHIJ.exe
  2⤵
  PID:5656
- C:\Windows\System32\aMexuzx.exe
  C:\Windows\System32\aMexuzx.exe
  2⤵
  PID:5684
- C:\Windows\System32\sAnHZwM.exe
  C:\Windows\System32\sAnHZwM.exe
  2⤵
  PID:5712
- C:\Windows\System32\nLQvhkS.exe
  C:\Windows\System32\nLQvhkS.exe
  2⤵
  PID:5740
- C:\Windows\System32\UxXXZyS.exe
  C:\Windows\System32\UxXXZyS.exe
  2⤵
  PID:5768
- C:\Windows\System32\LKMJtJM.exe
  C:\Windows\System32\LKMJtJM.exe
  2⤵
  PID:5796
- C:\Windows\System32\VoVjEWy.exe
  C:\Windows\System32\VoVjEWy.exe
  2⤵
  PID:5824
- C:\Windows\System32\EPTMOiX.exe
  C:\Windows\System32\EPTMOiX.exe
  2⤵
  PID:5852
- C:\Windows\System32\vGXAqrk.exe
  C:\Windows\System32\vGXAqrk.exe
  2⤵
  PID:5880
- C:\Windows\System32\ujWLDqG.exe
  C:\Windows\System32\ujWLDqG.exe
  2⤵
  PID:5908
- C:\Windows\System32\CgQeDhZ.exe
  C:\Windows\System32\CgQeDhZ.exe
  2⤵
  PID:5936
- C:\Windows\System32\sZApHOT.exe
  C:\Windows\System32\sZApHOT.exe
  2⤵
  PID:5964
- C:\Windows\System32\uUFdIrb.exe
  C:\Windows\System32\uUFdIrb.exe
  2⤵
  PID:5992
- C:\Windows\System32\ISIgoxz.exe
  C:\Windows\System32\ISIgoxz.exe
  2⤵
  PID:6020
- C:\Windows\System32\XnkyUvG.exe
  C:\Windows\System32\XnkyUvG.exe
  2⤵
  PID:6048
- C:\Windows\System32\VXyqiNM.exe
  C:\Windows\System32\VXyqiNM.exe
  2⤵
  PID:6076
- C:\Windows\System32\eZIqqCZ.exe
  C:\Windows\System32\eZIqqCZ.exe
  2⤵
  PID:6104
- C:\Windows\System32\WCinWXL.exe
  C:\Windows\System32\WCinWXL.exe
  2⤵
  PID:6132
- C:\Windows\System32\baVetyi.exe
  C:\Windows\System32\baVetyi.exe
  2⤵
  PID:4716
- C:\Windows\System32\qKMorLw.exe
  C:\Windows\System32\qKMorLw.exe
  2⤵
  PID:4560
- C:\Windows\System32\UKTEohK.exe
  C:\Windows\System32\UKTEohK.exe
  2⤵
  PID:2816
- C:\Windows\System32\QmVNFJr.exe
  C:\Windows\System32\QmVNFJr.exe
  2⤵
  PID:2300
- C:\Windows\System32\bPFgTMw.exe
  C:\Windows\System32\bPFgTMw.exe
  2⤵
  PID:1532
- C:\Windows\System32\nZKPbga.exe
  C:\Windows\System32\nZKPbga.exe
  2⤵
  PID:2032
- C:\Windows\System32\ifwgPqc.exe
  C:\Windows\System32\ifwgPqc.exe
  2⤵
  PID:2200
- C:\Windows\System32\RRDZvMb.exe
  C:\Windows\System32\RRDZvMb.exe
  2⤵
  PID:5196
- C:\Windows\System32\oVyHnHM.exe
  C:\Windows\System32\oVyHnHM.exe
  2⤵
  PID:5244
- C:\Windows\System32\ABVyAKN.exe
  C:\Windows\System32\ABVyAKN.exe
  2⤵
  PID:5312
- C:\Windows\System32\cMJzvfc.exe
  C:\Windows\System32\cMJzvfc.exe
  2⤵
  PID:5392
- C:\Windows\System32\ZJqcDKa.exe
  C:\Windows\System32\ZJqcDKa.exe
  2⤵
  PID:5440
- C:\Windows\System32\BdORhsO.exe
  C:\Windows\System32\BdORhsO.exe
  2⤵
  PID:5496
- C:\Windows\System32\sacQsgU.exe
  C:\Windows\System32\sacQsgU.exe
  2⤵
  PID:5588
- C:\Windows\System32\rKMBnFY.exe
  C:\Windows\System32\rKMBnFY.exe
  2⤵
  PID:5636
- C:\Windows\System32\YbymnQf.exe
  C:\Windows\System32\YbymnQf.exe
  2⤵
  PID:5720
- C:\Windows\System32\qXrRzwi.exe
  C:\Windows\System32\qXrRzwi.exe
  2⤵
  PID:5784
- C:\Windows\System32\MxqRpEx.exe
  C:\Windows\System32\MxqRpEx.exe
  2⤵
  PID:5832
- C:\Windows\System32\GkyLBWB.exe
  C:\Windows\System32\GkyLBWB.exe
  2⤵
  PID:5900
- C:\Windows\System32\CmNWcfB.exe
  C:\Windows\System32\CmNWcfB.exe
  2⤵
  PID:5980
- C:\Windows\System32\kGqnSwq.exe
  C:\Windows\System32\kGqnSwq.exe
  2⤵
  PID:6028
- C:\Windows\System32\UUAstVz.exe
  C:\Windows\System32\UUAstVz.exe
  2⤵
  PID:6112
- C:\Windows\System32\WOBxaex.exe
  C:\Windows\System32\WOBxaex.exe
  2⤵
  PID:1392
- C:\Windows\System32\vlOTudg.exe
  C:\Windows\System32\vlOTudg.exe
  2⤵
  PID:1344
- C:\Windows\System32\gIfSVZI.exe
  C:\Windows\System32\gIfSVZI.exe
  2⤵
  PID:4228
- C:\Windows\System32\pAhbCrh.exe
  C:\Windows\System32\pAhbCrh.exe
  2⤵
  PID:5216
- C:\Windows\System32\CLuBrKj.exe
  C:\Windows\System32\CLuBrKj.exe
  2⤵
  PID:5328
- C:\Windows\System32\TZGuXjf.exe
  C:\Windows\System32\TZGuXjf.exe
  2⤵
  PID:5504
- C:\Windows\System32\buSOQkc.exe
  C:\Windows\System32\buSOQkc.exe
  2⤵
  PID:5676
- C:\Windows\System32\EIhQdas.exe
  C:\Windows\System32\EIhQdas.exe
  2⤵
  PID:5788
- C:\Windows\System32\QLIscrd.exe
  C:\Windows\System32\QLIscrd.exe
  2⤵
  PID:6152
- C:\Windows\System32\KcJSsmX.exe
  C:\Windows\System32\KcJSsmX.exe
  2⤵
  PID:6180
- C:\Windows\System32\KaarsAp.exe
  C:\Windows\System32\KaarsAp.exe
  2⤵
  PID:6208
- C:\Windows\System32\hOUbjad.exe
  C:\Windows\System32\hOUbjad.exe
  2⤵
  PID:6236
- C:\Windows\System32\VSjgAsX.exe
  C:\Windows\System32\VSjgAsX.exe
  2⤵
  PID:6264
- C:\Windows\System32\YeEvauC.exe
  C:\Windows\System32\YeEvauC.exe
  2⤵
  PID:6292
- C:\Windows\System32\tPADgZH.exe
  C:\Windows\System32\tPADgZH.exe
  2⤵
  PID:6320
- C:\Windows\System32\NaksFri.exe
  C:\Windows\System32\NaksFri.exe
  2⤵
  PID:6348
- C:\Windows\System32\nFUPfvr.exe
  C:\Windows\System32\nFUPfvr.exe
  2⤵
  PID:6376
- C:\Windows\System32\kMSOCkC.exe
  C:\Windows\System32\kMSOCkC.exe
  2⤵
  PID:6404
- C:\Windows\System32\VrDXmSI.exe
  C:\Windows\System32\VrDXmSI.exe
  2⤵
  PID:6432
- C:\Windows\System32\CCWltpL.exe
  C:\Windows\System32\CCWltpL.exe
  2⤵
  PID:6460
- C:\Windows\System32\CCiMyeL.exe
  C:\Windows\System32\CCiMyeL.exe
  2⤵
  PID:6500
- C:\Windows\System32\RqMaSnd.exe
  C:\Windows\System32\RqMaSnd.exe
  2⤵
  PID:6516
- C:\Windows\System32\ZvtyAjX.exe
  C:\Windows\System32\ZvtyAjX.exe
  2⤵
  PID:6544
- C:\Windows\System32\bWMLDcw.exe
  C:\Windows\System32\bWMLDcw.exe
  2⤵
  PID:6572
- C:\Windows\System32\UMPrNHu.exe
  C:\Windows\System32\UMPrNHu.exe
  2⤵
  PID:6600
- C:\Windows\System32\uognDpN.exe
  C:\Windows\System32\uognDpN.exe
  2⤵
  PID:6628
- C:\Windows\System32\jedHmWa.exe
  C:\Windows\System32\jedHmWa.exe
  2⤵
  PID:6656
- C:\Windows\System32\OAJYdio.exe
  C:\Windows\System32\OAJYdio.exe
  2⤵
  PID:6684
- C:\Windows\System32\IYwTLZf.exe
  C:\Windows\System32\IYwTLZf.exe
  2⤵
  PID:6712
- C:\Windows\System32\qcmFJjR.exe
  C:\Windows\System32\qcmFJjR.exe
  2⤵
  PID:6740
- C:\Windows\System32\dEXUDEa.exe
  C:\Windows\System32\dEXUDEa.exe
  2⤵
  PID:6768
- C:\Windows\System32\CyQEswA.exe
  C:\Windows\System32\CyQEswA.exe
  2⤵
  PID:6796
- C:\Windows\System32\STUCnWL.exe
  C:\Windows\System32\STUCnWL.exe
  2⤵
  PID:6824
- C:\Windows\System32\fbLXLkE.exe
  C:\Windows\System32\fbLXLkE.exe
  2⤵
  PID:6852
- C:\Windows\System32\gAwlThg.exe
  C:\Windows\System32\gAwlThg.exe
  2⤵
  PID:6880
- C:\Windows\System32\cEUpVWX.exe
  C:\Windows\System32\cEUpVWX.exe
  2⤵
  PID:6908
- C:\Windows\System32\jEoXhoG.exe
  C:\Windows\System32\jEoXhoG.exe
  2⤵
  PID:6936
- C:\Windows\System32\cAHnzep.exe
  C:\Windows\System32\cAHnzep.exe
  2⤵
  PID:6964
- C:\Windows\System32\HtAAPFY.exe
  C:\Windows\System32\HtAAPFY.exe
  2⤵
  PID:6992
- C:\Windows\System32\srQsCul.exe
  C:\Windows\System32\srQsCul.exe
  2⤵
  PID:7020
- C:\Windows\System32\kvPXnCV.exe
  C:\Windows\System32\kvPXnCV.exe
  2⤵
  PID:7048
- C:\Windows\System32\ptkMKdR.exe
  C:\Windows\System32\ptkMKdR.exe
  2⤵
  PID:7076
- C:\Windows\System32\hfcqikn.exe
  C:\Windows\System32\hfcqikn.exe
  2⤵
  PID:7104
- C:\Windows\System32\jBrForU.exe
  C:\Windows\System32\jBrForU.exe
  2⤵
  PID:7132
- C:\Windows\System32\sLcClHz.exe
  C:\Windows\System32\sLcClHz.exe
  2⤵
  PID:7160
- C:\Windows\System32\aNCAWzx.exe
  C:\Windows\System32\aNCAWzx.exe
  2⤵
  PID:6012
- C:\Windows\System32\qKHPkPP.exe
  C:\Windows\System32\qKHPkPP.exe
  2⤵
  PID:4660
- C:\Windows\System32\pJaLupB.exe
  C:\Windows\System32\pJaLupB.exe
  2⤵
  PID:1476
- C:\Windows\System32\LlzEMMf.exe
  C:\Windows\System32\LlzEMMf.exe
  2⤵
  PID:5480
- C:\Windows\System32\ZcHvhGb.exe
  C:\Windows\System32\ZcHvhGb.exe
  2⤵
  PID:5896
- C:\Windows\System32\ivzbGKC.exe
  C:\Windows\System32\ivzbGKC.exe
  2⤵
  PID:6188
- C:\Windows\System32\DCkgAFX.exe
  C:\Windows\System32\DCkgAFX.exe
  2⤵
  PID:6256
- C:\Windows\System32\rkdAxNE.exe
  C:\Windows\System32\rkdAxNE.exe
  2⤵
  PID:6336
- C:\Windows\System32\XWXuvjo.exe
  C:\Windows\System32\XWXuvjo.exe
  2⤵
  PID:6384
- C:\Windows\System32\crWQztN.exe
  C:\Windows\System32\crWQztN.exe
  2⤵
  PID:6452
- C:\Windows\System32\kpfcmwh.exe
  C:\Windows\System32\kpfcmwh.exe
  2⤵
  PID:6532
- C:\Windows\System32\VPisWgu.exe
  C:\Windows\System32\VPisWgu.exe
  2⤵
  PID:6580
- C:\Windows\System32\xNCAfgq.exe
  C:\Windows\System32\xNCAfgq.exe
  2⤵
  PID:6648
- C:\Windows\System32\TmyNScG.exe
  C:\Windows\System32\TmyNScG.exe
  2⤵
  PID:6728
- C:\Windows\System32\ZYBesFf.exe
  C:\Windows\System32\ZYBesFf.exe
  2⤵
  PID:6804
- C:\Windows\System32\FtGEXZs.exe
  C:\Windows\System32\FtGEXZs.exe
  2⤵
  PID:6844
- C:\Windows\System32\snXowwD.exe
  C:\Windows\System32\snXowwD.exe
  2⤵
  PID:6924
- C:\Windows\System32\CTGYLqm.exe
  C:\Windows\System32\CTGYLqm.exe
  2⤵
  PID:6972
- C:\Windows\System32\HMmnwBH.exe
  C:\Windows\System32\HMmnwBH.exe
  2⤵
  PID:7040
- C:\Windows\System32\PZUMSEo.exe
  C:\Windows\System32\PZUMSEo.exe
  2⤵
  PID:7120
- C:\Windows\System32\wYQyXMb.exe
  C:\Windows\System32\wYQyXMb.exe
  2⤵
  PID:5916
- C:\Windows\System32\pTamlNU.exe
  C:\Windows\System32\pTamlNU.exe
  2⤵
  PID:4000
- C:\Windows\System32\hrVcFUr.exe
  C:\Windows\System32\hrVcFUr.exe
  2⤵
  PID:6160
- C:\Windows\System32\FEyqChB.exe
  C:\Windows\System32\FEyqChB.exe
  2⤵
  PID:6272
- C:\Windows\System32\QLbwsyH.exe
  C:\Windows\System32\QLbwsyH.exe
  2⤵
  PID:6448
- C:\Windows\System32\LVuRxrH.exe
  C:\Windows\System32\LVuRxrH.exe
  2⤵
  PID:6620
- C:\Windows\System32\XsDrIDF.exe
  C:\Windows\System32\XsDrIDF.exe
  2⤵
  PID:6732
- C:\Windows\System32\rssnXbP.exe
  C:\Windows\System32\rssnXbP.exe
  2⤵
  PID:6888
- C:\Windows\System32\katsbTl.exe
  C:\Windows\System32\katsbTl.exe
  2⤵
  PID:7092
- C:\Windows\System32\YMXmTkZ.exe
  C:\Windows\System32\YMXmTkZ.exe
  2⤵
  PID:4528
- C:\Windows\System32\kneNnZc.exe
  C:\Windows\System32\kneNnZc.exe
  2⤵
  PID:6252
- C:\Windows\System32\wqYUOis.exe
  C:\Windows\System32\wqYUOis.exe
  2⤵
  PID:6664
- C:\Windows\System32\BzJAHUt.exe
  C:\Windows\System32\BzJAHUt.exe
  2⤵
  PID:6928
- C:\Windows\System32\nMcOMTd.exe
  C:\Windows\System32\nMcOMTd.exe
  2⤵
  PID:7176
- C:\Windows\System32\VzWMzlU.exe
  C:\Windows\System32\VzWMzlU.exe
  2⤵
  PID:7204
- C:\Windows\System32\qZWTTXO.exe
  C:\Windows\System32\qZWTTXO.exe
  2⤵
  PID:7232
- C:\Windows\System32\UmSCcCQ.exe
  C:\Windows\System32\UmSCcCQ.exe
  2⤵
  PID:7260
- C:\Windows\System32\vYLsttD.exe
  C:\Windows\System32\vYLsttD.exe
  2⤵
  PID:7288
- C:\Windows\System32\RTONiCT.exe
  C:\Windows\System32\RTONiCT.exe
  2⤵
  PID:7316
- C:\Windows\System32\mzDwhVN.exe
  C:\Windows\System32\mzDwhVN.exe
  2⤵
  PID:7344
- C:\Windows\System32\skLXDJe.exe
  C:\Windows\System32\skLXDJe.exe
  2⤵
  PID:7372
- C:\Windows\System32\EcdIutQ.exe
  C:\Windows\System32\EcdIutQ.exe
  2⤵
  PID:7400
- C:\Windows\System32\WECbGMB.exe
  C:\Windows\System32\WECbGMB.exe
  2⤵
  PID:7428
- C:\Windows\System32\SxmMCHV.exe
  C:\Windows\System32\SxmMCHV.exe
  2⤵
  PID:7456
- C:\Windows\System32\SbqWfYr.exe
  C:\Windows\System32\SbqWfYr.exe
  2⤵
  PID:7484
- C:\Windows\System32\VaerHzo.exe
  C:\Windows\System32\VaerHzo.exe
  2⤵
  PID:7512
- C:\Windows\System32\ZFCIDtW.exe
  C:\Windows\System32\ZFCIDtW.exe
  2⤵
  PID:7540
- C:\Windows\System32\SMDixEC.exe
  C:\Windows\System32\SMDixEC.exe
  2⤵
  PID:7568
- C:\Windows\System32\rYrHmMX.exe
  C:\Windows\System32\rYrHmMX.exe
  2⤵
  PID:7596
- C:\Windows\System32\QnGJbcp.exe
  C:\Windows\System32\QnGJbcp.exe
  2⤵
  PID:7624
- C:\Windows\System32\XqMqRSv.exe
  C:\Windows\System32\XqMqRSv.exe
  2⤵
  PID:7652
- C:\Windows\System32\NDyFKfx.exe
  C:\Windows\System32\NDyFKfx.exe
  2⤵
  PID:7680
- C:\Windows\System32\Mihgmsh.exe
  C:\Windows\System32\Mihgmsh.exe
  2⤵
  PID:7708
- C:\Windows\System32\wGLmzdo.exe
  C:\Windows\System32\wGLmzdo.exe
  2⤵
  PID:7736
- C:\Windows\System32\gPZZOEb.exe
  C:\Windows\System32\gPZZOEb.exe
  2⤵
  PID:7764
- C:\Windows\System32\TaJoaBy.exe
  C:\Windows\System32\TaJoaBy.exe
  2⤵
  PID:7792
- C:\Windows\System32\rPuNuKv.exe
  C:\Windows\System32\rPuNuKv.exe
  2⤵
  PID:7820
- C:\Windows\System32\jMJmddp.exe
  C:\Windows\System32\jMJmddp.exe
  2⤵
  PID:7848
- C:\Windows\System32\JadENrg.exe
  C:\Windows\System32\JadENrg.exe
  2⤵
  PID:7876
- C:\Windows\System32\LgfokHV.exe
  C:\Windows\System32\LgfokHV.exe
  2⤵
  PID:7904
- C:\Windows\System32\xBOiJQK.exe
  C:\Windows\System32\xBOiJQK.exe
  2⤵
  PID:7932
- C:\Windows\System32\UTfwLSK.exe
  C:\Windows\System32\UTfwLSK.exe
  2⤵
  PID:7960
- C:\Windows\System32\kkcbPFy.exe
  C:\Windows\System32\kkcbPFy.exe
  2⤵
  PID:7988
- C:\Windows\System32\ulhvuNN.exe
  C:\Windows\System32\ulhvuNN.exe
  2⤵
  PID:8016
- C:\Windows\System32\FxurARg.exe
  C:\Windows\System32\FxurARg.exe
  2⤵
  PID:8120
- C:\Windows\System32\SdawPbN.exe
  C:\Windows\System32\SdawPbN.exe
  2⤵
  PID:8148
- C:\Windows\System32\dbyOWxe.exe
  C:\Windows\System32\dbyOWxe.exe
  2⤵
  PID:8180
- C:\Windows\System32\AcokoiS.exe
  C:\Windows\System32\AcokoiS.exe
  2⤵
  PID:6424
- C:\Windows\System32\RrAGRRy.exe
  C:\Windows\System32\RrAGRRy.exe
  2⤵
  PID:7084
- C:\Windows\System32\nbrWaJx.exe
  C:\Windows\System32\nbrWaJx.exe
  2⤵
  PID:7220
- C:\Windows\System32\mcUqyaF.exe
  C:\Windows\System32\mcUqyaF.exe
  2⤵
  PID:7304
- C:\Windows\System32\INoYCiI.exe
  C:\Windows\System32\INoYCiI.exe
  2⤵
  PID:7324
- C:\Windows\System32\XhYGyHf.exe
  C:\Windows\System32\XhYGyHf.exe
  2⤵
  PID:7504
- C:\Windows\System32\iUqsGgg.exe
  C:\Windows\System32\iUqsGgg.exe
  2⤵
  PID:7532
- C:\Windows\System32\yGsOxci.exe
  C:\Windows\System32\yGsOxci.exe
  2⤵
  PID:7588
- C:\Windows\System32\aXFjgBf.exe
  C:\Windows\System32\aXFjgBf.exe
  2⤵
  PID:7640
- C:\Windows\System32\rSvYuus.exe
  C:\Windows\System32\rSvYuus.exe
  2⤵
  PID:1932
- C:\Windows\System32\qWIEFbr.exe
  C:\Windows\System32\qWIEFbr.exe
  2⤵
  PID:7696
- C:\Windows\System32\WvZPmnE.exe
  C:\Windows\System32\WvZPmnE.exe
  2⤵
  PID:7716
- C:\Windows\System32\aclVBEj.exe
  C:\Windows\System32\aclVBEj.exe
  2⤵
  PID:7808
- C:\Windows\System32\UqwctZl.exe
  C:\Windows\System32\UqwctZl.exe
  2⤵
  PID:7892
- C:\Windows\System32\EDvpLNd.exe
  C:\Windows\System32\EDvpLNd.exe
  2⤵
  PID:2528
- C:\Windows\System32\tFUdkdM.exe
  C:\Windows\System32\tFUdkdM.exe
  2⤵
  PID:1972
- C:\Windows\System32\InJjoHm.exe
  C:\Windows\System32\InJjoHm.exe
  2⤵
  PID:4456
- C:\Windows\System32\JYKhHYS.exe
  C:\Windows\System32\JYKhHYS.exe
  2⤵
  PID:1756
- C:\Windows\System32\csVgCFM.exe
  C:\Windows\System32\csVgCFM.exe
  2⤵
  PID:8116
- C:\Windows\System32\ZZzbzWk.exe
  C:\Windows\System32\ZZzbzWk.exe
  2⤵
  PID:4848
- C:\Windows\System32\mPdCOYn.exe
  C:\Windows\System32\mPdCOYn.exe
  2⤵
  PID:5112
- C:\Windows\System32\obEBacx.exe
  C:\Windows\System32\obEBacx.exe
  2⤵
  PID:1008
- C:\Windows\System32\naktcPB.exe
  C:\Windows\System32\naktcPB.exe
  2⤵
  PID:696
- C:\Windows\System32\vmTJMkk.exe
  C:\Windows\System32\vmTJMkk.exe
  2⤵
  PID:3280
- C:\Windows\System32\KpoSAto.exe
  C:\Windows\System32\KpoSAto.exe
  2⤵
  PID:4300
- C:\Windows\System32\FnnGYhS.exe
  C:\Windows\System32\FnnGYhS.exe
  2⤵
  PID:7388
- C:\Windows\System32\dEPfOzS.exe
  C:\Windows\System32\dEPfOzS.exe
  2⤵
  PID:7448
- C:\Windows\System32\cgtzkOe.exe
  C:\Windows\System32\cgtzkOe.exe
  2⤵
  PID:7580
- C:\Windows\System32\qrPWbAj.exe
  C:\Windows\System32\qrPWbAj.exe
  2⤵
  PID:7688
- C:\Windows\System32\bKscVRd.exe
  C:\Windows\System32\bKscVRd.exe
  2⤵
  PID:2544
- C:\Windows\System32\wAmraqf.exe
  C:\Windows\System32\wAmraqf.exe
  2⤵
  PID:7952
- C:\Windows\System32\mpzCQLj.exe
  C:\Windows\System32\mpzCQLj.exe
  2⤵
  PID:7996
- C:\Windows\System32\BBtPmZh.exe
  C:\Windows\System32\BBtPmZh.exe
  2⤵
  PID:4892
- C:\Windows\System32\UFMXViQ.exe
  C:\Windows\System32\UFMXViQ.exe
  2⤵
  PID:908
- C:\Windows\System32\qXmMBbq.exe
  C:\Windows\System32\qXmMBbq.exe
  2⤵
  PID:2640
- C:\Windows\System32\EImuZfO.exe
  C:\Windows\System32\EImuZfO.exe
  2⤵
  PID:7380
- C:\Windows\System32\BhczBcI.exe
  C:\Windows\System32\BhczBcI.exe
  2⤵
  PID:2880
- C:\Windows\System32\BnufUME.exe
  C:\Windows\System32\BnufUME.exe
  2⤵
  PID:8004
- C:\Windows\System32\LZCaLJg.exe
  C:\Windows\System32\LZCaLJg.exe
  2⤵
  PID:3824
- C:\Windows\System32\bMfrcMH.exe
  C:\Windows\System32\bMfrcMH.exe
  2⤵
  PID:8208
- C:\Windows\System32\LdOKgQo.exe
  C:\Windows\System32\LdOKgQo.exe
  2⤵
  PID:8236
- C:\Windows\System32\dauqttp.exe
  C:\Windows\System32\dauqttp.exe
  2⤵
  PID:8264
- C:\Windows\System32\FHFZwJk.exe
  C:\Windows\System32\FHFZwJk.exe
  2⤵
  PID:8292
- C:\Windows\System32\lFyOQDL.exe
  C:\Windows\System32\lFyOQDL.exe
  2⤵
  PID:8320
- C:\Windows\System32\GlSsbui.exe
  C:\Windows\System32\GlSsbui.exe
  2⤵
  PID:8348
- C:\Windows\System32\uNshqcO.exe
  C:\Windows\System32\uNshqcO.exe
  2⤵
  PID:8376
- C:\Windows\System32\YRGGWWs.exe
  C:\Windows\System32\YRGGWWs.exe
  2⤵
  PID:8404
- C:\Windows\System32\WwvXnMC.exe
  C:\Windows\System32\WwvXnMC.exe
  2⤵
  PID:8432
- C:\Windows\System32\EXBtvte.exe
  C:\Windows\System32\EXBtvte.exe
  2⤵
  PID:8460
- C:\Windows\System32\tBMpmZi.exe
  C:\Windows\System32\tBMpmZi.exe
  2⤵
  PID:8488
- C:\Windows\System32\adsJUwx.exe
  C:\Windows\System32\adsJUwx.exe
  2⤵
  PID:8516
- C:\Windows\System32\sRHuMTm.exe
  C:\Windows\System32\sRHuMTm.exe
  2⤵
  PID:8544
- C:\Windows\System32\ZSWrIOA.exe
  C:\Windows\System32\ZSWrIOA.exe
  2⤵
  PID:8572
- C:\Windows\System32\ngwNqvv.exe
  C:\Windows\System32\ngwNqvv.exe
  2⤵
  PID:8600
- C:\Windows\System32\zNPImil.exe
  C:\Windows\System32\zNPImil.exe
  2⤵
  PID:8628
- C:\Windows\System32\pmtHknX.exe
  C:\Windows\System32\pmtHknX.exe
  2⤵
  PID:8672
- C:\Windows\System32\mVsiaWP.exe
  C:\Windows\System32\mVsiaWP.exe
  2⤵
  PID:8692
- C:\Windows\System32\xcWpRSj.exe
  C:\Windows\System32\xcWpRSj.exe
  2⤵
  PID:8720
- C:\Windows\System32\OjMcBHm.exe
  C:\Windows\System32\OjMcBHm.exe
  2⤵
  PID:8748
- C:\Windows\System32\KeNFgJz.exe
  C:\Windows\System32\KeNFgJz.exe
  2⤵
  PID:8784
- C:\Windows\System32\zZYnQzN.exe
  C:\Windows\System32\zZYnQzN.exe
  2⤵
  PID:8804
- C:\Windows\System32\HjdgKKl.exe
  C:\Windows\System32\HjdgKKl.exe
  2⤵
  PID:8832
- C:\Windows\System32\afCskFW.exe
  C:\Windows\System32\afCskFW.exe
  2⤵
  PID:8872
- C:\Windows\System32\rKRsGkg.exe
  C:\Windows\System32\rKRsGkg.exe
  2⤵
  PID:8892
- C:\Windows\System32\JCtYljA.exe
  C:\Windows\System32\JCtYljA.exe
  2⤵
  PID:8920
- C:\Windows\System32\xJfOqWY.exe
  C:\Windows\System32\xJfOqWY.exe
  2⤵
  PID:8948
- C:\Windows\System32\NAdberB.exe
  C:\Windows\System32\NAdberB.exe
  2⤵
  PID:8976
- C:\Windows\System32\JRNFuxh.exe
  C:\Windows\System32\JRNFuxh.exe
  2⤵
  PID:9008
- C:\Windows\System32\AUvFUiG.exe
  C:\Windows\System32\AUvFUiG.exe
  2⤵
  PID:9032
- C:\Windows\System32\JNkRKbn.exe
  C:\Windows\System32\JNkRKbn.exe
  2⤵
  PID:9072
- C:\Windows\System32\xAoBkIO.exe
  C:\Windows\System32\xAoBkIO.exe
  2⤵
  PID:9108
- C:\Windows\System32\mVhCbbd.exe
  C:\Windows\System32\mVhCbbd.exe
  2⤵
  PID:9132
- C:\Windows\System32\cuWbDkM.exe
  C:\Windows\System32\cuWbDkM.exe
  2⤵
  PID:9172
- C:\Windows\System32\lbCkHuJ.exe
  C:\Windows\System32\lbCkHuJ.exe
  2⤵
  PID:9196
- C:\Windows\System32\DEOhtPN.exe
  C:\Windows\System32\DEOhtPN.exe
  2⤵
  PID:7520
- C:\Windows\System32\ApPJpfl.exe
  C:\Windows\System32\ApPJpfl.exe
  2⤵
  PID:3164
- C:\Windows\System32\RsfQsTP.exe
  C:\Windows\System32\RsfQsTP.exe
  2⤵
  PID:8252
- C:\Windows\System32\OmcimFp.exe
  C:\Windows\System32\OmcimFp.exe
  2⤵
  PID:8284
- C:\Windows\System32\ZUerwli.exe
  C:\Windows\System32\ZUerwli.exe
  2⤵
  PID:8368
- C:\Windows\System32\tbNxvcS.exe
  C:\Windows\System32\tbNxvcS.exe
  2⤵
  PID:8424
- C:\Windows\System32\xJzTFMm.exe
  C:\Windows\System32\xJzTFMm.exe
  2⤵
  PID:8552
- C:\Windows\System32\GLWpASU.exe
  C:\Windows\System32\GLWpASU.exe
  2⤵
  PID:8620
- C:\Windows\System32\JWGtbky.exe
  C:\Windows\System32\JWGtbky.exe
  2⤵
  PID:8704
- C:\Windows\System32\ZDVqSfF.exe
  C:\Windows\System32\ZDVqSfF.exe
  2⤵
  PID:8772
- C:\Windows\System32\NzkBJfb.exe
  C:\Windows\System32\NzkBJfb.exe
  2⤵
  PID:8816
- C:\Windows\System32\tdkZzWL.exe
  C:\Windows\System32\tdkZzWL.exe
  2⤵
  PID:8868
- C:\Windows\System32\PEvGFxr.exe
  C:\Windows\System32\PEvGFxr.exe
  2⤵
  PID:8968
- C:\Windows\System32\yRatPwc.exe
  C:\Windows\System32\yRatPwc.exe
  2⤵
  PID:9052
- C:\Windows\System32\deyaoNQ.exe
  C:\Windows\System32\deyaoNQ.exe
  2⤵
  PID:8100
- C:\Windows\System32\PrhpMVW.exe
  C:\Windows\System32\PrhpMVW.exe
  2⤵
  PID:9016
- C:\Windows\System32\DhOXqKx.exe
  C:\Windows\System32\DhOXqKx.exe
  2⤵
  PID:8340
- C:\Windows\System32\fIAyQsf.exe
  C:\Windows\System32\fIAyQsf.exe
  2⤵
  PID:8580
- C:\Windows\System32\heOmAtf.exe
  C:\Windows\System32\heOmAtf.exe
  2⤵
  PID:8736
- C:\Windows\System32\IPHCmLl.exe
  C:\Windows\System32\IPHCmLl.exe
  2⤵
  PID:8908
- C:\Windows\System32\WhtETDQ.exe
  C:\Windows\System32\WhtETDQ.exe
  2⤵
  PID:9068
- C:\Windows\System32\uxUbukn.exe
  C:\Windows\System32\uxUbukn.exe
  2⤵
  PID:4688
- C:\Windows\System32\Idhgjgq.exe
  C:\Windows\System32\Idhgjgq.exe
  2⤵
  PID:8112
- C:\Windows\System32\pDzFMwk.exe
  C:\Windows\System32\pDzFMwk.exe
  2⤵
  PID:8944
- C:\Windows\System32\QnQDkdD.exe
  C:\Windows\System32\QnQDkdD.exe
  2⤵
  PID:8228
- C:\Windows\System32\jpkviXU.exe
  C:\Windows\System32\jpkviXU.exe
  2⤵
  PID:8104
- C:\Windows\System32\VpMsESo.exe
  C:\Windows\System32\VpMsESo.exe
  2⤵
  PID:8136
- C:\Windows\System32\pRjJeRa.exe
  C:\Windows\System32\pRjJeRa.exe
  2⤵
  PID:9264
- C:\Windows\System32\GuUhtWI.exe
  C:\Windows\System32\GuUhtWI.exe
  2⤵
  PID:9288
- C:\Windows\System32\GtUdGnX.exe
  C:\Windows\System32\GtUdGnX.exe
  2⤵
  PID:9316
- C:\Windows\System32\ZUHQNUu.exe
  C:\Windows\System32\ZUHQNUu.exe
  2⤵
  PID:9360
- C:\Windows\System32\NdfSpUK.exe
  C:\Windows\System32\NdfSpUK.exe
  2⤵
  PID:9396
- C:\Windows\System32\UusiSeA.exe
  C:\Windows\System32\UusiSeA.exe
  2⤵
  PID:9424
- C:\Windows\System32\IJyIKWK.exe
  C:\Windows\System32\IJyIKWK.exe
  2⤵
  PID:9452
- C:\Windows\System32\YRzkOVH.exe
  C:\Windows\System32\YRzkOVH.exe
  2⤵
  PID:9480
- C:\Windows\System32\fwHwnYS.exe
  C:\Windows\System32\fwHwnYS.exe
  2⤵
  PID:9512
- C:\Windows\System32\kXrQump.exe
  C:\Windows\System32\kXrQump.exe
  2⤵
  PID:9540
- C:\Windows\System32\PjtLpJf.exe
  C:\Windows\System32\PjtLpJf.exe
  2⤵
  PID:9572
- C:\Windows\System32\LfSNCgq.exe
  C:\Windows\System32\LfSNCgq.exe
  2⤵
  PID:9600
- C:\Windows\System32\zUIPpIV.exe
  C:\Windows\System32\zUIPpIV.exe
  2⤵
  PID:9632
- C:\Windows\System32\qmKbVPn.exe
  C:\Windows\System32\qmKbVPn.exe
  2⤵
  PID:9660
- C:\Windows\System32\MPKnRcM.exe
  C:\Windows\System32\MPKnRcM.exe
  2⤵
  PID:9688
- C:\Windows\System32\BvGZeGa.exe
  C:\Windows\System32\BvGZeGa.exe
  2⤵
  PID:9716
- C:\Windows\System32\mGZkZCl.exe
  C:\Windows\System32\mGZkZCl.exe
  2⤵
  PID:9744
- C:\Windows\System32\HbvnMtk.exe
  C:\Windows\System32\HbvnMtk.exe
  2⤵
  PID:9772
- C:\Windows\System32\WYwZETT.exe
  C:\Windows\System32\WYwZETT.exe
  2⤵
  PID:9800
- C:\Windows\System32\FFWsSPV.exe
  C:\Windows\System32\FFWsSPV.exe
  2⤵
  PID:9816
- C:\Windows\System32\hGPQYVv.exe
  C:\Windows\System32\hGPQYVv.exe
  2⤵
  PID:9836
- C:\Windows\System32\WRNsKQT.exe
  C:\Windows\System32\WRNsKQT.exe
  2⤵
  PID:9868
- C:\Windows\System32\vEDwLWA.exe
  C:\Windows\System32\vEDwLWA.exe
  2⤵
  PID:9904
- C:\Windows\System32\tTyxdgN.exe
  C:\Windows\System32\tTyxdgN.exe
  2⤵
  PID:9940
- C:\Windows\System32\KunHjTe.exe
  C:\Windows\System32\KunHjTe.exe
  2⤵
  PID:9968
- C:\Windows\System32\dpnWDFT.exe
  C:\Windows\System32\dpnWDFT.exe
  2⤵
  PID:9996
- C:\Windows\System32\MLXARry.exe
  C:\Windows\System32\MLXARry.exe
  2⤵
  PID:10024
- C:\Windows\System32\GnUSFhe.exe
  C:\Windows\System32\GnUSFhe.exe
  2⤵
  PID:10044
- C:\Windows\System32\WGqyjEx.exe
  C:\Windows\System32\WGqyjEx.exe
  2⤵
  PID:10080
- C:\Windows\System32\ywjjtVX.exe
  C:\Windows\System32\ywjjtVX.exe
  2⤵
  PID:10108
- C:\Windows\System32\JSTAshl.exe
  C:\Windows\System32\JSTAshl.exe
  2⤵
  PID:10140
- C:\Windows\System32\VJdGOLg.exe
  C:\Windows\System32\VJdGOLg.exe
  2⤵
  PID:10168
- C:\Windows\System32\FDDPFrV.exe
  C:\Windows\System32\FDDPFrV.exe
  2⤵
  PID:10196
- C:\Windows\System32\JVXagzH.exe
  C:\Windows\System32\JVXagzH.exe
  2⤵
  PID:10228
- C:\Windows\System32\MNcyOWl.exe
  C:\Windows\System32\MNcyOWl.exe
  2⤵
  PID:9236
- C:\Windows\System32\SuwExoT.exe
  C:\Windows\System32\SuwExoT.exe
  2⤵
  PID:9168
- C:\Windows\System32\ffJsaDq.exe
  C:\Windows\System32\ffJsaDq.exe
  2⤵
  PID:9324
- C:\Windows\System32\vESZgJN.exe
  C:\Windows\System32\vESZgJN.exe
  2⤵
  PID:9444
- C:\Windows\System32\lvGDjFA.exe
  C:\Windows\System32\lvGDjFA.exe
  2⤵
  PID:9476
- C:\Windows\System32\CeIymtJ.exe
  C:\Windows\System32\CeIymtJ.exe
  2⤵
  PID:9552
- C:\Windows\System32\fgTvTVW.exe
  C:\Windows\System32\fgTvTVW.exe
  2⤵
  PID:9612
- C:\Windows\System32\HsxGgvr.exe
  C:\Windows\System32\HsxGgvr.exe
  2⤵
  PID:9672
- C:\Windows\System32\PwFITHF.exe
  C:\Windows\System32\PwFITHF.exe
  2⤵
  PID:9728
- C:\Windows\System32\zGOPPqW.exe
  C:\Windows\System32\zGOPPqW.exe
  2⤵
  PID:9784
- C:\Windows\System32\DdTJUOx.exe
  C:\Windows\System32\DdTJUOx.exe
  2⤵
  PID:9844
- C:\Windows\System32\NlfAXnI.exe
  C:\Windows\System32\NlfAXnI.exe
  2⤵
  PID:2704
- C:\Windows\System32\JBRFskQ.exe
  C:\Windows\System32\JBRFskQ.exe
  2⤵
  PID:9912
- C:\Windows\System32\uxtmpJI.exe
  C:\Windows\System32\uxtmpJI.exe
  2⤵
  PID:9964
- C:\Windows\System32\xgmvVsf.exe
  C:\Windows\System32\xgmvVsf.exe
  2⤵
  PID:10040
- C:\Windows\System32\fhjfdBs.exe
  C:\Windows\System32\fhjfdBs.exe
  2⤵
  PID:2960
- C:\Windows\System32\OhBsnER.exe
  C:\Windows\System32\OhBsnER.exe
  2⤵
  PID:10152
- C:\Windows\System32\gGtXhnL.exe
  C:\Windows\System32\gGtXhnL.exe
  2⤵
  PID:10188
- C:\Windows\System32\tstZVDR.exe
  C:\Windows\System32\tstZVDR.exe
  2⤵
  PID:9228
- C:\Windows\System32\AgVyCxM.exe
  C:\Windows\System32\AgVyCxM.exe
  2⤵
  PID:9436
- C:\Windows\System32\XMFdPsT.exe
  C:\Windows\System32\XMFdPsT.exe
  2⤵
  PID:7756
- C:\Windows\System32\LPAieSA.exe
  C:\Windows\System32\LPAieSA.exe
  2⤵
  PID:7700
- C:\Windows\System32\bVdbEDE.exe
  C:\Windows\System32\bVdbEDE.exe
  2⤵
  PID:3040
- C:\Windows\System32\sQhaRSv.exe
  C:\Windows\System32\sQhaRSv.exe
  2⤵
  PID:9900
- C:\Windows\System32\PfAzIRh.exe
  C:\Windows\System32\PfAzIRh.exe
  2⤵
  PID:10016
- C:\Windows\System32\TgGJNtf.exe
  C:\Windows\System32\TgGJNtf.exe
  2⤵
  PID:10136
- C:\Windows\System32\BMfMJjr.exe
  C:\Windows\System32\BMfMJjr.exe
  2⤵
  PID:7444
- C:\Windows\System32\EtWYQbJ.exe
  C:\Windows\System32\EtWYQbJ.exe
  2⤵
  PID:5012
- C:\Windows\System32\WCzVdEJ.exe
  C:\Windows\System32\WCzVdEJ.exe
  2⤵
  PID:2212
- C:\Windows\System32\UyEAoIi.exe
  C:\Windows\System32\UyEAoIi.exe
  2⤵
  PID:10132
- C:\Windows\System32\qvHqPnK.exe
  C:\Windows\System32\qvHqPnK.exe
  2⤵
  PID:9756
- C:\Windows\System32\xWjQedq.exe
  C:\Windows\System32\xWjQedq.exe
  2⤵
  PID:10104
- C:\Windows\System32\nJnVphr.exe
  C:\Windows\System32\nJnVphr.exe
  2⤵
  PID:10252
- C:\Windows\System32\AflXsIj.exe
  C:\Windows\System32\AflXsIj.exe
  2⤵
  PID:10280
- C:\Windows\System32\CTlGbce.exe
  C:\Windows\System32\CTlGbce.exe
  2⤵
  PID:10308
- C:\Windows\System32\IezVgau.exe
  C:\Windows\System32\IezVgau.exe
  2⤵
  PID:10336
- C:\Windows\System32\IJfOfyB.exe
  C:\Windows\System32\IJfOfyB.exe
  2⤵
  PID:10364
- C:\Windows\System32\AaUnMed.exe
  C:\Windows\System32\AaUnMed.exe
  2⤵
  PID:10396
- C:\Windows\System32\SZSvoMX.exe
  C:\Windows\System32\SZSvoMX.exe
  2⤵
  PID:10420
- C:\Windows\System32\oVpnlri.exe
  C:\Windows\System32\oVpnlri.exe
  2⤵
  PID:10456
- C:\Windows\System32\CEXBGWA.exe
  C:\Windows\System32\CEXBGWA.exe
  2⤵
  PID:10480
- C:\Windows\System32\nmbRHOq.exe
  C:\Windows\System32\nmbRHOq.exe
  2⤵
  PID:10516
- C:\Windows\System32\UKlKFpk.exe
  C:\Windows\System32\UKlKFpk.exe
  2⤵
  PID:10572
- C:\Windows\System32\xIeoKyK.exe
  C:\Windows\System32\xIeoKyK.exe
  2⤵
  PID:10592
- C:\Windows\System32\UAStvLt.exe
  C:\Windows\System32\UAStvLt.exe
  2⤵
  PID:10620
- C:\Windows\System32\HedtvqZ.exe
  C:\Windows\System32\HedtvqZ.exe
  2⤵
  PID:10648
- C:\Windows\System32\XuSWJev.exe
  C:\Windows\System32\XuSWJev.exe
  2⤵
  PID:10692
- C:\Windows\System32\nEfXYJC.exe
  C:\Windows\System32\nEfXYJC.exe
  2⤵
  PID:10720
- C:\Windows\System32\CwWRHrx.exe
  C:\Windows\System32\CwWRHrx.exe
  2⤵
  PID:10748
- C:\Windows\System32\kJWXoxB.exe
  C:\Windows\System32\kJWXoxB.exe
  2⤵
  PID:10780
- C:\Windows\System32\BkScYhp.exe
  C:\Windows\System32\BkScYhp.exe
  2⤵
  PID:10808
- C:\Windows\System32\PBJmwdt.exe
  C:\Windows\System32\PBJmwdt.exe
  2⤵
  PID:10852
- C:\Windows\System32\BKXsshs.exe
  C:\Windows\System32\BKXsshs.exe
  2⤵
  PID:10892
- C:\Windows\System32\iiYVXcO.exe
  C:\Windows\System32\iiYVXcO.exe
  2⤵
  PID:10924
- C:\Windows\System32\wfdJhsl.exe
  C:\Windows\System32\wfdJhsl.exe
  2⤵
  PID:10968
- C:\Windows\System32\NXqYgWS.exe
  C:\Windows\System32\NXqYgWS.exe
  2⤵
  PID:11000
- C:\Windows\System32\LBpXxWy.exe
  C:\Windows\System32\LBpXxWy.exe
  2⤵
  PID:11032
- C:\Windows\System32\gMszThK.exe
  C:\Windows\System32\gMszThK.exe
  2⤵
  PID:11064
- C:\Windows\System32\mMvLhAi.exe
  C:\Windows\System32\mMvLhAi.exe
  2⤵
  PID:11096
- C:\Windows\System32\hpEhpvF.exe
  C:\Windows\System32\hpEhpvF.exe
  2⤵
  PID:11112
- C:\Windows\System32\sCTccTY.exe
  C:\Windows\System32\sCTccTY.exe
  2⤵
  PID:11168
- C:\Windows\System32\hfVNYio.exe
  C:\Windows\System32\hfVNYio.exe
  2⤵
  PID:11216
- C:\Windows\System32\ruJfNqb.exe
  C:\Windows\System32\ruJfNqb.exe
  2⤵
  PID:11252
- C:\Windows\System32\AFyQSnz.exe
  C:\Windows\System32\AFyQSnz.exe
  2⤵
  PID:10332
- C:\Windows\System32\wTnQoFd.exe
  C:\Windows\System32\wTnQoFd.exe
  2⤵
  PID:10404
- C:\Windows\System32\hgKRZhV.exe
  C:\Windows\System32\hgKRZhV.exe
  2⤵
  PID:10472
- C:\Windows\System32\BPVdzuh.exe
  C:\Windows\System32\BPVdzuh.exe
  2⤵
  PID:10560
- C:\Windows\System32\wlGwUwx.exe
  C:\Windows\System32\wlGwUwx.exe
  2⤵
  PID:10632
- C:\Windows\System32\TcCOWdi.exe
  C:\Windows\System32\TcCOWdi.exe
  2⤵
  PID:10708
- C:\Windows\System32\OmISVes.exe
  C:\Windows\System32\OmISVes.exe
  2⤵
  PID:10756
- C:\Windows\System32\VXlvwxA.exe
  C:\Windows\System32\VXlvwxA.exe
  2⤵
  PID:10876
- C:\Windows\System32\FDGRmnA.exe
  C:\Windows\System32\FDGRmnA.exe
  2⤵
  PID:10944
- C:\Windows\System32\HdwRbKd.exe
  C:\Windows\System32\HdwRbKd.exe
  2⤵
  PID:1656
- C:\Windows\System32\wbGcXDZ.exe
  C:\Windows\System32\wbGcXDZ.exe
  2⤵
  PID:11092
- C:\Windows\System32\VnUCpAx.exe
  C:\Windows\System32\VnUCpAx.exe
  2⤵
  PID:11152
- C:\Windows\System32\uSjbUlo.exe
  C:\Windows\System32\uSjbUlo.exe
  2⤵
  PID:9212
- C:\Windows\System32\OCSmIPD.exe
  C:\Windows\System32\OCSmIPD.exe
  2⤵
  PID:10448
- C:\Windows\System32\JBeCdzS.exe
  C:\Windows\System32\JBeCdzS.exe
  2⤵
  PID:10500
- C:\Windows\System32\ndwQGxE.exe
  C:\Windows\System32\ndwQGxE.exe
  2⤵
  PID:10772
- C:\Windows\System32\baARmyL.exe
  C:\Windows\System32\baARmyL.exe
  2⤵
  PID:1316
- C:\Windows\System32\lXiOifr.exe
  C:\Windows\System32\lXiOifr.exe
  2⤵
  PID:11108
- C:\Windows\System32\PyxIEWV.exe
  C:\Windows\System32\PyxIEWV.exe
  2⤵
  PID:10376
- C:\Windows\System32\QACZRzD.exe
  C:\Windows\System32\QACZRzD.exe
  2⤵
  PID:10764
- C:\Windows\System32\bVuLBzZ.exe
  C:\Windows\System32\bVuLBzZ.exe
  2⤵
  PID:4884
- C:\Windows\System32\KnwZvui.exe
  C:\Windows\System32\KnwZvui.exe
  2⤵
  PID:10528
- C:\Windows\System32\vxqIvGC.exe
  C:\Windows\System32\vxqIvGC.exe
  2⤵
  PID:11280
- C:\Windows\System32\cxCSqcP.exe
  C:\Windows\System32\cxCSqcP.exe
  2⤵
  PID:11308
- C:\Windows\System32\SACUBqC.exe
  C:\Windows\System32\SACUBqC.exe
  2⤵
  PID:11336
- C:\Windows\System32\faqFmeT.exe
  C:\Windows\System32\faqFmeT.exe
  2⤵
  PID:11364
- C:\Windows\System32\vnlcOkj.exe
  C:\Windows\System32\vnlcOkj.exe
  2⤵
  PID:11392
- C:\Windows\System32\FxAzhQx.exe
  C:\Windows\System32\FxAzhQx.exe
  2⤵
  PID:11428
- C:\Windows\System32\GdmIMNo.exe
  C:\Windows\System32\GdmIMNo.exe
  2⤵
  PID:11456
- C:\Windows\System32\mCrXavq.exe
  C:\Windows\System32\mCrXavq.exe
  2⤵
  PID:11492
- C:\Windows\System32\Fhaukmc.exe
  C:\Windows\System32\Fhaukmc.exe
  2⤵
  PID:11512
- C:\Windows\System32\xzbWFoM.exe
  C:\Windows\System32\xzbWFoM.exe
  2⤵
  PID:11544
- C:\Windows\System32\gRAhhuU.exe
  C:\Windows\System32\gRAhhuU.exe
  2⤵
  PID:11580
- C:\Windows\System32\flJhIwQ.exe
  C:\Windows\System32\flJhIwQ.exe
  2⤵
  PID:11600
- C:\Windows\System32\GSkKVvb.exe
  C:\Windows\System32\GSkKVvb.exe
  2⤵
  PID:11636
- C:\Windows\System32\CZgQXup.exe
  C:\Windows\System32\CZgQXup.exe
  2⤵
  PID:11664
- C:\Windows\System32\uUsDhSF.exe
  C:\Windows\System32\uUsDhSF.exe
  2⤵
  PID:11692
- C:\Windows\System32\flxqOsP.exe
  C:\Windows\System32\flxqOsP.exe
  2⤵
  PID:11720
- C:\Windows\System32\bYkhbww.exe
  C:\Windows\System32\bYkhbww.exe
  2⤵
  PID:11748
- C:\Windows\System32\jXgMNju.exe
  C:\Windows\System32\jXgMNju.exe
  2⤵
  PID:11780
- C:\Windows\System32\wuMPmRN.exe
  C:\Windows\System32\wuMPmRN.exe
  2⤵
  PID:11804
- C:\Windows\System32\bHruIbH.exe
  C:\Windows\System32\bHruIbH.exe
  2⤵
  PID:11836
- C:\Windows\System32\ypynXlB.exe
  C:\Windows\System32\ypynXlB.exe
  2⤵
  PID:11864
- C:\Windows\System32\JocBkHm.exe
  C:\Windows\System32\JocBkHm.exe
  2⤵
  PID:11880
- C:\Windows\System32\hcJQfFm.exe
  C:\Windows\System32\hcJQfFm.exe
  2⤵
  PID:11920
- C:\Windows\System32\dtznsjR.exe
  C:\Windows\System32\dtznsjR.exe
  2⤵
  PID:11948
- C:\Windows\System32\Qarlhyu.exe
  C:\Windows\System32\Qarlhyu.exe
  2⤵
  PID:11976
- C:\Windows\System32\eMJmVdu.exe
  C:\Windows\System32\eMJmVdu.exe
  2⤵
  PID:12004
- C:\Windows\System32\vMpPfjv.exe
  C:\Windows\System32\vMpPfjv.exe
  2⤵
  PID:12040
- C:\Windows\System32\kxfwXKA.exe
  C:\Windows\System32\kxfwXKA.exe
  2⤵
  PID:12060
- C:\Windows\System32\IhGvtJd.exe
  C:\Windows\System32\IhGvtJd.exe
  2⤵
  PID:12088
- C:\Windows\System32\lKRJDjH.exe
  C:\Windows\System32\lKRJDjH.exe
  2⤵
  PID:12116
- C:\Windows\System32\nfQGCBo.exe
  C:\Windows\System32\nfQGCBo.exe
  2⤵
  PID:12144
- C:\Windows\System32\HDYtjyT.exe
  C:\Windows\System32\HDYtjyT.exe
  2⤵
  PID:12176
- C:\Windows\System32\BDhFQNN.exe
  C:\Windows\System32\BDhFQNN.exe
  2⤵
  PID:12216
- C:\Windows\System32\cGNCTMN.exe
  C:\Windows\System32\cGNCTMN.exe
  2⤵
  PID:12244
- C:\Windows\System32\WwtDExE.exe
  C:\Windows\System32\WwtDExE.exe
  2⤵
  PID:12272
- C:\Windows\System32\EdBsZJz.exe
  C:\Windows\System32\EdBsZJz.exe
  2⤵
  PID:10744
- C:\Windows\System32\pBpmHCp.exe
  C:\Windows\System32\pBpmHCp.exe
  2⤵
  PID:11348
- C:\Windows\System32\ftsYBWV.exe
  C:\Windows\System32\ftsYBWV.exe
  2⤵
  PID:11424
- C:\Windows\System32\CfgftIB.exe
  C:\Windows\System32\CfgftIB.exe
  2⤵
  PID:11484
- C:\Windows\System32\kWbRujS.exe
  C:\Windows\System32\kWbRujS.exe
  2⤵
  PID:11532
- C:\Windows\System32\TftbSiB.exe
  C:\Windows\System32\TftbSiB.exe
  2⤵
  PID:11608
- C:\Windows\System32\gbmKpBD.exe
  C:\Windows\System32\gbmKpBD.exe
  2⤵
  PID:11660
- C:\Windows\System32\vsDmScm.exe
  C:\Windows\System32\vsDmScm.exe
  2⤵
  PID:11732
- C:\Windows\System32\CXtMjjb.exe
  C:\Windows\System32\CXtMjjb.exe
  2⤵
  PID:11788
- C:\Windows\System32\XLKLnBn.exe
  C:\Windows\System32\XLKLnBn.exe
  2⤵
  PID:11860
- C:\Windows\System32\nzPTqjo.exe
  C:\Windows\System32\nzPTqjo.exe
  2⤵
  PID:11944
- C:\Windows\System32\fQQNIqv.exe
  C:\Windows\System32\fQQNIqv.exe
  2⤵
  PID:11996
- C:\Windows\System32\RWXFcRc.exe
  C:\Windows\System32\RWXFcRc.exe
  2⤵
  PID:12052
- C:\Windows\System32\LnQJQfL.exe
  C:\Windows\System32\LnQJQfL.exe
  2⤵
  PID:12128
- C:\Windows\System32\tseGtsX.exe
  C:\Windows\System32\tseGtsX.exe
  2⤵
  PID:12212
- C:\Windows\System32\TiYxalL.exe
  C:\Windows\System32\TiYxalL.exe
  2⤵
  PID:12284
- C:\Windows\System32\GhShHon.exe
  C:\Windows\System32\GhShHon.exe
  2⤵
  PID:11412
- C:\Windows\System32\mIniaog.exe
  C:\Windows\System32\mIniaog.exe
  2⤵
  PID:11524
- C:\Windows\System32\KJbzRfx.exe
  C:\Windows\System32\KJbzRfx.exe
  2⤵
  PID:11688
- C:\Windows\System32\SVxbREp.exe
  C:\Windows\System32\SVxbREp.exe
  2⤵
  PID:11856
- C:\Windows\System32\yTvzlAA.exe
  C:\Windows\System32\yTvzlAA.exe
  2⤵
  PID:11960
- C:\Windows\System32\rqxhNsl.exe
  C:\Windows\System32\rqxhNsl.exe
  2⤵
  PID:12156
- C:\Windows\System32\jjdscKK.exe
  C:\Windows\System32\jjdscKK.exe
  2⤵
  PID:11356
- C:\Windows\System32\jymEWxO.exe
  C:\Windows\System32\jymEWxO.exe
  2⤵
  PID:11656
- C:\Windows\System32\ObjqOGe.exe
  C:\Windows\System32\ObjqOGe.exe
  2⤵
  PID:3116
- C:\Windows\System32\mlWGqTq.exe
  C:\Windows\System32\mlWGqTq.exe
  2⤵
  PID:11972
- C:\Windows\System32\ODUWbUh.exe
  C:\Windows\System32\ODUWbUh.exe
  2⤵
  PID:12256
- C:\Windows\System32\gHPbdtr.exe
  C:\Windows\System32\gHPbdtr.exe
  2⤵
  PID:1140
- C:\Windows\System32\OSvKtxp.exe
  C:\Windows\System32\OSvKtxp.exe
  2⤵
  PID:11500
- C:\Windows\System32\lQmEpHt.exe
  C:\Windows\System32\lQmEpHt.exe
  2⤵
  PID:12296
- C:\Windows\System32\neWEZUr.exe
  C:\Windows\System32\neWEZUr.exe
  2⤵
  PID:12316
- C:\Windows\System32\UjobsgY.exe
  C:\Windows\System32\UjobsgY.exe
  2⤵
  PID:12340
- C:\Windows\System32\FngWMCb.exe
  C:\Windows\System32\FngWMCb.exe
  2⤵
  PID:12368
- C:\Windows\System32\yKcaWEu.exe
  C:\Windows\System32\yKcaWEu.exe
  2⤵
  PID:12384
- C:\Windows\System32\GazOiKu.exe
  C:\Windows\System32\GazOiKu.exe
  2⤵
  PID:12424
- C:\Windows\System32\qKeCsuo.exe
  C:\Windows\System32\qKeCsuo.exe
  2⤵
  PID:12460
- C:\Windows\System32\lSEulbl.exe
  C:\Windows\System32\lSEulbl.exe
  2⤵
  PID:12500
- C:\Windows\System32\gKrbULY.exe
  C:\Windows\System32\gKrbULY.exe
  2⤵
  PID:12528
- C:\Windows\System32\TZOQnZi.exe
  C:\Windows\System32\TZOQnZi.exe
  2⤵
  PID:12564
- C:\Windows\System32\IhFFecQ.exe
  C:\Windows\System32\IhFFecQ.exe
  2⤵
  PID:12628
- C:\Windows\System32\QYfjiub.exe
  C:\Windows\System32\QYfjiub.exe
  2⤵
  PID:12648
- C:\Windows\System32\ggVGYHO.exe
  C:\Windows\System32\ggVGYHO.exe
  2⤵
  PID:12668
- C:\Windows\System32\qWAyZRX.exe
  C:\Windows\System32\qWAyZRX.exe
  2⤵
  PID:12704
- C:\Windows\System32\DMYHLSh.exe
  C:\Windows\System32\DMYHLSh.exe
  2⤵
  PID:12732
- C:\Windows\System32\TMNhmAp.exe
  C:\Windows\System32\TMNhmAp.exe
  2⤵
  PID:12748
- C:\Windows\System32\TEXNapN.exe
  C:\Windows\System32\TEXNapN.exe
  2⤵
  PID:12776
- C:\Windows\System32\XrhImmK.exe
  C:\Windows\System32\XrhImmK.exe
  2⤵
  PID:12804
- C:\Windows\System32\ojVTdNQ.exe
  C:\Windows\System32\ojVTdNQ.exe
  2⤵
  PID:12844
- C:\Windows\System32\fnThWzX.exe
  C:\Windows\System32\fnThWzX.exe
  2⤵
  PID:12872
- C:\Windows\System32\uUKdFJi.exe
  C:\Windows\System32\uUKdFJi.exe
  2⤵
  PID:12888
- C:\Windows\System32\HmjBVXn.exe
  C:\Windows\System32\HmjBVXn.exe
  2⤵
  PID:12916
- C:\Windows\System32\MSMCQnw.exe
  C:\Windows\System32\MSMCQnw.exe
  2⤵
  PID:12944
- C:\Windows\System32\SyqzDIQ.exe
  C:\Windows\System32\SyqzDIQ.exe
  2⤵
  PID:12976
- C:\Windows\System32\eoAikZI.exe
  C:\Windows\System32\eoAikZI.exe
  2⤵
  PID:13004
- C:\Windows\System32\nvchBYD.exe
  C:\Windows\System32\nvchBYD.exe
  2⤵
  PID:13044
- C:\Windows\System32\ocoQzHQ.exe
  C:\Windows\System32\ocoQzHQ.exe
  2⤵
  PID:13072
- C:\Windows\System32\jbXdnxf.exe
  C:\Windows\System32\jbXdnxf.exe
  2⤵
  PID:13100
- C:\Windows\System32\fIcfEDE.exe
  C:\Windows\System32\fIcfEDE.exe
  2⤵
  PID:13128
- C:\Windows\System32\arhCYjY.exe
  C:\Windows\System32\arhCYjY.exe
  2⤵
  PID:13156
- C:\Windows\System32\qSCBcQc.exe
  C:\Windows\System32\qSCBcQc.exe
  2⤵
  PID:13184
- C:\Windows\System32\xgNOZgo.exe
  C:\Windows\System32\xgNOZgo.exe
  2⤵
  PID:13212
- C:\Windows\System32\qlVuehp.exe
  C:\Windows\System32\qlVuehp.exe
  2⤵
  PID:13240
- C:\Windows\System32\eyBJiwm.exe
  C:\Windows\System32\eyBJiwm.exe
  2⤵
  PID:13256
- C:\Windows\System32\OtSyZSG.exe
  C:\Windows\System32\OtSyZSG.exe
  2⤵
  PID:13272
- C:\Windows\System32\WvQQJvS.exe
  C:\Windows\System32\WvQQJvS.exe
  2⤵
  PID:4332
- C:\Windows\System32\bKrNFhQ.exe
  C:\Windows\System32\bKrNFhQ.exe
  2⤵
  PID:12352
- C:\Windows\System32\nVzGTtE.exe
  C:\Windows\System32\nVzGTtE.exe
  2⤵
  PID:12404
- C:\Windows\System32\hrMKCZi.exe
  C:\Windows\System32\hrMKCZi.exe
  2⤵
  PID:12476
- C:\Windows\System32\TWRGHMT.exe
  C:\Windows\System32\TWRGHMT.exe
  2⤵
  PID:12596
- C:\Windows\System32\nBUUIdL.exe
  C:\Windows\System32\nBUUIdL.exe
  2⤵
  PID:12656
- C:\Windows\System32\qiqMRwY.exe
  C:\Windows\System32\qiqMRwY.exe
  2⤵
  PID:12788
- C:\Windows\System32\zbeewrc.exe
  C:\Windows\System32\zbeewrc.exe
  2⤵
  PID:12820
- C:\Windows\System32\vQWbexn.exe
  C:\Windows\System32\vQWbexn.exe
  2⤵
  PID:12880
- C:\Windows\System32\NVPtnqc.exe
  C:\Windows\System32\NVPtnqc.exe
  2⤵
  PID:12932
- C:\Windows\System32\GKalgdm.exe
  C:\Windows\System32\GKalgdm.exe
  2⤵
  PID:13040
- C:\Windows\System32\dgalgfN.exe
  C:\Windows\System32\dgalgfN.exe
  2⤵
  PID:13084
- C:\Windows\System32\DOFywUB.exe
  C:\Windows\System32\DOFywUB.exe
  2⤵
  PID:13140
- C:\Windows\System32\OKXeCgo.exe
  C:\Windows\System32\OKXeCgo.exe
  2⤵
  PID:13208
- C:\Windows\System32\sLLrOiD.exe
  C:\Windows\System32\sLLrOiD.exe
  2⤵
  PID:13268

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AuPMHuD.exe

Filesize
2.9MB

MD5
57a9538251c44f863369fc7c7eacafe8

SHA1
cf040304d9c37bd4ec665e6593aac42d937a7b5a

SHA256
ca88f0f76d874694fce9f42fc4a57d166a64707a25fed8442cb97696dbe80a65

SHA512
7e66be3f470fd5389c08a5ad38529620b932ba5512ebc814f1a134f8a80b46b6e69071e22772115cd7d745160843427f33080a13dab08f2578746cb80c96a580

Download Submit
C:\Windows\System32\BcmDkPx.exe

Filesize
2.9MB

MD5
470354ed27c9b0357d918e0d1bbcb606

SHA1
f0451724103ed1e3479844deae9feeeca1e89e8c

SHA256
5f6e93eeabe0b7fbb2e0507d64c3c89611d6657b5308c4c1f0d0eaf0c807f256

SHA512
794dff893ec585d8e5bfeafc4d52dda8fc9ee08538ac2854635c9cd8218a0f70dd87d3ecd3ad2c8f5e74406008ee495bd40c5f6bceaca0628e7e288865d668a2

Download Submit
C:\Windows\System32\CWmCFjr.exe

Filesize
2.9MB

MD5
557c0f923f2b6d668266cecc50a4252c

SHA1
9fa4504643056950dda99c155dc16477d4261e8d

SHA256
3ff534f583cdd2e1ffacf0771ef4246699690aed04e53626e8c99b5ee5db7b54

SHA512
736007102253f92fb7c019792f236859a8e402b127a0165ea4a8f948b31d47024ae325d3fe8d493a262983e999f3b185f881a968f4cb947f91fdbbc5cad2edbf

Download Submit
C:\Windows\System32\GOUAxLw.exe

Filesize
2.9MB

MD5
89ec62a105f7ab6907c332f8d64dbbd4

SHA1
7f5ee888c69e172880a55df1dc9c8745805876a9

SHA256
a581e9be4128a6cc2f3b6cd4299fbfe9ef812f64b9dbaeb8e5250cb8272c38c9

SHA512
2e636b649510dde0509ca29dd39b719134dac21a77dff12aff6deac7e75205c84b1d61391181c8965ea2f35178a25910496d54a9000a76d7808bb0ca0503c3af

Download Submit
C:\Windows\System32\IEQABEG.exe

Filesize
2.9MB

MD5
194f51864b4728800bb91d428452188a

SHA1
1e55678bf912dbea466140d807abe17446c7b0bb

SHA256
16b42f4f883f36f1a260bef4e815f5e2fba23ce42dca87937006894acb9e90f2

SHA512
07a4016838fc3fb30c5ef9625a3723ec5bfa0ff2655a3b0793f7e794e680440dee95ec4e7b1ba278ff77e1385a565afc10e483028c1f12298e21d3e8cbc1dad2

Download Submit
C:\Windows\System32\KQbczQA.exe

Filesize
2.9MB

MD5
f03d8e0b7ade08c0ecbeaa0e5ff20e82

SHA1
5d7e01b7fd337293f3071d76d22eb79f66a90a2f

SHA256
aeebfba14d6294b12fdca29754e8e4f023b83adca990ce0fbe389d635c76381d

SHA512
41cb1059a267370523dd8a20c1484f39e2d6ef8e953120c32c65b5708646a0af9ee8fc7e48349a64ce7020938de47c4efbe863f7d226504a9083ec6593601132

Download Submit
C:\Windows\System32\KoRVLdY.exe

Filesize
2.9MB

MD5
0ac91e86d50c69510c6c9ddc6843be95

SHA1
1250a58a175fe5b4dc14c39e76edbab89cdd6134

SHA256
b92072eda8182e1fbc956ee69ebc4dfa45659b9e3382b030e587ff9148aa3348

SHA512
9538b5ba4ac9b9dd1683a7355641faeb01d3a94dc4afa409697cce2a974377146808eb75979bd7f4cb8a3360b34e30fdae658454dc73ce3d7e943275359208b8

Download Submit
C:\Windows\System32\LAulnrr.exe

Filesize
2.9MB

MD5
5f681e3f6a18a5bf4be7193a2534e54a

SHA1
6f83b890836ec7e7c0598b07c49d51cd477ff5c1

SHA256
1207f9db98bc70cd6fa876d9de28511df4b2a4fbdfda2ae4a15557a8b9e95520

SHA512
3f6e6cae46a73068277f01438dde8f6b059689df876eb5f4271ea8fbf1940430d36927defefbf2572478b5002c2bf8fd56e825966a0b5867e191feb543d746ac

Download Submit
C:\Windows\System32\MpyXyKw.exe

Filesize
2.9MB

MD5
48fde105b1c447d9db808069a7423c91

SHA1
0583376b62d5d5c2fb9be99962b5b79fc033d46d

SHA256
40801011bfa1bf25c7826dd1e1d5ee8f0f70bca6ad110c77b69fa38ed2d26c1f

SHA512
c887f9916194b21f3fb567e14fc52d08da3fba1350ce9343f3bd21f071d3c79d87ebe754704568a0296464161f1e827689a2b99542ebd80cb00d7582d38ad360

Download Submit
C:\Windows\System32\NnkHucQ.exe

Filesize
2.9MB

MD5
3e88da3b39e8726d8280c9827d734b32

SHA1
329eb627dd50761a5e07913e730468a43927a047

SHA256
4c8e4272bf8bc8ba729b681b99d53897745af17635927da144cf9c6b20765fd6

SHA512
6ba52854055932693c3a291912a257e8e2c60d86b24a958605c6cb9db9da541466cffe6c1289880af4edd6853bfc244ae5d623630339c1dfdca22b6563636d66

Download Submit
C:\Windows\System32\PwWrCTp.exe

Filesize
2.9MB

MD5
d70742fed14de8fc6286e49b290a420b

SHA1
d3a5bd6bd325c71945a4ce0a66b1c036a8ee7155

SHA256
df7c8be4459383bcc2c2acdf03e4540f598cb049969bc5d993a1ac7cedf51780

SHA512
f67526aa90ebc59fd5efac25d695268e8154d6170ca6580be16778c19201fe6968fc0c080fda0497b7d31bbfe7b4e2191223dcc5c90a6ead088cee6675e2ad8f

Download Submit
C:\Windows\System32\QpYUFAW.exe

Filesize
2.9MB

MD5
fa378d04934c540ad30ccfaed616b2c3

SHA1
1a8a09fa0581e0549e40d577d6f4dc315cbed40c

SHA256
2acaee3489d2badb031e36209a77f95261a2466e002d35ecc9db467448d17e31

SHA512
eee8a59a69486818bdc30abffb7c908bc24701eaf76986708189ca678e2d279759d74d85e2ebb972be88d55bca95501b139e1b55aa64131c2ad4fc6d4e945b35

Download Submit
C:\Windows\System32\RpgNeLK.exe

Filesize
2.9MB

MD5
967732abba2f5ad12a1da4e460d35263

SHA1
6499c05dd01c73b16b3686511e31d3ad8afa01f5

SHA256
cc01438e1c753505b6764c1947ef69566d15d471a6805ce37ee852588e3f89e8

SHA512
26afa6bb34cd98f65b21fe4d3981fdc8d7965f771db9275a257d1a5e9526e770596e0826526bea38fb64ea6488eb716e4f52020dccc1855051cb246054815b80

Download Submit
C:\Windows\System32\TKeRizU.exe

Filesize
2.9MB

MD5
49f6ed815aeab88db8251a2735ff8326

SHA1
78d8da1df3047752d73c1eca7393e6bf4ddd6f64

SHA256
faf32faba755fbbd57040992e9d94bbe3e9303fe676e5e97be365c620b629222

SHA512
44773e1317da0d7b5e8162612c414656fa9c630a79c8aac0bd926e6482a541c5d7eda20de45204fe9f6ff07bb6c3f15027f87e24db8efb8de504e8eedf4f3932

Download Submit
C:\Windows\System32\TsIJEpN.exe

Filesize
2.9MB

MD5
f651fb3c26eaf5c6015b61aa3f020510

SHA1
4070a87db17e736c39a32bd70a41257a57189e47

SHA256
5d21c64f1a50e7238bb0b9c84eae30c3157370e01717d0300f64147172d0bc42

SHA512
d73a7c800c565aa8cdd0f857883290d13063ebaacadb5712d06444ef8db7c860ce84b4925e16b49adbd7d6199cf014dd7119276e549419a8fd2c315deb9d1024

Download Submit
C:\Windows\System32\TvkeGDT.exe

Filesize
2.9MB

MD5
0bcffb015a2688319812c8ecc6853078

SHA1
8db677fba3d4e027198edbf94e8f83f319dbdae5

SHA256
79c00dde1212d9c6b17b9bbf133b9bd3c09bad2c4df412399356ae7431d098df

SHA512
a6d184be467a6983dbb567550cee6f7d9a860564819d3960ad0d826caaf890de049950a01e4cd523e43461b2b67531412db78ff9ed583964ed220a5374ab2a4d

Download Submit
C:\Windows\System32\WqoaDro.exe

Filesize
2.9MB

MD5
c81c745fc5c50fcc77f0a05faaf2f73b

SHA1
58a7ef1216712841564076d1275a3c0282aaf541

SHA256
c2fbeee42d93627c419db14bb549253859fc514f487d9accb9b9626488104b2c

SHA512
6da7ed99c9240feda03157ce0310d300db012a23003d785fb916bf1ea4d6ab2de0d5a57a3866a3b3a66b248cbc477186df8b96238cce3509ab6e45e1d9fda9e9

Download Submit
C:\Windows\System32\XFjOMOn.exe

Filesize
2.9MB

MD5
0a334f19500075bf2816e05c18adf4bb

SHA1
e97ffe339910ba16f08ed9316f96f3f560e57fa8

SHA256
c3c96e0fcd5a36d576ab28ec625d665d872f6cc534b618c91c20d83df3169481

SHA512
20a0cc5605070687689950d894e53a1b7d498e9dd148a6b519589a8aac668756db2efadc686798e438df966bd8dd384ef43deb304341eb641d31d964f4c41978

Download Submit
C:\Windows\System32\aNFJBEi.exe

Filesize
2.9MB

MD5
8c9caa0a7e10663c716e7c38a23e689b

SHA1
5174789495480230f1140dbb34c59d7f27a494d3

SHA256
057c526fd267ab29449b97b07832a49ea1678678ddd4f6c8426d9822b338f6ab

SHA512
2d7804d8b4456dca27fe654f8ae41f9d06fa51b3b54538ba0d0d08bc02ef2672dd733c988261bc275db80d173235c9da85ce3f76e694a6f254eadc087a23da48

Download Submit
C:\Windows\System32\dRDTTQm.exe

Filesize
2.9MB

MD5
20946c67ac2345da416dc825f72c361c

SHA1
5ccd256c03c13f493123b09313c74966c7e6f465

SHA256
d20a64b79badc423bbf4b7cb3ceead2b2e49cca965ed2d99a8d389e19c6a594e

SHA512
a05e4a9587f19c8c432ad9423674b2b9a2b14421e61174167354b366ac1e7ea4ccdf6d78fb2926bbea90422edd0b7e0a70590e7e0de5845b992a67d03390c570

Download Submit
C:\Windows\System32\fOLXVjs.exe

Filesize
2.9MB

MD5
f87439a2ef54193429879df38983f609

SHA1
8ce65dd1c51ece9b377780034d119089b33b666e

SHA256
4d66a0fbcfb4a3cf8769174a22f30f1bc8e4bfcca8d98edb2ab45dc29f0e30e5

SHA512
9ec268a8f753148b88b42f743d96a63524e86a408383ed080c710aa38475d5f5ec038277f4803e3babc110cade3e5c536aa9de01f364bc82e70af9e5dc86fc8d

Download Submit
C:\Windows\System32\hqPaQIl.exe

Filesize
2.9MB

MD5
335060e94a578e201115097f488f209b

SHA1
28b97b40e56fba7f17a8c8fc2814b5353f43cd4c

SHA256
72de48527bad92029dea95fa49c31b667814b514310801709b68072eca966ddd

SHA512
e4bbf5c877cbbcbc93c5758dd7ffe7d48ec10854ad3fe79d93cfe1e31d134b7bb2aa5d46a033f4ef8b2e909081e638fb7293ea23e1128afc1ca517cbdf02e69f

Download Submit
C:\Windows\System32\jPscZaj.exe

Filesize
2.9MB

MD5
de239be9f2f40bcc6135102778c4b6b7

SHA1
558ef7e279da5c566315618e21097ab872f306ef

SHA256
dc5a2250fc4df2880ea2638a92dc8116648a7ec94fb34b2155a1ae3b819a0eba

SHA512
b74110004be9ca4756b368ab8c14c525409c0cf7a90d17abb8f47afbd83d42164359233ee0ad0e3dac99aad998a6e643029588db1f3cedf5b16eccfe1817ccd8

Download Submit
C:\Windows\System32\kqmZjra.exe

Filesize
2.9MB

MD5
06bc52318df2d9f21a1cc34b328f182c

SHA1
992d311907e677207cb618d490c2ff964dbf7bee

SHA256
be02615ef3091023d985e1a66d0e1cdda63440f7fa2412e673bd14d40c6ca4e6

SHA512
2e39f8a7c9fb8db23a134df88ade6eed353f54ca0c7126230df6e7cf699026275b0520b623a0ed8c6deb004be6e4abc9e6ca2271d46d634896d2f8ff5f866fbd

Download Submit
C:\Windows\System32\lJBJXyJ.exe

Filesize
2.9MB

MD5
84b2d6315f44ddfc47cb9ee203b3b252

SHA1
a6a02dda2eb4e5396675678b4e79cc0baea49af0

SHA256
c0da05b9cba777de0f8cc53dfab2d857fa975261c77988e18e4e66e69b8a2e18

SHA512
10c1722bf74d9d0522ec0050cfaa910c452106a6fb28b2ecc1eb0d7d7cc17e95760247dff2dcbc3a7a18cc6d7252bba84330f006accaf6c8a8fd71a54685059d

Download Submit
C:\Windows\System32\pUzFqrP.exe

Filesize
2.9MB

MD5
1ce730d0fddd1aaf729d6f9e581b49b7

SHA1
df3b5a61e64a10a4dec99299ba39f69ef9f36fcc

SHA256
9939cdbede6608862f98c53cfc013bd43b0ff03b68c8df149a5d479d74db953e

SHA512
c604e9c595fba60fc5ea07a632c9dcb98c593fb3bdac50b5551cc1e8447915c797e05ad347490d19f62226a269ef601591920e99fcd0da2ca604feacff94da04

Download Submit
C:\Windows\System32\pkrMywm.exe

Filesize
2.9MB

MD5
5f5a7ed1de3d7893227293f15cce9425

SHA1
0e0c3a1191247ab9c1371a75317bc53229f4de6f

SHA256
677fd2b70ce371260c62e23ca6b52517ed6fa8e1d5f8dcbac85a26759ea1fdb8

SHA512
ee299f9075b75cae1e16faaeea07358f45e5c2d6aa3691babf27a2e211d6c4c56694443f6bae7d3ff5d5c0de3a0e7afadb692f16571d22e60239f6b038e67a14

Download Submit
C:\Windows\System32\rzkGOEJ.exe

Filesize
2.9MB

MD5
e268d624e219244c6bbb92bba63f2b01

SHA1
fd1001f67fd2645efc198c3b8676817f06ec4d79

SHA256
6660bcedce416bc12b425a4a5291732122f68dcf65096ae089a1cc995f21cda2

SHA512
128a98e580f8cc4b024394d22b2d71a65161b48bb55163a3339b2df798ca3995501e2b29aea12abfb34b4f74f256a38bb664a7ea079e9eb4ff451a1a8709d5a6

Download Submit
C:\Windows\System32\tRkiPQF.exe

Filesize
2.9MB

MD5
5cb69794813999f9c519fb4652b3fa6b

SHA1
d1b1057c6f60cfa7692800beaa00855e1bd1c3ac

SHA256
a9540aa443c5e69d66d1fc33b4b2c6e3fc2058d81ff97b9b4ee1c534dfd18eae

SHA512
cfaf974cbbabf7d440412517cd6e5b6028bd041fdb46d0327a8067dbcf5d4d72bea557ce8d40518685d815abe52721d0e7f9196945f12a2d59771c4368152fbd

Download Submit
C:\Windows\System32\tqEIfOS.exe

Filesize
2.9MB

MD5
0ccfa868755b0143706e5ff188c4e688

SHA1
166fd1f0e9a8d8cc40e4e72c1bce2abd34a9d84e

SHA256
a47c7f33a89d1516999cc544f5025e7f558e46843484da084c5d2f280cb07d69

SHA512
ee570da47ebba26831562df9a07d11da358cfd0ae360c2f3a8eff7bf39dbe2bf0a342b9f752300f31f76bf9dd4f8f6d1e762f63f5a5ae6e193b6038f54306378

Download Submit
C:\Windows\System32\wclGtIl.exe

Filesize
2.9MB

MD5
e6e367b55998b1f82c2e98d5b1800bf0

SHA1
13db40553daacc22812e107eacc5f4b1f8961a15

SHA256
2cfee2e3abd1648dd93e29c86c4dda6ebb75d2ea5586b5050509d42e6010d867

SHA512
97b3d99e883c6965d58f3ce0e7adb27d79c95b5bd7a5812de579eb20ba85aafaa96d870547cfaf96d844ad7c3b56b62290d746211f65fe4f03430c4dd8f9581a

Download Submit
C:\Windows\System32\yAJJsho.exe

Filesize
2.9MB

MD5
7b08eddfd29d911b1331ac3f7db74275

SHA1
e650624ef3c952a627c6bdf76f92e5ab2e135e87

SHA256
6dc446e9d4593a5bb047780340cd3a57eb2e8a645bb0fcf256c8148f4b70ac64

SHA512
4f5c50a9b0a631d1061c923a48cfbebe5cc160a4695b294c82a9bf0251ee1e154f1b13fecb9bea58659b32b760907b244fc61c49d0815c6db4e2f2b4a32650fe

Download Submit
memory/412-1909-0x00007FF62F410000-0x00007FF62F805000-memory.dmp

Filesize
4.0MB

Download
memory/412-796-0x00007FF62F410000-0x00007FF62F805000-memory.dmp

Filesize
4.0MB

Download
memory/464-801-0x00007FF630A90000-0x00007FF630E85000-memory.dmp

Filesize
4.0MB

Download
memory/464-1911-0x00007FF630A90000-0x00007FF630E85000-memory.dmp

Filesize
4.0MB

Download
memory/992-1913-0x00007FF612EB0000-0x00007FF6132A5000-memory.dmp

Filesize
4.0MB

Download
memory/992-807-0x00007FF612EB0000-0x00007FF6132A5000-memory.dmp

Filesize
4.0MB

Download
memory/1228-1-0x000002686E750000-0x000002686E760000-memory.dmp

Filesize
64KB

Download
memory/1228-0-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp

Filesize
4.0MB

Download
memory/1228-1903-0x00007FF6E5050000-0x00007FF6E5445000-memory.dmp

Filesize
4.0MB

Download
memory/1372-797-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp

Filesize
4.0MB

Download
memory/1372-1910-0x00007FF6B75B0000-0x00007FF6B79A5000-memory.dmp

Filesize
4.0MB

Download
memory/1540-852-0x00007FF7EA3A0000-0x00007FF7EA795000-memory.dmp

Filesize
4.0MB

Download
memory/1540-1924-0x00007FF7EA3A0000-0x00007FF7EA795000-memory.dmp

Filesize
4.0MB

Download
memory/1644-844-0x00007FF67A330000-0x00007FF67A725000-memory.dmp

Filesize
4.0MB

Download
memory/1644-1926-0x00007FF67A330000-0x00007FF67A725000-memory.dmp

Filesize
4.0MB

Download
memory/1808-848-0x00007FF781330000-0x00007FF781725000-memory.dmp

Filesize
4.0MB

Download
memory/1808-1927-0x00007FF781330000-0x00007FF781725000-memory.dmp

Filesize
4.0MB

Download
memory/2128-1905-0x00007FF614920000-0x00007FF614D15000-memory.dmp

Filesize
4.0MB

Download
memory/2128-11-0x00007FF614920000-0x00007FF614D15000-memory.dmp

Filesize
4.0MB

Download
memory/2248-836-0x00007FF74C910000-0x00007FF74CD05000-memory.dmp

Filesize
4.0MB

Download
memory/2248-1925-0x00007FF74C910000-0x00007FF74CD05000-memory.dmp

Filesize
4.0MB

Download
memory/2380-824-0x00007FF61C250000-0x00007FF61C645000-memory.dmp

Filesize
4.0MB

Download
memory/2380-1918-0x00007FF61C250000-0x00007FF61C645000-memory.dmp

Filesize
4.0MB

Download
memory/3024-817-0x00007FF6BEBB0000-0x00007FF6BEFA5000-memory.dmp

Filesize
4.0MB

Download
memory/3024-1917-0x00007FF6BEBB0000-0x00007FF6BEFA5000-memory.dmp

Filesize
4.0MB

Download
memory/3428-821-0x00007FF60BF00000-0x00007FF60C2F5000-memory.dmp

Filesize
4.0MB

Download
memory/3428-1922-0x00007FF60BF00000-0x00007FF60C2F5000-memory.dmp

Filesize
4.0MB

Download
memory/3472-1906-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp

Filesize
4.0MB

Download
memory/3472-792-0x00007FF6212D0000-0x00007FF6216C5000-memory.dmp

Filesize
4.0MB

Download
memory/3548-1907-0x00007FF67A540000-0x00007FF67A935000-memory.dmp

Filesize
4.0MB

Download
memory/3548-794-0x00007FF67A540000-0x00007FF67A935000-memory.dmp

Filesize
4.0MB

Download
memory/3880-793-0x00007FF7E4980000-0x00007FF7E4D75000-memory.dmp

Filesize
4.0MB

Download
memory/3880-1914-0x00007FF7E4980000-0x00007FF7E4D75000-memory.dmp

Filesize
4.0MB

Download
memory/3968-813-0x00007FF6670D0000-0x00007FF6674C5000-memory.dmp

Filesize
4.0MB

Download
memory/3968-1920-0x00007FF6670D0000-0x00007FF6674C5000-memory.dmp

Filesize
4.0MB

Download
memory/3980-803-0x00007FF6FF210000-0x00007FF6FF605000-memory.dmp

Filesize
4.0MB

Download
memory/3980-1923-0x00007FF6FF210000-0x00007FF6FF605000-memory.dmp

Filesize
4.0MB

Download
memory/4104-1912-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp

Filesize
4.0MB

Download
memory/4104-863-0x00007FF6E5230000-0x00007FF6E5625000-memory.dmp

Filesize
4.0MB

Download
memory/4280-795-0x00007FF69B750000-0x00007FF69BB45000-memory.dmp

Filesize
4.0MB

Download
memory/4280-1908-0x00007FF69B750000-0x00007FF69BB45000-memory.dmp

Filesize
4.0MB

Download
memory/4320-1915-0x00007FF77ECE0000-0x00007FF77F0D5000-memory.dmp

Filesize
4.0MB

Download
memory/4320-853-0x00007FF77ECE0000-0x00007FF77F0D5000-memory.dmp

Filesize
4.0MB

Download
memory/4372-857-0x00007FF652390000-0x00007FF652785000-memory.dmp

Filesize
4.0MB

Download
memory/4372-1921-0x00007FF652390000-0x00007FF652785000-memory.dmp

Filesize
4.0MB

Download
memory/4468-1928-0x00007FF625320000-0x00007FF625715000-memory.dmp

Filesize
4.0MB

Download
memory/4468-834-0x00007FF625320000-0x00007FF625715000-memory.dmp

Filesize
4.0MB

Download
memory/4832-1916-0x00007FF6AA260000-0x00007FF6AA655000-memory.dmp

Filesize
4.0MB

Download
memory/4832-830-0x00007FF6AA260000-0x00007FF6AA655000-memory.dmp

Filesize
4.0MB

Download
memory/4920-832-0x00007FF756880000-0x00007FF756C75000-memory.dmp

Filesize
4.0MB

Download
memory/4920-1919-0x00007FF756880000-0x00007FF756C75000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads