xmrig | eb4cd84c6d56cf00edbb2f4c6df8114c40a0a55542e61ab520217a7f4027369c

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
Size

2.7MB
MD5

c8fd50b35f071b60144080808c025d00
SHA1

1a27a68302ffbc10e8e3d49a777cab621c2e3107
SHA256

eb4cd84c6d56cf00edbb2f4c6df8114c40a0a55542e61ab520217a7f4027369c
SHA512

59408fcdd7fde194affedefa79575097624d115cea37d0da5252c91ac9459de9b1f8c33b0eb0a0b6c55d1224c65cff894193ed282139f8f504f0e8da35e346c9
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzcCNfeT5J0aXiJvJ:N0GnJMOWPClFdx6e0EALKWVTffZiPAcn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1216-0-0x00007FF65D620000-0x00007FF65DA15000-memory.dmp	xmrig
behavioral2/files/0x0009000000023546-5.dat	xmrig
behavioral2/files/0x000800000002354c-8.dat	xmrig
behavioral2/files/0x000700000002354d-14.dat	xmrig
behavioral2/files/0x000700000002354e-22.dat	xmrig
behavioral2/memory/1956-28-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp	xmrig
behavioral2/files/0x0007000000023550-34.dat	xmrig
behavioral2/files/0x0007000000023551-38.dat	xmrig
behavioral2/files/0x0007000000023552-44.dat	xmrig
behavioral2/files/0x0007000000023554-52.dat	xmrig
behavioral2/files/0x0007000000023555-59.dat	xmrig
behavioral2/files/0x0007000000023557-66.dat	xmrig
behavioral2/files/0x0007000000023558-74.dat	xmrig
behavioral2/files/0x000700000002355a-84.dat	xmrig
behavioral2/files/0x000700000002355f-109.dat	xmrig
behavioral2/memory/4300-760-0x00007FF799E30000-0x00007FF79A225000-memory.dmp	xmrig
behavioral2/files/0x000700000002356a-164.dat	xmrig
behavioral2/files/0x0007000000023569-159.dat	xmrig
behavioral2/files/0x0007000000023568-157.dat	xmrig
behavioral2/files/0x0007000000023567-150.dat	xmrig
behavioral2/files/0x0007000000023566-144.dat	xmrig
behavioral2/files/0x0007000000023565-139.dat	xmrig
behavioral2/files/0x0007000000023564-134.dat	xmrig
behavioral2/files/0x0007000000023563-129.dat	xmrig
behavioral2/files/0x0007000000023562-124.dat	xmrig
behavioral2/files/0x0007000000023561-119.dat	xmrig
behavioral2/files/0x0007000000023560-114.dat	xmrig
behavioral2/files/0x000700000002355e-104.dat	xmrig
behavioral2/files/0x000700000002355d-99.dat	xmrig
behavioral2/files/0x000700000002355c-94.dat	xmrig
behavioral2/files/0x000700000002355b-89.dat	xmrig
behavioral2/files/0x0007000000023559-82.dat	xmrig
behavioral2/memory/2292-761-0x00007FF6CB5E0000-0x00007FF6CB9D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023556-64.dat	xmrig
behavioral2/files/0x0007000000023553-49.dat	xmrig
behavioral2/files/0x000700000002354f-29.dat	xmrig
behavioral2/memory/1428-26-0x00007FF713540000-0x00007FF713935000-memory.dmp	xmrig
behavioral2/memory/3112-10-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp	xmrig
behavioral2/memory/884-762-0x00007FF631540000-0x00007FF631935000-memory.dmp	xmrig
behavioral2/memory/3624-763-0x00007FF6F8C50000-0x00007FF6F9045000-memory.dmp	xmrig
behavioral2/memory/4912-764-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp	xmrig
behavioral2/memory/4692-765-0x00007FF748B30000-0x00007FF748F25000-memory.dmp	xmrig
behavioral2/memory/2788-771-0x00007FF6330E0000-0x00007FF6334D5000-memory.dmp	xmrig
behavioral2/memory/1060-775-0x00007FF7CA960000-0x00007FF7CAD55000-memory.dmp	xmrig
behavioral2/memory/2560-777-0x00007FF652EB0000-0x00007FF6532A5000-memory.dmp	xmrig
behavioral2/memory/3276-783-0x00007FF7B7390000-0x00007FF7B7785000-memory.dmp	xmrig
behavioral2/memory/4416-788-0x00007FF76D4D0000-0x00007FF76D8C5000-memory.dmp	xmrig
behavioral2/memory/1584-768-0x00007FF78EC70000-0x00007FF78F065000-memory.dmp	xmrig
behavioral2/memory/1104-793-0x00007FF705C80000-0x00007FF706075000-memory.dmp	xmrig
behavioral2/memory/4920-806-0x00007FF6F8460000-0x00007FF6F8855000-memory.dmp	xmrig
behavioral2/memory/3048-803-0x00007FF690FA0000-0x00007FF691395000-memory.dmp	xmrig
behavioral2/memory/4356-798-0x00007FF62E4A0000-0x00007FF62E895000-memory.dmp	xmrig
behavioral2/memory/4408-824-0x00007FF6E5630000-0x00007FF6E5A25000-memory.dmp	xmrig
behavioral2/memory/864-826-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp	xmrig
behavioral2/memory/4796-833-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp	xmrig
behavioral2/memory/3936-838-0x00007FF78C760000-0x00007FF78CB55000-memory.dmp	xmrig
behavioral2/memory/1184-843-0x00007FF69E340000-0x00007FF69E735000-memory.dmp	xmrig
behavioral2/memory/4300-1876-0x00007FF799E30000-0x00007FF79A225000-memory.dmp	xmrig
behavioral2/memory/864-1878-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp	xmrig
behavioral2/memory/3112-1877-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp	xmrig
behavioral2/memory/1428-1879-0x00007FF713540000-0x00007FF713935000-memory.dmp	xmrig
behavioral2/memory/4796-1880-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp	xmrig
behavioral2/memory/4912-1883-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp	xmrig
behavioral2/memory/1956-1882-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3112	mdytEKD.exe
864	aMVsrzn.exe
1428	NMwDDHJ.exe
1956	fcnNFjD.exe
4796	WphHpmS.exe
3936	aeSFqRj.exe
4300	ZQupwHw.exe
1184	GAnPuHx.exe
2292	olDlbAA.exe
884	voFvNat.exe
3624	GWmsiNF.exe
4912	DttOPrA.exe
4692	VLVCEDt.exe
1584	kixChnV.exe
2788	vMOkUKB.exe
1060	VJOXWLk.exe
2560	LwnvDrS.exe
3276	pmDCFdt.exe
4416	zegEByW.exe
1104	JNNGWMF.exe
4356	fUuXmfH.exe
3048	JSwyREL.exe
4920	YfqqARz.exe
4408	vEPlrnS.exe
1668	MBGWHxV.exe
4612	vJVDnjl.exe
3628	mdJvHsQ.exe
1504	vLDYWuu.exe
4540	tnrbMZt.exe
3696	AbxuDfL.exe
2504	bCbIKGu.exe
4708	wLgbaSo.exe
2848	AlWtFjW.exe
1716	mxdEEta.exe
764	eAWhXmj.exe
4444	ekaSIOz.exe
3168	sUmcxsn.exe
1952	DTfcahy.exe
4388	gdRWaal.exe
1092	ZNPPXhi.exe
1736	xeoEaqL.exe
3444	Zuadmgv.exe
1580	KYTTAnw.exe
1016	eGvTBKf.exe
3860	gRVVGbO.exe
728	DwHuySl.exe
3832	ujAeeJt.exe
2484	XqGhBog.exe
548	jcTexyx.exe
772	NIgajCJ.exe
1608	FMzbuyO.exe
3772	vpwcjGK.exe
2948	pKnvUOw.exe
2496	nNBimOX.exe
3108	xqZhwJt.exe
4272	fGKMEoN.exe
1532	VxcqSZP.exe
2352	cxBJzgw.exe
1288	FNNXXBw.exe
1868	mcbdcyA.exe
5144	xqeuSJY.exe
5172	NrVkJxP.exe
5200	fUfWBLl.exe
5224	kegmcLa.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1216-0-0x00007FF65D620000-0x00007FF65DA15000-memory.dmp	upx
behavioral2/files/0x0009000000023546-5.dat	upx
behavioral2/files/0x000800000002354c-8.dat	upx
behavioral2/files/0x000700000002354d-14.dat	upx
behavioral2/files/0x000700000002354e-22.dat	upx
behavioral2/memory/1956-28-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp	upx
behavioral2/files/0x0007000000023550-34.dat	upx
behavioral2/files/0x0007000000023551-38.dat	upx
behavioral2/files/0x0007000000023552-44.dat	upx
behavioral2/files/0x0007000000023554-52.dat	upx
behavioral2/files/0x0007000000023555-59.dat	upx
behavioral2/files/0x0007000000023557-66.dat	upx
behavioral2/files/0x0007000000023558-74.dat	upx
behavioral2/files/0x000700000002355a-84.dat	upx
behavioral2/files/0x000700000002355f-109.dat	upx
behavioral2/memory/4300-760-0x00007FF799E30000-0x00007FF79A225000-memory.dmp	upx
behavioral2/files/0x000700000002356a-164.dat	upx
behavioral2/files/0x0007000000023569-159.dat	upx
behavioral2/files/0x0007000000023568-157.dat	upx
behavioral2/files/0x0007000000023567-150.dat	upx
behavioral2/files/0x0007000000023566-144.dat	upx
behavioral2/files/0x0007000000023565-139.dat	upx
behavioral2/files/0x0007000000023564-134.dat	upx
behavioral2/files/0x0007000000023563-129.dat	upx
behavioral2/files/0x0007000000023562-124.dat	upx
behavioral2/files/0x0007000000023561-119.dat	upx
behavioral2/files/0x0007000000023560-114.dat	upx
behavioral2/files/0x000700000002355e-104.dat	upx
behavioral2/files/0x000700000002355d-99.dat	upx
behavioral2/files/0x000700000002355c-94.dat	upx
behavioral2/files/0x000700000002355b-89.dat	upx
behavioral2/files/0x0007000000023559-82.dat	upx
behavioral2/memory/2292-761-0x00007FF6CB5E0000-0x00007FF6CB9D5000-memory.dmp	upx
behavioral2/files/0x0007000000023556-64.dat	upx
behavioral2/files/0x0007000000023553-49.dat	upx
behavioral2/files/0x000700000002354f-29.dat	upx
behavioral2/memory/1428-26-0x00007FF713540000-0x00007FF713935000-memory.dmp	upx
behavioral2/memory/3112-10-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp	upx
behavioral2/memory/884-762-0x00007FF631540000-0x00007FF631935000-memory.dmp	upx
behavioral2/memory/3624-763-0x00007FF6F8C50000-0x00007FF6F9045000-memory.dmp	upx
behavioral2/memory/4912-764-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp	upx
behavioral2/memory/4692-765-0x00007FF748B30000-0x00007FF748F25000-memory.dmp	upx
behavioral2/memory/2788-771-0x00007FF6330E0000-0x00007FF6334D5000-memory.dmp	upx
behavioral2/memory/1060-775-0x00007FF7CA960000-0x00007FF7CAD55000-memory.dmp	upx
behavioral2/memory/2560-777-0x00007FF652EB0000-0x00007FF6532A5000-memory.dmp	upx
behavioral2/memory/3276-783-0x00007FF7B7390000-0x00007FF7B7785000-memory.dmp	upx
behavioral2/memory/4416-788-0x00007FF76D4D0000-0x00007FF76D8C5000-memory.dmp	upx
behavioral2/memory/1584-768-0x00007FF78EC70000-0x00007FF78F065000-memory.dmp	upx
behavioral2/memory/1104-793-0x00007FF705C80000-0x00007FF706075000-memory.dmp	upx
behavioral2/memory/4920-806-0x00007FF6F8460000-0x00007FF6F8855000-memory.dmp	upx
behavioral2/memory/3048-803-0x00007FF690FA0000-0x00007FF691395000-memory.dmp	upx
behavioral2/memory/4356-798-0x00007FF62E4A0000-0x00007FF62E895000-memory.dmp	upx
behavioral2/memory/4408-824-0x00007FF6E5630000-0x00007FF6E5A25000-memory.dmp	upx
behavioral2/memory/864-826-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp	upx
behavioral2/memory/4796-833-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp	upx
behavioral2/memory/3936-838-0x00007FF78C760000-0x00007FF78CB55000-memory.dmp	upx
behavioral2/memory/1184-843-0x00007FF69E340000-0x00007FF69E735000-memory.dmp	upx
behavioral2/memory/4300-1876-0x00007FF799E30000-0x00007FF79A225000-memory.dmp	upx
behavioral2/memory/864-1878-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp	upx
behavioral2/memory/3112-1877-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp	upx
behavioral2/memory/1428-1879-0x00007FF713540000-0x00007FF713935000-memory.dmp	upx
behavioral2/memory/4796-1880-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp	upx
behavioral2/memory/4912-1883-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp	upx
behavioral2/memory/1956-1882-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\xarFTAd.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\uroQzSY.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\mdJvHsQ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\YnkSRzY.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ABcyswG.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\KPHecGr.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\oWRdYbi.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\hpfXJaZ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\YPGdncM.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\cLLMvpb.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\uqGQCvR.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZUNTRwe.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\HaofGRi.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\sLKoImj.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\rFdsKSj.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\YGtcApk.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\GbZOkcQ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\dhyMLZY.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\BBZoMFw.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\xevcbkz.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZOdhVAb.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\WPCKbvB.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\UUaUQTR.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\cPEMMNs.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\VMoPcHh.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\XURuyac.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\EQAuWBM.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\UZsOQaa.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\pIpzdkp.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\xofXuUk.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\MmRVdVp.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\nBsDhFp.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\MXYzhmu.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\tBuzTKE.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\TPOgFKs.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\csLIKCo.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\zHigrEc.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\GXtAigr.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\fOkmAEZ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\oppqOuJ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\iFYuRhI.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\VxcqSZP.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ygSoeij.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZodxawQ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\LVRlqrY.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\acsmkEk.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\yfPFmFS.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\NXYotvd.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\dXGinrg.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\SItZgaP.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\hqnOBjQ.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\swqOClm.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\zegEByW.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\DnIHpoN.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\BJRVyMO.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\hZFbYhO.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\PsLlCbl.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\rcbPwBY.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\GdiPOlp.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\EWDffxf.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\mFvIZsc.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\CmQaICg.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\vpwcjGK.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
File created	C:\Windows\System32\SwGeCJV.exe	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3324	dwm.exe
Token: SeChangeNotifyPrivilege	3324	dwm.exe
Token: 33	3324	dwm.exe
Token: SeIncBasePriorityPrivilege	3324	dwm.exe
Token: SeShutdownPrivilege	3324	dwm.exe
Token: SeCreatePagefilePrivilege	3324	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3112	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	90
PID 1216 wrote to memory of 3112	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	90
PID 1216 wrote to memory of 864	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	91
PID 1216 wrote to memory of 864	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	91
PID 1216 wrote to memory of 1428	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	92
PID 1216 wrote to memory of 1428	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	92
PID 1216 wrote to memory of 1956	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	93
PID 1216 wrote to memory of 1956	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	93
PID 1216 wrote to memory of 4796	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	94
PID 1216 wrote to memory of 4796	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	94
PID 1216 wrote to memory of 3936	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	95
PID 1216 wrote to memory of 3936	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	95
PID 1216 wrote to memory of 4300	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	96
PID 1216 wrote to memory of 4300	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	96
PID 1216 wrote to memory of 1184	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	97
PID 1216 wrote to memory of 1184	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	97
PID 1216 wrote to memory of 2292	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	98
PID 1216 wrote to memory of 2292	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	98
PID 1216 wrote to memory of 884	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	99
PID 1216 wrote to memory of 884	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	99
PID 1216 wrote to memory of 3624	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	100
PID 1216 wrote to memory of 3624	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	100
PID 1216 wrote to memory of 4912	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	101
PID 1216 wrote to memory of 4912	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	101
PID 1216 wrote to memory of 4692	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	102
PID 1216 wrote to memory of 4692	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	102
PID 1216 wrote to memory of 1584	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	103
PID 1216 wrote to memory of 1584	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	103
PID 1216 wrote to memory of 2788	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	104
PID 1216 wrote to memory of 2788	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	104
PID 1216 wrote to memory of 1060	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	105
PID 1216 wrote to memory of 1060	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	105
PID 1216 wrote to memory of 2560	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	106
PID 1216 wrote to memory of 2560	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	106
PID 1216 wrote to memory of 3276	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	107
PID 1216 wrote to memory of 3276	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	107
PID 1216 wrote to memory of 4416	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	108
PID 1216 wrote to memory of 4416	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	108
PID 1216 wrote to memory of 1104	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	109
PID 1216 wrote to memory of 1104	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	109
PID 1216 wrote to memory of 4356	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	110
PID 1216 wrote to memory of 4356	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	110
PID 1216 wrote to memory of 3048	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	111
PID 1216 wrote to memory of 3048	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	111
PID 1216 wrote to memory of 4920	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	112
PID 1216 wrote to memory of 4920	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	112
PID 1216 wrote to memory of 4408	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	113
PID 1216 wrote to memory of 4408	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	113
PID 1216 wrote to memory of 1668	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	114
PID 1216 wrote to memory of 1668	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	114
PID 1216 wrote to memory of 4612	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	115
PID 1216 wrote to memory of 4612	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	115
PID 1216 wrote to memory of 3628	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	116
PID 1216 wrote to memory of 3628	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	116
PID 1216 wrote to memory of 1504	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	117
PID 1216 wrote to memory of 1504	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	117
PID 1216 wrote to memory of 4540	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	118
PID 1216 wrote to memory of 4540	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	118
PID 1216 wrote to memory of 3696	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	119
PID 1216 wrote to memory of 3696	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	119
PID 1216 wrote to memory of 2504	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	120
PID 1216 wrote to memory of 2504	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	120
PID 1216 wrote to memory of 4708	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	121
PID 1216 wrote to memory of 4708	1216	c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe	121

C:\Users\Admin\AppData\Local\Temp\c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8fd50b35f071b60144080808c025d00_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\mdytEKD.exe
  C:\Windows\System32\mdytEKD.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\aMVsrzn.exe
  C:\Windows\System32\aMVsrzn.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\NMwDDHJ.exe
  C:\Windows\System32\NMwDDHJ.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\fcnNFjD.exe
  C:\Windows\System32\fcnNFjD.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\WphHpmS.exe
  C:\Windows\System32\WphHpmS.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\aeSFqRj.exe
  C:\Windows\System32\aeSFqRj.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\ZQupwHw.exe
  C:\Windows\System32\ZQupwHw.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\GAnPuHx.exe
  C:\Windows\System32\GAnPuHx.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System32\olDlbAA.exe
  C:\Windows\System32\olDlbAA.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\voFvNat.exe
  C:\Windows\System32\voFvNat.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\GWmsiNF.exe
  C:\Windows\System32\GWmsiNF.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\DttOPrA.exe
  C:\Windows\System32\DttOPrA.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\VLVCEDt.exe
  C:\Windows\System32\VLVCEDt.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\kixChnV.exe
  C:\Windows\System32\kixChnV.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\vMOkUKB.exe
  C:\Windows\System32\vMOkUKB.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\VJOXWLk.exe
  C:\Windows\System32\VJOXWLk.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\LwnvDrS.exe
  C:\Windows\System32\LwnvDrS.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\pmDCFdt.exe
  C:\Windows\System32\pmDCFdt.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\zegEByW.exe
  C:\Windows\System32\zegEByW.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\JNNGWMF.exe
  C:\Windows\System32\JNNGWMF.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\fUuXmfH.exe
  C:\Windows\System32\fUuXmfH.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\JSwyREL.exe
  C:\Windows\System32\JSwyREL.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\YfqqARz.exe
  C:\Windows\System32\YfqqARz.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\vEPlrnS.exe
  C:\Windows\System32\vEPlrnS.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\MBGWHxV.exe
  C:\Windows\System32\MBGWHxV.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\vJVDnjl.exe
  C:\Windows\System32\vJVDnjl.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\mdJvHsQ.exe
  C:\Windows\System32\mdJvHsQ.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\vLDYWuu.exe
  C:\Windows\System32\vLDYWuu.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\tnrbMZt.exe
  C:\Windows\System32\tnrbMZt.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\AbxuDfL.exe
  C:\Windows\System32\AbxuDfL.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\bCbIKGu.exe
  C:\Windows\System32\bCbIKGu.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\wLgbaSo.exe
  C:\Windows\System32\wLgbaSo.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\AlWtFjW.exe
  C:\Windows\System32\AlWtFjW.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\mxdEEta.exe
  C:\Windows\System32\mxdEEta.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System32\eAWhXmj.exe
  C:\Windows\System32\eAWhXmj.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\ekaSIOz.exe
  C:\Windows\System32\ekaSIOz.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\sUmcxsn.exe
  C:\Windows\System32\sUmcxsn.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\DTfcahy.exe
  C:\Windows\System32\DTfcahy.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\gdRWaal.exe
  C:\Windows\System32\gdRWaal.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\ZNPPXhi.exe
  C:\Windows\System32\ZNPPXhi.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\xeoEaqL.exe
  C:\Windows\System32\xeoEaqL.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System32\Zuadmgv.exe
  C:\Windows\System32\Zuadmgv.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\KYTTAnw.exe
  C:\Windows\System32\KYTTAnw.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\eGvTBKf.exe
  C:\Windows\System32\eGvTBKf.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\gRVVGbO.exe
  C:\Windows\System32\gRVVGbO.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\DwHuySl.exe
  C:\Windows\System32\DwHuySl.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System32\ujAeeJt.exe
  C:\Windows\System32\ujAeeJt.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\XqGhBog.exe
  C:\Windows\System32\XqGhBog.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\jcTexyx.exe
  C:\Windows\System32\jcTexyx.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\NIgajCJ.exe
  C:\Windows\System32\NIgajCJ.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System32\FMzbuyO.exe
  C:\Windows\System32\FMzbuyO.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\vpwcjGK.exe
  C:\Windows\System32\vpwcjGK.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\pKnvUOw.exe
  C:\Windows\System32\pKnvUOw.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\nNBimOX.exe
  C:\Windows\System32\nNBimOX.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\xqZhwJt.exe
  C:\Windows\System32\xqZhwJt.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\fGKMEoN.exe
  C:\Windows\System32\fGKMEoN.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\VxcqSZP.exe
  C:\Windows\System32\VxcqSZP.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\cxBJzgw.exe
  C:\Windows\System32\cxBJzgw.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\FNNXXBw.exe
  C:\Windows\System32\FNNXXBw.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\mcbdcyA.exe
  C:\Windows\System32\mcbdcyA.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\xqeuSJY.exe
  C:\Windows\System32\xqeuSJY.exe
  2⤵
  - Executes dropped EXE
  PID:5144
- C:\Windows\System32\NrVkJxP.exe
  C:\Windows\System32\NrVkJxP.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System32\fUfWBLl.exe
  C:\Windows\System32\fUfWBLl.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Windows\System32\kegmcLa.exe
  C:\Windows\System32\kegmcLa.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Windows\System32\TRNBYUN.exe
  C:\Windows\System32\TRNBYUN.exe
  2⤵
  PID:5256
- C:\Windows\System32\oGPVPjl.exe
  C:\Windows\System32\oGPVPjl.exe
  2⤵
  PID:5284
- C:\Windows\System32\VXpcBSU.exe
  C:\Windows\System32\VXpcBSU.exe
  2⤵
  PID:5312
- C:\Windows\System32\GnUoaJf.exe
  C:\Windows\System32\GnUoaJf.exe
  2⤵
  PID:5340
- C:\Windows\System32\btjGMFm.exe
  C:\Windows\System32\btjGMFm.exe
  2⤵
  PID:5368
- C:\Windows\System32\oaUsMtj.exe
  C:\Windows\System32\oaUsMtj.exe
  2⤵
  PID:5396
- C:\Windows\System32\GdiPOlp.exe
  C:\Windows\System32\GdiPOlp.exe
  2⤵
  PID:5424
- C:\Windows\System32\YPGdncM.exe
  C:\Windows\System32\YPGdncM.exe
  2⤵
  PID:5464
- C:\Windows\System32\Pishglw.exe
  C:\Windows\System32\Pishglw.exe
  2⤵
  PID:5480
- C:\Windows\System32\aZakKDS.exe
  C:\Windows\System32\aZakKDS.exe
  2⤵
  PID:5508
- C:\Windows\System32\XpZylIP.exe
  C:\Windows\System32\XpZylIP.exe
  2⤵
  PID:5536
- C:\Windows\System32\nGazxqK.exe
  C:\Windows\System32\nGazxqK.exe
  2⤵
  PID:5564
- C:\Windows\System32\GHRRunk.exe
  C:\Windows\System32\GHRRunk.exe
  2⤵
  PID:5592
- C:\Windows\System32\PGosfxL.exe
  C:\Windows\System32\PGosfxL.exe
  2⤵
  PID:5620
- C:\Windows\System32\MUucBeE.exe
  C:\Windows\System32\MUucBeE.exe
  2⤵
  PID:5648
- C:\Windows\System32\qvIkCdZ.exe
  C:\Windows\System32\qvIkCdZ.exe
  2⤵
  PID:5676
- C:\Windows\System32\VUeUnSu.exe
  C:\Windows\System32\VUeUnSu.exe
  2⤵
  PID:5700
- C:\Windows\System32\SBbpUVD.exe
  C:\Windows\System32\SBbpUVD.exe
  2⤵
  PID:5732
- C:\Windows\System32\MLUlToH.exe
  C:\Windows\System32\MLUlToH.exe
  2⤵
  PID:5768
- C:\Windows\System32\fWnRdaG.exe
  C:\Windows\System32\fWnRdaG.exe
  2⤵
  PID:5788
- C:\Windows\System32\rFdsKSj.exe
  C:\Windows\System32\rFdsKSj.exe
  2⤵
  PID:5816
- C:\Windows\System32\sWafzdB.exe
  C:\Windows\System32\sWafzdB.exe
  2⤵
  PID:5844
- C:\Windows\System32\vCbvDVc.exe
  C:\Windows\System32\vCbvDVc.exe
  2⤵
  PID:5872
- C:\Windows\System32\tkPduxH.exe
  C:\Windows\System32\tkPduxH.exe
  2⤵
  PID:5900
- C:\Windows\System32\CPoAmYc.exe
  C:\Windows\System32\CPoAmYc.exe
  2⤵
  PID:5928
- C:\Windows\System32\vshDoRs.exe
  C:\Windows\System32\vshDoRs.exe
  2⤵
  PID:5956
- C:\Windows\System32\AmfUNAg.exe
  C:\Windows\System32\AmfUNAg.exe
  2⤵
  PID:5984
- C:\Windows\System32\mxdbxfb.exe
  C:\Windows\System32\mxdbxfb.exe
  2⤵
  PID:6012
- C:\Windows\System32\RUAoEjc.exe
  C:\Windows\System32\RUAoEjc.exe
  2⤵
  PID:6040
- C:\Windows\System32\BoESyjb.exe
  C:\Windows\System32\BoESyjb.exe
  2⤵
  PID:6068
- C:\Windows\System32\lOuprWS.exe
  C:\Windows\System32\lOuprWS.exe
  2⤵
  PID:6104
- C:\Windows\System32\wEANHcZ.exe
  C:\Windows\System32\wEANHcZ.exe
  2⤵
  PID:6124
- C:\Windows\System32\hAbSysa.exe
  C:\Windows\System32\hAbSysa.exe
  2⤵
  PID:1064
- C:\Windows\System32\UapnAUD.exe
  C:\Windows\System32\UapnAUD.exe
  2⤵
  PID:776
- C:\Windows\System32\TmFboug.exe
  C:\Windows\System32\TmFboug.exe
  2⤵
  PID:3388
- C:\Windows\System32\tQsjuwR.exe
  C:\Windows\System32\tQsjuwR.exe
  2⤵
  PID:3208
- C:\Windows\System32\gKQQwpw.exe
  C:\Windows\System32\gKQQwpw.exe
  2⤵
  PID:924
- C:\Windows\System32\hReoVMk.exe
  C:\Windows\System32\hReoVMk.exe
  2⤵
  PID:5124
- C:\Windows\System32\LDkfXmm.exe
  C:\Windows\System32\LDkfXmm.exe
  2⤵
  PID:5208
- C:\Windows\System32\IDgLvqh.exe
  C:\Windows\System32\IDgLvqh.exe
  2⤵
  PID:5268
- C:\Windows\System32\CfkTTBA.exe
  C:\Windows\System32\CfkTTBA.exe
  2⤵
  PID:5320
- C:\Windows\System32\PcDFBTq.exe
  C:\Windows\System32\PcDFBTq.exe
  2⤵
  PID:5416
- C:\Windows\System32\KJGJbXQ.exe
  C:\Windows\System32\KJGJbXQ.exe
  2⤵
  PID:5472
- C:\Windows\System32\tDbybuS.exe
  C:\Windows\System32\tDbybuS.exe
  2⤵
  PID:5516
- C:\Windows\System32\yhmfDcs.exe
  C:\Windows\System32\yhmfDcs.exe
  2⤵
  PID:5584
- C:\Windows\System32\xFwDkBD.exe
  C:\Windows\System32\xFwDkBD.exe
  2⤵
  PID:5628
- C:\Windows\System32\ryUTpQO.exe
  C:\Windows\System32\ryUTpQO.exe
  2⤵
  PID:5716
- C:\Windows\System32\QpdaFsb.exe
  C:\Windows\System32\QpdaFsb.exe
  2⤵
  PID:5784
- C:\Windows\System32\lCLpiIz.exe
  C:\Windows\System32\lCLpiIz.exe
  2⤵
  PID:5892
- C:\Windows\System32\IGJPozq.exe
  C:\Windows\System32\IGJPozq.exe
  2⤵
  PID:5912
- C:\Windows\System32\IcFtANe.exe
  C:\Windows\System32\IcFtANe.exe
  2⤵
  PID:5964
- C:\Windows\System32\FEbMzrA.exe
  C:\Windows\System32\FEbMzrA.exe
  2⤵
  PID:6048
- C:\Windows\System32\QwqTNPV.exe
  C:\Windows\System32\QwqTNPV.exe
  2⤵
  PID:6096
- C:\Windows\System32\OwQvZiO.exe
  C:\Windows\System32\OwQvZiO.exe
  2⤵
  PID:2632
- C:\Windows\System32\SBgJxCS.exe
  C:\Windows\System32\SBgJxCS.exe
  2⤵
  PID:3456
- C:\Windows\System32\PthOKzk.exe
  C:\Windows\System32\PthOKzk.exe
  2⤵
  PID:5156
- C:\Windows\System32\xIJOoOi.exe
  C:\Windows\System32\xIJOoOi.exe
  2⤵
  PID:5332
- C:\Windows\System32\HhgtxBk.exe
  C:\Windows\System32\HhgtxBk.exe
  2⤵
  PID:5528
- C:\Windows\System32\SDnnaMt.exe
  C:\Windows\System32\SDnnaMt.exe
  2⤵
  PID:5612
- C:\Windows\System32\bukiuEt.exe
  C:\Windows\System32\bukiuEt.exe
  2⤵
  PID:5764
- C:\Windows\System32\HrKlBfm.exe
  C:\Windows\System32\HrKlBfm.exe
  2⤵
  PID:5976
- C:\Windows\System32\RYMHoWn.exe
  C:\Windows\System32\RYMHoWn.exe
  2⤵
  PID:6152
- C:\Windows\System32\SPTggmA.exe
  C:\Windows\System32\SPTggmA.exe
  2⤵
  PID:6180
- C:\Windows\System32\nQYwOEn.exe
  C:\Windows\System32\nQYwOEn.exe
  2⤵
  PID:6208
- C:\Windows\System32\EWDffxf.exe
  C:\Windows\System32\EWDffxf.exe
  2⤵
  PID:6236
- C:\Windows\System32\YnkSRzY.exe
  C:\Windows\System32\YnkSRzY.exe
  2⤵
  PID:6264
- C:\Windows\System32\IwCkRCQ.exe
  C:\Windows\System32\IwCkRCQ.exe
  2⤵
  PID:6292
- C:\Windows\System32\pJfROST.exe
  C:\Windows\System32\pJfROST.exe
  2⤵
  PID:6320
- C:\Windows\System32\SZiZQop.exe
  C:\Windows\System32\SZiZQop.exe
  2⤵
  PID:6348
- C:\Windows\System32\yEkFlTS.exe
  C:\Windows\System32\yEkFlTS.exe
  2⤵
  PID:6376
- C:\Windows\System32\bPwHOiT.exe
  C:\Windows\System32\bPwHOiT.exe
  2⤵
  PID:6404
- C:\Windows\System32\VpYjKWC.exe
  C:\Windows\System32\VpYjKWC.exe
  2⤵
  PID:6432
- C:\Windows\System32\HMfWRdh.exe
  C:\Windows\System32\HMfWRdh.exe
  2⤵
  PID:6460
- C:\Windows\System32\IgywNgi.exe
  C:\Windows\System32\IgywNgi.exe
  2⤵
  PID:6488
- C:\Windows\System32\LTMMxOj.exe
  C:\Windows\System32\LTMMxOj.exe
  2⤵
  PID:6516
- C:\Windows\System32\BDKxKEt.exe
  C:\Windows\System32\BDKxKEt.exe
  2⤵
  PID:6544
- C:\Windows\System32\GStBJUR.exe
  C:\Windows\System32\GStBJUR.exe
  2⤵
  PID:6568
- C:\Windows\System32\LvIbRiQ.exe
  C:\Windows\System32\LvIbRiQ.exe
  2⤵
  PID:6600
- C:\Windows\System32\CNclBse.exe
  C:\Windows\System32\CNclBse.exe
  2⤵
  PID:6628
- C:\Windows\System32\Gfjtzgl.exe
  C:\Windows\System32\Gfjtzgl.exe
  2⤵
  PID:6656
- C:\Windows\System32\wasUaku.exe
  C:\Windows\System32\wasUaku.exe
  2⤵
  PID:6684
- C:\Windows\System32\SerPoWb.exe
  C:\Windows\System32\SerPoWb.exe
  2⤵
  PID:6712
- C:\Windows\System32\ZHJJbnr.exe
  C:\Windows\System32\ZHJJbnr.exe
  2⤵
  PID:6740
- C:\Windows\System32\yfPFmFS.exe
  C:\Windows\System32\yfPFmFS.exe
  2⤵
  PID:6768
- C:\Windows\System32\VElzHdN.exe
  C:\Windows\System32\VElzHdN.exe
  2⤵
  PID:6796
- C:\Windows\System32\IQmdckv.exe
  C:\Windows\System32\IQmdckv.exe
  2⤵
  PID:6824
- C:\Windows\System32\TFaBYcR.exe
  C:\Windows\System32\TFaBYcR.exe
  2⤵
  PID:6852
- C:\Windows\System32\KiYcvMJ.exe
  C:\Windows\System32\KiYcvMJ.exe
  2⤵
  PID:6880
- C:\Windows\System32\oCwkgaM.exe
  C:\Windows\System32\oCwkgaM.exe
  2⤵
  PID:6912
- C:\Windows\System32\RxkeSZe.exe
  C:\Windows\System32\RxkeSZe.exe
  2⤵
  PID:6936
- C:\Windows\System32\RNBQtpu.exe
  C:\Windows\System32\RNBQtpu.exe
  2⤵
  PID:6972
- C:\Windows\System32\ajGvfOx.exe
  C:\Windows\System32\ajGvfOx.exe
  2⤵
  PID:6992
- C:\Windows\System32\xbCdhZK.exe
  C:\Windows\System32\xbCdhZK.exe
  2⤵
  PID:7020
- C:\Windows\System32\YGtcApk.exe
  C:\Windows\System32\YGtcApk.exe
  2⤵
  PID:7048
- C:\Windows\System32\cLLMvpb.exe
  C:\Windows\System32\cLLMvpb.exe
  2⤵
  PID:7076
- C:\Windows\System32\woAiJrg.exe
  C:\Windows\System32\woAiJrg.exe
  2⤵
  PID:7104
- C:\Windows\System32\cLhdvsG.exe
  C:\Windows\System32\cLhdvsG.exe
  2⤵
  PID:7132
- C:\Windows\System32\OOBawty.exe
  C:\Windows\System32\OOBawty.exe
  2⤵
  PID:7160
- C:\Windows\System32\AyjezqI.exe
  C:\Windows\System32\AyjezqI.exe
  2⤵
  PID:3720
- C:\Windows\System32\JSABEoj.exe
  C:\Windows\System32\JSABEoj.exe
  2⤵
  PID:5304
- C:\Windows\System32\XqriwDs.exe
  C:\Windows\System32\XqriwDs.exe
  2⤵
  PID:5544
- C:\Windows\System32\UZsOQaa.exe
  C:\Windows\System32\UZsOQaa.exe
  2⤵
  PID:5880
- C:\Windows\System32\TeymfoA.exe
  C:\Windows\System32\TeymfoA.exe
  2⤵
  PID:6160
- C:\Windows\System32\rQMysEZ.exe
  C:\Windows\System32\rQMysEZ.exe
  2⤵
  PID:6248
- C:\Windows\System32\tBuzTKE.exe
  C:\Windows\System32\tBuzTKE.exe
  2⤵
  PID:6300
- C:\Windows\System32\BtTxgGL.exe
  C:\Windows\System32\BtTxgGL.exe
  2⤵
  PID:6384
- C:\Windows\System32\ugZigQt.exe
  C:\Windows\System32\ugZigQt.exe
  2⤵
  PID:6440
- C:\Windows\System32\htqXchE.exe
  C:\Windows\System32\htqXchE.exe
  2⤵
  PID:6508
- C:\Windows\System32\grQocpV.exe
  C:\Windows\System32\grQocpV.exe
  2⤵
  PID:6576
- C:\Windows\System32\PiIFpHg.exe
  C:\Windows\System32\PiIFpHg.exe
  2⤵
  PID:6640
- C:\Windows\System32\WdDluNS.exe
  C:\Windows\System32\WdDluNS.exe
  2⤵
  PID:6704
- C:\Windows\System32\AmUvaJP.exe
  C:\Windows\System32\AmUvaJP.exe
  2⤵
  PID:6788
- C:\Windows\System32\tihpXJd.exe
  C:\Windows\System32\tihpXJd.exe
  2⤵
  PID:6860
- C:\Windows\System32\BLvTfQV.exe
  C:\Windows\System32\BLvTfQV.exe
  2⤵
  PID:6900
- C:\Windows\System32\jrUzSUA.exe
  C:\Windows\System32\jrUzSUA.exe
  2⤵
  PID:6948
- C:\Windows\System32\wfMBTKf.exe
  C:\Windows\System32\wfMBTKf.exe
  2⤵
  PID:7012
- C:\Windows\System32\SwGeCJV.exe
  C:\Windows\System32\SwGeCJV.exe
  2⤵
  PID:7096
- C:\Windows\System32\jskGDkC.exe
  C:\Windows\System32\jskGDkC.exe
  2⤵
  PID:7140
- C:\Windows\System32\UNeKyWO.exe
  C:\Windows\System32\UNeKyWO.exe
  2⤵
  PID:1896
- C:\Windows\System32\hPwUeyN.exe
  C:\Windows\System32\hPwUeyN.exe
  2⤵
  PID:5660
- C:\Windows\System32\SXkJppG.exe
  C:\Windows\System32\SXkJppG.exe
  2⤵
  PID:3004
- C:\Windows\System32\usAUDjq.exe
  C:\Windows\System32\usAUDjq.exe
  2⤵
  PID:6340
- C:\Windows\System32\nENfWvs.exe
  C:\Windows\System32\nENfWvs.exe
  2⤵
  PID:6468
- C:\Windows\System32\tpnmYtL.exe
  C:\Windows\System32\tpnmYtL.exe
  2⤵
  PID:6592
- C:\Windows\System32\cqyYBJf.exe
  C:\Windows\System32\cqyYBJf.exe
  2⤵
  PID:6720
- C:\Windows\System32\SjcgamM.exe
  C:\Windows\System32\SjcgamM.exe
  2⤵
  PID:6892
- C:\Windows\System32\SeqAJob.exe
  C:\Windows\System32\SeqAJob.exe
  2⤵
  PID:7032
- C:\Windows\System32\mugBBNP.exe
  C:\Windows\System32\mugBBNP.exe
  2⤵
  PID:3380
- C:\Windows\System32\PALKWcB.exe
  C:\Windows\System32\PALKWcB.exe
  2⤵
  PID:7180
- C:\Windows\System32\HKKCorG.exe
  C:\Windows\System32\HKKCorG.exe
  2⤵
  PID:7208
- C:\Windows\System32\ygSoeij.exe
  C:\Windows\System32\ygSoeij.exe
  2⤵
  PID:7232
- C:\Windows\System32\yNYgRmw.exe
  C:\Windows\System32\yNYgRmw.exe
  2⤵
  PID:7276
- C:\Windows\System32\NPEURUN.exe
  C:\Windows\System32\NPEURUN.exe
  2⤵
  PID:7292
- C:\Windows\System32\KxOjtku.exe
  C:\Windows\System32\KxOjtku.exe
  2⤵
  PID:7320
- C:\Windows\System32\SKlVCdR.exe
  C:\Windows\System32\SKlVCdR.exe
  2⤵
  PID:7348
- C:\Windows\System32\CtPwdpa.exe
  C:\Windows\System32\CtPwdpa.exe
  2⤵
  PID:7376
- C:\Windows\System32\knFVBMm.exe
  C:\Windows\System32\knFVBMm.exe
  2⤵
  PID:7404
- C:\Windows\System32\BnGUNag.exe
  C:\Windows\System32\BnGUNag.exe
  2⤵
  PID:7432
- C:\Windows\System32\HETpuSZ.exe
  C:\Windows\System32\HETpuSZ.exe
  2⤵
  PID:7472
- C:\Windows\System32\DdsBroA.exe
  C:\Windows\System32\DdsBroA.exe
  2⤵
  PID:7488
- C:\Windows\System32\hkRbdeM.exe
  C:\Windows\System32\hkRbdeM.exe
  2⤵
  PID:7528
- C:\Windows\System32\RVzANBO.exe
  C:\Windows\System32\RVzANBO.exe
  2⤵
  PID:7544
- C:\Windows\System32\pvnMAoZ.exe
  C:\Windows\System32\pvnMAoZ.exe
  2⤵
  PID:7568
- C:\Windows\System32\GyyiFjq.exe
  C:\Windows\System32\GyyiFjq.exe
  2⤵
  PID:7600
- C:\Windows\System32\YrbkMUP.exe
  C:\Windows\System32\YrbkMUP.exe
  2⤵
  PID:7628
- C:\Windows\System32\xqGlhIN.exe
  C:\Windows\System32\xqGlhIN.exe
  2⤵
  PID:7656
- C:\Windows\System32\dyyVkDc.exe
  C:\Windows\System32\dyyVkDc.exe
  2⤵
  PID:7696
- C:\Windows\System32\idmfrcG.exe
  C:\Windows\System32\idmfrcG.exe
  2⤵
  PID:7712
- C:\Windows\System32\PJZjZlh.exe
  C:\Windows\System32\PJZjZlh.exe
  2⤵
  PID:7752
- C:\Windows\System32\tBghset.exe
  C:\Windows\System32\tBghset.exe
  2⤵
  PID:7768
- C:\Windows\System32\ghyZkda.exe
  C:\Windows\System32\ghyZkda.exe
  2⤵
  PID:7796
- C:\Windows\System32\vLcoNsx.exe
  C:\Windows\System32\vLcoNsx.exe
  2⤵
  PID:7836
- C:\Windows\System32\cCtdAeg.exe
  C:\Windows\System32\cCtdAeg.exe
  2⤵
  PID:7852
- C:\Windows\System32\PpgZptx.exe
  C:\Windows\System32\PpgZptx.exe
  2⤵
  PID:7876
- C:\Windows\System32\ZYboFaW.exe
  C:\Windows\System32\ZYboFaW.exe
  2⤵
  PID:7908
- C:\Windows\System32\eGsNsIL.exe
  C:\Windows\System32\eGsNsIL.exe
  2⤵
  PID:7936
- C:\Windows\System32\ABcyswG.exe
  C:\Windows\System32\ABcyswG.exe
  2⤵
  PID:7964
- C:\Windows\System32\zpELSKN.exe
  C:\Windows\System32\zpELSKN.exe
  2⤵
  PID:7992
- C:\Windows\System32\QBulyyA.exe
  C:\Windows\System32\QBulyyA.exe
  2⤵
  PID:8020
- C:\Windows\System32\OmsMEjN.exe
  C:\Windows\System32\OmsMEjN.exe
  2⤵
  PID:8048
- C:\Windows\System32\LjShXna.exe
  C:\Windows\System32\LjShXna.exe
  2⤵
  PID:8076
- C:\Windows\System32\vpBACae.exe
  C:\Windows\System32\vpBACae.exe
  2⤵
  PID:8104
- C:\Windows\System32\YOyXWHO.exe
  C:\Windows\System32\YOyXWHO.exe
  2⤵
  PID:8132
- C:\Windows\System32\bAGgtPC.exe
  C:\Windows\System32\bAGgtPC.exe
  2⤵
  PID:8160
- C:\Windows\System32\BZedBJi.exe
  C:\Windows\System32\BZedBJi.exe
  2⤵
  PID:8184
- C:\Windows\System32\dRTRJuQ.exe
  C:\Windows\System32\dRTRJuQ.exe
  2⤵
  PID:4112
- C:\Windows\System32\MdJXCpC.exe
  C:\Windows\System32\MdJXCpC.exe
  2⤵
  PID:6752
- C:\Windows\System32\BchJCHQ.exe
  C:\Windows\System32\BchJCHQ.exe
  2⤵
  PID:7248
- C:\Windows\System32\dkOkDSR.exe
  C:\Windows\System32\dkOkDSR.exe
  2⤵
  PID:7368
- C:\Windows\System32\lNMVwrK.exe
  C:\Windows\System32\lNMVwrK.exe
  2⤵
  PID:1976
- C:\Windows\System32\VeBDZyo.exe
  C:\Windows\System32\VeBDZyo.exe
  2⤵
  PID:7484
- C:\Windows\System32\KPHecGr.exe
  C:\Windows\System32\KPHecGr.exe
  2⤵
  PID:7536
- C:\Windows\System32\UkekXXr.exe
  C:\Windows\System32\UkekXXr.exe
  2⤵
  PID:4616
- C:\Windows\System32\nYGNKEa.exe
  C:\Windows\System32\nYGNKEa.exe
  2⤵
  PID:7608
- C:\Windows\System32\NpEdnpb.exe
  C:\Windows\System32\NpEdnpb.exe
  2⤵
  PID:7764
- C:\Windows\System32\rKzPFzO.exe
  C:\Windows\System32\rKzPFzO.exe
  2⤵
  PID:4628
- C:\Windows\System32\yyBWiwf.exe
  C:\Windows\System32\yyBWiwf.exe
  2⤵
  PID:7864
- C:\Windows\System32\mSZDHWb.exe
  C:\Windows\System32\mSZDHWb.exe
  2⤵
  PID:2692
- C:\Windows\System32\QhvFiMp.exe
  C:\Windows\System32\QhvFiMp.exe
  2⤵
  PID:4472
- C:\Windows\System32\NXYotvd.exe
  C:\Windows\System32\NXYotvd.exe
  2⤵
  PID:1340
- C:\Windows\System32\bnJtJPi.exe
  C:\Windows\System32\bnJtJPi.exe
  2⤵
  PID:7972
- C:\Windows\System32\RwTrdZS.exe
  C:\Windows\System32\RwTrdZS.exe
  2⤵
  PID:8028
- C:\Windows\System32\wZCRCtb.exe
  C:\Windows\System32\wZCRCtb.exe
  2⤵
  PID:432
- C:\Windows\System32\rLOpWiR.exe
  C:\Windows\System32\rLOpWiR.exe
  2⤵
  PID:6312
- C:\Windows\System32\gbAJBeK.exe
  C:\Windows\System32\gbAJBeK.exe
  2⤵
  PID:7192
- C:\Windows\System32\nJXiTem.exe
  C:\Windows\System32\nJXiTem.exe
  2⤵
  PID:6804
- C:\Windows\System32\iQrDWfM.exe
  C:\Windows\System32\iQrDWfM.exe
  2⤵
  PID:4608
- C:\Windows\System32\pIpzdkp.exe
  C:\Windows\System32\pIpzdkp.exe
  2⤵
  PID:7312
- C:\Windows\System32\gDqbahq.exe
  C:\Windows\System32\gDqbahq.exe
  2⤵
  PID:7412
- C:\Windows\System32\wGWurgV.exe
  C:\Windows\System32\wGWurgV.exe
  2⤵
  PID:7556
- C:\Windows\System32\eqONach.exe
  C:\Windows\System32\eqONach.exe
  2⤵
  PID:7788
- C:\Windows\System32\kxUmkTZ.exe
  C:\Windows\System32\kxUmkTZ.exe
  2⤵
  PID:396
- C:\Windows\System32\TagTTKb.exe
  C:\Windows\System32\TagTTKb.exe
  2⤵
  PID:3996
- C:\Windows\System32\CEgqkAS.exe
  C:\Windows\System32\CEgqkAS.exe
  2⤵
  PID:8068
- C:\Windows\System32\UznwXAw.exe
  C:\Windows\System32\UznwXAw.exe
  2⤵
  PID:1944
- C:\Windows\System32\oJTdQAt.exe
  C:\Windows\System32\oJTdQAt.exe
  2⤵
  PID:7584
- C:\Windows\System32\PvvirpQ.exe
  C:\Windows\System32\PvvirpQ.exe
  2⤵
  PID:7200
- C:\Windows\System32\XUjzooi.exe
  C:\Windows\System32\XUjzooi.exe
  2⤵
  PID:7640
- C:\Windows\System32\ZtzcxHT.exe
  C:\Windows\System32\ZtzcxHT.exe
  2⤵
  PID:4288
- C:\Windows\System32\BkCxKAo.exe
  C:\Windows\System32\BkCxKAo.exe
  2⤵
  PID:6620
- C:\Windows\System32\vGkpoBn.exe
  C:\Windows\System32\vGkpoBn.exe
  2⤵
  PID:7416
- C:\Windows\System32\xofXuUk.exe
  C:\Windows\System32\xofXuUk.exe
  2⤵
  PID:7900
- C:\Windows\System32\xjWCYee.exe
  C:\Windows\System32\xjWCYee.exe
  2⤵
  PID:5072
- C:\Windows\System32\XfkOGDz.exe
  C:\Windows\System32\XfkOGDz.exe
  2⤵
  PID:8208
- C:\Windows\System32\zMRyXJV.exe
  C:\Windows\System32\zMRyXJV.exe
  2⤵
  PID:8236
- C:\Windows\System32\PDIbhPA.exe
  C:\Windows\System32\PDIbhPA.exe
  2⤵
  PID:8264
- C:\Windows\System32\NtBpvYg.exe
  C:\Windows\System32\NtBpvYg.exe
  2⤵
  PID:8280
- C:\Windows\System32\JTJesvW.exe
  C:\Windows\System32\JTJesvW.exe
  2⤵
  PID:8320
- C:\Windows\System32\likXlnv.exe
  C:\Windows\System32\likXlnv.exe
  2⤵
  PID:8336
- C:\Windows\System32\UkqzDqO.exe
  C:\Windows\System32\UkqzDqO.exe
  2⤵
  PID:8380
- C:\Windows\System32\cPvESjP.exe
  C:\Windows\System32\cPvESjP.exe
  2⤵
  PID:8404
- C:\Windows\System32\jTGLcdb.exe
  C:\Windows\System32\jTGLcdb.exe
  2⤵
  PID:8420
- C:\Windows\System32\EaIWUaf.exe
  C:\Windows\System32\EaIWUaf.exe
  2⤵
  PID:8444
- C:\Windows\System32\bgQPnfP.exe
  C:\Windows\System32\bgQPnfP.exe
  2⤵
  PID:8480
- C:\Windows\System32\lxdfAFD.exe
  C:\Windows\System32\lxdfAFD.exe
  2⤵
  PID:8520
- C:\Windows\System32\GbZOkcQ.exe
  C:\Windows\System32\GbZOkcQ.exe
  2⤵
  PID:8548
- C:\Windows\System32\VClocVA.exe
  C:\Windows\System32\VClocVA.exe
  2⤵
  PID:8580
- C:\Windows\System32\EAHTpei.exe
  C:\Windows\System32\EAHTpei.exe
  2⤵
  PID:8600
- C:\Windows\System32\IgZEugQ.exe
  C:\Windows\System32\IgZEugQ.exe
  2⤵
  PID:8644
- C:\Windows\System32\MmRVdVp.exe
  C:\Windows\System32\MmRVdVp.exe
  2⤵
  PID:8672
- C:\Windows\System32\OGmSLTQ.exe
  C:\Windows\System32\OGmSLTQ.exe
  2⤵
  PID:8688
- C:\Windows\System32\QoesWRV.exe
  C:\Windows\System32\QoesWRV.exe
  2⤵
  PID:8716
- C:\Windows\System32\BfIbsOo.exe
  C:\Windows\System32\BfIbsOo.exe
  2⤵
  PID:8744
- C:\Windows\System32\LjQdNfY.exe
  C:\Windows\System32\LjQdNfY.exe
  2⤵
  PID:8776
- C:\Windows\System32\gshHWhW.exe
  C:\Windows\System32\gshHWhW.exe
  2⤵
  PID:8808
- C:\Windows\System32\vusBInh.exe
  C:\Windows\System32\vusBInh.exe
  2⤵
  PID:8836
- C:\Windows\System32\OXJpWQe.exe
  C:\Windows\System32\OXJpWQe.exe
  2⤵
  PID:8864
- C:\Windows\System32\JyOVZlA.exe
  C:\Windows\System32\JyOVZlA.exe
  2⤵
  PID:8896
- C:\Windows\System32\jzkjMQi.exe
  C:\Windows\System32\jzkjMQi.exe
  2⤵
  PID:8936
- C:\Windows\System32\yBFCKhO.exe
  C:\Windows\System32\yBFCKhO.exe
  2⤵
  PID:8976
- C:\Windows\System32\yMjhhdw.exe
  C:\Windows\System32\yMjhhdw.exe
  2⤵
  PID:8996
- C:\Windows\System32\uqGQCvR.exe
  C:\Windows\System32\uqGQCvR.exe
  2⤵
  PID:9024
- C:\Windows\System32\GXtAigr.exe
  C:\Windows\System32\GXtAigr.exe
  2⤵
  PID:9052
- C:\Windows\System32\lPVUKTO.exe
  C:\Windows\System32\lPVUKTO.exe
  2⤵
  PID:9080
- C:\Windows\System32\XiUIgsy.exe
  C:\Windows\System32\XiUIgsy.exe
  2⤵
  PID:9108
- C:\Windows\System32\suaCHzu.exe
  C:\Windows\System32\suaCHzu.exe
  2⤵
  PID:9136
- C:\Windows\System32\EvAYjaj.exe
  C:\Windows\System32\EvAYjaj.exe
  2⤵
  PID:9176
- C:\Windows\System32\cWSGxXI.exe
  C:\Windows\System32\cWSGxXI.exe
  2⤵
  PID:9192
- C:\Windows\System32\WCDbLYs.exe
  C:\Windows\System32\WCDbLYs.exe
  2⤵
  PID:8220
- C:\Windows\System32\mFyfVdu.exe
  C:\Windows\System32\mFyfVdu.exe
  2⤵
  PID:8276
- C:\Windows\System32\kTIKBre.exe
  C:\Windows\System32\kTIKBre.exe
  2⤵
  PID:8348
- C:\Windows\System32\aALKElC.exe
  C:\Windows\System32\aALKElC.exe
  2⤵
  PID:8388
- C:\Windows\System32\dauSexT.exe
  C:\Windows\System32\dauSexT.exe
  2⤵
  PID:8492
- C:\Windows\System32\fshlrXY.exe
  C:\Windows\System32\fshlrXY.exe
  2⤵
  PID:8532
- C:\Windows\System32\sJxcdix.exe
  C:\Windows\System32\sJxcdix.exe
  2⤵
  PID:5000
- C:\Windows\System32\odAtRBT.exe
  C:\Windows\System32\odAtRBT.exe
  2⤵
  PID:8568
- C:\Windows\System32\UaUuFSh.exe
  C:\Windows\System32\UaUuFSh.exe
  2⤵
  PID:8620
- C:\Windows\System32\oWRdYbi.exe
  C:\Windows\System32\oWRdYbi.exe
  2⤵
  PID:8704
- C:\Windows\System32\YcjbFim.exe
  C:\Windows\System32\YcjbFim.exe
  2⤵
  PID:8760
- C:\Windows\System32\jFnAcNp.exe
  C:\Windows\System32\jFnAcNp.exe
  2⤵
  PID:8912
- C:\Windows\System32\dCCbgbw.exe
  C:\Windows\System32\dCCbgbw.exe
  2⤵
  PID:8988
- C:\Windows\System32\lkYBACf.exe
  C:\Windows\System32\lkYBACf.exe
  2⤵
  PID:9020
- C:\Windows\System32\oHadUAn.exe
  C:\Windows\System32\oHadUAn.exe
  2⤵
  PID:9064
- C:\Windows\System32\XNTOTpC.exe
  C:\Windows\System32\XNTOTpC.exe
  2⤵
  PID:9168
- C:\Windows\System32\kXkEZkI.exe
  C:\Windows\System32\kXkEZkI.exe
  2⤵
  PID:6396
- C:\Windows\System32\FMoLJJF.exe
  C:\Windows\System32\FMoLJJF.exe
  2⤵
  PID:8376
- C:\Windows\System32\FtsaMTu.exe
  C:\Windows\System32\FtsaMTu.exe
  2⤵
  PID:8168
- C:\Windows\System32\gAWteOI.exe
  C:\Windows\System32\gAWteOI.exe
  2⤵
  PID:8608
- C:\Windows\System32\ggdvSRj.exe
  C:\Windows\System32\ggdvSRj.exe
  2⤵
  PID:8768
- C:\Windows\System32\TyEvphN.exe
  C:\Windows\System32\TyEvphN.exe
  2⤵
  PID:8948
- C:\Windows\System32\QqivyCF.exe
  C:\Windows\System32\QqivyCF.exe
  2⤵
  PID:9128
- C:\Windows\System32\evplrHv.exe
  C:\Windows\System32\evplrHv.exe
  2⤵
  PID:9204
- C:\Windows\System32\iJspzcF.exe
  C:\Windows\System32\iJspzcF.exe
  2⤵
  PID:8476
- C:\Windows\System32\QWJaAkA.exe
  C:\Windows\System32\QWJaAkA.exe
  2⤵
  PID:9072
- C:\Windows\System32\idlzzVs.exe
  C:\Windows\System32\idlzzVs.exe
  2⤵
  PID:8332
- C:\Windows\System32\kfgfgQa.exe
  C:\Windows\System32\kfgfgQa.exe
  2⤵
  PID:8844
- C:\Windows\System32\PgWasag.exe
  C:\Windows\System32\PgWasag.exe
  2⤵
  PID:9220
- C:\Windows\System32\MqaZtdq.exe
  C:\Windows\System32\MqaZtdq.exe
  2⤵
  PID:9240
- C:\Windows\System32\UeBMxUJ.exe
  C:\Windows\System32\UeBMxUJ.exe
  2⤵
  PID:9268
- C:\Windows\System32\PyzrcQa.exe
  C:\Windows\System32\PyzrcQa.exe
  2⤵
  PID:9320
- C:\Windows\System32\iwpvwJr.exe
  C:\Windows\System32\iwpvwJr.exe
  2⤵
  PID:9352
- C:\Windows\System32\DXJyMMz.exe
  C:\Windows\System32\DXJyMMz.exe
  2⤵
  PID:9380
- C:\Windows\System32\UJELGED.exe
  C:\Windows\System32\UJELGED.exe
  2⤵
  PID:9412
- C:\Windows\System32\dhyMLZY.exe
  C:\Windows\System32\dhyMLZY.exe
  2⤵
  PID:9428
- C:\Windows\System32\DnIHpoN.exe
  C:\Windows\System32\DnIHpoN.exe
  2⤵
  PID:9456
- C:\Windows\System32\VWJlTkc.exe
  C:\Windows\System32\VWJlTkc.exe
  2⤵
  PID:9484
- C:\Windows\System32\kxwhErM.exe
  C:\Windows\System32\kxwhErM.exe
  2⤵
  PID:9524
- C:\Windows\System32\rzuOBCx.exe
  C:\Windows\System32\rzuOBCx.exe
  2⤵
  PID:9540
- C:\Windows\System32\dXGinrg.exe
  C:\Windows\System32\dXGinrg.exe
  2⤵
  PID:9580
- C:\Windows\System32\cNKhQJN.exe
  C:\Windows\System32\cNKhQJN.exe
  2⤵
  PID:9608
- C:\Windows\System32\GXnRrGM.exe
  C:\Windows\System32\GXnRrGM.exe
  2⤵
  PID:9636
- C:\Windows\System32\cBnNXTy.exe
  C:\Windows\System32\cBnNXTy.exe
  2⤵
  PID:9664
- C:\Windows\System32\eoIfBXY.exe
  C:\Windows\System32\eoIfBXY.exe
  2⤵
  PID:9680
- C:\Windows\System32\jqknkAL.exe
  C:\Windows\System32\jqknkAL.exe
  2⤵
  PID:9712
- C:\Windows\System32\nyEmEYE.exe
  C:\Windows\System32\nyEmEYE.exe
  2⤵
  PID:9740
- C:\Windows\System32\CIWnSIy.exe
  C:\Windows\System32\CIWnSIy.exe
  2⤵
  PID:9768
- C:\Windows\System32\gqXOKZN.exe
  C:\Windows\System32\gqXOKZN.exe
  2⤵
  PID:9800
- C:\Windows\System32\IbgCGjB.exe
  C:\Windows\System32\IbgCGjB.exe
  2⤵
  PID:9836
- C:\Windows\System32\ipeqEBH.exe
  C:\Windows\System32\ipeqEBH.exe
  2⤵
  PID:9852
- C:\Windows\System32\fyxWUVe.exe
  C:\Windows\System32\fyxWUVe.exe
  2⤵
  PID:9880
- C:\Windows\System32\UwtqArk.exe
  C:\Windows\System32\UwtqArk.exe
  2⤵
  PID:9920
- C:\Windows\System32\BNYcoVf.exe
  C:\Windows\System32\BNYcoVf.exe
  2⤵
  PID:9948
- C:\Windows\System32\oITUAnI.exe
  C:\Windows\System32\oITUAnI.exe
  2⤵
  PID:9976
- C:\Windows\System32\FjgcGvw.exe
  C:\Windows\System32\FjgcGvw.exe
  2⤵
  PID:10000
- C:\Windows\System32\JhOESLH.exe
  C:\Windows\System32\JhOESLH.exe
  2⤵
  PID:10016
- C:\Windows\System32\iDHuWjZ.exe
  C:\Windows\System32\iDHuWjZ.exe
  2⤵
  PID:10044
- C:\Windows\System32\cnVVvFE.exe
  C:\Windows\System32\cnVVvFE.exe
  2⤵
  PID:10088
- C:\Windows\System32\kMVnlNK.exe
  C:\Windows\System32\kMVnlNK.exe
  2⤵
  PID:10112
- C:\Windows\System32\UZvIsPq.exe
  C:\Windows\System32\UZvIsPq.exe
  2⤵
  PID:10148
- C:\Windows\System32\nBsDhFp.exe
  C:\Windows\System32\nBsDhFp.exe
  2⤵
  PID:10168
- C:\Windows\System32\DlnYgde.exe
  C:\Windows\System32\DlnYgde.exe
  2⤵
  PID:10204
- C:\Windows\System32\uFwpnZe.exe
  C:\Windows\System32\uFwpnZe.exe
  2⤵
  PID:10220
- C:\Windows\System32\AzsuuBZ.exe
  C:\Windows\System32\AzsuuBZ.exe
  2⤵
  PID:9228
- C:\Windows\System32\bmdKGEh.exe
  C:\Windows\System32\bmdKGEh.exe
  2⤵
  PID:9300
- C:\Windows\System32\PMwaDLE.exe
  C:\Windows\System32\PMwaDLE.exe
  2⤵
  PID:9400
- C:\Windows\System32\ZodxawQ.exe
  C:\Windows\System32\ZodxawQ.exe
  2⤵
  PID:9420
- C:\Windows\System32\txBHgSo.exe
  C:\Windows\System32\txBHgSo.exe
  2⤵
  PID:9480
- C:\Windows\System32\ZZtHAyv.exe
  C:\Windows\System32\ZZtHAyv.exe
  2⤵
  PID:9532
- C:\Windows\System32\fpZjOWD.exe
  C:\Windows\System32\fpZjOWD.exe
  2⤵
  PID:9672
- C:\Windows\System32\cCUhFEf.exe
  C:\Windows\System32\cCUhFEf.exe
  2⤵
  PID:9692
- C:\Windows\System32\ePMkIyS.exe
  C:\Windows\System32\ePMkIyS.exe
  2⤵
  PID:9756
- C:\Windows\System32\YjIdWEa.exe
  C:\Windows\System32\YjIdWEa.exe
  2⤵
  PID:9816
- C:\Windows\System32\IxQSnZr.exe
  C:\Windows\System32\IxQSnZr.exe
  2⤵
  PID:9912
- C:\Windows\System32\XDraKUt.exe
  C:\Windows\System32\XDraKUt.exe
  2⤵
  PID:9944
- C:\Windows\System32\fOkmAEZ.exe
  C:\Windows\System32\fOkmAEZ.exe
  2⤵
  PID:9984
- C:\Windows\System32\jpeJrvN.exe
  C:\Windows\System32\jpeJrvN.exe
  2⤵
  PID:10008
- C:\Windows\System32\WWqWkZa.exe
  C:\Windows\System32\WWqWkZa.exe
  2⤵
  PID:10144
- C:\Windows\System32\YSavLBX.exe
  C:\Windows\System32\YSavLBX.exe
  2⤵
  PID:10188
- C:\Windows\System32\okNtAdv.exe
  C:\Windows\System32\okNtAdv.exe
  2⤵
  PID:9376
- C:\Windows\System32\BBZoMFw.exe
  C:\Windows\System32\BBZoMFw.exe
  2⤵
  PID:9444
- C:\Windows\System32\bASCPiw.exe
  C:\Windows\System32\bASCPiw.exe
  2⤵
  PID:9628
- C:\Windows\System32\cPEMMNs.exe
  C:\Windows\System32\cPEMMNs.exe
  2⤵
  PID:9824
- C:\Windows\System32\QzSmmIl.exe
  C:\Windows\System32\QzSmmIl.exe
  2⤵
  PID:9972
- C:\Windows\System32\nfjSWFW.exe
  C:\Windows\System32\nfjSWFW.exe
  2⤵
  PID:10120
- C:\Windows\System32\xkFVyEE.exe
  C:\Windows\System32\xkFVyEE.exe
  2⤵
  PID:10212
- C:\Windows\System32\JGaMsMf.exe
  C:\Windows\System32\JGaMsMf.exe
  2⤵
  PID:9520
- C:\Windows\System32\cemPQIc.exe
  C:\Windows\System32\cemPQIc.exe
  2⤵
  PID:9864
- C:\Windows\System32\WOsGHsv.exe
  C:\Windows\System32\WOsGHsv.exe
  2⤵
  PID:10176
- C:\Windows\System32\nqdzcXN.exe
  C:\Windows\System32\nqdzcXN.exe
  2⤵
  PID:10028
- C:\Windows\System32\nBtBnny.exe
  C:\Windows\System32\nBtBnny.exe
  2⤵
  PID:10252
- C:\Windows\System32\HlpOkEV.exe
  C:\Windows\System32\HlpOkEV.exe
  2⤵
  PID:10280
- C:\Windows\System32\SqjJDZN.exe
  C:\Windows\System32\SqjJDZN.exe
  2⤵
  PID:10324
- C:\Windows\System32\sodRRHa.exe
  C:\Windows\System32\sodRRHa.exe
  2⤵
  PID:10348
- C:\Windows\System32\LVRlqrY.exe
  C:\Windows\System32\LVRlqrY.exe
  2⤵
  PID:10376
- C:\Windows\System32\MXYzhmu.exe
  C:\Windows\System32\MXYzhmu.exe
  2⤵
  PID:10400
- C:\Windows\System32\jawFWVj.exe
  C:\Windows\System32\jawFWVj.exe
  2⤵
  PID:10432
- C:\Windows\System32\cEVcJYQ.exe
  C:\Windows\System32\cEVcJYQ.exe
  2⤵
  PID:10464
- C:\Windows\System32\qBfxgVZ.exe
  C:\Windows\System32\qBfxgVZ.exe
  2⤵
  PID:10496
- C:\Windows\System32\oppqOuJ.exe
  C:\Windows\System32\oppqOuJ.exe
  2⤵
  PID:10512
- C:\Windows\System32\UlSUlix.exe
  C:\Windows\System32\UlSUlix.exe
  2⤵
  PID:10540
- C:\Windows\System32\HaofGRi.exe
  C:\Windows\System32\HaofGRi.exe
  2⤵
  PID:10568
- C:\Windows\System32\fHqnWXA.exe
  C:\Windows\System32\fHqnWXA.exe
  2⤵
  PID:10600
- C:\Windows\System32\pcCjgcG.exe
  C:\Windows\System32\pcCjgcG.exe
  2⤵
  PID:10628
- C:\Windows\System32\SiYjWHn.exe
  C:\Windows\System32\SiYjWHn.exe
  2⤵
  PID:10660
- C:\Windows\System32\hpfXJaZ.exe
  C:\Windows\System32\hpfXJaZ.exe
  2⤵
  PID:10696
- C:\Windows\System32\MBjPRtY.exe
  C:\Windows\System32\MBjPRtY.exe
  2⤵
  PID:10712
- C:\Windows\System32\kuqKZPW.exe
  C:\Windows\System32\kuqKZPW.exe
  2⤵
  PID:10752
- C:\Windows\System32\kXACzmJ.exe
  C:\Windows\System32\kXACzmJ.exe
  2⤵
  PID:10772
- C:\Windows\System32\LcLGqAG.exe
  C:\Windows\System32\LcLGqAG.exe
  2⤵
  PID:10812
- C:\Windows\System32\xZLLZog.exe
  C:\Windows\System32\xZLLZog.exe
  2⤵
  PID:10836
- C:\Windows\System32\HWpgeGK.exe
  C:\Windows\System32\HWpgeGK.exe
  2⤵
  PID:10864
- C:\Windows\System32\klVKhdd.exe
  C:\Windows\System32\klVKhdd.exe
  2⤵
  PID:10880
- C:\Windows\System32\VnJrpvX.exe
  C:\Windows\System32\VnJrpvX.exe
  2⤵
  PID:10912
- C:\Windows\System32\ZUNTRwe.exe
  C:\Windows\System32\ZUNTRwe.exe
  2⤵
  PID:10936
- C:\Windows\System32\yDAqSps.exe
  C:\Windows\System32\yDAqSps.exe
  2⤵
  PID:10960
- C:\Windows\System32\BJRVyMO.exe
  C:\Windows\System32\BJRVyMO.exe
  2⤵
  PID:10988
- C:\Windows\System32\nLeJsfI.exe
  C:\Windows\System32\nLeJsfI.exe
  2⤵
  PID:11024
- C:\Windows\System32\dVyIlgb.exe
  C:\Windows\System32\dVyIlgb.exe
  2⤵
  PID:11048
- C:\Windows\System32\yaEGjLh.exe
  C:\Windows\System32\yaEGjLh.exe
  2⤵
  PID:11080
- C:\Windows\System32\SykQoPS.exe
  C:\Windows\System32\SykQoPS.exe
  2⤵
  PID:11116
- C:\Windows\System32\TUgjElB.exe
  C:\Windows\System32\TUgjElB.exe
  2⤵
  PID:11144
- C:\Windows\System32\ejyOYTT.exe
  C:\Windows\System32\ejyOYTT.exe
  2⤵
  PID:11160
- C:\Windows\System32\crLMlHz.exe
  C:\Windows\System32\crLMlHz.exe
  2⤵
  PID:11188
- C:\Windows\System32\oJzHanA.exe
  C:\Windows\System32\oJzHanA.exe
  2⤵
  PID:11228
- C:\Windows\System32\xupkCFm.exe
  C:\Windows\System32\xupkCFm.exe
  2⤵
  PID:11248
- C:\Windows\System32\iFYuRhI.exe
  C:\Windows\System32\iFYuRhI.exe
  2⤵
  PID:9388
- C:\Windows\System32\zsTPltq.exe
  C:\Windows\System32\zsTPltq.exe
  2⤵
  PID:10300
- C:\Windows\System32\AGdyYXa.exe
  C:\Windows\System32\AGdyYXa.exe
  2⤵
  PID:10372
- C:\Windows\System32\HebhsWP.exe
  C:\Windows\System32\HebhsWP.exe
  2⤵
  PID:10484
- C:\Windows\System32\zAXUdIj.exe
  C:\Windows\System32\zAXUdIj.exe
  2⤵
  PID:10532
- C:\Windows\System32\gTJIvQL.exe
  C:\Windows\System32\gTJIvQL.exe
  2⤵
  PID:10608
- C:\Windows\System32\BDHLkcG.exe
  C:\Windows\System32\BDHLkcG.exe
  2⤵
  PID:10680
- C:\Windows\System32\SItZgaP.exe
  C:\Windows\System32\SItZgaP.exe
  2⤵
  PID:10748
- C:\Windows\System32\NohLsZj.exe
  C:\Windows\System32\NohLsZj.exe
  2⤵
  PID:10780
- C:\Windows\System32\lhmDBcj.exe
  C:\Windows\System32\lhmDBcj.exe
  2⤵
  PID:10828
- C:\Windows\System32\bkMxKWQ.exe
  C:\Windows\System32\bkMxKWQ.exe
  2⤵
  PID:10896
- C:\Windows\System32\yjQzRqP.exe
  C:\Windows\System32\yjQzRqP.exe
  2⤵
  PID:11004
- C:\Windows\System32\mFvIZsc.exe
  C:\Windows\System32\mFvIZsc.exe
  2⤵
  PID:11088
- C:\Windows\System32\ACrFUKk.exe
  C:\Windows\System32\ACrFUKk.exe
  2⤵
  PID:11108
- C:\Windows\System32\aCabmaP.exe
  C:\Windows\System32\aCabmaP.exe
  2⤵
  PID:11180
- C:\Windows\System32\sLKoImj.exe
  C:\Windows\System32\sLKoImj.exe
  2⤵
  PID:11236
- C:\Windows\System32\hqnOBjQ.exe
  C:\Windows\System32\hqnOBjQ.exe
  2⤵
  PID:10272
- C:\Windows\System32\smQzuKn.exe
  C:\Windows\System32\smQzuKn.exe
  2⤵
  PID:10508
- C:\Windows\System32\QpRQbYc.exe
  C:\Windows\System32\QpRQbYc.exe
  2⤵
  PID:10636
- C:\Windows\System32\egTsuYH.exe
  C:\Windows\System32\egTsuYH.exe
  2⤵
  PID:10784
- C:\Windows\System32\MViznET.exe
  C:\Windows\System32\MViznET.exe
  2⤵
  PID:10904
- C:\Windows\System32\OObAXfk.exe
  C:\Windows\System32\OObAXfk.exe
  2⤵
  PID:11132
- C:\Windows\System32\YthHSXP.exe
  C:\Windows\System32\YthHSXP.exe
  2⤵
  PID:9700
- C:\Windows\System32\AhISjmy.exe
  C:\Windows\System32\AhISjmy.exe
  2⤵
  PID:10640
- C:\Windows\System32\BWppJvf.exe
  C:\Windows\System32\BWppJvf.exe
  2⤵
  PID:10924
- C:\Windows\System32\PPbrcOS.exe
  C:\Windows\System32\PPbrcOS.exe
  2⤵
  PID:10504
- C:\Windows\System32\jtDaLtP.exe
  C:\Windows\System32\jtDaLtP.exe
  2⤵
  PID:10268
- C:\Windows\System32\xbDgMMH.exe
  C:\Windows\System32\xbDgMMH.exe
  2⤵
  PID:11272
- C:\Windows\System32\wqCMkYg.exe
  C:\Windows\System32\wqCMkYg.exe
  2⤵
  PID:11288
- C:\Windows\System32\XURuyac.exe
  C:\Windows\System32\XURuyac.exe
  2⤵
  PID:11312
- C:\Windows\System32\BOJwQwI.exe
  C:\Windows\System32\BOJwQwI.exe
  2⤵
  PID:11344
- C:\Windows\System32\IQqzVPy.exe
  C:\Windows\System32\IQqzVPy.exe
  2⤵
  PID:11384
- C:\Windows\System32\tJMwgdy.exe
  C:\Windows\System32\tJMwgdy.exe
  2⤵
  PID:11412
- C:\Windows\System32\IvwVRNF.exe
  C:\Windows\System32\IvwVRNF.exe
  2⤵
  PID:11440
- C:\Windows\System32\cfrEwHh.exe
  C:\Windows\System32\cfrEwHh.exe
  2⤵
  PID:11476
- C:\Windows\System32\slVIwrx.exe
  C:\Windows\System32\slVIwrx.exe
  2⤵
  PID:11528
- C:\Windows\System32\ZMbGhJs.exe
  C:\Windows\System32\ZMbGhJs.exe
  2⤵
  PID:11552
- C:\Windows\System32\xevcbkz.exe
  C:\Windows\System32\xevcbkz.exe
  2⤵
  PID:11588
- C:\Windows\System32\lGJorXm.exe
  C:\Windows\System32\lGJorXm.exe
  2⤵
  PID:11632
- C:\Windows\System32\ZOdhVAb.exe
  C:\Windows\System32\ZOdhVAb.exe
  2⤵
  PID:11676
- C:\Windows\System32\ZjwJTky.exe
  C:\Windows\System32\ZjwJTky.exe
  2⤵
  PID:11708
- C:\Windows\System32\eDDZNIL.exe
  C:\Windows\System32\eDDZNIL.exe
  2⤵
  PID:11736
- C:\Windows\System32\nJltERU.exe
  C:\Windows\System32\nJltERU.exe
  2⤵
  PID:11752
- C:\Windows\System32\eTWWLJF.exe
  C:\Windows\System32\eTWWLJF.exe
  2⤵
  PID:11796
- C:\Windows\System32\WPfAJTX.exe
  C:\Windows\System32\WPfAJTX.exe
  2⤵
  PID:11836
- C:\Windows\System32\RyppRrD.exe
  C:\Windows\System32\RyppRrD.exe
  2⤵
  PID:11852
- C:\Windows\System32\ZBPeEiD.exe
  C:\Windows\System32\ZBPeEiD.exe
  2⤵
  PID:11884
- C:\Windows\System32\KolNdmW.exe
  C:\Windows\System32\KolNdmW.exe
  2⤵
  PID:11928
- C:\Windows\System32\xarFTAd.exe
  C:\Windows\System32\xarFTAd.exe
  2⤵
  PID:11956
- C:\Windows\System32\syNbOGg.exe
  C:\Windows\System32\syNbOGg.exe
  2⤵
  PID:11972
- C:\Windows\System32\TydCFni.exe
  C:\Windows\System32\TydCFni.exe
  2⤵
  PID:12000
- C:\Windows\System32\hdDuyho.exe
  C:\Windows\System32\hdDuyho.exe
  2⤵
  PID:12048
- C:\Windows\System32\SdpUrXz.exe
  C:\Windows\System32\SdpUrXz.exe
  2⤵
  PID:12092
- C:\Windows\System32\SFfvyVf.exe
  C:\Windows\System32\SFfvyVf.exe
  2⤵
  PID:12112
- C:\Windows\System32\nhrvQSd.exe
  C:\Windows\System32\nhrvQSd.exe
  2⤵
  PID:12160
- C:\Windows\System32\WNCSWgi.exe
  C:\Windows\System32\WNCSWgi.exe
  2⤵
  PID:12180
- C:\Windows\System32\WPCKbvB.exe
  C:\Windows\System32\WPCKbvB.exe
  2⤵
  PID:12212
- C:\Windows\System32\kzkRTPT.exe
  C:\Windows\System32\kzkRTPT.exe
  2⤵
  PID:12232
- C:\Windows\System32\swqOClm.exe
  C:\Windows\System32\swqOClm.exe
  2⤵
  PID:12272
- C:\Windows\System32\IdxfwAv.exe
  C:\Windows\System32\IdxfwAv.exe
  2⤵
  PID:11280
- C:\Windows\System32\HGTYdCO.exe
  C:\Windows\System32\HGTYdCO.exe
  2⤵
  PID:11308
- C:\Windows\System32\wbDnjjL.exe
  C:\Windows\System32\wbDnjjL.exe
  2⤵
  PID:11400
- C:\Windows\System32\lSdUnXg.exe
  C:\Windows\System32\lSdUnXg.exe
  2⤵
  PID:11428
- C:\Windows\System32\ydzPSyx.exe
  C:\Windows\System32\ydzPSyx.exe
  2⤵
  PID:11496
- C:\Windows\System32\OqjsGsS.exe
  C:\Windows\System32\OqjsGsS.exe
  2⤵
  PID:11644
- C:\Windows\System32\DTdtmXL.exe
  C:\Windows\System32\DTdtmXL.exe
  2⤵
  PID:11700
- C:\Windows\System32\jJUkzoh.exe
  C:\Windows\System32\jJUkzoh.exe
  2⤵
  PID:11820
- C:\Windows\System32\gkIpoox.exe
  C:\Windows\System32\gkIpoox.exe
  2⤵
  PID:11864
- C:\Windows\System32\whWzFRl.exe
  C:\Windows\System32\whWzFRl.exe
  2⤵
  PID:11900
- C:\Windows\System32\uroQzSY.exe
  C:\Windows\System32\uroQzSY.exe
  2⤵
  PID:11968
- C:\Windows\System32\eJTsvUN.exe
  C:\Windows\System32\eJTsvUN.exe
  2⤵
  PID:12024
- C:\Windows\System32\LRmTrbM.exe
  C:\Windows\System32\LRmTrbM.exe
  2⤵
  PID:12188
- C:\Windows\System32\TnQyCkw.exe
  C:\Windows\System32\TnQyCkw.exe
  2⤵
  PID:12244
- C:\Windows\System32\tozdJJZ.exe
  C:\Windows\System32\tozdJJZ.exe
  2⤵
  PID:12260
- C:\Windows\System32\ZazJvIA.exe
  C:\Windows\System32\ZazJvIA.exe
  2⤵
  PID:11396
- C:\Windows\System32\tppJGWv.exe
  C:\Windows\System32\tppJGWv.exe
  2⤵
  PID:11620
- C:\Windows\System32\EQrtptJ.exe
  C:\Windows\System32\EQrtptJ.exe
  2⤵
  PID:11764
- C:\Windows\System32\UIBDlES.exe
  C:\Windows\System32\UIBDlES.exe
  2⤵
  PID:11892
- C:\Windows\System32\KgkHLnB.exe
  C:\Windows\System32\KgkHLnB.exe
  2⤵
  PID:11992
- C:\Windows\System32\lbHJSIC.exe
  C:\Windows\System32\lbHJSIC.exe
  2⤵
  PID:12220
- C:\Windows\System32\ggBLjve.exe
  C:\Windows\System32\ggBLjve.exe
  2⤵
  PID:11724
- C:\Windows\System32\hZFbYhO.exe
  C:\Windows\System32\hZFbYhO.exe
  2⤵
  PID:11940
- C:\Windows\System32\vnuDjhf.exe
  C:\Windows\System32\vnuDjhf.exe
  2⤵
  PID:12228
- C:\Windows\System32\nVRIIBK.exe
  C:\Windows\System32\nVRIIBK.exe
  2⤵
  PID:12104
- C:\Windows\System32\PhlhoLf.exe
  C:\Windows\System32\PhlhoLf.exe
  2⤵
  PID:12324
- C:\Windows\System32\ovJWmrJ.exe
  C:\Windows\System32\ovJWmrJ.exe
  2⤵
  PID:12340
- C:\Windows\System32\acsmkEk.exe
  C:\Windows\System32\acsmkEk.exe
  2⤵
  PID:12356
- C:\Windows\System32\yonPCVd.exe
  C:\Windows\System32\yonPCVd.exe
  2⤵
  PID:12396
- C:\Windows\System32\TPOgFKs.exe
  C:\Windows\System32\TPOgFKs.exe
  2⤵
  PID:12436
- C:\Windows\System32\jpOdfqZ.exe
  C:\Windows\System32\jpOdfqZ.exe
  2⤵
  PID:12464
- C:\Windows\System32\XKrZVbm.exe
  C:\Windows\System32\XKrZVbm.exe
  2⤵
  PID:12500
- C:\Windows\System32\kQPzAoU.exe
  C:\Windows\System32\kQPzAoU.exe
  2⤵
  PID:12516
- C:\Windows\System32\ZWnqRZJ.exe
  C:\Windows\System32\ZWnqRZJ.exe
  2⤵
  PID:12560
- C:\Windows\System32\yhNxwsN.exe
  C:\Windows\System32\yhNxwsN.exe
  2⤵
  PID:12592
- C:\Windows\System32\dXWQQtP.exe
  C:\Windows\System32\dXWQQtP.exe
  2⤵
  PID:12620
- C:\Windows\System32\ObmfHUc.exe
  C:\Windows\System32\ObmfHUc.exe
  2⤵
  PID:12640
- C:\Windows\System32\gGJhUxJ.exe
  C:\Windows\System32\gGJhUxJ.exe
  2⤵
  PID:12676
- C:\Windows\System32\UUaUQTR.exe
  C:\Windows\System32\UUaUQTR.exe
  2⤵
  PID:12692
- C:\Windows\System32\jrvzwFl.exe
  C:\Windows\System32\jrvzwFl.exe
  2⤵
  PID:12744
- C:\Windows\System32\GZTJaAJ.exe
  C:\Windows\System32\GZTJaAJ.exe
  2⤵
  PID:12768
- C:\Windows\System32\kRTuQeM.exe
  C:\Windows\System32\kRTuQeM.exe
  2⤵
  PID:12796
- C:\Windows\System32\YOAuuvD.exe
  C:\Windows\System32\YOAuuvD.exe
  2⤵
  PID:12812
- C:\Windows\System32\eSGjEbL.exe
  C:\Windows\System32\eSGjEbL.exe
  2⤵
  PID:12840
- C:\Windows\System32\GJFiYfO.exe
  C:\Windows\System32\GJFiYfO.exe
  2⤵
  PID:12868
- C:\Windows\System32\MIpNSzp.exe
  C:\Windows\System32\MIpNSzp.exe
  2⤵
  PID:12916
- C:\Windows\System32\BGKFpWB.exe
  C:\Windows\System32\BGKFpWB.exe
  2⤵
  PID:12936
- C:\Windows\System32\mbOiIwr.exe
  C:\Windows\System32\mbOiIwr.exe
  2⤵
  PID:12952
- C:\Windows\System32\bZiYDaO.exe
  C:\Windows\System32\bZiYDaO.exe
  2⤵
  PID:12992
- C:\Windows\System32\PsLlCbl.exe
  C:\Windows\System32\PsLlCbl.exe
  2⤵
  PID:13008
- C:\Windows\System32\smsDbTp.exe
  C:\Windows\System32\smsDbTp.exe
  2⤵
  PID:13040
- C:\Windows\System32\jLYgdBV.exe
  C:\Windows\System32\jLYgdBV.exe
  2⤵
  PID:13076
- C:\Windows\System32\BgoEdEc.exe
  C:\Windows\System32\BgoEdEc.exe
  2⤵
  PID:13096
- C:\Windows\System32\ewxkAqu.exe
  C:\Windows\System32\ewxkAqu.exe
  2⤵
  PID:13132
- C:\Windows\System32\unXXgsR.exe
  C:\Windows\System32\unXXgsR.exe
  2⤵
  PID:13160
- C:\Windows\System32\JiOBWhq.exe
  C:\Windows\System32\JiOBWhq.exe
  2⤵
  PID:13188
- C:\Windows\System32\qUKuhoh.exe
  C:\Windows\System32\qUKuhoh.exe
  2⤵
  PID:13208
- C:\Windows\System32\jdSoGXm.exe
  C:\Windows\System32\jdSoGXm.exe
  2⤵
  PID:13244
- C:\Windows\System32\xFfLzpD.exe
  C:\Windows\System32\xFfLzpD.exe
  2⤵
  PID:13272
- C:\Windows\System32\CmQaICg.exe
  C:\Windows\System32\CmQaICg.exe
  2⤵
  PID:13288
- C:\Windows\System32\oxdrpxK.exe
  C:\Windows\System32\oxdrpxK.exe
  2⤵
  PID:11424
- C:\Windows\System32\wuoqFMY.exe
  C:\Windows\System32\wuoqFMY.exe
  2⤵
  PID:12368
- C:\Windows\System32\CdGtZBy.exe
  C:\Windows\System32\CdGtZBy.exe
  2⤵
  PID:1472
- C:\Windows\System32\ulfTqbT.exe
  C:\Windows\System32\ulfTqbT.exe
  2⤵
  PID:3768
- C:\Windows\System32\lrwtEoQ.exe
  C:\Windows\System32\lrwtEoQ.exe
  2⤵
  PID:12448
- C:\Windows\System32\vOpyXds.exe
  C:\Windows\System32\vOpyXds.exe
  2⤵
  PID:12536
- C:\Windows\System32\mKyXmgF.exe
  C:\Windows\System32\mKyXmgF.exe
  2⤵
  PID:12616
- C:\Windows\System32\YnMDKCn.exe
  C:\Windows\System32\YnMDKCn.exe
  2⤵
  PID:12700
- C:\Windows\System32\OrSdiLa.exe
  C:\Windows\System32\OrSdiLa.exe
  2⤵
  PID:12760
- C:\Windows\System32\EbfQuGR.exe
  C:\Windows\System32\EbfQuGR.exe
  2⤵
  PID:12824
- C:\Windows\System32\AOEpasl.exe
  C:\Windows\System32\AOEpasl.exe
  2⤵
  PID:12904
- C:\Windows\System32\SScvXsC.exe
  C:\Windows\System32\SScvXsC.exe
  2⤵
  PID:12980
- C:\Windows\System32\rcbPwBY.exe
  C:\Windows\System32\rcbPwBY.exe
  2⤵
  PID:13048
- C:\Windows\System32\NKsRTCN.exe
  C:\Windows\System32\NKsRTCN.exe
  2⤵
  PID:13068
- C:\Windows\System32\rWoYgtT.exe
  C:\Windows\System32\rWoYgtT.exe
  2⤵
  PID:4636
- C:\Windows\System32\UZVrFDU.exe
  C:\Windows\System32\UZVrFDU.exe
  2⤵
  PID:13216
- C:\Windows\System32\gxqYEQw.exe
  C:\Windows\System32\gxqYEQw.exe
  2⤵
  PID:13300
- C:\Windows\System32\rCizfPs.exe
  C:\Windows\System32\rCizfPs.exe
  2⤵
  PID:12332
- C:\Windows\System32\SPBQNVS.exe
  C:\Windows\System32\SPBQNVS.exe
  2⤵
  PID:4688
- C:\Windows\System32\HgmQVHu.exe
  C:\Windows\System32\HgmQVHu.exe
  2⤵
  PID:12512
- C:\Windows\System32\EQAuWBM.exe
  C:\Windows\System32\EQAuWBM.exe
  2⤵
  PID:12756
- C:\Windows\System32\FvgKKrM.exe
  C:\Windows\System32\FvgKKrM.exe
  2⤵
  PID:12808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:7216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AbxuDfL.exe

Filesize
2.7MB

MD5
221e5121e42f25c581a3ac957f5ca240

SHA1
b60286f22be058b66bddb103ae265263c857d77a

SHA256
7fe58080f012f9c57367751de755df52118a5da3145b07125c847a7160368c72

SHA512
b4b589a1f2c7e52cdedbf43596d62cbbf4019c43ee482dd0c65d711cb4502a2a3ee0f27a908a5dd89364810aa50cc8d8d51696b3fbdd007dbfe33618606b1b02

Download Submit
C:\Windows\System32\DttOPrA.exe

Filesize
2.7MB

MD5
63ef6d1412a0487555b5f34388ecd7ac

SHA1
9a74526521f4132da46e56a43cb8d1aab9329d36

SHA256
63aeba1112e7a988fb435e87474398359cd400604dad9005227d79e0f89fb1eb

SHA512
07835fe8a52c8f8cd564df730438d2a0db9ea4534bf22760b7519e7ed5207b28ce9e52db5fa30ae44581e1deca91de219e5fbf5419796778ebf6e377258cd1ff

Download Submit
C:\Windows\System32\GAnPuHx.exe

Filesize
2.7MB

MD5
b3addd1fcc37663de1771ec4ccf0ebf2

SHA1
7ad3a967c7748a85e8af9d6f6abb978f279e7653

SHA256
220618154a2d9703043817aa4e133984fa6fb46da539434eb0ace72ac7edc31e

SHA512
f8748a0f9ad01ed5a3020fadc224f8b02bf9224cec5644f73b319f2c85cc8a8cb9b21b316512d8dd0a82fe3521a28d2453547410ad6089114882a83761f1e2f1

Download Submit
C:\Windows\System32\GWmsiNF.exe

Filesize
2.7MB

MD5
7bd22b89a4589539fd9fdd7e4f83c88f

SHA1
81940767a0c1fc77a7d8b8f4ce1b4566dfe65be4

SHA256
c5ec28f6fcad9e32491423056cbbfe7dac73b983326d9d4309437cd098abeba1

SHA512
1f2f39f660d6188c64c6e740d4ddbe800de0fee8c4f74a7b84ce6e172501cbbd3d6dba9c08d3be1ccdeedd02d1f25a746a5b46861dc0971ac87458663faec05b

Download Submit
C:\Windows\System32\JNNGWMF.exe

Filesize
2.7MB

MD5
d855b0a20124e437873dc6e70333be5e

SHA1
8eadfd09bdf0da2483d43dd0e16ab25268c04b33

SHA256
510abf83ad2b19922f1d788f8c3456860d87413d503265acbefc8772df853d79

SHA512
7b7b06d76c2d4dc2c548bddc88993b084f81e3721427c48d4c9ba62d18b0405765ad0470dbfc305aa7fbb388d5d84d1d3e46648ff0129cc9e5138eee1befda64

Download Submit
C:\Windows\System32\JSwyREL.exe

Filesize
2.7MB

MD5
d73c655bfc5f148dad7a878ff2b8cf68

SHA1
6154f6170e12c9146902cab483bb4632382c528d

SHA256
8c64715191efda58801a746a9e174bc92cd720350229ca6899b8e280a9155376

SHA512
8bb9bdec1d14667421eb93a3cc4f72483c5bae270d1ce72ef5521d32b670b720f3600e0a80c2a790e538a29d2c3afe7635b60700692e36e968c71241a7e30471

Download Submit
C:\Windows\System32\LwnvDrS.exe

Filesize
2.7MB

MD5
704537420cb2a6aac34bf03d80310fea

SHA1
402668f9c14e3e439c1f7259cab1ce2a7adf7659

SHA256
8885488fa30af2505d32380d21650164a8bb5d9a5adb29622494d438e36a60ad

SHA512
e4054f8dfc4caa136641ff794f542fa5223e966a5009c3ea3d0d365e3cf516660dc5519f52fb57027b56bc9ecceee0f3c7289c8027a412bf7e6da6508562f497

Download Submit
C:\Windows\System32\MBGWHxV.exe

Filesize
2.7MB

MD5
d196ac7f2a7541f5f411518dc96a21d6

SHA1
cf1ce199d71a3af536f29460306520d732c83055

SHA256
8396bb1c530185497ce71fb2c7a49ad4d0584ff5039f288de6fc1f0e57d6e397

SHA512
cfdfeee657cb6218fc5946eae810cb5071936a239d1b766ebff92a0dac0bbe1e19cb09b8e104435bbdcfa05e2a0c4bed466044e1ddf14bd69caee80a2757f1fd

Download Submit
C:\Windows\System32\NMwDDHJ.exe

Filesize
2.7MB

MD5
915868d8adcd6f1b07d460f10019e55e

SHA1
0ea3c5f49b895a0623c2af34b77d3fd92512efef

SHA256
9e3dff250f7ba4afc560df914939b622f85be36c8b8083e19f2cf3377f506ce7

SHA512
5c63ff759b563e54235e421a31d184d9ac47f250b32f80baf0dff9c8660785bf87ee72151956e82bd59d2bf3320bc217bb50254ee8e22274583715c596d833b9

Download Submit
C:\Windows\System32\VJOXWLk.exe

Filesize
2.7MB

MD5
3eace6156615e5b70b77387908434914

SHA1
69a871e5448ee12860fd409c9e8abb68bc2d679c

SHA256
7d16a68c859a8a5e44f19bed1eb3e65c763537c5cb590ac807642b9b7b442613

SHA512
02804e9f13db3aa64e3aa89f34b1aecfe9ec7c01de36511ff6ab8f255da1c7a4b19820c08af02fd48533faa95e7e31ac529924a3aba1d2f76aea8597ac4d15a8

Download Submit
C:\Windows\System32\VLVCEDt.exe

Filesize
2.7MB

MD5
dd32ca6b73f535659946099d45d6b649

SHA1
14efaabce6d6351dd1371b07721172f698a5d2f1

SHA256
35a6e222b122d371377e36ee160d7890f62c42fd8b67bc6f3c25c6327e185ff5

SHA512
36b7533c5e1ad57029333609a43bf9ba8c044c58a06eb32d1d3835628694325f5a176361c274c3e2aa60d5f89aa2c0a8a133e5cc810df1aabaeb9b1a3b8cdec6

Download Submit
C:\Windows\System32\WphHpmS.exe

Filesize
2.7MB

MD5
a8a8fdd302c14edacdb3539f139a822d

SHA1
53377b81aa214551a704bf4a52aaca5d6964eb30

SHA256
f9640b2fbd90043f921cb83695ac0df84595fe5cd10a0bf4c9b03d0268aa6994

SHA512
4fa4349e2a0a9e74010470b3380d3a252db1b13411a6a5495c2fe3e426eb53f440daaf10516eb3aa8e503ccff12d90617837b6289f33be87e4c0a323383c4497

Download Submit
C:\Windows\System32\YfqqARz.exe

Filesize
2.7MB

MD5
246b61e2aaa371f977f3503bd7356c90

SHA1
d4b0b26b310ba0632305cd63dc07b1b260548f06

SHA256
0cd882f61e36c96ed8d51c0b542898c27aa0681c2945f7a5c6ee799d5b8d9afc

SHA512
52f1b2d9058afa79431282b650d57d4c303446163c932985c263e84b68a9002b6f20e13b7af3c9a6f7a6c418ccc10c04a2e21a1e3f222282631e3b5973f23f8f

Download Submit
C:\Windows\System32\ZQupwHw.exe

Filesize
2.7MB

MD5
b29424011235b8dce98cec0df1349030

SHA1
587b28c0bc9366cbb1f45043d0cd3265e8de214c

SHA256
8862a47158637d393d726080d285ce4155d43b871f46d08e88c495eb56d1b4c6

SHA512
3d6a34c8628999d2432ad3e2126e5deacc85f68bc0800df7482a05ef2fc71511c9910644f2c53a3b60bfc33db71ab9210f9eaf312dec2a56d02b6231e2997d8b

Download Submit
C:\Windows\System32\aMVsrzn.exe

Filesize
2.7MB

MD5
ccd73c9b1c676bd7cc177864fd2bdade

SHA1
b846aef600f8e982fa33146ef0f16571bbaac682

SHA256
1afe58ab7848f5183b3e1562ace7402a75c4a8706aeeae6225bb36bdf4c220af

SHA512
163a5bd015e1d205ef68d47ec3197f4bb577d5d4ccc0ce338a0b80584381e5879279276bd5e893f7414781aaf6fd94b7fccf016305cc3c8a9eed90240e261136

Download Submit
C:\Windows\System32\aeSFqRj.exe

Filesize
2.7MB

MD5
845bced69960a8c01d6ba0e0fc623504

SHA1
8544205af166d4c1e210cfb8f7f7edd22df12a16

SHA256
22530b3580c702fb8f33ac970f1be7234388cc787d8b95c9ec5fee9da9dc6a8a

SHA512
cdec8b6aa3fd3da792bc004f8199747c5a50c90f152968f854456aaf3a5999342dffd2a2bfb8a9b6201d6cce92bdf69b22b6502f76cbd6b65be94223d3430892

Download Submit
C:\Windows\System32\bCbIKGu.exe

Filesize
2.7MB

MD5
1bf302a656a06077116fac182aed580b

SHA1
8fdb8bab2cbd796f3fb2777a835ec0d61a5ab7d2

SHA256
12fe0cbfc7abab3427640f6aa8c10f2b2af10b6ffb4720292fa42010599f1b3e

SHA512
c179400207259cc2498feba128d4e1c782bcc9e0bef0cd15df9036fef2b6a63dc88cc87bef19f734933d245b6f5cda8a13146eb0fd0b6605136b0e1cbdd491f7

Download Submit
C:\Windows\System32\fUuXmfH.exe

Filesize
2.7MB

MD5
7038e8bad56df9dd869a7ff4a0024d4b

SHA1
921ec73d29deb87ca61c8660d8f5996581675c2f

SHA256
2f107429506f2388826cd961ed8d775fd5c8caac1fbc2849382d81a3cca084c0

SHA512
aa1359d4a1fb376d1c09f22ddbf9533db04f873963612e42dd1e4afae8b7c2294bfeabbbde1cafec4e058b7e3ad19fb86968f039b124730c14ed55f048872e46

Download Submit
C:\Windows\System32\fcnNFjD.exe

Filesize
2.7MB

MD5
8f8c61b74a0adbc74053246372c2c601

SHA1
2aeb60af457da35dfeb535313f9a50faefd375b1

SHA256
bf9165e324e302fa2070df47abe9d0846d2feea404771eb3754baa567f7da241

SHA512
d4088dd440a1626528ddb2b5d7df974e5ce2edfd0e1c250f4f5ee83bd0b7d5779c9edfd0af7af9005e9ac40d39ea956161cc198a58cb578cbf3c91359f4c417d

Download Submit
C:\Windows\System32\kixChnV.exe

Filesize
2.7MB

MD5
7b66fff28c92c04d435a058b03324bef

SHA1
ea6bfe7ffef6df7da8502f831a375c91b59b1b67

SHA256
6f852c6eb61620545e3221e39e47e690159142c3fcb80b81a93a14ec4c4d9cb8

SHA512
daa046706481131caa84506180051d2ebe97be99786504b2c8914ac0a2ddc098e62227479ecb8c74cdab61ad76adf495768e9c08ac89160b793137e3b54e9912

Download Submit
C:\Windows\System32\mdJvHsQ.exe

Filesize
2.7MB

MD5
71e5271aca1fb6ec804bbed87f056f98

SHA1
996b1a22a51cb7c59de8309f79fbb00703b3f6ed

SHA256
7b83e6adb93c35eaa3a2d097d8f81f88e617adc7cc57f8f81b0adb63ca7d19aa

SHA512
c9d764237dcd8e5f1cc555ad8b16751de16e6f19d659b4985e1a87a73111e3294b7e2c0e88cc30967de38c689edf9cdbc2b98b3909dba57e8acb1897ca759281

Download Submit
C:\Windows\System32\mdytEKD.exe

Filesize
2.7MB

MD5
fa808a1fa1e7f2c1ece41af638e1920b

SHA1
94d4b767b3d3079fe3df83b4b730c13f4bafc7f8

SHA256
220d633be958dac660cd55f41d2c52844c25544323eac94a6779a3ebe6dfb054

SHA512
03ac33a9aa872f8a69de18cadd5e16feb63f335d2b6b9fcecb1c2a4b9438259c612991bf6ed6b300b70d25c358dcb1736e36659ede8eca4dc38ab32985371d49

Download Submit
C:\Windows\System32\olDlbAA.exe

Filesize
2.7MB

MD5
a53fe7fd5e1a132a21cbf5b190dae86f

SHA1
5ef43a13b0f2262d3f99346ec76097a7e2491a6a

SHA256
36cf25759593200cbe86336bb3a4539230e444676091babb19bafe56b7b75331

SHA512
8b147c81bf1ba2719b7562a1b21b7960cef6c84e2b6a3c3251d43b594bc355c17d1675258572dd883f02ba1a170fe8b71106ab3d3197ec05679fd0658af06616

Download Submit
C:\Windows\System32\pmDCFdt.exe

Filesize
2.7MB

MD5
690549d41dfc10027ea6c49ba7a25721

SHA1
9c9b71912a9f8a33453fff5fab6d29c649082c0c

SHA256
a1887bb8d5e53493d2d2a1bf741286b3971295633de78a217be1cd375b6c6fb0

SHA512
183080d70d4c596d7ebcd65ab476312a140b23a396e474f746d26978cd00f63667747650358f839e7fe2854bc4db451e943aeaba51f6d162e48d149a1648e5f6

Download Submit
C:\Windows\System32\tnrbMZt.exe

Filesize
2.7MB

MD5
a55b4ad892940e1379225760e698a005

SHA1
0e60bbe812817de0c8ce5346efd385acd665e8da

SHA256
3c3dfe59ef9d423ea50c4c12b424f2f81e8eae152d4e190d7f1ee9858893f4d1

SHA512
e25ffceccfc35df2d8e4c3ee675271db6101cb7418d7a582a2d41cc9bb01b66ac92c7a7862779df71cd3c77121f678cb0efc71114479b643c917e415c203bdf9

Download Submit
C:\Windows\System32\vEPlrnS.exe

Filesize
2.7MB

MD5
cbec5cae136fab324c5a1635b445507b

SHA1
99a607560bc646cbc6252fb194b5073be43a79cc

SHA256
434790ffa38f7f985ac42b261cba9f7ab6631f722f4153cfdf7080e4c1d74866

SHA512
55f24eaa408990e3fa4ebbf194121c45b39a9a1900ad7cae420a63fd2c552a66391340d01f73acbb1ea2e181276a4ab610da24b1deec23b6b47a2588b54be6cc

Download Submit
C:\Windows\System32\vJVDnjl.exe

Filesize
2.7MB

MD5
f8dc62f475c08700e81dba16b0889b58

SHA1
fe1032f98086d67ab25c92ee7dcd8d0e3d140e47

SHA256
7c28caa06a50ad1f097302cf6016c79ca1757d5fd83e6181573e59ca309b576d

SHA512
fe20c3727d45c380f5bc5bbe13634570f7c3a1ca8f631970d438575b2e263f881059d21436e3daf4b42d9b90a9ebb37391b2c78ee16b54cc5851854a2e484b88

Download Submit
C:\Windows\System32\vLDYWuu.exe

Filesize
2.7MB

MD5
f636976e3265b3437f9c55046ba30352

SHA1
ce5e2e124f4964743e33a1beba3d6119170b617f

SHA256
229e214ae3aee5c7eb54791d00ea4806cc0bce3d8c4247e1596244cd4b53ad1a

SHA512
73556cb24a593bd2535705caf5b08d852e4a042acb3282514ea065033c3a7812e1fd60c43b2b1c8d501e1cbb51e3ea3b21a2bc8af9ecfc44a24c9eace3cb51d4

Download Submit
C:\Windows\System32\vMOkUKB.exe

Filesize
2.7MB

MD5
5d68a7a54c337c1aa0992099e2a3d21e

SHA1
e4a7716fa3194ba67063efb5039d36cc3d1b4e90

SHA256
481b76dab4ef05083145540af001cd87e34b99e8b5063a2aca0433eda51a4daf

SHA512
c7c052c099b2a763a2f0ed73936ac9fe747a364566ce3ac937113fa34cdb6121aecbd7e7b9e64698be6a1bc826b2b5450db8b4951564c2fa67f77e60a6aeb81c

Download Submit
C:\Windows\System32\voFvNat.exe

Filesize
2.7MB

MD5
9600486f81cf95a710ee2a1a33f380e2

SHA1
2174557ff26cd76ebc28d17377839c416f938ae5

SHA256
a00572a4d87fdaf9d9a1a4e0db8171f2ae747a880d2850305a097fef91e403f8

SHA512
f0c5d56406bdb1de9d37d05499298e9886c91e158df2e85ad2e64e645adbfd0862b09d9ff8c2762f6aa118d03a2ebfaf81c6459810593cac7370a8ecb4eaa69d

Download Submit
C:\Windows\System32\wLgbaSo.exe

Filesize
2.7MB

MD5
a58c9d14680b382188c78273c1f31176

SHA1
f6e8eb6a5adc7b3ea85519c2caa5b75fd17cc57f

SHA256
403c39c63384179a6f459e7defde34eb9c759b8899bb3a36f6d9dd279b4b7ab0

SHA512
779c6f5c09f6c0269a8e011fe85991081916bdeddb1b6461a2f1d2ea2f07cbc6e772a54a103869461aa125d81046a66b93d20332164cdfc31af6c5a77d7d13a2

Download Submit
C:\Windows\System32\zegEByW.exe

Filesize
2.7MB

MD5
7e6f843c3ad3e684853cc91c5b60fecc

SHA1
4e0395620da731ac0dec2a1430ca674162d2b35d

SHA256
0f1fc0e700dd975071d2524e3cc7be4c179e9cc4ff5154f9ee47fc5c6c15e7bd

SHA512
afd20eb72b4ab9e82fd4b45675972675d90935d8f4968057d83a527febc2468f8ff7052715630f56cd32e63b3988e46620495b2ed0ebaff4b5bc962588ab4cd4

Download Submit
memory/864-826-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp

Filesize
4.0MB

Download
memory/864-1878-0x00007FF7842E0000-0x00007FF7846D5000-memory.dmp

Filesize
4.0MB

Download
memory/884-762-0x00007FF631540000-0x00007FF631935000-memory.dmp

Filesize
4.0MB

Download
memory/884-1886-0x00007FF631540000-0x00007FF631935000-memory.dmp

Filesize
4.0MB

Download
memory/1060-1892-0x00007FF7CA960000-0x00007FF7CAD55000-memory.dmp

Filesize
4.0MB

Download
memory/1060-775-0x00007FF7CA960000-0x00007FF7CAD55000-memory.dmp

Filesize
4.0MB

Download
memory/1104-1898-0x00007FF705C80000-0x00007FF706075000-memory.dmp

Filesize
4.0MB

Download
memory/1104-793-0x00007FF705C80000-0x00007FF706075000-memory.dmp

Filesize
4.0MB

Download
memory/1184-1888-0x00007FF69E340000-0x00007FF69E735000-memory.dmp

Filesize
4.0MB

Download
memory/1184-843-0x00007FF69E340000-0x00007FF69E735000-memory.dmp

Filesize
4.0MB

Download
memory/1216-0-0x00007FF65D620000-0x00007FF65DA15000-memory.dmp

Filesize
4.0MB

Download
memory/1216-1-0x0000028143F10000-0x0000028143F20000-memory.dmp

Filesize
64KB

Download
memory/1428-1879-0x00007FF713540000-0x00007FF713935000-memory.dmp

Filesize
4.0MB

Download
memory/1428-26-0x00007FF713540000-0x00007FF713935000-memory.dmp

Filesize
4.0MB

Download
memory/1584-1893-0x00007FF78EC70000-0x00007FF78F065000-memory.dmp

Filesize
4.0MB

Download
memory/1584-768-0x00007FF78EC70000-0x00007FF78F065000-memory.dmp

Filesize
4.0MB

Download
memory/1956-1882-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp

Filesize
4.0MB

Download
memory/1956-28-0x00007FF7FF110000-0x00007FF7FF505000-memory.dmp

Filesize
4.0MB

Download
memory/2292-761-0x00007FF6CB5E0000-0x00007FF6CB9D5000-memory.dmp

Filesize
4.0MB

Download
memory/2292-1889-0x00007FF6CB5E0000-0x00007FF6CB9D5000-memory.dmp

Filesize
4.0MB

Download
memory/2560-777-0x00007FF652EB0000-0x00007FF6532A5000-memory.dmp

Filesize
4.0MB

Download
memory/2560-1891-0x00007FF652EB0000-0x00007FF6532A5000-memory.dmp

Filesize
4.0MB

Download
memory/2788-771-0x00007FF6330E0000-0x00007FF6334D5000-memory.dmp

Filesize
4.0MB

Download
memory/2788-1887-0x00007FF6330E0000-0x00007FF6334D5000-memory.dmp

Filesize
4.0MB

Download
memory/3048-1900-0x00007FF690FA0000-0x00007FF691395000-memory.dmp

Filesize
4.0MB

Download
memory/3048-803-0x00007FF690FA0000-0x00007FF691395000-memory.dmp

Filesize
4.0MB

Download
memory/3112-1877-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp

Filesize
4.0MB

Download
memory/3112-10-0x00007FF7F4AF0000-0x00007FF7F4EE5000-memory.dmp

Filesize
4.0MB

Download
memory/3276-1896-0x00007FF7B7390000-0x00007FF7B7785000-memory.dmp

Filesize
4.0MB

Download
memory/3276-783-0x00007FF7B7390000-0x00007FF7B7785000-memory.dmp

Filesize
4.0MB

Download
memory/3624-1885-0x00007FF6F8C50000-0x00007FF6F9045000-memory.dmp

Filesize
4.0MB

Download
memory/3624-763-0x00007FF6F8C50000-0x00007FF6F9045000-memory.dmp

Filesize
4.0MB

Download
memory/3936-1881-0x00007FF78C760000-0x00007FF78CB55000-memory.dmp

Filesize
4.0MB

Download
memory/3936-838-0x00007FF78C760000-0x00007FF78CB55000-memory.dmp

Filesize
4.0MB

Download
memory/4300-1876-0x00007FF799E30000-0x00007FF79A225000-memory.dmp

Filesize
4.0MB

Download
memory/4300-1884-0x00007FF799E30000-0x00007FF79A225000-memory.dmp

Filesize
4.0MB

Download
memory/4300-760-0x00007FF799E30000-0x00007FF79A225000-memory.dmp

Filesize
4.0MB

Download
memory/4356-1897-0x00007FF62E4A0000-0x00007FF62E895000-memory.dmp

Filesize
4.0MB

Download
memory/4356-798-0x00007FF62E4A0000-0x00007FF62E895000-memory.dmp

Filesize
4.0MB

Download
memory/4408-1899-0x00007FF6E5630000-0x00007FF6E5A25000-memory.dmp

Filesize
4.0MB

Download
memory/4408-824-0x00007FF6E5630000-0x00007FF6E5A25000-memory.dmp

Filesize
4.0MB

Download
memory/4416-1894-0x00007FF76D4D0000-0x00007FF76D8C5000-memory.dmp

Filesize
4.0MB

Download
memory/4416-788-0x00007FF76D4D0000-0x00007FF76D8C5000-memory.dmp

Filesize
4.0MB

Download
memory/4692-765-0x00007FF748B30000-0x00007FF748F25000-memory.dmp

Filesize
4.0MB

Download
memory/4692-1890-0x00007FF748B30000-0x00007FF748F25000-memory.dmp

Filesize
4.0MB

Download
memory/4796-1880-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp

Filesize
4.0MB

Download
memory/4796-833-0x00007FF64D8B0000-0x00007FF64DCA5000-memory.dmp

Filesize
4.0MB

Download
memory/4912-1883-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp

Filesize
4.0MB

Download
memory/4912-764-0x00007FF7BC8C0000-0x00007FF7BCCB5000-memory.dmp

Filesize
4.0MB

Download
memory/4920-1895-0x00007FF6F8460000-0x00007FF6F8855000-memory.dmp

Filesize
4.0MB

Download
memory/4920-806-0x00007FF6F8460000-0x00007FF6F8855000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads