xmrig | 4c24bad0fa6b2d0cbe4bc64d11a62156043ad673fda0dd47c509728184fa29c1

Analysis

max time kernel
139s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 10:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
Size

3.2MB
MD5

c3cbf1fb39d298740684f32749ee8440
SHA1

2867c9d59bcdf192e8e349cae81b2e90c719e6ef
SHA256

4c24bad0fa6b2d0cbe4bc64d11a62156043ad673fda0dd47c509728184fa29c1
SHA512

f72c0350aa0df9724c8fa711249135635a75ad079ae5d0ff5c262086a7feed44ff01f5c317779bbcce89baefba44bdec16f471e5f20f69a7998e2f4d09e44c0e
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40Z:NFWPClFkZ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/760-0-0x00007FF6455A0000-0x00007FF645995000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/files/0x000800000002340c-14.dat	xmrig
behavioral2/files/0x000700000002340e-21.dat	xmrig
behavioral2/memory/4480-29-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp	xmrig
behavioral2/files/0x0007000000023410-35.dat	xmrig
behavioral2/files/0x0007000000023411-39.dat	xmrig
behavioral2/memory/892-41-0x00007FF64BC60000-0x00007FF64C055000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-66.dat	xmrig
behavioral2/files/0x0007000000023418-76.dat	xmrig
behavioral2/files/0x000700000002341a-86.dat	xmrig
behavioral2/files/0x000700000002341c-96.dat	xmrig
behavioral2/files/0x000700000002342b-169.dat	xmrig
behavioral2/files/0x000700000002342a-167.dat	xmrig
behavioral2/files/0x0007000000023429-161.dat	xmrig
behavioral2/files/0x0007000000023428-156.dat	xmrig
behavioral2/files/0x0007000000023427-152.dat	xmrig
behavioral2/files/0x0007000000023426-147.dat	xmrig
behavioral2/files/0x0007000000023425-142.dat	xmrig
behavioral2/files/0x0007000000023424-137.dat	xmrig
behavioral2/files/0x0007000000023423-131.dat	xmrig
behavioral2/files/0x0007000000023422-127.dat	xmrig
behavioral2/files/0x0007000000023421-122.dat	xmrig
behavioral2/files/0x0007000000023420-117.dat	xmrig
behavioral2/files/0x000700000002341f-112.dat	xmrig
behavioral2/files/0x000700000002341e-107.dat	xmrig
behavioral2/files/0x000700000002341d-101.dat	xmrig
behavioral2/files/0x000700000002341b-91.dat	xmrig
behavioral2/files/0x0007000000023419-81.dat	xmrig
behavioral2/files/0x0007000000023417-71.dat	xmrig
behavioral2/files/0x0007000000023415-61.dat	xmrig
behavioral2/files/0x0007000000023414-56.dat	xmrig
behavioral2/files/0x0007000000023413-51.dat	xmrig
behavioral2/files/0x0007000000023412-46.dat	xmrig
behavioral2/memory/544-42-0x00007FF7E1EF0000-0x00007FF7E22E5000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-33.dat	xmrig
behavioral2/memory/3220-30-0x00007FF739850000-0x00007FF739C45000-memory.dmp	xmrig
behavioral2/memory/3016-26-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-24.dat	xmrig
behavioral2/memory/1556-17-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	xmrig
behavioral2/memory/2936-10-0x00007FF674E30000-0x00007FF675225000-memory.dmp	xmrig
behavioral2/memory/2684-1025-0x00007FF6258E0000-0x00007FF625CD5000-memory.dmp	xmrig
behavioral2/memory/4728-1032-0x00007FF62A780000-0x00007FF62AB75000-memory.dmp	xmrig
behavioral2/memory/2416-1053-0x00007FF6B7AF0000-0x00007FF6B7EE5000-memory.dmp	xmrig
behavioral2/memory/1432-1065-0x00007FF7FB3C0000-0x00007FF7FB7B5000-memory.dmp	xmrig
behavioral2/memory/1688-1068-0x00007FF6A75C0000-0x00007FF6A79B5000-memory.dmp	xmrig
behavioral2/memory/640-1073-0x00007FF688700000-0x00007FF688AF5000-memory.dmp	xmrig
behavioral2/memory/1108-1081-0x00007FF660FC0000-0x00007FF6613B5000-memory.dmp	xmrig
behavioral2/memory/3264-1085-0x00007FF6999A0000-0x00007FF699D95000-memory.dmp	xmrig
behavioral2/memory/4788-1090-0x00007FF66D610000-0x00007FF66DA05000-memory.dmp	xmrig
behavioral2/memory/3996-1084-0x00007FF618BC0000-0x00007FF618FB5000-memory.dmp	xmrig
behavioral2/memory/4088-1089-0x00007FF775780000-0x00007FF775B75000-memory.dmp	xmrig
behavioral2/memory/4704-1079-0x00007FF7FE980000-0x00007FF7FED75000-memory.dmp	xmrig
behavioral2/memory/4948-1070-0x00007FF78CA30000-0x00007FF78CE25000-memory.dmp	xmrig
behavioral2/memory/1740-1046-0x00007FF67B820000-0x00007FF67BC15000-memory.dmp	xmrig
behavioral2/memory/1872-1042-0x00007FF6B4B80000-0x00007FF6B4F75000-memory.dmp	xmrig
behavioral2/memory/3252-1040-0x00007FF6347D0000-0x00007FF634BC5000-memory.dmp	xmrig
behavioral2/memory/1840-1039-0x00007FF7CB8B0000-0x00007FF7CBCA5000-memory.dmp	xmrig
behavioral2/memory/1556-1919-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	xmrig
behavioral2/memory/3016-1920-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp	xmrig
behavioral2/memory/2936-1921-0x00007FF674E30000-0x00007FF675225000-memory.dmp	xmrig
behavioral2/memory/1556-1922-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	xmrig
behavioral2/memory/4480-1923-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp	xmrig
behavioral2/memory/3220-1925-0x00007FF739850000-0x00007FF739C45000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2936	ldMSdTs.exe
3016	qXMgnVO.exe
1556	oAlXbYf.exe
4480	vtiLpeY.exe
3220	cmYEAdF.exe
892	GSpsPaW.exe
544	wXZxYvL.exe
2684	ShSJxBQ.exe
4728	FmCznSJ.exe
1840	bJzppno.exe
3252	xQzMwkc.exe
1872	bpYEKAK.exe
1740	GqmtgoJ.exe
2416	KAtxHYm.exe
1432	pdYxWcM.exe
1688	HhNaLho.exe
4948	mtsdOgY.exe
640	RlSkHoc.exe
4704	KDuDzRl.exe
1108	XUCpYNr.exe
3996	zlGvUQC.exe
3264	IaSDocF.exe
4088	qdtMwmN.exe
4788	AHIgcAy.exe
1380	KRvhELS.exe
4604	QVpwuAI.exe
4956	OdYVgkJ.exe
888	jLMoigc.exe
2700	UeJbWqA.exe
2356	KuPeuwB.exe
3940	QfbCKgY.exe
2012	qrHrqDQ.exe
1720	rxmzhct.exe
2476	PfbwYFu.exe
1020	itUWsTZ.exe
2164	zoGZIqR.exe
4004	jEfTtZr.exe
1264	hjHpOYf.exe
1208	YKRhdkv.exe
2268	HMbqkCx.exe
4544	rcHbndS.exe
3672	GaliNlH.exe
4984	JWhoPrI.exe
2696	AAQoBzd.exe
3068	qBbkwUp.exe
4776	OwQIIBs.exe
1400	zRxpRdf.exe
3544	WVlStcP.exe
2420	ySfGMqR.exe
4516	VpQSDmd.exe
2284	ZcnKglj.exe
4224	rqAAOXV.exe
4452	GgayFsc.exe
4908	FiOLZwJ.exe
1256	zyOUGlf.exe
1392	QQlOQSy.exe
3512	XwOXfqz.exe
1232	BikLFkF.exe
744	lyiETus.exe
4628	eOTeQzH.exe
3300	LfazNfW.exe
2592	DpiZfKJ.exe
4768	YxWRLGr.exe
4276	Mkcfgus.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/760-0-0x00007FF6455A0000-0x00007FF645995000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/files/0x000800000002340c-14.dat	upx
behavioral2/files/0x000700000002340e-21.dat	upx
behavioral2/memory/4480-29-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp	upx
behavioral2/files/0x0007000000023410-35.dat	upx
behavioral2/files/0x0007000000023411-39.dat	upx
behavioral2/memory/892-41-0x00007FF64BC60000-0x00007FF64C055000-memory.dmp	upx
behavioral2/files/0x0007000000023416-66.dat	upx
behavioral2/files/0x0007000000023418-76.dat	upx
behavioral2/files/0x000700000002341a-86.dat	upx
behavioral2/files/0x000700000002341c-96.dat	upx
behavioral2/files/0x000700000002342b-169.dat	upx
behavioral2/files/0x000700000002342a-167.dat	upx
behavioral2/files/0x0007000000023429-161.dat	upx
behavioral2/files/0x0007000000023428-156.dat	upx
behavioral2/files/0x0007000000023427-152.dat	upx
behavioral2/files/0x0007000000023426-147.dat	upx
behavioral2/files/0x0007000000023425-142.dat	upx
behavioral2/files/0x0007000000023424-137.dat	upx
behavioral2/files/0x0007000000023423-131.dat	upx
behavioral2/files/0x0007000000023422-127.dat	upx
behavioral2/files/0x0007000000023421-122.dat	upx
behavioral2/files/0x0007000000023420-117.dat	upx
behavioral2/files/0x000700000002341f-112.dat	upx
behavioral2/files/0x000700000002341e-107.dat	upx
behavioral2/files/0x000700000002341d-101.dat	upx
behavioral2/files/0x000700000002341b-91.dat	upx
behavioral2/files/0x0007000000023419-81.dat	upx
behavioral2/files/0x0007000000023417-71.dat	upx
behavioral2/files/0x0007000000023415-61.dat	upx
behavioral2/files/0x0007000000023414-56.dat	upx
behavioral2/files/0x0007000000023413-51.dat	upx
behavioral2/files/0x0007000000023412-46.dat	upx
behavioral2/memory/544-42-0x00007FF7E1EF0000-0x00007FF7E22E5000-memory.dmp	upx
behavioral2/files/0x000700000002340f-33.dat	upx
behavioral2/memory/3220-30-0x00007FF739850000-0x00007FF739C45000-memory.dmp	upx
behavioral2/memory/3016-26-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp	upx
behavioral2/files/0x000700000002340d-24.dat	upx
behavioral2/memory/1556-17-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	upx
behavioral2/memory/2936-10-0x00007FF674E30000-0x00007FF675225000-memory.dmp	upx
behavioral2/memory/2684-1025-0x00007FF6258E0000-0x00007FF625CD5000-memory.dmp	upx
behavioral2/memory/4728-1032-0x00007FF62A780000-0x00007FF62AB75000-memory.dmp	upx
behavioral2/memory/2416-1053-0x00007FF6B7AF0000-0x00007FF6B7EE5000-memory.dmp	upx
behavioral2/memory/1432-1065-0x00007FF7FB3C0000-0x00007FF7FB7B5000-memory.dmp	upx
behavioral2/memory/1688-1068-0x00007FF6A75C0000-0x00007FF6A79B5000-memory.dmp	upx
behavioral2/memory/640-1073-0x00007FF688700000-0x00007FF688AF5000-memory.dmp	upx
behavioral2/memory/1108-1081-0x00007FF660FC0000-0x00007FF6613B5000-memory.dmp	upx
behavioral2/memory/3264-1085-0x00007FF6999A0000-0x00007FF699D95000-memory.dmp	upx
behavioral2/memory/4788-1090-0x00007FF66D610000-0x00007FF66DA05000-memory.dmp	upx
behavioral2/memory/3996-1084-0x00007FF618BC0000-0x00007FF618FB5000-memory.dmp	upx
behavioral2/memory/4088-1089-0x00007FF775780000-0x00007FF775B75000-memory.dmp	upx
behavioral2/memory/4704-1079-0x00007FF7FE980000-0x00007FF7FED75000-memory.dmp	upx
behavioral2/memory/4948-1070-0x00007FF78CA30000-0x00007FF78CE25000-memory.dmp	upx
behavioral2/memory/1740-1046-0x00007FF67B820000-0x00007FF67BC15000-memory.dmp	upx
behavioral2/memory/1872-1042-0x00007FF6B4B80000-0x00007FF6B4F75000-memory.dmp	upx
behavioral2/memory/3252-1040-0x00007FF6347D0000-0x00007FF634BC5000-memory.dmp	upx
behavioral2/memory/1840-1039-0x00007FF7CB8B0000-0x00007FF7CBCA5000-memory.dmp	upx
behavioral2/memory/1556-1919-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	upx
behavioral2/memory/3016-1920-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp	upx
behavioral2/memory/2936-1921-0x00007FF674E30000-0x00007FF675225000-memory.dmp	upx
behavioral2/memory/1556-1922-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp	upx
behavioral2/memory/4480-1923-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp	upx
behavioral2/memory/3220-1925-0x00007FF739850000-0x00007FF739C45000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GaliNlH.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\TQKrGVj.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\HeHvcei.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\vxUbnQu.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\IBjwFlQ.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\TvjTaiq.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\IDoCstA.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\KsQoWOt.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\cfpqSrh.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\YkPrjij.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\dqqtddR.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\BxrvjxU.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\jSTViex.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\WQROlbz.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\sevYAOm.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\WkmwDlY.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\ViSXOLq.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\mWaQIGL.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\TznlSMz.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\iBXLkmL.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\gIVXWqd.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\cOnYKAe.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\KGurVFI.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\MNuqQoV.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\XwNEPnD.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\dMHODvj.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\BVmKFbT.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\EPxjPzm.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\QdaLNkS.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\JuloioK.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\URzsFBj.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\vanwcaU.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\ethMkCs.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\lolVbwR.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\QvYqCAb.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\PfrCszl.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\bSADGXH.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\RYbvyKI.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\qyWijxb.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\JqrvIeG.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\Utbubsm.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\DVRcGIZ.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\mgYMeJQ.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\ySfGMqR.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\YHnFsVc.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\voffFot.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\zrRqkEU.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\VrCDxbR.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\HsDfnhe.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\CkAYOSU.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\htOxXAm.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\rNBorLR.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\MYzeIHy.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\VKUdnHy.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\thgyaGn.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\GebIsiP.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\hZxWKhX.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\ZjWTrgo.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\iFPXEJH.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\KRvhELS.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\hjlKdhE.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\mmLuPgT.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\ZYjxNhj.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
File created	C:\Windows\System32\HMbqkCx.exe	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13256	dwm.exe
Token: SeChangeNotifyPrivilege	13256	dwm.exe
Token: 33	13256	dwm.exe
Token: SeIncBasePriorityPrivilege	13256	dwm.exe
Token: SeShutdownPrivilege	13256	dwm.exe
Token: SeCreatePagefilePrivilege	13256	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2936	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	82
PID 760 wrote to memory of 2936	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	82
PID 760 wrote to memory of 1556	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	83
PID 760 wrote to memory of 1556	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	83
PID 760 wrote to memory of 3016	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	84
PID 760 wrote to memory of 3016	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	84
PID 760 wrote to memory of 4480	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	85
PID 760 wrote to memory of 4480	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	85
PID 760 wrote to memory of 3220	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	86
PID 760 wrote to memory of 3220	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	86
PID 760 wrote to memory of 892	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	87
PID 760 wrote to memory of 892	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	87
PID 760 wrote to memory of 544	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	88
PID 760 wrote to memory of 544	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	88
PID 760 wrote to memory of 2684	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	89
PID 760 wrote to memory of 2684	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	89
PID 760 wrote to memory of 4728	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	90
PID 760 wrote to memory of 4728	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	90
PID 760 wrote to memory of 1840	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	91
PID 760 wrote to memory of 1840	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	91
PID 760 wrote to memory of 3252	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	92
PID 760 wrote to memory of 3252	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	92
PID 760 wrote to memory of 1872	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	93
PID 760 wrote to memory of 1872	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	93
PID 760 wrote to memory of 1740	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	94
PID 760 wrote to memory of 1740	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	94
PID 760 wrote to memory of 2416	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	95
PID 760 wrote to memory of 2416	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	95
PID 760 wrote to memory of 1432	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	96
PID 760 wrote to memory of 1432	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	96
PID 760 wrote to memory of 1688	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	97
PID 760 wrote to memory of 1688	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	97
PID 760 wrote to memory of 4948	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	98
PID 760 wrote to memory of 4948	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	98
PID 760 wrote to memory of 640	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	99
PID 760 wrote to memory of 640	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	99
PID 760 wrote to memory of 4704	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	100
PID 760 wrote to memory of 4704	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	100
PID 760 wrote to memory of 1108	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	101
PID 760 wrote to memory of 1108	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	101
PID 760 wrote to memory of 3996	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	102
PID 760 wrote to memory of 3996	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	102
PID 760 wrote to memory of 3264	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	103
PID 760 wrote to memory of 3264	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	103
PID 760 wrote to memory of 4088	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	104
PID 760 wrote to memory of 4088	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	104
PID 760 wrote to memory of 4788	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	105
PID 760 wrote to memory of 4788	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	105
PID 760 wrote to memory of 1380	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	106
PID 760 wrote to memory of 1380	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	106
PID 760 wrote to memory of 4604	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	107
PID 760 wrote to memory of 4604	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	107
PID 760 wrote to memory of 4956	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	108
PID 760 wrote to memory of 4956	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	108
PID 760 wrote to memory of 888	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	109
PID 760 wrote to memory of 888	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	109
PID 760 wrote to memory of 2700	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	110
PID 760 wrote to memory of 2700	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	110
PID 760 wrote to memory of 2356	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	111
PID 760 wrote to memory of 2356	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	111
PID 760 wrote to memory of 3940	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	112
PID 760 wrote to memory of 3940	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	112
PID 760 wrote to memory of 2012	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	113
PID 760 wrote to memory of 2012	760	c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe	113

C:\Users\Admin\AppData\Local\Temp\c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3cbf1fb39d298740684f32749ee8440_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\System32\ldMSdTs.exe
  C:\Windows\System32\ldMSdTs.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\oAlXbYf.exe
  C:\Windows\System32\oAlXbYf.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\qXMgnVO.exe
  C:\Windows\System32\qXMgnVO.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\vtiLpeY.exe
  C:\Windows\System32\vtiLpeY.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\cmYEAdF.exe
  C:\Windows\System32\cmYEAdF.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\GSpsPaW.exe
  C:\Windows\System32\GSpsPaW.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System32\wXZxYvL.exe
  C:\Windows\System32\wXZxYvL.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\ShSJxBQ.exe
  C:\Windows\System32\ShSJxBQ.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\FmCznSJ.exe
  C:\Windows\System32\FmCznSJ.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\bJzppno.exe
  C:\Windows\System32\bJzppno.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System32\xQzMwkc.exe
  C:\Windows\System32\xQzMwkc.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\bpYEKAK.exe
  C:\Windows\System32\bpYEKAK.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System32\GqmtgoJ.exe
  C:\Windows\System32\GqmtgoJ.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\KAtxHYm.exe
  C:\Windows\System32\KAtxHYm.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\pdYxWcM.exe
  C:\Windows\System32\pdYxWcM.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\HhNaLho.exe
  C:\Windows\System32\HhNaLho.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\mtsdOgY.exe
  C:\Windows\System32\mtsdOgY.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\RlSkHoc.exe
  C:\Windows\System32\RlSkHoc.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\KDuDzRl.exe
  C:\Windows\System32\KDuDzRl.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\XUCpYNr.exe
  C:\Windows\System32\XUCpYNr.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\zlGvUQC.exe
  C:\Windows\System32\zlGvUQC.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System32\IaSDocF.exe
  C:\Windows\System32\IaSDocF.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\qdtMwmN.exe
  C:\Windows\System32\qdtMwmN.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\AHIgcAy.exe
  C:\Windows\System32\AHIgcAy.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\KRvhELS.exe
  C:\Windows\System32\KRvhELS.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\QVpwuAI.exe
  C:\Windows\System32\QVpwuAI.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\OdYVgkJ.exe
  C:\Windows\System32\OdYVgkJ.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\jLMoigc.exe
  C:\Windows\System32\jLMoigc.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\UeJbWqA.exe
  C:\Windows\System32\UeJbWqA.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\KuPeuwB.exe
  C:\Windows\System32\KuPeuwB.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System32\QfbCKgY.exe
  C:\Windows\System32\QfbCKgY.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\qrHrqDQ.exe
  C:\Windows\System32\qrHrqDQ.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\rxmzhct.exe
  C:\Windows\System32\rxmzhct.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\PfbwYFu.exe
  C:\Windows\System32\PfbwYFu.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\itUWsTZ.exe
  C:\Windows\System32\itUWsTZ.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\zoGZIqR.exe
  C:\Windows\System32\zoGZIqR.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\jEfTtZr.exe
  C:\Windows\System32\jEfTtZr.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\hjHpOYf.exe
  C:\Windows\System32\hjHpOYf.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\YKRhdkv.exe
  C:\Windows\System32\YKRhdkv.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\HMbqkCx.exe
  C:\Windows\System32\HMbqkCx.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\rcHbndS.exe
  C:\Windows\System32\rcHbndS.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\GaliNlH.exe
  C:\Windows\System32\GaliNlH.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\JWhoPrI.exe
  C:\Windows\System32\JWhoPrI.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\AAQoBzd.exe
  C:\Windows\System32\AAQoBzd.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\qBbkwUp.exe
  C:\Windows\System32\qBbkwUp.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\OwQIIBs.exe
  C:\Windows\System32\OwQIIBs.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\zRxpRdf.exe
  C:\Windows\System32\zRxpRdf.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System32\WVlStcP.exe
  C:\Windows\System32\WVlStcP.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System32\ySfGMqR.exe
  C:\Windows\System32\ySfGMqR.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\VpQSDmd.exe
  C:\Windows\System32\VpQSDmd.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\ZcnKglj.exe
  C:\Windows\System32\ZcnKglj.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\rqAAOXV.exe
  C:\Windows\System32\rqAAOXV.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\GgayFsc.exe
  C:\Windows\System32\GgayFsc.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\FiOLZwJ.exe
  C:\Windows\System32\FiOLZwJ.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\zyOUGlf.exe
  C:\Windows\System32\zyOUGlf.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System32\QQlOQSy.exe
  C:\Windows\System32\QQlOQSy.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\XwOXfqz.exe
  C:\Windows\System32\XwOXfqz.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\BikLFkF.exe
  C:\Windows\System32\BikLFkF.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\lyiETus.exe
  C:\Windows\System32\lyiETus.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\eOTeQzH.exe
  C:\Windows\System32\eOTeQzH.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\LfazNfW.exe
  C:\Windows\System32\LfazNfW.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\DpiZfKJ.exe
  C:\Windows\System32\DpiZfKJ.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\YxWRLGr.exe
  C:\Windows\System32\YxWRLGr.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\Mkcfgus.exe
  C:\Windows\System32\Mkcfgus.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\dRnJeEK.exe
  C:\Windows\System32\dRnJeEK.exe
  2⤵
  PID:3148
- C:\Windows\System32\eWKvMxn.exe
  C:\Windows\System32\eWKvMxn.exe
  2⤵
  PID:2296
- C:\Windows\System32\cPcCoza.exe
  C:\Windows\System32\cPcCoza.exe
  2⤵
  PID:1692
- C:\Windows\System32\ooqQwFv.exe
  C:\Windows\System32\ooqQwFv.exe
  2⤵
  PID:5044
- C:\Windows\System32\HgFnQXR.exe
  C:\Windows\System32\HgFnQXR.exe
  2⤵
  PID:3668
- C:\Windows\System32\EySRSCI.exe
  C:\Windows\System32\EySRSCI.exe
  2⤵
  PID:456
- C:\Windows\System32\TyUzuHz.exe
  C:\Windows\System32\TyUzuHz.exe
  2⤵
  PID:1824
- C:\Windows\System32\cOnYKAe.exe
  C:\Windows\System32\cOnYKAe.exe
  2⤵
  PID:972
- C:\Windows\System32\PhdQGBk.exe
  C:\Windows\System32\PhdQGBk.exe
  2⤵
  PID:4584
- C:\Windows\System32\PVixwSL.exe
  C:\Windows\System32\PVixwSL.exe
  2⤵
  PID:4220
- C:\Windows\System32\SiSZwbA.exe
  C:\Windows\System32\SiSZwbA.exe
  2⤵
  PID:4764
- C:\Windows\System32\IDoCstA.exe
  C:\Windows\System32\IDoCstA.exe
  2⤵
  PID:4572
- C:\Windows\System32\ksIiGqm.exe
  C:\Windows\System32\ksIiGqm.exe
  2⤵
  PID:4156
- C:\Windows\System32\RmcHqqH.exe
  C:\Windows\System32\RmcHqqH.exe
  2⤵
  PID:2828
- C:\Windows\System32\gkZnMYw.exe
  C:\Windows\System32\gkZnMYw.exe
  2⤵
  PID:5128
- C:\Windows\System32\jSTViex.exe
  C:\Windows\System32\jSTViex.exe
  2⤵
  PID:5156
- C:\Windows\System32\gvModqE.exe
  C:\Windows\System32\gvModqE.exe
  2⤵
  PID:5184
- C:\Windows\System32\lnsYrkF.exe
  C:\Windows\System32\lnsYrkF.exe
  2⤵
  PID:5224
- C:\Windows\System32\syhudZB.exe
  C:\Windows\System32\syhudZB.exe
  2⤵
  PID:5248
- C:\Windows\System32\pgZEbbB.exe
  C:\Windows\System32\pgZEbbB.exe
  2⤵
  PID:5268
- C:\Windows\System32\oTkMJIL.exe
  C:\Windows\System32\oTkMJIL.exe
  2⤵
  PID:5296
- C:\Windows\System32\AhAZtFr.exe
  C:\Windows\System32\AhAZtFr.exe
  2⤵
  PID:5324
- C:\Windows\System32\BSPfZQD.exe
  C:\Windows\System32\BSPfZQD.exe
  2⤵
  PID:5352
- C:\Windows\System32\kBfqXav.exe
  C:\Windows\System32\kBfqXav.exe
  2⤵
  PID:5380
- C:\Windows\System32\LnjwnYE.exe
  C:\Windows\System32\LnjwnYE.exe
  2⤵
  PID:5408
- C:\Windows\System32\DOuTxSm.exe
  C:\Windows\System32\DOuTxSm.exe
  2⤵
  PID:5436
- C:\Windows\System32\ysmmEXl.exe
  C:\Windows\System32\ysmmEXl.exe
  2⤵
  PID:5464
- C:\Windows\System32\HgLcMvA.exe
  C:\Windows\System32\HgLcMvA.exe
  2⤵
  PID:5492
- C:\Windows\System32\dNufzsC.exe
  C:\Windows\System32\dNufzsC.exe
  2⤵
  PID:5520
- C:\Windows\System32\kcgmlnd.exe
  C:\Windows\System32\kcgmlnd.exe
  2⤵
  PID:5548
- C:\Windows\System32\ZAdMeJN.exe
  C:\Windows\System32\ZAdMeJN.exe
  2⤵
  PID:5576
- C:\Windows\System32\jciNquX.exe
  C:\Windows\System32\jciNquX.exe
  2⤵
  PID:5604
- C:\Windows\System32\hjlKdhE.exe
  C:\Windows\System32\hjlKdhE.exe
  2⤵
  PID:5632
- C:\Windows\System32\YAJcZTc.exe
  C:\Windows\System32\YAJcZTc.exe
  2⤵
  PID:5660
- C:\Windows\System32\LshMlKL.exe
  C:\Windows\System32\LshMlKL.exe
  2⤵
  PID:5688
- C:\Windows\System32\WCKiFxR.exe
  C:\Windows\System32\WCKiFxR.exe
  2⤵
  PID:5716
- C:\Windows\System32\EfvDXub.exe
  C:\Windows\System32\EfvDXub.exe
  2⤵
  PID:5744
- C:\Windows\System32\ZGgVLHR.exe
  C:\Windows\System32\ZGgVLHR.exe
  2⤵
  PID:5780
- C:\Windows\System32\nVfHPBC.exe
  C:\Windows\System32\nVfHPBC.exe
  2⤵
  PID:5800
- C:\Windows\System32\UxqJcBO.exe
  C:\Windows\System32\UxqJcBO.exe
  2⤵
  PID:5828
- C:\Windows\System32\Rvoenyt.exe
  C:\Windows\System32\Rvoenyt.exe
  2⤵
  PID:5856
- C:\Windows\System32\TvjTaiq.exe
  C:\Windows\System32\TvjTaiq.exe
  2⤵
  PID:5884
- C:\Windows\System32\LQnfSxt.exe
  C:\Windows\System32\LQnfSxt.exe
  2⤵
  PID:5912
- C:\Windows\System32\wqbrcmS.exe
  C:\Windows\System32\wqbrcmS.exe
  2⤵
  PID:5940
- C:\Windows\System32\HfXNyKk.exe
  C:\Windows\System32\HfXNyKk.exe
  2⤵
  PID:5968
- C:\Windows\System32\xjCHsol.exe
  C:\Windows\System32\xjCHsol.exe
  2⤵
  PID:5996
- C:\Windows\System32\UaruKxL.exe
  C:\Windows\System32\UaruKxL.exe
  2⤵
  PID:6024
- C:\Windows\System32\ivHcJMy.exe
  C:\Windows\System32\ivHcJMy.exe
  2⤵
  PID:6052
- C:\Windows\System32\CDAFSEi.exe
  C:\Windows\System32\CDAFSEi.exe
  2⤵
  PID:6080
- C:\Windows\System32\gnIxeSh.exe
  C:\Windows\System32\gnIxeSh.exe
  2⤵
  PID:6108
- C:\Windows\System32\qqfdxVN.exe
  C:\Windows\System32\qqfdxVN.exe
  2⤵
  PID:6136
- C:\Windows\System32\edvaoRc.exe
  C:\Windows\System32\edvaoRc.exe
  2⤵
  PID:3752
- C:\Windows\System32\gvPooPp.exe
  C:\Windows\System32\gvPooPp.exe
  2⤵
  PID:4128
- C:\Windows\System32\znUEtMF.exe
  C:\Windows\System32\znUEtMF.exe
  2⤵
  PID:1092
- C:\Windows\System32\psasgcZ.exe
  C:\Windows\System32\psasgcZ.exe
  2⤵
  PID:3204
- C:\Windows\System32\LhqUDsF.exe
  C:\Windows\System32\LhqUDsF.exe
  2⤵
  PID:2496
- C:\Windows\System32\ryJzixB.exe
  C:\Windows\System32\ryJzixB.exe
  2⤵
  PID:4900
- C:\Windows\System32\tlAlaNz.exe
  C:\Windows\System32\tlAlaNz.exe
  2⤵
  PID:3464
- C:\Windows\System32\mnvfZEN.exe
  C:\Windows\System32\mnvfZEN.exe
  2⤵
  PID:5164
- C:\Windows\System32\RsDTmPb.exe
  C:\Windows\System32\RsDTmPb.exe
  2⤵
  PID:5232
- C:\Windows\System32\uFoSeRm.exe
  C:\Windows\System32\uFoSeRm.exe
  2⤵
  PID:5312
- C:\Windows\System32\NnRNPiR.exe
  C:\Windows\System32\NnRNPiR.exe
  2⤵
  PID:5360
- C:\Windows\System32\LZEaGWh.exe
  C:\Windows\System32\LZEaGWh.exe
  2⤵
  PID:5428
- C:\Windows\System32\OKHbiwb.exe
  C:\Windows\System32\OKHbiwb.exe
  2⤵
  PID:5508
- C:\Windows\System32\JCfydxb.exe
  C:\Windows\System32\JCfydxb.exe
  2⤵
  PID:5556
- C:\Windows\System32\qmqDEbG.exe
  C:\Windows\System32\qmqDEbG.exe
  2⤵
  PID:5624
- C:\Windows\System32\PmWgMyu.exe
  C:\Windows\System32\PmWgMyu.exe
  2⤵
  PID:5704
- C:\Windows\System32\FEGDgEs.exe
  C:\Windows\System32\FEGDgEs.exe
  2⤵
  PID:5752
- C:\Windows\System32\BFERPuG.exe
  C:\Windows\System32\BFERPuG.exe
  2⤵
  PID:5820
- C:\Windows\System32\eHPIORv.exe
  C:\Windows\System32\eHPIORv.exe
  2⤵
  PID:5900
- C:\Windows\System32\qtwqdyZ.exe
  C:\Windows\System32\qtwqdyZ.exe
  2⤵
  PID:5960
- C:\Windows\System32\sibjqXh.exe
  C:\Windows\System32\sibjqXh.exe
  2⤵
  PID:6032
- C:\Windows\System32\ZUYHbcr.exe
  C:\Windows\System32\ZUYHbcr.exe
  2⤵
  PID:6096
- C:\Windows\System32\lPrAbBn.exe
  C:\Windows\System32\lPrAbBn.exe
  2⤵
  PID:4652
- C:\Windows\System32\AWLiAUW.exe
  C:\Windows\System32\AWLiAUW.exe
  2⤵
  PID:3844
- C:\Windows\System32\cmVDIig.exe
  C:\Windows\System32\cmVDIig.exe
  2⤵
  PID:968
- C:\Windows\System32\LGOmwNX.exe
  C:\Windows\System32\LGOmwNX.exe
  2⤵
  PID:1972
- C:\Windows\System32\wSYHvCn.exe
  C:\Windows\System32\wSYHvCn.exe
  2⤵
  PID:5276
- C:\Windows\System32\DISqfnW.exe
  C:\Windows\System32\DISqfnW.exe
  2⤵
  PID:5480
- C:\Windows\System32\YWUFPEg.exe
  C:\Windows\System32\YWUFPEg.exe
  2⤵
  PID:5676
- C:\Windows\System32\CatuWQL.exe
  C:\Windows\System32\CatuWQL.exe
  2⤵
  PID:6164
- C:\Windows\System32\TQKrGVj.exe
  C:\Windows\System32\TQKrGVj.exe
  2⤵
  PID:6200
- C:\Windows\System32\zPbRSqp.exe
  C:\Windows\System32\zPbRSqp.exe
  2⤵
  PID:6220
- C:\Windows\System32\CtICwFS.exe
  C:\Windows\System32\CtICwFS.exe
  2⤵
  PID:6248
- C:\Windows\System32\KsQoWOt.exe
  C:\Windows\System32\KsQoWOt.exe
  2⤵
  PID:6276
- C:\Windows\System32\AJKIIJZ.exe
  C:\Windows\System32\AJKIIJZ.exe
  2⤵
  PID:6304
- C:\Windows\System32\bBmREgw.exe
  C:\Windows\System32\bBmREgw.exe
  2⤵
  PID:6332
- C:\Windows\System32\rOxsKgY.exe
  C:\Windows\System32\rOxsKgY.exe
  2⤵
  PID:6360
- C:\Windows\System32\jKpQXMh.exe
  C:\Windows\System32\jKpQXMh.exe
  2⤵
  PID:6388
- C:\Windows\System32\ADKnbqY.exe
  C:\Windows\System32\ADKnbqY.exe
  2⤵
  PID:6416
- C:\Windows\System32\ICCHAcC.exe
  C:\Windows\System32\ICCHAcC.exe
  2⤵
  PID:6444
- C:\Windows\System32\qyWijxb.exe
  C:\Windows\System32\qyWijxb.exe
  2⤵
  PID:6472
- C:\Windows\System32\nIxysyN.exe
  C:\Windows\System32\nIxysyN.exe
  2⤵
  PID:6500
- C:\Windows\System32\KGurVFI.exe
  C:\Windows\System32\KGurVFI.exe
  2⤵
  PID:6528
- C:\Windows\System32\xHIscoV.exe
  C:\Windows\System32\xHIscoV.exe
  2⤵
  PID:6556
- C:\Windows\System32\uHsLaDT.exe
  C:\Windows\System32\uHsLaDT.exe
  2⤵
  PID:6584
- C:\Windows\System32\DfRKexP.exe
  C:\Windows\System32\DfRKexP.exe
  2⤵
  PID:6612
- C:\Windows\System32\ewmpiVu.exe
  C:\Windows\System32\ewmpiVu.exe
  2⤵
  PID:6640
- C:\Windows\System32\xvQCdqR.exe
  C:\Windows\System32\xvQCdqR.exe
  2⤵
  PID:6668
- C:\Windows\System32\JViYkvn.exe
  C:\Windows\System32\JViYkvn.exe
  2⤵
  PID:6696
- C:\Windows\System32\CWpMgoM.exe
  C:\Windows\System32\CWpMgoM.exe
  2⤵
  PID:6724
- C:\Windows\System32\ByCHGyS.exe
  C:\Windows\System32\ByCHGyS.exe
  2⤵
  PID:6752
- C:\Windows\System32\uJNMEBo.exe
  C:\Windows\System32\uJNMEBo.exe
  2⤵
  PID:6780
- C:\Windows\System32\LtXBExM.exe
  C:\Windows\System32\LtXBExM.exe
  2⤵
  PID:6808
- C:\Windows\System32\WQROlbz.exe
  C:\Windows\System32\WQROlbz.exe
  2⤵
  PID:6836
- C:\Windows\System32\VgUxCny.exe
  C:\Windows\System32\VgUxCny.exe
  2⤵
  PID:6864
- C:\Windows\System32\mmLuPgT.exe
  C:\Windows\System32\mmLuPgT.exe
  2⤵
  PID:6892
- C:\Windows\System32\QhuRYQm.exe
  C:\Windows\System32\QhuRYQm.exe
  2⤵
  PID:6920
- C:\Windows\System32\FNSNTGH.exe
  C:\Windows\System32\FNSNTGH.exe
  2⤵
  PID:6948
- C:\Windows\System32\YjokeNg.exe
  C:\Windows\System32\YjokeNg.exe
  2⤵
  PID:6976
- C:\Windows\System32\VdoRkTS.exe
  C:\Windows\System32\VdoRkTS.exe
  2⤵
  PID:7004
- C:\Windows\System32\YpIKwco.exe
  C:\Windows\System32\YpIKwco.exe
  2⤵
  PID:7032
- C:\Windows\System32\RIBqeZm.exe
  C:\Windows\System32\RIBqeZm.exe
  2⤵
  PID:7060
- C:\Windows\System32\xIqpGQJ.exe
  C:\Windows\System32\xIqpGQJ.exe
  2⤵
  PID:7088
- C:\Windows\System32\kXGceqY.exe
  C:\Windows\System32\kXGceqY.exe
  2⤵
  PID:7116
- C:\Windows\System32\xUvLDSa.exe
  C:\Windows\System32\xUvLDSa.exe
  2⤵
  PID:7144
- C:\Windows\System32\rdWrHLD.exe
  C:\Windows\System32\rdWrHLD.exe
  2⤵
  PID:5668
- C:\Windows\System32\FpLzKkb.exe
  C:\Windows\System32\FpLzKkb.exe
  2⤵
  PID:5872
- C:\Windows\System32\aszqPGp.exe
  C:\Windows\System32\aszqPGp.exe
  2⤵
  PID:6004
- C:\Windows\System32\IyNyGTo.exe
  C:\Windows\System32\IyNyGTo.exe
  2⤵
  PID:6128
- C:\Windows\System32\HWIVvXp.exe
  C:\Windows\System32\HWIVvXp.exe
  2⤵
  PID:1904
- C:\Windows\System32\zjgyyLK.exe
  C:\Windows\System32\zjgyyLK.exe
  2⤵
  PID:5316
- C:\Windows\System32\dmeyXTl.exe
  C:\Windows\System32\dmeyXTl.exe
  2⤵
  PID:6160
- C:\Windows\System32\cfpqSrh.exe
  C:\Windows\System32\cfpqSrh.exe
  2⤵
  PID:6236
- C:\Windows\System32\vrgOmEE.exe
  C:\Windows\System32\vrgOmEE.exe
  2⤵
  PID:6284
- C:\Windows\System32\mWaQIGL.exe
  C:\Windows\System32\mWaQIGL.exe
  2⤵
  PID:6352
- C:\Windows\System32\tWjqvKK.exe
  C:\Windows\System32\tWjqvKK.exe
  2⤵
  PID:6432
- C:\Windows\System32\esIPLrX.exe
  C:\Windows\System32\esIPLrX.exe
  2⤵
  PID:6480
- C:\Windows\System32\ZYjxNhj.exe
  C:\Windows\System32\ZYjxNhj.exe
  2⤵
  PID:6548
- C:\Windows\System32\vOYYBmf.exe
  C:\Windows\System32\vOYYBmf.exe
  2⤵
  PID:6628
- C:\Windows\System32\MYzeIHy.exe
  C:\Windows\System32\MYzeIHy.exe
  2⤵
  PID:6676
- C:\Windows\System32\yevQGaj.exe
  C:\Windows\System32\yevQGaj.exe
  2⤵
  PID:6744
- C:\Windows\System32\rpecxDn.exe
  C:\Windows\System32\rpecxDn.exe
  2⤵
  PID:6788
- C:\Windows\System32\MWVSojV.exe
  C:\Windows\System32\MWVSojV.exe
  2⤵
  PID:6856
- C:\Windows\System32\JuloioK.exe
  C:\Windows\System32\JuloioK.exe
  2⤵
  PID:6936
- C:\Windows\System32\dGyyZoR.exe
  C:\Windows\System32\dGyyZoR.exe
  2⤵
  PID:6984
- C:\Windows\System32\yJctpmg.exe
  C:\Windows\System32\yJctpmg.exe
  2⤵
  PID:7052
- C:\Windows\System32\URzsFBj.exe
  C:\Windows\System32\URzsFBj.exe
  2⤵
  PID:7132
- C:\Windows\System32\xGDDQZE.exe
  C:\Windows\System32\xGDDQZE.exe
  2⤵
  PID:5708
- C:\Windows\System32\oRjulBv.exe
  C:\Windows\System32\oRjulBv.exe
  2⤵
  PID:6116
- C:\Windows\System32\sHuWRCs.exe
  C:\Windows\System32\sHuWRCs.exe
  2⤵
  PID:5472
- C:\Windows\System32\CCRtiCq.exe
  C:\Windows\System32\CCRtiCq.exe
  2⤵
  PID:6240
- C:\Windows\System32\leRgYlm.exe
  C:\Windows\System32\leRgYlm.exe
  2⤵
  PID:6396
- C:\Windows\System32\OVgpRcf.exe
  C:\Windows\System32\OVgpRcf.exe
  2⤵
  PID:6600
- C:\Windows\System32\jWvSxMw.exe
  C:\Windows\System32\jWvSxMw.exe
  2⤵
  PID:6716
- C:\Windows\System32\fFqaxva.exe
  C:\Windows\System32\fFqaxva.exe
  2⤵
  PID:6824
- C:\Windows\System32\tEEAzvS.exe
  C:\Windows\System32\tEEAzvS.exe
  2⤵
  PID:6968
- C:\Windows\System32\WLsaWGp.exe
  C:\Windows\System32\WLsaWGp.exe
  2⤵
  PID:7192
- C:\Windows\System32\nwqFzQL.exe
  C:\Windows\System32\nwqFzQL.exe
  2⤵
  PID:7220
- C:\Windows\System32\MNuqQoV.exe
  C:\Windows\System32\MNuqQoV.exe
  2⤵
  PID:7248
- C:\Windows\System32\shFoYcf.exe
  C:\Windows\System32\shFoYcf.exe
  2⤵
  PID:7276
- C:\Windows\System32\KexOcAq.exe
  C:\Windows\System32\KexOcAq.exe
  2⤵
  PID:7304
- C:\Windows\System32\LmLjIMt.exe
  C:\Windows\System32\LmLjIMt.exe
  2⤵
  PID:7332
- C:\Windows\System32\TChjSGA.exe
  C:\Windows\System32\TChjSGA.exe
  2⤵
  PID:7360
- C:\Windows\System32\gXAskVP.exe
  C:\Windows\System32\gXAskVP.exe
  2⤵
  PID:7396
- C:\Windows\System32\FNFjweU.exe
  C:\Windows\System32\FNFjweU.exe
  2⤵
  PID:7416
- C:\Windows\System32\WJXBAiZ.exe
  C:\Windows\System32\WJXBAiZ.exe
  2⤵
  PID:7444
- C:\Windows\System32\jOVzUyq.exe
  C:\Windows\System32\jOVzUyq.exe
  2⤵
  PID:7472
- C:\Windows\System32\iibvLnP.exe
  C:\Windows\System32\iibvLnP.exe
  2⤵
  PID:7500
- C:\Windows\System32\iuUpJob.exe
  C:\Windows\System32\iuUpJob.exe
  2⤵
  PID:7528
- C:\Windows\System32\YDyItwT.exe
  C:\Windows\System32\YDyItwT.exe
  2⤵
  PID:7556
- C:\Windows\System32\akudBFh.exe
  C:\Windows\System32\akudBFh.exe
  2⤵
  PID:7584
- C:\Windows\System32\kcGYdXc.exe
  C:\Windows\System32\kcGYdXc.exe
  2⤵
  PID:7612
- C:\Windows\System32\vtrABpM.exe
  C:\Windows\System32\vtrABpM.exe
  2⤵
  PID:7640
- C:\Windows\System32\lrPQIfu.exe
  C:\Windows\System32\lrPQIfu.exe
  2⤵
  PID:7680
- C:\Windows\System32\IDUTDIq.exe
  C:\Windows\System32\IDUTDIq.exe
  2⤵
  PID:7696
- C:\Windows\System32\UWUrtNw.exe
  C:\Windows\System32\UWUrtNw.exe
  2⤵
  PID:7724
- C:\Windows\System32\jgDgHOa.exe
  C:\Windows\System32\jgDgHOa.exe
  2⤵
  PID:7760
- C:\Windows\System32\fNzQMuL.exe
  C:\Windows\System32\fNzQMuL.exe
  2⤵
  PID:7788
- C:\Windows\System32\RjPayyP.exe
  C:\Windows\System32\RjPayyP.exe
  2⤵
  PID:7808
- C:\Windows\System32\MESVVwt.exe
  C:\Windows\System32\MESVVwt.exe
  2⤵
  PID:7836
- C:\Windows\System32\gayZvxU.exe
  C:\Windows\System32\gayZvxU.exe
  2⤵
  PID:7864
- C:\Windows\System32\NZjdhvb.exe
  C:\Windows\System32\NZjdhvb.exe
  2⤵
  PID:7892
- C:\Windows\System32\aUabFTa.exe
  C:\Windows\System32\aUabFTa.exe
  2⤵
  PID:7920
- C:\Windows\System32\BtfejVY.exe
  C:\Windows\System32\BtfejVY.exe
  2⤵
  PID:7948
- C:\Windows\System32\vanwcaU.exe
  C:\Windows\System32\vanwcaU.exe
  2⤵
  PID:7976
- C:\Windows\System32\YHnFsVc.exe
  C:\Windows\System32\YHnFsVc.exe
  2⤵
  PID:8004
- C:\Windows\System32\UUsgkLm.exe
  C:\Windows\System32\UUsgkLm.exe
  2⤵
  PID:8040
- C:\Windows\System32\MXwAfRX.exe
  C:\Windows\System32\MXwAfRX.exe
  2⤵
  PID:8060
- C:\Windows\System32\HMnSYfL.exe
  C:\Windows\System32\HMnSYfL.exe
  2⤵
  PID:8088
- C:\Windows\System32\cnYWWhu.exe
  C:\Windows\System32\cnYWWhu.exe
  2⤵
  PID:8124
- C:\Windows\System32\aVuPxqJ.exe
  C:\Windows\System32\aVuPxqJ.exe
  2⤵
  PID:8144
- C:\Windows\System32\gwkfMHA.exe
  C:\Windows\System32\gwkfMHA.exe
  2⤵
  PID:8172
- C:\Windows\System32\SevkdMU.exe
  C:\Windows\System32\SevkdMU.exe
  2⤵
  PID:7104
- C:\Windows\System32\rPQRGQI.exe
  C:\Windows\System32\rPQRGQI.exe
  2⤵
  PID:5932
- C:\Windows\System32\nYVgmvy.exe
  C:\Windows\System32\nYVgmvy.exe
  2⤵
  PID:6208
- C:\Windows\System32\NBYNwDT.exe
  C:\Windows\System32\NBYNwDT.exe
  2⤵
  PID:6648
- C:\Windows\System32\HeHvcei.exe
  C:\Windows\System32\HeHvcei.exe
  2⤵
  PID:6956
- C:\Windows\System32\FJnFWsO.exe
  C:\Windows\System32\FJnFWsO.exe
  2⤵
  PID:7212
- C:\Windows\System32\IKvRPBo.exe
  C:\Windows\System32\IKvRPBo.exe
  2⤵
  PID:7296
- C:\Windows\System32\voffFot.exe
  C:\Windows\System32\voffFot.exe
  2⤵
  PID:7368
- C:\Windows\System32\HcAMAzI.exe
  C:\Windows\System32\HcAMAzI.exe
  2⤵
  PID:7404
- C:\Windows\System32\gjMrzMJ.exe
  C:\Windows\System32\gjMrzMJ.exe
  2⤵
  PID:7452
- C:\Windows\System32\ethMkCs.exe
  C:\Windows\System32\ethMkCs.exe
  2⤵
  PID:7536
- C:\Windows\System32\etipHpY.exe
  C:\Windows\System32\etipHpY.exe
  2⤵
  PID:7592
- C:\Windows\System32\qloTKjW.exe
  C:\Windows\System32\qloTKjW.exe
  2⤵
  PID:7672
- C:\Windows\System32\EwXOokp.exe
  C:\Windows\System32\EwXOokp.exe
  2⤵
  PID:7744
- C:\Windows\System32\pFENzVO.exe
  C:\Windows\System32\pFENzVO.exe
  2⤵
  PID:4876
- C:\Windows\System32\LPXoZFS.exe
  C:\Windows\System32\LPXoZFS.exe
  2⤵
  PID:7844
- C:\Windows\System32\sNHaFxl.exe
  C:\Windows\System32\sNHaFxl.exe
  2⤵
  PID:7908
- C:\Windows\System32\vPIgxrw.exe
  C:\Windows\System32\vPIgxrw.exe
  2⤵
  PID:816
- C:\Windows\System32\lSdEHrg.exe
  C:\Windows\System32\lSdEHrg.exe
  2⤵
  PID:8028
- C:\Windows\System32\fkSgvQq.exe
  C:\Windows\System32\fkSgvQq.exe
  2⤵
  PID:8104
- C:\Windows\System32\zrRqkEU.exe
  C:\Windows\System32\zrRqkEU.exe
  2⤵
  PID:8140
- C:\Windows\System32\LvVHyvC.exe
  C:\Windows\System32\LvVHyvC.exe
  2⤵
  PID:1792
- C:\Windows\System32\IsWySYw.exe
  C:\Windows\System32\IsWySYw.exe
  2⤵
  PID:6712
- C:\Windows\System32\fQjsGaB.exe
  C:\Windows\System32\fQjsGaB.exe
  2⤵
  PID:7180
- C:\Windows\System32\TznlSMz.exe
  C:\Windows\System32\TznlSMz.exe
  2⤵
  PID:7312
- C:\Windows\System32\wslMlEz.exe
  C:\Windows\System32\wslMlEz.exe
  2⤵
  PID:7492
- C:\Windows\System32\UQYicDh.exe
  C:\Windows\System32\UQYicDh.exe
  2⤵
  PID:7656
- C:\Windows\System32\YkPrjij.exe
  C:\Windows\System32\YkPrjij.exe
  2⤵
  PID:7776
- C:\Windows\System32\GmYEuWL.exe
  C:\Windows\System32\GmYEuWL.exe
  2⤵
  PID:7928
- C:\Windows\System32\AHsNfoe.exe
  C:\Windows\System32\AHsNfoe.exe
  2⤵
  PID:8204
- C:\Windows\System32\njtCSan.exe
  C:\Windows\System32\njtCSan.exe
  2⤵
  PID:8232
- C:\Windows\System32\dGAaODq.exe
  C:\Windows\System32\dGAaODq.exe
  2⤵
  PID:8260
- C:\Windows\System32\QWgZLBQ.exe
  C:\Windows\System32\QWgZLBQ.exe
  2⤵
  PID:8288
- C:\Windows\System32\XwNEPnD.exe
  C:\Windows\System32\XwNEPnD.exe
  2⤵
  PID:8316
- C:\Windows\System32\HxOTPsg.exe
  C:\Windows\System32\HxOTPsg.exe
  2⤵
  PID:8344
- C:\Windows\System32\lolVbwR.exe
  C:\Windows\System32\lolVbwR.exe
  2⤵
  PID:8372
- C:\Windows\System32\PiyRyzE.exe
  C:\Windows\System32\PiyRyzE.exe
  2⤵
  PID:8400
- C:\Windows\System32\MiTJQXV.exe
  C:\Windows\System32\MiTJQXV.exe
  2⤵
  PID:8436
- C:\Windows\System32\cDcZrHi.exe
  C:\Windows\System32\cDcZrHi.exe
  2⤵
  PID:8464
- C:\Windows\System32\BXzPUdU.exe
  C:\Windows\System32\BXzPUdU.exe
  2⤵
  PID:8484
- C:\Windows\System32\INvDovE.exe
  C:\Windows\System32\INvDovE.exe
  2⤵
  PID:8512
- C:\Windows\System32\FdrpmnP.exe
  C:\Windows\System32\FdrpmnP.exe
  2⤵
  PID:8540
- C:\Windows\System32\AiAOpqY.exe
  C:\Windows\System32\AiAOpqY.exe
  2⤵
  PID:8568
- C:\Windows\System32\iNnXgBU.exe
  C:\Windows\System32\iNnXgBU.exe
  2⤵
  PID:8596
- C:\Windows\System32\CSJGbRI.exe
  C:\Windows\System32\CSJGbRI.exe
  2⤵
  PID:8624
- C:\Windows\System32\PYXZEfo.exe
  C:\Windows\System32\PYXZEfo.exe
  2⤵
  PID:8660
- C:\Windows\System32\TtnahVY.exe
  C:\Windows\System32\TtnahVY.exe
  2⤵
  PID:8680
- C:\Windows\System32\GVIwtLP.exe
  C:\Windows\System32\GVIwtLP.exe
  2⤵
  PID:8716
- C:\Windows\System32\JXqjmJs.exe
  C:\Windows\System32\JXqjmJs.exe
  2⤵
  PID:8736
- C:\Windows\System32\UsKRgQO.exe
  C:\Windows\System32\UsKRgQO.exe
  2⤵
  PID:8764
- C:\Windows\System32\retsOXk.exe
  C:\Windows\System32\retsOXk.exe
  2⤵
  PID:8792
- C:\Windows\System32\mgYMeJQ.exe
  C:\Windows\System32\mgYMeJQ.exe
  2⤵
  PID:8820
- C:\Windows\System32\rcfvKCY.exe
  C:\Windows\System32\rcfvKCY.exe
  2⤵
  PID:8848
- C:\Windows\System32\XwnChNX.exe
  C:\Windows\System32\XwnChNX.exe
  2⤵
  PID:8876
- C:\Windows\System32\oCKtuvn.exe
  C:\Windows\System32\oCKtuvn.exe
  2⤵
  PID:8904
- C:\Windows\System32\dqqtddR.exe
  C:\Windows\System32\dqqtddR.exe
  2⤵
  PID:8932
- C:\Windows\System32\VeQeyeY.exe
  C:\Windows\System32\VeQeyeY.exe
  2⤵
  PID:8960
- C:\Windows\System32\PPFOPEF.exe
  C:\Windows\System32\PPFOPEF.exe
  2⤵
  PID:8988
- C:\Windows\System32\QTEADbL.exe
  C:\Windows\System32\QTEADbL.exe
  2⤵
  PID:9016
- C:\Windows\System32\inwnjcT.exe
  C:\Windows\System32\inwnjcT.exe
  2⤵
  PID:9044
- C:\Windows\System32\dSkvjqm.exe
  C:\Windows\System32\dSkvjqm.exe
  2⤵
  PID:9080
- C:\Windows\System32\jbtkQfR.exe
  C:\Windows\System32\jbtkQfR.exe
  2⤵
  PID:9108
- C:\Windows\System32\HJrKRQx.exe
  C:\Windows\System32\HJrKRQx.exe
  2⤵
  PID:9128
- C:\Windows\System32\leOBvvB.exe
  C:\Windows\System32\leOBvvB.exe
  2⤵
  PID:9156
- C:\Windows\System32\aVLHLBR.exe
  C:\Windows\System32\aVLHLBR.exe
  2⤵
  PID:9184
- C:\Windows\System32\DBJrWcm.exe
  C:\Windows\System32\DBJrWcm.exe
  2⤵
  PID:9212
- C:\Windows\System32\EVSKyra.exe
  C:\Windows\System32\EVSKyra.exe
  2⤵
  PID:8080
- C:\Windows\System32\jLYItlx.exe
  C:\Windows\System32\jLYItlx.exe
  2⤵
  PID:6172
- C:\Windows\System32\VDuvvEJ.exe
  C:\Windows\System32\VDuvvEJ.exe
  2⤵
  PID:4564
- C:\Windows\System32\BdFxOlk.exe
  C:\Windows\System32\BdFxOlk.exe
  2⤵
  PID:820
- C:\Windows\System32\ELcUwzA.exe
  C:\Windows\System32\ELcUwzA.exe
  2⤵
  PID:8212
- C:\Windows\System32\FUDjEln.exe
  C:\Windows\System32\FUDjEln.exe
  2⤵
  PID:8304
- C:\Windows\System32\pIGAtBF.exe
  C:\Windows\System32\pIGAtBF.exe
  2⤵
  PID:8324
- C:\Windows\System32\fYObWxh.exe
  C:\Windows\System32\fYObWxh.exe
  2⤵
  PID:8392
- C:\Windows\System32\jfptgnW.exe
  C:\Windows\System32\jfptgnW.exe
  2⤵
  PID:8432
- C:\Windows\System32\vxUbnQu.exe
  C:\Windows\System32\vxUbnQu.exe
  2⤵
  PID:8520
- C:\Windows\System32\ihShrPT.exe
  C:\Windows\System32\ihShrPT.exe
  2⤵
  PID:3676
- C:\Windows\System32\CzWxSbH.exe
  C:\Windows\System32\CzWxSbH.exe
  2⤵
  PID:8616
- C:\Windows\System32\WinqQee.exe
  C:\Windows\System32\WinqQee.exe
  2⤵
  PID:8656
- C:\Windows\System32\FmdmtpM.exe
  C:\Windows\System32\FmdmtpM.exe
  2⤵
  PID:8700
- C:\Windows\System32\ZDrxvkG.exe
  C:\Windows\System32\ZDrxvkG.exe
  2⤵
  PID:2316
- C:\Windows\System32\bvtaWTW.exe
  C:\Windows\System32\bvtaWTW.exe
  2⤵
  PID:8808
- C:\Windows\System32\sevYAOm.exe
  C:\Windows\System32\sevYAOm.exe
  2⤵
  PID:8836
- C:\Windows\System32\iWLtiHq.exe
  C:\Windows\System32\iWLtiHq.exe
  2⤵
  PID:3128
- C:\Windows\System32\vFQRpSc.exe
  C:\Windows\System32\vFQRpSc.exe
  2⤵
  PID:8980
- C:\Windows\System32\Uqernqh.exe
  C:\Windows\System32\Uqernqh.exe
  2⤵
  PID:9024
- C:\Windows\System32\KuXwoqs.exe
  C:\Windows\System32\KuXwoqs.exe
  2⤵
  PID:9104
- C:\Windows\System32\BEDuKCH.exe
  C:\Windows\System32\BEDuKCH.exe
  2⤵
  PID:9148
- C:\Windows\System32\ddkqWWT.exe
  C:\Windows\System32\ddkqWWT.exe
  2⤵
  PID:4484
- C:\Windows\System32\VKUdnHy.exe
  C:\Windows\System32\VKUdnHy.exe
  2⤵
  PID:1696
- C:\Windows\System32\DPiuKnZ.exe
  C:\Windows\System32\DPiuKnZ.exe
  2⤵
  PID:3800
- C:\Windows\System32\QDUDffh.exe
  C:\Windows\System32\QDUDffh.exe
  2⤵
  PID:4072
- C:\Windows\System32\yCeQABD.exe
  C:\Windows\System32\yCeQABD.exe
  2⤵
  PID:7768
- C:\Windows\System32\cNravti.exe
  C:\Windows\System32\cNravti.exe
  2⤵
  PID:8220
- C:\Windows\System32\aaaspgo.exe
  C:\Windows\System32\aaaspgo.exe
  2⤵
  PID:4196
- C:\Windows\System32\SQdpyhq.exe
  C:\Windows\System32\SQdpyhq.exe
  2⤵
  PID:2856
- C:\Windows\System32\LYazAPv.exe
  C:\Windows\System32\LYazAPv.exe
  2⤵
  PID:8576
- C:\Windows\System32\nakMYRc.exe
  C:\Windows\System32\nakMYRc.exe
  2⤵
  PID:8864
- C:\Windows\System32\VrCDxbR.exe
  C:\Windows\System32\VrCDxbR.exe
  2⤵
  PID:1844
- C:\Windows\System32\wvxiioz.exe
  C:\Windows\System32\wvxiioz.exe
  2⤵
  PID:9008
- C:\Windows\System32\tzPJKaL.exe
  C:\Windows\System32\tzPJKaL.exe
  2⤵
  PID:9068
- C:\Windows\System32\LCOYUwa.exe
  C:\Windows\System32\LCOYUwa.exe
  2⤵
  PID:9172
- C:\Windows\System32\RVQtdaN.exe
  C:\Windows\System32\RVQtdaN.exe
  2⤵
  PID:9192
- C:\Windows\System32\thgyaGn.exe
  C:\Windows\System32\thgyaGn.exe
  2⤵
  PID:7516
- C:\Windows\System32\TWBOCbO.exe
  C:\Windows\System32\TWBOCbO.exe
  2⤵
  PID:8452
- C:\Windows\System32\VsxMMcl.exe
  C:\Windows\System32\VsxMMcl.exe
  2⤵
  PID:1780
- C:\Windows\System32\vghOIfw.exe
  C:\Windows\System32\vghOIfw.exe
  2⤵
  PID:1192
- C:\Windows\System32\JhmJvtc.exe
  C:\Windows\System32\JhmJvtc.exe
  2⤵
  PID:2116
- C:\Windows\System32\HsDfnhe.exe
  C:\Windows\System32\HsDfnhe.exe
  2⤵
  PID:9220
- C:\Windows\System32\hYBWEEf.exe
  C:\Windows\System32\hYBWEEf.exe
  2⤵
  PID:9240
- C:\Windows\System32\ysrqZuR.exe
  C:\Windows\System32\ysrqZuR.exe
  2⤵
  PID:9268
- C:\Windows\System32\QEJXBNk.exe
  C:\Windows\System32\QEJXBNk.exe
  2⤵
  PID:9296
- C:\Windows\System32\sYnLRoQ.exe
  C:\Windows\System32\sYnLRoQ.exe
  2⤵
  PID:9324
- C:\Windows\System32\kQdsfSQ.exe
  C:\Windows\System32\kQdsfSQ.exe
  2⤵
  PID:9352
- C:\Windows\System32\iXWCeAe.exe
  C:\Windows\System32\iXWCeAe.exe
  2⤵
  PID:9380
- C:\Windows\System32\PTlDDDQ.exe
  C:\Windows\System32\PTlDDDQ.exe
  2⤵
  PID:9408
- C:\Windows\System32\aeEjMxY.exe
  C:\Windows\System32\aeEjMxY.exe
  2⤵
  PID:9436
- C:\Windows\System32\iXyDSwU.exe
  C:\Windows\System32\iXyDSwU.exe
  2⤵
  PID:9464
- C:\Windows\System32\ptqAlqH.exe
  C:\Windows\System32\ptqAlqH.exe
  2⤵
  PID:9492
- C:\Windows\System32\sNmWUlw.exe
  C:\Windows\System32\sNmWUlw.exe
  2⤵
  PID:9532
- C:\Windows\System32\vphIFeU.exe
  C:\Windows\System32\vphIFeU.exe
  2⤵
  PID:9548
- C:\Windows\System32\CxoJnfJ.exe
  C:\Windows\System32\CxoJnfJ.exe
  2⤵
  PID:9576
- C:\Windows\System32\ONegNom.exe
  C:\Windows\System32\ONegNom.exe
  2⤵
  PID:9604
- C:\Windows\System32\uxXWfZv.exe
  C:\Windows\System32\uxXWfZv.exe
  2⤵
  PID:9632
- C:\Windows\System32\SBdGvxo.exe
  C:\Windows\System32\SBdGvxo.exe
  2⤵
  PID:9660
- C:\Windows\System32\fDgjprJ.exe
  C:\Windows\System32\fDgjprJ.exe
  2⤵
  PID:9688
- C:\Windows\System32\wrzccZD.exe
  C:\Windows\System32\wrzccZD.exe
  2⤵
  PID:9728
- C:\Windows\System32\FcVSfTl.exe
  C:\Windows\System32\FcVSfTl.exe
  2⤵
  PID:9752
- C:\Windows\System32\gXiSwoD.exe
  C:\Windows\System32\gXiSwoD.exe
  2⤵
  PID:9780
- C:\Windows\System32\ugeTLkO.exe
  C:\Windows\System32\ugeTLkO.exe
  2⤵
  PID:9800
- C:\Windows\System32\CYRUlEL.exe
  C:\Windows\System32\CYRUlEL.exe
  2⤵
  PID:9828
- C:\Windows\System32\XADzqjc.exe
  C:\Windows\System32\XADzqjc.exe
  2⤵
  PID:9856
- C:\Windows\System32\LhdZwRX.exe
  C:\Windows\System32\LhdZwRX.exe
  2⤵
  PID:9884
- C:\Windows\System32\HMxIlMb.exe
  C:\Windows\System32\HMxIlMb.exe
  2⤵
  PID:9912
- C:\Windows\System32\JOehyEq.exe
  C:\Windows\System32\JOehyEq.exe
  2⤵
  PID:9940
- C:\Windows\System32\CkAYOSU.exe
  C:\Windows\System32\CkAYOSU.exe
  2⤵
  PID:9968
- C:\Windows\System32\JHropPX.exe
  C:\Windows\System32\JHropPX.exe
  2⤵
  PID:9996
- C:\Windows\System32\ZNgcbKt.exe
  C:\Windows\System32\ZNgcbKt.exe
  2⤵
  PID:10024
- C:\Windows\System32\lEbGXOA.exe
  C:\Windows\System32\lEbGXOA.exe
  2⤵
  PID:10060
- C:\Windows\System32\wARONYg.exe
  C:\Windows\System32\wARONYg.exe
  2⤵
  PID:10088
- C:\Windows\System32\dyJENDO.exe
  C:\Windows\System32\dyJENDO.exe
  2⤵
  PID:10116
- C:\Windows\System32\pAAIDzO.exe
  C:\Windows\System32\pAAIDzO.exe
  2⤵
  PID:10136
- C:\Windows\System32\vIjKfNw.exe
  C:\Windows\System32\vIjKfNw.exe
  2⤵
  PID:10164
- C:\Windows\System32\fqQbrAx.exe
  C:\Windows\System32\fqQbrAx.exe
  2⤵
  PID:10192
- C:\Windows\System32\bzCRmck.exe
  C:\Windows\System32\bzCRmck.exe
  2⤵
  PID:10220
- C:\Windows\System32\XziSlOv.exe
  C:\Windows\System32\XziSlOv.exe
  2⤵
  PID:8756
- C:\Windows\System32\IZWcutA.exe
  C:\Windows\System32\IZWcutA.exe
  2⤵
  PID:8668
- C:\Windows\System32\fvaSgMW.exe
  C:\Windows\System32\fvaSgMW.exe
  2⤵
  PID:9276
- C:\Windows\System32\dMHODvj.exe
  C:\Windows\System32\dMHODvj.exe
  2⤵
  PID:9344
- C:\Windows\System32\WkmwDlY.exe
  C:\Windows\System32\WkmwDlY.exe
  2⤵
  PID:9424
- C:\Windows\System32\PqVBMbn.exe
  C:\Windows\System32\PqVBMbn.exe
  2⤵
  PID:9472
- C:\Windows\System32\iBXLkmL.exe
  C:\Windows\System32\iBXLkmL.exe
  2⤵
  PID:9544
- C:\Windows\System32\spEGiFg.exe
  C:\Windows\System32\spEGiFg.exe
  2⤵
  PID:9620
- C:\Windows\System32\xKfLHMb.exe
  C:\Windows\System32\xKfLHMb.exe
  2⤵
  PID:9652
- C:\Windows\System32\AJiGQJh.exe
  C:\Windows\System32\AJiGQJh.exe
  2⤵
  PID:9720
- C:\Windows\System32\qRFKzQc.exe
  C:\Windows\System32\qRFKzQc.exe
  2⤵
  PID:9788
- C:\Windows\System32\CLziLnH.exe
  C:\Windows\System32\CLziLnH.exe
  2⤵
  PID:9900
- C:\Windows\System32\ViSXOLq.exe
  C:\Windows\System32\ViSXOLq.exe
  2⤵
  PID:9948
- C:\Windows\System32\UWfwSIY.exe
  C:\Windows\System32\UWfwSIY.exe
  2⤵
  PID:10084
- C:\Windows\System32\PDebzaC.exe
  C:\Windows\System32\PDebzaC.exe
  2⤵
  PID:10144
- C:\Windows\System32\ruaCGDv.exe
  C:\Windows\System32\ruaCGDv.exe
  2⤵
  PID:10212
- C:\Windows\System32\Jmgdjqc.exe
  C:\Windows\System32\Jmgdjqc.exe
  2⤵
  PID:8240
- C:\Windows\System32\AAUvenO.exe
  C:\Windows\System32\AAUvenO.exe
  2⤵
  PID:9360
- C:\Windows\System32\JqrvIeG.exe
  C:\Windows\System32\JqrvIeG.exe
  2⤵
  PID:9556
- C:\Windows\System32\vOckUBA.exe
  C:\Windows\System32\vOckUBA.exe
  2⤵
  PID:9704
- C:\Windows\System32\vBbsPDU.exe
  C:\Windows\System32\vBbsPDU.exe
  2⤵
  PID:3332
- C:\Windows\System32\tQoLnBm.exe
  C:\Windows\System32\tQoLnBm.exe
  2⤵
  PID:9760
- C:\Windows\System32\gIVXWqd.exe
  C:\Windows\System32\gIVXWqd.exe
  2⤵
  PID:8952
- C:\Windows\System32\MWVsdIs.exe
  C:\Windows\System32\MWVsdIs.exe
  2⤵
  PID:9976
- C:\Windows\System32\NcnVIZh.exe
  C:\Windows\System32\NcnVIZh.exe
  2⤵
  PID:10200
- C:\Windows\System32\ksJnrad.exe
  C:\Windows\System32\ksJnrad.exe
  2⤵
  PID:5060
- C:\Windows\System32\dnYkKRF.exe
  C:\Windows\System32\dnYkKRF.exe
  2⤵
  PID:9540
- C:\Windows\System32\xkuGxIr.exe
  C:\Windows\System32\xkuGxIr.exe
  2⤵
  PID:9768
- C:\Windows\System32\uHKXXjG.exe
  C:\Windows\System32\uHKXXjG.exe
  2⤵
  PID:10068
- C:\Windows\System32\UNbJCBI.exe
  C:\Windows\System32\UNbJCBI.exe
  2⤵
  PID:9596
- C:\Windows\System32\JQWhEqZ.exe
  C:\Windows\System32\JQWhEqZ.exe
  2⤵
  PID:9316
- C:\Windows\System32\BxrvjxU.exe
  C:\Windows\System32\BxrvjxU.exe
  2⤵
  PID:4548
- C:\Windows\System32\ANhtCvw.exe
  C:\Windows\System32\ANhtCvw.exe
  2⤵
  PID:10264
- C:\Windows\System32\bMNZlWs.exe
  C:\Windows\System32\bMNZlWs.exe
  2⤵
  PID:10300
- C:\Windows\System32\hmEePrg.exe
  C:\Windows\System32\hmEePrg.exe
  2⤵
  PID:10328
- C:\Windows\System32\EaCFrgx.exe
  C:\Windows\System32\EaCFrgx.exe
  2⤵
  PID:10344
- C:\Windows\System32\TBLXOJm.exe
  C:\Windows\System32\TBLXOJm.exe
  2⤵
  PID:10372
- C:\Windows\System32\ylyytdB.exe
  C:\Windows\System32\ylyytdB.exe
  2⤵
  PID:10412
- C:\Windows\System32\DYeNkYJ.exe
  C:\Windows\System32\DYeNkYJ.exe
  2⤵
  PID:10448
- C:\Windows\System32\oDcbjri.exe
  C:\Windows\System32\oDcbjri.exe
  2⤵
  PID:10476
- C:\Windows\System32\QvYqCAb.exe
  C:\Windows\System32\QvYqCAb.exe
  2⤵
  PID:10504
- C:\Windows\System32\ZfvYjCI.exe
  C:\Windows\System32\ZfvYjCI.exe
  2⤵
  PID:10532
- C:\Windows\System32\ynxifjE.exe
  C:\Windows\System32\ynxifjE.exe
  2⤵
  PID:10548
- C:\Windows\System32\cQbjZeI.exe
  C:\Windows\System32\cQbjZeI.exe
  2⤵
  PID:10588
- C:\Windows\System32\tyGKKLy.exe
  C:\Windows\System32\tyGKKLy.exe
  2⤵
  PID:10616
- C:\Windows\System32\olRjXhI.exe
  C:\Windows\System32\olRjXhI.exe
  2⤵
  PID:10640
- C:\Windows\System32\OEcJhds.exe
  C:\Windows\System32\OEcJhds.exe
  2⤵
  PID:10672
- C:\Windows\System32\AZocRMN.exe
  C:\Windows\System32\AZocRMN.exe
  2⤵
  PID:10700
- C:\Windows\System32\NoItPWt.exe
  C:\Windows\System32\NoItPWt.exe
  2⤵
  PID:10732
- C:\Windows\System32\PfrCszl.exe
  C:\Windows\System32\PfrCszl.exe
  2⤵
  PID:10760
- C:\Windows\System32\VZlLKHX.exe
  C:\Windows\System32\VZlLKHX.exe
  2⤵
  PID:10796
- C:\Windows\System32\YNtsimc.exe
  C:\Windows\System32\YNtsimc.exe
  2⤵
  PID:10844
- C:\Windows\System32\CDkUAXv.exe
  C:\Windows\System32\CDkUAXv.exe
  2⤵
  PID:10868
- C:\Windows\System32\dxdwKtW.exe
  C:\Windows\System32\dxdwKtW.exe
  2⤵
  PID:10892
- C:\Windows\System32\vqqUtOT.exe
  C:\Windows\System32\vqqUtOT.exe
  2⤵
  PID:10932
- C:\Windows\System32\vJTVdrd.exe
  C:\Windows\System32\vJTVdrd.exe
  2⤵
  PID:10960
- C:\Windows\System32\fknkWnf.exe
  C:\Windows\System32\fknkWnf.exe
  2⤵
  PID:10988
- C:\Windows\System32\dIALhhj.exe
  C:\Windows\System32\dIALhhj.exe
  2⤵
  PID:11016
- C:\Windows\System32\UqEoodD.exe
  C:\Windows\System32\UqEoodD.exe
  2⤵
  PID:11048
- C:\Windows\System32\Rcgyepw.exe
  C:\Windows\System32\Rcgyepw.exe
  2⤵
  PID:11072
- C:\Windows\System32\nZszQgm.exe
  C:\Windows\System32\nZszQgm.exe
  2⤵
  PID:11100
- C:\Windows\System32\DjQgDIN.exe
  C:\Windows\System32\DjQgDIN.exe
  2⤵
  PID:11128
- C:\Windows\System32\cDzhKqY.exe
  C:\Windows\System32\cDzhKqY.exe
  2⤵
  PID:11152
- C:\Windows\System32\jgPBQta.exe
  C:\Windows\System32\jgPBQta.exe
  2⤵
  PID:11184
- C:\Windows\System32\rUBwawq.exe
  C:\Windows\System32\rUBwawq.exe
  2⤵
  PID:11200
- C:\Windows\System32\ZMRkHyP.exe
  C:\Windows\System32\ZMRkHyP.exe
  2⤵
  PID:11236
- C:\Windows\System32\iHlUbaa.exe
  C:\Windows\System32\iHlUbaa.exe
  2⤵
  PID:9052
- C:\Windows\System32\QljGbjA.exe
  C:\Windows\System32\QljGbjA.exe
  2⤵
  PID:10320
- C:\Windows\System32\aJMxXep.exe
  C:\Windows\System32\aJMxXep.exe
  2⤵
  PID:10356
- C:\Windows\System32\ETsARrU.exe
  C:\Windows\System32\ETsARrU.exe
  2⤵
  PID:10420
- C:\Windows\System32\jXYpnEi.exe
  C:\Windows\System32\jXYpnEi.exe
  2⤵
  PID:10464
- C:\Windows\System32\WZOHmBy.exe
  C:\Windows\System32\WZOHmBy.exe
  2⤵
  PID:10012
- C:\Windows\System32\pPjvoVy.exe
  C:\Windows\System32\pPjvoVy.exe
  2⤵
  PID:10520
- C:\Windows\System32\aCoeuIL.exe
  C:\Windows\System32\aCoeuIL.exe
  2⤵
  PID:10544
- C:\Windows\System32\KugOiqg.exe
  C:\Windows\System32\KugOiqg.exe
  2⤵
  PID:10648
- C:\Windows\System32\pVCKrsQ.exe
  C:\Windows\System32\pVCKrsQ.exe
  2⤵
  PID:10712
- C:\Windows\System32\wbnAVuT.exe
  C:\Windows\System32\wbnAVuT.exe
  2⤵
  PID:10756
- C:\Windows\System32\CIZvMsf.exe
  C:\Windows\System32\CIZvMsf.exe
  2⤵
  PID:10808
- C:\Windows\System32\vrPDaeo.exe
  C:\Windows\System32\vrPDaeo.exe
  2⤵
  PID:10916
- C:\Windows\System32\BDFdPPc.exe
  C:\Windows\System32\BDFdPPc.exe
  2⤵
  PID:11000
- C:\Windows\System32\EKcwneO.exe
  C:\Windows\System32\EKcwneO.exe
  2⤵
  PID:11064
- C:\Windows\System32\lYNvfUg.exe
  C:\Windows\System32\lYNvfUg.exe
  2⤵
  PID:11160
- C:\Windows\System32\XsIxKYO.exe
  C:\Windows\System32\XsIxKYO.exe
  2⤵
  PID:11220
- C:\Windows\System32\ICjxrvI.exe
  C:\Windows\System32\ICjxrvI.exe
  2⤵
  PID:10280
- C:\Windows\System32\BTIcGPW.exe
  C:\Windows\System32\BTIcGPW.exe
  2⤵
  PID:10444
- C:\Windows\System32\EopsEjC.exe
  C:\Windows\System32\EopsEjC.exe
  2⤵
  PID:10432
- C:\Windows\System32\foXNYJe.exe
  C:\Windows\System32\foXNYJe.exe
  2⤵
  PID:10608
- C:\Windows\System32\bSADGXH.exe
  C:\Windows\System32\bSADGXH.exe
  2⤵
  PID:10788
- C:\Windows\System32\dFvgScx.exe
  C:\Windows\System32\dFvgScx.exe
  2⤵
  PID:11012
- C:\Windows\System32\vwrIuCe.exe
  C:\Windows\System32\vwrIuCe.exe
  2⤵
  PID:11148
- C:\Windows\System32\ftZzATP.exe
  C:\Windows\System32\ftZzATP.exe
  2⤵
  PID:11256
- C:\Windows\System32\ytSOkim.exe
  C:\Windows\System32\ytSOkim.exe
  2⤵
  PID:10516
- C:\Windows\System32\UKKwGay.exe
  C:\Windows\System32\UKKwGay.exe
  2⤵
  PID:10948
- C:\Windows\System32\qWUqFXK.exe
  C:\Windows\System32\qWUqFXK.exe
  2⤵
  PID:11196
- C:\Windows\System32\GebIsiP.exe
  C:\Windows\System32\GebIsiP.exe
  2⤵
  PID:10972
- C:\Windows\System32\QcKXJyI.exe
  C:\Windows\System32\QcKXJyI.exe
  2⤵
  PID:11292
- C:\Windows\System32\znqEIDL.exe
  C:\Windows\System32\znqEIDL.exe
  2⤵
  PID:11312
- C:\Windows\System32\msLzHKf.exe
  C:\Windows\System32\msLzHKf.exe
  2⤵
  PID:11336
- C:\Windows\System32\oPdOLnB.exe
  C:\Windows\System32\oPdOLnB.exe
  2⤵
  PID:11368
- C:\Windows\System32\nzUFvxK.exe
  C:\Windows\System32\nzUFvxK.exe
  2⤵
  PID:11400
- C:\Windows\System32\qKbQWWU.exe
  C:\Windows\System32\qKbQWWU.exe
  2⤵
  PID:11432
- C:\Windows\System32\jnMGbad.exe
  C:\Windows\System32\jnMGbad.exe
  2⤵
  PID:11460
- C:\Windows\System32\uFTLeea.exe
  C:\Windows\System32\uFTLeea.exe
  2⤵
  PID:11496
- C:\Windows\System32\OsdSRmE.exe
  C:\Windows\System32\OsdSRmE.exe
  2⤵
  PID:11520
- C:\Windows\System32\WCgWmUs.exe
  C:\Windows\System32\WCgWmUs.exe
  2⤵
  PID:11536
- C:\Windows\System32\SPHQwqQ.exe
  C:\Windows\System32\SPHQwqQ.exe
  2⤵
  PID:11564
- C:\Windows\System32\NjdyWmW.exe
  C:\Windows\System32\NjdyWmW.exe
  2⤵
  PID:11592
- C:\Windows\System32\BVmKFbT.exe
  C:\Windows\System32\BVmKFbT.exe
  2⤵
  PID:11632
- C:\Windows\System32\gUOqfRD.exe
  C:\Windows\System32\gUOqfRD.exe
  2⤵
  PID:11656
- C:\Windows\System32\IBjwFlQ.exe
  C:\Windows\System32\IBjwFlQ.exe
  2⤵
  PID:11684
- C:\Windows\System32\KdEKRnF.exe
  C:\Windows\System32\KdEKRnF.exe
  2⤵
  PID:11716
- C:\Windows\System32\lJYzCpY.exe
  C:\Windows\System32\lJYzCpY.exe
  2⤵
  PID:11732
- C:\Windows\System32\HZTKgYD.exe
  C:\Windows\System32\HZTKgYD.exe
  2⤵
  PID:11760
- C:\Windows\System32\dUPpHDL.exe
  C:\Windows\System32\dUPpHDL.exe
  2⤵
  PID:11804
- C:\Windows\System32\kMBeeEP.exe
  C:\Windows\System32\kMBeeEP.exe
  2⤵
  PID:11832
- C:\Windows\System32\hZxWKhX.exe
  C:\Windows\System32\hZxWKhX.exe
  2⤵
  PID:11848
- C:\Windows\System32\jVukbgE.exe
  C:\Windows\System32\jVukbgE.exe
  2⤵
  PID:11876
- C:\Windows\System32\kawKTAq.exe
  C:\Windows\System32\kawKTAq.exe
  2⤵
  PID:11904
- C:\Windows\System32\IggapFp.exe
  C:\Windows\System32\IggapFp.exe
  2⤵
  PID:11932
- C:\Windows\System32\TeZVFkU.exe
  C:\Windows\System32\TeZVFkU.exe
  2⤵
  PID:11956
- C:\Windows\System32\FDmKzSb.exe
  C:\Windows\System32\FDmKzSb.exe
  2⤵
  PID:11992
- C:\Windows\System32\yMLsQCy.exe
  C:\Windows\System32\yMLsQCy.exe
  2⤵
  PID:12016
- C:\Windows\System32\lYiXmPH.exe
  C:\Windows\System32\lYiXmPH.exe
  2⤵
  PID:12040
- C:\Windows\System32\vbsOoDB.exe
  C:\Windows\System32\vbsOoDB.exe
  2⤵
  PID:12080
- C:\Windows\System32\OBvuxee.exe
  C:\Windows\System32\OBvuxee.exe
  2⤵
  PID:12104
- C:\Windows\System32\TvNQNOU.exe
  C:\Windows\System32\TvNQNOU.exe
  2⤵
  PID:12132
- C:\Windows\System32\Utbubsm.exe
  C:\Windows\System32\Utbubsm.exe
  2⤵
  PID:12176
- C:\Windows\System32\gLbsSDB.exe
  C:\Windows\System32\gLbsSDB.exe
  2⤵
  PID:12200
- C:\Windows\System32\urkwkGd.exe
  C:\Windows\System32\urkwkGd.exe
  2⤵
  PID:12228
- C:\Windows\System32\htOxXAm.exe
  C:\Windows\System32\htOxXAm.exe
  2⤵
  PID:12244
- C:\Windows\System32\PSKNwxX.exe
  C:\Windows\System32\PSKNwxX.exe
  2⤵
  PID:12264
- C:\Windows\System32\OOETIeo.exe
  C:\Windows\System32\OOETIeo.exe
  2⤵
  PID:10668
- C:\Windows\System32\PGCOCUJ.exe
  C:\Windows\System32\PGCOCUJ.exe
  2⤵
  PID:11280
- C:\Windows\System32\kFQdwGg.exe
  C:\Windows\System32\kFQdwGg.exe
  2⤵
  PID:11416
- C:\Windows\System32\YOpukyQ.exe
  C:\Windows\System32\YOpukyQ.exe
  2⤵
  PID:11476
- C:\Windows\System32\RYbvyKI.exe
  C:\Windows\System32\RYbvyKI.exe
  2⤵
  PID:11560
- C:\Windows\System32\BBoObhp.exe
  C:\Windows\System32\BBoObhp.exe
  2⤵
  PID:11620
- C:\Windows\System32\iaBGrwo.exe
  C:\Windows\System32\iaBGrwo.exe
  2⤵
  PID:11680
- C:\Windows\System32\zyJmdqr.exe
  C:\Windows\System32\zyJmdqr.exe
  2⤵
  PID:11724
- C:\Windows\System32\DVRcGIZ.exe
  C:\Windows\System32\DVRcGIZ.exe
  2⤵
  PID:11816
- C:\Windows\System32\wKTyInZ.exe
  C:\Windows\System32\wKTyInZ.exe
  2⤵
  PID:11864
- C:\Windows\System32\EyLDBzk.exe
  C:\Windows\System32\EyLDBzk.exe
  2⤵
  PID:11940
- C:\Windows\System32\yVVtidx.exe
  C:\Windows\System32\yVVtidx.exe
  2⤵
  PID:11988
- C:\Windows\System32\pHroQEB.exe
  C:\Windows\System32\pHroQEB.exe
  2⤵
  PID:12068
- C:\Windows\System32\WkZSJJf.exe
  C:\Windows\System32\WkZSJJf.exe
  2⤵
  PID:12116
- C:\Windows\System32\EPxjPzm.exe
  C:\Windows\System32\EPxjPzm.exe
  2⤵
  PID:12184
- C:\Windows\System32\zdMrUzq.exe
  C:\Windows\System32\zdMrUzq.exe
  2⤵
  PID:12260
- C:\Windows\System32\FzBMwUb.exe
  C:\Windows\System32\FzBMwUb.exe
  2⤵
  PID:4648
- C:\Windows\System32\lQyAkVd.exe
  C:\Windows\System32\lQyAkVd.exe
  2⤵
  PID:11112
- C:\Windows\System32\UFzmGIR.exe
  C:\Windows\System32\UFzmGIR.exe
  2⤵
  PID:11412
- C:\Windows\System32\pCNCocp.exe
  C:\Windows\System32\pCNCocp.exe
  2⤵
  PID:11576
- C:\Windows\System32\nsWBoCS.exe
  C:\Windows\System32\nsWBoCS.exe
  2⤵
  PID:11708
- C:\Windows\System32\NrORRPj.exe
  C:\Windows\System32\NrORRPj.exe
  2⤵
  PID:11840
- C:\Windows\System32\zvcFsQE.exe
  C:\Windows\System32\zvcFsQE.exe
  2⤵
  PID:11972
- C:\Windows\System32\PykSyOR.exe
  C:\Windows\System32\PykSyOR.exe
  2⤵
  PID:12088
- C:\Windows\System32\iSmJVfE.exe
  C:\Windows\System32\iSmJVfE.exe
  2⤵
  PID:12236
- C:\Windows\System32\QvwmJTr.exe
  C:\Windows\System32\QvwmJTr.exe
  2⤵
  PID:11388
- C:\Windows\System32\EduRadL.exe
  C:\Windows\System32\EduRadL.exe
  2⤵
  PID:11796
- C:\Windows\System32\DpummJJ.exe
  C:\Windows\System32\DpummJJ.exe
  2⤵
  PID:920
- C:\Windows\System32\gTTKTxx.exe
  C:\Windows\System32\gTTKTxx.exe
  2⤵
  PID:12036
- C:\Windows\System32\nWDRfmU.exe
  C:\Windows\System32\nWDRfmU.exe
  2⤵
  PID:12048
- C:\Windows\System32\iHXlOyP.exe
  C:\Windows\System32\iHXlOyP.exe
  2⤵
  PID:12304
- C:\Windows\System32\SMumzBq.exe
  C:\Windows\System32\SMumzBq.exe
  2⤵
  PID:12344
- C:\Windows\System32\IdjUyul.exe
  C:\Windows\System32\IdjUyul.exe
  2⤵
  PID:12360
- C:\Windows\System32\uydtxEr.exe
  C:\Windows\System32\uydtxEr.exe
  2⤵
  PID:12388
- C:\Windows\System32\rNBorLR.exe
  C:\Windows\System32\rNBorLR.exe
  2⤵
  PID:12416
- C:\Windows\System32\ACRCiHZ.exe
  C:\Windows\System32\ACRCiHZ.exe
  2⤵
  PID:12436
- C:\Windows\System32\iFaIWdK.exe
  C:\Windows\System32\iFaIWdK.exe
  2⤵
  PID:12480
- C:\Windows\System32\XblPTEc.exe
  C:\Windows\System32\XblPTEc.exe
  2⤵
  PID:12500
- C:\Windows\System32\ZrKoVug.exe
  C:\Windows\System32\ZrKoVug.exe
  2⤵
  PID:12528
- C:\Windows\System32\pDgeRqY.exe
  C:\Windows\System32\pDgeRqY.exe
  2⤵
  PID:12564
- C:\Windows\System32\dvGcOvJ.exe
  C:\Windows\System32\dvGcOvJ.exe
  2⤵
  PID:12588
- C:\Windows\System32\ahxZEYF.exe
  C:\Windows\System32\ahxZEYF.exe
  2⤵
  PID:12640
- C:\Windows\System32\jKpIwLy.exe
  C:\Windows\System32\jKpIwLy.exe
  2⤵
  PID:12656
- C:\Windows\System32\BzIFiwp.exe
  C:\Windows\System32\BzIFiwp.exe
  2⤵
  PID:12684
- C:\Windows\System32\jBLefDH.exe
  C:\Windows\System32\jBLefDH.exe
  2⤵
  PID:12700
- C:\Windows\System32\xQOVClj.exe
  C:\Windows\System32\xQOVClj.exe
  2⤵
  PID:12728
- C:\Windows\System32\QdaLNkS.exe
  C:\Windows\System32\QdaLNkS.exe
  2⤵
  PID:12768
- C:\Windows\System32\APIaNek.exe
  C:\Windows\System32\APIaNek.exe
  2⤵
  PID:12792
- C:\Windows\System32\mqHysYJ.exe
  C:\Windows\System32\mqHysYJ.exe
  2⤵
  PID:12816
- C:\Windows\System32\WpasNSZ.exe
  C:\Windows\System32\WpasNSZ.exe
  2⤵
  PID:12852
- C:\Windows\System32\nYgBOqA.exe
  C:\Windows\System32\nYgBOqA.exe
  2⤵
  PID:12868
- C:\Windows\System32\oAzGzLy.exe
  C:\Windows\System32\oAzGzLy.exe
  2⤵
  PID:12908
- C:\Windows\System32\wmSSouE.exe
  C:\Windows\System32\wmSSouE.exe
  2⤵
  PID:12932
- C:\Windows\System32\CsjbVwT.exe
  C:\Windows\System32\CsjbVwT.exe
  2⤵
  PID:12964
- C:\Windows\System32\FuZlWAj.exe
  C:\Windows\System32\FuZlWAj.exe
  2⤵
  PID:12992
- C:\Windows\System32\PZTGEmE.exe
  C:\Windows\System32\PZTGEmE.exe
  2⤵
  PID:13024
- C:\Windows\System32\mnQoTDM.exe
  C:\Windows\System32\mnQoTDM.exe
  2⤵
  PID:13048
- C:\Windows\System32\agxiONX.exe
  C:\Windows\System32\agxiONX.exe
  2⤵
  PID:13076
- C:\Windows\System32\aArOMve.exe
  C:\Windows\System32\aArOMve.exe
  2⤵
  PID:13104
- C:\Windows\System32\tdEMSoX.exe
  C:\Windows\System32\tdEMSoX.exe
  2⤵
  PID:13132
- C:\Windows\System32\bRlFTDd.exe
  C:\Windows\System32\bRlFTDd.exe
  2⤵
  PID:13160
- C:\Windows\System32\lzvqgmJ.exe
  C:\Windows\System32\lzvqgmJ.exe
  2⤵
  PID:13188
- C:\Windows\System32\eaOlnLu.exe
  C:\Windows\System32\eaOlnLu.exe
  2⤵
  PID:13220
- C:\Windows\System32\NhxnGOp.exe
  C:\Windows\System32\NhxnGOp.exe
  2⤵
  PID:13244
- C:\Windows\System32\LVpTvVq.exe
  C:\Windows\System32\LVpTvVq.exe
  2⤵
  PID:13260
- C:\Windows\System32\WNVrSfi.exe
  C:\Windows\System32\WNVrSfi.exe
  2⤵
  PID:13292

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AHIgcAy.exe

Filesize
3.2MB

MD5
abdb64c11bc27c45d404354e66d57699

SHA1
3d2fdf638e1d9d0dec48f3e927d3f4f815512fe6

SHA256
e9e76830009944d32a5457a4f9430c4093bcfed68a143437e5448a222c0c1b7b

SHA512
1d0d31e1324a2f3f310dffeb342bfa6ce2e64cf03fc6e590202c6a26766263c0d7ff08fc655822d42db84669ee2a77b546b8e0b75d03caea78e0bf5f057faac5

Download Submit
C:\Windows\System32\FmCznSJ.exe

Filesize
3.2MB

MD5
dfde15d620bb0af51c87b2cd2d2d344b

SHA1
f897a534039a7aa627ea75fc01ab3916590e59ca

SHA256
1543ccd0a4e7c4fc776e43cbcf316bd97c8eca0ad2b4d720dc9eef18d22055dc

SHA512
2ccb3453381c5f151d9430b8d06e7ac8559b0473672da0d0291fd0a1e005165594f86f4dfdd4d0fdb52c0faa1086a70020d9b7ae47fe1b3757cb5c1abd1a0a3a

Download Submit
C:\Windows\System32\GSpsPaW.exe

Filesize
3.2MB

MD5
acbef0e635672db3a31bc6df9519d957

SHA1
5642912107d680a53f600c4de19bbc99eff21fcd

SHA256
9036ea4e8ddb1d4c96808c7b7f4b18ca2ba0f576c12cd5e7cd7dde0c8ffca321

SHA512
7e5acc768b0c885b6170dac7c30231eeecfeea9e1bea860e0105931ff23db038999eb5b89adf7039203d351a75a66f3a05bb4857af3824e0316b7e317215bb6e

Download Submit
C:\Windows\System32\GqmtgoJ.exe

Filesize
3.2MB

MD5
721db42ca589673cf78cc03be658957e

SHA1
163b323086abe2c755a36ba4f7081a3ec1b3387d

SHA256
09a1ec5a399e082884cf0831c5f5956fdec44d1d731c42696547c4a8fed068f2

SHA512
c10bf8a1c8827c61e76144d1b1436b4833f4c994c5557f8d8627fc93881af37c72c7b2151b76922bdb95b981308e08978f6bb34ecfbaae3f00a291c1abd2ba11

Download Submit
C:\Windows\System32\HhNaLho.exe

Filesize
3.2MB

MD5
23ded40af3af9f5571bc71885f0bb46e

SHA1
3a00aecbf111d75d31aedc1ed15715206686aa30

SHA256
597eed163ed4972c59e6c632c7cb2e843cfd8a7c5fb82a8ca9cdef1b0bdee263

SHA512
120a8cf21a43ed635755c94e980fab569855b8dedd7a3e49962b952384992dca20876490c846f8b3c6f0d48fcc102f91481132542b3ce17590db6a80c87fb30f

Download Submit
C:\Windows\System32\IaSDocF.exe

Filesize
3.2MB

MD5
fa457d3b8b0eee6374c84ab507ae16de

SHA1
dff24b4340805a78f16ebdd7a05dc40e7205fe1e

SHA256
d4211bfb7611bb56fc93f9cfdc28745d93a9b58090b45587ad078459a9340c2f

SHA512
e7f8bed151f9b668e50b1f90c582d286fe16171c84a2098a055dfbecf8ef248659faef2f338d04fc4d2718fbd0b230916e5aa377eededa9eb83407b07a8f9bd2

Download Submit
C:\Windows\System32\KAtxHYm.exe

Filesize
3.2MB

MD5
bec5aa25a754b590d9681e82a898d829

SHA1
15faf8cee1c6059d16ea81d9d18293409f49b61a

SHA256
4d991ef5c87fbe91d090655a40773d61308ec898affcb444be29d9b3e29643da

SHA512
2a213156a1a1bc76b0bd7c9a2082af2dcae1079c79731e6c8c49106d7fdf28c439cea43e0619ee2b4c2db640d7069e0eddb025d0cabbbb9ed7977cb4a5afda4b

Download Submit
C:\Windows\System32\KDuDzRl.exe

Filesize
3.2MB

MD5
043434bcaabd031e4fd757c15dadb76a

SHA1
39366a83bc87457e74a1f78212fe65e78b6b26a2

SHA256
d6728ca37d64289ed87595fb48f1c16123f321ff5cc0bbfdc8a7e87f49febc4b

SHA512
9a0de852933ad91310eb9e06d7f1e78b55a4ca1b80a3c5b9b443a6b5b7810dc3946988bda3814900c43d00c2df3272493f49d497a389d3f9717636bbfadb8da3

Download Submit
C:\Windows\System32\KRvhELS.exe

Filesize
3.2MB

MD5
fee852f6704b05dc289f55971f336321

SHA1
e6599adb862be6c963c0ba8bdbc50f4b1e3f8c6f

SHA256
0ebbed21477a287ee0501780d4f0ef5267488bc5cc1fd37827973422d4005dba

SHA512
154b5478e4b4dc3d6ebf556db53ec80947ca27462206dec7c4bee88835960aa3dfe94d297b846af585580c611bbf70098eee97c3a13134c1a4c4f0ef6815662f

Download Submit
C:\Windows\System32\KuPeuwB.exe

Filesize
3.2MB

MD5
fed8a2710e88224259669531d1fdab66

SHA1
0a3a337c08427fb5bc7b9f140953a4fea1ed6a8d

SHA256
c64590fb623cda2c09b1b6feab527efe9d07eedb25a71f71fd647b720751fee3

SHA512
43ba7b836036c77c7778a3175f49a626f6e7cbc3139a51ef0c494766f56d0c6e4b7da6ed4cb5b1ec412fab6a7541f6026c9de1807e188ca2b0279c36a82f8af3

Download Submit
C:\Windows\System32\OdYVgkJ.exe

Filesize
3.2MB

MD5
03cf9fb488a71d73f1f46739f74c02fd

SHA1
b5c463930b1a75b7e76ba1d8da997a06ed4f72f3

SHA256
8b2aed2be219c58ddea1bf3a2f699f93c1da60bc009b575879932228d4ece75b

SHA512
1a26f8bcc329f2599097f017aaacfa2e0caab2cc5320b0212d5e0ed004a2be4573dd2de29c895a56342bda2860b0caa26a36d4261fee2324d3cf292397e6a1b8

Download Submit
C:\Windows\System32\QVpwuAI.exe

Filesize
3.2MB

MD5
274c3d922843e7d0921044e01d4a7ad0

SHA1
4aee5d0ab53a3532961d4c0e3a9be9106cce3311

SHA256
c4bb985ba2416cca0959bfdfc81ebf93a4dc492617f64f482c61554ea8276681

SHA512
a62b156614435aa53661c0d77eec1e99e3dca0e242390b1939a209e1440c7b25844cbc116ba3caef6e101c2a093d728760a7069b2515f328e5efc8ff66bed1da

Download Submit
C:\Windows\System32\QfbCKgY.exe

Filesize
3.2MB

MD5
083d39454fb90821660b61e25e1af208

SHA1
2267b7d733515ffe3233609079224bea6df8d8dd

SHA256
bd1ba35678d1e37146bb451c59d296345938f224ce71801765851430a5e56576

SHA512
c74c8c1de148029f10c7269f7403b536380b41c48aa245967f665274b857689d6b5eef753aa0289549be2325021813704df5fe98ff1c05d08aa5a70375a3db93

Download Submit
C:\Windows\System32\RlSkHoc.exe

Filesize
3.2MB

MD5
daac981394fc6739a03c26fc963ef8bd

SHA1
319b882b012837d5ac93534ae6deb011d40e9817

SHA256
13d735e8a6fd88544fb558cd00d80c3c6b10cbd994dd9b77b2c0595a583581cd

SHA512
b67ac6128a2e6961592e8171f406a51cb2aa0908b0c9617945158bc6d46c68885296b30f436312cfdf75c5556cea20e10df4e42355b121e82a977672259e6c46

Download Submit
C:\Windows\System32\ShSJxBQ.exe

Filesize
3.2MB

MD5
a0cee6f9b1c6a9fcce364f96a3527ccd

SHA1
40358aeb727a717d7e3496a955883de2852eae15

SHA256
2c2a461136b1e85fd26ea118b84a8ec53741541706cd9221bcc8113be345bde5

SHA512
7bd1f2e2a1ae5e1ce87d9019223a0f9ef16a231156696504da074977a5cb413e1d92f1c27a26c559ab4fdc749c1f460b78793154bad61a2f5038185f8fe35315

Download Submit
C:\Windows\System32\UeJbWqA.exe

Filesize
3.2MB

MD5
701459cfd28f1b24d4059dba3d790a49

SHA1
97b238016466269b73742b1cdf29335789ca743e

SHA256
8fd89e5275270d40e950f35691f238dd703a5f73b480fa405528a520f82aadf5

SHA512
6d5410ba69f23eb2f35d6daf228c709bbb356a96d95baa3dd7b86f26545b4213fb9437db17e14cfec0153569ffeefa6f6f4b78d19d2cbfc1ecdaab6398954a71

Download Submit
C:\Windows\System32\XUCpYNr.exe

Filesize
3.2MB

MD5
c40282ed4796b0a975377b6ccaebf433

SHA1
468b425d2439480a2fb3525282e75dfaba576811

SHA256
eb21884cbb09e1951967b6d3708764c9e0c38c55f0411da6c2ed93dba6d1f417

SHA512
e878310cfc7d9a2d85978cbdf5ba695719becd416e65c78acaf3602ff8a4c26dc3c7ee88b19adbde7ab0eca654eaa9c070499af06fc671908b59be15373856f5

Download Submit
C:\Windows\System32\bJzppno.exe

Filesize
3.2MB

MD5
c0b1552963e383daebc6f22c6a58b255

SHA1
f903aaf50ba39c7d5a663195b114e6135a9b63ae

SHA256
b1384bc473e9ef49a8f57df847941a067a21b06d5614ed92bb100baf37cbe885

SHA512
999b230d013da58233f10f9610b9d240dc075fab4022776da106fe743cffa2cc8c54a861d57975b7e28b53e03643e450c4f12125da240872f540c3987c5d4278

Download Submit
C:\Windows\System32\bpYEKAK.exe

Filesize
3.2MB

MD5
53a1db0295d15be01eb648c489cb414b

SHA1
f0ffae99d92ee14b2eee1b241df7ab9f05e8395a

SHA256
701b139b0e44828d4b12db9cc77d4b4787c73824c3b94cc9bd03d9522cead47e

SHA512
87be725d25ed6a851aae41dcf67e23878cfd86b52fca7dd246c24657f1963afc48f1601dcaf66da68a072abeb51b9f292f66fd287cf85e88f74da556d6b962e7

Download Submit
C:\Windows\System32\cmYEAdF.exe

Filesize
3.2MB

MD5
b653483544d9292aeade500b41b68c1f

SHA1
14092082844269d40929d4defbc9971328418af9

SHA256
1fb8bd82e3e7004d4cd59c81d517a4a2ae605d8635999622ee2b8e4be32a1a28

SHA512
bd0cee16cd9cf556ca4026d02b7a92e0be31d04080b25d10933aeac8b42e5ade3b781b224038ae5876b3ce253249aa34ecdc1dc3946d4530f17ba78d893e333d

Download Submit
C:\Windows\System32\jLMoigc.exe

Filesize
3.2MB

MD5
23efa81655a0d8b095b269e3ef1c31f6

SHA1
2195c16da67bc8d67c85d4b935c06fd185f3647a

SHA256
9602cde6e83037a6284df79c7db64bf4ff5206a227bf601e280a3fd7cc8a4bda

SHA512
21b2dfb5b4856f80b30a5c53a158e2981b702de270c011cbef2bc91dae8ba95fabaa09631a2ce1c66b475df0309a937aa53684adfb87c4e303769509a2024b10

Download Submit
C:\Windows\System32\ldMSdTs.exe

Filesize
3.2MB

MD5
fe90294119ba41cd101839c87cbea854

SHA1
ca895fec01f51818927188824fb1621fb4ae75ea

SHA256
c43f25f44991818eeee6847d1ef9a53044c4498aaf0b6e99915539963290ec51

SHA512
b1b550273e0ab3b4872386aeb379508bac39f201c5b8e04f71260d46b5c9218ce2393af7caae44db52a29542808b2df770509765e2d4ecfc2f2c2a4c5ca1a09b

Download Submit
C:\Windows\System32\mtsdOgY.exe

Filesize
3.2MB

MD5
992fb14b5e0b3d659eb845e79b22023f

SHA1
a1926b19d58f78d84edf88fa6a4ad3846b832439

SHA256
e44cc147532df62afe577a76310c59360f54a35f3487ebbcddc7ed2a988a80a8

SHA512
e405de4082f829ccfd51783a92dcea954d165e75aab57e6fa2cb65d63a0df9f19862c3d1c12c75eb56a6ff628f593fbb6faffc448b964ad83a92f67b7afa38bb

Download Submit
C:\Windows\System32\oAlXbYf.exe

Filesize
3.2MB

MD5
99d4956a23a70571cd20eb06b2e0cb9c

SHA1
aa93c39ca1ddaec1743a916f3603316aa61bb697

SHA256
59422fe945e4448e377d3c58df3fcab11cec79019e778dd77cd74f8358810acf

SHA512
53fd8a279aa7c68004a9836ba64a0619140924bbe348b0edd77e114744a1df30793708591cbb348360c34fe4bb311c10bbf7a0f24a38cffcb8c07b17c05016c0

Download Submit
C:\Windows\System32\pdYxWcM.exe

Filesize
3.2MB

MD5
09f1052f4e6d2ff0786655a1271a76c4

SHA1
7f3a646acfe2b2205c5d5ccc1999cbb5b830fe1d

SHA256
ae1b52dd74125357ce2278db494b0ad9dd698e4fbee0f018dddf4961c5b10b0e

SHA512
81ddc0bd089933fe6ca8d17323acc324e158a7fb019c1dddf5530a1bb65e60388d38967b5679f1536084e8f6a648290459d33a9dacb9d5f52bbefa92de3c3727

Download Submit
C:\Windows\System32\qXMgnVO.exe

Filesize
3.2MB

MD5
f5085706626c63e778160476b2cea2f9

SHA1
5edaa6334dca84ace79731f137005a45d80a5d5c

SHA256
bb2ce09f86bc70dfe9ad6d578c8fbcb262961bbc3aa9cb51e778ddd69a3be2b4

SHA512
b909c95b331bf2b40f125533d3f09d6578fe4de52449be947f039c647be77ed00fdba6c2e7239130e688e76e1bbf31aab6356df1f3af2b1c39d71fac8ee4a171

Download Submit
C:\Windows\System32\qdtMwmN.exe

Filesize
3.2MB

MD5
0b351264bf7fe634a3ffa9fc00ded8fa

SHA1
fefa0669094abc84847839b01207500d547031cb

SHA256
56af89e863014436391403c0c250d81881efd3e7313d7e2b73cd31236c76344e

SHA512
7ab0b2d228a2f3f376f528a8d220e2760199175a564e6efb3025efcf894c0a97e19b46a3dfd51a2fe905607218ff5c2c6cc1cc5b0f3e0d11cadf3e8828f97cdd

Download Submit
C:\Windows\System32\qrHrqDQ.exe

Filesize
3.2MB

MD5
458475d6fd39e2b8f7eb707cae2a1fb4

SHA1
cb9793822f008c00c4713a7bfb8aca6bf954dede

SHA256
c7dfef43ff1507180a2f05d42f3774206eacd00011b8fb41d55df5f25c53c64f

SHA512
ce78909347ce3e2ed5cdf59f55f3bbc54c4d7ff669ee3cd76b3190037bcbd729de28b56733dbc00fbbc4727abd358be1b80f77a2e37580f972ca175d94ac6ee6

Download Submit
C:\Windows\System32\rxmzhct.exe

Filesize
3.2MB

MD5
5a8344b5b389a8b156b450a6d436f47c

SHA1
295df7b6c197d171f95f32dfc29bc1b3e5264cc3

SHA256
04821d133dced562f618a2f6fea298cf7f8f22e3ad1de0c14908c2f925c3420d

SHA512
8fcffe693c3bc3b0ea81f8fdef650de1dc7af6167fbf1102a421bfcb968bb0429d6af474bc5e44a0c0c09448159b3d92d35cc7b1ce737f381cb088cda6712bfd

Download Submit
C:\Windows\System32\vtiLpeY.exe

Filesize
3.2MB

MD5
1557059b3fc6dec762733dee3a9a2c79

SHA1
ff5edaf50dcaebb5ad51dd17bc3ca26228f49dd6

SHA256
daea32049c18b8efad81991a40c34754f74c29affa5c3970c64e192dd88f1776

SHA512
2c7ed10c315f70c94cd6219ae3ec3822229e58bd4ef93e2759b7accd29d25e6a1dd55c61dcbab6727b829be3b0014042d26eb7d6bf5e1a1dfa5b78742b121f28

Download Submit
C:\Windows\System32\wXZxYvL.exe

Filesize
3.2MB

MD5
da61809d108439a2b48acffd3d4c4640

SHA1
1ed6a77f838281bbf33f03fa9cfd3179296987bc

SHA256
8f2b1f0616e4d453b82e70b223d3d807a710488a6b628c3571eac2b4501f59a8

SHA512
96593d126b3f57c3396a0453bdb89c20b69af4843d6174fb33276ff891c0a50bccfcf8108d82c1e88059bfabb229f18dcae9f881ece07b56bc9f4f9273e4a24a

Download Submit
C:\Windows\System32\xQzMwkc.exe

Filesize
3.2MB

MD5
13237d422025ed0e988cdfa497430f1c

SHA1
f1e2cd3be76bc638864cf8b16cae45d2d68ec6ec

SHA256
908d03f1bdc3683ff4cd25e265e325ea8dd2b249bb4ddc83573e99fc1fe53c49

SHA512
3d67afc9d8b5c8a204578e0838b7d1dca247b3d3f8a0955454b647470f2620cb469a1adc6a925aaad259812fabafba75a3a9fa6774a9f084dcb8bfe397d3a217

Download Submit
C:\Windows\System32\zlGvUQC.exe

Filesize
3.2MB

MD5
9a1027c2b6d8ba583a8a94bbab1e26eb

SHA1
ce23dad5f8605b7c74c8f2671cb4c9ea6457c706

SHA256
0fa15eeb34cc5222980a810cae42964e98e5e22f8cc4548622b5dd12d2d72ec4

SHA512
52f7212e0197725ded3f90ad1b9a38ac820830e981e66e0e85fdae26c86428573c1bbc23518ce4398e2e2bf11a23efc1cf2e45bc7e857c9818c57a787569eb3d

Download Submit
memory/544-1944-0x00007FF7E1EF0000-0x00007FF7E22E5000-memory.dmp

Filesize
4.0MB

Download
memory/544-1945-0x00007FF7E1EF0000-0x00007FF7E22E5000-memory.dmp

Filesize
4.0MB

Download
memory/544-42-0x00007FF7E1EF0000-0x00007FF7E22E5000-memory.dmp

Filesize
4.0MB

Download
memory/640-1073-0x00007FF688700000-0x00007FF688AF5000-memory.dmp

Filesize
4.0MB

Download
memory/640-1937-0x00007FF688700000-0x00007FF688AF5000-memory.dmp

Filesize
4.0MB

Download
memory/760-1-0x0000026EE1820000-0x0000026EE1830000-memory.dmp

Filesize
64KB

Download
memory/760-0-0x00007FF6455A0000-0x00007FF645995000-memory.dmp

Filesize
4.0MB

Download
memory/892-1926-0x00007FF64BC60000-0x00007FF64C055000-memory.dmp

Filesize
4.0MB

Download
memory/892-41-0x00007FF64BC60000-0x00007FF64C055000-memory.dmp

Filesize
4.0MB

Download
memory/1108-1936-0x00007FF660FC0000-0x00007FF6613B5000-memory.dmp

Filesize
4.0MB

Download
memory/1108-1081-0x00007FF660FC0000-0x00007FF6613B5000-memory.dmp

Filesize
4.0MB

Download
memory/1432-1065-0x00007FF7FB3C0000-0x00007FF7FB7B5000-memory.dmp

Filesize
4.0MB

Download
memory/1432-1929-0x00007FF7FB3C0000-0x00007FF7FB7B5000-memory.dmp

Filesize
4.0MB

Download
memory/1556-17-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp

Filesize
4.0MB

Download
memory/1556-1919-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp

Filesize
4.0MB

Download
memory/1556-1922-0x00007FF7DA0A0000-0x00007FF7DA495000-memory.dmp

Filesize
4.0MB

Download
memory/1688-1939-0x00007FF6A75C0000-0x00007FF6A79B5000-memory.dmp

Filesize
4.0MB

Download
memory/1688-1068-0x00007FF6A75C0000-0x00007FF6A79B5000-memory.dmp

Filesize
4.0MB

Download
memory/1740-1046-0x00007FF67B820000-0x00007FF67BC15000-memory.dmp

Filesize
4.0MB

Download
memory/1740-1931-0x00007FF67B820000-0x00007FF67BC15000-memory.dmp

Filesize
4.0MB

Download
memory/1840-1940-0x00007FF7CB8B0000-0x00007FF7CBCA5000-memory.dmp

Filesize
4.0MB

Download
memory/1840-1039-0x00007FF7CB8B0000-0x00007FF7CBCA5000-memory.dmp

Filesize
4.0MB

Download
memory/1872-1932-0x00007FF6B4B80000-0x00007FF6B4F75000-memory.dmp

Filesize
4.0MB

Download
memory/1872-1042-0x00007FF6B4B80000-0x00007FF6B4F75000-memory.dmp

Filesize
4.0MB

Download
memory/2416-1930-0x00007FF6B7AF0000-0x00007FF6B7EE5000-memory.dmp

Filesize
4.0MB

Download
memory/2416-1053-0x00007FF6B7AF0000-0x00007FF6B7EE5000-memory.dmp

Filesize
4.0MB

Download
memory/2684-1941-0x00007FF6258E0000-0x00007FF625CD5000-memory.dmp

Filesize
4.0MB

Download
memory/2684-1025-0x00007FF6258E0000-0x00007FF625CD5000-memory.dmp

Filesize
4.0MB

Download
memory/2936-10-0x00007FF674E30000-0x00007FF675225000-memory.dmp

Filesize
4.0MB

Download
memory/2936-1921-0x00007FF674E30000-0x00007FF675225000-memory.dmp

Filesize
4.0MB

Download
memory/3016-1920-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp

Filesize
4.0MB

Download
memory/3016-1924-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp

Filesize
4.0MB

Download
memory/3016-26-0x00007FF7DAFE0000-0x00007FF7DB3D5000-memory.dmp

Filesize
4.0MB

Download
memory/3220-30-0x00007FF739850000-0x00007FF739C45000-memory.dmp

Filesize
4.0MB

Download
memory/3220-1925-0x00007FF739850000-0x00007FF739C45000-memory.dmp

Filesize
4.0MB

Download
memory/3252-1933-0x00007FF6347D0000-0x00007FF634BC5000-memory.dmp

Filesize
4.0MB

Download
memory/3252-1040-0x00007FF6347D0000-0x00007FF634BC5000-memory.dmp

Filesize
4.0MB

Download
memory/3264-1927-0x00007FF6999A0000-0x00007FF699D95000-memory.dmp

Filesize
4.0MB

Download
memory/3264-1085-0x00007FF6999A0000-0x00007FF699D95000-memory.dmp

Filesize
4.0MB

Download
memory/3996-1935-0x00007FF618BC0000-0x00007FF618FB5000-memory.dmp

Filesize
4.0MB

Download
memory/3996-1084-0x00007FF618BC0000-0x00007FF618FB5000-memory.dmp

Filesize
4.0MB

Download
memory/4088-1942-0x00007FF775780000-0x00007FF775B75000-memory.dmp

Filesize
4.0MB

Download
memory/4088-1089-0x00007FF775780000-0x00007FF775B75000-memory.dmp

Filesize
4.0MB

Download
memory/4480-29-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp

Filesize
4.0MB

Download
memory/4480-1923-0x00007FF6EF6A0000-0x00007FF6EFA95000-memory.dmp

Filesize
4.0MB

Download
memory/4704-1079-0x00007FF7FE980000-0x00007FF7FED75000-memory.dmp

Filesize
4.0MB

Download
memory/4704-1928-0x00007FF7FE980000-0x00007FF7FED75000-memory.dmp

Filesize
4.0MB

Download
memory/4728-1032-0x00007FF62A780000-0x00007FF62AB75000-memory.dmp

Filesize
4.0MB

Download
memory/4728-1934-0x00007FF62A780000-0x00007FF62AB75000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1090-0x00007FF66D610000-0x00007FF66DA05000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1943-0x00007FF66D610000-0x00007FF66DA05000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1938-0x00007FF78CA30000-0x00007FF78CE25000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1070-0x00007FF78CA30000-0x00007FF78CE25000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads