xmrig | 1349908d3959a7dbc7a45a6a8df4a6c8da8fd52f2de0258113d50433d287c9d7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
Size

1.9MB
MD5

871f1b2c9d4609e93422610da4625da0
SHA1

10a2ddbb6279cec0e915a2c8f9c52c89ec5e7ce6
SHA256

1349908d3959a7dbc7a45a6a8df4a6c8da8fd52f2de0258113d50433d287c9d7
SHA512

ce7a7cd3762819aaef1ec3c2cd3dc83ce91e6b60f103b33ebcf2071a2cd7742fa16c4295785a363ecdbb8709576d0f18e078c4c3341cb924742f654a02e6c852
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zMWfmDzrmXYVCY+li7Sa60kRoD2GXE:knw9oUUEEDl37jcq4QXDT6hXi0+O

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3496-14-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	xmrig
behavioral2/memory/2396-43-0x00007FF7590D0000-0x00007FF7594C1000-memory.dmp	xmrig
behavioral2/memory/1828-46-0x00007FF7733B0000-0x00007FF7737A1000-memory.dmp	xmrig
behavioral2/memory/5056-464-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	xmrig
behavioral2/memory/4592-468-0x00007FF6F7E90000-0x00007FF6F8281000-memory.dmp	xmrig
behavioral2/memory/452-474-0x00007FF6D98A0000-0x00007FF6D9C91000-memory.dmp	xmrig
behavioral2/memory/2584-482-0x00007FF79CD30000-0x00007FF79D121000-memory.dmp	xmrig
behavioral2/memory/4396-483-0x00007FF775880000-0x00007FF775C71000-memory.dmp	xmrig
behavioral2/memory/4920-485-0x00007FF7D4480000-0x00007FF7D4871000-memory.dmp	xmrig
behavioral2/memory/2264-494-0x00007FF6F1DA0000-0x00007FF6F2191000-memory.dmp	xmrig
behavioral2/memory/2024-498-0x00007FF7F8450000-0x00007FF7F8841000-memory.dmp	xmrig
behavioral2/memory/60-480-0x00007FF7F6B20000-0x00007FF7F6F11000-memory.dmp	xmrig
behavioral2/memory/2528-477-0x00007FF7F50A0000-0x00007FF7F5491000-memory.dmp	xmrig
behavioral2/memory/2296-47-0x00007FF7B2A50000-0x00007FF7B2E41000-memory.dmp	xmrig
behavioral2/memory/1212-45-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp	xmrig
behavioral2/memory/5016-506-0x00007FF763650000-0x00007FF763A41000-memory.dmp	xmrig
behavioral2/memory/4924-508-0x00007FF6B1180000-0x00007FF6B1571000-memory.dmp	xmrig
behavioral2/memory/1592-513-0x00007FF641EB0000-0x00007FF6422A1000-memory.dmp	xmrig
behavioral2/memory/4160-532-0x00007FF6E9EC0000-0x00007FF6EA2B1000-memory.dmp	xmrig
behavioral2/memory/4948-505-0x00007FF765300000-0x00007FF7656F1000-memory.dmp	xmrig
behavioral2/memory/840-500-0x00007FF66F960000-0x00007FF66FD51000-memory.dmp	xmrig
behavioral2/memory/3496-2011-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	xmrig
behavioral2/memory/4204-2032-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp	xmrig
behavioral2/memory/1900-2033-0x00007FF694840000-0x00007FF694C31000-memory.dmp	xmrig
behavioral2/memory/3052-2052-0x00007FF783DF0000-0x00007FF7841E1000-memory.dmp	xmrig
behavioral2/memory/3496-2054-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	xmrig
behavioral2/memory/4204-2056-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp	xmrig
behavioral2/memory/1212-2058-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp	xmrig
behavioral2/memory/1828-2062-0x00007FF7733B0000-0x00007FF7737A1000-memory.dmp	xmrig
behavioral2/memory/2296-2064-0x00007FF7B2A50000-0x00007FF7B2E41000-memory.dmp	xmrig
behavioral2/memory/2396-2060-0x00007FF7590D0000-0x00007FF7594C1000-memory.dmp	xmrig
behavioral2/memory/4396-2080-0x00007FF775880000-0x00007FF775C71000-memory.dmp	xmrig
behavioral2/memory/2584-2082-0x00007FF79CD30000-0x00007FF79D121000-memory.dmp	xmrig
behavioral2/memory/5016-2092-0x00007FF763650000-0x00007FF763A41000-memory.dmp	xmrig
behavioral2/memory/4948-2090-0x00007FF765300000-0x00007FF7656F1000-memory.dmp	xmrig
behavioral2/memory/1592-2098-0x00007FF641EB0000-0x00007FF6422A1000-memory.dmp	xmrig
behavioral2/memory/4924-2094-0x00007FF6B1180000-0x00007FF6B1571000-memory.dmp	xmrig
behavioral2/memory/4160-2096-0x00007FF6E9EC0000-0x00007FF6EA2B1000-memory.dmp	xmrig
behavioral2/memory/452-2086-0x00007FF6D98A0000-0x00007FF6D9C91000-memory.dmp	xmrig
behavioral2/memory/2528-2085-0x00007FF7F50A0000-0x00007FF7F5491000-memory.dmp	xmrig
behavioral2/memory/4920-2078-0x00007FF7D4480000-0x00007FF7D4871000-memory.dmp	xmrig
behavioral2/memory/2264-2076-0x00007FF6F1DA0000-0x00007FF6F2191000-memory.dmp	xmrig
behavioral2/memory/1900-2074-0x00007FF694840000-0x00007FF694C31000-memory.dmp	xmrig
behavioral2/memory/2024-2072-0x00007FF7F8450000-0x00007FF7F8841000-memory.dmp	xmrig
behavioral2/memory/5056-2070-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	xmrig
behavioral2/memory/840-2068-0x00007FF66F960000-0x00007FF66FD51000-memory.dmp	xmrig
behavioral2/memory/60-2088-0x00007FF7F6B20000-0x00007FF7F6F11000-memory.dmp	xmrig
behavioral2/memory/4592-2066-0x00007FF6F7E90000-0x00007FF6F8281000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3052	npscueT.exe
3496	ijfglKS.exe
4204	LRxKbBm.exe
2396	BLDWwkS.exe
1212	iiKzvFI.exe
1828	xEMezBI.exe
2296	cyyzvyD.exe
1900	AubUTJt.exe
5056	LyTGbeW.exe
4592	pCrSxkv.exe
452	uHGmgbt.exe
2528	vmYYbzq.exe
60	YCFKncp.exe
2584	RMqAMJi.exe
4396	UJetukN.exe
4920	GMMzLzu.exe
2264	qooGkTj.exe
2024	nwExMLf.exe
840	kQfqgRF.exe
4948	umFBMpa.exe
5016	SRPjPSr.exe
4924	HrjOjlE.exe
1592	LqUArbD.exe
4160	tuUKRnN.exe
2204	LMXIjXP.exe
2348	rejoVFV.exe
1172	twALEZx.exe
1180	aHNlFLC.exe
5032	YhgwEfa.exe
1400	TGggbzi.exe
4820	tPTHCDi.exe
4776	QjSTrWW.exe
4712	QPvJqEM.exe
2780	LtgTrAu.exe
4272	QeDVjzC.exe
3692	JAWALCs.exe
4488	sLDZARP.exe
2276	WhyILYE.exe
1948	djIihWb.exe
4264	gssoaxi.exe
948	XxLxsRX.exe
1248	MbVziaC.exe
1800	uuFUJpD.exe
4452	DvrRZQR.exe
376	tFSdpZv.exe
4328	BleEbro.exe
4472	ptJczKA.exe
4716	GNfniSb.exe
4352	YTiMSfa.exe
1516	GnkoTsK.exe
908	hfxByvt.exe
2140	XZEZiDQ.exe
4880	HUspysX.exe
3172	shkQeZD.exe
3220	iEKASVI.exe
3224	zyBGYJJ.exe
4544	veyWCVM.exe
32	wTYvqVr.exe
860	wDCbNoT.exe
2008	nXwCJdE.exe
4080	kpkHefY.exe
4792	GoCxnvC.exe
1616	ivFidGw.exe
4980	DNhqwPI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF62BB50000-0x00007FF62BF41000-memory.dmp	upx
behavioral2/files/0x000d000000023383-4.dat	upx
behavioral2/files/0x00090000000233f3-11.dat	upx
behavioral2/files/0x0007000000023402-10.dat	upx
behavioral2/memory/3496-14-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	upx
behavioral2/files/0x0007000000023403-24.dat	upx
behavioral2/files/0x0007000000023406-39.dat	upx
behavioral2/files/0x0007000000023407-42.dat	upx
behavioral2/memory/2396-43-0x00007FF7590D0000-0x00007FF7594C1000-memory.dmp	upx
behavioral2/memory/1828-46-0x00007FF7733B0000-0x00007FF7737A1000-memory.dmp	upx
behavioral2/memory/1900-48-0x00007FF694840000-0x00007FF694C31000-memory.dmp	upx
behavioral2/files/0x0007000000023408-54.dat	upx
behavioral2/files/0x0007000000023409-59.dat	upx
behavioral2/files/0x000700000002340f-89.dat	upx
behavioral2/files/0x0007000000023414-114.dat	upx
behavioral2/files/0x0007000000023416-127.dat	upx
behavioral2/files/0x000700000002341e-164.dat	upx
behavioral2/memory/5056-464-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	upx
behavioral2/memory/4592-468-0x00007FF6F7E90000-0x00007FF6F8281000-memory.dmp	upx
behavioral2/memory/452-474-0x00007FF6D98A0000-0x00007FF6D9C91000-memory.dmp	upx
behavioral2/memory/2584-482-0x00007FF79CD30000-0x00007FF79D121000-memory.dmp	upx
behavioral2/memory/4396-483-0x00007FF775880000-0x00007FF775C71000-memory.dmp	upx
behavioral2/memory/4920-485-0x00007FF7D4480000-0x00007FF7D4871000-memory.dmp	upx
behavioral2/memory/2264-494-0x00007FF6F1DA0000-0x00007FF6F2191000-memory.dmp	upx
behavioral2/memory/2024-498-0x00007FF7F8450000-0x00007FF7F8841000-memory.dmp	upx
behavioral2/memory/60-480-0x00007FF7F6B20000-0x00007FF7F6F11000-memory.dmp	upx
behavioral2/memory/2528-477-0x00007FF7F50A0000-0x00007FF7F5491000-memory.dmp	upx
behavioral2/files/0x000700000002341f-169.dat	upx
behavioral2/files/0x000700000002341d-159.dat	upx
behavioral2/files/0x000700000002341c-154.dat	upx
behavioral2/files/0x000700000002341b-149.dat	upx
behavioral2/files/0x000700000002341a-144.dat	upx
behavioral2/files/0x0007000000023419-139.dat	upx
behavioral2/files/0x0007000000023418-134.dat	upx
behavioral2/files/0x0007000000023417-129.dat	upx
behavioral2/files/0x0007000000023415-119.dat	upx
behavioral2/files/0x0007000000023413-109.dat	upx
behavioral2/files/0x0007000000023412-107.dat	upx
behavioral2/files/0x0007000000023411-99.dat	upx
behavioral2/files/0x0007000000023410-94.dat	upx
behavioral2/files/0x000700000002340e-84.dat	upx
behavioral2/files/0x000700000002340d-79.dat	upx
behavioral2/files/0x000700000002340c-74.dat	upx
behavioral2/files/0x000700000002340b-69.dat	upx
behavioral2/files/0x000700000002340a-64.dat	upx
behavioral2/memory/2296-47-0x00007FF7B2A50000-0x00007FF7B2E41000-memory.dmp	upx
behavioral2/memory/1212-45-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp	upx
behavioral2/files/0x0007000000023405-34.dat	upx
behavioral2/files/0x0007000000023404-29.dat	upx
behavioral2/memory/4204-17-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp	upx
behavioral2/memory/3052-12-0x00007FF783DF0000-0x00007FF7841E1000-memory.dmp	upx
behavioral2/memory/5016-506-0x00007FF763650000-0x00007FF763A41000-memory.dmp	upx
behavioral2/memory/4924-508-0x00007FF6B1180000-0x00007FF6B1571000-memory.dmp	upx
behavioral2/memory/1592-513-0x00007FF641EB0000-0x00007FF6422A1000-memory.dmp	upx
behavioral2/memory/4160-532-0x00007FF6E9EC0000-0x00007FF6EA2B1000-memory.dmp	upx
behavioral2/memory/4948-505-0x00007FF765300000-0x00007FF7656F1000-memory.dmp	upx
behavioral2/memory/840-500-0x00007FF66F960000-0x00007FF66FD51000-memory.dmp	upx
behavioral2/memory/3496-2011-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	upx
behavioral2/memory/4204-2032-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp	upx
behavioral2/memory/1900-2033-0x00007FF694840000-0x00007FF694C31000-memory.dmp	upx
behavioral2/memory/3052-2052-0x00007FF783DF0000-0x00007FF7841E1000-memory.dmp	upx
behavioral2/memory/3496-2054-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp	upx
behavioral2/memory/4204-2056-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp	upx
behavioral2/memory/1212-2058-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\UJetukN.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\QjSTrWW.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\QeDVjzC.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\sNQyUJX.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\WCuRsNe.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\hNPCquM.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\KeKBgxl.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\uQqRYwb.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\gQhBrzz.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\aDUPrBG.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\xrDzMCE.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\GZBfnzM.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\GqgHKqW.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\NlyOxZL.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\qVYCZPt.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\zueQjQC.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\OwlBWkY.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\HrjOjlE.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\sLDZARP.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\djIihWb.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\zyBGYJJ.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\dUXduHY.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\DxlRTSf.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\DLXHsfh.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\RtKlqLv.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\IzObLCh.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\fWbmEnH.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\UCvbDta.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\XSWQwNv.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\nsbVDfV.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\qzRvVFt.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\UwrlYOx.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\Aolohdz.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ihGxyNY.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\MUEiGvH.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\sQWrduI.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\VzkUPGR.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\zyRtinF.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\xfckyeo.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\GyZssuy.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\JAWALCs.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\PZXECqh.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\MVrhosI.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ccdkLRx.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\MlcGLni.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\qVcfrpw.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\SMDFMDV.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\tHDZKTg.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\WhyILYE.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ebFxyqg.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\lJyzTNQ.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\yaodIxb.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\CQCNkrZ.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\KrriWDZ.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\imcCwaX.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\GMpDccA.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\CIEyEUe.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\nXhcAEF.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\uRfDdqJ.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\XvrOKJI.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\iiKzvFI.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\qAHVQxF.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\oDzVVOL.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
File created	C:\Windows\System32\cDhQzfW.exe	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12872	dwm.exe
Token: SeChangeNotifyPrivilege	12872	dwm.exe
Token: 33	12872	dwm.exe
Token: SeIncBasePriorityPrivilege	12872	dwm.exe
Token: SeShutdownPrivilege	12872	dwm.exe
Token: SeCreatePagefilePrivilege	12872	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3052	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	86
PID 2564 wrote to memory of 3052	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	86
PID 2564 wrote to memory of 3496	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	87
PID 2564 wrote to memory of 3496	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	87
PID 2564 wrote to memory of 4204	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	88
PID 2564 wrote to memory of 4204	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	88
PID 2564 wrote to memory of 2396	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	89
PID 2564 wrote to memory of 2396	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	89
PID 2564 wrote to memory of 1212	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	90
PID 2564 wrote to memory of 1212	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	90
PID 2564 wrote to memory of 1828	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	91
PID 2564 wrote to memory of 1828	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	91
PID 2564 wrote to memory of 2296	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	92
PID 2564 wrote to memory of 2296	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	92
PID 2564 wrote to memory of 1900	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	93
PID 2564 wrote to memory of 1900	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	93
PID 2564 wrote to memory of 5056	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	94
PID 2564 wrote to memory of 5056	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	94
PID 2564 wrote to memory of 4592	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	95
PID 2564 wrote to memory of 4592	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	95
PID 2564 wrote to memory of 452	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	96
PID 2564 wrote to memory of 452	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	96
PID 2564 wrote to memory of 2528	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	97
PID 2564 wrote to memory of 2528	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	97
PID 2564 wrote to memory of 60	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	98
PID 2564 wrote to memory of 60	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	98
PID 2564 wrote to memory of 2584	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	99
PID 2564 wrote to memory of 2584	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	99
PID 2564 wrote to memory of 4396	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	100
PID 2564 wrote to memory of 4396	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	100
PID 2564 wrote to memory of 4920	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	101
PID 2564 wrote to memory of 4920	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	101
PID 2564 wrote to memory of 2264	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	102
PID 2564 wrote to memory of 2264	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	102
PID 2564 wrote to memory of 2024	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	103
PID 2564 wrote to memory of 2024	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	103
PID 2564 wrote to memory of 840	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	104
PID 2564 wrote to memory of 840	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	104
PID 2564 wrote to memory of 4948	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	105
PID 2564 wrote to memory of 4948	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	105
PID 2564 wrote to memory of 5016	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	106
PID 2564 wrote to memory of 5016	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	106
PID 2564 wrote to memory of 4924	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	107
PID 2564 wrote to memory of 4924	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	107
PID 2564 wrote to memory of 1592	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	108
PID 2564 wrote to memory of 1592	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	108
PID 2564 wrote to memory of 4160	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	109
PID 2564 wrote to memory of 4160	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	109
PID 2564 wrote to memory of 2204	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	110
PID 2564 wrote to memory of 2204	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	110
PID 2564 wrote to memory of 2348	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	111
PID 2564 wrote to memory of 2348	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	111
PID 2564 wrote to memory of 1172	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	112
PID 2564 wrote to memory of 1172	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	112
PID 2564 wrote to memory of 1180	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	113
PID 2564 wrote to memory of 1180	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	113
PID 2564 wrote to memory of 5032	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	114
PID 2564 wrote to memory of 5032	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	114
PID 2564 wrote to memory of 1400	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	115
PID 2564 wrote to memory of 1400	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	115
PID 2564 wrote to memory of 4820	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	116
PID 2564 wrote to memory of 4820	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	116
PID 2564 wrote to memory of 4776	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	117
PID 2564 wrote to memory of 4776	2564	871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\871f1b2c9d4609e93422610da4625da0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\npscueT.exe
  C:\Windows\System32\npscueT.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\ijfglKS.exe
  C:\Windows\System32\ijfglKS.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\LRxKbBm.exe
  C:\Windows\System32\LRxKbBm.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\BLDWwkS.exe
  C:\Windows\System32\BLDWwkS.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\iiKzvFI.exe
  C:\Windows\System32\iiKzvFI.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\xEMezBI.exe
  C:\Windows\System32\xEMezBI.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\cyyzvyD.exe
  C:\Windows\System32\cyyzvyD.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\AubUTJt.exe
  C:\Windows\System32\AubUTJt.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\LyTGbeW.exe
  C:\Windows\System32\LyTGbeW.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\pCrSxkv.exe
  C:\Windows\System32\pCrSxkv.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\uHGmgbt.exe
  C:\Windows\System32\uHGmgbt.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\vmYYbzq.exe
  C:\Windows\System32\vmYYbzq.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\YCFKncp.exe
  C:\Windows\System32\YCFKncp.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\RMqAMJi.exe
  C:\Windows\System32\RMqAMJi.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\UJetukN.exe
  C:\Windows\System32\UJetukN.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\GMMzLzu.exe
  C:\Windows\System32\GMMzLzu.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\qooGkTj.exe
  C:\Windows\System32\qooGkTj.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\nwExMLf.exe
  C:\Windows\System32\nwExMLf.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\kQfqgRF.exe
  C:\Windows\System32\kQfqgRF.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\umFBMpa.exe
  C:\Windows\System32\umFBMpa.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\SRPjPSr.exe
  C:\Windows\System32\SRPjPSr.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\HrjOjlE.exe
  C:\Windows\System32\HrjOjlE.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\LqUArbD.exe
  C:\Windows\System32\LqUArbD.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\tuUKRnN.exe
  C:\Windows\System32\tuUKRnN.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System32\LMXIjXP.exe
  C:\Windows\System32\LMXIjXP.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\rejoVFV.exe
  C:\Windows\System32\rejoVFV.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\twALEZx.exe
  C:\Windows\System32\twALEZx.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\aHNlFLC.exe
  C:\Windows\System32\aHNlFLC.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System32\YhgwEfa.exe
  C:\Windows\System32\YhgwEfa.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\TGggbzi.exe
  C:\Windows\System32\TGggbzi.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System32\tPTHCDi.exe
  C:\Windows\System32\tPTHCDi.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\QjSTrWW.exe
  C:\Windows\System32\QjSTrWW.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\QPvJqEM.exe
  C:\Windows\System32\QPvJqEM.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\LtgTrAu.exe
  C:\Windows\System32\LtgTrAu.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System32\QeDVjzC.exe
  C:\Windows\System32\QeDVjzC.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\JAWALCs.exe
  C:\Windows\System32\JAWALCs.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\sLDZARP.exe
  C:\Windows\System32\sLDZARP.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\WhyILYE.exe
  C:\Windows\System32\WhyILYE.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\djIihWb.exe
  C:\Windows\System32\djIihWb.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\gssoaxi.exe
  C:\Windows\System32\gssoaxi.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\XxLxsRX.exe
  C:\Windows\System32\XxLxsRX.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System32\MbVziaC.exe
  C:\Windows\System32\MbVziaC.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\uuFUJpD.exe
  C:\Windows\System32\uuFUJpD.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\DvrRZQR.exe
  C:\Windows\System32\DvrRZQR.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\tFSdpZv.exe
  C:\Windows\System32\tFSdpZv.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\BleEbro.exe
  C:\Windows\System32\BleEbro.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\ptJczKA.exe
  C:\Windows\System32\ptJczKA.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\GNfniSb.exe
  C:\Windows\System32\GNfniSb.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\YTiMSfa.exe
  C:\Windows\System32\YTiMSfa.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\GnkoTsK.exe
  C:\Windows\System32\GnkoTsK.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\hfxByvt.exe
  C:\Windows\System32\hfxByvt.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\XZEZiDQ.exe
  C:\Windows\System32\XZEZiDQ.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\HUspysX.exe
  C:\Windows\System32\HUspysX.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\shkQeZD.exe
  C:\Windows\System32\shkQeZD.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\iEKASVI.exe
  C:\Windows\System32\iEKASVI.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\zyBGYJJ.exe
  C:\Windows\System32\zyBGYJJ.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\veyWCVM.exe
  C:\Windows\System32\veyWCVM.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\wTYvqVr.exe
  C:\Windows\System32\wTYvqVr.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System32\wDCbNoT.exe
  C:\Windows\System32\wDCbNoT.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\nXwCJdE.exe
  C:\Windows\System32\nXwCJdE.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\kpkHefY.exe
  C:\Windows\System32\kpkHefY.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\GoCxnvC.exe
  C:\Windows\System32\GoCxnvC.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\ivFidGw.exe
  C:\Windows\System32\ivFidGw.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\DNhqwPI.exe
  C:\Windows\System32\DNhqwPI.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\vnNojsE.exe
  C:\Windows\System32\vnNojsE.exe
  2⤵
  PID:2184
- C:\Windows\System32\Rivzfox.exe
  C:\Windows\System32\Rivzfox.exe
  2⤵
  PID:4324
- C:\Windows\System32\fDgBaBF.exe
  C:\Windows\System32\fDgBaBF.exe
  2⤵
  PID:4268
- C:\Windows\System32\GLXUKGZ.exe
  C:\Windows\System32\GLXUKGZ.exe
  2⤵
  PID:952
- C:\Windows\System32\ZEpbpGd.exe
  C:\Windows\System32\ZEpbpGd.exe
  2⤵
  PID:1560
- C:\Windows\System32\sUDZcbz.exe
  C:\Windows\System32\sUDZcbz.exe
  2⤵
  PID:4404
- C:\Windows\System32\ShGhytJ.exe
  C:\Windows\System32\ShGhytJ.exe
  2⤵
  PID:3192
- C:\Windows\System32\sAueXZU.exe
  C:\Windows\System32\sAueXZU.exe
  2⤵
  PID:3512
- C:\Windows\System32\dfScstQ.exe
  C:\Windows\System32\dfScstQ.exe
  2⤵
  PID:620
- C:\Windows\System32\IGaNBgA.exe
  C:\Windows\System32\IGaNBgA.exe
  2⤵
  PID:2172
- C:\Windows\System32\TQxxfJU.exe
  C:\Windows\System32\TQxxfJU.exe
  2⤵
  PID:2756
- C:\Windows\System32\jRAvide.exe
  C:\Windows\System32\jRAvide.exe
  2⤵
  PID:3080
- C:\Windows\System32\kQHBwlN.exe
  C:\Windows\System32\kQHBwlN.exe
  2⤵
  PID:3344
- C:\Windows\System32\UayPxSS.exe
  C:\Windows\System32\UayPxSS.exe
  2⤵
  PID:3328
- C:\Windows\System32\apNjPyj.exe
  C:\Windows\System32\apNjPyj.exe
  2⤵
  PID:2028
- C:\Windows\System32\sQWrduI.exe
  C:\Windows\System32\sQWrduI.exe
  2⤵
  PID:4868
- C:\Windows\System32\gtsqPWf.exe
  C:\Windows\System32\gtsqPWf.exe
  2⤵
  PID:1476
- C:\Windows\System32\MYMVNGa.exe
  C:\Windows\System32\MYMVNGa.exe
  2⤵
  PID:460
- C:\Windows\System32\kscgszi.exe
  C:\Windows\System32\kscgszi.exe
  2⤵
  PID:5152
- C:\Windows\System32\jAClyfT.exe
  C:\Windows\System32\jAClyfT.exe
  2⤵
  PID:5184
- C:\Windows\System32\XYRkzmz.exe
  C:\Windows\System32\XYRkzmz.exe
  2⤵
  PID:5208
- C:\Windows\System32\XmtnrpS.exe
  C:\Windows\System32\XmtnrpS.exe
  2⤵
  PID:5236
- C:\Windows\System32\bIvvOYZ.exe
  C:\Windows\System32\bIvvOYZ.exe
  2⤵
  PID:5264
- C:\Windows\System32\yGXmYqI.exe
  C:\Windows\System32\yGXmYqI.exe
  2⤵
  PID:5280
- C:\Windows\System32\HeiKSYX.exe
  C:\Windows\System32\HeiKSYX.exe
  2⤵
  PID:5320
- C:\Windows\System32\FYySkyn.exe
  C:\Windows\System32\FYySkyn.exe
  2⤵
  PID:5336
- C:\Windows\System32\dUXduHY.exe
  C:\Windows\System32\dUXduHY.exe
  2⤵
  PID:5364
- C:\Windows\System32\ZittnEW.exe
  C:\Windows\System32\ZittnEW.exe
  2⤵
  PID:5392
- C:\Windows\System32\qMtNEjy.exe
  C:\Windows\System32\qMtNEjy.exe
  2⤵
  PID:5420
- C:\Windows\System32\kwcXWrb.exe
  C:\Windows\System32\kwcXWrb.exe
  2⤵
  PID:5448
- C:\Windows\System32\gmpkNCA.exe
  C:\Windows\System32\gmpkNCA.exe
  2⤵
  PID:5488
- C:\Windows\System32\znxUaPT.exe
  C:\Windows\System32\znxUaPT.exe
  2⤵
  PID:5504
- C:\Windows\System32\JVNCRwa.exe
  C:\Windows\System32\JVNCRwa.exe
  2⤵
  PID:5544
- C:\Windows\System32\oFxvIEb.exe
  C:\Windows\System32\oFxvIEb.exe
  2⤵
  PID:5560
- C:\Windows\System32\ewrhxNi.exe
  C:\Windows\System32\ewrhxNi.exe
  2⤵
  PID:5600
- C:\Windows\System32\sZyHXmk.exe
  C:\Windows\System32\sZyHXmk.exe
  2⤵
  PID:5616
- C:\Windows\System32\LZYxPpE.exe
  C:\Windows\System32\LZYxPpE.exe
  2⤵
  PID:5644
- C:\Windows\System32\GZBfnzM.exe
  C:\Windows\System32\GZBfnzM.exe
  2⤵
  PID:5672
- C:\Windows\System32\GMpDccA.exe
  C:\Windows\System32\GMpDccA.exe
  2⤵
  PID:5700
- C:\Windows\System32\avkHFiz.exe
  C:\Windows\System32\avkHFiz.exe
  2⤵
  PID:5740
- C:\Windows\System32\wEoNVeN.exe
  C:\Windows\System32\wEoNVeN.exe
  2⤵
  PID:5756
- C:\Windows\System32\TSqiPCD.exe
  C:\Windows\System32\TSqiPCD.exe
  2⤵
  PID:5796
- C:\Windows\System32\IGbCdiO.exe
  C:\Windows\System32\IGbCdiO.exe
  2⤵
  PID:5812
- C:\Windows\System32\uNVHwlD.exe
  C:\Windows\System32\uNVHwlD.exe
  2⤵
  PID:5840
- C:\Windows\System32\PnFtlcp.exe
  C:\Windows\System32\PnFtlcp.exe
  2⤵
  PID:5880
- C:\Windows\System32\wBUNIYf.exe
  C:\Windows\System32\wBUNIYf.exe
  2⤵
  PID:5896
- C:\Windows\System32\QchCjEv.exe
  C:\Windows\System32\QchCjEv.exe
  2⤵
  PID:5936
- C:\Windows\System32\wRzyBZs.exe
  C:\Windows\System32\wRzyBZs.exe
  2⤵
  PID:5960
- C:\Windows\System32\uQqRYwb.exe
  C:\Windows\System32\uQqRYwb.exe
  2⤵
  PID:5980
- C:\Windows\System32\JQomzgf.exe
  C:\Windows\System32\JQomzgf.exe
  2⤵
  PID:6008
- C:\Windows\System32\jojFtTY.exe
  C:\Windows\System32\jojFtTY.exe
  2⤵
  PID:6048
- C:\Windows\System32\ZWVyedC.exe
  C:\Windows\System32\ZWVyedC.exe
  2⤵
  PID:6076
- C:\Windows\System32\UyMtzLe.exe
  C:\Windows\System32\UyMtzLe.exe
  2⤵
  PID:6092
- C:\Windows\System32\WLynsKG.exe
  C:\Windows\System32\WLynsKG.exe
  2⤵
  PID:6120
- C:\Windows\System32\qAHVQxF.exe
  C:\Windows\System32\qAHVQxF.exe
  2⤵
  PID:4412
- C:\Windows\System32\GqgHKqW.exe
  C:\Windows\System32\GqgHKqW.exe
  2⤵
  PID:3628
- C:\Windows\System32\iKnffye.exe
  C:\Windows\System32\iKnffye.exe
  2⤵
  PID:1548
- C:\Windows\System32\aUiRDWq.exe
  C:\Windows\System32\aUiRDWq.exe
  2⤵
  PID:3252
- C:\Windows\System32\UqggROi.exe
  C:\Windows\System32\UqggROi.exe
  2⤵
  PID:5144
- C:\Windows\System32\RwVsXUz.exe
  C:\Windows\System32\RwVsXUz.exe
  2⤵
  PID:5224
- C:\Windows\System32\glWFldC.exe
  C:\Windows\System32\glWFldC.exe
  2⤵
  PID:5244
- C:\Windows\System32\DwkrzTx.exe
  C:\Windows\System32\DwkrzTx.exe
  2⤵
  PID:5304
- C:\Windows\System32\nGjszSK.exe
  C:\Windows\System32\nGjszSK.exe
  2⤵
  PID:5380
- C:\Windows\System32\vpbqxRM.exe
  C:\Windows\System32\vpbqxRM.exe
  2⤵
  PID:5432
- C:\Windows\System32\hlyaxUS.exe
  C:\Windows\System32\hlyaxUS.exe
  2⤵
  PID:5500
- C:\Windows\System32\gQhBrzz.exe
  C:\Windows\System32\gQhBrzz.exe
  2⤵
  PID:5556
- C:\Windows\System32\PCBXDVv.exe
  C:\Windows\System32\PCBXDVv.exe
  2⤵
  PID:5628
- C:\Windows\System32\GYjAVqa.exe
  C:\Windows\System32\GYjAVqa.exe
  2⤵
  PID:1096
- C:\Windows\System32\VRhySne.exe
  C:\Windows\System32\VRhySne.exe
  2⤵
  PID:5828
- C:\Windows\System32\dolcPcn.exe
  C:\Windows\System32\dolcPcn.exe
  2⤵
  PID:5864
- C:\Windows\System32\bzNVKSM.exe
  C:\Windows\System32\bzNVKSM.exe
  2⤵
  PID:5888
- C:\Windows\System32\XVDbKsX.exe
  C:\Windows\System32\XVDbKsX.exe
  2⤵
  PID:4816
- C:\Windows\System32\YIhjtiF.exe
  C:\Windows\System32\YIhjtiF.exe
  2⤵
  PID:6040
- C:\Windows\System32\bXCEQke.exe
  C:\Windows\System32\bXCEQke.exe
  2⤵
  PID:6104
- C:\Windows\System32\JHabIeS.exe
  C:\Windows\System32\JHabIeS.exe
  2⤵
  PID:1036
- C:\Windows\System32\uhbgeFe.exe
  C:\Windows\System32\uhbgeFe.exe
  2⤵
  PID:4696
- C:\Windows\System32\wkuHsmd.exe
  C:\Windows\System32\wkuHsmd.exe
  2⤵
  PID:5028
- C:\Windows\System32\WIuPeuU.exe
  C:\Windows\System32\WIuPeuU.exe
  2⤵
  PID:3852
- C:\Windows\System32\WIMyhhL.exe
  C:\Windows\System32\WIMyhhL.exe
  2⤵
  PID:5332
- C:\Windows\System32\LeguFFt.exe
  C:\Windows\System32\LeguFFt.exe
  2⤵
  PID:3212
- C:\Windows\System32\MiAjHMU.exe
  C:\Windows\System32\MiAjHMU.exe
  2⤵
  PID:2220
- C:\Windows\System32\hPxpEow.exe
  C:\Windows\System32\hPxpEow.exe
  2⤵
  PID:1712
- C:\Windows\System32\xjqxmFu.exe
  C:\Windows\System32\xjqxmFu.exe
  2⤵
  PID:4092
- C:\Windows\System32\mFHaFnZ.exe
  C:\Windows\System32\mFHaFnZ.exe
  2⤵
  PID:384
- C:\Windows\System32\UlLwyVK.exe
  C:\Windows\System32\UlLwyVK.exe
  2⤵
  PID:4372
- C:\Windows\System32\ucjWQDi.exe
  C:\Windows\System32\ucjWQDi.exe
  2⤵
  PID:5948
- C:\Windows\System32\Pbqrxgx.exe
  C:\Windows\System32\Pbqrxgx.exe
  2⤵
  PID:2380
- C:\Windows\System32\oDzVVOL.exe
  C:\Windows\System32\oDzVVOL.exe
  2⤵
  PID:3356
- C:\Windows\System32\hjJtfbr.exe
  C:\Windows\System32\hjJtfbr.exe
  2⤵
  PID:5124
- C:\Windows\System32\MYbTHHK.exe
  C:\Windows\System32\MYbTHHK.exe
  2⤵
  PID:404
- C:\Windows\System32\amtpjFs.exe
  C:\Windows\System32\amtpjFs.exe
  2⤵
  PID:5248
- C:\Windows\System32\apZqeqn.exe
  C:\Windows\System32\apZqeqn.exe
  2⤵
  PID:6148
- C:\Windows\System32\NFoBWIu.exe
  C:\Windows\System32\NFoBWIu.exe
  2⤵
  PID:6176
- C:\Windows\System32\xyEIDqF.exe
  C:\Windows\System32\xyEIDqF.exe
  2⤵
  PID:6244
- C:\Windows\System32\GdfiZjv.exe
  C:\Windows\System32\GdfiZjv.exe
  2⤵
  PID:6268
- C:\Windows\System32\XSWQwNv.exe
  C:\Windows\System32\XSWQwNv.exe
  2⤵
  PID:6292
- C:\Windows\System32\BDpExNM.exe
  C:\Windows\System32\BDpExNM.exe
  2⤵
  PID:6336
- C:\Windows\System32\iHnLMAz.exe
  C:\Windows\System32\iHnLMAz.exe
  2⤵
  PID:6368
- C:\Windows\System32\RQtViTH.exe
  C:\Windows\System32\RQtViTH.exe
  2⤵
  PID:6388
- C:\Windows\System32\NlmDovq.exe
  C:\Windows\System32\NlmDovq.exe
  2⤵
  PID:6408
- C:\Windows\System32\PZXECqh.exe
  C:\Windows\System32\PZXECqh.exe
  2⤵
  PID:6444
- C:\Windows\System32\RIHUgVB.exe
  C:\Windows\System32\RIHUgVB.exe
  2⤵
  PID:6492
- C:\Windows\System32\eoCZQIW.exe
  C:\Windows\System32\eoCZQIW.exe
  2⤵
  PID:6532
- C:\Windows\System32\AMmanIM.exe
  C:\Windows\System32\AMmanIM.exe
  2⤵
  PID:6548
- C:\Windows\System32\bDZbvyQ.exe
  C:\Windows\System32\bDZbvyQ.exe
  2⤵
  PID:6576
- C:\Windows\System32\OCuAvaU.exe
  C:\Windows\System32\OCuAvaU.exe
  2⤵
  PID:6604
- C:\Windows\System32\SMKPPYw.exe
  C:\Windows\System32\SMKPPYw.exe
  2⤵
  PID:6624
- C:\Windows\System32\dKnaogz.exe
  C:\Windows\System32\dKnaogz.exe
  2⤵
  PID:6652
- C:\Windows\System32\mMZlonj.exe
  C:\Windows\System32\mMZlonj.exe
  2⤵
  PID:6692
- C:\Windows\System32\pRuMuTI.exe
  C:\Windows\System32\pRuMuTI.exe
  2⤵
  PID:6732
- C:\Windows\System32\uYwiThX.exe
  C:\Windows\System32\uYwiThX.exe
  2⤵
  PID:6760
- C:\Windows\System32\ECphbcN.exe
  C:\Windows\System32\ECphbcN.exe
  2⤵
  PID:6788
- C:\Windows\System32\XxhqSDd.exe
  C:\Windows\System32\XxhqSDd.exe
  2⤵
  PID:6804
- C:\Windows\System32\BMyLlZb.exe
  C:\Windows\System32\BMyLlZb.exe
  2⤵
  PID:6844
- C:\Windows\System32\mkewyYC.exe
  C:\Windows\System32\mkewyYC.exe
  2⤵
  PID:6860
- C:\Windows\System32\GUSLTmt.exe
  C:\Windows\System32\GUSLTmt.exe
  2⤵
  PID:6880
- C:\Windows\System32\RyqIrHy.exe
  C:\Windows\System32\RyqIrHy.exe
  2⤵
  PID:6904
- C:\Windows\System32\mKDWfli.exe
  C:\Windows\System32\mKDWfli.exe
  2⤵
  PID:6956
- C:\Windows\System32\hZUMAcY.exe
  C:\Windows\System32\hZUMAcY.exe
  2⤵
  PID:6984
- C:\Windows\System32\PVxjOYS.exe
  C:\Windows\System32\PVxjOYS.exe
  2⤵
  PID:7004
- C:\Windows\System32\QBwFjQa.exe
  C:\Windows\System32\QBwFjQa.exe
  2⤵
  PID:7020
- C:\Windows\System32\JDJBfHE.exe
  C:\Windows\System32\JDJBfHE.exe
  2⤵
  PID:7048
- C:\Windows\System32\iPcETlJ.exe
  C:\Windows\System32\iPcETlJ.exe
  2⤵
  PID:7096
- C:\Windows\System32\WKDTrqL.exe
  C:\Windows\System32\WKDTrqL.exe
  2⤵
  PID:7112
- C:\Windows\System32\EoCfLAv.exe
  C:\Windows\System32\EoCfLAv.exe
  2⤵
  PID:7132
- C:\Windows\System32\fABOboa.exe
  C:\Windows\System32\fABOboa.exe
  2⤵
  PID:5464
- C:\Windows\System32\qtZehQT.exe
  C:\Windows\System32\qtZehQT.exe
  2⤵
  PID:6084
- C:\Windows\System32\kTbKwLs.exe
  C:\Windows\System32\kTbKwLs.exe
  2⤵
  PID:1544
- C:\Windows\System32\GrnBjeJ.exe
  C:\Windows\System32\GrnBjeJ.exe
  2⤵
  PID:4068
- C:\Windows\System32\tjICSJG.exe
  C:\Windows\System32\tjICSJG.exe
  2⤵
  PID:5716
- C:\Windows\System32\kXbPjth.exe
  C:\Windows\System32\kXbPjth.exe
  2⤵
  PID:2764
- C:\Windows\System32\MVrhosI.exe
  C:\Windows\System32\MVrhosI.exe
  2⤵
  PID:4772
- C:\Windows\System32\mMTlCju.exe
  C:\Windows\System32\mMTlCju.exe
  2⤵
  PID:6316
- C:\Windows\System32\VLnlySJ.exe
  C:\Windows\System32\VLnlySJ.exe
  2⤵
  PID:6352
- C:\Windows\System32\mKDeepV.exe
  C:\Windows\System32\mKDeepV.exe
  2⤵
  PID:6400
- C:\Windows\System32\MrFzPcO.exe
  C:\Windows\System32\MrFzPcO.exe
  2⤵
  PID:6460
- C:\Windows\System32\rNwzrID.exe
  C:\Windows\System32\rNwzrID.exe
  2⤵
  PID:6564
- C:\Windows\System32\rzExxlD.exe
  C:\Windows\System32\rzExxlD.exe
  2⤵
  PID:6616
- C:\Windows\System32\ztkgjUE.exe
  C:\Windows\System32\ztkgjUE.exe
  2⤵
  PID:6700
- C:\Windows\System32\nsbVDfV.exe
  C:\Windows\System32\nsbVDfV.exe
  2⤵
  PID:6744
- C:\Windows\System32\hVLwuPw.exe
  C:\Windows\System32\hVLwuPw.exe
  2⤵
  PID:6800
- C:\Windows\System32\GaRkMUn.exe
  C:\Windows\System32\GaRkMUn.exe
  2⤵
  PID:6888
- C:\Windows\System32\xgPyvrI.exe
  C:\Windows\System32\xgPyvrI.exe
  2⤵
  PID:6980
- C:\Windows\System32\fDdlcgu.exe
  C:\Windows\System32\fDdlcgu.exe
  2⤵
  PID:7060
- C:\Windows\System32\CnbJPgz.exe
  C:\Windows\System32\CnbJPgz.exe
  2⤵
  PID:7108
- C:\Windows\System32\sscTeiy.exe
  C:\Windows\System32\sscTeiy.exe
  2⤵
  PID:5528
- C:\Windows\System32\ykqSuji.exe
  C:\Windows\System32\ykqSuji.exe
  2⤵
  PID:1624
- C:\Windows\System32\QTAgUcZ.exe
  C:\Windows\System32\QTAgUcZ.exe
  2⤵
  PID:4416
- C:\Windows\System32\thkrABN.exe
  C:\Windows\System32\thkrABN.exe
  2⤵
  PID:2292
- C:\Windows\System32\snkXpjf.exe
  C:\Windows\System32\snkXpjf.exe
  2⤵
  PID:6288
- C:\Windows\System32\xVQUAFO.exe
  C:\Windows\System32\xVQUAFO.exe
  2⤵
  PID:6436
- C:\Windows\System32\qzRvVFt.exe
  C:\Windows\System32\qzRvVFt.exe
  2⤵
  PID:6644
- C:\Windows\System32\CIEyEUe.exe
  C:\Windows\System32\CIEyEUe.exe
  2⤵
  PID:6784
- C:\Windows\System32\HyhnjEr.exe
  C:\Windows\System32\HyhnjEr.exe
  2⤵
  PID:1500
- C:\Windows\System32\jJUBisP.exe
  C:\Windows\System32\jJUBisP.exe
  2⤵
  PID:7040
- C:\Windows\System32\GhUsRPi.exe
  C:\Windows\System32\GhUsRPi.exe
  2⤵
  PID:7156
- C:\Windows\System32\ccdkLRx.exe
  C:\Windows\System32\ccdkLRx.exe
  2⤵
  PID:6260
- C:\Windows\System32\UwrlYOx.exe
  C:\Windows\System32\UwrlYOx.exe
  2⤵
  PID:6404
- C:\Windows\System32\ebFxyqg.exe
  C:\Windows\System32\ebFxyqg.exe
  2⤵
  PID:6932
- C:\Windows\System32\srdDhTO.exe
  C:\Windows\System32\srdDhTO.exe
  2⤵
  PID:3308
- C:\Windows\System32\DVOIqQt.exe
  C:\Windows\System32\DVOIqQt.exe
  2⤵
  PID:6640
- C:\Windows\System32\AvAdmVv.exe
  C:\Windows\System32\AvAdmVv.exe
  2⤵
  PID:7140
- C:\Windows\System32\wmoTime.exe
  C:\Windows\System32\wmoTime.exe
  2⤵
  PID:6664
- C:\Windows\System32\cOuZFCp.exe
  C:\Windows\System32\cOuZFCp.exe
  2⤵
  PID:7188
- C:\Windows\System32\YDIhLHV.exe
  C:\Windows\System32\YDIhLHV.exe
  2⤵
  PID:7212
- C:\Windows\System32\SAdppMY.exe
  C:\Windows\System32\SAdppMY.exe
  2⤵
  PID:7260
- C:\Windows\System32\JlaYtWG.exe
  C:\Windows\System32\JlaYtWG.exe
  2⤵
  PID:7280
- C:\Windows\System32\vMxDPhU.exe
  C:\Windows\System32\vMxDPhU.exe
  2⤵
  PID:7300
- C:\Windows\System32\xuuGNAt.exe
  C:\Windows\System32\xuuGNAt.exe
  2⤵
  PID:7348
- C:\Windows\System32\yFiphHZ.exe
  C:\Windows\System32\yFiphHZ.exe
  2⤵
  PID:7368
- C:\Windows\System32\wdEMwNC.exe
  C:\Windows\System32\wdEMwNC.exe
  2⤵
  PID:7384
- C:\Windows\System32\VvIutSE.exe
  C:\Windows\System32\VvIutSE.exe
  2⤵
  PID:7412
- C:\Windows\System32\tHLwGqo.exe
  C:\Windows\System32\tHLwGqo.exe
  2⤵
  PID:7464
- C:\Windows\System32\tpXooUW.exe
  C:\Windows\System32\tpXooUW.exe
  2⤵
  PID:7500
- C:\Windows\System32\SkievXm.exe
  C:\Windows\System32\SkievXm.exe
  2⤵
  PID:7516
- C:\Windows\System32\MlcGLni.exe
  C:\Windows\System32\MlcGLni.exe
  2⤵
  PID:7540
- C:\Windows\System32\XaFJoEx.exe
  C:\Windows\System32\XaFJoEx.exe
  2⤵
  PID:7564
- C:\Windows\System32\hWqrSFb.exe
  C:\Windows\System32\hWqrSFb.exe
  2⤵
  PID:7600
- C:\Windows\System32\ZOfeyUn.exe
  C:\Windows\System32\ZOfeyUn.exe
  2⤵
  PID:7640
- C:\Windows\System32\hGGKgNe.exe
  C:\Windows\System32\hGGKgNe.exe
  2⤵
  PID:7656
- C:\Windows\System32\zpdTirF.exe
  C:\Windows\System32\zpdTirF.exe
  2⤵
  PID:7684
- C:\Windows\System32\xpojuSM.exe
  C:\Windows\System32\xpojuSM.exe
  2⤵
  PID:7712
- C:\Windows\System32\qVcfrpw.exe
  C:\Windows\System32\qVcfrpw.exe
  2⤵
  PID:7740
- C:\Windows\System32\bmcXeqf.exe
  C:\Windows\System32\bmcXeqf.exe
  2⤵
  PID:7756
- C:\Windows\System32\AcUoVsH.exe
  C:\Windows\System32\AcUoVsH.exe
  2⤵
  PID:7808
- C:\Windows\System32\odzNpAB.exe
  C:\Windows\System32\odzNpAB.exe
  2⤵
  PID:7832
- C:\Windows\System32\jqmXojU.exe
  C:\Windows\System32\jqmXojU.exe
  2⤵
  PID:7852
- C:\Windows\System32\VzkUPGR.exe
  C:\Windows\System32\VzkUPGR.exe
  2⤵
  PID:7880
- C:\Windows\System32\WIHUvLx.exe
  C:\Windows\System32\WIHUvLx.exe
  2⤵
  PID:7904
- C:\Windows\System32\VsmKZoh.exe
  C:\Windows\System32\VsmKZoh.exe
  2⤵
  PID:7940
- C:\Windows\System32\wIbiQwc.exe
  C:\Windows\System32\wIbiQwc.exe
  2⤵
  PID:7964
- C:\Windows\System32\hztUWpz.exe
  C:\Windows\System32\hztUWpz.exe
  2⤵
  PID:7984
- C:\Windows\System32\pVXBhDL.exe
  C:\Windows\System32\pVXBhDL.exe
  2⤵
  PID:8012
- C:\Windows\System32\JAKtEgk.exe
  C:\Windows\System32\JAKtEgk.exe
  2⤵
  PID:8036
- C:\Windows\System32\uCYjGJu.exe
  C:\Windows\System32\uCYjGJu.exe
  2⤵
  PID:8064
- C:\Windows\System32\lJyzTNQ.exe
  C:\Windows\System32\lJyzTNQ.exe
  2⤵
  PID:8084
- C:\Windows\System32\vpHuFAS.exe
  C:\Windows\System32\vpHuFAS.exe
  2⤵
  PID:8124
- C:\Windows\System32\YTxXxbR.exe
  C:\Windows\System32\YTxXxbR.exe
  2⤵
  PID:8168
- C:\Windows\System32\EhOLUrA.exe
  C:\Windows\System32\EhOLUrA.exe
  2⤵
  PID:8188
- C:\Windows\System32\hzdajwA.exe
  C:\Windows\System32\hzdajwA.exe
  2⤵
  PID:7232
- C:\Windows\System32\oeOcBdv.exe
  C:\Windows\System32\oeOcBdv.exe
  2⤵
  PID:7276
- C:\Windows\System32\sNQyUJX.exe
  C:\Windows\System32\sNQyUJX.exe
  2⤵
  PID:7356
- C:\Windows\System32\SswgSZS.exe
  C:\Windows\System32\SswgSZS.exe
  2⤵
  PID:7400
- C:\Windows\System32\TkGsAIV.exe
  C:\Windows\System32\TkGsAIV.exe
  2⤵
  PID:7488
- C:\Windows\System32\SdutrwD.exe
  C:\Windows\System32\SdutrwD.exe
  2⤵
  PID:7528
- C:\Windows\System32\NEMauRt.exe
  C:\Windows\System32\NEMauRt.exe
  2⤵
  PID:7560
- C:\Windows\System32\asKDaPk.exe
  C:\Windows\System32\asKDaPk.exe
  2⤵
  PID:7616
- C:\Windows\System32\ftvuRfK.exe
  C:\Windows\System32\ftvuRfK.exe
  2⤵
  PID:7732
- C:\Windows\System32\XcOhkCU.exe
  C:\Windows\System32\XcOhkCU.exe
  2⤵
  PID:7820
- C:\Windows\System32\SDdZeFo.exe
  C:\Windows\System32\SDdZeFo.exe
  2⤵
  PID:7844
- C:\Windows\System32\gzIGiSd.exe
  C:\Windows\System32\gzIGiSd.exe
  2⤵
  PID:7928
- C:\Windows\System32\pRAIgUz.exe
  C:\Windows\System32\pRAIgUz.exe
  2⤵
  PID:7992
- C:\Windows\System32\sWCxotE.exe
  C:\Windows\System32\sWCxotE.exe
  2⤵
  PID:7976
- C:\Windows\System32\UKdMDxK.exe
  C:\Windows\System32\UKdMDxK.exe
  2⤵
  PID:8080
- C:\Windows\System32\NoXiNBJ.exe
  C:\Windows\System32\NoXiNBJ.exe
  2⤵
  PID:8152
- C:\Windows\System32\mFxcMJf.exe
  C:\Windows\System32\mFxcMJf.exe
  2⤵
  PID:4340
- C:\Windows\System32\GJqLywe.exe
  C:\Windows\System32\GJqLywe.exe
  2⤵
  PID:7376
- C:\Windows\System32\eblLvCZ.exe
  C:\Windows\System32\eblLvCZ.exe
  2⤵
  PID:7548
- C:\Windows\System32\KPUcEzx.exe
  C:\Windows\System32\KPUcEzx.exe
  2⤵
  PID:7668
- C:\Windows\System32\RZjDyyr.exe
  C:\Windows\System32\RZjDyyr.exe
  2⤵
  PID:7864
- C:\Windows\System32\jWnKTLQ.exe
  C:\Windows\System32\jWnKTLQ.exe
  2⤵
  PID:7948
- C:\Windows\System32\yumAJRy.exe
  C:\Windows\System32\yumAJRy.exe
  2⤵
  PID:8056
- C:\Windows\System32\ufeyPDD.exe
  C:\Windows\System32\ufeyPDD.exe
  2⤵
  PID:796
- C:\Windows\System32\WCuRsNe.exe
  C:\Windows\System32\WCuRsNe.exe
  2⤵
  PID:7496
- C:\Windows\System32\sbOMjqz.exe
  C:\Windows\System32\sbOMjqz.exe
  2⤵
  PID:7796
- C:\Windows\System32\zyCTblX.exe
  C:\Windows\System32\zyCTblX.exe
  2⤵
  PID:8176
- C:\Windows\System32\IXVBYkW.exe
  C:\Windows\System32\IXVBYkW.exe
  2⤵
  PID:7620
- C:\Windows\System32\azpvHcC.exe
  C:\Windows\System32\azpvHcC.exe
  2⤵
  PID:8020
- C:\Windows\System32\SLbKnop.exe
  C:\Windows\System32\SLbKnop.exe
  2⤵
  PID:8208
- C:\Windows\System32\usDwDCI.exe
  C:\Windows\System32\usDwDCI.exe
  2⤵
  PID:8236
- C:\Windows\System32\SWGQeWM.exe
  C:\Windows\System32\SWGQeWM.exe
  2⤵
  PID:8268
- C:\Windows\System32\axWIfbY.exe
  C:\Windows\System32\axWIfbY.exe
  2⤵
  PID:8296
- C:\Windows\System32\hyemcQE.exe
  C:\Windows\System32\hyemcQE.exe
  2⤵
  PID:8324
- C:\Windows\System32\zyRtinF.exe
  C:\Windows\System32\zyRtinF.exe
  2⤵
  PID:8348
- C:\Windows\System32\czHrYzg.exe
  C:\Windows\System32\czHrYzg.exe
  2⤵
  PID:8380
- C:\Windows\System32\BFgEaVD.exe
  C:\Windows\System32\BFgEaVD.exe
  2⤵
  PID:8396
- C:\Windows\System32\FIrOXxx.exe
  C:\Windows\System32\FIrOXxx.exe
  2⤵
  PID:8420
- C:\Windows\System32\PqwNfPi.exe
  C:\Windows\System32\PqwNfPi.exe
  2⤵
  PID:8444
- C:\Windows\System32\BcpkwQa.exe
  C:\Windows\System32\BcpkwQa.exe
  2⤵
  PID:8468
- C:\Windows\System32\pDNzWCW.exe
  C:\Windows\System32\pDNzWCW.exe
  2⤵
  PID:8512
- C:\Windows\System32\yrwVHzj.exe
  C:\Windows\System32\yrwVHzj.exe
  2⤵
  PID:8536
- C:\Windows\System32\XiEGaKS.exe
  C:\Windows\System32\XiEGaKS.exe
  2⤵
  PID:8556
- C:\Windows\System32\hutEFAt.exe
  C:\Windows\System32\hutEFAt.exe
  2⤵
  PID:8592
- C:\Windows\System32\rfuGWCA.exe
  C:\Windows\System32\rfuGWCA.exe
  2⤵
  PID:8608
- C:\Windows\System32\ChydsbX.exe
  C:\Windows\System32\ChydsbX.exe
  2⤵
  PID:8640
- C:\Windows\System32\Wgdxuqg.exe
  C:\Windows\System32\Wgdxuqg.exe
  2⤵
  PID:8660
- C:\Windows\System32\GWUUEzS.exe
  C:\Windows\System32\GWUUEzS.exe
  2⤵
  PID:8680
- C:\Windows\System32\hFEZojn.exe
  C:\Windows\System32\hFEZojn.exe
  2⤵
  PID:8812
- C:\Windows\System32\rsIIrne.exe
  C:\Windows\System32\rsIIrne.exe
  2⤵
  PID:8832
- C:\Windows\System32\Aolohdz.exe
  C:\Windows\System32\Aolohdz.exe
  2⤵
  PID:8848
- C:\Windows\System32\OHtqnyz.exe
  C:\Windows\System32\OHtqnyz.exe
  2⤵
  PID:8864
- C:\Windows\System32\ntMJHcg.exe
  C:\Windows\System32\ntMJHcg.exe
  2⤵
  PID:8880
- C:\Windows\System32\QySrKvd.exe
  C:\Windows\System32\QySrKvd.exe
  2⤵
  PID:8896
- C:\Windows\System32\yxbrytV.exe
  C:\Windows\System32\yxbrytV.exe
  2⤵
  PID:8912
- C:\Windows\System32\cLEnHPo.exe
  C:\Windows\System32\cLEnHPo.exe
  2⤵
  PID:8928
- C:\Windows\System32\ftcaCDy.exe
  C:\Windows\System32\ftcaCDy.exe
  2⤵
  PID:8944
- C:\Windows\System32\XHXKZBl.exe
  C:\Windows\System32\XHXKZBl.exe
  2⤵
  PID:9008
- C:\Windows\System32\nAwZgOJ.exe
  C:\Windows\System32\nAwZgOJ.exe
  2⤵
  PID:9024
- C:\Windows\System32\ogBKjik.exe
  C:\Windows\System32\ogBKjik.exe
  2⤵
  PID:9040
- C:\Windows\System32\dyNWEvi.exe
  C:\Windows\System32\dyNWEvi.exe
  2⤵
  PID:9056
- C:\Windows\System32\JcQOeNF.exe
  C:\Windows\System32\JcQOeNF.exe
  2⤵
  PID:9072
- C:\Windows\System32\NjbGmyO.exe
  C:\Windows\System32\NjbGmyO.exe
  2⤵
  PID:9096
- C:\Windows\System32\EEbmdWs.exe
  C:\Windows\System32\EEbmdWs.exe
  2⤵
  PID:9168
- C:\Windows\System32\iKPBSMy.exe
  C:\Windows\System32\iKPBSMy.exe
  2⤵
  PID:8288
- C:\Windows\System32\oYIbhws.exe
  C:\Windows\System32\oYIbhws.exe
  2⤵
  PID:8484
- C:\Windows\System32\ZNJejFL.exe
  C:\Windows\System32\ZNJejFL.exe
  2⤵
  PID:8572
- C:\Windows\System32\aGiPLfr.exe
  C:\Windows\System32\aGiPLfr.exe
  2⤵
  PID:8600
- C:\Windows\System32\WTAgxWn.exe
  C:\Windows\System32\WTAgxWn.exe
  2⤵
  PID:8764
- C:\Windows\System32\BLiIzla.exe
  C:\Windows\System32\BLiIzla.exe
  2⤵
  PID:8728
- C:\Windows\System32\bWnCZvL.exe
  C:\Windows\System32\bWnCZvL.exe
  2⤵
  PID:8740
- C:\Windows\System32\CwkdWBY.exe
  C:\Windows\System32\CwkdWBY.exe
  2⤵
  PID:8668
- C:\Windows\System32\MCziheW.exe
  C:\Windows\System32\MCziheW.exe
  2⤵
  PID:8964
- C:\Windows\System32\XJxBuCe.exe
  C:\Windows\System32\XJxBuCe.exe
  2⤵
  PID:8968
- C:\Windows\System32\uIzaxYl.exe
  C:\Windows\System32\uIzaxYl.exe
  2⤵
  PID:8824
- C:\Windows\System32\OETwokJ.exe
  C:\Windows\System32\OETwokJ.exe
  2⤵
  PID:8904
- C:\Windows\System32\AOMsIOi.exe
  C:\Windows\System32\AOMsIOi.exe
  2⤵
  PID:8876
- C:\Windows\System32\fKuWbFn.exe
  C:\Windows\System32\fKuWbFn.exe
  2⤵
  PID:8984
- C:\Windows\System32\vxVepxf.exe
  C:\Windows\System32\vxVepxf.exe
  2⤵
  PID:9124
- C:\Windows\System32\UfkJSfK.exe
  C:\Windows\System32\UfkJSfK.exe
  2⤵
  PID:9208
- C:\Windows\System32\NRekJJR.exe
  C:\Windows\System32\NRekJJR.exe
  2⤵
  PID:8388
- C:\Windows\System32\wLMOclU.exe
  C:\Windows\System32\wLMOclU.exe
  2⤵
  PID:8496
- C:\Windows\System32\TxvlRTy.exe
  C:\Windows\System32\TxvlRTy.exe
  2⤵
  PID:8756
- C:\Windows\System32\kEuCsdw.exe
  C:\Windows\System32\kEuCsdw.exe
  2⤵
  PID:8872
- C:\Windows\System32\eUdXyrZ.exe
  C:\Windows\System32\eUdXyrZ.exe
  2⤵
  PID:8648
- C:\Windows\System32\wuablYX.exe
  C:\Windows\System32\wuablYX.exe
  2⤵
  PID:8760
- C:\Windows\System32\aYxgsOF.exe
  C:\Windows\System32\aYxgsOF.exe
  2⤵
  PID:8992
- C:\Windows\System32\XeDLULH.exe
  C:\Windows\System32\XeDLULH.exe
  2⤵
  PID:9048
- C:\Windows\System32\UDUWezR.exe
  C:\Windows\System32\UDUWezR.exe
  2⤵
  PID:9196
- C:\Windows\System32\TOxmgRe.exe
  C:\Windows\System32\TOxmgRe.exe
  2⤵
  PID:8408
- C:\Windows\System32\vPJLPKS.exe
  C:\Windows\System32\vPJLPKS.exe
  2⤵
  PID:2400
- C:\Windows\System32\NKMxIXx.exe
  C:\Windows\System32\NKMxIXx.exe
  2⤵
  PID:8708
- C:\Windows\System32\vMbfuzh.exe
  C:\Windows\System32\vMbfuzh.exe
  2⤵
  PID:9064
- C:\Windows\System32\wRvSeJs.exe
  C:\Windows\System32\wRvSeJs.exe
  2⤵
  PID:3724
- C:\Windows\System32\FgsPNWy.exe
  C:\Windows\System32\FgsPNWy.exe
  2⤵
  PID:9228
- C:\Windows\System32\KbKiMFn.exe
  C:\Windows\System32\KbKiMFn.exe
  2⤵
  PID:9252
- C:\Windows\System32\aZgkdtM.exe
  C:\Windows\System32\aZgkdtM.exe
  2⤵
  PID:9272
- C:\Windows\System32\UxmDPGw.exe
  C:\Windows\System32\UxmDPGw.exe
  2⤵
  PID:9300
- C:\Windows\System32\BtZYqMV.exe
  C:\Windows\System32\BtZYqMV.exe
  2⤵
  PID:9340
- C:\Windows\System32\QQzayZB.exe
  C:\Windows\System32\QQzayZB.exe
  2⤵
  PID:9372
- C:\Windows\System32\CnNiAzQ.exe
  C:\Windows\System32\CnNiAzQ.exe
  2⤵
  PID:9400
- C:\Windows\System32\BXQXalK.exe
  C:\Windows\System32\BXQXalK.exe
  2⤵
  PID:9428
- C:\Windows\System32\IOdDWwU.exe
  C:\Windows\System32\IOdDWwU.exe
  2⤵
  PID:9444
- C:\Windows\System32\WtfPifz.exe
  C:\Windows\System32\WtfPifz.exe
  2⤵
  PID:9464
- C:\Windows\System32\aDUPrBG.exe
  C:\Windows\System32\aDUPrBG.exe
  2⤵
  PID:9504
- C:\Windows\System32\nUGpPsO.exe
  C:\Windows\System32\nUGpPsO.exe
  2⤵
  PID:9544
- C:\Windows\System32\wonRwnV.exe
  C:\Windows\System32\wonRwnV.exe
  2⤵
  PID:9576
- C:\Windows\System32\WMJEuRR.exe
  C:\Windows\System32\WMJEuRR.exe
  2⤵
  PID:9592
- C:\Windows\System32\ghZeRZk.exe
  C:\Windows\System32\ghZeRZk.exe
  2⤵
  PID:9648
- C:\Windows\System32\VYhVgfK.exe
  C:\Windows\System32\VYhVgfK.exe
  2⤵
  PID:9668
- C:\Windows\System32\uTVYjrS.exe
  C:\Windows\System32\uTVYjrS.exe
  2⤵
  PID:9696
- C:\Windows\System32\hLEatcy.exe
  C:\Windows\System32\hLEatcy.exe
  2⤵
  PID:9720
- C:\Windows\System32\fSeTYhC.exe
  C:\Windows\System32\fSeTYhC.exe
  2⤵
  PID:9748
- C:\Windows\System32\JTwhhLX.exe
  C:\Windows\System32\JTwhhLX.exe
  2⤵
  PID:9768
- C:\Windows\System32\dquCVTP.exe
  C:\Windows\System32\dquCVTP.exe
  2⤵
  PID:9792
- C:\Windows\System32\liWPxpV.exe
  C:\Windows\System32\liWPxpV.exe
  2⤵
  PID:9836
- C:\Windows\System32\nXhcAEF.exe
  C:\Windows\System32\nXhcAEF.exe
  2⤵
  PID:9864
- C:\Windows\System32\qrvesuG.exe
  C:\Windows\System32\qrvesuG.exe
  2⤵
  PID:9888
- C:\Windows\System32\SdnlxBv.exe
  C:\Windows\System32\SdnlxBv.exe
  2⤵
  PID:9908
- C:\Windows\System32\niROXLl.exe
  C:\Windows\System32\niROXLl.exe
  2⤵
  PID:9936
- C:\Windows\System32\NNFLqll.exe
  C:\Windows\System32\NNFLqll.exe
  2⤵
  PID:9956
- C:\Windows\System32\IaqElSW.exe
  C:\Windows\System32\IaqElSW.exe
  2⤵
  PID:9980
- C:\Windows\System32\cqNXfhi.exe
  C:\Windows\System32\cqNXfhi.exe
  2⤵
  PID:9996
- C:\Windows\System32\XkNdjqg.exe
  C:\Windows\System32\XkNdjqg.exe
  2⤵
  PID:10012
- C:\Windows\System32\nfLatca.exe
  C:\Windows\System32\nfLatca.exe
  2⤵
  PID:10048
- C:\Windows\System32\XJzKqio.exe
  C:\Windows\System32\XJzKqio.exe
  2⤵
  PID:10100
- C:\Windows\System32\tHwWbzF.exe
  C:\Windows\System32\tHwWbzF.exe
  2⤵
  PID:10120
- C:\Windows\System32\brNiErO.exe
  C:\Windows\System32\brNiErO.exe
  2⤵
  PID:10160
- C:\Windows\System32\dXOmPkn.exe
  C:\Windows\System32\dXOmPkn.exe
  2⤵
  PID:10188
- C:\Windows\System32\eVWiUqD.exe
  C:\Windows\System32\eVWiUqD.exe
  2⤵
  PID:10228
- C:\Windows\System32\LzEMYan.exe
  C:\Windows\System32\LzEMYan.exe
  2⤵
  PID:8248
- C:\Windows\System32\ihGxyNY.exe
  C:\Windows\System32\ihGxyNY.exe
  2⤵
  PID:9264
- C:\Windows\System32\LPqNnbG.exe
  C:\Windows\System32\LPqNnbG.exe
  2⤵
  PID:9316
- C:\Windows\System32\vQwHuTs.exe
  C:\Windows\System32\vQwHuTs.exe
  2⤵
  PID:9416
- C:\Windows\System32\TthSVDU.exe
  C:\Windows\System32\TthSVDU.exe
  2⤵
  PID:9456
- C:\Windows\System32\FZVhOVj.exe
  C:\Windows\System32\FZVhOVj.exe
  2⤵
  PID:9524
- C:\Windows\System32\CFMCsVa.exe
  C:\Windows\System32\CFMCsVa.exe
  2⤵
  PID:9608
- C:\Windows\System32\JvjisoS.exe
  C:\Windows\System32\JvjisoS.exe
  2⤵
  PID:9004
- C:\Windows\System32\yrvKuqK.exe
  C:\Windows\System32\yrvKuqK.exe
  2⤵
  PID:9756
- C:\Windows\System32\RzQaMHn.exe
  C:\Windows\System32\RzQaMHn.exe
  2⤵
  PID:9816
- C:\Windows\System32\WZHhdHP.exe
  C:\Windows\System32\WZHhdHP.exe
  2⤵
  PID:9860
- C:\Windows\System32\azzSstF.exe
  C:\Windows\System32\azzSstF.exe
  2⤵
  PID:9948
- C:\Windows\System32\AolmQXp.exe
  C:\Windows\System32\AolmQXp.exe
  2⤵
  PID:9964
- C:\Windows\System32\GWSavjd.exe
  C:\Windows\System32\GWSavjd.exe
  2⤵
  PID:10076
- C:\Windows\System32\qopTZZO.exe
  C:\Windows\System32\qopTZZO.exe
  2⤵
  PID:10176
- C:\Windows\System32\tFlOnZb.exe
  C:\Windows\System32\tFlOnZb.exe
  2⤵
  PID:10172
- C:\Windows\System32\omGnZpn.exe
  C:\Windows\System32\omGnZpn.exe
  2⤵
  PID:10212
- C:\Windows\System32\IiGPwsu.exe
  C:\Windows\System32\IiGPwsu.exe
  2⤵
  PID:9488
- C:\Windows\System32\SMDFMDV.exe
  C:\Windows\System32\SMDFMDV.exe
  2⤵
  PID:9588
- C:\Windows\System32\svIoqxF.exe
  C:\Windows\System32\svIoqxF.exe
  2⤵
  PID:9736
- C:\Windows\System32\hTLQqwO.exe
  C:\Windows\System32\hTLQqwO.exe
  2⤵
  PID:9900
- C:\Windows\System32\slkefgh.exe
  C:\Windows\System32\slkefgh.exe
  2⤵
  PID:10068
- C:\Windows\System32\nXEvyKb.exe
  C:\Windows\System32\nXEvyKb.exe
  2⤵
  PID:10112
- C:\Windows\System32\xctJKfw.exe
  C:\Windows\System32\xctJKfw.exe
  2⤵
  PID:9520
- C:\Windows\System32\XtzfVLJ.exe
  C:\Windows\System32\XtzfVLJ.exe
  2⤵
  PID:1684
- C:\Windows\System32\yaodIxb.exe
  C:\Windows\System32\yaodIxb.exe
  2⤵
  PID:9968
- C:\Windows\System32\PdNwJRB.exe
  C:\Windows\System32\PdNwJRB.exe
  2⤵
  PID:9660
- C:\Windows\System32\DxlRTSf.exe
  C:\Windows\System32\DxlRTSf.exe
  2⤵
  PID:10144
- C:\Windows\System32\KgVgJMu.exe
  C:\Windows\System32\KgVgJMu.exe
  2⤵
  PID:10252
- C:\Windows\System32\lcBEnFj.exe
  C:\Windows\System32\lcBEnFj.exe
  2⤵
  PID:10272
- C:\Windows\System32\yfVbRvP.exe
  C:\Windows\System32\yfVbRvP.exe
  2⤵
  PID:10312
- C:\Windows\System32\xhJRbDR.exe
  C:\Windows\System32\xhJRbDR.exe
  2⤵
  PID:10340
- C:\Windows\System32\nDHaEAR.exe
  C:\Windows\System32\nDHaEAR.exe
  2⤵
  PID:10368
- C:\Windows\System32\cDhQzfW.exe
  C:\Windows\System32\cDhQzfW.exe
  2⤵
  PID:10400
- C:\Windows\System32\zVhifXy.exe
  C:\Windows\System32\zVhifXy.exe
  2⤵
  PID:10420
- C:\Windows\System32\isPEfIy.exe
  C:\Windows\System32\isPEfIy.exe
  2⤵
  PID:10440
- C:\Windows\System32\YStKeQz.exe
  C:\Windows\System32\YStKeQz.exe
  2⤵
  PID:10460
- C:\Windows\System32\mtsrVcz.exe
  C:\Windows\System32\mtsrVcz.exe
  2⤵
  PID:10484
- C:\Windows\System32\ccsXjZB.exe
  C:\Windows\System32\ccsXjZB.exe
  2⤵
  PID:10532
- C:\Windows\System32\SuwULLK.exe
  C:\Windows\System32\SuwULLK.exe
  2⤵
  PID:10552
- C:\Windows\System32\bRruxjA.exe
  C:\Windows\System32\bRruxjA.exe
  2⤵
  PID:10580
- C:\Windows\System32\UZDUOZq.exe
  C:\Windows\System32\UZDUOZq.exe
  2⤵
  PID:10620
- C:\Windows\System32\bosdJDO.exe
  C:\Windows\System32\bosdJDO.exe
  2⤵
  PID:10648
- C:\Windows\System32\dQpNzzT.exe
  C:\Windows\System32\dQpNzzT.exe
  2⤵
  PID:10664
- C:\Windows\System32\dWxQECt.exe
  C:\Windows\System32\dWxQECt.exe
  2⤵
  PID:10684
- C:\Windows\System32\iIDtXUP.exe
  C:\Windows\System32\iIDtXUP.exe
  2⤵
  PID:10712
- C:\Windows\System32\qSaAzUt.exe
  C:\Windows\System32\qSaAzUt.exe
  2⤵
  PID:10760
- C:\Windows\System32\dvQgtGl.exe
  C:\Windows\System32\dvQgtGl.exe
  2⤵
  PID:10800
- C:\Windows\System32\qKAPXNs.exe
  C:\Windows\System32\qKAPXNs.exe
  2⤵
  PID:10816
- C:\Windows\System32\tXpwNku.exe
  C:\Windows\System32\tXpwNku.exe
  2⤵
  PID:10840
- C:\Windows\System32\TEUgybz.exe
  C:\Windows\System32\TEUgybz.exe
  2⤵
  PID:10860
- C:\Windows\System32\GyZssuy.exe
  C:\Windows\System32\GyZssuy.exe
  2⤵
  PID:10888
- C:\Windows\System32\kOjRMju.exe
  C:\Windows\System32\kOjRMju.exe
  2⤵
  PID:10928
- C:\Windows\System32\VaFpwOT.exe
  C:\Windows\System32\VaFpwOT.exe
  2⤵
  PID:10948
- C:\Windows\System32\cbQnTQP.exe
  C:\Windows\System32\cbQnTQP.exe
  2⤵
  PID:10964
- C:\Windows\System32\nclLtNM.exe
  C:\Windows\System32\nclLtNM.exe
  2⤵
  PID:10988
- C:\Windows\System32\XmngYAH.exe
  C:\Windows\System32\XmngYAH.exe
  2⤵
  PID:11016
- C:\Windows\System32\bhCOOnV.exe
  C:\Windows\System32\bhCOOnV.exe
  2⤵
  PID:11044
- C:\Windows\System32\vUpzSnH.exe
  C:\Windows\System32\vUpzSnH.exe
  2⤵
  PID:11084
- C:\Windows\System32\uwAFYsP.exe
  C:\Windows\System32\uwAFYsP.exe
  2⤵
  PID:11128
- C:\Windows\System32\jcxEIOl.exe
  C:\Windows\System32\jcxEIOl.exe
  2⤵
  PID:11144
- C:\Windows\System32\hOaIfry.exe
  C:\Windows\System32\hOaIfry.exe
  2⤵
  PID:11172
- C:\Windows\System32\TVPHHMg.exe
  C:\Windows\System32\TVPHHMg.exe
  2⤵
  PID:11192
- C:\Windows\System32\fnPHVFb.exe
  C:\Windows\System32\fnPHVFb.exe
  2⤵
  PID:11216
- C:\Windows\System32\ZMBCvzK.exe
  C:\Windows\System32\ZMBCvzK.exe
  2⤵
  PID:11236
- C:\Windows\System32\DLXHsfh.exe
  C:\Windows\System32\DLXHsfh.exe
  2⤵
  PID:10292
- C:\Windows\System32\LLsjGiv.exe
  C:\Windows\System32\LLsjGiv.exe
  2⤵
  PID:10360
- C:\Windows\System32\veMlXgW.exe
  C:\Windows\System32\veMlXgW.exe
  2⤵
  PID:10428
- C:\Windows\System32\CTvMdyd.exe
  C:\Windows\System32\CTvMdyd.exe
  2⤵
  PID:10472
- C:\Windows\System32\mRbBDTj.exe
  C:\Windows\System32\mRbBDTj.exe
  2⤵
  PID:10576
- C:\Windows\System32\YCnVloh.exe
  C:\Windows\System32\YCnVloh.exe
  2⤵
  PID:10616
- C:\Windows\System32\WkpNegH.exe
  C:\Windows\System32\WkpNegH.exe
  2⤵
  PID:10660
- C:\Windows\System32\rFYtzBX.exe
  C:\Windows\System32\rFYtzBX.exe
  2⤵
  PID:10752
- C:\Windows\System32\BtbAUBu.exe
  C:\Windows\System32\BtbAUBu.exe
  2⤵
  PID:10828
- C:\Windows\System32\iDeAHxZ.exe
  C:\Windows\System32\iDeAHxZ.exe
  2⤵
  PID:10872
- C:\Windows\System32\ynuuwRO.exe
  C:\Windows\System32\ynuuwRO.exe
  2⤵
  PID:10908
- C:\Windows\System32\xchCAYp.exe
  C:\Windows\System32\xchCAYp.exe
  2⤵
  PID:11004
- C:\Windows\System32\HRfvZFx.exe
  C:\Windows\System32\HRfvZFx.exe
  2⤵
  PID:10976
- C:\Windows\System32\fAxpDhH.exe
  C:\Windows\System32\fAxpDhH.exe
  2⤵
  PID:11060
- C:\Windows\System32\xGfjqbY.exe
  C:\Windows\System32\xGfjqbY.exe
  2⤵
  PID:11124
- C:\Windows\System32\dRbohfb.exe
  C:\Windows\System32\dRbohfb.exe
  2⤵
  PID:11208
- C:\Windows\System32\oGgDCbn.exe
  C:\Windows\System32\oGgDCbn.exe
  2⤵
  PID:10288
- C:\Windows\System32\twlLuAW.exe
  C:\Windows\System32\twlLuAW.exe
  2⤵
  PID:10380
- C:\Windows\System32\qvXQWDj.exe
  C:\Windows\System32\qvXQWDj.exe
  2⤵
  PID:10632
- C:\Windows\System32\vxVSeOU.exe
  C:\Windows\System32\vxVSeOU.exe
  2⤵
  PID:10808
- C:\Windows\System32\rwQSqcY.exe
  C:\Windows\System32\rwQSqcY.exe
  2⤵
  PID:9776
- C:\Windows\System32\SMdCFQh.exe
  C:\Windows\System32\SMdCFQh.exe
  2⤵
  PID:11000
- C:\Windows\System32\iKnxNvn.exe
  C:\Windows\System32\iKnxNvn.exe
  2⤵
  PID:11108
- C:\Windows\System32\QaWeOgL.exe
  C:\Windows\System32\QaWeOgL.exe
  2⤵
  PID:11244
- C:\Windows\System32\wVSoiIl.exe
  C:\Windows\System32\wVSoiIl.exe
  2⤵
  PID:10336
- C:\Windows\System32\RCbyFlD.exe
  C:\Windows\System32\RCbyFlD.exe
  2⤵
  PID:10852
- C:\Windows\System32\aXoYjHB.exe
  C:\Windows\System32\aXoYjHB.exe
  2⤵
  PID:11032
- C:\Windows\System32\JtSCQAn.exe
  C:\Windows\System32\JtSCQAn.exe
  2⤵
  PID:11292
- C:\Windows\System32\ytwAeIm.exe
  C:\Windows\System32\ytwAeIm.exe
  2⤵
  PID:11320
- C:\Windows\System32\MDGVgNC.exe
  C:\Windows\System32\MDGVgNC.exe
  2⤵
  PID:11348
- C:\Windows\System32\CBcoctx.exe
  C:\Windows\System32\CBcoctx.exe
  2⤵
  PID:11380
- C:\Windows\System32\dSuAJlc.exe
  C:\Windows\System32\dSuAJlc.exe
  2⤵
  PID:11396
- C:\Windows\System32\FvdVmpm.exe
  C:\Windows\System32\FvdVmpm.exe
  2⤵
  PID:11420
- C:\Windows\System32\WngjSpC.exe
  C:\Windows\System32\WngjSpC.exe
  2⤵
  PID:11456
- C:\Windows\System32\cwjjYMC.exe
  C:\Windows\System32\cwjjYMC.exe
  2⤵
  PID:11476
- C:\Windows\System32\ynFGrBk.exe
  C:\Windows\System32\ynFGrBk.exe
  2⤵
  PID:11500
- C:\Windows\System32\JBlMcgn.exe
  C:\Windows\System32\JBlMcgn.exe
  2⤵
  PID:11524
- C:\Windows\System32\OwlBWkY.exe
  C:\Windows\System32\OwlBWkY.exe
  2⤵
  PID:11584
- C:\Windows\System32\pnyrUsZ.exe
  C:\Windows\System32\pnyrUsZ.exe
  2⤵
  PID:11604
- C:\Windows\System32\eXKjIYT.exe
  C:\Windows\System32\eXKjIYT.exe
  2⤵
  PID:11624
- C:\Windows\System32\WDGWhWO.exe
  C:\Windows\System32\WDGWhWO.exe
  2⤵
  PID:11648
- C:\Windows\System32\VmnQNyt.exe
  C:\Windows\System32\VmnQNyt.exe
  2⤵
  PID:11668
- C:\Windows\System32\SrzowYN.exe
  C:\Windows\System32\SrzowYN.exe
  2⤵
  PID:11700
- C:\Windows\System32\HNARuAV.exe
  C:\Windows\System32\HNARuAV.exe
  2⤵
  PID:11724
- C:\Windows\System32\VlqlZpe.exe
  C:\Windows\System32\VlqlZpe.exe
  2⤵
  PID:11776
- C:\Windows\System32\tnfgdOE.exe
  C:\Windows\System32\tnfgdOE.exe
  2⤵
  PID:11812
- C:\Windows\System32\AXvHoTp.exe
  C:\Windows\System32\AXvHoTp.exe
  2⤵
  PID:11844
- C:\Windows\System32\Qocgzik.exe
  C:\Windows\System32\Qocgzik.exe
  2⤵
  PID:11872
- C:\Windows\System32\BrVgYjw.exe
  C:\Windows\System32\BrVgYjw.exe
  2⤵
  PID:11900
- C:\Windows\System32\oywdUjM.exe
  C:\Windows\System32\oywdUjM.exe
  2⤵
  PID:11928
- C:\Windows\System32\SrxinNa.exe
  C:\Windows\System32\SrxinNa.exe
  2⤵
  PID:11944
- C:\Windows\System32\NGbhobs.exe
  C:\Windows\System32\NGbhobs.exe
  2⤵
  PID:11980
- C:\Windows\System32\dNNZBDA.exe
  C:\Windows\System32\dNNZBDA.exe
  2⤵
  PID:12008
- C:\Windows\System32\oogiUaN.exe
  C:\Windows\System32\oogiUaN.exe
  2⤵
  PID:12036
- C:\Windows\System32\xfckyeo.exe
  C:\Windows\System32\xfckyeo.exe
  2⤵
  PID:12064
- C:\Windows\System32\ObHNVfb.exe
  C:\Windows\System32\ObHNVfb.exe
  2⤵
  PID:12096
- C:\Windows\System32\npFyfgJ.exe
  C:\Windows\System32\npFyfgJ.exe
  2⤵
  PID:12120
- C:\Windows\System32\HWPWIMF.exe
  C:\Windows\System32\HWPWIMF.exe
  2⤵
  PID:12152
- C:\Windows\System32\CSaqRBC.exe
  C:\Windows\System32\CSaqRBC.exe
  2⤵
  PID:12176
- C:\Windows\System32\YYRiuvE.exe
  C:\Windows\System32\YYRiuvE.exe
  2⤵
  PID:12196
- C:\Windows\System32\KZrimVf.exe
  C:\Windows\System32\KZrimVf.exe
  2⤵
  PID:12236
- C:\Windows\System32\zqGOZYF.exe
  C:\Windows\System32\zqGOZYF.exe
  2⤵
  PID:12264
- C:\Windows\System32\adUFKSa.exe
  C:\Windows\System32\adUFKSa.exe
  2⤵
  PID:10940
- C:\Windows\System32\oCDnVfx.exe
  C:\Windows\System32\oCDnVfx.exe
  2⤵
  PID:11284
- C:\Windows\System32\ovdnxVh.exe
  C:\Windows\System32\ovdnxVh.exe
  2⤵
  PID:11344
- C:\Windows\System32\BjpPyfW.exe
  C:\Windows\System32\BjpPyfW.exe
  2⤵
  PID:11392
- C:\Windows\System32\LqleyeY.exe
  C:\Windows\System32\LqleyeY.exe
  2⤵
  PID:11512
- C:\Windows\System32\ACBTSWt.exe
  C:\Windows\System32\ACBTSWt.exe
  2⤵
  PID:11508
- C:\Windows\System32\SmYHMnI.exe
  C:\Windows\System32\SmYHMnI.exe
  2⤵
  PID:11600
- C:\Windows\System32\zMvXVwU.exe
  C:\Windows\System32\zMvXVwU.exe
  2⤵
  PID:11640
- C:\Windows\System32\WKjhCni.exe
  C:\Windows\System32\WKjhCni.exe
  2⤵
  PID:11720
- C:\Windows\System32\cMPDdNr.exe
  C:\Windows\System32\cMPDdNr.exe
  2⤵
  PID:11788
- C:\Windows\System32\dYrkCcT.exe
  C:\Windows\System32\dYrkCcT.exe
  2⤵
  PID:11840
- C:\Windows\System32\ZpYkBSN.exe
  C:\Windows\System32\ZpYkBSN.exe
  2⤵
  PID:11884
- C:\Windows\System32\PNHhHCY.exe
  C:\Windows\System32\PNHhHCY.exe
  2⤵
  PID:11940
- C:\Windows\System32\zXIcIbG.exe
  C:\Windows\System32\zXIcIbG.exe
  2⤵
  PID:12056
- C:\Windows\System32\uRrucaG.exe
  C:\Windows\System32\uRrucaG.exe
  2⤵
  PID:12112
- C:\Windows\System32\xrDzMCE.exe
  C:\Windows\System32\xrDzMCE.exe
  2⤵
  PID:12164
- C:\Windows\System32\HkrZHLb.exe
  C:\Windows\System32\HkrZHLb.exe
  2⤵
  PID:12228
- C:\Windows\System32\nGuIiMn.exe
  C:\Windows\System32\nGuIiMn.exe
  2⤵
  PID:11280
- C:\Windows\System32\hNPCquM.exe
  C:\Windows\System32\hNPCquM.exe
  2⤵
  PID:11412
- C:\Windows\System32\aAWLlsx.exe
  C:\Windows\System32\aAWLlsx.exe
  2⤵
  PID:11496
- C:\Windows\System32\ItXukYl.exe
  C:\Windows\System32\ItXukYl.exe
  2⤵
  PID:11620
- C:\Windows\System32\vkyeCtg.exe
  C:\Windows\System32\vkyeCtg.exe
  2⤵
  PID:11988
- C:\Windows\System32\QEoXlep.exe
  C:\Windows\System32\QEoXlep.exe
  2⤵
  PID:12076
- C:\Windows\System32\yTwFXzP.exe
  C:\Windows\System32\yTwFXzP.exe
  2⤵
  PID:12220
- C:\Windows\System32\NlyOxZL.exe
  C:\Windows\System32\NlyOxZL.exe
  2⤵
  PID:11228
- C:\Windows\System32\aFecNdK.exe
  C:\Windows\System32\aFecNdK.exe
  2⤵
  PID:11744
- C:\Windows\System32\nKSCWzn.exe
  C:\Windows\System32\nKSCWzn.exe
  2⤵
  PID:12248
- C:\Windows\System32\KTVhdDq.exe
  C:\Windows\System32\KTVhdDq.exe
  2⤵
  PID:4864
- C:\Windows\System32\WEVhFdg.exe
  C:\Windows\System32\WEVhFdg.exe
  2⤵
  PID:4964
- C:\Windows\System32\INWJtaO.exe
  C:\Windows\System32\INWJtaO.exe
  2⤵
  PID:12144
- C:\Windows\System32\hGDFiBe.exe
  C:\Windows\System32\hGDFiBe.exe
  2⤵
  PID:3016
- C:\Windows\System32\NZGCqAJ.exe
  C:\Windows\System32\NZGCqAJ.exe
  2⤵
  PID:12316
- C:\Windows\System32\RdHZpBe.exe
  C:\Windows\System32\RdHZpBe.exe
  2⤵
  PID:12344
- C:\Windows\System32\dwHZpeb.exe
  C:\Windows\System32\dwHZpeb.exe
  2⤵
  PID:12380
- C:\Windows\System32\PSPRQbq.exe
  C:\Windows\System32\PSPRQbq.exe
  2⤵
  PID:12404
- C:\Windows\System32\QtXcGxn.exe
  C:\Windows\System32\QtXcGxn.exe
  2⤵
  PID:12420
- C:\Windows\System32\eZdVyHZ.exe
  C:\Windows\System32\eZdVyHZ.exe
  2⤵
  PID:12444
- C:\Windows\System32\TMIPQlW.exe
  C:\Windows\System32\TMIPQlW.exe
  2⤵
  PID:12492
- C:\Windows\System32\maiCwZy.exe
  C:\Windows\System32\maiCwZy.exe
  2⤵
  PID:12512
- C:\Windows\System32\hCVWvYT.exe
  C:\Windows\System32\hCVWvYT.exe
  2⤵
  PID:12540
- C:\Windows\System32\KNbreQh.exe
  C:\Windows\System32\KNbreQh.exe
  2⤵
  PID:12584
- C:\Windows\System32\JEhDmqh.exe
  C:\Windows\System32\JEhDmqh.exe
  2⤵
  PID:12608
- C:\Windows\System32\oovouLC.exe
  C:\Windows\System32\oovouLC.exe
  2⤵
  PID:12628
- C:\Windows\System32\VgmgBUC.exe
  C:\Windows\System32\VgmgBUC.exe
  2⤵
  PID:12660
- C:\Windows\System32\bECHMES.exe
  C:\Windows\System32\bECHMES.exe
  2⤵
  PID:12696
- C:\Windows\System32\LJfjhoQ.exe
  C:\Windows\System32\LJfjhoQ.exe
  2⤵
  PID:12720
- C:\Windows\System32\EvAuwIm.exe
  C:\Windows\System32\EvAuwIm.exe
  2⤵
  PID:12740
- C:\Windows\System32\NPObVMH.exe
  C:\Windows\System32\NPObVMH.exe
  2⤵
  PID:12760
- C:\Windows\System32\yvxYJqO.exe
  C:\Windows\System32\yvxYJqO.exe
  2⤵
  PID:12788
- C:\Windows\System32\PklPOUk.exe
  C:\Windows\System32\PklPOUk.exe
  2⤵
  PID:12824
- C:\Windows\System32\uwTrKmN.exe
  C:\Windows\System32\uwTrKmN.exe
  2⤵
  PID:12848
- C:\Windows\System32\lRrbzSa.exe
  C:\Windows\System32\lRrbzSa.exe
  2⤵
  PID:12880
- C:\Windows\System32\OueKhlN.exe
  C:\Windows\System32\OueKhlN.exe
  2⤵
  PID:12920
- C:\Windows\System32\tPanEyS.exe
  C:\Windows\System32\tPanEyS.exe
  2⤵
  PID:12956
- C:\Windows\System32\oVZXruW.exe
  C:\Windows\System32\oVZXruW.exe
  2⤵
  PID:12976
- C:\Windows\System32\gnVUHVf.exe
  C:\Windows\System32\gnVUHVf.exe
  2⤵
  PID:12992
- C:\Windows\System32\KeKBgxl.exe
  C:\Windows\System32\KeKBgxl.exe
  2⤵
  PID:13020
- C:\Windows\System32\Wgsoryr.exe
  C:\Windows\System32\Wgsoryr.exe
  2⤵
  PID:13048
- C:\Windows\System32\gfBabVZ.exe
  C:\Windows\System32\gfBabVZ.exe
  2⤵
  PID:13072
- C:\Windows\System32\ZrUNjPC.exe
  C:\Windows\System32\ZrUNjPC.exe
  2⤵
  PID:13096
- C:\Windows\System32\yJqjJqc.exe
  C:\Windows\System32\yJqjJqc.exe
  2⤵
  PID:13124
- C:\Windows\System32\YoNqdSX.exe
  C:\Windows\System32\YoNqdSX.exe
  2⤵
  PID:13156
- C:\Windows\System32\xgHFCFm.exe
  C:\Windows\System32\xgHFCFm.exe
  2⤵
  PID:13176
- C:\Windows\System32\nKGRKQl.exe
  C:\Windows\System32\nKGRKQl.exe
  2⤵
  PID:13208
- C:\Windows\System32\ArtcXKd.exe
  C:\Windows\System32\ArtcXKd.exe
  2⤵
  PID:13240
- C:\Windows\System32\ETTkiYs.exe
  C:\Windows\System32\ETTkiYs.exe
  2⤵
  PID:13272
- C:\Windows\System32\WxaPRHJ.exe
  C:\Windows\System32\WxaPRHJ.exe
  2⤵
  PID:12108
- C:\Windows\System32\KjeHCea.exe
  C:\Windows\System32\KjeHCea.exe
  2⤵
  PID:12312

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AubUTJt.exe

Filesize
1.9MB

MD5
72b024c96cacee886264ea1ccdcb7880

SHA1
b543d439d083c01d196292556e2a9d155b90106b

SHA256
78a9fab53912e6d01b6fc8a173e8d06607a0d9ebc0a246eb99e86de968872af4

SHA512
7375c37d8be746c0f2f83ad6a4b64b8530a3b8e9d665a840b208c9719ae66c3a9470a079401f4539c09eca6ddb73f6598fb2f4d36758b7d8dfb095f31f8163f6

Download Submit
C:\Windows\System32\BLDWwkS.exe

Filesize
1.9MB

MD5
1f62cf925980ea329802b164240c982e

SHA1
8d93635ec78f7e97f8356be9b18e133062761227

SHA256
2524d0e1e2f87c59607fc8af4ec1ed04dd0eac82ec57bcd419330124bea0fb5f

SHA512
ddbd59b69351643c324fe2f77eb1da538e62cdeac500bac8248899a416bfcce65a59f5a12843a25598d728883097a56d8157487e85ca778b4c6ac5d7876ec227

Download Submit
C:\Windows\System32\GMMzLzu.exe

Filesize
1.9MB

MD5
6127d64cf5edcb547e4b40c56b573bb2

SHA1
817d0d613bfc44b36b431c8f9e7182cba088a32f

SHA256
cbc38b7cf461ad3f5cb0360fb839af346ee88054622b4fdeda16220fcd2e9b0a

SHA512
3b039afee14c32e94a5acc443ba02e22e0dd7911dd6126a61d254103fc8cc35000697b2a029fefef859ff7f498fa57089b337d9b6208c0ad5f91a19be7bb3b21

Download Submit
C:\Windows\System32\HrjOjlE.exe

Filesize
1.9MB

MD5
16f138478cda35856384ec81328c26d5

SHA1
cf2b719e8747cf31ae7b845c9286182fb8f98204

SHA256
a41be0382f4604380ff4eabeb19f4248f76a2c9b179703e72ba65deacd0c2049

SHA512
4eafd9957fb82e56d80e4982930e20fc85852f0661dfd0187b9995f2aafbebe2eb424fb161acc353acdbda39ff866f39db959da41007424af8114ed3aedfaf20

Download Submit
C:\Windows\System32\LMXIjXP.exe

Filesize
1.9MB

MD5
fa37c2b04d005537dd729107f0eb4847

SHA1
1d85129f1d1998fed20fccef862b93c5906ccd2c

SHA256
283f9bc655c7d07d47512f54dbb5a1e43fd1f3ba543122bf514a7074d2458922

SHA512
bac0eff473ac4cc719450f6eabe39a5a852bb372e8cccc3f60958cc1d9038ecbc06bc1b135457964383d26bf069bd7ad638b948ca13bfd2702177a4a0a97366e

Download Submit
C:\Windows\System32\LRxKbBm.exe

Filesize
1.9MB

MD5
77fdbc2a4661aaa0ebdb760c0c4b4aca

SHA1
f6aff653d9455816ee6c894b6624421d19a32575

SHA256
d9e4efacd5e9859f0a7f1f627edb50e97983c24d4414f25c882b9200f1b7d3fd

SHA512
c27bc59907855fd5207300f9f5ba676182815dea06e51419b32e9501ad839b8730150f9e85304bd9b5c4d9644fa05dd77bb9ab3f4773dbc6b2b9fa8fd7a26d5b

Download Submit
C:\Windows\System32\LqUArbD.exe

Filesize
1.9MB

MD5
f37ee70e0d54ade72e4722bdf84c927a

SHA1
daa26cb5a169ff64c5766b91c45b43ee8d79161f

SHA256
d898aa4f2df2534b134697983b460171e32ed30c143f4a8d625b7c6fa2d4c5e4

SHA512
cd11e3dad31edc8241262ba1b45590d3afb547cc2a6d0b9c31fede250e136b4c4536d1d33b4863e4ebb28681727ba7324441037067853eb61c30477cfe26c513

Download Submit
C:\Windows\System32\LyTGbeW.exe

Filesize
1.9MB

MD5
478259c8659d69a0a18c11c25be6ffc2

SHA1
7103c7f1f2df850bd644764560f23e592a3f29a1

SHA256
3e8d5293ba56fde87f2628fc78dca2b0ca3a3ea3c44c7f6dddcc474ab5514714

SHA512
d4fc3a9c895be4d0a32d3442f2ae184bb68da39e81fc2eb6016ccc816f90252d861809ad976ef56322ac1b5bd42833000be72f14339ddfabdadd90591599fd82

Download Submit
C:\Windows\System32\QjSTrWW.exe

Filesize
1.9MB

MD5
1324f4a411955a274ab18f444ad19390

SHA1
c5a90cee21b66bbac98c7a8fbb2b7b375f976d2e

SHA256
bda3fe6aacf24f67741080ddc18ab11104d294abc3e9d1193713b065f2e3b1c1

SHA512
f46abb4b4a9bfdc5f85c70dfec19282eea974f91c8d9e35492f8f4a294643d6faa31c357fe94833ef36fa6a1ba683eea81b0b121e1ffbaccc1636ca9d2e8869a

Download Submit
C:\Windows\System32\RMqAMJi.exe

Filesize
1.9MB

MD5
591568cf3a406b2f6c820b3ee4722c54

SHA1
30bd9553afeb355f5610cc160189ef203327c146

SHA256
1a7a0591c5a80ab4f6e03f6e7f532be337b1dbc4d8cff3a6383b63f9e9348b04

SHA512
14ac237087c0f45fcecb981b8c33bf2a0fbdb7770a36d96fa791f499c1963e364d110cec95759b077bfc4e7b002c24ad4f2f27002708e89ae9f2c72766946226

Download Submit
C:\Windows\System32\SRPjPSr.exe

Filesize
1.9MB

MD5
bb4c618b46c90ede70bfa6804c85516d

SHA1
cecbdffda12adcf158b41efefbf19aae1983dfc2

SHA256
aa360f0e10ac74e5c6e0e5b5405ebd7ec580729a9e8ed00118f4d19d7daa6745

SHA512
d1ee7d2612c74ce9fc1ac527e77bc93008593a9e458a66c840039d0091e103e3469041fe5491f5fe865af7f7f60be07e3037e03179f04a6396f0961648732586

Download Submit
C:\Windows\System32\TGggbzi.exe

Filesize
1.9MB

MD5
de6a4d2cccbf08ab83d0eb0ed39f6f39

SHA1
df7764be87f397a2649da1f9b39295bebb98eec7

SHA256
ef0314fd8df1e040247594196c6cdd568d0a52068b315d6efc0c1813577f542c

SHA512
1eaea0b105b4b706ad439b47b65588d927713db93935f746e631dde2f1fe747b30faa164f520aeda2c1b2e7ea56f5ea13393c09d32bfed15f6f4418dc646ac9e

Download Submit
C:\Windows\System32\UJetukN.exe

Filesize
1.9MB

MD5
b45bd77cb19001f2dc066d740fa297f4

SHA1
024b787a099b761a4e532d44cda4e982c4a80aef

SHA256
6078ea133dc3c61f81fb8b5d95f4803aaaf8cd7075a8e079d9cff81135086db6

SHA512
983fe6882ce78a930ebe3cca4becf3fbd11e7bd8da18225269f886226db383c9dbe29ec5f15202b61ff7d996ed2b1e3d52f7fefbf727278942c8f810e3400b9d

Download Submit
C:\Windows\System32\YCFKncp.exe

Filesize
1.9MB

MD5
2120fe813ae7ac0ff7405ff0aa6c569b

SHA1
9a29de2ad8cc674cdbc93dc85b4b4adaf94bbf36

SHA256
9d7df0287e1a1434f42e6748f8d319d0ca7d954a967d56e51bf98ae078293c82

SHA512
8f9155010e35890873aa4f2665aefa61cc008becefd79d6d57ac3795ad7a0d80ac0f6164ecbf8e3ff5e9f91ad8981174b6a763093da645446355e09153aad084

Download Submit
C:\Windows\System32\YhgwEfa.exe

Filesize
1.9MB

MD5
1f54c6a9265ab49ff1f2971f221fc464

SHA1
6bb9026d30209cf1d65e955ac82671d1cfc52069

SHA256
f1023da5c39ba412bcb5034c808ad53b03a4bedfea3f2ea66ccb7c621953a916

SHA512
3f968068165720e55cb9e3a795f8b5ffe2c3b9f1f4d8517532af8b42fd5100a0265a7a1af83e4a5665f62a2c471c65390a71fc5edaee5faa2f406cd69bfce1bf

Download Submit
C:\Windows\System32\aHNlFLC.exe

Filesize
1.9MB

MD5
77a7f2d42ffda0335e65c2c1c6c93abc

SHA1
39354a32b73741bd21817ae8546b37744c2b7133

SHA256
542efdc91e0c2a8431093048cad5861f7549795b4b1125319426ccbf6117c6d3

SHA512
e733ce41f243a360421473a9b22778ea836be43a38090c3c4c30a481deba08542cd14617e2e4b2057c0bd40f102e3f814f0f85bf5788355773355ed3ff007160

Download Submit
C:\Windows\System32\cyyzvyD.exe

Filesize
1.9MB

MD5
1f7f43c33d144529ecff759ff37e2bd9

SHA1
c5def687d39c3742dd1763e08b6240523b1d26bf

SHA256
b7cb7a1a00cb410e3def69a22961b5ebed6ee981b27311e7d941c93ad07b8485

SHA512
179f7b57823bdf81edb71c54c4b8dff72241ad53e9c4d8c9b17323caffbb20efa70305d3e6f3b075f3dcfee59ad3551a04ca7c7f12e00ef910604cce8e5ff5d7

Download Submit
C:\Windows\System32\iiKzvFI.exe

Filesize
1.9MB

MD5
41abe03add446fd1d41e4a52ce2d754b

SHA1
33838074bf6aaeb695f2a82ca9ab9f50570b1671

SHA256
85e3eb9db1092b65e0ae76577fb45204490875527fb0e0181575d41ca6a9554f

SHA512
1a147faeb392a67415522c3f82de5a69aa9072692fac05d5d46c9ba4970acc4489bfe9555597a2c552e9880f75d698a1a37bd48ffbf6ed799dc13cff1c519290

Download Submit
C:\Windows\System32\ijfglKS.exe

Filesize
1.9MB

MD5
062145906a67434f0b01124b4abc286d

SHA1
3471d880e1853eea03aac10d0388b8320748fd9a

SHA256
c33d41c018bce317cc6fdf2f031a8e4a9e0beb9dc0ec5f657a1a748351ebe16d

SHA512
f555d839db63b2a45a7ca94fa7c5377131d3df25e493a06795cb9fd9e2dd41e2c7b53ef026d63716e323646f3937ea3afcb8c3bc502efe8716aec4bd2fd7ace6

Download Submit
C:\Windows\System32\kQfqgRF.exe

Filesize
1.9MB

MD5
1096ccd3fb2e12c2c5dd4dabed1d0dab

SHA1
1c59930d059b086643b7bb453066b1895f01f988

SHA256
e79473b44c85a54c44e2ae5feabfaa9bbbd382f416a67671071f970c92636381

SHA512
5bc3856daf3b64c4edbcba3005318836319421a0e1241da12e0747607d4b6241f6ea4c84349c5cbb142cb49d1349686c25b841bc4138ee175a887393a7921b89

Download Submit
C:\Windows\System32\npscueT.exe

Filesize
1.9MB

MD5
01ef869495545bae37b4713aea9470d7

SHA1
9bcafe3a403f30751ea5a74787eda56841c26b0f

SHA256
94295fadab28ef99cbf4298c5ae912677eb005211b0bc77ae6e11d50bfd27c76

SHA512
b575ed9fb581ce1e166b41377624b740b07d1928ceb7dfb13969e91f22d27eba3dd0e0ae657cec5b1e24c76fcfa51cd0351eca94991b95d9a3a95155e32d324b

Download Submit
C:\Windows\System32\nwExMLf.exe

Filesize
1.9MB

MD5
14d05c36639d96b4588d75b841ea1a47

SHA1
60fee3fa8846935f120a1919de2f0ca9b95c0db1

SHA256
f04b804c768cd13a5d0cd3fce24754d355f46c77aa65e9706df10c4500b9ae74

SHA512
07e3c225949058d37a8a96c763781a31d2b724096065314563c2e2cf4de6d1f856c99190b11acd189f7457ef784ed3b2a8fa5deafd169e507136e2652cf75766

Download Submit
C:\Windows\System32\pCrSxkv.exe

Filesize
1.9MB

MD5
d2e63ceb6df93f6b872071fa301feccc

SHA1
f4ec80dba1a04e87397d44270ab634add55ac725

SHA256
d89d92659ec79d37fe89f8733232bd323215a8e7171c14f56aa91ecd06b4c5ea

SHA512
8608304432b8bfad7b14cd96e38a515c490905cddae0f1a34249fa4d304e10ed74c1223309c2299df6cab44b233b15a02437eced0890d781603dc9ddc599b9a1

Download Submit
C:\Windows\System32\qooGkTj.exe

Filesize
1.9MB

MD5
909a9ea334ceb3c725e671cc884b98b2

SHA1
e70ff11ee8fda0cc9a17c6660f3eaabad7586f81

SHA256
f69b770b008d8264133f36fd76a73f1743eece1e1841489d4bc89cf4140df335

SHA512
1fe57bab5d0358c96233da39a0537bf38953df2aff542072a43064f01b120088d5750775fbdc33a862bc6685aa9787bb996e1c860b19d528fcc6225fcb23394f

Download Submit
C:\Windows\System32\rejoVFV.exe

Filesize
1.9MB

MD5
53bfe38fe47e0de1ab105ca5f818d8f7

SHA1
bff1699dedc0409952d1232e1e9c14c73df1ed70

SHA256
e4ebe466b363cf585f8be6eac921872f09ff75aa07fd9f8d0113a0c5f7dfdeca

SHA512
7d7a846268fceced7b2b71f9143566a5601d3fcb4720778a423f1b32d94766dabfa43c331541dbba566478dee312b6defbc4cfe37a619d26a150684bf26fde62

Download Submit
C:\Windows\System32\tPTHCDi.exe

Filesize
1.9MB

MD5
a7b36ea5986d944c1d5c0638438cf4a4

SHA1
649219e033415f36395712f469e9f05d3b5daae5

SHA256
5d020600f7ccba09e9f869ef5c5f75d17eea02fc6a4e2db38d64f5cbd5d49551

SHA512
9b54f6cd5bd15649a6c5e0ac936dcb8a13592d5e888b4b8ffa1d2bbb17c4a953ed5b2a5fc3bb912bb62bfd4e597594dee4c2dd7eb1f7ad6bf1f36eb1ef040d5b

Download Submit
C:\Windows\System32\tuUKRnN.exe

Filesize
1.9MB

MD5
8239ca67428fe372949dc0573c06f569

SHA1
5a33cafab3c3e0494db142df0d48d2a4e39b73e4

SHA256
419fe060b943bdf79f0259fe90a68473025b03f16a8cea215a58d8d777d2a50d

SHA512
9d5ef02f736797af85ab23ec0fe896c3bededa41115e97b4b472c92a1877a90ba489a4d94f7b64f8754016f4a6946db2e2b75883131716a69a65c35666623b5b

Download Submit
C:\Windows\System32\twALEZx.exe

Filesize
1.9MB

MD5
147ceddfc8d1f5b4d47b721d28878c8d

SHA1
73aeeee991cf53ef4a39f246e51f3fa6aaec81bc

SHA256
1ad3b9a3baffa5c8d042f1d3cc0805fe5022a0ea8acec1966d3fe2b6ca82c742

SHA512
06c38b060e858e0eb0851e060f5b0447ed646aadaaa6278529fd76983403af0367af971e50230d88fba8c7b43ce49288535195848c0eb595cb22e9231596080b

Download Submit
C:\Windows\System32\uHGmgbt.exe

Filesize
1.9MB

MD5
bc7af5f2df7a5ea6f584fb1099ec339c

SHA1
d3d569c151995a01f69a44e5d05a38646125adfe

SHA256
86daf485de2f7b62877397085f299f23d941255336ab2e6cdee29ab0f5e275cd

SHA512
e2bc6b57d825bed1ce29271f98c5291f5bdaf0e3acce04aedf85e8bc83c627a41d7c8f123ec9edd4f88289b955b242a38c56668cd5e1e7e823862b1fac907966

Download Submit
C:\Windows\System32\umFBMpa.exe

Filesize
1.9MB

MD5
45956e7172e97fa8629efcd4fcf734f9

SHA1
15d2b8bf4fe6de92d5e000cafbc9cb97d4940e0a

SHA256
aea028c548a8ad1ef9270d5733771281ce3ec5aefd7874f5c6a31020f2df786a

SHA512
8218b063f8206b2d86b1dbd979d39f68136768a3eb81a2b21d80f6c6b9e699c0dd2c5a39face79cd9ab73b9d8afbb14789ea07056d73d77fd14a0931d4fd9405

Download Submit
C:\Windows\System32\vmYYbzq.exe

Filesize
1.9MB

MD5
497dfb1641e08ce7b1aa8b4264979120

SHA1
14040f810d0abd98a7b3b8c6922b33ffbae2ad51

SHA256
abd593cc1c1274ecfc019468605fb795e0e33e4cb0b5ec94f8879fa8935ea207

SHA512
8428e10bcb27d02b0bc91bd5e72b7d2b4b219fe56f879c8d3cd95158e7590de46777761c5f8cd08fa0cde8d2e1cdb2ce7e7043e1dfb46c508ad519c835ba2956

Download Submit
C:\Windows\System32\xEMezBI.exe

Filesize
1.9MB

MD5
474ed8aece7488e78030dad21cbe3ad4

SHA1
7b27ca0d06cc392698f784ea9135afdf4c4b156c

SHA256
1c50824f71c612bf24d7c503eb00a7c9d0b48b213afa9a575fd26d27ce2765c9

SHA512
ca85c2c3b0ba6f67e043bc726a03d8828f658170f6db1d7a8bd446cd288d516aa0ae1bd2bfad812437be57efae393b15da9983b24e2b37a6ca4d5ab3bba4e71d

Download Submit
memory/60-2088-0x00007FF7F6B20000-0x00007FF7F6F11000-memory.dmp

Filesize
3.9MB

Download
memory/60-480-0x00007FF7F6B20000-0x00007FF7F6F11000-memory.dmp

Filesize
3.9MB

Download
memory/452-2086-0x00007FF6D98A0000-0x00007FF6D9C91000-memory.dmp

Filesize
3.9MB

Download
memory/452-474-0x00007FF6D98A0000-0x00007FF6D9C91000-memory.dmp

Filesize
3.9MB

Download
memory/840-500-0x00007FF66F960000-0x00007FF66FD51000-memory.dmp

Filesize
3.9MB

Download
memory/840-2068-0x00007FF66F960000-0x00007FF66FD51000-memory.dmp

Filesize
3.9MB

Download
memory/1212-45-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp

Filesize
3.9MB

Download
memory/1212-2058-0x00007FF7E4410000-0x00007FF7E4801000-memory.dmp

Filesize
3.9MB

Download
memory/1592-513-0x00007FF641EB0000-0x00007FF6422A1000-memory.dmp

Filesize
3.9MB

Download
memory/1592-2098-0x00007FF641EB0000-0x00007FF6422A1000-memory.dmp

Filesize
3.9MB

Download
memory/1828-2062-0x00007FF7733B0000-0x00007FF7737A1000-memory.dmp

Filesize
3.9MB

Download
memory/1828-46-0x00007FF7733B0000-0x00007FF7737A1000-memory.dmp

Filesize
3.9MB

Download
memory/1900-48-0x00007FF694840000-0x00007FF694C31000-memory.dmp

Filesize
3.9MB

Download
memory/1900-2074-0x00007FF694840000-0x00007FF694C31000-memory.dmp

Filesize
3.9MB

Download
memory/1900-2033-0x00007FF694840000-0x00007FF694C31000-memory.dmp

Filesize
3.9MB

Download
memory/2024-498-0x00007FF7F8450000-0x00007FF7F8841000-memory.dmp

Filesize
3.9MB

Download
memory/2024-2072-0x00007FF7F8450000-0x00007FF7F8841000-memory.dmp

Filesize
3.9MB

Download
memory/2264-494-0x00007FF6F1DA0000-0x00007FF6F2191000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2076-0x00007FF6F1DA0000-0x00007FF6F2191000-memory.dmp

Filesize
3.9MB

Download
memory/2296-47-0x00007FF7B2A50000-0x00007FF7B2E41000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2064-0x00007FF7B2A50000-0x00007FF7B2E41000-memory.dmp

Filesize
3.9MB

Download
memory/2396-43-0x00007FF7590D0000-0x00007FF7594C1000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2060-0x00007FF7590D0000-0x00007FF7594C1000-memory.dmp

Filesize
3.9MB

Download
memory/2528-2085-0x00007FF7F50A0000-0x00007FF7F5491000-memory.dmp

Filesize
3.9MB

Download
memory/2528-477-0x00007FF7F50A0000-0x00007FF7F5491000-memory.dmp

Filesize
3.9MB

Download
memory/2564-1-0x000002A142C00000-0x000002A142C10000-memory.dmp

Filesize
64KB

Download
memory/2564-0-0x00007FF62BB50000-0x00007FF62BF41000-memory.dmp

Filesize
3.9MB

Download
memory/2584-482-0x00007FF79CD30000-0x00007FF79D121000-memory.dmp

Filesize
3.9MB

Download
memory/2584-2082-0x00007FF79CD30000-0x00007FF79D121000-memory.dmp

Filesize
3.9MB

Download
memory/3052-12-0x00007FF783DF0000-0x00007FF7841E1000-memory.dmp

Filesize
3.9MB

Download
memory/3052-2052-0x00007FF783DF0000-0x00007FF7841E1000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2054-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2011-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp

Filesize
3.9MB

Download
memory/3496-14-0x00007FF6C1A40000-0x00007FF6C1E31000-memory.dmp

Filesize
3.9MB

Download
memory/4160-532-0x00007FF6E9EC0000-0x00007FF6EA2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4160-2096-0x00007FF6E9EC0000-0x00007FF6EA2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4204-2056-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4204-2032-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4204-17-0x00007FF6A27B0000-0x00007FF6A2BA1000-memory.dmp

Filesize
3.9MB

Download
memory/4396-2080-0x00007FF775880000-0x00007FF775C71000-memory.dmp

Filesize
3.9MB

Download
memory/4396-483-0x00007FF775880000-0x00007FF775C71000-memory.dmp

Filesize
3.9MB

Download
memory/4592-2066-0x00007FF6F7E90000-0x00007FF6F8281000-memory.dmp

Filesize
3.9MB

Download
memory/4592-468-0x00007FF6F7E90000-0x00007FF6F8281000-memory.dmp

Filesize
3.9MB

Download
memory/4920-485-0x00007FF7D4480000-0x00007FF7D4871000-memory.dmp

Filesize
3.9MB

Download
memory/4920-2078-0x00007FF7D4480000-0x00007FF7D4871000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2094-0x00007FF6B1180000-0x00007FF6B1571000-memory.dmp

Filesize
3.9MB

Download
memory/4924-508-0x00007FF6B1180000-0x00007FF6B1571000-memory.dmp

Filesize
3.9MB

Download
memory/4948-2090-0x00007FF765300000-0x00007FF7656F1000-memory.dmp

Filesize
3.9MB

Download
memory/4948-505-0x00007FF765300000-0x00007FF7656F1000-memory.dmp

Filesize
3.9MB

Download
memory/5016-506-0x00007FF763650000-0x00007FF763A41000-memory.dmp

Filesize
3.9MB

Download
memory/5016-2092-0x00007FF763650000-0x00007FF763A41000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2070-0x00007FF78B580000-0x00007FF78B971000-memory.dmp

Filesize
3.9MB

Download
memory/5056-464-0x00007FF78B580000-0x00007FF78B971000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads