xmrig | 860ec4ebe8d67348064b3f944f157605cd333bf33d7100f5c7beda02b7d07876

Analysis

max time kernel
125s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
Size

3.2MB
MD5

d500348802e9500598968d5dfb5a1f50
SHA1

9d434d312610747d461ba81d07f2092d4e66c544
SHA256

860ec4ebe8d67348064b3f944f157605cd333bf33d7100f5c7beda02b7d07876
SHA512

04df563a06cb9d1a8c5300ecc9a3f8cd833514228c9bc9c5faf28ef2d7174adfdc60af8de492825a259845dd8264c170ba4432b5e510772f65208f24ca4744e2
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40R:NFWPClFkR

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3544-0-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp	xmrig
behavioral2/files/0x0009000000023553-4.dat	xmrig
behavioral2/files/0x000700000002355a-9.dat	xmrig
behavioral2/memory/2356-14-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp	xmrig
behavioral2/files/0x0008000000023559-12.dat	xmrig
behavioral2/memory/864-11-0x00007FF73C120000-0x00007FF73C515000-memory.dmp	xmrig
behavioral2/files/0x000700000002355b-25.dat	xmrig
behavioral2/files/0x0008000000023557-30.dat	xmrig
behavioral2/files/0x000700000002355f-43.dat	xmrig
behavioral2/files/0x000700000002355e-50.dat	xmrig
behavioral2/files/0x0007000000023562-71.dat	xmrig
behavioral2/files/0x0007000000023563-72.dat	xmrig
behavioral2/files/0x0007000000023565-77.dat	xmrig
behavioral2/files/0x000700000002356a-112.dat	xmrig
behavioral2/files/0x000700000002356d-125.dat	xmrig
behavioral2/files/0x0007000000023572-150.dat	xmrig
behavioral2/files/0x0007000000023574-165.dat	xmrig
behavioral2/memory/312-808-0x00007FF684EA0000-0x00007FF685295000-memory.dmp	xmrig
behavioral2/memory/2596-811-0x00007FF640C20000-0x00007FF641015000-memory.dmp	xmrig
behavioral2/memory/5024-812-0x00007FF737540000-0x00007FF737935000-memory.dmp	xmrig
behavioral2/memory/556-817-0x00007FF7AB600000-0x00007FF7AB9F5000-memory.dmp	xmrig
behavioral2/memory/4952-823-0x00007FF77D6C0000-0x00007FF77DAB5000-memory.dmp	xmrig
behavioral2/memory/2508-827-0x00007FF747000000-0x00007FF7473F5000-memory.dmp	xmrig
behavioral2/memory/1472-830-0x00007FF76F410000-0x00007FF76F805000-memory.dmp	xmrig
behavioral2/memory/3164-836-0x00007FF6C2B80000-0x00007FF6C2F75000-memory.dmp	xmrig
behavioral2/memory/5052-834-0x00007FF6D53C0000-0x00007FF6D57B5000-memory.dmp	xmrig
behavioral2/memory/4432-839-0x00007FF714A00000-0x00007FF714DF5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023577-173.dat	xmrig
behavioral2/files/0x0007000000023575-170.dat	xmrig
behavioral2/files/0x0007000000023576-168.dat	xmrig
behavioral2/files/0x0007000000023573-160.dat	xmrig
behavioral2/memory/4900-843-0x00007FF717340000-0x00007FF717735000-memory.dmp	xmrig
behavioral2/memory/3256-847-0x00007FF7A5F60000-0x00007FF7A6355000-memory.dmp	xmrig
behavioral2/memory/4036-849-0x00007FF6671E0000-0x00007FF6675D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023571-147.dat	xmrig
behavioral2/files/0x0007000000023570-142.dat	xmrig
behavioral2/files/0x000700000002356f-137.dat	xmrig
behavioral2/files/0x000700000002356e-132.dat	xmrig
behavioral2/files/0x000700000002356c-122.dat	xmrig
behavioral2/files/0x000700000002356b-117.dat	xmrig
behavioral2/files/0x0007000000023569-107.dat	xmrig
behavioral2/files/0x0007000000023568-102.dat	xmrig
behavioral2/files/0x0007000000023567-97.dat	xmrig
behavioral2/files/0x0007000000023566-92.dat	xmrig
behavioral2/files/0x0007000000023564-87.dat	xmrig
behavioral2/memory/4272-83-0x00007FF7B5850000-0x00007FF7B5C45000-memory.dmp	xmrig
behavioral2/memory/3588-79-0x00007FF6CDB40000-0x00007FF6CDF35000-memory.dmp	xmrig
behavioral2/files/0x0007000000023561-75.dat	xmrig
behavioral2/memory/3204-74-0x00007FF78D6E0000-0x00007FF78DAD5000-memory.dmp	xmrig
behavioral2/memory/5048-68-0x00007FF735F90000-0x00007FF736385000-memory.dmp	xmrig
behavioral2/memory/3528-65-0x00007FF7C17B0000-0x00007FF7C1BA5000-memory.dmp	xmrig
behavioral2/memory/1144-57-0x00007FF6FFE50000-0x00007FF700245000-memory.dmp	xmrig
behavioral2/files/0x0007000000023560-55.dat	xmrig
behavioral2/memory/2980-47-0x00007FF6DA710000-0x00007FF6DAB05000-memory.dmp	xmrig
behavioral2/files/0x000700000002355d-42.dat	xmrig
behavioral2/files/0x000700000002355c-41.dat	xmrig
behavioral2/memory/4600-35-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp	xmrig
behavioral2/memory/408-24-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp	xmrig
behavioral2/memory/2356-1832-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp	xmrig
behavioral2/memory/408-1833-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp	xmrig
behavioral2/memory/4600-1834-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp	xmrig
behavioral2/memory/5048-1835-0x00007FF735F90000-0x00007FF736385000-memory.dmp	xmrig
behavioral2/memory/3544-1836-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp	xmrig
behavioral2/memory/864-1837-0x00007FF73C120000-0x00007FF73C515000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
864	hAYMptT.exe
2356	JsAbNeN.exe
408	RilAEMY.exe
4600	ctouctl.exe
2980	pZwgDTW.exe
1144	IISielN.exe
3204	GObspbL.exe
3588	EgklLCc.exe
3528	BIlmfCK.exe
4272	VkcSFNi.exe
312	YkQlHqu.exe
5048	jxDGgrV.exe
2596	bdLdSvK.exe
4900	XCBjGKh.exe
3256	mzYvejm.exe
4036	bKzvKNt.exe
5024	YfbJETE.exe
556	VZMIPge.exe
4952	TnZAnlf.exe
2508	NMPLDBD.exe
1472	OwDHxTH.exe
5052	xfsSLoL.exe
3164	PHhgZzW.exe
4432	beqevQj.exe
3576	fPExHFM.exe
4868	azZPaJN.exe
3276	HYWiVdb.exe
2416	tUmWoPe.exe
3500	yrxTiLV.exe
4988	AFeoZoz.exe
4928	qOxZPgo.exe
2136	WQbQwlC.exe
728	OeIkkfb.exe
4572	ZCyvdOe.exe
4312	xxFSquH.exe
3968	gvUJZju.exe
1136	AUvYMII.exe
3940	wJkryaK.exe
4052	yWINYYg.exe
4324	fCggJNW.exe
3280	rIjSPnZ.exe
4404	WZpAqHB.exe
4372	UvefIkZ.exe
4436	kLcpKWo.exe
4480	SOOokJb.exe
524	cORXvfZ.exe
1676	hblHLpw.exe
1508	XKJCout.exe
4800	ncFfAWp.exe
3444	SlCzLvB.exe
2600	RIGUnDU.exe
4112	DqfqROC.exe
4296	SWKkqVV.exe
1500	UuFfoTs.exe
4416	JRZbZUI.exe
4456	SdqlNXO.exe
3408	qTTVKwp.exe
2072	KSszWyw.exe
5132	TirYJrC.exe
5148	CiVFdts.exe
5176	CdgakRr.exe
5216	bKauiZL.exe
5244	TlhJlbq.exe
5260	nyVdpPS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3544-0-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp	upx
behavioral2/files/0x0009000000023553-4.dat	upx
behavioral2/files/0x000700000002355a-9.dat	upx
behavioral2/memory/2356-14-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp	upx
behavioral2/files/0x0008000000023559-12.dat	upx
behavioral2/memory/864-11-0x00007FF73C120000-0x00007FF73C515000-memory.dmp	upx
behavioral2/files/0x000700000002355b-25.dat	upx
behavioral2/files/0x0008000000023557-30.dat	upx
behavioral2/files/0x000700000002355f-43.dat	upx
behavioral2/files/0x000700000002355e-50.dat	upx
behavioral2/files/0x0007000000023562-71.dat	upx
behavioral2/files/0x0007000000023563-72.dat	upx
behavioral2/files/0x0007000000023565-77.dat	upx
behavioral2/files/0x000700000002356a-112.dat	upx
behavioral2/files/0x000700000002356d-125.dat	upx
behavioral2/files/0x0007000000023572-150.dat	upx
behavioral2/files/0x0007000000023574-165.dat	upx
behavioral2/memory/312-808-0x00007FF684EA0000-0x00007FF685295000-memory.dmp	upx
behavioral2/memory/2596-811-0x00007FF640C20000-0x00007FF641015000-memory.dmp	upx
behavioral2/memory/5024-812-0x00007FF737540000-0x00007FF737935000-memory.dmp	upx
behavioral2/memory/556-817-0x00007FF7AB600000-0x00007FF7AB9F5000-memory.dmp	upx
behavioral2/memory/4952-823-0x00007FF77D6C0000-0x00007FF77DAB5000-memory.dmp	upx
behavioral2/memory/2508-827-0x00007FF747000000-0x00007FF7473F5000-memory.dmp	upx
behavioral2/memory/1472-830-0x00007FF76F410000-0x00007FF76F805000-memory.dmp	upx
behavioral2/memory/3164-836-0x00007FF6C2B80000-0x00007FF6C2F75000-memory.dmp	upx
behavioral2/memory/5052-834-0x00007FF6D53C0000-0x00007FF6D57B5000-memory.dmp	upx
behavioral2/memory/4432-839-0x00007FF714A00000-0x00007FF714DF5000-memory.dmp	upx
behavioral2/files/0x0007000000023577-173.dat	upx
behavioral2/files/0x0007000000023575-170.dat	upx
behavioral2/files/0x0007000000023576-168.dat	upx
behavioral2/files/0x0007000000023573-160.dat	upx
behavioral2/memory/4900-843-0x00007FF717340000-0x00007FF717735000-memory.dmp	upx
behavioral2/memory/3256-847-0x00007FF7A5F60000-0x00007FF7A6355000-memory.dmp	upx
behavioral2/memory/4036-849-0x00007FF6671E0000-0x00007FF6675D5000-memory.dmp	upx
behavioral2/files/0x0007000000023571-147.dat	upx
behavioral2/files/0x0007000000023570-142.dat	upx
behavioral2/files/0x000700000002356f-137.dat	upx
behavioral2/files/0x000700000002356e-132.dat	upx
behavioral2/files/0x000700000002356c-122.dat	upx
behavioral2/files/0x000700000002356b-117.dat	upx
behavioral2/files/0x0007000000023569-107.dat	upx
behavioral2/files/0x0007000000023568-102.dat	upx
behavioral2/files/0x0007000000023567-97.dat	upx
behavioral2/files/0x0007000000023566-92.dat	upx
behavioral2/files/0x0007000000023564-87.dat	upx
behavioral2/memory/4272-83-0x00007FF7B5850000-0x00007FF7B5C45000-memory.dmp	upx
behavioral2/memory/3588-79-0x00007FF6CDB40000-0x00007FF6CDF35000-memory.dmp	upx
behavioral2/files/0x0007000000023561-75.dat	upx
behavioral2/memory/3204-74-0x00007FF78D6E0000-0x00007FF78DAD5000-memory.dmp	upx
behavioral2/memory/5048-68-0x00007FF735F90000-0x00007FF736385000-memory.dmp	upx
behavioral2/memory/3528-65-0x00007FF7C17B0000-0x00007FF7C1BA5000-memory.dmp	upx
behavioral2/memory/1144-57-0x00007FF6FFE50000-0x00007FF700245000-memory.dmp	upx
behavioral2/files/0x0007000000023560-55.dat	upx
behavioral2/memory/2980-47-0x00007FF6DA710000-0x00007FF6DAB05000-memory.dmp	upx
behavioral2/files/0x000700000002355d-42.dat	upx
behavioral2/files/0x000700000002355c-41.dat	upx
behavioral2/memory/4600-35-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp	upx
behavioral2/memory/408-24-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp	upx
behavioral2/memory/2356-1832-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp	upx
behavioral2/memory/408-1833-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp	upx
behavioral2/memory/4600-1834-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp	upx
behavioral2/memory/5048-1835-0x00007FF735F90000-0x00007FF736385000-memory.dmp	upx
behavioral2/memory/3544-1836-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp	upx
behavioral2/memory/864-1837-0x00007FF73C120000-0x00007FF73C515000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\YACNAKR.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\rXytIkt.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\JDsathU.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\CdgakRr.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\OEQdgxn.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\XvacfFY.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\FFORswx.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\fXFAErH.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\ESOvazn.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\gUDXMCj.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\hWyimHt.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\AkzmZyj.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\HYWiVdb.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\dNwTqsS.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\bTNZcMk.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\ugLOLEh.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\MeoRQTr.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\yxXFpYN.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\psIPiyZ.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\RsjAuNT.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\SWRRVhL.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\xfsSLoL.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\mtUOOXO.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\LOALIii.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\cmVPXLD.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\DHphqey.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\lpvKoUQ.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\YlsceGW.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\WnwnpLM.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\qCpUjJZ.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\gCyypbl.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\hPxFewQ.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\IWGJGwJ.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\AQjybtT.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\RKnAbwh.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\BDtzRJX.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\YQpSPVF.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\ZNiKuQg.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\RijsdKj.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\AbtTbdt.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\IECAaGI.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\JsAbNeN.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\PHhgZzW.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\ojzVBel.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\aZNTAFI.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\zvUZlaG.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\navohYH.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\gCEAqva.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\fnVtjCa.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\GjYeEbT.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\SdqlNXO.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\gIGtspX.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\lPGFniy.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\yNdUPde.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\wWNOVaV.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\CCpGono.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\QIDBgLp.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\OXBBJHR.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\ECMleyn.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\FBLxkMY.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\jHHOgUa.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\eMSGJdN.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\CMJDEgq.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
File created	C:\Windows\System32\LEwnpLw.exe	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3540	dwm.exe
Token: SeChangeNotifyPrivilege	3540	dwm.exe
Token: 33	3540	dwm.exe
Token: SeIncBasePriorityPrivilege	3540	dwm.exe
Token: SeShutdownPrivilege	3540	dwm.exe
Token: SeCreatePagefilePrivilege	3540	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 864	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	90
PID 3544 wrote to memory of 864	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	90
PID 3544 wrote to memory of 2356	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	91
PID 3544 wrote to memory of 2356	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	91
PID 3544 wrote to memory of 408	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	92
PID 3544 wrote to memory of 408	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	92
PID 3544 wrote to memory of 4600	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	93
PID 3544 wrote to memory of 4600	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	93
PID 3544 wrote to memory of 2980	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	94
PID 3544 wrote to memory of 2980	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	94
PID 3544 wrote to memory of 1144	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	95
PID 3544 wrote to memory of 1144	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	95
PID 3544 wrote to memory of 3204	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	96
PID 3544 wrote to memory of 3204	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	96
PID 3544 wrote to memory of 3588	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	97
PID 3544 wrote to memory of 3588	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	97
PID 3544 wrote to memory of 3528	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	98
PID 3544 wrote to memory of 3528	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	98
PID 3544 wrote to memory of 4272	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	99
PID 3544 wrote to memory of 4272	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	99
PID 3544 wrote to memory of 312	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	100
PID 3544 wrote to memory of 312	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	100
PID 3544 wrote to memory of 5048	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	101
PID 3544 wrote to memory of 5048	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	101
PID 3544 wrote to memory of 2596	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	102
PID 3544 wrote to memory of 2596	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	102
PID 3544 wrote to memory of 4900	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	103
PID 3544 wrote to memory of 4900	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	103
PID 3544 wrote to memory of 3256	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	104
PID 3544 wrote to memory of 3256	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	104
PID 3544 wrote to memory of 4036	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	105
PID 3544 wrote to memory of 4036	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	105
PID 3544 wrote to memory of 5024	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	106
PID 3544 wrote to memory of 5024	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	106
PID 3544 wrote to memory of 556	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	107
PID 3544 wrote to memory of 556	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	107
PID 3544 wrote to memory of 4952	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	108
PID 3544 wrote to memory of 4952	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	108
PID 3544 wrote to memory of 2508	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	109
PID 3544 wrote to memory of 2508	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	109
PID 3544 wrote to memory of 1472	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	110
PID 3544 wrote to memory of 1472	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	110
PID 3544 wrote to memory of 5052	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	111
PID 3544 wrote to memory of 5052	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	111
PID 3544 wrote to memory of 3164	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	112
PID 3544 wrote to memory of 3164	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	112
PID 3544 wrote to memory of 4432	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	113
PID 3544 wrote to memory of 4432	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	113
PID 3544 wrote to memory of 3576	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	114
PID 3544 wrote to memory of 3576	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	114
PID 3544 wrote to memory of 4868	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	115
PID 3544 wrote to memory of 4868	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	115
PID 3544 wrote to memory of 3276	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	116
PID 3544 wrote to memory of 3276	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	116
PID 3544 wrote to memory of 2416	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	117
PID 3544 wrote to memory of 2416	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	117
PID 3544 wrote to memory of 3500	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	118
PID 3544 wrote to memory of 3500	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	118
PID 3544 wrote to memory of 4988	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	119
PID 3544 wrote to memory of 4988	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	119
PID 3544 wrote to memory of 4928	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	120
PID 3544 wrote to memory of 4928	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	120
PID 3544 wrote to memory of 2136	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	121
PID 3544 wrote to memory of 2136	3544	d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe	121

C:\Users\Admin\AppData\Local\Temp\d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d500348802e9500598968d5dfb5a1f50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\hAYMptT.exe
  C:\Windows\System32\hAYMptT.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\JsAbNeN.exe
  C:\Windows\System32\JsAbNeN.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System32\RilAEMY.exe
  C:\Windows\System32\RilAEMY.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\ctouctl.exe
  C:\Windows\System32\ctouctl.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\pZwgDTW.exe
  C:\Windows\System32\pZwgDTW.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\IISielN.exe
  C:\Windows\System32\IISielN.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\GObspbL.exe
  C:\Windows\System32\GObspbL.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\EgklLCc.exe
  C:\Windows\System32\EgklLCc.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\BIlmfCK.exe
  C:\Windows\System32\BIlmfCK.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\VkcSFNi.exe
  C:\Windows\System32\VkcSFNi.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\YkQlHqu.exe
  C:\Windows\System32\YkQlHqu.exe
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\System32\jxDGgrV.exe
  C:\Windows\System32\jxDGgrV.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\bdLdSvK.exe
  C:\Windows\System32\bdLdSvK.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\XCBjGKh.exe
  C:\Windows\System32\XCBjGKh.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\mzYvejm.exe
  C:\Windows\System32\mzYvejm.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\bKzvKNt.exe
  C:\Windows\System32\bKzvKNt.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\YfbJETE.exe
  C:\Windows\System32\YfbJETE.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\VZMIPge.exe
  C:\Windows\System32\VZMIPge.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\TnZAnlf.exe
  C:\Windows\System32\TnZAnlf.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\NMPLDBD.exe
  C:\Windows\System32\NMPLDBD.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\OwDHxTH.exe
  C:\Windows\System32\OwDHxTH.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\xfsSLoL.exe
  C:\Windows\System32\xfsSLoL.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\PHhgZzW.exe
  C:\Windows\System32\PHhgZzW.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System32\beqevQj.exe
  C:\Windows\System32\beqevQj.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\fPExHFM.exe
  C:\Windows\System32\fPExHFM.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\azZPaJN.exe
  C:\Windows\System32\azZPaJN.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\HYWiVdb.exe
  C:\Windows\System32\HYWiVdb.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\tUmWoPe.exe
  C:\Windows\System32\tUmWoPe.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\yrxTiLV.exe
  C:\Windows\System32\yrxTiLV.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\AFeoZoz.exe
  C:\Windows\System32\AFeoZoz.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\qOxZPgo.exe
  C:\Windows\System32\qOxZPgo.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\WQbQwlC.exe
  C:\Windows\System32\WQbQwlC.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System32\OeIkkfb.exe
  C:\Windows\System32\OeIkkfb.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System32\ZCyvdOe.exe
  C:\Windows\System32\ZCyvdOe.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\xxFSquH.exe
  C:\Windows\System32\xxFSquH.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\gvUJZju.exe
  C:\Windows\System32\gvUJZju.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\AUvYMII.exe
  C:\Windows\System32\AUvYMII.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System32\wJkryaK.exe
  C:\Windows\System32\wJkryaK.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\yWINYYg.exe
  C:\Windows\System32\yWINYYg.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\fCggJNW.exe
  C:\Windows\System32\fCggJNW.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\rIjSPnZ.exe
  C:\Windows\System32\rIjSPnZ.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\WZpAqHB.exe
  C:\Windows\System32\WZpAqHB.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\UvefIkZ.exe
  C:\Windows\System32\UvefIkZ.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\kLcpKWo.exe
  C:\Windows\System32\kLcpKWo.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\SOOokJb.exe
  C:\Windows\System32\SOOokJb.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\cORXvfZ.exe
  C:\Windows\System32\cORXvfZ.exe
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\System32\hblHLpw.exe
  C:\Windows\System32\hblHLpw.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\XKJCout.exe
  C:\Windows\System32\XKJCout.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\ncFfAWp.exe
  C:\Windows\System32\ncFfAWp.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\SlCzLvB.exe
  C:\Windows\System32\SlCzLvB.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\RIGUnDU.exe
  C:\Windows\System32\RIGUnDU.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\DqfqROC.exe
  C:\Windows\System32\DqfqROC.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\SWKkqVV.exe
  C:\Windows\System32\SWKkqVV.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\UuFfoTs.exe
  C:\Windows\System32\UuFfoTs.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\JRZbZUI.exe
  C:\Windows\System32\JRZbZUI.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\SdqlNXO.exe
  C:\Windows\System32\SdqlNXO.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\qTTVKwp.exe
  C:\Windows\System32\qTTVKwp.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\KSszWyw.exe
  C:\Windows\System32\KSszWyw.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\TirYJrC.exe
  C:\Windows\System32\TirYJrC.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System32\CiVFdts.exe
  C:\Windows\System32\CiVFdts.exe
  2⤵
  - Executes dropped EXE
  PID:5148
- C:\Windows\System32\CdgakRr.exe
  C:\Windows\System32\CdgakRr.exe
  2⤵
  - Executes dropped EXE
  PID:5176
- C:\Windows\System32\bKauiZL.exe
  C:\Windows\System32\bKauiZL.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System32\TlhJlbq.exe
  C:\Windows\System32\TlhJlbq.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System32\nyVdpPS.exe
  C:\Windows\System32\nyVdpPS.exe
  2⤵
  - Executes dropped EXE
  PID:5260
- C:\Windows\System32\gTafKJp.exe
  C:\Windows\System32\gTafKJp.exe
  2⤵
  PID:5300
- C:\Windows\System32\oAlHulP.exe
  C:\Windows\System32\oAlHulP.exe
  2⤵
  PID:5316
- C:\Windows\System32\HvmqWwy.exe
  C:\Windows\System32\HvmqWwy.exe
  2⤵
  PID:5356
- C:\Windows\System32\wAzbsqN.exe
  C:\Windows\System32\wAzbsqN.exe
  2⤵
  PID:5372
- C:\Windows\System32\KXKsBhR.exe
  C:\Windows\System32\KXKsBhR.exe
  2⤵
  PID:5400
- C:\Windows\System32\VUNuijo.exe
  C:\Windows\System32\VUNuijo.exe
  2⤵
  PID:5428
- C:\Windows\System32\asyepTa.exe
  C:\Windows\System32\asyepTa.exe
  2⤵
  PID:5468
- C:\Windows\System32\SCSXube.exe
  C:\Windows\System32\SCSXube.exe
  2⤵
  PID:5484
- C:\Windows\System32\npAYOsu.exe
  C:\Windows\System32\npAYOsu.exe
  2⤵
  PID:5524
- C:\Windows\System32\WmEdyGE.exe
  C:\Windows\System32\WmEdyGE.exe
  2⤵
  PID:5552
- C:\Windows\System32\PBQciUP.exe
  C:\Windows\System32\PBQciUP.exe
  2⤵
  PID:5568
- C:\Windows\System32\EuzQFgk.exe
  C:\Windows\System32\EuzQFgk.exe
  2⤵
  PID:5596
- C:\Windows\System32\wGqdbrz.exe
  C:\Windows\System32\wGqdbrz.exe
  2⤵
  PID:5624
- C:\Windows\System32\megRHFq.exe
  C:\Windows\System32\megRHFq.exe
  2⤵
  PID:5664
- C:\Windows\System32\eMSGJdN.exe
  C:\Windows\System32\eMSGJdN.exe
  2⤵
  PID:5692
- C:\Windows\System32\bOmInER.exe
  C:\Windows\System32\bOmInER.exe
  2⤵
  PID:5720
- C:\Windows\System32\dqLJJPc.exe
  C:\Windows\System32\dqLJJPc.exe
  2⤵
  PID:5736
- C:\Windows\System32\smrNeIp.exe
  C:\Windows\System32\smrNeIp.exe
  2⤵
  PID:5780
- C:\Windows\System32\veOmGMD.exe
  C:\Windows\System32\veOmGMD.exe
  2⤵
  PID:5808
- C:\Windows\System32\khnzhtk.exe
  C:\Windows\System32\khnzhtk.exe
  2⤵
  PID:5824
- C:\Windows\System32\mGuYQBx.exe
  C:\Windows\System32\mGuYQBx.exe
  2⤵
  PID:5864
- C:\Windows\System32\gXHriqE.exe
  C:\Windows\System32\gXHriqE.exe
  2⤵
  PID:5880
- C:\Windows\System32\lehEBdQ.exe
  C:\Windows\System32\lehEBdQ.exe
  2⤵
  PID:5908
- C:\Windows\System32\QIDBgLp.exe
  C:\Windows\System32\QIDBgLp.exe
  2⤵
  PID:5936
- C:\Windows\System32\EBnlnuz.exe
  C:\Windows\System32\EBnlnuz.exe
  2⤵
  PID:5976
- C:\Windows\System32\MADaLvi.exe
  C:\Windows\System32\MADaLvi.exe
  2⤵
  PID:6004
- C:\Windows\System32\PYBMnON.exe
  C:\Windows\System32\PYBMnON.exe
  2⤵
  PID:6020
- C:\Windows\System32\RrHuGPs.exe
  C:\Windows\System32\RrHuGPs.exe
  2⤵
  PID:6048
- C:\Windows\System32\LlmpWom.exe
  C:\Windows\System32\LlmpWom.exe
  2⤵
  PID:6088
- C:\Windows\System32\uKHUahb.exe
  C:\Windows\System32\uKHUahb.exe
  2⤵
  PID:6116
- C:\Windows\System32\ojzVBel.exe
  C:\Windows\System32\ojzVBel.exe
  2⤵
  PID:6132
- C:\Windows\System32\ugLOLEh.exe
  C:\Windows\System32\ugLOLEh.exe
  2⤵
  PID:1696
- C:\Windows\System32\CcOzjWz.exe
  C:\Windows\System32\CcOzjWz.exe
  2⤵
  PID:4908
- C:\Windows\System32\yNsgJRU.exe
  C:\Windows\System32\yNsgJRU.exe
  2⤵
  PID:3668
- C:\Windows\System32\gFRabeE.exe
  C:\Windows\System32\gFRabeE.exe
  2⤵
  PID:3560
- C:\Windows\System32\QkIWiYF.exe
  C:\Windows\System32\QkIWiYF.exe
  2⤵
  PID:5160
- C:\Windows\System32\ZQpQGhw.exe
  C:\Windows\System32\ZQpQGhw.exe
  2⤵
  PID:5208
- C:\Windows\System32\fXFAErH.exe
  C:\Windows\System32\fXFAErH.exe
  2⤵
  PID:5292
- C:\Windows\System32\VAquPuL.exe
  C:\Windows\System32\VAquPuL.exe
  2⤵
  PID:5332
- C:\Windows\System32\SvAwGUz.exe
  C:\Windows\System32\SvAwGUz.exe
  2⤵
  PID:5424
- C:\Windows\System32\QZtLhvV.exe
  C:\Windows\System32\QZtLhvV.exe
  2⤵
  PID:5444
- C:\Windows\System32\jVwzVeE.exe
  C:\Windows\System32\jVwzVeE.exe
  2⤵
  PID:5532
- C:\Windows\System32\zOWaUIv.exe
  C:\Windows\System32\zOWaUIv.exe
  2⤵
  PID:5592
- C:\Windows\System32\AQjybtT.exe
  C:\Windows\System32\AQjybtT.exe
  2⤵
  PID:5672
- C:\Windows\System32\xDIKfxL.exe
  C:\Windows\System32\xDIKfxL.exe
  2⤵
  PID:5700
- C:\Windows\System32\RKnAbwh.exe
  C:\Windows\System32\RKnAbwh.exe
  2⤵
  PID:5816
- C:\Windows\System32\CKEzjet.exe
  C:\Windows\System32\CKEzjet.exe
  2⤵
  PID:5872
- C:\Windows\System32\zbkrFnt.exe
  C:\Windows\System32\zbkrFnt.exe
  2⤵
  PID:5948
- C:\Windows\System32\ZmfMXZe.exe
  C:\Windows\System32\ZmfMXZe.exe
  2⤵
  PID:5988
- C:\Windows\System32\rYyKlPX.exe
  C:\Windows\System32\rYyKlPX.exe
  2⤵
  PID:6080
- C:\Windows\System32\uTKggSg.exe
  C:\Windows\System32\uTKggSg.exe
  2⤵
  PID:6108
- C:\Windows\System32\fiYTZNs.exe
  C:\Windows\System32\fiYTZNs.exe
  2⤵
  PID:4268
- C:\Windows\System32\apNZRGo.exe
  C:\Windows\System32\apNZRGo.exe
  2⤵
  PID:4448
- C:\Windows\System32\PFFlxwH.exe
  C:\Windows\System32\PFFlxwH.exe
  2⤵
  PID:5236
- C:\Windows\System32\KwQaVDh.exe
  C:\Windows\System32\KwQaVDh.exe
  2⤵
  PID:5308
- C:\Windows\System32\EacWtOo.exe
  C:\Windows\System32\EacWtOo.exe
  2⤵
  PID:5580
- C:\Windows\System32\pFBYVKJ.exe
  C:\Windows\System32\pFBYVKJ.exe
  2⤵
  PID:5656
- C:\Windows\System32\vUPlozV.exe
  C:\Windows\System32\vUPlozV.exe
  2⤵
  PID:5772
- C:\Windows\System32\CmSOTSJ.exe
  C:\Windows\System32\CmSOTSJ.exe
  2⤵
  PID:6032
- C:\Windows\System32\RsgpLhN.exe
  C:\Windows\System32\RsgpLhN.exe
  2⤵
  PID:6152
- C:\Windows\System32\pToCWWT.exe
  C:\Windows\System32\pToCWWT.exe
  2⤵
  PID:6180
- C:\Windows\System32\PnxKTAT.exe
  C:\Windows\System32\PnxKTAT.exe
  2⤵
  PID:6196
- C:\Windows\System32\ZIsqZti.exe
  C:\Windows\System32\ZIsqZti.exe
  2⤵
  PID:6224
- C:\Windows\System32\CMJDEgq.exe
  C:\Windows\System32\CMJDEgq.exe
  2⤵
  PID:6264
- C:\Windows\System32\RsZPmjj.exe
  C:\Windows\System32\RsZPmjj.exe
  2⤵
  PID:6292
- C:\Windows\System32\yGhSwNQ.exe
  C:\Windows\System32\yGhSwNQ.exe
  2⤵
  PID:6320
- C:\Windows\System32\oXooBYO.exe
  C:\Windows\System32\oXooBYO.exe
  2⤵
  PID:6348
- C:\Windows\System32\AMQKrJe.exe
  C:\Windows\System32\AMQKrJe.exe
  2⤵
  PID:6376
- C:\Windows\System32\jfIXwsZ.exe
  C:\Windows\System32\jfIXwsZ.exe
  2⤵
  PID:6392
- C:\Windows\System32\QBHjVXr.exe
  C:\Windows\System32\QBHjVXr.exe
  2⤵
  PID:6432
- C:\Windows\System32\jOPBfGE.exe
  C:\Windows\System32\jOPBfGE.exe
  2⤵
  PID:6448
- C:\Windows\System32\uCdEtmO.exe
  C:\Windows\System32\uCdEtmO.exe
  2⤵
  PID:6476
- C:\Windows\System32\OytEbCT.exe
  C:\Windows\System32\OytEbCT.exe
  2⤵
  PID:6516
- C:\Windows\System32\iwjsdPt.exe
  C:\Windows\System32\iwjsdPt.exe
  2⤵
  PID:6544
- C:\Windows\System32\dNwTqsS.exe
  C:\Windows\System32\dNwTqsS.exe
  2⤵
  PID:6560
- C:\Windows\System32\TwhHKdC.exe
  C:\Windows\System32\TwhHKdC.exe
  2⤵
  PID:6600
- C:\Windows\System32\ZjWEtEe.exe
  C:\Windows\System32\ZjWEtEe.exe
  2⤵
  PID:6616
- C:\Windows\System32\WGCBTcn.exe
  C:\Windows\System32\WGCBTcn.exe
  2⤵
  PID:6644
- C:\Windows\System32\MtTvLVY.exe
  C:\Windows\System32\MtTvLVY.exe
  2⤵
  PID:6684
- C:\Windows\System32\vxNQdHC.exe
  C:\Windows\System32\vxNQdHC.exe
  2⤵
  PID:6700
- C:\Windows\System32\XzuKtWQ.exe
  C:\Windows\System32\XzuKtWQ.exe
  2⤵
  PID:6728
- C:\Windows\System32\SdlyzJj.exe
  C:\Windows\System32\SdlyzJj.exe
  2⤵
  PID:6768
- C:\Windows\System32\iAoImDJ.exe
  C:\Windows\System32\iAoImDJ.exe
  2⤵
  PID:6784
- C:\Windows\System32\QLedWzI.exe
  C:\Windows\System32\QLedWzI.exe
  2⤵
  PID:6824
- C:\Windows\System32\uOSYMoh.exe
  C:\Windows\System32\uOSYMoh.exe
  2⤵
  PID:6840
- C:\Windows\System32\NsAyFrV.exe
  C:\Windows\System32\NsAyFrV.exe
  2⤵
  PID:6868
- C:\Windows\System32\xGyqMiN.exe
  C:\Windows\System32\xGyqMiN.exe
  2⤵
  PID:6896
- C:\Windows\System32\gdLcaKC.exe
  C:\Windows\System32\gdLcaKC.exe
  2⤵
  PID:6936
- C:\Windows\System32\BDtzRJX.exe
  C:\Windows\System32\BDtzRJX.exe
  2⤵
  PID:6952
- C:\Windows\System32\hHiLBmY.exe
  C:\Windows\System32\hHiLBmY.exe
  2⤵
  PID:6980
- C:\Windows\System32\mtUOOXO.exe
  C:\Windows\System32\mtUOOXO.exe
  2⤵
  PID:7008
- C:\Windows\System32\qCpUjJZ.exe
  C:\Windows\System32\qCpUjJZ.exe
  2⤵
  PID:7048
- C:\Windows\System32\guEuyei.exe
  C:\Windows\System32\guEuyei.exe
  2⤵
  PID:7064
- C:\Windows\System32\YzZTzRj.exe
  C:\Windows\System32\YzZTzRj.exe
  2⤵
  PID:7092
- C:\Windows\System32\DYLIbTD.exe
  C:\Windows\System32\DYLIbTD.exe
  2⤵
  PID:7132
- C:\Windows\System32\AazTCvy.exe
  C:\Windows\System32\AazTCvy.exe
  2⤵
  PID:7148
- C:\Windows\System32\sPDIUYf.exe
  C:\Windows\System32\sPDIUYf.exe
  2⤵
  PID:5124
- C:\Windows\System32\WbXtZRs.exe
  C:\Windows\System32\WbXtZRs.exe
  2⤵
  PID:5348
- C:\Windows\System32\DMoKtST.exe
  C:\Windows\System32\DMoKtST.exe
  2⤵
  PID:5612
- C:\Windows\System32\FKySnHb.exe
  C:\Windows\System32\FKySnHb.exe
  2⤵
  PID:6100
- C:\Windows\System32\OCYvlSp.exe
  C:\Windows\System32\OCYvlSp.exe
  2⤵
  PID:6188
- C:\Windows\System32\SqjqBGM.exe
  C:\Windows\System32\SqjqBGM.exe
  2⤵
  PID:6272
- C:\Windows\System32\hriUNaO.exe
  C:\Windows\System32\hriUNaO.exe
  2⤵
  PID:6300
- C:\Windows\System32\TGtzMTi.exe
  C:\Windows\System32\TGtzMTi.exe
  2⤵
  PID:6384
- C:\Windows\System32\yjFamZi.exe
  C:\Windows\System32\yjFamZi.exe
  2⤵
  PID:6440
- C:\Windows\System32\OvAGwNS.exe
  C:\Windows\System32\OvAGwNS.exe
  2⤵
  PID:6524
- C:\Windows\System32\wkSdYKc.exe
  C:\Windows\System32\wkSdYKc.exe
  2⤵
  PID:6584
- C:\Windows\System32\peAILbm.exe
  C:\Windows\System32\peAILbm.exe
  2⤵
  PID:6660
- C:\Windows\System32\MeBvsaF.exe
  C:\Windows\System32\MeBvsaF.exe
  2⤵
  PID:6740
- C:\Windows\System32\gTELakW.exe
  C:\Windows\System32\gTELakW.exe
  2⤵
  PID:6816
- C:\Windows\System32\IleJviL.exe
  C:\Windows\System32\IleJviL.exe
  2⤵
  PID:6832
- C:\Windows\System32\ezjjIEE.exe
  C:\Windows\System32\ezjjIEE.exe
  2⤵
  PID:6912
- C:\Windows\System32\DVTfYAo.exe
  C:\Windows\System32\DVTfYAo.exe
  2⤵
  PID:6996
- C:\Windows\System32\CKrxwgM.exe
  C:\Windows\System32\CKrxwgM.exe
  2⤵
  PID:7032
- C:\Windows\System32\GQhDCGR.exe
  C:\Windows\System32\GQhDCGR.exe
  2⤵
  PID:7104
- C:\Windows\System32\riQCzvX.exe
  C:\Windows\System32\riQCzvX.exe
  2⤵
  PID:1736
- C:\Windows\System32\BfNNFft.exe
  C:\Windows\System32\BfNNFft.exe
  2⤵
  PID:5904
- C:\Windows\System32\owzVeYy.exe
  C:\Windows\System32\owzVeYy.exe
  2⤵
  PID:6248
- C:\Windows\System32\McYLbmL.exe
  C:\Windows\System32\McYLbmL.exe
  2⤵
  PID:6360
- C:\Windows\System32\OHHrBuz.exe
  C:\Windows\System32\OHHrBuz.exe
  2⤵
  PID:6488
- C:\Windows\System32\JzadnOx.exe
  C:\Windows\System32\JzadnOx.exe
  2⤵
  PID:6656
- C:\Windows\System32\YQpSPVF.exe
  C:\Windows\System32\YQpSPVF.exe
  2⤵
  PID:6780
- C:\Windows\System32\hdRcbxL.exe
  C:\Windows\System32\hdRcbxL.exe
  2⤵
  PID:6944
- C:\Windows\System32\gIGtspX.exe
  C:\Windows\System32\gIGtspX.exe
  2⤵
  PID:7088
- C:\Windows\System32\bnYxxQC.exe
  C:\Windows\System32\bnYxxQC.exe
  2⤵
  PID:7188
- C:\Windows\System32\kxzXgdr.exe
  C:\Windows\System32\kxzXgdr.exe
  2⤵
  PID:7228
- C:\Windows\System32\BMBJIBB.exe
  C:\Windows\System32\BMBJIBB.exe
  2⤵
  PID:7244
- C:\Windows\System32\cXZwIKo.exe
  C:\Windows\System32\cXZwIKo.exe
  2⤵
  PID:7284
- C:\Windows\System32\XlvVpct.exe
  C:\Windows\System32\XlvVpct.exe
  2⤵
  PID:7300
- C:\Windows\System32\MHiZjVz.exe
  C:\Windows\System32\MHiZjVz.exe
  2⤵
  PID:7340
- C:\Windows\System32\UNChuJv.exe
  C:\Windows\System32\UNChuJv.exe
  2⤵
  PID:7356
- C:\Windows\System32\iADqyMm.exe
  C:\Windows\System32\iADqyMm.exe
  2⤵
  PID:7396
- C:\Windows\System32\iPjervk.exe
  C:\Windows\System32\iPjervk.exe
  2⤵
  PID:7412
- C:\Windows\System32\caOSvqC.exe
  C:\Windows\System32\caOSvqC.exe
  2⤵
  PID:7440
- C:\Windows\System32\qhaadUT.exe
  C:\Windows\System32\qhaadUT.exe
  2⤵
  PID:7480
- C:\Windows\System32\CdYROJg.exe
  C:\Windows\System32\CdYROJg.exe
  2⤵
  PID:7496
- C:\Windows\System32\GwkBcJU.exe
  C:\Windows\System32\GwkBcJU.exe
  2⤵
  PID:7536
- C:\Windows\System32\moHGZMQ.exe
  C:\Windows\System32\moHGZMQ.exe
  2⤵
  PID:7564
- C:\Windows\System32\SsMCrLj.exe
  C:\Windows\System32\SsMCrLj.exe
  2⤵
  PID:7592
- C:\Windows\System32\OXBBJHR.exe
  C:\Windows\System32\OXBBJHR.exe
  2⤵
  PID:7620
- C:\Windows\System32\RKqDQdn.exe
  C:\Windows\System32\RKqDQdn.exe
  2⤵
  PID:7636
- C:\Windows\System32\UcemJxI.exe
  C:\Windows\System32\UcemJxI.exe
  2⤵
  PID:7676
- C:\Windows\System32\bTNZcMk.exe
  C:\Windows\System32\bTNZcMk.exe
  2⤵
  PID:7692
- C:\Windows\System32\yWEIkzC.exe
  C:\Windows\System32\yWEIkzC.exe
  2⤵
  PID:7732
- C:\Windows\System32\eIzlcDg.exe
  C:\Windows\System32\eIzlcDg.exe
  2⤵
  PID:7748
- C:\Windows\System32\LOALIii.exe
  C:\Windows\System32\LOALIii.exe
  2⤵
  PID:7784
- C:\Windows\System32\IBKViXK.exe
  C:\Windows\System32\IBKViXK.exe
  2⤵
  PID:7804
- C:\Windows\System32\RxGhyct.exe
  C:\Windows\System32\RxGhyct.exe
  2⤵
  PID:7844
- C:\Windows\System32\sBZcNjn.exe
  C:\Windows\System32\sBZcNjn.exe
  2⤵
  PID:7872
- C:\Windows\System32\SZjyHLq.exe
  C:\Windows\System32\SZjyHLq.exe
  2⤵
  PID:7888
- C:\Windows\System32\pyOhOqP.exe
  C:\Windows\System32\pyOhOqP.exe
  2⤵
  PID:7928
- C:\Windows\System32\LEwnpLw.exe
  C:\Windows\System32\LEwnpLw.exe
  2⤵
  PID:7944
- C:\Windows\System32\raIXzyn.exe
  C:\Windows\System32\raIXzyn.exe
  2⤵
  PID:7984
- C:\Windows\System32\NolpISM.exe
  C:\Windows\System32\NolpISM.exe
  2⤵
  PID:8000
- C:\Windows\System32\IWrkCxV.exe
  C:\Windows\System32\IWrkCxV.exe
  2⤵
  PID:8028
- C:\Windows\System32\MVuwIBz.exe
  C:\Windows\System32\MVuwIBz.exe
  2⤵
  PID:8056
- C:\Windows\System32\XiaTrEn.exe
  C:\Windows\System32\XiaTrEn.exe
  2⤵
  PID:8084
- C:\Windows\System32\ESOvazn.exe
  C:\Windows\System32\ESOvazn.exe
  2⤵
  PID:8112
- C:\Windows\System32\DulIsXg.exe
  C:\Windows\System32\DulIsXg.exe
  2⤵
  PID:8152
- C:\Windows\System32\BjgYWDR.exe
  C:\Windows\System32\BjgYWDR.exe
  2⤵
  PID:8180
- C:\Windows\System32\aWZqtgj.exe
  C:\Windows\System32\aWZqtgj.exe
  2⤵
  PID:7160
- C:\Windows\System32\lPGFniy.exe
  C:\Windows\System32\lPGFniy.exe
  2⤵
  PID:6312
- C:\Windows\System32\MeoRQTr.exe
  C:\Windows\System32\MeoRQTr.exe
  2⤵
  PID:6612
- C:\Windows\System32\jBKjrcm.exe
  C:\Windows\System32\jBKjrcm.exe
  2⤵
  PID:7020
- C:\Windows\System32\hWyimHt.exe
  C:\Windows\System32\hWyimHt.exe
  2⤵
  PID:7184
- C:\Windows\System32\vWoKMQl.exe
  C:\Windows\System32\vWoKMQl.exe
  2⤵
  PID:7276
- C:\Windows\System32\mmIEqJR.exe
  C:\Windows\System32\mmIEqJR.exe
  2⤵
  PID:5068
- C:\Windows\System32\pFaqcev.exe
  C:\Windows\System32\pFaqcev.exe
  2⤵
  PID:7380
- C:\Windows\System32\ctDeOOr.exe
  C:\Windows\System32\ctDeOOr.exe
  2⤵
  PID:3616
- C:\Windows\System32\pNwslBa.exe
  C:\Windows\System32\pNwslBa.exe
  2⤵
  PID:7464
- C:\Windows\System32\FoWrKoC.exe
  C:\Windows\System32\FoWrKoC.exe
  2⤵
  PID:3896
- C:\Windows\System32\nJHdODp.exe
  C:\Windows\System32\nJHdODp.exe
  2⤵
  PID:7604
- C:\Windows\System32\hwbQlwd.exe
  C:\Windows\System32\hwbQlwd.exe
  2⤵
  PID:7632
- C:\Windows\System32\gUDXMCj.exe
  C:\Windows\System32\gUDXMCj.exe
  2⤵
  PID:7708
- C:\Windows\System32\sqqIygQ.exe
  C:\Windows\System32\sqqIygQ.exe
  2⤵
  PID:7744
- C:\Windows\System32\FqeXnTY.exe
  C:\Windows\System32\FqeXnTY.exe
  2⤵
  PID:7836
- C:\Windows\System32\zgVjVYD.exe
  C:\Windows\System32\zgVjVYD.exe
  2⤵
  PID:7856
- C:\Windows\System32\ZHEPomq.exe
  C:\Windows\System32\ZHEPomq.exe
  2⤵
  PID:3868
- C:\Windows\System32\iExamDE.exe
  C:\Windows\System32\iExamDE.exe
  2⤵
  PID:7968
- C:\Windows\System32\JGRSBXO.exe
  C:\Windows\System32\JGRSBXO.exe
  2⤵
  PID:8044
- C:\Windows\System32\XrAoPdF.exe
  C:\Windows\System32\XrAoPdF.exe
  2⤵
  PID:2936
- C:\Windows\System32\iQDiJrV.exe
  C:\Windows\System32\iQDiJrV.exe
  2⤵
  PID:6444
- C:\Windows\System32\csjRRHl.exe
  C:\Windows\System32\csjRRHl.exe
  2⤵
  PID:7176
- C:\Windows\System32\PyucvfV.exe
  C:\Windows\System32\PyucvfV.exe
  2⤵
  PID:636
- C:\Windows\System32\eDZQYhx.exe
  C:\Windows\System32\eDZQYhx.exe
  2⤵
  PID:7408
- C:\Windows\System32\HDQneTu.exe
  C:\Windows\System32\HDQneTu.exe
  2⤵
  PID:7508
- C:\Windows\System32\CPMtUmT.exe
  C:\Windows\System32\CPMtUmT.exe
  2⤵
  PID:720
- C:\Windows\System32\FHJAQal.exe
  C:\Windows\System32\FHJAQal.exe
  2⤵
  PID:7796
- C:\Windows\System32\gynMtXb.exe
  C:\Windows\System32\gynMtXb.exe
  2⤵
  PID:1572
- C:\Windows\System32\rwGmXln.exe
  C:\Windows\System32\rwGmXln.exe
  2⤵
  PID:4596
- C:\Windows\System32\iIoaLMB.exe
  C:\Windows\System32\iIoaLMB.exe
  2⤵
  PID:7956
- C:\Windows\System32\ZKCVpYc.exe
  C:\Windows\System32\ZKCVpYc.exe
  2⤵
  PID:4664
- C:\Windows\System32\qKqwYTj.exe
  C:\Windows\System32\qKqwYTj.exe
  2⤵
  PID:392
- C:\Windows\System32\FWLzjWY.exe
  C:\Windows\System32\FWLzjWY.exe
  2⤵
  PID:2068
- C:\Windows\System32\DioqTKX.exe
  C:\Windows\System32\DioqTKX.exe
  2⤵
  PID:7212
- C:\Windows\System32\VEQITBn.exe
  C:\Windows\System32\VEQITBn.exe
  2⤵
  PID:4164
- C:\Windows\System32\tdWJoPB.exe
  C:\Windows\System32\tdWJoPB.exe
  2⤵
  PID:8136
- C:\Windows\System32\WEAvBjN.exe
  C:\Windows\System32\WEAvBjN.exe
  2⤵
  PID:1320
- C:\Windows\System32\hdkZtpW.exe
  C:\Windows\System32\hdkZtpW.exe
  2⤵
  PID:2272
- C:\Windows\System32\IODRohI.exe
  C:\Windows\System32\IODRohI.exe
  2⤵
  PID:8172
- C:\Windows\System32\smRosgM.exe
  C:\Windows\System32\smRosgM.exe
  2⤵
  PID:6856
- C:\Windows\System32\EqrcWeZ.exe
  C:\Windows\System32\EqrcWeZ.exe
  2⤵
  PID:7756
- C:\Windows\System32\OGIIlYb.exe
  C:\Windows\System32\OGIIlYb.exe
  2⤵
  PID:2464
- C:\Windows\System32\fGbUEFA.exe
  C:\Windows\System32\fGbUEFA.exe
  2⤵
  PID:536
- C:\Windows\System32\MjCCkuO.exe
  C:\Windows\System32\MjCCkuO.exe
  2⤵
  PID:8208
- C:\Windows\System32\CdgmzIk.exe
  C:\Windows\System32\CdgmzIk.exe
  2⤵
  PID:8228
- C:\Windows\System32\XxaFwqY.exe
  C:\Windows\System32\XxaFwqY.exe
  2⤵
  PID:8252
- C:\Windows\System32\navohYH.exe
  C:\Windows\System32\navohYH.exe
  2⤵
  PID:8288
- C:\Windows\System32\GuDyWbo.exe
  C:\Windows\System32\GuDyWbo.exe
  2⤵
  PID:8324
- C:\Windows\System32\ouDbjIU.exe
  C:\Windows\System32\ouDbjIU.exe
  2⤵
  PID:8340
- C:\Windows\System32\lpvKoUQ.exe
  C:\Windows\System32\lpvKoUQ.exe
  2⤵
  PID:8380
- C:\Windows\System32\zYtyRHd.exe
  C:\Windows\System32\zYtyRHd.exe
  2⤵
  PID:8408
- C:\Windows\System32\OuxbHnb.exe
  C:\Windows\System32\OuxbHnb.exe
  2⤵
  PID:8444
- C:\Windows\System32\ozIoExz.exe
  C:\Windows\System32\ozIoExz.exe
  2⤵
  PID:8472
- C:\Windows\System32\TzcWoIh.exe
  C:\Windows\System32\TzcWoIh.exe
  2⤵
  PID:8500
- C:\Windows\System32\euZGJTR.exe
  C:\Windows\System32\euZGJTR.exe
  2⤵
  PID:8528
- C:\Windows\System32\LuCALeP.exe
  C:\Windows\System32\LuCALeP.exe
  2⤵
  PID:8556
- C:\Windows\System32\AkzmZyj.exe
  C:\Windows\System32\AkzmZyj.exe
  2⤵
  PID:8584
- C:\Windows\System32\FFORswx.exe
  C:\Windows\System32\FFORswx.exe
  2⤵
  PID:8600
- C:\Windows\System32\TaABDMh.exe
  C:\Windows\System32\TaABDMh.exe
  2⤵
  PID:8640
- C:\Windows\System32\WcUECzj.exe
  C:\Windows\System32\WcUECzj.exe
  2⤵
  PID:8656
- C:\Windows\System32\BtMwJNX.exe
  C:\Windows\System32\BtMwJNX.exe
  2⤵
  PID:8696
- C:\Windows\System32\gtFVcZG.exe
  C:\Windows\System32\gtFVcZG.exe
  2⤵
  PID:8712
- C:\Windows\System32\OTUJQgS.exe
  C:\Windows\System32\OTUJQgS.exe
  2⤵
  PID:8752
- C:\Windows\System32\mKKzNvr.exe
  C:\Windows\System32\mKKzNvr.exe
  2⤵
  PID:8784
- C:\Windows\System32\DmdeGbC.exe
  C:\Windows\System32\DmdeGbC.exe
  2⤵
  PID:8812
- C:\Windows\System32\pSwwAZS.exe
  C:\Windows\System32\pSwwAZS.exe
  2⤵
  PID:8840
- C:\Windows\System32\vcgmyRB.exe
  C:\Windows\System32\vcgmyRB.exe
  2⤵
  PID:8868
- C:\Windows\System32\bepcXqn.exe
  C:\Windows\System32\bepcXqn.exe
  2⤵
  PID:8900
- C:\Windows\System32\BuCMjVS.exe
  C:\Windows\System32\BuCMjVS.exe
  2⤵
  PID:8932
- C:\Windows\System32\kaZdSDk.exe
  C:\Windows\System32\kaZdSDk.exe
  2⤵
  PID:8968
- C:\Windows\System32\FVnUciK.exe
  C:\Windows\System32\FVnUciK.exe
  2⤵
  PID:8984
- C:\Windows\System32\ccLTGCQ.exe
  C:\Windows\System32\ccLTGCQ.exe
  2⤵
  PID:9004
- C:\Windows\System32\zMbuWpc.exe
  C:\Windows\System32\zMbuWpc.exe
  2⤵
  PID:9040
- C:\Windows\System32\lamJMvK.exe
  C:\Windows\System32\lamJMvK.exe
  2⤵
  PID:9072
- C:\Windows\System32\nBhKkak.exe
  C:\Windows\System32\nBhKkak.exe
  2⤵
  PID:9100
- C:\Windows\System32\OVlFguX.exe
  C:\Windows\System32\OVlFguX.exe
  2⤵
  PID:9128
- C:\Windows\System32\lTlVOvY.exe
  C:\Windows\System32\lTlVOvY.exe
  2⤵
  PID:9156
- C:\Windows\System32\cKfpcdK.exe
  C:\Windows\System32\cKfpcdK.exe
  2⤵
  PID:9172
- C:\Windows\System32\qfuncmL.exe
  C:\Windows\System32\qfuncmL.exe
  2⤵
  PID:9200
- C:\Windows\System32\UUpkEgB.exe
  C:\Windows\System32\UUpkEgB.exe
  2⤵
  PID:8240
- C:\Windows\System32\bLROFYz.exe
  C:\Windows\System32\bLROFYz.exe
  2⤵
  PID:8312
- C:\Windows\System32\EDthGcO.exe
  C:\Windows\System32\EDthGcO.exe
  2⤵
  PID:8364
- C:\Windows\System32\kkNhmWE.exe
  C:\Windows\System32\kkNhmWE.exe
  2⤵
  PID:8440
- C:\Windows\System32\gCEAqva.exe
  C:\Windows\System32\gCEAqva.exe
  2⤵
  PID:8512
- C:\Windows\System32\pcZhYQU.exe
  C:\Windows\System32\pcZhYQU.exe
  2⤵
  PID:8576
- C:\Windows\System32\ECMleyn.exe
  C:\Windows\System32\ECMleyn.exe
  2⤵
  PID:8636
- C:\Windows\System32\vPNYJMh.exe
  C:\Windows\System32\vPNYJMh.exe
  2⤵
  PID:8704
- C:\Windows\System32\YLxwheh.exe
  C:\Windows\System32\YLxwheh.exe
  2⤵
  PID:8776
- C:\Windows\System32\alfUbJu.exe
  C:\Windows\System32\alfUbJu.exe
  2⤵
  PID:8824
- C:\Windows\System32\zIHKeXt.exe
  C:\Windows\System32\zIHKeXt.exe
  2⤵
  PID:8880
- C:\Windows\System32\GoDgrTf.exe
  C:\Windows\System32\GoDgrTf.exe
  2⤵
  PID:8976
- C:\Windows\System32\pILumKR.exe
  C:\Windows\System32\pILumKR.exe
  2⤵
  PID:9036
- C:\Windows\System32\aXYqFPT.exe
  C:\Windows\System32\aXYqFPT.exe
  2⤵
  PID:7776
- C:\Windows\System32\ThlsMKZ.exe
  C:\Windows\System32\ThlsMKZ.exe
  2⤵
  PID:9120
- C:\Windows\System32\NDalLPf.exe
  C:\Windows\System32\NDalLPf.exe
  2⤵
  PID:8888
- C:\Windows\System32\qMUlpxZ.exe
  C:\Windows\System32\qMUlpxZ.exe
  2⤵
  PID:9164
- C:\Windows\System32\YEEdtjD.exe
  C:\Windows\System32\YEEdtjD.exe
  2⤵
  PID:8304
- C:\Windows\System32\WqquyMJ.exe
  C:\Windows\System32\WqquyMJ.exe
  2⤵
  PID:8468
- C:\Windows\System32\xCLEUMM.exe
  C:\Windows\System32\xCLEUMM.exe
  2⤵
  PID:8620
- C:\Windows\System32\fRMHSjv.exe
  C:\Windows\System32\fRMHSjv.exe
  2⤵
  PID:8860
- C:\Windows\System32\cLTZNbI.exe
  C:\Windows\System32\cLTZNbI.exe
  2⤵
  PID:8856
- C:\Windows\System32\yxXFpYN.exe
  C:\Windows\System32\yxXFpYN.exe
  2⤵
  PID:9088
- C:\Windows\System32\eCCWrNO.exe
  C:\Windows\System32\eCCWrNO.exe
  2⤵
  PID:9168
- C:\Windows\System32\yNdUPde.exe
  C:\Windows\System32\yNdUPde.exe
  2⤵
  PID:8768
- C:\Windows\System32\xfWKhZI.exe
  C:\Windows\System32\xfWKhZI.exe
  2⤵
  PID:4836
- C:\Windows\System32\aCMqgJM.exe
  C:\Windows\System32\aCMqgJM.exe
  2⤵
  PID:8592
- C:\Windows\System32\xqsUmVf.exe
  C:\Windows\System32\xqsUmVf.exe
  2⤵
  PID:9012
- C:\Windows\System32\mDelqxo.exe
  C:\Windows\System32\mDelqxo.exe
  2⤵
  PID:9240
- C:\Windows\System32\CEEahSC.exe
  C:\Windows\System32\CEEahSC.exe
  2⤵
  PID:9264
- C:\Windows\System32\whhjAqr.exe
  C:\Windows\System32\whhjAqr.exe
  2⤵
  PID:9292
- C:\Windows\System32\AZGHOtb.exe
  C:\Windows\System32\AZGHOtb.exe
  2⤵
  PID:9320
- C:\Windows\System32\wsUJXCc.exe
  C:\Windows\System32\wsUJXCc.exe
  2⤵
  PID:9348
- C:\Windows\System32\vdDDWbn.exe
  C:\Windows\System32\vdDDWbn.exe
  2⤵
  PID:9376
- C:\Windows\System32\hXySnxF.exe
  C:\Windows\System32\hXySnxF.exe
  2⤵
  PID:9400
- C:\Windows\System32\KkuBXWq.exe
  C:\Windows\System32\KkuBXWq.exe
  2⤵
  PID:9432
- C:\Windows\System32\qPReHkJ.exe
  C:\Windows\System32\qPReHkJ.exe
  2⤵
  PID:9452
- C:\Windows\System32\UmHgBqQ.exe
  C:\Windows\System32\UmHgBqQ.exe
  2⤵
  PID:9492
- C:\Windows\System32\OEQdgxn.exe
  C:\Windows\System32\OEQdgxn.exe
  2⤵
  PID:9516
- C:\Windows\System32\XvacfFY.exe
  C:\Windows\System32\XvacfFY.exe
  2⤵
  PID:9544
- C:\Windows\System32\UeWrzpv.exe
  C:\Windows\System32\UeWrzpv.exe
  2⤵
  PID:9572
- C:\Windows\System32\azCDizE.exe
  C:\Windows\System32\azCDizE.exe
  2⤵
  PID:9600
- C:\Windows\System32\Rfhhqvd.exe
  C:\Windows\System32\Rfhhqvd.exe
  2⤵
  PID:9632
- C:\Windows\System32\jftgqaD.exe
  C:\Windows\System32\jftgqaD.exe
  2⤵
  PID:9660
- C:\Windows\System32\sZqgRTR.exe
  C:\Windows\System32\sZqgRTR.exe
  2⤵
  PID:9696
- C:\Windows\System32\TopLbor.exe
  C:\Windows\System32\TopLbor.exe
  2⤵
  PID:9716
- C:\Windows\System32\DQcEXaQ.exe
  C:\Windows\System32\DQcEXaQ.exe
  2⤵
  PID:9744
- C:\Windows\System32\ytwFbKK.exe
  C:\Windows\System32\ytwFbKK.exe
  2⤵
  PID:9760
- C:\Windows\System32\uydAkYw.exe
  C:\Windows\System32\uydAkYw.exe
  2⤵
  PID:9800
- C:\Windows\System32\NjYOFIk.exe
  C:\Windows\System32\NjYOFIk.exe
  2⤵
  PID:9828
- C:\Windows\System32\RZQuRsD.exe
  C:\Windows\System32\RZQuRsD.exe
  2⤵
  PID:9856
- C:\Windows\System32\zHoKUbY.exe
  C:\Windows\System32\zHoKUbY.exe
  2⤵
  PID:9884
- C:\Windows\System32\hvkuywT.exe
  C:\Windows\System32\hvkuywT.exe
  2⤵
  PID:9912
- C:\Windows\System32\HDXHNlX.exe
  C:\Windows\System32\HDXHNlX.exe
  2⤵
  PID:9944
- C:\Windows\System32\jrbcWsL.exe
  C:\Windows\System32\jrbcWsL.exe
  2⤵
  PID:9972
- C:\Windows\System32\wNQaGzI.exe
  C:\Windows\System32\wNQaGzI.exe
  2⤵
  PID:10004
- C:\Windows\System32\VfiuptN.exe
  C:\Windows\System32\VfiuptN.exe
  2⤵
  PID:10032
- C:\Windows\System32\Azbclyp.exe
  C:\Windows\System32\Azbclyp.exe
  2⤵
  PID:10060
- C:\Windows\System32\UwOiIOZ.exe
  C:\Windows\System32\UwOiIOZ.exe
  2⤵
  PID:10088
- C:\Windows\System32\PRoCZPb.exe
  C:\Windows\System32\PRoCZPb.exe
  2⤵
  PID:10128
- C:\Windows\System32\FBLxkMY.exe
  C:\Windows\System32\FBLxkMY.exe
  2⤵
  PID:10152
- C:\Windows\System32\MNkJvGF.exe
  C:\Windows\System32\MNkJvGF.exe
  2⤵
  PID:10172
- C:\Windows\System32\KQbThZs.exe
  C:\Windows\System32\KQbThZs.exe
  2⤵
  PID:10200
- C:\Windows\System32\GDBSuds.exe
  C:\Windows\System32\GDBSuds.exe
  2⤵
  PID:10232
- C:\Windows\System32\ydEXrmD.exe
  C:\Windows\System32\ydEXrmD.exe
  2⤵
  PID:9252
- C:\Windows\System32\MhjXfDO.exe
  C:\Windows\System32\MhjXfDO.exe
  2⤵
  PID:9308
- C:\Windows\System32\yJZLkpl.exe
  C:\Windows\System32\yJZLkpl.exe
  2⤵
  PID:9368
- C:\Windows\System32\IlrByHD.exe
  C:\Windows\System32\IlrByHD.exe
  2⤵
  PID:9428
- C:\Windows\System32\psIPiyZ.exe
  C:\Windows\System32\psIPiyZ.exe
  2⤵
  PID:9528
- C:\Windows\System32\ZNiKuQg.exe
  C:\Windows\System32\ZNiKuQg.exe
  2⤵
  PID:9564
- C:\Windows\System32\KffCSsp.exe
  C:\Windows\System32\KffCSsp.exe
  2⤵
  PID:9656
- C:\Windows\System32\KzdkBCP.exe
  C:\Windows\System32\KzdkBCP.exe
  2⤵
  PID:9728
- C:\Windows\System32\HDshYul.exe
  C:\Windows\System32\HDshYul.exe
  2⤵
  PID:9792
- C:\Windows\System32\oBaNZII.exe
  C:\Windows\System32\oBaNZII.exe
  2⤵
  PID:9840
- C:\Windows\System32\PHOjZAd.exe
  C:\Windows\System32\PHOjZAd.exe
  2⤵
  PID:9908
- C:\Windows\System32\dNvypSF.exe
  C:\Windows\System32\dNvypSF.exe
  2⤵
  PID:9984
- C:\Windows\System32\wkwcsKS.exe
  C:\Windows\System32\wkwcsKS.exe
  2⤵
  PID:10052
- C:\Windows\System32\vbQoPcX.exe
  C:\Windows\System32\vbQoPcX.exe
  2⤵
  PID:10112
- C:\Windows\System32\qXNYZyF.exe
  C:\Windows\System32\qXNYZyF.exe
  2⤵
  PID:10192
- C:\Windows\System32\gbyJenL.exe
  C:\Windows\System32\gbyJenL.exe
  2⤵
  PID:9276
- C:\Windows\System32\HrcsuiP.exe
  C:\Windows\System32\HrcsuiP.exe
  2⤵
  PID:9416
- C:\Windows\System32\jBSHjGs.exe
  C:\Windows\System32\jBSHjGs.exe
  2⤵
  PID:9584
- C:\Windows\System32\fUgHqXV.exe
  C:\Windows\System32\fUgHqXV.exe
  2⤵
  PID:9712
- C:\Windows\System32\icUFkSB.exe
  C:\Windows\System32\icUFkSB.exe
  2⤵
  PID:9816
- C:\Windows\System32\EobJFRQ.exe
  C:\Windows\System32\EobJFRQ.exe
  2⤵
  PID:10044
- C:\Windows\System32\riJFFWU.exe
  C:\Windows\System32\riJFFWU.exe
  2⤵
  PID:9232
- C:\Windows\System32\QypTICk.exe
  C:\Windows\System32\QypTICk.exe
  2⤵
  PID:9532
- C:\Windows\System32\LJNhPeb.exe
  C:\Windows\System32\LJNhPeb.exe
  2⤵
  PID:9940
- C:\Windows\System32\mZCqOdL.exe
  C:\Windows\System32\mZCqOdL.exe
  2⤵
  PID:9340
- C:\Windows\System32\WbGYsEJ.exe
  C:\Windows\System32\WbGYsEJ.exe
  2⤵
  PID:9704
- C:\Windows\System32\wxQfQOI.exe
  C:\Windows\System32\wxQfQOI.exe
  2⤵
  PID:10248
- C:\Windows\System32\oyCOPsn.exe
  C:\Windows\System32\oyCOPsn.exe
  2⤵
  PID:10268
- C:\Windows\System32\XySLQgj.exe
  C:\Windows\System32\XySLQgj.exe
  2⤵
  PID:10300
- C:\Windows\System32\njPRVDH.exe
  C:\Windows\System32\njPRVDH.exe
  2⤵
  PID:10332
- C:\Windows\System32\ugeOqdH.exe
  C:\Windows\System32\ugeOqdH.exe
  2⤵
  PID:10360
- C:\Windows\System32\gCyypbl.exe
  C:\Windows\System32\gCyypbl.exe
  2⤵
  PID:10376
- C:\Windows\System32\GbMhUzN.exe
  C:\Windows\System32\GbMhUzN.exe
  2⤵
  PID:10416
- C:\Windows\System32\eGqLfGZ.exe
  C:\Windows\System32\eGqLfGZ.exe
  2⤵
  PID:10444
- C:\Windows\System32\Akoycjz.exe
  C:\Windows\System32\Akoycjz.exe
  2⤵
  PID:10464
- C:\Windows\System32\vAZSVmv.exe
  C:\Windows\System32\vAZSVmv.exe
  2⤵
  PID:10504
- C:\Windows\System32\yaFRjVy.exe
  C:\Windows\System32\yaFRjVy.exe
  2⤵
  PID:10532
- C:\Windows\System32\FCtOYpW.exe
  C:\Windows\System32\FCtOYpW.exe
  2⤵
  PID:10548
- C:\Windows\System32\SzaBUIp.exe
  C:\Windows\System32\SzaBUIp.exe
  2⤵
  PID:10588
- C:\Windows\System32\kvAllPl.exe
  C:\Windows\System32\kvAllPl.exe
  2⤵
  PID:10616
- C:\Windows\System32\mLknKSj.exe
  C:\Windows\System32\mLknKSj.exe
  2⤵
  PID:10644
- C:\Windows\System32\PNOjpRC.exe
  C:\Windows\System32\PNOjpRC.exe
  2⤵
  PID:10672
- C:\Windows\System32\AHhSamO.exe
  C:\Windows\System32\AHhSamO.exe
  2⤵
  PID:10700
- C:\Windows\System32\oIUtnGi.exe
  C:\Windows\System32\oIUtnGi.exe
  2⤵
  PID:10732
- C:\Windows\System32\xoIYmrl.exe
  C:\Windows\System32\xoIYmrl.exe
  2⤵
  PID:10760
- C:\Windows\System32\CcIcUDb.exe
  C:\Windows\System32\CcIcUDb.exe
  2⤵
  PID:10788
- C:\Windows\System32\ikNBuCS.exe
  C:\Windows\System32\ikNBuCS.exe
  2⤵
  PID:10816
- C:\Windows\System32\EKVRqoP.exe
  C:\Windows\System32\EKVRqoP.exe
  2⤵
  PID:10844
- C:\Windows\System32\UfSUmYk.exe
  C:\Windows\System32\UfSUmYk.exe
  2⤵
  PID:10864
- C:\Windows\System32\FzQVqTI.exe
  C:\Windows\System32\FzQVqTI.exe
  2⤵
  PID:10888
- C:\Windows\System32\UmQEozv.exe
  C:\Windows\System32\UmQEozv.exe
  2⤵
  PID:10916
- C:\Windows\System32\RsjAuNT.exe
  C:\Windows\System32\RsjAuNT.exe
  2⤵
  PID:10956
- C:\Windows\System32\lQzIVUt.exe
  C:\Windows\System32\lQzIVUt.exe
  2⤵
  PID:10984
- C:\Windows\System32\bMWcTuF.exe
  C:\Windows\System32\bMWcTuF.exe
  2⤵
  PID:11012
- C:\Windows\System32\AsMZsbW.exe
  C:\Windows\System32\AsMZsbW.exe
  2⤵
  PID:11032
- C:\Windows\System32\HHlMIML.exe
  C:\Windows\System32\HHlMIML.exe
  2⤵
  PID:11068
- C:\Windows\System32\HXqjiem.exe
  C:\Windows\System32\HXqjiem.exe
  2⤵
  PID:11096
- C:\Windows\System32\ksMBtor.exe
  C:\Windows\System32\ksMBtor.exe
  2⤵
  PID:11124
- C:\Windows\System32\GQvkBeO.exe
  C:\Windows\System32\GQvkBeO.exe
  2⤵
  PID:11140
- C:\Windows\System32\xpFDSvy.exe
  C:\Windows\System32\xpFDSvy.exe
  2⤵
  PID:11180
- C:\Windows\System32\MrZRBgi.exe
  C:\Windows\System32\MrZRBgi.exe
  2⤵
  PID:11208
- C:\Windows\System32\PZFyHYO.exe
  C:\Windows\System32\PZFyHYO.exe
  2⤵
  PID:11224
- C:\Windows\System32\BmBgVPS.exe
  C:\Windows\System32\BmBgVPS.exe
  2⤵
  PID:11256
- C:\Windows\System32\SWRRVhL.exe
  C:\Windows\System32\SWRRVhL.exe
  2⤵
  PID:10324
- C:\Windows\System32\tmIwBGi.exe
  C:\Windows\System32\tmIwBGi.exe
  2⤵
  PID:10368
- C:\Windows\System32\NCYtuTK.exe
  C:\Windows\System32\NCYtuTK.exe
  2⤵
  PID:10436
- C:\Windows\System32\TtRprcn.exe
  C:\Windows\System32\TtRprcn.exe
  2⤵
  PID:10488
- C:\Windows\System32\hQPulny.exe
  C:\Windows\System32\hQPulny.exe
  2⤵
  PID:10572
- C:\Windows\System32\wkYZfOz.exe
  C:\Windows\System32\wkYZfOz.exe
  2⤵
  PID:10604
- C:\Windows\System32\iPQQnHP.exe
  C:\Windows\System32\iPQQnHP.exe
  2⤵
  PID:10684
- C:\Windows\System32\QmIdKRb.exe
  C:\Windows\System32\QmIdKRb.exe
  2⤵
  PID:10784
- C:\Windows\System32\hWwEahb.exe
  C:\Windows\System32\hWwEahb.exe
  2⤵
  PID:10836
- C:\Windows\System32\oQJpnpR.exe
  C:\Windows\System32\oQJpnpR.exe
  2⤵
  PID:10884
- C:\Windows\System32\NodZFYs.exe
  C:\Windows\System32\NodZFYs.exe
  2⤵
  PID:10968
- C:\Windows\System32\mYSThmn.exe
  C:\Windows\System32\mYSThmn.exe
  2⤵
  PID:11004
- C:\Windows\System32\hPxFewQ.exe
  C:\Windows\System32\hPxFewQ.exe
  2⤵
  PID:11116
- C:\Windows\System32\nyoGguh.exe
  C:\Windows\System32\nyoGguh.exe
  2⤵
  PID:11168
- C:\Windows\System32\IwaEzgH.exe
  C:\Windows\System32\IwaEzgH.exe
  2⤵
  PID:11216
- C:\Windows\System32\WVXyBFx.exe
  C:\Windows\System32\WVXyBFx.exe
  2⤵
  PID:10284
- C:\Windows\System32\zxrpPne.exe
  C:\Windows\System32\zxrpPne.exe
  2⤵
  PID:10460
- C:\Windows\System32\BzOYRta.exe
  C:\Windows\System32\BzOYRta.exe
  2⤵
  PID:10632
- C:\Windows\System32\VBjgjgE.exe
  C:\Windows\System32\VBjgjgE.exe
  2⤵
  PID:10800
- C:\Windows\System32\AViiPTL.exe
  C:\Windows\System32\AViiPTL.exe
  2⤵
  PID:10996
- C:\Windows\System32\wfkkPbe.exe
  C:\Windows\System32\wfkkPbe.exe
  2⤵
  PID:11064
- C:\Windows\System32\geiqpib.exe
  C:\Windows\System32\geiqpib.exe
  2⤵
  PID:11220
- C:\Windows\System32\cmVPXLD.exe
  C:\Windows\System32\cmVPXLD.exe
  2⤵
  PID:10524
- C:\Windows\System32\LMEWySk.exe
  C:\Windows\System32\LMEWySk.exe
  2⤵
  PID:10908
- C:\Windows\System32\DzNxJcx.exe
  C:\Windows\System32\DzNxJcx.exe
  2⤵
  PID:11204
- C:\Windows\System32\TBeaPHY.exe
  C:\Windows\System32\TBeaPHY.exe
  2⤵
  PID:11052
- C:\Windows\System32\iaLVwVV.exe
  C:\Windows\System32\iaLVwVV.exe
  2⤵
  PID:11276
- C:\Windows\System32\iaBYWNO.exe
  C:\Windows\System32\iaBYWNO.exe
  2⤵
  PID:11308
- C:\Windows\System32\kTryHRi.exe
  C:\Windows\System32\kTryHRi.exe
  2⤵
  PID:11336
- C:\Windows\System32\oviAkbR.exe
  C:\Windows\System32\oviAkbR.exe
  2⤵
  PID:11364
- C:\Windows\System32\dffVoWc.exe
  C:\Windows\System32\dffVoWc.exe
  2⤵
  PID:11400
- C:\Windows\System32\dhprwvb.exe
  C:\Windows\System32\dhprwvb.exe
  2⤵
  PID:11436
- C:\Windows\System32\YqylwpV.exe
  C:\Windows\System32\YqylwpV.exe
  2⤵
  PID:11480
- C:\Windows\System32\WbdKHDR.exe
  C:\Windows\System32\WbdKHDR.exe
  2⤵
  PID:11532
- C:\Windows\System32\wWNOVaV.exe
  C:\Windows\System32\wWNOVaV.exe
  2⤵
  PID:11568
- C:\Windows\System32\mbyCNiQ.exe
  C:\Windows\System32\mbyCNiQ.exe
  2⤵
  PID:11600
- C:\Windows\System32\spWIGiU.exe
  C:\Windows\System32\spWIGiU.exe
  2⤵
  PID:11628
- C:\Windows\System32\xTdbALZ.exe
  C:\Windows\System32\xTdbALZ.exe
  2⤵
  PID:11656
- C:\Windows\System32\qOgZPTQ.exe
  C:\Windows\System32\qOgZPTQ.exe
  2⤵
  PID:11692
- C:\Windows\System32\INyvXeI.exe
  C:\Windows\System32\INyvXeI.exe
  2⤵
  PID:11720
- C:\Windows\System32\otxTROY.exe
  C:\Windows\System32\otxTROY.exe
  2⤵
  PID:11748
- C:\Windows\System32\ZMAmxrP.exe
  C:\Windows\System32\ZMAmxrP.exe
  2⤵
  PID:11792
- C:\Windows\System32\gVFfJLj.exe
  C:\Windows\System32\gVFfJLj.exe
  2⤵
  PID:11820
- C:\Windows\System32\rOweSzZ.exe
  C:\Windows\System32\rOweSzZ.exe
  2⤵
  PID:11848
- C:\Windows\System32\zyhPsWI.exe
  C:\Windows\System32\zyhPsWI.exe
  2⤵
  PID:11884
- C:\Windows\System32\lGDrAUX.exe
  C:\Windows\System32\lGDrAUX.exe
  2⤵
  PID:11912
- C:\Windows\System32\uFpbogw.exe
  C:\Windows\System32\uFpbogw.exe
  2⤵
  PID:11940
- C:\Windows\System32\rFzDXMM.exe
  C:\Windows\System32\rFzDXMM.exe
  2⤵
  PID:11968
- C:\Windows\System32\emFUfWj.exe
  C:\Windows\System32\emFUfWj.exe
  2⤵
  PID:12004
- C:\Windows\System32\XVZdTrd.exe
  C:\Windows\System32\XVZdTrd.exe
  2⤵
  PID:12032
- C:\Windows\System32\RijsdKj.exe
  C:\Windows\System32\RijsdKj.exe
  2⤵
  PID:12060
- C:\Windows\System32\CCpGono.exe
  C:\Windows\System32\CCpGono.exe
  2⤵
  PID:12088
- C:\Windows\System32\QhsoKRi.exe
  C:\Windows\System32\QhsoKRi.exe
  2⤵
  PID:12116
- C:\Windows\System32\hryVmUB.exe
  C:\Windows\System32\hryVmUB.exe
  2⤵
  PID:12144
- C:\Windows\System32\tzjKPHb.exe
  C:\Windows\System32\tzjKPHb.exe
  2⤵
  PID:12172
- C:\Windows\System32\lGXvyQF.exe
  C:\Windows\System32\lGXvyQF.exe
  2⤵
  PID:12208
- C:\Windows\System32\kcrxcmN.exe
  C:\Windows\System32\kcrxcmN.exe
  2⤵
  PID:12240
- C:\Windows\System32\LgZaHBw.exe
  C:\Windows\System32\LgZaHBw.exe
  2⤵
  PID:12272
- C:\Windows\System32\rEEauyv.exe
  C:\Windows\System32\rEEauyv.exe
  2⤵
  PID:11300
- C:\Windows\System32\gTTRjCg.exe
  C:\Windows\System32\gTTRjCg.exe
  2⤵
  PID:11360
- C:\Windows\System32\DHphqey.exe
  C:\Windows\System32\DHphqey.exe
  2⤵
  PID:11452
- C:\Windows\System32\aIIAXYX.exe
  C:\Windows\System32\aIIAXYX.exe
  2⤵
  PID:11560
- C:\Windows\System32\blxBJhU.exe
  C:\Windows\System32\blxBJhU.exe
  2⤵
  PID:11648
- C:\Windows\System32\VlOJoIA.exe
  C:\Windows\System32\VlOJoIA.exe
  2⤵
  PID:11732
- C:\Windows\System32\dfwTSGs.exe
  C:\Windows\System32\dfwTSGs.exe
  2⤵
  PID:11812
- C:\Windows\System32\hcPbiCA.exe
  C:\Windows\System32\hcPbiCA.exe
  2⤵
  PID:11896
- C:\Windows\System32\wZeyXPp.exe
  C:\Windows\System32\wZeyXPp.exe
  2⤵
  PID:11960
- C:\Windows\System32\fTWSmSH.exe
  C:\Windows\System32\fTWSmSH.exe
  2⤵
  PID:12016
- C:\Windows\System32\fnVtjCa.exe
  C:\Windows\System32\fnVtjCa.exe
  2⤵
  PID:12076
- C:\Windows\System32\jrUXRun.exe
  C:\Windows\System32\jrUXRun.exe
  2⤵
  PID:12168
- C:\Windows\System32\NNZczkb.exe
  C:\Windows\System32\NNZczkb.exe
  2⤵
  PID:12232
- C:\Windows\System32\kRrywcm.exe
  C:\Windows\System32\kRrywcm.exe
  2⤵
  PID:11292
- C:\Windows\System32\GTLXokR.exe
  C:\Windows\System32\GTLXokR.exe
  2⤵
  PID:11524
- C:\Windows\System32\ZadCMHu.exe
  C:\Windows\System32\ZadCMHu.exe
  2⤵
  PID:11712
- C:\Windows\System32\pdMZRpG.exe
  C:\Windows\System32\pdMZRpG.exe
  2⤵
  PID:11872
- C:\Windows\System32\YVJyKVD.exe
  C:\Windows\System32\YVJyKVD.exe
  2⤵
  PID:12044
- C:\Windows\System32\uutSGcS.exe
  C:\Windows\System32\uutSGcS.exe
  2⤵
  PID:2232
- C:\Windows\System32\kAkssrf.exe
  C:\Windows\System32\kAkssrf.exe
  2⤵
  PID:2236
- C:\Windows\System32\TJWJjyA.exe
  C:\Windows\System32\TJWJjyA.exe
  2⤵
  PID:12284
- C:\Windows\System32\YACNAKR.exe
  C:\Windows\System32\YACNAKR.exe
  2⤵
  PID:11688
- C:\Windows\System32\oWAYQIa.exe
  C:\Windows\System32\oWAYQIa.exe
  2⤵
  PID:12140
- C:\Windows\System32\drLmovx.exe
  C:\Windows\System32\drLmovx.exe
  2⤵
  PID:11432
- C:\Windows\System32\vzppwIF.exe
  C:\Windows\System32\vzppwIF.exe
  2⤵
  PID:4856
- C:\Windows\System32\TUseRbs.exe
  C:\Windows\System32\TUseRbs.exe
  2⤵
  PID:12296
- C:\Windows\System32\squJtrP.exe
  C:\Windows\System32\squJtrP.exe
  2⤵
  PID:12324
- C:\Windows\System32\AbtTbdt.exe
  C:\Windows\System32\AbtTbdt.exe
  2⤵
  PID:12360
- C:\Windows\System32\iCnuFrv.exe
  C:\Windows\System32\iCnuFrv.exe
  2⤵
  PID:12388
- C:\Windows\System32\rmyzjtj.exe
  C:\Windows\System32\rmyzjtj.exe
  2⤵
  PID:12416
- C:\Windows\System32\CzcQrWq.exe
  C:\Windows\System32\CzcQrWq.exe
  2⤵
  PID:12444
- C:\Windows\System32\wicjYoB.exe
  C:\Windows\System32\wicjYoB.exe
  2⤵
  PID:12472
- C:\Windows\System32\YvXNOdy.exe
  C:\Windows\System32\YvXNOdy.exe
  2⤵
  PID:12500
- C:\Windows\System32\jWalgbS.exe
  C:\Windows\System32\jWalgbS.exe
  2⤵
  PID:12528
- C:\Windows\System32\CwpYyxR.exe
  C:\Windows\System32\CwpYyxR.exe
  2⤵
  PID:12556
- C:\Windows\System32\rXytIkt.exe
  C:\Windows\System32\rXytIkt.exe
  2⤵
  PID:12584
- C:\Windows\System32\QXObzMC.exe
  C:\Windows\System32\QXObzMC.exe
  2⤵
  PID:12636
- C:\Windows\System32\yOHqZjo.exe
  C:\Windows\System32\yOHqZjo.exe
  2⤵
  PID:12680
- C:\Windows\System32\yVtPVgz.exe
  C:\Windows\System32\yVtPVgz.exe
  2⤵
  PID:12708
- C:\Windows\System32\TvZySOi.exe
  C:\Windows\System32\TvZySOi.exe
  2⤵
  PID:12724
- C:\Windows\System32\JJRBMmb.exe
  C:\Windows\System32\JJRBMmb.exe
  2⤵
  PID:12768
- C:\Windows\System32\sZgSfxr.exe
  C:\Windows\System32\sZgSfxr.exe
  2⤵
  PID:12796
- C:\Windows\System32\radoCAy.exe
  C:\Windows\System32\radoCAy.exe
  2⤵
  PID:12832
- C:\Windows\System32\MXBlPGx.exe
  C:\Windows\System32\MXBlPGx.exe
  2⤵
  PID:12864
- C:\Windows\System32\hOOtQDZ.exe
  C:\Windows\System32\hOOtQDZ.exe
  2⤵
  PID:12892
- C:\Windows\System32\yZcnFDO.exe
  C:\Windows\System32\yZcnFDO.exe
  2⤵
  PID:12924
- C:\Windows\System32\bBTohlp.exe
  C:\Windows\System32\bBTohlp.exe
  2⤵
  PID:12952
- C:\Windows\System32\deeJqBU.exe
  C:\Windows\System32\deeJqBU.exe
  2⤵
  PID:12984
- C:\Windows\System32\voceSOS.exe
  C:\Windows\System32\voceSOS.exe
  2⤵
  PID:13012
- C:\Windows\System32\dEstAsu.exe
  C:\Windows\System32\dEstAsu.exe
  2⤵
  PID:13028
- C:\Windows\System32\mNNzYPz.exe
  C:\Windows\System32\mNNzYPz.exe
  2⤵
  PID:13044
- C:\Windows\System32\UfdHbFk.exe
  C:\Windows\System32\UfdHbFk.exe
  2⤵
  PID:13084
- C:\Windows\System32\nvknXfc.exe
  C:\Windows\System32\nvknXfc.exe
  2⤵
  PID:13120
- C:\Windows\System32\hawnEtm.exe
  C:\Windows\System32\hawnEtm.exe
  2⤵
  PID:13156
- C:\Windows\System32\IECAaGI.exe
  C:\Windows\System32\IECAaGI.exe
  2⤵
  PID:13188
- C:\Windows\System32\XAWoIox.exe
  C:\Windows\System32\XAWoIox.exe
  2⤵
  PID:13216
- C:\Windows\System32\bLrLIFD.exe
  C:\Windows\System32\bLrLIFD.exe
  2⤵
  PID:13244
- C:\Windows\System32\nttTcbL.exe
  C:\Windows\System32\nttTcbL.exe
  2⤵
  PID:13272
- C:\Windows\System32\IWGJGwJ.exe
  C:\Windows\System32\IWGJGwJ.exe
  2⤵
  PID:13300
- C:\Windows\System32\cVxKoNz.exe
  C:\Windows\System32\cVxKoNz.exe
  2⤵
  PID:12320
- C:\Windows\System32\rdWuuGs.exe
  C:\Windows\System32\rdWuuGs.exe
  2⤵
  PID:12380
- C:\Windows\System32\EwrrSNx.exe
  C:\Windows\System32\EwrrSNx.exe
  2⤵
  PID:12456
- C:\Windows\System32\JDsathU.exe
  C:\Windows\System32\JDsathU.exe
  2⤵
  PID:12520
- C:\Windows\System32\PNiyXkl.exe
  C:\Windows\System32\PNiyXkl.exe
  2⤵
  PID:12576
- C:\Windows\System32\mWQukhW.exe
  C:\Windows\System32\mWQukhW.exe
  2⤵
  PID:12668
- C:\Windows\System32\IgIhiUt.exe
  C:\Windows\System32\IgIhiUt.exe
  2⤵
  PID:12720
- C:\Windows\System32\npnmkrt.exe
  C:\Windows\System32\npnmkrt.exe
  2⤵
  PID:12788
- C:\Windows\System32\THSvvIC.exe
  C:\Windows\System32\THSvvIC.exe
  2⤵
  PID:12860
- C:\Windows\System32\BdLOAEl.exe
  C:\Windows\System32\BdLOAEl.exe
  2⤵
  PID:12916
- C:\Windows\System32\SUgxiTq.exe
  C:\Windows\System32\SUgxiTq.exe
  2⤵
  PID:12996
- C:\Windows\System32\nHkRrcH.exe
  C:\Windows\System32\nHkRrcH.exe
  2⤵
  PID:13056
- C:\Windows\System32\yTEHOUH.exe
  C:\Windows\System32\yTEHOUH.exe
  2⤵
  PID:13148
- C:\Windows\System32\jHHOgUa.exe
  C:\Windows\System32\jHHOgUa.exe
  2⤵
  PID:13176
- C:\Windows\System32\ituYfap.exe
  C:\Windows\System32\ituYfap.exe
  2⤵
  PID:13256
- C:\Windows\System32\yvNOVMN.exe
  C:\Windows\System32\yvNOVMN.exe
  2⤵
  PID:12352
- C:\Windows\System32\AgIxIPk.exe
  C:\Windows\System32\AgIxIPk.exe
  2⤵
  PID:12552
- C:\Windows\System32\wsbVOAz.exe
  C:\Windows\System32\wsbVOAz.exe
  2⤵
  PID:12816
- C:\Windows\System32\VdpItmI.exe
  C:\Windows\System32\VdpItmI.exe
  2⤵
  PID:12980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:8072

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AFeoZoz.exe

Filesize
3.2MB

MD5
d0ec5c5b584e0907ffd75dd433e7e613

SHA1
0c2786bdfad9f19b653e27141efadebd7e24c245

SHA256
62cdcc127427b95030e285abab717086956ed62053fe4dac127f4328914641f6

SHA512
f97a518711f6142e8e6fef1fa773c6bc21fa88853dc9fa11787e289f13929dec462f1b45bf2bcc94c40be801836b6b0588c04c599d0118109f5cc76690f0cc74

Download Submit
C:\Windows\System32\BIlmfCK.exe

Filesize
3.2MB

MD5
14bf49c9c3cddbd37023e11668c9d6d9

SHA1
ac68a633d9ae6e0fb0ce4bb341afaa1e35d43ac8

SHA256
270f719a5d3b2741ad47d626fdea5088c997abc9393bf1d86417f65e07d4ebba

SHA512
b9af30fc8452f915a0ef8ceae998ef198899f175c78f56c11d04f37ac86fbf89dfa2fcee155d415c986cad8025ade643b2e5b3bdf516ef5bb91f2fe4048021cd

Download Submit
C:\Windows\System32\EgklLCc.exe

Filesize
3.2MB

MD5
3a37ae313fc9acf0ed2560a75f724266

SHA1
214532bd371c1572e30ba65643aa00bae806c406

SHA256
449a4a79cf1b187dbbfeb0169a9ddf19c328a901acfdeb005e39c3d900ab5fb0

SHA512
9ad8119140c2bc74476e8b1b1df261bfa20cda74667803cc95b1b79a938b40dbaae6601d8772917d869c2e864ea6dd1e7d4df82f6b243190894578d80cddbdea

Download Submit
C:\Windows\System32\GObspbL.exe

Filesize
3.2MB

MD5
812991893bc377914aa956cbfbda9e78

SHA1
b817d46971cbe03c701b4ac2e63b0522258f343d

SHA256
e65ae06fbe91acaed2c54f004ebc91ffe98f1c0f3c3914edb1201996947ace06

SHA512
d846a4297aa00b0893aa0224e2c399b55e346e9621d0194e9154718a7920b2ba6e944b1dd22d0284e107bc7b2998d26f8b9a7dc2f2b30b71b78bb60c256291dc

Download Submit
C:\Windows\System32\HYWiVdb.exe

Filesize
3.2MB

MD5
b34abd8c8b62761bd77070e80d6f8d7f

SHA1
5fffac5102b76812b54930085585fe3bf26ce1fd

SHA256
c295b10e0bf217a58e4542c5b9830bb9258cedc9a571931b2736e8842620e910

SHA512
4314c4bf4653cafe9abf0153c9ec3b10d3d012111e231b1e479c4169dcd7309919050ea80b2bea52417cdff7995e3a30a622d979dafc96a2c4fa70c632beb499

Download Submit
C:\Windows\System32\IISielN.exe

Filesize
3.2MB

MD5
792cb6666f391251d1ea719c998b50a3

SHA1
ceeb288a2d1db18064400fcf336b262a62adb4cc

SHA256
f88888808c2a760de0bbee44fc1ac366657bb680ea38b4faa070912f7fda8a30

SHA512
51e4917ecd0e8f3185e323bc0f79a4b756e62c607104565e14ecadcd50a44cf2cc0fc7f009149380f3f05297345a2497bbae7f6be9320071139c807b63cebe5c

Download Submit
C:\Windows\System32\JsAbNeN.exe

Filesize
3.2MB

MD5
1bd429c54e783c04ba3a71785d6e1631

SHA1
81c76856955747feded966ff98f4fad2bbea58b3

SHA256
a7dbf72e8af8ae69bc2cb6e6b3ea34a2afce1b7cd860fe0b26a00ba039030297

SHA512
fa1582934725f2e409032d33efadf3d6fbded82600eef7c197c4d8dc9ec7d19b9946e3858c79e9e091d855bdfa03fa5c9a62680a9ca1f02dadfcb69e46d3118d

Download Submit
C:\Windows\System32\NMPLDBD.exe

Filesize
3.2MB

MD5
45fc8f4a2d3cfbddd4a828b2d84de758

SHA1
daafca4cd6f00504b792462ae848d2599b3882f0

SHA256
ca1e2e4f08ed3ec5e836f08e2485f1e40c04241fd1453457320ca4d94b56b872

SHA512
e4e965d23ee3ef5adb62ee0843cce8c47e8d52ed5686dc6e647849f5f19499b2b30e1dc3bd3653410d199af5ea94d3b1c605b46f4af25621051720d4c08455a7

Download Submit
C:\Windows\System32\OeIkkfb.exe

Filesize
3.2MB

MD5
992788c0bb21a53cc9c3ccd13bf34ccd

SHA1
59e23b5b0170f856afef75fa2e0265714ce1bb8d

SHA256
43a1077018920a26ec3221dd482aa77861ddd72da2f865a717ad8d8f85f2dce5

SHA512
740b88e5e1c054443f60b6a6e2ea9028d11ad60df78daabca82033d3b48c779aa416a2fbc3af9d31b5fcd46a9dc32f772c9bc96c11845bcc63c6c640defc83dc

Download Submit
C:\Windows\System32\OwDHxTH.exe

Filesize
3.2MB

MD5
4a8ce252a003a5d4f12ae4c6927f04b9

SHA1
68e2b24fb8d37b896bbeff22f0ac8ab039056062

SHA256
5b8aea145d0e34d7901dca450fa61506f43446913f5d62e66a84e0f1569fcad6

SHA512
4895bad0eb0ee7e35a8e810fb497862a574bf9217a52d6b2992081f40dd6abeea3d5cec818fa2f85dc208c63dfc7e3b5242ff063795a004f48fee5d4527cb41a

Download Submit
C:\Windows\System32\PHhgZzW.exe

Filesize
3.2MB

MD5
6a92b3174503538bea0c660a1458babc

SHA1
dc10a5ea0609100bf52d7bc38d05bc4706c7b47a

SHA256
f9a94b929483b551e18e6bfff95e79163b4980ebfa548796bde795479a2ba6f8

SHA512
dae0c88841622f3bdb4d42bf9bb168989db2e0e6b39720919be23ca59bc7f78fe62f566a6e3b1cab6d51433f6212cee593f76c5f15f0464b610ebf54375843f6

Download Submit
C:\Windows\System32\RilAEMY.exe

Filesize
3.2MB

MD5
cc7c5a16fa9da6150b9de3d4633e16a2

SHA1
ee379338407988c03049e98defcf0d206c86dbab

SHA256
ba7f4da0693876d7620023ffbf7b258eff506dcb7078daff74836cd51e73afb9

SHA512
148e3e389bcdbabe520d2ab92fa4fd2ae7d5741e47eec3e0d2fccadede6ab11a72b8b5ad2e0826f7014041f228cfa1b81c8916acb7645daa773edbcfc4ad5003

Download Submit
C:\Windows\System32\TnZAnlf.exe

Filesize
3.2MB

MD5
eddd6b669bca39c39b20f2b1e01ce323

SHA1
c1ff4ad636bc701ce329d160de7f8da06b654a7b

SHA256
24de07be9c35517f038c692a59b495905a5dce0fb8f3e40a7e1e8bcf845b740b

SHA512
bf4e60da121b0a7ea7aa90f0ed3302ad98d603af079604f252fcd7aa555ee6481931f7d5dd11d29a05ec3aee446c9a8440608b2b91d2514fa95e833b2f1e0938

Download Submit
C:\Windows\System32\VZMIPge.exe

Filesize
3.2MB

MD5
e162dcc146ec28573069e770319b1398

SHA1
076c4597420a3d14579b322e78bf1cfef106ffa5

SHA256
e8204f4e5b649b99416b14d0ba58690071b489b5014130e2d3ca4dadadc25e4d

SHA512
bbb7ad1e5e958691769873ca51eb4107f1aba5be08e80c35e9e0a1e3861c0f017a49e5ce38ef138e4bf6659e5ca4567fe2576a62f65ad4f5b9014984c06f65fb

Download Submit
C:\Windows\System32\VkcSFNi.exe

Filesize
3.2MB

MD5
6f294810287a96125fd6780fabb513d4

SHA1
7886ce5a0cd2578e02d8d7db294196e362545d12

SHA256
6647ae78b9597f3b5a3d0b1f6474371539a0711120fac4108b92321fce5e62dc

SHA512
99b6dbd9118b2fc6dd32f3da73b3249652cea46eb9336f34aab1c5cd0ecd5e5529cc42202382c3ebd5c0101b388af211e12c913cccc42a0f2ec26dddeda205df

Download Submit
C:\Windows\System32\WQbQwlC.exe

Filesize
3.2MB

MD5
15d25b705e9a3b3544587cb8ab0d2ee8

SHA1
2f65ecc6e8e08670bc5f58f954ad80f1060cc7b7

SHA256
743b92f1e3b6fe96efd5994605538bb54de8f8682b9ee3e589e02a5797cde164

SHA512
02a3fe7746967be5b5817067b6b49c1816d30ee3a5cdd9dbf5dfe2ea62e7a2aa9e501b954099ff4cf621ee63337a9d160092eb04b4b19cdc87e6dbb012d1ea17

Download Submit
C:\Windows\System32\XCBjGKh.exe

Filesize
3.2MB

MD5
c507ff4710aa4e56e6d60f7090c6997c

SHA1
acb373012d9ef2e6aae6dd4b319329c07feae5ed

SHA256
3986e33b1c777126b7a7b782b08c3fc0cf305e670d0a8482565e79551184652f

SHA512
94b570df09825b86e0cde01a729f997d9246b5da1d5e78cd5b08d77fa914675e7c74f1e6919c53bf8d3540f53b2263445531c4439ad53b4964cfdaaa18a45be8

Download Submit
C:\Windows\System32\YfbJETE.exe

Filesize
3.2MB

MD5
3ceb1cd7e62642c52f311e9a7dbd33ff

SHA1
86283cca09bd5905a09cbd86052bc11600f74b07

SHA256
ba8030acb9d87d75d57aa12d6243343ab527d9ae8ec71eb88300ee08ef518d1f

SHA512
8b64ef6936a59f5ef075a5db29a3ad9b535cde68c62f99a5ec275a2f3135857850eab7bc623e187a24a9e559fdd4ad64b6c2dc2e0b83b2290430e0c21442141d

Download Submit
C:\Windows\System32\YkQlHqu.exe

Filesize
3.2MB

MD5
f53b05c5449abd2690b8398c5b380e37

SHA1
8d93b64b1d605cff5d32849eb38b524b4b7c3bba

SHA256
0ae49543d1906524e98b6e4563c8677034b9371be4404e7ab6d8b564dfafe8d9

SHA512
997e6c12f01890c59a4912a70b3d3b9d4b47f32b294de45126991e77a2ebaee3e32daab12e971fbb6dc2b310252d97d939b500a5997fd980675d5e824a9e3d76

Download Submit
C:\Windows\System32\azZPaJN.exe

Filesize
3.2MB

MD5
3ac6b5c35a192e8bc24b0a0ed3b8a483

SHA1
f01cd033f2ed9c76bd5782aee1c1bd40e7433ef3

SHA256
4ae66a4518e9390681471cd9f1964653cb0a6025183198475ea6937d8a98c133

SHA512
f95f4caa03a732885d653a1ea2fb20f0110f24c59f822ee2f1b64a7b609f9fa2de73e7cf4d2d6c751609395c1abfc9080c3a32f1f975be945942dedba48f0b3a

Download Submit
C:\Windows\System32\bKzvKNt.exe

Filesize
3.2MB

MD5
d751603ddef2c4a16428ba30142d76f8

SHA1
96a51244ec19e2795e75d2ee936412119ac04167

SHA256
9bfd1e072d681b627ddf946bf67abdb4aa95725be01806beb7cbe524e5a2ef55

SHA512
48b5b473a9d63445ccea85bd8e1316c83ff7c9521ecbccaa92eaa4096471fb5e84cee5e47faca96adedbeaaa234718731d5ff3f00374c0ec477f5a9e344eca29

Download Submit
C:\Windows\System32\bdLdSvK.exe

Filesize
3.2MB

MD5
b36d2ce046975b370c520defa17154b2

SHA1
ceb29b2b5867232544fd3a20787ebdb8fb869c63

SHA256
43cc223a0d666aae0308543b72caec1809ee653d0fa31e8d7f2662de10a91c6c

SHA512
0d012ceb36c8ec1c2b0863637a58ff8a4134713d3626464b3f78425ca57936c4f33f5e82bcce8b6249a835db62bc4cfb63febd4cbff383e60e968dd7b416d66e

Download Submit
C:\Windows\System32\beqevQj.exe

Filesize
3.2MB

MD5
11f08cd4a31467f25527bbe42d7fda89

SHA1
7eeea6bfe499b4f0f61cdbc8140cd06a4fda8555

SHA256
28a02645ef63cab2ed5a9be77204580dd9471010168a891d3b8863d6339274ae

SHA512
8fdb2776c910b99b69cb726a5bfcf6a65c5ef1af75f2f2c60e3fb2e838db253d41cb6885c9686c5bd166a9e76d31c8884931924fca048b04cee7bf50ca81cac9

Download Submit
C:\Windows\System32\ctouctl.exe

Filesize
3.2MB

MD5
89fc1ce689ef72c1337d5d9c1a08d7f3

SHA1
6fa786d1fe441e2ff462048aa76fb06aa7dd6bae

SHA256
26b7509236b45965dc3ebb1ea9fe90356780e407995448de9c62fba9f130c161

SHA512
e4031e8348b497307ff4644b72cd01412d36898c380db0a5b1e966b1c4a7b6a90e0d7998f1fee54051dd9ad11a6b5fa074bf468d59600ad581f1c00615a6ceeb

Download Submit
C:\Windows\System32\fPExHFM.exe

Filesize
3.2MB

MD5
6327be2cd6d45dd965148dbe9a869489

SHA1
f2e42ffe492388ea9fec71ee5211ff18a93a4f63

SHA256
cc7441e1cdae6c1c98cf95a89a79cec6a2f850ae72647b644524336960d2d4dd

SHA512
f7c3eba540aa0afa2fdc5af8153b8a9447775195962734ac3d856893f7e1e3eeb8ff0428f4a2c68d6f5e0f1153211b20ad7d104d9bb491a6c6697abea37d228b

Download Submit
C:\Windows\System32\hAYMptT.exe

Filesize
3.2MB

MD5
083297401bddfc66f1f6d9bd6f122867

SHA1
5bca43b3115b4ee49b138ba7af1ae06544222e7e

SHA256
2ab9d2c8f33387b25b2485d21c4f6682af2aef7583f3edc32a1f20045e99afeb

SHA512
a7da0077c29c2e622ec6422541451cc52e68e4f5e908619576aac4d86d62490ad836ead838f1bb925da6ab56a868db3e945fe21c6ecc923eb4a13362df0152f0

Download Submit
C:\Windows\System32\jxDGgrV.exe

Filesize
3.2MB

MD5
c7bbb92c6b25faa9ebb9070462a17d26

SHA1
f82ce33606af77ac362ba68dc51120b0126a8f07

SHA256
a599ac44c570d7a8644fcd9ada344ca149a761caa8b178860ff1d72466a2726c

SHA512
f918a7ec28066661dc0f4d20353fb0df2232c86705327f73b89ec11249e547844dbc876c20928c382b627c54aa33abe161fe3e6063362ef2f83a1e99d5280417

Download Submit
C:\Windows\System32\mzYvejm.exe

Filesize
3.2MB

MD5
a9b1a17c5ead9c89a30ce94b78e8db88

SHA1
a200b805cf66e6ffcd119603763519f8158f0b97

SHA256
02469d72c9ae06da995e7f720acd69b7b6d55bc30d480fb70d0a37b2d2648e5b

SHA512
683ce8b0ae725d2f152dd7bcbee9acefd80c9529cbf7c9a5309749b48b44029643ed5114e9d37b8e54c80863eddabcfa509ab3a2dc106fafd4e9837c2d98c417

Download Submit
C:\Windows\System32\pZwgDTW.exe

Filesize
3.2MB

MD5
b3f22b3e60c8643247a255b4b0a1770c

SHA1
60161bb94f36474f2dd1df65a40b36adfd0404d9

SHA256
9eab34a719362de6a64a96ab5ec2466dbd888646dc16a22c645bfdb07fdd0823

SHA512
f5628384ab0167d218c6fe2c8bf465f0118e9fcf51cbd7394cbae93e54278350a77f39d683c485375787cd359670689af4d429b919cbecbeec689e62ea54246f

Download Submit
C:\Windows\System32\qOxZPgo.exe

Filesize
3.2MB

MD5
ccc06e69f4fb4c3324aa78dc5e9c3077

SHA1
2d1d7b90156412e71ff25757b7b68188c3bdca7d

SHA256
2d61636190f8054213e5c7750731c22c38cf5ea43e13d0e6ca5c157e04a30218

SHA512
84673c04a3bd0c6fc7a3de44257e5f21f8080e80e2ac743c0815d288dad1054acf3109bcd96ebf4f2d1d9775069f02b1544994575ab0b238b6c8ae0cf9a105be

Download Submit
C:\Windows\System32\tUmWoPe.exe

Filesize
3.2MB

MD5
041e171e8ae52653994acfd561449ec0

SHA1
43f2e2077eb39363b15a7dc1f8253e9873aaa258

SHA256
ab67f4d3af816adb8d9079c66bb490cb29bb250dcacd6c90e0023fb6bb4329fa

SHA512
5597a757d713e25e8578216a82792678f8942a2f25185c6dc837d93b34e0e2b1d648cc43e9275d233f747898383ce2e7699628b1d9b98be1defa5a094b2b1b4c

Download Submit
C:\Windows\System32\xfsSLoL.exe

Filesize
3.2MB

MD5
62fc975dc2ae5580efc591a32e7094d3

SHA1
9bc3de1a5515c22ccfd5a7e584de486601c6e294

SHA256
22eb7a47781e81ec48c517c390c94279114a9528575d4cd97bc125df8cfa316b

SHA512
de6a98f369e20142c63c56cdfc0d24ffafe02a61e4f625bd9d70d6188488c5496c87bf994aab6b5d095eb679e46242e4f8011d540437f0c109b229b6a2abfbbd

Download Submit
C:\Windows\System32\yrxTiLV.exe

Filesize
3.2MB

MD5
3e5480e83fd1c4cf1b1caddf1294e976

SHA1
146f3923539485a254f691a531a190fc255ef97e

SHA256
a39a7755fd4d3cd6adbbd59c2e50ca453e49ce09d91d51998346a90180dda03d

SHA512
cd59ba61ab1b51301bbe6edc4c41cee66e31dde0a448b99082c4b1df943abd3116435561616ca6b25e807f9da8f500519ad814f012a0a8d1d4a8b99c60ddb2e8

Download Submit
memory/312-1857-0x00007FF684EA0000-0x00007FF685295000-memory.dmp

Filesize
4.0MB

Download
memory/312-808-0x00007FF684EA0000-0x00007FF685295000-memory.dmp

Filesize
4.0MB

Download
memory/408-24-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp

Filesize
4.0MB

Download
memory/408-1833-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp

Filesize
4.0MB

Download
memory/408-1839-0x00007FF77AD00000-0x00007FF77B0F5000-memory.dmp

Filesize
4.0MB

Download
memory/556-817-0x00007FF7AB600000-0x00007FF7AB9F5000-memory.dmp

Filesize
4.0MB

Download
memory/556-1860-0x00007FF7AB600000-0x00007FF7AB9F5000-memory.dmp

Filesize
4.0MB

Download
memory/864-1837-0x00007FF73C120000-0x00007FF73C515000-memory.dmp

Filesize
4.0MB

Download
memory/864-11-0x00007FF73C120000-0x00007FF73C515000-memory.dmp

Filesize
4.0MB

Download
memory/1144-1843-0x00007FF6FFE50000-0x00007FF700245000-memory.dmp

Filesize
4.0MB

Download
memory/1144-57-0x00007FF6FFE50000-0x00007FF700245000-memory.dmp

Filesize
4.0MB

Download
memory/1472-830-0x00007FF76F410000-0x00007FF76F805000-memory.dmp

Filesize
4.0MB

Download
memory/1472-1852-0x00007FF76F410000-0x00007FF76F805000-memory.dmp

Filesize
4.0MB

Download
memory/2356-1838-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp

Filesize
4.0MB

Download
memory/2356-1832-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp

Filesize
4.0MB

Download
memory/2356-14-0x00007FF79AE30000-0x00007FF79B225000-memory.dmp

Filesize
4.0MB

Download
memory/2508-1847-0x00007FF747000000-0x00007FF7473F5000-memory.dmp

Filesize
4.0MB

Download
memory/2508-827-0x00007FF747000000-0x00007FF7473F5000-memory.dmp

Filesize
4.0MB

Download
memory/2596-1850-0x00007FF640C20000-0x00007FF641015000-memory.dmp

Filesize
4.0MB

Download
memory/2596-811-0x00007FF640C20000-0x00007FF641015000-memory.dmp

Filesize
4.0MB

Download
memory/2980-1840-0x00007FF6DA710000-0x00007FF6DAB05000-memory.dmp

Filesize
4.0MB

Download
memory/2980-47-0x00007FF6DA710000-0x00007FF6DAB05000-memory.dmp

Filesize
4.0MB

Download
memory/3164-1859-0x00007FF6C2B80000-0x00007FF6C2F75000-memory.dmp

Filesize
4.0MB

Download
memory/3164-836-0x00007FF6C2B80000-0x00007FF6C2F75000-memory.dmp

Filesize
4.0MB

Download
memory/3204-74-0x00007FF78D6E0000-0x00007FF78DAD5000-memory.dmp

Filesize
4.0MB

Download
memory/3204-1841-0x00007FF78D6E0000-0x00007FF78DAD5000-memory.dmp

Filesize
4.0MB

Download
memory/3256-1849-0x00007FF7A5F60000-0x00007FF7A6355000-memory.dmp

Filesize
4.0MB

Download
memory/3256-847-0x00007FF7A5F60000-0x00007FF7A6355000-memory.dmp

Filesize
4.0MB

Download
memory/3528-65-0x00007FF7C17B0000-0x00007FF7C1BA5000-memory.dmp

Filesize
4.0MB

Download
memory/3528-1846-0x00007FF7C17B0000-0x00007FF7C1BA5000-memory.dmp

Filesize
4.0MB

Download
memory/3544-1836-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp

Filesize
4.0MB

Download
memory/3544-0-0x00007FF6E12C0000-0x00007FF6E16B5000-memory.dmp

Filesize
4.0MB

Download
memory/3544-1-0x0000021D78180000-0x0000021D78190000-memory.dmp

Filesize
64KB

Download
memory/3588-1844-0x00007FF6CDB40000-0x00007FF6CDF35000-memory.dmp

Filesize
4.0MB

Download
memory/3588-79-0x00007FF6CDB40000-0x00007FF6CDF35000-memory.dmp

Filesize
4.0MB

Download
memory/4036-1848-0x00007FF6671E0000-0x00007FF6675D5000-memory.dmp

Filesize
4.0MB

Download
memory/4036-849-0x00007FF6671E0000-0x00007FF6675D5000-memory.dmp

Filesize
4.0MB

Download
memory/4272-1842-0x00007FF7B5850000-0x00007FF7B5C45000-memory.dmp

Filesize
4.0MB

Download
memory/4272-83-0x00007FF7B5850000-0x00007FF7B5C45000-memory.dmp

Filesize
4.0MB

Download
memory/4432-1854-0x00007FF714A00000-0x00007FF714DF5000-memory.dmp

Filesize
4.0MB

Download
memory/4432-839-0x00007FF714A00000-0x00007FF714DF5000-memory.dmp

Filesize
4.0MB

Download
memory/4600-1845-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp

Filesize
4.0MB

Download
memory/4600-1834-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp

Filesize
4.0MB

Download
memory/4600-35-0x00007FF6736A0000-0x00007FF673A95000-memory.dmp

Filesize
4.0MB

Download
memory/4900-1851-0x00007FF717340000-0x00007FF717735000-memory.dmp

Filesize
4.0MB

Download
memory/4900-843-0x00007FF717340000-0x00007FF717735000-memory.dmp

Filesize
4.0MB

Download
memory/4952-1855-0x00007FF77D6C0000-0x00007FF77DAB5000-memory.dmp

Filesize
4.0MB

Download
memory/4952-823-0x00007FF77D6C0000-0x00007FF77DAB5000-memory.dmp

Filesize
4.0MB

Download
memory/5024-1856-0x00007FF737540000-0x00007FF737935000-memory.dmp

Filesize
4.0MB

Download
memory/5024-812-0x00007FF737540000-0x00007FF737935000-memory.dmp

Filesize
4.0MB

Download
memory/5048-68-0x00007FF735F90000-0x00007FF736385000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1858-0x00007FF735F90000-0x00007FF736385000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1835-0x00007FF735F90000-0x00007FF736385000-memory.dmp

Filesize
4.0MB

Download
memory/5052-1853-0x00007FF6D53C0000-0x00007FF6D57B5000-memory.dmp

Filesize
4.0MB

Download
memory/5052-834-0x00007FF6D53C0000-0x00007FF6D57B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads