xmrig | 7d677afd01e4a92a6bb8fc21dce5a3618fd9841fbebbe801be99ebf66d7f3e2f

Analysis

max time kernel
124s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
Size

3.0MB
MD5

e1445a881198d62845b51abd109dde70
SHA1

2808b9f76f80f3915a84d61a67c95f75526101fb
SHA256

7d677afd01e4a92a6bb8fc21dce5a3618fd9841fbebbe801be99ebf66d7f3e2f
SHA512

265f7aab4cc32d5acc315d9d37968d701a9bcd8f31f75026ffdd7ba152b1bfebdf9630d9434c1c2288d2984c98c6a655c2ada07f8664fdaef8e43d5979dedec5
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzHUJ8YhOX0zEfAaY:N0GnJMOWPClFdx6e0EALKWVTffZiPAcQ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3136-0-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/files/0x0007000000023413-12.dat	xmrig
behavioral2/memory/224-11-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-15.dat	xmrig
behavioral2/memory/1516-22-0x00007FF787BE0000-0x00007FF787FD5000-memory.dmp	xmrig
behavioral2/memory/1524-23-0x00007FF76E240000-0x00007FF76E635000-memory.dmp	xmrig
behavioral2/memory/920-26-0x00007FF6669D0000-0x00007FF666DC5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-24.dat	xmrig
behavioral2/files/0x0007000000023416-28.dat	xmrig
behavioral2/files/0x0007000000023418-36.dat	xmrig
behavioral2/memory/1964-29-0x00007FF761D90000-0x00007FF762185000-memory.dmp	xmrig
behavioral2/files/0x0008000000023410-41.dat	xmrig
behavioral2/memory/3152-39-0x00007FF64A8F0000-0x00007FF64ACE5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-50.dat	xmrig
behavioral2/memory/1624-47-0x00007FF771310000-0x00007FF771705000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-53.dat	xmrig
behavioral2/files/0x000700000002341c-58.dat	xmrig
behavioral2/memory/884-64-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp	xmrig
behavioral2/memory/4584-70-0x00007FF6F9EA0000-0x00007FF6FA295000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-75.dat	xmrig
behavioral2/memory/4172-80-0x00007FF7AF770000-0x00007FF7AFB65000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-86.dat	xmrig
behavioral2/files/0x0007000000023422-97.dat	xmrig
behavioral2/files/0x0007000000023424-107.dat	xmrig
behavioral2/files/0x0007000000023428-129.dat	xmrig
behavioral2/files/0x000700000002342d-154.dat	xmrig
behavioral2/files/0x0007000000023430-169.dat	xmrig
behavioral2/memory/3136-754-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	xmrig
behavioral2/memory/1328-760-0x00007FF7D6140000-0x00007FF7D6535000-memory.dmp	xmrig
behavioral2/memory/668-766-0x00007FF6AF010000-0x00007FF6AF405000-memory.dmp	xmrig
behavioral2/memory/5040-763-0x00007FF75A2C0000-0x00007FF75A6B5000-memory.dmp	xmrig
behavioral2/memory/3360-770-0x00007FF6DD650000-0x00007FF6DDA45000-memory.dmp	xmrig
behavioral2/memory/1808-779-0x00007FF7BD2F0000-0x00007FF7BD6E5000-memory.dmp	xmrig
behavioral2/memory/2112-791-0x00007FF7B78A0000-0x00007FF7B7C95000-memory.dmp	xmrig
behavioral2/memory/3056-796-0x00007FF7266A0000-0x00007FF726A95000-memory.dmp	xmrig
behavioral2/memory/3696-800-0x00007FF7BE030000-0x00007FF7BE425000-memory.dmp	xmrig
behavioral2/memory/3552-794-0x00007FF629ED0000-0x00007FF62A2C5000-memory.dmp	xmrig
behavioral2/memory/2192-787-0x00007FF79F800000-0x00007FF79FBF5000-memory.dmp	xmrig
behavioral2/memory/744-774-0x00007FF7AF2F0000-0x00007FF7AF6E5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-174.dat	xmrig
behavioral2/files/0x000700000002342f-164.dat	xmrig
behavioral2/files/0x000700000002342e-159.dat	xmrig
behavioral2/files/0x000700000002342c-149.dat	xmrig
behavioral2/files/0x000700000002342b-144.dat	xmrig
behavioral2/files/0x000700000002342a-139.dat	xmrig
behavioral2/files/0x0007000000023429-134.dat	xmrig
behavioral2/files/0x0007000000023427-124.dat	xmrig
behavioral2/files/0x0007000000023426-119.dat	xmrig
behavioral2/files/0x0007000000023425-114.dat	xmrig
behavioral2/files/0x0007000000023423-104.dat	xmrig
behavioral2/files/0x0007000000023421-94.dat	xmrig
behavioral2/files/0x000700000002341f-88.dat	xmrig
behavioral2/memory/4868-82-0x00007FF635390000-0x00007FF635785000-memory.dmp	xmrig
behavioral2/memory/4396-77-0x00007FF71CF90000-0x00007FF71D385000-memory.dmp	xmrig
behavioral2/files/0x000700000002341d-72.dat	xmrig
behavioral2/files/0x000700000002341b-61.dat	xmrig
behavioral2/memory/3236-59-0x00007FF7FAA10000-0x00007FF7FAE05000-memory.dmp	xmrig
behavioral2/memory/1524-1420-0x00007FF76E240000-0x00007FF76E635000-memory.dmp	xmrig
behavioral2/memory/1624-1941-0x00007FF771310000-0x00007FF771705000-memory.dmp	xmrig
behavioral2/memory/884-1942-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp	xmrig
behavioral2/memory/4868-1943-0x00007FF635390000-0x00007FF635785000-memory.dmp	xmrig
behavioral2/memory/3136-1944-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	xmrig
behavioral2/memory/224-1945-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
224	jAGeWgl.exe
1516	tTsKMmU.exe
920	YGcyzxd.exe
1524	imvruMq.exe
1964	WLZZBoR.exe
3152	pHPuYZZ.exe
1624	yDkgFZM.exe
3236	FjGHzad.exe
884	aqmxuEF.exe
4396	LxBCsuq.exe
4584	kPHkQuT.exe
4172	EomhRdA.exe
4868	nAewjhY.exe
1328	UctUfRl.exe
5040	hUousCu.exe
668	yOZqgnR.exe
3360	ORcWpsl.exe
744	eRfaADc.exe
1808	zTCOcgJ.exe
2192	DAxfKfk.exe
2112	oAGrAAX.exe
3552	IvUVJcM.exe
3056	QVSwbNf.exe
3696	ZfpRbZA.exe
4020	uOrSiJQ.exe
1924	YArJuXS.exe
1900	DIVKrIV.exe
4660	kBOMcRF.exe
2820	LiutyLr.exe
2660	ARNxVkw.exe
3960	gmmnxoa.exe
1072	pGslDMW.exe
2080	NiPJCPE.exe
2144	sWNeHhu.exe
1508	ObyAspK.exe
4988	IulMZJn.exe
116	WPEDaGo.exe
1492	nLdsrWR.exe
4884	TAszQKe.exe
4608	lwILGgt.exe
232	oFlHcWQ.exe
3084	feSImGS.exe
4980	TnAnqFv.exe
532	NxDICyw.exe
1552	CBBuKzs.exe
1176	QVVPTJo.exe
976	LVVgubX.exe
1676	cYifiNN.exe
2132	QxnqfYM.exe
2340	ZhhNtau.exe
4008	LKmbfOV.exe
1412	uPeWPaK.exe
3328	GRMgsNv.exe
3276	adUANmo.exe
4928	lVIolMg.exe
1484	txkvnbn.exe
1636	FtNkeqQ.exe
1452	qZyslXC.exe
4032	AwCCzJN.exe
2156	SbGiDdF.exe
424	rYpFPhh.exe
2788	LkOjehB.exe
3060	gFEQJaD.exe
3488	aErJzmC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3136-0-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/files/0x0007000000023413-12.dat	upx
behavioral2/memory/224-11-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp	upx
behavioral2/files/0x0007000000023414-15.dat	upx
behavioral2/memory/1516-22-0x00007FF787BE0000-0x00007FF787FD5000-memory.dmp	upx
behavioral2/memory/1524-23-0x00007FF76E240000-0x00007FF76E635000-memory.dmp	upx
behavioral2/memory/920-26-0x00007FF6669D0000-0x00007FF666DC5000-memory.dmp	upx
behavioral2/files/0x0007000000023415-24.dat	upx
behavioral2/files/0x0007000000023416-28.dat	upx
behavioral2/files/0x0007000000023418-36.dat	upx
behavioral2/memory/1964-29-0x00007FF761D90000-0x00007FF762185000-memory.dmp	upx
behavioral2/files/0x0008000000023410-41.dat	upx
behavioral2/memory/3152-39-0x00007FF64A8F0000-0x00007FF64ACE5000-memory.dmp	upx
behavioral2/files/0x0007000000023419-50.dat	upx
behavioral2/memory/1624-47-0x00007FF771310000-0x00007FF771705000-memory.dmp	upx
behavioral2/files/0x000700000002341a-53.dat	upx
behavioral2/files/0x000700000002341c-58.dat	upx
behavioral2/memory/884-64-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp	upx
behavioral2/memory/4584-70-0x00007FF6F9EA0000-0x00007FF6FA295000-memory.dmp	upx
behavioral2/files/0x000700000002341e-75.dat	upx
behavioral2/memory/4172-80-0x00007FF7AF770000-0x00007FF7AFB65000-memory.dmp	upx
behavioral2/files/0x0007000000023420-86.dat	upx
behavioral2/files/0x0007000000023422-97.dat	upx
behavioral2/files/0x0007000000023424-107.dat	upx
behavioral2/files/0x0007000000023428-129.dat	upx
behavioral2/files/0x000700000002342d-154.dat	upx
behavioral2/files/0x0007000000023430-169.dat	upx
behavioral2/memory/3136-754-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	upx
behavioral2/memory/1328-760-0x00007FF7D6140000-0x00007FF7D6535000-memory.dmp	upx
behavioral2/memory/668-766-0x00007FF6AF010000-0x00007FF6AF405000-memory.dmp	upx
behavioral2/memory/5040-763-0x00007FF75A2C0000-0x00007FF75A6B5000-memory.dmp	upx
behavioral2/memory/3360-770-0x00007FF6DD650000-0x00007FF6DDA45000-memory.dmp	upx
behavioral2/memory/1808-779-0x00007FF7BD2F0000-0x00007FF7BD6E5000-memory.dmp	upx
behavioral2/memory/2112-791-0x00007FF7B78A0000-0x00007FF7B7C95000-memory.dmp	upx
behavioral2/memory/3056-796-0x00007FF7266A0000-0x00007FF726A95000-memory.dmp	upx
behavioral2/memory/3696-800-0x00007FF7BE030000-0x00007FF7BE425000-memory.dmp	upx
behavioral2/memory/3552-794-0x00007FF629ED0000-0x00007FF62A2C5000-memory.dmp	upx
behavioral2/memory/2192-787-0x00007FF79F800000-0x00007FF79FBF5000-memory.dmp	upx
behavioral2/memory/744-774-0x00007FF7AF2F0000-0x00007FF7AF6E5000-memory.dmp	upx
behavioral2/files/0x0007000000023431-174.dat	upx
behavioral2/files/0x000700000002342f-164.dat	upx
behavioral2/files/0x000700000002342e-159.dat	upx
behavioral2/files/0x000700000002342c-149.dat	upx
behavioral2/files/0x000700000002342b-144.dat	upx
behavioral2/files/0x000700000002342a-139.dat	upx
behavioral2/files/0x0007000000023429-134.dat	upx
behavioral2/files/0x0007000000023427-124.dat	upx
behavioral2/files/0x0007000000023426-119.dat	upx
behavioral2/files/0x0007000000023425-114.dat	upx
behavioral2/files/0x0007000000023423-104.dat	upx
behavioral2/files/0x0007000000023421-94.dat	upx
behavioral2/files/0x000700000002341f-88.dat	upx
behavioral2/memory/4868-82-0x00007FF635390000-0x00007FF635785000-memory.dmp	upx
behavioral2/memory/4396-77-0x00007FF71CF90000-0x00007FF71D385000-memory.dmp	upx
behavioral2/files/0x000700000002341d-72.dat	upx
behavioral2/files/0x000700000002341b-61.dat	upx
behavioral2/memory/3236-59-0x00007FF7FAA10000-0x00007FF7FAE05000-memory.dmp	upx
behavioral2/memory/1524-1420-0x00007FF76E240000-0x00007FF76E635000-memory.dmp	upx
behavioral2/memory/1624-1941-0x00007FF771310000-0x00007FF771705000-memory.dmp	upx
behavioral2/memory/884-1942-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp	upx
behavioral2/memory/4868-1943-0x00007FF635390000-0x00007FF635785000-memory.dmp	upx
behavioral2/memory/3136-1944-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp	upx
behavioral2/memory/224-1945-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\xEoaurJ.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\aRtzozZ.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\JjkEkrB.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\iFgylkc.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\awxBJWh.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\wwRTYss.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\izMcaYb.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\DPhLzFZ.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\tDCHhoU.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\DIrLBsl.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\lVIolMg.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\uVOVytf.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\eYKlGkR.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\xdxPrBq.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\GYdzgTB.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\uZZizLd.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\vKJDKBz.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\AvRWAAi.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\ZNILolH.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\IATYTFu.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\xWMbWNC.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\xBKADOu.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\PCnBZpS.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\sNSHNSM.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\caVeIHO.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\zSVbdXv.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\oiqWvQb.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\edhUbiT.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\DjQyQAg.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\iBEdzOx.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\qZSXraC.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\rhVOkTS.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\Wydacst.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\lrfrpEi.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\BBMUhwz.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\FHZuhup.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\uOUzaGH.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\TypRYeq.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\zXXKJut.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\RILsMPu.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\Hcuwfco.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\VkBQysa.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\wFEjtIg.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\BOgqwLp.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\xeBloRD.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\LRJYjvB.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\OFIQxUn.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\fyfsqka.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\IyCuJqy.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\YuGUUkn.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\JHMqnkL.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\eItCHdC.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\LKmbfOV.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\VuKZlGX.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\UiPxEKJ.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\fABmDYj.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\iLYmnBT.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\vhlgkQS.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\VoiKsxX.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\xIvZPYF.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\RJwzoCr.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\BYbYYFq.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\NkTnAsw.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
File created	C:\Windows\System32\TFVdXmy.exe	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14312	dwm.exe
Token: SeChangeNotifyPrivilege	14312	dwm.exe
Token: 33	14312	dwm.exe
Token: SeIncBasePriorityPrivilege	14312	dwm.exe
Token: SeShutdownPrivilege	14312	dwm.exe
Token: SeCreatePagefilePrivilege	14312	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 224	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	84
PID 3136 wrote to memory of 224	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	84
PID 3136 wrote to memory of 1516	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	85
PID 3136 wrote to memory of 1516	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	85
PID 3136 wrote to memory of 920	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	86
PID 3136 wrote to memory of 920	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	86
PID 3136 wrote to memory of 1524	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	87
PID 3136 wrote to memory of 1524	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	87
PID 3136 wrote to memory of 1964	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	88
PID 3136 wrote to memory of 1964	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	88
PID 3136 wrote to memory of 3152	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	89
PID 3136 wrote to memory of 3152	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	89
PID 3136 wrote to memory of 1624	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	92
PID 3136 wrote to memory of 1624	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	92
PID 3136 wrote to memory of 3236	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	93
PID 3136 wrote to memory of 3236	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	93
PID 3136 wrote to memory of 884	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	94
PID 3136 wrote to memory of 884	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	94
PID 3136 wrote to memory of 4396	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	95
PID 3136 wrote to memory of 4396	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	95
PID 3136 wrote to memory of 4584	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	96
PID 3136 wrote to memory of 4584	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	96
PID 3136 wrote to memory of 4172	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	97
PID 3136 wrote to memory of 4172	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	97
PID 3136 wrote to memory of 4868	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	98
PID 3136 wrote to memory of 4868	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	98
PID 3136 wrote to memory of 5040	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	99
PID 3136 wrote to memory of 5040	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	99
PID 3136 wrote to memory of 1328	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	100
PID 3136 wrote to memory of 1328	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	100
PID 3136 wrote to memory of 668	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	102
PID 3136 wrote to memory of 668	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	102
PID 3136 wrote to memory of 3360	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	103
PID 3136 wrote to memory of 3360	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	103
PID 3136 wrote to memory of 744	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	104
PID 3136 wrote to memory of 744	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	104
PID 3136 wrote to memory of 1808	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	105
PID 3136 wrote to memory of 1808	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	105
PID 3136 wrote to memory of 2192	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	106
PID 3136 wrote to memory of 2192	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	106
PID 3136 wrote to memory of 2112	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	107
PID 3136 wrote to memory of 2112	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	107
PID 3136 wrote to memory of 3552	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	108
PID 3136 wrote to memory of 3552	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	108
PID 3136 wrote to memory of 3056	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	109
PID 3136 wrote to memory of 3056	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	109
PID 3136 wrote to memory of 3696	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	110
PID 3136 wrote to memory of 3696	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	110
PID 3136 wrote to memory of 4020	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	111
PID 3136 wrote to memory of 4020	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	111
PID 3136 wrote to memory of 1924	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	112
PID 3136 wrote to memory of 1924	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	112
PID 3136 wrote to memory of 1900	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	113
PID 3136 wrote to memory of 1900	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	113
PID 3136 wrote to memory of 4660	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	114
PID 3136 wrote to memory of 4660	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	114
PID 3136 wrote to memory of 2820	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	115
PID 3136 wrote to memory of 2820	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	115
PID 3136 wrote to memory of 2660	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	116
PID 3136 wrote to memory of 2660	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	116
PID 3136 wrote to memory of 3960	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	117
PID 3136 wrote to memory of 3960	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	117
PID 3136 wrote to memory of 1072	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	118
PID 3136 wrote to memory of 1072	3136	e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe	118

C:\Users\Admin\AppData\Local\Temp\e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e1445a881198d62845b51abd109dde70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\System32\jAGeWgl.exe
  C:\Windows\System32\jAGeWgl.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\tTsKMmU.exe
  C:\Windows\System32\tTsKMmU.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\YGcyzxd.exe
  C:\Windows\System32\YGcyzxd.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\imvruMq.exe
  C:\Windows\System32\imvruMq.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System32\WLZZBoR.exe
  C:\Windows\System32\WLZZBoR.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\pHPuYZZ.exe
  C:\Windows\System32\pHPuYZZ.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\yDkgFZM.exe
  C:\Windows\System32\yDkgFZM.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\FjGHzad.exe
  C:\Windows\System32\FjGHzad.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\aqmxuEF.exe
  C:\Windows\System32\aqmxuEF.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\LxBCsuq.exe
  C:\Windows\System32\LxBCsuq.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\kPHkQuT.exe
  C:\Windows\System32\kPHkQuT.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\EomhRdA.exe
  C:\Windows\System32\EomhRdA.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System32\nAewjhY.exe
  C:\Windows\System32\nAewjhY.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\hUousCu.exe
  C:\Windows\System32\hUousCu.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\UctUfRl.exe
  C:\Windows\System32\UctUfRl.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\yOZqgnR.exe
  C:\Windows\System32\yOZqgnR.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\ORcWpsl.exe
  C:\Windows\System32\ORcWpsl.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\eRfaADc.exe
  C:\Windows\System32\eRfaADc.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\zTCOcgJ.exe
  C:\Windows\System32\zTCOcgJ.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\DAxfKfk.exe
  C:\Windows\System32\DAxfKfk.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\oAGrAAX.exe
  C:\Windows\System32\oAGrAAX.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\IvUVJcM.exe
  C:\Windows\System32\IvUVJcM.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\QVSwbNf.exe
  C:\Windows\System32\QVSwbNf.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\ZfpRbZA.exe
  C:\Windows\System32\ZfpRbZA.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\uOrSiJQ.exe
  C:\Windows\System32\uOrSiJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\YArJuXS.exe
  C:\Windows\System32\YArJuXS.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\DIVKrIV.exe
  C:\Windows\System32\DIVKrIV.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\kBOMcRF.exe
  C:\Windows\System32\kBOMcRF.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\LiutyLr.exe
  C:\Windows\System32\LiutyLr.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\ARNxVkw.exe
  C:\Windows\System32\ARNxVkw.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\gmmnxoa.exe
  C:\Windows\System32\gmmnxoa.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\pGslDMW.exe
  C:\Windows\System32\pGslDMW.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\NiPJCPE.exe
  C:\Windows\System32\NiPJCPE.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\sWNeHhu.exe
  C:\Windows\System32\sWNeHhu.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\ObyAspK.exe
  C:\Windows\System32\ObyAspK.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\IulMZJn.exe
  C:\Windows\System32\IulMZJn.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\WPEDaGo.exe
  C:\Windows\System32\WPEDaGo.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\nLdsrWR.exe
  C:\Windows\System32\nLdsrWR.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\TAszQKe.exe
  C:\Windows\System32\TAszQKe.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\lwILGgt.exe
  C:\Windows\System32\lwILGgt.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\oFlHcWQ.exe
  C:\Windows\System32\oFlHcWQ.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\feSImGS.exe
  C:\Windows\System32\feSImGS.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System32\TnAnqFv.exe
  C:\Windows\System32\TnAnqFv.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\NxDICyw.exe
  C:\Windows\System32\NxDICyw.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\CBBuKzs.exe
  C:\Windows\System32\CBBuKzs.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\QVVPTJo.exe
  C:\Windows\System32\QVVPTJo.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\LVVgubX.exe
  C:\Windows\System32\LVVgubX.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\cYifiNN.exe
  C:\Windows\System32\cYifiNN.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\QxnqfYM.exe
  C:\Windows\System32\QxnqfYM.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\ZhhNtau.exe
  C:\Windows\System32\ZhhNtau.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System32\LKmbfOV.exe
  C:\Windows\System32\LKmbfOV.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\uPeWPaK.exe
  C:\Windows\System32\uPeWPaK.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\GRMgsNv.exe
  C:\Windows\System32\GRMgsNv.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\adUANmo.exe
  C:\Windows\System32\adUANmo.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\lVIolMg.exe
  C:\Windows\System32\lVIolMg.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\txkvnbn.exe
  C:\Windows\System32\txkvnbn.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\FtNkeqQ.exe
  C:\Windows\System32\FtNkeqQ.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\qZyslXC.exe
  C:\Windows\System32\qZyslXC.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System32\AwCCzJN.exe
  C:\Windows\System32\AwCCzJN.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\SbGiDdF.exe
  C:\Windows\System32\SbGiDdF.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\rYpFPhh.exe
  C:\Windows\System32\rYpFPhh.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System32\LkOjehB.exe
  C:\Windows\System32\LkOjehB.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\gFEQJaD.exe
  C:\Windows\System32\gFEQJaD.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\aErJzmC.exe
  C:\Windows\System32\aErJzmC.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\CNGvymw.exe
  C:\Windows\System32\CNGvymw.exe
  2⤵
  PID:1312
- C:\Windows\System32\JtlQTNY.exe
  C:\Windows\System32\JtlQTNY.exe
  2⤵
  PID:3556
- C:\Windows\System32\rzSUgzx.exe
  C:\Windows\System32\rzSUgzx.exe
  2⤵
  PID:2868
- C:\Windows\System32\Lfcckub.exe
  C:\Windows\System32\Lfcckub.exe
  2⤵
  PID:3928
- C:\Windows\System32\FBFnCDC.exe
  C:\Windows\System32\FBFnCDC.exe
  2⤵
  PID:1088
- C:\Windows\System32\DYlFJmP.exe
  C:\Windows\System32\DYlFJmP.exe
  2⤵
  PID:4284
- C:\Windows\System32\eeBwJde.exe
  C:\Windows\System32\eeBwJde.exe
  2⤵
  PID:4720
- C:\Windows\System32\WaOCPtB.exe
  C:\Windows\System32\WaOCPtB.exe
  2⤵
  PID:1592
- C:\Windows\System32\pWuyGwS.exe
  C:\Windows\System32\pWuyGwS.exe
  2⤵
  PID:4488
- C:\Windows\System32\bEbxICv.exe
  C:\Windows\System32\bEbxICv.exe
  2⤵
  PID:4384
- C:\Windows\System32\xdxPrBq.exe
  C:\Windows\System32\xdxPrBq.exe
  2⤵
  PID:5148
- C:\Windows\System32\rikORdE.exe
  C:\Windows\System32\rikORdE.exe
  2⤵
  PID:5176
- C:\Windows\System32\LOGlBvb.exe
  C:\Windows\System32\LOGlBvb.exe
  2⤵
  PID:5204
- C:\Windows\System32\LrtwBVV.exe
  C:\Windows\System32\LrtwBVV.exe
  2⤵
  PID:5232
- C:\Windows\System32\XoJtupU.exe
  C:\Windows\System32\XoJtupU.exe
  2⤵
  PID:5260
- C:\Windows\System32\WNjjFhR.exe
  C:\Windows\System32\WNjjFhR.exe
  2⤵
  PID:5288
- C:\Windows\System32\QjCbJBv.exe
  C:\Windows\System32\QjCbJBv.exe
  2⤵
  PID:5316
- C:\Windows\System32\BbLbnNo.exe
  C:\Windows\System32\BbLbnNo.exe
  2⤵
  PID:5344
- C:\Windows\System32\TmtIHDj.exe
  C:\Windows\System32\TmtIHDj.exe
  2⤵
  PID:5372
- C:\Windows\System32\pdbKtXB.exe
  C:\Windows\System32\pdbKtXB.exe
  2⤵
  PID:5400
- C:\Windows\System32\lyBvgoP.exe
  C:\Windows\System32\lyBvgoP.exe
  2⤵
  PID:5428
- C:\Windows\System32\pyYIOyt.exe
  C:\Windows\System32\pyYIOyt.exe
  2⤵
  PID:5456
- C:\Windows\System32\JjkEkrB.exe
  C:\Windows\System32\JjkEkrB.exe
  2⤵
  PID:5484
- C:\Windows\System32\NOdyDLs.exe
  C:\Windows\System32\NOdyDLs.exe
  2⤵
  PID:5512
- C:\Windows\System32\ucboXSx.exe
  C:\Windows\System32\ucboXSx.exe
  2⤵
  PID:5540
- C:\Windows\System32\VwukXTT.exe
  C:\Windows\System32\VwukXTT.exe
  2⤵
  PID:5568
- C:\Windows\System32\sAPIACQ.exe
  C:\Windows\System32\sAPIACQ.exe
  2⤵
  PID:5596
- C:\Windows\System32\zrgltNV.exe
  C:\Windows\System32\zrgltNV.exe
  2⤵
  PID:5624
- C:\Windows\System32\XsJFVYF.exe
  C:\Windows\System32\XsJFVYF.exe
  2⤵
  PID:5652
- C:\Windows\System32\OWpXWYz.exe
  C:\Windows\System32\OWpXWYz.exe
  2⤵
  PID:5680
- C:\Windows\System32\nQAMsMT.exe
  C:\Windows\System32\nQAMsMT.exe
  2⤵
  PID:5708
- C:\Windows\System32\UUgATUQ.exe
  C:\Windows\System32\UUgATUQ.exe
  2⤵
  PID:5736
- C:\Windows\System32\NhyUEXe.exe
  C:\Windows\System32\NhyUEXe.exe
  2⤵
  PID:5764
- C:\Windows\System32\tDCHhoU.exe
  C:\Windows\System32\tDCHhoU.exe
  2⤵
  PID:5792
- C:\Windows\System32\GHNhDGf.exe
  C:\Windows\System32\GHNhDGf.exe
  2⤵
  PID:5820
- C:\Windows\System32\GkBvxOI.exe
  C:\Windows\System32\GkBvxOI.exe
  2⤵
  PID:5848
- C:\Windows\System32\oZAPAGt.exe
  C:\Windows\System32\oZAPAGt.exe
  2⤵
  PID:5876
- C:\Windows\System32\VuKZlGX.exe
  C:\Windows\System32\VuKZlGX.exe
  2⤵
  PID:5904
- C:\Windows\System32\XXfvQqO.exe
  C:\Windows\System32\XXfvQqO.exe
  2⤵
  PID:5932
- C:\Windows\System32\HWAFFaC.exe
  C:\Windows\System32\HWAFFaC.exe
  2⤵
  PID:5960
- C:\Windows\System32\WMWcoKD.exe
  C:\Windows\System32\WMWcoKD.exe
  2⤵
  PID:5988
- C:\Windows\System32\XKgxfsO.exe
  C:\Windows\System32\XKgxfsO.exe
  2⤵
  PID:6016
- C:\Windows\System32\QiIrzVp.exe
  C:\Windows\System32\QiIrzVp.exe
  2⤵
  PID:6044
- C:\Windows\System32\PPedWmO.exe
  C:\Windows\System32\PPedWmO.exe
  2⤵
  PID:6072
- C:\Windows\System32\HWJOjNQ.exe
  C:\Windows\System32\HWJOjNQ.exe
  2⤵
  PID:6100
- C:\Windows\System32\xIvZPYF.exe
  C:\Windows\System32\xIvZPYF.exe
  2⤵
  PID:6128
- C:\Windows\System32\DmcPvlh.exe
  C:\Windows\System32\DmcPvlh.exe
  2⤵
  PID:1520
- C:\Windows\System32\QDmCEkU.exe
  C:\Windows\System32\QDmCEkU.exe
  2⤵
  PID:3976
- C:\Windows\System32\XNphkYt.exe
  C:\Windows\System32\XNphkYt.exe
  2⤵
  PID:3012
- C:\Windows\System32\CJVVLfb.exe
  C:\Windows\System32\CJVVLfb.exe
  2⤵
  PID:4044
- C:\Windows\System32\BAhhdYx.exe
  C:\Windows\System32\BAhhdYx.exe
  2⤵
  PID:5132
- C:\Windows\System32\xZrHlVQ.exe
  C:\Windows\System32\xZrHlVQ.exe
  2⤵
  PID:5200
- C:\Windows\System32\fvNMFTe.exe
  C:\Windows\System32\fvNMFTe.exe
  2⤵
  PID:5248
- C:\Windows\System32\UiPxEKJ.exe
  C:\Windows\System32\UiPxEKJ.exe
  2⤵
  PID:5328
- C:\Windows\System32\lvGoqih.exe
  C:\Windows\System32\lvGoqih.exe
  2⤵
  PID:5396
- C:\Windows\System32\vLsbHlP.exe
  C:\Windows\System32\vLsbHlP.exe
  2⤵
  PID:5480
- C:\Windows\System32\kjOWrUr.exe
  C:\Windows\System32\kjOWrUr.exe
  2⤵
  PID:5524
- C:\Windows\System32\eOrQTlC.exe
  C:\Windows\System32\eOrQTlC.exe
  2⤵
  PID:5592
- C:\Windows\System32\xMrNdxf.exe
  C:\Windows\System32\xMrNdxf.exe
  2⤵
  PID:5640
- C:\Windows\System32\MIdEUeQ.exe
  C:\Windows\System32\MIdEUeQ.exe
  2⤵
  PID:5720
- C:\Windows\System32\wBAgYat.exe
  C:\Windows\System32\wBAgYat.exe
  2⤵
  PID:5788
- C:\Windows\System32\DNoCsly.exe
  C:\Windows\System32\DNoCsly.exe
  2⤵
  PID:5844
- C:\Windows\System32\fEKsmZt.exe
  C:\Windows\System32\fEKsmZt.exe
  2⤵
  PID:5916
- C:\Windows\System32\VCydQjw.exe
  C:\Windows\System32\VCydQjw.exe
  2⤵
  PID:5984
- C:\Windows\System32\OFIQxUn.exe
  C:\Windows\System32\OFIQxUn.exe
  2⤵
  PID:6032
- C:\Windows\System32\wsGQnwH.exe
  C:\Windows\System32\wsGQnwH.exe
  2⤵
  PID:6112
- C:\Windows\System32\JOZoyoE.exe
  C:\Windows\System32\JOZoyoE.exe
  2⤵
  PID:396
- C:\Windows\System32\SyfmhZr.exe
  C:\Windows\System32\SyfmhZr.exe
  2⤵
  PID:2880
- C:\Windows\System32\CcDrMSO.exe
  C:\Windows\System32\CcDrMSO.exe
  2⤵
  PID:5228
- C:\Windows\System32\jldIFhN.exe
  C:\Windows\System32\jldIFhN.exe
  2⤵
  PID:5384
- C:\Windows\System32\sEKnpyk.exe
  C:\Windows\System32\sEKnpyk.exe
  2⤵
  PID:5508
- C:\Windows\System32\dXjrYHA.exe
  C:\Windows\System32\dXjrYHA.exe
  2⤵
  PID:5668
- C:\Windows\System32\KRZimQf.exe
  C:\Windows\System32\KRZimQf.exe
  2⤵
  PID:5836
- C:\Windows\System32\vBjrmdK.exe
  C:\Windows\System32\vBjrmdK.exe
  2⤵
  PID:5972
- C:\Windows\System32\RJwzoCr.exe
  C:\Windows\System32\RJwzoCr.exe
  2⤵
  PID:6156
- C:\Windows\System32\owBitNB.exe
  C:\Windows\System32\owBitNB.exe
  2⤵
  PID:6184
- C:\Windows\System32\ilyZsNE.exe
  C:\Windows\System32\ilyZsNE.exe
  2⤵
  PID:6212
- C:\Windows\System32\iFgylkc.exe
  C:\Windows\System32\iFgylkc.exe
  2⤵
  PID:6240
- C:\Windows\System32\wrLHwev.exe
  C:\Windows\System32\wrLHwev.exe
  2⤵
  PID:6268
- C:\Windows\System32\qlpPDan.exe
  C:\Windows\System32\qlpPDan.exe
  2⤵
  PID:6296
- C:\Windows\System32\rNnswIh.exe
  C:\Windows\System32\rNnswIh.exe
  2⤵
  PID:6324
- C:\Windows\System32\Eyfyoee.exe
  C:\Windows\System32\Eyfyoee.exe
  2⤵
  PID:6352
- C:\Windows\System32\THtFwRg.exe
  C:\Windows\System32\THtFwRg.exe
  2⤵
  PID:6380
- C:\Windows\System32\ysXyxkL.exe
  C:\Windows\System32\ysXyxkL.exe
  2⤵
  PID:6408
- C:\Windows\System32\iIdQuIp.exe
  C:\Windows\System32\iIdQuIp.exe
  2⤵
  PID:6444
- C:\Windows\System32\cZPfyEG.exe
  C:\Windows\System32\cZPfyEG.exe
  2⤵
  PID:6464
- C:\Windows\System32\EAMpxZE.exe
  C:\Windows\System32\EAMpxZE.exe
  2⤵
  PID:6492
- C:\Windows\System32\pDpyVAy.exe
  C:\Windows\System32\pDpyVAy.exe
  2⤵
  PID:6520
- C:\Windows\System32\PulWAQu.exe
  C:\Windows\System32\PulWAQu.exe
  2⤵
  PID:6548
- C:\Windows\System32\KaRBxKD.exe
  C:\Windows\System32\KaRBxKD.exe
  2⤵
  PID:6576
- C:\Windows\System32\BhKAWoi.exe
  C:\Windows\System32\BhKAWoi.exe
  2⤵
  PID:6604
- C:\Windows\System32\UzFnKPK.exe
  C:\Windows\System32\UzFnKPK.exe
  2⤵
  PID:6632
- C:\Windows\System32\OEgjtJO.exe
  C:\Windows\System32\OEgjtJO.exe
  2⤵
  PID:6660
- C:\Windows\System32\yXgansq.exe
  C:\Windows\System32\yXgansq.exe
  2⤵
  PID:6688
- C:\Windows\System32\LsZCSeG.exe
  C:\Windows\System32\LsZCSeG.exe
  2⤵
  PID:6716
- C:\Windows\System32\bHJSEfC.exe
  C:\Windows\System32\bHJSEfC.exe
  2⤵
  PID:6744
- C:\Windows\System32\mKkrdUh.exe
  C:\Windows\System32\mKkrdUh.exe
  2⤵
  PID:6772
- C:\Windows\System32\pwPzkmg.exe
  C:\Windows\System32\pwPzkmg.exe
  2⤵
  PID:6800
- C:\Windows\System32\KUcwFnM.exe
  C:\Windows\System32\KUcwFnM.exe
  2⤵
  PID:6836
- C:\Windows\System32\htfvUrR.exe
  C:\Windows\System32\htfvUrR.exe
  2⤵
  PID:6864
- C:\Windows\System32\WRbsXCh.exe
  C:\Windows\System32\WRbsXCh.exe
  2⤵
  PID:6884
- C:\Windows\System32\GYdzgTB.exe
  C:\Windows\System32\GYdzgTB.exe
  2⤵
  PID:6912
- C:\Windows\System32\LdlicQE.exe
  C:\Windows\System32\LdlicQE.exe
  2⤵
  PID:6948
- C:\Windows\System32\JNpJVYG.exe
  C:\Windows\System32\JNpJVYG.exe
  2⤵
  PID:6968
- C:\Windows\System32\JWaxwXO.exe
  C:\Windows\System32\JWaxwXO.exe
  2⤵
  PID:6996
- C:\Windows\System32\GkZvNhp.exe
  C:\Windows\System32\GkZvNhp.exe
  2⤵
  PID:7024
- C:\Windows\System32\gTBUAUu.exe
  C:\Windows\System32\gTBUAUu.exe
  2⤵
  PID:7052
- C:\Windows\System32\awxBJWh.exe
  C:\Windows\System32\awxBJWh.exe
  2⤵
  PID:7080
- C:\Windows\System32\YcqpNTy.exe
  C:\Windows\System32\YcqpNTy.exe
  2⤵
  PID:7108
- C:\Windows\System32\DNcXnYu.exe
  C:\Windows\System32\DNcXnYu.exe
  2⤵
  PID:7136
- C:\Windows\System32\cWiHHFF.exe
  C:\Windows\System32\cWiHHFF.exe
  2⤵
  PID:7164
- C:\Windows\System32\YbnjDbq.exe
  C:\Windows\System32\YbnjDbq.exe
  2⤵
  PID:3984
- C:\Windows\System32\ggpYpBQ.exe
  C:\Windows\System32\ggpYpBQ.exe
  2⤵
  PID:5304
- C:\Windows\System32\nzlfaga.exe
  C:\Windows\System32\nzlfaga.exe
  2⤵
  PID:5748
- C:\Windows\System32\LgeRpmz.exe
  C:\Windows\System32\LgeRpmz.exe
  2⤵
  PID:6152
- C:\Windows\System32\uVOVytf.exe
  C:\Windows\System32\uVOVytf.exe
  2⤵
  PID:6200
- C:\Windows\System32\MZzbPZo.exe
  C:\Windows\System32\MZzbPZo.exe
  2⤵
  PID:6280
- C:\Windows\System32\sOSGGwD.exe
  C:\Windows\System32\sOSGGwD.exe
  2⤵
  PID:6340
- C:\Windows\System32\ufEdHtW.exe
  C:\Windows\System32\ufEdHtW.exe
  2⤵
  PID:6396
- C:\Windows\System32\JGQSQtj.exe
  C:\Windows\System32\JGQSQtj.exe
  2⤵
  PID:6456
- C:\Windows\System32\ncRYIaO.exe
  C:\Windows\System32\ncRYIaO.exe
  2⤵
  PID:6532
- C:\Windows\System32\vNpqiBu.exe
  C:\Windows\System32\vNpqiBu.exe
  2⤵
  PID:6600
- C:\Windows\System32\CWgCApo.exe
  C:\Windows\System32\CWgCApo.exe
  2⤵
  PID:6684
- C:\Windows\System32\IIfWQor.exe
  C:\Windows\System32\IIfWQor.exe
  2⤵
  PID:6704
- C:\Windows\System32\lgsBrHT.exe
  C:\Windows\System32\lgsBrHT.exe
  2⤵
  PID:6788
- C:\Windows\System32\KNUhMac.exe
  C:\Windows\System32\KNUhMac.exe
  2⤵
  PID:6848
- C:\Windows\System32\ESSXuxw.exe
  C:\Windows\System32\ESSXuxw.exe
  2⤵
  PID:6900
- C:\Windows\System32\QuZTHzh.exe
  C:\Windows\System32\QuZTHzh.exe
  2⤵
  PID:6980
- C:\Windows\System32\QcKdgMa.exe
  C:\Windows\System32\QcKdgMa.exe
  2⤵
  PID:7036
- C:\Windows\System32\aELzltc.exe
  C:\Windows\System32\aELzltc.exe
  2⤵
  PID:2964
- C:\Windows\System32\GqZyuQG.exe
  C:\Windows\System32\GqZyuQG.exe
  2⤵
  PID:7148
- C:\Windows\System32\ntNDjxd.exe
  C:\Windows\System32\ntNDjxd.exe
  2⤵
  PID:5356
- C:\Windows\System32\AsVVMTB.exe
  C:\Windows\System32\AsVVMTB.exe
  2⤵
  PID:5956
- C:\Windows\System32\QgYYZJj.exe
  C:\Windows\System32\QgYYZJj.exe
  2⤵
  PID:6308
- C:\Windows\System32\wFEjtIg.exe
  C:\Windows\System32\wFEjtIg.exe
  2⤵
  PID:6460
- C:\Windows\System32\xgYjIdd.exe
  C:\Windows\System32\xgYjIdd.exe
  2⤵
  PID:1060
- C:\Windows\System32\MuSvWip.exe
  C:\Windows\System32\MuSvWip.exe
  2⤵
  PID:6672
- C:\Windows\System32\SnvepcQ.exe
  C:\Windows\System32\SnvepcQ.exe
  2⤵
  PID:6796
- C:\Windows\System32\ZyPGnzv.exe
  C:\Windows\System32\ZyPGnzv.exe
  2⤵
  PID:6960
- C:\Windows\System32\SYNLoWG.exe
  C:\Windows\System32\SYNLoWG.exe
  2⤵
  PID:7068
- C:\Windows\System32\ZCHrKqw.exe
  C:\Windows\System32\ZCHrKqw.exe
  2⤵
  PID:4880
- C:\Windows\System32\zLuccNg.exe
  C:\Windows\System32\zLuccNg.exe
  2⤵
  PID:6228
- C:\Windows\System32\qIkcWRr.exe
  C:\Windows\System32\qIkcWRr.exe
  2⤵
  PID:6560
- C:\Windows\System32\iBEdzOx.exe
  C:\Windows\System32\iBEdzOx.exe
  2⤵
  PID:7188
- C:\Windows\System32\seDJncf.exe
  C:\Windows\System32\seDJncf.exe
  2⤵
  PID:7216
- C:\Windows\System32\uOUzaGH.exe
  C:\Windows\System32\uOUzaGH.exe
  2⤵
  PID:7244
- C:\Windows\System32\flqEHuP.exe
  C:\Windows\System32\flqEHuP.exe
  2⤵
  PID:7272
- C:\Windows\System32\TypRYeq.exe
  C:\Windows\System32\TypRYeq.exe
  2⤵
  PID:7300
- C:\Windows\System32\qXNklvv.exe
  C:\Windows\System32\qXNklvv.exe
  2⤵
  PID:7328
- C:\Windows\System32\BWcOOcP.exe
  C:\Windows\System32\BWcOOcP.exe
  2⤵
  PID:7356
- C:\Windows\System32\MgGSlFM.exe
  C:\Windows\System32\MgGSlFM.exe
  2⤵
  PID:7384
- C:\Windows\System32\EpBYJQT.exe
  C:\Windows\System32\EpBYJQT.exe
  2⤵
  PID:7412
- C:\Windows\System32\VCOMhCA.exe
  C:\Windows\System32\VCOMhCA.exe
  2⤵
  PID:7440
- C:\Windows\System32\umOImti.exe
  C:\Windows\System32\umOImti.exe
  2⤵
  PID:7468
- C:\Windows\System32\evNWaIC.exe
  C:\Windows\System32\evNWaIC.exe
  2⤵
  PID:7496
- C:\Windows\System32\zqgpaFk.exe
  C:\Windows\System32\zqgpaFk.exe
  2⤵
  PID:7524
- C:\Windows\System32\kJwLKId.exe
  C:\Windows\System32\kJwLKId.exe
  2⤵
  PID:7552
- C:\Windows\System32\fvpNweL.exe
  C:\Windows\System32\fvpNweL.exe
  2⤵
  PID:7580
- C:\Windows\System32\wwRTYss.exe
  C:\Windows\System32\wwRTYss.exe
  2⤵
  PID:7608
- C:\Windows\System32\GjuVXpV.exe
  C:\Windows\System32\GjuVXpV.exe
  2⤵
  PID:7636
- C:\Windows\System32\IjxKSvl.exe
  C:\Windows\System32\IjxKSvl.exe
  2⤵
  PID:7664
- C:\Windows\System32\GHZQZKj.exe
  C:\Windows\System32\GHZQZKj.exe
  2⤵
  PID:7732
- C:\Windows\System32\ueEZPTj.exe
  C:\Windows\System32\ueEZPTj.exe
  2⤵
  PID:7752
- C:\Windows\System32\qZlCThj.exe
  C:\Windows\System32\qZlCThj.exe
  2⤵
  PID:7784
- C:\Windows\System32\PKsXXBX.exe
  C:\Windows\System32\PKsXXBX.exe
  2⤵
  PID:7828
- C:\Windows\System32\YNnglRo.exe
  C:\Windows\System32\YNnglRo.exe
  2⤵
  PID:7856
- C:\Windows\System32\uZZizLd.exe
  C:\Windows\System32\uZZizLd.exe
  2⤵
  PID:7880
- C:\Windows\System32\CpDMndE.exe
  C:\Windows\System32\CpDMndE.exe
  2⤵
  PID:7900
- C:\Windows\System32\aoEyMJX.exe
  C:\Windows\System32\aoEyMJX.exe
  2⤵
  PID:7928
- C:\Windows\System32\teMElZS.exe
  C:\Windows\System32\teMElZS.exe
  2⤵
  PID:7976
- C:\Windows\System32\nELQYjx.exe
  C:\Windows\System32\nELQYjx.exe
  2⤵
  PID:8004
- C:\Windows\System32\HgaaJYx.exe
  C:\Windows\System32\HgaaJYx.exe
  2⤵
  PID:8044
- C:\Windows\System32\cfvGJbE.exe
  C:\Windows\System32\cfvGJbE.exe
  2⤵
  PID:8068
- C:\Windows\System32\SmztWBx.exe
  C:\Windows\System32\SmztWBx.exe
  2⤵
  PID:8088
- C:\Windows\System32\fmueHet.exe
  C:\Windows\System32\fmueHet.exe
  2⤵
  PID:4648
- C:\Windows\System32\fABmDYj.exe
  C:\Windows\System32\fABmDYj.exe
  2⤵
  PID:3988
- C:\Windows\System32\izMcaYb.exe
  C:\Windows\System32\izMcaYb.exe
  2⤵
  PID:6256
- C:\Windows\System32\bWTbUQp.exe
  C:\Windows\System32\bWTbUQp.exe
  2⤵
  PID:7172
- C:\Windows\System32\cUPOuKw.exe
  C:\Windows\System32\cUPOuKw.exe
  2⤵
  PID:7240
- C:\Windows\System32\NhUWXNu.exe
  C:\Windows\System32\NhUWXNu.exe
  2⤵
  PID:7340
- C:\Windows\System32\QNWorBl.exe
  C:\Windows\System32\QNWorBl.exe
  2⤵
  PID:7396
- C:\Windows\System32\exKjnyF.exe
  C:\Windows\System32\exKjnyF.exe
  2⤵
  PID:7452
- C:\Windows\System32\pvUqXhM.exe
  C:\Windows\System32\pvUqXhM.exe
  2⤵
  PID:7520
- C:\Windows\System32\qKJHyVR.exe
  C:\Windows\System32\qKJHyVR.exe
  2⤵
  PID:7564
- C:\Windows\System32\NoQyMxL.exe
  C:\Windows\System32\NoQyMxL.exe
  2⤵
  PID:7604
- C:\Windows\System32\LNHWMVo.exe
  C:\Windows\System32\LNHWMVo.exe
  2⤵
  PID:7648
- C:\Windows\System32\itKtBHU.exe
  C:\Windows\System32\itKtBHU.exe
  2⤵
  PID:3232
- C:\Windows\System32\xzPrknz.exe
  C:\Windows\System32\xzPrknz.exe
  2⤵
  PID:4716
- C:\Windows\System32\JnkJXGg.exe
  C:\Windows\System32\JnkJXGg.exe
  2⤵
  PID:4276
- C:\Windows\System32\ylXQVoy.exe
  C:\Windows\System32\ylXQVoy.exe
  2⤵
  PID:7812
- C:\Windows\System32\vbRfqWH.exe
  C:\Windows\System32\vbRfqWH.exe
  2⤵
  PID:7948
- C:\Windows\System32\SaUQjHk.exe
  C:\Windows\System32\SaUQjHk.exe
  2⤵
  PID:7992
- C:\Windows\System32\XyViedT.exe
  C:\Windows\System32\XyViedT.exe
  2⤵
  PID:8084
- C:\Windows\System32\sNSHNSM.exe
  C:\Windows\System32\sNSHNSM.exe
  2⤵
  PID:7864
- C:\Windows\System32\caVeIHO.exe
  C:\Windows\System32\caVeIHO.exe
  2⤵
  PID:8100
- C:\Windows\System32\sOqJLKT.exe
  C:\Windows\System32\sOqJLKT.exe
  2⤵
  PID:4168
- C:\Windows\System32\xRUapba.exe
  C:\Windows\System32\xRUapba.exe
  2⤵
  PID:2208
- C:\Windows\System32\jfNDlZi.exe
  C:\Windows\System32\jfNDlZi.exe
  2⤵
  PID:7288
- C:\Windows\System32\pFOfYMU.exe
  C:\Windows\System32\pFOfYMU.exe
  2⤵
  PID:7424
- C:\Windows\System32\MruwxiY.exe
  C:\Windows\System32\MruwxiY.exe
  2⤵
  PID:4352
- C:\Windows\System32\ADGANUP.exe
  C:\Windows\System32\ADGANUP.exe
  2⤵
  PID:2824
- C:\Windows\System32\pKTYFFs.exe
  C:\Windows\System32\pKTYFFs.exe
  2⤵
  PID:7848
- C:\Windows\System32\EtrmPnZ.exe
  C:\Windows\System32\EtrmPnZ.exe
  2⤵
  PID:8028
- C:\Windows\System32\WwbEHdA.exe
  C:\Windows\System32\WwbEHdA.exe
  2⤵
  PID:7808
- C:\Windows\System32\bAhaIGm.exe
  C:\Windows\System32\bAhaIGm.exe
  2⤵
  PID:4192
- C:\Windows\System32\JfmKIOU.exe
  C:\Windows\System32\JfmKIOU.exe
  2⤵
  PID:7700
- C:\Windows\System32\yNECEcf.exe
  C:\Windows\System32\yNECEcf.exe
  2⤵
  PID:8156
- C:\Windows\System32\hbwtIFI.exe
  C:\Windows\System32\hbwtIFI.exe
  2⤵
  PID:7540
- C:\Windows\System32\vKJDKBz.exe
  C:\Windows\System32\vKJDKBz.exe
  2⤵
  PID:7284
- C:\Windows\System32\QHJOyxH.exe
  C:\Windows\System32\QHJOyxH.exe
  2⤵
  PID:8208
- C:\Windows\System32\OQPwXWZ.exe
  C:\Windows\System32\OQPwXWZ.exe
  2⤵
  PID:8236
- C:\Windows\System32\zjXlXap.exe
  C:\Windows\System32\zjXlXap.exe
  2⤵
  PID:8252
- C:\Windows\System32\yIWKiuL.exe
  C:\Windows\System32\yIWKiuL.exe
  2⤵
  PID:8280
- C:\Windows\System32\bWcxmFq.exe
  C:\Windows\System32\bWcxmFq.exe
  2⤵
  PID:8320
- C:\Windows\System32\SLIqliQ.exe
  C:\Windows\System32\SLIqliQ.exe
  2⤵
  PID:8344
- C:\Windows\System32\XjuAykm.exe
  C:\Windows\System32\XjuAykm.exe
  2⤵
  PID:8376
- C:\Windows\System32\GaSWdOD.exe
  C:\Windows\System32\GaSWdOD.exe
  2⤵
  PID:8404
- C:\Windows\System32\aGuVIqD.exe
  C:\Windows\System32\aGuVIqD.exe
  2⤵
  PID:8452
- C:\Windows\System32\eDZPUIN.exe
  C:\Windows\System32\eDZPUIN.exe
  2⤵
  PID:8468
- C:\Windows\System32\jZuaSFe.exe
  C:\Windows\System32\jZuaSFe.exe
  2⤵
  PID:8520
- C:\Windows\System32\CLJamjL.exe
  C:\Windows\System32\CLJamjL.exe
  2⤵
  PID:8564
- C:\Windows\System32\WihUAhz.exe
  C:\Windows\System32\WihUAhz.exe
  2⤵
  PID:8584
- C:\Windows\System32\cnnJSME.exe
  C:\Windows\System32\cnnJSME.exe
  2⤵
  PID:8612
- C:\Windows\System32\oEknkes.exe
  C:\Windows\System32\oEknkes.exe
  2⤵
  PID:8632
- C:\Windows\System32\UjAZiOW.exe
  C:\Windows\System32\UjAZiOW.exe
  2⤵
  PID:8656
- C:\Windows\System32\meoAwHI.exe
  C:\Windows\System32\meoAwHI.exe
  2⤵
  PID:8696
- C:\Windows\System32\teMhASV.exe
  C:\Windows\System32\teMhASV.exe
  2⤵
  PID:8724
- C:\Windows\System32\pAteGpu.exe
  C:\Windows\System32\pAteGpu.exe
  2⤵
  PID:8752
- C:\Windows\System32\ovZhFPT.exe
  C:\Windows\System32\ovZhFPT.exe
  2⤵
  PID:8772
- C:\Windows\System32\otwFzZP.exe
  C:\Windows\System32\otwFzZP.exe
  2⤵
  PID:8808
- C:\Windows\System32\GNAiiHH.exe
  C:\Windows\System32\GNAiiHH.exe
  2⤵
  PID:8828
- C:\Windows\System32\vSBAzGR.exe
  C:\Windows\System32\vSBAzGR.exe
  2⤵
  PID:8864
- C:\Windows\System32\xYGXXwz.exe
  C:\Windows\System32\xYGXXwz.exe
  2⤵
  PID:8880
- C:\Windows\System32\IiKeCIm.exe
  C:\Windows\System32\IiKeCIm.exe
  2⤵
  PID:8920
- C:\Windows\System32\jnVGBFj.exe
  C:\Windows\System32\jnVGBFj.exe
  2⤵
  PID:8948
- C:\Windows\System32\aIdbrbJ.exe
  C:\Windows\System32\aIdbrbJ.exe
  2⤵
  PID:8964
- C:\Windows\System32\MftZjPb.exe
  C:\Windows\System32\MftZjPb.exe
  2⤵
  PID:8992
- C:\Windows\System32\zSVbdXv.exe
  C:\Windows\System32\zSVbdXv.exe
  2⤵
  PID:9036
- C:\Windows\System32\AYluech.exe
  C:\Windows\System32\AYluech.exe
  2⤵
  PID:9060
- C:\Windows\System32\qHDPCFq.exe
  C:\Windows\System32\qHDPCFq.exe
  2⤵
  PID:9088
- C:\Windows\System32\hgujyPj.exe
  C:\Windows\System32\hgujyPj.exe
  2⤵
  PID:9108
- C:\Windows\System32\LqohvOy.exe
  C:\Windows\System32\LqohvOy.exe
  2⤵
  PID:9144
- C:\Windows\System32\BacqdWP.exe
  C:\Windows\System32\BacqdWP.exe
  2⤵
  PID:9172
- C:\Windows\System32\hIpoDzJ.exe
  C:\Windows\System32\hIpoDzJ.exe
  2⤵
  PID:9200
- C:\Windows\System32\sGpHVNU.exe
  C:\Windows\System32\sGpHVNU.exe
  2⤵
  PID:8220
- C:\Windows\System32\pLyJJGT.exe
  C:\Windows\System32\pLyJJGT.exe
  2⤵
  PID:8260
- C:\Windows\System32\qZSXraC.exe
  C:\Windows\System32\qZSXraC.exe
  2⤵
  PID:8292
- C:\Windows\System32\HMuiGAl.exe
  C:\Windows\System32\HMuiGAl.exe
  2⤵
  PID:8420
- C:\Windows\System32\oPYsAiA.exe
  C:\Windows\System32\oPYsAiA.exe
  2⤵
  PID:8460
- C:\Windows\System32\ShKkmYY.exe
  C:\Windows\System32\ShKkmYY.exe
  2⤵
  PID:8556
- C:\Windows\System32\GhgzTkL.exe
  C:\Windows\System32\GhgzTkL.exe
  2⤵
  PID:8624
- C:\Windows\System32\ApjFgzk.exe
  C:\Windows\System32\ApjFgzk.exe
  2⤵
  PID:8672
- C:\Windows\System32\pwROlsr.exe
  C:\Windows\System32\pwROlsr.exe
  2⤵
  PID:8704
- C:\Windows\System32\fgwPZwd.exe
  C:\Windows\System32\fgwPZwd.exe
  2⤵
  PID:8760
- C:\Windows\System32\nbrKRxr.exe
  C:\Windows\System32\nbrKRxr.exe
  2⤵
  PID:8800
- C:\Windows\System32\UYVeIxZ.exe
  C:\Windows\System32\UYVeIxZ.exe
  2⤵
  PID:3576
- C:\Windows\System32\wwsMdGT.exe
  C:\Windows\System32\wwsMdGT.exe
  2⤵
  PID:8900
- C:\Windows\System32\aDZiSFv.exe
  C:\Windows\System32\aDZiSFv.exe
  2⤵
  PID:8976
- C:\Windows\System32\scJNnKV.exe
  C:\Windows\System32\scJNnKV.exe
  2⤵
  PID:9052
- C:\Windows\System32\AvRWAAi.exe
  C:\Windows\System32\AvRWAAi.exe
  2⤵
  PID:9124
- C:\Windows\System32\SEjgAPK.exe
  C:\Windows\System32\SEjgAPK.exe
  2⤵
  PID:9196
- C:\Windows\System32\rhVOkTS.exe
  C:\Windows\System32\rhVOkTS.exe
  2⤵
  PID:6908
- C:\Windows\System32\QNSHalk.exe
  C:\Windows\System32\QNSHalk.exe
  2⤵
  PID:8464
- C:\Windows\System32\WulYvJv.exe
  C:\Windows\System32\WulYvJv.exe
  2⤵
  PID:8608
- C:\Windows\System32\hDsukYz.exe
  C:\Windows\System32\hDsukYz.exe
  2⤵
  PID:8796
- C:\Windows\System32\DONkvWY.exe
  C:\Windows\System32\DONkvWY.exe
  2⤵
  PID:2348
- C:\Windows\System32\nAoxtWO.exe
  C:\Windows\System32\nAoxtWO.exe
  2⤵
  PID:8424
- C:\Windows\System32\wnspeEX.exe
  C:\Windows\System32\wnspeEX.exe
  2⤵
  PID:9184
- C:\Windows\System32\xOjtVJT.exe
  C:\Windows\System32\xOjtVJT.exe
  2⤵
  PID:8388
- C:\Windows\System32\xuCMTtK.exe
  C:\Windows\System32\xuCMTtK.exe
  2⤵
  PID:8668
- C:\Windows\System32\DuOfVhY.exe
  C:\Windows\System32\DuOfVhY.exe
  2⤵
  PID:9072
- C:\Windows\System32\EWRzzwj.exe
  C:\Windows\System32\EWRzzwj.exe
  2⤵
  PID:1408
- C:\Windows\System32\ohGwsXv.exe
  C:\Windows\System32\ohGwsXv.exe
  2⤵
  PID:9224
- C:\Windows\System32\KqfXonx.exe
  C:\Windows\System32\KqfXonx.exe
  2⤵
  PID:9240
- C:\Windows\System32\tJxzNJq.exe
  C:\Windows\System32\tJxzNJq.exe
  2⤵
  PID:9260
- C:\Windows\System32\UgLwdyh.exe
  C:\Windows\System32\UgLwdyh.exe
  2⤵
  PID:9292
- C:\Windows\System32\yhLiUjt.exe
  C:\Windows\System32\yhLiUjt.exe
  2⤵
  PID:9324
- C:\Windows\System32\bOjhBzx.exe
  C:\Windows\System32\bOjhBzx.exe
  2⤵
  PID:9344
- C:\Windows\System32\hxHzovw.exe
  C:\Windows\System32\hxHzovw.exe
  2⤵
  PID:9376
- C:\Windows\System32\RnkORes.exe
  C:\Windows\System32\RnkORes.exe
  2⤵
  PID:9408
- C:\Windows\System32\gtcgdrq.exe
  C:\Windows\System32\gtcgdrq.exe
  2⤵
  PID:9444
- C:\Windows\System32\VngUUXj.exe
  C:\Windows\System32\VngUUXj.exe
  2⤵
  PID:9464
- C:\Windows\System32\mrmtXLD.exe
  C:\Windows\System32\mrmtXLD.exe
  2⤵
  PID:9492
- C:\Windows\System32\JyeEiil.exe
  C:\Windows\System32\JyeEiil.exe
  2⤵
  PID:9508
- C:\Windows\System32\ECGiClE.exe
  C:\Windows\System32\ECGiClE.exe
  2⤵
  PID:9524
- C:\Windows\System32\qJEcMZF.exe
  C:\Windows\System32\qJEcMZF.exe
  2⤵
  PID:9576
- C:\Windows\System32\ohgHzdQ.exe
  C:\Windows\System32\ohgHzdQ.exe
  2⤵
  PID:9592
- C:\Windows\System32\CKmmTuF.exe
  C:\Windows\System32\CKmmTuF.exe
  2⤵
  PID:9632
- C:\Windows\System32\iaxxyir.exe
  C:\Windows\System32\iaxxyir.exe
  2⤵
  PID:9660
- C:\Windows\System32\hzzusGk.exe
  C:\Windows\System32\hzzusGk.exe
  2⤵
  PID:9708
- C:\Windows\System32\byxWOIt.exe
  C:\Windows\System32\byxWOIt.exe
  2⤵
  PID:9748
- C:\Windows\System32\VSTSEmp.exe
  C:\Windows\System32\VSTSEmp.exe
  2⤵
  PID:9780
- C:\Windows\System32\FCKMhUe.exe
  C:\Windows\System32\FCKMhUe.exe
  2⤵
  PID:9808
- C:\Windows\System32\ZNILolH.exe
  C:\Windows\System32\ZNILolH.exe
  2⤵
  PID:9836
- C:\Windows\System32\EoFScUG.exe
  C:\Windows\System32\EoFScUG.exe
  2⤵
  PID:9852
- C:\Windows\System32\DAIzVJZ.exe
  C:\Windows\System32\DAIzVJZ.exe
  2⤵
  PID:9892
- C:\Windows\System32\VQZAlkB.exe
  C:\Windows\System32\VQZAlkB.exe
  2⤵
  PID:9920
- C:\Windows\System32\SSSTpfV.exe
  C:\Windows\System32\SSSTpfV.exe
  2⤵
  PID:9948
- C:\Windows\System32\iLYmnBT.exe
  C:\Windows\System32\iLYmnBT.exe
  2⤵
  PID:9976
- C:\Windows\System32\fyfsqka.exe
  C:\Windows\System32\fyfsqka.exe
  2⤵
  PID:9996
- C:\Windows\System32\IxnmeOK.exe
  C:\Windows\System32\IxnmeOK.exe
  2⤵
  PID:10012
- C:\Windows\System32\atRlMDH.exe
  C:\Windows\System32\atRlMDH.exe
  2⤵
  PID:10072
- C:\Windows\System32\SiHqtrT.exe
  C:\Windows\System32\SiHqtrT.exe
  2⤵
  PID:10092
- C:\Windows\System32\hmGyJdH.exe
  C:\Windows\System32\hmGyJdH.exe
  2⤵
  PID:10124
- C:\Windows\System32\Ktaqecb.exe
  C:\Windows\System32\Ktaqecb.exe
  2⤵
  PID:10156
- C:\Windows\System32\WzfVDUZ.exe
  C:\Windows\System32\WzfVDUZ.exe
  2⤵
  PID:10184
- C:\Windows\System32\NxaMGJh.exe
  C:\Windows\System32\NxaMGJh.exe
  2⤵
  PID:10204
- C:\Windows\System32\LakuPyx.exe
  C:\Windows\System32\LakuPyx.exe
  2⤵
  PID:10232
- C:\Windows\System32\vhlgkQS.exe
  C:\Windows\System32\vhlgkQS.exe
  2⤵
  PID:9280
- C:\Windows\System32\mMQSWuX.exe
  C:\Windows\System32\mMQSWuX.exe
  2⤵
  PID:9368
- C:\Windows\System32\AzLwCBy.exe
  C:\Windows\System32\AzLwCBy.exe
  2⤵
  PID:9384
- C:\Windows\System32\LWQMMeV.exe
  C:\Windows\System32\LWQMMeV.exe
  2⤵
  PID:9460
- C:\Windows\System32\BOgqwLp.exe
  C:\Windows\System32\BOgqwLp.exe
  2⤵
  PID:9516
- C:\Windows\System32\hvyRriL.exe
  C:\Windows\System32\hvyRriL.exe
  2⤵
  PID:9588
- C:\Windows\System32\qSrCndk.exe
  C:\Windows\System32\qSrCndk.exe
  2⤵
  PID:9652
- C:\Windows\System32\FOkDjZJ.exe
  C:\Windows\System32\FOkDjZJ.exe
  2⤵
  PID:9744
- C:\Windows\System32\pJDuhyF.exe
  C:\Windows\System32\pJDuhyF.exe
  2⤵
  PID:9804
- C:\Windows\System32\KeJKgZl.exe
  C:\Windows\System32\KeJKgZl.exe
  2⤵
  PID:9872
- C:\Windows\System32\RPHCogv.exe
  C:\Windows\System32\RPHCogv.exe
  2⤵
  PID:9912
- C:\Windows\System32\BnGvfvC.exe
  C:\Windows\System32\BnGvfvC.exe
  2⤵
  PID:9984
- C:\Windows\System32\rYZxuxp.exe
  C:\Windows\System32\rYZxuxp.exe
  2⤵
  PID:10044
- C:\Windows\System32\nqYbdYE.exe
  C:\Windows\System32\nqYbdYE.exe
  2⤵
  PID:10140
- C:\Windows\System32\ZnDRAYf.exe
  C:\Windows\System32\ZnDRAYf.exe
  2⤵
  PID:10172
- C:\Windows\System32\VPDAMzl.exe
  C:\Windows\System32\VPDAMzl.exe
  2⤵
  PID:9252
- C:\Windows\System32\GHzJdJF.exe
  C:\Windows\System32\GHzJdJF.exe
  2⤵
  PID:9452
- C:\Windows\System32\RuYijmj.exe
  C:\Windows\System32\RuYijmj.exe
  2⤵
  PID:9500
- C:\Windows\System32\JXdrgOS.exe
  C:\Windows\System32\JXdrgOS.exe
  2⤵
  PID:9688
- C:\Windows\System32\JHMqnkL.exe
  C:\Windows\System32\JHMqnkL.exe
  2⤵
  PID:9844
- C:\Windows\System32\siprXZy.exe
  C:\Windows\System32\siprXZy.exe
  2⤵
  PID:10024
- C:\Windows\System32\xrjdjeO.exe
  C:\Windows\System32\xrjdjeO.exe
  2⤵
  PID:10148
- C:\Windows\System32\mUtGsde.exe
  C:\Windows\System32\mUtGsde.exe
  2⤵
  PID:4312
- C:\Windows\System32\XlzuEBq.exe
  C:\Windows\System32\XlzuEBq.exe
  2⤵
  PID:9832
- C:\Windows\System32\KKeZzMH.exe
  C:\Windows\System32\KKeZzMH.exe
  2⤵
  PID:10216
- C:\Windows\System32\rJLqZtv.exe
  C:\Windows\System32\rJLqZtv.exe
  2⤵
  PID:9504
- C:\Windows\System32\aVnpied.exe
  C:\Windows\System32\aVnpied.exe
  2⤵
  PID:10084
- C:\Windows\System32\uCGrkFM.exe
  C:\Windows\System32\uCGrkFM.exe
  2⤵
  PID:10260
- C:\Windows\System32\mACulrf.exe
  C:\Windows\System32\mACulrf.exe
  2⤵
  PID:10288
- C:\Windows\System32\DdGXPdO.exe
  C:\Windows\System32\DdGXPdO.exe
  2⤵
  PID:10320
- C:\Windows\System32\XmMsEoN.exe
  C:\Windows\System32\XmMsEoN.exe
  2⤵
  PID:10340
- C:\Windows\System32\OUNEngG.exe
  C:\Windows\System32\OUNEngG.exe
  2⤵
  PID:10372
- C:\Windows\System32\hMBUEzy.exe
  C:\Windows\System32\hMBUEzy.exe
  2⤵
  PID:10388
- C:\Windows\System32\JZEAbvp.exe
  C:\Windows\System32\JZEAbvp.exe
  2⤵
  PID:10428
- C:\Windows\System32\SHmAvaS.exe
  C:\Windows\System32\SHmAvaS.exe
  2⤵
  PID:10456
- C:\Windows\System32\HwqjaEA.exe
  C:\Windows\System32\HwqjaEA.exe
  2⤵
  PID:10484
- C:\Windows\System32\TWgvoGi.exe
  C:\Windows\System32\TWgvoGi.exe
  2⤵
  PID:10512
- C:\Windows\System32\IyCuJqy.exe
  C:\Windows\System32\IyCuJqy.exe
  2⤵
  PID:10540
- C:\Windows\System32\aVrqcZY.exe
  C:\Windows\System32\aVrqcZY.exe
  2⤵
  PID:10560
- C:\Windows\System32\BPJutAk.exe
  C:\Windows\System32\BPJutAk.exe
  2⤵
  PID:10604
- C:\Windows\System32\uOYJVuz.exe
  C:\Windows\System32\uOYJVuz.exe
  2⤵
  PID:10644
- C:\Windows\System32\suyPzmv.exe
  C:\Windows\System32\suyPzmv.exe
  2⤵
  PID:10672
- C:\Windows\System32\PtspEft.exe
  C:\Windows\System32\PtspEft.exe
  2⤵
  PID:10700
- C:\Windows\System32\fyewXdQ.exe
  C:\Windows\System32\fyewXdQ.exe
  2⤵
  PID:10728
- C:\Windows\System32\eYKlGkR.exe
  C:\Windows\System32\eYKlGkR.exe
  2⤵
  PID:10756
- C:\Windows\System32\wBreBAm.exe
  C:\Windows\System32\wBreBAm.exe
  2⤵
  PID:10784
- C:\Windows\System32\eUzGGhU.exe
  C:\Windows\System32\eUzGGhU.exe
  2⤵
  PID:10804
- C:\Windows\System32\DsUyqEc.exe
  C:\Windows\System32\DsUyqEc.exe
  2⤵
  PID:10836
- C:\Windows\System32\lGBSvUw.exe
  C:\Windows\System32\lGBSvUw.exe
  2⤵
  PID:10868
- C:\Windows\System32\gnVUAzg.exe
  C:\Windows\System32\gnVUAzg.exe
  2⤵
  PID:10896
- C:\Windows\System32\Aqteuve.exe
  C:\Windows\System32\Aqteuve.exe
  2⤵
  PID:10932
- C:\Windows\System32\rDIoonr.exe
  C:\Windows\System32\rDIoonr.exe
  2⤵
  PID:10956
- C:\Windows\System32\bLwKguv.exe
  C:\Windows\System32\bLwKguv.exe
  2⤵
  PID:10984
- C:\Windows\System32\YUmauYS.exe
  C:\Windows\System32\YUmauYS.exe
  2⤵
  PID:11012
- C:\Windows\System32\IATYTFu.exe
  C:\Windows\System32\IATYTFu.exe
  2⤵
  PID:11028
- C:\Windows\System32\RMUtQJM.exe
  C:\Windows\System32\RMUtQJM.exe
  2⤵
  PID:11072
- C:\Windows\System32\nHepLzW.exe
  C:\Windows\System32\nHepLzW.exe
  2⤵
  PID:11096
- C:\Windows\System32\XbYPanz.exe
  C:\Windows\System32\XbYPanz.exe
  2⤵
  PID:11112
- C:\Windows\System32\GmnqMnU.exe
  C:\Windows\System32\GmnqMnU.exe
  2⤵
  PID:11152
- C:\Windows\System32\nHJzLEI.exe
  C:\Windows\System32\nHJzLEI.exe
  2⤵
  PID:11168
- C:\Windows\System32\RthayuA.exe
  C:\Windows\System32\RthayuA.exe
  2⤵
  PID:11208
- C:\Windows\System32\BRyExdA.exe
  C:\Windows\System32\BRyExdA.exe
  2⤵
  PID:11236
- C:\Windows\System32\qwpoonB.exe
  C:\Windows\System32\qwpoonB.exe
  2⤵
  PID:10244
- C:\Windows\System32\aEaYTXW.exe
  C:\Windows\System32\aEaYTXW.exe
  2⤵
  PID:10308
- C:\Windows\System32\WkRDJGz.exe
  C:\Windows\System32\WkRDJGz.exe
  2⤵
  PID:10384
- C:\Windows\System32\wgkMKIv.exe
  C:\Windows\System32\wgkMKIv.exe
  2⤵
  PID:10412
- C:\Windows\System32\gsHFdIh.exe
  C:\Windows\System32\gsHFdIh.exe
  2⤵
  PID:10496
- C:\Windows\System32\PGbfvsX.exe
  C:\Windows\System32\PGbfvsX.exe
  2⤵
  PID:10548
- C:\Windows\System32\bPipzGE.exe
  C:\Windows\System32\bPipzGE.exe
  2⤵
  PID:10640
- C:\Windows\System32\YCPXBrZ.exe
  C:\Windows\System32\YCPXBrZ.exe
  2⤵
  PID:10712
- C:\Windows\System32\eUfYhgH.exe
  C:\Windows\System32\eUfYhgH.exe
  2⤵
  PID:10776
- C:\Windows\System32\EelaCjG.exe
  C:\Windows\System32\EelaCjG.exe
  2⤵
  PID:10852
- C:\Windows\System32\EAdMaam.exe
  C:\Windows\System32\EAdMaam.exe
  2⤵
  PID:10924
- C:\Windows\System32\zSLusON.exe
  C:\Windows\System32\zSLusON.exe
  2⤵
  PID:10996
- C:\Windows\System32\ARaWTVM.exe
  C:\Windows\System32\ARaWTVM.exe
  2⤵
  PID:11044
- C:\Windows\System32\KDzaIcR.exe
  C:\Windows\System32\KDzaIcR.exe
  2⤵
  PID:11132
- C:\Windows\System32\PAwHEKH.exe
  C:\Windows\System32\PAwHEKH.exe
  2⤵
  PID:11180
- C:\Windows\System32\IrAaByI.exe
  C:\Windows\System32\IrAaByI.exe
  2⤵
  PID:11232
- C:\Windows\System32\tEpwXoD.exe
  C:\Windows\System32\tEpwXoD.exe
  2⤵
  PID:10088
- C:\Windows\System32\AybOLgJ.exe
  C:\Windows\System32\AybOLgJ.exe
  2⤵
  PID:10536
- C:\Windows\System32\SIEjPTm.exe
  C:\Windows\System32\SIEjPTm.exe
  2⤵
  PID:10780
- C:\Windows\System32\FydWVOQ.exe
  C:\Windows\System32\FydWVOQ.exe
  2⤵
  PID:11036
- C:\Windows\System32\vFavexj.exe
  C:\Windows\System32\vFavexj.exe
  2⤵
  PID:10280
- C:\Windows\System32\KVASBSL.exe
  C:\Windows\System32\KVASBSL.exe
  2⤵
  PID:10524
- C:\Windows\System32\tpZglnn.exe
  C:\Windows\System32\tpZglnn.exe
  2⤵
  PID:10476
- C:\Windows\System32\rNZFRRm.exe
  C:\Windows\System32\rNZFRRm.exe
  2⤵
  PID:10844
- C:\Windows\System32\gynWVqE.exe
  C:\Windows\System32\gynWVqE.exe
  2⤵
  PID:11284
- C:\Windows\System32\AqBfmby.exe
  C:\Windows\System32\AqBfmby.exe
  2⤵
  PID:11312
- C:\Windows\System32\DPhLzFZ.exe
  C:\Windows\System32\DPhLzFZ.exe
  2⤵
  PID:11340
- C:\Windows\System32\SzAJTWG.exe
  C:\Windows\System32\SzAJTWG.exe
  2⤵
  PID:11368
- C:\Windows\System32\zbfjLdI.exe
  C:\Windows\System32\zbfjLdI.exe
  2⤵
  PID:11396
- C:\Windows\System32\kITSGmr.exe
  C:\Windows\System32\kITSGmr.exe
  2⤵
  PID:11428
- C:\Windows\System32\ZRkUbTB.exe
  C:\Windows\System32\ZRkUbTB.exe
  2⤵
  PID:11456
- C:\Windows\System32\oelQAqS.exe
  C:\Windows\System32\oelQAqS.exe
  2⤵
  PID:11484
- C:\Windows\System32\JAPwlJH.exe
  C:\Windows\System32\JAPwlJH.exe
  2⤵
  PID:11512
- C:\Windows\System32\vWaIYrH.exe
  C:\Windows\System32\vWaIYrH.exe
  2⤵
  PID:11540
- C:\Windows\System32\IAYxSHO.exe
  C:\Windows\System32\IAYxSHO.exe
  2⤵
  PID:11584
- C:\Windows\System32\gfksarZ.exe
  C:\Windows\System32\gfksarZ.exe
  2⤵
  PID:11600
- C:\Windows\System32\VjXOSjs.exe
  C:\Windows\System32\VjXOSjs.exe
  2⤵
  PID:11628
- C:\Windows\System32\xeBloRD.exe
  C:\Windows\System32\xeBloRD.exe
  2⤵
  PID:11656
- C:\Windows\System32\MUAdnxz.exe
  C:\Windows\System32\MUAdnxz.exe
  2⤵
  PID:11684
- C:\Windows\System32\rNUdUlj.exe
  C:\Windows\System32\rNUdUlj.exe
  2⤵
  PID:11716
- C:\Windows\System32\lIZImuL.exe
  C:\Windows\System32\lIZImuL.exe
  2⤵
  PID:11740
- C:\Windows\System32\qHHxULQ.exe
  C:\Windows\System32\qHHxULQ.exe
  2⤵
  PID:11768
- C:\Windows\System32\zXXKJut.exe
  C:\Windows\System32\zXXKJut.exe
  2⤵
  PID:11796
- C:\Windows\System32\QLKSuxJ.exe
  C:\Windows\System32\QLKSuxJ.exe
  2⤵
  PID:11824
- C:\Windows\System32\TOOvgGO.exe
  C:\Windows\System32\TOOvgGO.exe
  2⤵
  PID:11852
- C:\Windows\System32\YuGUUkn.exe
  C:\Windows\System32\YuGUUkn.exe
  2⤵
  PID:11880
- C:\Windows\System32\zdMchDn.exe
  C:\Windows\System32\zdMchDn.exe
  2⤵
  PID:11908
- C:\Windows\System32\HIYsJBY.exe
  C:\Windows\System32\HIYsJBY.exe
  2⤵
  PID:11936
- C:\Windows\System32\vbNbfJF.exe
  C:\Windows\System32\vbNbfJF.exe
  2⤵
  PID:11968
- C:\Windows\System32\DEsykPF.exe
  C:\Windows\System32\DEsykPF.exe
  2⤵
  PID:11992
- C:\Windows\System32\xEoaurJ.exe
  C:\Windows\System32\xEoaurJ.exe
  2⤵
  PID:12028
- C:\Windows\System32\ZFKSRNy.exe
  C:\Windows\System32\ZFKSRNy.exe
  2⤵
  PID:12048
- C:\Windows\System32\lMAykKa.exe
  C:\Windows\System32\lMAykKa.exe
  2⤵
  PID:12076
- C:\Windows\System32\fQcTApo.exe
  C:\Windows\System32\fQcTApo.exe
  2⤵
  PID:12108
- C:\Windows\System32\roNPmsK.exe
  C:\Windows\System32\roNPmsK.exe
  2⤵
  PID:12136
- C:\Windows\System32\WjHTABK.exe
  C:\Windows\System32\WjHTABK.exe
  2⤵
  PID:12164
- C:\Windows\System32\SubcZYE.exe
  C:\Windows\System32\SubcZYE.exe
  2⤵
  PID:12192
- C:\Windows\System32\gcHvmDW.exe
  C:\Windows\System32\gcHvmDW.exe
  2⤵
  PID:12220
- C:\Windows\System32\GXKCuEa.exe
  C:\Windows\System32\GXKCuEa.exe
  2⤵
  PID:12248
- C:\Windows\System32\RIKCQxg.exe
  C:\Windows\System32\RIKCQxg.exe
  2⤵
  PID:12276
- C:\Windows\System32\oiqWvQb.exe
  C:\Windows\System32\oiqWvQb.exe
  2⤵
  PID:11308
- C:\Windows\System32\RBVrqqi.exe
  C:\Windows\System32\RBVrqqi.exe
  2⤵
  PID:11364
- C:\Windows\System32\OoHqdtZ.exe
  C:\Windows\System32\OoHqdtZ.exe
  2⤵
  PID:11440
- C:\Windows\System32\QIJsFmo.exe
  C:\Windows\System32\QIJsFmo.exe
  2⤵
  PID:11504
- C:\Windows\System32\Wydacst.exe
  C:\Windows\System32\Wydacst.exe
  2⤵
  PID:11576
- C:\Windows\System32\PUKirQk.exe
  C:\Windows\System32\PUKirQk.exe
  2⤵
  PID:11596
- C:\Windows\System32\FluRfjO.exe
  C:\Windows\System32\FluRfjO.exe
  2⤵
  PID:11668
- C:\Windows\System32\AIjqeDP.exe
  C:\Windows\System32\AIjqeDP.exe
  2⤵
  PID:11760
- C:\Windows\System32\eItCHdC.exe
  C:\Windows\System32\eItCHdC.exe
  2⤵
  PID:11816
- C:\Windows\System32\vSGgVMz.exe
  C:\Windows\System32\vSGgVMz.exe
  2⤵
  PID:11876
- C:\Windows\System32\fMOPOif.exe
  C:\Windows\System32\fMOPOif.exe
  2⤵
  PID:11952
- C:\Windows\System32\znzsZwK.exe
  C:\Windows\System32\znzsZwK.exe
  2⤵
  PID:12012
- C:\Windows\System32\RILsMPu.exe
  C:\Windows\System32\RILsMPu.exe
  2⤵
  PID:12072
- C:\Windows\System32\YOgopPV.exe
  C:\Windows\System32\YOgopPV.exe
  2⤵
  PID:12148
- C:\Windows\System32\bAgLxaN.exe
  C:\Windows\System32\bAgLxaN.exe
  2⤵
  PID:12212
- C:\Windows\System32\mLlBqpO.exe
  C:\Windows\System32\mLlBqpO.exe
  2⤵
  PID:11268
- C:\Windows\System32\JrLeFKW.exe
  C:\Windows\System32\JrLeFKW.exe
  2⤵
  PID:11420
- C:\Windows\System32\PMdXXsW.exe
  C:\Windows\System32\PMdXXsW.exe
  2⤵
  PID:11560
- C:\Windows\System32\JXqRNrW.exe
  C:\Windows\System32\JXqRNrW.exe
  2⤵
  PID:11724
- C:\Windows\System32\dgFbkTa.exe
  C:\Windows\System32\dgFbkTa.exe
  2⤵
  PID:11864
- C:\Windows\System32\FxzQbwK.exe
  C:\Windows\System32\FxzQbwK.exe
  2⤵
  PID:12008
- C:\Windows\System32\FAfErRy.exe
  C:\Windows\System32\FAfErRy.exe
  2⤵
  PID:12176
- C:\Windows\System32\lSVEjwd.exe
  C:\Windows\System32\lSVEjwd.exe
  2⤵
  PID:11336
- C:\Windows\System32\LhFljUC.exe
  C:\Windows\System32\LhFljUC.exe
  2⤵
  PID:11648
- C:\Windows\System32\DmHrkZa.exe
  C:\Windows\System32\DmHrkZa.exe
  2⤵
  PID:11988
- C:\Windows\System32\osoIRjJ.exe
  C:\Windows\System32\osoIRjJ.exe
  2⤵
  PID:11480
- C:\Windows\System32\IuLGHuM.exe
  C:\Windows\System32\IuLGHuM.exe
  2⤵
  PID:12264
- C:\Windows\System32\ARUEILB.exe
  C:\Windows\System32\ARUEILB.exe
  2⤵
  PID:12296
- C:\Windows\System32\aRtzozZ.exe
  C:\Windows\System32\aRtzozZ.exe
  2⤵
  PID:12328
- C:\Windows\System32\qbKgXmn.exe
  C:\Windows\System32\qbKgXmn.exe
  2⤵
  PID:12388
- C:\Windows\System32\wlpTUuy.exe
  C:\Windows\System32\wlpTUuy.exe
  2⤵
  PID:12420
- C:\Windows\System32\DIrLBsl.exe
  C:\Windows\System32\DIrLBsl.exe
  2⤵
  PID:12456
- C:\Windows\System32\lMRdzZu.exe
  C:\Windows\System32\lMRdzZu.exe
  2⤵
  PID:12488
- C:\Windows\System32\CWeqWCJ.exe
  C:\Windows\System32\CWeqWCJ.exe
  2⤵
  PID:12520
- C:\Windows\System32\HutZAgq.exe
  C:\Windows\System32\HutZAgq.exe
  2⤵
  PID:12536
- C:\Windows\System32\FEtoHxU.exe
  C:\Windows\System32\FEtoHxU.exe
  2⤵
  PID:12564
- C:\Windows\System32\jEWdkan.exe
  C:\Windows\System32\jEWdkan.exe
  2⤵
  PID:12600
- C:\Windows\System32\kECwWLN.exe
  C:\Windows\System32\kECwWLN.exe
  2⤵
  PID:12636
- C:\Windows\System32\Whszxax.exe
  C:\Windows\System32\Whszxax.exe
  2⤵
  PID:12656
- C:\Windows\System32\BYbYYFq.exe
  C:\Windows\System32\BYbYYFq.exe
  2⤵
  PID:12684
- C:\Windows\System32\lrfrpEi.exe
  C:\Windows\System32\lrfrpEi.exe
  2⤵
  PID:12724
- C:\Windows\System32\vipRIdx.exe
  C:\Windows\System32\vipRIdx.exe
  2⤵
  PID:12752
- C:\Windows\System32\nAKkONo.exe
  C:\Windows\System32\nAKkONo.exe
  2⤵
  PID:12780
- C:\Windows\System32\pCQHwbe.exe
  C:\Windows\System32\pCQHwbe.exe
  2⤵
  PID:12808
- C:\Windows\System32\UAERmDQ.exe
  C:\Windows\System32\UAERmDQ.exe
  2⤵
  PID:12836
- C:\Windows\System32\lSbXODh.exe
  C:\Windows\System32\lSbXODh.exe
  2⤵
  PID:12864
- C:\Windows\System32\DKytLaJ.exe
  C:\Windows\System32\DKytLaJ.exe
  2⤵
  PID:12892
- C:\Windows\System32\NSQalQA.exe
  C:\Windows\System32\NSQalQA.exe
  2⤵
  PID:12920
- C:\Windows\System32\JtShkSU.exe
  C:\Windows\System32\JtShkSU.exe
  2⤵
  PID:12960
- C:\Windows\System32\VoiKsxX.exe
  C:\Windows\System32\VoiKsxX.exe
  2⤵
  PID:12984
- C:\Windows\System32\OpOQAmO.exe
  C:\Windows\System32\OpOQAmO.exe
  2⤵
  PID:13004
- C:\Windows\System32\CsFoeqP.exe
  C:\Windows\System32\CsFoeqP.exe
  2⤵
  PID:13032
- C:\Windows\System32\xWMbWNC.exe
  C:\Windows\System32\xWMbWNC.exe
  2⤵
  PID:13060
- C:\Windows\System32\UMzyRja.exe
  C:\Windows\System32\UMzyRja.exe
  2⤵
  PID:13096
- C:\Windows\System32\UeLwKKw.exe
  C:\Windows\System32\UeLwKKw.exe
  2⤵
  PID:13148
- C:\Windows\System32\DeJQRNI.exe
  C:\Windows\System32\DeJQRNI.exe
  2⤵
  PID:13180
- C:\Windows\System32\PUyjJrj.exe
  C:\Windows\System32\PUyjJrj.exe
  2⤵
  PID:13212
- C:\Windows\System32\edhUbiT.exe
  C:\Windows\System32\edhUbiT.exe
  2⤵
  PID:13240
- C:\Windows\System32\kpolbsB.exe
  C:\Windows\System32\kpolbsB.exe
  2⤵
  PID:13268
- C:\Windows\System32\DjQyQAg.exe
  C:\Windows\System32\DjQyQAg.exe
  2⤵
  PID:13296
- C:\Windows\System32\ctgahaY.exe
  C:\Windows\System32\ctgahaY.exe
  2⤵
  PID:12316
- C:\Windows\System32\RodQDPI.exe
  C:\Windows\System32\RodQDPI.exe
  2⤵
  PID:12400
- C:\Windows\System32\hDbWiZM.exe
  C:\Windows\System32\hDbWiZM.exe
  2⤵
  PID:3596
- C:\Windows\System32\VpKUWIF.exe
  C:\Windows\System32\VpKUWIF.exe
  2⤵
  PID:12508
- C:\Windows\System32\fZvepvy.exe
  C:\Windows\System32\fZvepvy.exe
  2⤵
  PID:12580
- C:\Windows\System32\Hcuwfco.exe
  C:\Windows\System32\Hcuwfco.exe
  2⤵
  PID:12628
- C:\Windows\System32\oWHqols.exe
  C:\Windows\System32\oWHqols.exe
  2⤵
  PID:12736
- C:\Windows\System32\ahWfWdk.exe
  C:\Windows\System32\ahWfWdk.exe
  2⤵
  PID:1264
- C:\Windows\System32\JAxHhUv.exe
  C:\Windows\System32\JAxHhUv.exe
  2⤵
  PID:12764
- C:\Windows\System32\ubGciKW.exe
  C:\Windows\System32\ubGciKW.exe
  2⤵
  PID:12828
- C:\Windows\System32\XOQwvnL.exe
  C:\Windows\System32\XOQwvnL.exe
  2⤵
  PID:12888
- C:\Windows\System32\KuljyLo.exe
  C:\Windows\System32\KuljyLo.exe
  2⤵
  PID:12376
- C:\Windows\System32\xPXUyri.exe
  C:\Windows\System32\xPXUyri.exe
  2⤵
  PID:12992
- C:\Windows\System32\uIOwLPu.exe
  C:\Windows\System32\uIOwLPu.exe
  2⤵
  PID:13168
- C:\Windows\System32\VLSqUPe.exe
  C:\Windows\System32\VLSqUPe.exe
  2⤵
  PID:13260
- C:\Windows\System32\NYpPOjp.exe
  C:\Windows\System32\NYpPOjp.exe
  2⤵
  PID:12096
- C:\Windows\System32\DMYZBNu.exe
  C:\Windows\System32\DMYZBNu.exe
  2⤵
  PID:12504
- C:\Windows\System32\BAiajYQ.exe
  C:\Windows\System32\BAiajYQ.exe
  2⤵
  PID:12668
- C:\Windows\System32\FZkNuBv.exe
  C:\Windows\System32\FZkNuBv.exe
  2⤵
  PID:4756
- C:\Windows\System32\KydNlpY.exe
  C:\Windows\System32\KydNlpY.exe
  2⤵
  PID:12940
- C:\Windows\System32\DETWblI.exe
  C:\Windows\System32\DETWblI.exe
  2⤵
  PID:12464
- C:\Windows\System32\sSoiTLy.exe
  C:\Windows\System32\sSoiTLy.exe
  2⤵
  PID:12416
- C:\Windows\System32\VlrbitF.exe
  C:\Windows\System32\VlrbitF.exe
  2⤵
  PID:12744
- C:\Windows\System32\ZjyyTHD.exe
  C:\Windows\System32\ZjyyTHD.exe
  2⤵
  PID:13132
- C:\Windows\System32\QLObZLo.exe
  C:\Windows\System32\QLObZLo.exe
  2⤵
  PID:12856
- C:\Windows\System32\LxsSeIH.exe
  C:\Windows\System32\LxsSeIH.exe
  2⤵
  PID:12696
- C:\Windows\System32\NkTnAsw.exe
  C:\Windows\System32\NkTnAsw.exe
  2⤵
  PID:13344
- C:\Windows\System32\mPLdFaM.exe
  C:\Windows\System32\mPLdFaM.exe
  2⤵
  PID:13372
- C:\Windows\System32\tSVgdaB.exe
  C:\Windows\System32\tSVgdaB.exe
  2⤵
  PID:13400
- C:\Windows\System32\ZXRktqv.exe
  C:\Windows\System32\ZXRktqv.exe
  2⤵
  PID:13700

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ARNxVkw.exe

Filesize
3.0MB

MD5
cc1bb35cd746e48f1736c207c84fc0a5

SHA1
a905628fcf73f1fbdd6fa027f9b1abed18b17448

SHA256
a94c60a164da7916b833290d389b9f0654ba8c6b1cc2f7571f8e7cffe3d09b04

SHA512
037e57dae6b4cf72b38a32b2bbd46a15d04487db73aa9d8986c7923a492bd0fca55e332569c88496228c88f917054e369c3835d412b5a573281656455fbca0ba

Download Submit
C:\Windows\System32\DAxfKfk.exe

Filesize
3.0MB

MD5
ac53601c466530b1158de0a184e37944

SHA1
710019c8f02025c3da16db427325c3c0bcb864db

SHA256
7a4b44f75422d273b1d95656262f04e9f36fd91b2751c43d284942f61121458d

SHA512
df6e13df65cbe9c4583ba240f2e3cb68c509970a9b583fab7a351d2b3218781c33d6e0a440e5eddf46ed40bb0938345056b177faf70e13e8d7264e1c05691574

Download Submit
C:\Windows\System32\DIVKrIV.exe

Filesize
3.0MB

MD5
ba6eef86e821620d27fe6c93779a0ba2

SHA1
13b219fd6193325e46ac5fc531ec8e0cdbeb3411

SHA256
716997d990137d5c5409600de0ac489ad32105907183e2313ae04d111f38b238

SHA512
8136a579cd634455f81f044903f1a89e737f10941bc2185659e4e5efb508c91f1f5dc9bffdb52afbcd1590b151bf2f2a00fcd4b179bd9c03e0b1e5ace3454127

Download Submit
C:\Windows\System32\EomhRdA.exe

Filesize
3.0MB

MD5
d7e5050830deea3fe953c4d18a1462d8

SHA1
99beffac08f7b0a774d39fa8e2c47ddf74791d1b

SHA256
db2ef17e7e319bb027fdb7fadc1af14a4405a3fb4e16c8509c1517830036dd5b

SHA512
c543997b41a6ec0f858d2e892406affc6d852d3a54441eec3e204a7d6e10d43c20a6ee4527016b862ccf309c683f08035ab1b625349872ad2a0056f7db3ecba9

Download Submit
C:\Windows\System32\FjGHzad.exe

Filesize
3.0MB

MD5
7cd828a0099706c205f5f6f3fafa303c

SHA1
c35602f62c53db0346afc80c48551d2c145b1b8e

SHA256
76c5700c99ae4659258faa64080ec73d80aab00a12751d3cd10d2122d2479404

SHA512
abc2e8baa39cd157db0cdd946343bc3761961005d6e520cfd73ad1275b4292f5741915c8ce11b0e633db9b3af7ef5e526f287d08efbf10f729a5bb0a73f3de43

Download Submit
C:\Windows\System32\IvUVJcM.exe

Filesize
3.0MB

MD5
4136e701f61fbebbf4a8e363abd9addf

SHA1
06b7c4add687b17180fee4c74edda36c88f854e0

SHA256
f8b9a9035d87b57f3c9acdc2f26e8fd0c1ada2e77e1bdb4c4b193a577cf35722

SHA512
2d2ba2daacb6c16025483298b5c5cb122a5ca06dfd20d8c73d3d23a4c33e9eafea56080eb63c365ec78d3ee9a582c13aa77dd22a020d4c3890da9753a2cb2242

Download Submit
C:\Windows\System32\LiutyLr.exe

Filesize
3.0MB

MD5
0d83dbbfd1c50ae1f55693b2a1b4a30a

SHA1
b74b61f760674ea5deb469c65586fb8d4568773e

SHA256
363edcf9d0de9c812399eae8e8449f086d07ae197094901003436eedbc9c9f62

SHA512
5b3e61fd55a49415898046a16ae46a56ee041728898742a05db32b3f9859058abf63c045180f8225ffcc3e71d912dc85272ce6360d2bbd4c3986c1b4c1461b1f

Download Submit
C:\Windows\System32\LxBCsuq.exe

Filesize
3.0MB

MD5
53cc5189bc90f46e7525381d21835f3d

SHA1
077a71fca5e66d6e2465f7a15938c41e7185d406

SHA256
3919f50bbac8fbc0c6a6e5252998a43c7e7a891ea5f637a3e6bd30fc682989c2

SHA512
a2779fc20a497517b4779060d8b36f48115ff57dcfb92c26a9fa3ef93a33a52d2216c124ce6d43654b80367b6e0245c2da5ee2d76ef08a150d61c658c56aba0c

Download Submit
C:\Windows\System32\ORcWpsl.exe

Filesize
3.0MB

MD5
b09591abbdcdd3a7366e4554aac796e1

SHA1
d3f27300dfb535665042924d8e134b8777121ab1

SHA256
1f013f4cab6023a8c0565e9dae89dbe1c33e4648adeafd93fe62449a1861993c

SHA512
e1a24c18914d872120d1643af561bbf62096aeffa29af1e3a3055d9570ecc1222ecee8aa4f3c6b66d2069ac833ef22f304c027c841f79749dfaa105582930e25

Download Submit
C:\Windows\System32\QVSwbNf.exe

Filesize
3.0MB

MD5
8344410519e820483a4dcdb57f00d0b2

SHA1
3fd79caf004f75a6e57321f5be8d4bd1952c6558

SHA256
ca0b1966972656db8c2aebc82af44c41ea0bd97d1cc249a4ef599f9ae86e0fec

SHA512
4f59482b9168311e5200667931d6dfce213420a8402ccded0d532c892998e057180c611c548cedcf333c55077cea063d0891ceee74a991a42cc2a68910e8e849

Download Submit
C:\Windows\System32\UctUfRl.exe

Filesize
3.0MB

MD5
860719146854505b80cbf4f1b77d9906

SHA1
c9dfa9495445d509d1ceb47f17a48bbe5b0a121b

SHA256
7bfd8a5b697195e14c254920e4ca0a17385b70a815bd8d893bdf47f7db6c17ca

SHA512
d32e3fc41cb84e53f11a1f223a892473ffa96b9f4eb1b9461671f95fe5b77e899ba2143ba1ab983caa61c8d63ab87efd128e1cffcef8c1728e622ca1832efdda

Download Submit
C:\Windows\System32\WLZZBoR.exe

Filesize
3.0MB

MD5
57a784aa7b0041f10639096f287c0d14

SHA1
4d8fdcc4c9098d8ff7cabc006983caee26d51138

SHA256
1990583101f815884fab8a10da3aa93ef5fb82e67922de5c6d9baa2cb7fca4cb

SHA512
0961b74d8b95d0080690a4631285da4e02db293d64f5156b25a457244608a5c2a9b6f1eacbb57c44bc89f49ecf3b1aea408677aaab766a11408a2546bd78def2

Download Submit
C:\Windows\System32\YArJuXS.exe

Filesize
3.0MB

MD5
8df0bf15d103efb130dde9cab82b272c

SHA1
8038a05274ab195c4c7f47d1e1ce9a6103060679

SHA256
3a0d916c78d97a6a4c8e3a5b0f79812b9e6e8eb27c9f6a4f7fb5dbbc3a29c4ef

SHA512
e2e49684257fb377e43b5485ec5542059826f640506c8afda49f1666f390b5f6e486d0e19be95b325f7ca992f58ecbbf782f3dc6482f6fd2c2f431f1f1660116

Download Submit
C:\Windows\System32\YGcyzxd.exe

Filesize
3.0MB

MD5
05815cd80204059645af331f3fb758d0

SHA1
377142357f194bcf4acb2afbc68193bad12f6498

SHA256
4f7276eb06e0661abd7399d16c0f7d86b4037d10248352220c318ee4d1f3872f

SHA512
38bc45ce914badb1d5c19e6c0c01b6dcfd964820ee11071e2cba2e8d3abb20ed013f4ef1388cdc33108a894d8fd940a003be94e5727ffd3352135a558c2b1666

Download Submit
C:\Windows\System32\ZfpRbZA.exe

Filesize
3.0MB

MD5
614a06d2105c7d02f6ae35218f16b753

SHA1
f8f2a92cdc980bbf33e705fc254b2a1e86001f3c

SHA256
eda6599d22e0ee2b410e9d71333d9f4ffeab460d51cfdae5892c61fc1e543c11

SHA512
74e4a772e723e82cf73e543424dae335255f22350c8e3cb6247390a7b73f3968ba505611e82dae4f6c3a7bb3309456ddfb9ebb75ee1c926677c1a45dba037965

Download Submit
C:\Windows\System32\aqmxuEF.exe

Filesize
3.0MB

MD5
8107aa86ca375c15f4d9f724854159b0

SHA1
8913a9cd377ee55fb1653c08437c8b91d2982909

SHA256
84aee4f078592f5f4aa433dded3cabd0763e467a3c3afcecf021781e512ba567

SHA512
259061263094d079691208487ea9060e23f013688dac5da82943ad0acc980f13acbaa6c30cf46dfdfdd7ffa613d750038c835e33f33eebca234d989f5bb60a2b

Download Submit
C:\Windows\System32\eRfaADc.exe

Filesize
3.0MB

MD5
7c50c73b9f62be851d89b92ceed3e5f9

SHA1
d6235dcaca4c012eb2e735d2886813fe08321d6d

SHA256
4ecd51ad7e5a29dfb34e42a4616cbbc00fedba65a7b4e36740791f3b388e7601

SHA512
0c618c400f34b8e93c262f6dcc73b89bfbf719e6d72a5402962834f5fd4bb2d5492abb57c1a281c8a5db780db6a9421f134e0db88586c4f01be890bb9b45d087

Download Submit
C:\Windows\System32\gmmnxoa.exe

Filesize
3.0MB

MD5
3a278274bad2522efe298ee12af710b4

SHA1
fffd447b19eb7dc89d634ce4155d37aeef12d5fc

SHA256
9c4526cd95dc30d11d497f295a4a5ade8e375d8e5b37f443dc8392358fe20515

SHA512
aeb7f1991e3549893d13508acb18fb5429a73c8beb274ee49e32feb6bb6fb81116b46a423d000f4b67dc403b8eb30f614f4f8da6095b53aeab7085fe8ccc1c23

Download Submit
C:\Windows\System32\hUousCu.exe

Filesize
3.0MB

MD5
ffcc74f7a16288513858c944e944c64f

SHA1
954601a79fdc503d04db3c0e8650ba29aac4055d

SHA256
410d63f19ee6e6b1fadfa5cf6f2a7a8840b65efd35be441ff28e369e734ca8a5

SHA512
cd74a1a71d45630a3d714f804d84d165da2c39d622a7ed26ffdab8852ba6b73d4086123c6060e63a4d13ee34ce8adebc8f89b533cac931bf47991eadd07cba2f

Download Submit
C:\Windows\System32\imvruMq.exe

Filesize
3.0MB

MD5
4b2f47f31e8f802134b9127eff7565c3

SHA1
0690ba47e67828b855d76433de9c9f12af543ec9

SHA256
2c7bba176b89c25d8520f5d8411113aed07f3e1c273a22933439d767d8345c40

SHA512
1483b58f278422d463608523cbe47433391b4af4b7a95e9caca744d78ab43ad92695b0c395fed8991b72dfcf0b15fa86e5f847d73058e59221ef2c09511f6cc1

Download Submit
C:\Windows\System32\jAGeWgl.exe

Filesize
3.0MB

MD5
e81734286d6e5f5455df6ba241b222e6

SHA1
023fea055f20f1fb2fd172b3809909fb3f232fbd

SHA256
6b8037e3c34656adcb8831b4066bd708cd596a9999a62eae0b112f222445e991

SHA512
50e362c1c68580f769038b9f6efca90c3077f4e89d2f225a578d2e0f357e93ab96ef4a5aaaf83cb6404701bd9a8649cc2efec8d14e8ba06cc4c6165d5d771f8a

Download Submit
C:\Windows\System32\kBOMcRF.exe

Filesize
3.0MB

MD5
8167e4b59ed055df9b9593d7e60b76b4

SHA1
094dcea99da634c727c81871014ccf80bea4e4d6

SHA256
e4ffbfc708f19603ecf16ae721423e9e122dae78b10720214baf551eb08f1a17

SHA512
356ca6b707654c72089315d870617c0fe210efc6f41efc172c5db079376e59c8bd8fbeb8c234081b336b3db2436618cda25ebe99e084bbb44f026960b6bf9353

Download Submit
C:\Windows\System32\kPHkQuT.exe

Filesize
3.0MB

MD5
87a8a0072770b5147fe936094c0a16f1

SHA1
3acc418b9095a6de5b762f636fc16774d0bb08f0

SHA256
63d4f5c419039d83dd3b9e92b8f5335303a177a1f2991e06d8255a7c5403513d

SHA512
d8201cc422407c5d2e38c7c2406d5a7bd9964352c936363e88c76ecdedc37eaf0b23883387da8ffb1e05d830cc47653de1f9fe20848213bfd0a0fdfa60b6869e

Download Submit
C:\Windows\System32\nAewjhY.exe

Filesize
3.0MB

MD5
732227d6eb4ecad160bc2ecc4307cd2a

SHA1
fb98d3828ea5a5ed03b35bca1c3c8ecbab4aac9c

SHA256
3584f20b275da5174c0f5b39570357453ab923d37f72fcef9d99b25ccabd410d

SHA512
b8871475041260c9bab447b6b3b24156bb287f097157f65ca1ca578d0cef84504d401c15d11158bc637ea8b225e786ae5b62512845957273c039f9c48fde4d34

Download Submit
C:\Windows\System32\oAGrAAX.exe

Filesize
3.0MB

MD5
cabe2917f73a73a4f92812350bb796bc

SHA1
4a450e76de127a21b3e48dc4a15677b07dd7d4d2

SHA256
e989b6b1ef5a7251cdc5dff0e4120d73b3a4914a4043ca9dadb2a33d6446709e

SHA512
99b32a7e6cc010975e3b546bf50605a16c2e53b0f3d0bee0dad5186956e5b71f205ddffc6f00a7f037dca3c437ea58af3c5d24f9ac7985666a1d89b05dd0ba31

Download Submit
C:\Windows\System32\pGslDMW.exe

Filesize
3.0MB

MD5
dd65af499177aad4762eea4d3188a8b2

SHA1
3c93e532a3d60ad48f5d76382cf7c4aa5ef412c2

SHA256
cc9fa9943dada830c1a5e9c2bcabdc162f72b47db60e4ec32cef6ab0ff21c254

SHA512
e464ceefe04bb3b351620ecb8ff974a18d03e530533dfd3e8928711af5664e030bc0edb9f89d3514305c5ed3aa0dd79d455a51f905606b3701dd6c5ff6049899

Download Submit
C:\Windows\System32\pHPuYZZ.exe

Filesize
3.0MB

MD5
b1d7a2f7ae8cdedd2d18a600773037cf

SHA1
1e7147c08ca129e3e91afc5621eb92d1ce7f3f9c

SHA256
0dbe06be560c28b4a438576c61f3a041a79f9ec4f245a4db8e84fe74661d38bb

SHA512
e937d8d4cf6ec74fdfac44419b56c2cfd7b2bc3bec3256e95410eddb8ca398a2a9dce019b8a1ef1939b14ffa0d82e92ec800cccf726cfe82b4958a2ec31c2246

Download Submit
C:\Windows\System32\tTsKMmU.exe

Filesize
3.0MB

MD5
71c90f53a6eaa2e068a0c668fc94734a

SHA1
ace204c6510581a518dcddcad2e34b8c3a436cac

SHA256
74780b746cdf3fc7e94ad6c5d9ae14489730f0084872748ffeff9027f2b1d37f

SHA512
927d22072ae157136686aa2835c60046a55160f59bf19f3f6588c5f58c23bc1af2c829d948316858c160b9ae275b39b2b4717268585bed692d1705b7d3d0d067

Download Submit
C:\Windows\System32\uOrSiJQ.exe

Filesize
3.0MB

MD5
f9078903db10081bf6340503581ba4f4

SHA1
bd085d78848912dfc11d0fe98421314fda6f46be

SHA256
7130588b825fdeade9fd156284665e4e9c7a79ce35fdf04a15126955ab3ce6d8

SHA512
c80eaba34c049864326629114b3b5e26c2e1a9c8fd2f45308bfa138fbafaee2a923165b772eb1e78ec55668183dda0cba247ab6efae497a9866bdd999849f028

Download Submit
C:\Windows\System32\yDkgFZM.exe

Filesize
3.0MB

MD5
577c3750ff76406ceca5a08427a7bacd

SHA1
2257cfcff3d59af99ab9a8a5e63195c9106f7501

SHA256
3c4b6d1bf6b9c7345f09172c89aa10d3094791a03231f2c2bc82be763abfe696

SHA512
df3a48ee6b5901e2e5bd2b5d122246183d96bc7a016295b81bb468b3ef8dade85ac77e44c4d36355ba1f0c00d0986d00a627d75f5211001b116f848f4126625d

Download Submit
C:\Windows\System32\yOZqgnR.exe

Filesize
3.0MB

MD5
71dfcbaf324ba8117cf25c748d0904d6

SHA1
aab9c1ce9a96d206ecf2eec85c155ad65b76f3a5

SHA256
0663bc06921a93bc41e17e8014eecdf4cf528d7dbea1b351c95ba71fbf28cf09

SHA512
e8b72ce4b83a326c85257dae7b05dc92cf940a2407efb37d3d7db3f5ed52281d443e70462347245108958236bc09ae3496419e5ee3014c3ee6bbf34f0b4ecc2a

Download Submit
C:\Windows\System32\zTCOcgJ.exe

Filesize
3.0MB

MD5
393884ed5e83af0c565ee597bcf474d3

SHA1
db664c4c598c65f6960d137a7f40534f8bc3fd89

SHA256
b9923f269c84f125d9a15944f20c00663e6dd4226ec42989c30539d9bd395454

SHA512
943ae9828dd6d26ce62da23f84366aba57369288acaf23a3e26a68173d18e571fb3d9a9ae3d97aeb748b974c2e3cf13c7114803f711b28b88c43ae4859d3cb76

Download Submit
memory/224-1945-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp

Filesize
4.0MB

Download
memory/224-11-0x00007FF6FD6F0000-0x00007FF6FDAE5000-memory.dmp

Filesize
4.0MB

Download
memory/668-1959-0x00007FF6AF010000-0x00007FF6AF405000-memory.dmp

Filesize
4.0MB

Download
memory/668-766-0x00007FF6AF010000-0x00007FF6AF405000-memory.dmp

Filesize
4.0MB

Download
memory/744-1961-0x00007FF7AF2F0000-0x00007FF7AF6E5000-memory.dmp

Filesize
4.0MB

Download
memory/744-774-0x00007FF7AF2F0000-0x00007FF7AF6E5000-memory.dmp

Filesize
4.0MB

Download
memory/884-1954-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp

Filesize
4.0MB

Download
memory/884-1942-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp

Filesize
4.0MB

Download
memory/884-64-0x00007FF6C2790000-0x00007FF6C2B85000-memory.dmp

Filesize
4.0MB

Download
memory/920-26-0x00007FF6669D0000-0x00007FF666DC5000-memory.dmp

Filesize
4.0MB

Download
memory/920-1947-0x00007FF6669D0000-0x00007FF666DC5000-memory.dmp

Filesize
4.0MB

Download
memory/1328-760-0x00007FF7D6140000-0x00007FF7D6535000-memory.dmp

Filesize
4.0MB

Download
memory/1328-1958-0x00007FF7D6140000-0x00007FF7D6535000-memory.dmp

Filesize
4.0MB

Download
memory/1516-22-0x00007FF787BE0000-0x00007FF787FD5000-memory.dmp

Filesize
4.0MB

Download
memory/1516-1946-0x00007FF787BE0000-0x00007FF787FD5000-memory.dmp

Filesize
4.0MB

Download
memory/1524-23-0x00007FF76E240000-0x00007FF76E635000-memory.dmp

Filesize
4.0MB

Download
memory/1524-1420-0x00007FF76E240000-0x00007FF76E635000-memory.dmp

Filesize
4.0MB

Download
memory/1524-1948-0x00007FF76E240000-0x00007FF76E635000-memory.dmp

Filesize
4.0MB

Download
memory/1624-47-0x00007FF771310000-0x00007FF771705000-memory.dmp

Filesize
4.0MB

Download
memory/1624-1951-0x00007FF771310000-0x00007FF771705000-memory.dmp

Filesize
4.0MB

Download
memory/1624-1941-0x00007FF771310000-0x00007FF771705000-memory.dmp

Filesize
4.0MB

Download
memory/1808-779-0x00007FF7BD2F0000-0x00007FF7BD6E5000-memory.dmp

Filesize
4.0MB

Download
memory/1808-1962-0x00007FF7BD2F0000-0x00007FF7BD6E5000-memory.dmp

Filesize
4.0MB

Download
memory/1964-29-0x00007FF761D90000-0x00007FF762185000-memory.dmp

Filesize
4.0MB

Download
memory/1964-1950-0x00007FF761D90000-0x00007FF762185000-memory.dmp

Filesize
4.0MB

Download
memory/2112-791-0x00007FF7B78A0000-0x00007FF7B7C95000-memory.dmp

Filesize
4.0MB

Download
memory/2112-1965-0x00007FF7B78A0000-0x00007FF7B7C95000-memory.dmp

Filesize
4.0MB

Download
memory/2192-787-0x00007FF79F800000-0x00007FF79FBF5000-memory.dmp

Filesize
4.0MB

Download
memory/2192-1964-0x00007FF79F800000-0x00007FF79FBF5000-memory.dmp

Filesize
4.0MB

Download
memory/3056-1966-0x00007FF7266A0000-0x00007FF726A95000-memory.dmp

Filesize
4.0MB

Download
memory/3056-796-0x00007FF7266A0000-0x00007FF726A95000-memory.dmp

Filesize
4.0MB

Download
memory/3136-1-0x000002C72A7C0000-0x000002C72A7D0000-memory.dmp

Filesize
64KB

Download
memory/3136-754-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp

Filesize
4.0MB

Download
memory/3136-0-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp

Filesize
4.0MB

Download
memory/3136-1944-0x00007FF6A4F50000-0x00007FF6A5345000-memory.dmp

Filesize
4.0MB

Download
memory/3152-39-0x00007FF64A8F0000-0x00007FF64ACE5000-memory.dmp

Filesize
4.0MB

Download
memory/3152-1949-0x00007FF64A8F0000-0x00007FF64ACE5000-memory.dmp

Filesize
4.0MB

Download
memory/3236-59-0x00007FF7FAA10000-0x00007FF7FAE05000-memory.dmp

Filesize
4.0MB

Download
memory/3236-1952-0x00007FF7FAA10000-0x00007FF7FAE05000-memory.dmp

Filesize
4.0MB

Download
memory/3360-770-0x00007FF6DD650000-0x00007FF6DDA45000-memory.dmp

Filesize
4.0MB

Download
memory/3360-1963-0x00007FF6DD650000-0x00007FF6DDA45000-memory.dmp

Filesize
4.0MB

Download
memory/3552-1967-0x00007FF629ED0000-0x00007FF62A2C5000-memory.dmp

Filesize
4.0MB

Download
memory/3552-794-0x00007FF629ED0000-0x00007FF62A2C5000-memory.dmp

Filesize
4.0MB

Download
memory/3696-1968-0x00007FF7BE030000-0x00007FF7BE425000-memory.dmp

Filesize
4.0MB

Download
memory/3696-800-0x00007FF7BE030000-0x00007FF7BE425000-memory.dmp

Filesize
4.0MB

Download
memory/4172-80-0x00007FF7AF770000-0x00007FF7AFB65000-memory.dmp

Filesize
4.0MB

Download
memory/4172-1956-0x00007FF7AF770000-0x00007FF7AFB65000-memory.dmp

Filesize
4.0MB

Download
memory/4396-77-0x00007FF71CF90000-0x00007FF71D385000-memory.dmp

Filesize
4.0MB

Download
memory/4396-1953-0x00007FF71CF90000-0x00007FF71D385000-memory.dmp

Filesize
4.0MB

Download
memory/4584-1955-0x00007FF6F9EA0000-0x00007FF6FA295000-memory.dmp

Filesize
4.0MB

Download
memory/4584-70-0x00007FF6F9EA0000-0x00007FF6FA295000-memory.dmp

Filesize
4.0MB

Download
memory/4868-82-0x00007FF635390000-0x00007FF635785000-memory.dmp

Filesize
4.0MB

Download
memory/4868-1960-0x00007FF635390000-0x00007FF635785000-memory.dmp

Filesize
4.0MB

Download
memory/4868-1943-0x00007FF635390000-0x00007FF635785000-memory.dmp

Filesize
4.0MB

Download
memory/5040-763-0x00007FF75A2C0000-0x00007FF75A6B5000-memory.dmp

Filesize
4.0MB

Download
memory/5040-1957-0x00007FF75A2C0000-0x00007FF75A6B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads