xmrig | 9cb8747ba67331e50b2260f313a8b54686e18ae31f1d9696009b4c5c8e0ab529

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
Size

3.3MB
MD5

a072dae51223d90fcdecca710ac4fd60
SHA1

30aa79b5e9e084d1941f27f5eec24aeca08d7381
SHA256

9cb8747ba67331e50b2260f313a8b54686e18ae31f1d9696009b4c5c8e0ab529
SHA512

c0b1ece9c1397e7c4109da0783f52fc8850779a1f1b5ec82df8207669aaa04c1fd83f918baeb4d47746c883656809dcf29d8b910c166cc264161a2949f0fc688
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40V:NFWPClFkV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3512-0-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	xmrig
behavioral2/files/0x000b000000023414-6.dat	xmrig
behavioral2/memory/4520-12-0x00007FF675290000-0x00007FF675685000-memory.dmp	xmrig
behavioral2/memory/1888-14-0x00007FF615460000-0x00007FF615855000-memory.dmp	xmrig
behavioral2/files/0x0007000000023422-9.dat	xmrig
behavioral2/files/0x0007000000023423-23.dat	xmrig
behavioral2/memory/2460-26-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp	xmrig
behavioral2/files/0x0007000000023424-29.dat	xmrig
behavioral2/memory/2316-28-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp	xmrig
behavioral2/files/0x000900000002341d-11.dat	xmrig
behavioral2/files/0x0007000000023425-35.dat	xmrig
behavioral2/files/0x0007000000023426-41.dat	xmrig
behavioral2/files/0x000800000002341f-46.dat	xmrig
behavioral2/files/0x0007000000023428-56.dat	xmrig
behavioral2/memory/3224-61-0x00007FF6BC750000-0x00007FF6BCB45000-memory.dmp	xmrig
behavioral2/files/0x000700000002342a-68.dat	xmrig
behavioral2/files/0x000700000002342b-75.dat	xmrig
behavioral2/files/0x000700000002342c-80.dat	xmrig
behavioral2/files/0x000700000002342d-85.dat	xmrig
behavioral2/files/0x000700000002342e-90.dat	xmrig
behavioral2/files/0x000700000002342f-95.dat	xmrig
behavioral2/files/0x0007000000023434-120.dat	xmrig
behavioral2/files/0x000700000002343a-150.dat	xmrig
behavioral2/memory/3688-658-0x00007FF6C2B50000-0x00007FF6C2F45000-memory.dmp	xmrig
behavioral2/memory/2164-659-0x00007FF69D320000-0x00007FF69D715000-memory.dmp	xmrig
behavioral2/memory/564-660-0x00007FF7BE5F0000-0x00007FF7BE9E5000-memory.dmp	xmrig
behavioral2/memory/4668-661-0x00007FF6BE390000-0x00007FF6BE785000-memory.dmp	xmrig
behavioral2/files/0x000700000002343e-171.dat	xmrig
behavioral2/files/0x000700000002343d-166.dat	xmrig
behavioral2/files/0x000700000002343c-161.dat	xmrig
behavioral2/files/0x000700000002343b-155.dat	xmrig
behavioral2/files/0x0007000000023439-145.dat	xmrig
behavioral2/memory/5028-662-0x00007FF6E3C10000-0x00007FF6E4005000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-140.dat	xmrig
behavioral2/memory/1572-663-0x00007FF7B15F0000-0x00007FF7B19E5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-135.dat	xmrig
behavioral2/files/0x0007000000023436-130.dat	xmrig
behavioral2/files/0x0007000000023435-125.dat	xmrig
behavioral2/files/0x0007000000023433-115.dat	xmrig
behavioral2/files/0x0007000000023432-110.dat	xmrig
behavioral2/files/0x0007000000023431-105.dat	xmrig
behavioral2/files/0x0007000000023430-100.dat	xmrig
behavioral2/memory/2672-65-0x00007FF616690000-0x00007FF616A85000-memory.dmp	xmrig
behavioral2/files/0x0007000000023429-62.dat	xmrig
behavioral2/memory/1432-59-0x00007FF6CB400000-0x00007FF6CB7F5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-51.dat	xmrig
behavioral2/memory/3480-45-0x00007FF720FF0000-0x00007FF7213E5000-memory.dmp	xmrig
behavioral2/memory/3044-37-0x00007FF764540000-0x00007FF764935000-memory.dmp	xmrig
behavioral2/memory/2596-664-0x00007FF664790000-0x00007FF664B85000-memory.dmp	xmrig
behavioral2/memory/2556-666-0x00007FF66CC70000-0x00007FF66D065000-memory.dmp	xmrig
behavioral2/memory/2368-665-0x00007FF6E2200000-0x00007FF6E25F5000-memory.dmp	xmrig
behavioral2/memory/2380-667-0x00007FF7CDA90000-0x00007FF7CDE85000-memory.dmp	xmrig
behavioral2/memory/3176-673-0x00007FF784780000-0x00007FF784B75000-memory.dmp	xmrig
behavioral2/memory/652-696-0x00007FF626BE0000-0x00007FF626FD5000-memory.dmp	xmrig
behavioral2/memory/4424-686-0x00007FF7EE3D0000-0x00007FF7EE7C5000-memory.dmp	xmrig
behavioral2/memory/3112-683-0x00007FF7B94C0000-0x00007FF7B98B5000-memory.dmp	xmrig
behavioral2/memory/4168-678-0x00007FF6F0320000-0x00007FF6F0715000-memory.dmp	xmrig
behavioral2/memory/3512-1305-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	xmrig
behavioral2/memory/3512-1893-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	xmrig
behavioral2/memory/2672-1894-0x00007FF616690000-0x00007FF616A85000-memory.dmp	xmrig
behavioral2/memory/4520-1895-0x00007FF675290000-0x00007FF675685000-memory.dmp	xmrig
behavioral2/memory/1888-1896-0x00007FF615460000-0x00007FF615855000-memory.dmp	xmrig
behavioral2/memory/2460-1897-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp	xmrig
behavioral2/memory/2316-1898-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4520	zImTKOf.exe
1888	biEFlds.exe
2460	swIaHEG.exe
2316	DvNMrNJ.exe
3044	QMmfPvX.exe
3480	FMxDvsb.exe
1432	qnnUyNE.exe
3688	UanlooS.exe
3224	IjWOrBn.exe
2672	hDurOyN.exe
2164	ssGzinq.exe
564	phRoiuj.exe
652	lOykmPD.exe
4668	yFuyqIk.exe
5028	lxCYBYQ.exe
1572	klJzIVn.exe
2596	fgrEemM.exe
2368	buWqYxj.exe
2556	iYjwNut.exe
2380	TKrwFAu.exe
3176	aGBqgAj.exe
4168	hYdqlzP.exe
3112	nShEWkr.exe
4424	BxipFlR.exe
3752	JnnZyTQ.exe
3340	AUsXdLY.exe
1176	GAuErWB.exe
724	nKhKzuE.exe
3220	tWwaAeJ.exe
2104	mxLVsJt.exe
3236	XLzsDsF.exe
4476	cZLanUm.exe
3532	GcrzNcF.exe
2928	tvtsxeR.exe
1116	bolwlmz.exe
2612	khumJjN.exe
4824	ZlwhSxS.exe
1608	GQWjmQl.exe
4588	eYPTIPU.exe
4708	EUIfPMc.exe
2592	ONmvLsw.exe
876	kRKakEv.exe
4428	SKSvYBc.exe
1656	KAHwbTR.exe
4556	hkrtqjT.exe
2036	LajPkci.exe
3048	dWbdOhQ.exe
3628	QDcflmb.exe
4112	OOrWqsp.exe
60	CqeOnnm.exe
4964	XzDEMRm.exe
4864	FDXOyTd.exe
1180	FSLworK.exe
4848	RqfAGve.exe
1756	oidRwXb.exe
3580	ifgcASe.exe
2168	udZTUwE.exe
3484	tsOePUJ.exe
1108	etsflnS.exe
620	jheiLRt.exe
4492	ycXFTbb.exe
404	YhQZKUT.exe
4272	imdPWFc.exe
848	DOfvhJR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3512-0-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	upx
behavioral2/files/0x000b000000023414-6.dat	upx
behavioral2/memory/4520-12-0x00007FF675290000-0x00007FF675685000-memory.dmp	upx
behavioral2/memory/1888-14-0x00007FF615460000-0x00007FF615855000-memory.dmp	upx
behavioral2/files/0x0007000000023422-9.dat	upx
behavioral2/files/0x0007000000023423-23.dat	upx
behavioral2/memory/2460-26-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp	upx
behavioral2/files/0x0007000000023424-29.dat	upx
behavioral2/memory/2316-28-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp	upx
behavioral2/files/0x000900000002341d-11.dat	upx
behavioral2/files/0x0007000000023425-35.dat	upx
behavioral2/files/0x0007000000023426-41.dat	upx
behavioral2/files/0x000800000002341f-46.dat	upx
behavioral2/files/0x0007000000023428-56.dat	upx
behavioral2/memory/3224-61-0x00007FF6BC750000-0x00007FF6BCB45000-memory.dmp	upx
behavioral2/files/0x000700000002342a-68.dat	upx
behavioral2/files/0x000700000002342b-75.dat	upx
behavioral2/files/0x000700000002342c-80.dat	upx
behavioral2/files/0x000700000002342d-85.dat	upx
behavioral2/files/0x000700000002342e-90.dat	upx
behavioral2/files/0x000700000002342f-95.dat	upx
behavioral2/files/0x0007000000023434-120.dat	upx
behavioral2/files/0x000700000002343a-150.dat	upx
behavioral2/memory/3688-658-0x00007FF6C2B50000-0x00007FF6C2F45000-memory.dmp	upx
behavioral2/memory/2164-659-0x00007FF69D320000-0x00007FF69D715000-memory.dmp	upx
behavioral2/memory/564-660-0x00007FF7BE5F0000-0x00007FF7BE9E5000-memory.dmp	upx
behavioral2/memory/4668-661-0x00007FF6BE390000-0x00007FF6BE785000-memory.dmp	upx
behavioral2/files/0x000700000002343e-171.dat	upx
behavioral2/files/0x000700000002343d-166.dat	upx
behavioral2/files/0x000700000002343c-161.dat	upx
behavioral2/files/0x000700000002343b-155.dat	upx
behavioral2/files/0x0007000000023439-145.dat	upx
behavioral2/memory/5028-662-0x00007FF6E3C10000-0x00007FF6E4005000-memory.dmp	upx
behavioral2/files/0x0007000000023438-140.dat	upx
behavioral2/memory/1572-663-0x00007FF7B15F0000-0x00007FF7B19E5000-memory.dmp	upx
behavioral2/files/0x0007000000023437-135.dat	upx
behavioral2/files/0x0007000000023436-130.dat	upx
behavioral2/files/0x0007000000023435-125.dat	upx
behavioral2/files/0x0007000000023433-115.dat	upx
behavioral2/files/0x0007000000023432-110.dat	upx
behavioral2/files/0x0007000000023431-105.dat	upx
behavioral2/files/0x0007000000023430-100.dat	upx
behavioral2/memory/2672-65-0x00007FF616690000-0x00007FF616A85000-memory.dmp	upx
behavioral2/files/0x0007000000023429-62.dat	upx
behavioral2/memory/1432-59-0x00007FF6CB400000-0x00007FF6CB7F5000-memory.dmp	upx
behavioral2/files/0x0007000000023427-51.dat	upx
behavioral2/memory/3480-45-0x00007FF720FF0000-0x00007FF7213E5000-memory.dmp	upx
behavioral2/memory/3044-37-0x00007FF764540000-0x00007FF764935000-memory.dmp	upx
behavioral2/memory/2596-664-0x00007FF664790000-0x00007FF664B85000-memory.dmp	upx
behavioral2/memory/2556-666-0x00007FF66CC70000-0x00007FF66D065000-memory.dmp	upx
behavioral2/memory/2368-665-0x00007FF6E2200000-0x00007FF6E25F5000-memory.dmp	upx
behavioral2/memory/2380-667-0x00007FF7CDA90000-0x00007FF7CDE85000-memory.dmp	upx
behavioral2/memory/3176-673-0x00007FF784780000-0x00007FF784B75000-memory.dmp	upx
behavioral2/memory/652-696-0x00007FF626BE0000-0x00007FF626FD5000-memory.dmp	upx
behavioral2/memory/4424-686-0x00007FF7EE3D0000-0x00007FF7EE7C5000-memory.dmp	upx
behavioral2/memory/3112-683-0x00007FF7B94C0000-0x00007FF7B98B5000-memory.dmp	upx
behavioral2/memory/4168-678-0x00007FF6F0320000-0x00007FF6F0715000-memory.dmp	upx
behavioral2/memory/3512-1305-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	upx
behavioral2/memory/3512-1893-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp	upx
behavioral2/memory/2672-1894-0x00007FF616690000-0x00007FF616A85000-memory.dmp	upx
behavioral2/memory/4520-1895-0x00007FF675290000-0x00007FF675685000-memory.dmp	upx
behavioral2/memory/1888-1896-0x00007FF615460000-0x00007FF615855000-memory.dmp	upx
behavioral2/memory/2460-1897-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp	upx
behavioral2/memory/2316-1898-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\AUsXdLY.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\VUOyYha.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\hjmJmoj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\wExjWDu.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\kiXnZTk.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\xFkzsTK.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\CVXPcGe.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\TBYALWr.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\ljaossq.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\znIOZOn.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\sAVQiEW.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\yElXurp.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\OQuvplf.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\BCNusio.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\tWwaAeJ.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\ENDSQGe.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\pIGZVCf.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\gaziCCK.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\TWSVGBG.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\otDnftX.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\LdqUrvg.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\tjkWpXo.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\HgaWkBj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\EMLGlZs.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\DLVjkvR.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\RwJxbti.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\NJUMewC.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\kVPzcyr.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\VGeqPCP.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\OOrWqsp.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\VOlXwqd.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\tWRqioj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\jvWaPRH.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\tioNbqH.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\YPfbFQg.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\JdsRTcU.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\FEsnBgW.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\EtCjdmI.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\btAtEbj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\gebobgL.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\TReHCdC.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\iHFDyZU.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\JrKbiso.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\FHcDbZJ.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\tDRwUvW.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\JKdFXbA.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\WQnFOPj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\uWFIpSf.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\FGKkvJu.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\PYKrtQw.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\nNjRmPX.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\luLOImu.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\iRYkVfm.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\enQpFxE.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\FMWqqOn.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\HUpuuQq.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\YhQZKUT.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\wmwfPSh.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\bQKLXTe.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\bZxYwTj.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\rRHKSna.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\iYjwNut.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\QDcflmb.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
File created	C:\Windows\System32\TbKZCQH.exe	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14056	dwm.exe
Token: SeChangeNotifyPrivilege	14056	dwm.exe
Token: 33	14056	dwm.exe
Token: SeIncBasePriorityPrivilege	14056	dwm.exe
Token: SeShutdownPrivilege	14056	dwm.exe
Token: SeCreatePagefilePrivilege	14056	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4520	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	84
PID 3512 wrote to memory of 4520	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	84
PID 3512 wrote to memory of 1888	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	85
PID 3512 wrote to memory of 1888	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	85
PID 3512 wrote to memory of 2460	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	86
PID 3512 wrote to memory of 2460	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	86
PID 3512 wrote to memory of 2316	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	87
PID 3512 wrote to memory of 2316	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	87
PID 3512 wrote to memory of 3044	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	88
PID 3512 wrote to memory of 3044	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	88
PID 3512 wrote to memory of 3480	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	89
PID 3512 wrote to memory of 3480	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	89
PID 3512 wrote to memory of 1432	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	90
PID 3512 wrote to memory of 1432	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	90
PID 3512 wrote to memory of 3688	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	91
PID 3512 wrote to memory of 3688	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	91
PID 3512 wrote to memory of 3224	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	92
PID 3512 wrote to memory of 3224	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	92
PID 3512 wrote to memory of 2672	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	93
PID 3512 wrote to memory of 2672	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	93
PID 3512 wrote to memory of 2164	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	94
PID 3512 wrote to memory of 2164	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	94
PID 3512 wrote to memory of 564	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	95
PID 3512 wrote to memory of 564	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	95
PID 3512 wrote to memory of 652	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	96
PID 3512 wrote to memory of 652	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	96
PID 3512 wrote to memory of 4668	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	97
PID 3512 wrote to memory of 4668	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	97
PID 3512 wrote to memory of 5028	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	98
PID 3512 wrote to memory of 5028	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	98
PID 3512 wrote to memory of 1572	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	99
PID 3512 wrote to memory of 1572	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	99
PID 3512 wrote to memory of 2596	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	100
PID 3512 wrote to memory of 2596	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	100
PID 3512 wrote to memory of 2368	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	101
PID 3512 wrote to memory of 2368	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	101
PID 3512 wrote to memory of 2556	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	102
PID 3512 wrote to memory of 2556	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	102
PID 3512 wrote to memory of 2380	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	103
PID 3512 wrote to memory of 2380	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	103
PID 3512 wrote to memory of 3176	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	104
PID 3512 wrote to memory of 3176	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	104
PID 3512 wrote to memory of 4168	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	105
PID 3512 wrote to memory of 4168	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	105
PID 3512 wrote to memory of 3112	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	106
PID 3512 wrote to memory of 3112	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	106
PID 3512 wrote to memory of 4424	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	107
PID 3512 wrote to memory of 4424	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	107
PID 3512 wrote to memory of 3752	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	108
PID 3512 wrote to memory of 3752	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	108
PID 3512 wrote to memory of 3340	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	109
PID 3512 wrote to memory of 3340	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	109
PID 3512 wrote to memory of 1176	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	110
PID 3512 wrote to memory of 1176	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	110
PID 3512 wrote to memory of 724	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	111
PID 3512 wrote to memory of 724	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	111
PID 3512 wrote to memory of 3220	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	112
PID 3512 wrote to memory of 3220	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	112
PID 3512 wrote to memory of 2104	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	113
PID 3512 wrote to memory of 2104	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	113
PID 3512 wrote to memory of 3236	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	114
PID 3512 wrote to memory of 3236	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	114
PID 3512 wrote to memory of 4476	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	115
PID 3512 wrote to memory of 4476	3512	a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a072dae51223d90fcdecca710ac4fd60_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\zImTKOf.exe
  C:\Windows\System32\zImTKOf.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\biEFlds.exe
  C:\Windows\System32\biEFlds.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\swIaHEG.exe
  C:\Windows\System32\swIaHEG.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\DvNMrNJ.exe
  C:\Windows\System32\DvNMrNJ.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\QMmfPvX.exe
  C:\Windows\System32\QMmfPvX.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\FMxDvsb.exe
  C:\Windows\System32\FMxDvsb.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\qnnUyNE.exe
  C:\Windows\System32\qnnUyNE.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\UanlooS.exe
  C:\Windows\System32\UanlooS.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\IjWOrBn.exe
  C:\Windows\System32\IjWOrBn.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\hDurOyN.exe
  C:\Windows\System32\hDurOyN.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\ssGzinq.exe
  C:\Windows\System32\ssGzinq.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\phRoiuj.exe
  C:\Windows\System32\phRoiuj.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System32\lOykmPD.exe
  C:\Windows\System32\lOykmPD.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System32\yFuyqIk.exe
  C:\Windows\System32\yFuyqIk.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\lxCYBYQ.exe
  C:\Windows\System32\lxCYBYQ.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\klJzIVn.exe
  C:\Windows\System32\klJzIVn.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\fgrEemM.exe
  C:\Windows\System32\fgrEemM.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\buWqYxj.exe
  C:\Windows\System32\buWqYxj.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\iYjwNut.exe
  C:\Windows\System32\iYjwNut.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System32\TKrwFAu.exe
  C:\Windows\System32\TKrwFAu.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\aGBqgAj.exe
  C:\Windows\System32\aGBqgAj.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\hYdqlzP.exe
  C:\Windows\System32\hYdqlzP.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\nShEWkr.exe
  C:\Windows\System32\nShEWkr.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\BxipFlR.exe
  C:\Windows\System32\BxipFlR.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\JnnZyTQ.exe
  C:\Windows\System32\JnnZyTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\AUsXdLY.exe
  C:\Windows\System32\AUsXdLY.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\GAuErWB.exe
  C:\Windows\System32\GAuErWB.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\nKhKzuE.exe
  C:\Windows\System32\nKhKzuE.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System32\tWwaAeJ.exe
  C:\Windows\System32\tWwaAeJ.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\mxLVsJt.exe
  C:\Windows\System32\mxLVsJt.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\XLzsDsF.exe
  C:\Windows\System32\XLzsDsF.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\cZLanUm.exe
  C:\Windows\System32\cZLanUm.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\GcrzNcF.exe
  C:\Windows\System32\GcrzNcF.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\tvtsxeR.exe
  C:\Windows\System32\tvtsxeR.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\bolwlmz.exe
  C:\Windows\System32\bolwlmz.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\khumJjN.exe
  C:\Windows\System32\khumJjN.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\ZlwhSxS.exe
  C:\Windows\System32\ZlwhSxS.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\GQWjmQl.exe
  C:\Windows\System32\GQWjmQl.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\eYPTIPU.exe
  C:\Windows\System32\eYPTIPU.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\EUIfPMc.exe
  C:\Windows\System32\EUIfPMc.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\ONmvLsw.exe
  C:\Windows\System32\ONmvLsw.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\kRKakEv.exe
  C:\Windows\System32\kRKakEv.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\SKSvYBc.exe
  C:\Windows\System32\SKSvYBc.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System32\KAHwbTR.exe
  C:\Windows\System32\KAHwbTR.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\hkrtqjT.exe
  C:\Windows\System32\hkrtqjT.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\LajPkci.exe
  C:\Windows\System32\LajPkci.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\dWbdOhQ.exe
  C:\Windows\System32\dWbdOhQ.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\QDcflmb.exe
  C:\Windows\System32\QDcflmb.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\OOrWqsp.exe
  C:\Windows\System32\OOrWqsp.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System32\CqeOnnm.exe
  C:\Windows\System32\CqeOnnm.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\XzDEMRm.exe
  C:\Windows\System32\XzDEMRm.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\FDXOyTd.exe
  C:\Windows\System32\FDXOyTd.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\FSLworK.exe
  C:\Windows\System32\FSLworK.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System32\RqfAGve.exe
  C:\Windows\System32\RqfAGve.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\oidRwXb.exe
  C:\Windows\System32\oidRwXb.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\ifgcASe.exe
  C:\Windows\System32\ifgcASe.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\udZTUwE.exe
  C:\Windows\System32\udZTUwE.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\tsOePUJ.exe
  C:\Windows\System32\tsOePUJ.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\etsflnS.exe
  C:\Windows\System32\etsflnS.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\jheiLRt.exe
  C:\Windows\System32\jheiLRt.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System32\ycXFTbb.exe
  C:\Windows\System32\ycXFTbb.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\YhQZKUT.exe
  C:\Windows\System32\YhQZKUT.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System32\imdPWFc.exe
  C:\Windows\System32\imdPWFc.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\DOfvhJR.exe
  C:\Windows\System32\DOfvhJR.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System32\NBBBwSd.exe
  C:\Windows\System32\NBBBwSd.exe
  2⤵
  PID:732
- C:\Windows\System32\EMLGlZs.exe
  C:\Windows\System32\EMLGlZs.exe
  2⤵
  PID:3028
- C:\Windows\System32\OTYbQCH.exe
  C:\Windows\System32\OTYbQCH.exe
  2⤵
  PID:4696
- C:\Windows\System32\ZADWIFL.exe
  C:\Windows\System32\ZADWIFL.exe
  2⤵
  PID:3612
- C:\Windows\System32\YwntAQK.exe
  C:\Windows\System32\YwntAQK.exe
  2⤵
  PID:4288
- C:\Windows\System32\HtvIVbv.exe
  C:\Windows\System32\HtvIVbv.exe
  2⤵
  PID:3700
- C:\Windows\System32\kRfRRks.exe
  C:\Windows\System32\kRfRRks.exe
  2⤵
  PID:4344
- C:\Windows\System32\WLAGFEr.exe
  C:\Windows\System32\WLAGFEr.exe
  2⤵
  PID:512
- C:\Windows\System32\QhbWMnE.exe
  C:\Windows\System32\QhbWMnE.exe
  2⤵
  PID:1348
- C:\Windows\System32\hbwiQys.exe
  C:\Windows\System32\hbwiQys.exe
  2⤵
  PID:2304
- C:\Windows\System32\TbKZCQH.exe
  C:\Windows\System32\TbKZCQH.exe
  2⤵
  PID:3768
- C:\Windows\System32\diSIDTE.exe
  C:\Windows\System32\diSIDTE.exe
  2⤵
  PID:1732
- C:\Windows\System32\xvhGxGN.exe
  C:\Windows\System32\xvhGxGN.exe
  2⤵
  PID:1676
- C:\Windows\System32\ECpiSIh.exe
  C:\Windows\System32\ECpiSIh.exe
  2⤵
  PID:5140
- C:\Windows\System32\Guyqpko.exe
  C:\Windows\System32\Guyqpko.exe
  2⤵
  PID:5168
- C:\Windows\System32\RKTIfOh.exe
  C:\Windows\System32\RKTIfOh.exe
  2⤵
  PID:5196
- C:\Windows\System32\CDNgZnh.exe
  C:\Windows\System32\CDNgZnh.exe
  2⤵
  PID:5224
- C:\Windows\System32\MYlwVlK.exe
  C:\Windows\System32\MYlwVlK.exe
  2⤵
  PID:5252
- C:\Windows\System32\jBHbhQb.exe
  C:\Windows\System32\jBHbhQb.exe
  2⤵
  PID:5280
- C:\Windows\System32\sLdiNbf.exe
  C:\Windows\System32\sLdiNbf.exe
  2⤵
  PID:5308
- C:\Windows\System32\yezbKwA.exe
  C:\Windows\System32\yezbKwA.exe
  2⤵
  PID:5336
- C:\Windows\System32\wkxuknt.exe
  C:\Windows\System32\wkxuknt.exe
  2⤵
  PID:5364
- C:\Windows\System32\qgsMQtS.exe
  C:\Windows\System32\qgsMQtS.exe
  2⤵
  PID:5392
- C:\Windows\System32\ggNjjhB.exe
  C:\Windows\System32\ggNjjhB.exe
  2⤵
  PID:5420
- C:\Windows\System32\GULJNTg.exe
  C:\Windows\System32\GULJNTg.exe
  2⤵
  PID:5448
- C:\Windows\System32\uWFIpSf.exe
  C:\Windows\System32\uWFIpSf.exe
  2⤵
  PID:5476
- C:\Windows\System32\blQopLi.exe
  C:\Windows\System32\blQopLi.exe
  2⤵
  PID:5504
- C:\Windows\System32\FiFhTtw.exe
  C:\Windows\System32\FiFhTtw.exe
  2⤵
  PID:5532
- C:\Windows\System32\ugahdwh.exe
  C:\Windows\System32\ugahdwh.exe
  2⤵
  PID:5560
- C:\Windows\System32\CdtouuN.exe
  C:\Windows\System32\CdtouuN.exe
  2⤵
  PID:5588
- C:\Windows\System32\NOcQxYQ.exe
  C:\Windows\System32\NOcQxYQ.exe
  2⤵
  PID:5616
- C:\Windows\System32\RmXLCny.exe
  C:\Windows\System32\RmXLCny.exe
  2⤵
  PID:5644
- C:\Windows\System32\EfMvzPX.exe
  C:\Windows\System32\EfMvzPX.exe
  2⤵
  PID:5672
- C:\Windows\System32\mcLUWau.exe
  C:\Windows\System32\mcLUWau.exe
  2⤵
  PID:5700
- C:\Windows\System32\JdsRTcU.exe
  C:\Windows\System32\JdsRTcU.exe
  2⤵
  PID:5728
- C:\Windows\System32\uMeeTTd.exe
  C:\Windows\System32\uMeeTTd.exe
  2⤵
  PID:5756
- C:\Windows\System32\DSiMGgT.exe
  C:\Windows\System32\DSiMGgT.exe
  2⤵
  PID:5784
- C:\Windows\System32\MXJXcCM.exe
  C:\Windows\System32\MXJXcCM.exe
  2⤵
  PID:5812
- C:\Windows\System32\SCDAFgN.exe
  C:\Windows\System32\SCDAFgN.exe
  2⤵
  PID:5840
- C:\Windows\System32\apzkSwh.exe
  C:\Windows\System32\apzkSwh.exe
  2⤵
  PID:5868
- C:\Windows\System32\LjDcKTW.exe
  C:\Windows\System32\LjDcKTW.exe
  2⤵
  PID:5896
- C:\Windows\System32\yqQnVWE.exe
  C:\Windows\System32\yqQnVWE.exe
  2⤵
  PID:5924
- C:\Windows\System32\zvWucvL.exe
  C:\Windows\System32\zvWucvL.exe
  2⤵
  PID:5952
- C:\Windows\System32\UpMgnGD.exe
  C:\Windows\System32\UpMgnGD.exe
  2⤵
  PID:5980
- C:\Windows\System32\Bhlbaaw.exe
  C:\Windows\System32\Bhlbaaw.exe
  2⤵
  PID:6008
- C:\Windows\System32\iHFDyZU.exe
  C:\Windows\System32\iHFDyZU.exe
  2⤵
  PID:6036
- C:\Windows\System32\xJkqbcf.exe
  C:\Windows\System32\xJkqbcf.exe
  2⤵
  PID:6064
- C:\Windows\System32\Hpzmulj.exe
  C:\Windows\System32\Hpzmulj.exe
  2⤵
  PID:6092
- C:\Windows\System32\EbWlVsF.exe
  C:\Windows\System32\EbWlVsF.exe
  2⤵
  PID:6120
- C:\Windows\System32\kcHTeSS.exe
  C:\Windows\System32\kcHTeSS.exe
  2⤵
  PID:1712
- C:\Windows\System32\JrKbiso.exe
  C:\Windows\System32\JrKbiso.exe
  2⤵
  PID:4952
- C:\Windows\System32\pLGyqsR.exe
  C:\Windows\System32\pLGyqsR.exe
  2⤵
  PID:536
- C:\Windows\System32\AjCvRcU.exe
  C:\Windows\System32\AjCvRcU.exe
  2⤵
  PID:4208
- C:\Windows\System32\gIBjgFj.exe
  C:\Windows\System32\gIBjgFj.exe
  2⤵
  PID:5132
- C:\Windows\System32\pLwScVA.exe
  C:\Windows\System32\pLwScVA.exe
  2⤵
  PID:5212
- C:\Windows\System32\VUOyYha.exe
  C:\Windows\System32\VUOyYha.exe
  2⤵
  PID:5260
- C:\Windows\System32\MSdnRoU.exe
  C:\Windows\System32\MSdnRoU.exe
  2⤵
  PID:5328
- C:\Windows\System32\BLYkyye.exe
  C:\Windows\System32\BLYkyye.exe
  2⤵
  PID:5408
- C:\Windows\System32\BHvNXJY.exe
  C:\Windows\System32\BHvNXJY.exe
  2⤵
  PID:5456
- C:\Windows\System32\zyqqZxq.exe
  C:\Windows\System32\zyqqZxq.exe
  2⤵
  PID:5524
- C:\Windows\System32\UFkHZxL.exe
  C:\Windows\System32\UFkHZxL.exe
  2⤵
  PID:5604
- C:\Windows\System32\GdKoWfs.exe
  C:\Windows\System32\GdKoWfs.exe
  2⤵
  PID:5652
- C:\Windows\System32\HXIGkAt.exe
  C:\Windows\System32\HXIGkAt.exe
  2⤵
  PID:5708
- C:\Windows\System32\jYPiniI.exe
  C:\Windows\System32\jYPiniI.exe
  2⤵
  PID:5764
- C:\Windows\System32\yesceEl.exe
  C:\Windows\System32\yesceEl.exe
  2⤵
  PID:5832
- C:\Windows\System32\pMFOzCx.exe
  C:\Windows\System32\pMFOzCx.exe
  2⤵
  PID:5912
- C:\Windows\System32\tnJWfIo.exe
  C:\Windows\System32\tnJWfIo.exe
  2⤵
  PID:5960
- C:\Windows\System32\GiRQhLN.exe
  C:\Windows\System32\GiRQhLN.exe
  2⤵
  PID:6028
- C:\Windows\System32\FTFusZd.exe
  C:\Windows\System32\FTFusZd.exe
  2⤵
  PID:6108
- C:\Windows\System32\wThzTgd.exe
  C:\Windows\System32\wThzTgd.exe
  2⤵
  PID:4016
- C:\Windows\System32\hoescWG.exe
  C:\Windows\System32\hoescWG.exe
  2⤵
  PID:4056
- C:\Windows\System32\FDOrFRb.exe
  C:\Windows\System32\FDOrFRb.exe
  2⤵
  PID:5232
- C:\Windows\System32\ODAslXC.exe
  C:\Windows\System32\ODAslXC.exe
  2⤵
  PID:5344
- C:\Windows\System32\FVjsMda.exe
  C:\Windows\System32\FVjsMda.exe
  2⤵
  PID:5520
- C:\Windows\System32\zRvDtQY.exe
  C:\Windows\System32\zRvDtQY.exe
  2⤵
  PID:5636
- C:\Windows\System32\dEHVCLS.exe
  C:\Windows\System32\dEHVCLS.exe
  2⤵
  PID:5804
- C:\Windows\System32\FGKkvJu.exe
  C:\Windows\System32\FGKkvJu.exe
  2⤵
  PID:5916
- C:\Windows\System32\NnPCXvU.exe
  C:\Windows\System32\NnPCXvU.exe
  2⤵
  PID:6072
- C:\Windows\System32\KbhtiNV.exe
  C:\Windows\System32\KbhtiNV.exe
  2⤵
  PID:5184
- C:\Windows\System32\LdqUrvg.exe
  C:\Windows\System32\LdqUrvg.exe
  2⤵
  PID:6160
- C:\Windows\System32\YWqBkSb.exe
  C:\Windows\System32\YWqBkSb.exe
  2⤵
  PID:6188
- C:\Windows\System32\rhoAFIN.exe
  C:\Windows\System32\rhoAFIN.exe
  2⤵
  PID:6216
- C:\Windows\System32\hrhZZTt.exe
  C:\Windows\System32\hrhZZTt.exe
  2⤵
  PID:6244
- C:\Windows\System32\nNjRmPX.exe
  C:\Windows\System32\nNjRmPX.exe
  2⤵
  PID:6272
- C:\Windows\System32\nIzEibk.exe
  C:\Windows\System32\nIzEibk.exe
  2⤵
  PID:6300
- C:\Windows\System32\FHcDbZJ.exe
  C:\Windows\System32\FHcDbZJ.exe
  2⤵
  PID:6328
- C:\Windows\System32\xdGyxtD.exe
  C:\Windows\System32\xdGyxtD.exe
  2⤵
  PID:6356
- C:\Windows\System32\vghktst.exe
  C:\Windows\System32\vghktst.exe
  2⤵
  PID:6384
- C:\Windows\System32\CNHOMtR.exe
  C:\Windows\System32\CNHOMtR.exe
  2⤵
  PID:6412
- C:\Windows\System32\wmwfPSh.exe
  C:\Windows\System32\wmwfPSh.exe
  2⤵
  PID:6440
- C:\Windows\System32\ddBbmju.exe
  C:\Windows\System32\ddBbmju.exe
  2⤵
  PID:6468
- C:\Windows\System32\GrJBcGW.exe
  C:\Windows\System32\GrJBcGW.exe
  2⤵
  PID:6496
- C:\Windows\System32\DLVjkvR.exe
  C:\Windows\System32\DLVjkvR.exe
  2⤵
  PID:6524
- C:\Windows\System32\QtmkZCH.exe
  C:\Windows\System32\QtmkZCH.exe
  2⤵
  PID:6552
- C:\Windows\System32\VWNZDOM.exe
  C:\Windows\System32\VWNZDOM.exe
  2⤵
  PID:6580
- C:\Windows\System32\vtkrbum.exe
  C:\Windows\System32\vtkrbum.exe
  2⤵
  PID:6608
- C:\Windows\System32\YmNlRdJ.exe
  C:\Windows\System32\YmNlRdJ.exe
  2⤵
  PID:6636
- C:\Windows\System32\YHvHRXm.exe
  C:\Windows\System32\YHvHRXm.exe
  2⤵
  PID:6664
- C:\Windows\System32\EIQwgKV.exe
  C:\Windows\System32\EIQwgKV.exe
  2⤵
  PID:6692
- C:\Windows\System32\OQJEVAn.exe
  C:\Windows\System32\OQJEVAn.exe
  2⤵
  PID:6720
- C:\Windows\System32\CKhzVkD.exe
  C:\Windows\System32\CKhzVkD.exe
  2⤵
  PID:6748
- C:\Windows\System32\sLJIimU.exe
  C:\Windows\System32\sLJIimU.exe
  2⤵
  PID:6776
- C:\Windows\System32\oVSHTmv.exe
  C:\Windows\System32\oVSHTmv.exe
  2⤵
  PID:6804
- C:\Windows\System32\JLsIPBy.exe
  C:\Windows\System32\JLsIPBy.exe
  2⤵
  PID:6832
- C:\Windows\System32\GBoKRQA.exe
  C:\Windows\System32\GBoKRQA.exe
  2⤵
  PID:6860
- C:\Windows\System32\tJcGYgU.exe
  C:\Windows\System32\tJcGYgU.exe
  2⤵
  PID:6888
- C:\Windows\System32\ZiIdRiR.exe
  C:\Windows\System32\ZiIdRiR.exe
  2⤵
  PID:6916
- C:\Windows\System32\gvVSIPu.exe
  C:\Windows\System32\gvVSIPu.exe
  2⤵
  PID:6944
- C:\Windows\System32\qXZUNhJ.exe
  C:\Windows\System32\qXZUNhJ.exe
  2⤵
  PID:6972
- C:\Windows\System32\oorHlJb.exe
  C:\Windows\System32\oorHlJb.exe
  2⤵
  PID:7000
- C:\Windows\System32\cgJkoor.exe
  C:\Windows\System32\cgJkoor.exe
  2⤵
  PID:7028
- C:\Windows\System32\zZkkOMH.exe
  C:\Windows\System32\zZkkOMH.exe
  2⤵
  PID:7056
- C:\Windows\System32\WQNsddi.exe
  C:\Windows\System32\WQNsddi.exe
  2⤵
  PID:7084
- C:\Windows\System32\zDtbbWw.exe
  C:\Windows\System32\zDtbbWw.exe
  2⤵
  PID:7112
- C:\Windows\System32\zdTNGjJ.exe
  C:\Windows\System32\zdTNGjJ.exe
  2⤵
  PID:7140
- C:\Windows\System32\HuSbnkf.exe
  C:\Windows\System32\HuSbnkf.exe
  2⤵
  PID:5244
- C:\Windows\System32\byPhdJj.exe
  C:\Windows\System32\byPhdJj.exe
  2⤵
  PID:5624
- C:\Windows\System32\ENDSQGe.exe
  C:\Windows\System32\ENDSQGe.exe
  2⤵
  PID:1928
- C:\Windows\System32\ZFigQFi.exe
  C:\Windows\System32\ZFigQFi.exe
  2⤵
  PID:6148
- C:\Windows\System32\uDSDGpl.exe
  C:\Windows\System32\uDSDGpl.exe
  2⤵
  PID:6204
- C:\Windows\System32\GrxVzTq.exe
  C:\Windows\System32\GrxVzTq.exe
  2⤵
  PID:6252
- C:\Windows\System32\OLklULa.exe
  C:\Windows\System32\OLklULa.exe
  2⤵
  PID:6320
- C:\Windows\System32\xbJWYYj.exe
  C:\Windows\System32\xbJWYYj.exe
  2⤵
  PID:6376
- C:\Windows\System32\RKZzEIQ.exe
  C:\Windows\System32\RKZzEIQ.exe
  2⤵
  PID:6432
- C:\Windows\System32\hjmJmoj.exe
  C:\Windows\System32\hjmJmoj.exe
  2⤵
  PID:6488
- C:\Windows\System32\ZFnQnEH.exe
  C:\Windows\System32\ZFnQnEH.exe
  2⤵
  PID:6544
- C:\Windows\System32\jdLWmNE.exe
  C:\Windows\System32\jdLWmNE.exe
  2⤵
  PID:6624
- C:\Windows\System32\CIFfczC.exe
  C:\Windows\System32\CIFfczC.exe
  2⤵
  PID:6672
- C:\Windows\System32\ewvXlsf.exe
  C:\Windows\System32\ewvXlsf.exe
  2⤵
  PID:6740
- C:\Windows\System32\LmgQMKg.exe
  C:\Windows\System32\LmgQMKg.exe
  2⤵
  PID:6820
- C:\Windows\System32\oFsZJKc.exe
  C:\Windows\System32\oFsZJKc.exe
  2⤵
  PID:6868
- C:\Windows\System32\ljaossq.exe
  C:\Windows\System32\ljaossq.exe
  2⤵
  PID:4988
- C:\Windows\System32\SEVCeXH.exe
  C:\Windows\System32\SEVCeXH.exe
  2⤵
  PID:7128
- C:\Windows\System32\PYKrtQw.exe
  C:\Windows\System32\PYKrtQw.exe
  2⤵
  PID:5428
- C:\Windows\System32\VOlXwqd.exe
  C:\Windows\System32\VOlXwqd.exe
  2⤵
  PID:6100
- C:\Windows\System32\kdGLzRc.exe
  C:\Windows\System32\kdGLzRc.exe
  2⤵
  PID:388
- C:\Windows\System32\jVFPrqd.exe
  C:\Windows\System32\jVFPrqd.exe
  2⤵
  PID:3620
- C:\Windows\System32\aNwByNM.exe
  C:\Windows\System32\aNwByNM.exe
  2⤵
  PID:6336
- C:\Windows\System32\nFRTyhY.exe
  C:\Windows\System32\nFRTyhY.exe
  2⤵
  PID:6428
- C:\Windows\System32\bhHHVla.exe
  C:\Windows\System32\bhHHVla.exe
  2⤵
  PID:6540
- C:\Windows\System32\jPddooP.exe
  C:\Windows\System32\jPddooP.exe
  2⤵
  PID:6712
- C:\Windows\System32\YUxrUng.exe
  C:\Windows\System32\YUxrUng.exe
  2⤵
  PID:6708
- C:\Windows\System32\UIEOERM.exe
  C:\Windows\System32\UIEOERM.exe
  2⤵
  PID:2400
- C:\Windows\System32\xikoXNS.exe
  C:\Windows\System32\xikoXNS.exe
  2⤵
  PID:6964
- C:\Windows\System32\RJrTgWP.exe
  C:\Windows\System32\RJrTgWP.exe
  2⤵
  PID:4608
- C:\Windows\System32\VnBEYYo.exe
  C:\Windows\System32\VnBEYYo.exe
  2⤵
  PID:3800
- C:\Windows\System32\wExjWDu.exe
  C:\Windows\System32\wExjWDu.exe
  2⤵
  PID:3460
- C:\Windows\System32\FmgdrWc.exe
  C:\Windows\System32\FmgdrWc.exe
  2⤵
  PID:412
- C:\Windows\System32\AtFsRjc.exe
  C:\Windows\System32\AtFsRjc.exe
  2⤵
  PID:7156
- C:\Windows\System32\ZuUMXBj.exe
  C:\Windows\System32\ZuUMXBj.exe
  2⤵
  PID:1944
- C:\Windows\System32\WfclYCG.exe
  C:\Windows\System32\WfclYCG.exe
  2⤵
  PID:2336
- C:\Windows\System32\gSspxXY.exe
  C:\Windows\System32\gSspxXY.exe
  2⤵
  PID:2212
- C:\Windows\System32\UuDolgw.exe
  C:\Windows\System32\UuDolgw.exe
  2⤵
  PID:4432
- C:\Windows\System32\znIOZOn.exe
  C:\Windows\System32\znIOZOn.exe
  2⤵
  PID:6236
- C:\Windows\System32\LOHJGQm.exe
  C:\Windows\System32\LOHJGQm.exe
  2⤵
  PID:7180
- C:\Windows\System32\lcYuVKt.exe
  C:\Windows\System32\lcYuVKt.exe
  2⤵
  PID:7208
- C:\Windows\System32\OJWJqhV.exe
  C:\Windows\System32\OJWJqhV.exe
  2⤵
  PID:7232
- C:\Windows\System32\hRzEUQD.exe
  C:\Windows\System32\hRzEUQD.exe
  2⤵
  PID:7252
- C:\Windows\System32\gRegRbt.exe
  C:\Windows\System32\gRegRbt.exe
  2⤵
  PID:7288
- C:\Windows\System32\luLOImu.exe
  C:\Windows\System32\luLOImu.exe
  2⤵
  PID:7320
- C:\Windows\System32\jSKXAUW.exe
  C:\Windows\System32\jSKXAUW.exe
  2⤵
  PID:7348
- C:\Windows\System32\mgdWkXd.exe
  C:\Windows\System32\mgdWkXd.exe
  2⤵
  PID:7384
- C:\Windows\System32\ECKSbkt.exe
  C:\Windows\System32\ECKSbkt.exe
  2⤵
  PID:7412
- C:\Windows\System32\ArMSHLG.exe
  C:\Windows\System32\ArMSHLG.exe
  2⤵
  PID:7448
- C:\Windows\System32\CICIrvz.exe
  C:\Windows\System32\CICIrvz.exe
  2⤵
  PID:7476
- C:\Windows\System32\OOoOVlm.exe
  C:\Windows\System32\OOoOVlm.exe
  2⤵
  PID:7500
- C:\Windows\System32\AnVTtrL.exe
  C:\Windows\System32\AnVTtrL.exe
  2⤵
  PID:7528
- C:\Windows\System32\NIbreBe.exe
  C:\Windows\System32\NIbreBe.exe
  2⤵
  PID:7556
- C:\Windows\System32\wjwNGkh.exe
  C:\Windows\System32\wjwNGkh.exe
  2⤵
  PID:7584
- C:\Windows\System32\xSGJyOU.exe
  C:\Windows\System32\xSGJyOU.exe
  2⤵
  PID:7624
- C:\Windows\System32\sbLjulz.exe
  C:\Windows\System32\sbLjulz.exe
  2⤵
  PID:7644
- C:\Windows\System32\IYpgqqD.exe
  C:\Windows\System32\IYpgqqD.exe
  2⤵
  PID:7672
- C:\Windows\System32\rPOhfdu.exe
  C:\Windows\System32\rPOhfdu.exe
  2⤵
  PID:7704
- C:\Windows\System32\FOlikeg.exe
  C:\Windows\System32\FOlikeg.exe
  2⤵
  PID:7732
- C:\Windows\System32\mkhbCLF.exe
  C:\Windows\System32\mkhbCLF.exe
  2⤵
  PID:7776
- C:\Windows\System32\DkWhFsb.exe
  C:\Windows\System32\DkWhFsb.exe
  2⤵
  PID:7796
- C:\Windows\System32\pdEpRJt.exe
  C:\Windows\System32\pdEpRJt.exe
  2⤵
  PID:7852
- C:\Windows\System32\mNVefan.exe
  C:\Windows\System32\mNVefan.exe
  2⤵
  PID:7888
- C:\Windows\System32\WtCiFCm.exe
  C:\Windows\System32\WtCiFCm.exe
  2⤵
  PID:7916
- C:\Windows\System32\VRROxqn.exe
  C:\Windows\System32\VRROxqn.exe
  2⤵
  PID:7940
- C:\Windows\System32\fEBfHTk.exe
  C:\Windows\System32\fEBfHTk.exe
  2⤵
  PID:7984
- C:\Windows\System32\ATcGohb.exe
  C:\Windows\System32\ATcGohb.exe
  2⤵
  PID:8024
- C:\Windows\System32\jqoAhbp.exe
  C:\Windows\System32\jqoAhbp.exe
  2⤵
  PID:8060
- C:\Windows\System32\OFnLokI.exe
  C:\Windows\System32\OFnLokI.exe
  2⤵
  PID:8088
- C:\Windows\System32\FEsnBgW.exe
  C:\Windows\System32\FEsnBgW.exe
  2⤵
  PID:8116
- C:\Windows\System32\sCpChtp.exe
  C:\Windows\System32\sCpChtp.exe
  2⤵
  PID:8144
- C:\Windows\System32\yCEVLjs.exe
  C:\Windows\System32\yCEVLjs.exe
  2⤵
  PID:8172
- C:\Windows\System32\iXExIQA.exe
  C:\Windows\System32\iXExIQA.exe
  2⤵
  PID:7200
- C:\Windows\System32\sYmKFaS.exe
  C:\Windows\System32\sYmKFaS.exe
  2⤵
  PID:7264
- C:\Windows\System32\EVENsbE.exe
  C:\Windows\System32\EVENsbE.exe
  2⤵
  PID:7336
- C:\Windows\System32\FSKHtwU.exe
  C:\Windows\System32\FSKHtwU.exe
  2⤵
  PID:7396
- C:\Windows\System32\XSVwvBE.exe
  C:\Windows\System32\XSVwvBE.exe
  2⤵
  PID:7484
- C:\Windows\System32\kdyIQPi.exe
  C:\Windows\System32\kdyIQPi.exe
  2⤵
  PID:7516
- C:\Windows\System32\tyoeMvE.exe
  C:\Windows\System32\tyoeMvE.exe
  2⤵
  PID:7596
- C:\Windows\System32\suFPaUI.exe
  C:\Windows\System32\suFPaUI.exe
  2⤵
  PID:7372
- C:\Windows\System32\TsnxvqI.exe
  C:\Windows\System32\TsnxvqI.exe
  2⤵
  PID:7656
- C:\Windows\System32\gzHBLck.exe
  C:\Windows\System32\gzHBLck.exe
  2⤵
  PID:7724
- C:\Windows\System32\lqjXNlZ.exe
  C:\Windows\System32\lqjXNlZ.exe
  2⤵
  PID:7788
- C:\Windows\System32\iRYkVfm.exe
  C:\Windows\System32\iRYkVfm.exe
  2⤵
  PID:7836
- C:\Windows\System32\gxblkaE.exe
  C:\Windows\System32\gxblkaE.exe
  2⤵
  PID:7956
- C:\Windows\System32\WfxTGeb.exe
  C:\Windows\System32\WfxTGeb.exe
  2⤵
  PID:8052
- C:\Windows\System32\wMapfFy.exe
  C:\Windows\System32\wMapfFy.exe
  2⤵
  PID:8080
- C:\Windows\System32\IbqzKCf.exe
  C:\Windows\System32\IbqzKCf.exe
  2⤵
  PID:8156
- C:\Windows\System32\PnvyRVU.exe
  C:\Windows\System32\PnvyRVU.exe
  2⤵
  PID:6936
- C:\Windows\System32\IDZQrTj.exe
  C:\Windows\System32\IDZQrTj.exe
  2⤵
  PID:7604
- C:\Windows\System32\ahbixiG.exe
  C:\Windows\System32\ahbixiG.exe
  2⤵
  PID:7816
- C:\Windows\System32\dSqneHV.exe
  C:\Windows\System32\dSqneHV.exe
  2⤵
  PID:7376
- C:\Windows\System32\rKLqZuz.exe
  C:\Windows\System32\rKLqZuz.exe
  2⤵
  PID:7576
- C:\Windows\System32\clzWglR.exe
  C:\Windows\System32\clzWglR.exe
  2⤵
  PID:7612
- C:\Windows\System32\BAgqtcu.exe
  C:\Windows\System32\BAgqtcu.exe
  2⤵
  PID:7700
- C:\Windows\System32\vXukfiT.exe
  C:\Windows\System32\vXukfiT.exe
  2⤵
  PID:7808
- C:\Windows\System32\KUNqJDW.exe
  C:\Windows\System32\KUNqJDW.exe
  2⤵
  PID:8112
- C:\Windows\System32\ODMjXuY.exe
  C:\Windows\System32\ODMjXuY.exe
  2⤵
  PID:2088
- C:\Windows\System32\Yyjrnfa.exe
  C:\Windows\System32\Yyjrnfa.exe
  2⤵
  PID:2448
- C:\Windows\System32\RwJxbti.exe
  C:\Windows\System32\RwJxbti.exe
  2⤵
  PID:7760
- C:\Windows\System32\ZLcUfTv.exe
  C:\Windows\System32\ZLcUfTv.exe
  2⤵
  PID:7176
- C:\Windows\System32\RneDFmV.exe
  C:\Windows\System32\RneDFmV.exe
  2⤵
  PID:7640
- C:\Windows\System32\nDOgAiB.exe
  C:\Windows\System32\nDOgAiB.exe
  2⤵
  PID:7436
- C:\Windows\System32\CqXGVZO.exe
  C:\Windows\System32\CqXGVZO.exe
  2⤵
  PID:8216
- C:\Windows\System32\AdHFDDa.exe
  C:\Windows\System32\AdHFDDa.exe
  2⤵
  PID:8240
- C:\Windows\System32\UdhNjbo.exe
  C:\Windows\System32\UdhNjbo.exe
  2⤵
  PID:8260
- C:\Windows\System32\BFwaQQs.exe
  C:\Windows\System32\BFwaQQs.exe
  2⤵
  PID:8300
- C:\Windows\System32\mMiERpM.exe
  C:\Windows\System32\mMiERpM.exe
  2⤵
  PID:8332
- C:\Windows\System32\oFLValW.exe
  C:\Windows\System32\oFLValW.exe
  2⤵
  PID:8356
- C:\Windows\System32\tVejQZg.exe
  C:\Windows\System32\tVejQZg.exe
  2⤵
  PID:8384
- C:\Windows\System32\xkMTxcI.exe
  C:\Windows\System32\xkMTxcI.exe
  2⤵
  PID:8412
- C:\Windows\System32\IpSERSV.exe
  C:\Windows\System32\IpSERSV.exe
  2⤵
  PID:8436
- C:\Windows\System32\ODLFnVb.exe
  C:\Windows\System32\ODLFnVb.exe
  2⤵
  PID:8472
- C:\Windows\System32\qYxZvLX.exe
  C:\Windows\System32\qYxZvLX.exe
  2⤵
  PID:8496
- C:\Windows\System32\QWvWhha.exe
  C:\Windows\System32\QWvWhha.exe
  2⤵
  PID:8524
- C:\Windows\System32\XOzQlOd.exe
  C:\Windows\System32\XOzQlOd.exe
  2⤵
  PID:8540
- C:\Windows\System32\hDDpZaJ.exe
  C:\Windows\System32\hDDpZaJ.exe
  2⤵
  PID:8580
- C:\Windows\System32\llUmXdT.exe
  C:\Windows\System32\llUmXdT.exe
  2⤵
  PID:8600
- C:\Windows\System32\tWRqioj.exe
  C:\Windows\System32\tWRqioj.exe
  2⤵
  PID:8636
- C:\Windows\System32\PWMMtUQ.exe
  C:\Windows\System32\PWMMtUQ.exe
  2⤵
  PID:8664
- C:\Windows\System32\pOpAwbl.exe
  C:\Windows\System32\pOpAwbl.exe
  2⤵
  PID:8692
- C:\Windows\System32\RCFYzcG.exe
  C:\Windows\System32\RCFYzcG.exe
  2⤵
  PID:8720
- C:\Windows\System32\gjLNQmf.exe
  C:\Windows\System32\gjLNQmf.exe
  2⤵
  PID:8740
- C:\Windows\System32\KLqbNoR.exe
  C:\Windows\System32\KLqbNoR.exe
  2⤵
  PID:8764
- C:\Windows\System32\IEyZOLL.exe
  C:\Windows\System32\IEyZOLL.exe
  2⤵
  PID:8804
- C:\Windows\System32\UHaXevZ.exe
  C:\Windows\System32\UHaXevZ.exe
  2⤵
  PID:8832
- C:\Windows\System32\GxXFpVV.exe
  C:\Windows\System32\GxXFpVV.exe
  2⤵
  PID:8852
- C:\Windows\System32\WTGTXRT.exe
  C:\Windows\System32\WTGTXRT.exe
  2⤵
  PID:8892
- C:\Windows\System32\hNTqQeJ.exe
  C:\Windows\System32\hNTqQeJ.exe
  2⤵
  PID:8944
- C:\Windows\System32\bThfQta.exe
  C:\Windows\System32\bThfQta.exe
  2⤵
  PID:8972
- C:\Windows\System32\mUAcBel.exe
  C:\Windows\System32\mUAcBel.exe
  2⤵
  PID:9004
- C:\Windows\System32\sAVQiEW.exe
  C:\Windows\System32\sAVQiEW.exe
  2⤵
  PID:9036
- C:\Windows\System32\wYeKAgD.exe
  C:\Windows\System32\wYeKAgD.exe
  2⤵
  PID:9072
- C:\Windows\System32\kiXnZTk.exe
  C:\Windows\System32\kiXnZTk.exe
  2⤵
  PID:9100
- C:\Windows\System32\urzVUXx.exe
  C:\Windows\System32\urzVUXx.exe
  2⤵
  PID:9116
- C:\Windows\System32\jiAEtmi.exe
  C:\Windows\System32\jiAEtmi.exe
  2⤵
  PID:9156
- C:\Windows\System32\ScXAALa.exe
  C:\Windows\System32\ScXAALa.exe
  2⤵
  PID:9184
- C:\Windows\System32\nXrGHsS.exe
  C:\Windows\System32\nXrGHsS.exe
  2⤵
  PID:9204
- C:\Windows\System32\NJUMewC.exe
  C:\Windows\System32\NJUMewC.exe
  2⤵
  PID:8224
- C:\Windows\System32\CrwxRKW.exe
  C:\Windows\System32\CrwxRKW.exe
  2⤵
  PID:8320
- C:\Windows\System32\oaWsBWh.exe
  C:\Windows\System32\oaWsBWh.exe
  2⤵
  PID:8368
- C:\Windows\System32\lOIDcfD.exe
  C:\Windows\System32\lOIDcfD.exe
  2⤵
  PID:8420
- C:\Windows\System32\QpSvKoT.exe
  C:\Windows\System32\QpSvKoT.exe
  2⤵
  PID:8488
- C:\Windows\System32\YJIkVez.exe
  C:\Windows\System32\YJIkVez.exe
  2⤵
  PID:8576
- C:\Windows\System32\gWYjGDs.exe
  C:\Windows\System32\gWYjGDs.exe
  2⤵
  PID:8620
- C:\Windows\System32\PATwXiq.exe
  C:\Windows\System32\PATwXiq.exe
  2⤵
  PID:8712
- C:\Windows\System32\enQpFxE.exe
  C:\Windows\System32\enQpFxE.exe
  2⤵
  PID:8776
- C:\Windows\System32\TEidHHZ.exe
  C:\Windows\System32\TEidHHZ.exe
  2⤵
  PID:8864
- C:\Windows\System32\wfjnMaz.exe
  C:\Windows\System32\wfjnMaz.exe
  2⤵
  PID:8900
- C:\Windows\System32\wplsBZN.exe
  C:\Windows\System32\wplsBZN.exe
  2⤵
  PID:9012
- C:\Windows\System32\aoSsDZj.exe
  C:\Windows\System32\aoSsDZj.exe
  2⤵
  PID:9052
- C:\Windows\System32\pvchMPf.exe
  C:\Windows\System32\pvchMPf.exe
  2⤵
  PID:9112
- C:\Windows\System32\mVzbWfv.exe
  C:\Windows\System32\mVzbWfv.exe
  2⤵
  PID:8280
- C:\Windows\System32\rYjTIHf.exe
  C:\Windows\System32\rYjTIHf.exe
  2⤵
  PID:8380
- C:\Windows\System32\DXcGQCG.exe
  C:\Windows\System32\DXcGQCG.exe
  2⤵
  PID:8464
- C:\Windows\System32\tjkWpXo.exe
  C:\Windows\System32\tjkWpXo.exe
  2⤵
  PID:8608
- C:\Windows\System32\zjHsePt.exe
  C:\Windows\System32\zjHsePt.exe
  2⤵
  PID:8792
- C:\Windows\System32\JQTzNaw.exe
  C:\Windows\System32\JQTzNaw.exe
  2⤵
  PID:8984
- C:\Windows\System32\hjZQNHM.exe
  C:\Windows\System32\hjZQNHM.exe
  2⤵
  PID:9108
- C:\Windows\System32\ilxHCxH.exe
  C:\Windows\System32\ilxHCxH.exe
  2⤵
  PID:8568
- C:\Windows\System32\RBxUcWm.exe
  C:\Windows\System32\RBxUcWm.exe
  2⤵
  PID:8848
- C:\Windows\System32\ZINFDuj.exe
  C:\Windows\System32\ZINFDuj.exe
  2⤵
  PID:8728
- C:\Windows\System32\BmFMlrH.exe
  C:\Windows\System32\BmFMlrH.exe
  2⤵
  PID:9232
- C:\Windows\System32\MmHCmbc.exe
  C:\Windows\System32\MmHCmbc.exe
  2⤵
  PID:9256
- C:\Windows\System32\iVJPxbV.exe
  C:\Windows\System32\iVJPxbV.exe
  2⤵
  PID:9284
- C:\Windows\System32\FMAAzar.exe
  C:\Windows\System32\FMAAzar.exe
  2⤵
  PID:9316
- C:\Windows\System32\gBptzqm.exe
  C:\Windows\System32\gBptzqm.exe
  2⤵
  PID:9344
- C:\Windows\System32\ecozmWt.exe
  C:\Windows\System32\ecozmWt.exe
  2⤵
  PID:9372
- C:\Windows\System32\RxmBKjV.exe
  C:\Windows\System32\RxmBKjV.exe
  2⤵
  PID:9400
- C:\Windows\System32\wHthOeT.exe
  C:\Windows\System32\wHthOeT.exe
  2⤵
  PID:9436
- C:\Windows\System32\bWcpsSD.exe
  C:\Windows\System32\bWcpsSD.exe
  2⤵
  PID:9472
- C:\Windows\System32\GwqdxOB.exe
  C:\Windows\System32\GwqdxOB.exe
  2⤵
  PID:9500
- C:\Windows\System32\XqdGYQx.exe
  C:\Windows\System32\XqdGYQx.exe
  2⤵
  PID:9528
- C:\Windows\System32\RJSgUhY.exe
  C:\Windows\System32\RJSgUhY.exe
  2⤵
  PID:9560
- C:\Windows\System32\gZVUgtD.exe
  C:\Windows\System32\gZVUgtD.exe
  2⤵
  PID:9592
- C:\Windows\System32\lbbgGNM.exe
  C:\Windows\System32\lbbgGNM.exe
  2⤵
  PID:9640
- C:\Windows\System32\qzVarsS.exe
  C:\Windows\System32\qzVarsS.exe
  2⤵
  PID:9680
- C:\Windows\System32\nudFCnm.exe
  C:\Windows\System32\nudFCnm.exe
  2⤵
  PID:9724
- C:\Windows\System32\wGRyRQv.exe
  C:\Windows\System32\wGRyRQv.exe
  2⤵
  PID:9756
- C:\Windows\System32\xpRSYrg.exe
  C:\Windows\System32\xpRSYrg.exe
  2⤵
  PID:9784
- C:\Windows\System32\yElXurp.exe
  C:\Windows\System32\yElXurp.exe
  2⤵
  PID:9848
- C:\Windows\System32\ALsIkFK.exe
  C:\Windows\System32\ALsIkFK.exe
  2⤵
  PID:9880
- C:\Windows\System32\BLWjiqS.exe
  C:\Windows\System32\BLWjiqS.exe
  2⤵
  PID:9944
- C:\Windows\System32\annpHDO.exe
  C:\Windows\System32\annpHDO.exe
  2⤵
  PID:9976
- C:\Windows\System32\mAJBTKl.exe
  C:\Windows\System32\mAJBTKl.exe
  2⤵
  PID:10012
- C:\Windows\System32\MaunGom.exe
  C:\Windows\System32\MaunGom.exe
  2⤵
  PID:10032
- C:\Windows\System32\eEQhsbj.exe
  C:\Windows\System32\eEQhsbj.exe
  2⤵
  PID:10060
- C:\Windows\System32\tDRwUvW.exe
  C:\Windows\System32\tDRwUvW.exe
  2⤵
  PID:10092
- C:\Windows\System32\WTzUyvm.exe
  C:\Windows\System32\WTzUyvm.exe
  2⤵
  PID:10120
- C:\Windows\System32\ZwMOHXj.exe
  C:\Windows\System32\ZwMOHXj.exe
  2⤵
  PID:10156
- C:\Windows\System32\jvWaPRH.exe
  C:\Windows\System32\jvWaPRH.exe
  2⤵
  PID:10204
- C:\Windows\System32\SUgKXdb.exe
  C:\Windows\System32\SUgKXdb.exe
  2⤵
  PID:10224
- C:\Windows\System32\jVaOvgP.exe
  C:\Windows\System32\jVaOvgP.exe
  2⤵
  PID:9240
- C:\Windows\System32\kVPzcyr.exe
  C:\Windows\System32\kVPzcyr.exe
  2⤵
  PID:9304
- C:\Windows\System32\CilPKNN.exe
  C:\Windows\System32\CilPKNN.exe
  2⤵
  PID:9356
- C:\Windows\System32\EieloSd.exe
  C:\Windows\System32\EieloSd.exe
  2⤵
  PID:9460
- C:\Windows\System32\xaaMKAx.exe
  C:\Windows\System32\xaaMKAx.exe
  2⤵
  PID:9516
- C:\Windows\System32\FfmswUn.exe
  C:\Windows\System32\FfmswUn.exe
  2⤵
  PID:9576
- C:\Windows\System32\BaQImWg.exe
  C:\Windows\System32\BaQImWg.exe
  2⤵
  PID:9700
- C:\Windows\System32\dJGGdhH.exe
  C:\Windows\System32\dJGGdhH.exe
  2⤵
  PID:9776
- C:\Windows\System32\ElqolLK.exe
  C:\Windows\System32\ElqolLK.exe
  2⤵
  PID:9900
- C:\Windows\System32\TIGigjk.exe
  C:\Windows\System32\TIGigjk.exe
  2⤵
  PID:10000
- C:\Windows\System32\gagXBfd.exe
  C:\Windows\System32\gagXBfd.exe
  2⤵
  PID:10044
- C:\Windows\System32\CVVtFtO.exe
  C:\Windows\System32\CVVtFtO.exe
  2⤵
  PID:9044
- C:\Windows\System32\mQRrOQO.exe
  C:\Windows\System32\mQRrOQO.exe
  2⤵
  PID:10212
- C:\Windows\System32\BQKCtqS.exe
  C:\Windows\System32\BQKCtqS.exe
  2⤵
  PID:9280
- C:\Windows\System32\oJuEDRi.exe
  C:\Windows\System32\oJuEDRi.exe
  2⤵
  PID:9488
- C:\Windows\System32\iBQwDhn.exe
  C:\Windows\System32\iBQwDhn.exe
  2⤵
  PID:9636
- C:\Windows\System32\PAMiHGp.exe
  C:\Windows\System32\PAMiHGp.exe
  2⤵
  PID:9856
- C:\Windows\System32\aLYVtIr.exe
  C:\Windows\System32\aLYVtIr.exe
  2⤵
  PID:10052
- C:\Windows\System32\RVkMNvI.exe
  C:\Windows\System32\RVkMNvI.exe
  2⤵
  PID:9428
- C:\Windows\System32\umIUdql.exe
  C:\Windows\System32\umIUdql.exe
  2⤵
  PID:9840
- C:\Windows\System32\pfPIWPe.exe
  C:\Windows\System32\pfPIWPe.exe
  2⤵
  PID:10236
- C:\Windows\System32\lDIKBhe.exe
  C:\Windows\System32\lDIKBhe.exe
  2⤵
  PID:9736
- C:\Windows\System32\lbIHyFA.exe
  C:\Windows\System32\lbIHyFA.exe
  2⤵
  PID:10260
- C:\Windows\System32\PCLbhYl.exe
  C:\Windows\System32\PCLbhYl.exe
  2⤵
  PID:10288
- C:\Windows\System32\AHaEfTs.exe
  C:\Windows\System32\AHaEfTs.exe
  2⤵
  PID:10316
- C:\Windows\System32\pIGZVCf.exe
  C:\Windows\System32\pIGZVCf.exe
  2⤵
  PID:10344
- C:\Windows\System32\mwpPKRj.exe
  C:\Windows\System32\mwpPKRj.exe
  2⤵
  PID:10376
- C:\Windows\System32\jRypoFA.exe
  C:\Windows\System32\jRypoFA.exe
  2⤵
  PID:10404
- C:\Windows\System32\fjKddpl.exe
  C:\Windows\System32\fjKddpl.exe
  2⤵
  PID:10436
- C:\Windows\System32\GMXgHap.exe
  C:\Windows\System32\GMXgHap.exe
  2⤵
  PID:10460
- C:\Windows\System32\yUXBbri.exe
  C:\Windows\System32\yUXBbri.exe
  2⤵
  PID:10488
- C:\Windows\System32\HgaWkBj.exe
  C:\Windows\System32\HgaWkBj.exe
  2⤵
  PID:10516
- C:\Windows\System32\nDJggME.exe
  C:\Windows\System32\nDJggME.exe
  2⤵
  PID:10544
- C:\Windows\System32\gaziCCK.exe
  C:\Windows\System32\gaziCCK.exe
  2⤵
  PID:10572
- C:\Windows\System32\NNDdGdO.exe
  C:\Windows\System32\NNDdGdO.exe
  2⤵
  PID:10600
- C:\Windows\System32\IsHUjKw.exe
  C:\Windows\System32\IsHUjKw.exe
  2⤵
  PID:10624
- C:\Windows\System32\BKcZNir.exe
  C:\Windows\System32\BKcZNir.exe
  2⤵
  PID:10640
- C:\Windows\System32\nKnxtJz.exe
  C:\Windows\System32\nKnxtJz.exe
  2⤵
  PID:10684
- C:\Windows\System32\xRKVwuq.exe
  C:\Windows\System32\xRKVwuq.exe
  2⤵
  PID:10728
- C:\Windows\System32\KPnWyrQ.exe
  C:\Windows\System32\KPnWyrQ.exe
  2⤵
  PID:10756
- C:\Windows\System32\kbQtFtt.exe
  C:\Windows\System32\kbQtFtt.exe
  2⤵
  PID:10780
- C:\Windows\System32\UjjIQId.exe
  C:\Windows\System32\UjjIQId.exe
  2⤵
  PID:10808
- C:\Windows\System32\kCAxdrE.exe
  C:\Windows\System32\kCAxdrE.exe
  2⤵
  PID:10836
- C:\Windows\System32\hTeSdQE.exe
  C:\Windows\System32\hTeSdQE.exe
  2⤵
  PID:10864
- C:\Windows\System32\LdNqMIc.exe
  C:\Windows\System32\LdNqMIc.exe
  2⤵
  PID:10892
- C:\Windows\System32\kYiKBbJ.exe
  C:\Windows\System32\kYiKBbJ.exe
  2⤵
  PID:10920
- C:\Windows\System32\AtsDuum.exe
  C:\Windows\System32\AtsDuum.exe
  2⤵
  PID:10948
- C:\Windows\System32\XnWMpXz.exe
  C:\Windows\System32\XnWMpXz.exe
  2⤵
  PID:10976
- C:\Windows\System32\cSLnXaK.exe
  C:\Windows\System32\cSLnXaK.exe
  2⤵
  PID:11004
- C:\Windows\System32\wSfMkHg.exe
  C:\Windows\System32\wSfMkHg.exe
  2⤵
  PID:11032
- C:\Windows\System32\uBHXCBu.exe
  C:\Windows\System32\uBHXCBu.exe
  2⤵
  PID:11060
- C:\Windows\System32\uELCVyZ.exe
  C:\Windows\System32\uELCVyZ.exe
  2⤵
  PID:11088
- C:\Windows\System32\bEhkNLk.exe
  C:\Windows\System32\bEhkNLk.exe
  2⤵
  PID:11116
- C:\Windows\System32\aqvmnDU.exe
  C:\Windows\System32\aqvmnDU.exe
  2⤵
  PID:11144
- C:\Windows\System32\qXlPTwd.exe
  C:\Windows\System32\qXlPTwd.exe
  2⤵
  PID:11176
- C:\Windows\System32\DiEwvqi.exe
  C:\Windows\System32\DiEwvqi.exe
  2⤵
  PID:11204
- C:\Windows\System32\NOMvWTH.exe
  C:\Windows\System32\NOMvWTH.exe
  2⤵
  PID:11232
- C:\Windows\System32\jVckkLl.exe
  C:\Windows\System32\jVckkLl.exe
  2⤵
  PID:11260
- C:\Windows\System32\HCkGeHZ.exe
  C:\Windows\System32\HCkGeHZ.exe
  2⤵
  PID:10300
- C:\Windows\System32\XiZeDRt.exe
  C:\Windows\System32\XiZeDRt.exe
  2⤵
  PID:10368
- C:\Windows\System32\couGtGM.exe
  C:\Windows\System32\couGtGM.exe
  2⤵
  PID:10448
- C:\Windows\System32\ASZCZCz.exe
  C:\Windows\System32\ASZCZCz.exe
  2⤵
  PID:10540
- C:\Windows\System32\UvXHmBE.exe
  C:\Windows\System32\UvXHmBE.exe
  2⤵
  PID:10584
- C:\Windows\System32\yGXcqIH.exe
  C:\Windows\System32\yGXcqIH.exe
  2⤵
  PID:10664
- C:\Windows\System32\sJDAXRQ.exe
  C:\Windows\System32\sJDAXRQ.exe
  2⤵
  PID:10736
- C:\Windows\System32\CNqOiIf.exe
  C:\Windows\System32\CNqOiIf.exe
  2⤵
  PID:10792
- C:\Windows\System32\ZUsiILS.exe
  C:\Windows\System32\ZUsiILS.exe
  2⤵
  PID:10848
- C:\Windows\System32\qIzIjbt.exe
  C:\Windows\System32\qIzIjbt.exe
  2⤵
  PID:10904
- C:\Windows\System32\gKMqnnr.exe
  C:\Windows\System32\gKMqnnr.exe
  2⤵
  PID:10968
- C:\Windows\System32\lQoKBEj.exe
  C:\Windows\System32\lQoKBEj.exe
  2⤵
  PID:11080
- C:\Windows\System32\crSFCwO.exe
  C:\Windows\System32\crSFCwO.exe
  2⤵
  PID:11140
- C:\Windows\System32\EairQFH.exe
  C:\Windows\System32\EairQFH.exe
  2⤵
  PID:11216
- C:\Windows\System32\tioNbqH.exe
  C:\Windows\System32\tioNbqH.exe
  2⤵
  PID:10280
- C:\Windows\System32\TQTUjKz.exe
  C:\Windows\System32\TQTUjKz.exe
  2⤵
  PID:10424
- C:\Windows\System32\HbrAQJD.exe
  C:\Windows\System32\HbrAQJD.exe
  2⤵
  PID:10616
- C:\Windows\System32\krrRWLL.exe
  C:\Windows\System32\krrRWLL.exe
  2⤵
  PID:10776
- C:\Windows\System32\kpNhlJO.exe
  C:\Windows\System32\kpNhlJO.exe
  2⤵
  PID:10888
- C:\Windows\System32\fGHKaPW.exe
  C:\Windows\System32\fGHKaPW.exe
  2⤵
  PID:11108
- C:\Windows\System32\YgHbWOs.exe
  C:\Windows\System32\YgHbWOs.exe
  2⤵
  PID:11256
- C:\Windows\System32\YAaDQHS.exe
  C:\Windows\System32\YAaDQHS.exe
  2⤵
  PID:10744
- C:\Windows\System32\lyLeQmI.exe
  C:\Windows\System32\lyLeQmI.exe
  2⤵
  PID:10960
- C:\Windows\System32\FMWqqOn.exe
  C:\Windows\System32\FMWqqOn.exe
  2⤵
  PID:10512
- C:\Windows\System32\LLogbOe.exe
  C:\Windows\System32\LLogbOe.exe
  2⤵
  PID:10400
- C:\Windows\System32\kFiEsSH.exe
  C:\Windows\System32\kFiEsSH.exe
  2⤵
  PID:11280
- C:\Windows\System32\vCKJDMJ.exe
  C:\Windows\System32\vCKJDMJ.exe
  2⤵
  PID:11308
- C:\Windows\System32\wGLluYg.exe
  C:\Windows\System32\wGLluYg.exe
  2⤵
  PID:11336
- C:\Windows\System32\JjMMDOp.exe
  C:\Windows\System32\JjMMDOp.exe
  2⤵
  PID:11364
- C:\Windows\System32\qyoAFGE.exe
  C:\Windows\System32\qyoAFGE.exe
  2⤵
  PID:11392
- C:\Windows\System32\thprMum.exe
  C:\Windows\System32\thprMum.exe
  2⤵
  PID:11420
- C:\Windows\System32\FmknkGO.exe
  C:\Windows\System32\FmknkGO.exe
  2⤵
  PID:11456
- C:\Windows\System32\wGKdCCW.exe
  C:\Windows\System32\wGKdCCW.exe
  2⤵
  PID:11480
- C:\Windows\System32\Arzutxi.exe
  C:\Windows\System32\Arzutxi.exe
  2⤵
  PID:11508
- C:\Windows\System32\jlSwjjG.exe
  C:\Windows\System32\jlSwjjG.exe
  2⤵
  PID:11536
- C:\Windows\System32\QXKrdjQ.exe
  C:\Windows\System32\QXKrdjQ.exe
  2⤵
  PID:11564
- C:\Windows\System32\jUXZQXn.exe
  C:\Windows\System32\jUXZQXn.exe
  2⤵
  PID:11592
- C:\Windows\System32\cVsoYcb.exe
  C:\Windows\System32\cVsoYcb.exe
  2⤵
  PID:11620
- C:\Windows\System32\bZxYwTj.exe
  C:\Windows\System32\bZxYwTj.exe
  2⤵
  PID:11648
- C:\Windows\System32\UTLOUes.exe
  C:\Windows\System32\UTLOUes.exe
  2⤵
  PID:11696
- C:\Windows\System32\HthPxKC.exe
  C:\Windows\System32\HthPxKC.exe
  2⤵
  PID:11744
- C:\Windows\System32\cKArwsR.exe
  C:\Windows\System32\cKArwsR.exe
  2⤵
  PID:11768
- C:\Windows\System32\YJdeTWR.exe
  C:\Windows\System32\YJdeTWR.exe
  2⤵
  PID:11796
- C:\Windows\System32\AzlIwtk.exe
  C:\Windows\System32\AzlIwtk.exe
  2⤵
  PID:11824
- C:\Windows\System32\zQdEgbr.exe
  C:\Windows\System32\zQdEgbr.exe
  2⤵
  PID:11860
- C:\Windows\System32\XNEJUJy.exe
  C:\Windows\System32\XNEJUJy.exe
  2⤵
  PID:11892
- C:\Windows\System32\OQuvplf.exe
  C:\Windows\System32\OQuvplf.exe
  2⤵
  PID:11920
- C:\Windows\System32\JaiCdrM.exe
  C:\Windows\System32\JaiCdrM.exe
  2⤵
  PID:11948
- C:\Windows\System32\YrrfnhO.exe
  C:\Windows\System32\YrrfnhO.exe
  2⤵
  PID:11976
- C:\Windows\System32\LzFyjlE.exe
  C:\Windows\System32\LzFyjlE.exe
  2⤵
  PID:12008
- C:\Windows\System32\UbCyGEO.exe
  C:\Windows\System32\UbCyGEO.exe
  2⤵
  PID:12036
- C:\Windows\System32\KoZRfnM.exe
  C:\Windows\System32\KoZRfnM.exe
  2⤵
  PID:12068
- C:\Windows\System32\AvsePTU.exe
  C:\Windows\System32\AvsePTU.exe
  2⤵
  PID:12096
- C:\Windows\System32\dBjDPiW.exe
  C:\Windows\System32\dBjDPiW.exe
  2⤵
  PID:12124
- C:\Windows\System32\BCNusio.exe
  C:\Windows\System32\BCNusio.exe
  2⤵
  PID:12152
- C:\Windows\System32\yQmmsjb.exe
  C:\Windows\System32\yQmmsjb.exe
  2⤵
  PID:12180
- C:\Windows\System32\vVxufgT.exe
  C:\Windows\System32\vVxufgT.exe
  2⤵
  PID:12212
- C:\Windows\System32\hvEKiEU.exe
  C:\Windows\System32\hvEKiEU.exe
  2⤵
  PID:12236
- C:\Windows\System32\NRinHga.exe
  C:\Windows\System32\NRinHga.exe
  2⤵
  PID:12272
- C:\Windows\System32\rkCueyz.exe
  C:\Windows\System32\rkCueyz.exe
  2⤵
  PID:11276
- C:\Windows\System32\YkpCgvb.exe
  C:\Windows\System32\YkpCgvb.exe
  2⤵
  PID:11356
- C:\Windows\System32\sQeHuqz.exe
  C:\Windows\System32\sQeHuqz.exe
  2⤵
  PID:11412
- C:\Windows\System32\XhjmOjm.exe
  C:\Windows\System32\XhjmOjm.exe
  2⤵
  PID:11476
- C:\Windows\System32\vGglQfU.exe
  C:\Windows\System32\vGglQfU.exe
  2⤵
  PID:11528
- C:\Windows\System32\mUVRYVF.exe
  C:\Windows\System32\mUVRYVF.exe
  2⤵
  PID:11604
- C:\Windows\System32\jighAUe.exe
  C:\Windows\System32\jighAUe.exe
  2⤵
  PID:11676
- C:\Windows\System32\PrHLmyD.exe
  C:\Windows\System32\PrHLmyD.exe
  2⤵
  PID:11760
- C:\Windows\System32\CsmDcuA.exe
  C:\Windows\System32\CsmDcuA.exe
  2⤵
  PID:11820
- C:\Windows\System32\hSyClWR.exe
  C:\Windows\System32\hSyClWR.exe
  2⤵
  PID:11904
- C:\Windows\System32\UyYKUoD.exe
  C:\Windows\System32\UyYKUoD.exe
  2⤵
  PID:11940
- C:\Windows\System32\gRlrnjO.exe
  C:\Windows\System32\gRlrnjO.exe
  2⤵
  PID:11996
- C:\Windows\System32\sGzYDmM.exe
  C:\Windows\System32\sGzYDmM.exe
  2⤵
  PID:12048
- C:\Windows\System32\LqszDaZ.exe
  C:\Windows\System32\LqszDaZ.exe
  2⤵
  PID:12120
- C:\Windows\System32\rOHcGqD.exe
  C:\Windows\System32\rOHcGqD.exe
  2⤵
  PID:11880
- C:\Windows\System32\jcEyzTt.exe
  C:\Windows\System32\jcEyzTt.exe
  2⤵
  PID:12256
- C:\Windows\System32\TWSVGBG.exe
  C:\Windows\System32\TWSVGBG.exe
  2⤵
  PID:11332
- C:\Windows\System32\gbpuNKs.exe
  C:\Windows\System32\gbpuNKs.exe
  2⤵
  PID:11500
- C:\Windows\System32\TtYUyco.exe
  C:\Windows\System32\TtYUyco.exe
  2⤵
  PID:11660
- C:\Windows\System32\QzJopDh.exe
  C:\Windows\System32\QzJopDh.exe
  2⤵
  PID:11816
- C:\Windows\System32\MVVmtxR.exe
  C:\Windows\System32\MVVmtxR.exe
  2⤵
  PID:3936
- C:\Windows\System32\ELbmEIm.exe
  C:\Windows\System32\ELbmEIm.exe
  2⤵
  PID:12116
- C:\Windows\System32\xFkzsTK.exe
  C:\Windows\System32\xFkzsTK.exe
  2⤵
  PID:12248
- C:\Windows\System32\fvIObHz.exe
  C:\Windows\System32\fvIObHz.exe
  2⤵
  PID:11556
- C:\Windows\System32\YnIYkeQ.exe
  C:\Windows\System32\YnIYkeQ.exe
  2⤵
  PID:11888
- C:\Windows\System32\RJSOwfS.exe
  C:\Windows\System32\RJSOwfS.exe
  2⤵
  PID:4292
- C:\Windows\System32\WVtqrmI.exe
  C:\Windows\System32\WVtqrmI.exe
  2⤵
  PID:11632
- C:\Windows\System32\ZQHrBRh.exe
  C:\Windows\System32\ZQHrBRh.exe
  2⤵
  PID:11452
- C:\Windows\System32\SjGxxUL.exe
  C:\Windows\System32\SjGxxUL.exe
  2⤵
  PID:12300
- C:\Windows\System32\LtzxUYB.exe
  C:\Windows\System32\LtzxUYB.exe
  2⤵
  PID:12328
- C:\Windows\System32\BZrlHUq.exe
  C:\Windows\System32\BZrlHUq.exe
  2⤵
  PID:12356
- C:\Windows\System32\RimgeNj.exe
  C:\Windows\System32\RimgeNj.exe
  2⤵
  PID:12384
- C:\Windows\System32\CdemrFE.exe
  C:\Windows\System32\CdemrFE.exe
  2⤵
  PID:12416
- C:\Windows\System32\dqEtiOJ.exe
  C:\Windows\System32\dqEtiOJ.exe
  2⤵
  PID:12448
- C:\Windows\System32\hFDAjTy.exe
  C:\Windows\System32\hFDAjTy.exe
  2⤵
  PID:12476
- C:\Windows\System32\MAwuvCy.exe
  C:\Windows\System32\MAwuvCy.exe
  2⤵
  PID:12504
- C:\Windows\System32\pqGXNCp.exe
  C:\Windows\System32\pqGXNCp.exe
  2⤵
  PID:12532
- C:\Windows\System32\pwaoeJG.exe
  C:\Windows\System32\pwaoeJG.exe
  2⤵
  PID:12560
- C:\Windows\System32\ENIIFYd.exe
  C:\Windows\System32\ENIIFYd.exe
  2⤵
  PID:12588
- C:\Windows\System32\olvLbEO.exe
  C:\Windows\System32\olvLbEO.exe
  2⤵
  PID:12616
- C:\Windows\System32\qDlvhOw.exe
  C:\Windows\System32\qDlvhOw.exe
  2⤵
  PID:12644
- C:\Windows\System32\BtAFMIw.exe
  C:\Windows\System32\BtAFMIw.exe
  2⤵
  PID:12672
- C:\Windows\System32\ShLizMz.exe
  C:\Windows\System32\ShLizMz.exe
  2⤵
  PID:12700
- C:\Windows\System32\bLgyYdw.exe
  C:\Windows\System32\bLgyYdw.exe
  2⤵
  PID:12728
- C:\Windows\System32\tqNqcmO.exe
  C:\Windows\System32\tqNqcmO.exe
  2⤵
  PID:12756
- C:\Windows\System32\ZxCvsgQ.exe
  C:\Windows\System32\ZxCvsgQ.exe
  2⤵
  PID:12784
- C:\Windows\System32\GUIbdYY.exe
  C:\Windows\System32\GUIbdYY.exe
  2⤵
  PID:12812
- C:\Windows\System32\XeoGUPS.exe
  C:\Windows\System32\XeoGUPS.exe
  2⤵
  PID:12840
- C:\Windows\System32\ARCzHDT.exe
  C:\Windows\System32\ARCzHDT.exe
  2⤵
  PID:12868
- C:\Windows\System32\psBvGvr.exe
  C:\Windows\System32\psBvGvr.exe
  2⤵
  PID:12900
- C:\Windows\System32\EtCjdmI.exe
  C:\Windows\System32\EtCjdmI.exe
  2⤵
  PID:12936
- C:\Windows\System32\rRHKSna.exe
  C:\Windows\System32\rRHKSna.exe
  2⤵
  PID:12960
- C:\Windows\System32\mSYHQiZ.exe
  C:\Windows\System32\mSYHQiZ.exe
  2⤵
  PID:12988
- C:\Windows\System32\CQuhpGe.exe
  C:\Windows\System32\CQuhpGe.exe
  2⤵
  PID:13020
- C:\Windows\System32\bTEGZgW.exe
  C:\Windows\System32\bTEGZgW.exe
  2⤵
  PID:13044
- C:\Windows\System32\JKdFXbA.exe
  C:\Windows\System32\JKdFXbA.exe
  2⤵
  PID:13072
- C:\Windows\System32\CEgFZUh.exe
  C:\Windows\System32\CEgFZUh.exe
  2⤵
  PID:13100
- C:\Windows\System32\mbCYStS.exe
  C:\Windows\System32\mbCYStS.exe
  2⤵
  PID:13128
- C:\Windows\System32\YphxElA.exe
  C:\Windows\System32\YphxElA.exe
  2⤵
  PID:13156
- C:\Windows\System32\xaqyewn.exe
  C:\Windows\System32\xaqyewn.exe
  2⤵
  PID:13184
- C:\Windows\System32\ddfreTx.exe
  C:\Windows\System32\ddfreTx.exe
  2⤵
  PID:13212
- C:\Windows\System32\XdCmGBF.exe
  C:\Windows\System32\XdCmGBF.exe
  2⤵
  PID:13240
- C:\Windows\System32\PylYQDc.exe
  C:\Windows\System32\PylYQDc.exe
  2⤵
  PID:13268
- C:\Windows\System32\MVVGYOQ.exe
  C:\Windows\System32\MVVGYOQ.exe
  2⤵
  PID:13296
- C:\Windows\System32\GDozZoH.exe
  C:\Windows\System32\GDozZoH.exe
  2⤵
  PID:12320
- C:\Windows\System32\vgjMbBF.exe
  C:\Windows\System32\vgjMbBF.exe
  2⤵
  PID:12376
- C:\Windows\System32\NIVoQlv.exe
  C:\Windows\System32\NIVoQlv.exe
  2⤵
  PID:12444
- C:\Windows\System32\LLdfzYD.exe
  C:\Windows\System32\LLdfzYD.exe
  2⤵
  PID:12516
- C:\Windows\System32\ABidrvT.exe
  C:\Windows\System32\ABidrvT.exe
  2⤵
  PID:12580
- C:\Windows\System32\ceFRelq.exe
  C:\Windows\System32\ceFRelq.exe
  2⤵
  PID:12640
- C:\Windows\System32\yWrWhNk.exe
  C:\Windows\System32\yWrWhNk.exe
  2⤵
  PID:12712
- C:\Windows\System32\rYtQuqo.exe
  C:\Windows\System32\rYtQuqo.exe
  2⤵
  PID:12780
- C:\Windows\System32\HGraLET.exe
  C:\Windows\System32\HGraLET.exe
  2⤵
  PID:12836
- C:\Windows\System32\smuZumu.exe
  C:\Windows\System32\smuZumu.exe
  2⤵
  PID:12912
- C:\Windows\System32\KpGPkQK.exe
  C:\Windows\System32\KpGPkQK.exe
  2⤵
  PID:4808
- C:\Windows\System32\npOgIEy.exe
  C:\Windows\System32\npOgIEy.exe
  2⤵
  PID:12972
- C:\Windows\System32\jydxCdE.exe
  C:\Windows\System32\jydxCdE.exe
  2⤵
  PID:13036
- C:\Windows\System32\gMXZyou.exe
  C:\Windows\System32\gMXZyou.exe
  2⤵
  PID:13096
- C:\Windows\System32\WQnFOPj.exe
  C:\Windows\System32\WQnFOPj.exe
  2⤵
  PID:13168
- C:\Windows\System32\HUpuuQq.exe
  C:\Windows\System32\HUpuuQq.exe
  2⤵
  PID:13236
- C:\Windows\System32\UAPSfYS.exe
  C:\Windows\System32\UAPSfYS.exe
  2⤵
  PID:13308
- C:\Windows\System32\VMOGHZq.exe
  C:\Windows\System32\VMOGHZq.exe
  2⤵
  PID:12428
- C:\Windows\System32\fGfHKoj.exe
  C:\Windows\System32\fGfHKoj.exe
  2⤵
  PID:12572
- C:\Windows\System32\CVXPcGe.exe
  C:\Windows\System32\CVXPcGe.exe
  2⤵
  PID:12696
- C:\Windows\System32\elxGOsu.exe
  C:\Windows\System32\elxGOsu.exe
  2⤵
  PID:12892
- C:\Windows\System32\LcepBSi.exe
  C:\Windows\System32\LcepBSi.exe
  2⤵
  PID:12952
- C:\Windows\System32\MfkuOhb.exe
  C:\Windows\System32\MfkuOhb.exe
  2⤵
  PID:13092
- C:\Windows\System32\PwviTNW.exe
  C:\Windows\System32\PwviTNW.exe
  2⤵
  PID:13264
- C:\Windows\System32\cdVXGvj.exe
  C:\Windows\System32\cdVXGvj.exe
  2⤵
  PID:12544
- C:\Windows\System32\OwrLJoD.exe
  C:\Windows\System32\OwrLJoD.exe
  2⤵
  PID:12832
- C:\Windows\System32\pcCzJpq.exe
  C:\Windows\System32\pcCzJpq.exe
  2⤵
  PID:12496
- C:\Windows\System32\VGeqPCP.exe
  C:\Windows\System32\VGeqPCP.exe
  2⤵
  PID:13344
- C:\Windows\System32\TBYALWr.exe
  C:\Windows\System32\TBYALWr.exe
  2⤵
  PID:13384
- C:\Windows\System32\PnyATdb.exe
  C:\Windows\System32\PnyATdb.exe
  2⤵
  PID:13404
- C:\Windows\System32\IMMrHZb.exe
  C:\Windows\System32\IMMrHZb.exe
  2⤵
  PID:13472
- C:\Windows\System32\cNoOdOZ.exe
  C:\Windows\System32\cNoOdOZ.exe
  2⤵
  PID:13508

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AUsXdLY.exe

Filesize
3.3MB

MD5
3020dca040be738b07dab56264a46682

SHA1
b2b440ba611ee91dae80c9d476f133a7bfe751ff

SHA256
6d80a2aa045b7f69006338d012cb7917d464973e51c859ea6da615acad565e0c

SHA512
5d958267d97dfbbaffafe7cc1a09098af7275853b43543174dfca38875b9d340e7f6c3df5a734003f4e96e94ac26da22c42f7465348725e015dcdbabebe5ead7

Download Submit
C:\Windows\System32\BxipFlR.exe

Filesize
3.3MB

MD5
2a10d88947cab823b34439c5171757cf

SHA1
e4f5f0603d9fb4a62f2ab14fa3acda1e96810b5f

SHA256
48ec355f3f906f99ec7e24859a0dd0b0569f3e7a87a1653d7a2559e75df13100

SHA512
71778a7b9dbe2cc37e8454c3fda2134966943a83e1447d328472d61c096a123cf7fe1af3e622dc7178e4cc35f12ba8f76c8b8b721e0adc711766483272145a03

Download Submit
C:\Windows\System32\DvNMrNJ.exe

Filesize
3.3MB

MD5
b7f773ead5c57f6d80a49c1fe73fd84d

SHA1
ed8e2f4cf1a02dd228ad82c39b4faba0a9cd3af2

SHA256
cd9c93dff7de22bf8d5944f7a1a90ff46c759ad420461b633d5b81e9fdb4a80a

SHA512
40ada84478a8decb21d2fcabbba2861357476ebe9e6c23e95c9197449b04d9774c2e7bf14350cce22e61af7566478c7f7db7a6766aa312d1f5ec57e15f1aeedb

Download Submit
C:\Windows\System32\FMxDvsb.exe

Filesize
3.3MB

MD5
4b50cd985816323ba19b2ce691f261d0

SHA1
3b02cffa06642981717dc03a83681f9b3069df51

SHA256
ed55b9365ab213253b41059e9b9c515d5f3d70aa357bd41fe02e2c8eb9f3c660

SHA512
296e183dd1d99494e7b02c118633644c4989810ce5b0159acddd8f8cc3921e1b2829a9ec63d1cfd9e7959e1b5aa3650d2e94f65253695789fa97595ca106964c

Download Submit
C:\Windows\System32\GAuErWB.exe

Filesize
3.3MB

MD5
a1529d2eb08f2baf8044581c135f01b3

SHA1
70614be916332f6488c91d7c11ed04b0d4aaf14d

SHA256
004fc7d564cf20d20b78abc8e622f5ed7fd81bceaddd9e657cfff80574911031

SHA512
e4010e84f0608037670ecdb4cbf700cde3485d103935caa2e5b077eea017a2e05f72d17455173aa503d1fd838771f259cf30f040f1939facfdbaddbffb095496

Download Submit
C:\Windows\System32\IjWOrBn.exe

Filesize
3.3MB

MD5
53a4d1707be2f2174cf8cfd1c8c1ef13

SHA1
733a0c9e76dfe8a5faeafd2b29b2440b503aa79c

SHA256
17c79c275e16d6433780e874107df05c5be3181ee950a18f9b7d33ce4b0fde35

SHA512
c6034b35a7539dc6ccef25fdf9217a54311057d2f32fbe39834a1ab9c33f28ef25f519c270ee1949bdbe5d6df212ec04d39398fc7817d25badb7e8352de65dc7

Download Submit
C:\Windows\System32\JnnZyTQ.exe

Filesize
3.3MB

MD5
eb09dbfe6077684a26f448a996b2ade9

SHA1
44479646e39e0a6fec9ea22756273776314c5c26

SHA256
85a6ada6b8849bc8e889ae2672bf70722c0f1dd7eb470b58b36608afdf1131a1

SHA512
d7e5e373f9d0b459f0520bf2b9073a8530118ed10d85f58e16d2a03f175bb95708f6e4008c7afc169a2b877a2aaa0bb03e4c808a39dc573889dabcfaeddbd158

Download Submit
C:\Windows\System32\QMmfPvX.exe

Filesize
3.3MB

MD5
be764f4fd497c8d3af1d5b8b91467f4b

SHA1
6a05a7e84303f2263744dd465d8dc4083e98b12c

SHA256
b65218a6bfb9d7fadc3b1fa448bdeb2aa00b92dc3e86d50d7ce6eff7da66b0ca

SHA512
291a6be4b00516d25b669643c6d05bcc8f93c842f0f5ca2ec1562d48282aa8931a850e9422dd4d904926e6dcc3dc280057825b1b7a2d7d66d0704973dcb5b62b

Download Submit
C:\Windows\System32\TKrwFAu.exe

Filesize
3.3MB

MD5
61e48539c7fffcf8c22b0dce0a8838d0

SHA1
f1e542d8a81c8c271b833f640992a583d0a78e0b

SHA256
5dc07ec571c57c51cecb439484c1769c3d5b33365218f88cd3e6feea115e1e0d

SHA512
9e749968c0c02bd8e791a56ceee27c94240e4fa126942c899657e720fb64cef27ddc550f1a6750f9cec29a7295e15906ec30c8abb562dc79a28c1ae46db7223e

Download Submit
C:\Windows\System32\UanlooS.exe

Filesize
3.3MB

MD5
9fff5db206d6e411b2736af29f013ac6

SHA1
6a55fea0d99561cc67bfdffa5a9dc47ee1ed4f8f

SHA256
b9536ac23dcf97ea3e4ac6d57514bcf265a1ab128879c0c2c67435974e21864f

SHA512
06ab706f1e4cde7fb3e4980f5632f20ce7f764e5458efbbe2f447f845647f414604e012fbbae4680d3ea37db2c14a9a1764e891d01cee2ec02c7197dba64cef7

Download Submit
C:\Windows\System32\XLzsDsF.exe

Filesize
3.3MB

MD5
5f86eb873097d4a5d0b576e3eb7449fa

SHA1
bfe7afadd59e5b3063599af33d2c2be4ae62fb0c

SHA256
632380e96ef0142a2b1c328edfd065bbf67da8ea67cbf7a0cd634fe355dba444

SHA512
b732a484b4cd8590ac170ae41056ed4ff6e38774e32b4b3905a924d6fedc281950040f0188865b1ce8a4991946ba7df715d77039fd942b20ca51fd5d93c6ddc7

Download Submit
C:\Windows\System32\aGBqgAj.exe

Filesize
3.3MB

MD5
581e76779d3da4b86ca1bde96499bfeb

SHA1
51e31f1b7b70eed5e6f455079b049d1e3f854085

SHA256
293fa41b3847ef8c9e592e96ba4e66120086ad7e5ca65e93a437e585f34975f4

SHA512
60bff4d4596af19f03c500dd7674266b97d00daeadd353718f68a4a7c2169997235d53c15c6a36ef67cdc88469e517adf47301faf79a6df00fca3db11ccd0ea2

Download Submit
C:\Windows\System32\biEFlds.exe

Filesize
3.3MB

MD5
e89f524b3f00719da8c06d7b47d65ed9

SHA1
0ab9dc96915d8474077d56e194375688f7e21b5d

SHA256
c2180d329db783947a36074b76c947afd1ab84f451d6a835ae66dfdcd76006a5

SHA512
007894c4a89a2828fa231490b7768a77b7a78592dad09d773c25b6288aa6065894d14f7dee31cad64da294d1ab500cffbb8c31c146380b90f1741c7899375a7a

Download Submit
C:\Windows\System32\buWqYxj.exe

Filesize
3.3MB

MD5
dd569475cd8882487ed475455cdde44f

SHA1
23ee922c3fe1369d1250cdd8c7156864f314cb9b

SHA256
931e381d132eaf20bef539de494ef529c922a42355068f4322e09bf4173d17d7

SHA512
b49c9467e9a11e2ae45c33efa8117249e795edfe9286f460214c6f0725a3072400a088377019dc2aa2600baee5f21eed0647e1f9961999d2d49a5593f8be140b

Download Submit
C:\Windows\System32\cZLanUm.exe

Filesize
3.3MB

MD5
15ded30746d404a438c893853ce26a44

SHA1
4163f41f0876313fee32799c78802e25465a72f6

SHA256
23a86835398997cd78b433798b8e0043d27b7824b73e41ef312616cb2e65e613

SHA512
6945284a682abad8fb33e5ab7f50f123e3f5f3a4c26fff8102b91515699e93eafd8681c206800b3fa48e6edfa0a489e22aa423f47093e964b3e18d5d0accfc96

Download Submit
C:\Windows\System32\fgrEemM.exe

Filesize
3.3MB

MD5
20579c02d835af3d5efe92d876d9bd34

SHA1
70b72ef463730f630b2b09ce2284064c611dd685

SHA256
6cfe771dc5d70bba2d64b5e7cc4cb9429a95f2ee19aeaa86606b3ba697b13485

SHA512
f5e581ad0562ce8716a647923329fc28baa52075cc58b3d683cf0eb8be92ccbe60382d7d957ed9e178dbd8916197e428896b23f147467963a6654186701e422f

Download Submit
C:\Windows\System32\hDurOyN.exe

Filesize
3.3MB

MD5
3dbb73f3deea205fed3931a50e937879

SHA1
8cdffe4e14256ed366edefd045438263c47503f3

SHA256
e6894ff2c0585aacd9f4767fbc3e18a06bc80ee17bba1dea5608daebb027b1d5

SHA512
35bc46103d91e3112867c0807cb21622351c5577313eb4d8d8a35077bf2dadfe469fbd82720561b2976198b55c9aea081817fa0f1402f1df4ac379e0996791fe

Download Submit
C:\Windows\System32\hYdqlzP.exe

Filesize
3.3MB

MD5
f24f858aede98461fbaa6599b9e49852

SHA1
188a83d1914845c5aca8f2cd16db7cf9f2f4ac35

SHA256
57c975e90cf65934aa48aa24b52cd42bd77e9436a0c5708e547e980903d41993

SHA512
ad35fe6cb3ea3feb7a2a51688ff3473566ea7b93100a17d895585aa76196431821e47a07144409904b55d8a137365bb2d2844919bddb16298060e501da256ee3

Download Submit
C:\Windows\System32\iYjwNut.exe

Filesize
3.3MB

MD5
10dda6019c77d2c0d85e4c5e06f44269

SHA1
9cea36915fdf19eb4ddf1efdebdf6a4b53fd1079

SHA256
82e0fac7cdab6ee1f5e1a30df5a1a236b68bf54fe2a922a1f45b09752f755c87

SHA512
6b16f3d8be970dffe8507435d382787f200e4672a10e2183d8654988d15561f499f25c27c8a64226fe95782a39c05c061d189ea6b61e51436037bb0754845060

Download Submit
C:\Windows\System32\klJzIVn.exe

Filesize
3.3MB

MD5
24e6f7de8a6db3ce4b814ba49deedc84

SHA1
4aae80460a69cf23ef36869e0483810a6f67356f

SHA256
aa86027727e135558f575be18623d17a942998214010e005bdb47b026a1fdc4d

SHA512
54c47813160abac6744186761b01c1ba1c2a84b7e56a9eb451ed84a9f4b1e2a08d6188de229493bb8e4df59e8a922142943eff2e1b63d55b7600fa8efb7e44a4

Download Submit
C:\Windows\System32\lOykmPD.exe

Filesize
3.3MB

MD5
dbc7c174d65da1ea54ef95c6ac28c7d5

SHA1
a6b4e549f5489d332708b52ed3f8e648f260a395

SHA256
d676cec2c14ff817d5f998ec531c9fe7f35293b77cc4440e8295966768f604a7

SHA512
903bcd99a5128757da9578933d59d6a531a1a42001c54ba9f5737bb016b397ef33fc9f4dd235b1c4df9f1cc907d381497728fbeaa05e6814ba009579f6c3a3f9

Download Submit
C:\Windows\System32\lxCYBYQ.exe

Filesize
3.3MB

MD5
ec04600d2230fe4b6d951957528aa326

SHA1
b90ef7eb95a518b724690eb9bbe740c6aa485e24

SHA256
4d2f1f0c113b54d787cf4e406c0d5799f28d2f6bf4379777d1ba873cd62313bd

SHA512
05c6930be9144337b966e4143c7e28b54cc55bc166af98761203dcd7952a2a8f2c45d5e57c3aa99ded2d3ae9117c15dd3ffd7cee7d5469f6ad377ee6b09183ae

Download Submit
C:\Windows\System32\mxLVsJt.exe

Filesize
3.3MB

MD5
5e7354ed8bcef5a8cc74678c796c404f

SHA1
3edc691e35bf05d47e4738eafd0f73c02e7b205c

SHA256
3db482a86ff47bbc8cb7786608b48ec697bbf26281152c2d9da66fa30614a52b

SHA512
34d5b3bc37a1f3810cc9ad16caa8fb186e265b7e23c0905c4d2416a2f480e20741ae76c9c2b25ec2778fd57d959c0a1a9e58566c9eb45e16102518d25b09c456

Download Submit
C:\Windows\System32\nKhKzuE.exe

Filesize
3.3MB

MD5
ccda4b6fb142e2c753f41acd8fdc4f57

SHA1
8811cc44e4dd91332495a27a55f0ec330daaa46b

SHA256
3dc24e549f4b6aedbf1127bbb816c801b9fc4734457cddf8e6d480e4547ab00b

SHA512
d1730589307ff306566eec600a424eaa9058bdb663cc2fb649f7b03d7092e6ef03a6c9c98afea5e8fae445c3e314bd306dded772d486f862ecfa1b65d4606abb

Download Submit
C:\Windows\System32\nShEWkr.exe

Filesize
3.3MB

MD5
4d8a0fbbf87cef3f35b6f4c542ade790

SHA1
d81a6bcead097aac2eb1af7e2315121d020b8119

SHA256
e132fb9a6b2e264aef413d9c709ba768f887ffb86a5abff6ee9cc5f80d53c216

SHA512
7c876450fa68b107db4f4fc2e4a5a8f0b0afc523f0ff029119cd989084e9924ad6ac5e9c148b14d06f1e806733d3e4f1569510668280dc3d3e2f62e4e7341ace

Download Submit
C:\Windows\System32\phRoiuj.exe

Filesize
3.3MB

MD5
74098a800d475385305e44eda757c8ab

SHA1
296e526869afd5a07a6c692036ef3aefd5592fd3

SHA256
67095b49450730bdae52a6f33ff90634ff17dcc6a5624921e0310312d76443a5

SHA512
fc3580c0f1ede66a5e250571528658ddbabde217bc0022afa9d3b2c69dc7becc1b2b5e1f5d6e4c65bdff3dd68a9fb710b916c65c9c8fd5fd79431b885a494ade

Download Submit
C:\Windows\System32\qnnUyNE.exe

Filesize
3.3MB

MD5
61704c9504b4356e136f499488c60947

SHA1
f6325445dd4173b13840b0eb9325a57720b771fa

SHA256
c2f3d77a60f4499efb4ad11225c0d9831b3db10bc6c9970eb4b3383199148896

SHA512
a890f4cc035a0356a70518c43c86985de029de72f2226b9a7e04158cb7ece59d56fb181c26e121adb025adc4da9d3b2ea6f5ad8d52c7ace9bbf08a294b19576e

Download Submit
C:\Windows\System32\ssGzinq.exe

Filesize
3.3MB

MD5
13088b5c899c8e2fd87bccd5593455f8

SHA1
21c86c15b4c60416f29b238c89bd68279d50760b

SHA256
041044c5acc2790384657629fa7948c6053d0c3c7c6ae18f5819e51b35be9b94

SHA512
cfaef39b5465e5237e221c5cedfc863f64c3f1671d9c1cea67ccbc220fbcd2a6671219686333c23ca8747fdc27dc121814603c48508541147cfe9fc23a3d0feb

Download Submit
C:\Windows\System32\swIaHEG.exe

Filesize
3.3MB

MD5
fae1039e15deb55790087e11fca22e7a

SHA1
6836689d7978a60510c4f94e5d633778d606139e

SHA256
e13dc9374f7540fd65ceafa89612836323a613a0a80126e1264a67a09dc34ca0

SHA512
c67d8530bdb69ba9eb298b3e0d3f5f6fd988db54202b1cc7ef2142bb4f0a70c3191514983560ea18c8debcbda3e5f694cd6d59165666ccc9ec7360a8d7d88931

Download Submit
C:\Windows\System32\tWwaAeJ.exe

Filesize
3.3MB

MD5
2ee63df5ca18e691797c7a794bfd37b2

SHA1
77c94003ebe3d055939ee84eaebccb91041e8902

SHA256
3499443ec65cc77695729fd8d4ddffc50de2358e535e760fa88efcdae06a67ea

SHA512
8847022117d1c7cf597fc78192199c4aa259b6aeb795657af4ce4a46a23cae37ecd424374d754fefb9f25dbcba92d4c12c987d9ce602abf9ac2853c655a4d1df

Download Submit
C:\Windows\System32\yFuyqIk.exe

Filesize
3.3MB

MD5
2b2b3520c48eb3eef2d053ea2fd01e00

SHA1
c4d682448f56327f1ef810248c21ecbbe38c1e3e

SHA256
0e8bb815bb56a8b927e939402579b41f7c7f20ae0b2859198a83662d66b49d03

SHA512
3bd090a223f496c8ea13d5484b8a7d757af5235d87538e815b6d6340e3f932d0bf25a183c16a4f63f2004b5ca85ecbf6cc91384805c51e7c688eebb6b6a2a4fc

Download Submit
C:\Windows\System32\zImTKOf.exe

Filesize
3.3MB

MD5
dccb99092e856e7055aad4f771d517c9

SHA1
eec4ec2ffe23533b1ea14ffe8a1f317c2e031b19

SHA256
e97756cbd97173a340f0bcd6005e687ed57c36d13ad2e540c24fb671ec1ba9d4

SHA512
015db12345b36db50b1661cce93fba8a378e54a66271a245d6353decc7bebf75ecc78c4a9fc01a67958bafa591cadf14aac165b1508c9e7d939f9ce105d76ef6

Download Submit
memory/564-1905-0x00007FF7BE5F0000-0x00007FF7BE9E5000-memory.dmp

Filesize
4.0MB

Download
memory/564-660-0x00007FF7BE5F0000-0x00007FF7BE9E5000-memory.dmp

Filesize
4.0MB

Download
memory/652-1906-0x00007FF626BE0000-0x00007FF626FD5000-memory.dmp

Filesize
4.0MB

Download
memory/652-696-0x00007FF626BE0000-0x00007FF626FD5000-memory.dmp

Filesize
4.0MB

Download
memory/1432-1901-0x00007FF6CB400000-0x00007FF6CB7F5000-memory.dmp

Filesize
4.0MB

Download
memory/1432-59-0x00007FF6CB400000-0x00007FF6CB7F5000-memory.dmp

Filesize
4.0MB

Download
memory/1572-663-0x00007FF7B15F0000-0x00007FF7B19E5000-memory.dmp

Filesize
4.0MB

Download
memory/1572-1909-0x00007FF7B15F0000-0x00007FF7B19E5000-memory.dmp

Filesize
4.0MB

Download
memory/1888-14-0x00007FF615460000-0x00007FF615855000-memory.dmp

Filesize
4.0MB

Download
memory/1888-1896-0x00007FF615460000-0x00007FF615855000-memory.dmp

Filesize
4.0MB

Download
memory/2164-1910-0x00007FF69D320000-0x00007FF69D715000-memory.dmp

Filesize
4.0MB

Download
memory/2164-659-0x00007FF69D320000-0x00007FF69D715000-memory.dmp

Filesize
4.0MB

Download
memory/2316-1898-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp

Filesize
4.0MB

Download
memory/2316-28-0x00007FF7E2A60000-0x00007FF7E2E55000-memory.dmp

Filesize
4.0MB

Download
memory/2368-665-0x00007FF6E2200000-0x00007FF6E25F5000-memory.dmp

Filesize
4.0MB

Download
memory/2368-1912-0x00007FF6E2200000-0x00007FF6E25F5000-memory.dmp

Filesize
4.0MB

Download
memory/2380-667-0x00007FF7CDA90000-0x00007FF7CDE85000-memory.dmp

Filesize
4.0MB

Download
memory/2380-1914-0x00007FF7CDA90000-0x00007FF7CDE85000-memory.dmp

Filesize
4.0MB

Download
memory/2460-26-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp

Filesize
4.0MB

Download
memory/2460-1897-0x00007FF7C4390000-0x00007FF7C4785000-memory.dmp

Filesize
4.0MB

Download
memory/2556-666-0x00007FF66CC70000-0x00007FF66D065000-memory.dmp

Filesize
4.0MB

Download
memory/2556-1913-0x00007FF66CC70000-0x00007FF66D065000-memory.dmp

Filesize
4.0MB

Download
memory/2596-1911-0x00007FF664790000-0x00007FF664B85000-memory.dmp

Filesize
4.0MB

Download
memory/2596-664-0x00007FF664790000-0x00007FF664B85000-memory.dmp

Filesize
4.0MB

Download
memory/2672-1907-0x00007FF616690000-0x00007FF616A85000-memory.dmp

Filesize
4.0MB

Download
memory/2672-65-0x00007FF616690000-0x00007FF616A85000-memory.dmp

Filesize
4.0MB

Download
memory/2672-1894-0x00007FF616690000-0x00007FF616A85000-memory.dmp

Filesize
4.0MB

Download
memory/3044-37-0x00007FF764540000-0x00007FF764935000-memory.dmp

Filesize
4.0MB

Download
memory/3044-1899-0x00007FF764540000-0x00007FF764935000-memory.dmp

Filesize
4.0MB

Download
memory/3112-1916-0x00007FF7B94C0000-0x00007FF7B98B5000-memory.dmp

Filesize
4.0MB

Download
memory/3112-683-0x00007FF7B94C0000-0x00007FF7B98B5000-memory.dmp

Filesize
4.0MB

Download
memory/3176-1918-0x00007FF784780000-0x00007FF784B75000-memory.dmp

Filesize
4.0MB

Download
memory/3176-673-0x00007FF784780000-0x00007FF784B75000-memory.dmp

Filesize
4.0MB

Download
memory/3224-1903-0x00007FF6BC750000-0x00007FF6BCB45000-memory.dmp

Filesize
4.0MB

Download
memory/3224-61-0x00007FF6BC750000-0x00007FF6BCB45000-memory.dmp

Filesize
4.0MB

Download
memory/3480-1900-0x00007FF720FF0000-0x00007FF7213E5000-memory.dmp

Filesize
4.0MB

Download
memory/3480-45-0x00007FF720FF0000-0x00007FF7213E5000-memory.dmp

Filesize
4.0MB

Download
memory/3512-1893-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp

Filesize
4.0MB

Download
memory/3512-1305-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp

Filesize
4.0MB

Download
memory/3512-0-0x00007FF6AB100000-0x00007FF6AB4F5000-memory.dmp

Filesize
4.0MB

Download
memory/3512-1-0x00000220A2B80000-0x00000220A2B90000-memory.dmp

Filesize
64KB

Download
memory/3688-658-0x00007FF6C2B50000-0x00007FF6C2F45000-memory.dmp

Filesize
4.0MB

Download
memory/3688-1902-0x00007FF6C2B50000-0x00007FF6C2F45000-memory.dmp

Filesize
4.0MB

Download
memory/4168-1917-0x00007FF6F0320000-0x00007FF6F0715000-memory.dmp

Filesize
4.0MB

Download
memory/4168-678-0x00007FF6F0320000-0x00007FF6F0715000-memory.dmp

Filesize
4.0MB

Download
memory/4424-1915-0x00007FF7EE3D0000-0x00007FF7EE7C5000-memory.dmp

Filesize
4.0MB

Download
memory/4424-686-0x00007FF7EE3D0000-0x00007FF7EE7C5000-memory.dmp

Filesize
4.0MB

Download
memory/4520-12-0x00007FF675290000-0x00007FF675685000-memory.dmp

Filesize
4.0MB

Download
memory/4520-1895-0x00007FF675290000-0x00007FF675685000-memory.dmp

Filesize
4.0MB

Download
memory/4668-661-0x00007FF6BE390000-0x00007FF6BE785000-memory.dmp

Filesize
4.0MB

Download
memory/4668-1904-0x00007FF6BE390000-0x00007FF6BE785000-memory.dmp

Filesize
4.0MB

Download
memory/5028-662-0x00007FF6E3C10000-0x00007FF6E4005000-memory.dmp

Filesize
4.0MB

Download
memory/5028-1908-0x00007FF6E3C10000-0x00007FF6E4005000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads