xmrig | 86b00a316956374517eda162854de7beae86f5ff4d98144846ad4eddd0690f5f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 11:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
Size

2.0MB
MD5

eb15c70333ec795e7dc72083a0e7f080
SHA1

89d1883be927863822180d12b45d2efb85fb26e1
SHA256

86b00a316956374517eda162854de7beae86f5ff4d98144846ad4eddd0690f5f
SHA512

36ef6ef5bf4449b58a54f5530a6c343d4ec728cd87519b4b3846abb134b039e68fb302281f7f00bc320c782b984f066818b7b32b2e98ef899ee903692600845f
SSDEEP

49152:knw9oUUEEDl37jcq4faV2MgTA0ImOSInFhEcIQzv:kQUEER

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2488-17-0x00007FF632610000-0x00007FF632A01000-memory.dmp	xmrig
behavioral2/memory/2592-47-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp	xmrig
behavioral2/memory/4832-59-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp	xmrig
behavioral2/memory/3644-307-0x00007FF7B2740000-0x00007FF7B2B31000-memory.dmp	xmrig
behavioral2/memory/1076-309-0x00007FF643000000-0x00007FF6433F1000-memory.dmp	xmrig
behavioral2/memory/3784-317-0x00007FF64C8A0000-0x00007FF64CC91000-memory.dmp	xmrig
behavioral2/memory/908-326-0x00007FF7A42C0000-0x00007FF7A46B1000-memory.dmp	xmrig
behavioral2/memory/3496-329-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	xmrig
behavioral2/memory/5064-337-0x00007FF646850000-0x00007FF646C41000-memory.dmp	xmrig
behavioral2/memory/2624-330-0x00007FF622AA0000-0x00007FF622E91000-memory.dmp	xmrig
behavioral2/memory/1448-341-0x00007FF60F080000-0x00007FF60F471000-memory.dmp	xmrig
behavioral2/memory/1032-344-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	xmrig
behavioral2/memory/1404-340-0x00007FF6F5F20000-0x00007FF6F6311000-memory.dmp	xmrig
behavioral2/memory/1148-339-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp	xmrig
behavioral2/memory/460-328-0x00007FF7453B0000-0x00007FF7457A1000-memory.dmp	xmrig
behavioral2/memory/4604-327-0x00007FF736B90000-0x00007FF736F81000-memory.dmp	xmrig
behavioral2/memory/3488-325-0x00007FF705270000-0x00007FF705661000-memory.dmp	xmrig
behavioral2/memory/4652-323-0x00007FF602310000-0x00007FF602701000-memory.dmp	xmrig
behavioral2/memory/4708-316-0x00007FF624F10000-0x00007FF625301000-memory.dmp	xmrig
behavioral2/memory/3240-315-0x00007FF7CEE80000-0x00007FF7CF271000-memory.dmp	xmrig
behavioral2/memory/1896-69-0x00007FF7AA3D0000-0x00007FF7AA7C1000-memory.dmp	xmrig
behavioral2/memory/4108-62-0x00007FF70A8A0000-0x00007FF70AC91000-memory.dmp	xmrig
behavioral2/memory/3048-50-0x00007FF720E70000-0x00007FF721261000-memory.dmp	xmrig
behavioral2/memory/2300-1971-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp	xmrig
behavioral2/memory/2300-2015-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp	xmrig
behavioral2/memory/2488-2017-0x00007FF632610000-0x00007FF632A01000-memory.dmp	xmrig
behavioral2/memory/2592-2019-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp	xmrig
behavioral2/memory/3048-2021-0x00007FF720E70000-0x00007FF721261000-memory.dmp	xmrig
behavioral2/memory/1148-2023-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp	xmrig
behavioral2/memory/4832-2025-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp	xmrig
behavioral2/memory/4108-2027-0x00007FF70A8A0000-0x00007FF70AC91000-memory.dmp	xmrig
behavioral2/memory/1896-2029-0x00007FF7AA3D0000-0x00007FF7AA7C1000-memory.dmp	xmrig
behavioral2/memory/1404-2031-0x00007FF6F5F20000-0x00007FF6F6311000-memory.dmp	xmrig
behavioral2/memory/1448-2033-0x00007FF60F080000-0x00007FF60F471000-memory.dmp	xmrig
behavioral2/memory/3644-2035-0x00007FF7B2740000-0x00007FF7B2B31000-memory.dmp	xmrig
behavioral2/memory/4708-2043-0x00007FF624F10000-0x00007FF625301000-memory.dmp	xmrig
behavioral2/memory/3784-2045-0x00007FF64C8A0000-0x00007FF64CC91000-memory.dmp	xmrig
behavioral2/memory/3240-2041-0x00007FF7CEE80000-0x00007FF7CF271000-memory.dmp	xmrig
behavioral2/memory/1076-2039-0x00007FF643000000-0x00007FF6433F1000-memory.dmp	xmrig
behavioral2/memory/1032-2037-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	xmrig
behavioral2/memory/4652-2047-0x00007FF602310000-0x00007FF602701000-memory.dmp	xmrig
behavioral2/memory/460-2055-0x00007FF7453B0000-0x00007FF7457A1000-memory.dmp	xmrig
behavioral2/memory/908-2051-0x00007FF7A42C0000-0x00007FF7A46B1000-memory.dmp	xmrig
behavioral2/memory/3496-2057-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	xmrig
behavioral2/memory/2624-2059-0x00007FF622AA0000-0x00007FF622E91000-memory.dmp	xmrig
behavioral2/memory/4604-2053-0x00007FF736B90000-0x00007FF736F81000-memory.dmp	xmrig
behavioral2/memory/5064-2061-0x00007FF646850000-0x00007FF646C41000-memory.dmp	xmrig
behavioral2/memory/3488-2049-0x00007FF705270000-0x00007FF705661000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2300	NBZcAtL.exe
2488	glXCuYF.exe
2592	knWZhDV.exe
3048	luujxbk.exe
1148	sTWlRWi.exe
4832	pfxoFlP.exe
4108	KCHiuKm.exe
1896	vTJCnWA.exe
1404	PJulNDS.exe
3644	xBcbUbT.exe
1448	TpLUAxG.exe
1032	kZSXpps.exe
1076	CULPpwa.exe
3240	tRAuoSU.exe
4708	kKIgqoP.exe
3784	RiVTGFz.exe
4652	KfEpAQM.exe
3488	pebFPsA.exe
908	yJyEwoF.exe
4604	QOittbf.exe
460	qflmhTj.exe
3496	YycEQwh.exe
2624	yrEOFoq.exe
5064	VzbsESb.exe
4060	WmpsEtT.exe
3424	ixoKfae.exe
4860	ETSgKnE.exe
4344	twFfDxg.exe
1880	tgpJHKj.exe
4936	lbWfgxF.exe
1412	BXELbYe.exe
4520	iGFqIWs.exe
3156	cRsfdij.exe
5008	zvJuUJD.exe
1420	AXSxAtM.exe
408	ngHXIgW.exe
4356	epxXTqL.exe
3264	wTDUzOD.exe
1664	IpwrSfu.exe
4812	STDvcGj.exe
4924	XlLRZqX.exe
3908	HFnFBfO.exe
1080	PhHhfkN.exe
3148	LqIdTWI.exe
3700	QEyHJHD.exe
4380	KefZdnw.exe
3732	GapwEWa.exe
2456	FHPPWvP.exe
4636	AhdoIsP.exe
4052	TkIxjAK.exe
3756	OmyVWyR.exe
3296	jaLLPGR.exe
1968	KnDHkQQ.exe
3060	ToEtQBw.exe
660	gOQmAcv.exe
4552	azIpKUS.exe
956	UgjVGkW.exe
1528	pvRRAlc.exe
4304	xgALVhm.exe
4844	nFQyePU.exe
5020	bLpyZuX.exe
3776	tBgBQRJ.exe
2956	mlvsbyN.exe
4040	QVHwGcY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF768F80000-0x00007FF769371000-memory.dmp	upx
behavioral2/files/0x0008000000023445-5.dat	upx
behavioral2/files/0x0007000000023449-9.dat	upx
behavioral2/files/0x000700000002344b-19.dat	upx
behavioral2/files/0x000700000002344a-18.dat	upx
behavioral2/files/0x000700000002344c-28.dat	upx
behavioral2/files/0x000700000002344d-33.dat	upx
behavioral2/files/0x000700000002344e-36.dat	upx
behavioral2/memory/2488-17-0x00007FF632610000-0x00007FF632A01000-memory.dmp	upx
behavioral2/memory/2300-8-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp	upx
behavioral2/files/0x000700000002344f-41.dat	upx
behavioral2/memory/2592-47-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp	upx
behavioral2/files/0x0007000000023450-54.dat	upx
behavioral2/memory/4832-59-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp	upx
behavioral2/files/0x0007000000023451-66.dat	upx
behavioral2/files/0x0007000000023455-78.dat	upx
behavioral2/files/0x0007000000023457-88.dat	upx
behavioral2/files/0x0007000000023459-96.dat	upx
behavioral2/files/0x000700000002345a-103.dat	upx
behavioral2/files/0x000700000002345c-113.dat	upx
behavioral2/files/0x000700000002345e-121.dat	upx
behavioral2/files/0x0007000000023462-141.dat	upx
behavioral2/files/0x0007000000023467-166.dat	upx
behavioral2/memory/3644-307-0x00007FF7B2740000-0x00007FF7B2B31000-memory.dmp	upx
behavioral2/memory/1076-309-0x00007FF643000000-0x00007FF6433F1000-memory.dmp	upx
behavioral2/memory/3784-317-0x00007FF64C8A0000-0x00007FF64CC91000-memory.dmp	upx
behavioral2/memory/908-326-0x00007FF7A42C0000-0x00007FF7A46B1000-memory.dmp	upx
behavioral2/memory/3496-329-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp	upx
behavioral2/memory/5064-337-0x00007FF646850000-0x00007FF646C41000-memory.dmp	upx
behavioral2/memory/2624-330-0x00007FF622AA0000-0x00007FF622E91000-memory.dmp	upx
behavioral2/memory/1448-341-0x00007FF60F080000-0x00007FF60F471000-memory.dmp	upx
behavioral2/memory/1032-344-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp	upx
behavioral2/memory/1404-340-0x00007FF6F5F20000-0x00007FF6F6311000-memory.dmp	upx
behavioral2/memory/1148-339-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp	upx
behavioral2/memory/460-328-0x00007FF7453B0000-0x00007FF7457A1000-memory.dmp	upx
behavioral2/memory/4604-327-0x00007FF736B90000-0x00007FF736F81000-memory.dmp	upx
behavioral2/memory/3488-325-0x00007FF705270000-0x00007FF705661000-memory.dmp	upx
behavioral2/memory/4652-323-0x00007FF602310000-0x00007FF602701000-memory.dmp	upx
behavioral2/memory/4708-316-0x00007FF624F10000-0x00007FF625301000-memory.dmp	upx
behavioral2/memory/3240-315-0x00007FF7CEE80000-0x00007FF7CF271000-memory.dmp	upx
behavioral2/files/0x0007000000023466-163.dat	upx
behavioral2/files/0x0007000000023465-158.dat	upx
behavioral2/files/0x0007000000023464-153.dat	upx
behavioral2/files/0x0007000000023463-148.dat	upx
behavioral2/files/0x0007000000023461-138.dat	upx
behavioral2/files/0x0007000000023460-133.dat	upx
behavioral2/files/0x000700000002345f-128.dat	upx
behavioral2/files/0x000700000002345d-118.dat	upx
behavioral2/files/0x000700000002345b-108.dat	upx
behavioral2/files/0x0007000000023458-93.dat	upx
behavioral2/files/0x0007000000023456-83.dat	upx
behavioral2/files/0x0007000000023453-74.dat	upx
behavioral2/files/0x0007000000023454-71.dat	upx
behavioral2/memory/1896-69-0x00007FF7AA3D0000-0x00007FF7AA7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023452-68.dat	upx
behavioral2/memory/4108-62-0x00007FF70A8A0000-0x00007FF70AC91000-memory.dmp	upx
behavioral2/memory/3048-50-0x00007FF720E70000-0x00007FF721261000-memory.dmp	upx
behavioral2/memory/2300-1971-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp	upx
behavioral2/memory/2300-2015-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp	upx
behavioral2/memory/2488-2017-0x00007FF632610000-0x00007FF632A01000-memory.dmp	upx
behavioral2/memory/2592-2019-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp	upx
behavioral2/memory/3048-2021-0x00007FF720E70000-0x00007FF721261000-memory.dmp	upx
behavioral2/memory/1148-2023-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp	upx
behavioral2/memory/4832-2025-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\GapwEWa.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\UqOuQes.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\beBZpJH.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\gMCSvKO.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\krowKVU.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\aVflAIg.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\FDKuicC.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\jkLdiyQ.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\jPzYxXB.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\mmFHjfA.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\blZyJwE.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\MfMWmVM.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\ZgDQjhA.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\vRDGHTQ.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\SuxCEki.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\CsqGunM.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\VrJmTji.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\weEgRVA.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\GvlGDBC.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\oMrYyMB.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\NIFFPAE.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\nmMOhgf.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\vyKFKRF.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\TzRlMRE.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\rWZdICa.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\WyeSttW.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\itZGZxS.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\aMEXHWA.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\iKruRsN.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\rfQWTAi.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\dYDJobb.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\feaFGYZ.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\QteViYO.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\glXCuYF.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\LcOXBce.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\dLPksYD.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\omVoPNM.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\BsDlBtd.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\evOumkk.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\YLScnDj.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\sRBjuUH.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\KefZdnw.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\tBgBQRJ.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\fxyezJW.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\NGgvBKO.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\HbXbzgk.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\KilgxWh.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\yKDpUHW.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\iDAyRdL.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\ZVVPNKR.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\aIbVJxp.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\LTFadpk.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\dKawzYH.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\JEOkhDg.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\SxlkMEc.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\RiVTGFz.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\ZBCLnMC.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\EpFuvXo.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\gkfgUMK.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\LgUOcwp.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\ZnAcjRj.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\WmpsEtT.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\BBtjkAg.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
File created	C:\Windows\System32\PmUnRpe.exe	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13252	dwm.exe
Token: SeChangeNotifyPrivilege	13252	dwm.exe
Token: 33	13252	dwm.exe
Token: SeIncBasePriorityPrivilege	13252	dwm.exe
Token: SeShutdownPrivilege	13252	dwm.exe
Token: SeCreatePagefilePrivilege	13252	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2300	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	85
PID 4168 wrote to memory of 2300	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	85
PID 4168 wrote to memory of 2488	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	86
PID 4168 wrote to memory of 2488	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	86
PID 4168 wrote to memory of 2592	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	87
PID 4168 wrote to memory of 2592	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	87
PID 4168 wrote to memory of 3048	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	88
PID 4168 wrote to memory of 3048	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	88
PID 4168 wrote to memory of 1148	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	89
PID 4168 wrote to memory of 1148	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	89
PID 4168 wrote to memory of 4832	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	90
PID 4168 wrote to memory of 4832	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	90
PID 4168 wrote to memory of 4108	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	91
PID 4168 wrote to memory of 4108	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	91
PID 4168 wrote to memory of 1896	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	92
PID 4168 wrote to memory of 1896	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	92
PID 4168 wrote to memory of 1404	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	93
PID 4168 wrote to memory of 1404	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	93
PID 4168 wrote to memory of 3644	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	94
PID 4168 wrote to memory of 3644	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	94
PID 4168 wrote to memory of 1448	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	95
PID 4168 wrote to memory of 1448	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	95
PID 4168 wrote to memory of 1076	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	96
PID 4168 wrote to memory of 1076	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	96
PID 4168 wrote to memory of 1032	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	97
PID 4168 wrote to memory of 1032	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	97
PID 4168 wrote to memory of 3240	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	98
PID 4168 wrote to memory of 3240	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	98
PID 4168 wrote to memory of 4708	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	99
PID 4168 wrote to memory of 4708	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	99
PID 4168 wrote to memory of 3784	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	100
PID 4168 wrote to memory of 3784	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	100
PID 4168 wrote to memory of 4652	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	101
PID 4168 wrote to memory of 4652	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	101
PID 4168 wrote to memory of 3488	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	102
PID 4168 wrote to memory of 3488	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	102
PID 4168 wrote to memory of 908	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	103
PID 4168 wrote to memory of 908	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	103
PID 4168 wrote to memory of 4604	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	104
PID 4168 wrote to memory of 4604	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	104
PID 4168 wrote to memory of 460	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	105
PID 4168 wrote to memory of 460	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	105
PID 4168 wrote to memory of 3496	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	106
PID 4168 wrote to memory of 3496	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	106
PID 4168 wrote to memory of 2624	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	107
PID 4168 wrote to memory of 2624	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	107
PID 4168 wrote to memory of 5064	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	108
PID 4168 wrote to memory of 5064	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	108
PID 4168 wrote to memory of 4060	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	109
PID 4168 wrote to memory of 4060	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	109
PID 4168 wrote to memory of 3424	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	110
PID 4168 wrote to memory of 3424	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	110
PID 4168 wrote to memory of 4860	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	111
PID 4168 wrote to memory of 4860	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	111
PID 4168 wrote to memory of 4344	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	112
PID 4168 wrote to memory of 4344	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	112
PID 4168 wrote to memory of 1880	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	113
PID 4168 wrote to memory of 1880	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	113
PID 4168 wrote to memory of 4936	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	114
PID 4168 wrote to memory of 4936	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	114
PID 4168 wrote to memory of 1412	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	115
PID 4168 wrote to memory of 1412	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	115
PID 4168 wrote to memory of 4520	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	116
PID 4168 wrote to memory of 4520	4168	eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eb15c70333ec795e7dc72083a0e7f080_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\System32\NBZcAtL.exe
  C:\Windows\System32\NBZcAtL.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System32\glXCuYF.exe
  C:\Windows\System32\glXCuYF.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\knWZhDV.exe
  C:\Windows\System32\knWZhDV.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System32\luujxbk.exe
  C:\Windows\System32\luujxbk.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\sTWlRWi.exe
  C:\Windows\System32\sTWlRWi.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System32\pfxoFlP.exe
  C:\Windows\System32\pfxoFlP.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\KCHiuKm.exe
  C:\Windows\System32\KCHiuKm.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\vTJCnWA.exe
  C:\Windows\System32\vTJCnWA.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System32\PJulNDS.exe
  C:\Windows\System32\PJulNDS.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\xBcbUbT.exe
  C:\Windows\System32\xBcbUbT.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\TpLUAxG.exe
  C:\Windows\System32\TpLUAxG.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System32\CULPpwa.exe
  C:\Windows\System32\CULPpwa.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\kZSXpps.exe
  C:\Windows\System32\kZSXpps.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\tRAuoSU.exe
  C:\Windows\System32\tRAuoSU.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\kKIgqoP.exe
  C:\Windows\System32\kKIgqoP.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\RiVTGFz.exe
  C:\Windows\System32\RiVTGFz.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\KfEpAQM.exe
  C:\Windows\System32\KfEpAQM.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\pebFPsA.exe
  C:\Windows\System32\pebFPsA.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\yJyEwoF.exe
  C:\Windows\System32\yJyEwoF.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\QOittbf.exe
  C:\Windows\System32\QOittbf.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\qflmhTj.exe
  C:\Windows\System32\qflmhTj.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\YycEQwh.exe
  C:\Windows\System32\YycEQwh.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\yrEOFoq.exe
  C:\Windows\System32\yrEOFoq.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System32\VzbsESb.exe
  C:\Windows\System32\VzbsESb.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\WmpsEtT.exe
  C:\Windows\System32\WmpsEtT.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\ixoKfae.exe
  C:\Windows\System32\ixoKfae.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\ETSgKnE.exe
  C:\Windows\System32\ETSgKnE.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\twFfDxg.exe
  C:\Windows\System32\twFfDxg.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\tgpJHKj.exe
  C:\Windows\System32\tgpJHKj.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\lbWfgxF.exe
  C:\Windows\System32\lbWfgxF.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\BXELbYe.exe
  C:\Windows\System32\BXELbYe.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\iGFqIWs.exe
  C:\Windows\System32\iGFqIWs.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\cRsfdij.exe
  C:\Windows\System32\cRsfdij.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\zvJuUJD.exe
  C:\Windows\System32\zvJuUJD.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\AXSxAtM.exe
  C:\Windows\System32\AXSxAtM.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System32\ngHXIgW.exe
  C:\Windows\System32\ngHXIgW.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\epxXTqL.exe
  C:\Windows\System32\epxXTqL.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\wTDUzOD.exe
  C:\Windows\System32\wTDUzOD.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\IpwrSfu.exe
  C:\Windows\System32\IpwrSfu.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\STDvcGj.exe
  C:\Windows\System32\STDvcGj.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\XlLRZqX.exe
  C:\Windows\System32\XlLRZqX.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\HFnFBfO.exe
  C:\Windows\System32\HFnFBfO.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\PhHhfkN.exe
  C:\Windows\System32\PhHhfkN.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\LqIdTWI.exe
  C:\Windows\System32\LqIdTWI.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System32\QEyHJHD.exe
  C:\Windows\System32\QEyHJHD.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System32\KefZdnw.exe
  C:\Windows\System32\KefZdnw.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\GapwEWa.exe
  C:\Windows\System32\GapwEWa.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\FHPPWvP.exe
  C:\Windows\System32\FHPPWvP.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\AhdoIsP.exe
  C:\Windows\System32\AhdoIsP.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\TkIxjAK.exe
  C:\Windows\System32\TkIxjAK.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\OmyVWyR.exe
  C:\Windows\System32\OmyVWyR.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\jaLLPGR.exe
  C:\Windows\System32\jaLLPGR.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\KnDHkQQ.exe
  C:\Windows\System32\KnDHkQQ.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\ToEtQBw.exe
  C:\Windows\System32\ToEtQBw.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\gOQmAcv.exe
  C:\Windows\System32\gOQmAcv.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System32\azIpKUS.exe
  C:\Windows\System32\azIpKUS.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\UgjVGkW.exe
  C:\Windows\System32\UgjVGkW.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System32\pvRRAlc.exe
  C:\Windows\System32\pvRRAlc.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\xgALVhm.exe
  C:\Windows\System32\xgALVhm.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\nFQyePU.exe
  C:\Windows\System32\nFQyePU.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\bLpyZuX.exe
  C:\Windows\System32\bLpyZuX.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\tBgBQRJ.exe
  C:\Windows\System32\tBgBQRJ.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\mlvsbyN.exe
  C:\Windows\System32\mlvsbyN.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\QVHwGcY.exe
  C:\Windows\System32\QVHwGcY.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\GOYTEIT.exe
  C:\Windows\System32\GOYTEIT.exe
  2⤵
  PID:1056
- C:\Windows\System32\kCzBmLD.exe
  C:\Windows\System32\kCzBmLD.exe
  2⤵
  PID:2476
- C:\Windows\System32\LgmbBAB.exe
  C:\Windows\System32\LgmbBAB.exe
  2⤵
  PID:4756
- C:\Windows\System32\NuiFhGE.exe
  C:\Windows\System32\NuiFhGE.exe
  2⤵
  PID:4372
- C:\Windows\System32\soDeNgp.exe
  C:\Windows\System32\soDeNgp.exe
  2⤵
  PID:1696
- C:\Windows\System32\fxyezJW.exe
  C:\Windows\System32\fxyezJW.exe
  2⤵
  PID:4056
- C:\Windows\System32\VHqArlS.exe
  C:\Windows\System32\VHqArlS.exe
  2⤵
  PID:4396
- C:\Windows\System32\FKHFDtj.exe
  C:\Windows\System32\FKHFDtj.exe
  2⤵
  PID:2012
- C:\Windows\System32\jOmoEzd.exe
  C:\Windows\System32\jOmoEzd.exe
  2⤵
  PID:5040
- C:\Windows\System32\NsXizmB.exe
  C:\Windows\System32\NsXizmB.exe
  2⤵
  PID:4760
- C:\Windows\System32\ZBCLnMC.exe
  C:\Windows\System32\ZBCLnMC.exe
  2⤵
  PID:4392
- C:\Windows\System32\GBrTTbN.exe
  C:\Windows\System32\GBrTTbN.exe
  2⤵
  PID:5112
- C:\Windows\System32\aNfSCjR.exe
  C:\Windows\System32\aNfSCjR.exe
  2⤵
  PID:3232
- C:\Windows\System32\bqNHofN.exe
  C:\Windows\System32\bqNHofN.exe
  2⤵
  PID:1668
- C:\Windows\System32\GMydVvr.exe
  C:\Windows\System32\GMydVvr.exe
  2⤵
  PID:4080
- C:\Windows\System32\gXTSxMr.exe
  C:\Windows\System32\gXTSxMr.exe
  2⤵
  PID:872
- C:\Windows\System32\bauPbZl.exe
  C:\Windows\System32\bauPbZl.exe
  2⤵
  PID:1824
- C:\Windows\System32\QBkvyeq.exe
  C:\Windows\System32\QBkvyeq.exe
  2⤵
  PID:2220
- C:\Windows\System32\OzuPkOr.exe
  C:\Windows\System32\OzuPkOr.exe
  2⤵
  PID:3956
- C:\Windows\System32\bRLlFjG.exe
  C:\Windows\System32\bRLlFjG.exe
  2⤵
  PID:2524
- C:\Windows\System32\VZemqHd.exe
  C:\Windows\System32\VZemqHd.exe
  2⤵
  PID:5156
- C:\Windows\System32\rGIBpaV.exe
  C:\Windows\System32\rGIBpaV.exe
  2⤵
  PID:5184
- C:\Windows\System32\XfTdzuB.exe
  C:\Windows\System32\XfTdzuB.exe
  2⤵
  PID:5236
- C:\Windows\System32\qIimdMx.exe
  C:\Windows\System32\qIimdMx.exe
  2⤵
  PID:5256
- C:\Windows\System32\BBtjkAg.exe
  C:\Windows\System32\BBtjkAg.exe
  2⤵
  PID:5280
- C:\Windows\System32\uIlJBhQ.exe
  C:\Windows\System32\uIlJBhQ.exe
  2⤵
  PID:5308
- C:\Windows\System32\aDPArKI.exe
  C:\Windows\System32\aDPArKI.exe
  2⤵
  PID:5340
- C:\Windows\System32\brarZTR.exe
  C:\Windows\System32\brarZTR.exe
  2⤵
  PID:5368
- C:\Windows\System32\iWYfqfc.exe
  C:\Windows\System32\iWYfqfc.exe
  2⤵
  PID:5400
- C:\Windows\System32\kaMMRJU.exe
  C:\Windows\System32\kaMMRJU.exe
  2⤵
  PID:5428
- C:\Windows\System32\LTFadpk.exe
  C:\Windows\System32\LTFadpk.exe
  2⤵
  PID:5468
- C:\Windows\System32\DcADEay.exe
  C:\Windows\System32\DcADEay.exe
  2⤵
  PID:5484
- C:\Windows\System32\gTWySIM.exe
  C:\Windows\System32\gTWySIM.exe
  2⤵
  PID:5512
- C:\Windows\System32\UDRBKfj.exe
  C:\Windows\System32\UDRBKfj.exe
  2⤵
  PID:5540
- C:\Windows\System32\wPvLiNe.exe
  C:\Windows\System32\wPvLiNe.exe
  2⤵
  PID:5568
- C:\Windows\System32\XZyewyX.exe
  C:\Windows\System32\XZyewyX.exe
  2⤵
  PID:5600
- C:\Windows\System32\ZzUTDNG.exe
  C:\Windows\System32\ZzUTDNG.exe
  2⤵
  PID:5632
- C:\Windows\System32\iDAyRdL.exe
  C:\Windows\System32\iDAyRdL.exe
  2⤵
  PID:5660
- C:\Windows\System32\ZVVPNKR.exe
  C:\Windows\System32\ZVVPNKR.exe
  2⤵
  PID:5688
- C:\Windows\System32\ggajRUk.exe
  C:\Windows\System32\ggajRUk.exe
  2⤵
  PID:5716
- C:\Windows\System32\VkhiCjQ.exe
  C:\Windows\System32\VkhiCjQ.exe
  2⤵
  PID:5748
- C:\Windows\System32\JRUKwAT.exe
  C:\Windows\System32\JRUKwAT.exe
  2⤵
  PID:5772
- C:\Windows\System32\kWUXZkB.exe
  C:\Windows\System32\kWUXZkB.exe
  2⤵
  PID:5824
- C:\Windows\System32\FzbDkll.exe
  C:\Windows\System32\FzbDkll.exe
  2⤵
  PID:5872
- C:\Windows\System32\LuxKYln.exe
  C:\Windows\System32\LuxKYln.exe
  2⤵
  PID:5892
- C:\Windows\System32\dKawzYH.exe
  C:\Windows\System32\dKawzYH.exe
  2⤵
  PID:5908
- C:\Windows\System32\LFPBLzY.exe
  C:\Windows\System32\LFPBLzY.exe
  2⤵
  PID:5936
- C:\Windows\System32\HAgMuLf.exe
  C:\Windows\System32\HAgMuLf.exe
  2⤵
  PID:5952
- C:\Windows\System32\UBCmfYG.exe
  C:\Windows\System32\UBCmfYG.exe
  2⤵
  PID:5976
- C:\Windows\System32\nqjAfVy.exe
  C:\Windows\System32\nqjAfVy.exe
  2⤵
  PID:6008
- C:\Windows\System32\vqLtgLC.exe
  C:\Windows\System32\vqLtgLC.exe
  2⤵
  PID:6032
- C:\Windows\System32\NzryMcC.exe
  C:\Windows\System32\NzryMcC.exe
  2⤵
  PID:6052
- C:\Windows\System32\jenBtQW.exe
  C:\Windows\System32\jenBtQW.exe
  2⤵
  PID:6068
- C:\Windows\System32\uFstOqx.exe
  C:\Windows\System32\uFstOqx.exe
  2⤵
  PID:6096
- C:\Windows\System32\bNNuoyx.exe
  C:\Windows\System32\bNNuoyx.exe
  2⤵
  PID:6132
- C:\Windows\System32\wGVMBJr.exe
  C:\Windows\System32\wGVMBJr.exe
  2⤵
  PID:5124
- C:\Windows\System32\sCpuIhi.exe
  C:\Windows\System32\sCpuIhi.exe
  2⤵
  PID:5180
- C:\Windows\System32\YlcPuyr.exe
  C:\Windows\System32\YlcPuyr.exe
  2⤵
  PID:3012
- C:\Windows\System32\qAgNmNm.exe
  C:\Windows\System32\qAgNmNm.exe
  2⤵
  PID:5204
- C:\Windows\System32\vAGMvSk.exe
  C:\Windows\System32\vAGMvSk.exe
  2⤵
  PID:5244
- C:\Windows\System32\OntUGTz.exe
  C:\Windows\System32\OntUGTz.exe
  2⤵
  PID:5300
- C:\Windows\System32\qHMozZb.exe
  C:\Windows\System32\qHMozZb.exe
  2⤵
  PID:5348
- C:\Windows\System32\QmETNVo.exe
  C:\Windows\System32\QmETNVo.exe
  2⤵
  PID:5532
- C:\Windows\System32\IHhgKlL.exe
  C:\Windows\System32\IHhgKlL.exe
  2⤵
  PID:5624
- C:\Windows\System32\mJPalkh.exe
  C:\Windows\System32\mJPalkh.exe
  2⤵
  PID:3376
- C:\Windows\System32\hchNaVJ.exe
  C:\Windows\System32\hchNaVJ.exe
  2⤵
  PID:3292
- C:\Windows\System32\fyNmsEm.exe
  C:\Windows\System32\fyNmsEm.exe
  2⤵
  PID:752
- C:\Windows\System32\NZhsBLD.exe
  C:\Windows\System32\NZhsBLD.exe
  2⤵
  PID:3768
- C:\Windows\System32\SKZRRkN.exe
  C:\Windows\System32\SKZRRkN.exe
  2⤵
  PID:5800
- C:\Windows\System32\likoxKz.exe
  C:\Windows\System32\likoxKz.exe
  2⤵
  PID:5856
- C:\Windows\System32\rClGRAk.exe
  C:\Windows\System32\rClGRAk.exe
  2⤵
  PID:5888
- C:\Windows\System32\ESQhCPl.exe
  C:\Windows\System32\ESQhCPl.exe
  2⤵
  PID:5916
- C:\Windows\System32\HoejYtR.exe
  C:\Windows\System32\HoejYtR.exe
  2⤵
  PID:5948
- C:\Windows\System32\BQPKycy.exe
  C:\Windows\System32\BQPKycy.exe
  2⤵
  PID:6024
- C:\Windows\System32\UjiUEJF.exe
  C:\Windows\System32\UjiUEJF.exe
  2⤵
  PID:6088
- C:\Windows\System32\igYHuDB.exe
  C:\Windows\System32\igYHuDB.exe
  2⤵
  PID:6060
- C:\Windows\System32\ilzBXcn.exe
  C:\Windows\System32\ilzBXcn.exe
  2⤵
  PID:5408
- C:\Windows\System32\PBbgKww.exe
  C:\Windows\System32\PBbgKww.exe
  2⤵
  PID:5316
- C:\Windows\System32\WdsBlai.exe
  C:\Windows\System32\WdsBlai.exe
  2⤵
  PID:5272
- C:\Windows\System32\MIbyAFf.exe
  C:\Windows\System32\MIbyAFf.exe
  2⤵
  PID:5448
- C:\Windows\System32\kvrkAiZ.exe
  C:\Windows\System32\kvrkAiZ.exe
  2⤵
  PID:5704
- C:\Windows\System32\VZICjzc.exe
  C:\Windows\System32\VZICjzc.exe
  2⤵
  PID:5764
- C:\Windows\System32\jlMHjfR.exe
  C:\Windows\System32\jlMHjfR.exe
  2⤵
  PID:4220
- C:\Windows\System32\lAwkfQk.exe
  C:\Windows\System32\lAwkfQk.exe
  2⤵
  PID:5880
- C:\Windows\System32\gYNoKhw.exe
  C:\Windows\System32\gYNoKhw.exe
  2⤵
  PID:428
- C:\Windows\System32\mwkhzBY.exe
  C:\Windows\System32\mwkhzBY.exe
  2⤵
  PID:6076
- C:\Windows\System32\LcOXBce.exe
  C:\Windows\System32\LcOXBce.exe
  2⤵
  PID:1212
- C:\Windows\System32\VmEVpIM.exe
  C:\Windows\System32\VmEVpIM.exe
  2⤵
  PID:2200
- C:\Windows\System32\nuxChBf.exe
  C:\Windows\System32\nuxChBf.exe
  2⤵
  PID:5556
- C:\Windows\System32\LXsOPXr.exe
  C:\Windows\System32\LXsOPXr.exe
  2⤵
  PID:4540
- C:\Windows\System32\FHKZzzN.exe
  C:\Windows\System32\FHKZzzN.exe
  2⤵
  PID:3044
- C:\Windows\System32\giibtuo.exe
  C:\Windows\System32\giibtuo.exe
  2⤵
  PID:5296
- C:\Windows\System32\dkBqVSu.exe
  C:\Windows\System32\dkBqVSu.exe
  2⤵
  PID:6044
- C:\Windows\System32\bsxBuKN.exe
  C:\Windows\System32\bsxBuKN.exe
  2⤵
  PID:6152
- C:\Windows\System32\UqOuQes.exe
  C:\Windows\System32\UqOuQes.exe
  2⤵
  PID:6176
- C:\Windows\System32\GeBisZR.exe
  C:\Windows\System32\GeBisZR.exe
  2⤵
  PID:6204
- C:\Windows\System32\vYdwXZf.exe
  C:\Windows\System32\vYdwXZf.exe
  2⤵
  PID:6220
- C:\Windows\System32\lnoWbcz.exe
  C:\Windows\System32\lnoWbcz.exe
  2⤵
  PID:6288
- C:\Windows\System32\EnzzHFQ.exe
  C:\Windows\System32\EnzzHFQ.exe
  2⤵
  PID:6384
- C:\Windows\System32\GxOoRFr.exe
  C:\Windows\System32\GxOoRFr.exe
  2⤵
  PID:6400
- C:\Windows\System32\xBehmfF.exe
  C:\Windows\System32\xBehmfF.exe
  2⤵
  PID:6420
- C:\Windows\System32\LtFfMwl.exe
  C:\Windows\System32\LtFfMwl.exe
  2⤵
  PID:6452
- C:\Windows\System32\BDSvqer.exe
  C:\Windows\System32\BDSvqer.exe
  2⤵
  PID:6472
- C:\Windows\System32\weEgRVA.exe
  C:\Windows\System32\weEgRVA.exe
  2⤵
  PID:6496
- C:\Windows\System32\KeTqlwg.exe
  C:\Windows\System32\KeTqlwg.exe
  2⤵
  PID:6520
- C:\Windows\System32\UlPZWbx.exe
  C:\Windows\System32\UlPZWbx.exe
  2⤵
  PID:6544
- C:\Windows\System32\xHQHDLA.exe
  C:\Windows\System32\xHQHDLA.exe
  2⤵
  PID:6564
- C:\Windows\System32\lmVBqZQ.exe
  C:\Windows\System32\lmVBqZQ.exe
  2⤵
  PID:6588
- C:\Windows\System32\LdpjyNW.exe
  C:\Windows\System32\LdpjyNW.exe
  2⤵
  PID:6624
- C:\Windows\System32\zlyefeR.exe
  C:\Windows\System32\zlyefeR.exe
  2⤵
  PID:6652
- C:\Windows\System32\vPhlXBD.exe
  C:\Windows\System32\vPhlXBD.exe
  2⤵
  PID:6672
- C:\Windows\System32\VxEfspv.exe
  C:\Windows\System32\VxEfspv.exe
  2⤵
  PID:6696
- C:\Windows\System32\JvQHoIm.exe
  C:\Windows\System32\JvQHoIm.exe
  2⤵
  PID:6724
- C:\Windows\System32\wgzcuRG.exe
  C:\Windows\System32\wgzcuRG.exe
  2⤵
  PID:6752
- C:\Windows\System32\hnuutHK.exe
  C:\Windows\System32\hnuutHK.exe
  2⤵
  PID:6772
- C:\Windows\System32\zTQNevh.exe
  C:\Windows\System32\zTQNevh.exe
  2⤵
  PID:6796
- C:\Windows\System32\BdVlAsp.exe
  C:\Windows\System32\BdVlAsp.exe
  2⤵
  PID:6852
- C:\Windows\System32\sFBOwvl.exe
  C:\Windows\System32\sFBOwvl.exe
  2⤵
  PID:6880
- C:\Windows\System32\RaWamxN.exe
  C:\Windows\System32\RaWamxN.exe
  2⤵
  PID:6896
- C:\Windows\System32\saIJrVs.exe
  C:\Windows\System32\saIJrVs.exe
  2⤵
  PID:6920
- C:\Windows\System32\MzvzbRM.exe
  C:\Windows\System32\MzvzbRM.exe
  2⤵
  PID:6952
- C:\Windows\System32\PomOXgi.exe
  C:\Windows\System32\PomOXgi.exe
  2⤵
  PID:7004
- C:\Windows\System32\QFaFmIz.exe
  C:\Windows\System32\QFaFmIz.exe
  2⤵
  PID:7044
- C:\Windows\System32\itZGZxS.exe
  C:\Windows\System32\itZGZxS.exe
  2⤵
  PID:7076
- C:\Windows\System32\Ncvdear.exe
  C:\Windows\System32\Ncvdear.exe
  2⤵
  PID:7100
- C:\Windows\System32\WojOLCb.exe
  C:\Windows\System32\WojOLCb.exe
  2⤵
  PID:7144
- C:\Windows\System32\xyCKhRV.exe
  C:\Windows\System32\xyCKhRV.exe
  2⤵
  PID:2720
- C:\Windows\System32\ttVthxO.exe
  C:\Windows\System32\ttVthxO.exe
  2⤵
  PID:6148
- C:\Windows\System32\cndkLgR.exe
  C:\Windows\System32\cndkLgR.exe
  2⤵
  PID:2676
- C:\Windows\System32\ETFqNyH.exe
  C:\Windows\System32\ETFqNyH.exe
  2⤵
  PID:6212
- C:\Windows\System32\EJSiDLu.exe
  C:\Windows\System32\EJSiDLu.exe
  2⤵
  PID:6296
- C:\Windows\System32\QCteuQD.exe
  C:\Windows\System32\QCteuQD.exe
  2⤵
  PID:6432
- C:\Windows\System32\pteKvnU.exe
  C:\Windows\System32\pteKvnU.exe
  2⤵
  PID:6464
- C:\Windows\System32\dpZZCPj.exe
  C:\Windows\System32\dpZZCPj.exe
  2⤵
  PID:6528
- C:\Windows\System32\lsswRwZ.exe
  C:\Windows\System32\lsswRwZ.exe
  2⤵
  PID:6560
- C:\Windows\System32\NWqbnXA.exe
  C:\Windows\System32\NWqbnXA.exe
  2⤵
  PID:6620
- C:\Windows\System32\OeixqvU.exe
  C:\Windows\System32\OeixqvU.exe
  2⤵
  PID:6680
- C:\Windows\System32\XkFgDNE.exe
  C:\Windows\System32\XkFgDNE.exe
  2⤵
  PID:6788
- C:\Windows\System32\EcVzdah.exe
  C:\Windows\System32\EcVzdah.exe
  2⤵
  PID:6840
- C:\Windows\System32\EfkTPXD.exe
  C:\Windows\System32\EfkTPXD.exe
  2⤵
  PID:6988
- C:\Windows\System32\iyUzLcR.exe
  C:\Windows\System32\iyUzLcR.exe
  2⤵
  PID:6972
- C:\Windows\System32\LPEsUDI.exe
  C:\Windows\System32\LPEsUDI.exe
  2⤵
  PID:7012
- C:\Windows\System32\awmJqWz.exe
  C:\Windows\System32\awmJqWz.exe
  2⤵
  PID:2204
- C:\Windows\System32\WVakyZn.exe
  C:\Windows\System32\WVakyZn.exe
  2⤵
  PID:3932
- C:\Windows\System32\beBZpJH.exe
  C:\Windows\System32\beBZpJH.exe
  2⤵
  PID:5968
- C:\Windows\System32\nSFrAWG.exe
  C:\Windows\System32\nSFrAWG.exe
  2⤵
  PID:3152
- C:\Windows\System32\WDIZZqk.exe
  C:\Windows\System32\WDIZZqk.exe
  2⤵
  PID:6348
- C:\Windows\System32\jZhzaRs.exe
  C:\Windows\System32\jZhzaRs.exe
  2⤵
  PID:3356
- C:\Windows\System32\ZAyfdFC.exe
  C:\Windows\System32\ZAyfdFC.exe
  2⤵
  PID:6668
- C:\Windows\System32\XtZSexw.exe
  C:\Windows\System32\XtZSexw.exe
  2⤵
  PID:6704
- C:\Windows\System32\rdhARzp.exe
  C:\Windows\System32\rdhARzp.exe
  2⤵
  PID:2552
- C:\Windows\System32\RYQHZDz.exe
  C:\Windows\System32\RYQHZDz.exe
  2⤵
  PID:2612
- C:\Windows\System32\rLlkOOQ.exe
  C:\Windows\System32\rLlkOOQ.exe
  2⤵
  PID:6904
- C:\Windows\System32\heBgXfa.exe
  C:\Windows\System32\heBgXfa.exe
  2⤵
  PID:6192
- C:\Windows\System32\WgLkHLu.exe
  C:\Windows\System32\WgLkHLu.exe
  2⤵
  PID:4996
- C:\Windows\System32\EvvzVeB.exe
  C:\Windows\System32\EvvzVeB.exe
  2⤵
  PID:6928
- C:\Windows\System32\RzwruRc.exe
  C:\Windows\System32\RzwruRc.exe
  2⤵
  PID:7096
- C:\Windows\System32\hZHhBbE.exe
  C:\Windows\System32\hZHhBbE.exe
  2⤵
  PID:6960
- C:\Windows\System32\dLPksYD.exe
  C:\Windows\System32\dLPksYD.exe
  2⤵
  PID:6504
- C:\Windows\System32\lFIubOZ.exe
  C:\Windows\System32\lFIubOZ.exe
  2⤵
  PID:7176
- C:\Windows\System32\OLAOasg.exe
  C:\Windows\System32\OLAOasg.exe
  2⤵
  PID:7216
- C:\Windows\System32\UQZkQAD.exe
  C:\Windows\System32\UQZkQAD.exe
  2⤵
  PID:7236
- C:\Windows\System32\qMxgULD.exe
  C:\Windows\System32\qMxgULD.exe
  2⤵
  PID:7284
- C:\Windows\System32\pQqCPMU.exe
  C:\Windows\System32\pQqCPMU.exe
  2⤵
  PID:7324
- C:\Windows\System32\mMRYkXh.exe
  C:\Windows\System32\mMRYkXh.exe
  2⤵
  PID:7356
- C:\Windows\System32\zSjAtIN.exe
  C:\Windows\System32\zSjAtIN.exe
  2⤵
  PID:7376
- C:\Windows\System32\IMfaIOS.exe
  C:\Windows\System32\IMfaIOS.exe
  2⤵
  PID:7408
- C:\Windows\System32\BVHHwUR.exe
  C:\Windows\System32\BVHHwUR.exe
  2⤵
  PID:7440
- C:\Windows\System32\fvRnpDS.exe
  C:\Windows\System32\fvRnpDS.exe
  2⤵
  PID:7464
- C:\Windows\System32\phVenZP.exe
  C:\Windows\System32\phVenZP.exe
  2⤵
  PID:7492
- C:\Windows\System32\omVoPNM.exe
  C:\Windows\System32\omVoPNM.exe
  2⤵
  PID:7520
- C:\Windows\System32\NXcaluq.exe
  C:\Windows\System32\NXcaluq.exe
  2⤵
  PID:7544
- C:\Windows\System32\csUWUca.exe
  C:\Windows\System32\csUWUca.exe
  2⤵
  PID:7560
- C:\Windows\System32\gWOxANl.exe
  C:\Windows\System32\gWOxANl.exe
  2⤵
  PID:7596
- C:\Windows\System32\HsTBhXN.exe
  C:\Windows\System32\HsTBhXN.exe
  2⤵
  PID:7616
- C:\Windows\System32\pLyQliP.exe
  C:\Windows\System32\pLyQliP.exe
  2⤵
  PID:7656
- C:\Windows\System32\Eguwect.exe
  C:\Windows\System32\Eguwect.exe
  2⤵
  PID:7672
- C:\Windows\System32\ubiWpTP.exe
  C:\Windows\System32\ubiWpTP.exe
  2⤵
  PID:7708
- C:\Windows\System32\YcQJReX.exe
  C:\Windows\System32\YcQJReX.exe
  2⤵
  PID:7728
- C:\Windows\System32\cNFYZOS.exe
  C:\Windows\System32\cNFYZOS.exe
  2⤵
  PID:7760
- C:\Windows\System32\thFzPin.exe
  C:\Windows\System32\thFzPin.exe
  2⤵
  PID:7784
- C:\Windows\System32\FzRVARb.exe
  C:\Windows\System32\FzRVARb.exe
  2⤵
  PID:7812
- C:\Windows\System32\uqvVUQv.exe
  C:\Windows\System32\uqvVUQv.exe
  2⤵
  PID:7844
- C:\Windows\System32\wvdToPl.exe
  C:\Windows\System32\wvdToPl.exe
  2⤵
  PID:7860
- C:\Windows\System32\mmFHjfA.exe
  C:\Windows\System32\mmFHjfA.exe
  2⤵
  PID:7884
- C:\Windows\System32\kozDrOV.exe
  C:\Windows\System32\kozDrOV.exe
  2⤵
  PID:7920
- C:\Windows\System32\TiSjBBA.exe
  C:\Windows\System32\TiSjBBA.exe
  2⤵
  PID:7968
- C:\Windows\System32\PmUnRpe.exe
  C:\Windows\System32\PmUnRpe.exe
  2⤵
  PID:7992
- C:\Windows\System32\hqrSBDq.exe
  C:\Windows\System32\hqrSBDq.exe
  2⤵
  PID:8008
- C:\Windows\System32\CEDAYsB.exe
  C:\Windows\System32\CEDAYsB.exe
  2⤵
  PID:8036
- C:\Windows\System32\BsDlBtd.exe
  C:\Windows\System32\BsDlBtd.exe
  2⤵
  PID:8064
- C:\Windows\System32\zQHJMkp.exe
  C:\Windows\System32\zQHJMkp.exe
  2⤵
  PID:8080
- C:\Windows\System32\SAcSbFb.exe
  C:\Windows\System32\SAcSbFb.exe
  2⤵
  PID:8104
- C:\Windows\System32\rSbVfRV.exe
  C:\Windows\System32\rSbVfRV.exe
  2⤵
  PID:8164
- C:\Windows\System32\eosFFYD.exe
  C:\Windows\System32\eosFFYD.exe
  2⤵
  PID:8188
- C:\Windows\System32\aGNTRpS.exe
  C:\Windows\System32\aGNTRpS.exe
  2⤵
  PID:6792
- C:\Windows\System32\wkBMVpA.exe
  C:\Windows\System32\wkBMVpA.exe
  2⤵
  PID:7204
- C:\Windows\System32\FvPWrpA.exe
  C:\Windows\System32\FvPWrpA.exe
  2⤵
  PID:7264
- C:\Windows\System32\FkLZBhX.exe
  C:\Windows\System32\FkLZBhX.exe
  2⤵
  PID:7392
- C:\Windows\System32\WzXjEaD.exe
  C:\Windows\System32\WzXjEaD.exe
  2⤵
  PID:7452
- C:\Windows\System32\tSmbYxh.exe
  C:\Windows\System32\tSmbYxh.exe
  2⤵
  PID:7512
- C:\Windows\System32\SpCHIca.exe
  C:\Windows\System32\SpCHIca.exe
  2⤵
  PID:7568
- C:\Windows\System32\NLJrpYh.exe
  C:\Windows\System32\NLJrpYh.exe
  2⤵
  PID:7624
- C:\Windows\System32\eXhioos.exe
  C:\Windows\System32\eXhioos.exe
  2⤵
  PID:7688
- C:\Windows\System32\IYwuZSX.exe
  C:\Windows\System32\IYwuZSX.exe
  2⤵
  PID:7720
- C:\Windows\System32\WPaULuj.exe
  C:\Windows\System32\WPaULuj.exe
  2⤵
  PID:7824
- C:\Windows\System32\ZWYAsiC.exe
  C:\Windows\System32\ZWYAsiC.exe
  2⤵
  PID:7868
- C:\Windows\System32\QEXnfLY.exe
  C:\Windows\System32\QEXnfLY.exe
  2⤵
  PID:7940
- C:\Windows\System32\WEnKkDm.exe
  C:\Windows\System32\WEnKkDm.exe
  2⤵
  PID:7988
- C:\Windows\System32\NHNJsgE.exe
  C:\Windows\System32\NHNJsgE.exe
  2⤵
  PID:7980
- C:\Windows\System32\WLyNjce.exe
  C:\Windows\System32\WLyNjce.exe
  2⤵
  PID:8088
- C:\Windows\System32\IgylNHK.exe
  C:\Windows\System32\IgylNHK.exe
  2⤵
  PID:8140
- C:\Windows\System32\nZarbJx.exe
  C:\Windows\System32\nZarbJx.exe
  2⤵
  PID:7268
- C:\Windows\System32\MRlhvpb.exe
  C:\Windows\System32\MRlhvpb.exe
  2⤵
  PID:7396
- C:\Windows\System32\FgMBGbS.exe
  C:\Windows\System32\FgMBGbS.exe
  2⤵
  PID:7552
- C:\Windows\System32\xjumLom.exe
  C:\Windows\System32\xjumLom.exe
  2⤵
  PID:7880
- C:\Windows\System32\blZyJwE.exe
  C:\Windows\System32\blZyJwE.exe
  2⤵
  PID:7876
- C:\Windows\System32\ECsYnaB.exe
  C:\Windows\System32\ECsYnaB.exe
  2⤵
  PID:8100
- C:\Windows\System32\LKXtZlf.exe
  C:\Windows\System32\LKXtZlf.exe
  2⤵
  PID:7336
- C:\Windows\System32\buEmniM.exe
  C:\Windows\System32\buEmniM.exe
  2⤵
  PID:7484
- C:\Windows\System32\GvlGDBC.exe
  C:\Windows\System32\GvlGDBC.exe
  2⤵
  PID:7748
- C:\Windows\System32\hMdRVZZ.exe
  C:\Windows\System32\hMdRVZZ.exe
  2⤵
  PID:7976
- C:\Windows\System32\BKxjlHT.exe
  C:\Windows\System32\BKxjlHT.exe
  2⤵
  PID:7964
- C:\Windows\System32\eUOkxKI.exe
  C:\Windows\System32\eUOkxKI.exe
  2⤵
  PID:7536
- C:\Windows\System32\vZnnqbf.exe
  C:\Windows\System32\vZnnqbf.exe
  2⤵
  PID:8236
- C:\Windows\System32\AVpMcLP.exe
  C:\Windows\System32\AVpMcLP.exe
  2⤵
  PID:8260
- C:\Windows\System32\ZVwrTPW.exe
  C:\Windows\System32\ZVwrTPW.exe
  2⤵
  PID:8292
- C:\Windows\System32\yZybWME.exe
  C:\Windows\System32\yZybWME.exe
  2⤵
  PID:8312
- C:\Windows\System32\MAvVRyl.exe
  C:\Windows\System32\MAvVRyl.exe
  2⤵
  PID:8336
- C:\Windows\System32\HhoJPon.exe
  C:\Windows\System32\HhoJPon.exe
  2⤵
  PID:8352
- C:\Windows\System32\GocpnbY.exe
  C:\Windows\System32\GocpnbY.exe
  2⤵
  PID:8396
- C:\Windows\System32\XYFvfWK.exe
  C:\Windows\System32\XYFvfWK.exe
  2⤵
  PID:8416
- C:\Windows\System32\TrTKnyJ.exe
  C:\Windows\System32\TrTKnyJ.exe
  2⤵
  PID:8440
- C:\Windows\System32\urFQrel.exe
  C:\Windows\System32\urFQrel.exe
  2⤵
  PID:8456
- C:\Windows\System32\cptzepY.exe
  C:\Windows\System32\cptzepY.exe
  2⤵
  PID:8504
- C:\Windows\System32\AzbLFLy.exe
  C:\Windows\System32\AzbLFLy.exe
  2⤵
  PID:8528
- C:\Windows\System32\SgdCIuK.exe
  C:\Windows\System32\SgdCIuK.exe
  2⤵
  PID:8556
- C:\Windows\System32\pGKeOsv.exe
  C:\Windows\System32\pGKeOsv.exe
  2⤵
  PID:8584
- C:\Windows\System32\VnpEnFq.exe
  C:\Windows\System32\VnpEnFq.exe
  2⤵
  PID:8604
- C:\Windows\System32\mOVWaqA.exe
  C:\Windows\System32\mOVWaqA.exe
  2⤵
  PID:8628
- C:\Windows\System32\mXUcNmW.exe
  C:\Windows\System32\mXUcNmW.exe
  2⤵
  PID:8660
- C:\Windows\System32\ZLaFmIf.exe
  C:\Windows\System32\ZLaFmIf.exe
  2⤵
  PID:8704
- C:\Windows\System32\olDdUDT.exe
  C:\Windows\System32\olDdUDT.exe
  2⤵
  PID:8732
- C:\Windows\System32\pWGuWut.exe
  C:\Windows\System32\pWGuWut.exe
  2⤵
  PID:8776
- C:\Windows\System32\NGgvBKO.exe
  C:\Windows\System32\NGgvBKO.exe
  2⤵
  PID:8804
- C:\Windows\System32\RYGlxAe.exe
  C:\Windows\System32\RYGlxAe.exe
  2⤵
  PID:8828
- C:\Windows\System32\SIYojUT.exe
  C:\Windows\System32\SIYojUT.exe
  2⤵
  PID:8856
- C:\Windows\System32\xBMnEYW.exe
  C:\Windows\System32\xBMnEYW.exe
  2⤵
  PID:8876
- C:\Windows\System32\PoLCxJv.exe
  C:\Windows\System32\PoLCxJv.exe
  2⤵
  PID:8896
- C:\Windows\System32\lEpCeWE.exe
  C:\Windows\System32\lEpCeWE.exe
  2⤵
  PID:8952
- C:\Windows\System32\fIBqDFx.exe
  C:\Windows\System32\fIBqDFx.exe
  2⤵
  PID:8968
- C:\Windows\System32\gJuUNpI.exe
  C:\Windows\System32\gJuUNpI.exe
  2⤵
  PID:9004
- C:\Windows\System32\zkNaHDi.exe
  C:\Windows\System32\zkNaHDi.exe
  2⤵
  PID:9048
- C:\Windows\System32\cXzGyzd.exe
  C:\Windows\System32\cXzGyzd.exe
  2⤵
  PID:9128
- C:\Windows\System32\opcfzGX.exe
  C:\Windows\System32\opcfzGX.exe
  2⤵
  PID:9144
- C:\Windows\System32\aIbVJxp.exe
  C:\Windows\System32\aIbVJxp.exe
  2⤵
  PID:9160
- C:\Windows\System32\YjbrnCM.exe
  C:\Windows\System32\YjbrnCM.exe
  2⤵
  PID:9176
- C:\Windows\System32\YKLyVGY.exe
  C:\Windows\System32\YKLyVGY.exe
  2⤵
  PID:8244
- C:\Windows\System32\WsFNiIL.exe
  C:\Windows\System32\WsFNiIL.exe
  2⤵
  PID:8252
- C:\Windows\System32\Xsxlhcu.exe
  C:\Windows\System32\Xsxlhcu.exe
  2⤵
  PID:8360
- C:\Windows\System32\FsBQChY.exe
  C:\Windows\System32\FsBQChY.exe
  2⤵
  PID:8452
- C:\Windows\System32\MowOVgX.exe
  C:\Windows\System32\MowOVgX.exe
  2⤵
  PID:8432
- C:\Windows\System32\lcmWrSo.exe
  C:\Windows\System32\lcmWrSo.exe
  2⤵
  PID:8448
- C:\Windows\System32\ldSIwrO.exe
  C:\Windows\System32\ldSIwrO.exe
  2⤵
  PID:8500
- C:\Windows\System32\aVflAIg.exe
  C:\Windows\System32\aVflAIg.exe
  2⤵
  PID:8564
- C:\Windows\System32\GClxwes.exe
  C:\Windows\System32\GClxwes.exe
  2⤵
  PID:8620
- C:\Windows\System32\UawNoiB.exe
  C:\Windows\System32\UawNoiB.exe
  2⤵
  PID:8760
- C:\Windows\System32\GDWdzmX.exe
  C:\Windows\System32\GDWdzmX.exe
  2⤵
  PID:8816
- C:\Windows\System32\auCHTvJ.exe
  C:\Windows\System32\auCHTvJ.exe
  2⤵
  PID:8868
- C:\Windows\System32\UTcQcxk.exe
  C:\Windows\System32\UTcQcxk.exe
  2⤵
  PID:8980
- C:\Windows\System32\HbXbzgk.exe
  C:\Windows\System32\HbXbzgk.exe
  2⤵
  PID:9076
- C:\Windows\System32\rKhdPkk.exe
  C:\Windows\System32\rKhdPkk.exe
  2⤵
  PID:9080
- C:\Windows\System32\EpFuvXo.exe
  C:\Windows\System32\EpFuvXo.exe
  2⤵
  PID:9168
- C:\Windows\System32\pFfFLoz.exe
  C:\Windows\System32\pFfFLoz.exe
  2⤵
  PID:7312
- C:\Windows\System32\bjeyYVR.exe
  C:\Windows\System32\bjeyYVR.exe
  2⤵
  PID:8256
- C:\Windows\System32\feXHCxH.exe
  C:\Windows\System32\feXHCxH.exe
  2⤵
  PID:8428
- C:\Windows\System32\GGvCdqY.exe
  C:\Windows\System32\GGvCdqY.exe
  2⤵
  PID:8596
- C:\Windows\System32\AvaRcCY.exe
  C:\Windows\System32\AvaRcCY.exe
  2⤵
  PID:8544
- C:\Windows\System32\bybewwR.exe
  C:\Windows\System32\bybewwR.exe
  2⤵
  PID:8740
- C:\Windows\System32\XnDatkx.exe
  C:\Windows\System32\XnDatkx.exe
  2⤵
  PID:9060
- C:\Windows\System32\uDyMdqd.exe
  C:\Windows\System32\uDyMdqd.exe
  2⤵
  PID:9156
- C:\Windows\System32\QPxaJTk.exe
  C:\Windows\System32\QPxaJTk.exe
  2⤵
  PID:8372
- C:\Windows\System32\aMEXHWA.exe
  C:\Windows\System32\aMEXHWA.exe
  2⤵
  PID:8476
- C:\Windows\System32\OEIJyzC.exe
  C:\Windows\System32\OEIJyzC.exe
  2⤵
  PID:9084
- C:\Windows\System32\MfMWmVM.exe
  C:\Windows\System32\MfMWmVM.exe
  2⤵
  PID:2768
- C:\Windows\System32\pWjQaYZ.exe
  C:\Windows\System32\pWjQaYZ.exe
  2⤵
  PID:8272
- C:\Windows\System32\bFSBgCW.exe
  C:\Windows\System32\bFSBgCW.exe
  2⤵
  PID:9236
- C:\Windows\System32\QglsJxf.exe
  C:\Windows\System32\QglsJxf.exe
  2⤵
  PID:9276
- C:\Windows\System32\chWFrfV.exe
  C:\Windows\System32\chWFrfV.exe
  2⤵
  PID:9304
- C:\Windows\System32\evOumkk.exe
  C:\Windows\System32\evOumkk.exe
  2⤵
  PID:9320
- C:\Windows\System32\JEOkhDg.exe
  C:\Windows\System32\JEOkhDg.exe
  2⤵
  PID:9344
- C:\Windows\System32\TlCQSEG.exe
  C:\Windows\System32\TlCQSEG.exe
  2⤵
  PID:9372
- C:\Windows\System32\oMrYyMB.exe
  C:\Windows\System32\oMrYyMB.exe
  2⤵
  PID:9400
- C:\Windows\System32\pjiZdVc.exe
  C:\Windows\System32\pjiZdVc.exe
  2⤵
  PID:9432
- C:\Windows\System32\nrFwMlM.exe
  C:\Windows\System32\nrFwMlM.exe
  2⤵
  PID:9452
- C:\Windows\System32\SkJdUbr.exe
  C:\Windows\System32\SkJdUbr.exe
  2⤵
  PID:9480
- C:\Windows\System32\qxFCttz.exe
  C:\Windows\System32\qxFCttz.exe
  2⤵
  PID:9504
- C:\Windows\System32\ZgDQjhA.exe
  C:\Windows\System32\ZgDQjhA.exe
  2⤵
  PID:9544
- C:\Windows\System32\VwjctUQ.exe
  C:\Windows\System32\VwjctUQ.exe
  2⤵
  PID:9576
- C:\Windows\System32\bausydI.exe
  C:\Windows\System32\bausydI.exe
  2⤵
  PID:9600
- C:\Windows\System32\FdIPryW.exe
  C:\Windows\System32\FdIPryW.exe
  2⤵
  PID:9640
- C:\Windows\System32\xhicpMn.exe
  C:\Windows\System32\xhicpMn.exe
  2⤵
  PID:9668
- C:\Windows\System32\PRMnPpU.exe
  C:\Windows\System32\PRMnPpU.exe
  2⤵
  PID:9688
- C:\Windows\System32\QFfiWtw.exe
  C:\Windows\System32\QFfiWtw.exe
  2⤵
  PID:9712
- C:\Windows\System32\QaCcWTx.exe
  C:\Windows\System32\QaCcWTx.exe
  2⤵
  PID:9744
- C:\Windows\System32\RflqnAP.exe
  C:\Windows\System32\RflqnAP.exe
  2⤵
  PID:9784
- C:\Windows\System32\RIMQqPc.exe
  C:\Windows\System32\RIMQqPc.exe
  2⤵
  PID:9812
- C:\Windows\System32\EVbkLnP.exe
  C:\Windows\System32\EVbkLnP.exe
  2⤵
  PID:9836
- C:\Windows\System32\brsAmBN.exe
  C:\Windows\System32\brsAmBN.exe
  2⤵
  PID:9856
- C:\Windows\System32\Igvwjfl.exe
  C:\Windows\System32\Igvwjfl.exe
  2⤵
  PID:9876
- C:\Windows\System32\BBOzUlR.exe
  C:\Windows\System32\BBOzUlR.exe
  2⤵
  PID:9904
- C:\Windows\System32\YLScnDj.exe
  C:\Windows\System32\YLScnDj.exe
  2⤵
  PID:9928
- C:\Windows\System32\ARaGXoD.exe
  C:\Windows\System32\ARaGXoD.exe
  2⤵
  PID:9988
- C:\Windows\System32\MNBjoBH.exe
  C:\Windows\System32\MNBjoBH.exe
  2⤵
  PID:10012
- C:\Windows\System32\kbFYNfO.exe
  C:\Windows\System32\kbFYNfO.exe
  2⤵
  PID:10036
- C:\Windows\System32\EilpyeB.exe
  C:\Windows\System32\EilpyeB.exe
  2⤵
  PID:10064
- C:\Windows\System32\FKGzoCv.exe
  C:\Windows\System32\FKGzoCv.exe
  2⤵
  PID:10080
- C:\Windows\System32\RkPDyGo.exe
  C:\Windows\System32\RkPDyGo.exe
  2⤵
  PID:10104
- C:\Windows\System32\SVeFinC.exe
  C:\Windows\System32\SVeFinC.exe
  2⤵
  PID:10128
- C:\Windows\System32\iJOsiGM.exe
  C:\Windows\System32\iJOsiGM.exe
  2⤵
  PID:10180
- C:\Windows\System32\gkfgUMK.exe
  C:\Windows\System32\gkfgUMK.exe
  2⤵
  PID:10208
- C:\Windows\System32\lCxslTS.exe
  C:\Windows\System32\lCxslTS.exe
  2⤵
  PID:10224
- C:\Windows\System32\HocWyDc.exe
  C:\Windows\System32\HocWyDc.exe
  2⤵
  PID:9228
- C:\Windows\System32\XmVOeGp.exe
  C:\Windows\System32\XmVOeGp.exe
  2⤵
  PID:9288
- C:\Windows\System32\nsseKUc.exe
  C:\Windows\System32\nsseKUc.exe
  2⤵
  PID:9384
- C:\Windows\System32\anGmAnR.exe
  C:\Windows\System32\anGmAnR.exe
  2⤵
  PID:9412
- C:\Windows\System32\sRBjuUH.exe
  C:\Windows\System32\sRBjuUH.exe
  2⤵
  PID:9460
- C:\Windows\System32\wXrTzTJ.exe
  C:\Windows\System32\wXrTzTJ.exe
  2⤵
  PID:9520
- C:\Windows\System32\iKruRsN.exe
  C:\Windows\System32\iKruRsN.exe
  2⤵
  PID:9552
- C:\Windows\System32\vxuTzmD.exe
  C:\Windows\System32\vxuTzmD.exe
  2⤵
  PID:9608
- C:\Windows\System32\nqREuuV.exe
  C:\Windows\System32\nqREuuV.exe
  2⤵
  PID:9684
- C:\Windows\System32\etrQTQk.exe
  C:\Windows\System32\etrQTQk.exe
  2⤵
  PID:9804
- C:\Windows\System32\CJiukiX.exe
  C:\Windows\System32\CJiukiX.exe
  2⤵
  PID:9896
- C:\Windows\System32\CkaHOlr.exe
  C:\Windows\System32\CkaHOlr.exe
  2⤵
  PID:9972
- C:\Windows\System32\MyVWrVv.exe
  C:\Windows\System32\MyVWrVv.exe
  2⤵
  PID:10024
- C:\Windows\System32\cuGDiUY.exe
  C:\Windows\System32\cuGDiUY.exe
  2⤵
  PID:10112
- C:\Windows\System32\VBfmwrQ.exe
  C:\Windows\System32\VBfmwrQ.exe
  2⤵
  PID:10156
- C:\Windows\System32\SgfbpXx.exe
  C:\Windows\System32\SgfbpXx.exe
  2⤵
  PID:10216
- C:\Windows\System32\NIFFPAE.exe
  C:\Windows\System32\NIFFPAE.exe
  2⤵
  PID:9264
- C:\Windows\System32\qjkBlwh.exe
  C:\Windows\System32\qjkBlwh.exe
  2⤵
  PID:9428
- C:\Windows\System32\DLzuOPn.exe
  C:\Windows\System32\DLzuOPn.exe
  2⤵
  PID:9444
- C:\Windows\System32\WcPnXfv.exe
  C:\Windows\System32\WcPnXfv.exe
  2⤵
  PID:9736
- C:\Windows\System32\buTHvBL.exe
  C:\Windows\System32\buTHvBL.exe
  2⤵
  PID:9956
- C:\Windows\System32\uotoefA.exe
  C:\Windows\System32\uotoefA.exe
  2⤵
  PID:10120
- C:\Windows\System32\AXedjlp.exe
  C:\Windows\System32\AXedjlp.exe
  2⤵
  PID:9284
- C:\Windows\System32\BoNpXPI.exe
  C:\Windows\System32\BoNpXPI.exe
  2⤵
  PID:9512
- C:\Windows\System32\qXcrUml.exe
  C:\Windows\System32\qXcrUml.exe
  2⤵
  PID:9792
- C:\Windows\System32\fVdXSUN.exe
  C:\Windows\System32\fVdXSUN.exe
  2⤵
  PID:10196
- C:\Windows\System32\LYKkVfa.exe
  C:\Windows\System32\LYKkVfa.exe
  2⤵
  PID:9940
- C:\Windows\System32\gmtzoXn.exe
  C:\Windows\System32\gmtzoXn.exe
  2⤵
  PID:10264
- C:\Windows\System32\taEGrWL.exe
  C:\Windows\System32\taEGrWL.exe
  2⤵
  PID:10292
- C:\Windows\System32\fhKBiWn.exe
  C:\Windows\System32\fhKBiWn.exe
  2⤵
  PID:10336
- C:\Windows\System32\MslhBHA.exe
  C:\Windows\System32\MslhBHA.exe
  2⤵
  PID:10364
- C:\Windows\System32\oattArM.exe
  C:\Windows\System32\oattArM.exe
  2⤵
  PID:10384
- C:\Windows\System32\CemmzAL.exe
  C:\Windows\System32\CemmzAL.exe
  2⤵
  PID:10448
- C:\Windows\System32\SbylkeG.exe
  C:\Windows\System32\SbylkeG.exe
  2⤵
  PID:10468
- C:\Windows\System32\kFRohIl.exe
  C:\Windows\System32\kFRohIl.exe
  2⤵
  PID:10492
- C:\Windows\System32\vfIZNfe.exe
  C:\Windows\System32\vfIZNfe.exe
  2⤵
  PID:10512
- C:\Windows\System32\coHGhXi.exe
  C:\Windows\System32\coHGhXi.exe
  2⤵
  PID:10540
- C:\Windows\System32\HdfdhTx.exe
  C:\Windows\System32\HdfdhTx.exe
  2⤵
  PID:10556
- C:\Windows\System32\clEhAZz.exe
  C:\Windows\System32\clEhAZz.exe
  2⤵
  PID:10596
- C:\Windows\System32\sHmGpCC.exe
  C:\Windows\System32\sHmGpCC.exe
  2⤵
  PID:10632
- C:\Windows\System32\TYvWzlA.exe
  C:\Windows\System32\TYvWzlA.exe
  2⤵
  PID:10648
- C:\Windows\System32\wgNBcrA.exe
  C:\Windows\System32\wgNBcrA.exe
  2⤵
  PID:10676
- C:\Windows\System32\qOlXmtH.exe
  C:\Windows\System32\qOlXmtH.exe
  2⤵
  PID:10728
- C:\Windows\System32\feaFGYZ.exe
  C:\Windows\System32\feaFGYZ.exe
  2⤵
  PID:10752
- C:\Windows\System32\LWDdAlk.exe
  C:\Windows\System32\LWDdAlk.exe
  2⤵
  PID:10776
- C:\Windows\System32\HFbQRVJ.exe
  C:\Windows\System32\HFbQRVJ.exe
  2⤵
  PID:10792
- C:\Windows\System32\EiQIrCC.exe
  C:\Windows\System32\EiQIrCC.exe
  2⤵
  PID:10840
- C:\Windows\System32\DEuBvCg.exe
  C:\Windows\System32\DEuBvCg.exe
  2⤵
  PID:10868
- C:\Windows\System32\QTwTnhZ.exe
  C:\Windows\System32\QTwTnhZ.exe
  2⤵
  PID:10908
- C:\Windows\System32\znNOCky.exe
  C:\Windows\System32\znNOCky.exe
  2⤵
  PID:10928
- C:\Windows\System32\OlfXfLY.exe
  C:\Windows\System32\OlfXfLY.exe
  2⤵
  PID:10944
- C:\Windows\System32\TqoXPvt.exe
  C:\Windows\System32\TqoXPvt.exe
  2⤵
  PID:10968
- C:\Windows\System32\rpjlenm.exe
  C:\Windows\System32\rpjlenm.exe
  2⤵
  PID:11000
- C:\Windows\System32\DxBnmZQ.exe
  C:\Windows\System32\DxBnmZQ.exe
  2⤵
  PID:11020
- C:\Windows\System32\goQFbvG.exe
  C:\Windows\System32\goQFbvG.exe
  2⤵
  PID:11056
- C:\Windows\System32\ETAJmWS.exe
  C:\Windows\System32\ETAJmWS.exe
  2⤵
  PID:11092
- C:\Windows\System32\nmMOhgf.exe
  C:\Windows\System32\nmMOhgf.exe
  2⤵
  PID:11112
- C:\Windows\System32\zeQNBkX.exe
  C:\Windows\System32\zeQNBkX.exe
  2⤵
  PID:11140
- C:\Windows\System32\xWlyBnv.exe
  C:\Windows\System32\xWlyBnv.exe
  2⤵
  PID:11168
- C:\Windows\System32\OwbsXlx.exe
  C:\Windows\System32\OwbsXlx.exe
  2⤵
  PID:11196
- C:\Windows\System32\onIWSmM.exe
  C:\Windows\System32\onIWSmM.exe
  2⤵
  PID:11236
- C:\Windows\System32\IaeAtoI.exe
  C:\Windows\System32\IaeAtoI.exe
  2⤵
  PID:9364
- C:\Windows\System32\bJulnLX.exe
  C:\Windows\System32\bJulnLX.exe
  2⤵
  PID:10272
- C:\Windows\System32\gHykIih.exe
  C:\Windows\System32\gHykIih.exe
  2⤵
  PID:10316
- C:\Windows\System32\oSNlhgF.exe
  C:\Windows\System32\oSNlhgF.exe
  2⤵
  PID:10376
- C:\Windows\System32\GZKOguC.exe
  C:\Windows\System32\GZKOguC.exe
  2⤵
  PID:10504
- C:\Windows\System32\mpuZhRA.exe
  C:\Windows\System32\mpuZhRA.exe
  2⤵
  PID:10552
- C:\Windows\System32\oZguRHB.exe
  C:\Windows\System32\oZguRHB.exe
  2⤵
  PID:10576
- C:\Windows\System32\imhbaiQ.exe
  C:\Windows\System32\imhbaiQ.exe
  2⤵
  PID:10640
- C:\Windows\System32\dymzuWl.exe
  C:\Windows\System32\dymzuWl.exe
  2⤵
  PID:10684
- C:\Windows\System32\iGEHjFw.exe
  C:\Windows\System32\iGEHjFw.exe
  2⤵
  PID:10760
- C:\Windows\System32\BXNAZlR.exe
  C:\Windows\System32\BXNAZlR.exe
  2⤵
  PID:10784
- C:\Windows\System32\wbNZLdi.exe
  C:\Windows\System32\wbNZLdi.exe
  2⤵
  PID:10900
- C:\Windows\System32\haASrrj.exe
  C:\Windows\System32\haASrrj.exe
  2⤵
  PID:10996
- C:\Windows\System32\rEMeMAB.exe
  C:\Windows\System32\rEMeMAB.exe
  2⤵
  PID:11072
- C:\Windows\System32\eRMaBWM.exe
  C:\Windows\System32\eRMaBWM.exe
  2⤵
  PID:11100
- C:\Windows\System32\IwcURAg.exe
  C:\Windows\System32\IwcURAg.exe
  2⤵
  PID:11156
- C:\Windows\System32\KilgxWh.exe
  C:\Windows\System32\KilgxWh.exe
  2⤵
  PID:11220
- C:\Windows\System32\FDKuicC.exe
  C:\Windows\System32\FDKuicC.exe
  2⤵
  PID:10260
- C:\Windows\System32\kXtzblg.exe
  C:\Windows\System32\kXtzblg.exe
  2⤵
  PID:10528
- C:\Windows\System32\kJKuCqv.exe
  C:\Windows\System32\kJKuCqv.exe
  2⤵
  PID:10620
- C:\Windows\System32\EGxDUMy.exe
  C:\Windows\System32\EGxDUMy.exe
  2⤵
  PID:10812
- C:\Windows\System32\EqQbRiS.exe
  C:\Windows\System32\EqQbRiS.exe
  2⤵
  PID:10656
- C:\Windows\System32\Ujgejht.exe
  C:\Windows\System32\Ujgejht.exe
  2⤵
  PID:10976
- C:\Windows\System32\LBqPbmi.exe
  C:\Windows\System32\LBqPbmi.exe
  2⤵
  PID:10664
- C:\Windows\System32\HAWYuZo.exe
  C:\Windows\System32\HAWYuZo.exe
  2⤵
  PID:11308
- C:\Windows\System32\SVPNNVO.exe
  C:\Windows\System32\SVPNNVO.exe
  2⤵
  PID:11328
- C:\Windows\System32\YaWmYaz.exe
  C:\Windows\System32\YaWmYaz.exe
  2⤵
  PID:11360
- C:\Windows\System32\LDptwVS.exe
  C:\Windows\System32\LDptwVS.exe
  2⤵
  PID:11392
- C:\Windows\System32\IVHejib.exe
  C:\Windows\System32\IVHejib.exe
  2⤵
  PID:11412
- C:\Windows\System32\bOGofAN.exe
  C:\Windows\System32\bOGofAN.exe
  2⤵
  PID:11440
- C:\Windows\System32\qRTyHrC.exe
  C:\Windows\System32\qRTyHrC.exe
  2⤵
  PID:11492
- C:\Windows\System32\uFJMIeO.exe
  C:\Windows\System32\uFJMIeO.exe
  2⤵
  PID:11516
- C:\Windows\System32\XCywpGa.exe
  C:\Windows\System32\XCywpGa.exe
  2⤵
  PID:11536
- C:\Windows\System32\SuxCEki.exe
  C:\Windows\System32\SuxCEki.exe
  2⤵
  PID:11560
- C:\Windows\System32\DlzCZWl.exe
  C:\Windows\System32\DlzCZWl.exe
  2⤵
  PID:11600
- C:\Windows\System32\xudmjVC.exe
  C:\Windows\System32\xudmjVC.exe
  2⤵
  PID:11636
- C:\Windows\System32\ZELlmXY.exe
  C:\Windows\System32\ZELlmXY.exe
  2⤵
  PID:11660
- C:\Windows\System32\KWZOUnR.exe
  C:\Windows\System32\KWZOUnR.exe
  2⤵
  PID:11692
- C:\Windows\System32\MDqcDZr.exe
  C:\Windows\System32\MDqcDZr.exe
  2⤵
  PID:11716
- C:\Windows\System32\nnQEkWe.exe
  C:\Windows\System32\nnQEkWe.exe
  2⤵
  PID:11736
- C:\Windows\System32\omXqNtO.exe
  C:\Windows\System32\omXqNtO.exe
  2⤵
  PID:11756
- C:\Windows\System32\ddufZiK.exe
  C:\Windows\System32\ddufZiK.exe
  2⤵
  PID:11780
- C:\Windows\System32\luRJrjk.exe
  C:\Windows\System32\luRJrjk.exe
  2⤵
  PID:11800
- C:\Windows\System32\qtJegJN.exe
  C:\Windows\System32\qtJegJN.exe
  2⤵
  PID:11828
- C:\Windows\System32\wwcBkme.exe
  C:\Windows\System32\wwcBkme.exe
  2⤵
  PID:11852
- C:\Windows\System32\DEgAEmL.exe
  C:\Windows\System32\DEgAEmL.exe
  2⤵
  PID:11920
- C:\Windows\System32\BZyyTGB.exe
  C:\Windows\System32\BZyyTGB.exe
  2⤵
  PID:11948
- C:\Windows\System32\bRtUGiL.exe
  C:\Windows\System32\bRtUGiL.exe
  2⤵
  PID:11972
- C:\Windows\System32\ABBbrJZ.exe
  C:\Windows\System32\ABBbrJZ.exe
  2⤵
  PID:11996
- C:\Windows\System32\UyXrNJF.exe
  C:\Windows\System32\UyXrNJF.exe
  2⤵
  PID:12016
- C:\Windows\System32\udxhpPF.exe
  C:\Windows\System32\udxhpPF.exe
  2⤵
  PID:12056
- C:\Windows\System32\MeyVwaS.exe
  C:\Windows\System32\MeyVwaS.exe
  2⤵
  PID:12084
- C:\Windows\System32\koqDeKk.exe
  C:\Windows\System32\koqDeKk.exe
  2⤵
  PID:12112
- C:\Windows\System32\iMPDqcb.exe
  C:\Windows\System32\iMPDqcb.exe
  2⤵
  PID:12132
- C:\Windows\System32\AjJlzHf.exe
  C:\Windows\System32\AjJlzHf.exe
  2⤵
  PID:12156
- C:\Windows\System32\ALgbwMQ.exe
  C:\Windows\System32\ALgbwMQ.exe
  2⤵
  PID:12172
- C:\Windows\System32\sNzEbaC.exe
  C:\Windows\System32\sNzEbaC.exe
  2⤵
  PID:12192
- C:\Windows\System32\Lqnjsnm.exe
  C:\Windows\System32\Lqnjsnm.exe
  2⤵
  PID:12216
- C:\Windows\System32\JZYcyOa.exe
  C:\Windows\System32\JZYcyOa.exe
  2⤵
  PID:12264
- C:\Windows\System32\aOgnlwR.exe
  C:\Windows\System32\aOgnlwR.exe
  2⤵
  PID:12284
- C:\Windows\System32\SJUJxic.exe
  C:\Windows\System32\SJUJxic.exe
  2⤵
  PID:10712
- C:\Windows\System32\SipCAkn.exe
  C:\Windows\System32\SipCAkn.exe
  2⤵
  PID:11084
- C:\Windows\System32\KiARUZf.exe
  C:\Windows\System32\KiARUZf.exe
  2⤵
  PID:10408
- C:\Windows\System32\wIFbAkw.exe
  C:\Windows\System32\wIFbAkw.exe
  2⤵
  PID:11348
- C:\Windows\System32\DjBBsFD.exe
  C:\Windows\System32\DjBBsFD.exe
  2⤵
  PID:11448
- C:\Windows\System32\iEJZjqN.exe
  C:\Windows\System32\iEJZjqN.exe
  2⤵
  PID:11460
- C:\Windows\System32\sJpmnjs.exe
  C:\Windows\System32\sJpmnjs.exe
  2⤵
  PID:11528
- C:\Windows\System32\rfQWTAi.exe
  C:\Windows\System32\rfQWTAi.exe
  2⤵
  PID:11584
- C:\Windows\System32\gMCSvKO.exe
  C:\Windows\System32\gMCSvKO.exe
  2⤵
  PID:11668
- C:\Windows\System32\bzJyXJY.exe
  C:\Windows\System32\bzJyXJY.exe
  2⤵
  PID:11728
- C:\Windows\System32\QteViYO.exe
  C:\Windows\System32\QteViYO.exe
  2⤵
  PID:11764
- C:\Windows\System32\vNwnHCv.exe
  C:\Windows\System32\vNwnHCv.exe
  2⤵
  PID:11868
- C:\Windows\System32\PJLZzjU.exe
  C:\Windows\System32\PJLZzjU.exe
  2⤵
  PID:4992
- C:\Windows\System32\gFQvqqx.exe
  C:\Windows\System32\gFQvqqx.exe
  2⤵
  PID:12008
- C:\Windows\System32\knSuyvc.exe
  C:\Windows\System32\knSuyvc.exe
  2⤵
  PID:12096
- C:\Windows\System32\qAiAoCG.exe
  C:\Windows\System32\qAiAoCG.exe
  2⤵
  PID:12152
- C:\Windows\System32\zJVUdSw.exe
  C:\Windows\System32\zJVUdSw.exe
  2⤵
  PID:12168
- C:\Windows\System32\KQEscRA.exe
  C:\Windows\System32\KQEscRA.exe
  2⤵
  PID:4836
- C:\Windows\System32\BYbgBTI.exe
  C:\Windows\System32\BYbgBTI.exe
  2⤵
  PID:11284
- C:\Windows\System32\vRDGHTQ.exe
  C:\Windows\System32\vRDGHTQ.exe
  2⤵
  PID:11292
- C:\Windows\System32\ZTXaOTu.exe
  C:\Windows\System32\ZTXaOTu.exe
  2⤵
  PID:11012
- C:\Windows\System32\ojUNdtL.exe
  C:\Windows\System32\ojUNdtL.exe
  2⤵
  PID:11368
- C:\Windows\System32\PzpEbZn.exe
  C:\Windows\System32\PzpEbZn.exe
  2⤵
  PID:11476
- C:\Windows\System32\kzcwEqu.exe
  C:\Windows\System32\kzcwEqu.exe
  2⤵
  PID:11576
- C:\Windows\System32\WATEgYE.exe
  C:\Windows\System32\WATEgYE.exe
  2⤵
  PID:836
- C:\Windows\System32\LgUOcwp.exe
  C:\Windows\System32\LgUOcwp.exe
  2⤵
  PID:11860
- C:\Windows\System32\SxlkMEc.exe
  C:\Windows\System32\SxlkMEc.exe
  2⤵
  PID:12128
- C:\Windows\System32\ybiSVZE.exe
  C:\Windows\System32\ybiSVZE.exe
  2⤵
  PID:12224
- C:\Windows\System32\oKgyhtv.exe
  C:\Windows\System32\oKgyhtv.exe
  2⤵
  PID:11300
- C:\Windows\System32\qPUCcNu.exe
  C:\Windows\System32\qPUCcNu.exe
  2⤵
  PID:11512
- C:\Windows\System32\chCwsnm.exe
  C:\Windows\System32\chCwsnm.exe
  2⤵
  PID:11676
- C:\Windows\System32\lPZojag.exe
  C:\Windows\System32\lPZojag.exe
  2⤵
  PID:12036
- C:\Windows\System32\gXwnOdK.exe
  C:\Windows\System32\gXwnOdK.exe
  2⤵
  PID:11272
- C:\Windows\System32\dYDJobb.exe
  C:\Windows\System32\dYDJobb.exe
  2⤵
  PID:3868
- C:\Windows\System32\sfRYHQc.exe
  C:\Windows\System32\sfRYHQc.exe
  2⤵
  PID:12308
- C:\Windows\System32\GbzFKgL.exe
  C:\Windows\System32\GbzFKgL.exe
  2⤵
  PID:12328
- C:\Windows\System32\cAcsPlS.exe
  C:\Windows\System32\cAcsPlS.exe
  2⤵
  PID:12348
- C:\Windows\System32\lagGYdS.exe
  C:\Windows\System32\lagGYdS.exe
  2⤵
  PID:12376
- C:\Windows\System32\EFPQurC.exe
  C:\Windows\System32\EFPQurC.exe
  2⤵
  PID:12396
- C:\Windows\System32\oeNwHge.exe
  C:\Windows\System32\oeNwHge.exe
  2⤵
  PID:12428
- C:\Windows\System32\jkLdiyQ.exe
  C:\Windows\System32\jkLdiyQ.exe
  2⤵
  PID:12488
- C:\Windows\System32\BAMmpcV.exe
  C:\Windows\System32\BAMmpcV.exe
  2⤵
  PID:12512
- C:\Windows\System32\QkkvdIC.exe
  C:\Windows\System32\QkkvdIC.exe
  2⤵
  PID:12540
- C:\Windows\System32\queKLhE.exe
  C:\Windows\System32\queKLhE.exe
  2⤵
  PID:12556
- C:\Windows\System32\TzRlMRE.exe
  C:\Windows\System32\TzRlMRE.exe
  2⤵
  PID:12588
- C:\Windows\System32\RzhqzHC.exe
  C:\Windows\System32\RzhqzHC.exe
  2⤵
  PID:12612
- C:\Windows\System32\ziBmMer.exe
  C:\Windows\System32\ziBmMer.exe
  2⤵
  PID:12632
- C:\Windows\System32\DOKbjQt.exe
  C:\Windows\System32\DOKbjQt.exe
  2⤵
  PID:12652
- C:\Windows\System32\wHLUYGS.exe
  C:\Windows\System32\wHLUYGS.exe
  2⤵
  PID:12716
- C:\Windows\System32\OSNGsmY.exe
  C:\Windows\System32\OSNGsmY.exe
  2⤵
  PID:12736
- C:\Windows\System32\CsqGunM.exe
  C:\Windows\System32\CsqGunM.exe
  2⤵
  PID:12752
- C:\Windows\System32\OPIVJrE.exe
  C:\Windows\System32\OPIVJrE.exe
  2⤵
  PID:12780
- C:\Windows\System32\tvxMYLS.exe
  C:\Windows\System32\tvxMYLS.exe
  2⤵
  PID:12804
- C:\Windows\System32\DENOtFP.exe
  C:\Windows\System32\DENOtFP.exe
  2⤵
  PID:12828
- C:\Windows\System32\JrPrnDt.exe
  C:\Windows\System32\JrPrnDt.exe
  2⤵
  PID:12860
- C:\Windows\System32\AaaUDGI.exe
  C:\Windows\System32\AaaUDGI.exe
  2⤵
  PID:12888
- C:\Windows\System32\ZnAcjRj.exe
  C:\Windows\System32\ZnAcjRj.exe
  2⤵
  PID:12912
- C:\Windows\System32\PbepkTL.exe
  C:\Windows\System32\PbepkTL.exe
  2⤵
  PID:12956
- C:\Windows\System32\pmqbEEr.exe
  C:\Windows\System32\pmqbEEr.exe
  2⤵
  PID:12992
- C:\Windows\System32\FEWhYbx.exe
  C:\Windows\System32\FEWhYbx.exe
  2⤵
  PID:13032
- C:\Windows\System32\GpTOwNL.exe
  C:\Windows\System32\GpTOwNL.exe
  2⤵
  PID:13048
- C:\Windows\System32\FfBdOnV.exe
  C:\Windows\System32\FfBdOnV.exe
  2⤵
  PID:13072
- C:\Windows\System32\rsDmWpV.exe
  C:\Windows\System32\rsDmWpV.exe
  2⤵
  PID:13096
- C:\Windows\System32\zPrMAeq.exe
  C:\Windows\System32\zPrMAeq.exe
  2⤵
  PID:13120
- C:\Windows\System32\HeDQyZG.exe
  C:\Windows\System32\HeDQyZG.exe
  2⤵
  PID:13160
- C:\Windows\System32\MKUgTSA.exe
  C:\Windows\System32\MKUgTSA.exe
  2⤵
  PID:13184
- C:\Windows\System32\kbIRfmc.exe
  C:\Windows\System32\kbIRfmc.exe
  2⤵
  PID:13204
- C:\Windows\System32\YUTgaAn.exe
  C:\Windows\System32\YUTgaAn.exe
  2⤵
  PID:13240
- C:\Windows\System32\upqMKhj.exe
  C:\Windows\System32\upqMKhj.exe
  2⤵
  PID:13268
- C:\Windows\System32\rWZdICa.exe
  C:\Windows\System32\rWZdICa.exe
  2⤵
  PID:13296
- C:\Windows\System32\BTVNBnP.exe
  C:\Windows\System32\BTVNBnP.exe
  2⤵
  PID:12292
- C:\Windows\System32\rSmIkaw.exe
  C:\Windows\System32\rSmIkaw.exe
  2⤵
  PID:12356
- C:\Windows\System32\GhLSvfH.exe
  C:\Windows\System32\GhLSvfH.exe
  2⤵
  PID:540
- C:\Windows\System32\gySMMQU.exe
  C:\Windows\System32\gySMMQU.exe
  2⤵
  PID:12464
- C:\Windows\System32\nUkMJRW.exe
  C:\Windows\System32\nUkMJRW.exe
  2⤵
  PID:2004
- C:\Windows\System32\AiUSRNg.exe
  C:\Windows\System32\AiUSRNg.exe
  2⤵
  PID:12496
- C:\Windows\System32\XByBoDk.exe
  C:\Windows\System32\XByBoDk.exe
  2⤵
  PID:12532
- C:\Windows\System32\uGZvrrU.exe
  C:\Windows\System32\uGZvrrU.exe
  2⤵
  PID:12596
- C:\Windows\System32\VrJmTji.exe
  C:\Windows\System32\VrJmTji.exe
  2⤵
  PID:12728
- C:\Windows\System32\lJZYDmO.exe
  C:\Windows\System32\lJZYDmO.exe
  2⤵
  PID:12764
- C:\Windows\System32\IXmxBaL.exe
  C:\Windows\System32\IXmxBaL.exe
  2⤵
  PID:12800
- C:\Windows\System32\lFjDSwq.exe
  C:\Windows\System32\lFjDSwq.exe
  2⤵
  PID:12896
- C:\Windows\System32\EqpyGhR.exe
  C:\Windows\System32\EqpyGhR.exe
  2⤵
  PID:12948
- C:\Windows\System32\KkKkjGa.exe
  C:\Windows\System32\KkKkjGa.exe
  2⤵
  PID:13040
- C:\Windows\System32\lYixnyn.exe
  C:\Windows\System32\lYixnyn.exe
  2⤵
  PID:13092
- C:\Windows\System32\jPzYxXB.exe
  C:\Windows\System32\jPzYxXB.exe
  2⤵
  PID:13156
- C:\Windows\System32\kjnSrkd.exe
  C:\Windows\System32\kjnSrkd.exe
  2⤵
  PID:13216

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BXELbYe.exe

Filesize
2.0MB

MD5
dcf8d296613b811c1ab501b79b361f11

SHA1
fe3393d18fe6346d96a2f5c8968a46339cda7e2b

SHA256
c5a5f9fca6c2c2dffb61321b3ad294e8b6eaba450b24720e40677475057d3ced

SHA512
06cf85a71755f7dbec926cdaf72e0ef59e2ac54dd7274d75f6b39815f8b779bf92b4dfc5c9b6a34761bfca7e972bd809842850b1dfcbda23602404052f8ea814

Download Submit
C:\Windows\System32\CULPpwa.exe

Filesize
2.0MB

MD5
4b91601a747a3365fbc1c3d887278f0e

SHA1
afb6e3d35af7faded1080c937bde377615c0f345

SHA256
e06133d0a5a783287a005ef13ab88bd89b62fe9c4bf3f4296b1e7c5a80d0ccb2

SHA512
0dc089f746e4eb3e125e644df3ca72886db484530d6d29f5293b4f559ba42d50955a25579f79ee9afa599bb4a7c91f222f9b2ef65b6f15d425543f201e07bf79

Download Submit
C:\Windows\System32\ETSgKnE.exe

Filesize
2.0MB

MD5
5757022b26d8adb3074e0e86a7ad6858

SHA1
905eb3b2c8301068721b060889e2a5b6c550d431

SHA256
f1d60b63269ef897251b77c2e9cda9c1d8cd185735ad5f31b3bc9d536ac83d2f

SHA512
0d69ee39cd1b0ccc58f8f3956f907158bc0ce9c5ec578d07c9d9bce5ca030cb6cb19b84cbd3315807e8935aec1efd49e09d1185fc2ddaaaf816c4c1d9e2f1a01

Download Submit
C:\Windows\System32\KCHiuKm.exe

Filesize
2.0MB

MD5
4bf9ce6bb9e678aba05c4cbbbbaee88f

SHA1
f4c63d939fde9730b6f1b7afc77c119f2abd33ff

SHA256
1b4c5a056c2df910684e7c63febbde064bb8154de82273e2ddccc879cf26af31

SHA512
27e9b002f3ab5fbeda52722a7c19edf5272cdeaa8af2ce674a5fb59fee24c925f7705a8a982ad936ec8d8d02f5eefdb88ec568aed61ea969b1a7b6b99a36b5a3

Download Submit
C:\Windows\System32\KfEpAQM.exe

Filesize
2.0MB

MD5
2426bdeee3eaf8a952033f08c9f6611c

SHA1
4681de6dce99827b969efa5cc175bb90f4cfe781

SHA256
e958e1f32ca7a4b6b09c8e40841d1038d7dd1ff73b0d87996cfe5dc725e6f41f

SHA512
9a54b51a1a1e06c07371a2f0237a7298e86957f1e77cce76ac53eeb41e3eedd97098cd9734c3a1732db5347e55e7d176f8761017153328edaac7cf8d5536c993

Download Submit
C:\Windows\System32\NBZcAtL.exe

Filesize
2.0MB

MD5
b5a3eb3ddb768f4f7ad32651e4744c70

SHA1
954ffba70f2b16c4eec88bdfc6c69fbaa0137c5c

SHA256
d37511b05502cef44bbc5303b75777c779f4d2b65f828174ae8dc55749c9cf00

SHA512
253eedfafc67094e3ac77b5b60d9b91ee4c5d3768cc176770ce969e39454eb62c1b619e3cfb741ec5cdc98ca7ce93408f99a8c2b6fc1b03cf94608643c23bc96

Download Submit
C:\Windows\System32\PJulNDS.exe

Filesize
2.0MB

MD5
0636f18cd9a1d1b1c29a9c09669cbfd2

SHA1
acb1f2d8b03cd727fd13c5e6cbb4195b1cb589ab

SHA256
729c24d8c4aa074dcd1a36798b5832700b9d2dd754d84b27b60095bbf98f8a5c

SHA512
b55a20f71378ee103f40fa12e2418d62895ae23812cd1520dc0d7b42626010c3fceac8e918fb59f9722e65fe0a381042be86531f0635818838a9460bc301503f

Download Submit
C:\Windows\System32\QOittbf.exe

Filesize
2.0MB

MD5
d9448c50bf2a45e8e242975e3957dc5d

SHA1
241cca373507a0b3fbf387dfd7ece993bc6b0d2a

SHA256
0c2764ec3b7e4fc8e183e35e5bec903276528fe0c2249eb7d0f805668de46129

SHA512
286145a710909cb54d089eb46d47c54af15dea3bd709cd7f860d8d8a0749f5e1995c5535a751d8f2a54f9fe3863f61d1c354153b8edd007f7df0e5aea49268e0

Download Submit
C:\Windows\System32\RiVTGFz.exe

Filesize
2.0MB

MD5
b5de7f09f306f08244bc9cdb4b9612df

SHA1
9761a0ee5b8dcc4f07b6320f28118814d1ac8ebe

SHA256
4ee5a5ff13917b0edcfade4ba1902d51c9f61fbbab3c1e96a6b801e3ac531c31

SHA512
ab96d987378692d6208c360dd0392f0996bc976c3523dd1fc7c75d493ca22046317e1b3294fc8a8f971a4191b5030d9ef0b223cd04912f93cdfc5ac31374b3da

Download Submit
C:\Windows\System32\TpLUAxG.exe

Filesize
2.0MB

MD5
6b45a84d8c12b68583f22c7d44b43bf0

SHA1
5e7f4ed8be72f5b1c09f4fc73c630cc5cc645c8b

SHA256
ea821396c2e20d11adc3503342ed75f312dd5d20424517cc0452580265d8caa3

SHA512
710c26725b4346b9e0fefde2ec5303e65d28c1555b77a38b1e4380fa0c2aea0bfb506760aaaece24b00376f896ab3871e04606bc0e4fe127ffd98cf510621b55

Download Submit
C:\Windows\System32\VzbsESb.exe

Filesize
2.0MB

MD5
90a490c46eb0a028051ba08da7a62d0a

SHA1
3c7ef20a781a3f80ad65a5a0a974a7d92860abe8

SHA256
802a52658dfa9dc26ef3acea0546aab0dae53dab977e236b10515556a1d284ea

SHA512
ea5a73444d14d933614c1ebe7032230aa5ff0c84d6f641cbad085aa601764b362c6a312328b36483263a7a807e805807ffaddd4ec243062c1dc6e2f19e3e9bca

Download Submit
C:\Windows\System32\WmpsEtT.exe

Filesize
2.0MB

MD5
07c07dddd38736d50333a8334aceed25

SHA1
1c523c253a57e67731985b232e7ebf62414e25aa

SHA256
7514a43d7e42e8d227c917ecf148a6f551356b64fedb6acf99112e88614e3b94

SHA512
1c82a2a34380e2dc8ff32420241ca8df796e90b669bbb5649dbd8b2a429711bdf279602161a63abfa91a7566a56d70363f66721b3bf4c0e2a21ce132bbf93b19

Download Submit
C:\Windows\System32\YycEQwh.exe

Filesize
2.0MB

MD5
fe107ba59efc116b8cbc10c967dbbc22

SHA1
72aef64a25c88508946e07ada3bd930ab8e88e18

SHA256
20d94a84717f50d04c8227c05a50a045aa4c6b0a3b8ec06a48d83d4795054a35

SHA512
88eb8cd6a9e1e96add6535d718e13f56fdf8d5654777bae87bf60c93646c0b7cf52b4112373a138feccae77976d5d0cd1de3debbc96e62cd3638a694af373f13

Download Submit
C:\Windows\System32\glXCuYF.exe

Filesize
2.0MB

MD5
21d26c68f366db7919d57ad1157d78ef

SHA1
0f5807fba81eb390ddd162a0ab668383e3420fa5

SHA256
366d103c1a194ca4cecda11d27afc20f894e2e8a2cd173c59eb85c0be0702108

SHA512
93729c03a39495634f0f110b4ecf3d63a417ad96a7c2fd2a40b314b5d38d5961a8e6d3131ea7c7b9a6783f35ae377825b2b9d7e938d112542f8168cf1e7dafa8

Download Submit
C:\Windows\System32\iGFqIWs.exe

Filesize
2.0MB

MD5
ee4209230b2050f5fd4dc855300335c4

SHA1
251c846e8383823a6b4faa4a4f7ad00928167380

SHA256
cb0dfc091c10fc4e8e2e9d0ac8b1f3e6b1e6e2d436ade3ddc5b94b5def2b80e1

SHA512
45abb8220ddde2bb8d09154519652b54ff350fa24fd7a82a7cbd6236b929528087075e0dd753d611b7cbd27f4a23e1e22e43327d3a7b3756c44b70ef877fac36

Download Submit
C:\Windows\System32\ixoKfae.exe

Filesize
2.0MB

MD5
1bd1edd7f3ff01964fd9ba9e3145de75

SHA1
23ae49a79531b6970268415370efc62f695ff5e6

SHA256
b6dcb22bf46fb748c02a6c337a7c2aa0e5f352d4979e57c6fdd2ca90b6c47387

SHA512
3e4715ded224878151031bf15364dd629a3fd8c3cc511296fa9532a645b9f213a24be8c6cdf5fe43320b574f6e8173bb5aba9b68acdd30932ac675422ae3d850

Download Submit
C:\Windows\System32\kKIgqoP.exe

Filesize
2.0MB

MD5
7a48c3897224e4b2e34f431c226d5aa1

SHA1
529c467007c36e2d3a071eb83e1c0a4bb94ad9dd

SHA256
d9f30b2125d50c1d727056b3b5dbea65045f3046aac148f8d09761d505739e7d

SHA512
39b14d9bad6effcd8c8193fc85dad66c90561fa863677edb31554933ce0fc7649b21d91fff666f4ee301968ebaa7c6a1cad2f18f81d95cfebb3565d07e16c374

Download Submit
C:\Windows\System32\kZSXpps.exe

Filesize
2.0MB

MD5
aff972e5c7a4e1136a889b34a6c9d620

SHA1
77c5b6a9dfc224b47033c39907c3fe64b46b11f2

SHA256
91467eb1ee64aac088bc31728f151548bd3a6c4c31f2c5e85f2bad1a300914fe

SHA512
0615ad5bea459fcacaf3e5b68d5184f1b2ba2f6e4d325d25e5f17fcdc0b715bf859fdfe41a192ed745893ab4ecf231485dc9846cf99f3b60ee6c72559ced8d85

Download Submit
C:\Windows\System32\knWZhDV.exe

Filesize
2.0MB

MD5
3ef01c3b5dc3fc6316d90dabd912003d

SHA1
fd299f93c8212bee8283ab07fd226c570cf2e761

SHA256
4f74131167b0ed1a15cd8a19f1261040c61004d7a4c0d584f828edd67600f628

SHA512
5a663b49436ac20a1dc2c1e26e1f0d76243df43c896b5fdef51fcbd5e47eaef820c1cf2e97471b3d23a5b34c92246315a785af495d2acfb07a7331fde7e50ef4

Download Submit
C:\Windows\System32\lbWfgxF.exe

Filesize
2.0MB

MD5
d1c2ee8167cfaebb71cdf6371139451a

SHA1
50be5e456fcae0c7acd39ca8b49722388cddacb2

SHA256
8a960db8da8c9fda3108270a3fc9da54c1df580572c21300e834ef66fc9ee38d

SHA512
0b3d9cbc26da98342c3859e1b5699ef4fff0dd71635c2e502b5becb4f0f0e4fd8c2e6cd5cc78d91accdd60cde7cf916dfea509cec3fcdf4c20a41983cb970089

Download Submit
C:\Windows\System32\luujxbk.exe

Filesize
2.0MB

MD5
69eeffc2efeb4ee86ba0a6f7c6c8bc6d

SHA1
6feb6cf0679c4ba54384e947aa152b2d30059ce9

SHA256
da8b942e4761b54b09326fad00929c66abc8bd4c11878565d546cffdb7a9a320

SHA512
a21cf1bdfee35dac3f55d3c5d43a4c78ed0635e9a8c5056dad04519c1c676e537b98a8f6f0d4d501cc3ea30cb4c15257462039424164bca303c653cfa92c620c

Download Submit
C:\Windows\System32\pebFPsA.exe

Filesize
2.0MB

MD5
6dfb593eb5b1954e7de9ad86f77b16f7

SHA1
bc85ad6746caf07d5bf56299080407cecb6891a7

SHA256
15cccd2356ede2ab760951044ceed7f31c6c1f1a741e421480d4be0e7ce24a69

SHA512
e721cf55907de04d35f60771ff938fb7f69aa28c8836249846313cdade83c282492a4dc9481e2f93251e6d69fdf9e0dc1169f7e488443623e14188dea9a7ca53

Download Submit
C:\Windows\System32\pfxoFlP.exe

Filesize
2.0MB

MD5
c1b1b3c2c0c6fe56f327ec683927f17f

SHA1
86136c7d7053b242cb4bfd60782b5d70e2bcbb1c

SHA256
66c8bc48477a1d061b14b6b8b3bb5c58b4e195d05839d3b485ef25102fe0175d

SHA512
61ef30f3a4c8f470db972b4f09926c6d4b177ec8a1e3f423e9703bf426b5a7e87b9696f01f4e31081d3bfcf86f00dbbbdebce9f4e8e83071fc2b7afc8fe94714

Download Submit
C:\Windows\System32\qflmhTj.exe

Filesize
2.0MB

MD5
a39d0ea5027f398738bbdab801b17e07

SHA1
18466eb47794acbf19122fc77c4e7d45117bac4a

SHA256
c2ff770962cbe354e2e7fa4ec2d2a1fa6eb29171301e7667994d6c604172b2f7

SHA512
f0c80e35eca354ad95ced07285c4142513896e36a1cfcb51f433705899744787042ee5ca3d7f495821b977133a1ccfab1340f0123bfe888ebeb6a630c023ca23

Download Submit
C:\Windows\System32\sTWlRWi.exe

Filesize
2.0MB

MD5
e520176b3cd11f85b48382af0efc7ef8

SHA1
691a65b71facc47a3b263beac4456a391a25a2d2

SHA256
cbea538584d20681a9b6849a6b15ffdcbe87135bff2c85eaf31cd01546a562f0

SHA512
616edc8b8613b8c1ca49079b777c59193b1e80c73fb16e1b365a81cca8d75321ad912c1f090f5bb7d0c4c7dc20ef7a53e6f46ec8dff836d147e2d18968be6e93

Download Submit
C:\Windows\System32\tRAuoSU.exe

Filesize
2.0MB

MD5
b6cf93abf070c85eb6f47728c20d6acb

SHA1
8122f022ff900364141ba9544e640a4fb1dfa306

SHA256
3b2527678753498fc0f8e9ea579b0cf398891e635c50f5d1b74b1caa3188bcdf

SHA512
97f6e92828fa4b4d45704bf5bdd3dc01e7a3d51534a5628ec6544823d8ac6cd7cd9c663a42168097f29a09cd03d579d41c096f2b18eddc4b586ee643d09c86ec

Download Submit
C:\Windows\System32\tgpJHKj.exe

Filesize
2.0MB

MD5
7bb98cbfdc177b555e98863a0a724777

SHA1
7b16417ed6db77f7823a5515384f93ae47125e47

SHA256
31c45a0cdc7f23ef2dd53d8b976778d27987b78f0cea9e4386874a024be17795

SHA512
8b9a93e8610ca4871e41e00e69087a3e83982095e3a99bff0ce97431621b65600c2e77f63d4321c2643bd93ce41ee7e62fddecb9c1326b15bd97edda89a56ce9

Download Submit
C:\Windows\System32\twFfDxg.exe

Filesize
2.0MB

MD5
c28cfaad70751d35beaf281ad9f60055

SHA1
b104954528fe769aa7948ede2a64f9d8b4b17994

SHA256
23fd68f5a53a1dd6ace11a11be28b7034063020ed39c4ca31605413eddccef6f

SHA512
29487505872c54bd4bcee99d0cb85255f386d34cab0154b386dd55a5997d2b1135383532c707515e6f9c58aa692f9ff3d776c3f51a337ac1b9a01f39144ec4b9

Download Submit
C:\Windows\System32\vTJCnWA.exe

Filesize
2.0MB

MD5
ac6e50886b5e4f58f9a1dee13de771e1

SHA1
05f666eafe05477b652f2de64fbba47a909cdafb

SHA256
3ac8ec07010ee9c1f91c95570402d190aefd9d0d364e1530718fac07536d79c1

SHA512
6a4307d477c481da8c1d269f2ec1e5f62f4af959a43a238b37ac2335e6d342d1121d1a49da2c56e7d2207eba05e586d4855282d775f09ec73da5d738b9572784

Download Submit
C:\Windows\System32\xBcbUbT.exe

Filesize
2.0MB

MD5
f6f411da78f50a83a5b09e6a2c43c7b8

SHA1
bd3fbf5415b70fcc1b7994011847f139bf5f91e3

SHA256
5815df7345ecdb1f7ac720cdf4054e9ba0e14640282ba52e0a19294b2ea06c6c

SHA512
fca45b8f94cabd13da4ebcff2ec7e85e8d94429e5878fc280fafc199d8f3646bdfa87a7e0720c29b6a81bfa6ecfe146cc2f87a13089b2325d7dae1797d39537a

Download Submit
C:\Windows\System32\yJyEwoF.exe

Filesize
2.0MB

MD5
73ecb85a7ed70b90f7c938e1cf78e169

SHA1
c98e17de5e4f0dc320dd0093b9f014f805bbd50b

SHA256
abe4606716dfdd80cd9b4bb8f955daccd6df41dd2aa9ec588a244676dbe82892

SHA512
8b0f5bc8095dcec32971aab3cccb33fca3dfece3e0543d5e010532a5c655517a5f6c08953e8d12c04e5dc4291e60740bb44367d6e2b351e0906c73856c50e7f6

Download Submit
C:\Windows\System32\yrEOFoq.exe

Filesize
2.0MB

MD5
f7c9123bb7542ca2990400659043627c

SHA1
873399ec8c18cbe1e1e26ca776584bfcb1961ddd

SHA256
4c335beb3d8a2e19cf68e7c8f364cee2cc6a464ff0af4f7ac3148378920b70a6

SHA512
394799137b853c8baf14362ab2c3e8416d9d0d4ee90889aed70a73b0c49e0095dd4e3c5fca1aa6392036b554448aed89f6c8a2de77381ee61d828ab8b0520168

Download Submit
memory/460-328-0x00007FF7453B0000-0x00007FF7457A1000-memory.dmp

Filesize
3.9MB

Download
memory/460-2055-0x00007FF7453B0000-0x00007FF7457A1000-memory.dmp

Filesize
3.9MB

Download
memory/908-2051-0x00007FF7A42C0000-0x00007FF7A46B1000-memory.dmp

Filesize
3.9MB

Download
memory/908-326-0x00007FF7A42C0000-0x00007FF7A46B1000-memory.dmp

Filesize
3.9MB

Download
memory/1032-344-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp

Filesize
3.9MB

Download
memory/1032-2037-0x00007FF6B5C30000-0x00007FF6B6021000-memory.dmp

Filesize
3.9MB

Download
memory/1076-309-0x00007FF643000000-0x00007FF6433F1000-memory.dmp

Filesize
3.9MB

Download
memory/1076-2039-0x00007FF643000000-0x00007FF6433F1000-memory.dmp

Filesize
3.9MB

Download
memory/1148-339-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp

Filesize
3.9MB

Download
memory/1148-2023-0x00007FF79B6A0000-0x00007FF79BA91000-memory.dmp

Filesize
3.9MB

Download
memory/1404-340-0x00007FF6F5F20000-0x00007FF6F6311000-memory.dmp

Filesize
3.9MB

Download
memory/1404-2031-0x00007FF6F5F20000-0x00007FF6F6311000-memory.dmp

Filesize
3.9MB

Download
memory/1448-2033-0x00007FF60F080000-0x00007FF60F471000-memory.dmp

Filesize
3.9MB

Download
memory/1448-341-0x00007FF60F080000-0x00007FF60F471000-memory.dmp

Filesize
3.9MB

Download
memory/1896-2029-0x00007FF7AA3D0000-0x00007FF7AA7C1000-memory.dmp

Filesize
3.9MB

Download
memory/1896-69-0x00007FF7AA3D0000-0x00007FF7AA7C1000-memory.dmp

Filesize
3.9MB

Download
memory/2300-2015-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp

Filesize
3.9MB

Download
memory/2300-8-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp

Filesize
3.9MB

Download
memory/2300-1971-0x00007FF72AB40000-0x00007FF72AF31000-memory.dmp

Filesize
3.9MB

Download
memory/2488-2017-0x00007FF632610000-0x00007FF632A01000-memory.dmp

Filesize
3.9MB

Download
memory/2488-17-0x00007FF632610000-0x00007FF632A01000-memory.dmp

Filesize
3.9MB

Download
memory/2592-47-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp

Filesize
3.9MB

Download
memory/2592-2019-0x00007FF6E6780000-0x00007FF6E6B71000-memory.dmp

Filesize
3.9MB

Download
memory/2624-2059-0x00007FF622AA0000-0x00007FF622E91000-memory.dmp

Filesize
3.9MB

Download
memory/2624-330-0x00007FF622AA0000-0x00007FF622E91000-memory.dmp

Filesize
3.9MB

Download
memory/3048-50-0x00007FF720E70000-0x00007FF721261000-memory.dmp

Filesize
3.9MB

Download
memory/3048-2021-0x00007FF720E70000-0x00007FF721261000-memory.dmp

Filesize
3.9MB

Download
memory/3240-315-0x00007FF7CEE80000-0x00007FF7CF271000-memory.dmp

Filesize
3.9MB

Download
memory/3240-2041-0x00007FF7CEE80000-0x00007FF7CF271000-memory.dmp

Filesize
3.9MB

Download
memory/3488-2049-0x00007FF705270000-0x00007FF705661000-memory.dmp

Filesize
3.9MB

Download
memory/3488-325-0x00007FF705270000-0x00007FF705661000-memory.dmp

Filesize
3.9MB

Download
memory/3496-329-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2057-0x00007FF63D860000-0x00007FF63DC51000-memory.dmp

Filesize
3.9MB

Download
memory/3644-2035-0x00007FF7B2740000-0x00007FF7B2B31000-memory.dmp

Filesize
3.9MB

Download
memory/3644-307-0x00007FF7B2740000-0x00007FF7B2B31000-memory.dmp

Filesize
3.9MB

Download
memory/3784-2045-0x00007FF64C8A0000-0x00007FF64CC91000-memory.dmp

Filesize
3.9MB

Download
memory/3784-317-0x00007FF64C8A0000-0x00007FF64CC91000-memory.dmp

Filesize
3.9MB

Download
memory/4108-62-0x00007FF70A8A0000-0x00007FF70AC91000-memory.dmp

Filesize
3.9MB

Download
memory/4108-2027-0x00007FF70A8A0000-0x00007FF70AC91000-memory.dmp

Filesize
3.9MB

Download
memory/4168-0-0x00007FF768F80000-0x00007FF769371000-memory.dmp

Filesize
3.9MB

Download
memory/4168-1-0x0000026027280000-0x0000026027290000-memory.dmp

Filesize
64KB

Download
memory/4604-327-0x00007FF736B90000-0x00007FF736F81000-memory.dmp

Filesize
3.9MB

Download
memory/4604-2053-0x00007FF736B90000-0x00007FF736F81000-memory.dmp

Filesize
3.9MB

Download
memory/4652-323-0x00007FF602310000-0x00007FF602701000-memory.dmp

Filesize
3.9MB

Download
memory/4652-2047-0x00007FF602310000-0x00007FF602701000-memory.dmp

Filesize
3.9MB

Download
memory/4708-316-0x00007FF624F10000-0x00007FF625301000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2043-0x00007FF624F10000-0x00007FF625301000-memory.dmp

Filesize
3.9MB

Download
memory/4832-59-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp

Filesize
3.9MB

Download
memory/4832-2025-0x00007FF69B800000-0x00007FF69BBF1000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2061-0x00007FF646850000-0x00007FF646C41000-memory.dmp

Filesize
3.9MB

Download
memory/5064-337-0x00007FF646850000-0x00007FF646C41000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads