xmrig | c1e06e0daf1a872f5851f54b69364ef95665936858ff78da0e172568ee5d6e1b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
Size

1.3MB
MD5

24d7c5fd9acf5f7a880ce327feb21310
SHA1

33c334c8c896914c69189e36cf2584a6164f8940
SHA256

c1e06e0daf1a872f5851f54b69364ef95665936858ff78da0e172568ee5d6e1b
SHA512

3342bd90bc81bc589fa552baae4282e6c955bae0d9cd8b43307da4928de89599409074060bdb6dbddb79fe6477c57df802e9e9c8426d03a1e6c999e2c3f4eb67
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbc9+DzRA:knw9oUUEEDlGUJ8Y9cg+

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/912-20-0x00007FF759180000-0x00007FF759571000-memory.dmp	xmrig
behavioral2/memory/5080-415-0x00007FF792170000-0x00007FF792561000-memory.dmp	xmrig
behavioral2/memory/4268-421-0x00007FF6F0990000-0x00007FF6F0D81000-memory.dmp	xmrig
behavioral2/memory/1432-429-0x00007FF67C010000-0x00007FF67C401000-memory.dmp	xmrig
behavioral2/memory/3268-433-0x00007FF6E85C0000-0x00007FF6E89B1000-memory.dmp	xmrig
behavioral2/memory/1804-441-0x00007FF662DF0000-0x00007FF6631E1000-memory.dmp	xmrig
behavioral2/memory/4708-449-0x00007FF662630000-0x00007FF662A21000-memory.dmp	xmrig
behavioral2/memory/4584-445-0x00007FF77EDE0000-0x00007FF77F1D1000-memory.dmp	xmrig
behavioral2/memory/392-440-0x00007FF70CA50000-0x00007FF70CE41000-memory.dmp	xmrig
behavioral2/memory/1472-463-0x00007FF7864B0000-0x00007FF7868A1000-memory.dmp	xmrig
behavioral2/memory/4008-469-0x00007FF654A90000-0x00007FF654E81000-memory.dmp	xmrig
behavioral2/memory/3172-475-0x00007FF7E9D60000-0x00007FF7EA151000-memory.dmp	xmrig
behavioral2/memory/1844-482-0x00007FF720A40000-0x00007FF720E31000-memory.dmp	xmrig
behavioral2/memory/812-471-0x00007FF78AF50000-0x00007FF78B341000-memory.dmp	xmrig
behavioral2/memory/976-538-0x00007FF6A8260000-0x00007FF6A8651000-memory.dmp	xmrig
behavioral2/memory/4024-542-0x00007FF7A4B30000-0x00007FF7A4F21000-memory.dmp	xmrig
behavioral2/memory/4740-459-0x00007FF7DF0B0000-0x00007FF7DF4A1000-memory.dmp	xmrig
behavioral2/memory/4032-1957-0x00007FF761210000-0x00007FF761601000-memory.dmp	xmrig
behavioral2/memory/1156-1958-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp	xmrig
behavioral2/memory/3592-1985-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp	xmrig
behavioral2/memory/4716-1983-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp	xmrig
behavioral2/memory/100-1986-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp	xmrig
behavioral2/memory/2576-1994-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp	xmrig
behavioral2/memory/912-2000-0x00007FF759180000-0x00007FF759571000-memory.dmp	xmrig
behavioral2/memory/1644-2002-0x00007FF756CB0000-0x00007FF7570A1000-memory.dmp	xmrig
behavioral2/memory/4032-2006-0x00007FF761210000-0x00007FF761601000-memory.dmp	xmrig
behavioral2/memory/1156-2005-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp	xmrig
behavioral2/memory/100-2010-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp	xmrig
behavioral2/memory/3592-2012-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp	xmrig
behavioral2/memory/4716-2008-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp	xmrig
behavioral2/memory/2576-2014-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp	xmrig
behavioral2/memory/4024-2016-0x00007FF7A4B30000-0x00007FF7A4F21000-memory.dmp	xmrig
behavioral2/memory/3268-2024-0x00007FF6E85C0000-0x00007FF6E89B1000-memory.dmp	xmrig
behavioral2/memory/4268-2022-0x00007FF6F0990000-0x00007FF6F0D81000-memory.dmp	xmrig
behavioral2/memory/5080-2020-0x00007FF792170000-0x00007FF792561000-memory.dmp	xmrig
behavioral2/memory/1432-2018-0x00007FF67C010000-0x00007FF67C401000-memory.dmp	xmrig
behavioral2/memory/4584-2026-0x00007FF77EDE0000-0x00007FF77F1D1000-memory.dmp	xmrig
behavioral2/memory/976-2059-0x00007FF6A8260000-0x00007FF6A8651000-memory.dmp	xmrig
behavioral2/memory/1844-2056-0x00007FF720A40000-0x00007FF720E31000-memory.dmp	xmrig
behavioral2/memory/1804-2042-0x00007FF662DF0000-0x00007FF6631E1000-memory.dmp	xmrig
behavioral2/memory/3172-2041-0x00007FF7E9D60000-0x00007FF7EA151000-memory.dmp	xmrig
behavioral2/memory/4008-2050-0x00007FF654A90000-0x00007FF654E81000-memory.dmp	xmrig
behavioral2/memory/392-2035-0x00007FF70CA50000-0x00007FF70CE41000-memory.dmp	xmrig
behavioral2/memory/1472-2048-0x00007FF7864B0000-0x00007FF7868A1000-memory.dmp	xmrig
behavioral2/memory/812-2045-0x00007FF78AF50000-0x00007FF78B341000-memory.dmp	xmrig
behavioral2/memory/4740-2054-0x00007FF7DF0B0000-0x00007FF7DF4A1000-memory.dmp	xmrig
behavioral2/memory/4708-2052-0x00007FF662630000-0x00007FF662A21000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1644	mRQfpWl.exe
912	LftPXkN.exe
1156	pjxDdnq.exe
4032	BkqrpXI.exe
100	ZgazOFV.exe
4716	rCgOAei.exe
3592	AnrHPJt.exe
2576	bXQmiau.exe
4024	ninymcz.exe
5080	rkXnMCd.exe
4268	ydetLUo.exe
1432	XcZPtNz.exe
3268	BPwBcTD.exe
392	MwCFOnB.exe
1804	dTwjNKO.exe
4584	uQdbndU.exe
4708	aVZkFjc.exe
4740	NzqNhOv.exe
1472	EKRtKWE.exe
4008	KtNdSyb.exe
812	wPPYeGf.exe
3172	PNnvtgY.exe
1844	mHLuhcz.exe
976	BmLOLgB.exe
2528	lqsktPw.exe
1808	PjSwqAz.exe
1428	qpLMpYb.exe
4328	mCGUsgb.exe
4860	XnlCElJ.exe
1616	DGxuGoS.exe
2016	AxBSsFX.exe
3224	ZtWTVvK.exe
4492	uGorFei.exe
4176	XyLAFrs.exe
3440	KVTVIfX.exe
2660	leZflxf.exe
4120	hNVpLTV.exe
1704	eqApMOh.exe
4756	fYeRRld.exe
2544	WJkusGL.exe
3628	lYKprfZ.exe
4108	jfuteZi.exe
2340	TwSAesg.exe
1720	xAQlafZ.exe
1140	xmlyeDT.exe
4720	jNBabmT.exe
1612	ckjCBcN.exe
2252	yAZAeya.exe
4548	LipYLLu.exe
2896	PWBmtpq.exe
748	UpUmECl.exe
4408	hsMGNkw.exe
4848	vzkjOyo.exe
552	YliWuzx.exe
1696	JAkcCZe.exe
3112	qVEDDXe.exe
1076	YwOBvsP.exe
3964	JcjKaQt.exe
1592	teBKHFs.exe
3680	mmEUegb.exe
3288	hSHELIU.exe
1196	uImHHnX.exe
1972	gaLUizb.exe
1244	UUEYfWt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4180-0-0x00007FF6B9AF0000-0x00007FF6B9EE1000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-5.dat	upx
behavioral2/files/0x000700000002340f-7.dat	upx
behavioral2/memory/912-20-0x00007FF759180000-0x00007FF759571000-memory.dmp	upx
behavioral2/memory/1156-34-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp	upx
behavioral2/memory/100-45-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp	upx
behavioral2/files/0x0007000000023414-43.dat	upx
behavioral2/files/0x0007000000023416-59.dat	upx
behavioral2/files/0x0007000000023417-64.dat	upx
behavioral2/files/0x0007000000023418-69.dat	upx
behavioral2/files/0x000700000002341a-77.dat	upx
behavioral2/files/0x000700000002341e-99.dat	upx
behavioral2/files/0x0007000000023420-110.dat	upx
behavioral2/files/0x0007000000023425-134.dat	upx
behavioral2/files/0x0007000000023427-144.dat	upx
behavioral2/files/0x000700000002342b-162.dat	upx
behavioral2/memory/5080-415-0x00007FF792170000-0x00007FF792561000-memory.dmp	upx
behavioral2/memory/4268-421-0x00007FF6F0990000-0x00007FF6F0D81000-memory.dmp	upx
behavioral2/memory/1432-429-0x00007FF67C010000-0x00007FF67C401000-memory.dmp	upx
behavioral2/memory/3268-433-0x00007FF6E85C0000-0x00007FF6E89B1000-memory.dmp	upx
behavioral2/memory/1804-441-0x00007FF662DF0000-0x00007FF6631E1000-memory.dmp	upx
behavioral2/memory/4708-449-0x00007FF662630000-0x00007FF662A21000-memory.dmp	upx
behavioral2/memory/4584-445-0x00007FF77EDE0000-0x00007FF77F1D1000-memory.dmp	upx
behavioral2/memory/392-440-0x00007FF70CA50000-0x00007FF70CE41000-memory.dmp	upx
behavioral2/files/0x000700000002342c-170.dat	upx
behavioral2/files/0x000700000002342a-159.dat	upx
behavioral2/files/0x0007000000023429-155.dat	upx
behavioral2/files/0x0007000000023428-149.dat	upx
behavioral2/files/0x0007000000023426-139.dat	upx
behavioral2/files/0x0007000000023424-129.dat	upx
behavioral2/files/0x0007000000023423-125.dat	upx
behavioral2/files/0x0007000000023422-119.dat	upx
behavioral2/files/0x0007000000023421-114.dat	upx
behavioral2/files/0x000700000002341f-104.dat	upx
behavioral2/files/0x000700000002341d-94.dat	upx
behavioral2/files/0x000700000002341c-89.dat	upx
behavioral2/files/0x000700000002341b-85.dat	upx
behavioral2/files/0x0007000000023419-74.dat	upx
behavioral2/files/0x0007000000023415-54.dat	upx
behavioral2/memory/2576-49-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp	upx
behavioral2/files/0x0007000000023413-41.dat	upx
behavioral2/memory/3592-40-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp	upx
behavioral2/files/0x0007000000023412-38.dat	upx
behavioral2/files/0x0007000000023411-37.dat	upx
behavioral2/memory/4716-35-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp	upx
behavioral2/files/0x0007000000023410-32.dat	upx
behavioral2/memory/4032-25-0x00007FF761210000-0x00007FF761601000-memory.dmp	upx
behavioral2/memory/1644-15-0x00007FF756CB0000-0x00007FF7570A1000-memory.dmp	upx
behavioral2/files/0x000700000002340e-10.dat	upx
behavioral2/memory/1472-463-0x00007FF7864B0000-0x00007FF7868A1000-memory.dmp	upx
behavioral2/memory/4008-469-0x00007FF654A90000-0x00007FF654E81000-memory.dmp	upx
behavioral2/memory/3172-475-0x00007FF7E9D60000-0x00007FF7EA151000-memory.dmp	upx
behavioral2/memory/1844-482-0x00007FF720A40000-0x00007FF720E31000-memory.dmp	upx
behavioral2/memory/812-471-0x00007FF78AF50000-0x00007FF78B341000-memory.dmp	upx
behavioral2/memory/976-538-0x00007FF6A8260000-0x00007FF6A8651000-memory.dmp	upx
behavioral2/memory/4024-542-0x00007FF7A4B30000-0x00007FF7A4F21000-memory.dmp	upx
behavioral2/memory/4740-459-0x00007FF7DF0B0000-0x00007FF7DF4A1000-memory.dmp	upx
behavioral2/memory/4032-1957-0x00007FF761210000-0x00007FF761601000-memory.dmp	upx
behavioral2/memory/1156-1958-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp	upx
behavioral2/memory/3592-1985-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp	upx
behavioral2/memory/4716-1983-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp	upx
behavioral2/memory/100-1986-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp	upx
behavioral2/memory/2576-1994-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp	upx
behavioral2/memory/912-2000-0x00007FF759180000-0x00007FF759571000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\KAViePT.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\CRTeciu.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\oAfEjuS.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\DLBnGAE.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\tGdhEra.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\HLHwPyV.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\bqebxGx.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\UJkNBsO.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\amMVcoL.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\kRAEvuJ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\UvWOHsx.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\ftbwNnj.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\WRyhDDX.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\FmMzsZW.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\riMcvor.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\pLrleFA.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\qTxCBJk.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\kRpYQhm.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\PlTitNJ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\WEACpki.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\SCtHqXR.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\igudSGc.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\UZjaReL.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\FeyCbQY.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\npqyJSU.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\XqyYTuQ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\BZzERzs.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\uGorFei.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\eqApMOh.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\tEGqbzp.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\OWxOfmn.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\EKpjiXR.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\bpiBbEa.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\eCZYNwK.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\RTHtdac.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\avwWzRC.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\hWFsEeJ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\QdgyWaZ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\PRJgiUc.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\TNWMEWs.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\phnpNfx.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\eHETutZ.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\GPKgbcj.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\qzNWcki.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\LoUceOE.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\sGCCjFD.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\QHSSONL.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\WhMgipj.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\uyamMSq.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\ccGXRnu.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\pEixbXD.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\RgNUOxU.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\NSSULcM.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\BPmfIuK.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\WcNoDLH.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\SLtlgdF.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\lzBcjao.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\CplSRaK.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\YIKtaLo.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\BorpDBh.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\cvSDMgs.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\OxcBSzA.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\AkGgzdB.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
File created	C:\Windows\System32\slQtdyC.exe	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12840	dwm.exe
Token: SeChangeNotifyPrivilege	12840	dwm.exe
Token: 33	12840	dwm.exe
Token: SeIncBasePriorityPrivilege	12840	dwm.exe
Token: SeShutdownPrivilege	12840	dwm.exe
Token: SeCreatePagefilePrivilege	12840	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1644	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	84
PID 4180 wrote to memory of 1644	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	84
PID 4180 wrote to memory of 912	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	85
PID 4180 wrote to memory of 912	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	85
PID 4180 wrote to memory of 1156	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	86
PID 4180 wrote to memory of 1156	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	86
PID 4180 wrote to memory of 4032	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	87
PID 4180 wrote to memory of 4032	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	87
PID 4180 wrote to memory of 100	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	88
PID 4180 wrote to memory of 100	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	88
PID 4180 wrote to memory of 4716	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	89
PID 4180 wrote to memory of 4716	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	89
PID 4180 wrote to memory of 3592	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	90
PID 4180 wrote to memory of 3592	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	90
PID 4180 wrote to memory of 2576	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	91
PID 4180 wrote to memory of 2576	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	91
PID 4180 wrote to memory of 4024	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	92
PID 4180 wrote to memory of 4024	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	92
PID 4180 wrote to memory of 5080	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	93
PID 4180 wrote to memory of 5080	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	93
PID 4180 wrote to memory of 4268	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	94
PID 4180 wrote to memory of 4268	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	94
PID 4180 wrote to memory of 1432	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	95
PID 4180 wrote to memory of 1432	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	95
PID 4180 wrote to memory of 3268	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	96
PID 4180 wrote to memory of 3268	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	96
PID 4180 wrote to memory of 392	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	97
PID 4180 wrote to memory of 392	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	97
PID 4180 wrote to memory of 1804	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	98
PID 4180 wrote to memory of 1804	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	98
PID 4180 wrote to memory of 4584	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	99
PID 4180 wrote to memory of 4584	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	99
PID 4180 wrote to memory of 4708	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	100
PID 4180 wrote to memory of 4708	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	100
PID 4180 wrote to memory of 4740	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	101
PID 4180 wrote to memory of 4740	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	101
PID 4180 wrote to memory of 1472	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	102
PID 4180 wrote to memory of 1472	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	102
PID 4180 wrote to memory of 4008	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	103
PID 4180 wrote to memory of 4008	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	103
PID 4180 wrote to memory of 812	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	104
PID 4180 wrote to memory of 812	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	104
PID 4180 wrote to memory of 3172	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	105
PID 4180 wrote to memory of 3172	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	105
PID 4180 wrote to memory of 1844	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	106
PID 4180 wrote to memory of 1844	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	106
PID 4180 wrote to memory of 976	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	107
PID 4180 wrote to memory of 976	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	107
PID 4180 wrote to memory of 2528	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	108
PID 4180 wrote to memory of 2528	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	108
PID 4180 wrote to memory of 1808	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	109
PID 4180 wrote to memory of 1808	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	109
PID 4180 wrote to memory of 1428	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	110
PID 4180 wrote to memory of 1428	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	110
PID 4180 wrote to memory of 4328	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	111
PID 4180 wrote to memory of 4328	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	111
PID 4180 wrote to memory of 4860	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	112
PID 4180 wrote to memory of 4860	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	112
PID 4180 wrote to memory of 1616	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	113
PID 4180 wrote to memory of 1616	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	113
PID 4180 wrote to memory of 2016	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	114
PID 4180 wrote to memory of 2016	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	114
PID 4180 wrote to memory of 3224	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	115
PID 4180 wrote to memory of 3224	4180	24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\24d7c5fd9acf5f7a880ce327feb21310_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\System32\mRQfpWl.exe
  C:\Windows\System32\mRQfpWl.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\LftPXkN.exe
  C:\Windows\System32\LftPXkN.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System32\pjxDdnq.exe
  C:\Windows\System32\pjxDdnq.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\BkqrpXI.exe
  C:\Windows\System32\BkqrpXI.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\ZgazOFV.exe
  C:\Windows\System32\ZgazOFV.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System32\rCgOAei.exe
  C:\Windows\System32\rCgOAei.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\AnrHPJt.exe
  C:\Windows\System32\AnrHPJt.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\bXQmiau.exe
  C:\Windows\System32\bXQmiau.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System32\ninymcz.exe
  C:\Windows\System32\ninymcz.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\rkXnMCd.exe
  C:\Windows\System32\rkXnMCd.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\ydetLUo.exe
  C:\Windows\System32\ydetLUo.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\XcZPtNz.exe
  C:\Windows\System32\XcZPtNz.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\BPwBcTD.exe
  C:\Windows\System32\BPwBcTD.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System32\MwCFOnB.exe
  C:\Windows\System32\MwCFOnB.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\dTwjNKO.exe
  C:\Windows\System32\dTwjNKO.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\uQdbndU.exe
  C:\Windows\System32\uQdbndU.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\aVZkFjc.exe
  C:\Windows\System32\aVZkFjc.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\NzqNhOv.exe
  C:\Windows\System32\NzqNhOv.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\EKRtKWE.exe
  C:\Windows\System32\EKRtKWE.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\KtNdSyb.exe
  C:\Windows\System32\KtNdSyb.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\wPPYeGf.exe
  C:\Windows\System32\wPPYeGf.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\PNnvtgY.exe
  C:\Windows\System32\PNnvtgY.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\mHLuhcz.exe
  C:\Windows\System32\mHLuhcz.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\BmLOLgB.exe
  C:\Windows\System32\BmLOLgB.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System32\lqsktPw.exe
  C:\Windows\System32\lqsktPw.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\PjSwqAz.exe
  C:\Windows\System32\PjSwqAz.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\qpLMpYb.exe
  C:\Windows\System32\qpLMpYb.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\mCGUsgb.exe
  C:\Windows\System32\mCGUsgb.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\XnlCElJ.exe
  C:\Windows\System32\XnlCElJ.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\DGxuGoS.exe
  C:\Windows\System32\DGxuGoS.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\AxBSsFX.exe
  C:\Windows\System32\AxBSsFX.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\ZtWTVvK.exe
  C:\Windows\System32\ZtWTVvK.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\uGorFei.exe
  C:\Windows\System32\uGorFei.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\XyLAFrs.exe
  C:\Windows\System32\XyLAFrs.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\KVTVIfX.exe
  C:\Windows\System32\KVTVIfX.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\leZflxf.exe
  C:\Windows\System32\leZflxf.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\hNVpLTV.exe
  C:\Windows\System32\hNVpLTV.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\eqApMOh.exe
  C:\Windows\System32\eqApMOh.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System32\fYeRRld.exe
  C:\Windows\System32\fYeRRld.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\WJkusGL.exe
  C:\Windows\System32\WJkusGL.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\lYKprfZ.exe
  C:\Windows\System32\lYKprfZ.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\jfuteZi.exe
  C:\Windows\System32\jfuteZi.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\TwSAesg.exe
  C:\Windows\System32\TwSAesg.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System32\xAQlafZ.exe
  C:\Windows\System32\xAQlafZ.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\xmlyeDT.exe
  C:\Windows\System32\xmlyeDT.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System32\jNBabmT.exe
  C:\Windows\System32\jNBabmT.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\ckjCBcN.exe
  C:\Windows\System32\ckjCBcN.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\yAZAeya.exe
  C:\Windows\System32\yAZAeya.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\LipYLLu.exe
  C:\Windows\System32\LipYLLu.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\PWBmtpq.exe
  C:\Windows\System32\PWBmtpq.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\UpUmECl.exe
  C:\Windows\System32\UpUmECl.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\hsMGNkw.exe
  C:\Windows\System32\hsMGNkw.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\vzkjOyo.exe
  C:\Windows\System32\vzkjOyo.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\YliWuzx.exe
  C:\Windows\System32\YliWuzx.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System32\JAkcCZe.exe
  C:\Windows\System32\JAkcCZe.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System32\qVEDDXe.exe
  C:\Windows\System32\qVEDDXe.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\YwOBvsP.exe
  C:\Windows\System32\YwOBvsP.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\JcjKaQt.exe
  C:\Windows\System32\JcjKaQt.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\teBKHFs.exe
  C:\Windows\System32\teBKHFs.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\mmEUegb.exe
  C:\Windows\System32\mmEUegb.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System32\hSHELIU.exe
  C:\Windows\System32\hSHELIU.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\uImHHnX.exe
  C:\Windows\System32\uImHHnX.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System32\gaLUizb.exe
  C:\Windows\System32\gaLUizb.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\UUEYfWt.exe
  C:\Windows\System32\UUEYfWt.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\tBwrdOi.exe
  C:\Windows\System32\tBwrdOi.exe
  2⤵
  PID:4132
- C:\Windows\System32\jNUYIiM.exe
  C:\Windows\System32\jNUYIiM.exe
  2⤵
  PID:4936
- C:\Windows\System32\vccSUOb.exe
  C:\Windows\System32\vccSUOb.exe
  2⤵
  PID:4488
- C:\Windows\System32\JGfwyzq.exe
  C:\Windows\System32\JGfwyzq.exe
  2⤵
  PID:4232
- C:\Windows\System32\oECKEis.exe
  C:\Windows\System32\oECKEis.exe
  2⤵
  PID:2404
- C:\Windows\System32\lfjIfCU.exe
  C:\Windows\System32\lfjIfCU.exe
  2⤵
  PID:3672
- C:\Windows\System32\VBzlZBz.exe
  C:\Windows\System32\VBzlZBz.exe
  2⤵
  PID:2928
- C:\Windows\System32\DyCrtTS.exe
  C:\Windows\System32\DyCrtTS.exe
  2⤵
  PID:4228
- C:\Windows\System32\nqwdUDn.exe
  C:\Windows\System32\nqwdUDn.exe
  2⤵
  PID:4428
- C:\Windows\System32\nmuvurR.exe
  C:\Windows\System32\nmuvurR.exe
  2⤵
  PID:2312
- C:\Windows\System32\viRgtqc.exe
  C:\Windows\System32\viRgtqc.exe
  2⤵
  PID:3492
- C:\Windows\System32\yuYvdMW.exe
  C:\Windows\System32\yuYvdMW.exe
  2⤵
  PID:4840
- C:\Windows\System32\uyamMSq.exe
  C:\Windows\System32\uyamMSq.exe
  2⤵
  PID:1700
- C:\Windows\System32\ahxAkqi.exe
  C:\Windows\System32\ahxAkqi.exe
  2⤵
  PID:5100
- C:\Windows\System32\AUfuDNV.exe
  C:\Windows\System32\AUfuDNV.exe
  2⤵
  PID:4380
- C:\Windows\System32\LKCRjqZ.exe
  C:\Windows\System32\LKCRjqZ.exe
  2⤵
  PID:2564
- C:\Windows\System32\qbRGeUV.exe
  C:\Windows\System32\qbRGeUV.exe
  2⤵
  PID:4896
- C:\Windows\System32\GPKgbcj.exe
  C:\Windows\System32\GPKgbcj.exe
  2⤵
  PID:3008
- C:\Windows\System32\NWOvpzc.exe
  C:\Windows\System32\NWOvpzc.exe
  2⤵
  PID:4280
- C:\Windows\System32\VbshCBf.exe
  C:\Windows\System32\VbshCBf.exe
  2⤵
  PID:2628
- C:\Windows\System32\SLtlgdF.exe
  C:\Windows\System32\SLtlgdF.exe
  2⤵
  PID:2872
- C:\Windows\System32\mJyfIBb.exe
  C:\Windows\System32\mJyfIBb.exe
  2⤵
  PID:4852
- C:\Windows\System32\BIAjNbe.exe
  C:\Windows\System32\BIAjNbe.exe
  2⤵
  PID:440
- C:\Windows\System32\qzNWcki.exe
  C:\Windows\System32\qzNWcki.exe
  2⤵
  PID:1548
- C:\Windows\System32\enpREBE.exe
  C:\Windows\System32\enpREBE.exe
  2⤵
  PID:5132
- C:\Windows\System32\VcKJGaF.exe
  C:\Windows\System32\VcKJGaF.exe
  2⤵
  PID:5160
- C:\Windows\System32\lYEXGLR.exe
  C:\Windows\System32\lYEXGLR.exe
  2⤵
  PID:5188
- C:\Windows\System32\uYJNVWv.exe
  C:\Windows\System32\uYJNVWv.exe
  2⤵
  PID:5216
- C:\Windows\System32\wzfyozB.exe
  C:\Windows\System32\wzfyozB.exe
  2⤵
  PID:5244
- C:\Windows\System32\vTFQfWz.exe
  C:\Windows\System32\vTFQfWz.exe
  2⤵
  PID:5272
- C:\Windows\System32\cscaLVS.exe
  C:\Windows\System32\cscaLVS.exe
  2⤵
  PID:5300
- C:\Windows\System32\eDdnCnO.exe
  C:\Windows\System32\eDdnCnO.exe
  2⤵
  PID:5328
- C:\Windows\System32\bNGEtep.exe
  C:\Windows\System32\bNGEtep.exe
  2⤵
  PID:5356
- C:\Windows\System32\KAViePT.exe
  C:\Windows\System32\KAViePT.exe
  2⤵
  PID:5384
- C:\Windows\System32\onIGAgU.exe
  C:\Windows\System32\onIGAgU.exe
  2⤵
  PID:5412
- C:\Windows\System32\pLrleFA.exe
  C:\Windows\System32\pLrleFA.exe
  2⤵
  PID:5444
- C:\Windows\System32\OnQHEKc.exe
  C:\Windows\System32\OnQHEKc.exe
  2⤵
  PID:5472
- C:\Windows\System32\DmEUSme.exe
  C:\Windows\System32\DmEUSme.exe
  2⤵
  PID:5496
- C:\Windows\System32\hjadRgv.exe
  C:\Windows\System32\hjadRgv.exe
  2⤵
  PID:5524
- C:\Windows\System32\eCZYNwK.exe
  C:\Windows\System32\eCZYNwK.exe
  2⤵
  PID:5552
- C:\Windows\System32\uLeCqZV.exe
  C:\Windows\System32\uLeCqZV.exe
  2⤵
  PID:5580
- C:\Windows\System32\lzBcjao.exe
  C:\Windows\System32\lzBcjao.exe
  2⤵
  PID:5608
- C:\Windows\System32\CjWqPSi.exe
  C:\Windows\System32\CjWqPSi.exe
  2⤵
  PID:5636
- C:\Windows\System32\lcWvsto.exe
  C:\Windows\System32\lcWvsto.exe
  2⤵
  PID:5664
- C:\Windows\System32\WNuQeXt.exe
  C:\Windows\System32\WNuQeXt.exe
  2⤵
  PID:5692
- C:\Windows\System32\mjrIzUI.exe
  C:\Windows\System32\mjrIzUI.exe
  2⤵
  PID:5720
- C:\Windows\System32\yUzEXAN.exe
  C:\Windows\System32\yUzEXAN.exe
  2⤵
  PID:5748
- C:\Windows\System32\YIKtaLo.exe
  C:\Windows\System32\YIKtaLo.exe
  2⤵
  PID:5776
- C:\Windows\System32\xklOYgZ.exe
  C:\Windows\System32\xklOYgZ.exe
  2⤵
  PID:5804
- C:\Windows\System32\iqkXMAS.exe
  C:\Windows\System32\iqkXMAS.exe
  2⤵
  PID:5876
- C:\Windows\System32\pSMoTZY.exe
  C:\Windows\System32\pSMoTZY.exe
  2⤵
  PID:5908
- C:\Windows\System32\riATNcu.exe
  C:\Windows\System32\riATNcu.exe
  2⤵
  PID:5936
- C:\Windows\System32\LxfPjsn.exe
  C:\Windows\System32\LxfPjsn.exe
  2⤵
  PID:5984
- C:\Windows\System32\xcaFRxC.exe
  C:\Windows\System32\xcaFRxC.exe
  2⤵
  PID:6004
- C:\Windows\System32\EXQHByt.exe
  C:\Windows\System32\EXQHByt.exe
  2⤵
  PID:6036
- C:\Windows\System32\muRYdFB.exe
  C:\Windows\System32\muRYdFB.exe
  2⤵
  PID:6068
- C:\Windows\System32\yevoIBY.exe
  C:\Windows\System32\yevoIBY.exe
  2⤵
  PID:6084
- C:\Windows\System32\RTHtdac.exe
  C:\Windows\System32\RTHtdac.exe
  2⤵
  PID:6128
- C:\Windows\System32\OQGQOAD.exe
  C:\Windows\System32\OQGQOAD.exe
  2⤵
  PID:2224
- C:\Windows\System32\zhTbOZr.exe
  C:\Windows\System32\zhTbOZr.exe
  2⤵
  PID:4396
- C:\Windows\System32\ancawTY.exe
  C:\Windows\System32\ancawTY.exe
  2⤵
  PID:216
- C:\Windows\System32\SCtHqXR.exe
  C:\Windows\System32\SCtHqXR.exe
  2⤵
  PID:4344
- C:\Windows\System32\bJIgUvT.exe
  C:\Windows\System32\bJIgUvT.exe
  2⤵
  PID:4496
- C:\Windows\System32\mNovbCO.exe
  C:\Windows\System32\mNovbCO.exe
  2⤵
  PID:4868
- C:\Windows\System32\mHqkBmj.exe
  C:\Windows\System32\mHqkBmj.exe
  2⤵
  PID:5168
- C:\Windows\System32\pQJKWrO.exe
  C:\Windows\System32\pQJKWrO.exe
  2⤵
  PID:5252
- C:\Windows\System32\lmzctoI.exe
  C:\Windows\System32\lmzctoI.exe
  2⤵
  PID:5348
- C:\Windows\System32\UvWOHsx.exe
  C:\Windows\System32\UvWOHsx.exe
  2⤵
  PID:5400
- C:\Windows\System32\rpNzXNU.exe
  C:\Windows\System32\rpNzXNU.exe
  2⤵
  PID:4336
- C:\Windows\System32\tnBbVvM.exe
  C:\Windows\System32\tnBbVvM.exe
  2⤵
  PID:5532
- C:\Windows\System32\TWeQwHh.exe
  C:\Windows\System32\TWeQwHh.exe
  2⤵
  PID:5588
- C:\Windows\System32\HPZZnLw.exe
  C:\Windows\System32\HPZZnLw.exe
  2⤵
  PID:3604
- C:\Windows\System32\pGbsFkb.exe
  C:\Windows\System32\pGbsFkb.exe
  2⤵
  PID:3684
- C:\Windows\System32\zyJpRkY.exe
  C:\Windows\System32\zyJpRkY.exe
  2⤵
  PID:5708
- C:\Windows\System32\wUplgcO.exe
  C:\Windows\System32\wUplgcO.exe
  2⤵
  PID:3464
- C:\Windows\System32\qTxCBJk.exe
  C:\Windows\System32\qTxCBJk.exe
  2⤵
  PID:4164
- C:\Windows\System32\aGVNlng.exe
  C:\Windows\System32\aGVNlng.exe
  2⤵
  PID:4116
- C:\Windows\System32\KhiwLer.exe
  C:\Windows\System32\KhiwLer.exe
  2⤵
  PID:5796
- C:\Windows\System32\aIBpURT.exe
  C:\Windows\System32\aIBpURT.exe
  2⤵
  PID:5900
- C:\Windows\System32\ftbwNnj.exe
  C:\Windows\System32\ftbwNnj.exe
  2⤵
  PID:5972
- C:\Windows\System32\bEbAnmm.exe
  C:\Windows\System32\bEbAnmm.exe
  2⤵
  PID:6060
- C:\Windows\System32\pHeqzJm.exe
  C:\Windows\System32\pHeqzJm.exe
  2⤵
  PID:6080
- C:\Windows\System32\iojidHb.exe
  C:\Windows\System32\iojidHb.exe
  2⤵
  PID:3648
- C:\Windows\System32\itRmmln.exe
  C:\Windows\System32\itRmmln.exe
  2⤵
  PID:2604
- C:\Windows\System32\hcYdUrJ.exe
  C:\Windows\System32\hcYdUrJ.exe
  2⤵
  PID:4784
- C:\Windows\System32\SEzaIfj.exe
  C:\Windows\System32\SEzaIfj.exe
  2⤵
  PID:5176
- C:\Windows\System32\wVoQRzp.exe
  C:\Windows\System32\wVoQRzp.exe
  2⤵
  PID:5364
- C:\Windows\System32\aasxyUJ.exe
  C:\Windows\System32\aasxyUJ.exe
  2⤵
  PID:3932
- C:\Windows\System32\xaJKDgt.exe
  C:\Windows\System32\xaJKDgt.exe
  2⤵
  PID:6100
- C:\Windows\System32\vdWLUky.exe
  C:\Windows\System32\vdWLUky.exe
  2⤵
  PID:5992
- C:\Windows\System32\sAVEQhV.exe
  C:\Windows\System32\sAVEQhV.exe
  2⤵
  PID:5756
- C:\Windows\System32\MZPGXNr.exe
  C:\Windows\System32\MZPGXNr.exe
  2⤵
  PID:5712
- C:\Windows\System32\ugmRjks.exe
  C:\Windows\System32\ugmRjks.exe
  2⤵
  PID:5488
- C:\Windows\System32\ESDNnAS.exe
  C:\Windows\System32\ESDNnAS.exe
  2⤵
  PID:5224
- C:\Windows\System32\OTmSmOF.exe
  C:\Windows\System32\OTmSmOF.exe
  2⤵
  PID:5292
- C:\Windows\System32\qyGpUfg.exe
  C:\Windows\System32\qyGpUfg.exe
  2⤵
  PID:1180
- C:\Windows\System32\rjGFZHt.exe
  C:\Windows\System32\rjGFZHt.exe
  2⤵
  PID:5764
- C:\Windows\System32\hcottqY.exe
  C:\Windows\System32\hcottqY.exe
  2⤵
  PID:4040
- C:\Windows\System32\OyeBCwv.exe
  C:\Windows\System32\OyeBCwv.exe
  2⤵
  PID:5208
- C:\Windows\System32\KkgbLLp.exe
  C:\Windows\System32\KkgbLLp.exe
  2⤵
  PID:5404
- C:\Windows\System32\iWwUqlC.exe
  C:\Windows\System32\iWwUqlC.exe
  2⤵
  PID:5288
- C:\Windows\System32\WZbOoPE.exe
  C:\Windows\System32\WZbOoPE.exe
  2⤵
  PID:6064
- C:\Windows\System32\EmhCpQh.exe
  C:\Windows\System32\EmhCpQh.exe
  2⤵
  PID:5372
- C:\Windows\System32\hnWsrmU.exe
  C:\Windows\System32\hnWsrmU.exe
  2⤵
  PID:5960
- C:\Windows\System32\cokvNdl.exe
  C:\Windows\System32\cokvNdl.exe
  2⤵
  PID:6148
- C:\Windows\System32\TNhRZeo.exe
  C:\Windows\System32\TNhRZeo.exe
  2⤵
  PID:6188
- C:\Windows\System32\pMKipjm.exe
  C:\Windows\System32\pMKipjm.exe
  2⤵
  PID:6228
- C:\Windows\System32\qjewdRn.exe
  C:\Windows\System32\qjewdRn.exe
  2⤵
  PID:6272
- C:\Windows\System32\WuUAUiv.exe
  C:\Windows\System32\WuUAUiv.exe
  2⤵
  PID:6288
- C:\Windows\System32\SlYNnGm.exe
  C:\Windows\System32\SlYNnGm.exe
  2⤵
  PID:6312
- C:\Windows\System32\bQGAAYq.exe
  C:\Windows\System32\bQGAAYq.exe
  2⤵
  PID:6332
- C:\Windows\System32\qGskTnE.exe
  C:\Windows\System32\qGskTnE.exe
  2⤵
  PID:6348
- C:\Windows\System32\xBlclaV.exe
  C:\Windows\System32\xBlclaV.exe
  2⤵
  PID:6376
- C:\Windows\System32\KLayYLr.exe
  C:\Windows\System32\KLayYLr.exe
  2⤵
  PID:6392
- C:\Windows\System32\WoQZoCK.exe
  C:\Windows\System32\WoQZoCK.exe
  2⤵
  PID:6424
- C:\Windows\System32\irmfsUF.exe
  C:\Windows\System32\irmfsUF.exe
  2⤵
  PID:6480
- C:\Windows\System32\npqyJSU.exe
  C:\Windows\System32\npqyJSU.exe
  2⤵
  PID:6524
- C:\Windows\System32\cLlxgvw.exe
  C:\Windows\System32\cLlxgvw.exe
  2⤵
  PID:6548
- C:\Windows\System32\VSQFDBJ.exe
  C:\Windows\System32\VSQFDBJ.exe
  2⤵
  PID:6568
- C:\Windows\System32\TNWMEWs.exe
  C:\Windows\System32\TNWMEWs.exe
  2⤵
  PID:6592
- C:\Windows\System32\ubyzdiJ.exe
  C:\Windows\System32\ubyzdiJ.exe
  2⤵
  PID:6616
- C:\Windows\System32\FLzPuMi.exe
  C:\Windows\System32\FLzPuMi.exe
  2⤵
  PID:6632
- C:\Windows\System32\rTnVrxp.exe
  C:\Windows\System32\rTnVrxp.exe
  2⤵
  PID:6664
- C:\Windows\System32\SMwPRzv.exe
  C:\Windows\System32\SMwPRzv.exe
  2⤵
  PID:6680
- C:\Windows\System32\zIuFoaa.exe
  C:\Windows\System32\zIuFoaa.exe
  2⤵
  PID:6716
- C:\Windows\System32\MAWPwkM.exe
  C:\Windows\System32\MAWPwkM.exe
  2⤵
  PID:6740
- C:\Windows\System32\AkGgzdB.exe
  C:\Windows\System32\AkGgzdB.exe
  2⤵
  PID:6760
- C:\Windows\System32\AKxZdFu.exe
  C:\Windows\System32\AKxZdFu.exe
  2⤵
  PID:6776
- C:\Windows\System32\UhQtpwt.exe
  C:\Windows\System32\UhQtpwt.exe
  2⤵
  PID:6800
- C:\Windows\System32\ccGXRnu.exe
  C:\Windows\System32\ccGXRnu.exe
  2⤵
  PID:6816
- C:\Windows\System32\LafgHuq.exe
  C:\Windows\System32\LafgHuq.exe
  2⤵
  PID:6840
- C:\Windows\System32\siwPHKI.exe
  C:\Windows\System32\siwPHKI.exe
  2⤵
  PID:6908
- C:\Windows\System32\FvmykrP.exe
  C:\Windows\System32\FvmykrP.exe
  2⤵
  PID:6956
- C:\Windows\System32\uqJRbYA.exe
  C:\Windows\System32\uqJRbYA.exe
  2⤵
  PID:6996
- C:\Windows\System32\bOobaRz.exe
  C:\Windows\System32\bOobaRz.exe
  2⤵
  PID:7024
- C:\Windows\System32\eBUiORB.exe
  C:\Windows\System32\eBUiORB.exe
  2⤵
  PID:7056
- C:\Windows\System32\MlFHaCk.exe
  C:\Windows\System32\MlFHaCk.exe
  2⤵
  PID:7072
- C:\Windows\System32\zKNdqgF.exe
  C:\Windows\System32\zKNdqgF.exe
  2⤵
  PID:7100
- C:\Windows\System32\wLNQSks.exe
  C:\Windows\System32\wLNQSks.exe
  2⤵
  PID:7144
- C:\Windows\System32\lgBtMvE.exe
  C:\Windows\System32\lgBtMvE.exe
  2⤵
  PID:320
- C:\Windows\System32\mSxSjgt.exe
  C:\Windows\System32\mSxSjgt.exe
  2⤵
  PID:6168
- C:\Windows\System32\fkushMh.exe
  C:\Windows\System32\fkushMh.exe
  2⤵
  PID:6256
- C:\Windows\System32\RUJEZOX.exe
  C:\Windows\System32\RUJEZOX.exe
  2⤵
  PID:6280
- C:\Windows\System32\fMJmBjB.exe
  C:\Windows\System32\fMJmBjB.exe
  2⤵
  PID:6364
- C:\Windows\System32\RNgqgMM.exe
  C:\Windows\System32\RNgqgMM.exe
  2⤵
  PID:6344
- C:\Windows\System32\NMIXABr.exe
  C:\Windows\System32\NMIXABr.exe
  2⤵
  PID:6368
- C:\Windows\System32\XqyYTuQ.exe
  C:\Windows\System32\XqyYTuQ.exe
  2⤵
  PID:6564
- C:\Windows\System32\kJYPtKJ.exe
  C:\Windows\System32\kJYPtKJ.exe
  2⤵
  PID:6708
- C:\Windows\System32\TPkrtMs.exe
  C:\Windows\System32\TPkrtMs.exe
  2⤵
  PID:6704
- C:\Windows\System32\gFvCOCH.exe
  C:\Windows\System32\gFvCOCH.exe
  2⤵
  PID:6852
- C:\Windows\System32\eZzgZog.exe
  C:\Windows\System32\eZzgZog.exe
  2⤵
  PID:6824
- C:\Windows\System32\bZURmmq.exe
  C:\Windows\System32\bZURmmq.exe
  2⤵
  PID:6768
- C:\Windows\System32\JBIXiAr.exe
  C:\Windows\System32\JBIXiAr.exe
  2⤵
  PID:6988
- C:\Windows\System32\lAjcchx.exe
  C:\Windows\System32\lAjcchx.exe
  2⤵
  PID:7036
- C:\Windows\System32\mOuYTiY.exe
  C:\Windows\System32\mOuYTiY.exe
  2⤵
  PID:7096
- C:\Windows\System32\gCAAYpT.exe
  C:\Windows\System32\gCAAYpT.exe
  2⤵
  PID:7160
- C:\Windows\System32\iTuGvht.exe
  C:\Windows\System32\iTuGvht.exe
  2⤵
  PID:6284
- C:\Windows\System32\bhzHnsY.exe
  C:\Windows\System32\bhzHnsY.exe
  2⤵
  PID:6340
- C:\Windows\System32\ZSOicEQ.exe
  C:\Windows\System32\ZSOicEQ.exe
  2⤵
  PID:6580
- C:\Windows\System32\tSPWEam.exe
  C:\Windows\System32\tSPWEam.exe
  2⤵
  PID:6772
- C:\Windows\System32\cVgStRx.exe
  C:\Windows\System32\cVgStRx.exe
  2⤵
  PID:6872
- C:\Windows\System32\rUDnGgo.exe
  C:\Windows\System32\rUDnGgo.exe
  2⤵
  PID:7020
- C:\Windows\System32\smwehHN.exe
  C:\Windows\System32\smwehHN.exe
  2⤵
  PID:6400
- C:\Windows\System32\lTjcDlW.exe
  C:\Windows\System32\lTjcDlW.exe
  2⤵
  PID:6748
- C:\Windows\System32\avlydvz.exe
  C:\Windows\System32\avlydvz.exe
  2⤵
  PID:7088
- C:\Windows\System32\KgBVeWS.exe
  C:\Windows\System32\KgBVeWS.exe
  2⤵
  PID:6180
- C:\Windows\System32\VgKDVCc.exe
  C:\Windows\System32\VgKDVCc.exe
  2⤵
  PID:6728
- C:\Windows\System32\oCQerOo.exe
  C:\Windows\System32\oCQerOo.exe
  2⤵
  PID:7184
- C:\Windows\System32\kRpYQhm.exe
  C:\Windows\System32\kRpYQhm.exe
  2⤵
  PID:7200
- C:\Windows\System32\wpNotCj.exe
  C:\Windows\System32\wpNotCj.exe
  2⤵
  PID:7220
- C:\Windows\System32\LCfwmPk.exe
  C:\Windows\System32\LCfwmPk.exe
  2⤵
  PID:7244
- C:\Windows\System32\uJSCaVf.exe
  C:\Windows\System32\uJSCaVf.exe
  2⤵
  PID:7292
- C:\Windows\System32\OXCvXIv.exe
  C:\Windows\System32\OXCvXIv.exe
  2⤵
  PID:7316
- C:\Windows\System32\tWfjXSQ.exe
  C:\Windows\System32\tWfjXSQ.exe
  2⤵
  PID:7368
- C:\Windows\System32\pjcTRic.exe
  C:\Windows\System32\pjcTRic.exe
  2⤵
  PID:7384
- C:\Windows\System32\EUCJlPf.exe
  C:\Windows\System32\EUCJlPf.exe
  2⤵
  PID:7404
- C:\Windows\System32\PlTitNJ.exe
  C:\Windows\System32\PlTitNJ.exe
  2⤵
  PID:7420
- C:\Windows\System32\Fpybigk.exe
  C:\Windows\System32\Fpybigk.exe
  2⤵
  PID:7440
- C:\Windows\System32\Cfkvzfj.exe
  C:\Windows\System32\Cfkvzfj.exe
  2⤵
  PID:7460
- C:\Windows\System32\HLHwPyV.exe
  C:\Windows\System32\HLHwPyV.exe
  2⤵
  PID:7484
- C:\Windows\System32\bqebxGx.exe
  C:\Windows\System32\bqebxGx.exe
  2⤵
  PID:7524
- C:\Windows\System32\pEixbXD.exe
  C:\Windows\System32\pEixbXD.exe
  2⤵
  PID:7540
- C:\Windows\System32\DnBslAp.exe
  C:\Windows\System32\DnBslAp.exe
  2⤵
  PID:7596
- C:\Windows\System32\KtYxhil.exe
  C:\Windows\System32\KtYxhil.exe
  2⤵
  PID:7628
- C:\Windows\System32\DcfLihw.exe
  C:\Windows\System32\DcfLihw.exe
  2⤵
  PID:7652
- C:\Windows\System32\gkxrJIW.exe
  C:\Windows\System32\gkxrJIW.exe
  2⤵
  PID:7688
- C:\Windows\System32\PXtbxal.exe
  C:\Windows\System32\PXtbxal.exe
  2⤵
  PID:7736
- C:\Windows\System32\jeoKsmE.exe
  C:\Windows\System32\jeoKsmE.exe
  2⤵
  PID:7756
- C:\Windows\System32\gjIrFgj.exe
  C:\Windows\System32\gjIrFgj.exe
  2⤵
  PID:7780
- C:\Windows\System32\IUGzOSj.exe
  C:\Windows\System32\IUGzOSj.exe
  2⤵
  PID:7800
- C:\Windows\System32\GFQoVQH.exe
  C:\Windows\System32\GFQoVQH.exe
  2⤵
  PID:7832
- C:\Windows\System32\yRyMock.exe
  C:\Windows\System32\yRyMock.exe
  2⤵
  PID:7856
- C:\Windows\System32\AeXOEmI.exe
  C:\Windows\System32\AeXOEmI.exe
  2⤵
  PID:7880
- C:\Windows\System32\edrdfLh.exe
  C:\Windows\System32\edrdfLh.exe
  2⤵
  PID:7904
- C:\Windows\System32\cWQDbeM.exe
  C:\Windows\System32\cWQDbeM.exe
  2⤵
  PID:7920
- C:\Windows\System32\BdlBDhE.exe
  C:\Windows\System32\BdlBDhE.exe
  2⤵
  PID:7940
- C:\Windows\System32\rKjfeFZ.exe
  C:\Windows\System32\rKjfeFZ.exe
  2⤵
  PID:7968
- C:\Windows\System32\VUAgRLI.exe
  C:\Windows\System32\VUAgRLI.exe
  2⤵
  PID:7984
- C:\Windows\System32\ZuBujNG.exe
  C:\Windows\System32\ZuBujNG.exe
  2⤵
  PID:8012
- C:\Windows\System32\lMdpWzM.exe
  C:\Windows\System32\lMdpWzM.exe
  2⤵
  PID:8044
- C:\Windows\System32\lvJvPBh.exe
  C:\Windows\System32\lvJvPBh.exe
  2⤵
  PID:8084
- C:\Windows\System32\WsFzZzp.exe
  C:\Windows\System32\WsFzZzp.exe
  2⤵
  PID:8104
- C:\Windows\System32\wIftFkc.exe
  C:\Windows\System32\wIftFkc.exe
  2⤵
  PID:8148
- C:\Windows\System32\lbcBnyw.exe
  C:\Windows\System32\lbcBnyw.exe
  2⤵
  PID:8180
- C:\Windows\System32\tEGqbzp.exe
  C:\Windows\System32\tEGqbzp.exe
  2⤵
  PID:7216
- C:\Windows\System32\CusQjiT.exe
  C:\Windows\System32\CusQjiT.exe
  2⤵
  PID:7336
- C:\Windows\System32\KaQrqEf.exe
  C:\Windows\System32\KaQrqEf.exe
  2⤵
  PID:7352
- C:\Windows\System32\KpbObCJ.exe
  C:\Windows\System32\KpbObCJ.exe
  2⤵
  PID:7400
- C:\Windows\System32\dAvMsYf.exe
  C:\Windows\System32\dAvMsYf.exe
  2⤵
  PID:7492
- C:\Windows\System32\AHZVTAG.exe
  C:\Windows\System32\AHZVTAG.exe
  2⤵
  PID:7556
- C:\Windows\System32\HStbGgg.exe
  C:\Windows\System32\HStbGgg.exe
  2⤵
  PID:7532
- C:\Windows\System32\UxvbgZz.exe
  C:\Windows\System32\UxvbgZz.exe
  2⤵
  PID:7624
- C:\Windows\System32\husSTku.exe
  C:\Windows\System32\husSTku.exe
  2⤵
  PID:7764
- C:\Windows\System32\rKehRKf.exe
  C:\Windows\System32\rKehRKf.exe
  2⤵
  PID:7828
- C:\Windows\System32\JgMtRSV.exe
  C:\Windows\System32\JgMtRSV.exe
  2⤵
  PID:7868
- C:\Windows\System32\yloQEgD.exe
  C:\Windows\System32\yloQEgD.exe
  2⤵
  PID:7948
- C:\Windows\System32\gntBhxS.exe
  C:\Windows\System32\gntBhxS.exe
  2⤵
  PID:7896
- C:\Windows\System32\aYVndZP.exe
  C:\Windows\System32\aYVndZP.exe
  2⤵
  PID:8116
- C:\Windows\System32\UpkCFeu.exe
  C:\Windows\System32\UpkCFeu.exe
  2⤵
  PID:8176
- C:\Windows\System32\phnpNfx.exe
  C:\Windows\System32\phnpNfx.exe
  2⤵
  PID:6808
- C:\Windows\System32\rqDBdoC.exe
  C:\Windows\System32\rqDBdoC.exe
  2⤵
  PID:7380
- C:\Windows\System32\AoqtHUE.exe
  C:\Windows\System32\AoqtHUE.exe
  2⤵
  PID:7504
- C:\Windows\System32\ubxGxcw.exe
  C:\Windows\System32\ubxGxcw.exe
  2⤵
  PID:7588
- C:\Windows\System32\xLUkqgV.exe
  C:\Windows\System32\xLUkqgV.exe
  2⤵
  PID:7548
- C:\Windows\System32\rNpDQEe.exe
  C:\Windows\System32\rNpDQEe.exe
  2⤵
  PID:7964
- C:\Windows\System32\NiTycJW.exe
  C:\Windows\System32\NiTycJW.exe
  2⤵
  PID:8076
- C:\Windows\System32\dXzNygC.exe
  C:\Windows\System32\dXzNygC.exe
  2⤵
  PID:7448
- C:\Windows\System32\RqtizFk.exe
  C:\Windows\System32\RqtizFk.exe
  2⤵
  PID:7304
- C:\Windows\System32\GNraeYa.exe
  C:\Windows\System32\GNraeYa.exe
  2⤵
  PID:7776
- C:\Windows\System32\oyRDPVl.exe
  C:\Windows\System32\oyRDPVl.exe
  2⤵
  PID:8220
- C:\Windows\System32\DNSAUQz.exe
  C:\Windows\System32\DNSAUQz.exe
  2⤵
  PID:8236
- C:\Windows\System32\PRWSgGn.exe
  C:\Windows\System32\PRWSgGn.exe
  2⤵
  PID:8256
- C:\Windows\System32\ekBCSXM.exe
  C:\Windows\System32\ekBCSXM.exe
  2⤵
  PID:8276
- C:\Windows\System32\RRWOXRI.exe
  C:\Windows\System32\RRWOXRI.exe
  2⤵
  PID:8296
- C:\Windows\System32\tpUAXSl.exe
  C:\Windows\System32\tpUAXSl.exe
  2⤵
  PID:8348
- C:\Windows\System32\eacbnvv.exe
  C:\Windows\System32\eacbnvv.exe
  2⤵
  PID:8372
- C:\Windows\System32\FmMzsZW.exe
  C:\Windows\System32\FmMzsZW.exe
  2⤵
  PID:8392
- C:\Windows\System32\cmFhzvi.exe
  C:\Windows\System32\cmFhzvi.exe
  2⤵
  PID:8412
- C:\Windows\System32\sBheRtG.exe
  C:\Windows\System32\sBheRtG.exe
  2⤵
  PID:8440
- C:\Windows\System32\RgNUOxU.exe
  C:\Windows\System32\RgNUOxU.exe
  2⤵
  PID:8456
- C:\Windows\System32\OcEIFOi.exe
  C:\Windows\System32\OcEIFOi.exe
  2⤵
  PID:8484
- C:\Windows\System32\ckCDeRX.exe
  C:\Windows\System32\ckCDeRX.exe
  2⤵
  PID:8500
- C:\Windows\System32\SoKQHuy.exe
  C:\Windows\System32\SoKQHuy.exe
  2⤵
  PID:8528
- C:\Windows\System32\ynLBaFd.exe
  C:\Windows\System32\ynLBaFd.exe
  2⤵
  PID:8588
- C:\Windows\System32\zwiifaP.exe
  C:\Windows\System32\zwiifaP.exe
  2⤵
  PID:8620
- C:\Windows\System32\vRSIZIi.exe
  C:\Windows\System32\vRSIZIi.exe
  2⤵
  PID:8640
- C:\Windows\System32\HgGPaRh.exe
  C:\Windows\System32\HgGPaRh.exe
  2⤵
  PID:8676
- C:\Windows\System32\eOvFIxA.exe
  C:\Windows\System32\eOvFIxA.exe
  2⤵
  PID:8712
- C:\Windows\System32\unQuKpe.exe
  C:\Windows\System32\unQuKpe.exe
  2⤵
  PID:8732
- C:\Windows\System32\HPTYdDV.exe
  C:\Windows\System32\HPTYdDV.exe
  2⤵
  PID:8752
- C:\Windows\System32\LoUceOE.exe
  C:\Windows\System32\LoUceOE.exe
  2⤵
  PID:8768
- C:\Windows\System32\xvauOJy.exe
  C:\Windows\System32\xvauOJy.exe
  2⤵
  PID:8804
- C:\Windows\System32\UXbPvJK.exe
  C:\Windows\System32\UXbPvJK.exe
  2⤵
  PID:8836
- C:\Windows\System32\BwdbnFz.exe
  C:\Windows\System32\BwdbnFz.exe
  2⤵
  PID:8852
- C:\Windows\System32\aOgcysh.exe
  C:\Windows\System32\aOgcysh.exe
  2⤵
  PID:8884
- C:\Windows\System32\bVMycld.exe
  C:\Windows\System32\bVMycld.exe
  2⤵
  PID:8908
- C:\Windows\System32\VuyXXyD.exe
  C:\Windows\System32\VuyXXyD.exe
  2⤵
  PID:8928
- C:\Windows\System32\AEVeain.exe
  C:\Windows\System32\AEVeain.exe
  2⤵
  PID:8968
- C:\Windows\System32\NMGXdeT.exe
  C:\Windows\System32\NMGXdeT.exe
  2⤵
  PID:9000
- C:\Windows\System32\wDIXbho.exe
  C:\Windows\System32\wDIXbho.exe
  2⤵
  PID:9068
- C:\Windows\System32\MikLKhq.exe
  C:\Windows\System32\MikLKhq.exe
  2⤵
  PID:9084
- C:\Windows\System32\mNlzmEV.exe
  C:\Windows\System32\mNlzmEV.exe
  2⤵
  PID:9100
- C:\Windows\System32\UAAxpSm.exe
  C:\Windows\System32\UAAxpSm.exe
  2⤵
  PID:9120
- C:\Windows\System32\HopKItD.exe
  C:\Windows\System32\HopKItD.exe
  2⤵
  PID:9136
- C:\Windows\System32\DUwqbNL.exe
  C:\Windows\System32\DUwqbNL.exe
  2⤵
  PID:9160
- C:\Windows\System32\xLaAVmc.exe
  C:\Windows\System32\xLaAVmc.exe
  2⤵
  PID:9188
- C:\Windows\System32\slQtdyC.exe
  C:\Windows\System32\slQtdyC.exe
  2⤵
  PID:8228
- C:\Windows\System32\GmhRZnp.exe
  C:\Windows\System32\GmhRZnp.exe
  2⤵
  PID:8288
- C:\Windows\System32\UozTVeb.exe
  C:\Windows\System32\UozTVeb.exe
  2⤵
  PID:8336
- C:\Windows\System32\rYNEIqy.exe
  C:\Windows\System32\rYNEIqy.exe
  2⤵
  PID:8360
- C:\Windows\System32\oYGrrDn.exe
  C:\Windows\System32\oYGrrDn.exe
  2⤵
  PID:8452
- C:\Windows\System32\dQTwusE.exe
  C:\Windows\System32\dQTwusE.exe
  2⤵
  PID:8480
- C:\Windows\System32\TvtWURj.exe
  C:\Windows\System32\TvtWURj.exe
  2⤵
  PID:8548
- C:\Windows\System32\aHoFLDF.exe
  C:\Windows\System32\aHoFLDF.exe
  2⤵
  PID:8652
- C:\Windows\System32\fnQVjyG.exe
  C:\Windows\System32\fnQVjyG.exe
  2⤵
  PID:8728
- C:\Windows\System32\pQHoTMp.exe
  C:\Windows\System32\pQHoTMp.exe
  2⤵
  PID:8788
- C:\Windows\System32\yLJtcEu.exe
  C:\Windows\System32\yLJtcEu.exe
  2⤵
  PID:8776
- C:\Windows\System32\ZPftnkl.exe
  C:\Windows\System32\ZPftnkl.exe
  2⤵
  PID:8880
- C:\Windows\System32\avcTIpO.exe
  C:\Windows\System32\avcTIpO.exe
  2⤵
  PID:8960
- C:\Windows\System32\CHJEAZB.exe
  C:\Windows\System32\CHJEAZB.exe
  2⤵
  PID:9016
- C:\Windows\System32\EAEunwt.exe
  C:\Windows\System32\EAEunwt.exe
  2⤵
  PID:9144
- C:\Windows\System32\LpvoUwL.exe
  C:\Windows\System32\LpvoUwL.exe
  2⤵
  PID:7816
- C:\Windows\System32\CRTeciu.exe
  C:\Windows\System32\CRTeciu.exe
  2⤵
  PID:8024
- C:\Windows\System32\EMZrNtb.exe
  C:\Windows\System32\EMZrNtb.exe
  2⤵
  PID:8448
- C:\Windows\System32\riwmcng.exe
  C:\Windows\System32\riwmcng.exe
  2⤵
  PID:8636
- C:\Windows\System32\GlkXeKw.exe
  C:\Windows\System32\GlkXeKw.exe
  2⤵
  PID:8708
- C:\Windows\System32\JTOHrQN.exe
  C:\Windows\System32\JTOHrQN.exe
  2⤵
  PID:8904
- C:\Windows\System32\YSHNqlM.exe
  C:\Windows\System32\YSHNqlM.exe
  2⤵
  PID:8920
- C:\Windows\System32\vxVMiIP.exe
  C:\Windows\System32\vxVMiIP.exe
  2⤵
  PID:9076
- C:\Windows\System32\GpHcQhv.exe
  C:\Windows\System32\GpHcQhv.exe
  2⤵
  PID:9116
- C:\Windows\System32\FVvPoqJ.exe
  C:\Windows\System32\FVvPoqJ.exe
  2⤵
  PID:8596
- C:\Windows\System32\DLioLar.exe
  C:\Windows\System32\DLioLar.exe
  2⤵
  PID:9056
- C:\Windows\System32\xDItxMg.exe
  C:\Windows\System32\xDItxMg.exe
  2⤵
  PID:8984
- C:\Windows\System32\TjcGcap.exe
  C:\Windows\System32\TjcGcap.exe
  2⤵
  PID:9236
- C:\Windows\System32\jVAxYHP.exe
  C:\Windows\System32\jVAxYHP.exe
  2⤵
  PID:9260
- C:\Windows\System32\NSSULcM.exe
  C:\Windows\System32\NSSULcM.exe
  2⤵
  PID:9300
- C:\Windows\System32\FvjrIhe.exe
  C:\Windows\System32\FvjrIhe.exe
  2⤵
  PID:9332
- C:\Windows\System32\WKLNeio.exe
  C:\Windows\System32\WKLNeio.exe
  2⤵
  PID:9348
- C:\Windows\System32\mdSvHEZ.exe
  C:\Windows\System32\mdSvHEZ.exe
  2⤵
  PID:9372
- C:\Windows\System32\JXYZnGh.exe
  C:\Windows\System32\JXYZnGh.exe
  2⤵
  PID:9392
- C:\Windows\System32\kewabyb.exe
  C:\Windows\System32\kewabyb.exe
  2⤵
  PID:9416
- C:\Windows\System32\mZhXyFK.exe
  C:\Windows\System32\mZhXyFK.exe
  2⤵
  PID:9440
- C:\Windows\System32\JScRScd.exe
  C:\Windows\System32\JScRScd.exe
  2⤵
  PID:9472
- C:\Windows\System32\yQAtXjM.exe
  C:\Windows\System32\yQAtXjM.exe
  2⤵
  PID:9540
- C:\Windows\System32\eOrGFnQ.exe
  C:\Windows\System32\eOrGFnQ.exe
  2⤵
  PID:9588
- C:\Windows\System32\OIDMPZA.exe
  C:\Windows\System32\OIDMPZA.exe
  2⤵
  PID:9624
- C:\Windows\System32\ytkLRlc.exe
  C:\Windows\System32\ytkLRlc.exe
  2⤵
  PID:9664
- C:\Windows\System32\CplSRaK.exe
  C:\Windows\System32\CplSRaK.exe
  2⤵
  PID:9680
- C:\Windows\System32\eHETutZ.exe
  C:\Windows\System32\eHETutZ.exe
  2⤵
  PID:9696
- C:\Windows\System32\PERMPat.exe
  C:\Windows\System32\PERMPat.exe
  2⤵
  PID:9712
- C:\Windows\System32\FgZfjHC.exe
  C:\Windows\System32\FgZfjHC.exe
  2⤵
  PID:9728
- C:\Windows\System32\hEmOEca.exe
  C:\Windows\System32\hEmOEca.exe
  2⤵
  PID:9744
- C:\Windows\System32\jyHOKie.exe
  C:\Windows\System32\jyHOKie.exe
  2⤵
  PID:9760
- C:\Windows\System32\yTJcWWT.exe
  C:\Windows\System32\yTJcWWT.exe
  2⤵
  PID:9776
- C:\Windows\System32\KivPrlV.exe
  C:\Windows\System32\KivPrlV.exe
  2⤵
  PID:9792
- C:\Windows\System32\xPweojg.exe
  C:\Windows\System32\xPweojg.exe
  2⤵
  PID:9808
- C:\Windows\System32\YMmxjxI.exe
  C:\Windows\System32\YMmxjxI.exe
  2⤵
  PID:9824
- C:\Windows\System32\QvqfsOv.exe
  C:\Windows\System32\QvqfsOv.exe
  2⤵
  PID:9840
- C:\Windows\System32\wCTNTho.exe
  C:\Windows\System32\wCTNTho.exe
  2⤵
  PID:9856
- C:\Windows\System32\kKvOnyN.exe
  C:\Windows\System32\kKvOnyN.exe
  2⤵
  PID:9872
- C:\Windows\System32\sRbBCLn.exe
  C:\Windows\System32\sRbBCLn.exe
  2⤵
  PID:9888
- C:\Windows\System32\BzQhuXP.exe
  C:\Windows\System32\BzQhuXP.exe
  2⤵
  PID:9904
- C:\Windows\System32\aHYRsIy.exe
  C:\Windows\System32\aHYRsIy.exe
  2⤵
  PID:9920
- C:\Windows\System32\xJiNSDh.exe
  C:\Windows\System32\xJiNSDh.exe
  2⤵
  PID:9936
- C:\Windows\System32\BorpDBh.exe
  C:\Windows\System32\BorpDBh.exe
  2⤵
  PID:9952
- C:\Windows\System32\sGCCjFD.exe
  C:\Windows\System32\sGCCjFD.exe
  2⤵
  PID:9968
- C:\Windows\System32\luKINkn.exe
  C:\Windows\System32\luKINkn.exe
  2⤵
  PID:9984
- C:\Windows\System32\xuLactb.exe
  C:\Windows\System32\xuLactb.exe
  2⤵
  PID:10000
- C:\Windows\System32\rAqiibK.exe
  C:\Windows\System32\rAqiibK.exe
  2⤵
  PID:10016
- C:\Windows\System32\oPYygrm.exe
  C:\Windows\System32\oPYygrm.exe
  2⤵
  PID:10032
- C:\Windows\System32\TkPickT.exe
  C:\Windows\System32\TkPickT.exe
  2⤵
  PID:10112
- C:\Windows\System32\yspUnYy.exe
  C:\Windows\System32\yspUnYy.exe
  2⤵
  PID:9312
- C:\Windows\System32\LQsjhQn.exe
  C:\Windows\System32\LQsjhQn.exe
  2⤵
  PID:9768
- C:\Windows\System32\xcdIZuG.exe
  C:\Windows\System32\xcdIZuG.exe
  2⤵
  PID:9848
- C:\Windows\System32\wASezAh.exe
  C:\Windows\System32\wASezAh.exe
  2⤵
  PID:9604
- C:\Windows\System32\gnyhnWB.exe
  C:\Windows\System32\gnyhnWB.exe
  2⤵
  PID:9584
- C:\Windows\System32\PpeoLUS.exe
  C:\Windows\System32\PpeoLUS.exe
  2⤵
  PID:9528
- C:\Windows\System32\IUzUBAu.exe
  C:\Windows\System32\IUzUBAu.exe
  2⤵
  PID:10072
- C:\Windows\System32\nNMhaKk.exe
  C:\Windows\System32\nNMhaKk.exe
  2⤵
  PID:9708
- C:\Windows\System32\lenxBBt.exe
  C:\Windows\System32\lenxBBt.exe
  2⤵
  PID:9772
- C:\Windows\System32\LMWJeHV.exe
  C:\Windows\System32\LMWJeHV.exe
  2⤵
  PID:9884
- C:\Windows\System32\jCjNAOz.exe
  C:\Windows\System32\jCjNAOz.exe
  2⤵
  PID:10012
- C:\Windows\System32\IQaMPtL.exe
  C:\Windows\System32\IQaMPtL.exe
  2⤵
  PID:10156
- C:\Windows\System32\IJHLRBr.exe
  C:\Windows\System32\IJHLRBr.exe
  2⤵
  PID:10136
- C:\Windows\System32\pMDcsjV.exe
  C:\Windows\System32\pMDcsjV.exe
  2⤵
  PID:10192
- C:\Windows\System32\LDKHcmq.exe
  C:\Windows\System32\LDKHcmq.exe
  2⤵
  PID:9404
- C:\Windows\System32\buXYREJ.exe
  C:\Windows\System32\buXYREJ.exe
  2⤵
  PID:9616
- C:\Windows\System32\JtqdlJV.exe
  C:\Windows\System32\JtqdlJV.exe
  2⤵
  PID:9816
- C:\Windows\System32\GUGpVou.exe
  C:\Windows\System32\GUGpVou.exe
  2⤵
  PID:9556
- C:\Windows\System32\ZpVNZRV.exe
  C:\Windows\System32\ZpVNZRV.exe
  2⤵
  PID:9660
- C:\Windows\System32\BPmfIuK.exe
  C:\Windows\System32\BPmfIuK.exe
  2⤵
  PID:10148
- C:\Windows\System32\DNWkbhh.exe
  C:\Windows\System32\DNWkbhh.exe
  2⤵
  PID:10204
- C:\Windows\System32\lPLpJKN.exe
  C:\Windows\System32\lPLpJKN.exe
  2⤵
  PID:9504
- C:\Windows\System32\XZAwBwL.exe
  C:\Windows\System32\XZAwBwL.exe
  2⤵
  PID:10056
- C:\Windows\System32\OpzmEqP.exe
  C:\Windows\System32\OpzmEqP.exe
  2⤵
  PID:9268
- C:\Windows\System32\jUZeSwi.exe
  C:\Windows\System32\jUZeSwi.exe
  2⤵
  PID:10040
- C:\Windows\System32\EHjShAM.exe
  C:\Windows\System32\EHjShAM.exe
  2⤵
  PID:9568
- C:\Windows\System32\VLORNEV.exe
  C:\Windows\System32\VLORNEV.exe
  2⤵
  PID:10260
- C:\Windows\System32\FgRCikk.exe
  C:\Windows\System32\FgRCikk.exe
  2⤵
  PID:10288
- C:\Windows\System32\fMpEvqU.exe
  C:\Windows\System32\fMpEvqU.exe
  2⤵
  PID:10308
- C:\Windows\System32\GpUdupt.exe
  C:\Windows\System32\GpUdupt.exe
  2⤵
  PID:10328
- C:\Windows\System32\OxBTnHD.exe
  C:\Windows\System32\OxBTnHD.exe
  2⤵
  PID:10364
- C:\Windows\System32\LqxDsWA.exe
  C:\Windows\System32\LqxDsWA.exe
  2⤵
  PID:10408
- C:\Windows\System32\pOnLjBG.exe
  C:\Windows\System32\pOnLjBG.exe
  2⤵
  PID:10428
- C:\Windows\System32\WfMHPhb.exe
  C:\Windows\System32\WfMHPhb.exe
  2⤵
  PID:10452
- C:\Windows\System32\FbxytUu.exe
  C:\Windows\System32\FbxytUu.exe
  2⤵
  PID:10472
- C:\Windows\System32\cqhpahN.exe
  C:\Windows\System32\cqhpahN.exe
  2⤵
  PID:10516
- C:\Windows\System32\riMcvor.exe
  C:\Windows\System32\riMcvor.exe
  2⤵
  PID:10560
- C:\Windows\System32\ZkZNgqu.exe
  C:\Windows\System32\ZkZNgqu.exe
  2⤵
  PID:10588
- C:\Windows\System32\ApIwqop.exe
  C:\Windows\System32\ApIwqop.exe
  2⤵
  PID:10612
- C:\Windows\System32\FgigtXB.exe
  C:\Windows\System32\FgigtXB.exe
  2⤵
  PID:10636
- C:\Windows\System32\cPGnXrk.exe
  C:\Windows\System32\cPGnXrk.exe
  2⤵
  PID:10656
- C:\Windows\System32\VLZCLTt.exe
  C:\Windows\System32\VLZCLTt.exe
  2⤵
  PID:10676
- C:\Windows\System32\BrWsoVh.exe
  C:\Windows\System32\BrWsoVh.exe
  2⤵
  PID:10708
- C:\Windows\System32\snfWftw.exe
  C:\Windows\System32\snfWftw.exe
  2⤵
  PID:10752
- C:\Windows\System32\QHSSONL.exe
  C:\Windows\System32\QHSSONL.exe
  2⤵
  PID:10768
- C:\Windows\System32\VzIRJgW.exe
  C:\Windows\System32\VzIRJgW.exe
  2⤵
  PID:10792
- C:\Windows\System32\Azwbpoc.exe
  C:\Windows\System32\Azwbpoc.exe
  2⤵
  PID:10836
- C:\Windows\System32\hyvMTTx.exe
  C:\Windows\System32\hyvMTTx.exe
  2⤵
  PID:10860
- C:\Windows\System32\yaUdORX.exe
  C:\Windows\System32\yaUdORX.exe
  2⤵
  PID:10876
- C:\Windows\System32\nKeOtEt.exe
  C:\Windows\System32\nKeOtEt.exe
  2⤵
  PID:10904
- C:\Windows\System32\hwhftfw.exe
  C:\Windows\System32\hwhftfw.exe
  2⤵
  PID:10920
- C:\Windows\System32\rtANozI.exe
  C:\Windows\System32\rtANozI.exe
  2⤵
  PID:10936
- C:\Windows\System32\IIqnriD.exe
  C:\Windows\System32\IIqnriD.exe
  2⤵
  PID:10984
- C:\Windows\System32\ZLWKkNT.exe
  C:\Windows\System32\ZLWKkNT.exe
  2⤵
  PID:11000
- C:\Windows\System32\WEACpki.exe
  C:\Windows\System32\WEACpki.exe
  2⤵
  PID:11024
- C:\Windows\System32\ivaGhyT.exe
  C:\Windows\System32\ivaGhyT.exe
  2⤵
  PID:11068
- C:\Windows\System32\TBCfFSj.exe
  C:\Windows\System32\TBCfFSj.exe
  2⤵
  PID:11124
- C:\Windows\System32\iKWYLcv.exe
  C:\Windows\System32\iKWYLcv.exe
  2⤵
  PID:11144
- C:\Windows\System32\ERkRLzJ.exe
  C:\Windows\System32\ERkRLzJ.exe
  2⤵
  PID:11168
- C:\Windows\System32\gvGMGrs.exe
  C:\Windows\System32\gvGMGrs.exe
  2⤵
  PID:11188
- C:\Windows\System32\bMdbpsv.exe
  C:\Windows\System32\bMdbpsv.exe
  2⤵
  PID:11204
- C:\Windows\System32\pouRmFt.exe
  C:\Windows\System32\pouRmFt.exe
  2⤵
  PID:11240
- C:\Windows\System32\KQGfzku.exe
  C:\Windows\System32\KQGfzku.exe
  2⤵
  PID:10304
- C:\Windows\System32\GEuaLVD.exe
  C:\Windows\System32\GEuaLVD.exe
  2⤵
  PID:10300
- C:\Windows\System32\WBwgxSw.exe
  C:\Windows\System32\WBwgxSw.exe
  2⤵
  PID:10392
- C:\Windows\System32\ltmtGtf.exe
  C:\Windows\System32\ltmtGtf.exe
  2⤵
  PID:10468
- C:\Windows\System32\VAQMCom.exe
  C:\Windows\System32\VAQMCom.exe
  2⤵
  PID:10532
- C:\Windows\System32\tsVSmxq.exe
  C:\Windows\System32\tsVSmxq.exe
  2⤵
  PID:10568
- C:\Windows\System32\ODDfBWd.exe
  C:\Windows\System32\ODDfBWd.exe
  2⤵
  PID:3192
- C:\Windows\System32\wSNXSTP.exe
  C:\Windows\System32\wSNXSTP.exe
  2⤵
  PID:10692
- C:\Windows\System32\GFyURFZ.exe
  C:\Windows\System32\GFyURFZ.exe
  2⤵
  PID:10760
- C:\Windows\System32\mRxTOlc.exe
  C:\Windows\System32\mRxTOlc.exe
  2⤵
  PID:10816
- C:\Windows\System32\FXdDXbU.exe
  C:\Windows\System32\FXdDXbU.exe
  2⤵
  PID:10872
- C:\Windows\System32\jjorBca.exe
  C:\Windows\System32\jjorBca.exe
  2⤵
  PID:10948
- C:\Windows\System32\QAGNOKB.exe
  C:\Windows\System32\QAGNOKB.exe
  2⤵
  PID:11016
- C:\Windows\System32\wAjdtXy.exe
  C:\Windows\System32\wAjdtXy.exe
  2⤵
  PID:11048
- C:\Windows\System32\Xhdoscb.exe
  C:\Windows\System32\Xhdoscb.exe
  2⤵
  PID:11096
- C:\Windows\System32\cXAitcJ.exe
  C:\Windows\System32\cXAitcJ.exe
  2⤵
  PID:11132
- C:\Windows\System32\zLdkibs.exe
  C:\Windows\System32\zLdkibs.exe
  2⤵
  PID:4288
- C:\Windows\System32\oAfEjuS.exe
  C:\Windows\System32\oAfEjuS.exe
  2⤵
  PID:9804
- C:\Windows\System32\zSdrsWx.exe
  C:\Windows\System32\zSdrsWx.exe
  2⤵
  PID:10372
- C:\Windows\System32\avwWzRC.exe
  C:\Windows\System32\avwWzRC.exe
  2⤵
  PID:10488
- C:\Windows\System32\XpoUbxG.exe
  C:\Windows\System32\XpoUbxG.exe
  2⤵
  PID:10652
- C:\Windows\System32\rpVUgBY.exe
  C:\Windows\System32\rpVUgBY.exe
  2⤵
  PID:10844
- C:\Windows\System32\peJpOIg.exe
  C:\Windows\System32\peJpOIg.exe
  2⤵
  PID:10916
- C:\Windows\System32\UlwfHgw.exe
  C:\Windows\System32\UlwfHgw.exe
  2⤵
  PID:5084
- C:\Windows\System32\AHOfkrZ.exe
  C:\Windows\System32\AHOfkrZ.exe
  2⤵
  PID:2052
- C:\Windows\System32\WhMgipj.exe
  C:\Windows\System32\WhMgipj.exe
  2⤵
  PID:11076
- C:\Windows\System32\YkvsVbC.exe
  C:\Windows\System32\YkvsVbC.exe
  2⤵
  PID:10280
- C:\Windows\System32\upCFTCA.exe
  C:\Windows\System32\upCFTCA.exe
  2⤵
  PID:10896
- C:\Windows\System32\XimIJzR.exe
  C:\Windows\System32\XimIJzR.exe
  2⤵
  PID:11156
- C:\Windows\System32\hWFsEeJ.exe
  C:\Windows\System32\hWFsEeJ.exe
  2⤵
  PID:11228
- C:\Windows\System32\ATGTCLv.exe
  C:\Windows\System32\ATGTCLv.exe
  2⤵
  PID:740
- C:\Windows\System32\JuUPLyd.exe
  C:\Windows\System32\JuUPLyd.exe
  2⤵
  PID:11284
- C:\Windows\System32\OooKRfc.exe
  C:\Windows\System32\OooKRfc.exe
  2⤵
  PID:11324
- C:\Windows\System32\QdgyWaZ.exe
  C:\Windows\System32\QdgyWaZ.exe
  2⤵
  PID:11356
- C:\Windows\System32\mhhRmzx.exe
  C:\Windows\System32\mhhRmzx.exe
  2⤵
  PID:11376
- C:\Windows\System32\UJkNBsO.exe
  C:\Windows\System32\UJkNBsO.exe
  2⤵
  PID:11396
- C:\Windows\System32\iIuUrlO.exe
  C:\Windows\System32\iIuUrlO.exe
  2⤵
  PID:11416
- C:\Windows\System32\UKqxVcB.exe
  C:\Windows\System32\UKqxVcB.exe
  2⤵
  PID:11452
- C:\Windows\System32\TBVSsAs.exe
  C:\Windows\System32\TBVSsAs.exe
  2⤵
  PID:11468
- C:\Windows\System32\VwirHSR.exe
  C:\Windows\System32\VwirHSR.exe
  2⤵
  PID:11492
- C:\Windows\System32\igudSGc.exe
  C:\Windows\System32\igudSGc.exe
  2⤵
  PID:11508
- C:\Windows\System32\MMBrigA.exe
  C:\Windows\System32\MMBrigA.exe
  2⤵
  PID:11532
- C:\Windows\System32\QPpMYZe.exe
  C:\Windows\System32\QPpMYZe.exe
  2⤵
  PID:11560
- C:\Windows\System32\rJkDNFM.exe
  C:\Windows\System32\rJkDNFM.exe
  2⤵
  PID:11576
- C:\Windows\System32\AxWMdNG.exe
  C:\Windows\System32\AxWMdNG.exe
  2⤵
  PID:11664
- C:\Windows\System32\tJLlMBr.exe
  C:\Windows\System32\tJLlMBr.exe
  2⤵
  PID:11692
- C:\Windows\System32\qnDgGKa.exe
  C:\Windows\System32\qnDgGKa.exe
  2⤵
  PID:11720
- C:\Windows\System32\RQNZEDz.exe
  C:\Windows\System32\RQNZEDz.exe
  2⤵
  PID:11740
- C:\Windows\System32\OZMXmJa.exe
  C:\Windows\System32\OZMXmJa.exe
  2⤵
  PID:11760
- C:\Windows\System32\sDjHsAY.exe
  C:\Windows\System32\sDjHsAY.exe
  2⤵
  PID:11804
- C:\Windows\System32\BheysIG.exe
  C:\Windows\System32\BheysIG.exe
  2⤵
  PID:11824
- C:\Windows\System32\SpvkkLk.exe
  C:\Windows\System32\SpvkkLk.exe
  2⤵
  PID:11864
- C:\Windows\System32\PxszNKa.exe
  C:\Windows\System32\PxszNKa.exe
  2⤵
  PID:11884
- C:\Windows\System32\jTkCczs.exe
  C:\Windows\System32\jTkCczs.exe
  2⤵
  PID:11904
- C:\Windows\System32\cvSDMgs.exe
  C:\Windows\System32\cvSDMgs.exe
  2⤵
  PID:11924
- C:\Windows\System32\PRJgiUc.exe
  C:\Windows\System32\PRJgiUc.exe
  2⤵
  PID:11940
- C:\Windows\System32\eCwBkkg.exe
  C:\Windows\System32\eCwBkkg.exe
  2⤵
  PID:11988
- C:\Windows\System32\WcNoDLH.exe
  C:\Windows\System32\WcNoDLH.exe
  2⤵
  PID:12032
- C:\Windows\System32\jhpeMBt.exe
  C:\Windows\System32\jhpeMBt.exe
  2⤵
  PID:12060
- C:\Windows\System32\OWxOfmn.exe
  C:\Windows\System32\OWxOfmn.exe
  2⤵
  PID:12076
- C:\Windows\System32\GUWwjfE.exe
  C:\Windows\System32\GUWwjfE.exe
  2⤵
  PID:12096
- C:\Windows\System32\EKpjiXR.exe
  C:\Windows\System32\EKpjiXR.exe
  2⤵
  PID:12120
- C:\Windows\System32\cYcfwPR.exe
  C:\Windows\System32\cYcfwPR.exe
  2⤵
  PID:12188
- C:\Windows\System32\wuNZpJZ.exe
  C:\Windows\System32\wuNZpJZ.exe
  2⤵
  PID:12204
- C:\Windows\System32\QKRtwbM.exe
  C:\Windows\System32\QKRtwbM.exe
  2⤵
  PID:12220
- C:\Windows\System32\YdhbNth.exe
  C:\Windows\System32\YdhbNth.exe
  2⤵
  PID:12240
- C:\Windows\System32\tdxYGaX.exe
  C:\Windows\System32\tdxYGaX.exe
  2⤵
  PID:12280
- C:\Windows\System32\fMtNxdp.exe
  C:\Windows\System32\fMtNxdp.exe
  2⤵
  PID:10440
- C:\Windows\System32\vXxFSnL.exe
  C:\Windows\System32\vXxFSnL.exe
  2⤵
  PID:11352
- C:\Windows\System32\RjDCyYt.exe
  C:\Windows\System32\RjDCyYt.exe
  2⤵
  PID:11388
- C:\Windows\System32\EpkohCw.exe
  C:\Windows\System32\EpkohCw.exe
  2⤵
  PID:11440
- C:\Windows\System32\nyXJdbs.exe
  C:\Windows\System32\nyXJdbs.exe
  2⤵
  PID:11500
- C:\Windows\System32\QFnnmFw.exe
  C:\Windows\System32\QFnnmFw.exe
  2⤵
  PID:11612
- C:\Windows\System32\AhLTIYS.exe
  C:\Windows\System32\AhLTIYS.exe
  2⤵
  PID:11708
- C:\Windows\System32\MDSIYGV.exe
  C:\Windows\System32\MDSIYGV.exe
  2⤵
  PID:11748
- C:\Windows\System32\ATvvXpy.exe
  C:\Windows\System32\ATvvXpy.exe
  2⤵
  PID:11796
- C:\Windows\System32\aqflrqE.exe
  C:\Windows\System32\aqflrqE.exe
  2⤵
  PID:11876
- C:\Windows\System32\GQbzvJg.exe
  C:\Windows\System32\GQbzvJg.exe
  2⤵
  PID:11936
- C:\Windows\System32\NaobYWy.exe
  C:\Windows\System32\NaobYWy.exe
  2⤵
  PID:11984
- C:\Windows\System32\JxvrWiy.exe
  C:\Windows\System32\JxvrWiy.exe
  2⤵
  PID:1312
- C:\Windows\System32\DLBnGAE.exe
  C:\Windows\System32\DLBnGAE.exe
  2⤵
  PID:12020
- C:\Windows\System32\YnwWnvq.exe
  C:\Windows\System32\YnwWnvq.exe
  2⤵
  PID:12068
- C:\Windows\System32\HePFssI.exe
  C:\Windows\System32\HePFssI.exe
  2⤵
  PID:12108
- C:\Windows\System32\RavCghM.exe
  C:\Windows\System32\RavCghM.exe
  2⤵
  PID:12228
- C:\Windows\System32\WvFqiCQ.exe
  C:\Windows\System32\WvFqiCQ.exe
  2⤵
  PID:11540
- C:\Windows\System32\HvuAopz.exe
  C:\Windows\System32\HvuAopz.exe
  2⤵
  PID:11584
- C:\Windows\System32\bcpcyin.exe
  C:\Windows\System32\bcpcyin.exe
  2⤵
  PID:11728
- C:\Windows\System32\amMVcoL.exe
  C:\Windows\System32\amMVcoL.exe
  2⤵
  PID:11820
- C:\Windows\System32\xJdvxge.exe
  C:\Windows\System32\xJdvxge.exe
  2⤵
  PID:4452
- C:\Windows\System32\Rviwtsq.exe
  C:\Windows\System32\Rviwtsq.exe
  2⤵
  PID:11948
- C:\Windows\System32\HfzPvIX.exe
  C:\Windows\System32\HfzPvIX.exe
  2⤵
  PID:12268
- C:\Windows\System32\xfyhnkV.exe
  C:\Windows\System32\xfyhnkV.exe
  2⤵
  PID:11672
- C:\Windows\System32\oMpfFLH.exe
  C:\Windows\System32\oMpfFLH.exe
  2⤵
  PID:11892
- C:\Windows\System32\OzjVqtr.exe
  C:\Windows\System32\OzjVqtr.exe
  2⤵
  PID:11932
- C:\Windows\System32\anzXxjU.exe
  C:\Windows\System32\anzXxjU.exe
  2⤵
  PID:3020
- C:\Windows\System32\JuuVwkZ.exe
  C:\Windows\System32\JuuVwkZ.exe
  2⤵
  PID:3208
- C:\Windows\System32\KtLQJvQ.exe
  C:\Windows\System32\KtLQJvQ.exe
  2⤵
  PID:684
- C:\Windows\System32\Essqzmh.exe
  C:\Windows\System32\Essqzmh.exe
  2⤵
  PID:12300
- C:\Windows\System32\GSKrVpM.exe
  C:\Windows\System32\GSKrVpM.exe
  2⤵
  PID:12328
- C:\Windows\System32\uoVyJRr.exe
  C:\Windows\System32\uoVyJRr.exe
  2⤵
  PID:12352
- C:\Windows\System32\UZjaReL.exe
  C:\Windows\System32\UZjaReL.exe
  2⤵
  PID:12372
- C:\Windows\System32\CcwIwvG.exe
  C:\Windows\System32\CcwIwvG.exe
  2⤵
  PID:12392
- C:\Windows\System32\LVuJTDw.exe
  C:\Windows\System32\LVuJTDw.exe
  2⤵
  PID:12452
- C:\Windows\System32\KoNeZPB.exe
  C:\Windows\System32\KoNeZPB.exe
  2⤵
  PID:12480
- C:\Windows\System32\XIUxgAJ.exe
  C:\Windows\System32\XIUxgAJ.exe
  2⤵
  PID:12496
- C:\Windows\System32\XBxgVli.exe
  C:\Windows\System32\XBxgVli.exe
  2⤵
  PID:12524
- C:\Windows\System32\VfXSuBB.exe
  C:\Windows\System32\VfXSuBB.exe
  2⤵
  PID:12552
- C:\Windows\System32\tPjrttB.exe
  C:\Windows\System32\tPjrttB.exe
  2⤵
  PID:12568
- C:\Windows\System32\JiYRiCg.exe
  C:\Windows\System32\JiYRiCg.exe
  2⤵
  PID:12596
- C:\Windows\System32\nyapXri.exe
  C:\Windows\System32\nyapXri.exe
  2⤵
  PID:12612
- C:\Windows\System32\kRAEvuJ.exe
  C:\Windows\System32\kRAEvuJ.exe
  2⤵
  PID:12680
- C:\Windows\System32\LgTVLMs.exe
  C:\Windows\System32\LgTVLMs.exe
  2⤵
  PID:12708
- C:\Windows\System32\TUItxFE.exe
  C:\Windows\System32\TUItxFE.exe
  2⤵
  PID:12740
- C:\Windows\System32\uNkUvVJ.exe
  C:\Windows\System32\uNkUvVJ.exe
  2⤵
  PID:12764
- C:\Windows\System32\COLmBRy.exe
  C:\Windows\System32\COLmBRy.exe
  2⤵
  PID:12780
- C:\Windows\System32\heEUdAu.exe
  C:\Windows\System32\heEUdAu.exe
  2⤵
  PID:12808
- C:\Windows\System32\PSVoRWY.exe
  C:\Windows\System32\PSVoRWY.exe
  2⤵
  PID:12852
- C:\Windows\System32\qpmvMjJ.exe
  C:\Windows\System32\qpmvMjJ.exe
  2⤵
  PID:12872
- C:\Windows\System32\QXzRDyk.exe
  C:\Windows\System32\QXzRDyk.exe
  2⤵
  PID:12888
- C:\Windows\System32\bpiBbEa.exe
  C:\Windows\System32\bpiBbEa.exe
  2⤵
  PID:12912
- C:\Windows\System32\jVFjaHw.exe
  C:\Windows\System32\jVFjaHw.exe
  2⤵
  PID:12936
- C:\Windows\System32\tGdhEra.exe
  C:\Windows\System32\tGdhEra.exe
  2⤵
  PID:12976
- C:\Windows\System32\xTjIuOs.exe
  C:\Windows\System32\xTjIuOs.exe
  2⤵
  PID:13004
- C:\Windows\System32\Gjdmufe.exe
  C:\Windows\System32\Gjdmufe.exe
  2⤵
  PID:13028
- C:\Windows\System32\FmqfjTc.exe
  C:\Windows\System32\FmqfjTc.exe
  2⤵
  PID:13056
- C:\Windows\System32\GFPPeBg.exe
  C:\Windows\System32\GFPPeBg.exe
  2⤵
  PID:13096
- C:\Windows\System32\RFrkxca.exe
  C:\Windows\System32\RFrkxca.exe
  2⤵
  PID:13140
- C:\Windows\System32\xEeJXBd.exe
  C:\Windows\System32\xEeJXBd.exe
  2⤵
  PID:13172
- C:\Windows\System32\xpFOTSB.exe
  C:\Windows\System32\xpFOTSB.exe
  2⤵
  PID:13204
- C:\Windows\System32\DDhnsMa.exe
  C:\Windows\System32\DDhnsMa.exe
  2⤵
  PID:13220
- C:\Windows\System32\dosBfru.exe
  C:\Windows\System32\dosBfru.exe
  2⤵
  PID:13240
- C:\Windows\System32\tclPpwl.exe
  C:\Windows\System32\tclPpwl.exe
  2⤵
  PID:13260
- C:\Windows\System32\OxcBSzA.exe
  C:\Windows\System32\OxcBSzA.exe
  2⤵
  PID:13276
- C:\Windows\System32\RxTRwUE.exe
  C:\Windows\System32\RxTRwUE.exe
  2⤵
  PID:13300
- C:\Windows\System32\ubRuOZV.exe
  C:\Windows\System32\ubRuOZV.exe
  2⤵
  PID:5060
- C:\Windows\System32\HmQIPRe.exe
  C:\Windows\System32\HmQIPRe.exe
  2⤵
  PID:12380
- C:\Windows\System32\BZzERzs.exe
  C:\Windows\System32\BZzERzs.exe
  2⤵
  PID:12468

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AnrHPJt.exe

Filesize
1.3MB

MD5
b7051a9b56205254598d169ae8e1acb6

SHA1
0a83ead715af60a94cf573f7896aaa1485507c8a

SHA256
c474c2873bca0e9e6c1e0125156a6114af0424d931f79f65dd947c0d30c66051

SHA512
9239fc0ccce0b8e72f12263d4bf8f30e1c63b88ab7124ed00a2c1b484fc708a2947fc9f021780a893e81731bb8cbebf514e09793fbfdf42852ca698542f1b8da

Download Submit
C:\Windows\System32\AxBSsFX.exe

Filesize
1.3MB

MD5
da7e9d5e374dd0cd5627f4a2e7cde8b9

SHA1
96e88bf6da3b4662520e2302f97f86b301d3ced3

SHA256
9b87f8fd68073d0cc3c508e5ada19b83aa5973cea48af38ede4fe4d85240f1fe

SHA512
fc4bbd2862e93148523dba181bb7ada1dff6cf618e145d54e384f4e0b561d5a6b97f259d4884ecf75ea808b0dcbff5d67814ea3900a8c6e9bf5a340ed2302617

Download Submit
C:\Windows\System32\BPwBcTD.exe

Filesize
1.3MB

MD5
2419b4aa200348ec5e68083b0405b0d4

SHA1
c069c9f998c15fc971c90ecba17be9813f13d2d9

SHA256
d6933335a2e8bfe4fed3923b66853da1810874d508b88788b7a67e4ad15a83df

SHA512
6c02be796f85db27c8135fbebb1bbfa3537f02473ce2ece8c218db8c6f414d12a40791b5869692b3cd26b3593201675329035dac3b393e4405dcd2e26c04faab

Download Submit
C:\Windows\System32\BkqrpXI.exe

Filesize
1.3MB

MD5
605cb679fa066c0661044761688ac54b

SHA1
5a65f8b2f3b08b7abb30e1913dd13cfb4f602cc7

SHA256
58f932265a99481ef70dbd13db2d3cb2ab50516848e06bc4fdd3dd0efa5c843f

SHA512
2cfb70daca631fe224505ed54af9a2e5d18fc427f86fc569ced3db0da806327e76fcfcdea6a529924a1a4e51127e6449a62005550e6bb255bd0d1b9bd194555e

Download Submit
C:\Windows\System32\BmLOLgB.exe

Filesize
1.3MB

MD5
3ea0fc71142fe4a88059c69d0ccc1321

SHA1
6cba2f2579f46463cb90504e8520067953403b60

SHA256
24b57442b31da0229e1fd5a0272786bad927af80603aa94c1e941a40a307c08e

SHA512
a60cb161ecc87550c1e6540ea63c68a269f743dee19365f65567f21c23df5607431d2aff5b1ace404c7fbcaa29f66090a0466ef9ed61b4217f66c2d7b3c6d09a

Download Submit
C:\Windows\System32\DGxuGoS.exe

Filesize
1.3MB

MD5
94533893a916493733fdf942f65e6d57

SHA1
193976ba3b19c386ba3bcef42faa6e77b1af8e4b

SHA256
2ad177fed4577afe3d0fb4b5e9ab56cfdae69df14f7d6ca2b664ace8e2a38330

SHA512
60d8cd5d19f1da14076f3100d5bb814c3faef58612c1401385d293780907cf0168cd8d6aa91f60233a283e034f3ffbdf9540c43771e7f894121a15f734ef661b

Download Submit
C:\Windows\System32\EKRtKWE.exe

Filesize
1.3MB

MD5
ffb3241f9f913e6ec29a39a9887e1dfa

SHA1
661b822da7846f5114d710db409d876d42df68b7

SHA256
9408ca63a521b88aebf82abcbb3bbdb1c6e4ef44415c170f9771d28aea206c2f

SHA512
542e0ee2e24ce385f80dea7d75cbde83a279f8a9629ac4d3975dcac63add618c610f325defdb97160f4043630379312574ed452312c8f4a4780a5d842c3d1635

Download Submit
C:\Windows\System32\KtNdSyb.exe

Filesize
1.3MB

MD5
49cb3ff15fd6f095640b37483eb96cfa

SHA1
5499632261328c6db095ab2bebbf5fcfd474ebf4

SHA256
c1e398abb315d6108d8946b069a1899183d37b9e0487048380884c14a0672e5f

SHA512
de95bebbf49d93a657a6700cd24c38ebd5ee2f13dee988fc4e3d5ff2dd811bc97b8735334b8b4b996a55e46ff1cc11bb2da6ac90a90481623619adf230f01d0b

Download Submit
C:\Windows\System32\LftPXkN.exe

Filesize
1.3MB

MD5
8abc023cdd7f348eb8da10f8ad1c6d24

SHA1
3010fa41c82e67e757eb57882bb0a47bc085c019

SHA256
0e2ad507895427659ed91c6c9ca64436640b349965e80dc7a25e49458c7d4031

SHA512
077c6f4d2d52e8a6fe029e5f7a8a2b027ec1eb28ae7e9b385d6c0743d74033b9870998882d906f90bb6618d59b0d081df8e0192b47e5689863057cb2d941fd54

Download Submit
C:\Windows\System32\MwCFOnB.exe

Filesize
1.3MB

MD5
19ced1aea7a2a8d9af0ed4753f404910

SHA1
c198b3971fca54c216848fd0338dd2a729559079

SHA256
4db3bf74616881424f9505364c2e5c9acc55e0f2a09ef276f7015336cb86910d

SHA512
1186f9ef81240afc859040225220bc25c262abb91ecc8c026be1cfdbf053b0e80d96fbe3f76ad530c8fe51df03c7bb20ec0cbb1c320673ed0584315fefe96eb5

Download Submit
C:\Windows\System32\NzqNhOv.exe

Filesize
1.3MB

MD5
9536e254ff3d42ed3e678bd6bbf05c60

SHA1
3baca10e92f295747d4f4107592dc4e09f1eba58

SHA256
5a43343621682f9d64cd715fd151450be5527581e3c917e1e46e17fc17872512

SHA512
ad64a821c9d8e14b7d86820481b5b9dd4f93c224ddc55f392593fe181e9ebe0dec1c4aef04a9b195c7337b477fc3d611375661f90196f5528b83ebc4e45e0aa6

Download Submit
C:\Windows\System32\PNnvtgY.exe

Filesize
1.3MB

MD5
58f3b8941ecc26b34a2cf95c834e762e

SHA1
850c798079af0425944a215caf6e685d46cc087c

SHA256
72fdf5c506056d869983e78fd1cbe9114bf8b8e1a1076983d5aa58425395536d

SHA512
e4ab8b596badaef8d273bfed5ac73b02e83a11da69aa0b1d248ea978e40990461a49c0610de0676d0bc6bb4492839180f466a440eb08289e4f847dcefd3284f8

Download Submit
C:\Windows\System32\PjSwqAz.exe

Filesize
1.3MB

MD5
965877cc8edfb20b07e61d8bc191779f

SHA1
629bf1185dbef8303c79da0ac9cfd8f37a2fd2b3

SHA256
7e5188e9ed88d498299d43535b20271fdf01aa710598b34f6d70b4b8804d802d

SHA512
5302f3b02bac7338b981fc64335ef5288e1c95fe0ece319ce715b2c2ccdb5d2acb305af8753be48127ed9019bb5d344632875bf45c89850a051482204f8d6cdb

Download Submit
C:\Windows\System32\XcZPtNz.exe

Filesize
1.3MB

MD5
48718070f10a8fc8ff6179eeffa092d2

SHA1
fe0b9f287279312f1c08f472b03023527ebabe59

SHA256
434c854dc280ad12bab4927073d04ff60f4be54e81635678e6b78905e475a8a4

SHA512
8597fd1fc19159efc1ccda555c3b184e5ddb3f082c84d949de5f694892b2841a7997dba44270749b9a2a0781aab96ee3c792c305206a85ddb0bb0950b97e7dd7

Download Submit
C:\Windows\System32\XnlCElJ.exe

Filesize
1.3MB

MD5
84da48ede8e92cfa60285c7a47eb2ba8

SHA1
759a550f18f45607607d8c2b49f28cf407d165ab

SHA256
08f082f6ca1ff8d78a3a938780f246ab5ccf3a3b929e73e541975f05e84f64ea

SHA512
ecfd6003337c328e710daad0f94c4c67a0de2d04563975bd211a3dd4e0fc5c4275cc851bd9f1dcc71d77d83a709aad05145080b8eb13cb3beba6d8e70262d92d

Download Submit
C:\Windows\System32\ZgazOFV.exe

Filesize
1.3MB

MD5
2c2c4666b198d97903863360ac60646a

SHA1
28b55e6a47f1a2c88556bb5a5986d85cd84f71b4

SHA256
7e80e7955a909be04ebf3d8c768e604fc8fa0ba97039fb876c5775324fd5ea83

SHA512
3c1b842785586450562cac659adb9a33d5a9834c2fc4544d86edf3c008467854ec64eaada32242d8cba1b94f1cd06bf6a0b96ca6235adac5f596e2131e24a589

Download Submit
C:\Windows\System32\ZtWTVvK.exe

Filesize
1.3MB

MD5
ef0717d8237307edabf07a35254cfe07

SHA1
00b5e2c61e17dd81178105f5431f334bedc48c2f

SHA256
777ac1ae20adfa99a28427b13ecbbdfb44154b6614b11968cb46839a9cd33d9b

SHA512
99cec5dab3e51ff023025df561208e70b69ebfc0fe6a8ed628b3b48e9f0534eed04744d61f0edcddd536bc5f672347b60f6ea85e763faa09de795985f53a4509

Download Submit
C:\Windows\System32\aVZkFjc.exe

Filesize
1.3MB

MD5
de5bcd135dd390842cc25a684c2bcbc7

SHA1
0387c6b2f215874498d9b6f462e7681cd1ecbc42

SHA256
59635b0d969c158f17e43b5434d0fc011ac32e9a7fbf357ad1fb84d8791644ac

SHA512
01a46b02bfe2c22b10f6ffd3ccbd0b9de440f3e2161570cbbeb114b361fa4161238ea640035d4c66ba8253acccea1a540d35f60764247cb721f75379e39c4c93

Download Submit
C:\Windows\System32\bXQmiau.exe

Filesize
1.3MB

MD5
670703df2ab8b68e02f97f75a56b3852

SHA1
342af2bbff3610e63bad656b7981b826a29e86bd

SHA256
f418b2b5f05d5557e31727b6eb623fd59bdea444fbc7f8dc99357ff645d521a2

SHA512
6a487ef319fb007231897b59c589b83b8b00a47aaf441d2ac6df4310d54503869eca01072482853f8e0414fe7c105cd66e0648e318b48f3a12e520008635e980

Download Submit
C:\Windows\System32\dTwjNKO.exe

Filesize
1.3MB

MD5
b716e38ab20b731278289aee37cc7435

SHA1
bd4d3ad80d44c1e435bca7068a55021b9fbbdee1

SHA256
66ccfbdc0824e17a048c37d13594fe30fab41b3157b708e3b470553cc5d80e0a

SHA512
648068a9128aa9663bb6b384c00543e717fddf22d56311d693f381479fad4ab8e2be80f0ed3ef0d1bb39485a6c1450fad04bfbdcf958ecd50832fa3d529bed47

Download Submit
C:\Windows\System32\lqsktPw.exe

Filesize
1.3MB

MD5
1024ef9e95d1fd724133c2ccd4749e4b

SHA1
5ef05bded382a089e5461790e79761cd60aa7836

SHA256
13d9916c9308ae512afd13fd280c11b18b2970b5f866650ad5fdd8bc076a1e2d

SHA512
f1dd2ee27bd2f18c3fffbdfe4bfe6d94832c549012f8002c1f9b459560a9393276ecab8b06b8cb936362278adc7e63e1950d6d07223f34a80ac84d15d582e4a9

Download Submit
C:\Windows\System32\mCGUsgb.exe

Filesize
1.3MB

MD5
a3b524da11a19e114976f38be449bd31

SHA1
dbba32b3589fb3045cd80a4b17909904525ff89a

SHA256
411ad4bc16b0eb8bb79441a7cb172ae2696662c08cd797341db7d60015798371

SHA512
d9636396f8ee2a247d506fec6dde0084bd7b75feb9ca8caa45ceff2c0822404ef6ddabf0763032649a03a9c94b41ab699f8acd0f03fc477b35e1e0b27248b3e1

Download Submit
C:\Windows\System32\mHLuhcz.exe

Filesize
1.3MB

MD5
25274ef09eaa7246f8ac4ddb9fa36711

SHA1
5514f48d0a6eab62d6482fbc08f2bcb2ed4fda5d

SHA256
cd21f63f4100c7bfb746b1ade73efb9e1a7c45719624a24ecb456e043c479d67

SHA512
206ae6b571807aeb717775bb039993235849c763b698a901cd54622319129f1cd63c88b03b542d0eecd4196536a8aef4f98cc00e35d40e71386a8d6369ff5436

Download Submit
C:\Windows\System32\mRQfpWl.exe

Filesize
1.3MB

MD5
234ff2ab15d96c43b630d2e5977ed5f5

SHA1
0be4c2b07aee640a91ca47c2ce81001600c7bc95

SHA256
6050f541f8c284bf8e9bf68331dff698888a03be3a660b847f2dfd576c8f25fa

SHA512
96d0bb53dfb6f873c6cd00b31b13f78bfa49ccb7199e24b49153407cfde8ca1a2b84fd9f4210d03889515ca0bd38370c0994b25442b3855f071b827072b62367

Download Submit
C:\Windows\System32\ninymcz.exe

Filesize
1.3MB

MD5
e90a0c8a65ac169a47cdf9cc59d3b409

SHA1
b8142b11ca90df33998769b4c2fb728df4e79e9b

SHA256
afa35fe7dab6bd1b7f4f42ce218c172ee6eb7b23815c26de2a81d7f838867809

SHA512
fcb6eb8cbde9dbad75c485f848105c5a0486eec67db8c1c2ec50b5c39b6b12fdab9a48866620bde35e7a15fcfd1bca96299c6cd239f892b8f6704aca958e1352

Download Submit
C:\Windows\System32\pjxDdnq.exe

Filesize
1.3MB

MD5
22c4d674e1eef270b61819a1c1437a08

SHA1
34507c5fd953507d9f4405e05d42960ec7b3b1ba

SHA256
83398eac67657eed5c4284d2ba910a57a9cf02c9c533f2e116283df5d750ec5e

SHA512
3d14970b93c7beefbfe19cbfb452ff16e902a9496329ba78c97a549b82c8acb80178c6a90839ace3172092f07e5f3c2a5185f877081385330a9ba698f846fd60

Download Submit
C:\Windows\System32\qpLMpYb.exe

Filesize
1.3MB

MD5
c07326500e0c4592e15be16f8ea4bcb1

SHA1
5ac08391fd1bfbf772a0641d25814379bfb54c4e

SHA256
629085494e27461dad1d12da2340c7cfdda04764c7d9a409c25dd0964f802774

SHA512
47e6bf36f0954fad5e39edc37a6403c504629aec827ebad6afca547100434f495d53de8c8aeb7ba6cd33d98935a037fab5894546abc679a08cfc6976ee13f7f0

Download Submit
C:\Windows\System32\rCgOAei.exe

Filesize
1.3MB

MD5
1cf7d201f917bc6e459afd0360668692

SHA1
4199f8c9e957c5b7987bee704addca7543023316

SHA256
936ccf0a61378d7320213c106e9c4505b697352c1dcc0dce4213912ca5551b9b

SHA512
a43cc2a0df3dfdb1eb00adea1775b6ef37fca0e1d70726b7b4e2837c1332d4d31e5c784abe8d5ea7197f29e2acc77880eb0a9c205d511ec9afe3e9474d3deb54

Download Submit
C:\Windows\System32\rkXnMCd.exe

Filesize
1.3MB

MD5
e5e947dcfdbcb0bfce69196bf78575a7

SHA1
1cbe3a4b4d53b0ce60b82e10d72c1c1f5042da72

SHA256
7d8ef9cfbe6eb96f67378890022012ca46dc00357461191a2107a95938eba075

SHA512
e3de11470e1c52a44615949a7a53c2b9f57df1017da629c96fedfb4b7bb13f4ef4bf52a8874187555cc652edc5c24ee7f515ba39292f2220749b33dfb4ca9022

Download Submit
C:\Windows\System32\uQdbndU.exe

Filesize
1.3MB

MD5
652e2499af3e8533dba486b51d29fc8b

SHA1
cbae6fa0ef066c34a75798e8c2064ad250d4abd3

SHA256
6b43cfd71784479679f22eeea38372f292d97cc3fab1bc74842e69fb1745af9c

SHA512
39d2f829c2ac91534a5be4ab7664f32e1d7149c428ff03b4da175242bc8b921912aed95d013cf251a5226e3f9ee9b6a68ae0c590220c1a265ddbe0a7af628728

Download Submit
C:\Windows\System32\wPPYeGf.exe

Filesize
1.3MB

MD5
a85496c3dc085375849294673c95cd62

SHA1
c93a0785db0f8380f3435bd59debfc2fd4ed4739

SHA256
33795403adc5e652a2a8754b4f468fe3a6474951b770b1d61accdfd0d69a578a

SHA512
e8d763b82b9990959de510787e63c23251064ab460789443dd61871be75aed1ccb5b2c5440983ee735290c7844429ed8142a87a2b22945fec473ef1bdac54ecc

Download Submit
C:\Windows\System32\ydetLUo.exe

Filesize
1.3MB

MD5
6c900746480c1bc13d9c98042f093bca

SHA1
bcd061b76a5fadf8927c5ada8999917b4698ff7d

SHA256
12efc6c4daef69dce9ff6dd6fba8febc1b38d1cf504c8c716996d091bc348e4b

SHA512
21eddb8b832d6e9a169753d495754db8fb383692c34e91ce029ad2b170ababdfbe4e346c4d7abb6c62a05c82b7b04375d387cfc15a7bd8874884351ace4254cf

Download Submit
memory/100-45-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp

Filesize
3.9MB

Download
memory/100-2010-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp

Filesize
3.9MB

Download
memory/100-1986-0x00007FF7BF370000-0x00007FF7BF761000-memory.dmp

Filesize
3.9MB

Download
memory/392-2035-0x00007FF70CA50000-0x00007FF70CE41000-memory.dmp

Filesize
3.9MB

Download
memory/392-440-0x00007FF70CA50000-0x00007FF70CE41000-memory.dmp

Filesize
3.9MB

Download
memory/812-471-0x00007FF78AF50000-0x00007FF78B341000-memory.dmp

Filesize
3.9MB

Download
memory/812-2045-0x00007FF78AF50000-0x00007FF78B341000-memory.dmp

Filesize
3.9MB

Download
memory/912-20-0x00007FF759180000-0x00007FF759571000-memory.dmp

Filesize
3.9MB

Download
memory/912-2000-0x00007FF759180000-0x00007FF759571000-memory.dmp

Filesize
3.9MB

Download
memory/976-2059-0x00007FF6A8260000-0x00007FF6A8651000-memory.dmp

Filesize
3.9MB

Download
memory/976-538-0x00007FF6A8260000-0x00007FF6A8651000-memory.dmp

Filesize
3.9MB

Download
memory/1156-34-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1156-1958-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1156-2005-0x00007FF70B5C0000-0x00007FF70B9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1432-429-0x00007FF67C010000-0x00007FF67C401000-memory.dmp

Filesize
3.9MB

Download
memory/1432-2018-0x00007FF67C010000-0x00007FF67C401000-memory.dmp

Filesize
3.9MB

Download
memory/1472-463-0x00007FF7864B0000-0x00007FF7868A1000-memory.dmp

Filesize
3.9MB

Download
memory/1472-2048-0x00007FF7864B0000-0x00007FF7868A1000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2002-0x00007FF756CB0000-0x00007FF7570A1000-memory.dmp

Filesize
3.9MB

Download
memory/1644-15-0x00007FF756CB0000-0x00007FF7570A1000-memory.dmp

Filesize
3.9MB

Download
memory/1804-2042-0x00007FF662DF0000-0x00007FF6631E1000-memory.dmp

Filesize
3.9MB

Download
memory/1804-441-0x00007FF662DF0000-0x00007FF6631E1000-memory.dmp

Filesize
3.9MB

Download
memory/1844-482-0x00007FF720A40000-0x00007FF720E31000-memory.dmp

Filesize
3.9MB

Download
memory/1844-2056-0x00007FF720A40000-0x00007FF720E31000-memory.dmp

Filesize
3.9MB

Download
memory/2576-1994-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2014-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp

Filesize
3.9MB

Download
memory/2576-49-0x00007FF61E4E0000-0x00007FF61E8D1000-memory.dmp

Filesize
3.9MB

Download
memory/3172-475-0x00007FF7E9D60000-0x00007FF7EA151000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2041-0x00007FF7E9D60000-0x00007FF7EA151000-memory.dmp

Filesize
3.9MB

Download
memory/3268-433-0x00007FF6E85C0000-0x00007FF6E89B1000-memory.dmp

Filesize
3.9MB

Download
memory/3268-2024-0x00007FF6E85C0000-0x00007FF6E89B1000-memory.dmp

Filesize
3.9MB

Download
memory/3592-1985-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp

Filesize
3.9MB

Download
memory/3592-2012-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp

Filesize
3.9MB

Download
memory/3592-40-0x00007FF7B5B50000-0x00007FF7B5F41000-memory.dmp

Filesize
3.9MB

Download
memory/4008-2050-0x00007FF654A90000-0x00007FF654E81000-memory.dmp

Filesize
3.9MB

Download
memory/4008-469-0x00007FF654A90000-0x00007FF654E81000-memory.dmp

Filesize
3.9MB

Download
memory/4024-542-0x00007FF7A4B30000-0x00007FF7A4F21000-memory.dmp

Filesize
3.9MB

Download
memory/4024-2016-0x00007FF7A4B30000-0x00007FF7A4F21000-memory.dmp

Filesize
3.9MB

Download
memory/4032-2006-0x00007FF761210000-0x00007FF761601000-memory.dmp

Filesize
3.9MB

Download
memory/4032-1957-0x00007FF761210000-0x00007FF761601000-memory.dmp

Filesize
3.9MB

Download
memory/4032-25-0x00007FF761210000-0x00007FF761601000-memory.dmp

Filesize
3.9MB

Download
memory/4180-1-0x00000134CFE00000-0x00000134CFE10000-memory.dmp

Filesize
64KB

Download
memory/4180-0-0x00007FF6B9AF0000-0x00007FF6B9EE1000-memory.dmp

Filesize
3.9MB

Download
memory/4268-421-0x00007FF6F0990000-0x00007FF6F0D81000-memory.dmp

Filesize
3.9MB

Download
memory/4268-2022-0x00007FF6F0990000-0x00007FF6F0D81000-memory.dmp

Filesize
3.9MB

Download
memory/4584-2026-0x00007FF77EDE0000-0x00007FF77F1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-445-0x00007FF77EDE0000-0x00007FF77F1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2052-0x00007FF662630000-0x00007FF662A21000-memory.dmp

Filesize
3.9MB

Download
memory/4708-449-0x00007FF662630000-0x00007FF662A21000-memory.dmp

Filesize
3.9MB

Download
memory/4716-2008-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4716-35-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4716-1983-0x00007FF6ABDF0000-0x00007FF6AC1E1000-memory.dmp

Filesize
3.9MB

Download
memory/4740-459-0x00007FF7DF0B0000-0x00007FF7DF4A1000-memory.dmp

Filesize
3.9MB

Download
memory/4740-2054-0x00007FF7DF0B0000-0x00007FF7DF4A1000-memory.dmp

Filesize
3.9MB

Download
memory/5080-415-0x00007FF792170000-0x00007FF792561000-memory.dmp

Filesize
3.9MB

Download
memory/5080-2020-0x00007FF792170000-0x00007FF792561000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads