xmrig | a340fbfdf028ce67fcba32d5b1e550ff5b198b550e1a4773c631a3697c51d218

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 21:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
Size

3.1MB
MD5

419fc566d1b836cec90db045eb351d90
SHA1

2bff58eb6886d8d5be2d67e4f2862188a02c69b9
SHA256

a340fbfdf028ce67fcba32d5b1e550ff5b198b550e1a4773c631a3697c51d218
SHA512

5b6ccb798c056acc0f6d4379edb0d39a41704294f489f40f385528268ccb4722f56fab838f7f2881b9258c45d77d54a69f075f33d82f80e65ef85dcd941fac2b
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4s:NFWPClF8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4684-0-0x00007FF707480000-0x00007FF707875000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/memory/1492-8-0x00007FF745320000-0x00007FF745715000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f2-12.dat	xmrig
behavioral2/files/0x00070000000233f3-11.dat	xmrig
behavioral2/files/0x00070000000233f4-23.dat	xmrig
behavioral2/memory/924-16-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp	xmrig
behavioral2/memory/2028-32-0x00007FF687E90000-0x00007FF688285000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f5-36.dat	xmrig
behavioral2/files/0x00070000000233f7-41.dat	xmrig
behavioral2/files/0x00080000000233ef-45.dat	xmrig
behavioral2/memory/3904-49-0x00007FF663960000-0x00007FF663D55000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fa-57.dat	xmrig
behavioral2/files/0x00070000000233fd-72.dat	xmrig
behavioral2/files/0x0007000000023401-94.dat	xmrig
behavioral2/files/0x0007000000023403-104.dat	xmrig
behavioral2/files/0x0007000000023408-129.dat	xmrig
behavioral2/files/0x000700000002340e-159.dat	xmrig
behavioral2/files/0x0007000000023410-169.dat	xmrig
behavioral2/files/0x000700000002340f-164.dat	xmrig
behavioral2/files/0x000700000002340d-154.dat	xmrig
behavioral2/files/0x000700000002340c-149.dat	xmrig
behavioral2/files/0x000700000002340b-144.dat	xmrig
behavioral2/files/0x000700000002340a-139.dat	xmrig
behavioral2/files/0x0007000000023409-134.dat	xmrig
behavioral2/files/0x0007000000023407-124.dat	xmrig
behavioral2/files/0x0007000000023406-119.dat	xmrig
behavioral2/files/0x0007000000023405-114.dat	xmrig
behavioral2/files/0x0007000000023404-109.dat	xmrig
behavioral2/files/0x0007000000023402-99.dat	xmrig
behavioral2/files/0x0007000000023400-89.dat	xmrig
behavioral2/files/0x00070000000233ff-84.dat	xmrig
behavioral2/files/0x00070000000233fe-79.dat	xmrig
behavioral2/files/0x00070000000233fc-69.dat	xmrig
behavioral2/files/0x00070000000233fb-64.dat	xmrig
behavioral2/files/0x00070000000233f8-54.dat	xmrig
behavioral2/memory/4948-46-0x00007FF61D8E0000-0x00007FF61DCD5000-memory.dmp	xmrig
behavioral2/memory/3040-44-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f6-39.dat	xmrig
behavioral2/memory/1924-38-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	xmrig
behavioral2/memory/5020-35-0x00007FF609700000-0x00007FF609AF5000-memory.dmp	xmrig
behavioral2/memory/4004-897-0x00007FF61F520000-0x00007FF61F915000-memory.dmp	xmrig
behavioral2/memory/2228-900-0x00007FF784640000-0x00007FF784A35000-memory.dmp	xmrig
behavioral2/memory/3376-911-0x00007FF6A2170000-0x00007FF6A2565000-memory.dmp	xmrig
behavioral2/memory/3216-922-0x00007FF7CE080000-0x00007FF7CE475000-memory.dmp	xmrig
behavioral2/memory/3880-919-0x00007FF64F910000-0x00007FF64FD05000-memory.dmp	xmrig
behavioral2/memory/2744-925-0x00007FF6EF930000-0x00007FF6EFD25000-memory.dmp	xmrig
behavioral2/memory/212-926-0x00007FF784660000-0x00007FF784A55000-memory.dmp	xmrig
behavioral2/memory/3292-928-0x00007FF72F3C0000-0x00007FF72F7B5000-memory.dmp	xmrig
behavioral2/memory/3228-930-0x00007FF7464C0000-0x00007FF7468B5000-memory.dmp	xmrig
behavioral2/memory/5112-932-0x00007FF6DC740000-0x00007FF6DCB35000-memory.dmp	xmrig
behavioral2/memory/4764-935-0x00007FF6DBEE0000-0x00007FF6DC2D5000-memory.dmp	xmrig
behavioral2/memory/4236-941-0x00007FF675880000-0x00007FF675C75000-memory.dmp	xmrig
behavioral2/memory/5092-944-0x00007FF662B10000-0x00007FF662F05000-memory.dmp	xmrig
behavioral2/memory/3504-946-0x00007FF72CF20000-0x00007FF72D315000-memory.dmp	xmrig
behavioral2/memory/3772-940-0x00007FF677020000-0x00007FF677415000-memory.dmp	xmrig
behavioral2/memory/1572-956-0x00007FF7AFE40000-0x00007FF7B0235000-memory.dmp	xmrig
behavioral2/memory/4684-1880-0x00007FF707480000-0x00007FF707875000-memory.dmp	xmrig
behavioral2/memory/1924-1881-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	xmrig
behavioral2/memory/3040-1882-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp	xmrig
behavioral2/memory/1492-1883-0x00007FF745320000-0x00007FF745715000-memory.dmp	xmrig
behavioral2/memory/924-1884-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp	xmrig
behavioral2/memory/2028-1885-0x00007FF687E90000-0x00007FF688285000-memory.dmp	xmrig
behavioral2/memory/5020-1886-0x00007FF609700000-0x00007FF609AF5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1492	dZvQmts.exe
924	VudkRvT.exe
2028	cigpuLj.exe
5020	HLgYCgK.exe
1924	QgmKMib.exe
4948	qKJtjXC.exe
3040	NyTXcvW.exe
3904	gabWasv.exe
4004	Wryvuwb.exe
2228	RhFZEoA.exe
3376	paoEBub.exe
3880	GRTvled.exe
3216	jkSBNEp.exe
2744	HPzysAV.exe
212	dRvWpkE.exe
3292	pMgRJxR.exe
3228	LHtQFQA.exe
5112	GkQUarh.exe
4764	QQMjHOi.exe
3772	cVGsYxN.exe
4236	JtUlXpe.exe
5092	xXfVDhh.exe
3504	iRQgNOO.exe
1572	QvVCfZO.exe
760	PDRMJsY.exe
4624	RlkdtCe.exe
3988	OcmxXXn.exe
3968	iqyaJIX.exe
1680	OAcaBwx.exe
4988	FEbGGpJ.exe
3556	ZxSxldo.exe
3596	XiRtGJt.exe
3928	Zzhkjid.exe
2156	yFJNeDx.exe
3688	HHobfcc.exe
4492	xNEGgfp.exe
5004	gNgOMkF.exe
3532	IFZXJPM.exe
4732	qQSlsCP.exe
2084	yCadWHR.exe
3892	qJCmsvl.exe
1540	iPFrcnl.exe
1520	npYCEho.exe
1204	qDlGXYc.exe
2764	JEoMBaG.exe
4396	YswUxha.exe
2644	EBlUHgG.exe
4196	cIhBHUE.exe
1328	IkYRBkJ.exe
4736	ROMkzyx.exe
3424	IMIltuf.exe
4440	RrCwHgs.exe
2912	oiVdmkv.exe
3888	xpHsLLS.exe
1184	tvjUhnS.exe
2120	OqDEXgu.exe
4476	jRIshDT.exe
4116	YmKzxAL.exe
884	iDsCgKp.exe
3208	uXzNElD.exe
3640	rLcAJBM.exe
4232	kXJbTze.exe
3032	xgADiUp.exe
4400	oOUthFd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4684-0-0x00007FF707480000-0x00007FF707875000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/memory/1492-8-0x00007FF745320000-0x00007FF745715000-memory.dmp	upx
behavioral2/files/0x00070000000233f2-12.dat	upx
behavioral2/files/0x00070000000233f3-11.dat	upx
behavioral2/files/0x00070000000233f4-23.dat	upx
behavioral2/memory/924-16-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp	upx
behavioral2/memory/2028-32-0x00007FF687E90000-0x00007FF688285000-memory.dmp	upx
behavioral2/files/0x00070000000233f5-36.dat	upx
behavioral2/files/0x00070000000233f7-41.dat	upx
behavioral2/files/0x00080000000233ef-45.dat	upx
behavioral2/memory/3904-49-0x00007FF663960000-0x00007FF663D55000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-57.dat	upx
behavioral2/files/0x00070000000233fd-72.dat	upx
behavioral2/files/0x0007000000023401-94.dat	upx
behavioral2/files/0x0007000000023403-104.dat	upx
behavioral2/files/0x0007000000023408-129.dat	upx
behavioral2/files/0x000700000002340e-159.dat	upx
behavioral2/files/0x0007000000023410-169.dat	upx
behavioral2/files/0x000700000002340f-164.dat	upx
behavioral2/files/0x000700000002340d-154.dat	upx
behavioral2/files/0x000700000002340c-149.dat	upx
behavioral2/files/0x000700000002340b-144.dat	upx
behavioral2/files/0x000700000002340a-139.dat	upx
behavioral2/files/0x0007000000023409-134.dat	upx
behavioral2/files/0x0007000000023407-124.dat	upx
behavioral2/files/0x0007000000023406-119.dat	upx
behavioral2/files/0x0007000000023405-114.dat	upx
behavioral2/files/0x0007000000023404-109.dat	upx
behavioral2/files/0x0007000000023402-99.dat	upx
behavioral2/files/0x0007000000023400-89.dat	upx
behavioral2/files/0x00070000000233ff-84.dat	upx
behavioral2/files/0x00070000000233fe-79.dat	upx
behavioral2/files/0x00070000000233fc-69.dat	upx
behavioral2/files/0x00070000000233fb-64.dat	upx
behavioral2/files/0x00070000000233f8-54.dat	upx
behavioral2/memory/4948-46-0x00007FF61D8E0000-0x00007FF61DCD5000-memory.dmp	upx
behavioral2/memory/3040-44-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-39.dat	upx
behavioral2/memory/1924-38-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	upx
behavioral2/memory/5020-35-0x00007FF609700000-0x00007FF609AF5000-memory.dmp	upx
behavioral2/memory/4004-897-0x00007FF61F520000-0x00007FF61F915000-memory.dmp	upx
behavioral2/memory/2228-900-0x00007FF784640000-0x00007FF784A35000-memory.dmp	upx
behavioral2/memory/3376-911-0x00007FF6A2170000-0x00007FF6A2565000-memory.dmp	upx
behavioral2/memory/3216-922-0x00007FF7CE080000-0x00007FF7CE475000-memory.dmp	upx
behavioral2/memory/3880-919-0x00007FF64F910000-0x00007FF64FD05000-memory.dmp	upx
behavioral2/memory/2744-925-0x00007FF6EF930000-0x00007FF6EFD25000-memory.dmp	upx
behavioral2/memory/212-926-0x00007FF784660000-0x00007FF784A55000-memory.dmp	upx
behavioral2/memory/3292-928-0x00007FF72F3C0000-0x00007FF72F7B5000-memory.dmp	upx
behavioral2/memory/3228-930-0x00007FF7464C0000-0x00007FF7468B5000-memory.dmp	upx
behavioral2/memory/5112-932-0x00007FF6DC740000-0x00007FF6DCB35000-memory.dmp	upx
behavioral2/memory/4764-935-0x00007FF6DBEE0000-0x00007FF6DC2D5000-memory.dmp	upx
behavioral2/memory/4236-941-0x00007FF675880000-0x00007FF675C75000-memory.dmp	upx
behavioral2/memory/5092-944-0x00007FF662B10000-0x00007FF662F05000-memory.dmp	upx
behavioral2/memory/3504-946-0x00007FF72CF20000-0x00007FF72D315000-memory.dmp	upx
behavioral2/memory/3772-940-0x00007FF677020000-0x00007FF677415000-memory.dmp	upx
behavioral2/memory/1572-956-0x00007FF7AFE40000-0x00007FF7B0235000-memory.dmp	upx
behavioral2/memory/4684-1880-0x00007FF707480000-0x00007FF707875000-memory.dmp	upx
behavioral2/memory/1924-1881-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp	upx
behavioral2/memory/3040-1882-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp	upx
behavioral2/memory/1492-1883-0x00007FF745320000-0x00007FF745715000-memory.dmp	upx
behavioral2/memory/924-1884-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp	upx
behavioral2/memory/2028-1885-0x00007FF687E90000-0x00007FF688285000-memory.dmp	upx
behavioral2/memory/5020-1886-0x00007FF609700000-0x00007FF609AF5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\LlULkfm.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\BoyLNbo.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\Inpuatr.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\SVuzKGJ.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\XhYOQYW.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\mMXiWlQ.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\nWrytYx.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\paoEBub.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\JhkNIuj.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\aJLZkoH.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\pJKWcnr.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\UqxQjYw.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\fCZgwhE.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\nNQjuFc.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\VIpwvxt.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\CGejWpp.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\DxkWiXq.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\UneKOzj.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\rVpMwkW.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\InPwDJW.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZofgIPg.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\GshYlPB.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\KVWjZxD.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\imedKum.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZNeyCde.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\TnCucsx.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\PDpViaD.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\iaTGGbE.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\QgmKMib.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\LzeGhvh.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\CENAQmY.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\UzYKeUf.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\fzdNChC.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\Kywwysq.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\vSvrrQs.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\iqyaJIX.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\IkYRBkJ.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\ELoqtSc.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\MrrJIUo.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\VLUQtrv.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\LPyyTMt.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\fuhSyvN.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\dUIlWaq.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\JNjIMcx.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\WLPMHnk.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\gDWcmKB.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\VZStmkY.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\hAJZDNT.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\EBMtSxn.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\IViczQg.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\EZAsfCj.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\DhVvWeX.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\PHDFVfs.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\gQEmtdd.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\GRTvled.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\JtUlXpe.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\RLQJwhk.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\hwPjHay.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\YdwmfBk.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\HsgFVUp.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\UVkionS.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\fTDBeGS.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\ivVMTOP.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
File created	C:\Windows\System32\NYHWBfE.exe	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12500	dwm.exe
Token: SeChangeNotifyPrivilege	12500	dwm.exe
Token: 33	12500	dwm.exe
Token: SeIncBasePriorityPrivilege	12500	dwm.exe
Token: SeShutdownPrivilege	12500	dwm.exe
Token: SeCreatePagefilePrivilege	12500	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 1492	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	84
PID 4684 wrote to memory of 1492	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	84
PID 4684 wrote to memory of 924	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	85
PID 4684 wrote to memory of 924	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	85
PID 4684 wrote to memory of 2028	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	87
PID 4684 wrote to memory of 2028	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	87
PID 4684 wrote to memory of 5020	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	88
PID 4684 wrote to memory of 5020	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	88
PID 4684 wrote to memory of 1924	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	89
PID 4684 wrote to memory of 1924	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	89
PID 4684 wrote to memory of 4948	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	90
PID 4684 wrote to memory of 4948	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	90
PID 4684 wrote to memory of 3040	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	91
PID 4684 wrote to memory of 3040	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	91
PID 4684 wrote to memory of 3904	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	92
PID 4684 wrote to memory of 3904	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	92
PID 4684 wrote to memory of 4004	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	93
PID 4684 wrote to memory of 4004	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	93
PID 4684 wrote to memory of 2228	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	94
PID 4684 wrote to memory of 2228	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	94
PID 4684 wrote to memory of 3376	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	95
PID 4684 wrote to memory of 3376	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	95
PID 4684 wrote to memory of 3880	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	96
PID 4684 wrote to memory of 3880	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	96
PID 4684 wrote to memory of 3216	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	97
PID 4684 wrote to memory of 3216	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	97
PID 4684 wrote to memory of 2744	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	98
PID 4684 wrote to memory of 2744	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	98
PID 4684 wrote to memory of 212	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	99
PID 4684 wrote to memory of 212	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	99
PID 4684 wrote to memory of 3292	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	100
PID 4684 wrote to memory of 3292	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	100
PID 4684 wrote to memory of 3228	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	101
PID 4684 wrote to memory of 3228	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	101
PID 4684 wrote to memory of 5112	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	102
PID 4684 wrote to memory of 5112	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	102
PID 4684 wrote to memory of 4764	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	103
PID 4684 wrote to memory of 4764	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	103
PID 4684 wrote to memory of 3772	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	104
PID 4684 wrote to memory of 3772	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	104
PID 4684 wrote to memory of 4236	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	105
PID 4684 wrote to memory of 4236	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	105
PID 4684 wrote to memory of 5092	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	106
PID 4684 wrote to memory of 5092	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	106
PID 4684 wrote to memory of 3504	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	107
PID 4684 wrote to memory of 3504	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	107
PID 4684 wrote to memory of 1572	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	108
PID 4684 wrote to memory of 1572	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	108
PID 4684 wrote to memory of 760	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	109
PID 4684 wrote to memory of 760	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	109
PID 4684 wrote to memory of 4624	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	110
PID 4684 wrote to memory of 4624	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	110
PID 4684 wrote to memory of 3988	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	111
PID 4684 wrote to memory of 3988	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	111
PID 4684 wrote to memory of 3968	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	112
PID 4684 wrote to memory of 3968	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	112
PID 4684 wrote to memory of 1680	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	113
PID 4684 wrote to memory of 1680	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	113
PID 4684 wrote to memory of 4988	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	114
PID 4684 wrote to memory of 4988	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	114
PID 4684 wrote to memory of 3556	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	115
PID 4684 wrote to memory of 3556	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	115
PID 4684 wrote to memory of 3596	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	116
PID 4684 wrote to memory of 3596	4684	419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\419fc566d1b836cec90db045eb351d90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\System32\dZvQmts.exe
  C:\Windows\System32\dZvQmts.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\VudkRvT.exe
  C:\Windows\System32\VudkRvT.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\cigpuLj.exe
  C:\Windows\System32\cigpuLj.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\HLgYCgK.exe
  C:\Windows\System32\HLgYCgK.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\QgmKMib.exe
  C:\Windows\System32\QgmKMib.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\qKJtjXC.exe
  C:\Windows\System32\qKJtjXC.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\NyTXcvW.exe
  C:\Windows\System32\NyTXcvW.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System32\gabWasv.exe
  C:\Windows\System32\gabWasv.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System32\Wryvuwb.exe
  C:\Windows\System32\Wryvuwb.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System32\RhFZEoA.exe
  C:\Windows\System32\RhFZEoA.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\paoEBub.exe
  C:\Windows\System32\paoEBub.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\GRTvled.exe
  C:\Windows\System32\GRTvled.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\jkSBNEp.exe
  C:\Windows\System32\jkSBNEp.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\HPzysAV.exe
  C:\Windows\System32\HPzysAV.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\dRvWpkE.exe
  C:\Windows\System32\dRvWpkE.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\pMgRJxR.exe
  C:\Windows\System32\pMgRJxR.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\LHtQFQA.exe
  C:\Windows\System32\LHtQFQA.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\GkQUarh.exe
  C:\Windows\System32\GkQUarh.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\QQMjHOi.exe
  C:\Windows\System32\QQMjHOi.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System32\cVGsYxN.exe
  C:\Windows\System32\cVGsYxN.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\JtUlXpe.exe
  C:\Windows\System32\JtUlXpe.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\xXfVDhh.exe
  C:\Windows\System32\xXfVDhh.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\iRQgNOO.exe
  C:\Windows\System32\iRQgNOO.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\QvVCfZO.exe
  C:\Windows\System32\QvVCfZO.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\PDRMJsY.exe
  C:\Windows\System32\PDRMJsY.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\RlkdtCe.exe
  C:\Windows\System32\RlkdtCe.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\OcmxXXn.exe
  C:\Windows\System32\OcmxXXn.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\iqyaJIX.exe
  C:\Windows\System32\iqyaJIX.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\OAcaBwx.exe
  C:\Windows\System32\OAcaBwx.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System32\FEbGGpJ.exe
  C:\Windows\System32\FEbGGpJ.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\ZxSxldo.exe
  C:\Windows\System32\ZxSxldo.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\XiRtGJt.exe
  C:\Windows\System32\XiRtGJt.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\Zzhkjid.exe
  C:\Windows\System32\Zzhkjid.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\yFJNeDx.exe
  C:\Windows\System32\yFJNeDx.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\HHobfcc.exe
  C:\Windows\System32\HHobfcc.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\xNEGgfp.exe
  C:\Windows\System32\xNEGgfp.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\gNgOMkF.exe
  C:\Windows\System32\gNgOMkF.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\IFZXJPM.exe
  C:\Windows\System32\IFZXJPM.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\qQSlsCP.exe
  C:\Windows\System32\qQSlsCP.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\yCadWHR.exe
  C:\Windows\System32\yCadWHR.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\qJCmsvl.exe
  C:\Windows\System32\qJCmsvl.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\iPFrcnl.exe
  C:\Windows\System32\iPFrcnl.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\npYCEho.exe
  C:\Windows\System32\npYCEho.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\qDlGXYc.exe
  C:\Windows\System32\qDlGXYc.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\JEoMBaG.exe
  C:\Windows\System32\JEoMBaG.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\YswUxha.exe
  C:\Windows\System32\YswUxha.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\EBlUHgG.exe
  C:\Windows\System32\EBlUHgG.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\cIhBHUE.exe
  C:\Windows\System32\cIhBHUE.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System32\IkYRBkJ.exe
  C:\Windows\System32\IkYRBkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\ROMkzyx.exe
  C:\Windows\System32\ROMkzyx.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\IMIltuf.exe
  C:\Windows\System32\IMIltuf.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\RrCwHgs.exe
  C:\Windows\System32\RrCwHgs.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\oiVdmkv.exe
  C:\Windows\System32\oiVdmkv.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\xpHsLLS.exe
  C:\Windows\System32\xpHsLLS.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System32\tvjUhnS.exe
  C:\Windows\System32\tvjUhnS.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System32\OqDEXgu.exe
  C:\Windows\System32\OqDEXgu.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\jRIshDT.exe
  C:\Windows\System32\jRIshDT.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\YmKzxAL.exe
  C:\Windows\System32\YmKzxAL.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\iDsCgKp.exe
  C:\Windows\System32\iDsCgKp.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\uXzNElD.exe
  C:\Windows\System32\uXzNElD.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\rLcAJBM.exe
  C:\Windows\System32\rLcAJBM.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\kXJbTze.exe
  C:\Windows\System32\kXJbTze.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System32\xgADiUp.exe
  C:\Windows\System32\xgADiUp.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\oOUthFd.exe
  C:\Windows\System32\oOUthFd.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\pTdKAxG.exe
  C:\Windows\System32\pTdKAxG.exe
  2⤵
  PID:432
- C:\Windows\System32\BvpkFyo.exe
  C:\Windows\System32\BvpkFyo.exe
  2⤵
  PID:5008
- C:\Windows\System32\SeLUhHj.exe
  C:\Windows\System32\SeLUhHj.exe
  2⤵
  PID:2324
- C:\Windows\System32\DgkiiVq.exe
  C:\Windows\System32\DgkiiVq.exe
  2⤵
  PID:2404
- C:\Windows\System32\PLlWcMV.exe
  C:\Windows\System32\PLlWcMV.exe
  2⤵
  PID:5084
- C:\Windows\System32\aPenlyq.exe
  C:\Windows\System32\aPenlyq.exe
  2⤵
  PID:952
- C:\Windows\System32\uSgfanh.exe
  C:\Windows\System32\uSgfanh.exe
  2⤵
  PID:1884
- C:\Windows\System32\JHuhJwm.exe
  C:\Windows\System32\JHuhJwm.exe
  2⤵
  PID:3108
- C:\Windows\System32\LPYbSnu.exe
  C:\Windows\System32\LPYbSnu.exe
  2⤵
  PID:4556
- C:\Windows\System32\fdRtzrM.exe
  C:\Windows\System32\fdRtzrM.exe
  2⤵
  PID:4720
- C:\Windows\System32\gXeRjCW.exe
  C:\Windows\System32\gXeRjCW.exe
  2⤵
  PID:3336
- C:\Windows\System32\qKrxzEh.exe
  C:\Windows\System32\qKrxzEh.exe
  2⤵
  PID:5136
- C:\Windows\System32\WacCbmc.exe
  C:\Windows\System32\WacCbmc.exe
  2⤵
  PID:5164
- C:\Windows\System32\PhYtjNw.exe
  C:\Windows\System32\PhYtjNw.exe
  2⤵
  PID:5192
- C:\Windows\System32\lefFXpV.exe
  C:\Windows\System32\lefFXpV.exe
  2⤵
  PID:5220
- C:\Windows\System32\ivFwYcF.exe
  C:\Windows\System32\ivFwYcF.exe
  2⤵
  PID:5248
- C:\Windows\System32\MNxpLJj.exe
  C:\Windows\System32\MNxpLJj.exe
  2⤵
  PID:5276
- C:\Windows\System32\OBlDRfM.exe
  C:\Windows\System32\OBlDRfM.exe
  2⤵
  PID:5304
- C:\Windows\System32\guNrbwL.exe
  C:\Windows\System32\guNrbwL.exe
  2⤵
  PID:5332
- C:\Windows\System32\QIlHOUc.exe
  C:\Windows\System32\QIlHOUc.exe
  2⤵
  PID:5368
- C:\Windows\System32\DXnnozK.exe
  C:\Windows\System32\DXnnozK.exe
  2⤵
  PID:5388
- C:\Windows\System32\LzeGhvh.exe
  C:\Windows\System32\LzeGhvh.exe
  2⤵
  PID:5416
- C:\Windows\System32\OdDfITi.exe
  C:\Windows\System32\OdDfITi.exe
  2⤵
  PID:5444
- C:\Windows\System32\ykRYpur.exe
  C:\Windows\System32\ykRYpur.exe
  2⤵
  PID:5472
- C:\Windows\System32\uYmcmAQ.exe
  C:\Windows\System32\uYmcmAQ.exe
  2⤵
  PID:5500
- C:\Windows\System32\cVahVdC.exe
  C:\Windows\System32\cVahVdC.exe
  2⤵
  PID:5528
- C:\Windows\System32\LOBacVu.exe
  C:\Windows\System32\LOBacVu.exe
  2⤵
  PID:5556
- C:\Windows\System32\QMNrfuA.exe
  C:\Windows\System32\QMNrfuA.exe
  2⤵
  PID:5584
- C:\Windows\System32\RiKaheT.exe
  C:\Windows\System32\RiKaheT.exe
  2⤵
  PID:5612
- C:\Windows\System32\fTDBeGS.exe
  C:\Windows\System32\fTDBeGS.exe
  2⤵
  PID:5640
- C:\Windows\System32\OJrbruS.exe
  C:\Windows\System32\OJrbruS.exe
  2⤵
  PID:5668
- C:\Windows\System32\DAqaMky.exe
  C:\Windows\System32\DAqaMky.exe
  2⤵
  PID:5696
- C:\Windows\System32\qqoNfsn.exe
  C:\Windows\System32\qqoNfsn.exe
  2⤵
  PID:5724
- C:\Windows\System32\UbdlOtC.exe
  C:\Windows\System32\UbdlOtC.exe
  2⤵
  PID:5752
- C:\Windows\System32\bltHJqX.exe
  C:\Windows\System32\bltHJqX.exe
  2⤵
  PID:5780
- C:\Windows\System32\ivVMTOP.exe
  C:\Windows\System32\ivVMTOP.exe
  2⤵
  PID:5808
- C:\Windows\System32\rEpAdTl.exe
  C:\Windows\System32\rEpAdTl.exe
  2⤵
  PID:5836
- C:\Windows\System32\VLUQtrv.exe
  C:\Windows\System32\VLUQtrv.exe
  2⤵
  PID:5872
- C:\Windows\System32\imedKum.exe
  C:\Windows\System32\imedKum.exe
  2⤵
  PID:5900
- C:\Windows\System32\JhkNIuj.exe
  C:\Windows\System32\JhkNIuj.exe
  2⤵
  PID:5920
- C:\Windows\System32\phvEYWg.exe
  C:\Windows\System32\phvEYWg.exe
  2⤵
  PID:5948
- C:\Windows\System32\EnKiprj.exe
  C:\Windows\System32\EnKiprj.exe
  2⤵
  PID:5976
- C:\Windows\System32\eOmprGB.exe
  C:\Windows\System32\eOmprGB.exe
  2⤵
  PID:6012
- C:\Windows\System32\RLQJwhk.exe
  C:\Windows\System32\RLQJwhk.exe
  2⤵
  PID:6032
- C:\Windows\System32\GkYFWmM.exe
  C:\Windows\System32\GkYFWmM.exe
  2⤵
  PID:6060
- C:\Windows\System32\rVpMwkW.exe
  C:\Windows\System32\rVpMwkW.exe
  2⤵
  PID:6088
- C:\Windows\System32\QaHTHjR.exe
  C:\Windows\System32\QaHTHjR.exe
  2⤵
  PID:6116
- C:\Windows\System32\QjKmkop.exe
  C:\Windows\System32\QjKmkop.exe
  2⤵
  PID:3156
- C:\Windows\System32\vaslVWz.exe
  C:\Windows\System32\vaslVWz.exe
  2⤵
  PID:4708
- C:\Windows\System32\nNQjuFc.exe
  C:\Windows\System32\nNQjuFc.exe
  2⤵
  PID:208
- C:\Windows\System32\aJLZkoH.exe
  C:\Windows\System32\aJLZkoH.exe
  2⤵
  PID:1168
- C:\Windows\System32\NuHavhZ.exe
  C:\Windows\System32\NuHavhZ.exe
  2⤵
  PID:2400
- C:\Windows\System32\hAFpNKI.exe
  C:\Windows\System32\hAFpNKI.exe
  2⤵
  PID:2648
- C:\Windows\System32\HmEjwzK.exe
  C:\Windows\System32\HmEjwzK.exe
  2⤵
  PID:5160
- C:\Windows\System32\seGBwQH.exe
  C:\Windows\System32\seGBwQH.exe
  2⤵
  PID:5208
- C:\Windows\System32\pJKWcnr.exe
  C:\Windows\System32\pJKWcnr.exe
  2⤵
  PID:5288
- C:\Windows\System32\hxglhvf.exe
  C:\Windows\System32\hxglhvf.exe
  2⤵
  PID:5356
- C:\Windows\System32\fvNptNt.exe
  C:\Windows\System32\fvNptNt.exe
  2⤵
  PID:5404
- C:\Windows\System32\HRHWvUF.exe
  C:\Windows\System32\HRHWvUF.exe
  2⤵
  PID:5460
- C:\Windows\System32\gQxMSTx.exe
  C:\Windows\System32\gQxMSTx.exe
  2⤵
  PID:5540
- C:\Windows\System32\AXRUEGm.exe
  C:\Windows\System32\AXRUEGm.exe
  2⤵
  PID:5608
- C:\Windows\System32\hEsTDgT.exe
  C:\Windows\System32\hEsTDgT.exe
  2⤵
  PID:5656
- C:\Windows\System32\bRPMGKl.exe
  C:\Windows\System32\bRPMGKl.exe
  2⤵
  PID:5736
- C:\Windows\System32\IoVcHcj.exe
  C:\Windows\System32\IoVcHcj.exe
  2⤵
  PID:5804
- C:\Windows\System32\TLVzGyr.exe
  C:\Windows\System32\TLVzGyr.exe
  2⤵
  PID:5852
- C:\Windows\System32\tzzMALt.exe
  C:\Windows\System32\tzzMALt.exe
  2⤵
  PID:5932
- C:\Windows\System32\InPwDJW.exe
  C:\Windows\System32\InPwDJW.exe
  2⤵
  PID:6000
- C:\Windows\System32\BzLvGOk.exe
  C:\Windows\System32\BzLvGOk.exe
  2⤵
  PID:6048
- C:\Windows\System32\VOCLOEd.exe
  C:\Windows\System32\VOCLOEd.exe
  2⤵
  PID:6128
- C:\Windows\System32\hdXDkEP.exe
  C:\Windows\System32\hdXDkEP.exe
  2⤵
  PID:1764
- C:\Windows\System32\FUYNQzi.exe
  C:\Windows\System32\FUYNQzi.exe
  2⤵
  PID:1044
- C:\Windows\System32\HgHsyOk.exe
  C:\Windows\System32\HgHsyOk.exe
  2⤵
  PID:5188
- C:\Windows\System32\hqlGaqS.exe
  C:\Windows\System32\hqlGaqS.exe
  2⤵
  PID:5384
- C:\Windows\System32\NYHWBfE.exe
  C:\Windows\System32\NYHWBfE.exe
  2⤵
  PID:5456
- C:\Windows\System32\njRGLdc.exe
  C:\Windows\System32\njRGLdc.exe
  2⤵
  PID:6168
- C:\Windows\System32\YhCGUJF.exe
  C:\Windows\System32\YhCGUJF.exe
  2⤵
  PID:6196
- C:\Windows\System32\hwPjHay.exe
  C:\Windows\System32\hwPjHay.exe
  2⤵
  PID:6224
- C:\Windows\System32\hpsiikk.exe
  C:\Windows\System32\hpsiikk.exe
  2⤵
  PID:6252
- C:\Windows\System32\CHtEZuH.exe
  C:\Windows\System32\CHtEZuH.exe
  2⤵
  PID:6280
- C:\Windows\System32\TnQLSkj.exe
  C:\Windows\System32\TnQLSkj.exe
  2⤵
  PID:6308
- C:\Windows\System32\EYXlpJP.exe
  C:\Windows\System32\EYXlpJP.exe
  2⤵
  PID:6336
- C:\Windows\System32\yRjbaMX.exe
  C:\Windows\System32\yRjbaMX.exe
  2⤵
  PID:6372
- C:\Windows\System32\AoHUhkn.exe
  C:\Windows\System32\AoHUhkn.exe
  2⤵
  PID:6392
- C:\Windows\System32\RMIFNfP.exe
  C:\Windows\System32\RMIFNfP.exe
  2⤵
  PID:6420
- C:\Windows\System32\wpnycGM.exe
  C:\Windows\System32\wpnycGM.exe
  2⤵
  PID:6448
- C:\Windows\System32\XpQdYdP.exe
  C:\Windows\System32\XpQdYdP.exe
  2⤵
  PID:6476
- C:\Windows\System32\vzKxUwk.exe
  C:\Windows\System32\vzKxUwk.exe
  2⤵
  PID:6504
- C:\Windows\System32\fVqfJUY.exe
  C:\Windows\System32\fVqfJUY.exe
  2⤵
  PID:6532
- C:\Windows\System32\LPyyTMt.exe
  C:\Windows\System32\LPyyTMt.exe
  2⤵
  PID:6560
- C:\Windows\System32\fuhSyvN.exe
  C:\Windows\System32\fuhSyvN.exe
  2⤵
  PID:6596
- C:\Windows\System32\HTKgkQk.exe
  C:\Windows\System32\HTKgkQk.exe
  2⤵
  PID:6624
- C:\Windows\System32\BnrIyky.exe
  C:\Windows\System32\BnrIyky.exe
  2⤵
  PID:6652
- C:\Windows\System32\UcVjjyE.exe
  C:\Windows\System32\UcVjjyE.exe
  2⤵
  PID:6680
- C:\Windows\System32\DrlqnTT.exe
  C:\Windows\System32\DrlqnTT.exe
  2⤵
  PID:6700
- C:\Windows\System32\pKIkdas.exe
  C:\Windows\System32\pKIkdas.exe
  2⤵
  PID:6728
- C:\Windows\System32\HqTrDPO.exe
  C:\Windows\System32\HqTrDPO.exe
  2⤵
  PID:6764
- C:\Windows\System32\lbPdrOS.exe
  C:\Windows\System32\lbPdrOS.exe
  2⤵
  PID:6784
- C:\Windows\System32\GGVJgpV.exe
  C:\Windows\System32\GGVJgpV.exe
  2⤵
  PID:6812
- C:\Windows\System32\LffrmPC.exe
  C:\Windows\System32\LffrmPC.exe
  2⤵
  PID:6840
- C:\Windows\System32\hCGkpNj.exe
  C:\Windows\System32\hCGkpNj.exe
  2⤵
  PID:6868
- C:\Windows\System32\GSarMoz.exe
  C:\Windows\System32\GSarMoz.exe
  2⤵
  PID:6896
- C:\Windows\System32\QmSkCXr.exe
  C:\Windows\System32\QmSkCXr.exe
  2⤵
  PID:6924
- C:\Windows\System32\AWuZMSz.exe
  C:\Windows\System32\AWuZMSz.exe
  2⤵
  PID:6952
- C:\Windows\System32\ZofgIPg.exe
  C:\Windows\System32\ZofgIPg.exe
  2⤵
  PID:6980
- C:\Windows\System32\faAwcxV.exe
  C:\Windows\System32\faAwcxV.exe
  2⤵
  PID:7008
- C:\Windows\System32\GSYFIco.exe
  C:\Windows\System32\GSYFIco.exe
  2⤵
  PID:7036
- C:\Windows\System32\uuWhwRM.exe
  C:\Windows\System32\uuWhwRM.exe
  2⤵
  PID:7064
- C:\Windows\System32\LUnLqKR.exe
  C:\Windows\System32\LUnLqKR.exe
  2⤵
  PID:7092
- C:\Windows\System32\jvivxoa.exe
  C:\Windows\System32\jvivxoa.exe
  2⤵
  PID:7132
- C:\Windows\System32\oAgngwf.exe
  C:\Windows\System32\oAgngwf.exe
  2⤵
  PID:7148
- C:\Windows\System32\zdnEjKa.exe
  C:\Windows\System32\zdnEjKa.exe
  2⤵
  PID:5568
- C:\Windows\System32\lytbLxt.exe
  C:\Windows\System32\lytbLxt.exe
  2⤵
  PID:5764
- C:\Windows\System32\cWYkKkF.exe
  C:\Windows\System32\cWYkKkF.exe
  2⤵
  PID:5824
- C:\Windows\System32\mTsmOVX.exe
  C:\Windows\System32\mTsmOVX.exe
  2⤵
  PID:6024
- C:\Windows\System32\EdQyhjH.exe
  C:\Windows\System32\EdQyhjH.exe
  2⤵
  PID:2652
- C:\Windows\System32\oPzTTFP.exe
  C:\Windows\System32\oPzTTFP.exe
  2⤵
  PID:5148
- C:\Windows\System32\PORvmyk.exe
  C:\Windows\System32\PORvmyk.exe
  2⤵
  PID:6152
- C:\Windows\System32\UNXOoXq.exe
  C:\Windows\System32\UNXOoXq.exe
  2⤵
  PID:6220
- C:\Windows\System32\szlwHFl.exe
  C:\Windows\System32\szlwHFl.exe
  2⤵
  PID:6276
- C:\Windows\System32\hAJZDNT.exe
  C:\Windows\System32\hAJZDNT.exe
  2⤵
  PID:6348
- C:\Windows\System32\VegVeTJ.exe
  C:\Windows\System32\VegVeTJ.exe
  2⤵
  PID:6416
- C:\Windows\System32\qvQcrDV.exe
  C:\Windows\System32\qvQcrDV.exe
  2⤵
  PID:6500
- C:\Windows\System32\LSUCTZh.exe
  C:\Windows\System32\LSUCTZh.exe
  2⤵
  PID:6544
- C:\Windows\System32\oiiKBJH.exe
  C:\Windows\System32\oiiKBJH.exe
  2⤵
  PID:6608
- C:\Windows\System32\NeTNWsb.exe
  C:\Windows\System32\NeTNWsb.exe
  2⤵
  PID:6692
- C:\Windows\System32\tLvpYwh.exe
  C:\Windows\System32\tLvpYwh.exe
  2⤵
  PID:6740
- C:\Windows\System32\fzdNChC.exe
  C:\Windows\System32\fzdNChC.exe
  2⤵
  PID:6808
- C:\Windows\System32\wSnnTJJ.exe
  C:\Windows\System32\wSnnTJJ.exe
  2⤵
  PID:6856
- C:\Windows\System32\kVlaslU.exe
  C:\Windows\System32\kVlaslU.exe
  2⤵
  PID:6936
- C:\Windows\System32\unWFhKg.exe
  C:\Windows\System32\unWFhKg.exe
  2⤵
  PID:7020
- C:\Windows\System32\aHjkfkU.exe
  C:\Windows\System32\aHjkfkU.exe
  2⤵
  PID:7052
- C:\Windows\System32\WMZXXSC.exe
  C:\Windows\System32\WMZXXSC.exe
  2⤵
  PID:7124
- C:\Windows\System32\MIMpLSd.exe
  C:\Windows\System32\MIMpLSd.exe
  2⤵
  PID:5692
- C:\Windows\System32\ZNeyCde.exe
  C:\Windows\System32\ZNeyCde.exe
  2⤵
  PID:5972
- C:\Windows\System32\OrcKmXP.exe
  C:\Windows\System32\OrcKmXP.exe
  2⤵
  PID:2488
- C:\Windows\System32\AppwOZF.exe
  C:\Windows\System32\AppwOZF.exe
  2⤵
  PID:6248
- C:\Windows\System32\iipgWcj.exe
  C:\Windows\System32\iipgWcj.exe
  2⤵
  PID:6488
- C:\Windows\System32\bzeTpNG.exe
  C:\Windows\System32\bzeTpNG.exe
  2⤵
  PID:1732
- C:\Windows\System32\rDBwNMB.exe
  C:\Windows\System32\rDBwNMB.exe
  2⤵
  PID:6716
- C:\Windows\System32\EBMtSxn.exe
  C:\Windows\System32\EBMtSxn.exe
  2⤵
  PID:6828
- C:\Windows\System32\kCLGgLQ.exe
  C:\Windows\System32\kCLGgLQ.exe
  2⤵
  PID:2284
- C:\Windows\System32\NyvSlkq.exe
  C:\Windows\System32\NyvSlkq.exe
  2⤵
  PID:7180
- C:\Windows\System32\GLzIbPO.exe
  C:\Windows\System32\GLzIbPO.exe
  2⤵
  PID:7208
- C:\Windows\System32\wNrLGul.exe
  C:\Windows\System32\wNrLGul.exe
  2⤵
  PID:7236
- C:\Windows\System32\WdgLXMl.exe
  C:\Windows\System32\WdgLXMl.exe
  2⤵
  PID:7264
- C:\Windows\System32\DuTHWXS.exe
  C:\Windows\System32\DuTHWXS.exe
  2⤵
  PID:7292
- C:\Windows\System32\QiaRJuC.exe
  C:\Windows\System32\QiaRJuC.exe
  2⤵
  PID:7320
- C:\Windows\System32\FWiRzVk.exe
  C:\Windows\System32\FWiRzVk.exe
  2⤵
  PID:7348
- C:\Windows\System32\GasWizW.exe
  C:\Windows\System32\GasWizW.exe
  2⤵
  PID:7376
- C:\Windows\System32\NJdyqyq.exe
  C:\Windows\System32\NJdyqyq.exe
  2⤵
  PID:7404
- C:\Windows\System32\nOAFHNH.exe
  C:\Windows\System32\nOAFHNH.exe
  2⤵
  PID:7432
- C:\Windows\System32\xKUGiws.exe
  C:\Windows\System32\xKUGiws.exe
  2⤵
  PID:7460
- C:\Windows\System32\TnZsMHk.exe
  C:\Windows\System32\TnZsMHk.exe
  2⤵
  PID:7488
- C:\Windows\System32\yFFjNGb.exe
  C:\Windows\System32\yFFjNGb.exe
  2⤵
  PID:7516
- C:\Windows\System32\LETyNqI.exe
  C:\Windows\System32\LETyNqI.exe
  2⤵
  PID:7544
- C:\Windows\System32\IkXnsht.exe
  C:\Windows\System32\IkXnsht.exe
  2⤵
  PID:7572
- C:\Windows\System32\fJGUkgt.exe
  C:\Windows\System32\fJGUkgt.exe
  2⤵
  PID:7600
- C:\Windows\System32\KVzuTfC.exe
  C:\Windows\System32\KVzuTfC.exe
  2⤵
  PID:7628
- C:\Windows\System32\exvDjDM.exe
  C:\Windows\System32\exvDjDM.exe
  2⤵
  PID:7656
- C:\Windows\System32\nsdlsVd.exe
  C:\Windows\System32\nsdlsVd.exe
  2⤵
  PID:7684
- C:\Windows\System32\HRwMQcx.exe
  C:\Windows\System32\HRwMQcx.exe
  2⤵
  PID:7712
- C:\Windows\System32\hMqWUfg.exe
  C:\Windows\System32\hMqWUfg.exe
  2⤵
  PID:7740
- C:\Windows\System32\fNfLdNI.exe
  C:\Windows\System32\fNfLdNI.exe
  2⤵
  PID:7776
- C:\Windows\System32\jANHTfI.exe
  C:\Windows\System32\jANHTfI.exe
  2⤵
  PID:7796
- C:\Windows\System32\wcofmKk.exe
  C:\Windows\System32\wcofmKk.exe
  2⤵
  PID:7824
- C:\Windows\System32\mPPSmCo.exe
  C:\Windows\System32\mPPSmCo.exe
  2⤵
  PID:7852
- C:\Windows\System32\AUBvneV.exe
  C:\Windows\System32\AUBvneV.exe
  2⤵
  PID:7880
- C:\Windows\System32\VWIVHRp.exe
  C:\Windows\System32\VWIVHRp.exe
  2⤵
  PID:7908
- C:\Windows\System32\LlULkfm.exe
  C:\Windows\System32\LlULkfm.exe
  2⤵
  PID:7936
- C:\Windows\System32\kEPIRik.exe
  C:\Windows\System32\kEPIRik.exe
  2⤵
  PID:7964
- C:\Windows\System32\dSCpTWa.exe
  C:\Windows\System32\dSCpTWa.exe
  2⤵
  PID:8000
- C:\Windows\System32\CENAQmY.exe
  C:\Windows\System32\CENAQmY.exe
  2⤵
  PID:8020
- C:\Windows\System32\UzYKeUf.exe
  C:\Windows\System32\UzYKeUf.exe
  2⤵
  PID:8056
- C:\Windows\System32\bILIHbh.exe
  C:\Windows\System32\bILIHbh.exe
  2⤵
  PID:8076
- C:\Windows\System32\IViczQg.exe
  C:\Windows\System32\IViczQg.exe
  2⤵
  PID:8112
- C:\Windows\System32\iplmscA.exe
  C:\Windows\System32\iplmscA.exe
  2⤵
  PID:8132
- C:\Windows\System32\zwvRquW.exe
  C:\Windows\System32\zwvRquW.exe
  2⤵
  PID:8160
- C:\Windows\System32\wRyHBPM.exe
  C:\Windows\System32\wRyHBPM.exe
  2⤵
  PID:8188
- C:\Windows\System32\GshYlPB.exe
  C:\Windows\System32\GshYlPB.exe
  2⤵
  PID:3360
- C:\Windows\System32\laXvwFq.exe
  C:\Windows\System32\laXvwFq.exe
  2⤵
  PID:6180
- C:\Windows\System32\NzDsMwv.exe
  C:\Windows\System32\NzDsMwv.exe
  2⤵
  PID:6676
- C:\Windows\System32\clOPdOf.exe
  C:\Windows\System32\clOPdOf.exe
  2⤵
  PID:6976
- C:\Windows\System32\jZuqLpE.exe
  C:\Windows\System32\jZuqLpE.exe
  2⤵
  PID:7192
- C:\Windows\System32\geyRAnq.exe
  C:\Windows\System32\geyRAnq.exe
  2⤵
  PID:7260
- C:\Windows\System32\DqejHek.exe
  C:\Windows\System32\DqejHek.exe
  2⤵
  PID:7308
- C:\Windows\System32\tGpIYPx.exe
  C:\Windows\System32\tGpIYPx.exe
  2⤵
  PID:7388
- C:\Windows\System32\UneKOzj.exe
  C:\Windows\System32\UneKOzj.exe
  2⤵
  PID:7444
- C:\Windows\System32\yCfucKf.exe
  C:\Windows\System32\yCfucKf.exe
  2⤵
  PID:7500
- C:\Windows\System32\eaqjhJi.exe
  C:\Windows\System32\eaqjhJi.exe
  2⤵
  PID:7568
- C:\Windows\System32\TMoeQEx.exe
  C:\Windows\System32\TMoeQEx.exe
  2⤵
  PID:7624
- C:\Windows\System32\duSHaHc.exe
  C:\Windows\System32\duSHaHc.exe
  2⤵
  PID:7680
- C:\Windows\System32\wzOsWLu.exe
  C:\Windows\System32\wzOsWLu.exe
  2⤵
  PID:7736
- C:\Windows\System32\CssEmhq.exe
  C:\Windows\System32\CssEmhq.exe
  2⤵
  PID:2264
- C:\Windows\System32\ufyKcLG.exe
  C:\Windows\System32\ufyKcLG.exe
  2⤵
  PID:4272
- C:\Windows\System32\AqZRdtW.exe
  C:\Windows\System32\AqZRdtW.exe
  2⤵
  PID:7892
- C:\Windows\System32\MCaFLSG.exe
  C:\Windows\System32\MCaFLSG.exe
  2⤵
  PID:7960
- C:\Windows\System32\HmufhZU.exe
  C:\Windows\System32\HmufhZU.exe
  2⤵
  PID:8016
- C:\Windows\System32\gvBIZrO.exe
  C:\Windows\System32\gvBIZrO.exe
  2⤵
  PID:8068
- C:\Windows\System32\Bjalxuu.exe
  C:\Windows\System32\Bjalxuu.exe
  2⤵
  PID:8144
- C:\Windows\System32\CRkBril.exe
  C:\Windows\System32\CRkBril.exe
  2⤵
  PID:5512
- C:\Windows\System32\dUZMWqa.exe
  C:\Windows\System32\dUZMWqa.exe
  2⤵
  PID:6404
- C:\Windows\System32\pqBpLIs.exe
  C:\Windows\System32\pqBpLIs.exe
  2⤵
  PID:7220
- C:\Windows\System32\mbmDmuV.exe
  C:\Windows\System32\mbmDmuV.exe
  2⤵
  PID:7280
- C:\Windows\System32\fXRngBS.exe
  C:\Windows\System32\fXRngBS.exe
  2⤵
  PID:7416
- C:\Windows\System32\PTssMtc.exe
  C:\Windows\System32\PTssMtc.exe
  2⤵
  PID:7556
- C:\Windows\System32\rRBldTw.exe
  C:\Windows\System32\rRBldTw.exe
  2⤵
  PID:4056
- C:\Windows\System32\MowAdbP.exe
  C:\Windows\System32\MowAdbP.exe
  2⤵
  PID:2268
- C:\Windows\System32\RwbHcuW.exe
  C:\Windows\System32\RwbHcuW.exe
  2⤵
  PID:3420
- C:\Windows\System32\mkBPWcX.exe
  C:\Windows\System32\mkBPWcX.exe
  2⤵
  PID:1928
- C:\Windows\System32\XxffDcb.exe
  C:\Windows\System32\XxffDcb.exe
  2⤵
  PID:8036
- C:\Windows\System32\JQKbYuE.exe
  C:\Windows\System32\JQKbYuE.exe
  2⤵
  PID:8124
- C:\Windows\System32\jCqYtjG.exe
  C:\Windows\System32\jCqYtjG.exe
  2⤵
  PID:8184
- C:\Windows\System32\wbyOSiT.exe
  C:\Windows\System32\wbyOSiT.exe
  2⤵
  PID:4956
- C:\Windows\System32\hOuaxzC.exe
  C:\Windows\System32\hOuaxzC.exe
  2⤵
  PID:7364
- C:\Windows\System32\JPmAuhS.exe
  C:\Windows\System32\JPmAuhS.exe
  2⤵
  PID:1348
- C:\Windows\System32\zaLqKee.exe
  C:\Windows\System32\zaLqKee.exe
  2⤵
  PID:4544
- C:\Windows\System32\AJnTtuf.exe
  C:\Windows\System32\AJnTtuf.exe
  2⤵
  PID:3076
- C:\Windows\System32\mtOhHDQ.exe
  C:\Windows\System32\mtOhHDQ.exe
  2⤵
  PID:3460
- C:\Windows\System32\MlGpVVk.exe
  C:\Windows\System32\MlGpVVk.exe
  2⤵
  PID:7176
- C:\Windows\System32\pLXUHil.exe
  C:\Windows\System32\pLXUHil.exe
  2⤵
  PID:2696
- C:\Windows\System32\qmjWubk.exe
  C:\Windows\System32\qmjWubk.exe
  2⤵
  PID:3808
- C:\Windows\System32\vJYwvvq.exe
  C:\Windows\System32\vJYwvvq.exe
  2⤵
  PID:8216
- C:\Windows\System32\lauBtqU.exe
  C:\Windows\System32\lauBtqU.exe
  2⤵
  PID:8236
- C:\Windows\System32\rZtMMMM.exe
  C:\Windows\System32\rZtMMMM.exe
  2⤵
  PID:8308
- C:\Windows\System32\CdkqAZm.exe
  C:\Windows\System32\CdkqAZm.exe
  2⤵
  PID:8356
- C:\Windows\System32\jOxUGOW.exe
  C:\Windows\System32\jOxUGOW.exe
  2⤵
  PID:8408
- C:\Windows\System32\MmjYWVZ.exe
  C:\Windows\System32\MmjYWVZ.exe
  2⤵
  PID:8448
- C:\Windows\System32\GXoRKhq.exe
  C:\Windows\System32\GXoRKhq.exe
  2⤵
  PID:8468
- C:\Windows\System32\nmTLZet.exe
  C:\Windows\System32\nmTLZet.exe
  2⤵
  PID:8492
- C:\Windows\System32\CBfXPmz.exe
  C:\Windows\System32\CBfXPmz.exe
  2⤵
  PID:8524
- C:\Windows\System32\mwrUdtE.exe
  C:\Windows\System32\mwrUdtE.exe
  2⤵
  PID:8580
- C:\Windows\System32\AgVGLJk.exe
  C:\Windows\System32\AgVGLJk.exe
  2⤵
  PID:8608
- C:\Windows\System32\xBjYQxB.exe
  C:\Windows\System32\xBjYQxB.exe
  2⤵
  PID:8640
- C:\Windows\System32\rDIsgKL.exe
  C:\Windows\System32\rDIsgKL.exe
  2⤵
  PID:8660
- C:\Windows\System32\tGkaRos.exe
  C:\Windows\System32\tGkaRos.exe
  2⤵
  PID:8696
- C:\Windows\System32\DhVvWeX.exe
  C:\Windows\System32\DhVvWeX.exe
  2⤵
  PID:8732
- C:\Windows\System32\xekRpyz.exe
  C:\Windows\System32\xekRpyz.exe
  2⤵
  PID:8752
- C:\Windows\System32\IepYTWg.exe
  C:\Windows\System32\IepYTWg.exe
  2⤵
  PID:8780
- C:\Windows\System32\OzRrsuX.exe
  C:\Windows\System32\OzRrsuX.exe
  2⤵
  PID:8808
- C:\Windows\System32\DbeYDgy.exe
  C:\Windows\System32\DbeYDgy.exe
  2⤵
  PID:8836
- C:\Windows\System32\UsSRWnX.exe
  C:\Windows\System32\UsSRWnX.exe
  2⤵
  PID:8860
- C:\Windows\System32\DWpUxPN.exe
  C:\Windows\System32\DWpUxPN.exe
  2⤵
  PID:8892
- C:\Windows\System32\JIsiKVb.exe
  C:\Windows\System32\JIsiKVb.exe
  2⤵
  PID:8924
- C:\Windows\System32\siZNMZn.exe
  C:\Windows\System32\siZNMZn.exe
  2⤵
  PID:8944
- C:\Windows\System32\nPxXeXh.exe
  C:\Windows\System32\nPxXeXh.exe
  2⤵
  PID:8980
- C:\Windows\System32\VLISWVW.exe
  C:\Windows\System32\VLISWVW.exe
  2⤵
  PID:9008
- C:\Windows\System32\QxDyeJB.exe
  C:\Windows\System32\QxDyeJB.exe
  2⤵
  PID:9024
- C:\Windows\System32\okUtLwc.exe
  C:\Windows\System32\okUtLwc.exe
  2⤵
  PID:9060
- C:\Windows\System32\MqAQFVg.exe
  C:\Windows\System32\MqAQFVg.exe
  2⤵
  PID:9092
- C:\Windows\System32\AJucPFU.exe
  C:\Windows\System32\AJucPFU.exe
  2⤵
  PID:9124
- C:\Windows\System32\MDpDrfc.exe
  C:\Windows\System32\MDpDrfc.exe
  2⤵
  PID:9152
- C:\Windows\System32\GnCxjDw.exe
  C:\Windows\System32\GnCxjDw.exe
  2⤵
  PID:9180
- C:\Windows\System32\rYmVnGZ.exe
  C:\Windows\System32\rYmVnGZ.exe
  2⤵
  PID:9208
- C:\Windows\System32\yuNyRwV.exe
  C:\Windows\System32\yuNyRwV.exe
  2⤵
  PID:8204
- C:\Windows\System32\CojZztY.exe
  C:\Windows\System32\CojZztY.exe
  2⤵
  PID:8228
- C:\Windows\System32\AJmhCbm.exe
  C:\Windows\System32\AJmhCbm.exe
  2⤵
  PID:4508
- C:\Windows\System32\rBCtNIe.exe
  C:\Windows\System32\rBCtNIe.exe
  2⤵
  PID:2356
- C:\Windows\System32\fzbgNRA.exe
  C:\Windows\System32\fzbgNRA.exe
  2⤵
  PID:8396
- C:\Windows\System32\XhYOQYW.exe
  C:\Windows\System32\XhYOQYW.exe
  2⤵
  PID:8208
- C:\Windows\System32\FyOCQKq.exe
  C:\Windows\System32\FyOCQKq.exe
  2⤵
  PID:2304
- C:\Windows\System32\KHWhCee.exe
  C:\Windows\System32\KHWhCee.exe
  2⤵
  PID:3952
- C:\Windows\System32\EWTEwPL.exe
  C:\Windows\System32\EWTEwPL.exe
  2⤵
  PID:8416
- C:\Windows\System32\LGvXnlB.exe
  C:\Windows\System32\LGvXnlB.exe
  2⤵
  PID:8504
- C:\Windows\System32\YdwmfBk.exe
  C:\Windows\System32\YdwmfBk.exe
  2⤵
  PID:8556
- C:\Windows\System32\OLbrHkN.exe
  C:\Windows\System32\OLbrHkN.exe
  2⤵
  PID:8604
- C:\Windows\System32\wkiXjhp.exe
  C:\Windows\System32\wkiXjhp.exe
  2⤵
  PID:8648
- C:\Windows\System32\uuFaQRY.exe
  C:\Windows\System32\uuFaQRY.exe
  2⤵
  PID:8740
- C:\Windows\System32\zTFAeFa.exe
  C:\Windows\System32\zTFAeFa.exe
  2⤵
  PID:8800
- C:\Windows\System32\qnTASpg.exe
  C:\Windows\System32\qnTASpg.exe
  2⤵
  PID:8832
- C:\Windows\System32\LyOGkdM.exe
  C:\Windows\System32\LyOGkdM.exe
  2⤵
  PID:8912
- C:\Windows\System32\kzkGzWE.exe
  C:\Windows\System32\kzkGzWE.exe
  2⤵
  PID:8964
- C:\Windows\System32\OusQYDp.exe
  C:\Windows\System32\OusQYDp.exe
  2⤵
  PID:9052
- C:\Windows\System32\kUdnsPT.exe
  C:\Windows\System32\kUdnsPT.exe
  2⤵
  PID:9136
- C:\Windows\System32\EZAsfCj.exe
  C:\Windows\System32\EZAsfCj.exe
  2⤵
  PID:9192
- C:\Windows\System32\JNvqErW.exe
  C:\Windows\System32\JNvqErW.exe
  2⤵
  PID:8232
- C:\Windows\System32\TnCucsx.exe
  C:\Windows\System32\TnCucsx.exe
  2⤵
  PID:8304
- C:\Windows\System32\iDVTMqW.exe
  C:\Windows\System32\iDVTMqW.exe
  2⤵
  PID:1336
- C:\Windows\System32\bUpNokj.exe
  C:\Windows\System32\bUpNokj.exe
  2⤵
  PID:1172
- C:\Windows\System32\FWeiqFT.exe
  C:\Windows\System32\FWeiqFT.exe
  2⤵
  PID:8568
- C:\Windows\System32\NdbWtdc.exe
  C:\Windows\System32\NdbWtdc.exe
  2⤵
  PID:4780
- C:\Windows\System32\EtFaOtA.exe
  C:\Windows\System32\EtFaOtA.exe
  2⤵
  PID:8684
- C:\Windows\System32\VIpwvxt.exe
  C:\Windows\System32\VIpwvxt.exe
  2⤵
  PID:8820
- C:\Windows\System32\FJJBvdD.exe
  C:\Windows\System32\FJJBvdD.exe
  2⤵
  PID:8940
- C:\Windows\System32\ITHIevu.exe
  C:\Windows\System32\ITHIevu.exe
  2⤵
  PID:9172
- C:\Windows\System32\BbCVTPC.exe
  C:\Windows\System32\BbCVTPC.exe
  2⤵
  PID:8328
- C:\Windows\System32\ZSFtELD.exe
  C:\Windows\System32\ZSFtELD.exe
  2⤵
  PID:6472
- C:\Windows\System32\SwYmTqm.exe
  C:\Windows\System32\SwYmTqm.exe
  2⤵
  PID:3652
- C:\Windows\System32\HGSjpod.exe
  C:\Windows\System32\HGSjpod.exe
  2⤵
  PID:8992
- C:\Windows\System32\ELoqtSc.exe
  C:\Windows\System32\ELoqtSc.exe
  2⤵
  PID:9120
- C:\Windows\System32\KPhzazz.exe
  C:\Windows\System32\KPhzazz.exe
  2⤵
  PID:8516
- C:\Windows\System32\wjFKlLh.exe
  C:\Windows\System32\wjFKlLh.exe
  2⤵
  PID:9076
- C:\Windows\System32\QPthVCe.exe
  C:\Windows\System32\QPthVCe.exe
  2⤵
  PID:9248
- C:\Windows\System32\uPYgzsw.exe
  C:\Windows\System32\uPYgzsw.exe
  2⤵
  PID:9264
- C:\Windows\System32\sxHfUEG.exe
  C:\Windows\System32\sxHfUEG.exe
  2⤵
  PID:9292
- C:\Windows\System32\ztIvoMJ.exe
  C:\Windows\System32\ztIvoMJ.exe
  2⤵
  PID:9324
- C:\Windows\System32\kGITGXj.exe
  C:\Windows\System32\kGITGXj.exe
  2⤵
  PID:9348
- C:\Windows\System32\RsxkBvp.exe
  C:\Windows\System32\RsxkBvp.exe
  2⤵
  PID:9384
- C:\Windows\System32\JNJBRYp.exe
  C:\Windows\System32\JNJBRYp.exe
  2⤵
  PID:9416
- C:\Windows\System32\JNjIMcx.exe
  C:\Windows\System32\JNjIMcx.exe
  2⤵
  PID:9436
- C:\Windows\System32\ffRpwqI.exe
  C:\Windows\System32\ffRpwqI.exe
  2⤵
  PID:9476
- C:\Windows\System32\WAJFmlD.exe
  C:\Windows\System32\WAJFmlD.exe
  2⤵
  PID:9504
- C:\Windows\System32\siCnSkg.exe
  C:\Windows\System32\siCnSkg.exe
  2⤵
  PID:9532
- C:\Windows\System32\nLXEUPD.exe
  C:\Windows\System32\nLXEUPD.exe
  2⤵
  PID:9548
- C:\Windows\System32\stkAImP.exe
  C:\Windows\System32\stkAImP.exe
  2⤵
  PID:9584
- C:\Windows\System32\bdfETXl.exe
  C:\Windows\System32\bdfETXl.exe
  2⤵
  PID:9616
- C:\Windows\System32\OcllUYJ.exe
  C:\Windows\System32\OcllUYJ.exe
  2⤵
  PID:9644
- C:\Windows\System32\LPUVulc.exe
  C:\Windows\System32\LPUVulc.exe
  2⤵
  PID:9672
- C:\Windows\System32\dIPuVoQ.exe
  C:\Windows\System32\dIPuVoQ.exe
  2⤵
  PID:9720
- C:\Windows\System32\BrZGZUr.exe
  C:\Windows\System32\BrZGZUr.exe
  2⤵
  PID:9744
- C:\Windows\System32\EylsLcW.exe
  C:\Windows\System32\EylsLcW.exe
  2⤵
  PID:9796
- C:\Windows\System32\HunNihO.exe
  C:\Windows\System32\HunNihO.exe
  2⤵
  PID:9824
- C:\Windows\System32\YeuGcKe.exe
  C:\Windows\System32\YeuGcKe.exe
  2⤵
  PID:9856
- C:\Windows\System32\rdBIyLV.exe
  C:\Windows\System32\rdBIyLV.exe
  2⤵
  PID:9872
- C:\Windows\System32\oAxhjAu.exe
  C:\Windows\System32\oAxhjAu.exe
  2⤵
  PID:9912
- C:\Windows\System32\BnipmMh.exe
  C:\Windows\System32\BnipmMh.exe
  2⤵
  PID:9940
- C:\Windows\System32\UiJCuPe.exe
  C:\Windows\System32\UiJCuPe.exe
  2⤵
  PID:9968
- C:\Windows\System32\AHHQKmL.exe
  C:\Windows\System32\AHHQKmL.exe
  2⤵
  PID:9996
- C:\Windows\System32\gWkEKfD.exe
  C:\Windows\System32\gWkEKfD.exe
  2⤵
  PID:10024
- C:\Windows\System32\IfGJfyY.exe
  C:\Windows\System32\IfGJfyY.exe
  2⤵
  PID:10052
- C:\Windows\System32\AhsClEd.exe
  C:\Windows\System32\AhsClEd.exe
  2⤵
  PID:10080
- C:\Windows\System32\BfLwnWS.exe
  C:\Windows\System32\BfLwnWS.exe
  2⤵
  PID:10108
- C:\Windows\System32\IqVjpcF.exe
  C:\Windows\System32\IqVjpcF.exe
  2⤵
  PID:10136
- C:\Windows\System32\lMIcHYC.exe
  C:\Windows\System32\lMIcHYC.exe
  2⤵
  PID:10156
- C:\Windows\System32\zfheJJE.exe
  C:\Windows\System32\zfheJJE.exe
  2⤵
  PID:10192
- C:\Windows\System32\xJrBkkH.exe
  C:\Windows\System32\xJrBkkH.exe
  2⤵
  PID:10220
- C:\Windows\System32\DDbjrwo.exe
  C:\Windows\System32\DDbjrwo.exe
  2⤵
  PID:9084
- C:\Windows\System32\Kywwysq.exe
  C:\Windows\System32\Kywwysq.exe
  2⤵
  PID:9288
- C:\Windows\System32\ScRsQei.exe
  C:\Windows\System32\ScRsQei.exe
  2⤵
  PID:9360
- C:\Windows\System32\hYdUjpd.exe
  C:\Windows\System32\hYdUjpd.exe
  2⤵
  PID:9404
- C:\Windows\System32\uuJOeXk.exe
  C:\Windows\System32\uuJOeXk.exe
  2⤵
  PID:9484
- C:\Windows\System32\OxMeluS.exe
  C:\Windows\System32\OxMeluS.exe
  2⤵
  PID:9544
- C:\Windows\System32\uYRnUNr.exe
  C:\Windows\System32\uYRnUNr.exe
  2⤵
  PID:9612
- C:\Windows\System32\SUGcvfb.exe
  C:\Windows\System32\SUGcvfb.exe
  2⤵
  PID:9680
- C:\Windows\System32\KUrCoPB.exe
  C:\Windows\System32\KUrCoPB.exe
  2⤵
  PID:9788
- C:\Windows\System32\uTwzuen.exe
  C:\Windows\System32\uTwzuen.exe
  2⤵
  PID:9868
- C:\Windows\System32\fTvuKOE.exe
  C:\Windows\System32\fTvuKOE.exe
  2⤵
  PID:9928
- C:\Windows\System32\QCYRzVs.exe
  C:\Windows\System32\QCYRzVs.exe
  2⤵
  PID:9980
- C:\Windows\System32\JYDGZGL.exe
  C:\Windows\System32\JYDGZGL.exe
  2⤵
  PID:10044
- C:\Windows\System32\mxGBzpq.exe
  C:\Windows\System32\mxGBzpq.exe
  2⤵
  PID:10104
- C:\Windows\System32\yqxGLVl.exe
  C:\Windows\System32\yqxGLVl.exe
  2⤵
  PID:10180
- C:\Windows\System32\YrFoMIx.exe
  C:\Windows\System32\YrFoMIx.exe
  2⤵
  PID:9260
- C:\Windows\System32\ANIDnJR.exe
  C:\Windows\System32\ANIDnJR.exe
  2⤵
  PID:9424
- C:\Windows\System32\bKFGGpC.exe
  C:\Windows\System32\bKFGGpC.exe
  2⤵
  PID:9568
- C:\Windows\System32\fRRTFCB.exe
  C:\Windows\System32\fRRTFCB.exe
  2⤵
  PID:9952
- C:\Windows\System32\xmZDkPx.exe
  C:\Windows\System32\xmZDkPx.exe
  2⤵
  PID:10144
- C:\Windows\System32\dPgbZBw.exe
  C:\Windows\System32\dPgbZBw.exe
  2⤵
  PID:9408
- C:\Windows\System32\CRKBbbN.exe
  C:\Windows\System32\CRKBbbN.exe
  2⤵
  PID:4276
- C:\Windows\System32\Jghfdvx.exe
  C:\Windows\System32\Jghfdvx.exe
  2⤵
  PID:10248
- C:\Windows\System32\pfdsRuo.exe
  C:\Windows\System32\pfdsRuo.exe
  2⤵
  PID:10292
- C:\Windows\System32\ikcMFWJ.exe
  C:\Windows\System32\ikcMFWJ.exe
  2⤵
  PID:10336
- C:\Windows\System32\asRVGRF.exe
  C:\Windows\System32\asRVGRF.exe
  2⤵
  PID:10364
- C:\Windows\System32\XvsDZTq.exe
  C:\Windows\System32\XvsDZTq.exe
  2⤵
  PID:10392
- C:\Windows\System32\fyGclCj.exe
  C:\Windows\System32\fyGclCj.exe
  2⤵
  PID:10444
- C:\Windows\System32\tkFitdA.exe
  C:\Windows\System32\tkFitdA.exe
  2⤵
  PID:10484
- C:\Windows\System32\BAXNiuo.exe
  C:\Windows\System32\BAXNiuo.exe
  2⤵
  PID:10512
- C:\Windows\System32\QCKwvvK.exe
  C:\Windows\System32\QCKwvvK.exe
  2⤵
  PID:10540
- C:\Windows\System32\BEZaCbX.exe
  C:\Windows\System32\BEZaCbX.exe
  2⤵
  PID:10572
- C:\Windows\System32\ILlZNvC.exe
  C:\Windows\System32\ILlZNvC.exe
  2⤵
  PID:10592
- C:\Windows\System32\dUIlWaq.exe
  C:\Windows\System32\dUIlWaq.exe
  2⤵
  PID:10612
- C:\Windows\System32\dTfSjup.exe
  C:\Windows\System32\dTfSjup.exe
  2⤵
  PID:10632
- C:\Windows\System32\bTSvtYO.exe
  C:\Windows\System32\bTSvtYO.exe
  2⤵
  PID:10652
- C:\Windows\System32\MmoSVzy.exe
  C:\Windows\System32\MmoSVzy.exe
  2⤵
  PID:10668
- C:\Windows\System32\pwbaSid.exe
  C:\Windows\System32\pwbaSid.exe
  2⤵
  PID:10692
- C:\Windows\System32\BHQhapp.exe
  C:\Windows\System32\BHQhapp.exe
  2⤵
  PID:10768
- C:\Windows\System32\wWbJVhN.exe
  C:\Windows\System32\wWbJVhN.exe
  2⤵
  PID:10796
- C:\Windows\System32\pfOsWyS.exe
  C:\Windows\System32\pfOsWyS.exe
  2⤵
  PID:10840
- C:\Windows\System32\rAkEIVs.exe
  C:\Windows\System32\rAkEIVs.exe
  2⤵
  PID:10872
- C:\Windows\System32\SqfwreY.exe
  C:\Windows\System32\SqfwreY.exe
  2⤵
  PID:10900
- C:\Windows\System32\MrrJIUo.exe
  C:\Windows\System32\MrrJIUo.exe
  2⤵
  PID:10936
- C:\Windows\System32\BoyLNbo.exe
  C:\Windows\System32\BoyLNbo.exe
  2⤵
  PID:10968
- C:\Windows\System32\uBRFzjs.exe
  C:\Windows\System32\uBRFzjs.exe
  2⤵
  PID:11004
- C:\Windows\System32\RYLVqDn.exe
  C:\Windows\System32\RYLVqDn.exe
  2⤵
  PID:11020
- C:\Windows\System32\HLCemfH.exe
  C:\Windows\System32\HLCemfH.exe
  2⤵
  PID:11060
- C:\Windows\System32\evRVcmK.exe
  C:\Windows\System32\evRVcmK.exe
  2⤵
  PID:11088
- C:\Windows\System32\UeaiagF.exe
  C:\Windows\System32\UeaiagF.exe
  2⤵
  PID:11116
- C:\Windows\System32\UfCXjhr.exe
  C:\Windows\System32\UfCXjhr.exe
  2⤵
  PID:11144
- C:\Windows\System32\zlZmURM.exe
  C:\Windows\System32\zlZmURM.exe
  2⤵
  PID:11176
- C:\Windows\System32\Inpuatr.exe
  C:\Windows\System32\Inpuatr.exe
  2⤵
  PID:11200
- C:\Windows\System32\WLPMHnk.exe
  C:\Windows\System32\WLPMHnk.exe
  2⤵
  PID:11232
- C:\Windows\System32\cGHnxXB.exe
  C:\Windows\System32\cGHnxXB.exe
  2⤵
  PID:11260
- C:\Windows\System32\alxgkjd.exe
  C:\Windows\System32\alxgkjd.exe
  2⤵
  PID:10272
- C:\Windows\System32\oYrBaqx.exe
  C:\Windows\System32\oYrBaqx.exe
  2⤵
  PID:10372
- C:\Windows\System32\RDZgfXW.exe
  C:\Windows\System32\RDZgfXW.exe
  2⤵
  PID:10496
- C:\Windows\System32\QiCtCbI.exe
  C:\Windows\System32\QiCtCbI.exe
  2⤵
  PID:10564
- C:\Windows\System32\mMXiWlQ.exe
  C:\Windows\System32\mMXiWlQ.exe
  2⤵
  PID:10604
- C:\Windows\System32\ZMpGWhg.exe
  C:\Windows\System32\ZMpGWhg.exe
  2⤵
  PID:10624
- C:\Windows\System32\czOPjip.exe
  C:\Windows\System32\czOPjip.exe
  2⤵
  PID:10776
- C:\Windows\System32\cOQgJQj.exe
  C:\Windows\System32\cOQgJQj.exe
  2⤵
  PID:9664
- C:\Windows\System32\AdaYhsI.exe
  C:\Windows\System32\AdaYhsI.exe
  2⤵
  PID:10884
- C:\Windows\System32\MeDECYY.exe
  C:\Windows\System32\MeDECYY.exe
  2⤵
  PID:10996
- C:\Windows\System32\oLAnJCg.exe
  C:\Windows\System32\oLAnJCg.exe
  2⤵
  PID:11040
- C:\Windows\System32\wvbvgIQ.exe
  C:\Windows\System32\wvbvgIQ.exe
  2⤵
  PID:11100
- C:\Windows\System32\PGSUjGP.exe
  C:\Windows\System32\PGSUjGP.exe
  2⤵
  PID:11156
- C:\Windows\System32\ZjwuKYD.exe
  C:\Windows\System32\ZjwuKYD.exe
  2⤵
  PID:11228
- C:\Windows\System32\mMVPDUE.exe
  C:\Windows\System32\mMVPDUE.exe
  2⤵
  PID:10348
- C:\Windows\System32\zHfBGEa.exe
  C:\Windows\System32\zHfBGEa.exe
  2⤵
  PID:10536
- C:\Windows\System32\FAPRxbt.exe
  C:\Windows\System32\FAPRxbt.exe
  2⤵
  PID:10680
- C:\Windows\System32\usrlwFT.exe
  C:\Windows\System32\usrlwFT.exe
  2⤵
  PID:10852
- C:\Windows\System32\OpSqEYj.exe
  C:\Windows\System32\OpSqEYj.exe
  2⤵
  PID:11016
- C:\Windows\System32\sZHNnSq.exe
  C:\Windows\System32\sZHNnSq.exe
  2⤵
  PID:11152
- C:\Windows\System32\yhSdaDG.exe
  C:\Windows\System32\yhSdaDG.exe
  2⤵
  PID:10012
- C:\Windows\System32\miOhxsl.exe
  C:\Windows\System32\miOhxsl.exe
  2⤵
  PID:10784
- C:\Windows\System32\LiNdcqO.exe
  C:\Windows\System32\LiNdcqO.exe
  2⤵
  PID:11128
- C:\Windows\System32\WSQBuma.exe
  C:\Windows\System32\WSQBuma.exe
  2⤵
  PID:776
- C:\Windows\System32\SznyiHA.exe
  C:\Windows\System32\SznyiHA.exe
  2⤵
  PID:10932
- C:\Windows\System32\CGejWpp.exe
  C:\Windows\System32\CGejWpp.exe
  2⤵
  PID:11288
- C:\Windows\System32\HsgFVUp.exe
  C:\Windows\System32\HsgFVUp.exe
  2⤵
  PID:11320
- C:\Windows\System32\ForBjAe.exe
  C:\Windows\System32\ForBjAe.exe
  2⤵
  PID:11348
- C:\Windows\System32\FlxChBA.exe
  C:\Windows\System32\FlxChBA.exe
  2⤵
  PID:11376
- C:\Windows\System32\hFZzFLj.exe
  C:\Windows\System32\hFZzFLj.exe
  2⤵
  PID:11404
- C:\Windows\System32\DxkWiXq.exe
  C:\Windows\System32\DxkWiXq.exe
  2⤵
  PID:11432
- C:\Windows\System32\pQylUXF.exe
  C:\Windows\System32\pQylUXF.exe
  2⤵
  PID:11460
- C:\Windows\System32\gDWcmKB.exe
  C:\Windows\System32\gDWcmKB.exe
  2⤵
  PID:11488
- C:\Windows\System32\ZtabyAQ.exe
  C:\Windows\System32\ZtabyAQ.exe
  2⤵
  PID:11504
- C:\Windows\System32\EBJDoEh.exe
  C:\Windows\System32\EBJDoEh.exe
  2⤵
  PID:11544
- C:\Windows\System32\EHnXXWO.exe
  C:\Windows\System32\EHnXXWO.exe
  2⤵
  PID:11572
- C:\Windows\System32\NHgRKWk.exe
  C:\Windows\System32\NHgRKWk.exe
  2⤵
  PID:11588
- C:\Windows\System32\UMrlpJb.exe
  C:\Windows\System32\UMrlpJb.exe
  2⤵
  PID:11616
- C:\Windows\System32\GknwdeX.exe
  C:\Windows\System32\GknwdeX.exe
  2⤵
  PID:11656
- C:\Windows\System32\VZStmkY.exe
  C:\Windows\System32\VZStmkY.exe
  2⤵
  PID:11684
- C:\Windows\System32\ZNAMAgB.exe
  C:\Windows\System32\ZNAMAgB.exe
  2⤵
  PID:11700
- C:\Windows\System32\SSHVSxM.exe
  C:\Windows\System32\SSHVSxM.exe
  2⤵
  PID:11716
- C:\Windows\System32\SInpVkZ.exe
  C:\Windows\System32\SInpVkZ.exe
  2⤵
  PID:11740
- C:\Windows\System32\JEwcNDS.exe
  C:\Windows\System32\JEwcNDS.exe
  2⤵
  PID:11784
- C:\Windows\System32\wFjACZk.exe
  C:\Windows\System32\wFjACZk.exe
  2⤵
  PID:11824
- C:\Windows\System32\uvscuEr.exe
  C:\Windows\System32\uvscuEr.exe
  2⤵
  PID:11840
- C:\Windows\System32\dCQZuFI.exe
  C:\Windows\System32\dCQZuFI.exe
  2⤵
  PID:11876
- C:\Windows\System32\RFGwwUo.exe
  C:\Windows\System32\RFGwwUo.exe
  2⤵
  PID:11908
- C:\Windows\System32\poWGqET.exe
  C:\Windows\System32\poWGqET.exe
  2⤵
  PID:11936
- C:\Windows\System32\VhZcOIo.exe
  C:\Windows\System32\VhZcOIo.exe
  2⤵
  PID:11952
- C:\Windows\System32\wrEbFVT.exe
  C:\Windows\System32\wrEbFVT.exe
  2⤵
  PID:11992
- C:\Windows\System32\PHDFVfs.exe
  C:\Windows\System32\PHDFVfs.exe
  2⤵
  PID:12020
- C:\Windows\System32\PcnpUgt.exe
  C:\Windows\System32\PcnpUgt.exe
  2⤵
  PID:12044
- C:\Windows\System32\UVkionS.exe
  C:\Windows\System32\UVkionS.exe
  2⤵
  PID:12064
- C:\Windows\System32\hTndLaH.exe
  C:\Windows\System32\hTndLaH.exe
  2⤵
  PID:12112
- C:\Windows\System32\aJPELiX.exe
  C:\Windows\System32\aJPELiX.exe
  2⤵
  PID:12152
- C:\Windows\System32\uzwKprT.exe
  C:\Windows\System32\uzwKprT.exe
  2⤵
  PID:12176
- C:\Windows\System32\BqdwBoc.exe
  C:\Windows\System32\BqdwBoc.exe
  2⤵
  PID:12228
- C:\Windows\System32\DKEXlTR.exe
  C:\Windows\System32\DKEXlTR.exe
  2⤵
  PID:12252
- C:\Windows\System32\poYpJby.exe
  C:\Windows\System32\poYpJby.exe
  2⤵
  PID:12280
- C:\Windows\System32\SjcTdDT.exe
  C:\Windows\System32\SjcTdDT.exe
  2⤵
  PID:11308
- C:\Windows\System32\fRaELDI.exe
  C:\Windows\System32\fRaELDI.exe
  2⤵
  PID:11368
- C:\Windows\System32\HmFbbfv.exe
  C:\Windows\System32\HmFbbfv.exe
  2⤵
  PID:11444
- C:\Windows\System32\XxDtkrd.exe
  C:\Windows\System32\XxDtkrd.exe
  2⤵
  PID:11496
- C:\Windows\System32\zPBMUWl.exe
  C:\Windows\System32\zPBMUWl.exe
  2⤵
  PID:11584
- C:\Windows\System32\OfZpPxB.exe
  C:\Windows\System32\OfZpPxB.exe
  2⤵
  PID:11636
- C:\Windows\System32\PmqNgQo.exe
  C:\Windows\System32\PmqNgQo.exe
  2⤵
  PID:11680
- C:\Windows\System32\heenZYt.exe
  C:\Windows\System32\heenZYt.exe
  2⤵
  PID:11776
- C:\Windows\System32\xpKWRvH.exe
  C:\Windows\System32\xpKWRvH.exe
  2⤵
  PID:11864
- C:\Windows\System32\aTdWyoL.exe
  C:\Windows\System32\aTdWyoL.exe
  2⤵
  PID:11892
- C:\Windows\System32\XhUTFWL.exe
  C:\Windows\System32\XhUTFWL.exe
  2⤵
  PID:11964
- C:\Windows\System32\PDpViaD.exe
  C:\Windows\System32\PDpViaD.exe
  2⤵
  PID:12060
- C:\Windows\System32\XmNBkmH.exe
  C:\Windows\System32\XmNBkmH.exe
  2⤵
  PID:12104
- C:\Windows\System32\rmTUhEc.exe
  C:\Windows\System32\rmTUhEc.exe
  2⤵
  PID:12204
- C:\Windows\System32\wfDZEMH.exe
  C:\Windows\System32\wfDZEMH.exe
  2⤵
  PID:12240
- C:\Windows\System32\iaTGGbE.exe
  C:\Windows\System32\iaTGGbE.exe
  2⤵
  PID:11344
- C:\Windows\System32\CWCXcnu.exe
  C:\Windows\System32\CWCXcnu.exe
  2⤵
  PID:11484
- C:\Windows\System32\gQEmtdd.exe
  C:\Windows\System32\gQEmtdd.exe
  2⤵
  PID:11644
- C:\Windows\System32\CCKIAsU.exe
  C:\Windows\System32\CCKIAsU.exe
  2⤵
  PID:11836
- C:\Windows\System32\ucNlEeh.exe
  C:\Windows\System32\ucNlEeh.exe
  2⤵
  PID:12012
- C:\Windows\System32\BjpWVEK.exe
  C:\Windows\System32\BjpWVEK.exe
  2⤵
  PID:12244
- C:\Windows\System32\BetecrS.exe
  C:\Windows\System32\BetecrS.exe
  2⤵
  PID:2728
- C:\Windows\System32\QpUgPjI.exe
  C:\Windows\System32\QpUgPjI.exe
  2⤵
  PID:11428
- C:\Windows\System32\OmYIxgE.exe
  C:\Windows\System32\OmYIxgE.exe
  2⤵
  PID:11800
- C:\Windows\System32\rDHIQFV.exe
  C:\Windows\System32\rDHIQFV.exe
  2⤵
  PID:11316
- C:\Windows\System32\fYnIDTL.exe
  C:\Windows\System32\fYnIDTL.exe
  2⤵
  PID:11816
- C:\Windows\System32\nSmpWYY.exe
  C:\Windows\System32\nSmpWYY.exe
  2⤵
  PID:11580
- C:\Windows\System32\ccdChDU.exe
  C:\Windows\System32\ccdChDU.exe
  2⤵
  PID:12312
- C:\Windows\System32\BqWpHUB.exe
  C:\Windows\System32\BqWpHUB.exe
  2⤵
  PID:12340
- C:\Windows\System32\nWrytYx.exe
  C:\Windows\System32\nWrytYx.exe
  2⤵
  PID:12368
- C:\Windows\System32\BgVDJWl.exe
  C:\Windows\System32\BgVDJWl.exe
  2⤵
  PID:12396
- C:\Windows\System32\PufrEEJ.exe
  C:\Windows\System32\PufrEEJ.exe
  2⤵
  PID:12424
- C:\Windows\System32\DqQpTDE.exe
  C:\Windows\System32\DqQpTDE.exe
  2⤵
  PID:12452
- C:\Windows\System32\onyrzCp.exe
  C:\Windows\System32\onyrzCp.exe
  2⤵
  PID:12480
- C:\Windows\System32\AknHiUj.exe
  C:\Windows\System32\AknHiUj.exe
  2⤵
  PID:12508
- C:\Windows\System32\OZzZYrl.exe
  C:\Windows\System32\OZzZYrl.exe
  2⤵
  PID:12536
- C:\Windows\System32\UfAMJvJ.exe
  C:\Windows\System32\UfAMJvJ.exe
  2⤵
  PID:12568
- C:\Windows\System32\XXITrvY.exe
  C:\Windows\System32\XXITrvY.exe
  2⤵
  PID:12596
- C:\Windows\System32\kwhQDCr.exe
  C:\Windows\System32\kwhQDCr.exe
  2⤵
  PID:12624
- C:\Windows\System32\geXZzMd.exe
  C:\Windows\System32\geXZzMd.exe
  2⤵
  PID:12652
- C:\Windows\System32\FCpxrCN.exe
  C:\Windows\System32\FCpxrCN.exe
  2⤵
  PID:12680
- C:\Windows\System32\vIiqwDd.exe
  C:\Windows\System32\vIiqwDd.exe
  2⤵
  PID:12716
- C:\Windows\System32\PsUnXVU.exe
  C:\Windows\System32\PsUnXVU.exe
  2⤵
  PID:12736
- C:\Windows\System32\dnpGiMq.exe
  C:\Windows\System32\dnpGiMq.exe
  2⤵
  PID:12764
- C:\Windows\System32\wFYfcOe.exe
  C:\Windows\System32\wFYfcOe.exe
  2⤵
  PID:12792
- C:\Windows\System32\KTHFcKP.exe
  C:\Windows\System32\KTHFcKP.exe
  2⤵
  PID:12820
- C:\Windows\System32\hmmxESE.exe
  C:\Windows\System32\hmmxESE.exe
  2⤵
  PID:12848
- C:\Windows\System32\ZpKoWZG.exe
  C:\Windows\System32\ZpKoWZG.exe
  2⤵
  PID:12876
- C:\Windows\System32\KICoWlH.exe
  C:\Windows\System32\KICoWlH.exe
  2⤵
  PID:12904
- C:\Windows\System32\Fkdzizj.exe
  C:\Windows\System32\Fkdzizj.exe
  2⤵
  PID:12932
- C:\Windows\System32\lYbtkie.exe
  C:\Windows\System32\lYbtkie.exe
  2⤵
  PID:12960
- C:\Windows\System32\PkEWOPA.exe
  C:\Windows\System32\PkEWOPA.exe
  2⤵
  PID:12988
- C:\Windows\System32\rVKsaoj.exe
  C:\Windows\System32\rVKsaoj.exe
  2⤵
  PID:13016
- C:\Windows\System32\iCnaGdU.exe
  C:\Windows\System32\iCnaGdU.exe
  2⤵
  PID:13032
- C:\Windows\System32\DHDsKeC.exe
  C:\Windows\System32\DHDsKeC.exe
  2⤵
  PID:13072
- C:\Windows\System32\BQgKUOe.exe
  C:\Windows\System32\BQgKUOe.exe
  2⤵
  PID:13100
- C:\Windows\System32\xSJzBPD.exe
  C:\Windows\System32\xSJzBPD.exe
  2⤵
  PID:13128
- C:\Windows\System32\ndoyJtn.exe
  C:\Windows\System32\ndoyJtn.exe
  2⤵
  PID:13156
- C:\Windows\System32\jhqmNrp.exe
  C:\Windows\System32\jhqmNrp.exe
  2⤵
  PID:13184
- C:\Windows\System32\OUeUAEI.exe
  C:\Windows\System32\OUeUAEI.exe
  2⤵
  PID:13212
- C:\Windows\System32\ISLPzdu.exe
  C:\Windows\System32\ISLPzdu.exe
  2⤵
  PID:13240
- C:\Windows\System32\LOTfKuz.exe
  C:\Windows\System32\LOTfKuz.exe
  2⤵
  PID:13268
- C:\Windows\System32\tBhmBKG.exe
  C:\Windows\System32\tBhmBKG.exe
  2⤵
  PID:13308
- C:\Windows\System32\tEKIUph.exe
  C:\Windows\System32\tEKIUph.exe
  2⤵
  PID:12308
- C:\Windows\System32\vSvrrQs.exe
  C:\Windows\System32\vSvrrQs.exe
  2⤵
  PID:12380
- C:\Windows\System32\nfljePz.exe
  C:\Windows\System32\nfljePz.exe
  2⤵
  PID:12448
- C:\Windows\System32\oNlKgah.exe
  C:\Windows\System32\oNlKgah.exe
  2⤵
  PID:12524
- C:\Windows\System32\jEjLnfC.exe
  C:\Windows\System32\jEjLnfC.exe
  2⤵
  PID:12592
- C:\Windows\System32\tApJquM.exe
  C:\Windows\System32\tApJquM.exe
  2⤵
  PID:12668
- C:\Windows\System32\CYGPMrq.exe
  C:\Windows\System32\CYGPMrq.exe
  2⤵
  PID:12732
- C:\Windows\System32\MOjZxMI.exe
  C:\Windows\System32\MOjZxMI.exe
  2⤵
  PID:12804
- C:\Windows\System32\SVuzKGJ.exe
  C:\Windows\System32\SVuzKGJ.exe
  2⤵
  PID:12872
- C:\Windows\System32\yldWYsL.exe
  C:\Windows\System32\yldWYsL.exe
  2⤵
  PID:12928
- C:\Windows\System32\XtbfXNJ.exe
  C:\Windows\System32\XtbfXNJ.exe
  2⤵
  PID:13008
- C:\Windows\System32\CWTnCTo.exe
  C:\Windows\System32\CWTnCTo.exe
  2⤵
  PID:13068
- C:\Windows\System32\UJigAMs.exe
  C:\Windows\System32\UJigAMs.exe
  2⤵
  PID:13140
- C:\Windows\System32\vSJuBxK.exe
  C:\Windows\System32\vSJuBxK.exe
  2⤵
  PID:13204
- C:\Windows\System32\JHdHNbx.exe
  C:\Windows\System32\JHdHNbx.exe
  2⤵
  PID:13264

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\FEbGGpJ.exe

Filesize
3.1MB

MD5
5fe998d13966373a18ec115ea04dfe11

SHA1
663e184bd744e3141ff1f816ce73c5d2ef7a421d

SHA256
eec5c25fc3446a14d782690a46ccccb6f446826069e0fcd27bf0adf8b4aff46a

SHA512
f0b156058bd5e4237ab85ef17fa1f5919c3bf7d639edb485a66beff419cfa9722862fc4ddfbbfe1028708568f50ba2a32cf7c917ef2336868e814be976a24bae

Download Submit
C:\Windows\System32\GRTvled.exe

Filesize
3.1MB

MD5
33336fd5238eb90b99e249fc32cbeffd

SHA1
dce5c104aea8f1ec84bd86f72f6c7b772e9e3705

SHA256
bca3646bedfd59e59324ac3a1e51631cc67884ca8ad631dabee11680940564f9

SHA512
c16174083b1083e78b747dcd3e679d0e9d489d8bc083289427e7ba80ac5b80b902edba93e69fa725ff709fb122610904a763694f35902f3b97a4a8c8f84ce17d

Download Submit
C:\Windows\System32\GkQUarh.exe

Filesize
3.1MB

MD5
67ce0e3722a532663a8a5b807312848d

SHA1
a87d25f45866c340ee73e80c01b7fcfd99c1ab08

SHA256
9fa057d21238251bd80c9d9c7f791cd8851cbb1d865cb57ccb25ab72d5bee317

SHA512
95f666c76cc67c471f6004e63726793c9c78ff2ff2d93fd28ad98a5ef76fde4633166a3d65fe46913db726701c8e3570401c4980da7a30d6c990cf989e9339ee

Download Submit
C:\Windows\System32\HLgYCgK.exe

Filesize
3.1MB

MD5
64db3795b9501f52c75555fc85095637

SHA1
ad1c9b1d4b77ca19a1e958669c2af348ba529e21

SHA256
2b642a489c1ef171f7b20cb36f7b9f9af98130009ec23ffa6cc52e06baf4ab8c

SHA512
cc2294e21914aab80a93f83c6da25a9fc50d603d84416c68227558de01ae6a6fdc5d2728058d033759142a977a8809b997da0cdc59d59e69d719aabe90d557d9

Download Submit
C:\Windows\System32\HPzysAV.exe

Filesize
3.1MB

MD5
373511394ff2583604074605b0cd2190

SHA1
5562ac7249ef96dd6ab163d8969b7eca430982c0

SHA256
fb6d5057c008943bcf5c11b177ae5033ee9e6923f77558bb3ba017296c781ac2

SHA512
c68a30b58fbbf098f7a46e190bc07c551a0c4a5e1ddb8070a452232e1c08cff96e62765fafff2f94232a954949dbf389565ea3159c9c802da8956c3c449b16d7

Download Submit
C:\Windows\System32\JtUlXpe.exe

Filesize
3.1MB

MD5
9c41e2ce9343814a7a2216ec2ffdedde

SHA1
32f670fcf4f459eefd169fcb9c3596411bc5fbde

SHA256
a3888a27c210b54290ca08c899449a958e98588d6f9b3b4b2b93225c03d79837

SHA512
c85414d80f8b41e3eb6cb7048ff8169ef18d411bd8f7adb8a8618bc6401b865cf72b5f90417c490b3785a1fd06d5f8b901866411c64a0b9ec25f220e2cab20bb

Download Submit
C:\Windows\System32\LHtQFQA.exe

Filesize
3.1MB

MD5
a5908e732c9f8753baf8a977c4c1a1bd

SHA1
838e9f6f0b37b3daa8529dcafdd793ead0c1fab8

SHA256
672c360bfa2915bf5a299898606707691a1469dbaeb7b0746627a6eadfafd0bc

SHA512
e90bdd295e5cb5050d638b1a04add25fceab055494c78645da6ff0aaacba3591d40a438fc2be47d83a36df692d04a42c6e02f1e0875471c01f192da78399e5a5

Download Submit
C:\Windows\System32\NyTXcvW.exe

Filesize
3.1MB

MD5
2aa27a53fa86a6118c67fd9c3a453ed7

SHA1
c6c51f7e0d30beb7e7780f8b1063c9291a8eb0cf

SHA256
34b9ab5515ce2dc8d5cd703baa9538353519e2d846c943be933fd97e8c448314

SHA512
b45d7a8e015f1d6a4f5afb5224e8720a2977dee8c3c256fc78b41972fd693143a70bf61fbc5a0ff506cf277aa1919a2dc5c372aa89d2aecef3aaf90d15f5b102

Download Submit
C:\Windows\System32\OAcaBwx.exe

Filesize
3.1MB

MD5
20c200bba2389e0898ac7a5572944a2e

SHA1
adec6c973abaa97a6f04495b6af49979741a3e8f

SHA256
e1b060e7ef4a40c318e44cb44d0b8e2dd39cc0d9e1a985b186ae0add705ab1c4

SHA512
48fb820c21b35680296e49e638a910a02fa2abe32bcbc544c5000f1a93e9deb490e4f81d1ce9ed516b73a68fac89cc250dd142160ac00c696d8337218b426472

Download Submit
C:\Windows\System32\OcmxXXn.exe

Filesize
3.1MB

MD5
ecb94edd5df912a8eabd2c5a8e7edcfe

SHA1
459d0de35d26350489405e55ebe27435fceed6c4

SHA256
b9d3c2cf6ab5ce6352b1bc472a50e4ab223109081fea0c23d213b24f0ef19ffd

SHA512
86661f2540977d3820f276365702a5e8a041ff3a1484fb5a65c25aeb6283e8423b1657e33e8d08a98e832e9d47d9238927e7a9d70b9a8b98f81af4ef56ac895c

Download Submit
C:\Windows\System32\PDRMJsY.exe

Filesize
3.1MB

MD5
ca948655da4a3d0fd989e74e3a693ef7

SHA1
1b4b91c5eade8b3734cc01a554915478d67bacbe

SHA256
075263deb2b67275322c7e6858a8277e96f86335f91414ee45d87a64ddda80bd

SHA512
3ba01701c7e09e99ee6bd92d0d6d907c8e5692862d71cb3aebeb764c867062c724db20ea8bfb45f856780a4d6b3f50eb655ae3b762ae4378d91147da77bc50de

Download Submit
C:\Windows\System32\QQMjHOi.exe

Filesize
3.1MB

MD5
dad9dc15f333fad9ef3ae56d98b2f3b5

SHA1
5d8aba417bc24f0f23339722aee6c8eb058f72b7

SHA256
cd88a24329fd879fc0f746576e90bff17011063976e01e0b60a2d97643d2a6c1

SHA512
97d599666dd4453c9e6a80cd747d19eb9ad58f40cfc0e8390023364efffdbf04e3200aad5d68359c3982565d4ae7507875122e592a304e4bbfe9700f4c09ef55

Download Submit
C:\Windows\System32\QgmKMib.exe

Filesize
3.1MB

MD5
1027c0f34e76c5d67771b07abcf98ff2

SHA1
a46a9e3d5d4d1bd7575e9f4bd101d33f27b6e213

SHA256
1a668f541afd45cb3a112ff8b30ae79c60fba384b42047c5a8f72e80cbb6adef

SHA512
fb505cf52f0670d441789b20b7d13d92c8349d5eb234378820c3a9f078ea83c9d610f52d5a93d838301b09f189f9e3dd15e16853c51d0f9d03f229bfbc007f43

Download Submit
C:\Windows\System32\QvVCfZO.exe

Filesize
3.1MB

MD5
dbd5d0cd1e490b083ffb931e2f94236e

SHA1
f01d6c8cf552c8b54e6103fcf213e5e059d5c7f3

SHA256
64c89aa5ad37df052c9c99e96055726d65bd40e4b5e216710c5cc6898475c5f8

SHA512
ea1304fe422cbb7fb183eb849d10bb76edcccfd61c7d275a67bd2e628d450aa186f21622680bcee3ba305d7b9f842453243ab0f27432de5214b9f13b3991e5ba

Download Submit
C:\Windows\System32\RhFZEoA.exe

Filesize
3.1MB

MD5
cf9720f98183a2b31c42aa7cddade092

SHA1
75162a2bf3a9f017f180d77cc6938c983d97c3e2

SHA256
b9ac77e29bb9bd8b4f723276ac99a3657f0294d0476783fae01752dd28e304ea

SHA512
d61655b5a12d91e1c5baf9aa524620075aed094b5715abb887737b6512c11ecbdf12e76cb5fa3b32278c254d9fe8b5aa243b98c0948b2631db6db0a634107838

Download Submit
C:\Windows\System32\RlkdtCe.exe

Filesize
3.1MB

MD5
315dd1749f2b5d893c276748ae4313c5

SHA1
6153201b1af25c8748052e661f69107597718a5a

SHA256
72a24bd93a87c2c42489dea6a3b68302b14a5b2845d8a592980cfe847d247b69

SHA512
e9de6fdbf78adf31d0d62d8d2c60cecccb6baba62aba43126a4ee4fa5165653c2017a2e53c49dc69cf4fc679eb566552eacaea9922967d322c7b061879d17669

Download Submit
C:\Windows\System32\VudkRvT.exe

Filesize
3.1MB

MD5
b959786658e4e410bf6ccf58f5045816

SHA1
a8c22863ab40757885253a07e247bb0a6f1f4169

SHA256
7e25e46ecb54a84534064bceba483c87ba6c66f6a871d2510ba30b1f812accb4

SHA512
f02ccb8c06f725f78939921b4253c1724259188672a5080ebbb4fea53895c807511aa9a6a15ded62ab15798e46819726f193c96a96517ad4cf60dea04cafed09

Download Submit
C:\Windows\System32\Wryvuwb.exe

Filesize
3.1MB

MD5
81851f73f36eaa3fe7ef28a087796f41

SHA1
3976e4ffe248654d30e013b57f230adc3f69d769

SHA256
4980c377c818d9e11e1ba43e3a9fa5a842d2d836fb861c033a200e2284e5844f

SHA512
a36dc0b02d93e0c7159c11ae77c8aca7e14a506c361cd64bda62bf47442f538cdcb28094f052e577ca5ec34f3e7789b04c8b69aec2a894c2ab38a5deec0f3411

Download Submit
C:\Windows\System32\XiRtGJt.exe

Filesize
3.1MB

MD5
70e06e4696b6d10ea2bef76e06106dd7

SHA1
209b075d917c2ebb3b3f90b94bedcc27d1adc66c

SHA256
e5f2a6e0ca2d53968ddcb4bda93b1157d7df6bfe2bf23e09941bc8c1b2d2f756

SHA512
66acedc07145fce5a4ef9391a98041fc450f30861b2c8ff2a5d4fc7d34b9db59b9364cb360fa38740c6b60fc5764c2bad2650a09cc5a65e4b495839d547b4aae

Download Submit
C:\Windows\System32\ZxSxldo.exe

Filesize
3.1MB

MD5
6e445c8ca2ad70a5f236bb6889669cb7

SHA1
2b4617c42cf788d434f1c3c17b186ac2d1450947

SHA256
d8ce64c24d5eae91c3a6914773ff5a4a81d60736456a10237cf5a7c4b6362c0a

SHA512
6cd8aeafe34701f44a8076fc39a97abbaa02dad2bc4c18e00072509cec2d7b7ea8dbaf6aa01dacc9a017c4ff168a3159bce6006cfeb9dcd055dcdbfbb79c68db

Download Submit
C:\Windows\System32\cVGsYxN.exe

Filesize
3.1MB

MD5
08551e872211caaa6ab98cfe30f47846

SHA1
c78e0cf1bb211a9d22da3a95f0a441016504660b

SHA256
98d527312eddb47028744cef5c65f6003b6b3909e8d17173424bcc2483f0e807

SHA512
8fecfacb78afd5d746b98b76515211ba9e7ab72f6e9d1f33c25fd1ebd8f343e2c8806722a76a6973d906fc8bd9446af5a07bd0ec9a13945bdb4bb26901d533bd

Download Submit
C:\Windows\System32\cigpuLj.exe

Filesize
3.1MB

MD5
e443910a8415bb678815872eea9eb909

SHA1
b29ec12ce328ccea94fb54fa0761fd6d863d41cb

SHA256
40a31a8211c3d2de0e707cd3dda0256009ed4af587b625bff94620db0bcf5e11

SHA512
2e99db6894901efa837729351ac2bbd35d850a2263f5d5fdcea9eea07b54a64656d41b3a00ddf3a9a4ed397a83a6ccb60394d36df9181417e2dd071164ac26f4

Download Submit
C:\Windows\System32\dRvWpkE.exe

Filesize
3.1MB

MD5
0913a588b34e595e3a3926d92be19144

SHA1
9f068a25188ab5d1bf8e329b06e9a7d9192e5dd6

SHA256
512873deb81b85687a9a27a980766ad9210695b2440952dc17c5d440d6aca8b8

SHA512
4aac5589665b460e13b66fcf3eb23aab3f6409ca67dfc2688ed26412c3e2aae208d6eefee0ed11eb44e2dcee51695d70f86e0179a66b855015c6eac912898dc7

Download Submit
C:\Windows\System32\dZvQmts.exe

Filesize
3.1MB

MD5
27e8abc1aa1da19ce7b4ea1804d12770

SHA1
de518ad2f39935c65b73afa6948a8ec06017c62b

SHA256
260c5fa5f866baa8a00a753cd3bb97f6861c51fe6670ecb1ae13ef754c097bc5

SHA512
34244a199a96a4bbf211c98e953eca71dfc226e3a0805319268db056d7b833979b1cfe7f3535ab03c0711051011106608a9edff43d65026d1670a013b0db9d8b

Download Submit
C:\Windows\System32\gabWasv.exe

Filesize
3.1MB

MD5
c00865f28612e7e7b08365e155ebd17c

SHA1
f302d6dfc876894e4c8cc4472bf3289455ef1ae8

SHA256
d588e3bfbabfa8654406c44eb31d7a7c8dad83e517687a2a50d31d975cd8a93a

SHA512
28ff3c2859704d37c8c5326c74b75b18470af9925b3235620a105e43ac8807761569d0a6072d3c4ed2a49ef8c10847eba773459e30135a74bae37b9054901f1d

Download Submit
C:\Windows\System32\iRQgNOO.exe

Filesize
3.1MB

MD5
3aeff68bfe8ace9666fd3ff0c28dc1fb

SHA1
fd504dd0fef583f822f633d43eeed4f0d9c707f4

SHA256
f841f93340563181d77294659fb6dafc833dcf769c2fbb876b9d0e6f902f0d0c

SHA512
830b60acdc00a4ca793bca98be9761d8c8b07dcd0953ff87b12630533b0c259b0d675228bf87103ead7bc630615ca96717cbfbd99bebfa9e5b3c3a490e0313c5

Download Submit
C:\Windows\System32\iqyaJIX.exe

Filesize
3.1MB

MD5
9e2fec36d99828f48edc486f4a1ae0f9

SHA1
9d5362c59a83fb8bfe462198c1adf02ceaea6709

SHA256
4a857de42d5bff933c18c53e333d685451aa5f8b93fae7f4662dd5cd341a48b1

SHA512
7d367cce180a366ce938fa88a8a82953d1d94e66601dab1481b168702be9bd1d58d02e451e793e46ac90f7fbdec7da775957dabcb8fb0a14facb2dd9c11b8c44

Download Submit
C:\Windows\System32\jkSBNEp.exe

Filesize
3.1MB

MD5
5b62a4dc69ad5e87da0f9a8ee27fb0bd

SHA1
8060902bdf6aa55f65f6d5c49b39dcfedce1a0df

SHA256
cc8fba23ec9c5c2b442946ef2c96477b5fef5a4bfa6527e85e57cc81d3d73f67

SHA512
0a7239099c73d53e25dd1b7c24959ad185b4bdc3951ad31437642938da383fb836eb6eccd95b174321b3cbc67f974409d1a1f8c9218a5a5915a89c86d5403876

Download Submit
C:\Windows\System32\pMgRJxR.exe

Filesize
3.1MB

MD5
4673a6891ae29e7ecdabd1e463253430

SHA1
7c28400065dd3a4f873661d7370f507aec587f4a

SHA256
e204ce1a4e9814000005f7f6885fbc4c62c64b677e795487c89e84dc7f785256

SHA512
6a7f57fe217b57fb4f397519b898b37b2337827e6bbdeba46f6bad1845a74fa75e88b32d88d8e2e5e224507771fbd1e22c80de4338442bb4e959be9053c68985

Download Submit
C:\Windows\System32\paoEBub.exe

Filesize
3.1MB

MD5
75d12437ba91098890580c37a287d479

SHA1
aec6affa9b1f3fc57191323fd13f346bce12d8c7

SHA256
5a56a3adf7698a4f19c6a4d8c90a19cb9ccaafd0a4ea17f0703ca0ab902fa9b9

SHA512
74dce34e5c6a943c217483acc541a3521fe589dcb112c590742e2b0742a41ffcca186d88567a6fc902d67be098780c13f31084c129c0486ca083c149fb784523

Download Submit
C:\Windows\System32\qKJtjXC.exe

Filesize
3.1MB

MD5
6760498292d88a4687ff6c65097188f0

SHA1
ba29022a7c99122e25e9fe7e6c3ec298c2bc3bf7

SHA256
ceea1386524d47dfd7a7b09238beda5d4e7656c14aa6591a5d6b2d11826e699e

SHA512
e4ce20122849e1297a62003e15fe1b4c8db2111f72299d9baff235e891d50d8d918da50ce890a69741e750e4fbbb171bf4df996a546d8f4452cd8a7f2e5b6b05

Download Submit
C:\Windows\System32\xXfVDhh.exe

Filesize
3.1MB

MD5
78dfb07aba54f1f66d5801a208bae4bf

SHA1
447952b08084182ac7150321a233bd8347c9d04d

SHA256
e820dc99180dc0d4256c4d8832074f60065cf469739ce0d4056767c3c7f75560

SHA512
fb38ebe0382cd86751d4b75354a4d127bb0015a032c2a456473492ed1b81944bd5e9bb536792c40a4a8c1c129c27dd82a72a4a99bd62d4bc5999096540152c23

Download Submit
memory/212-926-0x00007FF784660000-0x00007FF784A55000-memory.dmp

Filesize
4.0MB

Download
memory/212-1896-0x00007FF784660000-0x00007FF784A55000-memory.dmp

Filesize
4.0MB

Download
memory/924-16-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp

Filesize
4.0MB

Download
memory/924-1884-0x00007FF6E3310000-0x00007FF6E3705000-memory.dmp

Filesize
4.0MB

Download
memory/1492-8-0x00007FF745320000-0x00007FF745715000-memory.dmp

Filesize
4.0MB

Download
memory/1492-1883-0x00007FF745320000-0x00007FF745715000-memory.dmp

Filesize
4.0MB

Download
memory/1572-1902-0x00007FF7AFE40000-0x00007FF7B0235000-memory.dmp

Filesize
4.0MB

Download
memory/1572-956-0x00007FF7AFE40000-0x00007FF7B0235000-memory.dmp

Filesize
4.0MB

Download
memory/1924-1887-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp

Filesize
4.0MB

Download
memory/1924-38-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp

Filesize
4.0MB

Download
memory/1924-1881-0x00007FF7B5900000-0x00007FF7B5CF5000-memory.dmp

Filesize
4.0MB

Download
memory/2028-1885-0x00007FF687E90000-0x00007FF688285000-memory.dmp

Filesize
4.0MB

Download
memory/2028-32-0x00007FF687E90000-0x00007FF688285000-memory.dmp

Filesize
4.0MB

Download
memory/2228-1892-0x00007FF784640000-0x00007FF784A35000-memory.dmp

Filesize
4.0MB

Download
memory/2228-900-0x00007FF784640000-0x00007FF784A35000-memory.dmp

Filesize
4.0MB

Download
memory/2744-1898-0x00007FF6EF930000-0x00007FF6EFD25000-memory.dmp

Filesize
4.0MB

Download
memory/2744-925-0x00007FF6EF930000-0x00007FF6EFD25000-memory.dmp

Filesize
4.0MB

Download
memory/3040-1882-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp

Filesize
4.0MB

Download
memory/3040-44-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp

Filesize
4.0MB

Download
memory/3040-1888-0x00007FF62CB30000-0x00007FF62CF25000-memory.dmp

Filesize
4.0MB

Download
memory/3216-922-0x00007FF7CE080000-0x00007FF7CE475000-memory.dmp

Filesize
4.0MB

Download
memory/3216-1894-0x00007FF7CE080000-0x00007FF7CE475000-memory.dmp

Filesize
4.0MB

Download
memory/3228-1895-0x00007FF7464C0000-0x00007FF7468B5000-memory.dmp

Filesize
4.0MB

Download
memory/3228-930-0x00007FF7464C0000-0x00007FF7468B5000-memory.dmp

Filesize
4.0MB

Download
memory/3292-1897-0x00007FF72F3C0000-0x00007FF72F7B5000-memory.dmp

Filesize
4.0MB

Download
memory/3292-928-0x00007FF72F3C0000-0x00007FF72F7B5000-memory.dmp

Filesize
4.0MB

Download
memory/3376-911-0x00007FF6A2170000-0x00007FF6A2565000-memory.dmp

Filesize
4.0MB

Download
memory/3376-1899-0x00007FF6A2170000-0x00007FF6A2565000-memory.dmp

Filesize
4.0MB

Download
memory/3504-1903-0x00007FF72CF20000-0x00007FF72D315000-memory.dmp

Filesize
4.0MB

Download
memory/3504-946-0x00007FF72CF20000-0x00007FF72D315000-memory.dmp

Filesize
4.0MB

Download
memory/3772-940-0x00007FF677020000-0x00007FF677415000-memory.dmp

Filesize
4.0MB

Download
memory/3772-1905-0x00007FF677020000-0x00007FF677415000-memory.dmp

Filesize
4.0MB

Download
memory/3880-1893-0x00007FF64F910000-0x00007FF64FD05000-memory.dmp

Filesize
4.0MB

Download
memory/3880-919-0x00007FF64F910000-0x00007FF64FD05000-memory.dmp

Filesize
4.0MB

Download
memory/3904-49-0x00007FF663960000-0x00007FF663D55000-memory.dmp

Filesize
4.0MB

Download
memory/3904-1891-0x00007FF663960000-0x00007FF663D55000-memory.dmp

Filesize
4.0MB

Download
memory/4004-897-0x00007FF61F520000-0x00007FF61F915000-memory.dmp

Filesize
4.0MB

Download
memory/4004-1890-0x00007FF61F520000-0x00007FF61F915000-memory.dmp

Filesize
4.0MB

Download
memory/4236-941-0x00007FF675880000-0x00007FF675C75000-memory.dmp

Filesize
4.0MB

Download
memory/4236-1906-0x00007FF675880000-0x00007FF675C75000-memory.dmp

Filesize
4.0MB

Download
memory/4684-1-0x0000020E89500000-0x0000020E89510000-memory.dmp

Filesize
64KB

Download
memory/4684-0-0x00007FF707480000-0x00007FF707875000-memory.dmp

Filesize
4.0MB

Download
memory/4684-1880-0x00007FF707480000-0x00007FF707875000-memory.dmp

Filesize
4.0MB

Download
memory/4764-1901-0x00007FF6DBEE0000-0x00007FF6DC2D5000-memory.dmp

Filesize
4.0MB

Download
memory/4764-935-0x00007FF6DBEE0000-0x00007FF6DC2D5000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1889-0x00007FF61D8E0000-0x00007FF61DCD5000-memory.dmp

Filesize
4.0MB

Download
memory/4948-46-0x00007FF61D8E0000-0x00007FF61DCD5000-memory.dmp

Filesize
4.0MB

Download
memory/5020-1886-0x00007FF609700000-0x00007FF609AF5000-memory.dmp

Filesize
4.0MB

Download
memory/5020-35-0x00007FF609700000-0x00007FF609AF5000-memory.dmp

Filesize
4.0MB

Download
memory/5092-1904-0x00007FF662B10000-0x00007FF662F05000-memory.dmp

Filesize
4.0MB

Download
memory/5092-944-0x00007FF662B10000-0x00007FF662F05000-memory.dmp

Filesize
4.0MB

Download
memory/5112-1900-0x00007FF6DC740000-0x00007FF6DCB35000-memory.dmp

Filesize
4.0MB

Download
memory/5112-932-0x00007FF6DC740000-0x00007FF6DCB35000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads