xmrig | 37168f0eec08c5227bccc92160046ff8c3794e961b02e286421de16ae65430db

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
Size

1.8MB
MD5

4e5dca6720cc519dc90efea620311bc0
SHA1

5362b27562cab023943a233d65ff3c7c801f9a09
SHA256

37168f0eec08c5227bccc92160046ff8c3794e961b02e286421de16ae65430db
SHA512

e4098d76070b047b0d8569036a61e2257cba743707c4c79c84d2c2e953969343995881abcb5228aebb8725cf9f7588d003615247728596f23900e64e5ff5c5d7
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOhSkEaFUG51+oAL7ZQJTVMKTbc1gsemVk8e+ogzON:knw9oUUEEDlOh516Q+oxxcdBDog66y

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/3404-80-0x00007FF71D340000-0x00007FF71D731000-memory.dmp	xmrig
behavioral2/memory/5352-90-0x00007FF75C030000-0x00007FF75C421000-memory.dmp	xmrig
behavioral2/memory/5588-92-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp	xmrig
behavioral2/memory/400-370-0x00007FF623A10000-0x00007FF623E01000-memory.dmp	xmrig
behavioral2/memory/4356-369-0x00007FF6B2260000-0x00007FF6B2651000-memory.dmp	xmrig
behavioral2/memory/4044-381-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	xmrig
behavioral2/memory/624-397-0x00007FF797960000-0x00007FF797D51000-memory.dmp	xmrig
behavioral2/memory/3092-402-0x00007FF62C360000-0x00007FF62C751000-memory.dmp	xmrig
behavioral2/memory/5024-399-0x00007FF76BDA0000-0x00007FF76C191000-memory.dmp	xmrig
behavioral2/memory/3272-389-0x00007FF6F2AE0000-0x00007FF6F2ED1000-memory.dmp	xmrig
behavioral2/memory/5724-87-0x00007FF665270000-0x00007FF665661000-memory.dmp	xmrig
behavioral2/memory/1248-84-0x00007FF72D110000-0x00007FF72D501000-memory.dmp	xmrig
behavioral2/memory/4604-82-0x00007FF7C5010000-0x00007FF7C5401000-memory.dmp	xmrig
behavioral2/memory/1480-66-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp	xmrig
behavioral2/memory/2504-48-0x00007FF6AF860000-0x00007FF6AFC51000-memory.dmp	xmrig
behavioral2/memory/828-39-0x00007FF61C9C0000-0x00007FF61CDB1000-memory.dmp	xmrig
behavioral2/memory/4132-29-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp	xmrig
behavioral2/memory/4132-1969-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp	xmrig
behavioral2/memory/4224-1970-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp	xmrig
behavioral2/memory/2988-1971-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp	xmrig
behavioral2/memory/1636-1972-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp	xmrig
behavioral2/memory/1480-1973-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp	xmrig
behavioral2/memory/5116-1974-0x00007FF620880000-0x00007FF620C71000-memory.dmp	xmrig
behavioral2/memory/5588-1992-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp	xmrig
behavioral2/memory/1856-1994-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp	xmrig
behavioral2/memory/5240-2009-0x00007FF66C410000-0x00007FF66C801000-memory.dmp	xmrig
behavioral2/memory/1100-2031-0x00007FF760D40000-0x00007FF761131000-memory.dmp	xmrig
behavioral2/memory/4132-2033-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp	xmrig
behavioral2/memory/828-2035-0x00007FF61C9C0000-0x00007FF61CDB1000-memory.dmp	xmrig
behavioral2/memory/3404-2037-0x00007FF71D340000-0x00007FF71D731000-memory.dmp	xmrig
behavioral2/memory/1636-2041-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp	xmrig
behavioral2/memory/4604-2039-0x00007FF7C5010000-0x00007FF7C5401000-memory.dmp	xmrig
behavioral2/memory/4224-2045-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp	xmrig
behavioral2/memory/2504-2043-0x00007FF6AF860000-0x00007FF6AFC51000-memory.dmp	xmrig
behavioral2/memory/1248-2048-0x00007FF72D110000-0x00007FF72D501000-memory.dmp	xmrig
behavioral2/memory/1480-2049-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp	xmrig
behavioral2/memory/2988-2055-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp	xmrig
behavioral2/memory/5724-2054-0x00007FF665270000-0x00007FF665661000-memory.dmp	xmrig
behavioral2/memory/5352-2051-0x00007FF75C030000-0x00007FF75C421000-memory.dmp	xmrig
behavioral2/memory/5588-2057-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp	xmrig
behavioral2/memory/5240-2059-0x00007FF66C410000-0x00007FF66C801000-memory.dmp	xmrig
behavioral2/memory/5116-2061-0x00007FF620880000-0x00007FF620C71000-memory.dmp	xmrig
behavioral2/memory/4356-2065-0x00007FF6B2260000-0x00007FF6B2651000-memory.dmp	xmrig
behavioral2/memory/3092-2087-0x00007FF62C360000-0x00007FF62C751000-memory.dmp	xmrig
behavioral2/memory/5024-2085-0x00007FF76BDA0000-0x00007FF76C191000-memory.dmp	xmrig
behavioral2/memory/4044-2083-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	xmrig
behavioral2/memory/3272-2082-0x00007FF6F2AE0000-0x00007FF6F2ED1000-memory.dmp	xmrig
behavioral2/memory/400-2079-0x00007FF623A10000-0x00007FF623E01000-memory.dmp	xmrig
behavioral2/memory/624-2063-0x00007FF797960000-0x00007FF797D51000-memory.dmp	xmrig
behavioral2/memory/1856-2145-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1100	srmPlQl.exe
4132	gYInzIl.exe
3404	zoFycLn.exe
828	NhhEFTT.exe
1636	rKurRwk.exe
4604	aIpUWbW.exe
2504	uglgkHk.exe
1248	jpycMzk.exe
4224	GJAgGLW.exe
1480	VEfMPje.exe
5724	FVoBvjB.exe
2988	WZzpdhn.exe
5352	DylRcSW.exe
5588	ISLJpeK.exe
1856	uNGUaiJ.exe
5116	cDUUSdA.exe
5240	YHEaMEE.exe
4356	XDvteAT.exe
400	zNFCmKX.exe
4044	PlQskCm.exe
3272	nInDfcV.exe
624	AuYpvfU.exe
5024	VzNAinv.exe
3092	MaCbreC.exe
5628	CrBeDvu.exe
2148	PLyjFmM.exe
5100	NRJPSoT.exe
5704	UePCPtY.exe
3944	iHwLyvO.exe
5144	xRaSoLu.exe
3440	niOxVFZ.exe
1316	YOVyqlw.exe
2864	DaGoBJo.exe
4036	qoiMnuO.exe
3976	fUxVRmW.exe
3800	WYZrKFC.exe
1000	OzuLFKr.exe
1660	UntlnuO.exe
5580	dUoLBbG.exe
3472	ixnrWVi.exe
3808	WXBZwAa.exe
1732	vouPePp.exe
2088	lclKGLn.exe
2464	wgpdhWz.exe
5584	yjpcQmH.exe
5196	mSsQQWe.exe
3556	ayFigMe.exe
3776	XrwnvFK.exe
3932	Wvvfzut.exe
3244	iYCszDx.exe
2768	SCobdrF.exe
5084	OOzaONc.exe
1880	tfMGzQJ.exe
5200	pynajLq.exe
4952	DODirnT.exe
3256	zTQUOhp.exe
5544	OaDkjeK.exe
5184	LINlUzn.exe
1116	wGfPAZF.exe
1804	zjqndfA.exe
5796	BZiFcgw.exe
5440	WICcDvF.exe
3416	OjzAjoA.exe
992	dwiBjYv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4788-0-0x00007FF7D9210000-0x00007FF7D9601000-memory.dmp	upx
behavioral2/files/0x0007000000023298-4.dat	upx
behavioral2/files/0x0007000000023403-9.dat	upx
behavioral2/memory/1100-13-0x00007FF760D40000-0x00007FF761131000-memory.dmp	upx
behavioral2/files/0x0007000000023405-23.dat	upx
behavioral2/files/0x0007000000023407-32.dat	upx
behavioral2/files/0x0007000000023406-36.dat	upx
behavioral2/files/0x0007000000023409-60.dat	upx
behavioral2/files/0x000700000002340b-64.dat	upx
behavioral2/memory/2988-71-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp	upx
behavioral2/memory/3404-80-0x00007FF71D340000-0x00007FF71D731000-memory.dmp	upx
behavioral2/files/0x0007000000023410-85.dat	upx
behavioral2/memory/5352-90-0x00007FF75C030000-0x00007FF75C421000-memory.dmp	upx
behavioral2/memory/5588-92-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023412-96.dat	upx
behavioral2/memory/5240-100-0x00007FF66C410000-0x00007FF66C801000-memory.dmp	upx
behavioral2/files/0x0007000000023414-120.dat	upx
behavioral2/files/0x0007000000023415-125.dat	upx
behavioral2/files/0x0007000000023418-134.dat	upx
behavioral2/files/0x0007000000023419-145.dat	upx
behavioral2/files/0x000700000002341f-169.dat	upx
behavioral2/files/0x0007000000023420-177.dat	upx
behavioral2/memory/400-370-0x00007FF623A10000-0x00007FF623E01000-memory.dmp	upx
behavioral2/memory/4356-369-0x00007FF6B2260000-0x00007FF6B2651000-memory.dmp	upx
behavioral2/memory/4044-381-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	upx
behavioral2/memory/624-397-0x00007FF797960000-0x00007FF797D51000-memory.dmp	upx
behavioral2/memory/3092-402-0x00007FF62C360000-0x00007FF62C751000-memory.dmp	upx
behavioral2/memory/5024-399-0x00007FF76BDA0000-0x00007FF76C191000-memory.dmp	upx
behavioral2/memory/3272-389-0x00007FF6F2AE0000-0x00007FF6F2ED1000-memory.dmp	upx
behavioral2/files/0x000700000002341e-168.dat	upx
behavioral2/files/0x000700000002341d-163.dat	upx
behavioral2/files/0x000700000002341c-157.dat	upx
behavioral2/files/0x000700000002341b-152.dat	upx
behavioral2/files/0x000700000002341a-148.dat	upx
behavioral2/files/0x0007000000023417-132.dat	upx
behavioral2/files/0x0007000000023416-130.dat	upx
behavioral2/files/0x0008000000023400-115.dat	upx
behavioral2/files/0x0007000000023413-110.dat	upx
behavioral2/files/0x0007000000023411-103.dat	upx
behavioral2/memory/5116-98-0x00007FF620880000-0x00007FF620C71000-memory.dmp	upx
behavioral2/memory/1856-94-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp	upx
behavioral2/memory/5724-87-0x00007FF665270000-0x00007FF665661000-memory.dmp	upx
behavioral2/memory/1248-84-0x00007FF72D110000-0x00007FF72D501000-memory.dmp	upx
behavioral2/files/0x000700000002340f-83.dat	upx
behavioral2/memory/4604-82-0x00007FF7C5010000-0x00007FF7C5401000-memory.dmp	upx
behavioral2/files/0x000700000002340d-75.dat	upx
behavioral2/files/0x000700000002340e-74.dat	upx
behavioral2/files/0x000700000002340c-68.dat	upx
behavioral2/memory/1480-66-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp	upx
behavioral2/memory/4224-58-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp	upx
behavioral2/files/0x000700000002340a-52.dat	upx
behavioral2/memory/2504-48-0x00007FF6AF860000-0x00007FF6AFC51000-memory.dmp	upx
behavioral2/memory/1636-44-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp	upx
behavioral2/files/0x0007000000023408-37.dat	upx
behavioral2/memory/828-39-0x00007FF61C9C0000-0x00007FF61CDB1000-memory.dmp	upx
behavioral2/memory/4132-29-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp	upx
behavioral2/files/0x0007000000023404-19.dat	upx
behavioral2/memory/4132-1969-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp	upx
behavioral2/memory/4224-1970-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp	upx
behavioral2/memory/2988-1971-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp	upx
behavioral2/memory/1636-1972-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp	upx
behavioral2/memory/1480-1973-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp	upx
behavioral2/memory/5116-1974-0x00007FF620880000-0x00007FF620C71000-memory.dmp	upx
behavioral2/memory/5588-1992-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\AuYpvfU.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\kfTQcdl.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XYSjQHA.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\AHHOTPU.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\aUtqQoJ.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\cGRDTkJ.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\GelPvtA.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\HKBmxCT.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ygcMJGm.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\sfCGHrg.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\yRiwFMk.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\cyZNSIK.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\PGAjNLb.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\PlQskCm.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\DyExdhc.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\yHrcElL.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\zoFycLn.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\OOzaONc.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\IQkXSjL.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\KwwUuTb.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\nKAGNac.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\gdKbImb.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\aTuyLOG.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\jskBVrY.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\jNAEMKx.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\TocxzeJ.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XxXFuIO.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\MEEdShu.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\xRaSoLu.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\GNXLYOy.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZDfgKYs.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\zTOlpHX.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\wrVTrEy.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\KIyGHpX.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\apUaypX.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\FJLntwV.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\QAoapow.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\BdNJLgs.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\KFZQiJp.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\uUYEjhG.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\utpGFMN.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\fuIAoaa.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\dbMUkcx.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\jetFfSp.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XDvteAT.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\RaOlBpX.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\sYbQFEl.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XZsfhpa.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\FYOuAyd.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\SGoyhmk.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\vouPePp.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\sbCrAkv.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\NONEkng.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ujOeHQt.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\rcJYUNY.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XziTlxH.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\frmOKGk.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\qWSEJHc.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\IBcabCM.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\BZaFCZR.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\cbWpfaM.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\kDUdAUj.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\oggbskz.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
File created	C:\Windows\System32\zggXNbh.exe	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	5048	dwm.exe
Token: SeChangeNotifyPrivilege	5048	dwm.exe
Token: 33	5048	dwm.exe
Token: SeIncBasePriorityPrivilege	5048	dwm.exe
Token: SeShutdownPrivilege	5048	dwm.exe
Token: SeCreatePagefilePrivilege	5048	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1100	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	83
PID 4788 wrote to memory of 1100	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	83
PID 4788 wrote to memory of 4132	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	84
PID 4788 wrote to memory of 4132	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	84
PID 4788 wrote to memory of 828	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	85
PID 4788 wrote to memory of 828	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	85
PID 4788 wrote to memory of 3404	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	86
PID 4788 wrote to memory of 3404	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	86
PID 4788 wrote to memory of 1636	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	87
PID 4788 wrote to memory of 1636	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	87
PID 4788 wrote to memory of 4604	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 4604	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 2504	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	89
PID 4788 wrote to memory of 2504	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	89
PID 4788 wrote to memory of 1248	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 1248	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 4224	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	91
PID 4788 wrote to memory of 4224	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	91
PID 4788 wrote to memory of 1480	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	92
PID 4788 wrote to memory of 1480	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	92
PID 4788 wrote to memory of 5724	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	93
PID 4788 wrote to memory of 5724	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	93
PID 4788 wrote to memory of 2988	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	94
PID 4788 wrote to memory of 2988	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	94
PID 4788 wrote to memory of 5352	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	95
PID 4788 wrote to memory of 5352	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	95
PID 4788 wrote to memory of 5588	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	96
PID 4788 wrote to memory of 5588	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	96
PID 4788 wrote to memory of 1856	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	97
PID 4788 wrote to memory of 1856	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	97
PID 4788 wrote to memory of 5116	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	98
PID 4788 wrote to memory of 5116	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	98
PID 4788 wrote to memory of 5240	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	99
PID 4788 wrote to memory of 5240	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	99
PID 4788 wrote to memory of 4356	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	100
PID 4788 wrote to memory of 4356	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	100
PID 4788 wrote to memory of 400	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	101
PID 4788 wrote to memory of 400	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	101
PID 4788 wrote to memory of 4044	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	102
PID 4788 wrote to memory of 4044	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	102
PID 4788 wrote to memory of 3272	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	103
PID 4788 wrote to memory of 3272	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	103
PID 4788 wrote to memory of 624	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	104
PID 4788 wrote to memory of 624	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	104
PID 4788 wrote to memory of 5024	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	105
PID 4788 wrote to memory of 5024	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	105
PID 4788 wrote to memory of 3092	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	106
PID 4788 wrote to memory of 3092	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	106
PID 4788 wrote to memory of 5628	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	107
PID 4788 wrote to memory of 5628	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	107
PID 4788 wrote to memory of 2148	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	108
PID 4788 wrote to memory of 2148	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	108
PID 4788 wrote to memory of 5100	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	109
PID 4788 wrote to memory of 5100	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	109
PID 4788 wrote to memory of 5704	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	110
PID 4788 wrote to memory of 5704	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	110
PID 4788 wrote to memory of 3944	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	111
PID 4788 wrote to memory of 3944	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	111
PID 4788 wrote to memory of 5144	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	112
PID 4788 wrote to memory of 5144	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	112
PID 4788 wrote to memory of 3440	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	113
PID 4788 wrote to memory of 3440	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	113
PID 4788 wrote to memory of 1316	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	114
PID 4788 wrote to memory of 1316	4788	4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4e5dca6720cc519dc90efea620311bc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\System32\srmPlQl.exe
  C:\Windows\System32\srmPlQl.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\gYInzIl.exe
  C:\Windows\System32\gYInzIl.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\NhhEFTT.exe
  C:\Windows\System32\NhhEFTT.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System32\zoFycLn.exe
  C:\Windows\System32\zoFycLn.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System32\rKurRwk.exe
  C:\Windows\System32\rKurRwk.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\aIpUWbW.exe
  C:\Windows\System32\aIpUWbW.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\uglgkHk.exe
  C:\Windows\System32\uglgkHk.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\jpycMzk.exe
  C:\Windows\System32\jpycMzk.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System32\GJAgGLW.exe
  C:\Windows\System32\GJAgGLW.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\VEfMPje.exe
  C:\Windows\System32\VEfMPje.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\FVoBvjB.exe
  C:\Windows\System32\FVoBvjB.exe
  2⤵
  - Executes dropped EXE
  PID:5724
- C:\Windows\System32\WZzpdhn.exe
  C:\Windows\System32\WZzpdhn.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\DylRcSW.exe
  C:\Windows\System32\DylRcSW.exe
  2⤵
  - Executes dropped EXE
  PID:5352
- C:\Windows\System32\ISLJpeK.exe
  C:\Windows\System32\ISLJpeK.exe
  2⤵
  - Executes dropped EXE
  PID:5588
- C:\Windows\System32\uNGUaiJ.exe
  C:\Windows\System32\uNGUaiJ.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\cDUUSdA.exe
  C:\Windows\System32\cDUUSdA.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\YHEaMEE.exe
  C:\Windows\System32\YHEaMEE.exe
  2⤵
  - Executes dropped EXE
  PID:5240
- C:\Windows\System32\XDvteAT.exe
  C:\Windows\System32\XDvteAT.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\zNFCmKX.exe
  C:\Windows\System32\zNFCmKX.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\PlQskCm.exe
  C:\Windows\System32\PlQskCm.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\nInDfcV.exe
  C:\Windows\System32\nInDfcV.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\AuYpvfU.exe
  C:\Windows\System32\AuYpvfU.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\VzNAinv.exe
  C:\Windows\System32\VzNAinv.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System32\MaCbreC.exe
  C:\Windows\System32\MaCbreC.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\CrBeDvu.exe
  C:\Windows\System32\CrBeDvu.exe
  2⤵
  - Executes dropped EXE
  PID:5628
- C:\Windows\System32\PLyjFmM.exe
  C:\Windows\System32\PLyjFmM.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\NRJPSoT.exe
  C:\Windows\System32\NRJPSoT.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\UePCPtY.exe
  C:\Windows\System32\UePCPtY.exe
  2⤵
  - Executes dropped EXE
  PID:5704
- C:\Windows\System32\iHwLyvO.exe
  C:\Windows\System32\iHwLyvO.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\xRaSoLu.exe
  C:\Windows\System32\xRaSoLu.exe
  2⤵
  - Executes dropped EXE
  PID:5144
- C:\Windows\System32\niOxVFZ.exe
  C:\Windows\System32\niOxVFZ.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\YOVyqlw.exe
  C:\Windows\System32\YOVyqlw.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System32\DaGoBJo.exe
  C:\Windows\System32\DaGoBJo.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\qoiMnuO.exe
  C:\Windows\System32\qoiMnuO.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\fUxVRmW.exe
  C:\Windows\System32\fUxVRmW.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\WYZrKFC.exe
  C:\Windows\System32\WYZrKFC.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\OzuLFKr.exe
  C:\Windows\System32\OzuLFKr.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\UntlnuO.exe
  C:\Windows\System32\UntlnuO.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\dUoLBbG.exe
  C:\Windows\System32\dUoLBbG.exe
  2⤵
  - Executes dropped EXE
  PID:5580
- C:\Windows\System32\ixnrWVi.exe
  C:\Windows\System32\ixnrWVi.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\WXBZwAa.exe
  C:\Windows\System32\WXBZwAa.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System32\vouPePp.exe
  C:\Windows\System32\vouPePp.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\lclKGLn.exe
  C:\Windows\System32\lclKGLn.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\wgpdhWz.exe
  C:\Windows\System32\wgpdhWz.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\yjpcQmH.exe
  C:\Windows\System32\yjpcQmH.exe
  2⤵
  - Executes dropped EXE
  PID:5584
- C:\Windows\System32\mSsQQWe.exe
  C:\Windows\System32\mSsQQWe.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System32\ayFigMe.exe
  C:\Windows\System32\ayFigMe.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\XrwnvFK.exe
  C:\Windows\System32\XrwnvFK.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\Wvvfzut.exe
  C:\Windows\System32\Wvvfzut.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\iYCszDx.exe
  C:\Windows\System32\iYCszDx.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\SCobdrF.exe
  C:\Windows\System32\SCobdrF.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\OOzaONc.exe
  C:\Windows\System32\OOzaONc.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\tfMGzQJ.exe
  C:\Windows\System32\tfMGzQJ.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\pynajLq.exe
  C:\Windows\System32\pynajLq.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Windows\System32\DODirnT.exe
  C:\Windows\System32\DODirnT.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\zTQUOhp.exe
  C:\Windows\System32\zTQUOhp.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\OaDkjeK.exe
  C:\Windows\System32\OaDkjeK.exe
  2⤵
  - Executes dropped EXE
  PID:5544
- C:\Windows\System32\LINlUzn.exe
  C:\Windows\System32\LINlUzn.exe
  2⤵
  - Executes dropped EXE
  PID:5184
- C:\Windows\System32\wGfPAZF.exe
  C:\Windows\System32\wGfPAZF.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\zjqndfA.exe
  C:\Windows\System32\zjqndfA.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\BZiFcgw.exe
  C:\Windows\System32\BZiFcgw.exe
  2⤵
  - Executes dropped EXE
  PID:5796
- C:\Windows\System32\WICcDvF.exe
  C:\Windows\System32\WICcDvF.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Windows\System32\OjzAjoA.exe
  C:\Windows\System32\OjzAjoA.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\dwiBjYv.exe
  C:\Windows\System32\dwiBjYv.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System32\dfHaexo.exe
  C:\Windows\System32\dfHaexo.exe
  2⤵
  PID:1148
- C:\Windows\System32\amtTWmG.exe
  C:\Windows\System32\amtTWmG.exe
  2⤵
  PID:1500
- C:\Windows\System32\OWGElzh.exe
  C:\Windows\System32\OWGElzh.exe
  2⤵
  PID:2060
- C:\Windows\System32\ESLaEht.exe
  C:\Windows\System32\ESLaEht.exe
  2⤵
  PID:5168
- C:\Windows\System32\QSNXzlI.exe
  C:\Windows\System32\QSNXzlI.exe
  2⤵
  PID:2688
- C:\Windows\System32\oggbskz.exe
  C:\Windows\System32\oggbskz.exe
  2⤵
  PID:4440
- C:\Windows\System32\kxQPKJX.exe
  C:\Windows\System32\kxQPKJX.exe
  2⤵
  PID:628
- C:\Windows\System32\oxHBhAZ.exe
  C:\Windows\System32\oxHBhAZ.exe
  2⤵
  PID:4796
- C:\Windows\System32\UZlMQJr.exe
  C:\Windows\System32\UZlMQJr.exe
  2⤵
  PID:2900
- C:\Windows\System32\qPCcSGB.exe
  C:\Windows\System32\qPCcSGB.exe
  2⤵
  PID:5688
- C:\Windows\System32\ZUyXKAk.exe
  C:\Windows\System32\ZUyXKAk.exe
  2⤵
  PID:6132
- C:\Windows\System32\kIoNzZf.exe
  C:\Windows\System32\kIoNzZf.exe
  2⤵
  PID:5044
- C:\Windows\System32\pXORQJf.exe
  C:\Windows\System32\pXORQJf.exe
  2⤵
  PID:5536
- C:\Windows\System32\jpklsOk.exe
  C:\Windows\System32\jpklsOk.exe
  2⤵
  PID:5476
- C:\Windows\System32\HQbMEul.exe
  C:\Windows\System32\HQbMEul.exe
  2⤵
  PID:956
- C:\Windows\System32\ezlcEKE.exe
  C:\Windows\System32\ezlcEKE.exe
  2⤵
  PID:3320
- C:\Windows\System32\guZPJtV.exe
  C:\Windows\System32\guZPJtV.exe
  2⤵
  PID:212
- C:\Windows\System32\jxVUJWB.exe
  C:\Windows\System32\jxVUJWB.exe
  2⤵
  PID:5684
- C:\Windows\System32\sbCrAkv.exe
  C:\Windows\System32\sbCrAkv.exe
  2⤵
  PID:4884
- C:\Windows\System32\CEXsXtY.exe
  C:\Windows\System32\CEXsXtY.exe
  2⤵
  PID:4556
- C:\Windows\System32\dfbwDxd.exe
  C:\Windows\System32\dfbwDxd.exe
  2⤵
  PID:3184
- C:\Windows\System32\BVfHiPX.exe
  C:\Windows\System32\BVfHiPX.exe
  2⤵
  PID:4460
- C:\Windows\System32\LIBCuGV.exe
  C:\Windows\System32\LIBCuGV.exe
  2⤵
  PID:3596
- C:\Windows\System32\DWgnMvw.exe
  C:\Windows\System32\DWgnMvw.exe
  2⤵
  PID:5632
- C:\Windows\System32\cCqOUay.exe
  C:\Windows\System32\cCqOUay.exe
  2⤵
  PID:6120
- C:\Windows\System32\TWUbsSx.exe
  C:\Windows\System32\TWUbsSx.exe
  2⤵
  PID:2216
- C:\Windows\System32\QhLNGqX.exe
  C:\Windows\System32\QhLNGqX.exe
  2⤵
  PID:3492
- C:\Windows\System32\GyMtUFe.exe
  C:\Windows\System32\GyMtUFe.exe
  2⤵
  PID:5360
- C:\Windows\System32\iYyGeJr.exe
  C:\Windows\System32\iYyGeJr.exe
  2⤵
  PID:4964
- C:\Windows\System32\LgYdqUH.exe
  C:\Windows\System32\LgYdqUH.exe
  2⤵
  PID:2540
- C:\Windows\System32\XziTlxH.exe
  C:\Windows\System32\XziTlxH.exe
  2⤵
  PID:5188
- C:\Windows\System32\WYacSJs.exe
  C:\Windows\System32\WYacSJs.exe
  2⤵
  PID:8
- C:\Windows\System32\kqvZDQZ.exe
  C:\Windows\System32\kqvZDQZ.exe
  2⤵
  PID:4644
- C:\Windows\System32\KbsIcme.exe
  C:\Windows\System32\KbsIcme.exe
  2⤵
  PID:3908
- C:\Windows\System32\OSMBXTz.exe
  C:\Windows\System32\OSMBXTz.exe
  2⤵
  PID:4688
- C:\Windows\System32\HBTqLfZ.exe
  C:\Windows\System32\HBTqLfZ.exe
  2⤵
  PID:6028
- C:\Windows\System32\ymRLbXM.exe
  C:\Windows\System32\ymRLbXM.exe
  2⤵
  PID:888
- C:\Windows\System32\uPZShYA.exe
  C:\Windows\System32\uPZShYA.exe
  2⤵
  PID:2432
- C:\Windows\System32\RuKLCkB.exe
  C:\Windows\System32\RuKLCkB.exe
  2⤵
  PID:3188
- C:\Windows\System32\RdlfAwy.exe
  C:\Windows\System32\RdlfAwy.exe
  2⤵
  PID:2484
- C:\Windows\System32\apUaypX.exe
  C:\Windows\System32\apUaypX.exe
  2⤵
  PID:2720
- C:\Windows\System32\OZUVJtl.exe
  C:\Windows\System32\OZUVJtl.exe
  2⤵
  PID:1800
- C:\Windows\System32\AKsVpEn.exe
  C:\Windows\System32\AKsVpEn.exe
  2⤵
  PID:2220
- C:\Windows\System32\gVIVOlH.exe
  C:\Windows\System32\gVIVOlH.exe
  2⤵
  PID:2244
- C:\Windows\System32\FBbsaqu.exe
  C:\Windows\System32\FBbsaqu.exe
  2⤵
  PID:6140
- C:\Windows\System32\KjYdypM.exe
  C:\Windows\System32\KjYdypM.exe
  2⤵
  PID:5180
- C:\Windows\System32\sxukbFj.exe
  C:\Windows\System32\sxukbFj.exe
  2⤵
  PID:2612
- C:\Windows\System32\AKTpUin.exe
  C:\Windows\System32\AKTpUin.exe
  2⤵
  PID:5344
- C:\Windows\System32\KBsKOkf.exe
  C:\Windows\System32\KBsKOkf.exe
  2⤵
  PID:4168
- C:\Windows\System32\nLCzbjl.exe
  C:\Windows\System32\nLCzbjl.exe
  2⤵
  PID:1268
- C:\Windows\System32\gdKbImb.exe
  C:\Windows\System32\gdKbImb.exe
  2⤵
  PID:1952
- C:\Windows\System32\FtjJftX.exe
  C:\Windows\System32\FtjJftX.exe
  2⤵
  PID:3528
- C:\Windows\System32\NlINYxB.exe
  C:\Windows\System32\NlINYxB.exe
  2⤵
  PID:1380
- C:\Windows\System32\hxzOnEG.exe
  C:\Windows\System32\hxzOnEG.exe
  2⤵
  PID:3020
- C:\Windows\System32\TcOpiwA.exe
  C:\Windows\System32\TcOpiwA.exe
  2⤵
  PID:408
- C:\Windows\System32\Qvwjgfp.exe
  C:\Windows\System32\Qvwjgfp.exe
  2⤵
  PID:2772
- C:\Windows\System32\PkOgIre.exe
  C:\Windows\System32\PkOgIre.exe
  2⤵
  PID:4468
- C:\Windows\System32\iSDSrbM.exe
  C:\Windows\System32\iSDSrbM.exe
  2⤵
  PID:4624
- C:\Windows\System32\NsoWYce.exe
  C:\Windows\System32\NsoWYce.exe
  2⤵
  PID:1868
- C:\Windows\System32\vEyBEOn.exe
  C:\Windows\System32\vEyBEOn.exe
  2⤵
  PID:512
- C:\Windows\System32\VbOryMX.exe
  C:\Windows\System32\VbOryMX.exe
  2⤵
  PID:4424
- C:\Windows\System32\GNXLYOy.exe
  C:\Windows\System32\GNXLYOy.exe
  2⤵
  PID:3012
- C:\Windows\System32\yowXTUH.exe
  C:\Windows\System32\yowXTUH.exe
  2⤵
  PID:5248
- C:\Windows\System32\vpmdUEz.exe
  C:\Windows\System32\vpmdUEz.exe
  2⤵
  PID:692
- C:\Windows\System32\efqdoxi.exe
  C:\Windows\System32\efqdoxi.exe
  2⤵
  PID:5596
- C:\Windows\System32\SWIiEgN.exe
  C:\Windows\System32\SWIiEgN.exe
  2⤵
  PID:3700
- C:\Windows\System32\eRiTcek.exe
  C:\Windows\System32\eRiTcek.exe
  2⤵
  PID:2160
- C:\Windows\System32\hvquKEe.exe
  C:\Windows\System32\hvquKEe.exe
  2⤵
  PID:5316
- C:\Windows\System32\TQYBVCK.exe
  C:\Windows\System32\TQYBVCK.exe
  2⤵
  PID:3880
- C:\Windows\System32\agVDnCv.exe
  C:\Windows\System32\agVDnCv.exe
  2⤵
  PID:912
- C:\Windows\System32\iNRbtMu.exe
  C:\Windows\System32\iNRbtMu.exe
  2⤵
  PID:5572
- C:\Windows\System32\RaOlBpX.exe
  C:\Windows\System32\RaOlBpX.exe
  2⤵
  PID:1288
- C:\Windows\System32\uIKitNw.exe
  C:\Windows\System32\uIKitNw.exe
  2⤵
  PID:2472
- C:\Windows\System32\FrEnogq.exe
  C:\Windows\System32\FrEnogq.exe
  2⤵
  PID:4668
- C:\Windows\System32\HpggNmc.exe
  C:\Windows\System32\HpggNmc.exe
  2⤵
  PID:1704
- C:\Windows\System32\uvJFnCi.exe
  C:\Windows\System32\uvJFnCi.exe
  2⤵
  PID:4764
- C:\Windows\System32\NONEkng.exe
  C:\Windows\System32\NONEkng.exe
  2⤵
  PID:3444
- C:\Windows\System32\JYXSWES.exe
  C:\Windows\System32\JYXSWES.exe
  2⤵
  PID:2932
- C:\Windows\System32\UCNYAkM.exe
  C:\Windows\System32\UCNYAkM.exe
  2⤵
  PID:2740
- C:\Windows\System32\ygcMJGm.exe
  C:\Windows\System32\ygcMJGm.exe
  2⤵
  PID:5368
- C:\Windows\System32\sYbQFEl.exe
  C:\Windows\System32\sYbQFEl.exe
  2⤵
  PID:5292
- C:\Windows\System32\phKdbMI.exe
  C:\Windows\System32\phKdbMI.exe
  2⤵
  PID:2444
- C:\Windows\System32\nbWLGJg.exe
  C:\Windows\System32\nbWLGJg.exe
  2⤵
  PID:5760
- C:\Windows\System32\kyDphyR.exe
  C:\Windows\System32\kyDphyR.exe
  2⤵
  PID:4432
- C:\Windows\System32\kfTQcdl.exe
  C:\Windows\System32\kfTQcdl.exe
  2⤵
  PID:2756
- C:\Windows\System32\aEfhzhJ.exe
  C:\Windows\System32\aEfhzhJ.exe
  2⤵
  PID:2228
- C:\Windows\System32\NnmioBm.exe
  C:\Windows\System32\NnmioBm.exe
  2⤵
  PID:4328
- C:\Windows\System32\ljJpELC.exe
  C:\Windows\System32\ljJpELC.exe
  2⤵
  PID:6040
- C:\Windows\System32\GWoiLWS.exe
  C:\Windows\System32\GWoiLWS.exe
  2⤵
  PID:3732
- C:\Windows\System32\MnJiAda.exe
  C:\Windows\System32\MnJiAda.exe
  2⤵
  PID:4844
- C:\Windows\System32\oeAhaBZ.exe
  C:\Windows\System32\oeAhaBZ.exe
  2⤵
  PID:6064
- C:\Windows\System32\kpKMGLF.exe
  C:\Windows\System32\kpKMGLF.exe
  2⤵
  PID:1684
- C:\Windows\System32\nGYfabl.exe
  C:\Windows\System32\nGYfabl.exe
  2⤵
  PID:4452
- C:\Windows\System32\dubJGmU.exe
  C:\Windows\System32\dubJGmU.exe
  2⤵
  PID:5464
- C:\Windows\System32\AwcZCWA.exe
  C:\Windows\System32\AwcZCWA.exe
  2⤵
  PID:3668
- C:\Windows\System32\nguxLJd.exe
  C:\Windows\System32\nguxLJd.exe
  2⤵
  PID:2660
- C:\Windows\System32\WZyjKow.exe
  C:\Windows\System32\WZyjKow.exe
  2⤵
  PID:3664
- C:\Windows\System32\TQRqQRn.exe
  C:\Windows\System32\TQRqQRn.exe
  2⤵
  PID:1780
- C:\Windows\System32\zutntsA.exe
  C:\Windows\System32\zutntsA.exe
  2⤵
  PID:3940
- C:\Windows\System32\ZDfgKYs.exe
  C:\Windows\System32\ZDfgKYs.exe
  2⤵
  PID:928
- C:\Windows\System32\zzXXxwa.exe
  C:\Windows\System32\zzXXxwa.exe
  2⤵
  PID:4508
- C:\Windows\System32\gyGsWXi.exe
  C:\Windows\System32\gyGsWXi.exe
  2⤵
  PID:5676
- C:\Windows\System32\BUFEMem.exe
  C:\Windows\System32\BUFEMem.exe
  2⤵
  PID:6192
- C:\Windows\System32\aTuyLOG.exe
  C:\Windows\System32\aTuyLOG.exe
  2⤵
  PID:6220
- C:\Windows\System32\qbYnekL.exe
  C:\Windows\System32\qbYnekL.exe
  2⤵
  PID:6244
- C:\Windows\System32\xRGNrzW.exe
  C:\Windows\System32\xRGNrzW.exe
  2⤵
  PID:6268
- C:\Windows\System32\JCpDoRs.exe
  C:\Windows\System32\JCpDoRs.exe
  2⤵
  PID:6292
- C:\Windows\System32\VugJJJl.exe
  C:\Windows\System32\VugJJJl.exe
  2⤵
  PID:6312
- C:\Windows\System32\ClxykWe.exe
  C:\Windows\System32\ClxykWe.exe
  2⤵
  PID:6332
- C:\Windows\System32\igeeWWy.exe
  C:\Windows\System32\igeeWWy.exe
  2⤵
  PID:6356
- C:\Windows\System32\ZfdncLQ.exe
  C:\Windows\System32\ZfdncLQ.exe
  2⤵
  PID:6376
- C:\Windows\System32\jqiRmft.exe
  C:\Windows\System32\jqiRmft.exe
  2⤵
  PID:6436
- C:\Windows\System32\ujOeHQt.exe
  C:\Windows\System32\ujOeHQt.exe
  2⤵
  PID:6484
- C:\Windows\System32\aDBEcuL.exe
  C:\Windows\System32\aDBEcuL.exe
  2⤵
  PID:6500
- C:\Windows\System32\dmUqUBn.exe
  C:\Windows\System32\dmUqUBn.exe
  2⤵
  PID:6524
- C:\Windows\System32\fTooFTq.exe
  C:\Windows\System32\fTooFTq.exe
  2⤵
  PID:6544
- C:\Windows\System32\IUbCtQu.exe
  C:\Windows\System32\IUbCtQu.exe
  2⤵
  PID:6588
- C:\Windows\System32\uPLzSWm.exe
  C:\Windows\System32\uPLzSWm.exe
  2⤵
  PID:6604
- C:\Windows\System32\LmpNwex.exe
  C:\Windows\System32\LmpNwex.exe
  2⤵
  PID:6628
- C:\Windows\System32\SVWhriC.exe
  C:\Windows\System32\SVWhriC.exe
  2⤵
  PID:6660
- C:\Windows\System32\PNTQiuZ.exe
  C:\Windows\System32\PNTQiuZ.exe
  2⤵
  PID:6680
- C:\Windows\System32\uufKTmb.exe
  C:\Windows\System32\uufKTmb.exe
  2⤵
  PID:6708
- C:\Windows\System32\NoRvUqU.exe
  C:\Windows\System32\NoRvUqU.exe
  2⤵
  PID:6728
- C:\Windows\System32\bNSlSLY.exe
  C:\Windows\System32\bNSlSLY.exe
  2⤵
  PID:6752
- C:\Windows\System32\rmVzAMI.exe
  C:\Windows\System32\rmVzAMI.exe
  2⤵
  PID:6804
- C:\Windows\System32\yBpHTLC.exe
  C:\Windows\System32\yBpHTLC.exe
  2⤵
  PID:6828
- C:\Windows\System32\rhOcuOF.exe
  C:\Windows\System32\rhOcuOF.exe
  2⤵
  PID:6848
- C:\Windows\System32\XYSjQHA.exe
  C:\Windows\System32\XYSjQHA.exe
  2⤵
  PID:6872
- C:\Windows\System32\jexpgyH.exe
  C:\Windows\System32\jexpgyH.exe
  2⤵
  PID:6892
- C:\Windows\System32\Zwnkztg.exe
  C:\Windows\System32\Zwnkztg.exe
  2⤵
  PID:6936
- C:\Windows\System32\wutNEJI.exe
  C:\Windows\System32\wutNEJI.exe
  2⤵
  PID:6976
- C:\Windows\System32\jkaEmBq.exe
  C:\Windows\System32\jkaEmBq.exe
  2⤵
  PID:7004
- C:\Windows\System32\sfCGHrg.exe
  C:\Windows\System32\sfCGHrg.exe
  2⤵
  PID:7040
- C:\Windows\System32\cXCjhKu.exe
  C:\Windows\System32\cXCjhKu.exe
  2⤵
  PID:7064
- C:\Windows\System32\RIDEjlX.exe
  C:\Windows\System32\RIDEjlX.exe
  2⤵
  PID:7088
- C:\Windows\System32\XZsfhpa.exe
  C:\Windows\System32\XZsfhpa.exe
  2⤵
  PID:7128
- C:\Windows\System32\xMhTULI.exe
  C:\Windows\System32\xMhTULI.exe
  2⤵
  PID:7160
- C:\Windows\System32\uhypmer.exe
  C:\Windows\System32\uhypmer.exe
  2⤵
  PID:2676
- C:\Windows\System32\vnSvYjS.exe
  C:\Windows\System32\vnSvYjS.exe
  2⤵
  PID:6168
- C:\Windows\System32\sCApymY.exe
  C:\Windows\System32\sCApymY.exe
  2⤵
  PID:6240
- C:\Windows\System32\zGkJUdP.exe
  C:\Windows\System32\zGkJUdP.exe
  2⤵
  PID:6284
- C:\Windows\System32\XjXbVvL.exe
  C:\Windows\System32\XjXbVvL.exe
  2⤵
  PID:6328
- C:\Windows\System32\aPdRKza.exe
  C:\Windows\System32\aPdRKza.exe
  2⤵
  PID:6412
- C:\Windows\System32\AHHOTPU.exe
  C:\Windows\System32\AHHOTPU.exe
  2⤵
  PID:6476
- C:\Windows\System32\Iitjnoo.exe
  C:\Windows\System32\Iitjnoo.exe
  2⤵
  PID:3900
- C:\Windows\System32\hWXemxr.exe
  C:\Windows\System32\hWXemxr.exe
  2⤵
  PID:6536
- C:\Windows\System32\xhEpASG.exe
  C:\Windows\System32\xhEpASG.exe
  2⤵
  PID:6580
- C:\Windows\System32\aUtqQoJ.exe
  C:\Windows\System32\aUtqQoJ.exe
  2⤵
  PID:6644
- C:\Windows\System32\lFKvpUb.exe
  C:\Windows\System32\lFKvpUb.exe
  2⤵
  PID:6736
- C:\Windows\System32\bKwLjIi.exe
  C:\Windows\System32\bKwLjIi.exe
  2⤵
  PID:6764
- C:\Windows\System32\oPkeJHS.exe
  C:\Windows\System32\oPkeJHS.exe
  2⤵
  PID:6720
- C:\Windows\System32\NJxiMXZ.exe
  C:\Windows\System32\NJxiMXZ.exe
  2⤵
  PID:6840
- C:\Windows\System32\FJLntwV.exe
  C:\Windows\System32\FJLntwV.exe
  2⤵
  PID:6916
- C:\Windows\System32\cGRDTkJ.exe
  C:\Windows\System32\cGRDTkJ.exe
  2⤵
  PID:6924
- C:\Windows\System32\zRDMmPE.exe
  C:\Windows\System32\zRDMmPE.exe
  2⤵
  PID:6020
- C:\Windows\System32\WMGXzSC.exe
  C:\Windows\System32\WMGXzSC.exe
  2⤵
  PID:7056
- C:\Windows\System32\GelPvtA.exe
  C:\Windows\System32\GelPvtA.exe
  2⤵
  PID:7100
- C:\Windows\System32\IBcabCM.exe
  C:\Windows\System32\IBcabCM.exe
  2⤵
  PID:6252
- C:\Windows\System32\IdioqNM.exe
  C:\Windows\System32\IdioqNM.exe
  2⤵
  PID:6540
- C:\Windows\System32\ylJhQMW.exe
  C:\Windows\System32\ylJhQMW.exe
  2⤵
  PID:6688
- C:\Windows\System32\nEixgyH.exe
  C:\Windows\System32\nEixgyH.exe
  2⤵
  PID:6820
- C:\Windows\System32\bepjZwF.exe
  C:\Windows\System32\bepjZwF.exe
  2⤵
  PID:4016
- C:\Windows\System32\yXKIPZf.exe
  C:\Windows\System32\yXKIPZf.exe
  2⤵
  PID:7060
- C:\Windows\System32\uUYEjhG.exe
  C:\Windows\System32\uUYEjhG.exe
  2⤵
  PID:7120
- C:\Windows\System32\kNRVzYN.exe
  C:\Windows\System32\kNRVzYN.exe
  2⤵
  PID:7076
- C:\Windows\System32\CNVXFUf.exe
  C:\Windows\System32\CNVXFUf.exe
  2⤵
  PID:6324
- C:\Windows\System32\KlmJJGT.exe
  C:\Windows\System32\KlmJJGT.exe
  2⤵
  PID:7012
- C:\Windows\System32\GHCkVMQ.exe
  C:\Windows\System32\GHCkVMQ.exe
  2⤵
  PID:7172
- C:\Windows\System32\XgKScgz.exe
  C:\Windows\System32\XgKScgz.exe
  2⤵
  PID:7192
- C:\Windows\System32\lqfgupd.exe
  C:\Windows\System32\lqfgupd.exe
  2⤵
  PID:7212
- C:\Windows\System32\QHerDKa.exe
  C:\Windows\System32\QHerDKa.exe
  2⤵
  PID:7232
- C:\Windows\System32\hbCNmzX.exe
  C:\Windows\System32\hbCNmzX.exe
  2⤵
  PID:7256
- C:\Windows\System32\NShWnCT.exe
  C:\Windows\System32\NShWnCT.exe
  2⤵
  PID:7288
- C:\Windows\System32\XEMzVEG.exe
  C:\Windows\System32\XEMzVEG.exe
  2⤵
  PID:7348
- C:\Windows\System32\LgZefgv.exe
  C:\Windows\System32\LgZefgv.exe
  2⤵
  PID:7372
- C:\Windows\System32\QAcFsng.exe
  C:\Windows\System32\QAcFsng.exe
  2⤵
  PID:7432
- C:\Windows\System32\jNdyuJS.exe
  C:\Windows\System32\jNdyuJS.exe
  2⤵
  PID:7468
- C:\Windows\System32\DJbDpdl.exe
  C:\Windows\System32\DJbDpdl.exe
  2⤵
  PID:7492
- C:\Windows\System32\jBAfEUv.exe
  C:\Windows\System32\jBAfEUv.exe
  2⤵
  PID:7512
- C:\Windows\System32\KVynOKT.exe
  C:\Windows\System32\KVynOKT.exe
  2⤵
  PID:7528
- C:\Windows\System32\UtKeKsI.exe
  C:\Windows\System32\UtKeKsI.exe
  2⤵
  PID:7548
- C:\Windows\System32\olEouDN.exe
  C:\Windows\System32\olEouDN.exe
  2⤵
  PID:7580
- C:\Windows\System32\UbSFvDF.exe
  C:\Windows\System32\UbSFvDF.exe
  2⤵
  PID:7620
- C:\Windows\System32\jskBVrY.exe
  C:\Windows\System32\jskBVrY.exe
  2⤵
  PID:7652
- C:\Windows\System32\XOxCrDg.exe
  C:\Windows\System32\XOxCrDg.exe
  2⤵
  PID:7676
- C:\Windows\System32\hzjNWgq.exe
  C:\Windows\System32\hzjNWgq.exe
  2⤵
  PID:7716
- C:\Windows\System32\OScbQvP.exe
  C:\Windows\System32\OScbQvP.exe
  2⤵
  PID:7744
- C:\Windows\System32\MdcgWJN.exe
  C:\Windows\System32\MdcgWJN.exe
  2⤵
  PID:7780
- C:\Windows\System32\kzAbqIZ.exe
  C:\Windows\System32\kzAbqIZ.exe
  2⤵
  PID:7800
- C:\Windows\System32\jNAEMKx.exe
  C:\Windows\System32\jNAEMKx.exe
  2⤵
  PID:7824
- C:\Windows\System32\MKhpPaX.exe
  C:\Windows\System32\MKhpPaX.exe
  2⤵
  PID:7844
- C:\Windows\System32\MEpcBWj.exe
  C:\Windows\System32\MEpcBWj.exe
  2⤵
  PID:7876
- C:\Windows\System32\AsiyzVc.exe
  C:\Windows\System32\AsiyzVc.exe
  2⤵
  PID:7900
- C:\Windows\System32\arUcSCZ.exe
  C:\Windows\System32\arUcSCZ.exe
  2⤵
  PID:7916
- C:\Windows\System32\coXBkbB.exe
  C:\Windows\System32\coXBkbB.exe
  2⤵
  PID:7940
- C:\Windows\System32\QJPxZAi.exe
  C:\Windows\System32\QJPxZAi.exe
  2⤵
  PID:8000
- C:\Windows\System32\voXZJzU.exe
  C:\Windows\System32\voXZJzU.exe
  2⤵
  PID:8028
- C:\Windows\System32\GWhJRwl.exe
  C:\Windows\System32\GWhJRwl.exe
  2⤵
  PID:8052
- C:\Windows\System32\DPOGLcc.exe
  C:\Windows\System32\DPOGLcc.exe
  2⤵
  PID:8072
- C:\Windows\System32\PmWcmgb.exe
  C:\Windows\System32\PmWcmgb.exe
  2⤵
  PID:8100
- C:\Windows\System32\HKBmxCT.exe
  C:\Windows\System32\HKBmxCT.exe
  2⤵
  PID:8124
- C:\Windows\System32\pdOhRcW.exe
  C:\Windows\System32\pdOhRcW.exe
  2⤵
  PID:8148
- C:\Windows\System32\xkWBsYw.exe
  C:\Windows\System32\xkWBsYw.exe
  2⤵
  PID:8188
- C:\Windows\System32\bdlyGOu.exe
  C:\Windows\System32\bdlyGOu.exe
  2⤵
  PID:6572
- C:\Windows\System32\bcvxUSP.exe
  C:\Windows\System32\bcvxUSP.exe
  2⤵
  PID:6908
- C:\Windows\System32\axsZOsr.exe
  C:\Windows\System32\axsZOsr.exe
  2⤵
  PID:7208
- C:\Windows\System32\AhhazcT.exe
  C:\Windows\System32\AhhazcT.exe
  2⤵
  PID:7296
- C:\Windows\System32\VIwSJPQ.exe
  C:\Windows\System32\VIwSJPQ.exe
  2⤵
  PID:7404
- C:\Windows\System32\tgxlHmm.exe
  C:\Windows\System32\tgxlHmm.exe
  2⤵
  PID:7480
- C:\Windows\System32\EQSMxKJ.exe
  C:\Windows\System32\EQSMxKJ.exe
  2⤵
  PID:7536
- C:\Windows\System32\UtGuCaC.exe
  C:\Windows\System32\UtGuCaC.exe
  2⤵
  PID:7520
- C:\Windows\System32\purkaYA.exe
  C:\Windows\System32\purkaYA.exe
  2⤵
  PID:7632
- C:\Windows\System32\JgjEOfK.exe
  C:\Windows\System32\JgjEOfK.exe
  2⤵
  PID:7740
- C:\Windows\System32\oQKvsNe.exe
  C:\Windows\System32\oQKvsNe.exe
  2⤵
  PID:7792
- C:\Windows\System32\aKrLHut.exe
  C:\Windows\System32\aKrLHut.exe
  2⤵
  PID:7896
- C:\Windows\System32\WJEuFzW.exe
  C:\Windows\System32\WJEuFzW.exe
  2⤵
  PID:7968
- C:\Windows\System32\LMrlMDH.exe
  C:\Windows\System32\LMrlMDH.exe
  2⤵
  PID:7976
- C:\Windows\System32\CmcXXiN.exe
  C:\Windows\System32\CmcXXiN.exe
  2⤵
  PID:8036
- C:\Windows\System32\vqapCgj.exe
  C:\Windows\System32\vqapCgj.exe
  2⤵
  PID:8092
- C:\Windows\System32\xSGgaLi.exe
  C:\Windows\System32\xSGgaLi.exe
  2⤵
  PID:8144
- C:\Windows\System32\UwVKTnk.exe
  C:\Windows\System32\UwVKTnk.exe
  2⤵
  PID:7152
- C:\Windows\System32\CzFHzgf.exe
  C:\Windows\System32\CzFHzgf.exe
  2⤵
  PID:7272
- C:\Windows\System32\VFyAgeX.exe
  C:\Windows\System32\VFyAgeX.exe
  2⤵
  PID:7312
- C:\Windows\System32\zggXNbh.exe
  C:\Windows\System32\zggXNbh.exe
  2⤵
  PID:7556
- C:\Windows\System32\AioMTqJ.exe
  C:\Windows\System32\AioMTqJ.exe
  2⤵
  PID:7884
- C:\Windows\System32\NadfKjI.exe
  C:\Windows\System32\NadfKjI.exe
  2⤵
  PID:7960
- C:\Windows\System32\felPJZi.exe
  C:\Windows\System32\felPJZi.exe
  2⤵
  PID:8080
- C:\Windows\System32\sMFcrdz.exe
  C:\Windows\System32\sMFcrdz.exe
  2⤵
  PID:7448
- C:\Windows\System32\utpGFMN.exe
  C:\Windows\System32\utpGFMN.exe
  2⤵
  PID:7588
- C:\Windows\System32\IQkXSjL.exe
  C:\Windows\System32\IQkXSjL.exe
  2⤵
  PID:4372
- C:\Windows\System32\uyDzwTA.exe
  C:\Windows\System32\uyDzwTA.exe
  2⤵
  PID:7452
- C:\Windows\System32\nVRMUmL.exe
  C:\Windows\System32\nVRMUmL.exe
  2⤵
  PID:8136
- C:\Windows\System32\rsQgkSC.exe
  C:\Windows\System32\rsQgkSC.exe
  2⤵
  PID:8200
- C:\Windows\System32\PwTiMzE.exe
  C:\Windows\System32\PwTiMzE.exe
  2⤵
  PID:8284
- C:\Windows\System32\pKiqKzV.exe
  C:\Windows\System32\pKiqKzV.exe
  2⤵
  PID:8300
- C:\Windows\System32\RbhjxbI.exe
  C:\Windows\System32\RbhjxbI.exe
  2⤵
  PID:8316
- C:\Windows\System32\CtNuRda.exe
  C:\Windows\System32\CtNuRda.exe
  2⤵
  PID:8332
- C:\Windows\System32\TAAqpkO.exe
  C:\Windows\System32\TAAqpkO.exe
  2⤵
  PID:8348
- C:\Windows\System32\JVCNtqO.exe
  C:\Windows\System32\JVCNtqO.exe
  2⤵
  PID:8364
- C:\Windows\System32\frmOKGk.exe
  C:\Windows\System32\frmOKGk.exe
  2⤵
  PID:8380
- C:\Windows\System32\fiWEvoO.exe
  C:\Windows\System32\fiWEvoO.exe
  2⤵
  PID:8396
- C:\Windows\System32\eYoJKwh.exe
  C:\Windows\System32\eYoJKwh.exe
  2⤵
  PID:8412
- C:\Windows\System32\QVzHsCd.exe
  C:\Windows\System32\QVzHsCd.exe
  2⤵
  PID:8428
- C:\Windows\System32\gGNDRLE.exe
  C:\Windows\System32\gGNDRLE.exe
  2⤵
  PID:8448
- C:\Windows\System32\TjLwzXT.exe
  C:\Windows\System32\TjLwzXT.exe
  2⤵
  PID:8468
- C:\Windows\System32\RDTRNUG.exe
  C:\Windows\System32\RDTRNUG.exe
  2⤵
  PID:8496
- C:\Windows\System32\QAoapow.exe
  C:\Windows\System32\QAoapow.exe
  2⤵
  PID:8580
- C:\Windows\System32\eBJAEdP.exe
  C:\Windows\System32\eBJAEdP.exe
  2⤵
  PID:8624
- C:\Windows\System32\wuwIKdZ.exe
  C:\Windows\System32\wuwIKdZ.exe
  2⤵
  PID:8648
- C:\Windows\System32\uiOSajH.exe
  C:\Windows\System32\uiOSajH.exe
  2⤵
  PID:8680
- C:\Windows\System32\mxzKopA.exe
  C:\Windows\System32\mxzKopA.exe
  2⤵
  PID:8696
- C:\Windows\System32\YqfhQhR.exe
  C:\Windows\System32\YqfhQhR.exe
  2⤵
  PID:8720
- C:\Windows\System32\LNtRlLc.exe
  C:\Windows\System32\LNtRlLc.exe
  2⤵
  PID:8780
- C:\Windows\System32\HBoOvaE.exe
  C:\Windows\System32\HBoOvaE.exe
  2⤵
  PID:8796
- C:\Windows\System32\UaVrubz.exe
  C:\Windows\System32\UaVrubz.exe
  2⤵
  PID:8880
- C:\Windows\System32\cqbjKRO.exe
  C:\Windows\System32\cqbjKRO.exe
  2⤵
  PID:8920
- C:\Windows\System32\SOkPQdY.exe
  C:\Windows\System32\SOkPQdY.exe
  2⤵
  PID:8948
- C:\Windows\System32\REdPpnz.exe
  C:\Windows\System32\REdPpnz.exe
  2⤵
  PID:8972
- C:\Windows\System32\XvwAoCb.exe
  C:\Windows\System32\XvwAoCb.exe
  2⤵
  PID:9000
- C:\Windows\System32\yRiwFMk.exe
  C:\Windows\System32\yRiwFMk.exe
  2⤵
  PID:9016
- C:\Windows\System32\cXvXvvA.exe
  C:\Windows\System32\cXvXvvA.exe
  2⤵
  PID:9044
- C:\Windows\System32\tsVKDTG.exe
  C:\Windows\System32\tsVKDTG.exe
  2⤵
  PID:9084
- C:\Windows\System32\SqCUtQb.exe
  C:\Windows\System32\SqCUtQb.exe
  2⤵
  PID:9116
- C:\Windows\System32\VIOgLcU.exe
  C:\Windows\System32\VIOgLcU.exe
  2⤵
  PID:9136
- C:\Windows\System32\SdCZJyu.exe
  C:\Windows\System32\SdCZJyu.exe
  2⤵
  PID:9156
- C:\Windows\System32\vKlEIdy.exe
  C:\Windows\System32\vKlEIdy.exe
  2⤵
  PID:9184
- C:\Windows\System32\BdNJLgs.exe
  C:\Windows\System32\BdNJLgs.exe
  2⤵
  PID:9200
- C:\Windows\System32\NjOsskX.exe
  C:\Windows\System32\NjOsskX.exe
  2⤵
  PID:8216
- C:\Windows\System32\xkkgNLM.exe
  C:\Windows\System32\xkkgNLM.exe
  2⤵
  PID:8224
- C:\Windows\System32\kPXUmTm.exe
  C:\Windows\System32\kPXUmTm.exe
  2⤵
  PID:8244
- C:\Windows\System32\qWSEJHc.exe
  C:\Windows\System32\qWSEJHc.exe
  2⤵
  PID:8388
- C:\Windows\System32\jetFfSp.exe
  C:\Windows\System32\jetFfSp.exe
  2⤵
  PID:8328
- C:\Windows\System32\ptGZCaM.exe
  C:\Windows\System32\ptGZCaM.exe
  2⤵
  PID:8436
- C:\Windows\System32\AYlmICH.exe
  C:\Windows\System32\AYlmICH.exe
  2⤵
  PID:8492
- C:\Windows\System32\WmPZYKq.exe
  C:\Windows\System32\WmPZYKq.exe
  2⤵
  PID:8508
- C:\Windows\System32\gDTayWL.exe
  C:\Windows\System32\gDTayWL.exe
  2⤵
  PID:8588
- C:\Windows\System32\fuIAoaa.exe
  C:\Windows\System32\fuIAoaa.exe
  2⤵
  PID:8716
- C:\Windows\System32\GxZnEYh.exe
  C:\Windows\System32\GxZnEYh.exe
  2⤵
  PID:8712
- C:\Windows\System32\JpUIQWM.exe
  C:\Windows\System32\JpUIQWM.exe
  2⤵
  PID:8756
- C:\Windows\System32\KTaUKaf.exe
  C:\Windows\System32\KTaUKaf.exe
  2⤵
  PID:8832
- C:\Windows\System32\aWhPSBw.exe
  C:\Windows\System32\aWhPSBw.exe
  2⤵
  PID:8872
- C:\Windows\System32\yMHqrpC.exe
  C:\Windows\System32\yMHqrpC.exe
  2⤵
  PID:8992
- C:\Windows\System32\aspVHhI.exe
  C:\Windows\System32\aspVHhI.exe
  2⤵
  PID:9040
- C:\Windows\System32\TocxzeJ.exe
  C:\Windows\System32\TocxzeJ.exe
  2⤵
  PID:9092
- C:\Windows\System32\kDUTnsd.exe
  C:\Windows\System32\kDUTnsd.exe
  2⤵
  PID:9192
- C:\Windows\System32\BRkFWfl.exe
  C:\Windows\System32\BRkFWfl.exe
  2⤵
  PID:9152
- C:\Windows\System32\OJjQool.exe
  C:\Windows\System32\OJjQool.exe
  2⤵
  PID:8444
- C:\Windows\System32\KFZQiJp.exe
  C:\Windows\System32\KFZQiJp.exe
  2⤵
  PID:8340
- C:\Windows\System32\ekSnRfn.exe
  C:\Windows\System32\ekSnRfn.exe
  2⤵
  PID:8372
- C:\Windows\System32\xUvdnZJ.exe
  C:\Windows\System32\xUvdnZJ.exe
  2⤵
  PID:8692
- C:\Windows\System32\unUNHtv.exe
  C:\Windows\System32\unUNHtv.exe
  2⤵
  PID:8868
- C:\Windows\System32\aMkVkyH.exe
  C:\Windows\System32\aMkVkyH.exe
  2⤵
  PID:9012
- C:\Windows\System32\mzZlvIq.exe
  C:\Windows\System32\mzZlvIq.exe
  2⤵
  PID:9100
- C:\Windows\System32\TOkvpbq.exe
  C:\Windows\System32\TOkvpbq.exe
  2⤵
  PID:8260
- C:\Windows\System32\zTOlpHX.exe
  C:\Windows\System32\zTOlpHX.exe
  2⤵
  PID:8644
- C:\Windows\System32\aATXLjj.exe
  C:\Windows\System32\aATXLjj.exe
  2⤵
  PID:8264
- C:\Windows\System32\MlwIjCE.exe
  C:\Windows\System32\MlwIjCE.exe
  2⤵
  PID:8636
- C:\Windows\System32\IMmaPcM.exe
  C:\Windows\System32\IMmaPcM.exe
  2⤵
  PID:9248
- C:\Windows\System32\ZiRUqfR.exe
  C:\Windows\System32\ZiRUqfR.exe
  2⤵
  PID:9268
- C:\Windows\System32\ezglvcF.exe
  C:\Windows\System32\ezglvcF.exe
  2⤵
  PID:9316
- C:\Windows\System32\lhwozUy.exe
  C:\Windows\System32\lhwozUy.exe
  2⤵
  PID:9348
- C:\Windows\System32\UAdRMmN.exe
  C:\Windows\System32\UAdRMmN.exe
  2⤵
  PID:9368
- C:\Windows\System32\mSUGdhI.exe
  C:\Windows\System32\mSUGdhI.exe
  2⤵
  PID:9392
- C:\Windows\System32\FEiTcKe.exe
  C:\Windows\System32\FEiTcKe.exe
  2⤵
  PID:9412
- C:\Windows\System32\cLDdLZJ.exe
  C:\Windows\System32\cLDdLZJ.exe
  2⤵
  PID:9436
- C:\Windows\System32\kxwKHKu.exe
  C:\Windows\System32\kxwKHKu.exe
  2⤵
  PID:9456
- C:\Windows\System32\nLiaRUY.exe
  C:\Windows\System32\nLiaRUY.exe
  2⤵
  PID:9472
- C:\Windows\System32\fDtomaE.exe
  C:\Windows\System32\fDtomaE.exe
  2⤵
  PID:9500
- C:\Windows\System32\QrnNQOg.exe
  C:\Windows\System32\QrnNQOg.exe
  2⤵
  PID:9520
- C:\Windows\System32\OsPzpgf.exe
  C:\Windows\System32\OsPzpgf.exe
  2⤵
  PID:9536
- C:\Windows\System32\VUbMYwy.exe
  C:\Windows\System32\VUbMYwy.exe
  2⤵
  PID:9560
- C:\Windows\System32\fTVFLiz.exe
  C:\Windows\System32\fTVFLiz.exe
  2⤵
  PID:9584
- C:\Windows\System32\NPwqKRi.exe
  C:\Windows\System32\NPwqKRi.exe
  2⤵
  PID:9608
- C:\Windows\System32\xjoKKNI.exe
  C:\Windows\System32\xjoKKNI.exe
  2⤵
  PID:9640
- C:\Windows\System32\gCAjZCB.exe
  C:\Windows\System32\gCAjZCB.exe
  2⤵
  PID:9728
- C:\Windows\System32\ZdDSYPg.exe
  C:\Windows\System32\ZdDSYPg.exe
  2⤵
  PID:9752
- C:\Windows\System32\gBqGTew.exe
  C:\Windows\System32\gBqGTew.exe
  2⤵
  PID:9792
- C:\Windows\System32\ApxsoQx.exe
  C:\Windows\System32\ApxsoQx.exe
  2⤵
  PID:9828
- C:\Windows\System32\hSrtjyv.exe
  C:\Windows\System32\hSrtjyv.exe
  2⤵
  PID:9856
- C:\Windows\System32\edctTLL.exe
  C:\Windows\System32\edctTLL.exe
  2⤵
  PID:9880
- C:\Windows\System32\LgHRHXC.exe
  C:\Windows\System32\LgHRHXC.exe
  2⤵
  PID:9904
- C:\Windows\System32\CqFkQbq.exe
  C:\Windows\System32\CqFkQbq.exe
  2⤵
  PID:9924
- C:\Windows\System32\XRhBJHG.exe
  C:\Windows\System32\XRhBJHG.exe
  2⤵
  PID:9956
- C:\Windows\System32\wVVHEKe.exe
  C:\Windows\System32\wVVHEKe.exe
  2⤵
  PID:9984
- C:\Windows\System32\fEWUdfy.exe
  C:\Windows\System32\fEWUdfy.exe
  2⤵
  PID:10008
- C:\Windows\System32\nmaFHkL.exe
  C:\Windows\System32\nmaFHkL.exe
  2⤵
  PID:10048
- C:\Windows\System32\BtnPBqO.exe
  C:\Windows\System32\BtnPBqO.exe
  2⤵
  PID:10080
- C:\Windows\System32\iciqsvb.exe
  C:\Windows\System32\iciqsvb.exe
  2⤵
  PID:10108
- C:\Windows\System32\JfdVqxT.exe
  C:\Windows\System32\JfdVqxT.exe
  2⤵
  PID:10136
- C:\Windows\System32\mFsyDKj.exe
  C:\Windows\System32\mFsyDKj.exe
  2⤵
  PID:10164
- C:\Windows\System32\EhEQTos.exe
  C:\Windows\System32\EhEQTos.exe
  2⤵
  PID:10180
- C:\Windows\System32\ksAytka.exe
  C:\Windows\System32\ksAytka.exe
  2⤵
  PID:10228
- C:\Windows\System32\iRUFZki.exe
  C:\Windows\System32\iRUFZki.exe
  2⤵
  PID:9224
- C:\Windows\System32\zUOHscF.exe
  C:\Windows\System32\zUOHscF.exe
  2⤵
  PID:9256
- C:\Windows\System32\LCtPCLX.exe
  C:\Windows\System32\LCtPCLX.exe
  2⤵
  PID:9340
- C:\Windows\System32\cyprlRv.exe
  C:\Windows\System32\cyprlRv.exe
  2⤵
  PID:9404
- C:\Windows\System32\yKohqgU.exe
  C:\Windows\System32\yKohqgU.exe
  2⤵
  PID:9448
- C:\Windows\System32\CGbePqW.exe
  C:\Windows\System32\CGbePqW.exe
  2⤵
  PID:9512
- C:\Windows\System32\qpnneOk.exe
  C:\Windows\System32\qpnneOk.exe
  2⤵
  PID:9624
- C:\Windows\System32\zMQZUVg.exe
  C:\Windows\System32\zMQZUVg.exe
  2⤵
  PID:9724
- C:\Windows\System32\DQIqNRT.exe
  C:\Windows\System32\DQIqNRT.exe
  2⤵
  PID:9696
- C:\Windows\System32\HqJzNAI.exe
  C:\Windows\System32\HqJzNAI.exe
  2⤵
  PID:9028
- C:\Windows\System32\IDlyiFF.exe
  C:\Windows\System32\IDlyiFF.exe
  2⤵
  PID:9892
- C:\Windows\System32\AeUJvJu.exe
  C:\Windows\System32\AeUJvJu.exe
  2⤵
  PID:9952
- C:\Windows\System32\JQzmGzA.exe
  C:\Windows\System32\JQzmGzA.exe
  2⤵
  PID:9996
- C:\Windows\System32\kzcrfig.exe
  C:\Windows\System32\kzcrfig.exe
  2⤵
  PID:10072
- C:\Windows\System32\rUWcPCW.exe
  C:\Windows\System32\rUWcPCW.exe
  2⤵
  PID:10116
- C:\Windows\System32\KSSqivM.exe
  C:\Windows\System32\KSSqivM.exe
  2⤵
  PID:4516
- C:\Windows\System32\KrKvEIY.exe
  C:\Windows\System32\KrKvEIY.exe
  2⤵
  PID:9344
- C:\Windows\System32\cujziAO.exe
  C:\Windows\System32\cujziAO.exe
  2⤵
  PID:9420
- C:\Windows\System32\zkhYbcG.exe
  C:\Windows\System32\zkhYbcG.exe
  2⤵
  PID:9556
- C:\Windows\System32\bDuAzzv.exe
  C:\Windows\System32\bDuAzzv.exe
  2⤵
  PID:9620
- C:\Windows\System32\HuBcdlv.exe
  C:\Windows\System32\HuBcdlv.exe
  2⤵
  PID:9844
- C:\Windows\System32\HDFOoTP.exe
  C:\Windows\System32\HDFOoTP.exe
  2⤵
  PID:9972
- C:\Windows\System32\AtiGNVt.exe
  C:\Windows\System32\AtiGNVt.exe
  2⤵
  PID:10096
- C:\Windows\System32\QcUyQBy.exe
  C:\Windows\System32\QcUyQBy.exe
  2⤵
  PID:9428
- C:\Windows\System32\gaEXlAk.exe
  C:\Windows\System32\gaEXlAk.exe
  2⤵
  PID:9888
- C:\Windows\System32\FQecuQc.exe
  C:\Windows\System32\FQecuQc.exe
  2⤵
  PID:10100
- C:\Windows\System32\XPOMhrt.exe
  C:\Windows\System32\XPOMhrt.exe
  2⤵
  PID:10152
- C:\Windows\System32\AhsFiMo.exe
  C:\Windows\System32\AhsFiMo.exe
  2⤵
  PID:10244
- C:\Windows\System32\pIRUHnF.exe
  C:\Windows\System32\pIRUHnF.exe
  2⤵
  PID:10264
- C:\Windows\System32\mWshmcy.exe
  C:\Windows\System32\mWshmcy.exe
  2⤵
  PID:10296
- C:\Windows\System32\aEXoRfu.exe
  C:\Windows\System32\aEXoRfu.exe
  2⤵
  PID:10316
- C:\Windows\System32\STxzmSw.exe
  C:\Windows\System32\STxzmSw.exe
  2⤵
  PID:10344
- C:\Windows\System32\PUeQOLq.exe
  C:\Windows\System32\PUeQOLq.exe
  2⤵
  PID:10372
- C:\Windows\System32\FrDwVFT.exe
  C:\Windows\System32\FrDwVFT.exe
  2⤵
  PID:10388
- C:\Windows\System32\BbbDmSV.exe
  C:\Windows\System32\BbbDmSV.exe
  2⤵
  PID:10416
- C:\Windows\System32\QflKKlE.exe
  C:\Windows\System32\QflKKlE.exe
  2⤵
  PID:10472
- C:\Windows\System32\UQmwATz.exe
  C:\Windows\System32\UQmwATz.exe
  2⤵
  PID:10512
- C:\Windows\System32\gUsuoQg.exe
  C:\Windows\System32\gUsuoQg.exe
  2⤵
  PID:10540
- C:\Windows\System32\EHkotRp.exe
  C:\Windows\System32\EHkotRp.exe
  2⤵
  PID:10572
- C:\Windows\System32\OAbulaX.exe
  C:\Windows\System32\OAbulaX.exe
  2⤵
  PID:10592
- C:\Windows\System32\XxXFuIO.exe
  C:\Windows\System32\XxXFuIO.exe
  2⤵
  PID:10616
- C:\Windows\System32\gZcaABL.exe
  C:\Windows\System32\gZcaABL.exe
  2⤵
  PID:10640
- C:\Windows\System32\dwLOupv.exe
  C:\Windows\System32\dwLOupv.exe
  2⤵
  PID:10668
- C:\Windows\System32\OXkWuXx.exe
  C:\Windows\System32\OXkWuXx.exe
  2⤵
  PID:10724
- C:\Windows\System32\eKtBxjK.exe
  C:\Windows\System32\eKtBxjK.exe
  2⤵
  PID:10756
- C:\Windows\System32\mtFRuiH.exe
  C:\Windows\System32\mtFRuiH.exe
  2⤵
  PID:10772
- C:\Windows\System32\EdxPtfQ.exe
  C:\Windows\System32\EdxPtfQ.exe
  2⤵
  PID:10800
- C:\Windows\System32\ONlMmCC.exe
  C:\Windows\System32\ONlMmCC.exe
  2⤵
  PID:10828
- C:\Windows\System32\zCBVyMd.exe
  C:\Windows\System32\zCBVyMd.exe
  2⤵
  PID:10856
- C:\Windows\System32\FQjLXgO.exe
  C:\Windows\System32\FQjLXgO.exe
  2⤵
  PID:10896
- C:\Windows\System32\ihBVfXq.exe
  C:\Windows\System32\ihBVfXq.exe
  2⤵
  PID:10924
- C:\Windows\System32\OOQOoFp.exe
  C:\Windows\System32\OOQOoFp.exe
  2⤵
  PID:10948
- C:\Windows\System32\NaXDQOg.exe
  C:\Windows\System32\NaXDQOg.exe
  2⤵
  PID:10976
- C:\Windows\System32\hPpVXaC.exe
  C:\Windows\System32\hPpVXaC.exe
  2⤵
  PID:10996
- C:\Windows\System32\JgANJNP.exe
  C:\Windows\System32\JgANJNP.exe
  2⤵
  PID:11020
- C:\Windows\System32\OReWgmf.exe
  C:\Windows\System32\OReWgmf.exe
  2⤵
  PID:11040
- C:\Windows\System32\ZmVLkSh.exe
  C:\Windows\System32\ZmVLkSh.exe
  2⤵
  PID:11056
- C:\Windows\System32\KwwUuTb.exe
  C:\Windows\System32\KwwUuTb.exe
  2⤵
  PID:11108
- C:\Windows\System32\ffWWIiE.exe
  C:\Windows\System32\ffWWIiE.exe
  2⤵
  PID:11140
- C:\Windows\System32\lGlPVla.exe
  C:\Windows\System32\lGlPVla.exe
  2⤵
  PID:11164
- C:\Windows\System32\Itoluhk.exe
  C:\Windows\System32\Itoluhk.exe
  2⤵
  PID:11184
- C:\Windows\System32\ICGWeut.exe
  C:\Windows\System32\ICGWeut.exe
  2⤵
  PID:11216
- C:\Windows\System32\YmBiCrq.exe
  C:\Windows\System32\YmBiCrq.exe
  2⤵
  PID:11244
- C:\Windows\System32\KWEBPCh.exe
  C:\Windows\System32\KWEBPCh.exe
  2⤵
  PID:3836
- C:\Windows\System32\MEEdShu.exe
  C:\Windows\System32\MEEdShu.exe
  2⤵
  PID:10292
- C:\Windows\System32\ShffDaS.exe
  C:\Windows\System32\ShffDaS.exe
  2⤵
  PID:10336
- C:\Windows\System32\iXhmtVm.exe
  C:\Windows\System32\iXhmtVm.exe
  2⤵
  PID:10444
- C:\Windows\System32\SsowDwi.exe
  C:\Windows\System32\SsowDwi.exe
  2⤵
  PID:10480
- C:\Windows\System32\nKAGNac.exe
  C:\Windows\System32\nKAGNac.exe
  2⤵
  PID:10588
- C:\Windows\System32\XmIpyWr.exe
  C:\Windows\System32\XmIpyWr.exe
  2⤵
  PID:10600
- C:\Windows\System32\YNXUVxf.exe
  C:\Windows\System32\YNXUVxf.exe
  2⤵
  PID:10684
- C:\Windows\System32\aomhceZ.exe
  C:\Windows\System32\aomhceZ.exe
  2⤵
  PID:10732
- C:\Windows\System32\xVrfSPp.exe
  C:\Windows\System32\xVrfSPp.exe
  2⤵
  PID:10824
- C:\Windows\System32\BPPllyt.exe
  C:\Windows\System32\BPPllyt.exe
  2⤵
  PID:10840
- C:\Windows\System32\CRsYXtK.exe
  C:\Windows\System32\CRsYXtK.exe
  2⤵
  PID:10956
- C:\Windows\System32\hXREIHK.exe
  C:\Windows\System32\hXREIHK.exe
  2⤵
  PID:11036
- C:\Windows\System32\YifFEMn.exe
  C:\Windows\System32\YifFEMn.exe
  2⤵
  PID:11080
- C:\Windows\System32\UAJvzIo.exe
  C:\Windows\System32\UAJvzIo.exe
  2⤵
  PID:11120
- C:\Windows\System32\WpqhAPx.exe
  C:\Windows\System32\WpqhAPx.exe
  2⤵
  PID:11256
- C:\Windows\System32\EfuUbAu.exe
  C:\Windows\System32\EfuUbAu.exe
  2⤵
  PID:9820
- C:\Windows\System32\CGTaJRj.exe
  C:\Windows\System32\CGTaJRj.exe
  2⤵
  PID:10460
- C:\Windows\System32\jLQaEye.exe
  C:\Windows\System32\jLQaEye.exe
  2⤵
  PID:10888
- C:\Windows\System32\AXsSDFq.exe
  C:\Windows\System32\AXsSDFq.exe
  2⤵
  PID:11032
- C:\Windows\System32\CvGScJd.exe
  C:\Windows\System32\CvGScJd.exe
  2⤵
  PID:11100
- C:\Windows\System32\FHWUXOe.exe
  C:\Windows\System32\FHWUXOe.exe
  2⤵
  PID:11232
- C:\Windows\System32\TktVaxZ.exe
  C:\Windows\System32\TktVaxZ.exe
  2⤵
  PID:10748
- C:\Windows\System32\jNDpwoQ.exe
  C:\Windows\System32\jNDpwoQ.exe
  2⤵
  PID:10820
- C:\Windows\System32\yMucVVI.exe
  C:\Windows\System32\yMucVVI.exe
  2⤵
  PID:10636
- C:\Windows\System32\NjCocPw.exe
  C:\Windows\System32\NjCocPw.exe
  2⤵
  PID:11048
- C:\Windows\System32\cyZNSIK.exe
  C:\Windows\System32\cyZNSIK.exe
  2⤵
  PID:10308
- C:\Windows\System32\EbroaOX.exe
  C:\Windows\System32\EbroaOX.exe
  2⤵
  PID:11316
- C:\Windows\System32\cLVpRwi.exe
  C:\Windows\System32\cLVpRwi.exe
  2⤵
  PID:11364
- C:\Windows\System32\GAHoWex.exe
  C:\Windows\System32\GAHoWex.exe
  2⤵
  PID:11388
- C:\Windows\System32\HVxmNJw.exe
  C:\Windows\System32\HVxmNJw.exe
  2⤵
  PID:11404
- C:\Windows\System32\SowfJKw.exe
  C:\Windows\System32\SowfJKw.exe
  2⤵
  PID:11432
- C:\Windows\System32\PCrnwju.exe
  C:\Windows\System32\PCrnwju.exe
  2⤵
  PID:11456
- C:\Windows\System32\mTnYNBg.exe
  C:\Windows\System32\mTnYNBg.exe
  2⤵
  PID:11504
- C:\Windows\System32\KqOEcyM.exe
  C:\Windows\System32\KqOEcyM.exe
  2⤵
  PID:11528
- C:\Windows\System32\HPLMWhl.exe
  C:\Windows\System32\HPLMWhl.exe
  2⤵
  PID:11548
- C:\Windows\System32\qLEIQvc.exe
  C:\Windows\System32\qLEIQvc.exe
  2⤵
  PID:11584
- C:\Windows\System32\tAivAfE.exe
  C:\Windows\System32\tAivAfE.exe
  2⤵
  PID:11600
- C:\Windows\System32\tImkphT.exe
  C:\Windows\System32\tImkphT.exe
  2⤵
  PID:11636
- C:\Windows\System32\LQIkdyK.exe
  C:\Windows\System32\LQIkdyK.exe
  2⤵
  PID:11668
- C:\Windows\System32\BNVwGMB.exe
  C:\Windows\System32\BNVwGMB.exe
  2⤵
  PID:11688
- C:\Windows\System32\sYGTfmE.exe
  C:\Windows\System32\sYGTfmE.exe
  2⤵
  PID:11724
- C:\Windows\System32\qRGKtYi.exe
  C:\Windows\System32\qRGKtYi.exe
  2⤵
  PID:11752
- C:\Windows\System32\OcEFCMf.exe
  C:\Windows\System32\OcEFCMf.exe
  2⤵
  PID:11780
- C:\Windows\System32\HhWwRjP.exe
  C:\Windows\System32\HhWwRjP.exe
  2⤵
  PID:11796
- C:\Windows\System32\XWnVfGh.exe
  C:\Windows\System32\XWnVfGh.exe
  2⤵
  PID:11824
- C:\Windows\System32\JlVWOHT.exe
  C:\Windows\System32\JlVWOHT.exe
  2⤵
  PID:11848
- C:\Windows\System32\mppqePr.exe
  C:\Windows\System32\mppqePr.exe
  2⤵
  PID:11872
- C:\Windows\System32\uwnqebT.exe
  C:\Windows\System32\uwnqebT.exe
  2⤵
  PID:11892
- C:\Windows\System32\UeIrJGf.exe
  C:\Windows\System32\UeIrJGf.exe
  2⤵
  PID:11964
- C:\Windows\System32\auDKxVS.exe
  C:\Windows\System32\auDKxVS.exe
  2⤵
  PID:11980
- C:\Windows\System32\rcJYUNY.exe
  C:\Windows\System32\rcJYUNY.exe
  2⤵
  PID:11996
- C:\Windows\System32\VpUWiHL.exe
  C:\Windows\System32\VpUWiHL.exe
  2⤵
  PID:12036
- C:\Windows\System32\rnUjTjJ.exe
  C:\Windows\System32\rnUjTjJ.exe
  2⤵
  PID:12052
- C:\Windows\System32\ysbzryI.exe
  C:\Windows\System32\ysbzryI.exe
  2⤵
  PID:12076
- C:\Windows\System32\OIzUNSM.exe
  C:\Windows\System32\OIzUNSM.exe
  2⤵
  PID:12108
- C:\Windows\System32\swAfTvK.exe
  C:\Windows\System32\swAfTvK.exe
  2⤵
  PID:12128
- C:\Windows\System32\BZaFCZR.exe
  C:\Windows\System32\BZaFCZR.exe
  2⤵
  PID:12160
- C:\Windows\System32\oOQESTC.exe
  C:\Windows\System32\oOQESTC.exe
  2⤵
  PID:12176
- C:\Windows\System32\msBSoXd.exe
  C:\Windows\System32\msBSoXd.exe
  2⤵
  PID:12200
- C:\Windows\System32\hdLyasf.exe
  C:\Windows\System32\hdLyasf.exe
  2⤵
  PID:12240
- C:\Windows\System32\nyUWXmT.exe
  C:\Windows\System32\nyUWXmT.exe
  2⤵
  PID:12268
- C:\Windows\System32\PwbZJTU.exe
  C:\Windows\System32\PwbZJTU.exe
  2⤵
  PID:10584
- C:\Windows\System32\vgqGaPV.exe
  C:\Windows\System32\vgqGaPV.exe
  2⤵
  PID:11176
- C:\Windows\System32\pPQZcJn.exe
  C:\Windows\System32\pPQZcJn.exe
  2⤵
  PID:11332
- C:\Windows\System32\FZCsDRO.exe
  C:\Windows\System32\FZCsDRO.exe
  2⤵
  PID:11412
- C:\Windows\System32\RdEUVlX.exe
  C:\Windows\System32\RdEUVlX.exe
  2⤵
  PID:11476
- C:\Windows\System32\QreyitP.exe
  C:\Windows\System32\QreyitP.exe
  2⤵
  PID:11596
- C:\Windows\System32\bTKXuvq.exe
  C:\Windows\System32\bTKXuvq.exe
  2⤵
  PID:11616
- C:\Windows\System32\PGAjNLb.exe
  C:\Windows\System32\PGAjNLb.exe
  2⤵
  PID:11684
- C:\Windows\System32\CLcmutg.exe
  C:\Windows\System32\CLcmutg.exe
  2⤵
  PID:11760
- C:\Windows\System32\wrVTrEy.exe
  C:\Windows\System32\wrVTrEy.exe
  2⤵
  PID:11812
- C:\Windows\System32\JhJGrpQ.exe
  C:\Windows\System32\JhJGrpQ.exe
  2⤵
  PID:11844
- C:\Windows\System32\BDWzoxA.exe
  C:\Windows\System32\BDWzoxA.exe
  2⤵
  PID:11888
- C:\Windows\System32\WfpyHOm.exe
  C:\Windows\System32\WfpyHOm.exe
  2⤵
  PID:11992
- C:\Windows\System32\tPEMOeq.exe
  C:\Windows\System32\tPEMOeq.exe
  2⤵
  PID:12060
- C:\Windows\System32\TmAuRSD.exe
  C:\Windows\System32\TmAuRSD.exe
  2⤵
  PID:12084
- C:\Windows\System32\XnsdACO.exe
  C:\Windows\System32\XnsdACO.exe
  2⤵
  PID:12212
- C:\Windows\System32\KTgVrBg.exe
  C:\Windows\System32\KTgVrBg.exe
  2⤵
  PID:12208
- C:\Windows\System32\rkWRtvV.exe
  C:\Windows\System32\rkWRtvV.exe
  2⤵
  PID:12248
- C:\Windows\System32\TArzasm.exe
  C:\Windows\System32\TArzasm.exe
  2⤵
  PID:10852
- C:\Windows\System32\waAjmxw.exe
  C:\Windows\System32\waAjmxw.exe
  2⤵
  PID:11612
- C:\Windows\System32\abmqRSx.exe
  C:\Windows\System32\abmqRSx.exe
  2⤵
  PID:11716
- C:\Windows\System32\JewUOsq.exe
  C:\Windows\System32\JewUOsq.exe
  2⤵
  PID:11976
- C:\Windows\System32\LIxWZyY.exe
  C:\Windows\System32\LIxWZyY.exe
  2⤵
  PID:12044
- C:\Windows\System32\zUIGnUJ.exe
  C:\Windows\System32\zUIGnUJ.exe
  2⤵
  PID:12184
- C:\Windows\System32\FrdbPCl.exe
  C:\Windows\System32\FrdbPCl.exe
  2⤵
  PID:10556
- C:\Windows\System32\lqjvynE.exe
  C:\Windows\System32\lqjvynE.exe
  2⤵
  PID:11792
- C:\Windows\System32\gLAmdvi.exe
  C:\Windows\System32\gLAmdvi.exe
  2⤵
  PID:11988
- C:\Windows\System32\QBnjbtE.exe
  C:\Windows\System32\QBnjbtE.exe
  2⤵
  PID:11192
- C:\Windows\System32\DLZfvpq.exe
  C:\Windows\System32\DLZfvpq.exe
  2⤵
  PID:11924
- C:\Windows\System32\RyZsCmL.exe
  C:\Windows\System32\RyZsCmL.exe
  2⤵
  PID:12296
- C:\Windows\System32\dbMUkcx.exe
  C:\Windows\System32\dbMUkcx.exe
  2⤵
  PID:12312
- C:\Windows\System32\bHiGuas.exe
  C:\Windows\System32\bHiGuas.exe
  2⤵
  PID:12352
- C:\Windows\System32\uCqyZIk.exe
  C:\Windows\System32\uCqyZIk.exe
  2⤵
  PID:12372
- C:\Windows\System32\DyExdhc.exe
  C:\Windows\System32\DyExdhc.exe
  2⤵
  PID:12412
- C:\Windows\System32\EFDLYNw.exe
  C:\Windows\System32\EFDLYNw.exe
  2⤵
  PID:12432
- C:\Windows\System32\opDiYXH.exe
  C:\Windows\System32\opDiYXH.exe
  2⤵
  PID:12468
- C:\Windows\System32\DMylFow.exe
  C:\Windows\System32\DMylFow.exe
  2⤵
  PID:12496
- C:\Windows\System32\FOlOQdM.exe
  C:\Windows\System32\FOlOQdM.exe
  2⤵
  PID:12520
- C:\Windows\System32\aNycLSI.exe
  C:\Windows\System32\aNycLSI.exe
  2⤵
  PID:12556
- C:\Windows\System32\eofWxsM.exe
  C:\Windows\System32\eofWxsM.exe
  2⤵
  PID:12576
- C:\Windows\System32\BuwMHaL.exe
  C:\Windows\System32\BuwMHaL.exe
  2⤵
  PID:12596
- C:\Windows\System32\AHUumvg.exe
  C:\Windows\System32\AHUumvg.exe
  2⤵
  PID:12620
- C:\Windows\System32\sIxaCnW.exe
  C:\Windows\System32\sIxaCnW.exe
  2⤵
  PID:12692
- C:\Windows\System32\fpMUlnY.exe
  C:\Windows\System32\fpMUlnY.exe
  2⤵
  PID:12712
- C:\Windows\System32\PhRqwEF.exe
  C:\Windows\System32\PhRqwEF.exe
  2⤵
  PID:12732
- C:\Windows\System32\TAaMAEb.exe
  C:\Windows\System32\TAaMAEb.exe
  2⤵
  PID:12764
- C:\Windows\System32\fEgagzr.exe
  C:\Windows\System32\fEgagzr.exe
  2⤵
  PID:12788
- C:\Windows\System32\chSKKnm.exe
  C:\Windows\System32\chSKKnm.exe
  2⤵
  PID:12812
- C:\Windows\System32\rmEeCsc.exe
  C:\Windows\System32\rmEeCsc.exe
  2⤵
  PID:12840
- C:\Windows\System32\qbYLrDA.exe
  C:\Windows\System32\qbYLrDA.exe
  2⤵
  PID:12876
- C:\Windows\System32\TvqRcND.exe
  C:\Windows\System32\TvqRcND.exe
  2⤵
  PID:12896
- C:\Windows\System32\XHejsQy.exe
  C:\Windows\System32\XHejsQy.exe
  2⤵
  PID:12920
- C:\Windows\System32\jtjeocp.exe
  C:\Windows\System32\jtjeocp.exe
  2⤵
  PID:12940
- C:\Windows\System32\RqBFolV.exe
  C:\Windows\System32\RqBFolV.exe
  2⤵
  PID:12960
- C:\Windows\System32\lpCcLEb.exe
  C:\Windows\System32\lpCcLEb.exe
  2⤵
  PID:12980
- C:\Windows\System32\FYOuAyd.exe
  C:\Windows\System32\FYOuAyd.exe
  2⤵
  PID:13032
- C:\Windows\System32\ZgsFmtq.exe
  C:\Windows\System32\ZgsFmtq.exe
  2⤵
  PID:13064
- C:\Windows\System32\xXgxSqn.exe
  C:\Windows\System32\xXgxSqn.exe
  2⤵
  PID:13084
- C:\Windows\System32\ufTbEal.exe
  C:\Windows\System32\ufTbEal.exe
  2⤵
  PID:13116
- C:\Windows\System32\ebTCBDG.exe
  C:\Windows\System32\ebTCBDG.exe
  2⤵
  PID:13152
- C:\Windows\System32\jfkcZNE.exe
  C:\Windows\System32\jfkcZNE.exe
  2⤵
  PID:13184
- C:\Windows\System32\VaSDXSZ.exe
  C:\Windows\System32\VaSDXSZ.exe
  2⤵
  PID:13208
- C:\Windows\System32\AKIRfKN.exe
  C:\Windows\System32\AKIRfKN.exe
  2⤵
  PID:13236
- C:\Windows\System32\KTicDKO.exe
  C:\Windows\System32\KTicDKO.exe
  2⤵
  PID:13276
- C:\Windows\System32\pMfqAeA.exe
  C:\Windows\System32\pMfqAeA.exe
  2⤵
  PID:13304
- C:\Windows\System32\TsaReJN.exe
  C:\Windows\System32\TsaReJN.exe
  2⤵
  PID:12320
- C:\Windows\System32\cbWpfaM.exe
  C:\Windows\System32\cbWpfaM.exe
  2⤵
  PID:12380
- C:\Windows\System32\kDUdAUj.exe
  C:\Windows\System32\kDUdAUj.exe
  2⤵
  PID:12396
- C:\Windows\System32\seLBGTX.exe
  C:\Windows\System32\seLBGTX.exe
  2⤵
  PID:12480
- C:\Windows\System32\SGoyhmk.exe
  C:\Windows\System32\SGoyhmk.exe
  2⤵
  PID:12572
- C:\Windows\System32\yHrcElL.exe
  C:\Windows\System32\yHrcElL.exe
  2⤵
  PID:12644
- C:\Windows\System32\cKeVQNR.exe
  C:\Windows\System32\cKeVQNR.exe
  2⤵
  PID:4876

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AuYpvfU.exe

Filesize
1.8MB

MD5
715e0b992b8abbf37ed81a62860bd43d

SHA1
c973945e1acb9e8c23ea1024eada90e4125ef2df

SHA256
6b5ab579a3792be9b457311d99ad9ddba3eb433bece923069e5e6a60772de297

SHA512
18a3a2e696837f6d9bf66d67296ae85393c7f3f5c5b91398c16bd5872956af3f6b5996a5c5d252e8e51751e5ba48bc5bf64251d82524eaac7f066dc327574317

Download Submit
C:\Windows\System32\CrBeDvu.exe

Filesize
1.8MB

MD5
ad604b228ac1a6e8f4b0a60fe1a3a1a4

SHA1
f8355a9e885be859ca6f7c9ec6dbe32fb39ff5d5

SHA256
03f0e6823aa78c09b8554fa32c933d1c0957026e3fd35beb5f403550e7552074

SHA512
22282719471d67c45d9817c16c8d767120c4c9659d4bcd8af68b65d9f6e657dbbfe7d828e5e36022e2d4fe1a09ee3c943c61ebf38f50de061d772adce241f6a8

Download Submit
C:\Windows\System32\DylRcSW.exe

Filesize
1.8MB

MD5
fce3df50affc4ec9c3ceb6c6e18bb891

SHA1
eea47e7597dab7d4793b6b52674030e65c323450

SHA256
937b610a681af17c93738b1e677c3d36effbbbf1d93331f2380f594f8a1d0c24

SHA512
e9d83552edc2471e25b90c2b6e8dfcd413aa0bfe9781347a2f39aee72da0746fd23d6378e4728ee920b1f7aac2fb815dde03b91cc9f481dfc5037c03473fea32

Download Submit
C:\Windows\System32\FVoBvjB.exe

Filesize
1.8MB

MD5
3251f27e947f3e1c4cb7b8375dd7ff04

SHA1
1de6771e8f702dd0f25313eb4e31f0f68f80db5c

SHA256
2d58b6864141fb6f3d1b1d1c7ed65d34a434b6144fe2af18b0b777bf88b78057

SHA512
4716273b1010b93434d03174aa4dd178390863f8d41a0d7313c4bca2f955ec756e1ac15901eadb77beb14fc205d6d06f22c49f4baa774a260d842586c5a5bcfc

Download Submit
C:\Windows\System32\GJAgGLW.exe

Filesize
1.8MB

MD5
a07d1a14cf2b7e006d5b2394ec4a2a66

SHA1
75dc8706a3ed358a2a35a7fa56e198fc88cd62f7

SHA256
f45329f50911998aa53581e259995722edb00ac56e08e0ae1537fa293bb94325

SHA512
d4e02c13deb6b7889ec030cf6736adfea7c281671180358a9cfae7a0440020d787b565184fda5436d6e85c822b192f2fe5c075b235c7d5ea2d7fc1d7ce71c1ae

Download Submit
C:\Windows\System32\ISLJpeK.exe

Filesize
1.8MB

MD5
b4576689ae2dcd5721f73669fc67ed44

SHA1
89616cc32373ba444fc1ad27fe406ed8e41dc165

SHA256
64218a585081c58d29bd45d5842d03c204bbb14c81fc195eee5e2316f812c93b

SHA512
3e0191d6d6fc9c62a6a2e58dad6cdbfc980976317f58127fd2517dc20053e7774740e8723794e396f5c01ff373d8413fa2d9ce57327ed45a2b4f776f6d74050c

Download Submit
C:\Windows\System32\MaCbreC.exe

Filesize
1.8MB

MD5
008ad7d50d602e5b758b9e50c7fc70a1

SHA1
507bb8b61a7c110c9ea50690366bc842abe6ec2d

SHA256
f15fddbfb8b1be6c76b104e9da445657dc7de1f4292dd36dd376dfa02a3e1b9f

SHA512
ece0c5ab1b750561ffd26403cc2b3b0b210c6002dd9a894f6bc4c8975faef5155ef529d9ab43b2a6a02b126fc498ba18c2a2a8bbb68f6a06967979ec284392bf

Download Submit
C:\Windows\System32\NRJPSoT.exe

Filesize
1.8MB

MD5
8950d92648f853290ba38a5074c8d3eb

SHA1
97f05c9592e0ae531819cdeb526f7baa5337eda8

SHA256
89176904c3caf2c0e8eed7baa6c21391996eb9a7cf49f151bdf790041474e6d4

SHA512
cecfdfa3b950327fcbe56a5c71274541174732f4f09e8aedcd00b903d231ab03ff4b8e8703ccc9d45992fa15b78a092b6162680015832a9090a11fd54bf31742

Download Submit
C:\Windows\System32\NhhEFTT.exe

Filesize
1.8MB

MD5
73d00afc2dcb7a07f1945dee4571e761

SHA1
3fb83618d22333c598a5c21682cd69cb156b68c5

SHA256
17e79a08361e2ceedfdfa5121e04eed268044630b57cdf44c23193c7ead83246

SHA512
4aa393cb63f9c0a6edaefe572ba6de104edabefb5fb1d5c6c49fbd71ce98b1d4a218ed620a0116a5eeac1e85b43110d007870eff8f5fc5dac42a1f96eccd58fd

Download Submit
C:\Windows\System32\PLyjFmM.exe

Filesize
1.8MB

MD5
c779a776ad65b848c9f252600ec3c59a

SHA1
4c15f96ae35a7aec771003ab0ec624bb4aab824b

SHA256
55732ca4f60f50ee470f7136b145ea2bc656dc5068057e9751d85e170b492c3e

SHA512
d555e9ec0ce29660b658997d6d2ced4249bff941d517261bbc73bc4e1a165395074b417d78314fefeee013118fd95a7aee3f2b94577f3f1e8a197dad39fba267

Download Submit
C:\Windows\System32\PlQskCm.exe

Filesize
1.8MB

MD5
3d86495614be3927668720e94ccf4115

SHA1
65fe115c392163765822a7b76c22e6e2bbf6d5bf

SHA256
42a3b9ea9904a307a02fc7ea22c793a5ad8c3742f4e7f8d15c854edca15e944e

SHA512
dc30258a70b0505d6691bd79dba2d2506a53ed48534875de6d0f27e1731945abe763001b39caf63f16ca20ff40ead1afc1792ceefd78a1ce4fef303c83a53920

Download Submit
C:\Windows\System32\UePCPtY.exe

Filesize
1.8MB

MD5
f58b45f110e59b64733563e4b005b2c0

SHA1
c8bda551e92dc694f3fd9bd3c62a40a64dd5b23f

SHA256
ddbe7600ba310ebebf8997b3d15dea99f9c269745456b65c6ede6a771dcc9719

SHA512
a156f800cc12e952a1f456b24f54cb5ebe35719a9cbc84dd9b3fd8a711c6388015d12f774457ece1a96cb11652bb3da535b8536cf69b6f6cf4e7fece03b7223e

Download Submit
C:\Windows\System32\VEfMPje.exe

Filesize
1.8MB

MD5
719948aa833f11eb8020122ae404580f

SHA1
2a7f15f40568216679294c69ab324c9fe0496715

SHA256
1de45e54181588ca6b5af0d40f4b5b5b98b2c163fb57216b01673924e86ba49f

SHA512
83f69acd91f3d1d8556f59482bc980fde70627a8facbc29adc9cd9d5728c029080651ac4ca811bc24f5293623ac60ecc005c6d9632499496c2c068009d35055a

Download Submit
C:\Windows\System32\VzNAinv.exe

Filesize
1.8MB

MD5
ee52f06089e4cfec79a40e7827b5ab9b

SHA1
9bbc5594ed5ebdcd3bd4b09a3e30607140636ec4

SHA256
5901930914fe08d91e9130e34364f338c919470ad772c63f0a107d39bba37b18

SHA512
503561fa8a3d549cdb89b45ea7dd008ac12027d75e2ae3d299e6667412bfdfd1c6b838a046172743f73b23151eef9be51dd4a22c43d74e058c9c265fec448479

Download Submit
C:\Windows\System32\WZzpdhn.exe

Filesize
1.8MB

MD5
18d7268682604216f1edd155486f288a

SHA1
6af77a1909ced83f9b0494e0753e74a87a630558

SHA256
3da96e94ff43677271fee2478525297da3f8a7c7951d28a3b70370890e5458e1

SHA512
60139b4a91247816f313ba4c98a1366432475c6ddd67f5a13a76a59d730ce194a95a2b7c18a5ecfafa5582dfcfeca1aae7855b67fbe4c838c48383e6d35d7deb

Download Submit
C:\Windows\System32\XDvteAT.exe

Filesize
1.8MB

MD5
435c613627d416e9707dacca1991ddc2

SHA1
a4f979c5cb9fa538f467887dfede7d29faccc930

SHA256
6bd74768956fe2884d866ac4a10ba745b9857dd06325ca078cbaf1b6c17c2086

SHA512
fbdcbcb478bd492e439e2ab836645aa42ef6b1d56cb29d864d8665905bc471bf8177e79feb7ae0edf39b4c2f65096ee83a36bbb4dbf5749504d52caecdc14344

Download Submit
C:\Windows\System32\YHEaMEE.exe

Filesize
1.8MB

MD5
f2bf2c3266950830b83daef8d1571bf7

SHA1
55989a5fc671080f922deb42f9d132086249d23e

SHA256
dc0bca2546d1fd975d451d083a9973635b7ce52d123e2c83c8d39194a5886a0b

SHA512
d3054d4735d245aa42b0e7b20bfebe4a1f9b4823bdbac231dde6564f5ae286d444271133a8dec7c11efd094c85419b102c3193c211531840b50a88e09e890978

Download Submit
C:\Windows\System32\YOVyqlw.exe

Filesize
1.8MB

MD5
f97ea4b8334900bef66526177525d42a

SHA1
eaede3beb907e7f3c69919e5226500dc7f303b2a

SHA256
3e783419799cb4c6bea09db3bc13c3dce0fd6d43909ef295140438e12da0797d

SHA512
f6d40cc13484645caa756f5570fe112db060e3ccff1e6f6f2c648e74ead0b1d9b4f3cdb634a23301e890154721aac5815c9f4e26a279c97c676be6596fb17c35

Download Submit
C:\Windows\System32\aIpUWbW.exe

Filesize
1.8MB

MD5
f5c410752ea56f01d7421c1d16226f54

SHA1
9601ce0d789fb13eff1575e927a8ce382aaf7884

SHA256
b97737c849cda5b14812e2c7ffadd6195636d60972d46a5ab9c6e86245d28472

SHA512
9114f2bfc9027ef4e9a8861af270d2b40d735797370fbb6646dc6bc4fcfe140677df28acfd8c2117da5da620f13f93c81ed91832b123c6d69bbe652a0549e69b

Download Submit
C:\Windows\System32\cDUUSdA.exe

Filesize
1.8MB

MD5
12cee0b8a88b59147984c6be1e1c1486

SHA1
1f21165fc5f64f357651b9bccd7e82b6223294b3

SHA256
1b5dc1474bbdafec095a91429b8584b0307caf871d3f14a120a0cb446f993f6c

SHA512
ed15e48a678b2bfcb6fb8fd837ab30d0c47022873143ba19357b9a835cb7943f85bf2f5ec8fe78659ce9da3499062716bb789654def08000138a221e271920a0

Download Submit
C:\Windows\System32\gYInzIl.exe

Filesize
1.8MB

MD5
2f959697f132812c0ef14ce9b87872c7

SHA1
d2063755e2e3bf2af6f2da2726ae893980949d32

SHA256
9a865384efc9256a7cf31a70e35e62581caa01fb1d773615477ed006c43aeec4

SHA512
8d16a472b5bc5199506f8c7e4ffd203b8a352603c6a23b553f3b6f6ba4d2e0a6d07afa5c94caaff0647c3e8d93d7d50358a07a647931612441f780708d23379f

Download Submit
C:\Windows\System32\iHwLyvO.exe

Filesize
1.8MB

MD5
599c9a16419c146b855383d4aa8110e9

SHA1
d7e58532d9f843c28fba011e37a9395a29cf4564

SHA256
7909adff84e4a6d50c5e10aea5161e068873ec765007deae2862254ef80569b1

SHA512
23c4f227cba85d489aab35663771e5758b9930ed89ab7a9bec6fb1177a3432fc8fa310097924b8c67d786f6ff89afbb361490beb3aa9dbaaed0f47153a8b29eb

Download Submit
C:\Windows\System32\jpycMzk.exe

Filesize
1.8MB

MD5
4525dbde5c5691a9e428f5de71055c6c

SHA1
c7b4a9059b077c364752f0750a19425d45e56eb9

SHA256
95649b42c8153b6f58803e2548df97274ae4856a680038f8a1fa2897b85a1949

SHA512
6d9c3ae5fc2319f441ae592b61cca54920b542f9fafed75f6e196451c30252f6d6ad350def6ef2165d94a0ff49c7f8211231e6ff39852c1d0845918ea0e5b99a

Download Submit
C:\Windows\System32\nInDfcV.exe

Filesize
1.8MB

MD5
9a60e7e3bd01b734b1be578adab3e5eb

SHA1
21330e11cb0fb800b129b3c666ebbb9cfe04cd5f

SHA256
70f63f1b1d11c448962e0348c52a3a58884c5bcb5de49c5ad7a4c2844fce22ae

SHA512
42778bb2a01febeb17b40ff360049d19f2db1ec7ddf4243f46d75c7520ae288e66943e00fb4fdab46302f84bfef780ae95abea8d40e9662e0b02bc72dee68c0f

Download Submit
C:\Windows\System32\niOxVFZ.exe

Filesize
1.8MB

MD5
2dc0d30fe8384155756b57269a7e5c95

SHA1
e2521dbcc2ce9de4ce41ba802293e39ec330c190

SHA256
653ffaf844631a8c163e618b80b70feb76dafc4227bd04ec32b2d9f020d3439d

SHA512
58a1936e45c24b575bedbf14418b1b35ec77090dec22d7bda3b119660320ffbb131eb186dabcadb87383edd29eca845a34b3fb2f156353b5ef491bba5efccf72

Download Submit
C:\Windows\System32\rKurRwk.exe

Filesize
1.8MB

MD5
41e6b8713179399510532d2af6eb9f52

SHA1
0ca2ff3c85998a2acc4efde2cac6677fdadfd620

SHA256
9a2c9278cdf8f6b26d3d3087a11cfa0e8c9e8ee8b12e7373eb1210c515a19e3b

SHA512
2856f844e00c2a9bbe7dffb954ed5177d591efff6908dcf8e6388ddd053a2f84fdba27a1de4335331d7af0609eaf3720922625fd9139e5b13f097d92164767f3

Download Submit
C:\Windows\System32\srmPlQl.exe

Filesize
1.8MB

MD5
74b9a2cacf91ed453f08d36ac2b27d6b

SHA1
b058ccdb6f58840acf07a267c8621b8f8f79116c

SHA256
e0b41aba451f790c8df7945fb804e83d0b796d6d89538bc1d8b217eccc92c402

SHA512
fbe71ee7dbae88f0cd9e156bcdad74a08af97d15deae24d5062d5b496f7293145b73221f124dbe52710b94955b066b199cebf6ddcbf19c7119b6d0b3fed14134

Download Submit
C:\Windows\System32\uNGUaiJ.exe

Filesize
1.8MB

MD5
8d6d5f5429d2427f35e731c7ff817267

SHA1
9230fcb065f01ef1310717924689419c11e78ad2

SHA256
6aa0973f489736f3c7b1259435a13b3c367ee33df2e2e6a37d58aa374478d210

SHA512
6035326710a66e48ebb8b2ebac7cfc97f2433d6a056617bf397afd7fa5e4ee2e82788691ef8d1ea5a00787e47f03cfc942fed1aaaffa0d0c764895a152a70635

Download Submit
C:\Windows\System32\uglgkHk.exe

Filesize
1.8MB

MD5
ca51b854fb1238e0fa7d13d372155448

SHA1
4ddef85889f7e0bbb5a2bd117c155daadec8d873

SHA256
b988326612c18204e513d80e867b9b7fcaed12b61eb2805ae082d7b5bae60089

SHA512
09e82e9ce975ad7066560dd69c2935a501088021cb2a7008e6aa8ac2e2b179163946b63b6e671724ef33285ff44a184221979bf2acde07d861ec89878f5aaa33

Download Submit
C:\Windows\System32\xRaSoLu.exe

Filesize
1.8MB

MD5
bb4b742ac27c13b8371120391d20c791

SHA1
cdf13a656d1baa08595dafeff04e90fb7af21184

SHA256
6a5a14ddd861accc43be63b7bb879900384285ff26785fb2ba63e03af84d09f1

SHA512
c4f82f9ebd1344ae9f40433bb194dd976516710e48c47248168ca082e3870415e354cd3899f41688a32d6e4c96c1dd366349b568952e941ea05d1cd8cb397045

Download Submit
C:\Windows\System32\zNFCmKX.exe

Filesize
1.8MB

MD5
f8da364d209d2e8f7104deb97c494cb8

SHA1
3aadab88dc71842d24dcab79aa8281c75c90ea86

SHA256
1c0ad15598284e86827960f57684277a2ae58102de12525c9eb2eff743427b2c

SHA512
da7e8ccdad875014d71efbbcd5a8a75e59d5d5ed4fa678293520a10747b01fd3c1885393d54acac1e2722a7c70f12dbd94af253085ecd8b373b30bc25b535862

Download Submit
C:\Windows\System32\zoFycLn.exe

Filesize
1.8MB

MD5
1c82899f24108dbecd22ae153132263d

SHA1
8d89ecf8b26088337c350e68dfd3ae09080b639b

SHA256
4c7c08fd31e31e2b2e7c9d5b6e3702709d2daa5b5eec99f579e0ddc1ed9d2bdb

SHA512
e9c8658d7d1879cf3adb4d39fb1e92b49a031254947ccf15ca6429fbe308af068d07f366f639c40ca79a25ddb38afad210b6b59c600f6375cee0bfbe22aab528

Download Submit
memory/400-370-0x00007FF623A10000-0x00007FF623E01000-memory.dmp

Filesize
3.9MB

Download
memory/400-2079-0x00007FF623A10000-0x00007FF623E01000-memory.dmp

Filesize
3.9MB

Download
memory/624-397-0x00007FF797960000-0x00007FF797D51000-memory.dmp

Filesize
3.9MB

Download
memory/624-2063-0x00007FF797960000-0x00007FF797D51000-memory.dmp

Filesize
3.9MB

Download
memory/828-39-0x00007FF61C9C0000-0x00007FF61CDB1000-memory.dmp

Filesize
3.9MB

Download
memory/828-2035-0x00007FF61C9C0000-0x00007FF61CDB1000-memory.dmp

Filesize
3.9MB

Download
memory/1100-2031-0x00007FF760D40000-0x00007FF761131000-memory.dmp

Filesize
3.9MB

Download
memory/1100-13-0x00007FF760D40000-0x00007FF761131000-memory.dmp

Filesize
3.9MB

Download
memory/1248-84-0x00007FF72D110000-0x00007FF72D501000-memory.dmp

Filesize
3.9MB

Download
memory/1248-2048-0x00007FF72D110000-0x00007FF72D501000-memory.dmp

Filesize
3.9MB

Download
memory/1480-2049-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp

Filesize
3.9MB

Download
memory/1480-66-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp

Filesize
3.9MB

Download
memory/1480-1973-0x00007FF6C6570000-0x00007FF6C6961000-memory.dmp

Filesize
3.9MB

Download
memory/1636-44-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2041-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp

Filesize
3.9MB

Download
memory/1636-1972-0x00007FF7F7DF0000-0x00007FF7F81E1000-memory.dmp

Filesize
3.9MB

Download
memory/1856-2145-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp

Filesize
3.9MB

Download
memory/1856-94-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp

Filesize
3.9MB

Download
memory/1856-1994-0x00007FF6315F0000-0x00007FF6319E1000-memory.dmp

Filesize
3.9MB

Download
memory/2504-2043-0x00007FF6AF860000-0x00007FF6AFC51000-memory.dmp

Filesize
3.9MB

Download
memory/2504-48-0x00007FF6AF860000-0x00007FF6AFC51000-memory.dmp

Filesize
3.9MB

Download
memory/2988-2055-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2988-71-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp

Filesize
3.9MB

Download
memory/2988-1971-0x00007FF69DCF0000-0x00007FF69E0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3092-2087-0x00007FF62C360000-0x00007FF62C751000-memory.dmp

Filesize
3.9MB

Download
memory/3092-402-0x00007FF62C360000-0x00007FF62C751000-memory.dmp

Filesize
3.9MB

Download
memory/3272-2082-0x00007FF6F2AE0000-0x00007FF6F2ED1000-memory.dmp

Filesize
3.9MB

Download
memory/3272-389-0x00007FF6F2AE0000-0x00007FF6F2ED1000-memory.dmp

Filesize
3.9MB

Download
memory/3404-2037-0x00007FF71D340000-0x00007FF71D731000-memory.dmp

Filesize
3.9MB

Download
memory/3404-80-0x00007FF71D340000-0x00007FF71D731000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2083-0x00007FF64B510000-0x00007FF64B901000-memory.dmp

Filesize
3.9MB

Download
memory/4044-381-0x00007FF64B510000-0x00007FF64B901000-memory.dmp

Filesize
3.9MB

Download
memory/4132-1969-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp

Filesize
3.9MB

Download
memory/4132-29-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2033-0x00007FF67BF60000-0x00007FF67C351000-memory.dmp

Filesize
3.9MB

Download
memory/4224-58-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp

Filesize
3.9MB

Download
memory/4224-2045-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp

Filesize
3.9MB

Download
memory/4224-1970-0x00007FF6EE070000-0x00007FF6EE461000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2065-0x00007FF6B2260000-0x00007FF6B2651000-memory.dmp

Filesize
3.9MB

Download
memory/4356-369-0x00007FF6B2260000-0x00007FF6B2651000-memory.dmp

Filesize
3.9MB

Download
memory/4604-2039-0x00007FF7C5010000-0x00007FF7C5401000-memory.dmp

Filesize
3.9MB

Download
memory/4604-82-0x00007FF7C5010000-0x00007FF7C5401000-memory.dmp

Filesize
3.9MB

Download
memory/4788-1-0x000001C59D800000-0x000001C59D810000-memory.dmp

Filesize
64KB

Download
memory/4788-0-0x00007FF7D9210000-0x00007FF7D9601000-memory.dmp

Filesize
3.9MB

Download
memory/5024-399-0x00007FF76BDA0000-0x00007FF76C191000-memory.dmp

Filesize
3.9MB

Download
memory/5024-2085-0x00007FF76BDA0000-0x00007FF76C191000-memory.dmp

Filesize
3.9MB

Download
memory/5116-1974-0x00007FF620880000-0x00007FF620C71000-memory.dmp

Filesize
3.9MB

Download
memory/5116-2061-0x00007FF620880000-0x00007FF620C71000-memory.dmp

Filesize
3.9MB

Download
memory/5116-98-0x00007FF620880000-0x00007FF620C71000-memory.dmp

Filesize
3.9MB

Download
memory/5240-2059-0x00007FF66C410000-0x00007FF66C801000-memory.dmp

Filesize
3.9MB

Download
memory/5240-2009-0x00007FF66C410000-0x00007FF66C801000-memory.dmp

Filesize
3.9MB

Download
memory/5240-100-0x00007FF66C410000-0x00007FF66C801000-memory.dmp

Filesize
3.9MB

Download
memory/5352-2051-0x00007FF75C030000-0x00007FF75C421000-memory.dmp

Filesize
3.9MB

Download
memory/5352-90-0x00007FF75C030000-0x00007FF75C421000-memory.dmp

Filesize
3.9MB

Download
memory/5588-2057-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5588-1992-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5588-92-0x00007FF680BF0000-0x00007FF680FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5724-2054-0x00007FF665270000-0x00007FF665661000-memory.dmp

Filesize
3.9MB

Download
memory/5724-87-0x00007FF665270000-0x00007FF665661000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads