xmrig | 6b142d379f2cd98e1058a9ccb98a71def262d78c905758e5f95242228f1b3aea

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
Size

2.6MB
MD5

5336159c4cc6a9787d3037d900e84e30
SHA1

6c2aaf83caf89f88cb9fb1fb41e0699ae23f5f50
SHA256

6b142d379f2cd98e1058a9ccb98a71def262d78c905758e5f95242228f1b3aea
SHA512

dca509908d5782197ec6e0aea1bd376772a7257536d34813536eaf0487763ab556051b6a8d78f2179db0854d5fd4238fb514afdb4f946680896a0e0d5cf9d17e
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzJuJeof7irqm:N0GnJMOWPClFdx6e0EALKWVTffZiPAcf

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/864-0-0x00007FF788820000-0x00007FF788C15000-memory.dmp	xmrig
behavioral2/files/0x0007000000023522-7.dat	xmrig
behavioral2/files/0x0007000000023521-8.dat	xmrig
behavioral2/files/0x000800000002351d-10.dat	xmrig
behavioral2/memory/4488-9-0x00007FF72FD30000-0x00007FF730125000-memory.dmp	xmrig
behavioral2/memory/3176-12-0x00007FF7F6AE0000-0x00007FF7F6ED5000-memory.dmp	xmrig
behavioral2/memory/3024-23-0x00007FF740D60000-0x00007FF741155000-memory.dmp	xmrig
behavioral2/files/0x0007000000023523-22.dat	xmrig
behavioral2/files/0x0007000000023524-26.dat	xmrig
behavioral2/files/0x0007000000023526-43.dat	xmrig
behavioral2/files/0x0007000000023527-47.dat	xmrig
behavioral2/files/0x0007000000023525-54.dat	xmrig
behavioral2/memory/3416-62-0x00007FF680160000-0x00007FF680555000-memory.dmp	xmrig
behavioral2/memory/3932-65-0x00007FF716320000-0x00007FF716715000-memory.dmp	xmrig
behavioral2/memory/4292-68-0x00007FF64BCF0000-0x00007FF64C0E5000-memory.dmp	xmrig
behavioral2/memory/3800-69-0x00007FF6B99C0000-0x00007FF6B9DB5000-memory.dmp	xmrig
behavioral2/memory/5056-77-0x00007FF667380000-0x00007FF667775000-memory.dmp	xmrig
behavioral2/files/0x0007000000023530-103.dat	xmrig
behavioral2/files/0x0007000000023533-116.dat	xmrig
behavioral2/files/0x0007000000023539-148.dat	xmrig
behavioral2/memory/4488-768-0x00007FF72FD30000-0x00007FF730125000-memory.dmp	xmrig
behavioral2/memory/1160-769-0x00007FF615270000-0x00007FF615665000-memory.dmp	xmrig
behavioral2/memory/3480-772-0x00007FF636DE0000-0x00007FF6371D5000-memory.dmp	xmrig
behavioral2/memory/2676-771-0x00007FF76E1D0000-0x00007FF76E5C5000-memory.dmp	xmrig
behavioral2/memory/2792-770-0x00007FF646B20000-0x00007FF646F15000-memory.dmp	xmrig
behavioral2/files/0x000700000002353e-173.dat	xmrig
behavioral2/files/0x000700000002353d-168.dat	xmrig
behavioral2/files/0x000700000002353c-163.dat	xmrig
behavioral2/files/0x000700000002353b-158.dat	xmrig
behavioral2/files/0x000700000002353a-153.dat	xmrig
behavioral2/files/0x0007000000023538-143.dat	xmrig
behavioral2/files/0x0007000000023537-138.dat	xmrig
behavioral2/files/0x0007000000023536-133.dat	xmrig
behavioral2/files/0x0007000000023535-128.dat	xmrig
behavioral2/files/0x0007000000023534-123.dat	xmrig
behavioral2/files/0x0007000000023532-113.dat	xmrig
behavioral2/files/0x0007000000023531-108.dat	xmrig
behavioral2/files/0x000700000002352f-98.dat	xmrig
behavioral2/files/0x000700000002352e-93.dat	xmrig
behavioral2/files/0x000700000002352d-88.dat	xmrig
behavioral2/files/0x000700000002352c-83.dat	xmrig
behavioral2/files/0x000700000002352b-81.dat	xmrig
behavioral2/memory/1504-74-0x00007FF654D20000-0x00007FF655115000-memory.dmp	xmrig
behavioral2/memory/648-73-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp	xmrig
behavioral2/files/0x000700000002352a-70.dat	xmrig
behavioral2/files/0x0007000000023529-67.dat	xmrig
behavioral2/memory/3200-56-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp	xmrig
behavioral2/files/0x0007000000023528-59.dat	xmrig
behavioral2/memory/3672-45-0x00007FF7044B0000-0x00007FF7048A5000-memory.dmp	xmrig
behavioral2/files/0x000800000002351e-39.dat	xmrig
behavioral2/memory/4440-35-0x00007FF6AD090000-0x00007FF6AD485000-memory.dmp	xmrig
behavioral2/memory/380-773-0x00007FF6B8470000-0x00007FF6B8865000-memory.dmp	xmrig
behavioral2/memory/756-781-0x00007FF6073D0000-0x00007FF6077C5000-memory.dmp	xmrig
behavioral2/memory/4652-816-0x00007FF6709F0000-0x00007FF670DE5000-memory.dmp	xmrig
behavioral2/memory/4828-803-0x00007FF7B2D70000-0x00007FF7B3165000-memory.dmp	xmrig
behavioral2/memory/3756-792-0x00007FF7CBCF0000-0x00007FF7CC0E5000-memory.dmp	xmrig
behavioral2/memory/5060-831-0x00007FF77A150000-0x00007FF77A545000-memory.dmp	xmrig
behavioral2/memory/4560-825-0x00007FF6B9230000-0x00007FF6B9625000-memory.dmp	xmrig
behavioral2/memory/864-1201-0x00007FF788820000-0x00007FF788C15000-memory.dmp	xmrig
behavioral2/memory/3200-1884-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp	xmrig
behavioral2/memory/3416-1885-0x00007FF680160000-0x00007FF680555000-memory.dmp	xmrig
behavioral2/memory/648-1886-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp	xmrig
behavioral2/memory/5056-1887-0x00007FF667380000-0x00007FF667775000-memory.dmp	xmrig
behavioral2/memory/864-1888-0x00007FF788820000-0x00007FF788C15000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4488	OmZXsab.exe
3176	mBfMFQE.exe
3024	ezyknie.exe
4440	ZsyVepV.exe
3672	MyrvEag.exe
3932	PZXOVgr.exe
4292	zfycGEc.exe
3200	RSkBHPp.exe
3800	KwtxYdz.exe
3416	JIjbfzw.exe
648	pXzAzcA.exe
1504	RCuaKCm.exe
5056	huKrmaD.exe
1160	gNaieKy.exe
2792	nskGGmP.exe
2676	PBQSYmq.exe
3480	dvzyAMf.exe
380	uAOqYkX.exe
756	taBoHRi.exe
3756	llnuwlY.exe
4828	RPNEUnS.exe
4652	GFoWsAq.exe
4560	ZKmvMXY.exe
5060	ozDOvTs.exe
4320	FGTGlqI.exe
3284	iJDlfEn.exe
832	noeLzxA.exe
1508	VZgwsTh.exe
4912	HypKwTF.exe
2844	DBkxemc.exe
4516	gQmMwzZ.exe
2160	eAnfiTg.exe
388	lYFsvCH.exe
4536	dSJsgvA.exe
4288	mBPeWSU.exe
2720	pVflmAR.exe
3732	ZqffYuW.exe
724	KUQwCrY.exe
804	aECAPRE.exe
676	lQLTFKR.exe
3220	yoVMEyR.exe
1856	UCDFyLS.exe
460	FZDpcNU.exe
4380	RNAXapN.exe
2620	VzcGUrm.exe
4932	wByEDHZ.exe
4960	xOfeBVX.exe
5144	gEgBbqZ.exe
5172	UfzvXTv.exe
5200	dDRcxSG.exe
5228	nXDRYFN.exe
5256	eNjkCvN.exe
5272	vnpniuY.exe
5312	NeNZths.exe
5328	MZZpCRZ.exe
5368	tLfDDlH.exe
5384	TRradeF.exe
5412	wpbFafr.exe
5452	qJZXcdT.exe
5480	rzbFTlv.exe
5496	jhzvMOM.exe
5524	WtaNwMA.exe
5564	tVeAwFp.exe
5580	HibZFoL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/864-0-0x00007FF788820000-0x00007FF788C15000-memory.dmp	upx
behavioral2/files/0x0007000000023522-7.dat	upx
behavioral2/files/0x0007000000023521-8.dat	upx
behavioral2/files/0x000800000002351d-10.dat	upx
behavioral2/memory/4488-9-0x00007FF72FD30000-0x00007FF730125000-memory.dmp	upx
behavioral2/memory/3176-12-0x00007FF7F6AE0000-0x00007FF7F6ED5000-memory.dmp	upx
behavioral2/memory/3024-23-0x00007FF740D60000-0x00007FF741155000-memory.dmp	upx
behavioral2/files/0x0007000000023523-22.dat	upx
behavioral2/files/0x0007000000023524-26.dat	upx
behavioral2/files/0x0007000000023526-43.dat	upx
behavioral2/files/0x0007000000023527-47.dat	upx
behavioral2/files/0x0007000000023525-54.dat	upx
behavioral2/memory/3416-62-0x00007FF680160000-0x00007FF680555000-memory.dmp	upx
behavioral2/memory/3932-65-0x00007FF716320000-0x00007FF716715000-memory.dmp	upx
behavioral2/memory/4292-68-0x00007FF64BCF0000-0x00007FF64C0E5000-memory.dmp	upx
behavioral2/memory/3800-69-0x00007FF6B99C0000-0x00007FF6B9DB5000-memory.dmp	upx
behavioral2/memory/5056-77-0x00007FF667380000-0x00007FF667775000-memory.dmp	upx
behavioral2/files/0x0007000000023530-103.dat	upx
behavioral2/files/0x0007000000023533-116.dat	upx
behavioral2/files/0x0007000000023539-148.dat	upx
behavioral2/memory/4488-768-0x00007FF72FD30000-0x00007FF730125000-memory.dmp	upx
behavioral2/memory/1160-769-0x00007FF615270000-0x00007FF615665000-memory.dmp	upx
behavioral2/memory/3480-772-0x00007FF636DE0000-0x00007FF6371D5000-memory.dmp	upx
behavioral2/memory/2676-771-0x00007FF76E1D0000-0x00007FF76E5C5000-memory.dmp	upx
behavioral2/memory/2792-770-0x00007FF646B20000-0x00007FF646F15000-memory.dmp	upx
behavioral2/files/0x000700000002353e-173.dat	upx
behavioral2/files/0x000700000002353d-168.dat	upx
behavioral2/files/0x000700000002353c-163.dat	upx
behavioral2/files/0x000700000002353b-158.dat	upx
behavioral2/files/0x000700000002353a-153.dat	upx
behavioral2/files/0x0007000000023538-143.dat	upx
behavioral2/files/0x0007000000023537-138.dat	upx
behavioral2/files/0x0007000000023536-133.dat	upx
behavioral2/files/0x0007000000023535-128.dat	upx
behavioral2/files/0x0007000000023534-123.dat	upx
behavioral2/files/0x0007000000023532-113.dat	upx
behavioral2/files/0x0007000000023531-108.dat	upx
behavioral2/files/0x000700000002352f-98.dat	upx
behavioral2/files/0x000700000002352e-93.dat	upx
behavioral2/files/0x000700000002352d-88.dat	upx
behavioral2/files/0x000700000002352c-83.dat	upx
behavioral2/files/0x000700000002352b-81.dat	upx
behavioral2/memory/1504-74-0x00007FF654D20000-0x00007FF655115000-memory.dmp	upx
behavioral2/memory/648-73-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp	upx
behavioral2/files/0x000700000002352a-70.dat	upx
behavioral2/files/0x0007000000023529-67.dat	upx
behavioral2/memory/3200-56-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp	upx
behavioral2/files/0x0007000000023528-59.dat	upx
behavioral2/memory/3672-45-0x00007FF7044B0000-0x00007FF7048A5000-memory.dmp	upx
behavioral2/files/0x000800000002351e-39.dat	upx
behavioral2/memory/4440-35-0x00007FF6AD090000-0x00007FF6AD485000-memory.dmp	upx
behavioral2/memory/380-773-0x00007FF6B8470000-0x00007FF6B8865000-memory.dmp	upx
behavioral2/memory/756-781-0x00007FF6073D0000-0x00007FF6077C5000-memory.dmp	upx
behavioral2/memory/4652-816-0x00007FF6709F0000-0x00007FF670DE5000-memory.dmp	upx
behavioral2/memory/4828-803-0x00007FF7B2D70000-0x00007FF7B3165000-memory.dmp	upx
behavioral2/memory/3756-792-0x00007FF7CBCF0000-0x00007FF7CC0E5000-memory.dmp	upx
behavioral2/memory/5060-831-0x00007FF77A150000-0x00007FF77A545000-memory.dmp	upx
behavioral2/memory/4560-825-0x00007FF6B9230000-0x00007FF6B9625000-memory.dmp	upx
behavioral2/memory/864-1201-0x00007FF788820000-0x00007FF788C15000-memory.dmp	upx
behavioral2/memory/3200-1884-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp	upx
behavioral2/memory/3416-1885-0x00007FF680160000-0x00007FF680555000-memory.dmp	upx
behavioral2/memory/648-1886-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp	upx
behavioral2/memory/5056-1887-0x00007FF667380000-0x00007FF667775000-memory.dmp	upx
behavioral2/memory/864-1888-0x00007FF788820000-0x00007FF788C15000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\RQrUcCF.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HnLQOQO.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\mKGJMMt.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\OlBDbcg.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\PldzHbe.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\voLvDld.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\NIOjzUt.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\exgyhph.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\INfwoSh.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\TBqoeOM.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\SylATQA.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HzOsDJk.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\iWHNzTH.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\GeAXWLr.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\xOfeBVX.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\YBmqxHT.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\SmdIvdo.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HSJZWyt.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\aPNCdsw.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\CVupvHg.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\NdadOda.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\fRaTJks.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\qVibafR.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\ZcgiEkx.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\LgmdZMf.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\MtqEQss.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\uqGafUm.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\DtoUhvM.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\lOWDQrY.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\ZHTKEmn.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\llnuwlY.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HOHOmZU.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\mqgfoCB.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\Jgebnoa.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\njeXffc.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\blNitYk.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrcvIRK.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\MhMrQLb.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HWpZorg.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\KMLEkIm.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\jhzvMOM.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\ezyknie.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\RCuaKCm.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\KnJQOpV.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\EsBaCWL.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\zGfDNuh.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\SjXxjuH.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\DGgsgvG.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\BWyyRTM.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\IceWtip.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\rnrTwiu.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\lVTmJMP.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\KhXCQKi.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\MKeqOXu.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\kVhqRmA.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\NhrZJEa.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\TmZYnEi.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\tQlMXdJ.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\IqMvQdn.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\HrEqqfk.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\TFLVzzC.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\YSKxldY.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\taBoHRi.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
File created	C:\Windows\System32\wUurLdb.exe	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13708	dwm.exe
Token: SeChangeNotifyPrivilege	13708	dwm.exe
Token: 33	13708	dwm.exe
Token: SeIncBasePriorityPrivilege	13708	dwm.exe
Token: SeShutdownPrivilege	13708	dwm.exe
Token: SeCreatePagefilePrivilege	13708	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4488	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	91
PID 864 wrote to memory of 4488	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	91
PID 864 wrote to memory of 3176	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	92
PID 864 wrote to memory of 3176	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	92
PID 864 wrote to memory of 3024	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	93
PID 864 wrote to memory of 3024	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	93
PID 864 wrote to memory of 4440	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	94
PID 864 wrote to memory of 4440	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	94
PID 864 wrote to memory of 3672	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	95
PID 864 wrote to memory of 3672	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	95
PID 864 wrote to memory of 3932	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	96
PID 864 wrote to memory of 3932	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	96
PID 864 wrote to memory of 4292	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	97
PID 864 wrote to memory of 4292	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	97
PID 864 wrote to memory of 3200	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	98
PID 864 wrote to memory of 3200	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	98
PID 864 wrote to memory of 3800	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	99
PID 864 wrote to memory of 3800	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	99
PID 864 wrote to memory of 3416	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	100
PID 864 wrote to memory of 3416	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	100
PID 864 wrote to memory of 648	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	101
PID 864 wrote to memory of 648	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	101
PID 864 wrote to memory of 1504	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	102
PID 864 wrote to memory of 1504	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	102
PID 864 wrote to memory of 5056	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	103
PID 864 wrote to memory of 5056	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	103
PID 864 wrote to memory of 1160	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	104
PID 864 wrote to memory of 1160	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	104
PID 864 wrote to memory of 2792	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	105
PID 864 wrote to memory of 2792	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	105
PID 864 wrote to memory of 2676	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	106
PID 864 wrote to memory of 2676	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	106
PID 864 wrote to memory of 3480	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	107
PID 864 wrote to memory of 3480	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	107
PID 864 wrote to memory of 380	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	108
PID 864 wrote to memory of 380	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	108
PID 864 wrote to memory of 756	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	109
PID 864 wrote to memory of 756	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	109
PID 864 wrote to memory of 3756	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	110
PID 864 wrote to memory of 3756	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	110
PID 864 wrote to memory of 4828	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	111
PID 864 wrote to memory of 4828	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	111
PID 864 wrote to memory of 4652	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	112
PID 864 wrote to memory of 4652	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	112
PID 864 wrote to memory of 4560	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	113
PID 864 wrote to memory of 4560	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	113
PID 864 wrote to memory of 5060	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	114
PID 864 wrote to memory of 5060	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	114
PID 864 wrote to memory of 4320	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	115
PID 864 wrote to memory of 4320	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	115
PID 864 wrote to memory of 3284	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	116
PID 864 wrote to memory of 3284	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	116
PID 864 wrote to memory of 832	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	117
PID 864 wrote to memory of 832	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	117
PID 864 wrote to memory of 1508	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	118
PID 864 wrote to memory of 1508	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	118
PID 864 wrote to memory of 4912	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	119
PID 864 wrote to memory of 4912	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	119
PID 864 wrote to memory of 2844	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	120
PID 864 wrote to memory of 2844	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	120
PID 864 wrote to memory of 4516	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	121
PID 864 wrote to memory of 4516	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	121
PID 864 wrote to memory of 2160	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	122
PID 864 wrote to memory of 2160	864	5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe	122

C:\Users\Admin\AppData\Local\Temp\5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5336159c4cc6a9787d3037d900e84e30_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\System32\OmZXsab.exe
  C:\Windows\System32\OmZXsab.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\mBfMFQE.exe
  C:\Windows\System32\mBfMFQE.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\ezyknie.exe
  C:\Windows\System32\ezyknie.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\ZsyVepV.exe
  C:\Windows\System32\ZsyVepV.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\MyrvEag.exe
  C:\Windows\System32\MyrvEag.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\PZXOVgr.exe
  C:\Windows\System32\PZXOVgr.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\zfycGEc.exe
  C:\Windows\System32\zfycGEc.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\RSkBHPp.exe
  C:\Windows\System32\RSkBHPp.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\KwtxYdz.exe
  C:\Windows\System32\KwtxYdz.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\JIjbfzw.exe
  C:\Windows\System32\JIjbfzw.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System32\pXzAzcA.exe
  C:\Windows\System32\pXzAzcA.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System32\RCuaKCm.exe
  C:\Windows\System32\RCuaKCm.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\huKrmaD.exe
  C:\Windows\System32\huKrmaD.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\gNaieKy.exe
  C:\Windows\System32\gNaieKy.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\nskGGmP.exe
  C:\Windows\System32\nskGGmP.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\PBQSYmq.exe
  C:\Windows\System32\PBQSYmq.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\dvzyAMf.exe
  C:\Windows\System32\dvzyAMf.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\uAOqYkX.exe
  C:\Windows\System32\uAOqYkX.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System32\taBoHRi.exe
  C:\Windows\System32\taBoHRi.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\llnuwlY.exe
  C:\Windows\System32\llnuwlY.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\RPNEUnS.exe
  C:\Windows\System32\RPNEUnS.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\GFoWsAq.exe
  C:\Windows\System32\GFoWsAq.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\ZKmvMXY.exe
  C:\Windows\System32\ZKmvMXY.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\ozDOvTs.exe
  C:\Windows\System32\ozDOvTs.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\FGTGlqI.exe
  C:\Windows\System32\FGTGlqI.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\iJDlfEn.exe
  C:\Windows\System32\iJDlfEn.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\noeLzxA.exe
  C:\Windows\System32\noeLzxA.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\VZgwsTh.exe
  C:\Windows\System32\VZgwsTh.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\HypKwTF.exe
  C:\Windows\System32\HypKwTF.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\DBkxemc.exe
  C:\Windows\System32\DBkxemc.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\gQmMwzZ.exe
  C:\Windows\System32\gQmMwzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\eAnfiTg.exe
  C:\Windows\System32\eAnfiTg.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\lYFsvCH.exe
  C:\Windows\System32\lYFsvCH.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\dSJsgvA.exe
  C:\Windows\System32\dSJsgvA.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\mBPeWSU.exe
  C:\Windows\System32\mBPeWSU.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\pVflmAR.exe
  C:\Windows\System32\pVflmAR.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\ZqffYuW.exe
  C:\Windows\System32\ZqffYuW.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\KUQwCrY.exe
  C:\Windows\System32\KUQwCrY.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System32\aECAPRE.exe
  C:\Windows\System32\aECAPRE.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System32\lQLTFKR.exe
  C:\Windows\System32\lQLTFKR.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System32\yoVMEyR.exe
  C:\Windows\System32\yoVMEyR.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\UCDFyLS.exe
  C:\Windows\System32\UCDFyLS.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\FZDpcNU.exe
  C:\Windows\System32\FZDpcNU.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\RNAXapN.exe
  C:\Windows\System32\RNAXapN.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\VzcGUrm.exe
  C:\Windows\System32\VzcGUrm.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\wByEDHZ.exe
  C:\Windows\System32\wByEDHZ.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\xOfeBVX.exe
  C:\Windows\System32\xOfeBVX.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\gEgBbqZ.exe
  C:\Windows\System32\gEgBbqZ.exe
  2⤵
  - Executes dropped EXE
  PID:5144
- C:\Windows\System32\UfzvXTv.exe
  C:\Windows\System32\UfzvXTv.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System32\dDRcxSG.exe
  C:\Windows\System32\dDRcxSG.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Windows\System32\nXDRYFN.exe
  C:\Windows\System32\nXDRYFN.exe
  2⤵
  - Executes dropped EXE
  PID:5228
- C:\Windows\System32\eNjkCvN.exe
  C:\Windows\System32\eNjkCvN.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System32\vnpniuY.exe
  C:\Windows\System32\vnpniuY.exe
  2⤵
  - Executes dropped EXE
  PID:5272
- C:\Windows\System32\NeNZths.exe
  C:\Windows\System32\NeNZths.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\MZZpCRZ.exe
  C:\Windows\System32\MZZpCRZ.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Windows\System32\tLfDDlH.exe
  C:\Windows\System32\tLfDDlH.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System32\TRradeF.exe
  C:\Windows\System32\TRradeF.exe
  2⤵
  - Executes dropped EXE
  PID:5384
- C:\Windows\System32\wpbFafr.exe
  C:\Windows\System32\wpbFafr.exe
  2⤵
  - Executes dropped EXE
  PID:5412
- C:\Windows\System32\qJZXcdT.exe
  C:\Windows\System32\qJZXcdT.exe
  2⤵
  - Executes dropped EXE
  PID:5452
- C:\Windows\System32\rzbFTlv.exe
  C:\Windows\System32\rzbFTlv.exe
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Windows\System32\jhzvMOM.exe
  C:\Windows\System32\jhzvMOM.exe
  2⤵
  - Executes dropped EXE
  PID:5496
- C:\Windows\System32\WtaNwMA.exe
  C:\Windows\System32\WtaNwMA.exe
  2⤵
  - Executes dropped EXE
  PID:5524
- C:\Windows\System32\tVeAwFp.exe
  C:\Windows\System32\tVeAwFp.exe
  2⤵
  - Executes dropped EXE
  PID:5564
- C:\Windows\System32\HibZFoL.exe
  C:\Windows\System32\HibZFoL.exe
  2⤵
  - Executes dropped EXE
  PID:5580
- C:\Windows\System32\VPoSMAk.exe
  C:\Windows\System32\VPoSMAk.exe
  2⤵
  PID:5620
- C:\Windows\System32\aZadcNk.exe
  C:\Windows\System32\aZadcNk.exe
  2⤵
  PID:5636
- C:\Windows\System32\RcmVcYz.exe
  C:\Windows\System32\RcmVcYz.exe
  2⤵
  PID:5676
- C:\Windows\System32\uPEzoUc.exe
  C:\Windows\System32\uPEzoUc.exe
  2⤵
  PID:5704
- C:\Windows\System32\YnoChiY.exe
  C:\Windows\System32\YnoChiY.exe
  2⤵
  PID:5720
- C:\Windows\System32\ZYTzQAv.exe
  C:\Windows\System32\ZYTzQAv.exe
  2⤵
  PID:5748
- C:\Windows\System32\QHKkVbd.exe
  C:\Windows\System32\QHKkVbd.exe
  2⤵
  PID:5776
- C:\Windows\System32\GVbJjdb.exe
  C:\Windows\System32\GVbJjdb.exe
  2⤵
  PID:5816
- C:\Windows\System32\zKeZbiR.exe
  C:\Windows\System32\zKeZbiR.exe
  2⤵
  PID:5832
- C:\Windows\System32\LCflKfN.exe
  C:\Windows\System32\LCflKfN.exe
  2⤵
  PID:5860
- C:\Windows\System32\TsAOUvt.exe
  C:\Windows\System32\TsAOUvt.exe
  2⤵
  PID:5888
- C:\Windows\System32\AQKrztZ.exe
  C:\Windows\System32\AQKrztZ.exe
  2⤵
  PID:5928
- C:\Windows\System32\jiQWmdG.exe
  C:\Windows\System32\jiQWmdG.exe
  2⤵
  PID:5944
- C:\Windows\System32\niDMUHX.exe
  C:\Windows\System32\niDMUHX.exe
  2⤵
  PID:5972
- C:\Windows\System32\YEgdVlz.exe
  C:\Windows\System32\YEgdVlz.exe
  2⤵
  PID:6000
- C:\Windows\System32\UWCZONK.exe
  C:\Windows\System32\UWCZONK.exe
  2⤵
  PID:6040
- C:\Windows\System32\JuyyvKP.exe
  C:\Windows\System32\JuyyvKP.exe
  2⤵
  PID:6056
- C:\Windows\System32\YbwaFtx.exe
  C:\Windows\System32\YbwaFtx.exe
  2⤵
  PID:6096
- C:\Windows\System32\JsapDlr.exe
  C:\Windows\System32\JsapDlr.exe
  2⤵
  PID:6112
- C:\Windows\System32\glIkbJf.exe
  C:\Windows\System32\glIkbJf.exe
  2⤵
  PID:2520
- C:\Windows\System32\AaocKpb.exe
  C:\Windows\System32\AaocKpb.exe
  2⤵
  PID:1468
- C:\Windows\System32\pDRBiTS.exe
  C:\Windows\System32\pDRBiTS.exe
  2⤵
  PID:2744
- C:\Windows\System32\UuAlLeR.exe
  C:\Windows\System32\UuAlLeR.exe
  2⤵
  PID:4660
- C:\Windows\System32\QJZckxr.exe
  C:\Windows\System32\QJZckxr.exe
  2⤵
  PID:5136
- C:\Windows\System32\zwNdpGf.exe
  C:\Windows\System32\zwNdpGf.exe
  2⤵
  PID:5192
- C:\Windows\System32\EXoFJQq.exe
  C:\Windows\System32\EXoFJQq.exe
  2⤵
  PID:5248
- C:\Windows\System32\ddQpbwU.exe
  C:\Windows\System32\ddQpbwU.exe
  2⤵
  PID:5288
- C:\Windows\System32\JzqbNOs.exe
  C:\Windows\System32\JzqbNOs.exe
  2⤵
  PID:5352
- C:\Windows\System32\MtZzalm.exe
  C:\Windows\System32\MtZzalm.exe
  2⤵
  PID:5408
- C:\Windows\System32\HZzZQTR.exe
  C:\Windows\System32\HZzZQTR.exe
  2⤵
  PID:5472
- C:\Windows\System32\ZnrsDYU.exe
  C:\Windows\System32\ZnrsDYU.exe
  2⤵
  PID:5572
- C:\Windows\System32\heEIsOh.exe
  C:\Windows\System32\heEIsOh.exe
  2⤵
  PID:5612
- C:\Windows\System32\EnXorRE.exe
  C:\Windows\System32\EnXorRE.exe
  2⤵
  PID:5696
- C:\Windows\System32\UWJQoRh.exe
  C:\Windows\System32\UWJQoRh.exe
  2⤵
  PID:5764
- C:\Windows\System32\FiAOMtq.exe
  C:\Windows\System32\FiAOMtq.exe
  2⤵
  PID:5824
- C:\Windows\System32\NPNlUXU.exe
  C:\Windows\System32\NPNlUXU.exe
  2⤵
  PID:5900
- C:\Windows\System32\wpbdMIO.exe
  C:\Windows\System32\wpbdMIO.exe
  2⤵
  PID:5940
- C:\Windows\System32\zGfDNuh.exe
  C:\Windows\System32\zGfDNuh.exe
  2⤵
  PID:5996
- C:\Windows\System32\IqMvQdn.exe
  C:\Windows\System32\IqMvQdn.exe
  2⤵
  PID:6072
- C:\Windows\System32\aOrRGYE.exe
  C:\Windows\System32\aOrRGYE.exe
  2⤵
  PID:1844
- C:\Windows\System32\FDvIFFJ.exe
  C:\Windows\System32\FDvIFFJ.exe
  2⤵
  PID:3992
- C:\Windows\System32\tuuSAqu.exe
  C:\Windows\System32\tuuSAqu.exe
  2⤵
  PID:1148
- C:\Windows\System32\RQrUcCF.exe
  C:\Windows\System32\RQrUcCF.exe
  2⤵
  PID:5296
- C:\Windows\System32\tUeXZWv.exe
  C:\Windows\System32\tUeXZWv.exe
  2⤵
  PID:5508
- C:\Windows\System32\zDSvxrr.exe
  C:\Windows\System32\zDSvxrr.exe
  2⤵
  PID:5668
- C:\Windows\System32\UuFdTZg.exe
  C:\Windows\System32\UuFdTZg.exe
  2⤵
  PID:5712
- C:\Windows\System32\lVTmJMP.exe
  C:\Windows\System32\lVTmJMP.exe
  2⤵
  PID:6168
- C:\Windows\System32\wGsUspc.exe
  C:\Windows\System32\wGsUspc.exe
  2⤵
  PID:6184
- C:\Windows\System32\vteFWkD.exe
  C:\Windows\System32\vteFWkD.exe
  2⤵
  PID:6212
- C:\Windows\System32\PeoWvjW.exe
  C:\Windows\System32\PeoWvjW.exe
  2⤵
  PID:6252
- C:\Windows\System32\TBqoeOM.exe
  C:\Windows\System32\TBqoeOM.exe
  2⤵
  PID:6268
- C:\Windows\System32\QojThrC.exe
  C:\Windows\System32\QojThrC.exe
  2⤵
  PID:6308
- C:\Windows\System32\cPLfjgE.exe
  C:\Windows\System32\cPLfjgE.exe
  2⤵
  PID:6324
- C:\Windows\System32\yTSdLMA.exe
  C:\Windows\System32\yTSdLMA.exe
  2⤵
  PID:6368
- C:\Windows\System32\UlgWPFM.exe
  C:\Windows\System32\UlgWPFM.exe
  2⤵
  PID:6384
- C:\Windows\System32\NYezmPU.exe
  C:\Windows\System32\NYezmPU.exe
  2⤵
  PID:6424
- C:\Windows\System32\HnLQOQO.exe
  C:\Windows\System32\HnLQOQO.exe
  2⤵
  PID:6440
- C:\Windows\System32\BSWOzSC.exe
  C:\Windows\System32\BSWOzSC.exe
  2⤵
  PID:6468
- C:\Windows\System32\GnpJrrD.exe
  C:\Windows\System32\GnpJrrD.exe
  2⤵
  PID:6496
- C:\Windows\System32\jKWgGuh.exe
  C:\Windows\System32\jKWgGuh.exe
  2⤵
  PID:6524
- C:\Windows\System32\cAcHmVf.exe
  C:\Windows\System32\cAcHmVf.exe
  2⤵
  PID:6552
- C:\Windows\System32\TWrZorr.exe
  C:\Windows\System32\TWrZorr.exe
  2⤵
  PID:6580
- C:\Windows\System32\hjHiTGh.exe
  C:\Windows\System32\hjHiTGh.exe
  2⤵
  PID:6620
- C:\Windows\System32\RjGWuJT.exe
  C:\Windows\System32\RjGWuJT.exe
  2⤵
  PID:6648
- C:\Windows\System32\upRvEfS.exe
  C:\Windows\System32\upRvEfS.exe
  2⤵
  PID:6676
- C:\Windows\System32\hJmnNfc.exe
  C:\Windows\System32\hJmnNfc.exe
  2⤵
  PID:6692
- C:\Windows\System32\kdMjUQT.exe
  C:\Windows\System32\kdMjUQT.exe
  2⤵
  PID:6732
- C:\Windows\System32\VUejSXr.exe
  C:\Windows\System32\VUejSXr.exe
  2⤵
  PID:6748
- C:\Windows\System32\RorVTcQ.exe
  C:\Windows\System32\RorVTcQ.exe
  2⤵
  PID:6776
- C:\Windows\System32\RCzPQrl.exe
  C:\Windows\System32\RCzPQrl.exe
  2⤵
  PID:6804
- C:\Windows\System32\jdZSQlm.exe
  C:\Windows\System32\jdZSQlm.exe
  2⤵
  PID:6844
- C:\Windows\System32\Tbrxxkw.exe
  C:\Windows\System32\Tbrxxkw.exe
  2⤵
  PID:6860
- C:\Windows\System32\ObVkPfJ.exe
  C:\Windows\System32\ObVkPfJ.exe
  2⤵
  PID:6888
- C:\Windows\System32\ZQszzIN.exe
  C:\Windows\System32\ZQszzIN.exe
  2⤵
  PID:6916
- C:\Windows\System32\NtPRsfJ.exe
  C:\Windows\System32\NtPRsfJ.exe
  2⤵
  PID:6956
- C:\Windows\System32\glBDcfm.exe
  C:\Windows\System32\glBDcfm.exe
  2⤵
  PID:6972
- C:\Windows\System32\CJCmwqJ.exe
  C:\Windows\System32\CJCmwqJ.exe
  2⤵
  PID:7000
- C:\Windows\System32\EJTpNfh.exe
  C:\Windows\System32\EJTpNfh.exe
  2⤵
  PID:7040
- C:\Windows\System32\DmbmdXQ.exe
  C:\Windows\System32\DmbmdXQ.exe
  2⤵
  PID:7056
- C:\Windows\System32\emWlmfx.exe
  C:\Windows\System32\emWlmfx.exe
  2⤵
  PID:7096
- C:\Windows\System32\HrEqqfk.exe
  C:\Windows\System32\HrEqqfk.exe
  2⤵
  PID:7112
- C:\Windows\System32\GGPyPby.exe
  C:\Windows\System32\GGPyPby.exe
  2⤵
  PID:7152
- C:\Windows\System32\puhLSjL.exe
  C:\Windows\System32\puhLSjL.exe
  2⤵
  PID:5904
- C:\Windows\System32\muFMfps.exe
  C:\Windows\System32\muFMfps.exe
  2⤵
  PID:5988
- C:\Windows\System32\CYZANmX.exe
  C:\Windows\System32\CYZANmX.exe
  2⤵
  PID:932
- C:\Windows\System32\ZrcvIRK.exe
  C:\Windows\System32\ZrcvIRK.exe
  2⤵
  PID:5376
- C:\Windows\System32\ITsVhsb.exe
  C:\Windows\System32\ITsVhsb.exe
  2⤵
  PID:5536
- C:\Windows\System32\keNTocV.exe
  C:\Windows\System32\keNTocV.exe
  2⤵
  PID:5800
- C:\Windows\System32\snnPwLW.exe
  C:\Windows\System32\snnPwLW.exe
  2⤵
  PID:6260
- C:\Windows\System32\fZtDxhh.exe
  C:\Windows\System32\fZtDxhh.exe
  2⤵
  PID:6300
- C:\Windows\System32\HdqPRVD.exe
  C:\Windows\System32\HdqPRVD.exe
  2⤵
  PID:6340
- C:\Windows\System32\TjPtaQl.exe
  C:\Windows\System32\TjPtaQl.exe
  2⤵
  PID:6464
- C:\Windows\System32\tTrVJJX.exe
  C:\Windows\System32\tTrVJJX.exe
  2⤵
  PID:6484
- C:\Windows\System32\OLxwlvv.exe
  C:\Windows\System32\OLxwlvv.exe
  2⤵
  PID:6592
- C:\Windows\System32\NjKfuGN.exe
  C:\Windows\System32\NjKfuGN.exe
  2⤵
  PID:6632
- C:\Windows\System32\xgVNEqM.exe
  C:\Windows\System32\xgVNEqM.exe
  2⤵
  PID:6708
- C:\Windows\System32\IosHHXO.exe
  C:\Windows\System32\IosHHXO.exe
  2⤵
  PID:6760
- C:\Windows\System32\TSdkuEy.exe
  C:\Windows\System32\TSdkuEy.exe
  2⤵
  PID:6856
- C:\Windows\System32\NaqyAWg.exe
  C:\Windows\System32\NaqyAWg.exe
  2⤵
  PID:6876
- C:\Windows\System32\HOHOmZU.exe
  C:\Windows\System32\HOHOmZU.exe
  2⤵
  PID:6932
- C:\Windows\System32\HYUFSlN.exe
  C:\Windows\System32\HYUFSlN.exe
  2⤵
  PID:7024
- C:\Windows\System32\qbekkmX.exe
  C:\Windows\System32\qbekkmX.exe
  2⤵
  PID:7080
- C:\Windows\System32\sQoQdpz.exe
  C:\Windows\System32\sQoQdpz.exe
  2⤵
  PID:7144
- C:\Windows\System32\bggURJS.exe
  C:\Windows\System32\bggURJS.exe
  2⤵
  PID:6080
- C:\Windows\System32\dokiHXP.exe
  C:\Windows\System32\dokiHXP.exe
  2⤵
  PID:5788
- C:\Windows\System32\BeGtMiW.exe
  C:\Windows\System32\BeGtMiW.exe
  2⤵
  PID:6224
- C:\Windows\System32\tiAjHlE.exe
  C:\Windows\System32\tiAjHlE.exe
  2⤵
  PID:6408
- C:\Windows\System32\KhXCQKi.exe
  C:\Windows\System32\KhXCQKi.exe
  2⤵
  PID:6512
- C:\Windows\System32\qiUpwwj.exe
  C:\Windows\System32\qiUpwwj.exe
  2⤵
  PID:6744
- C:\Windows\System32\etndvUw.exe
  C:\Windows\System32\etndvUw.exe
  2⤵
  PID:6836
- C:\Windows\System32\HSJZWyt.exe
  C:\Windows\System32\HSJZWyt.exe
  2⤵
  PID:7012
- C:\Windows\System32\EgCsvVr.exe
  C:\Windows\System32\EgCsvVr.exe
  2⤵
  PID:7172
- C:\Windows\System32\QMApxhN.exe
  C:\Windows\System32\QMApxhN.exe
  2⤵
  PID:7192
- C:\Windows\System32\VBPhCOB.exe
  C:\Windows\System32\VBPhCOB.exe
  2⤵
  PID:7220
- C:\Windows\System32\fnlJiYN.exe
  C:\Windows\System32\fnlJiYN.exe
  2⤵
  PID:7248
- C:\Windows\System32\FrUkIOv.exe
  C:\Windows\System32\FrUkIOv.exe
  2⤵
  PID:7284
- C:\Windows\System32\scichvI.exe
  C:\Windows\System32\scichvI.exe
  2⤵
  PID:7304
- C:\Windows\System32\GGpMOKp.exe
  C:\Windows\System32\GGpMOKp.exe
  2⤵
  PID:7328
- C:\Windows\System32\pTmyrth.exe
  C:\Windows\System32\pTmyrth.exe
  2⤵
  PID:7360
- C:\Windows\System32\peakGfo.exe
  C:\Windows\System32\peakGfo.exe
  2⤵
  PID:7392
- C:\Windows\System32\RYuFDWE.exe
  C:\Windows\System32\RYuFDWE.exe
  2⤵
  PID:7416
- C:\Windows\System32\lFunGqU.exe
  C:\Windows\System32\lFunGqU.exe
  2⤵
  PID:7444
- C:\Windows\System32\yaHTsep.exe
  C:\Windows\System32\yaHTsep.exe
  2⤵
  PID:7472
- C:\Windows\System32\fyVhhyw.exe
  C:\Windows\System32\fyVhhyw.exe
  2⤵
  PID:7512
- C:\Windows\System32\GCezfeR.exe
  C:\Windows\System32\GCezfeR.exe
  2⤵
  PID:7528
- C:\Windows\System32\fNCskFc.exe
  C:\Windows\System32\fNCskFc.exe
  2⤵
  PID:7556
- C:\Windows\System32\MKeqOXu.exe
  C:\Windows\System32\MKeqOXu.exe
  2⤵
  PID:7584
- C:\Windows\System32\XOajKEu.exe
  C:\Windows\System32\XOajKEu.exe
  2⤵
  PID:7612
- C:\Windows\System32\SdObYwN.exe
  C:\Windows\System32\SdObYwN.exe
  2⤵
  PID:7640
- C:\Windows\System32\MNCuUAa.exe
  C:\Windows\System32\MNCuUAa.exe
  2⤵
  PID:7680
- C:\Windows\System32\raipRaa.exe
  C:\Windows\System32\raipRaa.exe
  2⤵
  PID:7708
- C:\Windows\System32\KqTaQVw.exe
  C:\Windows\System32\KqTaQVw.exe
  2⤵
  PID:7724
- C:\Windows\System32\ecSlxTO.exe
  C:\Windows\System32\ecSlxTO.exe
  2⤵
  PID:7764
- C:\Windows\System32\DVpeHGP.exe
  C:\Windows\System32\DVpeHGP.exe
  2⤵
  PID:7792
- C:\Windows\System32\kQbWvnh.exe
  C:\Windows\System32\kQbWvnh.exe
  2⤵
  PID:7808
- C:\Windows\System32\kVhqRmA.exe
  C:\Windows\System32\kVhqRmA.exe
  2⤵
  PID:7848
- C:\Windows\System32\AMgaOPR.exe
  C:\Windows\System32\AMgaOPR.exe
  2⤵
  PID:7864
- C:\Windows\System32\cuKJzTt.exe
  C:\Windows\System32\cuKJzTt.exe
  2⤵
  PID:7904
- C:\Windows\System32\TpyhJBs.exe
  C:\Windows\System32\TpyhJBs.exe
  2⤵
  PID:7920
- C:\Windows\System32\neMBBhL.exe
  C:\Windows\System32\neMBBhL.exe
  2⤵
  PID:7960
- C:\Windows\System32\MAJyQQq.exe
  C:\Windows\System32\MAJyQQq.exe
  2⤵
  PID:7976
- C:\Windows\System32\MFjEfXQ.exe
  C:\Windows\System32\MFjEfXQ.exe
  2⤵
  PID:8004
- C:\Windows\System32\gJtaype.exe
  C:\Windows\System32\gJtaype.exe
  2⤵
  PID:8044
- C:\Windows\System32\UeWawKj.exe
  C:\Windows\System32\UeWawKj.exe
  2⤵
  PID:8072
- C:\Windows\System32\zJSfNrD.exe
  C:\Windows\System32\zJSfNrD.exe
  2⤵
  PID:8088
- C:\Windows\System32\EwDHYCa.exe
  C:\Windows\System32\EwDHYCa.exe
  2⤵
  PID:8128
- C:\Windows\System32\xsRFbGy.exe
  C:\Windows\System32\xsRFbGy.exe
  2⤵
  PID:8144
- C:\Windows\System32\JAIraEK.exe
  C:\Windows\System32\JAIraEK.exe
  2⤵
  PID:8184
- C:\Windows\System32\FuXFvXq.exe
  C:\Windows\System32\FuXFvXq.exe
  2⤵
  PID:7160
- C:\Windows\System32\AgIHfXA.exe
  C:\Windows\System32\AgIHfXA.exe
  2⤵
  PID:5380
- C:\Windows\System32\PmwcsKu.exe
  C:\Windows\System32\PmwcsKu.exe
  2⤵
  PID:6280
- C:\Windows\System32\EfWaWoD.exe
  C:\Windows\System32\EfWaWoD.exe
  2⤵
  PID:3748
- C:\Windows\System32\MhMrQLb.exe
  C:\Windows\System32\MhMrQLb.exe
  2⤵
  PID:7068
- C:\Windows\System32\RbUcnRL.exe
  C:\Windows\System32\RbUcnRL.exe
  2⤵
  PID:7184
- C:\Windows\System32\BJSSdft.exe
  C:\Windows\System32\BJSSdft.exe
  2⤵
  PID:7280
- C:\Windows\System32\PoTWnmq.exe
  C:\Windows\System32\PoTWnmq.exe
  2⤵
  PID:7316
- C:\Windows\System32\PVNHLve.exe
  C:\Windows\System32\PVNHLve.exe
  2⤵
  PID:7388
- C:\Windows\System32\uqGafUm.exe
  C:\Windows\System32\uqGafUm.exe
  2⤵
  PID:7412
- C:\Windows\System32\KBRZdPK.exe
  C:\Windows\System32\KBRZdPK.exe
  2⤵
  PID:7504
- C:\Windows\System32\BCgyPzr.exe
  C:\Windows\System32\BCgyPzr.exe
  2⤵
  PID:7540
- C:\Windows\System32\HbAUMci.exe
  C:\Windows\System32\HbAUMci.exe
  2⤵
  PID:7596
- C:\Windows\System32\jlKNqtD.exe
  C:\Windows\System32\jlKNqtD.exe
  2⤵
  PID:7692
- C:\Windows\System32\cDlGHVM.exe
  C:\Windows\System32\cDlGHVM.exe
  2⤵
  PID:7720
- C:\Windows\System32\sffbFDx.exe
  C:\Windows\System32\sffbFDx.exe
  2⤵
  PID:7772
- C:\Windows\System32\xWmRuDL.exe
  C:\Windows\System32\xWmRuDL.exe
  2⤵
  PID:7876
- C:\Windows\System32\flIcgom.exe
  C:\Windows\System32\flIcgom.exe
  2⤵
  PID:7912
- C:\Windows\System32\qFksGll.exe
  C:\Windows\System32\qFksGll.exe
  2⤵
  PID:7972
- C:\Windows\System32\caqEvrg.exe
  C:\Windows\System32\caqEvrg.exe
  2⤵
  PID:8136
- C:\Windows\System32\gbljUZO.exe
  C:\Windows\System32\gbljUZO.exe
  2⤵
  PID:8176
- C:\Windows\System32\CtuUTnR.exe
  C:\Windows\System32\CtuUTnR.exe
  2⤵
  PID:5876
- C:\Windows\System32\pkyLjWv.exe
  C:\Windows\System32\pkyLjWv.exe
  2⤵
  PID:6292
- C:\Windows\System32\KsfjriS.exe
  C:\Windows\System32\KsfjriS.exe
  2⤵
  PID:6396
- C:\Windows\System32\EZAclPK.exe
  C:\Windows\System32\EZAclPK.exe
  2⤵
  PID:4604
- C:\Windows\System32\uOsUumO.exe
  C:\Windows\System32\uOsUumO.exe
  2⤵
  PID:4360
- C:\Windows\System32\jMXWWQw.exe
  C:\Windows\System32\jMXWWQw.exe
  2⤵
  PID:7048
- C:\Windows\System32\HWpZorg.exe
  C:\Windows\System32\HWpZorg.exe
  2⤵
  PID:7260
- C:\Windows\System32\bRJctSQ.exe
  C:\Windows\System32\bRJctSQ.exe
  2⤵
  PID:3468
- C:\Windows\System32\cHwgELH.exe
  C:\Windows\System32\cHwgELH.exe
  2⤵
  PID:7344
- C:\Windows\System32\nIqNsAB.exe
  C:\Windows\System32\nIqNsAB.exe
  2⤵
  PID:2016
- C:\Windows\System32\QdPgopB.exe
  C:\Windows\System32\QdPgopB.exe
  2⤵
  PID:4872
- C:\Windows\System32\BMrxmzP.exe
  C:\Windows\System32\BMrxmzP.exe
  2⤵
  PID:1172
- C:\Windows\System32\PWMuALY.exe
  C:\Windows\System32\PWMuALY.exe
  2⤵
  PID:5072
- C:\Windows\System32\lbHAcJP.exe
  C:\Windows\System32\lbHAcJP.exe
  2⤵
  PID:876
- C:\Windows\System32\aSHCRoL.exe
  C:\Windows\System32\aSHCRoL.exe
  2⤵
  PID:3552
- C:\Windows\System32\FmUdhoH.exe
  C:\Windows\System32\FmUdhoH.exe
  2⤵
  PID:8052
- C:\Windows\System32\adfaXsK.exe
  C:\Windows\System32\adfaXsK.exe
  2⤵
  PID:3996
- C:\Windows\System32\DkFmrjK.exe
  C:\Windows\System32\DkFmrjK.exe
  2⤵
  PID:2560
- C:\Windows\System32\IQfhRmo.exe
  C:\Windows\System32\IQfhRmo.exe
  2⤵
  PID:1008
- C:\Windows\System32\IspbGBe.exe
  C:\Windows\System32\IspbGBe.exe
  2⤵
  PID:7520
- C:\Windows\System32\lpBhQjq.exe
  C:\Windows\System32\lpBhQjq.exe
  2⤵
  PID:7820
- C:\Windows\System32\IqgpmYs.exe
  C:\Windows\System32\IqgpmYs.exe
  2⤵
  PID:2372
- C:\Windows\System32\xajNYoI.exe
  C:\Windows\System32\xajNYoI.exe
  2⤵
  PID:7300
- C:\Windows\System32\HOKWpGJ.exe
  C:\Windows\System32\HOKWpGJ.exe
  2⤵
  PID:3532
- C:\Windows\System32\swwSxKc.exe
  C:\Windows\System32\swwSxKc.exe
  2⤵
  PID:1252
- C:\Windows\System32\veigpWU.exe
  C:\Windows\System32\veigpWU.exe
  2⤵
  PID:7748
- C:\Windows\System32\BinEPHN.exe
  C:\Windows\System32\BinEPHN.exe
  2⤵
  PID:7200
- C:\Windows\System32\GozBUAY.exe
  C:\Windows\System32\GozBUAY.exe
  2⤵
  PID:8200
- C:\Windows\System32\nGyTrBr.exe
  C:\Windows\System32\nGyTrBr.exe
  2⤵
  PID:8232
- C:\Windows\System32\DZYpywN.exe
  C:\Windows\System32\DZYpywN.exe
  2⤵
  PID:8260
- C:\Windows\System32\lbbIDET.exe
  C:\Windows\System32\lbbIDET.exe
  2⤵
  PID:8288
- C:\Windows\System32\sYGqGej.exe
  C:\Windows\System32\sYGqGej.exe
  2⤵
  PID:8332
- C:\Windows\System32\LwiIprL.exe
  C:\Windows\System32\LwiIprL.exe
  2⤵
  PID:8352
- C:\Windows\System32\NhrZJEa.exe
  C:\Windows\System32\NhrZJEa.exe
  2⤵
  PID:8380
- C:\Windows\System32\IOhJLTu.exe
  C:\Windows\System32\IOhJLTu.exe
  2⤵
  PID:8412
- C:\Windows\System32\bHmvbEP.exe
  C:\Windows\System32\bHmvbEP.exe
  2⤵
  PID:8440
- C:\Windows\System32\JWJyBLM.exe
  C:\Windows\System32\JWJyBLM.exe
  2⤵
  PID:8456
- C:\Windows\System32\PTfNSfm.exe
  C:\Windows\System32\PTfNSfm.exe
  2⤵
  PID:8484
- C:\Windows\System32\aBrTxrw.exe
  C:\Windows\System32\aBrTxrw.exe
  2⤵
  PID:8524
- C:\Windows\System32\ZFPAUIm.exe
  C:\Windows\System32\ZFPAUIm.exe
  2⤵
  PID:8556
- C:\Windows\System32\TmZYnEi.exe
  C:\Windows\System32\TmZYnEi.exe
  2⤵
  PID:8580
- C:\Windows\System32\CVupvHg.exe
  C:\Windows\System32\CVupvHg.exe
  2⤵
  PID:8616
- C:\Windows\System32\Ltrgubp.exe
  C:\Windows\System32\Ltrgubp.exe
  2⤵
  PID:8644
- C:\Windows\System32\wYqbOLF.exe
  C:\Windows\System32\wYqbOLF.exe
  2⤵
  PID:8672
- C:\Windows\System32\ZryGmcf.exe
  C:\Windows\System32\ZryGmcf.exe
  2⤵
  PID:8700
- C:\Windows\System32\PLjGrLW.exe
  C:\Windows\System32\PLjGrLW.exe
  2⤵
  PID:8728
- C:\Windows\System32\hUAqpjI.exe
  C:\Windows\System32\hUAqpjI.exe
  2⤵
  PID:8756
- C:\Windows\System32\VAMuTSV.exe
  C:\Windows\System32\VAMuTSV.exe
  2⤵
  PID:8784
- C:\Windows\System32\EAjXLxg.exe
  C:\Windows\System32\EAjXLxg.exe
  2⤵
  PID:8804
- C:\Windows\System32\TFLVzzC.exe
  C:\Windows\System32\TFLVzzC.exe
  2⤵
  PID:8828
- C:\Windows\System32\JujGVAx.exe
  C:\Windows\System32\JujGVAx.exe
  2⤵
  PID:8864
- C:\Windows\System32\wqdybjI.exe
  C:\Windows\System32\wqdybjI.exe
  2⤵
  PID:8884
- C:\Windows\System32\dMjnFzT.exe
  C:\Windows\System32\dMjnFzT.exe
  2⤵
  PID:8920
- C:\Windows\System32\ClXGYDV.exe
  C:\Windows\System32\ClXGYDV.exe
  2⤵
  PID:8940
- C:\Windows\System32\lvApoHR.exe
  C:\Windows\System32\lvApoHR.exe
  2⤵
  PID:8976
- C:\Windows\System32\YTEIoZH.exe
  C:\Windows\System32\YTEIoZH.exe
  2⤵
  PID:9016
- C:\Windows\System32\SEtDJQa.exe
  C:\Windows\System32\SEtDJQa.exe
  2⤵
  PID:9036
- C:\Windows\System32\UHygYtc.exe
  C:\Windows\System32\UHygYtc.exe
  2⤵
  PID:9052
- C:\Windows\System32\iSSyrpc.exe
  C:\Windows\System32\iSSyrpc.exe
  2⤵
  PID:9088
- C:\Windows\System32\wwhyhDg.exe
  C:\Windows\System32\wwhyhDg.exe
  2⤵
  PID:9112
- C:\Windows\System32\yAVDwnS.exe
  C:\Windows\System32\yAVDwnS.exe
  2⤵
  PID:9148
- C:\Windows\System32\amyejIH.exe
  C:\Windows\System32\amyejIH.exe
  2⤵
  PID:9176
- C:\Windows\System32\uUdwGyo.exe
  C:\Windows\System32\uUdwGyo.exe
  2⤵
  PID:9196
- C:\Windows\System32\cjBfCKu.exe
  C:\Windows\System32\cjBfCKu.exe
  2⤵
  PID:8212
- C:\Windows\System32\vBEzoKr.exe
  C:\Windows\System32\vBEzoKr.exe
  2⤵
  PID:8256
- C:\Windows\System32\pShTuMp.exe
  C:\Windows\System32\pShTuMp.exe
  2⤵
  PID:8312
- C:\Windows\System32\wUurLdb.exe
  C:\Windows\System32\wUurLdb.exe
  2⤵
  PID:8436
- C:\Windows\System32\DrWXUsF.exe
  C:\Windows\System32\DrWXUsF.exe
  2⤵
  PID:8508
- C:\Windows\System32\wNENizF.exe
  C:\Windows\System32\wNENizF.exe
  2⤵
  PID:8564
- C:\Windows\System32\REgOmpw.exe
  C:\Windows\System32\REgOmpw.exe
  2⤵
  PID:8632
- C:\Windows\System32\YjBfTed.exe
  C:\Windows\System32\YjBfTed.exe
  2⤵
  PID:8712
- C:\Windows\System32\ssmKMaI.exe
  C:\Windows\System32\ssmKMaI.exe
  2⤵
  PID:8772
- C:\Windows\System32\WBqQQJc.exe
  C:\Windows\System32\WBqQQJc.exe
  2⤵
  PID:8824
- C:\Windows\System32\YVPbQah.exe
  C:\Windows\System32\YVPbQah.exe
  2⤵
  PID:8912
- C:\Windows\System32\AwZPTEN.exe
  C:\Windows\System32\AwZPTEN.exe
  2⤵
  PID:8960
- C:\Windows\System32\WgIHNWh.exe
  C:\Windows\System32\WgIHNWh.exe
  2⤵
  PID:9032
- C:\Windows\System32\LgBiztb.exe
  C:\Windows\System32\LgBiztb.exe
  2⤵
  PID:9080
- C:\Windows\System32\WMgGFse.exe
  C:\Windows\System32\WMgGFse.exe
  2⤵
  PID:9168
- C:\Windows\System32\CrmAeXt.exe
  C:\Windows\System32\CrmAeXt.exe
  2⤵
  PID:8240
- C:\Windows\System32\TyyTHNE.exe
  C:\Windows\System32\TyyTHNE.exe
  2⤵
  PID:8424
- C:\Windows\System32\PcZEjEP.exe
  C:\Windows\System32\PcZEjEP.exe
  2⤵
  PID:8572
- C:\Windows\System32\zdBSpmP.exe
  C:\Windows\System32\zdBSpmP.exe
  2⤵
  PID:8736
- C:\Windows\System32\DPgIwBW.exe
  C:\Windows\System32\DPgIwBW.exe
  2⤵
  PID:8896
- C:\Windows\System32\NdadOda.exe
  C:\Windows\System32\NdadOda.exe
  2⤵
  PID:9024
- C:\Windows\System32\YrDVQIF.exe
  C:\Windows\System32\YrDVQIF.exe
  2⤵
  PID:9104
- C:\Windows\System32\PdWzlNk.exe
  C:\Windows\System32\PdWzlNk.exe
  2⤵
  PID:8536
- C:\Windows\System32\XplEQCC.exe
  C:\Windows\System32\XplEQCC.exe
  2⤵
  PID:8696
- C:\Windows\System32\XJtXhXv.exe
  C:\Windows\System32\XJtXhXv.exe
  2⤵
  PID:8340
- C:\Windows\System32\fboKsZx.exe
  C:\Windows\System32\fboKsZx.exe
  2⤵
  PID:8968
- C:\Windows\System32\aaDgDDl.exe
  C:\Windows\System32\aaDgDDl.exe
  2⤵
  PID:9232
- C:\Windows\System32\CcKIylY.exe
  C:\Windows\System32\CcKIylY.exe
  2⤵
  PID:9260
- C:\Windows\System32\PEpiRzI.exe
  C:\Windows\System32\PEpiRzI.exe
  2⤵
  PID:9284
- C:\Windows\System32\dUrvfTY.exe
  C:\Windows\System32\dUrvfTY.exe
  2⤵
  PID:9316
- C:\Windows\System32\sMgTBJv.exe
  C:\Windows\System32\sMgTBJv.exe
  2⤵
  PID:9344
- C:\Windows\System32\voLvDld.exe
  C:\Windows\System32\voLvDld.exe
  2⤵
  PID:9372
- C:\Windows\System32\OhcRhJd.exe
  C:\Windows\System32\OhcRhJd.exe
  2⤵
  PID:9388
- C:\Windows\System32\GJmgJFI.exe
  C:\Windows\System32\GJmgJFI.exe
  2⤵
  PID:9416
- C:\Windows\System32\nshaXtk.exe
  C:\Windows\System32\nshaXtk.exe
  2⤵
  PID:9448
- C:\Windows\System32\mKGJMMt.exe
  C:\Windows\System32\mKGJMMt.exe
  2⤵
  PID:9480
- C:\Windows\System32\NJQcLaL.exe
  C:\Windows\System32\NJQcLaL.exe
  2⤵
  PID:9504
- C:\Windows\System32\ASvCzXF.exe
  C:\Windows\System32\ASvCzXF.exe
  2⤵
  PID:9532
- C:\Windows\System32\xJDqmcS.exe
  C:\Windows\System32\xJDqmcS.exe
  2⤵
  PID:9572
- C:\Windows\System32\YYKUjls.exe
  C:\Windows\System32\YYKUjls.exe
  2⤵
  PID:9588
- C:\Windows\System32\BGvvgcr.exe
  C:\Windows\System32\BGvvgcr.exe
  2⤵
  PID:9624
- C:\Windows\System32\ZkrnPTl.exe
  C:\Windows\System32\ZkrnPTl.exe
  2⤵
  PID:9652
- C:\Windows\System32\maZAwZN.exe
  C:\Windows\System32\maZAwZN.exe
  2⤵
  PID:9684
- C:\Windows\System32\zXVkpVZ.exe
  C:\Windows\System32\zXVkpVZ.exe
  2⤵
  PID:9712
- C:\Windows\System32\HqKhkUS.exe
  C:\Windows\System32\HqKhkUS.exe
  2⤵
  PID:9728
- C:\Windows\System32\fcvgIlb.exe
  C:\Windows\System32\fcvgIlb.exe
  2⤵
  PID:9748
- C:\Windows\System32\OlBDbcg.exe
  C:\Windows\System32\OlBDbcg.exe
  2⤵
  PID:9764
- C:\Windows\System32\BEvjvvI.exe
  C:\Windows\System32\BEvjvvI.exe
  2⤵
  PID:9824
- C:\Windows\System32\oIzYPdo.exe
  C:\Windows\System32\oIzYPdo.exe
  2⤵
  PID:9844
- C:\Windows\System32\ntcOWYJ.exe
  C:\Windows\System32\ntcOWYJ.exe
  2⤵
  PID:9884
- C:\Windows\System32\axNpkYa.exe
  C:\Windows\System32\axNpkYa.exe
  2⤵
  PID:9912
- C:\Windows\System32\KnJQOpV.exe
  C:\Windows\System32\KnJQOpV.exe
  2⤵
  PID:9940
- C:\Windows\System32\WomSITG.exe
  C:\Windows\System32\WomSITG.exe
  2⤵
  PID:9960
- C:\Windows\System32\iuCufns.exe
  C:\Windows\System32\iuCufns.exe
  2⤵
  PID:9984
- C:\Windows\System32\kiwZksZ.exe
  C:\Windows\System32\kiwZksZ.exe
  2⤵
  PID:10024
- C:\Windows\System32\dwojrPW.exe
  C:\Windows\System32\dwojrPW.exe
  2⤵
  PID:10056
- C:\Windows\System32\OFWTAaJ.exe
  C:\Windows\System32\OFWTAaJ.exe
  2⤵
  PID:10084
- C:\Windows\System32\STtRlok.exe
  C:\Windows\System32\STtRlok.exe
  2⤵
  PID:10112
- C:\Windows\System32\XvHdzTv.exe
  C:\Windows\System32\XvHdzTv.exe
  2⤵
  PID:10140
- C:\Windows\System32\yiRfqif.exe
  C:\Windows\System32\yiRfqif.exe
  2⤵
  PID:10164
- C:\Windows\System32\fRaTJks.exe
  C:\Windows\System32\fRaTJks.exe
  2⤵
  PID:10196
- C:\Windows\System32\wdlYfZo.exe
  C:\Windows\System32\wdlYfZo.exe
  2⤵
  PID:10212
- C:\Windows\System32\xucAMbb.exe
  C:\Windows\System32\xucAMbb.exe
  2⤵
  PID:8544
- C:\Windows\System32\HZFkzYs.exe
  C:\Windows\System32\HZFkzYs.exe
  2⤵
  PID:9304
- C:\Windows\System32\zZLpAbg.exe
  C:\Windows\System32\zZLpAbg.exe
  2⤵
  PID:9336
- C:\Windows\System32\LXvIfzM.exe
  C:\Windows\System32\LXvIfzM.exe
  2⤵
  PID:9428
- C:\Windows\System32\CYSdnsS.exe
  C:\Windows\System32\CYSdnsS.exe
  2⤵
  PID:9488
- C:\Windows\System32\wKJWiwt.exe
  C:\Windows\System32\wKJWiwt.exe
  2⤵
  PID:9568
- C:\Windows\System32\qZgKuiO.exe
  C:\Windows\System32\qZgKuiO.exe
  2⤵
  PID:9604
- C:\Windows\System32\lxXJLpk.exe
  C:\Windows\System32\lxXJLpk.exe
  2⤵
  PID:9644
- C:\Windows\System32\ZmIBPPN.exe
  C:\Windows\System32\ZmIBPPN.exe
  2⤵
  PID:9760
- C:\Windows\System32\gIuBgwh.exe
  C:\Windows\System32\gIuBgwh.exe
  2⤵
  PID:9832
- C:\Windows\System32\MsVeguB.exe
  C:\Windows\System32\MsVeguB.exe
  2⤵
  PID:9896
- C:\Windows\System32\ZOBJupU.exe
  C:\Windows\System32\ZOBJupU.exe
  2⤵
  PID:9948
- C:\Windows\System32\hmaVqFr.exe
  C:\Windows\System32\hmaVqFr.exe
  2⤵
  PID:10012
- C:\Windows\System32\PZicbed.exe
  C:\Windows\System32\PZicbed.exe
  2⤵
  PID:10076
- C:\Windows\System32\fTvNSli.exe
  C:\Windows\System32\fTvNSli.exe
  2⤵
  PID:10136
- C:\Windows\System32\VcuhOKI.exe
  C:\Windows\System32\VcuhOKI.exe
  2⤵
  PID:10160
- C:\Windows\System32\SXTdPzK.exe
  C:\Windows\System32\SXTdPzK.exe
  2⤵
  PID:8684
- C:\Windows\System32\WndLxAD.exe
  C:\Windows\System32\WndLxAD.exe
  2⤵
  PID:9400
- C:\Windows\System32\cTyApiZ.exe
  C:\Windows\System32\cTyApiZ.exe
  2⤵
  PID:9584
- C:\Windows\System32\AbJQwJC.exe
  C:\Windows\System32\AbJQwJC.exe
  2⤵
  PID:9860
- C:\Windows\System32\vXVucWH.exe
  C:\Windows\System32\vXVucWH.exe
  2⤵
  PID:10004
- C:\Windows\System32\xkYNzsc.exe
  C:\Windows\System32\xkYNzsc.exe
  2⤵
  PID:4480
- C:\Windows\System32\LSDuFbp.exe
  C:\Windows\System32\LSDuFbp.exe
  2⤵
  PID:10236
- C:\Windows\System32\mqgfoCB.exe
  C:\Windows\System32\mqgfoCB.exe
  2⤵
  PID:9776
- C:\Windows\System32\wEfTEtQ.exe
  C:\Windows\System32\wEfTEtQ.exe
  2⤵
  PID:9708
- C:\Windows\System32\VoRvCiu.exe
  C:\Windows\System32\VoRvCiu.exe
  2⤵
  PID:10244
- C:\Windows\System32\heDvWwB.exe
  C:\Windows\System32\heDvWwB.exe
  2⤵
  PID:10268
- C:\Windows\System32\bxgSKSp.exe
  C:\Windows\System32\bxgSKSp.exe
  2⤵
  PID:10304
- C:\Windows\System32\uJVQPhN.exe
  C:\Windows\System32\uJVQPhN.exe
  2⤵
  PID:10328
- C:\Windows\System32\ePAzgmk.exe
  C:\Windows\System32\ePAzgmk.exe
  2⤵
  PID:10352
- C:\Windows\System32\knggMDA.exe
  C:\Windows\System32\knggMDA.exe
  2⤵
  PID:10380
- C:\Windows\System32\KIGuCti.exe
  C:\Windows\System32\KIGuCti.exe
  2⤵
  PID:10416
- C:\Windows\System32\sAvkQiR.exe
  C:\Windows\System32\sAvkQiR.exe
  2⤵
  PID:10452
- C:\Windows\System32\UNQiWbC.exe
  C:\Windows\System32\UNQiWbC.exe
  2⤵
  PID:10496
- C:\Windows\System32\hYwntkV.exe
  C:\Windows\System32\hYwntkV.exe
  2⤵
  PID:10524
- C:\Windows\System32\sRMNTRZ.exe
  C:\Windows\System32\sRMNTRZ.exe
  2⤵
  PID:10552
- C:\Windows\System32\CkMATko.exe
  C:\Windows\System32\CkMATko.exe
  2⤵
  PID:10580
- C:\Windows\System32\zhKLdxq.exe
  C:\Windows\System32\zhKLdxq.exe
  2⤵
  PID:10608
- C:\Windows\System32\MvOyVJS.exe
  C:\Windows\System32\MvOyVJS.exe
  2⤵
  PID:10636
- C:\Windows\System32\irsllaf.exe
  C:\Windows\System32\irsllaf.exe
  2⤵
  PID:10664
- C:\Windows\System32\oOGyjBA.exe
  C:\Windows\System32\oOGyjBA.exe
  2⤵
  PID:10680
- C:\Windows\System32\juGvvdj.exe
  C:\Windows\System32\juGvvdj.exe
  2⤵
  PID:10712
- C:\Windows\System32\MuekvrU.exe
  C:\Windows\System32\MuekvrU.exe
  2⤵
  PID:10748
- C:\Windows\System32\UNPWeLa.exe
  C:\Windows\System32\UNPWeLa.exe
  2⤵
  PID:10776
- C:\Windows\System32\LSAxbNl.exe
  C:\Windows\System32\LSAxbNl.exe
  2⤵
  PID:10812
- C:\Windows\System32\NiKWlrG.exe
  C:\Windows\System32\NiKWlrG.exe
  2⤵
  PID:10840
- C:\Windows\System32\ujfUIGn.exe
  C:\Windows\System32\ujfUIGn.exe
  2⤵
  PID:10868
- C:\Windows\System32\RyXAzSF.exe
  C:\Windows\System32\RyXAzSF.exe
  2⤵
  PID:10900
- C:\Windows\System32\TJSCaRS.exe
  C:\Windows\System32\TJSCaRS.exe
  2⤵
  PID:10916
- C:\Windows\System32\Gfrsnoz.exe
  C:\Windows\System32\Gfrsnoz.exe
  2⤵
  PID:10948
- C:\Windows\System32\SylATQA.exe
  C:\Windows\System32\SylATQA.exe
  2⤵
  PID:10980
- C:\Windows\System32\mFOeeAs.exe
  C:\Windows\System32\mFOeeAs.exe
  2⤵
  PID:11016
- C:\Windows\System32\QUBqeLx.exe
  C:\Windows\System32\QUBqeLx.exe
  2⤵
  PID:11040
- C:\Windows\System32\otLkYSq.exe
  C:\Windows\System32\otLkYSq.exe
  2⤵
  PID:11084
- C:\Windows\System32\kUcyMeX.exe
  C:\Windows\System32\kUcyMeX.exe
  2⤵
  PID:11112
- C:\Windows\System32\hHlYBmL.exe
  C:\Windows\System32\hHlYBmL.exe
  2⤵
  PID:11156
- C:\Windows\System32\nhZCjbS.exe
  C:\Windows\System32\nhZCjbS.exe
  2⤵
  PID:11184
- C:\Windows\System32\iwenweG.exe
  C:\Windows\System32\iwenweG.exe
  2⤵
  PID:11224
- C:\Windows\System32\DtoUhvM.exe
  C:\Windows\System32\DtoUhvM.exe
  2⤵
  PID:11240
- C:\Windows\System32\KhtAjOK.exe
  C:\Windows\System32\KhtAjOK.exe
  2⤵
  PID:11260
- C:\Windows\System32\DuekIKh.exe
  C:\Windows\System32\DuekIKh.exe
  2⤵
  PID:10316
- C:\Windows\System32\xELDxnP.exe
  C:\Windows\System32\xELDxnP.exe
  2⤵
  PID:10400
- C:\Windows\System32\bSvtrfc.exe
  C:\Windows\System32\bSvtrfc.exe
  2⤵
  PID:10464
- C:\Windows\System32\kUUwvym.exe
  C:\Windows\System32\kUUwvym.exe
  2⤵
  PID:10568
- C:\Windows\System32\BrBzNCA.exe
  C:\Windows\System32\BrBzNCA.exe
  2⤵
  PID:10660
- C:\Windows\System32\RtPGLvv.exe
  C:\Windows\System32\RtPGLvv.exe
  2⤵
  PID:10744
- C:\Windows\System32\EVFmGMu.exe
  C:\Windows\System32\EVFmGMu.exe
  2⤵
  PID:10832
- C:\Windows\System32\wOsQQuE.exe
  C:\Windows\System32\wOsQQuE.exe
  2⤵
  PID:10888
- C:\Windows\System32\qFXzutW.exe
  C:\Windows\System32\qFXzutW.exe
  2⤵
  PID:10992
- C:\Windows\System32\qVibafR.exe
  C:\Windows\System32\qVibafR.exe
  2⤵
  PID:11108
- C:\Windows\System32\dTrnFGP.exe
  C:\Windows\System32\dTrnFGP.exe
  2⤵
  PID:10260
- C:\Windows\System32\XDNvnOR.exe
  C:\Windows\System32\XDNvnOR.exe
  2⤵
  PID:10436
- C:\Windows\System32\EtzSLHX.exe
  C:\Windows\System32\EtzSLHX.exe
  2⤵
  PID:10700
- C:\Windows\System32\wogbQbI.exe
  C:\Windows\System32\wogbQbI.exe
  2⤵
  PID:10932
- C:\Windows\System32\RqsJfFs.exe
  C:\Windows\System32\RqsJfFs.exe
  2⤵
  PID:11232
- C:\Windows\System32\EsBaCWL.exe
  C:\Windows\System32\EsBaCWL.exe
  2⤵
  PID:10508
- C:\Windows\System32\RGWLXWZ.exe
  C:\Windows\System32\RGWLXWZ.exe
  2⤵
  PID:10880
- C:\Windows\System32\oPvsHYj.exe
  C:\Windows\System32\oPvsHYj.exe
  2⤵
  PID:11268
- C:\Windows\System32\wKTdtDC.exe
  C:\Windows\System32\wKTdtDC.exe
  2⤵
  PID:11292
- C:\Windows\System32\ZRiatma.exe
  C:\Windows\System32\ZRiatma.exe
  2⤵
  PID:11316
- C:\Windows\System32\sEGgUNr.exe
  C:\Windows\System32\sEGgUNr.exe
  2⤵
  PID:11356
- C:\Windows\System32\TCCWCin.exe
  C:\Windows\System32\TCCWCin.exe
  2⤵
  PID:11388
- C:\Windows\System32\ayavWjc.exe
  C:\Windows\System32\ayavWjc.exe
  2⤵
  PID:11408
- C:\Windows\System32\RtRYkgp.exe
  C:\Windows\System32\RtRYkgp.exe
  2⤵
  PID:11436
- C:\Windows\System32\MMTHuEq.exe
  C:\Windows\System32\MMTHuEq.exe
  2⤵
  PID:11468
- C:\Windows\System32\kTPFzjc.exe
  C:\Windows\System32\kTPFzjc.exe
  2⤵
  PID:11492
- C:\Windows\System32\ZriNOaX.exe
  C:\Windows\System32\ZriNOaX.exe
  2⤵
  PID:11508
- C:\Windows\System32\fLgAYeq.exe
  C:\Windows\System32\fLgAYeq.exe
  2⤵
  PID:11572
- C:\Windows\System32\bOTCocy.exe
  C:\Windows\System32\bOTCocy.exe
  2⤵
  PID:11592
- C:\Windows\System32\PaNfqHG.exe
  C:\Windows\System32\PaNfqHG.exe
  2⤵
  PID:11620
- C:\Windows\System32\dZFOXYB.exe
  C:\Windows\System32\dZFOXYB.exe
  2⤵
  PID:11644
- C:\Windows\System32\bDxoJhI.exe
  C:\Windows\System32\bDxoJhI.exe
  2⤵
  PID:11676
- C:\Windows\System32\OgZdFCZ.exe
  C:\Windows\System32\OgZdFCZ.exe
  2⤵
  PID:11724
- C:\Windows\System32\XPRprLN.exe
  C:\Windows\System32\XPRprLN.exe
  2⤵
  PID:11748
- C:\Windows\System32\aCkyetr.exe
  C:\Windows\System32\aCkyetr.exe
  2⤵
  PID:11800
- C:\Windows\System32\lRxviaZ.exe
  C:\Windows\System32\lRxviaZ.exe
  2⤵
  PID:11816
- C:\Windows\System32\lOWDQrY.exe
  C:\Windows\System32\lOWDQrY.exe
  2⤵
  PID:11848
- C:\Windows\System32\SSKFmTS.exe
  C:\Windows\System32\SSKFmTS.exe
  2⤵
  PID:11876
- C:\Windows\System32\PQfTJfm.exe
  C:\Windows\System32\PQfTJfm.exe
  2⤵
  PID:11904
- C:\Windows\System32\cBPevux.exe
  C:\Windows\System32\cBPevux.exe
  2⤵
  PID:11932
- C:\Windows\System32\kOAqZoU.exe
  C:\Windows\System32\kOAqZoU.exe
  2⤵
  PID:11960
- C:\Windows\System32\rZVjvmI.exe
  C:\Windows\System32\rZVjvmI.exe
  2⤵
  PID:11988
- C:\Windows\System32\jUONyms.exe
  C:\Windows\System32\jUONyms.exe
  2⤵
  PID:12044
- C:\Windows\System32\FlYPPon.exe
  C:\Windows\System32\FlYPPon.exe
  2⤵
  PID:12076
- C:\Windows\System32\xchdDmT.exe
  C:\Windows\System32\xchdDmT.exe
  2⤵
  PID:12104
- C:\Windows\System32\RZHuOLe.exe
  C:\Windows\System32\RZHuOLe.exe
  2⤵
  PID:12132
- C:\Windows\System32\IqspbyT.exe
  C:\Windows\System32\IqspbyT.exe
  2⤵
  PID:12160
- C:\Windows\System32\bGfpreP.exe
  C:\Windows\System32\bGfpreP.exe
  2⤵
  PID:12188
- C:\Windows\System32\EmVuxfA.exe
  C:\Windows\System32\EmVuxfA.exe
  2⤵
  PID:12216
- C:\Windows\System32\tPKUVtN.exe
  C:\Windows\System32\tPKUVtN.exe
  2⤵
  PID:12244
- C:\Windows\System32\pAZPafb.exe
  C:\Windows\System32\pAZPafb.exe
  2⤵
  PID:12260
- C:\Windows\System32\Eurvein.exe
  C:\Windows\System32\Eurvein.exe
  2⤵
  PID:10396
- C:\Windows\System32\eKizpBW.exe
  C:\Windows\System32\eKizpBW.exe
  2⤵
  PID:11364
- C:\Windows\System32\eLcSJvp.exe
  C:\Windows\System32\eLcSJvp.exe
  2⤵
  PID:11420
- C:\Windows\System32\JCaPHrJ.exe
  C:\Windows\System32\JCaPHrJ.exe
  2⤵
  PID:11476
- C:\Windows\System32\daFCVam.exe
  C:\Windows\System32\daFCVam.exe
  2⤵
  PID:11556
- C:\Windows\System32\Dmxfjsw.exe
  C:\Windows\System32\Dmxfjsw.exe
  2⤵
  PID:11628
- C:\Windows\System32\NkYQhOJ.exe
  C:\Windows\System32\NkYQhOJ.exe
  2⤵
  PID:11656
- C:\Windows\System32\mZcvTin.exe
  C:\Windows\System32\mZcvTin.exe
  2⤵
  PID:11784
- C:\Windows\System32\KMLEkIm.exe
  C:\Windows\System32\KMLEkIm.exe
  2⤵
  PID:11836
- C:\Windows\System32\qFcDzvM.exe
  C:\Windows\System32\qFcDzvM.exe
  2⤵
  PID:11920
- C:\Windows\System32\SESnDax.exe
  C:\Windows\System32\SESnDax.exe
  2⤵
  PID:12008
- C:\Windows\System32\TSZEejo.exe
  C:\Windows\System32\TSZEejo.exe
  2⤵
  PID:12096
- C:\Windows\System32\uTHkoSO.exe
  C:\Windows\System32\uTHkoSO.exe
  2⤵
  PID:12128
- C:\Windows\System32\rFarDvu.exe
  C:\Windows\System32\rFarDvu.exe
  2⤵
  PID:12172
- C:\Windows\System32\ZcgiEkx.exe
  C:\Windows\System32\ZcgiEkx.exe
  2⤵
  PID:11280
- C:\Windows\System32\mXOQEke.exe
  C:\Windows\System32\mXOQEke.exe
  2⤵
  PID:11372
- C:\Windows\System32\Jgebnoa.exe
  C:\Windows\System32\Jgebnoa.exe
  2⤵
  PID:11588
- C:\Windows\System32\keFWDEe.exe
  C:\Windows\System32\keFWDEe.exe
  2⤵
  PID:11756
- C:\Windows\System32\XeJsovg.exe
  C:\Windows\System32\XeJsovg.exe
  2⤵
  PID:11924
- C:\Windows\System32\XOydAAm.exe
  C:\Windows\System32\XOydAAm.exe
  2⤵
  PID:12060
- C:\Windows\System32\OYlGbOX.exe
  C:\Windows\System32\OYlGbOX.exe
  2⤵
  PID:12196
- C:\Windows\System32\vxKdvIN.exe
  C:\Windows\System32\vxKdvIN.exe
  2⤵
  PID:11716
- C:\Windows\System32\OOLziJd.exe
  C:\Windows\System32\OOLziJd.exe
  2⤵
  PID:11984
- C:\Windows\System32\EkgsjEW.exe
  C:\Windows\System32\EkgsjEW.exe
  2⤵
  PID:12284
- C:\Windows\System32\EOPYnuv.exe
  C:\Windows\System32\EOPYnuv.exe
  2⤵
  PID:12116
- C:\Windows\System32\FuJGwgb.exe
  C:\Windows\System32\FuJGwgb.exe
  2⤵
  PID:12308
- C:\Windows\System32\dwomubq.exe
  C:\Windows\System32\dwomubq.exe
  2⤵
  PID:12336
- C:\Windows\System32\xmBLXcT.exe
  C:\Windows\System32\xmBLXcT.exe
  2⤵
  PID:12364
- C:\Windows\System32\Lsqfkly.exe
  C:\Windows\System32\Lsqfkly.exe
  2⤵
  PID:12392
- C:\Windows\System32\miPHukq.exe
  C:\Windows\System32\miPHukq.exe
  2⤵
  PID:12420
- C:\Windows\System32\UjHGXOy.exe
  C:\Windows\System32\UjHGXOy.exe
  2⤵
  PID:12448
- C:\Windows\System32\icfwiCF.exe
  C:\Windows\System32\icfwiCF.exe
  2⤵
  PID:12476
- C:\Windows\System32\gAxKgOh.exe
  C:\Windows\System32\gAxKgOh.exe
  2⤵
  PID:12492
- C:\Windows\System32\MekVynN.exe
  C:\Windows\System32\MekVynN.exe
  2⤵
  PID:12520
- C:\Windows\System32\UxISpOP.exe
  C:\Windows\System32\UxISpOP.exe
  2⤵
  PID:12560
- C:\Windows\System32\bWZRRjc.exe
  C:\Windows\System32\bWZRRjc.exe
  2⤵
  PID:12592
- C:\Windows\System32\GvTItpT.exe
  C:\Windows\System32\GvTItpT.exe
  2⤵
  PID:12620
- C:\Windows\System32\BwCZlDI.exe
  C:\Windows\System32\BwCZlDI.exe
  2⤵
  PID:12644
- C:\Windows\System32\ykxszxR.exe
  C:\Windows\System32\ykxszxR.exe
  2⤵
  PID:12668
- C:\Windows\System32\LvaEhPB.exe
  C:\Windows\System32\LvaEhPB.exe
  2⤵
  PID:12692
- C:\Windows\System32\hCYwEHc.exe
  C:\Windows\System32\hCYwEHc.exe
  2⤵
  PID:12732
- C:\Windows\System32\QZxsEnA.exe
  C:\Windows\System32\QZxsEnA.exe
  2⤵
  PID:12752
- C:\Windows\System32\ycDbgKp.exe
  C:\Windows\System32\ycDbgKp.exe
  2⤵
  PID:12788
- C:\Windows\System32\XxVfnAB.exe
  C:\Windows\System32\XxVfnAB.exe
  2⤵
  PID:12816
- C:\Windows\System32\jZQKjGK.exe
  C:\Windows\System32\jZQKjGK.exe
  2⤵
  PID:12844
- C:\Windows\System32\aPNCdsw.exe
  C:\Windows\System32\aPNCdsw.exe
  2⤵
  PID:12872
- C:\Windows\System32\rKCtmTH.exe
  C:\Windows\System32\rKCtmTH.exe
  2⤵
  PID:12900
- C:\Windows\System32\HIdRiRV.exe
  C:\Windows\System32\HIdRiRV.exe
  2⤵
  PID:12916
- C:\Windows\System32\VBrTjbR.exe
  C:\Windows\System32\VBrTjbR.exe
  2⤵
  PID:12956
- C:\Windows\System32\lCrAHjB.exe
  C:\Windows\System32\lCrAHjB.exe
  2⤵
  PID:12984
- C:\Windows\System32\EKJBxES.exe
  C:\Windows\System32\EKJBxES.exe
  2⤵
  PID:13012
- C:\Windows\System32\YSKxldY.exe
  C:\Windows\System32\YSKxldY.exe
  2⤵
  PID:13040
- C:\Windows\System32\rpXkxpw.exe
  C:\Windows\System32\rpXkxpw.exe
  2⤵
  PID:13056
- C:\Windows\System32\jBVExGT.exe
  C:\Windows\System32\jBVExGT.exe
  2⤵
  PID:13096
- C:\Windows\System32\EDHXdan.exe
  C:\Windows\System32\EDHXdan.exe
  2⤵
  PID:13128
- C:\Windows\System32\KSTMVEp.exe
  C:\Windows\System32\KSTMVEp.exe
  2⤵
  PID:13144
- C:\Windows\System32\ndrPCTH.exe
  C:\Windows\System32\ndrPCTH.exe
  2⤵
  PID:13184
- C:\Windows\System32\ZHTKEmn.exe
  C:\Windows\System32\ZHTKEmn.exe
  2⤵
  PID:13200
- C:\Windows\System32\jbUNbGX.exe
  C:\Windows\System32\jbUNbGX.exe
  2⤵
  PID:13240
- C:\Windows\System32\HJxfzVb.exe
  C:\Windows\System32\HJxfzVb.exe
  2⤵
  PID:13268
- C:\Windows\System32\GntBXNj.exe
  C:\Windows\System32\GntBXNj.exe
  2⤵
  PID:13296
- C:\Windows\System32\FuKzBWv.exe
  C:\Windows\System32\FuKzBWv.exe
  2⤵
  PID:12292
- C:\Windows\System32\XalbJaU.exe
  C:\Windows\System32\XalbJaU.exe
  2⤵
  PID:12376
- C:\Windows\System32\tQlMXdJ.exe
  C:\Windows\System32\tQlMXdJ.exe
  2⤵
  PID:12432
- C:\Windows\System32\VMuMyef.exe
  C:\Windows\System32\VMuMyef.exe
  2⤵
  PID:12504
- C:\Windows\System32\rdyQZpr.exe
  C:\Windows\System32\rdyQZpr.exe
  2⤵
  PID:12576
- C:\Windows\System32\rGWceUi.exe
  C:\Windows\System32\rGWceUi.exe
  2⤵
  PID:4180
- C:\Windows\System32\HzOsDJk.exe
  C:\Windows\System32\HzOsDJk.exe
  2⤵
  PID:12660
- C:\Windows\System32\clFnCho.exe
  C:\Windows\System32\clFnCho.exe
  2⤵
  PID:12712
- C:\Windows\System32\NdDtFSS.exe
  C:\Windows\System32\NdDtFSS.exe
  2⤵
  PID:12776
- C:\Windows\System32\ndDdfew.exe
  C:\Windows\System32\ndDdfew.exe
  2⤵
  PID:12832
- C:\Windows\System32\sdQYHMm.exe
  C:\Windows\System32\sdQYHMm.exe
  2⤵
  PID:12908
- C:\Windows\System32\CcfHGOD.exe
  C:\Windows\System32\CcfHGOD.exe
  2⤵
  PID:12976
- C:\Windows\System32\SjXxjuH.exe
  C:\Windows\System32\SjXxjuH.exe
  2⤵
  PID:13028
- C:\Windows\System32\nICcUEE.exe
  C:\Windows\System32\nICcUEE.exe
  2⤵
  PID:13112
- C:\Windows\System32\YJpfDvF.exe
  C:\Windows\System32\YJpfDvF.exe
  2⤵
  PID:13252
- C:\Windows\System32\moyIHry.exe
  C:\Windows\System32\moyIHry.exe
  2⤵
  PID:12348
- C:\Windows\System32\rnrTwiu.exe
  C:\Windows\System32\rnrTwiu.exe
  2⤵
  PID:464
- C:\Windows\System32\ghwwrYM.exe
  C:\Windows\System32\ghwwrYM.exe
  2⤵
  PID:12680
- C:\Windows\System32\ZDmLLKQ.exe
  C:\Windows\System32\ZDmLLKQ.exe
  2⤵
  PID:12708
- C:\Windows\System32\NioMQNf.exe
  C:\Windows\System32\NioMQNf.exe
  2⤵
  PID:12800
- C:\Windows\System32\geYLYmJ.exe
  C:\Windows\System32\geYLYmJ.exe
  2⤵
  PID:12896
- C:\Windows\System32\oORiEdh.exe
  C:\Windows\System32\oORiEdh.exe
  2⤵
  PID:13068
- C:\Windows\System32\pReTKUO.exe
  C:\Windows\System32\pReTKUO.exe
  2⤵
  PID:13288
- C:\Windows\System32\DGgsgvG.exe
  C:\Windows\System32\DGgsgvG.exe
  2⤵
  PID:12652
- C:\Windows\System32\cJmUCBY.exe
  C:\Windows\System32\cJmUCBY.exe
  2⤵
  PID:10792
- C:\Windows\System32\YBmqxHT.exe
  C:\Windows\System32\YBmqxHT.exe
  2⤵
  PID:13156
- C:\Windows\System32\HZtBDzF.exe
  C:\Windows\System32\HZtBDzF.exe
  2⤵
  PID:11900
- C:\Windows\System32\nXgYMaf.exe
  C:\Windows\System32\nXgYMaf.exe
  2⤵
  PID:11796
- C:\Windows\System32\LgmdZMf.exe
  C:\Windows\System32\LgmdZMf.exe
  2⤵
  PID:13328
- C:\Windows\System32\hgEixlD.exe
  C:\Windows\System32\hgEixlD.exe
  2⤵
  PID:13356
- C:\Windows\System32\njeXffc.exe
  C:\Windows\System32\njeXffc.exe
  2⤵
  PID:13384
- C:\Windows\System32\aNgiUen.exe
  C:\Windows\System32\aNgiUen.exe
  2⤵
  PID:13420
- C:\Windows\System32\btlHqte.exe
  C:\Windows\System32\btlHqte.exe
  2⤵
  PID:13448
- C:\Windows\System32\dIVXvvG.exe
  C:\Windows\System32\dIVXvvG.exe
  2⤵
  PID:13476
- C:\Windows\System32\rCaNVfM.exe
  C:\Windows\System32\rCaNVfM.exe
  2⤵
  PID:13504
- C:\Windows\System32\swcdXCR.exe
  C:\Windows\System32\swcdXCR.exe
  2⤵
  PID:13532
- C:\Windows\System32\SmdIvdo.exe
  C:\Windows\System32\SmdIvdo.exe
  2⤵
  PID:13560
- C:\Windows\System32\tArviIC.exe
  C:\Windows\System32\tArviIC.exe
  2⤵
  PID:13588
- C:\Windows\System32\tBrarHZ.exe
  C:\Windows\System32\tBrarHZ.exe
  2⤵
  PID:13616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:336

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DBkxemc.exe

Filesize
2.6MB

MD5
dc23ac671e5631b74ffeb0c9af221961

SHA1
4a7c9d7c147a26984ec6c455a7051c1447cf70a3

SHA256
3ee42f9941ddf1fbab8ea69d36857af974e7558c0dd74240b1c4b3bd329ea2d3

SHA512
840401da5755bb703c9db07926967a08ef0f73a72a64741ea7fd3006814a22ef57dfa911d3d13d5acf9b2187009ffa71a0bf2eadf9541eeee5d5e7c6369180f2

Download Submit
C:\Windows\System32\FGTGlqI.exe

Filesize
2.6MB

MD5
3cd8ddaf73b114ab59ba117d0b6ad60a

SHA1
68dd858ce5415b15a82d13f6a191fb5349d4aa97

SHA256
1de8a4a904a59461cdaed209848eae47d45b19c3876eab1a06a2b099af92cd61

SHA512
824721ae28482894e63fa400eb67fe8f2157252d8a4efa0e58b1ce76cb1ca03090e27881f306243806adc73ae20e4e734743fffa994cf617867918959393e22c

Download Submit
C:\Windows\System32\GFoWsAq.exe

Filesize
2.6MB

MD5
8678c1bb011ea8f793c6ad29fc3795bf

SHA1
6d5435c979d3c403f8f60cc451748a5e9172ef56

SHA256
8c8dde168c0b2f9cdf39d38fc3472bbdfeceb213565cbf9cfe0c96b83856a3f0

SHA512
393f30117d8445d09c6c9fead373163f0e92896378a6a3a133131f65476ef402ad4bdfa68b3bf382f7c2d50f4e2ef5fa93ad656aa8b5ffa8c40443f3faf73736

Download Submit
C:\Windows\System32\HypKwTF.exe

Filesize
2.6MB

MD5
7fa5eac9a344d26307d88af2d9eb2cc6

SHA1
b5d4ba57333e0c795b47b0ee2d5082ae60aa604d

SHA256
51f5a4987c6afe13fe91c87870f3eb89c504f59b91077376a14ec295075efaa9

SHA512
3e6b229675e1da46197e8e459f60d135a92b95993eba142b2cc42e43e78b3ab36587f46932a24103d9a5e1dd83dc0080f6c57388af08a55e300f956a989e13cc

Download Submit
C:\Windows\System32\JIjbfzw.exe

Filesize
2.6MB

MD5
0e82fa04f7fcec52aca0f4b8cb194573

SHA1
6541392a242c9fe19ca8d356bf2e0f85c8b00245

SHA256
ff2fc6096fb654acef009227fe2533d2c41c590c127b140412afaec072933f7a

SHA512
371d4d26943b968f62e66a2c215390bcd4d5810d824d91848cb4ed58f14e12633744fd9721e34a1287de1b331d7aaea36381cf34e6adf2c12c85ac6532f9e6dd

Download Submit
C:\Windows\System32\KwtxYdz.exe

Filesize
2.6MB

MD5
67c37f2def2f39a078ae953e957f52fe

SHA1
024326fc83c9961818e02786e3c3ba871c5ce8a9

SHA256
c224241be3f8eaef1f0f8998d60edd6a5bd81fe6ff79a90bf93f810432d22ec4

SHA512
025c4944a030fdf41f8f0b5750416eaa7087552f2591e0eedc4c58cec866626943f7687bcbd613f9e7a49485c9dd967c37ad6a8a6bbb79513bc3b81eff5eadf4

Download Submit
C:\Windows\System32\MyrvEag.exe

Filesize
2.6MB

MD5
6959eaf1bfcdf083352dbd51a3252b09

SHA1
adfd1260f924dbbb4e292fc1820a4f28999007fd

SHA256
cf5c78b05aff3ec0d093c59b2d97359ad492b54ec594bbcffb2a848dc30b3858

SHA512
c2037cf3313ec84a911b80ee28b346d2bee6dc170370b0dc6453a62e33163aa4d03e430631f9d1e8203d1f7aed4d546a306d9faa23f17aed5df529d521447976

Download Submit
C:\Windows\System32\OmZXsab.exe

Filesize
2.6MB

MD5
2c2a5419c801be8338480abbe080a876

SHA1
ca74ee58dea2a065db1f27c50c738397ffe4bdb4

SHA256
5d50d9e21e18e5d855808b99ced30afcefb2255d63a1a371ac301d6c0915aa65

SHA512
ab1256473b9a487cbcd699ad05b83f8c2e4007845345aefd73a27a593322d072a05f76c8162abca25cdf63a1e4d6092553387497ed1c5cf509d9ff7f2fbd3cc9

Download Submit
C:\Windows\System32\PBQSYmq.exe

Filesize
2.6MB

MD5
54988db8aadeb1062730cf3d8a4a95e7

SHA1
b7b3fccf2751dac1a247b03936543dd3b5ae5b40

SHA256
4cd1fe78453789e3a65b91e30f10fbbb9909e0e2b3378f6d84be857a992d313a

SHA512
d0a41423585fb67fcc7aedb6cc77188528a51be2271d3573a3e10aec9554f394484cd4b659edfe83b358fbb29716c7cb39b487c24cbef5310a495523a543e377

Download Submit
C:\Windows\System32\PZXOVgr.exe

Filesize
2.6MB

MD5
1f561c75513ce0101f2882c2932dd890

SHA1
7d31a5e08f854a93b935da9455bf39cd430167be

SHA256
05d1193562719003f999cad76c5c4b72c1bff09c5fb1c0b637da4ab1e206c2d1

SHA512
e61f9e6339c22ea7a33d795882f210e216ec47a433839f33585907ebe003445c73628818d6b4a502fd0d52ad33945c6c0f6460a560c43794f8201259444c8308

Download Submit
C:\Windows\System32\RCuaKCm.exe

Filesize
2.6MB

MD5
4a0190d7a60b657c74a1d34bffbb8d0f

SHA1
4372dda5904bf0a66f8e53609efcf76b13165755

SHA256
51a91724c7fec7aa20d4b9b80176d8c394e8d7749aab78e94aba7a8e66fbe938

SHA512
a16980e3ce0b51dc7995e4b6f22be3a4cbaee4f4b81c1c87b188046e522400cf67169de1c46613e784639897d69cfdf04ecf271690e3e8be86e4a0e53f42757b

Download Submit
C:\Windows\System32\RPNEUnS.exe

Filesize
2.6MB

MD5
54f7b047f408f09905e1bb54ad78684c

SHA1
e7cafa4d51ae0f320834fa3c41e840c81e3dbe49

SHA256
df7ac5296ae8a2be940d3fc871942e9c338aef0110528051b28765d0884f00cf

SHA512
5519045720b600783cb504c06b57847ccdb50f6959b17ff6ac875d279a106ea68eaa1ef05bdf818f1c3e0bc60666bcf829f62e7173d8abc066e7652e8d125e41

Download Submit
C:\Windows\System32\RSkBHPp.exe

Filesize
2.6MB

MD5
2947e0205974e2ffd3a4acac7fb0e76d

SHA1
53550ad23dbd0fdc589d51e65afda9cd881bb810

SHA256
3c6a431b6398aa042992315ce4497e17886e2cb3081a0ab4a9b2ce3ae71e6242

SHA512
4dbba22287d7320f6137185e2d18011634db414c9dd3207763855cd2f9b49dd2cbb2c5c2d50b6380440161852d751ad1bb50a9dab03d169b3865272ba5cab3cb

Download Submit
C:\Windows\System32\VZgwsTh.exe

Filesize
2.6MB

MD5
9ac70a735c892cf4dde6b7717685cdd7

SHA1
f723d5ca0b34ff86d10b3c3cd27dc468f2154035

SHA256
71fbe0a386e42a7b5474de6702849c6c5d19161e9c12fac1afe5088c8a080da7

SHA512
a5533b3d21417d42cd0e7883f6812ff69de97fb0ce567410a7f079acf311cfa97c9113fd7ab33954345289ab47433cb1304c6f17c9e1c51fe8d047a7a10190c3

Download Submit
C:\Windows\System32\ZKmvMXY.exe

Filesize
2.6MB

MD5
b67525176c1661f8b55f8f57b5d77f50

SHA1
8e3b72999204ffe5efaf16297cf43d9041f26a9b

SHA256
e26c31a002199967a1915acae9b86b66a5d79860af990944c1ce997449c08d39

SHA512
ef4cfe21ab8a35774d25f500460dbb949c173236f90b3708b413dc3149a3d6ea0bcfa59ffc2deb36f936270196a29d9f9a679dde4e5cc62767fac2d3f66d1d74

Download Submit
C:\Windows\System32\ZsyVepV.exe

Filesize
2.6MB

MD5
992259ec8d4f532343e1b41725f1d9d4

SHA1
12a30727d99266169ea0f0265ee06c0d2512abce

SHA256
30792b2c8757042c1f532551150564db6342224299ac98b932490194ff0b631e

SHA512
64db592be54318134fa4b7ef02dc638e231f4dfdefaa7d75953dab9d2abe2d5e040c09396792f477d1e0cc0e4e565ee6211a5c9a49f93cefedfcd76032571e01

Download Submit
C:\Windows\System32\dvzyAMf.exe

Filesize
2.6MB

MD5
36fb8435f87fca3e4407425519d33a90

SHA1
a83094a2ba451a4c2b454cf5a295a937c9310f5e

SHA256
91f49f0aaf551c98cab2f3367a0f5ea5e465985559a0ec4268d8029368c110b6

SHA512
b02f6a54ce7cc25520a3f16a35cec77f1693bbad79fab8a107bcf088d4eec70af48af4d9462ac66d827bf83f1064894d5ef1673dd8c6eae842329d67c496cf9f

Download Submit
C:\Windows\System32\eAnfiTg.exe

Filesize
2.6MB

MD5
40f7c0751de0f3d2b9d764092047aa38

SHA1
f1f49de808a226590f6e43abd70aea6cbd4c7bcd

SHA256
cece4a87dc89d546eb7a82214c2ccb88e63ea2e5d1c83085d9583ce292aea231

SHA512
3e867b233e99453449e29a0e1862f810ab4795a7692588c6b4fa719b3c260fd3f95e3035f51116add02b8ad1ea74bc07f1f531328107d73545d6bf8d3443a027

Download Submit
C:\Windows\System32\ezyknie.exe

Filesize
2.6MB

MD5
9408dfcebea1ec8ef9c891d8212d08ea

SHA1
974f81ba278f53c9fcc9a0a5045dc3eae192e068

SHA256
51841477e6a33ecfc8216b3ab6cb006aff3e1414ed8d76d7604fc3dbd46e3eb2

SHA512
cfc5d96778a802c04e32e89da612ff78b33a48a2909f0dda7b0149d2342c47b360346fa1793f62ef8d89f8e10bc0bd2eaf65f4c3caf4e62942f164a397fb767e

Download Submit
C:\Windows\System32\gNaieKy.exe

Filesize
2.6MB

MD5
38438edec04e12783836b7e0db5ec94b

SHA1
fa4a60271b80b529989e787c94a3b3d42715c22f

SHA256
828765bad19c1527b8ad61b194d8ea1d7bd60a7e4518f18258d83a4a42c2aa09

SHA512
8f82d212bbd30183c7dfd9b2aa4dd7b2b0d5506c25fbfa1e0adc66651d31d00c1567d7ffb8352f9dcb35b45b770f12426cfe03e9d3b7c860f9841271d2579cb1

Download Submit
C:\Windows\System32\gQmMwzZ.exe

Filesize
2.6MB

MD5
d52ab6d10e53636b8408f5f3ad35994a

SHA1
b805e75332d776c3b4ee6f672352ffeb295b7ca2

SHA256
78fd5541b3f362824d24619ef1b41bf2845c4a729649e146eadccf2e21a9f0ae

SHA512
5c3d80955c325a79a18a1a1724f2bef2641343884ac1710fec3561ed5d710ec9f672e6f8e06fc9f635320fd7a7a1325dbc9d6110f36c167d95a58e7472d6411f

Download Submit
C:\Windows\System32\huKrmaD.exe

Filesize
2.6MB

MD5
a431ee61a42d83964fd72a5ebc17adf5

SHA1
73c8c141db3d7e2119d5da0b076241d53ff53a0b

SHA256
119c92dcbb96b7fe436fd0fef32ab1ce2072ca862e6e0e331911e5dc49fb3e18

SHA512
6e69f682deb991ea36a3fcf780a10b6441123a500fdd3a1dc6169c1c11e0d64b21cd3555b8a2242b9cc7e3338279d6776b33d97d60b9c0e7a7b5a596998403f8

Download Submit
C:\Windows\System32\iJDlfEn.exe

Filesize
2.6MB

MD5
0b65ad04b9a1fbf65da7a1fc47186221

SHA1
abd4fd0afea0cfdccd18fa208979e2c29fc0a68c

SHA256
fc1590f977921c0be61d6f22ba0991b8035afb0a52b833e7a3463aa4b253eb88

SHA512
c7cd53ff696171a983dc4aab8497a6a45f5ee9f21bfdbce9f8550abbd498fe9a2275205c4d1aba73a2c2d0fb7236196d131fab6244bbf1ac67ee59b6032a743f

Download Submit
C:\Windows\System32\llnuwlY.exe

Filesize
2.6MB

MD5
df6498b87e1b4bcfc7d84ba2b224e1e2

SHA1
49a6777db4914aec31f18e8fd4b66ea39f9e488d

SHA256
f843d25f94f66e9892a0f96a75e28a151300195bc024ee65b28834f320580932

SHA512
7fa1bd51be4959a834219f1098913b1e575416874f578e4b830772521c5b8a478803037efa8bd7ffedc24cff8b51c34ecc80f0f67625bb63c48637ec77a322a2

Download Submit
C:\Windows\System32\mBfMFQE.exe

Filesize
2.6MB

MD5
2825201cbfecd1ed001ffefce835dc17

SHA1
a40e7898fdd33318e227259a6955e38fe777edc1

SHA256
ba9d1c491e5fbe5bd538b34e6d5e1748a5d331b2412152abc3cf4556d920bd39

SHA512
2b62c4b98340a1ea108cc8fa28d410d2e964dd7063333fcc10ea30cc37cc1d1303d6b23073be070bec3bbc1fbdc9f1c922ce52940b8ed544c4f1639eaf7504f9

Download Submit
C:\Windows\System32\noeLzxA.exe

Filesize
2.6MB

MD5
ba582f914cdd3aefc1e4ecfec06dddf4

SHA1
932dee03a92427497967929541b3c3d007dc38cf

SHA256
d2260bc438626750234c66eeea54492ea6099bfa3559d2a19317c6166e09d226

SHA512
e07bd1304901328e71c9ce396a3b0be45350a5e39110689c08b989cf648af35e5a9831f7a77d58d72a2e92b1cfe4b9f92ab99c9a3d51418817a30d72edccb069

Download Submit
C:\Windows\System32\nskGGmP.exe

Filesize
2.6MB

MD5
7c3f38f00aaa1f0a872eb759961329b1

SHA1
ac746a25ba45d7cdba1774c9515a7b93dad58cb5

SHA256
8239f52a084157a7390b4358c47a1cdfb8e679c48b5cf6f8182e91281b37b8a4

SHA512
d6ce3888e2bec42910f93fe58481d33b7b3bd85543b8d91d32f6659507fbb690d40e560c22f6d70d5dc80ede9c00fb48b776542facd26515f5880bee421145a4

Download Submit
C:\Windows\System32\ozDOvTs.exe

Filesize
2.6MB

MD5
07674b0721ed0f264466b2af30b895f7

SHA1
577bf29359b9667590d08a077e04f4041782414e

SHA256
3c2121a4f74ad14cc8c2404b0d68c26efd61e14608ec3f1aec3c7f4baee4c02e

SHA512
10a0dc533793a5176bd74434decffdd235c3fd69b78bef18b9e66fc1d77609c98728b35fe3d472967e6c79c2905fdf4051307289a652dca1a0e8610a3faed982

Download Submit
C:\Windows\System32\pXzAzcA.exe

Filesize
2.6MB

MD5
cd734a17747e79716d6a6f32a62ad607

SHA1
7c1ade20245d4837923f486fe02b61d00133814d

SHA256
b164efaef253843b1ff43c643e2f74c5a2621505b9adee21d298178535cebf8a

SHA512
b84b4857a53c17bfd49acd1b70468f4f55b07ba964091ce591567df73406eb4f07dd8a026e21751d0e784c88ba098ff0b5acc30e22f7b193f2cd3670960123ec

Download Submit
C:\Windows\System32\taBoHRi.exe

Filesize
2.6MB

MD5
183677470e595db957d5f4d80fa02645

SHA1
b8d8b90f1db8e94c9df4e598d2765f6108244e82

SHA256
b8d96782814eccb0f96b83a434b7756604f2620a10a7644f3f670ad9a1211b86

SHA512
440c6c4ff7defd631938a6be37a43f477f17d1b5a0f04655db7974de7f0eb22eaec39490950f75a2051929e4c110079210767c5504aac7a52930a80ebc38d8ff

Download Submit
C:\Windows\System32\uAOqYkX.exe

Filesize
2.6MB

MD5
a666603904f5942426fdcf803d2a8d98

SHA1
51dd2fd0e8259a0b081c78a054595363d54c590a

SHA256
fcfd8fc7db8845b5e9cd91ff6911c8b8bd8b5cfbb690a4b7547712eded40f801

SHA512
7352847b37f0c6708c519c0a72dcb33ce98ec197bfee0f631c18d08b5e6f912202596589bf928d4ef3773ec820d7e36f515b2e3d85e4b83a0b7134246360a4d7

Download Submit
C:\Windows\System32\zfycGEc.exe

Filesize
2.6MB

MD5
f90aee69112af92e6ad7ad5ce3687976

SHA1
3aa3a8fde8927c2505531760de06f71fd1b27c26

SHA256
8e959110ed8d7f5a1df44bea5bc752068b15f2b4720ce841e42709ceaf0aa6fa

SHA512
fc8c06748ff11fc56583113528fc9e3a68ef0839ee3319a06ade30e4de7219674a1a94fb35fe10dbe37ff7ebeb61e33007ff89b77021a52f79d3e23cfdb72bdf

Download Submit
memory/380-1910-0x00007FF6B8470000-0x00007FF6B8865000-memory.dmp

Filesize
4.0MB

Download
memory/380-773-0x00007FF6B8470000-0x00007FF6B8865000-memory.dmp

Filesize
4.0MB

Download
memory/648-1912-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp

Filesize
4.0MB

Download
memory/648-1886-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp

Filesize
4.0MB

Download
memory/648-73-0x00007FF6A26E0000-0x00007FF6A2AD5000-memory.dmp

Filesize
4.0MB

Download
memory/756-781-0x00007FF6073D0000-0x00007FF6077C5000-memory.dmp

Filesize
4.0MB

Download
memory/756-1906-0x00007FF6073D0000-0x00007FF6077C5000-memory.dmp

Filesize
4.0MB

Download
memory/864-0-0x00007FF788820000-0x00007FF788C15000-memory.dmp

Filesize
4.0MB

Download
memory/864-1201-0x00007FF788820000-0x00007FF788C15000-memory.dmp

Filesize
4.0MB

Download
memory/864-1-0x0000018BA5780000-0x0000018BA5790000-memory.dmp

Filesize
64KB

Download
memory/864-1888-0x00007FF788820000-0x00007FF788C15000-memory.dmp

Filesize
4.0MB

Download
memory/1160-1911-0x00007FF615270000-0x00007FF615665000-memory.dmp

Filesize
4.0MB

Download
memory/1160-769-0x00007FF615270000-0x00007FF615665000-memory.dmp

Filesize
4.0MB

Download
memory/1504-74-0x00007FF654D20000-0x00007FF655115000-memory.dmp

Filesize
4.0MB

Download
memory/1504-1899-0x00007FF654D20000-0x00007FF655115000-memory.dmp

Filesize
4.0MB

Download
memory/2676-771-0x00007FF76E1D0000-0x00007FF76E5C5000-memory.dmp

Filesize
4.0MB

Download
memory/2676-1907-0x00007FF76E1D0000-0x00007FF76E5C5000-memory.dmp

Filesize
4.0MB

Download
memory/2792-770-0x00007FF646B20000-0x00007FF646F15000-memory.dmp

Filesize
4.0MB

Download
memory/2792-1909-0x00007FF646B20000-0x00007FF646F15000-memory.dmp

Filesize
4.0MB

Download
memory/3024-1891-0x00007FF740D60000-0x00007FF741155000-memory.dmp

Filesize
4.0MB

Download
memory/3024-23-0x00007FF740D60000-0x00007FF741155000-memory.dmp

Filesize
4.0MB

Download
memory/3176-1890-0x00007FF7F6AE0000-0x00007FF7F6ED5000-memory.dmp

Filesize
4.0MB

Download
memory/3176-12-0x00007FF7F6AE0000-0x00007FF7F6ED5000-memory.dmp

Filesize
4.0MB

Download
memory/3200-1896-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp

Filesize
4.0MB

Download
memory/3200-1884-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp

Filesize
4.0MB

Download
memory/3200-56-0x00007FF6D2740000-0x00007FF6D2B35000-memory.dmp

Filesize
4.0MB

Download
memory/3416-1898-0x00007FF680160000-0x00007FF680555000-memory.dmp

Filesize
4.0MB

Download
memory/3416-62-0x00007FF680160000-0x00007FF680555000-memory.dmp

Filesize
4.0MB

Download
memory/3416-1885-0x00007FF680160000-0x00007FF680555000-memory.dmp

Filesize
4.0MB

Download
memory/3480-1905-0x00007FF636DE0000-0x00007FF6371D5000-memory.dmp

Filesize
4.0MB

Download
memory/3480-772-0x00007FF636DE0000-0x00007FF6371D5000-memory.dmp

Filesize
4.0MB

Download
memory/3672-1894-0x00007FF7044B0000-0x00007FF7048A5000-memory.dmp

Filesize
4.0MB

Download
memory/3672-45-0x00007FF7044B0000-0x00007FF7048A5000-memory.dmp

Filesize
4.0MB

Download
memory/3756-1904-0x00007FF7CBCF0000-0x00007FF7CC0E5000-memory.dmp

Filesize
4.0MB

Download
memory/3756-792-0x00007FF7CBCF0000-0x00007FF7CC0E5000-memory.dmp

Filesize
4.0MB

Download
memory/3800-69-0x00007FF6B99C0000-0x00007FF6B9DB5000-memory.dmp

Filesize
4.0MB

Download
memory/3800-1895-0x00007FF6B99C0000-0x00007FF6B9DB5000-memory.dmp

Filesize
4.0MB

Download
memory/3932-1893-0x00007FF716320000-0x00007FF716715000-memory.dmp

Filesize
4.0MB

Download
memory/3932-65-0x00007FF716320000-0x00007FF716715000-memory.dmp

Filesize
4.0MB

Download
memory/4292-1897-0x00007FF64BCF0000-0x00007FF64C0E5000-memory.dmp

Filesize
4.0MB

Download
memory/4292-68-0x00007FF64BCF0000-0x00007FF64C0E5000-memory.dmp

Filesize
4.0MB

Download
memory/4440-1892-0x00007FF6AD090000-0x00007FF6AD485000-memory.dmp

Filesize
4.0MB

Download
memory/4440-35-0x00007FF6AD090000-0x00007FF6AD485000-memory.dmp

Filesize
4.0MB

Download
memory/4488-768-0x00007FF72FD30000-0x00007FF730125000-memory.dmp

Filesize
4.0MB

Download
memory/4488-1889-0x00007FF72FD30000-0x00007FF730125000-memory.dmp

Filesize
4.0MB

Download
memory/4488-9-0x00007FF72FD30000-0x00007FF730125000-memory.dmp

Filesize
4.0MB

Download
memory/4560-1901-0x00007FF6B9230000-0x00007FF6B9625000-memory.dmp

Filesize
4.0MB

Download
memory/4560-825-0x00007FF6B9230000-0x00007FF6B9625000-memory.dmp

Filesize
4.0MB

Download
memory/4652-816-0x00007FF6709F0000-0x00007FF670DE5000-memory.dmp

Filesize
4.0MB

Download
memory/4652-1902-0x00007FF6709F0000-0x00007FF670DE5000-memory.dmp

Filesize
4.0MB

Download
memory/4828-1903-0x00007FF7B2D70000-0x00007FF7B3165000-memory.dmp

Filesize
4.0MB

Download
memory/4828-803-0x00007FF7B2D70000-0x00007FF7B3165000-memory.dmp

Filesize
4.0MB

Download
memory/5056-1908-0x00007FF667380000-0x00007FF667775000-memory.dmp

Filesize
4.0MB

Download
memory/5056-1887-0x00007FF667380000-0x00007FF667775000-memory.dmp

Filesize
4.0MB

Download
memory/5056-77-0x00007FF667380000-0x00007FF667775000-memory.dmp

Filesize
4.0MB

Download
memory/5060-831-0x00007FF77A150000-0x00007FF77A545000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1900-0x00007FF77A150000-0x00007FF77A545000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads