xmrig | 9c1209e35d95931990066419e9f9c72335190d38843ae13eb19854a55a06e56f

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
Size

2.9MB
MD5

6f8415db2d8557e04c900628c9cadcd0
SHA1

ec9cdd6fa20494a07ce308d3547b87b4e792544e
SHA256

9c1209e35d95931990066419e9f9c72335190d38843ae13eb19854a55a06e56f
SHA512

e79412070779df9589479de4ec1db0a5626b20239f86ac7f4963099cedbe46895b6b41dd07eed5284690fcde5c6a0169f653c50389bb98737d49e2224641f10e
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzHUJ8Y9c87MQyRjO:N0GnJMOWPClFdx6e0EALKWVTffZiPAcO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4956-0-0x00007FF617450000-0x00007FF617845000-memory.dmp	xmrig
behavioral2/files/0x000800000002343a-5.dat	xmrig
behavioral2/files/0x000800000002343d-7.dat	xmrig
behavioral2/memory/2732-18-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-29.dat	xmrig
behavioral2/files/0x0007000000023443-31.dat	xmrig
behavioral2/files/0x0007000000023445-37.dat	xmrig
behavioral2/files/0x0007000000023448-50.dat	xmrig
behavioral2/files/0x0007000000023452-100.dat	xmrig
behavioral2/files/0x0007000000023454-110.dat	xmrig
behavioral2/files/0x0007000000023459-132.dat	xmrig
behavioral2/files/0x000700000002345b-145.dat	xmrig
behavioral2/files/0x000700000002345f-162.dat	xmrig
behavioral2/memory/4108-538-0x00007FF60B540000-0x00007FF60B935000-memory.dmp	xmrig
behavioral2/memory/4364-539-0x00007FF6418A0000-0x00007FF641C95000-memory.dmp	xmrig
behavioral2/memory/2696-540-0x00007FF7622B0000-0x00007FF7626A5000-memory.dmp	xmrig
behavioral2/memory/4600-541-0x00007FF7DD100000-0x00007FF7DD4F5000-memory.dmp	xmrig
behavioral2/memory/2456-542-0x00007FF6643D0000-0x00007FF6647C5000-memory.dmp	xmrig
behavioral2/memory/460-543-0x00007FF7DD6D0000-0x00007FF7DDAC5000-memory.dmp	xmrig
behavioral2/memory/1620-544-0x00007FF79E660000-0x00007FF79EA55000-memory.dmp	xmrig
behavioral2/memory/1992-552-0x00007FF7738E0000-0x00007FF773CD5000-memory.dmp	xmrig
behavioral2/memory/4732-559-0x00007FF61C900000-0x00007FF61CCF5000-memory.dmp	xmrig
behavioral2/memory/1032-566-0x00007FF6D3550000-0x00007FF6D3945000-memory.dmp	xmrig
behavioral2/memory/5080-606-0x00007FF653C50000-0x00007FF654045000-memory.dmp	xmrig
behavioral2/memory/868-600-0x00007FF7A2AA0000-0x00007FF7A2E95000-memory.dmp	xmrig
behavioral2/memory/784-589-0x00007FF6EA790000-0x00007FF6EAB85000-memory.dmp	xmrig
behavioral2/memory/2320-587-0x00007FF6AB5D0000-0x00007FF6AB9C5000-memory.dmp	xmrig
behavioral2/memory/4724-583-0x00007FF687950000-0x00007FF687D45000-memory.dmp	xmrig
behavioral2/memory/436-573-0x00007FF658480000-0x00007FF658875000-memory.dmp	xmrig
behavioral2/memory/2508-576-0x00007FF72CC50000-0x00007FF72D045000-memory.dmp	xmrig
behavioral2/memory/3616-569-0x00007FF75A570000-0x00007FF75A965000-memory.dmp	xmrig
behavioral2/memory/2400-561-0x00007FF63B240000-0x00007FF63B635000-memory.dmp	xmrig
behavioral2/memory/876-554-0x00007FF60AC10000-0x00007FF60B005000-memory.dmp	xmrig
behavioral2/files/0x000700000002345e-160.dat	xmrig
behavioral2/files/0x000700000002345d-155.dat	xmrig
behavioral2/files/0x000700000002345c-150.dat	xmrig
behavioral2/files/0x000700000002345a-140.dat	xmrig
behavioral2/files/0x0007000000023458-130.dat	xmrig
behavioral2/files/0x0007000000023457-125.dat	xmrig
behavioral2/files/0x0007000000023456-120.dat	xmrig
behavioral2/files/0x0007000000023455-115.dat	xmrig
behavioral2/files/0x0007000000023453-105.dat	xmrig
behavioral2/files/0x0007000000023451-95.dat	xmrig
behavioral2/files/0x0007000000023450-90.dat	xmrig
behavioral2/files/0x000700000002344f-85.dat	xmrig
behavioral2/files/0x000700000002344e-80.dat	xmrig
behavioral2/files/0x000700000002344d-75.dat	xmrig
behavioral2/files/0x000700000002344c-70.dat	xmrig
behavioral2/files/0x000700000002344b-65.dat	xmrig
behavioral2/files/0x0007000000023449-60.dat	xmrig
behavioral2/files/0x0007000000023446-53.dat	xmrig
behavioral2/files/0x0007000000023447-51.dat	xmrig
behavioral2/memory/3556-45-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp	xmrig
behavioral2/memory/4184-35-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp	xmrig
behavioral2/memory/4740-28-0x00007FF677840000-0x00007FF677C35000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-27.dat	xmrig
behavioral2/files/0x0007000000023441-23.dat	xmrig
behavioral2/memory/4956-1866-0x00007FF617450000-0x00007FF617845000-memory.dmp	xmrig
behavioral2/memory/2732-1867-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	xmrig
behavioral2/memory/4740-1868-0x00007FF677840000-0x00007FF677C35000-memory.dmp	xmrig
behavioral2/memory/4184-1869-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp	xmrig
behavioral2/memory/2732-1870-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	xmrig
behavioral2/memory/3556-1871-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp	xmrig
behavioral2/memory/4108-1872-0x00007FF60B540000-0x00007FF60B935000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2732	OAXILXH.exe
3556	JIsdKhq.exe
4108	HaFAvJx.exe
4740	rEtypnd.exe
4364	YXIFQgl.exe
4184	TrsTCJn.exe
868	zHVLraQ.exe
5080	dvCSVoT.exe
2696	jlpnYzF.exe
4600	AGtyZIZ.exe
2456	XVeDaZT.exe
460	UkdlCJD.exe
1620	nfWTYrB.exe
1992	sLLJneT.exe
876	uMMHsxl.exe
4732	XHhDHWR.exe
2400	mqoyctt.exe
1032	smDGvHl.exe
3616	WLwRNBf.exe
436	NMpIGVK.exe
2508	zTkIRSM.exe
4724	gBysycm.exe
2320	JKkdFYQ.exe
784	UODGDrj.exe
4088	ioCovys.exe
732	ktXGStG.exe
3532	ujsrsuO.exe
1856	GRiqGsO.exe
2460	HiNJxIt.exe
3288	PIpKBGh.exe
2392	OARmMBX.exe
3792	kwymeId.exe
3436	zREVdgv.exe
4444	vSafVWh.exe
4120	HBSocFs.exe
3500	uewqBHN.exe
3632	LRrCvHc.exe
2788	duvhFot.exe
3204	kaxYvQy.exe
1488	lwvBBLS.exe
2488	eAYZdrH.exe
1132	zbeWehc.exe
3132	NQKUALZ.exe
4500	jMQzsmE.exe
4144	PzJuwsZ.exe
792	xsjbaic.exe
392	JZqkXMt.exe
2164	ljSbzBe.exe
1812	XPJUWmq.exe
1180	WNOKpLl.exe
4616	iQLHGuq.exe
3972	tCpflvr.exe
116	tYTvuyQ.exe
3924	OCRocFx.exe
4388	jikypGw.exe
2316	VSSRaen.exe
1560	mxHBlPr.exe
2168	urThcRC.exe
1980	uTfHUgJ.exe
3744	AUXmWZW.exe
5036	aattThH.exe
4848	RWQIlVj.exe
4788	dffcHFL.exe
2244	sLXRsPn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4956-0-0x00007FF617450000-0x00007FF617845000-memory.dmp	upx
behavioral2/files/0x000800000002343a-5.dat	upx
behavioral2/files/0x000800000002343d-7.dat	upx
behavioral2/memory/2732-18-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	upx
behavioral2/files/0x0007000000023444-29.dat	upx
behavioral2/files/0x0007000000023443-31.dat	upx
behavioral2/files/0x0007000000023445-37.dat	upx
behavioral2/files/0x0007000000023448-50.dat	upx
behavioral2/files/0x0007000000023452-100.dat	upx
behavioral2/files/0x0007000000023454-110.dat	upx
behavioral2/files/0x0007000000023459-132.dat	upx
behavioral2/files/0x000700000002345b-145.dat	upx
behavioral2/files/0x000700000002345f-162.dat	upx
behavioral2/memory/4108-538-0x00007FF60B540000-0x00007FF60B935000-memory.dmp	upx
behavioral2/memory/4364-539-0x00007FF6418A0000-0x00007FF641C95000-memory.dmp	upx
behavioral2/memory/2696-540-0x00007FF7622B0000-0x00007FF7626A5000-memory.dmp	upx
behavioral2/memory/4600-541-0x00007FF7DD100000-0x00007FF7DD4F5000-memory.dmp	upx
behavioral2/memory/2456-542-0x00007FF6643D0000-0x00007FF6647C5000-memory.dmp	upx
behavioral2/memory/460-543-0x00007FF7DD6D0000-0x00007FF7DDAC5000-memory.dmp	upx
behavioral2/memory/1620-544-0x00007FF79E660000-0x00007FF79EA55000-memory.dmp	upx
behavioral2/memory/1992-552-0x00007FF7738E0000-0x00007FF773CD5000-memory.dmp	upx
behavioral2/memory/4732-559-0x00007FF61C900000-0x00007FF61CCF5000-memory.dmp	upx
behavioral2/memory/1032-566-0x00007FF6D3550000-0x00007FF6D3945000-memory.dmp	upx
behavioral2/memory/5080-606-0x00007FF653C50000-0x00007FF654045000-memory.dmp	upx
behavioral2/memory/868-600-0x00007FF7A2AA0000-0x00007FF7A2E95000-memory.dmp	upx
behavioral2/memory/784-589-0x00007FF6EA790000-0x00007FF6EAB85000-memory.dmp	upx
behavioral2/memory/2320-587-0x00007FF6AB5D0000-0x00007FF6AB9C5000-memory.dmp	upx
behavioral2/memory/4724-583-0x00007FF687950000-0x00007FF687D45000-memory.dmp	upx
behavioral2/memory/436-573-0x00007FF658480000-0x00007FF658875000-memory.dmp	upx
behavioral2/memory/2508-576-0x00007FF72CC50000-0x00007FF72D045000-memory.dmp	upx
behavioral2/memory/3616-569-0x00007FF75A570000-0x00007FF75A965000-memory.dmp	upx
behavioral2/memory/2400-561-0x00007FF63B240000-0x00007FF63B635000-memory.dmp	upx
behavioral2/memory/876-554-0x00007FF60AC10000-0x00007FF60B005000-memory.dmp	upx
behavioral2/files/0x000700000002345e-160.dat	upx
behavioral2/files/0x000700000002345d-155.dat	upx
behavioral2/files/0x000700000002345c-150.dat	upx
behavioral2/files/0x000700000002345a-140.dat	upx
behavioral2/files/0x0007000000023458-130.dat	upx
behavioral2/files/0x0007000000023457-125.dat	upx
behavioral2/files/0x0007000000023456-120.dat	upx
behavioral2/files/0x0007000000023455-115.dat	upx
behavioral2/files/0x0007000000023453-105.dat	upx
behavioral2/files/0x0007000000023451-95.dat	upx
behavioral2/files/0x0007000000023450-90.dat	upx
behavioral2/files/0x000700000002344f-85.dat	upx
behavioral2/files/0x000700000002344e-80.dat	upx
behavioral2/files/0x000700000002344d-75.dat	upx
behavioral2/files/0x000700000002344c-70.dat	upx
behavioral2/files/0x000700000002344b-65.dat	upx
behavioral2/files/0x0007000000023449-60.dat	upx
behavioral2/files/0x0007000000023446-53.dat	upx
behavioral2/files/0x0007000000023447-51.dat	upx
behavioral2/memory/3556-45-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp	upx
behavioral2/memory/4184-35-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp	upx
behavioral2/memory/4740-28-0x00007FF677840000-0x00007FF677C35000-memory.dmp	upx
behavioral2/files/0x0007000000023442-27.dat	upx
behavioral2/files/0x0007000000023441-23.dat	upx
behavioral2/memory/4956-1866-0x00007FF617450000-0x00007FF617845000-memory.dmp	upx
behavioral2/memory/2732-1867-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	upx
behavioral2/memory/4740-1868-0x00007FF677840000-0x00007FF677C35000-memory.dmp	upx
behavioral2/memory/4184-1869-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp	upx
behavioral2/memory/2732-1870-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp	upx
behavioral2/memory/3556-1871-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp	upx
behavioral2/memory/4108-1872-0x00007FF60B540000-0x00007FF60B935000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\QowQSNX.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\RawMAhI.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\auoXOcP.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\qyHiLjE.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\lNRbnaa.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\pRLxsSf.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\wkkyPse.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\XBamkIQ.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\uXsnkoh.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\SZwpKLP.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\VijEmmN.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\hcIKXxl.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\kszuFNR.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\rZOSLJr.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZSofAmj.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\xWzNAsi.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\NucwDtf.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\viMOujh.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\LunCJvF.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\dffcHFL.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\VRaHrJE.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\nDjdnPP.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\fpIevam.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\snMGyaV.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\gKvQZMT.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\IBwCahr.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\iQLHGuq.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jHYfEXw.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\shpsROC.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\CLwBQWO.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\chLVFdM.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\DuYgidu.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\wWCKpoZ.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\XfWmwfh.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\uDpauGd.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\rtvuafo.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\mtCLeTl.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ktXGStG.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\LRrCvHc.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\qYpnDrm.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\JFLkNyT.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\WHuHpWv.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\urThcRC.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ckHHdRb.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\pxKyEHN.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\BOejQqT.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\HDxxVPf.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\erpeEuu.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\baKmFxh.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\nzfVomj.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\veqVVWf.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\EDrmMkp.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\zmdoOda.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\cTjvopO.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\nBfWksf.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\FWYSlYV.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\HaFAvJx.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\YXIFQgl.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\uactKSe.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\FManVub.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\MRjhozK.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\wtuuEDo.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\NyqyIem.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
File created	C:\Windows\System32\WNOKpLl.exe	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2856	dwm.exe
Token: SeChangeNotifyPrivilege	2856	dwm.exe
Token: 33	2856	dwm.exe
Token: SeIncBasePriorityPrivilege	2856	dwm.exe
Token: SeShutdownPrivilege	2856	dwm.exe
Token: SeCreatePagefilePrivilege	2856	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	86
PID 4956 wrote to memory of 2732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	86
PID 4956 wrote to memory of 3556	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	87
PID 4956 wrote to memory of 3556	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	87
PID 4956 wrote to memory of 4108	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	88
PID 4956 wrote to memory of 4108	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	88
PID 4956 wrote to memory of 4740	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	89
PID 4956 wrote to memory of 4740	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	89
PID 4956 wrote to memory of 4364	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	90
PID 4956 wrote to memory of 4364	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	90
PID 4956 wrote to memory of 4184	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	91
PID 4956 wrote to memory of 4184	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	91
PID 4956 wrote to memory of 868	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	92
PID 4956 wrote to memory of 868	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	92
PID 4956 wrote to memory of 2696	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	93
PID 4956 wrote to memory of 2696	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	93
PID 4956 wrote to memory of 5080	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	94
PID 4956 wrote to memory of 5080	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	94
PID 4956 wrote to memory of 4600	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	95
PID 4956 wrote to memory of 4600	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	95
PID 4956 wrote to memory of 2456	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	96
PID 4956 wrote to memory of 2456	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	96
PID 4956 wrote to memory of 460	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	97
PID 4956 wrote to memory of 460	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	97
PID 4956 wrote to memory of 1620	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	98
PID 4956 wrote to memory of 1620	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	98
PID 4956 wrote to memory of 1992	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	99
PID 4956 wrote to memory of 1992	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	99
PID 4956 wrote to memory of 876	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	100
PID 4956 wrote to memory of 876	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	100
PID 4956 wrote to memory of 4732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	101
PID 4956 wrote to memory of 4732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	101
PID 4956 wrote to memory of 2400	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	102
PID 4956 wrote to memory of 2400	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	102
PID 4956 wrote to memory of 1032	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	103
PID 4956 wrote to memory of 1032	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	103
PID 4956 wrote to memory of 3616	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	104
PID 4956 wrote to memory of 3616	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	104
PID 4956 wrote to memory of 436	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	105
PID 4956 wrote to memory of 436	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	105
PID 4956 wrote to memory of 2508	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	106
PID 4956 wrote to memory of 2508	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	106
PID 4956 wrote to memory of 4724	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	107
PID 4956 wrote to memory of 4724	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	107
PID 4956 wrote to memory of 2320	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	108
PID 4956 wrote to memory of 2320	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	108
PID 4956 wrote to memory of 784	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	109
PID 4956 wrote to memory of 784	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	109
PID 4956 wrote to memory of 4088	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	110
PID 4956 wrote to memory of 4088	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	110
PID 4956 wrote to memory of 732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	111
PID 4956 wrote to memory of 732	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	111
PID 4956 wrote to memory of 3532	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	112
PID 4956 wrote to memory of 3532	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	112
PID 4956 wrote to memory of 1856	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	113
PID 4956 wrote to memory of 1856	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	113
PID 4956 wrote to memory of 2460	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	114
PID 4956 wrote to memory of 2460	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	114
PID 4956 wrote to memory of 3288	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	115
PID 4956 wrote to memory of 3288	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	115
PID 4956 wrote to memory of 2392	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	116
PID 4956 wrote to memory of 2392	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	116
PID 4956 wrote to memory of 3792	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	117
PID 4956 wrote to memory of 3792	4956	6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f8415db2d8557e04c900628c9cadcd0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\OAXILXH.exe
  C:\Windows\System32\OAXILXH.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\JIsdKhq.exe
  C:\Windows\System32\JIsdKhq.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\HaFAvJx.exe
  C:\Windows\System32\HaFAvJx.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\rEtypnd.exe
  C:\Windows\System32\rEtypnd.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\YXIFQgl.exe
  C:\Windows\System32\YXIFQgl.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\TrsTCJn.exe
  C:\Windows\System32\TrsTCJn.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\zHVLraQ.exe
  C:\Windows\System32\zHVLraQ.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\jlpnYzF.exe
  C:\Windows\System32\jlpnYzF.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System32\dvCSVoT.exe
  C:\Windows\System32\dvCSVoT.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\AGtyZIZ.exe
  C:\Windows\System32\AGtyZIZ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\XVeDaZT.exe
  C:\Windows\System32\XVeDaZT.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System32\UkdlCJD.exe
  C:\Windows\System32\UkdlCJD.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\nfWTYrB.exe
  C:\Windows\System32\nfWTYrB.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\sLLJneT.exe
  C:\Windows\System32\sLLJneT.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\uMMHsxl.exe
  C:\Windows\System32\uMMHsxl.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\XHhDHWR.exe
  C:\Windows\System32\XHhDHWR.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\mqoyctt.exe
  C:\Windows\System32\mqoyctt.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\smDGvHl.exe
  C:\Windows\System32\smDGvHl.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\WLwRNBf.exe
  C:\Windows\System32\WLwRNBf.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\NMpIGVK.exe
  C:\Windows\System32\NMpIGVK.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\zTkIRSM.exe
  C:\Windows\System32\zTkIRSM.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\gBysycm.exe
  C:\Windows\System32\gBysycm.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\JKkdFYQ.exe
  C:\Windows\System32\JKkdFYQ.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\UODGDrj.exe
  C:\Windows\System32\UODGDrj.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System32\ioCovys.exe
  C:\Windows\System32\ioCovys.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\ktXGStG.exe
  C:\Windows\System32\ktXGStG.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System32\ujsrsuO.exe
  C:\Windows\System32\ujsrsuO.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\GRiqGsO.exe
  C:\Windows\System32\GRiqGsO.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\HiNJxIt.exe
  C:\Windows\System32\HiNJxIt.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System32\PIpKBGh.exe
  C:\Windows\System32\PIpKBGh.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\OARmMBX.exe
  C:\Windows\System32\OARmMBX.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\kwymeId.exe
  C:\Windows\System32\kwymeId.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System32\zREVdgv.exe
  C:\Windows\System32\zREVdgv.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\vSafVWh.exe
  C:\Windows\System32\vSafVWh.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\HBSocFs.exe
  C:\Windows\System32\HBSocFs.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\uewqBHN.exe
  C:\Windows\System32\uewqBHN.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System32\LRrCvHc.exe
  C:\Windows\System32\LRrCvHc.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\duvhFot.exe
  C:\Windows\System32\duvhFot.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\kaxYvQy.exe
  C:\Windows\System32\kaxYvQy.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\lwvBBLS.exe
  C:\Windows\System32\lwvBBLS.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\eAYZdrH.exe
  C:\Windows\System32\eAYZdrH.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\zbeWehc.exe
  C:\Windows\System32\zbeWehc.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\NQKUALZ.exe
  C:\Windows\System32\NQKUALZ.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\jMQzsmE.exe
  C:\Windows\System32\jMQzsmE.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System32\PzJuwsZ.exe
  C:\Windows\System32\PzJuwsZ.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\xsjbaic.exe
  C:\Windows\System32\xsjbaic.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System32\JZqkXMt.exe
  C:\Windows\System32\JZqkXMt.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\ljSbzBe.exe
  C:\Windows\System32\ljSbzBe.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\XPJUWmq.exe
  C:\Windows\System32\XPJUWmq.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\WNOKpLl.exe
  C:\Windows\System32\WNOKpLl.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System32\iQLHGuq.exe
  C:\Windows\System32\iQLHGuq.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\tCpflvr.exe
  C:\Windows\System32\tCpflvr.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\tYTvuyQ.exe
  C:\Windows\System32\tYTvuyQ.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\OCRocFx.exe
  C:\Windows\System32\OCRocFx.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\jikypGw.exe
  C:\Windows\System32\jikypGw.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\VSSRaen.exe
  C:\Windows\System32\VSSRaen.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\mxHBlPr.exe
  C:\Windows\System32\mxHBlPr.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System32\urThcRC.exe
  C:\Windows\System32\urThcRC.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\uTfHUgJ.exe
  C:\Windows\System32\uTfHUgJ.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\AUXmWZW.exe
  C:\Windows\System32\AUXmWZW.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\aattThH.exe
  C:\Windows\System32\aattThH.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\RWQIlVj.exe
  C:\Windows\System32\RWQIlVj.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\dffcHFL.exe
  C:\Windows\System32\dffcHFL.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\sLXRsPn.exe
  C:\Windows\System32\sLXRsPn.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\hVKCszG.exe
  C:\Windows\System32\hVKCszG.exe
  2⤵
  PID:1636
- C:\Windows\System32\hPfNgSt.exe
  C:\Windows\System32\hPfNgSt.exe
  2⤵
  PID:4680
- C:\Windows\System32\HKCXzBA.exe
  C:\Windows\System32\HKCXzBA.exe
  2⤵
  PID:212
- C:\Windows\System32\iHkqkOf.exe
  C:\Windows\System32\iHkqkOf.exe
  2⤵
  PID:2516
- C:\Windows\System32\xWzNAsi.exe
  C:\Windows\System32\xWzNAsi.exe
  2⤵
  PID:1012
- C:\Windows\System32\MTnQfmJ.exe
  C:\Windows\System32\MTnQfmJ.exe
  2⤵
  PID:2636
- C:\Windows\System32\RuLoiYm.exe
  C:\Windows\System32\RuLoiYm.exe
  2⤵
  PID:5148
- C:\Windows\System32\xnlwCIX.exe
  C:\Windows\System32\xnlwCIX.exe
  2⤵
  PID:5172
- C:\Windows\System32\NlnIKbu.exe
  C:\Windows\System32\NlnIKbu.exe
  2⤵
  PID:5212
- C:\Windows\System32\cADgLaI.exe
  C:\Windows\System32\cADgLaI.exe
  2⤵
  PID:5232
- C:\Windows\System32\fBaptga.exe
  C:\Windows\System32\fBaptga.exe
  2⤵
  PID:5260
- C:\Windows\System32\nBhAhcr.exe
  C:\Windows\System32\nBhAhcr.exe
  2⤵
  PID:5288
- C:\Windows\System32\rVrySoJ.exe
  C:\Windows\System32\rVrySoJ.exe
  2⤵
  PID:5316
- C:\Windows\System32\tTzanBw.exe
  C:\Windows\System32\tTzanBw.exe
  2⤵
  PID:5344
- C:\Windows\System32\wWCKpoZ.exe
  C:\Windows\System32\wWCKpoZ.exe
  2⤵
  PID:5372
- C:\Windows\System32\cLLMWlW.exe
  C:\Windows\System32\cLLMWlW.exe
  2⤵
  PID:5400
- C:\Windows\System32\QowQSNX.exe
  C:\Windows\System32\QowQSNX.exe
  2⤵
  PID:5428
- C:\Windows\System32\ZxxksUl.exe
  C:\Windows\System32\ZxxksUl.exe
  2⤵
  PID:5456
- C:\Windows\System32\RFDDzsL.exe
  C:\Windows\System32\RFDDzsL.exe
  2⤵
  PID:5480
- C:\Windows\System32\QsnTXNI.exe
  C:\Windows\System32\QsnTXNI.exe
  2⤵
  PID:5512
- C:\Windows\System32\JlScLeC.exe
  C:\Windows\System32\JlScLeC.exe
  2⤵
  PID:5540
- C:\Windows\System32\glqBVuE.exe
  C:\Windows\System32\glqBVuE.exe
  2⤵
  PID:5568
- C:\Windows\System32\PKYsyYD.exe
  C:\Windows\System32\PKYsyYD.exe
  2⤵
  PID:5596
- C:\Windows\System32\jYrNYxj.exe
  C:\Windows\System32\jYrNYxj.exe
  2⤵
  PID:5624
- C:\Windows\System32\unSlvWH.exe
  C:\Windows\System32\unSlvWH.exe
  2⤵
  PID:5652
- C:\Windows\System32\fAaXwUh.exe
  C:\Windows\System32\fAaXwUh.exe
  2⤵
  PID:5680
- C:\Windows\System32\zMhUnrp.exe
  C:\Windows\System32\zMhUnrp.exe
  2⤵
  PID:5708
- C:\Windows\System32\lSNnbXy.exe
  C:\Windows\System32\lSNnbXy.exe
  2⤵
  PID:5736
- C:\Windows\System32\coqYOnP.exe
  C:\Windows\System32\coqYOnP.exe
  2⤵
  PID:5764
- C:\Windows\System32\gJzccvG.exe
  C:\Windows\System32\gJzccvG.exe
  2⤵
  PID:5792
- C:\Windows\System32\mmwuuku.exe
  C:\Windows\System32\mmwuuku.exe
  2⤵
  PID:5820
- C:\Windows\System32\EsGEnyu.exe
  C:\Windows\System32\EsGEnyu.exe
  2⤵
  PID:5848
- C:\Windows\System32\tQDuOmT.exe
  C:\Windows\System32\tQDuOmT.exe
  2⤵
  PID:5876
- C:\Windows\System32\LvCURNG.exe
  C:\Windows\System32\LvCURNG.exe
  2⤵
  PID:5904
- C:\Windows\System32\bbxHVhJ.exe
  C:\Windows\System32\bbxHVhJ.exe
  2⤵
  PID:5932
- C:\Windows\System32\reLeofH.exe
  C:\Windows\System32\reLeofH.exe
  2⤵
  PID:5960
- C:\Windows\System32\exthisZ.exe
  C:\Windows\System32\exthisZ.exe
  2⤵
  PID:5988
- C:\Windows\System32\hbmCzIE.exe
  C:\Windows\System32\hbmCzIE.exe
  2⤵
  PID:6016
- C:\Windows\System32\zNRiAzv.exe
  C:\Windows\System32\zNRiAzv.exe
  2⤵
  PID:6044
- C:\Windows\System32\wkkyPse.exe
  C:\Windows\System32\wkkyPse.exe
  2⤵
  PID:6084
- C:\Windows\System32\kWPJQPE.exe
  C:\Windows\System32\kWPJQPE.exe
  2⤵
  PID:6100
- C:\Windows\System32\WdcnvLD.exe
  C:\Windows\System32\WdcnvLD.exe
  2⤵
  PID:6124
- C:\Windows\System32\DdpNjHA.exe
  C:\Windows\System32\DdpNjHA.exe
  2⤵
  PID:3496
- C:\Windows\System32\vsmbFIH.exe
  C:\Windows\System32\vsmbFIH.exe
  2⤵
  PID:3712
- C:\Windows\System32\ffESrYf.exe
  C:\Windows\System32\ffESrYf.exe
  2⤵
  PID:2888
- C:\Windows\System32\fTdaiuz.exe
  C:\Windows\System32\fTdaiuz.exe
  2⤵
  PID:3520
- C:\Windows\System32\KBwLhFx.exe
  C:\Windows\System32\KBwLhFx.exe
  2⤵
  PID:5028
- C:\Windows\System32\ckHHdRb.exe
  C:\Windows\System32\ckHHdRb.exe
  2⤵
  PID:5168
- C:\Windows\System32\tpVCxxt.exe
  C:\Windows\System32\tpVCxxt.exe
  2⤵
  PID:5252
- C:\Windows\System32\rLtlkfQ.exe
  C:\Windows\System32\rLtlkfQ.exe
  2⤵
  PID:5300
- C:\Windows\System32\xMHOwoT.exe
  C:\Windows\System32\xMHOwoT.exe
  2⤵
  PID:5352
- C:\Windows\System32\DjPKcNb.exe
  C:\Windows\System32\DjPKcNb.exe
  2⤵
  PID:5464
- C:\Windows\System32\JWQPIHC.exe
  C:\Windows\System32\JWQPIHC.exe
  2⤵
  PID:5496
- C:\Windows\System32\FUNFbFf.exe
  C:\Windows\System32\FUNFbFf.exe
  2⤵
  PID:5548
- C:\Windows\System32\baKmFxh.exe
  C:\Windows\System32\baKmFxh.exe
  2⤵
  PID:5632
- C:\Windows\System32\mSncxsR.exe
  C:\Windows\System32\mSncxsR.exe
  2⤵
  PID:5692
- C:\Windows\System32\zTEDrQV.exe
  C:\Windows\System32\zTEDrQV.exe
  2⤵
  PID:5748
- C:\Windows\System32\bSxUaWY.exe
  C:\Windows\System32\bSxUaWY.exe
  2⤵
  PID:5856
- C:\Windows\System32\yJKWaGY.exe
  C:\Windows\System32\yJKWaGY.exe
  2⤵
  PID:5888
- C:\Windows\System32\QUQttxq.exe
  C:\Windows\System32\QUQttxq.exe
  2⤵
  PID:5944
- C:\Windows\System32\IfvWuiz.exe
  C:\Windows\System32\IfvWuiz.exe
  2⤵
  PID:6036
- C:\Windows\System32\nFQsyKH.exe
  C:\Windows\System32\nFQsyKH.exe
  2⤵
  PID:6092
- C:\Windows\System32\RbCdyKT.exe
  C:\Windows\System32\RbCdyKT.exe
  2⤵
  PID:6132
- C:\Windows\System32\XfWmwfh.exe
  C:\Windows\System32\XfWmwfh.exe
  2⤵
  PID:3764
- C:\Windows\System32\Ditutdf.exe
  C:\Windows\System32\Ditutdf.exe
  2⤵
  PID:3028
- C:\Windows\System32\RawMAhI.exe
  C:\Windows\System32\RawMAhI.exe
  2⤵
  PID:5268
- C:\Windows\System32\TiyQtUs.exe
  C:\Windows\System32\TiyQtUs.exe
  2⤵
  PID:5384
- C:\Windows\System32\TIHCgce.exe
  C:\Windows\System32\TIHCgce.exe
  2⤵
  PID:5560
- C:\Windows\System32\nKtPaLD.exe
  C:\Windows\System32\nKtPaLD.exe
  2⤵
  PID:5728
- C:\Windows\System32\nWmAGdR.exe
  C:\Windows\System32\nWmAGdR.exe
  2⤵
  PID:5868
- C:\Windows\System32\jIFgiLK.exe
  C:\Windows\System32\jIFgiLK.exe
  2⤵
  PID:5980
- C:\Windows\System32\xawbGRB.exe
  C:\Windows\System32\xawbGRB.exe
  2⤵
  PID:4720
- C:\Windows\System32\QytOcfC.exe
  C:\Windows\System32\QytOcfC.exe
  2⤵
  PID:5196
- C:\Windows\System32\lCEcPOg.exe
  C:\Windows\System32\lCEcPOg.exe
  2⤵
  PID:5520
- C:\Windows\System32\zmdoOda.exe
  C:\Windows\System32\zmdoOda.exe
  2⤵
  PID:5776
- C:\Windows\System32\pxKyEHN.exe
  C:\Windows\System32\pxKyEHN.exe
  2⤵
  PID:2000
- C:\Windows\System32\IUrSvAW.exe
  C:\Windows\System32\IUrSvAW.exe
  2⤵
  PID:6148
- C:\Windows\System32\JqwXliH.exe
  C:\Windows\System32\JqwXliH.exe
  2⤵
  PID:6188
- C:\Windows\System32\MjQyDHq.exe
  C:\Windows\System32\MjQyDHq.exe
  2⤵
  PID:6204
- C:\Windows\System32\FFuIDKu.exe
  C:\Windows\System32\FFuIDKu.exe
  2⤵
  PID:6244
- C:\Windows\System32\hAgidPM.exe
  C:\Windows\System32\hAgidPM.exe
  2⤵
  PID:6260
- C:\Windows\System32\bFOkZkG.exe
  C:\Windows\System32\bFOkZkG.exe
  2⤵
  PID:6284
- C:\Windows\System32\dgEXPmX.exe
  C:\Windows\System32\dgEXPmX.exe
  2⤵
  PID:6316
- C:\Windows\System32\uDpauGd.exe
  C:\Windows\System32\uDpauGd.exe
  2⤵
  PID:6340
- C:\Windows\System32\zAOnAME.exe
  C:\Windows\System32\zAOnAME.exe
  2⤵
  PID:6372
- C:\Windows\System32\izCnMRY.exe
  C:\Windows\System32\izCnMRY.exe
  2⤵
  PID:6400
- C:\Windows\System32\FhAGIcw.exe
  C:\Windows\System32\FhAGIcw.exe
  2⤵
  PID:6440
- C:\Windows\System32\ggZkEuE.exe
  C:\Windows\System32\ggZkEuE.exe
  2⤵
  PID:6456
- C:\Windows\System32\FhNtHzA.exe
  C:\Windows\System32\FhNtHzA.exe
  2⤵
  PID:6480
- C:\Windows\System32\uHHNNmH.exe
  C:\Windows\System32\uHHNNmH.exe
  2⤵
  PID:6512
- C:\Windows\System32\OKnSiec.exe
  C:\Windows\System32\OKnSiec.exe
  2⤵
  PID:6536
- C:\Windows\System32\jCEAVjh.exe
  C:\Windows\System32\jCEAVjh.exe
  2⤵
  PID:6564
- C:\Windows\System32\SXtujHC.exe
  C:\Windows\System32\SXtujHC.exe
  2⤵
  PID:6596
- C:\Windows\System32\nMtrAwJ.exe
  C:\Windows\System32\nMtrAwJ.exe
  2⤵
  PID:6684
- C:\Windows\System32\auoXOcP.exe
  C:\Windows\System32\auoXOcP.exe
  2⤵
  PID:6744
- C:\Windows\System32\uNQAXeM.exe
  C:\Windows\System32\uNQAXeM.exe
  2⤵
  PID:6804
- C:\Windows\System32\DyyrtCx.exe
  C:\Windows\System32\DyyrtCx.exe
  2⤵
  PID:6824
- C:\Windows\System32\cxMrXkb.exe
  C:\Windows\System32\cxMrXkb.exe
  2⤵
  PID:6844
- C:\Windows\System32\QFlRJDf.exe
  C:\Windows\System32\QFlRJDf.exe
  2⤵
  PID:6864
- C:\Windows\System32\MpiKEIs.exe
  C:\Windows\System32\MpiKEIs.exe
  2⤵
  PID:6892
- C:\Windows\System32\bdmisAW.exe
  C:\Windows\System32\bdmisAW.exe
  2⤵
  PID:6920
- C:\Windows\System32\ozpiZpl.exe
  C:\Windows\System32\ozpiZpl.exe
  2⤵
  PID:6944
- C:\Windows\System32\aCtAqCr.exe
  C:\Windows\System32\aCtAqCr.exe
  2⤵
  PID:6980
- C:\Windows\System32\Imkppzn.exe
  C:\Windows\System32\Imkppzn.exe
  2⤵
  PID:7000
- C:\Windows\System32\EublxfA.exe
  C:\Windows\System32\EublxfA.exe
  2⤵
  PID:7056
- C:\Windows\System32\WsvWjxT.exe
  C:\Windows\System32\WsvWjxT.exe
  2⤵
  PID:7084
- C:\Windows\System32\bWiLcak.exe
  C:\Windows\System32\bWiLcak.exe
  2⤵
  PID:7104
- C:\Windows\System32\DPdMDMZ.exe
  C:\Windows\System32\DPdMDMZ.exe
  2⤵
  PID:7124
- C:\Windows\System32\xZVaFMR.exe
  C:\Windows\System32\xZVaFMR.exe
  2⤵
  PID:7156
- C:\Windows\System32\BkTVGmV.exe
  C:\Windows\System32\BkTVGmV.exe
  2⤵
  PID:5924
- C:\Windows\System32\GPSaczY.exe
  C:\Windows\System32\GPSaczY.exe
  2⤵
  PID:6168
- C:\Windows\System32\kmJNyjD.exe
  C:\Windows\System32\kmJNyjD.exe
  2⤵
  PID:6324
- C:\Windows\System32\FXlYohj.exe
  C:\Windows\System32\FXlYohj.exe
  2⤵
  PID:3964
- C:\Windows\System32\BdXFzCz.exe
  C:\Windows\System32\BdXFzCz.exe
  2⤵
  PID:6464
- C:\Windows\System32\GxFzytJ.exe
  C:\Windows\System32\GxFzytJ.exe
  2⤵
  PID:6504
- C:\Windows\System32\tkaQXQQ.exe
  C:\Windows\System32\tkaQXQQ.exe
  2⤵
  PID:6552
- C:\Windows\System32\mdzENug.exe
  C:\Windows\System32\mdzENug.exe
  2⤵
  PID:2152
- C:\Windows\System32\HDZqEGw.exe
  C:\Windows\System32\HDZqEGw.exe
  2⤵
  PID:6588
- C:\Windows\System32\NokmhCN.exe
  C:\Windows\System32\NokmhCN.exe
  2⤵
  PID:3076
- C:\Windows\System32\XMmpvIr.exe
  C:\Windows\System32\XMmpvIr.exe
  2⤵
  PID:6724
- C:\Windows\System32\fcqtChd.exe
  C:\Windows\System32\fcqtChd.exe
  2⤵
  PID:3724
- C:\Windows\System32\YuGdORz.exe
  C:\Windows\System32\YuGdORz.exe
  2⤵
  PID:1904
- C:\Windows\System32\gXIDYjb.exe
  C:\Windows\System32\gXIDYjb.exe
  2⤵
  PID:1356
- C:\Windows\System32\AYpwKGI.exe
  C:\Windows\System32\AYpwKGI.exe
  2⤵
  PID:4116
- C:\Windows\System32\zBUMMmL.exe
  C:\Windows\System32\zBUMMmL.exe
  2⤵
  PID:4808
- C:\Windows\System32\QsVhdwZ.exe
  C:\Windows\System32\QsVhdwZ.exe
  2⤵
  PID:6832
- C:\Windows\System32\QsZVSsy.exe
  C:\Windows\System32\QsZVSsy.exe
  2⤵
  PID:6904
- C:\Windows\System32\UAfJINi.exe
  C:\Windows\System32\UAfJINi.exe
  2⤵
  PID:6936
- C:\Windows\System32\UxMrIqW.exe
  C:\Windows\System32\UxMrIqW.exe
  2⤵
  PID:7096
- C:\Windows\System32\rSTHUib.exe
  C:\Windows\System32\rSTHUib.exe
  2⤵
  PID:7100
- C:\Windows\System32\xnLGfys.exe
  C:\Windows\System32\xnLGfys.exe
  2⤵
  PID:4760
- C:\Windows\System32\XBamkIQ.exe
  C:\Windows\System32\XBamkIQ.exe
  2⤵
  PID:6280
- C:\Windows\System32\LmBHwUk.exe
  C:\Windows\System32\LmBHwUk.exe
  2⤵
  PID:968
- C:\Windows\System32\WblItEY.exe
  C:\Windows\System32\WblItEY.exe
  2⤵
  PID:4060
- C:\Windows\System32\TRDELXp.exe
  C:\Windows\System32\TRDELXp.exe
  2⤵
  PID:2512
- C:\Windows\System32\KWsvVML.exe
  C:\Windows\System32\KWsvVML.exe
  2⤵
  PID:4068
- C:\Windows\System32\bqyorkp.exe
  C:\Windows\System32\bqyorkp.exe
  2⤵
  PID:6796
- C:\Windows\System32\HZiVTog.exe
  C:\Windows\System32\HZiVTog.exe
  2⤵
  PID:396
- C:\Windows\System32\FvxuXmG.exe
  C:\Windows\System32\FvxuXmG.exe
  2⤵
  PID:400
- C:\Windows\System32\yvvZpPy.exe
  C:\Windows\System32\yvvZpPy.exe
  2⤵
  PID:6880
- C:\Windows\System32\qYpnDrm.exe
  C:\Windows\System32\qYpnDrm.exe
  2⤵
  PID:1988
- C:\Windows\System32\jHYfEXw.exe
  C:\Windows\System32\jHYfEXw.exe
  2⤵
  PID:7136
- C:\Windows\System32\kzHlnsK.exe
  C:\Windows\System32\kzHlnsK.exe
  2⤵
  PID:6412
- C:\Windows\System32\nzfVomj.exe
  C:\Windows\System32\nzfVomj.exe
  2⤵
  PID:5024
- C:\Windows\System32\ZbEntFb.exe
  C:\Windows\System32\ZbEntFb.exe
  2⤵
  PID:3492
- C:\Windows\System32\qFFdNOr.exe
  C:\Windows\System32\qFFdNOr.exe
  2⤵
  PID:1748
- C:\Windows\System32\eDXBuSa.exe
  C:\Windows\System32\eDXBuSa.exe
  2⤵
  PID:7120
- C:\Windows\System32\HBgBGUw.exe
  C:\Windows\System32\HBgBGUw.exe
  2⤵
  PID:3936
- C:\Windows\System32\fPgDJJC.exe
  C:\Windows\System32\fPgDJJC.exe
  2⤵
  PID:7020
- C:\Windows\System32\cMScpUu.exe
  C:\Windows\System32\cMScpUu.exe
  2⤵
  PID:3576
- C:\Windows\System32\tKVUEEm.exe
  C:\Windows\System32\tKVUEEm.exe
  2⤵
  PID:6632
- C:\Windows\System32\OnNOwek.exe
  C:\Windows\System32\OnNOwek.exe
  2⤵
  PID:2720
- C:\Windows\System32\TlVElZL.exe
  C:\Windows\System32\TlVElZL.exe
  2⤵
  PID:6216
- C:\Windows\System32\ODOMlmO.exe
  C:\Windows\System32\ODOMlmO.exe
  2⤵
  PID:7184
- C:\Windows\System32\OEExjcH.exe
  C:\Windows\System32\OEExjcH.exe
  2⤵
  PID:7212
- C:\Windows\System32\wxrosAW.exe
  C:\Windows\System32\wxrosAW.exe
  2⤵
  PID:7240
- C:\Windows\System32\mDuZjTE.exe
  C:\Windows\System32\mDuZjTE.exe
  2⤵
  PID:7272
- C:\Windows\System32\WpYhReb.exe
  C:\Windows\System32\WpYhReb.exe
  2⤵
  PID:7292
- C:\Windows\System32\ElrDHEG.exe
  C:\Windows\System32\ElrDHEG.exe
  2⤵
  PID:7332
- C:\Windows\System32\VesNPCd.exe
  C:\Windows\System32\VesNPCd.exe
  2⤵
  PID:7360
- C:\Windows\System32\zeGXAKJ.exe
  C:\Windows\System32\zeGXAKJ.exe
  2⤵
  PID:7388
- C:\Windows\System32\njEsRgo.exe
  C:\Windows\System32\njEsRgo.exe
  2⤵
  PID:7416
- C:\Windows\System32\DNTEkIl.exe
  C:\Windows\System32\DNTEkIl.exe
  2⤵
  PID:7444
- C:\Windows\System32\AHCaFqa.exe
  C:\Windows\System32\AHCaFqa.exe
  2⤵
  PID:7472
- C:\Windows\System32\pVJAWGD.exe
  C:\Windows\System32\pVJAWGD.exe
  2⤵
  PID:7496
- C:\Windows\System32\GOwKOKt.exe
  C:\Windows\System32\GOwKOKt.exe
  2⤵
  PID:7524
- C:\Windows\System32\paNeyaU.exe
  C:\Windows\System32\paNeyaU.exe
  2⤵
  PID:7556
- C:\Windows\System32\xAFGiSD.exe
  C:\Windows\System32\xAFGiSD.exe
  2⤵
  PID:7584
- C:\Windows\System32\cVzsvkN.exe
  C:\Windows\System32\cVzsvkN.exe
  2⤵
  PID:7608
- C:\Windows\System32\qDtCOEC.exe
  C:\Windows\System32\qDtCOEC.exe
  2⤵
  PID:7640
- C:\Windows\System32\XLmPoIp.exe
  C:\Windows\System32\XLmPoIp.exe
  2⤵
  PID:7668
- C:\Windows\System32\VYtQCYI.exe
  C:\Windows\System32\VYtQCYI.exe
  2⤵
  PID:7700
- C:\Windows\System32\oDfJHCU.exe
  C:\Windows\System32\oDfJHCU.exe
  2⤵
  PID:7728
- C:\Windows\System32\VlWvDLR.exe
  C:\Windows\System32\VlWvDLR.exe
  2⤵
  PID:7756
- C:\Windows\System32\mfFBktF.exe
  C:\Windows\System32\mfFBktF.exe
  2⤵
  PID:7784
- C:\Windows\System32\FUWpGoE.exe
  C:\Windows\System32\FUWpGoE.exe
  2⤵
  PID:7812
- C:\Windows\System32\tXZBxFn.exe
  C:\Windows\System32\tXZBxFn.exe
  2⤵
  PID:7840
- C:\Windows\System32\xLTLwMu.exe
  C:\Windows\System32\xLTLwMu.exe
  2⤵
  PID:7884
- C:\Windows\System32\MKdRHhH.exe
  C:\Windows\System32\MKdRHhH.exe
  2⤵
  PID:7944
- C:\Windows\System32\uXsnkoh.exe
  C:\Windows\System32\uXsnkoh.exe
  2⤵
  PID:7968
- C:\Windows\System32\JttDJoa.exe
  C:\Windows\System32\JttDJoa.exe
  2⤵
  PID:8000
- C:\Windows\System32\UqhHZvP.exe
  C:\Windows\System32\UqhHZvP.exe
  2⤵
  PID:8028
- C:\Windows\System32\DUGCLDb.exe
  C:\Windows\System32\DUGCLDb.exe
  2⤵
  PID:8056
- C:\Windows\System32\tunfPDq.exe
  C:\Windows\System32\tunfPDq.exe
  2⤵
  PID:8084
- C:\Windows\System32\zUnOaLD.exe
  C:\Windows\System32\zUnOaLD.exe
  2⤵
  PID:8112
- C:\Windows\System32\PnIrumR.exe
  C:\Windows\System32\PnIrumR.exe
  2⤵
  PID:8144
- C:\Windows\System32\uactKSe.exe
  C:\Windows\System32\uactKSe.exe
  2⤵
  PID:8172
- C:\Windows\System32\qyHiLjE.exe
  C:\Windows\System32\qyHiLjE.exe
  2⤵
  PID:7180
- C:\Windows\System32\TjigGhs.exe
  C:\Windows\System32\TjigGhs.exe
  2⤵
  PID:7260
- C:\Windows\System32\shpsROC.exe
  C:\Windows\System32\shpsROC.exe
  2⤵
  PID:7328
- C:\Windows\System32\GZBgDPy.exe
  C:\Windows\System32\GZBgDPy.exe
  2⤵
  PID:7408
- C:\Windows\System32\daWFLFw.exe
  C:\Windows\System32\daWFLFw.exe
  2⤵
  PID:6668
- C:\Windows\System32\lzErEBr.exe
  C:\Windows\System32\lzErEBr.exe
  2⤵
  PID:7484
- C:\Windows\System32\CLwBQWO.exe
  C:\Windows\System32\CLwBQWO.exe
  2⤵
  PID:7580
- C:\Windows\System32\UxzuAyc.exe
  C:\Windows\System32\UxzuAyc.exe
  2⤵
  PID:7624
- C:\Windows\System32\Pzupqcr.exe
  C:\Windows\System32\Pzupqcr.exe
  2⤵
  PID:7712
- C:\Windows\System32\rDSItXB.exe
  C:\Windows\System32\rDSItXB.exe
  2⤵
  PID:7776
- C:\Windows\System32\ggkgOMQ.exe
  C:\Windows\System32\ggkgOMQ.exe
  2⤵
  PID:7808
- C:\Windows\System32\fdKzRXp.exe
  C:\Windows\System32\fdKzRXp.exe
  2⤵
  PID:7880
- C:\Windows\System32\fiTEUCO.exe
  C:\Windows\System32\fiTEUCO.exe
  2⤵
  PID:7952
- C:\Windows\System32\YUIpQpy.exe
  C:\Windows\System32\YUIpQpy.exe
  2⤵
  PID:6900
- C:\Windows\System32\TVDIOhD.exe
  C:\Windows\System32\TVDIOhD.exe
  2⤵
  PID:8068
- C:\Windows\System32\QFkVzgn.exe
  C:\Windows\System32\QFkVzgn.exe
  2⤵
  PID:8108
- C:\Windows\System32\WYxGqDJ.exe
  C:\Windows\System32\WYxGqDJ.exe
  2⤵
  PID:8168
- C:\Windows\System32\qoEqKYi.exe
  C:\Windows\System32\qoEqKYi.exe
  2⤵
  PID:7252
- C:\Windows\System32\NmhzMsX.exe
  C:\Windows\System32\NmhzMsX.exe
  2⤵
  PID:7436
- C:\Windows\System32\rQFnbMk.exe
  C:\Windows\System32\rQFnbMk.exe
  2⤵
  PID:7552
- C:\Windows\System32\TxfTkEj.exe
  C:\Windows\System32\TxfTkEj.exe
  2⤵
  PID:7616
- C:\Windows\System32\AMJYfjk.exe
  C:\Windows\System32\AMJYfjk.exe
  2⤵
  PID:7796
- C:\Windows\System32\auFssvE.exe
  C:\Windows\System32\auFssvE.exe
  2⤵
  PID:6952
- C:\Windows\System32\MLQElxO.exe
  C:\Windows\System32\MLQElxO.exe
  2⤵
  PID:8024
- C:\Windows\System32\wByPbCt.exe
  C:\Windows\System32\wByPbCt.exe
  2⤵
  PID:7208
- C:\Windows\System32\ULAcNEQ.exe
  C:\Windows\System32\ULAcNEQ.exe
  2⤵
  PID:7512
- C:\Windows\System32\YwbQjMG.exe
  C:\Windows\System32\YwbQjMG.exe
  2⤵
  PID:7804
- C:\Windows\System32\NSlhcdL.exe
  C:\Windows\System32\NSlhcdL.exe
  2⤵
  PID:8048
- C:\Windows\System32\ZMDdaIM.exe
  C:\Windows\System32\ZMDdaIM.exe
  2⤵
  PID:3528
- C:\Windows\System32\owtUzMJ.exe
  C:\Windows\System32\owtUzMJ.exe
  2⤵
  PID:7464
- C:\Windows\System32\kszuFNR.exe
  C:\Windows\System32\kszuFNR.exe
  2⤵
  PID:2608
- C:\Windows\System32\nAXTcYa.exe
  C:\Windows\System32\nAXTcYa.exe
  2⤵
  PID:8208
- C:\Windows\System32\EnHMoad.exe
  C:\Windows\System32\EnHMoad.exe
  2⤵
  PID:8264
- C:\Windows\System32\nECZNpW.exe
  C:\Windows\System32\nECZNpW.exe
  2⤵
  PID:8284
- C:\Windows\System32\nmGHwBa.exe
  C:\Windows\System32\nmGHwBa.exe
  2⤵
  PID:8320
- C:\Windows\System32\aTzmVNU.exe
  C:\Windows\System32\aTzmVNU.exe
  2⤵
  PID:8336
- C:\Windows\System32\IjKQhkn.exe
  C:\Windows\System32\IjKQhkn.exe
  2⤵
  PID:8368
- C:\Windows\System32\zFhzpvU.exe
  C:\Windows\System32\zFhzpvU.exe
  2⤵
  PID:8408
- C:\Windows\System32\qafGJsN.exe
  C:\Windows\System32\qafGJsN.exe
  2⤵
  PID:8436
- C:\Windows\System32\SZwpKLP.exe
  C:\Windows\System32\SZwpKLP.exe
  2⤵
  PID:8488
- C:\Windows\System32\vPlBjkn.exe
  C:\Windows\System32\vPlBjkn.exe
  2⤵
  PID:8512
- C:\Windows\System32\MiGMKzw.exe
  C:\Windows\System32\MiGMKzw.exe
  2⤵
  PID:8556
- C:\Windows\System32\rggJjAq.exe
  C:\Windows\System32\rggJjAq.exe
  2⤵
  PID:8576
- C:\Windows\System32\OJNfTer.exe
  C:\Windows\System32\OJNfTer.exe
  2⤵
  PID:8604
- C:\Windows\System32\IKBtHrn.exe
  C:\Windows\System32\IKBtHrn.exe
  2⤵
  PID:8652
- C:\Windows\System32\TPOPSqJ.exe
  C:\Windows\System32\TPOPSqJ.exe
  2⤵
  PID:8680
- C:\Windows\System32\QTVcBHS.exe
  C:\Windows\System32\QTVcBHS.exe
  2⤵
  PID:8728
- C:\Windows\System32\wODNoIp.exe
  C:\Windows\System32\wODNoIp.exe
  2⤵
  PID:8748
- C:\Windows\System32\PxQcCIm.exe
  C:\Windows\System32\PxQcCIm.exe
  2⤵
  PID:8772
- C:\Windows\System32\YJstnuO.exe
  C:\Windows\System32\YJstnuO.exe
  2⤵
  PID:8792
- C:\Windows\System32\hIMEidj.exe
  C:\Windows\System32\hIMEidj.exe
  2⤵
  PID:8820
- C:\Windows\System32\omMohBE.exe
  C:\Windows\System32\omMohBE.exe
  2⤵
  PID:8868
- C:\Windows\System32\LTYHlwN.exe
  C:\Windows\System32\LTYHlwN.exe
  2⤵
  PID:8912
- C:\Windows\System32\LqSKPql.exe
  C:\Windows\System32\LqSKPql.exe
  2⤵
  PID:8936
- C:\Windows\System32\uGRzgIJ.exe
  C:\Windows\System32\uGRzgIJ.exe
  2⤵
  PID:8960
- C:\Windows\System32\uAHtLLB.exe
  C:\Windows\System32\uAHtLLB.exe
  2⤵
  PID:8996
- C:\Windows\System32\CQephRX.exe
  C:\Windows\System32\CQephRX.exe
  2⤵
  PID:9032
- C:\Windows\System32\AdczkBQ.exe
  C:\Windows\System32\AdczkBQ.exe
  2⤵
  PID:9064
- C:\Windows\System32\QbGzjRQ.exe
  C:\Windows\System32\QbGzjRQ.exe
  2⤵
  PID:9124
- C:\Windows\System32\kcxdmoX.exe
  C:\Windows\System32\kcxdmoX.exe
  2⤵
  PID:9156
- C:\Windows\System32\VRaHrJE.exe
  C:\Windows\System32\VRaHrJE.exe
  2⤵
  PID:9172
- C:\Windows\System32\uyVkkWw.exe
  C:\Windows\System32\uyVkkWw.exe
  2⤵
  PID:8204
- C:\Windows\System32\YYMQtaQ.exe
  C:\Windows\System32\YYMQtaQ.exe
  2⤵
  PID:8272
- C:\Windows\System32\OZOROEd.exe
  C:\Windows\System32\OZOROEd.exe
  2⤵
  PID:8356
- C:\Windows\System32\UvQvypG.exe
  C:\Windows\System32\UvQvypG.exe
  2⤵
  PID:8480
- C:\Windows\System32\MlqtOSs.exe
  C:\Windows\System32\MlqtOSs.exe
  2⤵
  PID:8500
- C:\Windows\System32\zceYmtg.exe
  C:\Windows\System32\zceYmtg.exe
  2⤵
  PID:8612
- C:\Windows\System32\HrZEiiE.exe
  C:\Windows\System32\HrZEiiE.exe
  2⤵
  PID:8688
- C:\Windows\System32\zkLfREK.exe
  C:\Windows\System32\zkLfREK.exe
  2⤵
  PID:8764
- C:\Windows\System32\kXzfugb.exe
  C:\Windows\System32\kXzfugb.exe
  2⤵
  PID:8804
- C:\Windows\System32\OJowKhl.exe
  C:\Windows\System32\OJowKhl.exe
  2⤵
  PID:8908
- C:\Windows\System32\UnUkchE.exe
  C:\Windows\System32\UnUkchE.exe
  2⤵
  PID:8980
- C:\Windows\System32\CtVMxIh.exe
  C:\Windows\System32\CtVMxIh.exe
  2⤵
  PID:9024
- C:\Windows\System32\FManVub.exe
  C:\Windows\System32\FManVub.exe
  2⤵
  PID:9136
- C:\Windows\System32\luLnUID.exe
  C:\Windows\System32\luLnUID.exe
  2⤵
  PID:6756
- C:\Windows\System32\iLcaAfT.exe
  C:\Windows\System32\iLcaAfT.exe
  2⤵
  PID:2036
- C:\Windows\System32\eXYDmeE.exe
  C:\Windows\System32\eXYDmeE.exe
  2⤵
  PID:8700
- C:\Windows\System32\hJmuJbt.exe
  C:\Windows\System32\hJmuJbt.exe
  2⤵
  PID:8832
- C:\Windows\System32\XNiIMlb.exe
  C:\Windows\System32\XNiIMlb.exe
  2⤵
  PID:9008
- C:\Windows\System32\ccEdCqL.exe
  C:\Windows\System32\ccEdCqL.exe
  2⤵
  PID:8376
- C:\Windows\System32\JzicxcJ.exe
  C:\Windows\System32\JzicxcJ.exe
  2⤵
  PID:8528
- C:\Windows\System32\utirosf.exe
  C:\Windows\System32\utirosf.exe
  2⤵
  PID:2304
- C:\Windows\System32\XphulOU.exe
  C:\Windows\System32\XphulOU.exe
  2⤵
  PID:8768
- C:\Windows\System32\FVUyxac.exe
  C:\Windows\System32\FVUyxac.exe
  2⤵
  PID:9236
- C:\Windows\System32\MhZXvtU.exe
  C:\Windows\System32\MhZXvtU.exe
  2⤵
  PID:9264
- C:\Windows\System32\qMxZFqm.exe
  C:\Windows\System32\qMxZFqm.exe
  2⤵
  PID:9296
- C:\Windows\System32\cMIsKaV.exe
  C:\Windows\System32\cMIsKaV.exe
  2⤵
  PID:9316
- C:\Windows\System32\nLvJvmu.exe
  C:\Windows\System32\nLvJvmu.exe
  2⤵
  PID:9352
- C:\Windows\System32\DAtUKEF.exe
  C:\Windows\System32\DAtUKEF.exe
  2⤵
  PID:9372
- C:\Windows\System32\KYfQbeW.exe
  C:\Windows\System32\KYfQbeW.exe
  2⤵
  PID:9400
- C:\Windows\System32\IOrQaEo.exe
  C:\Windows\System32\IOrQaEo.exe
  2⤵
  PID:9436
- C:\Windows\System32\rRhmKni.exe
  C:\Windows\System32\rRhmKni.exe
  2⤵
  PID:9464
- C:\Windows\System32\BdzFztV.exe
  C:\Windows\System32\BdzFztV.exe
  2⤵
  PID:9492
- C:\Windows\System32\MSVSDbQ.exe
  C:\Windows\System32\MSVSDbQ.exe
  2⤵
  PID:9520
- C:\Windows\System32\nNrVcyk.exe
  C:\Windows\System32\nNrVcyk.exe
  2⤵
  PID:9548
- C:\Windows\System32\CXRaQQK.exe
  C:\Windows\System32\CXRaQQK.exe
  2⤵
  PID:9564
- C:\Windows\System32\vfKDNUD.exe
  C:\Windows\System32\vfKDNUD.exe
  2⤵
  PID:9596
- C:\Windows\System32\VZPXrtV.exe
  C:\Windows\System32\VZPXrtV.exe
  2⤵
  PID:9632
- C:\Windows\System32\UZRYHgQ.exe
  C:\Windows\System32\UZRYHgQ.exe
  2⤵
  PID:9660
- C:\Windows\System32\nDjdnPP.exe
  C:\Windows\System32\nDjdnPP.exe
  2⤵
  PID:9688
- C:\Windows\System32\SqilHYR.exe
  C:\Windows\System32\SqilHYR.exe
  2⤵
  PID:9708
- C:\Windows\System32\SXtXngE.exe
  C:\Windows\System32\SXtXngE.exe
  2⤵
  PID:9740
- C:\Windows\System32\LiTyJOi.exe
  C:\Windows\System32\LiTyJOi.exe
  2⤵
  PID:9760
- C:\Windows\System32\TxHLQNl.exe
  C:\Windows\System32\TxHLQNl.exe
  2⤵
  PID:9800
- C:\Windows\System32\exRbjve.exe
  C:\Windows\System32\exRbjve.exe
  2⤵
  PID:9816
- C:\Windows\System32\hYYCivW.exe
  C:\Windows\System32\hYYCivW.exe
  2⤵
  PID:9836
- C:\Windows\System32\cszIFfO.exe
  C:\Windows\System32\cszIFfO.exe
  2⤵
  PID:9884
- C:\Windows\System32\GqasVrZ.exe
  C:\Windows\System32\GqasVrZ.exe
  2⤵
  PID:9900
- C:\Windows\System32\reLdmuo.exe
  C:\Windows\System32\reLdmuo.exe
  2⤵
  PID:9928
- C:\Windows\System32\JfGeegb.exe
  C:\Windows\System32\JfGeegb.exe
  2⤵
  PID:9968
- C:\Windows\System32\TXHDCEG.exe
  C:\Windows\System32\TXHDCEG.exe
  2⤵
  PID:9992
- C:\Windows\System32\nBvwmCd.exe
  C:\Windows\System32\nBvwmCd.exe
  2⤵
  PID:10024
- C:\Windows\System32\cTjvopO.exe
  C:\Windows\System32\cTjvopO.exe
  2⤵
  PID:10040
- C:\Windows\System32\BEPGniV.exe
  C:\Windows\System32\BEPGniV.exe
  2⤵
  PID:10072
- C:\Windows\System32\rtvuafo.exe
  C:\Windows\System32\rtvuafo.exe
  2⤵
  PID:10108
- C:\Windows\System32\ycieboJ.exe
  C:\Windows\System32\ycieboJ.exe
  2⤵
  PID:10124
- C:\Windows\System32\ifVOUWe.exe
  C:\Windows\System32\ifVOUWe.exe
  2⤵
  PID:10164
- C:\Windows\System32\lrbWaUN.exe
  C:\Windows\System32\lrbWaUN.exe
  2⤵
  PID:10184
- C:\Windows\System32\suREAjw.exe
  C:\Windows\System32\suREAjw.exe
  2⤵
  PID:10208
- C:\Windows\System32\OzvbDvT.exe
  C:\Windows\System32\OzvbDvT.exe
  2⤵
  PID:9220
- C:\Windows\System32\FRtGcmj.exe
  C:\Windows\System32\FRtGcmj.exe
  2⤵
  PID:9308
- C:\Windows\System32\sGtdrML.exe
  C:\Windows\System32\sGtdrML.exe
  2⤵
  PID:9368
- C:\Windows\System32\beGXXAI.exe
  C:\Windows\System32\beGXXAI.exe
  2⤵
  PID:9428
- C:\Windows\System32\VijEmmN.exe
  C:\Windows\System32\VijEmmN.exe
  2⤵
  PID:9504
- C:\Windows\System32\KozsOxD.exe
  C:\Windows\System32\KozsOxD.exe
  2⤵
  PID:9540
- C:\Windows\System32\MTncOxm.exe
  C:\Windows\System32\MTncOxm.exe
  2⤵
  PID:9644
- C:\Windows\System32\FBPhsBH.exe
  C:\Windows\System32\FBPhsBH.exe
  2⤵
  PID:9716
- C:\Windows\System32\DtDrNgB.exe
  C:\Windows\System32\DtDrNgB.exe
  2⤵
  PID:9772
- C:\Windows\System32\JmFVVnv.exe
  C:\Windows\System32\JmFVVnv.exe
  2⤵
  PID:9832
- C:\Windows\System32\rBFoyOV.exe
  C:\Windows\System32\rBFoyOV.exe
  2⤵
  PID:9892
- C:\Windows\System32\CfvjcdR.exe
  C:\Windows\System32\CfvjcdR.exe
  2⤵
  PID:9964
- C:\Windows\System32\wZlHZCF.exe
  C:\Windows\System32\wZlHZCF.exe
  2⤵
  PID:10008
- C:\Windows\System32\XeHuKqo.exe
  C:\Windows\System32\XeHuKqo.exe
  2⤵
  PID:10064
- C:\Windows\System32\OqnuwnM.exe
  C:\Windows\System32\OqnuwnM.exe
  2⤵
  PID:10148
- C:\Windows\System32\DXhtbHw.exe
  C:\Windows\System32\DXhtbHw.exe
  2⤵
  PID:10220
- C:\Windows\System32\WCUTraE.exe
  C:\Windows\System32\WCUTraE.exe
  2⤵
  PID:9260
- C:\Windows\System32\EkdXpxp.exe
  C:\Windows\System32\EkdXpxp.exe
  2⤵
  PID:9432
- C:\Windows\System32\wWMLUrQ.exe
  C:\Windows\System32\wWMLUrQ.exe
  2⤵
  PID:9676
- C:\Windows\System32\lALGvpw.exe
  C:\Windows\System32\lALGvpw.exe
  2⤵
  PID:9792
- C:\Windows\System32\szrRAVg.exe
  C:\Windows\System32\szrRAVg.exe
  2⤵
  PID:9940
- C:\Windows\System32\mlHYnpn.exe
  C:\Windows\System32\mlHYnpn.exe
  2⤵
  PID:9984
- C:\Windows\System32\QVgHUpS.exe
  C:\Windows\System32\QVgHUpS.exe
  2⤵
  PID:10192
- C:\Windows\System32\tGPDtIr.exe
  C:\Windows\System32\tGPDtIr.exe
  2⤵
  PID:9560
- C:\Windows\System32\FHfbYij.exe
  C:\Windows\System32\FHfbYij.exe
  2⤵
  PID:9896
- C:\Windows\System32\chLVFdM.exe
  C:\Windows\System32\chLVFdM.exe
  2⤵
  PID:8332
- C:\Windows\System32\gjmltHw.exe
  C:\Windows\System32\gjmltHw.exe
  2⤵
  PID:10092
- C:\Windows\System32\rZOSLJr.exe
  C:\Windows\System32\rZOSLJr.exe
  2⤵
  PID:9516
- C:\Windows\System32\qMLIYQC.exe
  C:\Windows\System32\qMLIYQC.exe
  2⤵
  PID:10268
- C:\Windows\System32\Cltplwl.exe
  C:\Windows\System32\Cltplwl.exe
  2⤵
  PID:10296
- C:\Windows\System32\veqVVWf.exe
  C:\Windows\System32\veqVVWf.exe
  2⤵
  PID:10312
- C:\Windows\System32\ameivcy.exe
  C:\Windows\System32\ameivcy.exe
  2⤵
  PID:10360
- C:\Windows\System32\oUYAzGz.exe
  C:\Windows\System32\oUYAzGz.exe
  2⤵
  PID:10380
- C:\Windows\System32\yCfSRIe.exe
  C:\Windows\System32\yCfSRIe.exe
  2⤵
  PID:10420
- C:\Windows\System32\FdjsVPZ.exe
  C:\Windows\System32\FdjsVPZ.exe
  2⤵
  PID:10448
- C:\Windows\System32\XHIIyFU.exe
  C:\Windows\System32\XHIIyFU.exe
  2⤵
  PID:10464
- C:\Windows\System32\BOejQqT.exe
  C:\Windows\System32\BOejQqT.exe
  2⤵
  PID:10504
- C:\Windows\System32\ezigYpW.exe
  C:\Windows\System32\ezigYpW.exe
  2⤵
  PID:10532
- C:\Windows\System32\ciFRAem.exe
  C:\Windows\System32\ciFRAem.exe
  2⤵
  PID:10560
- C:\Windows\System32\HDxxVPf.exe
  C:\Windows\System32\HDxxVPf.exe
  2⤵
  PID:10580
- C:\Windows\System32\hcIKXxl.exe
  C:\Windows\System32\hcIKXxl.exe
  2⤵
  PID:10608
- C:\Windows\System32\lNRbnaa.exe
  C:\Windows\System32\lNRbnaa.exe
  2⤵
  PID:10640
- C:\Windows\System32\nirTMxc.exe
  C:\Windows\System32\nirTMxc.exe
  2⤵
  PID:10672
- C:\Windows\System32\EGEhAMw.exe
  C:\Windows\System32\EGEhAMw.exe
  2⤵
  PID:10688
- C:\Windows\System32\uiLMwFZ.exe
  C:\Windows\System32\uiLMwFZ.exe
  2⤵
  PID:10720
- C:\Windows\System32\AlVrsTz.exe
  C:\Windows\System32\AlVrsTz.exe
  2⤵
  PID:10756
- C:\Windows\System32\MHRSpiH.exe
  C:\Windows\System32\MHRSpiH.exe
  2⤵
  PID:10772
- C:\Windows\System32\kKCwITH.exe
  C:\Windows\System32\kKCwITH.exe
  2⤵
  PID:10800
- C:\Windows\System32\ZSofAmj.exe
  C:\Windows\System32\ZSofAmj.exe
  2⤵
  PID:10824
- C:\Windows\System32\nWxuQTO.exe
  C:\Windows\System32\nWxuQTO.exe
  2⤵
  PID:10876
- C:\Windows\System32\qXelQVX.exe
  C:\Windows\System32\qXelQVX.exe
  2⤵
  PID:10896
- C:\Windows\System32\XunTcGY.exe
  C:\Windows\System32\XunTcGY.exe
  2⤵
  PID:10912
- C:\Windows\System32\WqbxnJh.exe
  C:\Windows\System32\WqbxnJh.exe
  2⤵
  PID:10952
- C:\Windows\System32\ANPmcFB.exe
  C:\Windows\System32\ANPmcFB.exe
  2⤵
  PID:10972
- C:\Windows\System32\GOyBXPP.exe
  C:\Windows\System32\GOyBXPP.exe
  2⤵
  PID:11000
- C:\Windows\System32\PsXUnwS.exe
  C:\Windows\System32\PsXUnwS.exe
  2⤵
  PID:11036
- C:\Windows\System32\mINhcMe.exe
  C:\Windows\System32\mINhcMe.exe
  2⤵
  PID:11064
- C:\Windows\System32\IxLiCrA.exe
  C:\Windows\System32\IxLiCrA.exe
  2⤵
  PID:11092
- C:\Windows\System32\rswNyoI.exe
  C:\Windows\System32\rswNyoI.exe
  2⤵
  PID:11120
- C:\Windows\System32\RJeiyzO.exe
  C:\Windows\System32\RJeiyzO.exe
  2⤵
  PID:11148
- C:\Windows\System32\qhNfjFE.exe
  C:\Windows\System32\qhNfjFE.exe
  2⤵
  PID:11176
- C:\Windows\System32\XbsKhzH.exe
  C:\Windows\System32\XbsKhzH.exe
  2⤵
  PID:11192
- C:\Windows\System32\OzPyGKj.exe
  C:\Windows\System32\OzPyGKj.exe
  2⤵
  PID:11232
- C:\Windows\System32\nrrXDID.exe
  C:\Windows\System32\nrrXDID.exe
  2⤵
  PID:11260
- C:\Windows\System32\HHOrBvt.exe
  C:\Windows\System32\HHOrBvt.exe
  2⤵
  PID:10256
- C:\Windows\System32\bwobYXC.exe
  C:\Windows\System32\bwobYXC.exe
  2⤵
  PID:10372
- C:\Windows\System32\ykJZQWR.exe
  C:\Windows\System32\ykJZQWR.exe
  2⤵
  PID:10396
- C:\Windows\System32\GxrPgPR.exe
  C:\Windows\System32\GxrPgPR.exe
  2⤵
  PID:10500
- C:\Windows\System32\UeWSEVt.exe
  C:\Windows\System32\UeWSEVt.exe
  2⤵
  PID:10616
- C:\Windows\System32\PAnktoO.exe
  C:\Windows\System32\PAnktoO.exe
  2⤵
  PID:10736
- C:\Windows\System32\xndBdxT.exe
  C:\Windows\System32\xndBdxT.exe
  2⤵
  PID:10764
- C:\Windows\System32\nAMRFHS.exe
  C:\Windows\System32\nAMRFHS.exe
  2⤵
  PID:10792
- C:\Windows\System32\JadiMnw.exe
  C:\Windows\System32\JadiMnw.exe
  2⤵
  PID:10908
- C:\Windows\System32\wMTdGqR.exe
  C:\Windows\System32\wMTdGqR.exe
  2⤵
  PID:10936
- C:\Windows\System32\eZFlEBu.exe
  C:\Windows\System32\eZFlEBu.exe
  2⤵
  PID:11032
- C:\Windows\System32\bUgezpo.exe
  C:\Windows\System32\bUgezpo.exe
  2⤵
  PID:11076
- C:\Windows\System32\zBRtePg.exe
  C:\Windows\System32\zBRtePg.exe
  2⤵
  PID:11160
- C:\Windows\System32\IeQzfzW.exe
  C:\Windows\System32\IeQzfzW.exe
  2⤵
  PID:11188
- C:\Windows\System32\sjTBHMk.exe
  C:\Windows\System32\sjTBHMk.exe
  2⤵
  PID:11244
- C:\Windows\System32\SxpnUPz.exe
  C:\Windows\System32\SxpnUPz.exe
  2⤵
  PID:10428
- C:\Windows\System32\oamkVKI.exe
  C:\Windows\System32\oamkVKI.exe
  2⤵
  PID:10656
- C:\Windows\System32\NvZJmHP.exe
  C:\Windows\System32\NvZJmHP.exe
  2⤵
  PID:10820
- C:\Windows\System32\fpIevam.exe
  C:\Windows\System32\fpIevam.exe
  2⤵
  PID:10944
- C:\Windows\System32\gzrwHar.exe
  C:\Windows\System32\gzrwHar.exe
  2⤵
  PID:11088
- C:\Windows\System32\lzmHGvH.exe
  C:\Windows\System32\lzmHGvH.exe
  2⤵
  PID:10368
- C:\Windows\System32\PPoLTyK.exe
  C:\Windows\System32\PPoLTyK.exe
  2⤵
  PID:11216
- C:\Windows\System32\jHqjIkd.exe
  C:\Windows\System32\jHqjIkd.exe
  2⤵
  PID:11012
- C:\Windows\System32\XXHCZFH.exe
  C:\Windows\System32\XXHCZFH.exe
  2⤵
  PID:10280
- C:\Windows\System32\jPYTBEg.exe
  C:\Windows\System32\jPYTBEg.exe
  2⤵
  PID:10852
- C:\Windows\System32\ReNqmAB.exe
  C:\Windows\System32\ReNqmAB.exe
  2⤵
  PID:11276
- C:\Windows\System32\npNmyAB.exe
  C:\Windows\System32\npNmyAB.exe
  2⤵
  PID:11316
- C:\Windows\System32\ulLIDoF.exe
  C:\Windows\System32\ulLIDoF.exe
  2⤵
  PID:11344
- C:\Windows\System32\KKSZsTe.exe
  C:\Windows\System32\KKSZsTe.exe
  2⤵
  PID:11360
- C:\Windows\System32\pNbluKq.exe
  C:\Windows\System32\pNbluKq.exe
  2⤵
  PID:11396
- C:\Windows\System32\YYrVBDP.exe
  C:\Windows\System32\YYrVBDP.exe
  2⤵
  PID:11432
- C:\Windows\System32\ycpWjhD.exe
  C:\Windows\System32\ycpWjhD.exe
  2⤵
  PID:11456
- C:\Windows\System32\NucwDtf.exe
  C:\Windows\System32\NucwDtf.exe
  2⤵
  PID:11484
- C:\Windows\System32\IiuzCIm.exe
  C:\Windows\System32\IiuzCIm.exe
  2⤵
  PID:11508
- C:\Windows\System32\pHyTCec.exe
  C:\Windows\System32\pHyTCec.exe
  2⤵
  PID:11540
- C:\Windows\System32\hvcvfDT.exe
  C:\Windows\System32\hvcvfDT.exe
  2⤵
  PID:11556
- C:\Windows\System32\aWfrIZf.exe
  C:\Windows\System32\aWfrIZf.exe
  2⤵
  PID:11596
- C:\Windows\System32\pxqogDq.exe
  C:\Windows\System32\pxqogDq.exe
  2⤵
  PID:11628
- C:\Windows\System32\OtFPuaV.exe
  C:\Windows\System32\OtFPuaV.exe
  2⤵
  PID:11652
- C:\Windows\System32\DuYgidu.exe
  C:\Windows\System32\DuYgidu.exe
  2⤵
  PID:11680
- C:\Windows\System32\qtRMhuV.exe
  C:\Windows\System32\qtRMhuV.exe
  2⤵
  PID:11700
- C:\Windows\System32\yjFtKCo.exe
  C:\Windows\System32\yjFtKCo.exe
  2⤵
  PID:11724
- C:\Windows\System32\cMYtVKr.exe
  C:\Windows\System32\cMYtVKr.exe
  2⤵
  PID:11756
- C:\Windows\System32\LOvaxEW.exe
  C:\Windows\System32\LOvaxEW.exe
  2⤵
  PID:11792
- C:\Windows\System32\tvPrBop.exe
  C:\Windows\System32\tvPrBop.exe
  2⤵
  PID:11824
- C:\Windows\System32\HFNjExx.exe
  C:\Windows\System32\HFNjExx.exe
  2⤵
  PID:11852
- C:\Windows\System32\ySZxJNw.exe
  C:\Windows\System32\ySZxJNw.exe
  2⤵
  PID:11872
- C:\Windows\System32\rnzPauA.exe
  C:\Windows\System32\rnzPauA.exe
  2⤵
  PID:11896
- C:\Windows\System32\PwDFcSC.exe
  C:\Windows\System32\PwDFcSC.exe
  2⤵
  PID:11924
- C:\Windows\System32\oStwdnV.exe
  C:\Windows\System32\oStwdnV.exe
  2⤵
  PID:11952
- C:\Windows\System32\waJmSeN.exe
  C:\Windows\System32\waJmSeN.exe
  2⤵
  PID:11984
- C:\Windows\System32\yPrJRGA.exe
  C:\Windows\System32\yPrJRGA.exe
  2⤵
  PID:12008
- C:\Windows\System32\MRjhozK.exe
  C:\Windows\System32\MRjhozK.exe
  2⤵
  PID:12036
- C:\Windows\System32\FOJmyae.exe
  C:\Windows\System32\FOJmyae.exe
  2⤵
  PID:12068
- C:\Windows\System32\LzuDxyO.exe
  C:\Windows\System32\LzuDxyO.exe
  2⤵
  PID:12096
- C:\Windows\System32\ZWWKebK.exe
  C:\Windows\System32\ZWWKebK.exe
  2⤵
  PID:12120
- C:\Windows\System32\PAFMBYW.exe
  C:\Windows\System32\PAFMBYW.exe
  2⤵
  PID:12148
- C:\Windows\System32\zMiBeqU.exe
  C:\Windows\System32\zMiBeqU.exe
  2⤵
  PID:12188
- C:\Windows\System32\nBfWksf.exe
  C:\Windows\System32\nBfWksf.exe
  2⤵
  PID:12212
- C:\Windows\System32\CoFvISX.exe
  C:\Windows\System32\CoFvISX.exe
  2⤵
  PID:12240
- C:\Windows\System32\iUkNHaJ.exe
  C:\Windows\System32\iUkNHaJ.exe
  2⤵
  PID:12276
- C:\Windows\System32\QAxdyKo.exe
  C:\Windows\System32\QAxdyKo.exe
  2⤵
  PID:11292
- C:\Windows\System32\yRYebpT.exe
  C:\Windows\System32\yRYebpT.exe
  2⤵
  PID:11356
- C:\Windows\System32\TUnIYQX.exe
  C:\Windows\System32\TUnIYQX.exe
  2⤵
  PID:11376
- C:\Windows\System32\enSEeBc.exe
  C:\Windows\System32\enSEeBc.exe
  2⤵
  PID:11440
- C:\Windows\System32\olHYRmO.exe
  C:\Windows\System32\olHYRmO.exe
  2⤵
  PID:11524
- C:\Windows\System32\haPmVzs.exe
  C:\Windows\System32\haPmVzs.exe
  2⤵
  PID:11608
- C:\Windows\System32\viMOujh.exe
  C:\Windows\System32\viMOujh.exe
  2⤵
  PID:11664
- C:\Windows\System32\iixICsQ.exe
  C:\Windows\System32\iixICsQ.exe
  2⤵
  PID:11708
- C:\Windows\System32\uRgcKeo.exe
  C:\Windows\System32\uRgcKeo.exe
  2⤵
  PID:11816
- C:\Windows\System32\JFLZWCG.exe
  C:\Windows\System32\JFLZWCG.exe
  2⤵
  PID:11860
- C:\Windows\System32\LunCJvF.exe
  C:\Windows\System32\LunCJvF.exe
  2⤵
  PID:11912
- C:\Windows\System32\cLNDhxo.exe
  C:\Windows\System32\cLNDhxo.exe
  2⤵
  PID:11980
- C:\Windows\System32\jRkugCm.exe
  C:\Windows\System32\jRkugCm.exe
  2⤵
  PID:12028
- C:\Windows\System32\fdEDWmP.exe
  C:\Windows\System32\fdEDWmP.exe
  2⤵
  PID:12132
- C:\Windows\System32\UfpgXqp.exe
  C:\Windows\System32\UfpgXqp.exe
  2⤵
  PID:12220
- C:\Windows\System32\qMhskIB.exe
  C:\Windows\System32\qMhskIB.exe
  2⤵
  PID:12248
- C:\Windows\System32\uGouKyY.exe
  C:\Windows\System32\uGouKyY.exe
  2⤵
  PID:11336
- C:\Windows\System32\JQXAYVa.exe
  C:\Windows\System32\JQXAYVa.exe
  2⤵
  PID:11496
- C:\Windows\System32\dgPHrpf.exe
  C:\Windows\System32\dgPHrpf.exe
  2⤵
  PID:11636
- C:\Windows\System32\zaGaSFs.exe
  C:\Windows\System32\zaGaSFs.exe
  2⤵
  PID:11764
- C:\Windows\System32\hIYuJmv.exe
  C:\Windows\System32\hIYuJmv.exe
  2⤵
  PID:11884
- C:\Windows\System32\xNnlodY.exe
  C:\Windows\System32\xNnlodY.exe
  2⤵
  PID:12104
- C:\Windows\System32\SKeOUME.exe
  C:\Windows\System32\SKeOUME.exe
  2⤵
  PID:12236
- C:\Windows\System32\RksZBxo.exe
  C:\Windows\System32\RksZBxo.exe
  2⤵
  PID:11352
- C:\Windows\System32\OmLjCzB.exe
  C:\Windows\System32\OmLjCzB.exe
  2⤵
  PID:10304
- C:\Windows\System32\BcwbFoe.exe
  C:\Windows\System32\BcwbFoe.exe
  2⤵
  PID:10844
- C:\Windows\System32\HlwQAFD.exe
  C:\Windows\System32\HlwQAFD.exe
  2⤵
  PID:11688
- C:\Windows\System32\LYvoCKx.exe
  C:\Windows\System32\LYvoCKx.exe
  2⤵
  PID:11844
- C:\Windows\System32\ydvKhGg.exe
  C:\Windows\System32\ydvKhGg.exe
  2⤵
  PID:12316
- C:\Windows\System32\TvpjhUy.exe
  C:\Windows\System32\TvpjhUy.exe
  2⤵
  PID:12344
- C:\Windows\System32\sTQTzws.exe
  C:\Windows\System32\sTQTzws.exe
  2⤵
  PID:12372
- C:\Windows\System32\arxSluN.exe
  C:\Windows\System32\arxSluN.exe
  2⤵
  PID:12396
- C:\Windows\System32\BufyOfP.exe
  C:\Windows\System32\BufyOfP.exe
  2⤵
  PID:12424
- C:\Windows\System32\XrEJDMM.exe
  C:\Windows\System32\XrEJDMM.exe
  2⤵
  PID:12464
- C:\Windows\System32\WQCDfVR.exe
  C:\Windows\System32\WQCDfVR.exe
  2⤵
  PID:12480
- C:\Windows\System32\YkNieCz.exe
  C:\Windows\System32\YkNieCz.exe
  2⤵
  PID:12512
- C:\Windows\System32\IllTLYj.exe
  C:\Windows\System32\IllTLYj.exe
  2⤵
  PID:12548
- C:\Windows\System32\uKfrLci.exe
  C:\Windows\System32\uKfrLci.exe
  2⤵
  PID:12564
- C:\Windows\System32\iFRDWxP.exe
  C:\Windows\System32\iFRDWxP.exe
  2⤵
  PID:12604
- C:\Windows\System32\OhkDNoM.exe
  C:\Windows\System32\OhkDNoM.exe
  2⤵
  PID:12632
- C:\Windows\System32\kIxJbMb.exe
  C:\Windows\System32\kIxJbMb.exe
  2⤵
  PID:12660
- C:\Windows\System32\EGRJJHP.exe
  C:\Windows\System32\EGRJJHP.exe
  2⤵
  PID:12688
- C:\Windows\System32\mtCLeTl.exe
  C:\Windows\System32\mtCLeTl.exe
  2⤵
  PID:12716
- C:\Windows\System32\jiFIOcl.exe
  C:\Windows\System32\jiFIOcl.exe
  2⤵
  PID:12744
- C:\Windows\System32\zvBAvOX.exe
  C:\Windows\System32\zvBAvOX.exe
  2⤵
  PID:12772
- C:\Windows\System32\JLwMAfa.exe
  C:\Windows\System32\JLwMAfa.exe
  2⤵
  PID:12800
- C:\Windows\System32\SdOuome.exe
  C:\Windows\System32\SdOuome.exe
  2⤵
  PID:12828
- C:\Windows\System32\EjjdrXn.exe
  C:\Windows\System32\EjjdrXn.exe
  2⤵
  PID:12856
- C:\Windows\System32\rZUcvFn.exe
  C:\Windows\System32\rZUcvFn.exe
  2⤵
  PID:12884
- C:\Windows\System32\CwVjaYG.exe
  C:\Windows\System32\CwVjaYG.exe
  2⤵
  PID:12912
- C:\Windows\System32\bVuQTsK.exe
  C:\Windows\System32\bVuQTsK.exe
  2⤵
  PID:12940
- C:\Windows\System32\PbkwbMc.exe
  C:\Windows\System32\PbkwbMc.exe
  2⤵
  PID:12968
- C:\Windows\System32\DpANcoX.exe
  C:\Windows\System32\DpANcoX.exe
  2⤵
  PID:12996
- C:\Windows\System32\kSWIPmm.exe
  C:\Windows\System32\kSWIPmm.exe
  2⤵
  PID:13024
- C:\Windows\System32\ojSrDGe.exe
  C:\Windows\System32\ojSrDGe.exe
  2⤵
  PID:13052
- C:\Windows\System32\OmQVBmG.exe
  C:\Windows\System32\OmQVBmG.exe
  2⤵
  PID:13084
- C:\Windows\System32\ArJredf.exe
  C:\Windows\System32\ArJredf.exe
  2⤵
  PID:13112
- C:\Windows\System32\mfLohmO.exe
  C:\Windows\System32\mfLohmO.exe
  2⤵
  PID:13164
- C:\Windows\System32\rNCXtkf.exe
  C:\Windows\System32\rNCXtkf.exe
  2⤵
  PID:13212
- C:\Windows\System32\JFLkNyT.exe
  C:\Windows\System32\JFLkNyT.exe
  2⤵
  PID:13248
- C:\Windows\System32\uDyrfNy.exe
  C:\Windows\System32\uDyrfNy.exe
  2⤵
  PID:13300
- C:\Windows\System32\jWBthPy.exe
  C:\Windows\System32\jWBthPy.exe
  2⤵
  PID:12384
- C:\Windows\System32\SqcbLSV.exe
  C:\Windows\System32\SqcbLSV.exe
  2⤵
  PID:224
- C:\Windows\System32\FWYSlYV.exe
  C:\Windows\System32\FWYSlYV.exe
  2⤵
  PID:2308
- C:\Windows\System32\rVQMWUN.exe
  C:\Windows\System32\rVQMWUN.exe
  2⤵
  PID:12556
- C:\Windows\System32\lOJmWAR.exe
  C:\Windows\System32\lOJmWAR.exe
  2⤵
  PID:12624
- C:\Windows\System32\cBSqBTm.exe
  C:\Windows\System32\cBSqBTm.exe
  2⤵
  PID:12712
- C:\Windows\System32\VTBqDGG.exe
  C:\Windows\System32\VTBqDGG.exe
  2⤵
  PID:12792
- C:\Windows\System32\BpehLFx.exe
  C:\Windows\System32\BpehLFx.exe
  2⤵
  PID:12848
- C:\Windows\System32\pRLxsSf.exe
  C:\Windows\System32\pRLxsSf.exe
  2⤵
  PID:12908
- C:\Windows\System32\gJNBcUK.exe
  C:\Windows\System32\gJNBcUK.exe
  2⤵
  PID:12992
- C:\Windows\System32\MbgiNcE.exe
  C:\Windows\System32\MbgiNcE.exe
  2⤵
  PID:13064
- C:\Windows\System32\mGsXSir.exe
  C:\Windows\System32\mGsXSir.exe
  2⤵
  PID:13132
- C:\Windows\System32\stKcMra.exe
  C:\Windows\System32\stKcMra.exe
  2⤵
  PID:13236
- C:\Windows\System32\gycEBeV.exe
  C:\Windows\System32\gycEBeV.exe
  2⤵
  PID:12352
- C:\Windows\System32\IBwCahr.exe
  C:\Windows\System32\IBwCahr.exe
  2⤵
  PID:12532
- C:\Windows\System32\dsaePGI.exe
  C:\Windows\System32\dsaePGI.exe
  2⤵
  PID:12704
- C:\Windows\System32\JrRjfyA.exe
  C:\Windows\System32\JrRjfyA.exe
  2⤵
  PID:12824
- C:\Windows\System32\wtuuEDo.exe
  C:\Windows\System32\wtuuEDo.exe
  2⤵
  PID:13016
- C:\Windows\System32\zlZpPSU.exe
  C:\Windows\System32\zlZpPSU.exe
  2⤵
  PID:13196
- C:\Windows\System32\kSKKRUC.exe
  C:\Windows\System32\kSKKRUC.exe
  2⤵
  PID:12476
- C:\Windows\System32\JCrWpie.exe
  C:\Windows\System32\JCrWpie.exe
  2⤵
  PID:12168

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AGtyZIZ.exe

Filesize
2.9MB

MD5
44bcf76777338710597d4ea500d543b8

SHA1
ef973ac92a2d3942c19eab2f7ebc9c7a0202fa95

SHA256
cca08a5b8d932ea37e415895091c6723e07094b76288b57a3899ff53ab2cf026

SHA512
8675c2690628b41d135dfda33c96bd04bc1b3460c9c6ebea69c465cb6461b05374e626c88a915c8c4ecc06a595d56f56611b1c06b3f0a5518fd7be7310dc3da1

Download Submit
C:\Windows\System32\GRiqGsO.exe

Filesize
2.9MB

MD5
99ab7a1da8f54e19fdd14b2cc565acb5

SHA1
4c80881cfc2e9b7da86d467a48dc9572ba1e3333

SHA256
24b9a772c50b3285f7b07f300102579bc31777abc38a40c9647ddf84c03c8231

SHA512
4d09b50f9b17761a3321b4524050c87d8678b46173ae61243c7d2da2faefa3857029d1822f3634d1b46bae3cf8a6cd2face3073a1d3cd9909f7e1af3e490d0c6

Download Submit
C:\Windows\System32\HaFAvJx.exe

Filesize
2.9MB

MD5
75ce01f9e13244b5663d0c8db291fe9a

SHA1
f2f0731ee422a95fe944dc862361bb33e339f4f1

SHA256
f9375757369188d8cb11b471906435e5facb6d218e874588891328b9c04881b5

SHA512
243c5dbabfb3795f5a574aa868ce47c3dc8358f342ce49bbbdf883c8d096162ac89a0a9c753d16f12f74e67b8335b22d7611921594b74550b98c2ac0b3d3ad92

Download Submit
C:\Windows\System32\HiNJxIt.exe

Filesize
2.9MB

MD5
ddab9fe20515ae8a92298ed0f66cbcbe

SHA1
4de461d9ec0ae45d3f2c4917273bf91938e044d4

SHA256
c7a34d96b50b65c1bf358be3394df001964019c5babe968c24c0cd1a734f12e8

SHA512
4495fa4963ef3fea9a36275b87f143d5bc713c09937c448cae03a50ecc8de796a928cbf3c46040b72e7bf3620f18973c2fff11730a731dc28e047d4fb98a3eb7

Download Submit
C:\Windows\System32\JIsdKhq.exe

Filesize
2.9MB

MD5
1c817d345c493c92a497d38839658adf

SHA1
3cde43ae4406b5efc101ebb3ca4053183470590f

SHA256
7393b4b58c6907eb22111b25a28219f351e7882f3586dec114c44918f4907372

SHA512
85c998e7af5bf3bd83a689649d5b64ad90f062bf6af63f76cdb219dd669154da2a15d9f13dc65ae9a13ba1dfbfddeeb913f303d9a023709b6f168809add9215e

Download Submit
C:\Windows\System32\JKkdFYQ.exe

Filesize
2.9MB

MD5
87c03535349c9d7ae4da743450603d76

SHA1
c55fd1dcc84687235f499222aac802006843faa6

SHA256
0684bf1e43231cdcafb06251664717fe781a77efd753c17631cda3cadad05a82

SHA512
c8ce6d504c170136dec2c8b09845086d5e2ccad87892410a40ff4f0c2bd4268d984af8f73bf2ef0c5260686d06e1c9f0813d87d0186be34e49367889c13dbb59

Download Submit
C:\Windows\System32\NMpIGVK.exe

Filesize
2.9MB

MD5
c7cdee48f8d418fcf4d05b99952fc220

SHA1
ec0ce2dd366211773c099675443747169159a6fa

SHA256
b3ac5214be7ca25038f467503105b4b726ffcba768baccc2e6386bb8685f9b63

SHA512
9681ead5bf88a1bad36cc24a2409c8171c8439252b4da2831706f662fb819006b79541ae87deee72b981b285e8cd79e4617ee2aadcc84265237c7522946db646

Download Submit
C:\Windows\System32\OARmMBX.exe

Filesize
2.9MB

MD5
e5e6c779633ac52d078bff1641e836a3

SHA1
f9f3c24b55b8ad7b55567dc08f2281172a1874c1

SHA256
6983b0a822a635f80b7973f6a657988a07e19e8550eb9cb390a62363572725e9

SHA512
c63a9f58c6322709dbaecbbe8990091e1bcb000d410db6500a956518828298cf9ded5d539bea7284217b92e827e5b8af8f2fa9f24ba49fa6511339c84b2c4c74

Download Submit
C:\Windows\System32\OAXILXH.exe

Filesize
2.9MB

MD5
d28e2e2ba2d03e7de0e17579ba56654f

SHA1
8dea7feefe7308ad54e9dff709d7126552c3149a

SHA256
f5e74043eea3a766b31703b3930d53cae687124c02e11071164a9dcf306c79c6

SHA512
55f4bf4382bc698a830a02e15fbf9731a8c65d85b1a6bcd68242514931714e963fa0870cecbea69117f64c2b379881587b36edf94690a04df8569c63c6513e99

Download Submit
C:\Windows\System32\PIpKBGh.exe

Filesize
2.9MB

MD5
24e0899d02133ffa5c4cd87923d17817

SHA1
efcb5fbff48376700e3b4f2939d2d45a08c01dce

SHA256
86329a07b84a901397c806af20010b2b4b28e3f4f93d71805c8b8289c7d2a1c5

SHA512
7b4512a6819760b9a3046605f85c554a7e7ee154759e7e0e300bb93cbd5eb468c2f7c3c006cf3bde12825735aa0070fbd053f795c406b8ba1f23f938d961cab7

Download Submit
C:\Windows\System32\TrsTCJn.exe

Filesize
2.9MB

MD5
25ddbbc0fed0e3d127be3c0f758aefff

SHA1
fb2e1e3c632398949088bdc61b9a9752e9342986

SHA256
c085aeee504fcb84eff421ee25c5c473e68b0ff5ee246bbbb4fab2ed27f6a94e

SHA512
e683ee32ef0a67552ee0c6e1358176c3dcc00f18ab5a5b05d4710b928fbdfc0fe499a30ea4f5ac3c3c1ff05df3bab578d9d42666ad08a6eccec480a38a8705bb

Download Submit
C:\Windows\System32\UODGDrj.exe

Filesize
2.9MB

MD5
258e82739db3129aa34627926e6a7002

SHA1
86dd1810daa08f8f95c3a2199ee2f63553bd77ad

SHA256
93f7ad6711f8afa009426ba8e42127d019513832ef47bc0efde8ba12b086a35a

SHA512
0b70b2e9f7cbd04857e5727aac7f74e49eea8365c45d358d60aa7867de9aac30915e9d3d43e2825aa67112b4959da9a7b7500ccbe938a6c652b72ca36d4b37a5

Download Submit
C:\Windows\System32\UkdlCJD.exe

Filesize
2.9MB

MD5
609e4ed1252fd6b8c5b5d8133fc5c075

SHA1
9d943aef28f736f05e2d0165be2aeb2230873154

SHA256
0a3b22ce1859928c9f2a2cb5eb06df823210c762cbcb2b643b68d24306e7f29c

SHA512
22948dda2dd249a3bc920f74806861fd0b07e4dd60a372f16e7e2d122ca28105995ca8caddf08be28a9a00e842f5a60d8b348b64e6d06841aa762b36bd95a6e8

Download Submit
C:\Windows\System32\WLwRNBf.exe

Filesize
2.9MB

MD5
b64410ae7ea8002f9b5d06f280bd80fa

SHA1
f57afbaa253c3db3da120d8afca1541a9f351e0c

SHA256
80fbc4ea56b309e1640f452fa37ae7f05c7e0789f53e2d14968b765b9723e51a

SHA512
10ea80fc8ab9b3f96ea681c412356eb987ab3583140cef5e3e304b2b6138eb524105768c1cf808bd6ad22cec504dcc66ebad175132f78141f29f473c0996838c

Download Submit
C:\Windows\System32\XHhDHWR.exe

Filesize
2.9MB

MD5
a1788f5b375d4ff8e5234a6b7d340232

SHA1
499dd3c0caff890d30b11520f506a0ca053ef717

SHA256
fa03fc13721ceaa107170bf16570573538c57719daa22af6745100b975ccf831

SHA512
48b4a56f85e00ab0fad6213991a4aeeb12008d420b9ef1c456bc89a32f7c7d5ea52000194a3c59670b9709199e5d2d1eae82ac3c7b6f930d8a9b4adbeaa84d50

Download Submit
C:\Windows\System32\XVeDaZT.exe

Filesize
2.9MB

MD5
c211035eea607481a83cbf0cda2bd895

SHA1
fa0535ba0813ad9dc61de2963996145211014bbe

SHA256
ce90d9012ba5e018bf261ec6279ae00fd9e61935ba49ab51f4817703a803f40c

SHA512
69f49a9d7a5957540b5bd0884ed34cc39bebd751dce13e931d0e165d7964f557e7524bfede202423e119bf5935851d99b2da951b987426de7a39c680528c98d5

Download Submit
C:\Windows\System32\YXIFQgl.exe

Filesize
2.9MB

MD5
eb008deb8f014f437b3a4c1dc525458b

SHA1
8aa5675728666fad88feb705b982fb17556ba345

SHA256
8d6bbd92d71e86731fd623c477775dd330306124e5c75c1f03fb1319e7cc0daf

SHA512
b90ff27e75ed0e4913e978e4a05b3bc4dee8f8e8b2bd8ddf994b88acb0b7094a437742c25fed7740211b0405730822c78e17e2d46ae01b745ea849ab010c4533

Download Submit
C:\Windows\System32\dvCSVoT.exe

Filesize
2.9MB

MD5
0960c1d7760af2d77d8c4dd5fa446991

SHA1
5bd5cc77c6be99d0dfd42b6484d537ad5414c76b

SHA256
493bba532313a106b5c1f10a5d91c9dae69b6b96d1c2e3797a39530ce456d617

SHA512
295feee77d2748b50c327ae05cb044e78489d283692e529404045be6afd23ccd8c5971cabd1f0d401915879f12cd973e9f0d4a86787b0a10e5e3e396160488fa

Download Submit
C:\Windows\System32\gBysycm.exe

Filesize
2.9MB

MD5
c42e0f1bb3810c68d2433f123f06e328

SHA1
4a18b7dc6982410785512c120f98c5337c186810

SHA256
14cd97a87e4b91682473cdae8b50e11c87fb284c579147b8af051782680f0d4f

SHA512
7a9dc53c2700bd7e46d7acf74cdcac98c02d8ba3a7c48007bc8b59bd34740390378dc2f75058949f1f7143389a24736bc2f16fc0a9ef8bc4c165c95644ed7008

Download Submit
C:\Windows\System32\ioCovys.exe

Filesize
2.9MB

MD5
87c4e3596ba5d2b7c0ecb973caef1cce

SHA1
a437c58e6b950610a036b8370bc4e96b697cd6f2

SHA256
e8a05e32a50dc67d7edef35890aa35108732a3a9653713ab340a951151a42d71

SHA512
1c4c888a871bd68a8529dd4569ba5195421ba93759d2824c9fc5f4aed06c7d98191f0e5363d663518c65c35835ae477c7b0a9ccfd9c3808b7063c5c291d8b750

Download Submit
C:\Windows\System32\jlpnYzF.exe

Filesize
2.9MB

MD5
eb638803e971933fffda141c71260097

SHA1
95d5e17c519cb33208a164ee9f1b67fd3c9cf10e

SHA256
8ecd73a2598fb8d531d7c6650d6bcfe3816f1a5ece9894f86b8dba7c6f11eb12

SHA512
7efc00b41d11a7e771b31ef1c673237ea5520ce9feb8bdbfd68d681685045529c89ed96c633ca4339e1e8c34395060ef81a256360f4e0d1a8ce775d0fbc36399

Download Submit
C:\Windows\System32\ktXGStG.exe

Filesize
2.9MB

MD5
15011c1c2b1a207455e7ee64b7adf1e1

SHA1
8165cb5846f962412fa9660b950f6b8064f86b80

SHA256
00613c1e2ef4451c31c04e224865f16b082601272923263c480bc97c34a41978

SHA512
e04b580567fcd95cb4d9a5297a641eea7988a89ac099eb60ae1917376f1d45a591c61a4ea5860485e300d9bec8e726c54f6587e3b69f5b59c9887cef6c3c09c5

Download Submit
C:\Windows\System32\kwymeId.exe

Filesize
2.9MB

MD5
20f8828380e14885780fc85c6d847a93

SHA1
a6556076f32a9cff31e5d1d70a097797eb47ef33

SHA256
e6ac6a8bdd9e0ea4d32b0bd06ef7c23f3377d430f131e39abe69b47c0469ddcb

SHA512
adc15f39dd2ef1ba77a616413d1b1ae0d6f79c7b6ecf72726ff2bf9d4ae11ea5fecbe4905dad30f919076ea4d2e1e7c85b7808401d9fc6e2f0f1a34cb8c92900

Download Submit
C:\Windows\System32\mqoyctt.exe

Filesize
2.9MB

MD5
20d4d08d7c51aeeb113b48331e2fe818

SHA1
323fd0232c26423d520704f1ffc8857d22b23258

SHA256
047f98c9a6c46cce12081060fd04ba869fd022492e631a91e8ad7b07491ee646

SHA512
fd3619598c698f49c0a7bcf4ad3585da1668477691d803fb96adb45002577ddd35c44718c4397ea220b14b3bf21f08bcaed5c2cfc42a9fe5bb0efacca446a190

Download Submit
C:\Windows\System32\nfWTYrB.exe

Filesize
2.9MB

MD5
ad05de3c1bc0a5edb9133d410516fffc

SHA1
59ee0658c433d46155c9436856db1db0c2037b82

SHA256
f0174f82a846f631177c400679bf919d5cb3185b84564a28cba308b2d8740965

SHA512
72547e22c92bdc7c71014e306e94dd8cfc9892208f8f43ef604fea8a0c0741b089693dad489b316d6ac603cd4292f91b965aa196802da675909649fb7c70b56f

Download Submit
C:\Windows\System32\rEtypnd.exe

Filesize
2.9MB

MD5
7d69b3edb60744c6f59aef6de4dadb73

SHA1
1a13800ecc276ce46c6848cb6dd546395ee873fd

SHA256
be2cc2ffa3a265cea1858ba8273e3fbcc04e5601d058f3f2889eb3207c37a9f6

SHA512
d75d8a95ba9af22c0c324846d5a3cca080008596ffa4de4b8a2ee7521958347f3918ed97fbcd1de70e104d518e0b814832567cf9df8004e459909aa65238430a

Download Submit
C:\Windows\System32\sLLJneT.exe

Filesize
2.9MB

MD5
35077b71f216252375321382306e63a3

SHA1
f1194c92cf810d20fd3a4ef6f96786fa0daa038c

SHA256
c850e6a2735a312301f47cb284588e62f86306fe8c7f27511bc4d976d866eb11

SHA512
447262d027b187e6661bb2a14e4522d9863a40b7a75b17597c76b9a64fb98ce1a8887642a23f1a7722ed98ca712a47111b107466cb6961ea3af0830a38e0dd9d

Download Submit
C:\Windows\System32\smDGvHl.exe

Filesize
2.9MB

MD5
d6b3a92572e367978b27f426e1e02520

SHA1
911b96aea75050369a03c982c1fa120e95f29472

SHA256
1c9d1a6a0b343a17b5e00db8c663753c235d659e7b85a9e78487911488e7ae86

SHA512
19c8e7c524ceeda986639813dbaf28c3e0322193987132b871cf943776730cfc6cf46dc83f7306e8e1a6b0c25276691137a9874acc93bb32105e7dace8da9dd5

Download Submit
C:\Windows\System32\uMMHsxl.exe

Filesize
2.9MB

MD5
a894ff6a84d36c27e06e9aed8a3bb966

SHA1
1b26ac54339b9fe21e28906f8edec24bc480feea

SHA256
4d896e7995d012566b5517fa8c6b99f044e7cbc12d275af8e67f92077a2c4449

SHA512
58020b1cbc66cbc7798dc936ae55218a747803a6d1ae81678bc03b3daad35252e779928861f109c7dd19fed8e31cb290f0f700775f1912d3d2ab278900e303e2

Download Submit
C:\Windows\System32\ujsrsuO.exe

Filesize
2.9MB

MD5
152403da0e0e171581a61e2587cd8f40

SHA1
55e69135c3ab59acb87050108e13864853f11149

SHA256
c4b4c137f5084a027d27fd20c63290e10b32c1271765c588d6e78aa1b3302686

SHA512
7280b40bdac47995c3d6078241284eb40f865fa98eb15421ec4f275fd0fb066c1d65e8ff0e9843a8a15cf4ed12efe5c2ca03240b74430cad2551355ec4e087ef

Download Submit
C:\Windows\System32\zHVLraQ.exe

Filesize
2.9MB

MD5
b07530e10b8113a42dc9372614c03fe1

SHA1
3619b82791dccd49a64259c984843b764ef6c3af

SHA256
6ab108ec2a96c286beedec78764ec3b763aa341b18e64002e4a97e343c6303bb

SHA512
4d69988aa4be4bbf7875219c0c2f4045cb34fb3dcf2b28cdcb2b06ea5012d82ac5cd8fdfea30ffeddbac1eba88099a71e1635a63495c9de098d4c42a916b432e

Download Submit
C:\Windows\System32\zTkIRSM.exe

Filesize
2.9MB

MD5
97c70db1c2e30893bad76edb5d1a7f03

SHA1
cce32d01345945399f1126d3627c12bb04ed9666

SHA256
7eb1468d03f30a000ffc06e17d12c54c4f62c7785dc6920d79a46f94531d37c0

SHA512
1b29640583623a38ca1fe97ce29657df09640ca16438c30b5c75bf44015866a777ea5f11b944c313c05534cf7ee4d72f24fd12df1c8b5976274d2a9ad8512202

Download Submit
memory/436-573-0x00007FF658480000-0x00007FF658875000-memory.dmp

Filesize
4.0MB

Download
memory/436-1891-0x00007FF658480000-0x00007FF658875000-memory.dmp

Filesize
4.0MB

Download
memory/460-1881-0x00007FF7DD6D0000-0x00007FF7DDAC5000-memory.dmp

Filesize
4.0MB

Download
memory/460-543-0x00007FF7DD6D0000-0x00007FF7DDAC5000-memory.dmp

Filesize
4.0MB

Download
memory/784-589-0x00007FF6EA790000-0x00007FF6EAB85000-memory.dmp

Filesize
4.0MB

Download
memory/784-1886-0x00007FF6EA790000-0x00007FF6EAB85000-memory.dmp

Filesize
4.0MB

Download
memory/868-1875-0x00007FF7A2AA0000-0x00007FF7A2E95000-memory.dmp

Filesize
4.0MB

Download
memory/868-600-0x00007FF7A2AA0000-0x00007FF7A2E95000-memory.dmp

Filesize
4.0MB

Download
memory/876-1884-0x00007FF60AC10000-0x00007FF60B005000-memory.dmp

Filesize
4.0MB

Download
memory/876-554-0x00007FF60AC10000-0x00007FF60B005000-memory.dmp

Filesize
4.0MB

Download
memory/1032-566-0x00007FF6D3550000-0x00007FF6D3945000-memory.dmp

Filesize
4.0MB

Download
memory/1032-1892-0x00007FF6D3550000-0x00007FF6D3945000-memory.dmp

Filesize
4.0MB

Download
memory/1620-1882-0x00007FF79E660000-0x00007FF79EA55000-memory.dmp

Filesize
4.0MB

Download
memory/1620-544-0x00007FF79E660000-0x00007FF79EA55000-memory.dmp

Filesize
4.0MB

Download
memory/1992-552-0x00007FF7738E0000-0x00007FF773CD5000-memory.dmp

Filesize
4.0MB

Download
memory/1992-1883-0x00007FF7738E0000-0x00007FF773CD5000-memory.dmp

Filesize
4.0MB

Download
memory/2320-1893-0x00007FF6AB5D0000-0x00007FF6AB9C5000-memory.dmp

Filesize
4.0MB

Download
memory/2320-587-0x00007FF6AB5D0000-0x00007FF6AB9C5000-memory.dmp

Filesize
4.0MB

Download
memory/2400-1885-0x00007FF63B240000-0x00007FF63B635000-memory.dmp

Filesize
4.0MB

Download
memory/2400-561-0x00007FF63B240000-0x00007FF63B635000-memory.dmp

Filesize
4.0MB

Download
memory/2456-542-0x00007FF6643D0000-0x00007FF6647C5000-memory.dmp

Filesize
4.0MB

Download
memory/2456-1880-0x00007FF6643D0000-0x00007FF6647C5000-memory.dmp

Filesize
4.0MB

Download
memory/2508-1890-0x00007FF72CC50000-0x00007FF72D045000-memory.dmp

Filesize
4.0MB

Download
memory/2508-576-0x00007FF72CC50000-0x00007FF72D045000-memory.dmp

Filesize
4.0MB

Download
memory/2696-540-0x00007FF7622B0000-0x00007FF7626A5000-memory.dmp

Filesize
4.0MB

Download
memory/2696-1878-0x00007FF7622B0000-0x00007FF7626A5000-memory.dmp

Filesize
4.0MB

Download
memory/2732-1870-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp

Filesize
4.0MB

Download
memory/2732-1867-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp

Filesize
4.0MB

Download
memory/2732-18-0x00007FF79CEE0000-0x00007FF79D2D5000-memory.dmp

Filesize
4.0MB

Download
memory/3556-45-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp

Filesize
4.0MB

Download
memory/3556-1871-0x00007FF7C6480000-0x00007FF7C6875000-memory.dmp

Filesize
4.0MB

Download
memory/3616-1889-0x00007FF75A570000-0x00007FF75A965000-memory.dmp

Filesize
4.0MB

Download
memory/3616-569-0x00007FF75A570000-0x00007FF75A965000-memory.dmp

Filesize
4.0MB

Download
memory/4108-1872-0x00007FF60B540000-0x00007FF60B935000-memory.dmp

Filesize
4.0MB

Download
memory/4108-538-0x00007FF60B540000-0x00007FF60B935000-memory.dmp

Filesize
4.0MB

Download
memory/4184-1869-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp

Filesize
4.0MB

Download
memory/4184-1876-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp

Filesize
4.0MB

Download
memory/4184-35-0x00007FF7699E0000-0x00007FF769DD5000-memory.dmp

Filesize
4.0MB

Download
memory/4364-1874-0x00007FF6418A0000-0x00007FF641C95000-memory.dmp

Filesize
4.0MB

Download
memory/4364-539-0x00007FF6418A0000-0x00007FF641C95000-memory.dmp

Filesize
4.0MB

Download
memory/4600-1877-0x00007FF7DD100000-0x00007FF7DD4F5000-memory.dmp

Filesize
4.0MB

Download
memory/4600-541-0x00007FF7DD100000-0x00007FF7DD4F5000-memory.dmp

Filesize
4.0MB

Download
memory/4724-1887-0x00007FF687950000-0x00007FF687D45000-memory.dmp

Filesize
4.0MB

Download
memory/4724-583-0x00007FF687950000-0x00007FF687D45000-memory.dmp

Filesize
4.0MB

Download
memory/4732-559-0x00007FF61C900000-0x00007FF61CCF5000-memory.dmp

Filesize
4.0MB

Download
memory/4732-1888-0x00007FF61C900000-0x00007FF61CCF5000-memory.dmp

Filesize
4.0MB

Download
memory/4740-1873-0x00007FF677840000-0x00007FF677C35000-memory.dmp

Filesize
4.0MB

Download
memory/4740-1868-0x00007FF677840000-0x00007FF677C35000-memory.dmp

Filesize
4.0MB

Download
memory/4740-28-0x00007FF677840000-0x00007FF677C35000-memory.dmp

Filesize
4.0MB

Download
memory/4956-1866-0x00007FF617450000-0x00007FF617845000-memory.dmp

Filesize
4.0MB

Download
memory/4956-0-0x00007FF617450000-0x00007FF617845000-memory.dmp

Filesize
4.0MB

Download
memory/4956-1-0x000001C0538F0000-0x000001C053900000-memory.dmp

Filesize
64KB

Download
memory/5080-1879-0x00007FF653C50000-0x00007FF654045000-memory.dmp

Filesize
4.0MB

Download
memory/5080-606-0x00007FF653C50000-0x00007FF654045000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads