xmrig | 616e7aedb64955c315d6c0af2f92c8295e2b7fbcf5acd784ec7f21226085d033

Analysis

max time kernel
125s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
Size

3.1MB
MD5

a086032c2c22d9bba6abe57a1c3aa600
SHA1

b1e9434906eee7ddc9bc48646e7664fd9631feed
SHA256

616e7aedb64955c315d6c0af2f92c8295e2b7fbcf5acd784ec7f21226085d033
SHA512

ada418659596a50ef6aa3b2f7476ae221a308140f094888501ecc6795390c12a4036f10c48c69d8c7f13b87af844d0c706796e24733c3365ea97e6cda0376fdb
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4N:NFWPClFd

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2704-0-0x00007FF613A80000-0x00007FF613E75000-memory.dmp	xmrig
behavioral2/files/0x00080000000235ba-5.dat	xmrig
behavioral2/files/0x00070000000235bf-8.dat	xmrig
behavioral2/files/0x00070000000235be-10.dat	xmrig
behavioral2/files/0x00070000000235c0-21.dat	xmrig
behavioral2/files/0x00070000000235c1-24.dat	xmrig
behavioral2/files/0x00070000000235c2-31.dat	xmrig
behavioral2/files/0x00070000000235c4-43.dat	xmrig
behavioral2/files/0x00070000000235c6-51.dat	xmrig
behavioral2/files/0x00070000000235cb-78.dat	xmrig
behavioral2/files/0x00070000000235cf-96.dat	xmrig
behavioral2/files/0x00070000000235d3-118.dat	xmrig
behavioral2/files/0x00070000000235d8-143.dat	xmrig
behavioral2/memory/4212-776-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	xmrig
behavioral2/files/0x00070000000235dc-163.dat	xmrig
behavioral2/memory/4184-777-0x00007FF625080000-0x00007FF625475000-memory.dmp	xmrig
behavioral2/files/0x00070000000235db-158.dat	xmrig
behavioral2/files/0x00070000000235da-153.dat	xmrig
behavioral2/files/0x00070000000235d9-148.dat	xmrig
behavioral2/files/0x00070000000235d7-138.dat	xmrig
behavioral2/files/0x00070000000235d6-133.dat	xmrig
behavioral2/files/0x00070000000235d5-128.dat	xmrig
behavioral2/files/0x00070000000235d4-123.dat	xmrig
behavioral2/files/0x00070000000235d2-113.dat	xmrig
behavioral2/files/0x00070000000235d1-108.dat	xmrig
behavioral2/files/0x00070000000235d0-103.dat	xmrig
behavioral2/files/0x00070000000235ce-93.dat	xmrig
behavioral2/files/0x00070000000235cd-88.dat	xmrig
behavioral2/files/0x00070000000235cc-83.dat	xmrig
behavioral2/files/0x00070000000235ca-73.dat	xmrig
behavioral2/files/0x00070000000235c9-68.dat	xmrig
behavioral2/files/0x00070000000235c8-63.dat	xmrig
behavioral2/files/0x00070000000235c7-58.dat	xmrig
behavioral2/files/0x00070000000235c5-48.dat	xmrig
behavioral2/files/0x00070000000235c3-38.dat	xmrig
behavioral2/memory/1212-17-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	xmrig
behavioral2/memory/212-11-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp	xmrig
behavioral2/memory/2692-778-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp	xmrig
behavioral2/memory/2980-779-0x00007FF69CA10000-0x00007FF69CE05000-memory.dmp	xmrig
behavioral2/memory/4080-780-0x00007FF6C9CA0000-0x00007FF6CA095000-memory.dmp	xmrig
behavioral2/memory/540-785-0x00007FF7E1920000-0x00007FF7E1D15000-memory.dmp	xmrig
behavioral2/memory/4200-788-0x00007FF773270000-0x00007FF773665000-memory.dmp	xmrig
behavioral2/memory/1644-796-0x00007FF7FB850000-0x00007FF7FBC45000-memory.dmp	xmrig
behavioral2/memory/3644-806-0x00007FF60F500000-0x00007FF60F8F5000-memory.dmp	xmrig
behavioral2/memory/2856-799-0x00007FF767080000-0x00007FF767475000-memory.dmp	xmrig
behavioral2/memory/4808-793-0x00007FF68F440000-0x00007FF68F835000-memory.dmp	xmrig
behavioral2/memory/556-815-0x00007FF778E50000-0x00007FF779245000-memory.dmp	xmrig
behavioral2/memory/1124-819-0x00007FF77DED0000-0x00007FF77E2C5000-memory.dmp	xmrig
behavioral2/memory/932-823-0x00007FF698750000-0x00007FF698B45000-memory.dmp	xmrig
behavioral2/memory/3712-812-0x00007FF6847F0000-0x00007FF684BE5000-memory.dmp	xmrig
behavioral2/memory/2804-810-0x00007FF642070000-0x00007FF642465000-memory.dmp	xmrig
behavioral2/memory/5084-830-0x00007FF7150C0000-0x00007FF7154B5000-memory.dmp	xmrig
behavioral2/memory/780-833-0x00007FF60BBF0000-0x00007FF60BFE5000-memory.dmp	xmrig
behavioral2/memory/3900-835-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp	xmrig
behavioral2/memory/2588-832-0x00007FF61AFD0000-0x00007FF61B3C5000-memory.dmp	xmrig
behavioral2/memory/656-829-0x00007FF6E6310000-0x00007FF6E6705000-memory.dmp	xmrig
behavioral2/memory/384-826-0x00007FF7E6560000-0x00007FF7E6955000-memory.dmp	xmrig
behavioral2/memory/1212-1826-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	xmrig
behavioral2/memory/4212-1827-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	xmrig
behavioral2/memory/212-1828-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp	xmrig
behavioral2/memory/1212-1829-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	xmrig
behavioral2/memory/3900-1831-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp	xmrig
behavioral2/memory/4212-1833-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	xmrig
behavioral2/memory/2692-1832-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
212	PmfzbDT.exe
1212	eCFlRgX.exe
4212	vZNpKNz.exe
3900	VwBEOTK.exe
4184	DPaovtR.exe
2692	iuktwJm.exe
2980	PtUYSbY.exe
4080	pOeMfyv.exe
540	YVsOMao.exe
4200	EqHwJXE.exe
4808	oiTCfiK.exe
1644	IPIzpWj.exe
2856	ukkditE.exe
3644	gweCGiz.exe
2804	QfvLJOh.exe
3712	UbILHgl.exe
556	nomnwzs.exe
1124	uUSQcms.exe
932	AHglJmz.exe
384	emzfuYW.exe
656	iZghIdW.exe
5084	EoBXrHT.exe
2588	fSwvhla.exe
780	qAgRbzc.exe
1288	InbSITw.exe
2020	TGQtpvq.exe
3280	tQYvkpD.exe
3096	NdDeFKh.exe
1276	pWbEDAt.exe
2132	mquNsMg.exe
2284	NfgBMcG.exe
4404	sYUVFIz.exe
4532	wCiClef.exe
4696	WuGcWri.exe
464	qFMujRf.exe
3184	mzabrEW.exe
5028	XlldOQA.exe
3272	yRjVleg.exe
4148	ABtPYXq.exe
4976	smrtymp.exe
1292	DAArRFv.exe
4236	KKTjchL.exe
2352	LBhIQvZ.exe
4940	oPdwqSa.exe
4308	nDqNBMO.exe
3544	rKIAnLF.exe
3380	ZwrpUpD.exe
4116	wsAtbvr.exe
2984	iZnerVv.exe
3984	CXSKgRH.exe
4744	IoPPyfA.exe
5132	CnfvTJq.exe
5160	IZJpjta.exe
5188	zpnbwbX.exe
5216	hDjpqBx.exe
5256	pvoplIx.exe
5284	NvChuID.exe
5312	qUvRnIw.exe
5328	olJGEZe.exe
5368	cavqicj.exe
5396	ScpXtEK.exe
5424	CXcjjpk.exe
5440	NCOvYuj.exe
5480	awdplPm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2704-0-0x00007FF613A80000-0x00007FF613E75000-memory.dmp	upx
behavioral2/files/0x00080000000235ba-5.dat	upx
behavioral2/files/0x00070000000235bf-8.dat	upx
behavioral2/files/0x00070000000235be-10.dat	upx
behavioral2/files/0x00070000000235c0-21.dat	upx
behavioral2/files/0x00070000000235c1-24.dat	upx
behavioral2/files/0x00070000000235c2-31.dat	upx
behavioral2/files/0x00070000000235c4-43.dat	upx
behavioral2/files/0x00070000000235c6-51.dat	upx
behavioral2/files/0x00070000000235cb-78.dat	upx
behavioral2/files/0x00070000000235cf-96.dat	upx
behavioral2/files/0x00070000000235d3-118.dat	upx
behavioral2/files/0x00070000000235d8-143.dat	upx
behavioral2/memory/4212-776-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	upx
behavioral2/files/0x00070000000235dc-163.dat	upx
behavioral2/memory/4184-777-0x00007FF625080000-0x00007FF625475000-memory.dmp	upx
behavioral2/files/0x00070000000235db-158.dat	upx
behavioral2/files/0x00070000000235da-153.dat	upx
behavioral2/files/0x00070000000235d9-148.dat	upx
behavioral2/files/0x00070000000235d7-138.dat	upx
behavioral2/files/0x00070000000235d6-133.dat	upx
behavioral2/files/0x00070000000235d5-128.dat	upx
behavioral2/files/0x00070000000235d4-123.dat	upx
behavioral2/files/0x00070000000235d2-113.dat	upx
behavioral2/files/0x00070000000235d1-108.dat	upx
behavioral2/files/0x00070000000235d0-103.dat	upx
behavioral2/files/0x00070000000235ce-93.dat	upx
behavioral2/files/0x00070000000235cd-88.dat	upx
behavioral2/files/0x00070000000235cc-83.dat	upx
behavioral2/files/0x00070000000235ca-73.dat	upx
behavioral2/files/0x00070000000235c9-68.dat	upx
behavioral2/files/0x00070000000235c8-63.dat	upx
behavioral2/files/0x00070000000235c7-58.dat	upx
behavioral2/files/0x00070000000235c5-48.dat	upx
behavioral2/files/0x00070000000235c3-38.dat	upx
behavioral2/memory/1212-17-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	upx
behavioral2/memory/212-11-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp	upx
behavioral2/memory/2692-778-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp	upx
behavioral2/memory/2980-779-0x00007FF69CA10000-0x00007FF69CE05000-memory.dmp	upx
behavioral2/memory/4080-780-0x00007FF6C9CA0000-0x00007FF6CA095000-memory.dmp	upx
behavioral2/memory/540-785-0x00007FF7E1920000-0x00007FF7E1D15000-memory.dmp	upx
behavioral2/memory/4200-788-0x00007FF773270000-0x00007FF773665000-memory.dmp	upx
behavioral2/memory/1644-796-0x00007FF7FB850000-0x00007FF7FBC45000-memory.dmp	upx
behavioral2/memory/3644-806-0x00007FF60F500000-0x00007FF60F8F5000-memory.dmp	upx
behavioral2/memory/2856-799-0x00007FF767080000-0x00007FF767475000-memory.dmp	upx
behavioral2/memory/4808-793-0x00007FF68F440000-0x00007FF68F835000-memory.dmp	upx
behavioral2/memory/556-815-0x00007FF778E50000-0x00007FF779245000-memory.dmp	upx
behavioral2/memory/1124-819-0x00007FF77DED0000-0x00007FF77E2C5000-memory.dmp	upx
behavioral2/memory/932-823-0x00007FF698750000-0x00007FF698B45000-memory.dmp	upx
behavioral2/memory/3712-812-0x00007FF6847F0000-0x00007FF684BE5000-memory.dmp	upx
behavioral2/memory/2804-810-0x00007FF642070000-0x00007FF642465000-memory.dmp	upx
behavioral2/memory/5084-830-0x00007FF7150C0000-0x00007FF7154B5000-memory.dmp	upx
behavioral2/memory/780-833-0x00007FF60BBF0000-0x00007FF60BFE5000-memory.dmp	upx
behavioral2/memory/3900-835-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp	upx
behavioral2/memory/2588-832-0x00007FF61AFD0000-0x00007FF61B3C5000-memory.dmp	upx
behavioral2/memory/656-829-0x00007FF6E6310000-0x00007FF6E6705000-memory.dmp	upx
behavioral2/memory/384-826-0x00007FF7E6560000-0x00007FF7E6955000-memory.dmp	upx
behavioral2/memory/1212-1826-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	upx
behavioral2/memory/4212-1827-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	upx
behavioral2/memory/212-1828-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp	upx
behavioral2/memory/1212-1829-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp	upx
behavioral2/memory/3900-1831-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp	upx
behavioral2/memory/4212-1833-0x00007FF71B130000-0x00007FF71B525000-memory.dmp	upx
behavioral2/memory/2692-1832-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\aBnrXNr.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\aujUIly.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\zxJPSpZ.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ouYsjlm.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\Okovrxz.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\rTqdCTB.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\mquNsMg.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\aSZGiKT.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\VVsqdKw.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\WdfyhhZ.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\cdRLwoj.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\tQYvkpD.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\rsTIQxQ.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\QLDSZrP.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\eDLczqw.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\uiQtVsC.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\JtnGDTb.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\dgHKxpE.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\YVsOMao.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\VnePWYN.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\AqYvlpp.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\GawqzHV.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\roVTJXX.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\HqzlmTL.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\tAIVSNo.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\xJjMKxR.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\nomnwzs.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ZMxIilo.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ltPWirK.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ixLuyFG.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ohPAtAB.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\TpCjVvW.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\EhbBBVU.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\vHXqKHi.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\KtMOZXV.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\RwOXlZo.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\EQUteSP.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\KBHHWzX.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\yegfzKd.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\buJubZJ.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\EeoyqJs.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\vjGfroG.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\anEmgaX.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\wkMqVuF.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\WgsEHtZ.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\gghzQrn.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\ocmoOkL.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\TaivXmo.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\hcqNMRm.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\HzUfPxf.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\vZNpKNz.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\NfgBMcG.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\aEOQlma.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\pYGANlA.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\vAzGHfd.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\uymWhXT.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\HgVPoGb.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\CESziId.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\LGKdGdv.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\Rtalayb.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\gebxaQN.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\SQHyMuj.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\uyvsXFf.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
File created	C:\Windows\System32\qFMujRf.exe	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13956	dwm.exe
Token: SeChangeNotifyPrivilege	13956	dwm.exe
Token: 33	13956	dwm.exe
Token: SeIncBasePriorityPrivilege	13956	dwm.exe
Token: SeShutdownPrivilege	13956	dwm.exe
Token: SeCreatePagefilePrivilege	13956	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	92
PID 2704 wrote to memory of 212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	92
PID 2704 wrote to memory of 1212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	93
PID 2704 wrote to memory of 1212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	93
PID 2704 wrote to memory of 4212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	94
PID 2704 wrote to memory of 4212	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	94
PID 2704 wrote to memory of 3900	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	95
PID 2704 wrote to memory of 3900	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	95
PID 2704 wrote to memory of 4184	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	96
PID 2704 wrote to memory of 4184	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	96
PID 2704 wrote to memory of 2692	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	97
PID 2704 wrote to memory of 2692	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	97
PID 2704 wrote to memory of 2980	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	98
PID 2704 wrote to memory of 2980	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	98
PID 2704 wrote to memory of 4080	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	99
PID 2704 wrote to memory of 4080	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	99
PID 2704 wrote to memory of 540	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	100
PID 2704 wrote to memory of 540	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	100
PID 2704 wrote to memory of 4200	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	101
PID 2704 wrote to memory of 4200	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	101
PID 2704 wrote to memory of 4808	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	102
PID 2704 wrote to memory of 4808	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	102
PID 2704 wrote to memory of 1644	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	103
PID 2704 wrote to memory of 1644	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	103
PID 2704 wrote to memory of 2856	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	104
PID 2704 wrote to memory of 2856	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	104
PID 2704 wrote to memory of 3644	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	105
PID 2704 wrote to memory of 3644	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	105
PID 2704 wrote to memory of 2804	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	106
PID 2704 wrote to memory of 2804	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	106
PID 2704 wrote to memory of 3712	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	107
PID 2704 wrote to memory of 3712	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	107
PID 2704 wrote to memory of 556	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	108
PID 2704 wrote to memory of 556	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	108
PID 2704 wrote to memory of 1124	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	109
PID 2704 wrote to memory of 1124	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	109
PID 2704 wrote to memory of 932	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	110
PID 2704 wrote to memory of 932	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	110
PID 2704 wrote to memory of 384	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	111
PID 2704 wrote to memory of 384	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	111
PID 2704 wrote to memory of 656	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	112
PID 2704 wrote to memory of 656	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	112
PID 2704 wrote to memory of 5084	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	113
PID 2704 wrote to memory of 5084	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	113
PID 2704 wrote to memory of 2588	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	114
PID 2704 wrote to memory of 2588	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	114
PID 2704 wrote to memory of 780	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	115
PID 2704 wrote to memory of 780	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	115
PID 2704 wrote to memory of 1288	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	116
PID 2704 wrote to memory of 1288	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	116
PID 2704 wrote to memory of 2020	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	117
PID 2704 wrote to memory of 2020	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	117
PID 2704 wrote to memory of 3280	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	118
PID 2704 wrote to memory of 3280	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	118
PID 2704 wrote to memory of 3096	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	119
PID 2704 wrote to memory of 3096	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	119
PID 2704 wrote to memory of 1276	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	120
PID 2704 wrote to memory of 1276	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	120
PID 2704 wrote to memory of 2132	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	121
PID 2704 wrote to memory of 2132	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	121
PID 2704 wrote to memory of 2284	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	122
PID 2704 wrote to memory of 2284	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	122
PID 2704 wrote to memory of 4404	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	123
PID 2704 wrote to memory of 4404	2704	a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe	123

C:\Users\Admin\AppData\Local\Temp\a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a086032c2c22d9bba6abe57a1c3aa600_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\System32\PmfzbDT.exe
  C:\Windows\System32\PmfzbDT.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\eCFlRgX.exe
  C:\Windows\System32\eCFlRgX.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\vZNpKNz.exe
  C:\Windows\System32\vZNpKNz.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System32\VwBEOTK.exe
  C:\Windows\System32\VwBEOTK.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\DPaovtR.exe
  C:\Windows\System32\DPaovtR.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System32\iuktwJm.exe
  C:\Windows\System32\iuktwJm.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\PtUYSbY.exe
  C:\Windows\System32\PtUYSbY.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\pOeMfyv.exe
  C:\Windows\System32\pOeMfyv.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\YVsOMao.exe
  C:\Windows\System32\YVsOMao.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\EqHwJXE.exe
  C:\Windows\System32\EqHwJXE.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\oiTCfiK.exe
  C:\Windows\System32\oiTCfiK.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\IPIzpWj.exe
  C:\Windows\System32\IPIzpWj.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\ukkditE.exe
  C:\Windows\System32\ukkditE.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\gweCGiz.exe
  C:\Windows\System32\gweCGiz.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\QfvLJOh.exe
  C:\Windows\System32\QfvLJOh.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System32\UbILHgl.exe
  C:\Windows\System32\UbILHgl.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\nomnwzs.exe
  C:\Windows\System32\nomnwzs.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\uUSQcms.exe
  C:\Windows\System32\uUSQcms.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\AHglJmz.exe
  C:\Windows\System32\AHglJmz.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\emzfuYW.exe
  C:\Windows\System32\emzfuYW.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\iZghIdW.exe
  C:\Windows\System32\iZghIdW.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System32\EoBXrHT.exe
  C:\Windows\System32\EoBXrHT.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\fSwvhla.exe
  C:\Windows\System32\fSwvhla.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\qAgRbzc.exe
  C:\Windows\System32\qAgRbzc.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System32\InbSITw.exe
  C:\Windows\System32\InbSITw.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\TGQtpvq.exe
  C:\Windows\System32\TGQtpvq.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\tQYvkpD.exe
  C:\Windows\System32\tQYvkpD.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\NdDeFKh.exe
  C:\Windows\System32\NdDeFKh.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\pWbEDAt.exe
  C:\Windows\System32\pWbEDAt.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\mquNsMg.exe
  C:\Windows\System32\mquNsMg.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\NfgBMcG.exe
  C:\Windows\System32\NfgBMcG.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\sYUVFIz.exe
  C:\Windows\System32\sYUVFIz.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\wCiClef.exe
  C:\Windows\System32\wCiClef.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\WuGcWri.exe
  C:\Windows\System32\WuGcWri.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\qFMujRf.exe
  C:\Windows\System32\qFMujRf.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\mzabrEW.exe
  C:\Windows\System32\mzabrEW.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\XlldOQA.exe
  C:\Windows\System32\XlldOQA.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\yRjVleg.exe
  C:\Windows\System32\yRjVleg.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\ABtPYXq.exe
  C:\Windows\System32\ABtPYXq.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\smrtymp.exe
  C:\Windows\System32\smrtymp.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\DAArRFv.exe
  C:\Windows\System32\DAArRFv.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\KKTjchL.exe
  C:\Windows\System32\KKTjchL.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\LBhIQvZ.exe
  C:\Windows\System32\LBhIQvZ.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\oPdwqSa.exe
  C:\Windows\System32\oPdwqSa.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\nDqNBMO.exe
  C:\Windows\System32\nDqNBMO.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\rKIAnLF.exe
  C:\Windows\System32\rKIAnLF.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System32\ZwrpUpD.exe
  C:\Windows\System32\ZwrpUpD.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\wsAtbvr.exe
  C:\Windows\System32\wsAtbvr.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\iZnerVv.exe
  C:\Windows\System32\iZnerVv.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\CXSKgRH.exe
  C:\Windows\System32\CXSKgRH.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\IoPPyfA.exe
  C:\Windows\System32\IoPPyfA.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\CnfvTJq.exe
  C:\Windows\System32\CnfvTJq.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System32\IZJpjta.exe
  C:\Windows\System32\IZJpjta.exe
  2⤵
  - Executes dropped EXE
  PID:5160
- C:\Windows\System32\zpnbwbX.exe
  C:\Windows\System32\zpnbwbX.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\System32\hDjpqBx.exe
  C:\Windows\System32\hDjpqBx.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System32\pvoplIx.exe
  C:\Windows\System32\pvoplIx.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System32\NvChuID.exe
  C:\Windows\System32\NvChuID.exe
  2⤵
  - Executes dropped EXE
  PID:5284
- C:\Windows\System32\qUvRnIw.exe
  C:\Windows\System32\qUvRnIw.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\olJGEZe.exe
  C:\Windows\System32\olJGEZe.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Windows\System32\cavqicj.exe
  C:\Windows\System32\cavqicj.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System32\ScpXtEK.exe
  C:\Windows\System32\ScpXtEK.exe
  2⤵
  - Executes dropped EXE
  PID:5396
- C:\Windows\System32\CXcjjpk.exe
  C:\Windows\System32\CXcjjpk.exe
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Windows\System32\NCOvYuj.exe
  C:\Windows\System32\NCOvYuj.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Windows\System32\awdplPm.exe
  C:\Windows\System32\awdplPm.exe
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Windows\System32\uiQtVsC.exe
  C:\Windows\System32\uiQtVsC.exe
  2⤵
  PID:5508
- C:\Windows\System32\XxmWmwa.exe
  C:\Windows\System32\XxmWmwa.exe
  2⤵
  PID:5536
- C:\Windows\System32\fESffWr.exe
  C:\Windows\System32\fESffWr.exe
  2⤵
  PID:5564
- C:\Windows\System32\IRIzhcJ.exe
  C:\Windows\System32\IRIzhcJ.exe
  2⤵
  PID:5580
- C:\Windows\System32\UhPNroJ.exe
  C:\Windows\System32\UhPNroJ.exe
  2⤵
  PID:5608
- C:\Windows\System32\fFJjbil.exe
  C:\Windows\System32\fFJjbil.exe
  2⤵
  PID:5636
- C:\Windows\System32\mHAlDqF.exe
  C:\Windows\System32\mHAlDqF.exe
  2⤵
  PID:5676
- C:\Windows\System32\vMNrlCd.exe
  C:\Windows\System32\vMNrlCd.exe
  2⤵
  PID:5692
- C:\Windows\System32\fdfRVBG.exe
  C:\Windows\System32\fdfRVBG.exe
  2⤵
  PID:5732
- C:\Windows\System32\QnLVaZz.exe
  C:\Windows\System32\QnLVaZz.exe
  2⤵
  PID:5748
- C:\Windows\System32\rzMfWpn.exe
  C:\Windows\System32\rzMfWpn.exe
  2⤵
  PID:5776
- C:\Windows\System32\dojarki.exe
  C:\Windows\System32\dojarki.exe
  2⤵
  PID:5816
- C:\Windows\System32\eGwdruw.exe
  C:\Windows\System32\eGwdruw.exe
  2⤵
  PID:5844
- C:\Windows\System32\sSsIyAi.exe
  C:\Windows\System32\sSsIyAi.exe
  2⤵
  PID:5872
- C:\Windows\System32\RfUubVm.exe
  C:\Windows\System32\RfUubVm.exe
  2⤵
  PID:5888
- C:\Windows\System32\fFpTKwO.exe
  C:\Windows\System32\fFpTKwO.exe
  2⤵
  PID:5916
- C:\Windows\System32\dNOIloX.exe
  C:\Windows\System32\dNOIloX.exe
  2⤵
  PID:5944
- C:\Windows\System32\ujrmQEk.exe
  C:\Windows\System32\ujrmQEk.exe
  2⤵
  PID:5984
- C:\Windows\System32\gFvNzXe.exe
  C:\Windows\System32\gFvNzXe.exe
  2⤵
  PID:6000
- C:\Windows\System32\GqHhBHK.exe
  C:\Windows\System32\GqHhBHK.exe
  2⤵
  PID:6040
- C:\Windows\System32\pOJFqiS.exe
  C:\Windows\System32\pOJFqiS.exe
  2⤵
  PID:6068
- C:\Windows\System32\wIZXRIt.exe
  C:\Windows\System32\wIZXRIt.exe
  2⤵
  PID:6096
- C:\Windows\System32\auFquZA.exe
  C:\Windows\System32\auFquZA.exe
  2⤵
  PID:6112
- C:\Windows\System32\aujUIly.exe
  C:\Windows\System32\aujUIly.exe
  2⤵
  PID:6140
- C:\Windows\System32\uCfYkbT.exe
  C:\Windows\System32\uCfYkbT.exe
  2⤵
  PID:3684
- C:\Windows\System32\WgsEHtZ.exe
  C:\Windows\System32\WgsEHtZ.exe
  2⤵
  PID:3572
- C:\Windows\System32\vyCGPfF.exe
  C:\Windows\System32\vyCGPfF.exe
  2⤵
  PID:3940
- C:\Windows\System32\FcCLext.exe
  C:\Windows\System32\FcCLext.exe
  2⤵
  PID:5156
- C:\Windows\System32\vUEEbEl.exe
  C:\Windows\System32\vUEEbEl.exe
  2⤵
  PID:5176
- C:\Windows\System32\avsRkHN.exe
  C:\Windows\System32\avsRkHN.exe
  2⤵
  PID:5268
- C:\Windows\System32\NNQWRTL.exe
  C:\Windows\System32\NNQWRTL.exe
  2⤵
  PID:5320
- C:\Windows\System32\NVYouqv.exe
  C:\Windows\System32\NVYouqv.exe
  2⤵
  PID:5416
- C:\Windows\System32\haICvpU.exe
  C:\Windows\System32\haICvpU.exe
  2⤵
  PID:5452
- C:\Windows\System32\OPEogew.exe
  C:\Windows\System32\OPEogew.exe
  2⤵
  PID:5556
- C:\Windows\System32\harGtNS.exe
  C:\Windows\System32\harGtNS.exe
  2⤵
  PID:5596
- C:\Windows\System32\gghzQrn.exe
  C:\Windows\System32\gghzQrn.exe
  2⤵
  PID:5648
- C:\Windows\System32\RvmyNZF.exe
  C:\Windows\System32\RvmyNZF.exe
  2⤵
  PID:5744
- C:\Windows\System32\iBNRrhk.exe
  C:\Windows\System32\iBNRrhk.exe
  2⤵
  PID:5800
- C:\Windows\System32\syAGPby.exe
  C:\Windows\System32\syAGPby.exe
  2⤵
  PID:5852
- C:\Windows\System32\FmYGthi.exe
  C:\Windows\System32\FmYGthi.exe
  2⤵
  PID:5912
- C:\Windows\System32\unaKPcE.exe
  C:\Windows\System32\unaKPcE.exe
  2⤵
  PID:5996
- C:\Windows\System32\fvGkMEm.exe
  C:\Windows\System32\fvGkMEm.exe
  2⤵
  PID:6024
- C:\Windows\System32\HKuJRfr.exe
  C:\Windows\System32\HKuJRfr.exe
  2⤵
  PID:6108
- C:\Windows\System32\xjHzlkJ.exe
  C:\Windows\System32\xjHzlkJ.exe
  2⤵
  PID:2348
- C:\Windows\System32\GAZnLUB.exe
  C:\Windows\System32\GAZnLUB.exe
  2⤵
  PID:4504
- C:\Windows\System32\XckdxJw.exe
  C:\Windows\System32\XckdxJw.exe
  2⤵
  PID:5304
- C:\Windows\System32\cpplNCi.exe
  C:\Windows\System32\cpplNCi.exe
  2⤵
  PID:5436
- C:\Windows\System32\pxaFgcx.exe
  C:\Windows\System32\pxaFgcx.exe
  2⤵
  PID:5544
- C:\Windows\System32\CjkEngT.exe
  C:\Windows\System32\CjkEngT.exe
  2⤵
  PID:5788
- C:\Windows\System32\uEcGhai.exe
  C:\Windows\System32\uEcGhai.exe
  2⤵
  PID:5824
- C:\Windows\System32\ffnZdXK.exe
  C:\Windows\System32\ffnZdXK.exe
  2⤵
  PID:6052
- C:\Windows\System32\EEsPxmo.exe
  C:\Windows\System32\EEsPxmo.exe
  2⤵
  PID:6172
- C:\Windows\System32\QqtScHP.exe
  C:\Windows\System32\QqtScHP.exe
  2⤵
  PID:6200
- C:\Windows\System32\xGEFWaL.exe
  C:\Windows\System32\xGEFWaL.exe
  2⤵
  PID:6216
- C:\Windows\System32\YvOcJlH.exe
  C:\Windows\System32\YvOcJlH.exe
  2⤵
  PID:6256
- C:\Windows\System32\NLMyTdj.exe
  C:\Windows\System32\NLMyTdj.exe
  2⤵
  PID:6272
- C:\Windows\System32\McYHDsF.exe
  C:\Windows\System32\McYHDsF.exe
  2⤵
  PID:6300
- C:\Windows\System32\Smjswvt.exe
  C:\Windows\System32\Smjswvt.exe
  2⤵
  PID:6340
- C:\Windows\System32\gebxaQN.exe
  C:\Windows\System32\gebxaQN.exe
  2⤵
  PID:6356
- C:\Windows\System32\UARzpjv.exe
  C:\Windows\System32\UARzpjv.exe
  2⤵
  PID:6384
- C:\Windows\System32\HwzZWPx.exe
  C:\Windows\System32\HwzZWPx.exe
  2⤵
  PID:6424
- C:\Windows\System32\CbFvFcE.exe
  C:\Windows\System32\CbFvFcE.exe
  2⤵
  PID:6456
- C:\Windows\System32\qJXFwLe.exe
  C:\Windows\System32\qJXFwLe.exe
  2⤵
  PID:6472
- C:\Windows\System32\RgVVQhz.exe
  C:\Windows\System32\RgVVQhz.exe
  2⤵
  PID:6500
- C:\Windows\System32\ODKzyhQ.exe
  C:\Windows\System32\ODKzyhQ.exe
  2⤵
  PID:6528
- C:\Windows\System32\HMyRsdb.exe
  C:\Windows\System32\HMyRsdb.exe
  2⤵
  PID:6568
- C:\Windows\System32\IjSFxRl.exe
  C:\Windows\System32\IjSFxRl.exe
  2⤵
  PID:6584
- C:\Windows\System32\ZMxIilo.exe
  C:\Windows\System32\ZMxIilo.exe
  2⤵
  PID:6612
- C:\Windows\System32\fTsWIOc.exe
  C:\Windows\System32\fTsWIOc.exe
  2⤵
  PID:6652
- C:\Windows\System32\levAVoC.exe
  C:\Windows\System32\levAVoC.exe
  2⤵
  PID:6680
- C:\Windows\System32\GUWEYKd.exe
  C:\Windows\System32\GUWEYKd.exe
  2⤵
  PID:6696
- C:\Windows\System32\raIOlDw.exe
  C:\Windows\System32\raIOlDw.exe
  2⤵
  PID:6736
- C:\Windows\System32\DLwgUMj.exe
  C:\Windows\System32\DLwgUMj.exe
  2⤵
  PID:6752
- C:\Windows\System32\aEOQlma.exe
  C:\Windows\System32\aEOQlma.exe
  2⤵
  PID:6780
- C:\Windows\System32\cjViaqt.exe
  C:\Windows\System32\cjViaqt.exe
  2⤵
  PID:6820
- C:\Windows\System32\yegfzKd.exe
  C:\Windows\System32\yegfzKd.exe
  2⤵
  PID:6836
- C:\Windows\System32\oQgpdpO.exe
  C:\Windows\System32\oQgpdpO.exe
  2⤵
  PID:6876
- C:\Windows\System32\dLktxei.exe
  C:\Windows\System32\dLktxei.exe
  2⤵
  PID:6892
- C:\Windows\System32\TqKcjoP.exe
  C:\Windows\System32\TqKcjoP.exe
  2⤵
  PID:6920
- C:\Windows\System32\RuyEJHI.exe
  C:\Windows\System32\RuyEJHI.exe
  2⤵
  PID:6960
- C:\Windows\System32\vQzXdFt.exe
  C:\Windows\System32\vQzXdFt.exe
  2⤵
  PID:6976
- C:\Windows\System32\BOrAlot.exe
  C:\Windows\System32\BOrAlot.exe
  2⤵
  PID:7004
- C:\Windows\System32\aSZGiKT.exe
  C:\Windows\System32\aSZGiKT.exe
  2⤵
  PID:7044
- C:\Windows\System32\icJXeKP.exe
  C:\Windows\System32\icJXeKP.exe
  2⤵
  PID:7072
- C:\Windows\System32\KrcWVBU.exe
  C:\Windows\System32\KrcWVBU.exe
  2⤵
  PID:7100
- C:\Windows\System32\cDvGKxe.exe
  C:\Windows\System32\cDvGKxe.exe
  2⤵
  PID:7128
- C:\Windows\System32\xJjMKxR.exe
  C:\Windows\System32\xJjMKxR.exe
  2⤵
  PID:7156
- C:\Windows\System32\VsNInaa.exe
  C:\Windows\System32\VsNInaa.exe
  2⤵
  PID:6076
- C:\Windows\System32\pyoxLTV.exe
  C:\Windows\System32\pyoxLTV.exe
  2⤵
  PID:5172
- C:\Windows\System32\UWkThdu.exe
  C:\Windows\System32\UWkThdu.exe
  2⤵
  PID:5684
- C:\Windows\System32\QDYpnch.exe
  C:\Windows\System32\QDYpnch.exe
  2⤵
  PID:5856
- C:\Windows\System32\KuPUaxZ.exe
  C:\Windows\System32\KuPUaxZ.exe
  2⤵
  PID:6164
- C:\Windows\System32\EqgIsxz.exe
  C:\Windows\System32\EqgIsxz.exe
  2⤵
  PID:6268
- C:\Windows\System32\eeMFXia.exe
  C:\Windows\System32\eeMFXia.exe
  2⤵
  PID:6296
- C:\Windows\System32\ViBagGY.exe
  C:\Windows\System32\ViBagGY.exe
  2⤵
  PID:6368
- C:\Windows\System32\xhYEzqx.exe
  C:\Windows\System32\xhYEzqx.exe
  2⤵
  PID:6468
- C:\Windows\System32\zdPprtg.exe
  C:\Windows\System32\zdPprtg.exe
  2⤵
  PID:6488
- C:\Windows\System32\mkOxSGY.exe
  C:\Windows\System32\mkOxSGY.exe
  2⤵
  PID:6596
- C:\Windows\System32\GHlsDjT.exe
  C:\Windows\System32\GHlsDjT.exe
  2⤵
  PID:6644
- C:\Windows\System32\SQHyMuj.exe
  C:\Windows\System32\SQHyMuj.exe
  2⤵
  PID:6692
- C:\Windows\System32\WxflsjA.exe
  C:\Windows\System32\WxflsjA.exe
  2⤵
  PID:6792
- C:\Windows\System32\mnsMJVQ.exe
  C:\Windows\System32\mnsMJVQ.exe
  2⤵
  PID:6832
- C:\Windows\System32\MNtZFOa.exe
  C:\Windows\System32\MNtZFOa.exe
  2⤵
  PID:6916
- C:\Windows\System32\tLYkwyM.exe
  C:\Windows\System32\tLYkwyM.exe
  2⤵
  PID:6936
- C:\Windows\System32\yIywHrp.exe
  C:\Windows\System32\yIywHrp.exe
  2⤵
  PID:7036
- C:\Windows\System32\HgVPoGb.exe
  C:\Windows\System32\HgVPoGb.exe
  2⤵
  PID:7120
- C:\Windows\System32\yiKYnWm.exe
  C:\Windows\System32\yiKYnWm.exe
  2⤵
  PID:7148
- C:\Windows\System32\DNSISOr.exe
  C:\Windows\System32\DNSISOr.exe
  2⤵
  PID:3828
- C:\Windows\System32\DcPGRWa.exe
  C:\Windows\System32\DcPGRWa.exe
  2⤵
  PID:6156
- C:\Windows\System32\NEXCNXM.exe
  C:\Windows\System32\NEXCNXM.exe
  2⤵
  PID:6240
- C:\Windows\System32\YlEJVHh.exe
  C:\Windows\System32\YlEJVHh.exe
  2⤵
  PID:6444
- C:\Windows\System32\cjmOZwE.exe
  C:\Windows\System32\cjmOZwE.exe
  2⤵
  PID:6552
- C:\Windows\System32\mLTFWcI.exe
  C:\Windows\System32\mLTFWcI.exe
  2⤵
  PID:6688
- C:\Windows\System32\clbEWVS.exe
  C:\Windows\System32\clbEWVS.exe
  2⤵
  PID:6796
- C:\Windows\System32\hiIhwJx.exe
  C:\Windows\System32\hiIhwJx.exe
  2⤵
  PID:7052
- C:\Windows\System32\vHXqKHi.exe
  C:\Windows\System32\vHXqKHi.exe
  2⤵
  PID:7172
- C:\Windows\System32\bTgDevJ.exe
  C:\Windows\System32\bTgDevJ.exe
  2⤵
  PID:7200
- C:\Windows\System32\LGKdGdv.exe
  C:\Windows\System32\LGKdGdv.exe
  2⤵
  PID:7240
- C:\Windows\System32\opHuaSc.exe
  C:\Windows\System32\opHuaSc.exe
  2⤵
  PID:7256
- C:\Windows\System32\vUFoNAu.exe
  C:\Windows\System32\vUFoNAu.exe
  2⤵
  PID:7284
- C:\Windows\System32\nYcLPYj.exe
  C:\Windows\System32\nYcLPYj.exe
  2⤵
  PID:7312
- C:\Windows\System32\CQjdgwz.exe
  C:\Windows\System32\CQjdgwz.exe
  2⤵
  PID:7340
- C:\Windows\System32\WAVxoSW.exe
  C:\Windows\System32\WAVxoSW.exe
  2⤵
  PID:7380
- C:\Windows\System32\BJJnyOK.exe
  C:\Windows\System32\BJJnyOK.exe
  2⤵
  PID:7396
- C:\Windows\System32\UUNkLjC.exe
  C:\Windows\System32\UUNkLjC.exe
  2⤵
  PID:7436
- C:\Windows\System32\KtMOZXV.exe
  C:\Windows\System32\KtMOZXV.exe
  2⤵
  PID:7452
- C:\Windows\System32\VnePWYN.exe
  C:\Windows\System32\VnePWYN.exe
  2⤵
  PID:7492
- C:\Windows\System32\OldpLrl.exe
  C:\Windows\System32\OldpLrl.exe
  2⤵
  PID:7508
- C:\Windows\System32\SPuIyHy.exe
  C:\Windows\System32\SPuIyHy.exe
  2⤵
  PID:7548
- C:\Windows\System32\iDahjFx.exe
  C:\Windows\System32\iDahjFx.exe
  2⤵
  PID:7564
- C:\Windows\System32\ZCLFDKx.exe
  C:\Windows\System32\ZCLFDKx.exe
  2⤵
  PID:7596
- C:\Windows\System32\tZnthqC.exe
  C:\Windows\System32\tZnthqC.exe
  2⤵
  PID:7620
- C:\Windows\System32\xFQpSJv.exe
  C:\Windows\System32\xFQpSJv.exe
  2⤵
  PID:7660
- C:\Windows\System32\UdDwOtM.exe
  C:\Windows\System32\UdDwOtM.exe
  2⤵
  PID:7676
- C:\Windows\System32\buJubZJ.exe
  C:\Windows\System32\buJubZJ.exe
  2⤵
  PID:7716
- C:\Windows\System32\acuDoMm.exe
  C:\Windows\System32\acuDoMm.exe
  2⤵
  PID:7732
- C:\Windows\System32\PjaVSPs.exe
  C:\Windows\System32\PjaVSPs.exe
  2⤵
  PID:7772
- C:\Windows\System32\vFsDEdU.exe
  C:\Windows\System32\vFsDEdU.exe
  2⤵
  PID:7800
- C:\Windows\System32\UYFpimZ.exe
  C:\Windows\System32\UYFpimZ.exe
  2⤵
  PID:7816
- C:\Windows\System32\ocmoOkL.exe
  C:\Windows\System32\ocmoOkL.exe
  2⤵
  PID:7844
- C:\Windows\System32\FKMGnKt.exe
  C:\Windows\System32\FKMGnKt.exe
  2⤵
  PID:7872
- C:\Windows\System32\DKVsrEJ.exe
  C:\Windows\System32\DKVsrEJ.exe
  2⤵
  PID:7912
- C:\Windows\System32\RbepGvM.exe
  C:\Windows\System32\RbepGvM.exe
  2⤵
  PID:7928
- C:\Windows\System32\RAWmAvg.exe
  C:\Windows\System32\RAWmAvg.exe
  2⤵
  PID:7956
- C:\Windows\System32\JtnGDTb.exe
  C:\Windows\System32\JtnGDTb.exe
  2⤵
  PID:7984
- C:\Windows\System32\vVTwbyA.exe
  C:\Windows\System32\vVTwbyA.exe
  2⤵
  PID:8024
- C:\Windows\System32\TzrtOoV.exe
  C:\Windows\System32\TzrtOoV.exe
  2⤵
  PID:8040
- C:\Windows\System32\vhxHOiD.exe
  C:\Windows\System32\vhxHOiD.exe
  2⤵
  PID:8080
- C:\Windows\System32\OkQtpyT.exe
  C:\Windows\System32\OkQtpyT.exe
  2⤵
  PID:8108
- C:\Windows\System32\tsaYBWI.exe
  C:\Windows\System32\tsaYBWI.exe
  2⤵
  PID:8124
- C:\Windows\System32\lOPlpeC.exe
  C:\Windows\System32\lOPlpeC.exe
  2⤵
  PID:8164
- C:\Windows\System32\zqfMuhs.exe
  C:\Windows\System32\zqfMuhs.exe
  2⤵
  PID:8180
- C:\Windows\System32\IVuRwYu.exe
  C:\Windows\System32\IVuRwYu.exe
  2⤵
  PID:5276
- C:\Windows\System32\scEsEgJ.exe
  C:\Windows\System32\scEsEgJ.exe
  2⤵
  PID:6284
- C:\Windows\System32\MtBCcbb.exe
  C:\Windows\System32\MtBCcbb.exe
  2⤵
  PID:6624
- C:\Windows\System32\TRafFIw.exe
  C:\Windows\System32\TRafFIw.exe
  2⤵
  PID:7056
- C:\Windows\System32\XonCKxn.exe
  C:\Windows\System32\XonCKxn.exe
  2⤵
  PID:7196
- C:\Windows\System32\joavEZa.exe
  C:\Windows\System32\joavEZa.exe
  2⤵
  PID:7268
- C:\Windows\System32\KcwoyRF.exe
  C:\Windows\System32\KcwoyRF.exe
  2⤵
  PID:7328
- C:\Windows\System32\bKjxAYM.exe
  C:\Windows\System32\bKjxAYM.exe
  2⤵
  PID:4992
- C:\Windows\System32\alTASoc.exe
  C:\Windows\System32\alTASoc.exe
  2⤵
  PID:7476
- C:\Windows\System32\chsbxxV.exe
  C:\Windows\System32\chsbxxV.exe
  2⤵
  PID:7504
- C:\Windows\System32\ltPWirK.exe
  C:\Windows\System32\ltPWirK.exe
  2⤵
  PID:7588
- C:\Windows\System32\ynSoHhv.exe
  C:\Windows\System32\ynSoHhv.exe
  2⤵
  PID:7616
- C:\Windows\System32\RbPskQp.exe
  C:\Windows\System32\RbPskQp.exe
  2⤵
  PID:7692
- C:\Windows\System32\XQsqdkf.exe
  C:\Windows\System32\XQsqdkf.exe
  2⤵
  PID:3632
- C:\Windows\System32\dzbDFGa.exe
  C:\Windows\System32\dzbDFGa.exe
  2⤵
  PID:7792
- C:\Windows\System32\TfxHFpY.exe
  C:\Windows\System32\TfxHFpY.exe
  2⤵
  PID:1216
- C:\Windows\System32\qjDBujy.exe
  C:\Windows\System32\qjDBujy.exe
  2⤵
  PID:7888
- C:\Windows\System32\BhQDOid.exe
  C:\Windows\System32\BhQDOid.exe
  2⤵
  PID:7996
- C:\Windows\System32\XHCoCGX.exe
  C:\Windows\System32\XHCoCGX.exe
  2⤵
  PID:8032
- C:\Windows\System32\uVfwXNR.exe
  C:\Windows\System32\uVfwXNR.exe
  2⤵
  PID:8088
- C:\Windows\System32\zgcGYuM.exe
  C:\Windows\System32\zgcGYuM.exe
  2⤵
  PID:8136
- C:\Windows\System32\byHdsNW.exe
  C:\Windows\System32\byHdsNW.exe
  2⤵
  PID:3564
- C:\Windows\System32\dbkbbUD.exe
  C:\Windows\System32\dbkbbUD.exe
  2⤵
  PID:7412
- C:\Windows\System32\Stflblg.exe
  C:\Windows\System32\Stflblg.exe
  2⤵
  PID:7540
- C:\Windows\System32\fxPuczr.exe
  C:\Windows\System32\fxPuczr.exe
  2⤵
  PID:7636
- C:\Windows\System32\lrICIyc.exe
  C:\Windows\System32\lrICIyc.exe
  2⤵
  PID:7764
- C:\Windows\System32\dGkCQmu.exe
  C:\Windows\System32\dGkCQmu.exe
  2⤵
  PID:7884
- C:\Windows\System32\KVEceVI.exe
  C:\Windows\System32\KVEceVI.exe
  2⤵
  PID:400
- C:\Windows\System32\AgTqUBB.exe
  C:\Windows\System32\AgTqUBB.exe
  2⤵
  PID:8064
- C:\Windows\System32\GQOJhVG.exe
  C:\Windows\System32\GQOJhVG.exe
  2⤵
  PID:2196
- C:\Windows\System32\wVKbuug.exe
  C:\Windows\System32\wVKbuug.exe
  2⤵
  PID:8116
- C:\Windows\System32\AYBEsWa.exe
  C:\Windows\System32\AYBEsWa.exe
  2⤵
  PID:2300
- C:\Windows\System32\ihaPOFY.exe
  C:\Windows\System32\ihaPOFY.exe
  2⤵
  PID:7232
- C:\Windows\System32\vGKKKEm.exe
  C:\Windows\System32\vGKKKEm.exe
  2⤵
  PID:5008
- C:\Windows\System32\TaivXmo.exe
  C:\Windows\System32\TaivXmo.exe
  2⤵
  PID:4228
- C:\Windows\System32\TLeKuet.exe
  C:\Windows\System32\TLeKuet.exe
  2⤵
  PID:2320
- C:\Windows\System32\GljQtqB.exe
  C:\Windows\System32\GljQtqB.exe
  2⤵
  PID:3996
- C:\Windows\System32\jCNYUmk.exe
  C:\Windows\System32\jCNYUmk.exe
  2⤵
  PID:456
- C:\Windows\System32\AumTjyv.exe
  C:\Windows\System32\AumTjyv.exe
  2⤵
  PID:3176
- C:\Windows\System32\pVEnHGV.exe
  C:\Windows\System32\pVEnHGV.exe
  2⤵
  PID:7308
- C:\Windows\System32\rsTIQxQ.exe
  C:\Windows\System32\rsTIQxQ.exe
  2⤵
  PID:408
- C:\Windows\System32\smhNCzB.exe
  C:\Windows\System32\smhNCzB.exe
  2⤵
  PID:4000
- C:\Windows\System32\omunTtW.exe
  C:\Windows\System32\omunTtW.exe
  2⤵
  PID:4672
- C:\Windows\System32\HYjBTbw.exe
  C:\Windows\System32\HYjBTbw.exe
  2⤵
  PID:4040
- C:\Windows\System32\mzwBgvV.exe
  C:\Windows\System32\mzwBgvV.exe
  2⤵
  PID:7500
- C:\Windows\System32\UTocdex.exe
  C:\Windows\System32\UTocdex.exe
  2⤵
  PID:8100
- C:\Windows\System32\ULSYQpF.exe
  C:\Windows\System32\ULSYQpF.exe
  2⤵
  PID:8072
- C:\Windows\System32\YjUEtix.exe
  C:\Windows\System32\YjUEtix.exe
  2⤵
  PID:7952
- C:\Windows\System32\UBqeWOc.exe
  C:\Windows\System32\UBqeWOc.exe
  2⤵
  PID:8228
- C:\Windows\System32\uyvsXFf.exe
  C:\Windows\System32\uyvsXFf.exe
  2⤵
  PID:8248
- C:\Windows\System32\WZJRzTf.exe
  C:\Windows\System32\WZJRzTf.exe
  2⤵
  PID:8272
- C:\Windows\System32\zvukkfZ.exe
  C:\Windows\System32\zvukkfZ.exe
  2⤵
  PID:8304
- C:\Windows\System32\UNLlCNi.exe
  C:\Windows\System32\UNLlCNi.exe
  2⤵
  PID:8332
- C:\Windows\System32\NTwfQeQ.exe
  C:\Windows\System32\NTwfQeQ.exe
  2⤵
  PID:8368
- C:\Windows\System32\kWnNsLY.exe
  C:\Windows\System32\kWnNsLY.exe
  2⤵
  PID:8404
- C:\Windows\System32\BaXxtah.exe
  C:\Windows\System32\BaXxtah.exe
  2⤵
  PID:8436
- C:\Windows\System32\sYnYolh.exe
  C:\Windows\System32\sYnYolh.exe
  2⤵
  PID:8456
- C:\Windows\System32\fhiVBmh.exe
  C:\Windows\System32\fhiVBmh.exe
  2⤵
  PID:8484
- C:\Windows\System32\nVpcubY.exe
  C:\Windows\System32\nVpcubY.exe
  2⤵
  PID:8520
- C:\Windows\System32\dwyvphr.exe
  C:\Windows\System32\dwyvphr.exe
  2⤵
  PID:8552
- C:\Windows\System32\wVPcSKQ.exe
  C:\Windows\System32\wVPcSKQ.exe
  2⤵
  PID:8580
- C:\Windows\System32\XfbpvEt.exe
  C:\Windows\System32\XfbpvEt.exe
  2⤵
  PID:8624
- C:\Windows\System32\xZAGafT.exe
  C:\Windows\System32\xZAGafT.exe
  2⤵
  PID:8660
- C:\Windows\System32\vdFmlxz.exe
  C:\Windows\System32\vdFmlxz.exe
  2⤵
  PID:8688
- C:\Windows\System32\UWrlswo.exe
  C:\Windows\System32\UWrlswo.exe
  2⤵
  PID:8704
- C:\Windows\System32\nirycwG.exe
  C:\Windows\System32\nirycwG.exe
  2⤵
  PID:8744
- C:\Windows\System32\yDqQxgC.exe
  C:\Windows\System32\yDqQxgC.exe
  2⤵
  PID:8772
- C:\Windows\System32\ZnOWSUn.exe
  C:\Windows\System32\ZnOWSUn.exe
  2⤵
  PID:8800
- C:\Windows\System32\tDfYciw.exe
  C:\Windows\System32\tDfYciw.exe
  2⤵
  PID:8828
- C:\Windows\System32\UXZJcBN.exe
  C:\Windows\System32\UXZJcBN.exe
  2⤵
  PID:8860
- C:\Windows\System32\zxJPSpZ.exe
  C:\Windows\System32\zxJPSpZ.exe
  2⤵
  PID:8896
- C:\Windows\System32\IvyfHYM.exe
  C:\Windows\System32\IvyfHYM.exe
  2⤵
  PID:8924
- C:\Windows\System32\lEqeogT.exe
  C:\Windows\System32\lEqeogT.exe
  2⤵
  PID:8940
- C:\Windows\System32\hjmfxKM.exe
  C:\Windows\System32\hjmfxKM.exe
  2⤵
  PID:8980
- C:\Windows\System32\EeByJle.exe
  C:\Windows\System32\EeByJle.exe
  2⤵
  PID:9000
- C:\Windows\System32\BLvWJVH.exe
  C:\Windows\System32\BLvWJVH.exe
  2⤵
  PID:9040
- C:\Windows\System32\TljVxDP.exe
  C:\Windows\System32\TljVxDP.exe
  2⤵
  PID:9072
- C:\Windows\System32\hqSboEW.exe
  C:\Windows\System32\hqSboEW.exe
  2⤵
  PID:9088
- C:\Windows\System32\nWTpoyJ.exe
  C:\Windows\System32\nWTpoyJ.exe
  2⤵
  PID:9128
- C:\Windows\System32\UMgvpue.exe
  C:\Windows\System32\UMgvpue.exe
  2⤵
  PID:9144
- C:\Windows\System32\vIJRQaS.exe
  C:\Windows\System32\vIJRQaS.exe
  2⤵
  PID:9184
- C:\Windows\System32\iWydYYZ.exe
  C:\Windows\System32\iWydYYZ.exe
  2⤵
  PID:9200
- C:\Windows\System32\LEipZxO.exe
  C:\Windows\System32\LEipZxO.exe
  2⤵
  PID:8244
- C:\Windows\System32\ZoSsebn.exe
  C:\Windows\System32\ZoSsebn.exe
  2⤵
  PID:8316
- C:\Windows\System32\KVBnnBj.exe
  C:\Windows\System32\KVBnnBj.exe
  2⤵
  PID:8356
- C:\Windows\System32\hRMIyMV.exe
  C:\Windows\System32\hRMIyMV.exe
  2⤵
  PID:8420
- C:\Windows\System32\jXrFIqd.exe
  C:\Windows\System32\jXrFIqd.exe
  2⤵
  PID:8468
- C:\Windows\System32\WbKZptu.exe
  C:\Windows\System32\WbKZptu.exe
  2⤵
  PID:8568
- C:\Windows\System32\ENMZkXr.exe
  C:\Windows\System32\ENMZkXr.exe
  2⤵
  PID:8656
- C:\Windows\System32\MQCyPyz.exe
  C:\Windows\System32\MQCyPyz.exe
  2⤵
  PID:8788
- C:\Windows\System32\AVbcZhA.exe
  C:\Windows\System32\AVbcZhA.exe
  2⤵
  PID:8840
- C:\Windows\System32\GtqVIWa.exe
  C:\Windows\System32\GtqVIWa.exe
  2⤵
  PID:8888
- C:\Windows\System32\UBSSGhz.exe
  C:\Windows\System32\UBSSGhz.exe
  2⤵
  PID:8952
- C:\Windows\System32\uAoHaMI.exe
  C:\Windows\System32\uAoHaMI.exe
  2⤵
  PID:9056
- C:\Windows\System32\FzmvlfV.exe
  C:\Windows\System32\FzmvlfV.exe
  2⤵
  PID:9104
- C:\Windows\System32\sNVoAmw.exe
  C:\Windows\System32\sNVoAmw.exe
  2⤵
  PID:9192
- C:\Windows\System32\PZRezVF.exe
  C:\Windows\System32\PZRezVF.exe
  2⤵
  PID:8204
- C:\Windows\System32\IIZoYRc.exe
  C:\Windows\System32\IIZoYRc.exe
  2⤵
  PID:8396
- C:\Windows\System32\fgnxWpc.exe
  C:\Windows\System32\fgnxWpc.exe
  2⤵
  PID:8532
- C:\Windows\System32\pYGANlA.exe
  C:\Windows\System32\pYGANlA.exe
  2⤵
  PID:8736
- C:\Windows\System32\kxYSfnR.exe
  C:\Windows\System32\kxYSfnR.exe
  2⤵
  PID:8884
- C:\Windows\System32\dgHKxpE.exe
  C:\Windows\System32\dgHKxpE.exe
  2⤵
  PID:8880
- C:\Windows\System32\TIjXnDx.exe
  C:\Windows\System32\TIjXnDx.exe
  2⤵
  PID:9212
- C:\Windows\System32\fSLycvi.exe
  C:\Windows\System32\fSLycvi.exe
  2⤵
  PID:8644
- C:\Windows\System32\cEmAtet.exe
  C:\Windows\System32\cEmAtet.exe
  2⤵
  PID:8792
- C:\Windows\System32\MKxLybL.exe
  C:\Windows\System32\MKxLybL.exe
  2⤵
  PID:8472
- C:\Windows\System32\tWSlCKR.exe
  C:\Windows\System32\tWSlCKR.exe
  2⤵
  PID:8296
- C:\Windows\System32\dmJswpN.exe
  C:\Windows\System32\dmJswpN.exe
  2⤵
  PID:9232
- C:\Windows\System32\GZYXDjQ.exe
  C:\Windows\System32\GZYXDjQ.exe
  2⤵
  PID:9272
- C:\Windows\System32\oGbSbEB.exe
  C:\Windows\System32\oGbSbEB.exe
  2⤵
  PID:9300
- C:\Windows\System32\SNJNdAg.exe
  C:\Windows\System32\SNJNdAg.exe
  2⤵
  PID:9336
- C:\Windows\System32\ECKTiCJ.exe
  C:\Windows\System32\ECKTiCJ.exe
  2⤵
  PID:9364
- C:\Windows\System32\VVsqdKw.exe
  C:\Windows\System32\VVsqdKw.exe
  2⤵
  PID:9396
- C:\Windows\System32\cnhCzcU.exe
  C:\Windows\System32\cnhCzcU.exe
  2⤵
  PID:9424
- C:\Windows\System32\sCVzlLq.exe
  C:\Windows\System32\sCVzlLq.exe
  2⤵
  PID:9460
- C:\Windows\System32\DQfTsar.exe
  C:\Windows\System32\DQfTsar.exe
  2⤵
  PID:9488
- C:\Windows\System32\mfKwWWA.exe
  C:\Windows\System32\mfKwWWA.exe
  2⤵
  PID:9516
- C:\Windows\System32\sScOrNy.exe
  C:\Windows\System32\sScOrNy.exe
  2⤵
  PID:9552
- C:\Windows\System32\UXaAIio.exe
  C:\Windows\System32\UXaAIio.exe
  2⤵
  PID:9572
- C:\Windows\System32\XIKVNPU.exe
  C:\Windows\System32\XIKVNPU.exe
  2⤵
  PID:9608
- C:\Windows\System32\UViZwai.exe
  C:\Windows\System32\UViZwai.exe
  2⤵
  PID:9636
- C:\Windows\System32\louAkJL.exe
  C:\Windows\System32\louAkJL.exe
  2⤵
  PID:9664
- C:\Windows\System32\BfypHla.exe
  C:\Windows\System32\BfypHla.exe
  2⤵
  PID:9680
- C:\Windows\System32\DpleWke.exe
  C:\Windows\System32\DpleWke.exe
  2⤵
  PID:9716
- C:\Windows\System32\iuhdrjq.exe
  C:\Windows\System32\iuhdrjq.exe
  2⤵
  PID:9740
- C:\Windows\System32\BgJtkCJ.exe
  C:\Windows\System32\BgJtkCJ.exe
  2⤵
  PID:9776
- C:\Windows\System32\HqzlmTL.exe
  C:\Windows\System32\HqzlmTL.exe
  2⤵
  PID:9804
- C:\Windows\System32\GkvGiIU.exe
  C:\Windows\System32\GkvGiIU.exe
  2⤵
  PID:9832
- C:\Windows\System32\tUJgPtx.exe
  C:\Windows\System32\tUJgPtx.exe
  2⤵
  PID:9860
- C:\Windows\System32\VUeFxCc.exe
  C:\Windows\System32\VUeFxCc.exe
  2⤵
  PID:9916
- C:\Windows\System32\Thznzcm.exe
  C:\Windows\System32\Thznzcm.exe
  2⤵
  PID:9948
- C:\Windows\System32\PnEMOHR.exe
  C:\Windows\System32\PnEMOHR.exe
  2⤵
  PID:9968
- C:\Windows\System32\GliIPyv.exe
  C:\Windows\System32\GliIPyv.exe
  2⤵
  PID:10012
- C:\Windows\System32\elSKbsg.exe
  C:\Windows\System32\elSKbsg.exe
  2⤵
  PID:10056
- C:\Windows\System32\FLYABgl.exe
  C:\Windows\System32\FLYABgl.exe
  2⤵
  PID:10088
- C:\Windows\System32\DgFTebv.exe
  C:\Windows\System32\DgFTebv.exe
  2⤵
  PID:10112
- C:\Windows\System32\xJimsMO.exe
  C:\Windows\System32\xJimsMO.exe
  2⤵
  PID:10144
- C:\Windows\System32\gofvRpZ.exe
  C:\Windows\System32\gofvRpZ.exe
  2⤵
  PID:10176
- C:\Windows\System32\RwOXlZo.exe
  C:\Windows\System32\RwOXlZo.exe
  2⤵
  PID:10204
- C:\Windows\System32\aNpmREi.exe
  C:\Windows\System32\aNpmREi.exe
  2⤵
  PID:10232
- C:\Windows\System32\EvDHWAr.exe
  C:\Windows\System32\EvDHWAr.exe
  2⤵
  PID:9248
- C:\Windows\System32\DzWHpPg.exe
  C:\Windows\System32\DzWHpPg.exe
  2⤵
  PID:9284
- C:\Windows\System32\tAIVSNo.exe
  C:\Windows\System32\tAIVSNo.exe
  2⤵
  PID:9348
- C:\Windows\System32\gFclXSF.exe
  C:\Windows\System32\gFclXSF.exe
  2⤵
  PID:9456
- C:\Windows\System32\loWcAuq.exe
  C:\Windows\System32\loWcAuq.exe
  2⤵
  PID:9528
- C:\Windows\System32\hMXjOMz.exe
  C:\Windows\System32\hMXjOMz.exe
  2⤵
  PID:9600
- C:\Windows\System32\dpavFme.exe
  C:\Windows\System32\dpavFme.exe
  2⤵
  PID:9656
- C:\Windows\System32\VcumTGV.exe
  C:\Windows\System32\VcumTGV.exe
  2⤵
  PID:9704
- C:\Windows\System32\jRiFvtB.exe
  C:\Windows\System32\jRiFvtB.exe
  2⤵
  PID:9760
- C:\Windows\System32\EQUteSP.exe
  C:\Windows\System32\EQUteSP.exe
  2⤵
  PID:9852
- C:\Windows\System32\FeGukHD.exe
  C:\Windows\System32\FeGukHD.exe
  2⤵
  PID:9924
- C:\Windows\System32\eZadRnS.exe
  C:\Windows\System32\eZadRnS.exe
  2⤵
  PID:10032
- C:\Windows\System32\ickQrna.exe
  C:\Windows\System32\ickQrna.exe
  2⤵
  PID:10084
- C:\Windows\System32\qOenGDk.exe
  C:\Windows\System32\qOenGDk.exe
  2⤵
  PID:10196
- C:\Windows\System32\OheDKdg.exe
  C:\Windows\System32\OheDKdg.exe
  2⤵
  PID:8424
- C:\Windows\System32\HrpZIwP.exe
  C:\Windows\System32\HrpZIwP.exe
  2⤵
  PID:9408
- C:\Windows\System32\SnpDCHy.exe
  C:\Windows\System32\SnpDCHy.exe
  2⤵
  PID:9476
- C:\Windows\System32\LSbhSkb.exe
  C:\Windows\System32\LSbhSkb.exe
  2⤵
  PID:9692
- C:\Windows\System32\azkSOMJ.exe
  C:\Windows\System32\azkSOMJ.exe
  2⤵
  PID:9828
- C:\Windows\System32\GKkOhsk.exe
  C:\Windows\System32\GKkOhsk.exe
  2⤵
  PID:10096
- C:\Windows\System32\LHmZDuu.exe
  C:\Windows\System32\LHmZDuu.exe
  2⤵
  PID:10228
- C:\Windows\System32\bCAkWQq.exe
  C:\Windows\System32\bCAkWQq.exe
  2⤵
  PID:9268
- C:\Windows\System32\xqTpqNd.exe
  C:\Windows\System32\xqTpqNd.exe
  2⤵
  PID:9792
- C:\Windows\System32\sjiGaxq.exe
  C:\Windows\System32\sjiGaxq.exe
  2⤵
  PID:9332
- C:\Windows\System32\ouYsjlm.exe
  C:\Windows\System32\ouYsjlm.exe
  2⤵
  PID:9648
- C:\Windows\System32\rhemlpX.exe
  C:\Windows\System32\rhemlpX.exe
  2⤵
  PID:10132
- C:\Windows\System32\EvilJBf.exe
  C:\Windows\System32\EvilJBf.exe
  2⤵
  PID:10256
- C:\Windows\System32\gXpCdKm.exe
  C:\Windows\System32\gXpCdKm.exe
  2⤵
  PID:10272
- C:\Windows\System32\zuvaIMm.exe
  C:\Windows\System32\zuvaIMm.exe
  2⤵
  PID:10332
- C:\Windows\System32\ixLuyFG.exe
  C:\Windows\System32\ixLuyFG.exe
  2⤵
  PID:10376
- C:\Windows\System32\lGFwbqN.exe
  C:\Windows\System32\lGFwbqN.exe
  2⤵
  PID:10404
- C:\Windows\System32\UJgyjqW.exe
  C:\Windows\System32\UJgyjqW.exe
  2⤵
  PID:10432
- C:\Windows\System32\QnoFqth.exe
  C:\Windows\System32\QnoFqth.exe
  2⤵
  PID:10460
- C:\Windows\System32\sMIUYea.exe
  C:\Windows\System32\sMIUYea.exe
  2⤵
  PID:10488
- C:\Windows\System32\dadhrAf.exe
  C:\Windows\System32\dadhrAf.exe
  2⤵
  PID:10516
- C:\Windows\System32\zwjrsNn.exe
  C:\Windows\System32\zwjrsNn.exe
  2⤵
  PID:10548
- C:\Windows\System32\TQPpbqT.exe
  C:\Windows\System32\TQPpbqT.exe
  2⤵
  PID:10572
- C:\Windows\System32\hcqNMRm.exe
  C:\Windows\System32\hcqNMRm.exe
  2⤵
  PID:10588
- C:\Windows\System32\DDQavBr.exe
  C:\Windows\System32\DDQavBr.exe
  2⤵
  PID:10628
- C:\Windows\System32\noaJjYc.exe
  C:\Windows\System32\noaJjYc.exe
  2⤵
  PID:10660
- C:\Windows\System32\vulNOeZ.exe
  C:\Windows\System32\vulNOeZ.exe
  2⤵
  PID:10688
- C:\Windows\System32\fzmnwvE.exe
  C:\Windows\System32\fzmnwvE.exe
  2⤵
  PID:10716
- C:\Windows\System32\FLnvfOn.exe
  C:\Windows\System32\FLnvfOn.exe
  2⤵
  PID:10744
- C:\Windows\System32\LeCWPSp.exe
  C:\Windows\System32\LeCWPSp.exe
  2⤵
  PID:10768
- C:\Windows\System32\kNORqoX.exe
  C:\Windows\System32\kNORqoX.exe
  2⤵
  PID:10792
- C:\Windows\System32\ngoDUxq.exe
  C:\Windows\System32\ngoDUxq.exe
  2⤵
  PID:10828
- C:\Windows\System32\WdfyhhZ.exe
  C:\Windows\System32\WdfyhhZ.exe
  2⤵
  PID:10856
- C:\Windows\System32\CESziId.exe
  C:\Windows\System32\CESziId.exe
  2⤵
  PID:10880
- C:\Windows\System32\hbYuUyr.exe
  C:\Windows\System32\hbYuUyr.exe
  2⤵
  PID:10908
- C:\Windows\System32\sXVYfTN.exe
  C:\Windows\System32\sXVYfTN.exe
  2⤵
  PID:10932
- C:\Windows\System32\ESAQBEa.exe
  C:\Windows\System32\ESAQBEa.exe
  2⤵
  PID:10968
- C:\Windows\System32\UzAOOVr.exe
  C:\Windows\System32\UzAOOVr.exe
  2⤵
  PID:11000
- C:\Windows\System32\ONcpsdx.exe
  C:\Windows\System32\ONcpsdx.exe
  2⤵
  PID:11016
- C:\Windows\System32\ViIhtbc.exe
  C:\Windows\System32\ViIhtbc.exe
  2⤵
  PID:11044
- C:\Windows\System32\WvPnxxx.exe
  C:\Windows\System32\WvPnxxx.exe
  2⤵
  PID:11084
- C:\Windows\System32\WlQpRvH.exe
  C:\Windows\System32\WlQpRvH.exe
  2⤵
  PID:11104
- C:\Windows\System32\xUgVDAj.exe
  C:\Windows\System32\xUgVDAj.exe
  2⤵
  PID:11140
- C:\Windows\System32\dYoOoIn.exe
  C:\Windows\System32\dYoOoIn.exe
  2⤵
  PID:11168
- C:\Windows\System32\PIwcXsA.exe
  C:\Windows\System32\PIwcXsA.exe
  2⤵
  PID:11196
- C:\Windows\System32\KBHHWzX.exe
  C:\Windows\System32\KBHHWzX.exe
  2⤵
  PID:11224
- C:\Windows\System32\ZYTWrcx.exe
  C:\Windows\System32\ZYTWrcx.exe
  2⤵
  PID:11252
- C:\Windows\System32\ymvpiqv.exe
  C:\Windows\System32\ymvpiqv.exe
  2⤵
  PID:9596
- C:\Windows\System32\wWvdafL.exe
  C:\Windows\System32\wWvdafL.exe
  2⤵
  PID:10316
- C:\Windows\System32\Xudebsp.exe
  C:\Windows\System32\Xudebsp.exe
  2⤵
  PID:10300
- C:\Windows\System32\cBalobd.exe
  C:\Windows\System32\cBalobd.exe
  2⤵
  PID:9900
- C:\Windows\System32\WtQuFLu.exe
  C:\Windows\System32\WtQuFLu.exe
  2⤵
  PID:10560
- C:\Windows\System32\kEzIyVD.exe
  C:\Windows\System32\kEzIyVD.exe
  2⤵
  PID:10620
- C:\Windows\System32\WZDjdfu.exe
  C:\Windows\System32\WZDjdfu.exe
  2⤵
  PID:10740
- C:\Windows\System32\HlYTTxV.exe
  C:\Windows\System32\HlYTTxV.exe
  2⤵
  PID:10820
- C:\Windows\System32\LNRKhqK.exe
  C:\Windows\System32\LNRKhqK.exe
  2⤵
  PID:10920
- C:\Windows\System32\GShvuJD.exe
  C:\Windows\System32\GShvuJD.exe
  2⤵
  PID:10948
- C:\Windows\System32\pvYQoRO.exe
  C:\Windows\System32\pvYQoRO.exe
  2⤵
  PID:11008
- C:\Windows\System32\bWHUkkY.exe
  C:\Windows\System32\bWHUkkY.exe
  2⤵
  PID:11076
- C:\Windows\System32\wIdSRJh.exe
  C:\Windows\System32\wIdSRJh.exe
  2⤵
  PID:11132
- C:\Windows\System32\EeoyqJs.exe
  C:\Windows\System32\EeoyqJs.exe
  2⤵
  PID:9956
- C:\Windows\System32\DPdXEXg.exe
  C:\Windows\System32\DPdXEXg.exe
  2⤵
  PID:10252
- C:\Windows\System32\dARxtTQ.exe
  C:\Windows\System32\dARxtTQ.exe
  2⤵
  PID:10448
- C:\Windows\System32\rLDMajG.exe
  C:\Windows\System32\rLDMajG.exe
  2⤵
  PID:10600
- C:\Windows\System32\SJlDEse.exe
  C:\Windows\System32\SJlDEse.exe
  2⤵
  PID:10836
- C:\Windows\System32\IrDcghL.exe
  C:\Windows\System32\IrDcghL.exe
  2⤵
  PID:9452
- C:\Windows\System32\fojdKcD.exe
  C:\Windows\System32\fojdKcD.exe
  2⤵
  PID:10976
- C:\Windows\System32\YmkaUwJ.exe
  C:\Windows\System32\YmkaUwJ.exe
  2⤵
  PID:10780
- C:\Windows\System32\QODgOhg.exe
  C:\Windows\System32\QODgOhg.exe
  2⤵
  PID:10652
- C:\Windows\System32\DCLJKMx.exe
  C:\Windows\System32\DCLJKMx.exe
  2⤵
  PID:11036
- C:\Windows\System32\VjgmOLK.exe
  C:\Windows\System32\VjgmOLK.exe
  2⤵
  PID:9312
- C:\Windows\System32\Rtalayb.exe
  C:\Windows\System32\Rtalayb.exe
  2⤵
  PID:11160
- C:\Windows\System32\WcjhzvZ.exe
  C:\Windows\System32\WcjhzvZ.exe
  2⤵
  PID:11268
- C:\Windows\System32\jIlmWxQ.exe
  C:\Windows\System32\jIlmWxQ.exe
  2⤵
  PID:11296
- C:\Windows\System32\WPdsSiC.exe
  C:\Windows\System32\WPdsSiC.exe
  2⤵
  PID:11324
- C:\Windows\System32\WQoucdW.exe
  C:\Windows\System32\WQoucdW.exe
  2⤵
  PID:11352
- C:\Windows\System32\cJHLWyg.exe
  C:\Windows\System32\cJHLWyg.exe
  2⤵
  PID:11380
- C:\Windows\System32\YRHjvMq.exe
  C:\Windows\System32\YRHjvMq.exe
  2⤵
  PID:11408
- C:\Windows\System32\dWtrjOL.exe
  C:\Windows\System32\dWtrjOL.exe
  2⤵
  PID:11436
- C:\Windows\System32\TVmCfpv.exe
  C:\Windows\System32\TVmCfpv.exe
  2⤵
  PID:11472
- C:\Windows\System32\kOodkHE.exe
  C:\Windows\System32\kOodkHE.exe
  2⤵
  PID:11500
- C:\Windows\System32\PbdHhMC.exe
  C:\Windows\System32\PbdHhMC.exe
  2⤵
  PID:11528
- C:\Windows\System32\wqjQfdP.exe
  C:\Windows\System32\wqjQfdP.exe
  2⤵
  PID:11556
- C:\Windows\System32\lPixPAm.exe
  C:\Windows\System32\lPixPAm.exe
  2⤵
  PID:11584
- C:\Windows\System32\ohPAtAB.exe
  C:\Windows\System32\ohPAtAB.exe
  2⤵
  PID:11620
- C:\Windows\System32\JDQICpD.exe
  C:\Windows\System32\JDQICpD.exe
  2⤵
  PID:11648
- C:\Windows\System32\Okovrxz.exe
  C:\Windows\System32\Okovrxz.exe
  2⤵
  PID:11676
- C:\Windows\System32\EubhutW.exe
  C:\Windows\System32\EubhutW.exe
  2⤵
  PID:11708
- C:\Windows\System32\eYraaBq.exe
  C:\Windows\System32\eYraaBq.exe
  2⤵
  PID:11724
- C:\Windows\System32\PdvHVrR.exe
  C:\Windows\System32\PdvHVrR.exe
  2⤵
  PID:11764
- C:\Windows\System32\epPfDrS.exe
  C:\Windows\System32\epPfDrS.exe
  2⤵
  PID:11788
- C:\Windows\System32\LaqPpiW.exe
  C:\Windows\System32\LaqPpiW.exe
  2⤵
  PID:11828
- C:\Windows\System32\mMNZROm.exe
  C:\Windows\System32\mMNZROm.exe
  2⤵
  PID:11864
- C:\Windows\System32\ucpFFfn.exe
  C:\Windows\System32\ucpFFfn.exe
  2⤵
  PID:11892
- C:\Windows\System32\tyQsnWD.exe
  C:\Windows\System32\tyQsnWD.exe
  2⤵
  PID:11908
- C:\Windows\System32\PYLbEwg.exe
  C:\Windows\System32\PYLbEwg.exe
  2⤵
  PID:11968
- C:\Windows\System32\JvIZHfZ.exe
  C:\Windows\System32\JvIZHfZ.exe
  2⤵
  PID:12008
- C:\Windows\System32\dlMsdDL.exe
  C:\Windows\System32\dlMsdDL.exe
  2⤵
  PID:12052
- C:\Windows\System32\QFSRPwc.exe
  C:\Windows\System32\QFSRPwc.exe
  2⤵
  PID:12104
- C:\Windows\System32\TIzHJtN.exe
  C:\Windows\System32\TIzHJtN.exe
  2⤵
  PID:12140
- C:\Windows\System32\HbKyOVS.exe
  C:\Windows\System32\HbKyOVS.exe
  2⤵
  PID:12208
- C:\Windows\System32\cdRLwoj.exe
  C:\Windows\System32\cdRLwoj.exe
  2⤵
  PID:12256
- C:\Windows\System32\oEaigiJ.exe
  C:\Windows\System32\oEaigiJ.exe
  2⤵
  PID:12272
- C:\Windows\System32\oNuvHiR.exe
  C:\Windows\System32\oNuvHiR.exe
  2⤵
  PID:11308
- C:\Windows\System32\sZfgcIl.exe
  C:\Windows\System32\sZfgcIl.exe
  2⤵
  PID:11364
- C:\Windows\System32\OxJZWDt.exe
  C:\Windows\System32\OxJZWDt.exe
  2⤵
  PID:11464
- C:\Windows\System32\vjGfroG.exe
  C:\Windows\System32\vjGfroG.exe
  2⤵
  PID:11524
- C:\Windows\System32\cegRkPC.exe
  C:\Windows\System32\cegRkPC.exe
  2⤵
  PID:11600
- C:\Windows\System32\nfpPTMP.exe
  C:\Windows\System32\nfpPTMP.exe
  2⤵
  PID:11672
- C:\Windows\System32\aiJximU.exe
  C:\Windows\System32\aiJximU.exe
  2⤵
  PID:11748
- C:\Windows\System32\HhadoEX.exe
  C:\Windows\System32\HhadoEX.exe
  2⤵
  PID:11816
- C:\Windows\System32\HzUfPxf.exe
  C:\Windows\System32\HzUfPxf.exe
  2⤵
  PID:11932
- C:\Windows\System32\uYHUfIs.exe
  C:\Windows\System32\uYHUfIs.exe
  2⤵
  PID:12044
- C:\Windows\System32\kIrhdXn.exe
  C:\Windows\System32\kIrhdXn.exe
  2⤵
  PID:12156
- C:\Windows\System32\CAphWUk.exe
  C:\Windows\System32\CAphWUk.exe
  2⤵
  PID:12268
- C:\Windows\System32\KqXALbo.exe
  C:\Windows\System32\KqXALbo.exe
  2⤵
  PID:11400
- C:\Windows\System32\AqYvlpp.exe
  C:\Windows\System32\AqYvlpp.exe
  2⤵
  PID:11552
- C:\Windows\System32\nOpvPHV.exe
  C:\Windows\System32\nOpvPHV.exe
  2⤵
  PID:11716
- C:\Windows\System32\OZPBxxo.exe
  C:\Windows\System32\OZPBxxo.exe
  2⤵
  PID:11884
- C:\Windows\System32\AKijtai.exe
  C:\Windows\System32\AKijtai.exe
  2⤵
  PID:12132
- C:\Windows\System32\uIvfruj.exe
  C:\Windows\System32\uIvfruj.exe
  2⤵
  PID:11492
- C:\Windows\System32\yvHxWIm.exe
  C:\Windows\System32\yvHxWIm.exe
  2⤵
  PID:11804
- C:\Windows\System32\iHzdlEE.exe
  C:\Windows\System32\iHzdlEE.exe
  2⤵
  PID:11668
- C:\Windows\System32\ICLOTPG.exe
  C:\Windows\System32\ICLOTPG.exe
  2⤵
  PID:11448
- C:\Windows\System32\vAzGHfd.exe
  C:\Windows\System32\vAzGHfd.exe
  2⤵
  PID:12316
- C:\Windows\System32\IhgGtlT.exe
  C:\Windows\System32\IhgGtlT.exe
  2⤵
  PID:12348
- C:\Windows\System32\QLDSZrP.exe
  C:\Windows\System32\QLDSZrP.exe
  2⤵
  PID:12376
- C:\Windows\System32\aBnrXNr.exe
  C:\Windows\System32\aBnrXNr.exe
  2⤵
  PID:12404
- C:\Windows\System32\ltbcept.exe
  C:\Windows\System32\ltbcept.exe
  2⤵
  PID:12432
- C:\Windows\System32\WJiviPk.exe
  C:\Windows\System32\WJiviPk.exe
  2⤵
  PID:12460
- C:\Windows\System32\XyRpWDa.exe
  C:\Windows\System32\XyRpWDa.exe
  2⤵
  PID:12488
- C:\Windows\System32\uoqiysG.exe
  C:\Windows\System32\uoqiysG.exe
  2⤵
  PID:12528
- C:\Windows\System32\PKINcSf.exe
  C:\Windows\System32\PKINcSf.exe
  2⤵
  PID:12556
- C:\Windows\System32\GztBcSA.exe
  C:\Windows\System32\GztBcSA.exe
  2⤵
  PID:12584
- C:\Windows\System32\TpYejbO.exe
  C:\Windows\System32\TpYejbO.exe
  2⤵
  PID:12616
- C:\Windows\System32\lzIrSqp.exe
  C:\Windows\System32\lzIrSqp.exe
  2⤵
  PID:12644
- C:\Windows\System32\dmubMgx.exe
  C:\Windows\System32\dmubMgx.exe
  2⤵
  PID:12672
- C:\Windows\System32\fLoyohC.exe
  C:\Windows\System32\fLoyohC.exe
  2⤵
  PID:12700
- C:\Windows\System32\PPBwLSn.exe
  C:\Windows\System32\PPBwLSn.exe
  2⤵
  PID:12728
- C:\Windows\System32\KkDdZAg.exe
  C:\Windows\System32\KkDdZAg.exe
  2⤵
  PID:12756
- C:\Windows\System32\aFmEJgF.exe
  C:\Windows\System32\aFmEJgF.exe
  2⤵
  PID:12784
- C:\Windows\System32\qWlJScx.exe
  C:\Windows\System32\qWlJScx.exe
  2⤵
  PID:12812
- C:\Windows\System32\dYtkzkH.exe
  C:\Windows\System32\dYtkzkH.exe
  2⤵
  PID:12840
- C:\Windows\System32\flYAVXS.exe
  C:\Windows\System32\flYAVXS.exe
  2⤵
  PID:12868
- C:\Windows\System32\uymWhXT.exe
  C:\Windows\System32\uymWhXT.exe
  2⤵
  PID:12896
- C:\Windows\System32\jCHzGOX.exe
  C:\Windows\System32\jCHzGOX.exe
  2⤵
  PID:12924
- C:\Windows\System32\AQhJPjT.exe
  C:\Windows\System32\AQhJPjT.exe
  2⤵
  PID:12952
- C:\Windows\System32\bZeYBiV.exe
  C:\Windows\System32\bZeYBiV.exe
  2⤵
  PID:12980
- C:\Windows\System32\ceySpFf.exe
  C:\Windows\System32\ceySpFf.exe
  2⤵
  PID:13016
- C:\Windows\System32\JWMGdUg.exe
  C:\Windows\System32\JWMGdUg.exe
  2⤵
  PID:13044
- C:\Windows\System32\VLmsSxC.exe
  C:\Windows\System32\VLmsSxC.exe
  2⤵
  PID:13100
- C:\Windows\System32\anEmgaX.exe
  C:\Windows\System32\anEmgaX.exe
  2⤵
  PID:13120
- C:\Windows\System32\TpCjVvW.exe
  C:\Windows\System32\TpCjVvW.exe
  2⤵
  PID:13148
- C:\Windows\System32\wdBPdap.exe
  C:\Windows\System32\wdBPdap.exe
  2⤵
  PID:13176
- C:\Windows\System32\QgpGxvy.exe
  C:\Windows\System32\QgpGxvy.exe
  2⤵
  PID:13204
- C:\Windows\System32\AcvngxX.exe
  C:\Windows\System32\AcvngxX.exe
  2⤵
  PID:13232
- C:\Windows\System32\jnRRVNR.exe
  C:\Windows\System32\jnRRVNR.exe
  2⤵
  PID:13260
- C:\Windows\System32\AKTckyr.exe
  C:\Windows\System32\AKTckyr.exe
  2⤵
  PID:13288
- C:\Windows\System32\nyLnKIX.exe
  C:\Windows\System32\nyLnKIX.exe
  2⤵
  PID:12304
- C:\Windows\System32\RjpFxVr.exe
  C:\Windows\System32\RjpFxVr.exe
  2⤵
  PID:12368
- C:\Windows\System32\LlcxyLT.exe
  C:\Windows\System32\LlcxyLT.exe
  2⤵
  PID:12428
- C:\Windows\System32\JMYkaPV.exe
  C:\Windows\System32\JMYkaPV.exe
  2⤵
  PID:12508
- C:\Windows\System32\pbztdoc.exe
  C:\Windows\System32\pbztdoc.exe
  2⤵
  PID:12580
- C:\Windows\System32\rTqdCTB.exe
  C:\Windows\System32\rTqdCTB.exe
  2⤵
  PID:12660
- C:\Windows\System32\iTeLKXJ.exe
  C:\Windows\System32\iTeLKXJ.exe
  2⤵
  PID:12720
- C:\Windows\System32\bExmyFZ.exe
  C:\Windows\System32\bExmyFZ.exe
  2⤵
  PID:12780
- C:\Windows\System32\GawqzHV.exe
  C:\Windows\System32\GawqzHV.exe
  2⤵
  PID:12852
- C:\Windows\System32\qzQlRnc.exe
  C:\Windows\System32\qzQlRnc.exe
  2⤵
  PID:12916
- C:\Windows\System32\RoaqgyS.exe
  C:\Windows\System32\RoaqgyS.exe
  2⤵
  PID:12976
- C:\Windows\System32\LjsEqvC.exe
  C:\Windows\System32\LjsEqvC.exe
  2⤵
  PID:13012
- C:\Windows\System32\TBQnrzF.exe
  C:\Windows\System32\TBQnrzF.exe
  2⤵
  PID:13040
- C:\Windows\System32\kuegnDI.exe
  C:\Windows\System32\kuegnDI.exe
  2⤵
  PID:13116
- C:\Windows\System32\SUFKiMS.exe
  C:\Windows\System32\SUFKiMS.exe
  2⤵
  PID:13188
- C:\Windows\System32\eDLczqw.exe
  C:\Windows\System32\eDLczqw.exe
  2⤵
  PID:13252
- C:\Windows\System32\UkPnsQN.exe
  C:\Windows\System32\UkPnsQN.exe
  2⤵
  PID:11348
- C:\Windows\System32\OFXPhvs.exe
  C:\Windows\System32\OFXPhvs.exe
  2⤵
  PID:12472
- C:\Windows\System32\LSjUxby.exe
  C:\Windows\System32\LSjUxby.exe
  2⤵
  PID:12636
- C:\Windows\System32\HNuOEnh.exe
  C:\Windows\System32\HNuOEnh.exe
  2⤵
  PID:12776
- C:\Windows\System32\OvnXFrI.exe
  C:\Windows\System32\OvnXFrI.exe
  2⤵
  PID:12944
- C:\Windows\System32\mhvigzp.exe
  C:\Windows\System32\mhvigzp.exe
  2⤵
  PID:13028
- C:\Windows\System32\wCaZGmn.exe
  C:\Windows\System32\wCaZGmn.exe
  2⤵
  PID:13172
- C:\Windows\System32\PHUbjkN.exe
  C:\Windows\System32\PHUbjkN.exe
  2⤵
  PID:12360
- C:\Windows\System32\yqVJllD.exe
  C:\Windows\System32\yqVJllD.exe
  2⤵
  PID:12576
- C:\Windows\System32\fMyRdgl.exe
  C:\Windows\System32\fMyRdgl.exe
  2⤵
  PID:1320
- C:\Windows\System32\AtOdZZU.exe
  C:\Windows\System32\AtOdZZU.exe
  2⤵
  PID:12548
- C:\Windows\System32\TexREvG.exe
  C:\Windows\System32\TexREvG.exe
  2⤵
  PID:12892
- C:\Windows\System32\vAiqjzm.exe
  C:\Windows\System32\vAiqjzm.exe
  2⤵
  PID:13336
- C:\Windows\System32\dTTRzuX.exe
  C:\Windows\System32\dTTRzuX.exe
  2⤵
  PID:13364
- C:\Windows\System32\bxYAThK.exe
  C:\Windows\System32\bxYAThK.exe
  2⤵
  PID:13392
- C:\Windows\System32\vfbuGaj.exe
  C:\Windows\System32\vfbuGaj.exe
  2⤵
  PID:13420
- C:\Windows\System32\YYbOczg.exe
  C:\Windows\System32\YYbOczg.exe
  2⤵
  PID:13448
- C:\Windows\System32\MPvHwNd.exe
  C:\Windows\System32\MPvHwNd.exe
  2⤵
  PID:13476
- C:\Windows\System32\ultfChK.exe
  C:\Windows\System32\ultfChK.exe
  2⤵
  PID:13504
- C:\Windows\System32\YxCReRY.exe
  C:\Windows\System32\YxCReRY.exe
  2⤵
  PID:13532
- C:\Windows\System32\JHKRgLW.exe
  C:\Windows\System32\JHKRgLW.exe
  2⤵
  PID:13560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:7248

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AHglJmz.exe

Filesize
3.1MB

MD5
cb5fa1e5f7dfa0e4faa9ccee0fa7d371

SHA1
8b8b01f14378939ea0cf44cbf5d25804b4fb5ce4

SHA256
fe5b206fd5d6cb2240ea7f0ba7ba36b1ab62cc2c690e2aca83c4c668a085aaaf

SHA512
a791a8871140d31849a635df53c1e408ebc4e4406695434f83c402b469a933e58f39c8ba5a260f3246d653a8259f1c54c297ccbef50427707a0b571af169f65d

Download Submit
C:\Windows\System32\DPaovtR.exe

Filesize
3.1MB

MD5
b07b78855d1e7cfc290b003816ea4d9e

SHA1
f58d57f84a2b3c813cad80433b95ced41683be10

SHA256
50a98e30f183448b8811f859221fffa08a8cabcba504212d7ae17c3afb13cec5

SHA512
094f33db42c2acb73ca707584538226f19706f816d65a3872fae01fe57268e6cf48c2a6c4ab23a1b616be938c698c68c47d5e97cf6c14ac3526f3d2e1d7ccc0a

Download Submit
C:\Windows\System32\EoBXrHT.exe

Filesize
3.1MB

MD5
58f719fd359b5b4fb508c3e1189d416e

SHA1
8be6ed26c3dbd8038e2df07d743a9db59552fae5

SHA256
ce08e104ee807b8a3a0bb732b44173e79a0209ccfc8d6b6794aeb96a08735779

SHA512
fae944043d7c033335fdcd9043252e1733e6a0155a0385ac39454bce3b8279f97d245e683842766c8d80e61ce14713f0e601870cb600a915ad8a8bc151e62609

Download Submit
C:\Windows\System32\EqHwJXE.exe

Filesize
3.1MB

MD5
2a37c2778ba5d1f6b465fd3e789a63f3

SHA1
568f2858575bd4bcf37e70581653f6ed7d87bdb7

SHA256
93bb5171e9f4a24d1861af1b1d75e69c312215bd91149aba35faae46b0bf78c2

SHA512
2b35fcc68a68ca85aab4372ef3824b6d7eb147390f070b4185c42bf9369d4f9720d7d133a7e585013be7b4a5ceb90cd102b33e935ffbf973d92a26309403cfdf

Download Submit
C:\Windows\System32\IPIzpWj.exe

Filesize
3.1MB

MD5
a43e648ecdda7e500c44724a1c23f194

SHA1
122b7be4c249953f1edfd760d8754a4f5f1abd6c

SHA256
d3b5d43c9b890ebd8f9cb75a650d2ca7e4f561a91c0b0b3f6108a1efb807a4fa

SHA512
aae4c300fc981a3362636eba5b5c81cc081df0f0a9280e973c9a33c0389b99c7bfbb27e1d012f141011bcb4066551033606e02e872cb974a240dc17bde9abcf1

Download Submit
C:\Windows\System32\InbSITw.exe

Filesize
3.1MB

MD5
04af813ad1d0fd55ef0db3d04ff553cc

SHA1
2b251699ebd169aef35e768b8620ecc9cf543cad

SHA256
8a4703d0795d9cccd3955ddcd4a223666c53594d73525c7b469424c11665ffd7

SHA512
48d2fda4c9d1218d5091411177c920269dc9cd85057fa5fc7bb2e63b8abb59d5af3b98fddaf38ef9c77e109ba40ccc3d4f6ee861a7fcb9aa8aece17c9efcd60e

Download Submit
C:\Windows\System32\NdDeFKh.exe

Filesize
3.1MB

MD5
24e810060117ad3796e199154acc255a

SHA1
a550b2d151ee9f7122841fb7e77911923c16cfc5

SHA256
75d2f4e5f0dc2b6e9b36cdcaf02b2119aec9986238c0b140dc1ec4242fba1360

SHA512
1d1574ae8b048b14d5b5b4b0d718ae4c5bb1df0bec83ef20158e721e88d985e6646544f2028c16075ee29f0c83a4dda0b81333bfe86ab10358f45ede0eb2e49c

Download Submit
C:\Windows\System32\NfgBMcG.exe

Filesize
3.1MB

MD5
203d277e022e80a0e6ca1332d0f70a15

SHA1
5805c3b3bf3845a68eabf186579f9560d616a23d

SHA256
b01895a268bcde9fa331164297810997210cf69c3253178c514beba6e6ff0463

SHA512
d15c54c1869466f841f6b1b8df4fe988c22c13ede1f67065b36ac84c901ac1b98d59e4c2f7e33c513a2c50e3a2e751be55a2fa68f544eafed3ae98e099d72a03

Download Submit
C:\Windows\System32\PmfzbDT.exe

Filesize
3.1MB

MD5
cd92fdd81bed684a4c9c843cb5edb784

SHA1
20bae3b796bbfe3037c52e54d59981b461e528c5

SHA256
bd4eb9e1293cb118c2f1f1a0be0657952259280a0043dada068e886213c11f1a

SHA512
e8bc78f27055a60be6889f1fbc6e2b3923b9e2446e26ae2d80b3014c8e9c4c8a4796d4c4640acc52e6ce17a4f3664045a3a17920a196e08d9f3e3782fb701879

Download Submit
C:\Windows\System32\PtUYSbY.exe

Filesize
3.1MB

MD5
509f05e07c534ee8fd5294d6e0a24197

SHA1
119531887373b92a02b6b0bad24603e46d0dc6bb

SHA256
d582f682528a290c7bbd283ad517c35944f25d4baead5ce83b17e95afb9009af

SHA512
966f9e988c85cc464889f2d93e4066e7859359dfa8557f7747b4f20d1f23ebff45c1b901f3a0cbb7fd00fa1e0997b6f182837e5aca0f1a3e68f3af501ecf36cf

Download Submit
C:\Windows\System32\QfvLJOh.exe

Filesize
3.1MB

MD5
1b549d8e88df8d14c6a48c5410c21c97

SHA1
63a0c0aeb04c618a6d8cfc44b574441d66f36bfc

SHA256
85f6fcb81f2a1671304a7c0b9931f45c3c00c35384ef1afb4a218308cd091b24

SHA512
42554b76d113db933680685b3b8024e09b92eab5fee8fef2b85464f2dfccea3c85c89844768c13df77ee64f7aa29af5f960a4cb3c8305b1d3f8d6028ebb103b3

Download Submit
C:\Windows\System32\TGQtpvq.exe

Filesize
3.1MB

MD5
03c9898a159ca6a537dbf75a28e06db1

SHA1
5b094ca7327c99aaea5f9cd8b2fb5076f79e4d6a

SHA256
223984e9b48d457b1b29749acdaa2f8dd4323fc3b2de9015b7655d97165ba350

SHA512
7e8600b2bd60c76be3693fcb7ab38fd695941f0d3a353d88335fcc20cc8f3ac2f13ea2336127c0d29d8c5a56acdc8cb9b92a4f89e3ff920b6796a6b5ece58243

Download Submit
C:\Windows\System32\UbILHgl.exe

Filesize
3.1MB

MD5
2b00d0db63b58a31f9e096be2c135f70

SHA1
3a089ead97d6cb395a2c37fec7fc0990e7a6e87d

SHA256
8bf91a1fb88546a5ec41428197c72679ead584a517e9bcd907eb616f39639f97

SHA512
a1686b94ceba5d17773cfbfccbe1a6ce010f5bcda1157467dea14512753fa00cd042bd787baf06f4822f981242f29453799de3aec1bb81f3db0ed2a106ba31cc

Download Submit
C:\Windows\System32\VwBEOTK.exe

Filesize
3.1MB

MD5
fc31128ebf0359c6174f58a38faa573f

SHA1
b51c37c1b418054869460732e1dae13817f3cf2f

SHA256
c74d95bc51bdf901102da38d46ba3eb4e5cfd036899e2f776ae3ddf27d6e10c1

SHA512
5fd8094ec9e8c5487c2dca7b8a6dcc84fa90530537d326e34b7b3c255bb2ac314ab77aa2e0cd645eb6832bc958afae25ba1b54f4adbc7cfd32f25915aa5ec58e

Download Submit
C:\Windows\System32\YVsOMao.exe

Filesize
3.1MB

MD5
a57fc39d79f211eadf68d1b999d415fb

SHA1
684bf2a139612f05b766dfcdb12bcf1154274012

SHA256
06fd9a013dcd0d37da7af75d867550a1edd681e73d975e439a84b9bbd8ed7d72

SHA512
14bbec0273b309d152f0bce88bbfec94aa8fb9813440d3498a36e5da242f79030c4944cb2c110a430e1dbdfec0e130b92a63888ef5100157eb35b7f7e4ff4e72

Download Submit
C:\Windows\System32\eCFlRgX.exe

Filesize
3.1MB

MD5
42c32f4c5570d37898eba2e763efdf7b

SHA1
6a88a927b7e9b12de713e9e404e21037ab84d6cf

SHA256
81e8dfb41a944d814a3ff7d927ac7d3bc78302d5c1e20c6e5f611fe94727c5fa

SHA512
fa8891d2ffd2fe82c0db0e5708cd478891151eb52ff4c7ad1c97ca4d4b4603a81ea8eb3cabdf79c266929dfce024c14a5afb22e8efde5bf6b39c30f032c45a55

Download Submit
C:\Windows\System32\emzfuYW.exe

Filesize
3.1MB

MD5
3276d78b79d01157cd989283c8051995

SHA1
bc1543c7ea4d47a5d13e255ed53219c7fab1c36f

SHA256
5a30e59899ae9b9ad9ae89ad6500c1c01a3653fcca3dce0bdc3ce1339c420b2a

SHA512
75e1ff6d499a6a0f86c30b6ead1b7a9bda40417b92c799014218bb5654d3f018597c813b0ef3c948085a0dd2fbca481553cc81e61500872455cc6fc320984c12

Download Submit
C:\Windows\System32\fSwvhla.exe

Filesize
3.1MB

MD5
642cd57959fd64350d176aaa5bf8a957

SHA1
9ec3651227b3857e3320fc4e6c81e0fdb46dce41

SHA256
ad9b1f54c2a3b72ec83554b243da6124e2a211e2a81969bafcd869a59a46a0ac

SHA512
7d739d40d1834a026cd707611c2077a0ea7c34a07e2855f62ca1540c5dc6e46806341db0cba130ba5dd26bf4b262bcf232f6d1dcc73a25055c711a91134c2498

Download Submit
C:\Windows\System32\gweCGiz.exe

Filesize
3.1MB

MD5
e3746b578e8a4a4ffe5da93f6230c1d0

SHA1
9eb13fce54c4b14230bc471fda19e19d2e0d54d0

SHA256
6fffbd906e8359d8ba1ca0a9759b486d667f1cf351f1d49c27f5cf2cf3c67aef

SHA512
7b19baeaa71a7cb0a4445a73d99c7cf145ceff47d26fae68991a75b77b99cff57a1f1da363626b0c209ed76bbf3b3d00c05caff092519be0050be705cb6204b9

Download Submit
C:\Windows\System32\iZghIdW.exe

Filesize
3.1MB

MD5
9fe5517fd4ec1e865860038fc10f5ec1

SHA1
641ecc0d0c354e51ebd56de0c59628fc026c7547

SHA256
1e42f86a4ec096b5a5b765a4cbf657e0e593074122bc18b6b57f79a137b39ac3

SHA512
8b96072a0990ff37d3cc73ad5ca06fb24459dcc99656f1af445c9589b5e7e22cf4e6e9a24c2babf1161f01647a9842316c58810ddb230357c76a91559866d93e

Download Submit
C:\Windows\System32\iuktwJm.exe

Filesize
3.1MB

MD5
5e5bd575151bbf13e30681848e2001fc

SHA1
09a40cbbbbd69b35478ffe6f4c3bad6e364d4ba4

SHA256
0b44ae84880f062a03755251addc249a1909bb38d2d81619706b81996718d989

SHA512
39e75126e4754d3279ee99abf7cabeffda6f8166176b1ff19d3ce297515f3c3ae15e53abab70122b12093d7a687a4c3afaa267eee3ca82b10c3278efc1d70ad3

Download Submit
C:\Windows\System32\mquNsMg.exe

Filesize
3.1MB

MD5
a55b6bc97c2e52216bcb48b54b336527

SHA1
57813199906bdcbf52131a6b29664c808f8a4aa5

SHA256
ad37a6155da197762713be75d17048dcac47c2f73a65749ac43e85740057bcdc

SHA512
d9075b8d81d3d630db1a1a1f45db2203a0d34f38ca8486dd4c25265e5f2bc64cf26945c76705f900346cdccfc1c0397a84927137845a34ff064e7beb0e4edd2d

Download Submit
C:\Windows\System32\nomnwzs.exe

Filesize
3.1MB

MD5
327530a924dcc3021833b6f1f5e76b76

SHA1
462ac7883e47d66463462a567a90c14e2c5d22c4

SHA256
ac984ac27e4517ad2e5f1095b332299a925a54a2b30b741d0cf29f3cbdd6f236

SHA512
2777df30a238df5be886c0850f5de4235862b22f3b9ea09dcde922fb2f0ae19d950db8e4cb5c8977d3a7f527ce01f75a1a5e4dd38becd599e8dcc6357f85c29c

Download Submit
C:\Windows\System32\oiTCfiK.exe

Filesize
3.1MB

MD5
22691e652b5c1e0c3070a90731b32652

SHA1
4df9304a70c8552e97bdca8ccfacbb3354875558

SHA256
11fe707d31b1d4e86849bfa6711481ce66a400f9d9eabe5a9e55407ce7f822b7

SHA512
e8b7eb17c440174148fb15e0a87ddd5db8dd0d97d006bdc2ab591a41d84ffa4cca72706188a2b67adab5bb9f21919c7376e05b3c9457d97ef38aef70eb144c45

Download Submit
C:\Windows\System32\pOeMfyv.exe

Filesize
3.1MB

MD5
9f0b1af00c86994e941cad98fe33d60e

SHA1
f097144360b05b4cb4f988494a976243ad828c1c

SHA256
43fbbb3fbb7f76a05ac62d91fe4aef552b4859d530a58d2e9a73c5d82c39d087

SHA512
5f20faec77efb31c4135d50e3894933547710073fd444e1e767d930ac5c8578c93bdd035b9fd9f91552a9e6753a77f2992f50197a359b5571d34034a4c2d69f9

Download Submit
C:\Windows\System32\pWbEDAt.exe

Filesize
3.1MB

MD5
9e6ecbfbc781d96c5ac74d9950cdddd3

SHA1
9a03dc5e4657d35dba421298d8dfb33101c28241

SHA256
8bf018622b8f2acb6c20a9d2fa85579eb13b273b2ec4250197fdde1e60a0cdd9

SHA512
6f85a531f7b2e03d69c1bd9acbcd1b0e442dae1a106d6579f049ed8cb2d95f4ef174ffbbd56c9d8ab2f6b8807d81389f7b72bbb4b06eb9c501e9b9c84e4db558

Download Submit
C:\Windows\System32\qAgRbzc.exe

Filesize
3.1MB

MD5
9146e91a19068d8ed059908d0b565741

SHA1
91f42bafdaf0bf8b034c0f1600a67245c30050c8

SHA256
08aaba4358b181494ea7484fd960a0c03a55f54eee71497f222645606a9b1058

SHA512
947a0ebbea30c52a112986af745d3675e946fd0784b4cfa36db68a3e5333f8e1f0c81df4dacc45ba57abac76f1f6ce6bd2947c0021f5573488adbbfa74311276

Download Submit
C:\Windows\System32\sYUVFIz.exe

Filesize
3.1MB

MD5
1d1efcb57eb0e897b04581a8576871df

SHA1
9f35f6ca03ab896cf3afaf7b18e796fd91ed0b05

SHA256
b9a76f0e9d1c46d66247aca7b51b1f8e94ecae39fbb55f713c4d8f6c93540d85

SHA512
20839c6c91f9561952b887ed9826caca204dc6a74b993e3f4313383e0766f93b7348b3e7f252bd99abd56a6dbf7d356327b9c1b84e88c6cbc2414f2de8874da2

Download Submit
C:\Windows\System32\tQYvkpD.exe

Filesize
3.1MB

MD5
9964332e206760931261770f64f2ff98

SHA1
64293b8306417bf24250bf6a17a2cfe818cfbfd6

SHA256
9af7ac7ac92f532fe5f810ef68d9af74612a54d28f273f1afba11b61e8c28232

SHA512
17d4eb3db4e7ecd17162dec8476e680ad0cd3eb240c108f23c5ae691c48ae522c3d3980cf8d109204923e3a044f0f32601794decead45e504dd732794f53320b

Download Submit
C:\Windows\System32\uUSQcms.exe

Filesize
3.1MB

MD5
216f5202e9cca5e02dc16e6fe2e907da

SHA1
ee96e214a86d1efa0a4b4bb3e413ddb649142cc4

SHA256
a1507c5a55bd7adedd0b5847e5cbb1620202705e49ee437d6c47e5c6020c9aff

SHA512
1b4b4b6a0af181e0c06c8196c111df79da73b38b079ebe7774927f60bc9e9db26c39977bbac5899b02a6bb4ad581af2641af2a3acbca5badfb219cf8c23c96f7

Download Submit
C:\Windows\System32\ukkditE.exe

Filesize
3.1MB

MD5
3cfba5e27ec6502ef7948a614417b6f1

SHA1
7266af29aec3e2283dc6104bc39ed1cb8f03cda3

SHA256
a96796bc82c8ca5eda55f3236d084c24284c3ed90bc5f65c554e86701704af2a

SHA512
c0dd7c9045c60d527fb3328c096c740f894c4cc789185c179371ea0342a292888a23e45bd54f10076c43a2f7c983b5936960f44e083ff8e0333bccc7f3867eb3

Download Submit
C:\Windows\System32\vZNpKNz.exe

Filesize
3.1MB

MD5
6aed411e5320aac7971acdbfaab2dabe

SHA1
f3d922e4e39c7c85c695a941c2e120622bc8fe50

SHA256
c82129a9a61e455c488828fc9029eb326237de13ebc2d52ff83db60bf180f8d5

SHA512
d79d499d52662182b3d0fef0558155c1d1ea7157add79924072d59987c3ebe0414ffc7137e9686921cba84bcc2a5c3385e9309fc57273b7e9720e643ecadf4ed

Download Submit
memory/212-11-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp

Filesize
4.0MB

Download
memory/212-1828-0x00007FF6A8BD0000-0x00007FF6A8FC5000-memory.dmp

Filesize
4.0MB

Download
memory/384-1851-0x00007FF7E6560000-0x00007FF7E6955000-memory.dmp

Filesize
4.0MB

Download
memory/384-826-0x00007FF7E6560000-0x00007FF7E6955000-memory.dmp

Filesize
4.0MB

Download
memory/540-1850-0x00007FF7E1920000-0x00007FF7E1D15000-memory.dmp

Filesize
4.0MB

Download
memory/540-785-0x00007FF7E1920000-0x00007FF7E1D15000-memory.dmp

Filesize
4.0MB

Download
memory/556-815-0x00007FF778E50000-0x00007FF779245000-memory.dmp

Filesize
4.0MB

Download
memory/556-1842-0x00007FF778E50000-0x00007FF779245000-memory.dmp

Filesize
4.0MB

Download
memory/656-1838-0x00007FF6E6310000-0x00007FF6E6705000-memory.dmp

Filesize
4.0MB

Download
memory/656-829-0x00007FF6E6310000-0x00007FF6E6705000-memory.dmp

Filesize
4.0MB

Download
memory/780-1845-0x00007FF60BBF0000-0x00007FF60BFE5000-memory.dmp

Filesize
4.0MB

Download
memory/780-833-0x00007FF60BBF0000-0x00007FF60BFE5000-memory.dmp

Filesize
4.0MB

Download
memory/932-1840-0x00007FF698750000-0x00007FF698B45000-memory.dmp

Filesize
4.0MB

Download
memory/932-823-0x00007FF698750000-0x00007FF698B45000-memory.dmp

Filesize
4.0MB

Download
memory/1124-1841-0x00007FF77DED0000-0x00007FF77E2C5000-memory.dmp

Filesize
4.0MB

Download
memory/1124-819-0x00007FF77DED0000-0x00007FF77E2C5000-memory.dmp

Filesize
4.0MB

Download
memory/1212-1829-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp

Filesize
4.0MB

Download
memory/1212-1826-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp

Filesize
4.0MB

Download
memory/1212-17-0x00007FF6ECFF0000-0x00007FF6ED3E5000-memory.dmp

Filesize
4.0MB

Download
memory/1644-796-0x00007FF7FB850000-0x00007FF7FBC45000-memory.dmp

Filesize
4.0MB

Download
memory/1644-1836-0x00007FF7FB850000-0x00007FF7FBC45000-memory.dmp

Filesize
4.0MB

Download
memory/2588-832-0x00007FF61AFD0000-0x00007FF61B3C5000-memory.dmp

Filesize
4.0MB

Download
memory/2588-1846-0x00007FF61AFD0000-0x00007FF61B3C5000-memory.dmp

Filesize
4.0MB

Download
memory/2692-1832-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp

Filesize
4.0MB

Download
memory/2692-778-0x00007FF6C71A0000-0x00007FF6C7595000-memory.dmp

Filesize
4.0MB

Download
memory/2704-0-0x00007FF613A80000-0x00007FF613E75000-memory.dmp

Filesize
4.0MB

Download
memory/2704-1-0x0000026984B60000-0x0000026984B70000-memory.dmp

Filesize
64KB

Download
memory/2804-1843-0x00007FF642070000-0x00007FF642465000-memory.dmp

Filesize
4.0MB

Download
memory/2804-810-0x00007FF642070000-0x00007FF642465000-memory.dmp

Filesize
4.0MB

Download
memory/2856-799-0x00007FF767080000-0x00007FF767475000-memory.dmp

Filesize
4.0MB

Download
memory/2856-1835-0x00007FF767080000-0x00007FF767475000-memory.dmp

Filesize
4.0MB

Download
memory/2980-779-0x00007FF69CA10000-0x00007FF69CE05000-memory.dmp

Filesize
4.0MB

Download
memory/2980-1839-0x00007FF69CA10000-0x00007FF69CE05000-memory.dmp

Filesize
4.0MB

Download
memory/3644-806-0x00007FF60F500000-0x00007FF60F8F5000-memory.dmp

Filesize
4.0MB

Download
memory/3644-1834-0x00007FF60F500000-0x00007FF60F8F5000-memory.dmp

Filesize
4.0MB

Download
memory/3712-1844-0x00007FF6847F0000-0x00007FF684BE5000-memory.dmp

Filesize
4.0MB

Download
memory/3712-812-0x00007FF6847F0000-0x00007FF684BE5000-memory.dmp

Filesize
4.0MB

Download
memory/3900-835-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp

Filesize
4.0MB

Download
memory/3900-1831-0x00007FF6B06A0000-0x00007FF6B0A95000-memory.dmp

Filesize
4.0MB

Download
memory/4080-1837-0x00007FF6C9CA0000-0x00007FF6CA095000-memory.dmp

Filesize
4.0MB

Download
memory/4080-780-0x00007FF6C9CA0000-0x00007FF6CA095000-memory.dmp

Filesize
4.0MB

Download
memory/4184-777-0x00007FF625080000-0x00007FF625475000-memory.dmp

Filesize
4.0MB

Download
memory/4184-1830-0x00007FF625080000-0x00007FF625475000-memory.dmp

Filesize
4.0MB

Download
memory/4200-1848-0x00007FF773270000-0x00007FF773665000-memory.dmp

Filesize
4.0MB

Download
memory/4200-788-0x00007FF773270000-0x00007FF773665000-memory.dmp

Filesize
4.0MB

Download
memory/4212-1833-0x00007FF71B130000-0x00007FF71B525000-memory.dmp

Filesize
4.0MB

Download
memory/4212-776-0x00007FF71B130000-0x00007FF71B525000-memory.dmp

Filesize
4.0MB

Download
memory/4212-1827-0x00007FF71B130000-0x00007FF71B525000-memory.dmp

Filesize
4.0MB

Download
memory/4808-1847-0x00007FF68F440000-0x00007FF68F835000-memory.dmp

Filesize
4.0MB

Download
memory/4808-793-0x00007FF68F440000-0x00007FF68F835000-memory.dmp

Filesize
4.0MB

Download
memory/5084-830-0x00007FF7150C0000-0x00007FF7154B5000-memory.dmp

Filesize
4.0MB

Download
memory/5084-1849-0x00007FF7150C0000-0x00007FF7154B5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads