xmrig | 07d18e5643210d8ccb15172922d0267e34a31ea7ae0560855366cafe17f24c7d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
Size

2.7MB
MD5

57b4aa774011e6dcac8dc1a3732be150
SHA1

1c8417f3c4f7e89f9d3a687d280e81f4fb0c9f43
SHA256

07d18e5643210d8ccb15172922d0267e34a31ea7ae0560855366cafe17f24c7d
SHA512

54d824e6bec816716dbd58f970ac162851eb5265e015ff9881c42a644a9a7e757b029b9c80c8e5aa07cf1ca76fdb61246a78e88246943f7a1151e8ab16a3cae4
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzHUJ8Y9c+Mt:N0GnJMOWPClFdx6e0EALKWVTffZiPAcx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2204-0-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp	xmrig
behavioral2/files/0x00090000000235e3-6.dat	xmrig
behavioral2/memory/3376-9-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp	xmrig
behavioral2/files/0x00080000000235e6-12.dat	xmrig
behavioral2/files/0x00070000000235ea-10.dat	xmrig
behavioral2/memory/3848-14-0x00007FF78D360000-0x00007FF78D755000-memory.dmp	xmrig
behavioral2/memory/3552-22-0x00007FF6F7880000-0x00007FF6F7C75000-memory.dmp	xmrig
behavioral2/files/0x00080000000235e7-25.dat	xmrig
behavioral2/files/0x00070000000235ed-37.dat	xmrig
behavioral2/files/0x00070000000235ec-40.dat	xmrig
behavioral2/memory/2728-43-0x00007FF7E44F0000-0x00007FF7E48E5000-memory.dmp	xmrig
behavioral2/memory/392-38-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp	xmrig
behavioral2/memory/648-35-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp	xmrig
behavioral2/files/0x00070000000235ee-47.dat	xmrig
behavioral2/memory/3496-48-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp	xmrig
behavioral2/memory/1000-33-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp	xmrig
behavioral2/files/0x00070000000235eb-29.dat	xmrig
behavioral2/files/0x00070000000235f1-53.dat	xmrig
behavioral2/memory/2672-62-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp	xmrig
behavioral2/memory/3204-68-0x00007FF7C2DB0000-0x00007FF7C31A5000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f5-73.dat	xmrig
behavioral2/memory/4536-76-0x00007FF775D00000-0x00007FF7760F5000-memory.dmp	xmrig
behavioral2/memory/2204-86-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f7-90.dat	xmrig
behavioral2/memory/3772-93-0x00007FF628260000-0x00007FF628655000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f9-96.dat	xmrig
behavioral2/files/0x00070000000235f8-104.dat	xmrig
behavioral2/files/0x00070000000235fd-118.dat	xmrig
behavioral2/files/0x0007000000023602-143.dat	xmrig
behavioral2/memory/2452-680-0x00007FF720190000-0x00007FF720585000-memory.dmp	xmrig
behavioral2/files/0x0007000000023609-177.dat	xmrig
behavioral2/files/0x0007000000023608-174.dat	xmrig
behavioral2/files/0x0007000000023607-171.dat	xmrig
behavioral2/files/0x0007000000023606-166.dat	xmrig
behavioral2/files/0x0007000000023605-164.dat	xmrig
behavioral2/files/0x0007000000023604-156.dat	xmrig
behavioral2/files/0x0007000000023603-151.dat	xmrig
behavioral2/files/0x0007000000023601-141.dat	xmrig
behavioral2/files/0x0007000000023600-136.dat	xmrig
behavioral2/files/0x00070000000235ff-131.dat	xmrig
behavioral2/files/0x00070000000235fe-126.dat	xmrig
behavioral2/files/0x00070000000235fc-116.dat	xmrig
behavioral2/files/0x00070000000235fb-111.dat	xmrig
behavioral2/files/0x00070000000235fa-106.dat	xmrig
behavioral2/memory/1516-87-0x00007FF702C30000-0x00007FF703025000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f4-83.dat	xmrig
behavioral2/memory/3272-82-0x00007FF6A3B70000-0x00007FF6A3F65000-memory.dmp	xmrig
behavioral2/files/0x00070000000235f6-74.dat	xmrig
behavioral2/files/0x00070000000235f3-75.dat	xmrig
behavioral2/files/0x00070000000235f2-60.dat	xmrig
behavioral2/memory/3376-687-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp	xmrig
behavioral2/memory/1120-694-0x00007FF732BF0000-0x00007FF732FE5000-memory.dmp	xmrig
behavioral2/memory/1716-702-0x00007FF7A6840000-0x00007FF7A6C35000-memory.dmp	xmrig
behavioral2/memory/1708-708-0x00007FF741330000-0x00007FF741725000-memory.dmp	xmrig
behavioral2/memory/2600-717-0x00007FF628B00000-0x00007FF628EF5000-memory.dmp	xmrig
behavioral2/memory/2472-720-0x00007FF6A7E20000-0x00007FF6A8215000-memory.dmp	xmrig
behavioral2/memory/2080-747-0x00007FF69A4D0000-0x00007FF69A8C5000-memory.dmp	xmrig
behavioral2/memory/1644-742-0x00007FF7FCC40000-0x00007FF7FD035000-memory.dmp	xmrig
behavioral2/memory/460-738-0x00007FF788030000-0x00007FF788425000-memory.dmp	xmrig
behavioral2/memory/4952-734-0x00007FF680720000-0x00007FF680B15000-memory.dmp	xmrig
behavioral2/memory/392-1566-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp	xmrig
behavioral2/memory/1000-1563-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp	xmrig
behavioral2/memory/3496-1898-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp	xmrig
behavioral2/memory/2672-1899-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3376	xwUqabe.exe
3848	VlqrRgx.exe
3552	noSAGPa.exe
1000	dKHUpqG.exe
648	yeyOpIC.exe
392	hfMngJt.exe
2728	WBFEEHM.exe
3496	JaLKvIS.exe
2672	tdZyjMR.exe
3204	UOXWCJw.exe
1516	BLjhbUc.exe
4536	LdZXBnU.exe
3772	ORWecIq.exe
3272	nFOSJbl.exe
2452	DUcXgdf.exe
1120	qUtjuXr.exe
2080	KJiufFl.exe
1716	hJQTpVT.exe
1708	LGhGGum.exe
2600	FwqlFKn.exe
2472	NCDBHgV.exe
4952	uvONHGa.exe
460	MngJHYS.exe
1644	pyjuvlL.exe
3052	SFwBNrP.exe
1072	hfQTbgy.exe
5020	QYvDgrC.exe
5056	WGDMzOX.exe
1656	QrZIHNa.exe
1724	emCCIyG.exe
1864	RCTIlBg.exe
760	iPQXQOt.exe
3636	EvSGagH.exe
424	EKFgdtQ.exe
8	dsNzxjG.exe
2268	wgMAiRD.exe
3196	hjjmItg.exe
4944	SmVxfmB.exe
1260	spubvJh.exe
4928	ZRuOcoZ.exe
3400	cGNJGSy.exe
4012	uMmRNCf.exe
3288	GsPMwKF.exe
3764	AJiYkze.exe
1396	pLrWWaA.exe
4392	CoVoLWB.exe
4348	dxnHTwb.exe
5052	jBZQGDU.exe
3356	qzNnUmz.exe
1944	tGxYoeX.exe
4416	wuxJiwo.exe
3540	deDHIif.exe
4412	YQRaIhs.exe
5144	PmYgXSY.exe
5184	zWcEIwt.exe
5200	qATxXdH.exe
5228	fOVkINM.exe
5256	bpsxDqR.exe
5284	tdSdehz.exe
5312	lHpWTbZ.exe
5340	FBoncbl.exe
5368	uDMjIzw.exe
5396	VOTBghq.exe
5424	qJzlVxv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2204-0-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp	upx
behavioral2/files/0x00090000000235e3-6.dat	upx
behavioral2/memory/3376-9-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp	upx
behavioral2/files/0x00080000000235e6-12.dat	upx
behavioral2/files/0x00070000000235ea-10.dat	upx
behavioral2/memory/3848-14-0x00007FF78D360000-0x00007FF78D755000-memory.dmp	upx
behavioral2/memory/3552-22-0x00007FF6F7880000-0x00007FF6F7C75000-memory.dmp	upx
behavioral2/files/0x00080000000235e7-25.dat	upx
behavioral2/files/0x00070000000235ed-37.dat	upx
behavioral2/files/0x00070000000235ec-40.dat	upx
behavioral2/memory/2728-43-0x00007FF7E44F0000-0x00007FF7E48E5000-memory.dmp	upx
behavioral2/memory/392-38-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp	upx
behavioral2/memory/648-35-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp	upx
behavioral2/files/0x00070000000235ee-47.dat	upx
behavioral2/memory/3496-48-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp	upx
behavioral2/memory/1000-33-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp	upx
behavioral2/files/0x00070000000235eb-29.dat	upx
behavioral2/files/0x00070000000235f1-53.dat	upx
behavioral2/memory/2672-62-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp	upx
behavioral2/memory/3204-68-0x00007FF7C2DB0000-0x00007FF7C31A5000-memory.dmp	upx
behavioral2/files/0x00070000000235f5-73.dat	upx
behavioral2/memory/4536-76-0x00007FF775D00000-0x00007FF7760F5000-memory.dmp	upx
behavioral2/memory/2204-86-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp	upx
behavioral2/files/0x00070000000235f7-90.dat	upx
behavioral2/memory/3772-93-0x00007FF628260000-0x00007FF628655000-memory.dmp	upx
behavioral2/files/0x00070000000235f9-96.dat	upx
behavioral2/files/0x00070000000235f8-104.dat	upx
behavioral2/files/0x00070000000235fd-118.dat	upx
behavioral2/files/0x0007000000023602-143.dat	upx
behavioral2/memory/2452-680-0x00007FF720190000-0x00007FF720585000-memory.dmp	upx
behavioral2/files/0x0007000000023609-177.dat	upx
behavioral2/files/0x0007000000023608-174.dat	upx
behavioral2/files/0x0007000000023607-171.dat	upx
behavioral2/files/0x0007000000023606-166.dat	upx
behavioral2/files/0x0007000000023605-164.dat	upx
behavioral2/files/0x0007000000023604-156.dat	upx
behavioral2/files/0x0007000000023603-151.dat	upx
behavioral2/files/0x0007000000023601-141.dat	upx
behavioral2/files/0x0007000000023600-136.dat	upx
behavioral2/files/0x00070000000235ff-131.dat	upx
behavioral2/files/0x00070000000235fe-126.dat	upx
behavioral2/files/0x00070000000235fc-116.dat	upx
behavioral2/files/0x00070000000235fb-111.dat	upx
behavioral2/files/0x00070000000235fa-106.dat	upx
behavioral2/memory/1516-87-0x00007FF702C30000-0x00007FF703025000-memory.dmp	upx
behavioral2/files/0x00070000000235f4-83.dat	upx
behavioral2/memory/3272-82-0x00007FF6A3B70000-0x00007FF6A3F65000-memory.dmp	upx
behavioral2/files/0x00070000000235f6-74.dat	upx
behavioral2/files/0x00070000000235f3-75.dat	upx
behavioral2/files/0x00070000000235f2-60.dat	upx
behavioral2/memory/3376-687-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp	upx
behavioral2/memory/1120-694-0x00007FF732BF0000-0x00007FF732FE5000-memory.dmp	upx
behavioral2/memory/1716-702-0x00007FF7A6840000-0x00007FF7A6C35000-memory.dmp	upx
behavioral2/memory/1708-708-0x00007FF741330000-0x00007FF741725000-memory.dmp	upx
behavioral2/memory/2600-717-0x00007FF628B00000-0x00007FF628EF5000-memory.dmp	upx
behavioral2/memory/2472-720-0x00007FF6A7E20000-0x00007FF6A8215000-memory.dmp	upx
behavioral2/memory/2080-747-0x00007FF69A4D0000-0x00007FF69A8C5000-memory.dmp	upx
behavioral2/memory/1644-742-0x00007FF7FCC40000-0x00007FF7FD035000-memory.dmp	upx
behavioral2/memory/460-738-0x00007FF788030000-0x00007FF788425000-memory.dmp	upx
behavioral2/memory/4952-734-0x00007FF680720000-0x00007FF680B15000-memory.dmp	upx
behavioral2/memory/392-1566-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp	upx
behavioral2/memory/1000-1563-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp	upx
behavioral2/memory/3496-1898-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp	upx
behavioral2/memory/2672-1899-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\WBFEEHM.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\LdZXBnU.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\fcXEppa.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\yWPKSzC.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\lRngWjD.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\ICTDqrK.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\mTqesub.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\nkLlghl.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\DrMSouG.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\NctxPgB.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\apQfdvs.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\yGAPYve.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\CoVoLWB.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\LsnFwDR.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\TtqheGX.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\icNTcEr.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\gnSgepi.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\glyMmnk.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\gAJoqmK.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\UyElWzV.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\FBoncbl.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\GRFgxol.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\JBAdFIF.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\qOOFOIZ.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\XISDmJN.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\ILHDWdX.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\mgMJlEI.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\FFbsRAA.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\WnDoAXm.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\NOpfWIk.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\QrZIHNa.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\GvKUVzC.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\feLPznr.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\QgBFlup.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\MrAeGZc.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\SZonCMD.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\VIVsayb.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\wiVpweE.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\AUpnLfx.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\VrcwcFb.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\bCRLtjq.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\EyrCNWN.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\zofrGbQ.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\VpRsaKE.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\SFXXDsu.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\KWEVWto.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\ceQyjXK.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\TNIYTKo.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\XRZBMiz.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\VqyJsFZ.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\HVFnijO.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\tdSdehz.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\jgGQajs.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\PUhYuIO.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\LmltlUa.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\aBXmvSq.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\hPrkmAu.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\nFOSJbl.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\fOVkINM.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\lHpWTbZ.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\ldtRvZR.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\fNtpdHr.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\wssjwOw.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
File created	C:\Windows\System32\bvWHCHZ.exe	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14300	dwm.exe
Token: SeChangeNotifyPrivilege	14300	dwm.exe
Token: 33	14300	dwm.exe
Token: SeIncBasePriorityPrivilege	14300	dwm.exe
Token: SeShutdownPrivilege	14300	dwm.exe
Token: SeCreatePagefilePrivilege	14300	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3376	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	91
PID 2204 wrote to memory of 3376	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	91
PID 2204 wrote to memory of 3848	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	92
PID 2204 wrote to memory of 3848	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	92
PID 2204 wrote to memory of 3552	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	93
PID 2204 wrote to memory of 3552	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	93
PID 2204 wrote to memory of 1000	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	94
PID 2204 wrote to memory of 1000	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	94
PID 2204 wrote to memory of 648	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	95
PID 2204 wrote to memory of 648	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	95
PID 2204 wrote to memory of 392	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	96
PID 2204 wrote to memory of 392	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	96
PID 2204 wrote to memory of 2728	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	97
PID 2204 wrote to memory of 2728	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	97
PID 2204 wrote to memory of 3496	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	98
PID 2204 wrote to memory of 3496	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	98
PID 2204 wrote to memory of 2672	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	99
PID 2204 wrote to memory of 2672	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	99
PID 2204 wrote to memory of 3204	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	100
PID 2204 wrote to memory of 3204	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	100
PID 2204 wrote to memory of 1516	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	101
PID 2204 wrote to memory of 1516	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	101
PID 2204 wrote to memory of 4536	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	102
PID 2204 wrote to memory of 4536	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	102
PID 2204 wrote to memory of 3772	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	103
PID 2204 wrote to memory of 3772	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	103
PID 2204 wrote to memory of 3272	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	104
PID 2204 wrote to memory of 3272	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	104
PID 2204 wrote to memory of 1120	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	105
PID 2204 wrote to memory of 1120	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	105
PID 2204 wrote to memory of 2452	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	106
PID 2204 wrote to memory of 2452	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	106
PID 2204 wrote to memory of 2080	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	107
PID 2204 wrote to memory of 2080	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	107
PID 2204 wrote to memory of 1716	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	108
PID 2204 wrote to memory of 1716	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	108
PID 2204 wrote to memory of 1708	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	109
PID 2204 wrote to memory of 1708	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	109
PID 2204 wrote to memory of 2600	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	110
PID 2204 wrote to memory of 2600	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	110
PID 2204 wrote to memory of 2472	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	111
PID 2204 wrote to memory of 2472	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	111
PID 2204 wrote to memory of 4952	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	112
PID 2204 wrote to memory of 4952	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	112
PID 2204 wrote to memory of 460	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	113
PID 2204 wrote to memory of 460	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	113
PID 2204 wrote to memory of 1644	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	114
PID 2204 wrote to memory of 1644	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	114
PID 2204 wrote to memory of 3052	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	115
PID 2204 wrote to memory of 3052	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	115
PID 2204 wrote to memory of 1072	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	116
PID 2204 wrote to memory of 1072	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	116
PID 2204 wrote to memory of 5020	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	117
PID 2204 wrote to memory of 5020	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	117
PID 2204 wrote to memory of 5056	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	118
PID 2204 wrote to memory of 5056	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	118
PID 2204 wrote to memory of 1656	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	119
PID 2204 wrote to memory of 1656	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	119
PID 2204 wrote to memory of 1724	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	120
PID 2204 wrote to memory of 1724	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	120
PID 2204 wrote to memory of 1864	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	121
PID 2204 wrote to memory of 1864	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	121
PID 2204 wrote to memory of 760	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	122
PID 2204 wrote to memory of 760	2204	57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe	122

C:\Users\Admin\AppData\Local\Temp\57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57b4aa774011e6dcac8dc1a3732be150_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\xwUqabe.exe
  C:\Windows\System32\xwUqabe.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\VlqrRgx.exe
  C:\Windows\System32\VlqrRgx.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\noSAGPa.exe
  C:\Windows\System32\noSAGPa.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\dKHUpqG.exe
  C:\Windows\System32\dKHUpqG.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\yeyOpIC.exe
  C:\Windows\System32\yeyOpIC.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System32\hfMngJt.exe
  C:\Windows\System32\hfMngJt.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\WBFEEHM.exe
  C:\Windows\System32\WBFEEHM.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\JaLKvIS.exe
  C:\Windows\System32\JaLKvIS.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\tdZyjMR.exe
  C:\Windows\System32\tdZyjMR.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\UOXWCJw.exe
  C:\Windows\System32\UOXWCJw.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\BLjhbUc.exe
  C:\Windows\System32\BLjhbUc.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\LdZXBnU.exe
  C:\Windows\System32\LdZXBnU.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\ORWecIq.exe
  C:\Windows\System32\ORWecIq.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\nFOSJbl.exe
  C:\Windows\System32\nFOSJbl.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\qUtjuXr.exe
  C:\Windows\System32\qUtjuXr.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\DUcXgdf.exe
  C:\Windows\System32\DUcXgdf.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\KJiufFl.exe
  C:\Windows\System32\KJiufFl.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\hJQTpVT.exe
  C:\Windows\System32\hJQTpVT.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System32\LGhGGum.exe
  C:\Windows\System32\LGhGGum.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\FwqlFKn.exe
  C:\Windows\System32\FwqlFKn.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\NCDBHgV.exe
  C:\Windows\System32\NCDBHgV.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\uvONHGa.exe
  C:\Windows\System32\uvONHGa.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\MngJHYS.exe
  C:\Windows\System32\MngJHYS.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\pyjuvlL.exe
  C:\Windows\System32\pyjuvlL.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\SFwBNrP.exe
  C:\Windows\System32\SFwBNrP.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\hfQTbgy.exe
  C:\Windows\System32\hfQTbgy.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\QYvDgrC.exe
  C:\Windows\System32\QYvDgrC.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System32\WGDMzOX.exe
  C:\Windows\System32\WGDMzOX.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\QrZIHNa.exe
  C:\Windows\System32\QrZIHNa.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\emCCIyG.exe
  C:\Windows\System32\emCCIyG.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System32\RCTIlBg.exe
  C:\Windows\System32\RCTIlBg.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\iPQXQOt.exe
  C:\Windows\System32\iPQXQOt.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\EvSGagH.exe
  C:\Windows\System32\EvSGagH.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\EKFgdtQ.exe
  C:\Windows\System32\EKFgdtQ.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System32\dsNzxjG.exe
  C:\Windows\System32\dsNzxjG.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\wgMAiRD.exe
  C:\Windows\System32\wgMAiRD.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System32\hjjmItg.exe
  C:\Windows\System32\hjjmItg.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\SmVxfmB.exe
  C:\Windows\System32\SmVxfmB.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\spubvJh.exe
  C:\Windows\System32\spubvJh.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\ZRuOcoZ.exe
  C:\Windows\System32\ZRuOcoZ.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\cGNJGSy.exe
  C:\Windows\System32\cGNJGSy.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\uMmRNCf.exe
  C:\Windows\System32\uMmRNCf.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System32\GsPMwKF.exe
  C:\Windows\System32\GsPMwKF.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\AJiYkze.exe
  C:\Windows\System32\AJiYkze.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\pLrWWaA.exe
  C:\Windows\System32\pLrWWaA.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System32\CoVoLWB.exe
  C:\Windows\System32\CoVoLWB.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\dxnHTwb.exe
  C:\Windows\System32\dxnHTwb.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\jBZQGDU.exe
  C:\Windows\System32\jBZQGDU.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\qzNnUmz.exe
  C:\Windows\System32\qzNnUmz.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\tGxYoeX.exe
  C:\Windows\System32\tGxYoeX.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\wuxJiwo.exe
  C:\Windows\System32\wuxJiwo.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\deDHIif.exe
  C:\Windows\System32\deDHIif.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\YQRaIhs.exe
  C:\Windows\System32\YQRaIhs.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\PmYgXSY.exe
  C:\Windows\System32\PmYgXSY.exe
  2⤵
  - Executes dropped EXE
  PID:5144
- C:\Windows\System32\zWcEIwt.exe
  C:\Windows\System32\zWcEIwt.exe
  2⤵
  - Executes dropped EXE
  PID:5184
- C:\Windows\System32\qATxXdH.exe
  C:\Windows\System32\qATxXdH.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Windows\System32\fOVkINM.exe
  C:\Windows\System32\fOVkINM.exe
  2⤵
  - Executes dropped EXE
  PID:5228
- C:\Windows\System32\bpsxDqR.exe
  C:\Windows\System32\bpsxDqR.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System32\tdSdehz.exe
  C:\Windows\System32\tdSdehz.exe
  2⤵
  - Executes dropped EXE
  PID:5284
- C:\Windows\System32\lHpWTbZ.exe
  C:\Windows\System32\lHpWTbZ.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\FBoncbl.exe
  C:\Windows\System32\FBoncbl.exe
  2⤵
  - Executes dropped EXE
  PID:5340
- C:\Windows\System32\uDMjIzw.exe
  C:\Windows\System32\uDMjIzw.exe
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Windows\System32\VOTBghq.exe
  C:\Windows\System32\VOTBghq.exe
  2⤵
  - Executes dropped EXE
  PID:5396
- C:\Windows\System32\qJzlVxv.exe
  C:\Windows\System32\qJzlVxv.exe
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Windows\System32\VIVsayb.exe
  C:\Windows\System32\VIVsayb.exe
  2⤵
  PID:5452
- C:\Windows\System32\mjoIwyT.exe
  C:\Windows\System32\mjoIwyT.exe
  2⤵
  PID:5492
- C:\Windows\System32\csDBrIF.exe
  C:\Windows\System32\csDBrIF.exe
  2⤵
  PID:5508
- C:\Windows\System32\RWjPfJE.exe
  C:\Windows\System32\RWjPfJE.exe
  2⤵
  PID:5536
- C:\Windows\System32\GTXYAJl.exe
  C:\Windows\System32\GTXYAJl.exe
  2⤵
  PID:5564
- C:\Windows\System32\AxnFdWl.exe
  C:\Windows\System32\AxnFdWl.exe
  2⤵
  PID:5592
- C:\Windows\System32\fcXEppa.exe
  C:\Windows\System32\fcXEppa.exe
  2⤵
  PID:5620
- C:\Windows\System32\fuDTFzm.exe
  C:\Windows\System32\fuDTFzm.exe
  2⤵
  PID:5648
- C:\Windows\System32\VkIXHOh.exe
  C:\Windows\System32\VkIXHOh.exe
  2⤵
  PID:5676
- C:\Windows\System32\ZHEFqWP.exe
  C:\Windows\System32\ZHEFqWP.exe
  2⤵
  PID:5704
- C:\Windows\System32\KThRCrl.exe
  C:\Windows\System32\KThRCrl.exe
  2⤵
  PID:5732
- C:\Windows\System32\tlwyymk.exe
  C:\Windows\System32\tlwyymk.exe
  2⤵
  PID:5760
- C:\Windows\System32\ldtRvZR.exe
  C:\Windows\System32\ldtRvZR.exe
  2⤵
  PID:5788
- C:\Windows\System32\oMzqiym.exe
  C:\Windows\System32\oMzqiym.exe
  2⤵
  PID:5816
- C:\Windows\System32\MkZntfJ.exe
  C:\Windows\System32\MkZntfJ.exe
  2⤵
  PID:5844
- C:\Windows\System32\LffZNfO.exe
  C:\Windows\System32\LffZNfO.exe
  2⤵
  PID:5872
- C:\Windows\System32\ailTgJX.exe
  C:\Windows\System32\ailTgJX.exe
  2⤵
  PID:5900
- C:\Windows\System32\kEwVvFY.exe
  C:\Windows\System32\kEwVvFY.exe
  2⤵
  PID:5928
- C:\Windows\System32\fNtpdHr.exe
  C:\Windows\System32\fNtpdHr.exe
  2⤵
  PID:5956
- C:\Windows\System32\laMiucV.exe
  C:\Windows\System32\laMiucV.exe
  2⤵
  PID:5984
- C:\Windows\System32\BztelkG.exe
  C:\Windows\System32\BztelkG.exe
  2⤵
  PID:6012
- C:\Windows\System32\nNvfdYw.exe
  C:\Windows\System32\nNvfdYw.exe
  2⤵
  PID:6040
- C:\Windows\System32\VIqaGlm.exe
  C:\Windows\System32\VIqaGlm.exe
  2⤵
  PID:6068
- C:\Windows\System32\wvcEply.exe
  C:\Windows\System32\wvcEply.exe
  2⤵
  PID:6096
- C:\Windows\System32\llvOPCF.exe
  C:\Windows\System32\llvOPCF.exe
  2⤵
  PID:6124
- C:\Windows\System32\xOXWUQy.exe
  C:\Windows\System32\xOXWUQy.exe
  2⤵
  PID:2904
- C:\Windows\System32\TXfsvQD.exe
  C:\Windows\System32\TXfsvQD.exe
  2⤵
  PID:4532
- C:\Windows\System32\bIWUngl.exe
  C:\Windows\System32\bIWUngl.exe
  2⤵
  PID:3892
- C:\Windows\System32\IZhTOXZ.exe
  C:\Windows\System32\IZhTOXZ.exe
  2⤵
  PID:740
- C:\Windows\System32\GjXqLrG.exe
  C:\Windows\System32\GjXqLrG.exe
  2⤵
  PID:5128
- C:\Windows\System32\evBEapg.exe
  C:\Windows\System32\evBEapg.exe
  2⤵
  PID:5220
- C:\Windows\System32\WOERAcS.exe
  C:\Windows\System32\WOERAcS.exe
  2⤵
  PID:5268
- C:\Windows\System32\glyMmnk.exe
  C:\Windows\System32\glyMmnk.exe
  2⤵
  PID:5332
- C:\Windows\System32\FQAYpMM.exe
  C:\Windows\System32\FQAYpMM.exe
  2⤵
  PID:5416
- C:\Windows\System32\mTqesub.exe
  C:\Windows\System32\mTqesub.exe
  2⤵
  PID:5464
- C:\Windows\System32\XDYhcEp.exe
  C:\Windows\System32\XDYhcEp.exe
  2⤵
  PID:5516
- C:\Windows\System32\Dxzweon.exe
  C:\Windows\System32\Dxzweon.exe
  2⤵
  PID:5612
- C:\Windows\System32\XLLYIeq.exe
  C:\Windows\System32\XLLYIeq.exe
  2⤵
  PID:5660
- C:\Windows\System32\alGiyVa.exe
  C:\Windows\System32\alGiyVa.exe
  2⤵
  PID:5712
- C:\Windows\System32\bpTqDvn.exe
  C:\Windows\System32\bpTqDvn.exe
  2⤵
  PID:5808
- C:\Windows\System32\NCeQVqw.exe
  C:\Windows\System32\NCeQVqw.exe
  2⤵
  PID:5856
- C:\Windows\System32\ifqYgTm.exe
  C:\Windows\System32\ifqYgTm.exe
  2⤵
  PID:5920
- C:\Windows\System32\oewQdzF.exe
  C:\Windows\System32\oewQdzF.exe
  2⤵
  PID:6004
- C:\Windows\System32\bCPGEFx.exe
  C:\Windows\System32\bCPGEFx.exe
  2⤵
  PID:6052
- C:\Windows\System32\FsLMCTw.exe
  C:\Windows\System32\FsLMCTw.exe
  2⤵
  PID:6116
- C:\Windows\System32\kBXHyTZ.exe
  C:\Windows\System32\kBXHyTZ.exe
  2⤵
  PID:996
- C:\Windows\System32\KdakKvG.exe
  C:\Windows\System32\KdakKvG.exe
  2⤵
  PID:3284
- C:\Windows\System32\wRHmXMP.exe
  C:\Windows\System32\wRHmXMP.exe
  2⤵
  PID:5236
- C:\Windows\System32\BuEJhVW.exe
  C:\Windows\System32\BuEJhVW.exe
  2⤵
  PID:5408
- C:\Windows\System32\YsJYLiW.exe
  C:\Windows\System32\YsJYLiW.exe
  2⤵
  PID:5548
- C:\Windows\System32\MVGuayn.exe
  C:\Windows\System32\MVGuayn.exe
  2⤵
  PID:5696
- C:\Windows\System32\EXcVSQV.exe
  C:\Windows\System32\EXcVSQV.exe
  2⤵
  PID:5880
- C:\Windows\System32\XrZfNtx.exe
  C:\Windows\System32\XrZfNtx.exe
  2⤵
  PID:6020
- C:\Windows\System32\bCRLtjq.exe
  C:\Windows\System32\bCRLtjq.exe
  2⤵
  PID:6152
- C:\Windows\System32\RHDXqSn.exe
  C:\Windows\System32\RHDXqSn.exe
  2⤵
  PID:6184
- C:\Windows\System32\lNtlhSo.exe
  C:\Windows\System32\lNtlhSo.exe
  2⤵
  PID:6212
- C:\Windows\System32\cjmIpbB.exe
  C:\Windows\System32\cjmIpbB.exe
  2⤵
  PID:6236
- C:\Windows\System32\JBtNCVV.exe
  C:\Windows\System32\JBtNCVV.exe
  2⤵
  PID:6268
- C:\Windows\System32\GuOaMBD.exe
  C:\Windows\System32\GuOaMBD.exe
  2⤵
  PID:6296
- C:\Windows\System32\fZqeoSa.exe
  C:\Windows\System32\fZqeoSa.exe
  2⤵
  PID:6324
- C:\Windows\System32\dGMAkqO.exe
  C:\Windows\System32\dGMAkqO.exe
  2⤵
  PID:6352
- C:\Windows\System32\jRuXBOL.exe
  C:\Windows\System32\jRuXBOL.exe
  2⤵
  PID:6380
- C:\Windows\System32\dOJukxK.exe
  C:\Windows\System32\dOJukxK.exe
  2⤵
  PID:6408
- C:\Windows\System32\YxZOceg.exe
  C:\Windows\System32\YxZOceg.exe
  2⤵
  PID:6436
- C:\Windows\System32\kaEMKYi.exe
  C:\Windows\System32\kaEMKYi.exe
  2⤵
  PID:6464
- C:\Windows\System32\wssjwOw.exe
  C:\Windows\System32\wssjwOw.exe
  2⤵
  PID:6492
- C:\Windows\System32\dnlPfsL.exe
  C:\Windows\System32\dnlPfsL.exe
  2⤵
  PID:6520
- C:\Windows\System32\GTXNSMD.exe
  C:\Windows\System32\GTXNSMD.exe
  2⤵
  PID:6548
- C:\Windows\System32\fzmnizj.exe
  C:\Windows\System32\fzmnizj.exe
  2⤵
  PID:6576
- C:\Windows\System32\ZUASLXf.exe
  C:\Windows\System32\ZUASLXf.exe
  2⤵
  PID:6604
- C:\Windows\System32\qFJiDDt.exe
  C:\Windows\System32\qFJiDDt.exe
  2⤵
  PID:6632
- C:\Windows\System32\FKsWmfV.exe
  C:\Windows\System32\FKsWmfV.exe
  2⤵
  PID:6660
- C:\Windows\System32\LsnFwDR.exe
  C:\Windows\System32\LsnFwDR.exe
  2⤵
  PID:6688
- C:\Windows\System32\LgecVJe.exe
  C:\Windows\System32\LgecVJe.exe
  2⤵
  PID:6728
- C:\Windows\System32\GkplCfk.exe
  C:\Windows\System32\GkplCfk.exe
  2⤵
  PID:6744
- C:\Windows\System32\hubooit.exe
  C:\Windows\System32\hubooit.exe
  2⤵
  PID:6772
- C:\Windows\System32\xeQlUPv.exe
  C:\Windows\System32\xeQlUPv.exe
  2⤵
  PID:6800
- C:\Windows\System32\udmoPZh.exe
  C:\Windows\System32\udmoPZh.exe
  2⤵
  PID:6828
- C:\Windows\System32\EyrCNWN.exe
  C:\Windows\System32\EyrCNWN.exe
  2⤵
  PID:6856
- C:\Windows\System32\fJAwIyM.exe
  C:\Windows\System32\fJAwIyM.exe
  2⤵
  PID:6884
- C:\Windows\System32\jUDHhkD.exe
  C:\Windows\System32\jUDHhkD.exe
  2⤵
  PID:6912
- C:\Windows\System32\CKpQoCp.exe
  C:\Windows\System32\CKpQoCp.exe
  2⤵
  PID:6940
- C:\Windows\System32\zHtpvub.exe
  C:\Windows\System32\zHtpvub.exe
  2⤵
  PID:6968
- C:\Windows\System32\fdRVPGv.exe
  C:\Windows\System32\fdRVPGv.exe
  2⤵
  PID:6996
- C:\Windows\System32\mrQchzb.exe
  C:\Windows\System32\mrQchzb.exe
  2⤵
  PID:7020
- C:\Windows\System32\OhDDkxP.exe
  C:\Windows\System32\OhDDkxP.exe
  2⤵
  PID:7048
- C:\Windows\System32\cPTlucH.exe
  C:\Windows\System32\cPTlucH.exe
  2⤵
  PID:7080
- C:\Windows\System32\TnmCFjh.exe
  C:\Windows\System32\TnmCFjh.exe
  2⤵
  PID:7108
- C:\Windows\System32\bzpNmSY.exe
  C:\Windows\System32\bzpNmSY.exe
  2⤵
  PID:7136
- C:\Windows\System32\Asbznhx.exe
  C:\Windows\System32\Asbznhx.exe
  2⤵
  PID:7164
- C:\Windows\System32\WxpJITr.exe
  C:\Windows\System32\WxpJITr.exe
  2⤵
  PID:4912
- C:\Windows\System32\WTEzzpc.exe
  C:\Windows\System32\WTEzzpc.exe
  2⤵
  PID:5528
- C:\Windows\System32\xqqLvzb.exe
  C:\Windows\System32\xqqLvzb.exe
  2⤵
  PID:5772
- C:\Windows\System32\QeGJWQD.exe
  C:\Windows\System32\QeGJWQD.exe
  2⤵
  PID:6148
- C:\Windows\System32\BtDXvRM.exe
  C:\Windows\System32\BtDXvRM.exe
  2⤵
  PID:6204
- C:\Windows\System32\ikmmuAr.exe
  C:\Windows\System32\ikmmuAr.exe
  2⤵
  PID:6276
- C:\Windows\System32\aeVCapz.exe
  C:\Windows\System32\aeVCapz.exe
  2⤵
  PID:6332
- C:\Windows\System32\jZAJiYW.exe
  C:\Windows\System32\jZAJiYW.exe
  2⤵
  PID:6392
- C:\Windows\System32\jHUWIeX.exe
  C:\Windows\System32\jHUWIeX.exe
  2⤵
  PID:6448
- C:\Windows\System32\HjogvXt.exe
  C:\Windows\System32\HjogvXt.exe
  2⤵
  PID:6528
- C:\Windows\System32\qYIrrBZ.exe
  C:\Windows\System32\qYIrrBZ.exe
  2⤵
  PID:6588
- C:\Windows\System32\vpAOCbs.exe
  C:\Windows\System32\vpAOCbs.exe
  2⤵
  PID:6644
- C:\Windows\System32\vLQgilD.exe
  C:\Windows\System32\vLQgilD.exe
  2⤵
  PID:6720
- C:\Windows\System32\FMEvNFL.exe
  C:\Windows\System32\FMEvNFL.exe
  2⤵
  PID:4680
- C:\Windows\System32\IjmiLJE.exe
  C:\Windows\System32\IjmiLJE.exe
  2⤵
  PID:6836
- C:\Windows\System32\FFbsRAA.exe
  C:\Windows\System32\FFbsRAA.exe
  2⤵
  PID:6904
- C:\Windows\System32\rcqoxKh.exe
  C:\Windows\System32\rcqoxKh.exe
  2⤵
  PID:6948
- C:\Windows\System32\cJzvAis.exe
  C:\Windows\System32\cJzvAis.exe
  2⤵
  PID:7028
- C:\Windows\System32\AYHmZuE.exe
  C:\Windows\System32\AYHmZuE.exe
  2⤵
  PID:7092
- C:\Windows\System32\LvZUREH.exe
  C:\Windows\System32\LvZUREH.exe
  2⤵
  PID:3832
- C:\Windows\System32\NhoMqqO.exe
  C:\Windows\System32\NhoMqqO.exe
  2⤵
  PID:2428
- C:\Windows\System32\udXJNaE.exe
  C:\Windows\System32\udXJNaE.exe
  2⤵
  PID:5968
- C:\Windows\System32\dfaiPsu.exe
  C:\Windows\System32\dfaiPsu.exe
  2⤵
  PID:6232
- C:\Windows\System32\aiHcNIM.exe
  C:\Windows\System32\aiHcNIM.exe
  2⤵
  PID:6372
- C:\Windows\System32\kHLgwlV.exe
  C:\Windows\System32\kHLgwlV.exe
  2⤵
  PID:6484
- C:\Windows\System32\ZNNanFA.exe
  C:\Windows\System32\ZNNanFA.exe
  2⤵
  PID:6672
- C:\Windows\System32\uJXdECR.exe
  C:\Windows\System32\uJXdECR.exe
  2⤵
  PID:6784
- C:\Windows\System32\ltdocBh.exe
  C:\Windows\System32\ltdocBh.exe
  2⤵
  PID:6988
- C:\Windows\System32\puOevkH.exe
  C:\Windows\System32\puOevkH.exe
  2⤵
  PID:7056
- C:\Windows\System32\BdkKXEZ.exe
  C:\Windows\System32\BdkKXEZ.exe
  2⤵
  PID:6136
- C:\Windows\System32\ymiTZIK.exe
  C:\Windows\System32\ymiTZIK.exe
  2⤵
  PID:6192
- C:\Windows\System32\rCECwtU.exe
  C:\Windows\System32\rCECwtU.exe
  2⤵
  PID:6456
- C:\Windows\System32\TeekgOn.exe
  C:\Windows\System32\TeekgOn.exe
  2⤵
  PID:7180
- C:\Windows\System32\UdyTztQ.exe
  C:\Windows\System32\UdyTztQ.exe
  2⤵
  PID:7196
- C:\Windows\System32\ObyiyaN.exe
  C:\Windows\System32\ObyiyaN.exe
  2⤵
  PID:7224
- C:\Windows\System32\apfhidH.exe
  C:\Windows\System32\apfhidH.exe
  2⤵
  PID:7264
- C:\Windows\System32\qLmGVRj.exe
  C:\Windows\System32\qLmGVRj.exe
  2⤵
  PID:7280
- C:\Windows\System32\WVdldUw.exe
  C:\Windows\System32\WVdldUw.exe
  2⤵
  PID:7308
- C:\Windows\System32\NdPPbth.exe
  C:\Windows\System32\NdPPbth.exe
  2⤵
  PID:7336
- C:\Windows\System32\lBBGDPE.exe
  C:\Windows\System32\lBBGDPE.exe
  2⤵
  PID:7364
- C:\Windows\System32\OqfdFBl.exe
  C:\Windows\System32\OqfdFBl.exe
  2⤵
  PID:7392
- C:\Windows\System32\qeydAqD.exe
  C:\Windows\System32\qeydAqD.exe
  2⤵
  PID:7420
- C:\Windows\System32\cjyCJjc.exe
  C:\Windows\System32\cjyCJjc.exe
  2⤵
  PID:7444
- C:\Windows\System32\HJtZNLJ.exe
  C:\Windows\System32\HJtZNLJ.exe
  2⤵
  PID:7476
- C:\Windows\System32\osdnQZR.exe
  C:\Windows\System32\osdnQZR.exe
  2⤵
  PID:7504
- C:\Windows\System32\jxbFcNr.exe
  C:\Windows\System32\jxbFcNr.exe
  2⤵
  PID:7532
- C:\Windows\System32\bOITogH.exe
  C:\Windows\System32\bOITogH.exe
  2⤵
  PID:7560
- C:\Windows\System32\tINolRj.exe
  C:\Windows\System32\tINolRj.exe
  2⤵
  PID:7608
- C:\Windows\System32\HUGxhBf.exe
  C:\Windows\System32\HUGxhBf.exe
  2⤵
  PID:7632
- C:\Windows\System32\PxMcrpr.exe
  C:\Windows\System32\PxMcrpr.exe
  2⤵
  PID:7652
- C:\Windows\System32\wiVpweE.exe
  C:\Windows\System32\wiVpweE.exe
  2⤵
  PID:7668
- C:\Windows\System32\DIdlEHd.exe
  C:\Windows\System32\DIdlEHd.exe
  2⤵
  PID:7688
- C:\Windows\System32\mmNntxt.exe
  C:\Windows\System32\mmNntxt.exe
  2⤵
  PID:7748
- C:\Windows\System32\bvWHCHZ.exe
  C:\Windows\System32\bvWHCHZ.exe
  2⤵
  PID:7784
- C:\Windows\System32\XYoCuKk.exe
  C:\Windows\System32\XYoCuKk.exe
  2⤵
  PID:7808
- C:\Windows\System32\psbLuwZ.exe
  C:\Windows\System32\psbLuwZ.exe
  2⤵
  PID:7836
- C:\Windows\System32\XdrRqOf.exe
  C:\Windows\System32\XdrRqOf.exe
  2⤵
  PID:7864
- C:\Windows\System32\vugnBbz.exe
  C:\Windows\System32\vugnBbz.exe
  2⤵
  PID:7916
- C:\Windows\System32\rHEWfDX.exe
  C:\Windows\System32\rHEWfDX.exe
  2⤵
  PID:7944
- C:\Windows\System32\gGvaHOq.exe
  C:\Windows\System32\gGvaHOq.exe
  2⤵
  PID:7988
- C:\Windows\System32\QXLCWQJ.exe
  C:\Windows\System32\QXLCWQJ.exe
  2⤵
  PID:8004
- C:\Windows\System32\OPOVreP.exe
  C:\Windows\System32\OPOVreP.exe
  2⤵
  PID:8020
- C:\Windows\System32\CjrjQcE.exe
  C:\Windows\System32\CjrjQcE.exe
  2⤵
  PID:8044
- C:\Windows\System32\MiNXrMY.exe
  C:\Windows\System32\MiNXrMY.exe
  2⤵
  PID:8136
- C:\Windows\System32\MTcagjj.exe
  C:\Windows\System32\MTcagjj.exe
  2⤵
  PID:8172
- C:\Windows\System32\UQaADKB.exe
  C:\Windows\System32\UQaADKB.exe
  2⤵
  PID:1628
- C:\Windows\System32\BPUDeoM.exe
  C:\Windows\System32\BPUDeoM.exe
  2⤵
  PID:1696
- C:\Windows\System32\pqBvJQx.exe
  C:\Windows\System32\pqBvJQx.exe
  2⤵
  PID:6344
- C:\Windows\System32\eBnIcBC.exe
  C:\Windows\System32\eBnIcBC.exe
  2⤵
  PID:6540
- C:\Windows\System32\aSolCRb.exe
  C:\Windows\System32\aSolCRb.exe
  2⤵
  PID:7272
- C:\Windows\System32\OgXKnST.exe
  C:\Windows\System32\OgXKnST.exe
  2⤵
  PID:7320
- C:\Windows\System32\EpWiSmM.exe
  C:\Windows\System32\EpWiSmM.exe
  2⤵
  PID:7356
- C:\Windows\System32\QevPPse.exe
  C:\Windows\System32\QevPPse.exe
  2⤵
  PID:2756
- C:\Windows\System32\ecLxlBW.exe
  C:\Windows\System32\ecLxlBW.exe
  2⤵
  PID:7440
- C:\Windows\System32\piTyBsx.exe
  C:\Windows\System32\piTyBsx.exe
  2⤵
  PID:7460
- C:\Windows\System32\BRsrsrX.exe
  C:\Windows\System32\BRsrsrX.exe
  2⤵
  PID:2528
- C:\Windows\System32\hPrkmAu.exe
  C:\Windows\System32\hPrkmAu.exe
  2⤵
  PID:7512
- C:\Windows\System32\bLnEgvH.exe
  C:\Windows\System32\bLnEgvH.exe
  2⤵
  PID:2548
- C:\Windows\System32\NOpfWIk.exe
  C:\Windows\System32\NOpfWIk.exe
  2⤵
  PID:7544
- C:\Windows\System32\tXAUsUG.exe
  C:\Windows\System32\tXAUsUG.exe
  2⤵
  PID:7732
- C:\Windows\System32\mihBbPj.exe
  C:\Windows\System32\mihBbPj.exe
  2⤵
  PID:7768
- C:\Windows\System32\HRuTMrR.exe
  C:\Windows\System32\HRuTMrR.exe
  2⤵
  PID:7888
- C:\Windows\System32\kjIkWPv.exe
  C:\Windows\System32\kjIkWPv.exe
  2⤵
  PID:7900
- C:\Windows\System32\JqNkAUJ.exe
  C:\Windows\System32\JqNkAUJ.exe
  2⤵
  PID:7940
- C:\Windows\System32\acOPiJz.exe
  C:\Windows\System32\acOPiJz.exe
  2⤵
  PID:8052
- C:\Windows\System32\oBTpWhR.exe
  C:\Windows\System32\oBTpWhR.exe
  2⤵
  PID:8180
- C:\Windows\System32\ctTiQLb.exe
  C:\Windows\System32\ctTiQLb.exe
  2⤵
  PID:4648
- C:\Windows\System32\ZgRmEHK.exe
  C:\Windows\System32\ZgRmEHK.exe
  2⤵
  PID:7148
- C:\Windows\System32\ptiXMui.exe
  C:\Windows\System32\ptiXMui.exe
  2⤵
  PID:7208
- C:\Windows\System32\pZwdcPY.exe
  C:\Windows\System32\pZwdcPY.exe
  2⤵
  PID:7708
- C:\Windows\System32\kHSjSFN.exe
  C:\Windows\System32\kHSjSFN.exe
  2⤵
  PID:7188
- C:\Windows\System32\eJMYHmq.exe
  C:\Windows\System32\eJMYHmq.exe
  2⤵
  PID:7376
- C:\Windows\System32\rrMDBtk.exe
  C:\Windows\System32\rrMDBtk.exe
  2⤵
  PID:4172
- C:\Windows\System32\cJMAmgY.exe
  C:\Windows\System32\cJMAmgY.exe
  2⤵
  PID:4932
- C:\Windows\System32\jidAWkl.exe
  C:\Windows\System32\jidAWkl.exe
  2⤵
  PID:7648
- C:\Windows\System32\lFlbsPu.exe
  C:\Windows\System32\lFlbsPu.exe
  2⤵
  PID:8036
- C:\Windows\System32\zljmLmG.exe
  C:\Windows\System32\zljmLmG.exe
  2⤵
  PID:8144
- C:\Windows\System32\nydQlYv.exe
  C:\Windows\System32\nydQlYv.exe
  2⤵
  PID:1468
- C:\Windows\System32\PsIpiMQ.exe
  C:\Windows\System32\PsIpiMQ.exe
  2⤵
  PID:7292
- C:\Windows\System32\gGwCHLD.exe
  C:\Windows\System32\gGwCHLD.exe
  2⤵
  PID:7664
- C:\Windows\System32\qOOFOIZ.exe
  C:\Windows\System32\qOOFOIZ.exe
  2⤵
  PID:7792
- C:\Windows\System32\EVmnkUo.exe
  C:\Windows\System32\EVmnkUo.exe
  2⤵
  PID:904
- C:\Windows\System32\RSlojvJ.exe
  C:\Windows\System32\RSlojvJ.exe
  2⤵
  PID:5032
- C:\Windows\System32\rmLFgOT.exe
  C:\Windows\System32\rmLFgOT.exe
  2⤵
  PID:7328
- C:\Windows\System32\jRXwlvq.exe
  C:\Windows\System32\jRXwlvq.exe
  2⤵
  PID:8220
- C:\Windows\System32\nqEgKgp.exe
  C:\Windows\System32\nqEgKgp.exe
  2⤵
  PID:8248
- C:\Windows\System32\xPntnos.exe
  C:\Windows\System32\xPntnos.exe
  2⤵
  PID:8276
- C:\Windows\System32\AUpnLfx.exe
  C:\Windows\System32\AUpnLfx.exe
  2⤵
  PID:8292
- C:\Windows\System32\zYNamKi.exe
  C:\Windows\System32\zYNamKi.exe
  2⤵
  PID:8340
- C:\Windows\System32\pUOgRgU.exe
  C:\Windows\System32\pUOgRgU.exe
  2⤵
  PID:8364
- C:\Windows\System32\FWJONgW.exe
  C:\Windows\System32\FWJONgW.exe
  2⤵
  PID:8380
- C:\Windows\System32\TPFMPwg.exe
  C:\Windows\System32\TPFMPwg.exe
  2⤵
  PID:8420
- C:\Windows\System32\AfrCaIB.exe
  C:\Windows\System32\AfrCaIB.exe
  2⤵
  PID:8436
- C:\Windows\System32\bOFHFka.exe
  C:\Windows\System32\bOFHFka.exe
  2⤵
  PID:8472
- C:\Windows\System32\UtvCqsx.exe
  C:\Windows\System32\UtvCqsx.exe
  2⤵
  PID:8492
- C:\Windows\System32\ONbQxFq.exe
  C:\Windows\System32\ONbQxFq.exe
  2⤵
  PID:8520
- C:\Windows\System32\GvKUVzC.exe
  C:\Windows\System32\GvKUVzC.exe
  2⤵
  PID:8560
- C:\Windows\System32\XISDmJN.exe
  C:\Windows\System32\XISDmJN.exe
  2⤵
  PID:8576
- C:\Windows\System32\VRRncNZ.exe
  C:\Windows\System32\VRRncNZ.exe
  2⤵
  PID:8616
- C:\Windows\System32\XVyWqks.exe
  C:\Windows\System32\XVyWqks.exe
  2⤵
  PID:8644
- C:\Windows\System32\cvPinkF.exe
  C:\Windows\System32\cvPinkF.exe
  2⤵
  PID:8676
- C:\Windows\System32\JhzwaUT.exe
  C:\Windows\System32\JhzwaUT.exe
  2⤵
  PID:8700
- C:\Windows\System32\znhBPJi.exe
  C:\Windows\System32\znhBPJi.exe
  2⤵
  PID:8736
- C:\Windows\System32\fxlUJbj.exe
  C:\Windows\System32\fxlUJbj.exe
  2⤵
  PID:8752
- C:\Windows\System32\zofrGbQ.exe
  C:\Windows\System32\zofrGbQ.exe
  2⤵
  PID:8788
- C:\Windows\System32\tXeZjLE.exe
  C:\Windows\System32\tXeZjLE.exe
  2⤵
  PID:8808
- C:\Windows\System32\cMbsDHJ.exe
  C:\Windows\System32\cMbsDHJ.exe
  2⤵
  PID:8840
- C:\Windows\System32\skPtCxd.exe
  C:\Windows\System32\skPtCxd.exe
  2⤵
  PID:8864
- C:\Windows\System32\nRgdxJi.exe
  C:\Windows\System32\nRgdxJi.exe
  2⤵
  PID:8912
- C:\Windows\System32\kSPvPLu.exe
  C:\Windows\System32\kSPvPLu.exe
  2⤵
  PID:8948
- C:\Windows\System32\aLjArjA.exe
  C:\Windows\System32\aLjArjA.exe
  2⤵
  PID:8968
- C:\Windows\System32\rMjroId.exe
  C:\Windows\System32\rMjroId.exe
  2⤵
  PID:9004
- C:\Windows\System32\VnfEtcl.exe
  C:\Windows\System32\VnfEtcl.exe
  2⤵
  PID:9032
- C:\Windows\System32\WnDoAXm.exe
  C:\Windows\System32\WnDoAXm.exe
  2⤵
  PID:9060
- C:\Windows\System32\ssslffk.exe
  C:\Windows\System32\ssslffk.exe
  2⤵
  PID:9092
- C:\Windows\System32\iWwcIyd.exe
  C:\Windows\System32\iWwcIyd.exe
  2⤵
  PID:9132
- C:\Windows\System32\ixsoMPk.exe
  C:\Windows\System32\ixsoMPk.exe
  2⤵
  PID:9164
- C:\Windows\System32\KAEqkzs.exe
  C:\Windows\System32\KAEqkzs.exe
  2⤵
  PID:9196
- C:\Windows\System32\wYiiSwV.exe
  C:\Windows\System32\wYiiSwV.exe
  2⤵
  PID:7852
- C:\Windows\System32\pOYiuDf.exe
  C:\Windows\System32\pOYiuDf.exe
  2⤵
  PID:8236
- C:\Windows\System32\tYcXlLh.exe
  C:\Windows\System32\tYcXlLh.exe
  2⤵
  PID:8352
- C:\Windows\System32\yWPKSzC.exe
  C:\Windows\System32\yWPKSzC.exe
  2⤵
  PID:8400
- C:\Windows\System32\oTMyxGV.exe
  C:\Windows\System32\oTMyxGV.exe
  2⤵
  PID:8448
- C:\Windows\System32\JlrYiFi.exe
  C:\Windows\System32\JlrYiFi.exe
  2⤵
  PID:8484
- C:\Windows\System32\NfJyvFg.exe
  C:\Windows\System32\NfJyvFg.exe
  2⤵
  PID:8572
- C:\Windows\System32\YKBxYzv.exe
  C:\Windows\System32\YKBxYzv.exe
  2⤵
  PID:8664
- C:\Windows\System32\cfCYENR.exe
  C:\Windows\System32\cfCYENR.exe
  2⤵
  PID:8732
- C:\Windows\System32\hkdzfcJ.exe
  C:\Windows\System32\hkdzfcJ.exe
  2⤵
  PID:8776
- C:\Windows\System32\uESZKHl.exe
  C:\Windows\System32\uESZKHl.exe
  2⤵
  PID:8828
- C:\Windows\System32\yslxZnp.exe
  C:\Windows\System32\yslxZnp.exe
  2⤵
  PID:8900
- C:\Windows\System32\puDMKhS.exe
  C:\Windows\System32\puDMKhS.exe
  2⤵
  PID:8964
- C:\Windows\System32\IdNABwy.exe
  C:\Windows\System32\IdNABwy.exe
  2⤵
  PID:9088
- C:\Windows\System32\NnOufFa.exe
  C:\Windows\System32\NnOufFa.exe
  2⤵
  PID:9140
- C:\Windows\System32\mrDvqvt.exe
  C:\Windows\System32\mrDvqvt.exe
  2⤵
  PID:9208
- C:\Windows\System32\zwFadWs.exe
  C:\Windows\System32\zwFadWs.exe
  2⤵
  PID:8324
- C:\Windows\System32\gHCLOTz.exe
  C:\Windows\System32\gHCLOTz.exe
  2⤵
  PID:8428
- C:\Windows\System32\fGZeLqG.exe
  C:\Windows\System32\fGZeLqG.exe
  2⤵
  PID:8544
- C:\Windows\System32\bIRaPab.exe
  C:\Windows\System32\bIRaPab.exe
  2⤵
  PID:8796
- C:\Windows\System32\KVjUrQk.exe
  C:\Windows\System32\KVjUrQk.exe
  2⤵
  PID:8960
- C:\Windows\System32\TtqheGX.exe
  C:\Windows\System32\TtqheGX.exe
  2⤵
  PID:8976
- C:\Windows\System32\NBeIDet.exe
  C:\Windows\System32\NBeIDet.exe
  2⤵
  PID:8212
- C:\Windows\System32\feLPznr.exe
  C:\Windows\System32\feLPznr.exe
  2⤵
  PID:8656
- C:\Windows\System32\rUUJcYm.exe
  C:\Windows\System32\rUUJcYm.exe
  2⤵
  PID:4452
- C:\Windows\System32\nkLlghl.exe
  C:\Windows\System32\nkLlghl.exe
  2⤵
  PID:9112
- C:\Windows\System32\kfxGbrw.exe
  C:\Windows\System32\kfxGbrw.exe
  2⤵
  PID:9232
- C:\Windows\System32\akovliz.exe
  C:\Windows\System32\akovliz.exe
  2⤵
  PID:9260
- C:\Windows\System32\KVtEHAz.exe
  C:\Windows\System32\KVtEHAz.exe
  2⤵
  PID:9276
- C:\Windows\System32\FeSFDql.exe
  C:\Windows\System32\FeSFDql.exe
  2⤵
  PID:9328
- C:\Windows\System32\sIgjfEN.exe
  C:\Windows\System32\sIgjfEN.exe
  2⤵
  PID:9344
- C:\Windows\System32\rMKiFOX.exe
  C:\Windows\System32\rMKiFOX.exe
  2⤵
  PID:9372
- C:\Windows\System32\yzZpbPw.exe
  C:\Windows\System32\yzZpbPw.exe
  2⤵
  PID:9388
- C:\Windows\System32\oUkctXK.exe
  C:\Windows\System32\oUkctXK.exe
  2⤵
  PID:9416
- C:\Windows\System32\UaIdkfg.exe
  C:\Windows\System32\UaIdkfg.exe
  2⤵
  PID:9448
- C:\Windows\System32\IaWdsVE.exe
  C:\Windows\System32\IaWdsVE.exe
  2⤵
  PID:9472
- C:\Windows\System32\SkdJiBu.exe
  C:\Windows\System32\SkdJiBu.exe
  2⤵
  PID:9492
- C:\Windows\System32\xLbxskw.exe
  C:\Windows\System32\xLbxskw.exe
  2⤵
  PID:9532
- C:\Windows\System32\RemQhui.exe
  C:\Windows\System32\RemQhui.exe
  2⤵
  PID:9576
- C:\Windows\System32\pZFBbeL.exe
  C:\Windows\System32\pZFBbeL.exe
  2⤵
  PID:9596
- C:\Windows\System32\jgGQajs.exe
  C:\Windows\System32\jgGQajs.exe
  2⤵
  PID:9612
- C:\Windows\System32\jnsKizQ.exe
  C:\Windows\System32\jnsKizQ.exe
  2⤵
  PID:9636
- C:\Windows\System32\lmuyRVl.exe
  C:\Windows\System32\lmuyRVl.exe
  2⤵
  PID:9680
- C:\Windows\System32\TZqsfhV.exe
  C:\Windows\System32\TZqsfhV.exe
  2⤵
  PID:9708
- C:\Windows\System32\okYepPo.exe
  C:\Windows\System32\okYepPo.exe
  2⤵
  PID:9736
- C:\Windows\System32\CCjbBuy.exe
  C:\Windows\System32\CCjbBuy.exe
  2⤵
  PID:9764
- C:\Windows\System32\MhPALsn.exe
  C:\Windows\System32\MhPALsn.exe
  2⤵
  PID:9792
- C:\Windows\System32\WShPQNR.exe
  C:\Windows\System32\WShPQNR.exe
  2⤵
  PID:9820
- C:\Windows\System32\UHDQykl.exe
  C:\Windows\System32\UHDQykl.exe
  2⤵
  PID:9848
- C:\Windows\System32\BKPUMMl.exe
  C:\Windows\System32\BKPUMMl.exe
  2⤵
  PID:9876
- C:\Windows\System32\QgBFlup.exe
  C:\Windows\System32\QgBFlup.exe
  2⤵
  PID:9904
- C:\Windows\System32\tmEiRhE.exe
  C:\Windows\System32\tmEiRhE.exe
  2⤵
  PID:9920
- C:\Windows\System32\ILHDWdX.exe
  C:\Windows\System32\ILHDWdX.exe
  2⤵
  PID:9940
- C:\Windows\System32\ANrTTLe.exe
  C:\Windows\System32\ANrTTLe.exe
  2⤵
  PID:9984
- C:\Windows\System32\jKBgJtr.exe
  C:\Windows\System32\jKBgJtr.exe
  2⤵
  PID:10016
- C:\Windows\System32\eymywHh.exe
  C:\Windows\System32\eymywHh.exe
  2⤵
  PID:10044
- C:\Windows\System32\fbLCCLQ.exe
  C:\Windows\System32\fbLCCLQ.exe
  2⤵
  PID:10072
- C:\Windows\System32\ADwuDQh.exe
  C:\Windows\System32\ADwuDQh.exe
  2⤵
  PID:10092
- C:\Windows\System32\KypOOzk.exe
  C:\Windows\System32\KypOOzk.exe
  2⤵
  PID:10116
- C:\Windows\System32\WYkIUQl.exe
  C:\Windows\System32\WYkIUQl.exe
  2⤵
  PID:10152
- C:\Windows\System32\xRwCsEa.exe
  C:\Windows\System32\xRwCsEa.exe
  2⤵
  PID:10172
- C:\Windows\System32\oOEysrJ.exe
  C:\Windows\System32\oOEysrJ.exe
  2⤵
  PID:10212
- C:\Windows\System32\TLtqAIG.exe
  C:\Windows\System32\TLtqAIG.exe
  2⤵
  PID:10232
- C:\Windows\System32\VABpqtb.exe
  C:\Windows\System32\VABpqtb.exe
  2⤵
  PID:9044
- C:\Windows\System32\XVTLhWM.exe
  C:\Windows\System32\XVTLhWM.exe
  2⤵
  PID:9252
- C:\Windows\System32\fZawUKd.exe
  C:\Windows\System32\fZawUKd.exe
  2⤵
  PID:9352
- C:\Windows\System32\IfsIlha.exe
  C:\Windows\System32\IfsIlha.exe
  2⤵
  PID:9456
- C:\Windows\System32\EscsiVb.exe
  C:\Windows\System32\EscsiVb.exe
  2⤵
  PID:9480
- C:\Windows\System32\eFxgncc.exe
  C:\Windows\System32\eFxgncc.exe
  2⤵
  PID:9548
- C:\Windows\System32\NOEChMy.exe
  C:\Windows\System32\NOEChMy.exe
  2⤵
  PID:9608
- C:\Windows\System32\gsDcZxp.exe
  C:\Windows\System32\gsDcZxp.exe
  2⤵
  PID:9676
- C:\Windows\System32\HaCytEO.exe
  C:\Windows\System32\HaCytEO.exe
  2⤵
  PID:9744
- C:\Windows\System32\DmKTJpi.exe
  C:\Windows\System32\DmKTJpi.exe
  2⤵
  PID:9804
- C:\Windows\System32\oPnVevy.exe
  C:\Windows\System32\oPnVevy.exe
  2⤵
  PID:9872
- C:\Windows\System32\UWZRTNM.exe
  C:\Windows\System32\UWZRTNM.exe
  2⤵
  PID:9968
- C:\Windows\System32\MrAeGZc.exe
  C:\Windows\System32\MrAeGZc.exe
  2⤵
  PID:10004
- C:\Windows\System32\czONfah.exe
  C:\Windows\System32\czONfah.exe
  2⤵
  PID:10108
- C:\Windows\System32\fyCSVPa.exe
  C:\Windows\System32\fyCSVPa.exe
  2⤵
  PID:10184
- C:\Windows\System32\tUDeMmx.exe
  C:\Windows\System32\tUDeMmx.exe
  2⤵
  PID:10208
- C:\Windows\System32\tiEAcYP.exe
  C:\Windows\System32\tiEAcYP.exe
  2⤵
  PID:9312
- C:\Windows\System32\jiGiyUJ.exe
  C:\Windows\System32\jiGiyUJ.exe
  2⤵
  PID:9404
- C:\Windows\System32\ReIBVrq.exe
  C:\Windows\System32\ReIBVrq.exe
  2⤵
  PID:9632
- C:\Windows\System32\RmtoFqd.exe
  C:\Windows\System32\RmtoFqd.exe
  2⤵
  PID:9720
- C:\Windows\System32\jLLEmJA.exe
  C:\Windows\System32\jLLEmJA.exe
  2⤵
  PID:9888
- C:\Windows\System32\PUEPkAh.exe
  C:\Windows\System32\PUEPkAh.exe
  2⤵
  PID:10060
- C:\Windows\System32\FgsnCzz.exe
  C:\Windows\System32\FgsnCzz.exe
  2⤵
  PID:10164
- C:\Windows\System32\qcyfORi.exe
  C:\Windows\System32\qcyfORi.exe
  2⤵
  PID:9520
- C:\Windows\System32\KWEVWto.exe
  C:\Windows\System32\KWEVWto.exe
  2⤵
  PID:9728
- C:\Windows\System32\kkdhpNz.exe
  C:\Windows\System32\kkdhpNz.exe
  2⤵
  PID:10144
- C:\Windows\System32\VpRsaKE.exe
  C:\Windows\System32\VpRsaKE.exe
  2⤵
  PID:9832
- C:\Windows\System32\cBndJWJ.exe
  C:\Windows\System32\cBndJWJ.exe
  2⤵
  PID:10252
- C:\Windows\System32\oDvrBFs.exe
  C:\Windows\System32\oDvrBFs.exe
  2⤵
  PID:10272
- C:\Windows\System32\phRnQoO.exe
  C:\Windows\System32\phRnQoO.exe
  2⤵
  PID:10288
- C:\Windows\System32\bxqWYsX.exe
  C:\Windows\System32\bxqWYsX.exe
  2⤵
  PID:10320
- C:\Windows\System32\CmWfLNE.exe
  C:\Windows\System32\CmWfLNE.exe
  2⤵
  PID:10368
- C:\Windows\System32\hUiaALv.exe
  C:\Windows\System32\hUiaALv.exe
  2⤵
  PID:10396
- C:\Windows\System32\PKoWJEG.exe
  C:\Windows\System32\PKoWJEG.exe
  2⤵
  PID:10412
- C:\Windows\System32\hiafLeA.exe
  C:\Windows\System32\hiafLeA.exe
  2⤵
  PID:10428
- C:\Windows\System32\shptGbn.exe
  C:\Windows\System32\shptGbn.exe
  2⤵
  PID:10480
- C:\Windows\System32\mgMJlEI.exe
  C:\Windows\System32\mgMJlEI.exe
  2⤵
  PID:10504
- C:\Windows\System32\UfwCSof.exe
  C:\Windows\System32\UfwCSof.exe
  2⤵
  PID:10540
- C:\Windows\System32\PyFvSZj.exe
  C:\Windows\System32\PyFvSZj.exe
  2⤵
  PID:10560
- C:\Windows\System32\iRqPLUK.exe
  C:\Windows\System32\iRqPLUK.exe
  2⤵
  PID:10624
- C:\Windows\System32\KlwpyEk.exe
  C:\Windows\System32\KlwpyEk.exe
  2⤵
  PID:10648
- C:\Windows\System32\bXyqQff.exe
  C:\Windows\System32\bXyqQff.exe
  2⤵
  PID:10680
- C:\Windows\System32\vXpfEFs.exe
  C:\Windows\System32\vXpfEFs.exe
  2⤵
  PID:10720
- C:\Windows\System32\KrVMyuh.exe
  C:\Windows\System32\KrVMyuh.exe
  2⤵
  PID:10736
- C:\Windows\System32\PmzBDvj.exe
  C:\Windows\System32\PmzBDvj.exe
  2⤵
  PID:10768
- C:\Windows\System32\moTJbQE.exe
  C:\Windows\System32\moTJbQE.exe
  2⤵
  PID:10800
- C:\Windows\System32\trMoyqf.exe
  C:\Windows\System32\trMoyqf.exe
  2⤵
  PID:10836
- C:\Windows\System32\dyQGVpw.exe
  C:\Windows\System32\dyQGVpw.exe
  2⤵
  PID:10864
- C:\Windows\System32\koPtmJo.exe
  C:\Windows\System32\koPtmJo.exe
  2⤵
  PID:10892
- C:\Windows\System32\merIWZC.exe
  C:\Windows\System32\merIWZC.exe
  2⤵
  PID:10920
- C:\Windows\System32\ZoIacgt.exe
  C:\Windows\System32\ZoIacgt.exe
  2⤵
  PID:10936
- C:\Windows\System32\QxjfeEy.exe
  C:\Windows\System32\QxjfeEy.exe
  2⤵
  PID:10972
- C:\Windows\System32\oRTjSNr.exe
  C:\Windows\System32\oRTjSNr.exe
  2⤵
  PID:11000
- C:\Windows\System32\qUWFxLy.exe
  C:\Windows\System32\qUWFxLy.exe
  2⤵
  PID:11020
- C:\Windows\System32\ceQyjXK.exe
  C:\Windows\System32\ceQyjXK.exe
  2⤵
  PID:11056
- C:\Windows\System32\GyATDCM.exe
  C:\Windows\System32\GyATDCM.exe
  2⤵
  PID:11080
- C:\Windows\System32\uztLErl.exe
  C:\Windows\System32\uztLErl.exe
  2⤵
  PID:11104
- C:\Windows\System32\wnBsYtS.exe
  C:\Windows\System32\wnBsYtS.exe
  2⤵
  PID:11140
- C:\Windows\System32\LlgfXDP.exe
  C:\Windows\System32\LlgfXDP.exe
  2⤵
  PID:11172
- C:\Windows\System32\JPnPjVR.exe
  C:\Windows\System32\JPnPjVR.exe
  2⤵
  PID:11204
- C:\Windows\System32\aQiAXGW.exe
  C:\Windows\System32\aQiAXGW.exe
  2⤵
  PID:11236
- C:\Windows\System32\rcQiIcB.exe
  C:\Windows\System32\rcQiIcB.exe
  2⤵
  PID:9408
- C:\Windows\System32\aBJdayE.exe
  C:\Windows\System32\aBJdayE.exe
  2⤵
  PID:10280
- C:\Windows\System32\pRcUZPq.exe
  C:\Windows\System32\pRcUZPq.exe
  2⤵
  PID:10380
- C:\Windows\System32\irRqBWz.exe
  C:\Windows\System32\irRqBWz.exe
  2⤵
  PID:10420
- C:\Windows\System32\quxsmha.exe
  C:\Windows\System32\quxsmha.exe
  2⤵
  PID:10488
- C:\Windows\System32\MygUOhD.exe
  C:\Windows\System32\MygUOhD.exe
  2⤵
  PID:10568
- C:\Windows\System32\FvIoREE.exe
  C:\Windows\System32\FvIoREE.exe
  2⤵
  PID:10692
- C:\Windows\System32\vyGMUtQ.exe
  C:\Windows\System32\vyGMUtQ.exe
  2⤵
  PID:10752
- C:\Windows\System32\FRWAaOU.exe
  C:\Windows\System32\FRWAaOU.exe
  2⤵
  PID:10904
- C:\Windows\System32\GvJIDwU.exe
  C:\Windows\System32\GvJIDwU.exe
  2⤵
  PID:10952
- C:\Windows\System32\ExpjpLZ.exe
  C:\Windows\System32\ExpjpLZ.exe
  2⤵
  PID:11016
- C:\Windows\System32\BrrapDq.exe
  C:\Windows\System32\BrrapDq.exe
  2⤵
  PID:11068
- C:\Windows\System32\jwvUgCr.exe
  C:\Windows\System32\jwvUgCr.exe
  2⤵
  PID:11132
- C:\Windows\System32\cTllSvz.exe
  C:\Windows\System32\cTllSvz.exe
  2⤵
  PID:11228
- C:\Windows\System32\TNIYTKo.exe
  C:\Windows\System32\TNIYTKo.exe
  2⤵
  PID:10260
- C:\Windows\System32\zKIkdmC.exe
  C:\Windows\System32\zKIkdmC.exe
  2⤵
  PID:10468
- C:\Windows\System32\BPUFtYy.exe
  C:\Windows\System32\BPUFtYy.exe
  2⤵
  PID:10596
- C:\Windows\System32\KaEajLF.exe
  C:\Windows\System32\KaEajLF.exe
  2⤵
  PID:8720
- C:\Windows\System32\SZonCMD.exe
  C:\Windows\System32\SZonCMD.exe
  2⤵
  PID:7956
- C:\Windows\System32\jXRLKYj.exe
  C:\Windows\System32\jXRLKYj.exe
  2⤵
  PID:11012
- C:\Windows\System32\SOQWOIO.exe
  C:\Windows\System32\SOQWOIO.exe
  2⤵
  PID:11100
- C:\Windows\System32\AjshETC.exe
  C:\Windows\System32\AjshETC.exe
  2⤵
  PID:10344
- C:\Windows\System32\Zkklbax.exe
  C:\Windows\System32\Zkklbax.exe
  2⤵
  PID:10556
- C:\Windows\System32\KSfMcyx.exe
  C:\Windows\System32\KSfMcyx.exe
  2⤵
  PID:10748
- C:\Windows\System32\SKlgFIr.exe
  C:\Windows\System32\SKlgFIr.exe
  2⤵
  PID:11196
- C:\Windows\System32\DrMSouG.exe
  C:\Windows\System32\DrMSouG.exe
  2⤵
  PID:10404
- C:\Windows\System32\jiDzblW.exe
  C:\Windows\System32\jiDzblW.exe
  2⤵
  PID:11304
- C:\Windows\System32\XRZBMiz.exe
  C:\Windows\System32\XRZBMiz.exe
  2⤵
  PID:11336
- C:\Windows\System32\xsDNbID.exe
  C:\Windows\System32\xsDNbID.exe
  2⤵
  PID:11376
- C:\Windows\System32\pvvQrPg.exe
  C:\Windows\System32\pvvQrPg.exe
  2⤵
  PID:11400
- C:\Windows\System32\PUhYuIO.exe
  C:\Windows\System32\PUhYuIO.exe
  2⤵
  PID:11440
- C:\Windows\System32\rdYPKOF.exe
  C:\Windows\System32\rdYPKOF.exe
  2⤵
  PID:11472
- C:\Windows\System32\HLQgJYd.exe
  C:\Windows\System32\HLQgJYd.exe
  2⤵
  PID:11488
- C:\Windows\System32\tBHUvsL.exe
  C:\Windows\System32\tBHUvsL.exe
  2⤵
  PID:11528
- C:\Windows\System32\XgesRta.exe
  C:\Windows\System32\XgesRta.exe
  2⤵
  PID:11548
- C:\Windows\System32\JJuZPkE.exe
  C:\Windows\System32\JJuZPkE.exe
  2⤵
  PID:11584
- C:\Windows\System32\gtBwdCg.exe
  C:\Windows\System32\gtBwdCg.exe
  2⤵
  PID:11608
- C:\Windows\System32\odnRpNv.exe
  C:\Windows\System32\odnRpNv.exe
  2⤵
  PID:11648
- C:\Windows\System32\KHKpILo.exe
  C:\Windows\System32\KHKpILo.exe
  2⤵
  PID:11688
- C:\Windows\System32\VRjTUMW.exe
  C:\Windows\System32\VRjTUMW.exe
  2⤵
  PID:11740
- C:\Windows\System32\hQnaLYp.exe
  C:\Windows\System32\hQnaLYp.exe
  2⤵
  PID:11796
- C:\Windows\System32\NctxPgB.exe
  C:\Windows\System32\NctxPgB.exe
  2⤵
  PID:11832
- C:\Windows\System32\kgPyONF.exe
  C:\Windows\System32\kgPyONF.exe
  2⤵
  PID:11856
- C:\Windows\System32\ATGcIuX.exe
  C:\Windows\System32\ATGcIuX.exe
  2⤵
  PID:11876
- C:\Windows\System32\zSHJcuN.exe
  C:\Windows\System32\zSHJcuN.exe
  2⤵
  PID:11904
- C:\Windows\System32\kwYqNWM.exe
  C:\Windows\System32\kwYqNWM.exe
  2⤵
  PID:11932
- C:\Windows\System32\gFfEaAa.exe
  C:\Windows\System32\gFfEaAa.exe
  2⤵
  PID:11956
- C:\Windows\System32\DSGTZOx.exe
  C:\Windows\System32\DSGTZOx.exe
  2⤵
  PID:12000
- C:\Windows\System32\rDhmxBd.exe
  C:\Windows\System32\rDhmxBd.exe
  2⤵
  PID:12028
- C:\Windows\System32\cvjdNrv.exe
  C:\Windows\System32\cvjdNrv.exe
  2⤵
  PID:12048
- C:\Windows\System32\VunNdMc.exe
  C:\Windows\System32\VunNdMc.exe
  2⤵
  PID:12084
- C:\Windows\System32\BEzhAZQ.exe
  C:\Windows\System32\BEzhAZQ.exe
  2⤵
  PID:12104
- C:\Windows\System32\jQbJhkK.exe
  C:\Windows\System32\jQbJhkK.exe
  2⤵
  PID:12132
- C:\Windows\System32\TYkQLYd.exe
  C:\Windows\System32\TYkQLYd.exe
  2⤵
  PID:12160
- C:\Windows\System32\JXsbCKV.exe
  C:\Windows\System32\JXsbCKV.exe
  2⤵
  PID:12196
- C:\Windows\System32\cDjcEvF.exe
  C:\Windows\System32\cDjcEvF.exe
  2⤵
  PID:12212
- C:\Windows\System32\aSYRwIz.exe
  C:\Windows\System32\aSYRwIz.exe
  2⤵
  PID:12248
- C:\Windows\System32\VqyJsFZ.exe
  C:\Windows\System32\VqyJsFZ.exe
  2⤵
  PID:12276
- C:\Windows\System32\FnXkCVc.exe
  C:\Windows\System32\FnXkCVc.exe
  2⤵
  PID:11276
- C:\Windows\System32\szHadTm.exe
  C:\Windows\System32\szHadTm.exe
  2⤵
  PID:11396
- C:\Windows\System32\VOHTQNQ.exe
  C:\Windows\System32\VOHTQNQ.exe
  2⤵
  PID:11484
- C:\Windows\System32\gLTPaOJ.exe
  C:\Windows\System32\gLTPaOJ.exe
  2⤵
  PID:11540
- C:\Windows\System32\apQfdvs.exe
  C:\Windows\System32\apQfdvs.exe
  2⤵
  PID:11644
- C:\Windows\System32\SFdJfWi.exe
  C:\Windows\System32\SFdJfWi.exe
  2⤵
  PID:11672
- C:\Windows\System32\EZHEJQi.exe
  C:\Windows\System32\EZHEJQi.exe
  2⤵
  PID:11736
- C:\Windows\System32\sYLJbCq.exe
  C:\Windows\System32\sYLJbCq.exe
  2⤵
  PID:11852
- C:\Windows\System32\yGAPYve.exe
  C:\Windows\System32\yGAPYve.exe
  2⤵
  PID:11944
- C:\Windows\System32\tvIWYyY.exe
  C:\Windows\System32\tvIWYyY.exe
  2⤵
  PID:11984
- C:\Windows\System32\pSUKhSo.exe
  C:\Windows\System32\pSUKhSo.exe
  2⤵
  PID:12036
- C:\Windows\System32\icNTcEr.exe
  C:\Windows\System32\icNTcEr.exe
  2⤵
  PID:12128
- C:\Windows\System32\IpefOiH.exe
  C:\Windows\System32\IpefOiH.exe
  2⤵
  PID:12188
- C:\Windows\System32\FjVrgul.exe
  C:\Windows\System32\FjVrgul.exe
  2⤵
  PID:12256
- C:\Windows\System32\LXqDdjE.exe
  C:\Windows\System32\LXqDdjE.exe
  2⤵
  PID:11324
- C:\Windows\System32\urrOfOK.exe
  C:\Windows\System32\urrOfOK.exe
  2⤵
  PID:11564
- C:\Windows\System32\vBhycCv.exe
  C:\Windows\System32\vBhycCv.exe
  2⤵
  PID:11792
- C:\Windows\System32\lRngWjD.exe
  C:\Windows\System32\lRngWjD.exe
  2⤵
  PID:11972
- C:\Windows\System32\fbcxixi.exe
  C:\Windows\System32\fbcxixi.exe
  2⤵
  PID:12056
- C:\Windows\System32\ulePFVu.exe
  C:\Windows\System32\ulePFVu.exe
  2⤵
  PID:12140
- C:\Windows\System32\hWOxLbu.exe
  C:\Windows\System32\hWOxLbu.exe
  2⤵
  PID:11916
- C:\Windows\System32\pYdGKgT.exe
  C:\Windows\System32\pYdGKgT.exe
  2⤵
  PID:12148
- C:\Windows\System32\IwiTTpz.exe
  C:\Windows\System32\IwiTTpz.exe
  2⤵
  PID:12304
- C:\Windows\System32\xaHyLhf.exe
  C:\Windows\System32\xaHyLhf.exe
  2⤵
  PID:12328
- C:\Windows\System32\aiEAvjB.exe
  C:\Windows\System32\aiEAvjB.exe
  2⤵
  PID:12348
- C:\Windows\System32\SKxpoHY.exe
  C:\Windows\System32\SKxpoHY.exe
  2⤵
  PID:12384
- C:\Windows\System32\pHwbcKu.exe
  C:\Windows\System32\pHwbcKu.exe
  2⤵
  PID:12416
- C:\Windows\System32\tywobuf.exe
  C:\Windows\System32\tywobuf.exe
  2⤵
  PID:12452
- C:\Windows\System32\bzPBdKC.exe
  C:\Windows\System32\bzPBdKC.exe
  2⤵
  PID:12472
- C:\Windows\System32\KIDosEl.exe
  C:\Windows\System32\KIDosEl.exe
  2⤵
  PID:12496
- C:\Windows\System32\jBgoeLO.exe
  C:\Windows\System32\jBgoeLO.exe
  2⤵
  PID:12524
- C:\Windows\System32\KRYaRed.exe
  C:\Windows\System32\KRYaRed.exe
  2⤵
  PID:12552
- C:\Windows\System32\gAJoqmK.exe
  C:\Windows\System32\gAJoqmK.exe
  2⤵
  PID:12612
- C:\Windows\System32\PNUIDgG.exe
  C:\Windows\System32\PNUIDgG.exe
  2⤵
  PID:12628
- C:\Windows\System32\CzSqwsG.exe
  C:\Windows\System32\CzSqwsG.exe
  2⤵
  PID:12656
- C:\Windows\System32\PycQpkO.exe
  C:\Windows\System32\PycQpkO.exe
  2⤵
  PID:12684
- C:\Windows\System32\vOJtgyR.exe
  C:\Windows\System32\vOJtgyR.exe
  2⤵
  PID:12712
- C:\Windows\System32\VvpFuJJ.exe
  C:\Windows\System32\VvpFuJJ.exe
  2⤵
  PID:12732
- C:\Windows\System32\ziTIyAy.exe
  C:\Windows\System32\ziTIyAy.exe
  2⤵
  PID:12756
- C:\Windows\System32\DAyyNVP.exe
  C:\Windows\System32\DAyyNVP.exe
  2⤵
  PID:12800
- C:\Windows\System32\FpmBSiY.exe
  C:\Windows\System32\FpmBSiY.exe
  2⤵
  PID:12832
- C:\Windows\System32\vwEuexR.exe
  C:\Windows\System32\vwEuexR.exe
  2⤵
  PID:12860
- C:\Windows\System32\hTKiTOR.exe
  C:\Windows\System32\hTKiTOR.exe
  2⤵
  PID:12888
- C:\Windows\System32\CWQRTzX.exe
  C:\Windows\System32\CWQRTzX.exe
  2⤵
  PID:12916
- C:\Windows\System32\KZLzSDZ.exe
  C:\Windows\System32\KZLzSDZ.exe
  2⤵
  PID:12944
- C:\Windows\System32\AniZtGs.exe
  C:\Windows\System32\AniZtGs.exe
  2⤵
  PID:12972
- C:\Windows\System32\vyIhhXl.exe
  C:\Windows\System32\vyIhhXl.exe
  2⤵
  PID:13000
- C:\Windows\System32\gnSgepi.exe
  C:\Windows\System32\gnSgepi.exe
  2⤵
  PID:13028
- C:\Windows\System32\VGGlnLb.exe
  C:\Windows\System32\VGGlnLb.exe
  2⤵
  PID:13064
- C:\Windows\System32\JaUqjLf.exe
  C:\Windows\System32\JaUqjLf.exe
  2⤵
  PID:13080
- C:\Windows\System32\YEWcuZW.exe
  C:\Windows\System32\YEWcuZW.exe
  2⤵
  PID:13116
- C:\Windows\System32\fzLoHGS.exe
  C:\Windows\System32\fzLoHGS.exe
  2⤵
  PID:13152
- C:\Windows\System32\ZIgSLFk.exe
  C:\Windows\System32\ZIgSLFk.exe
  2⤵
  PID:13180
- C:\Windows\System32\kyuJGLi.exe
  C:\Windows\System32\kyuJGLi.exe
  2⤵
  PID:13208
- C:\Windows\System32\liWZPuY.exe
  C:\Windows\System32\liWZPuY.exe
  2⤵
  PID:13236
- C:\Windows\System32\HvaXVFP.exe
  C:\Windows\System32\HvaXVFP.exe
  2⤵
  PID:13264
- C:\Windows\System32\eTzkjxe.exe
  C:\Windows\System32\eTzkjxe.exe
  2⤵
  PID:13292
- C:\Windows\System32\HFylGAt.exe
  C:\Windows\System32\HFylGAt.exe
  2⤵
  PID:11516
- C:\Windows\System32\wXZiqwS.exe
  C:\Windows\System32\wXZiqwS.exe
  2⤵
  PID:12360
- C:\Windows\System32\DBvgGji.exe
  C:\Windows\System32\DBvgGji.exe
  2⤵
  PID:12432
- C:\Windows\System32\srYGCnd.exe
  C:\Windows\System32\srYGCnd.exe
  2⤵
  PID:12492
- C:\Windows\System32\UtIOxeX.exe
  C:\Windows\System32\UtIOxeX.exe
  2⤵
  PID:12568
- C:\Windows\System32\AqJIXld.exe
  C:\Windows\System32\AqJIXld.exe
  2⤵
  PID:3508
- C:\Windows\System32\RSVBbEL.exe
  C:\Windows\System32\RSVBbEL.exe
  2⤵
  PID:12624
- C:\Windows\System32\VrcwcFb.exe
  C:\Windows\System32\VrcwcFb.exe
  2⤵
  PID:12696
- C:\Windows\System32\ATUlKis.exe
  C:\Windows\System32\ATUlKis.exe
  2⤵
  PID:12744
- C:\Windows\System32\iNXvZOx.exe
  C:\Windows\System32\iNXvZOx.exe
  2⤵
  PID:12820
- C:\Windows\System32\vkNSGVR.exe
  C:\Windows\System32\vkNSGVR.exe
  2⤵
  PID:12900
- C:\Windows\System32\KpgtedX.exe
  C:\Windows\System32\KpgtedX.exe
  2⤵
  PID:12964
- C:\Windows\System32\HVFnijO.exe
  C:\Windows\System32\HVFnijO.exe
  2⤵
  PID:13024
- C:\Windows\System32\jbkeWEP.exe
  C:\Windows\System32\jbkeWEP.exe
  2⤵
  PID:13108
- C:\Windows\System32\yHextUH.exe
  C:\Windows\System32\yHextUH.exe
  2⤵
  PID:13168
- C:\Windows\System32\kMdTalA.exe
  C:\Windows\System32\kMdTalA.exe
  2⤵
  PID:13224
- C:\Windows\System32\LVaJnDL.exe
  C:\Windows\System32\LVaJnDL.exe
  2⤵
  PID:13284
- C:\Windows\System32\tyQkmxQ.exe
  C:\Windows\System32\tyQkmxQ.exe
  2⤵
  PID:12364
- C:\Windows\System32\XohZnur.exe
  C:\Windows\System32\XohZnur.exe
  2⤵
  PID:12536
- C:\Windows\System32\tYYcCjD.exe
  C:\Windows\System32\tYYcCjD.exe
  2⤵
  PID:12620
- C:\Windows\System32\UMuguFw.exe
  C:\Windows\System32\UMuguFw.exe
  2⤵
  PID:12772
- C:\Windows\System32\LmltlUa.exe
  C:\Windows\System32\LmltlUa.exe
  2⤵
  PID:12940
- C:\Windows\System32\DbGRNFj.exe
  C:\Windows\System32\DbGRNFj.exe
  2⤵
  PID:13072
- C:\Windows\System32\zZuCYjt.exe
  C:\Windows\System32\zZuCYjt.exe
  2⤵
  PID:13252
- C:\Windows\System32\mmRJrqx.exe
  C:\Windows\System32\mmRJrqx.exe
  2⤵
  PID:12512
- C:\Windows\System32\wMzfBeh.exe
  C:\Windows\System32\wMzfBeh.exe
  2⤵
  PID:12740
- C:\Windows\System32\fpiFtcv.exe
  C:\Windows\System32\fpiFtcv.exe
  2⤵
  PID:13164
- C:\Windows\System32\JQCxQYc.exe
  C:\Windows\System32\JQCxQYc.exe
  2⤵
  PID:12680
- C:\Windows\System32\QSThpEc.exe
  C:\Windows\System32\QSThpEc.exe
  2⤵
  PID:376
- C:\Windows\System32\ReGcNde.exe
  C:\Windows\System32\ReGcNde.exe
  2⤵
  PID:13328
- C:\Windows\System32\ISUeNoE.exe
  C:\Windows\System32\ISUeNoE.exe
  2⤵
  PID:13356
- C:\Windows\System32\TOYGaFp.exe
  C:\Windows\System32\TOYGaFp.exe
  2⤵
  PID:13384
- C:\Windows\System32\UyElWzV.exe
  C:\Windows\System32\UyElWzV.exe
  2⤵
  PID:13412
- C:\Windows\System32\RbcljFe.exe
  C:\Windows\System32\RbcljFe.exe
  2⤵
  PID:13440
- C:\Windows\System32\kGftnRJ.exe
  C:\Windows\System32\kGftnRJ.exe
  2⤵
  PID:13476
- C:\Windows\System32\kAsfsJF.exe
  C:\Windows\System32\kAsfsJF.exe
  2⤵
  PID:13516
- C:\Windows\System32\CWRwFhI.exe
  C:\Windows\System32\CWRwFhI.exe
  2⤵
  PID:13540
- C:\Windows\System32\aBXmvSq.exe
  C:\Windows\System32\aBXmvSq.exe
  2⤵
  PID:13576
- C:\Windows\System32\kXejrgj.exe
  C:\Windows\System32\kXejrgj.exe
  2⤵
  PID:13608
- C:\Windows\System32\WGIlnKp.exe
  C:\Windows\System32\WGIlnKp.exe
  2⤵
  PID:13644
- C:\Windows\System32\IObFyJz.exe
  C:\Windows\System32\IObFyJz.exe
  2⤵
  PID:13672
- C:\Windows\System32\vOyYrqA.exe
  C:\Windows\System32\vOyYrqA.exe
  2⤵
  PID:13700
- C:\Windows\System32\DoQNKYw.exe
  C:\Windows\System32\DoQNKYw.exe
  2⤵
  PID:13728
- C:\Windows\System32\GRFgxol.exe
  C:\Windows\System32\GRFgxol.exe
  2⤵
  PID:13756
- C:\Windows\System32\QFwvsxA.exe
  C:\Windows\System32\QFwvsxA.exe
  2⤵
  PID:13784
- C:\Windows\System32\sDMqTAd.exe
  C:\Windows\System32\sDMqTAd.exe
  2⤵
  PID:13812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:7600

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BLjhbUc.exe

Filesize
2.7MB

MD5
610d5a8894550214a3ea26105378e11a

SHA1
662dd807b7f9c65117a00e2ae3142158716f3db6

SHA256
9b86e40a7a84bfd77e5b729843d9f1f07757aa039dfe23dcaad912c57114533e

SHA512
fcb7978d6ac105269be7884c2cd2d2ccb7c474c0bfa99cc76b9cc9863f12c4952fff2dae697aadeb53ee3928cd93be0fd3f0841a67e1a98387984799b7ebcaac

Download Submit
C:\Windows\System32\DUcXgdf.exe

Filesize
2.7MB

MD5
2c4b090bad321f9224f0b6cecbe2b33c

SHA1
bc57323937530d6b3be30e085ef6494af26fcbf2

SHA256
4807ef2cddecdea5932f1840063bd44b0f463eee7dd3fdef700d047c964705a2

SHA512
b4a21965411db9aa2b20f6ed79ae25baee46e22954e8fc8d1dd4b395900f4683c0bdab27376cb0a7c999fe5e390859b74108178406cbd63fc922b05b970ffb9d

Download Submit
C:\Windows\System32\EvSGagH.exe

Filesize
2.7MB

MD5
1a132fa154d35f7301efcbf85c22016f

SHA1
68d1a6462e5d77002a46d8befb625c8e849a0756

SHA256
6c6780919cf6aeae06b1366a3450c44fcd3595574b783dfd309df7853874be4f

SHA512
3081a1f22e283a31f2d586728a9d78516afe91da29e82709182c5faeca4ad31ed6eeefa67a319aa3b621b401ee1708d479664772684b330cb4b77b718e56b312

Download Submit
C:\Windows\System32\FwqlFKn.exe

Filesize
2.7MB

MD5
97a0fa51806a56518244404b5cfb74dc

SHA1
9f156b0470c3bd9a017ce59dfaead1e6a549a8ed

SHA256
e6e79f5210a63cd20ab4bf735a0b3db479dbabaa157da4ceabdf74557005a945

SHA512
f9a5a039ea546b05ef8e5c2df97880dfe485820053cb092c2975349e366cf0b4cd2918c7b25c70d4bb7cc3b950e2f63a3fe9a94d1486a310140c9cf50786d26c

Download Submit
C:\Windows\System32\JaLKvIS.exe

Filesize
2.7MB

MD5
c91d3690bb1bfcbb29923e200efd0d87

SHA1
ec41c07108258f20d0d7626fb4622844032a7c7f

SHA256
fb163e061d3309c8535780f1884d09da1271f8aff92d0b5bfb6767b021aa0403

SHA512
72796a899cc07fd81c07769edc98c780af3ef7ec46671d96221d9890d810f22c0418d044384c62e0af91eac35a1cebc49208534a5a7b98fe24470f57ab041f46

Download Submit
C:\Windows\System32\KJiufFl.exe

Filesize
2.7MB

MD5
804999a6b67c474a4d92ff7f7c282df5

SHA1
c32d8863a7d18524233b62d7fb742caac5abe92f

SHA256
a62274337c305025424c0bd8dbc29cb8713c008099127b9624c3950dc552fab6

SHA512
6ef7cfe941e9e3e184184d168f87e27a59fc2148a294c8f929d54b52043423db339916684bc24c9366c1e3a5e9e4716d542c49848fcde10b0c5d5bc55181f05e

Download Submit
C:\Windows\System32\LGhGGum.exe

Filesize
2.7MB

MD5
668a5ac1dc03283a9964bf757a1e4dfd

SHA1
c76655d759d0ad2d2fe1c3b6ebc385bd5518a8cd

SHA256
8a97f00668e54bb28ae82d6d2d5ea522db8d460880cffac7903e32643e32dfa4

SHA512
4a97560346e27d9f4a0226b0af4eb56bd49f57678e577822b5e4bfc5e2df59de1a106d065bf1a0e6578e2b84d6ea6aea34ebe613e6a3dd5b7d1900b3045bb1d4

Download Submit
C:\Windows\System32\LdZXBnU.exe

Filesize
2.7MB

MD5
e9fe8773aeea5a7bea497e65e0d40377

SHA1
e56b9bb99174a09067cb8ffe8c3eb2bc80dcd17a

SHA256
988ad6dddeca660877d4bd69c939b011a68dde44ac37f8d252a372b03d975779

SHA512
c56bf6569d9b9fadb9bda2b1a9967ec73bde7ce234c02e93c0f1acba7c73fdf841882d768b2b34a04e6fff795ee7db87367d3e36dc52dff1b068446f3af9ebc7

Download Submit
C:\Windows\System32\MngJHYS.exe

Filesize
2.7MB

MD5
c43f3b866dea3130bdf0ee8189ac8474

SHA1
4d685f5f62e81b60bf21b75fc7f5791110e1c3d0

SHA256
f2a5023e8d01a307f46cba6c41a42306fa16836d48a21b68bd2b6d79ec4f54dd

SHA512
4061f3ab5788e1ab5caea4a30914a75436de7e67eb37411a8ccc31a10554896b8fd6184a006c36a3d7d832aecad9d94eb65666e228030670d9fc339255024cbb

Download Submit
C:\Windows\System32\NCDBHgV.exe

Filesize
2.7MB

MD5
567080caf762c1f2b418b7db2e79d90b

SHA1
9a37528f975a586f44825ab867e78a8e27872e06

SHA256
6e7674f4bd2c158ff6433f144ad89a810ad0ea0250c6639197ecf1f7afb9aa1e

SHA512
362e2d88b8ba65b040626a402cbe6bf813894dde5432bc949563e16013230a70cb66940616149b34043872861851b0c549a4e75f5b95a691ba35dc337151ee41

Download Submit
C:\Windows\System32\ORWecIq.exe

Filesize
2.7MB

MD5
7bcdb9bace5ea38dd50990442535e642

SHA1
6ab42f307bff3b54bd529e058d67bf03038ccaf4

SHA256
9b4c8f5e621cd9c7a07c5fabba0c3fd3b8d10bf234d061e79fd1734751e460dc

SHA512
160cb84a6b7e0e181cf1bc4413eb530aba8a3cefe33f7021276be73670e39a1920331fe18f042475dcf005945f0361d389ad341fb4d0eaae9787dc6b91602d71

Download Submit
C:\Windows\System32\QYvDgrC.exe

Filesize
2.7MB

MD5
2428edd30bf217c5068f8f498109b0db

SHA1
a17f6b89eae3cc8b240ca0751cb538e35000f03c

SHA256
dc6ac81b1c3977bd8eca00a57de36b66644ed6296dbdd6c3fd543effc73d2048

SHA512
9e03ccf2240379190c28c4c07b8f835c6b9f0774f3cf29e6375c79819fb83d0e6d74bc69aa292d5d527c7eaee46b8a5857bd2098ee2290d150a6947f3d51594e

Download Submit
C:\Windows\System32\QrZIHNa.exe

Filesize
2.7MB

MD5
c6643c4f36714c368058a5474e03148d

SHA1
d4aa445fbe21dc49ce0c97d810352f1782593c89

SHA256
e80069c4aa408f9ba79c2ae26f4f5abf3d93104fd720b25bf6a587b842ed09b3

SHA512
ea4f12dbce8c53bb42f64cd7940d6f80b29e8477ed7fe54a57040f8df88770c9f042a19ccc1ff2facd28f5e9e7b88ae604033e6e79dbb8f826667b509d93680a

Download Submit
C:\Windows\System32\RCTIlBg.exe

Filesize
2.7MB

MD5
6688522a71268887146b8c04388dcad5

SHA1
bc31695df4a8705c09768f234850d3df4c38df2e

SHA256
a2ec983968b1a91bb5b37301bdbdc839ee03164207b16f87358ea5228b4e5cb2

SHA512
6d99533e59be61a71cdee004a0add90c38a3351068e73c6fa9925b683f243787d2a922632669d66dd30161af5681eeab961a30843c3db4c28cbe4524bb77772c

Download Submit
C:\Windows\System32\SFwBNrP.exe

Filesize
2.7MB

MD5
25590652651c2810644ce9ce46487cee

SHA1
ea35417244b1151ca488cb417ded9eb783442b42

SHA256
874021a1cf826c60292bc1d4651b0596fc69721d866c6502d5f5775e28761763

SHA512
8a14fd3d0c65c63f721a79b48cb74d1479d3adfc8e26ac940e762e93e488eeabf392e467f7e84075ff30e2fa66c18067b8f53f17f8c8f926f70d591ecb4a9138

Download Submit
C:\Windows\System32\UOXWCJw.exe

Filesize
2.7MB

MD5
33e5e9ccab26dfed52efaaa98505584a

SHA1
877f84e33e08c784e7b1a7f986e6cac9459f5534

SHA256
1812202cdfd174c7a16a556a96043f4dcf51a20d985a75592b71cf9014da7f7d

SHA512
f956856fd2b1986c894317fffa40996d306192270e7213446cb37ca2b5e25d78d62963a35ede24a45ac70ed7cdc1f2c75e8c1429e77b15fff1183b03735f25f5

Download Submit
C:\Windows\System32\VlqrRgx.exe

Filesize
2.7MB

MD5
64f7d9be1386dc415d8de1a54d63d248

SHA1
e6ed74642b71a65d61e91f3c2ad981361893a8d7

SHA256
6a2ef3732a6c77e162fc18214e38b23868ce88c4331dbdbff76dd1ebadf57e24

SHA512
e1984ba25256c47fd0839d08b578e4caa281e70032013a9f19a8b879ebcfbecc59b8541447c4cd2aedf5fdc7e6f052929bd48db7fcbc29c4bcad49e100302f76

Download Submit
C:\Windows\System32\WBFEEHM.exe

Filesize
2.7MB

MD5
ad0c42ced75c7ad6690a050872aa1717

SHA1
d49b5c873ea30b01db0635e9ea6bc7f289eed2cf

SHA256
7196d941e8569b832bff7f7d160bd526e7027991a4a681aa85e679a2e923d314

SHA512
0c793da44c77eb1c6923b00b20510af32b22ffc1a391cbe6cd1a719d1dbddd96e8615e08a826ffabd509b92845532f1f3a812411dcbf9ae059e4ec8ebb223ec6

Download Submit
C:\Windows\System32\WGDMzOX.exe

Filesize
2.7MB

MD5
5ac8c79d420fb4ff9c2ba5cabf6b7d38

SHA1
a4672ddcf4b181adb1dc0e11360ec375a218f5f4

SHA256
49fe3ad3c4db542dd04adaf53d9f75fe5cba7c65a8f6295a1c714fd195feec39

SHA512
d2386a87568a72f6002955a14341ee4cb1c53e600cd8ff0c0053540341ff167f26f15b30589a6da960a315ec47301199c06a8b75a3cd54b0737c73dcf924e687

Download Submit
C:\Windows\System32\dKHUpqG.exe

Filesize
2.7MB

MD5
522968c82eb4e951b2cdc0189267e555

SHA1
d6ac42ddb7d17a353a1b114cf779d19f10e75355

SHA256
edcd972e6cdb668dfeba58789a9d7f331189c178a72eeb8b647d8c48ec2b8709

SHA512
8489e964ecff3fbe26d295092058d86d7cea17f8f2fe1233a6ded2473861c590167b5231395c40b606bdb631734088226a08496adb76efe6b9dcf752d68cf9c2

Download Submit
C:\Windows\System32\emCCIyG.exe

Filesize
2.7MB

MD5
0d1d2bb6a6ce302586364c4a76542e28

SHA1
684e7171d3c2cd99c51dd936ec79e2a90df81d1a

SHA256
9245719e47fafd7fcb734cbd05c25bcffda914dcb7c0629b18c3525bf047614a

SHA512
deffc4ae0375562b5c7c3192a9a7c46f56277e0ee06cacfa0590a4149316eb100e3dea8bd70570fe7f2ea0899b419f347da1f852819133df7a0a24be70cf911b

Download Submit
C:\Windows\System32\hJQTpVT.exe

Filesize
2.7MB

MD5
6cfac444a89e589998c48555f5565237

SHA1
43c2b1daa907c5eb5cb405dc03ac110045ff39af

SHA256
408680a43b767dae3795c092ef78746818ee64d2f1d029c4780a672b403f4ed7

SHA512
f92e6a6abe8823264dd299d24d73f30c0781386de86323331b67cce194d773a33e86d684e4d186eaed4a45c3a9dc378685e85d2ebb7a3c2131a36a073be80ce3

Download Submit
C:\Windows\System32\hfMngJt.exe

Filesize
2.7MB

MD5
76815cc61aaa72fe0826913b11e91ca7

SHA1
7fbc6e71089408bd77ba3fb924ce9fa8af781d21

SHA256
13f0f53879688682b2b32d90ca4f0b8aee3ca729352cffa25cae8f369b6d8913

SHA512
7e9b61340c5fa105c254a91eb13e99ec37990ebf321c5592be7973df7c3fae323001f973c66d05f2489d5e82eb73c082ecd599f72f7c328b155da4e7de5d187e

Download Submit
C:\Windows\System32\hfQTbgy.exe

Filesize
2.7MB

MD5
9d8078adf2dbf3717751dff643a09d6f

SHA1
965a6a22c72c450ae50e80b0a501b3596f765e29

SHA256
f8fd9eccc9b93b3e5be3ba719af8a40b96dfa1a260ac2927606d843f68249b1f

SHA512
c37f369292b20f8c8621c1e4a2959a40c83ef7607d936ccb37dd6dda902434f783ba2e34970040a31793d07b5ed5e47ef9876f2da33ee522f5d357165462df60

Download Submit
C:\Windows\System32\iPQXQOt.exe

Filesize
2.7MB

MD5
611fb72fcf1fd33c0251dba36f52a7e7

SHA1
02c4bcbce706a73361e81b2260333063c2ad4fcc

SHA256
e2dbee0d99eda161af35cf5295f1549e6f3fd1cd5d13832f2a5842767adb0f4b

SHA512
d1e54f4387513ddf6da73088fcdd085d9c55727b1297f0c7fbc02e282121e56096c9a6598cbf6da2144965b2009cb64c7ac054757a5491b613f31ebdb7416b1c

Download Submit
C:\Windows\System32\nFOSJbl.exe

Filesize
2.7MB

MD5
32ae498b04f8558d0bbed5aef0ee2e79

SHA1
f1002b016adcae522ec38559a5b6d1860bb6b48c

SHA256
606a68f287042c53801c6f77881463152e38d810a33510b823b8ad6da61d03ae

SHA512
11b93a1f5181acec1e14ecbf387c2d642f898003634ee80fa8a29304f2006fb89b649d85e5caffb8ce7327f25f5150d857f1a30700573cb147963c8955283fa7

Download Submit
C:\Windows\System32\noSAGPa.exe

Filesize
2.7MB

MD5
af5bd0bad4af44cf1b6e6f3a1dbec15f

SHA1
3c6c879c7c07d7aac97cee856d6069a8b120ecfd

SHA256
c7e0e850886682dea1afbd10a03b1bbcf62319801cdd37cd910849ea37576e89

SHA512
24fea9fe5c1d8929e984069415729824deb4afb6d0f52c2f3a6afeb16bc15b90eec3694948de26ff9757da97c4744e7d7417dd48dfd33caadc61ff8f1c26e465

Download Submit
C:\Windows\System32\pyjuvlL.exe

Filesize
2.7MB

MD5
1c458af6c2e4b4d78e00cf442de617f7

SHA1
34d00e0995e28ea9bb6a4b71445b172dc882959a

SHA256
699ffa4d78a8b7915eead7c1cf0fd8a53568e6305dd3d6bd28ecba581c496daa

SHA512
4fa734eb8d3f0f5c0f1f67c29f1fec67ed166d303968dcd9ee6cb09ee035ed3d0d4d47c88040db2a3e1391ca4a392fdb672e4f9a5846a4083e51db114894eaad

Download Submit
C:\Windows\System32\qUtjuXr.exe

Filesize
2.7MB

MD5
b831f303a4f774c625431321761d7b00

SHA1
dd3e11509bb283d2ad1ef45b7a429399571a8e72

SHA256
9a21ec1c144dd23f76dfe56470009278422c5c65f13f8a90b65cedf5077c720e

SHA512
a114816b711adabbb60a9a9d66c2abb92a13fe399c69868c3c880ad33939aae1e8710e48c9461aa7f0288ea7baff86f337774f8f8ccd09797395334e033b6582

Download Submit
C:\Windows\System32\tdZyjMR.exe

Filesize
2.7MB

MD5
7d0fbb4653d3304eb194ec034b658964

SHA1
95f1302edb331ae33de65207fd6b6a1908b75476

SHA256
61eca6e8da37773b1dc83be9bb2dcfdcf92a7ce5247fc9c071cac8aa01b65fbd

SHA512
b4e6223f7ec5f1d07f5e9a92bdeef1aaf51c68e9b4b9df0633e34ab86d8ec87379a5942e159d13f7718eb25a109122180271dbf16b09dfd5bc5d52f455bd5378

Download Submit
C:\Windows\System32\uvONHGa.exe

Filesize
2.7MB

MD5
b8ac198c515f31118ada43886466084b

SHA1
21174aea7292bb5f3f66a7f43394fbf1823c22af

SHA256
be0930d553d7b2407df452b57e8eadcec34048165aaf2adc43ddf4bdf50a5358

SHA512
d633169ce107dd7e2fac158004c354de3d4c195c59bb06cbe2a4f8cc8a7595226e2cde88fb17f0e10c822568afc1aa6329bc255cd82334c3f821286855db3168

Download Submit
C:\Windows\System32\xwUqabe.exe

Filesize
2.7MB

MD5
e72017c93d9a200f8329c6febfb989db

SHA1
4716f811a8ccb75e63151e1d58d7d9f87b210b38

SHA256
96a562b31bca8b9c4b8c3b37ee313476cd6725fea38afca31ad60965f8f63f17

SHA512
7620e93b5706de73388b976178d2c3d6d3c61eff6b7f296fe68b34b5c30f8c50387efeadc4cd1289dfe47f835a86fd6c4b5aefd4ba78c9dcdeaaa5a7794b154b

Download Submit
C:\Windows\System32\yeyOpIC.exe

Filesize
2.7MB

MD5
81ec9febd9d5fc0386c845950865e00d

SHA1
cd11f3a49427da69f9cda55a5e9241c00de8685f

SHA256
23c755c7f400aed5047de0c103ef904beacd324052fde929f8d0f7605a390d2a

SHA512
ef4aab78443eaec9661852b561ca0fd904824ad5595bd36aca0536f7227852da94eecf92a85eb7725a90b9edfed3472e01bf34586b0940b0174d1a422f811321

Download Submit
memory/392-38-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp

Filesize
4.0MB

Download
memory/392-1910-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp

Filesize
4.0MB

Download
memory/392-1566-0x00007FF6AE190000-0x00007FF6AE585000-memory.dmp

Filesize
4.0MB

Download
memory/460-738-0x00007FF788030000-0x00007FF788425000-memory.dmp

Filesize
4.0MB

Download
memory/460-1926-0x00007FF788030000-0x00007FF788425000-memory.dmp

Filesize
4.0MB

Download
memory/648-35-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp

Filesize
4.0MB

Download
memory/648-1908-0x00007FF7C4830000-0x00007FF7C4C25000-memory.dmp

Filesize
4.0MB

Download
memory/1000-1909-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp

Filesize
4.0MB

Download
memory/1000-1563-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp

Filesize
4.0MB

Download
memory/1000-33-0x00007FF7D9FE0000-0x00007FF7DA3D5000-memory.dmp

Filesize
4.0MB

Download
memory/1120-694-0x00007FF732BF0000-0x00007FF732FE5000-memory.dmp

Filesize
4.0MB

Download
memory/1120-1918-0x00007FF732BF0000-0x00007FF732FE5000-memory.dmp

Filesize
4.0MB

Download
memory/1516-87-0x00007FF702C30000-0x00007FF703025000-memory.dmp

Filesize
4.0MB

Download
memory/1516-1915-0x00007FF702C30000-0x00007FF703025000-memory.dmp

Filesize
4.0MB

Download
memory/1644-1928-0x00007FF7FCC40000-0x00007FF7FD035000-memory.dmp

Filesize
4.0MB

Download
memory/1644-742-0x00007FF7FCC40000-0x00007FF7FD035000-memory.dmp

Filesize
4.0MB

Download
memory/1708-1924-0x00007FF741330000-0x00007FF741725000-memory.dmp

Filesize
4.0MB

Download
memory/1708-708-0x00007FF741330000-0x00007FF741725000-memory.dmp

Filesize
4.0MB

Download
memory/1716-1921-0x00007FF7A6840000-0x00007FF7A6C35000-memory.dmp

Filesize
4.0MB

Download
memory/1716-702-0x00007FF7A6840000-0x00007FF7A6C35000-memory.dmp

Filesize
4.0MB

Download
memory/2080-747-0x00007FF69A4D0000-0x00007FF69A8C5000-memory.dmp

Filesize
4.0MB

Download
memory/2080-1917-0x00007FF69A4D0000-0x00007FF69A8C5000-memory.dmp

Filesize
4.0MB

Download
memory/2204-86-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp

Filesize
4.0MB

Download
memory/2204-1-0x000001B148900000-0x000001B148910000-memory.dmp

Filesize
64KB

Download
memory/2204-0-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp

Filesize
4.0MB

Download
memory/2204-1904-0x00007FF6A50E0000-0x00007FF6A54D5000-memory.dmp

Filesize
4.0MB

Download
memory/2452-1903-0x00007FF720190000-0x00007FF720585000-memory.dmp

Filesize
4.0MB

Download
memory/2452-680-0x00007FF720190000-0x00007FF720585000-memory.dmp

Filesize
4.0MB

Download
memory/2452-1916-0x00007FF720190000-0x00007FF720585000-memory.dmp

Filesize
4.0MB

Download
memory/2472-1925-0x00007FF6A7E20000-0x00007FF6A8215000-memory.dmp

Filesize
4.0MB

Download
memory/2472-720-0x00007FF6A7E20000-0x00007FF6A8215000-memory.dmp

Filesize
4.0MB

Download
memory/2600-717-0x00007FF628B00000-0x00007FF628EF5000-memory.dmp

Filesize
4.0MB

Download
memory/2600-1923-0x00007FF628B00000-0x00007FF628EF5000-memory.dmp

Filesize
4.0MB

Download
memory/2672-62-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp

Filesize
4.0MB

Download
memory/2672-1914-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp

Filesize
4.0MB

Download
memory/2672-1899-0x00007FF78AFC0000-0x00007FF78B3B5000-memory.dmp

Filesize
4.0MB

Download
memory/2728-43-0x00007FF7E44F0000-0x00007FF7E48E5000-memory.dmp

Filesize
4.0MB

Download
memory/2728-1911-0x00007FF7E44F0000-0x00007FF7E48E5000-memory.dmp

Filesize
4.0MB

Download
memory/3204-68-0x00007FF7C2DB0000-0x00007FF7C31A5000-memory.dmp

Filesize
4.0MB

Download
memory/3204-1913-0x00007FF7C2DB0000-0x00007FF7C31A5000-memory.dmp

Filesize
4.0MB

Download
memory/3272-1901-0x00007FF6A3B70000-0x00007FF6A3F65000-memory.dmp

Filesize
4.0MB

Download
memory/3272-82-0x00007FF6A3B70000-0x00007FF6A3F65000-memory.dmp

Filesize
4.0MB

Download
memory/3272-1919-0x00007FF6A3B70000-0x00007FF6A3F65000-memory.dmp

Filesize
4.0MB

Download
memory/3376-1905-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp

Filesize
4.0MB

Download
memory/3376-687-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp

Filesize
4.0MB

Download
memory/3376-9-0x00007FF7A1F30000-0x00007FF7A2325000-memory.dmp

Filesize
4.0MB

Download
memory/3496-48-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp

Filesize
4.0MB

Download
memory/3496-1912-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp

Filesize
4.0MB

Download
memory/3496-1898-0x00007FF6D4110000-0x00007FF6D4505000-memory.dmp

Filesize
4.0MB

Download
memory/3552-22-0x00007FF6F7880000-0x00007FF6F7C75000-memory.dmp

Filesize
4.0MB

Download
memory/3552-1907-0x00007FF6F7880000-0x00007FF6F7C75000-memory.dmp

Filesize
4.0MB

Download
memory/3772-1922-0x00007FF628260000-0x00007FF628655000-memory.dmp

Filesize
4.0MB

Download
memory/3772-1902-0x00007FF628260000-0x00007FF628655000-memory.dmp

Filesize
4.0MB

Download
memory/3772-93-0x00007FF628260000-0x00007FF628655000-memory.dmp

Filesize
4.0MB

Download
memory/3848-1906-0x00007FF78D360000-0x00007FF78D755000-memory.dmp

Filesize
4.0MB

Download
memory/3848-14-0x00007FF78D360000-0x00007FF78D755000-memory.dmp

Filesize
4.0MB

Download
memory/4536-1900-0x00007FF775D00000-0x00007FF7760F5000-memory.dmp

Filesize
4.0MB

Download
memory/4536-1920-0x00007FF775D00000-0x00007FF7760F5000-memory.dmp

Filesize
4.0MB

Download
memory/4536-76-0x00007FF775D00000-0x00007FF7760F5000-memory.dmp

Filesize
4.0MB

Download
memory/4952-1927-0x00007FF680720000-0x00007FF680B15000-memory.dmp

Filesize
4.0MB

Download
memory/4952-734-0x00007FF680720000-0x00007FF680B15000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads