xmrig | a5801e15de11cd67b13b2bf35d6655cac11234ea5c87fc20683c9f4450472e13

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
Size

3.2MB
MD5

2c0db110f14a9d544886b8a9fab4ce50
SHA1

13df20f2363504cd3ab92239119e9251c8734b70
SHA256

a5801e15de11cd67b13b2bf35d6655cac11234ea5c87fc20683c9f4450472e13
SHA512

10364227b7a4a7a4ad2a6546d74b479804ec6e21a370e7e89d84a26c86ccf62ab47ac357775dd71cded8db41425ec90856dfa948d59c0710feb7e4d10a9ef0ac
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc48:NFWPClFM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1664-0-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-6.dat	xmrig
behavioral2/files/0x000800000002343b-10.dat	xmrig
behavioral2/files/0x0007000000023440-8.dat	xmrig
behavioral2/memory/660-11-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp	xmrig
behavioral2/memory/3148-12-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-21.dat	xmrig
behavioral2/files/0x0007000000023444-38.dat	xmrig
behavioral2/files/0x0007000000023445-43.dat	xmrig
behavioral2/files/0x0007000000023446-48.dat	xmrig
behavioral2/files/0x0007000000023449-63.dat	xmrig
behavioral2/files/0x000700000002344b-71.dat	xmrig
behavioral2/files/0x000700000002344e-88.dat	xmrig
behavioral2/files/0x0007000000023452-106.dat	xmrig
behavioral2/files/0x0007000000023457-133.dat	xmrig
behavioral2/files/0x000700000002345c-158.dat	xmrig
behavioral2/files/0x000700000002345d-163.dat	xmrig
behavioral2/files/0x000700000002345b-153.dat	xmrig
behavioral2/files/0x000700000002345a-148.dat	xmrig
behavioral2/files/0x0007000000023459-143.dat	xmrig
behavioral2/files/0x0007000000023458-138.dat	xmrig
behavioral2/files/0x0007000000023456-128.dat	xmrig
behavioral2/files/0x0007000000023455-123.dat	xmrig
behavioral2/files/0x0007000000023454-118.dat	xmrig
behavioral2/files/0x0007000000023453-113.dat	xmrig
behavioral2/files/0x0007000000023451-103.dat	xmrig
behavioral2/files/0x0007000000023450-98.dat	xmrig
behavioral2/files/0x000700000002344f-93.dat	xmrig
behavioral2/files/0x000700000002344d-83.dat	xmrig
behavioral2/files/0x000700000002344c-78.dat	xmrig
behavioral2/files/0x000700000002344a-68.dat	xmrig
behavioral2/files/0x0007000000023448-58.dat	xmrig
behavioral2/files/0x0007000000023447-53.dat	xmrig
behavioral2/files/0x0007000000023443-33.dat	xmrig
behavioral2/files/0x0007000000023442-28.dat	xmrig
behavioral2/memory/3572-805-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp	xmrig
behavioral2/memory/3040-810-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp	xmrig
behavioral2/memory/4788-820-0x00007FF607620000-0x00007FF607A15000-memory.dmp	xmrig
behavioral2/memory/4588-830-0x00007FF645D50000-0x00007FF646145000-memory.dmp	xmrig
behavioral2/memory/1340-833-0x00007FF7922A0000-0x00007FF792695000-memory.dmp	xmrig
behavioral2/memory/2108-838-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp	xmrig
behavioral2/memory/4272-840-0x00007FF7F9BD0000-0x00007FF7F9FC5000-memory.dmp	xmrig
behavioral2/memory/3736-825-0x00007FF73DC80000-0x00007FF73E075000-memory.dmp	xmrig
behavioral2/memory/2772-847-0x00007FF7DF220000-0x00007FF7DF615000-memory.dmp	xmrig
behavioral2/memory/3932-850-0x00007FF610440000-0x00007FF610835000-memory.dmp	xmrig
behavioral2/memory/5056-860-0x00007FF6B4620000-0x00007FF6B4A15000-memory.dmp	xmrig
behavioral2/memory/1924-861-0x00007FF637040000-0x00007FF637435000-memory.dmp	xmrig
behavioral2/memory/664-863-0x00007FF7E2860000-0x00007FF7E2C55000-memory.dmp	xmrig
behavioral2/memory/2628-867-0x00007FF776C80000-0x00007FF777075000-memory.dmp	xmrig
behavioral2/memory/4464-866-0x00007FF60AEA0000-0x00007FF60B295000-memory.dmp	xmrig
behavioral2/memory/1984-919-0x00007FF7776F0000-0x00007FF777AE5000-memory.dmp	xmrig
behavioral2/memory/3884-971-0x00007FF736CB0000-0x00007FF7370A5000-memory.dmp	xmrig
behavioral2/memory/1280-976-0x00007FF63E040000-0x00007FF63E435000-memory.dmp	xmrig
behavioral2/memory/3632-981-0x00007FF6355C0000-0x00007FF6359B5000-memory.dmp	xmrig
behavioral2/memory/1488-984-0x00007FF6C9AB0000-0x00007FF6C9EA5000-memory.dmp	xmrig
behavioral2/memory/624-990-0x00007FF7596D0000-0x00007FF759AC5000-memory.dmp	xmrig
behavioral2/memory/5040-987-0x00007FF705210000-0x00007FF705605000-memory.dmp	xmrig
behavioral2/memory/1664-1928-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp	xmrig
behavioral2/memory/660-1929-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp	xmrig
behavioral2/memory/3148-1930-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp	xmrig
behavioral2/memory/3572-1931-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp	xmrig
behavioral2/memory/3040-1932-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp	xmrig
behavioral2/memory/4788-1934-0x00007FF607620000-0x00007FF607A15000-memory.dmp	xmrig
behavioral2/memory/2108-1937-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
660	pMnfNWR.exe
3148	WGvOWCo.exe
3572	YtLZGmK.exe
3040	HGkFlQX.exe
4788	QEfDRms.exe
3736	qspDJiG.exe
4588	ukblPOs.exe
1340	EVGIkpS.exe
2108	BaNGkqB.exe
4272	SgxvGsV.exe
2772	KWnrYgm.exe
3932	upFSjRF.exe
5056	rYreyuR.exe
1924	spNzbzc.exe
664	WtrmKpi.exe
4464	beIKKiR.exe
2628	NXucNEq.exe
1984	jCYIxAS.exe
3884	ffWCVhn.exe
1280	GOpmnmV.exe
3632	mUjFAdd.exe
1488	zCFNcuO.exe
5040	cSfozre.exe
624	LudECBz.exe
1416	lXDkuZN.exe
2932	vrUoMcM.exe
984	WaSdgVG.exe
3284	FtuoRdo.exe
3588	XQLnaAU.exe
3000	CzZLpzb.exe
1484	HeNeKtI.exe
3364	vaYgKYt.exe
4476	BjFJYsT.exe
4472	RiNhpss.exe
3480	NFqaTxZ.exe
1956	EMUWHMy.exe
888	VduDjtm.exe
5036	AyKuXvc.exe
3624	gQtynLN.exe
4672	tjruXRM.exe
4904	ytsBqDL.exe
2580	hpHjxjY.exe
4600	AoJysDs.exe
1772	jUGomaL.exe
560	pdOsJED.exe
2836	qNtaFim.exe
116	VWUdPDv.exe
920	qrdPuHX.exe
4516	vvsLNLF.exe
3432	YkfbRHe.exe
2944	PsiASCQ.exe
2920	ncaFvvZ.exe
1932	dZzxwJN.exe
3200	EPGFQjv.exe
2784	dNHZqks.exe
4976	BwKKITF.exe
4252	JACjOVI.exe
4576	jPvWjbo.exe
4984	myxrtQB.exe
4900	xKLpGtP.exe
2440	LxVohfS.exe
8	UTXjgnE.exe
1800	YWqqonS.exe
1596	tayNbqg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1664-0-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp	upx
behavioral2/files/0x000700000002343f-6.dat	upx
behavioral2/files/0x000800000002343b-10.dat	upx
behavioral2/files/0x0007000000023440-8.dat	upx
behavioral2/memory/660-11-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp	upx
behavioral2/memory/3148-12-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp	upx
behavioral2/files/0x0007000000023441-21.dat	upx
behavioral2/files/0x0007000000023444-38.dat	upx
behavioral2/files/0x0007000000023445-43.dat	upx
behavioral2/files/0x0007000000023446-48.dat	upx
behavioral2/files/0x0007000000023449-63.dat	upx
behavioral2/files/0x000700000002344b-71.dat	upx
behavioral2/files/0x000700000002344e-88.dat	upx
behavioral2/files/0x0007000000023452-106.dat	upx
behavioral2/files/0x0007000000023457-133.dat	upx
behavioral2/files/0x000700000002345c-158.dat	upx
behavioral2/files/0x000700000002345d-163.dat	upx
behavioral2/files/0x000700000002345b-153.dat	upx
behavioral2/files/0x000700000002345a-148.dat	upx
behavioral2/files/0x0007000000023459-143.dat	upx
behavioral2/files/0x0007000000023458-138.dat	upx
behavioral2/files/0x0007000000023456-128.dat	upx
behavioral2/files/0x0007000000023455-123.dat	upx
behavioral2/files/0x0007000000023454-118.dat	upx
behavioral2/files/0x0007000000023453-113.dat	upx
behavioral2/files/0x0007000000023451-103.dat	upx
behavioral2/files/0x0007000000023450-98.dat	upx
behavioral2/files/0x000700000002344f-93.dat	upx
behavioral2/files/0x000700000002344d-83.dat	upx
behavioral2/files/0x000700000002344c-78.dat	upx
behavioral2/files/0x000700000002344a-68.dat	upx
behavioral2/files/0x0007000000023448-58.dat	upx
behavioral2/files/0x0007000000023447-53.dat	upx
behavioral2/files/0x0007000000023443-33.dat	upx
behavioral2/files/0x0007000000023442-28.dat	upx
behavioral2/memory/3572-805-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp	upx
behavioral2/memory/3040-810-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp	upx
behavioral2/memory/4788-820-0x00007FF607620000-0x00007FF607A15000-memory.dmp	upx
behavioral2/memory/4588-830-0x00007FF645D50000-0x00007FF646145000-memory.dmp	upx
behavioral2/memory/1340-833-0x00007FF7922A0000-0x00007FF792695000-memory.dmp	upx
behavioral2/memory/2108-838-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp	upx
behavioral2/memory/4272-840-0x00007FF7F9BD0000-0x00007FF7F9FC5000-memory.dmp	upx
behavioral2/memory/3736-825-0x00007FF73DC80000-0x00007FF73E075000-memory.dmp	upx
behavioral2/memory/2772-847-0x00007FF7DF220000-0x00007FF7DF615000-memory.dmp	upx
behavioral2/memory/3932-850-0x00007FF610440000-0x00007FF610835000-memory.dmp	upx
behavioral2/memory/5056-860-0x00007FF6B4620000-0x00007FF6B4A15000-memory.dmp	upx
behavioral2/memory/1924-861-0x00007FF637040000-0x00007FF637435000-memory.dmp	upx
behavioral2/memory/664-863-0x00007FF7E2860000-0x00007FF7E2C55000-memory.dmp	upx
behavioral2/memory/2628-867-0x00007FF776C80000-0x00007FF777075000-memory.dmp	upx
behavioral2/memory/4464-866-0x00007FF60AEA0000-0x00007FF60B295000-memory.dmp	upx
behavioral2/memory/1984-919-0x00007FF7776F0000-0x00007FF777AE5000-memory.dmp	upx
behavioral2/memory/3884-971-0x00007FF736CB0000-0x00007FF7370A5000-memory.dmp	upx
behavioral2/memory/1280-976-0x00007FF63E040000-0x00007FF63E435000-memory.dmp	upx
behavioral2/memory/3632-981-0x00007FF6355C0000-0x00007FF6359B5000-memory.dmp	upx
behavioral2/memory/1488-984-0x00007FF6C9AB0000-0x00007FF6C9EA5000-memory.dmp	upx
behavioral2/memory/624-990-0x00007FF7596D0000-0x00007FF759AC5000-memory.dmp	upx
behavioral2/memory/5040-987-0x00007FF705210000-0x00007FF705605000-memory.dmp	upx
behavioral2/memory/1664-1928-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp	upx
behavioral2/memory/660-1929-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp	upx
behavioral2/memory/3148-1930-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp	upx
behavioral2/memory/3572-1931-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp	upx
behavioral2/memory/3040-1932-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp	upx
behavioral2/memory/4788-1934-0x00007FF607620000-0x00007FF607A15000-memory.dmp	upx
behavioral2/memory/2108-1937-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\mUjFAdd.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\wLSAIPs.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\gWIzKZx.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\ffWCVhn.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\jNRoPFO.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\VDNLDGT.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\fgBJDHw.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\IPnWiFQ.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\IdUJhTL.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\rTaVVVV.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\REwMPFt.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\eghuylF.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\BkgxVLz.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\zhKPkNl.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\AxWujmT.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\vpQwILH.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\exUSNSA.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\XbIevEx.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\gpwoGaf.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrWEbUG.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\hMpAdFR.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\KWnrYgm.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\vwloFNL.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\xScsTne.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\TQbjaVj.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\gHUdoMl.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\yOBFQCr.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\RKOZUWy.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\GahXiLB.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\wuHrDRP.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\wrcsxse.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\JfMbpWM.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\tLGbgtg.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\JwIJHRi.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\jPvWjbo.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\NZvmUES.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\PEfTeqO.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\RSPxQhu.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\SWcgMoD.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\CzZLpzb.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\THqfzTK.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\XMylofq.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\OLbMGMc.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\CKdfrBc.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\WxFlfJs.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\hiLxYpT.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\CxGXzDr.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\GOVmzPb.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\CkUQlOh.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\zDLeePL.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\xbNJPMk.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\fptlsVz.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\yUpvTSj.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\EZlhmNZ.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\xKLpGtP.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\rHysKlx.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\BSPjQAb.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\CkrxYJz.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\nHYkEpR.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\ODFhhRb.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\vrUoMcM.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\WkpLXXS.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\rSAQRPh.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
File created	C:\Windows\System32\zhjeEWA.exe	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12592	dwm.exe
Token: SeChangeNotifyPrivilege	12592	dwm.exe
Token: 33	12592	dwm.exe
Token: SeIncBasePriorityPrivilege	12592	dwm.exe
Token: SeShutdownPrivilege	12592	dwm.exe
Token: SeCreatePagefilePrivilege	12592	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3148	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	84
PID 1664 wrote to memory of 3148	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	84
PID 1664 wrote to memory of 660	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	85
PID 1664 wrote to memory of 660	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	85
PID 1664 wrote to memory of 3572	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	86
PID 1664 wrote to memory of 3572	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	86
PID 1664 wrote to memory of 3040	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	87
PID 1664 wrote to memory of 3040	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	87
PID 1664 wrote to memory of 4788	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	88
PID 1664 wrote to memory of 4788	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	88
PID 1664 wrote to memory of 3736	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	89
PID 1664 wrote to memory of 3736	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	89
PID 1664 wrote to memory of 4588	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	90
PID 1664 wrote to memory of 4588	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	90
PID 1664 wrote to memory of 1340	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	91
PID 1664 wrote to memory of 1340	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	91
PID 1664 wrote to memory of 2108	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	92
PID 1664 wrote to memory of 2108	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	92
PID 1664 wrote to memory of 4272	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	93
PID 1664 wrote to memory of 4272	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	93
PID 1664 wrote to memory of 2772	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	94
PID 1664 wrote to memory of 2772	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	94
PID 1664 wrote to memory of 3932	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	95
PID 1664 wrote to memory of 3932	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	95
PID 1664 wrote to memory of 5056	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	96
PID 1664 wrote to memory of 5056	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	96
PID 1664 wrote to memory of 1924	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	97
PID 1664 wrote to memory of 1924	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	97
PID 1664 wrote to memory of 664	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	98
PID 1664 wrote to memory of 664	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	98
PID 1664 wrote to memory of 4464	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	99
PID 1664 wrote to memory of 4464	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	99
PID 1664 wrote to memory of 2628	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	100
PID 1664 wrote to memory of 2628	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	100
PID 1664 wrote to memory of 1984	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	101
PID 1664 wrote to memory of 1984	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	101
PID 1664 wrote to memory of 3884	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	102
PID 1664 wrote to memory of 3884	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	102
PID 1664 wrote to memory of 1280	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	103
PID 1664 wrote to memory of 1280	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	103
PID 1664 wrote to memory of 3632	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	104
PID 1664 wrote to memory of 3632	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	104
PID 1664 wrote to memory of 1488	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	105
PID 1664 wrote to memory of 1488	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	105
PID 1664 wrote to memory of 5040	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	106
PID 1664 wrote to memory of 5040	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	106
PID 1664 wrote to memory of 624	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	107
PID 1664 wrote to memory of 624	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	107
PID 1664 wrote to memory of 1416	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	108
PID 1664 wrote to memory of 1416	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	108
PID 1664 wrote to memory of 2932	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	109
PID 1664 wrote to memory of 2932	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	109
PID 1664 wrote to memory of 984	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	110
PID 1664 wrote to memory of 984	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	110
PID 1664 wrote to memory of 3284	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	111
PID 1664 wrote to memory of 3284	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	111
PID 1664 wrote to memory of 3588	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	112
PID 1664 wrote to memory of 3588	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	112
PID 1664 wrote to memory of 3000	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	113
PID 1664 wrote to memory of 3000	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	113
PID 1664 wrote to memory of 1484	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	114
PID 1664 wrote to memory of 1484	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	114
PID 1664 wrote to memory of 3364	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	115
PID 1664 wrote to memory of 3364	1664	2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c0db110f14a9d544886b8a9fab4ce50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\WGvOWCo.exe
  C:\Windows\System32\WGvOWCo.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System32\pMnfNWR.exe
  C:\Windows\System32\pMnfNWR.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System32\YtLZGmK.exe
  C:\Windows\System32\YtLZGmK.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\HGkFlQX.exe
  C:\Windows\System32\HGkFlQX.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System32\QEfDRms.exe
  C:\Windows\System32\QEfDRms.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\qspDJiG.exe
  C:\Windows\System32\qspDJiG.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\ukblPOs.exe
  C:\Windows\System32\ukblPOs.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\EVGIkpS.exe
  C:\Windows\System32\EVGIkpS.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System32\BaNGkqB.exe
  C:\Windows\System32\BaNGkqB.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\SgxvGsV.exe
  C:\Windows\System32\SgxvGsV.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\KWnrYgm.exe
  C:\Windows\System32\KWnrYgm.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\upFSjRF.exe
  C:\Windows\System32\upFSjRF.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\rYreyuR.exe
  C:\Windows\System32\rYreyuR.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\spNzbzc.exe
  C:\Windows\System32\spNzbzc.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\WtrmKpi.exe
  C:\Windows\System32\WtrmKpi.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\beIKKiR.exe
  C:\Windows\System32\beIKKiR.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\NXucNEq.exe
  C:\Windows\System32\NXucNEq.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\jCYIxAS.exe
  C:\Windows\System32\jCYIxAS.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\ffWCVhn.exe
  C:\Windows\System32\ffWCVhn.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\GOpmnmV.exe
  C:\Windows\System32\GOpmnmV.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\mUjFAdd.exe
  C:\Windows\System32\mUjFAdd.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\zCFNcuO.exe
  C:\Windows\System32\zCFNcuO.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\cSfozre.exe
  C:\Windows\System32\cSfozre.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System32\LudECBz.exe
  C:\Windows\System32\LudECBz.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\lXDkuZN.exe
  C:\Windows\System32\lXDkuZN.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\vrUoMcM.exe
  C:\Windows\System32\vrUoMcM.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\WaSdgVG.exe
  C:\Windows\System32\WaSdgVG.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System32\FtuoRdo.exe
  C:\Windows\System32\FtuoRdo.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\XQLnaAU.exe
  C:\Windows\System32\XQLnaAU.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\CzZLpzb.exe
  C:\Windows\System32\CzZLpzb.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\HeNeKtI.exe
  C:\Windows\System32\HeNeKtI.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\vaYgKYt.exe
  C:\Windows\System32\vaYgKYt.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\BjFJYsT.exe
  C:\Windows\System32\BjFJYsT.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\RiNhpss.exe
  C:\Windows\System32\RiNhpss.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\NFqaTxZ.exe
  C:\Windows\System32\NFqaTxZ.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\EMUWHMy.exe
  C:\Windows\System32\EMUWHMy.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\VduDjtm.exe
  C:\Windows\System32\VduDjtm.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\AyKuXvc.exe
  C:\Windows\System32\AyKuXvc.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\gQtynLN.exe
  C:\Windows\System32\gQtynLN.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\tjruXRM.exe
  C:\Windows\System32\tjruXRM.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\ytsBqDL.exe
  C:\Windows\System32\ytsBqDL.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\hpHjxjY.exe
  C:\Windows\System32\hpHjxjY.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\AoJysDs.exe
  C:\Windows\System32\AoJysDs.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\jUGomaL.exe
  C:\Windows\System32\jUGomaL.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\pdOsJED.exe
  C:\Windows\System32\pdOsJED.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System32\qNtaFim.exe
  C:\Windows\System32\qNtaFim.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\VWUdPDv.exe
  C:\Windows\System32\VWUdPDv.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\qrdPuHX.exe
  C:\Windows\System32\qrdPuHX.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\vvsLNLF.exe
  C:\Windows\System32\vvsLNLF.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\YkfbRHe.exe
  C:\Windows\System32\YkfbRHe.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\PsiASCQ.exe
  C:\Windows\System32\PsiASCQ.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\ncaFvvZ.exe
  C:\Windows\System32\ncaFvvZ.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\dZzxwJN.exe
  C:\Windows\System32\dZzxwJN.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\EPGFQjv.exe
  C:\Windows\System32\EPGFQjv.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\dNHZqks.exe
  C:\Windows\System32\dNHZqks.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\BwKKITF.exe
  C:\Windows\System32\BwKKITF.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\JACjOVI.exe
  C:\Windows\System32\JACjOVI.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\jPvWjbo.exe
  C:\Windows\System32\jPvWjbo.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\myxrtQB.exe
  C:\Windows\System32\myxrtQB.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\xKLpGtP.exe
  C:\Windows\System32\xKLpGtP.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\LxVohfS.exe
  C:\Windows\System32\LxVohfS.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System32\UTXjgnE.exe
  C:\Windows\System32\UTXjgnE.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\YWqqonS.exe
  C:\Windows\System32\YWqqonS.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\tayNbqg.exe
  C:\Windows\System32\tayNbqg.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\DTXXTIL.exe
  C:\Windows\System32\DTXXTIL.exe
  2⤵
  PID:4996
- C:\Windows\System32\zhZNmpB.exe
  C:\Windows\System32\zhZNmpB.exe
  2⤵
  PID:976
- C:\Windows\System32\SeLfHzx.exe
  C:\Windows\System32\SeLfHzx.exe
  2⤵
  PID:3620
- C:\Windows\System32\dpcikVa.exe
  C:\Windows\System32\dpcikVa.exe
  2⤵
  PID:1268
- C:\Windows\System32\QmsUAQB.exe
  C:\Windows\System32\QmsUAQB.exe
  2⤵
  PID:4700
- C:\Windows\System32\dbUEZZW.exe
  C:\Windows\System32\dbUEZZW.exe
  2⤵
  PID:2988
- C:\Windows\System32\ZyWMRgN.exe
  C:\Windows\System32\ZyWMRgN.exe
  2⤵
  PID:4784
- C:\Windows\System32\Usefonx.exe
  C:\Windows\System32\Usefonx.exe
  2⤵
  PID:2964
- C:\Windows\System32\nUEAkKw.exe
  C:\Windows\System32\nUEAkKw.exe
  2⤵
  PID:3560
- C:\Windows\System32\nYjJVzN.exe
  C:\Windows\System32\nYjJVzN.exe
  2⤵
  PID:1556
- C:\Windows\System32\hiLxYpT.exe
  C:\Windows\System32\hiLxYpT.exe
  2⤵
  PID:1408
- C:\Windows\System32\qturXIt.exe
  C:\Windows\System32\qturXIt.exe
  2⤵
  PID:4116
- C:\Windows\System32\yUpvTSj.exe
  C:\Windows\System32\yUpvTSj.exe
  2⤵
  PID:2160
- C:\Windows\System32\nlWwdkm.exe
  C:\Windows\System32\nlWwdkm.exe
  2⤵
  PID:4956
- C:\Windows\System32\RTzhuDQ.exe
  C:\Windows\System32\RTzhuDQ.exe
  2⤵
  PID:3464
- C:\Windows\System32\CuYzXeH.exe
  C:\Windows\System32\CuYzXeH.exe
  2⤵
  PID:4912
- C:\Windows\System32\mkQArUP.exe
  C:\Windows\System32\mkQArUP.exe
  2⤵
  PID:2660
- C:\Windows\System32\uVAULvd.exe
  C:\Windows\System32\uVAULvd.exe
  2⤵
  PID:5148
- C:\Windows\System32\AglIhkn.exe
  C:\Windows\System32\AglIhkn.exe
  2⤵
  PID:5176
- C:\Windows\System32\ajgcRbM.exe
  C:\Windows\System32\ajgcRbM.exe
  2⤵
  PID:5212
- C:\Windows\System32\RrhHQaD.exe
  C:\Windows\System32\RrhHQaD.exe
  2⤵
  PID:5232
- C:\Windows\System32\ilhtVkz.exe
  C:\Windows\System32\ilhtVkz.exe
  2⤵
  PID:5268
- C:\Windows\System32\ZodTWQt.exe
  C:\Windows\System32\ZodTWQt.exe
  2⤵
  PID:5296
- C:\Windows\System32\YnwNfcs.exe
  C:\Windows\System32\YnwNfcs.exe
  2⤵
  PID:5324
- C:\Windows\System32\ISxLUYa.exe
  C:\Windows\System32\ISxLUYa.exe
  2⤵
  PID:5344
- C:\Windows\System32\ZGRVZlj.exe
  C:\Windows\System32\ZGRVZlj.exe
  2⤵
  PID:5372
- C:\Windows\System32\CxGXzDr.exe
  C:\Windows\System32\CxGXzDr.exe
  2⤵
  PID:5400
- C:\Windows\System32\GOVmzPb.exe
  C:\Windows\System32\GOVmzPb.exe
  2⤵
  PID:5428
- C:\Windows\System32\HxSldIn.exe
  C:\Windows\System32\HxSldIn.exe
  2⤵
  PID:5456
- C:\Windows\System32\lIldpHs.exe
  C:\Windows\System32\lIldpHs.exe
  2⤵
  PID:5484
- C:\Windows\System32\tIvAqaA.exe
  C:\Windows\System32\tIvAqaA.exe
  2⤵
  PID:5512
- C:\Windows\System32\VGInXPI.exe
  C:\Windows\System32\VGInXPI.exe
  2⤵
  PID:5540
- C:\Windows\System32\olRfZUQ.exe
  C:\Windows\System32\olRfZUQ.exe
  2⤵
  PID:5568
- C:\Windows\System32\GhRxjGP.exe
  C:\Windows\System32\GhRxjGP.exe
  2⤵
  PID:5596
- C:\Windows\System32\vsIGYVn.exe
  C:\Windows\System32\vsIGYVn.exe
  2⤵
  PID:5624
- C:\Windows\System32\AgMIyHr.exe
  C:\Windows\System32\AgMIyHr.exe
  2⤵
  PID:5652
- C:\Windows\System32\mrLNJwI.exe
  C:\Windows\System32\mrLNJwI.exe
  2⤵
  PID:5680
- C:\Windows\System32\dLJsKxZ.exe
  C:\Windows\System32\dLJsKxZ.exe
  2⤵
  PID:5708
- C:\Windows\System32\wOrkaRh.exe
  C:\Windows\System32\wOrkaRh.exe
  2⤵
  PID:5736
- C:\Windows\System32\wwJPUHa.exe
  C:\Windows\System32\wwJPUHa.exe
  2⤵
  PID:5764
- C:\Windows\System32\xCanrvK.exe
  C:\Windows\System32\xCanrvK.exe
  2⤵
  PID:5792
- C:\Windows\System32\XRwGWYF.exe
  C:\Windows\System32\XRwGWYF.exe
  2⤵
  PID:5820
- C:\Windows\System32\MLecfVO.exe
  C:\Windows\System32\MLecfVO.exe
  2⤵
  PID:5848
- C:\Windows\System32\bTxVvKj.exe
  C:\Windows\System32\bTxVvKj.exe
  2⤵
  PID:5876
- C:\Windows\System32\znRDacE.exe
  C:\Windows\System32\znRDacE.exe
  2⤵
  PID:5904
- C:\Windows\System32\gNELFPk.exe
  C:\Windows\System32\gNELFPk.exe
  2⤵
  PID:5932
- C:\Windows\System32\GthhGnj.exe
  C:\Windows\System32\GthhGnj.exe
  2⤵
  PID:5960
- C:\Windows\System32\yGAZqYe.exe
  C:\Windows\System32\yGAZqYe.exe
  2⤵
  PID:5988
- C:\Windows\System32\zxmtekH.exe
  C:\Windows\System32\zxmtekH.exe
  2⤵
  PID:6016
- C:\Windows\System32\yOBFQCr.exe
  C:\Windows\System32\yOBFQCr.exe
  2⤵
  PID:6044
- C:\Windows\System32\brEoCQu.exe
  C:\Windows\System32\brEoCQu.exe
  2⤵
  PID:6072
- C:\Windows\System32\RKOZUWy.exe
  C:\Windows\System32\RKOZUWy.exe
  2⤵
  PID:6100
- C:\Windows\System32\KMBgmkg.exe
  C:\Windows\System32\KMBgmkg.exe
  2⤵
  PID:6128
- C:\Windows\System32\RIunwDO.exe
  C:\Windows\System32\RIunwDO.exe
  2⤵
  PID:4304
- C:\Windows\System32\JvYZDCn.exe
  C:\Windows\System32\JvYZDCn.exe
  2⤵
  PID:2032
- C:\Windows\System32\ZPimCBt.exe
  C:\Windows\System32\ZPimCBt.exe
  2⤵
  PID:2056
- C:\Windows\System32\VWXFBUR.exe
  C:\Windows\System32\VWXFBUR.exe
  2⤵
  PID:316
- C:\Windows\System32\LiLYKxw.exe
  C:\Windows\System32\LiLYKxw.exe
  2⤵
  PID:5136
- C:\Windows\System32\IdUJhTL.exe
  C:\Windows\System32\IdUJhTL.exe
  2⤵
  PID:5168
- C:\Windows\System32\OqwLFjq.exe
  C:\Windows\System32\OqwLFjq.exe
  2⤵
  PID:5248
- C:\Windows\System32\GQqeQHE.exe
  C:\Windows\System32\GQqeQHE.exe
  2⤵
  PID:5304
- C:\Windows\System32\UDZwVzJ.exe
  C:\Windows\System32\UDZwVzJ.exe
  2⤵
  PID:5364
- C:\Windows\System32\JcRRcKY.exe
  C:\Windows\System32\JcRRcKY.exe
  2⤵
  PID:5472
- C:\Windows\System32\lDaZLPB.exe
  C:\Windows\System32\lDaZLPB.exe
  2⤵
  PID:5492
- C:\Windows\System32\BeYOCVJ.exe
  C:\Windows\System32\BeYOCVJ.exe
  2⤵
  PID:5560
- C:\Windows\System32\caKXICT.exe
  C:\Windows\System32\caKXICT.exe
  2⤵
  PID:5632
- C:\Windows\System32\nrmylGr.exe
  C:\Windows\System32\nrmylGr.exe
  2⤵
  PID:5700
- C:\Windows\System32\XWVWbyg.exe
  C:\Windows\System32\XWVWbyg.exe
  2⤵
  PID:5744
- C:\Windows\System32\mcdeAsE.exe
  C:\Windows\System32\mcdeAsE.exe
  2⤵
  PID:5812
- C:\Windows\System32\IpoDTJp.exe
  C:\Windows\System32\IpoDTJp.exe
  2⤵
  PID:5892
- C:\Windows\System32\tvvmqeN.exe
  C:\Windows\System32\tvvmqeN.exe
  2⤵
  PID:5940
- C:\Windows\System32\PjqHlMh.exe
  C:\Windows\System32\PjqHlMh.exe
  2⤵
  PID:6024
- C:\Windows\System32\mEyWvHK.exe
  C:\Windows\System32\mEyWvHK.exe
  2⤵
  PID:6088
- C:\Windows\System32\jAkdsxX.exe
  C:\Windows\System32\jAkdsxX.exe
  2⤵
  PID:6136
- C:\Windows\System32\CpoolYu.exe
  C:\Windows\System32\CpoolYu.exe
  2⤵
  PID:836
- C:\Windows\System32\uXQEeTp.exe
  C:\Windows\System32\uXQEeTp.exe
  2⤵
  PID:216
- C:\Windows\System32\MneQdxy.exe
  C:\Windows\System32\MneQdxy.exe
  2⤵
  PID:5340
- C:\Windows\System32\KcMBqpA.exe
  C:\Windows\System32\KcMBqpA.exe
  2⤵
  PID:5476
- C:\Windows\System32\fPSqjum.exe
  C:\Windows\System32\fPSqjum.exe
  2⤵
  PID:544
- C:\Windows\System32\fhHStIr.exe
  C:\Windows\System32\fhHStIr.exe
  2⤵
  PID:5780
- C:\Windows\System32\sSLLXzb.exe
  C:\Windows\System32\sSLLXzb.exe
  2⤵
  PID:5828
- C:\Windows\System32\jFIRHRB.exe
  C:\Windows\System32\jFIRHRB.exe
  2⤵
  PID:6032
- C:\Windows\System32\gNRbGKl.exe
  C:\Windows\System32\gNRbGKl.exe
  2⤵
  PID:1952
- C:\Windows\System32\yyxqOEj.exe
  C:\Windows\System32\yyxqOEj.exe
  2⤵
  PID:6164
- C:\Windows\System32\vqrGdqH.exe
  C:\Windows\System32\vqrGdqH.exe
  2⤵
  PID:6192
- C:\Windows\System32\qiSVZts.exe
  C:\Windows\System32\qiSVZts.exe
  2⤵
  PID:6220
- C:\Windows\System32\GmAKJls.exe
  C:\Windows\System32\GmAKJls.exe
  2⤵
  PID:6260
- C:\Windows\System32\vwloFNL.exe
  C:\Windows\System32\vwloFNL.exe
  2⤵
  PID:6288
- C:\Windows\System32\wTUpkUD.exe
  C:\Windows\System32\wTUpkUD.exe
  2⤵
  PID:6316
- C:\Windows\System32\jhxIODd.exe
  C:\Windows\System32\jhxIODd.exe
  2⤵
  PID:6332
- C:\Windows\System32\uHFxlLF.exe
  C:\Windows\System32\uHFxlLF.exe
  2⤵
  PID:6360
- C:\Windows\System32\jNRoPFO.exe
  C:\Windows\System32\jNRoPFO.exe
  2⤵
  PID:6388
- C:\Windows\System32\KSFZojF.exe
  C:\Windows\System32\KSFZojF.exe
  2⤵
  PID:6416
- C:\Windows\System32\FjKeLPd.exe
  C:\Windows\System32\FjKeLPd.exe
  2⤵
  PID:6444
- C:\Windows\System32\Mvjtpvc.exe
  C:\Windows\System32\Mvjtpvc.exe
  2⤵
  PID:6472
- C:\Windows\System32\qDAHhhx.exe
  C:\Windows\System32\qDAHhhx.exe
  2⤵
  PID:6500
- C:\Windows\System32\YRkEArs.exe
  C:\Windows\System32\YRkEArs.exe
  2⤵
  PID:6528
- C:\Windows\System32\exUSNSA.exe
  C:\Windows\System32\exUSNSA.exe
  2⤵
  PID:6556
- C:\Windows\System32\zfJgObL.exe
  C:\Windows\System32\zfJgObL.exe
  2⤵
  PID:6584
- C:\Windows\System32\wrjyzmL.exe
  C:\Windows\System32\wrjyzmL.exe
  2⤵
  PID:6612
- C:\Windows\System32\JNPXDJQ.exe
  C:\Windows\System32\JNPXDJQ.exe
  2⤵
  PID:6640
- C:\Windows\System32\uiiJgqa.exe
  C:\Windows\System32\uiiJgqa.exe
  2⤵
  PID:6668
- C:\Windows\System32\gNmqgQV.exe
  C:\Windows\System32\gNmqgQV.exe
  2⤵
  PID:6704
- C:\Windows\System32\OluWVaV.exe
  C:\Windows\System32\OluWVaV.exe
  2⤵
  PID:6724
- C:\Windows\System32\UeGELwP.exe
  C:\Windows\System32\UeGELwP.exe
  2⤵
  PID:6764
- C:\Windows\System32\YZRqMyL.exe
  C:\Windows\System32\YZRqMyL.exe
  2⤵
  PID:6788
- C:\Windows\System32\rHysKlx.exe
  C:\Windows\System32\rHysKlx.exe
  2⤵
  PID:6808
- C:\Windows\System32\bFuhflj.exe
  C:\Windows\System32\bFuhflj.exe
  2⤵
  PID:6836
- C:\Windows\System32\YIMnJFS.exe
  C:\Windows\System32\YIMnJFS.exe
  2⤵
  PID:6864
- C:\Windows\System32\YWKGXdl.exe
  C:\Windows\System32\YWKGXdl.exe
  2⤵
  PID:6892
- C:\Windows\System32\PyEcXED.exe
  C:\Windows\System32\PyEcXED.exe
  2⤵
  PID:6920
- C:\Windows\System32\FivhKXT.exe
  C:\Windows\System32\FivhKXT.exe
  2⤵
  PID:6948
- C:\Windows\System32\PgKKWhd.exe
  C:\Windows\System32\PgKKWhd.exe
  2⤵
  PID:6976
- C:\Windows\System32\TjmwXmW.exe
  C:\Windows\System32\TjmwXmW.exe
  2⤵
  PID:7004
- C:\Windows\System32\aSUucFv.exe
  C:\Windows\System32\aSUucFv.exe
  2⤵
  PID:7032
- C:\Windows\System32\oevEdJK.exe
  C:\Windows\System32\oevEdJK.exe
  2⤵
  PID:7060
- C:\Windows\System32\BvbAUQJ.exe
  C:\Windows\System32\BvbAUQJ.exe
  2⤵
  PID:7088
- C:\Windows\System32\DSkkrGV.exe
  C:\Windows\System32\DSkkrGV.exe
  2⤵
  PID:7116
- C:\Windows\System32\THqfzTK.exe
  C:\Windows\System32\THqfzTK.exe
  2⤵
  PID:7144
- C:\Windows\System32\MzFnJdy.exe
  C:\Windows\System32\MzFnJdy.exe
  2⤵
  PID:4120
- C:\Windows\System32\leBryLV.exe
  C:\Windows\System32\leBryLV.exe
  2⤵
  PID:5380
- C:\Windows\System32\ulbfSde.exe
  C:\Windows\System32\ulbfSde.exe
  2⤵
  PID:5752
- C:\Windows\System32\IbIkTgx.exe
  C:\Windows\System32\IbIkTgx.exe
  2⤵
  PID:6092
- C:\Windows\System32\UoMcOKU.exe
  C:\Windows\System32\UoMcOKU.exe
  2⤵
  PID:6172
- C:\Windows\System32\fLXoDZl.exe
  C:\Windows\System32\fLXoDZl.exe
  2⤵
  PID:6252
- C:\Windows\System32\FwZBZzd.exe
  C:\Windows\System32\FwZBZzd.exe
  2⤵
  PID:6300
- C:\Windows\System32\qVxMlpB.exe
  C:\Windows\System32\qVxMlpB.exe
  2⤵
  PID:6368
- C:\Windows\System32\ffadbxf.exe
  C:\Windows\System32\ffadbxf.exe
  2⤵
  PID:6436
- C:\Windows\System32\vDwJZSD.exe
  C:\Windows\System32\vDwJZSD.exe
  2⤵
  PID:6544
- C:\Windows\System32\kQwjvSG.exe
  C:\Windows\System32\kQwjvSG.exe
  2⤵
  PID:6564
- C:\Windows\System32\HlVuzjJ.exe
  C:\Windows\System32\HlVuzjJ.exe
  2⤵
  PID:6648
- C:\Windows\System32\xScsTne.exe
  C:\Windows\System32\xScsTne.exe
  2⤵
  PID:6700
- C:\Windows\System32\nCClNeE.exe
  C:\Windows\System32\nCClNeE.exe
  2⤵
  PID:6772
- C:\Windows\System32\odFeJgM.exe
  C:\Windows\System32\odFeJgM.exe
  2⤵
  PID:6828
- C:\Windows\System32\eJVrtlE.exe
  C:\Windows\System32\eJVrtlE.exe
  2⤵
  PID:6908
- C:\Windows\System32\kSakDCD.exe
  C:\Windows\System32\kSakDCD.exe
  2⤵
  PID:6956
- C:\Windows\System32\trwKojf.exe
  C:\Windows\System32\trwKojf.exe
  2⤵
  PID:7024
- C:\Windows\System32\ORdZEIe.exe
  C:\Windows\System32\ORdZEIe.exe
  2⤵
  PID:7104
- C:\Windows\System32\LoEEGMq.exe
  C:\Windows\System32\LoEEGMq.exe
  2⤵
  PID:7164
- C:\Windows\System32\bUYcXrg.exe
  C:\Windows\System32\bUYcXrg.exe
  2⤵
  PID:5576
- C:\Windows\System32\MaGLoWn.exe
  C:\Windows\System32\MaGLoWn.exe
  2⤵
  PID:6212
- C:\Windows\System32\CkUQlOh.exe
  C:\Windows\System32\CkUQlOh.exe
  2⤵
  PID:6352
- C:\Windows\System32\ftGnQuj.exe
  C:\Windows\System32\ftGnQuj.exe
  2⤵
  PID:6464
- C:\Windows\System32\vlxhAMw.exe
  C:\Windows\System32\vlxhAMw.exe
  2⤵
  PID:6600
- C:\Windows\System32\zDLeePL.exe
  C:\Windows\System32\zDLeePL.exe
  2⤵
  PID:6804
- C:\Windows\System32\TQbjaVj.exe
  C:\Windows\System32\TQbjaVj.exe
  2⤵
  PID:6928
- C:\Windows\System32\DCrYbJs.exe
  C:\Windows\System32\DCrYbJs.exe
  2⤵
  PID:6992
- C:\Windows\System32\TTXndFR.exe
  C:\Windows\System32\TTXndFR.exe
  2⤵
  PID:5284
- C:\Windows\System32\oFofprR.exe
  C:\Windows\System32\oFofprR.exe
  2⤵
  PID:7188
- C:\Windows\System32\GahXiLB.exe
  C:\Windows\System32\GahXiLB.exe
  2⤵
  PID:7216
- C:\Windows\System32\cxxseDG.exe
  C:\Windows\System32\cxxseDG.exe
  2⤵
  PID:7244
- C:\Windows\System32\BSPjQAb.exe
  C:\Windows\System32\BSPjQAb.exe
  2⤵
  PID:7272
- C:\Windows\System32\EOqqjjI.exe
  C:\Windows\System32\EOqqjjI.exe
  2⤵
  PID:7300
- C:\Windows\System32\TtdvBQL.exe
  C:\Windows\System32\TtdvBQL.exe
  2⤵
  PID:7328
- C:\Windows\System32\oOwBdJU.exe
  C:\Windows\System32\oOwBdJU.exe
  2⤵
  PID:7356
- C:\Windows\System32\likdKoE.exe
  C:\Windows\System32\likdKoE.exe
  2⤵
  PID:7384
- C:\Windows\System32\vnzywBE.exe
  C:\Windows\System32\vnzywBE.exe
  2⤵
  PID:7412
- C:\Windows\System32\KgAuYot.exe
  C:\Windows\System32\KgAuYot.exe
  2⤵
  PID:7440
- C:\Windows\System32\wxkyOMX.exe
  C:\Windows\System32\wxkyOMX.exe
  2⤵
  PID:7468
- C:\Windows\System32\iMIEYEk.exe
  C:\Windows\System32\iMIEYEk.exe
  2⤵
  PID:7496
- C:\Windows\System32\BkgxVLz.exe
  C:\Windows\System32\BkgxVLz.exe
  2⤵
  PID:7524
- C:\Windows\System32\twoogNy.exe
  C:\Windows\System32\twoogNy.exe
  2⤵
  PID:7552
- C:\Windows\System32\uTGWxrh.exe
  C:\Windows\System32\uTGWxrh.exe
  2⤵
  PID:7580
- C:\Windows\System32\hcuSTdr.exe
  C:\Windows\System32\hcuSTdr.exe
  2⤵
  PID:7608
- C:\Windows\System32\XfcnaUl.exe
  C:\Windows\System32\XfcnaUl.exe
  2⤵
  PID:7636
- C:\Windows\System32\dfISRge.exe
  C:\Windows\System32\dfISRge.exe
  2⤵
  PID:7664
- C:\Windows\System32\dfgmxaI.exe
  C:\Windows\System32\dfgmxaI.exe
  2⤵
  PID:7692
- C:\Windows\System32\XbIevEx.exe
  C:\Windows\System32\XbIevEx.exe
  2⤵
  PID:7720
- C:\Windows\System32\XsEcOkR.exe
  C:\Windows\System32\XsEcOkR.exe
  2⤵
  PID:7748
- C:\Windows\System32\ESGLmeL.exe
  C:\Windows\System32\ESGLmeL.exe
  2⤵
  PID:7776
- C:\Windows\System32\NWmhxGf.exe
  C:\Windows\System32\NWmhxGf.exe
  2⤵
  PID:7804
- C:\Windows\System32\BRphaYa.exe
  C:\Windows\System32\BRphaYa.exe
  2⤵
  PID:7832
- C:\Windows\System32\IJCUDhp.exe
  C:\Windows\System32\IJCUDhp.exe
  2⤵
  PID:7860
- C:\Windows\System32\YOAZsGn.exe
  C:\Windows\System32\YOAZsGn.exe
  2⤵
  PID:7888
- C:\Windows\System32\EBlKXGG.exe
  C:\Windows\System32\EBlKXGG.exe
  2⤵
  PID:7916
- C:\Windows\System32\OuNlTEh.exe
  C:\Windows\System32\OuNlTEh.exe
  2⤵
  PID:7944
- C:\Windows\System32\MGvaIfP.exe
  C:\Windows\System32\MGvaIfP.exe
  2⤵
  PID:7972
- C:\Windows\System32\CkrxYJz.exe
  C:\Windows\System32\CkrxYJz.exe
  2⤵
  PID:8000
- C:\Windows\System32\YlddBYZ.exe
  C:\Windows\System32\YlddBYZ.exe
  2⤵
  PID:8028
- C:\Windows\System32\bYiSfse.exe
  C:\Windows\System32\bYiSfse.exe
  2⤵
  PID:8068
- C:\Windows\System32\DuUxYfv.exe
  C:\Windows\System32\DuUxYfv.exe
  2⤵
  PID:8144
- C:\Windows\System32\RTsgMyg.exe
  C:\Windows\System32\RTsgMyg.exe
  2⤵
  PID:8160
- C:\Windows\System32\pSJARMs.exe
  C:\Windows\System32\pSJARMs.exe
  2⤵
  PID:8176
- C:\Windows\System32\iWRlAfd.exe
  C:\Windows\System32\iWRlAfd.exe
  2⤵
  PID:6432
- C:\Windows\System32\WkpLXXS.exe
  C:\Windows\System32\WkpLXXS.exe
  2⤵
  PID:4388
- C:\Windows\System32\fobQWzd.exe
  C:\Windows\System32\fobQWzd.exe
  2⤵
  PID:6824
- C:\Windows\System32\gKSQMPK.exe
  C:\Windows\System32\gKSQMPK.exe
  2⤵
  PID:7180
- C:\Windows\System32\vcRJnkq.exe
  C:\Windows\System32\vcRJnkq.exe
  2⤵
  PID:7224
- C:\Windows\System32\wuHrDRP.exe
  C:\Windows\System32\wuHrDRP.exe
  2⤵
  PID:7292
- C:\Windows\System32\adSBDgN.exe
  C:\Windows\System32\adSBDgN.exe
  2⤵
  PID:7404
- C:\Windows\System32\owoGWQu.exe
  C:\Windows\System32\owoGWQu.exe
  2⤵
  PID:7456
- C:\Windows\System32\McBqoeq.exe
  C:\Windows\System32\McBqoeq.exe
  2⤵
  PID:7532
- C:\Windows\System32\iCMLWYZ.exe
  C:\Windows\System32\iCMLWYZ.exe
  2⤵
  PID:7652
- C:\Windows\System32\aJdHKbz.exe
  C:\Windows\System32\aJdHKbz.exe
  2⤵
  PID:3972
- C:\Windows\System32\hmnPGbG.exe
  C:\Windows\System32\hmnPGbG.exe
  2⤵
  PID:4060
- C:\Windows\System32\ZodGbwc.exe
  C:\Windows\System32\ZodGbwc.exe
  2⤵
  PID:2624
- C:\Windows\System32\mMuiCOO.exe
  C:\Windows\System32\mMuiCOO.exe
  2⤵
  PID:7820
- C:\Windows\System32\wrcsxse.exe
  C:\Windows\System32\wrcsxse.exe
  2⤵
  PID:7848
- C:\Windows\System32\nSNPPnX.exe
  C:\Windows\System32\nSNPPnX.exe
  2⤵
  PID:884
- C:\Windows\System32\YmZzVfP.exe
  C:\Windows\System32\YmZzVfP.exe
  2⤵
  PID:7952
- C:\Windows\System32\lglKgjY.exe
  C:\Windows\System32\lglKgjY.exe
  2⤵
  PID:7988
- C:\Windows\System32\nhyzdNj.exe
  C:\Windows\System32\nhyzdNj.exe
  2⤵
  PID:5116
- C:\Windows\System32\Gsvaobg.exe
  C:\Windows\System32\Gsvaobg.exe
  2⤵
  PID:8016
- C:\Windows\System32\VDNLDGT.exe
  C:\Windows\System32\VDNLDGT.exe
  2⤵
  PID:8108
- C:\Windows\System32\jdrHPMt.exe
  C:\Windows\System32\jdrHPMt.exe
  2⤵
  PID:4696
- C:\Windows\System32\KfWSPsi.exe
  C:\Windows\System32\KfWSPsi.exe
  2⤵
  PID:6268
- C:\Windows\System32\TybXjVM.exe
  C:\Windows\System32\TybXjVM.exe
  2⤵
  PID:7124
- C:\Windows\System32\WZPubOn.exe
  C:\Windows\System32\WZPubOn.exe
  2⤵
  PID:7196
- C:\Windows\System32\SumrcWK.exe
  C:\Windows\System32\SumrcWK.exe
  2⤵
  PID:7280
- C:\Windows\System32\qQaGLvi.exe
  C:\Windows\System32\qQaGLvi.exe
  2⤵
  PID:7504
- C:\Windows\System32\IEaVWvB.exe
  C:\Windows\System32\IEaVWvB.exe
  2⤵
  PID:7684
- C:\Windows\System32\YavWrKT.exe
  C:\Windows\System32\YavWrKT.exe
  2⤵
  PID:7764
- C:\Windows\System32\fgBJDHw.exe
  C:\Windows\System32\fgBJDHw.exe
  2⤵
  PID:7904
- C:\Windows\System32\CkWZPcx.exe
  C:\Windows\System32\CkWZPcx.exe
  2⤵
  PID:8052
- C:\Windows\System32\uOLhGcs.exe
  C:\Windows\System32\uOLhGcs.exe
  2⤵
  PID:8060
- C:\Windows\System32\qPTADJB.exe
  C:\Windows\System32\qPTADJB.exe
  2⤵
  PID:8168
- C:\Windows\System32\JfMbpWM.exe
  C:\Windows\System32\JfMbpWM.exe
  2⤵
  PID:5864
- C:\Windows\System32\isVATHI.exe
  C:\Windows\System32\isVATHI.exe
  2⤵
  PID:7712
- C:\Windows\System32\UEXepqq.exe
  C:\Windows\System32\UEXepqq.exe
  2⤵
  PID:7936
- C:\Windows\System32\UVAZUGW.exe
  C:\Windows\System32\UVAZUGW.exe
  2⤵
  PID:6508
- C:\Windows\System32\aluYUEd.exe
  C:\Windows\System32\aluYUEd.exe
  2⤵
  PID:8196
- C:\Windows\System32\gHUdoMl.exe
  C:\Windows\System32\gHUdoMl.exe
  2⤵
  PID:8224
- C:\Windows\System32\MtHxOtO.exe
  C:\Windows\System32\MtHxOtO.exe
  2⤵
  PID:8244
- C:\Windows\System32\AwnazGs.exe
  C:\Windows\System32\AwnazGs.exe
  2⤵
  PID:8272
- C:\Windows\System32\bEOIOOz.exe
  C:\Windows\System32\bEOIOOz.exe
  2⤵
  PID:8300
- C:\Windows\System32\GAiUQde.exe
  C:\Windows\System32\GAiUQde.exe
  2⤵
  PID:8328
- C:\Windows\System32\kuqWQRg.exe
  C:\Windows\System32\kuqWQRg.exe
  2⤵
  PID:8364
- C:\Windows\System32\TavOeEn.exe
  C:\Windows\System32\TavOeEn.exe
  2⤵
  PID:8384
- C:\Windows\System32\gpwoGaf.exe
  C:\Windows\System32\gpwoGaf.exe
  2⤵
  PID:8412
- C:\Windows\System32\feZFINW.exe
  C:\Windows\System32\feZFINW.exe
  2⤵
  PID:8448
- C:\Windows\System32\TXLCoMD.exe
  C:\Windows\System32\TXLCoMD.exe
  2⤵
  PID:8476
- C:\Windows\System32\ukwrCnI.exe
  C:\Windows\System32\ukwrCnI.exe
  2⤵
  PID:8496
- C:\Windows\System32\ofzzDZy.exe
  C:\Windows\System32\ofzzDZy.exe
  2⤵
  PID:8528
- C:\Windows\System32\ymjlRhF.exe
  C:\Windows\System32\ymjlRhF.exe
  2⤵
  PID:8576
- C:\Windows\System32\ZSdnVyN.exe
  C:\Windows\System32\ZSdnVyN.exe
  2⤵
  PID:8596
- C:\Windows\System32\DmBMXQJ.exe
  C:\Windows\System32\DmBMXQJ.exe
  2⤵
  PID:8612
- C:\Windows\System32\iPYCbrS.exe
  C:\Windows\System32\iPYCbrS.exe
  2⤵
  PID:8632
- C:\Windows\System32\ADhzjws.exe
  C:\Windows\System32\ADhzjws.exe
  2⤵
  PID:8668
- C:\Windows\System32\rSAQRPh.exe
  C:\Windows\System32\rSAQRPh.exe
  2⤵
  PID:8704
- C:\Windows\System32\GNjSYcl.exe
  C:\Windows\System32\GNjSYcl.exe
  2⤵
  PID:8724
- C:\Windows\System32\SSOZZZY.exe
  C:\Windows\System32\SSOZZZY.exe
  2⤵
  PID:8740
- C:\Windows\System32\oiQOArl.exe
  C:\Windows\System32\oiQOArl.exe
  2⤵
  PID:8768
- C:\Windows\System32\ZtVtUpJ.exe
  C:\Windows\System32\ZtVtUpJ.exe
  2⤵
  PID:8860
- C:\Windows\System32\TkHAFru.exe
  C:\Windows\System32\TkHAFru.exe
  2⤵
  PID:8876
- C:\Windows\System32\jJdrcYz.exe
  C:\Windows\System32\jJdrcYz.exe
  2⤵
  PID:8892
- C:\Windows\System32\IBaLwSC.exe
  C:\Windows\System32\IBaLwSC.exe
  2⤵
  PID:8940
- C:\Windows\System32\wWHhqey.exe
  C:\Windows\System32\wWHhqey.exe
  2⤵
  PID:8976
- C:\Windows\System32\uGvITnq.exe
  C:\Windows\System32\uGvITnq.exe
  2⤵
  PID:9064
- C:\Windows\System32\PEfTeqO.exe
  C:\Windows\System32\PEfTeqO.exe
  2⤵
  PID:9100
- C:\Windows\System32\XMylofq.exe
  C:\Windows\System32\XMylofq.exe
  2⤵
  PID:9132
- C:\Windows\System32\ChFivxg.exe
  C:\Windows\System32\ChFivxg.exe
  2⤵
  PID:7656
- C:\Windows\System32\WSwwCfE.exe
  C:\Windows\System32\WSwwCfE.exe
  2⤵
  PID:8204
- C:\Windows\System32\DeLgkUe.exe
  C:\Windows\System32\DeLgkUe.exe
  2⤵
  PID:8264
- C:\Windows\System32\sHBHgUF.exe
  C:\Windows\System32\sHBHgUF.exe
  2⤵
  PID:8336
- C:\Windows\System32\fcrXZDP.exe
  C:\Windows\System32\fcrXZDP.exe
  2⤵
  PID:8380
- C:\Windows\System32\TlgxFRf.exe
  C:\Windows\System32\TlgxFRf.exe
  2⤵
  PID:5084
- C:\Windows\System32\akrYZGW.exe
  C:\Windows\System32\akrYZGW.exe
  2⤵
  PID:8512
- C:\Windows\System32\CvZxGDW.exe
  C:\Windows\System32\CvZxGDW.exe
  2⤵
  PID:2132
- C:\Windows\System32\GnNGGgA.exe
  C:\Windows\System32\GnNGGgA.exe
  2⤵
  PID:3824
- C:\Windows\System32\EjPUpWK.exe
  C:\Windows\System32\EjPUpWK.exe
  2⤵
  PID:8584
- C:\Windows\System32\hiJHVkp.exe
  C:\Windows\System32\hiJHVkp.exe
  2⤵
  PID:8648
- C:\Windows\System32\xbNJPMk.exe
  C:\Windows\System32\xbNJPMk.exe
  2⤵
  PID:8696
- C:\Windows\System32\ZlnqMKe.exe
  C:\Windows\System32\ZlnqMKe.exe
  2⤵
  PID:8800
- C:\Windows\System32\zhjeEWA.exe
  C:\Windows\System32\zhjeEWA.exe
  2⤵
  PID:8836
- C:\Windows\System32\qTHwrwB.exe
  C:\Windows\System32\qTHwrwB.exe
  2⤵
  PID:8900
- C:\Windows\System32\ahyGOZu.exe
  C:\Windows\System32\ahyGOZu.exe
  2⤵
  PID:940
- C:\Windows\System32\DUTVOsj.exe
  C:\Windows\System32\DUTVOsj.exe
  2⤵
  PID:7628
- C:\Windows\System32\bPUyOiW.exe
  C:\Windows\System32\bPUyOiW.exe
  2⤵
  PID:9056
- C:\Windows\System32\ZdbszRZ.exe
  C:\Windows\System32\ZdbszRZ.exe
  2⤵
  PID:9080
- C:\Windows\System32\bAdIcpv.exe
  C:\Windows\System32\bAdIcpv.exe
  2⤵
  PID:9124
- C:\Windows\System32\MUqqZcI.exe
  C:\Windows\System32\MUqqZcI.exe
  2⤵
  PID:9108
- C:\Windows\System32\nYlYvqY.exe
  C:\Windows\System32\nYlYvqY.exe
  2⤵
  PID:8232
- C:\Windows\System32\yeyUcaF.exe
  C:\Windows\System32\yeyUcaF.exe
  2⤵
  PID:8360
- C:\Windows\System32\XTtOoDf.exe
  C:\Windows\System32\XTtOoDf.exe
  2⤵
  PID:1940
- C:\Windows\System32\vpQwILH.exe
  C:\Windows\System32\vpQwILH.exe
  2⤵
  PID:1492
- C:\Windows\System32\KPhxsnA.exe
  C:\Windows\System32\KPhxsnA.exe
  2⤵
  PID:8712
- C:\Windows\System32\YsCTBpF.exe
  C:\Windows\System32\YsCTBpF.exe
  2⤵
  PID:1652
- C:\Windows\System32\HDweyGx.exe
  C:\Windows\System32\HDweyGx.exe
  2⤵
  PID:3604
- C:\Windows\System32\pObhkiK.exe
  C:\Windows\System32\pObhkiK.exe
  2⤵
  PID:3144
- C:\Windows\System32\ZFEaEgc.exe
  C:\Windows\System32\ZFEaEgc.exe
  2⤵
  PID:9084
- C:\Windows\System32\DztGhiP.exe
  C:\Windows\System32\DztGhiP.exe
  2⤵
  PID:748
- C:\Windows\System32\XrgqHBN.exe
  C:\Windows\System32\XrgqHBN.exe
  2⤵
  PID:1084
- C:\Windows\System32\YjNopAZ.exe
  C:\Windows\System32\YjNopAZ.exe
  2⤵
  PID:8748
- C:\Windows\System32\cKJwMFs.exe
  C:\Windows\System32\cKJwMFs.exe
  2⤵
  PID:4228
- C:\Windows\System32\NWTndRz.exe
  C:\Windows\System32\NWTndRz.exe
  2⤵
  PID:7020
- C:\Windows\System32\WEqQihl.exe
  C:\Windows\System32\WEqQihl.exe
  2⤵
  PID:7868
- C:\Windows\System32\djQkwuM.exe
  C:\Windows\System32\djQkwuM.exe
  2⤵
  PID:1872
- C:\Windows\System32\hheFrCi.exe
  C:\Windows\System32\hheFrCi.exe
  2⤵
  PID:8456
- C:\Windows\System32\RStvkuW.exe
  C:\Windows\System32\RStvkuW.exe
  2⤵
  PID:9224
- C:\Windows\System32\aPFsMYb.exe
  C:\Windows\System32\aPFsMYb.exe
  2⤵
  PID:9264
- C:\Windows\System32\IOKHUSx.exe
  C:\Windows\System32\IOKHUSx.exe
  2⤵
  PID:9280
- C:\Windows\System32\ZrWEbUG.exe
  C:\Windows\System32\ZrWEbUG.exe
  2⤵
  PID:9312
- C:\Windows\System32\IPnWiFQ.exe
  C:\Windows\System32\IPnWiFQ.exe
  2⤵
  PID:9328
- C:\Windows\System32\Xjicunm.exe
  C:\Windows\System32\Xjicunm.exe
  2⤵
  PID:9364
- C:\Windows\System32\tlTxije.exe
  C:\Windows\System32\tlTxije.exe
  2⤵
  PID:9392
- C:\Windows\System32\oWJRxdv.exe
  C:\Windows\System32\oWJRxdv.exe
  2⤵
  PID:9416
- C:\Windows\System32\wpIFjdX.exe
  C:\Windows\System32\wpIFjdX.exe
  2⤵
  PID:9468
- C:\Windows\System32\bSXUMWw.exe
  C:\Windows\System32\bSXUMWw.exe
  2⤵
  PID:9496
- C:\Windows\System32\smcmWsa.exe
  C:\Windows\System32\smcmWsa.exe
  2⤵
  PID:9524
- C:\Windows\System32\daTOvYX.exe
  C:\Windows\System32\daTOvYX.exe
  2⤵
  PID:9556
- C:\Windows\System32\jMSCfLd.exe
  C:\Windows\System32\jMSCfLd.exe
  2⤵
  PID:9584
- C:\Windows\System32\NTnpZVo.exe
  C:\Windows\System32\NTnpZVo.exe
  2⤵
  PID:9612
- C:\Windows\System32\SCgAWAj.exe
  C:\Windows\System32\SCgAWAj.exe
  2⤵
  PID:9640
- C:\Windows\System32\ZdpxuRK.exe
  C:\Windows\System32\ZdpxuRK.exe
  2⤵
  PID:9668
- C:\Windows\System32\oAvYlTZ.exe
  C:\Windows\System32\oAvYlTZ.exe
  2⤵
  PID:9696
- C:\Windows\System32\pwwJiSx.exe
  C:\Windows\System32\pwwJiSx.exe
  2⤵
  PID:9724
- C:\Windows\System32\YsVyjUO.exe
  C:\Windows\System32\YsVyjUO.exe
  2⤵
  PID:9752
- C:\Windows\System32\TvRYJHF.exe
  C:\Windows\System32\TvRYJHF.exe
  2⤵
  PID:9768
- C:\Windows\System32\iINKMPJ.exe
  C:\Windows\System32\iINKMPJ.exe
  2⤵
  PID:9796
- C:\Windows\System32\QuRpyyI.exe
  C:\Windows\System32\QuRpyyI.exe
  2⤵
  PID:9824
- C:\Windows\System32\rVScKjg.exe
  C:\Windows\System32\rVScKjg.exe
  2⤵
  PID:9864
- C:\Windows\System32\MRGVURg.exe
  C:\Windows\System32\MRGVURg.exe
  2⤵
  PID:9880
- C:\Windows\System32\xjSSXml.exe
  C:\Windows\System32\xjSSXml.exe
  2⤵
  PID:9916
- C:\Windows\System32\SXVwhht.exe
  C:\Windows\System32\SXVwhht.exe
  2⤵
  PID:9948
- C:\Windows\System32\OLbMGMc.exe
  C:\Windows\System32\OLbMGMc.exe
  2⤵
  PID:9980
- C:\Windows\System32\ZaAnPtl.exe
  C:\Windows\System32\ZaAnPtl.exe
  2⤵
  PID:10008
- C:\Windows\System32\kizOtIP.exe
  C:\Windows\System32\kizOtIP.exe
  2⤵
  PID:10032
- C:\Windows\System32\izOxEpp.exe
  C:\Windows\System32\izOxEpp.exe
  2⤵
  PID:10064
- C:\Windows\System32\KjFYjnX.exe
  C:\Windows\System32\KjFYjnX.exe
  2⤵
  PID:10080
- C:\Windows\System32\RSPxQhu.exe
  C:\Windows\System32\RSPxQhu.exe
  2⤵
  PID:10120
- C:\Windows\System32\GvvsLgH.exe
  C:\Windows\System32\GvvsLgH.exe
  2⤵
  PID:10148
- C:\Windows\System32\VdZcvBq.exe
  C:\Windows\System32\VdZcvBq.exe
  2⤵
  PID:10168
- C:\Windows\System32\mxHJigY.exe
  C:\Windows\System32\mxHJigY.exe
  2⤵
  PID:10196
- C:\Windows\System32\ZtPgKXX.exe
  C:\Windows\System32\ZtPgKXX.exe
  2⤵
  PID:10232
- C:\Windows\System32\NBZmLRa.exe
  C:\Windows\System32\NBZmLRa.exe
  2⤵
  PID:9256
- C:\Windows\System32\nmwVAUy.exe
  C:\Windows\System32\nmwVAUy.exe
  2⤵
  PID:9300
- C:\Windows\System32\vWnxXMN.exe
  C:\Windows\System32\vWnxXMN.exe
  2⤵
  PID:9356
- C:\Windows\System32\ApeDgKv.exe
  C:\Windows\System32\ApeDgKv.exe
  2⤵
  PID:9440
- C:\Windows\System32\HYiygUS.exe
  C:\Windows\System32\HYiygUS.exe
  2⤵
  PID:9520
- C:\Windows\System32\NaWZkbu.exe
  C:\Windows\System32\NaWZkbu.exe
  2⤵
  PID:9596
- C:\Windows\System32\EUuIdDI.exe
  C:\Windows\System32\EUuIdDI.exe
  2⤵
  PID:9664
- C:\Windows\System32\CKdfrBc.exe
  C:\Windows\System32\CKdfrBc.exe
  2⤵
  PID:9692
- C:\Windows\System32\FNSCEAS.exe
  C:\Windows\System32\FNSCEAS.exe
  2⤵
  PID:9764
- C:\Windows\System32\QSClrXv.exe
  C:\Windows\System32\QSClrXv.exe
  2⤵
  PID:9812
- C:\Windows\System32\NNfwBvU.exe
  C:\Windows\System32\NNfwBvU.exe
  2⤵
  PID:9896
- C:\Windows\System32\HELDPdG.exe
  C:\Windows\System32\HELDPdG.exe
  2⤵
  PID:9960
- C:\Windows\System32\zFvAzKE.exe
  C:\Windows\System32\zFvAzKE.exe
  2⤵
  PID:10000
- C:\Windows\System32\rTbXmyC.exe
  C:\Windows\System32\rTbXmyC.exe
  2⤵
  PID:10092
- C:\Windows\System32\aDZfIFo.exe
  C:\Windows\System32\aDZfIFo.exe
  2⤵
  PID:10136
- C:\Windows\System32\hDYTrdZ.exe
  C:\Windows\System32\hDYTrdZ.exe
  2⤵
  PID:10220
- C:\Windows\System32\tLGbgtg.exe
  C:\Windows\System32\tLGbgtg.exe
  2⤵
  PID:9352
- C:\Windows\System32\lVwGkUt.exe
  C:\Windows\System32\lVwGkUt.exe
  2⤵
  PID:9484
- C:\Windows\System32\FjNERTg.exe
  C:\Windows\System32\FjNERTg.exe
  2⤵
  PID:9632
- C:\Windows\System32\bDgtMOq.exe
  C:\Windows\System32\bDgtMOq.exe
  2⤵
  PID:9780
- C:\Windows\System32\twbcAGP.exe
  C:\Windows\System32\twbcAGP.exe
  2⤵
  PID:9924
- C:\Windows\System32\jbPOrUB.exe
  C:\Windows\System32\jbPOrUB.exe
  2⤵
  PID:9532
- C:\Windows\System32\ZmvrftJ.exe
  C:\Windows\System32\ZmvrftJ.exe
  2⤵
  PID:10204
- C:\Windows\System32\oacOLUd.exe
  C:\Windows\System32\oacOLUd.exe
  2⤵
  PID:9448
- C:\Windows\System32\WsxsDFr.exe
  C:\Windows\System32\WsxsDFr.exe
  2⤵
  PID:9876
- C:\Windows\System32\NcRhXeo.exe
  C:\Windows\System32\NcRhXeo.exe
  2⤵
  PID:10104
- C:\Windows\System32\CnmSRYf.exe
  C:\Windows\System32\CnmSRYf.exe
  2⤵
  PID:9680
- C:\Windows\System32\VisZzIS.exe
  C:\Windows\System32\VisZzIS.exe
  2⤵
  PID:9276
- C:\Windows\System32\XjKAKiY.exe
  C:\Windows\System32\XjKAKiY.exe
  2⤵
  PID:10252
- C:\Windows\System32\tHPGRZm.exe
  C:\Windows\System32\tHPGRZm.exe
  2⤵
  PID:10280
- C:\Windows\System32\TlxRBhX.exe
  C:\Windows\System32\TlxRBhX.exe
  2⤵
  PID:10308
- C:\Windows\System32\AGjOnnp.exe
  C:\Windows\System32\AGjOnnp.exe
  2⤵
  PID:10344
- C:\Windows\System32\CWitjjx.exe
  C:\Windows\System32\CWitjjx.exe
  2⤵
  PID:10376
- C:\Windows\System32\zLhJuZK.exe
  C:\Windows\System32\zLhJuZK.exe
  2⤵
  PID:10404
- C:\Windows\System32\MRFfnKk.exe
  C:\Windows\System32\MRFfnKk.exe
  2⤵
  PID:10420
- C:\Windows\System32\hMpAdFR.exe
  C:\Windows\System32\hMpAdFR.exe
  2⤵
  PID:10456
- C:\Windows\System32\StyOyCT.exe
  C:\Windows\System32\StyOyCT.exe
  2⤵
  PID:10492
- C:\Windows\System32\rTaVVVV.exe
  C:\Windows\System32\rTaVVVV.exe
  2⤵
  PID:10532
- C:\Windows\System32\KeLLkJM.exe
  C:\Windows\System32\KeLLkJM.exe
  2⤵
  PID:10548
- C:\Windows\System32\EAjnafF.exe
  C:\Windows\System32\EAjnafF.exe
  2⤵
  PID:10584
- C:\Windows\System32\HazWcBx.exe
  C:\Windows\System32\HazWcBx.exe
  2⤵
  PID:10600
- C:\Windows\System32\PNPBJPI.exe
  C:\Windows\System32\PNPBJPI.exe
  2⤵
  PID:10644
- C:\Windows\System32\pkdYSid.exe
  C:\Windows\System32\pkdYSid.exe
  2⤵
  PID:10672
- C:\Windows\System32\WhyEdRt.exe
  C:\Windows\System32\WhyEdRt.exe
  2⤵
  PID:10700
- C:\Windows\System32\zsGFXBO.exe
  C:\Windows\System32\zsGFXBO.exe
  2⤵
  PID:10724
- C:\Windows\System32\seUlwHW.exe
  C:\Windows\System32\seUlwHW.exe
  2⤵
  PID:10756
- C:\Windows\System32\REwMPFt.exe
  C:\Windows\System32\REwMPFt.exe
  2⤵
  PID:10784
- C:\Windows\System32\EnpQHKw.exe
  C:\Windows\System32\EnpQHKw.exe
  2⤵
  PID:10820
- C:\Windows\System32\QUJPFIM.exe
  C:\Windows\System32\QUJPFIM.exe
  2⤵
  PID:10868
- C:\Windows\System32\olJzsKp.exe
  C:\Windows\System32\olJzsKp.exe
  2⤵
  PID:10908
- C:\Windows\System32\zhKPkNl.exe
  C:\Windows\System32\zhKPkNl.exe
  2⤵
  PID:10936
- C:\Windows\System32\pFgSxiM.exe
  C:\Windows\System32\pFgSxiM.exe
  2⤵
  PID:10968
- C:\Windows\System32\EPTEQio.exe
  C:\Windows\System32\EPTEQio.exe
  2⤵
  PID:10988
- C:\Windows\System32\nHYkEpR.exe
  C:\Windows\System32\nHYkEpR.exe
  2⤵
  PID:11016
- C:\Windows\System32\dSkIZaR.exe
  C:\Windows\System32\dSkIZaR.exe
  2⤵
  PID:11044
- C:\Windows\System32\qpKJsoa.exe
  C:\Windows\System32\qpKJsoa.exe
  2⤵
  PID:11080
- C:\Windows\System32\xBSJnvW.exe
  C:\Windows\System32\xBSJnvW.exe
  2⤵
  PID:11112
- C:\Windows\System32\tysfWOA.exe
  C:\Windows\System32\tysfWOA.exe
  2⤵
  PID:11140
- C:\Windows\System32\OdYTryX.exe
  C:\Windows\System32\OdYTryX.exe
  2⤵
  PID:11168
- C:\Windows\System32\SjJCWki.exe
  C:\Windows\System32\SjJCWki.exe
  2⤵
  PID:11188
- C:\Windows\System32\bdhPAmb.exe
  C:\Windows\System32\bdhPAmb.exe
  2⤵
  PID:11212
- C:\Windows\System32\TrxQYZY.exe
  C:\Windows\System32\TrxQYZY.exe
  2⤵
  PID:11240
- C:\Windows\System32\ADsKXFl.exe
  C:\Windows\System32\ADsKXFl.exe
  2⤵
  PID:11260
- C:\Windows\System32\qJAbRxw.exe
  C:\Windows\System32\qJAbRxw.exe
  2⤵
  PID:10268
- C:\Windows\System32\RbYBHvB.exe
  C:\Windows\System32\RbYBHvB.exe
  2⤵
  PID:10388
- C:\Windows\System32\SWcgMoD.exe
  C:\Windows\System32\SWcgMoD.exe
  2⤵
  PID:10440
- C:\Windows\System32\ydcqZPr.exe
  C:\Windows\System32\ydcqZPr.exe
  2⤵
  PID:10528
- C:\Windows\System32\ctblwmX.exe
  C:\Windows\System32\ctblwmX.exe
  2⤵
  PID:10564
- C:\Windows\System32\ZrnrAVm.exe
  C:\Windows\System32\ZrnrAVm.exe
  2⤵
  PID:10628
- C:\Windows\System32\uixOjDk.exe
  C:\Windows\System32\uixOjDk.exe
  2⤵
  PID:10696
- C:\Windows\System32\yAkNxZH.exe
  C:\Windows\System32\yAkNxZH.exe
  2⤵
  PID:10772
- C:\Windows\System32\BPLAbRu.exe
  C:\Windows\System32\BPLAbRu.exe
  2⤵
  PID:10840
- C:\Windows\System32\UMpRBdO.exe
  C:\Windows\System32\UMpRBdO.exe
  2⤵
  PID:10928
- C:\Windows\System32\ODFhhRb.exe
  C:\Windows\System32\ODFhhRb.exe
  2⤵
  PID:11004
- C:\Windows\System32\zjyhALc.exe
  C:\Windows\System32\zjyhALc.exe
  2⤵
  PID:11028
- C:\Windows\System32\hdMnMRi.exe
  C:\Windows\System32\hdMnMRi.exe
  2⤵
  PID:11164
- C:\Windows\System32\QmmPUey.exe
  C:\Windows\System32\QmmPUey.exe
  2⤵
  PID:11208
- C:\Windows\System32\yvoJYuW.exe
  C:\Windows\System32\yvoJYuW.exe
  2⤵
  PID:11248
- C:\Windows\System32\ewuEYKZ.exe
  C:\Windows\System32\ewuEYKZ.exe
  2⤵
  PID:10372
- C:\Windows\System32\gkRZRSq.exe
  C:\Windows\System32\gkRZRSq.exe
  2⤵
  PID:10544
- C:\Windows\System32\wLSAIPs.exe
  C:\Windows\System32\wLSAIPs.exe
  2⤵
  PID:10592
- C:\Windows\System32\ARBxFik.exe
  C:\Windows\System32\ARBxFik.exe
  2⤵
  PID:10852
- C:\Windows\System32\drFiENh.exe
  C:\Windows\System32\drFiENh.exe
  2⤵
  PID:10948
- C:\Windows\System32\vBsdeaU.exe
  C:\Windows\System32\vBsdeaU.exe
  2⤵
  PID:11064
- C:\Windows\System32\wgGemxO.exe
  C:\Windows\System32\wgGemxO.exe
  2⤵
  PID:10540
- C:\Windows\System32\qnNyURS.exe
  C:\Windows\System32\qnNyURS.exe
  2⤵
  PID:10816
- C:\Windows\System32\mpsjVYv.exe
  C:\Windows\System32\mpsjVYv.exe
  2⤵
  PID:10292
- C:\Windows\System32\szZnhHS.exe
  C:\Windows\System32\szZnhHS.exe
  2⤵
  PID:11280
- C:\Windows\System32\dCqJVyQ.exe
  C:\Windows\System32\dCqJVyQ.exe
  2⤵
  PID:11396
- C:\Windows\System32\AxWujmT.exe
  C:\Windows\System32\AxWujmT.exe
  2⤵
  PID:11412
- C:\Windows\System32\wterxOM.exe
  C:\Windows\System32\wterxOM.exe
  2⤵
  PID:11444
- C:\Windows\System32\bQybtQn.exe
  C:\Windows\System32\bQybtQn.exe
  2⤵
  PID:11464
- C:\Windows\System32\DdMBayb.exe
  C:\Windows\System32\DdMBayb.exe
  2⤵
  PID:11508
- C:\Windows\System32\uHwgjkv.exe
  C:\Windows\System32\uHwgjkv.exe
  2⤵
  PID:11540
- C:\Windows\System32\FNsIuGM.exe
  C:\Windows\System32\FNsIuGM.exe
  2⤵
  PID:11568
- C:\Windows\System32\LXpDizb.exe
  C:\Windows\System32\LXpDizb.exe
  2⤵
  PID:11584
- C:\Windows\System32\aodCdqZ.exe
  C:\Windows\System32\aodCdqZ.exe
  2⤵
  PID:11612
- C:\Windows\System32\PACuhcB.exe
  C:\Windows\System32\PACuhcB.exe
  2⤵
  PID:11656
- C:\Windows\System32\zHVAONG.exe
  C:\Windows\System32\zHVAONG.exe
  2⤵
  PID:11672
- C:\Windows\System32\MiJlhTo.exe
  C:\Windows\System32\MiJlhTo.exe
  2⤵
  PID:11700
- C:\Windows\System32\sgSnfDv.exe
  C:\Windows\System32\sgSnfDv.exe
  2⤵
  PID:11728
- C:\Windows\System32\FcCWuqI.exe
  C:\Windows\System32\FcCWuqI.exe
  2⤵
  PID:11764
- C:\Windows\System32\SaZYmHr.exe
  C:\Windows\System32\SaZYmHr.exe
  2⤵
  PID:11784
- C:\Windows\System32\ocgLXbz.exe
  C:\Windows\System32\ocgLXbz.exe
  2⤵
  PID:11800
- C:\Windows\System32\xsAESpz.exe
  C:\Windows\System32\xsAESpz.exe
  2⤵
  PID:11844
- C:\Windows\System32\yBYgZxY.exe
  C:\Windows\System32\yBYgZxY.exe
  2⤵
  PID:11872
- C:\Windows\System32\unkPEjC.exe
  C:\Windows\System32\unkPEjC.exe
  2⤵
  PID:11912
- C:\Windows\System32\uqnBQuW.exe
  C:\Windows\System32\uqnBQuW.exe
  2⤵
  PID:11936
- C:\Windows\System32\mOGGYTG.exe
  C:\Windows\System32\mOGGYTG.exe
  2⤵
  PID:11968
- C:\Windows\System32\mgYCKLZ.exe
  C:\Windows\System32\mgYCKLZ.exe
  2⤵
  PID:11996
- C:\Windows\System32\lUXwPsx.exe
  C:\Windows\System32\lUXwPsx.exe
  2⤵
  PID:12024
- C:\Windows\System32\JWzSpKO.exe
  C:\Windows\System32\JWzSpKO.exe
  2⤵
  PID:12044
- C:\Windows\System32\IvpQLjd.exe
  C:\Windows\System32\IvpQLjd.exe
  2⤵
  PID:12088
- C:\Windows\System32\BSwjPyi.exe
  C:\Windows\System32\BSwjPyi.exe
  2⤵
  PID:12108
- C:\Windows\System32\HMUlpLa.exe
  C:\Windows\System32\HMUlpLa.exe
  2⤵
  PID:12132
- C:\Windows\System32\JddJetC.exe
  C:\Windows\System32\JddJetC.exe
  2⤵
  PID:12172
- C:\Windows\System32\TmZSTpn.exe
  C:\Windows\System32\TmZSTpn.exe
  2⤵
  PID:12200
- C:\Windows\System32\XnSsDcf.exe
  C:\Windows\System32\XnSsDcf.exe
  2⤵
  PID:12228
- C:\Windows\System32\XRaJZSI.exe
  C:\Windows\System32\XRaJZSI.exe
  2⤵
  PID:12256
- C:\Windows\System32\LSxGGHn.exe
  C:\Windows\System32\LSxGGHn.exe
  2⤵
  PID:12272
- C:\Windows\System32\vhlRuIy.exe
  C:\Windows\System32\vhlRuIy.exe
  2⤵
  PID:10964
- C:\Windows\System32\BGUTXLO.exe
  C:\Windows\System32\BGUTXLO.exe
  2⤵
  PID:11404
- C:\Windows\System32\GgsKOSS.exe
  C:\Windows\System32\GgsKOSS.exe
  2⤵
  PID:11476
- C:\Windows\System32\qoLMSSY.exe
  C:\Windows\System32\qoLMSSY.exe
  2⤵
  PID:11552
- C:\Windows\System32\JUIGAon.exe
  C:\Windows\System32\JUIGAon.exe
  2⤵
  PID:11684
- C:\Windows\System32\kdIiWPn.exe
  C:\Windows\System32\kdIiWPn.exe
  2⤵
  PID:11752
- C:\Windows\System32\xtBnJpE.exe
  C:\Windows\System32\xtBnJpE.exe
  2⤵
  PID:11776
- C:\Windows\System32\kMnqrOA.exe
  C:\Windows\System32\kMnqrOA.exe
  2⤵
  PID:11864
- C:\Windows\System32\uWWOyYV.exe
  C:\Windows\System32\uWWOyYV.exe
  2⤵
  PID:11892
- C:\Windows\System32\gBhffoM.exe
  C:\Windows\System32\gBhffoM.exe
  2⤵
  PID:11952
- C:\Windows\System32\KLivyix.exe
  C:\Windows\System32\KLivyix.exe
  2⤵
  PID:12036
- C:\Windows\System32\WNxoJbx.exe
  C:\Windows\System32\WNxoJbx.exe
  2⤵
  PID:12096
- C:\Windows\System32\XsqfzSm.exe
  C:\Windows\System32\XsqfzSm.exe
  2⤵
  PID:12156
- C:\Windows\System32\RvEkKVj.exe
  C:\Windows\System32\RvEkKVj.exe
  2⤵
  PID:12196
- C:\Windows\System32\oIqbJsf.exe
  C:\Windows\System32\oIqbJsf.exe
  2⤵
  PID:12240
- C:\Windows\System32\NTrjltI.exe
  C:\Windows\System32\NTrjltI.exe
  2⤵
  PID:12268
- C:\Windows\System32\mkgpyYm.exe
  C:\Windows\System32\mkgpyYm.exe
  2⤵
  PID:11304
- C:\Windows\System32\lSpAlDz.exe
  C:\Windows\System32\lSpAlDz.exe
  2⤵
  PID:11792
- C:\Windows\System32\ZkaZejo.exe
  C:\Windows\System32\ZkaZejo.exe
  2⤵
  PID:11924
- C:\Windows\System32\epdNZUf.exe
  C:\Windows\System32\epdNZUf.exe
  2⤵
  PID:12060
- C:\Windows\System32\mOTBxSc.exe
  C:\Windows\System32\mOTBxSc.exe
  2⤵
  PID:10664
- C:\Windows\System32\bLeNTlQ.exe
  C:\Windows\System32\bLeNTlQ.exe
  2⤵
  PID:11716
- C:\Windows\System32\eKPmJMt.exe
  C:\Windows\System32\eKPmJMt.exe
  2⤵
  PID:12008
- C:\Windows\System32\IwrlKga.exe
  C:\Windows\System32\IwrlKga.exe
  2⤵
  PID:12192
- C:\Windows\System32\lyxagAB.exe
  C:\Windows\System32\lyxagAB.exe
  2⤵
  PID:12128
- C:\Windows\System32\rbADkJf.exe
  C:\Windows\System32\rbADkJf.exe
  2⤵
  PID:11432
- C:\Windows\System32\WNGkbnN.exe
  C:\Windows\System32\WNGkbnN.exe
  2⤵
  PID:11828
- C:\Windows\System32\DzDWDbp.exe
  C:\Windows\System32\DzDWDbp.exe
  2⤵
  PID:11888
- C:\Windows\System32\gWIzKZx.exe
  C:\Windows\System32\gWIzKZx.exe
  2⤵
  PID:12324
- C:\Windows\System32\PGPPVNx.exe
  C:\Windows\System32\PGPPVNx.exe
  2⤵
  PID:12356
- C:\Windows\System32\dYJYvxH.exe
  C:\Windows\System32\dYJYvxH.exe
  2⤵
  PID:12376
- C:\Windows\System32\tzDQNCe.exe
  C:\Windows\System32\tzDQNCe.exe
  2⤵
  PID:12404
- C:\Windows\System32\fwSgQys.exe
  C:\Windows\System32\fwSgQys.exe
  2⤵
  PID:12444
- C:\Windows\System32\AJdahLx.exe
  C:\Windows\System32\AJdahLx.exe
  2⤵
  PID:12472
- C:\Windows\System32\DBLnbTW.exe
  C:\Windows\System32\DBLnbTW.exe
  2⤵
  PID:12500
- C:\Windows\System32\XVgRuiu.exe
  C:\Windows\System32\XVgRuiu.exe
  2⤵
  PID:12516
- C:\Windows\System32\mCdhBfY.exe
  C:\Windows\System32\mCdhBfY.exe
  2⤵
  PID:12552
- C:\Windows\System32\OTqElFp.exe
  C:\Windows\System32\OTqElFp.exe
  2⤵
  PID:12576
- C:\Windows\System32\pBPsMYh.exe
  C:\Windows\System32\pBPsMYh.exe
  2⤵
  PID:12600
- C:\Windows\System32\fypnTDF.exe
  C:\Windows\System32\fypnTDF.exe
  2⤵
  PID:12628
- C:\Windows\System32\tTznvkq.exe
  C:\Windows\System32\tTznvkq.exe
  2⤵
  PID:12656
- C:\Windows\System32\lQZyTCf.exe
  C:\Windows\System32\lQZyTCf.exe
  2⤵
  PID:12684
- C:\Windows\System32\HkHMwsr.exe
  C:\Windows\System32\HkHMwsr.exe
  2⤵
  PID:12716
- C:\Windows\System32\mwIuKkx.exe
  C:\Windows\System32\mwIuKkx.exe
  2⤵
  PID:12764
- C:\Windows\System32\XIguLUG.exe
  C:\Windows\System32\XIguLUG.exe
  2⤵
  PID:12796
- C:\Windows\System32\WxFlfJs.exe
  C:\Windows\System32\WxFlfJs.exe
  2⤵
  PID:12820
- C:\Windows\System32\JGXDovg.exe
  C:\Windows\System32\JGXDovg.exe
  2⤵
  PID:12848
- C:\Windows\System32\xLyKzfI.exe
  C:\Windows\System32\xLyKzfI.exe
  2⤵
  PID:12884
- C:\Windows\System32\iOpnsPz.exe
  C:\Windows\System32\iOpnsPz.exe
  2⤵
  PID:12912
- C:\Windows\System32\JLDrijP.exe
  C:\Windows\System32\JLDrijP.exe
  2⤵
  PID:12932
- C:\Windows\System32\XRdAVpY.exe
  C:\Windows\System32\XRdAVpY.exe
  2⤵
  PID:12956
- C:\Windows\System32\cCAvseM.exe
  C:\Windows\System32\cCAvseM.exe
  2⤵
  PID:12988
- C:\Windows\System32\OejBzlu.exe
  C:\Windows\System32\OejBzlu.exe
  2⤵
  PID:13004
- C:\Windows\System32\CSTkeIe.exe
  C:\Windows\System32\CSTkeIe.exe
  2⤵
  PID:13044
- C:\Windows\System32\EUSIgmX.exe
  C:\Windows\System32\EUSIgmX.exe
  2⤵
  PID:13072
- C:\Windows\System32\APKQROY.exe
  C:\Windows\System32\APKQROY.exe
  2⤵
  PID:13108
- C:\Windows\System32\HPMvtws.exe
  C:\Windows\System32\HPMvtws.exe
  2⤵
  PID:13140
- C:\Windows\System32\ehEPqGu.exe
  C:\Windows\System32\ehEPqGu.exe
  2⤵
  PID:13172
- C:\Windows\System32\ZRsGdJW.exe
  C:\Windows\System32\ZRsGdJW.exe
  2⤵
  PID:13200
- C:\Windows\System32\cVzhtFB.exe
  C:\Windows\System32\cVzhtFB.exe
  2⤵
  PID:13228
- C:\Windows\System32\rbhuEBS.exe
  C:\Windows\System32\rbhuEBS.exe
  2⤵
  PID:13256
- C:\Windows\System32\luMyORz.exe
  C:\Windows\System32\luMyORz.exe
  2⤵
  PID:13276
- C:\Windows\System32\khSyWcV.exe
  C:\Windows\System32\khSyWcV.exe
  2⤵
  PID:13300
- C:\Windows\System32\IoqqMur.exe
  C:\Windows\System32\IoqqMur.exe
  2⤵
  PID:12312
- C:\Windows\System32\ZFnqRik.exe
  C:\Windows\System32\ZFnqRik.exe
  2⤵
  PID:12416
- C:\Windows\System32\lxBCqUB.exe
  C:\Windows\System32\lxBCqUB.exe
  2⤵
  PID:12464
- C:\Windows\System32\XdfvjWG.exe
  C:\Windows\System32\XdfvjWG.exe
  2⤵
  PID:12528
- C:\Windows\System32\seAXOdw.exe
  C:\Windows\System32\seAXOdw.exe
  2⤵
  PID:12584
- C:\Windows\System32\zyNDaSL.exe
  C:\Windows\System32\zyNDaSL.exe
  2⤵
  PID:12636
- C:\Windows\System32\jvUscHU.exe
  C:\Windows\System32\jvUscHU.exe
  2⤵
  PID:12728
- C:\Windows\System32\xuyKTvY.exe
  C:\Windows\System32\xuyKTvY.exe
  2⤵
  PID:12804
- C:\Windows\System32\mkDPLgM.exe
  C:\Windows\System32\mkDPLgM.exe
  2⤵
  PID:12832
- C:\Windows\System32\zxAwzXv.exe
  C:\Windows\System32\zxAwzXv.exe
  2⤵
  PID:12924
- C:\Windows\System32\YOpAwRk.exe
  C:\Windows\System32\YOpAwRk.exe
  2⤵
  PID:12972
- C:\Windows\System32\SKyHVtS.exe
  C:\Windows\System32\SKyHVtS.exe
  2⤵
  PID:13024

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BaNGkqB.exe

Filesize
3.2MB

MD5
59f5d0e85b13e2d3a45e70645d687d36

SHA1
f2b6f109a8f83853dc1c1d43cb03f6363086d9d9

SHA256
1a836a71b45e0cdae19fd2fa6c112e59d754b661f0ba8f20c29b85bf11805eaa

SHA512
f3e637f71a66b494c73632a5ea132548992a03fbdf55960f66f20af8a16f086334766e72a17bab5a386d4ec3ee8f3d4c7b00a62272285b27a52b110ced9164c6

Download Submit
C:\Windows\System32\CzZLpzb.exe

Filesize
3.2MB

MD5
2454009323baa6cef1ea9efefc706459

SHA1
6fed5e823e1f2246141dd3f0a5cdbdd4ba5b041b

SHA256
c61799c33dd35c4c431a0d8229183d8d94f3adae2516ffba045ce906d1388f4c

SHA512
1c897a29f115598b14732761b1992eef1ed7692a04d948c6e8c501ebc0d03f6b3f7f2123b1118e488a654efe865f1484d5c1193c34f748f15b2f809801907ba0

Download Submit
C:\Windows\System32\EVGIkpS.exe

Filesize
3.2MB

MD5
b26d65fc3e9d0d928f4021e3ccd8156e

SHA1
b24d3857d6496e6149e9a2fee715004fdb1518fa

SHA256
a79c0a803103e00e14a64ddb337b3557f7966f87650908764f36149021cd9d20

SHA512
2d4c05502b4b259ee4aea63157563e207636ae611e3d8a0b0cec74777f0696dba107bd1282711643cb48850b46360deb022f95de0f4c91d17d66d05840265fc7

Download Submit
C:\Windows\System32\FtuoRdo.exe

Filesize
3.2MB

MD5
a1d68d93c6ed6fa17736c443d0f32cfe

SHA1
d47cdc3999925a5e0c1b374c6881540fdd6487be

SHA256
7c531e1ce22546ade65b59a8087b073464afcb8b5447e5b8db9c54aaba2bbc81

SHA512
49e41b72f79bb3baea80d8f96248494d789a46e93c699639214d95ce0ebb222ad9bf706f2c73db59bd9b2e346fabf321649db9720cbc814787c79dd0cbf2b61f

Download Submit
C:\Windows\System32\GOpmnmV.exe

Filesize
3.2MB

MD5
9c131bfa034eabc665032c73a646c318

SHA1
bdc15bedbf76f52fdbd84000daf4c9150d5e5435

SHA256
f9cef6e6eaf37b51533a3ad733eccbc726deac9e25f90fa52454cf439ae68eae

SHA512
14a763bcd3891f4e907887520038886664d14d4ae9b546444b92835a2c8b29d72fc4cc1ca40b89e002b8bd81dbba5779344fa5ec0da3fe2578cf3032be1ac683

Download Submit
C:\Windows\System32\HGkFlQX.exe

Filesize
3.2MB

MD5
9b843e926aafae12aaffad6f894d0d9e

SHA1
b7b016a8c5dc31da0ad4cdf4e7ca9701fb3cf594

SHA256
30b213080f63a7a3aaf0815663a4b7740b3919b2fb7535900105e3c600c49df8

SHA512
8ec8c45a99a468ffefd7e2d40d4dd682197dee04fe2ab39f83b86ea75e34d761e23a6b51822163ece4730954e599549bae17ecfcae8a377ba33c533f17c79f07

Download Submit
C:\Windows\System32\HeNeKtI.exe

Filesize
3.2MB

MD5
7df796118ee23f7154c49236fe88a3fb

SHA1
139ddbc6047ff03d5476fdc44d7df313e3776d5e

SHA256
2b618f40573e44ecfa1c146a27b7cb9fdad03d3d1e59db6e982afef1c01ab8c1

SHA512
61159b48f1942afc4754a84af604c2b81cc2ba0a6c0d32aec545234807f2617630df2854479aee99a35ba78b0437c9d6ebf766d186d474597e2882046abdab89

Download Submit
C:\Windows\System32\KWnrYgm.exe

Filesize
3.2MB

MD5
17f2bd92672fba79097efe8639dd0536

SHA1
1aea79b9c3223443c2b64f3cb2fcc918c31117bb

SHA256
10795c24e162ecf411db2c281dd9556eeaadb40e5abad91d48ef51c42278c1f8

SHA512
6be1f5f82cafbb7bb640a8c4719a9b0393794ac184108f97223276e23add7072b8d5a69c628fa9d68c0d3476cba89b4ae68d382d42d90b728361db28c3c8a761

Download Submit
C:\Windows\System32\LudECBz.exe

Filesize
3.2MB

MD5
af0dc98a8b2fe0e39bf0a4b9a55d7ad3

SHA1
4db0d5fa9bd70ae446bf2b1e8c91742d80342343

SHA256
6a54f5b5b2ca4876abfffa763af088ab4a3d26eea437739849338495e7226708

SHA512
ac6ad6a6ebddf062c2695993b3cccd5a0eac59f4e803dcd66fabf9cbd7e5fa44980eac4433c9c24a5ac94da2434c1aa9dd97268c77fc9df50b9a7baa8bb43ba6

Download Submit
C:\Windows\System32\NXucNEq.exe

Filesize
3.2MB

MD5
577fd48ea64d1111caed5f7c34f83eb3

SHA1
b65912f82dc3bd8a20c06d602be5910eafe3d949

SHA256
9183a5dc3fe4656c939fc6c6635bfe1af46fc671482c93338d3248ee3676d207

SHA512
a1689fd0a3f60f061b45f7591710818065802c2bc4bcb96d2b519207298578f4ffa8b6f1197fd189de8db4700707b12dec0e4a233cdb9361e43acbb1885ba81b

Download Submit
C:\Windows\System32\QEfDRms.exe

Filesize
3.2MB

MD5
4a0730913702893b32efcb7386703710

SHA1
7da0701c73fdf4e23396c7a49bdf0fcf1b19592d

SHA256
de0e0c58f998d89b728b73336dd73e1d130b3d3acdbdc88e70b2cc44109f231b

SHA512
586538daddee250a06a6aa0259e3e1763aa98abc21ae802f11e3ff2a4e7d720759556e79b9ef9ffc535969117e3489f84103bc3864c4dbebbb93c87596f805ec

Download Submit
C:\Windows\System32\SgxvGsV.exe

Filesize
3.2MB

MD5
defd158bad9116c6070ecda11f416624

SHA1
d2cd87f2b2892aafac256138db71d747a8db44f3

SHA256
1b8dcb026a969eebe1bfd4154c57dccf2e9fc273c7016a7d415de9b465d3a3b9

SHA512
2b91ed9da973eb4dc042c6f8bd585ea6485fd84813e14b04904d2cfba059d604dd6d2c6030e9c6c25a3f7f1e69845ef5f147c3cbcca3bd2ab64591fe25faa588

Download Submit
C:\Windows\System32\WGvOWCo.exe

Filesize
3.2MB

MD5
9263b5af33cf5e399065a9a0b0bbb70b

SHA1
7e9fc5b27d8b41e3e172447cc6e5ee9c79e72f19

SHA256
12e11b7cc01aae6ed4e8c05a5575e2d544422b66b97613971744cd0bf49ae190

SHA512
63dd82a837e8a7f38b28ca8700ad180298a5566dca064e863b634658d9ef9bc3185da06df74051e004d99a5526e81b8a65b989f801c391037f126b86ca8bf82f

Download Submit
C:\Windows\System32\WaSdgVG.exe

Filesize
3.2MB

MD5
59521d3a5932f26f552a74e7e64c97a3

SHA1
5307cbe7dfa0f26b12225af5cb1e4da2587c3b1a

SHA256
3b127e3ee6417c4d05e983181fe92e11dca1b9884d8bc4c73c25e28c99d4ca9e

SHA512
3710aac21d6e65522606945d19b11b2389a31b47da1cf4e184b1496ccc04e311071340ad31af5c1376baca5ce09fdf7581ff2e997650543a350800f5ddd6dea8

Download Submit
C:\Windows\System32\WtrmKpi.exe

Filesize
3.2MB

MD5
3a0c5cb5a37bbe529eebdc9818332bc0

SHA1
ab41d775cb86b2564864dc05408aa56185311440

SHA256
e7a8c8c87a5f21527e092277fd7e3817ce5a136a3f767240a74357b6e5faef08

SHA512
ea9efa280dee103959bbfe1c8d8bd8de260881fbec566e762f56a0aca623719952a0872e79eff6b548b4c76316d4dea725da5e2cf6e773d7eaa44ed99d5340a8

Download Submit
C:\Windows\System32\XQLnaAU.exe

Filesize
3.2MB

MD5
92cc0a9503ba01189c977493edc96b4f

SHA1
ada7e8e95a0d18712859a255e362e0b41fb935d0

SHA256
c12caf69e8319eb4f8992a18d94fe8e1f5814a4a3c88b4400d2c971d9d720cba

SHA512
30d3a2399fd7e7570408caefd355ce4251a044f6c01fa14e2013b116d47471b07af5787890c2ef7ead99029bc2d51b26465fcf7997279ab7e1b33cb53edcde58

Download Submit
C:\Windows\System32\YtLZGmK.exe

Filesize
3.2MB

MD5
4dd088f2ce60548a9336ff774c34025e

SHA1
d52eb1aea1150a51cfa5175a3fad31bc331de99b

SHA256
9789a90c013745dba56b8c4eaecaecc29b1373696c79d9542dd3e6faa9f32190

SHA512
40bd3f76ed40544b993d5af1f1284206744af43191ebe18f468024263c5b5447f540b189c8bf79a5bdc9b802914433a9ba3d02a1e6d6fb6fc7e0c516406e2c11

Download Submit
C:\Windows\System32\beIKKiR.exe

Filesize
3.2MB

MD5
e4dfdc082859f63026d16e1902900e5a

SHA1
c4e69ae9796d2b1e7b8a30f9724d95ac6945efdc

SHA256
1c6b73bb7c7ff8099c2ea09f4427f48dae9accbd8432f6ad8a54141cb64faf44

SHA512
53b67c981459d29101ec34610f7efc5a053d49d87174a1d4c2430f7551927bcbf55c63c9ead931db1374a2ab68bb16124dd1c4f6769c687f80035ed1ebdaf110

Download Submit
C:\Windows\System32\cSfozre.exe

Filesize
3.2MB

MD5
67e66ac65b0dbc084afe2bfcf14b1750

SHA1
0724c576cb50c3405009766844c7b36ad4205042

SHA256
ff09f0880ea038bf40cf4d42a407c9bb34d171d21a2b882aad5cfd05d603da23

SHA512
d654931eb32f73d83add5b6935c2924e9f6a79a7cdcf5c24159a3b7ccc8bc58b8e98358993bd031c687e112f97eefa874f65cc07c92efe76fbaff4732d65a23b

Download Submit
C:\Windows\System32\ffWCVhn.exe

Filesize
3.2MB

MD5
18fce5a43b8f3675b2a0a6bf0f57252c

SHA1
4529d29c3b04cef3be349edd8b5ab244f83f8b2e

SHA256
1816f65410c8f9908f11d692af1c88d3045b216c9dfd02c7a6475c101d1f3a3d

SHA512
84b4876bcfecf75722d459cfbda7c7f2137730f3cb5740a20646a8d3824e3bad42515a986482533b0bdcb242ea1e9b1862e46ccecef1a0c4a49ed4fab2e4ff10

Download Submit
C:\Windows\System32\jCYIxAS.exe

Filesize
3.2MB

MD5
01526f218c6c3db335939a03b53e617c

SHA1
f30f7fd2257742b7f9f7a2a66d088b21eb1987db

SHA256
8dcdd9ff0a34b0d70b721605bf0d7e371c82d2ff2482019f35cba7e9c3c5445b

SHA512
01f2bf0110985e57f87237de768b61980c10b98272330b76a6e2664138424e7d13e3d9aae7525056614211ca35a00eb6bb983bdfdf87d3c566ca1062f7ca6490

Download Submit
C:\Windows\System32\lXDkuZN.exe

Filesize
3.2MB

MD5
9d7455b3ead8705a8082a990eebe98c8

SHA1
aea05864d41a7b738a6a7aaafcdae1961b98b2b5

SHA256
438a03eb0dc6d82e97531ca3223a7dc03b04d77952aa8bccb96b172a38596daa

SHA512
f504400343e9d88bc94ad90244d86f7b6fd33e112e66d945ad0a15b8f637ff4091e3ab3a52aa74c406a511a4afd805b16ce8b713eaab47d3615c9ef402466c03

Download Submit
C:\Windows\System32\mUjFAdd.exe

Filesize
3.2MB

MD5
a34bc08d5f590dae34bbb9bbbef6d4d9

SHA1
a71ce7266c7fd0f665b9cd15b4dfdd46a308d4ab

SHA256
43233165cda0373541a2a3febcd648f750d3953c289d6df9d02d2b9bd35ba250

SHA512
69a02fc0e4e9dec264d810a436f224ed9cc275fe75d727af273aa928e4ca7953692aae28387e4aca3cb93ac244cbdd2184e229279f62af738b2c0603c7bf3a4d

Download Submit
C:\Windows\System32\pMnfNWR.exe

Filesize
3.2MB

MD5
87c89b37e60cb84ca8cdd63517e626ee

SHA1
860bc416ba30fddeefe0e7bf07389844fe7a398a

SHA256
6f76419b0818bee8473c74f1d3cdb5ceb4bd5b1bfd10c6d28303c78d958cf0f9

SHA512
f974ab19397a9a7c8a41aea20392283de58a1cb9a69e53c606a5b2bdbab3c38e1c3df55fa7c76fe3cc3f2f1833cb6313327f0048db25505cc4acf10f6e935cdc

Download Submit
C:\Windows\System32\qspDJiG.exe

Filesize
3.2MB

MD5
c54da784423b07aefcda657a856d11e4

SHA1
b5192f745982c52ecedd44a11f77bb301efb0348

SHA256
6334fb1e69fe28a2cc0bb4556e307946c97ae8d9f6ac48d079ed242eb9f563fa

SHA512
93371b37476f7467a9e018eaa65d98f37a24d64364d613a1ab144732c16f62dc19fce7701420c06d2a2a6f24385c9864e1013091b70e3d9b872eedf1b8d768b8

Download Submit
C:\Windows\System32\rYreyuR.exe

Filesize
3.2MB

MD5
90c21357ddc52130b697ffaf0b6e05fe

SHA1
2b0cb41a4beb68264e8e247d5b34be851e376381

SHA256
1299be76dc85608023752071e4eb3ffb2846a52ce35607fa731c0a203ec115ab

SHA512
1f86f812cc1e9837eaadf37166e33722c6b1ced2616b42a0e5cb2862a9a8ebe39cbd2e3ebc06b79044dfa426cc412a4a51325ddd8af0bcdc4bf4fcafe5431fa7

Download Submit
C:\Windows\System32\spNzbzc.exe

Filesize
3.2MB

MD5
7562b7380f9061d27d7c7706fa22d7e2

SHA1
7bb4a12827791b7fbe88a9a97cac8f647d0ed71f

SHA256
b9befc56c12c086cbc8e17c0933ce2cc2eb911bd1ed7cd3220ec35620657a424

SHA512
8c810130a0d15132db8d7d3c6d24d48ff62076d3a28b28bf223f817a78d7b2cd91a553a6434ceb6cb3e828de3c1d3e40018243b891394333277eb7c382a209ed

Download Submit
C:\Windows\System32\ukblPOs.exe

Filesize
3.2MB

MD5
57eca12c11f22c9a8e325cb749b2f038

SHA1
3f1e6031431e98cf457ce4a71d10ab78f7e6855b

SHA256
facc48e0b8faca3419787d0775c52e12e3c8e2d2cf4d8f911ee2276c3aab0637

SHA512
e0df6c1b234d7abedb373f996626cebb2cf5f6bd7b3112f6209dd60096f9670ee79061c7be10dcaf617e79282819852879fd8d159b02119fe84fc166042f9ae3

Download Submit
C:\Windows\System32\upFSjRF.exe

Filesize
3.2MB

MD5
53b47e1fc438df94b375eefb5918f7c3

SHA1
dcaf199ab2c15d1ee32c3dfab427b6f5569f7939

SHA256
0edf0ebda8d95bef95415fc8a13283f32244012cae1452f98a1ca0de8c5b9bd3

SHA512
dcf0bef131066eaba810eeb87a2da44d4b4266c920f10f246ffceeff10120e919515bff93b4c19fce40ba05fa521f36f2154054aaaae502911504ead28f4e150

Download Submit
C:\Windows\System32\vaYgKYt.exe

Filesize
3.2MB

MD5
878d47fd467ca859c592ffbee03ab43e

SHA1
1de9177760c6ffd64518b3af8fa5af567d6f249e

SHA256
270c7e0413db9e17c9195d1e90f43da5334808d21482b3e148030f1d2f0f84ce

SHA512
8b20082db562c830956cd265e10053c7a35d262c2c51e867afd2cc7beead281695d06cc16d6169b4e9ea5c87b065e73d8a6541fca61dce5bfb34bb336bb33c05

Download Submit
C:\Windows\System32\vrUoMcM.exe

Filesize
3.2MB

MD5
71aa4f6c24d1464edb951a3f668a2d12

SHA1
d6e2c4dfcc14a0f8e5e8d2bd453ac129ceefe342

SHA256
c7e5300b93b69ad1a9074f5a02fb8a4f92b22f8a7bd2159b25b02abfe6b1ae71

SHA512
19fbcd978f397164a2d1976a4ff97c6a865cead64d04603ca437bba0789bdfb978dde3503de417ca1b0c612f1f45fb36005f03fa13fa2f36c24c27b459399820

Download Submit
C:\Windows\System32\zCFNcuO.exe

Filesize
3.2MB

MD5
111e39de7a89ac055a060b2ca2877d1b

SHA1
9d1ee3ea8d40d815af1123bd92f1553891b259b3

SHA256
c3a17ca9ad4b8f9a00cd03f39efde04468891574da4d0caff02533e16452ed2b

SHA512
871975c5078a1e7ac404137a3ecdd194593818df9efe6fd6875d0ff3010ef972d6683f7b45326df296fa2572632e108358896bdba5ae90238f6f3838b25eefb8

Download Submit
memory/624-990-0x00007FF7596D0000-0x00007FF759AC5000-memory.dmp

Filesize
4.0MB

Download
memory/624-1948-0x00007FF7596D0000-0x00007FF759AC5000-memory.dmp

Filesize
4.0MB

Download
memory/660-11-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp

Filesize
4.0MB

Download
memory/660-1929-0x00007FF6998B0000-0x00007FF699CA5000-memory.dmp

Filesize
4.0MB

Download
memory/664-863-0x00007FF7E2860000-0x00007FF7E2C55000-memory.dmp

Filesize
4.0MB

Download
memory/664-1940-0x00007FF7E2860000-0x00007FF7E2C55000-memory.dmp

Filesize
4.0MB

Download
memory/1280-976-0x00007FF63E040000-0x00007FF63E435000-memory.dmp

Filesize
4.0MB

Download
memory/1280-1945-0x00007FF63E040000-0x00007FF63E435000-memory.dmp

Filesize
4.0MB

Download
memory/1340-1935-0x00007FF7922A0000-0x00007FF792695000-memory.dmp

Filesize
4.0MB

Download
memory/1340-833-0x00007FF7922A0000-0x00007FF792695000-memory.dmp

Filesize
4.0MB

Download
memory/1488-1947-0x00007FF6C9AB0000-0x00007FF6C9EA5000-memory.dmp

Filesize
4.0MB

Download
memory/1488-984-0x00007FF6C9AB0000-0x00007FF6C9EA5000-memory.dmp

Filesize
4.0MB

Download
memory/1664-0-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp

Filesize
4.0MB

Download
memory/1664-1928-0x00007FF6FB560000-0x00007FF6FB955000-memory.dmp

Filesize
4.0MB

Download
memory/1664-1-0x00000151037C0000-0x00000151037D0000-memory.dmp

Filesize
64KB

Download
memory/1924-1951-0x00007FF637040000-0x00007FF637435000-memory.dmp

Filesize
4.0MB

Download
memory/1924-861-0x00007FF637040000-0x00007FF637435000-memory.dmp

Filesize
4.0MB

Download
memory/1984-1952-0x00007FF7776F0000-0x00007FF777AE5000-memory.dmp

Filesize
4.0MB

Download
memory/1984-919-0x00007FF7776F0000-0x00007FF777AE5000-memory.dmp

Filesize
4.0MB

Download
memory/2108-838-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp

Filesize
4.0MB

Download
memory/2108-1937-0x00007FF6B3400000-0x00007FF6B37F5000-memory.dmp

Filesize
4.0MB

Download
memory/2628-867-0x00007FF776C80000-0x00007FF777075000-memory.dmp

Filesize
4.0MB

Download
memory/2628-1943-0x00007FF776C80000-0x00007FF777075000-memory.dmp

Filesize
4.0MB

Download
memory/2772-847-0x00007FF7DF220000-0x00007FF7DF615000-memory.dmp

Filesize
4.0MB

Download
memory/2772-1939-0x00007FF7DF220000-0x00007FF7DF615000-memory.dmp

Filesize
4.0MB

Download
memory/3040-1932-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp

Filesize
4.0MB

Download
memory/3040-810-0x00007FF7307D0000-0x00007FF730BC5000-memory.dmp

Filesize
4.0MB

Download
memory/3148-1930-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp

Filesize
4.0MB

Download
memory/3148-12-0x00007FF7DAA10000-0x00007FF7DAE05000-memory.dmp

Filesize
4.0MB

Download
memory/3572-1931-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp

Filesize
4.0MB

Download
memory/3572-805-0x00007FF73BAE0000-0x00007FF73BED5000-memory.dmp

Filesize
4.0MB

Download
memory/3632-1944-0x00007FF6355C0000-0x00007FF6359B5000-memory.dmp

Filesize
4.0MB

Download
memory/3632-981-0x00007FF6355C0000-0x00007FF6359B5000-memory.dmp

Filesize
4.0MB

Download
memory/3736-825-0x00007FF73DC80000-0x00007FF73E075000-memory.dmp

Filesize
4.0MB

Download
memory/3736-1936-0x00007FF73DC80000-0x00007FF73E075000-memory.dmp

Filesize
4.0MB

Download
memory/3884-971-0x00007FF736CB0000-0x00007FF7370A5000-memory.dmp

Filesize
4.0MB

Download
memory/3884-1946-0x00007FF736CB0000-0x00007FF7370A5000-memory.dmp

Filesize
4.0MB

Download
memory/3932-1949-0x00007FF610440000-0x00007FF610835000-memory.dmp

Filesize
4.0MB

Download
memory/3932-850-0x00007FF610440000-0x00007FF610835000-memory.dmp

Filesize
4.0MB

Download
memory/4272-840-0x00007FF7F9BD0000-0x00007FF7F9FC5000-memory.dmp

Filesize
4.0MB

Download
memory/4272-1938-0x00007FF7F9BD0000-0x00007FF7F9FC5000-memory.dmp

Filesize
4.0MB

Download
memory/4464-1941-0x00007FF60AEA0000-0x00007FF60B295000-memory.dmp

Filesize
4.0MB

Download
memory/4464-866-0x00007FF60AEA0000-0x00007FF60B295000-memory.dmp

Filesize
4.0MB

Download
memory/4588-830-0x00007FF645D50000-0x00007FF646145000-memory.dmp

Filesize
4.0MB

Download
memory/4588-1933-0x00007FF645D50000-0x00007FF646145000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1934-0x00007FF607620000-0x00007FF607A15000-memory.dmp

Filesize
4.0MB

Download
memory/4788-820-0x00007FF607620000-0x00007FF607A15000-memory.dmp

Filesize
4.0MB

Download
memory/5040-1942-0x00007FF705210000-0x00007FF705605000-memory.dmp

Filesize
4.0MB

Download
memory/5040-987-0x00007FF705210000-0x00007FF705605000-memory.dmp

Filesize
4.0MB

Download
memory/5056-860-0x00007FF6B4620000-0x00007FF6B4A15000-memory.dmp

Filesize
4.0MB

Download
memory/5056-1950-0x00007FF6B4620000-0x00007FF6B4A15000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads