xmrig | 97c18ef1e9a2395427c8d725fbb734345ac811316a1f90d8b1f5003526f0d6a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
Size

1.4MB
MD5

754713e4b7ad21efef021404217b1f80
SHA1

300fe678e5bab36aebc8bf868a1f82b6ba6b43e7
SHA256

97c18ef1e9a2395427c8d725fbb734345ac811316a1f90d8b1f5003526f0d6a7
SHA512

c58bfdd1735c5149ccb15b6d99fcc44085c3f20d3aa33f4e0ad5cf482cf3ace26ca9f7359ef3e1d506e0dd8ee9e7763ba9c6b7a0092aa0df990e63cffc3ca965
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcj9V+V64u7Eoh:knw9oUUEEDlGUJ8Y9c+MV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/2712-40-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp	xmrig
behavioral2/memory/4308-54-0x00007FF613E20000-0x00007FF614211000-memory.dmp	xmrig
behavioral2/memory/4696-56-0x00007FF6CB370000-0x00007FF6CB761000-memory.dmp	xmrig
behavioral2/memory/4020-373-0x00007FF664650000-0x00007FF664A41000-memory.dmp	xmrig
behavioral2/memory/3588-374-0x00007FF70C980000-0x00007FF70CD71000-memory.dmp	xmrig
behavioral2/memory/2532-376-0x00007FF7A2750000-0x00007FF7A2B41000-memory.dmp	xmrig
behavioral2/memory/4904-375-0x00007FF668770000-0x00007FF668B61000-memory.dmp	xmrig
behavioral2/memory/2432-386-0x00007FF639710000-0x00007FF639B01000-memory.dmp	xmrig
behavioral2/memory/2496-391-0x00007FF6DF8E0000-0x00007FF6DFCD1000-memory.dmp	xmrig
behavioral2/memory/3340-405-0x00007FF7B0540000-0x00007FF7B0931000-memory.dmp	xmrig
behavioral2/memory/4324-410-0x00007FF6B72A0000-0x00007FF6B7691000-memory.dmp	xmrig
behavioral2/memory/888-417-0x00007FF799020000-0x00007FF799411000-memory.dmp	xmrig
behavioral2/memory/4356-426-0x00007FF794A50000-0x00007FF794E41000-memory.dmp	xmrig
behavioral2/memory/2744-432-0x00007FF7F04C0000-0x00007FF7F08B1000-memory.dmp	xmrig
behavioral2/memory/3056-423-0x00007FF7AD090000-0x00007FF7AD481000-memory.dmp	xmrig
behavioral2/memory/3052-395-0x00007FF6803D0000-0x00007FF6807C1000-memory.dmp	xmrig
behavioral2/memory/2964-390-0x00007FF7D0B90000-0x00007FF7D0F81000-memory.dmp	xmrig
behavioral2/memory/4220-379-0x00007FF765F20000-0x00007FF766311000-memory.dmp	xmrig
behavioral2/memory/4288-1516-0x00007FF747D10000-0x00007FF748101000-memory.dmp	xmrig
behavioral2/memory/216-1938-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp	xmrig
behavioral2/memory/2752-1965-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp	xmrig
behavioral2/memory/1056-1966-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp	xmrig
behavioral2/memory/3752-1967-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp	xmrig
behavioral2/memory/2712-1968-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp	xmrig
behavioral2/memory/3784-1999-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp	xmrig
behavioral2/memory/4288-2003-0x00007FF747D10000-0x00007FF748101000-memory.dmp	xmrig
behavioral2/memory/4492-2013-0x00007FF6B4F40000-0x00007FF6B5331000-memory.dmp	xmrig
behavioral2/memory/216-2015-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp	xmrig
behavioral2/memory/2752-2017-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp	xmrig
behavioral2/memory/1056-2019-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp	xmrig
behavioral2/memory/2712-2021-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp	xmrig
behavioral2/memory/3752-2023-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp	xmrig
behavioral2/memory/3784-2025-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp	xmrig
behavioral2/memory/4308-2027-0x00007FF613E20000-0x00007FF614211000-memory.dmp	xmrig
behavioral2/memory/4696-2029-0x00007FF6CB370000-0x00007FF6CB761000-memory.dmp	xmrig
behavioral2/memory/4020-2033-0x00007FF664650000-0x00007FF664A41000-memory.dmp	xmrig
behavioral2/memory/2744-2060-0x00007FF7F04C0000-0x00007FF7F08B1000-memory.dmp	xmrig
behavioral2/memory/4356-2058-0x00007FF794A50000-0x00007FF794E41000-memory.dmp	xmrig
behavioral2/memory/888-2056-0x00007FF799020000-0x00007FF799411000-memory.dmp	xmrig
behavioral2/memory/3056-2053-0x00007FF7AD090000-0x00007FF7AD481000-memory.dmp	xmrig
behavioral2/memory/4324-2051-0x00007FF6B72A0000-0x00007FF6B7691000-memory.dmp	xmrig
behavioral2/memory/2964-2049-0x00007FF7D0B90000-0x00007FF7D0F81000-memory.dmp	xmrig
behavioral2/memory/2432-2047-0x00007FF639710000-0x00007FF639B01000-memory.dmp	xmrig
behavioral2/memory/4220-2045-0x00007FF765F20000-0x00007FF766311000-memory.dmp	xmrig
behavioral2/memory/3052-2043-0x00007FF6803D0000-0x00007FF6807C1000-memory.dmp	xmrig
behavioral2/memory/4904-2035-0x00007FF668770000-0x00007FF668B61000-memory.dmp	xmrig
behavioral2/memory/2532-2031-0x00007FF7A2750000-0x00007FF7A2B41000-memory.dmp	xmrig
behavioral2/memory/2496-2041-0x00007FF6DF8E0000-0x00007FF6DFCD1000-memory.dmp	xmrig
behavioral2/memory/3340-2039-0x00007FF7B0540000-0x00007FF7B0931000-memory.dmp	xmrig
behavioral2/memory/3588-2037-0x00007FF70C980000-0x00007FF70CD71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4492	olrDRol.exe
216	ODtgqTj.exe
2752	ddpeNzk.exe
1056	WvEYhPe.exe
3752	LhbtKkI.exe
2712	HohhcNy.exe
3784	lvzlEvj.exe
4308	COwtAoz.exe
4696	fWfceAs.exe
4020	PMDMQPx.exe
3588	HUAZbiP.exe
4904	JcRtLdY.exe
2532	WJInYKy.exe
4220	acUhLCx.exe
2432	TLreOdE.exe
2964	pplFhfP.exe
2496	abdoKkB.exe
3052	csnoWxp.exe
3340	mzttGIq.exe
4324	bPiMXOo.exe
888	CvoXZIO.exe
3056	GMPlulI.exe
4356	DKHtsUz.exe
2744	vxkQSIn.exe
2248	eNPiawu.exe
1232	JyzQDyI.exe
1792	bfaGQWz.exe
4468	dbeUoZA.exe
1168	vmJpknG.exe
5056	cJsvmbd.exe
3096	rBevitu.exe
5016	Zseykrr.exe
4000	teiWHyE.exe
1972	PDkqkMp.exe
1708	buLVgkR.exe
1376	dnXXRuo.exe
2012	SkYzuOA.exe
4700	RIosZic.exe
5000	DGLAIdZ.exe
3524	eyUcBBX.exe
3792	VzusTMJ.exe
4332	rLdfsAy.exe
1440	wWTdZui.exe
1984	npeIvyL.exe
4856	zFRtfOW.exe
4360	BxraKgt.exe
1776	AssgutL.exe
3332	uyHqzXr.exe
3044	FPneiDu.exe
4852	zyBlxGc.exe
3708	nzigDio.exe
2252	WrURKJq.exe
720	ilVAWIZ.exe
1924	bsVuxcZ.exe
2364	JGBxSTR.exe
1080	GyfyhWx.exe
2904	ReSEAmh.exe
736	CzHKYPs.exe
1920	ILCZGqR.exe
2704	DowlAQh.exe
2488	eYJlXED.exe
1036	WRFFgAN.exe
1584	sleKBac.exe
3872	clHualW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4288-0-0x00007FF747D10000-0x00007FF748101000-memory.dmp	upx
behavioral2/files/0x0008000000023437-5.dat	upx
behavioral2/files/0x000700000002343b-13.dat	upx
behavioral2/memory/4492-11-0x00007FF6B4F40000-0x00007FF6B5331000-memory.dmp	upx
behavioral2/files/0x000700000002343c-22.dat	upx
behavioral2/memory/1056-24-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp	upx
behavioral2/files/0x000700000002343d-25.dat	upx
behavioral2/memory/2752-19-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp	upx
behavioral2/memory/216-18-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp	upx
behavioral2/files/0x000700000002343e-29.dat	upx
behavioral2/files/0x0008000000023438-38.dat	upx
behavioral2/memory/3752-36-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp	upx
behavioral2/files/0x000700000002343f-35.dat	upx
behavioral2/memory/2712-40-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp	upx
behavioral2/memory/3784-44-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp	upx
behavioral2/files/0x0007000000023440-49.dat	upx
behavioral2/files/0x0007000000023441-51.dat	upx
behavioral2/memory/4308-54-0x00007FF613E20000-0x00007FF614211000-memory.dmp	upx
behavioral2/memory/4696-56-0x00007FF6CB370000-0x00007FF6CB761000-memory.dmp	upx
behavioral2/files/0x0007000000023444-65.dat	upx
behavioral2/files/0x0007000000023446-75.dat	upx
behavioral2/files/0x0007000000023448-83.dat	upx
behavioral2/files/0x0007000000023449-88.dat	upx
behavioral2/files/0x000700000002344b-100.dat	upx
behavioral2/files/0x0007000000023452-135.dat	upx
behavioral2/files/0x0007000000023454-145.dat	upx
behavioral2/files/0x0007000000023457-158.dat	upx
behavioral2/memory/4020-373-0x00007FF664650000-0x00007FF664A41000-memory.dmp	upx
behavioral2/files/0x0007000000023459-170.dat	upx
behavioral2/files/0x0007000000023458-165.dat	upx
behavioral2/files/0x0007000000023456-155.dat	upx
behavioral2/files/0x0007000000023455-150.dat	upx
behavioral2/files/0x0007000000023453-140.dat	upx
behavioral2/files/0x0007000000023451-130.dat	upx
behavioral2/files/0x0007000000023450-125.dat	upx
behavioral2/files/0x000700000002344f-120.dat	upx
behavioral2/files/0x000700000002344e-115.dat	upx
behavioral2/files/0x000700000002344d-110.dat	upx
behavioral2/files/0x000700000002344c-105.dat	upx
behavioral2/files/0x000700000002344a-95.dat	upx
behavioral2/files/0x0007000000023447-80.dat	upx
behavioral2/files/0x0007000000023445-70.dat	upx
behavioral2/files/0x0007000000023442-59.dat	upx
behavioral2/memory/3588-374-0x00007FF70C980000-0x00007FF70CD71000-memory.dmp	upx
behavioral2/memory/2532-376-0x00007FF7A2750000-0x00007FF7A2B41000-memory.dmp	upx
behavioral2/memory/4904-375-0x00007FF668770000-0x00007FF668B61000-memory.dmp	upx
behavioral2/memory/2432-386-0x00007FF639710000-0x00007FF639B01000-memory.dmp	upx
behavioral2/memory/2496-391-0x00007FF6DF8E0000-0x00007FF6DFCD1000-memory.dmp	upx
behavioral2/memory/3340-405-0x00007FF7B0540000-0x00007FF7B0931000-memory.dmp	upx
behavioral2/memory/4324-410-0x00007FF6B72A0000-0x00007FF6B7691000-memory.dmp	upx
behavioral2/memory/888-417-0x00007FF799020000-0x00007FF799411000-memory.dmp	upx
behavioral2/memory/4356-426-0x00007FF794A50000-0x00007FF794E41000-memory.dmp	upx
behavioral2/memory/2744-432-0x00007FF7F04C0000-0x00007FF7F08B1000-memory.dmp	upx
behavioral2/memory/3056-423-0x00007FF7AD090000-0x00007FF7AD481000-memory.dmp	upx
behavioral2/memory/3052-395-0x00007FF6803D0000-0x00007FF6807C1000-memory.dmp	upx
behavioral2/memory/2964-390-0x00007FF7D0B90000-0x00007FF7D0F81000-memory.dmp	upx
behavioral2/memory/4220-379-0x00007FF765F20000-0x00007FF766311000-memory.dmp	upx
behavioral2/memory/4288-1516-0x00007FF747D10000-0x00007FF748101000-memory.dmp	upx
behavioral2/memory/216-1938-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp	upx
behavioral2/memory/2752-1965-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp	upx
behavioral2/memory/1056-1966-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp	upx
behavioral2/memory/3752-1967-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp	upx
behavioral2/memory/2712-1968-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp	upx
behavioral2/memory/3784-1999-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\aONNxRX.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\uxeiCAk.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\JiKthji.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\NNOJpri.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\QmrHknv.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ykUzQKz.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ILCZGqR.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ZvcOgoh.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\qoNlDwv.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\zFEDSqL.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\PiPJaEz.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\cAaiPcF.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\dMWDcWK.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\csnoWxp.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\qFjndhu.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\kFuZlOr.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\kEvjhFY.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\vkaolZp.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\nWkqtcb.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\adgySVv.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\cQeZJTt.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\GoSBUbx.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\mkTZQpk.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrHRKDA.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\MPFvEtS.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\WTqNdVI.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\sleKBac.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\lWgQpsM.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\UGMnxDO.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\HTEbQcm.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\FdXWYFa.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\lEXOUUQ.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\JDTEkMR.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ODtgqTj.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\wEjdpPk.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\qmsufsb.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\SnziBka.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\DiqPRjN.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\GxoJAjY.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\xKhmuHt.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\oVacRtc.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\XhQsLGq.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\NUDEFSG.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ZlnbQjb.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\yMLOLCX.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\fzpyZGU.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\teiWHyE.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\DGLAIdZ.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\uyHqzXr.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\KkVNAZt.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\ATFBUTs.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\QOAybcN.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\AUEmVEK.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\reEwfLj.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\buLVgkR.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\FqHzAZz.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\KDyHCUq.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\jyPENEn.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\oKtqlsW.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\pQuHLSX.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\bTQQpfz.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\wCyBpbb.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\OOEVyiH.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
File created	C:\Windows\System32\zJvVyCa.exe	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13860	dwm.exe
Token: SeChangeNotifyPrivilege	13860	dwm.exe
Token: 33	13860	dwm.exe
Token: SeIncBasePriorityPrivilege	13860	dwm.exe
Token: SeShutdownPrivilege	13860	dwm.exe
Token: SeCreatePagefilePrivilege	13860	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4492	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	84
PID 4288 wrote to memory of 4492	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	84
PID 4288 wrote to memory of 216	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	85
PID 4288 wrote to memory of 216	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	85
PID 4288 wrote to memory of 2752	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	86
PID 4288 wrote to memory of 2752	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	86
PID 4288 wrote to memory of 1056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 1056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 3752	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	88
PID 4288 wrote to memory of 3752	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	88
PID 4288 wrote to memory of 2712	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	89
PID 4288 wrote to memory of 2712	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	89
PID 4288 wrote to memory of 3784	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 3784	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 4308	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	91
PID 4288 wrote to memory of 4308	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	91
PID 4288 wrote to memory of 4696	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	92
PID 4288 wrote to memory of 4696	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	92
PID 4288 wrote to memory of 4020	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	93
PID 4288 wrote to memory of 4020	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	93
PID 4288 wrote to memory of 3588	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	94
PID 4288 wrote to memory of 3588	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	94
PID 4288 wrote to memory of 4904	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	95
PID 4288 wrote to memory of 4904	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	95
PID 4288 wrote to memory of 2532	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	96
PID 4288 wrote to memory of 2532	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	96
PID 4288 wrote to memory of 4220	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	97
PID 4288 wrote to memory of 4220	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	97
PID 4288 wrote to memory of 2432	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	98
PID 4288 wrote to memory of 2432	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	98
PID 4288 wrote to memory of 2964	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	99
PID 4288 wrote to memory of 2964	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	99
PID 4288 wrote to memory of 2496	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	100
PID 4288 wrote to memory of 2496	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	100
PID 4288 wrote to memory of 3052	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	101
PID 4288 wrote to memory of 3052	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	101
PID 4288 wrote to memory of 3340	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	102
PID 4288 wrote to memory of 3340	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	102
PID 4288 wrote to memory of 4324	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	103
PID 4288 wrote to memory of 4324	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	103
PID 4288 wrote to memory of 888	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	104
PID 4288 wrote to memory of 888	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	104
PID 4288 wrote to memory of 3056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	105
PID 4288 wrote to memory of 3056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	105
PID 4288 wrote to memory of 4356	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	106
PID 4288 wrote to memory of 4356	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	106
PID 4288 wrote to memory of 2744	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	107
PID 4288 wrote to memory of 2744	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	107
PID 4288 wrote to memory of 2248	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	108
PID 4288 wrote to memory of 2248	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	108
PID 4288 wrote to memory of 1232	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	109
PID 4288 wrote to memory of 1232	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	109
PID 4288 wrote to memory of 1792	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	110
PID 4288 wrote to memory of 1792	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	110
PID 4288 wrote to memory of 4468	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	111
PID 4288 wrote to memory of 4468	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	111
PID 4288 wrote to memory of 1168	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	112
PID 4288 wrote to memory of 1168	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	112
PID 4288 wrote to memory of 5056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	113
PID 4288 wrote to memory of 5056	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	113
PID 4288 wrote to memory of 3096	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	114
PID 4288 wrote to memory of 3096	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	114
PID 4288 wrote to memory of 5016	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	115
PID 4288 wrote to memory of 5016	4288	754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\754713e4b7ad21efef021404217b1f80_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\System32\olrDRol.exe
  C:\Windows\System32\olrDRol.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\ODtgqTj.exe
  C:\Windows\System32\ODtgqTj.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\ddpeNzk.exe
  C:\Windows\System32\ddpeNzk.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\WvEYhPe.exe
  C:\Windows\System32\WvEYhPe.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\LhbtKkI.exe
  C:\Windows\System32\LhbtKkI.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\HohhcNy.exe
  C:\Windows\System32\HohhcNy.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\lvzlEvj.exe
  C:\Windows\System32\lvzlEvj.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\COwtAoz.exe
  C:\Windows\System32\COwtAoz.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\fWfceAs.exe
  C:\Windows\System32\fWfceAs.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\PMDMQPx.exe
  C:\Windows\System32\PMDMQPx.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\HUAZbiP.exe
  C:\Windows\System32\HUAZbiP.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\JcRtLdY.exe
  C:\Windows\System32\JcRtLdY.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\WJInYKy.exe
  C:\Windows\System32\WJInYKy.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\acUhLCx.exe
  C:\Windows\System32\acUhLCx.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\TLreOdE.exe
  C:\Windows\System32\TLreOdE.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System32\pplFhfP.exe
  C:\Windows\System32\pplFhfP.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\abdoKkB.exe
  C:\Windows\System32\abdoKkB.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\csnoWxp.exe
  C:\Windows\System32\csnoWxp.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\mzttGIq.exe
  C:\Windows\System32\mzttGIq.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\bPiMXOo.exe
  C:\Windows\System32\bPiMXOo.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\CvoXZIO.exe
  C:\Windows\System32\CvoXZIO.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\GMPlulI.exe
  C:\Windows\System32\GMPlulI.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\DKHtsUz.exe
  C:\Windows\System32\DKHtsUz.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\vxkQSIn.exe
  C:\Windows\System32\vxkQSIn.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\eNPiawu.exe
  C:\Windows\System32\eNPiawu.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\JyzQDyI.exe
  C:\Windows\System32\JyzQDyI.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\bfaGQWz.exe
  C:\Windows\System32\bfaGQWz.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\dbeUoZA.exe
  C:\Windows\System32\dbeUoZA.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\vmJpknG.exe
  C:\Windows\System32\vmJpknG.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System32\cJsvmbd.exe
  C:\Windows\System32\cJsvmbd.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\rBevitu.exe
  C:\Windows\System32\rBevitu.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\Zseykrr.exe
  C:\Windows\System32\Zseykrr.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\teiWHyE.exe
  C:\Windows\System32\teiWHyE.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\PDkqkMp.exe
  C:\Windows\System32\PDkqkMp.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\buLVgkR.exe
  C:\Windows\System32\buLVgkR.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\dnXXRuo.exe
  C:\Windows\System32\dnXXRuo.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\SkYzuOA.exe
  C:\Windows\System32\SkYzuOA.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\RIosZic.exe
  C:\Windows\System32\RIosZic.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\DGLAIdZ.exe
  C:\Windows\System32\DGLAIdZ.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\eyUcBBX.exe
  C:\Windows\System32\eyUcBBX.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\VzusTMJ.exe
  C:\Windows\System32\VzusTMJ.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System32\rLdfsAy.exe
  C:\Windows\System32\rLdfsAy.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\wWTdZui.exe
  C:\Windows\System32\wWTdZui.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\npeIvyL.exe
  C:\Windows\System32\npeIvyL.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\zFRtfOW.exe
  C:\Windows\System32\zFRtfOW.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\BxraKgt.exe
  C:\Windows\System32\BxraKgt.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\AssgutL.exe
  C:\Windows\System32\AssgutL.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\uyHqzXr.exe
  C:\Windows\System32\uyHqzXr.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System32\FPneiDu.exe
  C:\Windows\System32\FPneiDu.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\zyBlxGc.exe
  C:\Windows\System32\zyBlxGc.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\nzigDio.exe
  C:\Windows\System32\nzigDio.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\WrURKJq.exe
  C:\Windows\System32\WrURKJq.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\ilVAWIZ.exe
  C:\Windows\System32\ilVAWIZ.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\bsVuxcZ.exe
  C:\Windows\System32\bsVuxcZ.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\JGBxSTR.exe
  C:\Windows\System32\JGBxSTR.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\GyfyhWx.exe
  C:\Windows\System32\GyfyhWx.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\ReSEAmh.exe
  C:\Windows\System32\ReSEAmh.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\CzHKYPs.exe
  C:\Windows\System32\CzHKYPs.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\ILCZGqR.exe
  C:\Windows\System32\ILCZGqR.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\DowlAQh.exe
  C:\Windows\System32\DowlAQh.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System32\eYJlXED.exe
  C:\Windows\System32\eYJlXED.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\WRFFgAN.exe
  C:\Windows\System32\WRFFgAN.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\sleKBac.exe
  C:\Windows\System32\sleKBac.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System32\clHualW.exe
  C:\Windows\System32\clHualW.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System32\AaPCPbm.exe
  C:\Windows\System32\AaPCPbm.exe
  2⤵
  PID:3836
- C:\Windows\System32\BDbueRO.exe
  C:\Windows\System32\BDbueRO.exe
  2⤵
  PID:2568
- C:\Windows\System32\drDnWKA.exe
  C:\Windows\System32\drDnWKA.exe
  2⤵
  PID:4248
- C:\Windows\System32\LCeWqzK.exe
  C:\Windows\System32\LCeWqzK.exe
  2⤵
  PID:424
- C:\Windows\System32\lWgQpsM.exe
  C:\Windows\System32\lWgQpsM.exe
  2⤵
  PID:4524
- C:\Windows\System32\aoMofvm.exe
  C:\Windows\System32\aoMofvm.exe
  2⤵
  PID:2064
- C:\Windows\System32\zfrggya.exe
  C:\Windows\System32\zfrggya.exe
  2⤵
  PID:4464
- C:\Windows\System32\ebVTkek.exe
  C:\Windows\System32\ebVTkek.exe
  2⤵
  PID:4284
- C:\Windows\System32\zJvVyCa.exe
  C:\Windows\System32\zJvVyCa.exe
  2⤵
  PID:3108
- C:\Windows\System32\BgTUeqH.exe
  C:\Windows\System32\BgTUeqH.exe
  2⤵
  PID:1752
- C:\Windows\System32\mDQmihl.exe
  C:\Windows\System32\mDQmihl.exe
  2⤵
  PID:1184
- C:\Windows\System32\VNMGvWB.exe
  C:\Windows\System32\VNMGvWB.exe
  2⤵
  PID:4728
- C:\Windows\System32\VKOtxcT.exe
  C:\Windows\System32\VKOtxcT.exe
  2⤵
  PID:4680
- C:\Windows\System32\QwMdHme.exe
  C:\Windows\System32\QwMdHme.exe
  2⤵
  PID:4928
- C:\Windows\System32\PfpFmSg.exe
  C:\Windows\System32\PfpFmSg.exe
  2⤵
  PID:5040
- C:\Windows\System32\Okttlyu.exe
  C:\Windows\System32\Okttlyu.exe
  2⤵
  PID:2044
- C:\Windows\System32\GZzumMy.exe
  C:\Windows\System32\GZzumMy.exe
  2⤵
  PID:3948
- C:\Windows\System32\RRCNrRD.exe
  C:\Windows\System32\RRCNrRD.exe
  2⤵
  PID:4572
- C:\Windows\System32\mdlDWuv.exe
  C:\Windows\System32\mdlDWuv.exe
  2⤵
  PID:5012
- C:\Windows\System32\aRRKJdy.exe
  C:\Windows\System32\aRRKJdy.exe
  2⤵
  PID:4988
- C:\Windows\System32\tUlYEFI.exe
  C:\Windows\System32\tUlYEFI.exe
  2⤵
  PID:2292
- C:\Windows\System32\dRdeTss.exe
  C:\Windows\System32\dRdeTss.exe
  2⤵
  PID:4556
- C:\Windows\System32\yrlHHuI.exe
  C:\Windows\System32\yrlHHuI.exe
  2⤵
  PID:2272
- C:\Windows\System32\JvRtPYo.exe
  C:\Windows\System32\JvRtPYo.exe
  2⤵
  PID:532
- C:\Windows\System32\niOytsa.exe
  C:\Windows\System32\niOytsa.exe
  2⤵
  PID:5140
- C:\Windows\System32\ykBYHAi.exe
  C:\Windows\System32\ykBYHAi.exe
  2⤵
  PID:5168
- C:\Windows\System32\EIDmtvi.exe
  C:\Windows\System32\EIDmtvi.exe
  2⤵
  PID:5196
- C:\Windows\System32\RGEQbAi.exe
  C:\Windows\System32\RGEQbAi.exe
  2⤵
  PID:5224
- C:\Windows\System32\xIbddLr.exe
  C:\Windows\System32\xIbddLr.exe
  2⤵
  PID:5252
- C:\Windows\System32\uHmiiRn.exe
  C:\Windows\System32\uHmiiRn.exe
  2⤵
  PID:5280
- C:\Windows\System32\vJLfVbC.exe
  C:\Windows\System32\vJLfVbC.exe
  2⤵
  PID:5308
- C:\Windows\System32\XQevbCX.exe
  C:\Windows\System32\XQevbCX.exe
  2⤵
  PID:5336
- C:\Windows\System32\bvcvXsD.exe
  C:\Windows\System32\bvcvXsD.exe
  2⤵
  PID:5364
- C:\Windows\System32\FHBoMXI.exe
  C:\Windows\System32\FHBoMXI.exe
  2⤵
  PID:5392
- C:\Windows\System32\tdXJQdF.exe
  C:\Windows\System32\tdXJQdF.exe
  2⤵
  PID:5420
- C:\Windows\System32\LtTGtzT.exe
  C:\Windows\System32\LtTGtzT.exe
  2⤵
  PID:5448
- C:\Windows\System32\sbuqrmm.exe
  C:\Windows\System32\sbuqrmm.exe
  2⤵
  PID:5524
- C:\Windows\System32\yvJpOYX.exe
  C:\Windows\System32\yvJpOYX.exe
  2⤵
  PID:5544
- C:\Windows\System32\VbnbIil.exe
  C:\Windows\System32\VbnbIil.exe
  2⤵
  PID:5560
- C:\Windows\System32\ZvcOgoh.exe
  C:\Windows\System32\ZvcOgoh.exe
  2⤵
  PID:5576
- C:\Windows\System32\JbfFbsQ.exe
  C:\Windows\System32\JbfFbsQ.exe
  2⤵
  PID:5636
- C:\Windows\System32\CpSMYaS.exe
  C:\Windows\System32\CpSMYaS.exe
  2⤵
  PID:5668
- C:\Windows\System32\gHPeena.exe
  C:\Windows\System32\gHPeena.exe
  2⤵
  PID:5688
- C:\Windows\System32\KkVNAZt.exe
  C:\Windows\System32\KkVNAZt.exe
  2⤵
  PID:5712
- C:\Windows\System32\cGuaGir.exe
  C:\Windows\System32\cGuaGir.exe
  2⤵
  PID:5728
- C:\Windows\System32\rnSRfyn.exe
  C:\Windows\System32\rnSRfyn.exe
  2⤵
  PID:5752
- C:\Windows\System32\erdJSFJ.exe
  C:\Windows\System32\erdJSFJ.exe
  2⤵
  PID:5792
- C:\Windows\System32\gwEHIyP.exe
  C:\Windows\System32\gwEHIyP.exe
  2⤵
  PID:5840
- C:\Windows\System32\blOlYXP.exe
  C:\Windows\System32\blOlYXP.exe
  2⤵
  PID:5860
- C:\Windows\System32\LHbZWCi.exe
  C:\Windows\System32\LHbZWCi.exe
  2⤵
  PID:5880
- C:\Windows\System32\uZawmmN.exe
  C:\Windows\System32\uZawmmN.exe
  2⤵
  PID:5900
- C:\Windows\System32\qoNlDwv.exe
  C:\Windows\System32\qoNlDwv.exe
  2⤵
  PID:5928
- C:\Windows\System32\yAOlrIh.exe
  C:\Windows\System32\yAOlrIh.exe
  2⤵
  PID:5944
- C:\Windows\System32\AwExhmo.exe
  C:\Windows\System32\AwExhmo.exe
  2⤵
  PID:5980
- C:\Windows\System32\zFEDSqL.exe
  C:\Windows\System32\zFEDSqL.exe
  2⤵
  PID:6044
- C:\Windows\System32\fNHaVnx.exe
  C:\Windows\System32\fNHaVnx.exe
  2⤵
  PID:6108
- C:\Windows\System32\OkKIkVa.exe
  C:\Windows\System32\OkKIkVa.exe
  2⤵
  PID:6124
- C:\Windows\System32\XHinFkU.exe
  C:\Windows\System32\XHinFkU.exe
  2⤵
  PID:4116
- C:\Windows\System32\vTEdIyF.exe
  C:\Windows\System32\vTEdIyF.exe
  2⤵
  PID:3580
- C:\Windows\System32\DpqBNuF.exe
  C:\Windows\System32\DpqBNuF.exe
  2⤵
  PID:2408
- C:\Windows\System32\SOWAsBX.exe
  C:\Windows\System32\SOWAsBX.exe
  2⤵
  PID:5124
- C:\Windows\System32\EAjzotA.exe
  C:\Windows\System32\EAjzotA.exe
  2⤵
  PID:5180
- C:\Windows\System32\Zkhlqkr.exe
  C:\Windows\System32\Zkhlqkr.exe
  2⤵
  PID:5240
- C:\Windows\System32\uDghzQB.exe
  C:\Windows\System32\uDghzQB.exe
  2⤵
  PID:972
- C:\Windows\System32\kbWKVeU.exe
  C:\Windows\System32\kbWKVeU.exe
  2⤵
  PID:5332
- C:\Windows\System32\RcTjVBM.exe
  C:\Windows\System32\RcTjVBM.exe
  2⤵
  PID:4992
- C:\Windows\System32\PiPJaEz.exe
  C:\Windows\System32\PiPJaEz.exe
  2⤵
  PID:5404
- C:\Windows\System32\fMVUhHP.exe
  C:\Windows\System32\fMVUhHP.exe
  2⤵
  PID:1760
- C:\Windows\System32\QMrtAvo.exe
  C:\Windows\System32\QMrtAvo.exe
  2⤵
  PID:4204
- C:\Windows\System32\lKMvbBP.exe
  C:\Windows\System32\lKMvbBP.exe
  2⤵
  PID:5572
- C:\Windows\System32\MSTGhdb.exe
  C:\Windows\System32\MSTGhdb.exe
  2⤵
  PID:5628
- C:\Windows\System32\XhQsLGq.exe
  C:\Windows\System32\XhQsLGq.exe
  2⤵
  PID:5800
- C:\Windows\System32\qmsufsb.exe
  C:\Windows\System32\qmsufsb.exe
  2⤵
  PID:5680
- C:\Windows\System32\cAaiPcF.exe
  C:\Windows\System32\cAaiPcF.exe
  2⤵
  PID:5868
- C:\Windows\System32\NbxUchQ.exe
  C:\Windows\System32\NbxUchQ.exe
  2⤵
  PID:5856
- C:\Windows\System32\hBbfNbs.exe
  C:\Windows\System32\hBbfNbs.exe
  2⤵
  PID:5952
- C:\Windows\System32\JnWEANt.exe
  C:\Windows\System32\JnWEANt.exe
  2⤵
  PID:6060
- C:\Windows\System32\tujsZCt.exe
  C:\Windows\System32\tujsZCt.exe
  2⤵
  PID:6116
- C:\Windows\System32\dkcTEnd.exe
  C:\Windows\System32\dkcTEnd.exe
  2⤵
  PID:5092
- C:\Windows\System32\QFwPzYI.exe
  C:\Windows\System32\QFwPzYI.exe
  2⤵
  PID:5164
- C:\Windows\System32\xKRbqQp.exe
  C:\Windows\System32\xKRbqQp.exe
  2⤵
  PID:5268
- C:\Windows\System32\IAHUjmN.exe
  C:\Windows\System32\IAHUjmN.exe
  2⤵
  PID:5508
- C:\Windows\System32\QfkKBwr.exe
  C:\Windows\System32\QfkKBwr.exe
  2⤵
  PID:5612
- C:\Windows\System32\UxgPkpu.exe
  C:\Windows\System32\UxgPkpu.exe
  2⤵
  PID:2016
- C:\Windows\System32\JOAmGUW.exe
  C:\Windows\System32\JOAmGUW.exe
  2⤵
  PID:5664
- C:\Windows\System32\DwXSCLu.exe
  C:\Windows\System32\DwXSCLu.exe
  2⤵
  PID:5788
- C:\Windows\System32\cModvUX.exe
  C:\Windows\System32\cModvUX.exe
  2⤵
  PID:6056
- C:\Windows\System32\tStovOR.exe
  C:\Windows\System32\tStovOR.exe
  2⤵
  PID:1940
- C:\Windows\System32\HpJqGxc.exe
  C:\Windows\System32\HpJqGxc.exe
  2⤵
  PID:5736
- C:\Windows\System32\BCFmakc.exe
  C:\Windows\System32\BCFmakc.exe
  2⤵
  PID:5348
- C:\Windows\System32\vWWjASY.exe
  C:\Windows\System32\vWWjASY.exe
  2⤵
  PID:5516
- C:\Windows\System32\BgmQcEP.exe
  C:\Windows\System32\BgmQcEP.exe
  2⤵
  PID:6004
- C:\Windows\System32\HqLyZaE.exe
  C:\Windows\System32\HqLyZaE.exe
  2⤵
  PID:5720
- C:\Windows\System32\MvEgjvT.exe
  C:\Windows\System32\MvEgjvT.exe
  2⤵
  PID:6156
- C:\Windows\System32\NjcPNdQ.exe
  C:\Windows\System32\NjcPNdQ.exe
  2⤵
  PID:6176
- C:\Windows\System32\adgySVv.exe
  C:\Windows\System32\adgySVv.exe
  2⤵
  PID:6200
- C:\Windows\System32\gOORUgR.exe
  C:\Windows\System32\gOORUgR.exe
  2⤵
  PID:6220
- C:\Windows\System32\PFBrqMn.exe
  C:\Windows\System32\PFBrqMn.exe
  2⤵
  PID:6244
- C:\Windows\System32\xIuXgjg.exe
  C:\Windows\System32\xIuXgjg.exe
  2⤵
  PID:6272
- C:\Windows\System32\BawebUT.exe
  C:\Windows\System32\BawebUT.exe
  2⤵
  PID:6296
- C:\Windows\System32\QvPQPMU.exe
  C:\Windows\System32\QvPQPMU.exe
  2⤵
  PID:6332
- C:\Windows\System32\iZfFsSH.exe
  C:\Windows\System32\iZfFsSH.exe
  2⤵
  PID:6352
- C:\Windows\System32\BjTxuIA.exe
  C:\Windows\System32\BjTxuIA.exe
  2⤵
  PID:6372
- C:\Windows\System32\FlaJPuj.exe
  C:\Windows\System32\FlaJPuj.exe
  2⤵
  PID:6396
- C:\Windows\System32\ruzqZlu.exe
  C:\Windows\System32\ruzqZlu.exe
  2⤵
  PID:6448
- C:\Windows\System32\tMSDDka.exe
  C:\Windows\System32\tMSDDka.exe
  2⤵
  PID:6468
- C:\Windows\System32\kdlRNPO.exe
  C:\Windows\System32\kdlRNPO.exe
  2⤵
  PID:6492
- C:\Windows\System32\pxgBGBx.exe
  C:\Windows\System32\pxgBGBx.exe
  2⤵
  PID:6532
- C:\Windows\System32\vgZABoN.exe
  C:\Windows\System32\vgZABoN.exe
  2⤵
  PID:6552
- C:\Windows\System32\DbOklYP.exe
  C:\Windows\System32\DbOklYP.exe
  2⤵
  PID:6576
- C:\Windows\System32\mgCFmPu.exe
  C:\Windows\System32\mgCFmPu.exe
  2⤵
  PID:6600
- C:\Windows\System32\eLIiADc.exe
  C:\Windows\System32\eLIiADc.exe
  2⤵
  PID:6620
- C:\Windows\System32\cxOIgQh.exe
  C:\Windows\System32\cxOIgQh.exe
  2⤵
  PID:6676
- C:\Windows\System32\gqzGRNw.exe
  C:\Windows\System32\gqzGRNw.exe
  2⤵
  PID:6728
- C:\Windows\System32\SnziBka.exe
  C:\Windows\System32\SnziBka.exe
  2⤵
  PID:6744
- C:\Windows\System32\mUZctUS.exe
  C:\Windows\System32\mUZctUS.exe
  2⤵
  PID:6776
- C:\Windows\System32\KhusyfF.exe
  C:\Windows\System32\KhusyfF.exe
  2⤵
  PID:6792
- C:\Windows\System32\vuoLyGW.exe
  C:\Windows\System32\vuoLyGW.exe
  2⤵
  PID:6820
- C:\Windows\System32\BrHsyCX.exe
  C:\Windows\System32\BrHsyCX.exe
  2⤵
  PID:6840
- C:\Windows\System32\dMWDcWK.exe
  C:\Windows\System32\dMWDcWK.exe
  2⤵
  PID:6856
- C:\Windows\System32\lEJQlEZ.exe
  C:\Windows\System32\lEJQlEZ.exe
  2⤵
  PID:6900
- C:\Windows\System32\KsjNqox.exe
  C:\Windows\System32\KsjNqox.exe
  2⤵
  PID:6944
- C:\Windows\System32\SvQwKdW.exe
  C:\Windows\System32\SvQwKdW.exe
  2⤵
  PID:6980
- C:\Windows\System32\XUIlSAu.exe
  C:\Windows\System32\XUIlSAu.exe
  2⤵
  PID:7000
- C:\Windows\System32\rZiYTxc.exe
  C:\Windows\System32\rZiYTxc.exe
  2⤵
  PID:7024
- C:\Windows\System32\FlSReFd.exe
  C:\Windows\System32\FlSReFd.exe
  2⤵
  PID:7040
- C:\Windows\System32\xiAXRTk.exe
  C:\Windows\System32\xiAXRTk.exe
  2⤵
  PID:7068
- C:\Windows\System32\yWLontz.exe
  C:\Windows\System32\yWLontz.exe
  2⤵
  PID:7116
- C:\Windows\System32\GeelpCh.exe
  C:\Windows\System32\GeelpCh.exe
  2⤵
  PID:7140
- C:\Windows\System32\zeScDcH.exe
  C:\Windows\System32\zeScDcH.exe
  2⤵
  PID:7156
- C:\Windows\System32\pixCaET.exe
  C:\Windows\System32\pixCaET.exe
  2⤵
  PID:6152
- C:\Windows\System32\OcsduoP.exe
  C:\Windows\System32\OcsduoP.exe
  2⤵
  PID:6216
- C:\Windows\System32\gmpTWJY.exe
  C:\Windows\System32\gmpTWJY.exe
  2⤵
  PID:6268
- C:\Windows\System32\iIDxsbz.exe
  C:\Windows\System32\iIDxsbz.exe
  2⤵
  PID:6348
- C:\Windows\System32\dTHszSv.exe
  C:\Windows\System32\dTHszSv.exe
  2⤵
  PID:6436
- C:\Windows\System32\WTqNdVI.exe
  C:\Windows\System32\WTqNdVI.exe
  2⤵
  PID:6484
- C:\Windows\System32\UGMnxDO.exe
  C:\Windows\System32\UGMnxDO.exe
  2⤵
  PID:6592
- C:\Windows\System32\MdiinVr.exe
  C:\Windows\System32\MdiinVr.exe
  2⤵
  PID:6640
- C:\Windows\System32\ePxARBq.exe
  C:\Windows\System32\ePxARBq.exe
  2⤵
  PID:6700
- C:\Windows\System32\TcGDXKB.exe
  C:\Windows\System32\TcGDXKB.exe
  2⤵
  PID:6736
- C:\Windows\System32\TtEdSIf.exe
  C:\Windows\System32\TtEdSIf.exe
  2⤵
  PID:6884
- C:\Windows\System32\psPfYjd.exe
  C:\Windows\System32\psPfYjd.exe
  2⤵
  PID:6848
- C:\Windows\System32\LhTlTtU.exe
  C:\Windows\System32\LhTlTtU.exe
  2⤵
  PID:6972
- C:\Windows\System32\eCYOdEj.exe
  C:\Windows\System32\eCYOdEj.exe
  2⤵
  PID:7048
- C:\Windows\System32\zamkolH.exe
  C:\Windows\System32\zamkolH.exe
  2⤵
  PID:7056
- C:\Windows\System32\vKOEijv.exe
  C:\Windows\System32\vKOEijv.exe
  2⤵
  PID:7096
- C:\Windows\System32\nxwrDwE.exe
  C:\Windows\System32\nxwrDwE.exe
  2⤵
  PID:6196
- C:\Windows\System32\wQWYNWc.exe
  C:\Windows\System32\wQWYNWc.exe
  2⤵
  PID:6260
- C:\Windows\System32\KNdVUPQ.exe
  C:\Windows\System32\KNdVUPQ.exe
  2⤵
  PID:6560
- C:\Windows\System32\wKcfBfy.exe
  C:\Windows\System32\wKcfBfy.exe
  2⤵
  PID:6524
- C:\Windows\System32\FHoqEWc.exe
  C:\Windows\System32\FHoqEWc.exe
  2⤵
  PID:6720
- C:\Windows\System32\KVPIuTx.exe
  C:\Windows\System32\KVPIuTx.exe
  2⤵
  PID:6996
- C:\Windows\System32\daxOoKB.exe
  C:\Windows\System32\daxOoKB.exe
  2⤵
  PID:7148
- C:\Windows\System32\kNbRIPW.exe
  C:\Windows\System32\kNbRIPW.exe
  2⤵
  PID:6168
- C:\Windows\System32\nUrHDcb.exe
  C:\Windows\System32\nUrHDcb.exe
  2⤵
  PID:6764
- C:\Windows\System32\cUAfGEu.exe
  C:\Windows\System32\cUAfGEu.exe
  2⤵
  PID:6804
- C:\Windows\System32\PyKikLN.exe
  C:\Windows\System32\PyKikLN.exe
  2⤵
  PID:6808
- C:\Windows\System32\RGnqNmS.exe
  C:\Windows\System32\RGnqNmS.exe
  2⤵
  PID:7176
- C:\Windows\System32\nEBfmkc.exe
  C:\Windows\System32\nEBfmkc.exe
  2⤵
  PID:7196
- C:\Windows\System32\ySZrbWg.exe
  C:\Windows\System32\ySZrbWg.exe
  2⤵
  PID:7212
- C:\Windows\System32\EYQZCYR.exe
  C:\Windows\System32\EYQZCYR.exe
  2⤵
  PID:7240
- C:\Windows\System32\PPXrYRi.exe
  C:\Windows\System32\PPXrYRi.exe
  2⤵
  PID:7264
- C:\Windows\System32\WsXuvhU.exe
  C:\Windows\System32\WsXuvhU.exe
  2⤵
  PID:7308
- C:\Windows\System32\diVhllm.exe
  C:\Windows\System32\diVhllm.exe
  2⤵
  PID:7328
- C:\Windows\System32\ggFPXpW.exe
  C:\Windows\System32\ggFPXpW.exe
  2⤵
  PID:7388
- C:\Windows\System32\dWxdoZu.exe
  C:\Windows\System32\dWxdoZu.exe
  2⤵
  PID:7412
- C:\Windows\System32\RaXPEzw.exe
  C:\Windows\System32\RaXPEzw.exe
  2⤵
  PID:7428
- C:\Windows\System32\KjKRpXd.exe
  C:\Windows\System32\KjKRpXd.exe
  2⤵
  PID:7468
- C:\Windows\System32\dDYWYzm.exe
  C:\Windows\System32\dDYWYzm.exe
  2⤵
  PID:7484
- C:\Windows\System32\OfrQdzn.exe
  C:\Windows\System32\OfrQdzn.exe
  2⤵
  PID:7500
- C:\Windows\System32\BICqwGn.exe
  C:\Windows\System32\BICqwGn.exe
  2⤵
  PID:7528
- C:\Windows\System32\LWzFVFQ.exe
  C:\Windows\System32\LWzFVFQ.exe
  2⤵
  PID:7556
- C:\Windows\System32\LHivzFr.exe
  C:\Windows\System32\LHivzFr.exe
  2⤵
  PID:7584
- C:\Windows\System32\zBFXRfs.exe
  C:\Windows\System32\zBFXRfs.exe
  2⤵
  PID:7612
- C:\Windows\System32\CgTsrtY.exe
  C:\Windows\System32\CgTsrtY.exe
  2⤵
  PID:7648
- C:\Windows\System32\FyqGfud.exe
  C:\Windows\System32\FyqGfud.exe
  2⤵
  PID:7692
- C:\Windows\System32\EEKbUNS.exe
  C:\Windows\System32\EEKbUNS.exe
  2⤵
  PID:7720
- C:\Windows\System32\uRZhwHm.exe
  C:\Windows\System32\uRZhwHm.exe
  2⤵
  PID:7748
- C:\Windows\System32\DiXePaS.exe
  C:\Windows\System32\DiXePaS.exe
  2⤵
  PID:7764
- C:\Windows\System32\cSabURU.exe
  C:\Windows\System32\cSabURU.exe
  2⤵
  PID:7784
- C:\Windows\System32\USYlZsB.exe
  C:\Windows\System32\USYlZsB.exe
  2⤵
  PID:7812
- C:\Windows\System32\aMEpbOR.exe
  C:\Windows\System32\aMEpbOR.exe
  2⤵
  PID:7836
- C:\Windows\System32\CYexEvR.exe
  C:\Windows\System32\CYexEvR.exe
  2⤵
  PID:7872
- C:\Windows\System32\EfDKTtT.exe
  C:\Windows\System32\EfDKTtT.exe
  2⤵
  PID:7908
- C:\Windows\System32\AXhPbrT.exe
  C:\Windows\System32\AXhPbrT.exe
  2⤵
  PID:7936
- C:\Windows\System32\qFWdhml.exe
  C:\Windows\System32\qFWdhml.exe
  2⤵
  PID:7956
- C:\Windows\System32\rLCgOSq.exe
  C:\Windows\System32\rLCgOSq.exe
  2⤵
  PID:7992
- C:\Windows\System32\FxicMyK.exe
  C:\Windows\System32\FxicMyK.exe
  2⤵
  PID:8008
- C:\Windows\System32\SlbiWLt.exe
  C:\Windows\System32\SlbiWLt.exe
  2⤵
  PID:8036
- C:\Windows\System32\GqovVbR.exe
  C:\Windows\System32\GqovVbR.exe
  2⤵
  PID:8088
- C:\Windows\System32\ACnQVOr.exe
  C:\Windows\System32\ACnQVOr.exe
  2⤵
  PID:8116
- C:\Windows\System32\aZVueqS.exe
  C:\Windows\System32\aZVueqS.exe
  2⤵
  PID:8144
- C:\Windows\System32\AHqnBOY.exe
  C:\Windows\System32\AHqnBOY.exe
  2⤵
  PID:8160
- C:\Windows\System32\NUDEFSG.exe
  C:\Windows\System32\NUDEFSG.exe
  2⤵
  PID:8180
- C:\Windows\System32\sGNMQHb.exe
  C:\Windows\System32\sGNMQHb.exe
  2⤵
  PID:7188
- C:\Windows\System32\YjPNHih.exe
  C:\Windows\System32\YjPNHih.exe
  2⤵
  PID:7248
- C:\Windows\System32\JBwHeBF.exe
  C:\Windows\System32\JBwHeBF.exe
  2⤵
  PID:7380
- C:\Windows\System32\mgXLujB.exe
  C:\Windows\System32\mgXLujB.exe
  2⤵
  PID:7404
- C:\Windows\System32\sHTWizs.exe
  C:\Windows\System32\sHTWizs.exe
  2⤵
  PID:7480
- C:\Windows\System32\illxarm.exe
  C:\Windows\System32\illxarm.exe
  2⤵
  PID:7520
- C:\Windows\System32\ipBrJLD.exe
  C:\Windows\System32\ipBrJLD.exe
  2⤵
  PID:7600
- C:\Windows\System32\mPNorsp.exe
  C:\Windows\System32\mPNorsp.exe
  2⤵
  PID:7676
- C:\Windows\System32\cQeZJTt.exe
  C:\Windows\System32\cQeZJTt.exe
  2⤵
  PID:7732
- C:\Windows\System32\sqJzfAd.exe
  C:\Windows\System32\sqJzfAd.exe
  2⤵
  PID:7112
- C:\Windows\System32\hYkvziN.exe
  C:\Windows\System32\hYkvziN.exe
  2⤵
  PID:7856
- C:\Windows\System32\oEGFwFY.exe
  C:\Windows\System32\oEGFwFY.exe
  2⤵
  PID:7920
- C:\Windows\System32\JcOWjzi.exe
  C:\Windows\System32\JcOWjzi.exe
  2⤵
  PID:8056
- C:\Windows\System32\eXbvmjJ.exe
  C:\Windows\System32\eXbvmjJ.exe
  2⤵
  PID:8076
- C:\Windows\System32\NkIZLTu.exe
  C:\Windows\System32\NkIZLTu.exe
  2⤵
  PID:8112
- C:\Windows\System32\gqrusCJ.exe
  C:\Windows\System32\gqrusCJ.exe
  2⤵
  PID:8172
- C:\Windows\System32\GJLFomt.exe
  C:\Windows\System32\GJLFomt.exe
  2⤵
  PID:7284
- C:\Windows\System32\QKZJWrN.exe
  C:\Windows\System32\QKZJWrN.exe
  2⤵
  PID:7512
- C:\Windows\System32\VEgXkrC.exe
  C:\Windows\System32\VEgXkrC.exe
  2⤵
  PID:7576
- C:\Windows\System32\RnWKFrl.exe
  C:\Windows\System32\RnWKFrl.exe
  2⤵
  PID:7792
- C:\Windows\System32\exnOnRb.exe
  C:\Windows\System32\exnOnRb.exe
  2⤵
  PID:7896
- C:\Windows\System32\ghGiIvK.exe
  C:\Windows\System32\ghGiIvK.exe
  2⤵
  PID:8004
- C:\Windows\System32\UqlZvwr.exe
  C:\Windows\System32\UqlZvwr.exe
  2⤵
  PID:8176
- C:\Windows\System32\FdoOpVV.exe
  C:\Windows\System32\FdoOpVV.exe
  2⤵
  PID:7408
- C:\Windows\System32\YUqnddR.exe
  C:\Windows\System32\YUqnddR.exe
  2⤵
  PID:7848
- C:\Windows\System32\irqqVdD.exe
  C:\Windows\System32\irqqVdD.exe
  2⤵
  PID:7460
- C:\Windows\System32\MueKujm.exe
  C:\Windows\System32\MueKujm.exe
  2⤵
  PID:8208
- C:\Windows\System32\pIOnZCy.exe
  C:\Windows\System32\pIOnZCy.exe
  2⤵
  PID:8224
- C:\Windows\System32\wQaWkwq.exe
  C:\Windows\System32\wQaWkwq.exe
  2⤵
  PID:8244
- C:\Windows\System32\LPvBUBZ.exe
  C:\Windows\System32\LPvBUBZ.exe
  2⤵
  PID:8260
- C:\Windows\System32\bJaaCpX.exe
  C:\Windows\System32\bJaaCpX.exe
  2⤵
  PID:8304
- C:\Windows\System32\IZCdtLF.exe
  C:\Windows\System32\IZCdtLF.exe
  2⤵
  PID:8320
- C:\Windows\System32\kEvjhFY.exe
  C:\Windows\System32\kEvjhFY.exe
  2⤵
  PID:8360
- C:\Windows\System32\RcqjFYP.exe
  C:\Windows\System32\RcqjFYP.exe
  2⤵
  PID:8392
- C:\Windows\System32\yBGUBYs.exe
  C:\Windows\System32\yBGUBYs.exe
  2⤵
  PID:8436
- C:\Windows\System32\zZrhhgL.exe
  C:\Windows\System32\zZrhhgL.exe
  2⤵
  PID:8560
- C:\Windows\System32\UjnFIOj.exe
  C:\Windows\System32\UjnFIOj.exe
  2⤵
  PID:8580
- C:\Windows\System32\ASVYBGP.exe
  C:\Windows\System32\ASVYBGP.exe
  2⤵
  PID:8596
- C:\Windows\System32\yHBakFI.exe
  C:\Windows\System32\yHBakFI.exe
  2⤵
  PID:8612
- C:\Windows\System32\czXamKj.exe
  C:\Windows\System32\czXamKj.exe
  2⤵
  PID:8628
- C:\Windows\System32\znpUJLH.exe
  C:\Windows\System32\znpUJLH.exe
  2⤵
  PID:8644
- C:\Windows\System32\TMfRtmM.exe
  C:\Windows\System32\TMfRtmM.exe
  2⤵
  PID:8660
- C:\Windows\System32\UmhwoxN.exe
  C:\Windows\System32\UmhwoxN.exe
  2⤵
  PID:8676
- C:\Windows\System32\yzZNJzk.exe
  C:\Windows\System32\yzZNJzk.exe
  2⤵
  PID:8692
- C:\Windows\System32\AWQYaTJ.exe
  C:\Windows\System32\AWQYaTJ.exe
  2⤵
  PID:8708
- C:\Windows\System32\qGKLSlh.exe
  C:\Windows\System32\qGKLSlh.exe
  2⤵
  PID:8724
- C:\Windows\System32\niWhNjY.exe
  C:\Windows\System32\niWhNjY.exe
  2⤵
  PID:8740
- C:\Windows\System32\pVuGNMI.exe
  C:\Windows\System32\pVuGNMI.exe
  2⤵
  PID:8756
- C:\Windows\System32\BBwLvVz.exe
  C:\Windows\System32\BBwLvVz.exe
  2⤵
  PID:8772
- C:\Windows\System32\qbfesGz.exe
  C:\Windows\System32\qbfesGz.exe
  2⤵
  PID:8788
- C:\Windows\System32\HTEbQcm.exe
  C:\Windows\System32\HTEbQcm.exe
  2⤵
  PID:8804
- C:\Windows\System32\QHYmOHG.exe
  C:\Windows\System32\QHYmOHG.exe
  2⤵
  PID:8820
- C:\Windows\System32\yviyXtt.exe
  C:\Windows\System32\yviyXtt.exe
  2⤵
  PID:8836
- C:\Windows\System32\lXyXwps.exe
  C:\Windows\System32\lXyXwps.exe
  2⤵
  PID:8852
- C:\Windows\System32\xExyyES.exe
  C:\Windows\System32\xExyyES.exe
  2⤵
  PID:8868
- C:\Windows\System32\nUoPoMh.exe
  C:\Windows\System32\nUoPoMh.exe
  2⤵
  PID:8884
- C:\Windows\System32\kFuZlOr.exe
  C:\Windows\System32\kFuZlOr.exe
  2⤵
  PID:8900
- C:\Windows\System32\jKFyztE.exe
  C:\Windows\System32\jKFyztE.exe
  2⤵
  PID:8916
- C:\Windows\System32\FdXWYFa.exe
  C:\Windows\System32\FdXWYFa.exe
  2⤵
  PID:8932
- C:\Windows\System32\BJvYtpa.exe
  C:\Windows\System32\BJvYtpa.exe
  2⤵
  PID:8948
- C:\Windows\System32\fqSxBys.exe
  C:\Windows\System32\fqSxBys.exe
  2⤵
  PID:8988
- C:\Windows\System32\EZwFYlN.exe
  C:\Windows\System32\EZwFYlN.exe
  2⤵
  PID:9004
- C:\Windows\System32\JjWBDsi.exe
  C:\Windows\System32\JjWBDsi.exe
  2⤵
  PID:9056
- C:\Windows\System32\BfuVdCi.exe
  C:\Windows\System32\BfuVdCi.exe
  2⤵
  PID:9156
- C:\Windows\System32\RCQnekD.exe
  C:\Windows\System32\RCQnekD.exe
  2⤵
  PID:8552
- C:\Windows\System32\tgWadVt.exe
  C:\Windows\System32\tgWadVt.exe
  2⤵
  PID:8764
- C:\Windows\System32\nlCpyjB.exe
  C:\Windows\System32\nlCpyjB.exe
  2⤵
  PID:8568
- C:\Windows\System32\aaXQFuR.exe
  C:\Windows\System32\aaXQFuR.exe
  2⤵
  PID:8524
- C:\Windows\System32\zmjYOoA.exe
  C:\Windows\System32\zmjYOoA.exe
  2⤵
  PID:8548
- C:\Windows\System32\uxeiCAk.exe
  C:\Windows\System32\uxeiCAk.exe
  2⤵
  PID:8860
- C:\Windows\System32\eaWTWsa.exe
  C:\Windows\System32\eaWTWsa.exe
  2⤵
  PID:3348
- C:\Windows\System32\sRWGlBM.exe
  C:\Windows\System32\sRWGlBM.exe
  2⤵
  PID:9116
- C:\Windows\System32\DyyMRrH.exe
  C:\Windows\System32\DyyMRrH.exe
  2⤵
  PID:9136
- C:\Windows\System32\RGQngEC.exe
  C:\Windows\System32\RGQngEC.exe
  2⤵
  PID:9188
- C:\Windows\System32\ZImTArb.exe
  C:\Windows\System32\ZImTArb.exe
  2⤵
  PID:9212
- C:\Windows\System32\DiqPRjN.exe
  C:\Windows\System32\DiqPRjN.exe
  2⤵
  PID:8252
- C:\Windows\System32\JSZksmt.exe
  C:\Windows\System32\JSZksmt.exe
  2⤵
  PID:8312
- C:\Windows\System32\jtcKWAw.exe
  C:\Windows\System32\jtcKWAw.exe
  2⤵
  PID:8484
- C:\Windows\System32\VdXRPhM.exe
  C:\Windows\System32\VdXRPhM.exe
  2⤵
  PID:8220
- C:\Windows\System32\quqVBAr.exe
  C:\Windows\System32\quqVBAr.exe
  2⤵
  PID:8500
- C:\Windows\System32\LUQFFnG.exe
  C:\Windows\System32\LUQFFnG.exe
  2⤵
  PID:8700
- C:\Windows\System32\AikFZMj.exe
  C:\Windows\System32\AikFZMj.exe
  2⤵
  PID:8608
- C:\Windows\System32\ATFBUTs.exe
  C:\Windows\System32\ATFBUTs.exe
  2⤵
  PID:8780
- C:\Windows\System32\QOAybcN.exe
  C:\Windows\System32\QOAybcN.exe
  2⤵
  PID:9020
- C:\Windows\System32\JFqTmJA.exe
  C:\Windows\System32\JFqTmJA.exe
  2⤵
  PID:8296
- C:\Windows\System32\vactpdX.exe
  C:\Windows\System32\vactpdX.exe
  2⤵
  PID:7904
- C:\Windows\System32\FJxIfDk.exe
  C:\Windows\System32\FJxIfDk.exe
  2⤵
  PID:4684
- C:\Windows\System32\alCgiOH.exe
  C:\Windows\System32\alCgiOH.exe
  2⤵
  PID:8828
- C:\Windows\System32\PTDmmsw.exe
  C:\Windows\System32\PTDmmsw.exe
  2⤵
  PID:8980
- C:\Windows\System32\ANRFFzC.exe
  C:\Windows\System32\ANRFFzC.exe
  2⤵
  PID:4644
- C:\Windows\System32\meBdHdf.exe
  C:\Windows\System32\meBdHdf.exe
  2⤵
  PID:8732
- C:\Windows\System32\sYcIVqx.exe
  C:\Windows\System32\sYcIVqx.exe
  2⤵
  PID:8652
- C:\Windows\System32\wDvNYgm.exe
  C:\Windows\System32\wDvNYgm.exe
  2⤵
  PID:9256
- C:\Windows\System32\FGcJIse.exe
  C:\Windows\System32\FGcJIse.exe
  2⤵
  PID:9272
- C:\Windows\System32\BFQiyWz.exe
  C:\Windows\System32\BFQiyWz.exe
  2⤵
  PID:9296
- C:\Windows\System32\SocBhZo.exe
  C:\Windows\System32\SocBhZo.exe
  2⤵
  PID:9312
- C:\Windows\System32\TBMRXoE.exe
  C:\Windows\System32\TBMRXoE.exe
  2⤵
  PID:9340
- C:\Windows\System32\QxPByqq.exe
  C:\Windows\System32\QxPByqq.exe
  2⤵
  PID:9396
- C:\Windows\System32\NrhCvKr.exe
  C:\Windows\System32\NrhCvKr.exe
  2⤵
  PID:9420
- C:\Windows\System32\AfFgKoO.exe
  C:\Windows\System32\AfFgKoO.exe
  2⤵
  PID:9436
- C:\Windows\System32\TzoepqX.exe
  C:\Windows\System32\TzoepqX.exe
  2⤵
  PID:9460
- C:\Windows\System32\AGtUhYl.exe
  C:\Windows\System32\AGtUhYl.exe
  2⤵
  PID:9476
- C:\Windows\System32\SllyOAB.exe
  C:\Windows\System32\SllyOAB.exe
  2⤵
  PID:9596
- C:\Windows\System32\LYVeWHU.exe
  C:\Windows\System32\LYVeWHU.exe
  2⤵
  PID:9612
- C:\Windows\System32\TjyomLA.exe
  C:\Windows\System32\TjyomLA.exe
  2⤵
  PID:9648
- C:\Windows\System32\jKuVSwz.exe
  C:\Windows\System32\jKuVSwz.exe
  2⤵
  PID:9704
- C:\Windows\System32\XOyLojD.exe
  C:\Windows\System32\XOyLojD.exe
  2⤵
  PID:9732
- C:\Windows\System32\jydjrgP.exe
  C:\Windows\System32\jydjrgP.exe
  2⤵
  PID:9752
- C:\Windows\System32\OPtCWHM.exe
  C:\Windows\System32\OPtCWHM.exe
  2⤵
  PID:9788
- C:\Windows\System32\jeYjjGa.exe
  C:\Windows\System32\jeYjjGa.exe
  2⤵
  PID:9812
- C:\Windows\System32\ZqynMqF.exe
  C:\Windows\System32\ZqynMqF.exe
  2⤵
  PID:9836
- C:\Windows\System32\SNAcSDu.exe
  C:\Windows\System32\SNAcSDu.exe
  2⤵
  PID:9852
- C:\Windows\System32\pWUKTMc.exe
  C:\Windows\System32\pWUKTMc.exe
  2⤵
  PID:9880
- C:\Windows\System32\mKIItYN.exe
  C:\Windows\System32\mKIItYN.exe
  2⤵
  PID:9924
- C:\Windows\System32\PxTTVju.exe
  C:\Windows\System32\PxTTVju.exe
  2⤵
  PID:9956
- C:\Windows\System32\ZqgAWsa.exe
  C:\Windows\System32\ZqgAWsa.exe
  2⤵
  PID:9992
- C:\Windows\System32\QsFCkvH.exe
  C:\Windows\System32\QsFCkvH.exe
  2⤵
  PID:10012
- C:\Windows\System32\CEvxFdt.exe
  C:\Windows\System32\CEvxFdt.exe
  2⤵
  PID:10032
- C:\Windows\System32\OZVlTxY.exe
  C:\Windows\System32\OZVlTxY.exe
  2⤵
  PID:10080
- C:\Windows\System32\SKziCHm.exe
  C:\Windows\System32\SKziCHm.exe
  2⤵
  PID:10108
- C:\Windows\System32\TvFJcoo.exe
  C:\Windows\System32\TvFJcoo.exe
  2⤵
  PID:10128
- C:\Windows\System32\oVbdcFk.exe
  C:\Windows\System32\oVbdcFk.exe
  2⤵
  PID:10164
- C:\Windows\System32\WOZDdcj.exe
  C:\Windows\System32\WOZDdcj.exe
  2⤵
  PID:10180
- C:\Windows\System32\UiaRGjO.exe
  C:\Windows\System32\UiaRGjO.exe
  2⤵
  PID:10208
- C:\Windows\System32\wLZisKv.exe
  C:\Windows\System32\wLZisKv.exe
  2⤵
  PID:10228
- C:\Windows\System32\HuWCCWb.exe
  C:\Windows\System32\HuWCCWb.exe
  2⤵
  PID:9232
- C:\Windows\System32\JGCnaBB.exe
  C:\Windows\System32\JGCnaBB.exe
  2⤵
  PID:9308
- C:\Windows\System32\RGLnVoZ.exe
  C:\Windows\System32\RGLnVoZ.exe
  2⤵
  PID:9408
- C:\Windows\System32\XgENzdH.exe
  C:\Windows\System32\XgENzdH.exe
  2⤵
  PID:9456
- C:\Windows\System32\WkRSYUr.exe
  C:\Windows\System32\WkRSYUr.exe
  2⤵
  PID:9448
- C:\Windows\System32\fpOEZRJ.exe
  C:\Windows\System32\fpOEZRJ.exe
  2⤵
  PID:9532
- C:\Windows\System32\NrslVnv.exe
  C:\Windows\System32\NrslVnv.exe
  2⤵
  PID:9548
- C:\Windows\System32\wPwFoHJ.exe
  C:\Windows\System32\wPwFoHJ.exe
  2⤵
  PID:9576
- C:\Windows\System32\AFWZavm.exe
  C:\Windows\System32\AFWZavm.exe
  2⤵
  PID:9604
- C:\Windows\System32\qaLHcFw.exe
  C:\Windows\System32\qaLHcFw.exe
  2⤵
  PID:9660
- C:\Windows\System32\IkRzDOC.exe
  C:\Windows\System32\IkRzDOC.exe
  2⤵
  PID:9748
- C:\Windows\System32\XsItbWK.exe
  C:\Windows\System32\XsItbWK.exe
  2⤵
  PID:9832
- C:\Windows\System32\AUEmVEK.exe
  C:\Windows\System32\AUEmVEK.exe
  2⤵
  PID:9944
- C:\Windows\System32\GoSBUbx.exe
  C:\Windows\System32\GoSBUbx.exe
  2⤵
  PID:9964
- C:\Windows\System32\gnCZzmA.exe
  C:\Windows\System32\gnCZzmA.exe
  2⤵
  PID:10008
- C:\Windows\System32\oeoYvNb.exe
  C:\Windows\System32\oeoYvNb.exe
  2⤵
  PID:10060
- C:\Windows\System32\KALqZlj.exe
  C:\Windows\System32\KALqZlj.exe
  2⤵
  PID:10124
- C:\Windows\System32\JIJdsEE.exe
  C:\Windows\System32\JIJdsEE.exe
  2⤵
  PID:10196
- C:\Windows\System32\dzEmlIp.exe
  C:\Windows\System32\dzEmlIp.exe
  2⤵
  PID:9244
- C:\Windows\System32\ZlnbQjb.exe
  C:\Windows\System32\ZlnbQjb.exe
  2⤵
  PID:9428
- C:\Windows\System32\GxoJAjY.exe
  C:\Windows\System32\GxoJAjY.exe
  2⤵
  PID:9524
- C:\Windows\System32\BkwWzdT.exe
  C:\Windows\System32\BkwWzdT.exe
  2⤵
  PID:9592
- C:\Windows\System32\zUmFhOA.exe
  C:\Windows\System32\zUmFhOA.exe
  2⤵
  PID:9712
- C:\Windows\System32\QAOnnGr.exe
  C:\Windows\System32\QAOnnGr.exe
  2⤵
  PID:9804
- C:\Windows\System32\LPpSVGp.exe
  C:\Windows\System32\LPpSVGp.exe
  2⤵
  PID:9908
- C:\Windows\System32\lLZSoaL.exe
  C:\Windows\System32\lLZSoaL.exe
  2⤵
  PID:10176
- C:\Windows\System32\hyeUBQK.exe
  C:\Windows\System32\hyeUBQK.exe
  2⤵
  PID:9268
- C:\Windows\System32\yMLOLCX.exe
  C:\Windows\System32\yMLOLCX.exe
  2⤵
  PID:9360
- C:\Windows\System32\IhPjShf.exe
  C:\Windows\System32\IhPjShf.exe
  2⤵
  PID:9656
- C:\Windows\System32\JQSNsqo.exe
  C:\Windows\System32\JQSNsqo.exe
  2⤵
  PID:10236
- C:\Windows\System32\CXfVmHJ.exe
  C:\Windows\System32\CXfVmHJ.exe
  2⤵
  PID:9828
- C:\Windows\System32\LgsUogQ.exe
  C:\Windows\System32\LgsUogQ.exe
  2⤵
  PID:10252
- C:\Windows\System32\dBqnHMq.exe
  C:\Windows\System32\dBqnHMq.exe
  2⤵
  PID:10280
- C:\Windows\System32\vTOynsu.exe
  C:\Windows\System32\vTOynsu.exe
  2⤵
  PID:10308
- C:\Windows\System32\dggbEJc.exe
  C:\Windows\System32\dggbEJc.exe
  2⤵
  PID:10324
- C:\Windows\System32\XjQtbCE.exe
  C:\Windows\System32\XjQtbCE.exe
  2⤵
  PID:10352
- C:\Windows\System32\ykUzQKz.exe
  C:\Windows\System32\ykUzQKz.exe
  2⤵
  PID:10380
- C:\Windows\System32\ZKxSrzB.exe
  C:\Windows\System32\ZKxSrzB.exe
  2⤵
  PID:10400
- C:\Windows\System32\tbrHVdv.exe
  C:\Windows\System32\tbrHVdv.exe
  2⤵
  PID:10424
- C:\Windows\System32\EqkHzPu.exe
  C:\Windows\System32\EqkHzPu.exe
  2⤵
  PID:10468
- C:\Windows\System32\MWEVUMb.exe
  C:\Windows\System32\MWEVUMb.exe
  2⤵
  PID:10492
- C:\Windows\System32\BLXNwvX.exe
  C:\Windows\System32\BLXNwvX.exe
  2⤵
  PID:10532
- C:\Windows\System32\bxFDlWU.exe
  C:\Windows\System32\bxFDlWU.exe
  2⤵
  PID:10556
- C:\Windows\System32\AgtKyiB.exe
  C:\Windows\System32\AgtKyiB.exe
  2⤵
  PID:10576
- C:\Windows\System32\Duhgtej.exe
  C:\Windows\System32\Duhgtej.exe
  2⤵
  PID:10596
- C:\Windows\System32\GmeMXDi.exe
  C:\Windows\System32\GmeMXDi.exe
  2⤵
  PID:10620
- C:\Windows\System32\gdBFyFf.exe
  C:\Windows\System32\gdBFyFf.exe
  2⤵
  PID:10648
- C:\Windows\System32\HbPZDjg.exe
  C:\Windows\System32\HbPZDjg.exe
  2⤵
  PID:10696
- C:\Windows\System32\SLQwsNP.exe
  C:\Windows\System32\SLQwsNP.exe
  2⤵
  PID:10716
- C:\Windows\System32\mkTZQpk.exe
  C:\Windows\System32\mkTZQpk.exe
  2⤵
  PID:10756
- C:\Windows\System32\bGZkusV.exe
  C:\Windows\System32\bGZkusV.exe
  2⤵
  PID:10772
- C:\Windows\System32\FaanTNF.exe
  C:\Windows\System32\FaanTNF.exe
  2⤵
  PID:10812
- C:\Windows\System32\WICFLTA.exe
  C:\Windows\System32\WICFLTA.exe
  2⤵
  PID:10848
- C:\Windows\System32\ZcTMtYj.exe
  C:\Windows\System32\ZcTMtYj.exe
  2⤵
  PID:10864
- C:\Windows\System32\JzgQkSc.exe
  C:\Windows\System32\JzgQkSc.exe
  2⤵
  PID:10884
- C:\Windows\System32\jNZhtRg.exe
  C:\Windows\System32\jNZhtRg.exe
  2⤵
  PID:10912
- C:\Windows\System32\JiKthji.exe
  C:\Windows\System32\JiKthji.exe
  2⤵
  PID:10940
- C:\Windows\System32\ijxPVmE.exe
  C:\Windows\System32\ijxPVmE.exe
  2⤵
  PID:10984
- C:\Windows\System32\hWdzjNr.exe
  C:\Windows\System32\hWdzjNr.exe
  2⤵
  PID:11008
- C:\Windows\System32\zGtSiax.exe
  C:\Windows\System32\zGtSiax.exe
  2⤵
  PID:11048
- C:\Windows\System32\sLebiSq.exe
  C:\Windows\System32\sLebiSq.exe
  2⤵
  PID:11064
- C:\Windows\System32\DvsCtXB.exe
  C:\Windows\System32\DvsCtXB.exe
  2⤵
  PID:11084
- C:\Windows\System32\uuNxwPP.exe
  C:\Windows\System32\uuNxwPP.exe
  2⤵
  PID:11104
- C:\Windows\System32\dEcDfTB.exe
  C:\Windows\System32\dEcDfTB.exe
  2⤵
  PID:11132
- C:\Windows\System32\LTJIqaC.exe
  C:\Windows\System32\LTJIqaC.exe
  2⤵
  PID:11172
- C:\Windows\System32\sHzVyIu.exe
  C:\Windows\System32\sHzVyIu.exe
  2⤵
  PID:11188
- C:\Windows\System32\bmSIIKA.exe
  C:\Windows\System32\bmSIIKA.exe
  2⤵
  PID:11228
- C:\Windows\System32\yynUnrr.exe
  C:\Windows\System32\yynUnrr.exe
  2⤵
  PID:9540
- C:\Windows\System32\RrslBQv.exe
  C:\Windows\System32\RrslBQv.exe
  2⤵
  PID:10276
- C:\Windows\System32\zSwNYpS.exe
  C:\Windows\System32\zSwNYpS.exe
  2⤵
  PID:10320
- C:\Windows\System32\PLYWDMP.exe
  C:\Windows\System32\PLYWDMP.exe
  2⤵
  PID:10396
- C:\Windows\System32\tfJpKSN.exe
  C:\Windows\System32\tfJpKSN.exe
  2⤵
  PID:10480
- C:\Windows\System32\fJQFkNU.exe
  C:\Windows\System32\fJQFkNU.exe
  2⤵
  PID:10568
- C:\Windows\System32\IQYyiGv.exe
  C:\Windows\System32\IQYyiGv.exe
  2⤵
  PID:10604
- C:\Windows\System32\MDeZslx.exe
  C:\Windows\System32\MDeZslx.exe
  2⤵
  PID:10712
- C:\Windows\System32\UvkfZIB.exe
  C:\Windows\System32\UvkfZIB.exe
  2⤵
  PID:10752
- C:\Windows\System32\buLNgUn.exe
  C:\Windows\System32\buLNgUn.exe
  2⤵
  PID:10824
- C:\Windows\System32\AsdcvVE.exe
  C:\Windows\System32\AsdcvVE.exe
  2⤵
  PID:10856
- C:\Windows\System32\FPCzzZS.exe
  C:\Windows\System32\FPCzzZS.exe
  2⤵
  PID:10900
- C:\Windows\System32\rJIZOuX.exe
  C:\Windows\System32\rJIZOuX.exe
  2⤵
  PID:10924
- C:\Windows\System32\JPVUbPS.exe
  C:\Windows\System32\JPVUbPS.exe
  2⤵
  PID:11004
- C:\Windows\System32\wCnMLsy.exe
  C:\Windows\System32\wCnMLsy.exe
  2⤵
  PID:11112
- C:\Windows\System32\BAbZZjI.exe
  C:\Windows\System32\BAbZZjI.exe
  2⤵
  PID:11212
- C:\Windows\System32\IqMermM.exe
  C:\Windows\System32\IqMermM.exe
  2⤵
  PID:9488
- C:\Windows\System32\rKzBZWj.exe
  C:\Windows\System32\rKzBZWj.exe
  2⤵
  PID:10392
- C:\Windows\System32\jFewpZa.exe
  C:\Windows\System32\jFewpZa.exe
  2⤵
  PID:10476
- C:\Windows\System32\kYZvZQl.exe
  C:\Windows\System32\kYZvZQl.exe
  2⤵
  PID:10588
- C:\Windows\System32\NaRSNDN.exe
  C:\Windows\System32\NaRSNDN.exe
  2⤵
  PID:10952
- C:\Windows\System32\IVjZEBe.exe
  C:\Windows\System32\IVjZEBe.exe
  2⤵
  PID:10932
- C:\Windows\System32\hHxcSyw.exe
  C:\Windows\System32\hHxcSyw.exe
  2⤵
  PID:11168
- C:\Windows\System32\dgNCoKI.exe
  C:\Windows\System32\dgNCoKI.exe
  2⤵
  PID:11240
- C:\Windows\System32\jpkcafq.exe
  C:\Windows\System32\jpkcafq.exe
  2⤵
  PID:10572
- C:\Windows\System32\nMWQkfq.exe
  C:\Windows\System32\nMWQkfq.exe
  2⤵
  PID:10908
- C:\Windows\System32\JplGnuZ.exe
  C:\Windows\System32\JplGnuZ.exe
  2⤵
  PID:10872
- C:\Windows\System32\bwylptI.exe
  C:\Windows\System32\bwylptI.exe
  2⤵
  PID:11072
- C:\Windows\System32\lbKOemp.exe
  C:\Windows\System32\lbKOemp.exe
  2⤵
  PID:11292
- C:\Windows\System32\WoviFYs.exe
  C:\Windows\System32\WoviFYs.exe
  2⤵
  PID:11316
- C:\Windows\System32\ngURmrW.exe
  C:\Windows\System32\ngURmrW.exe
  2⤵
  PID:11340
- C:\Windows\System32\upWmvrr.exe
  C:\Windows\System32\upWmvrr.exe
  2⤵
  PID:11364
- C:\Windows\System32\JlVTqOg.exe
  C:\Windows\System32\JlVTqOg.exe
  2⤵
  PID:11400
- C:\Windows\System32\HiNZPWO.exe
  C:\Windows\System32\HiNZPWO.exe
  2⤵
  PID:11436
- C:\Windows\System32\yFEITKY.exe
  C:\Windows\System32\yFEITKY.exe
  2⤵
  PID:11464
- C:\Windows\System32\wCyBpbb.exe
  C:\Windows\System32\wCyBpbb.exe
  2⤵
  PID:11484
- C:\Windows\System32\QPhIagP.exe
  C:\Windows\System32\QPhIagP.exe
  2⤵
  PID:11504
- C:\Windows\System32\lzZQOXN.exe
  C:\Windows\System32\lzZQOXN.exe
  2⤵
  PID:11536
- C:\Windows\System32\reEwfLj.exe
  C:\Windows\System32\reEwfLj.exe
  2⤵
  PID:11560
- C:\Windows\System32\ovbOTwd.exe
  C:\Windows\System32\ovbOTwd.exe
  2⤵
  PID:11592
- C:\Windows\System32\NNOJpri.exe
  C:\Windows\System32\NNOJpri.exe
  2⤵
  PID:11636
- C:\Windows\System32\VAJWwhG.exe
  C:\Windows\System32\VAJWwhG.exe
  2⤵
  PID:11652
- C:\Windows\System32\GvjKCXk.exe
  C:\Windows\System32\GvjKCXk.exe
  2⤵
  PID:11672
- C:\Windows\System32\xKhmuHt.exe
  C:\Windows\System32\xKhmuHt.exe
  2⤵
  PID:11700
- C:\Windows\System32\jBInljL.exe
  C:\Windows\System32\jBInljL.exe
  2⤵
  PID:11740
- C:\Windows\System32\KdeOHbU.exe
  C:\Windows\System32\KdeOHbU.exe
  2⤵
  PID:11756
- C:\Windows\System32\GqPyhpR.exe
  C:\Windows\System32\GqPyhpR.exe
  2⤵
  PID:11780
- C:\Windows\System32\ywvVhtr.exe
  C:\Windows\System32\ywvVhtr.exe
  2⤵
  PID:11824
- C:\Windows\System32\HMHJVpn.exe
  C:\Windows\System32\HMHJVpn.exe
  2⤵
  PID:11856
- C:\Windows\System32\xBPjLOu.exe
  C:\Windows\System32\xBPjLOu.exe
  2⤵
  PID:11880
- C:\Windows\System32\njlzFsf.exe
  C:\Windows\System32\njlzFsf.exe
  2⤵
  PID:11916
- C:\Windows\System32\IrxJSYA.exe
  C:\Windows\System32\IrxJSYA.exe
  2⤵
  PID:11944
- C:\Windows\System32\YYQpjVO.exe
  C:\Windows\System32\YYQpjVO.exe
  2⤵
  PID:11964
- C:\Windows\System32\lEXOUUQ.exe
  C:\Windows\System32\lEXOUUQ.exe
  2⤵
  PID:11984
- C:\Windows\System32\pxllvwu.exe
  C:\Windows\System32\pxllvwu.exe
  2⤵
  PID:12024
- C:\Windows\System32\WBchHuT.exe
  C:\Windows\System32\WBchHuT.exe
  2⤵
  PID:12044
- C:\Windows\System32\MhUgruO.exe
  C:\Windows\System32\MhUgruO.exe
  2⤵
  PID:12072
- C:\Windows\System32\bTQQpfz.exe
  C:\Windows\System32\bTQQpfz.exe
  2⤵
  PID:12104
- C:\Windows\System32\CqieYkm.exe
  C:\Windows\System32\CqieYkm.exe
  2⤵
  PID:12132
- C:\Windows\System32\bVUhrCr.exe
  C:\Windows\System32\bVUhrCr.exe
  2⤵
  PID:12152
- C:\Windows\System32\xTsPbxo.exe
  C:\Windows\System32\xTsPbxo.exe
  2⤵
  PID:12176
- C:\Windows\System32\YRbAGti.exe
  C:\Windows\System32\YRbAGti.exe
  2⤵
  PID:12204
- C:\Windows\System32\OPbyfPq.exe
  C:\Windows\System32\OPbyfPq.exe
  2⤵
  PID:12228
- C:\Windows\System32\WvXZRGg.exe
  C:\Windows\System32\WvXZRGg.exe
  2⤵
  PID:12248
- C:\Windows\System32\ugfYatb.exe
  C:\Windows\System32\ugfYatb.exe
  2⤵
  PID:10736
- C:\Windows\System32\cpgZLIx.exe
  C:\Windows\System32\cpgZLIx.exe
  2⤵
  PID:11300
- C:\Windows\System32\tzIPhzH.exe
  C:\Windows\System32\tzIPhzH.exe
  2⤵
  PID:11360
- C:\Windows\System32\UJcutOO.exe
  C:\Windows\System32\UJcutOO.exe
  2⤵
  PID:11416
- C:\Windows\System32\liJWWRj.exe
  C:\Windows\System32\liJWWRj.exe
  2⤵
  PID:11496
- C:\Windows\System32\DnELyZT.exe
  C:\Windows\System32\DnELyZT.exe
  2⤵
  PID:11648
- C:\Windows\System32\qxRdTBQ.exe
  C:\Windows\System32\qxRdTBQ.exe
  2⤵
  PID:11752
- C:\Windows\System32\OHNFQaw.exe
  C:\Windows\System32\OHNFQaw.exe
  2⤵
  PID:11868
- C:\Windows\System32\zuenltU.exe
  C:\Windows\System32\zuenltU.exe
  2⤵
  PID:11912
- C:\Windows\System32\FqHzAZz.exe
  C:\Windows\System32\FqHzAZz.exe
  2⤵
  PID:11972
- C:\Windows\System32\LCRNNVy.exe
  C:\Windows\System32\LCRNNVy.exe
  2⤵
  PID:12080
- C:\Windows\System32\wGeMbpN.exe
  C:\Windows\System32\wGeMbpN.exe
  2⤵
  PID:12148
- C:\Windows\System32\YbHdvXJ.exe
  C:\Windows\System32\YbHdvXJ.exe
  2⤵
  PID:12188
- C:\Windows\System32\SEwjdJd.exe
  C:\Windows\System32\SEwjdJd.exe
  2⤵
  PID:12284
- C:\Windows\System32\KDyHCUq.exe
  C:\Windows\System32\KDyHCUq.exe
  2⤵
  PID:12240
- C:\Windows\System32\uKFVnlm.exe
  C:\Windows\System32\uKFVnlm.exe
  2⤵
  PID:11424
- C:\Windows\System32\RwvjdzV.exe
  C:\Windows\System32\RwvjdzV.exe
  2⤵
  PID:11532
- C:\Windows\System32\AeCYTxX.exe
  C:\Windows\System32\AeCYTxX.exe
  2⤵
  PID:11688
- C:\Windows\System32\aKpUCZs.exe
  C:\Windows\System32\aKpUCZs.exe
  2⤵
  PID:2688
- C:\Windows\System32\ZrHRKDA.exe
  C:\Windows\System32\ZrHRKDA.exe
  2⤵
  PID:3364
- C:\Windows\System32\CiVVIks.exe
  C:\Windows\System32\CiVVIks.exe
  2⤵
  PID:12040
- C:\Windows\System32\mvHFzjf.exe
  C:\Windows\System32\mvHFzjf.exe
  2⤵
  PID:11356
- C:\Windows\System32\badOFGP.exe
  C:\Windows\System32\badOFGP.exe
  2⤵
  PID:11632
- C:\Windows\System32\meCVyaL.exe
  C:\Windows\System32\meCVyaL.exe
  2⤵
  PID:11848
- C:\Windows\System32\gmYHIqp.exe
  C:\Windows\System32\gmYHIqp.exe
  2⤵
  PID:10732
- C:\Windows\System32\iiZSbHs.exe
  C:\Windows\System32\iiZSbHs.exe
  2⤵
  PID:3176
- C:\Windows\System32\GwOSOQL.exe
  C:\Windows\System32\GwOSOQL.exe
  2⤵
  PID:11456
- C:\Windows\System32\QQmZlnd.exe
  C:\Windows\System32\QQmZlnd.exe
  2⤵
  PID:1640
- C:\Windows\System32\jyPENEn.exe
  C:\Windows\System32\jyPENEn.exe
  2⤵
  PID:12332
- C:\Windows\System32\fxGXuGV.exe
  C:\Windows\System32\fxGXuGV.exe
  2⤵
  PID:12360
- C:\Windows\System32\DvvcCGF.exe
  C:\Windows\System32\DvvcCGF.exe
  2⤵
  PID:12388
- C:\Windows\System32\vunrsVf.exe
  C:\Windows\System32\vunrsVf.exe
  2⤵
  PID:12416
- C:\Windows\System32\XQBqhUA.exe
  C:\Windows\System32\XQBqhUA.exe
  2⤵
  PID:12436
- C:\Windows\System32\szHWwjE.exe
  C:\Windows\System32\szHWwjE.exe
  2⤵
  PID:12460
- C:\Windows\System32\cFZHiYb.exe
  C:\Windows\System32\cFZHiYb.exe
  2⤵
  PID:12480
- C:\Windows\System32\bQAfLVU.exe
  C:\Windows\System32\bQAfLVU.exe
  2⤵
  PID:12504
- C:\Windows\System32\szCUqCC.exe
  C:\Windows\System32\szCUqCC.exe
  2⤵
  PID:12528
- C:\Windows\System32\cIUBUpY.exe
  C:\Windows\System32\cIUBUpY.exe
  2⤵
  PID:12552
- C:\Windows\System32\FttLwEu.exe
  C:\Windows\System32\FttLwEu.exe
  2⤵
  PID:12576
- C:\Windows\System32\qFjndhu.exe
  C:\Windows\System32\qFjndhu.exe
  2⤵
  PID:12644
- C:\Windows\System32\EXNaEOb.exe
  C:\Windows\System32\EXNaEOb.exe
  2⤵
  PID:12668
- C:\Windows\System32\aONNxRX.exe
  C:\Windows\System32\aONNxRX.exe
  2⤵
  PID:12684
- C:\Windows\System32\EFDBbJP.exe
  C:\Windows\System32\EFDBbJP.exe
  2⤵
  PID:12708
- C:\Windows\System32\syljvJe.exe
  C:\Windows\System32\syljvJe.exe
  2⤵
  PID:12728
- C:\Windows\System32\GyyNgcw.exe
  C:\Windows\System32\GyyNgcw.exe
  2⤵
  PID:12748
- C:\Windows\System32\rTHyacZ.exe
  C:\Windows\System32\rTHyacZ.exe
  2⤵
  PID:12792
- C:\Windows\System32\iajffVQ.exe
  C:\Windows\System32\iajffVQ.exe
  2⤵
  PID:12844
- C:\Windows\System32\OucADAO.exe
  C:\Windows\System32\OucADAO.exe
  2⤵
  PID:12868
- C:\Windows\System32\mOdkqzA.exe
  C:\Windows\System32\mOdkqzA.exe
  2⤵
  PID:12896
- C:\Windows\System32\vgpIXye.exe
  C:\Windows\System32\vgpIXye.exe
  2⤵
  PID:12924
- C:\Windows\System32\fvmMzrU.exe
  C:\Windows\System32\fvmMzrU.exe
  2⤵
  PID:12952
- C:\Windows\System32\bpVRdAe.exe
  C:\Windows\System32\bpVRdAe.exe
  2⤵
  PID:12976
- C:\Windows\System32\sxMozVb.exe
  C:\Windows\System32\sxMozVb.exe
  2⤵
  PID:13016
- C:\Windows\System32\myrFijt.exe
  C:\Windows\System32\myrFijt.exe
  2⤵
  PID:13052
- C:\Windows\System32\DNZTfnq.exe
  C:\Windows\System32\DNZTfnq.exe
  2⤵
  PID:13068
- C:\Windows\System32\HOCZHiI.exe
  C:\Windows\System32\HOCZHiI.exe
  2⤵
  PID:13100
- C:\Windows\System32\aFhEvoH.exe
  C:\Windows\System32\aFhEvoH.exe
  2⤵
  PID:13144
- C:\Windows\System32\hOvhlQx.exe
  C:\Windows\System32\hOvhlQx.exe
  2⤵
  PID:13188
- C:\Windows\System32\GojwKvY.exe
  C:\Windows\System32\GojwKvY.exe
  2⤵
  PID:13212
- C:\Windows\System32\vqbVTLJ.exe
  C:\Windows\System32\vqbVTLJ.exe
  2⤵
  PID:13244
- C:\Windows\System32\MUkiIrq.exe
  C:\Windows\System32\MUkiIrq.exe
  2⤵
  PID:13268
- C:\Windows\System32\HTXGQSd.exe
  C:\Windows\System32\HTXGQSd.exe
  2⤵
  PID:13288
- C:\Windows\System32\zmUbuaD.exe
  C:\Windows\System32\zmUbuaD.exe
  2⤵
  PID:12280
- C:\Windows\System32\OFOZWkY.exe
  C:\Windows\System32\OFOZWkY.exe
  2⤵
  PID:12368
- C:\Windows\System32\nYeCEho.exe
  C:\Windows\System32\nYeCEho.exe
  2⤵
  PID:12468
- C:\Windows\System32\yVHsuNu.exe
  C:\Windows\System32\yVHsuNu.exe
  2⤵
  PID:12536
- C:\Windows\System32\UmivJlI.exe
  C:\Windows\System32\UmivJlI.exe
  2⤵
  PID:12660
- C:\Windows\System32\oKtqlsW.exe
  C:\Windows\System32\oKtqlsW.exe
  2⤵
  PID:12692
- C:\Windows\System32\cnyOXFf.exe
  C:\Windows\System32\cnyOXFf.exe
  2⤵
  PID:12740
- C:\Windows\System32\ssiGbMt.exe
  C:\Windows\System32\ssiGbMt.exe
  2⤵
  PID:12852
- C:\Windows\System32\nlLbQkQ.exe
  C:\Windows\System32\nlLbQkQ.exe
  2⤵
  PID:12916
- C:\Windows\System32\pQuHLSX.exe
  C:\Windows\System32\pQuHLSX.exe
  2⤵
  PID:13040
- C:\Windows\System32\qOzNBUn.exe
  C:\Windows\System32\qOzNBUn.exe
  2⤵
  PID:13060
- C:\Windows\System32\CYrKCzR.exe
  C:\Windows\System32\CYrKCzR.exe
  2⤵
  PID:13108
- C:\Windows\System32\fIkXCdJ.exe
  C:\Windows\System32\fIkXCdJ.exe
  2⤵
  PID:13228
- C:\Windows\System32\TjSMZeH.exe
  C:\Windows\System32\TjSMZeH.exe
  2⤵
  PID:12428
- C:\Windows\System32\JDTEkMR.exe
  C:\Windows\System32\JDTEkMR.exe
  2⤵
  PID:12592
- C:\Windows\System32\vkaolZp.exe
  C:\Windows\System32\vkaolZp.exe
  2⤵
  PID:12744
- C:\Windows\System32\DasWDZA.exe
  C:\Windows\System32\DasWDZA.exe
  2⤵
  PID:13064

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\COwtAoz.exe

Filesize
1.4MB

MD5
fd76421fb386e423b9e2db7d41c9e55a

SHA1
ed3836b4efd01fb786ac83c1f80fe6bcbe5ab540

SHA256
cbe4ec2a46281dc54231e263947c29b9b0a48f766d474c563610cf8191cd6ade

SHA512
7d05c5e0c5508d4f8e4a3892407e5778b69f8b1905c843fdd469b475949fad153cad1cad38221a45c52bacec17bbcd234d4b05070e5fdcc207d2081538375ce7

Download Submit
C:\Windows\System32\CvoXZIO.exe

Filesize
1.4MB

MD5
e05521d131404a2e5fbffc99674fb5b6

SHA1
443cd0abdda9717db98ccfdd0364d11f6b76d2dd

SHA256
6930cd12031b780177b4138ecac9832d1b0f8ceb795450f01d1edfb66d7a1f0d

SHA512
4213d4309c615831ed046c9cbc04d91b35623a3d8aa430b320d53b66dacbd89e4c411589061c913ba6e43c90f2b34a48769294b35d8dea6c26297979cee815f8

Download Submit
C:\Windows\System32\DKHtsUz.exe

Filesize
1.4MB

MD5
800c4dbe0e2c4d3f226b9292664e3ceb

SHA1
0b5a1dcd51f2efb1204275adb43af8f02d328705

SHA256
497b336adaecb28433dcd4f0ea6a33776f7ed1129ae3320f73411fd8bd23feed

SHA512
06b339387060b7e9f39987dfd4a8988e2acac7dfe2961ad8530d419c26e47735dab543a031a58aff02279a25f853ec0ea37ca2018d22ffd62f74c25ce425de4b

Download Submit
C:\Windows\System32\GMPlulI.exe

Filesize
1.4MB

MD5
7ae9950ca8bc27a1fdb210a367ca1e44

SHA1
d72c7bc099d3a5967896769676b98a7ece069f28

SHA256
6817bb939ae57a9ad522d26ab8008fd91d02577ac42f44763d85824274a03d6d

SHA512
ace824c40bbed2f084f488f5971eddc31cdd085ba572e7f50d510a8ff1032934375eab4cf2a33bef0db2d7707d3e55fdb8ec98aa834f4779a75c7641df343cf3

Download Submit
C:\Windows\System32\HUAZbiP.exe

Filesize
1.4MB

MD5
c9d1ee93334dcb68800c4d8c0423ddd2

SHA1
ca9bd65171935c198456398755b4c5197ad65d1a

SHA256
9812a09d6fe52f5640391d887d5eba0e1efa0c1c0d897be6bdc74c8422e9ba57

SHA512
e308981bb3021c692446037fb48a7f6d9e2568b6b1e006ed187be5514415c4425ef8e24568d2a685e97f3730059c2c5d0974a71d6e43152665201baaedbb5bc2

Download Submit
C:\Windows\System32\HohhcNy.exe

Filesize
1.4MB

MD5
a3fdf25746c78b42efbf3be2a818214b

SHA1
f50e235595cc97dd07b0cd999a8e81eda7157162

SHA256
8fa8db7743f410581eca8be41693c3a132210c053e9ec312b8dc802e99499673

SHA512
12f5fd9983d9db683ba4ab386f0d96d32621b10b7468669e744f800e429e506639dcd5d06f1c4c0357d482257bfab3bd138015986c6c83795119b00f31b72427

Download Submit
C:\Windows\System32\JcRtLdY.exe

Filesize
1.4MB

MD5
c29c61eede77790e7df57083bb0c177b

SHA1
80f924952aabcb90eb36dfbc1b9cc121bfd1626b

SHA256
8628f4d12fe0902570c1d2fc913d2a345c2f58e241eec51afc4211632b2b73ae

SHA512
81168c91f877b760fb70fed88c971be098767976f109aca0f1f95d06c51d3249bddf724dddf29d0e05b8e73c6ebb712a505206f2ceca7b67c3932fa0cb8db9ef

Download Submit
C:\Windows\System32\JyzQDyI.exe

Filesize
1.4MB

MD5
92725e3dabbc0bd920b4e0892427377b

SHA1
4c0fa783c9a763b7675be5d98cd99ececba50496

SHA256
9a214aafbc287a3aa4dbcad26a89e51d8715f485c43dc4ab0308adda79eaf001

SHA512
9f51b2b0d7b8bd8959fa1f525f3cdbb90939e077e50f6be32ccf06f3d8c550319c6c9f038f944e59e9b5904a5331edd0b3db89a37a78049c9babcc5ec81c80f3

Download Submit
C:\Windows\System32\LhbtKkI.exe

Filesize
1.4MB

MD5
4feb6d1749f4e593d55c859ba04540aa

SHA1
bac3c4b748b07ae2b851e20a21e14b514629be77

SHA256
2ae027f0b0827c0e4503dda1ca0d15544c246a8b79bd35b1e2eba24e0046b9dd

SHA512
3790c1d259ae98753f443a9a1a3019245b3005f6df2c2d8886904b47d17b11a5ec771aed22bea6198109b6d6281f652fd9479c7b5f3cb515507ee189c8c80b2d

Download Submit
C:\Windows\System32\ODtgqTj.exe

Filesize
1.4MB

MD5
32350a63f39755a4b50949e8e335f93e

SHA1
06ab17df28c396281a536f0edb2b44fec860e423

SHA256
d02508d7701dc7b8eac4f453a2367bb0c6d80c7843ac84fa7f0f4ef1223cae6f

SHA512
1a4b43bf38e3511f47debf2a2a1caaba0d4a8b1dd3ed6dac97237c7d7c6cb0e6bd50df1a01f6f073bb9f5133690b1d72e22f00ebed3dbd246826168fe634aac1

Download Submit
C:\Windows\System32\PMDMQPx.exe

Filesize
1.4MB

MD5
d22b189166033cc27f295df9dda3778d

SHA1
099898ab9141357673a0b1f8e0970e523a728be5

SHA256
cf0d29cb89f975a31dad9b5783b0a744117608f626b9d3ff283c293289601dd3

SHA512
15fe9074405dd3616bf26f75e60ccb9fa6aceaad54993b6c7bfd2822dd9f7fafa6977eb0fd5a46975dc7d46a10a3e324d472a40468dc19fb38506e32f51469ca

Download Submit
C:\Windows\System32\TLreOdE.exe

Filesize
1.4MB

MD5
224ceda8e26bca24ec7d4cc74b4035e6

SHA1
aaa0a8ba18948dd8966b2306582e9bcfb6bf9c77

SHA256
d3c9e378a800c639055c80ca36e6997e0dab3d1c2ce8bf331190d271049deacc

SHA512
a5d2ecfe5e9ff09e7d72cb5cffe8cca42709c4f02a0a714b91a55ecab0bd41b6a3f41543e649643fdeffcd38a5ae5bbd977b9d2e55b9ac56d9ab3352850528ea

Download Submit
C:\Windows\System32\WJInYKy.exe

Filesize
1.4MB

MD5
c03177a0f1beeef6ab3ce442b5e4262d

SHA1
f325a4523413e9f730ac1a857e121d4edd8cdd95

SHA256
5686669882cc25d7f8c0e4252a0517974740034fdfd37f6ddc89643e598633fa

SHA512
e284cdca651b896a50864fa4fb6f804c48b1fcf4d980699532937fc4d42cced524e5c86caf87f67b11d03f56b8896bb3719230d9d3330c053bd75f06e34c0627

Download Submit
C:\Windows\System32\WvEYhPe.exe

Filesize
1.4MB

MD5
d03bbb2e23637d72345d21d9c3800b1f

SHA1
4812c60f7719142f466ca59e588bfa8721416604

SHA256
6edb0b836c0df4665f67fb723a9d2604f524077be99d1cfabfc52215037f587f

SHA512
40305947301f1265bde3cac821ebbbb170602ddf8caef603cfb98c0a21122fe59ea3d611d5bb1a60b9278458076754a94f25c446dcf46b9a209753fa94924b13

Download Submit
C:\Windows\System32\Zseykrr.exe

Filesize
1.4MB

MD5
d4a6326fe4f3108373364aec77ef4777

SHA1
edc8f746c1e7ebf010d4834ce0a253f7ed8a1266

SHA256
a3a58b2f8bb93fcb5e0ac17f7371f4a6d22d6c350cc29f9c2ea1f12f7f4dc0b4

SHA512
066fffe4f78415d9181c08b02223dc295647b60b702522bd67fa0bb5653227a6f3d8599299a56dd36eacb6ce761969b8089f72cbda23a1b7fa1b0137190b765f

Download Submit
C:\Windows\System32\abdoKkB.exe

Filesize
1.4MB

MD5
496b77c21e6920ee90e1cfce946a523e

SHA1
d153626d2038227362422d3c3596d4326196ee3d

SHA256
f7c4d8a157859f378bcd3ac191db79902da1e58cd5f0eb2d2d470f180d499fa1

SHA512
20204683ff1b37add24a8a5cebd60e8a7f1424b40d30d89110afd4491cd6cfe5266e99f4bc88b62b6b8d6ee942ea24a1b24bf8dd75ae7226d583a2d5e898634a

Download Submit
C:\Windows\System32\acUhLCx.exe

Filesize
1.4MB

MD5
33d70248a7e4276a4b05674cf5a72b94

SHA1
e3ad18333c8e4ad812e6cff21ca423c5c5c121c0

SHA256
bc1b675f82c154cebc948142b7eab63c533b54b731291142a5b4eeeeba0db7ea

SHA512
3c2045ac00d94b362ce2d221505dea18171187f1aacca9a2c01d2010b5b5cb17e2789d127bd6803d435e267449b7938401bbae7c9ee05f5685fdc2a2e44e77b2

Download Submit
C:\Windows\System32\bPiMXOo.exe

Filesize
1.4MB

MD5
80a88ae7b327ee62b88b73785ac777e0

SHA1
c38ece6e4341647e5579d360ab3403af61a9af6f

SHA256
12a73ec2ec77ea2e8f339054aa4e395ad936988899a3d6fae812f25970da44f3

SHA512
fcf948d71db75297ffa1677b2c6dccf5c1647e7e80022f418bc7745aec2a2d07af4cd2b42948c6a4547460284ce746ca3ec48d370b496bccc3932c3b7f286bdf

Download Submit
C:\Windows\System32\bfaGQWz.exe

Filesize
1.4MB

MD5
436d8640f5253f4086fb4ab54b7545cc

SHA1
18aa793ee83d3ec27f6c9dc96ea8a6ef490b9186

SHA256
3ee71e8b35c62a0ecf5ff24623bb3f38cddfebbd2acc713c5b93ff10893cc3cb

SHA512
d1f0888fbd8da9e2b819eaa00eedff209b80d3c6d6264a92b324354bbc40c9dfb6c61a8b259d2d17b302b79825c97bf1e432b6def58cd4659919498f24e89c2b

Download Submit
C:\Windows\System32\cJsvmbd.exe

Filesize
1.4MB

MD5
c1d43ca8bbd9af96d811afd5d4a1f27e

SHA1
45c975480b42a224b7e07cda38e521cf78bf2ded

SHA256
f525cabde67ec0ea210108e102adf4900f272fb513698d3465812aa0529a86c2

SHA512
17071f6d8048957eba3c282521295808c33a74143d8bc65d8c3643a703f12691d71695205f8065974e26b2c67e64fbda04e0242b440b5824292934c55c75bf39

Download Submit
C:\Windows\System32\csnoWxp.exe

Filesize
1.4MB

MD5
d33ad73557101cb0ed87504b22c8c3d4

SHA1
04d81866822732709c06daef37dc95ea33ec4900

SHA256
62b98801780f763fe24736941384fc99b2f98d22bae1415db7070bbf89268aaa

SHA512
25ce6d4ec4ebf4fd00e3fc15025172d730fcc59d62cad46eb2b16f72875555162783fbd00586bbcda864fd10dddf4233247b7677a7aaa30ff54d197f5532f9e4

Download Submit
C:\Windows\System32\dbeUoZA.exe

Filesize
1.4MB

MD5
468cfb519c022b693196bb590d7bebee

SHA1
f02dff94181c4e4f1c3d0da537b2f6ae0b4eca84

SHA256
825ac5bf5c519bf8de2dc8d4f904040b229784fbd12687b648d243e2d99f53e9

SHA512
5714a107013aff5e408ded1ee799e736388084679aea0cd08f8d2dd1a63213168a778f26547efa762ac8ffc2658e2c80573c5266dba207d310719d9308635231

Download Submit
C:\Windows\System32\ddpeNzk.exe

Filesize
1.4MB

MD5
59c84c352453e5df7ae21d52698a5871

SHA1
8996dce7b82dbf6f0212cdb16a9fe05521163393

SHA256
e4eabcc90083ff1185bb715343aa538f38aab3586fa7ab37f89a5d68735c34a3

SHA512
ff25e837f55396ee5b6e22824b69eae7acbdb3f2d5933ae9072a52fbfda77299d9d680a0ee9390563391d7743b0264e822be98b7033dee7d47dee38e5800f979

Download Submit
C:\Windows\System32\eNPiawu.exe

Filesize
1.4MB

MD5
e3483812a3b3307b3f88eade51d892c4

SHA1
ebb0e893618d251af38dc7efe3ebc898389d0f25

SHA256
61001af3627724e13d7e2743ff0aa9ed709176ed1fe6824518632ffbaf337b4b

SHA512
e858f21b18dc60410c8d61ea58ce9b653b787b5bb764464bac8493053a1e9075aa8424b2639b744a250d927b4d1401ebc928f6d15db6b02652d18cec56447e73

Download Submit
C:\Windows\System32\fWfceAs.exe

Filesize
1.4MB

MD5
23aada070a73191d04497d78f672bb2d

SHA1
94fec948e788b236eddfbec0070afefaf6986a47

SHA256
3ff7eba6a854df00cef09ee4b2afa4b65cd8800756d59c46a4232a6ecf1a90c2

SHA512
14a1d92e6f28bd4b9667eed61c51bc18247cd7a90322f33841878ff1eca3d8e52bd59fcd2a67cc97fb098f449ccc02d9b1423a7e9564e2a263c0f48614e541b2

Download Submit
C:\Windows\System32\lvzlEvj.exe

Filesize
1.4MB

MD5
c38fab53bfb889fa9dfed1b8309b435c

SHA1
c3f88578ecb5cc1872127d04a57b6c6fb9bb7c0f

SHA256
a640f468871d957b58b56fc05d4afcc9eed8564e70f589fa3302c0d3c766926b

SHA512
5b585a143ef6639ec99abfb8aef91c99fee0b23e54ec13033e24fccb501ac28e739cc0d3115d9761127302be710f60c1f4b592c03620716ed592ab705eb48348

Download Submit
C:\Windows\System32\mzttGIq.exe

Filesize
1.4MB

MD5
00cd4c9e2f00211c763f4ee2a74af8ec

SHA1
0a671a5b5a426b03ab8ad90b554bdc2265ede339

SHA256
45abe82b12e90169d7c9e180f1cfce6a7bda95959745a83515cfc2c28a0cdffb

SHA512
feac1123658e22f96dc78e478f580616bba817d182f2691631e7a2102833c520aa4d94957b76cd1dbd4db1ead22f7339a6a3cab9673da06b3e3ac8fc59c88c9a

Download Submit
C:\Windows\System32\olrDRol.exe

Filesize
1.4MB

MD5
f6d7fd1216f1fca47caec3723a3114a5

SHA1
2c43f4f01b68444e67e738a4ae14cb8cced6ad63

SHA256
c3d2c8935b5167d626349fcd96e31fa3fcefaef31671cc8cde1e6ca9ea9c8002

SHA512
9859b2abf157072abfd3ce21fba8671b149b9ef4faf0102e6bb53f754cacbea4148373b34f78359c720c66c4347671b95850ca8b830e4c7a82c6b65d3128243e

Download Submit
C:\Windows\System32\pplFhfP.exe

Filesize
1.4MB

MD5
8dca649b57fbfbf02d91ae29b8820628

SHA1
b24b9144bd95eb4245713740bc01a38a3ff67a9b

SHA256
ff75858b77f9c534220f5bdbeef045feb413cb79e3c0c0a533d7c2f2ed861200

SHA512
7beaaf76454680baf20e745d6e09bd351530a717c5e3738d4d5b2338f0e3a7134ed9700bf005f5e375451bb5068f1cda26a23204cd97dac25f2566c19458bba5

Download Submit
C:\Windows\System32\rBevitu.exe

Filesize
1.4MB

MD5
9ddc0c28145c9db5ac918c331ce1de8a

SHA1
240a51b70409a46be83598cf9dc40457b0af41e2

SHA256
f57740e83f64a3b1c5f171cb138ca898ad1b0622a30f587d7fc3a90325fc917d

SHA512
ca41b8b577f77cb63f18f36ef460936cb4add2a45879465abb46c9dc58c27907b09d19dc87441aef9150f1287d2e5bdfad8156cdbeac904d74260df156e58ee7

Download Submit
C:\Windows\System32\vmJpknG.exe

Filesize
1.4MB

MD5
bf99b675252677658797430b3880e0ab

SHA1
f3c5b002513e82f95ba4421b8a68eaa7f48ceb0f

SHA256
91678ce443d6fb96713979beb5cbee0789541263e1b265cbcdf37328b0c4f366

SHA512
feb068ad73e196be44dba737ddda899be91137efd24446c6f309d6049cfd9ca8b49e304b2366fff1190a4c15ec04e400bb248fe0377b5c54ba21cea3791c7f34

Download Submit
C:\Windows\System32\vxkQSIn.exe

Filesize
1.4MB

MD5
9dffd1d66de0b59b878594b7cf30c139

SHA1
cc1de50c3885925fc8629e5c8b3a87fcdae847cf

SHA256
ac312b0ba3ec2c9513750bdb09497b78762d7694396455506b54934a8dcfadf1

SHA512
aa1e10c5317bf5e511febbb8d4c55f43ebd276f495ff278e780df858daeffa8f07984b5b76109ce494f2ed79151fdc4a81e69c49faafc0a5b04f3e33e3951bad

Download Submit
memory/216-1938-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp

Filesize
3.9MB

Download
memory/216-18-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp

Filesize
3.9MB

Download
memory/216-2015-0x00007FF79BCB0000-0x00007FF79C0A1000-memory.dmp

Filesize
3.9MB

Download
memory/888-2056-0x00007FF799020000-0x00007FF799411000-memory.dmp

Filesize
3.9MB

Download
memory/888-417-0x00007FF799020000-0x00007FF799411000-memory.dmp

Filesize
3.9MB

Download
memory/1056-24-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp

Filesize
3.9MB

Download
memory/1056-2019-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp

Filesize
3.9MB

Download
memory/1056-1966-0x00007FF6AA520000-0x00007FF6AA911000-memory.dmp

Filesize
3.9MB

Download
memory/2432-2047-0x00007FF639710000-0x00007FF639B01000-memory.dmp

Filesize
3.9MB

Download
memory/2432-386-0x00007FF639710000-0x00007FF639B01000-memory.dmp

Filesize
3.9MB

Download
memory/2496-391-0x00007FF6DF8E0000-0x00007FF6DFCD1000-memory.dmp

Filesize
3.9MB

Download
memory/2496-2041-0x00007FF6DF8E0000-0x00007FF6DFCD1000-memory.dmp

Filesize
3.9MB

Download
memory/2532-376-0x00007FF7A2750000-0x00007FF7A2B41000-memory.dmp

Filesize
3.9MB

Download
memory/2532-2031-0x00007FF7A2750000-0x00007FF7A2B41000-memory.dmp

Filesize
3.9MB

Download
memory/2712-2021-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp

Filesize
3.9MB

Download
memory/2712-40-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp

Filesize
3.9MB

Download
memory/2712-1968-0x00007FF6D5470000-0x00007FF6D5861000-memory.dmp

Filesize
3.9MB

Download
memory/2744-432-0x00007FF7F04C0000-0x00007FF7F08B1000-memory.dmp

Filesize
3.9MB

Download
memory/2744-2060-0x00007FF7F04C0000-0x00007FF7F08B1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-19-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-2017-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-1965-0x00007FF7D15E0000-0x00007FF7D19D1000-memory.dmp

Filesize
3.9MB

Download
memory/2964-390-0x00007FF7D0B90000-0x00007FF7D0F81000-memory.dmp

Filesize
3.9MB

Download
memory/2964-2049-0x00007FF7D0B90000-0x00007FF7D0F81000-memory.dmp

Filesize
3.9MB

Download
memory/3052-2043-0x00007FF6803D0000-0x00007FF6807C1000-memory.dmp

Filesize
3.9MB

Download
memory/3052-395-0x00007FF6803D0000-0x00007FF6807C1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-423-0x00007FF7AD090000-0x00007FF7AD481000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2053-0x00007FF7AD090000-0x00007FF7AD481000-memory.dmp

Filesize
3.9MB

Download
memory/3340-2039-0x00007FF7B0540000-0x00007FF7B0931000-memory.dmp

Filesize
3.9MB

Download
memory/3340-405-0x00007FF7B0540000-0x00007FF7B0931000-memory.dmp

Filesize
3.9MB

Download
memory/3588-374-0x00007FF70C980000-0x00007FF70CD71000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2037-0x00007FF70C980000-0x00007FF70CD71000-memory.dmp

Filesize
3.9MB

Download
memory/3752-1967-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp

Filesize
3.9MB

Download
memory/3752-2023-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp

Filesize
3.9MB

Download
memory/3752-36-0x00007FF6F9590000-0x00007FF6F9981000-memory.dmp

Filesize
3.9MB

Download
memory/3784-44-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp

Filesize
3.9MB

Download
memory/3784-1999-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp

Filesize
3.9MB

Download
memory/3784-2025-0x00007FF78C7F0000-0x00007FF78CBE1000-memory.dmp

Filesize
3.9MB

Download
memory/4020-2033-0x00007FF664650000-0x00007FF664A41000-memory.dmp

Filesize
3.9MB

Download
memory/4020-373-0x00007FF664650000-0x00007FF664A41000-memory.dmp

Filesize
3.9MB

Download
memory/4220-379-0x00007FF765F20000-0x00007FF766311000-memory.dmp

Filesize
3.9MB

Download
memory/4220-2045-0x00007FF765F20000-0x00007FF766311000-memory.dmp

Filesize
3.9MB

Download
memory/4288-0-0x00007FF747D10000-0x00007FF748101000-memory.dmp

Filesize
3.9MB

Download
memory/4288-1516-0x00007FF747D10000-0x00007FF748101000-memory.dmp

Filesize
3.9MB

Download
memory/4288-2003-0x00007FF747D10000-0x00007FF748101000-memory.dmp

Filesize
3.9MB

Download
memory/4288-1-0x000001B5F1150000-0x000001B5F1160000-memory.dmp

Filesize
64KB

Download
memory/4308-54-0x00007FF613E20000-0x00007FF614211000-memory.dmp

Filesize
3.9MB

Download
memory/4308-2027-0x00007FF613E20000-0x00007FF614211000-memory.dmp

Filesize
3.9MB

Download
memory/4324-2051-0x00007FF6B72A0000-0x00007FF6B7691000-memory.dmp

Filesize
3.9MB

Download
memory/4324-410-0x00007FF6B72A0000-0x00007FF6B7691000-memory.dmp

Filesize
3.9MB

Download
memory/4356-426-0x00007FF794A50000-0x00007FF794E41000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2058-0x00007FF794A50000-0x00007FF794E41000-memory.dmp

Filesize
3.9MB

Download
memory/4492-11-0x00007FF6B4F40000-0x00007FF6B5331000-memory.dmp

Filesize
3.9MB

Download
memory/4492-2013-0x00007FF6B4F40000-0x00007FF6B5331000-memory.dmp

Filesize
3.9MB

Download
memory/4696-2029-0x00007FF6CB370000-0x00007FF6CB761000-memory.dmp

Filesize
3.9MB

Download
memory/4696-56-0x00007FF6CB370000-0x00007FF6CB761000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2035-0x00007FF668770000-0x00007FF668B61000-memory.dmp

Filesize
3.9MB

Download
memory/4904-375-0x00007FF668770000-0x00007FF668B61000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads