xmrig | 00508d65364aba5f1a15824eb2d67e5902ae56f623bbbc7727769c3d2d17bbc1

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
Size

2.6MB
MD5

48afda054ee4476042635bf30340afd0
SHA1

120bedaf135653cedefee387f2034e1b5462faf3
SHA256

00508d65364aba5f1a15824eb2d67e5902ae56f623bbbc7727769c3d2d17bbc1
SHA512

0a600cade91c0d79dbd32e25aa9695647f89a12c0c11b565986a3960ac234f96e60669ca648031388913e9440d35b6f6b1ab7df5eb144fcca855440de64adc0e
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dze7jcq4xG5QUDh:N0GnJMOWPClFdx6e0EALKWVTffZiPAco

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral2/memory/3620-0-0x00007FF731810000-0x00007FF731C05000-memory.dmp	xmrig
behavioral2/files/0x0009000000023418-5.dat	xmrig
behavioral2/files/0x000700000002341f-8.dat	xmrig
behavioral2/files/0x0007000000023420-9.dat	xmrig
behavioral2/files/0x0007000000023421-21.dat	xmrig
behavioral2/files/0x0007000000023424-38.dat	xmrig
behavioral2/files/0x0007000000023426-48.dat	xmrig
behavioral2/files/0x0007000000023427-53.dat	xmrig
behavioral2/files/0x000700000002342c-76.dat	xmrig
behavioral2/files/0x000700000002342d-83.dat	xmrig
behavioral2/files/0x000700000002342f-93.dat	xmrig
behavioral2/files/0x0007000000023430-98.dat	xmrig
behavioral2/files/0x0007000000023433-111.dat	xmrig
behavioral2/files/0x0007000000023436-126.dat	xmrig
behavioral2/files/0x0007000000023438-136.dat	xmrig
behavioral2/files/0x000700000002343a-146.dat	xmrig
behavioral2/files/0x000700000002343c-158.dat	xmrig
behavioral2/memory/4328-492-0x00007FF65C6E0000-0x00007FF65CAD5000-memory.dmp	xmrig
behavioral2/memory/1280-493-0x00007FF68AB80000-0x00007FF68AF75000-memory.dmp	xmrig
behavioral2/memory/5528-494-0x00007FF724BB0000-0x00007FF724FA5000-memory.dmp	xmrig
behavioral2/memory/5196-495-0x00007FF729810000-0x00007FF729C05000-memory.dmp	xmrig
behavioral2/memory/768-496-0x00007FF60EFC0000-0x00007FF60F3B5000-memory.dmp	xmrig
behavioral2/memory/1564-498-0x00007FF7279F0000-0x00007FF727DE5000-memory.dmp	xmrig
behavioral2/memory/5060-497-0x00007FF7B1EB0000-0x00007FF7B22A5000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-163.dat	xmrig
behavioral2/files/0x000700000002343b-153.dat	xmrig
behavioral2/files/0x0007000000023439-143.dat	xmrig
behavioral2/files/0x0007000000023437-133.dat	xmrig
behavioral2/files/0x0007000000023435-123.dat	xmrig
behavioral2/files/0x0007000000023434-118.dat	xmrig
behavioral2/memory/4056-499-0x00007FF7418A0000-0x00007FF741C95000-memory.dmp	xmrig
behavioral2/files/0x0007000000023432-108.dat	xmrig
behavioral2/files/0x0007000000023431-103.dat	xmrig
behavioral2/files/0x000700000002342e-88.dat	xmrig
behavioral2/files/0x000700000002342b-73.dat	xmrig
behavioral2/files/0x000700000002342a-68.dat	xmrig
behavioral2/files/0x0007000000023429-63.dat	xmrig
behavioral2/files/0x0007000000023428-58.dat	xmrig
behavioral2/files/0x0007000000023425-43.dat	xmrig
behavioral2/files/0x0007000000023423-33.dat	xmrig
behavioral2/files/0x0007000000023422-28.dat	xmrig
behavioral2/memory/2376-15-0x00007FF642760000-0x00007FF642B55000-memory.dmp	xmrig
behavioral2/memory/1520-7-0x00007FF69A050000-0x00007FF69A445000-memory.dmp	xmrig
behavioral2/memory/1800-510-0x00007FF7E91F0000-0x00007FF7E95E5000-memory.dmp	xmrig
behavioral2/memory/3152-516-0x00007FF661A10000-0x00007FF661E05000-memory.dmp	xmrig
behavioral2/memory/5116-523-0x00007FF72E170000-0x00007FF72E565000-memory.dmp	xmrig
behavioral2/memory/5852-527-0x00007FF7AEC50000-0x00007FF7AF045000-memory.dmp	xmrig
behavioral2/memory/4352-503-0x00007FF7E27C0000-0x00007FF7E2BB5000-memory.dmp	xmrig
behavioral2/memory/2008-541-0x00007FF64ACE0000-0x00007FF64B0D5000-memory.dmp	xmrig
behavioral2/memory/4780-555-0x00007FF749AD0000-0x00007FF749EC5000-memory.dmp	xmrig
behavioral2/memory/5712-561-0x00007FF685E30000-0x00007FF686225000-memory.dmp	xmrig
behavioral2/memory/1396-551-0x00007FF6CB360000-0x00007FF6CB755000-memory.dmp	xmrig
behavioral2/memory/5204-569-0x00007FF656F70000-0x00007FF657365000-memory.dmp	xmrig
behavioral2/memory/5520-562-0x00007FF755DB0000-0x00007FF7561A5000-memory.dmp	xmrig
behavioral2/memory/4568-544-0x00007FF655C60000-0x00007FF656055000-memory.dmp	xmrig
behavioral2/memory/4972-537-0x00007FF78C6B0000-0x00007FF78CAA5000-memory.dmp	xmrig
behavioral2/memory/1232-534-0x00007FF7EDFD0000-0x00007FF7EE3C5000-memory.dmp	xmrig
behavioral2/memory/3620-2407-0x00007FF731810000-0x00007FF731C05000-memory.dmp	xmrig
behavioral2/memory/2376-2526-0x00007FF642760000-0x00007FF642B55000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1520	HZSJZRK.exe
2376	oMrkBXm.exe
4328	BHTDmYL.exe
5204	pXBGlZJ.exe
1280	xFHnOsF.exe
5528	jKjqopv.exe
5196	pCJaOaP.exe
768	YrWrzcD.exe
5060	nsYHQOm.exe
1564	QXJSMha.exe
4056	usvgXHS.exe
4352	YsFITXV.exe
1800	iddnlZH.exe
3152	GaQxQFc.exe
5116	ZGFaDev.exe
5852	MChPDtb.exe
1232	TVLSQsn.exe
4972	OhTncCR.exe
2008	AGXEyja.exe
4568	HbgcuCU.exe
1396	iHyfmOJ.exe
4780	ZpMaZNK.exe
5712	GqgaYFS.exe
5520	GFMFIoe.exe
4392	bwhkxgW.exe
5532	seJjMzv.exe
3188	JTBpMZL.exe
5044	JEaaSbW.exe
5748	Gbxwmzt.exe
880	otQiTyU.exe
4796	belylNJ.exe
2152	TDpCVvb.exe
2872	bIyNqPS.exe
4024	TedLCAX.exe
640	RwFgAqy.exe
6080	MeETSSI.exe
368	ovcyAXN.exe
2308	agPHEgu.exe
3216	vfBAhQv.exe
1980	YwjCIRA.exe
3960	sqhyUqu.exe
4776	hRGcCla.exe
3992	CdLRgKo.exe
2904	FhRbFbf.exe
2000	SgUssty.exe
872	MDCEoEn.exe
5188	HdwEbHE.exe
4552	KSVTAst.exe
4432	dxGTZCn.exe
3460	hHsdHvp.exe
1916	ZkFxcym.exe
5824	RsbKZMz.exe
4704	OrrFdlK.exe
4408	TJrXRYQ.exe
1672	xdGIaTE.exe
1964	DBLrrYy.exe
1424	rnppeER.exe
1052	TKJPGmP.exe
544	GhFHBGA.exe
1720	xpVEIZb.exe
5708	qZDZfyw.exe
1816	jgsVqdV.exe
5008	PGSsNhN.exe
3468	jedMSip.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3620-0-0x00007FF731810000-0x00007FF731C05000-memory.dmp	upx
behavioral2/files/0x0009000000023418-5.dat	upx
behavioral2/files/0x000700000002341f-8.dat	upx
behavioral2/files/0x0007000000023420-9.dat	upx
behavioral2/files/0x0007000000023421-21.dat	upx
behavioral2/files/0x0007000000023424-38.dat	upx
behavioral2/files/0x0007000000023426-48.dat	upx
behavioral2/files/0x0007000000023427-53.dat	upx
behavioral2/files/0x000700000002342c-76.dat	upx
behavioral2/files/0x000700000002342d-83.dat	upx
behavioral2/files/0x000700000002342f-93.dat	upx
behavioral2/files/0x0007000000023430-98.dat	upx
behavioral2/files/0x0007000000023433-111.dat	upx
behavioral2/files/0x0007000000023436-126.dat	upx
behavioral2/files/0x0007000000023438-136.dat	upx
behavioral2/files/0x000700000002343a-146.dat	upx
behavioral2/files/0x000700000002343c-158.dat	upx
behavioral2/memory/4328-492-0x00007FF65C6E0000-0x00007FF65CAD5000-memory.dmp	upx
behavioral2/memory/1280-493-0x00007FF68AB80000-0x00007FF68AF75000-memory.dmp	upx
behavioral2/memory/5528-494-0x00007FF724BB0000-0x00007FF724FA5000-memory.dmp	upx
behavioral2/memory/5196-495-0x00007FF729810000-0x00007FF729C05000-memory.dmp	upx
behavioral2/memory/768-496-0x00007FF60EFC0000-0x00007FF60F3B5000-memory.dmp	upx
behavioral2/memory/1564-498-0x00007FF7279F0000-0x00007FF727DE5000-memory.dmp	upx
behavioral2/memory/5060-497-0x00007FF7B1EB0000-0x00007FF7B22A5000-memory.dmp	upx
behavioral2/files/0x000700000002343d-163.dat	upx
behavioral2/files/0x000700000002343b-153.dat	upx
behavioral2/files/0x0007000000023439-143.dat	upx
behavioral2/files/0x0007000000023437-133.dat	upx
behavioral2/files/0x0007000000023435-123.dat	upx
behavioral2/files/0x0007000000023434-118.dat	upx
behavioral2/memory/4056-499-0x00007FF7418A0000-0x00007FF741C95000-memory.dmp	upx
behavioral2/files/0x0007000000023432-108.dat	upx
behavioral2/files/0x0007000000023431-103.dat	upx
behavioral2/files/0x000700000002342e-88.dat	upx
behavioral2/files/0x000700000002342b-73.dat	upx
behavioral2/files/0x000700000002342a-68.dat	upx
behavioral2/files/0x0007000000023429-63.dat	upx
behavioral2/files/0x0007000000023428-58.dat	upx
behavioral2/files/0x0007000000023425-43.dat	upx
behavioral2/files/0x0007000000023423-33.dat	upx
behavioral2/files/0x0007000000023422-28.dat	upx
behavioral2/memory/2376-15-0x00007FF642760000-0x00007FF642B55000-memory.dmp	upx
behavioral2/memory/1520-7-0x00007FF69A050000-0x00007FF69A445000-memory.dmp	upx
behavioral2/memory/1800-510-0x00007FF7E91F0000-0x00007FF7E95E5000-memory.dmp	upx
behavioral2/memory/3152-516-0x00007FF661A10000-0x00007FF661E05000-memory.dmp	upx
behavioral2/memory/5116-523-0x00007FF72E170000-0x00007FF72E565000-memory.dmp	upx
behavioral2/memory/5852-527-0x00007FF7AEC50000-0x00007FF7AF045000-memory.dmp	upx
behavioral2/memory/4352-503-0x00007FF7E27C0000-0x00007FF7E2BB5000-memory.dmp	upx
behavioral2/memory/2008-541-0x00007FF64ACE0000-0x00007FF64B0D5000-memory.dmp	upx
behavioral2/memory/4780-555-0x00007FF749AD0000-0x00007FF749EC5000-memory.dmp	upx
behavioral2/memory/5712-561-0x00007FF685E30000-0x00007FF686225000-memory.dmp	upx
behavioral2/memory/1396-551-0x00007FF6CB360000-0x00007FF6CB755000-memory.dmp	upx
behavioral2/memory/5204-569-0x00007FF656F70000-0x00007FF657365000-memory.dmp	upx
behavioral2/memory/5520-562-0x00007FF755DB0000-0x00007FF7561A5000-memory.dmp	upx
behavioral2/memory/4568-544-0x00007FF655C60000-0x00007FF656055000-memory.dmp	upx
behavioral2/memory/4972-537-0x00007FF78C6B0000-0x00007FF78CAA5000-memory.dmp	upx
behavioral2/memory/1232-534-0x00007FF7EDFD0000-0x00007FF7EE3C5000-memory.dmp	upx
behavioral2/memory/3620-2407-0x00007FF731810000-0x00007FF731C05000-memory.dmp	upx
behavioral2/memory/2376-2526-0x00007FF642760000-0x00007FF642B55000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\UdXqJTm.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZFzVhVW.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\VYhQULn.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\YyVcUxk.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\spARjPX.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ijcXmyj.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\hHnYRby.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\BErjPZg.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\VvDTHxD.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\DujNTcM.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\HhpPaMP.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\TDpCVvb.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ypgYtrC.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\sGxmigp.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\pkTwuMo.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\EqaYWQV.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\vNECtUG.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\bhbaSxK.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\wMHfDBS.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\mlogUng.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\aAsDmPl.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jWJvSEv.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\Gzssjpl.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\kCbMlNp.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\cqDOzlN.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\OEONPvj.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\ugSMgPd.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\pKFRhEH.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\qBkcZXY.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\AGXEyja.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\PQwBFap.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\Hpldhgl.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\hMnYTqU.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\kuGOvPD.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\bSvhAYe.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\gKepdTn.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\xEQvSJh.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\xclxczG.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\zWkHXYx.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\LIfVkdB.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\qMPimhv.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\AYLoKKf.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\zcfhxaR.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\KndrMbj.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\MoWGmkI.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\YUcLWGT.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\hDYCsON.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jFaDNrA.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\fDMfPMR.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\oCActgK.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\pBMoIyW.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\IkMHtvF.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\fQKRveu.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\TvzSsLT.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\wGFjBZr.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\qhVlxwc.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\MJgyBRc.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\FUoUzsq.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\TlwqHie.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jglPaor.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\IFToUcS.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\cKKhyRr.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jedMSip.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
File created	C:\Windows\System32\jyUeQeh.exe	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
14192	Process not Found
12392	Process not Found
13592	Process not Found
12372	Process not Found
4900	Process not Found
3964	Process not Found
4824	Process not Found
2300	Process not Found
4524	Process not Found
13452	Process not Found
13460	Process not Found
14316	Process not Found
13384	Process not Found
4980	Process not Found
3184	Process not Found
5460	Process not Found
3772	Process not Found
12828	Process not Found
864	Process not Found
4492	Process not Found
1456	Process not Found
13660	Process not Found
13584	Process not Found
3852	Process not Found
13632	Process not Found
4124	Process not Found
13668	Process not Found
5772	Process not Found
812	Process not Found
1292	Process not Found
13888	Process not Found
3292	Process not Found
2644	Process not Found
4384	Process not Found
4088	Process not Found
13892	Process not Found
14024	Process not Found
13968	Process not Found
4512	Process not Found
13852	Process not Found
14012	Process not Found
14028	Process not Found
9412	Process not Found
9644	Process not Found
10408	Process not Found
3064	Process not Found
1496	Process not Found
9684	Process not Found
9656	Process not Found
9476	Process not Found
9484	Process not Found
3116	Process not Found
14000	Process not Found
9480	Process not Found
14084	Process not Found
14164	Process not Found
3380	Process not Found
14044	Process not Found
1320	Process not Found
1264	Process not Found
5108	Process not Found
14180	Process not Found
680	Process not Found
13776	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12588	dwm.exe
Token: SeChangeNotifyPrivilege	12588	dwm.exe
Token: 33	12588	dwm.exe
Token: SeIncBasePriorityPrivilege	12588	dwm.exe
Token: SeCreateGlobalPrivilege	13136	dwm.exe
Token: SeChangeNotifyPrivilege	13136	dwm.exe
Token: 33	13136	dwm.exe
Token: SeIncBasePriorityPrivilege	13136	dwm.exe
Token: SeCreateGlobalPrivilege	13428	dwm.exe
Token: SeChangeNotifyPrivilege	13428	dwm.exe
Token: 33	13428	dwm.exe
Token: SeIncBasePriorityPrivilege	13428	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1520	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	83
PID 3620 wrote to memory of 1520	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	83
PID 3620 wrote to memory of 2376	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	84
PID 3620 wrote to memory of 2376	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	84
PID 3620 wrote to memory of 4328	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	85
PID 3620 wrote to memory of 4328	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	85
PID 3620 wrote to memory of 5204	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	86
PID 3620 wrote to memory of 5204	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	86
PID 3620 wrote to memory of 1280	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	87
PID 3620 wrote to memory of 1280	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	87
PID 3620 wrote to memory of 5528	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	88
PID 3620 wrote to memory of 5528	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	88
PID 3620 wrote to memory of 5196	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	89
PID 3620 wrote to memory of 5196	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	89
PID 3620 wrote to memory of 768	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	90
PID 3620 wrote to memory of 768	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	90
PID 3620 wrote to memory of 5060	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	91
PID 3620 wrote to memory of 5060	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	91
PID 3620 wrote to memory of 1564	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	92
PID 3620 wrote to memory of 1564	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	92
PID 3620 wrote to memory of 4056	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	93
PID 3620 wrote to memory of 4056	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	93
PID 3620 wrote to memory of 4352	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	94
PID 3620 wrote to memory of 4352	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	94
PID 3620 wrote to memory of 1800	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	95
PID 3620 wrote to memory of 1800	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	95
PID 3620 wrote to memory of 3152	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	96
PID 3620 wrote to memory of 3152	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	96
PID 3620 wrote to memory of 5116	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	97
PID 3620 wrote to memory of 5116	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	97
PID 3620 wrote to memory of 5852	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	98
PID 3620 wrote to memory of 5852	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	98
PID 3620 wrote to memory of 1232	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	99
PID 3620 wrote to memory of 1232	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	99
PID 3620 wrote to memory of 4972	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	100
PID 3620 wrote to memory of 4972	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	100
PID 3620 wrote to memory of 2008	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	101
PID 3620 wrote to memory of 2008	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	101
PID 3620 wrote to memory of 4568	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	102
PID 3620 wrote to memory of 4568	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	102
PID 3620 wrote to memory of 1396	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	103
PID 3620 wrote to memory of 1396	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	103
PID 3620 wrote to memory of 4780	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	104
PID 3620 wrote to memory of 4780	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	104
PID 3620 wrote to memory of 5712	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	105
PID 3620 wrote to memory of 5712	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	105
PID 3620 wrote to memory of 5520	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	106
PID 3620 wrote to memory of 5520	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	106
PID 3620 wrote to memory of 4392	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	107
PID 3620 wrote to memory of 4392	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	107
PID 3620 wrote to memory of 5532	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	108
PID 3620 wrote to memory of 5532	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	108
PID 3620 wrote to memory of 3188	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	109
PID 3620 wrote to memory of 3188	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	109
PID 3620 wrote to memory of 5044	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	110
PID 3620 wrote to memory of 5044	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	110
PID 3620 wrote to memory of 5748	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	111
PID 3620 wrote to memory of 5748	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	111
PID 3620 wrote to memory of 880	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	112
PID 3620 wrote to memory of 880	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	112
PID 3620 wrote to memory of 4796	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	113
PID 3620 wrote to memory of 4796	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	113
PID 3620 wrote to memory of 2152	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	114
PID 3620 wrote to memory of 2152	3620	48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\48afda054ee4476042635bf30340afd0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System32\HZSJZRK.exe
  C:\Windows\System32\HZSJZRK.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\oMrkBXm.exe
  C:\Windows\System32\oMrkBXm.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System32\BHTDmYL.exe
  C:\Windows\System32\BHTDmYL.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\pXBGlZJ.exe
  C:\Windows\System32\pXBGlZJ.exe
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Windows\System32\xFHnOsF.exe
  C:\Windows\System32\xFHnOsF.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\jKjqopv.exe
  C:\Windows\System32\jKjqopv.exe
  2⤵
  - Executes dropped EXE
  PID:5528
- C:\Windows\System32\pCJaOaP.exe
  C:\Windows\System32\pCJaOaP.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System32\YrWrzcD.exe
  C:\Windows\System32\YrWrzcD.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\nsYHQOm.exe
  C:\Windows\System32\nsYHQOm.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\QXJSMha.exe
  C:\Windows\System32\QXJSMha.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\usvgXHS.exe
  C:\Windows\System32\usvgXHS.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\YsFITXV.exe
  C:\Windows\System32\YsFITXV.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\iddnlZH.exe
  C:\Windows\System32\iddnlZH.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\GaQxQFc.exe
  C:\Windows\System32\GaQxQFc.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\ZGFaDev.exe
  C:\Windows\System32\ZGFaDev.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\MChPDtb.exe
  C:\Windows\System32\MChPDtb.exe
  2⤵
  - Executes dropped EXE
  PID:5852
- C:\Windows\System32\TVLSQsn.exe
  C:\Windows\System32\TVLSQsn.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\OhTncCR.exe
  C:\Windows\System32\OhTncCR.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\AGXEyja.exe
  C:\Windows\System32\AGXEyja.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\HbgcuCU.exe
  C:\Windows\System32\HbgcuCU.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\iHyfmOJ.exe
  C:\Windows\System32\iHyfmOJ.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System32\ZpMaZNK.exe
  C:\Windows\System32\ZpMaZNK.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\GqgaYFS.exe
  C:\Windows\System32\GqgaYFS.exe
  2⤵
  - Executes dropped EXE
  PID:5712
- C:\Windows\System32\GFMFIoe.exe
  C:\Windows\System32\GFMFIoe.exe
  2⤵
  - Executes dropped EXE
  PID:5520
- C:\Windows\System32\bwhkxgW.exe
  C:\Windows\System32\bwhkxgW.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\seJjMzv.exe
  C:\Windows\System32\seJjMzv.exe
  2⤵
  - Executes dropped EXE
  PID:5532
- C:\Windows\System32\JTBpMZL.exe
  C:\Windows\System32\JTBpMZL.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\JEaaSbW.exe
  C:\Windows\System32\JEaaSbW.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\Gbxwmzt.exe
  C:\Windows\System32\Gbxwmzt.exe
  2⤵
  - Executes dropped EXE
  PID:5748
- C:\Windows\System32\otQiTyU.exe
  C:\Windows\System32\otQiTyU.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System32\belylNJ.exe
  C:\Windows\System32\belylNJ.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\TDpCVvb.exe
  C:\Windows\System32\TDpCVvb.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System32\bIyNqPS.exe
  C:\Windows\System32\bIyNqPS.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\TedLCAX.exe
  C:\Windows\System32\TedLCAX.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\RwFgAqy.exe
  C:\Windows\System32\RwFgAqy.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\MeETSSI.exe
  C:\Windows\System32\MeETSSI.exe
  2⤵
  - Executes dropped EXE
  PID:6080
- C:\Windows\System32\ovcyAXN.exe
  C:\Windows\System32\ovcyAXN.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\agPHEgu.exe
  C:\Windows\System32\agPHEgu.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\vfBAhQv.exe
  C:\Windows\System32\vfBAhQv.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\YwjCIRA.exe
  C:\Windows\System32\YwjCIRA.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\sqhyUqu.exe
  C:\Windows\System32\sqhyUqu.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System32\hRGcCla.exe
  C:\Windows\System32\hRGcCla.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\CdLRgKo.exe
  C:\Windows\System32\CdLRgKo.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\FhRbFbf.exe
  C:\Windows\System32\FhRbFbf.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\SgUssty.exe
  C:\Windows\System32\SgUssty.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\MDCEoEn.exe
  C:\Windows\System32\MDCEoEn.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\HdwEbHE.exe
  C:\Windows\System32\HdwEbHE.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\System32\KSVTAst.exe
  C:\Windows\System32\KSVTAst.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\dxGTZCn.exe
  C:\Windows\System32\dxGTZCn.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\hHsdHvp.exe
  C:\Windows\System32\hHsdHvp.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\ZkFxcym.exe
  C:\Windows\System32\ZkFxcym.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\RsbKZMz.exe
  C:\Windows\System32\RsbKZMz.exe
  2⤵
  - Executes dropped EXE
  PID:5824
- C:\Windows\System32\OrrFdlK.exe
  C:\Windows\System32\OrrFdlK.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\TJrXRYQ.exe
  C:\Windows\System32\TJrXRYQ.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\xdGIaTE.exe
  C:\Windows\System32\xdGIaTE.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\DBLrrYy.exe
  C:\Windows\System32\DBLrrYy.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\rnppeER.exe
  C:\Windows\System32\rnppeER.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\TKJPGmP.exe
  C:\Windows\System32\TKJPGmP.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System32\GhFHBGA.exe
  C:\Windows\System32\GhFHBGA.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\xpVEIZb.exe
  C:\Windows\System32\xpVEIZb.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\qZDZfyw.exe
  C:\Windows\System32\qZDZfyw.exe
  2⤵
  - Executes dropped EXE
  PID:5708
- C:\Windows\System32\jgsVqdV.exe
  C:\Windows\System32\jgsVqdV.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System32\PGSsNhN.exe
  C:\Windows\System32\PGSsNhN.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\jedMSip.exe
  C:\Windows\System32\jedMSip.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System32\oAdHZpe.exe
  C:\Windows\System32\oAdHZpe.exe
  2⤵
  PID:1848
- C:\Windows\System32\gzyCpbo.exe
  C:\Windows\System32\gzyCpbo.exe
  2⤵
  PID:944
- C:\Windows\System32\qhVlxwc.exe
  C:\Windows\System32\qhVlxwc.exe
  2⤵
  PID:2604
- C:\Windows\System32\rNyJRWu.exe
  C:\Windows\System32\rNyJRWu.exe
  2⤵
  PID:5056
- C:\Windows\System32\DKeXUSL.exe
  C:\Windows\System32\DKeXUSL.exe
  2⤵
  PID:3432
- C:\Windows\System32\XSuZaDI.exe
  C:\Windows\System32\XSuZaDI.exe
  2⤵
  PID:3312
- C:\Windows\System32\KYudVJV.exe
  C:\Windows\System32\KYudVJV.exe
  2⤵
  PID:4600
- C:\Windows\System32\MdwmMBv.exe
  C:\Windows\System32\MdwmMBv.exe
  2⤵
  PID:2236
- C:\Windows\System32\Evdiyhx.exe
  C:\Windows\System32\Evdiyhx.exe
  2⤵
  PID:220
- C:\Windows\System32\SkbDkMy.exe
  C:\Windows\System32\SkbDkMy.exe
  2⤵
  PID:2800
- C:\Windows\System32\aUVQTmJ.exe
  C:\Windows\System32\aUVQTmJ.exe
  2⤵
  PID:1856
- C:\Windows\System32\zVXfIdO.exe
  C:\Windows\System32\zVXfIdO.exe
  2⤵
  PID:1656
- C:\Windows\System32\frrVoqw.exe
  C:\Windows\System32\frrVoqw.exe
  2⤵
  PID:1332
- C:\Windows\System32\kBwsfzi.exe
  C:\Windows\System32\kBwsfzi.exe
  2⤵
  PID:5232
- C:\Windows\System32\gCPMTlm.exe
  C:\Windows\System32\gCPMTlm.exe
  2⤵
  PID:1952
- C:\Windows\System32\OPlXMCO.exe
  C:\Windows\System32\OPlXMCO.exe
  2⤵
  PID:6140
- C:\Windows\System32\yBZGKJj.exe
  C:\Windows\System32\yBZGKJj.exe
  2⤵
  PID:3068
- C:\Windows\System32\QdCtfcz.exe
  C:\Windows\System32\QdCtfcz.exe
  2⤵
  PID:464
- C:\Windows\System32\tHTzWoH.exe
  C:\Windows\System32\tHTzWoH.exe
  2⤵
  PID:4768
- C:\Windows\System32\RvbrEmT.exe
  C:\Windows\System32\RvbrEmT.exe
  2⤵
  PID:1048
- C:\Windows\System32\ijcXmyj.exe
  C:\Windows\System32\ijcXmyj.exe
  2⤵
  PID:4232
- C:\Windows\System32\TOzXmTD.exe
  C:\Windows\System32\TOzXmTD.exe
  2⤵
  PID:5432
- C:\Windows\System32\iGaUXpl.exe
  C:\Windows\System32\iGaUXpl.exe
  2⤵
  PID:4480
- C:\Windows\System32\VYhQULn.exe
  C:\Windows\System32\VYhQULn.exe
  2⤵
  PID:5896
- C:\Windows\System32\OeqWPPy.exe
  C:\Windows\System32\OeqWPPy.exe
  2⤵
  PID:2688
- C:\Windows\System32\CEMeoth.exe
  C:\Windows\System32\CEMeoth.exe
  2⤵
  PID:3868
- C:\Windows\System32\xIZrJLz.exe
  C:\Windows\System32\xIZrJLz.exe
  2⤵
  PID:608
- C:\Windows\System32\IkMHtvF.exe
  C:\Windows\System32\IkMHtvF.exe
  2⤵
  PID:4072
- C:\Windows\System32\JcrHgRr.exe
  C:\Windows\System32\JcrHgRr.exe
  2⤵
  PID:4144
- C:\Windows\System32\aDBTWFX.exe
  C:\Windows\System32\aDBTWFX.exe
  2⤵
  PID:5876
- C:\Windows\System32\EfCqfcg.exe
  C:\Windows\System32\EfCqfcg.exe
  2⤵
  PID:1200
- C:\Windows\System32\LIfVkdB.exe
  C:\Windows\System32\LIfVkdB.exe
  2⤵
  PID:3788
- C:\Windows\System32\WoxZtup.exe
  C:\Windows\System32\WoxZtup.exe
  2⤵
  PID:5644
- C:\Windows\System32\yUyHCPw.exe
  C:\Windows\System32\yUyHCPw.exe
  2⤵
  PID:5332
- C:\Windows\System32\hVBcwle.exe
  C:\Windows\System32\hVBcwle.exe
  2⤵
  PID:5740
- C:\Windows\System32\AYLoKKf.exe
  C:\Windows\System32\AYLoKKf.exe
  2⤵
  PID:1616
- C:\Windows\System32\HoqOcbU.exe
  C:\Windows\System32\HoqOcbU.exe
  2⤵
  PID:4040
- C:\Windows\System32\lJrvpck.exe
  C:\Windows\System32\lJrvpck.exe
  2⤵
  PID:3908
- C:\Windows\System32\VElLCPF.exe
  C:\Windows\System32\VElLCPF.exe
  2⤵
  PID:4916
- C:\Windows\System32\vMqjNko.exe
  C:\Windows\System32\vMqjNko.exe
  2⤵
  PID:888
- C:\Windows\System32\FhgwzUA.exe
  C:\Windows\System32\FhgwzUA.exe
  2⤵
  PID:4692
- C:\Windows\System32\tzMndNr.exe
  C:\Windows\System32\tzMndNr.exe
  2⤵
  PID:3644
- C:\Windows\System32\XdNebKr.exe
  C:\Windows\System32\XdNebKr.exe
  2⤵
  PID:2372
- C:\Windows\System32\tVxiHSg.exe
  C:\Windows\System32\tVxiHSg.exe
  2⤵
  PID:524
- C:\Windows\System32\ScgmrAS.exe
  C:\Windows\System32\ScgmrAS.exe
  2⤵
  PID:5272
- C:\Windows\System32\fZydEKx.exe
  C:\Windows\System32\fZydEKx.exe
  2⤵
  PID:5672
- C:\Windows\System32\QiHQqkA.exe
  C:\Windows\System32\QiHQqkA.exe
  2⤵
  PID:4240
- C:\Windows\System32\lYNUvKF.exe
  C:\Windows\System32\lYNUvKF.exe
  2⤵
  PID:1900
- C:\Windows\System32\Gzssjpl.exe
  C:\Windows\System32\Gzssjpl.exe
  2⤵
  PID:6052
- C:\Windows\System32\bEVmGZO.exe
  C:\Windows\System32\bEVmGZO.exe
  2⤵
  PID:4624
- C:\Windows\System32\KfLDIWN.exe
  C:\Windows\System32\KfLDIWN.exe
  2⤵
  PID:2316
- C:\Windows\System32\dKfXOpY.exe
  C:\Windows\System32\dKfXOpY.exe
  2⤵
  PID:1972
- C:\Windows\System32\QLZhHGo.exe
  C:\Windows\System32\QLZhHGo.exe
  2⤵
  PID:4696
- C:\Windows\System32\TXyJJrK.exe
  C:\Windows\System32\TXyJJrK.exe
  2⤵
  PID:4836
- C:\Windows\System32\xIfmGOv.exe
  C:\Windows\System32\xIfmGOv.exe
  2⤵
  PID:3148
- C:\Windows\System32\ZhOArGi.exe
  C:\Windows\System32\ZhOArGi.exe
  2⤵
  PID:5508
- C:\Windows\System32\WEVCpop.exe
  C:\Windows\System32\WEVCpop.exe
  2⤵
  PID:1512
- C:\Windows\System32\OIwfwNW.exe
  C:\Windows\System32\OIwfwNW.exe
  2⤵
  PID:4004
- C:\Windows\System32\jyUeQeh.exe
  C:\Windows\System32\jyUeQeh.exe
  2⤵
  PID:4944
- C:\Windows\System32\AwedRlO.exe
  C:\Windows\System32\AwedRlO.exe
  2⤵
  PID:3500
- C:\Windows\System32\FgHrRMg.exe
  C:\Windows\System32\FgHrRMg.exe
  2⤵
  PID:3700
- C:\Windows\System32\JtPZWwY.exe
  C:\Windows\System32\JtPZWwY.exe
  2⤵
  PID:1080
- C:\Windows\System32\GlcSrai.exe
  C:\Windows\System32\GlcSrai.exe
  2⤵
  PID:5072
- C:\Windows\System32\gTMckRU.exe
  C:\Windows\System32\gTMckRU.exe
  2⤵
  PID:4068
- C:\Windows\System32\pFMEHGm.exe
  C:\Windows\System32\pFMEHGm.exe
  2⤵
  PID:5224
- C:\Windows\System32\WrBZaNT.exe
  C:\Windows\System32\WrBZaNT.exe
  2⤵
  PID:2592
- C:\Windows\System32\psjHQvU.exe
  C:\Windows\System32\psjHQvU.exe
  2⤵
  PID:2560
- C:\Windows\System32\CgdnZUb.exe
  C:\Windows\System32\CgdnZUb.exe
  2⤵
  PID:4372
- C:\Windows\System32\oIocyrz.exe
  C:\Windows\System32\oIocyrz.exe
  2⤵
  PID:3520
- C:\Windows\System32\MoWGmkI.exe
  C:\Windows\System32\MoWGmkI.exe
  2⤵
  PID:2748
- C:\Windows\System32\AAWEDUb.exe
  C:\Windows\System32\AAWEDUb.exe
  2⤵
  PID:5300
- C:\Windows\System32\fEdCubW.exe
  C:\Windows\System32\fEdCubW.exe
  2⤵
  PID:5780
- C:\Windows\System32\pwrQvnI.exe
  C:\Windows\System32\pwrQvnI.exe
  2⤵
  PID:3132
- C:\Windows\System32\rlZadlB.exe
  C:\Windows\System32\rlZadlB.exe
  2⤵
  PID:4964
- C:\Windows\System32\RwLCgmt.exe
  C:\Windows\System32\RwLCgmt.exe
  2⤵
  PID:5812
- C:\Windows\System32\rISpDcE.exe
  C:\Windows\System32\rISpDcE.exe
  2⤵
  PID:2144
- C:\Windows\System32\OoERckn.exe
  C:\Windows\System32\OoERckn.exe
  2⤵
  PID:5668
- C:\Windows\System32\AOWxIZs.exe
  C:\Windows\System32\AOWxIZs.exe
  2⤵
  PID:5884
- C:\Windows\System32\zJXyxMo.exe
  C:\Windows\System32\zJXyxMo.exe
  2⤵
  PID:1472
- C:\Windows\System32\KxkNxAf.exe
  C:\Windows\System32\KxkNxAf.exe
  2⤵
  PID:5180
- C:\Windows\System32\JLkhgKL.exe
  C:\Windows\System32\JLkhgKL.exe
  2⤵
  PID:2996
- C:\Windows\System32\qwAMyJv.exe
  C:\Windows\System32\qwAMyJv.exe
  2⤵
  PID:5464
- C:\Windows\System32\dkHkSvx.exe
  C:\Windows\System32\dkHkSvx.exe
  2⤵
  PID:2444
- C:\Windows\System32\IuzhMRi.exe
  C:\Windows\System32\IuzhMRi.exe
  2⤵
  PID:2536
- C:\Windows\System32\VMVHvhu.exe
  C:\Windows\System32\VMVHvhu.exe
  2⤵
  PID:3948
- C:\Windows\System32\SmTyBZH.exe
  C:\Windows\System32\SmTyBZH.exe
  2⤵
  PID:3716
- C:\Windows\System32\DkSScQY.exe
  C:\Windows\System32\DkSScQY.exe
  2⤵
  PID:4844
- C:\Windows\System32\DeuIpIZ.exe
  C:\Windows\System32\DeuIpIZ.exe
  2⤵
  PID:3424
- C:\Windows\System32\nyteTLS.exe
  C:\Windows\System32\nyteTLS.exe
  2⤵
  PID:3804
- C:\Windows\System32\ueiSJaJ.exe
  C:\Windows\System32\ueiSJaJ.exe
  2⤵
  PID:3328
- C:\Windows\System32\XVgWWzE.exe
  C:\Windows\System32\XVgWWzE.exe
  2⤵
  PID:3564
- C:\Windows\System32\TKnAUjj.exe
  C:\Windows\System32\TKnAUjj.exe
  2⤵
  PID:2584
- C:\Windows\System32\kecvqiT.exe
  C:\Windows\System32\kecvqiT.exe
  2⤵
  PID:5516
- C:\Windows\System32\EvDrzNK.exe
  C:\Windows\System32\EvDrzNK.exe
  2⤵
  PID:5616
- C:\Windows\System32\mndmkfK.exe
  C:\Windows\System32\mndmkfK.exe
  2⤵
  PID:4556
- C:\Windows\System32\FNmiQCt.exe
  C:\Windows\System32\FNmiQCt.exe
  2⤵
  PID:4716
- C:\Windows\System32\pqqofFu.exe
  C:\Windows\System32\pqqofFu.exe
  2⤵
  PID:4464
- C:\Windows\System32\EFyJnEC.exe
  C:\Windows\System32\EFyJnEC.exe
  2⤵
  PID:4932
- C:\Windows\System32\juhpzaB.exe
  C:\Windows\System32\juhpzaB.exe
  2⤵
  PID:5604
- C:\Windows\System32\ZlDHdFC.exe
  C:\Windows\System32\ZlDHdFC.exe
  2⤵
  PID:5544
- C:\Windows\System32\SRQcVFc.exe
  C:\Windows\System32\SRQcVFc.exe
  2⤵
  PID:5904
- C:\Windows\System32\EjkmlIT.exe
  C:\Windows\System32\EjkmlIT.exe
  2⤵
  PID:3176
- C:\Windows\System32\rrnlJae.exe
  C:\Windows\System32\rrnlJae.exe
  2⤵
  PID:4700
- C:\Windows\System32\eNRyHSN.exe
  C:\Windows\System32\eNRyHSN.exe
  2⤵
  PID:2652
- C:\Windows\System32\mZhydzL.exe
  C:\Windows\System32\mZhydzL.exe
  2⤵
  PID:6148
- C:\Windows\System32\fgWuEQG.exe
  C:\Windows\System32\fgWuEQG.exe
  2⤵
  PID:6168
- C:\Windows\System32\jdXArgc.exe
  C:\Windows\System32\jdXArgc.exe
  2⤵
  PID:6204
- C:\Windows\System32\FHPQTwd.exe
  C:\Windows\System32\FHPQTwd.exe
  2⤵
  PID:6228
- C:\Windows\System32\FEPMyag.exe
  C:\Windows\System32\FEPMyag.exe
  2⤵
  PID:6264
- C:\Windows\System32\HRXavhX.exe
  C:\Windows\System32\HRXavhX.exe
  2⤵
  PID:6292
- C:\Windows\System32\aWTjDYJ.exe
  C:\Windows\System32\aWTjDYJ.exe
  2⤵
  PID:6332
- C:\Windows\System32\fHYiryy.exe
  C:\Windows\System32\fHYiryy.exe
  2⤵
  PID:6348
- C:\Windows\System32\YyIpsQy.exe
  C:\Windows\System32\YyIpsQy.exe
  2⤵
  PID:6376
- C:\Windows\System32\gedUSoF.exe
  C:\Windows\System32\gedUSoF.exe
  2⤵
  PID:6400
- C:\Windows\System32\xuBaVcG.exe
  C:\Windows\System32\xuBaVcG.exe
  2⤵
  PID:6432
- C:\Windows\System32\yyoaJbh.exe
  C:\Windows\System32\yyoaJbh.exe
  2⤵
  PID:6464
- C:\Windows\System32\gIueKqA.exe
  C:\Windows\System32\gIueKqA.exe
  2⤵
  PID:6492
- C:\Windows\System32\wTbqsnw.exe
  C:\Windows\System32\wTbqsnw.exe
  2⤵
  PID:6516
- C:\Windows\System32\iOhcRSl.exe
  C:\Windows\System32\iOhcRSl.exe
  2⤵
  PID:6548
- C:\Windows\System32\CSNbdSc.exe
  C:\Windows\System32\CSNbdSc.exe
  2⤵
  PID:6576
- C:\Windows\System32\DbiCeIE.exe
  C:\Windows\System32\DbiCeIE.exe
  2⤵
  PID:6608
- C:\Windows\System32\HzmwTHD.exe
  C:\Windows\System32\HzmwTHD.exe
  2⤵
  PID:6636
- C:\Windows\System32\TvzSsLT.exe
  C:\Windows\System32\TvzSsLT.exe
  2⤵
  PID:6680
- C:\Windows\System32\MJgyBRc.exe
  C:\Windows\System32\MJgyBRc.exe
  2⤵
  PID:6700
- C:\Windows\System32\OsKdQoX.exe
  C:\Windows\System32\OsKdQoX.exe
  2⤵
  PID:6720
- C:\Windows\System32\gsZttwm.exe
  C:\Windows\System32\gsZttwm.exe
  2⤵
  PID:6744
- C:\Windows\System32\qmoOKSK.exe
  C:\Windows\System32\qmoOKSK.exe
  2⤵
  PID:6792
- C:\Windows\System32\TYKaOTp.exe
  C:\Windows\System32\TYKaOTp.exe
  2⤵
  PID:6808
- C:\Windows\System32\nUuxEzt.exe
  C:\Windows\System32\nUuxEzt.exe
  2⤵
  PID:6852
- C:\Windows\System32\wDrVHZA.exe
  C:\Windows\System32\wDrVHZA.exe
  2⤵
  PID:6876
- C:\Windows\System32\LrFycPB.exe
  C:\Windows\System32\LrFycPB.exe
  2⤵
  PID:6916
- C:\Windows\System32\duiMnxY.exe
  C:\Windows\System32\duiMnxY.exe
  2⤵
  PID:6944
- C:\Windows\System32\QtKjByw.exe
  C:\Windows\System32\QtKjByw.exe
  2⤵
  PID:6972
- C:\Windows\System32\VzgbCWM.exe
  C:\Windows\System32\VzgbCWM.exe
  2⤵
  PID:6988
- C:\Windows\System32\miPuLPw.exe
  C:\Windows\System32\miPuLPw.exe
  2⤵
  PID:7020
- C:\Windows\System32\AjyDYUV.exe
  C:\Windows\System32\AjyDYUV.exe
  2⤵
  PID:7056
- C:\Windows\System32\aUbpGGW.exe
  C:\Windows\System32\aUbpGGW.exe
  2⤵
  PID:7072
- C:\Windows\System32\yTeGqYA.exe
  C:\Windows\System32\yTeGqYA.exe
  2⤵
  PID:7104
- C:\Windows\System32\PQllmdK.exe
  C:\Windows\System32\PQllmdK.exe
  2⤵
  PID:7152
- C:\Windows\System32\sKGCgHw.exe
  C:\Windows\System32\sKGCgHw.exe
  2⤵
  PID:4052
- C:\Windows\System32\BSZKDZM.exe
  C:\Windows\System32\BSZKDZM.exe
  2⤵
  PID:6156
- C:\Windows\System32\IFWFpsC.exe
  C:\Windows\System32\IFWFpsC.exe
  2⤵
  PID:6256
- C:\Windows\System32\rZEqVGO.exe
  C:\Windows\System32\rZEqVGO.exe
  2⤵
  PID:6304
- C:\Windows\System32\aErLsSZ.exe
  C:\Windows\System32\aErLsSZ.exe
  2⤵
  PID:6372
- C:\Windows\System32\JYdcXfC.exe
  C:\Windows\System32\JYdcXfC.exe
  2⤵
  PID:6452
- C:\Windows\System32\qQXoXbs.exe
  C:\Windows\System32\qQXoXbs.exe
  2⤵
  PID:6544
- C:\Windows\System32\gBjmzsA.exe
  C:\Windows\System32\gBjmzsA.exe
  2⤵
  PID:6620
- C:\Windows\System32\AsCGCVZ.exe
  C:\Windows\System32\AsCGCVZ.exe
  2⤵
  PID:6696
- C:\Windows\System32\yQOFUdq.exe
  C:\Windows\System32\yQOFUdq.exe
  2⤵
  PID:6760
- C:\Windows\System32\aHgwjru.exe
  C:\Windows\System32\aHgwjru.exe
  2⤵
  PID:6904
- C:\Windows\System32\wYvnIBG.exe
  C:\Windows\System32\wYvnIBG.exe
  2⤵
  PID:6980
- C:\Windows\System32\TlLOyDR.exe
  C:\Windows\System32\TlLOyDR.exe
  2⤵
  PID:6860
- C:\Windows\System32\boxWWDF.exe
  C:\Windows\System32\boxWWDF.exe
  2⤵
  PID:7096
- C:\Windows\System32\JxsDbpi.exe
  C:\Windows\System32\JxsDbpi.exe
  2⤵
  PID:6180
- C:\Windows\System32\liPqQeL.exe
  C:\Windows\System32\liPqQeL.exe
  2⤵
  PID:5652
- C:\Windows\System32\rSghprY.exe
  C:\Windows\System32\rSghprY.exe
  2⤵
  PID:6320
- C:\Windows\System32\FMdwqFE.exe
  C:\Windows\System32\FMdwqFE.exe
  2⤵
  PID:6624
- C:\Windows\System32\URvOTMp.exe
  C:\Windows\System32\URvOTMp.exe
  2⤵
  PID:6804
- C:\Windows\System32\wheEjxh.exe
  C:\Windows\System32\wheEjxh.exe
  2⤵
  PID:7052
- C:\Windows\System32\iKAEkQL.exe
  C:\Windows\System32\iKAEkQL.exe
  2⤵
  PID:7140
- C:\Windows\System32\JWkizME.exe
  C:\Windows\System32\JWkizME.exe
  2⤵
  PID:6340
- C:\Windows\System32\hHnYRby.exe
  C:\Windows\System32\hHnYRby.exe
  2⤵
  PID:6956
- C:\Windows\System32\xbQDgmp.exe
  C:\Windows\System32\xbQDgmp.exe
  2⤵
  PID:6448
- C:\Windows\System32\rrsiypQ.exe
  C:\Windows\System32\rrsiypQ.exe
  2⤵
  PID:7196
- C:\Windows\System32\HrezTNr.exe
  C:\Windows\System32\HrezTNr.exe
  2⤵
  PID:7248
- C:\Windows\System32\HUzpkQA.exe
  C:\Windows\System32\HUzpkQA.exe
  2⤵
  PID:7276
- C:\Windows\System32\BErjPZg.exe
  C:\Windows\System32\BErjPZg.exe
  2⤵
  PID:7292
- C:\Windows\System32\bmslmZb.exe
  C:\Windows\System32\bmslmZb.exe
  2⤵
  PID:7320
- C:\Windows\System32\YAAmdOl.exe
  C:\Windows\System32\YAAmdOl.exe
  2⤵
  PID:7348
- C:\Windows\System32\EdvHsQT.exe
  C:\Windows\System32\EdvHsQT.exe
  2⤵
  PID:7372
- C:\Windows\System32\SFNorUX.exe
  C:\Windows\System32\SFNorUX.exe
  2⤵
  PID:7412
- C:\Windows\System32\mkXQGfW.exe
  C:\Windows\System32\mkXQGfW.exe
  2⤵
  PID:7436
- C:\Windows\System32\arufLto.exe
  C:\Windows\System32\arufLto.exe
  2⤵
  PID:7464
- C:\Windows\System32\XTVCNfU.exe
  C:\Windows\System32\XTVCNfU.exe
  2⤵
  PID:7512
- C:\Windows\System32\QzxBbxh.exe
  C:\Windows\System32\QzxBbxh.exe
  2⤵
  PID:7532
- C:\Windows\System32\bhvRXsB.exe
  C:\Windows\System32\bhvRXsB.exe
  2⤵
  PID:7556
- C:\Windows\System32\OEONPvj.exe
  C:\Windows\System32\OEONPvj.exe
  2⤵
  PID:7592
- C:\Windows\System32\DwNLPeN.exe
  C:\Windows\System32\DwNLPeN.exe
  2⤵
  PID:7624
- C:\Windows\System32\LBCeSkM.exe
  C:\Windows\System32\LBCeSkM.exe
  2⤵
  PID:7652
- C:\Windows\System32\UonojUR.exe
  C:\Windows\System32\UonojUR.exe
  2⤵
  PID:7668
- C:\Windows\System32\Xwroint.exe
  C:\Windows\System32\Xwroint.exe
  2⤵
  PID:7708
- C:\Windows\System32\iJyGhny.exe
  C:\Windows\System32\iJyGhny.exe
  2⤵
  PID:7736
- C:\Windows\System32\IdZUmPr.exe
  C:\Windows\System32\IdZUmPr.exe
  2⤵
  PID:7768
- C:\Windows\System32\GncjyFL.exe
  C:\Windows\System32\GncjyFL.exe
  2⤵
  PID:7792
- C:\Windows\System32\AUpKGIX.exe
  C:\Windows\System32\AUpKGIX.exe
  2⤵
  PID:7820
- C:\Windows\System32\ohMlfLZ.exe
  C:\Windows\System32\ohMlfLZ.exe
  2⤵
  PID:7848
- C:\Windows\System32\hBWSAnD.exe
  C:\Windows\System32\hBWSAnD.exe
  2⤵
  PID:7868
- C:\Windows\System32\MEspYtp.exe
  C:\Windows\System32\MEspYtp.exe
  2⤵
  PID:7884
- C:\Windows\System32\WkRNjyL.exe
  C:\Windows\System32\WkRNjyL.exe
  2⤵
  PID:7904
- C:\Windows\System32\rRUwiLB.exe
  C:\Windows\System32\rRUwiLB.exe
  2⤵
  PID:7972
- C:\Windows\System32\bpOWdLG.exe
  C:\Windows\System32\bpOWdLG.exe
  2⤵
  PID:7992
- C:\Windows\System32\VabcoeX.exe
  C:\Windows\System32\VabcoeX.exe
  2⤵
  PID:8020
- C:\Windows\System32\tNhckIt.exe
  C:\Windows\System32\tNhckIt.exe
  2⤵
  PID:8048
- C:\Windows\System32\Dydecbn.exe
  C:\Windows\System32\Dydecbn.exe
  2⤵
  PID:8064
- C:\Windows\System32\EyyTJyU.exe
  C:\Windows\System32\EyyTJyU.exe
  2⤵
  PID:8092
- C:\Windows\System32\dpJdnPI.exe
  C:\Windows\System32\dpJdnPI.exe
  2⤵
  PID:8120
- C:\Windows\System32\OTYCVAP.exe
  C:\Windows\System32\OTYCVAP.exe
  2⤵
  PID:8160
- C:\Windows\System32\nZovjcT.exe
  C:\Windows\System32\nZovjcT.exe
  2⤵
  PID:8188
- C:\Windows\System32\VOdXrqp.exe
  C:\Windows\System32\VOdXrqp.exe
  2⤵
  PID:7184
- C:\Windows\System32\YiulXOn.exe
  C:\Windows\System32\YiulXOn.exe
  2⤵
  PID:7284
- C:\Windows\System32\BScNoRA.exe
  C:\Windows\System32\BScNoRA.exe
  2⤵
  PID:7340
- C:\Windows\System32\sEfwgqy.exe
  C:\Windows\System32\sEfwgqy.exe
  2⤵
  PID:7408
- C:\Windows\System32\zcfhxaR.exe
  C:\Windows\System32\zcfhxaR.exe
  2⤵
  PID:7480
- C:\Windows\System32\BaFDImN.exe
  C:\Windows\System32\BaFDImN.exe
  2⤵
  PID:7552
- C:\Windows\System32\ikiIsXW.exe
  C:\Windows\System32\ikiIsXW.exe
  2⤵
  PID:7616
- C:\Windows\System32\FvbRQXX.exe
  C:\Windows\System32\FvbRQXX.exe
  2⤵
  PID:7688
- C:\Windows\System32\YkHugRk.exe
  C:\Windows\System32\YkHugRk.exe
  2⤵
  PID:7704
- C:\Windows\System32\zeuzKNh.exe
  C:\Windows\System32\zeuzKNh.exe
  2⤵
  PID:7804
- C:\Windows\System32\qXXhqkx.exe
  C:\Windows\System32\qXXhqkx.exe
  2⤵
  PID:7840
- C:\Windows\System32\EEdGPUL.exe
  C:\Windows\System32\EEdGPUL.exe
  2⤵
  PID:7900
- C:\Windows\System32\tiqJFrx.exe
  C:\Windows\System32\tiqJFrx.exe
  2⤵
  PID:8004
- C:\Windows\System32\knBeMdH.exe
  C:\Windows\System32\knBeMdH.exe
  2⤵
  PID:8056
- C:\Windows\System32\eRzYWgZ.exe
  C:\Windows\System32\eRzYWgZ.exe
  2⤵
  PID:8132
- C:\Windows\System32\SGzqvla.exe
  C:\Windows\System32\SGzqvla.exe
  2⤵
  PID:7180
- C:\Windows\System32\WvinPVE.exe
  C:\Windows\System32\WvinPVE.exe
  2⤵
  PID:7312
- C:\Windows\System32\uYzswgX.exe
  C:\Windows\System32\uYzswgX.exe
  2⤵
  PID:7388
- C:\Windows\System32\lMnhYrg.exe
  C:\Windows\System32\lMnhYrg.exe
  2⤵
  PID:7584
- C:\Windows\System32\bzSuthJ.exe
  C:\Windows\System32\bzSuthJ.exe
  2⤵
  PID:6532
- C:\Windows\System32\IPtfPCk.exe
  C:\Windows\System32\IPtfPCk.exe
  2⤵
  PID:7960
- C:\Windows\System32\bAfUFHa.exe
  C:\Windows\System32\bAfUFHa.exe
  2⤵
  PID:8032
- C:\Windows\System32\wtOrdzT.exe
  C:\Windows\System32\wtOrdzT.exe
  2⤵
  PID:8184
- C:\Windows\System32\IAlNSoT.exe
  C:\Windows\System32\IAlNSoT.exe
  2⤵
  PID:7520
- C:\Windows\System32\vNECtUG.exe
  C:\Windows\System32\vNECtUG.exe
  2⤵
  PID:7948
- C:\Windows\System32\tzdDBFa.exe
  C:\Windows\System32\tzdDBFa.exe
  2⤵
  PID:7384
- C:\Windows\System32\WVQbSDd.exe
  C:\Windows\System32\WVQbSDd.exe
  2⤵
  PID:7460
- C:\Windows\System32\cJDLnxX.exe
  C:\Windows\System32\cJDLnxX.exe
  2⤵
  PID:8148
- C:\Windows\System32\swbyRDa.exe
  C:\Windows\System32\swbyRDa.exe
  2⤵
  PID:8224
- C:\Windows\System32\ZYLQWFj.exe
  C:\Windows\System32\ZYLQWFj.exe
  2⤵
  PID:8264
- C:\Windows\System32\ypgYtrC.exe
  C:\Windows\System32\ypgYtrC.exe
  2⤵
  PID:8288
- C:\Windows\System32\XXMSZMi.exe
  C:\Windows\System32\XXMSZMi.exe
  2⤵
  PID:8308
- C:\Windows\System32\gzsszJc.exe
  C:\Windows\System32\gzsszJc.exe
  2⤵
  PID:8344
- C:\Windows\System32\ajuGZvc.exe
  C:\Windows\System32\ajuGZvc.exe
  2⤵
  PID:8372
- C:\Windows\System32\ftwWRty.exe
  C:\Windows\System32\ftwWRty.exe
  2⤵
  PID:8404
- C:\Windows\System32\TfjZwiR.exe
  C:\Windows\System32\TfjZwiR.exe
  2⤵
  PID:8436
- C:\Windows\System32\wpKIsWj.exe
  C:\Windows\System32\wpKIsWj.exe
  2⤵
  PID:8464
- C:\Windows\System32\sTQcbGO.exe
  C:\Windows\System32\sTQcbGO.exe
  2⤵
  PID:8492
- C:\Windows\System32\bXtckTx.exe
  C:\Windows\System32\bXtckTx.exe
  2⤵
  PID:8508
- C:\Windows\System32\oIJRRCp.exe
  C:\Windows\System32\oIJRRCp.exe
  2⤵
  PID:8548
- C:\Windows\System32\fXdKKqI.exe
  C:\Windows\System32\fXdKKqI.exe
  2⤵
  PID:8576
- C:\Windows\System32\SrtZkoe.exe
  C:\Windows\System32\SrtZkoe.exe
  2⤵
  PID:8592
- C:\Windows\System32\BUNYIus.exe
  C:\Windows\System32\BUNYIus.exe
  2⤵
  PID:8632
- C:\Windows\System32\NtBnUGj.exe
  C:\Windows\System32\NtBnUGj.exe
  2⤵
  PID:8656
- C:\Windows\System32\XQzIgGY.exe
  C:\Windows\System32\XQzIgGY.exe
  2⤵
  PID:8700
- C:\Windows\System32\qYYCsap.exe
  C:\Windows\System32\qYYCsap.exe
  2⤵
  PID:8716
- C:\Windows\System32\cBbASjk.exe
  C:\Windows\System32\cBbASjk.exe
  2⤵
  PID:8744
- C:\Windows\System32\gKepdTn.exe
  C:\Windows\System32\gKepdTn.exe
  2⤵
  PID:8772
- C:\Windows\System32\uXPPmfV.exe
  C:\Windows\System32\uXPPmfV.exe
  2⤵
  PID:8800
- C:\Windows\System32\sgiwFFL.exe
  C:\Windows\System32\sgiwFFL.exe
  2⤵
  PID:8828
- C:\Windows\System32\GwqcFQq.exe
  C:\Windows\System32\GwqcFQq.exe
  2⤵
  PID:8856
- C:\Windows\System32\nIhQYxN.exe
  C:\Windows\System32\nIhQYxN.exe
  2⤵
  PID:8876
- C:\Windows\System32\aGYgBow.exe
  C:\Windows\System32\aGYgBow.exe
  2⤵
  PID:8912
- C:\Windows\System32\caaYpZG.exe
  C:\Windows\System32\caaYpZG.exe
  2⤵
  PID:8932
- C:\Windows\System32\BgomrvU.exe
  C:\Windows\System32\BgomrvU.exe
  2⤵
  PID:8956
- C:\Windows\System32\MMApynT.exe
  C:\Windows\System32\MMApynT.exe
  2⤵
  PID:8996
- C:\Windows\System32\sGxmigp.exe
  C:\Windows\System32\sGxmigp.exe
  2⤵
  PID:9024
- C:\Windows\System32\ejhjjkr.exe
  C:\Windows\System32\ejhjjkr.exe
  2⤵
  PID:9052
- C:\Windows\System32\QBlTSub.exe
  C:\Windows\System32\QBlTSub.exe
  2⤵
  PID:9068
- C:\Windows\System32\eqfsfsv.exe
  C:\Windows\System32\eqfsfsv.exe
  2⤵
  PID:9108
- C:\Windows\System32\XxfJWuY.exe
  C:\Windows\System32\XxfJWuY.exe
  2⤵
  PID:9148
- C:\Windows\System32\qbNoWtg.exe
  C:\Windows\System32\qbNoWtg.exe
  2⤵
  PID:9168
- C:\Windows\System32\bEFXefM.exe
  C:\Windows\System32\bEFXefM.exe
  2⤵
  PID:9196
- C:\Windows\System32\ZNCyEKP.exe
  C:\Windows\System32\ZNCyEKP.exe
  2⤵
  PID:8204
- C:\Windows\System32\EgRcclO.exe
  C:\Windows\System32\EgRcclO.exe
  2⤵
  PID:8244
- C:\Windows\System32\DZvIHLC.exe
  C:\Windows\System32\DZvIHLC.exe
  2⤵
  PID:8332
- C:\Windows\System32\AZvNYkd.exe
  C:\Windows\System32\AZvNYkd.exe
  2⤵
  PID:8388
- C:\Windows\System32\cqDOzlN.exe
  C:\Windows\System32\cqDOzlN.exe
  2⤵
  PID:8476
- C:\Windows\System32\txoKYCm.exe
  C:\Windows\System32\txoKYCm.exe
  2⤵
  PID:8536
- C:\Windows\System32\jAZqPxx.exe
  C:\Windows\System32\jAZqPxx.exe
  2⤵
  PID:8588
- C:\Windows\System32\deLvtEe.exe
  C:\Windows\System32\deLvtEe.exe
  2⤵
  PID:8648
- C:\Windows\System32\qqaDRWA.exe
  C:\Windows\System32\qqaDRWA.exe
  2⤵
  PID:8708
- C:\Windows\System32\psbFuQF.exe
  C:\Windows\System32\psbFuQF.exe
  2⤵
  PID:8816
- C:\Windows\System32\YUcLWGT.exe
  C:\Windows\System32\YUcLWGT.exe
  2⤵
  PID:8872
- C:\Windows\System32\jfrVTWk.exe
  C:\Windows\System32\jfrVTWk.exe
  2⤵
  PID:8908
- C:\Windows\System32\VMSNlzY.exe
  C:\Windows\System32\VMSNlzY.exe
  2⤵
  PID:8992
- C:\Windows\System32\dPlRgUs.exe
  C:\Windows\System32\dPlRgUs.exe
  2⤵
  PID:9044
- C:\Windows\System32\kAXlDJg.exe
  C:\Windows\System32\kAXlDJg.exe
  2⤵
  PID:9164
- C:\Windows\System32\MRrgphZ.exe
  C:\Windows\System32\MRrgphZ.exe
  2⤵
  PID:9180
- C:\Windows\System32\aAsDmPl.exe
  C:\Windows\System32\aAsDmPl.exe
  2⤵
  PID:8240
- C:\Windows\System32\JsbaIdy.exe
  C:\Windows\System32\JsbaIdy.exe
  2⤵
  PID:8424
- C:\Windows\System32\HYTEDjX.exe
  C:\Windows\System32\HYTEDjX.exe
  2⤵
  PID:8564
- C:\Windows\System32\jnKPovK.exe
  C:\Windows\System32\jnKPovK.exe
  2⤵
  PID:8736
- C:\Windows\System32\bSvhAYe.exe
  C:\Windows\System32\bSvhAYe.exe
  2⤵
  PID:8864
- C:\Windows\System32\bhbaSxK.exe
  C:\Windows\System32\bhbaSxK.exe
  2⤵
  PID:8972
- C:\Windows\System32\EpHSQzr.exe
  C:\Windows\System32\EpHSQzr.exe
  2⤵
  PID:9184
- C:\Windows\System32\WPCWKmX.exe
  C:\Windows\System32\WPCWKmX.exe
  2⤵
  PID:8500
- C:\Windows\System32\wSIKfIh.exe
  C:\Windows\System32\wSIKfIh.exe
  2⤵
  PID:8812
- C:\Windows\System32\GzwWZTv.exe
  C:\Windows\System32\GzwWZTv.exe
  2⤵
  PID:8232
- C:\Windows\System32\PRCmrMb.exe
  C:\Windows\System32\PRCmrMb.exe
  2⤵
  PID:8840
- C:\Windows\System32\MVdIYfZ.exe
  C:\Windows\System32\MVdIYfZ.exe
  2⤵
  PID:9224
- C:\Windows\System32\WTmMdMm.exe
  C:\Windows\System32\WTmMdMm.exe
  2⤵
  PID:9252
- C:\Windows\System32\nlarKre.exe
  C:\Windows\System32\nlarKre.exe
  2⤵
  PID:9280
- C:\Windows\System32\MjIFMds.exe
  C:\Windows\System32\MjIFMds.exe
  2⤵
  PID:9308
- C:\Windows\System32\MGttPvU.exe
  C:\Windows\System32\MGttPvU.exe
  2⤵
  PID:9336
- C:\Windows\System32\wUKDNsH.exe
  C:\Windows\System32\wUKDNsH.exe
  2⤵
  PID:9364
- C:\Windows\System32\AMDrKkR.exe
  C:\Windows\System32\AMDrKkR.exe
  2⤵
  PID:9392
- C:\Windows\System32\MccAFbp.exe
  C:\Windows\System32\MccAFbp.exe
  2⤵
  PID:9436
- C:\Windows\System32\WUSdmAk.exe
  C:\Windows\System32\WUSdmAk.exe
  2⤵
  PID:9468
- C:\Windows\System32\dZrjFfN.exe
  C:\Windows\System32\dZrjFfN.exe
  2⤵
  PID:9504
- C:\Windows\System32\IyPWteY.exe
  C:\Windows\System32\IyPWteY.exe
  2⤵
  PID:9536
- C:\Windows\System32\yUnAMie.exe
  C:\Windows\System32\yUnAMie.exe
  2⤵
  PID:9564
- C:\Windows\System32\hvfpNLo.exe
  C:\Windows\System32\hvfpNLo.exe
  2⤵
  PID:9596
- C:\Windows\System32\euTHIha.exe
  C:\Windows\System32\euTHIha.exe
  2⤵
  PID:9628
- C:\Windows\System32\jkKjPHT.exe
  C:\Windows\System32\jkKjPHT.exe
  2⤵
  PID:9664
- C:\Windows\System32\UOryeXw.exe
  C:\Windows\System32\UOryeXw.exe
  2⤵
  PID:9692
- C:\Windows\System32\YeWidGV.exe
  C:\Windows\System32\YeWidGV.exe
  2⤵
  PID:9716
- C:\Windows\System32\ukRYiYS.exe
  C:\Windows\System32\ukRYiYS.exe
  2⤵
  PID:9740
- C:\Windows\System32\yzEOHqW.exe
  C:\Windows\System32\yzEOHqW.exe
  2⤵
  PID:9776
- C:\Windows\System32\lbSLLcR.exe
  C:\Windows\System32\lbSLLcR.exe
  2⤵
  PID:9804
- C:\Windows\System32\gWTgjVN.exe
  C:\Windows\System32\gWTgjVN.exe
  2⤵
  PID:9832
- C:\Windows\System32\jkDknwY.exe
  C:\Windows\System32\jkDknwY.exe
  2⤵
  PID:9860
- C:\Windows\System32\FCquFvX.exe
  C:\Windows\System32\FCquFvX.exe
  2⤵
  PID:9892
- C:\Windows\System32\NuEGsXF.exe
  C:\Windows\System32\NuEGsXF.exe
  2⤵
  PID:9920
- C:\Windows\System32\IVMaHcY.exe
  C:\Windows\System32\IVMaHcY.exe
  2⤵
  PID:9948
- C:\Windows\System32\cPPohZi.exe
  C:\Windows\System32\cPPohZi.exe
  2⤵
  PID:9980
- C:\Windows\System32\iMazyos.exe
  C:\Windows\System32\iMazyos.exe
  2⤵
  PID:10008
- C:\Windows\System32\eZpCRFn.exe
  C:\Windows\System32\eZpCRFn.exe
  2⤵
  PID:10040
- C:\Windows\System32\fkCMAxg.exe
  C:\Windows\System32\fkCMAxg.exe
  2⤵
  PID:10064
- C:\Windows\System32\olaaIzs.exe
  C:\Windows\System32\olaaIzs.exe
  2⤵
  PID:10092
- C:\Windows\System32\SFmkKhJ.exe
  C:\Windows\System32\SFmkKhJ.exe
  2⤵
  PID:10124
- C:\Windows\System32\pYaUHUJ.exe
  C:\Windows\System32\pYaUHUJ.exe
  2⤵
  PID:10176
- C:\Windows\System32\EmfVwny.exe
  C:\Windows\System32\EmfVwny.exe
  2⤵
  PID:10192
- C:\Windows\System32\HiMwqaV.exe
  C:\Windows\System32\HiMwqaV.exe
  2⤵
  PID:9136
- C:\Windows\System32\spIAcVS.exe
  C:\Windows\System32\spIAcVS.exe
  2⤵
  PID:9296
- C:\Windows\System32\TjmjgLT.exe
  C:\Windows\System32\TjmjgLT.exe
  2⤵
  PID:9360
- C:\Windows\System32\PKaxHku.exe
  C:\Windows\System32\PKaxHku.exe
  2⤵
  PID:9456
- C:\Windows\System32\wTVUTxp.exe
  C:\Windows\System32\wTVUTxp.exe
  2⤵
  PID:9512
- C:\Windows\System32\gIjLRJS.exe
  C:\Windows\System32\gIjLRJS.exe
  2⤵
  PID:9616
- C:\Windows\System32\dBiRfCm.exe
  C:\Windows\System32\dBiRfCm.exe
  2⤵
  PID:9708
- C:\Windows\System32\rDAffzG.exe
  C:\Windows\System32\rDAffzG.exe
  2⤵
  PID:9752
- C:\Windows\System32\IgfpWrC.exe
  C:\Windows\System32\IgfpWrC.exe
  2⤵
  PID:9800
- C:\Windows\System32\fVpYUfF.exe
  C:\Windows\System32\fVpYUfF.exe
  2⤵
  PID:9904
- C:\Windows\System32\dUKBpAB.exe
  C:\Windows\System32\dUKBpAB.exe
  2⤵
  PID:9944
- C:\Windows\System32\DAbfTLU.exe
  C:\Windows\System32\DAbfTLU.exe
  2⤵
  PID:10120
- C:\Windows\System32\oATVFZg.exe
  C:\Windows\System32\oATVFZg.exe
  2⤵
  PID:6848
- C:\Windows\System32\bPKzvvG.exe
  C:\Windows\System32\bPKzvvG.exe
  2⤵
  PID:7028
- C:\Windows\System32\bHaFmuO.exe
  C:\Windows\System32\bHaFmuO.exe
  2⤵
  PID:10184
- C:\Windows\System32\lSttzDG.exe
  C:\Windows\System32\lSttzDG.exe
  2⤵
  PID:9528
- C:\Windows\System32\FUoUzsq.exe
  C:\Windows\System32\FUoUzsq.exe
  2⤵
  PID:9680
- C:\Windows\System32\nNDKzkl.exe
  C:\Windows\System32\nNDKzkl.exe
  2⤵
  PID:9884
- C:\Windows\System32\aYWTKdC.exe
  C:\Windows\System32\aYWTKdC.exe
  2⤵
  PID:10020
- C:\Windows\System32\qWXFgQe.exe
  C:\Windows\System32\qWXFgQe.exe
  2⤵
  PID:6568
- C:\Windows\System32\cfrnEhc.exe
  C:\Windows\System32\cfrnEhc.exe
  2⤵
  PID:9576
- C:\Windows\System32\cjhoYhH.exe
  C:\Windows\System32\cjhoYhH.exe
  2⤵
  PID:10136
- C:\Windows\System32\IXjIPFw.exe
  C:\Windows\System32\IXjIPFw.exe
  2⤵
  PID:10276
- C:\Windows\System32\WvPZGPs.exe
  C:\Windows\System32\WvPZGPs.exe
  2⤵
  PID:10312
- C:\Windows\System32\apcOjxY.exe
  C:\Windows\System32\apcOjxY.exe
  2⤵
  PID:10344
- C:\Windows\System32\witJiGm.exe
  C:\Windows\System32\witJiGm.exe
  2⤵
  PID:10388
- C:\Windows\System32\yvZEBHv.exe
  C:\Windows\System32\yvZEBHv.exe
  2⤵
  PID:10424
- C:\Windows\System32\nyeLfEB.exe
  C:\Windows\System32\nyeLfEB.exe
  2⤵
  PID:10440
- C:\Windows\System32\JPNHvkm.exe
  C:\Windows\System32\JPNHvkm.exe
  2⤵
  PID:10464
- C:\Windows\System32\afyKsPE.exe
  C:\Windows\System32\afyKsPE.exe
  2⤵
  PID:10496
- C:\Windows\System32\kCbMlNp.exe
  C:\Windows\System32\kCbMlNp.exe
  2⤵
  PID:10536
- C:\Windows\System32\aDofVed.exe
  C:\Windows\System32\aDofVed.exe
  2⤵
  PID:10564
- C:\Windows\System32\eBViRaf.exe
  C:\Windows\System32\eBViRaf.exe
  2⤵
  PID:10584
- C:\Windows\System32\EfMYYhO.exe
  C:\Windows\System32\EfMYYhO.exe
  2⤵
  PID:10612
- C:\Windows\System32\noLdulC.exe
  C:\Windows\System32\noLdulC.exe
  2⤵
  PID:10660
- C:\Windows\System32\tMNffmX.exe
  C:\Windows\System32\tMNffmX.exe
  2⤵
  PID:10680
- C:\Windows\System32\OPGGHIr.exe
  C:\Windows\System32\OPGGHIr.exe
  2⤵
  PID:10720
- C:\Windows\System32\gnEKUvB.exe
  C:\Windows\System32\gnEKUvB.exe
  2⤵
  PID:10744
- C:\Windows\System32\FCxbZFZ.exe
  C:\Windows\System32\FCxbZFZ.exe
  2⤵
  PID:10760
- C:\Windows\System32\CxFrDzV.exe
  C:\Windows\System32\CxFrDzV.exe
  2⤵
  PID:10796
- C:\Windows\System32\VvDTHxD.exe
  C:\Windows\System32\VvDTHxD.exe
  2⤵
  PID:10832
- C:\Windows\System32\KbgBLss.exe
  C:\Windows\System32\KbgBLss.exe
  2⤵
  PID:10860
- C:\Windows\System32\FDXKeZJ.exe
  C:\Windows\System32\FDXKeZJ.exe
  2⤵
  PID:10876
- C:\Windows\System32\PcRUrRA.exe
  C:\Windows\System32\PcRUrRA.exe
  2⤵
  PID:10900
- C:\Windows\System32\wTOVhEa.exe
  C:\Windows\System32\wTOVhEa.exe
  2⤵
  PID:10952
- C:\Windows\System32\fglCaVu.exe
  C:\Windows\System32\fglCaVu.exe
  2⤵
  PID:10988
- C:\Windows\System32\EoRlFXA.exe
  C:\Windows\System32\EoRlFXA.exe
  2⤵
  PID:11024
- C:\Windows\System32\leYXUJF.exe
  C:\Windows\System32\leYXUJF.exe
  2⤵
  PID:11052
- C:\Windows\System32\hCUSMYn.exe
  C:\Windows\System32\hCUSMYn.exe
  2⤵
  PID:11080
- C:\Windows\System32\EXIWahR.exe
  C:\Windows\System32\EXIWahR.exe
  2⤵
  PID:11108
- C:\Windows\System32\BPGLZGE.exe
  C:\Windows\System32\BPGLZGE.exe
  2⤵
  PID:11136
- C:\Windows\System32\CPTGcpg.exe
  C:\Windows\System32\CPTGcpg.exe
  2⤵
  PID:11164
- C:\Windows\System32\vxfpwUc.exe
  C:\Windows\System32\vxfpwUc.exe
  2⤵
  PID:11196
- C:\Windows\System32\pkTwuMo.exe
  C:\Windows\System32\pkTwuMo.exe
  2⤵
  PID:11224
- C:\Windows\System32\MbFmjgt.exe
  C:\Windows\System32\MbFmjgt.exe
  2⤵
  PID:11252
- C:\Windows\System32\LZQzHwq.exe
  C:\Windows\System32\LZQzHwq.exe
  2⤵
  PID:10292
- C:\Windows\System32\gxLCHLp.exe
  C:\Windows\System32\gxLCHLp.exe
  2⤵
  PID:6096
- C:\Windows\System32\MFrLxyM.exe
  C:\Windows\System32\MFrLxyM.exe
  2⤵
  PID:10436
- C:\Windows\System32\gDCnjlc.exe
  C:\Windows\System32\gDCnjlc.exe
  2⤵
  PID:10512
- C:\Windows\System32\TUQfRCg.exe
  C:\Windows\System32\TUQfRCg.exe
  2⤵
  PID:10556
- C:\Windows\System32\OsWrOXF.exe
  C:\Windows\System32\OsWrOXF.exe
  2⤵
  PID:10580
- C:\Windows\System32\oCUJgff.exe
  C:\Windows\System32\oCUJgff.exe
  2⤵
  PID:10640
- C:\Windows\System32\biGSsSs.exe
  C:\Windows\System32\biGSsSs.exe
  2⤵
  PID:10712
- C:\Windows\System32\EOPajkI.exe
  C:\Windows\System32\EOPajkI.exe
  2⤵
  PID:10780
- C:\Windows\System32\zDVUtDF.exe
  C:\Windows\System32\zDVUtDF.exe
  2⤵
  PID:10856
- C:\Windows\System32\NMoQfOW.exe
  C:\Windows\System32\NMoQfOW.exe
  2⤵
  PID:10912
- C:\Windows\System32\ppdAtpv.exe
  C:\Windows\System32\ppdAtpv.exe
  2⤵
  PID:10976
- C:\Windows\System32\RkjcgcC.exe
  C:\Windows\System32\RkjcgcC.exe
  2⤵
  PID:11048
- C:\Windows\System32\AwmhhbY.exe
  C:\Windows\System32\AwmhhbY.exe
  2⤵
  PID:11124
- C:\Windows\System32\heStUMC.exe
  C:\Windows\System32\heStUMC.exe
  2⤵
  PID:11188
- C:\Windows\System32\pUKewPN.exe
  C:\Windows\System32\pUKewPN.exe
  2⤵
  PID:11248
- C:\Windows\System32\jXmtNnH.exe
  C:\Windows\System32\jXmtNnH.exe
  2⤵
  PID:876
- C:\Windows\System32\OKHqqSo.exe
  C:\Windows\System32\OKHqqSo.exe
  2⤵
  PID:10480
- C:\Windows\System32\PuNoomt.exe
  C:\Windows\System32\PuNoomt.exe
  2⤵
  PID:2260
- C:\Windows\System32\wWOLBwI.exe
  C:\Windows\System32\wWOLBwI.exe
  2⤵
  PID:10740
- C:\Windows\System32\QGORGsH.exe
  C:\Windows\System32\QGORGsH.exe
  2⤵
  PID:10936
- C:\Windows\System32\jUdOwkw.exe
  C:\Windows\System32\jUdOwkw.exe
  2⤵
  PID:11072
- C:\Windows\System32\eAlkiDv.exe
  C:\Windows\System32\eAlkiDv.exe
  2⤵
  PID:11236
- C:\Windows\System32\sWUsWfe.exe
  C:\Windows\System32\sWUsWfe.exe
  2⤵
  PID:10432
- C:\Windows\System32\HswkNUQ.exe
  C:\Windows\System32\HswkNUQ.exe
  2⤵
  PID:10828
- C:\Windows\System32\oAZBGzW.exe
  C:\Windows\System32\oAZBGzW.exe
  2⤵
  PID:11216
- C:\Windows\System32\AqJsGBn.exe
  C:\Windows\System32\AqJsGBn.exe
  2⤵
  PID:11044
- C:\Windows\System32\QtbNThH.exe
  C:\Windows\System32\QtbNThH.exe
  2⤵
  PID:11284
- C:\Windows\System32\BjuzQRJ.exe
  C:\Windows\System32\BjuzQRJ.exe
  2⤵
  PID:11300
- C:\Windows\System32\dtHOoUG.exe
  C:\Windows\System32\dtHOoUG.exe
  2⤵
  PID:11328
- C:\Windows\System32\YbZpHiU.exe
  C:\Windows\System32\YbZpHiU.exe
  2⤵
  PID:11352
- C:\Windows\System32\CuSqeUO.exe
  C:\Windows\System32\CuSqeUO.exe
  2⤵
  PID:11372
- C:\Windows\System32\xOCNQny.exe
  C:\Windows\System32\xOCNQny.exe
  2⤵
  PID:11420
- C:\Windows\System32\vMVcbNc.exe
  C:\Windows\System32\vMVcbNc.exe
  2⤵
  PID:11440
- C:\Windows\System32\nImGKBj.exe
  C:\Windows\System32\nImGKBj.exe
  2⤵
  PID:11468
- C:\Windows\System32\ssBQAso.exe
  C:\Windows\System32\ssBQAso.exe
  2⤵
  PID:11496
- C:\Windows\System32\ugSMgPd.exe
  C:\Windows\System32\ugSMgPd.exe
  2⤵
  PID:11524
- C:\Windows\System32\HhkOpoD.exe
  C:\Windows\System32\HhkOpoD.exe
  2⤵
  PID:11552
- C:\Windows\System32\DGBNead.exe
  C:\Windows\System32\DGBNead.exe
  2⤵
  PID:11580
- C:\Windows\System32\DkESAcm.exe
  C:\Windows\System32\DkESAcm.exe
  2⤵
  PID:11608
- C:\Windows\System32\sgpxUmt.exe
  C:\Windows\System32\sgpxUmt.exe
  2⤵
  PID:11636
- C:\Windows\System32\hDYCsON.exe
  C:\Windows\System32\hDYCsON.exe
  2⤵
  PID:11664
- C:\Windows\System32\rEyjLNt.exe
  C:\Windows\System32\rEyjLNt.exe
  2⤵
  PID:11692
- C:\Windows\System32\PzzclhW.exe
  C:\Windows\System32\PzzclhW.exe
  2⤵
  PID:11720
- C:\Windows\System32\ZmefLLr.exe
  C:\Windows\System32\ZmefLLr.exe
  2⤵
  PID:11748
- C:\Windows\System32\wZoxAlf.exe
  C:\Windows\System32\wZoxAlf.exe
  2⤵
  PID:11776
- C:\Windows\System32\VBqgQvN.exe
  C:\Windows\System32\VBqgQvN.exe
  2⤵
  PID:11804
- C:\Windows\System32\sXXnXNm.exe
  C:\Windows\System32\sXXnXNm.exe
  2⤵
  PID:11832
- C:\Windows\System32\jkCgquV.exe
  C:\Windows\System32\jkCgquV.exe
  2⤵
  PID:11860
- C:\Windows\System32\sVPMZKi.exe
  C:\Windows\System32\sVPMZKi.exe
  2⤵
  PID:11888
- C:\Windows\System32\LzYNWVd.exe
  C:\Windows\System32\LzYNWVd.exe
  2⤵
  PID:11920
- C:\Windows\System32\kQBbAYQ.exe
  C:\Windows\System32\kQBbAYQ.exe
  2⤵
  PID:11956
- C:\Windows\System32\LYvYepu.exe
  C:\Windows\System32\LYvYepu.exe
  2⤵
  PID:11988
- C:\Windows\System32\jODhZzK.exe
  C:\Windows\System32\jODhZzK.exe
  2⤵
  PID:12016
- C:\Windows\System32\suiVZWB.exe
  C:\Windows\System32\suiVZWB.exe
  2⤵
  PID:12044
- C:\Windows\System32\jnOMHuB.exe
  C:\Windows\System32\jnOMHuB.exe
  2⤵
  PID:12072
- C:\Windows\System32\xEQvSJh.exe
  C:\Windows\System32\xEQvSJh.exe
  2⤵
  PID:12100
- C:\Windows\System32\egiiIWW.exe
  C:\Windows\System32\egiiIWW.exe
  2⤵
  PID:12128
- C:\Windows\System32\oSsPCJy.exe
  C:\Windows\System32\oSsPCJy.exe
  2⤵
  PID:12156
- C:\Windows\System32\xGzSpFP.exe
  C:\Windows\System32\xGzSpFP.exe
  2⤵
  PID:12184
- C:\Windows\System32\fYalyDI.exe
  C:\Windows\System32\fYalyDI.exe
  2⤵
  PID:12212
- C:\Windows\System32\rcACwIk.exe
  C:\Windows\System32\rcACwIk.exe
  2⤵
  PID:12240
- C:\Windows\System32\tQOxWwE.exe
  C:\Windows\System32\tQOxWwE.exe
  2⤵
  PID:12268
- C:\Windows\System32\eQaGgDr.exe
  C:\Windows\System32\eQaGgDr.exe
  2⤵
  PID:11320
- C:\Windows\System32\jWJvSEv.exe
  C:\Windows\System32\jWJvSEv.exe
  2⤵
  PID:11384
- C:\Windows\System32\zVIURLi.exe
  C:\Windows\System32\zVIURLi.exe
  2⤵
  PID:11432
- C:\Windows\System32\pblEbuH.exe
  C:\Windows\System32\pblEbuH.exe
  2⤵
  PID:11512
- C:\Windows\System32\qygbwOQ.exe
  C:\Windows\System32\qygbwOQ.exe
  2⤵
  PID:11576
- C:\Windows\System32\yZtfjEz.exe
  C:\Windows\System32\yZtfjEz.exe
  2⤵
  PID:11620
- C:\Windows\System32\UdXqJTm.exe
  C:\Windows\System32\UdXqJTm.exe
  2⤵
  PID:11712
- C:\Windows\System32\TqMSZQe.exe
  C:\Windows\System32\TqMSZQe.exe
  2⤵
  PID:11796
- C:\Windows\System32\oszkVil.exe
  C:\Windows\System32\oszkVil.exe
  2⤵
  PID:11844
- C:\Windows\System32\VjZSVuN.exe
  C:\Windows\System32\VjZSVuN.exe
  2⤵
  PID:11912
- C:\Windows\System32\ZPOeKuC.exe
  C:\Windows\System32\ZPOeKuC.exe
  2⤵
  PID:11984
- C:\Windows\System32\AwIhalf.exe
  C:\Windows\System32\AwIhalf.exe
  2⤵
  PID:12060
- C:\Windows\System32\nhaNgrZ.exe
  C:\Windows\System32\nhaNgrZ.exe
  2⤵
  PID:12124
- C:\Windows\System32\iWvYyKn.exe
  C:\Windows\System32\iWvYyKn.exe
  2⤵
  PID:12200
- C:\Windows\System32\sesStxq.exe
  C:\Windows\System32\sesStxq.exe
  2⤵
  PID:12236
- C:\Windows\System32\yzHbRAm.exe
  C:\Windows\System32\yzHbRAm.exe
  2⤵
  PID:11344
- C:\Windows\System32\PQwBFap.exe
  C:\Windows\System32\PQwBFap.exe
  2⤵
  PID:11460
- C:\Windows\System32\IWONVeT.exe
  C:\Windows\System32\IWONVeT.exe
  2⤵
  PID:11604
- C:\Windows\System32\qcOjbkh.exe
  C:\Windows\System32\qcOjbkh.exe
  2⤵
  PID:11768
- C:\Windows\System32\FvloFsP.exe
  C:\Windows\System32\FvloFsP.exe
  2⤵
  PID:11948
- C:\Windows\System32\ISKwjvP.exe
  C:\Windows\System32\ISKwjvP.exe
  2⤵
  PID:12068
- C:\Windows\System32\jFaDNrA.exe
  C:\Windows\System32\jFaDNrA.exe
  2⤵
  PID:5552
- C:\Windows\System32\yuNaBbk.exe
  C:\Windows\System32\yuNaBbk.exe
  2⤵
  PID:11340
- C:\Windows\System32\ZvnUbaD.exe
  C:\Windows\System32\ZvnUbaD.exe
  2⤵
  PID:11704
- C:\Windows\System32\lsZgELd.exe
  C:\Windows\System32\lsZgELd.exe
  2⤵
  PID:12096
- C:\Windows\System32\iHhmiOu.exe
  C:\Windows\System32\iHhmiOu.exe
  2⤵
  PID:11536
- C:\Windows\System32\lZFXxlL.exe
  C:\Windows\System32\lZFXxlL.exe
  2⤵
  PID:11276
- C:\Windows\System32\wMHfDBS.exe
  C:\Windows\System32\wMHfDBS.exe
  2⤵
  PID:12296
- C:\Windows\System32\aNZCHln.exe
  C:\Windows\System32\aNZCHln.exe
  2⤵
  PID:12324
- C:\Windows\System32\cBlHowq.exe
  C:\Windows\System32\cBlHowq.exe
  2⤵
  PID:12352
- C:\Windows\System32\sNNgPiI.exe
  C:\Windows\System32\sNNgPiI.exe
  2⤵
  PID:12380
- C:\Windows\System32\smCqcbI.exe
  C:\Windows\System32\smCqcbI.exe
  2⤵
  PID:12408
- C:\Windows\System32\wqhFTyv.exe
  C:\Windows\System32\wqhFTyv.exe
  2⤵
  PID:12436
- C:\Windows\System32\tGScAIr.exe
  C:\Windows\System32\tGScAIr.exe
  2⤵
  PID:12464
- C:\Windows\System32\gbBzIyO.exe
  C:\Windows\System32\gbBzIyO.exe
  2⤵
  PID:12492
- C:\Windows\System32\BavYcGK.exe
  C:\Windows\System32\BavYcGK.exe
  2⤵
  PID:12520
- C:\Windows\System32\zquAjMX.exe
  C:\Windows\System32\zquAjMX.exe
  2⤵
  PID:12548
- C:\Windows\System32\wmprjxa.exe
  C:\Windows\System32\wmprjxa.exe
  2⤵
  PID:12576
- C:\Windows\System32\xFAlWBQ.exe
  C:\Windows\System32\xFAlWBQ.exe
  2⤵
  PID:12604
- C:\Windows\System32\cCSzqBF.exe
  C:\Windows\System32\cCSzqBF.exe
  2⤵
  PID:12632
- C:\Windows\System32\FakBLZX.exe
  C:\Windows\System32\FakBLZX.exe
  2⤵
  PID:12660
- C:\Windows\System32\bTbbdZl.exe
  C:\Windows\System32\bTbbdZl.exe
  2⤵
  PID:12688
- C:\Windows\System32\neSGFcB.exe
  C:\Windows\System32\neSGFcB.exe
  2⤵
  PID:12720
- C:\Windows\System32\uCUmTvJ.exe
  C:\Windows\System32\uCUmTvJ.exe
  2⤵
  PID:12744
- C:\Windows\System32\AAoXsJz.exe
  C:\Windows\System32\AAoXsJz.exe
  2⤵
  PID:12772
- C:\Windows\System32\fliDjVy.exe
  C:\Windows\System32\fliDjVy.exe
  2⤵
  PID:12800
- C:\Windows\System32\WwnbINj.exe
  C:\Windows\System32\WwnbINj.exe
  2⤵
  PID:12832
- C:\Windows\System32\jsuqrHo.exe
  C:\Windows\System32\jsuqrHo.exe
  2⤵
  PID:12864
- C:\Windows\System32\aJXsgHR.exe
  C:\Windows\System32\aJXsgHR.exe
  2⤵
  PID:12892
- C:\Windows\System32\sdpQIul.exe
  C:\Windows\System32\sdpQIul.exe
  2⤵
  PID:12920
- C:\Windows\System32\SPKbgpb.exe
  C:\Windows\System32\SPKbgpb.exe
  2⤵
  PID:12948
- C:\Windows\System32\bEYSZQX.exe
  C:\Windows\System32\bEYSZQX.exe
  2⤵
  PID:12976
- C:\Windows\System32\MPpcIEf.exe
  C:\Windows\System32\MPpcIEf.exe
  2⤵
  PID:13004
- C:\Windows\System32\VcYlaLW.exe
  C:\Windows\System32\VcYlaLW.exe
  2⤵
  PID:13032
- C:\Windows\System32\DHudQjO.exe
  C:\Windows\System32\DHudQjO.exe
  2⤵
  PID:13060
- C:\Windows\System32\ZOcHuXD.exe
  C:\Windows\System32\ZOcHuXD.exe
  2⤵
  PID:13088
- C:\Windows\System32\NmzRvbd.exe
  C:\Windows\System32\NmzRvbd.exe
  2⤵
  PID:13116
- C:\Windows\System32\TUmjOVc.exe
  C:\Windows\System32\TUmjOVc.exe
  2⤵
  PID:13144
- C:\Windows\System32\HuxODry.exe
  C:\Windows\System32\HuxODry.exe
  2⤵
  PID:13160
- C:\Windows\System32\DujNTcM.exe
  C:\Windows\System32\DujNTcM.exe
  2⤵
  PID:13180
- C:\Windows\System32\KLPMYnV.exe
  C:\Windows\System32\KLPMYnV.exe
  2⤵
  PID:13196
- C:\Windows\System32\Hpldhgl.exe
  C:\Windows\System32\Hpldhgl.exe
  2⤵
  PID:13224
- C:\Windows\System32\MpqJGBE.exe
  C:\Windows\System32\MpqJGBE.exe
  2⤵
  PID:13288
- C:\Windows\System32\CaaRppU.exe
  C:\Windows\System32\CaaRppU.exe
  2⤵
  PID:12292
- C:\Windows\System32\zWjYVTC.exe
  C:\Windows\System32\zWjYVTC.exe
  2⤵
  PID:12348
- C:\Windows\System32\DmlSHNE.exe
  C:\Windows\System32\DmlSHNE.exe
  2⤵
  PID:12420
- C:\Windows\System32\pgIEgCQ.exe
  C:\Windows\System32\pgIEgCQ.exe
  2⤵
  PID:12476
- C:\Windows\System32\stNzjMi.exe
  C:\Windows\System32\stNzjMi.exe
  2⤵
  PID:12544
- C:\Windows\System32\GwoPgGz.exe
  C:\Windows\System32\GwoPgGz.exe
  2⤵
  PID:12592
- C:\Windows\System32\DFioydb.exe
  C:\Windows\System32\DFioydb.exe
  2⤵
  PID:12652
- C:\Windows\System32\vJPkoUL.exe
  C:\Windows\System32\vJPkoUL.exe
  2⤵
  PID:12728
- C:\Windows\System32\fYKpFeI.exe
  C:\Windows\System32\fYKpFeI.exe
  2⤵
  PID:12784
- C:\Windows\System32\fCHsPlE.exe
  C:\Windows\System32\fCHsPlE.exe
  2⤵
  PID:12856
- C:\Windows\System32\PbopuUL.exe
  C:\Windows\System32\PbopuUL.exe
  2⤵
  PID:12916
- C:\Windows\System32\ubOtGPg.exe
  C:\Windows\System32\ubOtGPg.exe
  2⤵
  PID:12992
- C:\Windows\System32\lDfLKzG.exe
  C:\Windows\System32\lDfLKzG.exe
  2⤵
  PID:13052
- C:\Windows\System32\eYNtZis.exe
  C:\Windows\System32\eYNtZis.exe
  2⤵
  PID:13100
- C:\Windows\System32\hMnYTqU.exe
  C:\Windows\System32\hMnYTqU.exe
  2⤵
  PID:12620
- C:\Windows\System32\DfEEqyo.exe
  C:\Windows\System32\DfEEqyo.exe
  2⤵
  PID:13044
- C:\Windows\System32\ysPGGuX.exe
  C:\Windows\System32\ysPGGuX.exe
  2⤵
  PID:13152
- C:\Windows\System32\sExgjVt.exe
  C:\Windows\System32\sExgjVt.exe
  2⤵
  PID:12840
- C:\Windows\System32\KuPSpIH.exe
  C:\Windows\System32\KuPSpIH.exe
  2⤵
  PID:12888
- C:\Windows\System32\lOLfFSl.exe
  C:\Windows\System32\lOLfFSl.exe
  2⤵
  PID:13440
- C:\Windows\System32\wyWOhMO.exe
  C:\Windows\System32\wyWOhMO.exe
  2⤵
  PID:13532
- C:\Windows\System32\jhNyGxt.exe
  C:\Windows\System32\jhNyGxt.exe
  2⤵
  PID:13556
- C:\Windows\System32\IUMVPhX.exe
  C:\Windows\System32\IUMVPhX.exe
  2⤵
  PID:13676
- C:\Windows\System32\sXjdZfn.exe
  C:\Windows\System32\sXjdZfn.exe
  2⤵
  PID:13692
- C:\Windows\System32\UoiESUP.exe
  C:\Windows\System32\UoiESUP.exe
  2⤵
  PID:13752
- C:\Windows\System32\ciKQZXw.exe
  C:\Windows\System32\ciKQZXw.exe
  2⤵
  PID:13816
- C:\Windows\System32\AcrbRcD.exe
  C:\Windows\System32\AcrbRcD.exe
  2⤵
  PID:13836
- C:\Windows\System32\fZCMiri.exe
  C:\Windows\System32\fZCMiri.exe
  2⤵
  PID:13856
- C:\Windows\System32\mDoWhYW.exe
  C:\Windows\System32\mDoWhYW.exe
  2⤵
  PID:13876
- C:\Windows\System32\xhuidWT.exe
  C:\Windows\System32\xhuidWT.exe
  2⤵
  PID:13896
- C:\Windows\System32\OKpjMnX.exe
  C:\Windows\System32\OKpjMnX.exe
  2⤵
  PID:13916
- C:\Windows\System32\VBuDwzU.exe
  C:\Windows\System32\VBuDwzU.exe
  2⤵
  PID:13932
- C:\Windows\System32\JLymCfR.exe
  C:\Windows\System32\JLymCfR.exe
  2⤵
  PID:13952
- C:\Windows\System32\PPXEmub.exe
  C:\Windows\System32\PPXEmub.exe
  2⤵
  PID:13972
- C:\Windows\System32\jglPaor.exe
  C:\Windows\System32\jglPaor.exe
  2⤵
  PID:13992
- C:\Windows\System32\QBwFjTd.exe
  C:\Windows\System32\QBwFjTd.exe
  2⤵
  PID:14016
- C:\Windows\System32\LMWqCpB.exe
  C:\Windows\System32\LMWqCpB.exe
  2⤵
  PID:14032
- C:\Windows\System32\CwpYiNA.exe
  C:\Windows\System32\CwpYiNA.exe
  2⤵
  PID:14048
- C:\Windows\System32\VUQNUfT.exe
  C:\Windows\System32\VUQNUfT.exe
  2⤵
  PID:14072
- C:\Windows\System32\qMPimhv.exe
  C:\Windows\System32\qMPimhv.exe
  2⤵
  PID:14092
- C:\Windows\System32\PYZlZIk.exe
  C:\Windows\System32\PYZlZIk.exe
  2⤵
  PID:14112
- C:\Windows\System32\nVyvzSE.exe
  C:\Windows\System32\nVyvzSE.exe
  2⤵
  PID:14128
- C:\Windows\System32\ONIgZIO.exe
  C:\Windows\System32\ONIgZIO.exe
  2⤵
  PID:14148
- C:\Windows\System32\AXGOTJh.exe
  C:\Windows\System32\AXGOTJh.exe
  2⤵
  PID:14172
- C:\Windows\System32\qBkcZXY.exe
  C:\Windows\System32\qBkcZXY.exe
  2⤵
  PID:14200
- C:\Windows\System32\BebXmMz.exe
  C:\Windows\System32\BebXmMz.exe
  2⤵
  PID:14216
- C:\Windows\System32\KmETffd.exe
  C:\Windows\System32\KmETffd.exe
  2⤵
  PID:14236
- C:\Windows\System32\iASskgz.exe
  C:\Windows\System32\iASskgz.exe
  2⤵
  PID:14256
- C:\Windows\System32\KfHwSzb.exe
  C:\Windows\System32\KfHwSzb.exe
  2⤵
  PID:14284
- C:\Windows\System32\GTWtSnw.exe
  C:\Windows\System32\GTWtSnw.exe
  2⤵
  PID:14304
- C:\Windows\System32\DahjfrV.exe
  C:\Windows\System32\DahjfrV.exe
  2⤵
  PID:14328
- C:\Windows\System32\xClNmFb.exe
  C:\Windows\System32\xClNmFb.exe
  2⤵
  PID:13252
- C:\Windows\System32\RxAPFHt.exe
  C:\Windows\System32\RxAPFHt.exe
  2⤵
  PID:13356
- C:\Windows\System32\KndrMbj.exe
  C:\Windows\System32\KndrMbj.exe
  2⤵
  PID:13392
- C:\Windows\System32\LdVnGiI.exe
  C:\Windows\System32\LdVnGiI.exe
  2⤵
  PID:13420
- C:\Windows\System32\urWdZuj.exe
  C:\Windows\System32\urWdZuj.exe
  2⤵
  PID:13188
- C:\Windows\System32\hhoVbzt.exe
  C:\Windows\System32\hhoVbzt.exe
  2⤵
  PID:13324
- C:\Windows\System32\dzTMQox.exe
  C:\Windows\System32\dzTMQox.exe
  2⤵
  PID:13176
- C:\Windows\System32\HTJUAVS.exe
  C:\Windows\System32\HTJUAVS.exe
  2⤵
  PID:13488
- C:\Windows\System32\buRyoTG.exe
  C:\Windows\System32\buRyoTG.exe
  2⤵
  PID:13500
- C:\Windows\System32\CsCEvJJ.exe
  C:\Windows\System32\CsCEvJJ.exe
  2⤵
  PID:13448
- C:\Windows\System32\rVANHsw.exe
  C:\Windows\System32\rVANHsw.exe
  2⤵
  PID:616
- C:\Windows\System32\IjYHIJl.exe
  C:\Windows\System32\IjYHIJl.exe
  2⤵
  PID:844
- C:\Windows\System32\hZWaHsn.exe
  C:\Windows\System32\hZWaHsn.exe
  2⤵
  PID:784
- C:\Windows\System32\BYPEopU.exe
  C:\Windows\System32\BYPEopU.exe
  2⤵
  PID:4284
- C:\Windows\System32\XHeqisX.exe
  C:\Windows\System32\XHeqisX.exe
  2⤵
  PID:4504
- C:\Windows\System32\bwskIpT.exe
  C:\Windows\System32\bwskIpT.exe
  2⤵
  PID:4404
- C:\Windows\System32\lUAKBbT.exe
  C:\Windows\System32\lUAKBbT.exe
  2⤵
  PID:13564
- C:\Windows\System32\ZyEQtFR.exe
  C:\Windows\System32\ZyEQtFR.exe
  2⤵
  PID:13712
- C:\Windows\System32\IKeNqMf.exe
  C:\Windows\System32\IKeNqMf.exe
  2⤵
  PID:13728
- C:\Windows\System32\qoCBPnQ.exe
  C:\Windows\System32\qoCBPnQ.exe
  2⤵
  PID:4288
- C:\Windows\System32\draVtsH.exe
  C:\Windows\System32\draVtsH.exe
  2⤵
  PID:4396
- C:\Windows\System32\kqVAdxv.exe
  C:\Windows\System32\kqVAdxv.exe
  2⤵
  PID:4116
- C:\Windows\System32\IpELMys.exe
  C:\Windows\System32\IpELMys.exe
  2⤵
  PID:4084
- C:\Windows\System32\XqQmTFl.exe
  C:\Windows\System32\XqQmTFl.exe
  2⤵
  PID:13844
- C:\Windows\System32\fpJSghf.exe
  C:\Windows\System32\fpJSghf.exe
  2⤵
  PID:14004
- C:\Windows\System32\QVDTBVx.exe
  C:\Windows\System32\QVDTBVx.exe
  2⤵
  PID:14088
- C:\Windows\System32\xVkymgM.exe
  C:\Windows\System32\xVkymgM.exe
  2⤵
  PID:14100
- C:\Windows\System32\yVlsUXV.exe
  C:\Windows\System32\yVlsUXV.exe
  2⤵
  PID:14136
- C:\Windows\System32\FVceath.exe
  C:\Windows\System32\FVceath.exe
  2⤵
  PID:14212
- C:\Windows\System32\GaFoOea.exe
  C:\Windows\System32\GaFoOea.exe
  2⤵
  PID:13336
- C:\Windows\System32\KCRkFNt.exe
  C:\Windows\System32\KCRkFNt.exe
  2⤵
  PID:12320
- C:\Windows\System32\Khtqetq.exe
  C:\Windows\System32\Khtqetq.exe
  2⤵
  PID:13480
- C:\Windows\System32\gUQOjnq.exe
  C:\Windows\System32\gUQOjnq.exe
  2⤵
  PID:3924
- C:\Windows\System32\doNchNm.exe
  C:\Windows\System32\doNchNm.exe
  2⤵
  PID:2516
- C:\Windows\System32\WgtvEwx.exe
  C:\Windows\System32\WgtvEwx.exe
  2⤵
  PID:1188
- C:\Windows\System32\nudGGWQ.exe
  C:\Windows\System32\nudGGWQ.exe
  2⤵
  PID:13656
- C:\Windows\System32\WyNSwMd.exe
  C:\Windows\System32\WyNSwMd.exe
  2⤵
  PID:13600
- C:\Windows\System32\oCActgK.exe
  C:\Windows\System32\oCActgK.exe
  2⤵
  PID:13708
- C:\Windows\System32\foWyraO.exe
  C:\Windows\System32\foWyraO.exe
  2⤵
  PID:4272
- C:\Windows\System32\uuyZEJK.exe
  C:\Windows\System32\uuyZEJK.exe
  2⤵
  PID:4456
- C:\Windows\System32\oESqMjd.exe
  C:\Windows\System32\oESqMjd.exe
  2⤵
  PID:13864
- C:\Windows\System32\hJumYKz.exe
  C:\Windows\System32\hJumYKz.exe
  2⤵
  PID:14064
- C:\Windows\System32\AdcUWmi.exe
  C:\Windows\System32\AdcUWmi.exe
  2⤵
  PID:14080
- C:\Windows\System32\aBpdxtT.exe
  C:\Windows\System32\aBpdxtT.exe
  2⤵
  PID:14228
- C:\Windows\System32\tynBJcw.exe
  C:\Windows\System32\tynBJcw.exe
  2⤵
  PID:14320
- C:\Windows\System32\XBFYgex.exe
  C:\Windows\System32\XBFYgex.exe
  2⤵
  PID:13380
- C:\Windows\System32\pKsMtVI.exe
  C:\Windows\System32\pKsMtVI.exe
  2⤵
  PID:13172
- C:\Windows\System32\gkVHyLz.exe
  C:\Windows\System32\gkVHyLz.exe
  2⤵
  PID:13504
- C:\Windows\System32\DVpqjeN.exe
  C:\Windows\System32\DVpqjeN.exe
  2⤵
  PID:13524
- C:\Windows\System32\oASfoVX.exe
  C:\Windows\System32\oASfoVX.exe
  2⤵
  PID:13580
- C:\Windows\System32\hmCNAAs.exe
  C:\Windows\System32\hmCNAAs.exe
  2⤵
  PID:13548
- C:\Windows\System32\qRHiZCc.exe
  C:\Windows\System32\qRHiZCc.exe
  2⤵
  PID:13624
- C:\Windows\System32\muLuuHc.exe
  C:\Windows\System32\muLuuHc.exe
  2⤵
  PID:13568
- C:\Windows\System32\JUbhRxt.exe
  C:\Windows\System32\JUbhRxt.exe
  2⤵
  PID:13768
- C:\Windows\System32\IKpgpdM.exe
  C:\Windows\System32\IKpgpdM.exe
  2⤵
  PID:13720
- C:\Windows\System32\wzuTlhy.exe
  C:\Windows\System32\wzuTlhy.exe
  2⤵
  PID:4360
- C:\Windows\System32\yUsxrGc.exe
  C:\Windows\System32\yUsxrGc.exe
  2⤵
  PID:13912
- C:\Windows\System32\eZIKeVw.exe
  C:\Windows\System32\eZIKeVw.exe
  2⤵
  PID:13940
- C:\Windows\System32\aNlYMqk.exe
  C:\Windows\System32\aNlYMqk.exe
  2⤵
  PID:13964
- C:\Windows\System32\iROYAfO.exe
  C:\Windows\System32\iROYAfO.exe
  2⤵
  PID:14124
- C:\Windows\System32\tbVzXoi.exe
  C:\Windows\System32\tbVzXoi.exe
  2⤵
  PID:14224
- C:\Windows\System32\UChWwZh.exe
  C:\Windows\System32\UChWwZh.exe
  2⤵
  PID:1488
- C:\Windows\System32\UhiAzye.exe
  C:\Windows\System32\UhiAzye.exe
  2⤵
  PID:13204
- C:\Windows\System32\KKGKYnw.exe
  C:\Windows\System32\KKGKYnw.exe
  2⤵
  PID:3936
- C:\Windows\System32\FCyQxOE.exe
  C:\Windows\System32\FCyQxOE.exe
  2⤵
  PID:13552
- C:\Windows\System32\fLXMjog.exe
  C:\Windows\System32\fLXMjog.exe
  2⤵
  PID:4224
- C:\Windows\System32\fwfeJEB.exe
  C:\Windows\System32\fwfeJEB.exe
  2⤵
  PID:9416
- C:\Windows\System32\CKpnlSt.exe
  C:\Windows\System32\CKpnlSt.exe
  2⤵
  PID:3680
- C:\Windows\System32\pBMoIyW.exe
  C:\Windows\System32\pBMoIyW.exe
  2⤵
  PID:13348
- C:\Windows\System32\xpGuMQc.exe
  C:\Windows\System32\xpGuMQc.exe
  2⤵
  PID:3972
- C:\Windows\System32\kbCFEJO.exe
  C:\Windows\System32\kbCFEJO.exe
  2⤵
  PID:13464
- C:\Windows\System32\rNJKchS.exe
  C:\Windows\System32\rNJKchS.exe
  2⤵
  PID:3028
- C:\Windows\System32\GBpAPcB.exe
  C:\Windows\System32\GBpAPcB.exe
  2⤵
  PID:13784
- C:\Windows\System32\KSSgHNp.exe
  C:\Windows\System32\KSSgHNp.exe
  2⤵
  PID:2548
- C:\Windows\System32\uGglTjP.exe
  C:\Windows\System32\uGglTjP.exe
  2⤵
  PID:13828
- C:\Windows\System32\tdkQJxZ.exe
  C:\Windows\System32\tdkQJxZ.exe
  2⤵
  PID:14008

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12588

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13136

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:13428

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AGXEyja.exe

Filesize
2.6MB

MD5
5e42d4190206d518eccf9a13946b6110

SHA1
b0a40b4fa21215edf046fe6fece93c1b2135a620

SHA256
268ff8094cce3495b93b705b517f777532388e848397699b3c053cfd70b4d25e

SHA512
6b04aeec3b4ba7c595f6760753cc6e3e97a3efc912a484690ef02bf58fcf8482a2c6fab1e32ed98618cb08078761bbd601ed6b552aa8b06c877e846fcf6b4c61

Download Submit
C:\Windows\System32\BHTDmYL.exe

Filesize
2.6MB

MD5
7738263b86f806f70e43a20d9481a93a

SHA1
0a9cfa534f808e2be97b4e0d290bb3aeba66df09

SHA256
133c656f167e4487e541cb596d553291bf0345b6c9d8530b3210f1086f143cc4

SHA512
361612057169ec64aaeb21965bbf82a1118546b10992aed61e30116c56c3022d58721e470a9502d6b28b628749b4e144393fa068482cc48bf84011681411b481

Download Submit
C:\Windows\System32\GFMFIoe.exe

Filesize
2.6MB

MD5
a7c271652d5585b4923856560d8e521a

SHA1
b4d8bb8deb9f833d778d4bdc65a7a193510ddcd8

SHA256
1c4e3422aa33084bc803debe5092b014048d13ebb64faf6ac28f8a5b825a5406

SHA512
9ea351d03c4c912ca4fb178ce4378722ca98c69ec3774179a83a2da4df5a77c0e8696a211af8eb7411a5eac9b69276674c5a24cf697ea91ba874113ea9937462

Download Submit
C:\Windows\System32\GaQxQFc.exe

Filesize
2.6MB

MD5
f355929f7d9179be128007b0f8a05728

SHA1
523aa92a0c8eca6eddcba1dcdf8f4d7001d57de3

SHA256
ee8ff7cdfff95ae0b90d3ff44c8efc87b714d73419900661022460410b930cf3

SHA512
c30e30bdab550459616fa86d32db2cb46810b7b7ae0178ee91a104b0ee8c444ca2953975e4e8c8bf7c212d753e62b7c663a4cca5e86fa7c6479e831eee38e0f1

Download Submit
C:\Windows\System32\Gbxwmzt.exe

Filesize
2.6MB

MD5
6b84cd89bb265a38172e18ab8d560882

SHA1
98abb756d82eb829f0919fdc5cc1b38ab201432f

SHA256
7aa4221431b84c69ca63d6742e5fc3e4f019178d3c27fac00f91160e60dc68ba

SHA512
6a9c0c605340548363618f23b4d778b48cc80d244b4bc88e85ca881f703ba92bae07e31b3969150049a0c3eed8ee84f0d7cb64bedc33ad2e82826bff4d9c5a8e

Download Submit
C:\Windows\System32\GqgaYFS.exe

Filesize
2.6MB

MD5
2829dd55ee9db0561cfa40dcba45599d

SHA1
bdb18bded293d41e019ea255fa996f9bbe0916c6

SHA256
df501b331a79dbeb25315465f339adb68d5dfff315b160a900403cb497a945e8

SHA512
e8338e7bbb85653d657ccc59840491b01c33651ef5478b1c97082fcd23802423cfd191e010ce4f06f54a744957c3d49950fd34255a27f0b484e8ff31b1b8671f

Download Submit
C:\Windows\System32\HZSJZRK.exe

Filesize
2.6MB

MD5
7491027ccbdf5e5c3f2704fb7c4cac40

SHA1
e468a62716000afa91ab5c2bc9b34c22d67973ab

SHA256
1840cda9cea4d59f5fb319da15b721cf301bb2d99992c9e1471a9c17fbf39f6c

SHA512
86549bf779b10ffec71c5fe66cf82c5d83ee1fc446b0d70a9626703273f76cdb31530c4c134f1dd9bddb4809a81596357dee3bfc0eb1fbe44c7e244f2e94ea4e

Download Submit
C:\Windows\System32\HbgcuCU.exe

Filesize
2.6MB

MD5
e1d962ff8af45ed8b7ecd3d20b22d4ff

SHA1
096b34526460a522971d69def58d3466f3a48daf

SHA256
01b513851fcd2cf06fa6a402e40dad8f1ed41bd9fc6f7fd06021867bddfdbc00

SHA512
360a1d81809ee99e7b131990ce52bcb150ce7ff729b23e7d3dabe8418e652414d443c3b21856955ef8d5f31be8347bab016441983da88b3f0111bafe267b0ec2

Download Submit
C:\Windows\System32\JEaaSbW.exe

Filesize
2.6MB

MD5
ed61513ac81e08b370c1397b46875c61

SHA1
36cf2d8956ffa25e30d190525f8033cedb8fae6c

SHA256
8da1e74c571c7644bedf0b424eddd042b688e00655a290bb027b0803d8c71a03

SHA512
222053be92974721db075d5cefd188deedc452c30cedc43d52dd3fbe7c4f7ee0a3ca9f0a0d20268479066de45b9ee744aeb808e2c6afa067bb462e9891d1d500

Download Submit
C:\Windows\System32\JTBpMZL.exe

Filesize
2.6MB

MD5
b89c8981d47db8fcc198d3e8e753fbe5

SHA1
5202c0ba7d414140713ba322c88d9add721d1e9e

SHA256
31eea1a283a79a83f5e1661889269e4f82d454b95cf919577f0ed651045666d3

SHA512
a4b27aec99436434bb34a6de9dd90d03010ef2942871d8ea8a7353876f2280a0040a9fd6e94381dbc771b2c4265856d793a5b45d156e5d778f265fb236a01f13

Download Submit
C:\Windows\System32\MChPDtb.exe

Filesize
2.6MB

MD5
568918f11cfb80a03f68580f4a4b4c26

SHA1
41e5f615f49bffbeb0bc5f78bed239acc2b0f57c

SHA256
d6bd9b49f4b15081b4a8f35c22571aa7e0ad02b16e70791c37759d3779d02241

SHA512
fb5a9345a2382db76b11eb23bacb3b5492c09a75ac746a66cf71b231672d7ae1bb05155519f3d89be64757642698738a34a9a60bc1ea80915b57b1d9e207e89d

Download Submit
C:\Windows\System32\OhTncCR.exe

Filesize
2.6MB

MD5
d9375b81ef40ac349e41bd22c89433ad

SHA1
255803f76cc5cd4d0063f9dc8329c0e634e3cce0

SHA256
a1174b565a9afeaa3f0ba6e9c741004f10eda1629a28953113b5ff8f12b2af36

SHA512
8915976892a79534e1d050aaf8f9370d855f89e8558c61d7c029d05557b57026e527eea40aae52f43a76724d115eaa76b8e4d4afbf5787345ef9b69cb7537b16

Download Submit
C:\Windows\System32\QXJSMha.exe

Filesize
2.6MB

MD5
84253118ea397ca1c06dd933a7a5d30f

SHA1
ab8ec76675a664f01318db723043b5e22831a8e8

SHA256
0dd3c098c6afee795cf2b0cfc6c7769bffa7c6e3436554668fd1c4191ddb3fc6

SHA512
e75c98b0a3dbc303d675224ce9d1280186bfbcde7efccf37075016561d84033dd4f53ce39363fe78508bbbeeafcd3b55e5ad954d9b48470fd1d8806406611aa8

Download Submit
C:\Windows\System32\TDpCVvb.exe

Filesize
2.6MB

MD5
acdbf63716827b8245726628e3632b20

SHA1
602af2afe7686dafa214092dd34b8dbce43bdf30

SHA256
1b7d16e02f712dc526981c073d2881adab3694391225b98a7caafe747d821f62

SHA512
20fafa5d20630db10caa750666de79ee730e2abe355300921a9771be5d217717339c3d4f6ffb2c9a8b0fc5e19c1575f3d58bd3a7adbb8f92e038c6dd6464a2df

Download Submit
C:\Windows\System32\TVLSQsn.exe

Filesize
2.6MB

MD5
75cbeff29643ee119a222150a178db44

SHA1
1e1b9d21b2e82db6188717a89e659add4663ad48

SHA256
d111d8f819704fb133a55896f306776bd2f2a0a91d9aefa2a8b884e5ebb01128

SHA512
a228eccf22512943e47a4e84c054b5c3a1dc0b02ada4b0b093ccd7db073dd35ceccd34c12437c1c25bf0f680172187c642f192f66a26c55d6169bf180b3c353f

Download Submit
C:\Windows\System32\YrWrzcD.exe

Filesize
2.6MB

MD5
3a9fc028bc1582d2a6aefd78ca88f449

SHA1
4cc6e17bbb87b31076698788916e7d57cceccad3

SHA256
09dad2d22997038891ffe8412d20cf1e655e6aca357a19e9a9d17f421a8afa27

SHA512
82d5ab50ba6bda9b99bef0a1c5d5e0ca33ba3bc36e02261736e6f7e8664849b27161ba279f42d0785890cf9745267a2bc187b276003aa5a2a22a4ca46497d1ea

Download Submit
C:\Windows\System32\YsFITXV.exe

Filesize
2.6MB

MD5
6ca0e98a40c9575d3be06f2182743ff5

SHA1
fb806b79bbb30e59d4dba484f930ddb476139adc

SHA256
20df1a0a512a75e775089ba44451eb318ff2d8e9aaf6456779a032bb6c9f7408

SHA512
fe795ad04ef28ec56c78b5bec67660fb5b0cf23318d2d5169e4a3f70330550e936c33c393374576e464ee8465c712807d2727dbd6a7444571ee2bf145257c60d

Download Submit
C:\Windows\System32\ZGFaDev.exe

Filesize
2.6MB

MD5
a8f5e9bc03de68c18e7492254986cfb9

SHA1
4416482a1ef5006fdcc0ec1552c300852ba9f24d

SHA256
59512bec275696a13bcd5f20d3cb081cb5511998f151f586b1a18ede13f56cfa

SHA512
fb6e79017332ca3907dc829ada1efcb8659f698dd3506ba509f46ebd3a9f2951c1627fc648f6436028b08913c02c241731e3b24947539c7a5e784f8e2b32ef6e

Download Submit
C:\Windows\System32\ZpMaZNK.exe

Filesize
2.6MB

MD5
700b0ff276cf066c56b40d9cdbef1038

SHA1
a3dbc9ca8c83e20ee542ac18eea1a6613521743c

SHA256
d7b897b1a9aa919a15b22a00a4def2629de1813e887957bdf73b3fda2a67a7c8

SHA512
eb24716c3e970b44bb23caeb4c2392e9cd3f6accff8fd5b736fedbab958f8283ce523b0ba873354a4ae68faaa4da94da6bc8a04a2540f4fabd86fe58399d6dca

Download Submit
C:\Windows\System32\belylNJ.exe

Filesize
2.6MB

MD5
b42eacde37c6fbc05512d151895a1e99

SHA1
c03964f4ccbe85b2b34c8924c17f0e78eff0bd9b

SHA256
6551ed770c236267a5cda610d27e780a1e74a0dd4d48b6d07ea2487ee20797fd

SHA512
9995d51b3914e0dbfe13e0ed02f451b4d05231bd7fc306f84867d92927db84d01d1926d64ce3984c1f46cd06dea4bac370553b6506c1aa92a15123c2c3d0d2c0

Download Submit
C:\Windows\System32\bwhkxgW.exe

Filesize
2.6MB

MD5
98f8a237ab690a3fa0532ef8d734ed6c

SHA1
d66c3ea0ae31757d8977eaa8d93d75b64be1a9f5

SHA256
7b767b33ceca17eee29738148a9ef8c86d0a787d6447bc401f892bb9f130eb5a

SHA512
0f71e02f587234933a4dd35f515a824852d94590e451edaed7865be5eefcf02a7c98eeda296b39d254cefe6387b1cff54a0c85a58e9db8d0dafefde4016e6ccc

Download Submit
C:\Windows\System32\iHyfmOJ.exe

Filesize
2.6MB

MD5
88ebfd9ab4389494e31e27ec6df24b87

SHA1
bc43b7851ab203789be9da162ff056656e3624a5

SHA256
86f8599a2cc039e468e998afa8c9fdd73442176561159b23223f175ad6e7e2e2

SHA512
b8ee59fb6ff55ca644480238684054a900803bd074bc4371c37d2ef9256ba1045ec5255169bb2e2e910c50e85ddbc11957bf2834ebb04ddc3ab989385e35c6c5

Download Submit
C:\Windows\System32\iddnlZH.exe

Filesize
2.6MB

MD5
55a4ae23823160614f7583a717586913

SHA1
170315ab0696eb7fe8f9585bd59044f7b1ce48ba

SHA256
e6553eabe98fe4a551b39719b45529a530999cbad3b0343bde4d974aec2b97ba

SHA512
77a4ffaef57af4a06036ce7ce527039cd657b7d2675e011684920017e2ffbe3f067f98dc48c714671ac6dfca9729848da3b2c99089f150fcf9a7c056bb1bf910

Download Submit
C:\Windows\System32\jKjqopv.exe

Filesize
2.6MB

MD5
ecf21d380e284fa1a32bd4cba1c0be00

SHA1
9c65b051b103bda2e994ba5914337840ab94f955

SHA256
c1019f6b011be209c0c4ca7f4b983ef1197ab67538593a8c42bef9958b81ed65

SHA512
40bce953fe97e28938ce1a7107386a47ad3713ca88ebc326eb4bd03df2287898e691baf42e45e76ef9aa2aa0328379e536998098428215c70a3f263fd62041db

Download Submit
C:\Windows\System32\nsYHQOm.exe

Filesize
2.6MB

MD5
63242817775e438cd1754aa1b797debf

SHA1
656ffd0d489e82707c975c5783f8bd86c757e0d6

SHA256
41f4a78142fffd7ee6f436526c58e75af8934422d25186ed99afd42cec17c2df

SHA512
15e7e7826a3b3300cc8dbcb18004cb8b227326ed39b90a9fb59487f853ac356a864dc1967606a1abc48822035b47d4e787b5406caa9a0547ef7ade770ef44bee

Download Submit
C:\Windows\System32\oMrkBXm.exe

Filesize
2.6MB

MD5
62d2e8d06d1f684a860af93850909cf9

SHA1
1722ed169712d5ac90f2fbb1723c977565ba7146

SHA256
e075f89ddbd62e214aa70bd8ae86406b0566a6547825762711a70f5cac60226d

SHA512
5187de4d77311f7079698d08b2d5ea33228842469e761944bf43c6d0b86612141e0e3eaa1b8a0d6e680cdae76971261b071475156a7ff0942a141fe81c245883

Download Submit
C:\Windows\System32\otQiTyU.exe

Filesize
2.6MB

MD5
b600bf6252acdbc7f91afec01c75b29b

SHA1
b6f322f78cf12795562a9a6c339177ba3b03acf8

SHA256
f581f44702dd2aed164745dceb5008dfaa572ce6b0530360843a0364c16a56aa

SHA512
ddc87790f50fced99e1b07e7f5928ea264ded4f1e3abf501dac069ac71ec7def98c1eb8d4388358c99f85c7331cb65a9b0e0b4de0369efb95fd650283a7dbc45

Download Submit
C:\Windows\System32\pCJaOaP.exe

Filesize
2.6MB

MD5
d5b4f2a846a661dacd413eff067bd6f4

SHA1
1470f61a77528ad1e11967974c3867da67eb98a9

SHA256
68e608ffb15ee613505d6ee8656e5927e6c5980ee44e8be2240ffaaf3717add0

SHA512
8a13cd76781d9b129f49fa90a47c8a80aa28aafcc0666e72617cd095f81bee7becaff1b21a495fd20c03d9482304f0d61eafc4c27bc07a20b00c72326bb5c59b

Download Submit
C:\Windows\System32\pXBGlZJ.exe

Filesize
2.6MB

MD5
f7ee80a5ed30274621e1f59020c140d4

SHA1
f061dce9218846bc4c32832d193354c0e6fe100b

SHA256
bf7450a78f9e599b100e646c990ee2865ee0d0350c4d79599935572145e7a996

SHA512
331134182e97dbca969c2c5a6dfdf3489407af6cb8b1c76da538eacd4272335062fa06e085a264fd48f2d05b95991e29854250d8b2fb13ee0534b0072600f462

Download Submit
C:\Windows\System32\seJjMzv.exe

Filesize
2.6MB

MD5
f0c13f887ffa8e599e3aa07d4bc47983

SHA1
de7dc1b7f4fac51715cda8c1c30b77fd30b7cfe1

SHA256
3ec7375abf95e098756e1db6445cb6866e1a4ccdf1623b29f8c794d82267e7d6

SHA512
4c6b5a55abc7d3568f43ce70fd3460c4f7f303e0040440a6ec9743f051d77926b14e14dcecb94312e3ff6bbf34a5d04dc5e6fb5525e09cfe4ec7043a03459367

Download Submit
C:\Windows\System32\usvgXHS.exe

Filesize
2.6MB

MD5
d2fdba04d83e9e69168fad111511c24d

SHA1
a869abca02ef804e2ca61602984b9f44758f03ab

SHA256
88606bc7d80824a7b3e2d5acf3ba32ffd9a56ae1cf051d28bf10cbb18357bc26

SHA512
652b88bbde3c17fc3b2bb0497d15420e6f8ff35316ed88955af697e106fee2658e4fae6eff2ea3734c993acd0da03c282e73403f5261e4a0b200df2402eeeb6a

Download Submit
C:\Windows\System32\xFHnOsF.exe

Filesize
2.6MB

MD5
4571cbad5303b7467daebf12b8d9f640

SHA1
a5eda87c84719f71fac0a3477e566ffaee6f46a9

SHA256
5d0fcd5f07a6050e2a11a6d40efd2a1df3b08769e4afe9b9133ce32acbeb15b7

SHA512
ef245ce13bfd5b5d76d4d9b8411012d81b802beb8651f0a83683196a2f80f85e968c768af2c2894c628d251b3f45185da693c0c9d144facb3d14bf6bd80800c5

Download Submit
memory/768-496-0x00007FF60EFC0000-0x00007FF60F3B5000-memory.dmp

Filesize
4.0MB

Download
memory/1232-534-0x00007FF7EDFD0000-0x00007FF7EE3C5000-memory.dmp

Filesize
4.0MB

Download
memory/1280-493-0x00007FF68AB80000-0x00007FF68AF75000-memory.dmp

Filesize
4.0MB

Download
memory/1396-551-0x00007FF6CB360000-0x00007FF6CB755000-memory.dmp

Filesize
4.0MB

Download
memory/1520-7-0x00007FF69A050000-0x00007FF69A445000-memory.dmp

Filesize
4.0MB

Download
memory/1564-498-0x00007FF7279F0000-0x00007FF727DE5000-memory.dmp

Filesize
4.0MB

Download
memory/1800-510-0x00007FF7E91F0000-0x00007FF7E95E5000-memory.dmp

Filesize
4.0MB

Download
memory/2008-541-0x00007FF64ACE0000-0x00007FF64B0D5000-memory.dmp

Filesize
4.0MB

Download
memory/2376-15-0x00007FF642760000-0x00007FF642B55000-memory.dmp

Filesize
4.0MB

Download
memory/2376-2526-0x00007FF642760000-0x00007FF642B55000-memory.dmp

Filesize
4.0MB

Download
memory/3152-516-0x00007FF661A10000-0x00007FF661E05000-memory.dmp

Filesize
4.0MB

Download
memory/3620-1-0x00000219487D0000-0x00000219487E0000-memory.dmp

Filesize
64KB

Download
memory/3620-0-0x00007FF731810000-0x00007FF731C05000-memory.dmp

Filesize
4.0MB

Download
memory/3620-2407-0x00007FF731810000-0x00007FF731C05000-memory.dmp

Filesize
4.0MB

Download
memory/4056-499-0x00007FF7418A0000-0x00007FF741C95000-memory.dmp

Filesize
4.0MB

Download
memory/4328-492-0x00007FF65C6E0000-0x00007FF65CAD5000-memory.dmp

Filesize
4.0MB

Download
memory/4352-503-0x00007FF7E27C0000-0x00007FF7E2BB5000-memory.dmp

Filesize
4.0MB

Download
memory/4568-544-0x00007FF655C60000-0x00007FF656055000-memory.dmp

Filesize
4.0MB

Download
memory/4780-555-0x00007FF749AD0000-0x00007FF749EC5000-memory.dmp

Filesize
4.0MB

Download
memory/4972-537-0x00007FF78C6B0000-0x00007FF78CAA5000-memory.dmp

Filesize
4.0MB

Download
memory/5060-497-0x00007FF7B1EB0000-0x00007FF7B22A5000-memory.dmp

Filesize
4.0MB

Download
memory/5116-523-0x00007FF72E170000-0x00007FF72E565000-memory.dmp

Filesize
4.0MB

Download
memory/5196-495-0x00007FF729810000-0x00007FF729C05000-memory.dmp

Filesize
4.0MB

Download
memory/5204-569-0x00007FF656F70000-0x00007FF657365000-memory.dmp

Filesize
4.0MB

Download
memory/5520-562-0x00007FF755DB0000-0x00007FF7561A5000-memory.dmp

Filesize
4.0MB

Download
memory/5528-494-0x00007FF724BB0000-0x00007FF724FA5000-memory.dmp

Filesize
4.0MB

Download
memory/5712-561-0x00007FF685E30000-0x00007FF686225000-memory.dmp

Filesize
4.0MB

Download
memory/5852-527-0x00007FF7AEC50000-0x00007FF7AF045000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads