xmrig | f2e41bcf7b42772aa4a6b3ff72c2b8134baf28cbd27a9e918f839947643e6989

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
Size

2.1MB
MD5

537606db4c787a8fbf13cd09ce0af5d0
SHA1

53a07a8a0214fc205c8fe8bae823b78d826f95f3
SHA256

f2e41bcf7b42772aa4a6b3ff72c2b8134baf28cbd27a9e918f839947643e6989
SHA512

27488fe9d73473e943737bd11e7e03d0236051d026897b96cf5c5a02692f6fc57fc74cce53093facd7a915e9ad47775e512803c7611a5bc2b32cb87653030af0
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wICbbnlD5/xFVP9OHiMX:BemTLkNdfE0pZrX

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3416-0-0x00007FF7BA210000-0x00007FF7BA564000-memory.dmp	xmrig
behavioral2/files/0x00050000000232a4-8.dat	xmrig
behavioral2/files/0x000700000002344e-13.dat	xmrig
behavioral2/files/0x0007000000023450-26.dat	xmrig
behavioral2/memory/4020-25-0x00007FF7B4090000-0x00007FF7B43E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023451-32.dat	xmrig
behavioral2/files/0x0007000000023452-37.dat	xmrig
behavioral2/memory/1692-40-0x00007FF6F9010000-0x00007FF6F9364000-memory.dmp	xmrig
behavioral2/memory/3684-38-0x00007FF675500000-0x00007FF675854000-memory.dmp	xmrig
behavioral2/memory/2360-33-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344f-30.dat	xmrig
behavioral2/memory/4248-27-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp	xmrig
behavioral2/memory/4808-23-0x00007FF64E500000-0x00007FF64E854000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-22.dat	xmrig
behavioral2/memory/404-16-0x00007FF745D40000-0x00007FF746094000-memory.dmp	xmrig
behavioral2/files/0x0007000000023453-48.dat	xmrig
behavioral2/files/0x0009000000023446-52.dat	xmrig
behavioral2/memory/912-57-0x00007FF6244C0000-0x00007FF624814000-memory.dmp	xmrig
behavioral2/files/0x0007000000023457-73.dat	xmrig
behavioral2/files/0x0007000000023454-71.dat	xmrig
behavioral2/files/0x0007000000023456-79.dat	xmrig
behavioral2/files/0x000700000002345a-92.dat	xmrig
behavioral2/files/0x0007000000023459-90.dat	xmrig
behavioral2/memory/2604-83-0x00007FF6CC9A0000-0x00007FF6CCCF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023458-77.dat	xmrig
behavioral2/files/0x0007000000023455-74.dat	xmrig
behavioral2/memory/2224-68-0x00007FF665140000-0x00007FF665494000-memory.dmp	xmrig
behavioral2/memory/5004-51-0x00007FF6DF540000-0x00007FF6DF894000-memory.dmp	xmrig
behavioral2/memory/3524-94-0x00007FF729A20000-0x00007FF729D74000-memory.dmp	xmrig
behavioral2/memory/5028-95-0x00007FF725D90000-0x00007FF7260E4000-memory.dmp	xmrig
behavioral2/memory/2340-97-0x00007FF6FFEC0000-0x00007FF700214000-memory.dmp	xmrig
behavioral2/memory/1552-96-0x00007FF7B6860000-0x00007FF7B6BB4000-memory.dmp	xmrig
behavioral2/memory/1768-98-0x00007FF691F10000-0x00007FF692264000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-100.dat	xmrig
behavioral2/files/0x000700000002345d-121.dat	xmrig
behavioral2/memory/2044-129-0x00007FF705C70000-0x00007FF705FC4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-132.dat	xmrig
behavioral2/files/0x0007000000023461-140.dat	xmrig
behavioral2/memory/4372-148-0x00007FF687760000-0x00007FF687AB4000-memory.dmp	xmrig
behavioral2/memory/3684-150-0x00007FF675500000-0x00007FF675854000-memory.dmp	xmrig
behavioral2/memory/4736-152-0x00007FF7F4AE0000-0x00007FF7F4E34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-155.dat	xmrig
behavioral2/files/0x0007000000023460-154.dat	xmrig
behavioral2/files/0x0007000000023462-153.dat	xmrig
behavioral2/memory/1000-151-0x00007FF7FEA70000-0x00007FF7FEDC4000-memory.dmp	xmrig
behavioral2/memory/4760-149-0x00007FF7E91F0000-0x00007FF7E9544000-memory.dmp	xmrig
behavioral2/memory/2360-145-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp	xmrig
behavioral2/memory/3888-142-0x00007FF6FD360000-0x00007FF6FD6B4000-memory.dmp	xmrig
behavioral2/memory/4248-136-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp	xmrig
behavioral2/memory/2888-135-0x00007FF797230000-0x00007FF797584000-memory.dmp	xmrig
behavioral2/memory/4792-127-0x00007FF75DF00000-0x00007FF75E254000-memory.dmp	xmrig
behavioral2/files/0x000700000002345e-126.dat	xmrig
behavioral2/files/0x0007000000023466-170.dat	xmrig
behavioral2/files/0x000700000002346a-190.dat	xmrig
behavioral2/memory/4456-631-0x00007FF757090000-0x00007FF7573E4000-memory.dmp	xmrig
behavioral2/memory/3720-641-0x00007FF6BA580000-0x00007FF6BA8D4000-memory.dmp	xmrig
behavioral2/memory/3296-638-0x00007FF740CD0000-0x00007FF741024000-memory.dmp	xmrig
behavioral2/memory/2608-637-0x00007FF6D9B30000-0x00007FF6D9E84000-memory.dmp	xmrig
behavioral2/files/0x000700000002346c-194.dat	xmrig
behavioral2/files/0x000700000002346b-189.dat	xmrig
behavioral2/files/0x0007000000023469-184.dat	xmrig
behavioral2/files/0x0007000000023468-180.dat	xmrig
behavioral2/files/0x0007000000023467-175.dat	xmrig
behavioral2/files/0x0007000000023464-165.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
404	bHlgodM.exe
4020	OVaEGwL.exe
4808	HTVZpoJ.exe
4248	qDweOBB.exe
2360	fMclfYq.exe
3684	HTrIrXU.exe
1692	owfaMNu.exe
5004	gWktZZT.exe
912	LQugKwD.exe
2224	lXlspZf.exe
2340	ruLUPgD.exe
2604	MiutkFp.exe
3524	FUTAsmx.exe
5028	xCVrAkW.exe
1768	ELgpFip.exe
1552	tatBJzP.exe
4656	CGeduCo.exe
2044	zeZtNqq.exe
2888	wBcPpxN.exe
4792	IfsFOjD.exe
3888	rXGNwDJ.exe
4372	xAjcAaO.exe
4760	aSjxTNK.exe
4736	jAJsljy.exe
1000	xksNIDL.exe
4456	OBMfsVE.exe
2608	GyYDGmW.exe
3296	VtvAGxe.exe
3720	oyeJnPN.exe
4184	dbRfVgE.exe
2020	TZmOEUD.exe
5024	RXtIhaB.exe
2748	vAFhuxj.exe
3444	SErKBMV.exe
540	yciaNXR.exe
4580	ERZdbZw.exe
904	YdppFdy.exe
2908	zfrjDWv.exe
2940	WANOXET.exe
4336	XdadlwB.exe
4344	mzFfjmB.exe
556	YoNwFYQ.exe
724	KpVaQPI.exe
4832	dqvQVEl.exe
2284	haCzxVO.exe
2456	ZTFTocp.exe
2196	LLKpNwD.exe
228	MxZHUnT.exe
3196	lniQcql.exe
4612	zdnRdVw.exe
548	YPoQGQn.exe
4408	HxCeEQY.exe
4772	ufaTgHy.exe
4948	hNPZTDn.exe
4844	hhveZNn.exe
3832	KzVSCRB.exe
800	Ydigyyk.exe
3312	ZUXEKlt.exe
316	tkpiQOT.exe
1308	bkIfTqY.exe
1628	dvCewFV.exe
1140	IMHVdLQ.exe
468	nGzXQWn.exe
1940	FUMLFcO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3416-0-0x00007FF7BA210000-0x00007FF7BA564000-memory.dmp	upx
behavioral2/files/0x00050000000232a4-8.dat	upx
behavioral2/files/0x000700000002344e-13.dat	upx
behavioral2/files/0x0007000000023450-26.dat	upx
behavioral2/memory/4020-25-0x00007FF7B4090000-0x00007FF7B43E4000-memory.dmp	upx
behavioral2/files/0x0007000000023451-32.dat	upx
behavioral2/files/0x0007000000023452-37.dat	upx
behavioral2/memory/1692-40-0x00007FF6F9010000-0x00007FF6F9364000-memory.dmp	upx
behavioral2/memory/3684-38-0x00007FF675500000-0x00007FF675854000-memory.dmp	upx
behavioral2/memory/2360-33-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp	upx
behavioral2/files/0x000700000002344f-30.dat	upx
behavioral2/memory/4248-27-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp	upx
behavioral2/memory/4808-23-0x00007FF64E500000-0x00007FF64E854000-memory.dmp	upx
behavioral2/files/0x000700000002344d-22.dat	upx
behavioral2/memory/404-16-0x00007FF745D40000-0x00007FF746094000-memory.dmp	upx
behavioral2/files/0x0007000000023453-48.dat	upx
behavioral2/files/0x0009000000023446-52.dat	upx
behavioral2/memory/912-57-0x00007FF6244C0000-0x00007FF624814000-memory.dmp	upx
behavioral2/files/0x0007000000023457-73.dat	upx
behavioral2/files/0x0007000000023454-71.dat	upx
behavioral2/files/0x0007000000023456-79.dat	upx
behavioral2/files/0x000700000002345a-92.dat	upx
behavioral2/files/0x0007000000023459-90.dat	upx
behavioral2/memory/2604-83-0x00007FF6CC9A0000-0x00007FF6CCCF4000-memory.dmp	upx
behavioral2/files/0x0007000000023458-77.dat	upx
behavioral2/files/0x0007000000023455-74.dat	upx
behavioral2/memory/2224-68-0x00007FF665140000-0x00007FF665494000-memory.dmp	upx
behavioral2/memory/5004-51-0x00007FF6DF540000-0x00007FF6DF894000-memory.dmp	upx
behavioral2/memory/3524-94-0x00007FF729A20000-0x00007FF729D74000-memory.dmp	upx
behavioral2/memory/5028-95-0x00007FF725D90000-0x00007FF7260E4000-memory.dmp	upx
behavioral2/memory/2340-97-0x00007FF6FFEC0000-0x00007FF700214000-memory.dmp	upx
behavioral2/memory/1552-96-0x00007FF7B6860000-0x00007FF7B6BB4000-memory.dmp	upx
behavioral2/memory/1768-98-0x00007FF691F10000-0x00007FF692264000-memory.dmp	upx
behavioral2/files/0x000700000002345b-100.dat	upx
behavioral2/files/0x000700000002345d-121.dat	upx
behavioral2/memory/2044-129-0x00007FF705C70000-0x00007FF705FC4000-memory.dmp	upx
behavioral2/files/0x000700000002345f-132.dat	upx
behavioral2/files/0x0007000000023461-140.dat	upx
behavioral2/memory/4372-148-0x00007FF687760000-0x00007FF687AB4000-memory.dmp	upx
behavioral2/memory/3684-150-0x00007FF675500000-0x00007FF675854000-memory.dmp	upx
behavioral2/memory/4736-152-0x00007FF7F4AE0000-0x00007FF7F4E34000-memory.dmp	upx
behavioral2/files/0x0007000000023463-155.dat	upx
behavioral2/files/0x0007000000023460-154.dat	upx
behavioral2/files/0x0007000000023462-153.dat	upx
behavioral2/memory/1000-151-0x00007FF7FEA70000-0x00007FF7FEDC4000-memory.dmp	upx
behavioral2/memory/4760-149-0x00007FF7E91F0000-0x00007FF7E9544000-memory.dmp	upx
behavioral2/memory/2360-145-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp	upx
behavioral2/memory/3888-142-0x00007FF6FD360000-0x00007FF6FD6B4000-memory.dmp	upx
behavioral2/memory/4248-136-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp	upx
behavioral2/memory/2888-135-0x00007FF797230000-0x00007FF797584000-memory.dmp	upx
behavioral2/memory/4792-127-0x00007FF75DF00000-0x00007FF75E254000-memory.dmp	upx
behavioral2/files/0x000700000002345e-126.dat	upx
behavioral2/files/0x0007000000023466-170.dat	upx
behavioral2/files/0x000700000002346a-190.dat	upx
behavioral2/memory/4456-631-0x00007FF757090000-0x00007FF7573E4000-memory.dmp	upx
behavioral2/memory/3720-641-0x00007FF6BA580000-0x00007FF6BA8D4000-memory.dmp	upx
behavioral2/memory/3296-638-0x00007FF740CD0000-0x00007FF741024000-memory.dmp	upx
behavioral2/memory/2608-637-0x00007FF6D9B30000-0x00007FF6D9E84000-memory.dmp	upx
behavioral2/files/0x000700000002346c-194.dat	upx
behavioral2/files/0x000700000002346b-189.dat	upx
behavioral2/files/0x0007000000023469-184.dat	upx
behavioral2/files/0x0007000000023468-180.dat	upx
behavioral2/files/0x0007000000023467-175.dat	upx
behavioral2/files/0x0007000000023464-165.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\vjOJVFw.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\KqDukCn.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\ONThNtg.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\VhtdJTs.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\CQUeKDs.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\AxSLLZp.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\vIXutYo.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\oChTmhk.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\WAfdpmj.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\SSxskpw.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\FloguyD.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\mQsCLTc.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\SbOuyYX.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\ssoIRri.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\cDxztLa.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\uEdfZuN.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\wBcPpxN.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\HVfecvi.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\Bkwbrge.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\EsXmCef.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\whqkYHy.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\lniQcql.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\ahmUMdN.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\VtvAGxe.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\CpLeCun.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\OEbLieA.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\ZVCipHI.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\hEKJsdL.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\DFphmus.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\WXCDLiB.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\KPyszDT.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\jmVCQCr.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\pbiuVKr.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\UDnEYzr.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\tatBJzP.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\soEQmaP.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\MhUypFi.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\XiKWbhS.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\lAotUok.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\TCEwugS.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\NtxcVJC.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\vjcuyJd.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\rYrLmhZ.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\wBHZpGp.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\bmugobD.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\MEtTzRQ.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\vtjqGty.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\VoaZcCX.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\VUluFCb.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\fHevMtX.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\GSnGRVF.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\uCSCxMr.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\RXtIhaB.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\ccERKDX.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\DspgRmg.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\OQIzeiD.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\YPoQGQn.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\RBQtTTP.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\XPjeCjk.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\nXiloOg.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\myhgQWt.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\gUKobVZ.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\GOiWPLw.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
File created	C:\Windows\System\TGrHkzS.exe	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14704	dwm.exe
Token: SeChangeNotifyPrivilege	14704	dwm.exe
Token: 33	14704	dwm.exe
Token: SeIncBasePriorityPrivilege	14704	dwm.exe
Token: SeCreateGlobalPrivilege	15324	dwm.exe
Token: SeChangeNotifyPrivilege	15324	dwm.exe
Token: 33	15324	dwm.exe
Token: SeIncBasePriorityPrivilege	15324	dwm.exe
Token: SeCreateGlobalPrivilege	14440	dwm.exe
Token: SeChangeNotifyPrivilege	14440	dwm.exe
Token: 33	14440	dwm.exe
Token: SeIncBasePriorityPrivilege	14440	dwm.exe
Token: SeCreateGlobalPrivilege	14044	dwm.exe
Token: SeChangeNotifyPrivilege	14044	dwm.exe
Token: 33	14044	dwm.exe
Token: SeIncBasePriorityPrivilege	14044	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 404	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	84
PID 3416 wrote to memory of 404	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	84
PID 3416 wrote to memory of 4020	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	85
PID 3416 wrote to memory of 4020	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	85
PID 3416 wrote to memory of 4808	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	86
PID 3416 wrote to memory of 4808	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	86
PID 3416 wrote to memory of 4248	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	87
PID 3416 wrote to memory of 4248	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	87
PID 3416 wrote to memory of 2360	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	88
PID 3416 wrote to memory of 2360	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	88
PID 3416 wrote to memory of 3684	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	89
PID 3416 wrote to memory of 3684	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	89
PID 3416 wrote to memory of 1692	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	90
PID 3416 wrote to memory of 1692	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	90
PID 3416 wrote to memory of 5004	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	91
PID 3416 wrote to memory of 5004	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	91
PID 3416 wrote to memory of 912	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	92
PID 3416 wrote to memory of 912	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	92
PID 3416 wrote to memory of 2224	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	93
PID 3416 wrote to memory of 2224	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	93
PID 3416 wrote to memory of 2340	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	94
PID 3416 wrote to memory of 2340	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	94
PID 3416 wrote to memory of 2604	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	95
PID 3416 wrote to memory of 2604	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	95
PID 3416 wrote to memory of 3524	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	96
PID 3416 wrote to memory of 3524	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	96
PID 3416 wrote to memory of 5028	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	97
PID 3416 wrote to memory of 5028	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	97
PID 3416 wrote to memory of 1768	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	98
PID 3416 wrote to memory of 1768	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	98
PID 3416 wrote to memory of 1552	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	99
PID 3416 wrote to memory of 1552	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	99
PID 3416 wrote to memory of 4656	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	100
PID 3416 wrote to memory of 4656	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	100
PID 3416 wrote to memory of 2044	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	101
PID 3416 wrote to memory of 2044	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	101
PID 3416 wrote to memory of 2888	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	102
PID 3416 wrote to memory of 2888	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	102
PID 3416 wrote to memory of 4792	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	103
PID 3416 wrote to memory of 4792	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	103
PID 3416 wrote to memory of 3888	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	104
PID 3416 wrote to memory of 3888	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	104
PID 3416 wrote to memory of 4760	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	105
PID 3416 wrote to memory of 4760	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	105
PID 3416 wrote to memory of 4372	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	106
PID 3416 wrote to memory of 4372	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	106
PID 3416 wrote to memory of 4736	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	107
PID 3416 wrote to memory of 4736	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	107
PID 3416 wrote to memory of 1000	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	109
PID 3416 wrote to memory of 1000	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	109
PID 3416 wrote to memory of 4456	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	110
PID 3416 wrote to memory of 4456	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	110
PID 3416 wrote to memory of 2608	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	111
PID 3416 wrote to memory of 2608	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	111
PID 3416 wrote to memory of 3296	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	112
PID 3416 wrote to memory of 3296	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	112
PID 3416 wrote to memory of 3720	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	113
PID 3416 wrote to memory of 3720	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	113
PID 3416 wrote to memory of 4184	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	114
PID 3416 wrote to memory of 4184	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	114
PID 3416 wrote to memory of 2020	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	115
PID 3416 wrote to memory of 2020	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	115
PID 3416 wrote to memory of 5024	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	116
PID 3416 wrote to memory of 5024	3416	537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\537606db4c787a8fbf13cd09ce0af5d0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\System\bHlgodM.exe
  C:\Windows\System\bHlgodM.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\OVaEGwL.exe
  C:\Windows\System\OVaEGwL.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\HTVZpoJ.exe
  C:\Windows\System\HTVZpoJ.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\qDweOBB.exe
  C:\Windows\System\qDweOBB.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\fMclfYq.exe
  C:\Windows\System\fMclfYq.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\HTrIrXU.exe
  C:\Windows\System\HTrIrXU.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\owfaMNu.exe
  C:\Windows\System\owfaMNu.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\gWktZZT.exe
  C:\Windows\System\gWktZZT.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\LQugKwD.exe
  C:\Windows\System\LQugKwD.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\lXlspZf.exe
  C:\Windows\System\lXlspZf.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\ruLUPgD.exe
  C:\Windows\System\ruLUPgD.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\MiutkFp.exe
  C:\Windows\System\MiutkFp.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\FUTAsmx.exe
  C:\Windows\System\FUTAsmx.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\xCVrAkW.exe
  C:\Windows\System\xCVrAkW.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\ELgpFip.exe
  C:\Windows\System\ELgpFip.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\tatBJzP.exe
  C:\Windows\System\tatBJzP.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\CGeduCo.exe
  C:\Windows\System\CGeduCo.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\zeZtNqq.exe
  C:\Windows\System\zeZtNqq.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\wBcPpxN.exe
  C:\Windows\System\wBcPpxN.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\IfsFOjD.exe
  C:\Windows\System\IfsFOjD.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\rXGNwDJ.exe
  C:\Windows\System\rXGNwDJ.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\aSjxTNK.exe
  C:\Windows\System\aSjxTNK.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\xAjcAaO.exe
  C:\Windows\System\xAjcAaO.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\jAJsljy.exe
  C:\Windows\System\jAJsljy.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\xksNIDL.exe
  C:\Windows\System\xksNIDL.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\OBMfsVE.exe
  C:\Windows\System\OBMfsVE.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\GyYDGmW.exe
  C:\Windows\System\GyYDGmW.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\VtvAGxe.exe
  C:\Windows\System\VtvAGxe.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\oyeJnPN.exe
  C:\Windows\System\oyeJnPN.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\dbRfVgE.exe
  C:\Windows\System\dbRfVgE.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\TZmOEUD.exe
  C:\Windows\System\TZmOEUD.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\RXtIhaB.exe
  C:\Windows\System\RXtIhaB.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\vAFhuxj.exe
  C:\Windows\System\vAFhuxj.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\SErKBMV.exe
  C:\Windows\System\SErKBMV.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\yciaNXR.exe
  C:\Windows\System\yciaNXR.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\ERZdbZw.exe
  C:\Windows\System\ERZdbZw.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\YdppFdy.exe
  C:\Windows\System\YdppFdy.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Windows\System\zfrjDWv.exe
  C:\Windows\System\zfrjDWv.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\WANOXET.exe
  C:\Windows\System\WANOXET.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\XdadlwB.exe
  C:\Windows\System\XdadlwB.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\mzFfjmB.exe
  C:\Windows\System\mzFfjmB.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\YoNwFYQ.exe
  C:\Windows\System\YoNwFYQ.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\KpVaQPI.exe
  C:\Windows\System\KpVaQPI.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\dqvQVEl.exe
  C:\Windows\System\dqvQVEl.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\haCzxVO.exe
  C:\Windows\System\haCzxVO.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\ZTFTocp.exe
  C:\Windows\System\ZTFTocp.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\LLKpNwD.exe
  C:\Windows\System\LLKpNwD.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\MxZHUnT.exe
  C:\Windows\System\MxZHUnT.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\lniQcql.exe
  C:\Windows\System\lniQcql.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\zdnRdVw.exe
  C:\Windows\System\zdnRdVw.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\YPoQGQn.exe
  C:\Windows\System\YPoQGQn.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\HxCeEQY.exe
  C:\Windows\System\HxCeEQY.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\ufaTgHy.exe
  C:\Windows\System\ufaTgHy.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\hNPZTDn.exe
  C:\Windows\System\hNPZTDn.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\hhveZNn.exe
  C:\Windows\System\hhveZNn.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\KzVSCRB.exe
  C:\Windows\System\KzVSCRB.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\Ydigyyk.exe
  C:\Windows\System\Ydigyyk.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\ZUXEKlt.exe
  C:\Windows\System\ZUXEKlt.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\tkpiQOT.exe
  C:\Windows\System\tkpiQOT.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\bkIfTqY.exe
  C:\Windows\System\bkIfTqY.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\dvCewFV.exe
  C:\Windows\System\dvCewFV.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\IMHVdLQ.exe
  C:\Windows\System\IMHVdLQ.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\nGzXQWn.exe
  C:\Windows\System\nGzXQWn.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\FUMLFcO.exe
  C:\Windows\System\FUMLFcO.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\QyNucdL.exe
  C:\Windows\System\QyNucdL.exe
  2⤵
  PID:4428
- C:\Windows\System\CQUeKDs.exe
  C:\Windows\System\CQUeKDs.exe
  2⤵
  PID:4976
- C:\Windows\System\qWztSUv.exe
  C:\Windows\System\qWztSUv.exe
  2⤵
  PID:3120
- C:\Windows\System\jTOIBez.exe
  C:\Windows\System\jTOIBez.exe
  2⤵
  PID:4340
- C:\Windows\System\SMdJxfm.exe
  C:\Windows\System\SMdJxfm.exe
  2⤵
  PID:2024
- C:\Windows\System\LgTOwpS.exe
  C:\Windows\System\LgTOwpS.exe
  2⤵
  PID:3400
- C:\Windows\System\UAhRqWn.exe
  C:\Windows\System\UAhRqWn.exe
  2⤵
  PID:2416
- C:\Windows\System\VvzwNMr.exe
  C:\Windows\System\VvzwNMr.exe
  2⤵
  PID:1884
- C:\Windows\System\fAMKKwB.exe
  C:\Windows\System\fAMKKwB.exe
  2⤵
  PID:3844
- C:\Windows\System\RtTbNLy.exe
  C:\Windows\System\RtTbNLy.exe
  2⤵
  PID:1960
- C:\Windows\System\MQmtirs.exe
  C:\Windows\System\MQmtirs.exe
  2⤵
  PID:1496
- C:\Windows\System\nSTSxOM.exe
  C:\Windows\System\nSTSxOM.exe
  2⤵
  PID:3436
- C:\Windows\System\IrJoHnb.exe
  C:\Windows\System\IrJoHnb.exe
  2⤵
  PID:452
- C:\Windows\System\XymojBS.exe
  C:\Windows\System\XymojBS.exe
  2⤵
  PID:3652
- C:\Windows\System\pSROsEL.exe
  C:\Windows\System\pSROsEL.exe
  2⤵
  PID:1012
- C:\Windows\System\ZtqPlTZ.exe
  C:\Windows\System\ZtqPlTZ.exe
  2⤵
  PID:412
- C:\Windows\System\wfAoxbY.exe
  C:\Windows\System\wfAoxbY.exe
  2⤵
  PID:3304
- C:\Windows\System\yFUlUwF.exe
  C:\Windows\System\yFUlUwF.exe
  2⤵
  PID:5140
- C:\Windows\System\gvKxbHj.exe
  C:\Windows\System\gvKxbHj.exe
  2⤵
  PID:5168
- C:\Windows\System\BzhNmDB.exe
  C:\Windows\System\BzhNmDB.exe
  2⤵
  PID:5196
- C:\Windows\System\znorjpx.exe
  C:\Windows\System\znorjpx.exe
  2⤵
  PID:5224
- C:\Windows\System\QwVHmHq.exe
  C:\Windows\System\QwVHmHq.exe
  2⤵
  PID:5252
- C:\Windows\System\HHPhdIC.exe
  C:\Windows\System\HHPhdIC.exe
  2⤵
  PID:5280
- C:\Windows\System\vayOchR.exe
  C:\Windows\System\vayOchR.exe
  2⤵
  PID:5308
- C:\Windows\System\MngNsRw.exe
  C:\Windows\System\MngNsRw.exe
  2⤵
  PID:5336
- C:\Windows\System\BZQClnm.exe
  C:\Windows\System\BZQClnm.exe
  2⤵
  PID:5364
- C:\Windows\System\WWHIZBG.exe
  C:\Windows\System\WWHIZBG.exe
  2⤵
  PID:5392
- C:\Windows\System\CBCHKkD.exe
  C:\Windows\System\CBCHKkD.exe
  2⤵
  PID:5420
- C:\Windows\System\iqJkZjZ.exe
  C:\Windows\System\iqJkZjZ.exe
  2⤵
  PID:5448
- C:\Windows\System\jmVCQCr.exe
  C:\Windows\System\jmVCQCr.exe
  2⤵
  PID:5476
- C:\Windows\System\XHEIekD.exe
  C:\Windows\System\XHEIekD.exe
  2⤵
  PID:5504
- C:\Windows\System\btPMPUw.exe
  C:\Windows\System\btPMPUw.exe
  2⤵
  PID:5532
- C:\Windows\System\paKaFQz.exe
  C:\Windows\System\paKaFQz.exe
  2⤵
  PID:5560
- C:\Windows\System\xjGgdQd.exe
  C:\Windows\System\xjGgdQd.exe
  2⤵
  PID:5588
- C:\Windows\System\QyWuevp.exe
  C:\Windows\System\QyWuevp.exe
  2⤵
  PID:5616
- C:\Windows\System\PPDCBCD.exe
  C:\Windows\System\PPDCBCD.exe
  2⤵
  PID:5644
- C:\Windows\System\cDxztLa.exe
  C:\Windows\System\cDxztLa.exe
  2⤵
  PID:5672
- C:\Windows\System\wiEkTHy.exe
  C:\Windows\System\wiEkTHy.exe
  2⤵
  PID:5700
- C:\Windows\System\yEpDZWr.exe
  C:\Windows\System\yEpDZWr.exe
  2⤵
  PID:5728
- C:\Windows\System\nqiApEB.exe
  C:\Windows\System\nqiApEB.exe
  2⤵
  PID:5756
- C:\Windows\System\KUVKsYn.exe
  C:\Windows\System\KUVKsYn.exe
  2⤵
  PID:5784
- C:\Windows\System\hEKJsdL.exe
  C:\Windows\System\hEKJsdL.exe
  2⤵
  PID:5812
- C:\Windows\System\PtMWZhZ.exe
  C:\Windows\System\PtMWZhZ.exe
  2⤵
  PID:5840
- C:\Windows\System\EfOTOmL.exe
  C:\Windows\System\EfOTOmL.exe
  2⤵
  PID:5868
- C:\Windows\System\Pxscrou.exe
  C:\Windows\System\Pxscrou.exe
  2⤵
  PID:5896
- C:\Windows\System\DHEtheV.exe
  C:\Windows\System\DHEtheV.exe
  2⤵
  PID:5924
- C:\Windows\System\rFrVzSG.exe
  C:\Windows\System\rFrVzSG.exe
  2⤵
  PID:5952
- C:\Windows\System\xFKHeZx.exe
  C:\Windows\System\xFKHeZx.exe
  2⤵
  PID:5980
- C:\Windows\System\prxdqmz.exe
  C:\Windows\System\prxdqmz.exe
  2⤵
  PID:6008
- C:\Windows\System\FMgigTt.exe
  C:\Windows\System\FMgigTt.exe
  2⤵
  PID:6036
- C:\Windows\System\vgnpIuL.exe
  C:\Windows\System\vgnpIuL.exe
  2⤵
  PID:6064
- C:\Windows\System\KYDyPbH.exe
  C:\Windows\System\KYDyPbH.exe
  2⤵
  PID:6092
- C:\Windows\System\fhHXKPv.exe
  C:\Windows\System\fhHXKPv.exe
  2⤵
  PID:6120
- C:\Windows\System\xnlSVQc.exe
  C:\Windows\System\xnlSVQc.exe
  2⤵
  PID:1676
- C:\Windows\System\kZZYjUa.exe
  C:\Windows\System\kZZYjUa.exe
  2⤵
  PID:4688
- C:\Windows\System\QsvQRgy.exe
  C:\Windows\System\QsvQRgy.exe
  2⤵
  PID:2552
- C:\Windows\System\DFphmus.exe
  C:\Windows\System\DFphmus.exe
  2⤵
  PID:1056
- C:\Windows\System\iOalUeT.exe
  C:\Windows\System\iOalUeT.exe
  2⤵
  PID:5124
- C:\Windows\System\RlSpVkz.exe
  C:\Windows\System\RlSpVkz.exe
  2⤵
  PID:5184
- C:\Windows\System\QEpngWU.exe
  C:\Windows\System\QEpngWU.exe
  2⤵
  PID:5240
- C:\Windows\System\eabqdqb.exe
  C:\Windows\System\eabqdqb.exe
  2⤵
  PID:5300
- C:\Windows\System\JYBIRfK.exe
  C:\Windows\System\JYBIRfK.exe
  2⤵
  PID:5376
- C:\Windows\System\UhyAIZc.exe
  C:\Windows\System\UhyAIZc.exe
  2⤵
  PID:5436
- C:\Windows\System\kUeFpde.exe
  C:\Windows\System\kUeFpde.exe
  2⤵
  PID:5496
- C:\Windows\System\svnSGUY.exe
  C:\Windows\System\svnSGUY.exe
  2⤵
  PID:5572
- C:\Windows\System\gBNYeDK.exe
  C:\Windows\System\gBNYeDK.exe
  2⤵
  PID:5632
- C:\Windows\System\XrdZLtp.exe
  C:\Windows\System\XrdZLtp.exe
  2⤵
  PID:5692
- C:\Windows\System\soEQmaP.exe
  C:\Windows\System\soEQmaP.exe
  2⤵
  PID:5768
- C:\Windows\System\agNKGYq.exe
  C:\Windows\System\agNKGYq.exe
  2⤵
  PID:5828
- C:\Windows\System\KtNRjRz.exe
  C:\Windows\System\KtNRjRz.exe
  2⤵
  PID:5888
- C:\Windows\System\MhUypFi.exe
  C:\Windows\System\MhUypFi.exe
  2⤵
  PID:5944
- C:\Windows\System\gDkoNkJ.exe
  C:\Windows\System\gDkoNkJ.exe
  2⤵
  PID:6020
- C:\Windows\System\HVfecvi.exe
  C:\Windows\System\HVfecvi.exe
  2⤵
  PID:6080
- C:\Windows\System\zDTmxPq.exe
  C:\Windows\System\zDTmxPq.exe
  2⤵
  PID:6140
- C:\Windows\System\uFxPNvS.exe
  C:\Windows\System\uFxPNvS.exe
  2⤵
  PID:2988
- C:\Windows\System\BcQSoSt.exe
  C:\Windows\System\BcQSoSt.exe
  2⤵
  PID:5156
- C:\Windows\System\daldRmO.exe
  C:\Windows\System\daldRmO.exe
  2⤵
  PID:5272
- C:\Windows\System\JrTvlYl.exe
  C:\Windows\System\JrTvlYl.exe
  2⤵
  PID:5404
- C:\Windows\System\fbPWFKY.exe
  C:\Windows\System\fbPWFKY.exe
  2⤵
  PID:5524
- C:\Windows\System\HnXNpfY.exe
  C:\Windows\System\HnXNpfY.exe
  2⤵
  PID:1560
- C:\Windows\System\yKvhZrs.exe
  C:\Windows\System\yKvhZrs.exe
  2⤵
  PID:5800
- C:\Windows\System\aMqKnjx.exe
  C:\Windows\System\aMqKnjx.exe
  2⤵
  PID:1980
- C:\Windows\System\FnHuphl.exe
  C:\Windows\System\FnHuphl.exe
  2⤵
  PID:6108
- C:\Windows\System\OEzwfeR.exe
  C:\Windows\System\OEzwfeR.exe
  2⤵
  PID:908
- C:\Windows\System\ZDoybEv.exe
  C:\Windows\System\ZDoybEv.exe
  2⤵
  PID:5348
- C:\Windows\System\Rgfbrks.exe
  C:\Windows\System\Rgfbrks.exe
  2⤵
  PID:6168
- C:\Windows\System\WIEYDeo.exe
  C:\Windows\System\WIEYDeo.exe
  2⤵
  PID:6196
- C:\Windows\System\UGxwrtk.exe
  C:\Windows\System\UGxwrtk.exe
  2⤵
  PID:6224
- C:\Windows\System\vUtbles.exe
  C:\Windows\System\vUtbles.exe
  2⤵
  PID:6256
- C:\Windows\System\vdDNZPZ.exe
  C:\Windows\System\vdDNZPZ.exe
  2⤵
  PID:6292
- C:\Windows\System\kFkVkyq.exe
  C:\Windows\System\kFkVkyq.exe
  2⤵
  PID:6320
- C:\Windows\System\PKBwUlr.exe
  C:\Windows\System\PKBwUlr.exe
  2⤵
  PID:6336
- C:\Windows\System\VtzLKZN.exe
  C:\Windows\System\VtzLKZN.exe
  2⤵
  PID:6364
- C:\Windows\System\bPMepHl.exe
  C:\Windows\System\bPMepHl.exe
  2⤵
  PID:6392
- C:\Windows\System\eFDIhKC.exe
  C:\Windows\System\eFDIhKC.exe
  2⤵
  PID:6420
- C:\Windows\System\WyAoYfk.exe
  C:\Windows\System\WyAoYfk.exe
  2⤵
  PID:6448
- C:\Windows\System\ztQFpjK.exe
  C:\Windows\System\ztQFpjK.exe
  2⤵
  PID:6476
- C:\Windows\System\NEgaxsg.exe
  C:\Windows\System\NEgaxsg.exe
  2⤵
  PID:6504
- C:\Windows\System\MsULvFK.exe
  C:\Windows\System\MsULvFK.exe
  2⤵
  PID:6532
- C:\Windows\System\xbehJOk.exe
  C:\Windows\System\xbehJOk.exe
  2⤵
  PID:6560
- C:\Windows\System\ZgFeUSm.exe
  C:\Windows\System\ZgFeUSm.exe
  2⤵
  PID:6588
- C:\Windows\System\VWxCsrk.exe
  C:\Windows\System\VWxCsrk.exe
  2⤵
  PID:6616
- C:\Windows\System\CyhVBvC.exe
  C:\Windows\System\CyhVBvC.exe
  2⤵
  PID:6644
- C:\Windows\System\cNNLZos.exe
  C:\Windows\System\cNNLZos.exe
  2⤵
  PID:6672
- C:\Windows\System\ZFOzvYj.exe
  C:\Windows\System\ZFOzvYj.exe
  2⤵
  PID:6700
- C:\Windows\System\ffVGODj.exe
  C:\Windows\System\ffVGODj.exe
  2⤵
  PID:6728
- C:\Windows\System\WMBtxjj.exe
  C:\Windows\System\WMBtxjj.exe
  2⤵
  PID:6756
- C:\Windows\System\VJVMeos.exe
  C:\Windows\System\VJVMeos.exe
  2⤵
  PID:6784
- C:\Windows\System\bmugobD.exe
  C:\Windows\System\bmugobD.exe
  2⤵
  PID:6812
- C:\Windows\System\RBQtTTP.exe
  C:\Windows\System\RBQtTTP.exe
  2⤵
  PID:6840
- C:\Windows\System\CQdPHoZ.exe
  C:\Windows\System\CQdPHoZ.exe
  2⤵
  PID:6868
- C:\Windows\System\AxSLLZp.exe
  C:\Windows\System\AxSLLZp.exe
  2⤵
  PID:6896
- C:\Windows\System\NgIRxln.exe
  C:\Windows\System\NgIRxln.exe
  2⤵
  PID:6924
- C:\Windows\System\YigTafX.exe
  C:\Windows\System\YigTafX.exe
  2⤵
  PID:6968
- C:\Windows\System\rgOXONz.exe
  C:\Windows\System\rgOXONz.exe
  2⤵
  PID:6992
- C:\Windows\System\YUtMzix.exe
  C:\Windows\System\YUtMzix.exe
  2⤵
  PID:7008
- C:\Windows\System\utrcKph.exe
  C:\Windows\System\utrcKph.exe
  2⤵
  PID:7028
- C:\Windows\System\cBkapBX.exe
  C:\Windows\System\cBkapBX.exe
  2⤵
  PID:7072
- C:\Windows\System\SyoUCjX.exe
  C:\Windows\System\SyoUCjX.exe
  2⤵
  PID:7096
- C:\Windows\System\UBLWfEc.exe
  C:\Windows\System\UBLWfEc.exe
  2⤵
  PID:7128
- C:\Windows\System\Oekwgor.exe
  C:\Windows\System\Oekwgor.exe
  2⤵
  PID:5600
- C:\Windows\System\onAuqwS.exe
  C:\Windows\System\onAuqwS.exe
  2⤵
  PID:6460
- C:\Windows\System\QObhybU.exe
  C:\Windows\System\QObhybU.exe
  2⤵
  PID:1084
- C:\Windows\System\JBapbRQ.exe
  C:\Windows\System\JBapbRQ.exe
  2⤵
  PID:3664
- C:\Windows\System\sheFahb.exe
  C:\Windows\System\sheFahb.exe
  2⤵
  PID:6576
- C:\Windows\System\CpLeCun.exe
  C:\Windows\System\CpLeCun.exe
  2⤵
  PID:3768
- C:\Windows\System\VbRXLPY.exe
  C:\Windows\System\VbRXLPY.exe
  2⤵
  PID:6660
- C:\Windows\System\wnKHkeG.exe
  C:\Windows\System\wnKHkeG.exe
  2⤵
  PID:6740
- C:\Windows\System\nARMimx.exe
  C:\Windows\System\nARMimx.exe
  2⤵
  PID:6832
- C:\Windows\System\kSEWGYg.exe
  C:\Windows\System\kSEWGYg.exe
  2⤵
  PID:6860
- C:\Windows\System\yshWscY.exe
  C:\Windows\System\yshWscY.exe
  2⤵
  PID:7048
- C:\Windows\System\AeHyVyy.exe
  C:\Windows\System\AeHyVyy.exe
  2⤵
  PID:6976
- C:\Windows\System\ESECfWr.exe
  C:\Windows\System\ESECfWr.exe
  2⤵
  PID:4776
- C:\Windows\System\BcKvTIq.exe
  C:\Windows\System\BcKvTIq.exe
  2⤵
  PID:7140
- C:\Windows\System\vIXutYo.exe
  C:\Windows\System\vIXutYo.exe
  2⤵
  PID:5744
- C:\Windows\System\wSsHBJn.exe
  C:\Windows\System\wSsHBJn.exe
  2⤵
  PID:208
- C:\Windows\System\qIWRfeO.exe
  C:\Windows\System\qIWRfeO.exe
  2⤵
  PID:6056
- C:\Windows\System\agepRvy.exe
  C:\Windows\System\agepRvy.exe
  2⤵
  PID:6524
- C:\Windows\System\eeKEHNQ.exe
  C:\Windows\System\eeKEHNQ.exe
  2⤵
  PID:6276
- C:\Windows\System\uOqocVB.exe
  C:\Windows\System\uOqocVB.exe
  2⤵
  PID:4956
- C:\Windows\System\LHIVuyJ.exe
  C:\Windows\System\LHIVuyJ.exe
  2⤵
  PID:1656
- C:\Windows\System\DWabAzT.exe
  C:\Windows\System\DWabAzT.exe
  2⤵
  PID:7080
- C:\Windows\System\YcOXQDo.exe
  C:\Windows\System\YcOXQDo.exe
  2⤵
  PID:6908
- C:\Windows\System\fHevMtX.exe
  C:\Windows\System\fHevMtX.exe
  2⤵
  PID:1900
- C:\Windows\System\LKGfHeB.exe
  C:\Windows\System\LKGfHeB.exe
  2⤵
  PID:3252
- C:\Windows\System\oxPfCTh.exe
  C:\Windows\System\oxPfCTh.exe
  2⤵
  PID:6156
- C:\Windows\System\cPHYrFo.exe
  C:\Windows\System\cPHYrFo.exe
  2⤵
  PID:6488
- C:\Windows\System\uTNxPMP.exe
  C:\Windows\System\uTNxPMP.exe
  2⤵
  PID:5104
- C:\Windows\System\xRIEBsV.exe
  C:\Windows\System\xRIEBsV.exe
  2⤵
  PID:6804
- C:\Windows\System\iVSViot.exe
  C:\Windows\System\iVSViot.exe
  2⤵
  PID:2112
- C:\Windows\System\QuVIHap.exe
  C:\Windows\System\QuVIHap.exe
  2⤵
  PID:7172
- C:\Windows\System\GSnGRVF.exe
  C:\Windows\System\GSnGRVF.exe
  2⤵
  PID:7196
- C:\Windows\System\VFrTsGC.exe
  C:\Windows\System\VFrTsGC.exe
  2⤵
  PID:7236
- C:\Windows\System\qbZIMPs.exe
  C:\Windows\System\qbZIMPs.exe
  2⤵
  PID:7260
- C:\Windows\System\HzkvGIY.exe
  C:\Windows\System\HzkvGIY.exe
  2⤵
  PID:7312
- C:\Windows\System\sjJDUWa.exe
  C:\Windows\System\sjJDUWa.exe
  2⤵
  PID:7340
- C:\Windows\System\iHDbmkD.exe
  C:\Windows\System\iHDbmkD.exe
  2⤵
  PID:7372
- C:\Windows\System\AcRwUId.exe
  C:\Windows\System\AcRwUId.exe
  2⤵
  PID:7396
- C:\Windows\System\Vtftmkb.exe
  C:\Windows\System\Vtftmkb.exe
  2⤵
  PID:7412
- C:\Windows\System\HnMwJzg.exe
  C:\Windows\System\HnMwJzg.exe
  2⤵
  PID:7432
- C:\Windows\System\ctuTkhY.exe
  C:\Windows\System\ctuTkhY.exe
  2⤵
  PID:7480
- C:\Windows\System\cgUwYKt.exe
  C:\Windows\System\cgUwYKt.exe
  2⤵
  PID:7496
- C:\Windows\System\BcuvrUz.exe
  C:\Windows\System\BcuvrUz.exe
  2⤵
  PID:7524
- C:\Windows\System\kPxPaxd.exe
  C:\Windows\System\kPxPaxd.exe
  2⤵
  PID:7552
- C:\Windows\System\QYLELTE.exe
  C:\Windows\System\QYLELTE.exe
  2⤵
  PID:7580
- C:\Windows\System\KzEjfGk.exe
  C:\Windows\System\KzEjfGk.exe
  2⤵
  PID:7604
- C:\Windows\System\RZvBacb.exe
  C:\Windows\System\RZvBacb.exe
  2⤵
  PID:7636
- C:\Windows\System\fIWjIWR.exe
  C:\Windows\System\fIWjIWR.exe
  2⤵
  PID:7652
- C:\Windows\System\Bkwbrge.exe
  C:\Windows\System\Bkwbrge.exe
  2⤵
  PID:7688
- C:\Windows\System\kuwTTSf.exe
  C:\Windows\System\kuwTTSf.exe
  2⤵
  PID:7732
- C:\Windows\System\jqmQRDd.exe
  C:\Windows\System\jqmQRDd.exe
  2⤵
  PID:7760
- C:\Windows\System\rcSPvdT.exe
  C:\Windows\System\rcSPvdT.exe
  2⤵
  PID:7780
- C:\Windows\System\AHuQWjg.exe
  C:\Windows\System\AHuQWjg.exe
  2⤵
  PID:7812
- C:\Windows\System\ysFnnjs.exe
  C:\Windows\System\ysFnnjs.exe
  2⤵
  PID:7828
- C:\Windows\System\BjIUMAO.exe
  C:\Windows\System\BjIUMAO.exe
  2⤵
  PID:7848
- C:\Windows\System\QzQPkhs.exe
  C:\Windows\System\QzQPkhs.exe
  2⤵
  PID:7884
- C:\Windows\System\FuPXNIG.exe
  C:\Windows\System\FuPXNIG.exe
  2⤵
  PID:7908
- C:\Windows\System\hTaklAO.exe
  C:\Windows\System\hTaklAO.exe
  2⤵
  PID:7944
- C:\Windows\System\xHjpzhB.exe
  C:\Windows\System\xHjpzhB.exe
  2⤵
  PID:7976
- C:\Windows\System\PhAgpgc.exe
  C:\Windows\System\PhAgpgc.exe
  2⤵
  PID:8000
- C:\Windows\System\alqIbHz.exe
  C:\Windows\System\alqIbHz.exe
  2⤵
  PID:8028
- C:\Windows\System\rYrLmhZ.exe
  C:\Windows\System\rYrLmhZ.exe
  2⤵
  PID:8056
- C:\Windows\System\EsXmCef.exe
  C:\Windows\System\EsXmCef.exe
  2⤵
  PID:8084
- C:\Windows\System\hUmRhJO.exe
  C:\Windows\System\hUmRhJO.exe
  2⤵
  PID:8124
- C:\Windows\System\whAUgyt.exe
  C:\Windows\System\whAUgyt.exe
  2⤵
  PID:8152
- C:\Windows\System\ovpznEm.exe
  C:\Windows\System\ovpznEm.exe
  2⤵
  PID:8184
- C:\Windows\System\YOyUmEO.exe
  C:\Windows\System\YOyUmEO.exe
  2⤵
  PID:1152
- C:\Windows\System\hIluTcO.exe
  C:\Windows\System\hIluTcO.exe
  2⤵
  PID:7228
- C:\Windows\System\TCEwugS.exe
  C:\Windows\System\TCEwugS.exe
  2⤵
  PID:7284
- C:\Windows\System\yYqlFYT.exe
  C:\Windows\System\yYqlFYT.exe
  2⤵
  PID:7336
- C:\Windows\System\OZVEiJL.exe
  C:\Windows\System\OZVEiJL.exe
  2⤵
  PID:7404
- C:\Windows\System\KBmevNz.exe
  C:\Windows\System\KBmevNz.exe
  2⤵
  PID:7476
- C:\Windows\System\Xbodbzj.exe
  C:\Windows\System\Xbodbzj.exe
  2⤵
  PID:7512
- C:\Windows\System\tOmwJav.exe
  C:\Windows\System\tOmwJav.exe
  2⤵
  PID:7592
- C:\Windows\System\ucnTYTL.exe
  C:\Windows\System\ucnTYTL.exe
  2⤵
  PID:7644
- C:\Windows\System\cGzfVYw.exe
  C:\Windows\System\cGzfVYw.exe
  2⤵
  PID:7756
- C:\Windows\System\MEtTzRQ.exe
  C:\Windows\System\MEtTzRQ.exe
  2⤵
  PID:7788
- C:\Windows\System\gjxPIHw.exe
  C:\Windows\System\gjxPIHw.exe
  2⤵
  PID:7836
- C:\Windows\System\WXCDLiB.exe
  C:\Windows\System\WXCDLiB.exe
  2⤵
  PID:7932
- C:\Windows\System\RgTqMXi.exe
  C:\Windows\System\RgTqMXi.exe
  2⤵
  PID:8020
- C:\Windows\System\djKlIvw.exe
  C:\Windows\System\djKlIvw.exe
  2⤵
  PID:8080
- C:\Windows\System\ckzhUBq.exe
  C:\Windows\System\ckzhUBq.exe
  2⤵
  PID:8140
- C:\Windows\System\cNVuBzj.exe
  C:\Windows\System\cNVuBzj.exe
  2⤵
  PID:8160
- C:\Windows\System\HSMIarI.exe
  C:\Windows\System\HSMIarI.exe
  2⤵
  PID:6572
- C:\Windows\System\nzJdfXR.exe
  C:\Windows\System\nzJdfXR.exe
  2⤵
  PID:7420
- C:\Windows\System\IpdKgof.exe
  C:\Windows\System\IpdKgof.exe
  2⤵
  PID:7516
- C:\Windows\System\cONyofm.exe
  C:\Windows\System\cONyofm.exe
  2⤵
  PID:7720
- C:\Windows\System\ozwObVb.exe
  C:\Windows\System\ozwObVb.exe
  2⤵
  PID:7824
- C:\Windows\System\JjqEfUK.exe
  C:\Windows\System\JjqEfUK.exe
  2⤵
  PID:7864
- C:\Windows\System\cqzNIty.exe
  C:\Windows\System\cqzNIty.exe
  2⤵
  PID:8104
- C:\Windows\System\BehGomY.exe
  C:\Windows\System\BehGomY.exe
  2⤵
  PID:8148
- C:\Windows\System\quYYjmk.exe
  C:\Windows\System\quYYjmk.exe
  2⤵
  PID:7696
- C:\Windows\System\WjxjkGM.exe
  C:\Windows\System\WjxjkGM.exe
  2⤵
  PID:7840
- C:\Windows\System\izaqKDQ.exe
  C:\Windows\System\izaqKDQ.exe
  2⤵
  PID:8040
- C:\Windows\System\KRPDweY.exe
  C:\Windows\System\KRPDweY.exe
  2⤵
  PID:8220
- C:\Windows\System\OVTBXnd.exe
  C:\Windows\System\OVTBXnd.exe
  2⤵
  PID:8236
- C:\Windows\System\rYRtApv.exe
  C:\Windows\System\rYRtApv.exe
  2⤵
  PID:8264
- C:\Windows\System\iVBIANc.exe
  C:\Windows\System\iVBIANc.exe
  2⤵
  PID:8304
- C:\Windows\System\whqkYHy.exe
  C:\Windows\System\whqkYHy.exe
  2⤵
  PID:8332
- C:\Windows\System\MCqtpaP.exe
  C:\Windows\System\MCqtpaP.exe
  2⤵
  PID:8348
- C:\Windows\System\IsuKeFd.exe
  C:\Windows\System\IsuKeFd.exe
  2⤵
  PID:8388
- C:\Windows\System\MzKxYvI.exe
  C:\Windows\System\MzKxYvI.exe
  2⤵
  PID:8404
- C:\Windows\System\UuzJAlT.exe
  C:\Windows\System\UuzJAlT.exe
  2⤵
  PID:8432
- C:\Windows\System\RXvUmZN.exe
  C:\Windows\System\RXvUmZN.exe
  2⤵
  PID:8460
- C:\Windows\System\qmVqzZE.exe
  C:\Windows\System\qmVqzZE.exe
  2⤵
  PID:8492
- C:\Windows\System\oALWbJu.exe
  C:\Windows\System\oALWbJu.exe
  2⤵
  PID:8516
- C:\Windows\System\gUKobVZ.exe
  C:\Windows\System\gUKobVZ.exe
  2⤵
  PID:8548
- C:\Windows\System\axlSFzI.exe
  C:\Windows\System\axlSFzI.exe
  2⤵
  PID:8576
- C:\Windows\System\wfHvBsp.exe
  C:\Windows\System\wfHvBsp.exe
  2⤵
  PID:8616
- C:\Windows\System\uBambgD.exe
  C:\Windows\System\uBambgD.exe
  2⤵
  PID:8644
- C:\Windows\System\EqFcZnv.exe
  C:\Windows\System\EqFcZnv.exe
  2⤵
  PID:8672
- C:\Windows\System\XiKWbhS.exe
  C:\Windows\System\XiKWbhS.exe
  2⤵
  PID:8692
- C:\Windows\System\bkCsJXc.exe
  C:\Windows\System\bkCsJXc.exe
  2⤵
  PID:8720
- C:\Windows\System\qjMlkmQ.exe
  C:\Windows\System\qjMlkmQ.exe
  2⤵
  PID:8748
- C:\Windows\System\mDdstpk.exe
  C:\Windows\System\mDdstpk.exe
  2⤵
  PID:8768
- C:\Windows\System\EMychJN.exe
  C:\Windows\System\EMychJN.exe
  2⤵
  PID:8804
- C:\Windows\System\fzZljJb.exe
  C:\Windows\System\fzZljJb.exe
  2⤵
  PID:8828
- C:\Windows\System\AwqbkCw.exe
  C:\Windows\System\AwqbkCw.exe
  2⤵
  PID:8856
- C:\Windows\System\Xdbqbkx.exe
  C:\Windows\System\Xdbqbkx.exe
  2⤵
  PID:8884
- C:\Windows\System\GVZzcDJ.exe
  C:\Windows\System\GVZzcDJ.exe
  2⤵
  PID:8912
- C:\Windows\System\MOjHAdg.exe
  C:\Windows\System\MOjHAdg.exe
  2⤵
  PID:8948
- C:\Windows\System\nfCZOKq.exe
  C:\Windows\System\nfCZOKq.exe
  2⤵
  PID:8968
- C:\Windows\System\UqaSwTL.exe
  C:\Windows\System\UqaSwTL.exe
  2⤵
  PID:9008
- C:\Windows\System\orXyRBr.exe
  C:\Windows\System\orXyRBr.exe
  2⤵
  PID:9036
- C:\Windows\System\shPVrba.exe
  C:\Windows\System\shPVrba.exe
  2⤵
  PID:9052
- C:\Windows\System\tdbTJMW.exe
  C:\Windows\System\tdbTJMW.exe
  2⤵
  PID:9080
- C:\Windows\System\KMsyJXe.exe
  C:\Windows\System\KMsyJXe.exe
  2⤵
  PID:9108
- C:\Windows\System\IjEzzvy.exe
  C:\Windows\System\IjEzzvy.exe
  2⤵
  PID:9136
- C:\Windows\System\OkRYpmZ.exe
  C:\Windows\System\OkRYpmZ.exe
  2⤵
  PID:9164
- C:\Windows\System\ZiQdosy.exe
  C:\Windows\System\ZiQdosy.exe
  2⤵
  PID:9196
- C:\Windows\System\WlUQOdY.exe
  C:\Windows\System\WlUQOdY.exe
  2⤵
  PID:7304
- C:\Windows\System\xbMolOi.exe
  C:\Windows\System\xbMolOi.exe
  2⤵
  PID:8228
- C:\Windows\System\IPwwaVX.exe
  C:\Windows\System\IPwwaVX.exe
  2⤵
  PID:8320
- C:\Windows\System\ebpfuJJ.exe
  C:\Windows\System\ebpfuJJ.exe
  2⤵
  PID:8372
- C:\Windows\System\eItfgVM.exe
  C:\Windows\System\eItfgVM.exe
  2⤵
  PID:8428
- C:\Windows\System\hrfsOhY.exe
  C:\Windows\System\hrfsOhY.exe
  2⤵
  PID:8508
- C:\Windows\System\pTjTazd.exe
  C:\Windows\System\pTjTazd.exe
  2⤵
  PID:8572
- C:\Windows\System\sJueQRH.exe
  C:\Windows\System\sJueQRH.exe
  2⤵
  PID:8656
- C:\Windows\System\AvRAcgT.exe
  C:\Windows\System\AvRAcgT.exe
  2⤵
  PID:8728
- C:\Windows\System\EizFTmE.exe
  C:\Windows\System\EizFTmE.exe
  2⤵
  PID:8784
- C:\Windows\System\JRtQLVi.exe
  C:\Windows\System\JRtQLVi.exe
  2⤵
  PID:8848
- C:\Windows\System\eQUpnds.exe
  C:\Windows\System\eQUpnds.exe
  2⤵
  PID:8872
- C:\Windows\System\VwTLbXl.exe
  C:\Windows\System\VwTLbXl.exe
  2⤵
  PID:8936
- C:\Windows\System\hJkWnjt.exe
  C:\Windows\System\hJkWnjt.exe
  2⤵
  PID:9000
- C:\Windows\System\IgjQLIt.exe
  C:\Windows\System\IgjQLIt.exe
  2⤵
  PID:9064
- C:\Windows\System\ebzIfvE.exe
  C:\Windows\System\ebzIfvE.exe
  2⤵
  PID:9124
- C:\Windows\System\LMsfrzC.exe
  C:\Windows\System\LMsfrzC.exe
  2⤵
  PID:8212
- C:\Windows\System\cbXOhdZ.exe
  C:\Windows\System\cbXOhdZ.exe
  2⤵
  PID:8300
- C:\Windows\System\VjtqkJp.exe
  C:\Windows\System\VjtqkJp.exe
  2⤵
  PID:8588
- C:\Windows\System\VacQCNq.exe
  C:\Windows\System\VacQCNq.exe
  2⤵
  PID:8700
- C:\Windows\System\lKskqqf.exe
  C:\Windows\System\lKskqqf.exe
  2⤵
  PID:7308
- C:\Windows\System\LGEAFls.exe
  C:\Windows\System\LGEAFls.exe
  2⤵
  PID:8996
- C:\Windows\System\ahmUMdN.exe
  C:\Windows\System\ahmUMdN.exe
  2⤵
  PID:9092
- C:\Windows\System\ZWduZcw.exe
  C:\Windows\System\ZWduZcw.exe
  2⤵
  PID:8512
- C:\Windows\System\LcyvVEc.exe
  C:\Windows\System\LcyvVEc.exe
  2⤵
  PID:8776
- C:\Windows\System\iPoBiuw.exe
  C:\Windows\System\iPoBiuw.exe
  2⤵
  PID:9028
- C:\Windows\System\IniuuQT.exe
  C:\Windows\System\IniuuQT.exe
  2⤵
  PID:8680
- C:\Windows\System\mqOFfme.exe
  C:\Windows\System\mqOFfme.exe
  2⤵
  PID:9188
- C:\Windows\System\IxZxERy.exe
  C:\Windows\System\IxZxERy.exe
  2⤵
  PID:9232
- C:\Windows\System\QwCotFn.exe
  C:\Windows\System\QwCotFn.exe
  2⤵
  PID:9260
- C:\Windows\System\ccERKDX.exe
  C:\Windows\System\ccERKDX.exe
  2⤵
  PID:9280
- C:\Windows\System\wervaUw.exe
  C:\Windows\System\wervaUw.exe
  2⤵
  PID:9316
- C:\Windows\System\HxfqyHY.exe
  C:\Windows\System\HxfqyHY.exe
  2⤵
  PID:9344
- C:\Windows\System\UOrsviv.exe
  C:\Windows\System\UOrsviv.exe
  2⤵
  PID:9380
- C:\Windows\System\YAImaKr.exe
  C:\Windows\System\YAImaKr.exe
  2⤵
  PID:9400
- C:\Windows\System\oDPTVeC.exe
  C:\Windows\System\oDPTVeC.exe
  2⤵
  PID:9440
- C:\Windows\System\iUsYgpi.exe
  C:\Windows\System\iUsYgpi.exe
  2⤵
  PID:9456
- C:\Windows\System\KtsBuXr.exe
  C:\Windows\System\KtsBuXr.exe
  2⤵
  PID:9496
- C:\Windows\System\OcVwBBj.exe
  C:\Windows\System\OcVwBBj.exe
  2⤵
  PID:9516
- C:\Windows\System\JWdsmlg.exe
  C:\Windows\System\JWdsmlg.exe
  2⤵
  PID:9548
- C:\Windows\System\RSwlfqz.exe
  C:\Windows\System\RSwlfqz.exe
  2⤵
  PID:9580
- C:\Windows\System\XYmgWlx.exe
  C:\Windows\System\XYmgWlx.exe
  2⤵
  PID:9628
- C:\Windows\System\GOiWPLw.exe
  C:\Windows\System\GOiWPLw.exe
  2⤵
  PID:9644
- C:\Windows\System\fUeLdBp.exe
  C:\Windows\System\fUeLdBp.exe
  2⤵
  PID:9688
- C:\Windows\System\aDzwiae.exe
  C:\Windows\System\aDzwiae.exe
  2⤵
  PID:9720
- C:\Windows\System\abZyCpX.exe
  C:\Windows\System\abZyCpX.exe
  2⤵
  PID:9744
- C:\Windows\System\SSxskpw.exe
  C:\Windows\System\SSxskpw.exe
  2⤵
  PID:9776
- C:\Windows\System\xIDaxEG.exe
  C:\Windows\System\xIDaxEG.exe
  2⤵
  PID:9804
- C:\Windows\System\akWcdbw.exe
  C:\Windows\System\akWcdbw.exe
  2⤵
  PID:9820
- C:\Windows\System\JOEDBUC.exe
  C:\Windows\System\JOEDBUC.exe
  2⤵
  PID:9844
- C:\Windows\System\wuKtMrJ.exe
  C:\Windows\System\wuKtMrJ.exe
  2⤵
  PID:9900
- C:\Windows\System\MuPBHJG.exe
  C:\Windows\System\MuPBHJG.exe
  2⤵
  PID:9924
- C:\Windows\System\RbzXoec.exe
  C:\Windows\System\RbzXoec.exe
  2⤵
  PID:9964
- C:\Windows\System\yVtUZSS.exe
  C:\Windows\System\yVtUZSS.exe
  2⤵
  PID:9980
- C:\Windows\System\WuEhLaw.exe
  C:\Windows\System\WuEhLaw.exe
  2⤵
  PID:10008
- C:\Windows\System\DqKXMJB.exe
  C:\Windows\System\DqKXMJB.exe
  2⤵
  PID:10040
- C:\Windows\System\dDIYZGJ.exe
  C:\Windows\System\dDIYZGJ.exe
  2⤵
  PID:10064
- C:\Windows\System\merCWRU.exe
  C:\Windows\System\merCWRU.exe
  2⤵
  PID:10096
- C:\Windows\System\PrPyXIi.exe
  C:\Windows\System\PrPyXIi.exe
  2⤵
  PID:10132
- C:\Windows\System\DmUsBaN.exe
  C:\Windows\System\DmUsBaN.exe
  2⤵
  PID:10148
- C:\Windows\System\joYEVbD.exe
  C:\Windows\System\joYEVbD.exe
  2⤵
  PID:10176
- C:\Windows\System\pgEeZeB.exe
  C:\Windows\System\pgEeZeB.exe
  2⤵
  PID:10216
- C:\Windows\System\vwCdwik.exe
  C:\Windows\System\vwCdwik.exe
  2⤵
  PID:10232
- C:\Windows\System\UlePBaL.exe
  C:\Windows\System\UlePBaL.exe
  2⤵
  PID:9244
- C:\Windows\System\mPALBvT.exe
  C:\Windows\System\mPALBvT.exe
  2⤵
  PID:9360
- C:\Windows\System\dgDBIKK.exe
  C:\Windows\System\dgDBIKK.exe
  2⤵
  PID:9392
- C:\Windows\System\bzvLOnj.exe
  C:\Windows\System\bzvLOnj.exe
  2⤵
  PID:9452
- C:\Windows\System\qAxuhhG.exe
  C:\Windows\System\qAxuhhG.exe
  2⤵
  PID:9524
- C:\Windows\System\SxCwPFw.exe
  C:\Windows\System\SxCwPFw.exe
  2⤵
  PID:9592
- C:\Windows\System\Gbkugfe.exe
  C:\Windows\System\Gbkugfe.exe
  2⤵
  PID:9640
- C:\Windows\System\YXnsurN.exe
  C:\Windows\System\YXnsurN.exe
  2⤵
  PID:9732
- C:\Windows\System\wzVZWqn.exe
  C:\Windows\System\wzVZWqn.exe
  2⤵
  PID:9812
- C:\Windows\System\jZcpImE.exe
  C:\Windows\System\jZcpImE.exe
  2⤵
  PID:9888
- C:\Windows\System\XwIinXr.exe
  C:\Windows\System\XwIinXr.exe
  2⤵
  PID:9960
- C:\Windows\System\sdcJrKJ.exe
  C:\Windows\System\sdcJrKJ.exe
  2⤵
  PID:10020
- C:\Windows\System\kWwpIeD.exe
  C:\Windows\System\kWwpIeD.exe
  2⤵
  PID:10128
- C:\Windows\System\jGYgRnX.exe
  C:\Windows\System\jGYgRnX.exe
  2⤵
  PID:10164
- C:\Windows\System\WmkeBfF.exe
  C:\Windows\System\WmkeBfF.exe
  2⤵
  PID:10196
- C:\Windows\System\WyMwXzh.exe
  C:\Windows\System\WyMwXzh.exe
  2⤵
  PID:9420
- C:\Windows\System\zKGwSry.exe
  C:\Windows\System\zKGwSry.exe
  2⤵
  PID:9564
- C:\Windows\System\syNFwYm.exe
  C:\Windows\System\syNFwYm.exe
  2⤵
  PID:9532
- C:\Windows\System\hNfSyZF.exe
  C:\Windows\System\hNfSyZF.exe
  2⤵
  PID:9880
- C:\Windows\System\sFjDdsW.exe
  C:\Windows\System\sFjDdsW.exe
  2⤵
  PID:10000
- C:\Windows\System\WMgzSlQ.exe
  C:\Windows\System\WMgzSlQ.exe
  2⤵
  PID:10172
- C:\Windows\System\ZDhIFNL.exe
  C:\Windows\System\ZDhIFNL.exe
  2⤵
  PID:9300
- C:\Windows\System\nBDiLuF.exe
  C:\Windows\System\nBDiLuF.exe
  2⤵
  PID:9712
- C:\Windows\System\essdTlr.exe
  C:\Windows\System\essdTlr.exe
  2⤵
  PID:10056
- C:\Windows\System\cpdfirq.exe
  C:\Windows\System\cpdfirq.exe
  2⤵
  PID:9612
- C:\Windows\System\nlNNlXh.exe
  C:\Windows\System\nlNNlXh.exe
  2⤵
  PID:10192
- C:\Windows\System\FloguyD.exe
  C:\Windows\System\FloguyD.exe
  2⤵
  PID:10244
- C:\Windows\System\ITVJzAD.exe
  C:\Windows\System\ITVJzAD.exe
  2⤵
  PID:10260
- C:\Windows\System\yqDBXbz.exe
  C:\Windows\System\yqDBXbz.exe
  2⤵
  PID:10308
- C:\Windows\System\VKskNHL.exe
  C:\Windows\System\VKskNHL.exe
  2⤵
  PID:10340
- C:\Windows\System\PZTSWRp.exe
  C:\Windows\System\PZTSWRp.exe
  2⤵
  PID:10376
- C:\Windows\System\VljLioh.exe
  C:\Windows\System\VljLioh.exe
  2⤵
  PID:10424
- C:\Windows\System\kipXhwV.exe
  C:\Windows\System\kipXhwV.exe
  2⤵
  PID:10452
- C:\Windows\System\fNGMXgw.exe
  C:\Windows\System\fNGMXgw.exe
  2⤵
  PID:10476
- C:\Windows\System\HghuIwC.exe
  C:\Windows\System\HghuIwC.exe
  2⤵
  PID:10500
- C:\Windows\System\GkUNdYT.exe
  C:\Windows\System\GkUNdYT.exe
  2⤵
  PID:10528
- C:\Windows\System\gkmcYfi.exe
  C:\Windows\System\gkmcYfi.exe
  2⤵
  PID:10568
- C:\Windows\System\kfJIeED.exe
  C:\Windows\System\kfJIeED.exe
  2⤵
  PID:10588
- C:\Windows\System\sHnRCby.exe
  C:\Windows\System\sHnRCby.exe
  2⤵
  PID:10620
- C:\Windows\System\LoNEwMo.exe
  C:\Windows\System\LoNEwMo.exe
  2⤵
  PID:10652
- C:\Windows\System\ZMSbAOi.exe
  C:\Windows\System\ZMSbAOi.exe
  2⤵
  PID:10680
- C:\Windows\System\vkNOWBa.exe
  C:\Windows\System\vkNOWBa.exe
  2⤵
  PID:10716
- C:\Windows\System\YkHQQtV.exe
  C:\Windows\System\YkHQQtV.exe
  2⤵
  PID:10740
- C:\Windows\System\WPwdYXj.exe
  C:\Windows\System\WPwdYXj.exe
  2⤵
  PID:10768
- C:\Windows\System\WluDZux.exe
  C:\Windows\System\WluDZux.exe
  2⤵
  PID:10800
- C:\Windows\System\cRzvszz.exe
  C:\Windows\System\cRzvszz.exe
  2⤵
  PID:10824
- C:\Windows\System\JvmmACS.exe
  C:\Windows\System\JvmmACS.exe
  2⤵
  PID:10872
- C:\Windows\System\Akxqden.exe
  C:\Windows\System\Akxqden.exe
  2⤵
  PID:10904
- C:\Windows\System\DspgRmg.exe
  C:\Windows\System\DspgRmg.exe
  2⤵
  PID:10944
- C:\Windows\System\jfHLgCh.exe
  C:\Windows\System\jfHLgCh.exe
  2⤵
  PID:10988
- C:\Windows\System\psKkTOp.exe
  C:\Windows\System\psKkTOp.exe
  2⤵
  PID:11016
- C:\Windows\System\mkGOYfZ.exe
  C:\Windows\System\mkGOYfZ.exe
  2⤵
  PID:11036
- C:\Windows\System\VoaZcCX.exe
  C:\Windows\System\VoaZcCX.exe
  2⤵
  PID:11060
- C:\Windows\System\TaQKSgQ.exe
  C:\Windows\System\TaQKSgQ.exe
  2⤵
  PID:11084
- C:\Windows\System\rRfgoer.exe
  C:\Windows\System\rRfgoer.exe
  2⤵
  PID:11108
- C:\Windows\System\VUluFCb.exe
  C:\Windows\System\VUluFCb.exe
  2⤵
  PID:11124
- C:\Windows\System\llMIhCW.exe
  C:\Windows\System\llMIhCW.exe
  2⤵
  PID:11152
- C:\Windows\System\gQVnFFM.exe
  C:\Windows\System\gQVnFFM.exe
  2⤵
  PID:11180
- C:\Windows\System\nKvMJIc.exe
  C:\Windows\System\nKvMJIc.exe
  2⤵
  PID:11240
- C:\Windows\System\sYRfHuu.exe
  C:\Windows\System\sYRfHuu.exe
  2⤵
  PID:10324
- C:\Windows\System\IxJIDrn.exe
  C:\Windows\System\IxJIDrn.exe
  2⤵
  PID:10420
- C:\Windows\System\cKiQvrb.exe
  C:\Windows\System\cKiQvrb.exe
  2⤵
  PID:10492
- C:\Windows\System\jpHFWuC.exe
  C:\Windows\System\jpHFWuC.exe
  2⤵
  PID:10552
- C:\Windows\System\kiTEIBy.exe
  C:\Windows\System\kiTEIBy.exe
  2⤵
  PID:10612
- C:\Windows\System\RfXglgo.exe
  C:\Windows\System\RfXglgo.exe
  2⤵
  PID:10668
- C:\Windows\System\boDnEPa.exe
  C:\Windows\System\boDnEPa.exe
  2⤵
  PID:10756
- C:\Windows\System\IucTKWA.exe
  C:\Windows\System\IucTKWA.exe
  2⤵
  PID:10852
- C:\Windows\System\kSkHdiF.exe
  C:\Windows\System\kSkHdiF.exe
  2⤵
  PID:10972
- C:\Windows\System\NtxcVJC.exe
  C:\Windows\System\NtxcVJC.exe
  2⤵
  PID:11004
- C:\Windows\System\uSsLPPX.exe
  C:\Windows\System\uSsLPPX.exe
  2⤵
  PID:11052
- C:\Windows\System\NXLJORV.exe
  C:\Windows\System\NXLJORV.exe
  2⤵
  PID:11120
- C:\Windows\System\yVjfMuD.exe
  C:\Windows\System\yVjfMuD.exe
  2⤵
  PID:11224
- C:\Windows\System\SkjPEIj.exe
  C:\Windows\System\SkjPEIj.exe
  2⤵
  PID:4780
- C:\Windows\System\UbbaHBJ.exe
  C:\Windows\System\UbbaHBJ.exe
  2⤵
  PID:10516
- C:\Windows\System\SuGtwrI.exe
  C:\Windows\System\SuGtwrI.exe
  2⤵
  PID:10812
- C:\Windows\System\oIJGbhB.exe
  C:\Windows\System\oIJGbhB.exe
  2⤵
  PID:10932
- C:\Windows\System\NhsoDWx.exe
  C:\Windows\System\NhsoDWx.exe
  2⤵
  PID:11056
- C:\Windows\System\VBJwQGv.exe
  C:\Windows\System\VBJwQGv.exe
  2⤵
  PID:11144
- C:\Windows\System\EWnmrpV.exe
  C:\Windows\System\EWnmrpV.exe
  2⤵
  PID:10676
- C:\Windows\System\gAerhaL.exe
  C:\Windows\System\gAerhaL.exe
  2⤵
  PID:10816
- C:\Windows\System\xrvEUAs.exe
  C:\Windows\System\xrvEUAs.exe
  2⤵
  PID:11316
- C:\Windows\System\XzEnFuL.exe
  C:\Windows\System\XzEnFuL.exe
  2⤵
  PID:11360
- C:\Windows\System\hQIsVNs.exe
  C:\Windows\System\hQIsVNs.exe
  2⤵
  PID:11376
- C:\Windows\System\xfJDZQw.exe
  C:\Windows\System\xfJDZQw.exe
  2⤵
  PID:11392
- C:\Windows\System\qOREsAI.exe
  C:\Windows\System\qOREsAI.exe
  2⤵
  PID:11424
- C:\Windows\System\kNBxiih.exe
  C:\Windows\System\kNBxiih.exe
  2⤵
  PID:11456
- C:\Windows\System\VKdxNZb.exe
  C:\Windows\System\VKdxNZb.exe
  2⤵
  PID:11480
- C:\Windows\System\CQJozkf.exe
  C:\Windows\System\CQJozkf.exe
  2⤵
  PID:11536
- C:\Windows\System\xnVFvop.exe
  C:\Windows\System\xnVFvop.exe
  2⤵
  PID:11552
- C:\Windows\System\IhkAZcL.exe
  C:\Windows\System\IhkAZcL.exe
  2⤵
  PID:11580
- C:\Windows\System\cnURHZU.exe
  C:\Windows\System\cnURHZU.exe
  2⤵
  PID:11608
- C:\Windows\System\OufMtoL.exe
  C:\Windows\System\OufMtoL.exe
  2⤵
  PID:11636
- C:\Windows\System\GvhoUMW.exe
  C:\Windows\System\GvhoUMW.exe
  2⤵
  PID:11656
- C:\Windows\System\uQIRnAa.exe
  C:\Windows\System\uQIRnAa.exe
  2⤵
  PID:11672
- C:\Windows\System\gdcpXao.exe
  C:\Windows\System\gdcpXao.exe
  2⤵
  PID:11704
- C:\Windows\System\GDvcHZW.exe
  C:\Windows\System\GDvcHZW.exe
  2⤵
  PID:11752
- C:\Windows\System\yqcTjuD.exe
  C:\Windows\System\yqcTjuD.exe
  2⤵
  PID:11780
- C:\Windows\System\VopGcWP.exe
  C:\Windows\System\VopGcWP.exe
  2⤵
  PID:11816
- C:\Windows\System\KmvKelP.exe
  C:\Windows\System\KmvKelP.exe
  2⤵
  PID:11844
- C:\Windows\System\NmDxYYr.exe
  C:\Windows\System\NmDxYYr.exe
  2⤵
  PID:11876
- C:\Windows\System\HGgHVwV.exe
  C:\Windows\System\HGgHVwV.exe
  2⤵
  PID:11892
- C:\Windows\System\ZbXWmuL.exe
  C:\Windows\System\ZbXWmuL.exe
  2⤵
  PID:11932
- C:\Windows\System\DgOumEZ.exe
  C:\Windows\System\DgOumEZ.exe
  2⤵
  PID:11960
- C:\Windows\System\vYyepfY.exe
  C:\Windows\System\vYyepfY.exe
  2⤵
  PID:11988
- C:\Windows\System\WVtBSki.exe
  C:\Windows\System\WVtBSki.exe
  2⤵
  PID:12004
- C:\Windows\System\DJtPhoC.exe
  C:\Windows\System\DJtPhoC.exe
  2⤵
  PID:12032
- C:\Windows\System\dhdlIho.exe
  C:\Windows\System\dhdlIho.exe
  2⤵
  PID:12060
- C:\Windows\System\TQpcawj.exe
  C:\Windows\System\TQpcawj.exe
  2⤵
  PID:12100
- C:\Windows\System\BXfcCJU.exe
  C:\Windows\System\BXfcCJU.exe
  2⤵
  PID:12116
- C:\Windows\System\GtjEQwD.exe
  C:\Windows\System\GtjEQwD.exe
  2⤵
  PID:12144
- C:\Windows\System\bOGBigQ.exe
  C:\Windows\System\bOGBigQ.exe
  2⤵
  PID:12172
- C:\Windows\System\mzxVYbB.exe
  C:\Windows\System\mzxVYbB.exe
  2⤵
  PID:12200
- C:\Windows\System\pbiuVKr.exe
  C:\Windows\System\pbiuVKr.exe
  2⤵
  PID:12240
- C:\Windows\System\nWNvmju.exe
  C:\Windows\System\nWNvmju.exe
  2⤵
  PID:12256
- C:\Windows\System\lctDTXr.exe
  C:\Windows\System\lctDTXr.exe
  2⤵
  PID:1192
- C:\Windows\System\FukbksZ.exe
  C:\Windows\System\FukbksZ.exe
  2⤵
  PID:11284
- C:\Windows\System\BrdUaHC.exe
  C:\Windows\System\BrdUaHC.exe
  2⤵
  PID:11340
- C:\Windows\System\oChTmhk.exe
  C:\Windows\System\oChTmhk.exe
  2⤵
  PID:11444
- C:\Windows\System\CooZMvJ.exe
  C:\Windows\System\CooZMvJ.exe
  2⤵
  PID:11468
- C:\Windows\System\afzEIVt.exe
  C:\Windows\System\afzEIVt.exe
  2⤵
  PID:11596
- C:\Windows\System\gbgOCjr.exe
  C:\Windows\System\gbgOCjr.exe
  2⤵
  PID:11624
- C:\Windows\System\YnhNlyI.exe
  C:\Windows\System\YnhNlyI.exe
  2⤵
  PID:11664
- C:\Windows\System\ssoIRri.exe
  C:\Windows\System\ssoIRri.exe
  2⤵
  PID:11764
- C:\Windows\System\zZqUyiP.exe
  C:\Windows\System\zZqUyiP.exe
  2⤵
  PID:11836
- C:\Windows\System\OVLyvbA.exe
  C:\Windows\System\OVLyvbA.exe
  2⤵
  PID:11884
- C:\Windows\System\xFQXiZS.exe
  C:\Windows\System\xFQXiZS.exe
  2⤵
  PID:11948
- C:\Windows\System\fhtMGAv.exe
  C:\Windows\System\fhtMGAv.exe
  2⤵
  PID:12020
- C:\Windows\System\JliKmbC.exe
  C:\Windows\System\JliKmbC.exe
  2⤵
  PID:12112
- C:\Windows\System\XveCtMy.exe
  C:\Windows\System\XveCtMy.exe
  2⤵
  PID:12160
- C:\Windows\System\JYgLmMH.exe
  C:\Windows\System\JYgLmMH.exe
  2⤵
  PID:12228
- C:\Windows\System\HotMQJc.exe
  C:\Windows\System\HotMQJc.exe
  2⤵
  PID:2228
- C:\Windows\System\mktrwCL.exe
  C:\Windows\System\mktrwCL.exe
  2⤵
  PID:12284
- C:\Windows\System\UgXAGHs.exe
  C:\Windows\System\UgXAGHs.exe
  2⤵
  PID:11504
- C:\Windows\System\JVmhmlA.exe
  C:\Windows\System\JVmhmlA.exe
  2⤵
  PID:11544
- C:\Windows\System\NhgIzkd.exe
  C:\Windows\System\NhgIzkd.exe
  2⤵
  PID:11668
- C:\Windows\System\UJQYfDp.exe
  C:\Windows\System\UJQYfDp.exe
  2⤵
  PID:11864
- C:\Windows\System\OtLetqN.exe
  C:\Windows\System\OtLetqN.exe
  2⤵
  PID:11924
- C:\Windows\System\LHIvedr.exe
  C:\Windows\System\LHIvedr.exe
  2⤵
  PID:12076
- C:\Windows\System\NOYWiGE.exe
  C:\Windows\System\NOYWiGE.exe
  2⤵
  PID:12224
- C:\Windows\System\GWkHWwV.exe
  C:\Windows\System\GWkHWwV.exe
  2⤵
  PID:11600
- C:\Windows\System\mtlIzBh.exe
  C:\Windows\System\mtlIzBh.exe
  2⤵
  PID:12084
- C:\Windows\System\WFfSsVu.exe
  C:\Windows\System\WFfSsVu.exe
  2⤵
  PID:12044
- C:\Windows\System\RIABUAz.exe
  C:\Windows\System\RIABUAz.exe
  2⤵
  PID:11808
- C:\Windows\System\RYdsFME.exe
  C:\Windows\System\RYdsFME.exe
  2⤵
  PID:11700
- C:\Windows\System\ozXYaeb.exe
  C:\Windows\System\ozXYaeb.exe
  2⤵
  PID:12328
- C:\Windows\System\vjOJVFw.exe
  C:\Windows\System\vjOJVFw.exe
  2⤵
  PID:12348
- C:\Windows\System\RsRtVgt.exe
  C:\Windows\System\RsRtVgt.exe
  2⤵
  PID:12388
- C:\Windows\System\HwlIYpC.exe
  C:\Windows\System\HwlIYpC.exe
  2⤵
  PID:12416
- C:\Windows\System\KPyszDT.exe
  C:\Windows\System\KPyszDT.exe
  2⤵
  PID:12432
- C:\Windows\System\fQPNJbm.exe
  C:\Windows\System\fQPNJbm.exe
  2⤵
  PID:12464
- C:\Windows\System\pGRMCFG.exe
  C:\Windows\System\pGRMCFG.exe
  2⤵
  PID:12488
- C:\Windows\System\mBgyhrW.exe
  C:\Windows\System\mBgyhrW.exe
  2⤵
  PID:12508
- C:\Windows\System\zonSUmt.exe
  C:\Windows\System\zonSUmt.exe
  2⤵
  PID:12536
- C:\Windows\System\LwEONll.exe
  C:\Windows\System\LwEONll.exe
  2⤵
  PID:12560
- C:\Windows\System\WYCJmbw.exe
  C:\Windows\System\WYCJmbw.exe
  2⤵
  PID:12604
- C:\Windows\System\OEbLieA.exe
  C:\Windows\System\OEbLieA.exe
  2⤵
  PID:12636
- C:\Windows\System\NijlOME.exe
  C:\Windows\System\NijlOME.exe
  2⤵
  PID:12668
- C:\Windows\System\SrxNPkQ.exe
  C:\Windows\System\SrxNPkQ.exe
  2⤵
  PID:12684
- C:\Windows\System\zhuorIX.exe
  C:\Windows\System\zhuorIX.exe
  2⤵
  PID:12704
- C:\Windows\System\vjcuyJd.exe
  C:\Windows\System\vjcuyJd.exe
  2⤵
  PID:12740
- C:\Windows\System\ZMPXREx.exe
  C:\Windows\System\ZMPXREx.exe
  2⤵
  PID:12768
- C:\Windows\System\wuZkgxE.exe
  C:\Windows\System\wuZkgxE.exe
  2⤵
  PID:12796
- C:\Windows\System\RljYZyH.exe
  C:\Windows\System\RljYZyH.exe
  2⤵
  PID:12824
- C:\Windows\System\SYJpLYf.exe
  C:\Windows\System\SYJpLYf.exe
  2⤵
  PID:12864
- C:\Windows\System\lCEMQgX.exe
  C:\Windows\System\lCEMQgX.exe
  2⤵
  PID:12880
- C:\Windows\System\uASjnIp.exe
  C:\Windows\System\uASjnIp.exe
  2⤵
  PID:12908
- C:\Windows\System\ENiDhWY.exe
  C:\Windows\System\ENiDhWY.exe
  2⤵
  PID:12936
- C:\Windows\System\CGjaTom.exe
  C:\Windows\System\CGjaTom.exe
  2⤵
  PID:12964
- C:\Windows\System\UJOYzLB.exe
  C:\Windows\System\UJOYzLB.exe
  2⤵
  PID:13004
- C:\Windows\System\khDNgFW.exe
  C:\Windows\System\khDNgFW.exe
  2⤵
  PID:13032
- C:\Windows\System\FsnxOHG.exe
  C:\Windows\System\FsnxOHG.exe
  2⤵
  PID:13060
- C:\Windows\System\OQIzeiD.exe
  C:\Windows\System\OQIzeiD.exe
  2⤵
  PID:13076
- C:\Windows\System\kpQsdUe.exe
  C:\Windows\System\kpQsdUe.exe
  2⤵
  PID:13104
- C:\Windows\System\HCzvVIF.exe
  C:\Windows\System\HCzvVIF.exe
  2⤵
  PID:13144
- C:\Windows\System\mQsCLTc.exe
  C:\Windows\System\mQsCLTc.exe
  2⤵
  PID:13176
- C:\Windows\System\bAusIiR.exe
  C:\Windows\System\bAusIiR.exe
  2⤵
  PID:13200
- C:\Windows\System\ihtwxee.exe
  C:\Windows\System\ihtwxee.exe
  2⤵
  PID:13232
- C:\Windows\System\wrXvJoD.exe
  C:\Windows\System\wrXvJoD.exe
  2⤵
  PID:13248
- C:\Windows\System\FkcBETH.exe
  C:\Windows\System\FkcBETH.exe
  2⤵
  PID:13268
- C:\Windows\System\fixUTKx.exe
  C:\Windows\System\fixUTKx.exe
  2⤵
  PID:13304
- C:\Windows\System\QExUSbo.exe
  C:\Windows\System\QExUSbo.exe
  2⤵
  PID:12320
- C:\Windows\System\VkfyjRy.exe
  C:\Windows\System\VkfyjRy.exe
  2⤵
  PID:12424
- C:\Windows\System\amAGnNo.exe
  C:\Windows\System\amAGnNo.exe
  2⤵
  PID:12476
- C:\Windows\System\Ujulhbt.exe
  C:\Windows\System\Ujulhbt.exe
  2⤵
  PID:12572
- C:\Windows\System\hjkrKyF.exe
  C:\Windows\System\hjkrKyF.exe
  2⤵
  PID:12680
- C:\Windows\System\GmXDRUF.exe
  C:\Windows\System\GmXDRUF.exe
  2⤵
  PID:12756
- C:\Windows\System\MyyLfYI.exe
  C:\Windows\System\MyyLfYI.exe
  2⤵
  PID:12848
- C:\Windows\System\PkmNIyE.exe
  C:\Windows\System\PkmNIyE.exe
  2⤵
  PID:12856
- C:\Windows\System\OGVatDv.exe
  C:\Windows\System\OGVatDv.exe
  2⤵
  PID:12952
- C:\Windows\System\dxWXTzr.exe
  C:\Windows\System\dxWXTzr.exe
  2⤵
  PID:12984
- C:\Windows\System\AMljjHF.exe
  C:\Windows\System\AMljjHF.exe
  2⤵
  PID:13056
- C:\Windows\System\hFBxmVJ.exe
  C:\Windows\System\hFBxmVJ.exe
  2⤵
  PID:13140
- C:\Windows\System\HzkoVdh.exe
  C:\Windows\System\HzkoVdh.exe
  2⤵
  PID:13224
- C:\Windows\System\uMwjxqP.exe
  C:\Windows\System\uMwjxqP.exe
  2⤵
  PID:3112
- C:\Windows\System\pgqDhjn.exe
  C:\Windows\System\pgqDhjn.exe
  2⤵
  PID:12340
- C:\Windows\System\KFHPaXy.exe
  C:\Windows\System\KFHPaXy.exe
  2⤵
  PID:12412
- C:\Windows\System\jAgymxF.exe
  C:\Windows\System\jAgymxF.exe
  2⤵
  PID:12620
- C:\Windows\System\wVZwBSX.exe
  C:\Windows\System\wVZwBSX.exe
  2⤵
  PID:12788
- C:\Windows\System\DHoHsBt.exe
  C:\Windows\System\DHoHsBt.exe
  2⤵
  PID:12896
- C:\Windows\System\ZBWnJYh.exe
  C:\Windows\System\ZBWnJYh.exe
  2⤵
  PID:13024
- C:\Windows\System\vcypDan.exe
  C:\Windows\System\vcypDan.exe
  2⤵
  PID:13220
- C:\Windows\System\HDccIPe.exe
  C:\Windows\System\HDccIPe.exe
  2⤵
  PID:13296
- C:\Windows\System\PvPxfkL.exe
  C:\Windows\System\PvPxfkL.exe
  2⤵
  PID:12904
- C:\Windows\System\uQLoAtF.exe
  C:\Windows\System\uQLoAtF.exe
  2⤵
  PID:13192
- C:\Windows\System\XTTTZLc.exe
  C:\Windows\System\XTTTZLc.exe
  2⤵
  PID:12792
- C:\Windows\System\YGOyLeo.exe
  C:\Windows\System\YGOyLeo.exe
  2⤵
  PID:13276
- C:\Windows\System\yOoqGXg.exe
  C:\Windows\System\yOoqGXg.exe
  2⤵
  PID:13332
- C:\Windows\System\uawvaFr.exe
  C:\Windows\System\uawvaFr.exe
  2⤵
  PID:13360
- C:\Windows\System\OfpAHNL.exe
  C:\Windows\System\OfpAHNL.exe
  2⤵
  PID:13388
- C:\Windows\System\NSPjRhm.exe
  C:\Windows\System\NSPjRhm.exe
  2⤵
  PID:13408
- C:\Windows\System\MBKbzKh.exe
  C:\Windows\System\MBKbzKh.exe
  2⤵
  PID:13436
- C:\Windows\System\EwfxQIx.exe
  C:\Windows\System\EwfxQIx.exe
  2⤵
  PID:13472
- C:\Windows\System\lAotUok.exe
  C:\Windows\System\lAotUok.exe
  2⤵
  PID:13496
- C:\Windows\System\uEdfZuN.exe
  C:\Windows\System\uEdfZuN.exe
  2⤵
  PID:13528
- C:\Windows\System\qCkfnxB.exe
  C:\Windows\System\qCkfnxB.exe
  2⤵
  PID:13556
- C:\Windows\System\BQPhhxP.exe
  C:\Windows\System\BQPhhxP.exe
  2⤵
  PID:13572
- C:\Windows\System\KYTUYZl.exe
  C:\Windows\System\KYTUYZl.exe
  2⤵
  PID:13600
- C:\Windows\System\seQUYgQ.exe
  C:\Windows\System\seQUYgQ.exe
  2⤵
  PID:13640
- C:\Windows\System\oFcmTQW.exe
  C:\Windows\System\oFcmTQW.exe
  2⤵
  PID:13668
- C:\Windows\System\vtjqGty.exe
  C:\Windows\System\vtjqGty.exe
  2⤵
  PID:13692
- C:\Windows\System\rtSoKTl.exe
  C:\Windows\System\rtSoKTl.exe
  2⤵
  PID:13724
- C:\Windows\System\egaulbg.exe
  C:\Windows\System\egaulbg.exe
  2⤵
  PID:13744
- C:\Windows\System\LkErcDr.exe
  C:\Windows\System\LkErcDr.exe
  2⤵
  PID:13768
- C:\Windows\System\DHVrTDQ.exe
  C:\Windows\System\DHVrTDQ.exe
  2⤵
  PID:13808
- C:\Windows\System\FtEDuYI.exe
  C:\Windows\System\FtEDuYI.exe
  2⤵
  PID:13824
- C:\Windows\System\qnJmgqN.exe
  C:\Windows\System\qnJmgqN.exe
  2⤵
  PID:13864
- C:\Windows\System\zGKoXup.exe
  C:\Windows\System\zGKoXup.exe
  2⤵
  PID:13892
- C:\Windows\System\BlFppWI.exe
  C:\Windows\System\BlFppWI.exe
  2⤵
  PID:13920
- C:\Windows\System\wewzEkz.exe
  C:\Windows\System\wewzEkz.exe
  2⤵
  PID:13948
- C:\Windows\System\nrJxREO.exe
  C:\Windows\System\nrJxREO.exe
  2⤵
  PID:13968
- C:\Windows\System\fMiEEhl.exe
  C:\Windows\System\fMiEEhl.exe
  2⤵
  PID:13992
- C:\Windows\System\JBBsjwE.exe
  C:\Windows\System\JBBsjwE.exe
  2⤵
  PID:14012
- C:\Windows\System\IACLgPG.exe
  C:\Windows\System\IACLgPG.exe
  2⤵
  PID:14052
- C:\Windows\System\LgcWKbL.exe
  C:\Windows\System\LgcWKbL.exe
  2⤵
  PID:14088
- C:\Windows\System\BrWzxlW.exe
  C:\Windows\System\BrWzxlW.exe
  2⤵
  PID:14108
- C:\Windows\System\WXaynVw.exe
  C:\Windows\System\WXaynVw.exe
  2⤵
  PID:14124
- C:\Windows\System\nBetaOK.exe
  C:\Windows\System\nBetaOK.exe
  2⤵
  PID:14180
- C:\Windows\System\UzMgUHn.exe
  C:\Windows\System\UzMgUHn.exe
  2⤵
  PID:14208
- C:\Windows\System\fSNKUUc.exe
  C:\Windows\System\fSNKUUc.exe
  2⤵
  PID:14244
- C:\Windows\System\MingOpg.exe
  C:\Windows\System\MingOpg.exe
  2⤵
  PID:14272
- C:\Windows\System\IeTaYIC.exe
  C:\Windows\System\IeTaYIC.exe
  2⤵
  PID:14288
- C:\Windows\System\iEzAHfN.exe
  C:\Windows\System\iEzAHfN.exe
  2⤵
  PID:14308
- C:\Windows\System\gOUsOji.exe
  C:\Windows\System\gOUsOji.exe
  2⤵
  PID:13328
- C:\Windows\System\CSxBWBf.exe
  C:\Windows\System\CSxBWBf.exe
  2⤵
  PID:13424
- C:\Windows\System\saRDTOZ.exe
  C:\Windows\System\saRDTOZ.exe
  2⤵
  PID:13488
- C:\Windows\System\KntvyBT.exe
  C:\Windows\System\KntvyBT.exe
  2⤵
  PID:13516
- C:\Windows\System\JrGrmhw.exe
  C:\Windows\System\JrGrmhw.exe
  2⤵
  PID:13584
- C:\Windows\System\BglzjQE.exe
  C:\Windows\System\BglzjQE.exe
  2⤵
  PID:13636
- C:\Windows\System\LbeVqNE.exe
  C:\Windows\System\LbeVqNE.exe
  2⤵
  PID:13720
- C:\Windows\System\KonuIvK.exe
  C:\Windows\System\KonuIvK.exe
  2⤵
  PID:13760
- C:\Windows\System\kOYbbxj.exe
  C:\Windows\System\kOYbbxj.exe
  2⤵
  PID:13840
- C:\Windows\System\tvFrvfO.exe
  C:\Windows\System\tvFrvfO.exe
  2⤵
  PID:13904
- C:\Windows\System\bogMTZd.exe
  C:\Windows\System\bogMTZd.exe
  2⤵
  PID:14032
- C:\Windows\System\pyymdUL.exe
  C:\Windows\System\pyymdUL.exe
  2⤵
  PID:3952
- C:\Windows\System\gDoyPeP.exe
  C:\Windows\System\gDoyPeP.exe
  2⤵
  PID:14084
- C:\Windows\System\daMLzhu.exe
  C:\Windows\System\daMLzhu.exe
  2⤵
  PID:4260
- C:\Windows\System\cCYKATo.exe
  C:\Windows\System\cCYKATo.exe
  2⤵
  PID:2964
- C:\Windows\System\cqfcaJN.exe
  C:\Windows\System\cqfcaJN.exe
  2⤵
  PID:14216
- C:\Windows\System\XWUxPdt.exe
  C:\Windows\System\XWUxPdt.exe
  2⤵
  PID:14268
- C:\Windows\System\TeNDwih.exe
  C:\Windows\System\TeNDwih.exe
  2⤵
  PID:14296
- C:\Windows\System\FVzarVU.exe
  C:\Windows\System\FVzarVU.exe
  2⤵
  PID:13372
- C:\Windows\System\HGxmziu.exe
  C:\Windows\System\HGxmziu.exe
  2⤵
  PID:13548
- C:\Windows\System\jADGVOl.exe
  C:\Windows\System\jADGVOl.exe
  2⤵
  PID:13172
- C:\Windows\System\yWpAvAr.exe
  C:\Windows\System\yWpAvAr.exe
  2⤵
  PID:13940
- C:\Windows\System\qnXLwnZ.exe
  C:\Windows\System\qnXLwnZ.exe
  2⤵
  PID:14004
- C:\Windows\System\VaOGaJN.exe
  C:\Windows\System\VaOGaJN.exe
  2⤵
  PID:13816
- C:\Windows\System\JtOGxSR.exe
  C:\Windows\System\JtOGxSR.exe
  2⤵
  PID:13944
- C:\Windows\System\zwkuSiG.exe
  C:\Windows\System\zwkuSiG.exe
  2⤵
  PID:14352
- C:\Windows\System\UxJHoAR.exe
  C:\Windows\System\UxJHoAR.exe
  2⤵
  PID:14384
- C:\Windows\System\IRqEXPt.exe
  C:\Windows\System\IRqEXPt.exe
  2⤵
  PID:14452
- C:\Windows\System\SbOuyYX.exe
  C:\Windows\System\SbOuyYX.exe
  2⤵
  PID:14468
- C:\Windows\System\bozdpBd.exe
  C:\Windows\System\bozdpBd.exe
  2⤵
  PID:14496
- C:\Windows\System\dGKgEGk.exe
  C:\Windows\System\dGKgEGk.exe
  2⤵
  PID:14524
- C:\Windows\System\wBHZpGp.exe
  C:\Windows\System\wBHZpGp.exe
  2⤵
  PID:14540
- C:\Windows\System\vIhgCzn.exe
  C:\Windows\System\vIhgCzn.exe
  2⤵
  PID:14580
- C:\Windows\System\FTsnDIZ.exe
  C:\Windows\System\FTsnDIZ.exe
  2⤵
  PID:14596
- C:\Windows\System\kqfBucA.exe
  C:\Windows\System\kqfBucA.exe
  2⤵
  PID:14620
- C:\Windows\System\RlEgzRn.exe
  C:\Windows\System\RlEgzRn.exe
  2⤵
  PID:14652
- C:\Windows\System\lwCWzbJ.exe
  C:\Windows\System\lwCWzbJ.exe
  2⤵
  PID:14688
- C:\Windows\System\kjifOtz.exe
  C:\Windows\System\kjifOtz.exe
  2⤵
  PID:14708
- C:\Windows\System\YUqOkBC.exe
  C:\Windows\System\YUqOkBC.exe
  2⤵
  PID:14736
- C:\Windows\System\TIKPTvH.exe
  C:\Windows\System\TIKPTvH.exe
  2⤵
  PID:14776
- C:\Windows\System\yTuuywr.exe
  C:\Windows\System\yTuuywr.exe
  2⤵
  PID:14804
- C:\Windows\System\elMmKdB.exe
  C:\Windows\System\elMmKdB.exe
  2⤵
  PID:14832
- C:\Windows\System\hutGkpA.exe
  C:\Windows\System\hutGkpA.exe
  2⤵
  PID:14860
- C:\Windows\System\KqDukCn.exe
  C:\Windows\System\KqDukCn.exe
  2⤵
  PID:14888
- C:\Windows\System\NJcbLoY.exe
  C:\Windows\System\NJcbLoY.exe
  2⤵
  PID:14916
- C:\Windows\System\ONThNtg.exe
  C:\Windows\System\ONThNtg.exe
  2⤵
  PID:14944
- C:\Windows\System\YuofXYQ.exe
  C:\Windows\System\YuofXYQ.exe
  2⤵
  PID:14972
- C:\Windows\System\UDnEYzr.exe
  C:\Windows\System\UDnEYzr.exe
  2⤵
  PID:14988
- C:\Windows\System\lkXaaMi.exe
  C:\Windows\System\lkXaaMi.exe
  2⤵
  PID:15016
- C:\Windows\System\pxgpzZa.exe
  C:\Windows\System\pxgpzZa.exe
  2⤵
  PID:15044
- C:\Windows\System\iExUCql.exe
  C:\Windows\System\iExUCql.exe
  2⤵
  PID:15060
- C:\Windows\System\vuJyuEm.exe
  C:\Windows\System\vuJyuEm.exe
  2⤵
  PID:15096
- C:\Windows\System\HKABylK.exe
  C:\Windows\System\HKABylK.exe
  2⤵
  PID:15128
- C:\Windows\System\ghUcNov.exe
  C:\Windows\System\ghUcNov.exe
  2⤵
  PID:15144
- C:\Windows\System\XPjeCjk.exe
  C:\Windows\System\XPjeCjk.exe
  2⤵
  PID:14732
- C:\Windows\System\KumZsCJ.exe
  C:\Windows\System\KumZsCJ.exe
  2⤵
  PID:14872
- C:\Windows\System\vASbFRG.exe
  C:\Windows\System\vASbFRG.exe
  2⤵
  PID:15004
- C:\Windows\System\zWsoPvb.exe
  C:\Windows\System\zWsoPvb.exe
  2⤵
  PID:15120
- C:\Windows\System\ycGRWQL.exe
  C:\Windows\System\ycGRWQL.exe
  2⤵
  PID:15180
- C:\Windows\System\JCAXXmZ.exe
  C:\Windows\System\JCAXXmZ.exe
  2⤵
  PID:15316
- C:\Windows\System\kujGBON.exe
  C:\Windows\System\kujGBON.exe
  2⤵
  PID:15348
- C:\Windows\System\DDpjUtL.exe
  C:\Windows\System\DDpjUtL.exe
  2⤵
  PID:852
- C:\Windows\System\YiywHWH.exe
  C:\Windows\System\YiywHWH.exe
  2⤵
  PID:14284
- C:\Windows\System\bExwnWz.exe
  C:\Windows\System\bExwnWz.exe
  2⤵
  PID:14188
- C:\Windows\System\MGwMlKB.exe
  C:\Windows\System\MGwMlKB.exe
  2⤵
  PID:14552

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14704

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15324

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14440

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14044

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:14644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CGeduCo.exe

Filesize
2.1MB

MD5
94b7e7033b3ee329febfff9b1fa8e5cc

SHA1
77368de1e4deed5ff034ad84d8bf40ba8b594b15

SHA256
0ba4efc274a49d062ce810916f0fdc23363122d68fe99bfc384cf51f788a5bfd

SHA512
7c5322b33fea2e05dfb26197d3f5d8a27eaf9251f7b2613278707be2b6a95f3364f3a015891d65dea56d901efc8e80cdf444029d688f1f8d1cedbb6d98fbb07c

Download Submit
C:\Windows\System\ELgpFip.exe

Filesize
2.1MB

MD5
b57520eb79176ae89873ff1d74b8c7f1

SHA1
c4d9231da9623e17a7f65eacb16fee0b2fd90493

SHA256
a59281df91162788469784630e6e6fc03a9e92320820a31769c1fa200ff651c7

SHA512
e3b252f6c6425c94d9a716e2c14382c470a17289a91131085557b90f9fd48b0e7bffc5618454f7af4c032f27fb3b223512cd2d076c667e91d8e3a89fb10b7e12

Download Submit
C:\Windows\System\FUTAsmx.exe

Filesize
2.1MB

MD5
4d44eaab9479462ba95232ab5f3219df

SHA1
a4a7fc9b76c5f130439cb16b7eccb3f0d2b594f0

SHA256
7634b98401ade2aad397d069fb15027c66e0be392b4d2ebc47f5853ae5a6c05c

SHA512
265d06504e1e8d6e7cf7a5a6a145ca046cff334b2c2ddff25f4464388f818a4418a850579351989fffc71d9c0e3034938d1eb1bf0ed2dd7e305ce534d66fa760

Download Submit
C:\Windows\System\GyYDGmW.exe

Filesize
2.1MB

MD5
7970bbb08619600c8648f8067ebc5336

SHA1
fee28731cbb3a2f3e5f4ec01d40e3734e37b0037

SHA256
d2d4b6e53bb2815829189ec730eb435386ff43046fc985a0a1a972bfdc869ac2

SHA512
413e4c00d71bb9c2716c0f8412fcd147b788cee44c1439ba3d8b29e67441543bd332611ab4d655e98e09aa6faaf380bfc983bfdc66675bf20057e80a6131b74e

Download Submit
C:\Windows\System\HTVZpoJ.exe

Filesize
2.1MB

MD5
942262e4f94405545f1734adb497aaa4

SHA1
6753c559e06d465d1340e048e9cc024c167ca574

SHA256
7a480466a515b6915f5bfc81a16b34ba81f2f42fbd3027ef81a6196a4e98d41a

SHA512
3201631fece244ec7d69c687260a15599bfc24470651697e34684344b3086849de58d241ec2e4f23cfe26ee69edf60d59e34a7ca3fffc1bcbc3fc615df8f63fb

Download Submit
C:\Windows\System\HTrIrXU.exe

Filesize
2.1MB

MD5
bc75014e18dc5fb272191f5e5a39e022

SHA1
470c8f0511bbcd967779986fb069e57b0d6f590c

SHA256
54111df20e97dcdca699f20ba09eeb763fe68e9ad5f67d3312451df4b3338dc8

SHA512
33783622a30087dded11081d04390c7f17e9a06a67ffab212e387072348a2065db6e2f3945ba77700c8c67e120423a61c4490c3fefad7ba37910143870ab5a8b

Download Submit
C:\Windows\System\IfsFOjD.exe

Filesize
2.1MB

MD5
5445f14c5ac3a12ed3ee3ca7b1e1f434

SHA1
8732cc9a006cb7efc25a07f8e58de4a494a3ace9

SHA256
ea82ceecf2bd02589a018b335d984b1323014fef2a25568ad529037ebb6486d5

SHA512
1368707d85b050b01980faeb38cc2d1c2d3334a0da7c890b964a93171aec06e1ea1f9f45bd1e93b3874c0853c84bf23cb602cb1910c1bc020ecc56d4286b7aa4

Download Submit
C:\Windows\System\LQugKwD.exe

Filesize
2.1MB

MD5
58a943008f35e304daedce3f6219449c

SHA1
34bd0a5617847f415a940f951ef514903cf476ab

SHA256
8c682c327c9e5ee248a7f00070115d21fe46fcff3ac2afc7df757efeda2a378a

SHA512
42fa1a67bbd9396c319395bea918aa305ea57121a73987510b9b345657ece1536a3375664f350e10311d7a60f2af7a70f420ad98754a4c034805d18e04fb8049

Download Submit
C:\Windows\System\MiutkFp.exe

Filesize
2.1MB

MD5
9bad28c48a5e36539dd8ee670fadc8f2

SHA1
912c43cfeea66e0fe53c8289e49d1828c79b2360

SHA256
61db123d3cbc76cfa56b6c6ae32b98a674b254470d86f20f3c63fbe129de2ddc

SHA512
9ec53014bf9acc7aed1e183fa51c09ce0dd0fbd2497bead216e034ba3a0fb8264d8e54b6fd98315ef948c128441245f03cbd97b8776f7bf6cd382fb558576041

Download Submit
C:\Windows\System\OBMfsVE.exe

Filesize
2.1MB

MD5
ad5c282fefe2686dbee5b90be7654aa3

SHA1
3073da42d2f5101791e4267a85762c8b863eae81

SHA256
31cece338fc25f7449fcde43d4ccfd7d818863d5242e0eead5b370709729de0c

SHA512
ccf00410656eb3cb4369c0b3c11bdb9d946805334bab793a2de19bf328d28946394c8551ddc723b9c8f8ad39a0b66c756cb096b579b2d23fc30879e72cb393c5

Download Submit
C:\Windows\System\OVaEGwL.exe

Filesize
2.1MB

MD5
b8f42e0cfd4cc469ef61e6d45b78a778

SHA1
247cbea79be9fb99a84068d118696eb9915f6955

SHA256
0bc4c51929910bddb5db514b532ab775d824a807292dfd867b571b51b88bcf25

SHA512
fc9c41fa75cf2501d8f1829a29e55b9f6984207077b1294607b328fe7edb30b86eccff900c95edb2b6971fe78e8baa39792e3061c9715305916a3972f4c136c2

Download Submit
C:\Windows\System\RXtIhaB.exe

Filesize
2.1MB

MD5
7106499554981debb414e9d8ad7901a9

SHA1
cf24bf21bf4b9c312ec25929df8ee854f06f7050

SHA256
00fa8d0a650c856cfc781b6debadf802551af77c41190e098ab5de580dcfa5f2

SHA512
e4ee7bcf0cdfb7234bebe0721c49c7619e3e67811949180a639e18f8a4964eb4bdc4c901853aff902fb8f1ed191f06b96e2751d3c8f310fc61f5c9d05542eb10

Download Submit
C:\Windows\System\TZmOEUD.exe

Filesize
2.1MB

MD5
6f6fbfbf728db7b1f1fc3e4f87cd6eec

SHA1
5491d830ded5b219422f26fa7fb2b0d012f4d267

SHA256
f9b932e4dd910bf5e1ad89258a3328fff9f4bc439b911f17df5be5b2888b4e64

SHA512
4d758ecfe7be00f84a1d08b00d84013f50abd60c04ab687e76bc2f7c456a70a19bde8cd474561be149552bbcf9bd584b33d535e7d8e877f84834d323ca7a72b8

Download Submit
C:\Windows\System\VtvAGxe.exe

Filesize
2.1MB

MD5
4490c76eb7d7e224f9a62f8c7d682474

SHA1
6f4eafb7bf2513d030e9c5562d4a36b0097d5bd7

SHA256
5f5115178236eddb9626ae33b2085fbf75c632559f09709ee586adb1ee6b440c

SHA512
c96054bcf7628542f608b5c70a43d2222b98dd287a357b81448ae2a53edef3bdb5b94c242c3e4c1363937a168f1dbe96fd55652876cbb399ba00125ce8827dd9

Download Submit
C:\Windows\System\aSjxTNK.exe

Filesize
2.1MB

MD5
371bc3046591603495d57f3adb911199

SHA1
ee4646e245c6e518d321917609293c1ec15eece6

SHA256
b088780edfbb6adaa6cd6cf67d68a2b46da3e4a5d879ab421eb70e789f96fe37

SHA512
d6b796506c3b7d431d67979a6aacee04c69af57c163f53e0165710de4ff5b4d895950bcadedb1432f7e21aa427c37ab8d6b9a9899e3520fbb66936f1ff5a33aa

Download Submit
C:\Windows\System\bHlgodM.exe

Filesize
2.1MB

MD5
45a853d5c4413773a209b050bf4e884e

SHA1
62bde5a69c910ec3119cfbff8977b159eac2a3ae

SHA256
21e8f654155903e46b52b7637ba9849cdf091c789d671366a663c6ab326291c6

SHA512
86f719a5423f4b4f4b9df9167b387686457c58147eb8ad40cdd99b7193c817b303d8fcc00304b12704b6f5bccacde9bc216af801ac613433c11ccd591d595595

Download Submit
C:\Windows\System\dbRfVgE.exe

Filesize
2.1MB

MD5
f8362362d46d8fe4c4a962623cf520e8

SHA1
ec7c0bb581c0f5e016f4e2707d803d18b4cb6bf5

SHA256
aadc57d75361e8afb802055391b6d8ecd6d45e56d14eeffb9462c8728ba0f15f

SHA512
074646710def67db5d86d281a2724ef0f69f82f770c493743532f9d463dd9e5f90224ee4ad523de5a0a3b0f5d3c9c108db6482abef7a4d6bedc28bffc14dc5cd

Download Submit
C:\Windows\System\fMclfYq.exe

Filesize
2.1MB

MD5
51f084766e9cb543c28cb467958dec08

SHA1
f3b68d22f51cf6ea7a415d2a33f1162d855defea

SHA256
6f70864148f185088e0c77e454434e7e1ef2edddd3d1e41fbc240b19dacf9b86

SHA512
cd24a1148894d7783c1ab2f2d3ff15963c9b3f07e70dda60d578f71f7f9b9c2cab1f04bab905079699cc4d89eb5b1ac802b9a8f8f11fd667b839f814d32d9632

Download Submit
C:\Windows\System\gWktZZT.exe

Filesize
2.1MB

MD5
ac1e4955986e3aca4e3c3b2286ceb6ed

SHA1
0e530e2379f1733cc9cb533cd5465b9750a1dd6d

SHA256
657f82114c872568d3b1b416dee67e762e29b2fe7fd836d3b2024beea4777633

SHA512
85ad63b306c195839e2cab6c3be6d24cc318cd64260816905bfb2813485cdf14fb530968e968d9258e54f1b529b128bd4d6808c683964da19e56a8b3b923f271

Download Submit
C:\Windows\System\jAJsljy.exe

Filesize
2.1MB

MD5
a6e9fe7292a93de0f3549065b628bc63

SHA1
81682d22f92589cf2e6a18a0350f7b6698a06d3c

SHA256
9124c68b51356bfe0f0b5dc077988b5fbfbc06cc306b129a21a4b994b03882d1

SHA512
8b3c4e9b9ce0185dcee3aa6af54652dcbd676e06f0241b45f9313cde5dd54d812a2848b9479adee7cf02fd2efa9eb9cc0c288bc412bebdd4ee0765831057b660

Download Submit
C:\Windows\System\lXlspZf.exe

Filesize
2.1MB

MD5
65251a0c6637c9c58d29bb6ec82bba66

SHA1
d779a1e47ed2ab13996888b7f5be34f99620d53a

SHA256
d2814d9a829d5c48555fa4735f910dfc7e60fbfbbe68297de3700a606da80567

SHA512
97a8ad7d5af8e02bd9a8d97190da68d046a6359d508ff75dede309ac68e605d96bf0ef755d144548a1c686db2bafd3f05fb7e45c15ed5df0740a1cc19c8af7fd

Download Submit
C:\Windows\System\owfaMNu.exe

Filesize
2.1MB

MD5
96fcec8923fb462117318f143d384cb4

SHA1
d6f6a86f0a5e6845f17daa15b5bad70660b9735d

SHA256
78d43746f29c7102e5aab224cc355a2e346f0f542d39db08955459b827fd07cc

SHA512
80cd7c3bd7f8ffd24fcf8dfc85b34cd9316813613f669dfa8b15810ea97f4f32dc1a99078d35092990737ba3e99dde5dd3ed6049e0efbbaead103e83b742bd6d

Download Submit
C:\Windows\System\oyeJnPN.exe

Filesize
2.1MB

MD5
836dcaa96a6a6cea68de9c89ea8b441b

SHA1
0a7cf839345cadd581591b854ea5d81ee38126f7

SHA256
3565c7b1de15cfd9030c7da3ffdc8b27d21b5e3fbe72c5219a57def3c0f61722

SHA512
b5613e56c8748114747ee80723f73bbdbbc704492e73665cf3cdd45d3996512e0015c8cfc4f99b4afefc7b97ce4957a852a090f9570b3bd3c0b5a799da8467c1

Download Submit
C:\Windows\System\qDweOBB.exe

Filesize
2.1MB

MD5
2ca300d1eccac5eb0b162da9a4fb15d7

SHA1
ee6923560213c700ec3aa38d2719baa0b13eb3e0

SHA256
fbeace7d15d3a110ff99a02a1329338a11ef1d5fc3ef00bc5516cfd6e84582a0

SHA512
004f5f8597ea2fbb44534e8e767ed514c61e02a90dcb04dd0c9bd4b18517ddd325a43e67896fe5ee85ac823d5c2ddbcb86390f0f4f6878bb550b31c7a57f9b24

Download Submit
C:\Windows\System\rXGNwDJ.exe

Filesize
2.1MB

MD5
353e1b431c3e5d6e8d5e17239621a7f3

SHA1
a9f58ca917d9b31b3c0c5a3c5747f0ea7645b751

SHA256
cd63ff53d92c7ddaaaba40968a9bcca2f3943d98cc5db27bcf346d1cb9cded85

SHA512
6e84edb73aa00a794e4c1563f69bbbd452e5924abb2d8b58fee54c8b00b23440ca0d0fac33a4020464f12a977be0698f59fa0ee3d40f498d5b67c3e59a9cde12

Download Submit
C:\Windows\System\ruLUPgD.exe

Filesize
2.1MB

MD5
c7c329121cccc30f898bdbcbc50ab1cf

SHA1
d23cf7651c4f5242b6a6b7a761aeab2084541ffb

SHA256
a5740fea72415a9de82be81ff8d4f34b998078d5b86023ddc01d63c2d35a30f2

SHA512
06619441e0e041efccaabdbc5048cfa38ee42137c4b55810eede9e0809ccdfd4b38c20c237f3e8645526ec604f69685f203f8f68be87e84a1726846fd17757d3

Download Submit
C:\Windows\System\tatBJzP.exe

Filesize
2.1MB

MD5
ebea6148888ac8a1681ad18729c59e34

SHA1
7e9533ee9f34f1359b720f41e917ebfd650487b2

SHA256
631125a03a320e7549732b9fb1acc1fd26c45a39caba80482981ec24aaf18bd9

SHA512
61d765a0b2003c9d0ed42c58b8dfc2fe58cc97e5f5148b17d0a54656e940512b60992ed7e4bcd549e0c47c0c28cb41a56c4e95fcb6df4810db290db92f4f8b36

Download Submit
C:\Windows\System\vAFhuxj.exe

Filesize
2.1MB

MD5
047cb7129da772d39bef7b4e17324a2c

SHA1
6113e9fa551678aa8a48d0477b7bb1eeb692cb42

SHA256
455b680bd3d7ce4d2524012dfd1c2937652b4c940399033f9a87b4c02afdbb0d

SHA512
825b68da1b32b75d4518146473cb084a636445c24348123d8f1347113fcb75bc6fd770c5e6efe29d71e132b79d5ec70a280c315f22406382d3bd5e4875575d73

Download Submit
C:\Windows\System\wBcPpxN.exe

Filesize
2.1MB

MD5
c30d14a381f65c7e2366d8412992ff92

SHA1
39fcdfecf4d0134966f1f3b6237a8b09c22d97af

SHA256
b45e07736216d72c9a91b866db410f1a1f62532439ff8fe901b9da8380e90225

SHA512
03a7fa5547e9d99f2b4fd16ad80bb2f8257581cd8197581a5430ecf653b97f2b6ea064928edcc7b32b8d06f01bb5653846f42a1d8dc297924613890fb4f40389

Download Submit
C:\Windows\System\xAjcAaO.exe

Filesize
2.1MB

MD5
d927f2894de59351d891de51f1eb3596

SHA1
fae770580ce3e788af8df0a66e2d534438e30aab

SHA256
7335b187048a70131aff684542dfb42d6059f33f9299ee5fabdbde64c84633e9

SHA512
d1f1e1fff6abc061447f2b4fc440cceffb643b11bd7372e24db84f3816f41cdddc4472ebebe04bfbc7490853902c7f976f9721f4be0b1e20d2e469aff45e9022

Download Submit
C:\Windows\System\xCVrAkW.exe

Filesize
2.1MB

MD5
d82ff6a55c278ddfd480cab1e304bef6

SHA1
51a0a6380f2aa71698fc7bcb1b6d8e3ec423637c

SHA256
53dd2c80d6383010e7f51e24b62af05cb9336c1d2edfc0e17191a8bf66c112da

SHA512
1a7ea91044d9eead2343c690352fa5120b41ca755fc204a3336b6bf66280e5a1fa7c04f746a7c770d40df68da47259700fde84bcbe5aea5a4484c8e28e96c550

Download Submit
C:\Windows\System\xksNIDL.exe

Filesize
2.1MB

MD5
eff552c06681030d17f00cb93784d112

SHA1
8f000ac97e10af0f16f3d0aaad60fa5acc84d800

SHA256
0306679df4af69495b65068b45be6d8a2b8bc7045a9724394ea9386d676090df

SHA512
d3ec4dc3b4e87b13614b86607e63b4054d0b01ca018e2e01de7e04b9e470865e5b7592137f44beb8b11a8563ab07ba95407b69a4ed00872012bbea9752b72728

Download Submit
C:\Windows\System\zeZtNqq.exe

Filesize
2.1MB

MD5
df11ddf03c2a88d1ad3c659dd38b7c55

SHA1
8c81fb1d12feb880bb16dbeb147f64ffc639db21

SHA256
b4422f16430f4d9443bda2240e6b9f534a218cd8561cc95283ec548f2831e8a6

SHA512
f96cac3ac7d09825eb3c736e834f233fd14dd5d55b70a39963e7a453c8a649640385069aad59f642a9682fec96613cbb3a391b86a9a7204e1dca525f0621e86e

Download Submit
memory/404-16-0x00007FF745D40000-0x00007FF746094000-memory.dmp

Filesize
3.3MB

Download
memory/404-108-0x00007FF745D40000-0x00007FF746094000-memory.dmp

Filesize
3.3MB

Download
memory/404-2341-0x00007FF745D40000-0x00007FF746094000-memory.dmp

Filesize
3.3MB

Download
memory/912-1918-0x00007FF6244C0000-0x00007FF624814000-memory.dmp

Filesize
3.3MB

Download
memory/912-2349-0x00007FF6244C0000-0x00007FF624814000-memory.dmp

Filesize
3.3MB

Download
memory/912-57-0x00007FF6244C0000-0x00007FF624814000-memory.dmp

Filesize
3.3MB

Download
memory/1000-2339-0x00007FF7FEA70000-0x00007FF7FEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1000-2363-0x00007FF7FEA70000-0x00007FF7FEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1000-151-0x00007FF7FEA70000-0x00007FF7FEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-2356-0x00007FF7B6860000-0x00007FF7B6BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1552-96-0x00007FF7B6860000-0x00007FF7B6BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-1075-0x00007FF6F9010000-0x00007FF6F9364000-memory.dmp

Filesize
3.3MB

Download
memory/1692-2345-0x00007FF6F9010000-0x00007FF6F9364000-memory.dmp

Filesize
3.3MB

Download
memory/1692-40-0x00007FF6F9010000-0x00007FF6F9364000-memory.dmp

Filesize
3.3MB

Download
memory/1768-2355-0x00007FF691F10000-0x00007FF692264000-memory.dmp

Filesize
3.3MB

Download
memory/1768-98-0x00007FF691F10000-0x00007FF692264000-memory.dmp

Filesize
3.3MB

Download
memory/2044-129-0x00007FF705C70000-0x00007FF705FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-2358-0x00007FF705C70000-0x00007FF705FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-68-0x00007FF665140000-0x00007FF665494000-memory.dmp

Filesize
3.3MB

Download
memory/2224-2353-0x00007FF665140000-0x00007FF665494000-memory.dmp

Filesize
3.3MB

Download
memory/2224-1921-0x00007FF665140000-0x00007FF665494000-memory.dmp

Filesize
3.3MB

Download
memory/2340-2350-0x00007FF6FFEC0000-0x00007FF700214000-memory.dmp

Filesize
3.3MB

Download
memory/2340-97-0x00007FF6FFEC0000-0x00007FF700214000-memory.dmp

Filesize
3.3MB

Download
memory/2360-33-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-2344-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-145-0x00007FF68DBA0000-0x00007FF68DEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-83-0x00007FF6CC9A0000-0x00007FF6CCCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-2351-0x00007FF6CC9A0000-0x00007FF6CCCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-637-0x00007FF6D9B30000-0x00007FF6D9E84000-memory.dmp

Filesize
3.3MB

Download
memory/2608-2366-0x00007FF6D9B30000-0x00007FF6D9E84000-memory.dmp

Filesize
3.3MB

Download
memory/2888-135-0x00007FF797230000-0x00007FF797584000-memory.dmp

Filesize
3.3MB

Download
memory/2888-2361-0x00007FF797230000-0x00007FF797584000-memory.dmp

Filesize
3.3MB

Download
memory/3296-638-0x00007FF740CD0000-0x00007FF741024000-memory.dmp

Filesize
3.3MB

Download
memory/3296-2368-0x00007FF740CD0000-0x00007FF741024000-memory.dmp

Filesize
3.3MB

Download
memory/3416-1-0x00000267DB600000-0x00000267DB610000-memory.dmp

Filesize
64KB

Download
memory/3416-0-0x00007FF7BA210000-0x00007FF7BA564000-memory.dmp

Filesize
3.3MB

Download
memory/3416-106-0x00007FF7BA210000-0x00007FF7BA564000-memory.dmp

Filesize
3.3MB

Download
memory/3524-1922-0x00007FF729A20000-0x00007FF729D74000-memory.dmp

Filesize
3.3MB

Download
memory/3524-94-0x00007FF729A20000-0x00007FF729D74000-memory.dmp

Filesize
3.3MB

Download
memory/3524-2354-0x00007FF729A20000-0x00007FF729D74000-memory.dmp

Filesize
3.3MB

Download
memory/3684-150-0x00007FF675500000-0x00007FF675854000-memory.dmp

Filesize
3.3MB

Download
memory/3684-2346-0x00007FF675500000-0x00007FF675854000-memory.dmp

Filesize
3.3MB

Download
memory/3684-38-0x00007FF675500000-0x00007FF675854000-memory.dmp

Filesize
3.3MB

Download
memory/3720-2369-0x00007FF6BA580000-0x00007FF6BA8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3720-641-0x00007FF6BA580000-0x00007FF6BA8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3888-142-0x00007FF6FD360000-0x00007FF6FD6B4000-memory.dmp

Filesize
3.3MB

Download
memory/3888-2359-0x00007FF6FD360000-0x00007FF6FD6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4020-2342-0x00007FF7B4090000-0x00007FF7B43E4000-memory.dmp

Filesize
3.3MB

Download
memory/4020-25-0x00007FF7B4090000-0x00007FF7B43E4000-memory.dmp

Filesize
3.3MB

Download
memory/4248-27-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp

Filesize
3.3MB

Download
memory/4248-136-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp

Filesize
3.3MB

Download
memory/4248-2347-0x00007FF6F5C20000-0x00007FF6F5F74000-memory.dmp

Filesize
3.3MB

Download
memory/4372-148-0x00007FF687760000-0x00007FF687AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-2362-0x00007FF687760000-0x00007FF687AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-2365-0x00007FF757090000-0x00007FF7573E4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-631-0x00007FF757090000-0x00007FF7573E4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-120-0x00007FF7F4900000-0x00007FF7F4C54000-memory.dmp

Filesize
3.3MB

Download
memory/4656-2357-0x00007FF7F4900000-0x00007FF7F4C54000-memory.dmp

Filesize
3.3MB

Download
memory/4736-2367-0x00007FF7F4AE0000-0x00007FF7F4E34000-memory.dmp

Filesize
3.3MB

Download
memory/4736-152-0x00007FF7F4AE0000-0x00007FF7F4E34000-memory.dmp

Filesize
3.3MB

Download
memory/4736-2340-0x00007FF7F4AE0000-0x00007FF7F4E34000-memory.dmp

Filesize
3.3MB

Download
memory/4760-2364-0x00007FF7E91F0000-0x00007FF7E9544000-memory.dmp

Filesize
3.3MB

Download
memory/4760-149-0x00007FF7E91F0000-0x00007FF7E9544000-memory.dmp

Filesize
3.3MB

Download
memory/4760-2338-0x00007FF7E91F0000-0x00007FF7E9544000-memory.dmp

Filesize
3.3MB

Download
memory/4792-2337-0x00007FF75DF00000-0x00007FF75E254000-memory.dmp

Filesize
3.3MB

Download
memory/4792-2360-0x00007FF75DF00000-0x00007FF75E254000-memory.dmp

Filesize
3.3MB

Download
memory/4792-127-0x00007FF75DF00000-0x00007FF75E254000-memory.dmp

Filesize
3.3MB

Download
memory/4808-2343-0x00007FF64E500000-0x00007FF64E854000-memory.dmp

Filesize
3.3MB

Download
memory/4808-113-0x00007FF64E500000-0x00007FF64E854000-memory.dmp

Filesize
3.3MB

Download
memory/4808-23-0x00007FF64E500000-0x00007FF64E854000-memory.dmp

Filesize
3.3MB

Download
memory/5004-2348-0x00007FF6DF540000-0x00007FF6DF894000-memory.dmp

Filesize
3.3MB

Download
memory/5004-1505-0x00007FF6DF540000-0x00007FF6DF894000-memory.dmp

Filesize
3.3MB

Download
memory/5004-51-0x00007FF6DF540000-0x00007FF6DF894000-memory.dmp

Filesize
3.3MB

Download
memory/5028-95-0x00007FF725D90000-0x00007FF7260E4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-2352-0x00007FF725D90000-0x00007FF7260E4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads