xmrig | a4e3c0343ff0d158a450632c891da49fc9fecf0b3ca3022170af5dd5e3ce4644

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
Size

2.9MB
MD5

5d42cb5280f17d7408dca7314b2a5450
SHA1

35b0e2e574fe45c70a7368616bac231ef695166f
SHA256

a4e3c0343ff0d158a450632c891da49fc9fecf0b3ca3022170af5dd5e3ce4644
SHA512

2f5e6bb49916419f75f09fd17bda020bf51947aa8e767bb6e0a49203322e1d8651040e3f820f55422b7c68bc15bc9599446cf4412a873c9b6219eb8b4ba8cb32
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dze7jcmWHz7nsDzs:w0GnJMOWPClFdx6e0EALKWVTffZiPAcN

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp	xmrig
behavioral2/files/0x0008000000023543-5.dat	xmrig
behavioral2/memory/3312-13-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp	xmrig
behavioral2/files/0x0007000000023548-15.dat	xmrig
behavioral2/files/0x0007000000023549-21.dat	xmrig
behavioral2/files/0x000700000002354a-30.dat	xmrig
behavioral2/files/0x000700000002354b-33.dat	xmrig
behavioral2/files/0x000700000002354c-37.dat	xmrig
behavioral2/files/0x000700000002354e-50.dat	xmrig
behavioral2/files/0x0007000000023551-63.dat	xmrig
behavioral2/files/0x0007000000023552-70.dat	xmrig
behavioral2/files/0x0007000000023555-85.dat	xmrig
behavioral2/files/0x0007000000023559-105.dat	xmrig
behavioral2/files/0x0007000000023561-145.dat	xmrig
behavioral2/files/0x0007000000023565-163.dat	xmrig
behavioral2/memory/3028-802-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023564-160.dat	xmrig
behavioral2/files/0x0007000000023563-155.dat	xmrig
behavioral2/files/0x0007000000023562-150.dat	xmrig
behavioral2/files/0x0007000000023560-140.dat	xmrig
behavioral2/files/0x000700000002355f-135.dat	xmrig
behavioral2/files/0x000700000002355e-130.dat	xmrig
behavioral2/files/0x000700000002355d-125.dat	xmrig
behavioral2/files/0x000700000002355c-120.dat	xmrig
behavioral2/files/0x000700000002355b-115.dat	xmrig
behavioral2/files/0x000700000002355a-110.dat	xmrig
behavioral2/files/0x0007000000023558-100.dat	xmrig
behavioral2/files/0x0007000000023557-95.dat	xmrig
behavioral2/files/0x0007000000023556-90.dat	xmrig
behavioral2/files/0x0007000000023554-80.dat	xmrig
behavioral2/files/0x0007000000023553-75.dat	xmrig
behavioral2/files/0x0007000000023550-60.dat	xmrig
behavioral2/files/0x000700000002354f-58.dat	xmrig
behavioral2/files/0x000700000002354d-48.dat	xmrig
behavioral2/memory/2548-29-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp	xmrig
behavioral2/memory/2156-19-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	xmrig
behavioral2/files/0x0007000000023547-18.dat	xmrig
behavioral2/memory/1964-16-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp	xmrig
behavioral2/memory/2648-813-0x00007FF7D09A0000-0x00007FF7D0D95000-memory.dmp	xmrig
behavioral2/memory/2340-815-0x00007FF7FC890000-0x00007FF7FCC85000-memory.dmp	xmrig
behavioral2/memory/672-829-0x00007FF720E80000-0x00007FF721275000-memory.dmp	xmrig
behavioral2/memory/2416-832-0x00007FF7FE390000-0x00007FF7FE785000-memory.dmp	xmrig
behavioral2/memory/1832-820-0x00007FF6221C0000-0x00007FF6225B5000-memory.dmp	xmrig
behavioral2/memory/5016-836-0x00007FF60D910000-0x00007FF60DD05000-memory.dmp	xmrig
behavioral2/memory/5036-841-0x00007FF6675A0000-0x00007FF667995000-memory.dmp	xmrig
behavioral2/memory/3156-847-0x00007FF79EC80000-0x00007FF79F075000-memory.dmp	xmrig
behavioral2/memory/2364-848-0x00007FF75A920000-0x00007FF75AD15000-memory.dmp	xmrig
behavioral2/memory/2776-855-0x00007FF72DF80000-0x00007FF72E375000-memory.dmp	xmrig
behavioral2/memory/4828-865-0x00007FF77D480000-0x00007FF77D875000-memory.dmp	xmrig
behavioral2/memory/1736-863-0x00007FF783A50000-0x00007FF783E45000-memory.dmp	xmrig
behavioral2/memory/1648-866-0x00007FF79DFD0000-0x00007FF79E3C5000-memory.dmp	xmrig
behavioral2/memory/2272-861-0x00007FF6DDE50000-0x00007FF6DE245000-memory.dmp	xmrig
behavioral2/memory/3428-859-0x00007FF6D7610000-0x00007FF6D7A05000-memory.dmp	xmrig
behavioral2/memory/3204-853-0x00007FF608D10000-0x00007FF609105000-memory.dmp	xmrig
behavioral2/memory/4388-874-0x00007FF680ED0000-0x00007FF6812C5000-memory.dmp	xmrig
behavioral2/memory/4580-871-0x00007FF6499B0000-0x00007FF649DA5000-memory.dmp	xmrig
behavioral2/memory/1836-880-0x00007FF6065A0000-0x00007FF606995000-memory.dmp	xmrig
behavioral2/memory/1964-1848-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp	xmrig
behavioral2/memory/2156-1874-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	xmrig
behavioral2/memory/2548-1875-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp	xmrig
behavioral2/memory/3028-1876-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp	xmrig
behavioral2/memory/2564-1877-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp	xmrig
behavioral2/memory/3312-1878-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp	xmrig
behavioral2/memory/2156-1879-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3312	SuaebnI.exe
1964	ooFEAMF.exe
2156	cITwLYa.exe
2548	DZiOBux.exe
3028	XXxfYcu.exe
1836	gvHQUOM.exe
2648	ntuogSF.exe
2340	pYMHJmS.exe
1832	mlRdNkJ.exe
672	XgtlrDJ.exe
2416	vvddheM.exe
5016	uqdKXpe.exe
5036	WjBzQub.exe
3156	opPGQeU.exe
2364	xQeMqSt.exe
3204	oEpgmOc.exe
2776	rPelCxW.exe
3428	yOMeecW.exe
2272	VGEHcOH.exe
1736	bjPPJcT.exe
4828	sYlbfIa.exe
1648	YIOvOLs.exe
4580	SsRNxWN.exe
4388	QXUdRYo.exe
1532	Citkptu.exe
3708	dMXXWaV.exe
4492	NXVLTIp.exe
2756	xBreVJR.exe
2452	mwbpEln.exe
3488	kZLxekL.exe
2812	WOyLSJs.exe
4792	sFbFzAx.exe
2676	pqhjOmT.exe
4344	NhyoGMU.exe
3060	FSwFiuI.exe
3260	LuSKUZz.exe
1804	lSZFpDf.exe
1592	xrQXkNx.exe
4280	YzvtITf.exe
2928	FwBGPCZ.exe
3356	KxPMfFF.exe
2360	SzfbVpF.exe
4788	kPtsDTc.exe
4220	azKqKjy.exe
3472	PQhkjtQ.exe
2140	ObSZqlR.exe
2500	ZQJafkW.exe
2904	JOJOowg.exe
2344	jpYVzKM.exe
5028	uMLlTmm.exe
4052	wHBGLQX.exe
908	RbvcGed.exe
4268	AmvUCnw.exe
4680	CyGyZIG.exe
5132	MWCcYkx.exe
5160	etnRaqc.exe
5188	SpRvzdT.exe
5216	lxlXCjU.exe
5244	zKFNbcA.exe
5272	RsZRMce.exe
5300	hYuICOJ.exe
5328	LHyDKIX.exe
5356	TcQIhdH.exe
5384	XvwPwyH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp	upx
behavioral2/files/0x0008000000023543-5.dat	upx
behavioral2/memory/3312-13-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp	upx
behavioral2/files/0x0007000000023548-15.dat	upx
behavioral2/files/0x0007000000023549-21.dat	upx
behavioral2/files/0x000700000002354a-30.dat	upx
behavioral2/files/0x000700000002354b-33.dat	upx
behavioral2/files/0x000700000002354c-37.dat	upx
behavioral2/files/0x000700000002354e-50.dat	upx
behavioral2/files/0x0007000000023551-63.dat	upx
behavioral2/files/0x0007000000023552-70.dat	upx
behavioral2/files/0x0007000000023555-85.dat	upx
behavioral2/files/0x0007000000023559-105.dat	upx
behavioral2/files/0x0007000000023561-145.dat	upx
behavioral2/files/0x0007000000023565-163.dat	upx
behavioral2/memory/3028-802-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp	upx
behavioral2/files/0x0007000000023564-160.dat	upx
behavioral2/files/0x0007000000023563-155.dat	upx
behavioral2/files/0x0007000000023562-150.dat	upx
behavioral2/files/0x0007000000023560-140.dat	upx
behavioral2/files/0x000700000002355f-135.dat	upx
behavioral2/files/0x000700000002355e-130.dat	upx
behavioral2/files/0x000700000002355d-125.dat	upx
behavioral2/files/0x000700000002355c-120.dat	upx
behavioral2/files/0x000700000002355b-115.dat	upx
behavioral2/files/0x000700000002355a-110.dat	upx
behavioral2/files/0x0007000000023558-100.dat	upx
behavioral2/files/0x0007000000023557-95.dat	upx
behavioral2/files/0x0007000000023556-90.dat	upx
behavioral2/files/0x0007000000023554-80.dat	upx
behavioral2/files/0x0007000000023553-75.dat	upx
behavioral2/files/0x0007000000023550-60.dat	upx
behavioral2/files/0x000700000002354f-58.dat	upx
behavioral2/files/0x000700000002354d-48.dat	upx
behavioral2/memory/2548-29-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp	upx
behavioral2/memory/2156-19-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	upx
behavioral2/files/0x0007000000023547-18.dat	upx
behavioral2/memory/1964-16-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp	upx
behavioral2/memory/2648-813-0x00007FF7D09A0000-0x00007FF7D0D95000-memory.dmp	upx
behavioral2/memory/2340-815-0x00007FF7FC890000-0x00007FF7FCC85000-memory.dmp	upx
behavioral2/memory/672-829-0x00007FF720E80000-0x00007FF721275000-memory.dmp	upx
behavioral2/memory/2416-832-0x00007FF7FE390000-0x00007FF7FE785000-memory.dmp	upx
behavioral2/memory/1832-820-0x00007FF6221C0000-0x00007FF6225B5000-memory.dmp	upx
behavioral2/memory/5016-836-0x00007FF60D910000-0x00007FF60DD05000-memory.dmp	upx
behavioral2/memory/5036-841-0x00007FF6675A0000-0x00007FF667995000-memory.dmp	upx
behavioral2/memory/3156-847-0x00007FF79EC80000-0x00007FF79F075000-memory.dmp	upx
behavioral2/memory/2364-848-0x00007FF75A920000-0x00007FF75AD15000-memory.dmp	upx
behavioral2/memory/2776-855-0x00007FF72DF80000-0x00007FF72E375000-memory.dmp	upx
behavioral2/memory/4828-865-0x00007FF77D480000-0x00007FF77D875000-memory.dmp	upx
behavioral2/memory/1736-863-0x00007FF783A50000-0x00007FF783E45000-memory.dmp	upx
behavioral2/memory/1648-866-0x00007FF79DFD0000-0x00007FF79E3C5000-memory.dmp	upx
behavioral2/memory/2272-861-0x00007FF6DDE50000-0x00007FF6DE245000-memory.dmp	upx
behavioral2/memory/3428-859-0x00007FF6D7610000-0x00007FF6D7A05000-memory.dmp	upx
behavioral2/memory/3204-853-0x00007FF608D10000-0x00007FF609105000-memory.dmp	upx
behavioral2/memory/4388-874-0x00007FF680ED0000-0x00007FF6812C5000-memory.dmp	upx
behavioral2/memory/4580-871-0x00007FF6499B0000-0x00007FF649DA5000-memory.dmp	upx
behavioral2/memory/1836-880-0x00007FF6065A0000-0x00007FF606995000-memory.dmp	upx
behavioral2/memory/1964-1848-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp	upx
behavioral2/memory/2156-1874-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	upx
behavioral2/memory/2548-1875-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp	upx
behavioral2/memory/3028-1876-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp	upx
behavioral2/memory/2564-1877-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp	upx
behavioral2/memory/3312-1878-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp	upx
behavioral2/memory/2156-1879-0x00007FF70F390000-0x00007FF70F785000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\yiQcrsO.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\NZFuWre.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\yLGpJzW.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\NhyoGMU.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\etnRaqc.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\YhVjqOF.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\SKaaBJg.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\gatmgrq.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\jjcEzyM.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\CQAGrOz.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\TeiMZSZ.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\lpqFpSf.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\zvvagMW.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\hXCMhYR.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\SUiZvEG.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\vCrLava.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\CyGyZIG.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\IMxKsLn.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\EILjrnQ.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\NGHzNgJ.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\pXtnBoK.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\wrNezRr.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\hMxoxku.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\lgYkoBw.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\tlGozdd.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\mWfYxbW.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\CJSoxbD.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\MvfecwT.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\OStiZgi.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\JYAIWzA.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\mBHciAI.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\wZIdbLN.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\HDQyZLT.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\OaGskoI.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\xBreVJR.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\cShPjaQ.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\bOTcMZb.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\DfWtTjl.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\SUipxjC.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\SzfbVpF.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\hDbzPMy.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\MJSkgEH.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\eNeTcnj.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\ogsMgOg.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\tURfhAg.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\NWrRYMG.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\nZGoslP.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\rVGeSRr.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\AhHlQLg.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\pTSbbrA.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\cITwLYa.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\xSGuRVI.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\vIQMxxd.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\JqlQrCC.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\VSuSfsX.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\VXPeWvS.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\qawefdI.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\TXMrUzZ.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\kIOWuyg.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\leAaDSe.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\opJebNi.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\ANmfOtr.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\MWCcYkx.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
File created	C:\Windows\System32\JBdeEOC.exe	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13496	dwm.exe
Token: SeChangeNotifyPrivilege	13496	dwm.exe
Token: 33	13496	dwm.exe
Token: SeIncBasePriorityPrivilege	13496	dwm.exe
Token: SeShutdownPrivilege	13496	dwm.exe
Token: SeCreatePagefilePrivilege	13496	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3312	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	91
PID 2564 wrote to memory of 3312	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	91
PID 2564 wrote to memory of 1964	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	92
PID 2564 wrote to memory of 1964	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	92
PID 2564 wrote to memory of 2156	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	93
PID 2564 wrote to memory of 2156	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	93
PID 2564 wrote to memory of 2548	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	94
PID 2564 wrote to memory of 2548	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	94
PID 2564 wrote to memory of 3028	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	95
PID 2564 wrote to memory of 3028	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	95
PID 2564 wrote to memory of 1836	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	96
PID 2564 wrote to memory of 1836	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	96
PID 2564 wrote to memory of 2648	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	97
PID 2564 wrote to memory of 2648	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	97
PID 2564 wrote to memory of 2340	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	98
PID 2564 wrote to memory of 2340	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	98
PID 2564 wrote to memory of 1832	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	99
PID 2564 wrote to memory of 1832	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	99
PID 2564 wrote to memory of 672	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	100
PID 2564 wrote to memory of 672	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	100
PID 2564 wrote to memory of 2416	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	101
PID 2564 wrote to memory of 2416	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	101
PID 2564 wrote to memory of 5016	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	102
PID 2564 wrote to memory of 5016	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	102
PID 2564 wrote to memory of 5036	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	103
PID 2564 wrote to memory of 5036	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	103
PID 2564 wrote to memory of 3156	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	104
PID 2564 wrote to memory of 3156	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	104
PID 2564 wrote to memory of 2364	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	105
PID 2564 wrote to memory of 2364	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	105
PID 2564 wrote to memory of 3204	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	106
PID 2564 wrote to memory of 3204	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	106
PID 2564 wrote to memory of 2776	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	107
PID 2564 wrote to memory of 2776	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	107
PID 2564 wrote to memory of 3428	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	108
PID 2564 wrote to memory of 3428	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	108
PID 2564 wrote to memory of 2272	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	109
PID 2564 wrote to memory of 2272	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	109
PID 2564 wrote to memory of 1736	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	110
PID 2564 wrote to memory of 1736	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	110
PID 2564 wrote to memory of 4828	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	111
PID 2564 wrote to memory of 4828	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	111
PID 2564 wrote to memory of 1648	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	112
PID 2564 wrote to memory of 1648	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	112
PID 2564 wrote to memory of 4580	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	113
PID 2564 wrote to memory of 4580	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	113
PID 2564 wrote to memory of 4388	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	114
PID 2564 wrote to memory of 4388	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	114
PID 2564 wrote to memory of 1532	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	115
PID 2564 wrote to memory of 1532	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	115
PID 2564 wrote to memory of 3708	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	116
PID 2564 wrote to memory of 3708	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	116
PID 2564 wrote to memory of 4492	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	117
PID 2564 wrote to memory of 4492	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	117
PID 2564 wrote to memory of 2756	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	118
PID 2564 wrote to memory of 2756	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	118
PID 2564 wrote to memory of 2452	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	119
PID 2564 wrote to memory of 2452	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	119
PID 2564 wrote to memory of 3488	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	120
PID 2564 wrote to memory of 3488	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	120
PID 2564 wrote to memory of 2812	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	121
PID 2564 wrote to memory of 2812	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	121
PID 2564 wrote to memory of 4792	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	122
PID 2564 wrote to memory of 4792	2564	5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe	122

C:\Users\Admin\AppData\Local\Temp\5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d42cb5280f17d7408dca7314b2a5450_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\System32\SuaebnI.exe
  C:\Windows\System32\SuaebnI.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\ooFEAMF.exe
  C:\Windows\System32\ooFEAMF.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System32\cITwLYa.exe
  C:\Windows\System32\cITwLYa.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System32\DZiOBux.exe
  C:\Windows\System32\DZiOBux.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\XXxfYcu.exe
  C:\Windows\System32\XXxfYcu.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\gvHQUOM.exe
  C:\Windows\System32\gvHQUOM.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\ntuogSF.exe
  C:\Windows\System32\ntuogSF.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\pYMHJmS.exe
  C:\Windows\System32\pYMHJmS.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System32\mlRdNkJ.exe
  C:\Windows\System32\mlRdNkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\XgtlrDJ.exe
  C:\Windows\System32\XgtlrDJ.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\vvddheM.exe
  C:\Windows\System32\vvddheM.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\uqdKXpe.exe
  C:\Windows\System32\uqdKXpe.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\WjBzQub.exe
  C:\Windows\System32\WjBzQub.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System32\opPGQeU.exe
  C:\Windows\System32\opPGQeU.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\xQeMqSt.exe
  C:\Windows\System32\xQeMqSt.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\oEpgmOc.exe
  C:\Windows\System32\oEpgmOc.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\rPelCxW.exe
  C:\Windows\System32\rPelCxW.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System32\yOMeecW.exe
  C:\Windows\System32\yOMeecW.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System32\VGEHcOH.exe
  C:\Windows\System32\VGEHcOH.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\bjPPJcT.exe
  C:\Windows\System32\bjPPJcT.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System32\sYlbfIa.exe
  C:\Windows\System32\sYlbfIa.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\YIOvOLs.exe
  C:\Windows\System32\YIOvOLs.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\SsRNxWN.exe
  C:\Windows\System32\SsRNxWN.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\QXUdRYo.exe
  C:\Windows\System32\QXUdRYo.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\Citkptu.exe
  C:\Windows\System32\Citkptu.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System32\dMXXWaV.exe
  C:\Windows\System32\dMXXWaV.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\NXVLTIp.exe
  C:\Windows\System32\NXVLTIp.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\xBreVJR.exe
  C:\Windows\System32\xBreVJR.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\mwbpEln.exe
  C:\Windows\System32\mwbpEln.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\kZLxekL.exe
  C:\Windows\System32\kZLxekL.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\WOyLSJs.exe
  C:\Windows\System32\WOyLSJs.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\sFbFzAx.exe
  C:\Windows\System32\sFbFzAx.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\pqhjOmT.exe
  C:\Windows\System32\pqhjOmT.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\NhyoGMU.exe
  C:\Windows\System32\NhyoGMU.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\FSwFiuI.exe
  C:\Windows\System32\FSwFiuI.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\LuSKUZz.exe
  C:\Windows\System32\LuSKUZz.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\lSZFpDf.exe
  C:\Windows\System32\lSZFpDf.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\xrQXkNx.exe
  C:\Windows\System32\xrQXkNx.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\YzvtITf.exe
  C:\Windows\System32\YzvtITf.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\FwBGPCZ.exe
  C:\Windows\System32\FwBGPCZ.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\KxPMfFF.exe
  C:\Windows\System32\KxPMfFF.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\SzfbVpF.exe
  C:\Windows\System32\SzfbVpF.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\kPtsDTc.exe
  C:\Windows\System32\kPtsDTc.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\azKqKjy.exe
  C:\Windows\System32\azKqKjy.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\PQhkjtQ.exe
  C:\Windows\System32\PQhkjtQ.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\ObSZqlR.exe
  C:\Windows\System32\ObSZqlR.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\ZQJafkW.exe
  C:\Windows\System32\ZQJafkW.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\JOJOowg.exe
  C:\Windows\System32\JOJOowg.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\jpYVzKM.exe
  C:\Windows\System32\jpYVzKM.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\uMLlTmm.exe
  C:\Windows\System32\uMLlTmm.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\wHBGLQX.exe
  C:\Windows\System32\wHBGLQX.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\RbvcGed.exe
  C:\Windows\System32\RbvcGed.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\AmvUCnw.exe
  C:\Windows\System32\AmvUCnw.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\CyGyZIG.exe
  C:\Windows\System32\CyGyZIG.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\MWCcYkx.exe
  C:\Windows\System32\MWCcYkx.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System32\etnRaqc.exe
  C:\Windows\System32\etnRaqc.exe
  2⤵
  - Executes dropped EXE
  PID:5160
- C:\Windows\System32\SpRvzdT.exe
  C:\Windows\System32\SpRvzdT.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\System32\lxlXCjU.exe
  C:\Windows\System32\lxlXCjU.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System32\zKFNbcA.exe
  C:\Windows\System32\zKFNbcA.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System32\RsZRMce.exe
  C:\Windows\System32\RsZRMce.exe
  2⤵
  - Executes dropped EXE
  PID:5272
- C:\Windows\System32\hYuICOJ.exe
  C:\Windows\System32\hYuICOJ.exe
  2⤵
  - Executes dropped EXE
  PID:5300
- C:\Windows\System32\LHyDKIX.exe
  C:\Windows\System32\LHyDKIX.exe
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Windows\System32\TcQIhdH.exe
  C:\Windows\System32\TcQIhdH.exe
  2⤵
  - Executes dropped EXE
  PID:5356
- C:\Windows\System32\XvwPwyH.exe
  C:\Windows\System32\XvwPwyH.exe
  2⤵
  - Executes dropped EXE
  PID:5384
- C:\Windows\System32\PbQTzNw.exe
  C:\Windows\System32\PbQTzNw.exe
  2⤵
  PID:5412
- C:\Windows\System32\UeUVXJC.exe
  C:\Windows\System32\UeUVXJC.exe
  2⤵
  PID:5452
- C:\Windows\System32\yobxwzl.exe
  C:\Windows\System32\yobxwzl.exe
  2⤵
  PID:5468
- C:\Windows\System32\KjNFIBD.exe
  C:\Windows\System32\KjNFIBD.exe
  2⤵
  PID:5508
- C:\Windows\System32\DcSagkP.exe
  C:\Windows\System32\DcSagkP.exe
  2⤵
  PID:5524
- C:\Windows\System32\tHgzqJv.exe
  C:\Windows\System32\tHgzqJv.exe
  2⤵
  PID:5552
- C:\Windows\System32\GwuBFYJ.exe
  C:\Windows\System32\GwuBFYJ.exe
  2⤵
  PID:5592
- C:\Windows\System32\MKZWfYJ.exe
  C:\Windows\System32\MKZWfYJ.exe
  2⤵
  PID:5608
- C:\Windows\System32\yzqjKYk.exe
  C:\Windows\System32\yzqjKYk.exe
  2⤵
  PID:5648
- C:\Windows\System32\HLTasSt.exe
  C:\Windows\System32\HLTasSt.exe
  2⤵
  PID:5664
- C:\Windows\System32\BmQrssq.exe
  C:\Windows\System32\BmQrssq.exe
  2⤵
  PID:5692
- C:\Windows\System32\ELIwKUa.exe
  C:\Windows\System32\ELIwKUa.exe
  2⤵
  PID:5720
- C:\Windows\System32\NfvuQlN.exe
  C:\Windows\System32\NfvuQlN.exe
  2⤵
  PID:5760
- C:\Windows\System32\oCeFilA.exe
  C:\Windows\System32\oCeFilA.exe
  2⤵
  PID:5776
- C:\Windows\System32\xWMISlK.exe
  C:\Windows\System32\xWMISlK.exe
  2⤵
  PID:5816
- C:\Windows\System32\IDeaEpe.exe
  C:\Windows\System32\IDeaEpe.exe
  2⤵
  PID:5832
- C:\Windows\System32\TeDLMmF.exe
  C:\Windows\System32\TeDLMmF.exe
  2⤵
  PID:5872
- C:\Windows\System32\oBFxSjU.exe
  C:\Windows\System32\oBFxSjU.exe
  2⤵
  PID:5888
- C:\Windows\System32\LaJXQdZ.exe
  C:\Windows\System32\LaJXQdZ.exe
  2⤵
  PID:5928
- C:\Windows\System32\ItINzOa.exe
  C:\Windows\System32\ItINzOa.exe
  2⤵
  PID:5944
- C:\Windows\System32\ZiQuCtG.exe
  C:\Windows\System32\ZiQuCtG.exe
  2⤵
  PID:5972
- C:\Windows\System32\lDPPCYc.exe
  C:\Windows\System32\lDPPCYc.exe
  2⤵
  PID:6012
- C:\Windows\System32\BRyLhQY.exe
  C:\Windows\System32\BRyLhQY.exe
  2⤵
  PID:6028
- C:\Windows\System32\IbPpcIU.exe
  C:\Windows\System32\IbPpcIU.exe
  2⤵
  PID:6068
- C:\Windows\System32\jLDsxFd.exe
  C:\Windows\System32\jLDsxFd.exe
  2⤵
  PID:6084
- C:\Windows\System32\FGsGBIb.exe
  C:\Windows\System32\FGsGBIb.exe
  2⤵
  PID:6112
- C:\Windows\System32\XSnzEWc.exe
  C:\Windows\System32\XSnzEWc.exe
  2⤵
  PID:6140
- C:\Windows\System32\QdDlmme.exe
  C:\Windows\System32\QdDlmme.exe
  2⤵
  PID:4476
- C:\Windows\System32\DWUVteJ.exe
  C:\Windows\System32\DWUVteJ.exe
  2⤵
  PID:1680
- C:\Windows\System32\IJnCjDj.exe
  C:\Windows\System32\IJnCjDj.exe
  2⤵
  PID:4460
- C:\Windows\System32\iawQtes.exe
  C:\Windows\System32\iawQtes.exe
  2⤵
  PID:2196
- C:\Windows\System32\OZZvoQn.exe
  C:\Windows\System32\OZZvoQn.exe
  2⤵
  PID:5156
- C:\Windows\System32\fgxIMmm.exe
  C:\Windows\System32\fgxIMmm.exe
  2⤵
  PID:5200
- C:\Windows\System32\HQLScnt.exe
  C:\Windows\System32\HQLScnt.exe
  2⤵
  PID:5268
- C:\Windows\System32\djbaecr.exe
  C:\Windows\System32\djbaecr.exe
  2⤵
  PID:5348
- C:\Windows\System32\kRvkUqs.exe
  C:\Windows\System32\kRvkUqs.exe
  2⤵
  PID:5396
- C:\Windows\System32\FDXCtQx.exe
  C:\Windows\System32\FDXCtQx.exe
  2⤵
  PID:5464
- C:\Windows\System32\kZCOtGq.exe
  C:\Windows\System32\kZCOtGq.exe
  2⤵
  PID:5516
- C:\Windows\System32\aITnaec.exe
  C:\Windows\System32\aITnaec.exe
  2⤵
  PID:5568
- C:\Windows\System32\tUANlOL.exe
  C:\Windows\System32\tUANlOL.exe
  2⤵
  PID:5688
- C:\Windows\System32\RbYITZi.exe
  C:\Windows\System32\RbYITZi.exe
  2⤵
  PID:5716
- C:\Windows\System32\rCtqflW.exe
  C:\Windows\System32\rCtqflW.exe
  2⤵
  PID:5788
- C:\Windows\System32\mucEnqO.exe
  C:\Windows\System32\mucEnqO.exe
  2⤵
  PID:5880
- C:\Windows\System32\IzEddRT.exe
  C:\Windows\System32\IzEddRT.exe
  2⤵
  PID:5936
- C:\Windows\System32\dqqDqSR.exe
  C:\Windows\System32\dqqDqSR.exe
  2⤵
  PID:6020
- C:\Windows\System32\mXtyMol.exe
  C:\Windows\System32\mXtyMol.exe
  2⤵
  PID:6060
- C:\Windows\System32\ershpMh.exe
  C:\Windows\System32\ershpMh.exe
  2⤵
  PID:6124
- C:\Windows\System32\GyOmcMs.exe
  C:\Windows\System32\GyOmcMs.exe
  2⤵
  PID:1720
- C:\Windows\System32\MgnfnAd.exe
  C:\Windows\System32\MgnfnAd.exe
  2⤵
  PID:5128
- C:\Windows\System32\mBHciAI.exe
  C:\Windows\System32\mBHciAI.exe
  2⤵
  PID:5236
- C:\Windows\System32\YhVjqOF.exe
  C:\Windows\System32\YhVjqOF.exe
  2⤵
  PID:5372
- C:\Windows\System32\LGeJrGe.exe
  C:\Windows\System32\LGeJrGe.exe
  2⤵
  PID:5584
- C:\Windows\System32\pwiWKtK.exe
  C:\Windows\System32\pwiWKtK.exe
  2⤵
  PID:5656
- C:\Windows\System32\wZIdbLN.exe
  C:\Windows\System32\wZIdbLN.exe
  2⤵
  PID:5912
- C:\Windows\System32\CySgsFd.exe
  C:\Windows\System32\CySgsFd.exe
  2⤵
  PID:5984
- C:\Windows\System32\wPhtttf.exe
  C:\Windows\System32\wPhtttf.exe
  2⤵
  PID:6156
- C:\Windows\System32\NcjMPUn.exe
  C:\Windows\System32\NcjMPUn.exe
  2⤵
  PID:6184
- C:\Windows\System32\NTvEeWf.exe
  C:\Windows\System32\NTvEeWf.exe
  2⤵
  PID:6212
- C:\Windows\System32\ArPXxGp.exe
  C:\Windows\System32\ArPXxGp.exe
  2⤵
  PID:6240
- C:\Windows\System32\XfoeyNL.exe
  C:\Windows\System32\XfoeyNL.exe
  2⤵
  PID:6268
- C:\Windows\System32\dPZxhdv.exe
  C:\Windows\System32\dPZxhdv.exe
  2⤵
  PID:6296
- C:\Windows\System32\TyqNXuz.exe
  C:\Windows\System32\TyqNXuz.exe
  2⤵
  PID:6324
- C:\Windows\System32\ocLAtPt.exe
  C:\Windows\System32\ocLAtPt.exe
  2⤵
  PID:6352
- C:\Windows\System32\pXbjTHm.exe
  C:\Windows\System32\pXbjTHm.exe
  2⤵
  PID:6392
- C:\Windows\System32\yiQcrsO.exe
  C:\Windows\System32\yiQcrsO.exe
  2⤵
  PID:6420
- C:\Windows\System32\cPcrEbD.exe
  C:\Windows\System32\cPcrEbD.exe
  2⤵
  PID:6436
- C:\Windows\System32\NcxLUXo.exe
  C:\Windows\System32\NcxLUXo.exe
  2⤵
  PID:6464
- C:\Windows\System32\EIADaIH.exe
  C:\Windows\System32\EIADaIH.exe
  2⤵
  PID:6504
- C:\Windows\System32\klARGdC.exe
  C:\Windows\System32\klARGdC.exe
  2⤵
  PID:6532
- C:\Windows\System32\NWrRYMG.exe
  C:\Windows\System32\NWrRYMG.exe
  2⤵
  PID:6548
- C:\Windows\System32\voigSrT.exe
  C:\Windows\System32\voigSrT.exe
  2⤵
  PID:6576
- C:\Windows\System32\CorSAzy.exe
  C:\Windows\System32\CorSAzy.exe
  2⤵
  PID:6616
- C:\Windows\System32\QfmtXgR.exe
  C:\Windows\System32\QfmtXgR.exe
  2⤵
  PID:6632
- C:\Windows\System32\cShPjaQ.exe
  C:\Windows\System32\cShPjaQ.exe
  2⤵
  PID:6672
- C:\Windows\System32\cxIxZAm.exe
  C:\Windows\System32\cxIxZAm.exe
  2⤵
  PID:6688
- C:\Windows\System32\JnSAcZc.exe
  C:\Windows\System32\JnSAcZc.exe
  2⤵
  PID:6728
- C:\Windows\System32\lFrxrNR.exe
  C:\Windows\System32\lFrxrNR.exe
  2⤵
  PID:6744
- C:\Windows\System32\WJVboRZ.exe
  C:\Windows\System32\WJVboRZ.exe
  2⤵
  PID:6784
- C:\Windows\System32\wCpXTXI.exe
  C:\Windows\System32\wCpXTXI.exe
  2⤵
  PID:6800
- C:\Windows\System32\ZaBIUmD.exe
  C:\Windows\System32\ZaBIUmD.exe
  2⤵
  PID:6840
- C:\Windows\System32\JCMUqyV.exe
  C:\Windows\System32\JCMUqyV.exe
  2⤵
  PID:6856
- C:\Windows\System32\SoHIMMC.exe
  C:\Windows\System32\SoHIMMC.exe
  2⤵
  PID:6884
- C:\Windows\System32\tOjsSiL.exe
  C:\Windows\System32\tOjsSiL.exe
  2⤵
  PID:6912
- C:\Windows\System32\HZwaNBS.exe
  C:\Windows\System32\HZwaNBS.exe
  2⤵
  PID:6952
- C:\Windows\System32\rLrGroG.exe
  C:\Windows\System32\rLrGroG.exe
  2⤵
  PID:6980
- C:\Windows\System32\QTeVrdG.exe
  C:\Windows\System32\QTeVrdG.exe
  2⤵
  PID:7008
- C:\Windows\System32\CcihBxN.exe
  C:\Windows\System32\CcihBxN.exe
  2⤵
  PID:7024
- C:\Windows\System32\JjYqlSu.exe
  C:\Windows\System32\JjYqlSu.exe
  2⤵
  PID:7052
- C:\Windows\System32\xJEfVjd.exe
  C:\Windows\System32\xJEfVjd.exe
  2⤵
  PID:7092
- C:\Windows\System32\RkqeCgb.exe
  C:\Windows\System32\RkqeCgb.exe
  2⤵
  PID:7108
- C:\Windows\System32\wrCwONm.exe
  C:\Windows\System32\wrCwONm.exe
  2⤵
  PID:7136
- C:\Windows\System32\dzJvonn.exe
  C:\Windows\System32\dzJvonn.exe
  2⤵
  PID:7164
- C:\Windows\System32\hneawUS.exe
  C:\Windows\System32\hneawUS.exe
  2⤵
  PID:2224
- C:\Windows\System32\TqPWUdv.exe
  C:\Windows\System32\TqPWUdv.exe
  2⤵
  PID:5520
- C:\Windows\System32\oHJjjqM.exe
  C:\Windows\System32\oHJjjqM.exe
  2⤵
  PID:5632
- C:\Windows\System32\gVpygKo.exe
  C:\Windows\System32\gVpygKo.exe
  2⤵
  PID:6040
- C:\Windows\System32\zTbrqmj.exe
  C:\Windows\System32\zTbrqmj.exe
  2⤵
  PID:6236
- C:\Windows\System32\uvOtUQR.exe
  C:\Windows\System32\uvOtUQR.exe
  2⤵
  PID:6256
- C:\Windows\System32\NBzEEMR.exe
  C:\Windows\System32\NBzEEMR.exe
  2⤵
  PID:6336
- C:\Windows\System32\rWDaMfD.exe
  C:\Windows\System32\rWDaMfD.exe
  2⤵
  PID:6432
- C:\Windows\System32\unyAQmD.exe
  C:\Windows\System32\unyAQmD.exe
  2⤵
  PID:6460
- C:\Windows\System32\FooTJuA.exe
  C:\Windows\System32\FooTJuA.exe
  2⤵
  PID:6524
- C:\Windows\System32\tzmgjMK.exe
  C:\Windows\System32\tzmgjMK.exe
  2⤵
  PID:6600
- C:\Windows\System32\KfhxBQQ.exe
  C:\Windows\System32\KfhxBQQ.exe
  2⤵
  PID:6664
- C:\Windows\System32\ixgWEVD.exe
  C:\Windows\System32\ixgWEVD.exe
  2⤵
  PID:6740
- C:\Windows\System32\gsAWDuO.exe
  C:\Windows\System32\gsAWDuO.exe
  2⤵
  PID:6760
- C:\Windows\System32\lAlxFzI.exe
  C:\Windows\System32\lAlxFzI.exe
  2⤵
  PID:6852
- C:\Windows\System32\kZhjgqu.exe
  C:\Windows\System32\kZhjgqu.exe
  2⤵
  PID:6928
- C:\Windows\System32\LeBffVZ.exe
  C:\Windows\System32\LeBffVZ.exe
  2⤵
  PID:6960
- C:\Windows\System32\zRDZqzX.exe
  C:\Windows\System32\zRDZqzX.exe
  2⤵
  PID:7064
- C:\Windows\System32\hDbzPMy.exe
  C:\Windows\System32\hDbzPMy.exe
  2⤵
  PID:7104
- C:\Windows\System32\jtlfRGP.exe
  C:\Windows\System32\jtlfRGP.exe
  2⤵
  PID:7152
- C:\Windows\System32\DNKHUKU.exe
  C:\Windows\System32\DNKHUKU.exe
  2⤵
  PID:5184
- C:\Windows\System32\qqnzXLZ.exe
  C:\Windows\System32\qqnzXLZ.exe
  2⤵
  PID:6168
- C:\Windows\System32\JqlQrCC.exe
  C:\Windows\System32\JqlQrCC.exe
  2⤵
  PID:6308
- C:\Windows\System32\rSUYjrF.exe
  C:\Windows\System32\rSUYjrF.exe
  2⤵
  PID:6496
- C:\Windows\System32\nZGoslP.exe
  C:\Windows\System32\nZGoslP.exe
  2⤵
  PID:1348
- C:\Windows\System32\RKBbhZC.exe
  C:\Windows\System32\RKBbhZC.exe
  2⤵
  PID:6768
- C:\Windows\System32\GnGmtnf.exe
  C:\Windows\System32\GnGmtnf.exe
  2⤵
  PID:6816
- C:\Windows\System32\roIClBF.exe
  C:\Windows\System32\roIClBF.exe
  2⤵
  PID:7000
- C:\Windows\System32\PerdTfP.exe
  C:\Windows\System32\PerdTfP.exe
  2⤵
  PID:7160
- C:\Windows\System32\JBdeEOC.exe
  C:\Windows\System32\JBdeEOC.exe
  2⤵
  PID:7192
- C:\Windows\System32\epjasCY.exe
  C:\Windows\System32\epjasCY.exe
  2⤵
  PID:7232
- C:\Windows\System32\jQCNfWt.exe
  C:\Windows\System32\jQCNfWt.exe
  2⤵
  PID:7248
- C:\Windows\System32\ZNOWzWg.exe
  C:\Windows\System32\ZNOWzWg.exe
  2⤵
  PID:7288
- C:\Windows\System32\xytRcEk.exe
  C:\Windows\System32\xytRcEk.exe
  2⤵
  PID:7304
- C:\Windows\System32\SKaaBJg.exe
  C:\Windows\System32\SKaaBJg.exe
  2⤵
  PID:7332
- C:\Windows\System32\bLfYQal.exe
  C:\Windows\System32\bLfYQal.exe
  2⤵
  PID:7360
- C:\Windows\System32\SKASrKd.exe
  C:\Windows\System32\SKASrKd.exe
  2⤵
  PID:7388
- C:\Windows\System32\IMxKsLn.exe
  C:\Windows\System32\IMxKsLn.exe
  2⤵
  PID:7428
- C:\Windows\System32\DXDtVmu.exe
  C:\Windows\System32\DXDtVmu.exe
  2⤵
  PID:7444
- C:\Windows\System32\gyOooeg.exe
  C:\Windows\System32\gyOooeg.exe
  2⤵
  PID:7484
- C:\Windows\System32\oJQOBYG.exe
  C:\Windows\System32\oJQOBYG.exe
  2⤵
  PID:7512
- C:\Windows\System32\TeLBXiv.exe
  C:\Windows\System32\TeLBXiv.exe
  2⤵
  PID:7540
- C:\Windows\System32\KyQbgVd.exe
  C:\Windows\System32\KyQbgVd.exe
  2⤵
  PID:7568
- C:\Windows\System32\VSuSfsX.exe
  C:\Windows\System32\VSuSfsX.exe
  2⤵
  PID:7596
- C:\Windows\System32\MJSkgEH.exe
  C:\Windows\System32\MJSkgEH.exe
  2⤵
  PID:7612
- C:\Windows\System32\xVllkQG.exe
  C:\Windows\System32\xVllkQG.exe
  2⤵
  PID:7652
- C:\Windows\System32\iTpdLyt.exe
  C:\Windows\System32\iTpdLyt.exe
  2⤵
  PID:7668
- C:\Windows\System32\EILjrnQ.exe
  C:\Windows\System32\EILjrnQ.exe
  2⤵
  PID:7708
- C:\Windows\System32\tcsRnGR.exe
  C:\Windows\System32\tcsRnGR.exe
  2⤵
  PID:7724
- C:\Windows\System32\DGyMqwc.exe
  C:\Windows\System32\DGyMqwc.exe
  2⤵
  PID:7752
- C:\Windows\System32\wrOtrMn.exe
  C:\Windows\System32\wrOtrMn.exe
  2⤵
  PID:7792
- C:\Windows\System32\eFgTqcD.exe
  C:\Windows\System32\eFgTqcD.exe
  2⤵
  PID:7808
- C:\Windows\System32\FHcsMGO.exe
  C:\Windows\System32\FHcsMGO.exe
  2⤵
  PID:7836
- C:\Windows\System32\JXXcDur.exe
  C:\Windows\System32\JXXcDur.exe
  2⤵
  PID:7872
- C:\Windows\System32\rVGeSRr.exe
  C:\Windows\System32\rVGeSRr.exe
  2⤵
  PID:7892
- C:\Windows\System32\wmwJoDT.exe
  C:\Windows\System32\wmwJoDT.exe
  2⤵
  PID:7920
- C:\Windows\System32\FFAaqpd.exe
  C:\Windows\System32\FFAaqpd.exe
  2⤵
  PID:7960
- C:\Windows\System32\hsheTJJ.exe
  C:\Windows\System32\hsheTJJ.exe
  2⤵
  PID:7976
- C:\Windows\System32\CMWhamK.exe
  C:\Windows\System32\CMWhamK.exe
  2⤵
  PID:8004
- C:\Windows\System32\aHpPcBc.exe
  C:\Windows\System32\aHpPcBc.exe
  2⤵
  PID:8032
- C:\Windows\System32\CdkpdSK.exe
  C:\Windows\System32\CdkpdSK.exe
  2⤵
  PID:8060
- C:\Windows\System32\pehiUdT.exe
  C:\Windows\System32\pehiUdT.exe
  2⤵
  PID:8096
- C:\Windows\System32\GVfCXiL.exe
  C:\Windows\System32\GVfCXiL.exe
  2⤵
  PID:8128
- C:\Windows\System32\JybEZrt.exe
  C:\Windows\System32\JybEZrt.exe
  2⤵
  PID:8156
- C:\Windows\System32\HTZXIEr.exe
  C:\Windows\System32\HTZXIEr.exe
  2⤵
  PID:8172
- C:\Windows\System32\EdlQZbl.exe
  C:\Windows\System32\EdlQZbl.exe
  2⤵
  PID:5900
- C:\Windows\System32\MGRlpBO.exe
  C:\Windows\System32\MGRlpBO.exe
  2⤵
  PID:6264
- C:\Windows\System32\SpGBiOE.exe
  C:\Windows\System32\SpGBiOE.exe
  2⤵
  PID:1852
- C:\Windows\System32\kAoNUCM.exe
  C:\Windows\System32\kAoNUCM.exe
  2⤵
  PID:4444
- C:\Windows\System32\oCVAKbN.exe
  C:\Windows\System32\oCVAKbN.exe
  2⤵
  PID:7216
- C:\Windows\System32\WGlzhtm.exe
  C:\Windows\System32\WGlzhtm.exe
  2⤵
  PID:7272
- C:\Windows\System32\UVrNFDe.exe
  C:\Windows\System32\UVrNFDe.exe
  2⤵
  PID:7316
- C:\Windows\System32\PvWmJyD.exe
  C:\Windows\System32\PvWmJyD.exe
  2⤵
  PID:7376
- C:\Windows\System32\PRUDJbP.exe
  C:\Windows\System32\PRUDJbP.exe
  2⤵
  PID:7436
- C:\Windows\System32\ncIgxWB.exe
  C:\Windows\System32\ncIgxWB.exe
  2⤵
  PID:7496
- C:\Windows\System32\nbutjog.exe
  C:\Windows\System32\nbutjog.exe
  2⤵
  PID:7576
- C:\Windows\System32\NGHzNgJ.exe
  C:\Windows\System32\NGHzNgJ.exe
  2⤵
  PID:7636
- C:\Windows\System32\BbNedcC.exe
  C:\Windows\System32\BbNedcC.exe
  2⤵
  PID:7692
- C:\Windows\System32\QWuzdlh.exe
  C:\Windows\System32\QWuzdlh.exe
  2⤵
  PID:7740
- C:\Windows\System32\KtaTuYK.exe
  C:\Windows\System32\KtaTuYK.exe
  2⤵
  PID:1668
- C:\Windows\System32\pzAgSBw.exe
  C:\Windows\System32\pzAgSBw.exe
  2⤵
  PID:3948
- C:\Windows\System32\yoJXEau.exe
  C:\Windows\System32\yoJXEau.exe
  2⤵
  PID:7908
- C:\Windows\System32\zxVYtAA.exe
  C:\Windows\System32\zxVYtAA.exe
  2⤵
  PID:2732
- C:\Windows\System32\QXJVAJF.exe
  C:\Windows\System32\QXJVAJF.exe
  2⤵
  PID:8028
- C:\Windows\System32\MAzeMAg.exe
  C:\Windows\System32\MAzeMAg.exe
  2⤵
  PID:2520
- C:\Windows\System32\qjpDdAm.exe
  C:\Windows\System32\qjpDdAm.exe
  2⤵
  PID:8140
- C:\Windows\System32\VXPeWvS.exe
  C:\Windows\System32\VXPeWvS.exe
  2⤵
  PID:5824
- C:\Windows\System32\mAdLnXc.exe
  C:\Windows\System32\mAdLnXc.exe
  2⤵
  PID:6624
- C:\Windows\System32\tegKdKP.exe
  C:\Windows\System32\tegKdKP.exe
  2⤵
  PID:2752
- C:\Windows\System32\HJOXMbb.exe
  C:\Windows\System32\HJOXMbb.exe
  2⤵
  PID:7412
- C:\Windows\System32\BuhgVnl.exe
  C:\Windows\System32\BuhgVnl.exe
  2⤵
  PID:7504
- C:\Windows\System32\meAMbTm.exe
  C:\Windows\System32\meAMbTm.exe
  2⤵
  PID:7624
- C:\Windows\System32\vRHHHxx.exe
  C:\Windows\System32\vRHHHxx.exe
  2⤵
  PID:7720
- C:\Windows\System32\ZuNtkUD.exe
  C:\Windows\System32\ZuNtkUD.exe
  2⤵
  PID:2760
- C:\Windows\System32\wawSyob.exe
  C:\Windows\System32\wawSyob.exe
  2⤵
  PID:2144
- C:\Windows\System32\yenPNaY.exe
  C:\Windows\System32\yenPNaY.exe
  2⤵
  PID:8000
- C:\Windows\System32\VQHrbtQ.exe
  C:\Windows\System32\VQHrbtQ.exe
  2⤵
  PID:4916
- C:\Windows\System32\wYjFSyK.exe
  C:\Windows\System32\wYjFSyK.exe
  2⤵
  PID:1608
- C:\Windows\System32\naPkOLY.exe
  C:\Windows\System32\naPkOLY.exe
  2⤵
  PID:2000
- C:\Windows\System32\BDYtLXa.exe
  C:\Windows\System32\BDYtLXa.exe
  2⤵
  PID:1072
- C:\Windows\System32\pozojnZ.exe
  C:\Windows\System32\pozojnZ.exe
  2⤵
  PID:7296
- C:\Windows\System32\FRbuFUm.exe
  C:\Windows\System32\FRbuFUm.exe
  2⤵
  PID:1672
- C:\Windows\System32\euLooNT.exe
  C:\Windows\System32\euLooNT.exe
  2⤵
  PID:8124
- C:\Windows\System32\adiXXgZ.exe
  C:\Windows\System32\adiXXgZ.exe
  2⤵
  PID:3940
- C:\Windows\System32\BNUzPJg.exe
  C:\Windows\System32\BNUzPJg.exe
  2⤵
  PID:7356
- C:\Windows\System32\bsdkBcA.exe
  C:\Windows\System32\bsdkBcA.exe
  2⤵
  PID:8200
- C:\Windows\System32\TeiMZSZ.exe
  C:\Windows\System32\TeiMZSZ.exe
  2⤵
  PID:8228
- C:\Windows\System32\AzSrEvv.exe
  C:\Windows\System32\AzSrEvv.exe
  2⤵
  PID:8248
- C:\Windows\System32\yQdXpfu.exe
  C:\Windows\System32\yQdXpfu.exe
  2⤵
  PID:8264
- C:\Windows\System32\qjScLnv.exe
  C:\Windows\System32\qjScLnv.exe
  2⤵
  PID:8284
- C:\Windows\System32\dJYcxRo.exe
  C:\Windows\System32\dJYcxRo.exe
  2⤵
  PID:8312
- C:\Windows\System32\hCTRmsM.exe
  C:\Windows\System32\hCTRmsM.exe
  2⤵
  PID:8376
- C:\Windows\System32\xSGuRVI.exe
  C:\Windows\System32\xSGuRVI.exe
  2⤵
  PID:8408
- C:\Windows\System32\hYHHYen.exe
  C:\Windows\System32\hYHHYen.exe
  2⤵
  PID:8436
- C:\Windows\System32\aGZpPyM.exe
  C:\Windows\System32\aGZpPyM.exe
  2⤵
  PID:8476
- C:\Windows\System32\TzNzvsH.exe
  C:\Windows\System32\TzNzvsH.exe
  2⤵
  PID:8504
- C:\Windows\System32\gmHavtZ.exe
  C:\Windows\System32\gmHavtZ.exe
  2⤵
  PID:8532
- C:\Windows\System32\ztvFlSG.exe
  C:\Windows\System32\ztvFlSG.exe
  2⤵
  PID:8560
- C:\Windows\System32\yAesQNP.exe
  C:\Windows\System32\yAesQNP.exe
  2⤵
  PID:8588
- C:\Windows\System32\YFrGmNB.exe
  C:\Windows\System32\YFrGmNB.exe
  2⤵
  PID:8616
- C:\Windows\System32\LSuXkPf.exe
  C:\Windows\System32\LSuXkPf.exe
  2⤵
  PID:8660
- C:\Windows\System32\tjTuklN.exe
  C:\Windows\System32\tjTuklN.exe
  2⤵
  PID:8684
- C:\Windows\System32\bmVPPvx.exe
  C:\Windows\System32\bmVPPvx.exe
  2⤵
  PID:8720
- C:\Windows\System32\POzBOCY.exe
  C:\Windows\System32\POzBOCY.exe
  2⤵
  PID:8748
- C:\Windows\System32\lfUJBUk.exe
  C:\Windows\System32\lfUJBUk.exe
  2⤵
  PID:8776
- C:\Windows\System32\pXtnBoK.exe
  C:\Windows\System32\pXtnBoK.exe
  2⤵
  PID:8804
- C:\Windows\System32\MeoApVM.exe
  C:\Windows\System32\MeoApVM.exe
  2⤵
  PID:8832
- C:\Windows\System32\qnTHLXR.exe
  C:\Windows\System32\qnTHLXR.exe
  2⤵
  PID:8860
- C:\Windows\System32\VrdRbmD.exe
  C:\Windows\System32\VrdRbmD.exe
  2⤵
  PID:8876
- C:\Windows\System32\TmPdiFo.exe
  C:\Windows\System32\TmPdiFo.exe
  2⤵
  PID:8916
- C:\Windows\System32\qawefdI.exe
  C:\Windows\System32\qawefdI.exe
  2⤵
  PID:8944
- C:\Windows\System32\gUEpKMb.exe
  C:\Windows\System32\gUEpKMb.exe
  2⤵
  PID:8976
- C:\Windows\System32\wrNezRr.exe
  C:\Windows\System32\wrNezRr.exe
  2⤵
  PID:9004
- C:\Windows\System32\eUKPLXv.exe
  C:\Windows\System32\eUKPLXv.exe
  2⤵
  PID:9036
- C:\Windows\System32\WrPuknL.exe
  C:\Windows\System32\WrPuknL.exe
  2⤵
  PID:9052
- C:\Windows\System32\PqBPSHW.exe
  C:\Windows\System32\PqBPSHW.exe
  2⤵
  PID:9068
- C:\Windows\System32\MvfecwT.exe
  C:\Windows\System32\MvfecwT.exe
  2⤵
  PID:9116
- C:\Windows\System32\YXsNqCP.exe
  C:\Windows\System32\YXsNqCP.exe
  2⤵
  PID:9180
- C:\Windows\System32\zuCyOTx.exe
  C:\Windows\System32\zuCyOTx.exe
  2⤵
  PID:9204
- C:\Windows\System32\culOrlv.exe
  C:\Windows\System32\culOrlv.exe
  2⤵
  PID:456
- C:\Windows\System32\bEivjzt.exe
  C:\Windows\System32\bEivjzt.exe
  2⤵
  PID:1560
- C:\Windows\System32\ydiPSIF.exe
  C:\Windows\System32\ydiPSIF.exe
  2⤵
  PID:8244
- C:\Windows\System32\rAltThJ.exe
  C:\Windows\System32\rAltThJ.exe
  2⤵
  PID:8272
- C:\Windows\System32\OStiZgi.exe
  C:\Windows\System32\OStiZgi.exe
  2⤵
  PID:8396
- C:\Windows\System32\LvYJgjn.exe
  C:\Windows\System32\LvYJgjn.exe
  2⤵
  PID:8472
- C:\Windows\System32\IeZzWZO.exe
  C:\Windows\System32\IeZzWZO.exe
  2⤵
  PID:8544
- C:\Windows\System32\eNeTcnj.exe
  C:\Windows\System32\eNeTcnj.exe
  2⤵
  PID:8612
- C:\Windows\System32\BNqnGSK.exe
  C:\Windows\System32\BNqnGSK.exe
  2⤵
  PID:8656
- C:\Windows\System32\MUjDktJ.exe
  C:\Windows\System32\MUjDktJ.exe
  2⤵
  PID:8740
- C:\Windows\System32\XDooCnF.exe
  C:\Windows\System32\XDooCnF.exe
  2⤵
  PID:8796
- C:\Windows\System32\eopkvqx.exe
  C:\Windows\System32\eopkvqx.exe
  2⤵
  PID:8892
- C:\Windows\System32\ictowmN.exe
  C:\Windows\System32\ictowmN.exe
  2⤵
  PID:8968
- C:\Windows\System32\zbiCjlf.exe
  C:\Windows\System32\zbiCjlf.exe
  2⤵
  PID:9044
- C:\Windows\System32\jFJKTtW.exe
  C:\Windows\System32\jFJKTtW.exe
  2⤵
  PID:9096
- C:\Windows\System32\tjMkeQE.exe
  C:\Windows\System32\tjMkeQE.exe
  2⤵
  PID:9192
- C:\Windows\System32\gatmgrq.exe
  C:\Windows\System32\gatmgrq.exe
  2⤵
  PID:8076
- C:\Windows\System32\RpSpPLI.exe
  C:\Windows\System32\RpSpPLI.exe
  2⤵
  PID:8352
- C:\Windows\System32\ZDSMdkf.exe
  C:\Windows\System32\ZDSMdkf.exe
  2⤵
  PID:8488
- C:\Windows\System32\mfOedkh.exe
  C:\Windows\System32\mfOedkh.exe
  2⤵
  PID:8632
- C:\Windows\System32\OOEvvSQ.exe
  C:\Windows\System32\OOEvvSQ.exe
  2⤵
  PID:8772
- C:\Windows\System32\lpqFpSf.exe
  C:\Windows\System32\lpqFpSf.exe
  2⤵
  PID:8936
- C:\Windows\System32\XPYvjvy.exe
  C:\Windows\System32\XPYvjvy.exe
  2⤵
  PID:3888
- C:\Windows\System32\yXoQuUO.exe
  C:\Windows\System32\yXoQuUO.exe
  2⤵
  PID:8692
- C:\Windows\System32\bOTcMZb.exe
  C:\Windows\System32\bOTcMZb.exe
  2⤵
  PID:9028
- C:\Windows\System32\aTNkIAy.exe
  C:\Windows\System32\aTNkIAy.exe
  2⤵
  PID:9164
- C:\Windows\System32\ZdOOsbc.exe
  C:\Windows\System32\ZdOOsbc.exe
  2⤵
  PID:9060
- C:\Windows\System32\kQgQOPb.exe
  C:\Windows\System32\kQgQOPb.exe
  2⤵
  PID:8448
- C:\Windows\System32\qaWYJaY.exe
  C:\Windows\System32\qaWYJaY.exe
  2⤵
  PID:9264
- C:\Windows\System32\exKcHXR.exe
  C:\Windows\System32\exKcHXR.exe
  2⤵
  PID:9280
- C:\Windows\System32\NfKmoqb.exe
  C:\Windows\System32\NfKmoqb.exe
  2⤵
  PID:9304
- C:\Windows\System32\eLvjzkF.exe
  C:\Windows\System32\eLvjzkF.exe
  2⤵
  PID:9340
- C:\Windows\System32\TnTcbXm.exe
  C:\Windows\System32\TnTcbXm.exe
  2⤵
  PID:9372
- C:\Windows\System32\jlOAymC.exe
  C:\Windows\System32\jlOAymC.exe
  2⤵
  PID:9404
- C:\Windows\System32\LVILVgT.exe
  C:\Windows\System32\LVILVgT.exe
  2⤵
  PID:9432
- C:\Windows\System32\UXPdEuu.exe
  C:\Windows\System32\UXPdEuu.exe
  2⤵
  PID:9460
- C:\Windows\System32\gGexNJx.exe
  C:\Windows\System32\gGexNJx.exe
  2⤵
  PID:9492
- C:\Windows\System32\modTKiS.exe
  C:\Windows\System32\modTKiS.exe
  2⤵
  PID:9520
- C:\Windows\System32\GInwbdo.exe
  C:\Windows\System32\GInwbdo.exe
  2⤵
  PID:9540
- C:\Windows\System32\TXMrUzZ.exe
  C:\Windows\System32\TXMrUzZ.exe
  2⤵
  PID:9576
- C:\Windows\System32\UJirJCl.exe
  C:\Windows\System32\UJirJCl.exe
  2⤵
  PID:9604
- C:\Windows\System32\cDReNYo.exe
  C:\Windows\System32\cDReNYo.exe
  2⤵
  PID:9632
- C:\Windows\System32\msMihzB.exe
  C:\Windows\System32\msMihzB.exe
  2⤵
  PID:9668
- C:\Windows\System32\RCDLsDC.exe
  C:\Windows\System32\RCDLsDC.exe
  2⤵
  PID:9696
- C:\Windows\System32\tCYHRqo.exe
  C:\Windows\System32\tCYHRqo.exe
  2⤵
  PID:9716
- C:\Windows\System32\xKJljqY.exe
  C:\Windows\System32\xKJljqY.exe
  2⤵
  PID:9744
- C:\Windows\System32\OIIwQAC.exe
  C:\Windows\System32\OIIwQAC.exe
  2⤵
  PID:9772
- C:\Windows\System32\DZaRbLd.exe
  C:\Windows\System32\DZaRbLd.exe
  2⤵
  PID:9808
- C:\Windows\System32\bgjIFdY.exe
  C:\Windows\System32\bgjIFdY.exe
  2⤵
  PID:9836
- C:\Windows\System32\qeObBWE.exe
  C:\Windows\System32\qeObBWE.exe
  2⤵
  PID:9864
- C:\Windows\System32\pgGkgYU.exe
  C:\Windows\System32\pgGkgYU.exe
  2⤵
  PID:9896
- C:\Windows\System32\WiLKeRb.exe
  C:\Windows\System32\WiLKeRb.exe
  2⤵
  PID:9920
- C:\Windows\System32\yyvhhzZ.exe
  C:\Windows\System32\yyvhhzZ.exe
  2⤵
  PID:9952
- C:\Windows\System32\sbuootN.exe
  C:\Windows\System32\sbuootN.exe
  2⤵
  PID:9972
- C:\Windows\System32\ogsMgOg.exe
  C:\Windows\System32\ogsMgOg.exe
  2⤵
  PID:10004
- C:\Windows\System32\CwTZeUw.exe
  C:\Windows\System32\CwTZeUw.exe
  2⤵
  PID:10040
- C:\Windows\System32\uDThUfu.exe
  C:\Windows\System32\uDThUfu.exe
  2⤵
  PID:10068
- C:\Windows\System32\HTlppUr.exe
  C:\Windows\System32\HTlppUr.exe
  2⤵
  PID:10096
- C:\Windows\System32\lyTIldN.exe
  C:\Windows\System32\lyTIldN.exe
  2⤵
  PID:10124
- C:\Windows\System32\zvvagMW.exe
  C:\Windows\System32\zvvagMW.exe
  2⤵
  PID:10152
- C:\Windows\System32\AQbciiQ.exe
  C:\Windows\System32\AQbciiQ.exe
  2⤵
  PID:10176
- C:\Windows\System32\ZPlJRje.exe
  C:\Windows\System32\ZPlJRje.exe
  2⤵
  PID:10208
- C:\Windows\System32\rIbqjeV.exe
  C:\Windows\System32\rIbqjeV.exe
  2⤵
  PID:10224
- C:\Windows\System32\SyOzcAu.exe
  C:\Windows\System32\SyOzcAu.exe
  2⤵
  PID:9272
- C:\Windows\System32\hMxoxku.exe
  C:\Windows\System32\hMxoxku.exe
  2⤵
  PID:9320
- C:\Windows\System32\LsDWkSZ.exe
  C:\Windows\System32\LsDWkSZ.exe
  2⤵
  PID:9396
- C:\Windows\System32\TmNpwyW.exe
  C:\Windows\System32\TmNpwyW.exe
  2⤵
  PID:9472
- C:\Windows\System32\WSZADHt.exe
  C:\Windows\System32\WSZADHt.exe
  2⤵
  PID:4368
- C:\Windows\System32\sdwTENA.exe
  C:\Windows\System32\sdwTENA.exe
  2⤵
  PID:9572
- C:\Windows\System32\dWmCTrE.exe
  C:\Windows\System32\dWmCTrE.exe
  2⤵
  PID:9624
- C:\Windows\System32\LYBShvo.exe
  C:\Windows\System32\LYBShvo.exe
  2⤵
  PID:9728
- C:\Windows\System32\MnuJySb.exe
  C:\Windows\System32\MnuJySb.exe
  2⤵
  PID:9792
- C:\Windows\System32\ObJpSAm.exe
  C:\Windows\System32\ObJpSAm.exe
  2⤵
  PID:9832
- C:\Windows\System32\xZTnBSj.exe
  C:\Windows\System32\xZTnBSj.exe
  2⤵
  PID:9936
- C:\Windows\System32\HDQyZLT.exe
  C:\Windows\System32\HDQyZLT.exe
  2⤵
  PID:10012
- C:\Windows\System32\bUBnevc.exe
  C:\Windows\System32\bUBnevc.exe
  2⤵
  PID:10084
- C:\Windows\System32\tiEHhdj.exe
  C:\Windows\System32\tiEHhdj.exe
  2⤵
  PID:10144
- C:\Windows\System32\pfGigWi.exe
  C:\Windows\System32\pfGigWi.exe
  2⤵
  PID:10196
- C:\Windows\System32\auwMBCF.exe
  C:\Windows\System32\auwMBCF.exe
  2⤵
  PID:9240
- C:\Windows\System32\sVxSLMl.exe
  C:\Windows\System32\sVxSLMl.exe
  2⤵
  PID:9444
- C:\Windows\System32\cXXtHwB.exe
  C:\Windows\System32\cXXtHwB.exe
  2⤵
  PID:9552
- C:\Windows\System32\BDYVvwk.exe
  C:\Windows\System32\BDYVvwk.exe
  2⤵
  PID:9712
- C:\Windows\System32\xUIIaJz.exe
  C:\Windows\System32\xUIIaJz.exe
  2⤵
  PID:9884
- C:\Windows\System32\AvJTHFS.exe
  C:\Windows\System32\AvJTHFS.exe
  2⤵
  PID:10056
- C:\Windows\System32\tvHzZBB.exe
  C:\Windows\System32\tvHzZBB.exe
  2⤵
  PID:10200
- C:\Windows\System32\hXCMhYR.exe
  C:\Windows\System32\hXCMhYR.exe
  2⤵
  PID:9512
- C:\Windows\System32\ToFwYsu.exe
  C:\Windows\System32\ToFwYsu.exe
  2⤵
  PID:9824
- C:\Windows\System32\kWAuHAk.exe
  C:\Windows\System32\kWAuHAk.exe
  2⤵
  PID:10064
- C:\Windows\System32\FYzeLhn.exe
  C:\Windows\System32\FYzeLhn.exe
  2⤵
  PID:9960
- C:\Windows\System32\FMHqQhM.exe
  C:\Windows\System32\FMHqQhM.exe
  2⤵
  PID:9704
- C:\Windows\System32\asCuqYF.exe
  C:\Windows\System32\asCuqYF.exe
  2⤵
  PID:10268
- C:\Windows\System32\DaCYGyW.exe
  C:\Windows\System32\DaCYGyW.exe
  2⤵
  PID:10296
- C:\Windows\System32\wBtkYzU.exe
  C:\Windows\System32\wBtkYzU.exe
  2⤵
  PID:10328
- C:\Windows\System32\zIlORrx.exe
  C:\Windows\System32\zIlORrx.exe
  2⤵
  PID:10352
- C:\Windows\System32\hoWOnbj.exe
  C:\Windows\System32\hoWOnbj.exe
  2⤵
  PID:10380
- C:\Windows\System32\bGXNhVD.exe
  C:\Windows\System32\bGXNhVD.exe
  2⤵
  PID:10408
- C:\Windows\System32\CMKGAFw.exe
  C:\Windows\System32\CMKGAFw.exe
  2⤵
  PID:10436
- C:\Windows\System32\OQXUMkL.exe
  C:\Windows\System32\OQXUMkL.exe
  2⤵
  PID:10456
- C:\Windows\System32\VmHLIfW.exe
  C:\Windows\System32\VmHLIfW.exe
  2⤵
  PID:10496
- C:\Windows\System32\nRXmFpi.exe
  C:\Windows\System32\nRXmFpi.exe
  2⤵
  PID:10524
- C:\Windows\System32\lgYkoBw.exe
  C:\Windows\System32\lgYkoBw.exe
  2⤵
  PID:10552
- C:\Windows\System32\WBBdElL.exe
  C:\Windows\System32\WBBdElL.exe
  2⤵
  PID:10580
- C:\Windows\System32\waeFdna.exe
  C:\Windows\System32\waeFdna.exe
  2⤵
  PID:10596
- C:\Windows\System32\GhWNUzE.exe
  C:\Windows\System32\GhWNUzE.exe
  2⤵
  PID:10624
- C:\Windows\System32\evdcSZL.exe
  C:\Windows\System32\evdcSZL.exe
  2⤵
  PID:10652
- C:\Windows\System32\LmWacLp.exe
  C:\Windows\System32\LmWacLp.exe
  2⤵
  PID:10672
- C:\Windows\System32\EdPwPSr.exe
  C:\Windows\System32\EdPwPSr.exe
  2⤵
  PID:10716
- C:\Windows\System32\kIOWuyg.exe
  C:\Windows\System32\kIOWuyg.exe
  2⤵
  PID:10748
- C:\Windows\System32\pgdNwbg.exe
  C:\Windows\System32\pgdNwbg.exe
  2⤵
  PID:10776
- C:\Windows\System32\LaZfRUA.exe
  C:\Windows\System32\LaZfRUA.exe
  2⤵
  PID:10804
- C:\Windows\System32\yXURRHM.exe
  C:\Windows\System32\yXURRHM.exe
  2⤵
  PID:10832
- C:\Windows\System32\wHroMXe.exe
  C:\Windows\System32\wHroMXe.exe
  2⤵
  PID:10860
- C:\Windows\System32\VqEjHZr.exe
  C:\Windows\System32\VqEjHZr.exe
  2⤵
  PID:10876
- C:\Windows\System32\FbsNdjc.exe
  C:\Windows\System32\FbsNdjc.exe
  2⤵
  PID:10904
- C:\Windows\System32\eQlmtGJ.exe
  C:\Windows\System32\eQlmtGJ.exe
  2⤵
  PID:10944
- C:\Windows\System32\kLTJhLG.exe
  C:\Windows\System32\kLTJhLG.exe
  2⤵
  PID:10972
- C:\Windows\System32\AmOdLSv.exe
  C:\Windows\System32\AmOdLSv.exe
  2⤵
  PID:10992
- C:\Windows\System32\aeZPsaf.exe
  C:\Windows\System32\aeZPsaf.exe
  2⤵
  PID:11016
- C:\Windows\System32\rwbuhLd.exe
  C:\Windows\System32\rwbuhLd.exe
  2⤵
  PID:11044
- C:\Windows\System32\AQwXtaV.exe
  C:\Windows\System32\AQwXtaV.exe
  2⤵
  PID:11084
- C:\Windows\System32\sRXawjj.exe
  C:\Windows\System32\sRXawjj.exe
  2⤵
  PID:11104
- C:\Windows\System32\PdkzUbz.exe
  C:\Windows\System32\PdkzUbz.exe
  2⤵
  PID:11144
- C:\Windows\System32\bYOZmpS.exe
  C:\Windows\System32\bYOZmpS.exe
  2⤵
  PID:11172
- C:\Windows\System32\UfvLjGh.exe
  C:\Windows\System32\UfvLjGh.exe
  2⤵
  PID:11196
- C:\Windows\System32\fbzozRu.exe
  C:\Windows\System32\fbzozRu.exe
  2⤵
  PID:11228
- C:\Windows\System32\quMiQEY.exe
  C:\Windows\System32\quMiQEY.exe
  2⤵
  PID:11256
- C:\Windows\System32\BtxhItz.exe
  C:\Windows\System32\BtxhItz.exe
  2⤵
  PID:10284
- C:\Windows\System32\Wcufqxk.exe
  C:\Windows\System32\Wcufqxk.exe
  2⤵
  PID:10344
- C:\Windows\System32\uOSTBVQ.exe
  C:\Windows\System32\uOSTBVQ.exe
  2⤵
  PID:10420
- C:\Windows\System32\cdHrpQf.exe
  C:\Windows\System32\cdHrpQf.exe
  2⤵
  PID:10488
- C:\Windows\System32\wgkfRyD.exe
  C:\Windows\System32\wgkfRyD.exe
  2⤵
  PID:10544
- C:\Windows\System32\BreDZrn.exe
  C:\Windows\System32\BreDZrn.exe
  2⤵
  PID:4824
- C:\Windows\System32\MKWHPhP.exe
  C:\Windows\System32\MKWHPhP.exe
  2⤵
  PID:10680
- C:\Windows\System32\YGBcRcl.exe
  C:\Windows\System32\YGBcRcl.exe
  2⤵
  PID:10696
- C:\Windows\System32\dgTUjoa.exe
  C:\Windows\System32\dgTUjoa.exe
  2⤵
  PID:9992
- C:\Windows\System32\UKSupAU.exe
  C:\Windows\System32\UKSupAU.exe
  2⤵
  PID:10852
- C:\Windows\System32\ncEUDAR.exe
  C:\Windows\System32\ncEUDAR.exe
  2⤵
  PID:10924
- C:\Windows\System32\NZFuWre.exe
  C:\Windows\System32\NZFuWre.exe
  2⤵
  PID:10988
- C:\Windows\System32\USlAzhd.exe
  C:\Windows\System32\USlAzhd.exe
  2⤵
  PID:11060
- C:\Windows\System32\cMOjsFZ.exe
  C:\Windows\System32\cMOjsFZ.exe
  2⤵
  PID:11096
- C:\Windows\System32\qlrZeQq.exe
  C:\Windows\System32\qlrZeQq.exe
  2⤵
  PID:11188
- C:\Windows\System32\PDKyuQz.exe
  C:\Windows\System32\PDKyuQz.exe
  2⤵
  PID:11252
- C:\Windows\System32\TpeUwHK.exe
  C:\Windows\System32\TpeUwHK.exe
  2⤵
  PID:10368
- C:\Windows\System32\BdtfsTK.exe
  C:\Windows\System32\BdtfsTK.exe
  2⤵
  PID:10444
- C:\Windows\System32\XjidLjk.exe
  C:\Windows\System32\XjidLjk.exe
  2⤵
  PID:10616
- C:\Windows\System32\DvqkMil.exe
  C:\Windows\System32\DvqkMil.exe
  2⤵
  PID:10828
- C:\Windows\System32\yQjMcgu.exe
  C:\Windows\System32\yQjMcgu.exe
  2⤵
  PID:10956
- C:\Windows\System32\SUiZvEG.exe
  C:\Windows\System32\SUiZvEG.exe
  2⤵
  PID:11040
- C:\Windows\System32\GqyYrIf.exe
  C:\Windows\System32\GqyYrIf.exe
  2⤵
  PID:10376
- C:\Windows\System32\mcLngXP.exe
  C:\Windows\System32\mcLngXP.exe
  2⤵
  PID:10772
- C:\Windows\System32\dnAjCVU.exe
  C:\Windows\System32\dnAjCVU.exe
  2⤵
  PID:11240
- C:\Windows\System32\TWDofxL.exe
  C:\Windows\System32\TWDofxL.exe
  2⤵
  PID:11012
- C:\Windows\System32\smbOICW.exe
  C:\Windows\System32\smbOICW.exe
  2⤵
  PID:11296
- C:\Windows\System32\Lznsxdc.exe
  C:\Windows\System32\Lznsxdc.exe
  2⤵
  PID:11340
- C:\Windows\System32\ugojmru.exe
  C:\Windows\System32\ugojmru.exe
  2⤵
  PID:11368
- C:\Windows\System32\SgpZIbA.exe
  C:\Windows\System32\SgpZIbA.exe
  2⤵
  PID:11396
- C:\Windows\System32\hWwXbMq.exe
  C:\Windows\System32\hWwXbMq.exe
  2⤵
  PID:11424
- C:\Windows\System32\ErUBiJF.exe
  C:\Windows\System32\ErUBiJF.exe
  2⤵
  PID:11452
- C:\Windows\System32\rfStWHY.exe
  C:\Windows\System32\rfStWHY.exe
  2⤵
  PID:11480
- C:\Windows\System32\WmPWvBy.exe
  C:\Windows\System32\WmPWvBy.exe
  2⤵
  PID:11508
- C:\Windows\System32\VkFxogd.exe
  C:\Windows\System32\VkFxogd.exe
  2⤵
  PID:11540
- C:\Windows\System32\mkTWNyl.exe
  C:\Windows\System32\mkTWNyl.exe
  2⤵
  PID:11560
- C:\Windows\System32\CPckeHl.exe
  C:\Windows\System32\CPckeHl.exe
  2⤵
  PID:11600
- C:\Windows\System32\ulJcEpa.exe
  C:\Windows\System32\ulJcEpa.exe
  2⤵
  PID:11624
- C:\Windows\System32\NrRRHVH.exe
  C:\Windows\System32\NrRRHVH.exe
  2⤵
  PID:11640
- C:\Windows\System32\azWAhlP.exe
  C:\Windows\System32\azWAhlP.exe
  2⤵
  PID:11680
- C:\Windows\System32\NpMAIEh.exe
  C:\Windows\System32\NpMAIEh.exe
  2⤵
  PID:11708
- C:\Windows\System32\DFHBtUI.exe
  C:\Windows\System32\DFHBtUI.exe
  2⤵
  PID:11744
- C:\Windows\System32\rEdOhKo.exe
  C:\Windows\System32\rEdOhKo.exe
  2⤵
  PID:11772
- C:\Windows\System32\AmObWpG.exe
  C:\Windows\System32\AmObWpG.exe
  2⤵
  PID:11804
- C:\Windows\System32\vabmvTc.exe
  C:\Windows\System32\vabmvTc.exe
  2⤵
  PID:11844
- C:\Windows\System32\mCVWbgF.exe
  C:\Windows\System32\mCVWbgF.exe
  2⤵
  PID:11896
- C:\Windows\System32\LwpfLEu.exe
  C:\Windows\System32\LwpfLEu.exe
  2⤵
  PID:11928
- C:\Windows\System32\ZeKqlXz.exe
  C:\Windows\System32\ZeKqlXz.exe
  2⤵
  PID:11960
- C:\Windows\System32\cTUMmSQ.exe
  C:\Windows\System32\cTUMmSQ.exe
  2⤵
  PID:12004
- C:\Windows\System32\IZfDBat.exe
  C:\Windows\System32\IZfDBat.exe
  2⤵
  PID:12036
- C:\Windows\System32\WAqLPnt.exe
  C:\Windows\System32\WAqLPnt.exe
  2⤵
  PID:12084
- C:\Windows\System32\HqNtCES.exe
  C:\Windows\System32\HqNtCES.exe
  2⤵
  PID:12128
- C:\Windows\System32\qsIxFGd.exe
  C:\Windows\System32\qsIxFGd.exe
  2⤵
  PID:12188
- C:\Windows\System32\qKfBGfD.exe
  C:\Windows\System32\qKfBGfD.exe
  2⤵
  PID:12208
- C:\Windows\System32\EQRwtla.exe
  C:\Windows\System32\EQRwtla.exe
  2⤵
  PID:12236
- C:\Windows\System32\wJcGBwA.exe
  C:\Windows\System32\wJcGBwA.exe
  2⤵
  PID:10888
- C:\Windows\System32\QiiPDfL.exe
  C:\Windows\System32\QiiPDfL.exe
  2⤵
  PID:11336
- C:\Windows\System32\QxhMrob.exe
  C:\Windows\System32\QxhMrob.exe
  2⤵
  PID:11436
- C:\Windows\System32\jjcEzyM.exe
  C:\Windows\System32\jjcEzyM.exe
  2⤵
  PID:11528
- C:\Windows\System32\tlGozdd.exe
  C:\Windows\System32\tlGozdd.exe
  2⤵
  PID:11592
- C:\Windows\System32\KdWqBOJ.exe
  C:\Windows\System32\KdWqBOJ.exe
  2⤵
  PID:11740
- C:\Windows\System32\FSdckJr.exe
  C:\Windows\System32\FSdckJr.exe
  2⤵
  PID:11784
- C:\Windows\System32\pozaAnu.exe
  C:\Windows\System32\pozaAnu.exe
  2⤵
  PID:11820
- C:\Windows\System32\rsVfOrR.exe
  C:\Windows\System32\rsVfOrR.exe
  2⤵
  PID:11956
- C:\Windows\System32\AJeQhbL.exe
  C:\Windows\System32\AJeQhbL.exe
  2⤵
  PID:12080
- C:\Windows\System32\wLlZcxE.exe
  C:\Windows\System32\wLlZcxE.exe
  2⤵
  PID:12196
- C:\Windows\System32\LQIWwHU.exe
  C:\Windows\System32\LQIWwHU.exe
  2⤵
  PID:9904
- C:\Windows\System32\sQbyDKO.exe
  C:\Windows\System32\sQbyDKO.exe
  2⤵
  PID:12204
- C:\Windows\System32\aRpiALL.exe
  C:\Windows\System32\aRpiALL.exe
  2⤵
  PID:12272
- C:\Windows\System32\AoEzqwA.exe
  C:\Windows\System32\AoEzqwA.exe
  2⤵
  PID:11500
- C:\Windows\System32\LQjmSJf.exe
  C:\Windows\System32\LQjmSJf.exe
  2⤵
  PID:11660
- C:\Windows\System32\iEZDtLZ.exe
  C:\Windows\System32\iEZDtLZ.exe
  2⤵
  PID:11944
- C:\Windows\System32\hSxAyyG.exe
  C:\Windows\System32\hSxAyyG.exe
  2⤵
  PID:12120
- C:\Windows\System32\KCcpQyH.exe
  C:\Windows\System32\KCcpQyH.exe
  2⤵
  PID:11536
- C:\Windows\System32\pZxAbSA.exe
  C:\Windows\System32\pZxAbSA.exe
  2⤵
  PID:11816
- C:\Windows\System32\vCrLava.exe
  C:\Windows\System32\vCrLava.exe
  2⤵
  PID:12304
- C:\Windows\System32\dJLvWBK.exe
  C:\Windows\System32\dJLvWBK.exe
  2⤵
  PID:12328
- C:\Windows\System32\NfcLDFm.exe
  C:\Windows\System32\NfcLDFm.exe
  2⤵
  PID:12356
- C:\Windows\System32\VBcGTXq.exe
  C:\Windows\System32\VBcGTXq.exe
  2⤵
  PID:12384
- C:\Windows\System32\tHoXPso.exe
  C:\Windows\System32\tHoXPso.exe
  2⤵
  PID:12416
- C:\Windows\System32\CeLbzcs.exe
  C:\Windows\System32\CeLbzcs.exe
  2⤵
  PID:12444
- C:\Windows\System32\AzlrxPx.exe
  C:\Windows\System32\AzlrxPx.exe
  2⤵
  PID:12472
- C:\Windows\System32\uzLlWMt.exe
  C:\Windows\System32\uzLlWMt.exe
  2⤵
  PID:12500
- C:\Windows\System32\YISZsib.exe
  C:\Windows\System32\YISZsib.exe
  2⤵
  PID:12528
- C:\Windows\System32\ukHRwtE.exe
  C:\Windows\System32\ukHRwtE.exe
  2⤵
  PID:12556
- C:\Windows\System32\MTnvFgF.exe
  C:\Windows\System32\MTnvFgF.exe
  2⤵
  PID:12576
- C:\Windows\System32\xXbtmvT.exe
  C:\Windows\System32\xXbtmvT.exe
  2⤵
  PID:12612
- C:\Windows\System32\ClpXUlj.exe
  C:\Windows\System32\ClpXUlj.exe
  2⤵
  PID:12640
- C:\Windows\System32\dvrBUhH.exe
  C:\Windows\System32\dvrBUhH.exe
  2⤵
  PID:12668
- C:\Windows\System32\YkhIYlg.exe
  C:\Windows\System32\YkhIYlg.exe
  2⤵
  PID:12696
- C:\Windows\System32\SYdSwZM.exe
  C:\Windows\System32\SYdSwZM.exe
  2⤵
  PID:12724
- C:\Windows\System32\OnrMyNQ.exe
  C:\Windows\System32\OnrMyNQ.exe
  2⤵
  PID:12752
- C:\Windows\System32\DfWtTjl.exe
  C:\Windows\System32\DfWtTjl.exe
  2⤵
  PID:12780
- C:\Windows\System32\FOWfExN.exe
  C:\Windows\System32\FOWfExN.exe
  2⤵
  PID:12808
- C:\Windows\System32\zktZigU.exe
  C:\Windows\System32\zktZigU.exe
  2⤵
  PID:12840
- C:\Windows\System32\OaGskoI.exe
  C:\Windows\System32\OaGskoI.exe
  2⤵
  PID:12868
- C:\Windows\System32\jrRSZgD.exe
  C:\Windows\System32\jrRSZgD.exe
  2⤵
  PID:12896
- C:\Windows\System32\gsVWNVu.exe
  C:\Windows\System32\gsVWNVu.exe
  2⤵
  PID:12924
- C:\Windows\System32\UHuEVlh.exe
  C:\Windows\System32\UHuEVlh.exe
  2⤵
  PID:12952
- C:\Windows\System32\ddynjkt.exe
  C:\Windows\System32\ddynjkt.exe
  2⤵
  PID:12980
- C:\Windows\System32\QEhxKhu.exe
  C:\Windows\System32\QEhxKhu.exe
  2⤵
  PID:13008
- C:\Windows\System32\uSwGmnJ.exe
  C:\Windows\System32\uSwGmnJ.exe
  2⤵
  PID:13036
- C:\Windows\System32\moqyWdo.exe
  C:\Windows\System32\moqyWdo.exe
  2⤵
  PID:13064
- C:\Windows\System32\nnJDQXm.exe
  C:\Windows\System32\nnJDQXm.exe
  2⤵
  PID:13096
- C:\Windows\System32\sZGFbBt.exe
  C:\Windows\System32\sZGFbBt.exe
  2⤵
  PID:13128
- C:\Windows\System32\eiLTeMB.exe
  C:\Windows\System32\eiLTeMB.exe
  2⤵
  PID:13156
- C:\Windows\System32\FFSkWYg.exe
  C:\Windows\System32\FFSkWYg.exe
  2⤵
  PID:13188
- C:\Windows\System32\LYtARnp.exe
  C:\Windows\System32\LYtARnp.exe
  2⤵
  PID:13216
- C:\Windows\System32\aLLRumF.exe
  C:\Windows\System32\aLLRumF.exe
  2⤵
  PID:13244
- C:\Windows\System32\KXiHVux.exe
  C:\Windows\System32\KXiHVux.exe
  2⤵
  PID:13272
- C:\Windows\System32\XxUzWAN.exe
  C:\Windows\System32\XxUzWAN.exe
  2⤵
  PID:13300
- C:\Windows\System32\TtgOvgG.exe
  C:\Windows\System32\TtgOvgG.exe
  2⤵
  PID:12324
- C:\Windows\System32\QoeXLkI.exe
  C:\Windows\System32\QoeXLkI.exe
  2⤵
  PID:12396
- C:\Windows\System32\Gmyoqtc.exe
  C:\Windows\System32\Gmyoqtc.exe
  2⤵
  PID:12468
- C:\Windows\System32\fWxLZDO.exe
  C:\Windows\System32\fWxLZDO.exe
  2⤵
  PID:2252
- C:\Windows\System32\SKRTzxA.exe
  C:\Windows\System32\SKRTzxA.exe
  2⤵
  PID:12524
- C:\Windows\System32\nsVkCPV.exe
  C:\Windows\System32\nsVkCPV.exe
  2⤵
  PID:12588
- C:\Windows\System32\keBOhoQ.exe
  C:\Windows\System32\keBOhoQ.exe
  2⤵
  PID:12660
- C:\Windows\System32\OXuiEni.exe
  C:\Windows\System32\OXuiEni.exe
  2⤵
  PID:12720
- C:\Windows\System32\LMhvwxo.exe
  C:\Windows\System32\LMhvwxo.exe
  2⤵
  PID:12792
- C:\Windows\System32\MZAGFzb.exe
  C:\Windows\System32\MZAGFzb.exe
  2⤵
  PID:12860
- C:\Windows\System32\rQdjOmm.exe
  C:\Windows\System32\rQdjOmm.exe
  2⤵
  PID:12916
- C:\Windows\System32\CdyuDKM.exe
  C:\Windows\System32\CdyuDKM.exe
  2⤵
  PID:12976
- C:\Windows\System32\OafHqXR.exe
  C:\Windows\System32\OafHqXR.exe
  2⤵
  PID:13048
- C:\Windows\System32\BavpaZI.exe
  C:\Windows\System32\BavpaZI.exe
  2⤵
  PID:13116
- C:\Windows\System32\CekezSI.exe
  C:\Windows\System32\CekezSI.exe
  2⤵
  PID:13204
- C:\Windows\System32\gfmfZGb.exe
  C:\Windows\System32\gfmfZGb.exe
  2⤵
  PID:13264
- C:\Windows\System32\tzKlhbF.exe
  C:\Windows\System32\tzKlhbF.exe
  2⤵
  PID:12320
- C:\Windows\System32\JKeEWBU.exe
  C:\Windows\System32\JKeEWBU.exe
  2⤵
  PID:12496
- C:\Windows\System32\FYDVWhg.exe
  C:\Windows\System32\FYDVWhg.exe
  2⤵
  PID:12572
- C:\Windows\System32\AhHlQLg.exe
  C:\Windows\System32\AhHlQLg.exe
  2⤵
  PID:12716
- C:\Windows\System32\SUipxjC.exe
  C:\Windows\System32\SUipxjC.exe
  2⤵
  PID:12892
- C:\Windows\System32\MFrSVOC.exe
  C:\Windows\System32\MFrSVOC.exe
  2⤵
  PID:13032
- C:\Windows\System32\ncIIpWJ.exe
  C:\Windows\System32\ncIIpWJ.exe
  2⤵
  PID:13228
- C:\Windows\System32\XkzUuER.exe
  C:\Windows\System32\XkzUuER.exe
  2⤵
  PID:12436
- C:\Windows\System32\pTSbbrA.exe
  C:\Windows\System32\pTSbbrA.exe
  2⤵
  PID:12964
- C:\Windows\System32\XGqDFri.exe
  C:\Windows\System32\XGqDFri.exe
  2⤵
  PID:12348
- C:\Windows\System32\WhOnLgK.exe
  C:\Windows\System32\WhOnLgK.exe
  2⤵
  PID:13332
- C:\Windows\System32\myONxZt.exe
  C:\Windows\System32\myONxZt.exe
  2⤵
  PID:13352
- C:\Windows\System32\fUQXjGX.exe
  C:\Windows\System32\fUQXjGX.exe
  2⤵
  PID:13392
- C:\Windows\System32\uEnujeB.exe
  C:\Windows\System32\uEnujeB.exe
  2⤵
  PID:13416
- C:\Windows\System32\mWfYxbW.exe
  C:\Windows\System32\mWfYxbW.exe
  2⤵
  PID:13444
- C:\Windows\System32\yXlyEFb.exe
  C:\Windows\System32\yXlyEFb.exe
  2⤵
  PID:13472
- C:\Windows\System32\oifhKOM.exe
  C:\Windows\System32\oifhKOM.exe
  2⤵
  PID:13500
- C:\Windows\System32\vBjIaAP.exe
  C:\Windows\System32\vBjIaAP.exe
  2⤵
  PID:13536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
1⤵
PID:7400

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Citkptu.exe

Filesize
2.9MB

MD5
97a432cf0f5220b0f6cc92442075da4d

SHA1
0705351c54fd3a568c42d88f7aba0ce8a22944f2

SHA256
40b553e00cada07a979c0593cfa2fb1a3a5a9a7c275902b2b5e05a9df21dbf34

SHA512
826f299dbea0cdd60d1972027457a461830a409f825dbd991abdf3d80e73823c8eb6950be1dafcfb6a5e6188f96bfc582db35be80d4c009d2cb6415daa04595c

Download Submit
C:\Windows\System32\DZiOBux.exe

Filesize
2.9MB

MD5
fb74a9e1485d4cd78037e7c82e1edbeb

SHA1
6f26611045ce92ea7559b791d397325ee8d0a2ca

SHA256
b9a2364fe41f23533e162b8a7a1b449d8032bd9a31b4088d6a493b1763b96987

SHA512
de107812a7cf1870aedb6a8f704e63811b23bfc592c7f7620aed2a99e4b38a6222f515698d9544e62a515d8d5fe70fd4713ea37f404310e738ba3379eee4ae2b

Download Submit
C:\Windows\System32\NXVLTIp.exe

Filesize
2.9MB

MD5
b657a33f88ea2212e7e63d4da61dcc49

SHA1
bc983be8c9909f61e88a60f89061fee8e582926c

SHA256
03d434d8fad8b2ac6906e9c1aedaaae99adde5ae8ecbea70d048a33813ebd0b7

SHA512
3d686526719d5f428e7930a75255f4b7c53be4d600054dc731504d185e0b5eef9efddb9cf964e5289b99b92059259ba552464e7112dca50c274ea67c2fa0211a

Download Submit
C:\Windows\System32\QXUdRYo.exe

Filesize
2.9MB

MD5
a7edfc15c9f6222e0c0babb89ce093e9

SHA1
5dff8a3911b553e1eb40dd8dbfc28755b2f07172

SHA256
729b0a614bb433013af55574baeab35232c5b9a3f8289618cb025a4e65a2adda

SHA512
acee36caa3ab54a08aa579a6da1e73871c4c50745addcd018997a9c811ec37a5868639a657a7057dc14c24ceeb00195ccbfbdd33defcf3c46a41a10f3763c12b

Download Submit
C:\Windows\System32\SsRNxWN.exe

Filesize
2.9MB

MD5
6fab6d5bef0596565d1b358374c2a93b

SHA1
3e892f3039e2964c27a8f574ae8062cb07a282ec

SHA256
d1d58badfa22086cded3eab57dba2d0ed5967acaf520976341fb5f0f99cffc27

SHA512
d44f0f2a21ee4f36ca0fa9dca42c1b0167d16e5fd31543a5db4345cfb1fd1e2d3a94551d62d695c655007c6f10d13b0459bc83a90df2e6e51dfd76a84eb17aa2

Download Submit
C:\Windows\System32\SuaebnI.exe

Filesize
2.9MB

MD5
ea7c1f16ccd86c53c1121bb3f89adc0e

SHA1
c6e7a75ae5a3af6458114652579821a318ba4584

SHA256
c8d74275e6824316c4fd48d77c573ecf5725a24cf07d48be3fc5c3ac91e126f1

SHA512
e89dd463d6bf34a52fba8031fd754107b4f5d7f42f6832f24e21bf7e33561ce613dcf6727b45ee57950482cf770bdca8dd6f21c88cfb1db8f6da543b356dd1c6

Download Submit
C:\Windows\System32\VGEHcOH.exe

Filesize
2.9MB

MD5
9439c2fd204c2cb477de9a7ee7db6566

SHA1
f44458a22b0ed88885267c08fa8f00631f95511c

SHA256
6cc3fe61082640a987a3a271b3a79b808e3290b75a848b807f376464289b4fbc

SHA512
ea48a368a85fb07fd45686fa979380d3fc96286929f3ca76ef81635b812d6f8cfd10b30dc140f8e6785e3c39ad08d3d3b8ae47a2726083731071f8f1fa1187bd

Download Submit
C:\Windows\System32\WOyLSJs.exe

Filesize
2.9MB

MD5
fbc57afafc1d976e87e0adf1380265db

SHA1
e3a5e3bac3609ea9fb053eb068e7d7bff89cba39

SHA256
404218b5745002778eb83fca6262044c0b1e602d43e2f4c2802cb5bc15d4ab05

SHA512
94c249458d286d55dc07558805eb8ea5fee2b389bae5f0a55fde6fb5c81a9a916a755ab0aa81f904df5b9dbbb948101c43aeb98e504b19847b388106b5c8a4c1

Download Submit
C:\Windows\System32\WjBzQub.exe

Filesize
2.9MB

MD5
a7108ce32e743529b976000e94872b6e

SHA1
814a56c9353e749a066474e6d014112552575a7d

SHA256
3c7464ccc0cf836ec6ee120a964f67fa35051c357a17a209f6f6d00d627503ec

SHA512
42c9f88e449c15c9767a4f031874a35d84be2a62c727274410e99e26b05fdbae6e3bdf9c0b658b7390c61c726539a721f6c9c3abc1103489037d1417437e7e0f

Download Submit
C:\Windows\System32\XXxfYcu.exe

Filesize
2.9MB

MD5
5ca6638bfb8905fadb6ac5e21cd8ab39

SHA1
b730d2ab989c2d29b4bda90bee163bf23d2c10a6

SHA256
de3f8e54d2a7660549afd071b32271c3e682bb986af3d36d239732f4154878dd

SHA512
38b63d4533fe80b383736b26ce1c353135c7882cd97dc46191d8f478308e264b06ce2b4b91ff0877a3e6575bdea1592c5a17c92a8c615e911deba126d5e652c7

Download Submit
C:\Windows\System32\XgtlrDJ.exe

Filesize
2.9MB

MD5
5cfdf5bbb43745ca66a8223a9fcd5988

SHA1
bc51b926c5016fe1281e9d7390ca27b4f92a270e

SHA256
5449d66da2b356abd0b852394bd07102576d0db7b1e665fd0f6d63090179cabd

SHA512
29e911a34ba879f817397d097b024f5cca688d8287f7c8096a6d8232a695a29c0a42ea930ced164720db589529ab577a8e5d1960caade6c7e5722170b43dddb2

Download Submit
C:\Windows\System32\YIOvOLs.exe

Filesize
2.9MB

MD5
327ed83b75fb16509194ca14460ff811

SHA1
a899d38046169f742978bcb6383b2247d8081cc5

SHA256
6fe9e0c05988f5e30a68ce0c69c91775fb6d59460ffb11a8e05c2b36ca0222fb

SHA512
3570fabba1429bc71238508bb0f9ebc8e2d22f2fff07ae82e0a917bad4e24353d6a4807b82186618d52741b1144bae841e5a2c78f709de73359335e9c962b4f0

Download Submit
C:\Windows\System32\bjPPJcT.exe

Filesize
2.9MB

MD5
9468c6aa02def559117a05a6a944adf3

SHA1
5502b9cbeae5d0137f735e93bdaf5c0d126bff89

SHA256
36ef64b64311c6f1aa406ae2e9248346e116339c2f952df9722ae09ad846b44d

SHA512
b5a35e6ea6cdaf97b3da1cafeeb8212159a4052ce3adfbf1aa3c6b9af32f956de90938d47b8c74f042535aa87c1cfa4d891185adee8b46b799a2687c6f26c927

Download Submit
C:\Windows\System32\cITwLYa.exe

Filesize
2.9MB

MD5
9edc45727353bfd1933f0a56e4504930

SHA1
933311c5b4a03fe82fa510ebdad6aaa7665e4f56

SHA256
3c55d7196d25c2e97d4e0b19fb35a89439c58dd045d8da9113535b4adada9a6b

SHA512
5558aa6cc6642e9c9ccc839205a3f3634de80dc8b5974f0080e5845379761355661399ee18a1376692aa142745c34f3f4b57ac4a7170d3b0fc99be6f48ea5ac3

Download Submit
C:\Windows\System32\dMXXWaV.exe

Filesize
2.9MB

MD5
bb9602cf201545b82f992cd571e25c10

SHA1
3b6ed8287370bca13602380ec720328bb234676f

SHA256
cba83b0335cd4541e9daafcbaf42ff73db20e311db19bdcc59044f58b6355609

SHA512
2c2f0a37dd81b19b159d845f28ee3b3589b090469c1842cfb0b0e952df5cf8293680e99e4527991e13128072af3d2dc6da8d0369a073a5a6ddc696860319affb

Download Submit
C:\Windows\System32\gvHQUOM.exe

Filesize
2.9MB

MD5
539f551f2001c5b116f5593caa2a5bfd

SHA1
53d36ae293049ca6120127009fe1c70d6b613909

SHA256
11fc380b73a32414b3d707d624852b10b783d86679abaa0fc103598125dcbbd3

SHA512
91b1e7b2d7cdfccaca256b951d8ba3c92f187e10dbae721f58bbb9a6cd1b5d8b5a4261691bd33d61e5ead929f6cd5e87a84812aa826bcf5b555158de4588e66a

Download Submit
C:\Windows\System32\kZLxekL.exe

Filesize
2.9MB

MD5
8bfa740e91e16b3dadc290f57f6da367

SHA1
34495903bf42c60dd5a6188b074e7632fbf6776b

SHA256
87b7a51a8360562d2ba2c9b9efe11304537639cf19cab5c2ba08befda3171211

SHA512
584d1be6ea3e7aedb6cc13d77ae22b26ac5d7682a439ae7d16f34fecc3615cf255d809a56e50ae1513fd77753bb51d5ff058431a5cee2c5997509ec68ca48f32

Download Submit
C:\Windows\System32\mlRdNkJ.exe

Filesize
2.9MB

MD5
4ab662d69334c92e4f5f9e821a05cafe

SHA1
892cc6fbad647519844701d6ccd42e74e046dad7

SHA256
26582e58a42f7056601c55a6595884a16dc6d42238e6d8af48772c1f170b4503

SHA512
538bb4f866d7f75f3b680c3d308deac4e83fba9fe7025f8fcd5cd8f3610203753ee8bd618001c3cb213e10aaaf18205d4397154f499ad838bb06755d08d4394d

Download Submit
C:\Windows\System32\mwbpEln.exe

Filesize
2.9MB

MD5
a0648f769b16bdae6a05342924a8ec2e

SHA1
4640b85e5984f3e6e797eab98960b3849f59b739

SHA256
4f9b47eb94e2a6d1f0f1b503907bfdb7f30b5be7903e05470e0e103b661a23fb

SHA512
b89ceff8e92e91a8366db6c84dc33d8084c947df80c71c3c2a33831c78a6fbb2a2f70bf866c4df32299bce37653afb4019bfb3a909318585dd35d017e5c12b3b

Download Submit
C:\Windows\System32\ntuogSF.exe

Filesize
2.9MB

MD5
4fffb62b5ccc8489e5f1a01925a477c0

SHA1
8ceaec8c5d90e9073eda4749726af490e1b31d0f

SHA256
777e17109f240c7dc2ba60d3f37f440215bf2e5382b68f6499b4f2ce3d09f333

SHA512
cf91326566ffcdd0714d67ab846ea7651808895a26c2faad0be7a0ad4f5b8e8b413000c17e485901169794adac453d8ef3425e59d88d920336e35488631a8ced

Download Submit
C:\Windows\System32\oEpgmOc.exe

Filesize
2.9MB

MD5
bfbeebc4fb6fa826c2240e7bb81f3113

SHA1
49fab6c1a49670455a2770074fe8135b38c82f2b

SHA256
e392d495c2c39bca06bac0c5ac0cfd049264aa3af5917809cb577445594176df

SHA512
ca2e1d20437fe4deb504a3fd3ccdaf884c2eae0b6897cc06565255bbe9ca29ebe15eab95944307e74001fcecf3a961b24871d26b2dddb5a0601e227458d3f7bc

Download Submit
C:\Windows\System32\ooFEAMF.exe

Filesize
2.9MB

MD5
67444de3bb3d5dfaf3074c3105d0d5f0

SHA1
6b25fbdbe0ba957f09761c971eab51b357487987

SHA256
4f064bbc42ac192015c9576851c42764c2c62af403154159980d21e315ab26b0

SHA512
e878841eaf47b48f58d9b192be185510de4a35b833b7b78d7426c0fcc5616b0df548ece6f63cf3ee503883fad811748d0931ef4e64d943a46aeb8ea7c8a90977

Download Submit
C:\Windows\System32\opPGQeU.exe

Filesize
2.9MB

MD5
96028a889761e17c0b77dcd7da831a34

SHA1
154be46efcdde56755490ee70f83d12423a887e7

SHA256
9c050f61bc49340a5d13c87b5cc883e45e7750184150e902b400e8ec4ae71993

SHA512
4dd67e1a96e7f036e0d3e5a4d22bcfb447865d880c42daae5272f52d19ef90b8d80420cd102590eba86c50a237286417be7d45e4a70a11453f416bb72117ac28

Download Submit
C:\Windows\System32\pYMHJmS.exe

Filesize
2.9MB

MD5
98a4447d3d610f35bea59e128c1931df

SHA1
371df7a02189bc34e4bc4ad893bd27b692702df0

SHA256
b0516523ca28da87b46470bb673d73dd3b55d1e9354674617845370cc9ad6e7e

SHA512
0d86d13e413f03a276b65967c70552afe44179fde379710e4e43ff66d9199c82cb12834eb603eb4b512d69c6f1909468962ff5277194f6bdd49a4e54ce6cdedb

Download Submit
C:\Windows\System32\rPelCxW.exe

Filesize
2.9MB

MD5
2a3fe9c7cdfc35b7d34790d989366554

SHA1
20140e8691ef358e0c725dbfeea0ceef5ae42873

SHA256
8d891c6757a5d402179d0ecd64b1240cb1f7532084867426d6785bd32d9aa37e

SHA512
3e9fcdd0e7717bb5985ee0417fc5d4f123fad77746d58918891b93786caddf8e3974c6ab886c5549f061e994d07d63eb2686f7b26515c2aa6fd79e5ec3ff62bb

Download Submit
C:\Windows\System32\sFbFzAx.exe

Filesize
2.9MB

MD5
90e3ee828c233a3509271362d147c11e

SHA1
ef3802d4b64f38e8e6ad61f8d5d0c9cff7816b38

SHA256
f3803773d86a3a31cd19482bbffff51d25060e166bee7d7b720c8e12bec77444

SHA512
12508049e0783b3261947ac06ea9e7338adda8e61c266caf74641c416a2716debdd3996050ddde2b97bba0078e67f56b7d80042ea6ab5d0e774be9332f172c03

Download Submit
C:\Windows\System32\sYlbfIa.exe

Filesize
2.9MB

MD5
eb8e3813175146d1bdd15d66a20589d5

SHA1
98f665f4bd2f123b247ef6a31fe7d8b42c34a503

SHA256
4a882ddbf1223509f735b1ca39eac5682be6d0b66d0c730cf45a945b0359559b

SHA512
18c0ec4a3f7b8145b2caa978e0f36d2c1fe34f4c84cc0b0512488f1ce1777c6d64cb30360c4f68871e6d83bd2c31d393da7e542fbf55a58acce9523edf3e177d

Download Submit
C:\Windows\System32\uqdKXpe.exe

Filesize
2.9MB

MD5
a1743428019c7f690b1cce941a6b8f7f

SHA1
b2b274d8a3fe4a4df6d6b11da7a44fc622c3dff6

SHA256
cee395deabd354d2a5a020ea408fde249d78f746b7db714d4ebf38aeb329ae6e

SHA512
02a17d3664782037f5a26eabec1ae8ef585060b98afc4c02d49cd957a08455e1cd17234617dfe6a6d9412552c1f9282e5214f479201b5e9340c9bfce426c41b3

Download Submit
C:\Windows\System32\vvddheM.exe

Filesize
2.9MB

MD5
5186eef6b1034cdb2576f9c6d2e51e4e

SHA1
03757095a3007995de9bac302dde040f00fd327a

SHA256
4d3f671c2b587c7b601f9cb28a8d676dbd2d09368be181e624210f9e5d53cf23

SHA512
5f5f133240195ea9d051b468b3439903a29b561be775ea333dfc0368fb46058fe9e4facca626ebfb0cb7b7ad9bb5f5f7c78a6c337b9983799fc2d9d10472d95f

Download Submit
C:\Windows\System32\xBreVJR.exe

Filesize
2.9MB

MD5
3c011b20bc9995d0f2efad739901ff13

SHA1
f995b9dfbbea676007610c2561e01a2085ea7fa9

SHA256
ba7cc167a93447d590f54f2db2f1931ab8c36efc8636bf6e5ebdd17c20af1fe2

SHA512
126b8569c0f64a212a34dbfa1ffd8e8b73afd4fafb4b70e0c64ce6e4c7cb134077925e5bda826e657e3ff1577262019be369e90de3ae8bc23d8302f3f712797d

Download Submit
C:\Windows\System32\xQeMqSt.exe

Filesize
2.9MB

MD5
fc64f0c7f4258c69a98d832213ebd8a1

SHA1
9a20e5eecf7d0e38234e38546245ac55a14ec4ff

SHA256
8bda40786aaa74401172959005a332abf92a61419fad0db56901c0b63aa3a4c1

SHA512
8c2de95bdedab6cf930bdd17e842aa95f00bd1ade7a981fd1a9263dfb3a69aeb9558aa80535a6d32bb736d2ca74bd484eb21994371b9d99900183db74a37665a

Download Submit
C:\Windows\System32\yOMeecW.exe

Filesize
2.9MB

MD5
e774ff09738ffea3ab3abeeae68094b6

SHA1
837d2eb6fc1565227f7aac1c021307a639d40aba

SHA256
a186b848d0e497f4aac1715d14abea961526576e207e6d32c57822387ba50443

SHA512
4b063c9c35ab965269a35da8dd549d874a1cbd8638d3d65e18133cb6a0dafdb7aca4308c540548eefbc6635de223448cfdb9c121c42762720d02b876307f3d4e

Download Submit
memory/672-1889-0x00007FF720E80000-0x00007FF721275000-memory.dmp

Filesize
4.0MB

Download
memory/672-829-0x00007FF720E80000-0x00007FF721275000-memory.dmp

Filesize
4.0MB

Download
memory/1648-1891-0x00007FF79DFD0000-0x00007FF79E3C5000-memory.dmp

Filesize
4.0MB

Download
memory/1648-866-0x00007FF79DFD0000-0x00007FF79E3C5000-memory.dmp

Filesize
4.0MB

Download
memory/1736-1899-0x00007FF783A50000-0x00007FF783E45000-memory.dmp

Filesize
4.0MB

Download
memory/1736-863-0x00007FF783A50000-0x00007FF783E45000-memory.dmp

Filesize
4.0MB

Download
memory/1832-820-0x00007FF6221C0000-0x00007FF6225B5000-memory.dmp

Filesize
4.0MB

Download
memory/1832-1895-0x00007FF6221C0000-0x00007FF6225B5000-memory.dmp

Filesize
4.0MB

Download
memory/1836-1883-0x00007FF6065A0000-0x00007FF606995000-memory.dmp

Filesize
4.0MB

Download
memory/1836-880-0x00007FF6065A0000-0x00007FF606995000-memory.dmp

Filesize
4.0MB

Download
memory/1964-16-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp

Filesize
4.0MB

Download
memory/1964-1881-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp

Filesize
4.0MB

Download
memory/1964-1848-0x00007FF6662D0000-0x00007FF6666C5000-memory.dmp

Filesize
4.0MB

Download
memory/2156-1879-0x00007FF70F390000-0x00007FF70F785000-memory.dmp

Filesize
4.0MB

Download
memory/2156-1874-0x00007FF70F390000-0x00007FF70F785000-memory.dmp

Filesize
4.0MB

Download
memory/2156-19-0x00007FF70F390000-0x00007FF70F785000-memory.dmp

Filesize
4.0MB

Download
memory/2272-1886-0x00007FF6DDE50000-0x00007FF6DE245000-memory.dmp

Filesize
4.0MB

Download
memory/2272-861-0x00007FF6DDE50000-0x00007FF6DE245000-memory.dmp

Filesize
4.0MB

Download
memory/2340-815-0x00007FF7FC890000-0x00007FF7FCC85000-memory.dmp

Filesize
4.0MB

Download
memory/2340-1885-0x00007FF7FC890000-0x00007FF7FCC85000-memory.dmp

Filesize
4.0MB

Download
memory/2364-848-0x00007FF75A920000-0x00007FF75AD15000-memory.dmp

Filesize
4.0MB

Download
memory/2364-1896-0x00007FF75A920000-0x00007FF75AD15000-memory.dmp

Filesize
4.0MB

Download
memory/2416-1890-0x00007FF7FE390000-0x00007FF7FE785000-memory.dmp

Filesize
4.0MB

Download
memory/2416-832-0x00007FF7FE390000-0x00007FF7FE785000-memory.dmp

Filesize
4.0MB

Download
memory/2548-29-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp

Filesize
4.0MB

Download
memory/2548-1875-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp

Filesize
4.0MB

Download
memory/2548-1880-0x00007FF6512F0000-0x00007FF6516E5000-memory.dmp

Filesize
4.0MB

Download
memory/2564-1-0x0000020578AF0000-0x0000020578B00000-memory.dmp

Filesize
64KB

Download
memory/2564-0-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp

Filesize
4.0MB

Download
memory/2564-1877-0x00007FF6EE490000-0x00007FF6EE885000-memory.dmp

Filesize
4.0MB

Download
memory/2648-1882-0x00007FF7D09A0000-0x00007FF7D0D95000-memory.dmp

Filesize
4.0MB

Download
memory/2648-813-0x00007FF7D09A0000-0x00007FF7D0D95000-memory.dmp

Filesize
4.0MB

Download
memory/2776-1901-0x00007FF72DF80000-0x00007FF72E375000-memory.dmp

Filesize
4.0MB

Download
memory/2776-855-0x00007FF72DF80000-0x00007FF72E375000-memory.dmp

Filesize
4.0MB

Download
memory/3028-802-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp

Filesize
4.0MB

Download
memory/3028-1876-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp

Filesize
4.0MB

Download
memory/3028-1884-0x00007FF76C4E0000-0x00007FF76C8D5000-memory.dmp

Filesize
4.0MB

Download
memory/3156-1887-0x00007FF79EC80000-0x00007FF79F075000-memory.dmp

Filesize
4.0MB

Download
memory/3156-847-0x00007FF79EC80000-0x00007FF79F075000-memory.dmp

Filesize
4.0MB

Download
memory/3204-853-0x00007FF608D10000-0x00007FF609105000-memory.dmp

Filesize
4.0MB

Download
memory/3204-1897-0x00007FF608D10000-0x00007FF609105000-memory.dmp

Filesize
4.0MB

Download
memory/3312-13-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp

Filesize
4.0MB

Download
memory/3312-1878-0x00007FF62E810000-0x00007FF62EC05000-memory.dmp

Filesize
4.0MB

Download
memory/3428-1898-0x00007FF6D7610000-0x00007FF6D7A05000-memory.dmp

Filesize
4.0MB

Download
memory/3428-859-0x00007FF6D7610000-0x00007FF6D7A05000-memory.dmp

Filesize
4.0MB

Download
memory/4388-874-0x00007FF680ED0000-0x00007FF6812C5000-memory.dmp

Filesize
4.0MB

Download
memory/4388-1892-0x00007FF680ED0000-0x00007FF6812C5000-memory.dmp

Filesize
4.0MB

Download
memory/4580-1893-0x00007FF6499B0000-0x00007FF649DA5000-memory.dmp

Filesize
4.0MB

Download
memory/4580-871-0x00007FF6499B0000-0x00007FF649DA5000-memory.dmp

Filesize
4.0MB

Download
memory/4828-1894-0x00007FF77D480000-0x00007FF77D875000-memory.dmp

Filesize
4.0MB

Download
memory/4828-865-0x00007FF77D480000-0x00007FF77D875000-memory.dmp

Filesize
4.0MB

Download
memory/5016-836-0x00007FF60D910000-0x00007FF60DD05000-memory.dmp

Filesize
4.0MB

Download
memory/5016-1888-0x00007FF60D910000-0x00007FF60DD05000-memory.dmp

Filesize
4.0MB

Download
memory/5036-1900-0x00007FF6675A0000-0x00007FF667995000-memory.dmp

Filesize
4.0MB

Download
memory/5036-841-0x00007FF6675A0000-0x00007FF667995000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads