xmrig | 3bfd4e0cc4418c5da38b56066e8ee264cc584a5b407a62569ef32277b8575fe0

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
Size

3.3MB
MD5

73e3a5219e52b93bcae31f2abf5da630
SHA1

dba7bbcf629e05cf0e88056970ad25f9bd88da87
SHA256

3bfd4e0cc4418c5da38b56066e8ee264cc584a5b407a62569ef32277b8575fe0
SHA512

26b8a78c5776489196265e5e3f176b2c817bce2b6eb8b9542b6f8550c8f185d2d2e16bbfb75da370dcdd0a79420a101794feab53f8787dde3afcb7f48d0d20f5
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc43:NFWPClFn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/972-0-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp	xmrig
behavioral2/files/0x00090000000233ee-5.dat	xmrig
behavioral2/files/0x00070000000233f5-8.dat	xmrig
behavioral2/files/0x00070000000233f6-7.dat	xmrig
behavioral2/files/0x00070000000233f7-20.dat	xmrig
behavioral2/memory/4332-18-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-26.dat	xmrig
behavioral2/memory/1400-33-0x00007FF621D70000-0x00007FF622165000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f9-36.dat	xmrig
behavioral2/files/0x00070000000233fb-45.dat	xmrig
behavioral2/files/0x00070000000233fc-52.dat	xmrig
behavioral2/files/0x00070000000233fe-60.dat	xmrig
behavioral2/files/0x00070000000233ff-67.dat	xmrig
behavioral2/files/0x0007000000023401-77.dat	xmrig
behavioral2/files/0x0007000000023403-85.dat	xmrig
behavioral2/files/0x0007000000023405-97.dat	xmrig
behavioral2/files/0x0007000000023408-113.dat	xmrig
behavioral2/files/0x000700000002340f-145.dat	xmrig
behavioral2/files/0x0007000000023412-160.dat	xmrig
behavioral2/files/0x0007000000023413-168.dat	xmrig
behavioral2/files/0x0007000000023411-158.dat	xmrig
behavioral2/files/0x0007000000023410-153.dat	xmrig
behavioral2/files/0x000700000002340e-143.dat	xmrig
behavioral2/files/0x000700000002340d-138.dat	xmrig
behavioral2/files/0x000700000002340c-133.dat	xmrig
behavioral2/files/0x000700000002340b-128.dat	xmrig
behavioral2/files/0x000700000002340a-123.dat	xmrig
behavioral2/files/0x0007000000023409-118.dat	xmrig
behavioral2/files/0x0007000000023407-108.dat	xmrig
behavioral2/files/0x0007000000023406-103.dat	xmrig
behavioral2/files/0x0007000000023404-92.dat	xmrig
behavioral2/files/0x0007000000023402-82.dat	xmrig
behavioral2/files/0x0007000000023400-72.dat	xmrig
behavioral2/files/0x00070000000233fd-57.dat	xmrig
behavioral2/files/0x00070000000233fa-42.dat	xmrig
behavioral2/memory/960-38-0x00007FF68A020000-0x00007FF68A415000-memory.dmp	xmrig
behavioral2/memory/3884-35-0x00007FF615730000-0x00007FF615B25000-memory.dmp	xmrig
behavioral2/memory/1200-34-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp	xmrig
behavioral2/memory/3968-25-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp	xmrig
behavioral2/memory/1140-843-0x00007FF713C80000-0x00007FF714075000-memory.dmp	xmrig
behavioral2/memory/2800-852-0x00007FF6C5450000-0x00007FF6C5845000-memory.dmp	xmrig
behavioral2/memory/3868-861-0x00007FF7FC770000-0x00007FF7FCB65000-memory.dmp	xmrig
behavioral2/memory/2816-894-0x00007FF7CA740000-0x00007FF7CAB35000-memory.dmp	xmrig
behavioral2/memory/1668-904-0x00007FF6810C0000-0x00007FF6814B5000-memory.dmp	xmrig
behavioral2/memory/5104-917-0x00007FF63CA70000-0x00007FF63CE65000-memory.dmp	xmrig
behavioral2/memory/4676-925-0x00007FF7FB400000-0x00007FF7FB7F5000-memory.dmp	xmrig
behavioral2/memory/3948-911-0x00007FF66FCA0000-0x00007FF670095000-memory.dmp	xmrig
behavioral2/memory/3708-887-0x00007FF7DD370000-0x00007FF7DD765000-memory.dmp	xmrig
behavioral2/memory/1620-877-0x00007FF688840000-0x00007FF688C35000-memory.dmp	xmrig
behavioral2/memory/1768-867-0x00007FF7A7D80000-0x00007FF7A8175000-memory.dmp	xmrig
behavioral2/memory/2364-932-0x00007FF6053E0000-0x00007FF6057D5000-memory.dmp	xmrig
behavioral2/memory/3744-928-0x00007FF7839E0000-0x00007FF783DD5000-memory.dmp	xmrig
behavioral2/memory/2100-936-0x00007FF7586A0000-0x00007FF758A95000-memory.dmp	xmrig
behavioral2/memory/3172-941-0x00007FF7F39A0000-0x00007FF7F3D95000-memory.dmp	xmrig
behavioral2/memory/3160-942-0x00007FF722440000-0x00007FF722835000-memory.dmp	xmrig
behavioral2/memory/1212-946-0x00007FF7C5450000-0x00007FF7C5845000-memory.dmp	xmrig
behavioral2/memory/3812-945-0x00007FF630EA0000-0x00007FF631295000-memory.dmp	xmrig
behavioral2/memory/972-1898-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp	xmrig
behavioral2/memory/1400-1899-0x00007FF621D70000-0x00007FF622165000-memory.dmp	xmrig
behavioral2/memory/1200-1901-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp	xmrig
behavioral2/memory/4332-1900-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp	xmrig
behavioral2/memory/1400-1903-0x00007FF621D70000-0x00007FF622165000-memory.dmp	xmrig
behavioral2/memory/3884-1902-0x00007FF615730000-0x00007FF615B25000-memory.dmp	xmrig
behavioral2/memory/3968-1904-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4332	EIbWXGR.exe
1200	SqbSCPY.exe
3968	mFBbzkY.exe
3884	NYizcFw.exe
1400	eUcplDb.exe
960	FxCKQmR.exe
1140	icoNCuF.exe
2800	oqmtZEx.exe
3868	xBwZhRq.exe
1768	dzCNdvn.exe
1620	uaPcdVM.exe
3708	hGThsNT.exe
2816	eZUTugO.exe
1668	hvRuWLp.exe
3948	NcXQsWr.exe
5104	vtEWiZP.exe
4676	RhddgBh.exe
3744	QzfQbrU.exe
2364	pmSgjCH.exe
2100	ECbdMrg.exe
3172	mlKXJkv.exe
3160	UrcDKAU.exe
3812	UxBGBfl.exe
1212	RpjsizZ.exe
1592	fTEwJcX.exe
804	WYnTeRh.exe
844	rFNLasN.exe
1808	zPfSieF.exe
708	gicVdIn.exe
4148	hQGeLpy.exe
4904	TqeKMUF.exe
3664	BeOTNub.exe
3088	QATUovD.exe
3540	pGkdEGG.exe
3204	aqXvCbD.exe
1612	xUagpUh.exe
4108	XdPFZIp.exe
3056	hUqOrcM.exe
4304	SzbPsOG.exe
1564	bWCBuyr.exe
2008	FObQlLi.exe
532	atxOeuR.exe
464	WgQkdLI.exe
2084	WDxVmTr.exe
4836	lHsXOdX.exe
4956	wqfYPdV.exe
4268	XaCpWCE.exe
3608	rEYDKYq.exe
3660	GaXnUHb.exe
4740	xsYewfS.exe
4620	ktBkCng.exe
4600	KodcMRu.exe
2232	oMtnYUf.exe
912	arhwkzT.exe
3448	ewxcqvb.exe
2476	uejPfGm.exe
3156	bqDXdlm.exe
4980	PQlYRSt.exe
2724	EFhHRUL.exe
1800	UbarIlI.exe
2956	paRvIbX.exe
1280	CCVUHir.exe
856	KxKzlRL.exe
3184	rLKMIjR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/972-0-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp	upx
behavioral2/files/0x00090000000233ee-5.dat	upx
behavioral2/files/0x00070000000233f5-8.dat	upx
behavioral2/files/0x00070000000233f6-7.dat	upx
behavioral2/files/0x00070000000233f7-20.dat	upx
behavioral2/memory/4332-18-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-26.dat	upx
behavioral2/memory/1400-33-0x00007FF621D70000-0x00007FF622165000-memory.dmp	upx
behavioral2/files/0x00070000000233f9-36.dat	upx
behavioral2/files/0x00070000000233fb-45.dat	upx
behavioral2/files/0x00070000000233fc-52.dat	upx
behavioral2/files/0x00070000000233fe-60.dat	upx
behavioral2/files/0x00070000000233ff-67.dat	upx
behavioral2/files/0x0007000000023401-77.dat	upx
behavioral2/files/0x0007000000023403-85.dat	upx
behavioral2/files/0x0007000000023405-97.dat	upx
behavioral2/files/0x0007000000023408-113.dat	upx
behavioral2/files/0x000700000002340f-145.dat	upx
behavioral2/files/0x0007000000023412-160.dat	upx
behavioral2/files/0x0007000000023413-168.dat	upx
behavioral2/files/0x0007000000023411-158.dat	upx
behavioral2/files/0x0007000000023410-153.dat	upx
behavioral2/files/0x000700000002340e-143.dat	upx
behavioral2/files/0x000700000002340d-138.dat	upx
behavioral2/files/0x000700000002340c-133.dat	upx
behavioral2/files/0x000700000002340b-128.dat	upx
behavioral2/files/0x000700000002340a-123.dat	upx
behavioral2/files/0x0007000000023409-118.dat	upx
behavioral2/files/0x0007000000023407-108.dat	upx
behavioral2/files/0x0007000000023406-103.dat	upx
behavioral2/files/0x0007000000023404-92.dat	upx
behavioral2/files/0x0007000000023402-82.dat	upx
behavioral2/files/0x0007000000023400-72.dat	upx
behavioral2/files/0x00070000000233fd-57.dat	upx
behavioral2/files/0x00070000000233fa-42.dat	upx
behavioral2/memory/960-38-0x00007FF68A020000-0x00007FF68A415000-memory.dmp	upx
behavioral2/memory/3884-35-0x00007FF615730000-0x00007FF615B25000-memory.dmp	upx
behavioral2/memory/1200-34-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp	upx
behavioral2/memory/3968-25-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp	upx
behavioral2/memory/1140-843-0x00007FF713C80000-0x00007FF714075000-memory.dmp	upx
behavioral2/memory/2800-852-0x00007FF6C5450000-0x00007FF6C5845000-memory.dmp	upx
behavioral2/memory/3868-861-0x00007FF7FC770000-0x00007FF7FCB65000-memory.dmp	upx
behavioral2/memory/2816-894-0x00007FF7CA740000-0x00007FF7CAB35000-memory.dmp	upx
behavioral2/memory/1668-904-0x00007FF6810C0000-0x00007FF6814B5000-memory.dmp	upx
behavioral2/memory/5104-917-0x00007FF63CA70000-0x00007FF63CE65000-memory.dmp	upx
behavioral2/memory/4676-925-0x00007FF7FB400000-0x00007FF7FB7F5000-memory.dmp	upx
behavioral2/memory/3948-911-0x00007FF66FCA0000-0x00007FF670095000-memory.dmp	upx
behavioral2/memory/3708-887-0x00007FF7DD370000-0x00007FF7DD765000-memory.dmp	upx
behavioral2/memory/1620-877-0x00007FF688840000-0x00007FF688C35000-memory.dmp	upx
behavioral2/memory/1768-867-0x00007FF7A7D80000-0x00007FF7A8175000-memory.dmp	upx
behavioral2/memory/2364-932-0x00007FF6053E0000-0x00007FF6057D5000-memory.dmp	upx
behavioral2/memory/3744-928-0x00007FF7839E0000-0x00007FF783DD5000-memory.dmp	upx
behavioral2/memory/2100-936-0x00007FF7586A0000-0x00007FF758A95000-memory.dmp	upx
behavioral2/memory/3172-941-0x00007FF7F39A0000-0x00007FF7F3D95000-memory.dmp	upx
behavioral2/memory/3160-942-0x00007FF722440000-0x00007FF722835000-memory.dmp	upx
behavioral2/memory/1212-946-0x00007FF7C5450000-0x00007FF7C5845000-memory.dmp	upx
behavioral2/memory/3812-945-0x00007FF630EA0000-0x00007FF631295000-memory.dmp	upx
behavioral2/memory/972-1898-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp	upx
behavioral2/memory/1400-1899-0x00007FF621D70000-0x00007FF622165000-memory.dmp	upx
behavioral2/memory/1200-1901-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp	upx
behavioral2/memory/4332-1900-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp	upx
behavioral2/memory/1400-1903-0x00007FF621D70000-0x00007FF622165000-memory.dmp	upx
behavioral2/memory/3884-1902-0x00007FF615730000-0x00007FF615B25000-memory.dmp	upx
behavioral2/memory/3968-1904-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\VeijGNQ.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\fyOLIGB.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\KHXCUqx.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\UQEATRF.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\jLUHaCc.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\kSOYtNW.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\OADuatx.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\pGZZRlk.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\DSgXrdk.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\TXSuKTT.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\MsUWOnG.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\TONdxzD.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\atxOeuR.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\CphdkiP.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\NIvbOGp.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\HSRbSPg.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\jcsjVke.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\wcFoXgK.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\SvsGcJD.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\uGEdSIv.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\QzfQbrU.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\DlgJseC.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\pxtXDAc.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\SnorzsU.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\mOlgDwZ.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\HyhWlVG.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\CHjCLbp.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\AagxitJ.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\aqXvCbD.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\YWKeGjM.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\FicvECG.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\jJpsYKF.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\nQCVFKn.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\RJUthHV.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\xBwZhRq.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\eEmmUFH.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\VMAscxj.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\xuScECf.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\PkcxUER.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\aOavzzh.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\EMFbPRX.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\SqalDjE.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\qutjQan.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\qoTpYpd.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\lEiGkqE.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\mbEHOKu.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\WoiPulT.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\XEmnOvp.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\gVyWXLr.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\rFNLasN.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\sEGUPph.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\fgheylR.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\oQbHxwG.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\yZePJol.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\olhPEBY.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\uvaeZho.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\QeZqnOI.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\nRnJcoc.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\rMBTphZ.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\KmNJXRj.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\ZFLOHAe.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\qExDsLm.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\QyoWXbM.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
File created	C:\Windows\System32\oYYrZec.exe	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	1596	dwm.exe
Token: SeChangeNotifyPrivilege	1596	dwm.exe
Token: 33	1596	dwm.exe
Token: SeIncBasePriorityPrivilege	1596	dwm.exe
Token: SeShutdownPrivilege	1596	dwm.exe
Token: SeCreatePagefilePrivilege	1596	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4332	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	83
PID 972 wrote to memory of 4332	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	83
PID 972 wrote to memory of 1200	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	84
PID 972 wrote to memory of 1200	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	84
PID 972 wrote to memory of 3968	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	85
PID 972 wrote to memory of 3968	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	85
PID 972 wrote to memory of 3884	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	86
PID 972 wrote to memory of 3884	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	86
PID 972 wrote to memory of 1400	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	87
PID 972 wrote to memory of 1400	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	87
PID 972 wrote to memory of 960	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	88
PID 972 wrote to memory of 960	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	88
PID 972 wrote to memory of 1140	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	89
PID 972 wrote to memory of 1140	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	89
PID 972 wrote to memory of 2800	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	90
PID 972 wrote to memory of 2800	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	90
PID 972 wrote to memory of 3868	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	91
PID 972 wrote to memory of 3868	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	91
PID 972 wrote to memory of 1768	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	92
PID 972 wrote to memory of 1768	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	92
PID 972 wrote to memory of 1620	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	93
PID 972 wrote to memory of 1620	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	93
PID 972 wrote to memory of 3708	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	94
PID 972 wrote to memory of 3708	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	94
PID 972 wrote to memory of 2816	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	95
PID 972 wrote to memory of 2816	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	95
PID 972 wrote to memory of 1668	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	96
PID 972 wrote to memory of 1668	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	96
PID 972 wrote to memory of 3948	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	97
PID 972 wrote to memory of 3948	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	97
PID 972 wrote to memory of 5104	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	98
PID 972 wrote to memory of 5104	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	98
PID 972 wrote to memory of 4676	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	99
PID 972 wrote to memory of 4676	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	99
PID 972 wrote to memory of 3744	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	100
PID 972 wrote to memory of 3744	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	100
PID 972 wrote to memory of 2364	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	101
PID 972 wrote to memory of 2364	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	101
PID 972 wrote to memory of 2100	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	102
PID 972 wrote to memory of 2100	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	102
PID 972 wrote to memory of 3172	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	103
PID 972 wrote to memory of 3172	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	103
PID 972 wrote to memory of 3160	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	104
PID 972 wrote to memory of 3160	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	104
PID 972 wrote to memory of 3812	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	105
PID 972 wrote to memory of 3812	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	105
PID 972 wrote to memory of 1212	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	106
PID 972 wrote to memory of 1212	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	106
PID 972 wrote to memory of 1592	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	107
PID 972 wrote to memory of 1592	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	107
PID 972 wrote to memory of 804	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	108
PID 972 wrote to memory of 804	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	108
PID 972 wrote to memory of 844	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	109
PID 972 wrote to memory of 844	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	109
PID 972 wrote to memory of 1808	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	110
PID 972 wrote to memory of 1808	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	110
PID 972 wrote to memory of 708	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	111
PID 972 wrote to memory of 708	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	111
PID 972 wrote to memory of 4148	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	112
PID 972 wrote to memory of 4148	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	112
PID 972 wrote to memory of 4904	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	113
PID 972 wrote to memory of 4904	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	113
PID 972 wrote to memory of 3664	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	114
PID 972 wrote to memory of 3664	972	73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73e3a5219e52b93bcae31f2abf5da630_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\System32\EIbWXGR.exe
  C:\Windows\System32\EIbWXGR.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\SqbSCPY.exe
  C:\Windows\System32\SqbSCPY.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\mFBbzkY.exe
  C:\Windows\System32\mFBbzkY.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\NYizcFw.exe
  C:\Windows\System32\NYizcFw.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\eUcplDb.exe
  C:\Windows\System32\eUcplDb.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System32\FxCKQmR.exe
  C:\Windows\System32\FxCKQmR.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\icoNCuF.exe
  C:\Windows\System32\icoNCuF.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System32\oqmtZEx.exe
  C:\Windows\System32\oqmtZEx.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\xBwZhRq.exe
  C:\Windows\System32\xBwZhRq.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\dzCNdvn.exe
  C:\Windows\System32\dzCNdvn.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System32\uaPcdVM.exe
  C:\Windows\System32\uaPcdVM.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\hGThsNT.exe
  C:\Windows\System32\hGThsNT.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\eZUTugO.exe
  C:\Windows\System32\eZUTugO.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\hvRuWLp.exe
  C:\Windows\System32\hvRuWLp.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\NcXQsWr.exe
  C:\Windows\System32\NcXQsWr.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\vtEWiZP.exe
  C:\Windows\System32\vtEWiZP.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\RhddgBh.exe
  C:\Windows\System32\RhddgBh.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\QzfQbrU.exe
  C:\Windows\System32\QzfQbrU.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\pmSgjCH.exe
  C:\Windows\System32\pmSgjCH.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\ECbdMrg.exe
  C:\Windows\System32\ECbdMrg.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\mlKXJkv.exe
  C:\Windows\System32\mlKXJkv.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\UrcDKAU.exe
  C:\Windows\System32\UrcDKAU.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\UxBGBfl.exe
  C:\Windows\System32\UxBGBfl.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\RpjsizZ.exe
  C:\Windows\System32\RpjsizZ.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\fTEwJcX.exe
  C:\Windows\System32\fTEwJcX.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System32\WYnTeRh.exe
  C:\Windows\System32\WYnTeRh.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System32\rFNLasN.exe
  C:\Windows\System32\rFNLasN.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\zPfSieF.exe
  C:\Windows\System32\zPfSieF.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\gicVdIn.exe
  C:\Windows\System32\gicVdIn.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System32\hQGeLpy.exe
  C:\Windows\System32\hQGeLpy.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\TqeKMUF.exe
  C:\Windows\System32\TqeKMUF.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\BeOTNub.exe
  C:\Windows\System32\BeOTNub.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\QATUovD.exe
  C:\Windows\System32\QATUovD.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\pGkdEGG.exe
  C:\Windows\System32\pGkdEGG.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\aqXvCbD.exe
  C:\Windows\System32\aqXvCbD.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\xUagpUh.exe
  C:\Windows\System32\xUagpUh.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\XdPFZIp.exe
  C:\Windows\System32\XdPFZIp.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\hUqOrcM.exe
  C:\Windows\System32\hUqOrcM.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\SzbPsOG.exe
  C:\Windows\System32\SzbPsOG.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\bWCBuyr.exe
  C:\Windows\System32\bWCBuyr.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System32\FObQlLi.exe
  C:\Windows\System32\FObQlLi.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\atxOeuR.exe
  C:\Windows\System32\atxOeuR.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\WgQkdLI.exe
  C:\Windows\System32\WgQkdLI.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\WDxVmTr.exe
  C:\Windows\System32\WDxVmTr.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\lHsXOdX.exe
  C:\Windows\System32\lHsXOdX.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\wqfYPdV.exe
  C:\Windows\System32\wqfYPdV.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\XaCpWCE.exe
  C:\Windows\System32\XaCpWCE.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\rEYDKYq.exe
  C:\Windows\System32\rEYDKYq.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\GaXnUHb.exe
  C:\Windows\System32\GaXnUHb.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\xsYewfS.exe
  C:\Windows\System32\xsYewfS.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\ktBkCng.exe
  C:\Windows\System32\ktBkCng.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\KodcMRu.exe
  C:\Windows\System32\KodcMRu.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\oMtnYUf.exe
  C:\Windows\System32\oMtnYUf.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\arhwkzT.exe
  C:\Windows\System32\arhwkzT.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System32\ewxcqvb.exe
  C:\Windows\System32\ewxcqvb.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\uejPfGm.exe
  C:\Windows\System32\uejPfGm.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\bqDXdlm.exe
  C:\Windows\System32\bqDXdlm.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\PQlYRSt.exe
  C:\Windows\System32\PQlYRSt.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\EFhHRUL.exe
  C:\Windows\System32\EFhHRUL.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System32\UbarIlI.exe
  C:\Windows\System32\UbarIlI.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\paRvIbX.exe
  C:\Windows\System32\paRvIbX.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\CCVUHir.exe
  C:\Windows\System32\CCVUHir.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\KxKzlRL.exe
  C:\Windows\System32\KxKzlRL.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\rLKMIjR.exe
  C:\Windows\System32\rLKMIjR.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\oefHjjz.exe
  C:\Windows\System32\oefHjjz.exe
  2⤵
  PID:2560
- C:\Windows\System32\xKrPDQA.exe
  C:\Windows\System32\xKrPDQA.exe
  2⤵
  PID:4156
- C:\Windows\System32\vpSOVlL.exe
  C:\Windows\System32\vpSOVlL.exe
  2⤵
  PID:4232
- C:\Windows\System32\jXxYEnw.exe
  C:\Windows\System32\jXxYEnw.exe
  2⤵
  PID:1876
- C:\Windows\System32\cQmqsgF.exe
  C:\Windows\System32\cQmqsgF.exe
  2⤵
  PID:800
- C:\Windows\System32\RvINoyA.exe
  C:\Windows\System32\RvINoyA.exe
  2⤵
  PID:548
- C:\Windows\System32\crfiDZR.exe
  C:\Windows\System32\crfiDZR.exe
  2⤵
  PID:4476
- C:\Windows\System32\UfeBOZn.exe
  C:\Windows\System32\UfeBOZn.exe
  2⤵
  PID:3176
- C:\Windows\System32\VYzlfDs.exe
  C:\Windows\System32\VYzlfDs.exe
  2⤵
  PID:4604
- C:\Windows\System32\hYzbICL.exe
  C:\Windows\System32\hYzbICL.exe
  2⤵
  PID:1848
- C:\Windows\System32\jtttxkH.exe
  C:\Windows\System32\jtttxkH.exe
  2⤵
  PID:1472
- C:\Windows\System32\mbHOEXQ.exe
  C:\Windows\System32\mbHOEXQ.exe
  2⤵
  PID:996
- C:\Windows\System32\SpahaTD.exe
  C:\Windows\System32\SpahaTD.exe
  2⤵
  PID:4552
- C:\Windows\System32\opkinYo.exe
  C:\Windows\System32\opkinYo.exe
  2⤵
  PID:2276
- C:\Windows\System32\NyWGwAS.exe
  C:\Windows\System32\NyWGwAS.exe
  2⤵
  PID:1608
- C:\Windows\System32\xLXXTYy.exe
  C:\Windows\System32\xLXXTYy.exe
  2⤵
  PID:4696
- C:\Windows\System32\dgymvqZ.exe
  C:\Windows\System32\dgymvqZ.exe
  2⤵
  PID:3616
- C:\Windows\System32\ebOJcxl.exe
  C:\Windows\System32\ebOJcxl.exe
  2⤵
  PID:5136
- C:\Windows\System32\DlgJseC.exe
  C:\Windows\System32\DlgJseC.exe
  2⤵
  PID:5164
- C:\Windows\System32\tSwvMFN.exe
  C:\Windows\System32\tSwvMFN.exe
  2⤵
  PID:5192
- C:\Windows\System32\ggCOUhF.exe
  C:\Windows\System32\ggCOUhF.exe
  2⤵
  PID:5220
- C:\Windows\System32\sozRJsK.exe
  C:\Windows\System32\sozRJsK.exe
  2⤵
  PID:5248
- C:\Windows\System32\AZegKrM.exe
  C:\Windows\System32\AZegKrM.exe
  2⤵
  PID:5288
- C:\Windows\System32\ImOkceM.exe
  C:\Windows\System32\ImOkceM.exe
  2⤵
  PID:5304
- C:\Windows\System32\gbjcaoi.exe
  C:\Windows\System32\gbjcaoi.exe
  2⤵
  PID:5344
- C:\Windows\System32\FCQmzRs.exe
  C:\Windows\System32\FCQmzRs.exe
  2⤵
  PID:5360
- C:\Windows\System32\Ydnycle.exe
  C:\Windows\System32\Ydnycle.exe
  2⤵
  PID:5388
- C:\Windows\System32\VqIrhFl.exe
  C:\Windows\System32\VqIrhFl.exe
  2⤵
  PID:5416
- C:\Windows\System32\rbdeWkF.exe
  C:\Windows\System32\rbdeWkF.exe
  2⤵
  PID:5444
- C:\Windows\System32\pCjOXOF.exe
  C:\Windows\System32\pCjOXOF.exe
  2⤵
  PID:5472
- C:\Windows\System32\bDavvCT.exe
  C:\Windows\System32\bDavvCT.exe
  2⤵
  PID:5500
- C:\Windows\System32\yXjPiEv.exe
  C:\Windows\System32\yXjPiEv.exe
  2⤵
  PID:5528
- C:\Windows\System32\iYKRMbM.exe
  C:\Windows\System32\iYKRMbM.exe
  2⤵
  PID:5556
- C:\Windows\System32\nFUfNrm.exe
  C:\Windows\System32\nFUfNrm.exe
  2⤵
  PID:5584
- C:\Windows\System32\uEogQTH.exe
  C:\Windows\System32\uEogQTH.exe
  2⤵
  PID:5612
- C:\Windows\System32\BgsqAqo.exe
  C:\Windows\System32\BgsqAqo.exe
  2⤵
  PID:5640
- C:\Windows\System32\Fpaprvl.exe
  C:\Windows\System32\Fpaprvl.exe
  2⤵
  PID:5668
- C:\Windows\System32\HIzhXDK.exe
  C:\Windows\System32\HIzhXDK.exe
  2⤵
  PID:5696
- C:\Windows\System32\VOSjjqA.exe
  C:\Windows\System32\VOSjjqA.exe
  2⤵
  PID:5736
- C:\Windows\System32\eamHXXB.exe
  C:\Windows\System32\eamHXXB.exe
  2⤵
  PID:5752
- C:\Windows\System32\RRaCvKu.exe
  C:\Windows\System32\RRaCvKu.exe
  2⤵
  PID:5780
- C:\Windows\System32\jLUHaCc.exe
  C:\Windows\System32\jLUHaCc.exe
  2⤵
  PID:5808
- C:\Windows\System32\dLXtXMu.exe
  C:\Windows\System32\dLXtXMu.exe
  2⤵
  PID:5836
- C:\Windows\System32\sEGUPph.exe
  C:\Windows\System32\sEGUPph.exe
  2⤵
  PID:5864
- C:\Windows\System32\FfhlSQw.exe
  C:\Windows\System32\FfhlSQw.exe
  2⤵
  PID:5892
- C:\Windows\System32\PLeKxql.exe
  C:\Windows\System32\PLeKxql.exe
  2⤵
  PID:5920
- C:\Windows\System32\xmzeiTP.exe
  C:\Windows\System32\xmzeiTP.exe
  2⤵
  PID:5948
- C:\Windows\System32\aqQHJcA.exe
  C:\Windows\System32\aqQHJcA.exe
  2⤵
  PID:5976
- C:\Windows\System32\YCqoOzP.exe
  C:\Windows\System32\YCqoOzP.exe
  2⤵
  PID:6004
- C:\Windows\System32\ubXANlj.exe
  C:\Windows\System32\ubXANlj.exe
  2⤵
  PID:6032
- C:\Windows\System32\teGXjyf.exe
  C:\Windows\System32\teGXjyf.exe
  2⤵
  PID:6060
- C:\Windows\System32\IqAKfZS.exe
  C:\Windows\System32\IqAKfZS.exe
  2⤵
  PID:6088
- C:\Windows\System32\XEqJRGU.exe
  C:\Windows\System32\XEqJRGU.exe
  2⤵
  PID:6116
- C:\Windows\System32\YWKeGjM.exe
  C:\Windows\System32\YWKeGjM.exe
  2⤵
  PID:880
- C:\Windows\System32\FPKnsIw.exe
  C:\Windows\System32\FPKnsIw.exe
  2⤵
  PID:1952
- C:\Windows\System32\kSOYtNW.exe
  C:\Windows\System32\kSOYtNW.exe
  2⤵
  PID:3944
- C:\Windows\System32\UqbdzlK.exe
  C:\Windows\System32\UqbdzlK.exe
  2⤵
  PID:2464
- C:\Windows\System32\onAJfUS.exe
  C:\Windows\System32\onAJfUS.exe
  2⤵
  PID:2032
- C:\Windows\System32\SNMMtrr.exe
  C:\Windows\System32\SNMMtrr.exe
  2⤵
  PID:5152
- C:\Windows\System32\qoISNce.exe
  C:\Windows\System32\qoISNce.exe
  2⤵
  PID:5200
- C:\Windows\System32\nmFONmu.exe
  C:\Windows\System32\nmFONmu.exe
  2⤵
  PID:5268
- C:\Windows\System32\eEmmUFH.exe
  C:\Windows\System32\eEmmUFH.exe
  2⤵
  PID:5328
- C:\Windows\System32\MRMoKKQ.exe
  C:\Windows\System32\MRMoKKQ.exe
  2⤵
  PID:5396
- C:\Windows\System32\pxtXDAc.exe
  C:\Windows\System32\pxtXDAc.exe
  2⤵
  PID:5464
- C:\Windows\System32\IZlVKKv.exe
  C:\Windows\System32\IZlVKKv.exe
  2⤵
  PID:5544
- C:\Windows\System32\DDeOnhZ.exe
  C:\Windows\System32\DDeOnhZ.exe
  2⤵
  PID:5592
- C:\Windows\System32\yPnUfRz.exe
  C:\Windows\System32\yPnUfRz.exe
  2⤵
  PID:5648
- C:\Windows\System32\KdRaKsO.exe
  C:\Windows\System32\KdRaKsO.exe
  2⤵
  PID:5728
- C:\Windows\System32\nRnJcoc.exe
  C:\Windows\System32\nRnJcoc.exe
  2⤵
  PID:5788
- C:\Windows\System32\JwMcjsW.exe
  C:\Windows\System32\JwMcjsW.exe
  2⤵
  PID:5856
- C:\Windows\System32\zCXIrFw.exe
  C:\Windows\System32\zCXIrFw.exe
  2⤵
  PID:5936
- C:\Windows\System32\DeKxTLK.exe
  C:\Windows\System32\DeKxTLK.exe
  2⤵
  PID:5984
- C:\Windows\System32\FfaRCGy.exe
  C:\Windows\System32\FfaRCGy.exe
  2⤵
  PID:6052
- C:\Windows\System32\EeLfeQZ.exe
  C:\Windows\System32\EeLfeQZ.exe
  2⤵
  PID:6132
- C:\Windows\System32\LxSiYvI.exe
  C:\Windows\System32\LxSiYvI.exe
  2⤵
  PID:2592
- C:\Windows\System32\oAoUSFP.exe
  C:\Windows\System32\oAoUSFP.exe
  2⤵
  PID:2180
- C:\Windows\System32\JsGlWpl.exe
  C:\Windows\System32\JsGlWpl.exe
  2⤵
  PID:5240
- C:\Windows\System32\HyhWlVG.exe
  C:\Windows\System32\HyhWlVG.exe
  2⤵
  PID:5368
- C:\Windows\System32\eDGoTzg.exe
  C:\Windows\System32\eDGoTzg.exe
  2⤵
  PID:5480
- C:\Windows\System32\qutjQan.exe
  C:\Windows\System32\qutjQan.exe
  2⤵
  PID:5656
- C:\Windows\System32\tmjPIVp.exe
  C:\Windows\System32\tmjPIVp.exe
  2⤵
  PID:5772
- C:\Windows\System32\ORgIlqI.exe
  C:\Windows\System32\ORgIlqI.exe
  2⤵
  PID:5956
- C:\Windows\System32\akENpMV.exe
  C:\Windows\System32\akENpMV.exe
  2⤵
  PID:6068
- C:\Windows\System32\ZrqySvM.exe
  C:\Windows\System32\ZrqySvM.exe
  2⤵
  PID:6164
- C:\Windows\System32\dsNUMNY.exe
  C:\Windows\System32\dsNUMNY.exe
  2⤵
  PID:6192
- C:\Windows\System32\ANbLWOq.exe
  C:\Windows\System32\ANbLWOq.exe
  2⤵
  PID:6220
- C:\Windows\System32\TdHGVJD.exe
  C:\Windows\System32\TdHGVJD.exe
  2⤵
  PID:6248
- C:\Windows\System32\VeUzqAo.exe
  C:\Windows\System32\VeUzqAo.exe
  2⤵
  PID:6276
- C:\Windows\System32\JHEwBFv.exe
  C:\Windows\System32\JHEwBFv.exe
  2⤵
  PID:6304
- C:\Windows\System32\DSgXrdk.exe
  C:\Windows\System32\DSgXrdk.exe
  2⤵
  PID:6332
- C:\Windows\System32\bqPmipE.exe
  C:\Windows\System32\bqPmipE.exe
  2⤵
  PID:6360
- C:\Windows\System32\YXnRrNl.exe
  C:\Windows\System32\YXnRrNl.exe
  2⤵
  PID:6388
- C:\Windows\System32\MWMuTPU.exe
  C:\Windows\System32\MWMuTPU.exe
  2⤵
  PID:6416
- C:\Windows\System32\pQkLhdD.exe
  C:\Windows\System32\pQkLhdD.exe
  2⤵
  PID:6444
- C:\Windows\System32\ohWkUWE.exe
  C:\Windows\System32\ohWkUWE.exe
  2⤵
  PID:6472
- C:\Windows\System32\chzlLGQ.exe
  C:\Windows\System32\chzlLGQ.exe
  2⤵
  PID:6500
- C:\Windows\System32\IMOwpIc.exe
  C:\Windows\System32\IMOwpIc.exe
  2⤵
  PID:6528
- C:\Windows\System32\olLkVrc.exe
  C:\Windows\System32\olLkVrc.exe
  2⤵
  PID:6556
- C:\Windows\System32\AVrjzDg.exe
  C:\Windows\System32\AVrjzDg.exe
  2⤵
  PID:6584
- C:\Windows\System32\JdysZhn.exe
  C:\Windows\System32\JdysZhn.exe
  2⤵
  PID:6612
- C:\Windows\System32\VnxzoNO.exe
  C:\Windows\System32\VnxzoNO.exe
  2⤵
  PID:6640
- C:\Windows\System32\VfJcokI.exe
  C:\Windows\System32\VfJcokI.exe
  2⤵
  PID:6668
- C:\Windows\System32\XQnnvvY.exe
  C:\Windows\System32\XQnnvvY.exe
  2⤵
  PID:6696
- C:\Windows\System32\rMBTphZ.exe
  C:\Windows\System32\rMBTphZ.exe
  2⤵
  PID:6724
- C:\Windows\System32\homEczl.exe
  C:\Windows\System32\homEczl.exe
  2⤵
  PID:6752
- C:\Windows\System32\XmyTviE.exe
  C:\Windows\System32\XmyTviE.exe
  2⤵
  PID:6780
- C:\Windows\System32\iYVMdIB.exe
  C:\Windows\System32\iYVMdIB.exe
  2⤵
  PID:6808
- C:\Windows\System32\iBwcWAq.exe
  C:\Windows\System32\iBwcWAq.exe
  2⤵
  PID:6836
- C:\Windows\System32\bUBbmau.exe
  C:\Windows\System32\bUBbmau.exe
  2⤵
  PID:6864
- C:\Windows\System32\qoTpYpd.exe
  C:\Windows\System32\qoTpYpd.exe
  2⤵
  PID:6892
- C:\Windows\System32\PxahrBl.exe
  C:\Windows\System32\PxahrBl.exe
  2⤵
  PID:6920
- C:\Windows\System32\wioGggP.exe
  C:\Windows\System32\wioGggP.exe
  2⤵
  PID:6956
- C:\Windows\System32\jSGeSZK.exe
  C:\Windows\System32\jSGeSZK.exe
  2⤵
  PID:6976
- C:\Windows\System32\dYkJbuO.exe
  C:\Windows\System32\dYkJbuO.exe
  2⤵
  PID:7004
- C:\Windows\System32\PkzoYJr.exe
  C:\Windows\System32\PkzoYJr.exe
  2⤵
  PID:7032
- C:\Windows\System32\rYduVTR.exe
  C:\Windows\System32\rYduVTR.exe
  2⤵
  PID:7060
- C:\Windows\System32\RlyCXxa.exe
  C:\Windows\System32\RlyCXxa.exe
  2⤵
  PID:7088
- C:\Windows\System32\iBccukg.exe
  C:\Windows\System32\iBccukg.exe
  2⤵
  PID:7116
- C:\Windows\System32\ZDIPEHB.exe
  C:\Windows\System32\ZDIPEHB.exe
  2⤵
  PID:7144
- C:\Windows\System32\fQohAzq.exe
  C:\Windows\System32\fQohAzq.exe
  2⤵
  PID:3212
- C:\Windows\System32\tGUMTnB.exe
  C:\Windows\System32\tGUMTnB.exe
  2⤵
  PID:5296
- C:\Windows\System32\fgheylR.exe
  C:\Windows\System32\fgheylR.exe
  2⤵
  PID:5564
- C:\Windows\System32\WsyoFNM.exe
  C:\Windows\System32\WsyoFNM.exe
  2⤵
  PID:5872
- C:\Windows\System32\dqvnwhe.exe
  C:\Windows\System32\dqvnwhe.exe
  2⤵
  PID:6184
- C:\Windows\System32\gQAHeRl.exe
  C:\Windows\System32\gQAHeRl.exe
  2⤵
  PID:6236
- C:\Windows\System32\iqYJzNX.exe
  C:\Windows\System32\iqYJzNX.exe
  2⤵
  PID:6284
- C:\Windows\System32\OADuatx.exe
  C:\Windows\System32\OADuatx.exe
  2⤵
  PID:6352
- C:\Windows\System32\gwmZCEH.exe
  C:\Windows\System32\gwmZCEH.exe
  2⤵
  PID:6432
- C:\Windows\System32\QvHkSuT.exe
  C:\Windows\System32\QvHkSuT.exe
  2⤵
  PID:6480
- C:\Windows\System32\KmNJXRj.exe
  C:\Windows\System32\KmNJXRj.exe
  2⤵
  PID:6548
- C:\Windows\System32\DWqNaUt.exe
  C:\Windows\System32\DWqNaUt.exe
  2⤵
  PID:6628
- C:\Windows\System32\YfCJpeQ.exe
  C:\Windows\System32\YfCJpeQ.exe
  2⤵
  PID:6684
- C:\Windows\System32\wfcnbAc.exe
  C:\Windows\System32\wfcnbAc.exe
  2⤵
  PID:6740
- C:\Windows\System32\tVNLbrf.exe
  C:\Windows\System32\tVNLbrf.exe
  2⤵
  PID:6796
- C:\Windows\System32\qExDsLm.exe
  C:\Windows\System32\qExDsLm.exe
  2⤵
  PID:6844
- C:\Windows\System32\XDQjgMO.exe
  C:\Windows\System32\XDQjgMO.exe
  2⤵
  PID:6940
- C:\Windows\System32\VOeWEvX.exe
  C:\Windows\System32\VOeWEvX.exe
  2⤵
  PID:6984
- C:\Windows\System32\wurONJT.exe
  C:\Windows\System32\wurONJT.exe
  2⤵
  PID:7076
- C:\Windows\System32\hqlYMxl.exe
  C:\Windows\System32\hqlYMxl.exe
  2⤵
  PID:1092
- C:\Windows\System32\NwWGDOG.exe
  C:\Windows\System32\NwWGDOG.exe
  2⤵
  PID:5156
- C:\Windows\System32\aYmLanA.exe
  C:\Windows\System32\aYmLanA.exe
  2⤵
  PID:5312
- C:\Windows\System32\WfmTuVX.exe
  C:\Windows\System32\WfmTuVX.exe
  2⤵
  PID:5968
- C:\Windows\System32\ucPqLcR.exe
  C:\Windows\System32\ucPqLcR.exe
  2⤵
  PID:6324
- C:\Windows\System32\JvOVRAt.exe
  C:\Windows\System32\JvOVRAt.exe
  2⤵
  PID:6436
- C:\Windows\System32\lAuFPKb.exe
  C:\Windows\System32\lAuFPKb.exe
  2⤵
  PID:6564
- C:\Windows\System32\MIlqKUL.exe
  C:\Windows\System32\MIlqKUL.exe
  2⤵
  PID:6704
- C:\Windows\System32\sOcYKLK.exe
  C:\Windows\System32\sOcYKLK.exe
  2⤵
  PID:6872
- C:\Windows\System32\VjBejnL.exe
  C:\Windows\System32\VjBejnL.exe
  2⤵
  PID:7020
- C:\Windows\System32\kSDszBc.exe
  C:\Windows\System32\kSDszBc.exe
  2⤵
  PID:3388
- C:\Windows\System32\xGoCOeu.exe
  C:\Windows\System32\xGoCOeu.exe
  2⤵
  PID:7180
- C:\Windows\System32\bYWMSlh.exe
  C:\Windows\System32\bYWMSlh.exe
  2⤵
  PID:7208
- C:\Windows\System32\wCptliR.exe
  C:\Windows\System32\wCptliR.exe
  2⤵
  PID:7248
- C:\Windows\System32\muyxeXk.exe
  C:\Windows\System32\muyxeXk.exe
  2⤵
  PID:7264
- C:\Windows\System32\PcDCYxd.exe
  C:\Windows\System32\PcDCYxd.exe
  2⤵
  PID:7292
- C:\Windows\System32\kNfiMaE.exe
  C:\Windows\System32\kNfiMaE.exe
  2⤵
  PID:7320
- C:\Windows\System32\ukDwTeX.exe
  C:\Windows\System32\ukDwTeX.exe
  2⤵
  PID:7348
- C:\Windows\System32\fbvlgaQ.exe
  C:\Windows\System32\fbvlgaQ.exe
  2⤵
  PID:7384
- C:\Windows\System32\ZqnItWE.exe
  C:\Windows\System32\ZqnItWE.exe
  2⤵
  PID:7412
- C:\Windows\System32\QyoWXbM.exe
  C:\Windows\System32\QyoWXbM.exe
  2⤵
  PID:7444
- C:\Windows\System32\IyeqFAi.exe
  C:\Windows\System32\IyeqFAi.exe
  2⤵
  PID:7468
- C:\Windows\System32\DIEedfA.exe
  C:\Windows\System32\DIEedfA.exe
  2⤵
  PID:7496
- C:\Windows\System32\aHJwFbD.exe
  C:\Windows\System32\aHJwFbD.exe
  2⤵
  PID:7528
- C:\Windows\System32\IGitJmC.exe
  C:\Windows\System32\IGitJmC.exe
  2⤵
  PID:7544
- C:\Windows\System32\OBpzkyw.exe
  C:\Windows\System32\OBpzkyw.exe
  2⤵
  PID:7572
- C:\Windows\System32\TuPEtDx.exe
  C:\Windows\System32\TuPEtDx.exe
  2⤵
  PID:7600
- C:\Windows\System32\QGUkoGY.exe
  C:\Windows\System32\QGUkoGY.exe
  2⤵
  PID:7636
- C:\Windows\System32\uydzuSA.exe
  C:\Windows\System32\uydzuSA.exe
  2⤵
  PID:7656
- C:\Windows\System32\LzHneqt.exe
  C:\Windows\System32\LzHneqt.exe
  2⤵
  PID:7696
- C:\Windows\System32\pjLPHlY.exe
  C:\Windows\System32\pjLPHlY.exe
  2⤵
  PID:7720
- C:\Windows\System32\wvbVoCJ.exe
  C:\Windows\System32\wvbVoCJ.exe
  2⤵
  PID:7740
- C:\Windows\System32\UejyHZl.exe
  C:\Windows\System32\UejyHZl.exe
  2⤵
  PID:7768
- C:\Windows\System32\fNDNARO.exe
  C:\Windows\System32\fNDNARO.exe
  2⤵
  PID:7796
- C:\Windows\System32\ifpDOPK.exe
  C:\Windows\System32\ifpDOPK.exe
  2⤵
  PID:7824
- C:\Windows\System32\ttZQeFA.exe
  C:\Windows\System32\ttZQeFA.exe
  2⤵
  PID:7852
- C:\Windows\System32\yASAnpe.exe
  C:\Windows\System32\yASAnpe.exe
  2⤵
  PID:7880
- C:\Windows\System32\IMXXfIc.exe
  C:\Windows\System32\IMXXfIc.exe
  2⤵
  PID:7908
- C:\Windows\System32\ZScIwcY.exe
  C:\Windows\System32\ZScIwcY.exe
  2⤵
  PID:7948
- C:\Windows\System32\GqJkUTe.exe
  C:\Windows\System32\GqJkUTe.exe
  2⤵
  PID:7964
- C:\Windows\System32\IBeUqXA.exe
  C:\Windows\System32\IBeUqXA.exe
  2⤵
  PID:7992
- C:\Windows\System32\hOPeMWM.exe
  C:\Windows\System32\hOPeMWM.exe
  2⤵
  PID:8020
- C:\Windows\System32\lEiGkqE.exe
  C:\Windows\System32\lEiGkqE.exe
  2⤵
  PID:8048
- C:\Windows\System32\oYYrZec.exe
  C:\Windows\System32\oYYrZec.exe
  2⤵
  PID:8076
- C:\Windows\System32\lOgMqnM.exe
  C:\Windows\System32\lOgMqnM.exe
  2⤵
  PID:8104
- C:\Windows\System32\VkEUitc.exe
  C:\Windows\System32\VkEUitc.exe
  2⤵
  PID:8140
- C:\Windows\System32\qderuSj.exe
  C:\Windows\System32\qderuSj.exe
  2⤵
  PID:8168
- C:\Windows\System32\AKKktrU.exe
  C:\Windows\System32\AKKktrU.exe
  2⤵
  PID:6152
- C:\Windows\System32\MjHjlPG.exe
  C:\Windows\System32\MjHjlPG.exe
  2⤵
  PID:6396
- C:\Windows\System32\QnLQpQW.exe
  C:\Windows\System32\QnLQpQW.exe
  2⤵
  PID:6660
- C:\Windows\System32\uHGrUAC.exe
  C:\Windows\System32\uHGrUAC.exe
  2⤵
  PID:7024
- C:\Windows\System32\qkkwomx.exe
  C:\Windows\System32\qkkwomx.exe
  2⤵
  PID:7200
- C:\Windows\System32\RXLEEdg.exe
  C:\Windows\System32\RXLEEdg.exe
  2⤵
  PID:7232
- C:\Windows\System32\tNmdCbk.exe
  C:\Windows\System32\tNmdCbk.exe
  2⤵
  PID:7300
- C:\Windows\System32\oQbHxwG.exe
  C:\Windows\System32\oQbHxwG.exe
  2⤵
  PID:3052
- C:\Windows\System32\gDKiwVC.exe
  C:\Windows\System32\gDKiwVC.exe
  2⤵
  PID:7536
- C:\Windows\System32\TOYsQMI.exe
  C:\Windows\System32\TOYsQMI.exe
  2⤵
  PID:7560
- C:\Windows\System32\PBskDNp.exe
  C:\Windows\System32\PBskDNp.exe
  2⤵
  PID:7620
- C:\Windows\System32\DEnvrcZ.exe
  C:\Windows\System32\DEnvrcZ.exe
  2⤵
  PID:7688
- C:\Windows\System32\heSjakH.exe
  C:\Windows\System32\heSjakH.exe
  2⤵
  PID:7736
- C:\Windows\System32\pCPOcXT.exe
  C:\Windows\System32\pCPOcXT.exe
  2⤵
  PID:1396
- C:\Windows\System32\WoiPulT.exe
  C:\Windows\System32\WoiPulT.exe
  2⤵
  PID:7812
- C:\Windows\System32\hcIUUCP.exe
  C:\Windows\System32\hcIUUCP.exe
  2⤵
  PID:7816
- C:\Windows\System32\HIWHgTr.exe
  C:\Windows\System32\HIWHgTr.exe
  2⤵
  PID:7860
- C:\Windows\System32\sBEKhrr.exe
  C:\Windows\System32\sBEKhrr.exe
  2⤵
  PID:7916
- C:\Windows\System32\TACFZkb.exe
  C:\Windows\System32\TACFZkb.exe
  2⤵
  PID:2804
- C:\Windows\System32\xqVJvUQ.exe
  C:\Windows\System32\xqVJvUQ.exe
  2⤵
  PID:1016
- C:\Windows\System32\lHNsduz.exe
  C:\Windows\System32\lHNsduz.exe
  2⤵
  PID:8068
- C:\Windows\System32\rNKeGbq.exe
  C:\Windows\System32\rNKeGbq.exe
  2⤵
  PID:724
- C:\Windows\System32\qtqxexY.exe
  C:\Windows\System32\qtqxexY.exe
  2⤵
  PID:8164
- C:\Windows\System32\yZePJol.exe
  C:\Windows\System32\yZePJol.exe
  2⤵
  PID:8184
- C:\Windows\System32\olhPEBY.exe
  C:\Windows\System32\olhPEBY.exe
  2⤵
  PID:6256
- C:\Windows\System32\wVcdTlk.exe
  C:\Windows\System32\wVcdTlk.exe
  2⤵
  PID:3264
- C:\Windows\System32\uvaeZho.exe
  C:\Windows\System32\uvaeZho.exe
  2⤵
  PID:1380
- C:\Windows\System32\ZaIXrRG.exe
  C:\Windows\System32\ZaIXrRG.exe
  2⤵
  PID:7428
- C:\Windows\System32\dLSRjMl.exe
  C:\Windows\System32\dLSRjMl.exe
  2⤵
  PID:4340
- C:\Windows\System32\zDerFaK.exe
  C:\Windows\System32\zDerFaK.exe
  2⤵
  PID:1440
- C:\Windows\System32\VpltfUc.exe
  C:\Windows\System32\VpltfUc.exe
  2⤵
  PID:2356
- C:\Windows\System32\HSRbSPg.exe
  C:\Windows\System32\HSRbSPg.exe
  2⤵
  PID:1272
- C:\Windows\System32\xriIpIv.exe
  C:\Windows\System32\xriIpIv.exe
  2⤵
  PID:4236
- C:\Windows\System32\jSeAOqh.exe
  C:\Windows\System32\jSeAOqh.exe
  2⤵
  PID:7960
- C:\Windows\System32\FxPXJKA.exe
  C:\Windows\System32\FxPXJKA.exe
  2⤵
  PID:1064
- C:\Windows\System32\dppydQa.exe
  C:\Windows\System32\dppydQa.exe
  2⤵
  PID:392
- C:\Windows\System32\lnHGfpA.exe
  C:\Windows\System32\lnHGfpA.exe
  2⤵
  PID:7484
- C:\Windows\System32\xuScECf.exe
  C:\Windows\System32\xuScECf.exe
  2⤵
  PID:7592
- C:\Windows\System32\jnghOeF.exe
  C:\Windows\System32\jnghOeF.exe
  2⤵
  PID:6648
- C:\Windows\System32\hXCqjsm.exe
  C:\Windows\System32\hXCqjsm.exe
  2⤵
  PID:7240
- C:\Windows\System32\TXSuKTT.exe
  C:\Windows\System32\TXSuKTT.exe
  2⤵
  PID:7680
- C:\Windows\System32\HOQaDRx.exe
  C:\Windows\System32\HOQaDRx.exe
  2⤵
  PID:4636
- C:\Windows\System32\LEyDlwk.exe
  C:\Windows\System32\LEyDlwk.exe
  2⤵
  PID:7984
- C:\Windows\System32\UQEATRF.exe
  C:\Windows\System32\UQEATRF.exe
  2⤵
  PID:2872
- C:\Windows\System32\ioEdWms.exe
  C:\Windows\System32\ioEdWms.exe
  2⤵
  PID:6348
- C:\Windows\System32\RMwpefD.exe
  C:\Windows\System32\RMwpefD.exe
  2⤵
  PID:7672
- C:\Windows\System32\AoMhIGr.exe
  C:\Windows\System32\AoMhIGr.exe
  2⤵
  PID:3124
- C:\Windows\System32\ZFhfcYF.exe
  C:\Windows\System32\ZFhfcYF.exe
  2⤵
  PID:8228
- C:\Windows\System32\IRPCcFv.exe
  C:\Windows\System32\IRPCcFv.exe
  2⤵
  PID:8260
- C:\Windows\System32\peLbdsy.exe
  C:\Windows\System32\peLbdsy.exe
  2⤵
  PID:8288
- C:\Windows\System32\Vtvavoh.exe
  C:\Windows\System32\Vtvavoh.exe
  2⤵
  PID:8328
- C:\Windows\System32\EgvyHBm.exe
  C:\Windows\System32\EgvyHBm.exe
  2⤵
  PID:8344
- C:\Windows\System32\UlNAivG.exe
  C:\Windows\System32\UlNAivG.exe
  2⤵
  PID:8360
- C:\Windows\System32\BOLbAeW.exe
  C:\Windows\System32\BOLbAeW.exe
  2⤵
  PID:8384
- C:\Windows\System32\GPtjujB.exe
  C:\Windows\System32\GPtjujB.exe
  2⤵
  PID:8428
- C:\Windows\System32\LBmqFZt.exe
  C:\Windows\System32\LBmqFZt.exe
  2⤵
  PID:8456
- C:\Windows\System32\tGhaeAf.exe
  C:\Windows\System32\tGhaeAf.exe
  2⤵
  PID:8484
- C:\Windows\System32\XvZinBC.exe
  C:\Windows\System32\XvZinBC.exe
  2⤵
  PID:8500
- C:\Windows\System32\gAeOSCd.exe
  C:\Windows\System32\gAeOSCd.exe
  2⤵
  PID:8552
- C:\Windows\System32\fJxsaEM.exe
  C:\Windows\System32\fJxsaEM.exe
  2⤵
  PID:8568
- C:\Windows\System32\jGsLNva.exe
  C:\Windows\System32\jGsLNva.exe
  2⤵
  PID:8588
- C:\Windows\System32\VBwumxH.exe
  C:\Windows\System32\VBwumxH.exe
  2⤵
  PID:8616
- C:\Windows\System32\upEJxvf.exe
  C:\Windows\System32\upEJxvf.exe
  2⤵
  PID:8656
- C:\Windows\System32\XEmnOvp.exe
  C:\Windows\System32\XEmnOvp.exe
  2⤵
  PID:8680
- C:\Windows\System32\TiWaUoB.exe
  C:\Windows\System32\TiWaUoB.exe
  2⤵
  PID:8708
- C:\Windows\System32\tVncBpl.exe
  C:\Windows\System32\tVncBpl.exe
  2⤵
  PID:8740
- C:\Windows\System32\PkcxUER.exe
  C:\Windows\System32\PkcxUER.exe
  2⤵
  PID:8776
- C:\Windows\System32\PobtJWI.exe
  C:\Windows\System32\PobtJWI.exe
  2⤵
  PID:8796
- C:\Windows\System32\elYYjir.exe
  C:\Windows\System32\elYYjir.exe
  2⤵
  PID:8824
- C:\Windows\System32\ghlrhvv.exe
  C:\Windows\System32\ghlrhvv.exe
  2⤵
  PID:8856
- C:\Windows\System32\FQWDFfa.exe
  C:\Windows\System32\FQWDFfa.exe
  2⤵
  PID:8888
- C:\Windows\System32\htYjSzM.exe
  C:\Windows\System32\htYjSzM.exe
  2⤵
  PID:8920
- C:\Windows\System32\IBvVwZP.exe
  C:\Windows\System32\IBvVwZP.exe
  2⤵
  PID:8952
- C:\Windows\System32\gVyWXLr.exe
  C:\Windows\System32\gVyWXLr.exe
  2⤵
  PID:8980
- C:\Windows\System32\tbboQKd.exe
  C:\Windows\System32\tbboQKd.exe
  2⤵
  PID:9008
- C:\Windows\System32\lylyuYo.exe
  C:\Windows\System32\lylyuYo.exe
  2⤵
  PID:9036
- C:\Windows\System32\qaZoffG.exe
  C:\Windows\System32\qaZoffG.exe
  2⤵
  PID:9080
- C:\Windows\System32\csnhREY.exe
  C:\Windows\System32\csnhREY.exe
  2⤵
  PID:9112
- C:\Windows\System32\iAHTIVR.exe
  C:\Windows\System32\iAHTIVR.exe
  2⤵
  PID:9144
- C:\Windows\System32\tmjCeba.exe
  C:\Windows\System32\tmjCeba.exe
  2⤵
  PID:9176
- C:\Windows\System32\cfjsGYg.exe
  C:\Windows\System32\cfjsGYg.exe
  2⤵
  PID:9208
- C:\Windows\System32\GmTORZD.exe
  C:\Windows\System32\GmTORZD.exe
  2⤵
  PID:8216
- C:\Windows\System32\JUmVCzI.exe
  C:\Windows\System32\JUmVCzI.exe
  2⤵
  PID:8280
- C:\Windows\System32\OifxHJp.exe
  C:\Windows\System32\OifxHJp.exe
  2⤵
  PID:8356
- C:\Windows\System32\onFvutr.exe
  C:\Windows\System32\onFvutr.exe
  2⤵
  PID:8376
- C:\Windows\System32\jNJdanF.exe
  C:\Windows\System32\jNJdanF.exe
  2⤵
  PID:8476
- C:\Windows\System32\pJWVwag.exe
  C:\Windows\System32\pJWVwag.exe
  2⤵
  PID:8528
- C:\Windows\System32\mOfKUYS.exe
  C:\Windows\System32\mOfKUYS.exe
  2⤵
  PID:8604
- C:\Windows\System32\CwMqOJZ.exe
  C:\Windows\System32\CwMqOJZ.exe
  2⤵
  PID:8648
- C:\Windows\System32\KuOkpvn.exe
  C:\Windows\System32\KuOkpvn.exe
  2⤵
  PID:8704
- C:\Windows\System32\DKfXWZp.exe
  C:\Windows\System32\DKfXWZp.exe
  2⤵
  PID:8788
- C:\Windows\System32\oIIBKck.exe
  C:\Windows\System32\oIIBKck.exe
  2⤵
  PID:8844
- C:\Windows\System32\tvhNujj.exe
  C:\Windows\System32\tvhNujj.exe
  2⤵
  PID:8912
- C:\Windows\System32\TSDTqJy.exe
  C:\Windows\System32\TSDTqJy.exe
  2⤵
  PID:8948
- C:\Windows\System32\kBhEmhX.exe
  C:\Windows\System32\kBhEmhX.exe
  2⤵
  PID:9072
- C:\Windows\System32\kUlNzhH.exe
  C:\Windows\System32\kUlNzhH.exe
  2⤵
  PID:9168
- C:\Windows\System32\qjDJmHW.exe
  C:\Windows\System32\qjDJmHW.exe
  2⤵
  PID:2992
- C:\Windows\System32\xAkdFpj.exe
  C:\Windows\System32\xAkdFpj.exe
  2⤵
  PID:8340
- C:\Windows\System32\UyBmVDZ.exe
  C:\Windows\System32\UyBmVDZ.exe
  2⤵
  PID:8516
- C:\Windows\System32\UJepnWY.exe
  C:\Windows\System32\UJepnWY.exe
  2⤵
  PID:8640
- C:\Windows\System32\VMAscxj.exe
  C:\Windows\System32\VMAscxj.exe
  2⤵
  PID:3140
- C:\Windows\System32\aOavzzh.exe
  C:\Windows\System32\aOavzzh.exe
  2⤵
  PID:8944
- C:\Windows\System32\QfRzXXO.exe
  C:\Windows\System32\QfRzXXO.exe
  2⤵
  PID:9064
- C:\Windows\System32\QeZqnOI.exe
  C:\Windows\System32\QeZqnOI.exe
  2⤵
  PID:5096
- C:\Windows\System32\SYKDzXw.exe
  C:\Windows\System32\SYKDzXw.exe
  2⤵
  PID:8580
- C:\Windows\System32\bLVJech.exe
  C:\Windows\System32\bLVJech.exe
  2⤵
  PID:8808
- C:\Windows\System32\HEcnAMY.exe
  C:\Windows\System32\HEcnAMY.exe
  2⤵
  PID:8372
- C:\Windows\System32\GKsCJqC.exe
  C:\Windows\System32\GKsCJqC.exe
  2⤵
  PID:1604
- C:\Windows\System32\cqCqenf.exe
  C:\Windows\System32\cqCqenf.exe
  2⤵
  PID:9240
- C:\Windows\System32\EygXFxl.exe
  C:\Windows\System32\EygXFxl.exe
  2⤵
  PID:9272
- C:\Windows\System32\Imdhmiu.exe
  C:\Windows\System32\Imdhmiu.exe
  2⤵
  PID:9300
- C:\Windows\System32\hnlwPKi.exe
  C:\Windows\System32\hnlwPKi.exe
  2⤵
  PID:9328
- C:\Windows\System32\KJeldjW.exe
  C:\Windows\System32\KJeldjW.exe
  2⤵
  PID:9356
- C:\Windows\System32\AMXmkYc.exe
  C:\Windows\System32\AMXmkYc.exe
  2⤵
  PID:9384
- C:\Windows\System32\jskIlMT.exe
  C:\Windows\System32\jskIlMT.exe
  2⤵
  PID:9428
- C:\Windows\System32\AOlbjWU.exe
  C:\Windows\System32\AOlbjWU.exe
  2⤵
  PID:9444
- C:\Windows\System32\rdFgIbX.exe
  C:\Windows\System32\rdFgIbX.exe
  2⤵
  PID:9472
- C:\Windows\System32\jJpsYKF.exe
  C:\Windows\System32\jJpsYKF.exe
  2⤵
  PID:9492
- C:\Windows\System32\CMKCWWg.exe
  C:\Windows\System32\CMKCWWg.exe
  2⤵
  PID:9536
- C:\Windows\System32\igmCzQK.exe
  C:\Windows\System32\igmCzQK.exe
  2⤵
  PID:9560
- C:\Windows\System32\HLoDrsm.exe
  C:\Windows\System32\HLoDrsm.exe
  2⤵
  PID:9576
- C:\Windows\System32\gifHRrW.exe
  C:\Windows\System32\gifHRrW.exe
  2⤵
  PID:9608
- C:\Windows\System32\DNigRJF.exe
  C:\Windows\System32\DNigRJF.exe
  2⤵
  PID:9636
- C:\Windows\System32\zjPpEZy.exe
  C:\Windows\System32\zjPpEZy.exe
  2⤵
  PID:9668
- C:\Windows\System32\psObHlA.exe
  C:\Windows\System32\psObHlA.exe
  2⤵
  PID:9700
- C:\Windows\System32\JnhAogF.exe
  C:\Windows\System32\JnhAogF.exe
  2⤵
  PID:9728
- C:\Windows\System32\YwjeEkn.exe
  C:\Windows\System32\YwjeEkn.exe
  2⤵
  PID:9748
- C:\Windows\System32\YPWQVmZ.exe
  C:\Windows\System32\YPWQVmZ.exe
  2⤵
  PID:9784
- C:\Windows\System32\lPFCnke.exe
  C:\Windows\System32\lPFCnke.exe
  2⤵
  PID:9800
- C:\Windows\System32\bsnlRKa.exe
  C:\Windows\System32\bsnlRKa.exe
  2⤵
  PID:9816
- C:\Windows\System32\CMLvBuD.exe
  C:\Windows\System32\CMLvBuD.exe
  2⤵
  PID:9856
- C:\Windows\System32\BTkKLMr.exe
  C:\Windows\System32\BTkKLMr.exe
  2⤵
  PID:9888
- C:\Windows\System32\WJaBJOE.exe
  C:\Windows\System32\WJaBJOE.exe
  2⤵
  PID:9924
- C:\Windows\System32\CHjCLbp.exe
  C:\Windows\System32\CHjCLbp.exe
  2⤵
  PID:9952
- C:\Windows\System32\joVJtFZ.exe
  C:\Windows\System32\joVJtFZ.exe
  2⤵
  PID:9980
- C:\Windows\System32\NayjlQR.exe
  C:\Windows\System32\NayjlQR.exe
  2⤵
  PID:9996
- C:\Windows\System32\FRrsRMY.exe
  C:\Windows\System32\FRrsRMY.exe
  2⤵
  PID:10044
- C:\Windows\System32\MVWblpI.exe
  C:\Windows\System32\MVWblpI.exe
  2⤵
  PID:10064
- C:\Windows\System32\cQksSRN.exe
  C:\Windows\System32\cQksSRN.exe
  2⤵
  PID:10092
- C:\Windows\System32\EhjDevP.exe
  C:\Windows\System32\EhjDevP.exe
  2⤵
  PID:10124
- C:\Windows\System32\mGdWCrx.exe
  C:\Windows\System32\mGdWCrx.exe
  2⤵
  PID:10148
- C:\Windows\System32\nFIhxXL.exe
  C:\Windows\System32\nFIhxXL.exe
  2⤵
  PID:10180
- C:\Windows\System32\VxzsyNN.exe
  C:\Windows\System32\VxzsyNN.exe
  2⤵
  PID:10208
- C:\Windows\System32\VbDVSlx.exe
  C:\Windows\System32\VbDVSlx.exe
  2⤵
  PID:8996
- C:\Windows\System32\jcsjVke.exe
  C:\Windows\System32\jcsjVke.exe
  2⤵
  PID:9236
- C:\Windows\System32\ygMNReA.exe
  C:\Windows\System32\ygMNReA.exe
  2⤵
  PID:9316
- C:\Windows\System32\zLkxVIg.exe
  C:\Windows\System32\zLkxVIg.exe
  2⤵
  PID:9368
- C:\Windows\System32\ZvVYMKr.exe
  C:\Windows\System32\ZvVYMKr.exe
  2⤵
  PID:9396
- C:\Windows\System32\fmONxhF.exe
  C:\Windows\System32\fmONxhF.exe
  2⤵
  PID:9520
- C:\Windows\System32\sNWyZhA.exe
  C:\Windows\System32\sNWyZhA.exe
  2⤵
  PID:9616
- C:\Windows\System32\uDYrJfJ.exe
  C:\Windows\System32\uDYrJfJ.exe
  2⤵
  PID:9648
- C:\Windows\System32\XLquaZq.exe
  C:\Windows\System32\XLquaZq.exe
  2⤵
  PID:3024
- C:\Windows\System32\zsLEPVI.exe
  C:\Windows\System32\zsLEPVI.exe
  2⤵
  PID:9724
- C:\Windows\System32\WkbajtH.exe
  C:\Windows\System32\WkbajtH.exe
  2⤵
  PID:9780
- C:\Windows\System32\ARepZKd.exe
  C:\Windows\System32\ARepZKd.exe
  2⤵
  PID:9872
- C:\Windows\System32\dPopybo.exe
  C:\Windows\System32\dPopybo.exe
  2⤵
  PID:9948
- C:\Windows\System32\enRuUwI.exe
  C:\Windows\System32\enRuUwI.exe
  2⤵
  PID:9988
- C:\Windows\System32\rkpTRhq.exe
  C:\Windows\System32\rkpTRhq.exe
  2⤵
  PID:10084
- C:\Windows\System32\BWwiZmU.exe
  C:\Windows\System32\BWwiZmU.exe
  2⤵
  PID:10160
- C:\Windows\System32\ivqUjld.exe
  C:\Windows\System32\ivqUjld.exe
  2⤵
  PID:10236
- C:\Windows\System32\omcdjNi.exe
  C:\Windows\System32\omcdjNi.exe
  2⤵
  PID:9440
- C:\Windows\System32\wcFoXgK.exe
  C:\Windows\System32\wcFoXgK.exe
  2⤵
  PID:9644
- C:\Windows\System32\HKIXbJE.exe
  C:\Windows\System32\HKIXbJE.exe
  2⤵
  PID:4940
- C:\Windows\System32\emKwFoc.exe
  C:\Windows\System32\emKwFoc.exe
  2⤵
  PID:9848
- C:\Windows\System32\lYOvvrV.exe
  C:\Windows\System32\lYOvvrV.exe
  2⤵
  PID:10052
- C:\Windows\System32\SObbglf.exe
  C:\Windows\System32\SObbglf.exe
  2⤵
  PID:10140
- C:\Windows\System32\WglAhLj.exe
  C:\Windows\System32\WglAhLj.exe
  2⤵
  PID:10196
- C:\Windows\System32\mlmrhqM.exe
  C:\Windows\System32\mlmrhqM.exe
  2⤵
  PID:9972
- C:\Windows\System32\LqVDLmm.exe
  C:\Windows\System32\LqVDLmm.exe
  2⤵
  PID:8756
- C:\Windows\System32\mypDpOz.exe
  C:\Windows\System32\mypDpOz.exe
  2⤵
  PID:9572
- C:\Windows\System32\kzjTJiH.exe
  C:\Windows\System32\kzjTJiH.exe
  2⤵
  PID:10264
- C:\Windows\System32\zfTvbPA.exe
  C:\Windows\System32\zfTvbPA.exe
  2⤵
  PID:10284
- C:\Windows\System32\HIggsPJ.exe
  C:\Windows\System32\HIggsPJ.exe
  2⤵
  PID:10312
- C:\Windows\System32\TrWJKcS.exe
  C:\Windows\System32\TrWJKcS.exe
  2⤵
  PID:10340
- C:\Windows\System32\qywMQaS.exe
  C:\Windows\System32\qywMQaS.exe
  2⤵
  PID:10368
- C:\Windows\System32\iYNZwki.exe
  C:\Windows\System32\iYNZwki.exe
  2⤵
  PID:10388
- C:\Windows\System32\yndXSuX.exe
  C:\Windows\System32\yndXSuX.exe
  2⤵
  PID:10416
- C:\Windows\System32\FbqYybT.exe
  C:\Windows\System32\FbqYybT.exe
  2⤵
  PID:10444
- C:\Windows\System32\pDjrtbN.exe
  C:\Windows\System32\pDjrtbN.exe
  2⤵
  PID:10476
- C:\Windows\System32\reCHwmX.exe
  C:\Windows\System32\reCHwmX.exe
  2⤵
  PID:10520
- C:\Windows\System32\fYqWMoP.exe
  C:\Windows\System32\fYqWMoP.exe
  2⤵
  PID:10536
- C:\Windows\System32\yKwhCCv.exe
  C:\Windows\System32\yKwhCCv.exe
  2⤵
  PID:10552
- C:\Windows\System32\VeijGNQ.exe
  C:\Windows\System32\VeijGNQ.exe
  2⤵
  PID:10588
- C:\Windows\System32\gDLCcwB.exe
  C:\Windows\System32\gDLCcwB.exe
  2⤵
  PID:10636
- C:\Windows\System32\OCiihoV.exe
  C:\Windows\System32\OCiihoV.exe
  2⤵
  PID:10680
- C:\Windows\System32\vrEvjEr.exe
  C:\Windows\System32\vrEvjEr.exe
  2⤵
  PID:10708
- C:\Windows\System32\aWXaXNN.exe
  C:\Windows\System32\aWXaXNN.exe
  2⤵
  PID:10736
- C:\Windows\System32\tDYBSqQ.exe
  C:\Windows\System32\tDYBSqQ.exe
  2⤵
  PID:10760
- C:\Windows\System32\YuVUgEh.exe
  C:\Windows\System32\YuVUgEh.exe
  2⤵
  PID:10800
- C:\Windows\System32\tVwelWG.exe
  C:\Windows\System32\tVwelWG.exe
  2⤵
  PID:10844
- C:\Windows\System32\gsWYPtc.exe
  C:\Windows\System32\gsWYPtc.exe
  2⤵
  PID:10880
- C:\Windows\System32\ZtYpCqV.exe
  C:\Windows\System32\ZtYpCqV.exe
  2⤵
  PID:10920
- C:\Windows\System32\AagxitJ.exe
  C:\Windows\System32\AagxitJ.exe
  2⤵
  PID:10948
- C:\Windows\System32\UYunevz.exe
  C:\Windows\System32\UYunevz.exe
  2⤵
  PID:10980
- C:\Windows\System32\ZUCuwRs.exe
  C:\Windows\System32\ZUCuwRs.exe
  2⤵
  PID:11008
- C:\Windows\System32\SvsGcJD.exe
  C:\Windows\System32\SvsGcJD.exe
  2⤵
  PID:11060
- C:\Windows\System32\aFhWFFQ.exe
  C:\Windows\System32\aFhWFFQ.exe
  2⤵
  PID:11092
- C:\Windows\System32\ZFLOHAe.exe
  C:\Windows\System32\ZFLOHAe.exe
  2⤵
  PID:11140
- C:\Windows\System32\zGDlwoF.exe
  C:\Windows\System32\zGDlwoF.exe
  2⤵
  PID:11156
- C:\Windows\System32\GzJcXTB.exe
  C:\Windows\System32\GzJcXTB.exe
  2⤵
  PID:11208
- C:\Windows\System32\FzahqHT.exe
  C:\Windows\System32\FzahqHT.exe
  2⤵
  PID:11248
- C:\Windows\System32\dqOKonu.exe
  C:\Windows\System32\dqOKonu.exe
  2⤵
  PID:10320
- C:\Windows\System32\bspNaVT.exe
  C:\Windows\System32\bspNaVT.exe
  2⤵
  PID:10356
- C:\Windows\System32\uPEgCln.exe
  C:\Windows\System32\uPEgCln.exe
  2⤵
  PID:10424
- C:\Windows\System32\jZqYfVW.exe
  C:\Windows\System32\jZqYfVW.exe
  2⤵
  PID:10492
- C:\Windows\System32\aeaGDkK.exe
  C:\Windows\System32\aeaGDkK.exe
  2⤵
  PID:10548
- C:\Windows\System32\agqFspx.exe
  C:\Windows\System32\agqFspx.exe
  2⤵
  PID:10624
- C:\Windows\System32\CYgMAUO.exe
  C:\Windows\System32\CYgMAUO.exe
  2⤵
  PID:10700
- C:\Windows\System32\AKcoJUF.exe
  C:\Windows\System32\AKcoJUF.exe
  2⤵
  PID:10744
- C:\Windows\System32\MsUWOnG.exe
  C:\Windows\System32\MsUWOnG.exe
  2⤵
  PID:10860
- C:\Windows\System32\WmLmqHL.exe
  C:\Windows\System32\WmLmqHL.exe
  2⤵
  PID:10988
- C:\Windows\System32\CphdkiP.exe
  C:\Windows\System32\CphdkiP.exe
  2⤵
  PID:11084
- C:\Windows\System32\XxohaDj.exe
  C:\Windows\System32\XxohaDj.exe
  2⤵
  PID:11168
- C:\Windows\System32\VREjytK.exe
  C:\Windows\System32\VREjytK.exe
  2⤵
  PID:10248
- C:\Windows\System32\CKCDvIE.exe
  C:\Windows\System32\CKCDvIE.exe
  2⤵
  PID:10452
- C:\Windows\System32\TrdOqhp.exe
  C:\Windows\System32\TrdOqhp.exe
  2⤵
  PID:10652
- C:\Windows\System32\pGZZRlk.exe
  C:\Windows\System32\pGZZRlk.exe
  2⤵
  PID:10724
- C:\Windows\System32\kQAzVOg.exe
  C:\Windows\System32\kQAzVOg.exe
  2⤵
  PID:10944
- C:\Windows\System32\VEJrNpE.exe
  C:\Windows\System32\VEJrNpE.exe
  2⤵
  PID:11136
- C:\Windows\System32\kjOkGeV.exe
  C:\Windows\System32\kjOkGeV.exe
  2⤵
  PID:10352
- C:\Windows\System32\fyOLIGB.exe
  C:\Windows\System32\fyOLIGB.exe
  2⤵
  PID:11080
- C:\Windows\System32\nyAsnbs.exe
  C:\Windows\System32\nyAsnbs.exe
  2⤵
  PID:10720
- C:\Windows\System32\pBdGgDN.exe
  C:\Windows\System32\pBdGgDN.exe
  2⤵
  PID:11280
- C:\Windows\System32\zlAoZyC.exe
  C:\Windows\System32\zlAoZyC.exe
  2⤵
  PID:11320
- C:\Windows\System32\NqUTgzv.exe
  C:\Windows\System32\NqUTgzv.exe
  2⤵
  PID:11348
- C:\Windows\System32\mllyGDu.exe
  C:\Windows\System32\mllyGDu.exe
  2⤵
  PID:11376
- C:\Windows\System32\bKEQUaX.exe
  C:\Windows\System32\bKEQUaX.exe
  2⤵
  PID:11404
- C:\Windows\System32\OlRVqFM.exe
  C:\Windows\System32\OlRVqFM.exe
  2⤵
  PID:11432
- C:\Windows\System32\aUJmzeH.exe
  C:\Windows\System32\aUJmzeH.exe
  2⤵
  PID:11448
- C:\Windows\System32\XORvQpI.exe
  C:\Windows\System32\XORvQpI.exe
  2⤵
  PID:11488
- C:\Windows\System32\PHVLLHq.exe
  C:\Windows\System32\PHVLLHq.exe
  2⤵
  PID:11516
- C:\Windows\System32\Bvosqfc.exe
  C:\Windows\System32\Bvosqfc.exe
  2⤵
  PID:11532
- C:\Windows\System32\eDMBkRt.exe
  C:\Windows\System32\eDMBkRt.exe
  2⤵
  PID:11560
- C:\Windows\System32\mOlgDwZ.exe
  C:\Windows\System32\mOlgDwZ.exe
  2⤵
  PID:11604
- C:\Windows\System32\VBHtVph.exe
  C:\Windows\System32\VBHtVph.exe
  2⤵
  PID:11668
- C:\Windows\System32\KRhaRPj.exe
  C:\Windows\System32\KRhaRPj.exe
  2⤵
  PID:11700
- C:\Windows\System32\OdUSsbi.exe
  C:\Windows\System32\OdUSsbi.exe
  2⤵
  PID:11728
- C:\Windows\System32\zLssdma.exe
  C:\Windows\System32\zLssdma.exe
  2⤵
  PID:11748
- C:\Windows\System32\eEHiGSX.exe
  C:\Windows\System32\eEHiGSX.exe
  2⤵
  PID:11780
- C:\Windows\System32\itLzjlx.exe
  C:\Windows\System32\itLzjlx.exe
  2⤵
  PID:11804
- C:\Windows\System32\sCOkAEs.exe
  C:\Windows\System32\sCOkAEs.exe
  2⤵
  PID:11824
- C:\Windows\System32\AEYdBur.exe
  C:\Windows\System32\AEYdBur.exe
  2⤵
  PID:11868
- C:\Windows\System32\MOuefGV.exe
  C:\Windows\System32\MOuefGV.exe
  2⤵
  PID:11884
- C:\Windows\System32\nQCVFKn.exe
  C:\Windows\System32\nQCVFKn.exe
  2⤵
  PID:11924
- C:\Windows\System32\uLpbGai.exe
  C:\Windows\System32\uLpbGai.exe
  2⤵
  PID:11944
- C:\Windows\System32\dQVaSph.exe
  C:\Windows\System32\dQVaSph.exe
  2⤵
  PID:11988
- C:\Windows\System32\NTNnNfZ.exe
  C:\Windows\System32\NTNnNfZ.exe
  2⤵
  PID:12016
- C:\Windows\System32\XZVunys.exe
  C:\Windows\System32\XZVunys.exe
  2⤵
  PID:12048
- C:\Windows\System32\UXvoLEy.exe
  C:\Windows\System32\UXvoLEy.exe
  2⤵
  PID:12064
- C:\Windows\System32\MOgZUFg.exe
  C:\Windows\System32\MOgZUFg.exe
  2⤵
  PID:12100
- C:\Windows\System32\VetQjqw.exe
  C:\Windows\System32\VetQjqw.exe
  2⤵
  PID:12132
- C:\Windows\System32\yoYrEuj.exe
  C:\Windows\System32\yoYrEuj.exe
  2⤵
  PID:12160
- C:\Windows\System32\TXduDNZ.exe
  C:\Windows\System32\TXduDNZ.exe
  2⤵
  PID:12196
- C:\Windows\System32\dXMODoa.exe
  C:\Windows\System32\dXMODoa.exe
  2⤵
  PID:12216
- C:\Windows\System32\jqvKShP.exe
  C:\Windows\System32\jqvKShP.exe
  2⤵
  PID:12244
- C:\Windows\System32\TDzHkcM.exe
  C:\Windows\System32\TDzHkcM.exe
  2⤵
  PID:12272
- C:\Windows\System32\ufRyFxF.exe
  C:\Windows\System32\ufRyFxF.exe
  2⤵
  PID:11276
- C:\Windows\System32\XbzkHEm.exe
  C:\Windows\System32\XbzkHEm.exe
  2⤵
  PID:11364
- C:\Windows\System32\AMTdGqR.exe
  C:\Windows\System32\AMTdGqR.exe
  2⤵
  PID:11420
- C:\Windows\System32\hJOYyDQ.exe
  C:\Windows\System32\hJOYyDQ.exe
  2⤵
  PID:11504
- C:\Windows\System32\DRRwqlf.exe
  C:\Windows\System32\DRRwqlf.exe
  2⤵
  PID:11552
- C:\Windows\System32\ZCDfeqK.exe
  C:\Windows\System32\ZCDfeqK.exe
  2⤵
  PID:11664
- C:\Windows\System32\FicvECG.exe
  C:\Windows\System32\FicvECG.exe
  2⤵
  PID:11772
- C:\Windows\System32\XPFWarx.exe
  C:\Windows\System32\XPFWarx.exe
  2⤵
  PID:11856
- C:\Windows\System32\Muckbeb.exe
  C:\Windows\System32\Muckbeb.exe
  2⤵
  PID:11916
- C:\Windows\System32\RylkDVl.exe
  C:\Windows\System32\RylkDVl.exe
  2⤵
  PID:9156
- C:\Windows\System32\qBQnJfM.exe
  C:\Windows\System32\qBQnJfM.exe
  2⤵
  PID:10644
- C:\Windows\System32\SCAKGcR.exe
  C:\Windows\System32\SCAKGcR.exe
  2⤵
  PID:11984
- C:\Windows\System32\EMFbPRX.exe
  C:\Windows\System32\EMFbPRX.exe
  2⤵
  PID:12060
- C:\Windows\System32\VndczqU.exe
  C:\Windows\System32\VndczqU.exe
  2⤵
  PID:12128
- C:\Windows\System32\lRkkCkv.exe
  C:\Windows\System32\lRkkCkv.exe
  2⤵
  PID:12212
- C:\Windows\System32\mlqIpeL.exe
  C:\Windows\System32\mlqIpeL.exe
  2⤵
  PID:5004
- C:\Windows\System32\POnYgYh.exe
  C:\Windows\System32\POnYgYh.exe
  2⤵
  PID:11396
- C:\Windows\System32\NKQKnTo.exe
  C:\Windows\System32\NKQKnTo.exe
  2⤵
  PID:11528
- C:\Windows\System32\QcHnxcN.exe
  C:\Windows\System32\QcHnxcN.exe
  2⤵
  PID:11756
- C:\Windows\System32\pCFxhOL.exe
  C:\Windows\System32\pCFxhOL.exe
  2⤵
  PID:8412
- C:\Windows\System32\CMvxlyQ.exe
  C:\Windows\System32\CMvxlyQ.exe
  2⤵
  PID:4080
- C:\Windows\System32\icvlNqT.exe
  C:\Windows\System32\icvlNqT.exe
  2⤵
  PID:3004
- C:\Windows\System32\rnTrpkr.exe
  C:\Windows\System32\rnTrpkr.exe
  2⤵
  PID:12108
- C:\Windows\System32\YDWvkJr.exe
  C:\Windows\System32\YDWvkJr.exe
  2⤵
  PID:11332
- C:\Windows\System32\CGBEjRB.exe
  C:\Windows\System32\CGBEjRB.exe
  2⤵
  PID:9140
- C:\Windows\System32\UeDXiuD.exe
  C:\Windows\System32\UeDXiuD.exe
  2⤵
  PID:12008
- C:\Windows\System32\KiSyRZL.exe
  C:\Windows\System32\KiSyRZL.exe
  2⤵
  PID:11688
- C:\Windows\System32\uGEdSIv.exe
  C:\Windows\System32\uGEdSIv.exe
  2⤵
  PID:12300
- C:\Windows\System32\wxxRmGU.exe
  C:\Windows\System32\wxxRmGU.exe
  2⤵
  PID:12328
- C:\Windows\System32\EbMSiPe.exe
  C:\Windows\System32\EbMSiPe.exe
  2⤵
  PID:12360
- C:\Windows\System32\SqalDjE.exe
  C:\Windows\System32\SqalDjE.exe
  2⤵
  PID:12380
- C:\Windows\System32\FPkEVde.exe
  C:\Windows\System32\FPkEVde.exe
  2⤵
  PID:12416
- C:\Windows\System32\DzPEtti.exe
  C:\Windows\System32\DzPEtti.exe
  2⤵
  PID:12444
- C:\Windows\System32\uUIHwhT.exe
  C:\Windows\System32\uUIHwhT.exe
  2⤵
  PID:12460
- C:\Windows\System32\OBeOWXZ.exe
  C:\Windows\System32\OBeOWXZ.exe
  2⤵
  PID:12496
- C:\Windows\System32\XGXUkqO.exe
  C:\Windows\System32\XGXUkqO.exe
  2⤵
  PID:12516
- C:\Windows\System32\qgGvGjw.exe
  C:\Windows\System32\qgGvGjw.exe
  2⤵
  PID:12540
- C:\Windows\System32\pFQMenP.exe
  C:\Windows\System32\pFQMenP.exe
  2⤵
  PID:12584
- C:\Windows\System32\GnLNlnK.exe
  C:\Windows\System32\GnLNlnK.exe
  2⤵
  PID:12600
- C:\Windows\System32\sxeuEDH.exe
  C:\Windows\System32\sxeuEDH.exe
  2⤵
  PID:12644
- C:\Windows\System32\bpVOxvp.exe
  C:\Windows\System32\bpVOxvp.exe
  2⤵
  PID:12668
- C:\Windows\System32\NIvbOGp.exe
  C:\Windows\System32\NIvbOGp.exe
  2⤵
  PID:12704
- C:\Windows\System32\mbEHOKu.exe
  C:\Windows\System32\mbEHOKu.exe
  2⤵
  PID:12724
- C:\Windows\System32\HBrQLbH.exe
  C:\Windows\System32\HBrQLbH.exe
  2⤵
  PID:12760
- C:\Windows\System32\JiJtGOG.exe
  C:\Windows\System32\JiJtGOG.exe
  2⤵
  PID:12780
- C:\Windows\System32\KsQUuBa.exe
  C:\Windows\System32\KsQUuBa.exe
  2⤵
  PID:12808
- C:\Windows\System32\YnAzcBZ.exe
  C:\Windows\System32\YnAzcBZ.exe
  2⤵
  PID:12836
- C:\Windows\System32\TONdxzD.exe
  C:\Windows\System32\TONdxzD.exe
  2⤵
  PID:12864
- C:\Windows\System32\sLbYhtz.exe
  C:\Windows\System32\sLbYhtz.exe
  2⤵
  PID:12900
- C:\Windows\System32\OHxkfoZ.exe
  C:\Windows\System32\OHxkfoZ.exe
  2⤵
  PID:12920
- C:\Windows\System32\CwPSbfB.exe
  C:\Windows\System32\CwPSbfB.exe
  2⤵
  PID:12948
- C:\Windows\System32\tDFzeqY.exe
  C:\Windows\System32\tDFzeqY.exe
  2⤵
  PID:12964
- C:\Windows\System32\CddCnfY.exe
  C:\Windows\System32\CddCnfY.exe
  2⤵
  PID:13004
- C:\Windows\System32\dlGkMdB.exe
  C:\Windows\System32\dlGkMdB.exe
  2⤵
  PID:13032
- C:\Windows\System32\osDCRxH.exe
  C:\Windows\System32\osDCRxH.exe
  2⤵
  PID:13060
- C:\Windows\System32\yPAnEOG.exe
  C:\Windows\System32\yPAnEOG.exe
  2⤵
  PID:13088
- C:\Windows\System32\fCbcFfX.exe
  C:\Windows\System32\fCbcFfX.exe
  2⤵
  PID:13116
- C:\Windows\System32\YDPaWyH.exe
  C:\Windows\System32\YDPaWyH.exe
  2⤵
  PID:13144
- C:\Windows\System32\sKlfxGm.exe
  C:\Windows\System32\sKlfxGm.exe
  2⤵
  PID:13172
- C:\Windows\System32\wTvwCGk.exe
  C:\Windows\System32\wTvwCGk.exe
  2⤵
  PID:13200
- C:\Windows\System32\WwKocsw.exe
  C:\Windows\System32\WwKocsw.exe
  2⤵
  PID:13228
- C:\Windows\System32\mIJeMRB.exe
  C:\Windows\System32\mIJeMRB.exe
  2⤵
  PID:13256
- C:\Windows\System32\fKbeJla.exe
  C:\Windows\System32\fKbeJla.exe
  2⤵
  PID:13288
- C:\Windows\System32\VgPWtUN.exe
  C:\Windows\System32\VgPWtUN.exe
  2⤵
  PID:544
- C:\Windows\System32\NpleUsC.exe
  C:\Windows\System32\NpleUsC.exe
  2⤵
  PID:12352
- C:\Windows\System32\QGQATEC.exe
  C:\Windows\System32\QGQATEC.exe
  2⤵
  PID:12404
- C:\Windows\System32\MrBdhlM.exe
  C:\Windows\System32\MrBdhlM.exe
  2⤵
  PID:12488
- C:\Windows\System32\aFgBkjX.exe
  C:\Windows\System32\aFgBkjX.exe
  2⤵
  PID:12536
- C:\Windows\System32\slKDqHB.exe
  C:\Windows\System32\slKDqHB.exe
  2⤵
  PID:12568
- C:\Windows\System32\wLpUnHe.exe
  C:\Windows\System32\wLpUnHe.exe
  2⤵
  PID:12652
- C:\Windows\System32\xXMMokM.exe
  C:\Windows\System32\xXMMokM.exe
  2⤵
  PID:12748
- C:\Windows\System32\kqvhsFD.exe
  C:\Windows\System32\kqvhsFD.exe
  2⤵
  PID:12804
- C:\Windows\System32\kDdWEkY.exe
  C:\Windows\System32\kDdWEkY.exe
  2⤵
  PID:12872
- C:\Windows\System32\zCnxabJ.exe
  C:\Windows\System32\zCnxabJ.exe
  2⤵
  PID:12940
- C:\Windows\System32\RJUthHV.exe
  C:\Windows\System32\RJUthHV.exe
  2⤵
  PID:13020
- C:\Windows\System32\MiHASOU.exe
  C:\Windows\System32\MiHASOU.exe
  2⤵
  PID:13080
- C:\Windows\System32\hzkGQOf.exe
  C:\Windows\System32\hzkGQOf.exe
  2⤵
  PID:13140
- C:\Windows\System32\JvxyuiF.exe
  C:\Windows\System32\JvxyuiF.exe
  2⤵
  PID:13212

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BeOTNub.exe

Filesize
3.3MB

MD5
bc82dc79319966dcb7903f23a3ef3288

SHA1
a899654fc2fb99db290e199c4cddd68e70226fcf

SHA256
9b3fd2365b85596d4cd0dd693f51157b5bb848c7f8e273f003c5e5fc11ef0344

SHA512
3717ada7d1bb59a2e64e162d3dfd7c87533fcffff409cd0157071054f88df05a30e03cea210255987caad41752e3f5f2d3d8f1f90558504eb7fc97bfceb4466d

Download Submit
C:\Windows\System32\ECbdMrg.exe

Filesize
3.3MB

MD5
60b56cd2af8f8165c16e1e656ddff7c1

SHA1
63e4d99f480efb89e25ab727535f8c34f2260244

SHA256
ab279a873fd70d45dbff85d0da133387a963560b74c0a8bd09aa229aad50f3b0

SHA512
83b764643c97b572b05410da3cbd43f7463b573fa7c6d01096f6b1ec0912051f944b2fb926066f6fd8c1bb789c02b592d292915208d7afed0237173560df19dc

Download Submit
C:\Windows\System32\EIbWXGR.exe

Filesize
3.3MB

MD5
ce819f04101d60dfee0fb1a6d226d477

SHA1
f87fed13308e2ae54e520fe9c4b7afa9121650d5

SHA256
ce4a2515105d03e44947952b95fe05409e7ae748441f3416e43c4453cee13660

SHA512
b64c3bbefc6ffb62db1cf62a4ec98e5dbfac7e9469e0b7038268182fc4c30ed308d400afcfb79d9bfa00ecdf76c8040566e991a8497636c65150810e608f7074

Download Submit
C:\Windows\System32\FxCKQmR.exe

Filesize
3.3MB

MD5
e8c745ebacdd67d32e27730aaf16ed7e

SHA1
b56f050d1c9db1d55bdd60ae5d81c0754df55e1d

SHA256
a00ac443a795b3193396f74e23a03d56b99ae298abc52cac485377083d0f7005

SHA512
a622d8b818ee40ae15ba7fc17f0581775c51b30a05d5c22687413db4b2e67aa9c01920944f8ba939ec62dfd2c3ded99f710c99f8a547f069150aa6d0918271ef

Download Submit
C:\Windows\System32\NYizcFw.exe

Filesize
3.3MB

MD5
5bd2f3f0b1b868d80b01199944febf4f

SHA1
561a88abeeff547445ef514b32dd50b49450cad3

SHA256
f59b8fdfad3db305aa20da707459fde2bed9d83b3fd59029f0c32981bc5df263

SHA512
1ec5214fa46b767b80f4cb257eff257ea8b4a757d7038de14fdbac009740f0214c886012f1a56405ecf5c222e9f3173b709b9f89a62faa8abadb0235d1f30817

Download Submit
C:\Windows\System32\NcXQsWr.exe

Filesize
3.3MB

MD5
c649e783a277a56ec862d45c2f81fd0e

SHA1
4a487151141f2c8844baee77a15e1da3c90ed292

SHA256
128b86336fe309c5feeab5f4969c96e166a5c205f0b0609b7ee77bdf55853bbf

SHA512
a7369e2c2dc102704dd8bade03e322a0e7e6ad4bd7bc3612df11cde36d83208de62fdc336d717c0ae25a7dc9e3a26439e7936e24504100c91fc170067120479f

Download Submit
C:\Windows\System32\QzfQbrU.exe

Filesize
3.3MB

MD5
3ec39c6600de76ddd5f9a415a828cb12

SHA1
7b9662fbcff17fea712d2ac26d501c2892631ad4

SHA256
75b17d5a3dda850e23b19102cdbadc10398516d5c9f00472a40524a75c0194ad

SHA512
41ff37a5626166b9fa55cb327321805398ddd6c8d34626bd352e6242fc61339ab74ccfea31f135ba6dc6fafd6bb4139ad8f40dfa8b6017bbf53988460b1821bc

Download Submit
C:\Windows\System32\RhddgBh.exe

Filesize
3.3MB

MD5
eeac56281ec596d797f156f6db86fe92

SHA1
1a58fa80db5e7ff4e6e24e23069e5f7037cca780

SHA256
c1c7bcaae9d735d0dd0228d64be9462df3a74c576084edbb91724672d7c29f4f

SHA512
4a10cf11ef67fb55de2b5fc9eb4613e4b9b66e0f7f6cde4aca6b27bbe5d855a37c38d505cbfc12d5bdb5ecb15dfff3f0a76a8f4511b46ead31fcd90ac00ef1a5

Download Submit
C:\Windows\System32\RpjsizZ.exe

Filesize
3.3MB

MD5
957d03e598544664246563fb0de6bf0c

SHA1
dc248aa369b95b49bcdcbd4a787e624f1b09e3f2

SHA256
6b403c666cffb4cf974d19a5ef75be9e4914da301f612b038f56c487b5c0d679

SHA512
15685146c725649e2d02eefe7c4336b19fc52869fd3c21f385b6a0b0e1848851b152889e20ee978f92f71511f1c7fd08a33dae2b43f711b69e6925c5f245414c

Download Submit
C:\Windows\System32\SqbSCPY.exe

Filesize
3.3MB

MD5
a3be6c1116c84207f637e4b457279f70

SHA1
1c27ca3c1dbda02e2035b8f378187b4af74c6c17

SHA256
8fa57e1a26120981b41c8f4bd07c38556af7c45efe7a22d25b0f2c7105785f5e

SHA512
6adb70fbde1b57899c75c0becf118b2f413c1ec76e97546fcf58252abf6fc7d9591ebd104d34e2ba273a682a34327aff6221a8db1069abc1e240baa917382410

Download Submit
C:\Windows\System32\TqeKMUF.exe

Filesize
3.3MB

MD5
c2a177145793d33fb0726c05036015f3

SHA1
eaa8e9d60693405c5864fb882e6b228b22883252

SHA256
b93e42304dd20c644098cd23b361f213fc07dc832dcc8278bcdec650a4298b8f

SHA512
6eaeba8dde43ccacb6292863698224f0a29a1cd4810950b8254f3659f6db033e2ba1e352a8918dbecad3fe1d9e3be823baab5fa091a5f1b3ed89e7997229a1f4

Download Submit
C:\Windows\System32\UrcDKAU.exe

Filesize
3.3MB

MD5
fae2967ebce6f1b5a86830d6aef7f88a

SHA1
cfe86fe139d88223e38d5f4890600969d86f8da2

SHA256
330492a1c3d54ca782cb09101adcaec22b5d5b69e2b6e932f8d6cc7df976e1dd

SHA512
73ddd6344e99b238fec18d950526ae3a05c5e403b545ef1b21e8f6f5c31e017239fa2ec053ea2fbb22670dfdbbe4d2c37c741d595a0dc467ef7398f63f94e8df

Download Submit
C:\Windows\System32\UxBGBfl.exe

Filesize
3.3MB

MD5
71d1947ade608f319308062df9dbc800

SHA1
e21d926629a938f972b4602fb1d20be0dd1e5a02

SHA256
a81baa1bd409934394e5ca117191ff530326aad79b396bf7133214773233abd6

SHA512
b953226393e53dab717f763dec7880e486643cce0b207f16ec22a8f70ed3ddb0c1a3f8ac91e7cca878cdbe69f0bb7b7a9e7155d71fd323bbfb1338133058b674

Download Submit
C:\Windows\System32\WYnTeRh.exe

Filesize
3.3MB

MD5
cb2979bc182922eb21b7fab0ac6c2418

SHA1
555f510b0f5aec6339bb4cdf1993b5b943af6d25

SHA256
6f76da8c68aa7ffd9c67ca782bade502c25dded43787e2d4d52c97f465d0775c

SHA512
766bb63a6b5d3860f1fc4d13db708138e909e6f9de91e5479f6923682ddd2e12987c39727b43d2fffe458355a45fa91faaa475ff3c898af8c360702caecf84c3

Download Submit
C:\Windows\System32\dzCNdvn.exe

Filesize
3.3MB

MD5
c390e3a379addcebe63fd879080873c8

SHA1
41259bb6b3c8ad94be8543048d833ece70d3f932

SHA256
71aee10a02b02dfa33c2c8b2b18bc609c4dcaaa682beafe74af07dca3f0195b1

SHA512
f39bf5ae311c580f8a23f56a26b24333f5c43f2400b9e5846c290f30b64ac2f47881914924d733e200000b621f527c36d9cb5c070be7eb87cbf8bcfbd7acef44

Download Submit
C:\Windows\System32\eUcplDb.exe

Filesize
3.3MB

MD5
9cbcf52b400756690f8ce716c03355d8

SHA1
cac70b3fe1cc377a4f508adfe82fe5ead60467cb

SHA256
1b89141061351af3c5e236711bf97d28277f9d8cc3214f7d937df0cf31d94f8d

SHA512
c918e304a2a93658dd67b069e5b0f9750160ba771e8a6b07b71d8fd15f266eef0cebee4579ca5ab1fc24b1e721fbcaa0132f572476083961b9e32b54e20da1ab

Download Submit
C:\Windows\System32\eZUTugO.exe

Filesize
3.3MB

MD5
88e337bd34526ed4ece454adc6929143

SHA1
d1cf5454ac09974674a595f9ffa989a63154d6d3

SHA256
f88ccea9d01190e3353028daa710411a88487bc66c9cef4e2eae84c1d81c9bf9

SHA512
bf1ce08d1b0c6b080015eb6f7840a303e9d64a91ea8dc80ac6906175d9ac8600da64376168be18a3bb4dd3707e5f6e0e93c95841e0cff247bd813703bd9dfb41

Download Submit
C:\Windows\System32\fTEwJcX.exe

Filesize
3.3MB

MD5
60ea01ab193eea0e92a3e66ad8012f1a

SHA1
d5c1b238361b76702be9dcb301ca313a08f1dd24

SHA256
2943210df5c1b4fbe961ef1ac8afd4839459ac00eede8c3650c6d0f4ecea2341

SHA512
654641cdd661a3455c1d3e98d331727218db48c0d71cef6b946705877ae3ee88d3fd0bee8d6c6e27076969093f292ecfe26617c620f7f5219a833434d2418957

Download Submit
C:\Windows\System32\gicVdIn.exe

Filesize
3.3MB

MD5
7ead4396e56111ef2c826c5a6f8eb918

SHA1
336c8756b0d04652f0a9f3a44e5401cb84fdbb9e

SHA256
239549e0f0f4b5a537386987361354964e9d129870f0e071d7285dc2da671783

SHA512
f2681d34cbe3928e3236eaf9143a1a544c2f73daa2f54934dda83f53f7d7a8b862cc35365baa8f81f2ba7c5affec7994a476085d27ec2e5617a65674c5a4ce25

Download Submit
C:\Windows\System32\hGThsNT.exe

Filesize
3.3MB

MD5
8ba8ee3897a601198d84ebeb66b8994d

SHA1
10bccbb6e57148e83a4fe70d6867d1bf3085acef

SHA256
90aa6f3f552a3b8bc7b20a2ac6e19d01ba77b7cb5978ce32425d84ab4ee90e8c

SHA512
e0ff5d0701f38b7e404f4541a8e79abf4a2d76a74bb9ab0bfb749a2be341fceee30791d83442a6ddc6275137d16dc2ec31945c9afa990b6ab60a0d6c85498fb6

Download Submit
C:\Windows\System32\hQGeLpy.exe

Filesize
3.3MB

MD5
83b68e574fd696181782c695d22a30bb

SHA1
eaa8daaeacb3711b2e5aaa77ecb9ff500534effb

SHA256
9fa58c4510cead75302a241b927ad26494bb07af5f4de84ee1fe2b489f7be3d6

SHA512
6800f6f6d53ab8c62f70e6f44308b6ea21ca5aaf64feba59121ff6e2ed9aae3093d96ab203b62ab0e0ac7d2f2628b4666e749e3c666f8f342e032eb411070bf0

Download Submit
C:\Windows\System32\hvRuWLp.exe

Filesize
3.3MB

MD5
1bd0ff5ba4b2319210c272e95bdbd623

SHA1
baf54522541fa1f4f673b3960f63bede073087fb

SHA256
7ffc3645604ef29bd8fb03b0e33160c81ee0d1e1033fb0e9353861b4b5499844

SHA512
362abfa404bd467601b96772ef0a07a86f42becd7ebdbe211cc7402b10cfe0689ddc7cc6818d72468fcf44a687cf1e4804241efc52226d11b5bb6dabe5ecd167

Download Submit
C:\Windows\System32\icoNCuF.exe

Filesize
3.3MB

MD5
e48a6bd68f34a6581a025cca38a424c3

SHA1
e07c1cfc8832642dd28c54a3b68ad0badd07a6c8

SHA256
b7de8d2b8b2d221b0bab7e00c1d8696cc47671d87cfd5aa954a330a04888a7a9

SHA512
4baace64046dd00e969f6bba85613a2de7e0eee3f5a3106129175634349042fca72a19bde58c61197cb4147482f665e4487623a2dc9ade1c87dafe7f8f690d73

Download Submit
C:\Windows\System32\mFBbzkY.exe

Filesize
3.3MB

MD5
d64dc5a01c820bdf072822732ffa6965

SHA1
190810283ed33b9a4b0ed2ff49f610cd291c7a1b

SHA256
0bcc0428582c6f72024493c8506277270de35628392cccb22579f3a93d5d03a7

SHA512
5bf6a5817d17dcd95694ca4ee7165802352e58d79a3164391ff166f54fcfee046a9b0a22c5b9ed17233d093390019e6c4f691db60a5b7c970f3945a3ca4f7746

Download Submit
C:\Windows\System32\mlKXJkv.exe

Filesize
3.3MB

MD5
b927837e6fb6fdacefc64c9a1a1e7e8d

SHA1
0ba842f2349752dd607c5470d02d39f2acdae833

SHA256
70053516a20b5b29a18983ff536c19bc645a753af76e7ee60c9b4a1838712468

SHA512
10d243552f8bd7092f22e836dbb599123dd6fc93a6f2400138384982be35e4faec3f41f79e22a236912d026113d9066aeda237202d8a0d33b91901c875ca876c

Download Submit
C:\Windows\System32\oqmtZEx.exe

Filesize
3.3MB

MD5
98ad6838fd8dd53167a8c6bb3e45c049

SHA1
7e16302a9d2f7370612f5a18568dd5f564e296e5

SHA256
f26f5f53c936c364f97d4fca0a629c56ea3b4cd3b9c4349ffa4e828ef44d94cb

SHA512
4539b67228ca2a02f6c614577944102e358f18c7294a2baa4912733b851fcdcc3f26837feecd31a77df661b98ab24df39f8bffd79afb5152dd5fcc48ea33b79e

Download Submit
C:\Windows\System32\pmSgjCH.exe

Filesize
3.3MB

MD5
4251899cf2b97b776265d6256cf88eaa

SHA1
a293bbbd4d20d724dd16b13ebb05bb7678d2cf68

SHA256
470f193721985e387dca2779a65bc14b0053700592be83bffe8d8185753e4ce5

SHA512
97a301d71891c8c3ae09cd884072547b4c50d7faf88473b074c427d9218cb39aacbd869219fc99ed43fa228cff9679b0f57a816353ccab7667e8f3c40a42d821

Download Submit
C:\Windows\System32\rFNLasN.exe

Filesize
3.3MB

MD5
51649f91b4cb1b6098800d637879d7dc

SHA1
71b48ebeb6a3f750154cf60f12a7acccce136978

SHA256
5917d7d99f4b33fe1045c7bed980c22c6d530d922f870963b79b03ad3dad82b7

SHA512
e1c5ede7bc6526fd8d18077b31d70a63f855f73dff442d9288c93d742d07471cdf370ee44deaa5a594a49ba6a850cd90c106a7895d8ddefd7e48bb98eaade305

Download Submit
C:\Windows\System32\uaPcdVM.exe

Filesize
3.3MB

MD5
be04d41f2da00e709e3eef500228327e

SHA1
6a04acd1f12a2fdf6f4952ae27b2423cb2019733

SHA256
bf430c89a6cd3267936a59471b676fdd1c27ef2d98a3a83a6bc04088ffdb172a

SHA512
aa3aa10e499bced127359b8f71098224168f2a444c11a68df96d7d12c30f7e73606eae28b1418abbdbee9f5840da0202d6a32bea8e2cfea941e15f3003a398dc

Download Submit
C:\Windows\System32\vtEWiZP.exe

Filesize
3.3MB

MD5
f2e75b83bcc6ed86a13a63e55733bfc5

SHA1
e1aab1b3f150e0dbe9e5ecc4e82855a6466f2efa

SHA256
0da5bf4ae4cd8d7573a180ea2b5d5beff05abfd794a80d9dd68c886f879d1d5e

SHA512
064296c3b42ea494e32d3c2ff88c0eb98563dfaf2ba4be770146442d2b551be2fe3bf6ced930b01cc7f40ad9d801ad95d3967e960348266f454d4097331f1cd3

Download Submit
C:\Windows\System32\xBwZhRq.exe

Filesize
3.3MB

MD5
f6059476efece51f58680e294cdb48e4

SHA1
78f57bee8ccc8006895d4c83e6d4fb33d8ce9719

SHA256
2745cbf625230e57d87551e8b98c94a843dc1e250144aa45a17a8bd0b8c0df4f

SHA512
b9c49f2aacde87a939b1cc7333173ff4ef601a4b422ecf7de426c33f6a02e19cc862ff1e19458d073fdecf18b0c41b82d1a6420b9e32d86f20041f06f8ceba66

Download Submit
C:\Windows\System32\zPfSieF.exe

Filesize
3.3MB

MD5
22144146b05f57461c06638b4e3678a6

SHA1
c37d01c4fbaf791fe12a0c34fb77f2430203f824

SHA256
14ca801bc54e1d62d7b166630aa72ef4519cb54f327dc90ca66dbdce57a8993a

SHA512
e4f57d7e7d02914efea777d18af40fcb15673d95fb5983639e3377539fa1919c05d18c386cab8ecef2e7547d69a7524949bbf3b86cfc2ea75b467e383fb465f1

Download Submit
memory/960-1905-0x00007FF68A020000-0x00007FF68A415000-memory.dmp

Filesize
4.0MB

Download
memory/960-38-0x00007FF68A020000-0x00007FF68A415000-memory.dmp

Filesize
4.0MB

Download
memory/972-1898-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp

Filesize
4.0MB

Download
memory/972-1-0x0000028E61CB0000-0x0000028E61CC0000-memory.dmp

Filesize
64KB

Download
memory/972-0-0x00007FF6E66B0000-0x00007FF6E6AA5000-memory.dmp

Filesize
4.0MB

Download
memory/1140-1908-0x00007FF713C80000-0x00007FF714075000-memory.dmp

Filesize
4.0MB

Download
memory/1140-843-0x00007FF713C80000-0x00007FF714075000-memory.dmp

Filesize
4.0MB

Download
memory/1200-1901-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp

Filesize
4.0MB

Download
memory/1200-34-0x00007FF7607B0000-0x00007FF760BA5000-memory.dmp

Filesize
4.0MB

Download
memory/1212-1919-0x00007FF7C5450000-0x00007FF7C5845000-memory.dmp

Filesize
4.0MB

Download
memory/1212-946-0x00007FF7C5450000-0x00007FF7C5845000-memory.dmp

Filesize
4.0MB

Download
memory/1400-33-0x00007FF621D70000-0x00007FF622165000-memory.dmp

Filesize
4.0MB

Download
memory/1400-1899-0x00007FF621D70000-0x00007FF622165000-memory.dmp

Filesize
4.0MB

Download
memory/1400-1903-0x00007FF621D70000-0x00007FF622165000-memory.dmp

Filesize
4.0MB

Download
memory/1620-1909-0x00007FF688840000-0x00007FF688C35000-memory.dmp

Filesize
4.0MB

Download
memory/1620-877-0x00007FF688840000-0x00007FF688C35000-memory.dmp

Filesize
4.0MB

Download
memory/1668-904-0x00007FF6810C0000-0x00007FF6814B5000-memory.dmp

Filesize
4.0MB

Download
memory/1668-1915-0x00007FF6810C0000-0x00007FF6814B5000-memory.dmp

Filesize
4.0MB

Download
memory/1768-867-0x00007FF7A7D80000-0x00007FF7A8175000-memory.dmp

Filesize
4.0MB

Download
memory/1768-1913-0x00007FF7A7D80000-0x00007FF7A8175000-memory.dmp

Filesize
4.0MB

Download
memory/2100-936-0x00007FF7586A0000-0x00007FF758A95000-memory.dmp

Filesize
4.0MB

Download
memory/2100-1921-0x00007FF7586A0000-0x00007FF758A95000-memory.dmp

Filesize
4.0MB

Download
memory/2364-932-0x00007FF6053E0000-0x00007FF6057D5000-memory.dmp

Filesize
4.0MB

Download
memory/2364-1916-0x00007FF6053E0000-0x00007FF6057D5000-memory.dmp

Filesize
4.0MB

Download
memory/2800-852-0x00007FF6C5450000-0x00007FF6C5845000-memory.dmp

Filesize
4.0MB

Download
memory/2800-1907-0x00007FF6C5450000-0x00007FF6C5845000-memory.dmp

Filesize
4.0MB

Download
memory/2816-894-0x00007FF7CA740000-0x00007FF7CAB35000-memory.dmp

Filesize
4.0MB

Download
memory/2816-1911-0x00007FF7CA740000-0x00007FF7CAB35000-memory.dmp

Filesize
4.0MB

Download
memory/3160-942-0x00007FF722440000-0x00007FF722835000-memory.dmp

Filesize
4.0MB

Download
memory/3160-1923-0x00007FF722440000-0x00007FF722835000-memory.dmp

Filesize
4.0MB

Download
memory/3172-1918-0x00007FF7F39A0000-0x00007FF7F3D95000-memory.dmp

Filesize
4.0MB

Download
memory/3172-941-0x00007FF7F39A0000-0x00007FF7F3D95000-memory.dmp

Filesize
4.0MB

Download
memory/3708-887-0x00007FF7DD370000-0x00007FF7DD765000-memory.dmp

Filesize
4.0MB

Download
memory/3708-1910-0x00007FF7DD370000-0x00007FF7DD765000-memory.dmp

Filesize
4.0MB

Download
memory/3744-928-0x00007FF7839E0000-0x00007FF783DD5000-memory.dmp

Filesize
4.0MB

Download
memory/3744-1920-0x00007FF7839E0000-0x00007FF783DD5000-memory.dmp

Filesize
4.0MB

Download
memory/3812-945-0x00007FF630EA0000-0x00007FF631295000-memory.dmp

Filesize
4.0MB

Download
memory/3812-1917-0x00007FF630EA0000-0x00007FF631295000-memory.dmp

Filesize
4.0MB

Download
memory/3868-861-0x00007FF7FC770000-0x00007FF7FCB65000-memory.dmp

Filesize
4.0MB

Download
memory/3868-1906-0x00007FF7FC770000-0x00007FF7FCB65000-memory.dmp

Filesize
4.0MB

Download
memory/3884-1902-0x00007FF615730000-0x00007FF615B25000-memory.dmp

Filesize
4.0MB

Download
memory/3884-35-0x00007FF615730000-0x00007FF615B25000-memory.dmp

Filesize
4.0MB

Download
memory/3948-911-0x00007FF66FCA0000-0x00007FF670095000-memory.dmp

Filesize
4.0MB

Download
memory/3948-1914-0x00007FF66FCA0000-0x00007FF670095000-memory.dmp

Filesize
4.0MB

Download
memory/3968-1904-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp

Filesize
4.0MB

Download
memory/3968-25-0x00007FF6124E0000-0x00007FF6128D5000-memory.dmp

Filesize
4.0MB

Download
memory/4332-1900-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp

Filesize
4.0MB

Download
memory/4332-18-0x00007FF68E760000-0x00007FF68EB55000-memory.dmp

Filesize
4.0MB

Download
memory/4676-1922-0x00007FF7FB400000-0x00007FF7FB7F5000-memory.dmp

Filesize
4.0MB

Download
memory/4676-925-0x00007FF7FB400000-0x00007FF7FB7F5000-memory.dmp

Filesize
4.0MB

Download
memory/5104-1912-0x00007FF63CA70000-0x00007FF63CE65000-memory.dmp

Filesize
4.0MB

Download
memory/5104-917-0x00007FF63CA70000-0x00007FF63CE65000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads