xmrig | 6de5a434739945ecf11cf2ba983e278e32594ac5d2f04265fc15b6db185f3510

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 10:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
Size

3.1MB
MD5

afba323989d105ce36ff53accc6b8b90
SHA1

79bc287936d3dd0b5e67ce71c7250855e025eb99
SHA256

6de5a434739945ecf11cf2ba983e278e32594ac5d2f04265fc15b6db185f3510
SHA512

eb273bb94665d285490a22f70c4a776b7f92851e616d16bc61874f9ad5425b1bb43703e42d0ae8477a1e6fc21dd6d5d4e8843676895b317473895deec6b9a209
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc408:NFWPClFk8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4044-0-0x00007FF607D70000-0x00007FF608165000-memory.dmp	xmrig
behavioral2/files/0x0008000000023419-4.dat	xmrig
behavioral2/files/0x000700000002341e-10.dat	xmrig
behavioral2/files/0x000700000002341f-23.dat	xmrig
behavioral2/files/0x0007000000023420-26.dat	xmrig
behavioral2/files/0x0007000000023421-34.dat	xmrig
behavioral2/files/0x0007000000023422-39.dat	xmrig
behavioral2/files/0x0007000000023423-44.dat	xmrig
behavioral2/files/0x0007000000023425-52.dat	xmrig
behavioral2/files/0x0007000000023426-59.dat	xmrig
behavioral2/files/0x0007000000023428-69.dat	xmrig
behavioral2/files/0x000700000002342b-84.dat	xmrig
behavioral2/files/0x0007000000023430-109.dat	xmrig
behavioral2/files/0x0007000000023432-119.dat	xmrig
behavioral2/files/0x0007000000023439-152.dat	xmrig
behavioral2/memory/4612-816-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	xmrig
behavioral2/memory/4080-817-0x00007FF704490000-0x00007FF704885000-memory.dmp	xmrig
behavioral2/files/0x000700000002343b-164.dat	xmrig
behavioral2/files/0x000700000002343a-159.dat	xmrig
behavioral2/files/0x0007000000023438-149.dat	xmrig
behavioral2/files/0x0007000000023437-144.dat	xmrig
behavioral2/files/0x0007000000023436-139.dat	xmrig
behavioral2/files/0x0007000000023435-134.dat	xmrig
behavioral2/files/0x0007000000023434-129.dat	xmrig
behavioral2/files/0x0007000000023433-124.dat	xmrig
behavioral2/files/0x0007000000023431-114.dat	xmrig
behavioral2/files/0x000700000002342f-104.dat	xmrig
behavioral2/files/0x000700000002342e-99.dat	xmrig
behavioral2/files/0x000700000002342d-94.dat	xmrig
behavioral2/files/0x000700000002342c-89.dat	xmrig
behavioral2/files/0x000700000002342a-79.dat	xmrig
behavioral2/files/0x0007000000023429-74.dat	xmrig
behavioral2/files/0x0007000000023427-64.dat	xmrig
behavioral2/files/0x0007000000023424-49.dat	xmrig
behavioral2/memory/2632-22-0x00007FF756A00000-0x00007FF756DF5000-memory.dmp	xmrig
behavioral2/memory/1552-19-0x00007FF740440000-0x00007FF740835000-memory.dmp	xmrig
behavioral2/files/0x000700000002341d-15.dat	xmrig
behavioral2/memory/4032-9-0x00007FF705710000-0x00007FF705B05000-memory.dmp	xmrig
behavioral2/memory/3360-818-0x00007FF6A2190000-0x00007FF6A2585000-memory.dmp	xmrig
behavioral2/memory/1160-821-0x00007FF6DEA70000-0x00007FF6DEE65000-memory.dmp	xmrig
behavioral2/memory/4208-823-0x00007FF7A6CC0000-0x00007FF7A70B5000-memory.dmp	xmrig
behavioral2/memory/4592-829-0x00007FF70F6C0000-0x00007FF70FAB5000-memory.dmp	xmrig
behavioral2/memory/3776-837-0x00007FF765AD0000-0x00007FF765EC5000-memory.dmp	xmrig
behavioral2/memory/1132-831-0x00007FF638650000-0x00007FF638A45000-memory.dmp	xmrig
behavioral2/memory/2072-842-0x00007FF6E8200000-0x00007FF6E85F5000-memory.dmp	xmrig
behavioral2/memory/2288-849-0x00007FF610540000-0x00007FF610935000-memory.dmp	xmrig
behavioral2/memory/696-845-0x00007FF611870000-0x00007FF611C65000-memory.dmp	xmrig
behavioral2/memory/4988-843-0x00007FF6C3BB0000-0x00007FF6C3FA5000-memory.dmp	xmrig
behavioral2/memory/1084-861-0x00007FF625D70000-0x00007FF626165000-memory.dmp	xmrig
behavioral2/memory/1044-868-0x00007FF722A20000-0x00007FF722E15000-memory.dmp	xmrig
behavioral2/memory/2368-871-0x00007FF6903B0000-0x00007FF6907A5000-memory.dmp	xmrig
behavioral2/memory/760-877-0x00007FF734B10000-0x00007FF734F05000-memory.dmp	xmrig
behavioral2/memory/604-875-0x00007FF7517C0000-0x00007FF751BB5000-memory.dmp	xmrig
behavioral2/memory/1844-881-0x00007FF7DF650000-0x00007FF7DFA45000-memory.dmp	xmrig
behavioral2/memory/5088-874-0x00007FF67BC40000-0x00007FF67C035000-memory.dmp	xmrig
behavioral2/memory/4404-888-0x00007FF7A4740000-0x00007FF7A4B35000-memory.dmp	xmrig
behavioral2/memory/2144-892-0x00007FF660B40000-0x00007FF660F35000-memory.dmp	xmrig
behavioral2/memory/4044-1890-0x00007FF607D70000-0x00007FF608165000-memory.dmp	xmrig
behavioral2/memory/1552-1891-0x00007FF740440000-0x00007FF740835000-memory.dmp	xmrig
behavioral2/memory/4612-1892-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	xmrig
behavioral2/memory/4032-1893-0x00007FF705710000-0x00007FF705B05000-memory.dmp	xmrig
behavioral2/memory/1552-1894-0x00007FF740440000-0x00007FF740835000-memory.dmp	xmrig
behavioral2/memory/2144-1897-0x00007FF660B40000-0x00007FF660F35000-memory.dmp	xmrig
behavioral2/memory/4080-1896-0x00007FF704490000-0x00007FF704885000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4032	RpdyjfQ.exe
1552	oeEaRQX.exe
2632	XvRFXuU.exe
4612	daVtOPO.exe
2144	mOvKWuL.exe
4080	oRlUblu.exe
3360	JUKHMTt.exe
1160	ijeSZQB.exe
4208	pWSpNfI.exe
4592	GYwmZCW.exe
1132	ybysqIH.exe
3776	hDoufyI.exe
2072	MDtrFQN.exe
4988	zbpGMca.exe
696	eeRSsXJ.exe
2288	jcctXtj.exe
1084	BbZtbsP.exe
1044	usENgww.exe
2368	nHGsnBB.exe
5088	IFHNYUf.exe
604	wVxPQbH.exe
760	IZYiKJA.exe
1844	HXlwPZs.exe
4404	vtWEryq.exe
4968	ofNmMno.exe
4584	nFEaDmQ.exe
388	CfUhFAu.exe
1544	LEJPtWv.exe
1720	UuHOpXx.exe
1036	kfYdgYI.exe
4932	zAJPyNa.exe
3256	faHpQhl.exe
4504	LQcHGGF.exe
5032	smXIWnA.exe
2688	NYsNRqB.exe
3632	pOTxFFe.exe
1620	hiLnpQx.exe
4396	ADPZIEf.exe
3532	BZAQlAm.exe
2524	SeFjzKB.exe
2232	RqSibLs.exe
1968	ZZxqucF.exe
4840	GlIhMnD.exe
1540	nAVRAts.exe
2992	hHIaZvW.exe
2484	vdhjxDq.exe
2472	XRapFfa.exe
464	ieUUzaX.exe
3872	VYeNsxx.exe
4400	FFTgrYv.exe
3768	UjBicCO.exe
2884	TUkVzUE.exe
5016	SeFHLVE.exe
2316	mZUXpql.exe
4976	PjItEgf.exe
2572	ReVuXhM.exe
3156	GvTNYDs.exe
3672	hxFwwGd.exe
2620	EVzMqWZ.exe
2496	XZsEWlY.exe
988	QkiSjPl.exe
4436	NnheKpP.exe
2044	RWAiFOz.exe
1004	WhcvLns.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x00007FF607D70000-0x00007FF608165000-memory.dmp	upx
behavioral2/files/0x0008000000023419-4.dat	upx
behavioral2/files/0x000700000002341e-10.dat	upx
behavioral2/files/0x000700000002341f-23.dat	upx
behavioral2/files/0x0007000000023420-26.dat	upx
behavioral2/files/0x0007000000023421-34.dat	upx
behavioral2/files/0x0007000000023422-39.dat	upx
behavioral2/files/0x0007000000023423-44.dat	upx
behavioral2/files/0x0007000000023425-52.dat	upx
behavioral2/files/0x0007000000023426-59.dat	upx
behavioral2/files/0x0007000000023428-69.dat	upx
behavioral2/files/0x000700000002342b-84.dat	upx
behavioral2/files/0x0007000000023430-109.dat	upx
behavioral2/files/0x0007000000023432-119.dat	upx
behavioral2/files/0x0007000000023439-152.dat	upx
behavioral2/memory/4612-816-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	upx
behavioral2/memory/4080-817-0x00007FF704490000-0x00007FF704885000-memory.dmp	upx
behavioral2/files/0x000700000002343b-164.dat	upx
behavioral2/files/0x000700000002343a-159.dat	upx
behavioral2/files/0x0007000000023438-149.dat	upx
behavioral2/files/0x0007000000023437-144.dat	upx
behavioral2/files/0x0007000000023436-139.dat	upx
behavioral2/files/0x0007000000023435-134.dat	upx
behavioral2/files/0x0007000000023434-129.dat	upx
behavioral2/files/0x0007000000023433-124.dat	upx
behavioral2/files/0x0007000000023431-114.dat	upx
behavioral2/files/0x000700000002342f-104.dat	upx
behavioral2/files/0x000700000002342e-99.dat	upx
behavioral2/files/0x000700000002342d-94.dat	upx
behavioral2/files/0x000700000002342c-89.dat	upx
behavioral2/files/0x000700000002342a-79.dat	upx
behavioral2/files/0x0007000000023429-74.dat	upx
behavioral2/files/0x0007000000023427-64.dat	upx
behavioral2/files/0x0007000000023424-49.dat	upx
behavioral2/memory/2632-22-0x00007FF756A00000-0x00007FF756DF5000-memory.dmp	upx
behavioral2/memory/1552-19-0x00007FF740440000-0x00007FF740835000-memory.dmp	upx
behavioral2/files/0x000700000002341d-15.dat	upx
behavioral2/memory/4032-9-0x00007FF705710000-0x00007FF705B05000-memory.dmp	upx
behavioral2/memory/3360-818-0x00007FF6A2190000-0x00007FF6A2585000-memory.dmp	upx
behavioral2/memory/1160-821-0x00007FF6DEA70000-0x00007FF6DEE65000-memory.dmp	upx
behavioral2/memory/4208-823-0x00007FF7A6CC0000-0x00007FF7A70B5000-memory.dmp	upx
behavioral2/memory/4592-829-0x00007FF70F6C0000-0x00007FF70FAB5000-memory.dmp	upx
behavioral2/memory/3776-837-0x00007FF765AD0000-0x00007FF765EC5000-memory.dmp	upx
behavioral2/memory/1132-831-0x00007FF638650000-0x00007FF638A45000-memory.dmp	upx
behavioral2/memory/2072-842-0x00007FF6E8200000-0x00007FF6E85F5000-memory.dmp	upx
behavioral2/memory/2288-849-0x00007FF610540000-0x00007FF610935000-memory.dmp	upx
behavioral2/memory/696-845-0x00007FF611870000-0x00007FF611C65000-memory.dmp	upx
behavioral2/memory/4988-843-0x00007FF6C3BB0000-0x00007FF6C3FA5000-memory.dmp	upx
behavioral2/memory/1084-861-0x00007FF625D70000-0x00007FF626165000-memory.dmp	upx
behavioral2/memory/1044-868-0x00007FF722A20000-0x00007FF722E15000-memory.dmp	upx
behavioral2/memory/2368-871-0x00007FF6903B0000-0x00007FF6907A5000-memory.dmp	upx
behavioral2/memory/760-877-0x00007FF734B10000-0x00007FF734F05000-memory.dmp	upx
behavioral2/memory/604-875-0x00007FF7517C0000-0x00007FF751BB5000-memory.dmp	upx
behavioral2/memory/1844-881-0x00007FF7DF650000-0x00007FF7DFA45000-memory.dmp	upx
behavioral2/memory/5088-874-0x00007FF67BC40000-0x00007FF67C035000-memory.dmp	upx
behavioral2/memory/4404-888-0x00007FF7A4740000-0x00007FF7A4B35000-memory.dmp	upx
behavioral2/memory/2144-892-0x00007FF660B40000-0x00007FF660F35000-memory.dmp	upx
behavioral2/memory/4044-1890-0x00007FF607D70000-0x00007FF608165000-memory.dmp	upx
behavioral2/memory/1552-1891-0x00007FF740440000-0x00007FF740835000-memory.dmp	upx
behavioral2/memory/4612-1892-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	upx
behavioral2/memory/4032-1893-0x00007FF705710000-0x00007FF705B05000-memory.dmp	upx
behavioral2/memory/1552-1894-0x00007FF740440000-0x00007FF740835000-memory.dmp	upx
behavioral2/memory/2144-1897-0x00007FF660B40000-0x00007FF660F35000-memory.dmp	upx
behavioral2/memory/4080-1896-0x00007FF704490000-0x00007FF704885000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\rabmWuL.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\ehexEBH.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\DjicamA.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\pOTxFFe.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\qQwaCwS.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\traCOpa.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\zMnyZsJ.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\wQXnioH.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\smXIWnA.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\BnSsVfW.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZZKEYwL.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\cABGllK.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\abhnnfj.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\NMgAQTT.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\AfLTqFC.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\yFmXVTX.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\wygEvJY.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\EDdrDRd.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\mpaqFYz.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\XFEAuvU.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\uQXnUgD.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\QAKdXri.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\KcXSOXH.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\Maribdl.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\QMhXjHb.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\QlEXaEa.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\UuGcnHP.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\qPhMtmS.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\aKKJRbQ.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\DKohulx.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\iKIFRlC.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\fLAxslS.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZmoodPS.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\aTjiUlq.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\WewUDDz.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\KsMFYIq.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\odXrahk.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\tihhLaK.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\nWSmsdy.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\RpdyjfQ.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\vdhjxDq.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZcWFZqr.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\nxtoyZe.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\BaCxihZ.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\DKEWdqS.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\yzkCiXr.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\HlkQZJH.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\yDcIZCp.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\XpDRteK.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\rERHlYB.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\lwSAOIp.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\FFcocCw.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\dMGrScP.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\lDXIVTd.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\wPLyKOW.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\MEBWWHV.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\SvYMUuK.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\oYYDiQr.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\oeEaRQX.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\ZsOLxjn.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\qnHeWFR.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\aPJMNOb.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\qYPHKfy.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
File created	C:\Windows\System32\KzgYakH.exe	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2164	dwm.exe
Token: SeChangeNotifyPrivilege	2164	dwm.exe
Token: 33	2164	dwm.exe
Token: SeIncBasePriorityPrivilege	2164	dwm.exe
Token: SeShutdownPrivilege	2164	dwm.exe
Token: SeCreatePagefilePrivilege	2164	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4032	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	84
PID 4044 wrote to memory of 4032	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	84
PID 4044 wrote to memory of 1552	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	85
PID 4044 wrote to memory of 1552	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	85
PID 4044 wrote to memory of 2632	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	86
PID 4044 wrote to memory of 2632	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	86
PID 4044 wrote to memory of 4612	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	87
PID 4044 wrote to memory of 4612	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	87
PID 4044 wrote to memory of 2144	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	88
PID 4044 wrote to memory of 2144	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	88
PID 4044 wrote to memory of 4080	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	89
PID 4044 wrote to memory of 4080	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	89
PID 4044 wrote to memory of 3360	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	90
PID 4044 wrote to memory of 3360	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	90
PID 4044 wrote to memory of 1160	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	91
PID 4044 wrote to memory of 1160	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	91
PID 4044 wrote to memory of 4208	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	92
PID 4044 wrote to memory of 4208	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	92
PID 4044 wrote to memory of 4592	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	93
PID 4044 wrote to memory of 4592	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	93
PID 4044 wrote to memory of 1132	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	94
PID 4044 wrote to memory of 1132	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	94
PID 4044 wrote to memory of 3776	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	95
PID 4044 wrote to memory of 3776	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	95
PID 4044 wrote to memory of 2072	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	96
PID 4044 wrote to memory of 2072	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	96
PID 4044 wrote to memory of 4988	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	97
PID 4044 wrote to memory of 4988	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	97
PID 4044 wrote to memory of 696	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	98
PID 4044 wrote to memory of 696	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	98
PID 4044 wrote to memory of 2288	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	99
PID 4044 wrote to memory of 2288	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	99
PID 4044 wrote to memory of 1084	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	100
PID 4044 wrote to memory of 1084	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	100
PID 4044 wrote to memory of 1044	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	101
PID 4044 wrote to memory of 1044	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	101
PID 4044 wrote to memory of 2368	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	102
PID 4044 wrote to memory of 2368	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	102
PID 4044 wrote to memory of 5088	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	103
PID 4044 wrote to memory of 5088	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	103
PID 4044 wrote to memory of 604	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	104
PID 4044 wrote to memory of 604	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	104
PID 4044 wrote to memory of 760	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	105
PID 4044 wrote to memory of 760	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	105
PID 4044 wrote to memory of 1844	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	106
PID 4044 wrote to memory of 1844	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	106
PID 4044 wrote to memory of 4404	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	107
PID 4044 wrote to memory of 4404	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	107
PID 4044 wrote to memory of 4968	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	108
PID 4044 wrote to memory of 4968	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	108
PID 4044 wrote to memory of 4584	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	109
PID 4044 wrote to memory of 4584	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	109
PID 4044 wrote to memory of 388	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	110
PID 4044 wrote to memory of 388	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	110
PID 4044 wrote to memory of 1544	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	111
PID 4044 wrote to memory of 1544	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	111
PID 4044 wrote to memory of 1720	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	112
PID 4044 wrote to memory of 1720	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	112
PID 4044 wrote to memory of 1036	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	113
PID 4044 wrote to memory of 1036	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	113
PID 4044 wrote to memory of 4932	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	114
PID 4044 wrote to memory of 4932	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	114
PID 4044 wrote to memory of 3256	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	115
PID 4044 wrote to memory of 3256	4044	afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\afba323989d105ce36ff53accc6b8b90_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\RpdyjfQ.exe
  C:\Windows\System32\RpdyjfQ.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\oeEaRQX.exe
  C:\Windows\System32\oeEaRQX.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\XvRFXuU.exe
  C:\Windows\System32\XvRFXuU.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System32\daVtOPO.exe
  C:\Windows\System32\daVtOPO.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\mOvKWuL.exe
  C:\Windows\System32\mOvKWuL.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System32\oRlUblu.exe
  C:\Windows\System32\oRlUblu.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\JUKHMTt.exe
  C:\Windows\System32\JUKHMTt.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\ijeSZQB.exe
  C:\Windows\System32\ijeSZQB.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\pWSpNfI.exe
  C:\Windows\System32\pWSpNfI.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\GYwmZCW.exe
  C:\Windows\System32\GYwmZCW.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\ybysqIH.exe
  C:\Windows\System32\ybysqIH.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\hDoufyI.exe
  C:\Windows\System32\hDoufyI.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\MDtrFQN.exe
  C:\Windows\System32\MDtrFQN.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\zbpGMca.exe
  C:\Windows\System32\zbpGMca.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\eeRSsXJ.exe
  C:\Windows\System32\eeRSsXJ.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\jcctXtj.exe
  C:\Windows\System32\jcctXtj.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\BbZtbsP.exe
  C:\Windows\System32\BbZtbsP.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\usENgww.exe
  C:\Windows\System32\usENgww.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\nHGsnBB.exe
  C:\Windows\System32\nHGsnBB.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\IFHNYUf.exe
  C:\Windows\System32\IFHNYUf.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\wVxPQbH.exe
  C:\Windows\System32\wVxPQbH.exe
  2⤵
  - Executes dropped EXE
  PID:604
- C:\Windows\System32\IZYiKJA.exe
  C:\Windows\System32\IZYiKJA.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\HXlwPZs.exe
  C:\Windows\System32\HXlwPZs.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System32\vtWEryq.exe
  C:\Windows\System32\vtWEryq.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\ofNmMno.exe
  C:\Windows\System32\ofNmMno.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\nFEaDmQ.exe
  C:\Windows\System32\nFEaDmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\CfUhFAu.exe
  C:\Windows\System32\CfUhFAu.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\LEJPtWv.exe
  C:\Windows\System32\LEJPtWv.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\UuHOpXx.exe
  C:\Windows\System32\UuHOpXx.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\kfYdgYI.exe
  C:\Windows\System32\kfYdgYI.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\zAJPyNa.exe
  C:\Windows\System32\zAJPyNa.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\faHpQhl.exe
  C:\Windows\System32\faHpQhl.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\LQcHGGF.exe
  C:\Windows\System32\LQcHGGF.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\smXIWnA.exe
  C:\Windows\System32\smXIWnA.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\NYsNRqB.exe
  C:\Windows\System32\NYsNRqB.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\pOTxFFe.exe
  C:\Windows\System32\pOTxFFe.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\hiLnpQx.exe
  C:\Windows\System32\hiLnpQx.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\ADPZIEf.exe
  C:\Windows\System32\ADPZIEf.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\BZAQlAm.exe
  C:\Windows\System32\BZAQlAm.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\SeFjzKB.exe
  C:\Windows\System32\SeFjzKB.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\RqSibLs.exe
  C:\Windows\System32\RqSibLs.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\ZZxqucF.exe
  C:\Windows\System32\ZZxqucF.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\GlIhMnD.exe
  C:\Windows\System32\GlIhMnD.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\nAVRAts.exe
  C:\Windows\System32\nAVRAts.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\hHIaZvW.exe
  C:\Windows\System32\hHIaZvW.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\vdhjxDq.exe
  C:\Windows\System32\vdhjxDq.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\XRapFfa.exe
  C:\Windows\System32\XRapFfa.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\ieUUzaX.exe
  C:\Windows\System32\ieUUzaX.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\VYeNsxx.exe
  C:\Windows\System32\VYeNsxx.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System32\FFTgrYv.exe
  C:\Windows\System32\FFTgrYv.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\UjBicCO.exe
  C:\Windows\System32\UjBicCO.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\TUkVzUE.exe
  C:\Windows\System32\TUkVzUE.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\SeFHLVE.exe
  C:\Windows\System32\SeFHLVE.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\mZUXpql.exe
  C:\Windows\System32\mZUXpql.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\PjItEgf.exe
  C:\Windows\System32\PjItEgf.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\ReVuXhM.exe
  C:\Windows\System32\ReVuXhM.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System32\GvTNYDs.exe
  C:\Windows\System32\GvTNYDs.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\hxFwwGd.exe
  C:\Windows\System32\hxFwwGd.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\EVzMqWZ.exe
  C:\Windows\System32\EVzMqWZ.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\XZsEWlY.exe
  C:\Windows\System32\XZsEWlY.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\QkiSjPl.exe
  C:\Windows\System32\QkiSjPl.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System32\NnheKpP.exe
  C:\Windows\System32\NnheKpP.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\RWAiFOz.exe
  C:\Windows\System32\RWAiFOz.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\WhcvLns.exe
  C:\Windows\System32\WhcvLns.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\azkvzBY.exe
  C:\Windows\System32\azkvzBY.exe
  2⤵
  PID:4764
- C:\Windows\System32\ylmtNti.exe
  C:\Windows\System32\ylmtNti.exe
  2⤵
  PID:4776
- C:\Windows\System32\ocrgVpM.exe
  C:\Windows\System32\ocrgVpM.exe
  2⤵
  PID:3924
- C:\Windows\System32\qDVISeL.exe
  C:\Windows\System32\qDVISeL.exe
  2⤵
  PID:1128
- C:\Windows\System32\UVBsOYi.exe
  C:\Windows\System32\UVBsOYi.exe
  2⤵
  PID:3944
- C:\Windows\System32\Vypyywh.exe
  C:\Windows\System32\Vypyywh.exe
  2⤵
  PID:2860
- C:\Windows\System32\pOGMpcf.exe
  C:\Windows\System32\pOGMpcf.exe
  2⤵
  PID:1012
- C:\Windows\System32\ezuNJkJ.exe
  C:\Windows\System32\ezuNJkJ.exe
  2⤵
  PID:3932
- C:\Windows\System32\zvvkiLO.exe
  C:\Windows\System32\zvvkiLO.exe
  2⤵
  PID:3488
- C:\Windows\System32\DKohulx.exe
  C:\Windows\System32\DKohulx.exe
  2⤵
  PID:1344
- C:\Windows\System32\COHmEjs.exe
  C:\Windows\System32\COHmEjs.exe
  2⤵
  PID:3064
- C:\Windows\System32\VCtjqOc.exe
  C:\Windows\System32\VCtjqOc.exe
  2⤵
  PID:4908
- C:\Windows\System32\EDdrDRd.exe
  C:\Windows\System32\EDdrDRd.exe
  2⤵
  PID:4628
- C:\Windows\System32\RNHZcgR.exe
  C:\Windows\System32\RNHZcgR.exe
  2⤵
  PID:2432
- C:\Windows\System32\mpaqFYz.exe
  C:\Windows\System32\mpaqFYz.exe
  2⤵
  PID:5100
- C:\Windows\System32\gMiVhjZ.exe
  C:\Windows\System32\gMiVhjZ.exe
  2⤵
  PID:5132
- C:\Windows\System32\cwYPpfh.exe
  C:\Windows\System32\cwYPpfh.exe
  2⤵
  PID:5160
- C:\Windows\System32\fowvqIR.exe
  C:\Windows\System32\fowvqIR.exe
  2⤵
  PID:5188
- C:\Windows\System32\sEHYSYB.exe
  C:\Windows\System32\sEHYSYB.exe
  2⤵
  PID:5216
- C:\Windows\System32\pieuteo.exe
  C:\Windows\System32\pieuteo.exe
  2⤵
  PID:5244
- C:\Windows\System32\LULbaGE.exe
  C:\Windows\System32\LULbaGE.exe
  2⤵
  PID:5272
- C:\Windows\System32\TIipQAk.exe
  C:\Windows\System32\TIipQAk.exe
  2⤵
  PID:5308
- C:\Windows\System32\utzCUIY.exe
  C:\Windows\System32\utzCUIY.exe
  2⤵
  PID:5336
- C:\Windows\System32\BrcipNv.exe
  C:\Windows\System32\BrcipNv.exe
  2⤵
  PID:5356
- C:\Windows\System32\xYdTNJA.exe
  C:\Windows\System32\xYdTNJA.exe
  2⤵
  PID:5384
- C:\Windows\System32\jMbwJIW.exe
  C:\Windows\System32\jMbwJIW.exe
  2⤵
  PID:5412
- C:\Windows\System32\qQwaCwS.exe
  C:\Windows\System32\qQwaCwS.exe
  2⤵
  PID:5440
- C:\Windows\System32\eapVkgu.exe
  C:\Windows\System32\eapVkgu.exe
  2⤵
  PID:5468
- C:\Windows\System32\fLZJWLv.exe
  C:\Windows\System32\fLZJWLv.exe
  2⤵
  PID:5496
- C:\Windows\System32\BYpewdh.exe
  C:\Windows\System32\BYpewdh.exe
  2⤵
  PID:5524
- C:\Windows\System32\ZyXQxTR.exe
  C:\Windows\System32\ZyXQxTR.exe
  2⤵
  PID:5552
- C:\Windows\System32\iipPHVs.exe
  C:\Windows\System32\iipPHVs.exe
  2⤵
  PID:5580
- C:\Windows\System32\hBffVEC.exe
  C:\Windows\System32\hBffVEC.exe
  2⤵
  PID:5608
- C:\Windows\System32\CVnUyNB.exe
  C:\Windows\System32\CVnUyNB.exe
  2⤵
  PID:5636
- C:\Windows\System32\FdvUjBj.exe
  C:\Windows\System32\FdvUjBj.exe
  2⤵
  PID:5664
- C:\Windows\System32\IZwrsfJ.exe
  C:\Windows\System32\IZwrsfJ.exe
  2⤵
  PID:5692
- C:\Windows\System32\IWobLcs.exe
  C:\Windows\System32\IWobLcs.exe
  2⤵
  PID:5720
- C:\Windows\System32\rabmWuL.exe
  C:\Windows\System32\rabmWuL.exe
  2⤵
  PID:5748
- C:\Windows\System32\KcXSOXH.exe
  C:\Windows\System32\KcXSOXH.exe
  2⤵
  PID:5776
- C:\Windows\System32\xCeGrSP.exe
  C:\Windows\System32\xCeGrSP.exe
  2⤵
  PID:5804
- C:\Windows\System32\jcuCZNJ.exe
  C:\Windows\System32\jcuCZNJ.exe
  2⤵
  PID:5832
- C:\Windows\System32\uQFXedg.exe
  C:\Windows\System32\uQFXedg.exe
  2⤵
  PID:5860
- C:\Windows\System32\HCRgEch.exe
  C:\Windows\System32\HCRgEch.exe
  2⤵
  PID:5888
- C:\Windows\System32\LoMXRHT.exe
  C:\Windows\System32\LoMXRHT.exe
  2⤵
  PID:5916
- C:\Windows\System32\UWWysFI.exe
  C:\Windows\System32\UWWysFI.exe
  2⤵
  PID:5944
- C:\Windows\System32\BIHbeQV.exe
  C:\Windows\System32\BIHbeQV.exe
  2⤵
  PID:5972
- C:\Windows\System32\pHUFMQp.exe
  C:\Windows\System32\pHUFMQp.exe
  2⤵
  PID:6000
- C:\Windows\System32\MEBWWHV.exe
  C:\Windows\System32\MEBWWHV.exe
  2⤵
  PID:6028
- C:\Windows\System32\FDeuBrr.exe
  C:\Windows\System32\FDeuBrr.exe
  2⤵
  PID:6056
- C:\Windows\System32\VVoTVkG.exe
  C:\Windows\System32\VVoTVkG.exe
  2⤵
  PID:6084
- C:\Windows\System32\YyoezfM.exe
  C:\Windows\System32\YyoezfM.exe
  2⤵
  PID:6112
- C:\Windows\System32\yTHVmqe.exe
  C:\Windows\System32\yTHVmqe.exe
  2⤵
  PID:6140
- C:\Windows\System32\uaPmHHN.exe
  C:\Windows\System32\uaPmHHN.exe
  2⤵
  PID:1356
- C:\Windows\System32\nWSRqwf.exe
  C:\Windows\System32\nWSRqwf.exe
  2⤵
  PID:4372
- C:\Windows\System32\HlkQZJH.exe
  C:\Windows\System32\HlkQZJH.exe
  2⤵
  PID:4108
- C:\Windows\System32\KzgYakH.exe
  C:\Windows\System32\KzgYakH.exe
  2⤵
  PID:1268
- C:\Windows\System32\ToOrdmz.exe
  C:\Windows\System32\ToOrdmz.exe
  2⤵
  PID:4292
- C:\Windows\System32\emYdTTv.exe
  C:\Windows\System32\emYdTTv.exe
  2⤵
  PID:5172
- C:\Windows\System32\lwSAOIp.exe
  C:\Windows\System32\lwSAOIp.exe
  2⤵
  PID:5240
- C:\Windows\System32\icmLlZO.exe
  C:\Windows\System32\icmLlZO.exe
  2⤵
  PID:5288
- C:\Windows\System32\NbBZNAR.exe
  C:\Windows\System32\NbBZNAR.exe
  2⤵
  PID:5368
- C:\Windows\System32\VuwAaQQ.exe
  C:\Windows\System32\VuwAaQQ.exe
  2⤵
  PID:5436
- C:\Windows\System32\OuLenIU.exe
  C:\Windows\System32\OuLenIU.exe
  2⤵
  PID:5484
- C:\Windows\System32\yGNTxeM.exe
  C:\Windows\System32\yGNTxeM.exe
  2⤵
  PID:5564
- C:\Windows\System32\mPbGwrS.exe
  C:\Windows\System32\mPbGwrS.exe
  2⤵
  PID:5632
- C:\Windows\System32\LoEQQDZ.exe
  C:\Windows\System32\LoEQQDZ.exe
  2⤵
  PID:5680
- C:\Windows\System32\zBcXLsc.exe
  C:\Windows\System32\zBcXLsc.exe
  2⤵
  PID:5760
- C:\Windows\System32\KUCJYYL.exe
  C:\Windows\System32\KUCJYYL.exe
  2⤵
  PID:5828
- C:\Windows\System32\YzyKVuu.exe
  C:\Windows\System32\YzyKVuu.exe
  2⤵
  PID:5876
- C:\Windows\System32\KTyWHZS.exe
  C:\Windows\System32\KTyWHZS.exe
  2⤵
  PID:5956
- C:\Windows\System32\mlrbYRc.exe
  C:\Windows\System32\mlrbYRc.exe
  2⤵
  PID:6024
- C:\Windows\System32\nftYFIE.exe
  C:\Windows\System32\nftYFIE.exe
  2⤵
  PID:6072
- C:\Windows\System32\hGWldjx.exe
  C:\Windows\System32\hGWldjx.exe
  2⤵
  PID:436
- C:\Windows\System32\VfzAsoY.exe
  C:\Windows\System32\VfzAsoY.exe
  2⤵
  PID:372
- C:\Windows\System32\VJOklLC.exe
  C:\Windows\System32\VJOklLC.exe
  2⤵
  PID:800
- C:\Windows\System32\xefdUSb.exe
  C:\Windows\System32\xefdUSb.exe
  2⤵
  PID:5268
- C:\Windows\System32\ONMLOrB.exe
  C:\Windows\System32\ONMLOrB.exe
  2⤵
  PID:5424
- C:\Windows\System32\SQDeqCz.exe
  C:\Windows\System32\SQDeqCz.exe
  2⤵
  PID:5536
- C:\Windows\System32\PBIRnZX.exe
  C:\Windows\System32\PBIRnZX.exe
  2⤵
  PID:5708
- C:\Windows\System32\boBVajE.exe
  C:\Windows\System32\boBVajE.exe
  2⤵
  PID:5904
- C:\Windows\System32\qKRrotx.exe
  C:\Windows\System32\qKRrotx.exe
  2⤵
  PID:6164
- C:\Windows\System32\aTjiUlq.exe
  C:\Windows\System32\aTjiUlq.exe
  2⤵
  PID:6192
- C:\Windows\System32\bbvEgVG.exe
  C:\Windows\System32\bbvEgVG.exe
  2⤵
  PID:6220
- C:\Windows\System32\eIuSfvL.exe
  C:\Windows\System32\eIuSfvL.exe
  2⤵
  PID:6248
- C:\Windows\System32\ciJPjnB.exe
  C:\Windows\System32\ciJPjnB.exe
  2⤵
  PID:6276
- C:\Windows\System32\WMEWjOT.exe
  C:\Windows\System32\WMEWjOT.exe
  2⤵
  PID:6304
- C:\Windows\System32\qXCHaDc.exe
  C:\Windows\System32\qXCHaDc.exe
  2⤵
  PID:6332
- C:\Windows\System32\VjZkAFd.exe
  C:\Windows\System32\VjZkAFd.exe
  2⤵
  PID:6360
- C:\Windows\System32\mVZlnDq.exe
  C:\Windows\System32\mVZlnDq.exe
  2⤵
  PID:6388
- C:\Windows\System32\FLwrWMV.exe
  C:\Windows\System32\FLwrWMV.exe
  2⤵
  PID:6416
- C:\Windows\System32\jkSgUwD.exe
  C:\Windows\System32\jkSgUwD.exe
  2⤵
  PID:6444
- C:\Windows\System32\hpIpBSL.exe
  C:\Windows\System32\hpIpBSL.exe
  2⤵
  PID:6472
- C:\Windows\System32\bWdFXAG.exe
  C:\Windows\System32\bWdFXAG.exe
  2⤵
  PID:6500
- C:\Windows\System32\VnfEZJC.exe
  C:\Windows\System32\VnfEZJC.exe
  2⤵
  PID:6528
- C:\Windows\System32\zAXrylD.exe
  C:\Windows\System32\zAXrylD.exe
  2⤵
  PID:6556
- C:\Windows\System32\ixRZDbw.exe
  C:\Windows\System32\ixRZDbw.exe
  2⤵
  PID:6584
- C:\Windows\System32\bbmBcZy.exe
  C:\Windows\System32\bbmBcZy.exe
  2⤵
  PID:6612
- C:\Windows\System32\tvlntLT.exe
  C:\Windows\System32\tvlntLT.exe
  2⤵
  PID:6640
- C:\Windows\System32\mZpTBJy.exe
  C:\Windows\System32\mZpTBJy.exe
  2⤵
  PID:6668
- C:\Windows\System32\OdpHxxa.exe
  C:\Windows\System32\OdpHxxa.exe
  2⤵
  PID:6696
- C:\Windows\System32\cmkfsFQ.exe
  C:\Windows\System32\cmkfsFQ.exe
  2⤵
  PID:6724
- C:\Windows\System32\WyVmqTK.exe
  C:\Windows\System32\WyVmqTK.exe
  2⤵
  PID:6752
- C:\Windows\System32\CnWGWRP.exe
  C:\Windows\System32\CnWGWRP.exe
  2⤵
  PID:6780
- C:\Windows\System32\xlOSvjB.exe
  C:\Windows\System32\xlOSvjB.exe
  2⤵
  PID:6808
- C:\Windows\System32\hnfsUug.exe
  C:\Windows\System32\hnfsUug.exe
  2⤵
  PID:6836
- C:\Windows\System32\FfToBbn.exe
  C:\Windows\System32\FfToBbn.exe
  2⤵
  PID:6864
- C:\Windows\System32\WewUDDz.exe
  C:\Windows\System32\WewUDDz.exe
  2⤵
  PID:6892
- C:\Windows\System32\nEQmjgm.exe
  C:\Windows\System32\nEQmjgm.exe
  2⤵
  PID:6920
- C:\Windows\System32\ZsOLxjn.exe
  C:\Windows\System32\ZsOLxjn.exe
  2⤵
  PID:6948
- C:\Windows\System32\KsMFYIq.exe
  C:\Windows\System32\KsMFYIq.exe
  2⤵
  PID:6976
- C:\Windows\System32\veiWmgz.exe
  C:\Windows\System32\veiWmgz.exe
  2⤵
  PID:7004
- C:\Windows\System32\wsYcZpd.exe
  C:\Windows\System32\wsYcZpd.exe
  2⤵
  PID:7032
- C:\Windows\System32\RkapzdA.exe
  C:\Windows\System32\RkapzdA.exe
  2⤵
  PID:7060
- C:\Windows\System32\GoRpHyy.exe
  C:\Windows\System32\GoRpHyy.exe
  2⤵
  PID:7088
- C:\Windows\System32\GetCyQL.exe
  C:\Windows\System32\GetCyQL.exe
  2⤵
  PID:7116
- C:\Windows\System32\kTLQvuj.exe
  C:\Windows\System32\kTLQvuj.exe
  2⤵
  PID:7152
- C:\Windows\System32\kiwweSG.exe
  C:\Windows\System32\kiwweSG.exe
  2⤵
  PID:5928
- C:\Windows\System32\PUtckiT.exe
  C:\Windows\System32\PUtckiT.exe
  2⤵
  PID:6044
- C:\Windows\System32\WoNZENS.exe
  C:\Windows\System32\WoNZENS.exe
  2⤵
  PID:4016
- C:\Windows\System32\wrGKMoE.exe
  C:\Windows\System32\wrGKMoE.exe
  2⤵
  PID:5396
- C:\Windows\System32\MfoClJl.exe
  C:\Windows\System32\MfoClJl.exe
  2⤵
  PID:5652
- C:\Windows\System32\IaFquuS.exe
  C:\Windows\System32\IaFquuS.exe
  2⤵
  PID:6156
- C:\Windows\System32\TNgfFwn.exe
  C:\Windows\System32\TNgfFwn.exe
  2⤵
  PID:6232
- C:\Windows\System32\VcowXoX.exe
  C:\Windows\System32\VcowXoX.exe
  2⤵
  PID:6300
- C:\Windows\System32\cKrMduZ.exe
  C:\Windows\System32\cKrMduZ.exe
  2⤵
  PID:6348
- C:\Windows\System32\FFcocCw.exe
  C:\Windows\System32\FFcocCw.exe
  2⤵
  PID:6428
- C:\Windows\System32\ZvqYnNX.exe
  C:\Windows\System32\ZvqYnNX.exe
  2⤵
  PID:6488
- C:\Windows\System32\TvhgWml.exe
  C:\Windows\System32\TvhgWml.exe
  2⤵
  PID:6544
- C:\Windows\System32\uMOrerr.exe
  C:\Windows\System32\uMOrerr.exe
  2⤵
  PID:6624
- C:\Windows\System32\cqYkLmG.exe
  C:\Windows\System32\cqYkLmG.exe
  2⤵
  PID:6692
- C:\Windows\System32\XVvawEV.exe
  C:\Windows\System32\XVvawEV.exe
  2⤵
  PID:6748
- C:\Windows\System32\DbsRbhJ.exe
  C:\Windows\System32\DbsRbhJ.exe
  2⤵
  PID:6796
- C:\Windows\System32\FwhxQpj.exe
  C:\Windows\System32\FwhxQpj.exe
  2⤵
  PID:6876
- C:\Windows\System32\iKIFRlC.exe
  C:\Windows\System32\iKIFRlC.exe
  2⤵
  PID:6944
- C:\Windows\System32\yqobUQj.exe
  C:\Windows\System32\yqobUQj.exe
  2⤵
  PID:6992
- C:\Windows\System32\ClKkYiJ.exe
  C:\Windows\System32\ClKkYiJ.exe
  2⤵
  PID:7048
- C:\Windows\System32\zylcuOE.exe
  C:\Windows\System32\zylcuOE.exe
  2⤵
  PID:7128
- C:\Windows\System32\NXoGZFE.exe
  C:\Windows\System32\NXoGZFE.exe
  2⤵
  PID:1000
- C:\Windows\System32\cacuutE.exe
  C:\Windows\System32\cacuutE.exe
  2⤵
  PID:5324
- C:\Windows\System32\sPhSDNA.exe
  C:\Windows\System32\sPhSDNA.exe
  2⤵
  PID:5816
- C:\Windows\System32\VbJYXqy.exe
  C:\Windows\System32\VbJYXqy.exe
  2⤵
  PID:224
- C:\Windows\System32\XlrxFAP.exe
  C:\Windows\System32\XlrxFAP.exe
  2⤵
  PID:6456
- C:\Windows\System32\KenlIZi.exe
  C:\Windows\System32\KenlIZi.exe
  2⤵
  PID:6600
- C:\Windows\System32\zekxnfc.exe
  C:\Windows\System32\zekxnfc.exe
  2⤵
  PID:6736
- C:\Windows\System32\IlOVBfH.exe
  C:\Windows\System32\IlOVBfH.exe
  2⤵
  PID:6848
- C:\Windows\System32\GydgmTx.exe
  C:\Windows\System32\GydgmTx.exe
  2⤵
  PID:7020
- C:\Windows\System32\UuGcnHP.exe
  C:\Windows\System32\UuGcnHP.exe
  2⤵
  PID:5940
- C:\Windows\System32\qbTkzLJ.exe
  C:\Windows\System32\qbTkzLJ.exe
  2⤵
  PID:5456
- C:\Windows\System32\bOFQgcS.exe
  C:\Windows\System32\bOFQgcS.exe
  2⤵
  PID:7192
- C:\Windows\System32\QQHVYgt.exe
  C:\Windows\System32\QQHVYgt.exe
  2⤵
  PID:7220
- C:\Windows\System32\xbxNpwa.exe
  C:\Windows\System32\xbxNpwa.exe
  2⤵
  PID:7248
- C:\Windows\System32\urkfKqP.exe
  C:\Windows\System32\urkfKqP.exe
  2⤵
  PID:7276
- C:\Windows\System32\aRrGDzb.exe
  C:\Windows\System32\aRrGDzb.exe
  2⤵
  PID:7304
- C:\Windows\System32\kFtefBA.exe
  C:\Windows\System32\kFtefBA.exe
  2⤵
  PID:7332
- C:\Windows\System32\iPzCxas.exe
  C:\Windows\System32\iPzCxas.exe
  2⤵
  PID:7360
- C:\Windows\System32\zJxsHyz.exe
  C:\Windows\System32\zJxsHyz.exe
  2⤵
  PID:7388
- C:\Windows\System32\xwosInB.exe
  C:\Windows\System32\xwosInB.exe
  2⤵
  PID:7416
- C:\Windows\System32\ZDZhANh.exe
  C:\Windows\System32\ZDZhANh.exe
  2⤵
  PID:7444
- C:\Windows\System32\ZwuUBFf.exe
  C:\Windows\System32\ZwuUBFf.exe
  2⤵
  PID:7472
- C:\Windows\System32\cnsztep.exe
  C:\Windows\System32\cnsztep.exe
  2⤵
  PID:7500
- C:\Windows\System32\tTqZaVE.exe
  C:\Windows\System32\tTqZaVE.exe
  2⤵
  PID:7528
- C:\Windows\System32\pJjbrPR.exe
  C:\Windows\System32\pJjbrPR.exe
  2⤵
  PID:7556
- C:\Windows\System32\xQVimKx.exe
  C:\Windows\System32\xQVimKx.exe
  2⤵
  PID:7584
- C:\Windows\System32\Maribdl.exe
  C:\Windows\System32\Maribdl.exe
  2⤵
  PID:7612
- C:\Windows\System32\WAPgVPt.exe
  C:\Windows\System32\WAPgVPt.exe
  2⤵
  PID:7640
- C:\Windows\System32\AvjPjbH.exe
  C:\Windows\System32\AvjPjbH.exe
  2⤵
  PID:7668
- C:\Windows\System32\ioNnHWu.exe
  C:\Windows\System32\ioNnHWu.exe
  2⤵
  PID:7696
- C:\Windows\System32\HfZlWZI.exe
  C:\Windows\System32\HfZlWZI.exe
  2⤵
  PID:7724
- C:\Windows\System32\GHwFSyu.exe
  C:\Windows\System32\GHwFSyu.exe
  2⤵
  PID:7752
- C:\Windows\System32\iAsUwaj.exe
  C:\Windows\System32\iAsUwaj.exe
  2⤵
  PID:7788
- C:\Windows\System32\zpxwGft.exe
  C:\Windows\System32\zpxwGft.exe
  2⤵
  PID:7808
- C:\Windows\System32\iilYHUW.exe
  C:\Windows\System32\iilYHUW.exe
  2⤵
  PID:7836
- C:\Windows\System32\nVhbXTC.exe
  C:\Windows\System32\nVhbXTC.exe
  2⤵
  PID:7864
- C:\Windows\System32\vlXeIoW.exe
  C:\Windows\System32\vlXeIoW.exe
  2⤵
  PID:7892
- C:\Windows\System32\oOZahPD.exe
  C:\Windows\System32\oOZahPD.exe
  2⤵
  PID:7920
- C:\Windows\System32\ZEOmMsl.exe
  C:\Windows\System32\ZEOmMsl.exe
  2⤵
  PID:7948
- C:\Windows\System32\ZWfOrig.exe
  C:\Windows\System32\ZWfOrig.exe
  2⤵
  PID:7976
- C:\Windows\System32\JuYgVpW.exe
  C:\Windows\System32\JuYgVpW.exe
  2⤵
  PID:8004
- C:\Windows\System32\RkZOEiC.exe
  C:\Windows\System32\RkZOEiC.exe
  2⤵
  PID:8032
- C:\Windows\System32\ilwBaVa.exe
  C:\Windows\System32\ilwBaVa.exe
  2⤵
  PID:8060
- C:\Windows\System32\AQjbVqk.exe
  C:\Windows\System32\AQjbVqk.exe
  2⤵
  PID:8088
- C:\Windows\System32\fosiHju.exe
  C:\Windows\System32\fosiHju.exe
  2⤵
  PID:8116
- C:\Windows\System32\ZUbdtMv.exe
  C:\Windows\System32\ZUbdtMv.exe
  2⤵
  PID:8144
- C:\Windows\System32\RqyBOGM.exe
  C:\Windows\System32\RqyBOGM.exe
  2⤵
  PID:8172
- C:\Windows\System32\YroIqrp.exe
  C:\Windows\System32\YroIqrp.exe
  2⤵
  PID:6320
- C:\Windows\System32\lGULZNl.exe
  C:\Windows\System32\lGULZNl.exe
  2⤵
  PID:6652
- C:\Windows\System32\jmUjsUg.exe
  C:\Windows\System32\jmUjsUg.exe
  2⤵
  PID:4040
- C:\Windows\System32\HhXoSOi.exe
  C:\Windows\System32\HhXoSOi.exe
  2⤵
  PID:7300
- C:\Windows\System32\BsEPWVb.exe
  C:\Windows\System32\BsEPWVb.exe
  2⤵
  PID:7320
- C:\Windows\System32\lNlmsLy.exe
  C:\Windows\System32\lNlmsLy.exe
  2⤵
  PID:7372
- C:\Windows\System32\tdyEAZl.exe
  C:\Windows\System32\tdyEAZl.exe
  2⤵
  PID:7440
- C:\Windows\System32\BnHQenK.exe
  C:\Windows\System32\BnHQenK.exe
  2⤵
  PID:7572
- C:\Windows\System32\dCzrDLa.exe
  C:\Windows\System32\dCzrDLa.exe
  2⤵
  PID:7652
- C:\Windows\System32\szyopGy.exe
  C:\Windows\System32\szyopGy.exe
  2⤵
  PID:7680
- C:\Windows\System32\pYEBBSD.exe
  C:\Windows\System32\pYEBBSD.exe
  2⤵
  PID:7720
- C:\Windows\System32\iXyWtRi.exe
  C:\Windows\System32\iXyWtRi.exe
  2⤵
  PID:1296
- C:\Windows\System32\MMDonNQ.exe
  C:\Windows\System32\MMDonNQ.exe
  2⤵
  PID:7848
- C:\Windows\System32\elaxBtx.exe
  C:\Windows\System32\elaxBtx.exe
  2⤵
  PID:7880
- C:\Windows\System32\pLmKyfx.exe
  C:\Windows\System32\pLmKyfx.exe
  2⤵
  PID:7932
- C:\Windows\System32\PrSXTtu.exe
  C:\Windows\System32\PrSXTtu.exe
  2⤵
  PID:7992
- C:\Windows\System32\QLJqQjp.exe
  C:\Windows\System32\QLJqQjp.exe
  2⤵
  PID:8056
- C:\Windows\System32\OSVNtWV.exe
  C:\Windows\System32\OSVNtWV.exe
  2⤵
  PID:3708
- C:\Windows\System32\abhnnfj.exe
  C:\Windows\System32\abhnnfj.exe
  2⤵
  PID:8140
- C:\Windows\System32\spIVDuM.exe
  C:\Windows\System32\spIVDuM.exe
  2⤵
  PID:3876
- C:\Windows\System32\ngVItun.exe
  C:\Windows\System32\ngVItun.exe
  2⤵
  PID:3448
- C:\Windows\System32\AfLTqFC.exe
  C:\Windows\System32\AfLTqFC.exe
  2⤵
  PID:6160
- C:\Windows\System32\CUGUFIn.exe
  C:\Windows\System32\CUGUFIn.exe
  2⤵
  PID:3644
- C:\Windows\System32\hcdachY.exe
  C:\Windows\System32\hcdachY.exe
  2⤵
  PID:2380
- C:\Windows\System32\VFjkwTM.exe
  C:\Windows\System32\VFjkwTM.exe
  2⤵
  PID:4580
- C:\Windows\System32\QMhXjHb.exe
  C:\Windows\System32\QMhXjHb.exe
  2⤵
  PID:1264
- C:\Windows\System32\yDcIZCp.exe
  C:\Windows\System32\yDcIZCp.exe
  2⤵
  PID:7356
- C:\Windows\System32\SvYMUuK.exe
  C:\Windows\System32\SvYMUuK.exe
  2⤵
  PID:7664
- C:\Windows\System32\bmLNMnR.exe
  C:\Windows\System32\bmLNMnR.exe
  2⤵
  PID:756
- C:\Windows\System32\WGHqyMp.exe
  C:\Windows\System32\WGHqyMp.exe
  2⤵
  PID:7860
- C:\Windows\System32\TIOJXpO.exe
  C:\Windows\System32\TIOJXpO.exe
  2⤵
  PID:7260
- C:\Windows\System32\RFdxIQD.exe
  C:\Windows\System32\RFdxIQD.exe
  2⤵
  PID:3968
- C:\Windows\System32\CtQFBPv.exe
  C:\Windows\System32\CtQFBPv.exe
  2⤵
  PID:8128
- C:\Windows\System32\FCjlYzH.exe
  C:\Windows\System32\FCjlYzH.exe
  2⤵
  PID:5020
- C:\Windows\System32\jiHchtP.exe
  C:\Windows\System32\jiHchtP.exe
  2⤵
  PID:4260
- C:\Windows\System32\xbisPua.exe
  C:\Windows\System32\xbisPua.exe
  2⤵
  PID:1196
- C:\Windows\System32\pCCPIfw.exe
  C:\Windows\System32\pCCPIfw.exe
  2⤵
  PID:3684
- C:\Windows\System32\NMgAQTT.exe
  C:\Windows\System32\NMgAQTT.exe
  2⤵
  PID:8216
- C:\Windows\System32\eUjgxVz.exe
  C:\Windows\System32\eUjgxVz.exe
  2⤵
  PID:8232
- C:\Windows\System32\zZqdwyH.exe
  C:\Windows\System32\zZqdwyH.exe
  2⤵
  PID:8280
- C:\Windows\System32\Knrslop.exe
  C:\Windows\System32\Knrslop.exe
  2⤵
  PID:8296
- C:\Windows\System32\UBOrpIw.exe
  C:\Windows\System32\UBOrpIw.exe
  2⤵
  PID:8348
- C:\Windows\System32\uTQWfct.exe
  C:\Windows\System32\uTQWfct.exe
  2⤵
  PID:8380
- C:\Windows\System32\yQRmXhf.exe
  C:\Windows\System32\yQRmXhf.exe
  2⤵
  PID:8412
- C:\Windows\System32\eqcYCWH.exe
  C:\Windows\System32\eqcYCWH.exe
  2⤵
  PID:8440
- C:\Windows\System32\yFmXVTX.exe
  C:\Windows\System32\yFmXVTX.exe
  2⤵
  PID:8468
- C:\Windows\System32\FLhziHn.exe
  C:\Windows\System32\FLhziHn.exe
  2⤵
  PID:8496
- C:\Windows\System32\ehexEBH.exe
  C:\Windows\System32\ehexEBH.exe
  2⤵
  PID:8524
- C:\Windows\System32\zdyzFZW.exe
  C:\Windows\System32\zdyzFZW.exe
  2⤵
  PID:8572
- C:\Windows\System32\khPlWew.exe
  C:\Windows\System32\khPlWew.exe
  2⤵
  PID:8600
- C:\Windows\System32\VzNQdAh.exe
  C:\Windows\System32\VzNQdAh.exe
  2⤵
  PID:8628
- C:\Windows\System32\JBaYsMe.exe
  C:\Windows\System32\JBaYsMe.exe
  2⤵
  PID:8656
- C:\Windows\System32\jiOLsAW.exe
  C:\Windows\System32\jiOLsAW.exe
  2⤵
  PID:8684
- C:\Windows\System32\HHWpmmc.exe
  C:\Windows\System32\HHWpmmc.exe
  2⤵
  PID:8712
- C:\Windows\System32\qPhMtmS.exe
  C:\Windows\System32\qPhMtmS.exe
  2⤵
  PID:8748
- C:\Windows\System32\sbCcmhW.exe
  C:\Windows\System32\sbCcmhW.exe
  2⤵
  PID:8776
- C:\Windows\System32\kAdNYyf.exe
  C:\Windows\System32\kAdNYyf.exe
  2⤵
  PID:8804
- C:\Windows\System32\yPBbapM.exe
  C:\Windows\System32\yPBbapM.exe
  2⤵
  PID:8820
- C:\Windows\System32\SxwqdpG.exe
  C:\Windows\System32\SxwqdpG.exe
  2⤵
  PID:8864
- C:\Windows\System32\QISwmsI.exe
  C:\Windows\System32\QISwmsI.exe
  2⤵
  PID:8892
- C:\Windows\System32\BahFvvj.exe
  C:\Windows\System32\BahFvvj.exe
  2⤵
  PID:8916
- C:\Windows\System32\bwsvEXj.exe
  C:\Windows\System32\bwsvEXj.exe
  2⤵
  PID:8948
- C:\Windows\System32\zmZmHGf.exe
  C:\Windows\System32\zmZmHGf.exe
  2⤵
  PID:8976
- C:\Windows\System32\ecZAsZG.exe
  C:\Windows\System32\ecZAsZG.exe
  2⤵
  PID:9004
- C:\Windows\System32\kLMsgJA.exe
  C:\Windows\System32\kLMsgJA.exe
  2⤵
  PID:9020
- C:\Windows\System32\GQuYfpl.exe
  C:\Windows\System32\GQuYfpl.exe
  2⤵
  PID:9056
- C:\Windows\System32\tirfihv.exe
  C:\Windows\System32\tirfihv.exe
  2⤵
  PID:9076
- C:\Windows\System32\tnuRvDM.exe
  C:\Windows\System32\tnuRvDM.exe
  2⤵
  PID:9116
- C:\Windows\System32\INHTeFF.exe
  C:\Windows\System32\INHTeFF.exe
  2⤵
  PID:9144
- C:\Windows\System32\YXeWFff.exe
  C:\Windows\System32\YXeWFff.exe
  2⤵
  PID:9172
- C:\Windows\System32\kdvDfNZ.exe
  C:\Windows\System32\kdvDfNZ.exe
  2⤵
  PID:9200
- C:\Windows\System32\SdMAjKk.exe
  C:\Windows\System32\SdMAjKk.exe
  2⤵
  PID:4424
- C:\Windows\System32\EFgIRSI.exe
  C:\Windows\System32\EFgIRSI.exe
  2⤵
  PID:8188
- C:\Windows\System32\BzjQfIE.exe
  C:\Windows\System32\BzjQfIE.exe
  2⤵
  PID:7384
- C:\Windows\System32\VKNsOVd.exe
  C:\Windows\System32\VKNsOVd.exe
  2⤵
  PID:7916
- C:\Windows\System32\OIkGjVS.exe
  C:\Windows\System32\OIkGjVS.exe
  2⤵
  PID:7852
- C:\Windows\System32\grgSVfC.exe
  C:\Windows\System32\grgSVfC.exe
  2⤵
  PID:8288
- C:\Windows\System32\SKxMLQe.exe
  C:\Windows\System32\SKxMLQe.exe
  2⤵
  PID:4904
- C:\Windows\System32\NqsTmdl.exe
  C:\Windows\System32\NqsTmdl.exe
  2⤵
  PID:4164
- C:\Windows\System32\ZYpHydL.exe
  C:\Windows\System32\ZYpHydL.exe
  2⤵
  PID:8460
- C:\Windows\System32\RZFBkod.exe
  C:\Windows\System32\RZFBkod.exe
  2⤵
  PID:8516
- C:\Windows\System32\VsPomVS.exe
  C:\Windows\System32\VsPomVS.exe
  2⤵
  PID:8592
- C:\Windows\System32\QyNWHrv.exe
  C:\Windows\System32\QyNWHrv.exe
  2⤵
  PID:8668
- C:\Windows\System32\ylvupvD.exe
  C:\Windows\System32\ylvupvD.exe
  2⤵
  PID:8756
- C:\Windows\System32\aEIJuoi.exe
  C:\Windows\System32\aEIJuoi.exe
  2⤵
  PID:8792
- C:\Windows\System32\olVHlow.exe
  C:\Windows\System32\olVHlow.exe
  2⤵
  PID:8848
- C:\Windows\System32\ZcWFZqr.exe
  C:\Windows\System32\ZcWFZqr.exe
  2⤵
  PID:8940
- C:\Windows\System32\lwNiIEJ.exe
  C:\Windows\System32\lwNiIEJ.exe
  2⤵
  PID:9044
- C:\Windows\System32\SHdLgzg.exe
  C:\Windows\System32\SHdLgzg.exe
  2⤵
  PID:9088
- C:\Windows\System32\HNsSAkH.exe
  C:\Windows\System32\HNsSAkH.exe
  2⤵
  PID:9164
- C:\Windows\System32\KckkauX.exe
  C:\Windows\System32\KckkauX.exe
  2⤵
  PID:8028
- C:\Windows\System32\VwOuoQx.exe
  C:\Windows\System32\VwOuoQx.exe
  2⤵
  PID:8292
- C:\Windows\System32\VyZppDw.exe
  C:\Windows\System32\VyZppDw.exe
  2⤵
  PID:8376
- C:\Windows\System32\PuHdack.exe
  C:\Windows\System32\PuHdack.exe
  2⤵
  PID:8452
- C:\Windows\System32\RyuwWhl.exe
  C:\Windows\System32\RyuwWhl.exe
  2⤵
  PID:8676
- C:\Windows\System32\BnSsVfW.exe
  C:\Windows\System32\BnSsVfW.exe
  2⤵
  PID:8872
- C:\Windows\System32\aeLqkNB.exe
  C:\Windows\System32\aeLqkNB.exe
  2⤵
  PID:9040
- C:\Windows\System32\sOpUYig.exe
  C:\Windows\System32\sOpUYig.exe
  2⤵
  PID:7376
- C:\Windows\System32\lDFaKNV.exe
  C:\Windows\System32\lDFaKNV.exe
  2⤵
  PID:7748
- C:\Windows\System32\vRrndRv.exe
  C:\Windows\System32\vRrndRv.exe
  2⤵
  PID:8568
- C:\Windows\System32\CPazcXp.exe
  C:\Windows\System32\CPazcXp.exe
  2⤵
  PID:9000
- C:\Windows\System32\AiPaqNv.exe
  C:\Windows\System32\AiPaqNv.exe
  2⤵
  PID:7348
- C:\Windows\System32\HOcZvEg.exe
  C:\Windows\System32\HOcZvEg.exe
  2⤵
  PID:8640
- C:\Windows\System32\cRCcaPd.exe
  C:\Windows\System32\cRCcaPd.exe
  2⤵
  PID:9228
- C:\Windows\System32\XFEAuvU.exe
  C:\Windows\System32\XFEAuvU.exe
  2⤵
  PID:9264
- C:\Windows\System32\gltazSI.exe
  C:\Windows\System32\gltazSI.exe
  2⤵
  PID:9292
- C:\Windows\System32\QIWdroS.exe
  C:\Windows\System32\QIWdroS.exe
  2⤵
  PID:9332
- C:\Windows\System32\XkodNwE.exe
  C:\Windows\System32\XkodNwE.exe
  2⤵
  PID:9360
- C:\Windows\System32\LPUZKiN.exe
  C:\Windows\System32\LPUZKiN.exe
  2⤵
  PID:9400
- C:\Windows\System32\nxtoyZe.exe
  C:\Windows\System32\nxtoyZe.exe
  2⤵
  PID:9444
- C:\Windows\System32\IWuViif.exe
  C:\Windows\System32\IWuViif.exe
  2⤵
  PID:9476
- C:\Windows\System32\bZaNnVb.exe
  C:\Windows\System32\bZaNnVb.exe
  2⤵
  PID:9504
- C:\Windows\System32\wbpcqIt.exe
  C:\Windows\System32\wbpcqIt.exe
  2⤵
  PID:9532
- C:\Windows\System32\ghhHEnS.exe
  C:\Windows\System32\ghhHEnS.exe
  2⤵
  PID:9560
- C:\Windows\System32\FUUIzil.exe
  C:\Windows\System32\FUUIzil.exe
  2⤵
  PID:9600
- C:\Windows\System32\TdkbruP.exe
  C:\Windows\System32\TdkbruP.exe
  2⤵
  PID:9628
- C:\Windows\System32\lNKQdGa.exe
  C:\Windows\System32\lNKQdGa.exe
  2⤵
  PID:9656
- C:\Windows\System32\DGJZFsF.exe
  C:\Windows\System32\DGJZFsF.exe
  2⤵
  PID:9684
- C:\Windows\System32\qtNEMQT.exe
  C:\Windows\System32\qtNEMQT.exe
  2⤵
  PID:9716
- C:\Windows\System32\UaNTsCP.exe
  C:\Windows\System32\UaNTsCP.exe
  2⤵
  PID:9744
- C:\Windows\System32\rwcmERA.exe
  C:\Windows\System32\rwcmERA.exe
  2⤵
  PID:9780
- C:\Windows\System32\EgtpjOl.exe
  C:\Windows\System32\EgtpjOl.exe
  2⤵
  PID:9808
- C:\Windows\System32\RRKifez.exe
  C:\Windows\System32\RRKifez.exe
  2⤵
  PID:9844
- C:\Windows\System32\pjcZERV.exe
  C:\Windows\System32\pjcZERV.exe
  2⤵
  PID:9880
- C:\Windows\System32\naWINyy.exe
  C:\Windows\System32\naWINyy.exe
  2⤵
  PID:9932
- C:\Windows\System32\WeYVvWf.exe
  C:\Windows\System32\WeYVvWf.exe
  2⤵
  PID:9960
- C:\Windows\System32\FwUifES.exe
  C:\Windows\System32\FwUifES.exe
  2⤵
  PID:9976
- C:\Windows\System32\GNbuZEs.exe
  C:\Windows\System32\GNbuZEs.exe
  2⤵
  PID:10008
- C:\Windows\System32\gVhmsJe.exe
  C:\Windows\System32\gVhmsJe.exe
  2⤵
  PID:10032
- C:\Windows\System32\WWjlpnC.exe
  C:\Windows\System32\WWjlpnC.exe
  2⤵
  PID:10092
- C:\Windows\System32\EFEEogC.exe
  C:\Windows\System32\EFEEogC.exe
  2⤵
  PID:10112
- C:\Windows\System32\aKKJRbQ.exe
  C:\Windows\System32\aKKJRbQ.exe
  2⤵
  PID:10176
- C:\Windows\System32\cGwzOOP.exe
  C:\Windows\System32\cGwzOOP.exe
  2⤵
  PID:10200
- C:\Windows\System32\PFMgrKD.exe
  C:\Windows\System32\PFMgrKD.exe
  2⤵
  PID:10220
- C:\Windows\System32\HtoDIvk.exe
  C:\Windows\System32\HtoDIvk.exe
  2⤵
  PID:9280
- C:\Windows\System32\XrQNjyu.exe
  C:\Windows\System32\XrQNjyu.exe
  2⤵
  PID:9344
- C:\Windows\System32\ziFAgvB.exe
  C:\Windows\System32\ziFAgvB.exe
  2⤵
  PID:9456
- C:\Windows\System32\YuTzRaV.exe
  C:\Windows\System32\YuTzRaV.exe
  2⤵
  PID:9492
- C:\Windows\System32\OjMAalk.exe
  C:\Windows\System32\OjMAalk.exe
  2⤵
  PID:9624
- C:\Windows\System32\hSrbMfc.exe
  C:\Windows\System32\hSrbMfc.exe
  2⤵
  PID:9736
- C:\Windows\System32\qOLFbCo.exe
  C:\Windows\System32\qOLFbCo.exe
  2⤵
  PID:9824
- C:\Windows\System32\VARdKeC.exe
  C:\Windows\System32\VARdKeC.exe
  2⤵
  PID:9924
- C:\Windows\System32\IKnmDCE.exe
  C:\Windows\System32\IKnmDCE.exe
  2⤵
  PID:10016
- C:\Windows\System32\VQCHEOe.exe
  C:\Windows\System32\VQCHEOe.exe
  2⤵
  PID:10136
- C:\Windows\System32\dMGrScP.exe
  C:\Windows\System32\dMGrScP.exe
  2⤵
  PID:10188
- C:\Windows\System32\SCdcxtM.exe
  C:\Windows\System32\SCdcxtM.exe
  2⤵
  PID:9432
- C:\Windows\System32\JtDgDnX.exe
  C:\Windows\System32\JtDgDnX.exe
  2⤵
  PID:4768
- C:\Windows\System32\tJrBdEg.exe
  C:\Windows\System32\tJrBdEg.exe
  2⤵
  PID:9856
- C:\Windows\System32\qTJhKKo.exe
  C:\Windows\System32\qTJhKKo.exe
  2⤵
  PID:10052
- C:\Windows\System32\ARrMBfU.exe
  C:\Windows\System32\ARrMBfU.exe
  2⤵
  PID:3616
- C:\Windows\System32\LlKsOTe.exe
  C:\Windows\System32\LlKsOTe.exe
  2⤵
  PID:3320
- C:\Windows\System32\uQXnUgD.exe
  C:\Windows\System32\uQXnUgD.exe
  2⤵
  PID:9592
- C:\Windows\System32\fVwHGCC.exe
  C:\Windows\System32\fVwHGCC.exe
  2⤵
  PID:10248
- C:\Windows\System32\ZJNddiH.exe
  C:\Windows\System32\ZJNddiH.exe
  2⤵
  PID:10280
- C:\Windows\System32\QAKdXri.exe
  C:\Windows\System32\QAKdXri.exe
  2⤵
  PID:10304
- C:\Windows\System32\omAiUln.exe
  C:\Windows\System32\omAiUln.exe
  2⤵
  PID:10328
- C:\Windows\System32\swBSEMr.exe
  C:\Windows\System32\swBSEMr.exe
  2⤵
  PID:10352
- C:\Windows\System32\ImzSESJ.exe
  C:\Windows\System32\ImzSESJ.exe
  2⤵
  PID:10388
- C:\Windows\System32\PxLsegv.exe
  C:\Windows\System32\PxLsegv.exe
  2⤵
  PID:10424
- C:\Windows\System32\oYYDiQr.exe
  C:\Windows\System32\oYYDiQr.exe
  2⤵
  PID:10452
- C:\Windows\System32\WBCRBLO.exe
  C:\Windows\System32\WBCRBLO.exe
  2⤵
  PID:10484
- C:\Windows\System32\EJdfMOt.exe
  C:\Windows\System32\EJdfMOt.exe
  2⤵
  PID:10516
- C:\Windows\System32\FstEBah.exe
  C:\Windows\System32\FstEBah.exe
  2⤵
  PID:10548
- C:\Windows\System32\odiMULr.exe
  C:\Windows\System32\odiMULr.exe
  2⤵
  PID:10572
- C:\Windows\System32\VrVmbBZ.exe
  C:\Windows\System32\VrVmbBZ.exe
  2⤵
  PID:10600
- C:\Windows\System32\XpDRteK.exe
  C:\Windows\System32\XpDRteK.exe
  2⤵
  PID:10644
- C:\Windows\System32\zVtdeCN.exe
  C:\Windows\System32\zVtdeCN.exe
  2⤵
  PID:10660
- C:\Windows\System32\Tdpbkpc.exe
  C:\Windows\System32\Tdpbkpc.exe
  2⤵
  PID:10688
- C:\Windows\System32\EIiLUkK.exe
  C:\Windows\System32\EIiLUkK.exe
  2⤵
  PID:10716
- C:\Windows\System32\lIGLJZI.exe
  C:\Windows\System32\lIGLJZI.exe
  2⤵
  PID:10744
- C:\Windows\System32\opiRDwf.exe
  C:\Windows\System32\opiRDwf.exe
  2⤵
  PID:10768
- C:\Windows\System32\wRDKMWU.exe
  C:\Windows\System32\wRDKMWU.exe
  2⤵
  PID:10792
- C:\Windows\System32\Kjeyaro.exe
  C:\Windows\System32\Kjeyaro.exe
  2⤵
  PID:10828
- C:\Windows\System32\YpRwcqf.exe
  C:\Windows\System32\YpRwcqf.exe
  2⤵
  PID:10856
- C:\Windows\System32\vyMScRy.exe
  C:\Windows\System32\vyMScRy.exe
  2⤵
  PID:10884
- C:\Windows\System32\yhdstnL.exe
  C:\Windows\System32\yhdstnL.exe
  2⤵
  PID:10900
- C:\Windows\System32\kXUSsaO.exe
  C:\Windows\System32\kXUSsaO.exe
  2⤵
  PID:10928
- C:\Windows\System32\WrioCWQ.exe
  C:\Windows\System32\WrioCWQ.exe
  2⤵
  PID:10968
- C:\Windows\System32\iFtAcKF.exe
  C:\Windows\System32\iFtAcKF.exe
  2⤵
  PID:10992
- C:\Windows\System32\OqOHQsw.exe
  C:\Windows\System32\OqOHQsw.exe
  2⤵
  PID:11012
- C:\Windows\System32\wQZxmNP.exe
  C:\Windows\System32\wQZxmNP.exe
  2⤵
  PID:11052
- C:\Windows\System32\brFQSoF.exe
  C:\Windows\System32\brFQSoF.exe
  2⤵
  PID:11080
- C:\Windows\System32\DsyuYtP.exe
  C:\Windows\System32\DsyuYtP.exe
  2⤵
  PID:11116
- C:\Windows\System32\qnHeWFR.exe
  C:\Windows\System32\qnHeWFR.exe
  2⤵
  PID:11144
- C:\Windows\System32\xqjhAAL.exe
  C:\Windows\System32\xqjhAAL.exe
  2⤵
  PID:11160
- C:\Windows\System32\grANTpY.exe
  C:\Windows\System32\grANTpY.exe
  2⤵
  PID:11180
- C:\Windows\System32\tNyzMgt.exe
  C:\Windows\System32\tNyzMgt.exe
  2⤵
  PID:11220
- C:\Windows\System32\KYLVcKo.exe
  C:\Windows\System32\KYLVcKo.exe
  2⤵
  PID:11260
- C:\Windows\System32\TmtHrJC.exe
  C:\Windows\System32\TmtHrJC.exe
  2⤵
  PID:10268
- C:\Windows\System32\VBNlbsm.exe
  C:\Windows\System32\VBNlbsm.exe
  2⤵
  PID:10312
- C:\Windows\System32\boEgEcv.exe
  C:\Windows\System32\boEgEcv.exe
  2⤵
  PID:10412
- C:\Windows\System32\DWrRKFr.exe
  C:\Windows\System32\DWrRKFr.exe
  2⤵
  PID:10476
- C:\Windows\System32\XkmTuQK.exe
  C:\Windows\System32\XkmTuQK.exe
  2⤵
  PID:10528
- C:\Windows\System32\KqPWbCD.exe
  C:\Windows\System32\KqPWbCD.exe
  2⤵
  PID:8556
- C:\Windows\System32\VjAwCzC.exe
  C:\Windows\System32\VjAwCzC.exe
  2⤵
  PID:640
- C:\Windows\System32\zGWfBfI.exe
  C:\Windows\System32\zGWfBfI.exe
  2⤵
  PID:9340
- C:\Windows\System32\dBZitIP.exe
  C:\Windows\System32\dBZitIP.exe
  2⤵
  PID:10684
- C:\Windows\System32\GFagYdh.exe
  C:\Windows\System32\GFagYdh.exe
  2⤵
  PID:10752
- C:\Windows\System32\traCOpa.exe
  C:\Windows\System32\traCOpa.exe
  2⤵
  PID:10820
- C:\Windows\System32\bQGFevt.exe
  C:\Windows\System32\bQGFevt.exe
  2⤵
  PID:10880
- C:\Windows\System32\ZXEeJhg.exe
  C:\Windows\System32\ZXEeJhg.exe
  2⤵
  PID:10944
- C:\Windows\System32\wBqMues.exe
  C:\Windows\System32\wBqMues.exe
  2⤵
  PID:10984
- C:\Windows\System32\grJniGM.exe
  C:\Windows\System32\grJniGM.exe
  2⤵
  PID:11044
- C:\Windows\System32\odXrahk.exe
  C:\Windows\System32\odXrahk.exe
  2⤵
  PID:11104
- C:\Windows\System32\aPJMNOb.exe
  C:\Windows\System32\aPJMNOb.exe
  2⤵
  PID:11152
- C:\Windows\System32\krNDrHs.exe
  C:\Windows\System32\krNDrHs.exe
  2⤵
  PID:11244
- C:\Windows\System32\KzXUSLG.exe
  C:\Windows\System32\KzXUSLG.exe
  2⤵
  PID:10372
- C:\Windows\System32\GoCSZQc.exe
  C:\Windows\System32\GoCSZQc.exe
  2⤵
  PID:10512
- C:\Windows\System32\JozHlUE.exe
  C:\Windows\System32\JozHlUE.exe
  2⤵
  PID:9252
- C:\Windows\System32\UaZTxmq.exe
  C:\Windows\System32\UaZTxmq.exe
  2⤵
  PID:10680
- C:\Windows\System32\rDgSDdE.exe
  C:\Windows\System32\rDgSDdE.exe
  2⤵
  PID:4312
- C:\Windows\System32\bbAzTrM.exe
  C:\Windows\System32\bbAzTrM.exe
  2⤵
  PID:10964
- C:\Windows\System32\stRezOA.exe
  C:\Windows\System32\stRezOA.exe
  2⤵
  PID:11092
- C:\Windows\System32\YiZYSqr.exe
  C:\Windows\System32\YiZYSqr.exe
  2⤵
  PID:11176
- C:\Windows\System32\JvfCton.exe
  C:\Windows\System32\JvfCton.exe
  2⤵
  PID:10404
- C:\Windows\System32\tzcDfld.exe
  C:\Windows\System32\tzcDfld.exe
  2⤵
  PID:3704
- C:\Windows\System32\HVTxiHr.exe
  C:\Windows\System32\HVTxiHr.exe
  2⤵
  PID:10788
- C:\Windows\System32\DASwpYw.exe
  C:\Windows\System32\DASwpYw.exe
  2⤵
  PID:4360
- C:\Windows\System32\fLAxslS.exe
  C:\Windows\System32\fLAxslS.exe
  2⤵
  PID:1420
- C:\Windows\System32\PSjRjRT.exe
  C:\Windows\System32\PSjRjRT.exe
  2⤵
  PID:11008
- C:\Windows\System32\RNbzQGP.exe
  C:\Windows\System32\RNbzQGP.exe
  2⤵
  PID:10912
- C:\Windows\System32\Nzxmbsa.exe
  C:\Windows\System32\Nzxmbsa.exe
  2⤵
  PID:11284
- C:\Windows\System32\RZlnoiM.exe
  C:\Windows\System32\RZlnoiM.exe
  2⤵
  PID:11312
- C:\Windows\System32\XAaKLFQ.exe
  C:\Windows\System32\XAaKLFQ.exe
  2⤵
  PID:11340
- C:\Windows\System32\kcqzjIa.exe
  C:\Windows\System32\kcqzjIa.exe
  2⤵
  PID:11364
- C:\Windows\System32\SnoPnXS.exe
  C:\Windows\System32\SnoPnXS.exe
  2⤵
  PID:11400
- C:\Windows\System32\rERHlYB.exe
  C:\Windows\System32\rERHlYB.exe
  2⤵
  PID:11428
- C:\Windows\System32\BuUSJoa.exe
  C:\Windows\System32\BuUSJoa.exe
  2⤵
  PID:11444
- C:\Windows\System32\JVjaHED.exe
  C:\Windows\System32\JVjaHED.exe
  2⤵
  PID:11484
- C:\Windows\System32\dFUmDag.exe
  C:\Windows\System32\dFUmDag.exe
  2⤵
  PID:11512
- C:\Windows\System32\QdIXTbI.exe
  C:\Windows\System32\QdIXTbI.exe
  2⤵
  PID:11528
- C:\Windows\System32\DfjZlZf.exe
  C:\Windows\System32\DfjZlZf.exe
  2⤵
  PID:11568
- C:\Windows\System32\gIZMkRr.exe
  C:\Windows\System32\gIZMkRr.exe
  2⤵
  PID:11596
- C:\Windows\System32\lRujWdp.exe
  C:\Windows\System32\lRujWdp.exe
  2⤵
  PID:11628
- C:\Windows\System32\ulpcLix.exe
  C:\Windows\System32\ulpcLix.exe
  2⤵
  PID:11656
- C:\Windows\System32\ZmoodPS.exe
  C:\Windows\System32\ZmoodPS.exe
  2⤵
  PID:11684
- C:\Windows\System32\KyrTZxf.exe
  C:\Windows\System32\KyrTZxf.exe
  2⤵
  PID:11712
- C:\Windows\System32\trFWvna.exe
  C:\Windows\System32\trFWvna.exe
  2⤵
  PID:11740
- C:\Windows\System32\xkyQLXD.exe
  C:\Windows\System32\xkyQLXD.exe
  2⤵
  PID:11768
- C:\Windows\System32\CgOsCmt.exe
  C:\Windows\System32\CgOsCmt.exe
  2⤵
  PID:11816
- C:\Windows\System32\YkgfASL.exe
  C:\Windows\System32\YkgfASL.exe
  2⤵
  PID:11844
- C:\Windows\System32\tihhLaK.exe
  C:\Windows\System32\tihhLaK.exe
  2⤵
  PID:11892
- C:\Windows\System32\BEVlmWy.exe
  C:\Windows\System32\BEVlmWy.exe
  2⤵
  PID:11916
- C:\Windows\System32\jklpWlD.exe
  C:\Windows\System32\jklpWlD.exe
  2⤵
  PID:11944
- C:\Windows\System32\BaCxihZ.exe
  C:\Windows\System32\BaCxihZ.exe
  2⤵
  PID:11972
- C:\Windows\System32\SAKpxEH.exe
  C:\Windows\System32\SAKpxEH.exe
  2⤵
  PID:12004
- C:\Windows\System32\vMPfJkS.exe
  C:\Windows\System32\vMPfJkS.exe
  2⤵
  PID:12032
- C:\Windows\System32\OjnMDkL.exe
  C:\Windows\System32\OjnMDkL.exe
  2⤵
  PID:12060
- C:\Windows\System32\rMubLhO.exe
  C:\Windows\System32\rMubLhO.exe
  2⤵
  PID:12092
- C:\Windows\System32\CiGYTEb.exe
  C:\Windows\System32\CiGYTEb.exe
  2⤵
  PID:12136
- C:\Windows\System32\zPMkILr.exe
  C:\Windows\System32\zPMkILr.exe
  2⤵
  PID:12164
- C:\Windows\System32\PiCaRWG.exe
  C:\Windows\System32\PiCaRWG.exe
  2⤵
  PID:12192
- C:\Windows\System32\RZLCken.exe
  C:\Windows\System32\RZLCken.exe
  2⤵
  PID:12232
- C:\Windows\System32\klTwlyg.exe
  C:\Windows\System32\klTwlyg.exe
  2⤵
  PID:12260
- C:\Windows\System32\wAYjXgC.exe
  C:\Windows\System32\wAYjXgC.exe
  2⤵
  PID:9248
- C:\Windows\System32\NFKwOfq.exe
  C:\Windows\System32\NFKwOfq.exe
  2⤵
  PID:11336
- C:\Windows\System32\yUgJRPB.exe
  C:\Windows\System32\yUgJRPB.exe
  2⤵
  PID:11380
- C:\Windows\System32\ZmRcsqR.exe
  C:\Windows\System32\ZmRcsqR.exe
  2⤵
  PID:11456
- C:\Windows\System32\HdngbIu.exe
  C:\Windows\System32\HdngbIu.exe
  2⤵
  PID:11520
- C:\Windows\System32\AkIjHJp.exe
  C:\Windows\System32\AkIjHJp.exe
  2⤵
  PID:11584
- C:\Windows\System32\hkXqkoD.exe
  C:\Windows\System32\hkXqkoD.exe
  2⤵
  PID:11652
- C:\Windows\System32\kqZHCOW.exe
  C:\Windows\System32\kqZHCOW.exe
  2⤵
  PID:11724
- C:\Windows\System32\nBxfutq.exe
  C:\Windows\System32\nBxfutq.exe
  2⤵
  PID:11800
- C:\Windows\System32\QJHqtQh.exe
  C:\Windows\System32\QJHqtQh.exe
  2⤵
  PID:11900
- C:\Windows\System32\nWSmsdy.exe
  C:\Windows\System32\nWSmsdy.exe
  2⤵
  PID:11964
- C:\Windows\System32\iSnIHPD.exe
  C:\Windows\System32\iSnIHPD.exe
  2⤵
  PID:12024
- C:\Windows\System32\hiavNkw.exe
  C:\Windows\System32\hiavNkw.exe
  2⤵
  PID:12104
- C:\Windows\System32\aRMdRFo.exe
  C:\Windows\System32\aRMdRFo.exe
  2⤵
  PID:12184
- C:\Windows\System32\HQuHCCH.exe
  C:\Windows\System32\HQuHCCH.exe
  2⤵
  PID:12256
- C:\Windows\System32\qsGAxPZ.exe
  C:\Windows\System32\qsGAxPZ.exe
  2⤵
  PID:11356
- C:\Windows\System32\EdMPiiX.exe
  C:\Windows\System32\EdMPiiX.exe
  2⤵
  PID:11500
- C:\Windows\System32\tiFKzMY.exe
  C:\Windows\System32\tiFKzMY.exe
  2⤵
  PID:11644
- C:\Windows\System32\ReyVBin.exe
  C:\Windows\System32\ReyVBin.exe
  2⤵
  PID:3420
- C:\Windows\System32\MqAvYoV.exe
  C:\Windows\System32\MqAvYoV.exe
  2⤵
  PID:3424
- C:\Windows\System32\zAzYGoB.exe
  C:\Windows\System32\zAzYGoB.exe
  2⤵
  PID:12000
- C:\Windows\System32\ItNiOZq.exe
  C:\Windows\System32\ItNiOZq.exe
  2⤵
  PID:12160
- C:\Windows\System32\weIryfU.exe
  C:\Windows\System32\weIryfU.exe
  2⤵
  PID:11308
- C:\Windows\System32\vkkOibN.exe
  C:\Windows\System32\vkkOibN.exe
  2⤵
  PID:11624
- C:\Windows\System32\vFVlxjD.exe
  C:\Windows\System32\vFVlxjD.exe
  2⤵
  PID:11928
- C:\Windows\System32\FtIoSfI.exe
  C:\Windows\System32\FtIoSfI.exe
  2⤵
  PID:12284
- C:\Windows\System32\DWrtbQT.exe
  C:\Windows\System32\DWrtbQT.exe
  2⤵
  PID:12296
- C:\Windows\System32\gisnNkl.exe
  C:\Windows\System32\gisnNkl.exe
  2⤵
  PID:12312
- C:\Windows\System32\QxruAQm.exe
  C:\Windows\System32\QxruAQm.exe
  2⤵
  PID:12340
- C:\Windows\System32\JmHdzxm.exe
  C:\Windows\System32\JmHdzxm.exe
  2⤵
  PID:12368
- C:\Windows\System32\wygEvJY.exe
  C:\Windows\System32\wygEvJY.exe
  2⤵
  PID:12400
- C:\Windows\System32\heTPspw.exe
  C:\Windows\System32\heTPspw.exe
  2⤵
  PID:12428
- C:\Windows\System32\mKogUrX.exe
  C:\Windows\System32\mKogUrX.exe
  2⤵
  PID:12456
- C:\Windows\System32\pDqlLga.exe
  C:\Windows\System32\pDqlLga.exe
  2⤵
  PID:12484
- C:\Windows\System32\jFGKTwI.exe
  C:\Windows\System32\jFGKTwI.exe
  2⤵
  PID:12512
- C:\Windows\System32\ZkpaqKU.exe
  C:\Windows\System32\ZkpaqKU.exe
  2⤵
  PID:12544
- C:\Windows\System32\uiPNkLi.exe
  C:\Windows\System32\uiPNkLi.exe
  2⤵
  PID:12568
- C:\Windows\System32\twAjPoP.exe
  C:\Windows\System32\twAjPoP.exe
  2⤵
  PID:12596
- C:\Windows\System32\zMnyZsJ.exe
  C:\Windows\System32\zMnyZsJ.exe
  2⤵
  PID:12624
- C:\Windows\System32\vbZmFZo.exe
  C:\Windows\System32\vbZmFZo.exe
  2⤵
  PID:12652
- C:\Windows\System32\XamXqvt.exe
  C:\Windows\System32\XamXqvt.exe
  2⤵
  PID:12680
- C:\Windows\System32\VBbgOVr.exe
  C:\Windows\System32\VBbgOVr.exe
  2⤵
  PID:12708
- C:\Windows\System32\QlEXaEa.exe
  C:\Windows\System32\QlEXaEa.exe
  2⤵
  PID:12736
- C:\Windows\System32\JiUXCOP.exe
  C:\Windows\System32\JiUXCOP.exe
  2⤵
  PID:12764
- C:\Windows\System32\BgfweYQ.exe
  C:\Windows\System32\BgfweYQ.exe
  2⤵
  PID:12792
- C:\Windows\System32\FZMFfTH.exe
  C:\Windows\System32\FZMFfTH.exe
  2⤵
  PID:12820
- C:\Windows\System32\kEbsclv.exe
  C:\Windows\System32\kEbsclv.exe
  2⤵
  PID:12848
- C:\Windows\System32\NSWSBzV.exe
  C:\Windows\System32\NSWSBzV.exe
  2⤵
  PID:12876
- C:\Windows\System32\nCsMFge.exe
  C:\Windows\System32\nCsMFge.exe
  2⤵
  PID:12904
- C:\Windows\System32\MmmRTOG.exe
  C:\Windows\System32\MmmRTOG.exe
  2⤵
  PID:12932
- C:\Windows\System32\DKEWdqS.exe
  C:\Windows\System32\DKEWdqS.exe
  2⤵
  PID:12960
- C:\Windows\System32\GLLrYOe.exe
  C:\Windows\System32\GLLrYOe.exe
  2⤵
  PID:12988
- C:\Windows\System32\ivwVLoQ.exe
  C:\Windows\System32\ivwVLoQ.exe
  2⤵
  PID:13016
- C:\Windows\System32\dHFCSgh.exe
  C:\Windows\System32\dHFCSgh.exe
  2⤵
  PID:13044
- C:\Windows\System32\UWCuFrb.exe
  C:\Windows\System32\UWCuFrb.exe
  2⤵
  PID:13072
- C:\Windows\System32\NncIhvE.exe
  C:\Windows\System32\NncIhvE.exe
  2⤵
  PID:13100
- C:\Windows\System32\fqBpkob.exe
  C:\Windows\System32\fqBpkob.exe
  2⤵
  PID:13128
- C:\Windows\System32\DLefMde.exe
  C:\Windows\System32\DLefMde.exe
  2⤵
  PID:13156
- C:\Windows\System32\JLPGzKH.exe
  C:\Windows\System32\JLPGzKH.exe
  2⤵
  PID:13184
- C:\Windows\System32\FcWHjZG.exe
  C:\Windows\System32\FcWHjZG.exe
  2⤵
  PID:13212
- C:\Windows\System32\HpdkYLF.exe
  C:\Windows\System32\HpdkYLF.exe
  2⤵
  PID:13260
- C:\Windows\System32\vySKMBe.exe
  C:\Windows\System32\vySKMBe.exe
  2⤵
  PID:13284
- C:\Windows\System32\tzLSVUs.exe
  C:\Windows\System32\tzLSVUs.exe
  2⤵
  PID:3260
- C:\Windows\System32\SeJYNmI.exe
  C:\Windows\System32\SeJYNmI.exe
  2⤵
  PID:12360
- C:\Windows\System32\taNxDjx.exe
  C:\Windows\System32\taNxDjx.exe
  2⤵
  PID:12424
- C:\Windows\System32\qYPHKfy.exe
  C:\Windows\System32\qYPHKfy.exe
  2⤵
  PID:12496
- C:\Windows\System32\saHmaET.exe
  C:\Windows\System32\saHmaET.exe
  2⤵
  PID:12560
- C:\Windows\System32\dRBdFvw.exe
  C:\Windows\System32\dRBdFvw.exe
  2⤵
  PID:12616
- C:\Windows\System32\nxkpwmf.exe
  C:\Windows\System32\nxkpwmf.exe
  2⤵
  PID:12692
- C:\Windows\System32\wuZdSvy.exe
  C:\Windows\System32\wuZdSvy.exe
  2⤵
  PID:12756
- C:\Windows\System32\WFhivJr.exe
  C:\Windows\System32\WFhivJr.exe
  2⤵
  PID:12816
- C:\Windows\System32\acdwpzG.exe
  C:\Windows\System32\acdwpzG.exe
  2⤵
  PID:12888
- C:\Windows\System32\ZtkmzNJ.exe
  C:\Windows\System32\ZtkmzNJ.exe
  2⤵
  PID:12956
- C:\Windows\System32\nAvfYwB.exe
  C:\Windows\System32\nAvfYwB.exe
  2⤵
  PID:13028
- C:\Windows\System32\ZZKEYwL.exe
  C:\Windows\System32\ZZKEYwL.exe
  2⤵
  PID:11436
- C:\Windows\System32\GrjUkpn.exe
  C:\Windows\System32\GrjUkpn.exe
  2⤵
  PID:13148
- C:\Windows\System32\nlBrpvN.exe
  C:\Windows\System32\nlBrpvN.exe
  2⤵
  PID:13208
- C:\Windows\System32\QDBJqxG.exe
  C:\Windows\System32\QDBJqxG.exe
  2⤵
  PID:13300
- C:\Windows\System32\CodubVT.exe
  C:\Windows\System32\CodubVT.exe
  2⤵
  PID:12396

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BbZtbsP.exe

Filesize
3.1MB

MD5
d07784977da7610ca229e46a30a67a96

SHA1
12b863d08083389c2b1b933dc521e7538f10d574

SHA256
0668683b53ec72746ae49ae6f444504f717dee5a510f8f608f7d3288bb8bb5f8

SHA512
05fbe9007b55a9fcddd9367d4886c2da4c02f7798d181878f846d70cc77bd05a72817762315b90975f0e0f170c00d8d212f70377d1060807241ce38fb3a913a4

Download Submit
C:\Windows\System32\CfUhFAu.exe

Filesize
3.1MB

MD5
2020c6cb8acc2d9e23507ca5c1b9359e

SHA1
e5cbfe65e2bc9b44e262df078c1d3b0c023e6690

SHA256
f680c3e041c389c49b7539001e9a1a8d9b09849bccfa481afd25cbf446b1adeb

SHA512
719324d12bc6354c676fdf83fa569a6d63eed2d40c7dbecb5c5a8ad026dc0059dbb927673c87869db95b5f7d89aba603e15e296e4cfc5ddbba8d963395ac3f16

Download Submit
C:\Windows\System32\GYwmZCW.exe

Filesize
3.1MB

MD5
21b3832a10ad19d281caf93a8ee416dc

SHA1
86b6fbefcea4b8880cca2c54cb3e1adbd33befa7

SHA256
8990b66e9060928514d06e6a629806394077aca52bb1c1fcd402b1b3fb36b46e

SHA512
e00ff9cdbe23ded72a8230239176f1e19df6974fe964615ac592e2aaa700882db03f83f9bbdf27dca333c204fd7a593b5648a66f9f338aafa57f341308c86142

Download Submit
C:\Windows\System32\HXlwPZs.exe

Filesize
3.1MB

MD5
0234d628feb3e87025cf927984337023

SHA1
ff788644bb01cd95fcd74bcc325dc92326b228d5

SHA256
a24363790471d63a807489834686e64039c89440b37b8dcde133baf46596533b

SHA512
d90e16cd1085c46fabd5b8696281877889433e75876d594886c5835831203e6467fed5414cae2868855dda0ec958c9b6db4e5b6e24c809dd203ca46f610e6ceb

Download Submit
C:\Windows\System32\IFHNYUf.exe

Filesize
3.1MB

MD5
ec65ed8d32049eac45890563ed834431

SHA1
68d447382ec7842f7674e312740371765a9dd119

SHA256
8cb172c0d40d36b1d94313e6981477d1990959d23e5da97039a053a01d0b6493

SHA512
1663ca74caa70e25feebf8587b1905ff07f24f21a1869d13c7f803d47a42445c9a436403214435d611cc58be8008550ad8dbc7192f470a77be47c88b4155f063

Download Submit
C:\Windows\System32\IZYiKJA.exe

Filesize
3.1MB

MD5
59f99f64c2ef1070452e962d0cf01dd0

SHA1
173f7e7ae786006a65f540e837207a7d8891e4c1

SHA256
a709a83ee9e7a718befd8eb24a36cebab6602678ba6c6b2064c723d3e8396598

SHA512
ad451d1088ead9e52bce3139fe42112ac8290cdc9e1d1a39fdda2f33e53411565c8029515a136fb40c6f81944387e9a5ac57fc73fd5bc9e1ead487ed30b01079

Download Submit
C:\Windows\System32\JUKHMTt.exe

Filesize
3.1MB

MD5
bab10a792ba4483c2c1b5947aac2e122

SHA1
5fa1b177e43d6719ab256bc93be6ffc404431177

SHA256
88fc9bace3d2f80e514de82f27fedd445781ccdb314b162cf6423b1bf2db2992

SHA512
b0ae3a4d3950e2b1466f9f39f96ad85e697bf3690b9b4f791150b0eb4fca70ca8cc4cac8b22e2c716095a337b692d054a14f863a0f5c0afba3ef6fe14bc9de46

Download Submit
C:\Windows\System32\LEJPtWv.exe

Filesize
3.1MB

MD5
36417368bc3f39d7c9adb0e65bc1027c

SHA1
cb358feee0891c98a14d2c2bbe6ecb6689d7b85c

SHA256
0c2a02056ce9057dd6a170c0fd250a895402eb59a71d8f9b9c27107791e78e67

SHA512
772d82f7b6949e9756e16cf84de7ea8751eeb5bb3fe3cf38b46a6c4b5c91a7c13eeb358fa3b82211d87ce4e0eca4a62dac57934fcf00087fa22276150da4626c

Download Submit
C:\Windows\System32\MDtrFQN.exe

Filesize
3.1MB

MD5
7356e9684f510b1c00572e5a6b6a89d1

SHA1
922996af3f7dcc0dc1ec181c13368c8c6ce0dcfb

SHA256
44b8c028dcc6f53d2f04d443f92de81dd729ca70adfe235f8d5ff4a5a614a54d

SHA512
e4571a50b8038156fa2631e74b32e9a50394713e988d73cb92da053d5879fc3b1a28057e9f8d2c82392702ef46048f42c4d0a679fc89f81b26c7bb83ccdb44ab

Download Submit
C:\Windows\System32\RpdyjfQ.exe

Filesize
3.1MB

MD5
0628e7cd29468b1566504af7b4d0cb54

SHA1
eb6af0cb58264927232830cc4bd1560a40d2570e

SHA256
58b1be8eb4200815f415e49e6e33e298fd1f3789eb0bbfc0b18722ba308f8356

SHA512
8f9b01254e7fa558f00895f8b56910fb99c2a6c40afcd94a5c62702aade92214cea72493709157554c6358cdc20770f96544a58447b6aa2e1b80954499a536fa

Download Submit
C:\Windows\System32\UuHOpXx.exe

Filesize
3.1MB

MD5
2646d08b3a127a717ac0f18dbc29d9de

SHA1
98e3428ac85c93e1d78f86d8af5213e5c801f1e2

SHA256
0b06e75d7acd0a3848766537ef0be28b881b526fab4fd8b0e4d4ac48b16f3c2b

SHA512
7395e3f7632e8c57c8e68209934d22e47c53c81ed92585eba256e8b5d4765b4d86d85c3be559c6adffed3faff92090be1745e897455ab35b3483f6a604b7861c

Download Submit
C:\Windows\System32\XvRFXuU.exe

Filesize
3.1MB

MD5
82c3c437367fb9d12b2e36dcc42e1a6f

SHA1
4a6009820d21883171184333ceda0c514215502c

SHA256
0909bcc6f9044b7014625f0a2f5aaa5ceb4819852dc3842734af4f521664404a

SHA512
2df2e930df6cab1353f0bb5c4bf9b63b60ed2cfe40c7bd1e1f4cff1afa11f3fae897cfc1c4326cdbfba0c2a3056ca37588b52bb3a82bc7873cea1f40a1d41419

Download Submit
C:\Windows\System32\daVtOPO.exe

Filesize
3.1MB

MD5
59536530d7ab25ce9f00c8d9f1c24e46

SHA1
2cee7c31ac0ba889606149dc217e653c99622a40

SHA256
59ac12b8ed6cc24d643dab8333e0da924a0e3910251e222dc6302927613de694

SHA512
2a5fe158e87feefd602e37c515419e736519187d24139c47b92dbebcadd2b61e2dbbaa637e0212d062edb89f21245edb7f58b3133ee7da377fcfeb6ef0fb815e

Download Submit
C:\Windows\System32\eeRSsXJ.exe

Filesize
3.1MB

MD5
132412157f7956bf646cb09908827840

SHA1
ac81e8cbe932e52e4539a1e5c98251ed38b58b7d

SHA256
e575f7a13ffe19e3d0a62372eb3071d9c349224d4164e26cf92adb5698ff4944

SHA512
bea5e37ca4570e23577a87e05f39acdf707ababca89494cedbf3634372f6717cd29f7727267a90e5e0aa5f5a83020cd3b23006829e05df023c2a09e9f670f79c

Download Submit
C:\Windows\System32\faHpQhl.exe

Filesize
3.1MB

MD5
c4b97e48b976d441e3a7a32dd1788a36

SHA1
71b192b021059f00649581750ed339a8d9c81250

SHA256
bcea83f54bec4fe31f474f5521d8b552a128802a77c58f58b8680b59bfcd8afb

SHA512
a2fc2dd0d3f109ec2b900f1ed47e7c876c647c06738e93d00eb031104b9000f530a3ad40a24e202735a534f4efb8208ed005ab915d948582f54c47b79a073d9d

Download Submit
C:\Windows\System32\hDoufyI.exe

Filesize
3.1MB

MD5
377fec1d262e26439743561a0c56835d

SHA1
81f16950624d63cc778d7d71007a95ef990980cc

SHA256
88e0ea08cdcd5609eb1cda2171fe5c81ca0c1f01ba3ac8c93519f6e8bb23f4a7

SHA512
353ad0b09978540c94dab6559993425776370d782abd8d4e0ef06c4d69bd2666e205cb8c377f2c3560ad9dd394aca1e5063cd2776f8b9dfb77b3d8f3f6438d2c

Download Submit
C:\Windows\System32\ijeSZQB.exe

Filesize
3.1MB

MD5
b445a555211e755935230a840a130874

SHA1
5bbb4eff34a8a27f543c5a4b0e0b14c0be999edc

SHA256
bc5823643ccc10812f9ef57ecb14fb9b0298e9f6aaadf01914e42baccc141e31

SHA512
edb5b7c03165a7186e53b06ce0853058367ab5a88f2758fd0fc27f6873815b59add40ed5e3de896a45840ad23794b4e480a3fc0518fe72dca8067bf616c6936b

Download Submit
C:\Windows\System32\jcctXtj.exe

Filesize
3.1MB

MD5
d3b6faffc2e510d9b954a2d0a05fc8a4

SHA1
690815c3289f7475bc1434e4c246604ea2e9ab9b

SHA256
0c18eb6f200d83ca62d82413da46279e64b50b8c1bd33f754b8ff8ba1d430fb7

SHA512
59dbf1128a822e0b98ae1be6c55197f8b559c33d7946d116899beef1612a3a7e3723c43c49c62b8a986f8242ce0f4ceb752b7faf9aab5226e73438b1bbf215df

Download Submit
C:\Windows\System32\kfYdgYI.exe

Filesize
3.1MB

MD5
2a1306c40accec0fa5b9f0bf8892c86a

SHA1
cecd2af2b15fb78392c923e8b2123d726cc8354c

SHA256
76f6f484afa89db86af33d349a12caf43382f0f6dc208a9aefda3218ae561de8

SHA512
756e1d7e4ef8d946f58b40316cad0bc434cc60f11e6107ae878c069584e17b0b3dbe401369e066c3565723ccdaa2b27eec43a8a03da8fa87a308d37ad4efe78d

Download Submit
C:\Windows\System32\mOvKWuL.exe

Filesize
3.1MB

MD5
6247b9e088b22bfb6901fd31a7dc43f7

SHA1
10ed04cd0c966f963ee6e3975394dbb93b608c07

SHA256
e1a5d6290cf4ed97a8ade125e7acff8e9624feb3f6ed0b2ba2f225bf87eb858f

SHA512
52154533d2296a64cc78b66281a9905a953b28298fcc8cb42ca23585562fdf448a1591b688b3ca23c5e3b5730f7a5c905318d1d6284ac13771d14395c7be4448

Download Submit
C:\Windows\System32\nFEaDmQ.exe

Filesize
3.1MB

MD5
a6b0dd2e09b5584a1de62a6474d61884

SHA1
25667b0b781f0bed1d19d5ebd1f2be7e99136572

SHA256
1ccf27664c928ca7cec62def1bbf21bf545254050a152e70333bd78030e70dce

SHA512
8cdebb1edc15eb4d7ab3d123f54f04cd7ccfe047733bb07bde50f2936832af2992c01c5e5b4bfc8aa50a0054a4ca31db597ef7ecd441ceba9f095dd05f66d5a4

Download Submit
C:\Windows\System32\nHGsnBB.exe

Filesize
3.1MB

MD5
ac6e4742938beb2b897d2e52b68088c0

SHA1
6123bd52d67366095fc68c69a20347e5ae6329e8

SHA256
5bdbc9a6782653b2f2b500ca01aa8dea5f06fd4fe49e9e96b32ce6c332634398

SHA512
970bf1790cfab7a71f6cfd56cdcae7b7a2f9bdae1c3a1ab0a1dbe3dc08e16d3e45825c5e20e9c792a82a2d77ecdbc71841a50a6d017f0ff720b6d6589cc52716

Download Submit
C:\Windows\System32\oRlUblu.exe

Filesize
3.1MB

MD5
a87b3ead521701f249bc372c1a080f7f

SHA1
08b4c405544099fd4a770cecffd06f23f28886fa

SHA256
305b4b5cd8799e2896b012566fe670b4649fb3173975ba21a84ed7b106332033

SHA512
fecbd8a552496880b35c855eeb0fb09c056595d6faa3d1e07ab7d0fba638a822081331a93c43f4b4fae5469ce843c2b9cfb1499577cf964243739561970281e9

Download Submit
C:\Windows\System32\oeEaRQX.exe

Filesize
3.1MB

MD5
23fb061cb346026addcb1e4bbb57ef4e

SHA1
204aede31beed455a8a6c0030f9d074f3c80727d

SHA256
d456a8b191b878e015c2ce5b3c466386b020506a721a665f1e3e47f68623141b

SHA512
5df873d2fe3c596aa4ab507ed06922ba8c3abd2eed668c3f5eaf1d11cdd703c1d0d757c29061bce3eb66fe586b1a50dfe1395d3dd0baa239499271055d26eeef

Download Submit
C:\Windows\System32\ofNmMno.exe

Filesize
3.1MB

MD5
eac0539c74298f69757b712ed7d00b84

SHA1
73a1c4964de70b6a4e72ed4c4630a3843f33f1f9

SHA256
89272ce1b2d74f42935dadba835fe47768726e9f2dfb4811881fb5bfbf6bc2e7

SHA512
f377de2ec89a277c2033958e34b76369211cfd3921ae0a78547cbafc64f6a227c667914c43c6db1887d639961d187b3c863b53e0ed033cd0890e21244bad9f7c

Download Submit
C:\Windows\System32\pWSpNfI.exe

Filesize
3.1MB

MD5
956cba2765a84c3f0c8fc8bb0e94aa5b

SHA1
bfa2e72aca6249ec98c3b249e5e42def5dc0e6ee

SHA256
f217f56e57cdb975c6aa0aed24e096eafa36ba6054d1c4ebd90e187bc75ee24a

SHA512
11df5f8ee825b5f42f732348b2660450d50d78d9a0a9356f0f00d4e443cce7f339c04b48ef52483a49dd101d9216c41ce1c39547157780d991ba0dbc95e83f63

Download Submit
C:\Windows\System32\usENgww.exe

Filesize
3.1MB

MD5
a2067914d63378aeec1f1c09f332471e

SHA1
cbea968c635c303563862d13afc3519aa9d274fe

SHA256
1b385f3310b9302014caaf26ef6d061030155cf9cfa4ce8beb85a59193302bf1

SHA512
c0d6cbcdfa2e60c2dde411a6b6d1462cc27530400f34cafa828cc661dfa79a0bf50cf577d9e240ccb546b9d0e11d7fd5ca138df7730077abbbef944ec0ed4b26

Download Submit
C:\Windows\System32\vtWEryq.exe

Filesize
3.1MB

MD5
39d094445255ddb08197cced9f298ee1

SHA1
58a2976e1ab387ed9a1047806a18524455f41bdc

SHA256
8daeae9e231872e8a076d98aba2a82757965906bb3ea767ca00fb2ea22c68762

SHA512
8fbd434994f016a1c07b503ea426fac60e32794b6abf0880f19417232501247ebcf6ad981814251e5b46943a347a97bc274337b905b16990e766bdabddc94319

Download Submit
C:\Windows\System32\wVxPQbH.exe

Filesize
3.1MB

MD5
291f5f44e004d523197c1780aff90763

SHA1
611dda88f7ce52a4eaaa2d3b0ae4e94f9f4f97a4

SHA256
493a1fa09946bf629b0cb53a998479e59438a55c34d9d3a6483f24f2619ee421

SHA512
547889a6de9f763b3b361998f8a204aec005f611fa234ff220d7bf782b0b451d3e7c56e137f015d4ec7c8eb10bc9460962ce992b0742c7caf0b1f61a8c1dd7ae

Download Submit
C:\Windows\System32\ybysqIH.exe

Filesize
3.1MB

MD5
306d5ecadde47293b6f314d67640a687

SHA1
7bb76f9c3c71693dc39e8e365ebbbbc73a96cff8

SHA256
c99191a461c6f4cedf97d0330503dc721510b6e3e4765de9e20db6517b6faae1

SHA512
c1fc1c98f735e0919073192363e1e708973ad279122f5fb7adf29ab274f1c9acdee423ff15557e81f0e163f6f9bea8242cdc320ddbf4a6c19314b3d26924dbe6

Download Submit
C:\Windows\System32\zAJPyNa.exe

Filesize
3.1MB

MD5
019ca506b7ff27be4b6ba99fefe28e86

SHA1
c8e05fc834c65f7e0fb369a93018951d36655721

SHA256
17c090663f05f56036160af47b12868d24d326039fe59c7eb7dcb19bfca75e02

SHA512
9bb36d73f27afc58e4d1053579f7a52820e6275c794dee882dbdee2c252c76f896f61c9e2a068cd3e0c794996b65a2e14221b27f88de63b72b1f570070073920

Download Submit
C:\Windows\System32\zbpGMca.exe

Filesize
3.1MB

MD5
8934a5ff14b920a26b714930a54c86c7

SHA1
8a3161b7305c8c159dee16a3229a2764c9cd24dc

SHA256
2c6b1b2dab5998600c87a2f0360504b6a401c754ecaacdbe71e257b4211b76d8

SHA512
bd75953ebddc8db58a468430bb139196bd99a6ba7655731f7ccb277fa3eab6e3cb14149e930af5e92bb1bbb548431533e04d4a03dd4b5543890d5e2ae8f120b7

Download Submit
memory/604-875-0x00007FF7517C0000-0x00007FF751BB5000-memory.dmp

Filesize
4.0MB

Download
memory/604-1913-0x00007FF7517C0000-0x00007FF751BB5000-memory.dmp

Filesize
4.0MB

Download
memory/696-845-0x00007FF611870000-0x00007FF611C65000-memory.dmp

Filesize
4.0MB

Download
memory/696-1899-0x00007FF611870000-0x00007FF611C65000-memory.dmp

Filesize
4.0MB

Download
memory/760-1916-0x00007FF734B10000-0x00007FF734F05000-memory.dmp

Filesize
4.0MB

Download
memory/760-877-0x00007FF734B10000-0x00007FF734F05000-memory.dmp

Filesize
4.0MB

Download
memory/1044-1903-0x00007FF722A20000-0x00007FF722E15000-memory.dmp

Filesize
4.0MB

Download
memory/1044-868-0x00007FF722A20000-0x00007FF722E15000-memory.dmp

Filesize
4.0MB

Download
memory/1084-1906-0x00007FF625D70000-0x00007FF626165000-memory.dmp

Filesize
4.0MB

Download
memory/1084-861-0x00007FF625D70000-0x00007FF626165000-memory.dmp

Filesize
4.0MB

Download
memory/1132-831-0x00007FF638650000-0x00007FF638A45000-memory.dmp

Filesize
4.0MB

Download
memory/1132-1901-0x00007FF638650000-0x00007FF638A45000-memory.dmp

Filesize
4.0MB

Download
memory/1160-821-0x00007FF6DEA70000-0x00007FF6DEE65000-memory.dmp

Filesize
4.0MB

Download
memory/1160-1909-0x00007FF6DEA70000-0x00007FF6DEE65000-memory.dmp

Filesize
4.0MB

Download
memory/1552-1894-0x00007FF740440000-0x00007FF740835000-memory.dmp

Filesize
4.0MB

Download
memory/1552-1891-0x00007FF740440000-0x00007FF740835000-memory.dmp

Filesize
4.0MB

Download
memory/1552-19-0x00007FF740440000-0x00007FF740835000-memory.dmp

Filesize
4.0MB

Download
memory/1844-1915-0x00007FF7DF650000-0x00007FF7DFA45000-memory.dmp

Filesize
4.0MB

Download
memory/1844-881-0x00007FF7DF650000-0x00007FF7DFA45000-memory.dmp

Filesize
4.0MB

Download
memory/2072-842-0x00007FF6E8200000-0x00007FF6E85F5000-memory.dmp

Filesize
4.0MB

Download
memory/2072-1905-0x00007FF6E8200000-0x00007FF6E85F5000-memory.dmp

Filesize
4.0MB

Download
memory/2144-1897-0x00007FF660B40000-0x00007FF660F35000-memory.dmp

Filesize
4.0MB

Download
memory/2144-892-0x00007FF660B40000-0x00007FF660F35000-memory.dmp

Filesize
4.0MB

Download
memory/2288-849-0x00007FF610540000-0x00007FF610935000-memory.dmp

Filesize
4.0MB

Download
memory/2288-1910-0x00007FF610540000-0x00007FF610935000-memory.dmp

Filesize
4.0MB

Download
memory/2368-871-0x00007FF6903B0000-0x00007FF6907A5000-memory.dmp

Filesize
4.0MB

Download
memory/2368-1912-0x00007FF6903B0000-0x00007FF6907A5000-memory.dmp

Filesize
4.0MB

Download
memory/2632-22-0x00007FF756A00000-0x00007FF756DF5000-memory.dmp

Filesize
4.0MB

Download
memory/2632-1895-0x00007FF756A00000-0x00007FF756DF5000-memory.dmp

Filesize
4.0MB

Download
memory/3360-818-0x00007FF6A2190000-0x00007FF6A2585000-memory.dmp

Filesize
4.0MB

Download
memory/3360-1898-0x00007FF6A2190000-0x00007FF6A2585000-memory.dmp

Filesize
4.0MB

Download
memory/3776-1908-0x00007FF765AD0000-0x00007FF765EC5000-memory.dmp

Filesize
4.0MB

Download
memory/3776-837-0x00007FF765AD0000-0x00007FF765EC5000-memory.dmp

Filesize
4.0MB

Download
memory/4032-9-0x00007FF705710000-0x00007FF705B05000-memory.dmp

Filesize
4.0MB

Download
memory/4032-1893-0x00007FF705710000-0x00007FF705B05000-memory.dmp

Filesize
4.0MB

Download
memory/4044-0-0x00007FF607D70000-0x00007FF608165000-memory.dmp

Filesize
4.0MB

Download
memory/4044-1-0x00000225D6380000-0x00000225D6390000-memory.dmp

Filesize
64KB

Download
memory/4044-1890-0x00007FF607D70000-0x00007FF608165000-memory.dmp

Filesize
4.0MB

Download
memory/4080-1896-0x00007FF704490000-0x00007FF704885000-memory.dmp

Filesize
4.0MB

Download
memory/4080-817-0x00007FF704490000-0x00007FF704885000-memory.dmp

Filesize
4.0MB

Download
memory/4208-1907-0x00007FF7A6CC0000-0x00007FF7A70B5000-memory.dmp

Filesize
4.0MB

Download
memory/4208-823-0x00007FF7A6CC0000-0x00007FF7A70B5000-memory.dmp

Filesize
4.0MB

Download
memory/4404-1914-0x00007FF7A4740000-0x00007FF7A4B35000-memory.dmp

Filesize
4.0MB

Download
memory/4404-888-0x00007FF7A4740000-0x00007FF7A4B35000-memory.dmp

Filesize
4.0MB

Download
memory/4592-829-0x00007FF70F6C0000-0x00007FF70FAB5000-memory.dmp

Filesize
4.0MB

Download
memory/4592-1902-0x00007FF70F6C0000-0x00007FF70FAB5000-memory.dmp

Filesize
4.0MB

Download
memory/4612-1904-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4612-816-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4612-1892-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp

Filesize
4.0MB

Download
memory/4988-843-0x00007FF6C3BB0000-0x00007FF6C3FA5000-memory.dmp

Filesize
4.0MB

Download
memory/4988-1900-0x00007FF6C3BB0000-0x00007FF6C3FA5000-memory.dmp

Filesize
4.0MB

Download
memory/5088-1911-0x00007FF67BC40000-0x00007FF67C035000-memory.dmp

Filesize
4.0MB

Download
memory/5088-874-0x00007FF67BC40000-0x00007FF67C035000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads