xmrig | 642cdf4fe24ce70be0fcd036893e2033cda1994c3cd83efd7d9514d4e6fecfba

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
Size

2.9MB
MD5

c7421e06ebdb06cf2c8af6ead4646340
SHA1

ed5049b0d45bf5815119ab07d9447fb7b4ff1525
SHA256

642cdf4fe24ce70be0fcd036893e2033cda1994c3cd83efd7d9514d4e6fecfba
SHA512

25048cb65c8f56e35fc60ce105c05295238dc5025a90b5c1f61f6e0c98ecc7022eed462d1f6d43f319db6986a8a40f05d33dcc0b7322037d8a57c5e88a6361ff
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzHUh+hNfwd:w0GnJMOWPClFdx6e0EALKWVTffZiPAcM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp	xmrig
behavioral2/files/0x000800000002360d-4.dat	xmrig
behavioral2/memory/4592-10-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	xmrig
behavioral2/files/0x000700000002360f-13.dat	xmrig
behavioral2/files/0x000700000002360e-14.dat	xmrig
behavioral2/files/0x0007000000023610-23.dat	xmrig
behavioral2/files/0x0007000000023612-30.dat	xmrig
behavioral2/files/0x0007000000023613-37.dat	xmrig
behavioral2/files/0x0007000000023614-42.dat	xmrig
behavioral2/files/0x0007000000023616-52.dat	xmrig
behavioral2/files/0x0007000000023617-59.dat	xmrig
behavioral2/files/0x0007000000023619-67.dat	xmrig
behavioral2/files/0x000700000002361a-74.dat	xmrig
behavioral2/files/0x000700000002361c-82.dat	xmrig
behavioral2/files/0x000700000002361e-92.dat	xmrig
behavioral2/files/0x0007000000023620-102.dat	xmrig
behavioral2/files/0x0007000000023622-112.dat	xmrig
behavioral2/files/0x0007000000023625-127.dat	xmrig
behavioral2/files/0x0007000000023627-139.dat	xmrig
behavioral2/files/0x000700000002362b-157.dat	xmrig
behavioral2/memory/2964-743-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp	xmrig
behavioral2/files/0x000700000002362c-164.dat	xmrig
behavioral2/files/0x000700000002362a-154.dat	xmrig
behavioral2/files/0x0007000000023629-149.dat	xmrig
behavioral2/files/0x0007000000023628-144.dat	xmrig
behavioral2/files/0x0007000000023626-134.dat	xmrig
behavioral2/files/0x0007000000023624-124.dat	xmrig
behavioral2/files/0x0007000000023623-119.dat	xmrig
behavioral2/files/0x0007000000023621-109.dat	xmrig
behavioral2/files/0x000700000002361f-99.dat	xmrig
behavioral2/files/0x000700000002361d-89.dat	xmrig
behavioral2/files/0x000700000002361b-79.dat	xmrig
behavioral2/files/0x0007000000023618-64.dat	xmrig
behavioral2/files/0x0007000000023615-49.dat	xmrig
behavioral2/files/0x0007000000023611-32.dat	xmrig
behavioral2/memory/1920-27-0x00007FF681C90000-0x00007FF682085000-memory.dmp	xmrig
behavioral2/memory/3448-19-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	xmrig
behavioral2/memory/1228-744-0x00007FF6375A0000-0x00007FF637995000-memory.dmp	xmrig
behavioral2/memory/1720-745-0x00007FF603C60000-0x00007FF604055000-memory.dmp	xmrig
behavioral2/memory/3844-748-0x00007FF7BF120000-0x00007FF7BF515000-memory.dmp	xmrig
behavioral2/memory/2904-755-0x00007FF7787C0000-0x00007FF778BB5000-memory.dmp	xmrig
behavioral2/memory/4924-768-0x00007FF62BCE0000-0x00007FF62C0D5000-memory.dmp	xmrig
behavioral2/memory/3028-760-0x00007FF7FF960000-0x00007FF7FFD55000-memory.dmp	xmrig
behavioral2/memory/2284-776-0x00007FF673CA0000-0x00007FF674095000-memory.dmp	xmrig
behavioral2/memory/5004-777-0x00007FF7B5740000-0x00007FF7B5B35000-memory.dmp	xmrig
behavioral2/memory/4052-783-0x00007FF6B4330000-0x00007FF6B4725000-memory.dmp	xmrig
behavioral2/memory/1808-787-0x00007FF6D00C0000-0x00007FF6D04B5000-memory.dmp	xmrig
behavioral2/memory/4900-789-0x00007FF7A7E90000-0x00007FF7A8285000-memory.dmp	xmrig
behavioral2/memory/868-795-0x00007FF62B550000-0x00007FF62B945000-memory.dmp	xmrig
behavioral2/memory/2752-799-0x00007FF69AB70000-0x00007FF69AF65000-memory.dmp	xmrig
behavioral2/memory/4424-803-0x00007FF7BDC90000-0x00007FF7BE085000-memory.dmp	xmrig
behavioral2/memory/1440-801-0x00007FF7803E0000-0x00007FF7807D5000-memory.dmp	xmrig
behavioral2/memory/4008-790-0x00007FF706A50000-0x00007FF706E45000-memory.dmp	xmrig
behavioral2/memory/4708-809-0x00007FF7D0D30000-0x00007FF7D1125000-memory.dmp	xmrig
behavioral2/memory/2892-814-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp	xmrig
behavioral2/memory/1260-816-0x00007FF65F640000-0x00007FF65FA35000-memory.dmp	xmrig
behavioral2/memory/3552-805-0x00007FF6BF950000-0x00007FF6BFD45000-memory.dmp	xmrig
behavioral2/memory/4592-1818-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	xmrig
behavioral2/memory/2012-1819-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp	xmrig
behavioral2/memory/3448-1820-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	xmrig
behavioral2/memory/2964-1821-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp	xmrig
behavioral2/memory/4592-1822-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	xmrig
behavioral2/memory/3448-1823-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	xmrig
behavioral2/memory/2892-1826-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4592	DivlaAo.exe
3448	JYXPHkH.exe
1920	AjMDPTT.exe
4708	DRcWEMf.exe
2892	EQyeAUL.exe
2964	oXuhtcX.exe
1260	PfzapKG.exe
1228	HZVXASB.exe
1720	YJXZVur.exe
3844	RfOeZtB.exe
2904	TbdWKiH.exe
3028	JMBAUDc.exe
4924	ATvcVPZ.exe
2284	ztlmUwn.exe
5004	LEFjLiZ.exe
4052	bPTruwP.exe
1808	slBfvJd.exe
4900	ewFymym.exe
4008	vJWBAYa.exe
868	ZpsZcKq.exe
2752	eTywkBK.exe
1440	UmUbhaE.exe
4424	pmoGDHK.exe
3552	CzcTtiB.exe
2568	UdDaSYd.exe
3316	GItVgaH.exe
1112	qAufymF.exe
3192	hxOMYjB.exe
1108	MvtIxps.exe
2588	UdteYzZ.exe
4876	KRXKVaw.exe
4316	tAwkKCm.exe
552	yiSRivt.exe
2976	SeMrvnn.exe
1624	zvdPGKd.exe
2980	CGpwVbJ.exe
2768	MwWfvpx.exe
4336	YVwpisD.exe
3224	rveZnya.exe
3648	UIydaCQ.exe
232	pgodMZL.exe
3564	xZfXlbi.exe
4400	qhcQSXV.exe
368	RGrCQjs.exe
884	zqzYIFu.exe
4804	uoJEfam.exe
2004	lGkYpAd.exe
3412	nNqEedI.exe
4128	FbPBkoL.exe
1948	FefUiHv.exe
5132	YCVEtuO.exe
5160	kNpSrdF.exe
5188	oNOpApx.exe
5204	ulZVTaJ.exe
5232	AiGRHSi.exe
5260	oyVYYfq.exe
5300	WWylMcR.exe
5316	ePZenTJ.exe
5352	dCwkdRM.exe
5372	qlflssg.exe
5400	gnOHIVa.exe
5428	yDsNBrh.exe
5456	doSRQkF.exe
5496	rPTRubg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp	upx
behavioral2/files/0x000800000002360d-4.dat	upx
behavioral2/memory/4592-10-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	upx
behavioral2/files/0x000700000002360f-13.dat	upx
behavioral2/files/0x000700000002360e-14.dat	upx
behavioral2/files/0x0007000000023610-23.dat	upx
behavioral2/files/0x0007000000023612-30.dat	upx
behavioral2/files/0x0007000000023613-37.dat	upx
behavioral2/files/0x0007000000023614-42.dat	upx
behavioral2/files/0x0007000000023616-52.dat	upx
behavioral2/files/0x0007000000023617-59.dat	upx
behavioral2/files/0x0007000000023619-67.dat	upx
behavioral2/files/0x000700000002361a-74.dat	upx
behavioral2/files/0x000700000002361c-82.dat	upx
behavioral2/files/0x000700000002361e-92.dat	upx
behavioral2/files/0x0007000000023620-102.dat	upx
behavioral2/files/0x0007000000023622-112.dat	upx
behavioral2/files/0x0007000000023625-127.dat	upx
behavioral2/files/0x0007000000023627-139.dat	upx
behavioral2/files/0x000700000002362b-157.dat	upx
behavioral2/memory/2964-743-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp	upx
behavioral2/files/0x000700000002362c-164.dat	upx
behavioral2/files/0x000700000002362a-154.dat	upx
behavioral2/files/0x0007000000023629-149.dat	upx
behavioral2/files/0x0007000000023628-144.dat	upx
behavioral2/files/0x0007000000023626-134.dat	upx
behavioral2/files/0x0007000000023624-124.dat	upx
behavioral2/files/0x0007000000023623-119.dat	upx
behavioral2/files/0x0007000000023621-109.dat	upx
behavioral2/files/0x000700000002361f-99.dat	upx
behavioral2/files/0x000700000002361d-89.dat	upx
behavioral2/files/0x000700000002361b-79.dat	upx
behavioral2/files/0x0007000000023618-64.dat	upx
behavioral2/files/0x0007000000023615-49.dat	upx
behavioral2/files/0x0007000000023611-32.dat	upx
behavioral2/memory/1920-27-0x00007FF681C90000-0x00007FF682085000-memory.dmp	upx
behavioral2/memory/3448-19-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	upx
behavioral2/memory/1228-744-0x00007FF6375A0000-0x00007FF637995000-memory.dmp	upx
behavioral2/memory/1720-745-0x00007FF603C60000-0x00007FF604055000-memory.dmp	upx
behavioral2/memory/3844-748-0x00007FF7BF120000-0x00007FF7BF515000-memory.dmp	upx
behavioral2/memory/2904-755-0x00007FF7787C0000-0x00007FF778BB5000-memory.dmp	upx
behavioral2/memory/4924-768-0x00007FF62BCE0000-0x00007FF62C0D5000-memory.dmp	upx
behavioral2/memory/3028-760-0x00007FF7FF960000-0x00007FF7FFD55000-memory.dmp	upx
behavioral2/memory/2284-776-0x00007FF673CA0000-0x00007FF674095000-memory.dmp	upx
behavioral2/memory/5004-777-0x00007FF7B5740000-0x00007FF7B5B35000-memory.dmp	upx
behavioral2/memory/4052-783-0x00007FF6B4330000-0x00007FF6B4725000-memory.dmp	upx
behavioral2/memory/1808-787-0x00007FF6D00C0000-0x00007FF6D04B5000-memory.dmp	upx
behavioral2/memory/4900-789-0x00007FF7A7E90000-0x00007FF7A8285000-memory.dmp	upx
behavioral2/memory/868-795-0x00007FF62B550000-0x00007FF62B945000-memory.dmp	upx
behavioral2/memory/2752-799-0x00007FF69AB70000-0x00007FF69AF65000-memory.dmp	upx
behavioral2/memory/4424-803-0x00007FF7BDC90000-0x00007FF7BE085000-memory.dmp	upx
behavioral2/memory/1440-801-0x00007FF7803E0000-0x00007FF7807D5000-memory.dmp	upx
behavioral2/memory/4008-790-0x00007FF706A50000-0x00007FF706E45000-memory.dmp	upx
behavioral2/memory/4708-809-0x00007FF7D0D30000-0x00007FF7D1125000-memory.dmp	upx
behavioral2/memory/2892-814-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp	upx
behavioral2/memory/1260-816-0x00007FF65F640000-0x00007FF65FA35000-memory.dmp	upx
behavioral2/memory/3552-805-0x00007FF6BF950000-0x00007FF6BFD45000-memory.dmp	upx
behavioral2/memory/4592-1818-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	upx
behavioral2/memory/2012-1819-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp	upx
behavioral2/memory/3448-1820-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	upx
behavioral2/memory/2964-1821-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp	upx
behavioral2/memory/4592-1822-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp	upx
behavioral2/memory/3448-1823-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp	upx
behavioral2/memory/2892-1826-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DUrfYsT.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\jjYjUOv.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\JozCaoY.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\uoJEfam.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\kdLMvVg.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\EebhViP.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\JJUJrTb.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\lsMzlbW.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\HafnPYQ.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\UAQNsIS.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\svTQVbZ.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\cMLILJU.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\RkOgAwL.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\QbldxVX.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\oEazOnC.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\TAYVcng.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\SeMrvnn.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\vzPfqvv.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\kQbYQjT.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\AjMDPTT.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\aXlwNtO.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\wQIZOgH.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\PfFmmgg.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\uTkRDUa.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\cmgwdwD.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\FXnYtpw.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\aSXSpEO.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\NzkOBRg.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\XMBUVrT.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\tsWLrme.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\WTSlfuz.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\frFUVFN.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\DHFvZcw.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\ONlqvyA.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\wiKYPux.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\ZjvUejv.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\YGPSxLK.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\GqZfEMt.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\NkfcoXz.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\OnshBAP.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\qwEVIJn.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\czewWTl.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\YCVEtuO.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\feoxrBC.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\eNPVSmy.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\TCTyjCb.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\SYUuOkc.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\KwJIUJO.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\wlNKCdy.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\QWlPNoX.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\YlQsQVM.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\AvWyNiq.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\BvTsrDe.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\JnvYvGV.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\xTigVno.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\SERMpgu.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\EPyNoMj.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\luAwOii.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\oyVYYfq.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\tahWpcP.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\DFLaZeS.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\haqcBSc.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\EXMAjbX.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
File created	C:\Windows\System32\LEgoNXa.exe	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13912	dwm.exe
Token: SeChangeNotifyPrivilege	13912	dwm.exe
Token: 33	13912	dwm.exe
Token: SeIncBasePriorityPrivilege	13912	dwm.exe
Token: SeShutdownPrivilege	13912	dwm.exe
Token: SeCreatePagefilePrivilege	13912	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4592	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	91
PID 2012 wrote to memory of 4592	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	91
PID 2012 wrote to memory of 3448	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	92
PID 2012 wrote to memory of 3448	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	92
PID 2012 wrote to memory of 1920	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	93
PID 2012 wrote to memory of 1920	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	93
PID 2012 wrote to memory of 4708	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	94
PID 2012 wrote to memory of 4708	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	94
PID 2012 wrote to memory of 2892	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	95
PID 2012 wrote to memory of 2892	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	95
PID 2012 wrote to memory of 2964	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	96
PID 2012 wrote to memory of 2964	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	96
PID 2012 wrote to memory of 1260	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	97
PID 2012 wrote to memory of 1260	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	97
PID 2012 wrote to memory of 1228	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	98
PID 2012 wrote to memory of 1228	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	98
PID 2012 wrote to memory of 1720	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	99
PID 2012 wrote to memory of 1720	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	99
PID 2012 wrote to memory of 3844	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	100
PID 2012 wrote to memory of 3844	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	100
PID 2012 wrote to memory of 2904	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	101
PID 2012 wrote to memory of 2904	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	101
PID 2012 wrote to memory of 3028	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	102
PID 2012 wrote to memory of 3028	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	102
PID 2012 wrote to memory of 4924	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	103
PID 2012 wrote to memory of 4924	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	103
PID 2012 wrote to memory of 2284	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	104
PID 2012 wrote to memory of 2284	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	104
PID 2012 wrote to memory of 5004	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	105
PID 2012 wrote to memory of 5004	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	105
PID 2012 wrote to memory of 4052	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	106
PID 2012 wrote to memory of 4052	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	106
PID 2012 wrote to memory of 1808	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	107
PID 2012 wrote to memory of 1808	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	107
PID 2012 wrote to memory of 4900	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	108
PID 2012 wrote to memory of 4900	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	108
PID 2012 wrote to memory of 4008	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	109
PID 2012 wrote to memory of 4008	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	109
PID 2012 wrote to memory of 868	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	110
PID 2012 wrote to memory of 868	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	110
PID 2012 wrote to memory of 2752	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	111
PID 2012 wrote to memory of 2752	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	111
PID 2012 wrote to memory of 1440	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	112
PID 2012 wrote to memory of 1440	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	112
PID 2012 wrote to memory of 4424	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	113
PID 2012 wrote to memory of 4424	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	113
PID 2012 wrote to memory of 3552	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	114
PID 2012 wrote to memory of 3552	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	114
PID 2012 wrote to memory of 2568	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	115
PID 2012 wrote to memory of 2568	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	115
PID 2012 wrote to memory of 3316	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	116
PID 2012 wrote to memory of 3316	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	116
PID 2012 wrote to memory of 1112	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	117
PID 2012 wrote to memory of 1112	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	117
PID 2012 wrote to memory of 3192	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	118
PID 2012 wrote to memory of 3192	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	118
PID 2012 wrote to memory of 1108	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	119
PID 2012 wrote to memory of 1108	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	119
PID 2012 wrote to memory of 2588	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	120
PID 2012 wrote to memory of 2588	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	120
PID 2012 wrote to memory of 4876	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	121
PID 2012 wrote to memory of 4876	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	121
PID 2012 wrote to memory of 4316	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	122
PID 2012 wrote to memory of 4316	2012	c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe	122

C:\Users\Admin\AppData\Local\Temp\c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c7421e06ebdb06cf2c8af6ead4646340_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\DivlaAo.exe
  C:\Windows\System32\DivlaAo.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\JYXPHkH.exe
  C:\Windows\System32\JYXPHkH.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\AjMDPTT.exe
  C:\Windows\System32\AjMDPTT.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\DRcWEMf.exe
  C:\Windows\System32\DRcWEMf.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\EQyeAUL.exe
  C:\Windows\System32\EQyeAUL.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\oXuhtcX.exe
  C:\Windows\System32\oXuhtcX.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\PfzapKG.exe
  C:\Windows\System32\PfzapKG.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System32\HZVXASB.exe
  C:\Windows\System32\HZVXASB.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System32\YJXZVur.exe
  C:\Windows\System32\YJXZVur.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\RfOeZtB.exe
  C:\Windows\System32\RfOeZtB.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\TbdWKiH.exe
  C:\Windows\System32\TbdWKiH.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\JMBAUDc.exe
  C:\Windows\System32\JMBAUDc.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\ATvcVPZ.exe
  C:\Windows\System32\ATvcVPZ.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\ztlmUwn.exe
  C:\Windows\System32\ztlmUwn.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\LEFjLiZ.exe
  C:\Windows\System32\LEFjLiZ.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\bPTruwP.exe
  C:\Windows\System32\bPTruwP.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System32\slBfvJd.exe
  C:\Windows\System32\slBfvJd.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\ewFymym.exe
  C:\Windows\System32\ewFymym.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\vJWBAYa.exe
  C:\Windows\System32\vJWBAYa.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System32\ZpsZcKq.exe
  C:\Windows\System32\ZpsZcKq.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System32\eTywkBK.exe
  C:\Windows\System32\eTywkBK.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\UmUbhaE.exe
  C:\Windows\System32\UmUbhaE.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\pmoGDHK.exe
  C:\Windows\System32\pmoGDHK.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\CzcTtiB.exe
  C:\Windows\System32\CzcTtiB.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\UdDaSYd.exe
  C:\Windows\System32\UdDaSYd.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\GItVgaH.exe
  C:\Windows\System32\GItVgaH.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\qAufymF.exe
  C:\Windows\System32\qAufymF.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System32\hxOMYjB.exe
  C:\Windows\System32\hxOMYjB.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\MvtIxps.exe
  C:\Windows\System32\MvtIxps.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System32\UdteYzZ.exe
  C:\Windows\System32\UdteYzZ.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\KRXKVaw.exe
  C:\Windows\System32\KRXKVaw.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\tAwkKCm.exe
  C:\Windows\System32\tAwkKCm.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\yiSRivt.exe
  C:\Windows\System32\yiSRivt.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System32\SeMrvnn.exe
  C:\Windows\System32\SeMrvnn.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System32\zvdPGKd.exe
  C:\Windows\System32\zvdPGKd.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\CGpwVbJ.exe
  C:\Windows\System32\CGpwVbJ.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\MwWfvpx.exe
  C:\Windows\System32\MwWfvpx.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\YVwpisD.exe
  C:\Windows\System32\YVwpisD.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\rveZnya.exe
  C:\Windows\System32\rveZnya.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\UIydaCQ.exe
  C:\Windows\System32\UIydaCQ.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System32\pgodMZL.exe
  C:\Windows\System32\pgodMZL.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\xZfXlbi.exe
  C:\Windows\System32\xZfXlbi.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\qhcQSXV.exe
  C:\Windows\System32\qhcQSXV.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\RGrCQjs.exe
  C:\Windows\System32\RGrCQjs.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System32\zqzYIFu.exe
  C:\Windows\System32\zqzYIFu.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\uoJEfam.exe
  C:\Windows\System32\uoJEfam.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\lGkYpAd.exe
  C:\Windows\System32\lGkYpAd.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\nNqEedI.exe
  C:\Windows\System32\nNqEedI.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\FbPBkoL.exe
  C:\Windows\System32\FbPBkoL.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\FefUiHv.exe
  C:\Windows\System32\FefUiHv.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\YCVEtuO.exe
  C:\Windows\System32\YCVEtuO.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System32\kNpSrdF.exe
  C:\Windows\System32\kNpSrdF.exe
  2⤵
  - Executes dropped EXE
  PID:5160
- C:\Windows\System32\oNOpApx.exe
  C:\Windows\System32\oNOpApx.exe
  2⤵
  - Executes dropped EXE
  PID:5188
- C:\Windows\System32\ulZVTaJ.exe
  C:\Windows\System32\ulZVTaJ.exe
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Windows\System32\AiGRHSi.exe
  C:\Windows\System32\AiGRHSi.exe
  2⤵
  - Executes dropped EXE
  PID:5232
- C:\Windows\System32\oyVYYfq.exe
  C:\Windows\System32\oyVYYfq.exe
  2⤵
  - Executes dropped EXE
  PID:5260
- C:\Windows\System32\WWylMcR.exe
  C:\Windows\System32\WWylMcR.exe
  2⤵
  - Executes dropped EXE
  PID:5300
- C:\Windows\System32\ePZenTJ.exe
  C:\Windows\System32\ePZenTJ.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Windows\System32\dCwkdRM.exe
  C:\Windows\System32\dCwkdRM.exe
  2⤵
  - Executes dropped EXE
  PID:5352
- C:\Windows\System32\qlflssg.exe
  C:\Windows\System32\qlflssg.exe
  2⤵
  - Executes dropped EXE
  PID:5372
- C:\Windows\System32\gnOHIVa.exe
  C:\Windows\System32\gnOHIVa.exe
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Windows\System32\yDsNBrh.exe
  C:\Windows\System32\yDsNBrh.exe
  2⤵
  - Executes dropped EXE
  PID:5428
- C:\Windows\System32\doSRQkF.exe
  C:\Windows\System32\doSRQkF.exe
  2⤵
  - Executes dropped EXE
  PID:5456
- C:\Windows\System32\rPTRubg.exe
  C:\Windows\System32\rPTRubg.exe
  2⤵
  - Executes dropped EXE
  PID:5496
- C:\Windows\System32\eWgbODM.exe
  C:\Windows\System32\eWgbODM.exe
  2⤵
  PID:5512
- C:\Windows\System32\oUIMxPf.exe
  C:\Windows\System32\oUIMxPf.exe
  2⤵
  PID:5540
- C:\Windows\System32\mXgBQbU.exe
  C:\Windows\System32\mXgBQbU.exe
  2⤵
  PID:5580
- C:\Windows\System32\PkCsauN.exe
  C:\Windows\System32\PkCsauN.exe
  2⤵
  PID:5596
- C:\Windows\System32\MNbCYNz.exe
  C:\Windows\System32\MNbCYNz.exe
  2⤵
  PID:5636
- C:\Windows\System32\VHZfvIQ.exe
  C:\Windows\System32\VHZfvIQ.exe
  2⤵
  PID:5652
- C:\Windows\System32\wbXlbqO.exe
  C:\Windows\System32\wbXlbqO.exe
  2⤵
  PID:5692
- C:\Windows\System32\yGyrwIi.exe
  C:\Windows\System32\yGyrwIi.exe
  2⤵
  PID:5708
- C:\Windows\System32\lAyYLai.exe
  C:\Windows\System32\lAyYLai.exe
  2⤵
  PID:5736
- C:\Windows\System32\ShHMUzB.exe
  C:\Windows\System32\ShHMUzB.exe
  2⤵
  PID:5776
- C:\Windows\System32\XmUvPDj.exe
  C:\Windows\System32\XmUvPDj.exe
  2⤵
  PID:5792
- C:\Windows\System32\EnpJbsw.exe
  C:\Windows\System32\EnpJbsw.exe
  2⤵
  PID:5820
- C:\Windows\System32\tahWpcP.exe
  C:\Windows\System32\tahWpcP.exe
  2⤵
  PID:5860
- C:\Windows\System32\fcJdehX.exe
  C:\Windows\System32\fcJdehX.exe
  2⤵
  PID:5876
- C:\Windows\System32\ZZxhxKW.exe
  C:\Windows\System32\ZZxhxKW.exe
  2⤵
  PID:5904
- C:\Windows\System32\ZhQZddy.exe
  C:\Windows\System32\ZhQZddy.exe
  2⤵
  PID:5932
- C:\Windows\System32\ROrOfmA.exe
  C:\Windows\System32\ROrOfmA.exe
  2⤵
  PID:5960
- C:\Windows\System32\uSJhLXL.exe
  C:\Windows\System32\uSJhLXL.exe
  2⤵
  PID:6000
- C:\Windows\System32\DVUTGkS.exe
  C:\Windows\System32\DVUTGkS.exe
  2⤵
  PID:6016
- C:\Windows\System32\uDhvITk.exe
  C:\Windows\System32\uDhvITk.exe
  2⤵
  PID:6044
- C:\Windows\System32\DhtSnON.exe
  C:\Windows\System32\DhtSnON.exe
  2⤵
  PID:6072
- C:\Windows\System32\ozPjbEN.exe
  C:\Windows\System32\ozPjbEN.exe
  2⤵
  PID:6100
- C:\Windows\System32\tsWLrme.exe
  C:\Windows\System32\tsWLrme.exe
  2⤵
  PID:6140
- C:\Windows\System32\pRbCtqc.exe
  C:\Windows\System32\pRbCtqc.exe
  2⤵
  PID:4012
- C:\Windows\System32\ZuUleTt.exe
  C:\Windows\System32\ZuUleTt.exe
  2⤵
  PID:1636
- C:\Windows\System32\ZlqEwoi.exe
  C:\Windows\System32\ZlqEwoi.exe
  2⤵
  PID:4712
- C:\Windows\System32\UydMQPk.exe
  C:\Windows\System32\UydMQPk.exe
  2⤵
  PID:5124
- C:\Windows\System32\kXUlUHF.exe
  C:\Windows\System32\kXUlUHF.exe
  2⤵
  PID:5152
- C:\Windows\System32\iIbmxkU.exe
  C:\Windows\System32\iIbmxkU.exe
  2⤵
  PID:5244
- C:\Windows\System32\PdCgxDt.exe
  C:\Windows\System32\PdCgxDt.exe
  2⤵
  PID:5292
- C:\Windows\System32\eEcuMfc.exe
  C:\Windows\System32\eEcuMfc.exe
  2⤵
  PID:5364
- C:\Windows\System32\PyzvzwC.exe
  C:\Windows\System32\PyzvzwC.exe
  2⤵
  PID:5412
- C:\Windows\System32\PKbGlTF.exe
  C:\Windows\System32\PKbGlTF.exe
  2⤵
  PID:5472
- C:\Windows\System32\lTivOcf.exe
  C:\Windows\System32\lTivOcf.exe
  2⤵
  PID:5536
- C:\Windows\System32\RkOgAwL.exe
  C:\Windows\System32\RkOgAwL.exe
  2⤵
  PID:5592
- C:\Windows\System32\SNrZuqX.exe
  C:\Windows\System32\SNrZuqX.exe
  2⤵
  PID:5676
- C:\Windows\System32\qxhprRs.exe
  C:\Windows\System32\qxhprRs.exe
  2⤵
  PID:5760
- C:\Windows\System32\MxJSLiA.exe
  C:\Windows\System32\MxJSLiA.exe
  2⤵
  PID:5784
- C:\Windows\System32\kdLMvVg.exe
  C:\Windows\System32\kdLMvVg.exe
  2⤵
  PID:5836
- C:\Windows\System32\WTSlfuz.exe
  C:\Windows\System32\WTSlfuz.exe
  2⤵
  PID:5928
- C:\Windows\System32\LJBpcxd.exe
  C:\Windows\System32\LJBpcxd.exe
  2⤵
  PID:5992
- C:\Windows\System32\wiKYPux.exe
  C:\Windows\System32\wiKYPux.exe
  2⤵
  PID:6084
- C:\Windows\System32\zXteyEt.exe
  C:\Windows\System32\zXteyEt.exe
  2⤵
  PID:6124
- C:\Windows\System32\UAQNsIS.exe
  C:\Windows\System32\UAQNsIS.exe
  2⤵
  PID:4160
- C:\Windows\System32\zaeGZwZ.exe
  C:\Windows\System32\zaeGZwZ.exe
  2⤵
  PID:1180
- C:\Windows\System32\CNFMrac.exe
  C:\Windows\System32\CNFMrac.exe
  2⤵
  PID:5256
- C:\Windows\System32\tLDpDNW.exe
  C:\Windows\System32\tLDpDNW.exe
  2⤵
  PID:5388
- C:\Windows\System32\HuJcfjW.exe
  C:\Windows\System32\HuJcfjW.exe
  2⤵
  PID:5572
- C:\Windows\System32\swcIsWC.exe
  C:\Windows\System32\swcIsWC.exe
  2⤵
  PID:5788
- C:\Windows\System32\BWkfUaV.exe
  C:\Windows\System32\BWkfUaV.exe
  2⤵
  PID:436
- C:\Windows\System32\VfCewxk.exe
  C:\Windows\System32\VfCewxk.exe
  2⤵
  PID:6008
- C:\Windows\System32\TsRzfEk.exe
  C:\Windows\System32\TsRzfEk.exe
  2⤵
  PID:6160
- C:\Windows\System32\amzJNOo.exe
  C:\Windows\System32\amzJNOo.exe
  2⤵
  PID:6188
- C:\Windows\System32\dzDIxBV.exe
  C:\Windows\System32\dzDIxBV.exe
  2⤵
  PID:6228
- C:\Windows\System32\ADljokR.exe
  C:\Windows\System32\ADljokR.exe
  2⤵
  PID:6244
- C:\Windows\System32\zuwKgaq.exe
  C:\Windows\System32\zuwKgaq.exe
  2⤵
  PID:6284
- C:\Windows\System32\fZtRmWa.exe
  C:\Windows\System32\fZtRmWa.exe
  2⤵
  PID:6300
- C:\Windows\System32\TfUbSxK.exe
  C:\Windows\System32\TfUbSxK.exe
  2⤵
  PID:6328
- C:\Windows\System32\EzFLyuO.exe
  C:\Windows\System32\EzFLyuO.exe
  2⤵
  PID:6368
- C:\Windows\System32\tddbeDG.exe
  C:\Windows\System32\tddbeDG.exe
  2⤵
  PID:6384
- C:\Windows\System32\BNAYtGH.exe
  C:\Windows\System32\BNAYtGH.exe
  2⤵
  PID:6424
- C:\Windows\System32\lqSUfOj.exe
  C:\Windows\System32\lqSUfOj.exe
  2⤵
  PID:6440
- C:\Windows\System32\cnFpPHS.exe
  C:\Windows\System32\cnFpPHS.exe
  2⤵
  PID:6480
- C:\Windows\System32\rVcCqKH.exe
  C:\Windows\System32\rVcCqKH.exe
  2⤵
  PID:6496
- C:\Windows\System32\NqkqVkI.exe
  C:\Windows\System32\NqkqVkI.exe
  2⤵
  PID:6524
- C:\Windows\System32\SDuMoKM.exe
  C:\Windows\System32\SDuMoKM.exe
  2⤵
  PID:6552
- C:\Windows\System32\HWZpyfz.exe
  C:\Windows\System32\HWZpyfz.exe
  2⤵
  PID:6580
- C:\Windows\System32\ZjvUejv.exe
  C:\Windows\System32\ZjvUejv.exe
  2⤵
  PID:6620
- C:\Windows\System32\MVgRuqw.exe
  C:\Windows\System32\MVgRuqw.exe
  2⤵
  PID:6636
- C:\Windows\System32\ogtCAbO.exe
  C:\Windows\System32\ogtCAbO.exe
  2⤵
  PID:6676
- C:\Windows\System32\aXlwNtO.exe
  C:\Windows\System32\aXlwNtO.exe
  2⤵
  PID:6692
- C:\Windows\System32\YGPSxLK.exe
  C:\Windows\System32\YGPSxLK.exe
  2⤵
  PID:6732
- C:\Windows\System32\vAMxFxm.exe
  C:\Windows\System32\vAMxFxm.exe
  2⤵
  PID:6748
- C:\Windows\System32\yegKBur.exe
  C:\Windows\System32\yegKBur.exe
  2⤵
  PID:6788
- C:\Windows\System32\SYfXatW.exe
  C:\Windows\System32\SYfXatW.exe
  2⤵
  PID:6804
- C:\Windows\System32\FAPoxfR.exe
  C:\Windows\System32\FAPoxfR.exe
  2⤵
  PID:6844
- C:\Windows\System32\VkMoXqs.exe
  C:\Windows\System32\VkMoXqs.exe
  2⤵
  PID:6860
- C:\Windows\System32\rTbVgpc.exe
  C:\Windows\System32\rTbVgpc.exe
  2⤵
  PID:6888
- C:\Windows\System32\knHdicD.exe
  C:\Windows\System32\knHdicD.exe
  2⤵
  PID:6916
- C:\Windows\System32\jSGyZXI.exe
  C:\Windows\System32\jSGyZXI.exe
  2⤵
  PID:6944
- C:\Windows\System32\OYfgvFo.exe
  C:\Windows\System32\OYfgvFo.exe
  2⤵
  PID:6972
- C:\Windows\System32\ZXekqVi.exe
  C:\Windows\System32\ZXekqVi.exe
  2⤵
  PID:7012
- C:\Windows\System32\MjtRypg.exe
  C:\Windows\System32\MjtRypg.exe
  2⤵
  PID:7028
- C:\Windows\System32\QCwrnDv.exe
  C:\Windows\System32\QCwrnDv.exe
  2⤵
  PID:7056
- C:\Windows\System32\GZQnjtj.exe
  C:\Windows\System32\GZQnjtj.exe
  2⤵
  PID:7084
- C:\Windows\System32\NVYBZhK.exe
  C:\Windows\System32\NVYBZhK.exe
  2⤵
  PID:7124
- C:\Windows\System32\GbdmKja.exe
  C:\Windows\System32\GbdmKja.exe
  2⤵
  PID:7140
- C:\Windows\System32\svTQVbZ.exe
  C:\Windows\System32\svTQVbZ.exe
  2⤵
  PID:6112
- C:\Windows\System32\CAQhhth.exe
  C:\Windows\System32\CAQhhth.exe
  2⤵
  PID:3164
- C:\Windows\System32\DFLaZeS.exe
  C:\Windows\System32\DFLaZeS.exe
  2⤵
  PID:5488
- C:\Windows\System32\cOMFjMJ.exe
  C:\Windows\System32\cOMFjMJ.exe
  2⤵
  PID:5956
- C:\Windows\System32\ktsfwxW.exe
  C:\Windows\System32\ktsfwxW.exe
  2⤵
  PID:6148
- C:\Windows\System32\zsNHdrd.exe
  C:\Windows\System32\zsNHdrd.exe
  2⤵
  PID:6240
- C:\Windows\System32\frFUVFN.exe
  C:\Windows\System32\frFUVFN.exe
  2⤵
  PID:6296
- C:\Windows\System32\DTvUSjZ.exe
  C:\Windows\System32\DTvUSjZ.exe
  2⤵
  PID:6360
- C:\Windows\System32\pcHKVjY.exe
  C:\Windows\System32\pcHKVjY.exe
  2⤵
  PID:6400
- C:\Windows\System32\NfhYISi.exe
  C:\Windows\System32\NfhYISi.exe
  2⤵
  PID:6520
- C:\Windows\System32\nYwzNBG.exe
  C:\Windows\System32\nYwzNBG.exe
  2⤵
  PID:6540
- C:\Windows\System32\lQSxSDH.exe
  C:\Windows\System32\lQSxSDH.exe
  2⤵
  PID:6596
- C:\Windows\System32\eBHYKEp.exe
  C:\Windows\System32\eBHYKEp.exe
  2⤵
  PID:6704
- C:\Windows\System32\HIsbTPc.exe
  C:\Windows\System32\HIsbTPc.exe
  2⤵
  PID:6708
- C:\Windows\System32\qnxUASb.exe
  C:\Windows\System32\qnxUASb.exe
  2⤵
  PID:6828
- C:\Windows\System32\fMSlRTu.exe
  C:\Windows\System32\fMSlRTu.exe
  2⤵
  PID:6852
- C:\Windows\System32\cIzMsvA.exe
  C:\Windows\System32\cIzMsvA.exe
  2⤵
  PID:6956
- C:\Windows\System32\qbwDyXr.exe
  C:\Windows\System32\qbwDyXr.exe
  2⤵
  PID:6996
- C:\Windows\System32\CDdUChm.exe
  C:\Windows\System32\CDdUChm.exe
  2⤵
  PID:7040
- C:\Windows\System32\zMTtgfr.exe
  C:\Windows\System32\zMTtgfr.exe
  2⤵
  PID:7108
- C:\Windows\System32\FTklcPd.exe
  C:\Windows\System32\FTklcPd.exe
  2⤵
  PID:7156
- C:\Windows\System32\HapUrMT.exe
  C:\Windows\System32\HapUrMT.exe
  2⤵
  PID:5852
- C:\Windows\System32\feoxrBC.exe
  C:\Windows\System32\feoxrBC.exe
  2⤵
  PID:6184
- C:\Windows\System32\CCpEEFo.exe
  C:\Windows\System32\CCpEEFo.exe
  2⤵
  PID:6396
- C:\Windows\System32\rTZXBpz.exe
  C:\Windows\System32\rTZXBpz.exe
  2⤵
  PID:6464
- C:\Windows\System32\smkkkmy.exe
  C:\Windows\System32\smkkkmy.exe
  2⤵
  PID:6660
- C:\Windows\System32\vIhSkut.exe
  C:\Windows\System32\vIhSkut.exe
  2⤵
  PID:6820
- C:\Windows\System32\gqIzQwn.exe
  C:\Windows\System32\gqIzQwn.exe
  2⤵
  PID:6940
- C:\Windows\System32\wLHiFdH.exe
  C:\Windows\System32\wLHiFdH.exe
  2⤵
  PID:3728
- C:\Windows\System32\PCIAkNo.exe
  C:\Windows\System32\PCIAkNo.exe
  2⤵
  PID:7164
- C:\Windows\System32\oZfpWLf.exe
  C:\Windows\System32\oZfpWLf.exe
  2⤵
  PID:7192
- C:\Windows\System32\KoCjFJD.exe
  C:\Windows\System32\KoCjFJD.exe
  2⤵
  PID:7232
- C:\Windows\System32\hsYEwZU.exe
  C:\Windows\System32\hsYEwZU.exe
  2⤵
  PID:7248
- C:\Windows\System32\ethCGnc.exe
  C:\Windows\System32\ethCGnc.exe
  2⤵
  PID:7276
- C:\Windows\System32\eCjrure.exe
  C:\Windows\System32\eCjrure.exe
  2⤵
  PID:7304
- C:\Windows\System32\mXyFMDO.exe
  C:\Windows\System32\mXyFMDO.exe
  2⤵
  PID:7344
- C:\Windows\System32\JKOyPVd.exe
  C:\Windows\System32\JKOyPVd.exe
  2⤵
  PID:7360
- C:\Windows\System32\OayxKgq.exe
  C:\Windows\System32\OayxKgq.exe
  2⤵
  PID:7388
- C:\Windows\System32\eeqhlIV.exe
  C:\Windows\System32\eeqhlIV.exe
  2⤵
  PID:7428
- C:\Windows\System32\LDXulca.exe
  C:\Windows\System32\LDXulca.exe
  2⤵
  PID:7444
- C:\Windows\System32\SqKniVh.exe
  C:\Windows\System32\SqKniVh.exe
  2⤵
  PID:7472
- C:\Windows\System32\CXSbXgZ.exe
  C:\Windows\System32\CXSbXgZ.exe
  2⤵
  PID:7500
- C:\Windows\System32\LNQUJyM.exe
  C:\Windows\System32\LNQUJyM.exe
  2⤵
  PID:7540
- C:\Windows\System32\LTCqtQw.exe
  C:\Windows\System32\LTCqtQw.exe
  2⤵
  PID:7568
- C:\Windows\System32\wIaVJqF.exe
  C:\Windows\System32\wIaVJqF.exe
  2⤵
  PID:7584
- C:\Windows\System32\qDphNcX.exe
  C:\Windows\System32\qDphNcX.exe
  2⤵
  PID:7624
- C:\Windows\System32\cSMsHRd.exe
  C:\Windows\System32\cSMsHRd.exe
  2⤵
  PID:7640
- C:\Windows\System32\tJiaRqe.exe
  C:\Windows\System32\tJiaRqe.exe
  2⤵
  PID:7668
- C:\Windows\System32\ZwbVHSs.exe
  C:\Windows\System32\ZwbVHSs.exe
  2⤵
  PID:7708
- C:\Windows\System32\LEgoNXa.exe
  C:\Windows\System32\LEgoNXa.exe
  2⤵
  PID:7736
- C:\Windows\System32\idKknuD.exe
  C:\Windows\System32\idKknuD.exe
  2⤵
  PID:7752
- C:\Windows\System32\ksjbSwf.exe
  C:\Windows\System32\ksjbSwf.exe
  2⤵
  PID:7792
- C:\Windows\System32\eNPVSmy.exe
  C:\Windows\System32\eNPVSmy.exe
  2⤵
  PID:7808
- C:\Windows\System32\tEbmeom.exe
  C:\Windows\System32\tEbmeom.exe
  2⤵
  PID:7836
- C:\Windows\System32\VvqwJvs.exe
  C:\Windows\System32\VvqwJvs.exe
  2⤵
  PID:7864
- C:\Windows\System32\gqsublJ.exe
  C:\Windows\System32\gqsublJ.exe
  2⤵
  PID:7904
- C:\Windows\System32\fVzfKOf.exe
  C:\Windows\System32\fVzfKOf.exe
  2⤵
  PID:7920
- C:\Windows\System32\JuijWus.exe
  C:\Windows\System32\JuijWus.exe
  2⤵
  PID:7960
- C:\Windows\System32\vzPfqvv.exe
  C:\Windows\System32\vzPfqvv.exe
  2⤵
  PID:7976
- C:\Windows\System32\jsLiyuV.exe
  C:\Windows\System32\jsLiyuV.exe
  2⤵
  PID:8016
- C:\Windows\System32\bhlBRqi.exe
  C:\Windows\System32\bhlBRqi.exe
  2⤵
  PID:8044
- C:\Windows\System32\kQbYQjT.exe
  C:\Windows\System32\kQbYQjT.exe
  2⤵
  PID:8060
- C:\Windows\System32\Hwfdicf.exe
  C:\Windows\System32\Hwfdicf.exe
  2⤵
  PID:8088
- C:\Windows\System32\AWvPAva.exe
  C:\Windows\System32\AWvPAva.exe
  2⤵
  PID:8116
- C:\Windows\System32\KnDOGEs.exe
  C:\Windows\System32\KnDOGEs.exe
  2⤵
  PID:8156
- C:\Windows\System32\RmFfbpJ.exe
  C:\Windows\System32\RmFfbpJ.exe
  2⤵
  PID:8172
- C:\Windows\System32\QbtkDVJ.exe
  C:\Windows\System32\QbtkDVJ.exe
  2⤵
  PID:6256
- C:\Windows\System32\wdYRjlN.exe
  C:\Windows\System32\wdYRjlN.exe
  2⤵
  PID:3416
- C:\Windows\System32\oohbLWj.exe
  C:\Windows\System32\oohbLWj.exe
  2⤵
  PID:4076
- C:\Windows\System32\PufEIkx.exe
  C:\Windows\System32\PufEIkx.exe
  2⤵
  PID:7096
- C:\Windows\System32\ExqWzqu.exe
  C:\Windows\System32\ExqWzqu.exe
  2⤵
  PID:7204
- C:\Windows\System32\JnvYvGV.exe
  C:\Windows\System32\JnvYvGV.exe
  2⤵
  PID:7244
- C:\Windows\System32\twWtdvt.exe
  C:\Windows\System32\twWtdvt.exe
  2⤵
  PID:7300
- C:\Windows\System32\oEazOnC.exe
  C:\Windows\System32\oEazOnC.exe
  2⤵
  PID:7384
- C:\Windows\System32\nbGOvoD.exe
  C:\Windows\System32\nbGOvoD.exe
  2⤵
  PID:7404
- C:\Windows\System32\tnHNCHd.exe
  C:\Windows\System32\tnHNCHd.exe
  2⤵
  PID:7580
- C:\Windows\System32\cmgwdwD.exe
  C:\Windows\System32\cmgwdwD.exe
  2⤵
  PID:7632
- C:\Windows\System32\cmbIQVe.exe
  C:\Windows\System32\cmbIQVe.exe
  2⤵
  PID:3504
- C:\Windows\System32\shvAbxN.exe
  C:\Windows\System32\shvAbxN.exe
  2⤵
  PID:1560
- C:\Windows\System32\msYDPcg.exe
  C:\Windows\System32\msYDPcg.exe
  2⤵
  PID:7804
- C:\Windows\System32\srIbThC.exe
  C:\Windows\System32\srIbThC.exe
  2⤵
  PID:7860
- C:\Windows\System32\GqZfEMt.exe
  C:\Windows\System32\GqZfEMt.exe
  2⤵
  PID:7968
- C:\Windows\System32\TpBgftd.exe
  C:\Windows\System32\TpBgftd.exe
  2⤵
  PID:8028
- C:\Windows\System32\LggjCRL.exe
  C:\Windows\System32\LggjCRL.exe
  2⤵
  PID:8072
- C:\Windows\System32\PCpafYk.exe
  C:\Windows\System32\PCpafYk.exe
  2⤵
  PID:8140
- C:\Windows\System32\GsoWHUC.exe
  C:\Windows\System32\GsoWHUC.exe
  2⤵
  PID:8188
- C:\Windows\System32\uxBsNbx.exe
  C:\Windows\System32\uxBsNbx.exe
  2⤵
  PID:3108
- C:\Windows\System32\BZIsMry.exe
  C:\Windows\System32\BZIsMry.exe
  2⤵
  PID:3292
- C:\Windows\System32\NpdtlUm.exe
  C:\Windows\System32\NpdtlUm.exe
  2⤵
  PID:7180
- C:\Windows\System32\esFOutW.exe
  C:\Windows\System32\esFOutW.exe
  2⤵
  PID:4832
- C:\Windows\System32\RZicgjP.exe
  C:\Windows\System32\RZicgjP.exe
  2⤵
  PID:7320
- C:\Windows\System32\jYWMNHR.exe
  C:\Windows\System32\jYWMNHR.exe
  2⤵
  PID:2680
- C:\Windows\System32\OGQjXqq.exe
  C:\Windows\System32\OGQjXqq.exe
  2⤵
  PID:1940
- C:\Windows\System32\nUxbYkL.exe
  C:\Windows\System32\nUxbYkL.exe
  2⤵
  PID:3324
- C:\Windows\System32\JsZMTgQ.exe
  C:\Windows\System32\JsZMTgQ.exe
  2⤵
  PID:3748
- C:\Windows\System32\daVNgoN.exe
  C:\Windows\System32\daVNgoN.exe
  2⤵
  PID:4972
- C:\Windows\System32\eOUKWcY.exe
  C:\Windows\System32\eOUKWcY.exe
  2⤵
  PID:4016
- C:\Windows\System32\pqXpOjO.exe
  C:\Windows\System32\pqXpOjO.exe
  2⤵
  PID:8052
- C:\Windows\System32\JbHeSeQ.exe
  C:\Windows\System32\JbHeSeQ.exe
  2⤵
  PID:912
- C:\Windows\System32\vhETiFB.exe
  C:\Windows\System32\vhETiFB.exe
  2⤵
  PID:4852
- C:\Windows\System32\qcBPIts.exe
  C:\Windows\System32\qcBPIts.exe
  2⤵
  PID:2984
- C:\Windows\System32\tJkmtWf.exe
  C:\Windows\System32\tJkmtWf.exe
  2⤵
  PID:4456
- C:\Windows\System32\DHFvZcw.exe
  C:\Windows\System32\DHFvZcw.exe
  2⤵
  PID:2376
- C:\Windows\System32\YfnAGoD.exe
  C:\Windows\System32\YfnAGoD.exe
  2⤵
  PID:7776
- C:\Windows\System32\YlQsQVM.exe
  C:\Windows\System32\YlQsQVM.exe
  2⤵
  PID:6716
- C:\Windows\System32\rtWxgba.exe
  C:\Windows\System32\rtWxgba.exe
  2⤵
  PID:7068
- C:\Windows\System32\TeOLvWa.exe
  C:\Windows\System32\TeOLvWa.exe
  2⤵
  PID:7512
- C:\Windows\System32\vTOyJSH.exe
  C:\Windows\System32\vTOyJSH.exe
  2⤵
  PID:8220
- C:\Windows\System32\NkfcoXz.exe
  C:\Windows\System32\NkfcoXz.exe
  2⤵
  PID:8236
- C:\Windows\System32\UoOLJqx.exe
  C:\Windows\System32\UoOLJqx.exe
  2⤵
  PID:8276
- C:\Windows\System32\BspjzmP.exe
  C:\Windows\System32\BspjzmP.exe
  2⤵
  PID:8304
- C:\Windows\System32\JTYdQKT.exe
  C:\Windows\System32\JTYdQKT.exe
  2⤵
  PID:8332
- C:\Windows\System32\pRsAyiw.exe
  C:\Windows\System32\pRsAyiw.exe
  2⤵
  PID:8348
- C:\Windows\System32\vZGYUru.exe
  C:\Windows\System32\vZGYUru.exe
  2⤵
  PID:8388
- C:\Windows\System32\EbHiCfx.exe
  C:\Windows\System32\EbHiCfx.exe
  2⤵
  PID:8404
- C:\Windows\System32\JTiDPTi.exe
  C:\Windows\System32\JTiDPTi.exe
  2⤵
  PID:8432
- C:\Windows\System32\RXFcqmn.exe
  C:\Windows\System32\RXFcqmn.exe
  2⤵
  PID:8460
- C:\Windows\System32\TvSwiif.exe
  C:\Windows\System32\TvSwiif.exe
  2⤵
  PID:8488
- C:\Windows\System32\IvczGIZ.exe
  C:\Windows\System32\IvczGIZ.exe
  2⤵
  PID:8516
- C:\Windows\System32\phCFGJC.exe
  C:\Windows\System32\phCFGJC.exe
  2⤵
  PID:8544
- C:\Windows\System32\PrRzsFp.exe
  C:\Windows\System32\PrRzsFp.exe
  2⤵
  PID:8584
- C:\Windows\System32\ZgCMgKr.exe
  C:\Windows\System32\ZgCMgKr.exe
  2⤵
  PID:8612
- C:\Windows\System32\UdQlDSW.exe
  C:\Windows\System32\UdQlDSW.exe
  2⤵
  PID:8628
- C:\Windows\System32\ZghXQYL.exe
  C:\Windows\System32\ZghXQYL.exe
  2⤵
  PID:8668
- C:\Windows\System32\gxgYvgh.exe
  C:\Windows\System32\gxgYvgh.exe
  2⤵
  PID:8696
- C:\Windows\System32\SCmpHLN.exe
  C:\Windows\System32\SCmpHLN.exe
  2⤵
  PID:8712
- C:\Windows\System32\DbJypys.exe
  C:\Windows\System32\DbJypys.exe
  2⤵
  PID:8740
- C:\Windows\System32\EebhViP.exe
  C:\Windows\System32\EebhViP.exe
  2⤵
  PID:8768
- C:\Windows\System32\PtrYteB.exe
  C:\Windows\System32\PtrYteB.exe
  2⤵
  PID:8808
- C:\Windows\System32\lldrEYJ.exe
  C:\Windows\System32\lldrEYJ.exe
  2⤵
  PID:8836
- C:\Windows\System32\xDixbMC.exe
  C:\Windows\System32\xDixbMC.exe
  2⤵
  PID:8864
- C:\Windows\System32\DvXYRou.exe
  C:\Windows\System32\DvXYRou.exe
  2⤵
  PID:8884
- C:\Windows\System32\ysNhxuo.exe
  C:\Windows\System32\ysNhxuo.exe
  2⤵
  PID:8932
- C:\Windows\System32\WXpsjYT.exe
  C:\Windows\System32\WXpsjYT.exe
  2⤵
  PID:8960
- C:\Windows\System32\bIahBia.exe
  C:\Windows\System32\bIahBia.exe
  2⤵
  PID:8976
- C:\Windows\System32\oLqmUTO.exe
  C:\Windows\System32\oLqmUTO.exe
  2⤵
  PID:9020
- C:\Windows\System32\tSObdnb.exe
  C:\Windows\System32\tSObdnb.exe
  2⤵
  PID:9044
- C:\Windows\System32\oKRVTjL.exe
  C:\Windows\System32\oKRVTjL.exe
  2⤵
  PID:9060
- C:\Windows\System32\zVYxteS.exe
  C:\Windows\System32\zVYxteS.exe
  2⤵
  PID:9076
- C:\Windows\System32\UcApjzV.exe
  C:\Windows\System32\UcApjzV.exe
  2⤵
  PID:9128
- C:\Windows\System32\jrICvnt.exe
  C:\Windows\System32\jrICvnt.exe
  2⤵
  PID:9156
- C:\Windows\System32\furEnrD.exe
  C:\Windows\System32\furEnrD.exe
  2⤵
  PID:9172
- C:\Windows\System32\kbHqCTP.exe
  C:\Windows\System32\kbHqCTP.exe
  2⤵
  PID:9212
- C:\Windows\System32\DUrfYsT.exe
  C:\Windows\System32\DUrfYsT.exe
  2⤵
  PID:7272
- C:\Windows\System32\wdtBirj.exe
  C:\Windows\System32\wdtBirj.exe
  2⤵
  PID:8232
- C:\Windows\System32\DhIMNQP.exe
  C:\Windows\System32\DhIMNQP.exe
  2⤵
  PID:8252
- C:\Windows\System32\jjYjUOv.exe
  C:\Windows\System32\jjYjUOv.exe
  2⤵
  PID:8360
- C:\Windows\System32\OmuomNx.exe
  C:\Windows\System32\OmuomNx.exe
  2⤵
  PID:8448
- C:\Windows\System32\GegBksf.exe
  C:\Windows\System32\GegBksf.exe
  2⤵
  PID:8500
- C:\Windows\System32\cMLILJU.exe
  C:\Windows\System32\cMLILJU.exe
  2⤵
  PID:8576
- C:\Windows\System32\FDwVHzH.exe
  C:\Windows\System32\FDwVHzH.exe
  2⤵
  PID:8620
- C:\Windows\System32\QwmaLcL.exe
  C:\Windows\System32\QwmaLcL.exe
  2⤵
  PID:8680
- C:\Windows\System32\GeskeIy.exe
  C:\Windows\System32\GeskeIy.exe
  2⤵
  PID:8728
- C:\Windows\System32\QTdRUyh.exe
  C:\Windows\System32\QTdRUyh.exe
  2⤵
  PID:8780
- C:\Windows\System32\JozCaoY.exe
  C:\Windows\System32\JozCaoY.exe
  2⤵
  PID:8848
- C:\Windows\System32\pRABbgw.exe
  C:\Windows\System32\pRABbgw.exe
  2⤵
  PID:8908
- C:\Windows\System32\ZzGdcAJ.exe
  C:\Windows\System32\ZzGdcAJ.exe
  2⤵
  PID:3944
- C:\Windows\System32\iNaOZcV.exe
  C:\Windows\System32\iNaOZcV.exe
  2⤵
  PID:5000
- C:\Windows\System32\jsCMGHd.exe
  C:\Windows\System32\jsCMGHd.exe
  2⤵
  PID:8988
- C:\Windows\System32\VIisHOs.exe
  C:\Windows\System32\VIisHOs.exe
  2⤵
  PID:9068
- C:\Windows\System32\vBMkBpb.exe
  C:\Windows\System32\vBMkBpb.exe
  2⤵
  PID:9152
- C:\Windows\System32\NzkOBRg.exe
  C:\Windows\System32\NzkOBRg.exe
  2⤵
  PID:9196
- C:\Windows\System32\PzyNQWU.exe
  C:\Windows\System32\PzyNQWU.exe
  2⤵
  PID:8260
- C:\Windows\System32\gCqpyou.exe
  C:\Windows\System32\gCqpyou.exe
  2⤵
  PID:8400
- C:\Windows\System32\lKeOrMP.exe
  C:\Windows\System32\lKeOrMP.exe
  2⤵
  PID:8532
- C:\Windows\System32\AvWyNiq.exe
  C:\Windows\System32\AvWyNiq.exe
  2⤵
  PID:7784
- C:\Windows\System32\aApXtXS.exe
  C:\Windows\System32\aApXtXS.exe
  2⤵
  PID:8828
- C:\Windows\System32\OExcKvb.exe
  C:\Windows\System32\OExcKvb.exe
  2⤵
  PID:4724
- C:\Windows\System32\dvBADyx.exe
  C:\Windows\System32\dvBADyx.exe
  2⤵
  PID:9120
- C:\Windows\System32\OnshBAP.exe
  C:\Windows\System32\OnshBAP.exe
  2⤵
  PID:9164
- C:\Windows\System32\nZcSxIO.exe
  C:\Windows\System32\nZcSxIO.exe
  2⤵
  PID:8364
- C:\Windows\System32\idLiXVQ.exe
  C:\Windows\System32\idLiXVQ.exe
  2⤵
  PID:5012
- C:\Windows\System32\mWGpuwZ.exe
  C:\Windows\System32\mWGpuwZ.exe
  2⤵
  PID:8876
- C:\Windows\System32\FQIuidh.exe
  C:\Windows\System32\FQIuidh.exe
  2⤵
  PID:9184
- C:\Windows\System32\rfYbNVh.exe
  C:\Windows\System32\rfYbNVh.exe
  2⤵
  PID:9228
- C:\Windows\System32\mJpFDBj.exe
  C:\Windows\System32\mJpFDBj.exe
  2⤵
  PID:9268
- C:\Windows\System32\VcxHjXK.exe
  C:\Windows\System32\VcxHjXK.exe
  2⤵
  PID:9316
- C:\Windows\System32\BCyOnqu.exe
  C:\Windows\System32\BCyOnqu.exe
  2⤵
  PID:9332
- C:\Windows\System32\igUzmAe.exe
  C:\Windows\System32\igUzmAe.exe
  2⤵
  PID:9360
- C:\Windows\System32\RRqKSDX.exe
  C:\Windows\System32\RRqKSDX.exe
  2⤵
  PID:9380
- C:\Windows\System32\cRKkBOg.exe
  C:\Windows\System32\cRKkBOg.exe
  2⤵
  PID:9420
- C:\Windows\System32\tFdFvit.exe
  C:\Windows\System32\tFdFvit.exe
  2⤵
  PID:9456
- C:\Windows\System32\whUFtgJ.exe
  C:\Windows\System32\whUFtgJ.exe
  2⤵
  PID:9484
- C:\Windows\System32\nRzpFPM.exe
  C:\Windows\System32\nRzpFPM.exe
  2⤵
  PID:9512
- C:\Windows\System32\iTnLrlR.exe
  C:\Windows\System32\iTnLrlR.exe
  2⤵
  PID:9540
- C:\Windows\System32\SEpyZNn.exe
  C:\Windows\System32\SEpyZNn.exe
  2⤵
  PID:9556
- C:\Windows\System32\UqFbJhA.exe
  C:\Windows\System32\UqFbJhA.exe
  2⤵
  PID:9580
- C:\Windows\System32\mSLIKDU.exe
  C:\Windows\System32\mSLIKDU.exe
  2⤵
  PID:9632
- C:\Windows\System32\RSKVPwx.exe
  C:\Windows\System32\RSKVPwx.exe
  2⤵
  PID:9664
- C:\Windows\System32\ryupiHp.exe
  C:\Windows\System32\ryupiHp.exe
  2⤵
  PID:9692
- C:\Windows\System32\TbQxkHm.exe
  C:\Windows\System32\TbQxkHm.exe
  2⤵
  PID:9708
- C:\Windows\System32\kTBVurP.exe
  C:\Windows\System32\kTBVurP.exe
  2⤵
  PID:9768
- C:\Windows\System32\bqLlgNl.exe
  C:\Windows\System32\bqLlgNl.exe
  2⤵
  PID:9788
- C:\Windows\System32\yVSoIRZ.exe
  C:\Windows\System32\yVSoIRZ.exe
  2⤵
  PID:9816
- C:\Windows\System32\sTHOLcR.exe
  C:\Windows\System32\sTHOLcR.exe
  2⤵
  PID:9848
- C:\Windows\System32\BvTsrDe.exe
  C:\Windows\System32\BvTsrDe.exe
  2⤵
  PID:9884
- C:\Windows\System32\NNLRqMN.exe
  C:\Windows\System32\NNLRqMN.exe
  2⤵
  PID:9912
- C:\Windows\System32\QKDwzGM.exe
  C:\Windows\System32\QKDwzGM.exe
  2⤵
  PID:9940
- C:\Windows\System32\OPrGmAz.exe
  C:\Windows\System32\OPrGmAz.exe
  2⤵
  PID:9956
- C:\Windows\System32\JJUJrTb.exe
  C:\Windows\System32\JJUJrTb.exe
  2⤵
  PID:9996
- C:\Windows\System32\IHONCYH.exe
  C:\Windows\System32\IHONCYH.exe
  2⤵
  PID:10024
- C:\Windows\System32\loPLnZM.exe
  C:\Windows\System32\loPLnZM.exe
  2⤵
  PID:10052
- C:\Windows\System32\aJbMoCL.exe
  C:\Windows\System32\aJbMoCL.exe
  2⤵
  PID:10084
- C:\Windows\System32\XMBUVrT.exe
  C:\Windows\System32\XMBUVrT.exe
  2⤵
  PID:10128
- C:\Windows\System32\zdahApD.exe
  C:\Windows\System32\zdahApD.exe
  2⤵
  PID:10148
- C:\Windows\System32\KVeYjPK.exe
  C:\Windows\System32\KVeYjPK.exe
  2⤵
  PID:10164
- C:\Windows\System32\FexlHXW.exe
  C:\Windows\System32\FexlHXW.exe
  2⤵
  PID:10192
- C:\Windows\System32\VhdAByJ.exe
  C:\Windows\System32\VhdAByJ.exe
  2⤵
  PID:10232
- C:\Windows\System32\vmiwbaW.exe
  C:\Windows\System32\vmiwbaW.exe
  2⤵
  PID:9308
- C:\Windows\System32\lhRrtiR.exe
  C:\Windows\System32\lhRrtiR.exe
  2⤵
  PID:9368
- C:\Windows\System32\ajkirfC.exe
  C:\Windows\System32\ajkirfC.exe
  2⤵
  PID:9404
- C:\Windows\System32\snbWTxt.exe
  C:\Windows\System32\snbWTxt.exe
  2⤵
  PID:9496
- C:\Windows\System32\ffmGxnu.exe
  C:\Windows\System32\ffmGxnu.exe
  2⤵
  PID:9548
- C:\Windows\System32\xTigVno.exe
  C:\Windows\System32\xTigVno.exe
  2⤵
  PID:9628
- C:\Windows\System32\iHxTEmG.exe
  C:\Windows\System32\iHxTEmG.exe
  2⤵
  PID:9700
- C:\Windows\System32\FlVdtEV.exe
  C:\Windows\System32\FlVdtEV.exe
  2⤵
  PID:9736
- C:\Windows\System32\nKEKrQB.exe
  C:\Windows\System32\nKEKrQB.exe
  2⤵
  PID:9840
- C:\Windows\System32\EqeXVbF.exe
  C:\Windows\System32\EqeXVbF.exe
  2⤵
  PID:9876
- C:\Windows\System32\ZeYosVG.exe
  C:\Windows\System32\ZeYosVG.exe
  2⤵
  PID:9924
- C:\Windows\System32\WlSGGJu.exe
  C:\Windows\System32\WlSGGJu.exe
  2⤵
  PID:10040
- C:\Windows\System32\RQLVImg.exe
  C:\Windows\System32\RQLVImg.exe
  2⤵
  PID:10124
- C:\Windows\System32\IxsUfMM.exe
  C:\Windows\System32\IxsUfMM.exe
  2⤵
  PID:10156
- C:\Windows\System32\qwEVIJn.exe
  C:\Windows\System32\qwEVIJn.exe
  2⤵
  PID:9240
- C:\Windows\System32\iHBxxzW.exe
  C:\Windows\System32\iHBxxzW.exe
  2⤵
  PID:9356
- C:\Windows\System32\fgMNeiz.exe
  C:\Windows\System32\fgMNeiz.exe
  2⤵
  PID:9508
- C:\Windows\System32\zNbILxG.exe
  C:\Windows\System32\zNbILxG.exe
  2⤵
  PID:9652
- C:\Windows\System32\oKuYrXm.exe
  C:\Windows\System32\oKuYrXm.exe
  2⤵
  PID:9880
- C:\Windows\System32\sefuLzU.exe
  C:\Windows\System32\sefuLzU.exe
  2⤵
  PID:10020
- C:\Windows\System32\wlNKCdy.exe
  C:\Windows\System32\wlNKCdy.exe
  2⤵
  PID:10224
- C:\Windows\System32\CIEOutw.exe
  C:\Windows\System32\CIEOutw.exe
  2⤵
  PID:9448
- C:\Windows\System32\KxkRnZV.exe
  C:\Windows\System32\KxkRnZV.exe
  2⤵
  PID:9864
- C:\Windows\System32\NFCuFIQ.exe
  C:\Windows\System32\NFCuFIQ.exe
  2⤵
  PID:9220
- C:\Windows\System32\lUTsHDp.exe
  C:\Windows\System32\lUTsHDp.exe
  2⤵
  PID:10144
- C:\Windows\System32\ONBTIcc.exe
  C:\Windows\System32\ONBTIcc.exe
  2⤵
  PID:9992
- C:\Windows\System32\FXnYtpw.exe
  C:\Windows\System32\FXnYtpw.exe
  2⤵
  PID:10272
- C:\Windows\System32\HvYJVkz.exe
  C:\Windows\System32\HvYJVkz.exe
  2⤵
  PID:10308
- C:\Windows\System32\sUTjSrw.exe
  C:\Windows\System32\sUTjSrw.exe
  2⤵
  PID:10328
- C:\Windows\System32\ZOJsJNO.exe
  C:\Windows\System32\ZOJsJNO.exe
  2⤵
  PID:10356
- C:\Windows\System32\fyNpKak.exe
  C:\Windows\System32\fyNpKak.exe
  2⤵
  PID:10384
- C:\Windows\System32\oRoItiQ.exe
  C:\Windows\System32\oRoItiQ.exe
  2⤵
  PID:10412
- C:\Windows\System32\vPrtMsG.exe
  C:\Windows\System32\vPrtMsG.exe
  2⤵
  PID:10444
- C:\Windows\System32\kgACdrW.exe
  C:\Windows\System32\kgACdrW.exe
  2⤵
  PID:10472
- C:\Windows\System32\zzSQTVo.exe
  C:\Windows\System32\zzSQTVo.exe
  2⤵
  PID:10500
- C:\Windows\System32\ZlyeBjL.exe
  C:\Windows\System32\ZlyeBjL.exe
  2⤵
  PID:10528
- C:\Windows\System32\BYchooB.exe
  C:\Windows\System32\BYchooB.exe
  2⤵
  PID:10556
- C:\Windows\System32\ZiUyJtK.exe
  C:\Windows\System32\ZiUyJtK.exe
  2⤵
  PID:10592
- C:\Windows\System32\iSmcvOy.exe
  C:\Windows\System32\iSmcvOy.exe
  2⤵
  PID:10632
- C:\Windows\System32\amGIrcq.exe
  C:\Windows\System32\amGIrcq.exe
  2⤵
  PID:10656
- C:\Windows\System32\cTZLzxT.exe
  C:\Windows\System32\cTZLzxT.exe
  2⤵
  PID:10700
- C:\Windows\System32\pnqOKLD.exe
  C:\Windows\System32\pnqOKLD.exe
  2⤵
  PID:10736
- C:\Windows\System32\otnMoBr.exe
  C:\Windows\System32\otnMoBr.exe
  2⤵
  PID:10768
- C:\Windows\System32\XnhkWqL.exe
  C:\Windows\System32\XnhkWqL.exe
  2⤵
  PID:10792
- C:\Windows\System32\gzlgbSE.exe
  C:\Windows\System32\gzlgbSE.exe
  2⤵
  PID:10824
- C:\Windows\System32\SxBVvsg.exe
  C:\Windows\System32\SxBVvsg.exe
  2⤵
  PID:10852
- C:\Windows\System32\RYeBmuL.exe
  C:\Windows\System32\RYeBmuL.exe
  2⤵
  PID:10908
- C:\Windows\System32\ChGfJTc.exe
  C:\Windows\System32\ChGfJTc.exe
  2⤵
  PID:10928
- C:\Windows\System32\aSXSpEO.exe
  C:\Windows\System32\aSXSpEO.exe
  2⤵
  PID:10956
- C:\Windows\System32\YBOvgZZ.exe
  C:\Windows\System32\YBOvgZZ.exe
  2⤵
  PID:10984
- C:\Windows\System32\aRRrZJK.exe
  C:\Windows\System32\aRRrZJK.exe
  2⤵
  PID:11000
- C:\Windows\System32\XCTLzeM.exe
  C:\Windows\System32\XCTLzeM.exe
  2⤵
  PID:11048
- C:\Windows\System32\RezSSdO.exe
  C:\Windows\System32\RezSSdO.exe
  2⤵
  PID:11100
- C:\Windows\System32\SERMpgu.exe
  C:\Windows\System32\SERMpgu.exe
  2⤵
  PID:11132
- C:\Windows\System32\vfnoDBk.exe
  C:\Windows\System32\vfnoDBk.exe
  2⤵
  PID:11160
- C:\Windows\System32\HWPVaOI.exe
  C:\Windows\System32\HWPVaOI.exe
  2⤵
  PID:11188
- C:\Windows\System32\mzaXBim.exe
  C:\Windows\System32\mzaXBim.exe
  2⤵
  PID:11216
- C:\Windows\System32\czewWTl.exe
  C:\Windows\System32\czewWTl.exe
  2⤵
  PID:11244
- C:\Windows\System32\YcVqpaa.exe
  C:\Windows\System32\YcVqpaa.exe
  2⤵
  PID:10244
- C:\Windows\System32\kKCAoFg.exe
  C:\Windows\System32\kKCAoFg.exe
  2⤵
  PID:10320
- C:\Windows\System32\EPSihtq.exe
  C:\Windows\System32\EPSihtq.exe
  2⤵
  PID:10352
- C:\Windows\System32\DHygIrv.exe
  C:\Windows\System32\DHygIrv.exe
  2⤵
  PID:10456
- C:\Windows\System32\OWRusyQ.exe
  C:\Windows\System32\OWRusyQ.exe
  2⤵
  PID:10520
- C:\Windows\System32\EnNPcKc.exe
  C:\Windows\System32\EnNPcKc.exe
  2⤵
  PID:10608
- C:\Windows\System32\BGbORZj.exe
  C:\Windows\System32\BGbORZj.exe
  2⤵
  PID:10684
- C:\Windows\System32\AJgHtmf.exe
  C:\Windows\System32\AJgHtmf.exe
  2⤵
  PID:10752
- C:\Windows\System32\UNTMzFw.exe
  C:\Windows\System32\UNTMzFw.exe
  2⤵
  PID:10836
- C:\Windows\System32\RjluBKs.exe
  C:\Windows\System32\RjluBKs.exe
  2⤵
  PID:10864
- C:\Windows\System32\UMFpNNV.exe
  C:\Windows\System32\UMFpNNV.exe
  2⤵
  PID:10920
- C:\Windows\System32\pBhVLhV.exe
  C:\Windows\System32\pBhVLhV.exe
  2⤵
  PID:10992
- C:\Windows\System32\EfwvsQV.exe
  C:\Windows\System32\EfwvsQV.exe
  2⤵
  PID:11112
- C:\Windows\System32\TCTyjCb.exe
  C:\Windows\System32\TCTyjCb.exe
  2⤵
  PID:11184
- C:\Windows\System32\apMbOZL.exe
  C:\Windows\System32\apMbOZL.exe
  2⤵
  PID:11256
- C:\Windows\System32\BDSaBdV.exe
  C:\Windows\System32\BDSaBdV.exe
  2⤵
  PID:10340
- C:\Windows\System32\EPyNoMj.exe
  C:\Windows\System32\EPyNoMj.exe
  2⤵
  PID:10548
- C:\Windows\System32\WLEuOqy.exe
  C:\Windows\System32\WLEuOqy.exe
  2⤵
  PID:10720
- C:\Windows\System32\ONlqvyA.exe
  C:\Windows\System32\ONlqvyA.exe
  2⤵
  PID:10848
- C:\Windows\System32\KjpSept.exe
  C:\Windows\System32\KjpSept.exe
  2⤵
  PID:10972
- C:\Windows\System32\ytdFyKg.exe
  C:\Windows\System32\ytdFyKg.exe
  2⤵
  PID:11232
- C:\Windows\System32\ULHsWSd.exe
  C:\Windows\System32\ULHsWSd.exe
  2⤵
  PID:10672
- C:\Windows\System32\WNgSjzK.exe
  C:\Windows\System32\WNgSjzK.exe
  2⤵
  PID:10436
- C:\Windows\System32\ywIMURV.exe
  C:\Windows\System32\ywIMURV.exe
  2⤵
  PID:10288
- C:\Windows\System32\snBTTcO.exe
  C:\Windows\System32\snBTTcO.exe
  2⤵
  PID:11268
- C:\Windows\System32\iUpWmTl.exe
  C:\Windows\System32\iUpWmTl.exe
  2⤵
  PID:11288
- C:\Windows\System32\FoiIQFd.exe
  C:\Windows\System32\FoiIQFd.exe
  2⤵
  PID:11304
- C:\Windows\System32\HfuCcyT.exe
  C:\Windows\System32\HfuCcyT.exe
  2⤵
  PID:11344
- C:\Windows\System32\LTJQlZQ.exe
  C:\Windows\System32\LTJQlZQ.exe
  2⤵
  PID:11372
- C:\Windows\System32\BLsGPIt.exe
  C:\Windows\System32\BLsGPIt.exe
  2⤵
  PID:11400
- C:\Windows\System32\JbBbsNH.exe
  C:\Windows\System32\JbBbsNH.exe
  2⤵
  PID:11428
- C:\Windows\System32\HljujSR.exe
  C:\Windows\System32\HljujSR.exe
  2⤵
  PID:11456
- C:\Windows\System32\PfFmmgg.exe
  C:\Windows\System32\PfFmmgg.exe
  2⤵
  PID:11484
- C:\Windows\System32\wSywNXZ.exe
  C:\Windows\System32\wSywNXZ.exe
  2⤵
  PID:11512
- C:\Windows\System32\YHeruFC.exe
  C:\Windows\System32\YHeruFC.exe
  2⤵
  PID:11540
- C:\Windows\System32\UTPawVy.exe
  C:\Windows\System32\UTPawVy.exe
  2⤵
  PID:11568
- C:\Windows\System32\jqltiHK.exe
  C:\Windows\System32\jqltiHK.exe
  2⤵
  PID:11596
- C:\Windows\System32\MhhTSqV.exe
  C:\Windows\System32\MhhTSqV.exe
  2⤵
  PID:11624
- C:\Windows\System32\dDsqfqs.exe
  C:\Windows\System32\dDsqfqs.exe
  2⤵
  PID:11640
- C:\Windows\System32\gjBntjL.exe
  C:\Windows\System32\gjBntjL.exe
  2⤵
  PID:11680
- C:\Windows\System32\mxUUWcd.exe
  C:\Windows\System32\mxUUWcd.exe
  2⤵
  PID:11708
- C:\Windows\System32\vcyQGwk.exe
  C:\Windows\System32\vcyQGwk.exe
  2⤵
  PID:11736
- C:\Windows\System32\TsRlNJC.exe
  C:\Windows\System32\TsRlNJC.exe
  2⤵
  PID:11764
- C:\Windows\System32\BNcucet.exe
  C:\Windows\System32\BNcucet.exe
  2⤵
  PID:11792
- C:\Windows\System32\MRDwZDT.exe
  C:\Windows\System32\MRDwZDT.exe
  2⤵
  PID:11832
- C:\Windows\System32\jXeQszE.exe
  C:\Windows\System32\jXeQszE.exe
  2⤵
  PID:11848
- C:\Windows\System32\CpHyVuE.exe
  C:\Windows\System32\CpHyVuE.exe
  2⤵
  PID:11864
- C:\Windows\System32\wkxwlvP.exe
  C:\Windows\System32\wkxwlvP.exe
  2⤵
  PID:11912
- C:\Windows\System32\mDgBUxR.exe
  C:\Windows\System32\mDgBUxR.exe
  2⤵
  PID:11932
- C:\Windows\System32\PCvEHeY.exe
  C:\Windows\System32\PCvEHeY.exe
  2⤵
  PID:11960
- C:\Windows\System32\olfUpIs.exe
  C:\Windows\System32\olfUpIs.exe
  2⤵
  PID:11992
- C:\Windows\System32\VvxZMhA.exe
  C:\Windows\System32\VvxZMhA.exe
  2⤵
  PID:12008
- C:\Windows\System32\vxunoIl.exe
  C:\Windows\System32\vxunoIl.exe
  2⤵
  PID:12036
- C:\Windows\System32\NXIqsed.exe
  C:\Windows\System32\NXIqsed.exe
  2⤵
  PID:12076
- C:\Windows\System32\ZEfHjoy.exe
  C:\Windows\System32\ZEfHjoy.exe
  2⤵
  PID:12104
- C:\Windows\System32\jGkgiIB.exe
  C:\Windows\System32\jGkgiIB.exe
  2⤵
  PID:12132
- C:\Windows\System32\oVTzfPZ.exe
  C:\Windows\System32\oVTzfPZ.exe
  2⤵
  PID:12176
- C:\Windows\System32\HwDtEmw.exe
  C:\Windows\System32\HwDtEmw.exe
  2⤵
  PID:12220
- C:\Windows\System32\DoqAWUb.exe
  C:\Windows\System32\DoqAWUb.exe
  2⤵
  PID:12256
- C:\Windows\System32\WdczDzm.exe
  C:\Windows\System32\WdczDzm.exe
  2⤵
  PID:12284
- C:\Windows\System32\kntcipd.exe
  C:\Windows\System32\kntcipd.exe
  2⤵
  PID:11316
- C:\Windows\System32\VFEPEHN.exe
  C:\Windows\System32\VFEPEHN.exe
  2⤵
  PID:11368
- C:\Windows\System32\bqmoxgj.exe
  C:\Windows\System32\bqmoxgj.exe
  2⤵
  PID:11448
- C:\Windows\System32\MnUiMOm.exe
  C:\Windows\System32\MnUiMOm.exe
  2⤵
  PID:11508
- C:\Windows\System32\OWXoeLT.exe
  C:\Windows\System32\OWXoeLT.exe
  2⤵
  PID:11580
- C:\Windows\System32\ozDGszO.exe
  C:\Windows\System32\ozDGszO.exe
  2⤵
  PID:11660
- C:\Windows\System32\iCJtMYQ.exe
  C:\Windows\System32\iCJtMYQ.exe
  2⤵
  PID:11724
- C:\Windows\System32\gXRIKnG.exe
  C:\Windows\System32\gXRIKnG.exe
  2⤵
  PID:11800
- C:\Windows\System32\hWTFEgb.exe
  C:\Windows\System32\hWTFEgb.exe
  2⤵
  PID:11876
- C:\Windows\System32\MtTIiNz.exe
  C:\Windows\System32\MtTIiNz.exe
  2⤵
  PID:11928
- C:\Windows\System32\qsBHVVr.exe
  C:\Windows\System32\qsBHVVr.exe
  2⤵
  PID:12004
- C:\Windows\System32\tqGZXyB.exe
  C:\Windows\System32\tqGZXyB.exe
  2⤵
  PID:12068
- C:\Windows\System32\pWLnIkE.exe
  C:\Windows\System32\pWLnIkE.exe
  2⤵
  PID:10708
- C:\Windows\System32\hhXXQXI.exe
  C:\Windows\System32\hhXXQXI.exe
  2⤵
  PID:10884
- C:\Windows\System32\TujhsFg.exe
  C:\Windows\System32\TujhsFg.exe
  2⤵
  PID:11032
- C:\Windows\System32\JRUJHwd.exe
  C:\Windows\System32\JRUJHwd.exe
  2⤵
  PID:12248
- C:\Windows\System32\rIOYjAM.exe
  C:\Windows\System32\rIOYjAM.exe
  2⤵
  PID:11280
- C:\Windows\System32\mLPFbPh.exe
  C:\Windows\System32\mLPFbPh.exe
  2⤵
  PID:11444
- C:\Windows\System32\luAwOii.exe
  C:\Windows\System32\luAwOii.exe
  2⤵
  PID:11616
- C:\Windows\System32\yLMyATu.exe
  C:\Windows\System32\yLMyATu.exe
  2⤵
  PID:11776
- C:\Windows\System32\eqLGdOq.exe
  C:\Windows\System32\eqLGdOq.exe
  2⤵
  PID:11856
- C:\Windows\System32\BsepwEw.exe
  C:\Windows\System32\BsepwEw.exe
  2⤵
  PID:11956
- C:\Windows\System32\FQOaeAc.exe
  C:\Windows\System32\FQOaeAc.exe
  2⤵
  PID:10612
- C:\Windows\System32\OUvnyHx.exe
  C:\Windows\System32\OUvnyHx.exe
  2⤵
  PID:12204
- C:\Windows\System32\QTUtXNS.exe
  C:\Windows\System32\QTUtXNS.exe
  2⤵
  PID:11676
- C:\Windows\System32\IXikywQ.exe
  C:\Windows\System32\IXikywQ.exe
  2⤵
  PID:11924
- C:\Windows\System32\DBhCJKX.exe
  C:\Windows\System32\DBhCJKX.exe
  2⤵
  PID:11276
- C:\Windows\System32\BnPZEzj.exe
  C:\Windows\System32\BnPZEzj.exe
  2⤵
  PID:10488
- C:\Windows\System32\rHllRqM.exe
  C:\Windows\System32\rHllRqM.exe
  2⤵
  PID:12296
- C:\Windows\System32\kFHbZcI.exe
  C:\Windows\System32\kFHbZcI.exe
  2⤵
  PID:12320
- C:\Windows\System32\zciTBkB.exe
  C:\Windows\System32\zciTBkB.exe
  2⤵
  PID:12348
- C:\Windows\System32\LJZhvPB.exe
  C:\Windows\System32\LJZhvPB.exe
  2⤵
  PID:12392
- C:\Windows\System32\iWYJWoL.exe
  C:\Windows\System32\iWYJWoL.exe
  2⤵
  PID:12408
- C:\Windows\System32\zeQXcWC.exe
  C:\Windows\System32\zeQXcWC.exe
  2⤵
  PID:12440
- C:\Windows\System32\bEjOHPq.exe
  C:\Windows\System32\bEjOHPq.exe
  2⤵
  PID:12456
- C:\Windows\System32\JRUXZru.exe
  C:\Windows\System32\JRUXZru.exe
  2⤵
  PID:12500
- C:\Windows\System32\UOQccra.exe
  C:\Windows\System32\UOQccra.exe
  2⤵
  PID:12528
- C:\Windows\System32\QVDDpwU.exe
  C:\Windows\System32\QVDDpwU.exe
  2⤵
  PID:12576
- C:\Windows\System32\lyfcBNV.exe
  C:\Windows\System32\lyfcBNV.exe
  2⤵
  PID:12628
- C:\Windows\System32\CbNzdOg.exe
  C:\Windows\System32\CbNzdOg.exe
  2⤵
  PID:12660
- C:\Windows\System32\xTmOSWB.exe
  C:\Windows\System32\xTmOSWB.exe
  2⤵
  PID:12696
- C:\Windows\System32\FRYZmca.exe
  C:\Windows\System32\FRYZmca.exe
  2⤵
  PID:12724
- C:\Windows\System32\GrlkXwk.exe
  C:\Windows\System32\GrlkXwk.exe
  2⤵
  PID:12756
- C:\Windows\System32\pGjKhez.exe
  C:\Windows\System32\pGjKhez.exe
  2⤵
  PID:12784
- C:\Windows\System32\haqcBSc.exe
  C:\Windows\System32\haqcBSc.exe
  2⤵
  PID:12812
- C:\Windows\System32\lhWenKg.exe
  C:\Windows\System32\lhWenKg.exe
  2⤵
  PID:12844
- C:\Windows\System32\SYUuOkc.exe
  C:\Windows\System32\SYUuOkc.exe
  2⤵
  PID:12872
- C:\Windows\System32\IaDulLm.exe
  C:\Windows\System32\IaDulLm.exe
  2⤵
  PID:12900
- C:\Windows\System32\vURXqiA.exe
  C:\Windows\System32\vURXqiA.exe
  2⤵
  PID:12928
- C:\Windows\System32\sBZNIxm.exe
  C:\Windows\System32\sBZNIxm.exe
  2⤵
  PID:12956
- C:\Windows\System32\SVZhfQW.exe
  C:\Windows\System32\SVZhfQW.exe
  2⤵
  PID:12988
- C:\Windows\System32\YhivoGw.exe
  C:\Windows\System32\YhivoGw.exe
  2⤵
  PID:13020
- C:\Windows\System32\McOiGbZ.exe
  C:\Windows\System32\McOiGbZ.exe
  2⤵
  PID:13048
- C:\Windows\System32\CYRLleL.exe
  C:\Windows\System32\CYRLleL.exe
  2⤵
  PID:13076
- C:\Windows\System32\VYzyzsP.exe
  C:\Windows\System32\VYzyzsP.exe
  2⤵
  PID:13104
- C:\Windows\System32\EXMAjbX.exe
  C:\Windows\System32\EXMAjbX.exe
  2⤵
  PID:13132
- C:\Windows\System32\PDUTghP.exe
  C:\Windows\System32\PDUTghP.exe
  2⤵
  PID:13160
- C:\Windows\System32\VZxDOjy.exe
  C:\Windows\System32\VZxDOjy.exe
  2⤵
  PID:13188
- C:\Windows\System32\OVojCwA.exe
  C:\Windows\System32\OVojCwA.exe
  2⤵
  PID:13220
- C:\Windows\System32\cjEiAJC.exe
  C:\Windows\System32\cjEiAJC.exe
  2⤵
  PID:13248
- C:\Windows\System32\tElDzdr.exe
  C:\Windows\System32\tElDzdr.exe
  2⤵
  PID:13276
- C:\Windows\System32\SsrXiDa.exe
  C:\Windows\System32\SsrXiDa.exe
  2⤵
  PID:13304
- C:\Windows\System32\puqlwut.exe
  C:\Windows\System32\puqlwut.exe
  2⤵
  PID:12332
- C:\Windows\System32\iQWunil.exe
  C:\Windows\System32\iQWunil.exe
  2⤵
  PID:12400
- C:\Windows\System32\zltusPW.exe
  C:\Windows\System32\zltusPW.exe
  2⤵
  PID:12476
- C:\Windows\System32\lsMzlbW.exe
  C:\Windows\System32\lsMzlbW.exe
  2⤵
  PID:3604
- C:\Windows\System32\bTedava.exe
  C:\Windows\System32\bTedava.exe
  2⤵
  PID:12572
- C:\Windows\System32\czHqBBY.exe
  C:\Windows\System32\czHqBBY.exe
  2⤵
  PID:12652
- C:\Windows\System32\OCWiFUG.exe
  C:\Windows\System32\OCWiFUG.exe
  2⤵
  PID:12720
- C:\Windows\System32\QbldxVX.exe
  C:\Windows\System32\QbldxVX.exe
  2⤵
  PID:12780
- C:\Windows\System32\lqRpXCv.exe
  C:\Windows\System32\lqRpXCv.exe
  2⤵
  PID:12856
- C:\Windows\System32\QWlPNoX.exe
  C:\Windows\System32\QWlPNoX.exe
  2⤵
  PID:12920
- C:\Windows\System32\uTkRDUa.exe
  C:\Windows\System32\uTkRDUa.exe
  2⤵
  PID:12980
- C:\Windows\System32\pszGoPu.exe
  C:\Windows\System32\pszGoPu.exe
  2⤵
  PID:13096
- C:\Windows\System32\bYaExmo.exe
  C:\Windows\System32\bYaExmo.exe
  2⤵
  PID:13152
- C:\Windows\System32\ncplVEo.exe
  C:\Windows\System32\ncplVEo.exe
  2⤵
  PID:13212
- C:\Windows\System32\uCTsKzt.exe
  C:\Windows\System32\uCTsKzt.exe
  2⤵
  PID:13288
- C:\Windows\System32\gKhLwZX.exe
  C:\Windows\System32\gKhLwZX.exe
  2⤵
  PID:12432
- C:\Windows\System32\upXXLHw.exe
  C:\Windows\System32\upXXLHw.exe
  2⤵
  PID:3056
- C:\Windows\System32\TAYVcng.exe
  C:\Windows\System32\TAYVcng.exe
  2⤵
  PID:12828
- C:\Windows\System32\DNVvNuD.exe
  C:\Windows\System32\DNVvNuD.exe
  2⤵
  PID:13172
- C:\Windows\System32\WBNdbOv.exe
  C:\Windows\System32\WBNdbOv.exe
  2⤵
  PID:12364
- C:\Windows\System32\HGphsEL.exe
  C:\Windows\System32\HGphsEL.exe
  2⤵
  PID:13016
- C:\Windows\System32\xNEcOnG.exe
  C:\Windows\System32\xNEcOnG.exe
  2⤵
  PID:13324
- C:\Windows\System32\XUBmLCj.exe
  C:\Windows\System32\XUBmLCj.exe
  2⤵
  PID:13368
- C:\Windows\System32\sDVNKjQ.exe
  C:\Windows\System32\sDVNKjQ.exe
  2⤵
  PID:13400
- C:\Windows\System32\wKdiPiv.exe
  C:\Windows\System32\wKdiPiv.exe
  2⤵
  PID:13440
- C:\Windows\System32\KwJIUJO.exe
  C:\Windows\System32\KwJIUJO.exe
  2⤵
  PID:13472
- C:\Windows\System32\ORNwjzY.exe
  C:\Windows\System32\ORNwjzY.exe
  2⤵
  PID:13508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
1⤵
PID:7552

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ATvcVPZ.exe

Filesize
2.9MB

MD5
1696b3430d49bb6c496dc083a12a3d93

SHA1
4be010c807e80f34b752bba778f648528dc08507

SHA256
0bf35d5c76570cc5d6ead6963cef7a5dc451f5cf235365bf9c4e0b6442d82cc9

SHA512
cab200df7d40e53e6037017c4eb416d8f5bf93e96150e3bf161a0907015a22be50c98ade8fa2e08264da01733b99c5a7f61817401338a537a989938c59618ae6

Download Submit
C:\Windows\System32\AjMDPTT.exe

Filesize
2.9MB

MD5
e76c8dc8f6f3b0e6ec73a72bd52691b9

SHA1
9b145961d8d5c9f41ca60d6fbbced44ebc281d9b

SHA256
081c2a7cdfaaaf75e3132168efb6912dd92d2f017ac0f416fef3ef4896838995

SHA512
f285b95c45867de2c14e5e4078c266b236ec82e4767b4ed49ea251efcd6e15393613a56c6a1791396c12f764530103287ff5eef60d1d9990dfd1422cde27e0c5

Download Submit
C:\Windows\System32\CzcTtiB.exe

Filesize
2.9MB

MD5
64f437e6580116877e6507ab7d77321f

SHA1
e14facc54599dd1ef6093af8e71e8773744de373

SHA256
9acfb2fce5d88e846e3b8f75c677deef888f84d9d871bc9e343335250506f056

SHA512
4a645bb583b0bd793f5d55766175e7a0f526368c22f519ab31b9e063dcc71ab7b76b602fc2938e7329106b6bd0044b7b00afe696ee393eafdc5d57b1d30ec1e6

Download Submit
C:\Windows\System32\DRcWEMf.exe

Filesize
2.9MB

MD5
600ff99f95478efd50d9017d4255d53a

SHA1
c6c1d25d9703b37497cdd6d88c18d0bca7430ce4

SHA256
e65e7fc58c8e4406e365e082ea10719ff5054b937a59afe544ce49dee97d7284

SHA512
e519ee78840c3cc84b35303620bc0dcd2dbd0ae70ef63468abc211c8a1cd89038dda3e4bf9b80fdf09cf80e386a9fb6a8d9025b42ac26886c69fa8d89290feee

Download Submit
C:\Windows\System32\DivlaAo.exe

Filesize
2.9MB

MD5
d10b554636dd6cad77d62fd35b01150e

SHA1
9e71526f214e7a0105f49ff547036eb3ba6184c8

SHA256
0b50447d524f3ddd81fa38c82abd892ac3ef84eb092f2b0475208afce993a631

SHA512
0330d0971ba16a4d54033c14b3988155a754325259ec3d0e5082f1a20b181c6f06859efb6f2c8e2127b4ca0ed6fbe4b0114db033f4ef6d6faae3b832545fcdc8

Download Submit
C:\Windows\System32\EQyeAUL.exe

Filesize
2.9MB

MD5
85db3edc5f7cd82005fd008c62c6c026

SHA1
16a7911099cf645873bec8e6b5765522a165f28b

SHA256
f366f5a03fcabe0cdaf0ad82ea74de34e8c2d15aecaaef2e6e39b4545aa4af60

SHA512
94772e9e904f2c3e6d907a7bf77632ff21ef750dcb019832d79fbda4d07c31cdbaf039e410eade0ce552f43f8f99d1bc0f7c20e9476102aa7fb53d238a292fc1

Download Submit
C:\Windows\System32\GItVgaH.exe

Filesize
2.9MB

MD5
1d1c999450e385906f7497c029d8056d

SHA1
2c93ca6ecbde63ee205f34a243c26d141c7b7070

SHA256
e507cd0e862372b52884b81197b4d86bdb6f37b1c8d4b5710663f3895aa57188

SHA512
872c0140cdfc4f9a606b6d0df502cb1cb9cb591efc1e1f53d6a8079e2687935a73525753baaefceac3446698eee024b67040b0c120e356ecb5be50b17eb74a5b

Download Submit
C:\Windows\System32\HZVXASB.exe

Filesize
2.9MB

MD5
8bc1824b3f09f42b361c5d9abfd8b3ee

SHA1
5c698813d2a201a69ca405074a337fbfeec0044d

SHA256
37790be9adc75b813946dc965ed465e77b93f5a2e873a86ef1a24b5f8766ffdf

SHA512
816197dfe3abdfcfaf3d1b7ddbf46bb0ac36fa7b31fdad683dc3c93227bf6ba6b39e1aa06a80f53713541c6526044b6ee9072141a7179affdc5e3efa2eb5d782

Download Submit
C:\Windows\System32\JMBAUDc.exe

Filesize
2.9MB

MD5
bf3c23e970ecca8529e4084842dbabc1

SHA1
e4b9593e8e7e8ed6c0f6b16229f0abc45c0e0125

SHA256
b6f837accc40d224213cc1947cbffeded6ce1532cea1844660408ea103788321

SHA512
4824cababa006cab6b6220d5c0185576a30bc6799c2289875df8a9e4c7a2630aa6cac89a6e56d00e5df12bb31b258123e82249eb82fa022df81b04813646f02a

Download Submit
C:\Windows\System32\JYXPHkH.exe

Filesize
2.9MB

MD5
67efc717274a49ba3d66f0432c82c9f6

SHA1
0fa0b2d21f22f03e1107760cc4351599b45c1b03

SHA256
2487e98a1f063de57f8a2312181389a5f03105954e1bc62aeef85651860db31b

SHA512
6d2deadef24b63f9a2db91aeda728d9d3904564fd1fe3fbeaecbf684c22c54fc914bd96aea85d76f4b0e578835cb25f2993b0a2ded29794ea3ace51f2184aec5

Download Submit
C:\Windows\System32\KRXKVaw.exe

Filesize
2.9MB

MD5
75d22bb65c4083970ab36daaeec7149f

SHA1
1fe339cda70d84f80d87fc0adc16f0b15c7ffbc3

SHA256
19cf138061c559b07aa1250fad5993e97f974b99f82721557a9a0f797a08c84c

SHA512
ffcd1070d2b6fb0fd5187fa10262f1e5c2c946a1c930a99d20a3b2267a8bb8f57e72338b3103100757fd19b3742d73cb455b1c7d3a7aec84e9e2a44deacf4ebc

Download Submit
C:\Windows\System32\LEFjLiZ.exe

Filesize
2.9MB

MD5
ff704cd163fd3c212abe2ecfc0d5bfe0

SHA1
61c354c988beadffb56280b670f95f98ce0005f2

SHA256
41079d461d897dbb6b8c7938c99cc2159e17c4f36d874c71dbf08fd150435b54

SHA512
dabae384ef4bf6c4670216eb38edf8094e571513fae09b446fd76719dc4ed612733a9f3d447a01ec771d85337231cf1ac8abc2919b7f541d817c9ba00324c7ac

Download Submit
C:\Windows\System32\MvtIxps.exe

Filesize
2.9MB

MD5
3ff06b5885837878561c61d6bb7c7cc0

SHA1
d381fe04bf4edc260067378486b6f08ab81d59ef

SHA256
3afcbadcf95f0dc5f9906fca06fe88be54a5771f21c34e636ccdbf2a09a98b9e

SHA512
efc6151e583d3dfaa8ea3ee2f58cf4e0eee77ac1d99cead76c679794cf2ccde474c22f957021dbf9fd17bec8e9cfe832d3e9f5b1d27516ae31ffc758e07d15ca

Download Submit
C:\Windows\System32\PfzapKG.exe

Filesize
2.9MB

MD5
fb4c3ccd787fb883513374b7f3675f9a

SHA1
26bda822f5ad5106d12d2cbfd1fe7578c12e724a

SHA256
6cfe50e6c01d5d8068a7a706758591af28dfe52444addc430c5a6c9b3c470560

SHA512
02b3a0ac1ca911f79e062760b1eb17870c11c84e860097d1ff7f44228280e74a9db7290fb5c7f26c31cf0e87338cd8d245d9c8746c12992a5b2f6ab22f13d423

Download Submit
C:\Windows\System32\RfOeZtB.exe

Filesize
2.9MB

MD5
0c5d2acb720594e3715468319b08db9c

SHA1
41bb96588ee46b3bda608de843e83462c81a789b

SHA256
491b952521752ea7a90992055f974280915fc38f2e81fb06669a230f116a0373

SHA512
f4bebdf03988a9cdd60c570b7047a12df94c6569d5c29514535e3a1c394332513d53d8b443ba9e2a398b1872feb71bdea85b201e5d57883359eb790e413c10e7

Download Submit
C:\Windows\System32\TbdWKiH.exe

Filesize
2.9MB

MD5
71e8af146ce803650de0b3186bf2abdb

SHA1
3a6d4e017adf87103573d1b633329ff9cd731a83

SHA256
2bd8c06eb22742878173ff96eabe4ad32d62e393383c1fdf63d6253e1a11ed96

SHA512
129948987d2c886f9caa143b8f69a81d3dfb544959b6be7cb1da449ca048efb1dcba2a7327eefcaefa90ae8e538ae6bda071e970c7285044e07e84329afaf4a7

Download Submit
C:\Windows\System32\UdDaSYd.exe

Filesize
2.9MB

MD5
494bfeca5014994e78817381f078efa8

SHA1
c8350fb75adc24f4fede429d9d59b3eca345b5df

SHA256
3977dd7ea73cc0ff6e0f4700f0968448fe6fa07039747e9acaaff05785ba7c4a

SHA512
00210b57cd2b34d353059d059281fd6c0d8965734de8d85bb15fdb690d0c751a488290f608a6a668f44486b5d0d06044318d87f33f0b3dd74c5317b228d9cfb5

Download Submit
C:\Windows\System32\UdteYzZ.exe

Filesize
2.9MB

MD5
bbb283f094be2010ae8c0d15e9ea2857

SHA1
0de19a90441cc93a032a7673cd92e8623c036ca9

SHA256
d29356a98d6dffb497e651b2af5d85d9ce7cb7aca5cb8ac4c344419f88e65e54

SHA512
91a58a0e4bf6ef23d06c3ab28c7958b6c1b4aecd06e94c0954c6364706975f87ea784cdfabbc5c6263f08ef1c29a5a4058d8a8efb2e8d8ed32b60e8a6c0e7806

Download Submit
C:\Windows\System32\UmUbhaE.exe

Filesize
2.9MB

MD5
7a786b5092e2e2c4cc91f0b5d48db247

SHA1
1da2f0c78320282f272dcb2295d8c91483e94a06

SHA256
89f774c9c35ec66a2629895aa7b60b701bdbee956e8bdd77cc9ad3f4cb58e837

SHA512
f44e6a4f59ae2b4762eb89dbc04174bd7aaa8be362a803f7ef4242ac93b4918ba32d2ac876832615c83c97d72f36a1e3b28bd695dc54b37d28130ae9837f63ee

Download Submit
C:\Windows\System32\YJXZVur.exe

Filesize
2.9MB

MD5
38ae2871d1f059fa3b3e49231c8b700f

SHA1
4148ee0dfb23c182187af72cb3ef396ddbc19151

SHA256
739b9bdd7436e352c86c54bb03c2c9c4c9fc5455476d53a7c350f9ccefa5a5d8

SHA512
992cc90a6db25346a46227690ce41aac336be98e77a720ada597a01d40ba7b1a98212660d65897b07533512fdb0c0c71e65583e70b8ec58467852525da80fe7e

Download Submit
C:\Windows\System32\ZpsZcKq.exe

Filesize
2.9MB

MD5
8cc7ca86c705f622ab3ed76bb566d0bf

SHA1
ac61fde6ffe19a682b4da8beb364015b0287e03c

SHA256
dc74903ed73b3a644f460960aa7c2fa815f92e1cc736b4365b76d7dac74cb4aa

SHA512
da98f53035b2790d51d0a594389545bf3859bf9b989c28630385d32cb45c3f5d4818ba2bd540f8678dbeb76cd25e406557810d673da66cc296e4b54be9e2dd36

Download Submit
C:\Windows\System32\bPTruwP.exe

Filesize
2.9MB

MD5
9d9d39d2efecb380e7f87fb5581c977d

SHA1
3bde0d4e3d18989aff15d0b85cb163096da69a88

SHA256
97930647f86528cc026fa120539d32b246fc2e8a9402d2211f375118c9b987f7

SHA512
af377443622764e5fbfacf7a9c3e1d9de615edfd35b90dd4b67e243ebc748c758d1bb18e551f385d9ccee7193055625d2e3ca5eca6a7099033235f6e2aef0048

Download Submit
C:\Windows\System32\eTywkBK.exe

Filesize
2.9MB

MD5
fdf6c9a0d8bb6252913bb59e73739694

SHA1
b38b79ede54d2f7987037ef4345bbcd5df45ca13

SHA256
2605b71e8211a0ffa875a8ae9c1799323009e5efe72207e99490659d07b85d09

SHA512
70cf843dcf030c70314ca79bdeb4f60d94f8307abf34ca271b6541f770b76787f5463278b85e1d3fcf051298e5ca191d93d93bda08099939bfbed38258c281e2

Download Submit
C:\Windows\System32\ewFymym.exe

Filesize
2.9MB

MD5
f7cc5dc250fb377f91518d88878213ef

SHA1
a2d1c4e579c2b404d1c944b1f4226f534cf97bf0

SHA256
6118870c15a07a7704ff35ae659e0004e24bf99bdc6f985463ff67fdfec57156

SHA512
7826e0690e0a244634643983dcbc88097af4c9966d74656a7c7bf495988ce7b0e65fa7dbda34895ce260a79619e2c4e4665d37478a545e4a920fd20b4efd12fa

Download Submit
C:\Windows\System32\hxOMYjB.exe

Filesize
2.9MB

MD5
b28281da5b51b6ffe33f180c1043d016

SHA1
e41684e7ad335e078f64a6ae95c8333256938ae7

SHA256
d954a93f83202320b688b568bf666f6556ffb05b65fe7eab28b84bcf9ac24bdc

SHA512
93df53f017401ee30c40a08ba8e35e144d504b5acd1db80a9aa1cb224f4d83edcc99fb151c0c3435bca56c187185c76a039117e86cbe188a567c74b66b9c0cfe

Download Submit
C:\Windows\System32\oXuhtcX.exe

Filesize
2.9MB

MD5
8034634757dc301a443d9cf67551a625

SHA1
cb10b8cd96348222774fcf69ed44e48f8fb3f9d9

SHA256
52a399ee63b91a76e679a0c5dd49c56e41cc7215b77811f0575df5b28458bc32

SHA512
6ea753222c3a0c8242cc539f8907f35d216d99b3565c970494ade4a2c240c7aae37728043f4efe2323e5f235aee2bbe74d22bbe2f9ec8fb02438c4c232c5b104

Download Submit
C:\Windows\System32\pmoGDHK.exe

Filesize
2.9MB

MD5
8ebd6a3b845ec648276d1d8966415825

SHA1
39ba556f4fbbd6c428e6718e07b11a6a06e5de58

SHA256
6c3e8e2b695954a1700155c2fc71dcbd500eb1c0a1a6e0cd71578c68cbd4222a

SHA512
e96c8ed713adfa4e46a9cbcf77a2ae6814ef5db5ff8ad36f405bc1768160bf72fca323836d14da1fc5c29a7ef5de1438afaf490cd76ea441da280b7c2425dd6f

Download Submit
C:\Windows\System32\qAufymF.exe

Filesize
2.9MB

MD5
fc3aba34652fd95aa75ec410bdcde163

SHA1
84297bfe97d8bee1890d9e686ee8393b26e186b5

SHA256
0fcf76671d0dc418b4bb21788ea5961256ff0ca06e906f2e45e830b030941db7

SHA512
66f944082067b1a49c9367f52566585622b92b96bab0c5a292550c2c84bee6170b6c35848be479c08415513938f1236eea1f1f6ba2b830ee3481c2176797c197

Download Submit
C:\Windows\System32\slBfvJd.exe

Filesize
2.9MB

MD5
803a0562e529eb881989464174253282

SHA1
d6d09d69133b1a5fa66189e44f6619cbca29e13c

SHA256
1f9a7d63e33f4eef80168b5fbc2cf8e3d877a349498402f9252acc3b391a5fb7

SHA512
803bea766d95294ae91c942b4b3febafce115e8682d4a0bac81ba36da02a1c99a2afba2a6a5242d7abd525d0bc40a00f05288c730e6808efe37b163a7f232b53

Download Submit
C:\Windows\System32\tAwkKCm.exe

Filesize
2.9MB

MD5
0b961a4146b7c53db92f237708108b0b

SHA1
d7ec42374c2949da28103db4acbe1fe797ce3ef0

SHA256
c2be68d40547506afbc731f4e92b42d511f6ad5fcd7e1ae413c34ade2d65eb50

SHA512
faa8bf4f32804ab6f6f5c349a880673a1631bbbd445a9c55b23e3870c306e01fee3f44b845a37b940b295dfbc05487b8298bd69a175df490169425a3a9d1f24c

Download Submit
C:\Windows\System32\vJWBAYa.exe

Filesize
2.9MB

MD5
de73e0b1d569fcf0da426e345ae19a2c

SHA1
a3d403ae22db56608bd63b395eca3a40ffc2267c

SHA256
e195c35b4472dadc47e7c095ac6b8083e2d57e3842e06cfad778276e61320756

SHA512
43869a3af07015c72fbec3068c6cd5c3aa79fac97abc367ab25b2107d55eec121d1175fc232627201beee250c4c06ac33928523779df1b4706afdb47ff75da74

Download Submit
C:\Windows\System32\ztlmUwn.exe

Filesize
2.9MB

MD5
c244d342fafc32499816dfc2f8b53c18

SHA1
3fb23691001e785f5453581a427801a2e5467de4

SHA256
a25bc202ad43f621c5ffd806e3e297db540c3a6346f9b95c1af0e215a1a244ba

SHA512
ac8b11ddccef010bc14a86761178a5496d8e528b9d00562395932f4ed14d157aea3c653283b0bb9d6b009126a6d1422e99fd7c194cdfdd0124ffceb9c54911c3

Download Submit
memory/868-795-0x00007FF62B550000-0x00007FF62B945000-memory.dmp

Filesize
4.0MB

Download
memory/868-1845-0x00007FF62B550000-0x00007FF62B945000-memory.dmp

Filesize
4.0MB

Download
memory/1228-744-0x00007FF6375A0000-0x00007FF637995000-memory.dmp

Filesize
4.0MB

Download
memory/1228-1830-0x00007FF6375A0000-0x00007FF637995000-memory.dmp

Filesize
4.0MB

Download
memory/1260-1836-0x00007FF65F640000-0x00007FF65FA35000-memory.dmp

Filesize
4.0MB

Download
memory/1260-816-0x00007FF65F640000-0x00007FF65FA35000-memory.dmp

Filesize
4.0MB

Download
memory/1440-1843-0x00007FF7803E0000-0x00007FF7807D5000-memory.dmp

Filesize
4.0MB

Download
memory/1440-801-0x00007FF7803E0000-0x00007FF7807D5000-memory.dmp

Filesize
4.0MB

Download
memory/1720-745-0x00007FF603C60000-0x00007FF604055000-memory.dmp

Filesize
4.0MB

Download
memory/1720-1831-0x00007FF603C60000-0x00007FF604055000-memory.dmp

Filesize
4.0MB

Download
memory/1808-1835-0x00007FF6D00C0000-0x00007FF6D04B5000-memory.dmp

Filesize
4.0MB

Download
memory/1808-787-0x00007FF6D00C0000-0x00007FF6D04B5000-memory.dmp

Filesize
4.0MB

Download
memory/1920-27-0x00007FF681C90000-0x00007FF682085000-memory.dmp

Filesize
4.0MB

Download
memory/1920-1824-0x00007FF681C90000-0x00007FF682085000-memory.dmp

Filesize
4.0MB

Download
memory/2012-0-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp

Filesize
4.0MB

Download
memory/2012-1-0x0000015B08890000-0x0000015B088A0000-memory.dmp

Filesize
64KB

Download
memory/2012-1819-0x00007FF7EAA60000-0x00007FF7EAE55000-memory.dmp

Filesize
4.0MB

Download
memory/2284-776-0x00007FF673CA0000-0x00007FF674095000-memory.dmp

Filesize
4.0MB

Download
memory/2284-1828-0x00007FF673CA0000-0x00007FF674095000-memory.dmp

Filesize
4.0MB

Download
memory/2752-799-0x00007FF69AB70000-0x00007FF69AF65000-memory.dmp

Filesize
4.0MB

Download
memory/2752-1840-0x00007FF69AB70000-0x00007FF69AF65000-memory.dmp

Filesize
4.0MB

Download
memory/2892-814-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp

Filesize
4.0MB

Download
memory/2892-1826-0x00007FF72A990000-0x00007FF72AD85000-memory.dmp

Filesize
4.0MB

Download
memory/2904-755-0x00007FF7787C0000-0x00007FF778BB5000-memory.dmp

Filesize
4.0MB

Download
memory/2904-1832-0x00007FF7787C0000-0x00007FF778BB5000-memory.dmp

Filesize
4.0MB

Download
memory/2964-743-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp

Filesize
4.0MB

Download
memory/2964-1821-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp

Filesize
4.0MB

Download
memory/2964-1827-0x00007FF7F73C0000-0x00007FF7F77B5000-memory.dmp

Filesize
4.0MB

Download
memory/3028-760-0x00007FF7FF960000-0x00007FF7FFD55000-memory.dmp

Filesize
4.0MB

Download
memory/3028-1829-0x00007FF7FF960000-0x00007FF7FFD55000-memory.dmp

Filesize
4.0MB

Download
memory/3448-1820-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp

Filesize
4.0MB

Download
memory/3448-1823-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp

Filesize
4.0MB

Download
memory/3448-19-0x00007FF6A7EC0000-0x00007FF6A82B5000-memory.dmp

Filesize
4.0MB

Download
memory/3552-1841-0x00007FF6BF950000-0x00007FF6BFD45000-memory.dmp

Filesize
4.0MB

Download
memory/3552-805-0x00007FF6BF950000-0x00007FF6BFD45000-memory.dmp

Filesize
4.0MB

Download
memory/3844-748-0x00007FF7BF120000-0x00007FF7BF515000-memory.dmp

Filesize
4.0MB

Download
memory/3844-1833-0x00007FF7BF120000-0x00007FF7BF515000-memory.dmp

Filesize
4.0MB

Download
memory/4008-1842-0x00007FF706A50000-0x00007FF706E45000-memory.dmp

Filesize
4.0MB

Download
memory/4008-790-0x00007FF706A50000-0x00007FF706E45000-memory.dmp

Filesize
4.0MB

Download
memory/4052-1839-0x00007FF6B4330000-0x00007FF6B4725000-memory.dmp

Filesize
4.0MB

Download
memory/4052-783-0x00007FF6B4330000-0x00007FF6B4725000-memory.dmp

Filesize
4.0MB

Download
memory/4424-803-0x00007FF7BDC90000-0x00007FF7BE085000-memory.dmp

Filesize
4.0MB

Download
memory/4424-1844-0x00007FF7BDC90000-0x00007FF7BE085000-memory.dmp

Filesize
4.0MB

Download
memory/4592-10-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp

Filesize
4.0MB

Download
memory/4592-1818-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp

Filesize
4.0MB

Download
memory/4592-1822-0x00007FF7DE910000-0x00007FF7DED05000-memory.dmp

Filesize
4.0MB

Download
memory/4708-809-0x00007FF7D0D30000-0x00007FF7D1125000-memory.dmp

Filesize
4.0MB

Download
memory/4708-1825-0x00007FF7D0D30000-0x00007FF7D1125000-memory.dmp

Filesize
4.0MB

Download
memory/4900-789-0x00007FF7A7E90000-0x00007FF7A8285000-memory.dmp

Filesize
4.0MB

Download
memory/4900-1838-0x00007FF7A7E90000-0x00007FF7A8285000-memory.dmp

Filesize
4.0MB

Download
memory/4924-768-0x00007FF62BCE0000-0x00007FF62C0D5000-memory.dmp

Filesize
4.0MB

Download
memory/4924-1834-0x00007FF62BCE0000-0x00007FF62C0D5000-memory.dmp

Filesize
4.0MB

Download
memory/5004-777-0x00007FF7B5740000-0x00007FF7B5B35000-memory.dmp

Filesize
4.0MB

Download
memory/5004-1837-0x00007FF7B5740000-0x00007FF7B5B35000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads