xmrig | cb094136881df5428d2428b2f90675767bb72a5228a2c40fdb17c7952a6ca1c8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
Size

1.8MB
MD5

192a53bc8882a3c1a328a8f9da19e9e0
SHA1

a0e6926dd56c5df86e0f6729d200529c538c60eb
SHA256

cb094136881df5428d2428b2f90675767bb72a5228a2c40fdb17c7952a6ca1c8
SHA512

8c54fedf2168e48d0289935a690bc70b4c6c4968e47c532fc27ba1c2707c608681a84316340573d6172a2459af34e3744540e10b184be880edfe20692484d639
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOGApwJbxgU67tqSNP3l50lt:knw9oUUEEDlGUh+hNGTbu5bmt

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3352-20-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	xmrig
behavioral2/memory/1524-437-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp	xmrig
behavioral2/memory/224-32-0x00007FF6D2080000-0x00007FF6D2471000-memory.dmp	xmrig
behavioral2/memory/1276-438-0x00007FF6F23B0000-0x00007FF6F27A1000-memory.dmp	xmrig
behavioral2/memory/3216-439-0x00007FF659CC0000-0x00007FF65A0B1000-memory.dmp	xmrig
behavioral2/memory/1472-440-0x00007FF724570000-0x00007FF724961000-memory.dmp	xmrig
behavioral2/memory/4836-441-0x00007FF793A40000-0x00007FF793E31000-memory.dmp	xmrig
behavioral2/memory/4576-446-0x00007FF7D1B20000-0x00007FF7D1F11000-memory.dmp	xmrig
behavioral2/memory/2148-453-0x00007FF6ED680000-0x00007FF6EDA71000-memory.dmp	xmrig
behavioral2/memory/2412-457-0x00007FF770930000-0x00007FF770D21000-memory.dmp	xmrig
behavioral2/memory/3760-481-0x00007FF6B6B80000-0x00007FF6B6F71000-memory.dmp	xmrig
behavioral2/memory/4140-467-0x00007FF783290000-0x00007FF783681000-memory.dmp	xmrig
behavioral2/memory/3152-519-0x00007FF635FB0000-0x00007FF6363A1000-memory.dmp	xmrig
behavioral2/memory/380-555-0x00007FF7E1AB0000-0x00007FF7E1EA1000-memory.dmp	xmrig
behavioral2/memory/1444-545-0x00007FF788B70000-0x00007FF788F61000-memory.dmp	xmrig
behavioral2/memory/3044-539-0x00007FF726E40000-0x00007FF727231000-memory.dmp	xmrig
behavioral2/memory/1080-535-0x00007FF7E9370000-0x00007FF7E9761000-memory.dmp	xmrig
behavioral2/memory/4872-533-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	xmrig
behavioral2/memory/1264-507-0x00007FF7784A0000-0x00007FF778891000-memory.dmp	xmrig
behavioral2/memory/4692-494-0x00007FF7B7F50000-0x00007FF7B8341000-memory.dmp	xmrig
behavioral2/memory/4252-487-0x00007FF7D7700000-0x00007FF7D7AF1000-memory.dmp	xmrig
behavioral2/memory/3352-1994-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	xmrig
behavioral2/memory/3772-1995-0x00007FF707880000-0x00007FF707C71000-memory.dmp	xmrig
behavioral2/memory/1608-1996-0x00007FF668760000-0x00007FF668B51000-memory.dmp	xmrig
behavioral2/memory/3352-2002-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	xmrig
behavioral2/memory/4080-2004-0x00007FF7F90E0000-0x00007FF7F94D1000-memory.dmp	xmrig
behavioral2/memory/3772-2008-0x00007FF707880000-0x00007FF707C71000-memory.dmp	xmrig
behavioral2/memory/1524-2010-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp	xmrig
behavioral2/memory/224-2006-0x00007FF6D2080000-0x00007FF6D2471000-memory.dmp	xmrig
behavioral2/memory/1276-2012-0x00007FF6F23B0000-0x00007FF6F27A1000-memory.dmp	xmrig
behavioral2/memory/4252-2030-0x00007FF7D7700000-0x00007FF7D7AF1000-memory.dmp	xmrig
behavioral2/memory/3760-2028-0x00007FF6B6B80000-0x00007FF6B6F71000-memory.dmp	xmrig
behavioral2/memory/4692-2034-0x00007FF7B7F50000-0x00007FF7B8341000-memory.dmp	xmrig
behavioral2/memory/4872-2087-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	xmrig
behavioral2/memory/3044-2122-0x00007FF726E40000-0x00007FF727231000-memory.dmp	xmrig
behavioral2/memory/1080-2089-0x00007FF7E9370000-0x00007FF7E9761000-memory.dmp	xmrig
behavioral2/memory/3152-2060-0x00007FF635FB0000-0x00007FF6363A1000-memory.dmp	xmrig
behavioral2/memory/1264-2032-0x00007FF7784A0000-0x00007FF778891000-memory.dmp	xmrig
behavioral2/memory/4140-2026-0x00007FF783290000-0x00007FF783681000-memory.dmp	xmrig
behavioral2/memory/4576-2022-0x00007FF7D1B20000-0x00007FF7D1F11000-memory.dmp	xmrig
behavioral2/memory/2412-2020-0x00007FF770930000-0x00007FF770D21000-memory.dmp	xmrig
behavioral2/memory/2148-2018-0x00007FF6ED680000-0x00007FF6EDA71000-memory.dmp	xmrig
behavioral2/memory/3216-2016-0x00007FF659CC0000-0x00007FF65A0B1000-memory.dmp	xmrig
behavioral2/memory/1472-2014-0x00007FF724570000-0x00007FF724961000-memory.dmp	xmrig
behavioral2/memory/4836-2024-0x00007FF793A40000-0x00007FF793E31000-memory.dmp	xmrig
behavioral2/memory/1444-2110-0x00007FF788B70000-0x00007FF788F61000-memory.dmp	xmrig
behavioral2/memory/380-2116-0x00007FF7E1AB0000-0x00007FF7E1EA1000-memory.dmp	xmrig
behavioral2/memory/1608-2247-0x00007FF668760000-0x00007FF668B51000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4080	ROSJmGV.exe
3352	kdUwPIj.exe
224	rdjGucL.exe
3772	djvVDci.exe
1608	AXuRyAS.exe
1524	SljWsdm.exe
1276	XmXElqD.exe
3216	ioxVmQK.exe
1472	oSJCkgW.exe
4836	ZpsWLap.exe
4576	SFIgnPl.exe
2148	LflYCSs.exe
2412	BAPWhYK.exe
4140	ljKfGqR.exe
3760	bwUehDE.exe
4252	aMzcHCv.exe
4692	iCZpsco.exe
1264	VijtVey.exe
3152	ZbhvQPU.exe
4872	CzHDoOs.exe
1080	LIzNMDj.exe
3044	BTLGelW.exe
1444	JKQzZTz.exe
380	zbntHJP.exe
1092	mRSemxy.exe
4464	aJvUymC.exe
736	DsrZgFF.exe
3520	brxsLMu.exe
2616	DWYLDnN.exe
4452	EhMFvCR.exe
532	OsYzhEH.exe
1528	SMNptCQ.exe
3412	AclgyoR.exe
844	mdYPmHv.exe
2484	DWcLlxJ.exe
2648	rsUASsr.exe
3880	znwBITs.exe
4628	RqEgsqT.exe
636	FfaHcey.exe
2432	EiSHPfd.exe
1028	ebWGNPi.exe
3296	IKohERS.exe
3600	XDDfIQt.exe
2140	kXFbafe.exe
2112	ObAexOT.exe
3376	ptaBtKP.exe
1152	OxHbcGu.exe
1812	WnDZZOC.exe
1456	NpyUvDM.exe
4316	OnqSlVo.exe
4332	TqqygRQ.exe
3720	hWPXwfZ.exe
1772	oiSqHZx.exe
1016	EMVnPKK.exe
1360	pkTqPZo.exe
1344	JJrUgIc.exe
5080	RmQZHOi.exe
2808	GwIbvHW.exe
2584	JNKFlAU.exe
3028	ILjRnoh.exe
1956	XcUtvAZ.exe
4960	ylzsBSK.exe
1904	ECIBITw.exe
4956	kiCbZFC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2660-0-0x00007FF69E730000-0x00007FF69EB21000-memory.dmp	upx
behavioral2/files/0x00080000000233fb-5.dat	upx
behavioral2/files/0x00070000000233ff-7.dat	upx
behavioral2/files/0x0007000000023400-9.dat	upx
behavioral2/memory/4080-11-0x00007FF7F90E0000-0x00007FF7F94D1000-memory.dmp	upx
behavioral2/memory/3352-20-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	upx
behavioral2/memory/3772-27-0x00007FF707880000-0x00007FF707C71000-memory.dmp	upx
behavioral2/memory/1608-31-0x00007FF668760000-0x00007FF668B51000-memory.dmp	upx
behavioral2/files/0x0007000000023403-35.dat	upx
behavioral2/files/0x0007000000023405-45.dat	upx
behavioral2/files/0x0007000000023406-50.dat	upx
behavioral2/files/0x0007000000023407-55.dat	upx
behavioral2/files/0x000700000002340a-68.dat	upx
behavioral2/files/0x000700000002340d-85.dat	upx
behavioral2/files/0x000700000002340f-95.dat	upx
behavioral2/files/0x0007000000023411-105.dat	upx
behavioral2/files/0x0007000000023413-115.dat	upx
behavioral2/files/0x0007000000023418-138.dat	upx
behavioral2/files/0x000700000002341b-153.dat	upx
behavioral2/memory/1524-437-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp	upx
behavioral2/files/0x000700000002341d-165.dat	upx
behavioral2/files/0x000700000002341c-161.dat	upx
behavioral2/files/0x000700000002341a-150.dat	upx
behavioral2/files/0x0007000000023419-145.dat	upx
behavioral2/files/0x0007000000023417-135.dat	upx
behavioral2/files/0x0007000000023416-130.dat	upx
behavioral2/files/0x0007000000023415-125.dat	upx
behavioral2/files/0x0007000000023414-120.dat	upx
behavioral2/files/0x0007000000023412-111.dat	upx
behavioral2/files/0x0007000000023410-100.dat	upx
behavioral2/files/0x000700000002340e-90.dat	upx
behavioral2/files/0x000700000002340c-80.dat	upx
behavioral2/files/0x000700000002340b-75.dat	upx
behavioral2/files/0x0007000000023409-66.dat	upx
behavioral2/files/0x0007000000023408-61.dat	upx
behavioral2/files/0x0007000000023404-40.dat	upx
behavioral2/memory/224-32-0x00007FF6D2080000-0x00007FF6D2471000-memory.dmp	upx
behavioral2/files/0x0007000000023402-29.dat	upx
behavioral2/files/0x0007000000023401-23.dat	upx
behavioral2/memory/1276-438-0x00007FF6F23B0000-0x00007FF6F27A1000-memory.dmp	upx
behavioral2/memory/3216-439-0x00007FF659CC0000-0x00007FF65A0B1000-memory.dmp	upx
behavioral2/memory/1472-440-0x00007FF724570000-0x00007FF724961000-memory.dmp	upx
behavioral2/memory/4836-441-0x00007FF793A40000-0x00007FF793E31000-memory.dmp	upx
behavioral2/memory/4576-446-0x00007FF7D1B20000-0x00007FF7D1F11000-memory.dmp	upx
behavioral2/memory/2148-453-0x00007FF6ED680000-0x00007FF6EDA71000-memory.dmp	upx
behavioral2/memory/2412-457-0x00007FF770930000-0x00007FF770D21000-memory.dmp	upx
behavioral2/memory/3760-481-0x00007FF6B6B80000-0x00007FF6B6F71000-memory.dmp	upx
behavioral2/memory/4140-467-0x00007FF783290000-0x00007FF783681000-memory.dmp	upx
behavioral2/memory/3152-519-0x00007FF635FB0000-0x00007FF6363A1000-memory.dmp	upx
behavioral2/memory/380-555-0x00007FF7E1AB0000-0x00007FF7E1EA1000-memory.dmp	upx
behavioral2/memory/1444-545-0x00007FF788B70000-0x00007FF788F61000-memory.dmp	upx
behavioral2/memory/3044-539-0x00007FF726E40000-0x00007FF727231000-memory.dmp	upx
behavioral2/memory/1080-535-0x00007FF7E9370000-0x00007FF7E9761000-memory.dmp	upx
behavioral2/memory/4872-533-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp	upx
behavioral2/memory/1264-507-0x00007FF7784A0000-0x00007FF778891000-memory.dmp	upx
behavioral2/memory/4692-494-0x00007FF7B7F50000-0x00007FF7B8341000-memory.dmp	upx
behavioral2/memory/4252-487-0x00007FF7D7700000-0x00007FF7D7AF1000-memory.dmp	upx
behavioral2/memory/3352-1994-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	upx
behavioral2/memory/3772-1995-0x00007FF707880000-0x00007FF707C71000-memory.dmp	upx
behavioral2/memory/1608-1996-0x00007FF668760000-0x00007FF668B51000-memory.dmp	upx
behavioral2/memory/3352-2002-0x00007FF685500000-0x00007FF6858F1000-memory.dmp	upx
behavioral2/memory/4080-2004-0x00007FF7F90E0000-0x00007FF7F94D1000-memory.dmp	upx
behavioral2/memory/3772-2008-0x00007FF707880000-0x00007FF707C71000-memory.dmp	upx
behavioral2/memory/1524-2010-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\bNNqbkR.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\VVZpfxw.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\RNZZeKt.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ovEWwDy.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\OsYzhEH.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\DWcLlxJ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\wBtoCIZ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\RUbCgig.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\gtFBWNh.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\JUSkmit.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\vgoxnpr.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\gDYievO.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\BhxMSwF.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\DsrZgFF.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\YLFwnAE.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\nanDTDw.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\MrtotqB.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\vJYglYP.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\JRghIyI.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\LlrXFJm.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\cGWPVjw.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\AVampzi.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ADCnxdm.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\yelUJIr.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\RmQZHOi.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\mJHwjxz.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\xUPPojI.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\kIwdbas.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\WdCERNZ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\YaGiYRx.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\DbWwtSD.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\BTLGelW.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\TIIZGzK.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ewPxKHB.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\HLrMxTH.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\nQNsLNh.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZCrHKFQ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\YOmSltn.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZfGyEMz.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\tAKhFhe.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ihJRnKg.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\uTUpeLa.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\gxQKCwE.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\lyIiRGv.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\HcHhPoO.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\ALlWLki.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\njgHvQU.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\OnqSlVo.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\mvyrZYX.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\bXnhYfp.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\bpDRqjU.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\duNKqWF.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\hWPXwfZ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\gPdMESg.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\MUCdclA.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\fSkBAyt.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\eHpiIQJ.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\pranICF.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\XmXElqD.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\snSmLlb.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\EgPlZqF.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\DAPPKxz.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\oiSqHZx.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
File created	C:\Windows\System32\nTeYfbE.exe	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13092	dwm.exe
Token: SeChangeNotifyPrivilege	13092	dwm.exe
Token: 33	13092	dwm.exe
Token: SeIncBasePriorityPrivilege	13092	dwm.exe
Token: SeShutdownPrivilege	13092	dwm.exe
Token: SeCreatePagefilePrivilege	13092	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4080	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	84
PID 2660 wrote to memory of 4080	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	84
PID 2660 wrote to memory of 3352	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	85
PID 2660 wrote to memory of 3352	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	85
PID 2660 wrote to memory of 224	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	86
PID 2660 wrote to memory of 224	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	86
PID 2660 wrote to memory of 3772	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	87
PID 2660 wrote to memory of 3772	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	87
PID 2660 wrote to memory of 1608	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	88
PID 2660 wrote to memory of 1608	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	88
PID 2660 wrote to memory of 1524	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	89
PID 2660 wrote to memory of 1524	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	89
PID 2660 wrote to memory of 1276	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	90
PID 2660 wrote to memory of 1276	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	90
PID 2660 wrote to memory of 3216	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	91
PID 2660 wrote to memory of 3216	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	91
PID 2660 wrote to memory of 1472	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	92
PID 2660 wrote to memory of 1472	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	92
PID 2660 wrote to memory of 4836	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	93
PID 2660 wrote to memory of 4836	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	93
PID 2660 wrote to memory of 4576	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	94
PID 2660 wrote to memory of 4576	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	94
PID 2660 wrote to memory of 2148	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	95
PID 2660 wrote to memory of 2148	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	95
PID 2660 wrote to memory of 2412	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	96
PID 2660 wrote to memory of 2412	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	96
PID 2660 wrote to memory of 4140	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	97
PID 2660 wrote to memory of 4140	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	97
PID 2660 wrote to memory of 3760	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	98
PID 2660 wrote to memory of 3760	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	98
PID 2660 wrote to memory of 4252	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	99
PID 2660 wrote to memory of 4252	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	99
PID 2660 wrote to memory of 4692	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	100
PID 2660 wrote to memory of 4692	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	100
PID 2660 wrote to memory of 1264	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	101
PID 2660 wrote to memory of 1264	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	101
PID 2660 wrote to memory of 3152	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	102
PID 2660 wrote to memory of 3152	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	102
PID 2660 wrote to memory of 4872	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	103
PID 2660 wrote to memory of 4872	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	103
PID 2660 wrote to memory of 1080	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	104
PID 2660 wrote to memory of 1080	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	104
PID 2660 wrote to memory of 3044	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	105
PID 2660 wrote to memory of 3044	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	105
PID 2660 wrote to memory of 1444	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	106
PID 2660 wrote to memory of 1444	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	106
PID 2660 wrote to memory of 380	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	107
PID 2660 wrote to memory of 380	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	107
PID 2660 wrote to memory of 1092	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	108
PID 2660 wrote to memory of 1092	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	108
PID 2660 wrote to memory of 4464	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	109
PID 2660 wrote to memory of 4464	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	109
PID 2660 wrote to memory of 736	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	110
PID 2660 wrote to memory of 736	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	110
PID 2660 wrote to memory of 3520	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	111
PID 2660 wrote to memory of 3520	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	111
PID 2660 wrote to memory of 2616	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	112
PID 2660 wrote to memory of 2616	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	112
PID 2660 wrote to memory of 4452	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	113
PID 2660 wrote to memory of 4452	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	113
PID 2660 wrote to memory of 532	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	114
PID 2660 wrote to memory of 532	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	114
PID 2660 wrote to memory of 1528	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	115
PID 2660 wrote to memory of 1528	2660	192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\192a53bc8882a3c1a328a8f9da19e9e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\ROSJmGV.exe
  C:\Windows\System32\ROSJmGV.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\kdUwPIj.exe
  C:\Windows\System32\kdUwPIj.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\rdjGucL.exe
  C:\Windows\System32\rdjGucL.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\djvVDci.exe
  C:\Windows\System32\djvVDci.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System32\AXuRyAS.exe
  C:\Windows\System32\AXuRyAS.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\SljWsdm.exe
  C:\Windows\System32\SljWsdm.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System32\XmXElqD.exe
  C:\Windows\System32\XmXElqD.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\ioxVmQK.exe
  C:\Windows\System32\ioxVmQK.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System32\oSJCkgW.exe
  C:\Windows\System32\oSJCkgW.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\ZpsWLap.exe
  C:\Windows\System32\ZpsWLap.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\SFIgnPl.exe
  C:\Windows\System32\SFIgnPl.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\LflYCSs.exe
  C:\Windows\System32\LflYCSs.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\BAPWhYK.exe
  C:\Windows\System32\BAPWhYK.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\ljKfGqR.exe
  C:\Windows\System32\ljKfGqR.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\bwUehDE.exe
  C:\Windows\System32\bwUehDE.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\aMzcHCv.exe
  C:\Windows\System32\aMzcHCv.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\iCZpsco.exe
  C:\Windows\System32\iCZpsco.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\VijtVey.exe
  C:\Windows\System32\VijtVey.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\ZbhvQPU.exe
  C:\Windows\System32\ZbhvQPU.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\CzHDoOs.exe
  C:\Windows\System32\CzHDoOs.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\LIzNMDj.exe
  C:\Windows\System32\LIzNMDj.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\BTLGelW.exe
  C:\Windows\System32\BTLGelW.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\JKQzZTz.exe
  C:\Windows\System32\JKQzZTz.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\zbntHJP.exe
  C:\Windows\System32\zbntHJP.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System32\mRSemxy.exe
  C:\Windows\System32\mRSemxy.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\aJvUymC.exe
  C:\Windows\System32\aJvUymC.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\DsrZgFF.exe
  C:\Windows\System32\DsrZgFF.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\brxsLMu.exe
  C:\Windows\System32\brxsLMu.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System32\DWYLDnN.exe
  C:\Windows\System32\DWYLDnN.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\EhMFvCR.exe
  C:\Windows\System32\EhMFvCR.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\OsYzhEH.exe
  C:\Windows\System32\OsYzhEH.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\SMNptCQ.exe
  C:\Windows\System32\SMNptCQ.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\AclgyoR.exe
  C:\Windows\System32\AclgyoR.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\mdYPmHv.exe
  C:\Windows\System32\mdYPmHv.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\DWcLlxJ.exe
  C:\Windows\System32\DWcLlxJ.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\rsUASsr.exe
  C:\Windows\System32\rsUASsr.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\znwBITs.exe
  C:\Windows\System32\znwBITs.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System32\RqEgsqT.exe
  C:\Windows\System32\RqEgsqT.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System32\FfaHcey.exe
  C:\Windows\System32\FfaHcey.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\EiSHPfd.exe
  C:\Windows\System32\EiSHPfd.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System32\ebWGNPi.exe
  C:\Windows\System32\ebWGNPi.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\IKohERS.exe
  C:\Windows\System32\IKohERS.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\XDDfIQt.exe
  C:\Windows\System32\XDDfIQt.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System32\kXFbafe.exe
  C:\Windows\System32\kXFbafe.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\ObAexOT.exe
  C:\Windows\System32\ObAexOT.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\ptaBtKP.exe
  C:\Windows\System32\ptaBtKP.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System32\OxHbcGu.exe
  C:\Windows\System32\OxHbcGu.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\WnDZZOC.exe
  C:\Windows\System32\WnDZZOC.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\NpyUvDM.exe
  C:\Windows\System32\NpyUvDM.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\OnqSlVo.exe
  C:\Windows\System32\OnqSlVo.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\TqqygRQ.exe
  C:\Windows\System32\TqqygRQ.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\hWPXwfZ.exe
  C:\Windows\System32\hWPXwfZ.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\oiSqHZx.exe
  C:\Windows\System32\oiSqHZx.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\EMVnPKK.exe
  C:\Windows\System32\EMVnPKK.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\pkTqPZo.exe
  C:\Windows\System32\pkTqPZo.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System32\JJrUgIc.exe
  C:\Windows\System32\JJrUgIc.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\RmQZHOi.exe
  C:\Windows\System32\RmQZHOi.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\GwIbvHW.exe
  C:\Windows\System32\GwIbvHW.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\JNKFlAU.exe
  C:\Windows\System32\JNKFlAU.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\ILjRnoh.exe
  C:\Windows\System32\ILjRnoh.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\XcUtvAZ.exe
  C:\Windows\System32\XcUtvAZ.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\ylzsBSK.exe
  C:\Windows\System32\ylzsBSK.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\ECIBITw.exe
  C:\Windows\System32\ECIBITw.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\kiCbZFC.exe
  C:\Windows\System32\kiCbZFC.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\QygNyoS.exe
  C:\Windows\System32\QygNyoS.exe
  2⤵
  PID:5104
- C:\Windows\System32\pIAWLDc.exe
  C:\Windows\System32\pIAWLDc.exe
  2⤵
  PID:1720
- C:\Windows\System32\JpBcBuT.exe
  C:\Windows\System32\JpBcBuT.exe
  2⤵
  PID:4660
- C:\Windows\System32\GwVzxaM.exe
  C:\Windows\System32\GwVzxaM.exe
  2⤵
  PID:1728
- C:\Windows\System32\CaZTCBK.exe
  C:\Windows\System32\CaZTCBK.exe
  2⤵
  PID:3856
- C:\Windows\System32\gxQKCwE.exe
  C:\Windows\System32\gxQKCwE.exe
  2⤵
  PID:3276
- C:\Windows\System32\zlwOPbY.exe
  C:\Windows\System32\zlwOPbY.exe
  2⤵
  PID:1200
- C:\Windows\System32\dmaCKYL.exe
  C:\Windows\System32\dmaCKYL.exe
  2⤵
  PID:4396
- C:\Windows\System32\WDfxoHY.exe
  C:\Windows\System32\WDfxoHY.exe
  2⤵
  PID:3660
- C:\Windows\System32\RtGoDtd.exe
  C:\Windows\System32\RtGoDtd.exe
  2⤵
  PID:4016
- C:\Windows\System32\QmtdIpi.exe
  C:\Windows\System32\QmtdIpi.exe
  2⤵
  PID:1484
- C:\Windows\System32\BRopJIE.exe
  C:\Windows\System32\BRopJIE.exe
  2⤵
  PID:2568
- C:\Windows\System32\bqwftXq.exe
  C:\Windows\System32\bqwftXq.exe
  2⤵
  PID:4588
- C:\Windows\System32\aMShapH.exe
  C:\Windows\System32\aMShapH.exe
  2⤵
  PID:3212
- C:\Windows\System32\ALSkdkB.exe
  C:\Windows\System32\ALSkdkB.exe
  2⤵
  PID:968
- C:\Windows\System32\YYgriwT.exe
  C:\Windows\System32\YYgriwT.exe
  2⤵
  PID:3776
- C:\Windows\System32\TyULVsy.exe
  C:\Windows\System32\TyULVsy.exe
  2⤵
  PID:448
- C:\Windows\System32\nLcYgeR.exe
  C:\Windows\System32\nLcYgeR.exe
  2⤵
  PID:3024
- C:\Windows\System32\fIewscf.exe
  C:\Windows\System32\fIewscf.exe
  2⤵
  PID:1864
- C:\Windows\System32\yakVijV.exe
  C:\Windows\System32\yakVijV.exe
  2⤵
  PID:2004
- C:\Windows\System32\mvyrZYX.exe
  C:\Windows\System32\mvyrZYX.exe
  2⤵
  PID:3372
- C:\Windows\System32\lrNwGWg.exe
  C:\Windows\System32\lrNwGWg.exe
  2⤵
  PID:3724
- C:\Windows\System32\KKOnucu.exe
  C:\Windows\System32\KKOnucu.exe
  2⤵
  PID:5132
- C:\Windows\System32\QLIPxOV.exe
  C:\Windows\System32\QLIPxOV.exe
  2⤵
  PID:5160
- C:\Windows\System32\zkVPAXW.exe
  C:\Windows\System32\zkVPAXW.exe
  2⤵
  PID:5188
- C:\Windows\System32\xoIodbp.exe
  C:\Windows\System32\xoIodbp.exe
  2⤵
  PID:5216
- C:\Windows\System32\NcmlMFo.exe
  C:\Windows\System32\NcmlMFo.exe
  2⤵
  PID:5244
- C:\Windows\System32\nOxzdxx.exe
  C:\Windows\System32\nOxzdxx.exe
  2⤵
  PID:5272
- C:\Windows\System32\viiZijb.exe
  C:\Windows\System32\viiZijb.exe
  2⤵
  PID:5300
- C:\Windows\System32\kXliCXt.exe
  C:\Windows\System32\kXliCXt.exe
  2⤵
  PID:5328
- C:\Windows\System32\nanDTDw.exe
  C:\Windows\System32\nanDTDw.exe
  2⤵
  PID:5356
- C:\Windows\System32\eVLcuUE.exe
  C:\Windows\System32\eVLcuUE.exe
  2⤵
  PID:5384
- C:\Windows\System32\QmXSTxL.exe
  C:\Windows\System32\QmXSTxL.exe
  2⤵
  PID:5412
- C:\Windows\System32\MrtotqB.exe
  C:\Windows\System32\MrtotqB.exe
  2⤵
  PID:5444
- C:\Windows\System32\XRCsHXq.exe
  C:\Windows\System32\XRCsHXq.exe
  2⤵
  PID:5468
- C:\Windows\System32\ZbhcCQJ.exe
  C:\Windows\System32\ZbhcCQJ.exe
  2⤵
  PID:5496
- C:\Windows\System32\dluctRr.exe
  C:\Windows\System32\dluctRr.exe
  2⤵
  PID:5524
- C:\Windows\System32\ozoikLN.exe
  C:\Windows\System32\ozoikLN.exe
  2⤵
  PID:5552
- C:\Windows\System32\zyJsetJ.exe
  C:\Windows\System32\zyJsetJ.exe
  2⤵
  PID:5580
- C:\Windows\System32\RWDgJjX.exe
  C:\Windows\System32\RWDgJjX.exe
  2⤵
  PID:5608
- C:\Windows\System32\HEhZcOv.exe
  C:\Windows\System32\HEhZcOv.exe
  2⤵
  PID:5636
- C:\Windows\System32\YCIXpNG.exe
  C:\Windows\System32\YCIXpNG.exe
  2⤵
  PID:5664
- C:\Windows\System32\xkyylYJ.exe
  C:\Windows\System32\xkyylYJ.exe
  2⤵
  PID:5692
- C:\Windows\System32\hJFzdRN.exe
  C:\Windows\System32\hJFzdRN.exe
  2⤵
  PID:5720
- C:\Windows\System32\KzxKElk.exe
  C:\Windows\System32\KzxKElk.exe
  2⤵
  PID:5748
- C:\Windows\System32\YOmSltn.exe
  C:\Windows\System32\YOmSltn.exe
  2⤵
  PID:5776
- C:\Windows\System32\fJQUJlC.exe
  C:\Windows\System32\fJQUJlC.exe
  2⤵
  PID:5804
- C:\Windows\System32\swSGhmJ.exe
  C:\Windows\System32\swSGhmJ.exe
  2⤵
  PID:5832
- C:\Windows\System32\LzhcatG.exe
  C:\Windows\System32\LzhcatG.exe
  2⤵
  PID:5860
- C:\Windows\System32\aPQnOgY.exe
  C:\Windows\System32\aPQnOgY.exe
  2⤵
  PID:5888
- C:\Windows\System32\GFkufdl.exe
  C:\Windows\System32\GFkufdl.exe
  2⤵
  PID:5916
- C:\Windows\System32\iHGfYjO.exe
  C:\Windows\System32\iHGfYjO.exe
  2⤵
  PID:5944
- C:\Windows\System32\HLYgtvA.exe
  C:\Windows\System32\HLYgtvA.exe
  2⤵
  PID:5972
- C:\Windows\System32\NymvcuF.exe
  C:\Windows\System32\NymvcuF.exe
  2⤵
  PID:6000
- C:\Windows\System32\ljbLEiF.exe
  C:\Windows\System32\ljbLEiF.exe
  2⤵
  PID:6028
- C:\Windows\System32\QDRqFcs.exe
  C:\Windows\System32\QDRqFcs.exe
  2⤵
  PID:6056
- C:\Windows\System32\hXpORYd.exe
  C:\Windows\System32\hXpORYd.exe
  2⤵
  PID:6084
- C:\Windows\System32\somzwlw.exe
  C:\Windows\System32\somzwlw.exe
  2⤵
  PID:6112
- C:\Windows\System32\HdzxemP.exe
  C:\Windows\System32\HdzxemP.exe
  2⤵
  PID:6140
- C:\Windows\System32\DagUlxm.exe
  C:\Windows\System32\DagUlxm.exe
  2⤵
  PID:5152
- C:\Windows\System32\ZfGyEMz.exe
  C:\Windows\System32\ZfGyEMz.exe
  2⤵
  PID:5168
- C:\Windows\System32\QmRcQlM.exe
  C:\Windows\System32\QmRcQlM.exe
  2⤵
  PID:1804
- C:\Windows\System32\Dambjph.exe
  C:\Windows\System32\Dambjph.exe
  2⤵
  PID:3348
- C:\Windows\System32\vciPbxS.exe
  C:\Windows\System32\vciPbxS.exe
  2⤵
  PID:5348
- C:\Windows\System32\NlOZBfj.exe
  C:\Windows\System32\NlOZBfj.exe
  2⤵
  PID:3112
- C:\Windows\System32\EoZSZJv.exe
  C:\Windows\System32\EoZSZJv.exe
  2⤵
  PID:4088
- C:\Windows\System32\KqoYevy.exe
  C:\Windows\System32\KqoYevy.exe
  2⤵
  PID:5460
- C:\Windows\System32\wcVqzAa.exe
  C:\Windows\System32\wcVqzAa.exe
  2⤵
  PID:5488
- C:\Windows\System32\IpVTQFM.exe
  C:\Windows\System32\IpVTQFM.exe
  2⤵
  PID:5540
- C:\Windows\System32\EcUyrcq.exe
  C:\Windows\System32\EcUyrcq.exe
  2⤵
  PID:5560
- C:\Windows\System32\vkUbNCl.exe
  C:\Windows\System32\vkUbNCl.exe
  2⤵
  PID:5616
- C:\Windows\System32\cBzPUEK.exe
  C:\Windows\System32\cBzPUEK.exe
  2⤵
  PID:5644
- C:\Windows\System32\WsIHHDf.exe
  C:\Windows\System32\WsIHHDf.exe
  2⤵
  PID:5672
- C:\Windows\System32\lGgMlrA.exe
  C:\Windows\System32\lGgMlrA.exe
  2⤵
  PID:5712
- C:\Windows\System32\WXiBnKh.exe
  C:\Windows\System32\WXiBnKh.exe
  2⤵
  PID:5060
- C:\Windows\System32\QrAqMqx.exe
  C:\Windows\System32\QrAqMqx.exe
  2⤵
  PID:5932
- C:\Windows\System32\xFGtfWs.exe
  C:\Windows\System32\xFGtfWs.exe
  2⤵
  PID:5952
- C:\Windows\System32\kELmqEl.exe
  C:\Windows\System32\kELmqEl.exe
  2⤵
  PID:1196
- C:\Windows\System32\aNraxSm.exe
  C:\Windows\System32\aNraxSm.exe
  2⤵
  PID:6020
- C:\Windows\System32\uViZjFh.exe
  C:\Windows\System32\uViZjFh.exe
  2⤵
  PID:6036
- C:\Windows\System32\JUSkmit.exe
  C:\Windows\System32\JUSkmit.exe
  2⤵
  PID:624
- C:\Windows\System32\pSDUwsa.exe
  C:\Windows\System32\pSDUwsa.exe
  2⤵
  PID:4812
- C:\Windows\System32\INULxgx.exe
  C:\Windows\System32\INULxgx.exe
  2⤵
  PID:2200
- C:\Windows\System32\owLsEiq.exe
  C:\Windows\System32\owLsEiq.exe
  2⤵
  PID:6132
- C:\Windows\System32\tsfrUMW.exe
  C:\Windows\System32\tsfrUMW.exe
  2⤵
  PID:2908
- C:\Windows\System32\nCtqhIk.exe
  C:\Windows\System32\nCtqhIk.exe
  2⤵
  PID:4484
- C:\Windows\System32\BZooLLl.exe
  C:\Windows\System32\BZooLLl.exe
  2⤵
  PID:1544
- C:\Windows\System32\tEbsBSK.exe
  C:\Windows\System32\tEbsBSK.exe
  2⤵
  PID:5376
- C:\Windows\System32\CNUtuWP.exe
  C:\Windows\System32\CNUtuWP.exe
  2⤵
  PID:5424
- C:\Windows\System32\TIIZGzK.exe
  C:\Windows\System32\TIIZGzK.exe
  2⤵
  PID:5504
- C:\Windows\System32\SRlmqHu.exe
  C:\Windows\System32\SRlmqHu.exe
  2⤵
  PID:6044
- C:\Windows\System32\RBYzfjI.exe
  C:\Windows\System32\RBYzfjI.exe
  2⤵
  PID:452
- C:\Windows\System32\rjdMWDK.exe
  C:\Windows\System32\rjdMWDK.exe
  2⤵
  PID:6100
- C:\Windows\System32\BAhfhCu.exe
  C:\Windows\System32\BAhfhCu.exe
  2⤵
  PID:5980
- C:\Windows\System32\ngosBrW.exe
  C:\Windows\System32\ngosBrW.exe
  2⤵
  PID:4968
- C:\Windows\System32\lApVUAr.exe
  C:\Windows\System32\lApVUAr.exe
  2⤵
  PID:4176
- C:\Windows\System32\ReYMsqE.exe
  C:\Windows\System32\ReYMsqE.exe
  2⤵
  PID:5208
- C:\Windows\System32\OuuryXu.exe
  C:\Windows\System32\OuuryXu.exe
  2⤵
  PID:5140
- C:\Windows\System32\RFpcvMO.exe
  C:\Windows\System32\RFpcvMO.exe
  2⤵
  PID:2532
- C:\Windows\System32\ERZhRdA.exe
  C:\Windows\System32\ERZhRdA.exe
  2⤵
  PID:6064
- C:\Windows\System32\uNoNrXw.exe
  C:\Windows\System32\uNoNrXw.exe
  2⤵
  PID:4372
- C:\Windows\System32\pMLsLqX.exe
  C:\Windows\System32\pMLsLqX.exe
  2⤵
  PID:6212
- C:\Windows\System32\XTyeAgF.exe
  C:\Windows\System32\XTyeAgF.exe
  2⤵
  PID:6248
- C:\Windows\System32\CTlfFSc.exe
  C:\Windows\System32\CTlfFSc.exe
  2⤵
  PID:6264
- C:\Windows\System32\GAXQbuQ.exe
  C:\Windows\System32\GAXQbuQ.exe
  2⤵
  PID:6288
- C:\Windows\System32\vYVknBQ.exe
  C:\Windows\System32\vYVknBQ.exe
  2⤵
  PID:6304
- C:\Windows\System32\DKeDNqI.exe
  C:\Windows\System32\DKeDNqI.exe
  2⤵
  PID:6368
- C:\Windows\System32\LOPkvYB.exe
  C:\Windows\System32\LOPkvYB.exe
  2⤵
  PID:6440
- C:\Windows\System32\yQTUUHk.exe
  C:\Windows\System32\yQTUUHk.exe
  2⤵
  PID:6472
- C:\Windows\System32\KRpIVek.exe
  C:\Windows\System32\KRpIVek.exe
  2⤵
  PID:6500
- C:\Windows\System32\mNscvGT.exe
  C:\Windows\System32\mNscvGT.exe
  2⤵
  PID:6528
- C:\Windows\System32\mJHwjxz.exe
  C:\Windows\System32\mJHwjxz.exe
  2⤵
  PID:6552
- C:\Windows\System32\RrqsFBd.exe
  C:\Windows\System32\RrqsFBd.exe
  2⤵
  PID:6596
- C:\Windows\System32\mgziRLO.exe
  C:\Windows\System32\mgziRLO.exe
  2⤵
  PID:6616
- C:\Windows\System32\hBawzBh.exe
  C:\Windows\System32\hBawzBh.exe
  2⤵
  PID:6632
- C:\Windows\System32\hOowjcY.exe
  C:\Windows\System32\hOowjcY.exe
  2⤵
  PID:6652
- C:\Windows\System32\tAKhFhe.exe
  C:\Windows\System32\tAKhFhe.exe
  2⤵
  PID:6668
- C:\Windows\System32\ryqPxql.exe
  C:\Windows\System32\ryqPxql.exe
  2⤵
  PID:6692
- C:\Windows\System32\nWRXkFH.exe
  C:\Windows\System32\nWRXkFH.exe
  2⤵
  PID:6744
- C:\Windows\System32\yHABnca.exe
  C:\Windows\System32\yHABnca.exe
  2⤵
  PID:6760
- C:\Windows\System32\istovYs.exe
  C:\Windows\System32\istovYs.exe
  2⤵
  PID:6792
- C:\Windows\System32\KhZuFvd.exe
  C:\Windows\System32\KhZuFvd.exe
  2⤵
  PID:6808
- C:\Windows\System32\gPdMESg.exe
  C:\Windows\System32\gPdMESg.exe
  2⤵
  PID:6824
- C:\Windows\System32\QsAcPoU.exe
  C:\Windows\System32\QsAcPoU.exe
  2⤵
  PID:6840
- C:\Windows\System32\nTeYfbE.exe
  C:\Windows\System32\nTeYfbE.exe
  2⤵
  PID:6856
- C:\Windows\System32\AXatDAD.exe
  C:\Windows\System32\AXatDAD.exe
  2⤵
  PID:6888
- C:\Windows\System32\AJKpjHE.exe
  C:\Windows\System32\AJKpjHE.exe
  2⤵
  PID:6908
- C:\Windows\System32\yHTlavk.exe
  C:\Windows\System32\yHTlavk.exe
  2⤵
  PID:6928
- C:\Windows\System32\TvCsoTq.exe
  C:\Windows\System32\TvCsoTq.exe
  2⤵
  PID:6948
- C:\Windows\System32\EJbQQyR.exe
  C:\Windows\System32\EJbQQyR.exe
  2⤵
  PID:6964
- C:\Windows\System32\CBfjxgP.exe
  C:\Windows\System32\CBfjxgP.exe
  2⤵
  PID:6988
- C:\Windows\System32\wckZYbt.exe
  C:\Windows\System32\wckZYbt.exe
  2⤵
  PID:7008
- C:\Windows\System32\VmCCPQI.exe
  C:\Windows\System32\VmCCPQI.exe
  2⤵
  PID:7032
- C:\Windows\System32\iTqPctF.exe
  C:\Windows\System32\iTqPctF.exe
  2⤵
  PID:7080
- C:\Windows\System32\WpyhbWw.exe
  C:\Windows\System32\WpyhbWw.exe
  2⤵
  PID:7132
- C:\Windows\System32\ihJRnKg.exe
  C:\Windows\System32\ihJRnKg.exe
  2⤵
  PID:7152
- C:\Windows\System32\zQfaBci.exe
  C:\Windows\System32\zQfaBci.exe
  2⤵
  PID:4768
- C:\Windows\System32\AQfCMUi.exe
  C:\Windows\System32\AQfCMUi.exe
  2⤵
  PID:6280
- C:\Windows\System32\gWIAXWj.exe
  C:\Windows\System32\gWIAXWj.exe
  2⤵
  PID:6364
- C:\Windows\System32\BEcvbmz.exe
  C:\Windows\System32\BEcvbmz.exe
  2⤵
  PID:6456
- C:\Windows\System32\bNNqbkR.exe
  C:\Windows\System32\bNNqbkR.exe
  2⤵
  PID:3100
- C:\Windows\System32\AnwUatg.exe
  C:\Windows\System32\AnwUatg.exe
  2⤵
  PID:6568
- C:\Windows\System32\yeutERn.exe
  C:\Windows\System32\yeutERn.exe
  2⤵
  PID:6072
- C:\Windows\System32\UAYIVBC.exe
  C:\Windows\System32\UAYIVBC.exe
  2⤵
  PID:5516
- C:\Windows\System32\ACzinMk.exe
  C:\Windows\System32\ACzinMk.exe
  2⤵
  PID:6680
- C:\Windows\System32\ChaeeOB.exe
  C:\Windows\System32\ChaeeOB.exe
  2⤵
  PID:6664
- C:\Windows\System32\AgWUEHi.exe
  C:\Windows\System32\AgWUEHi.exe
  2⤵
  PID:6788
- C:\Windows\System32\LBEXRWE.exe
  C:\Windows\System32\LBEXRWE.exe
  2⤵
  PID:6752
- C:\Windows\System32\fOLNwvA.exe
  C:\Windows\System32\fOLNwvA.exe
  2⤵
  PID:6816
- C:\Windows\System32\yYoUMHM.exe
  C:\Windows\System32\yYoUMHM.exe
  2⤵
  PID:7064
- C:\Windows\System32\SvsVXaS.exe
  C:\Windows\System32\SvsVXaS.exe
  2⤵
  PID:5896
- C:\Windows\System32\RfWmraO.exe
  C:\Windows\System32\RfWmraO.exe
  2⤵
  PID:7044
- C:\Windows\System32\uKsngGJ.exe
  C:\Windows\System32\uKsngGJ.exe
  2⤵
  PID:7100
- C:\Windows\System32\NdGlROP.exe
  C:\Windows\System32\NdGlROP.exe
  2⤵
  PID:4356
- C:\Windows\System32\bHaGJRn.exe
  C:\Windows\System32\bHaGJRn.exe
  2⤵
  PID:6204
- C:\Windows\System32\gWxHoDA.exe
  C:\Windows\System32\gWxHoDA.exe
  2⤵
  PID:6460
- C:\Windows\System32\ySpmMtp.exe
  C:\Windows\System32\ySpmMtp.exe
  2⤵
  PID:5288
- C:\Windows\System32\PjPAcCb.exe
  C:\Windows\System32\PjPAcCb.exe
  2⤵
  PID:6644
- C:\Windows\System32\ohAsytZ.exe
  C:\Windows\System32\ohAsytZ.exe
  2⤵
  PID:6864
- C:\Windows\System32\ArMccsV.exe
  C:\Windows\System32\ArMccsV.exe
  2⤵
  PID:6736
- C:\Windows\System32\AWoelBj.exe
  C:\Windows\System32\AWoelBj.exe
  2⤵
  PID:6980
- C:\Windows\System32\Pxcwowh.exe
  C:\Windows\System32\Pxcwowh.exe
  2⤵
  PID:7124
- C:\Windows\System32\kuZCgso.exe
  C:\Windows\System32\kuZCgso.exe
  2⤵
  PID:5068
- C:\Windows\System32\hufCQbj.exe
  C:\Windows\System32\hufCQbj.exe
  2⤵
  PID:6008
- C:\Windows\System32\ADnlDgs.exe
  C:\Windows\System32\ADnlDgs.exe
  2⤵
  PID:6544
- C:\Windows\System32\vQpCChO.exe
  C:\Windows\System32\vQpCChO.exe
  2⤵
  PID:7164
- C:\Windows\System32\QAxwRBF.exe
  C:\Windows\System32\QAxwRBF.exe
  2⤵
  PID:6660
- C:\Windows\System32\uqvMXsX.exe
  C:\Windows\System32\uqvMXsX.exe
  2⤵
  PID:7200
- C:\Windows\System32\CfoixUq.exe
  C:\Windows\System32\CfoixUq.exe
  2⤵
  PID:7240
- C:\Windows\System32\OKLbrkR.exe
  C:\Windows\System32\OKLbrkR.exe
  2⤵
  PID:7268
- C:\Windows\System32\leWOWYS.exe
  C:\Windows\System32\leWOWYS.exe
  2⤵
  PID:7296
- C:\Windows\System32\HXgxORZ.exe
  C:\Windows\System32\HXgxORZ.exe
  2⤵
  PID:7320
- C:\Windows\System32\dPKgzBG.exe
  C:\Windows\System32\dPKgzBG.exe
  2⤵
  PID:7348
- C:\Windows\System32\hgXORjx.exe
  C:\Windows\System32\hgXORjx.exe
  2⤵
  PID:7372
- C:\Windows\System32\bXnhYfp.exe
  C:\Windows\System32\bXnhYfp.exe
  2⤵
  PID:7392
- C:\Windows\System32\ogbhOeX.exe
  C:\Windows\System32\ogbhOeX.exe
  2⤵
  PID:7420
- C:\Windows\System32\yyagESd.exe
  C:\Windows\System32\yyagESd.exe
  2⤵
  PID:7436
- C:\Windows\System32\JiWsiMz.exe
  C:\Windows\System32\JiWsiMz.exe
  2⤵
  PID:7456
- C:\Windows\System32\TqhlxkD.exe
  C:\Windows\System32\TqhlxkD.exe
  2⤵
  PID:7484
- C:\Windows\System32\BlJpKPL.exe
  C:\Windows\System32\BlJpKPL.exe
  2⤵
  PID:7504
- C:\Windows\System32\DieAOlf.exe
  C:\Windows\System32\DieAOlf.exe
  2⤵
  PID:7540
- C:\Windows\System32\vGwgOMJ.exe
  C:\Windows\System32\vGwgOMJ.exe
  2⤵
  PID:7596
- C:\Windows\System32\PoPwwJC.exe
  C:\Windows\System32\PoPwwJC.exe
  2⤵
  PID:7612
- C:\Windows\System32\BUHnHLD.exe
  C:\Windows\System32\BUHnHLD.exe
  2⤵
  PID:7636
- C:\Windows\System32\twHGENU.exe
  C:\Windows\System32\twHGENU.exe
  2⤵
  PID:7664
- C:\Windows\System32\AfRmFPI.exe
  C:\Windows\System32\AfRmFPI.exe
  2⤵
  PID:7684
- C:\Windows\System32\gSLddNc.exe
  C:\Windows\System32\gSLddNc.exe
  2⤵
  PID:7708
- C:\Windows\System32\KJuggYe.exe
  C:\Windows\System32\KJuggYe.exe
  2⤵
  PID:7772
- C:\Windows\System32\MUCdclA.exe
  C:\Windows\System32\MUCdclA.exe
  2⤵
  PID:7792
- C:\Windows\System32\dCKOJtf.exe
  C:\Windows\System32\dCKOJtf.exe
  2⤵
  PID:7812
- C:\Windows\System32\qDCIKbX.exe
  C:\Windows\System32\qDCIKbX.exe
  2⤵
  PID:7840
- C:\Windows\System32\RQApXYZ.exe
  C:\Windows\System32\RQApXYZ.exe
  2⤵
  PID:7868
- C:\Windows\System32\eUtJGks.exe
  C:\Windows\System32\eUtJGks.exe
  2⤵
  PID:7900
- C:\Windows\System32\zTygtqS.exe
  C:\Windows\System32\zTygtqS.exe
  2⤵
  PID:7944
- C:\Windows\System32\rQLkNLT.exe
  C:\Windows\System32\rQLkNLT.exe
  2⤵
  PID:7968
- C:\Windows\System32\yPBcVIJ.exe
  C:\Windows\System32\yPBcVIJ.exe
  2⤵
  PID:8004
- C:\Windows\System32\uoXWzGc.exe
  C:\Windows\System32\uoXWzGc.exe
  2⤵
  PID:8024
- C:\Windows\System32\xUPPojI.exe
  C:\Windows\System32\xUPPojI.exe
  2⤵
  PID:8048
- C:\Windows\System32\SSjLQoe.exe
  C:\Windows\System32\SSjLQoe.exe
  2⤵
  PID:8068
- C:\Windows\System32\pGbNfIB.exe
  C:\Windows\System32\pGbNfIB.exe
  2⤵
  PID:8092
- C:\Windows\System32\fWRRTWi.exe
  C:\Windows\System32\fWRRTWi.exe
  2⤵
  PID:8124
- C:\Windows\System32\GvrWFde.exe
  C:\Windows\System32\GvrWFde.exe
  2⤵
  PID:8172
- C:\Windows\System32\KizMVRI.exe
  C:\Windows\System32\KizMVRI.exe
  2⤵
  PID:6848
- C:\Windows\System32\AfWMdPB.exe
  C:\Windows\System32\AfWMdPB.exe
  2⤵
  PID:7212
- C:\Windows\System32\MmMaMtQ.exe
  C:\Windows\System32\MmMaMtQ.exe
  2⤵
  PID:7280
- C:\Windows\System32\uVfOBXA.exe
  C:\Windows\System32\uVfOBXA.exe
  2⤵
  PID:7384
- C:\Windows\System32\zuAznFV.exe
  C:\Windows\System32\zuAznFV.exe
  2⤵
  PID:6592
- C:\Windows\System32\enAWVwm.exe
  C:\Windows\System32\enAWVwm.exe
  2⤵
  PID:7512
- C:\Windows\System32\lfbIHoQ.exe
  C:\Windows\System32\lfbIHoQ.exe
  2⤵
  PID:7552
- C:\Windows\System32\TyBXRPI.exe
  C:\Windows\System32\TyBXRPI.exe
  2⤵
  PID:7628
- C:\Windows\System32\FghDhaa.exe
  C:\Windows\System32\FghDhaa.exe
  2⤵
  PID:7648
- C:\Windows\System32\xWgayDj.exe
  C:\Windows\System32\xWgayDj.exe
  2⤵
  PID:7700
- C:\Windows\System32\VVZpfxw.exe
  C:\Windows\System32\VVZpfxw.exe
  2⤵
  PID:7820
- C:\Windows\System32\DZeOiEg.exe
  C:\Windows\System32\DZeOiEg.exe
  2⤵
  PID:7832
- C:\Windows\System32\NYCVfCD.exe
  C:\Windows\System32\NYCVfCD.exe
  2⤵
  PID:7928
- C:\Windows\System32\BWNLGkU.exe
  C:\Windows\System32\BWNLGkU.exe
  2⤵
  PID:7964
- C:\Windows\System32\vJYglYP.exe
  C:\Windows\System32\vJYglYP.exe
  2⤵
  PID:8060
- C:\Windows\System32\fgjuWge.exe
  C:\Windows\System32\fgjuWge.exe
  2⤵
  PID:8184
- C:\Windows\System32\HyWkjSD.exe
  C:\Windows\System32\HyWkjSD.exe
  2⤵
  PID:7196
- C:\Windows\System32\lXJkVTl.exe
  C:\Windows\System32\lXJkVTl.exe
  2⤵
  PID:7404
- C:\Windows\System32\pNpJbfW.exe
  C:\Windows\System32\pNpJbfW.exe
  2⤵
  PID:7528
- C:\Windows\System32\TKoBGQt.exe
  C:\Windows\System32\TKoBGQt.exe
  2⤵
  PID:7676
- C:\Windows\System32\bpDRqjU.exe
  C:\Windows\System32\bpDRqjU.exe
  2⤵
  PID:7760
- C:\Windows\System32\ewPxKHB.exe
  C:\Windows\System32\ewPxKHB.exe
  2⤵
  PID:7992
- C:\Windows\System32\xJioxBe.exe
  C:\Windows\System32\xJioxBe.exe
  2⤵
  PID:8044
- C:\Windows\System32\Yqbrsgv.exe
  C:\Windows\System32\Yqbrsgv.exe
  2⤵
  PID:8084
- C:\Windows\System32\ewZBHTF.exe
  C:\Windows\System32\ewZBHTF.exe
  2⤵
  PID:7248
- C:\Windows\System32\HGAvXiL.exe
  C:\Windows\System32\HGAvXiL.exe
  2⤵
  PID:7568
- C:\Windows\System32\gBTOUcb.exe
  C:\Windows\System32\gBTOUcb.exe
  2⤵
  PID:7724
- C:\Windows\System32\knhRQiK.exe
  C:\Windows\System32\knhRQiK.exe
  2⤵
  PID:6944
- C:\Windows\System32\XZHKmja.exe
  C:\Windows\System32\XZHKmja.exe
  2⤵
  PID:8232
- C:\Windows\System32\WBZbTFh.exe
  C:\Windows\System32\WBZbTFh.exe
  2⤵
  PID:8260
- C:\Windows\System32\YJHFXjY.exe
  C:\Windows\System32\YJHFXjY.exe
  2⤵
  PID:8280
- C:\Windows\System32\lOVdReN.exe
  C:\Windows\System32\lOVdReN.exe
  2⤵
  PID:8304
- C:\Windows\System32\GSvgkhO.exe
  C:\Windows\System32\GSvgkhO.exe
  2⤵
  PID:8320
- C:\Windows\System32\IunfAKt.exe
  C:\Windows\System32\IunfAKt.exe
  2⤵
  PID:8356
- C:\Windows\System32\snSmLlb.exe
  C:\Windows\System32\snSmLlb.exe
  2⤵
  PID:8380
- C:\Windows\System32\FVEdItH.exe
  C:\Windows\System32\FVEdItH.exe
  2⤵
  PID:8400
- C:\Windows\System32\JRghIyI.exe
  C:\Windows\System32\JRghIyI.exe
  2⤵
  PID:8424
- C:\Windows\System32\hkxYzfO.exe
  C:\Windows\System32\hkxYzfO.exe
  2⤵
  PID:8448
- C:\Windows\System32\wBtoCIZ.exe
  C:\Windows\System32\wBtoCIZ.exe
  2⤵
  PID:8468
- C:\Windows\System32\oJasMRf.exe
  C:\Windows\System32\oJasMRf.exe
  2⤵
  PID:8496
- C:\Windows\System32\dgsHNyr.exe
  C:\Windows\System32\dgsHNyr.exe
  2⤵
  PID:8516
- C:\Windows\System32\HrdyZyG.exe
  C:\Windows\System32\HrdyZyG.exe
  2⤵
  PID:8572
- C:\Windows\System32\VmNeBta.exe
  C:\Windows\System32\VmNeBta.exe
  2⤵
  PID:8600
- C:\Windows\System32\hlBoGjW.exe
  C:\Windows\System32\hlBoGjW.exe
  2⤵
  PID:8636
- C:\Windows\System32\csOpcWt.exe
  C:\Windows\System32\csOpcWt.exe
  2⤵
  PID:8664
- C:\Windows\System32\LlrXFJm.exe
  C:\Windows\System32\LlrXFJm.exe
  2⤵
  PID:8704
- C:\Windows\System32\dUcbhzp.exe
  C:\Windows\System32\dUcbhzp.exe
  2⤵
  PID:8736
- C:\Windows\System32\qqtFyLP.exe
  C:\Windows\System32\qqtFyLP.exe
  2⤵
  PID:8760
- C:\Windows\System32\pNPjvED.exe
  C:\Windows\System32\pNPjvED.exe
  2⤵
  PID:8800
- C:\Windows\System32\WlLlVcZ.exe
  C:\Windows\System32\WlLlVcZ.exe
  2⤵
  PID:8828
- C:\Windows\System32\tKibeTb.exe
  C:\Windows\System32\tKibeTb.exe
  2⤵
  PID:8844
- C:\Windows\System32\cEAYjLv.exe
  C:\Windows\System32\cEAYjLv.exe
  2⤵
  PID:8892
- C:\Windows\System32\pRgXQQe.exe
  C:\Windows\System32\pRgXQQe.exe
  2⤵
  PID:8908
- C:\Windows\System32\TFFkhdp.exe
  C:\Windows\System32\TFFkhdp.exe
  2⤵
  PID:8928
- C:\Windows\System32\oszlkLY.exe
  C:\Windows\System32\oszlkLY.exe
  2⤵
  PID:8956
- C:\Windows\System32\GnZSEiB.exe
  C:\Windows\System32\GnZSEiB.exe
  2⤵
  PID:8980
- C:\Windows\System32\blsnvaB.exe
  C:\Windows\System32\blsnvaB.exe
  2⤵
  PID:9000
- C:\Windows\System32\dgazeSV.exe
  C:\Windows\System32\dgazeSV.exe
  2⤵
  PID:9028
- C:\Windows\System32\XPpxWYy.exe
  C:\Windows\System32\XPpxWYy.exe
  2⤵
  PID:9084
- C:\Windows\System32\WFfPcaY.exe
  C:\Windows\System32\WFfPcaY.exe
  2⤵
  PID:9108
- C:\Windows\System32\TVTpxCi.exe
  C:\Windows\System32\TVTpxCi.exe
  2⤵
  PID:9136
- C:\Windows\System32\eQeHBtI.exe
  C:\Windows\System32\eQeHBtI.exe
  2⤵
  PID:9156
- C:\Windows\System32\MctIJtn.exe
  C:\Windows\System32\MctIJtn.exe
  2⤵
  PID:9192
- C:\Windows\System32\ZfLoEwt.exe
  C:\Windows\System32\ZfLoEwt.exe
  2⤵
  PID:6852
- C:\Windows\System32\vbOyUXn.exe
  C:\Windows\System32\vbOyUXn.exe
  2⤵
  PID:8272
- C:\Windows\System32\EiblOlV.exe
  C:\Windows\System32\EiblOlV.exe
  2⤵
  PID:8312
- C:\Windows\System32\VokzTxO.exe
  C:\Windows\System32\VokzTxO.exe
  2⤵
  PID:8392
- C:\Windows\System32\CSBpkKM.exe
  C:\Windows\System32\CSBpkKM.exe
  2⤵
  PID:8440
- C:\Windows\System32\KpNSNuo.exe
  C:\Windows\System32\KpNSNuo.exe
  2⤵
  PID:8480
- C:\Windows\System32\iYUajPo.exe
  C:\Windows\System32\iYUajPo.exe
  2⤵
  PID:8588
- C:\Windows\System32\AXJXPwl.exe
  C:\Windows\System32\AXJXPwl.exe
  2⤵
  PID:8692
- C:\Windows\System32\ccFSOkF.exe
  C:\Windows\System32\ccFSOkF.exe
  2⤵
  PID:228
- C:\Windows\System32\EQxoMDU.exe
  C:\Windows\System32\EQxoMDU.exe
  2⤵
  PID:8784
- C:\Windows\System32\fdrxDxK.exe
  C:\Windows\System32\fdrxDxK.exe
  2⤵
  PID:8840
- C:\Windows\System32\uxrPOmC.exe
  C:\Windows\System32\uxrPOmC.exe
  2⤵
  PID:8900
- C:\Windows\System32\VhaJcZZ.exe
  C:\Windows\System32\VhaJcZZ.exe
  2⤵
  PID:8964
- C:\Windows\System32\xZHqLQU.exe
  C:\Windows\System32\xZHqLQU.exe
  2⤵
  PID:8992
- C:\Windows\System32\duNKqWF.exe
  C:\Windows\System32\duNKqWF.exe
  2⤵
  PID:9152
- C:\Windows\System32\uoWGJKK.exe
  C:\Windows\System32\uoWGJKK.exe
  2⤵
  PID:9164
- C:\Windows\System32\AomawFf.exe
  C:\Windows\System32\AomawFf.exe
  2⤵
  PID:8200
- C:\Windows\System32\UjggFmF.exe
  C:\Windows\System32\UjggFmF.exe
  2⤵
  PID:8372
- C:\Windows\System32\MqbMOoi.exe
  C:\Windows\System32\MqbMOoi.exe
  2⤵
  PID:8808
- C:\Windows\System32\MpOrFES.exe
  C:\Windows\System32\MpOrFES.exe
  2⤵
  PID:9052
- C:\Windows\System32\RUbCgig.exe
  C:\Windows\System32\RUbCgig.exe
  2⤵
  PID:8920
- C:\Windows\System32\kIwdbas.exe
  C:\Windows\System32\kIwdbas.exe
  2⤵
  PID:9224
- C:\Windows\System32\YyzZxiI.exe
  C:\Windows\System32\YyzZxiI.exe
  2⤵
  PID:9240
- C:\Windows\System32\rPXOhOW.exe
  C:\Windows\System32\rPXOhOW.exe
  2⤵
  PID:9260
- C:\Windows\System32\EgLwpzk.exe
  C:\Windows\System32\EgLwpzk.exe
  2⤵
  PID:9276
- C:\Windows\System32\oXSLENB.exe
  C:\Windows\System32\oXSLENB.exe
  2⤵
  PID:9292
- C:\Windows\System32\rRPkdnD.exe
  C:\Windows\System32\rRPkdnD.exe
  2⤵
  PID:9308
- C:\Windows\System32\FkbuXjc.exe
  C:\Windows\System32\FkbuXjc.exe
  2⤵
  PID:9324
- C:\Windows\System32\ppIXSTm.exe
  C:\Windows\System32\ppIXSTm.exe
  2⤵
  PID:9340
- C:\Windows\System32\TIgofaU.exe
  C:\Windows\System32\TIgofaU.exe
  2⤵
  PID:9356
- C:\Windows\System32\qmBZcah.exe
  C:\Windows\System32\qmBZcah.exe
  2⤵
  PID:9372
- C:\Windows\System32\AnxsVSH.exe
  C:\Windows\System32\AnxsVSH.exe
  2⤵
  PID:9388
- C:\Windows\System32\HLrMxTH.exe
  C:\Windows\System32\HLrMxTH.exe
  2⤵
  PID:9408
- C:\Windows\System32\nYVTIRZ.exe
  C:\Windows\System32\nYVTIRZ.exe
  2⤵
  PID:9444
- C:\Windows\System32\PQVElNf.exe
  C:\Windows\System32\PQVElNf.exe
  2⤵
  PID:9588
- C:\Windows\System32\OXiDMdO.exe
  C:\Windows\System32\OXiDMdO.exe
  2⤵
  PID:9628
- C:\Windows\System32\HaznyZy.exe
  C:\Windows\System32\HaznyZy.exe
  2⤵
  PID:9656
- C:\Windows\System32\lyIiRGv.exe
  C:\Windows\System32\lyIiRGv.exe
  2⤵
  PID:9676
- C:\Windows\System32\yJPpxjU.exe
  C:\Windows\System32\yJPpxjU.exe
  2⤵
  PID:9696
- C:\Windows\System32\XPigAHG.exe
  C:\Windows\System32\XPigAHG.exe
  2⤵
  PID:9716
- C:\Windows\System32\WJjakYV.exe
  C:\Windows\System32\WJjakYV.exe
  2⤵
  PID:9776
- C:\Windows\System32\LIEfeXr.exe
  C:\Windows\System32\LIEfeXr.exe
  2⤵
  PID:9808
- C:\Windows\System32\SYHrLrx.exe
  C:\Windows\System32\SYHrLrx.exe
  2⤵
  PID:9832
- C:\Windows\System32\WrmdOAA.exe
  C:\Windows\System32\WrmdOAA.exe
  2⤵
  PID:9852
- C:\Windows\System32\gbpVWXP.exe
  C:\Windows\System32\gbpVWXP.exe
  2⤵
  PID:9876
- C:\Windows\System32\nYhuIAJ.exe
  C:\Windows\System32\nYhuIAJ.exe
  2⤵
  PID:9920
- C:\Windows\System32\slApFaA.exe
  C:\Windows\System32\slApFaA.exe
  2⤵
  PID:9944
- C:\Windows\System32\HmfttKa.exe
  C:\Windows\System32\HmfttKa.exe
  2⤵
  PID:9964
- C:\Windows\System32\XGCitCX.exe
  C:\Windows\System32\XGCitCX.exe
  2⤵
  PID:9984
- C:\Windows\System32\gWLIOqQ.exe
  C:\Windows\System32\gWLIOqQ.exe
  2⤵
  PID:10008
- C:\Windows\System32\DMLJVGc.exe
  C:\Windows\System32\DMLJVGc.exe
  2⤵
  PID:10036
- C:\Windows\System32\dJsEuzY.exe
  C:\Windows\System32\dJsEuzY.exe
  2⤵
  PID:10052
- C:\Windows\System32\BChxAyg.exe
  C:\Windows\System32\BChxAyg.exe
  2⤵
  PID:10072
- C:\Windows\System32\mdMliCX.exe
  C:\Windows\System32\mdMliCX.exe
  2⤵
  PID:10120
- C:\Windows\System32\ILYwtBf.exe
  C:\Windows\System32\ILYwtBf.exe
  2⤵
  PID:10156
- C:\Windows\System32\vUbpSKU.exe
  C:\Windows\System32\vUbpSKU.exe
  2⤵
  PID:10188
- C:\Windows\System32\cLhmwgf.exe
  C:\Windows\System32\cLhmwgf.exe
  2⤵
  PID:10220
- C:\Windows\System32\mDBQWgq.exe
  C:\Windows\System32\mDBQWgq.exe
  2⤵
  PID:8336
- C:\Windows\System32\iFoSmdK.exe
  C:\Windows\System32\iFoSmdK.exe
  2⤵
  PID:8484
- C:\Windows\System32\fHgiaYn.exe
  C:\Windows\System32\fHgiaYn.exe
  2⤵
  PID:9220
- C:\Windows\System32\dUVUAmp.exe
  C:\Windows\System32\dUVUAmp.exe
  2⤵
  PID:9256
- C:\Windows\System32\uMJfRWa.exe
  C:\Windows\System32\uMJfRWa.exe
  2⤵
  PID:9336
- C:\Windows\System32\cXWwdIa.exe
  C:\Windows\System32\cXWwdIa.exe
  2⤵
  PID:9368
- C:\Windows\System32\OpxraWB.exe
  C:\Windows\System32\OpxraWB.exe
  2⤵
  PID:9120
- C:\Windows\System32\DZUdIrn.exe
  C:\Windows\System32\DZUdIrn.exe
  2⤵
  PID:9420
- C:\Windows\System32\YZSXFtl.exe
  C:\Windows\System32\YZSXFtl.exe
  2⤵
  PID:9300
- C:\Windows\System32\CwiLANs.exe
  C:\Windows\System32\CwiLANs.exe
  2⤵
  PID:9532
- C:\Windows\System32\hUASzcD.exe
  C:\Windows\System32\hUASzcD.exe
  2⤵
  PID:9556
- C:\Windows\System32\PSJbiCB.exe
  C:\Windows\System32\PSJbiCB.exe
  2⤵
  PID:9684
- C:\Windows\System32\vgoxnpr.exe
  C:\Windows\System32\vgoxnpr.exe
  2⤵
  PID:9708
- C:\Windows\System32\DZIgSAh.exe
  C:\Windows\System32\DZIgSAh.exe
  2⤵
  PID:9724
- C:\Windows\System32\hHGNHuK.exe
  C:\Windows\System32\hHGNHuK.exe
  2⤵
  PID:9868
- C:\Windows\System32\cGWPVjw.exe
  C:\Windows\System32\cGWPVjw.exe
  2⤵
  PID:9908
- C:\Windows\System32\YLFwnAE.exe
  C:\Windows\System32\YLFwnAE.exe
  2⤵
  PID:9976
- C:\Windows\System32\XMZovsu.exe
  C:\Windows\System32\XMZovsu.exe
  2⤵
  PID:10020
- C:\Windows\System32\zySPUXE.exe
  C:\Windows\System32\zySPUXE.exe
  2⤵
  PID:10064
- C:\Windows\System32\VhJIisn.exe
  C:\Windows\System32\VhJIisn.exe
  2⤵
  PID:10164
- C:\Windows\System32\iAjHqzr.exe
  C:\Windows\System32\iAjHqzr.exe
  2⤵
  PID:8684
- C:\Windows\System32\cEmfZag.exe
  C:\Windows\System32\cEmfZag.exe
  2⤵
  PID:8476
- C:\Windows\System32\HSHoCyl.exe
  C:\Windows\System32\HSHoCyl.exe
  2⤵
  PID:9272
- C:\Windows\System32\BExwXmL.exe
  C:\Windows\System32\BExwXmL.exe
  2⤵
  PID:8852
- C:\Windows\System32\PsWKqyd.exe
  C:\Windows\System32\PsWKqyd.exe
  2⤵
  PID:9364
- C:\Windows\System32\UhkcWXc.exe
  C:\Windows\System32\UhkcWXc.exe
  2⤵
  PID:2628
- C:\Windows\System32\SHzPPgY.exe
  C:\Windows\System32\SHzPPgY.exe
  2⤵
  PID:9692
- C:\Windows\System32\deZQFdj.exe
  C:\Windows\System32\deZQFdj.exe
  2⤵
  PID:8948
- C:\Windows\System32\iecOrTt.exe
  C:\Windows\System32\iecOrTt.exe
  2⤵
  PID:10000
- C:\Windows\System32\Vxkidfq.exe
  C:\Windows\System32\Vxkidfq.exe
  2⤵
  PID:10232
- C:\Windows\System32\DwSJUMy.exe
  C:\Windows\System32\DwSJUMy.exe
  2⤵
  PID:8812
- C:\Windows\System32\swXgBtH.exe
  C:\Windows\System32\swXgBtH.exe
  2⤵
  PID:9380
- C:\Windows\System32\RXQnaSX.exe
  C:\Windows\System32\RXQnaSX.exe
  2⤵
  PID:3180
- C:\Windows\System32\JAxFvEs.exe
  C:\Windows\System32\JAxFvEs.exe
  2⤵
  PID:9772
- C:\Windows\System32\xtkgIVg.exe
  C:\Windows\System32\xtkgIVg.exe
  2⤵
  PID:8408
- C:\Windows\System32\RmCWHaj.exe
  C:\Windows\System32\RmCWHaj.exe
  2⤵
  PID:9640
- C:\Windows\System32\hOoOnmn.exe
  C:\Windows\System32\hOoOnmn.exe
  2⤵
  PID:9792
- C:\Windows\System32\pUxxuJc.exe
  C:\Windows\System32\pUxxuJc.exe
  2⤵
  PID:10256
- C:\Windows\System32\ZIpHKTb.exe
  C:\Windows\System32\ZIpHKTb.exe
  2⤵
  PID:10272
- C:\Windows\System32\FhvOyrw.exe
  C:\Windows\System32\FhvOyrw.exe
  2⤵
  PID:10292
- C:\Windows\System32\sTjtyMK.exe
  C:\Windows\System32\sTjtyMK.exe
  2⤵
  PID:10364
- C:\Windows\System32\UqupOhp.exe
  C:\Windows\System32\UqupOhp.exe
  2⤵
  PID:10388
- C:\Windows\System32\pxaVEgs.exe
  C:\Windows\System32\pxaVEgs.exe
  2⤵
  PID:10408
- C:\Windows\System32\fSkBAyt.exe
  C:\Windows\System32\fSkBAyt.exe
  2⤵
  PID:10440
- C:\Windows\System32\DaiPwvW.exe
  C:\Windows\System32\DaiPwvW.exe
  2⤵
  PID:10472
- C:\Windows\System32\KLCkqWw.exe
  C:\Windows\System32\KLCkqWw.exe
  2⤵
  PID:10488
- C:\Windows\System32\AUzpRIo.exe
  C:\Windows\System32\AUzpRIo.exe
  2⤵
  PID:10512
- C:\Windows\System32\gDYievO.exe
  C:\Windows\System32\gDYievO.exe
  2⤵
  PID:10548
- C:\Windows\System32\MYFGlXc.exe
  C:\Windows\System32\MYFGlXc.exe
  2⤵
  PID:10564
- C:\Windows\System32\nsEsRpy.exe
  C:\Windows\System32\nsEsRpy.exe
  2⤵
  PID:10580
- C:\Windows\System32\nAPykiR.exe
  C:\Windows\System32\nAPykiR.exe
  2⤵
  PID:10600
- C:\Windows\System32\JYHJhsV.exe
  C:\Windows\System32\JYHJhsV.exe
  2⤵
  PID:10636
- C:\Windows\System32\rcGXbMB.exe
  C:\Windows\System32\rcGXbMB.exe
  2⤵
  PID:10684
- C:\Windows\System32\RNZZeKt.exe
  C:\Windows\System32\RNZZeKt.exe
  2⤵
  PID:10712
- C:\Windows\System32\jLtwueg.exe
  C:\Windows\System32\jLtwueg.exe
  2⤵
  PID:10736
- C:\Windows\System32\IvQBKkT.exe
  C:\Windows\System32\IvQBKkT.exe
  2⤵
  PID:10764
- C:\Windows\System32\ogzbQqk.exe
  C:\Windows\System32\ogzbQqk.exe
  2⤵
  PID:10784
- C:\Windows\System32\eKBhNGA.exe
  C:\Windows\System32\eKBhNGA.exe
  2⤵
  PID:10800
- C:\Windows\System32\llJbgrT.exe
  C:\Windows\System32\llJbgrT.exe
  2⤵
  PID:10828
- C:\Windows\System32\TTcKRyp.exe
  C:\Windows\System32\TTcKRyp.exe
  2⤵
  PID:10860
- C:\Windows\System32\hdPYstj.exe
  C:\Windows\System32\hdPYstj.exe
  2⤵
  PID:10912
- C:\Windows\System32\mHDDKog.exe
  C:\Windows\System32\mHDDKog.exe
  2⤵
  PID:10940
- C:\Windows\System32\faRFXzt.exe
  C:\Windows\System32\faRFXzt.exe
  2⤵
  PID:10956
- C:\Windows\System32\ypppCmI.exe
  C:\Windows\System32\ypppCmI.exe
  2⤵
  PID:11016
- C:\Windows\System32\RxrbEFd.exe
  C:\Windows\System32\RxrbEFd.exe
  2⤵
  PID:11040
- C:\Windows\System32\UpCReNX.exe
  C:\Windows\System32\UpCReNX.exe
  2⤵
  PID:11056
- C:\Windows\System32\HcHhPoO.exe
  C:\Windows\System32\HcHhPoO.exe
  2⤵
  PID:11084
- C:\Windows\System32\hLCRQkO.exe
  C:\Windows\System32\hLCRQkO.exe
  2⤵
  PID:11124
- C:\Windows\System32\fKJNpSv.exe
  C:\Windows\System32\fKJNpSv.exe
  2⤵
  PID:11148
- C:\Windows\System32\VMSLnzm.exe
  C:\Windows\System32\VMSLnzm.exe
  2⤵
  PID:11168
- C:\Windows\System32\SmGefvb.exe
  C:\Windows\System32\SmGefvb.exe
  2⤵
  PID:11192
- C:\Windows\System32\MQqnyNH.exe
  C:\Windows\System32\MQqnyNH.exe
  2⤵
  PID:11236
- C:\Windows\System32\oUDhIlG.exe
  C:\Windows\System32\oUDhIlG.exe
  2⤵
  PID:11252
- C:\Windows\System32\JKYgdhQ.exe
  C:\Windows\System32\JKYgdhQ.exe
  2⤵
  PID:10300
- C:\Windows\System32\BYVMhTK.exe
  C:\Windows\System32\BYVMhTK.exe
  2⤵
  PID:10320
- C:\Windows\System32\BacJMsf.exe
  C:\Windows\System32\BacJMsf.exe
  2⤵
  PID:10400
- C:\Windows\System32\ldSAVYr.exe
  C:\Windows\System32\ldSAVYr.exe
  2⤵
  PID:10428
- C:\Windows\System32\nQNsLNh.exe
  C:\Windows\System32\nQNsLNh.exe
  2⤵
  PID:10532
- C:\Windows\System32\ntRbSRs.exe
  C:\Windows\System32\ntRbSRs.exe
  2⤵
  PID:3584
- C:\Windows\System32\AmIexRm.exe
  C:\Windows\System32\AmIexRm.exe
  2⤵
  PID:10556
- C:\Windows\System32\XymZdID.exe
  C:\Windows\System32\XymZdID.exe
  2⤵
  PID:10576
- C:\Windows\System32\xOxXLcH.exe
  C:\Windows\System32\xOxXLcH.exe
  2⤵
  PID:10648
- C:\Windows\System32\MJFCPyg.exe
  C:\Windows\System32\MJFCPyg.exe
  2⤵
  PID:10700
- C:\Windows\System32\PvbyHnu.exe
  C:\Windows\System32\PvbyHnu.exe
  2⤵
  PID:10724
- C:\Windows\System32\BPyRFPF.exe
  C:\Windows\System32\BPyRFPF.exe
  2⤵
  PID:10840
- C:\Windows\System32\bHUuoOe.exe
  C:\Windows\System32\bHUuoOe.exe
  2⤵
  PID:10888
- C:\Windows\System32\CXmfJbK.exe
  C:\Windows\System32\CXmfJbK.exe
  2⤵
  PID:10920
- C:\Windows\System32\yalcdJS.exe
  C:\Windows\System32\yalcdJS.exe
  2⤵
  PID:10972
- C:\Windows\System32\eHpiIQJ.exe
  C:\Windows\System32\eHpiIQJ.exe
  2⤵
  PID:11136
- C:\Windows\System32\uTUpeLa.exe
  C:\Windows\System32\uTUpeLa.exe
  2⤵
  PID:10252
- C:\Windows\System32\sqehcXh.exe
  C:\Windows\System32\sqehcXh.exe
  2⤵
  PID:10344
- C:\Windows\System32\ySSpyqf.exe
  C:\Windows\System32\ySSpyqf.exe
  2⤵
  PID:10480
- C:\Windows\System32\ZLObKdi.exe
  C:\Windows\System32\ZLObKdi.exe
  2⤵
  PID:10508
- C:\Windows\System32\SFRCgHS.exe
  C:\Windows\System32\SFRCgHS.exe
  2⤵
  PID:10692
- C:\Windows\System32\wcYPDDD.exe
  C:\Windows\System32\wcYPDDD.exe
  2⤵
  PID:10848
- C:\Windows\System32\EgPlZqF.exe
  C:\Windows\System32\EgPlZqF.exe
  2⤵
  PID:11048
- C:\Windows\System32\WheWufk.exe
  C:\Windows\System32\WheWufk.exe
  2⤵
  PID:11248
- C:\Windows\System32\AVampzi.exe
  C:\Windows\System32\AVampzi.exe
  2⤵
  PID:10352
- C:\Windows\System32\UnVkfCz.exe
  C:\Windows\System32\UnVkfCz.exe
  2⤵
  PID:8924
- C:\Windows\System32\ivSZdaF.exe
  C:\Windows\System32\ivSZdaF.exe
  2⤵
  PID:10560
- C:\Windows\System32\pcSIXLa.exe
  C:\Windows\System32\pcSIXLa.exe
  2⤵
  PID:10984
- C:\Windows\System32\ALlWLki.exe
  C:\Windows\System32\ALlWLki.exe
  2⤵
  PID:11292
- C:\Windows\System32\YckePJD.exe
  C:\Windows\System32\YckePJD.exe
  2⤵
  PID:11308
- C:\Windows\System32\SsXtYfb.exe
  C:\Windows\System32\SsXtYfb.exe
  2⤵
  PID:11352
- C:\Windows\System32\UeGYSGa.exe
  C:\Windows\System32\UeGYSGa.exe
  2⤵
  PID:11400
- C:\Windows\System32\KXpnDCP.exe
  C:\Windows\System32\KXpnDCP.exe
  2⤵
  PID:11424
- C:\Windows\System32\eckagCN.exe
  C:\Windows\System32\eckagCN.exe
  2⤵
  PID:11440
- C:\Windows\System32\BhxMSwF.exe
  C:\Windows\System32\BhxMSwF.exe
  2⤵
  PID:11468
- C:\Windows\System32\uxccQtT.exe
  C:\Windows\System32\uxccQtT.exe
  2⤵
  PID:11504
- C:\Windows\System32\ePdNHMn.exe
  C:\Windows\System32\ePdNHMn.exe
  2⤵
  PID:11524
- C:\Windows\System32\fHJFqBa.exe
  C:\Windows\System32\fHJFqBa.exe
  2⤵
  PID:11548
- C:\Windows\System32\WdCERNZ.exe
  C:\Windows\System32\WdCERNZ.exe
  2⤵
  PID:11564
- C:\Windows\System32\hCabBad.exe
  C:\Windows\System32\hCabBad.exe
  2⤵
  PID:11616
- C:\Windows\System32\SETFPPH.exe
  C:\Windows\System32\SETFPPH.exe
  2⤵
  PID:11676
- C:\Windows\System32\jXYuIXw.exe
  C:\Windows\System32\jXYuIXw.exe
  2⤵
  PID:11704
- C:\Windows\System32\PUoawqY.exe
  C:\Windows\System32\PUoawqY.exe
  2⤵
  PID:11732
- C:\Windows\System32\lWmwpAr.exe
  C:\Windows\System32\lWmwpAr.exe
  2⤵
  PID:11748
- C:\Windows\System32\KmqTpKM.exe
  C:\Windows\System32\KmqTpKM.exe
  2⤵
  PID:11776
- C:\Windows\System32\AUSidki.exe
  C:\Windows\System32\AUSidki.exe
  2⤵
  PID:11820
- C:\Windows\System32\YaGiYRx.exe
  C:\Windows\System32\YaGiYRx.exe
  2⤵
  PID:11848
- C:\Windows\System32\PjYxGKD.exe
  C:\Windows\System32\PjYxGKD.exe
  2⤵
  PID:11864
- C:\Windows\System32\jkiiZOx.exe
  C:\Windows\System32\jkiiZOx.exe
  2⤵
  PID:11892
- C:\Windows\System32\ResMjVC.exe
  C:\Windows\System32\ResMjVC.exe
  2⤵
  PID:11920
- C:\Windows\System32\bryMiLP.exe
  C:\Windows\System32\bryMiLP.exe
  2⤵
  PID:11968
- C:\Windows\System32\GshTZOx.exe
  C:\Windows\System32\GshTZOx.exe
  2⤵
  PID:11988
- C:\Windows\System32\DbWwtSD.exe
  C:\Windows\System32\DbWwtSD.exe
  2⤵
  PID:12016
- C:\Windows\System32\CQvGQce.exe
  C:\Windows\System32\CQvGQce.exe
  2⤵
  PID:12032
- C:\Windows\System32\XQSZWfX.exe
  C:\Windows\System32\XQSZWfX.exe
  2⤵
  PID:12052
- C:\Windows\System32\oBRASdc.exe
  C:\Windows\System32\oBRASdc.exe
  2⤵
  PID:12080
- C:\Windows\System32\YMWAReV.exe
  C:\Windows\System32\YMWAReV.exe
  2⤵
  PID:12108
- C:\Windows\System32\SSjaKLI.exe
  C:\Windows\System32\SSjaKLI.exe
  2⤵
  PID:12188
- C:\Windows\System32\jVmyHac.exe
  C:\Windows\System32\jVmyHac.exe
  2⤵
  PID:12212
- C:\Windows\System32\mfdXooo.exe
  C:\Windows\System32\mfdXooo.exe
  2⤵
  PID:12236
- C:\Windows\System32\NVTnmmx.exe
  C:\Windows\System32\NVTnmmx.exe
  2⤵
  PID:12276
- C:\Windows\System32\gZvVQWh.exe
  C:\Windows\System32\gZvVQWh.exe
  2⤵
  PID:9068
- C:\Windows\System32\KfogRyS.exe
  C:\Windows\System32\KfogRyS.exe
  2⤵
  PID:10340
- C:\Windows\System32\MxcewdR.exe
  C:\Windows\System32\MxcewdR.exe
  2⤵
  PID:11360
- C:\Windows\System32\CqVimzZ.exe
  C:\Windows\System32\CqVimzZ.exe
  2⤵
  PID:4416
- C:\Windows\System32\hCLjBsA.exe
  C:\Windows\System32\hCLjBsA.exe
  2⤵
  PID:11416
- C:\Windows\System32\GIqYWmZ.exe
  C:\Windows\System32\GIqYWmZ.exe
  2⤵
  PID:11500
- C:\Windows\System32\ZCrHKFQ.exe
  C:\Windows\System32\ZCrHKFQ.exe
  2⤵
  PID:11560
- C:\Windows\System32\DAPPKxz.exe
  C:\Windows\System32\DAPPKxz.exe
  2⤵
  PID:11624
- C:\Windows\System32\Sffmphm.exe
  C:\Windows\System32\Sffmphm.exe
  2⤵
  PID:11664
- C:\Windows\System32\XoqzXHP.exe
  C:\Windows\System32\XoqzXHP.exe
  2⤵
  PID:11740
- C:\Windows\System32\iigpMvp.exe
  C:\Windows\System32\iigpMvp.exe
  2⤵
  PID:11812
- C:\Windows\System32\VPPyuyo.exe
  C:\Windows\System32\VPPyuyo.exe
  2⤵
  PID:11904
- C:\Windows\System32\YANDXZy.exe
  C:\Windows\System32\YANDXZy.exe
  2⤵
  PID:11976
- C:\Windows\System32\GxbJoIh.exe
  C:\Windows\System32\GxbJoIh.exe
  2⤵
  PID:12024
- C:\Windows\System32\OdLSQcl.exe
  C:\Windows\System32\OdLSQcl.exe
  2⤵
  PID:12096
- C:\Windows\System32\SyOASNz.exe
  C:\Windows\System32\SyOASNz.exe
  2⤵
  PID:12152
- C:\Windows\System32\aPMxVRC.exe
  C:\Windows\System32\aPMxVRC.exe
  2⤵
  PID:12132
- C:\Windows\System32\CRNKkMU.exe
  C:\Windows\System32\CRNKkMU.exe
  2⤵
  PID:12184
- C:\Windows\System32\RCgwHSX.exe
  C:\Windows\System32\RCgwHSX.exe
  2⤵
  PID:10776
- C:\Windows\System32\loStOvJ.exe
  C:\Windows\System32\loStOvJ.exe
  2⤵
  PID:11372
- C:\Windows\System32\lisZqld.exe
  C:\Windows\System32\lisZqld.exe
  2⤵
  PID:11448
- C:\Windows\System32\oxJbqor.exe
  C:\Windows\System32\oxJbqor.exe
  2⤵
  PID:11640
- C:\Windows\System32\nkoENkM.exe
  C:\Windows\System32\nkoENkM.exe
  2⤵
  PID:11728
- C:\Windows\System32\jGDYYbd.exe
  C:\Windows\System32\jGDYYbd.exe
  2⤵
  PID:11888
- C:\Windows\System32\nzhmCnF.exe
  C:\Windows\System32\nzhmCnF.exe
  2⤵
  PID:12064
- C:\Windows\System32\ztBlYfd.exe
  C:\Windows\System32\ztBlYfd.exe
  2⤵
  PID:12156
- C:\Windows\System32\zDwyYfM.exe
  C:\Windows\System32\zDwyYfM.exe
  2⤵
  PID:12200
- C:\Windows\System32\lmJraet.exe
  C:\Windows\System32\lmJraet.exe
  2⤵
  PID:11464
- C:\Windows\System32\gpnefjw.exe
  C:\Windows\System32\gpnefjw.exe
  2⤵
  PID:11800
- C:\Windows\System32\kupUVrP.exe
  C:\Windows\System32\kupUVrP.exe
  2⤵
  PID:12256
- C:\Windows\System32\CMvqCFR.exe
  C:\Windows\System32\CMvqCFR.exe
  2⤵
  PID:4160
- C:\Windows\System32\ybeqtlr.exe
  C:\Windows\System32\ybeqtlr.exe
  2⤵
  PID:11796
- C:\Windows\System32\lOumTNc.exe
  C:\Windows\System32\lOumTNc.exe
  2⤵
  PID:11488
- C:\Windows\System32\PVTLhJd.exe
  C:\Windows\System32\PVTLhJd.exe
  2⤵
  PID:11572
- C:\Windows\System32\YLSOzfZ.exe
  C:\Windows\System32\YLSOzfZ.exe
  2⤵
  PID:12320
- C:\Windows\System32\CXLJsgL.exe
  C:\Windows\System32\CXLJsgL.exe
  2⤵
  PID:12364
- C:\Windows\System32\wZSArfk.exe
  C:\Windows\System32\wZSArfk.exe
  2⤵
  PID:12400
- C:\Windows\System32\ovEWwDy.exe
  C:\Windows\System32\ovEWwDy.exe
  2⤵
  PID:12436
- C:\Windows\System32\zDDxHYo.exe
  C:\Windows\System32\zDDxHYo.exe
  2⤵
  PID:12452
- C:\Windows\System32\iTFdTOw.exe
  C:\Windows\System32\iTFdTOw.exe
  2⤵
  PID:12476
- C:\Windows\System32\YvySfAl.exe
  C:\Windows\System32\YvySfAl.exe
  2⤵
  PID:12500
- C:\Windows\System32\jdEcSiY.exe
  C:\Windows\System32\jdEcSiY.exe
  2⤵
  PID:12520
- C:\Windows\System32\JtolrNU.exe
  C:\Windows\System32\JtolrNU.exe
  2⤵
  PID:12548
- C:\Windows\System32\ySxfoPI.exe
  C:\Windows\System32\ySxfoPI.exe
  2⤵
  PID:12572
- C:\Windows\System32\QULkhfq.exe
  C:\Windows\System32\QULkhfq.exe
  2⤵
  PID:12588
- C:\Windows\System32\PrsrvOn.exe
  C:\Windows\System32\PrsrvOn.exe
  2⤵
  PID:12616
- C:\Windows\System32\BzwSQeA.exe
  C:\Windows\System32\BzwSQeA.exe
  2⤵
  PID:12668
- C:\Windows\System32\ygpAxQv.exe
  C:\Windows\System32\ygpAxQv.exe
  2⤵
  PID:12700
- C:\Windows\System32\zYqUVuR.exe
  C:\Windows\System32\zYqUVuR.exe
  2⤵
  PID:12728
- C:\Windows\System32\IlopoiW.exe
  C:\Windows\System32\IlopoiW.exe
  2⤵
  PID:12748
- C:\Windows\System32\iAisDpo.exe
  C:\Windows\System32\iAisDpo.exe
  2⤵
  PID:12788
- C:\Windows\System32\dkmTJbL.exe
  C:\Windows\System32\dkmTJbL.exe
  2⤵
  PID:12804
- C:\Windows\System32\MRDvATn.exe
  C:\Windows\System32\MRDvATn.exe
  2⤵
  PID:12828
- C:\Windows\System32\ViLWjtS.exe
  C:\Windows\System32\ViLWjtS.exe
  2⤵
  PID:12856
- C:\Windows\System32\AqSimPX.exe
  C:\Windows\System32\AqSimPX.exe
  2⤵
  PID:12900
- C:\Windows\System32\vlanCLO.exe
  C:\Windows\System32\vlanCLO.exe
  2⤵
  PID:12936
- C:\Windows\System32\KlPLNvU.exe
  C:\Windows\System32\KlPLNvU.exe
  2⤵
  PID:12956
- C:\Windows\System32\lcTQLzM.exe
  C:\Windows\System32\lcTQLzM.exe
  2⤵
  PID:12980
- C:\Windows\System32\njgHvQU.exe
  C:\Windows\System32\njgHvQU.exe
  2⤵
  PID:13004
- C:\Windows\System32\iLlMwso.exe
  C:\Windows\System32\iLlMwso.exe
  2⤵
  PID:13048
- C:\Windows\System32\hJnRvNA.exe
  C:\Windows\System32\hJnRvNA.exe
  2⤵
  PID:13076
- C:\Windows\System32\qqorJOO.exe
  C:\Windows\System32\qqorJOO.exe
  2⤵
  PID:13104
- C:\Windows\System32\aXLWYve.exe
  C:\Windows\System32\aXLWYve.exe
  2⤵
  PID:13124
- C:\Windows\System32\SccuHPf.exe
  C:\Windows\System32\SccuHPf.exe
  2⤵
  PID:13148
- C:\Windows\System32\fYaFYqU.exe
  C:\Windows\System32\fYaFYqU.exe
  2⤵
  PID:13192
- C:\Windows\System32\bwnunmX.exe
  C:\Windows\System32\bwnunmX.exe
  2⤵
  PID:13216
- C:\Windows\System32\QWaBuYH.exe
  C:\Windows\System32\QWaBuYH.exe
  2⤵
  PID:13240
- C:\Windows\System32\llAnylv.exe
  C:\Windows\System32\llAnylv.exe
  2⤵
  PID:13256
- C:\Windows\System32\gtFBWNh.exe
  C:\Windows\System32\gtFBWNh.exe
  2⤵
  PID:13280
- C:\Windows\System32\gKWrnKQ.exe
  C:\Windows\System32\gKWrnKQ.exe
  2⤵
  PID:13304
- C:\Windows\System32\bmqazzB.exe
  C:\Windows\System32\bmqazzB.exe
  2⤵
  PID:11772
- C:\Windows\System32\XlhrigQ.exe
  C:\Windows\System32\XlhrigQ.exe
  2⤵
  PID:12396
- C:\Windows\System32\EbsxDad.exe
  C:\Windows\System32\EbsxDad.exe
  2⤵
  PID:12464
- C:\Windows\System32\CqFeHwb.exe
  C:\Windows\System32\CqFeHwb.exe
  2⤵
  PID:12512

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AXuRyAS.exe

Filesize
1.8MB

MD5
f3a897e391c253de6963f5e9d7e6615d

SHA1
93e8b00a12d1c32bbedd1b94b3a4bc22209861f4

SHA256
6b56231c8ffac9951186043b7d6a27f35472c9bd11e78e4c5a37cafde6269efa

SHA512
d0e284743668037ab7c8b1dd7c9058f4d0496a445bbac19e30e8cf85c03cfb97b49478d835cfd78977f523d38d9d30a43facf8e3ededf98eb8882a8f1c1c1907

Download Submit
C:\Windows\System32\BAPWhYK.exe

Filesize
1.8MB

MD5
41ac0ee26e7ebb44ed0444642f5411d3

SHA1
6e87cd5c54917c0a871593b000e8ca3c0360cf07

SHA256
461dc93018a27d32a299e368747f110f283ae5dc01f182f54f1af09504a84db8

SHA512
1a1bbce1c6668e73dc0920b3b0def32a0d818259659a5dddbcf034662e5d674b52446730221c2c29f0fe429bdf6bafac2ae5f84638a7cf649d7b3cc0baa65294

Download Submit
C:\Windows\System32\BTLGelW.exe

Filesize
1.8MB

MD5
fa11f4f17a60f44ea23c9b48336356df

SHA1
adf2092e3d4bce9988721c34924b62164b38f5d4

SHA256
80535f22d88e774d58e4d2c37780f5cfd80eebfd6e8d8b4042deb3235401d4ba

SHA512
f3439f0eaa5e62b0e7b0bdac0349155940c45b81eafd3d92115fa643ff9d7733df974845419f2cf24abc09896ba6e64fd49a580bbf02e1cdc85486dcb95601a2

Download Submit
C:\Windows\System32\CzHDoOs.exe

Filesize
1.8MB

MD5
ad3509a6a7bff95e62bf91ce67b36de2

SHA1
1e52cbfd4f4b9394cfef94084a1c272a8e295192

SHA256
7db0574408ff2fdadb94c89a9068e420b5ce2daa316630838655893de2ab782b

SHA512
13ec2e377f41482e6ffc871a937278e780d3f3854d88af4faaa89eb8d6469231088ebfba0b6f1288b20f4c8c5e2c75904f0704e938da801f01515573babed3b0

Download Submit
C:\Windows\System32\DWYLDnN.exe

Filesize
1.8MB

MD5
dba32400b7f811bd3f55c2efe2f90a6c

SHA1
d08c194deb0c304c91bd7b2345afcceac5598f09

SHA256
49e5a81505fd3a19b0bfae85c0c6359221a0dce01fbce481f01229f579e80b0d

SHA512
6d6f798c0bc67b7c6ae6a3168683fbe2336dd52a150648073dfe20d30a94e96783c05fda3d8f7dc4cf64a791da19b52663a61e9254ef17f776a0aaa4bdb6f27d

Download Submit
C:\Windows\System32\DsrZgFF.exe

Filesize
1.8MB

MD5
02c049d61687fa5cd5f71523a7690826

SHA1
058622914490f5cc000ac8029300435923cec3ec

SHA256
f0c950ceb57185550bd62725db9b5bc7e47824ece8e66a95d5cbdbc8bc65042e

SHA512
d0a146c7833c9a1e734840526d284a81bbc5c22c47fbeec8afdf35db18e4e9222c7a0cf748365b368b988bbcb0fc10680cd05a09e504df37be7cae484299ba55

Download Submit
C:\Windows\System32\EhMFvCR.exe

Filesize
1.8MB

MD5
e8f7346a475e6bc3888c104d24153dd6

SHA1
91f3fd5dab39fd7d1b4d40f25b7a46cabbe8cc02

SHA256
f38c7ef16e0499d798ada5c6e60b4ea301f0517999f290b08a172c08b35d77ca

SHA512
bf734c575fb111277ecd4fa1623504ce8395be009539a97eac6db532779dad6692c634b102cdfbce0f924ca11f0a600a10965e82c531effe5f579120d4fdb79f

Download Submit
C:\Windows\System32\JKQzZTz.exe

Filesize
1.8MB

MD5
5f60859d0d7924b518969a108806191d

SHA1
db524c9e8fd3db1376a31894e28faeccd124d93a

SHA256
ee3b1a4851b15c80af4069179d056d5c2ac472099ff6989d3e86b89f4435511c

SHA512
759ce4af45a0ba0459572e539be90c395a65a0f5309847f2e231369014d43ba821c4fa7d36e1067836aed68fab8d7244c267c7dbacaf75118522c16cff574e77

Download Submit
C:\Windows\System32\LIzNMDj.exe

Filesize
1.8MB

MD5
442b91754c860188c117bd13dc7b7490

SHA1
9330be8680e9bc763902cf1890faef8b0edd9002

SHA256
e60a2df09beb2b29b81bc43edd42e939b4b7d9b442b4e83bdaea409523de1617

SHA512
cf4072fc701a726089ee426a447d36b18732b7f6409d114004f05f47262b6204b82c8d29a11a95e40b190703a3623b15f1a88cba5bd987af2f0e15509077f1af

Download Submit
C:\Windows\System32\LflYCSs.exe

Filesize
1.8MB

MD5
6285b0d78ac9d04be561865893f90d21

SHA1
838333f30943d7f3801f45ba4fafabf84cf17a6c

SHA256
c100198601433a20ce24fbba101ff676c3e05ccba5edc982913f8e1c15f26359

SHA512
b34a44b268caedcd2f4810ae2f773640a0894a4caf56fcee372dec3a13d00623f44b433406a99ec26374ae658581e5d4b290e87a0f58b1a7d8f087c30a574fe6

Download Submit
C:\Windows\System32\OsYzhEH.exe

Filesize
1.8MB

MD5
55b60e2d93fbfe7e0a3228bf72c86df3

SHA1
de3b63aeabe804068b74eece69aaf234c2bb3df3

SHA256
a5fca44b1a7e81e2cdf7f6632194f7c9b89df590315ebc77ecc890cf76479b5d

SHA512
86b4c6d27e7809aa097ca7288038de6f9beab53c6e1091c3af4883e732a78cf71da6a3ed3fe9744b5718b7f6b43e2f196ec882e77f6c5d2c7bdbbf06d3b7c0fe

Download Submit
C:\Windows\System32\ROSJmGV.exe

Filesize
1.8MB

MD5
6ccd342019a7c639bc466b5c68d2a14f

SHA1
30c48b5b3abbfe1141de9b9a85228175e9f15600

SHA256
343469d4ac86bb695175810f5d4d1e39957d6410b199bd4946b143c455bc6b89

SHA512
4df42f6a4fee46ffc88f484ebc89c252a6febf0430b4692a41c7f2cd0aef7597ad2e40b4bc59d86e30b328b64210ad359c8ef221ea46eec7f7e91efc9b036357

Download Submit
C:\Windows\System32\SFIgnPl.exe

Filesize
1.8MB

MD5
3c7b78e9765cbdef45fe9ce12e993bb3

SHA1
d8da9395644ab1f81beeb53cf83de4ee41876f39

SHA256
bd410da9cb62de6cd1dfa3afd70fbce3c16fe2a07b202fb46b5dfa8a39538ceb

SHA512
a12ebd3881b7d8eb75ef17602127d166bec81802eba03471f3320f7fde9149f355ae3b040cf0945fc86f8d5ca4b5a104c4fb62a552d58dfe19ee487eb880f050

Download Submit
C:\Windows\System32\SMNptCQ.exe

Filesize
1.8MB

MD5
f0c30fc65fa5a893a04a1498fa85b7a6

SHA1
40fd06d7e2dd9c5ac313269f3d983bcc0925a0f3

SHA256
1700174eded8193122628d48c576ca363c97aa59fa98801554642b36ab859189

SHA512
a9a1ce7193ae7f4f85a0464218d0e743637e56e737ebe591aacb3cb476d1422a24f781826610e9297d55eb1fe76a386612232fde5a3fcceea3b421d52c97bb43

Download Submit
C:\Windows\System32\SljWsdm.exe

Filesize
1.8MB

MD5
25c7ff5821cabe5eecdccba491e627f7

SHA1
d3eb1a47af9377477bd0e67f85f9bfa7a20896ad

SHA256
869e88fe843e6b96b88e3b8482617fd9dc4dbc4f1ec91f22f42fc40c45359f80

SHA512
9c98800e18b116102099b5bb9203b1a1075432d475546d51a9df989db043c64bc07175664e2eca242a3b4e891602c456eee1e5cb13aa4570cb1f615543915702

Download Submit
C:\Windows\System32\VijtVey.exe

Filesize
1.8MB

MD5
f7a91ad635774bd095690d92d412643a

SHA1
f82b469d737b311eecd44b3b688ce82eee700e69

SHA256
821023efff18f3183e2f9e62a5c835aa1bb4f6dffacbb66d4e0d0192c497ecb8

SHA512
0f83d6255ce363c661d225e4174371b4c190dbf19a120ad5e1c48e9b9a6ad820165a7f16591525c6c2b0cdd502f1c1f3547d5853af7ff4d2f4af0d67692bb180

Download Submit
C:\Windows\System32\XmXElqD.exe

Filesize
1.8MB

MD5
60b922effca443a0460d8f11d39373fc

SHA1
0873b7b101e659d3596ee50db7763fdce27f71f0

SHA256
fa277e320ba52ac1ed4059800f9c752f32202bf18ba510bf714522b8c2220eff

SHA512
07731b585ad050e9662ba551242ec7ca6d05a40fd482eb862981b161b25b70f21d7b812a763681882da943e72757d66f4431ce2e6113a602dcb1c910b3893eb1

Download Submit
C:\Windows\System32\ZbhvQPU.exe

Filesize
1.8MB

MD5
c6fbfbcd5d873578ad39f29803c863ac

SHA1
290e38b002de897f993ef02878ff71c4ca77754d

SHA256
d72ad9248dac6c515ba42b98d5313a62f7289d5f1e0ed39e00ce99effb18d6f1

SHA512
a24bedb1194eeb4f652aa8ffa18a342e637a0e57494f61d829e2f7f43e00732b856e3afc27b5212b26c14f4ae06ac01b2dde82b61a1f27c3e7eec2d3cd759983

Download Submit
C:\Windows\System32\ZpsWLap.exe

Filesize
1.8MB

MD5
27810afed218b3dabd15705e09907884

SHA1
5ea59833ad2974b761cfdc9306fcbd286b5a9760

SHA256
2b09dfe956082f0f7b5d5794375b4322ee0b9422d257b1b7d6c91387188a6527

SHA512
98c5e34e5e942555308012e4b26bcb125bf52e774b5476de8c06bd52acde2693d9cc9f1dce2fcef975b53444a528badf2482171f42c3172860d830eda3cbe588

Download Submit
C:\Windows\System32\aJvUymC.exe

Filesize
1.8MB

MD5
500694bf281f76d7994cf1df43f5fea3

SHA1
ce86d1c38f153f70d52118a4234a6cc4897dd39d

SHA256
d04ca6d32d09498fb6d2188556151a8d61cdc32097f0e2c8261825de9c80ec92

SHA512
8a12c4972b0612feaee941f7f4cc12684995957a65413c77eba6f5a168a8ac884de9256bf00ae4eda9ffa7cad73da0430e353573f1bdaeeca5a914f8077ed6a0

Download Submit
C:\Windows\System32\aMzcHCv.exe

Filesize
1.8MB

MD5
982d6c54aa2203d5ab7e0d9431afca1a

SHA1
ec9a5a996950b024eac33a727e861300e3e465e4

SHA256
fed223a241baa7b190987eaadb402e3f74b1eda87b1854ee40ac152ca3a33a8a

SHA512
69e8bfcccd2d35324a3eed9f9574b1b09ebf51dcb7aff183fa74017517adf499db5ea21412fbed52c511de9e78ae6ac83049bc12731a129c910b45ad88137f00

Download Submit
C:\Windows\System32\brxsLMu.exe

Filesize
1.8MB

MD5
c9b56ffa1d2a11d09f8fb97837e54ffa

SHA1
731c4d0ed5596856bcd95dae5dd1a7e40aa92a42

SHA256
d7f83de93ca059ff198c7b70a4520032bf9eaf66740d98489dbc427ace4bd0cb

SHA512
d01633ee5530b63588f5cf87bc097da67e092d22d5a36920058ce991478fa5ae5ccdc7e5381ee562fc2944e34bbcf16a36125c64647a63c26b3c1265c2d508ca

Download Submit
C:\Windows\System32\bwUehDE.exe

Filesize
1.8MB

MD5
7b8a6e6b2c019d012b38dbcee62ceb4f

SHA1
a0b9872fcb6e837ed653ffedc380328a80c6dc4d

SHA256
24ae655f9f5c0b5b7882ca5181c9bcae5f7edbdfb46a2c047e51431b6a27d09a

SHA512
27d9a0eb16006e75001cbcdba9146a81ddd71c9c3bfaad6b7196640c7232cd0fdceadc880777c223fdbec207bbc54660f8f0591244ceff251092f270054e9463

Download Submit
C:\Windows\System32\djvVDci.exe

Filesize
1.8MB

MD5
bd148694444d50a3efe9527a0b14dfcd

SHA1
7e562cb4624aa0c9985f2de3a3dfddcf2abbb8e6

SHA256
b54858cfdedc6a1f6a5f06b43acdd016dd20b9cb911dbff45bd65f67e350a685

SHA512
9d07df77cfe54efb7f150af363e1bc41c9bbb75798fc8406bae4ced354bafe67905a19bc47cae00b08aabb020ed52a248727db65637214e19038207ca5dc2ab4

Download Submit
C:\Windows\System32\iCZpsco.exe

Filesize
1.8MB

MD5
db4b2dce365f4138d04e1a9061bdd02e

SHA1
a63d1f9fe9d0de538dea975ca655b973ba98e417

SHA256
185bb36f083f6dee9d5a736737084dc5fa895dbe049faf4d8ecc0f3f84dd053f

SHA512
571f735f8265a67953ab278200fe29dba09d6e6fa899c7879ab93d46c695df60058586aff9976d96bda4d16a580272f2d9bdd60d7c2ebc8cfbb4c5f3c6e7eeaf

Download Submit
C:\Windows\System32\ioxVmQK.exe

Filesize
1.8MB

MD5
5a77392aa2f01ce9c70ba41e57964694

SHA1
90f04c02f50f3d14bfd5558b67c7e3a14d7b8e81

SHA256
1d0eeda3bd72d2b504e0e2c2962b8e13403a1dcf2c30cae7049925dd59402792

SHA512
25921692852bc69dadb9a5391b3516edb64332eec43f6d7b83c9f5712eabe2c069edcd3be93186d1ab9ffabd58fbb95f82fca2420da6f4e632326159d5492cd4

Download Submit
C:\Windows\System32\kdUwPIj.exe

Filesize
1.8MB

MD5
71bd81f962de877262135a02e66be56d

SHA1
d295ddffdd411155fb57ad9ac07daa70906d3e46

SHA256
030884e3c2644ee12ec3c6f12c6b9a23e6f80bc33ffd2af08c1f2c039c43fe72

SHA512
34a40a184c78dfaf3366966692d868bf2535c0a1610faa079ab912ba5c94d8e3ec1bd161bb102b3ead6c69be6ec3750ca559d6597017e2de50eb9bc0d6092c14

Download Submit
C:\Windows\System32\ljKfGqR.exe

Filesize
1.8MB

MD5
dd0024fd9e61b7afb7679d9f85bb7642

SHA1
8bef997c7d715b175ab0861bf08904a00ad3842a

SHA256
eecf6ea480a1224a2af1522a4f1220a752a1cf91329184e082bdb5b545e3f48e

SHA512
3fbbbbd057f7e644b0338b9bad15be225c989bd8a665e64a6d990b679d635d6d7549c22941d8110ffb1a4205a2c445002e947313fd022e34fa1c2895be5fa2db

Download Submit
C:\Windows\System32\mRSemxy.exe

Filesize
1.8MB

MD5
4db6c52c846ec23ede9d58da34f20b70

SHA1
bb76c78bf3d668ee79026f53c864ffe27c8d0e78

SHA256
576b3a49649e0a14e4539256eb136c3af9d5321f8799447afc1f95201e6ba2b7

SHA512
1694055e67ddd7a50c604aa28a7a4e8ca80a0dacd8cf531f85e55f60f41889268f445df18dd92c9bfff07b0fdcfb78335d9a5276b61cc72f0c18a2142acf3ee2

Download Submit
C:\Windows\System32\oSJCkgW.exe

Filesize
1.8MB

MD5
4770da96f0bd76b259228ac2f0a8f021

SHA1
e022bfa4701515d0c8778ce5e7ac0b6de517f9e0

SHA256
a64bb6e7c0abb1eda47975a8a8fc52673928c36a3c92f2b6b10efda00a09c7a0

SHA512
551c440fec21908821facd429c8e233b19b3cc07f064275497ab1ac45a0b553e72ec3d6873dd106ca3e0039e437fdc2a5de85f239b7e5b8ed53bf6545cbfc398

Download Submit
C:\Windows\System32\rdjGucL.exe

Filesize
1.8MB

MD5
2db4662eb28f283aa0cddf3eeca57ef1

SHA1
c755e40d3aecb559b4acf5e30a57130477e20778

SHA256
99331e722f5b916752e70bde588edb08861c4d28d0402670777f5901a64723ad

SHA512
2bee2e567929dfb73ce7a236f5f2e45f91723004d15f53dd6280884945ea2ba24f1ffc7c9d94cac3466a9cf422d5d6a1c3b16f04198041bf5c75d7cac50dd2d7

Download Submit
C:\Windows\System32\zbntHJP.exe

Filesize
1.8MB

MD5
3f67363e28bc265d640be13c4ea9f8f1

SHA1
a1b0bd25fba8a10a9b9407d5294cb4c510a8c8da

SHA256
c29bbf5b6217e40f4ea04e5874222e3f9f89046ec86a8ff5f98bc90dd1fc1cb2

SHA512
a21a43ea562a9e6060f1275585a30b3933f6bbe21b9a1235a003305fadf9979badac851c175c41a2d913730b22ec0cdd820a6569211e76fbf90de39d3d957000

Download Submit
memory/224-32-0x00007FF6D2080000-0x00007FF6D2471000-memory.dmp

Filesize
3.9MB

Download
memory/224-2006-0x00007FF6D2080000-0x00007FF6D2471000-memory.dmp

Filesize
3.9MB

Download
memory/380-2116-0x00007FF7E1AB0000-0x00007FF7E1EA1000-memory.dmp

Filesize
3.9MB

Download
memory/380-555-0x00007FF7E1AB0000-0x00007FF7E1EA1000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2089-0x00007FF7E9370000-0x00007FF7E9761000-memory.dmp

Filesize
3.9MB

Download
memory/1080-535-0x00007FF7E9370000-0x00007FF7E9761000-memory.dmp

Filesize
3.9MB

Download
memory/1264-2032-0x00007FF7784A0000-0x00007FF778891000-memory.dmp

Filesize
3.9MB

Download
memory/1264-507-0x00007FF7784A0000-0x00007FF778891000-memory.dmp

Filesize
3.9MB

Download
memory/1276-438-0x00007FF6F23B0000-0x00007FF6F27A1000-memory.dmp

Filesize
3.9MB

Download
memory/1276-2012-0x00007FF6F23B0000-0x00007FF6F27A1000-memory.dmp

Filesize
3.9MB

Download
memory/1444-2110-0x00007FF788B70000-0x00007FF788F61000-memory.dmp

Filesize
3.9MB

Download
memory/1444-545-0x00007FF788B70000-0x00007FF788F61000-memory.dmp

Filesize
3.9MB

Download
memory/1472-440-0x00007FF724570000-0x00007FF724961000-memory.dmp

Filesize
3.9MB

Download
memory/1472-2014-0x00007FF724570000-0x00007FF724961000-memory.dmp

Filesize
3.9MB

Download
memory/1524-437-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp

Filesize
3.9MB

Download
memory/1524-2010-0x00007FF6DA960000-0x00007FF6DAD51000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2247-0x00007FF668760000-0x00007FF668B51000-memory.dmp

Filesize
3.9MB

Download
memory/1608-31-0x00007FF668760000-0x00007FF668B51000-memory.dmp

Filesize
3.9MB

Download
memory/1608-1996-0x00007FF668760000-0x00007FF668B51000-memory.dmp

Filesize
3.9MB

Download
memory/2148-453-0x00007FF6ED680000-0x00007FF6EDA71000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2018-0x00007FF6ED680000-0x00007FF6EDA71000-memory.dmp

Filesize
3.9MB

Download
memory/2412-2020-0x00007FF770930000-0x00007FF770D21000-memory.dmp

Filesize
3.9MB

Download
memory/2412-457-0x00007FF770930000-0x00007FF770D21000-memory.dmp

Filesize
3.9MB

Download
memory/2660-0-0x00007FF69E730000-0x00007FF69EB21000-memory.dmp

Filesize
3.9MB

Download
memory/2660-1-0x0000023CED5A0000-0x0000023CED5B0000-memory.dmp

Filesize
64KB

Download
memory/3044-539-0x00007FF726E40000-0x00007FF727231000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2122-0x00007FF726E40000-0x00007FF727231000-memory.dmp

Filesize
3.9MB

Download
memory/3152-519-0x00007FF635FB0000-0x00007FF6363A1000-memory.dmp

Filesize
3.9MB

Download
memory/3152-2060-0x00007FF635FB0000-0x00007FF6363A1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-439-0x00007FF659CC0000-0x00007FF65A0B1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2016-0x00007FF659CC0000-0x00007FF65A0B1000-memory.dmp

Filesize
3.9MB

Download
memory/3352-2002-0x00007FF685500000-0x00007FF6858F1000-memory.dmp

Filesize
3.9MB

Download
memory/3352-1994-0x00007FF685500000-0x00007FF6858F1000-memory.dmp

Filesize
3.9MB

Download
memory/3352-20-0x00007FF685500000-0x00007FF6858F1000-memory.dmp

Filesize
3.9MB

Download
memory/3760-2028-0x00007FF6B6B80000-0x00007FF6B6F71000-memory.dmp

Filesize
3.9MB

Download
memory/3760-481-0x00007FF6B6B80000-0x00007FF6B6F71000-memory.dmp

Filesize
3.9MB

Download
memory/3772-1995-0x00007FF707880000-0x00007FF707C71000-memory.dmp

Filesize
3.9MB

Download
memory/3772-27-0x00007FF707880000-0x00007FF707C71000-memory.dmp

Filesize
3.9MB

Download
memory/3772-2008-0x00007FF707880000-0x00007FF707C71000-memory.dmp

Filesize
3.9MB

Download
memory/4080-11-0x00007FF7F90E0000-0x00007FF7F94D1000-memory.dmp

Filesize
3.9MB

Download
memory/4080-2004-0x00007FF7F90E0000-0x00007FF7F94D1000-memory.dmp

Filesize
3.9MB

Download
memory/4140-2026-0x00007FF783290000-0x00007FF783681000-memory.dmp

Filesize
3.9MB

Download
memory/4140-467-0x00007FF783290000-0x00007FF783681000-memory.dmp

Filesize
3.9MB

Download
memory/4252-2030-0x00007FF7D7700000-0x00007FF7D7AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4252-487-0x00007FF7D7700000-0x00007FF7D7AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4576-2022-0x00007FF7D1B20000-0x00007FF7D1F11000-memory.dmp

Filesize
3.9MB

Download
memory/4576-446-0x00007FF7D1B20000-0x00007FF7D1F11000-memory.dmp

Filesize
3.9MB

Download
memory/4692-494-0x00007FF7B7F50000-0x00007FF7B8341000-memory.dmp

Filesize
3.9MB

Download
memory/4692-2034-0x00007FF7B7F50000-0x00007FF7B8341000-memory.dmp

Filesize
3.9MB

Download
memory/4836-441-0x00007FF793A40000-0x00007FF793E31000-memory.dmp

Filesize
3.9MB

Download
memory/4836-2024-0x00007FF793A40000-0x00007FF793E31000-memory.dmp

Filesize
3.9MB

Download
memory/4872-533-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp

Filesize
3.9MB

Download
memory/4872-2087-0x00007FF6B2110000-0x00007FF6B2501000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads