xmrig | 724ad85dfb27264c66e9826db2af7be697b530c0c8eee7823c314223d0687119

Analysis

max time kernel
150s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
Size

2.9MB
MD5

555f97e844de510b04b9f7b33769ff10
SHA1

d791aba036382523e4eb551ff14d7e943279a5f8
SHA256

724ad85dfb27264c66e9826db2af7be697b530c0c8eee7823c314223d0687119
SHA512

2914a05a99de98c5c6fd077c97c59dbdfdae63ec5f821b1fbc0e3d37f7b6ece172a4978bf3bf72cfc8595852fd09ee4f9e4497693827863ba81f116979626a61
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzcCNfeT5J0aXiJPI:w0GnJMOWPClFdx6e0EALKWVTffZiPAcW

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/664-0-0x00007FF638550000-0x00007FF638945000-memory.dmp	xmrig
behavioral2/files/0x00070000000232a4-4.dat	xmrig
behavioral2/files/0x0007000000023434-11.dat	xmrig
behavioral2/files/0x0007000000023435-10.dat	xmrig
behavioral2/files/0x0007000000023437-26.dat	xmrig
behavioral2/files/0x000700000002343b-46.dat	xmrig
behavioral2/files/0x000700000002343d-56.dat	xmrig
behavioral2/files/0x000700000002343f-66.dat	xmrig
behavioral2/files/0x0007000000023445-98.dat	xmrig
behavioral2/files/0x0007000000023447-108.dat	xmrig
behavioral2/files/0x000700000002344c-131.dat	xmrig
behavioral2/memory/4668-682-0x00007FF643790000-0x00007FF643B85000-memory.dmp	xmrig
behavioral2/memory/4420-683-0x00007FF707D50000-0x00007FF708145000-memory.dmp	xmrig
behavioral2/memory/4616-684-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp	xmrig
behavioral2/memory/456-685-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp	xmrig
behavioral2/memory/2020-687-0x00007FF78D490000-0x00007FF78D885000-memory.dmp	xmrig
behavioral2/memory/756-686-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp	xmrig
behavioral2/memory/3892-688-0x00007FF6E9000000-0x00007FF6E93F5000-memory.dmp	xmrig
behavioral2/memory/3456-689-0x00007FF7A1E30000-0x00007FF7A2225000-memory.dmp	xmrig
behavioral2/memory/3432-696-0x00007FF77C960000-0x00007FF77CD55000-memory.dmp	xmrig
behavioral2/memory/4412-699-0x00007FF77BF00000-0x00007FF77C2F5000-memory.dmp	xmrig
behavioral2/memory/4264-754-0x00007FF7457C0000-0x00007FF745BB5000-memory.dmp	xmrig
behavioral2/memory/3976-764-0x00007FF73A550000-0x00007FF73A945000-memory.dmp	xmrig
behavioral2/memory/3228-770-0x00007FF61CD80000-0x00007FF61D175000-memory.dmp	xmrig
behavioral2/memory/1540-785-0x00007FF6B82B0000-0x00007FF6B86A5000-memory.dmp	xmrig
behavioral2/memory/3384-778-0x00007FF652F40000-0x00007FF653335000-memory.dmp	xmrig
behavioral2/memory/4180-747-0x00007FF659870000-0x00007FF659C65000-memory.dmp	xmrig
behavioral2/memory/3912-735-0x00007FF6595F0000-0x00007FF6599E5000-memory.dmp	xmrig
behavioral2/memory/692-727-0x00007FF685C40000-0x00007FF686035000-memory.dmp	xmrig
behavioral2/memory/2148-716-0x00007FF7E3820000-0x00007FF7E3C15000-memory.dmp	xmrig
behavioral2/memory/3180-706-0x00007FF658F60000-0x00007FF659355000-memory.dmp	xmrig
behavioral2/memory/3132-691-0x00007FF6FE2F0000-0x00007FF6FE6E5000-memory.dmp	xmrig
behavioral2/memory/1772-690-0x00007FF6D73C0000-0x00007FF6D77B5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023452-163.dat	xmrig
behavioral2/files/0x0007000000023451-158.dat	xmrig
behavioral2/files/0x0007000000023450-153.dat	xmrig
behavioral2/files/0x000700000002344f-148.dat	xmrig
behavioral2/files/0x000700000002344e-143.dat	xmrig
behavioral2/files/0x000700000002344d-138.dat	xmrig
behavioral2/files/0x000700000002344b-128.dat	xmrig
behavioral2/files/0x000700000002344a-123.dat	xmrig
behavioral2/files/0x0007000000023449-118.dat	xmrig
behavioral2/files/0x0007000000023448-113.dat	xmrig
behavioral2/files/0x0007000000023446-103.dat	xmrig
behavioral2/files/0x0007000000023444-93.dat	xmrig
behavioral2/files/0x0007000000023443-88.dat	xmrig
behavioral2/files/0x0007000000023442-83.dat	xmrig
behavioral2/files/0x0007000000023441-78.dat	xmrig
behavioral2/files/0x0007000000023440-73.dat	xmrig
behavioral2/files/0x000700000002343e-63.dat	xmrig
behavioral2/files/0x000700000002343c-53.dat	xmrig
behavioral2/files/0x000700000002343a-43.dat	xmrig
behavioral2/files/0x0007000000023439-38.dat	xmrig
behavioral2/files/0x0007000000023438-33.dat	xmrig
behavioral2/files/0x0007000000023436-23.dat	xmrig
behavioral2/memory/4804-17-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp	xmrig
behavioral2/memory/4912-9-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp	xmrig
behavioral2/memory/664-1903-0x00007FF638550000-0x00007FF638945000-memory.dmp	xmrig
behavioral2/memory/4912-1904-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp	xmrig
behavioral2/memory/4804-1905-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp	xmrig
behavioral2/memory/4420-1908-0x00007FF707D50000-0x00007FF708145000-memory.dmp	xmrig
behavioral2/memory/4616-1909-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp	xmrig
behavioral2/memory/456-1910-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp	xmrig
behavioral2/memory/756-1911-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4912	AZpXUJP.exe
4804	bsQWkXE.exe
1540	GFyvXum.exe
4668	MptyWHI.exe
4420	pUgovCQ.exe
4616	iaaGvqJ.exe
456	RGOKNOE.exe
756	PgjsWpp.exe
2020	kOlOkuR.exe
3892	BclrSMd.exe
3456	YchpHOH.exe
1772	weezxGV.exe
3132	UbPrNHu.exe
3432	UrRCmlf.exe
4412	nBxSfXI.exe
3180	XpsSsDu.exe
2148	nLlukgm.exe
692	sRoznlc.exe
3912	dbwjlsK.exe
4180	ZPnIUPf.exe
4264	AdRHjcU.exe
3976	KBalCux.exe
3228	kgOCnUG.exe
3384	wqtCNQL.exe
1812	YPSCYwI.exe
212	ZwCHXqm.exe
4524	TDqTwXw.exe
3652	mzCSVuD.exe
60	zZylvxi.exe
3628	FwRPqLp.exe
3036	YUyDCvr.exe
4672	BHuqyRd.exe
4704	jUdCKAd.exe
1056	pMBMkdX.exe
4252	KddtDPM.exe
1784	ijAlqri.exe
1324	dCSKjzm.exe
3108	yaiTejf.exe
3740	RmgeDAw.exe
3848	xKvdmui.exe
3080	LDwtPAs.exe
3964	MLLTtHt.exe
2532	meQJJuN.exe
844	QynrwTT.exe
1424	TtfOkSO.exe
3584	NlergIL.exe
4332	EpwQEuj.exe
1612	YJDWPgY.exe
2584	RoMlDXP.exe
1152	WEgxtDr.exe
3620	avOpIyo.exe
1928	qFWYSfV.exe
2972	uKswgxX.exe
1132	QTpqiqx.exe
3300	JrtHEuv.exe
4724	tPhrkJP.exe
3552	RUgTcvG.exe
4540	ZAYlZEy.exe
2952	SJlIMWS.exe
4048	gibUlpd.exe
1072	GGYTUlN.exe
2796	OEPoSKW.exe
3932	YKPdzRs.exe
1000	fJpFBuQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/664-0-0x00007FF638550000-0x00007FF638945000-memory.dmp	upx
behavioral2/files/0x00070000000232a4-4.dat	upx
behavioral2/files/0x0007000000023434-11.dat	upx
behavioral2/files/0x0007000000023435-10.dat	upx
behavioral2/files/0x0007000000023437-26.dat	upx
behavioral2/files/0x000700000002343b-46.dat	upx
behavioral2/files/0x000700000002343d-56.dat	upx
behavioral2/files/0x000700000002343f-66.dat	upx
behavioral2/files/0x0007000000023445-98.dat	upx
behavioral2/files/0x0007000000023447-108.dat	upx
behavioral2/files/0x000700000002344c-131.dat	upx
behavioral2/memory/4668-682-0x00007FF643790000-0x00007FF643B85000-memory.dmp	upx
behavioral2/memory/4420-683-0x00007FF707D50000-0x00007FF708145000-memory.dmp	upx
behavioral2/memory/4616-684-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp	upx
behavioral2/memory/456-685-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp	upx
behavioral2/memory/2020-687-0x00007FF78D490000-0x00007FF78D885000-memory.dmp	upx
behavioral2/memory/756-686-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp	upx
behavioral2/memory/3892-688-0x00007FF6E9000000-0x00007FF6E93F5000-memory.dmp	upx
behavioral2/memory/3456-689-0x00007FF7A1E30000-0x00007FF7A2225000-memory.dmp	upx
behavioral2/memory/3432-696-0x00007FF77C960000-0x00007FF77CD55000-memory.dmp	upx
behavioral2/memory/4412-699-0x00007FF77BF00000-0x00007FF77C2F5000-memory.dmp	upx
behavioral2/memory/4264-754-0x00007FF7457C0000-0x00007FF745BB5000-memory.dmp	upx
behavioral2/memory/3976-764-0x00007FF73A550000-0x00007FF73A945000-memory.dmp	upx
behavioral2/memory/3228-770-0x00007FF61CD80000-0x00007FF61D175000-memory.dmp	upx
behavioral2/memory/1540-785-0x00007FF6B82B0000-0x00007FF6B86A5000-memory.dmp	upx
behavioral2/memory/3384-778-0x00007FF652F40000-0x00007FF653335000-memory.dmp	upx
behavioral2/memory/4180-747-0x00007FF659870000-0x00007FF659C65000-memory.dmp	upx
behavioral2/memory/3912-735-0x00007FF6595F0000-0x00007FF6599E5000-memory.dmp	upx
behavioral2/memory/692-727-0x00007FF685C40000-0x00007FF686035000-memory.dmp	upx
behavioral2/memory/2148-716-0x00007FF7E3820000-0x00007FF7E3C15000-memory.dmp	upx
behavioral2/memory/3180-706-0x00007FF658F60000-0x00007FF659355000-memory.dmp	upx
behavioral2/memory/3132-691-0x00007FF6FE2F0000-0x00007FF6FE6E5000-memory.dmp	upx
behavioral2/memory/1772-690-0x00007FF6D73C0000-0x00007FF6D77B5000-memory.dmp	upx
behavioral2/files/0x0007000000023452-163.dat	upx
behavioral2/files/0x0007000000023451-158.dat	upx
behavioral2/files/0x0007000000023450-153.dat	upx
behavioral2/files/0x000700000002344f-148.dat	upx
behavioral2/files/0x000700000002344e-143.dat	upx
behavioral2/files/0x000700000002344d-138.dat	upx
behavioral2/files/0x000700000002344b-128.dat	upx
behavioral2/files/0x000700000002344a-123.dat	upx
behavioral2/files/0x0007000000023449-118.dat	upx
behavioral2/files/0x0007000000023448-113.dat	upx
behavioral2/files/0x0007000000023446-103.dat	upx
behavioral2/files/0x0007000000023444-93.dat	upx
behavioral2/files/0x0007000000023443-88.dat	upx
behavioral2/files/0x0007000000023442-83.dat	upx
behavioral2/files/0x0007000000023441-78.dat	upx
behavioral2/files/0x0007000000023440-73.dat	upx
behavioral2/files/0x000700000002343e-63.dat	upx
behavioral2/files/0x000700000002343c-53.dat	upx
behavioral2/files/0x000700000002343a-43.dat	upx
behavioral2/files/0x0007000000023439-38.dat	upx
behavioral2/files/0x0007000000023438-33.dat	upx
behavioral2/files/0x0007000000023436-23.dat	upx
behavioral2/memory/4804-17-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp	upx
behavioral2/memory/4912-9-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp	upx
behavioral2/memory/664-1903-0x00007FF638550000-0x00007FF638945000-memory.dmp	upx
behavioral2/memory/4912-1904-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp	upx
behavioral2/memory/4804-1905-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp	upx
behavioral2/memory/4420-1908-0x00007FF707D50000-0x00007FF708145000-memory.dmp	upx
behavioral2/memory/4616-1909-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp	upx
behavioral2/memory/456-1910-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp	upx
behavioral2/memory/756-1911-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\yeRegJY.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\sXsEQDR.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\CHUeaSC.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\bldeSZf.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\FPtVsRz.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\dCSKjzm.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\epYKPJa.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\gdeAQBQ.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\ASBCLHC.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\qLZeLrS.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\qQjLHsp.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\oxtHAUA.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\qJkVCdX.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\RmgeDAw.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\VREDrFg.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\jMlJgtj.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\mJJdeIu.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\pyPydQW.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\LFAJotj.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\ORRXKme.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\quJUcDK.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\gJHWVMa.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\AzBuMyF.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\prpGzAL.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\jwYzNXc.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\MptyWHI.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\JMLryIz.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\DPLGaAo.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\OSuniia.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\NwcHJnX.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\avOpIyo.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\rZxYlOG.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\sfnIFWi.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\UrRCmlf.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\TbAQuGZ.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\BAnCydz.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\GWqmHXk.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\fOaIpCi.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\KZmPGHb.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\vHxRcRs.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\nSgZzOS.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\EBBCjqv.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\nhkyymm.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\BvIWxoN.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\QLLkLci.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\GBNkgxe.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\wXtRJvb.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\HOmVoTf.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\gKpSKjw.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\hUMovaL.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\hAflIkd.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\tPhrkJP.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\SJlIMWS.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\aXmYaEB.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\mkZcHWd.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\yelHOLS.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\oOuzien.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\CpcJHKz.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\AdRHjcU.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\HFueyiy.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\rIfYXYa.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\eEtuTmG.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\VPynoQs.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
File created	C:\Windows\System32\JRMctAp.exe	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	8880	dwm.exe
Token: SeChangeNotifyPrivilege	8880	dwm.exe
Token: 33	8880	dwm.exe
Token: SeIncBasePriorityPrivilege	8880	dwm.exe
Token: SeShutdownPrivilege	8880	dwm.exe
Token: SeCreatePagefilePrivilege	8880	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 4912	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	85
PID 664 wrote to memory of 4912	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	85
PID 664 wrote to memory of 4804	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	86
PID 664 wrote to memory of 4804	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	86
PID 664 wrote to memory of 1540	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	87
PID 664 wrote to memory of 1540	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	87
PID 664 wrote to memory of 4668	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	88
PID 664 wrote to memory of 4668	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	88
PID 664 wrote to memory of 4420	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	89
PID 664 wrote to memory of 4420	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	89
PID 664 wrote to memory of 4616	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	90
PID 664 wrote to memory of 4616	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	90
PID 664 wrote to memory of 456	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	91
PID 664 wrote to memory of 456	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	91
PID 664 wrote to memory of 756	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	92
PID 664 wrote to memory of 756	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	92
PID 664 wrote to memory of 2020	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	93
PID 664 wrote to memory of 2020	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	93
PID 664 wrote to memory of 3892	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	94
PID 664 wrote to memory of 3892	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	94
PID 664 wrote to memory of 3456	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	95
PID 664 wrote to memory of 3456	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	95
PID 664 wrote to memory of 1772	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	96
PID 664 wrote to memory of 1772	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	96
PID 664 wrote to memory of 3132	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	97
PID 664 wrote to memory of 3132	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	97
PID 664 wrote to memory of 3432	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	98
PID 664 wrote to memory of 3432	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	98
PID 664 wrote to memory of 4412	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	99
PID 664 wrote to memory of 4412	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	99
PID 664 wrote to memory of 3180	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	100
PID 664 wrote to memory of 3180	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	100
PID 664 wrote to memory of 2148	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	101
PID 664 wrote to memory of 2148	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	101
PID 664 wrote to memory of 692	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	102
PID 664 wrote to memory of 692	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	102
PID 664 wrote to memory of 3912	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	103
PID 664 wrote to memory of 3912	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	103
PID 664 wrote to memory of 4180	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	104
PID 664 wrote to memory of 4180	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	104
PID 664 wrote to memory of 4264	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	105
PID 664 wrote to memory of 4264	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	105
PID 664 wrote to memory of 3976	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	106
PID 664 wrote to memory of 3976	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	106
PID 664 wrote to memory of 3228	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	107
PID 664 wrote to memory of 3228	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	107
PID 664 wrote to memory of 3384	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	108
PID 664 wrote to memory of 3384	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	108
PID 664 wrote to memory of 1812	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	109
PID 664 wrote to memory of 1812	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	109
PID 664 wrote to memory of 212	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	110
PID 664 wrote to memory of 212	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	110
PID 664 wrote to memory of 4524	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	111
PID 664 wrote to memory of 4524	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	111
PID 664 wrote to memory of 3652	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	112
PID 664 wrote to memory of 3652	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	112
PID 664 wrote to memory of 60	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	113
PID 664 wrote to memory of 60	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	113
PID 664 wrote to memory of 3628	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	114
PID 664 wrote to memory of 3628	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	114
PID 664 wrote to memory of 3036	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	115
PID 664 wrote to memory of 3036	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	115
PID 664 wrote to memory of 4672	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	116
PID 664 wrote to memory of 4672	664	555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\555f97e844de510b04b9f7b33769ff10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\System32\AZpXUJP.exe
  C:\Windows\System32\AZpXUJP.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\bsQWkXE.exe
  C:\Windows\System32\bsQWkXE.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\GFyvXum.exe
  C:\Windows\System32\GFyvXum.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\MptyWHI.exe
  C:\Windows\System32\MptyWHI.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\pUgovCQ.exe
  C:\Windows\System32\pUgovCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\iaaGvqJ.exe
  C:\Windows\System32\iaaGvqJ.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\RGOKNOE.exe
  C:\Windows\System32\RGOKNOE.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\PgjsWpp.exe
  C:\Windows\System32\PgjsWpp.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\kOlOkuR.exe
  C:\Windows\System32\kOlOkuR.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\BclrSMd.exe
  C:\Windows\System32\BclrSMd.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\YchpHOH.exe
  C:\Windows\System32\YchpHOH.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\weezxGV.exe
  C:\Windows\System32\weezxGV.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\UbPrNHu.exe
  C:\Windows\System32\UbPrNHu.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\UrRCmlf.exe
  C:\Windows\System32\UrRCmlf.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\nBxSfXI.exe
  C:\Windows\System32\nBxSfXI.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\XpsSsDu.exe
  C:\Windows\System32\XpsSsDu.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\nLlukgm.exe
  C:\Windows\System32\nLlukgm.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\sRoznlc.exe
  C:\Windows\System32\sRoznlc.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\dbwjlsK.exe
  C:\Windows\System32\dbwjlsK.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\ZPnIUPf.exe
  C:\Windows\System32\ZPnIUPf.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System32\AdRHjcU.exe
  C:\Windows\System32\AdRHjcU.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\KBalCux.exe
  C:\Windows\System32\KBalCux.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\kgOCnUG.exe
  C:\Windows\System32\kgOCnUG.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\wqtCNQL.exe
  C:\Windows\System32\wqtCNQL.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\YPSCYwI.exe
  C:\Windows\System32\YPSCYwI.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\ZwCHXqm.exe
  C:\Windows\System32\ZwCHXqm.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\TDqTwXw.exe
  C:\Windows\System32\TDqTwXw.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\mzCSVuD.exe
  C:\Windows\System32\mzCSVuD.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\zZylvxi.exe
  C:\Windows\System32\zZylvxi.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\FwRPqLp.exe
  C:\Windows\System32\FwRPqLp.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\YUyDCvr.exe
  C:\Windows\System32\YUyDCvr.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\BHuqyRd.exe
  C:\Windows\System32\BHuqyRd.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\jUdCKAd.exe
  C:\Windows\System32\jUdCKAd.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\pMBMkdX.exe
  C:\Windows\System32\pMBMkdX.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\KddtDPM.exe
  C:\Windows\System32\KddtDPM.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\ijAlqri.exe
  C:\Windows\System32\ijAlqri.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System32\dCSKjzm.exe
  C:\Windows\System32\dCSKjzm.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\yaiTejf.exe
  C:\Windows\System32\yaiTejf.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\RmgeDAw.exe
  C:\Windows\System32\RmgeDAw.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\xKvdmui.exe
  C:\Windows\System32\xKvdmui.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\LDwtPAs.exe
  C:\Windows\System32\LDwtPAs.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\MLLTtHt.exe
  C:\Windows\System32\MLLTtHt.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\meQJJuN.exe
  C:\Windows\System32\meQJJuN.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\QynrwTT.exe
  C:\Windows\System32\QynrwTT.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System32\TtfOkSO.exe
  C:\Windows\System32\TtfOkSO.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\NlergIL.exe
  C:\Windows\System32\NlergIL.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\EpwQEuj.exe
  C:\Windows\System32\EpwQEuj.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\YJDWPgY.exe
  C:\Windows\System32\YJDWPgY.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\RoMlDXP.exe
  C:\Windows\System32\RoMlDXP.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\WEgxtDr.exe
  C:\Windows\System32\WEgxtDr.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\avOpIyo.exe
  C:\Windows\System32\avOpIyo.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System32\qFWYSfV.exe
  C:\Windows\System32\qFWYSfV.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\uKswgxX.exe
  C:\Windows\System32\uKswgxX.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\QTpqiqx.exe
  C:\Windows\System32\QTpqiqx.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\JrtHEuv.exe
  C:\Windows\System32\JrtHEuv.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\tPhrkJP.exe
  C:\Windows\System32\tPhrkJP.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\RUgTcvG.exe
  C:\Windows\System32\RUgTcvG.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\ZAYlZEy.exe
  C:\Windows\System32\ZAYlZEy.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\SJlIMWS.exe
  C:\Windows\System32\SJlIMWS.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\gibUlpd.exe
  C:\Windows\System32\gibUlpd.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\GGYTUlN.exe
  C:\Windows\System32\GGYTUlN.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System32\OEPoSKW.exe
  C:\Windows\System32\OEPoSKW.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\YKPdzRs.exe
  C:\Windows\System32\YKPdzRs.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\fJpFBuQ.exe
  C:\Windows\System32\fJpFBuQ.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\wbgCuHq.exe
  C:\Windows\System32\wbgCuHq.exe
  2⤵
  PID:1372
- C:\Windows\System32\ivlyNwS.exe
  C:\Windows\System32\ivlyNwS.exe
  2⤵
  PID:3520
- C:\Windows\System32\ccOmBZc.exe
  C:\Windows\System32\ccOmBZc.exe
  2⤵
  PID:1380
- C:\Windows\System32\quJUcDK.exe
  C:\Windows\System32\quJUcDK.exe
  2⤵
  PID:4928
- C:\Windows\System32\OaWLpcf.exe
  C:\Windows\System32\OaWLpcf.exe
  2⤵
  PID:4032
- C:\Windows\System32\HftYLrU.exe
  C:\Windows\System32\HftYLrU.exe
  2⤵
  PID:5096
- C:\Windows\System32\RCUylFp.exe
  C:\Windows\System32\RCUylFp.exe
  2⤵
  PID:3156
- C:\Windows\System32\lWtMreI.exe
  C:\Windows\System32\lWtMreI.exe
  2⤵
  PID:2304
- C:\Windows\System32\JRiGteT.exe
  C:\Windows\System32\JRiGteT.exe
  2⤵
  PID:3820
- C:\Windows\System32\uxRDfpG.exe
  C:\Windows\System32\uxRDfpG.exe
  2⤵
  PID:628
- C:\Windows\System32\FNqnXHl.exe
  C:\Windows\System32\FNqnXHl.exe
  2⤵
  PID:4496
- C:\Windows\System32\ccGGgfv.exe
  C:\Windows\System32\ccGGgfv.exe
  2⤵
  PID:4392
- C:\Windows\System32\fqJwYnB.exe
  C:\Windows\System32\fqJwYnB.exe
  2⤵
  PID:3084
- C:\Windows\System32\scWNEbf.exe
  C:\Windows\System32\scWNEbf.exe
  2⤵
  PID:1508
- C:\Windows\System32\lobQEvB.exe
  C:\Windows\System32\lobQEvB.exe
  2⤵
  PID:2900
- C:\Windows\System32\fVJfdcE.exe
  C:\Windows\System32\fVJfdcE.exe
  2⤵
  PID:1656
- C:\Windows\System32\SrEfdOp.exe
  C:\Windows\System32\SrEfdOp.exe
  2⤵
  PID:4452
- C:\Windows\System32\ZIdwXBS.exe
  C:\Windows\System32\ZIdwXBS.exe
  2⤵
  PID:5136
- C:\Windows\System32\nIWYkHn.exe
  C:\Windows\System32\nIWYkHn.exe
  2⤵
  PID:5164
- C:\Windows\System32\LBlqHpn.exe
  C:\Windows\System32\LBlqHpn.exe
  2⤵
  PID:5192
- C:\Windows\System32\mPqBnIS.exe
  C:\Windows\System32\mPqBnIS.exe
  2⤵
  PID:5220
- C:\Windows\System32\xbFZqjP.exe
  C:\Windows\System32\xbFZqjP.exe
  2⤵
  PID:5248
- C:\Windows\System32\PLoJrIc.exe
  C:\Windows\System32\PLoJrIc.exe
  2⤵
  PID:5276
- C:\Windows\System32\ZvPvCXq.exe
  C:\Windows\System32\ZvPvCXq.exe
  2⤵
  PID:5304
- C:\Windows\System32\fgskIpv.exe
  C:\Windows\System32\fgskIpv.exe
  2⤵
  PID:5332
- C:\Windows\System32\huLhgig.exe
  C:\Windows\System32\huLhgig.exe
  2⤵
  PID:5360
- C:\Windows\System32\koAmDAc.exe
  C:\Windows\System32\koAmDAc.exe
  2⤵
  PID:5388
- C:\Windows\System32\QLrTDwr.exe
  C:\Windows\System32\QLrTDwr.exe
  2⤵
  PID:5416
- C:\Windows\System32\sIXmRAZ.exe
  C:\Windows\System32\sIXmRAZ.exe
  2⤵
  PID:5444
- C:\Windows\System32\ErWUruq.exe
  C:\Windows\System32\ErWUruq.exe
  2⤵
  PID:5472
- C:\Windows\System32\UAPjZuc.exe
  C:\Windows\System32\UAPjZuc.exe
  2⤵
  PID:5500
- C:\Windows\System32\eOmzVAy.exe
  C:\Windows\System32\eOmzVAy.exe
  2⤵
  PID:5528
- C:\Windows\System32\uvFujxi.exe
  C:\Windows\System32\uvFujxi.exe
  2⤵
  PID:5556
- C:\Windows\System32\LpsHphQ.exe
  C:\Windows\System32\LpsHphQ.exe
  2⤵
  PID:5592
- C:\Windows\System32\ASHnNoI.exe
  C:\Windows\System32\ASHnNoI.exe
  2⤵
  PID:5620
- C:\Windows\System32\OKxZkNa.exe
  C:\Windows\System32\OKxZkNa.exe
  2⤵
  PID:5648
- C:\Windows\System32\HFUmEma.exe
  C:\Windows\System32\HFUmEma.exe
  2⤵
  PID:5668
- C:\Windows\System32\RUyveag.exe
  C:\Windows\System32\RUyveag.exe
  2⤵
  PID:5696
- C:\Windows\System32\SutZUUo.exe
  C:\Windows\System32\SutZUUo.exe
  2⤵
  PID:5724
- C:\Windows\System32\meMokuw.exe
  C:\Windows\System32\meMokuw.exe
  2⤵
  PID:5752
- C:\Windows\System32\QlQIloK.exe
  C:\Windows\System32\QlQIloK.exe
  2⤵
  PID:5780
- C:\Windows\System32\ifTzsJe.exe
  C:\Windows\System32\ifTzsJe.exe
  2⤵
  PID:5808
- C:\Windows\System32\EKlkfZU.exe
  C:\Windows\System32\EKlkfZU.exe
  2⤵
  PID:5836
- C:\Windows\System32\XeOFkwh.exe
  C:\Windows\System32\XeOFkwh.exe
  2⤵
  PID:5864
- C:\Windows\System32\BWRuzZL.exe
  C:\Windows\System32\BWRuzZL.exe
  2⤵
  PID:5892
- C:\Windows\System32\NMdtbqv.exe
  C:\Windows\System32\NMdtbqv.exe
  2⤵
  PID:5920
- C:\Windows\System32\JxXLwkF.exe
  C:\Windows\System32\JxXLwkF.exe
  2⤵
  PID:5948
- C:\Windows\System32\dRzVafr.exe
  C:\Windows\System32\dRzVafr.exe
  2⤵
  PID:5984
- C:\Windows\System32\SxzXbDs.exe
  C:\Windows\System32\SxzXbDs.exe
  2⤵
  PID:6012
- C:\Windows\System32\zFDgden.exe
  C:\Windows\System32\zFDgden.exe
  2⤵
  PID:6032
- C:\Windows\System32\MCjNrMz.exe
  C:\Windows\System32\MCjNrMz.exe
  2⤵
  PID:6060
- C:\Windows\System32\KLMrozH.exe
  C:\Windows\System32\KLMrozH.exe
  2⤵
  PID:6088
- C:\Windows\System32\ZAYDeWe.exe
  C:\Windows\System32\ZAYDeWe.exe
  2⤵
  PID:6116
- C:\Windows\System32\puEUpJC.exe
  C:\Windows\System32\puEUpJC.exe
  2⤵
  PID:3124
- C:\Windows\System32\QxugxOA.exe
  C:\Windows\System32\QxugxOA.exe
  2⤵
  PID:3376
- C:\Windows\System32\VCNOJHN.exe
  C:\Windows\System32\VCNOJHN.exe
  2⤵
  PID:1416
- C:\Windows\System32\BcZVRsx.exe
  C:\Windows\System32\BcZVRsx.exe
  2⤵
  PID:5124
- C:\Windows\System32\rWUPhNM.exe
  C:\Windows\System32\rWUPhNM.exe
  2⤵
  PID:5144
- C:\Windows\System32\QjjYCkn.exe
  C:\Windows\System32\QjjYCkn.exe
  2⤵
  PID:5236
- C:\Windows\System32\fmutozU.exe
  C:\Windows\System32\fmutozU.exe
  2⤵
  PID:5284
- C:\Windows\System32\HPPHeSL.exe
  C:\Windows\System32\HPPHeSL.exe
  2⤵
  PID:5352
- C:\Windows\System32\ZKzpFAT.exe
  C:\Windows\System32\ZKzpFAT.exe
  2⤵
  PID:5432
- C:\Windows\System32\eTeSOSS.exe
  C:\Windows\System32\eTeSOSS.exe
  2⤵
  PID:5480
- C:\Windows\System32\ORRXKme.exe
  C:\Windows\System32\ORRXKme.exe
  2⤵
  PID:5548
- C:\Windows\System32\GMlIuGN.exe
  C:\Windows\System32\GMlIuGN.exe
  2⤵
  PID:5616
- C:\Windows\System32\rGNbaXl.exe
  C:\Windows\System32\rGNbaXl.exe
  2⤵
  PID:5676
- C:\Windows\System32\trjKoug.exe
  C:\Windows\System32\trjKoug.exe
  2⤵
  PID:5732
- C:\Windows\System32\QmHiFvU.exe
  C:\Windows\System32\QmHiFvU.exe
  2⤵
  PID:5788
- C:\Windows\System32\VREDrFg.exe
  C:\Windows\System32\VREDrFg.exe
  2⤵
  PID:5880
- C:\Windows\System32\FuNmrEO.exe
  C:\Windows\System32\FuNmrEO.exe
  2⤵
  PID:5928
- C:\Windows\System32\WhTYYJl.exe
  C:\Windows\System32\WhTYYJl.exe
  2⤵
  PID:6000
- C:\Windows\System32\iTvZdNx.exe
  C:\Windows\System32\iTvZdNx.exe
  2⤵
  PID:6076
- C:\Windows\System32\aeCkrGQ.exe
  C:\Windows\System32\aeCkrGQ.exe
  2⤵
  PID:6124
- C:\Windows\System32\luhQkbs.exe
  C:\Windows\System32\luhQkbs.exe
  2⤵
  PID:2028
- C:\Windows\System32\laqnfTF.exe
  C:\Windows\System32\laqnfTF.exe
  2⤵
  PID:5208
- C:\Windows\System32\HMQfAYt.exe
  C:\Windows\System32\HMQfAYt.exe
  2⤵
  PID:5320
- C:\Windows\System32\hxFnPVJ.exe
  C:\Windows\System32\hxFnPVJ.exe
  2⤵
  PID:5464
- C:\Windows\System32\smAyxNz.exe
  C:\Windows\System32\smAyxNz.exe
  2⤵
  PID:5656
- C:\Windows\System32\rZPVLee.exe
  C:\Windows\System32\rZPVLee.exe
  2⤵
  PID:5768
- C:\Windows\System32\BFheGvf.exe
  C:\Windows\System32\BFheGvf.exe
  2⤵
  PID:5912
- C:\Windows\System32\RRAvkJQ.exe
  C:\Windows\System32\RRAvkJQ.exe
  2⤵
  PID:6096
- C:\Windows\System32\dDWJPay.exe
  C:\Windows\System32\dDWJPay.exe
  2⤵
  PID:6172
- C:\Windows\System32\sFEmLVN.exe
  C:\Windows\System32\sFEmLVN.exe
  2⤵
  PID:6200
- C:\Windows\System32\NwcHJnX.exe
  C:\Windows\System32\NwcHJnX.exe
  2⤵
  PID:6228
- C:\Windows\System32\PZTpAub.exe
  C:\Windows\System32\PZTpAub.exe
  2⤵
  PID:6256
- C:\Windows\System32\cAUpkwt.exe
  C:\Windows\System32\cAUpkwt.exe
  2⤵
  PID:6284
- C:\Windows\System32\fgAmehV.exe
  C:\Windows\System32\fgAmehV.exe
  2⤵
  PID:6312
- C:\Windows\System32\oQFESUI.exe
  C:\Windows\System32\oQFESUI.exe
  2⤵
  PID:6340
- C:\Windows\System32\gEEiyWa.exe
  C:\Windows\System32\gEEiyWa.exe
  2⤵
  PID:6368
- C:\Windows\System32\JMLryIz.exe
  C:\Windows\System32\JMLryIz.exe
  2⤵
  PID:6396
- C:\Windows\System32\jSBPUTS.exe
  C:\Windows\System32\jSBPUTS.exe
  2⤵
  PID:6424
- C:\Windows\System32\rVtcPmy.exe
  C:\Windows\System32\rVtcPmy.exe
  2⤵
  PID:6452
- C:\Windows\System32\prQVTQC.exe
  C:\Windows\System32\prQVTQC.exe
  2⤵
  PID:6480
- C:\Windows\System32\HIwJHBX.exe
  C:\Windows\System32\HIwJHBX.exe
  2⤵
  PID:6508
- C:\Windows\System32\BvraLlY.exe
  C:\Windows\System32\BvraLlY.exe
  2⤵
  PID:6536
- C:\Windows\System32\OJVFBpp.exe
  C:\Windows\System32\OJVFBpp.exe
  2⤵
  PID:6564
- C:\Windows\System32\GlPybVP.exe
  C:\Windows\System32\GlPybVP.exe
  2⤵
  PID:6592
- C:\Windows\System32\EyCzSjS.exe
  C:\Windows\System32\EyCzSjS.exe
  2⤵
  PID:6632
- C:\Windows\System32\jMlJgtj.exe
  C:\Windows\System32\jMlJgtj.exe
  2⤵
  PID:6648
- C:\Windows\System32\bPggILd.exe
  C:\Windows\System32\bPggILd.exe
  2⤵
  PID:6676
- C:\Windows\System32\EEhCUYk.exe
  C:\Windows\System32\EEhCUYk.exe
  2⤵
  PID:6716
- C:\Windows\System32\NAvXBVA.exe
  C:\Windows\System32\NAvXBVA.exe
  2⤵
  PID:6740
- C:\Windows\System32\DXDXZsb.exe
  C:\Windows\System32\DXDXZsb.exe
  2⤵
  PID:6760
- C:\Windows\System32\mhzcOIo.exe
  C:\Windows\System32\mhzcOIo.exe
  2⤵
  PID:6788
- C:\Windows\System32\yFyCZMj.exe
  C:\Windows\System32\yFyCZMj.exe
  2⤵
  PID:6816
- C:\Windows\System32\zkShQot.exe
  C:\Windows\System32\zkShQot.exe
  2⤵
  PID:6856
- C:\Windows\System32\KfxoNpV.exe
  C:\Windows\System32\KfxoNpV.exe
  2⤵
  PID:6880
- C:\Windows\System32\oFfemJj.exe
  C:\Windows\System32\oFfemJj.exe
  2⤵
  PID:6900
- C:\Windows\System32\OgUHWfq.exe
  C:\Windows\System32\OgUHWfq.exe
  2⤵
  PID:6928
- C:\Windows\System32\CaaShEH.exe
  C:\Windows\System32\CaaShEH.exe
  2⤵
  PID:6956
- C:\Windows\System32\lHQuStQ.exe
  C:\Windows\System32\lHQuStQ.exe
  2⤵
  PID:6984
- C:\Windows\System32\ZSXIWbT.exe
  C:\Windows\System32\ZSXIWbT.exe
  2⤵
  PID:7012
- C:\Windows\System32\PApxtoN.exe
  C:\Windows\System32\PApxtoN.exe
  2⤵
  PID:7040
- C:\Windows\System32\XmBECjO.exe
  C:\Windows\System32\XmBECjO.exe
  2⤵
  PID:7068
- C:\Windows\System32\MWLyTho.exe
  C:\Windows\System32\MWLyTho.exe
  2⤵
  PID:7096
- C:\Windows\System32\DfROhXw.exe
  C:\Windows\System32\DfROhXw.exe
  2⤵
  PID:7124
- C:\Windows\System32\UaVXptP.exe
  C:\Windows\System32\UaVXptP.exe
  2⤵
  PID:7152
- C:\Windows\System32\bIpZfUm.exe
  C:\Windows\System32\bIpZfUm.exe
  2⤵
  PID:4284
- C:\Windows\System32\UVxBtjN.exe
  C:\Windows\System32\UVxBtjN.exe
  2⤵
  PID:5268
- C:\Windows\System32\IVVuyri.exe
  C:\Windows\System32\IVVuyri.exe
  2⤵
  PID:1868
- C:\Windows\System32\mrAGFiQ.exe
  C:\Windows\System32\mrAGFiQ.exe
  2⤵
  PID:6048
- C:\Windows\System32\TscidYV.exe
  C:\Windows\System32\TscidYV.exe
  2⤵
  PID:6188
- C:\Windows\System32\hdkFNAV.exe
  C:\Windows\System32\hdkFNAV.exe
  2⤵
  PID:6236
- C:\Windows\System32\WTndVJj.exe
  C:\Windows\System32\WTndVJj.exe
  2⤵
  PID:6304
- C:\Windows\System32\mlWUNeK.exe
  C:\Windows\System32\mlWUNeK.exe
  2⤵
  PID:6384
- C:\Windows\System32\ZuwtDfE.exe
  C:\Windows\System32\ZuwtDfE.exe
  2⤵
  PID:6440
- C:\Windows\System32\lXODjfB.exe
  C:\Windows\System32\lXODjfB.exe
  2⤵
  PID:6488
- C:\Windows\System32\TswhkMy.exe
  C:\Windows\System32\TswhkMy.exe
  2⤵
  PID:6572
- C:\Windows\System32\InThmAE.exe
  C:\Windows\System32\InThmAE.exe
  2⤵
  PID:6644
- C:\Windows\System32\HJuKAVC.exe
  C:\Windows\System32\HJuKAVC.exe
  2⤵
  PID:6692
- C:\Windows\System32\UTyrjxV.exe
  C:\Windows\System32\UTyrjxV.exe
  2⤵
  PID:6748
- C:\Windows\System32\LwvmRDF.exe
  C:\Windows\System32\LwvmRDF.exe
  2⤵
  PID:6808
- C:\Windows\System32\bttYnny.exe
  C:\Windows\System32\bttYnny.exe
  2⤵
  PID:6868
- C:\Windows\System32\XzTcZhU.exe
  C:\Windows\System32\XzTcZhU.exe
  2⤵
  PID:6944
- C:\Windows\System32\HhUKGog.exe
  C:\Windows\System32\HhUKGog.exe
  2⤵
  PID:7000
- C:\Windows\System32\uUBUPeA.exe
  C:\Windows\System32\uUBUPeA.exe
  2⤵
  PID:7048
- C:\Windows\System32\beXeRDG.exe
  C:\Windows\System32\beXeRDG.exe
  2⤵
  PID:7140
- C:\Windows\System32\YvknTsk.exe
  C:\Windows\System32\YvknTsk.exe
  2⤵
  PID:2132
- C:\Windows\System32\rnCPoMj.exe
  C:\Windows\System32\rnCPoMj.exe
  2⤵
  PID:4260
- C:\Windows\System32\oSMwgxn.exe
  C:\Windows\System32\oSMwgxn.exe
  2⤵
  PID:6192
- C:\Windows\System32\ZdGCcVL.exe
  C:\Windows\System32\ZdGCcVL.exe
  2⤵
  PID:6300
- C:\Windows\System32\FbLfgzq.exe
  C:\Windows\System32\FbLfgzq.exe
  2⤵
  PID:6824
- C:\Windows\System32\HoVWFFS.exe
  C:\Windows\System32\HoVWFFS.exe
  2⤵
  PID:6964
- C:\Windows\System32\yeRegJY.exe
  C:\Windows\System32\yeRegJY.exe
  2⤵
  PID:2772
- C:\Windows\System32\xtuimTT.exe
  C:\Windows\System32\xtuimTT.exe
  2⤵
  PID:4920
- C:\Windows\System32\ciCsZvT.exe
  C:\Windows\System32\ciCsZvT.exe
  2⤵
  PID:7144
- C:\Windows\System32\QvGasAM.exe
  C:\Windows\System32\QvGasAM.exe
  2⤵
  PID:5516
- C:\Windows\System32\ZtNYRZC.exe
  C:\Windows\System32\ZtNYRZC.exe
  2⤵
  PID:4696
- C:\Windows\System32\XDDZxGF.exe
  C:\Windows\System32\XDDZxGF.exe
  2⤵
  PID:4324
- C:\Windows\System32\hLKIdeb.exe
  C:\Windows\System32\hLKIdeb.exe
  2⤵
  PID:2472
- C:\Windows\System32\AjRurVV.exe
  C:\Windows\System32\AjRurVV.exe
  2⤵
  PID:3632
- C:\Windows\System32\uezTQYT.exe
  C:\Windows\System32\uezTQYT.exe
  2⤵
  PID:5056
- C:\Windows\System32\pCBOrfI.exe
  C:\Windows\System32\pCBOrfI.exe
  2⤵
  PID:1172
- C:\Windows\System32\LJDTNgc.exe
  C:\Windows\System32\LJDTNgc.exe
  2⤵
  PID:6888
- C:\Windows\System32\ygiBhYh.exe
  C:\Windows\System32\ygiBhYh.exe
  2⤵
  PID:1080
- C:\Windows\System32\fGBzygU.exe
  C:\Windows\System32\fGBzygU.exe
  2⤵
  PID:2224
- C:\Windows\System32\orkELDg.exe
  C:\Windows\System32\orkELDg.exe
  2⤵
  PID:3760
- C:\Windows\System32\jfccGAb.exe
  C:\Windows\System32\jfccGAb.exe
  2⤵
  PID:3840
- C:\Windows\System32\OzHsUMo.exe
  C:\Windows\System32\OzHsUMo.exe
  2⤵
  PID:412
- C:\Windows\System32\JRMctAp.exe
  C:\Windows\System32\JRMctAp.exe
  2⤵
  PID:4544
- C:\Windows\System32\GRaIWqL.exe
  C:\Windows\System32\GRaIWqL.exe
  2⤵
  PID:3096
- C:\Windows\System32\kjQQxwx.exe
  C:\Windows\System32\kjQQxwx.exe
  2⤵
  PID:7224
- C:\Windows\System32\RNzRQbv.exe
  C:\Windows\System32\RNzRQbv.exe
  2⤵
  PID:7252
- C:\Windows\System32\tGACcVB.exe
  C:\Windows\System32\tGACcVB.exe
  2⤵
  PID:7284
- C:\Windows\System32\rnKEqcT.exe
  C:\Windows\System32\rnKEqcT.exe
  2⤵
  PID:7316
- C:\Windows\System32\RiWRmoX.exe
  C:\Windows\System32\RiWRmoX.exe
  2⤵
  PID:7392
- C:\Windows\System32\obDEITD.exe
  C:\Windows\System32\obDEITD.exe
  2⤵
  PID:7420
- C:\Windows\System32\hAflIkd.exe
  C:\Windows\System32\hAflIkd.exe
  2⤵
  PID:7448
- C:\Windows\System32\MbyvfZo.exe
  C:\Windows\System32\MbyvfZo.exe
  2⤵
  PID:7472
- C:\Windows\System32\rZxYlOG.exe
  C:\Windows\System32\rZxYlOG.exe
  2⤵
  PID:7516
- C:\Windows\System32\WwhJNwQ.exe
  C:\Windows\System32\WwhJNwQ.exe
  2⤵
  PID:7592
- C:\Windows\System32\giteqnY.exe
  C:\Windows\System32\giteqnY.exe
  2⤵
  PID:7624
- C:\Windows\System32\ulupLeP.exe
  C:\Windows\System32\ulupLeP.exe
  2⤵
  PID:7640
- C:\Windows\System32\nhkyymm.exe
  C:\Windows\System32\nhkyymm.exe
  2⤵
  PID:7660
- C:\Windows\System32\jbeYLKy.exe
  C:\Windows\System32\jbeYLKy.exe
  2⤵
  PID:7680
- C:\Windows\System32\zSfYuVd.exe
  C:\Windows\System32\zSfYuVd.exe
  2⤵
  PID:7740
- C:\Windows\System32\exTFTwR.exe
  C:\Windows\System32\exTFTwR.exe
  2⤵
  PID:7768
- C:\Windows\System32\JrTdHKu.exe
  C:\Windows\System32\JrTdHKu.exe
  2⤵
  PID:7788
- C:\Windows\System32\fxezIrC.exe
  C:\Windows\System32\fxezIrC.exe
  2⤵
  PID:7824
- C:\Windows\System32\NiqgBXx.exe
  C:\Windows\System32\NiqgBXx.exe
  2⤵
  PID:7856
- C:\Windows\System32\QkpQdiO.exe
  C:\Windows\System32\QkpQdiO.exe
  2⤵
  PID:7884
- C:\Windows\System32\aUfmDkJ.exe
  C:\Windows\System32\aUfmDkJ.exe
  2⤵
  PID:7932
- C:\Windows\System32\NrFpMcV.exe
  C:\Windows\System32\NrFpMcV.exe
  2⤵
  PID:7956
- C:\Windows\System32\SpEXcir.exe
  C:\Windows\System32\SpEXcir.exe
  2⤵
  PID:7976
- C:\Windows\System32\HMQGLXG.exe
  C:\Windows\System32\HMQGLXG.exe
  2⤵
  PID:7996
- C:\Windows\System32\fZYayxH.exe
  C:\Windows\System32\fZYayxH.exe
  2⤵
  PID:8080
- C:\Windows\System32\NToQcip.exe
  C:\Windows\System32\NToQcip.exe
  2⤵
  PID:8096
- C:\Windows\System32\aXmYaEB.exe
  C:\Windows\System32\aXmYaEB.exe
  2⤵
  PID:8144
- C:\Windows\System32\FqYuxYn.exe
  C:\Windows\System32\FqYuxYn.exe
  2⤵
  PID:8172
- C:\Windows\System32\pozEzvI.exe
  C:\Windows\System32\pozEzvI.exe
  2⤵
  PID:3868
- C:\Windows\System32\BAnCydz.exe
  C:\Windows\System32\BAnCydz.exe
  2⤵
  PID:5000
- C:\Windows\System32\bAONrIT.exe
  C:\Windows\System32\bAONrIT.exe
  2⤵
  PID:7268
- C:\Windows\System32\OzzhQPi.exe
  C:\Windows\System32\OzzhQPi.exe
  2⤵
  PID:7332
- C:\Windows\System32\OEWFHpE.exe
  C:\Windows\System32\OEWFHpE.exe
  2⤵
  PID:7412
- C:\Windows\System32\FHKGnag.exe
  C:\Windows\System32\FHKGnag.exe
  2⤵
  PID:7460
- C:\Windows\System32\HssuIrf.exe
  C:\Windows\System32\HssuIrf.exe
  2⤵
  PID:3884
- C:\Windows\System32\voqaPYu.exe
  C:\Windows\System32\voqaPYu.exe
  2⤵
  PID:7612
- C:\Windows\System32\RSDYaTF.exe
  C:\Windows\System32\RSDYaTF.exe
  2⤵
  PID:7732
- C:\Windows\System32\VwHCCoX.exe
  C:\Windows\System32\VwHCCoX.exe
  2⤵
  PID:7760
- C:\Windows\System32\IFmXOlw.exe
  C:\Windows\System32\IFmXOlw.exe
  2⤵
  PID:7900
- C:\Windows\System32\mvJztzL.exe
  C:\Windows\System32\mvJztzL.exe
  2⤵
  PID:7964
- C:\Windows\System32\czyuGqZ.exe
  C:\Windows\System32\czyuGqZ.exe
  2⤵
  PID:8136
- C:\Windows\System32\cQGBqwe.exe
  C:\Windows\System32\cQGBqwe.exe
  2⤵
  PID:4824
- C:\Windows\System32\BSZcCKU.exe
  C:\Windows\System32\BSZcCKU.exe
  2⤵
  PID:1832
- C:\Windows\System32\cQuzIQm.exe
  C:\Windows\System32\cQuzIQm.exe
  2⤵
  PID:7304
- C:\Windows\System32\DaEbSRW.exe
  C:\Windows\System32\DaEbSRW.exe
  2⤵
  PID:4312
- C:\Windows\System32\KxEtJlW.exe
  C:\Windows\System32\KxEtJlW.exe
  2⤵
  PID:7764
- C:\Windows\System32\OLFjrRP.exe
  C:\Windows\System32\OLFjrRP.exe
  2⤵
  PID:7988
- C:\Windows\System32\mkZcHWd.exe
  C:\Windows\System32\mkZcHWd.exe
  2⤵
  PID:4516
- C:\Windows\System32\dBSgihq.exe
  C:\Windows\System32\dBSgihq.exe
  2⤵
  PID:8040
- C:\Windows\System32\qdrWxyq.exe
  C:\Windows\System32\qdrWxyq.exe
  2⤵
  PID:3116
- C:\Windows\System32\hhsrFvp.exe
  C:\Windows\System32\hhsrFvp.exe
  2⤵
  PID:7508
- C:\Windows\System32\pxGSkdg.exe
  C:\Windows\System32\pxGSkdg.exe
  2⤵
  PID:7952
- C:\Windows\System32\OvFGIXc.exe
  C:\Windows\System32\OvFGIXc.exe
  2⤵
  PID:8188
- C:\Windows\System32\NAsGDid.exe
  C:\Windows\System32\NAsGDid.exe
  2⤵
  PID:7668
- C:\Windows\System32\jLwfaGn.exe
  C:\Windows\System32\jLwfaGn.exe
  2⤵
  PID:6776
- C:\Windows\System32\epYKPJa.exe
  C:\Windows\System32\epYKPJa.exe
  2⤵
  PID:8196
- C:\Windows\System32\nPfwoSf.exe
  C:\Windows\System32\nPfwoSf.exe
  2⤵
  PID:8220
- C:\Windows\System32\OWfjnHS.exe
  C:\Windows\System32\OWfjnHS.exe
  2⤵
  PID:8256
- C:\Windows\System32\LZjWcjO.exe
  C:\Windows\System32\LZjWcjO.exe
  2⤵
  PID:8284
- C:\Windows\System32\luMFTos.exe
  C:\Windows\System32\luMFTos.exe
  2⤵
  PID:8312
- C:\Windows\System32\skynMXf.exe
  C:\Windows\System32\skynMXf.exe
  2⤵
  PID:8340
- C:\Windows\System32\IuulfAA.exe
  C:\Windows\System32\IuulfAA.exe
  2⤵
  PID:8368
- C:\Windows\System32\uJykeNn.exe
  C:\Windows\System32\uJykeNn.exe
  2⤵
  PID:8396
- C:\Windows\System32\HLHWDnM.exe
  C:\Windows\System32\HLHWDnM.exe
  2⤵
  PID:8416
- C:\Windows\System32\KIquobP.exe
  C:\Windows\System32\KIquobP.exe
  2⤵
  PID:8432
- C:\Windows\System32\uDAeADp.exe
  C:\Windows\System32\uDAeADp.exe
  2⤵
  PID:8448
- C:\Windows\System32\jfDLFfz.exe
  C:\Windows\System32\jfDLFfz.exe
  2⤵
  PID:8488
- C:\Windows\System32\xDfvAWY.exe
  C:\Windows\System32\xDfvAWY.exe
  2⤵
  PID:8516
- C:\Windows\System32\yCyfucK.exe
  C:\Windows\System32\yCyfucK.exe
  2⤵
  PID:8580
- C:\Windows\System32\fRcRZTC.exe
  C:\Windows\System32\fRcRZTC.exe
  2⤵
  PID:8596
- C:\Windows\System32\igeTHel.exe
  C:\Windows\System32\igeTHel.exe
  2⤵
  PID:8624
- C:\Windows\System32\ywcIxpZ.exe
  C:\Windows\System32\ywcIxpZ.exe
  2⤵
  PID:8660
- C:\Windows\System32\FqsUqyY.exe
  C:\Windows\System32\FqsUqyY.exe
  2⤵
  PID:8684
- C:\Windows\System32\cFEbBsc.exe
  C:\Windows\System32\cFEbBsc.exe
  2⤵
  PID:8716
- C:\Windows\System32\mJJdeIu.exe
  C:\Windows\System32\mJJdeIu.exe
  2⤵
  PID:8740
- C:\Windows\System32\sXsEQDR.exe
  C:\Windows\System32\sXsEQDR.exe
  2⤵
  PID:8776
- C:\Windows\System32\BvIWxoN.exe
  C:\Windows\System32\BvIWxoN.exe
  2⤵
  PID:8812
- C:\Windows\System32\RFWNzIQ.exe
  C:\Windows\System32\RFWNzIQ.exe
  2⤵
  PID:8856
- C:\Windows\System32\ozamfyt.exe
  C:\Windows\System32\ozamfyt.exe
  2⤵
  PID:8896
- C:\Windows\System32\JNUVHtZ.exe
  C:\Windows\System32\JNUVHtZ.exe
  2⤵
  PID:8928
- C:\Windows\System32\WlZklDw.exe
  C:\Windows\System32\WlZklDw.exe
  2⤵
  PID:8960
- C:\Windows\System32\UlVLlcW.exe
  C:\Windows\System32\UlVLlcW.exe
  2⤵
  PID:8996
- C:\Windows\System32\bTeFgUK.exe
  C:\Windows\System32\bTeFgUK.exe
  2⤵
  PID:9024
- C:\Windows\System32\IOMyVKK.exe
  C:\Windows\System32\IOMyVKK.exe
  2⤵
  PID:9044
- C:\Windows\System32\BODtVrM.exe
  C:\Windows\System32\BODtVrM.exe
  2⤵
  PID:9084
- C:\Windows\System32\jfXUtlN.exe
  C:\Windows\System32\jfXUtlN.exe
  2⤵
  PID:9112
- C:\Windows\System32\CUfCaHj.exe
  C:\Windows\System32\CUfCaHj.exe
  2⤵
  PID:9140
- C:\Windows\System32\pTORMhj.exe
  C:\Windows\System32\pTORMhj.exe
  2⤵
  PID:9168
- C:\Windows\System32\QLLkLci.exe
  C:\Windows\System32\QLLkLci.exe
  2⤵
  PID:9196
- C:\Windows\System32\fdBzonf.exe
  C:\Windows\System32\fdBzonf.exe
  2⤵
  PID:7308
- C:\Windows\System32\jczOpeP.exe
  C:\Windows\System32\jczOpeP.exe
  2⤵
  PID:8252
- C:\Windows\System32\KEBStYe.exe
  C:\Windows\System32\KEBStYe.exe
  2⤵
  PID:8308
- C:\Windows\System32\SITytaE.exe
  C:\Windows\System32\SITytaE.exe
  2⤵
  PID:8364
- C:\Windows\System32\lcfBFao.exe
  C:\Windows\System32\lcfBFao.exe
  2⤵
  PID:8392
- C:\Windows\System32\CHUeaSC.exe
  C:\Windows\System32\CHUeaSC.exe
  2⤵
  PID:8480
- C:\Windows\System32\daBUMec.exe
  C:\Windows\System32\daBUMec.exe
  2⤵
  PID:8536
- C:\Windows\System32\HPpqOOk.exe
  C:\Windows\System32\HPpqOOk.exe
  2⤵
  PID:8608
- C:\Windows\System32\BOJJrZd.exe
  C:\Windows\System32\BOJJrZd.exe
  2⤵
  PID:8696
- C:\Windows\System32\gHvpVPP.exe
  C:\Windows\System32\gHvpVPP.exe
  2⤵
  PID:8736
- C:\Windows\System32\qvqtDHg.exe
  C:\Windows\System32\qvqtDHg.exe
  2⤵
  PID:8796
- C:\Windows\System32\dDAXRwy.exe
  C:\Windows\System32\dDAXRwy.exe
  2⤵
  PID:8916
- C:\Windows\System32\gJHWVMa.exe
  C:\Windows\System32\gJHWVMa.exe
  2⤵
  PID:8972
- C:\Windows\System32\sfnIFWi.exe
  C:\Windows\System32\sfnIFWi.exe
  2⤵
  PID:9032
- C:\Windows\System32\JGpXnYP.exe
  C:\Windows\System32\JGpXnYP.exe
  2⤵
  PID:9108
- C:\Windows\System32\oZVbRPs.exe
  C:\Windows\System32\oZVbRPs.exe
  2⤵
  PID:9180
- C:\Windows\System32\oFNEMqT.exe
  C:\Windows\System32\oFNEMqT.exe
  2⤵
  PID:8240
- C:\Windows\System32\rgonTAB.exe
  C:\Windows\System32\rgonTAB.exe
  2⤵
  PID:8360
- C:\Windows\System32\eMBZmwj.exe
  C:\Windows\System32\eMBZmwj.exe
  2⤵
  PID:8500
- C:\Windows\System32\xqnmGrU.exe
  C:\Windows\System32\xqnmGrU.exe
  2⤵
  PID:8644
- C:\Windows\System32\PcsIMYa.exe
  C:\Windows\System32\PcsIMYa.exe
  2⤵
  PID:8832
- C:\Windows\System32\gLgtuCj.exe
  C:\Windows\System32\gLgtuCj.exe
  2⤵
  PID:9016
- C:\Windows\System32\rYGFGFv.exe
  C:\Windows\System32\rYGFGFv.exe
  2⤵
  PID:9164
- C:\Windows\System32\ytdBtZH.exe
  C:\Windows\System32\ytdBtZH.exe
  2⤵
  PID:8408
- C:\Windows\System32\TbAQuGZ.exe
  C:\Windows\System32\TbAQuGZ.exe
  2⤵
  PID:8808
- C:\Windows\System32\JncOCts.exe
  C:\Windows\System32\JncOCts.exe
  2⤵
  PID:9160
- C:\Windows\System32\toeZKNN.exe
  C:\Windows\System32\toeZKNN.exe
  2⤵
  PID:8204
- C:\Windows\System32\XiuHuFZ.exe
  C:\Windows\System32\XiuHuFZ.exe
  2⤵
  PID:8352
- C:\Windows\System32\GDZIpnV.exe
  C:\Windows\System32\GDZIpnV.exe
  2⤵
  PID:9256
- C:\Windows\System32\GBNkgxe.exe
  C:\Windows\System32\GBNkgxe.exe
  2⤵
  PID:9284
- C:\Windows\System32\wXtRJvb.exe
  C:\Windows\System32\wXtRJvb.exe
  2⤵
  PID:9312
- C:\Windows\System32\GWqmHXk.exe
  C:\Windows\System32\GWqmHXk.exe
  2⤵
  PID:9332
- C:\Windows\System32\yUPvRdg.exe
  C:\Windows\System32\yUPvRdg.exe
  2⤵
  PID:9364
- C:\Windows\System32\gdeAQBQ.exe
  C:\Windows\System32\gdeAQBQ.exe
  2⤵
  PID:9388
- C:\Windows\System32\WKALPXi.exe
  C:\Windows\System32\WKALPXi.exe
  2⤵
  PID:9412
- C:\Windows\System32\lcdZsqv.exe
  C:\Windows\System32\lcdZsqv.exe
  2⤵
  PID:9444
- C:\Windows\System32\PXSKsgH.exe
  C:\Windows\System32\PXSKsgH.exe
  2⤵
  PID:9488
- C:\Windows\System32\OscZzUL.exe
  C:\Windows\System32\OscZzUL.exe
  2⤵
  PID:9524
- C:\Windows\System32\BOiDfor.exe
  C:\Windows\System32\BOiDfor.exe
  2⤵
  PID:9544
- C:\Windows\System32\vFoJLgV.exe
  C:\Windows\System32\vFoJLgV.exe
  2⤵
  PID:9576
- C:\Windows\System32\ORZccNY.exe
  C:\Windows\System32\ORZccNY.exe
  2⤵
  PID:9596
- C:\Windows\System32\CeSXqiW.exe
  C:\Windows\System32\CeSXqiW.exe
  2⤵
  PID:9640
- C:\Windows\System32\hurrDKy.exe
  C:\Windows\System32\hurrDKy.exe
  2⤵
  PID:9664
- C:\Windows\System32\YdZUlrp.exe
  C:\Windows\System32\YdZUlrp.exe
  2⤵
  PID:9688
- C:\Windows\System32\acDkBnk.exe
  C:\Windows\System32\acDkBnk.exe
  2⤵
  PID:9728
- C:\Windows\System32\GLxibKZ.exe
  C:\Windows\System32\GLxibKZ.exe
  2⤵
  PID:9756
- C:\Windows\System32\COrrxqR.exe
  C:\Windows\System32\COrrxqR.exe
  2⤵
  PID:9796
- C:\Windows\System32\OXaBgDA.exe
  C:\Windows\System32\OXaBgDA.exe
  2⤵
  PID:9828
- C:\Windows\System32\pKoaRfG.exe
  C:\Windows\System32\pKoaRfG.exe
  2⤵
  PID:9848
- C:\Windows\System32\EbHsUeq.exe
  C:\Windows\System32\EbHsUeq.exe
  2⤵
  PID:9896
- C:\Windows\System32\dgBQizF.exe
  C:\Windows\System32\dgBQizF.exe
  2⤵
  PID:9924
- C:\Windows\System32\rnmsyuD.exe
  C:\Windows\System32\rnmsyuD.exe
  2⤵
  PID:9948
- C:\Windows\System32\YGPRJGV.exe
  C:\Windows\System32\YGPRJGV.exe
  2⤵
  PID:10008
- C:\Windows\System32\LUNUAtK.exe
  C:\Windows\System32\LUNUAtK.exe
  2⤵
  PID:10028
- C:\Windows\System32\NGaXRaB.exe
  C:\Windows\System32\NGaXRaB.exe
  2⤵
  PID:10060
- C:\Windows\System32\NGSoYvn.exe
  C:\Windows\System32\NGSoYvn.exe
  2⤵
  PID:10128
- C:\Windows\System32\VFMfHTA.exe
  C:\Windows\System32\VFMfHTA.exe
  2⤵
  PID:10172
- C:\Windows\System32\qpDNFsX.exe
  C:\Windows\System32\qpDNFsX.exe
  2⤵
  PID:10188
- C:\Windows\System32\exzJOjM.exe
  C:\Windows\System32\exzJOjM.exe
  2⤵
  PID:10220
- C:\Windows\System32\pSBYbrn.exe
  C:\Windows\System32\pSBYbrn.exe
  2⤵
  PID:9236
- C:\Windows\System32\ZpCuBOF.exe
  C:\Windows\System32\ZpCuBOF.exe
  2⤵
  PID:9320
- C:\Windows\System32\cYWpFhA.exe
  C:\Windows\System32\cYWpFhA.exe
  2⤵
  PID:9404
- C:\Windows\System32\swxcHTt.exe
  C:\Windows\System32\swxcHTt.exe
  2⤵
  PID:9464
- C:\Windows\System32\tCSGVGk.exe
  C:\Windows\System32\tCSGVGk.exe
  2⤵
  PID:9508
- C:\Windows\System32\InVAZJG.exe
  C:\Windows\System32\InVAZJG.exe
  2⤵
  PID:9572
- C:\Windows\System32\EUtzuxl.exe
  C:\Windows\System32\EUtzuxl.exe
  2⤵
  PID:9656
- C:\Windows\System32\NpbCSKq.exe
  C:\Windows\System32\NpbCSKq.exe
  2⤵
  PID:9744
- C:\Windows\System32\UfpLTNX.exe
  C:\Windows\System32\UfpLTNX.exe
  2⤵
  PID:9840
- C:\Windows\System32\OOAbRkO.exe
  C:\Windows\System32\OOAbRkO.exe
  2⤵
  PID:9940
- C:\Windows\System32\XjOcSOj.exe
  C:\Windows\System32\XjOcSOj.exe
  2⤵
  PID:9988
- C:\Windows\System32\JvFnLBt.exe
  C:\Windows\System32\JvFnLBt.exe
  2⤵
  PID:10044
- C:\Windows\System32\zflMaqK.exe
  C:\Windows\System32\zflMaqK.exe
  2⤵
  PID:10204
- C:\Windows\System32\sOfVgTn.exe
  C:\Windows\System32\sOfVgTn.exe
  2⤵
  PID:9280
- C:\Windows\System32\JrMrEfM.exe
  C:\Windows\System32\JrMrEfM.exe
  2⤵
  PID:9352
- C:\Windows\System32\IHyioUz.exe
  C:\Windows\System32\IHyioUz.exe
  2⤵
  PID:9648
- C:\Windows\System32\pDnuzOL.exe
  C:\Windows\System32\pDnuzOL.exe
  2⤵
  PID:9740
- C:\Windows\System32\DQplWod.exe
  C:\Windows\System32\DQplWod.exe
  2⤵
  PID:9908
- C:\Windows\System32\MIUuZlW.exe
  C:\Windows\System32\MIUuZlW.exe
  2⤵
  PID:10140
- C:\Windows\System32\xcLChgQ.exe
  C:\Windows\System32\xcLChgQ.exe
  2⤵
  PID:9360
- C:\Windows\System32\WGzwNeR.exe
  C:\Windows\System32\WGzwNeR.exe
  2⤵
  PID:9960
- C:\Windows\System32\fagznyC.exe
  C:\Windows\System32\fagznyC.exe
  2⤵
  PID:9452
- C:\Windows\System32\NRglqKW.exe
  C:\Windows\System32\NRglqKW.exe
  2⤵
  PID:10144
- C:\Windows\System32\WsALkrG.exe
  C:\Windows\System32\WsALkrG.exe
  2⤵
  PID:10260
- C:\Windows\System32\ElEktCD.exe
  C:\Windows\System32\ElEktCD.exe
  2⤵
  PID:10296
- C:\Windows\System32\ISHVVkJ.exe
  C:\Windows\System32\ISHVVkJ.exe
  2⤵
  PID:10320
- C:\Windows\System32\xsjEKml.exe
  C:\Windows\System32\xsjEKml.exe
  2⤵
  PID:10356
- C:\Windows\System32\dPtBEEg.exe
  C:\Windows\System32\dPtBEEg.exe
  2⤵
  PID:10372
- C:\Windows\System32\ksIrYUx.exe
  C:\Windows\System32\ksIrYUx.exe
  2⤵
  PID:10412
- C:\Windows\System32\iMhXowB.exe
  C:\Windows\System32\iMhXowB.exe
  2⤵
  PID:10440
- C:\Windows\System32\SrqMXIC.exe
  C:\Windows\System32\SrqMXIC.exe
  2⤵
  PID:10472
- C:\Windows\System32\FOdFKgQ.exe
  C:\Windows\System32\FOdFKgQ.exe
  2⤵
  PID:10488
- C:\Windows\System32\NjAcTGC.exe
  C:\Windows\System32\NjAcTGC.exe
  2⤵
  PID:10516
- C:\Windows\System32\xlXObgI.exe
  C:\Windows\System32\xlXObgI.exe
  2⤵
  PID:10560
- C:\Windows\System32\ASBCLHC.exe
  C:\Windows\System32\ASBCLHC.exe
  2⤵
  PID:10584
- C:\Windows\System32\DPLGaAo.exe
  C:\Windows\System32\DPLGaAo.exe
  2⤵
  PID:10620
- C:\Windows\System32\AspVUxG.exe
  C:\Windows\System32\AspVUxG.exe
  2⤵
  PID:10652
- C:\Windows\System32\gWXdssw.exe
  C:\Windows\System32\gWXdssw.exe
  2⤵
  PID:10692
- C:\Windows\System32\KUnwjwm.exe
  C:\Windows\System32\KUnwjwm.exe
  2⤵
  PID:10720
- C:\Windows\System32\lCLmYYF.exe
  C:\Windows\System32\lCLmYYF.exe
  2⤵
  PID:10748
- C:\Windows\System32\HFueyiy.exe
  C:\Windows\System32\HFueyiy.exe
  2⤵
  PID:10776
- C:\Windows\System32\KuAJoUW.exe
  C:\Windows\System32\KuAJoUW.exe
  2⤵
  PID:10792
- C:\Windows\System32\lkiYhtB.exe
  C:\Windows\System32\lkiYhtB.exe
  2⤵
  PID:10828
- C:\Windows\System32\flmjhtP.exe
  C:\Windows\System32\flmjhtP.exe
  2⤵
  PID:10852
- C:\Windows\System32\qLZeLrS.exe
  C:\Windows\System32\qLZeLrS.exe
  2⤵
  PID:10888
- C:\Windows\System32\MfBbiCd.exe
  C:\Windows\System32\MfBbiCd.exe
  2⤵
  PID:10908
- C:\Windows\System32\pkoDdkw.exe
  C:\Windows\System32\pkoDdkw.exe
  2⤵
  PID:10940
- C:\Windows\System32\UeDUPYe.exe
  C:\Windows\System32\UeDUPYe.exe
  2⤵
  PID:10968
- C:\Windows\System32\uZEQabI.exe
  C:\Windows\System32\uZEQabI.exe
  2⤵
  PID:11000
- C:\Windows\System32\FCADUbv.exe
  C:\Windows\System32\FCADUbv.exe
  2⤵
  PID:11028
- C:\Windows\System32\BHHLjwM.exe
  C:\Windows\System32\BHHLjwM.exe
  2⤵
  PID:11056
- C:\Windows\System32\CTTKLLp.exe
  C:\Windows\System32\CTTKLLp.exe
  2⤵
  PID:11072
- C:\Windows\System32\ZIPUere.exe
  C:\Windows\System32\ZIPUere.exe
  2⤵
  PID:11112
- C:\Windows\System32\FXKTioR.exe
  C:\Windows\System32\FXKTioR.exe
  2⤵
  PID:11140
- C:\Windows\System32\HOmVoTf.exe
  C:\Windows\System32\HOmVoTf.exe
  2⤵
  PID:11168
- C:\Windows\System32\xyCukgv.exe
  C:\Windows\System32\xyCukgv.exe
  2⤵
  PID:11200
- C:\Windows\System32\jZVujBW.exe
  C:\Windows\System32\jZVujBW.exe
  2⤵
  PID:11224
- C:\Windows\System32\vAaoGIS.exe
  C:\Windows\System32\vAaoGIS.exe
  2⤵
  PID:11252
- C:\Windows\System32\qtckfqN.exe
  C:\Windows\System32\qtckfqN.exe
  2⤵
  PID:10252
- C:\Windows\System32\NCFlmzU.exe
  C:\Windows\System32\NCFlmzU.exe
  2⤵
  PID:10304
- C:\Windows\System32\nzXIDEk.exe
  C:\Windows\System32\nzXIDEk.exe
  2⤵
  PID:10384
- C:\Windows\System32\TNKoaoY.exe
  C:\Windows\System32\TNKoaoY.exe
  2⤵
  PID:10464
- C:\Windows\System32\iyuRogH.exe
  C:\Windows\System32\iyuRogH.exe
  2⤵
  PID:10548
- C:\Windows\System32\SLyxQTI.exe
  C:\Windows\System32\SLyxQTI.exe
  2⤵
  PID:10608
- C:\Windows\System32\NkcKOLN.exe
  C:\Windows\System32\NkcKOLN.exe
  2⤵
  PID:10676
- C:\Windows\System32\zmjsTjc.exe
  C:\Windows\System32\zmjsTjc.exe
  2⤵
  PID:10744
- C:\Windows\System32\dEYiUGn.exe
  C:\Windows\System32\dEYiUGn.exe
  2⤵
  PID:10820
- C:\Windows\System32\vTqROUW.exe
  C:\Windows\System32\vTqROUW.exe
  2⤵
  PID:10872
- C:\Windows\System32\ochqENr.exe
  C:\Windows\System32\ochqENr.exe
  2⤵
  PID:10960
- C:\Windows\System32\DJsKKqf.exe
  C:\Windows\System32\DJsKKqf.exe
  2⤵
  PID:11020
- C:\Windows\System32\COIAvvK.exe
  C:\Windows\System32\COIAvvK.exe
  2⤵
  PID:11084
- C:\Windows\System32\wzQcLWw.exe
  C:\Windows\System32\wzQcLWw.exe
  2⤵
  PID:11136
- C:\Windows\System32\SAZsHVO.exe
  C:\Windows\System32\SAZsHVO.exe
  2⤵
  PID:11208
- C:\Windows\System32\fOaIpCi.exe
  C:\Windows\System32\fOaIpCi.exe
  2⤵
  PID:10244
- C:\Windows\System32\rjkPaxx.exe
  C:\Windows\System32\rjkPaxx.exe
  2⤵
  PID:10344
- C:\Windows\System32\yuOwpEr.exe
  C:\Windows\System32\yuOwpEr.exe
  2⤵
  PID:10480
- C:\Windows\System32\eCnjvsF.exe
  C:\Windows\System32\eCnjvsF.exe
  2⤵
  PID:10712
- C:\Windows\System32\OSuniia.exe
  C:\Windows\System32\OSuniia.exe
  2⤵
  PID:10788
- C:\Windows\System32\aFSwTcg.exe
  C:\Windows\System32\aFSwTcg.exe
  2⤵
  PID:10984
- C:\Windows\System32\EiiEaHI.exe
  C:\Windows\System32\EiiEaHI.exe
  2⤵
  PID:11124
- C:\Windows\System32\hoknojv.exe
  C:\Windows\System32\hoknojv.exe
  2⤵
  PID:10276
- C:\Windows\System32\zRYvPEv.exe
  C:\Windows\System32\zRYvPEv.exe
  2⤵
  PID:10500
- C:\Windows\System32\uOEpyvn.exe
  C:\Windows\System32\uOEpyvn.exe
  2⤵
  PID:11188
- C:\Windows\System32\dUvcUtb.exe
  C:\Windows\System32\dUvcUtb.exe
  2⤵
  PID:10396
- C:\Windows\System32\zzQjGHL.exe
  C:\Windows\System32\zzQjGHL.exe
  2⤵
  PID:10328
- C:\Windows\System32\gvGknwS.exe
  C:\Windows\System32\gvGknwS.exe
  2⤵
  PID:11292
- C:\Windows\System32\AjaeUTm.exe
  C:\Windows\System32\AjaeUTm.exe
  2⤵
  PID:11328
- C:\Windows\System32\xILjabn.exe
  C:\Windows\System32\xILjabn.exe
  2⤵
  PID:11348
- C:\Windows\System32\TrmKXMl.exe
  C:\Windows\System32\TrmKXMl.exe
  2⤵
  PID:11372
- C:\Windows\System32\ehGGKws.exe
  C:\Windows\System32\ehGGKws.exe
  2⤵
  PID:11408
- C:\Windows\System32\dJtsaMN.exe
  C:\Windows\System32\dJtsaMN.exe
  2⤵
  PID:11432
- C:\Windows\System32\sjFcsbh.exe
  C:\Windows\System32\sjFcsbh.exe
  2⤵
  PID:11468
- C:\Windows\System32\qQjLHsp.exe
  C:\Windows\System32\qQjLHsp.exe
  2⤵
  PID:11500
- C:\Windows\System32\czhbrQj.exe
  C:\Windows\System32\czhbrQj.exe
  2⤵
  PID:11528
- C:\Windows\System32\sFisaWY.exe
  C:\Windows\System32\sFisaWY.exe
  2⤵
  PID:11548
- C:\Windows\System32\nxbadcc.exe
  C:\Windows\System32\nxbadcc.exe
  2⤵
  PID:11580
- C:\Windows\System32\MeoLisC.exe
  C:\Windows\System32\MeoLisC.exe
  2⤵
  PID:11612
- C:\Windows\System32\okTzWVb.exe
  C:\Windows\System32\okTzWVb.exe
  2⤵
  PID:11640
- C:\Windows\System32\hAKNfbz.exe
  C:\Windows\System32\hAKNfbz.exe
  2⤵
  PID:11656
- C:\Windows\System32\qyXDuOl.exe
  C:\Windows\System32\qyXDuOl.exe
  2⤵
  PID:11696
- C:\Windows\System32\MKrxpei.exe
  C:\Windows\System32\MKrxpei.exe
  2⤵
  PID:11724
- C:\Windows\System32\NoujgyO.exe
  C:\Windows\System32\NoujgyO.exe
  2⤵
  PID:11752
- C:\Windows\System32\gltMlvj.exe
  C:\Windows\System32\gltMlvj.exe
  2⤵
  PID:11768
- C:\Windows\System32\yelHOLS.exe
  C:\Windows\System32\yelHOLS.exe
  2⤵
  PID:11804
- C:\Windows\System32\CFtKklB.exe
  C:\Windows\System32\CFtKklB.exe
  2⤵
  PID:11824
- C:\Windows\System32\ajrUfkl.exe
  C:\Windows\System32\ajrUfkl.exe
  2⤵
  PID:11852
- C:\Windows\System32\qkHEANI.exe
  C:\Windows\System32\qkHEANI.exe
  2⤵
  PID:11888
- C:\Windows\System32\KdgeGWK.exe
  C:\Windows\System32\KdgeGWK.exe
  2⤵
  PID:11916
- C:\Windows\System32\oxtHAUA.exe
  C:\Windows\System32\oxtHAUA.exe
  2⤵
  PID:11936
- C:\Windows\System32\VRRnswv.exe
  C:\Windows\System32\VRRnswv.exe
  2⤵
  PID:11964
- C:\Windows\System32\FfjSKPa.exe
  C:\Windows\System32\FfjSKPa.exe
  2⤵
  PID:12004
- C:\Windows\System32\CduOrsw.exe
  C:\Windows\System32\CduOrsw.exe
  2⤵
  PID:12020
- C:\Windows\System32\NsOfCTa.exe
  C:\Windows\System32\NsOfCTa.exe
  2⤵
  PID:12036
- C:\Windows\System32\NmecGTl.exe
  C:\Windows\System32\NmecGTl.exe
  2⤵
  PID:12068
- C:\Windows\System32\Orxkkls.exe
  C:\Windows\System32\Orxkkls.exe
  2⤵
  PID:12112
- C:\Windows\System32\euNIswJ.exe
  C:\Windows\System32\euNIswJ.exe
  2⤵
  PID:12148
- C:\Windows\System32\DCdblGN.exe
  C:\Windows\System32\DCdblGN.exe
  2⤵
  PID:12180
- C:\Windows\System32\vBJkQAW.exe
  C:\Windows\System32\vBJkQAW.exe
  2⤵
  PID:12196
- C:\Windows\System32\yALOolv.exe
  C:\Windows\System32\yALOolv.exe
  2⤵
  PID:12232
- C:\Windows\System32\rIfYXYa.exe
  C:\Windows\System32\rIfYXYa.exe
  2⤵
  PID:12280
- C:\Windows\System32\KZmPGHb.exe
  C:\Windows\System32\KZmPGHb.exe
  2⤵
  PID:11280
- C:\Windows\System32\PxLGteC.exe
  C:\Windows\System32\PxLGteC.exe
  2⤵
  PID:11388
- C:\Windows\System32\aOCpdtV.exe
  C:\Windows\System32\aOCpdtV.exe
  2⤵
  PID:11452
- C:\Windows\System32\GvaiWMj.exe
  C:\Windows\System32\GvaiWMj.exe
  2⤵
  PID:11496
- C:\Windows\System32\ctwqvIb.exe
  C:\Windows\System32\ctwqvIb.exe
  2⤵
  PID:11596
- C:\Windows\System32\hJsLtrB.exe
  C:\Windows\System32\hJsLtrB.exe
  2⤵
  PID:11636
- C:\Windows\System32\eZObXJy.exe
  C:\Windows\System32\eZObXJy.exe
  2⤵
  PID:11736
- C:\Windows\System32\aaQCSJt.exe
  C:\Windows\System32\aaQCSJt.exe
  2⤵
  PID:11796
- C:\Windows\System32\SYRvVmP.exe
  C:\Windows\System32\SYRvVmP.exe
  2⤵
  PID:11840
- C:\Windows\System32\fEGocEe.exe
  C:\Windows\System32\fEGocEe.exe
  2⤵
  PID:11900
- C:\Windows\System32\BsWfkhb.exe
  C:\Windows\System32\BsWfkhb.exe
  2⤵
  PID:11976
- C:\Windows\System32\eEtuTmG.exe
  C:\Windows\System32\eEtuTmG.exe
  2⤵
  PID:12032
- C:\Windows\System32\CSPfznf.exe
  C:\Windows\System32\CSPfznf.exe
  2⤵
  PID:12076
- C:\Windows\System32\hEwQAYB.exe
  C:\Windows\System32\hEwQAYB.exe
  2⤵
  PID:12192
- C:\Windows\System32\oOuzien.exe
  C:\Windows\System32\oOuzien.exe
  2⤵
  PID:12240
- C:\Windows\System32\AxMHlYs.exe
  C:\Windows\System32\AxMHlYs.exe
  2⤵
  PID:11336
- C:\Windows\System32\RaSfZkt.exe
  C:\Windows\System32\RaSfZkt.exe
  2⤵
  PID:11440
- C:\Windows\System32\VsCcXsj.exe
  C:\Windows\System32\VsCcXsj.exe
  2⤵
  PID:11588
- C:\Windows\System32\SDtnTBJ.exe
  C:\Windows\System32\SDtnTBJ.exe
  2⤵
  PID:11764
- C:\Windows\System32\jgoRVPX.exe
  C:\Windows\System32\jgoRVPX.exe
  2⤵
  PID:11952
- C:\Windows\System32\zCKrUxe.exe
  C:\Windows\System32\zCKrUxe.exe
  2⤵
  PID:12048
- C:\Windows\System32\yfAKQwg.exe
  C:\Windows\System32\yfAKQwg.exe
  2⤵
  PID:12216
- C:\Windows\System32\FCSYAED.exe
  C:\Windows\System32\FCSYAED.exe
  2⤵
  PID:11364
- C:\Windows\System32\zClukVv.exe
  C:\Windows\System32\zClukVv.exe
  2⤵
  PID:11820
- C:\Windows\System32\jQCUTtz.exe
  C:\Windows\System32\jQCUTtz.exe
  2⤵
  PID:4416
- C:\Windows\System32\joVZlUs.exe
  C:\Windows\System32\joVZlUs.exe
  2⤵
  PID:11652
- C:\Windows\System32\icwNzii.exe
  C:\Windows\System32\icwNzii.exe
  2⤵
  PID:11272
- C:\Windows\System32\CpcJHKz.exe
  C:\Windows\System32\CpcJHKz.exe
  2⤵
  PID:12308
- C:\Windows\System32\eQNrsmn.exe
  C:\Windows\System32\eQNrsmn.exe
  2⤵
  PID:12336
- C:\Windows\System32\fhxLfIQ.exe
  C:\Windows\System32\fhxLfIQ.exe
  2⤵
  PID:12352
- C:\Windows\System32\EkWKEFK.exe
  C:\Windows\System32\EkWKEFK.exe
  2⤵
  PID:12388
- C:\Windows\System32\fUKctWV.exe
  C:\Windows\System32\fUKctWV.exe
  2⤵
  PID:12408
- C:\Windows\System32\zeVGffS.exe
  C:\Windows\System32\zeVGffS.exe
  2⤵
  PID:12440
- C:\Windows\System32\IHwuUMG.exe
  C:\Windows\System32\IHwuUMG.exe
  2⤵
  PID:12476
- C:\Windows\System32\zPPqIgq.exe
  C:\Windows\System32\zPPqIgq.exe
  2⤵
  PID:12504
- C:\Windows\System32\fWkDvHq.exe
  C:\Windows\System32\fWkDvHq.exe
  2⤵
  PID:12532
- C:\Windows\System32\xryrIvW.exe
  C:\Windows\System32\xryrIvW.exe
  2⤵
  PID:12560
- C:\Windows\System32\Nxdgjin.exe
  C:\Windows\System32\Nxdgjin.exe
  2⤵
  PID:12576
- C:\Windows\System32\TlPQLJe.exe
  C:\Windows\System32\TlPQLJe.exe
  2⤵
  PID:12616
- C:\Windows\System32\jEVEiHC.exe
  C:\Windows\System32\jEVEiHC.exe
  2⤵
  PID:12644
- C:\Windows\System32\XUaeEau.exe
  C:\Windows\System32\XUaeEau.exe
  2⤵
  PID:12660
- C:\Windows\System32\HisXlrW.exe
  C:\Windows\System32\HisXlrW.exe
  2⤵
  PID:12688
- C:\Windows\System32\kuVdENO.exe
  C:\Windows\System32\kuVdENO.exe
  2⤵
  PID:12720
- C:\Windows\System32\LeIfEgp.exe
  C:\Windows\System32\LeIfEgp.exe
  2⤵
  PID:12752
- C:\Windows\System32\bldeSZf.exe
  C:\Windows\System32\bldeSZf.exe
  2⤵
  PID:12772
- C:\Windows\System32\AzBuMyF.exe
  C:\Windows\System32\AzBuMyF.exe
  2⤵
  PID:12792
- C:\Windows\System32\DUdrVCz.exe
  C:\Windows\System32\DUdrVCz.exe
  2⤵
  PID:12840
- C:\Windows\System32\iicUYFE.exe
  C:\Windows\System32\iicUYFE.exe
  2⤵
  PID:12868
- C:\Windows\System32\FPtVsRz.exe
  C:\Windows\System32\FPtVsRz.exe
  2⤵
  PID:12928
- C:\Windows\System32\WGAZxYD.exe
  C:\Windows\System32\WGAZxYD.exe
  2⤵
  PID:12944
- C:\Windows\System32\WtAcLjM.exe
  C:\Windows\System32\WtAcLjM.exe
  2⤵
  PID:12960
- C:\Windows\System32\dTDwWXU.exe
  C:\Windows\System32\dTDwWXU.exe
  2⤵
  PID:12988
- C:\Windows\System32\gKpSKjw.exe
  C:\Windows\System32\gKpSKjw.exe
  2⤵
  PID:13028
- C:\Windows\System32\EzVYSpk.exe
  C:\Windows\System32\EzVYSpk.exe
  2⤵
  PID:13048
- C:\Windows\System32\epbzXlb.exe
  C:\Windows\System32\epbzXlb.exe
  2⤵
  PID:13088
- C:\Windows\System32\qRWdfaY.exe
  C:\Windows\System32\qRWdfaY.exe
  2⤵
  PID:13116
- C:\Windows\System32\htRKRrn.exe
  C:\Windows\System32\htRKRrn.exe
  2⤵
  PID:13144
- C:\Windows\System32\epuhaMa.exe
  C:\Windows\System32\epuhaMa.exe
  2⤵
  PID:13160
- C:\Windows\System32\anXnuXV.exe
  C:\Windows\System32\anXnuXV.exe
  2⤵
  PID:13192
- C:\Windows\System32\vHxRcRs.exe
  C:\Windows\System32\vHxRcRs.exe
  2⤵
  PID:13228
- C:\Windows\System32\IDCUBme.exe
  C:\Windows\System32\IDCUBme.exe
  2⤵
  PID:13256
- C:\Windows\System32\AumLmpB.exe
  C:\Windows\System32\AumLmpB.exe
  2⤵
  PID:13272
- C:\Windows\System32\SPSWZLG.exe
  C:\Windows\System32\SPSWZLG.exe
  2⤵
  PID:13304
- C:\Windows\System32\EWDQGqH.exe
  C:\Windows\System32\EWDQGqH.exe
  2⤵
  PID:12348
- C:\Windows\System32\nccXXOZ.exe
  C:\Windows\System32\nccXXOZ.exe
  2⤵
  PID:7588
- C:\Windows\System32\QzVcnMP.exe
  C:\Windows\System32\QzVcnMP.exe
  2⤵
  PID:5076
- C:\Windows\System32\ufUnBmr.exe
  C:\Windows\System32\ufUnBmr.exe
  2⤵
  PID:12424
- C:\Windows\System32\TvtOgqx.exe
  C:\Windows\System32\TvtOgqx.exe
  2⤵
  PID:12544
- C:\Windows\System32\jfElMNb.exe
  C:\Windows\System32\jfElMNb.exe
  2⤵
  PID:4216
- C:\Windows\System32\xZueIxT.exe
  C:\Windows\System32\xZueIxT.exe
  2⤵
  PID:12604
- C:\Windows\System32\nSgZzOS.exe
  C:\Windows\System32\nSgZzOS.exe
  2⤵
  PID:12672
- C:\Windows\System32\rJuRRAg.exe
  C:\Windows\System32\rJuRRAg.exe
  2⤵
  PID:12716
- C:\Windows\System32\kKPTaeV.exe
  C:\Windows\System32\kKPTaeV.exe
  2⤵
  PID:12780
- C:\Windows\System32\uNGsUdl.exe
  C:\Windows\System32\uNGsUdl.exe
  2⤵
  PID:12852
- C:\Windows\System32\UkkWlPl.exe
  C:\Windows\System32\UkkWlPl.exe
  2⤵
  PID:12904
- C:\Windows\System32\XbBhSIi.exe
  C:\Windows\System32\XbBhSIi.exe
  2⤵
  PID:12940
- C:\Windows\System32\CBpULjh.exe
  C:\Windows\System32\CBpULjh.exe
  2⤵
  PID:13008
- C:\Windows\System32\CWKUfZh.exe
  C:\Windows\System32\CWKUfZh.exe
  2⤵
  PID:13076
- C:\Windows\System32\LstCzFw.exe
  C:\Windows\System32\LstCzFw.exe
  2⤵
  PID:13152
- C:\Windows\System32\ETovgRp.exe
  C:\Windows\System32\ETovgRp.exe
  2⤵
  PID:13220
- C:\Windows\System32\prpGzAL.exe
  C:\Windows\System32\prpGzAL.exe
  2⤵
  PID:13284
- C:\Windows\System32\occnEaT.exe
  C:\Windows\System32\occnEaT.exe
  2⤵
  PID:4404
- C:\Windows\System32\rgCYcUW.exe
  C:\Windows\System32\rgCYcUW.exe
  2⤵
  PID:4828
- C:\Windows\System32\MXoJNWc.exe
  C:\Windows\System32\MXoJNWc.exe
  2⤵
  PID:12520
- C:\Windows\System32\rmgolft.exe
  C:\Windows\System32\rmgolft.exe
  2⤵
  PID:12640
- C:\Windows\System32\IzVOHQT.exe
  C:\Windows\System32\IzVOHQT.exe
  2⤵
  PID:12836
- C:\Windows\System32\sZbLLte.exe
  C:\Windows\System32\sZbLLte.exe
  2⤵
  PID:12860
- C:\Windows\System32\FaYabwz.exe
  C:\Windows\System32\FaYabwz.exe
  2⤵
  PID:13000

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AZpXUJP.exe

Filesize
2.9MB

MD5
aa5138a4304995f354c4e974563cce6e

SHA1
4f4da0e1f8891ac016e6d6eba39ad6b54eb827c0

SHA256
6be3f944667b8024c81c54a6d4c68dc644a36b77260f10272d534cf0ac89f4c2

SHA512
dddfed888430de317c07cd86775ae03d21251726b7c842a3f33ca7b17f4df0fa96a00d07ce8b3457849132bf39fedaac0ba96aa7c27c471953116bc306d539ba

Download Submit
C:\Windows\System32\AdRHjcU.exe

Filesize
2.9MB

MD5
9565cc86e3b26a36d5a47d8dc1f32be2

SHA1
9968cf4cc2891f6024216608cef26bab7e1813de

SHA256
02643ad673ed63127674945e76058b9db293c586fd3117cafb2c89689b49dbe4

SHA512
c3e60af9cb1051ac73d50ae03247f3ebd98c1a4d5e5a59e095b5c2b67656b5476573c8d8892d13fa80aa4fe126a4becaabdf7bcced5ef4c3753ef50cf247d693

Download Submit
C:\Windows\System32\BHuqyRd.exe

Filesize
2.9MB

MD5
1496c05409837e3fc0d7c220cc0a1580

SHA1
aa9aaf63d4b2b92ff7726583359730ceb93f8967

SHA256
2272c31290a7a728699ddb06c8e7c560c66a278e4a05d2741ff534d289ce35ed

SHA512
d706fedef52dc06e02824425df07ca34a55a770b58b4f32b18c79d7cdcfa32177a2d325728f6b71d93adc4cf95f7ae6b8a0a0db4b7f04ecb40dc472d99822c5e

Download Submit
C:\Windows\System32\BclrSMd.exe

Filesize
2.9MB

MD5
2489d0a6f2ebdae7c292cf0e91758129

SHA1
71cc1daf8db54eed14f11def8d77fc237876ba9f

SHA256
834ee0261fcf0c4542339b0750d855b1d9af232042b5df211b5af7c8fccd2894

SHA512
cb67526e458bfbeeb58569ed49945d80f0d4cb0b178d382c6b18f8b5274f3ef488956cba60c28d517b4ca5c26073964ee1022ed2f965e6b3271bec1e8868426f

Download Submit
C:\Windows\System32\FwRPqLp.exe

Filesize
2.9MB

MD5
6cb2e7506946eb0c5434cb4f7d8bb56c

SHA1
bff7bf644ba60f7607b2f8bc1bd045e9e8d778e3

SHA256
a63e279b17e1dc015b636de7afe66d2fd0ee170b5b88752d621fdb19be25e84f

SHA512
a8701163fc30abe6d1a49a2e6c924308e4f1f6d2cf606cc2de3fdca20f1c542e726eeec89320fde3f7cce5d813146293f66278e847f80ce25eca83c4cda2a365

Download Submit
C:\Windows\System32\GFyvXum.exe

Filesize
2.9MB

MD5
14963128b0d51ca035415dc33c20447d

SHA1
64725ae6fbe1195ab1c152f90e501f86438acb2b

SHA256
512a346d5cdab5b4f675b6bb4e9d931c080142e0790d1a29a4f42aa55a46a5b2

SHA512
dbf0cc375d77e6a172a22fe47cee9bdc0a0539d005a6fee87fd5a508fd2b9b9fac322ef0da1d8bad05438d22618e74718f421d77de4d691187c206e9e5152817

Download Submit
C:\Windows\System32\KBalCux.exe

Filesize
2.9MB

MD5
300beb4996f5b81d27f08bcfeb18ab97

SHA1
4b0bb650fed2dd7ba5fa393be5d2df4e91d77b94

SHA256
35959f0c57352caa85eb66a67c73868808f47e9dc3cc2f489989a76636ae59b9

SHA512
8be36e871b45cb457948006a3eb95bdc2ac48c579261394a3b084c57bca7af251f21aeae0d4c372af3ab13fa13d3d3d4fcc7f59902da760275f67c325076c0c1

Download Submit
C:\Windows\System32\MptyWHI.exe

Filesize
2.9MB

MD5
fd81d8512dcda17cc3ab4f3e7393fd37

SHA1
6aaf9b0de4cc9cb60bff3bb4f684a154ba57382e

SHA256
99bc669bf3afc1602761e78311b9cd8ab46104be01d30792c6d5dbb42dda232d

SHA512
0a7753ab666697f1947fa23fd32b58215906ebed9766f4f636e3c84f46cf8765fc66e746df5c36c42492f68d2cdd8766030903af5e1b30e2f6aec5ed2a701be0

Download Submit
C:\Windows\System32\PgjsWpp.exe

Filesize
2.9MB

MD5
fea94e99f6e90e6d6c1c89cd224428eb

SHA1
2e884eb0ce1db646fb26edfc52163d3fd84f00da

SHA256
bf0a973267b32e6563df38bb226fca5b39833aecb372f2b3c688520abe246ef1

SHA512
a1d6f628b2921672543b68ae0022d28fdd9d27c4872e64b85323cf07bcf54d37a6af6fcf134af8f679e81950a1ba3ca12fc0a2571e5b49e82e500aee3d41a22c

Download Submit
C:\Windows\System32\RGOKNOE.exe

Filesize
2.9MB

MD5
0024fdb08b9b9d81539a26ce7c40ccff

SHA1
5ef29680c6fb1251a341a88d0d1a4d206718efd3

SHA256
6c8a89f012579b27116f79232d8f3dc59f86f1c2a75bf25b3fc900d4d6cdacfd

SHA512
40e0c4e6a86549f371a31ec87056b47e6da20827b5127be9c5c15f3d5be348862b98544083045854158a9c3fa0033846890e25416f820d5de2350c20bdeafd56

Download Submit
C:\Windows\System32\TDqTwXw.exe

Filesize
2.9MB

MD5
09ea9759848be1e3fa8b91d43f789457

SHA1
957b7cf011b0f8cc33327099251572297b1883e3

SHA256
7a8327b68f308efc2f8f3aeb452d69d7d5f2d5926b3580ce84e2bc80427bd29b

SHA512
dd0566daf978ef69455c7ea0914f346bf0675a420b07756c3490acd7bc506983c733c45fac21c9e249d616c71f9ffc885b9dd257fd6b973264c750cb9767d3a7

Download Submit
C:\Windows\System32\UbPrNHu.exe

Filesize
2.9MB

MD5
ca90aa411562f5c62a4dbab473074add

SHA1
d752a3f153829861b77513b01acdc81b9d29ce18

SHA256
4e3e636ff264f20ed94270e0e4853ce706488de342139556e2889aacddf6f9b5

SHA512
f619e1746f4c53c11470b0d231b494f7df3059a6232e00b19e2c4d8a884643ef05c5877c12a24a198a0c73a4ea86cd8a8354b5e0a9ccc57c6968a847c2d765ce

Download Submit
C:\Windows\System32\UrRCmlf.exe

Filesize
2.9MB

MD5
3ff96fc44449607aa937a0bf403b939c

SHA1
82ab79c2aabd9ad5bb9b073968365b3a520a6cdd

SHA256
d950234c05e9c5092141f17d19cb8e6c87d5d966e1affc27a430cc611284b065

SHA512
e8b9265fe5f83549118024956502f4322ffaf3a121d0d3d780890bfbaac6daf3bf221e437a1fc36838967c216a2428033c5495ccbad17c992ddec15f823adf7b

Download Submit
C:\Windows\System32\XpsSsDu.exe

Filesize
2.9MB

MD5
2cb55bfc3f5e47bc8e91244af0d0c5f0

SHA1
1442b905f11ef565587c8d37b688d5c51b6296ec

SHA256
c5a75e0a0b82c8b7b06f9b5c869674366578cc5586b311986abd639795480f9a

SHA512
4d4b90a789a9b966ffa79914a05da09dde89f9868e0b80bf71725df47f61a3577cbcb402fa7832d4f3aff1bfa4bec49467b65fc1c0c8eacb531892abd76b9377

Download Submit
C:\Windows\System32\YPSCYwI.exe

Filesize
2.9MB

MD5
b5e5bb9cb2135dc933e8b236ffe08cb1

SHA1
179f49ed331d259619477d2e06188a6759472cd0

SHA256
3ed44a9701a9377579666f862f4d3e457a47278b1ceb3fade49bbd34afb5e202

SHA512
e4b98ddb523ca1022e2b87998a81b4e0adce18d5cc5dbcefcd84006c5d612a7faac23879d6c92392cb684183280580572451c95fbd99e35fb1dd5424e3b23bbe

Download Submit
C:\Windows\System32\YUyDCvr.exe

Filesize
2.9MB

MD5
bba415cef982c4221224cb1a91457f75

SHA1
cdec19e96b5b1c9351233c2b39c94835945af774

SHA256
0f0cb69b6d91605158df21cec319dd3e70cb25baa6d656b3fc953f36fd867731

SHA512
36badd9827d7518c674f0c6f7c70a561c69ba3e0069ebeb508cde21a8d05b5cadb1c7e73bff9933b0f3143d58776f6f3c68c3011c1eae82636e91c1b46809b41

Download Submit
C:\Windows\System32\YchpHOH.exe

Filesize
2.9MB

MD5
805bc9b0cb6bd586042f9d157c2f17b8

SHA1
09754c9b55de317902f50b660949a22e6682d646

SHA256
98d1aa12b602ceb529e9f88b27269d6f2b35ec5d28474cadfa748155edc7ef27

SHA512
c4c3ce69d35bc45644a47879b93a29061965a6fa1d72928a417ac150310812df4bbb388e9a2487b71bb5085bfc95a114f99ea6c68500e0fdc1e0e14f0bc33a0d

Download Submit
C:\Windows\System32\ZPnIUPf.exe

Filesize
2.9MB

MD5
a0b211e5af6dcabd1ab3c58610d3ee4e

SHA1
7c86e2b68c5a032602daca4f1e0dbee4eb9e2aee

SHA256
4f9b663493ee86d1bc9f3c305a424161f19f4d3b56c52c5cd4b4f9a82c295f23

SHA512
554bbbcafc44c218c07c1ebdab6e581d92b9b7ab33559af8d726a79203bd680ff48f5ef006199b8f804b52be677cf2235ca7cb631f923871f72ea54be137b014

Download Submit
C:\Windows\System32\ZwCHXqm.exe

Filesize
2.9MB

MD5
fe2c31c0fa64669415fdcc8a8375dd4b

SHA1
6782e2b4d91cb9b9642ce0b789691936c544efe5

SHA256
5fdd314b708a99b098e9b1d70eec73eb7979bc9cf4197c84f6c2a2fdcf9a2765

SHA512
a4f825a588fb70a43c75fc9eaa433b816d725cfd3a22f4100f1248c99d8d0fe77094de905ab88267143bad954f51891341c4447e8c7172bfb6d808fa16b347b8

Download Submit
C:\Windows\System32\bsQWkXE.exe

Filesize
2.9MB

MD5
31a1404c64730aea3c7210df598ef7d3

SHA1
919fd15888510b4f95ce274831d48d79254c1e86

SHA256
04ecd5adfd554adb34e3e5deb56e7aa8fd78f8d4b5265eafcf6af701c9505caf

SHA512
ba19993f1965d0dde6663602447322da9df5646d2248db581233e6e2e213557b3cb209b24cc9723314f28838c4008210574c14b0ada89ec78a9331da8f40be6c

Download Submit
C:\Windows\System32\dbwjlsK.exe

Filesize
2.9MB

MD5
b4d58c41f9190fd77dc99fc0f9cef6e6

SHA1
679fd936d838535b482082e849a04e09e4bf68f6

SHA256
5b03fb43395dc0630ff538574b77445de716fbacee1cb30e7975051398926b5c

SHA512
dbd1fae95cad9f9c75f83321d2d52ff1bbb5222f007098cd157061368379a17a9563245036ecbde458396c6f3052f9af97b3009ce44af47c36ec08878dcd20d4

Download Submit
C:\Windows\System32\iaaGvqJ.exe

Filesize
2.9MB

MD5
f6968a7934c3e929c337499c374bfab9

SHA1
7d078393bf9a026f00d37b67ce6bff9546e68fd3

SHA256
1cf6afef18776eb29c8307b67970858ae2e8b2cb1529003b631711116d8ee052

SHA512
c67a665aebb4b1bba0657ff428d281b2b698c7b6d23a95a9b6dca83287f4f69b50c7831bd77994eab440c07e30b4150266d9b96ae1ba13677c7762fbfe01b441

Download Submit
C:\Windows\System32\kOlOkuR.exe

Filesize
2.9MB

MD5
fe871bc89074b8aa67c842f96377b1e5

SHA1
50a53ba9a1aa5c65cc519908e48169b802ee308c

SHA256
05527aefde33d89c9dd8d4b7db44a2412f6931b8e5f42da778715621ac97a191

SHA512
384d435494628b1b023856e96e67d79ebb53e3efeffd0b0cc02b90e9a235fa6e38a3ffda4432a27b8e25647d5eaa960e2c1472c7d79873dce5f8b1feb9afaca9

Download Submit
C:\Windows\System32\kgOCnUG.exe

Filesize
2.9MB

MD5
4a72951fecd70fceaa84c560ba0ded42

SHA1
9e2cfc812bf3cdb83bde02592aff0b7dd6a94519

SHA256
fdf49224dc11de2c390a02cca2dca94298f6c548fe74183d3990869211d71d32

SHA512
132d567060b0769f57a5cfa3528fcb6a25426e709bef8bd10b63c75550b62afae02211e5447006ef1d5fd943f60c2d8a33ddd6d877eb038f877e9b4958365d4f

Download Submit
C:\Windows\System32\mzCSVuD.exe

Filesize
2.9MB

MD5
4f7469aeb28bfe52a9abb241261ac6c4

SHA1
25f2feee9b7e6acdd5b68f8aa44300cc8e35c3e0

SHA256
bff4fc178717b58424e7eb5668a44d4647de10dd384adeb85abc9fdbde52c662

SHA512
fba27b2cde4ef1228336f74b5db6c09db4a3cb6abd3889bcd9fb1eacba20368b148ca356ca347dc1eeb50d1affb1c0bb79e15c9ae0e203debcc5e9ef444b6efd

Download Submit
C:\Windows\System32\nBxSfXI.exe

Filesize
2.9MB

MD5
5a8b6d8dad7de63cf2d7e80cfd361c42

SHA1
e9fbf8a9c4f12cbf1a38d3767231d5d112c83900

SHA256
77381de0114047e24334dfcc5318ed60f9d63ad2e0617eac9832619400b1aeca

SHA512
673158fe36988c3cb21ff5822f7f0362c92d2ebac5ebdb5a0d2dc3aa8ca6fa7de031ee053388a4368270835ced6f4e008be47a14e291723b84c82f3560bb25c5

Download Submit
C:\Windows\System32\nLlukgm.exe

Filesize
2.9MB

MD5
aa2d89545617247f40418969168085e1

SHA1
170bc963f0242f5a27be6534cc1973acb8ee94b6

SHA256
bb6e499c89d0a371cb237c4743372ee16bf9e01a892389c4c8e12c92ea865f2a

SHA512
a6a92db3f899cb9fef047229dea941c9b9f57f10d41991521b8cc377b6a061aa01a9199a232b20186e784fab300ad07e80676914b26cce25c06f648846ec8e2a

Download Submit
C:\Windows\System32\pUgovCQ.exe

Filesize
2.9MB

MD5
2ef7fe51a872528f48e56c0d27180fa4

SHA1
2be24f79049f9246fb85353ed2de305dc8a247a4

SHA256
a6a1933e48d7c8a4ecb105fb1861e732fa80e2561ed94289fc948ad40a5e0262

SHA512
a851a8ba34649cb9318cfe93306ab460184094bc7d72514121cf50444e434b8e5862fa4d4373a36772a11d59c8b241feeee9f9bb30d26357da22f6b4fc01b6e5

Download Submit
C:\Windows\System32\sRoznlc.exe

Filesize
2.9MB

MD5
e7b50770ce8d6bc01105e303d75cd54c

SHA1
0130a50ce7f6cea72392649a4f8228ea7fa7c378

SHA256
758bcc84a8555d7cda2aad491639f3d4b46fcceaa7f2e43dc6c9fe2b431d4bd7

SHA512
c34bc8b0cf98c6ebc56343dc8ce378c978d1d50182db3b81bb1f84ad106a49c52cbad667b26d87b67f2e6b59569232b5ab19eddae7d263b1d74bda83773fc2e9

Download Submit
C:\Windows\System32\weezxGV.exe

Filesize
2.9MB

MD5
7316e7e2d593c33932f3bb35fa53da83

SHA1
1910924559c873e4f4496dfc4ad31aa45b308c75

SHA256
fca3016abbf23d192122acdac607e17d00666c8717e2e35f91673094ff7df3f0

SHA512
43cbb12e01e9380a403323e2dbf8b1ef1a26d6a2a37f002a4c6dfe4b506990342dd3c84df9d6f562dacac637ce271da84a39fb071122dda62b1116f125930450

Download Submit
C:\Windows\System32\wqtCNQL.exe

Filesize
2.9MB

MD5
839fc0b4dcd8262cbe7697af71d6e4ea

SHA1
1145fccac81482ac44018b98be6e07e393bc1441

SHA256
06f1efd437c530da50e6943bc755194c171344c26cdae2e8c22f2adf774521cd

SHA512
b75828506680a8ac5b2235558b8b1f231e6bf7922700c60da7a9a4ba569879a2c1429f4d052cdf381cab517031b0c6f20f0e1ea03b68c82f9ea5f327202089fe

Download Submit
C:\Windows\System32\zZylvxi.exe

Filesize
2.9MB

MD5
6ea0077fa416a28332ce35ea25737d86

SHA1
15a33f97d9a4c911827db4045906f8714ff73037

SHA256
d899026f04519ce9be38ffc84fd8d41b79b216777a373db798136bc8f7086e52

SHA512
77b820b3ea58840412b13d32935daed16b232bbd20c58d36a9d01f17450d6483d7e18a217f8f2cf899a4643fe48aeac464c9c65541c4998ed1af9592107ad35b

Download Submit
memory/456-1910-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp

Filesize
4.0MB

Download
memory/456-685-0x00007FF68EE40000-0x00007FF68F235000-memory.dmp

Filesize
4.0MB

Download
memory/664-0-0x00007FF638550000-0x00007FF638945000-memory.dmp

Filesize
4.0MB

Download
memory/664-1-0x000001E071110000-0x000001E071120000-memory.dmp

Filesize
64KB

Download
memory/664-1903-0x00007FF638550000-0x00007FF638945000-memory.dmp

Filesize
4.0MB

Download
memory/692-1921-0x00007FF685C40000-0x00007FF686035000-memory.dmp

Filesize
4.0MB

Download
memory/692-727-0x00007FF685C40000-0x00007FF686035000-memory.dmp

Filesize
4.0MB

Download
memory/756-1911-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp

Filesize
4.0MB

Download
memory/756-686-0x00007FF65C400000-0x00007FF65C7F5000-memory.dmp

Filesize
4.0MB

Download
memory/1540-785-0x00007FF6B82B0000-0x00007FF6B86A5000-memory.dmp

Filesize
4.0MB

Download
memory/1540-1906-0x00007FF6B82B0000-0x00007FF6B86A5000-memory.dmp

Filesize
4.0MB

Download
memory/1772-1915-0x00007FF6D73C0000-0x00007FF6D77B5000-memory.dmp

Filesize
4.0MB

Download
memory/1772-690-0x00007FF6D73C0000-0x00007FF6D77B5000-memory.dmp

Filesize
4.0MB

Download
memory/2020-1912-0x00007FF78D490000-0x00007FF78D885000-memory.dmp

Filesize
4.0MB

Download
memory/2020-687-0x00007FF78D490000-0x00007FF78D885000-memory.dmp

Filesize
4.0MB

Download
memory/2148-1920-0x00007FF7E3820000-0x00007FF7E3C15000-memory.dmp

Filesize
4.0MB

Download
memory/2148-716-0x00007FF7E3820000-0x00007FF7E3C15000-memory.dmp

Filesize
4.0MB

Download
memory/3132-691-0x00007FF6FE2F0000-0x00007FF6FE6E5000-memory.dmp

Filesize
4.0MB

Download
memory/3132-1916-0x00007FF6FE2F0000-0x00007FF6FE6E5000-memory.dmp

Filesize
4.0MB

Download
memory/3180-1919-0x00007FF658F60000-0x00007FF659355000-memory.dmp

Filesize
4.0MB

Download
memory/3180-706-0x00007FF658F60000-0x00007FF659355000-memory.dmp

Filesize
4.0MB

Download
memory/3228-770-0x00007FF61CD80000-0x00007FF61D175000-memory.dmp

Filesize
4.0MB

Download
memory/3228-1926-0x00007FF61CD80000-0x00007FF61D175000-memory.dmp

Filesize
4.0MB

Download
memory/3384-778-0x00007FF652F40000-0x00007FF653335000-memory.dmp

Filesize
4.0MB

Download
memory/3384-1927-0x00007FF652F40000-0x00007FF653335000-memory.dmp

Filesize
4.0MB

Download
memory/3432-1917-0x00007FF77C960000-0x00007FF77CD55000-memory.dmp

Filesize
4.0MB

Download
memory/3432-696-0x00007FF77C960000-0x00007FF77CD55000-memory.dmp

Filesize
4.0MB

Download
memory/3456-689-0x00007FF7A1E30000-0x00007FF7A2225000-memory.dmp

Filesize
4.0MB

Download
memory/3456-1914-0x00007FF7A1E30000-0x00007FF7A2225000-memory.dmp

Filesize
4.0MB

Download
memory/3892-1913-0x00007FF6E9000000-0x00007FF6E93F5000-memory.dmp

Filesize
4.0MB

Download
memory/3892-688-0x00007FF6E9000000-0x00007FF6E93F5000-memory.dmp

Filesize
4.0MB

Download
memory/3912-1922-0x00007FF6595F0000-0x00007FF6599E5000-memory.dmp

Filesize
4.0MB

Download
memory/3912-735-0x00007FF6595F0000-0x00007FF6599E5000-memory.dmp

Filesize
4.0MB

Download
memory/3976-764-0x00007FF73A550000-0x00007FF73A945000-memory.dmp

Filesize
4.0MB

Download
memory/3976-1925-0x00007FF73A550000-0x00007FF73A945000-memory.dmp

Filesize
4.0MB

Download
memory/4180-1923-0x00007FF659870000-0x00007FF659C65000-memory.dmp

Filesize
4.0MB

Download
memory/4180-747-0x00007FF659870000-0x00007FF659C65000-memory.dmp

Filesize
4.0MB

Download
memory/4264-1924-0x00007FF7457C0000-0x00007FF745BB5000-memory.dmp

Filesize
4.0MB

Download
memory/4264-754-0x00007FF7457C0000-0x00007FF745BB5000-memory.dmp

Filesize
4.0MB

Download
memory/4412-1918-0x00007FF77BF00000-0x00007FF77C2F5000-memory.dmp

Filesize
4.0MB

Download
memory/4412-699-0x00007FF77BF00000-0x00007FF77C2F5000-memory.dmp

Filesize
4.0MB

Download
memory/4420-1908-0x00007FF707D50000-0x00007FF708145000-memory.dmp

Filesize
4.0MB

Download
memory/4420-683-0x00007FF707D50000-0x00007FF708145000-memory.dmp

Filesize
4.0MB

Download
memory/4616-1909-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp

Filesize
4.0MB

Download
memory/4616-684-0x00007FF7ADD50000-0x00007FF7AE145000-memory.dmp

Filesize
4.0MB

Download
memory/4668-1907-0x00007FF643790000-0x00007FF643B85000-memory.dmp

Filesize
4.0MB

Download
memory/4668-682-0x00007FF643790000-0x00007FF643B85000-memory.dmp

Filesize
4.0MB

Download
memory/4804-1905-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp

Filesize
4.0MB

Download
memory/4804-17-0x00007FF6A8A90000-0x00007FF6A8E85000-memory.dmp

Filesize
4.0MB

Download
memory/4912-1904-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp

Filesize
4.0MB

Download
memory/4912-9-0x00007FF63BC20000-0x00007FF63C015000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads