xmrig | 2d1ed2389e9fac7a86b8a2981ed9bd2a8b85a7611af8288ee213c339f49aece8

Analysis

max time kernel
129s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
Size

2.6MB
MD5

13e1b9d6aeee42f06252005197af3840
SHA1

f0acc031d47e46ac307662262e4124df66fe5039
SHA256

2d1ed2389e9fac7a86b8a2981ed9bd2a8b85a7611af8288ee213c339f49aece8
SHA512

e96b59f9be18b7d037b66e945657797672c67cc98c2acf6fe143addb34f69ea0c2dec845068198e23e8e15543903f7e7e6c78beb0dbb176487fcd70ea773d215
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzzxTMS8Tg3avLoo:w0GnJMOWPClFdx6e0EALKWVTffZiPAcI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/436-0-0x00007FF777C90000-0x00007FF778085000-memory.dmp	xmrig
behavioral2/files/0x00080000000233e8-5.dat	xmrig
behavioral2/memory/4244-10-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ec-11.dat	xmrig
behavioral2/files/0x00070000000233ed-17.dat	xmrig
behavioral2/files/0x00070000000233ee-20.dat	xmrig
behavioral2/files/0x00070000000233ef-25.dat	xmrig
behavioral2/files/0x00070000000233f0-32.dat	xmrig
behavioral2/files/0x00070000000233f2-40.dat	xmrig
behavioral2/files/0x00070000000233f7-67.dat	xmrig
behavioral2/files/0x00070000000233f9-75.dat	xmrig
behavioral2/files/0x00070000000233fa-82.dat	xmrig
behavioral2/files/0x00070000000233fc-92.dat	xmrig
behavioral2/files/0x0007000000023403-127.dat	xmrig
behavioral2/memory/3828-599-0x00007FF78D420000-0x00007FF78D815000-memory.dmp	xmrig
behavioral2/files/0x000700000002340a-162.dat	xmrig
behavioral2/files/0x0007000000023409-157.dat	xmrig
behavioral2/files/0x0007000000023408-152.dat	xmrig
behavioral2/files/0x0007000000023407-147.dat	xmrig
behavioral2/files/0x0007000000023406-142.dat	xmrig
behavioral2/files/0x0007000000023405-137.dat	xmrig
behavioral2/files/0x0007000000023404-132.dat	xmrig
behavioral2/files/0x0007000000023402-122.dat	xmrig
behavioral2/files/0x0007000000023401-117.dat	xmrig
behavioral2/files/0x0007000000023400-112.dat	xmrig
behavioral2/files/0x00070000000233ff-107.dat	xmrig
behavioral2/files/0x00070000000233fe-102.dat	xmrig
behavioral2/files/0x00070000000233fd-97.dat	xmrig
behavioral2/files/0x00070000000233fb-87.dat	xmrig
behavioral2/files/0x00070000000233f8-72.dat	xmrig
behavioral2/files/0x00070000000233f6-62.dat	xmrig
behavioral2/files/0x00070000000233f5-57.dat	xmrig
behavioral2/files/0x00070000000233f4-52.dat	xmrig
behavioral2/files/0x00070000000233f3-47.dat	xmrig
behavioral2/files/0x00070000000233f1-37.dat	xmrig
behavioral2/memory/2772-600-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp	xmrig
behavioral2/memory/3824-601-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp	xmrig
behavioral2/memory/4280-603-0x00007FF754320000-0x00007FF754715000-memory.dmp	xmrig
behavioral2/memory/2064-602-0x00007FF6A12B0000-0x00007FF6A16A5000-memory.dmp	xmrig
behavioral2/memory/3692-604-0x00007FF763070000-0x00007FF763465000-memory.dmp	xmrig
behavioral2/memory/2352-605-0x00007FF62BAA0000-0x00007FF62BE95000-memory.dmp	xmrig
behavioral2/memory/2404-608-0x00007FF721CD0000-0x00007FF7220C5000-memory.dmp	xmrig
behavioral2/memory/3176-611-0x00007FF715090000-0x00007FF715485000-memory.dmp	xmrig
behavioral2/memory/4072-616-0x00007FF765440000-0x00007FF765835000-memory.dmp	xmrig
behavioral2/memory/2036-627-0x00007FF6F4B50000-0x00007FF6F4F45000-memory.dmp	xmrig
behavioral2/memory/3724-629-0x00007FF7012D0000-0x00007FF7016C5000-memory.dmp	xmrig
behavioral2/memory/2328-618-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	xmrig
behavioral2/memory/1792-630-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp	xmrig
behavioral2/memory/3684-641-0x00007FF75E1A0000-0x00007FF75E595000-memory.dmp	xmrig
behavioral2/memory/2296-634-0x00007FF6563D0000-0x00007FF6567C5000-memory.dmp	xmrig
behavioral2/memory/3512-645-0x00007FF68F540000-0x00007FF68F935000-memory.dmp	xmrig
behavioral2/memory/8-648-0x00007FF605490000-0x00007FF605885000-memory.dmp	xmrig
behavioral2/memory/4708-658-0x00007FF7DA6C0000-0x00007FF7DAAB5000-memory.dmp	xmrig
behavioral2/memory/2344-678-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp	xmrig
behavioral2/memory/3768-673-0x00007FF7199F0000-0x00007FF719DE5000-memory.dmp	xmrig
behavioral2/memory/4724-665-0x00007FF642C20000-0x00007FF643015000-memory.dmp	xmrig
behavioral2/memory/4404-661-0x00007FF7D8DE0000-0x00007FF7D91D5000-memory.dmp	xmrig
behavioral2/memory/4244-1893-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp	xmrig
behavioral2/memory/3828-1894-0x00007FF78D420000-0x00007FF78D815000-memory.dmp	xmrig
behavioral2/memory/2772-1896-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp	xmrig
behavioral2/memory/2344-1895-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp	xmrig
behavioral2/memory/4072-1900-0x00007FF765440000-0x00007FF765835000-memory.dmp	xmrig
behavioral2/memory/3824-1905-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp	xmrig
behavioral2/memory/1792-1907-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4244	DdhGSlY.exe
3828	QXAmWtk.exe
2344	giuLxHG.exe
2772	LPBPHQN.exe
3824	urtKqsA.exe
2064	eMUeBVp.exe
4280	MirIRLV.exe
3692	hZENUTE.exe
2352	SrHysBo.exe
2404	MxibcBr.exe
3176	sqcesLF.exe
4072	gGLTncm.exe
2328	UMrtQXG.exe
2036	goKmkJo.exe
3724	QvPDalo.exe
1792	PhnexwE.exe
2296	iDKXXzZ.exe
3684	yELFhmQ.exe
3512	RoKojYv.exe
8	kECSiUv.exe
4708	ZQQPlnJ.exe
4404	ZMqFtzy.exe
4724	SXGuRKr.exe
3768	cLerUEV.exe
3740	UBGuOvq.exe
3240	EdFAwuE.exe
840	VsXMban.exe
1576	MzvutFb.exe
4436	lnhsWjI.exe
816	LnsCuaz.exe
2580	OavitvG.exe
1860	SdzlqPT.exe
1980	HGkSRhz.exe
1696	CMqiLfH.exe
1516	HkCaqWR.exe
2756	CBgWheM.exe
512	bfvjEaV.exe
3604	yIwtaFi.exe
1572	TzouIzY.exe
3016	TSHoyXF.exe
5008	uwtwEbY.exe
1612	AHpHtGk.exe
1968	lyJqyIR.exe
2652	NkBNfpe.exe
2720	EWwhUJR.exe
4932	mkzvYRw.exe
4868	FWOGYwG.exe
1580	OvfHiob.exe
4812	yvpIrYk.exe
4660	SxxhBgE.exe
4408	GGfosye.exe
1504	gOOIeyH.exe
3084	UjonXNg.exe
4036	UnJJYja.exe
1376	GbNWUDM.exe
2996	QAgzpaW.exe
2612	QnUkssO.exe
2104	lKxydTO.exe
4856	ssNPhvf.exe
1496	VStIDoo.exe
3944	CEtcauf.exe
2764	pjHcqnR.exe
4272	iwOVgyg.exe
2588	PWiSvPE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/436-0-0x00007FF777C90000-0x00007FF778085000-memory.dmp	upx
behavioral2/files/0x00080000000233e8-5.dat	upx
behavioral2/memory/4244-10-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp	upx
behavioral2/files/0x00070000000233ec-11.dat	upx
behavioral2/files/0x00070000000233ed-17.dat	upx
behavioral2/files/0x00070000000233ee-20.dat	upx
behavioral2/files/0x00070000000233ef-25.dat	upx
behavioral2/files/0x00070000000233f0-32.dat	upx
behavioral2/files/0x00070000000233f2-40.dat	upx
behavioral2/files/0x00070000000233f7-67.dat	upx
behavioral2/files/0x00070000000233f9-75.dat	upx
behavioral2/files/0x00070000000233fa-82.dat	upx
behavioral2/files/0x00070000000233fc-92.dat	upx
behavioral2/files/0x0007000000023403-127.dat	upx
behavioral2/memory/3828-599-0x00007FF78D420000-0x00007FF78D815000-memory.dmp	upx
behavioral2/files/0x000700000002340a-162.dat	upx
behavioral2/files/0x0007000000023409-157.dat	upx
behavioral2/files/0x0007000000023408-152.dat	upx
behavioral2/files/0x0007000000023407-147.dat	upx
behavioral2/files/0x0007000000023406-142.dat	upx
behavioral2/files/0x0007000000023405-137.dat	upx
behavioral2/files/0x0007000000023404-132.dat	upx
behavioral2/files/0x0007000000023402-122.dat	upx
behavioral2/files/0x0007000000023401-117.dat	upx
behavioral2/files/0x0007000000023400-112.dat	upx
behavioral2/files/0x00070000000233ff-107.dat	upx
behavioral2/files/0x00070000000233fe-102.dat	upx
behavioral2/files/0x00070000000233fd-97.dat	upx
behavioral2/files/0x00070000000233fb-87.dat	upx
behavioral2/files/0x00070000000233f8-72.dat	upx
behavioral2/files/0x00070000000233f6-62.dat	upx
behavioral2/files/0x00070000000233f5-57.dat	upx
behavioral2/files/0x00070000000233f4-52.dat	upx
behavioral2/files/0x00070000000233f3-47.dat	upx
behavioral2/files/0x00070000000233f1-37.dat	upx
behavioral2/memory/2772-600-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp	upx
behavioral2/memory/3824-601-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp	upx
behavioral2/memory/4280-603-0x00007FF754320000-0x00007FF754715000-memory.dmp	upx
behavioral2/memory/2064-602-0x00007FF6A12B0000-0x00007FF6A16A5000-memory.dmp	upx
behavioral2/memory/3692-604-0x00007FF763070000-0x00007FF763465000-memory.dmp	upx
behavioral2/memory/2352-605-0x00007FF62BAA0000-0x00007FF62BE95000-memory.dmp	upx
behavioral2/memory/2404-608-0x00007FF721CD0000-0x00007FF7220C5000-memory.dmp	upx
behavioral2/memory/3176-611-0x00007FF715090000-0x00007FF715485000-memory.dmp	upx
behavioral2/memory/4072-616-0x00007FF765440000-0x00007FF765835000-memory.dmp	upx
behavioral2/memory/2036-627-0x00007FF6F4B50000-0x00007FF6F4F45000-memory.dmp	upx
behavioral2/memory/3724-629-0x00007FF7012D0000-0x00007FF7016C5000-memory.dmp	upx
behavioral2/memory/2328-618-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp	upx
behavioral2/memory/1792-630-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp	upx
behavioral2/memory/3684-641-0x00007FF75E1A0000-0x00007FF75E595000-memory.dmp	upx
behavioral2/memory/2296-634-0x00007FF6563D0000-0x00007FF6567C5000-memory.dmp	upx
behavioral2/memory/3512-645-0x00007FF68F540000-0x00007FF68F935000-memory.dmp	upx
behavioral2/memory/8-648-0x00007FF605490000-0x00007FF605885000-memory.dmp	upx
behavioral2/memory/4708-658-0x00007FF7DA6C0000-0x00007FF7DAAB5000-memory.dmp	upx
behavioral2/memory/2344-678-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp	upx
behavioral2/memory/3768-673-0x00007FF7199F0000-0x00007FF719DE5000-memory.dmp	upx
behavioral2/memory/4724-665-0x00007FF642C20000-0x00007FF643015000-memory.dmp	upx
behavioral2/memory/4404-661-0x00007FF7D8DE0000-0x00007FF7D91D5000-memory.dmp	upx
behavioral2/memory/4244-1893-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp	upx
behavioral2/memory/3828-1894-0x00007FF78D420000-0x00007FF78D815000-memory.dmp	upx
behavioral2/memory/2772-1896-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp	upx
behavioral2/memory/2344-1895-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp	upx
behavioral2/memory/4072-1900-0x00007FF765440000-0x00007FF765835000-memory.dmp	upx
behavioral2/memory/3824-1905-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp	upx
behavioral2/memory/1792-1907-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\miMoxey.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\BmEiDgZ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\OCPfvdF.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\XwUXVJK.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\lZIGoCY.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\wUWUFuO.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\DlHkexz.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\GmUSTsj.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\yIwtaFi.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\CoZrxGk.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\KourzKH.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\tumYTWH.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\MVZBhxF.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\bfvjEaV.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\MJREMfF.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\VIqtBCv.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\QgChxxQ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\sKesuNw.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\TXVgwFw.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\UCwNKGP.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ExotVnr.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\CbCspUr.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\nRkZWHL.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\yIGADzR.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\NICmlkM.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\qgYuMRd.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\bJuaHer.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\yDyONrb.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\tRiEQmd.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ygIYFRd.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\uJVYWWJ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\UyCRZWz.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\DmXFxYw.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\hLqBtnI.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\aVoUTWd.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ePscNPY.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\UjonXNg.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\GbNWUDM.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\nCiWznJ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\IeCHjcB.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ZQkMPwu.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\EQdydms.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\xbaNoMV.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\aPrcKoc.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrVlEFs.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\SvaIKmA.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\SXGuRKr.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\wRVgmbM.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\rRoVHWe.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ZvWWeeu.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\lXmLblt.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\ZecjvZv.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\BHiylNJ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\xgMUyoa.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\DLaiRsi.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\lTFpdeZ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\klexEtl.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\AOENAVa.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\umrAWJV.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\dngiHpa.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\SmeyQSZ.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\jEAerwi.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\INsalIA.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
File created	C:\Windows\System32\IQUqLUU.exe	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4648	dwm.exe
Token: SeChangeNotifyPrivilege	4648	dwm.exe
Token: 33	4648	dwm.exe
Token: SeIncBasePriorityPrivilege	4648	dwm.exe
Token: SeShutdownPrivilege	4648	dwm.exe
Token: SeCreatePagefilePrivilege	4648	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4244	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	83
PID 436 wrote to memory of 4244	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	83
PID 436 wrote to memory of 3828	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	84
PID 436 wrote to memory of 3828	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	84
PID 436 wrote to memory of 2344	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	85
PID 436 wrote to memory of 2344	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	85
PID 436 wrote to memory of 2772	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	86
PID 436 wrote to memory of 2772	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	86
PID 436 wrote to memory of 3824	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	87
PID 436 wrote to memory of 3824	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	87
PID 436 wrote to memory of 2064	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	88
PID 436 wrote to memory of 2064	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	88
PID 436 wrote to memory of 4280	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	89
PID 436 wrote to memory of 4280	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	89
PID 436 wrote to memory of 3692	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	90
PID 436 wrote to memory of 3692	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	90
PID 436 wrote to memory of 2352	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	91
PID 436 wrote to memory of 2352	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	91
PID 436 wrote to memory of 2404	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	92
PID 436 wrote to memory of 2404	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	92
PID 436 wrote to memory of 3176	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	93
PID 436 wrote to memory of 3176	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	93
PID 436 wrote to memory of 4072	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	94
PID 436 wrote to memory of 4072	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	94
PID 436 wrote to memory of 2328	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	95
PID 436 wrote to memory of 2328	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	95
PID 436 wrote to memory of 2036	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	96
PID 436 wrote to memory of 2036	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	96
PID 436 wrote to memory of 3724	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	97
PID 436 wrote to memory of 3724	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	97
PID 436 wrote to memory of 1792	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	98
PID 436 wrote to memory of 1792	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	98
PID 436 wrote to memory of 2296	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	99
PID 436 wrote to memory of 2296	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	99
PID 436 wrote to memory of 3684	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	100
PID 436 wrote to memory of 3684	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	100
PID 436 wrote to memory of 3512	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	101
PID 436 wrote to memory of 3512	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	101
PID 436 wrote to memory of 8	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	102
PID 436 wrote to memory of 8	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	102
PID 436 wrote to memory of 4708	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	103
PID 436 wrote to memory of 4708	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	103
PID 436 wrote to memory of 4404	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	104
PID 436 wrote to memory of 4404	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	104
PID 436 wrote to memory of 4724	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	105
PID 436 wrote to memory of 4724	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	105
PID 436 wrote to memory of 3768	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	106
PID 436 wrote to memory of 3768	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	106
PID 436 wrote to memory of 3740	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	107
PID 436 wrote to memory of 3740	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	107
PID 436 wrote to memory of 3240	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	108
PID 436 wrote to memory of 3240	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	108
PID 436 wrote to memory of 840	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	109
PID 436 wrote to memory of 840	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	109
PID 436 wrote to memory of 1576	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	110
PID 436 wrote to memory of 1576	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	110
PID 436 wrote to memory of 4436	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	111
PID 436 wrote to memory of 4436	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	111
PID 436 wrote to memory of 816	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	112
PID 436 wrote to memory of 816	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	112
PID 436 wrote to memory of 2580	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	113
PID 436 wrote to memory of 2580	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	113
PID 436 wrote to memory of 1860	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	114
PID 436 wrote to memory of 1860	436	13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13e1b9d6aeee42f06252005197af3840_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\System32\DdhGSlY.exe
  C:\Windows\System32\DdhGSlY.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\QXAmWtk.exe
  C:\Windows\System32\QXAmWtk.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\giuLxHG.exe
  C:\Windows\System32\giuLxHG.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\LPBPHQN.exe
  C:\Windows\System32\LPBPHQN.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\urtKqsA.exe
  C:\Windows\System32\urtKqsA.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\eMUeBVp.exe
  C:\Windows\System32\eMUeBVp.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\MirIRLV.exe
  C:\Windows\System32\MirIRLV.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\hZENUTE.exe
  C:\Windows\System32\hZENUTE.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\SrHysBo.exe
  C:\Windows\System32\SrHysBo.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\MxibcBr.exe
  C:\Windows\System32\MxibcBr.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\sqcesLF.exe
  C:\Windows\System32\sqcesLF.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\gGLTncm.exe
  C:\Windows\System32\gGLTncm.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\UMrtQXG.exe
  C:\Windows\System32\UMrtQXG.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\goKmkJo.exe
  C:\Windows\System32\goKmkJo.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\QvPDalo.exe
  C:\Windows\System32\QvPDalo.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\PhnexwE.exe
  C:\Windows\System32\PhnexwE.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\iDKXXzZ.exe
  C:\Windows\System32\iDKXXzZ.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\yELFhmQ.exe
  C:\Windows\System32\yELFhmQ.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\RoKojYv.exe
  C:\Windows\System32\RoKojYv.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\kECSiUv.exe
  C:\Windows\System32\kECSiUv.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\ZQQPlnJ.exe
  C:\Windows\System32\ZQQPlnJ.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\ZMqFtzy.exe
  C:\Windows\System32\ZMqFtzy.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\SXGuRKr.exe
  C:\Windows\System32\SXGuRKr.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\cLerUEV.exe
  C:\Windows\System32\cLerUEV.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\UBGuOvq.exe
  C:\Windows\System32\UBGuOvq.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\EdFAwuE.exe
  C:\Windows\System32\EdFAwuE.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\VsXMban.exe
  C:\Windows\System32\VsXMban.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\MzvutFb.exe
  C:\Windows\System32\MzvutFb.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\lnhsWjI.exe
  C:\Windows\System32\lnhsWjI.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\LnsCuaz.exe
  C:\Windows\System32\LnsCuaz.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System32\OavitvG.exe
  C:\Windows\System32\OavitvG.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\SdzlqPT.exe
  C:\Windows\System32\SdzlqPT.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\HGkSRhz.exe
  C:\Windows\System32\HGkSRhz.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\CMqiLfH.exe
  C:\Windows\System32\CMqiLfH.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System32\HkCaqWR.exe
  C:\Windows\System32\HkCaqWR.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System32\CBgWheM.exe
  C:\Windows\System32\CBgWheM.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\bfvjEaV.exe
  C:\Windows\System32\bfvjEaV.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\yIwtaFi.exe
  C:\Windows\System32\yIwtaFi.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\TzouIzY.exe
  C:\Windows\System32\TzouIzY.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\TSHoyXF.exe
  C:\Windows\System32\TSHoyXF.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\uwtwEbY.exe
  C:\Windows\System32\uwtwEbY.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\AHpHtGk.exe
  C:\Windows\System32\AHpHtGk.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System32\lyJqyIR.exe
  C:\Windows\System32\lyJqyIR.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\NkBNfpe.exe
  C:\Windows\System32\NkBNfpe.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\EWwhUJR.exe
  C:\Windows\System32\EWwhUJR.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\mkzvYRw.exe
  C:\Windows\System32\mkzvYRw.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\FWOGYwG.exe
  C:\Windows\System32\FWOGYwG.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\OvfHiob.exe
  C:\Windows\System32\OvfHiob.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\yvpIrYk.exe
  C:\Windows\System32\yvpIrYk.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\SxxhBgE.exe
  C:\Windows\System32\SxxhBgE.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\GGfosye.exe
  C:\Windows\System32\GGfosye.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\gOOIeyH.exe
  C:\Windows\System32\gOOIeyH.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\UjonXNg.exe
  C:\Windows\System32\UjonXNg.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System32\UnJJYja.exe
  C:\Windows\System32\UnJJYja.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\GbNWUDM.exe
  C:\Windows\System32\GbNWUDM.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\QAgzpaW.exe
  C:\Windows\System32\QAgzpaW.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\QnUkssO.exe
  C:\Windows\System32\QnUkssO.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System32\lKxydTO.exe
  C:\Windows\System32\lKxydTO.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\ssNPhvf.exe
  C:\Windows\System32\ssNPhvf.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\VStIDoo.exe
  C:\Windows\System32\VStIDoo.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\CEtcauf.exe
  C:\Windows\System32\CEtcauf.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\pjHcqnR.exe
  C:\Windows\System32\pjHcqnR.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System32\iwOVgyg.exe
  C:\Windows\System32\iwOVgyg.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\PWiSvPE.exe
  C:\Windows\System32\PWiSvPE.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\DRDVUHz.exe
  C:\Windows\System32\DRDVUHz.exe
  2⤵
  PID:2804
- C:\Windows\System32\gKheoAl.exe
  C:\Windows\System32\gKheoAl.exe
  2⤵
  PID:5044
- C:\Windows\System32\lGHiSwB.exe
  C:\Windows\System32\lGHiSwB.exe
  2⤵
  PID:1180
- C:\Windows\System32\BGbNGUQ.exe
  C:\Windows\System32\BGbNGUQ.exe
  2⤵
  PID:428
- C:\Windows\System32\GSKHklu.exe
  C:\Windows\System32\GSKHklu.exe
  2⤵
  PID:4696
- C:\Windows\System32\hbwDzKI.exe
  C:\Windows\System32\hbwDzKI.exe
  2⤵
  PID:4972
- C:\Windows\System32\oxtGJHi.exe
  C:\Windows\System32\oxtGJHi.exe
  2⤵
  PID:3744
- C:\Windows\System32\MHRPyGx.exe
  C:\Windows\System32\MHRPyGx.exe
  2⤵
  PID:1564
- C:\Windows\System32\rlFyRSu.exe
  C:\Windows\System32\rlFyRSu.exe
  2⤵
  PID:3260
- C:\Windows\System32\UrvonPc.exe
  C:\Windows\System32\UrvonPc.exe
  2⤵
  PID:4164
- C:\Windows\System32\RThCgEZ.exe
  C:\Windows\System32\RThCgEZ.exe
  2⤵
  PID:3204
- C:\Windows\System32\ZvWWeeu.exe
  C:\Windows\System32\ZvWWeeu.exe
  2⤵
  PID:4544
- C:\Windows\System32\YNVKkDy.exe
  C:\Windows\System32\YNVKkDy.exe
  2⤵
  PID:3568
- C:\Windows\System32\jMocpMZ.exe
  C:\Windows\System32\jMocpMZ.exe
  2⤵
  PID:3248
- C:\Windows\System32\ixDBvan.exe
  C:\Windows\System32\ixDBvan.exe
  2⤵
  PID:4160
- C:\Windows\System32\lXmLblt.exe
  C:\Windows\System32\lXmLblt.exe
  2⤵
  PID:5140
- C:\Windows\System32\izuBtoS.exe
  C:\Windows\System32\izuBtoS.exe
  2⤵
  PID:5168
- C:\Windows\System32\TZGLoZk.exe
  C:\Windows\System32\TZGLoZk.exe
  2⤵
  PID:5196
- C:\Windows\System32\AfrPjMJ.exe
  C:\Windows\System32\AfrPjMJ.exe
  2⤵
  PID:5224
- C:\Windows\System32\QRciLDe.exe
  C:\Windows\System32\QRciLDe.exe
  2⤵
  PID:5252
- C:\Windows\System32\FcCaTQV.exe
  C:\Windows\System32\FcCaTQV.exe
  2⤵
  PID:5280
- C:\Windows\System32\MHTFoue.exe
  C:\Windows\System32\MHTFoue.exe
  2⤵
  PID:5308
- C:\Windows\System32\nWuJDuX.exe
  C:\Windows\System32\nWuJDuX.exe
  2⤵
  PID:5336
- C:\Windows\System32\TPgIncM.exe
  C:\Windows\System32\TPgIncM.exe
  2⤵
  PID:5364
- C:\Windows\System32\CbCspUr.exe
  C:\Windows\System32\CbCspUr.exe
  2⤵
  PID:5392
- C:\Windows\System32\pOhBNvQ.exe
  C:\Windows\System32\pOhBNvQ.exe
  2⤵
  PID:5420
- C:\Windows\System32\jBoXNwu.exe
  C:\Windows\System32\jBoXNwu.exe
  2⤵
  PID:5448
- C:\Windows\System32\OoUWamC.exe
  C:\Windows\System32\OoUWamC.exe
  2⤵
  PID:5476
- C:\Windows\System32\FxYbsri.exe
  C:\Windows\System32\FxYbsri.exe
  2⤵
  PID:5504
- C:\Windows\System32\uwshEgM.exe
  C:\Windows\System32\uwshEgM.exe
  2⤵
  PID:5532
- C:\Windows\System32\RAwnvKW.exe
  C:\Windows\System32\RAwnvKW.exe
  2⤵
  PID:5560
- C:\Windows\System32\fUoPcrV.exe
  C:\Windows\System32\fUoPcrV.exe
  2⤵
  PID:5588
- C:\Windows\System32\KjzaSGs.exe
  C:\Windows\System32\KjzaSGs.exe
  2⤵
  PID:5616
- C:\Windows\System32\GdJkVIr.exe
  C:\Windows\System32\GdJkVIr.exe
  2⤵
  PID:5644
- C:\Windows\System32\CRULTyS.exe
  C:\Windows\System32\CRULTyS.exe
  2⤵
  PID:5672
- C:\Windows\System32\nCiWznJ.exe
  C:\Windows\System32\nCiWznJ.exe
  2⤵
  PID:5700
- C:\Windows\System32\EqkFQIQ.exe
  C:\Windows\System32\EqkFQIQ.exe
  2⤵
  PID:5728
- C:\Windows\System32\LMMvzYm.exe
  C:\Windows\System32\LMMvzYm.exe
  2⤵
  PID:5756
- C:\Windows\System32\LJdUdYJ.exe
  C:\Windows\System32\LJdUdYJ.exe
  2⤵
  PID:5784
- C:\Windows\System32\WiNeYtc.exe
  C:\Windows\System32\WiNeYtc.exe
  2⤵
  PID:5812
- C:\Windows\System32\rJigPAS.exe
  C:\Windows\System32\rJigPAS.exe
  2⤵
  PID:5840
- C:\Windows\System32\YYuAqiO.exe
  C:\Windows\System32\YYuAqiO.exe
  2⤵
  PID:5868
- C:\Windows\System32\sQaetiR.exe
  C:\Windows\System32\sQaetiR.exe
  2⤵
  PID:5896
- C:\Windows\System32\WIeggzq.exe
  C:\Windows\System32\WIeggzq.exe
  2⤵
  PID:5924
- C:\Windows\System32\nIzEVgn.exe
  C:\Windows\System32\nIzEVgn.exe
  2⤵
  PID:5952
- C:\Windows\System32\sjLFOMR.exe
  C:\Windows\System32\sjLFOMR.exe
  2⤵
  PID:5980
- C:\Windows\System32\JFGxQDa.exe
  C:\Windows\System32\JFGxQDa.exe
  2⤵
  PID:6008
- C:\Windows\System32\RNfdSaw.exe
  C:\Windows\System32\RNfdSaw.exe
  2⤵
  PID:6036
- C:\Windows\System32\gftsBjS.exe
  C:\Windows\System32\gftsBjS.exe
  2⤵
  PID:6064
- C:\Windows\System32\WISmQPD.exe
  C:\Windows\System32\WISmQPD.exe
  2⤵
  PID:6092
- C:\Windows\System32\cLZOYlk.exe
  C:\Windows\System32\cLZOYlk.exe
  2⤵
  PID:6120
- C:\Windows\System32\nRkZWHL.exe
  C:\Windows\System32\nRkZWHL.exe
  2⤵
  PID:1500
- C:\Windows\System32\KTlWkbR.exe
  C:\Windows\System32\KTlWkbR.exe
  2⤵
  PID:4204
- C:\Windows\System32\NHPbmkV.exe
  C:\Windows\System32\NHPbmkV.exe
  2⤵
  PID:3680
- C:\Windows\System32\DNtdLvo.exe
  C:\Windows\System32\DNtdLvo.exe
  2⤵
  PID:3972
- C:\Windows\System32\PmcGUhg.exe
  C:\Windows\System32\PmcGUhg.exe
  2⤵
  PID:780
- C:\Windows\System32\mAfJsUv.exe
  C:\Windows\System32\mAfJsUv.exe
  2⤵
  PID:5136
- C:\Windows\System32\kyYjIdb.exe
  C:\Windows\System32\kyYjIdb.exe
  2⤵
  PID:5184
- C:\Windows\System32\EQdydms.exe
  C:\Windows\System32\EQdydms.exe
  2⤵
  PID:5264
- C:\Windows\System32\TyhUNlX.exe
  C:\Windows\System32\TyhUNlX.exe
  2⤵
  PID:5332
- C:\Windows\System32\qJWNMuk.exe
  C:\Windows\System32\qJWNMuk.exe
  2⤵
  PID:5380
- C:\Windows\System32\BCOrNBe.exe
  C:\Windows\System32\BCOrNBe.exe
  2⤵
  PID:5460
- C:\Windows\System32\PfMYdrq.exe
  C:\Windows\System32\PfMYdrq.exe
  2⤵
  PID:5520
- C:\Windows\System32\GpKBIAa.exe
  C:\Windows\System32\GpKBIAa.exe
  2⤵
  PID:5576
- C:\Windows\System32\YAHPEOl.exe
  C:\Windows\System32\YAHPEOl.exe
  2⤵
  PID:5632
- C:\Windows\System32\zRugKdU.exe
  C:\Windows\System32\zRugKdU.exe
  2⤵
  PID:5712
- C:\Windows\System32\MhPCUEx.exe
  C:\Windows\System32\MhPCUEx.exe
  2⤵
  PID:5780
- C:\Windows\System32\AFWevLn.exe
  C:\Windows\System32\AFWevLn.exe
  2⤵
  PID:5836
- C:\Windows\System32\ZOiCjFz.exe
  C:\Windows\System32\ZOiCjFz.exe
  2⤵
  PID:5908
- C:\Windows\System32\cMhDUbK.exe
  C:\Windows\System32\cMhDUbK.exe
  2⤵
  PID:5976
- C:\Windows\System32\kuBgAMD.exe
  C:\Windows\System32\kuBgAMD.exe
  2⤵
  PID:6032
- C:\Windows\System32\alofwLv.exe
  C:\Windows\System32\alofwLv.exe
  2⤵
  PID:6080
- C:\Windows\System32\INsalIA.exe
  C:\Windows\System32\INsalIA.exe
  2⤵
  PID:2768
- C:\Windows\System32\ugLqDIq.exe
  C:\Windows\System32\ugLqDIq.exe
  2⤵
  PID:5064
- C:\Windows\System32\hNbOUjC.exe
  C:\Windows\System32\hNbOUjC.exe
  2⤵
  PID:3448
- C:\Windows\System32\GKipQUC.exe
  C:\Windows\System32\GKipQUC.exe
  2⤵
  PID:5292
- C:\Windows\System32\TpyABgX.exe
  C:\Windows\System32\TpyABgX.exe
  2⤵
  PID:5436
- C:\Windows\System32\SKwxLSi.exe
  C:\Windows\System32\SKwxLSi.exe
  2⤵
  PID:5548
- C:\Windows\System32\BmEiDgZ.exe
  C:\Windows\System32\BmEiDgZ.exe
  2⤵
  PID:5684
- C:\Windows\System32\SBBJSzS.exe
  C:\Windows\System32\SBBJSzS.exe
  2⤵
  PID:5856
- C:\Windows\System32\bFevWFW.exe
  C:\Windows\System32\bFevWFW.exe
  2⤵
  PID:6004
- C:\Windows\System32\DKIzjal.exe
  C:\Windows\System32\DKIzjal.exe
  2⤵
  PID:6136
- C:\Windows\System32\qDLsIKe.exe
  C:\Windows\System32\qDLsIKe.exe
  2⤵
  PID:1972
- C:\Windows\System32\WpihjPE.exe
  C:\Windows\System32\WpihjPE.exe
  2⤵
  PID:5516
- C:\Windows\System32\jkLhafL.exe
  C:\Windows\System32\jkLhafL.exe
  2⤵
  PID:5752
- C:\Windows\System32\EkZqZJS.exe
  C:\Windows\System32\EkZqZJS.exe
  2⤵
  PID:984
- C:\Windows\System32\wAMLvxq.exe
  C:\Windows\System32\wAMLvxq.exe
  2⤵
  PID:6156
- C:\Windows\System32\irGqexF.exe
  C:\Windows\System32\irGqexF.exe
  2⤵
  PID:6184
- C:\Windows\System32\BXHUugw.exe
  C:\Windows\System32\BXHUugw.exe
  2⤵
  PID:6212
- C:\Windows\System32\dngiHpa.exe
  C:\Windows\System32\dngiHpa.exe
  2⤵
  PID:6240
- C:\Windows\System32\ZecjvZv.exe
  C:\Windows\System32\ZecjvZv.exe
  2⤵
  PID:6268
- C:\Windows\System32\FcbmFDN.exe
  C:\Windows\System32\FcbmFDN.exe
  2⤵
  PID:6296
- C:\Windows\System32\xEbbWWd.exe
  C:\Windows\System32\xEbbWWd.exe
  2⤵
  PID:6324
- C:\Windows\System32\TqGiNSr.exe
  C:\Windows\System32\TqGiNSr.exe
  2⤵
  PID:6352
- C:\Windows\System32\skXArmD.exe
  C:\Windows\System32\skXArmD.exe
  2⤵
  PID:6380
- C:\Windows\System32\jrwHrtw.exe
  C:\Windows\System32\jrwHrtw.exe
  2⤵
  PID:6408
- C:\Windows\System32\VfjKyHI.exe
  C:\Windows\System32\VfjKyHI.exe
  2⤵
  PID:6436
- C:\Windows\System32\sKIknAN.exe
  C:\Windows\System32\sKIknAN.exe
  2⤵
  PID:6464
- C:\Windows\System32\BHiylNJ.exe
  C:\Windows\System32\BHiylNJ.exe
  2⤵
  PID:6492
- C:\Windows\System32\RpiVDJx.exe
  C:\Windows\System32\RpiVDJx.exe
  2⤵
  PID:6520
- C:\Windows\System32\dtIgOUi.exe
  C:\Windows\System32\dtIgOUi.exe
  2⤵
  PID:6548
- C:\Windows\System32\QTytUbm.exe
  C:\Windows\System32\QTytUbm.exe
  2⤵
  PID:6576
- C:\Windows\System32\rFQZpIl.exe
  C:\Windows\System32\rFQZpIl.exe
  2⤵
  PID:6604
- C:\Windows\System32\nWHwSmd.exe
  C:\Windows\System32\nWHwSmd.exe
  2⤵
  PID:6632
- C:\Windows\System32\RkHAkyg.exe
  C:\Windows\System32\RkHAkyg.exe
  2⤵
  PID:6660
- C:\Windows\System32\suiLIwB.exe
  C:\Windows\System32\suiLIwB.exe
  2⤵
  PID:6688
- C:\Windows\System32\lOTvbOY.exe
  C:\Windows\System32\lOTvbOY.exe
  2⤵
  PID:6716
- C:\Windows\System32\EWambZG.exe
  C:\Windows\System32\EWambZG.exe
  2⤵
  PID:6744
- C:\Windows\System32\ZrNdGZr.exe
  C:\Windows\System32\ZrNdGZr.exe
  2⤵
  PID:6772
- C:\Windows\System32\YAqVqXO.exe
  C:\Windows\System32\YAqVqXO.exe
  2⤵
  PID:6800
- C:\Windows\System32\WXkcfHP.exe
  C:\Windows\System32\WXkcfHP.exe
  2⤵
  PID:6828
- C:\Windows\System32\zzmkTmX.exe
  C:\Windows\System32\zzmkTmX.exe
  2⤵
  PID:6856
- C:\Windows\System32\nOvHqpI.exe
  C:\Windows\System32\nOvHqpI.exe
  2⤵
  PID:6884
- C:\Windows\System32\VnujUDD.exe
  C:\Windows\System32\VnujUDD.exe
  2⤵
  PID:6912
- C:\Windows\System32\RZfpiKf.exe
  C:\Windows\System32\RZfpiKf.exe
  2⤵
  PID:7016
- C:\Windows\System32\ORzKRpA.exe
  C:\Windows\System32\ORzKRpA.exe
  2⤵
  PID:7036
- C:\Windows\System32\ekvPWfY.exe
  C:\Windows\System32\ekvPWfY.exe
  2⤵
  PID:7084
- C:\Windows\System32\flupzOf.exe
  C:\Windows\System32\flupzOf.exe
  2⤵
  PID:7104
- C:\Windows\System32\MSumQmj.exe
  C:\Windows\System32\MSumQmj.exe
  2⤵
  PID:7128
- C:\Windows\System32\lYMfsFf.exe
  C:\Windows\System32\lYMfsFf.exe
  2⤵
  PID:7144
- C:\Windows\System32\VsvtPdk.exe
  C:\Windows\System32\VsvtPdk.exe
  2⤵
  PID:5388
- C:\Windows\System32\lLUFksy.exe
  C:\Windows\System32\lLUFksy.exe
  2⤵
  PID:5948
- C:\Windows\System32\ClNyGIp.exe
  C:\Windows\System32\ClNyGIp.exe
  2⤵
  PID:6172
- C:\Windows\System32\aFTzquV.exe
  C:\Windows\System32\aFTzquV.exe
  2⤵
  PID:6284
- C:\Windows\System32\pNSEyDi.exe
  C:\Windows\System32\pNSEyDi.exe
  2⤵
  PID:6460
- C:\Windows\System32\yIGADzR.exe
  C:\Windows\System32\yIGADzR.exe
  2⤵
  PID:6488
- C:\Windows\System32\osPvVJs.exe
  C:\Windows\System32\osPvVJs.exe
  2⤵
  PID:6536
- C:\Windows\System32\PISFWoC.exe
  C:\Windows\System32\PISFWoC.exe
  2⤵
  PID:1624
- C:\Windows\System32\RokwvNT.exe
  C:\Windows\System32\RokwvNT.exe
  2⤵
  PID:6620
- C:\Windows\System32\NICmlkM.exe
  C:\Windows\System32\NICmlkM.exe
  2⤵
  PID:892
- C:\Windows\System32\BtbvCZG.exe
  C:\Windows\System32\BtbvCZG.exe
  2⤵
  PID:6704
- C:\Windows\System32\YJLHzXB.exe
  C:\Windows\System32\YJLHzXB.exe
  2⤵
  PID:6740
- C:\Windows\System32\XBvWXKp.exe
  C:\Windows\System32\XBvWXKp.exe
  2⤵
  PID:4888
- C:\Windows\System32\UQfGPwc.exe
  C:\Windows\System32\UQfGPwc.exe
  2⤵
  PID:6788
- C:\Windows\System32\wJOgJVj.exe
  C:\Windows\System32\wJOgJVj.exe
  2⤵
  PID:6852
- C:\Windows\System32\eXkgvuf.exe
  C:\Windows\System32\eXkgvuf.exe
  2⤵
  PID:6900
- C:\Windows\System32\DzoJfOi.exe
  C:\Windows\System32\DzoJfOi.exe
  2⤵
  PID:952
- C:\Windows\System32\CeXdjjT.exe
  C:\Windows\System32\CeXdjjT.exe
  2⤵
  PID:1920
- C:\Windows\System32\PDMYxQB.exe
  C:\Windows\System32\PDMYxQB.exe
  2⤵
  PID:2988
- C:\Windows\System32\YssOsSC.exe
  C:\Windows\System32\YssOsSC.exe
  2⤵
  PID:7008
- C:\Windows\System32\IeCHjcB.exe
  C:\Windows\System32\IeCHjcB.exe
  2⤵
  PID:7092
- C:\Windows\System32\OOFpFBv.exe
  C:\Windows\System32\OOFpFBv.exe
  2⤵
  PID:7152
- C:\Windows\System32\wAratlX.exe
  C:\Windows\System32\wAratlX.exe
  2⤵
  PID:3412
- C:\Windows\System32\xgMUyoa.exe
  C:\Windows\System32\xgMUyoa.exe
  2⤵
  PID:6256
- C:\Windows\System32\hhNwupK.exe
  C:\Windows\System32\hhNwupK.exe
  2⤵
  PID:6996
- C:\Windows\System32\FDXHzeo.exe
  C:\Windows\System32\FDXHzeo.exe
  2⤵
  PID:6476
- C:\Windows\System32\WuKlBic.exe
  C:\Windows\System32\WuKlBic.exe
  2⤵
  PID:5500
- C:\Windows\System32\AjbTCOe.exe
  C:\Windows\System32\AjbTCOe.exe
  2⤵
  PID:6628
- C:\Windows\System32\BZsCaYe.exe
  C:\Windows\System32\BZsCaYe.exe
  2⤵
  PID:2168
- C:\Windows\System32\YfepdxS.exe
  C:\Windows\System32\YfepdxS.exe
  2⤵
  PID:6784
- C:\Windows\System32\ZPMlGhy.exe
  C:\Windows\System32\ZPMlGhy.exe
  2⤵
  PID:1672
- C:\Windows\System32\brnVKlz.exe
  C:\Windows\System32\brnVKlz.exe
  2⤵
  PID:6988
- C:\Windows\System32\sKesuNw.exe
  C:\Windows\System32\sKesuNw.exe
  2⤵
  PID:7032
- C:\Windows\System32\LMzstea.exe
  C:\Windows\System32\LMzstea.exe
  2⤵
  PID:6816
- C:\Windows\System32\QTUUDri.exe
  C:\Windows\System32\QTUUDri.exe
  2⤵
  PID:2640
- C:\Windows\System32\gyIIXkQ.exe
  C:\Windows\System32\gyIIXkQ.exe
  2⤵
  PID:6264
- C:\Windows\System32\PWFEoaC.exe
  C:\Windows\System32\PWFEoaC.exe
  2⤵
  PID:6880
- C:\Windows\System32\wHuLsYb.exe
  C:\Windows\System32\wHuLsYb.exe
  2⤵
  PID:7056
- C:\Windows\System32\DazQyJD.exe
  C:\Windows\System32\DazQyJD.exe
  2⤵
  PID:4136
- C:\Windows\System32\OCPfvdF.exe
  C:\Windows\System32\OCPfvdF.exe
  2⤵
  PID:4112
- C:\Windows\System32\JAJsBQD.exe
  C:\Windows\System32\JAJsBQD.exe
  2⤵
  PID:980
- C:\Windows\System32\JjaBGus.exe
  C:\Windows\System32\JjaBGus.exe
  2⤵
  PID:7180
- C:\Windows\System32\qgYuMRd.exe
  C:\Windows\System32\qgYuMRd.exe
  2⤵
  PID:7228
- C:\Windows\System32\vjoPmXq.exe
  C:\Windows\System32\vjoPmXq.exe
  2⤵
  PID:7248
- C:\Windows\System32\MJREMfF.exe
  C:\Windows\System32\MJREMfF.exe
  2⤵
  PID:7276
- C:\Windows\System32\vIxqCGO.exe
  C:\Windows\System32\vIxqCGO.exe
  2⤵
  PID:7312
- C:\Windows\System32\YvIRvdO.exe
  C:\Windows\System32\YvIRvdO.exe
  2⤵
  PID:7332
- C:\Windows\System32\rSQjxsk.exe
  C:\Windows\System32\rSQjxsk.exe
  2⤵
  PID:7360
- C:\Windows\System32\shLiLYB.exe
  C:\Windows\System32\shLiLYB.exe
  2⤵
  PID:7388
- C:\Windows\System32\VoSSCMz.exe
  C:\Windows\System32\VoSSCMz.exe
  2⤵
  PID:7404
- C:\Windows\System32\IQUqLUU.exe
  C:\Windows\System32\IQUqLUU.exe
  2⤵
  PID:7444
- C:\Windows\System32\KiGQVnJ.exe
  C:\Windows\System32\KiGQVnJ.exe
  2⤵
  PID:7476
- C:\Windows\System32\yqYywEY.exe
  C:\Windows\System32\yqYywEY.exe
  2⤵
  PID:7504
- C:\Windows\System32\QUmdVOO.exe
  C:\Windows\System32\QUmdVOO.exe
  2⤵
  PID:7536
- C:\Windows\System32\gfkRZuL.exe
  C:\Windows\System32\gfkRZuL.exe
  2⤵
  PID:7564
- C:\Windows\System32\rGkotzX.exe
  C:\Windows\System32\rGkotzX.exe
  2⤵
  PID:7592
- C:\Windows\System32\DLaiRsi.exe
  C:\Windows\System32\DLaiRsi.exe
  2⤵
  PID:7620
- C:\Windows\System32\PiOnUKA.exe
  C:\Windows\System32\PiOnUKA.exe
  2⤵
  PID:7652
- C:\Windows\System32\FnxFXRg.exe
  C:\Windows\System32\FnxFXRg.exe
  2⤵
  PID:7688
- C:\Windows\System32\CopGDvc.exe
  C:\Windows\System32\CopGDvc.exe
  2⤵
  PID:7736
- C:\Windows\System32\swUooJg.exe
  C:\Windows\System32\swUooJg.exe
  2⤵
  PID:7752
- C:\Windows\System32\xNnVSbA.exe
  C:\Windows\System32\xNnVSbA.exe
  2⤵
  PID:7792
- C:\Windows\System32\CsIrBqK.exe
  C:\Windows\System32\CsIrBqK.exe
  2⤵
  PID:7832
- C:\Windows\System32\RKrdAEx.exe
  C:\Windows\System32\RKrdAEx.exe
  2⤵
  PID:7860
- C:\Windows\System32\xpxggpA.exe
  C:\Windows\System32\xpxggpA.exe
  2⤵
  PID:7892
- C:\Windows\System32\QAbINKD.exe
  C:\Windows\System32\QAbINKD.exe
  2⤵
  PID:7916
- C:\Windows\System32\zuRoovp.exe
  C:\Windows\System32\zuRoovp.exe
  2⤵
  PID:7944
- C:\Windows\System32\auKJRHA.exe
  C:\Windows\System32\auKJRHA.exe
  2⤵
  PID:7976
- C:\Windows\System32\aSzEJnd.exe
  C:\Windows\System32\aSzEJnd.exe
  2⤵
  PID:8004
- C:\Windows\System32\TXVgwFw.exe
  C:\Windows\System32\TXVgwFw.exe
  2⤵
  PID:8040
- C:\Windows\System32\VPEcnGi.exe
  C:\Windows\System32\VPEcnGi.exe
  2⤵
  PID:8068
- C:\Windows\System32\fYdWkdc.exe
  C:\Windows\System32\fYdWkdc.exe
  2⤵
  PID:8100
- C:\Windows\System32\nTKkxsA.exe
  C:\Windows\System32\nTKkxsA.exe
  2⤵
  PID:8124
- C:\Windows\System32\xfSpAJO.exe
  C:\Windows\System32\xfSpAJO.exe
  2⤵
  PID:8156
- C:\Windows\System32\qluClNu.exe
  C:\Windows\System32\qluClNu.exe
  2⤵
  PID:8180
- C:\Windows\System32\czSnOfj.exe
  C:\Windows\System32\czSnOfj.exe
  2⤵
  PID:7196
- C:\Windows\System32\rxGWneJ.exe
  C:\Windows\System32\rxGWneJ.exe
  2⤵
  PID:7268
- C:\Windows\System32\tCIVdlZ.exe
  C:\Windows\System32\tCIVdlZ.exe
  2⤵
  PID:7344
- C:\Windows\System32\RGJgZpQ.exe
  C:\Windows\System32\RGJgZpQ.exe
  2⤵
  PID:7400
- C:\Windows\System32\BJneaTR.exe
  C:\Windows\System32\BJneaTR.exe
  2⤵
  PID:7488
- C:\Windows\System32\JjLzUrX.exe
  C:\Windows\System32\JjLzUrX.exe
  2⤵
  PID:7548
- C:\Windows\System32\lsLabxB.exe
  C:\Windows\System32\lsLabxB.exe
  2⤵
  PID:7608
- C:\Windows\System32\YNEnXfG.exe
  C:\Windows\System32\YNEnXfG.exe
  2⤵
  PID:7684
- C:\Windows\System32\fHAffgl.exe
  C:\Windows\System32\fHAffgl.exe
  2⤵
  PID:3700
- C:\Windows\System32\kziftCd.exe
  C:\Windows\System32\kziftCd.exe
  2⤵
  PID:532
- C:\Windows\System32\iJIEdMr.exe
  C:\Windows\System32\iJIEdMr.exe
  2⤵
  PID:7768
- C:\Windows\System32\YJTVyLF.exe
  C:\Windows\System32\YJTVyLF.exe
  2⤵
  PID:7852
- C:\Windows\System32\qOqlyPz.exe
  C:\Windows\System32\qOqlyPz.exe
  2⤵
  PID:7912
- C:\Windows\System32\HPBwJTp.exe
  C:\Windows\System32\HPBwJTp.exe
  2⤵
  PID:7992
- C:\Windows\System32\yEFVADQ.exe
  C:\Windows\System32\yEFVADQ.exe
  2⤵
  PID:8064
- C:\Windows\System32\dCmYjlY.exe
  C:\Windows\System32\dCmYjlY.exe
  2⤵
  PID:8116
- C:\Windows\System32\CqdJrKw.exe
  C:\Windows\System32\CqdJrKw.exe
  2⤵
  PID:8176
- C:\Windows\System32\lxNgPvI.exe
  C:\Windows\System32\lxNgPvI.exe
  2⤵
  PID:7328
- C:\Windows\System32\QQfHggh.exe
  C:\Windows\System32\QQfHggh.exe
  2⤵
  PID:7436
- C:\Windows\System32\klexEtl.exe
  C:\Windows\System32\klexEtl.exe
  2⤵
  PID:7584
- C:\Windows\System32\bfAZXnr.exe
  C:\Windows\System32\bfAZXnr.exe
  2⤵
  PID:7524
- C:\Windows\System32\UmnmtGw.exe
  C:\Windows\System32\UmnmtGw.exe
  2⤵
  PID:7884
- C:\Windows\System32\QFekIUU.exe
  C:\Windows\System32\QFekIUU.exe
  2⤵
  PID:8088
- C:\Windows\System32\HkTCScm.exe
  C:\Windows\System32\HkTCScm.exe
  2⤵
  PID:2628
- C:\Windows\System32\EJCaQBa.exe
  C:\Windows\System32\EJCaQBa.exe
  2⤵
  PID:7580
- C:\Windows\System32\jdjHMZc.exe
  C:\Windows\System32\jdjHMZc.exe
  2⤵
  PID:7844
- C:\Windows\System32\RSrzGOa.exe
  C:\Windows\System32\RSrzGOa.exe
  2⤵
  PID:7500
- C:\Windows\System32\rONXMZT.exe
  C:\Windows\System32\rONXMZT.exe
  2⤵
  PID:7820
- C:\Windows\System32\jCfRUnn.exe
  C:\Windows\System32\jCfRUnn.exe
  2⤵
  PID:8212
- C:\Windows\System32\BAwWiBe.exe
  C:\Windows\System32\BAwWiBe.exe
  2⤵
  PID:8240
- C:\Windows\System32\cIMXCXJ.exe
  C:\Windows\System32\cIMXCXJ.exe
  2⤵
  PID:8272
- C:\Windows\System32\BORTfgL.exe
  C:\Windows\System32\BORTfgL.exe
  2⤵
  PID:8296
- C:\Windows\System32\xasdkkB.exe
  C:\Windows\System32\xasdkkB.exe
  2⤵
  PID:8324
- C:\Windows\System32\ZxYVmHp.exe
  C:\Windows\System32\ZxYVmHp.exe
  2⤵
  PID:8340
- C:\Windows\System32\SmeyQSZ.exe
  C:\Windows\System32\SmeyQSZ.exe
  2⤵
  PID:8368
- C:\Windows\System32\VziUxqZ.exe
  C:\Windows\System32\VziUxqZ.exe
  2⤵
  PID:8408
- C:\Windows\System32\FqZgdch.exe
  C:\Windows\System32\FqZgdch.exe
  2⤵
  PID:8436
- C:\Windows\System32\XwUXVJK.exe
  C:\Windows\System32\XwUXVJK.exe
  2⤵
  PID:8468
- C:\Windows\System32\KWqfKmW.exe
  C:\Windows\System32\KWqfKmW.exe
  2⤵
  PID:8496
- C:\Windows\System32\mSwxXtF.exe
  C:\Windows\System32\mSwxXtF.exe
  2⤵
  PID:8512
- C:\Windows\System32\ypNkhZM.exe
  C:\Windows\System32\ypNkhZM.exe
  2⤵
  PID:8540
- C:\Windows\System32\xYeJGdb.exe
  C:\Windows\System32\xYeJGdb.exe
  2⤵
  PID:8580
- C:\Windows\System32\NFHjeNu.exe
  C:\Windows\System32\NFHjeNu.exe
  2⤵
  PID:8608
- C:\Windows\System32\awxmVCW.exe
  C:\Windows\System32\awxmVCW.exe
  2⤵
  PID:8636
- C:\Windows\System32\uYaFUrh.exe
  C:\Windows\System32\uYaFUrh.exe
  2⤵
  PID:8664
- C:\Windows\System32\IzTHnEX.exe
  C:\Windows\System32\IzTHnEX.exe
  2⤵
  PID:8692
- C:\Windows\System32\fxqTZng.exe
  C:\Windows\System32\fxqTZng.exe
  2⤵
  PID:8720
- C:\Windows\System32\HQKrqub.exe
  C:\Windows\System32\HQKrqub.exe
  2⤵
  PID:8760
- C:\Windows\System32\btLpspI.exe
  C:\Windows\System32\btLpspI.exe
  2⤵
  PID:8784
- C:\Windows\System32\SFcPzFG.exe
  C:\Windows\System32\SFcPzFG.exe
  2⤵
  PID:8808
- C:\Windows\System32\xbaNoMV.exe
  C:\Windows\System32\xbaNoMV.exe
  2⤵
  PID:8832
- C:\Windows\System32\JpgPjOp.exe
  C:\Windows\System32\JpgPjOp.exe
  2⤵
  PID:8868
- C:\Windows\System32\swafFlX.exe
  C:\Windows\System32\swafFlX.exe
  2⤵
  PID:8896
- C:\Windows\System32\lZIGoCY.exe
  C:\Windows\System32\lZIGoCY.exe
  2⤵
  PID:8920
- C:\Windows\System32\uJVYWWJ.exe
  C:\Windows\System32\uJVYWWJ.exe
  2⤵
  PID:8956
- C:\Windows\System32\PPETixe.exe
  C:\Windows\System32\PPETixe.exe
  2⤵
  PID:8988
- C:\Windows\System32\GFzuDMm.exe
  C:\Windows\System32\GFzuDMm.exe
  2⤵
  PID:9008
- C:\Windows\System32\WPuNBxH.exe
  C:\Windows\System32\WPuNBxH.exe
  2⤵
  PID:9048
- C:\Windows\System32\hJhMnTr.exe
  C:\Windows\System32\hJhMnTr.exe
  2⤵
  PID:9068
- C:\Windows\System32\ooLVAkQ.exe
  C:\Windows\System32\ooLVAkQ.exe
  2⤵
  PID:9092
- C:\Windows\System32\SvMELMP.exe
  C:\Windows\System32\SvMELMP.exe
  2⤵
  PID:9136
- C:\Windows\System32\mLrPWvx.exe
  C:\Windows\System32\mLrPWvx.exe
  2⤵
  PID:9164
- C:\Windows\System32\vuOKooW.exe
  C:\Windows\System32\vuOKooW.exe
  2⤵
  PID:9192
- C:\Windows\System32\oUVexLP.exe
  C:\Windows\System32\oUVexLP.exe
  2⤵
  PID:8148
- C:\Windows\System32\JvChzzF.exe
  C:\Windows\System32\JvChzzF.exe
  2⤵
  PID:8224
- C:\Windows\System32\uAKgwQW.exe
  C:\Windows\System32\uAKgwQW.exe
  2⤵
  PID:8316
- C:\Windows\System32\meCSivS.exe
  C:\Windows\System32\meCSivS.exe
  2⤵
  PID:8364
- C:\Windows\System32\bJuaHer.exe
  C:\Windows\System32\bJuaHer.exe
  2⤵
  PID:8452
- C:\Windows\System32\nzyhGfQ.exe
  C:\Windows\System32\nzyhGfQ.exe
  2⤵
  PID:8504
- C:\Windows\System32\tVOMXNM.exe
  C:\Windows\System32\tVOMXNM.exe
  2⤵
  PID:8564
- C:\Windows\System32\DOuPNot.exe
  C:\Windows\System32\DOuPNot.exe
  2⤵
  PID:8648
- C:\Windows\System32\jDsLahN.exe
  C:\Windows\System32\jDsLahN.exe
  2⤵
  PID:8712
- C:\Windows\System32\CoZrxGk.exe
  C:\Windows\System32\CoZrxGk.exe
  2⤵
  PID:8772
- C:\Windows\System32\qDqogLP.exe
  C:\Windows\System32\qDqogLP.exe
  2⤵
  PID:8852
- C:\Windows\System32\rdEycwf.exe
  C:\Windows\System32\rdEycwf.exe
  2⤵
  PID:8944
- C:\Windows\System32\BgBkWcn.exe
  C:\Windows\System32\BgBkWcn.exe
  2⤵
  PID:8980
- C:\Windows\System32\jEAerwi.exe
  C:\Windows\System32\jEAerwi.exe
  2⤵
  PID:9076
- C:\Windows\System32\azPHyYY.exe
  C:\Windows\System32\azPHyYY.exe
  2⤵
  PID:9060
- C:\Windows\System32\VduQlbW.exe
  C:\Windows\System32\VduQlbW.exe
  2⤵
  PID:9184
- C:\Windows\System32\fCQIeVx.exe
  C:\Windows\System32\fCQIeVx.exe
  2⤵
  PID:8256
- C:\Windows\System32\tkgxjGu.exe
  C:\Windows\System32\tkgxjGu.exe
  2⤵
  PID:8396
- C:\Windows\System32\zKCckgq.exe
  C:\Windows\System32\zKCckgq.exe
  2⤵
  PID:8568
- C:\Windows\System32\aPrcKoc.exe
  C:\Windows\System32\aPrcKoc.exe
  2⤵
  PID:8704
- C:\Windows\System32\GZREcZf.exe
  C:\Windows\System32\GZREcZf.exe
  2⤵
  PID:8856
- C:\Windows\System32\xjJTwPl.exe
  C:\Windows\System32\xjJTwPl.exe
  2⤵
  PID:8964
- C:\Windows\System32\wRVgmbM.exe
  C:\Windows\System32\wRVgmbM.exe
  2⤵
  PID:9148
- C:\Windows\System32\LKAAkBj.exe
  C:\Windows\System32\LKAAkBj.exe
  2⤵
  PID:8484
- C:\Windows\System32\YJqCvvk.exe
  C:\Windows\System32\YJqCvvk.exe
  2⤵
  PID:8424
- C:\Windows\System32\AXhyoKv.exe
  C:\Windows\System32\AXhyoKv.exe
  2⤵
  PID:9212
- C:\Windows\System32\yQBCYOt.exe
  C:\Windows\System32\yQBCYOt.exe
  2⤵
  PID:8880
- C:\Windows\System32\nCSqCRJ.exe
  C:\Windows\System32\nCSqCRJ.exe
  2⤵
  PID:9224
- C:\Windows\System32\EtFxYEm.exe
  C:\Windows\System32\EtFxYEm.exe
  2⤵
  PID:9252
- C:\Windows\System32\DpycVQj.exe
  C:\Windows\System32\DpycVQj.exe
  2⤵
  PID:9280
- C:\Windows\System32\ymqLRWx.exe
  C:\Windows\System32\ymqLRWx.exe
  2⤵
  PID:9308
- C:\Windows\System32\eyhyKtA.exe
  C:\Windows\System32\eyhyKtA.exe
  2⤵
  PID:9340
- C:\Windows\System32\HcWZLxf.exe
  C:\Windows\System32\HcWZLxf.exe
  2⤵
  PID:9364
- C:\Windows\System32\lTFpdeZ.exe
  C:\Windows\System32\lTFpdeZ.exe
  2⤵
  PID:9392
- C:\Windows\System32\WEcHmGL.exe
  C:\Windows\System32\WEcHmGL.exe
  2⤵
  PID:9420
- C:\Windows\System32\ZrVlEFs.exe
  C:\Windows\System32\ZrVlEFs.exe
  2⤵
  PID:9460
- C:\Windows\System32\vxZCpXF.exe
  C:\Windows\System32\vxZCpXF.exe
  2⤵
  PID:9476
- C:\Windows\System32\yDyONrb.exe
  C:\Windows\System32\yDyONrb.exe
  2⤵
  PID:9504
- C:\Windows\System32\bVysqLr.exe
  C:\Windows\System32\bVysqLr.exe
  2⤵
  PID:9524
- C:\Windows\System32\tIxRdiu.exe
  C:\Windows\System32\tIxRdiu.exe
  2⤵
  PID:9560
- C:\Windows\System32\HQYGYzQ.exe
  C:\Windows\System32\HQYGYzQ.exe
  2⤵
  PID:9588
- C:\Windows\System32\NpJYwzD.exe
  C:\Windows\System32\NpJYwzD.exe
  2⤵
  PID:9616
- C:\Windows\System32\fDLhBwk.exe
  C:\Windows\System32\fDLhBwk.exe
  2⤵
  PID:9644
- C:\Windows\System32\mYnVyIK.exe
  C:\Windows\System32\mYnVyIK.exe
  2⤵
  PID:9672
- C:\Windows\System32\lMsqEqW.exe
  C:\Windows\System32\lMsqEqW.exe
  2⤵
  PID:9700
- C:\Windows\System32\kDQfrZA.exe
  C:\Windows\System32\kDQfrZA.exe
  2⤵
  PID:9716
- C:\Windows\System32\JstojXU.exe
  C:\Windows\System32\JstojXU.exe
  2⤵
  PID:9748
- C:\Windows\System32\tYlszlg.exe
  C:\Windows\System32\tYlszlg.exe
  2⤵
  PID:9784
- C:\Windows\System32\UyCRZWz.exe
  C:\Windows\System32\UyCRZWz.exe
  2⤵
  PID:9812
- C:\Windows\System32\JwAvLHL.exe
  C:\Windows\System32\JwAvLHL.exe
  2⤵
  PID:9840
- C:\Windows\System32\GRVXOEZ.exe
  C:\Windows\System32\GRVXOEZ.exe
  2⤵
  PID:9860
- C:\Windows\System32\wUWUFuO.exe
  C:\Windows\System32\wUWUFuO.exe
  2⤵
  PID:9888
- C:\Windows\System32\cAamJOM.exe
  C:\Windows\System32\cAamJOM.exe
  2⤵
  PID:9924
- C:\Windows\System32\ybInvsQ.exe
  C:\Windows\System32\ybInvsQ.exe
  2⤵
  PID:9952
- C:\Windows\System32\GfhEzXL.exe
  C:\Windows\System32\GfhEzXL.exe
  2⤵
  PID:9968
- C:\Windows\System32\HWvVILZ.exe
  C:\Windows\System32\HWvVILZ.exe
  2⤵
  PID:10008
- C:\Windows\System32\CsbrNhY.exe
  C:\Windows\System32\CsbrNhY.exe
  2⤵
  PID:10036
- C:\Windows\System32\rOhuEub.exe
  C:\Windows\System32\rOhuEub.exe
  2⤵
  PID:10064
- C:\Windows\System32\tYSjlwS.exe
  C:\Windows\System32\tYSjlwS.exe
  2⤵
  PID:10080
- C:\Windows\System32\MVuGwmS.exe
  C:\Windows\System32\MVuGwmS.exe
  2⤵
  PID:10100
- C:\Windows\System32\zUHEgiV.exe
  C:\Windows\System32\zUHEgiV.exe
  2⤵
  PID:10136
- C:\Windows\System32\THXguqE.exe
  C:\Windows\System32\THXguqE.exe
  2⤵
  PID:10180
- C:\Windows\System32\VuNGZKS.exe
  C:\Windows\System32\VuNGZKS.exe
  2⤵
  PID:10208
- C:\Windows\System32\VmdrdJr.exe
  C:\Windows\System32\VmdrdJr.exe
  2⤵
  PID:10228
- C:\Windows\System32\qwsCxLR.exe
  C:\Windows\System32\qwsCxLR.exe
  2⤵
  PID:9264
- C:\Windows\System32\fWMjbbe.exe
  C:\Windows\System32\fWMjbbe.exe
  2⤵
  PID:9328
- C:\Windows\System32\cUhzifZ.exe
  C:\Windows\System32\cUhzifZ.exe
  2⤵
  PID:9384
- C:\Windows\System32\kAVvVsP.exe
  C:\Windows\System32\kAVvVsP.exe
  2⤵
  PID:9444
- C:\Windows\System32\tfgcgbn.exe
  C:\Windows\System32\tfgcgbn.exe
  2⤵
  PID:9500
- C:\Windows\System32\vFYmzYh.exe
  C:\Windows\System32\vFYmzYh.exe
  2⤵
  PID:9576
- C:\Windows\System32\lZMEyrc.exe
  C:\Windows\System32\lZMEyrc.exe
  2⤵
  PID:9668
- C:\Windows\System32\wohtnJu.exe
  C:\Windows\System32\wohtnJu.exe
  2⤵
  PID:9712
- C:\Windows\System32\RdMYxoF.exe
  C:\Windows\System32\RdMYxoF.exe
  2⤵
  PID:9776
- C:\Windows\System32\iEciKte.exe
  C:\Windows\System32\iEciKte.exe
  2⤵
  PID:9852
- C:\Windows\System32\XFVjfFq.exe
  C:\Windows\System32\XFVjfFq.exe
  2⤵
  PID:9896
- C:\Windows\System32\BDWUlri.exe
  C:\Windows\System32\BDWUlri.exe
  2⤵
  PID:9960
- C:\Windows\System32\ChNxMes.exe
  C:\Windows\System32\ChNxMes.exe
  2⤵
  PID:10056
- C:\Windows\System32\erSdEDq.exe
  C:\Windows\System32\erSdEDq.exe
  2⤵
  PID:10116
- C:\Windows\System32\RVqFGVr.exe
  C:\Windows\System32\RVqFGVr.exe
  2⤵
  PID:10196
- C:\Windows\System32\fHrQHxW.exe
  C:\Windows\System32\fHrQHxW.exe
  2⤵
  PID:9236
- C:\Windows\System32\DmXFxYw.exe
  C:\Windows\System32\DmXFxYw.exe
  2⤵
  PID:9376
- C:\Windows\System32\VIqtBCv.exe
  C:\Windows\System32\VIqtBCv.exe
  2⤵
  PID:9516
- C:\Windows\System32\FPOcWAr.exe
  C:\Windows\System32\FPOcWAr.exe
  2⤵
  PID:9692
- C:\Windows\System32\ExotVnr.exe
  C:\Windows\System32\ExotVnr.exe
  2⤵
  PID:9824
- C:\Windows\System32\CnVDDJS.exe
  C:\Windows\System32\CnVDDJS.exe
  2⤵
  PID:10004
- C:\Windows\System32\GoJNWpA.exe
  C:\Windows\System32\GoJNWpA.exe
  2⤵
  PID:8780
- C:\Windows\System32\OylBKIb.exe
  C:\Windows\System32\OylBKIb.exe
  2⤵
  PID:10216
- C:\Windows\System32\JbiSQsz.exe
  C:\Windows\System32\JbiSQsz.exe
  2⤵
  PID:9636
- C:\Windows\System32\wuhWwUz.exe
  C:\Windows\System32\wuhWwUz.exe
  2⤵
  PID:10048
- C:\Windows\System32\dviKiPB.exe
  C:\Windows\System32\dviKiPB.exe
  2⤵
  PID:9544
- C:\Windows\System32\oLaHcxS.exe
  C:\Windows\System32\oLaHcxS.exe
  2⤵
  PID:9920
- C:\Windows\System32\yhaItTn.exe
  C:\Windows\System32\yhaItTn.exe
  2⤵
  PID:10248
- C:\Windows\System32\ZteaPsx.exe
  C:\Windows\System32\ZteaPsx.exe
  2⤵
  PID:10288
- C:\Windows\System32\iBIUSuZ.exe
  C:\Windows\System32\iBIUSuZ.exe
  2⤵
  PID:10316
- C:\Windows\System32\PFsbQvY.exe
  C:\Windows\System32\PFsbQvY.exe
  2⤵
  PID:10344
- C:\Windows\System32\fzeGHlU.exe
  C:\Windows\System32\fzeGHlU.exe
  2⤵
  PID:10364
- C:\Windows\System32\YKOVPYN.exe
  C:\Windows\System32\YKOVPYN.exe
  2⤵
  PID:10400
- C:\Windows\System32\VHzgMhM.exe
  C:\Windows\System32\VHzgMhM.exe
  2⤵
  PID:10416
- C:\Windows\System32\YsXDhfH.exe
  C:\Windows\System32\YsXDhfH.exe
  2⤵
  PID:10456
- C:\Windows\System32\duqMaFD.exe
  C:\Windows\System32\duqMaFD.exe
  2⤵
  PID:10480
- C:\Windows\System32\iOSkzMo.exe
  C:\Windows\System32\iOSkzMo.exe
  2⤵
  PID:10500
- C:\Windows\System32\aPCxGTG.exe
  C:\Windows\System32\aPCxGTG.exe
  2⤵
  PID:10540
- C:\Windows\System32\DlHkexz.exe
  C:\Windows\System32\DlHkexz.exe
  2⤵
  PID:10556
- C:\Windows\System32\PmYQexk.exe
  C:\Windows\System32\PmYQexk.exe
  2⤵
  PID:10584
- C:\Windows\System32\mCMnRUl.exe
  C:\Windows\System32\mCMnRUl.exe
  2⤵
  PID:10612
- C:\Windows\System32\BYequqh.exe
  C:\Windows\System32\BYequqh.exe
  2⤵
  PID:10652
- C:\Windows\System32\vjICtKW.exe
  C:\Windows\System32\vjICtKW.exe
  2⤵
  PID:10672
- C:\Windows\System32\guDaZYd.exe
  C:\Windows\System32\guDaZYd.exe
  2⤵
  PID:10700
- C:\Windows\System32\MqolqqQ.exe
  C:\Windows\System32\MqolqqQ.exe
  2⤵
  PID:10728
- C:\Windows\System32\kltOLBS.exe
  C:\Windows\System32\kltOLBS.exe
  2⤵
  PID:10764
- C:\Windows\System32\SvaIKmA.exe
  C:\Windows\System32\SvaIKmA.exe
  2⤵
  PID:10784
- C:\Windows\System32\ToYHlOf.exe
  C:\Windows\System32\ToYHlOf.exe
  2⤵
  PID:10804
- C:\Windows\System32\jYftMfp.exe
  C:\Windows\System32\jYftMfp.exe
  2⤵
  PID:10836
- C:\Windows\System32\DlmctxG.exe
  C:\Windows\System32\DlmctxG.exe
  2⤵
  PID:10868
- C:\Windows\System32\oiNfSgy.exe
  C:\Windows\System32\oiNfSgy.exe
  2⤵
  PID:10904
- C:\Windows\System32\FmAmMYT.exe
  C:\Windows\System32\FmAmMYT.exe
  2⤵
  PID:10932
- C:\Windows\System32\kVmEVey.exe
  C:\Windows\System32\kVmEVey.exe
  2⤵
  PID:10960
- C:\Windows\System32\WRnhdRO.exe
  C:\Windows\System32\WRnhdRO.exe
  2⤵
  PID:10988
- C:\Windows\System32\AfYkMhj.exe
  C:\Windows\System32\AfYkMhj.exe
  2⤵
  PID:11016
- C:\Windows\System32\qTFcnDC.exe
  C:\Windows\System32\qTFcnDC.exe
  2⤵
  PID:11052
- C:\Windows\System32\rixwcbM.exe
  C:\Windows\System32\rixwcbM.exe
  2⤵
  PID:11076
- C:\Windows\System32\sBhGcrs.exe
  C:\Windows\System32\sBhGcrs.exe
  2⤵
  PID:11108
- C:\Windows\System32\SlVuCOa.exe
  C:\Windows\System32\SlVuCOa.exe
  2⤵
  PID:11136
- C:\Windows\System32\LPewFwY.exe
  C:\Windows\System32\LPewFwY.exe
  2⤵
  PID:11164
- C:\Windows\System32\XdJjigm.exe
  C:\Windows\System32\XdJjigm.exe
  2⤵
  PID:11196
- C:\Windows\System32\fDBomhz.exe
  C:\Windows\System32\fDBomhz.exe
  2⤵
  PID:11216
- C:\Windows\System32\VjMTrWW.exe
  C:\Windows\System32\VjMTrWW.exe
  2⤵
  PID:11252
- C:\Windows\System32\pFMCmpG.exe
  C:\Windows\System32\pFMCmpG.exe
  2⤵
  PID:10264
- C:\Windows\System32\yRCUGtp.exe
  C:\Windows\System32\yRCUGtp.exe
  2⤵
  PID:10328
- C:\Windows\System32\RvvwJbH.exe
  C:\Windows\System32\RvvwJbH.exe
  2⤵
  PID:10396
- C:\Windows\System32\goMfkVG.exe
  C:\Windows\System32\goMfkVG.exe
  2⤵
  PID:10472
- C:\Windows\System32\KourzKH.exe
  C:\Windows\System32\KourzKH.exe
  2⤵
  PID:10532
- C:\Windows\System32\AOENAVa.exe
  C:\Windows\System32\AOENAVa.exe
  2⤵
  PID:10568
- C:\Windows\System32\CoKjUoP.exe
  C:\Windows\System32\CoKjUoP.exe
  2⤵
  PID:10664
- C:\Windows\System32\ZArDCiQ.exe
  C:\Windows\System32\ZArDCiQ.exe
  2⤵
  PID:10724
- C:\Windows\System32\jzsBSZl.exe
  C:\Windows\System32\jzsBSZl.exe
  2⤵
  PID:10772
- C:\Windows\System32\GoHbMCO.exe
  C:\Windows\System32\GoHbMCO.exe
  2⤵
  PID:10860
- C:\Windows\System32\fWIIhXw.exe
  C:\Windows\System32\fWIIhXw.exe
  2⤵
  PID:10920
- C:\Windows\System32\nGMaLSA.exe
  C:\Windows\System32\nGMaLSA.exe
  2⤵
  PID:10980
- C:\Windows\System32\vsCUtHt.exe
  C:\Windows\System32\vsCUtHt.exe
  2⤵
  PID:11008
- C:\Windows\System32\EUSWJsM.exe
  C:\Windows\System32\EUSWJsM.exe
  2⤵
  PID:11084
- C:\Windows\System32\zyrpbgE.exe
  C:\Windows\System32\zyrpbgE.exe
  2⤵
  PID:11152
- C:\Windows\System32\tSDDgmB.exe
  C:\Windows\System32\tSDDgmB.exe
  2⤵
  PID:11232
- C:\Windows\System32\AAcdNZL.exe
  C:\Windows\System32\AAcdNZL.exe
  2⤵
  PID:10284
- C:\Windows\System32\KGpHNkd.exe
  C:\Windows\System32\KGpHNkd.exe
  2⤵
  PID:10452
- C:\Windows\System32\mjtUOXc.exe
  C:\Windows\System32\mjtUOXc.exe
  2⤵
  PID:10636
- C:\Windows\System32\IsRRElt.exe
  C:\Windows\System32\IsRRElt.exe
  2⤵
  PID:10952
- C:\Windows\System32\WJiMUvF.exe
  C:\Windows\System32\WJiMUvF.exe
  2⤵
  PID:11028
- C:\Windows\System32\ODnNwlg.exe
  C:\Windows\System32\ODnNwlg.exe
  2⤵
  PID:11160
- C:\Windows\System32\eUdJQRd.exe
  C:\Windows\System32\eUdJQRd.exe
  2⤵
  PID:10360
- C:\Windows\System32\YNSZwJC.exe
  C:\Windows\System32\YNSZwJC.exe
  2⤵
  PID:10776
- C:\Windows\System32\WsAZVNu.exe
  C:\Windows\System32\WsAZVNu.exe
  2⤵
  PID:11104
- C:\Windows\System32\eDbcSvs.exe
  C:\Windows\System32\eDbcSvs.exe
  2⤵
  PID:10696
- C:\Windows\System32\vaRpyRG.exe
  C:\Windows\System32\vaRpyRG.exe
  2⤵
  PID:11124
- C:\Windows\System32\NqbhpOO.exe
  C:\Windows\System32\NqbhpOO.exe
  2⤵
  PID:11284
- C:\Windows\System32\aDchXBJ.exe
  C:\Windows\System32\aDchXBJ.exe
  2⤵
  PID:11312
- C:\Windows\System32\bgEHlsf.exe
  C:\Windows\System32\bgEHlsf.exe
  2⤵
  PID:11340
- C:\Windows\System32\bUGxJLV.exe
  C:\Windows\System32\bUGxJLV.exe
  2⤵
  PID:11368
- C:\Windows\System32\pzlihJO.exe
  C:\Windows\System32\pzlihJO.exe
  2⤵
  PID:11396
- C:\Windows\System32\uZLrNAq.exe
  C:\Windows\System32\uZLrNAq.exe
  2⤵
  PID:11424
- C:\Windows\System32\QgChxxQ.exe
  C:\Windows\System32\QgChxxQ.exe
  2⤵
  PID:11452
- C:\Windows\System32\BdUviXC.exe
  C:\Windows\System32\BdUviXC.exe
  2⤵
  PID:11488
- C:\Windows\System32\KktcuiE.exe
  C:\Windows\System32\KktcuiE.exe
  2⤵
  PID:11516
- C:\Windows\System32\WcAxbBN.exe
  C:\Windows\System32\WcAxbBN.exe
  2⤵
  PID:11544
- C:\Windows\System32\dIRsQRf.exe
  C:\Windows\System32\dIRsQRf.exe
  2⤵
  PID:11572
- C:\Windows\System32\sYqBsuE.exe
  C:\Windows\System32\sYqBsuE.exe
  2⤵
  PID:11600
- C:\Windows\System32\wKNqQAz.exe
  C:\Windows\System32\wKNqQAz.exe
  2⤵
  PID:11632
- C:\Windows\System32\zNysfNM.exe
  C:\Windows\System32\zNysfNM.exe
  2⤵
  PID:11660
- C:\Windows\System32\EdTOzyk.exe
  C:\Windows\System32\EdTOzyk.exe
  2⤵
  PID:11688
- C:\Windows\System32\ihGsiwL.exe
  C:\Windows\System32\ihGsiwL.exe
  2⤵
  PID:11716
- C:\Windows\System32\bCZAVBK.exe
  C:\Windows\System32\bCZAVBK.exe
  2⤵
  PID:11744
- C:\Windows\System32\DOySWbE.exe
  C:\Windows\System32\DOySWbE.exe
  2⤵
  PID:11772
- C:\Windows\System32\IKzfOCz.exe
  C:\Windows\System32\IKzfOCz.exe
  2⤵
  PID:11804
- C:\Windows\System32\LAXubkE.exe
  C:\Windows\System32\LAXubkE.exe
  2⤵
  PID:11832
- C:\Windows\System32\xJEHkiw.exe
  C:\Windows\System32\xJEHkiw.exe
  2⤵
  PID:11860
- C:\Windows\System32\XPHOcmz.exe
  C:\Windows\System32\XPHOcmz.exe
  2⤵
  PID:11888
- C:\Windows\System32\hLqBtnI.exe
  C:\Windows\System32\hLqBtnI.exe
  2⤵
  PID:11916
- C:\Windows\System32\WVuFFfI.exe
  C:\Windows\System32\WVuFFfI.exe
  2⤵
  PID:11944
- C:\Windows\System32\hnUhvHN.exe
  C:\Windows\System32\hnUhvHN.exe
  2⤵
  PID:11972
- C:\Windows\System32\hbLjWBz.exe
  C:\Windows\System32\hbLjWBz.exe
  2⤵
  PID:12000
- C:\Windows\System32\EYTdcGf.exe
  C:\Windows\System32\EYTdcGf.exe
  2⤵
  PID:12028
- C:\Windows\System32\VEwfYkO.exe
  C:\Windows\System32\VEwfYkO.exe
  2⤵
  PID:12056
- C:\Windows\System32\aVoUTWd.exe
  C:\Windows\System32\aVoUTWd.exe
  2⤵
  PID:12084
- C:\Windows\System32\YZqHqed.exe
  C:\Windows\System32\YZqHqed.exe
  2⤵
  PID:12112
- C:\Windows\System32\mTYidnW.exe
  C:\Windows\System32\mTYidnW.exe
  2⤵
  PID:12140
- C:\Windows\System32\umrAWJV.exe
  C:\Windows\System32\umrAWJV.exe
  2⤵
  PID:12168
- C:\Windows\System32\hPEqrqd.exe
  C:\Windows\System32\hPEqrqd.exe
  2⤵
  PID:12200
- C:\Windows\System32\nbXFQHS.exe
  C:\Windows\System32\nbXFQHS.exe
  2⤵
  PID:12236
- C:\Windows\System32\rRoVHWe.exe
  C:\Windows\System32\rRoVHWe.exe
  2⤵
  PID:12256
- C:\Windows\System32\qGXGGXT.exe
  C:\Windows\System32\qGXGGXT.exe
  2⤵
  PID:12284
- C:\Windows\System32\ZyOITti.exe
  C:\Windows\System32\ZyOITti.exe
  2⤵
  PID:11308
- C:\Windows\System32\PRLKkvz.exe
  C:\Windows\System32\PRLKkvz.exe
  2⤵
  PID:11380
- C:\Windows\System32\ZBQvThb.exe
  C:\Windows\System32\ZBQvThb.exe
  2⤵
  PID:11476
- C:\Windows\System32\cJEgGoz.exe
  C:\Windows\System32\cJEgGoz.exe
  2⤵
  PID:11536
- C:\Windows\System32\jIOIjis.exe
  C:\Windows\System32\jIOIjis.exe
  2⤵
  PID:11596
- C:\Windows\System32\ZCRGwwv.exe
  C:\Windows\System32\ZCRGwwv.exe
  2⤵
  PID:11672
- C:\Windows\System32\sURpXuc.exe
  C:\Windows\System32\sURpXuc.exe
  2⤵
  PID:11728
- C:\Windows\System32\UCwNKGP.exe
  C:\Windows\System32\UCwNKGP.exe
  2⤵
  PID:11796
- C:\Windows\System32\nwERacc.exe
  C:\Windows\System32\nwERacc.exe
  2⤵
  PID:11856
- C:\Windows\System32\INSeZeB.exe
  C:\Windows\System32\INSeZeB.exe
  2⤵
  PID:11928
- C:\Windows\System32\xqyewOK.exe
  C:\Windows\System32\xqyewOK.exe
  2⤵
  PID:11992
- C:\Windows\System32\gpCNumi.exe
  C:\Windows\System32\gpCNumi.exe
  2⤵
  PID:12048
- C:\Windows\System32\mvrzYAS.exe
  C:\Windows\System32\mvrzYAS.exe
  2⤵
  PID:12124
- C:\Windows\System32\WXXUcmU.exe
  C:\Windows\System32\WXXUcmU.exe
  2⤵
  PID:12192
- C:\Windows\System32\WphJMix.exe
  C:\Windows\System32\WphJMix.exe
  2⤵
  PID:12252
- C:\Windows\System32\ndYqdrb.exe
  C:\Windows\System32\ndYqdrb.exe
  2⤵
  PID:11336
- C:\Windows\System32\iAeDVQn.exe
  C:\Windows\System32\iAeDVQn.exe
  2⤵
  PID:11528
- C:\Windows\System32\nmNPwvi.exe
  C:\Windows\System32\nmNPwvi.exe
  2⤵
  PID:4424
- C:\Windows\System32\LGTbGff.exe
  C:\Windows\System32\LGTbGff.exe
  2⤵
  PID:11828
- C:\Windows\System32\TXhiaHA.exe
  C:\Windows\System32\TXhiaHA.exe
  2⤵
  PID:12020
- C:\Windows\System32\TxNkHBw.exe
  C:\Windows\System32\TxNkHBw.exe
  2⤵
  PID:12152
- C:\Windows\System32\aOXfVLT.exe
  C:\Windows\System32\aOXfVLT.exe
  2⤵
  PID:11192
- C:\Windows\System32\DpPBcOR.exe
  C:\Windows\System32\DpPBcOR.exe
  2⤵
  PID:11652
- C:\Windows\System32\MNlCHLk.exe
  C:\Windows\System32\MNlCHLk.exe
  2⤵
  PID:12096
- C:\Windows\System32\uuFENiF.exe
  C:\Windows\System32\uuFENiF.exe
  2⤵
  PID:11628
- C:\Windows\System32\tqVlKwi.exe
  C:\Windows\System32\tqVlKwi.exe
  2⤵
  PID:11500
- C:\Windows\System32\LdluEsX.exe
  C:\Windows\System32\LdluEsX.exe
  2⤵
  PID:12304
- C:\Windows\System32\qCGTtTe.exe
  C:\Windows\System32\qCGTtTe.exe
  2⤵
  PID:12336
- C:\Windows\System32\ESDcvlv.exe
  C:\Windows\System32\ESDcvlv.exe
  2⤵
  PID:12364
- C:\Windows\System32\GmUSTsj.exe
  C:\Windows\System32\GmUSTsj.exe
  2⤵
  PID:12392
- C:\Windows\System32\uhtetcC.exe
  C:\Windows\System32\uhtetcC.exe
  2⤵
  PID:12420
- C:\Windows\System32\jgMTriW.exe
  C:\Windows\System32\jgMTriW.exe
  2⤵
  PID:12448
- C:\Windows\System32\cATpIXo.exe
  C:\Windows\System32\cATpIXo.exe
  2⤵
  PID:12476
- C:\Windows\System32\oGnWftB.exe
  C:\Windows\System32\oGnWftB.exe
  2⤵
  PID:12504
- C:\Windows\System32\ySaPSIA.exe
  C:\Windows\System32\ySaPSIA.exe
  2⤵
  PID:12532
- C:\Windows\System32\eBiFiVx.exe
  C:\Windows\System32\eBiFiVx.exe
  2⤵
  PID:12560
- C:\Windows\System32\qkjmjvP.exe
  C:\Windows\System32\qkjmjvP.exe
  2⤵
  PID:12588
- C:\Windows\System32\zXvajIH.exe
  C:\Windows\System32\zXvajIH.exe
  2⤵
  PID:12616
- C:\Windows\System32\JlFAIPF.exe
  C:\Windows\System32\JlFAIPF.exe
  2⤵
  PID:12644
- C:\Windows\System32\BgRqOvu.exe
  C:\Windows\System32\BgRqOvu.exe
  2⤵
  PID:12672
- C:\Windows\System32\miMoxey.exe
  C:\Windows\System32\miMoxey.exe
  2⤵
  PID:12700
- C:\Windows\System32\iDASIYJ.exe
  C:\Windows\System32\iDASIYJ.exe
  2⤵
  PID:12728
- C:\Windows\System32\NziChPE.exe
  C:\Windows\System32\NziChPE.exe
  2⤵
  PID:12756
- C:\Windows\System32\IoShhnc.exe
  C:\Windows\System32\IoShhnc.exe
  2⤵
  PID:12784
- C:\Windows\System32\IFuXqHE.exe
  C:\Windows\System32\IFuXqHE.exe
  2⤵
  PID:12812
- C:\Windows\System32\OXqpmnS.exe
  C:\Windows\System32\OXqpmnS.exe
  2⤵
  PID:12840
- C:\Windows\System32\tRiEQmd.exe
  C:\Windows\System32\tRiEQmd.exe
  2⤵
  PID:12868
- C:\Windows\System32\hXLAkMp.exe
  C:\Windows\System32\hXLAkMp.exe
  2⤵
  PID:12896
- C:\Windows\System32\oczBAxg.exe
  C:\Windows\System32\oczBAxg.exe
  2⤵
  PID:12924
- C:\Windows\System32\JrVPzPB.exe
  C:\Windows\System32\JrVPzPB.exe
  2⤵
  PID:12952
- C:\Windows\System32\GJSbqRl.exe
  C:\Windows\System32\GJSbqRl.exe
  2⤵
  PID:12980
- C:\Windows\System32\FerokOv.exe
  C:\Windows\System32\FerokOv.exe
  2⤵
  PID:13008
- C:\Windows\System32\FIDgAkq.exe
  C:\Windows\System32\FIDgAkq.exe
  2⤵
  PID:13036
- C:\Windows\System32\fmEUWDW.exe
  C:\Windows\System32\fmEUWDW.exe
  2⤵
  PID:13064
- C:\Windows\System32\VltStXJ.exe
  C:\Windows\System32\VltStXJ.exe
  2⤵
  PID:13092
- C:\Windows\System32\XzWGTar.exe
  C:\Windows\System32\XzWGTar.exe
  2⤵
  PID:13120
- C:\Windows\System32\cROSuPM.exe
  C:\Windows\System32\cROSuPM.exe
  2⤵
  PID:13148
- C:\Windows\System32\lyjMayG.exe
  C:\Windows\System32\lyjMayG.exe
  2⤵
  PID:13176
- C:\Windows\System32\VthVFqy.exe
  C:\Windows\System32\VthVFqy.exe
  2⤵
  PID:13204
- C:\Windows\System32\pdOKSSF.exe
  C:\Windows\System32\pdOKSSF.exe
  2⤵
  PID:13244
- C:\Windows\System32\wUakxNd.exe
  C:\Windows\System32\wUakxNd.exe
  2⤵
  PID:13260
- C:\Windows\System32\vSdRJVr.exe
  C:\Windows\System32\vSdRJVr.exe
  2⤵
  PID:13288
- C:\Windows\System32\ULqyGQe.exe
  C:\Windows\System32\ULqyGQe.exe
  2⤵
  PID:12296
- C:\Windows\System32\bytxIfF.exe
  C:\Windows\System32\bytxIfF.exe
  2⤵
  PID:12360
- C:\Windows\System32\CntkmxC.exe
  C:\Windows\System32\CntkmxC.exe
  2⤵
  PID:12432
- C:\Windows\System32\BRJTbyB.exe
  C:\Windows\System32\BRJTbyB.exe
  2⤵
  PID:12496
- C:\Windows\System32\OpBYpnz.exe
  C:\Windows\System32\OpBYpnz.exe
  2⤵
  PID:12556
- C:\Windows\System32\MibAOEn.exe
  C:\Windows\System32\MibAOEn.exe
  2⤵
  PID:1244
- C:\Windows\System32\QEIfOwc.exe
  C:\Windows\System32\QEIfOwc.exe
  2⤵
  PID:12656
- C:\Windows\System32\tumYTWH.exe
  C:\Windows\System32\tumYTWH.exe
  2⤵
  PID:12720
- C:\Windows\System32\sowQkTK.exe
  C:\Windows\System32\sowQkTK.exe
  2⤵
  PID:12780
- C:\Windows\System32\MVZBhxF.exe
  C:\Windows\System32\MVZBhxF.exe
  2⤵
  PID:12852
- C:\Windows\System32\JLSPMOn.exe
  C:\Windows\System32\JLSPMOn.exe
  2⤵
  PID:12916
- C:\Windows\System32\hXMgZeP.exe
  C:\Windows\System32\hXMgZeP.exe
  2⤵
  PID:12976

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DdhGSlY.exe

Filesize
2.6MB

MD5
2f14fd1d3e657e838fe205b3e66f2c32

SHA1
2f1764cc5f44d6d17d516e317a993ee1eb74862e

SHA256
807e9118a1042249047505b0ee4a6a5284f53db141c86e7c0f828fa66572370c

SHA512
a7163f13ea1a428347d0a518091da360bc087c7b80517172096070b62fb05d7486ae169b51d2c5316ed2e3c1fd72279fc04920f53b6e20d4e825b898893e3b75

Download Submit
C:\Windows\System32\EdFAwuE.exe

Filesize
2.6MB

MD5
9268220b77538e06ec4d909481ba0e6a

SHA1
80f2c243e45a3e84331e82c49a6be95340fa5eda

SHA256
ab24763ae67032bc5474f6a3e14747de397a35b5e62c4f91aaeb3dd657f341d4

SHA512
e16a8636d7d64ad8f48e92718aba6ee3b6656ed8fd8738f83a503df30285e64291e40b3a56825bfabf1f5ba2f60fb93e97aa759bc2d6948a323b8ca4aa397816

Download Submit
C:\Windows\System32\LPBPHQN.exe

Filesize
2.6MB

MD5
8b6666e1fe6a9e9c656e550d1b5a02bd

SHA1
00a3379c75573b315a697ebfb073d47a484d384b

SHA256
fe3a55084ac5720b34a792c56595334b82a53d333a9608b9292eec9ab0fa9a93

SHA512
8ff95fe08a2a7505bd8cc50ce1423e78cf984240792d293f9524185b91245087669d303af0325d6b551fea0e0db46d72fbe480007ee0f93f9811d8e6114e7d03

Download Submit
C:\Windows\System32\LnsCuaz.exe

Filesize
2.6MB

MD5
4bc84431bf048cb5ec889de8a0ddb011

SHA1
8c639cfc0abcc0264a5d013c3b4ad4ee0c6421a9

SHA256
01a9cb29f1f9141a120ad0d64ea1dfa090daab677b36daeea9de90f7cd87ee70

SHA512
7021bda2e847235c4234dec871d2e913ee9e9d29664a94782043357cac1f61b2778fd9c645ee685007feef3cdb4abe411c39c22a0f21340dba5cf062e51eebd5

Download Submit
C:\Windows\System32\MirIRLV.exe

Filesize
2.6MB

MD5
fec473484eae94e03b9c7413602a7657

SHA1
8dbfe3403ca66fa1b27a8e99436b43fd767c4f1b

SHA256
38afc9312153abf3910db228687105d408cef4e3e53ccbde675558c49a6d7356

SHA512
16652a019c2c87b470269173b88c8933b03d04f8484a0c31adee6d2c2caa7a0edc08462a4b294c7e76307fc21f3ef7a70b1fab42e0848f37a7635897ff1b88c1

Download Submit
C:\Windows\System32\MxibcBr.exe

Filesize
2.6MB

MD5
0ae3416f43b6d64dbe09cbc28475adda

SHA1
c819628106f5c6472154a49f14347f1559da7457

SHA256
7d560d61e7c1af3600647200abd6f317c83126fe16d7cfab31678ecae6cdf2cc

SHA512
ebfc69c0030cb1142030635a8f5b0034989894d711a3c0e5ea69b33fac0f461cfe3241a2e05cc7a14ffad52eddabd0fdc68fe8f8bac46e07cb962a7a1dab9d48

Download Submit
C:\Windows\System32\MzvutFb.exe

Filesize
2.6MB

MD5
b6addb86c16cbc2ce16d1965eaf9dd79

SHA1
3dc2b07556f75f087f0651295cf18b631f88dc07

SHA256
a2a4d5e12dcfcc1f259e07ea9d0a8326f57fd41b1edd8cb4506aef0be6e33ed0

SHA512
a322bea5df9744a8cab749e71e0e152639458bc082c6841707d47a97969f8ffaa26545b003e455e0dbe4a148bb5b96c96e8c1dc5c910e6945ae9b1ca88447c67

Download Submit
C:\Windows\System32\OavitvG.exe

Filesize
2.6MB

MD5
9ab330c7d82e2359937f6605c8b56f10

SHA1
4db5392fdfa9fbd18c949cc7ea0469d8914b6a9d

SHA256
91c8323dbde9d12b858247d3c23d1203a7029910f7bbcd4ab544aeaa0646b985

SHA512
b8d425a867b8ec369ac46de5be11294774b409acd509a12bf7125bea5e9d9db41b0a3950fff7fb5c1232e0528b38d27af1da08f257850d31d2726c92b66f4e78

Download Submit
C:\Windows\System32\PhnexwE.exe

Filesize
2.6MB

MD5
4dac630b2c7ec9e1b4e8427210c0e905

SHA1
dd82cfefe202d63c7c2d1aa02ebbff42ae824ec3

SHA256
32cf6173557ba4fc9bc4894338b0332bb81a7e385af398790eb10cd548eaaead

SHA512
30bcf792d09086fd65ed5a8568e28011361f3bfe5da6191ecd57dbfba5540dba6e16bf3cf15c49bd0a7435fce6d697251b29775cc2711c851e5046e6536bc15f

Download Submit
C:\Windows\System32\QXAmWtk.exe

Filesize
2.6MB

MD5
169d7315c144b3cb2514f07a2fe3b56f

SHA1
a78b2011621e55d322fb62b39e65e115f62df5d1

SHA256
ab1f2182274f7cb432f821678f6924c13b6a3c71694604a3441858c5c4d0d187

SHA512
8d6b312de22ea9d8cc7f9243d49f9725d5ccffccca73e86151df3a5ffe406a7343b7bb5b25783a5ff68cfd925d69c8635350178d8c05fed288e5e015c10055d7

Download Submit
C:\Windows\System32\QvPDalo.exe

Filesize
2.6MB

MD5
c8103ff9f770c3520c849f7d7f6f001a

SHA1
418180db97fc47c606dd92d676b05e026c8d0f8f

SHA256
e8e64ad931d47882bee7d4eff4c37cad940d85407076e2729b70d82842a3af1f

SHA512
e8b777e7874b9122857ba0ecc0a9cc811dbe542f0352fd7a19bd6e1779d86552e48d631bf5bce20b2baad0f096e9dc4c7a7fa110398c2805491123c8260457af

Download Submit
C:\Windows\System32\RoKojYv.exe

Filesize
2.6MB

MD5
aaf9f806920dc82e34544f9a0f80bf8e

SHA1
f85f26231a6813e9926cc3f38081e187c29a555e

SHA256
3419602d348a0cd3ea51769fdff3cd255af7f71afec3ba66037db0633ee21d39

SHA512
55c04511c296578cbd296c907601f7952758ea297244083a2de3034fcbec8f4b3d2dcdf93758dfb3a5250eb834c8d73c585eac23d5aecce3332b8c05128361f4

Download Submit
C:\Windows\System32\SXGuRKr.exe

Filesize
2.6MB

MD5
8fb66565580be37342409fb0b3069889

SHA1
a99a3e27bd5d475e70523d924f55df5180ecc2d5

SHA256
2eb501074a917f808e8a99646a7aad1f2ea76a536f853a87151b2e2d5c06decd

SHA512
bae5ef53779316d4804ee48f7dff8daef7fa8fea2d7a3d3b936e714e38d7ee5e6c0df53195a296492b755a9b005c18c653e878dc31286d511003bfa095199b92

Download Submit
C:\Windows\System32\SdzlqPT.exe

Filesize
2.6MB

MD5
3fd89bbc6f24d99e0e6ace5d77ad7dc8

SHA1
3e69690b0f9ab3322f37ada01e37ea187f1c4665

SHA256
4c1f9a7aa37e372a94a2b703ecd608c80fcd80e9906d286b09a5cb43a0f1c55f

SHA512
e5dc65b1c1e77b322b96653ae5387b0dedd7f90ba85e0c4073fd2d051a131475bbc5fb78f180d5bc9bf4f0673830c824548e3014f19503c058d3bbeb7e124c10

Download Submit
C:\Windows\System32\SrHysBo.exe

Filesize
2.6MB

MD5
7a26fe713c220d8fe4b879a6cbe7fd7f

SHA1
aa631496d3b264dd45f074335b7316ae7129d9d2

SHA256
56b3025f5fbc128f5450ad8596671a9c8447319f479b997b77ae01634bec385f

SHA512
917e1b0ccd29d37bfa65bba7fec00aed2ffdcac46fa487b857dcb42f709b9dfb22086c759e567b1a2f0fc3f7e51bee311525bad07fcd8cbda58cc6886ff06e4f

Download Submit
C:\Windows\System32\UBGuOvq.exe

Filesize
2.6MB

MD5
f5bb2e637d91e9575531be39e8d9e234

SHA1
3bbd9e1b2c8eb800adbc387962153e28488d78b3

SHA256
bb8215e0d3336a4eb06cafecb29ea608f36515c77cfdbc8456cca33ebb0c9233

SHA512
16b8afb8859cc43fcaa2de66d5ef55c84cafca6f826644f8813aba8837d31bfdd1e76bca2178e7f86987b77888ca742e5419729fce393e76d8a303d2fa0aba07

Download Submit
C:\Windows\System32\UMrtQXG.exe

Filesize
2.6MB

MD5
3cfde730e8a0bb4060b10ba458d14420

SHA1
71041e93ed8a0af173b9a0ae1ba43a7c2eac82b7

SHA256
331e7170249c962a39883dd41f0f7a5b415a7872a3938c7a49483a9c93dc8195

SHA512
ad6eec15a18f7392b15d436613119089c2e9c50ca7ec34f77851b2e60fcbe6628cfb007a647c29d2f8ce341d32c306651debcfbb9738d43e85ea37616c2ed1a3

Download Submit
C:\Windows\System32\VsXMban.exe

Filesize
2.6MB

MD5
c62a51ae74a153ad6e9c0f946e7fd763

SHA1
4c87308dbe6762b4252fd07d7749b501cfa77d97

SHA256
4f0f675f9e81b42ab7a280c471050bf136522c08d85f98bca5285c8d62ae8a30

SHA512
a4ce69b23c1a0b0dbf463b4a9359158f36cdf6b0b247811fffbd04b21a22737c66d29dd3bca1c8de3988bc557220b8df4b3ae081d314c7f57ca85cb3d7558ce4

Download Submit
C:\Windows\System32\ZMqFtzy.exe

Filesize
2.6MB

MD5
a186d46854a740e5de1faf48d9b3dbca

SHA1
892c25751d60dfc44c5e17491eb25a3638327c16

SHA256
ab17740b4f9e2c25245ba731b639029f41994eb4c0010b5a462e907fa037db13

SHA512
2c63cf0a227c2fddde90cdef79fe2ba5ae3187e58b2e35cd9de4b952c01f38278a34507b704972f3b71709abf1525b10f5eeb47efca3622c4e632abe47c207ae

Download Submit
C:\Windows\System32\ZQQPlnJ.exe

Filesize
2.6MB

MD5
d2e9888262398d7edbed58b6bf1012db

SHA1
ea1b66e80649c6d08de9aa0b8573e4c13f22fe3e

SHA256
1618826efd4e946b02096529f4849a8be756748d2fe439b11afa58834832617b

SHA512
7102f7208ffab2bb8eaa035f78ce56421157e05090fa9c9276dc9be22a3c766b0ac7f386f8b0182030914a9f64d3d677322ac13b255a6fa41e8e2919575653d7

Download Submit
C:\Windows\System32\cLerUEV.exe

Filesize
2.6MB

MD5
dcbf16f60e7cb98bc9dca266e175edc2

SHA1
62114e652aa356451d6f3fcba70dd277fa22a192

SHA256
846893042f9d87df94548204142485a4c2d8740d87d454ac1aad08ea658ff8a3

SHA512
78310122a83d9dc47736adfe5dbff6b9b5cf702e95a4783226fa2c8134faf50e653d0c4292b98988b563b2c6a860c68af6d4c145199e629081abbb972c670322

Download Submit
C:\Windows\System32\eMUeBVp.exe

Filesize
2.6MB

MD5
5e6f521aa6495c4ae317206040f824ba

SHA1
3a9b626bbf0281340240a3c73483dd6b39093834

SHA256
ffbd70b1d1d0a6a2e3e01dabad3c88cae118ecda4eb1af1ab1e069170b1a7106

SHA512
aa7a4db9d60210533422e43cc5640c19f5daa891ba10eaff263b2cf3c9741a75bfa6bd87cfbac5a64900b2969a3dad18852121a9d3f8be14fde385de647b0b71

Download Submit
C:\Windows\System32\gGLTncm.exe

Filesize
2.6MB

MD5
d785b50b02aceb23b0d4b3edf93da9e1

SHA1
d7a196c7fface189b65c20913fbf6628609e5378

SHA256
e2669586eb93f9b50650c56829ca4ddc2017b3ca0d6d573770bc5302f379d617

SHA512
a7c087ecb3e7bd784f670e7cafcb41b25f95e4bff29bb2df05347f0e4e478dfe13953b7c011728a93c900b10060d1b5e39c3fe0e99fcaba7753fb8697abc1d1b

Download Submit
C:\Windows\System32\giuLxHG.exe

Filesize
2.6MB

MD5
b3e6aa2a56ea776c50f7bf041a475986

SHA1
60a8f7072aa0507aeb843f1fc307e70de12df9f1

SHA256
22c48dece490df56120dfdd33be14be2ff37c45ec96648c5278a21a40a84f16a

SHA512
eff28ffbf5dfadc8609703d57f234c4b8e025eaf8cefeba7de7aca825b590cfd1e2946d8543874a4e73dd549acc16e059f461ed8cf9f0d48e3ae0a8049fe5cbd

Download Submit
C:\Windows\System32\goKmkJo.exe

Filesize
2.6MB

MD5
da44aab70f859ee089ce474a84a53e3f

SHA1
5ee626532f398edd69e2284d16f4d46070347db5

SHA256
1c8baf1bfaa80b61c0695c6e1173837a8d5a0b3b642b612250a15f74c88be283

SHA512
d389dae3a921ac2b323e0db3f31318faa4665e58e8ddb9fc7445063f12348fccc475fd821a897020270c5f4b88736f24e3dfaba3b9f6dc1e7a732f72400baca8

Download Submit
C:\Windows\System32\hZENUTE.exe

Filesize
2.6MB

MD5
c44e382c68c99ad8a1bcb546fd5fb525

SHA1
c1ff478761372f0636d8103867cf45d27da09545

SHA256
d50ecc8a0174ebfd2d459ed9e42f00fbe9e41ccb8ec970319af33be125a68cce

SHA512
9743a014e10d83786b3eaca84793d64fe4fd7dfa6df6f3a86cb9d56afbbca9a52c4aa8064d9ae62590a1c454925f0815cf58119b885f6405d48899bd575654d3

Download Submit
C:\Windows\System32\iDKXXzZ.exe

Filesize
2.6MB

MD5
f9d651eaef17b1e4f22530489a6af034

SHA1
b40dbe0486acb2cfcbbbc8f8b6bee5717aebb016

SHA256
774cc8daca055180df5fe92eb70467437b0d47d348467f86fdbc363f41e285bf

SHA512
41f3e8bf6d37832d9f551cea7414c6e5180e6944f44901cce386e9c6f181c4e4546fbaa355246783d5c3c2999fe072a914eb18879b1cca2ac75b228f58f668e9

Download Submit
C:\Windows\System32\kECSiUv.exe

Filesize
2.6MB

MD5
2ac30a19cfb28d6efa3c3d131bab2d48

SHA1
310c9c1a06564ab1e7373e2c6aec3347dca81b6d

SHA256
b22e06fc1113abb5cc7cdc3fb1c7eb3a190ff89ce5a8af5d2888e86e85a851c9

SHA512
5e154fcd91fab0c322a26888ba6d0e05f7998f7a9337a65c0c009f56b5c688acf29ed41d3f7eb5fa95335eca89f9971668dbc321dd9e32acfa662503418e2f3d

Download Submit
C:\Windows\System32\lnhsWjI.exe

Filesize
2.6MB

MD5
e4724c736d5eac1f499c4fda16403685

SHA1
3fbf8f7cbe70a186f9b34e15244828aac0fdadf2

SHA256
fb59432dc3d0d2fde472bc8f59ac294a140de5b73113c5ef3dfa69e2a15ff7a9

SHA512
311e154e70bede4650add0820143c2ad47ab2e692efa09e0356a97ced3ee407e8a7439bb75c709944fa4fb2adee89c2d09353eac9acfe1aba5bff96ca5a03400

Download Submit
C:\Windows\System32\sqcesLF.exe

Filesize
2.6MB

MD5
dad26dc7728e01b5bcf8b02f55258a65

SHA1
dfb49202db48b30b9f015502499d85b7c5fe609f

SHA256
f88b6d093269bb8a3a434295ff0a637dfc06d1b221a6de1f4a7516874f666caf

SHA512
f0633a5b810a02fdbc08e449ea5694d5bd34c6c53faef26fb505b7951261233e1ec574f309889084ba0c1847b2553d6fd08dd58b2c17e0b4d3cdbe242434596a

Download Submit
C:\Windows\System32\urtKqsA.exe

Filesize
2.6MB

MD5
fdf36f7e8099f32ffd9c830e1597d94f

SHA1
3600e4960566c2cbc74ce7dff4c3086b855af635

SHA256
1077b68c0939dadc4daf94b202884936aeec95c72f94ec70f5736beb656e2bfa

SHA512
220fc9e15bb001e4d3435c9798d79ea178307120b6d18e96ba9a91423ab46a1733e9d263e522a1272bf076985d669281715c96e2ddf8309ae339fc6bcc82108b

Download Submit
C:\Windows\System32\yELFhmQ.exe

Filesize
2.6MB

MD5
a55e94b00e0b809f92f690c442f084b1

SHA1
165ed45f77d80a5221a1754f7672fc4073721f7a

SHA256
45d0e74fdb3a5f2143f4bd27a379f829fb00108493aba01624fe79bdea9ab582

SHA512
83738d4601fea11cd04794f8c204fa1004663bdd9b71773bf589ba7be1cec077af57e40dd256ad8d4de66a5354f051fc54938ac3fd19ff47189848f32c7f7a07

Download Submit
memory/8-648-0x00007FF605490000-0x00007FF605885000-memory.dmp

Filesize
4.0MB

Download
memory/8-1913-0x00007FF605490000-0x00007FF605885000-memory.dmp

Filesize
4.0MB

Download
memory/436-1-0x000001DC98B20000-0x000001DC98B30000-memory.dmp

Filesize
64KB

Download
memory/436-0-0x00007FF777C90000-0x00007FF778085000-memory.dmp

Filesize
4.0MB

Download
memory/1792-1907-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp

Filesize
4.0MB

Download
memory/1792-630-0x00007FF7EAD10000-0x00007FF7EB105000-memory.dmp

Filesize
4.0MB

Download
memory/2036-627-0x00007FF6F4B50000-0x00007FF6F4F45000-memory.dmp

Filesize
4.0MB

Download
memory/2036-1906-0x00007FF6F4B50000-0x00007FF6F4F45000-memory.dmp

Filesize
4.0MB

Download
memory/2064-1904-0x00007FF6A12B0000-0x00007FF6A16A5000-memory.dmp

Filesize
4.0MB

Download
memory/2064-602-0x00007FF6A12B0000-0x00007FF6A16A5000-memory.dmp

Filesize
4.0MB

Download
memory/2296-1911-0x00007FF6563D0000-0x00007FF6567C5000-memory.dmp

Filesize
4.0MB

Download
memory/2296-634-0x00007FF6563D0000-0x00007FF6567C5000-memory.dmp

Filesize
4.0MB

Download
memory/2328-1903-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp

Filesize
4.0MB

Download
memory/2328-618-0x00007FF6D9FF0000-0x00007FF6DA3E5000-memory.dmp

Filesize
4.0MB

Download
memory/2344-1895-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp

Filesize
4.0MB

Download
memory/2344-678-0x00007FF75D830000-0x00007FF75DC25000-memory.dmp

Filesize
4.0MB

Download
memory/2352-605-0x00007FF62BAA0000-0x00007FF62BE95000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1899-0x00007FF62BAA0000-0x00007FF62BE95000-memory.dmp

Filesize
4.0MB

Download
memory/2404-1901-0x00007FF721CD0000-0x00007FF7220C5000-memory.dmp

Filesize
4.0MB

Download
memory/2404-608-0x00007FF721CD0000-0x00007FF7220C5000-memory.dmp

Filesize
4.0MB

Download
memory/2772-1896-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp

Filesize
4.0MB

Download
memory/2772-600-0x00007FF7088C0000-0x00007FF708CB5000-memory.dmp

Filesize
4.0MB

Download
memory/3176-1902-0x00007FF715090000-0x00007FF715485000-memory.dmp

Filesize
4.0MB

Download
memory/3176-611-0x00007FF715090000-0x00007FF715485000-memory.dmp

Filesize
4.0MB

Download
memory/3512-1912-0x00007FF68F540000-0x00007FF68F935000-memory.dmp

Filesize
4.0MB

Download
memory/3512-645-0x00007FF68F540000-0x00007FF68F935000-memory.dmp

Filesize
4.0MB

Download
memory/3684-1910-0x00007FF75E1A0000-0x00007FF75E595000-memory.dmp

Filesize
4.0MB

Download
memory/3684-641-0x00007FF75E1A0000-0x00007FF75E595000-memory.dmp

Filesize
4.0MB

Download
memory/3692-1897-0x00007FF763070000-0x00007FF763465000-memory.dmp

Filesize
4.0MB

Download
memory/3692-604-0x00007FF763070000-0x00007FF763465000-memory.dmp

Filesize
4.0MB

Download
memory/3724-1914-0x00007FF7012D0000-0x00007FF7016C5000-memory.dmp

Filesize
4.0MB

Download
memory/3724-629-0x00007FF7012D0000-0x00007FF7016C5000-memory.dmp

Filesize
4.0MB

Download
memory/3768-1916-0x00007FF7199F0000-0x00007FF719DE5000-memory.dmp

Filesize
4.0MB

Download
memory/3768-673-0x00007FF7199F0000-0x00007FF719DE5000-memory.dmp

Filesize
4.0MB

Download
memory/3824-1905-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp

Filesize
4.0MB

Download
memory/3824-601-0x00007FF7E7BC0000-0x00007FF7E7FB5000-memory.dmp

Filesize
4.0MB

Download
memory/3828-1894-0x00007FF78D420000-0x00007FF78D815000-memory.dmp

Filesize
4.0MB

Download
memory/3828-599-0x00007FF78D420000-0x00007FF78D815000-memory.dmp

Filesize
4.0MB

Download
memory/4072-616-0x00007FF765440000-0x00007FF765835000-memory.dmp

Filesize
4.0MB

Download
memory/4072-1900-0x00007FF765440000-0x00007FF765835000-memory.dmp

Filesize
4.0MB

Download
memory/4244-1893-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp

Filesize
4.0MB

Download
memory/4244-10-0x00007FF75FB00000-0x00007FF75FEF5000-memory.dmp

Filesize
4.0MB

Download
memory/4280-603-0x00007FF754320000-0x00007FF754715000-memory.dmp

Filesize
4.0MB

Download
memory/4280-1898-0x00007FF754320000-0x00007FF754715000-memory.dmp

Filesize
4.0MB

Download
memory/4404-1909-0x00007FF7D8DE0000-0x00007FF7D91D5000-memory.dmp

Filesize
4.0MB

Download
memory/4404-661-0x00007FF7D8DE0000-0x00007FF7D91D5000-memory.dmp

Filesize
4.0MB

Download
memory/4708-1915-0x00007FF7DA6C0000-0x00007FF7DAAB5000-memory.dmp

Filesize
4.0MB

Download
memory/4708-658-0x00007FF7DA6C0000-0x00007FF7DAAB5000-memory.dmp

Filesize
4.0MB

Download
memory/4724-665-0x00007FF642C20000-0x00007FF643015000-memory.dmp

Filesize
4.0MB

Download
memory/4724-1908-0x00007FF642C20000-0x00007FF643015000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads