xmrig | 5454bb92f199bb2d1172ba33cb5c090e01bb4dea7142473e12664cb23add80ef

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
Size

1.9MB
MD5

11ff47505f3429cdc1a0989036fbc9f0
SHA1

cee8f5edefc90f34030ddc985cc0e5aaa7f0bcec
SHA256

5454bb92f199bb2d1172ba33cb5c090e01bb4dea7142473e12664cb23add80ef
SHA512

24cd7f4b6c8a1b1cbce23717488a0dd39cdacc3102c587be383035d083fac0f5479999041f0a53bcfda0ca3eadc28d5900e31614e03c2954be2c41672a020cd4
SSDEEP

49152:knw9oUUEEDlOuJv0oD5WBsv5AK6kxGTnburHB:kQUEED

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/2980-53-0x00007FF612640000-0x00007FF612A31000-memory.dmp	xmrig
behavioral2/memory/3572-531-0x00007FF795680000-0x00007FF795A71000-memory.dmp	xmrig
behavioral2/memory/2800-532-0x00007FF662530000-0x00007FF662921000-memory.dmp	xmrig
behavioral2/memory/2372-534-0x00007FF610430000-0x00007FF610821000-memory.dmp	xmrig
behavioral2/memory/4528-542-0x00007FF6B1C50000-0x00007FF6B2041000-memory.dmp	xmrig
behavioral2/memory/2264-548-0x00007FF69B1F0000-0x00007FF69B5E1000-memory.dmp	xmrig
behavioral2/memory/5068-552-0x00007FF6C92C0000-0x00007FF6C96B1000-memory.dmp	xmrig
behavioral2/memory/2864-562-0x00007FF730200000-0x00007FF7305F1000-memory.dmp	xmrig
behavioral2/memory/452-571-0x00007FF799570000-0x00007FF799961000-memory.dmp	xmrig
behavioral2/memory/4948-578-0x00007FF6A5970000-0x00007FF6A5D61000-memory.dmp	xmrig
behavioral2/memory/3132-587-0x00007FF72B2E0000-0x00007FF72B6D1000-memory.dmp	xmrig
behavioral2/memory/3432-581-0x00007FF6A6040000-0x00007FF6A6431000-memory.dmp	xmrig
behavioral2/memory/1836-580-0x00007FF719B10000-0x00007FF719F01000-memory.dmp	xmrig
behavioral2/memory/1300-575-0x00007FF7ED2F0000-0x00007FF7ED6E1000-memory.dmp	xmrig
behavioral2/memory/3420-545-0x00007FF6339A0000-0x00007FF633D91000-memory.dmp	xmrig
behavioral2/memory/2744-539-0x00007FF71F1B0000-0x00007FF71F5A1000-memory.dmp	xmrig
behavioral2/memory/1808-57-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp	xmrig
behavioral2/memory/5052-56-0x00007FF696920000-0x00007FF696D11000-memory.dmp	xmrig
behavioral2/memory/3200-1960-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp	xmrig
behavioral2/memory/5092-1961-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp	xmrig
behavioral2/memory/3300-1967-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp	xmrig
behavioral2/memory/996-1995-0x00007FF79F250000-0x00007FF79F641000-memory.dmp	xmrig
behavioral2/memory/2664-1996-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp	xmrig
behavioral2/memory/4704-1997-0x00007FF623240000-0x00007FF623631000-memory.dmp	xmrig
behavioral2/memory/1808-1998-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp	xmrig
behavioral2/memory/1656-2000-0x00007FF61C020000-0x00007FF61C411000-memory.dmp	xmrig
behavioral2/memory/3200-2003-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp	xmrig
behavioral2/memory/5092-2005-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp	xmrig
behavioral2/memory/3300-2007-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp	xmrig
behavioral2/memory/996-2042-0x00007FF79F250000-0x00007FF79F641000-memory.dmp	xmrig
behavioral2/memory/2664-2046-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp	xmrig
behavioral2/memory/5052-2056-0x00007FF696920000-0x00007FF696D11000-memory.dmp	xmrig
behavioral2/memory/3572-2054-0x00007FF795680000-0x00007FF795A71000-memory.dmp	xmrig
behavioral2/memory/2372-2060-0x00007FF610430000-0x00007FF610821000-memory.dmp	xmrig
behavioral2/memory/2744-2058-0x00007FF71F1B0000-0x00007FF71F5A1000-memory.dmp	xmrig
behavioral2/memory/2980-2052-0x00007FF612640000-0x00007FF612A31000-memory.dmp	xmrig
behavioral2/memory/4704-2048-0x00007FF623240000-0x00007FF623631000-memory.dmp	xmrig
behavioral2/memory/2800-2050-0x00007FF662530000-0x00007FF662921000-memory.dmp	xmrig
behavioral2/memory/4528-2062-0x00007FF6B1C50000-0x00007FF6B2041000-memory.dmp	xmrig
behavioral2/memory/3420-2064-0x00007FF6339A0000-0x00007FF633D91000-memory.dmp	xmrig
behavioral2/memory/5068-2066-0x00007FF6C92C0000-0x00007FF6C96B1000-memory.dmp	xmrig
behavioral2/memory/4948-2098-0x00007FF6A5970000-0x00007FF6A5D61000-memory.dmp	xmrig
behavioral2/memory/2264-2070-0x00007FF69B1F0000-0x00007FF69B5E1000-memory.dmp	xmrig
behavioral2/memory/452-2093-0x00007FF799570000-0x00007FF799961000-memory.dmp	xmrig
behavioral2/memory/1300-2091-0x00007FF7ED2F0000-0x00007FF7ED6E1000-memory.dmp	xmrig
behavioral2/memory/3432-2080-0x00007FF6A6040000-0x00007FF6A6431000-memory.dmp	xmrig
behavioral2/memory/2864-2069-0x00007FF730200000-0x00007FF7305F1000-memory.dmp	xmrig
behavioral2/memory/3132-2088-0x00007FF72B2E0000-0x00007FF72B6D1000-memory.dmp	xmrig
behavioral2/memory/1836-2084-0x00007FF719B10000-0x00007FF719F01000-memory.dmp	xmrig
behavioral2/memory/1808-2211-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3200	AsMGkff.exe
5092	JpjuukC.exe
3300	UXwhLbZ.exe
996	ohVbfVr.exe
2664	uKQbEJb.exe
4704	PJoPKCB.exe
2980	ydOjYoa.exe
5052	AapTbKU.exe
1808	qEbVksq.exe
3572	fQXPeko.exe
2800	FnHJYAK.exe
2372	PMudDGs.exe
2744	SUJFeKt.exe
4528	yYiKGnN.exe
3420	vtVtuwg.exe
2264	YXDVqCc.exe
5068	YDvILaG.exe
2864	TUJgTaZ.exe
452	KXZklzZ.exe
1300	ioTbZFX.exe
4948	bXoZWaM.exe
1836	sSqroHT.exe
3432	djfCrTI.exe
3132	XNdySUM.exe
4556	XsdFOWT.exe
2964	cuOQYmU.exe
3552	qOsPGxS.exe
2628	VxOFbmj.exe
4300	YwrDKtQ.exe
2996	dcCSzPT.exe
2436	JCRzuqc.exe
1856	jZGoEpH.exe
2280	qTEHoqd.exe
4436	IgaMtXx.exe
3528	KIzDpSM.exe
4204	RDWPTOC.exe
1376	LbihQSx.exe
3644	lKujDZB.exe
640	iIYaOSW.exe
4508	wzZhimL.exe
3652	lRNUASs.exe
2780	CDtnGoQ.exe
3984	sWBaAuu.exe
376	urGQYqK.exe
2384	GXnJClh.exe
2824	LykNkiq.exe
2276	WzRgaZC.exe
908	vTYrFHB.exe
1948	MsyfqvQ.exe
4616	FmrCHJg.exe
2840	YrlUGDV.exe
4448	VVdSZOe.exe
3000	RCYfyHE.exe
1896	rdXyXFv.exe
856	VIbvPtr.exe
2788	DJxZHIP.exe
4612	YZLBKuk.exe
4420	qHIzqRY.exe
4416	VvRIcWe.exe
2660	iQaBwDh.exe
2008	rGdYEJw.exe
4792	sYWTahm.exe
5088	pOwEylW.exe
4452	OccjuJx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-0-0x00007FF61C020000-0x00007FF61C411000-memory.dmp	upx
behavioral2/files/0x0007000000023463-9.dat	upx
behavioral2/memory/3300-18-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp	upx
behavioral2/files/0x0008000000023462-16.dat	upx
behavioral2/memory/5092-15-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp	upx
behavioral2/files/0x0005000000022f58-7.dat	upx
behavioral2/memory/3200-6-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp	upx
behavioral2/files/0x0007000000023464-23.dat	upx
behavioral2/files/0x0007000000023465-27.dat	upx
behavioral2/memory/996-28-0x00007FF79F250000-0x00007FF79F641000-memory.dmp	upx
behavioral2/files/0x0008000000023460-34.dat	upx
behavioral2/files/0x0007000000023467-44.dat	upx
behavioral2/memory/2980-53-0x00007FF612640000-0x00007FF612A31000-memory.dmp	upx
behavioral2/files/0x0007000000023469-62.dat	upx
behavioral2/files/0x000700000002346a-64.dat	upx
behavioral2/files/0x000700000002346e-82.dat	upx
behavioral2/files/0x0007000000023472-104.dat	upx
behavioral2/files/0x0007000000023474-114.dat	upx
behavioral2/files/0x0007000000023479-139.dat	upx
behavioral2/files/0x000700000002347c-154.dat	upx
behavioral2/memory/3572-531-0x00007FF795680000-0x00007FF795A71000-memory.dmp	upx
behavioral2/memory/2800-532-0x00007FF662530000-0x00007FF662921000-memory.dmp	upx
behavioral2/memory/2372-534-0x00007FF610430000-0x00007FF610821000-memory.dmp	upx
behavioral2/memory/4528-542-0x00007FF6B1C50000-0x00007FF6B2041000-memory.dmp	upx
behavioral2/memory/2264-548-0x00007FF69B1F0000-0x00007FF69B5E1000-memory.dmp	upx
behavioral2/memory/5068-552-0x00007FF6C92C0000-0x00007FF6C96B1000-memory.dmp	upx
behavioral2/memory/2864-562-0x00007FF730200000-0x00007FF7305F1000-memory.dmp	upx
behavioral2/memory/452-571-0x00007FF799570000-0x00007FF799961000-memory.dmp	upx
behavioral2/memory/4948-578-0x00007FF6A5970000-0x00007FF6A5D61000-memory.dmp	upx
behavioral2/memory/3132-587-0x00007FF72B2E0000-0x00007FF72B6D1000-memory.dmp	upx
behavioral2/memory/3432-581-0x00007FF6A6040000-0x00007FF6A6431000-memory.dmp	upx
behavioral2/memory/1836-580-0x00007FF719B10000-0x00007FF719F01000-memory.dmp	upx
behavioral2/memory/1300-575-0x00007FF7ED2F0000-0x00007FF7ED6E1000-memory.dmp	upx
behavioral2/memory/3420-545-0x00007FF6339A0000-0x00007FF633D91000-memory.dmp	upx
behavioral2/memory/2744-539-0x00007FF71F1B0000-0x00007FF71F5A1000-memory.dmp	upx
behavioral2/files/0x000700000002347f-169.dat	upx
behavioral2/files/0x000700000002347e-164.dat	upx
behavioral2/files/0x000700000002347d-159.dat	upx
behavioral2/files/0x000700000002347b-149.dat	upx
behavioral2/files/0x000700000002347a-144.dat	upx
behavioral2/files/0x0007000000023478-134.dat	upx
behavioral2/files/0x0007000000023477-129.dat	upx
behavioral2/files/0x0007000000023476-124.dat	upx
behavioral2/files/0x0007000000023475-119.dat	upx
behavioral2/files/0x0007000000023473-109.dat	upx
behavioral2/files/0x0007000000023471-99.dat	upx
behavioral2/files/0x0007000000023470-94.dat	upx
behavioral2/files/0x000700000002346f-89.dat	upx
behavioral2/files/0x000700000002346d-79.dat	upx
behavioral2/files/0x000700000002346c-74.dat	upx
behavioral2/files/0x000700000002346b-69.dat	upx
behavioral2/memory/1808-57-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp	upx
behavioral2/memory/5052-56-0x00007FF696920000-0x00007FF696D11000-memory.dmp	upx
behavioral2/files/0x0007000000023468-52.dat	upx
behavioral2/files/0x0007000000023466-49.dat	upx
behavioral2/memory/4704-37-0x00007FF623240000-0x00007FF623631000-memory.dmp	upx
behavioral2/memory/2664-33-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp	upx
behavioral2/memory/3200-1960-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp	upx
behavioral2/memory/5092-1961-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp	upx
behavioral2/memory/3300-1967-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp	upx
behavioral2/memory/996-1995-0x00007FF79F250000-0x00007FF79F641000-memory.dmp	upx
behavioral2/memory/2664-1996-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp	upx
behavioral2/memory/4704-1997-0x00007FF623240000-0x00007FF623631000-memory.dmp	upx
behavioral2/memory/1808-1998-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\qrpaVex.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\LwERvlY.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\RKNpVSv.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\CEWRjZc.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\jfhPkhe.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\FmrCHJg.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\rGdYEJw.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\wPAcFQM.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\IFgBnKX.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\dLvSfXa.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\mehpojE.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\UXwhLbZ.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\fQXPeko.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XTHWvdq.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\wZlXIlW.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\HJwfllK.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ujkuObZ.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ioTbZFX.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\vTYrFHB.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\AxskwEj.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\iRTeMWY.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ohVbfVr.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\RDWPTOC.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BEzZAlG.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\GXuCfem.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\gghPoMM.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\WiIHVeO.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\VOvDhfS.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KuKMKNv.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\urGQYqK.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\OccjuJx.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\HlZUcsS.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xPNnYcj.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ojzLtxL.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ozTJLmt.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\UszkacO.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\AapTbKU.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\FnHJYAK.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\lKujDZB.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\THNywgT.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ChdVLLI.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\TrOEUew.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\jZJcPBY.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\oHIFhiF.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\YNAdBrp.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\tBuiHlu.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uPtWRln.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BSjKuGO.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\dYNJgTM.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\YZLBKuk.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\FicYgSk.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\tvfqmIP.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ohbRhXR.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\OeUHyEo.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\yrOkNIk.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\jBBSNws.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uKQbEJb.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\VxOFbmj.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\eVfvbTW.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BZXGwAA.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\GFAHHpA.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XGHxhQN.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\zpyQzUm.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xGKAusg.exe	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	988	dwm.exe
Token: SeChangeNotifyPrivilege	988	dwm.exe
Token: 33	988	dwm.exe
Token: SeIncBasePriorityPrivilege	988	dwm.exe
Token: SeShutdownPrivilege	988	dwm.exe
Token: SeCreatePagefilePrivilege	988	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3200	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	83
PID 1656 wrote to memory of 3200	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	83
PID 1656 wrote to memory of 5092	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	84
PID 1656 wrote to memory of 5092	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	84
PID 1656 wrote to memory of 3300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	85
PID 1656 wrote to memory of 3300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	85
PID 1656 wrote to memory of 996	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	86
PID 1656 wrote to memory of 996	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	86
PID 1656 wrote to memory of 2664	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	87
PID 1656 wrote to memory of 2664	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	87
PID 1656 wrote to memory of 4704	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	88
PID 1656 wrote to memory of 4704	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	88
PID 1656 wrote to memory of 2980	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	90
PID 1656 wrote to memory of 2980	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	90
PID 1656 wrote to memory of 5052	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	91
PID 1656 wrote to memory of 5052	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	91
PID 1656 wrote to memory of 1808	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	92
PID 1656 wrote to memory of 1808	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	92
PID 1656 wrote to memory of 3572	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	93
PID 1656 wrote to memory of 3572	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	93
PID 1656 wrote to memory of 2800	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	94
PID 1656 wrote to memory of 2800	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	94
PID 1656 wrote to memory of 2372	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	95
PID 1656 wrote to memory of 2372	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	95
PID 1656 wrote to memory of 2744	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	96
PID 1656 wrote to memory of 2744	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	96
PID 1656 wrote to memory of 4528	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	97
PID 1656 wrote to memory of 4528	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	97
PID 1656 wrote to memory of 3420	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	98
PID 1656 wrote to memory of 3420	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	98
PID 1656 wrote to memory of 2264	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	99
PID 1656 wrote to memory of 2264	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	99
PID 1656 wrote to memory of 5068	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	100
PID 1656 wrote to memory of 5068	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	100
PID 1656 wrote to memory of 2864	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	101
PID 1656 wrote to memory of 2864	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	101
PID 1656 wrote to memory of 452	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	102
PID 1656 wrote to memory of 452	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	102
PID 1656 wrote to memory of 1300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	103
PID 1656 wrote to memory of 1300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	103
PID 1656 wrote to memory of 4948	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	104
PID 1656 wrote to memory of 4948	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	104
PID 1656 wrote to memory of 1836	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	105
PID 1656 wrote to memory of 1836	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	105
PID 1656 wrote to memory of 3432	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	106
PID 1656 wrote to memory of 3432	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	106
PID 1656 wrote to memory of 3132	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	107
PID 1656 wrote to memory of 3132	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	107
PID 1656 wrote to memory of 4556	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	108
PID 1656 wrote to memory of 4556	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	108
PID 1656 wrote to memory of 2964	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	109
PID 1656 wrote to memory of 2964	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	109
PID 1656 wrote to memory of 3552	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	110
PID 1656 wrote to memory of 3552	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	110
PID 1656 wrote to memory of 2628	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	111
PID 1656 wrote to memory of 2628	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	111
PID 1656 wrote to memory of 4300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	112
PID 1656 wrote to memory of 4300	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	112
PID 1656 wrote to memory of 2996	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	113
PID 1656 wrote to memory of 2996	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	113
PID 1656 wrote to memory of 2436	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	114
PID 1656 wrote to memory of 2436	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	114
PID 1656 wrote to memory of 1856	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	115
PID 1656 wrote to memory of 1856	1656	11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11ff47505f3429cdc1a0989036fbc9f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\System32\AsMGkff.exe
  C:\Windows\System32\AsMGkff.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System32\JpjuukC.exe
  C:\Windows\System32\JpjuukC.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\UXwhLbZ.exe
  C:\Windows\System32\UXwhLbZ.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\ohVbfVr.exe
  C:\Windows\System32\ohVbfVr.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System32\uKQbEJb.exe
  C:\Windows\System32\uKQbEJb.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\PJoPKCB.exe
  C:\Windows\System32\PJoPKCB.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\ydOjYoa.exe
  C:\Windows\System32\ydOjYoa.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\AapTbKU.exe
  C:\Windows\System32\AapTbKU.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\qEbVksq.exe
  C:\Windows\System32\qEbVksq.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System32\fQXPeko.exe
  C:\Windows\System32\fQXPeko.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\FnHJYAK.exe
  C:\Windows\System32\FnHJYAK.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\PMudDGs.exe
  C:\Windows\System32\PMudDGs.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\SUJFeKt.exe
  C:\Windows\System32\SUJFeKt.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\yYiKGnN.exe
  C:\Windows\System32\yYiKGnN.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System32\vtVtuwg.exe
  C:\Windows\System32\vtVtuwg.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\YXDVqCc.exe
  C:\Windows\System32\YXDVqCc.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\YDvILaG.exe
  C:\Windows\System32\YDvILaG.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\TUJgTaZ.exe
  C:\Windows\System32\TUJgTaZ.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\KXZklzZ.exe
  C:\Windows\System32\KXZklzZ.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\ioTbZFX.exe
  C:\Windows\System32\ioTbZFX.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\bXoZWaM.exe
  C:\Windows\System32\bXoZWaM.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\sSqroHT.exe
  C:\Windows\System32\sSqroHT.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\djfCrTI.exe
  C:\Windows\System32\djfCrTI.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\XNdySUM.exe
  C:\Windows\System32\XNdySUM.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System32\XsdFOWT.exe
  C:\Windows\System32\XsdFOWT.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\cuOQYmU.exe
  C:\Windows\System32\cuOQYmU.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\qOsPGxS.exe
  C:\Windows\System32\qOsPGxS.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\VxOFbmj.exe
  C:\Windows\System32\VxOFbmj.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\YwrDKtQ.exe
  C:\Windows\System32\YwrDKtQ.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\dcCSzPT.exe
  C:\Windows\System32\dcCSzPT.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\JCRzuqc.exe
  C:\Windows\System32\JCRzuqc.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\jZGoEpH.exe
  C:\Windows\System32\jZGoEpH.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\qTEHoqd.exe
  C:\Windows\System32\qTEHoqd.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System32\IgaMtXx.exe
  C:\Windows\System32\IgaMtXx.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\KIzDpSM.exe
  C:\Windows\System32\KIzDpSM.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\RDWPTOC.exe
  C:\Windows\System32\RDWPTOC.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\LbihQSx.exe
  C:\Windows\System32\LbihQSx.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\lKujDZB.exe
  C:\Windows\System32\lKujDZB.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\iIYaOSW.exe
  C:\Windows\System32\iIYaOSW.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\wzZhimL.exe
  C:\Windows\System32\wzZhimL.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\lRNUASs.exe
  C:\Windows\System32\lRNUASs.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\CDtnGoQ.exe
  C:\Windows\System32\CDtnGoQ.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System32\sWBaAuu.exe
  C:\Windows\System32\sWBaAuu.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\urGQYqK.exe
  C:\Windows\System32\urGQYqK.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System32\GXnJClh.exe
  C:\Windows\System32\GXnJClh.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\LykNkiq.exe
  C:\Windows\System32\LykNkiq.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\WzRgaZC.exe
  C:\Windows\System32\WzRgaZC.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\vTYrFHB.exe
  C:\Windows\System32\vTYrFHB.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\MsyfqvQ.exe
  C:\Windows\System32\MsyfqvQ.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\FmrCHJg.exe
  C:\Windows\System32\FmrCHJg.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\YrlUGDV.exe
  C:\Windows\System32\YrlUGDV.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\VVdSZOe.exe
  C:\Windows\System32\VVdSZOe.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\RCYfyHE.exe
  C:\Windows\System32\RCYfyHE.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\rdXyXFv.exe
  C:\Windows\System32\rdXyXFv.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System32\VIbvPtr.exe
  C:\Windows\System32\VIbvPtr.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\DJxZHIP.exe
  C:\Windows\System32\DJxZHIP.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\YZLBKuk.exe
  C:\Windows\System32\YZLBKuk.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\qHIzqRY.exe
  C:\Windows\System32\qHIzqRY.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\VvRIcWe.exe
  C:\Windows\System32\VvRIcWe.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\iQaBwDh.exe
  C:\Windows\System32\iQaBwDh.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\rGdYEJw.exe
  C:\Windows\System32\rGdYEJw.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\sYWTahm.exe
  C:\Windows\System32\sYWTahm.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\pOwEylW.exe
  C:\Windows\System32\pOwEylW.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\OccjuJx.exe
  C:\Windows\System32\OccjuJx.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\XqYonCI.exe
  C:\Windows\System32\XqYonCI.exe
  2⤵
  PID:1488
- C:\Windows\System32\WWpsIgs.exe
  C:\Windows\System32\WWpsIgs.exe
  2⤵
  PID:2956
- C:\Windows\System32\WKaRiBA.exe
  C:\Windows\System32\WKaRiBA.exe
  2⤵
  PID:4580
- C:\Windows\System32\phbIXaN.exe
  C:\Windows\System32\phbIXaN.exe
  2⤵
  PID:3276
- C:\Windows\System32\POflHbH.exe
  C:\Windows\System32\POflHbH.exe
  2⤵
  PID:3988
- C:\Windows\System32\mTPEWKe.exe
  C:\Windows\System32\mTPEWKe.exe
  2⤵
  PID:4520
- C:\Windows\System32\IGqniiH.exe
  C:\Windows\System32\IGqniiH.exe
  2⤵
  PID:2376
- C:\Windows\System32\ecYMXVt.exe
  C:\Windows\System32\ecYMXVt.exe
  2⤵
  PID:5048
- C:\Windows\System32\EndtMgL.exe
  C:\Windows\System32\EndtMgL.exe
  2⤵
  PID:3964
- C:\Windows\System32\EqoCKfq.exe
  C:\Windows\System32\EqoCKfq.exe
  2⤵
  PID:2288
- C:\Windows\System32\VvauIwD.exe
  C:\Windows\System32\VvauIwD.exe
  2⤵
  PID:3952
- C:\Windows\System32\gghPoMM.exe
  C:\Windows\System32\gghPoMM.exe
  2⤵
  PID:4924
- C:\Windows\System32\hYFLlSh.exe
  C:\Windows\System32\hYFLlSh.exe
  2⤵
  PID:3264
- C:\Windows\System32\rJPGmQY.exe
  C:\Windows\System32\rJPGmQY.exe
  2⤵
  PID:4440
- C:\Windows\System32\ugWuHiv.exe
  C:\Windows\System32\ugWuHiv.exe
  2⤵
  PID:4444
- C:\Windows\System32\HketQdI.exe
  C:\Windows\System32\HketQdI.exe
  2⤵
  PID:4012
- C:\Windows\System32\grDwKBg.exe
  C:\Windows\System32\grDwKBg.exe
  2⤵
  PID:456
- C:\Windows\System32\YNAdBrp.exe
  C:\Windows\System32\YNAdBrp.exe
  2⤵
  PID:644
- C:\Windows\System32\CEWRjZc.exe
  C:\Windows\System32\CEWRjZc.exe
  2⤵
  PID:2128
- C:\Windows\System32\JjgbyMJ.exe
  C:\Windows\System32\JjgbyMJ.exe
  2⤵
  PID:4684
- C:\Windows\System32\TNMaFuZ.exe
  C:\Windows\System32\TNMaFuZ.exe
  2⤵
  PID:1472
- C:\Windows\System32\SBCaknd.exe
  C:\Windows\System32\SBCaknd.exe
  2⤵
  PID:3628
- C:\Windows\System32\wOtRjGc.exe
  C:\Windows\System32\wOtRjGc.exe
  2⤵
  PID:2932
- C:\Windows\System32\FbGWTQX.exe
  C:\Windows\System32\FbGWTQX.exe
  2⤵
  PID:1348
- C:\Windows\System32\epJUnrB.exe
  C:\Windows\System32\epJUnrB.exe
  2⤵
  PID:4976
- C:\Windows\System32\raRMaHl.exe
  C:\Windows\System32\raRMaHl.exe
  2⤵
  PID:3960
- C:\Windows\System32\YztZvFB.exe
  C:\Windows\System32\YztZvFB.exe
  2⤵
  PID:4656
- C:\Windows\System32\DTzySIx.exe
  C:\Windows\System32\DTzySIx.exe
  2⤵
  PID:5136
- C:\Windows\System32\zYkBuLq.exe
  C:\Windows\System32\zYkBuLq.exe
  2⤵
  PID:5176
- C:\Windows\System32\Wnxzbpt.exe
  C:\Windows\System32\Wnxzbpt.exe
  2⤵
  PID:5200
- C:\Windows\System32\YGnhQPI.exe
  C:\Windows\System32\YGnhQPI.exe
  2⤵
  PID:5228
- C:\Windows\System32\EEVrHNM.exe
  C:\Windows\System32\EEVrHNM.exe
  2⤵
  PID:5248
- C:\Windows\System32\rGfGByT.exe
  C:\Windows\System32\rGfGByT.exe
  2⤵
  PID:5276
- C:\Windows\System32\viVXGtV.exe
  C:\Windows\System32\viVXGtV.exe
  2⤵
  PID:5304
- C:\Windows\System32\aENhvCB.exe
  C:\Windows\System32\aENhvCB.exe
  2⤵
  PID:5332
- C:\Windows\System32\DnIMpUh.exe
  C:\Windows\System32\DnIMpUh.exe
  2⤵
  PID:5360
- C:\Windows\System32\BmgfdIt.exe
  C:\Windows\System32\BmgfdIt.exe
  2⤵
  PID:5388
- C:\Windows\System32\JUpmlOq.exe
  C:\Windows\System32\JUpmlOq.exe
  2⤵
  PID:5416
- C:\Windows\System32\EDCwwrm.exe
  C:\Windows\System32\EDCwwrm.exe
  2⤵
  PID:5444
- C:\Windows\System32\NKmfivK.exe
  C:\Windows\System32\NKmfivK.exe
  2⤵
  PID:5480
- C:\Windows\System32\uaKUlWj.exe
  C:\Windows\System32\uaKUlWj.exe
  2⤵
  PID:5500
- C:\Windows\System32\vxlRLLa.exe
  C:\Windows\System32\vxlRLLa.exe
  2⤵
  PID:5528
- C:\Windows\System32\ttSzFWv.exe
  C:\Windows\System32\ttSzFWv.exe
  2⤵
  PID:5556
- C:\Windows\System32\DQLljHJ.exe
  C:\Windows\System32\DQLljHJ.exe
  2⤵
  PID:5592
- C:\Windows\System32\nEvNofD.exe
  C:\Windows\System32\nEvNofD.exe
  2⤵
  PID:5612
- C:\Windows\System32\zdLTMaQ.exe
  C:\Windows\System32\zdLTMaQ.exe
  2⤵
  PID:5640
- C:\Windows\System32\KLCuSPJ.exe
  C:\Windows\System32\KLCuSPJ.exe
  2⤵
  PID:5668
- C:\Windows\System32\qrpaVex.exe
  C:\Windows\System32\qrpaVex.exe
  2⤵
  PID:5696
- C:\Windows\System32\MsOTLXD.exe
  C:\Windows\System32\MsOTLXD.exe
  2⤵
  PID:5724
- C:\Windows\System32\BEzZAlG.exe
  C:\Windows\System32\BEzZAlG.exe
  2⤵
  PID:5760
- C:\Windows\System32\eVfvbTW.exe
  C:\Windows\System32\eVfvbTW.exe
  2⤵
  PID:5780
- C:\Windows\System32\tnSTVeN.exe
  C:\Windows\System32\tnSTVeN.exe
  2⤵
  PID:5808
- C:\Windows\System32\CbKgGSs.exe
  C:\Windows\System32\CbKgGSs.exe
  2⤵
  PID:5836
- C:\Windows\System32\TIrtSae.exe
  C:\Windows\System32\TIrtSae.exe
  2⤵
  PID:5864
- C:\Windows\System32\bVvALOq.exe
  C:\Windows\System32\bVvALOq.exe
  2⤵
  PID:5892
- C:\Windows\System32\zfbDXec.exe
  C:\Windows\System32\zfbDXec.exe
  2⤵
  PID:5920
- C:\Windows\System32\GXuCfem.exe
  C:\Windows\System32\GXuCfem.exe
  2⤵
  PID:5948
- C:\Windows\System32\FhLTtql.exe
  C:\Windows\System32\FhLTtql.exe
  2⤵
  PID:5976
- C:\Windows\System32\aOVCfNm.exe
  C:\Windows\System32\aOVCfNm.exe
  2⤵
  PID:6004
- C:\Windows\System32\nPdskNG.exe
  C:\Windows\System32\nPdskNG.exe
  2⤵
  PID:6028
- C:\Windows\System32\xGKAusg.exe
  C:\Windows\System32\xGKAusg.exe
  2⤵
  PID:6060
- C:\Windows\System32\FGHjnuP.exe
  C:\Windows\System32\FGHjnuP.exe
  2⤵
  PID:6088
- C:\Windows\System32\VGSGJDX.exe
  C:\Windows\System32\VGSGJDX.exe
  2⤵
  PID:6124
- C:\Windows\System32\ICRpSpr.exe
  C:\Windows\System32\ICRpSpr.exe
  2⤵
  PID:4380
- C:\Windows\System32\JFnQmIS.exe
  C:\Windows\System32\JFnQmIS.exe
  2⤵
  PID:3948
- C:\Windows\System32\HlZUcsS.exe
  C:\Windows\System32\HlZUcsS.exe
  2⤵
  PID:4788
- C:\Windows\System32\xPNnYcj.exe
  C:\Windows\System32\xPNnYcj.exe
  2⤵
  PID:3560
- C:\Windows\System32\lNVNXhy.exe
  C:\Windows\System32\lNVNXhy.exe
  2⤵
  PID:1612
- C:\Windows\System32\agwTpub.exe
  C:\Windows\System32\agwTpub.exe
  2⤵
  PID:5152
- C:\Windows\System32\bKqfLNI.exe
  C:\Windows\System32\bKqfLNI.exe
  2⤵
  PID:5244
- C:\Windows\System32\FPWQhhF.exe
  C:\Windows\System32\FPWQhhF.exe
  2⤵
  PID:5300
- C:\Windows\System32\ggiHKUm.exe
  C:\Windows\System32\ggiHKUm.exe
  2⤵
  PID:1668
- C:\Windows\System32\MePrFHA.exe
  C:\Windows\System32\MePrFHA.exe
  2⤵
  PID:5400
- C:\Windows\System32\rXAclhY.exe
  C:\Windows\System32\rXAclhY.exe
  2⤵
  PID:5476
- C:\Windows\System32\qNWeqxX.exe
  C:\Windows\System32\qNWeqxX.exe
  2⤵
  PID:5516
- C:\Windows\System32\UovXbAJ.exe
  C:\Windows\System32\UovXbAJ.exe
  2⤵
  PID:5588
- C:\Windows\System32\caiZnNh.exe
  C:\Windows\System32\caiZnNh.exe
  2⤵
  PID:5652
- C:\Windows\System32\ubceWPl.exe
  C:\Windows\System32\ubceWPl.exe
  2⤵
  PID:5708
- C:\Windows\System32\ojzLtxL.exe
  C:\Windows\System32\ojzLtxL.exe
  2⤵
  PID:5776
- C:\Windows\System32\FfGbOMo.exe
  C:\Windows\System32\FfGbOMo.exe
  2⤵
  PID:5844
- C:\Windows\System32\JqbYiNE.exe
  C:\Windows\System32\JqbYiNE.exe
  2⤵
  PID:5904
- C:\Windows\System32\yktVOZV.exe
  C:\Windows\System32\yktVOZV.exe
  2⤵
  PID:5960
- C:\Windows\System32\THNywgT.exe
  C:\Windows\System32\THNywgT.exe
  2⤵
  PID:6024
- C:\Windows\System32\fyJYtUY.exe
  C:\Windows\System32\fyJYtUY.exe
  2⤵
  PID:6084
- C:\Windows\System32\tBuiHlu.exe
  C:\Windows\System32\tBuiHlu.exe
  2⤵
  PID:6104
- C:\Windows\System32\AMWzYlF.exe
  C:\Windows\System32\AMWzYlF.exe
  2⤵
  PID:2244
- C:\Windows\System32\udOEfax.exe
  C:\Windows\System32\udOEfax.exe
  2⤵
  PID:3084
- C:\Windows\System32\MqZqChS.exe
  C:\Windows\System32\MqZqChS.exe
  2⤵
  PID:5160
- C:\Windows\System32\zZJoxqG.exe
  C:\Windows\System32\zZJoxqG.exe
  2⤵
  PID:5264
- C:\Windows\System32\anTnLxF.exe
  C:\Windows\System32\anTnLxF.exe
  2⤵
  PID:1912
- C:\Windows\System32\BZXGwAA.exe
  C:\Windows\System32\BZXGwAA.exe
  2⤵
  PID:5084
- C:\Windows\System32\PZEYepY.exe
  C:\Windows\System32\PZEYepY.exe
  2⤵
  PID:444
- C:\Windows\System32\vZnLQYk.exe
  C:\Windows\System32\vZnLQYk.exe
  2⤵
  PID:5408
- C:\Windows\System32\aXkSNQs.exe
  C:\Windows\System32\aXkSNQs.exe
  2⤵
  PID:5432
- C:\Windows\System32\JKJcumG.exe
  C:\Windows\System32\JKJcumG.exe
  2⤵
  PID:2332
- C:\Windows\System32\yKagghh.exe
  C:\Windows\System32\yKagghh.exe
  2⤵
  PID:1516
- C:\Windows\System32\mEKWXEe.exe
  C:\Windows\System32\mEKWXEe.exe
  2⤵
  PID:5856
- C:\Windows\System32\Pzypxbk.exe
  C:\Windows\System32\Pzypxbk.exe
  2⤵
  PID:5908
- C:\Windows\System32\zKFlJrq.exe
  C:\Windows\System32\zKFlJrq.exe
  2⤵
  PID:5988
- C:\Windows\System32\BLOvYIv.exe
  C:\Windows\System32\BLOvYIv.exe
  2⤵
  PID:2472
- C:\Windows\System32\YfUwAPx.exe
  C:\Windows\System32\YfUwAPx.exe
  2⤵
  PID:5216
- C:\Windows\System32\ozTJLmt.exe
  C:\Windows\System32\ozTJLmt.exe
  2⤵
  PID:2572
- C:\Windows\System32\FicYgSk.exe
  C:\Windows\System32\FicYgSk.exe
  2⤵
  PID:5796
- C:\Windows\System32\tbYsokF.exe
  C:\Windows\System32\tbYsokF.exe
  2⤵
  PID:5688
- C:\Windows\System32\yrOkNIk.exe
  C:\Windows\System32\yrOkNIk.exe
  2⤵
  PID:3316
- C:\Windows\System32\atfXwGD.exe
  C:\Windows\System32\atfXwGD.exe
  2⤵
  PID:1060
- C:\Windows\System32\SSBuNDD.exe
  C:\Windows\System32\SSBuNDD.exe
  2⤵
  PID:5944
- C:\Windows\System32\KSbsdet.exe
  C:\Windows\System32\KSbsdet.exe
  2⤵
  PID:6168
- C:\Windows\System32\JiVwZZp.exe
  C:\Windows\System32\JiVwZZp.exe
  2⤵
  PID:6192
- C:\Windows\System32\BNOaUMf.exe
  C:\Windows\System32\BNOaUMf.exe
  2⤵
  PID:6224
- C:\Windows\System32\GizsqYG.exe
  C:\Windows\System32\GizsqYG.exe
  2⤵
  PID:6248
- C:\Windows\System32\NScAkpl.exe
  C:\Windows\System32\NScAkpl.exe
  2⤵
  PID:6276
- C:\Windows\System32\nbaYBhk.exe
  C:\Windows\System32\nbaYBhk.exe
  2⤵
  PID:6308
- C:\Windows\System32\UwZrwpv.exe
  C:\Windows\System32\UwZrwpv.exe
  2⤵
  PID:6336
- C:\Windows\System32\VtelHkb.exe
  C:\Windows\System32\VtelHkb.exe
  2⤵
  PID:6364
- C:\Windows\System32\wKukabm.exe
  C:\Windows\System32\wKukabm.exe
  2⤵
  PID:6388
- C:\Windows\System32\EjHkNed.exe
  C:\Windows\System32\EjHkNed.exe
  2⤵
  PID:6420
- C:\Windows\System32\yPXeYhi.exe
  C:\Windows\System32\yPXeYhi.exe
  2⤵
  PID:6444
- C:\Windows\System32\smSmrWi.exe
  C:\Windows\System32\smSmrWi.exe
  2⤵
  PID:6472
- C:\Windows\System32\MwHEGFg.exe
  C:\Windows\System32\MwHEGFg.exe
  2⤵
  PID:6504
- C:\Windows\System32\CyclZAV.exe
  C:\Windows\System32\CyclZAV.exe
  2⤵
  PID:6528
- C:\Windows\System32\xGvhfEp.exe
  C:\Windows\System32\xGvhfEp.exe
  2⤵
  PID:6556
- C:\Windows\System32\hsDyxNx.exe
  C:\Windows\System32\hsDyxNx.exe
  2⤵
  PID:6588
- C:\Windows\System32\jTrRgYs.exe
  C:\Windows\System32\jTrRgYs.exe
  2⤵
  PID:6616
- C:\Windows\System32\XVZPokz.exe
  C:\Windows\System32\XVZPokz.exe
  2⤵
  PID:6640
- C:\Windows\System32\wPAcFQM.exe
  C:\Windows\System32\wPAcFQM.exe
  2⤵
  PID:6672
- C:\Windows\System32\IPkNFDV.exe
  C:\Windows\System32\IPkNFDV.exe
  2⤵
  PID:6700
- C:\Windows\System32\uPtWRln.exe
  C:\Windows\System32\uPtWRln.exe
  2⤵
  PID:6728
- C:\Windows\System32\OEtkvrn.exe
  C:\Windows\System32\OEtkvrn.exe
  2⤵
  PID:6756
- C:\Windows\System32\dzyQuks.exe
  C:\Windows\System32\dzyQuks.exe
  2⤵
  PID:6780
- C:\Windows\System32\UbmZZia.exe
  C:\Windows\System32\UbmZZia.exe
  2⤵
  PID:6820
- C:\Windows\System32\rlncYSk.exe
  C:\Windows\System32\rlncYSk.exe
  2⤵
  PID:6840
- C:\Windows\System32\UszkacO.exe
  C:\Windows\System32\UszkacO.exe
  2⤵
  PID:6868
- C:\Windows\System32\QoxQndr.exe
  C:\Windows\System32\QoxQndr.exe
  2⤵
  PID:6896
- C:\Windows\System32\dExLIse.exe
  C:\Windows\System32\dExLIse.exe
  2⤵
  PID:6920
- C:\Windows\System32\IKFOnjL.exe
  C:\Windows\System32\IKFOnjL.exe
  2⤵
  PID:6952
- C:\Windows\System32\jhZfaMA.exe
  C:\Windows\System32\jhZfaMA.exe
  2⤵
  PID:6980
- C:\Windows\System32\eeQKPct.exe
  C:\Windows\System32\eeQKPct.exe
  2⤵
  PID:7004
- C:\Windows\System32\IFgBnKX.exe
  C:\Windows\System32\IFgBnKX.exe
  2⤵
  PID:7032
- C:\Windows\System32\yneQKOI.exe
  C:\Windows\System32\yneQKOI.exe
  2⤵
  PID:7064
- C:\Windows\System32\huoKfJN.exe
  C:\Windows\System32\huoKfJN.exe
  2⤵
  PID:7108
- C:\Windows\System32\cYpEjgP.exe
  C:\Windows\System32\cYpEjgP.exe
  2⤵
  PID:7148
- C:\Windows\System32\YGQGDHR.exe
  C:\Windows\System32\YGQGDHR.exe
  2⤵
  PID:6488
- C:\Windows\System32\JccVugs.exe
  C:\Windows\System32\JccVugs.exe
  2⤵
  PID:6552
- C:\Windows\System32\ZmCCOYO.exe
  C:\Windows\System32\ZmCCOYO.exe
  2⤵
  PID:6624
- C:\Windows\System32\YkEVlPc.exe
  C:\Windows\System32\YkEVlPc.exe
  2⤵
  PID:6684
- C:\Windows\System32\orpZzyG.exe
  C:\Windows\System32\orpZzyG.exe
  2⤵
  PID:6748
- C:\Windows\System32\DJJPsbW.exe
  C:\Windows\System32\DJJPsbW.exe
  2⤵
  PID:6816
- C:\Windows\System32\zwpOocW.exe
  C:\Windows\System32\zwpOocW.exe
  2⤵
  PID:6880
- C:\Windows\System32\EUxEddi.exe
  C:\Windows\System32\EUxEddi.exe
  2⤵
  PID:6916
- C:\Windows\System32\LwERvlY.exe
  C:\Windows\System32\LwERvlY.exe
  2⤵
  PID:6136
- C:\Windows\System32\PchcNig.exe
  C:\Windows\System32\PchcNig.exe
  2⤵
  PID:7060
- C:\Windows\System32\zSdlDoE.exe
  C:\Windows\System32\zSdlDoE.exe
  2⤵
  PID:7084
- C:\Windows\System32\CuulWLh.exe
  C:\Windows\System32\CuulWLh.exe
  2⤵
  PID:7116
- C:\Windows\System32\UezmLsf.exe
  C:\Windows\System32\UezmLsf.exe
  2⤵
  PID:7100
- C:\Windows\System32\iiwvaPi.exe
  C:\Windows\System32\iiwvaPi.exe
  2⤵
  PID:4576
- C:\Windows\System32\DJrjxqN.exe
  C:\Windows\System32\DJrjxqN.exe
  2⤵
  PID:6596
- C:\Windows\System32\BXSCHOk.exe
  C:\Windows\System32\BXSCHOk.exe
  2⤵
  PID:6000
- C:\Windows\System32\xnaYsvx.exe
  C:\Windows\System32\xnaYsvx.exe
  2⤵
  PID:6788
- C:\Windows\System32\JeMVoNm.exe
  C:\Windows\System32\JeMVoNm.exe
  2⤵
  PID:6852
- C:\Windows\System32\AHULyRf.exe
  C:\Windows\System32\AHULyRf.exe
  2⤵
  PID:6960
- C:\Windows\System32\TtwePFY.exe
  C:\Windows\System32\TtwePFY.exe
  2⤵
  PID:7080
- C:\Windows\System32\MeXdJTL.exe
  C:\Windows\System32\MeXdJTL.exe
  2⤵
  PID:6244
- C:\Windows\System32\kHDiHaN.exe
  C:\Windows\System32\kHDiHaN.exe
  2⤵
  PID:6044
- C:\Windows\System32\LmpEONY.exe
  C:\Windows\System32\LmpEONY.exe
  2⤵
  PID:7000
- C:\Windows\System32\ORWivgC.exe
  C:\Windows\System32\ORWivgC.exe
  2⤵
  PID:3024
- C:\Windows\System32\Apxtjnr.exe
  C:\Windows\System32\Apxtjnr.exe
  2⤵
  PID:6048
- C:\Windows\System32\bKccphY.exe
  C:\Windows\System32\bKccphY.exe
  2⤵
  PID:7176
- C:\Windows\System32\wMhWzcm.exe
  C:\Windows\System32\wMhWzcm.exe
  2⤵
  PID:7200
- C:\Windows\System32\pXToLJE.exe
  C:\Windows\System32\pXToLJE.exe
  2⤵
  PID:7232
- C:\Windows\System32\UmSFgUH.exe
  C:\Windows\System32\UmSFgUH.exe
  2⤵
  PID:7264
- C:\Windows\System32\swPLBAj.exe
  C:\Windows\System32\swPLBAj.exe
  2⤵
  PID:7324
- C:\Windows\System32\vUwGAea.exe
  C:\Windows\System32\vUwGAea.exe
  2⤵
  PID:7352
- C:\Windows\System32\jBBSNws.exe
  C:\Windows\System32\jBBSNws.exe
  2⤵
  PID:7376
- C:\Windows\System32\jRbbGyV.exe
  C:\Windows\System32\jRbbGyV.exe
  2⤵
  PID:7408
- C:\Windows\System32\xqBetgB.exe
  C:\Windows\System32\xqBetgB.exe
  2⤵
  PID:7428
- C:\Windows\System32\tbtjopq.exe
  C:\Windows\System32\tbtjopq.exe
  2⤵
  PID:7452
- C:\Windows\System32\ROtIvBc.exe
  C:\Windows\System32\ROtIvBc.exe
  2⤵
  PID:7492
- C:\Windows\System32\tvfqmIP.exe
  C:\Windows\System32\tvfqmIP.exe
  2⤵
  PID:7516
- C:\Windows\System32\GNGPnfg.exe
  C:\Windows\System32\GNGPnfg.exe
  2⤵
  PID:7536
- C:\Windows\System32\KogTzxF.exe
  C:\Windows\System32\KogTzxF.exe
  2⤵
  PID:7560
- C:\Windows\System32\TrOEUew.exe
  C:\Windows\System32\TrOEUew.exe
  2⤵
  PID:7592
- C:\Windows\System32\ULKJEDD.exe
  C:\Windows\System32\ULKJEDD.exe
  2⤵
  PID:7612
- C:\Windows\System32\qncgvkl.exe
  C:\Windows\System32\qncgvkl.exe
  2⤵
  PID:7636
- C:\Windows\System32\updFglK.exe
  C:\Windows\System32\updFglK.exe
  2⤵
  PID:7664
- C:\Windows\System32\lQpfTSt.exe
  C:\Windows\System32\lQpfTSt.exe
  2⤵
  PID:7684
- C:\Windows\System32\kEOVxdv.exe
  C:\Windows\System32\kEOVxdv.exe
  2⤵
  PID:7728
- C:\Windows\System32\FjxbsWB.exe
  C:\Windows\System32\FjxbsWB.exe
  2⤵
  PID:7768
- C:\Windows\System32\tJStUMK.exe
  C:\Windows\System32\tJStUMK.exe
  2⤵
  PID:7792
- C:\Windows\System32\GFAHHpA.exe
  C:\Windows\System32\GFAHHpA.exe
  2⤵
  PID:7816
- C:\Windows\System32\xbtmClx.exe
  C:\Windows\System32\xbtmClx.exe
  2⤵
  PID:7840
- C:\Windows\System32\hKyuKKc.exe
  C:\Windows\System32\hKyuKKc.exe
  2⤵
  PID:7860
- C:\Windows\System32\xeTOgFM.exe
  C:\Windows\System32\xeTOgFM.exe
  2⤵
  PID:7896
- C:\Windows\System32\oaxnfEl.exe
  C:\Windows\System32\oaxnfEl.exe
  2⤵
  PID:7936
- C:\Windows\System32\DEMOcZk.exe
  C:\Windows\System32\DEMOcZk.exe
  2⤵
  PID:7952
- C:\Windows\System32\ohIwxdP.exe
  C:\Windows\System32\ohIwxdP.exe
  2⤵
  PID:7984
- C:\Windows\System32\YmXjNip.exe
  C:\Windows\System32\YmXjNip.exe
  2⤵
  PID:8008
- C:\Windows\System32\XGHxhQN.exe
  C:\Windows\System32\XGHxhQN.exe
  2⤵
  PID:8036
- C:\Windows\System32\oBQOFQM.exe
  C:\Windows\System32\oBQOFQM.exe
  2⤵
  PID:8052
- C:\Windows\System32\Dftccqz.exe
  C:\Windows\System32\Dftccqz.exe
  2⤵
  PID:8084
- C:\Windows\System32\VozzgTF.exe
  C:\Windows\System32\VozzgTF.exe
  2⤵
  PID:8104
- C:\Windows\System32\FLbmDzR.exe
  C:\Windows\System32\FLbmDzR.exe
  2⤵
  PID:8148
- C:\Windows\System32\qArLbPC.exe
  C:\Windows\System32\qArLbPC.exe
  2⤵
  PID:8184
- C:\Windows\System32\ozISuTh.exe
  C:\Windows\System32\ozISuTh.exe
  2⤵
  PID:7208
- C:\Windows\System32\xkxVOhY.exe
  C:\Windows\System32\xkxVOhY.exe
  2⤵
  PID:7252
- C:\Windows\System32\pmpakHL.exe
  C:\Windows\System32\pmpakHL.exe
  2⤵
  PID:7344
- C:\Windows\System32\jSEeaKs.exe
  C:\Windows\System32\jSEeaKs.exe
  2⤵
  PID:7440
- C:\Windows\System32\xfXqRXz.exe
  C:\Windows\System32\xfXqRXz.exe
  2⤵
  PID:7484
- C:\Windows\System32\AaKyDqZ.exe
  C:\Windows\System32\AaKyDqZ.exe
  2⤵
  PID:7528
- C:\Windows\System32\XYkryGL.exe
  C:\Windows\System32\XYkryGL.exe
  2⤵
  PID:7644
- C:\Windows\System32\KubwVpc.exe
  C:\Windows\System32\KubwVpc.exe
  2⤵
  PID:7704
- C:\Windows\System32\JIZWDgZ.exe
  C:\Windows\System32\JIZWDgZ.exe
  2⤵
  PID:7740
- C:\Windows\System32\hMRcrYO.exe
  C:\Windows\System32\hMRcrYO.exe
  2⤵
  PID:7836
- C:\Windows\System32\bDgXvEx.exe
  C:\Windows\System32\bDgXvEx.exe
  2⤵
  PID:7856
- C:\Windows\System32\mXgCZVg.exe
  C:\Windows\System32\mXgCZVg.exe
  2⤵
  PID:7948
- C:\Windows\System32\jMfSZDW.exe
  C:\Windows\System32\jMfSZDW.exe
  2⤵
  PID:7992
- C:\Windows\System32\KTUwGjz.exe
  C:\Windows\System32\KTUwGjz.exe
  2⤵
  PID:8096
- C:\Windows\System32\TEnycRt.exe
  C:\Windows\System32\TEnycRt.exe
  2⤵
  PID:8100
- C:\Windows\System32\vhxVQgt.exe
  C:\Windows\System32\vhxVQgt.exe
  2⤵
  PID:8176
- C:\Windows\System32\IQsXrkl.exe
  C:\Windows\System32\IQsXrkl.exe
  2⤵
  PID:7240
- C:\Windows\System32\sSYfpwq.exe
  C:\Windows\System32\sSYfpwq.exe
  2⤵
  PID:7348
- C:\Windows\System32\WiIHVeO.exe
  C:\Windows\System32\WiIHVeO.exe
  2⤵
  PID:7524
- C:\Windows\System32\IXcFLya.exe
  C:\Windows\System32\IXcFLya.exe
  2⤵
  PID:7692
- C:\Windows\System32\wAgdaGS.exe
  C:\Windows\System32\wAgdaGS.exe
  2⤵
  PID:4892
- C:\Windows\System32\xeaqVve.exe
  C:\Windows\System32\xeaqVve.exe
  2⤵
  PID:8044
- C:\Windows\System32\MObinXr.exe
  C:\Windows\System32\MObinXr.exe
  2⤵
  PID:7280
- C:\Windows\System32\GZOXjAn.exe
  C:\Windows\System32\GZOXjAn.exe
  2⤵
  PID:1740
- C:\Windows\System32\rXEfyfW.exe
  C:\Windows\System32\rXEfyfW.exe
  2⤵
  PID:7808
- C:\Windows\System32\TfAYfAf.exe
  C:\Windows\System32\TfAYfAf.exe
  2⤵
  PID:8020
- C:\Windows\System32\ioEozDs.exe
  C:\Windows\System32\ioEozDs.exe
  2⤵
  PID:7476
- C:\Windows\System32\VcubQmI.exe
  C:\Windows\System32\VcubQmI.exe
  2⤵
  PID:7424
- C:\Windows\System32\NYVwAyx.exe
  C:\Windows\System32\NYVwAyx.exe
  2⤵
  PID:8220
- C:\Windows\System32\yxRhNSK.exe
  C:\Windows\System32\yxRhNSK.exe
  2⤵
  PID:8240
- C:\Windows\System32\ZnwkEMd.exe
  C:\Windows\System32\ZnwkEMd.exe
  2⤵
  PID:8280
- C:\Windows\System32\OfEvdtS.exe
  C:\Windows\System32\OfEvdtS.exe
  2⤵
  PID:8304
- C:\Windows\System32\VOvDhfS.exe
  C:\Windows\System32\VOvDhfS.exe
  2⤵
  PID:8332
- C:\Windows\System32\mLZTzYb.exe
  C:\Windows\System32\mLZTzYb.exe
  2⤵
  PID:8360
- C:\Windows\System32\eUXELSn.exe
  C:\Windows\System32\eUXELSn.exe
  2⤵
  PID:8380
- C:\Windows\System32\EFDfobl.exe
  C:\Windows\System32\EFDfobl.exe
  2⤵
  PID:8424
- C:\Windows\System32\pYzCpUc.exe
  C:\Windows\System32\pYzCpUc.exe
  2⤵
  PID:8448
- C:\Windows\System32\FDsnwXG.exe
  C:\Windows\System32\FDsnwXG.exe
  2⤵
  PID:8476
- C:\Windows\System32\qmCYIhh.exe
  C:\Windows\System32\qmCYIhh.exe
  2⤵
  PID:8516
- C:\Windows\System32\lSqLvpz.exe
  C:\Windows\System32\lSqLvpz.exe
  2⤵
  PID:8532
- C:\Windows\System32\OdifRJE.exe
  C:\Windows\System32\OdifRJE.exe
  2⤵
  PID:8560
- C:\Windows\System32\FkMVHxI.exe
  C:\Windows\System32\FkMVHxI.exe
  2⤵
  PID:8588
- C:\Windows\System32\PWBHsys.exe
  C:\Windows\System32\PWBHsys.exe
  2⤵
  PID:8620
- C:\Windows\System32\bgclGTy.exe
  C:\Windows\System32\bgclGTy.exe
  2⤵
  PID:8636
- C:\Windows\System32\gMPrrMF.exe
  C:\Windows\System32\gMPrrMF.exe
  2⤵
  PID:8664
- C:\Windows\System32\TgKyDYM.exe
  C:\Windows\System32\TgKyDYM.exe
  2⤵
  PID:8688
- C:\Windows\System32\WRoUnYQ.exe
  C:\Windows\System32\WRoUnYQ.exe
  2⤵
  PID:8708
- C:\Windows\System32\rGyochW.exe
  C:\Windows\System32\rGyochW.exe
  2⤵
  PID:8760
- C:\Windows\System32\bfTptCe.exe
  C:\Windows\System32\bfTptCe.exe
  2⤵
  PID:8788
- C:\Windows\System32\YMtCTfl.exe
  C:\Windows\System32\YMtCTfl.exe
  2⤵
  PID:8812
- C:\Windows\System32\TXQWOIx.exe
  C:\Windows\System32\TXQWOIx.exe
  2⤵
  PID:8828
- C:\Windows\System32\pQqMLKj.exe
  C:\Windows\System32\pQqMLKj.exe
  2⤵
  PID:8856
- C:\Windows\System32\dTFNxOU.exe
  C:\Windows\System32\dTFNxOU.exe
  2⤵
  PID:8900
- C:\Windows\System32\DdxJdUc.exe
  C:\Windows\System32\DdxJdUc.exe
  2⤵
  PID:8928
- C:\Windows\System32\rsaFjMN.exe
  C:\Windows\System32\rsaFjMN.exe
  2⤵
  PID:8964
- C:\Windows\System32\AcQHuMy.exe
  C:\Windows\System32\AcQHuMy.exe
  2⤵
  PID:8980
- C:\Windows\System32\QFNajiZ.exe
  C:\Windows\System32\QFNajiZ.exe
  2⤵
  PID:9000
- C:\Windows\System32\keFOPdg.exe
  C:\Windows\System32\keFOPdg.exe
  2⤵
  PID:9028
- C:\Windows\System32\xZcXnZc.exe
  C:\Windows\System32\xZcXnZc.exe
  2⤵
  PID:9048
- C:\Windows\System32\JCvHBmn.exe
  C:\Windows\System32\JCvHBmn.exe
  2⤵
  PID:9064
- C:\Windows\System32\IpLYetD.exe
  C:\Windows\System32\IpLYetD.exe
  2⤵
  PID:9088
- C:\Windows\System32\uLIAeoI.exe
  C:\Windows\System32\uLIAeoI.exe
  2⤵
  PID:9128
- C:\Windows\System32\BSjKuGO.exe
  C:\Windows\System32\BSjKuGO.exe
  2⤵
  PID:9152
- C:\Windows\System32\QAhcqQS.exe
  C:\Windows\System32\QAhcqQS.exe
  2⤵
  PID:9172
- C:\Windows\System32\fDxdOFr.exe
  C:\Windows\System32\fDxdOFr.exe
  2⤵
  PID:7848
- C:\Windows\System32\zkiYXtf.exe
  C:\Windows\System32\zkiYXtf.exe
  2⤵
  PID:8276
- C:\Windows\System32\kcpOiNQ.exe
  C:\Windows\System32\kcpOiNQ.exe
  2⤵
  PID:8272
- C:\Windows\System32\BJcfuEd.exe
  C:\Windows\System32\BJcfuEd.exe
  2⤵
  PID:8316
- C:\Windows\System32\itoOOqW.exe
  C:\Windows\System32\itoOOqW.exe
  2⤵
  PID:8372
- C:\Windows\System32\SSIyRlG.exe
  C:\Windows\System32\SSIyRlG.exe
  2⤵
  PID:8472
- C:\Windows\System32\admdrMK.exe
  C:\Windows\System32\admdrMK.exe
  2⤵
  PID:8572
- C:\Windows\System32\NnHyCQK.exe
  C:\Windows\System32\NnHyCQK.exe
  2⤵
  PID:8676
- C:\Windows\System32\LrZizPS.exe
  C:\Windows\System32\LrZizPS.exe
  2⤵
  PID:8740
- C:\Windows\System32\xzsaQkJ.exe
  C:\Windows\System32\xzsaQkJ.exe
  2⤵
  PID:8808
- C:\Windows\System32\YXPaSUZ.exe
  C:\Windows\System32\YXPaSUZ.exe
  2⤵
  PID:8840
- C:\Windows\System32\fXBBPci.exe
  C:\Windows\System32\fXBBPci.exe
  2⤵
  PID:8912
- C:\Windows\System32\YqraNtM.exe
  C:\Windows\System32\YqraNtM.exe
  2⤵
  PID:8972
- C:\Windows\System32\bxfcmxw.exe
  C:\Windows\System32\bxfcmxw.exe
  2⤵
  PID:9072
- C:\Windows\System32\EgRzwHk.exe
  C:\Windows\System32\EgRzwHk.exe
  2⤵
  PID:4752
- C:\Windows\System32\HCdXIwQ.exe
  C:\Windows\System32\HCdXIwQ.exe
  2⤵
  PID:8432
- C:\Windows\System32\VKrVwbp.exe
  C:\Windows\System32\VKrVwbp.exe
  2⤵
  PID:8496
- C:\Windows\System32\CKXmbiX.exe
  C:\Windows\System32\CKXmbiX.exe
  2⤵
  PID:8648
- C:\Windows\System32\yWeBoUi.exe
  C:\Windows\System32\yWeBoUi.exe
  2⤵
  PID:8724
- C:\Windows\System32\FcQznIY.exe
  C:\Windows\System32\FcQznIY.exe
  2⤵
  PID:8824
- C:\Windows\System32\UoFzjCi.exe
  C:\Windows\System32\UoFzjCi.exe
  2⤵
  PID:8880
- C:\Windows\System32\YpsJhAi.exe
  C:\Windows\System32\YpsJhAi.exe
  2⤵
  PID:8996
- C:\Windows\System32\qdFOqKx.exe
  C:\Windows\System32\qdFOqKx.exe
  2⤵
  PID:9144
- C:\Windows\System32\xtLVIBv.exe
  C:\Windows\System32\xtLVIBv.exe
  2⤵
  PID:9232
- C:\Windows\System32\crVpTZg.exe
  C:\Windows\System32\crVpTZg.exe
  2⤵
  PID:9248
- C:\Windows\System32\byZaKeN.exe
  C:\Windows\System32\byZaKeN.exe
  2⤵
  PID:9264
- C:\Windows\System32\VWpLnZs.exe
  C:\Windows\System32\VWpLnZs.exe
  2⤵
  PID:9280
- C:\Windows\System32\ajKylvK.exe
  C:\Windows\System32\ajKylvK.exe
  2⤵
  PID:9296
- C:\Windows\System32\EjkOqDn.exe
  C:\Windows\System32\EjkOqDn.exe
  2⤵
  PID:9312
- C:\Windows\System32\ROvNIec.exe
  C:\Windows\System32\ROvNIec.exe
  2⤵
  PID:9328
- C:\Windows\System32\xJHHcvN.exe
  C:\Windows\System32\xJHHcvN.exe
  2⤵
  PID:9344
- C:\Windows\System32\hPcopCJ.exe
  C:\Windows\System32\hPcopCJ.exe
  2⤵
  PID:9380
- C:\Windows\System32\IEKZtML.exe
  C:\Windows\System32\IEKZtML.exe
  2⤵
  PID:9396
- C:\Windows\System32\SscQrCz.exe
  C:\Windows\System32\SscQrCz.exe
  2⤵
  PID:9476
- C:\Windows\System32\FAUGRbH.exe
  C:\Windows\System32\FAUGRbH.exe
  2⤵
  PID:9612
- C:\Windows\System32\DkzVhmX.exe
  C:\Windows\System32\DkzVhmX.exe
  2⤵
  PID:9684
- C:\Windows\System32\GNTSknv.exe
  C:\Windows\System32\GNTSknv.exe
  2⤵
  PID:9712
- C:\Windows\System32\grPzwvA.exe
  C:\Windows\System32\grPzwvA.exe
  2⤵
  PID:9732
- C:\Windows\System32\gEFHUSO.exe
  C:\Windows\System32\gEFHUSO.exe
  2⤵
  PID:9748
- C:\Windows\System32\WtGGzSX.exe
  C:\Windows\System32\WtGGzSX.exe
  2⤵
  PID:9800
- C:\Windows\System32\lYSErFZ.exe
  C:\Windows\System32\lYSErFZ.exe
  2⤵
  PID:9828
- C:\Windows\System32\QWNSOUY.exe
  C:\Windows\System32\QWNSOUY.exe
  2⤵
  PID:9856
- C:\Windows\System32\tejUwXt.exe
  C:\Windows\System32\tejUwXt.exe
  2⤵
  PID:9872
- C:\Windows\System32\EqXDcJn.exe
  C:\Windows\System32\EqXDcJn.exe
  2⤵
  PID:9908
- C:\Windows\System32\fbvZWbc.exe
  C:\Windows\System32\fbvZWbc.exe
  2⤵
  PID:9928
- C:\Windows\System32\gEnUboM.exe
  C:\Windows\System32\gEnUboM.exe
  2⤵
  PID:9968
- C:\Windows\System32\YkGbMGz.exe
  C:\Windows\System32\YkGbMGz.exe
  2⤵
  PID:9992
- C:\Windows\System32\rmkyFOH.exe
  C:\Windows\System32\rmkyFOH.exe
  2⤵
  PID:10012
- C:\Windows\System32\aPgFPsS.exe
  C:\Windows\System32\aPgFPsS.exe
  2⤵
  PID:10052
- C:\Windows\System32\UZlSlLw.exe
  C:\Windows\System32\UZlSlLw.exe
  2⤵
  PID:10076
- C:\Windows\System32\ORYvxBP.exe
  C:\Windows\System32\ORYvxBP.exe
  2⤵
  PID:10104
- C:\Windows\System32\YQPPNUK.exe
  C:\Windows\System32\YQPPNUK.exe
  2⤵
  PID:10128
- C:\Windows\System32\dGdrgfU.exe
  C:\Windows\System32\dGdrgfU.exe
  2⤵
  PID:10164
- C:\Windows\System32\fkDFwOh.exe
  C:\Windows\System32\fkDFwOh.exe
  2⤵
  PID:10184
- C:\Windows\System32\bEIGJAW.exe
  C:\Windows\System32\bEIGJAW.exe
  2⤵
  PID:10216
- C:\Windows\System32\RBqmKfc.exe
  C:\Windows\System32\RBqmKfc.exe
  2⤵
  PID:9096
- C:\Windows\System32\qNdQCGI.exe
  C:\Windows\System32\qNdQCGI.exe
  2⤵
  PID:9192
- C:\Windows\System32\tIUQMEe.exe
  C:\Windows\System32\tIUQMEe.exe
  2⤵
  PID:9228
- C:\Windows\System32\JYiTiIY.exe
  C:\Windows\System32\JYiTiIY.exe
  2⤵
  PID:9408
- C:\Windows\System32\JghdTqB.exe
  C:\Windows\System32\JghdTqB.exe
  2⤵
  PID:8784
- C:\Windows\System32\VOPlMde.exe
  C:\Windows\System32\VOPlMde.exe
  2⤵
  PID:9036
- C:\Windows\System32\taobtod.exe
  C:\Windows\System32\taobtod.exe
  2⤵
  PID:9212
- C:\Windows\System32\ioMoflG.exe
  C:\Windows\System32\ioMoflG.exe
  2⤵
  PID:8728
- C:\Windows\System32\MXHxPps.exe
  C:\Windows\System32\MXHxPps.exe
  2⤵
  PID:9324
- C:\Windows\System32\iDGxDqz.exe
  C:\Windows\System32\iDGxDqz.exe
  2⤵
  PID:9368
- C:\Windows\System32\FiiODxF.exe
  C:\Windows\System32\FiiODxF.exe
  2⤵
  PID:9460
- C:\Windows\System32\GCNDpkP.exe
  C:\Windows\System32\GCNDpkP.exe
  2⤵
  PID:9552
- C:\Windows\System32\tRnhaUo.exe
  C:\Windows\System32\tRnhaUo.exe
  2⤵
  PID:9520
- C:\Windows\System32\jMnFqal.exe
  C:\Windows\System32\jMnFqal.exe
  2⤵
  PID:9692
- C:\Windows\System32\mKfLHKw.exe
  C:\Windows\System32\mKfLHKw.exe
  2⤵
  PID:3544
- C:\Windows\System32\yEWqeeQ.exe
  C:\Windows\System32\yEWqeeQ.exe
  2⤵
  PID:9772
- C:\Windows\System32\cewLxTb.exe
  C:\Windows\System32\cewLxTb.exe
  2⤵
  PID:9864
- C:\Windows\System32\LLQQMEU.exe
  C:\Windows\System32\LLQQMEU.exe
  2⤵
  PID:9884
- C:\Windows\System32\cAQSAHE.exe
  C:\Windows\System32\cAQSAHE.exe
  2⤵
  PID:9984
- C:\Windows\System32\svZbxDT.exe
  C:\Windows\System32\svZbxDT.exe
  2⤵
  PID:10032
- C:\Windows\System32\sWRBtVS.exe
  C:\Windows\System32\sWRBtVS.exe
  2⤵
  PID:10064
- C:\Windows\System32\paMOrmN.exe
  C:\Windows\System32\paMOrmN.exe
  2⤵
  PID:10196
- C:\Windows\System32\KuKMKNv.exe
  C:\Windows\System32\KuKMKNv.exe
  2⤵
  PID:9108
- C:\Windows\System32\SFRKrhT.exe
  C:\Windows\System32\SFRKrhT.exe
  2⤵
  PID:9056
- C:\Windows\System32\YxqUrth.exe
  C:\Windows\System32\YxqUrth.exe
  2⤵
  PID:9372
- C:\Windows\System32\AIWnqgg.exe
  C:\Windows\System32\AIWnqgg.exe
  2⤵
  PID:9184
- C:\Windows\System32\YMcnoUL.exe
  C:\Windows\System32\YMcnoUL.exe
  2⤵
  PID:9416
- C:\Windows\System32\gesEIUM.exe
  C:\Windows\System32\gesEIUM.exe
  2⤵
  PID:9528
- C:\Windows\System32\BJJOPjw.exe
  C:\Windows\System32\BJJOPjw.exe
  2⤵
  PID:9680
- C:\Windows\System32\kSgNjDd.exe
  C:\Windows\System32\kSgNjDd.exe
  2⤵
  PID:9792
- C:\Windows\System32\qwhCFTo.exe
  C:\Windows\System32\qwhCFTo.exe
  2⤵
  PID:9900
- C:\Windows\System32\AxskwEj.exe
  C:\Windows\System32\AxskwEj.exe
  2⤵
  PID:10120
- C:\Windows\System32\cgpiwau.exe
  C:\Windows\System32\cgpiwau.exe
  2⤵
  PID:9140
- C:\Windows\System32\AoRHUCQ.exe
  C:\Windows\System32\AoRHUCQ.exe
  2⤵
  PID:8884
- C:\Windows\System32\UIHYUNb.exe
  C:\Windows\System32\UIHYUNb.exe
  2⤵
  PID:9592
- C:\Windows\System32\LdWTIpF.exe
  C:\Windows\System32\LdWTIpF.exe
  2⤵
  PID:9740
- C:\Windows\System32\dLvSfXa.exe
  C:\Windows\System32\dLvSfXa.exe
  2⤵
  PID:888
- C:\Windows\System32\jZJcPBY.exe
  C:\Windows\System32\jZJcPBY.exe
  2⤵
  PID:8236
- C:\Windows\System32\YXKujtn.exe
  C:\Windows\System32\YXKujtn.exe
  2⤵
  PID:3996
- C:\Windows\System32\eefxPqJ.exe
  C:\Windows\System32\eefxPqJ.exe
  2⤵
  PID:10256
- C:\Windows\System32\oAKwrQs.exe
  C:\Windows\System32\oAKwrQs.exe
  2⤵
  PID:10284
- C:\Windows\System32\WORUzsq.exe
  C:\Windows\System32\WORUzsq.exe
  2⤵
  PID:10304
- C:\Windows\System32\fzAQHcA.exe
  C:\Windows\System32\fzAQHcA.exe
  2⤵
  PID:10320
- C:\Windows\System32\mkWFsxt.exe
  C:\Windows\System32\mkWFsxt.exe
  2⤵
  PID:10364
- C:\Windows\System32\gYCkonP.exe
  C:\Windows\System32\gYCkonP.exe
  2⤵
  PID:10388
- C:\Windows\System32\gDVJhnl.exe
  C:\Windows\System32\gDVJhnl.exe
  2⤵
  PID:10408
- C:\Windows\System32\dLNlsOn.exe
  C:\Windows\System32\dLNlsOn.exe
  2⤵
  PID:10452
- C:\Windows\System32\uUpOqym.exe
  C:\Windows\System32\uUpOqym.exe
  2⤵
  PID:10480
- C:\Windows\System32\XlUJNnm.exe
  C:\Windows\System32\XlUJNnm.exe
  2⤵
  PID:10508
- C:\Windows\System32\mPNCSnx.exe
  C:\Windows\System32\mPNCSnx.exe
  2⤵
  PID:10528
- C:\Windows\System32\ZyIizQP.exe
  C:\Windows\System32\ZyIizQP.exe
  2⤵
  PID:10548
- C:\Windows\System32\bmhByXY.exe
  C:\Windows\System32\bmhByXY.exe
  2⤵
  PID:10564
- C:\Windows\System32\zHJJDNS.exe
  C:\Windows\System32\zHJJDNS.exe
  2⤵
  PID:10600
- C:\Windows\System32\eYlWHyH.exe
  C:\Windows\System32\eYlWHyH.exe
  2⤵
  PID:10620
- C:\Windows\System32\HbDAjHq.exe
  C:\Windows\System32\HbDAjHq.exe
  2⤵
  PID:10648
- C:\Windows\System32\CVEGpwG.exe
  C:\Windows\System32\CVEGpwG.exe
  2⤵
  PID:10684
- C:\Windows\System32\kIEeViV.exe
  C:\Windows\System32\kIEeViV.exe
  2⤵
  PID:10728
- C:\Windows\System32\BjpaSQv.exe
  C:\Windows\System32\BjpaSQv.exe
  2⤵
  PID:10760
- C:\Windows\System32\ZcuiFwu.exe
  C:\Windows\System32\ZcuiFwu.exe
  2⤵
  PID:10780
- C:\Windows\System32\kPXZNAY.exe
  C:\Windows\System32\kPXZNAY.exe
  2⤵
  PID:10820
- C:\Windows\System32\ZxfaExr.exe
  C:\Windows\System32\ZxfaExr.exe
  2⤵
  PID:10840
- C:\Windows\System32\Ovfdwvb.exe
  C:\Windows\System32\Ovfdwvb.exe
  2⤵
  PID:10876
- C:\Windows\System32\DnAKWuP.exe
  C:\Windows\System32\DnAKWuP.exe
  2⤵
  PID:10892
- C:\Windows\System32\YCkGqFC.exe
  C:\Windows\System32\YCkGqFC.exe
  2⤵
  PID:10916
- C:\Windows\System32\udxsmmh.exe
  C:\Windows\System32\udxsmmh.exe
  2⤵
  PID:10956
- C:\Windows\System32\zCRzdAI.exe
  C:\Windows\System32\zCRzdAI.exe
  2⤵
  PID:10992
- C:\Windows\System32\ChdVLLI.exe
  C:\Windows\System32\ChdVLLI.exe
  2⤵
  PID:11016
- C:\Windows\System32\ADPcqxK.exe
  C:\Windows\System32\ADPcqxK.exe
  2⤵
  PID:11044
- C:\Windows\System32\fNfnlZE.exe
  C:\Windows\System32\fNfnlZE.exe
  2⤵
  PID:11080
- C:\Windows\System32\CkxgAYR.exe
  C:\Windows\System32\CkxgAYR.exe
  2⤵
  PID:11100
- C:\Windows\System32\WWtKVVv.exe
  C:\Windows\System32\WWtKVVv.exe
  2⤵
  PID:11124
- C:\Windows\System32\XTHWvdq.exe
  C:\Windows\System32\XTHWvdq.exe
  2⤵
  PID:11168
- C:\Windows\System32\oHncCOb.exe
  C:\Windows\System32\oHncCOb.exe
  2⤵
  PID:11192
- C:\Windows\System32\bgviVcE.exe
  C:\Windows\System32\bgviVcE.exe
  2⤵
  PID:11208
- C:\Windows\System32\jLnsexv.exe
  C:\Windows\System32\jLnsexv.exe
  2⤵
  PID:11228
- C:\Windows\System32\qMEdEiA.exe
  C:\Windows\System32\qMEdEiA.exe
  2⤵
  PID:11252
- C:\Windows\System32\klqgvyo.exe
  C:\Windows\System32\klqgvyo.exe
  2⤵
  PID:10264
- C:\Windows\System32\RawUNOb.exe
  C:\Windows\System32\RawUNOb.exe
  2⤵
  PID:10340
- C:\Windows\System32\tOJKOmM.exe
  C:\Windows\System32\tOJKOmM.exe
  2⤵
  PID:10404
- C:\Windows\System32\rVPCcNK.exe
  C:\Windows\System32\rVPCcNK.exe
  2⤵
  PID:10472
- C:\Windows\System32\DoHIbOE.exe
  C:\Windows\System32\DoHIbOE.exe
  2⤵
  PID:10536
- C:\Windows\System32\SuPbCfE.exe
  C:\Windows\System32\SuPbCfE.exe
  2⤵
  PID:10556
- C:\Windows\System32\BHhqTnj.exe
  C:\Windows\System32\BHhqTnj.exe
  2⤵
  PID:10708
- C:\Windows\System32\KLnlEHP.exe
  C:\Windows\System32\KLnlEHP.exe
  2⤵
  PID:10752
- C:\Windows\System32\PaZOMkn.exe
  C:\Windows\System32\PaZOMkn.exe
  2⤵
  PID:10804
- C:\Windows\System32\bwDFfEe.exe
  C:\Windows\System32\bwDFfEe.exe
  2⤵
  PID:10908
- C:\Windows\System32\FHcenbY.exe
  C:\Windows\System32\FHcenbY.exe
  2⤵
  PID:10928
- C:\Windows\System32\ohbRhXR.exe
  C:\Windows\System32\ohbRhXR.exe
  2⤵
  PID:11036
- C:\Windows\System32\NaoJMpD.exe
  C:\Windows\System32\NaoJMpD.exe
  2⤵
  PID:11072
- C:\Windows\System32\STFLhMb.exe
  C:\Windows\System32\STFLhMb.exe
  2⤵
  PID:11132
- C:\Windows\System32\rIbRrqj.exe
  C:\Windows\System32\rIbRrqj.exe
  2⤵
  PID:11236
- C:\Windows\System32\RKNpVSv.exe
  C:\Windows\System32\RKNpVSv.exe
  2⤵
  PID:3888
- C:\Windows\System32\wZlXIlW.exe
  C:\Windows\System32\wZlXIlW.exe
  2⤵
  PID:10420
- C:\Windows\System32\FCNiNkt.exe
  C:\Windows\System32\FCNiNkt.exe
  2⤵
  PID:10432
- C:\Windows\System32\iDiTXsb.exe
  C:\Windows\System32\iDiTXsb.exe
  2⤵
  PID:10716
- C:\Windows\System32\PwoyUTR.exe
  C:\Windows\System32\PwoyUTR.exe
  2⤵
  PID:10856
- C:\Windows\System32\oYiaHjl.exe
  C:\Windows\System32\oYiaHjl.exe
  2⤵
  PID:10968
- C:\Windows\System32\eolHBkZ.exe
  C:\Windows\System32\eolHBkZ.exe
  2⤵
  PID:11116
- C:\Windows\System32\aHTQlgx.exe
  C:\Windows\System32\aHTQlgx.exe
  2⤵
  PID:11220
- C:\Windows\System32\jgPUKPA.exe
  C:\Windows\System32\jgPUKPA.exe
  2⤵
  PID:10560
- C:\Windows\System32\WiyItBg.exe
  C:\Windows\System32\WiyItBg.exe
  2⤵
  PID:10952
- C:\Windows\System32\PFTcmut.exe
  C:\Windows\System32\PFTcmut.exe
  2⤵
  PID:10148
- C:\Windows\System32\FZsQzlU.exe
  C:\Windows\System32\FZsQzlU.exe
  2⤵
  PID:10748
- C:\Windows\System32\wElrsJg.exe
  C:\Windows\System32\wElrsJg.exe
  2⤵
  PID:11272
- C:\Windows\System32\lIJfEpa.exe
  C:\Windows\System32\lIJfEpa.exe
  2⤵
  PID:11288
- C:\Windows\System32\qUwcJGK.exe
  C:\Windows\System32\qUwcJGK.exe
  2⤵
  PID:11308
- C:\Windows\System32\EZOrxCX.exe
  C:\Windows\System32\EZOrxCX.exe
  2⤵
  PID:11412
- C:\Windows\System32\iRTeMWY.exe
  C:\Windows\System32\iRTeMWY.exe
  2⤵
  PID:11428
- C:\Windows\System32\kwhTnWQ.exe
  C:\Windows\System32\kwhTnWQ.exe
  2⤵
  PID:11444
- C:\Windows\System32\asMPZnD.exe
  C:\Windows\System32\asMPZnD.exe
  2⤵
  PID:11464
- C:\Windows\System32\tnbMqaU.exe
  C:\Windows\System32\tnbMqaU.exe
  2⤵
  PID:11500
- C:\Windows\System32\pTLzzjN.exe
  C:\Windows\System32\pTLzzjN.exe
  2⤵
  PID:11544
- C:\Windows\System32\xXMDKct.exe
  C:\Windows\System32\xXMDKct.exe
  2⤵
  PID:11568
- C:\Windows\System32\WzIpGrl.exe
  C:\Windows\System32\WzIpGrl.exe
  2⤵
  PID:11596
- C:\Windows\System32\lsAmIcN.exe
  C:\Windows\System32\lsAmIcN.exe
  2⤵
  PID:11612
- C:\Windows\System32\bGPwIUY.exe
  C:\Windows\System32\bGPwIUY.exe
  2⤵
  PID:11648
- C:\Windows\System32\GVGlGLi.exe
  C:\Windows\System32\GVGlGLi.exe
  2⤵
  PID:11672
- C:\Windows\System32\yvBzXOW.exe
  C:\Windows\System32\yvBzXOW.exe
  2⤵
  PID:11696
- C:\Windows\System32\pPDUsgV.exe
  C:\Windows\System32\pPDUsgV.exe
  2⤵
  PID:11728
- C:\Windows\System32\dYNJgTM.exe
  C:\Windows\System32\dYNJgTM.exe
  2⤵
  PID:11744
- C:\Windows\System32\dwSCMSm.exe
  C:\Windows\System32\dwSCMSm.exe
  2⤵
  PID:11764
- C:\Windows\System32\WnRodyx.exe
  C:\Windows\System32\WnRodyx.exe
  2⤵
  PID:11796
- C:\Windows\System32\yteIQog.exe
  C:\Windows\System32\yteIQog.exe
  2⤵
  PID:11816
- C:\Windows\System32\gxikiZR.exe
  C:\Windows\System32\gxikiZR.exe
  2⤵
  PID:11876
- C:\Windows\System32\RSTcrrl.exe
  C:\Windows\System32\RSTcrrl.exe
  2⤵
  PID:11900
- C:\Windows\System32\juXOkAy.exe
  C:\Windows\System32\juXOkAy.exe
  2⤵
  PID:11920
- C:\Windows\System32\IPttmoc.exe
  C:\Windows\System32\IPttmoc.exe
  2⤵
  PID:11952
- C:\Windows\System32\dKZpSOJ.exe
  C:\Windows\System32\dKZpSOJ.exe
  2⤵
  PID:11980
- C:\Windows\System32\VDeqbFK.exe
  C:\Windows\System32\VDeqbFK.exe
  2⤵
  PID:12008
- C:\Windows\System32\rWtQNfa.exe
  C:\Windows\System32\rWtQNfa.exe
  2⤵
  PID:12044
- C:\Windows\System32\oHIFhiF.exe
  C:\Windows\System32\oHIFhiF.exe
  2⤵
  PID:12068
- C:\Windows\System32\RaXFesu.exe
  C:\Windows\System32\RaXFesu.exe
  2⤵
  PID:12092
- C:\Windows\System32\kLUXHug.exe
  C:\Windows\System32\kLUXHug.exe
  2⤵
  PID:12128
- C:\Windows\System32\Axoqqsc.exe
  C:\Windows\System32\Axoqqsc.exe
  2⤵
  PID:12152
- C:\Windows\System32\HJwfllK.exe
  C:\Windows\System32\HJwfllK.exe
  2⤵
  PID:12184
- C:\Windows\System32\ldUPSsh.exe
  C:\Windows\System32\ldUPSsh.exe
  2⤵
  PID:12204
- C:\Windows\System32\Aupvpwl.exe
  C:\Windows\System32\Aupvpwl.exe
  2⤵
  PID:12220
- C:\Windows\System32\HQLVDZz.exe
  C:\Windows\System32\HQLVDZz.exe
  2⤵
  PID:12264
- C:\Windows\System32\LFewchl.exe
  C:\Windows\System32\LFewchl.exe
  2⤵
  PID:11012
- C:\Windows\System32\RKmUIai.exe
  C:\Windows\System32\RKmUIai.exe
  2⤵
  PID:11280
- C:\Windows\System32\lxppMCm.exe
  C:\Windows\System32\lxppMCm.exe
  2⤵
  PID:11300
- C:\Windows\System32\PWGVeeZ.exe
  C:\Windows\System32\PWGVeeZ.exe
  2⤵
  PID:11408
- C:\Windows\System32\WeOJOjm.exe
  C:\Windows\System32\WeOJOjm.exe
  2⤵
  PID:11488
- C:\Windows\System32\UVGVkgb.exe
  C:\Windows\System32\UVGVkgb.exe
  2⤵
  PID:11560
- C:\Windows\System32\QDvHzZB.exe
  C:\Windows\System32\QDvHzZB.exe
  2⤵
  PID:11608
- C:\Windows\System32\XWSeEMV.exe
  C:\Windows\System32\XWSeEMV.exe
  2⤵
  PID:11664
- C:\Windows\System32\OwwhFHZ.exe
  C:\Windows\System32\OwwhFHZ.exe
  2⤵
  PID:11772
- C:\Windows\System32\Hjhwkqs.exe
  C:\Windows\System32\Hjhwkqs.exe
  2⤵
  PID:11780
- C:\Windows\System32\YFEZIaq.exe
  C:\Windows\System32\YFEZIaq.exe
  2⤵
  PID:11896
- C:\Windows\System32\lJHnbVD.exe
  C:\Windows\System32\lJHnbVD.exe
  2⤵
  PID:11936
- C:\Windows\System32\SNmNwXi.exe
  C:\Windows\System32\SNmNwXi.exe
  2⤵
  PID:11996
- C:\Windows\System32\UomGFiI.exe
  C:\Windows\System32\UomGFiI.exe
  2⤵
  PID:12064
- C:\Windows\System32\OiRcAez.exe
  C:\Windows\System32\OiRcAez.exe
  2⤵
  PID:12088
- C:\Windows\System32\yJzfZtt.exe
  C:\Windows\System32\yJzfZtt.exe
  2⤵
  PID:12176
- C:\Windows\System32\uaLFFRz.exe
  C:\Windows\System32\uaLFFRz.exe
  2⤵
  PID:12212
- C:\Windows\System32\FfNeqmw.exe
  C:\Windows\System32\FfNeqmw.exe
  2⤵
  PID:4140
- C:\Windows\System32\lWUMKgB.exe
  C:\Windows\System32\lWUMKgB.exe
  2⤵
  PID:12284
- C:\Windows\System32\LIcfmhn.exe
  C:\Windows\System32\LIcfmhn.exe
  2⤵
  PID:11484
- C:\Windows\System32\JSvesTE.exe
  C:\Windows\System32\JSvesTE.exe
  2⤵
  PID:11624
- C:\Windows\System32\WZqXTlG.exe
  C:\Windows\System32\WZqXTlG.exe
  2⤵
  PID:11792
- C:\Windows\System32\QLHNEMY.exe
  C:\Windows\System32\QLHNEMY.exe
  2⤵
  PID:11888
- C:\Windows\System32\DtZlYJU.exe
  C:\Windows\System32\DtZlYJU.exe
  2⤵
  PID:12024
- C:\Windows\System32\IVBIcPS.exe
  C:\Windows\System32\IVBIcPS.exe
  2⤵
  PID:12200
- C:\Windows\System32\mvvfYkp.exe
  C:\Windows\System32\mvvfYkp.exe
  2⤵
  PID:3100
- C:\Windows\System32\PaGqMMn.exe
  C:\Windows\System32\PaGqMMn.exe
  2⤵
  PID:11372
- C:\Windows\System32\LGzMsoS.exe
  C:\Windows\System32\LGzMsoS.exe
  2⤵
  PID:11760
- C:\Windows\System32\UWyrcQK.exe
  C:\Windows\System32\UWyrcQK.exe
  2⤵
  PID:11932
- C:\Windows\System32\uBxLoVP.exe
  C:\Windows\System32\uBxLoVP.exe
  2⤵
  PID:11944
- C:\Windows\System32\mehpojE.exe
  C:\Windows\System32\mehpojE.exe
  2⤵
  PID:12300
- C:\Windows\System32\tDetPSc.exe
  C:\Windows\System32\tDetPSc.exe
  2⤵
  PID:12320
- C:\Windows\System32\xdewmBL.exe
  C:\Windows\System32\xdewmBL.exe
  2⤵
  PID:12344
- C:\Windows\System32\gZfosNa.exe
  C:\Windows\System32\gZfosNa.exe
  2⤵
  PID:12364
- C:\Windows\System32\rYLIXbf.exe
  C:\Windows\System32\rYLIXbf.exe
  2⤵
  PID:12384
- C:\Windows\System32\FvtEnXR.exe
  C:\Windows\System32\FvtEnXR.exe
  2⤵
  PID:12400
- C:\Windows\System32\gDElodO.exe
  C:\Windows\System32\gDElodO.exe
  2⤵
  PID:12432
- C:\Windows\System32\JAbAiTk.exe
  C:\Windows\System32\JAbAiTk.exe
  2⤵
  PID:12488
- C:\Windows\System32\MPRIiWQ.exe
  C:\Windows\System32\MPRIiWQ.exe
  2⤵
  PID:12512
- C:\Windows\System32\QjuSyGM.exe
  C:\Windows\System32\QjuSyGM.exe
  2⤵
  PID:12528
- C:\Windows\System32\ngmkWgP.exe
  C:\Windows\System32\ngmkWgP.exe
  2⤵
  PID:12552
- C:\Windows\System32\hqIviYS.exe
  C:\Windows\System32\hqIviYS.exe
  2⤵
  PID:12580
- C:\Windows\System32\DfXeOfQ.exe
  C:\Windows\System32\DfXeOfQ.exe
  2⤵
  PID:12608
- C:\Windows\System32\jkeyuqM.exe
  C:\Windows\System32\jkeyuqM.exe
  2⤵
  PID:12632
- C:\Windows\System32\tObuiUW.exe
  C:\Windows\System32\tObuiUW.exe
  2⤵
  PID:12648
- C:\Windows\System32\EhXiihG.exe
  C:\Windows\System32\EhXiihG.exe
  2⤵
  PID:12700
- C:\Windows\System32\nvFtZTH.exe
  C:\Windows\System32\nvFtZTH.exe
  2⤵
  PID:12732
- C:\Windows\System32\WAxcwHm.exe
  C:\Windows\System32\WAxcwHm.exe
  2⤵
  PID:12760
- C:\Windows\System32\YEbmhIN.exe
  C:\Windows\System32\YEbmhIN.exe
  2⤵
  PID:12780
- C:\Windows\System32\XXgwncl.exe
  C:\Windows\System32\XXgwncl.exe
  2⤵
  PID:12800
- C:\Windows\System32\UrmGPQC.exe
  C:\Windows\System32\UrmGPQC.exe
  2⤵
  PID:12816
- C:\Windows\System32\BMwdWJJ.exe
  C:\Windows\System32\BMwdWJJ.exe
  2⤵
  PID:12876
- C:\Windows\System32\JelwSpZ.exe
  C:\Windows\System32\JelwSpZ.exe
  2⤵
  PID:12904
- C:\Windows\System32\zkswQyM.exe
  C:\Windows\System32\zkswQyM.exe
  2⤵
  PID:12924
- C:\Windows\System32\jfhPkhe.exe
  C:\Windows\System32\jfhPkhe.exe
  2⤵
  PID:12964
- C:\Windows\System32\pvstNBy.exe
  C:\Windows\System32\pvstNBy.exe
  2⤵
  PID:12984
- C:\Windows\System32\fkttNFS.exe
  C:\Windows\System32\fkttNFS.exe
  2⤵
  PID:13000
- C:\Windows\System32\BlzsOOk.exe
  C:\Windows\System32\BlzsOOk.exe
  2⤵
  PID:13024
- C:\Windows\System32\zpyQzUm.exe
  C:\Windows\System32\zpyQzUm.exe
  2⤵
  PID:13068
- C:\Windows\System32\HkADIYW.exe
  C:\Windows\System32\HkADIYW.exe
  2⤵
  PID:13100
- C:\Windows\System32\iVwFSXI.exe
  C:\Windows\System32\iVwFSXI.exe
  2⤵
  PID:13116
- C:\Windows\System32\YAnvXgU.exe
  C:\Windows\System32\YAnvXgU.exe
  2⤵
  PID:13136
- C:\Windows\System32\tnBFOau.exe
  C:\Windows\System32\tnBFOau.exe
  2⤵
  PID:13184
- C:\Windows\System32\tYDkGsY.exe
  C:\Windows\System32\tYDkGsY.exe
  2⤵
  PID:13216
- C:\Windows\System32\jamEIqK.exe
  C:\Windows\System32\jamEIqK.exe
  2⤵
  PID:13244
- C:\Windows\System32\HVdRAIq.exe
  C:\Windows\System32\HVdRAIq.exe
  2⤵
  PID:13264
- C:\Windows\System32\qdIqedq.exe
  C:\Windows\System32\qdIqedq.exe
  2⤵
  PID:13292
- C:\Windows\System32\VgJVGFl.exe
  C:\Windows\System32\VgJVGFl.exe
  2⤵
  PID:12332
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 12332 -s 244
    3⤵
    PID:12916

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AapTbKU.exe

Filesize
1.9MB

MD5
3aafd64b8315b9bdd23c75874a3eaea8

SHA1
bf059f8f4f0e25600c7584bf148151a2992be370

SHA256
a2dffb51baa9b64928a8944638fbec10badc9a310f0c940fdc5d77e097322caf

SHA512
af16a03532ffa3c2d5b6d63003b272e7b81ce3a34794014f4043cbc88f73eb792d6df57122309bc0e2655aa9c92b0d281de760f9a0724dc51755d9f57e3c72bd

Download Submit
C:\Windows\System32\AsMGkff.exe

Filesize
1.9MB

MD5
a33244f6af7d13e8e4e5ff2459bf6f64

SHA1
fa5dbe54b5ef2ea6e5f6099be05810c9dcc66f52

SHA256
3417a4a42d1e75c567c68fcf821166542e0cb53bd0df378366447ad726742c48

SHA512
116dfe228c299a48af2221b71ae88ea7c55272ecc8a97429065f47f28868b97c646a29ca73c70d568b9ec0afd705ec1bc70b968da4b2dc3227410de641844463

Download Submit
C:\Windows\System32\FnHJYAK.exe

Filesize
1.9MB

MD5
b1455f21ad934fb78f2278c630e60aab

SHA1
4e0ffb0c67dbdf0f4b5f3292e9b751f7ef1e2907

SHA256
c526447ecd052b60d48d3e40c282d7d702e94b66b0e4b5df1aec073002451e8d

SHA512
6c71cac6e54ccdbba171ce1bca97ab3b73706d0750b4c2947e6af41ad1e5f7ad621222d0b0c3ed3dbdfc9eb46c5b7639895305a4688e2c7bf23b8c04cce7947c

Download Submit
C:\Windows\System32\JCRzuqc.exe

Filesize
1.9MB

MD5
e3ff67aa54d1c8dae060d109f9e86cce

SHA1
f65ccbc9b4a4f51cc39dd82f751b84d4de537004

SHA256
3e223fbd79a036091ab8f8178c7dde0b42be53b59ef0c5927f1de53e1db64c45

SHA512
676d5b31bb70647576698c393df53b5be75384b9a464e540965a3e3c567d5ce9c9ec5c8a9dae31db57c083cd4563b312c7573172a1b1b8544a2c62111718074d

Download Submit
C:\Windows\System32\JpjuukC.exe

Filesize
1.9MB

MD5
55269a81b806472ed0ebd9e6a850ca27

SHA1
7e037908bb98e56fe088a824b407766c91cc943c

SHA256
b7ab6698d981fbcdb452e99f9082936face07a07b6e9d9f2d60a4426604111d2

SHA512
79ade48dda5126bc6e6f573a284e11297cafbfe91d04bcb0df459ab74a264fbf2cab437c617f683d45b9f69baaa06f70038a17345d3209bb44661570db19f784

Download Submit
C:\Windows\System32\KXZklzZ.exe

Filesize
1.9MB

MD5
cda4d8dd92239c92c57b2ee71b5b4a4e

SHA1
8ac5f0cee46e8c181454311832d2b3c0c85a5014

SHA256
4ec596f0c8a767b6aaecb7febbd423fa5756831fa58c5b73bc1adfb6cc976526

SHA512
d79869db82f45bf392c4a59d772f814ead6f44775372758e7dee6ef5d12765d4da611ba2addcdf9721fc0c42ce2ff264e0e1230f574500abbecde0560e5830cd

Download Submit
C:\Windows\System32\PJoPKCB.exe

Filesize
1.9MB

MD5
9d494e37867383ef3690559b5fda0365

SHA1
08ab4f2e8e294a419b0d7db7b925b3701dfb8b8f

SHA256
8b4a8da03bf94675dbc6ab12f4cdd93319e6f1d959d61a17752212cf50c6c466

SHA512
9dc9015af8c7392365bd13177020c498fc428148645d6e121508c6426ed131d5b72965759eb179a8ef76cd343514c0995a9b1bcfebb45f84c62a7f8ade57d225

Download Submit
C:\Windows\System32\PMudDGs.exe

Filesize
1.9MB

MD5
5a302b6cc9b1f876dd21deaf3a122ead

SHA1
3e4129509834c7d0482120be364923558ffb0a61

SHA256
5e2471cbc4e7a322f93ae753b7d3b6ee7ef9dd44b3e0b2ea184da3cb7469d560

SHA512
5467748a9e433c5f8b33efabb77ecf310a3035d2ca68e213c3399b485c6912a71fd3de8e1a8b73ff55262c97fe3385935dd6978b509f31fb3f234a35e353d81c

Download Submit
C:\Windows\System32\SUJFeKt.exe

Filesize
1.9MB

MD5
c312e346d77fb6542d3be0207d3886f8

SHA1
2b94287e1168128540e16e3f5cbfd203a1a0906e

SHA256
be68cf465a2ae9f4a604b88d7ea82da3dedb698d6fadb60eb94656fcd2fb3dbf

SHA512
d026902e03a83376a3c2a07b57230896b5cbb9ff53b05dfcf45b970cd694b9240a84655c980651ade5f05d3463245136e3cef0dcf4879764b814fc236c2c346e

Download Submit
C:\Windows\System32\TUJgTaZ.exe

Filesize
1.9MB

MD5
366afb6a6b615d98d5b19045f11f69d5

SHA1
03dafb1415bb974dec9777e061062c614c65254a

SHA256
b046d7384997bc63c3809017017f653a419402357ac1a948bb5c85bb1cff35d8

SHA512
9ce3d921966c8620e3d2678a3c90e03b1a0c84d97f6b864aa0cc19f903a42b69ce55bb4d6de23197c06974b3fa3b66cace07e6bfeaf5649d6f571ec7ff892de5

Download Submit
C:\Windows\System32\UXwhLbZ.exe

Filesize
1.9MB

MD5
52d2923f6ad3caca07de8875b904d0c7

SHA1
3dd246603a770f5253f658adfcbe932676dff19a

SHA256
2b60aa7408c49fe5696230e28478291417e13ffa9b0e838085989319da8a5c76

SHA512
8f74d1120eb8a625237fdb079e89a814a68a1800a7b919004fd0d53c5436a9f4aec1f5f29c5e656a18c4fd5ba891680f351aafc3bed6136751db3af74982a9c4

Download Submit
C:\Windows\System32\VxOFbmj.exe

Filesize
1.9MB

MD5
542f367dcd9af501c69d97fdefde21a8

SHA1
fd255cb2109c38900bf6677da1b4540ecef45019

SHA256
c67e67ef09bdb5b62d23d8937bc1a3163f25da7ab7fc79c56df989fbdf8f613c

SHA512
90a4e8c0d6836f267ff9a2582c8782f7e08861be492eebc4c3eb4751500b577073f03c8b358814878d363bb1aa83b9dec6f2fac47c38bf9db46c4ce0a53433ea

Download Submit
C:\Windows\System32\XNdySUM.exe

Filesize
1.9MB

MD5
fc59a13ca55d5714e6e6279228171366

SHA1
9742e30549918beb0e8f89aa181374114cff5120

SHA256
54f8dcab0e6cd8820ac0107b684c81f9c389b58d89b9d618e32a864e12a726d5

SHA512
89ef3747b79aecc62a88f9e0727bc2198bf123605e02900f2bccadb8db38d20828d3b547ce155991cbb9bf9aa24e11fd39366068bf2666308876636e627f9724

Download Submit
C:\Windows\System32\XsdFOWT.exe

Filesize
1.9MB

MD5
9f0daa9a6167cc73b7739f599bdd51a4

SHA1
df1eb150d95950c12a597f67393068109194733c

SHA256
c8150f7b449abcd54932278dc845051ac077e36836e407d88efbc799b3a40447

SHA512
7443dd2bfe2200cb09177bd014c40a85e7a2e198b53084e8ab2c540d04092aa7ff7891d885dfedbe2f5ae0032ad69c2d84319b56193ce9aa2520ca56875a9d3d

Download Submit
C:\Windows\System32\YDvILaG.exe

Filesize
1.9MB

MD5
362a3778a4f1394688acd4af0db49f7d

SHA1
0a85943515d1ad21e0bc271ae42c29a2f431b332

SHA256
77c0c7cc84246c032d45fd42ebdde1bfed42f533395b985d46cbc25426103939

SHA512
ddbfac7e0aa90bc2b56fbfdbf5ee961cc285fdddc7fac0e852d78fcb2f96d0817657c289f4ad8ea3e38d7ae19d223ff6b4ea32b39f58fdeab603d680848f7cd6

Download Submit
C:\Windows\System32\YXDVqCc.exe

Filesize
1.9MB

MD5
e5fb9a12137e2ac07a5415f9a3e63f1d

SHA1
16372701f4d95251cc32800d9ea69bc02232b48b

SHA256
61502849791475a1daf7bdd77cd036ef18c360d4ad9c3477e3f6238d71c7bd62

SHA512
6ea7b28ffe0beb25f703e7a631bc7a176676bfee0b796525a83ecb1014627016148ed0f8d465ce74b4b84c09323c529057cde638a01d904c9a25beae11dcd7af

Download Submit
C:\Windows\System32\YwrDKtQ.exe

Filesize
1.9MB

MD5
72692c5561fccb7a9395143e800ca048

SHA1
ecb02708903fde5808d3738a8e8240195edec914

SHA256
505fa0ee1bd7e9ac531dde53ce805719f8320939d2baad301559696b3715470a

SHA512
64de4c92a0eab81b6ba5e4382058a944d233fce53ebd3f74a21542c757bf9fcfd9e6742830fad3fb2155fb7cd586caf1b66f824e4a28a6cabecec9fc4dc68ef1

Download Submit
C:\Windows\System32\bXoZWaM.exe

Filesize
1.9MB

MD5
a3d9836bf639e1ee774809761d5961fa

SHA1
2393ce27c54cfda1b7963ff26a1ba4664f6e0812

SHA256
4129c78b5e1e984604cf90f587d2106f63cbe3e1e3de8b5b187d6086ecdb3690

SHA512
a0922c80c65b89bfc36034d894d012508600c45be920f405d058d22fe87356166c6c241d3b5a17599a99cdad6ab8e757c690daa30c1f65ebbfd9befbed674641

Download Submit
C:\Windows\System32\cuOQYmU.exe

Filesize
1.9MB

MD5
726f2fbb53959dec58f4bedc8c9b6ed4

SHA1
e2e6215f9e30c6f0564a23e87dcc49592eea242c

SHA256
7dcc7b20d029ff5f7588743647fede1af2373e6480c4ae9e3b22ea70984fb8c4

SHA512
ae0b3b7696919468aabdd6c2cfd2a5e4f070b10471b53b0cbbdb289dc854073110eaba84a94dbac2f86603124d783a612c8b6f816ff572486cabbf507d3f1259

Download Submit
C:\Windows\System32\dcCSzPT.exe

Filesize
1.9MB

MD5
6dcbcaba1e8a24175442a89ebfeb747b

SHA1
ca44a9b643ae7c2d1156a87e14d5034c0d890de1

SHA256
f463ca4d016aaca989f43538601296e2c51924688b2fd87dde90dce797d39169

SHA512
9b39822842d1c2feaa51d95d9cdecd0f55730ba4d3635500d6a62f8b877602263299276c0217251a0156bd34be7495ae10e88e52522ac20808f2aa14c9802510

Download Submit
C:\Windows\System32\djfCrTI.exe

Filesize
1.9MB

MD5
ae1f48b7607d201f09b015bb6baa1868

SHA1
3737e68d9125e0553d0bcd4ebb3910af10a6a0c3

SHA256
1d2ebd93c131a98f43f9f7d657d8a9143adf00f6e2c96afd5a75d03b92b1c8b3

SHA512
0faa73ca4b504144a14edbd583a6d866d219f1556c771eaf0a22a3f0bfada4236f0d529fb72b079c34d9bb7670a98360d8632ce8a581eb9ce792c8d76e42affe

Download Submit
C:\Windows\System32\fQXPeko.exe

Filesize
1.9MB

MD5
bcf762321b9c1e24d3270751f903509d

SHA1
acc6a5bf18a9eb6c8314c28e62fe5c2cf84b42f4

SHA256
ce013d1930dab53105b167ea042f2dfeaf9fdbfd9522f70c2ea114df4a3cc3b9

SHA512
f004f0c6d06a7dd4503f9a2e67070543eec94e3d4a59e79afd6f02512eec66b6e003b0aad47a8a9908bf18562bf116e198855b07daa399827ba8518cbbdf6e26

Download Submit
C:\Windows\System32\ioTbZFX.exe

Filesize
1.9MB

MD5
18099b2d85452207a97e4b16822a07d7

SHA1
5b7d8b199aa2b22a30fd60d4e0d6d9e0fa8bcbf3

SHA256
a04a562f77294a0d78376af0b056853cfdd02fafe00b713166f6d45136b06f56

SHA512
8eba0b8c01153ac20956f234c8270ba0169d934e67df3e84fdf31a9a3a61f9d3a634affbcdd63ba6eb383fde0529dd098e2ab63ec360b439b4667d5341c0e0ca

Download Submit
C:\Windows\System32\jZGoEpH.exe

Filesize
1.9MB

MD5
4f2d998b672175a0195f5a3cf9a6daed

SHA1
4e7f3b59a326e0ccfa8dd11bcf44269116b33434

SHA256
ce89490c567bc28034ce5ccaa3ce0dd81a22f78c6113c8fca2cad791ecbd80f4

SHA512
b2cf5c2f930167813351d9577171ba0fa7fedff74be81a362e9ad9a0f8d2f5e02a3e3cc10f863273fdf1b44032d8fbafc4fdd3924ce14cc7cfd9259397abe6b3

Download Submit
C:\Windows\System32\ohVbfVr.exe

Filesize
1.9MB

MD5
d920acc94b555f6472ba69bdf07d41a9

SHA1
c33cff905545dff81bb1383a3e9469f5b904e9b1

SHA256
af22672f8e485c69c30366c087d9d8f2bde36f2b72fff07e94ab3d5eb5a46d83

SHA512
4591cc882e81e909d2994b8c7d1f6057ec244896e70ffca7472a23e22db3905382855cbaf7360913dbcb02edde97602d012ac35a16a42471afd633ab45c76e54

Download Submit
C:\Windows\System32\qEbVksq.exe

Filesize
1.9MB

MD5
b5fa7993968526a4e61e9bf26d7fe987

SHA1
28fad16a6cec80c30f97b7b1d2a49167161fbb43

SHA256
3c720ee7d29a54499aa98fafcc87f2cc007ddf480df77bcd79d1ad76f00bb3db

SHA512
74abe76d4fa0a4d1512b87d5c44a5b1c26eafb2a6dd618660121e5b914e1b57c79e6eecbc6e09eaf127c3b233fc485fb90048ccdb9e97e66d499c4bcadba0486

Download Submit
C:\Windows\System32\qOsPGxS.exe

Filesize
1.9MB

MD5
927bb40ff44ecfa09af163b5423872dc

SHA1
bb41ea18ddc5063a1aec92e858134759267a12a0

SHA256
57cf9c61d57cc5141df8155794b02f5b42f260efd861d6e30f2568648ac815a1

SHA512
6e052c9c0156cf7b7bb88789f73141550669f6bea3852d9b11997072ca5f05cbcd5a89f9fc4cd4247353f8a753785b1edcb97b8df9a29fe6390be6ef0f82cc3a

Download Submit
C:\Windows\System32\sSqroHT.exe

Filesize
1.9MB

MD5
eb56b458167d74edd4bfbaa8395b53e7

SHA1
f93dd683339a689010849ad11dc3b8e534e73bde

SHA256
03d59872bd5c632077f3369a1d06aae2bb6343c0fa7cb3ff266f1e977eff79d7

SHA512
eebd0ea2a8a423bbef90a9355fe8032a2135615b4117dfb530c53bd2a11c0bcd06d16bdd0afa7e3cb6d423b71ae8d329fff6fb019adee0885af0f900e3ddc308

Download Submit
C:\Windows\System32\uKQbEJb.exe

Filesize
1.9MB

MD5
85b54220145f67629a7c1eabc910e54d

SHA1
7600a9896e5f258267491a52b79d6dbaa556f59b

SHA256
987163f3a0a528f04bce1bc7446f80a094b916bc3ba6a25143a0e8fe1d83ccd6

SHA512
18ec241cf5d676377c1630de68792e5ce8a18d475e1b02ad39696ad0783496682e3016f55b566f1658c892f418ab69fc3ac81402f4208df265df75f5f52b7f5a

Download Submit
C:\Windows\System32\vtVtuwg.exe

Filesize
1.9MB

MD5
b4ff0c4b25d0774b4badb45b479a6fcc

SHA1
27021b73398230444ef2d7a08eea94bedb2b86bc

SHA256
bc6251658287450541617c40c784bdc1c9822bec969c27b811748547533de0ec

SHA512
6b63fc72a44a0a51754c79557833e6d781d95d9ce779c335ca4d12f76f0802590d0e4cae2c944bf3ed08aacb58948d452094b33fc48ba5d00f96110c80173028

Download Submit
C:\Windows\System32\yYiKGnN.exe

Filesize
1.9MB

MD5
e26e7b92eefca0b711bbbc3bdd821357

SHA1
7cacddaabca4cba61760508c8213f476e6d1f4a2

SHA256
bac5e17ca954811af79e0e7f667e3ee0a2751b8fff1539661c10c05773f73608

SHA512
bc3e365baf45905fafd7421d97359cc37081c3b6b5aeef3f742ee1a34f5e09e886e6d358f9ba1098454596a52384ce5bc29e4b6957117a7e3fea2efe50cf5325

Download Submit
C:\Windows\System32\ydOjYoa.exe

Filesize
1.9MB

MD5
ab096a0f8c15704bb8279e2436ebdd90

SHA1
9621d6c1085948fdb56c784b5052d013da1c2bb3

SHA256
e8cbf596228ddda2052e6442fdb9ac66eeafc5f5c1abe2885f5c1f4919a1eab7

SHA512
e7afb27e3c23ecdf4ad0b5e9003fc2d1d193fea562399f159823e327104f320c8e3a44d1508005ca2bc8a43239bf85d546cb83809f8aeff57e75f94be686c8b1

Download Submit
memory/452-571-0x00007FF799570000-0x00007FF799961000-memory.dmp

Filesize
3.9MB

Download
memory/452-2093-0x00007FF799570000-0x00007FF799961000-memory.dmp

Filesize
3.9MB

Download
memory/996-28-0x00007FF79F250000-0x00007FF79F641000-memory.dmp

Filesize
3.9MB

Download
memory/996-2042-0x00007FF79F250000-0x00007FF79F641000-memory.dmp

Filesize
3.9MB

Download
memory/996-1995-0x00007FF79F250000-0x00007FF79F641000-memory.dmp

Filesize
3.9MB

Download
memory/1300-2091-0x00007FF7ED2F0000-0x00007FF7ED6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1300-575-0x00007FF7ED2F0000-0x00007FF7ED6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1656-0-0x00007FF61C020000-0x00007FF61C411000-memory.dmp

Filesize
3.9MB

Download
memory/1656-2000-0x00007FF61C020000-0x00007FF61C411000-memory.dmp

Filesize
3.9MB

Download
memory/1656-1-0x000002841E0E0000-0x000002841E0F0000-memory.dmp

Filesize
64KB

Download
memory/1808-1998-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp

Filesize
3.9MB

Download
memory/1808-57-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp

Filesize
3.9MB

Download
memory/1808-2211-0x00007FF6ADA30000-0x00007FF6ADE21000-memory.dmp

Filesize
3.9MB

Download
memory/1836-580-0x00007FF719B10000-0x00007FF719F01000-memory.dmp

Filesize
3.9MB

Download
memory/1836-2084-0x00007FF719B10000-0x00007FF719F01000-memory.dmp

Filesize
3.9MB

Download
memory/2264-548-0x00007FF69B1F0000-0x00007FF69B5E1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2070-0x00007FF69B1F0000-0x00007FF69B5E1000-memory.dmp

Filesize
3.9MB

Download
memory/2372-2060-0x00007FF610430000-0x00007FF610821000-memory.dmp

Filesize
3.9MB

Download
memory/2372-534-0x00007FF610430000-0x00007FF610821000-memory.dmp

Filesize
3.9MB

Download
memory/2664-2046-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp

Filesize
3.9MB

Download
memory/2664-1996-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp

Filesize
3.9MB

Download
memory/2664-33-0x00007FF6E6F70000-0x00007FF6E7361000-memory.dmp

Filesize
3.9MB

Download
memory/2744-2058-0x00007FF71F1B0000-0x00007FF71F5A1000-memory.dmp

Filesize
3.9MB

Download
memory/2744-539-0x00007FF71F1B0000-0x00007FF71F5A1000-memory.dmp

Filesize
3.9MB

Download
memory/2800-532-0x00007FF662530000-0x00007FF662921000-memory.dmp

Filesize
3.9MB

Download
memory/2800-2050-0x00007FF662530000-0x00007FF662921000-memory.dmp

Filesize
3.9MB

Download
memory/2864-2069-0x00007FF730200000-0x00007FF7305F1000-memory.dmp

Filesize
3.9MB

Download
memory/2864-562-0x00007FF730200000-0x00007FF7305F1000-memory.dmp

Filesize
3.9MB

Download
memory/2980-53-0x00007FF612640000-0x00007FF612A31000-memory.dmp

Filesize
3.9MB

Download
memory/2980-2052-0x00007FF612640000-0x00007FF612A31000-memory.dmp

Filesize
3.9MB

Download
memory/3132-2088-0x00007FF72B2E0000-0x00007FF72B6D1000-memory.dmp

Filesize
3.9MB

Download
memory/3132-587-0x00007FF72B2E0000-0x00007FF72B6D1000-memory.dmp

Filesize
3.9MB

Download
memory/3200-1960-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp

Filesize
3.9MB

Download
memory/3200-6-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp

Filesize
3.9MB

Download
memory/3200-2003-0x00007FF7E03A0000-0x00007FF7E0791000-memory.dmp

Filesize
3.9MB

Download
memory/3300-1967-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3300-2007-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3300-18-0x00007FF6D9CF0000-0x00007FF6DA0E1000-memory.dmp

Filesize
3.9MB

Download
memory/3420-2064-0x00007FF6339A0000-0x00007FF633D91000-memory.dmp

Filesize
3.9MB

Download
memory/3420-545-0x00007FF6339A0000-0x00007FF633D91000-memory.dmp

Filesize
3.9MB

Download
memory/3432-2080-0x00007FF6A6040000-0x00007FF6A6431000-memory.dmp

Filesize
3.9MB

Download
memory/3432-581-0x00007FF6A6040000-0x00007FF6A6431000-memory.dmp

Filesize
3.9MB

Download
memory/3572-2054-0x00007FF795680000-0x00007FF795A71000-memory.dmp

Filesize
3.9MB

Download
memory/3572-531-0x00007FF795680000-0x00007FF795A71000-memory.dmp

Filesize
3.9MB

Download
memory/4528-542-0x00007FF6B1C50000-0x00007FF6B2041000-memory.dmp

Filesize
3.9MB

Download
memory/4528-2062-0x00007FF6B1C50000-0x00007FF6B2041000-memory.dmp

Filesize
3.9MB

Download
memory/4704-37-0x00007FF623240000-0x00007FF623631000-memory.dmp

Filesize
3.9MB

Download
memory/4704-2048-0x00007FF623240000-0x00007FF623631000-memory.dmp

Filesize
3.9MB

Download
memory/4704-1997-0x00007FF623240000-0x00007FF623631000-memory.dmp

Filesize
3.9MB

Download
memory/4948-2098-0x00007FF6A5970000-0x00007FF6A5D61000-memory.dmp

Filesize
3.9MB

Download
memory/4948-578-0x00007FF6A5970000-0x00007FF6A5D61000-memory.dmp

Filesize
3.9MB

Download
memory/5052-2056-0x00007FF696920000-0x00007FF696D11000-memory.dmp

Filesize
3.9MB

Download
memory/5052-56-0x00007FF696920000-0x00007FF696D11000-memory.dmp

Filesize
3.9MB

Download
memory/5068-2066-0x00007FF6C92C0000-0x00007FF6C96B1000-memory.dmp

Filesize
3.9MB

Download
memory/5068-552-0x00007FF6C92C0000-0x00007FF6C96B1000-memory.dmp

Filesize
3.9MB

Download
memory/5092-2005-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp

Filesize
3.9MB

Download
memory/5092-15-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp

Filesize
3.9MB

Download
memory/5092-1961-0x00007FF71F4C0000-0x00007FF71F8B1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads