xmrig | 940153ec0356b9ba3cd3b630dd5c7e0edca5d325d9ccaa0daffbaa358dea9cce

Analysis

max time kernel
138s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
Size

1.7MB
MD5

c36a97c8147f4df4582c8db44f1b3d00
SHA1

01ab335265b08607310b93b470e2d09b0638f71a
SHA256

940153ec0356b9ba3cd3b630dd5c7e0edca5d325d9ccaa0daffbaa358dea9cce
SHA512

73072f4c7449785753e260926379ef8afdd0d961f622de9345ee18da2630c5b90670532982ff656746b0badf8f95ea1d7deab5634c81e864b76430ac8b490620
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0v+BEJU666p4cI37tGTcAiUkggqd+Xf0BEK0:knw9oUUEEDlOuJ2Y4cIZGcygjow

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/5112-435-0x00007FF6D00D0000-0x00007FF6D04C1000-memory.dmp	xmrig
behavioral2/memory/400-473-0x00007FF6C6BA0000-0x00007FF6C6F91000-memory.dmp	xmrig
behavioral2/memory/3384-451-0x00007FF75DBC0000-0x00007FF75DFB1000-memory.dmp	xmrig
behavioral2/memory/4076-499-0x00007FF6FE050000-0x00007FF6FE441000-memory.dmp	xmrig
behavioral2/memory/548-504-0x00007FF7F0A30000-0x00007FF7F0E21000-memory.dmp	xmrig
behavioral2/memory/856-535-0x00007FF71E4E0000-0x00007FF71E8D1000-memory.dmp	xmrig
behavioral2/memory/4856-560-0x00007FF6085C0000-0x00007FF6089B1000-memory.dmp	xmrig
behavioral2/memory/1688-578-0x00007FF670CD0000-0x00007FF6710C1000-memory.dmp	xmrig
behavioral2/memory/1896-581-0x00007FF61BC80000-0x00007FF61C071000-memory.dmp	xmrig
behavioral2/memory/4560-587-0x00007FF776100000-0x00007FF7764F1000-memory.dmp	xmrig
behavioral2/memory/5048-594-0x00007FF797530000-0x00007FF797921000-memory.dmp	xmrig
behavioral2/memory/4116-590-0x00007FF6ECA90000-0x00007FF6ECE81000-memory.dmp	xmrig
behavioral2/memory/2208-572-0x00007FF63D7E0000-0x00007FF63DBD1000-memory.dmp	xmrig
behavioral2/memory/3624-569-0x00007FF696220000-0x00007FF696611000-memory.dmp	xmrig
behavioral2/memory/1856-550-0x00007FF786690000-0x00007FF786A81000-memory.dmp	xmrig
behavioral2/memory/4436-531-0x00007FF7CD180000-0x00007FF7CD571000-memory.dmp	xmrig
behavioral2/memory/1540-448-0x00007FF6D0460000-0x00007FF6D0851000-memory.dmp	xmrig
behavioral2/memory/3064-11-0x00007FF65F750000-0x00007FF65FB41000-memory.dmp	xmrig
behavioral2/memory/2480-1989-0x00007FF7DD780000-0x00007FF7DDB71000-memory.dmp	xmrig
behavioral2/memory/2720-1990-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp	xmrig
behavioral2/memory/2752-1991-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp	xmrig
behavioral2/memory/1420-1992-0x00007FF74D250000-0x00007FF74D641000-memory.dmp	xmrig
behavioral2/memory/4092-1993-0x00007FF69C580000-0x00007FF69C971000-memory.dmp	xmrig
behavioral2/memory/1060-1994-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp	xmrig
behavioral2/memory/4140-2029-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp	xmrig
behavioral2/memory/3064-2033-0x00007FF65F750000-0x00007FF65FB41000-memory.dmp	xmrig
behavioral2/memory/2752-2035-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp	xmrig
behavioral2/memory/2720-2037-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp	xmrig
behavioral2/memory/1420-2041-0x00007FF74D250000-0x00007FF74D641000-memory.dmp	xmrig
behavioral2/memory/4092-2039-0x00007FF69C580000-0x00007FF69C971000-memory.dmp	xmrig
behavioral2/memory/1060-2043-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp	xmrig
behavioral2/memory/5112-2049-0x00007FF6D00D0000-0x00007FF6D04C1000-memory.dmp	xmrig
behavioral2/memory/4076-2055-0x00007FF6FE050000-0x00007FF6FE441000-memory.dmp	xmrig
behavioral2/memory/4436-2059-0x00007FF7CD180000-0x00007FF7CD571000-memory.dmp	xmrig
behavioral2/memory/1856-2063-0x00007FF786690000-0x00007FF786A81000-memory.dmp	xmrig
behavioral2/memory/4856-2065-0x00007FF6085C0000-0x00007FF6089B1000-memory.dmp	xmrig
behavioral2/memory/3624-2067-0x00007FF696220000-0x00007FF696611000-memory.dmp	xmrig
behavioral2/memory/856-2061-0x00007FF71E4E0000-0x00007FF71E8D1000-memory.dmp	xmrig
behavioral2/memory/548-2057-0x00007FF7F0A30000-0x00007FF7F0E21000-memory.dmp	xmrig
behavioral2/memory/3384-2053-0x00007FF75DBC0000-0x00007FF75DFB1000-memory.dmp	xmrig
behavioral2/memory/400-2051-0x00007FF6C6BA0000-0x00007FF6C6F91000-memory.dmp	xmrig
behavioral2/memory/4140-2045-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp	xmrig
behavioral2/memory/1540-2047-0x00007FF6D0460000-0x00007FF6D0851000-memory.dmp	xmrig
behavioral2/memory/2208-2071-0x00007FF63D7E0000-0x00007FF63DBD1000-memory.dmp	xmrig
behavioral2/memory/1896-2079-0x00007FF61BC80000-0x00007FF61C071000-memory.dmp	xmrig
behavioral2/memory/5048-2073-0x00007FF797530000-0x00007FF797921000-memory.dmp	xmrig
behavioral2/memory/4560-2077-0x00007FF776100000-0x00007FF7764F1000-memory.dmp	xmrig
behavioral2/memory/4116-2075-0x00007FF6ECA90000-0x00007FF6ECE81000-memory.dmp	xmrig
behavioral2/memory/1688-2069-0x00007FF670CD0000-0x00007FF6710C1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3064	bdMLbxC.exe
2752	TUrnXUf.exe
2720	uIwdfeZ.exe
1420	WlBAiHD.exe
4092	RqaipBt.exe
1060	OynMYee.exe
4140	eaonMOF.exe
5112	llTqqDP.exe
1540	SOprgUn.exe
3384	ZEIiENj.exe
400	oGbSqUZ.exe
4076	AwaHAvp.exe
548	JdMLVtb.exe
4436	eKmfaDy.exe
856	JvDDHZM.exe
1856	KgIxIgn.exe
4856	agSGHPg.exe
3624	tYNJegq.exe
2208	bqFcewA.exe
1688	NCYXBLH.exe
1896	TuamGti.exe
4560	FMGmOWZ.exe
4116	rLXdmjF.exe
5048	JHxkAWc.exe
2284	qYXJCtb.exe
3668	trUwWJu.exe
1864	CIfzXyy.exe
1192	RDmmFfx.exe
764	xgrHYPm.exe
2476	UhdIFtu.exe
4460	NaruYpm.exe
4056	HaelHmS.exe
1424	TgcwsJK.exe
3884	UEChJwh.exe
1692	InWcsRK.exe
2224	gMgdFeT.exe
4920	dunLqaQ.exe
1708	nibWBek.exe
4240	zAmLqzA.exe
3988	skNcnEb.exe
2440	jLWleKD.exe
696	zubymJb.exe
4588	SPayEMx.exe
4420	jtSnjUz.exe
1528	ffMcNzn.exe
3732	QZTzenl.exe
2708	BIkmfPl.exe
592	dLtUZOb.exe
3768	slYHkFi.exe
2240	eOtDIjp.exe
2668	aoisdjX.exe
4088	ToliYBe.exe
4540	uyswkul.exe
3840	vhloaUB.exe
2384	asAUDBl.exe
996	zwtBpBZ.exe
1744	fXAQCaY.exe
1924	tHLcAox.exe
4452	qAfLzMZ.exe
4136	VXzYdGL.exe
5032	OAuotHL.exe
3792	dItkVim.exe
2084	oeeSoNJ.exe
3628	lgflUsj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2480-0-0x00007FF7DD780000-0x00007FF7DDB71000-memory.dmp	upx
behavioral2/files/0x0008000000023426-4.dat	upx
behavioral2/files/0x000700000002342d-8.dat	upx
behavioral2/files/0x0008000000023429-10.dat	upx
behavioral2/memory/2720-15-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp	upx
behavioral2/files/0x000700000002342e-24.dat	upx
behavioral2/files/0x000700000002342f-26.dat	upx
behavioral2/files/0x0007000000023430-35.dat	upx
behavioral2/files/0x0007000000023431-39.dat	upx
behavioral2/memory/1060-40-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp	upx
behavioral2/files/0x0007000000023432-47.dat	upx
behavioral2/files/0x0007000000023436-63.dat	upx
behavioral2/files/0x0007000000023437-68.dat	upx
behavioral2/files/0x000700000002343c-91.dat	upx
behavioral2/files/0x000700000002343f-108.dat	upx
behavioral2/files/0x0007000000023441-119.dat	upx
behavioral2/files/0x0007000000023443-128.dat	upx
behavioral2/files/0x0007000000023445-138.dat	upx
behavioral2/files/0x000700000002344a-163.dat	upx
behavioral2/memory/5112-435-0x00007FF6D00D0000-0x00007FF6D04C1000-memory.dmp	upx
behavioral2/memory/400-473-0x00007FF6C6BA0000-0x00007FF6C6F91000-memory.dmp	upx
behavioral2/memory/3384-451-0x00007FF75DBC0000-0x00007FF75DFB1000-memory.dmp	upx
behavioral2/memory/4076-499-0x00007FF6FE050000-0x00007FF6FE441000-memory.dmp	upx
behavioral2/memory/548-504-0x00007FF7F0A30000-0x00007FF7F0E21000-memory.dmp	upx
behavioral2/memory/856-535-0x00007FF71E4E0000-0x00007FF71E8D1000-memory.dmp	upx
behavioral2/memory/4856-560-0x00007FF6085C0000-0x00007FF6089B1000-memory.dmp	upx
behavioral2/memory/1688-578-0x00007FF670CD0000-0x00007FF6710C1000-memory.dmp	upx
behavioral2/memory/1896-581-0x00007FF61BC80000-0x00007FF61C071000-memory.dmp	upx
behavioral2/memory/4560-587-0x00007FF776100000-0x00007FF7764F1000-memory.dmp	upx
behavioral2/memory/5048-594-0x00007FF797530000-0x00007FF797921000-memory.dmp	upx
behavioral2/memory/4116-590-0x00007FF6ECA90000-0x00007FF6ECE81000-memory.dmp	upx
behavioral2/memory/2208-572-0x00007FF63D7E0000-0x00007FF63DBD1000-memory.dmp	upx
behavioral2/memory/3624-569-0x00007FF696220000-0x00007FF696611000-memory.dmp	upx
behavioral2/memory/1856-550-0x00007FF786690000-0x00007FF786A81000-memory.dmp	upx
behavioral2/memory/4436-531-0x00007FF7CD180000-0x00007FF7CD571000-memory.dmp	upx
behavioral2/memory/1540-448-0x00007FF6D0460000-0x00007FF6D0851000-memory.dmp	upx
behavioral2/files/0x000700000002344b-168.dat	upx
behavioral2/files/0x0007000000023449-158.dat	upx
behavioral2/files/0x0007000000023448-153.dat	upx
behavioral2/files/0x0007000000023447-148.dat	upx
behavioral2/files/0x0007000000023446-143.dat	upx
behavioral2/files/0x0007000000023444-133.dat	upx
behavioral2/files/0x0007000000023442-123.dat	upx
behavioral2/files/0x0007000000023440-113.dat	upx
behavioral2/files/0x000700000002343e-103.dat	upx
behavioral2/files/0x000700000002343d-98.dat	upx
behavioral2/files/0x000700000002343b-88.dat	upx
behavioral2/files/0x000700000002343a-84.dat	upx
behavioral2/files/0x0007000000023439-78.dat	upx
behavioral2/files/0x0007000000023438-73.dat	upx
behavioral2/files/0x0007000000023435-58.dat	upx
behavioral2/files/0x0007000000023433-53.dat	upx
behavioral2/memory/4140-43-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp	upx
behavioral2/memory/4092-32-0x00007FF69C580000-0x00007FF69C971000-memory.dmp	upx
behavioral2/memory/1420-28-0x00007FF74D250000-0x00007FF74D641000-memory.dmp	upx
behavioral2/memory/2752-21-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp	upx
behavioral2/memory/3064-11-0x00007FF65F750000-0x00007FF65FB41000-memory.dmp	upx
behavioral2/memory/2480-1989-0x00007FF7DD780000-0x00007FF7DDB71000-memory.dmp	upx
behavioral2/memory/2720-1990-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp	upx
behavioral2/memory/2752-1991-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp	upx
behavioral2/memory/1420-1992-0x00007FF74D250000-0x00007FF74D641000-memory.dmp	upx
behavioral2/memory/4092-1993-0x00007FF69C580000-0x00007FF69C971000-memory.dmp	upx
behavioral2/memory/1060-1994-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp	upx
behavioral2/memory/4140-2029-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\BqEtPgR.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\PTKAZPK.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\jXPwrDK.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\XgToBfI.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\qMHxCaW.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\uqWJzhd.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\QLsQtsI.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\RJZbJfo.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\htiuDWq.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\iHMHbou.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ITdItQy.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\dunLqaQ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\xhXKvxf.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\qPMbCHB.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\BCDWepf.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\zAdqcnJ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\IzCdgiE.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\njsJyfm.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\gUEUaPm.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\OAuotHL.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\HWaGLSz.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\LZyjiAr.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\lvIeyev.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\akrBmMI.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\EfnNMtn.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\OHAoUeI.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ijtYrhF.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\uIwdfeZ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\TbgMQaZ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZxYytAP.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\qQXhtco.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\rppkrkE.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\tnSwjAp.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZHEcCwh.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\PnNNBlR.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\COwBOCk.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\cIgdKYn.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\HgTBmZl.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\TeZpnxe.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\bLHOqpK.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ffMcNzn.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\dDzXgtM.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\LfAgoKn.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ImHGgyO.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\TCfxbUU.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\wlPXsBc.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\NkxeAQx.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\wcXOyoy.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZWbohTe.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\MnVZJcO.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\SebKLLv.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\OxOWPkJ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\eOtDIjp.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\taLssuR.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\iLfzbzi.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\XIVaeok.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\EcqOkYP.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\TUbvmuQ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\zDqbGDW.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\bXjFnfJ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\xlbQgRy.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\bHAsvnJ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\vpfSLZZ.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
File created	C:\Windows\System32\AwaHAvp.exe	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13060	dwm.exe
Token: SeChangeNotifyPrivilege	13060	dwm.exe
Token: 33	13060	dwm.exe
Token: SeIncBasePriorityPrivilege	13060	dwm.exe
Token: SeShutdownPrivilege	13060	dwm.exe
Token: SeCreatePagefilePrivilege	13060	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3064	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	86
PID 2480 wrote to memory of 3064	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	86
PID 2480 wrote to memory of 2752	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	87
PID 2480 wrote to memory of 2752	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	87
PID 2480 wrote to memory of 2720	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	88
PID 2480 wrote to memory of 2720	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	88
PID 2480 wrote to memory of 1420	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	89
PID 2480 wrote to memory of 1420	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	89
PID 2480 wrote to memory of 4092	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	90
PID 2480 wrote to memory of 4092	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	90
PID 2480 wrote to memory of 1060	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	91
PID 2480 wrote to memory of 1060	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	91
PID 2480 wrote to memory of 4140	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	92
PID 2480 wrote to memory of 4140	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	92
PID 2480 wrote to memory of 5112	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	93
PID 2480 wrote to memory of 5112	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	93
PID 2480 wrote to memory of 1540	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	94
PID 2480 wrote to memory of 1540	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	94
PID 2480 wrote to memory of 3384	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	95
PID 2480 wrote to memory of 3384	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	95
PID 2480 wrote to memory of 400	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	96
PID 2480 wrote to memory of 400	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	96
PID 2480 wrote to memory of 4076	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	97
PID 2480 wrote to memory of 4076	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	97
PID 2480 wrote to memory of 548	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	98
PID 2480 wrote to memory of 548	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	98
PID 2480 wrote to memory of 4436	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	99
PID 2480 wrote to memory of 4436	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	99
PID 2480 wrote to memory of 856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	100
PID 2480 wrote to memory of 856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	100
PID 2480 wrote to memory of 1856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	101
PID 2480 wrote to memory of 1856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	101
PID 2480 wrote to memory of 4856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	102
PID 2480 wrote to memory of 4856	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	102
PID 2480 wrote to memory of 3624	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	103
PID 2480 wrote to memory of 3624	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	103
PID 2480 wrote to memory of 2208	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	104
PID 2480 wrote to memory of 2208	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	104
PID 2480 wrote to memory of 1688	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	105
PID 2480 wrote to memory of 1688	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	105
PID 2480 wrote to memory of 1896	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	106
PID 2480 wrote to memory of 1896	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	106
PID 2480 wrote to memory of 4560	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	107
PID 2480 wrote to memory of 4560	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	107
PID 2480 wrote to memory of 4116	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	108
PID 2480 wrote to memory of 4116	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	108
PID 2480 wrote to memory of 5048	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	109
PID 2480 wrote to memory of 5048	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	109
PID 2480 wrote to memory of 2284	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	110
PID 2480 wrote to memory of 2284	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	110
PID 2480 wrote to memory of 3668	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	111
PID 2480 wrote to memory of 3668	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	111
PID 2480 wrote to memory of 1864	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	112
PID 2480 wrote to memory of 1864	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	112
PID 2480 wrote to memory of 1192	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	113
PID 2480 wrote to memory of 1192	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	113
PID 2480 wrote to memory of 764	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	114
PID 2480 wrote to memory of 764	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	114
PID 2480 wrote to memory of 2476	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	115
PID 2480 wrote to memory of 2476	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	115
PID 2480 wrote to memory of 4460	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	116
PID 2480 wrote to memory of 4460	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	116
PID 2480 wrote to memory of 4056	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	117
PID 2480 wrote to memory of 4056	2480	c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c36a97c8147f4df4582c8db44f1b3d00_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\bdMLbxC.exe
  C:\Windows\System32\bdMLbxC.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\TUrnXUf.exe
  C:\Windows\System32\TUrnXUf.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\uIwdfeZ.exe
  C:\Windows\System32\uIwdfeZ.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\WlBAiHD.exe
  C:\Windows\System32\WlBAiHD.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System32\RqaipBt.exe
  C:\Windows\System32\RqaipBt.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\OynMYee.exe
  C:\Windows\System32\OynMYee.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System32\eaonMOF.exe
  C:\Windows\System32\eaonMOF.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\llTqqDP.exe
  C:\Windows\System32\llTqqDP.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\SOprgUn.exe
  C:\Windows\System32\SOprgUn.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\ZEIiENj.exe
  C:\Windows\System32\ZEIiENj.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\oGbSqUZ.exe
  C:\Windows\System32\oGbSqUZ.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\AwaHAvp.exe
  C:\Windows\System32\AwaHAvp.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\JdMLVtb.exe
  C:\Windows\System32\JdMLVtb.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\eKmfaDy.exe
  C:\Windows\System32\eKmfaDy.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\JvDDHZM.exe
  C:\Windows\System32\JvDDHZM.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\KgIxIgn.exe
  C:\Windows\System32\KgIxIgn.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\agSGHPg.exe
  C:\Windows\System32\agSGHPg.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\tYNJegq.exe
  C:\Windows\System32\tYNJegq.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\bqFcewA.exe
  C:\Windows\System32\bqFcewA.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\NCYXBLH.exe
  C:\Windows\System32\NCYXBLH.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\TuamGti.exe
  C:\Windows\System32\TuamGti.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System32\FMGmOWZ.exe
  C:\Windows\System32\FMGmOWZ.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\rLXdmjF.exe
  C:\Windows\System32\rLXdmjF.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\JHxkAWc.exe
  C:\Windows\System32\JHxkAWc.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\qYXJCtb.exe
  C:\Windows\System32\qYXJCtb.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\trUwWJu.exe
  C:\Windows\System32\trUwWJu.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\CIfzXyy.exe
  C:\Windows\System32\CIfzXyy.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\RDmmFfx.exe
  C:\Windows\System32\RDmmFfx.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\xgrHYPm.exe
  C:\Windows\System32\xgrHYPm.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\UhdIFtu.exe
  C:\Windows\System32\UhdIFtu.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System32\NaruYpm.exe
  C:\Windows\System32\NaruYpm.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\HaelHmS.exe
  C:\Windows\System32\HaelHmS.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\TgcwsJK.exe
  C:\Windows\System32\TgcwsJK.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System32\UEChJwh.exe
  C:\Windows\System32\UEChJwh.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System32\InWcsRK.exe
  C:\Windows\System32\InWcsRK.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\gMgdFeT.exe
  C:\Windows\System32\gMgdFeT.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System32\dunLqaQ.exe
  C:\Windows\System32\dunLqaQ.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\nibWBek.exe
  C:\Windows\System32\nibWBek.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\zAmLqzA.exe
  C:\Windows\System32\zAmLqzA.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\skNcnEb.exe
  C:\Windows\System32\skNcnEb.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\jLWleKD.exe
  C:\Windows\System32\jLWleKD.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System32\zubymJb.exe
  C:\Windows\System32\zubymJb.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\SPayEMx.exe
  C:\Windows\System32\SPayEMx.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\jtSnjUz.exe
  C:\Windows\System32\jtSnjUz.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\ffMcNzn.exe
  C:\Windows\System32\ffMcNzn.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\QZTzenl.exe
  C:\Windows\System32\QZTzenl.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\BIkmfPl.exe
  C:\Windows\System32\BIkmfPl.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System32\dLtUZOb.exe
  C:\Windows\System32\dLtUZOb.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System32\slYHkFi.exe
  C:\Windows\System32\slYHkFi.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\eOtDIjp.exe
  C:\Windows\System32\eOtDIjp.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System32\aoisdjX.exe
  C:\Windows\System32\aoisdjX.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\ToliYBe.exe
  C:\Windows\System32\ToliYBe.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\uyswkul.exe
  C:\Windows\System32\uyswkul.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System32\vhloaUB.exe
  C:\Windows\System32\vhloaUB.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System32\asAUDBl.exe
  C:\Windows\System32\asAUDBl.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\zwtBpBZ.exe
  C:\Windows\System32\zwtBpBZ.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System32\fXAQCaY.exe
  C:\Windows\System32\fXAQCaY.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\tHLcAox.exe
  C:\Windows\System32\tHLcAox.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\qAfLzMZ.exe
  C:\Windows\System32\qAfLzMZ.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\VXzYdGL.exe
  C:\Windows\System32\VXzYdGL.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\OAuotHL.exe
  C:\Windows\System32\OAuotHL.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\dItkVim.exe
  C:\Windows\System32\dItkVim.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System32\oeeSoNJ.exe
  C:\Windows\System32\oeeSoNJ.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\lgflUsj.exe
  C:\Windows\System32\lgflUsj.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\nwpAiGn.exe
  C:\Windows\System32\nwpAiGn.exe
  2⤵
  PID:4652
- C:\Windows\System32\GdVkxmu.exe
  C:\Windows\System32\GdVkxmu.exe
  2⤵
  PID:4348
- C:\Windows\System32\TbgMQaZ.exe
  C:\Windows\System32\TbgMQaZ.exe
  2⤵
  PID:4984
- C:\Windows\System32\sMQebCk.exe
  C:\Windows\System32\sMQebCk.exe
  2⤵
  PID:4400
- C:\Windows\System32\wmvihnc.exe
  C:\Windows\System32\wmvihnc.exe
  2⤵
  PID:1892
- C:\Windows\System32\hGJPcXi.exe
  C:\Windows\System32\hGJPcXi.exe
  2⤵
  PID:2056
- C:\Windows\System32\bdkhTFR.exe
  C:\Windows\System32\bdkhTFR.exe
  2⤵
  PID:2008
- C:\Windows\System32\EjZIoBg.exe
  C:\Windows\System32\EjZIoBg.exe
  2⤵
  PID:3216
- C:\Windows\System32\TjRLhDB.exe
  C:\Windows\System32\TjRLhDB.exe
  2⤵
  PID:1964
- C:\Windows\System32\GarIEwT.exe
  C:\Windows\System32\GarIEwT.exe
  2⤵
  PID:964
- C:\Windows\System32\CJEluIa.exe
  C:\Windows\System32\CJEluIa.exe
  2⤵
  PID:4832
- C:\Windows\System32\SaPmPJE.exe
  C:\Windows\System32\SaPmPJE.exe
  2⤵
  PID:4972
- C:\Windows\System32\FDRFzWW.exe
  C:\Windows\System32\FDRFzWW.exe
  2⤵
  PID:4196
- C:\Windows\System32\ISacThk.exe
  C:\Windows\System32\ISacThk.exe
  2⤵
  PID:4376
- C:\Windows\System32\ZxYytAP.exe
  C:\Windows\System32\ZxYytAP.exe
  2⤵
  PID:8
- C:\Windows\System32\wHCcSLT.exe
  C:\Windows\System32\wHCcSLT.exe
  2⤵
  PID:228
- C:\Windows\System32\MoVnGjp.exe
  C:\Windows\System32\MoVnGjp.exe
  2⤵
  PID:5144
- C:\Windows\System32\cTfPSVI.exe
  C:\Windows\System32\cTfPSVI.exe
  2⤵
  PID:5176
- C:\Windows\System32\iqkLAFW.exe
  C:\Windows\System32\iqkLAFW.exe
  2⤵
  PID:5204
- C:\Windows\System32\HtiEVOr.exe
  C:\Windows\System32\HtiEVOr.exe
  2⤵
  PID:5232
- C:\Windows\System32\uEvHlRD.exe
  C:\Windows\System32\uEvHlRD.exe
  2⤵
  PID:5260
- C:\Windows\System32\lNLtPSC.exe
  C:\Windows\System32\lNLtPSC.exe
  2⤵
  PID:5288
- C:\Windows\System32\fczhKOm.exe
  C:\Windows\System32\fczhKOm.exe
  2⤵
  PID:5316
- C:\Windows\System32\EfowcvF.exe
  C:\Windows\System32\EfowcvF.exe
  2⤵
  PID:5344
- C:\Windows\System32\pztPwcb.exe
  C:\Windows\System32\pztPwcb.exe
  2⤵
  PID:5376
- C:\Windows\System32\rRFtfca.exe
  C:\Windows\System32\rRFtfca.exe
  2⤵
  PID:5396
- C:\Windows\System32\eCqhLRX.exe
  C:\Windows\System32\eCqhLRX.exe
  2⤵
  PID:5428
- C:\Windows\System32\vYOnxox.exe
  C:\Windows\System32\vYOnxox.exe
  2⤵
  PID:5456
- C:\Windows\System32\NsObxro.exe
  C:\Windows\System32\NsObxro.exe
  2⤵
  PID:5484
- C:\Windows\System32\ZjxzjXR.exe
  C:\Windows\System32\ZjxzjXR.exe
  2⤵
  PID:5516
- C:\Windows\System32\HWaGLSz.exe
  C:\Windows\System32\HWaGLSz.exe
  2⤵
  PID:5544
- C:\Windows\System32\xrAJbXd.exe
  C:\Windows\System32\xrAJbXd.exe
  2⤵
  PID:5564
- C:\Windows\System32\ZlLQGRq.exe
  C:\Windows\System32\ZlLQGRq.exe
  2⤵
  PID:5592
- C:\Windows\System32\TUbvmuQ.exe
  C:\Windows\System32\TUbvmuQ.exe
  2⤵
  PID:5620
- C:\Windows\System32\NhxRVZj.exe
  C:\Windows\System32\NhxRVZj.exe
  2⤵
  PID:5648
- C:\Windows\System32\RJZbJfo.exe
  C:\Windows\System32\RJZbJfo.exe
  2⤵
  PID:5676
- C:\Windows\System32\aPiiZFm.exe
  C:\Windows\System32\aPiiZFm.exe
  2⤵
  PID:5704
- C:\Windows\System32\TOcYMVo.exe
  C:\Windows\System32\TOcYMVo.exe
  2⤵
  PID:5732
- C:\Windows\System32\IauDyfZ.exe
  C:\Windows\System32\IauDyfZ.exe
  2⤵
  PID:5760
- C:\Windows\System32\llzbkOt.exe
  C:\Windows\System32\llzbkOt.exe
  2⤵
  PID:5796
- C:\Windows\System32\MgSfMOH.exe
  C:\Windows\System32\MgSfMOH.exe
  2⤵
  PID:5816
- C:\Windows\System32\RZUsViO.exe
  C:\Windows\System32\RZUsViO.exe
  2⤵
  PID:5844
- C:\Windows\System32\hCZINBB.exe
  C:\Windows\System32\hCZINBB.exe
  2⤵
  PID:5872
- C:\Windows\System32\JDAUKaD.exe
  C:\Windows\System32\JDAUKaD.exe
  2⤵
  PID:5900
- C:\Windows\System32\CAKbjvy.exe
  C:\Windows\System32\CAKbjvy.exe
  2⤵
  PID:5928
- C:\Windows\System32\iFQWwKs.exe
  C:\Windows\System32\iFQWwKs.exe
  2⤵
  PID:5956
- C:\Windows\System32\bpUNtwo.exe
  C:\Windows\System32\bpUNtwo.exe
  2⤵
  PID:5984
- C:\Windows\System32\MKYeFcq.exe
  C:\Windows\System32\MKYeFcq.exe
  2⤵
  PID:6012
- C:\Windows\System32\cXmdeoO.exe
  C:\Windows\System32\cXmdeoO.exe
  2⤵
  PID:6040
- C:\Windows\System32\YsDSJvc.exe
  C:\Windows\System32\YsDSJvc.exe
  2⤵
  PID:6068
- C:\Windows\System32\BqEtPgR.exe
  C:\Windows\System32\BqEtPgR.exe
  2⤵
  PID:6096
- C:\Windows\System32\bpTMfix.exe
  C:\Windows\System32\bpTMfix.exe
  2⤵
  PID:6124
- C:\Windows\System32\qEOYUfF.exe
  C:\Windows\System32\qEOYUfF.exe
  2⤵
  PID:4500
- C:\Windows\System32\KzogqPa.exe
  C:\Windows\System32\KzogqPa.exe
  2⤵
  PID:1200
- C:\Windows\System32\bOQzsZA.exe
  C:\Windows\System32\bOQzsZA.exe
  2⤵
  PID:3584
- C:\Windows\System32\VXkulmH.exe
  C:\Windows\System32\VXkulmH.exe
  2⤵
  PID:5128
- C:\Windows\System32\PHjZFmm.exe
  C:\Windows\System32\PHjZFmm.exe
  2⤵
  PID:5196
- C:\Windows\System32\RGmUTxI.exe
  C:\Windows\System32\RGmUTxI.exe
  2⤵
  PID:5352
- C:\Windows\System32\XfjYlah.exe
  C:\Windows\System32\XfjYlah.exe
  2⤵
  PID:5392
- C:\Windows\System32\CkQzmQU.exe
  C:\Windows\System32\CkQzmQU.exe
  2⤵
  PID:5404
- C:\Windows\System32\qMHxCaW.exe
  C:\Windows\System32\qMHxCaW.exe
  2⤵
  PID:5476
- C:\Windows\System32\azlppsf.exe
  C:\Windows\System32\azlppsf.exe
  2⤵
  PID:5492
- C:\Windows\System32\EUcbSpl.exe
  C:\Windows\System32\EUcbSpl.exe
  2⤵
  PID:5532
- C:\Windows\System32\jCTMewc.exe
  C:\Windows\System32\jCTMewc.exe
  2⤵
  PID:5584
- C:\Windows\System32\XOqBPNm.exe
  C:\Windows\System32\XOqBPNm.exe
  2⤵
  PID:5628
- C:\Windows\System32\zDqbGDW.exe
  C:\Windows\System32\zDqbGDW.exe
  2⤵
  PID:5668
- C:\Windows\System32\SwCTwGH.exe
  C:\Windows\System32\SwCTwGH.exe
  2⤵
  PID:5696
- C:\Windows\System32\WbnRSdk.exe
  C:\Windows\System32\WbnRSdk.exe
  2⤵
  PID:5748
- C:\Windows\System32\qQXhtco.exe
  C:\Windows\System32\qQXhtco.exe
  2⤵
  PID:5752
- C:\Windows\System32\XIFqXRu.exe
  C:\Windows\System32\XIFqXRu.exe
  2⤵
  PID:5812
- C:\Windows\System32\JfRwreI.exe
  C:\Windows\System32\JfRwreI.exe
  2⤵
  PID:4464
- C:\Windows\System32\RSrVpLb.exe
  C:\Windows\System32\RSrVpLb.exe
  2⤵
  PID:5888
- C:\Windows\System32\nSCXooX.exe
  C:\Windows\System32\nSCXooX.exe
  2⤵
  PID:5920
- C:\Windows\System32\heCJNEB.exe
  C:\Windows\System32\heCJNEB.exe
  2⤵
  PID:5964
- C:\Windows\System32\rBoLuLE.exe
  C:\Windows\System32\rBoLuLE.exe
  2⤵
  PID:5992
- C:\Windows\System32\NkxeAQx.exe
  C:\Windows\System32\NkxeAQx.exe
  2⤵
  PID:6020
- C:\Windows\System32\PLeudKO.exe
  C:\Windows\System32\PLeudKO.exe
  2⤵
  PID:6048
- C:\Windows\System32\etEZGVo.exe
  C:\Windows\System32\etEZGVo.exe
  2⤵
  PID:6076
- C:\Windows\System32\RPPCCUW.exe
  C:\Windows\System32\RPPCCUW.exe
  2⤵
  PID:368
- C:\Windows\System32\cIYesXd.exe
  C:\Windows\System32\cIYesXd.exe
  2⤵
  PID:3100
- C:\Windows\System32\PhJyoMN.exe
  C:\Windows\System32\PhJyoMN.exe
  2⤵
  PID:4744
- C:\Windows\System32\ewccjdP.exe
  C:\Windows\System32\ewccjdP.exe
  2⤵
  PID:5024
- C:\Windows\System32\Ibdtmyw.exe
  C:\Windows\System32\Ibdtmyw.exe
  2⤵
  PID:2936
- C:\Windows\System32\eYaOiOu.exe
  C:\Windows\System32\eYaOiOu.exe
  2⤵
  PID:3968
- C:\Windows\System32\rSWabtC.exe
  C:\Windows\System32\rSWabtC.exe
  2⤵
  PID:4860
- C:\Windows\System32\NBMGKjH.exe
  C:\Windows\System32\NBMGKjH.exe
  2⤵
  PID:5304
- C:\Windows\System32\ImHGgyO.exe
  C:\Windows\System32\ImHGgyO.exe
  2⤵
  PID:5152
- C:\Windows\System32\BxXCYfr.exe
  C:\Windows\System32\BxXCYfr.exe
  2⤵
  PID:3208
- C:\Windows\System32\BGtqtoz.exe
  C:\Windows\System32\BGtqtoz.exe
  2⤵
  PID:2408
- C:\Windows\System32\YcqoEAQ.exe
  C:\Windows\System32\YcqoEAQ.exe
  2⤵
  PID:5364
- C:\Windows\System32\dWdBKBm.exe
  C:\Windows\System32\dWdBKBm.exe
  2⤵
  PID:5512
- C:\Windows\System32\UNzBbbJ.exe
  C:\Windows\System32\UNzBbbJ.exe
  2⤵
  PID:5560
- C:\Windows\System32\oHbuCeQ.exe
  C:\Windows\System32\oHbuCeQ.exe
  2⤵
  PID:5836
- C:\Windows\System32\OyCnMaX.exe
  C:\Windows\System32\OyCnMaX.exe
  2⤵
  PID:5600
- C:\Windows\System32\VyifBNS.exe
  C:\Windows\System32\VyifBNS.exe
  2⤵
  PID:5972
- C:\Windows\System32\tRdbPJZ.exe
  C:\Windows\System32\tRdbPJZ.exe
  2⤵
  PID:1312
- C:\Windows\System32\XBLSfrx.exe
  C:\Windows\System32\XBLSfrx.exe
  2⤵
  PID:5740
- C:\Windows\System32\HhEwMvp.exe
  C:\Windows\System32\HhEwMvp.exe
  2⤵
  PID:1660
- C:\Windows\System32\HgTBmZl.exe
  C:\Windows\System32\HgTBmZl.exe
  2⤵
  PID:4416
- C:\Windows\System32\xhXKvxf.exe
  C:\Windows\System32\xhXKvxf.exe
  2⤵
  PID:6372
- C:\Windows\System32\txDgPAc.exe
  C:\Windows\System32\txDgPAc.exe
  2⤵
  PID:6388
- C:\Windows\System32\MXykVrf.exe
  C:\Windows\System32\MXykVrf.exe
  2⤵
  PID:6460
- C:\Windows\System32\VckoHJV.exe
  C:\Windows\System32\VckoHJV.exe
  2⤵
  PID:6480
- C:\Windows\System32\VPAxCbs.exe
  C:\Windows\System32\VPAxCbs.exe
  2⤵
  PID:6528
- C:\Windows\System32\ZnTFQUb.exe
  C:\Windows\System32\ZnTFQUb.exe
  2⤵
  PID:6560
- C:\Windows\System32\CGlAQsa.exe
  C:\Windows\System32\CGlAQsa.exe
  2⤵
  PID:6592
- C:\Windows\System32\bXjFnfJ.exe
  C:\Windows\System32\bXjFnfJ.exe
  2⤵
  PID:6620
- C:\Windows\System32\QRiCUuS.exe
  C:\Windows\System32\QRiCUuS.exe
  2⤵
  PID:6668
- C:\Windows\System32\LLCBhPL.exe
  C:\Windows\System32\LLCBhPL.exe
  2⤵
  PID:6688
- C:\Windows\System32\woqyROO.exe
  C:\Windows\System32\woqyROO.exe
  2⤵
  PID:6724
- C:\Windows\System32\OFNmUMi.exe
  C:\Windows\System32\OFNmUMi.exe
  2⤵
  PID:6752
- C:\Windows\System32\lcLnhRa.exe
  C:\Windows\System32\lcLnhRa.exe
  2⤵
  PID:6796
- C:\Windows\System32\QhUYHMi.exe
  C:\Windows\System32\QhUYHMi.exe
  2⤵
  PID:6820
- C:\Windows\System32\pYMJpzf.exe
  C:\Windows\System32\pYMJpzf.exe
  2⤵
  PID:6848
- C:\Windows\System32\KmdYZwk.exe
  C:\Windows\System32\KmdYZwk.exe
  2⤵
  PID:6888
- C:\Windows\System32\DtNiAJM.exe
  C:\Windows\System32\DtNiAJM.exe
  2⤵
  PID:6912
- C:\Windows\System32\JkfXdha.exe
  C:\Windows\System32\JkfXdha.exe
  2⤵
  PID:6940
- C:\Windows\System32\YacdraZ.exe
  C:\Windows\System32\YacdraZ.exe
  2⤵
  PID:6968
- C:\Windows\System32\DzNSkZq.exe
  C:\Windows\System32\DzNSkZq.exe
  2⤵
  PID:6996
- C:\Windows\System32\VItGWjN.exe
  C:\Windows\System32\VItGWjN.exe
  2⤵
  PID:7024
- C:\Windows\System32\jFgmHTf.exe
  C:\Windows\System32\jFgmHTf.exe
  2⤵
  PID:7048
- C:\Windows\System32\qPMbCHB.exe
  C:\Windows\System32\qPMbCHB.exe
  2⤵
  PID:7076
- C:\Windows\System32\jXPwrDK.exe
  C:\Windows\System32\jXPwrDK.exe
  2⤵
  PID:7100
- C:\Windows\System32\cIBYZIN.exe
  C:\Windows\System32\cIBYZIN.exe
  2⤵
  PID:7124
- C:\Windows\System32\QpYZPZO.exe
  C:\Windows\System32\QpYZPZO.exe
  2⤵
  PID:7144
- C:\Windows\System32\LZyjiAr.exe
  C:\Windows\System32\LZyjiAr.exe
  2⤵
  PID:7160
- C:\Windows\System32\MGfQqrM.exe
  C:\Windows\System32\MGfQqrM.exe
  2⤵
  PID:4208
- C:\Windows\System32\MlVWUbf.exe
  C:\Windows\System32\MlVWUbf.exe
  2⤵
  PID:4300
- C:\Windows\System32\LQtbieB.exe
  C:\Windows\System32\LQtbieB.exe
  2⤵
  PID:6084
- C:\Windows\System32\CzNZAwn.exe
  C:\Windows\System32\CzNZAwn.exe
  2⤵
  PID:2748
- C:\Windows\System32\HCYEdZd.exe
  C:\Windows\System32\HCYEdZd.exe
  2⤵
  PID:1488
- C:\Windows\System32\tRcwTTv.exe
  C:\Windows\System32\tRcwTTv.exe
  2⤵
  PID:540
- C:\Windows\System32\KzaSKBu.exe
  C:\Windows\System32\KzaSKBu.exe
  2⤵
  PID:5864
- C:\Windows\System32\RjhKDmA.exe
  C:\Windows\System32\RjhKDmA.exe
  2⤵
  PID:1288
- C:\Windows\System32\mxDvSUB.exe
  C:\Windows\System32\mxDvSUB.exe
  2⤵
  PID:6252
- C:\Windows\System32\rXwoecu.exe
  C:\Windows\System32\rXwoecu.exe
  2⤵
  PID:6380
- C:\Windows\System32\AezpBzj.exe
  C:\Windows\System32\AezpBzj.exe
  2⤵
  PID:6436
- C:\Windows\System32\OUAxurP.exe
  C:\Windows\System32\OUAxurP.exe
  2⤵
  PID:2352
- C:\Windows\System32\imgrxWI.exe
  C:\Windows\System32\imgrxWI.exe
  2⤵
  PID:6536
- C:\Windows\System32\PFMSfZi.exe
  C:\Windows\System32\PFMSfZi.exe
  2⤵
  PID:3948
- C:\Windows\System32\HhxJvqD.exe
  C:\Windows\System32\HhxJvqD.exe
  2⤵
  PID:6600
- C:\Windows\System32\AYOvYWU.exe
  C:\Windows\System32\AYOvYWU.exe
  2⤵
  PID:6676
- C:\Windows\System32\dpynIjY.exe
  C:\Windows\System32\dpynIjY.exe
  2⤵
  PID:6740
- C:\Windows\System32\LyQmeqT.exe
  C:\Windows\System32\LyQmeqT.exe
  2⤵
  PID:6028
- C:\Windows\System32\FQXpUTF.exe
  C:\Windows\System32\FQXpUTF.exe
  2⤵
  PID:3392
- C:\Windows\System32\aadAIJA.exe
  C:\Windows\System32\aadAIJA.exe
  2⤵
  PID:6760
- C:\Windows\System32\klWuMSk.exe
  C:\Windows\System32\klWuMSk.exe
  2⤵
  PID:6828
- C:\Windows\System32\AeXBCEk.exe
  C:\Windows\System32\AeXBCEk.exe
  2⤵
  PID:6856
- C:\Windows\System32\DzZkNnl.exe
  C:\Windows\System32\DzZkNnl.exe
  2⤵
  PID:6880
- C:\Windows\System32\adrSbuS.exe
  C:\Windows\System32\adrSbuS.exe
  2⤵
  PID:6988
- C:\Windows\System32\sGVDkUy.exe
  C:\Windows\System32\sGVDkUy.exe
  2⤵
  PID:7008
- C:\Windows\System32\dcQTdAm.exe
  C:\Windows\System32\dcQTdAm.exe
  2⤵
  PID:7064
- C:\Windows\System32\JwHJAKR.exe
  C:\Windows\System32\JwHJAKR.exe
  2⤵
  PID:5416
- C:\Windows\System32\DRVSFGL.exe
  C:\Windows\System32\DRVSFGL.exe
  2⤵
  PID:1372
- C:\Windows\System32\dHioukq.exe
  C:\Windows\System32\dHioukq.exe
  2⤵
  PID:4456
- C:\Windows\System32\aReXwXP.exe
  C:\Windows\System32\aReXwXP.exe
  2⤵
  PID:5372
- C:\Windows\System32\dDzXgtM.exe
  C:\Windows\System32\dDzXgtM.exe
  2⤵
  PID:1872
- C:\Windows\System32\bgnTHCt.exe
  C:\Windows\System32\bgnTHCt.exe
  2⤵
  PID:4988
- C:\Windows\System32\LeUNwal.exe
  C:\Windows\System32\LeUNwal.exe
  2⤵
  PID:6488
- C:\Windows\System32\uVZALmu.exe
  C:\Windows\System32\uVZALmu.exe
  2⤵
  PID:6648
- C:\Windows\System32\JkxARWj.exe
  C:\Windows\System32\JkxARWj.exe
  2⤵
  PID:5572
- C:\Windows\System32\hXHrtzj.exe
  C:\Windows\System32\hXHrtzj.exe
  2⤵
  PID:6772
- C:\Windows\System32\rppkrkE.exe
  C:\Windows\System32\rppkrkE.exe
  2⤵
  PID:6868
- C:\Windows\System32\htiuDWq.exe
  C:\Windows\System32\htiuDWq.exe
  2⤵
  PID:7056
- C:\Windows\System32\eRYVuXs.exe
  C:\Windows\System32\eRYVuXs.exe
  2⤵
  PID:1008
- C:\Windows\System32\kjdsVuB.exe
  C:\Windows\System32\kjdsVuB.exe
  2⤵
  PID:5824
- C:\Windows\System32\TCfxbUU.exe
  C:\Windows\System32\TCfxbUU.exe
  2⤵
  PID:2840
- C:\Windows\System32\baRyXFp.exe
  C:\Windows\System32\baRyXFp.exe
  2⤵
  PID:6496
- C:\Windows\System32\OzKtHER.exe
  C:\Windows\System32\OzKtHER.exe
  2⤵
  PID:4264
- C:\Windows\System32\kRATTEP.exe
  C:\Windows\System32\kRATTEP.exe
  2⤵
  PID:7020
- C:\Windows\System32\fachBPv.exe
  C:\Windows\System32\fachBPv.exe
  2⤵
  PID:5472
- C:\Windows\System32\naCRQow.exe
  C:\Windows\System32\naCRQow.exe
  2⤵
  PID:6312
- C:\Windows\System32\HwNOPKt.exe
  C:\Windows\System32\HwNOPKt.exe
  2⤵
  PID:6788
- C:\Windows\System32\GjpSvdX.exe
  C:\Windows\System32\GjpSvdX.exe
  2⤵
  PID:896
- C:\Windows\System32\IwnOuNA.exe
  C:\Windows\System32\IwnOuNA.exe
  2⤵
  PID:7172
- C:\Windows\System32\JHNHqeH.exe
  C:\Windows\System32\JHNHqeH.exe
  2⤵
  PID:7192
- C:\Windows\System32\EbkTSKZ.exe
  C:\Windows\System32\EbkTSKZ.exe
  2⤵
  PID:7228
- C:\Windows\System32\UdMSOWs.exe
  C:\Windows\System32\UdMSOWs.exe
  2⤵
  PID:7248
- C:\Windows\System32\lkhaDUQ.exe
  C:\Windows\System32\lkhaDUQ.exe
  2⤵
  PID:7280
- C:\Windows\System32\gFRlOWt.exe
  C:\Windows\System32\gFRlOWt.exe
  2⤵
  PID:7312
- C:\Windows\System32\ZJocpxU.exe
  C:\Windows\System32\ZJocpxU.exe
  2⤵
  PID:7352
- C:\Windows\System32\WsGazYs.exe
  C:\Windows\System32\WsGazYs.exe
  2⤵
  PID:7368
- C:\Windows\System32\cATtlwb.exe
  C:\Windows\System32\cATtlwb.exe
  2⤵
  PID:7396
- C:\Windows\System32\YqHoGDF.exe
  C:\Windows\System32\YqHoGDF.exe
  2⤵
  PID:7428
- C:\Windows\System32\rXeDDKr.exe
  C:\Windows\System32\rXeDDKr.exe
  2⤵
  PID:7448
- C:\Windows\System32\SZVZVHO.exe
  C:\Windows\System32\SZVZVHO.exe
  2⤵
  PID:7480
- C:\Windows\System32\IJSuNPA.exe
  C:\Windows\System32\IJSuNPA.exe
  2⤵
  PID:7500
- C:\Windows\System32\GhYAjlR.exe
  C:\Windows\System32\GhYAjlR.exe
  2⤵
  PID:7544
- C:\Windows\System32\wIcjgsL.exe
  C:\Windows\System32\wIcjgsL.exe
  2⤵
  PID:7572
- C:\Windows\System32\cepmuxK.exe
  C:\Windows\System32\cepmuxK.exe
  2⤵
  PID:7596
- C:\Windows\System32\cDjadeG.exe
  C:\Windows\System32\cDjadeG.exe
  2⤵
  PID:7620
- C:\Windows\System32\jBTCLde.exe
  C:\Windows\System32\jBTCLde.exe
  2⤵
  PID:7652
- C:\Windows\System32\ohZZTse.exe
  C:\Windows\System32\ohZZTse.exe
  2⤵
  PID:7684
- C:\Windows\System32\jJoiJgd.exe
  C:\Windows\System32\jJoiJgd.exe
  2⤵
  PID:7720
- C:\Windows\System32\LSZsfwR.exe
  C:\Windows\System32\LSZsfwR.exe
  2⤵
  PID:7744
- C:\Windows\System32\vbiUnet.exe
  C:\Windows\System32\vbiUnet.exe
  2⤵
  PID:7760
- C:\Windows\System32\sLwyPyE.exe
  C:\Windows\System32\sLwyPyE.exe
  2⤵
  PID:7776
- C:\Windows\System32\wcXOyoy.exe
  C:\Windows\System32\wcXOyoy.exe
  2⤵
  PID:7792
- C:\Windows\System32\InnjjMK.exe
  C:\Windows\System32\InnjjMK.exe
  2⤵
  PID:7808
- C:\Windows\System32\QhnScdX.exe
  C:\Windows\System32\QhnScdX.exe
  2⤵
  PID:7828
- C:\Windows\System32\ShqCBzn.exe
  C:\Windows\System32\ShqCBzn.exe
  2⤵
  PID:7848
- C:\Windows\System32\awlTTxH.exe
  C:\Windows\System32\awlTTxH.exe
  2⤵
  PID:7892
- C:\Windows\System32\bqOOVNs.exe
  C:\Windows\System32\bqOOVNs.exe
  2⤵
  PID:7912
- C:\Windows\System32\mXwTojG.exe
  C:\Windows\System32\mXwTojG.exe
  2⤵
  PID:7948
- C:\Windows\System32\WcErRZV.exe
  C:\Windows\System32\WcErRZV.exe
  2⤵
  PID:8012
- C:\Windows\System32\zDmmzNz.exe
  C:\Windows\System32\zDmmzNz.exe
  2⤵
  PID:8036
- C:\Windows\System32\uGWoxqF.exe
  C:\Windows\System32\uGWoxqF.exe
  2⤵
  PID:8068
- C:\Windows\System32\fSPWAYj.exe
  C:\Windows\System32\fSPWAYj.exe
  2⤵
  PID:8108
- C:\Windows\System32\TkFoGYD.exe
  C:\Windows\System32\TkFoGYD.exe
  2⤵
  PID:8132
- C:\Windows\System32\IqJmEUV.exe
  C:\Windows\System32\IqJmEUV.exe
  2⤵
  PID:8152
- C:\Windows\System32\GOBZiKx.exe
  C:\Windows\System32\GOBZiKx.exe
  2⤵
  PID:8172
- C:\Windows\System32\znNEsTx.exe
  C:\Windows\System32\znNEsTx.exe
  2⤵
  PID:7188
- C:\Windows\System32\EtTVoGC.exe
  C:\Windows\System32\EtTVoGC.exe
  2⤵
  PID:7220
- C:\Windows\System32\exbEiOg.exe
  C:\Windows\System32\exbEiOg.exe
  2⤵
  PID:1520
- C:\Windows\System32\prcBeTY.exe
  C:\Windows\System32\prcBeTY.exe
  2⤵
  PID:7436
- C:\Windows\System32\uVVfJHC.exe
  C:\Windows\System32\uVVfJHC.exe
  2⤵
  PID:7464
- C:\Windows\System32\dahRtaL.exe
  C:\Windows\System32\dahRtaL.exe
  2⤵
  PID:7472
- C:\Windows\System32\IIozKtb.exe
  C:\Windows\System32\IIozKtb.exe
  2⤵
  PID:7508
- C:\Windows\System32\sVSKiOS.exe
  C:\Windows\System32\sVSKiOS.exe
  2⤵
  PID:7608
- C:\Windows\System32\ktVWOpl.exe
  C:\Windows\System32\ktVWOpl.exe
  2⤵
  PID:7712
- C:\Windows\System32\cAHHpHm.exe
  C:\Windows\System32\cAHHpHm.exe
  2⤵
  PID:7736
- C:\Windows\System32\xxicAZR.exe
  C:\Windows\System32\xxicAZR.exe
  2⤵
  PID:7788
- C:\Windows\System32\adLolMD.exe
  C:\Windows\System32\adLolMD.exe
  2⤵
  PID:7824
- C:\Windows\System32\aGgwnGQ.exe
  C:\Windows\System32\aGgwnGQ.exe
  2⤵
  PID:7860
- C:\Windows\System32\HIvHJoh.exe
  C:\Windows\System32\HIvHJoh.exe
  2⤵
  PID:7936
- C:\Windows\System32\dEmhjnG.exe
  C:\Windows\System32\dEmhjnG.exe
  2⤵
  PID:7996
- C:\Windows\System32\GsJlQvM.exe
  C:\Windows\System32\GsJlQvM.exe
  2⤵
  PID:8140
- C:\Windows\System32\apPWukc.exe
  C:\Windows\System32\apPWukc.exe
  2⤵
  PID:8180
- C:\Windows\System32\taLssuR.exe
  C:\Windows\System32\taLssuR.exe
  2⤵
  PID:7384
- C:\Windows\System32\tvqQKHK.exe
  C:\Windows\System32\tvqQKHK.exe
  2⤵
  PID:7564
- C:\Windows\System32\pMbYRwz.exe
  C:\Windows\System32\pMbYRwz.exe
  2⤵
  PID:7664
- C:\Windows\System32\LIcpJhu.exe
  C:\Windows\System32\LIcpJhu.exe
  2⤵
  PID:7784
- C:\Windows\System32\TeZpnxe.exe
  C:\Windows\System32\TeZpnxe.exe
  2⤵
  PID:7968
- C:\Windows\System32\cdTsiBe.exe
  C:\Windows\System32\cdTsiBe.exe
  2⤵
  PID:8168
- C:\Windows\System32\FaMXjAC.exe
  C:\Windows\System32\FaMXjAC.exe
  2⤵
  PID:8144
- C:\Windows\System32\eXroaXe.exe
  C:\Windows\System32\eXroaXe.exe
  2⤵
  PID:7476
- C:\Windows\System32\oevlyeM.exe
  C:\Windows\System32\oevlyeM.exe
  2⤵
  PID:7920
- C:\Windows\System32\RFxjMwz.exe
  C:\Windows\System32\RFxjMwz.exe
  2⤵
  PID:8048
- C:\Windows\System32\CzGsOvs.exe
  C:\Windows\System32\CzGsOvs.exe
  2⤵
  PID:7308
- C:\Windows\System32\GwqqWam.exe
  C:\Windows\System32\GwqqWam.exe
  2⤵
  PID:8216
- C:\Windows\System32\dUNjPNX.exe
  C:\Windows\System32\dUNjPNX.exe
  2⤵
  PID:8244
- C:\Windows\System32\drXBnde.exe
  C:\Windows\System32\drXBnde.exe
  2⤵
  PID:8272
- C:\Windows\System32\CnoflwK.exe
  C:\Windows\System32\CnoflwK.exe
  2⤵
  PID:8288
- C:\Windows\System32\JxdtAoS.exe
  C:\Windows\System32\JxdtAoS.exe
  2⤵
  PID:8344
- C:\Windows\System32\QoHAmeX.exe
  C:\Windows\System32\QoHAmeX.exe
  2⤵
  PID:8368
- C:\Windows\System32\lmAIabu.exe
  C:\Windows\System32\lmAIabu.exe
  2⤵
  PID:8388
- C:\Windows\System32\MgbmAMH.exe
  C:\Windows\System32\MgbmAMH.exe
  2⤵
  PID:8424
- C:\Windows\System32\kiDJfiV.exe
  C:\Windows\System32\kiDJfiV.exe
  2⤵
  PID:8444
- C:\Windows\System32\XhIZlGe.exe
  C:\Windows\System32\XhIZlGe.exe
  2⤵
  PID:8484
- C:\Windows\System32\EESpYYE.exe
  C:\Windows\System32\EESpYYE.exe
  2⤵
  PID:8520
- C:\Windows\System32\EIbbLcI.exe
  C:\Windows\System32\EIbbLcI.exe
  2⤵
  PID:8568
- C:\Windows\System32\goMyuAl.exe
  C:\Windows\System32\goMyuAl.exe
  2⤵
  PID:8588
- C:\Windows\System32\KQXgmKp.exe
  C:\Windows\System32\KQXgmKp.exe
  2⤵
  PID:8620
- C:\Windows\System32\ZkwFJME.exe
  C:\Windows\System32\ZkwFJME.exe
  2⤵
  PID:8644
- C:\Windows\System32\JMgBlzP.exe
  C:\Windows\System32\JMgBlzP.exe
  2⤵
  PID:8672
- C:\Windows\System32\ITYFtgj.exe
  C:\Windows\System32\ITYFtgj.exe
  2⤵
  PID:8692
- C:\Windows\System32\snnMrUr.exe
  C:\Windows\System32\snnMrUr.exe
  2⤵
  PID:8728
- C:\Windows\System32\fcDFvMI.exe
  C:\Windows\System32\fcDFvMI.exe
  2⤵
  PID:8744
- C:\Windows\System32\ZLFaUTa.exe
  C:\Windows\System32\ZLFaUTa.exe
  2⤵
  PID:8764
- C:\Windows\System32\qgxBwvq.exe
  C:\Windows\System32\qgxBwvq.exe
  2⤵
  PID:8800
- C:\Windows\System32\IGatzmc.exe
  C:\Windows\System32\IGatzmc.exe
  2⤵
  PID:8824
- C:\Windows\System32\eCmzanH.exe
  C:\Windows\System32\eCmzanH.exe
  2⤵
  PID:8840
- C:\Windows\System32\GsEDqhK.exe
  C:\Windows\System32\GsEDqhK.exe
  2⤵
  PID:8864
- C:\Windows\System32\jOCHJpx.exe
  C:\Windows\System32\jOCHJpx.exe
  2⤵
  PID:8896
- C:\Windows\System32\fcGNGBi.exe
  C:\Windows\System32\fcGNGBi.exe
  2⤵
  PID:8920
- C:\Windows\System32\PpCUofA.exe
  C:\Windows\System32\PpCUofA.exe
  2⤵
  PID:8940
- C:\Windows\System32\eHUbBTe.exe
  C:\Windows\System32\eHUbBTe.exe
  2⤵
  PID:9000
- C:\Windows\System32\tnSwjAp.exe
  C:\Windows\System32\tnSwjAp.exe
  2⤵
  PID:9064
- C:\Windows\System32\CRaEkQJ.exe
  C:\Windows\System32\CRaEkQJ.exe
  2⤵
  PID:9088
- C:\Windows\System32\dBmpJqZ.exe
  C:\Windows\System32\dBmpJqZ.exe
  2⤵
  PID:9104
- C:\Windows\System32\mrgOsAp.exe
  C:\Windows\System32\mrgOsAp.exe
  2⤵
  PID:9124
- C:\Windows\System32\Ocevnvo.exe
  C:\Windows\System32\Ocevnvo.exe
  2⤵
  PID:9144
- C:\Windows\System32\OjwgGqx.exe
  C:\Windows\System32\OjwgGqx.exe
  2⤵
  PID:9172
- C:\Windows\System32\AUYjtjE.exe
  C:\Windows\System32\AUYjtjE.exe
  2⤵
  PID:9204
- C:\Windows\System32\LfAgoKn.exe
  C:\Windows\System32\LfAgoKn.exe
  2⤵
  PID:8204
- C:\Windows\System32\ZVxUAxB.exe
  C:\Windows\System32\ZVxUAxB.exe
  2⤵
  PID:8284
- C:\Windows\System32\QtsMfYI.exe
  C:\Windows\System32\QtsMfYI.exe
  2⤵
  PID:8356
- C:\Windows\System32\vBkaDsi.exe
  C:\Windows\System32\vBkaDsi.exe
  2⤵
  PID:8384
- C:\Windows\System32\GfYofEq.exe
  C:\Windows\System32\GfYofEq.exe
  2⤵
  PID:8464
- C:\Windows\System32\WsopyXX.exe
  C:\Windows\System32\WsopyXX.exe
  2⤵
  PID:8904
- C:\Windows\System32\WsoRoDg.exe
  C:\Windows\System32\WsoRoDg.exe
  2⤵
  PID:8876
- C:\Windows\System32\HlmvTbU.exe
  C:\Windows\System32\HlmvTbU.exe
  2⤵
  PID:8936
- C:\Windows\System32\YyGeeYA.exe
  C:\Windows\System32\YyGeeYA.exe
  2⤵
  PID:8932
- C:\Windows\System32\aNCarph.exe
  C:\Windows\System32\aNCarph.exe
  2⤵
  PID:9028
- C:\Windows\System32\ZcSFypl.exe
  C:\Windows\System32\ZcSFypl.exe
  2⤵
  PID:9056
- C:\Windows\System32\uqWJzhd.exe
  C:\Windows\System32\uqWJzhd.exe
  2⤵
  PID:9100
- C:\Windows\System32\AobCVIk.exe
  C:\Windows\System32\AobCVIk.exe
  2⤵
  PID:9196
- C:\Windows\System32\lRWOcyv.exe
  C:\Windows\System32\lRWOcyv.exe
  2⤵
  PID:8336
- C:\Windows\System32\GXDKwaV.exe
  C:\Windows\System32\GXDKwaV.exe
  2⤵
  PID:8576
- C:\Windows\System32\oqLhhnK.exe
  C:\Windows\System32\oqLhhnK.exe
  2⤵
  PID:8796
- C:\Windows\System32\LkVAqZl.exe
  C:\Windows\System32\LkVAqZl.exe
  2⤵
  PID:8604
- C:\Windows\System32\bEAfjzV.exe
  C:\Windows\System32\bEAfjzV.exe
  2⤵
  PID:9052
- C:\Windows\System32\iWqCjoX.exe
  C:\Windows\System32\iWqCjoX.exe
  2⤵
  PID:8928
- C:\Windows\System32\BCDWepf.exe
  C:\Windows\System32\BCDWepf.exe
  2⤵
  PID:9080
- C:\Windows\System32\vJkOpLU.exe
  C:\Windows\System32\vJkOpLU.exe
  2⤵
  PID:9120
- C:\Windows\System32\pnijmuR.exe
  C:\Windows\System32\pnijmuR.exe
  2⤵
  PID:8460
- C:\Windows\System32\AEiVSzr.exe
  C:\Windows\System32\AEiVSzr.exe
  2⤵
  PID:8780
- C:\Windows\System32\PnNNBlR.exe
  C:\Windows\System32\PnNNBlR.exe
  2⤵
  PID:8712
- C:\Windows\System32\WYPMhoy.exe
  C:\Windows\System32\WYPMhoy.exe
  2⤵
  PID:8972
- C:\Windows\System32\JfNECYu.exe
  C:\Windows\System32\JfNECYu.exe
  2⤵
  PID:7944
- C:\Windows\System32\spBjwUM.exe
  C:\Windows\System32\spBjwUM.exe
  2⤵
  PID:8552
- C:\Windows\System32\XDylbaj.exe
  C:\Windows\System32\XDylbaj.exe
  2⤵
  PID:9224
- C:\Windows\System32\piWWAIo.exe
  C:\Windows\System32\piWWAIo.exe
  2⤵
  PID:9260
- C:\Windows\System32\OOmneyh.exe
  C:\Windows\System32\OOmneyh.exe
  2⤵
  PID:9312
- C:\Windows\System32\pxjUyfU.exe
  C:\Windows\System32\pxjUyfU.exe
  2⤵
  PID:9332
- C:\Windows\System32\goaLUwW.exe
  C:\Windows\System32\goaLUwW.exe
  2⤵
  PID:9372
- C:\Windows\System32\pvGXQrA.exe
  C:\Windows\System32\pvGXQrA.exe
  2⤵
  PID:9396
- C:\Windows\System32\ZMXRnUx.exe
  C:\Windows\System32\ZMXRnUx.exe
  2⤵
  PID:9416
- C:\Windows\System32\ARaWrOA.exe
  C:\Windows\System32\ARaWrOA.exe
  2⤵
  PID:9448
- C:\Windows\System32\gDoySgD.exe
  C:\Windows\System32\gDoySgD.exe
  2⤵
  PID:9472
- C:\Windows\System32\ZkzHKGi.exe
  C:\Windows\System32\ZkzHKGi.exe
  2⤵
  PID:9496
- C:\Windows\System32\XLCBoJX.exe
  C:\Windows\System32\XLCBoJX.exe
  2⤵
  PID:9516
- C:\Windows\System32\QLsQtsI.exe
  C:\Windows\System32\QLsQtsI.exe
  2⤵
  PID:9532
- C:\Windows\System32\wytcDok.exe
  C:\Windows\System32\wytcDok.exe
  2⤵
  PID:9560
- C:\Windows\System32\BeMGVsU.exe
  C:\Windows\System32\BeMGVsU.exe
  2⤵
  PID:9584
- C:\Windows\System32\GsqTckf.exe
  C:\Windows\System32\GsqTckf.exe
  2⤵
  PID:9604
- C:\Windows\System32\GSmUzEQ.exe
  C:\Windows\System32\GSmUzEQ.exe
  2⤵
  PID:9660
- C:\Windows\System32\rlJtFNl.exe
  C:\Windows\System32\rlJtFNl.exe
  2⤵
  PID:9692
- C:\Windows\System32\ZpOAAiQ.exe
  C:\Windows\System32\ZpOAAiQ.exe
  2⤵
  PID:9728
- C:\Windows\System32\snsPoSY.exe
  C:\Windows\System32\snsPoSY.exe
  2⤵
  PID:9776
- C:\Windows\System32\BHlEBOf.exe
  C:\Windows\System32\BHlEBOf.exe
  2⤵
  PID:9800
- C:\Windows\System32\whIfFgd.exe
  C:\Windows\System32\whIfFgd.exe
  2⤵
  PID:9824
- C:\Windows\System32\ArcLNpT.exe
  C:\Windows\System32\ArcLNpT.exe
  2⤵
  PID:9840
- C:\Windows\System32\ZNFeoFH.exe
  C:\Windows\System32\ZNFeoFH.exe
  2⤵
  PID:9864
- C:\Windows\System32\uSCqUuY.exe
  C:\Windows\System32\uSCqUuY.exe
  2⤵
  PID:9880
- C:\Windows\System32\dnmIRtK.exe
  C:\Windows\System32\dnmIRtK.exe
  2⤵
  PID:9936
- C:\Windows\System32\zVZBPAd.exe
  C:\Windows\System32\zVZBPAd.exe
  2⤵
  PID:9960
- C:\Windows\System32\JDoynew.exe
  C:\Windows\System32\JDoynew.exe
  2⤵
  PID:9988
- C:\Windows\System32\ACUHykE.exe
  C:\Windows\System32\ACUHykE.exe
  2⤵
  PID:10012
- C:\Windows\System32\njBfFVm.exe
  C:\Windows\System32\njBfFVm.exe
  2⤵
  PID:10060
- C:\Windows\System32\otxASFU.exe
  C:\Windows\System32\otxASFU.exe
  2⤵
  PID:10076
- C:\Windows\System32\wkwOUdn.exe
  C:\Windows\System32\wkwOUdn.exe
  2⤵
  PID:10104
- C:\Windows\System32\pzjbWfh.exe
  C:\Windows\System32\pzjbWfh.exe
  2⤵
  PID:10144
- C:\Windows\System32\wHkttAi.exe
  C:\Windows\System32\wHkttAi.exe
  2⤵
  PID:10168
- C:\Windows\System32\XgToBfI.exe
  C:\Windows\System32\XgToBfI.exe
  2⤵
  PID:10200
- C:\Windows\System32\nDAEFsa.exe
  C:\Windows\System32\nDAEFsa.exe
  2⤵
  PID:10216
- C:\Windows\System32\stVhwOK.exe
  C:\Windows\System32\stVhwOK.exe
  2⤵
  PID:9236
- C:\Windows\System32\ifeueBg.exe
  C:\Windows\System32\ifeueBg.exe
  2⤵
  PID:9296
- C:\Windows\System32\lHmYjFG.exe
  C:\Windows\System32\lHmYjFG.exe
  2⤵
  PID:9348
- C:\Windows\System32\EyxQbDA.exe
  C:\Windows\System32\EyxQbDA.exe
  2⤵
  PID:9412
- C:\Windows\System32\FqxSySj.exe
  C:\Windows\System32\FqxSySj.exe
  2⤵
  PID:9492
- C:\Windows\System32\cATZCvP.exe
  C:\Windows\System32\cATZCvP.exe
  2⤵
  PID:9528
- C:\Windows\System32\zTtzySX.exe
  C:\Windows\System32\zTtzySX.exe
  2⤵
  PID:9620
- C:\Windows\System32\EgHWreu.exe
  C:\Windows\System32\EgHWreu.exe
  2⤵
  PID:9708
- C:\Windows\System32\uaFCpaz.exe
  C:\Windows\System32\uaFCpaz.exe
  2⤵
  PID:9724
- C:\Windows\System32\sHLZwte.exe
  C:\Windows\System32\sHLZwte.exe
  2⤵
  PID:9796
- C:\Windows\System32\PMMhjCT.exe
  C:\Windows\System32\PMMhjCT.exe
  2⤵
  PID:9832
- C:\Windows\System32\UUkiOWB.exe
  C:\Windows\System32\UUkiOWB.exe
  2⤵
  PID:9892
- C:\Windows\System32\AYoekuA.exe
  C:\Windows\System32\AYoekuA.exe
  2⤵
  PID:10028
- C:\Windows\System32\ATLTxmM.exe
  C:\Windows\System32\ATLTxmM.exe
  2⤵
  PID:10088
- C:\Windows\System32\vTwSaGc.exe
  C:\Windows\System32\vTwSaGc.exe
  2⤵
  PID:10176
- C:\Windows\System32\ZKoPASD.exe
  C:\Windows\System32\ZKoPASD.exe
  2⤵
  PID:10228
- C:\Windows\System32\xBYGFnp.exe
  C:\Windows\System32\xBYGFnp.exe
  2⤵
  PID:9324
- C:\Windows\System32\clUNTXj.exe
  C:\Windows\System32\clUNTXj.exe
  2⤵
  PID:9384
- C:\Windows\System32\aCbbrfo.exe
  C:\Windows\System32\aCbbrfo.exe
  2⤵
  PID:9468
- C:\Windows\System32\gXTJhwV.exe
  C:\Windows\System32\gXTJhwV.exe
  2⤵
  PID:9784
- C:\Windows\System32\lvIeyev.exe
  C:\Windows\System32\lvIeyev.exe
  2⤵
  PID:9852
- C:\Windows\System32\ClCkkhG.exe
  C:\Windows\System32\ClCkkhG.exe
  2⤵
  PID:9972
- C:\Windows\System32\ERbyvnx.exe
  C:\Windows\System32\ERbyvnx.exe
  2⤵
  PID:10020
- C:\Windows\System32\OHAoUeI.exe
  C:\Windows\System32\OHAoUeI.exe
  2⤵
  PID:10212
- C:\Windows\System32\iHMHbou.exe
  C:\Windows\System32\iHMHbou.exe
  2⤵
  PID:9544
- C:\Windows\System32\vSSXIhF.exe
  C:\Windows\System32\vSSXIhF.exe
  2⤵
  PID:9944
- C:\Windows\System32\UTZbPYA.exe
  C:\Windows\System32\UTZbPYA.exe
  2⤵
  PID:10160
- C:\Windows\System32\YYkcYTi.exe
  C:\Windows\System32\YYkcYTi.exe
  2⤵
  PID:10068
- C:\Windows\System32\CjZEDLt.exe
  C:\Windows\System32\CjZEDLt.exe
  2⤵
  PID:10268
- C:\Windows\System32\KVRbvJC.exe
  C:\Windows\System32\KVRbvJC.exe
  2⤵
  PID:10296
- C:\Windows\System32\sZjpoen.exe
  C:\Windows\System32\sZjpoen.exe
  2⤵
  PID:10328
- C:\Windows\System32\kniizie.exe
  C:\Windows\System32\kniizie.exe
  2⤵
  PID:10356
- C:\Windows\System32\KVeFPll.exe
  C:\Windows\System32\KVeFPll.exe
  2⤵
  PID:10376
- C:\Windows\System32\ZWbohTe.exe
  C:\Windows\System32\ZWbohTe.exe
  2⤵
  PID:10412
- C:\Windows\System32\COwBOCk.exe
  C:\Windows\System32\COwBOCk.exe
  2⤵
  PID:10428
- C:\Windows\System32\yTOxwes.exe
  C:\Windows\System32\yTOxwes.exe
  2⤵
  PID:10452
- C:\Windows\System32\rHwckhN.exe
  C:\Windows\System32\rHwckhN.exe
  2⤵
  PID:10484
- C:\Windows\System32\jklhMqo.exe
  C:\Windows\System32\jklhMqo.exe
  2⤵
  PID:10508
- C:\Windows\System32\ioVweVl.exe
  C:\Windows\System32\ioVweVl.exe
  2⤵
  PID:10528
- C:\Windows\System32\kSUbEgS.exe
  C:\Windows\System32\kSUbEgS.exe
  2⤵
  PID:10572
- C:\Windows\System32\wsNfDod.exe
  C:\Windows\System32\wsNfDod.exe
  2⤵
  PID:10604
- C:\Windows\System32\qlsxGTR.exe
  C:\Windows\System32\qlsxGTR.exe
  2⤵
  PID:10624
- C:\Windows\System32\FYNljLW.exe
  C:\Windows\System32\FYNljLW.exe
  2⤵
  PID:10644
- C:\Windows\System32\QPQSouE.exe
  C:\Windows\System32\QPQSouE.exe
  2⤵
  PID:10668
- C:\Windows\System32\MKHGNlB.exe
  C:\Windows\System32\MKHGNlB.exe
  2⤵
  PID:10692
- C:\Windows\System32\JdCBPcV.exe
  C:\Windows\System32\JdCBPcV.exe
  2⤵
  PID:10740
- C:\Windows\System32\ydGUpSf.exe
  C:\Windows\System32\ydGUpSf.exe
  2⤵
  PID:10792
- C:\Windows\System32\VZXTynr.exe
  C:\Windows\System32\VZXTynr.exe
  2⤵
  PID:10808
- C:\Windows\System32\NogUAlO.exe
  C:\Windows\System32\NogUAlO.exe
  2⤵
  PID:10836
- C:\Windows\System32\IDcDnjX.exe
  C:\Windows\System32\IDcDnjX.exe
  2⤵
  PID:10852
- C:\Windows\System32\iLfzbzi.exe
  C:\Windows\System32\iLfzbzi.exe
  2⤵
  PID:10872
- C:\Windows\System32\kmqQCZC.exe
  C:\Windows\System32\kmqQCZC.exe
  2⤵
  PID:10892
- C:\Windows\System32\iYCGJem.exe
  C:\Windows\System32\iYCGJem.exe
  2⤵
  PID:10912
- C:\Windows\System32\IgPXeDR.exe
  C:\Windows\System32\IgPXeDR.exe
  2⤵
  PID:10940
- C:\Windows\System32\lqEKKdX.exe
  C:\Windows\System32\lqEKKdX.exe
  2⤵
  PID:10960
- C:\Windows\System32\kzuYZZt.exe
  C:\Windows\System32\kzuYZZt.exe
  2⤵
  PID:10976
- C:\Windows\System32\GFubgZd.exe
  C:\Windows\System32\GFubgZd.exe
  2⤵
  PID:10996
- C:\Windows\System32\pMPxSvd.exe
  C:\Windows\System32\pMPxSvd.exe
  2⤵
  PID:11052
- C:\Windows\System32\zZZKebY.exe
  C:\Windows\System32\zZZKebY.exe
  2⤵
  PID:11124
- C:\Windows\System32\DMkhLVI.exe
  C:\Windows\System32\DMkhLVI.exe
  2⤵
  PID:11148
- C:\Windows\System32\GbzZNJb.exe
  C:\Windows\System32\GbzZNJb.exe
  2⤵
  PID:11176
- C:\Windows\System32\uRzargS.exe
  C:\Windows\System32\uRzargS.exe
  2⤵
  PID:11204
- C:\Windows\System32\kcSftgf.exe
  C:\Windows\System32\kcSftgf.exe
  2⤵
  PID:11232
- C:\Windows\System32\WwVGceJ.exe
  C:\Windows\System32\WwVGceJ.exe
  2⤵
  PID:11260
- C:\Windows\System32\XAHWswN.exe
  C:\Windows\System32\XAHWswN.exe
  2⤵
  PID:10276
- C:\Windows\System32\ScjATER.exe
  C:\Windows\System32\ScjATER.exe
  2⤵
  PID:10336
- C:\Windows\System32\lQXcBHm.exe
  C:\Windows\System32\lQXcBHm.exe
  2⤵
  PID:10388
- C:\Windows\System32\XfGlzQy.exe
  C:\Windows\System32\XfGlzQy.exe
  2⤵
  PID:10440
- C:\Windows\System32\dRcXVEP.exe
  C:\Windows\System32\dRcXVEP.exe
  2⤵
  PID:10556
- C:\Windows\System32\hGywcRa.exe
  C:\Windows\System32\hGywcRa.exe
  2⤵
  PID:10612
- C:\Windows\System32\ACfzWuz.exe
  C:\Windows\System32\ACfzWuz.exe
  2⤵
  PID:10664
- C:\Windows\System32\EyVBMdl.exe
  C:\Windows\System32\EyVBMdl.exe
  2⤵
  PID:10708
- C:\Windows\System32\CSqQwqS.exe
  C:\Windows\System32\CSqQwqS.exe
  2⤵
  PID:10680
- C:\Windows\System32\XrMphml.exe
  C:\Windows\System32\XrMphml.exe
  2⤵
  PID:10800
- C:\Windows\System32\gDqivMr.exe
  C:\Windows\System32\gDqivMr.exe
  2⤵
  PID:10884
- C:\Windows\System32\WfvTbVE.exe
  C:\Windows\System32\WfvTbVE.exe
  2⤵
  PID:10860
- C:\Windows\System32\lPRhSYx.exe
  C:\Windows\System32\lPRhSYx.exe
  2⤵
  PID:10908
- C:\Windows\System32\VXqmQBS.exe
  C:\Windows\System32\VXqmQBS.exe
  2⤵
  PID:11012
- C:\Windows\System32\OBeGiZr.exe
  C:\Windows\System32\OBeGiZr.exe
  2⤵
  PID:10948
- C:\Windows\System32\bIEPJJE.exe
  C:\Windows\System32\bIEPJJE.exe
  2⤵
  PID:11160
- C:\Windows\System32\jPKqIFv.exe
  C:\Windows\System32\jPKqIFv.exe
  2⤵
  PID:10244
- C:\Windows\System32\biMOhKd.exe
  C:\Windows\System32\biMOhKd.exe
  2⤵
  PID:10424
- C:\Windows\System32\rSlAppb.exe
  C:\Windows\System32\rSlAppb.exe
  2⤵
  PID:10500
- C:\Windows\System32\ZaDjiTk.exe
  C:\Windows\System32\ZaDjiTk.exe
  2⤵
  PID:10752
- C:\Windows\System32\axVZlzz.exe
  C:\Windows\System32\axVZlzz.exe
  2⤵
  PID:10804
- C:\Windows\System32\zAdqcnJ.exe
  C:\Windows\System32\zAdqcnJ.exe
  2⤵
  PID:10956
- C:\Windows\System32\iqGSUYp.exe
  C:\Windows\System32\iqGSUYp.exe
  2⤵
  PID:11132
- C:\Windows\System32\YaFfKBN.exe
  C:\Windows\System32\YaFfKBN.exe
  2⤵
  PID:10288
- C:\Windows\System32\jIeNxCR.exe
  C:\Windows\System32\jIeNxCR.exe
  2⤵
  PID:10728
- C:\Windows\System32\eAmpUkr.exe
  C:\Windows\System32\eAmpUkr.exe
  2⤵
  PID:11068
- C:\Windows\System32\QgHlajO.exe
  C:\Windows\System32\QgHlajO.exe
  2⤵
  PID:10384
- C:\Windows\System32\rjMRFPB.exe
  C:\Windows\System32\rjMRFPB.exe
  2⤵
  PID:11284
- C:\Windows\System32\tVBzSxL.exe
  C:\Windows\System32\tVBzSxL.exe
  2⤵
  PID:11316
- C:\Windows\System32\NqgGWlv.exe
  C:\Windows\System32\NqgGWlv.exe
  2⤵
  PID:11332
- C:\Windows\System32\ijtYrhF.exe
  C:\Windows\System32\ijtYrhF.exe
  2⤵
  PID:11356
- C:\Windows\System32\EgcYkBf.exe
  C:\Windows\System32\EgcYkBf.exe
  2⤵
  PID:11420
- C:\Windows\System32\TVXWrWw.exe
  C:\Windows\System32\TVXWrWw.exe
  2⤵
  PID:11456
- C:\Windows\System32\cNEMexI.exe
  C:\Windows\System32\cNEMexI.exe
  2⤵
  PID:11484
- C:\Windows\System32\KSoJNlV.exe
  C:\Windows\System32\KSoJNlV.exe
  2⤵
  PID:11504
- C:\Windows\System32\LxmPbVC.exe
  C:\Windows\System32\LxmPbVC.exe
  2⤵
  PID:11540
- C:\Windows\System32\AjtjJNE.exe
  C:\Windows\System32\AjtjJNE.exe
  2⤵
  PID:11560
- C:\Windows\System32\yMXJVuD.exe
  C:\Windows\System32\yMXJVuD.exe
  2⤵
  PID:11576
- C:\Windows\System32\bjADcyS.exe
  C:\Windows\System32\bjADcyS.exe
  2⤵
  PID:11596
- C:\Windows\System32\PTKAZPK.exe
  C:\Windows\System32\PTKAZPK.exe
  2⤵
  PID:11636
- C:\Windows\System32\xlbQgRy.exe
  C:\Windows\System32\xlbQgRy.exe
  2⤵
  PID:11660
- C:\Windows\System32\HJSNOir.exe
  C:\Windows\System32\HJSNOir.exe
  2⤵
  PID:11700
- C:\Windows\System32\jBMxafo.exe
  C:\Windows\System32\jBMxafo.exe
  2⤵
  PID:11740
- C:\Windows\System32\GWvNGux.exe
  C:\Windows\System32\GWvNGux.exe
  2⤵
  PID:11768
- C:\Windows\System32\ETETfWC.exe
  C:\Windows\System32\ETETfWC.exe
  2⤵
  PID:11796
- C:\Windows\System32\uBNKsIR.exe
  C:\Windows\System32\uBNKsIR.exe
  2⤵
  PID:11828
- C:\Windows\System32\vNnJLkC.exe
  C:\Windows\System32\vNnJLkC.exe
  2⤵
  PID:11852
- C:\Windows\System32\cIVitYT.exe
  C:\Windows\System32\cIVitYT.exe
  2⤵
  PID:11880
- C:\Windows\System32\yMNNqmU.exe
  C:\Windows\System32\yMNNqmU.exe
  2⤵
  PID:11924
- C:\Windows\System32\CLEylOF.exe
  C:\Windows\System32\CLEylOF.exe
  2⤵
  PID:11940
- C:\Windows\System32\WWMJxRm.exe
  C:\Windows\System32\WWMJxRm.exe
  2⤵
  PID:11976
- C:\Windows\System32\DXgmqnZ.exe
  C:\Windows\System32\DXgmqnZ.exe
  2⤵
  PID:12000
- C:\Windows\System32\FfAZOFN.exe
  C:\Windows\System32\FfAZOFN.exe
  2⤵
  PID:12024
- C:\Windows\System32\LEdaZwI.exe
  C:\Windows\System32\LEdaZwI.exe
  2⤵
  PID:12040
- C:\Windows\System32\YugFkcp.exe
  C:\Windows\System32\YugFkcp.exe
  2⤵
  PID:12064
- C:\Windows\System32\aESEXJq.exe
  C:\Windows\System32\aESEXJq.exe
  2⤵
  PID:12124
- C:\Windows\System32\jSFnUga.exe
  C:\Windows\System32\jSFnUga.exe
  2⤵
  PID:12140
- C:\Windows\System32\MqVmAkx.exe
  C:\Windows\System32\MqVmAkx.exe
  2⤵
  PID:12168
- C:\Windows\System32\ZHEcCwh.exe
  C:\Windows\System32\ZHEcCwh.exe
  2⤵
  PID:12196
- C:\Windows\System32\vfEcxuY.exe
  C:\Windows\System32\vfEcxuY.exe
  2⤵
  PID:12212
- C:\Windows\System32\hlnuAjy.exe
  C:\Windows\System32\hlnuAjy.exe
  2⤵
  PID:12252
- C:\Windows\System32\VSPXjVV.exe
  C:\Windows\System32\VSPXjVV.exe
  2⤵
  PID:12280
- C:\Windows\System32\MILTWOQ.exe
  C:\Windows\System32\MILTWOQ.exe
  2⤵
  PID:10640
- C:\Windows\System32\bHAsvnJ.exe
  C:\Windows\System32\bHAsvnJ.exe
  2⤵
  PID:11300
- C:\Windows\System32\qdWozTY.exe
  C:\Windows\System32\qdWozTY.exe
  2⤵
  PID:11328
- C:\Windows\System32\QmbZEBv.exe
  C:\Windows\System32\QmbZEBv.exe
  2⤵
  PID:11404
- C:\Windows\System32\ELXtcik.exe
  C:\Windows\System32\ELXtcik.exe
  2⤵
  PID:11428
- C:\Windows\System32\ibhXVmI.exe
  C:\Windows\System32\ibhXVmI.exe
  2⤵
  PID:11568
- C:\Windows\System32\vCSespY.exe
  C:\Windows\System32\vCSespY.exe
  2⤵
  PID:11676
- C:\Windows\System32\uRXkfoF.exe
  C:\Windows\System32\uRXkfoF.exe
  2⤵
  PID:11688
- C:\Windows\System32\xyirJUq.exe
  C:\Windows\System32\xyirJUq.exe
  2⤵
  PID:11756
- C:\Windows\System32\uFGHpHu.exe
  C:\Windows\System32\uFGHpHu.exe
  2⤵
  PID:11788
- C:\Windows\System32\DXJWGNU.exe
  C:\Windows\System32\DXJWGNU.exe
  2⤵
  PID:11848
- C:\Windows\System32\swnxnDq.exe
  C:\Windows\System32\swnxnDq.exe
  2⤵
  PID:11888
- C:\Windows\System32\vpfSLZZ.exe
  C:\Windows\System32\vpfSLZZ.exe
  2⤵
  PID:11984
- C:\Windows\System32\wePdOFW.exe
  C:\Windows\System32\wePdOFW.exe
  2⤵
  PID:12036
- C:\Windows\System32\NXBQQgU.exe
  C:\Windows\System32\NXBQQgU.exe
  2⤵
  PID:12156
- C:\Windows\System32\jfxRmuT.exe
  C:\Windows\System32\jfxRmuT.exe
  2⤵
  PID:12204
- C:\Windows\System32\RXlnAFF.exe
  C:\Windows\System32\RXlnAFF.exe
  2⤵
  PID:12272
- C:\Windows\System32\cIgdKYn.exe
  C:\Windows\System32\cIgdKYn.exe
  2⤵
  PID:11292
- C:\Windows\System32\mRJzhUN.exe
  C:\Windows\System32\mRJzhUN.exe
  2⤵
  PID:11352
- C:\Windows\System32\wlPXsBc.exe
  C:\Windows\System32\wlPXsBc.exe
  2⤵
  PID:11516
- C:\Windows\System32\SzyLjmI.exe
  C:\Windows\System32\SzyLjmI.exe
  2⤵
  PID:11720
- C:\Windows\System32\mkXqhsO.exe
  C:\Windows\System32\mkXqhsO.exe
  2⤵
  PID:11972
- C:\Windows\System32\qtajMMw.exe
  C:\Windows\System32\qtajMMw.exe
  2⤵
  PID:12056
- C:\Windows\System32\QCytume.exe
  C:\Windows\System32\QCytume.exe
  2⤵
  PID:11252
- C:\Windows\System32\ZmrrGns.exe
  C:\Windows\System32\ZmrrGns.exe
  2⤵
  PID:10468
- C:\Windows\System32\VWNNEgL.exe
  C:\Windows\System32\VWNNEgL.exe
  2⤵
  PID:11776
- C:\Windows\System32\FuyDeFT.exe
  C:\Windows\System32\FuyDeFT.exe
  2⤵
  PID:12016
- C:\Windows\System32\TiJlXni.exe
  C:\Windows\System32\TiJlXni.exe
  2⤵
  PID:12208
- C:\Windows\System32\rLYKUqK.exe
  C:\Windows\System32\rLYKUqK.exe
  2⤵
  PID:2672
- C:\Windows\System32\WLFjXVf.exe
  C:\Windows\System32\WLFjXVf.exe
  2⤵
  PID:3708
- C:\Windows\System32\vCMFRvr.exe
  C:\Windows\System32\vCMFRvr.exe
  2⤵
  PID:12292
- C:\Windows\System32\TPpVrfI.exe
  C:\Windows\System32\TPpVrfI.exe
  2⤵
  PID:12336
- C:\Windows\System32\pYhofyW.exe
  C:\Windows\System32\pYhofyW.exe
  2⤵
  PID:12360
- C:\Windows\System32\SMuRhAO.exe
  C:\Windows\System32\SMuRhAO.exe
  2⤵
  PID:12376
- C:\Windows\System32\cpUZQsy.exe
  C:\Windows\System32\cpUZQsy.exe
  2⤵
  PID:12404
- C:\Windows\System32\SLgOfiO.exe
  C:\Windows\System32\SLgOfiO.exe
  2⤵
  PID:12452
- C:\Windows\System32\vnIQPXz.exe
  C:\Windows\System32\vnIQPXz.exe
  2⤵
  PID:12472
- C:\Windows\System32\YHzpxqj.exe
  C:\Windows\System32\YHzpxqj.exe
  2⤵
  PID:12492
- C:\Windows\System32\XIVaeok.exe
  C:\Windows\System32\XIVaeok.exe
  2⤵
  PID:12536
- C:\Windows\System32\pEuxHop.exe
  C:\Windows\System32\pEuxHop.exe
  2⤵
  PID:12552
- C:\Windows\System32\MyHJsBr.exe
  C:\Windows\System32\MyHJsBr.exe
  2⤵
  PID:12576
- C:\Windows\System32\wtfPHhz.exe
  C:\Windows\System32\wtfPHhz.exe
  2⤵
  PID:12592
- C:\Windows\System32\lxjwCAC.exe
  C:\Windows\System32\lxjwCAC.exe
  2⤵
  PID:12620
- C:\Windows\System32\tjTwtZC.exe
  C:\Windows\System32\tjTwtZC.exe
  2⤵
  PID:12652
- C:\Windows\System32\IzCdgiE.exe
  C:\Windows\System32\IzCdgiE.exe
  2⤵
  PID:12696
- C:\Windows\System32\oIodebN.exe
  C:\Windows\System32\oIodebN.exe
  2⤵
  PID:12724
- C:\Windows\System32\vmzvNTJ.exe
  C:\Windows\System32\vmzvNTJ.exe
  2⤵
  PID:12744
- C:\Windows\System32\cdpEGJM.exe
  C:\Windows\System32\cdpEGJM.exe
  2⤵
  PID:12768
- C:\Windows\System32\cdUyQAk.exe
  C:\Windows\System32\cdUyQAk.exe
  2⤵
  PID:12812
- C:\Windows\System32\OJSAUNQ.exe
  C:\Windows\System32\OJSAUNQ.exe
  2⤵
  PID:12840
- C:\Windows\System32\PvTaKst.exe
  C:\Windows\System32\PvTaKst.exe
  2⤵
  PID:12864
- C:\Windows\System32\yNiwoBJ.exe
  C:\Windows\System32\yNiwoBJ.exe
  2⤵
  PID:12884
- C:\Windows\System32\ZSAieeo.exe
  C:\Windows\System32\ZSAieeo.exe
  2⤵
  PID:12904
- C:\Windows\System32\SHotsqT.exe
  C:\Windows\System32\SHotsqT.exe
  2⤵
  PID:12920
- C:\Windows\System32\hcOivUd.exe
  C:\Windows\System32\hcOivUd.exe
  2⤵
  PID:12948
- C:\Windows\System32\ygIZqWN.exe
  C:\Windows\System32\ygIZqWN.exe
  2⤵
  PID:13012
- C:\Windows\System32\WKiEXAJ.exe
  C:\Windows\System32\WKiEXAJ.exe
  2⤵
  PID:13028
- C:\Windows\System32\tbxjNIU.exe
  C:\Windows\System32\tbxjNIU.exe
  2⤵
  PID:13052
- C:\Windows\System32\VMCUSIN.exe
  C:\Windows\System32\VMCUSIN.exe
  2⤵
  PID:13072
- C:\Windows\System32\iduNFBu.exe
  C:\Windows\System32\iduNFBu.exe
  2⤵
  PID:13088
- C:\Windows\System32\UzuEnNj.exe
  C:\Windows\System32\UzuEnNj.exe
  2⤵
  PID:13124
- C:\Windows\System32\WWqQMRA.exe
  C:\Windows\System32\WWqQMRA.exe
  2⤵
  PID:13160
- C:\Windows\System32\aYlxTIK.exe
  C:\Windows\System32\aYlxTIK.exe
  2⤵
  PID:13180
- C:\Windows\System32\MqxxNsQ.exe
  C:\Windows\System32\MqxxNsQ.exe
  2⤵
  PID:13208
- C:\Windows\System32\VLNbmOJ.exe
  C:\Windows\System32\VLNbmOJ.exe
  2⤵
  PID:13248
- C:\Windows\System32\yfAEaEa.exe
  C:\Windows\System32\yfAEaEa.exe
  2⤵
  PID:13288
- C:\Windows\System32\hnWDPgy.exe
  C:\Windows\System32\hnWDPgy.exe
  2⤵
  PID:11784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AwaHAvp.exe

Filesize
1.7MB

MD5
9f049d6ffc5cf8486555ffc9a81ece7d

SHA1
a2ace56d0a565dd42173f4a6d7f86ed180ffb069

SHA256
b4abdbb0dcce1adc47907b26814ad0d2756c8917ee597347bfe7742fe0504da9

SHA512
e888a6de5f1a3c3a9cbd638043b3c8b5409ba2e30d633c9d13fb05738aa2711c68774e21bd5df864e1c835c9a8b0e788d302ea70ac7c18a64b48d7022cf60d5a

Download Submit
C:\Windows\System32\CIfzXyy.exe

Filesize
1.7MB

MD5
1ccc5c1cbd39661b99555cc8cea4a38b

SHA1
f083aa6add9498a4b15b95a2259c51d8daafb755

SHA256
39bb038d9cce1ea71b30b29fb05c116c99aed336b741d021adbe549e6661ef27

SHA512
d4b56a8a55e7cf21f866809611cdf0cf0952a668c5e85857f018edfc419295a0d5164d77592e169232fd590693ef102dd0d08d6db47ee98e220b2e26b76aee07

Download Submit
C:\Windows\System32\FMGmOWZ.exe

Filesize
1.7MB

MD5
b8109d24282f479755ee49705d2e2103

SHA1
18cf90c6533ac37af23c88ed61175ec7017bcaef

SHA256
b03dd61af4c131974e41e287cb99f11a752138317b5c9e4a016dacf94c577ef4

SHA512
a59f5473a1ca7612153734f9381df077f46a6445dfc2122145fc045da0079f79969b0eedf647a9118e6da93982b4bb51c5613fab7ff9662eedc3154c123b96b5

Download Submit
C:\Windows\System32\HaelHmS.exe

Filesize
1.7MB

MD5
237ed24f700e907bcb2420b1dfbc0634

SHA1
b01d8ae963d822b3b22971d98fa1b977d1497b49

SHA256
1339b838a1ccf9628e8383e9830c514721be1df427593fe4a79d2da8143164fc

SHA512
e85774c5332b6527a98808cbe20ed42e7d049701ff173c9d9c5d2e36d05b3dfb7fb5f5d2f97478b1856fd891fcf9b16b3a97603f971312f9fe1c1b9b960a209c

Download Submit
C:\Windows\System32\JHxkAWc.exe

Filesize
1.7MB

MD5
2100217da8b9b595853b90ba3978a51e

SHA1
0d6260033e281418f4bb0c6748a48bdc008ce0c0

SHA256
efc288468d3ae7155524130c16892d6691537bc600f39af14adeb1658c49252e

SHA512
2743bfb2ece3367e231c947fc8a4caee597dce1156e81ff0df91e90157bd95c463a0e9472c8960454ec7b462063df58feaf3470658b87905cb90175340b62b94

Download Submit
C:\Windows\System32\JdMLVtb.exe

Filesize
1.7MB

MD5
e8c2455b815e976ab104456e1dfc5327

SHA1
bbda09920eda3b13f9c7c3d71708f74d9caa18b7

SHA256
abb58e5db73eb1e649591b3c8d068568a108da08b052ef4567299a63eee5de27

SHA512
10d991702af6bd532e30520fb838efe94cdc01879a96ce56c44a4a07028f55a65e14943c236ab83943313132f2ed39b9b30b3bea75591c33c851506e0aea705a

Download Submit
C:\Windows\System32\JvDDHZM.exe

Filesize
1.7MB

MD5
99cc88c61d28b89c4a22de24bb62d6e8

SHA1
babcd7b88cd376eba48b72a0ef48f8591a573e43

SHA256
4e4d305934fed0ba04847efa3935968d8790356c5ea47205fa5036d217f95c5f

SHA512
7ae229b73be80ac1a396d102ca22f2d3c4c483183f50715fd5dfff77c21b39d9f68a14332f3314ef0fc14fb3b0758993872747b99c8662a8bbf9a50df3af4614

Download Submit
C:\Windows\System32\KgIxIgn.exe

Filesize
1.7MB

MD5
956c0c0ec6d62b3532f54042aea29c84

SHA1
b1a0eaf8123b2e51a65955cd20656a667ef1e921

SHA256
0086b11b91b6be6a49407fefeb2da3b9d2f8951830231aa7c7597d61d8947dc2

SHA512
fa543e51fa99c387ba998d3f0fadf29d82f59f86103ddc54a3eb0b2bde71ab959169861e0d5fec515653f97209af39e845a2fadce30742a8180c55ab7345f0ae

Download Submit
C:\Windows\System32\NCYXBLH.exe

Filesize
1.7MB

MD5
cd53e54ee1a604b8ec229c09e04ce5d9

SHA1
188f104b0e1c89dfb9b573b3d3a7dc4ccb22fc66

SHA256
71ef7471d9a22f44095218694776375b085e56444267c6ef57597f6542d7de19

SHA512
9bbc44e6381199ce08ae566a759b6f595d6af2807a71c1b9849bdfe642f488421b8e46a6b0ce85664dff2a61abe3e2447214541c33096254b871efbb3956ad9a

Download Submit
C:\Windows\System32\NaruYpm.exe

Filesize
1.7MB

MD5
882881ce3f3b1997af579ffd4194ef69

SHA1
956cc394400926ab9120209b6f1fd9b4b678eda0

SHA256
f10cfedb0cfdcadb41d740d87136a0d432078d072725ab8a7851dafb4325b92c

SHA512
a12d86fc506bb2c7cea274bc47014403128e2694ec29cfff895b85da0d2771c10a176cdb40bd5e677a72968ab9c37c3159641788b844f6f0a9d3d4ff29dadcda

Download Submit
C:\Windows\System32\OynMYee.exe

Filesize
1.7MB

MD5
fbecd42500a6e0b576236386fb55b99c

SHA1
2f7bf30851d78ddc87ca69454b55c61b4a441e04

SHA256
e9d0806bd4424527560c6f267166481609a2023a05c8a9034ca0363648ed3897

SHA512
8298d8fdd4bd489223a7a1e7ad00eadba7442828dbadc42aa21b03e0bdc210107f100bb62ad6ce932c443c478f9aa7e1a0206688329ad9edb515debbbf8e0c83

Download Submit
C:\Windows\System32\RDmmFfx.exe

Filesize
1.7MB

MD5
4c15d22f2ada5b38255fc305c5e73acf

SHA1
3cbe3f227a50bf2134598de542014f37338cfbf0

SHA256
6cb0dea6d16f963cf5414290bb44931d5667e49454339c0c6b4ea9b95faa949a

SHA512
2f55da9f00ff6747a59901f8d2160247611917f3ce4d2545f0e048e8aaf3f13861b8d33458aecf9ed548f95258b3cf10380920c81237e5b950233db500a2fb57

Download Submit
C:\Windows\System32\RqaipBt.exe

Filesize
1.7MB

MD5
fabb6e0d85b7ef5c327b662ec590ffb1

SHA1
60280c20e1100b211c54a477ef0988509d8d42c6

SHA256
90de221f87a12c5ca3701097ca14c5fc3a94df4c222d2b829ec6132350133995

SHA512
b67ec3dbabc55cebc1b2041b02c95011f65d2e2cc10d5f6abb4347800a9fc39d1f15f76e2b8241340bed4f39f0c1daf8cb35e71ed98c4e27171d48965c9386a0

Download Submit
C:\Windows\System32\SOprgUn.exe

Filesize
1.7MB

MD5
0909e6be3095eed4443eb79328bfc859

SHA1
c6e0d3fd02f211347e5899ee0ac002b114a305e2

SHA256
47367113335b47a455956aab0a565a74f41b1165d8dce61eecee47786bb91e9e

SHA512
022c055d357abc1bea6a99ef5c2581dae0df8c3a3ba56b36b1a6eb812018e09b9230d3a8953e098cca41189d15a892cff269bda50d7761f192631354d975ddeb

Download Submit
C:\Windows\System32\TUrnXUf.exe

Filesize
1.7MB

MD5
accf3405b25771aaa4c1187f49e27564

SHA1
b194fa8e8d3bae8d8765dae617137b1864781627

SHA256
5c781a75740557cbcb7172f96542cbbd9a5661ced9345efd68eff0ad5c850693

SHA512
f0444359bc86ebefdbb21789b5d1ab312c3266b91ab086ac9e3984c5c3d8f9e7474e030725eb7bbec1fbb81ddf618d21cb1f00a03824fa99fe0545892232c252

Download Submit
C:\Windows\System32\TuamGti.exe

Filesize
1.7MB

MD5
76875f39a83ab80597d517217fb0826e

SHA1
a939a71faf5ed389e7d1530326aa38d18a9b2531

SHA256
9df907804d1f76c2026ce11a8fa16afa0e40cf6bf2b08dd5babf26cb16942146

SHA512
d458910a3829519ed944a85b96b36b291a52e0be8d3647a393898601d5be58b39db070764f0bc512d517c1f9e527121eb9f0fc05f50a7455cf14287f4253cef0

Download Submit
C:\Windows\System32\UhdIFtu.exe

Filesize
1.7MB

MD5
0b7af75a3832f8b3e676fd0f23390cc1

SHA1
68afc109b8c4c251cbe33d01ad5a44f1626fe416

SHA256
9a894451afef2cef4654c654780dadd797eead7e04384704e66ae7cf9192633c

SHA512
3bd16b6d20caaa0c56d3618bb7e1bae528d7679f8285e898c1ddd08275278eb342627f868b649d2e3f11d021458bad05aa74beda265a0b49c0fbcca8d05ae550

Download Submit
C:\Windows\System32\WlBAiHD.exe

Filesize
1.7MB

MD5
a60cbaff71aabda57c6f2a5c403b2526

SHA1
aa624b92be26f21b16ed5808f6ce72957d518b21

SHA256
d7305c1d078ae45f75588a468406e63b92e53854713b098d8a0d53a2f6b7b5ec

SHA512
9b2f85423911556ae7ee27da90fb7c2c7a285d8fc6a5568b79f45e682a823eb1cadbe9823dc96457263d6d46e0f0baa9cdd4266f45a16b32b95a211913067b95

Download Submit
C:\Windows\System32\ZEIiENj.exe

Filesize
1.7MB

MD5
ba7b99c23a26ac103725ed0fd291f579

SHA1
d45644949edfedd811b91fb718c7f680e521a47c

SHA256
bd1bc3cb77197328c219fb642fce423508590a555615681d93c3572d934b03dd

SHA512
a280c4a613c6f6aa1b93e2dda2556f01a03e9b4f905a5a4e40cf706f23de4affcbf44130e451bfe5f4fb5f3d82de326ad76bc984a6d946e9921945eac7f20c9d

Download Submit
C:\Windows\System32\agSGHPg.exe

Filesize
1.7MB

MD5
4a2abb9f4bc24f88f59cc6591d8f594d

SHA1
8e72040964ecfc6d23e535a6e13bb612eebafedc

SHA256
116dff879f26395a278b5f5632dd40e9c57f41f693099dec16a66c468e22117f

SHA512
ea8360beb86247ea2eb1306094b6ba6c7f908b76d5aa6578a0539abb817392dfb0d98fb789015ce67deed536902543e9670b834278ac26103ee7ad69b79efa6d

Download Submit
C:\Windows\System32\bdMLbxC.exe

Filesize
1.7MB

MD5
c13efb0a015e4a3b0da0434c75c781aa

SHA1
020852f42176fafe87243b15864e1614e47837c7

SHA256
4646ada65502242acee7f00ef5cb4eda7c84643f048d390ca6caaf5afe9014c2

SHA512
1794d8d21c7e6af9fca79cf9978e2bff716dcee66fb1f6c50840bc35621a9120a7f6a369fd917f7f47dc79185b3c6641232403e958d7a4ab07b84c560a83b51f

Download Submit
C:\Windows\System32\bqFcewA.exe

Filesize
1.7MB

MD5
b0fee21462a7899e2f9af38914411347

SHA1
df8287fc1bd80297aa76554558497b38004bb77a

SHA256
5baba4aaf07cc1d462178a6ee21e5d313b122e9b1bea2c6a4f48ee7d7c823d9f

SHA512
61e034035fafb6f44fe136a9b18716e502eb7e0b31606d728012073978258aa07035997b82791b6d86ee28ea750d82d9e0332c95aad793de211f8d69e29ae0f9

Download Submit
C:\Windows\System32\eKmfaDy.exe

Filesize
1.7MB

MD5
aabb312c13b4b19eac0d0bde3539c8d0

SHA1
6b4d79ca1a4c5f59e2cfbf07f31552363271c0fa

SHA256
6d8f58d0aa39df575d5caf09ef75e2c6200e9a065b1fa2a5363b99a56f4a0fae

SHA512
16eb8ab815105eab4404b7009d98f2a4dc2137292b2f42b7d72d4ef75280d80bd9da57c78754775f727fe20a110237eab0cedb1d7102adaef62a37374b980fae

Download Submit
C:\Windows\System32\eaonMOF.exe

Filesize
1.7MB

MD5
7657ac261341fb5ce84e85f6206b50b2

SHA1
5d80b98c9dc0979f0dc81e7a77c024c691663840

SHA256
598b4618ee4455b1e8c9475f4f0a56e846c5acf7f2b7508cbfa4b2ebd508b4e0

SHA512
fb52dde3b217a90961979202b6771d1e0a50a4b445b51fadf2c0a07086ed7dbe59278b2f97430338de268c86abe7df2da0dd37c522bd77224fcc25d1bc01eddb

Download Submit
C:\Windows\System32\llTqqDP.exe

Filesize
1.7MB

MD5
79705e01aa920a1447fa15de3cab0e8f

SHA1
b91e098451f188e94f107f6a8cafab3ed01261f6

SHA256
87ea7c57ca6e08ff2538a76b9e91bfd52464a9bcb99fe533b9ea6473ca42060c

SHA512
265ffc3aa358c944335236efdd14b5eed5950f6aad936bce3a781fb6e199b9fda781a8f1d8efe5acf1b71e90e61992da19ae4ad60a822444e157a017beecb132

Download Submit
C:\Windows\System32\oGbSqUZ.exe

Filesize
1.7MB

MD5
624359b3c0eab4b5a585240de98cac6f

SHA1
9c71b19e8215cd544ce7c4ddcd0b92872108dc18

SHA256
da76f4e60657e99190a817b29456109d34111104e5f67e135f83833bf1b0fdbf

SHA512
61eb101038dd2c58893df25f3d50a1a3d25466a0014da85cacd7a1b3ac59caf400892b9fab61cef225e18d38376f90c983653365717b44aa865d7ea8519a2e83

Download Submit
C:\Windows\System32\qYXJCtb.exe

Filesize
1.7MB

MD5
9b77fae8a88327c1c52a639ff0458f1a

SHA1
d4a40b0dab33baa91f6164f8730948eafd609d61

SHA256
cfd7ae01f65a9d5ad18387f3a10a7dca8d1e450837ff55081bc033f8a45a1e3e

SHA512
37ad146a3a09c213fa61fe209bb3f46910ed6ff955d5060f8226c8cc50698cce934e01492f14eb3f715f1b089d53f5427acf6e465bc8f74f36aa28feec55601e

Download Submit
C:\Windows\System32\rLXdmjF.exe

Filesize
1.7MB

MD5
c3e522e888e7b0b96dea023b3669bca0

SHA1
9ca95e595941c8902d63ed474aa4e44b3efa1808

SHA256
4d07f534855cc135ee9513726f89b22577816cc6e0bf0d4a84490db3a564a1e9

SHA512
a24f69baffdc55212974e0cfdeaa752509ec7cd2e80be9d9f613fe79cde44f9c194721ae3d6edac3fde4a11bd0b525485be50d95a73da8ae1852424e2613e53a

Download Submit
C:\Windows\System32\tYNJegq.exe

Filesize
1.7MB

MD5
3691411680d33d7cd61a479e46c87808

SHA1
f549e65d0c677914950c150e9befe74d67105bc0

SHA256
ce58ab044572a6f0f12431aa67ff7721f2ba4f7fa43104441aec32ce91befe0c

SHA512
1b6a874d82c8a2b925d9304a4ab6c53a2e1780bc680bf5837e03966e36db40350948036f49017e0dabd08ee985cc3ccc7e9ecf3af39a82384a21aefde3bd10b0

Download Submit
C:\Windows\System32\trUwWJu.exe

Filesize
1.7MB

MD5
f5905bb27b4331f0f4b130ef84a9ed21

SHA1
716ea4fecb2bbe81e606cbcdaa729f7f0c47014f

SHA256
bc83dff29b00cf50eb7aa1b7fa7a26923e19825906a964ca9b55728c7fcd9019

SHA512
207baed3c3afb3fb31c46d1af2e607219dd04d7de49ceb2687f3664e6451959eb1edbf97c6b807ea037d3daf41c1559cf58cf62d2e5755adf4e69d8047a47439

Download Submit
C:\Windows\System32\uIwdfeZ.exe

Filesize
1.7MB

MD5
1b444e6b8fc7f39b13780dad35608cea

SHA1
82f98bc3d5be3990b15457aa39adcfec736d0faa

SHA256
68e12a618a32cf2d529ac44404368b13f7b67839e85e4fb4e74166d725c40d9a

SHA512
5a952d29f14a6524f3cf75eef7528716a1dd4fd6aa079f39fcfdd2facb1bab1abcebfaf98a060a80f532bff691e4b8dbc7d5df89fc5a5f14329370535a10c9e0

Download Submit
C:\Windows\System32\xgrHYPm.exe

Filesize
1.7MB

MD5
d3aa6b7893436949a58a00b7df8a7812

SHA1
06e0e74c60677bce114fec78df4e08499361b2f6

SHA256
bbe38b897ad2dfe0facee70cafb8e9687fa3b4bb2281bd4fd49abdb2bb27d6da

SHA512
569f0b4e6b77942b38a9b894c785899931d066ded9c63c3a4050c81a738b12566b9f14dab1591592b408a7754f427801017e3a4601b65e6513db4269ae6bb3ae

Download Submit
memory/400-473-0x00007FF6C6BA0000-0x00007FF6C6F91000-memory.dmp

Filesize
3.9MB

Download
memory/400-2051-0x00007FF6C6BA0000-0x00007FF6C6F91000-memory.dmp

Filesize
3.9MB

Download
memory/548-2057-0x00007FF7F0A30000-0x00007FF7F0E21000-memory.dmp

Filesize
3.9MB

Download
memory/548-504-0x00007FF7F0A30000-0x00007FF7F0E21000-memory.dmp

Filesize
3.9MB

Download
memory/856-535-0x00007FF71E4E0000-0x00007FF71E8D1000-memory.dmp

Filesize
3.9MB

Download
memory/856-2061-0x00007FF71E4E0000-0x00007FF71E8D1000-memory.dmp

Filesize
3.9MB

Download
memory/1060-1994-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp

Filesize
3.9MB

Download
memory/1060-2043-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp

Filesize
3.9MB

Download
memory/1060-40-0x00007FF6E1680000-0x00007FF6E1A71000-memory.dmp

Filesize
3.9MB

Download
memory/1420-28-0x00007FF74D250000-0x00007FF74D641000-memory.dmp

Filesize
3.9MB

Download
memory/1420-1992-0x00007FF74D250000-0x00007FF74D641000-memory.dmp

Filesize
3.9MB

Download
memory/1420-2041-0x00007FF74D250000-0x00007FF74D641000-memory.dmp

Filesize
3.9MB

Download
memory/1540-448-0x00007FF6D0460000-0x00007FF6D0851000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2047-0x00007FF6D0460000-0x00007FF6D0851000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2069-0x00007FF670CD0000-0x00007FF6710C1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-578-0x00007FF670CD0000-0x00007FF6710C1000-memory.dmp

Filesize
3.9MB

Download
memory/1856-550-0x00007FF786690000-0x00007FF786A81000-memory.dmp

Filesize
3.9MB

Download
memory/1856-2063-0x00007FF786690000-0x00007FF786A81000-memory.dmp

Filesize
3.9MB

Download
memory/1896-2079-0x00007FF61BC80000-0x00007FF61C071000-memory.dmp

Filesize
3.9MB

Download
memory/1896-581-0x00007FF61BC80000-0x00007FF61C071000-memory.dmp

Filesize
3.9MB

Download
memory/2208-572-0x00007FF63D7E0000-0x00007FF63DBD1000-memory.dmp

Filesize
3.9MB

Download
memory/2208-2071-0x00007FF63D7E0000-0x00007FF63DBD1000-memory.dmp

Filesize
3.9MB

Download
memory/2480-1-0x000001B7F7CE0000-0x000001B7F7CF0000-memory.dmp

Filesize
64KB

Download
memory/2480-1989-0x00007FF7DD780000-0x00007FF7DDB71000-memory.dmp

Filesize
3.9MB

Download
memory/2480-0-0x00007FF7DD780000-0x00007FF7DDB71000-memory.dmp

Filesize
3.9MB

Download
memory/2720-15-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp

Filesize
3.9MB

Download
memory/2720-2037-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp

Filesize
3.9MB

Download
memory/2720-1990-0x00007FF62C750000-0x00007FF62CB41000-memory.dmp

Filesize
3.9MB

Download
memory/2752-2035-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-1991-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp

Filesize
3.9MB

Download
memory/2752-21-0x00007FF6453E0000-0x00007FF6457D1000-memory.dmp

Filesize
3.9MB

Download
memory/3064-11-0x00007FF65F750000-0x00007FF65FB41000-memory.dmp

Filesize
3.9MB

Download
memory/3064-2033-0x00007FF65F750000-0x00007FF65FB41000-memory.dmp

Filesize
3.9MB

Download
memory/3384-451-0x00007FF75DBC0000-0x00007FF75DFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3384-2053-0x00007FF75DBC0000-0x00007FF75DFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-2067-0x00007FF696220000-0x00007FF696611000-memory.dmp

Filesize
3.9MB

Download
memory/3624-569-0x00007FF696220000-0x00007FF696611000-memory.dmp

Filesize
3.9MB

Download
memory/4076-499-0x00007FF6FE050000-0x00007FF6FE441000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2055-0x00007FF6FE050000-0x00007FF6FE441000-memory.dmp

Filesize
3.9MB

Download
memory/4092-2039-0x00007FF69C580000-0x00007FF69C971000-memory.dmp

Filesize
3.9MB

Download
memory/4092-1993-0x00007FF69C580000-0x00007FF69C971000-memory.dmp

Filesize
3.9MB

Download
memory/4092-32-0x00007FF69C580000-0x00007FF69C971000-memory.dmp

Filesize
3.9MB

Download
memory/4116-2075-0x00007FF6ECA90000-0x00007FF6ECE81000-memory.dmp

Filesize
3.9MB

Download
memory/4116-590-0x00007FF6ECA90000-0x00007FF6ECE81000-memory.dmp

Filesize
3.9MB

Download
memory/4140-43-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4140-2029-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4140-2045-0x00007FF75C5B0000-0x00007FF75C9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-2059-0x00007FF7CD180000-0x00007FF7CD571000-memory.dmp

Filesize
3.9MB

Download
memory/4436-531-0x00007FF7CD180000-0x00007FF7CD571000-memory.dmp

Filesize
3.9MB

Download
memory/4560-2077-0x00007FF776100000-0x00007FF7764F1000-memory.dmp

Filesize
3.9MB

Download
memory/4560-587-0x00007FF776100000-0x00007FF7764F1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-2065-0x00007FF6085C0000-0x00007FF6089B1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-560-0x00007FF6085C0000-0x00007FF6089B1000-memory.dmp

Filesize
3.9MB

Download
memory/5048-2073-0x00007FF797530000-0x00007FF797921000-memory.dmp

Filesize
3.9MB

Download
memory/5048-594-0x00007FF797530000-0x00007FF797921000-memory.dmp

Filesize
3.9MB

Download
memory/5112-2049-0x00007FF6D00D0000-0x00007FF6D04C1000-memory.dmp

Filesize
3.9MB

Download
memory/5112-435-0x00007FF6D00D0000-0x00007FF6D04C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads