xmrig | ddc30c9d282248bf363dc64b313d23d70bc8f07c33f7142f9faec64c519c0fd7

Analysis

max time kernel
135s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
Size

2.6MB
MD5

2aa70a9623043f89f5253d3d59f9d9f0
SHA1

2c64f1e6a6cf1220aebe87e787909a9da0abd32c
SHA256

ddc30c9d282248bf363dc64b313d23d70bc8f07c33f7142f9faec64c519c0fd7
SHA512

25dcaf4c54edb8935a6dd4ef5eeb5fad02aaeadc068a87b5c21cfd3f711a9d87306cdb2fb831e8d89b3c011c052ea8d0c26f9268c2efb84d834792063471bb63
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8Dzcd+XRqJZwTKvr:N0GnJMOWPClFdx6e0EALKWVTffZiPAc2

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2812-0-0x00007FF775320000-0x00007FF775715000-memory.dmp	xmrig
behavioral2/files/0x0007000000023278-5.dat	xmrig
behavioral2/files/0x00090000000233d8-9.dat	xmrig
behavioral2/files/0x00070000000233e3-16.dat	xmrig
behavioral2/files/0x00070000000233e4-22.dat	xmrig
behavioral2/files/0x00070000000233e5-27.dat	xmrig
behavioral2/files/0x00070000000233e7-37.dat	xmrig
behavioral2/files/0x00070000000233e8-40.dat	xmrig
behavioral2/files/0x00070000000233ea-52.dat	xmrig
behavioral2/files/0x00070000000233f3-97.dat	xmrig
behavioral2/files/0x00070000000233f6-112.dat	xmrig
behavioral2/files/0x00070000000233ff-155.dat	xmrig
behavioral2/files/0x0007000000023400-162.dat	xmrig
behavioral2/files/0x00070000000233fe-152.dat	xmrig
behavioral2/files/0x00070000000233fd-147.dat	xmrig
behavioral2/files/0x00070000000233fc-142.dat	xmrig
behavioral2/files/0x00070000000233fb-137.dat	xmrig
behavioral2/files/0x00070000000233fa-132.dat	xmrig
behavioral2/files/0x00070000000233f9-127.dat	xmrig
behavioral2/files/0x00070000000233f8-122.dat	xmrig
behavioral2/files/0x00070000000233f7-117.dat	xmrig
behavioral2/files/0x00070000000233f5-107.dat	xmrig
behavioral2/files/0x00070000000233f4-102.dat	xmrig
behavioral2/files/0x00070000000233f2-92.dat	xmrig
behavioral2/files/0x00070000000233f1-87.dat	xmrig
behavioral2/files/0x00070000000233f0-82.dat	xmrig
behavioral2/files/0x00070000000233ef-77.dat	xmrig
behavioral2/files/0x00070000000233ee-72.dat	xmrig
behavioral2/files/0x00070000000233ed-67.dat	xmrig
behavioral2/files/0x00070000000233ec-62.dat	xmrig
behavioral2/files/0x00070000000233eb-57.dat	xmrig
behavioral2/files/0x00070000000233e9-47.dat	xmrig
behavioral2/files/0x00070000000233e6-32.dat	xmrig
behavioral2/memory/2580-14-0x00007FF732010000-0x00007FF732405000-memory.dmp	xmrig
behavioral2/memory/3128-760-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp	xmrig
behavioral2/memory/3868-763-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp	xmrig
behavioral2/memory/60-769-0x00007FF729E40000-0x00007FF72A235000-memory.dmp	xmrig
behavioral2/memory/2772-774-0x00007FF693170000-0x00007FF693565000-memory.dmp	xmrig
behavioral2/memory/1120-782-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp	xmrig
behavioral2/memory/696-808-0x00007FF7DEBD0000-0x00007FF7DEFC5000-memory.dmp	xmrig
behavioral2/memory/928-814-0x00007FF7440A0000-0x00007FF744495000-memory.dmp	xmrig
behavioral2/memory/3412-818-0x00007FF688ED0000-0x00007FF6892C5000-memory.dmp	xmrig
behavioral2/memory/5060-838-0x00007FF765150000-0x00007FF765545000-memory.dmp	xmrig
behavioral2/memory/1940-836-0x00007FF7FBCE0000-0x00007FF7FC0D5000-memory.dmp	xmrig
behavioral2/memory/3524-828-0x00007FF71CDA0000-0x00007FF71D195000-memory.dmp	xmrig
behavioral2/memory/2172-844-0x00007FF7F84F0000-0x00007FF7F88E5000-memory.dmp	xmrig
behavioral2/memory/536-854-0x00007FF770310000-0x00007FF770705000-memory.dmp	xmrig
behavioral2/memory/3196-856-0x00007FF7F6720000-0x00007FF7F6B15000-memory.dmp	xmrig
behavioral2/memory/1032-862-0x00007FF754030000-0x00007FF754425000-memory.dmp	xmrig
behavioral2/memory/1884-873-0x00007FF605B20000-0x00007FF605F15000-memory.dmp	xmrig
behavioral2/memory/3272-875-0x00007FF6F6EF0000-0x00007FF6F72E5000-memory.dmp	xmrig
behavioral2/memory/2668-879-0x00007FF6E7DD0000-0x00007FF6E81C5000-memory.dmp	xmrig
behavioral2/memory/4196-883-0x00007FF6727A0000-0x00007FF672B95000-memory.dmp	xmrig
behavioral2/memory/2680-850-0x00007FF6EEB40000-0x00007FF6EEF35000-memory.dmp	xmrig
behavioral2/memory/3076-889-0x00007FF7D8990000-0x00007FF7D8D85000-memory.dmp	xmrig
behavioral2/memory/4140-896-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp	xmrig
behavioral2/memory/1400-891-0x00007FF693F20000-0x00007FF694315000-memory.dmp	xmrig
behavioral2/memory/2812-1945-0x00007FF775320000-0x00007FF775715000-memory.dmp	xmrig
behavioral2/memory/3128-1947-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp	xmrig
behavioral2/memory/2580-1948-0x00007FF732010000-0x00007FF732405000-memory.dmp	xmrig
behavioral2/memory/4140-1949-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp	xmrig
behavioral2/memory/1400-1946-0x00007FF693F20000-0x00007FF694315000-memory.dmp	xmrig
behavioral2/memory/3868-1951-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp	xmrig
behavioral2/memory/1120-1952-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2580	RwNLKNa.exe
1400	ybszoos.exe
3128	CGHStnp.exe
4140	BxtdfGm.exe
3868	oyXpjMk.exe
60	RFrLXrY.exe
2772	WXNAyeT.exe
1120	vAbOeYB.exe
696	ZrpuarI.exe
928	dKrVByl.exe
3412	iXipJAG.exe
3524	IxUEEqW.exe
1940	aHJESJW.exe
5060	oaaHwHI.exe
2172	bcCuRgN.exe
2680	JYeRoDk.exe
536	MJMFJUV.exe
3196	KvaFhyq.exe
1032	vWWzmeK.exe
1884	vvKdoVr.exe
3272	pYcaHtU.exe
2668	kBZJrVB.exe
4196	TcXZRjI.exe
3076	LsGprPu.exe
2296	OBZotZx.exe
856	gXraXnh.exe
4512	uWkWZPv.exe
2316	xZYCMxH.exe
1384	gxrBiSs.exe
1100	sLekagQ.exe
2204	lbovXIq.exe
3844	TMpXoDF.exe
216	xaPPfZy.exe
4588	cThsfVR.exe
4912	hobZryw.exe
2016	yuPCeMW.exe
1712	hbdzbRo.exe
3708	hhQNZvD.exe
1556	oTnhZhn.exe
2044	oNYatzF.exe
4464	RacEOKT.exe
4224	KcIZLVP.exe
3696	kwjPuWw.exe
3528	esQhuXI.exe
1904	epocZPx.exe
2584	OKZKXNw.exe
3308	QfTjxwj.exe
5112	CxiJCWn.exe
1200	HpjHyKU.exe
3156	fQakUrU.exe
2360	GqeqFHU.exe
1116	kktZotg.exe
2424	niKicTv.exe
3848	bXDAYXj.exe
2272	fzplVRt.exe
1004	XvaDCfL.exe
3436	mQVFBfJ.exe
2404	phXwOJp.exe
3492	fskJjZD.exe
2688	DFOwCSM.exe
924	MBtbdSx.exe
3924	oWcJXkG.exe
3704	OEZymuL.exe
1504	ZDtFoHf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2812-0-0x00007FF775320000-0x00007FF775715000-memory.dmp	upx
behavioral2/files/0x0007000000023278-5.dat	upx
behavioral2/files/0x00090000000233d8-9.dat	upx
behavioral2/files/0x00070000000233e3-16.dat	upx
behavioral2/files/0x00070000000233e4-22.dat	upx
behavioral2/files/0x00070000000233e5-27.dat	upx
behavioral2/files/0x00070000000233e7-37.dat	upx
behavioral2/files/0x00070000000233e8-40.dat	upx
behavioral2/files/0x00070000000233ea-52.dat	upx
behavioral2/files/0x00070000000233f3-97.dat	upx
behavioral2/files/0x00070000000233f6-112.dat	upx
behavioral2/files/0x00070000000233ff-155.dat	upx
behavioral2/files/0x0007000000023400-162.dat	upx
behavioral2/files/0x00070000000233fe-152.dat	upx
behavioral2/files/0x00070000000233fd-147.dat	upx
behavioral2/files/0x00070000000233fc-142.dat	upx
behavioral2/files/0x00070000000233fb-137.dat	upx
behavioral2/files/0x00070000000233fa-132.dat	upx
behavioral2/files/0x00070000000233f9-127.dat	upx
behavioral2/files/0x00070000000233f8-122.dat	upx
behavioral2/files/0x00070000000233f7-117.dat	upx
behavioral2/files/0x00070000000233f5-107.dat	upx
behavioral2/files/0x00070000000233f4-102.dat	upx
behavioral2/files/0x00070000000233f2-92.dat	upx
behavioral2/files/0x00070000000233f1-87.dat	upx
behavioral2/files/0x00070000000233f0-82.dat	upx
behavioral2/files/0x00070000000233ef-77.dat	upx
behavioral2/files/0x00070000000233ee-72.dat	upx
behavioral2/files/0x00070000000233ed-67.dat	upx
behavioral2/files/0x00070000000233ec-62.dat	upx
behavioral2/files/0x00070000000233eb-57.dat	upx
behavioral2/files/0x00070000000233e9-47.dat	upx
behavioral2/files/0x00070000000233e6-32.dat	upx
behavioral2/memory/2580-14-0x00007FF732010000-0x00007FF732405000-memory.dmp	upx
behavioral2/memory/3128-760-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp	upx
behavioral2/memory/3868-763-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp	upx
behavioral2/memory/60-769-0x00007FF729E40000-0x00007FF72A235000-memory.dmp	upx
behavioral2/memory/2772-774-0x00007FF693170000-0x00007FF693565000-memory.dmp	upx
behavioral2/memory/1120-782-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp	upx
behavioral2/memory/696-808-0x00007FF7DEBD0000-0x00007FF7DEFC5000-memory.dmp	upx
behavioral2/memory/928-814-0x00007FF7440A0000-0x00007FF744495000-memory.dmp	upx
behavioral2/memory/3412-818-0x00007FF688ED0000-0x00007FF6892C5000-memory.dmp	upx
behavioral2/memory/5060-838-0x00007FF765150000-0x00007FF765545000-memory.dmp	upx
behavioral2/memory/1940-836-0x00007FF7FBCE0000-0x00007FF7FC0D5000-memory.dmp	upx
behavioral2/memory/3524-828-0x00007FF71CDA0000-0x00007FF71D195000-memory.dmp	upx
behavioral2/memory/2172-844-0x00007FF7F84F0000-0x00007FF7F88E5000-memory.dmp	upx
behavioral2/memory/536-854-0x00007FF770310000-0x00007FF770705000-memory.dmp	upx
behavioral2/memory/3196-856-0x00007FF7F6720000-0x00007FF7F6B15000-memory.dmp	upx
behavioral2/memory/1032-862-0x00007FF754030000-0x00007FF754425000-memory.dmp	upx
behavioral2/memory/1884-873-0x00007FF605B20000-0x00007FF605F15000-memory.dmp	upx
behavioral2/memory/3272-875-0x00007FF6F6EF0000-0x00007FF6F72E5000-memory.dmp	upx
behavioral2/memory/2668-879-0x00007FF6E7DD0000-0x00007FF6E81C5000-memory.dmp	upx
behavioral2/memory/4196-883-0x00007FF6727A0000-0x00007FF672B95000-memory.dmp	upx
behavioral2/memory/2680-850-0x00007FF6EEB40000-0x00007FF6EEF35000-memory.dmp	upx
behavioral2/memory/3076-889-0x00007FF7D8990000-0x00007FF7D8D85000-memory.dmp	upx
behavioral2/memory/4140-896-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp	upx
behavioral2/memory/1400-891-0x00007FF693F20000-0x00007FF694315000-memory.dmp	upx
behavioral2/memory/2812-1945-0x00007FF775320000-0x00007FF775715000-memory.dmp	upx
behavioral2/memory/3128-1947-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp	upx
behavioral2/memory/2580-1948-0x00007FF732010000-0x00007FF732405000-memory.dmp	upx
behavioral2/memory/4140-1949-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp	upx
behavioral2/memory/1400-1946-0x00007FF693F20000-0x00007FF694315000-memory.dmp	upx
behavioral2/memory/3868-1951-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp	upx
behavioral2/memory/1120-1952-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\veUfnlV.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cFoxrRz.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\rICcbRb.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\oaaHwHI.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\PxUMaRU.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XZUSiOK.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sqIertA.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\GXNSTzm.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KpdMsos.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\aMmyPIj.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\bJsRikb.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\TMpXoDF.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\GzSnhUO.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uSzcJiF.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\WrmqzmN.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\bQjNotY.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\WGDnMjB.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BDbKeLp.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\YTNVpjK.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\nZfEyLc.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZOtFshE.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\OAXJYvh.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cTGphxS.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\aHJESJW.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sLekagQ.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\EaIPNBR.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\wlWnNpt.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\qqCymOG.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xCxIqGp.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\DIpZGUs.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\TeTwKMV.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XhhKtQs.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sXhOPzS.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\suVduuq.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\FBiszbS.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\iLiTsFb.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\MqtgqtN.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\kLwiMuq.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\PlwMCEr.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cxmGeNA.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\VGWsLvB.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sIoMAAk.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\TMOqtQY.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\yNdmSLe.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\MAsWiEY.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\dlBfPKb.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\YVcyGMJ.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ETFsHhp.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KcIZLVP.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\MBtbdSx.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\dFrKMKs.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uyGaMAX.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XQxxNPZ.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\bweMOLg.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\JXNcmSa.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZnIBOQp.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\yQLlEZf.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\QrIyxZX.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\hbdzbRo.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xpkRrgs.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cKZXxmm.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KAPFJqr.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uIRibKw.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
File created	C:\Windows\System32\EeEpBtr.exe	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12852	dwm.exe
Token: SeChangeNotifyPrivilege	12852	dwm.exe
Token: 33	12852	dwm.exe
Token: SeIncBasePriorityPrivilege	12852	dwm.exe
Token: SeShutdownPrivilege	12852	dwm.exe
Token: SeCreatePagefilePrivilege	12852	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2580	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 2580	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	83
PID 2812 wrote to memory of 1400	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	84
PID 2812 wrote to memory of 1400	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	84
PID 2812 wrote to memory of 3128	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	85
PID 2812 wrote to memory of 3128	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	85
PID 2812 wrote to memory of 4140	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	86
PID 2812 wrote to memory of 4140	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	86
PID 2812 wrote to memory of 3868	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	87
PID 2812 wrote to memory of 3868	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	87
PID 2812 wrote to memory of 60	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	88
PID 2812 wrote to memory of 60	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	88
PID 2812 wrote to memory of 2772	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	89
PID 2812 wrote to memory of 2772	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	89
PID 2812 wrote to memory of 1120	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	90
PID 2812 wrote to memory of 1120	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	90
PID 2812 wrote to memory of 696	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	91
PID 2812 wrote to memory of 696	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	91
PID 2812 wrote to memory of 928	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	92
PID 2812 wrote to memory of 928	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	92
PID 2812 wrote to memory of 3412	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	93
PID 2812 wrote to memory of 3412	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	93
PID 2812 wrote to memory of 3524	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	94
PID 2812 wrote to memory of 3524	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	94
PID 2812 wrote to memory of 1940	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	95
PID 2812 wrote to memory of 1940	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	95
PID 2812 wrote to memory of 5060	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	96
PID 2812 wrote to memory of 5060	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	96
PID 2812 wrote to memory of 2172	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	97
PID 2812 wrote to memory of 2172	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	97
PID 2812 wrote to memory of 2680	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	98
PID 2812 wrote to memory of 2680	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	98
PID 2812 wrote to memory of 536	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	99
PID 2812 wrote to memory of 536	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	99
PID 2812 wrote to memory of 3196	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	100
PID 2812 wrote to memory of 3196	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	100
PID 2812 wrote to memory of 1032	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	101
PID 2812 wrote to memory of 1032	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	101
PID 2812 wrote to memory of 1884	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	102
PID 2812 wrote to memory of 1884	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	102
PID 2812 wrote to memory of 3272	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	103
PID 2812 wrote to memory of 3272	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	103
PID 2812 wrote to memory of 2668	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	104
PID 2812 wrote to memory of 2668	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	104
PID 2812 wrote to memory of 4196	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	105
PID 2812 wrote to memory of 4196	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	105
PID 2812 wrote to memory of 3076	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	106
PID 2812 wrote to memory of 3076	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	106
PID 2812 wrote to memory of 2296	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	107
PID 2812 wrote to memory of 2296	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	107
PID 2812 wrote to memory of 856	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	108
PID 2812 wrote to memory of 856	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	108
PID 2812 wrote to memory of 4512	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	109
PID 2812 wrote to memory of 4512	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	109
PID 2812 wrote to memory of 2316	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	110
PID 2812 wrote to memory of 2316	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	110
PID 2812 wrote to memory of 1384	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	111
PID 2812 wrote to memory of 1384	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	111
PID 2812 wrote to memory of 1100	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	112
PID 2812 wrote to memory of 1100	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	112
PID 2812 wrote to memory of 2204	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	113
PID 2812 wrote to memory of 2204	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	113
PID 2812 wrote to memory of 3844	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	114
PID 2812 wrote to memory of 3844	2812	2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2aa70a9623043f89f5253d3d59f9d9f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\System32\RwNLKNa.exe
  C:\Windows\System32\RwNLKNa.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\ybszoos.exe
  C:\Windows\System32\ybszoos.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System32\CGHStnp.exe
  C:\Windows\System32\CGHStnp.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\BxtdfGm.exe
  C:\Windows\System32\BxtdfGm.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\oyXpjMk.exe
  C:\Windows\System32\oyXpjMk.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\RFrLXrY.exe
  C:\Windows\System32\RFrLXrY.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\WXNAyeT.exe
  C:\Windows\System32\WXNAyeT.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\vAbOeYB.exe
  C:\Windows\System32\vAbOeYB.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\ZrpuarI.exe
  C:\Windows\System32\ZrpuarI.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\dKrVByl.exe
  C:\Windows\System32\dKrVByl.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\iXipJAG.exe
  C:\Windows\System32\iXipJAG.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\IxUEEqW.exe
  C:\Windows\System32\IxUEEqW.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\aHJESJW.exe
  C:\Windows\System32\aHJESJW.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System32\oaaHwHI.exe
  C:\Windows\System32\oaaHwHI.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\bcCuRgN.exe
  C:\Windows\System32\bcCuRgN.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\JYeRoDk.exe
  C:\Windows\System32\JYeRoDk.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\MJMFJUV.exe
  C:\Windows\System32\MJMFJUV.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\KvaFhyq.exe
  C:\Windows\System32\KvaFhyq.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\vWWzmeK.exe
  C:\Windows\System32\vWWzmeK.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\vvKdoVr.exe
  C:\Windows\System32\vvKdoVr.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System32\pYcaHtU.exe
  C:\Windows\System32\pYcaHtU.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\kBZJrVB.exe
  C:\Windows\System32\kBZJrVB.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\TcXZRjI.exe
  C:\Windows\System32\TcXZRjI.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System32\LsGprPu.exe
  C:\Windows\System32\LsGprPu.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System32\OBZotZx.exe
  C:\Windows\System32\OBZotZx.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\gXraXnh.exe
  C:\Windows\System32\gXraXnh.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System32\uWkWZPv.exe
  C:\Windows\System32\uWkWZPv.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\xZYCMxH.exe
  C:\Windows\System32\xZYCMxH.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\gxrBiSs.exe
  C:\Windows\System32\gxrBiSs.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\sLekagQ.exe
  C:\Windows\System32\sLekagQ.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\lbovXIq.exe
  C:\Windows\System32\lbovXIq.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System32\TMpXoDF.exe
  C:\Windows\System32\TMpXoDF.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\xaPPfZy.exe
  C:\Windows\System32\xaPPfZy.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\cThsfVR.exe
  C:\Windows\System32\cThsfVR.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\hobZryw.exe
  C:\Windows\System32\hobZryw.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\yuPCeMW.exe
  C:\Windows\System32\yuPCeMW.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\hbdzbRo.exe
  C:\Windows\System32\hbdzbRo.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\hhQNZvD.exe
  C:\Windows\System32\hhQNZvD.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\oTnhZhn.exe
  C:\Windows\System32\oTnhZhn.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\oNYatzF.exe
  C:\Windows\System32\oNYatzF.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\RacEOKT.exe
  C:\Windows\System32\RacEOKT.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\KcIZLVP.exe
  C:\Windows\System32\KcIZLVP.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\kwjPuWw.exe
  C:\Windows\System32\kwjPuWw.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\esQhuXI.exe
  C:\Windows\System32\esQhuXI.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\epocZPx.exe
  C:\Windows\System32\epocZPx.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\OKZKXNw.exe
  C:\Windows\System32\OKZKXNw.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System32\QfTjxwj.exe
  C:\Windows\System32\QfTjxwj.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\CxiJCWn.exe
  C:\Windows\System32\CxiJCWn.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\HpjHyKU.exe
  C:\Windows\System32\HpjHyKU.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System32\fQakUrU.exe
  C:\Windows\System32\fQakUrU.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\GqeqFHU.exe
  C:\Windows\System32\GqeqFHU.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System32\kktZotg.exe
  C:\Windows\System32\kktZotg.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\niKicTv.exe
  C:\Windows\System32\niKicTv.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\bXDAYXj.exe
  C:\Windows\System32\bXDAYXj.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\fzplVRt.exe
  C:\Windows\System32\fzplVRt.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\XvaDCfL.exe
  C:\Windows\System32\XvaDCfL.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\mQVFBfJ.exe
  C:\Windows\System32\mQVFBfJ.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\phXwOJp.exe
  C:\Windows\System32\phXwOJp.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\fskJjZD.exe
  C:\Windows\System32\fskJjZD.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\DFOwCSM.exe
  C:\Windows\System32\DFOwCSM.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\MBtbdSx.exe
  C:\Windows\System32\MBtbdSx.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\oWcJXkG.exe
  C:\Windows\System32\oWcJXkG.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\OEZymuL.exe
  C:\Windows\System32\OEZymuL.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\ZDtFoHf.exe
  C:\Windows\System32\ZDtFoHf.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\EaIPNBR.exe
  C:\Windows\System32\EaIPNBR.exe
  2⤵
  PID:4872
- C:\Windows\System32\qyiHLMq.exe
  C:\Windows\System32\qyiHLMq.exe
  2⤵
  PID:4772
- C:\Windows\System32\PbxyWAX.exe
  C:\Windows\System32\PbxyWAX.exe
  2⤵
  PID:3464
- C:\Windows\System32\qUrTZhG.exe
  C:\Windows\System32\qUrTZhG.exe
  2⤵
  PID:3404
- C:\Windows\System32\NXpOGwT.exe
  C:\Windows\System32\NXpOGwT.exe
  2⤵
  PID:4192
- C:\Windows\System32\oyjkyEp.exe
  C:\Windows\System32\oyjkyEp.exe
  2⤵
  PID:3264
- C:\Windows\System32\lPjqWMV.exe
  C:\Windows\System32\lPjqWMV.exe
  2⤵
  PID:1744
- C:\Windows\System32\HdtaSnK.exe
  C:\Windows\System32\HdtaSnK.exe
  2⤵
  PID:1440
- C:\Windows\System32\mIvScWv.exe
  C:\Windows\System32\mIvScWv.exe
  2⤵
  PID:4396
- C:\Windows\System32\sXhOPzS.exe
  C:\Windows\System32\sXhOPzS.exe
  2⤵
  PID:4384
- C:\Windows\System32\pNVynqp.exe
  C:\Windows\System32\pNVynqp.exe
  2⤵
  PID:2236
- C:\Windows\System32\SoCKwnk.exe
  C:\Windows\System32\SoCKwnk.exe
  2⤵
  PID:2020
- C:\Windows\System32\bQjNotY.exe
  C:\Windows\System32\bQjNotY.exe
  2⤵
  PID:4920
- C:\Windows\System32\xQcfyFF.exe
  C:\Windows\System32\xQcfyFF.exe
  2⤵
  PID:1692
- C:\Windows\System32\zVpTqKG.exe
  C:\Windows\System32\zVpTqKG.exe
  2⤵
  PID:1628
- C:\Windows\System32\vdtlHRT.exe
  C:\Windows\System32\vdtlHRT.exe
  2⤵
  PID:3176
- C:\Windows\System32\DlyyhWU.exe
  C:\Windows\System32\DlyyhWU.exe
  2⤵
  PID:4312
- C:\Windows\System32\znPkxVt.exe
  C:\Windows\System32\znPkxVt.exe
  2⤵
  PID:2376
- C:\Windows\System32\fhetylw.exe
  C:\Windows\System32\fhetylw.exe
  2⤵
  PID:3188
- C:\Windows\System32\zUJrBUR.exe
  C:\Windows\System32\zUJrBUR.exe
  2⤵
  PID:1808
- C:\Windows\System32\SNsiqor.exe
  C:\Windows\System32\SNsiqor.exe
  2⤵
  PID:2008
- C:\Windows\System32\DttWHHt.exe
  C:\Windows\System32\DttWHHt.exe
  2⤵
  PID:2124
- C:\Windows\System32\rwyeSrm.exe
  C:\Windows\System32\rwyeSrm.exe
  2⤵
  PID:384
- C:\Windows\System32\HSRRVCo.exe
  C:\Windows\System32\HSRRVCo.exe
  2⤵
  PID:3824
- C:\Windows\System32\MdLuZJm.exe
  C:\Windows\System32\MdLuZJm.exe
  2⤵
  PID:5140
- C:\Windows\System32\iLiTsFb.exe
  C:\Windows\System32\iLiTsFb.exe
  2⤵
  PID:5168
- C:\Windows\System32\KPFESmo.exe
  C:\Windows\System32\KPFESmo.exe
  2⤵
  PID:5204
- C:\Windows\System32\wUnmNhG.exe
  C:\Windows\System32\wUnmNhG.exe
  2⤵
  PID:5224
- C:\Windows\System32\uIRibKw.exe
  C:\Windows\System32\uIRibKw.exe
  2⤵
  PID:5260
- C:\Windows\System32\OqUiiUF.exe
  C:\Windows\System32\OqUiiUF.exe
  2⤵
  PID:5288
- C:\Windows\System32\uXeElcr.exe
  C:\Windows\System32\uXeElcr.exe
  2⤵
  PID:5316
- C:\Windows\System32\BJqRrUw.exe
  C:\Windows\System32\BJqRrUw.exe
  2⤵
  PID:5336
- C:\Windows\System32\mDEbGZf.exe
  C:\Windows\System32\mDEbGZf.exe
  2⤵
  PID:5364
- C:\Windows\System32\suVduuq.exe
  C:\Windows\System32\suVduuq.exe
  2⤵
  PID:5392
- C:\Windows\System32\uxiKhJm.exe
  C:\Windows\System32\uxiKhJm.exe
  2⤵
  PID:5420
- C:\Windows\System32\qBmUBfQ.exe
  C:\Windows\System32\qBmUBfQ.exe
  2⤵
  PID:5448
- C:\Windows\System32\AKGfBZk.exe
  C:\Windows\System32\AKGfBZk.exe
  2⤵
  PID:5476
- C:\Windows\System32\ipBSMAx.exe
  C:\Windows\System32\ipBSMAx.exe
  2⤵
  PID:5504
- C:\Windows\System32\gUcSKxl.exe
  C:\Windows\System32\gUcSKxl.exe
  2⤵
  PID:5544
- C:\Windows\System32\fLkzGDB.exe
  C:\Windows\System32\fLkzGDB.exe
  2⤵
  PID:5560
- C:\Windows\System32\DoROKfb.exe
  C:\Windows\System32\DoROKfb.exe
  2⤵
  PID:5588
- C:\Windows\System32\bQeKoGC.exe
  C:\Windows\System32\bQeKoGC.exe
  2⤵
  PID:5616
- C:\Windows\System32\kRbITox.exe
  C:\Windows\System32\kRbITox.exe
  2⤵
  PID:5644
- C:\Windows\System32\QMtZMfX.exe
  C:\Windows\System32\QMtZMfX.exe
  2⤵
  PID:5672
- C:\Windows\System32\zPVKsBD.exe
  C:\Windows\System32\zPVKsBD.exe
  2⤵
  PID:5700
- C:\Windows\System32\zWSoalB.exe
  C:\Windows\System32\zWSoalB.exe
  2⤵
  PID:5728
- C:\Windows\System32\fLrUJja.exe
  C:\Windows\System32\fLrUJja.exe
  2⤵
  PID:5764
- C:\Windows\System32\KpdMsos.exe
  C:\Windows\System32\KpdMsos.exe
  2⤵
  PID:5784
- C:\Windows\System32\IkDcCcd.exe
  C:\Windows\System32\IkDcCcd.exe
  2⤵
  PID:5812
- C:\Windows\System32\gomRFoi.exe
  C:\Windows\System32\gomRFoi.exe
  2⤵
  PID:5840
- C:\Windows\System32\eavBqId.exe
  C:\Windows\System32\eavBqId.exe
  2⤵
  PID:5868
- C:\Windows\System32\TMOqtQY.exe
  C:\Windows\System32\TMOqtQY.exe
  2⤵
  PID:5896
- C:\Windows\System32\iNXxGFX.exe
  C:\Windows\System32\iNXxGFX.exe
  2⤵
  PID:5924
- C:\Windows\System32\tmTGJZl.exe
  C:\Windows\System32\tmTGJZl.exe
  2⤵
  PID:5952
- C:\Windows\System32\UZzrcfo.exe
  C:\Windows\System32\UZzrcfo.exe
  2⤵
  PID:5988
- C:\Windows\System32\vqLcIck.exe
  C:\Windows\System32\vqLcIck.exe
  2⤵
  PID:6008
- C:\Windows\System32\FCuurfN.exe
  C:\Windows\System32\FCuurfN.exe
  2⤵
  PID:6036
- C:\Windows\System32\ZzjVdDY.exe
  C:\Windows\System32\ZzjVdDY.exe
  2⤵
  PID:6064
- C:\Windows\System32\tLpyKXq.exe
  C:\Windows\System32\tLpyKXq.exe
  2⤵
  PID:6092
- C:\Windows\System32\OZnmVQE.exe
  C:\Windows\System32\OZnmVQE.exe
  2⤵
  PID:6128
- C:\Windows\System32\yZOlyXc.exe
  C:\Windows\System32\yZOlyXc.exe
  2⤵
  PID:4832
- C:\Windows\System32\GSlNYfv.exe
  C:\Windows\System32\GSlNYfv.exe
  2⤵
  PID:2188
- C:\Windows\System32\dMRjrGS.exe
  C:\Windows\System32\dMRjrGS.exe
  2⤵
  PID:1944
- C:\Windows\System32\taTCCDL.exe
  C:\Windows\System32\taTCCDL.exe
  2⤵
  PID:3872
- C:\Windows\System32\ceevXOo.exe
  C:\Windows\System32\ceevXOo.exe
  2⤵
  PID:1488
- C:\Windows\System32\CuYtrHu.exe
  C:\Windows\System32\CuYtrHu.exe
  2⤵
  PID:1536
- C:\Windows\System32\wQDJwAx.exe
  C:\Windows\System32\wQDJwAx.exe
  2⤵
  PID:5164
- C:\Windows\System32\RzvlUeK.exe
  C:\Windows\System32\RzvlUeK.exe
  2⤵
  PID:5200
- C:\Windows\System32\SACpzvc.exe
  C:\Windows\System32\SACpzvc.exe
  2⤵
  PID:5276
- C:\Windows\System32\MqtgqtN.exe
  C:\Windows\System32\MqtgqtN.exe
  2⤵
  PID:5328
- C:\Windows\System32\Fykkpyj.exe
  C:\Windows\System32\Fykkpyj.exe
  2⤵
  PID:5404
- C:\Windows\System32\WrsZAlx.exe
  C:\Windows\System32\WrsZAlx.exe
  2⤵
  PID:5472
- C:\Windows\System32\tzDKllv.exe
  C:\Windows\System32\tzDKllv.exe
  2⤵
  PID:5528
- C:\Windows\System32\HmfhWwW.exe
  C:\Windows\System32\HmfhWwW.exe
  2⤵
  PID:5600
- C:\Windows\System32\aMmyPIj.exe
  C:\Windows\System32\aMmyPIj.exe
  2⤵
  PID:5668
- C:\Windows\System32\pJyAHdf.exe
  C:\Windows\System32\pJyAHdf.exe
  2⤵
  PID:5716
- C:\Windows\System32\DfWldYq.exe
  C:\Windows\System32\DfWldYq.exe
  2⤵
  PID:5796
- C:\Windows\System32\WGDnMjB.exe
  C:\Windows\System32\WGDnMjB.exe
  2⤵
  PID:5864
- C:\Windows\System32\QmyTban.exe
  C:\Windows\System32\QmyTban.exe
  2⤵
  PID:5948
- C:\Windows\System32\ZnYCQCN.exe
  C:\Windows\System32\ZnYCQCN.exe
  2⤵
  PID:5984
- C:\Windows\System32\TksXMgz.exe
  C:\Windows\System32\TksXMgz.exe
  2⤵
  PID:6060
- C:\Windows\System32\fMhWLMO.exe
  C:\Windows\System32\fMhWLMO.exe
  2⤵
  PID:6108
- C:\Windows\System32\zyWhVLY.exe
  C:\Windows\System32\zyWhVLY.exe
  2⤵
  PID:3140
- C:\Windows\System32\oIbMvnY.exe
  C:\Windows\System32\oIbMvnY.exe
  2⤵
  PID:4864
- C:\Windows\System32\jXlzTqQ.exe
  C:\Windows\System32\jXlzTqQ.exe
  2⤵
  PID:4744
- C:\Windows\System32\XDrkUGi.exe
  C:\Windows\System32\XDrkUGi.exe
  2⤵
  PID:5304
- C:\Windows\System32\pnPangW.exe
  C:\Windows\System32\pnPangW.exe
  2⤵
  PID:5460
- C:\Windows\System32\bNAzUcY.exe
  C:\Windows\System32\bNAzUcY.exe
  2⤵
  PID:5572
- C:\Windows\System32\NsAYMjX.exe
  C:\Windows\System32\NsAYMjX.exe
  2⤵
  PID:5688
- C:\Windows\System32\aHyniiE.exe
  C:\Windows\System32\aHyniiE.exe
  2⤵
  PID:5920
- C:\Windows\System32\pUWAcsQ.exe
  C:\Windows\System32\pUWAcsQ.exe
  2⤵
  PID:6088
- C:\Windows\System32\RxceCxC.exe
  C:\Windows\System32\RxceCxC.exe
  2⤵
  PID:1720
- C:\Windows\System32\EsIMspV.exe
  C:\Windows\System32\EsIMspV.exe
  2⤵
  PID:5192
- C:\Windows\System32\pgsEVVH.exe
  C:\Windows\System32\pgsEVVH.exe
  2⤵
  PID:5520
- C:\Windows\System32\zSvKCok.exe
  C:\Windows\System32\zSvKCok.exe
  2⤵
  PID:6172
- C:\Windows\System32\jrllQMR.exe
  C:\Windows\System32\jrllQMR.exe
  2⤵
  PID:6200
- C:\Windows\System32\VfCzsjs.exe
  C:\Windows\System32\VfCzsjs.exe
  2⤵
  PID:6228
- C:\Windows\System32\gKNcbXO.exe
  C:\Windows\System32\gKNcbXO.exe
  2⤵
  PID:6256
- C:\Windows\System32\bzvGszv.exe
  C:\Windows\System32\bzvGszv.exe
  2⤵
  PID:6284
- C:\Windows\System32\IAbSzcT.exe
  C:\Windows\System32\IAbSzcT.exe
  2⤵
  PID:6312
- C:\Windows\System32\Tyklwfz.exe
  C:\Windows\System32\Tyklwfz.exe
  2⤵
  PID:6340
- C:\Windows\System32\tMgvvWN.exe
  C:\Windows\System32\tMgvvWN.exe
  2⤵
  PID:6368
- C:\Windows\System32\xxkWXDE.exe
  C:\Windows\System32\xxkWXDE.exe
  2⤵
  PID:6396
- C:\Windows\System32\GahLAbf.exe
  C:\Windows\System32\GahLAbf.exe
  2⤵
  PID:6424
- C:\Windows\System32\PxUMaRU.exe
  C:\Windows\System32\PxUMaRU.exe
  2⤵
  PID:6452
- C:\Windows\System32\QBlUWWi.exe
  C:\Windows\System32\QBlUWWi.exe
  2⤵
  PID:6480
- C:\Windows\System32\fzbCqZA.exe
  C:\Windows\System32\fzbCqZA.exe
  2⤵
  PID:6508
- C:\Windows\System32\QzRddzq.exe
  C:\Windows\System32\QzRddzq.exe
  2⤵
  PID:6536
- C:\Windows\System32\QSquKRY.exe
  C:\Windows\System32\QSquKRY.exe
  2⤵
  PID:6564
- C:\Windows\System32\yNdmSLe.exe
  C:\Windows\System32\yNdmSLe.exe
  2⤵
  PID:6592
- C:\Windows\System32\rjKpOXB.exe
  C:\Windows\System32\rjKpOXB.exe
  2⤵
  PID:6620
- C:\Windows\System32\maoUEFX.exe
  C:\Windows\System32\maoUEFX.exe
  2⤵
  PID:6656
- C:\Windows\System32\YTNVpjK.exe
  C:\Windows\System32\YTNVpjK.exe
  2⤵
  PID:6676
- C:\Windows\System32\ByyvXBz.exe
  C:\Windows\System32\ByyvXBz.exe
  2⤵
  PID:6704
- C:\Windows\System32\aYGqlnk.exe
  C:\Windows\System32\aYGqlnk.exe
  2⤵
  PID:6732
- C:\Windows\System32\rfpoWQh.exe
  C:\Windows\System32\rfpoWQh.exe
  2⤵
  PID:6760
- C:\Windows\System32\dqIKqyW.exe
  C:\Windows\System32\dqIKqyW.exe
  2⤵
  PID:6788
- C:\Windows\System32\AQPIhdJ.exe
  C:\Windows\System32\AQPIhdJ.exe
  2⤵
  PID:6816
- C:\Windows\System32\yZbOvfY.exe
  C:\Windows\System32\yZbOvfY.exe
  2⤵
  PID:6844
- C:\Windows\System32\HmsLAzv.exe
  C:\Windows\System32\HmsLAzv.exe
  2⤵
  PID:6872
- C:\Windows\System32\XbayQrH.exe
  C:\Windows\System32\XbayQrH.exe
  2⤵
  PID:6908
- C:\Windows\System32\LungCcf.exe
  C:\Windows\System32\LungCcf.exe
  2⤵
  PID:6928
- C:\Windows\System32\aDzRPpL.exe
  C:\Windows\System32\aDzRPpL.exe
  2⤵
  PID:6956
- C:\Windows\System32\cMMkIrJ.exe
  C:\Windows\System32\cMMkIrJ.exe
  2⤵
  PID:6984
- C:\Windows\System32\bRElNgN.exe
  C:\Windows\System32\bRElNgN.exe
  2⤵
  PID:7012
- C:\Windows\System32\OiJhhrF.exe
  C:\Windows\System32\OiJhhrF.exe
  2⤵
  PID:7040
- C:\Windows\System32\RrXltXi.exe
  C:\Windows\System32\RrXltXi.exe
  2⤵
  PID:7068
- C:\Windows\System32\AzBpWKW.exe
  C:\Windows\System32\AzBpWKW.exe
  2⤵
  PID:7096
- C:\Windows\System32\xhOAVQw.exe
  C:\Windows\System32\xhOAVQw.exe
  2⤵
  PID:7124
- C:\Windows\System32\BnaZBVN.exe
  C:\Windows\System32\BnaZBVN.exe
  2⤵
  PID:7152
- C:\Windows\System32\JLZWpIx.exe
  C:\Windows\System32\JLZWpIx.exe
  2⤵
  PID:5724
- C:\Windows\System32\CqyAiHA.exe
  C:\Windows\System32\CqyAiHA.exe
  2⤵
  PID:6020
- C:\Windows\System32\fzZzxFl.exe
  C:\Windows\System32\fzZzxFl.exe
  2⤵
  PID:5352
- C:\Windows\System32\VFuRFcH.exe
  C:\Windows\System32\VFuRFcH.exe
  2⤵
  PID:6196
- C:\Windows\System32\QRvzoSq.exe
  C:\Windows\System32\QRvzoSq.exe
  2⤵
  PID:6252
- C:\Windows\System32\MrIaHKH.exe
  C:\Windows\System32\MrIaHKH.exe
  2⤵
  PID:6308
- C:\Windows\System32\eCpbbeU.exe
  C:\Windows\System32\eCpbbeU.exe
  2⤵
  PID:6356
- C:\Windows\System32\SpbukQE.exe
  C:\Windows\System32\SpbukQE.exe
  2⤵
  PID:6436
- C:\Windows\System32\wxPUooo.exe
  C:\Windows\System32\wxPUooo.exe
  2⤵
  PID:6504
- C:\Windows\System32\eCeGlln.exe
  C:\Windows\System32\eCeGlln.exe
  2⤵
  PID:6560
- C:\Windows\System32\MuyaXOB.exe
  C:\Windows\System32\MuyaXOB.exe
  2⤵
  PID:6608
- C:\Windows\System32\GzSnhUO.exe
  C:\Windows\System32\GzSnhUO.exe
  2⤵
  PID:6688
- C:\Windows\System32\PBSYbeB.exe
  C:\Windows\System32\PBSYbeB.exe
  2⤵
  PID:6744
- C:\Windows\System32\biImWvO.exe
  C:\Windows\System32\biImWvO.exe
  2⤵
  PID:6800
- C:\Windows\System32\tirUHwn.exe
  C:\Windows\System32\tirUHwn.exe
  2⤵
  PID:4404
- C:\Windows\System32\QeANCah.exe
  C:\Windows\System32\QeANCah.exe
  2⤵
  PID:6904
- C:\Windows\System32\uwfckAb.exe
  C:\Windows\System32\uwfckAb.exe
  2⤵
  PID:6980
- C:\Windows\System32\HnUusIw.exe
  C:\Windows\System32\HnUusIw.exe
  2⤵
  PID:7036
- C:\Windows\System32\oKzzKfg.exe
  C:\Windows\System32\oKzzKfg.exe
  2⤵
  PID:7092
- C:\Windows\System32\dFrKMKs.exe
  C:\Windows\System32\dFrKMKs.exe
  2⤵
  PID:7148
- C:\Windows\System32\USTrEma.exe
  C:\Windows\System32\USTrEma.exe
  2⤵
  PID:5976
- C:\Windows\System32\jisXpdG.exe
  C:\Windows\System32\jisXpdG.exe
  2⤵
  PID:6156
- C:\Windows\System32\jmHvHGh.exe
  C:\Windows\System32\jmHvHGh.exe
  2⤵
  PID:4556
- C:\Windows\System32\HlqBNXA.exe
  C:\Windows\System32\HlqBNXA.exe
  2⤵
  PID:6412
- C:\Windows\System32\EjMqnKm.exe
  C:\Windows\System32\EjMqnKm.exe
  2⤵
  PID:6532
- C:\Windows\System32\jaAbjLr.exe
  C:\Windows\System32\jaAbjLr.exe
  2⤵
  PID:6652
- C:\Windows\System32\xYYFMDq.exe
  C:\Windows\System32\xYYFMDq.exe
  2⤵
  PID:3496
- C:\Windows\System32\mIjSAYu.exe
  C:\Windows\System32\mIjSAYu.exe
  2⤵
  PID:6884
- C:\Windows\System32\bVKATyi.exe
  C:\Windows\System32\bVKATyi.exe
  2⤵
  PID:2956
- C:\Windows\System32\YzYLvTW.exe
  C:\Windows\System32\YzYLvTW.exe
  2⤵
  PID:2004
- C:\Windows\System32\tSEcKSy.exe
  C:\Windows\System32\tSEcKSy.exe
  2⤵
  PID:4756
- C:\Windows\System32\bweMOLg.exe
  C:\Windows\System32\bweMOLg.exe
  2⤵
  PID:6364
- C:\Windows\System32\LrDQOYL.exe
  C:\Windows\System32\LrDQOYL.exe
  2⤵
  PID:3672
- C:\Windows\System32\nNwxZWn.exe
  C:\Windows\System32\nNwxZWn.exe
  2⤵
  PID:2436
- C:\Windows\System32\xfzGpJx.exe
  C:\Windows\System32\xfzGpJx.exe
  2⤵
  PID:1132
- C:\Windows\System32\lrLIySU.exe
  C:\Windows\System32\lrLIySU.exe
  2⤵
  PID:4592
- C:\Windows\System32\IdbnklL.exe
  C:\Windows\System32\IdbnklL.exe
  2⤵
  PID:1588
- C:\Windows\System32\NibVlyF.exe
  C:\Windows\System32\NibVlyF.exe
  2⤵
  PID:2336
- C:\Windows\System32\JVWHhoV.exe
  C:\Windows\System32\JVWHhoV.exe
  2⤵
  PID:624
- C:\Windows\System32\JXNcmSa.exe
  C:\Windows\System32\JXNcmSa.exe
  2⤵
  PID:724
- C:\Windows\System32\XqIjCxG.exe
  C:\Windows\System32\XqIjCxG.exe
  2⤵
  PID:6476
- C:\Windows\System32\WqwCVJO.exe
  C:\Windows\System32\WqwCVJO.exe
  2⤵
  PID:1208
- C:\Windows\System32\EeEpBtr.exe
  C:\Windows\System32\EeEpBtr.exe
  2⤵
  PID:7192
- C:\Windows\System32\uofFNeb.exe
  C:\Windows\System32\uofFNeb.exe
  2⤵
  PID:7208
- C:\Windows\System32\BDbKeLp.exe
  C:\Windows\System32\BDbKeLp.exe
  2⤵
  PID:7252
- C:\Windows\System32\BXIDBZZ.exe
  C:\Windows\System32\BXIDBZZ.exe
  2⤵
  PID:7268
- C:\Windows\System32\cVauQLJ.exe
  C:\Windows\System32\cVauQLJ.exe
  2⤵
  PID:7300
- C:\Windows\System32\JVTorgu.exe
  C:\Windows\System32\JVTorgu.exe
  2⤵
  PID:7332
- C:\Windows\System32\ZyFmmGX.exe
  C:\Windows\System32\ZyFmmGX.exe
  2⤵
  PID:7348
- C:\Windows\System32\wyztLyz.exe
  C:\Windows\System32\wyztLyz.exe
  2⤵
  PID:7376
- C:\Windows\System32\jfalrjX.exe
  C:\Windows\System32\jfalrjX.exe
  2⤵
  PID:7408
- C:\Windows\System32\UtkGspd.exe
  C:\Windows\System32\UtkGspd.exe
  2⤵
  PID:7436
- C:\Windows\System32\nZfEyLc.exe
  C:\Windows\System32\nZfEyLc.exe
  2⤵
  PID:7452
- C:\Windows\System32\OPOVSCR.exe
  C:\Windows\System32\OPOVSCR.exe
  2⤵
  PID:7472
- C:\Windows\System32\lfdzJMt.exe
  C:\Windows\System32\lfdzJMt.exe
  2⤵
  PID:7512
- C:\Windows\System32\aTMZMMA.exe
  C:\Windows\System32\aTMZMMA.exe
  2⤵
  PID:7564
- C:\Windows\System32\jVlexii.exe
  C:\Windows\System32\jVlexii.exe
  2⤵
  PID:7584
- C:\Windows\System32\rKbGCIS.exe
  C:\Windows\System32\rKbGCIS.exe
  2⤵
  PID:7604
- C:\Windows\System32\kyynRTR.exe
  C:\Windows\System32\kyynRTR.exe
  2⤵
  PID:7628
- C:\Windows\System32\MAsWiEY.exe
  C:\Windows\System32\MAsWiEY.exe
  2⤵
  PID:7652
- C:\Windows\System32\Iggjtpe.exe
  C:\Windows\System32\Iggjtpe.exe
  2⤵
  PID:7716
- C:\Windows\System32\XdRzwtY.exe
  C:\Windows\System32\XdRzwtY.exe
  2⤵
  PID:7764
- C:\Windows\System32\pshkHPQ.exe
  C:\Windows\System32\pshkHPQ.exe
  2⤵
  PID:7832
- C:\Windows\System32\oFJnQDP.exe
  C:\Windows\System32\oFJnQDP.exe
  2⤵
  PID:7856
- C:\Windows\System32\RXtNXKA.exe
  C:\Windows\System32\RXtNXKA.exe
  2⤵
  PID:7880
- C:\Windows\System32\kLwiMuq.exe
  C:\Windows\System32\kLwiMuq.exe
  2⤵
  PID:7900
- C:\Windows\System32\XXcmBjz.exe
  C:\Windows\System32\XXcmBjz.exe
  2⤵
  PID:7940
- C:\Windows\System32\AnOqnAF.exe
  C:\Windows\System32\AnOqnAF.exe
  2⤵
  PID:7960
- C:\Windows\System32\bilRXjq.exe
  C:\Windows\System32\bilRXjq.exe
  2⤵
  PID:7984
- C:\Windows\System32\jPIscGY.exe
  C:\Windows\System32\jPIscGY.exe
  2⤵
  PID:8048
- C:\Windows\System32\YcHPEQR.exe
  C:\Windows\System32\YcHPEQR.exe
  2⤵
  PID:8096
- C:\Windows\System32\QVHuifY.exe
  C:\Windows\System32\QVHuifY.exe
  2⤵
  PID:8128
- C:\Windows\System32\UGggbAn.exe
  C:\Windows\System32\UGggbAn.exe
  2⤵
  PID:8156
- C:\Windows\System32\oevUwZL.exe
  C:\Windows\System32\oevUwZL.exe
  2⤵
  PID:4768
- C:\Windows\System32\cDSmLjQ.exe
  C:\Windows\System32\cDSmLjQ.exe
  2⤵
  PID:7220
- C:\Windows\System32\bHbXOFM.exe
  C:\Windows\System32\bHbXOFM.exe
  2⤵
  PID:7292
- C:\Windows\System32\kgxdaXj.exe
  C:\Windows\System32\kgxdaXj.exe
  2⤵
  PID:7340
- C:\Windows\System32\YWNsyid.exe
  C:\Windows\System32\YWNsyid.exe
  2⤵
  PID:7420
- C:\Windows\System32\RbeeSEA.exe
  C:\Windows\System32\RbeeSEA.exe
  2⤵
  PID:7484
- C:\Windows\System32\gNHTbjf.exe
  C:\Windows\System32\gNHTbjf.exe
  2⤵
  PID:7532
- C:\Windows\System32\OnskaNw.exe
  C:\Windows\System32\OnskaNw.exe
  2⤵
  PID:7644
- C:\Windows\System32\DFbvsSk.exe
  C:\Windows\System32\DFbvsSk.exe
  2⤵
  PID:7828
- C:\Windows\System32\wOtiiDL.exe
  C:\Windows\System32\wOtiiDL.exe
  2⤵
  PID:7464
- C:\Windows\System32\FBiszbS.exe
  C:\Windows\System32\FBiszbS.exe
  2⤵
  PID:7976
- C:\Windows\System32\RPefNab.exe
  C:\Windows\System32\RPefNab.exe
  2⤵
  PID:8040
- C:\Windows\System32\SkshnRs.exe
  C:\Windows\System32\SkshnRs.exe
  2⤵
  PID:8164
- C:\Windows\System32\GMNZWaH.exe
  C:\Windows\System32\GMNZWaH.exe
  2⤵
  PID:7872
- C:\Windows\System32\jokBzzy.exe
  C:\Windows\System32\jokBzzy.exe
  2⤵
  PID:3004
- C:\Windows\System32\nHLuRiP.exe
  C:\Windows\System32\nHLuRiP.exe
  2⤵
  PID:7324
- C:\Windows\System32\XliLnmk.exe
  C:\Windows\System32\XliLnmk.exe
  2⤵
  PID:8136
- C:\Windows\System32\WahNZIV.exe
  C:\Windows\System32\WahNZIV.exe
  2⤵
  PID:7488
- C:\Windows\System32\EQJcTPV.exe
  C:\Windows\System32\EQJcTPV.exe
  2⤵
  PID:7592
- C:\Windows\System32\MmAmYgd.exe
  C:\Windows\System32\MmAmYgd.exe
  2⤵
  PID:7784
- C:\Windows\System32\JXsYgxE.exe
  C:\Windows\System32\JXsYgxE.exe
  2⤵
  PID:7848
- C:\Windows\System32\QkwQoRh.exe
  C:\Windows\System32\QkwQoRh.exe
  2⤵
  PID:7224
- C:\Windows\System32\KbYgSKJ.exe
  C:\Windows\System32\KbYgSKJ.exe
  2⤵
  PID:7972
- C:\Windows\System32\nHpQswN.exe
  C:\Windows\System32\nHpQswN.exe
  2⤵
  PID:7728
- C:\Windows\System32\YinoaRL.exe
  C:\Windows\System32\YinoaRL.exe
  2⤵
  PID:7204
- C:\Windows\System32\HquEouF.exe
  C:\Windows\System32\HquEouF.exe
  2⤵
  PID:7448
- C:\Windows\System32\HUfVkGh.exe
  C:\Windows\System32\HUfVkGh.exe
  2⤵
  PID:7788
- C:\Windows\System32\RAgTwBX.exe
  C:\Windows\System32\RAgTwBX.exe
  2⤵
  PID:7804
- C:\Windows\System32\DrepKfR.exe
  C:\Windows\System32\DrepKfR.exe
  2⤵
  PID:7544
- C:\Windows\System32\UdvhHci.exe
  C:\Windows\System32\UdvhHci.exe
  2⤵
  PID:8168
- C:\Windows\System32\JuJnwwc.exe
  C:\Windows\System32\JuJnwwc.exe
  2⤵
  PID:3160
- C:\Windows\System32\dGSaYxz.exe
  C:\Windows\System32\dGSaYxz.exe
  2⤵
  PID:8104
- C:\Windows\System32\ZLRylUH.exe
  C:\Windows\System32\ZLRylUH.exe
  2⤵
  PID:8196
- C:\Windows\System32\jErtpYx.exe
  C:\Windows\System32\jErtpYx.exe
  2⤵
  PID:8228
- C:\Windows\System32\QSXLLhm.exe
  C:\Windows\System32\QSXLLhm.exe
  2⤵
  PID:8256
- C:\Windows\System32\UlHrRdy.exe
  C:\Windows\System32\UlHrRdy.exe
  2⤵
  PID:8292
- C:\Windows\System32\EyhQIEi.exe
  C:\Windows\System32\EyhQIEi.exe
  2⤵
  PID:8312
- C:\Windows\System32\viaLuoY.exe
  C:\Windows\System32\viaLuoY.exe
  2⤵
  PID:8344
- C:\Windows\System32\FZtKBfv.exe
  C:\Windows\System32\FZtKBfv.exe
  2⤵
  PID:8372
- C:\Windows\System32\ouhnQMb.exe
  C:\Windows\System32\ouhnQMb.exe
  2⤵
  PID:8400
- C:\Windows\System32\MPkfrcx.exe
  C:\Windows\System32\MPkfrcx.exe
  2⤵
  PID:8428
- C:\Windows\System32\VKoaCqb.exe
  C:\Windows\System32\VKoaCqb.exe
  2⤵
  PID:8460
- C:\Windows\System32\jmtkcjZ.exe
  C:\Windows\System32\jmtkcjZ.exe
  2⤵
  PID:8488
- C:\Windows\System32\tkUDABS.exe
  C:\Windows\System32\tkUDABS.exe
  2⤵
  PID:8512
- C:\Windows\System32\VRlMdTO.exe
  C:\Windows\System32\VRlMdTO.exe
  2⤵
  PID:8544
- C:\Windows\System32\iGGvavM.exe
  C:\Windows\System32\iGGvavM.exe
  2⤵
  PID:8572
- C:\Windows\System32\soxEofv.exe
  C:\Windows\System32\soxEofv.exe
  2⤵
  PID:8600
- C:\Windows\System32\wbYKxed.exe
  C:\Windows\System32\wbYKxed.exe
  2⤵
  PID:8628
- C:\Windows\System32\UbFdkZD.exe
  C:\Windows\System32\UbFdkZD.exe
  2⤵
  PID:8644
- C:\Windows\System32\dlBfPKb.exe
  C:\Windows\System32\dlBfPKb.exe
  2⤵
  PID:8672
- C:\Windows\System32\PmNSraM.exe
  C:\Windows\System32\PmNSraM.exe
  2⤵
  PID:8712
- C:\Windows\System32\bJsRikb.exe
  C:\Windows\System32\bJsRikb.exe
  2⤵
  PID:8740
- C:\Windows\System32\KcxKjHY.exe
  C:\Windows\System32\KcxKjHY.exe
  2⤵
  PID:8756
- C:\Windows\System32\CSaokMZ.exe
  C:\Windows\System32\CSaokMZ.exe
  2⤵
  PID:8792
- C:\Windows\System32\TIFnxXr.exe
  C:\Windows\System32\TIFnxXr.exe
  2⤵
  PID:8824
- C:\Windows\System32\ZnIBOQp.exe
  C:\Windows\System32\ZnIBOQp.exe
  2⤵
  PID:8852
- C:\Windows\System32\bzcxddk.exe
  C:\Windows\System32\bzcxddk.exe
  2⤵
  PID:8872
- C:\Windows\System32\bkvUajh.exe
  C:\Windows\System32\bkvUajh.exe
  2⤵
  PID:8920
- C:\Windows\System32\lsIPhBw.exe
  C:\Windows\System32\lsIPhBw.exe
  2⤵
  PID:8936
- C:\Windows\System32\sfVUJNG.exe
  C:\Windows\System32\sfVUJNG.exe
  2⤵
  PID:8952
- C:\Windows\System32\FMZtDKj.exe
  C:\Windows\System32\FMZtDKj.exe
  2⤵
  PID:8992
- C:\Windows\System32\skTYgnD.exe
  C:\Windows\System32\skTYgnD.exe
  2⤵
  PID:9020
- C:\Windows\System32\qHvwnxY.exe
  C:\Windows\System32\qHvwnxY.exe
  2⤵
  PID:9036
- C:\Windows\System32\lxOCMvJ.exe
  C:\Windows\System32\lxOCMvJ.exe
  2⤵
  PID:9076
- C:\Windows\System32\UZAzKDs.exe
  C:\Windows\System32\UZAzKDs.exe
  2⤵
  PID:9100
- C:\Windows\System32\rVvIMsZ.exe
  C:\Windows\System32\rVvIMsZ.exe
  2⤵
  PID:9128
- C:\Windows\System32\uXjwCDD.exe
  C:\Windows\System32\uXjwCDD.exe
  2⤵
  PID:9160
- C:\Windows\System32\qqCymOG.exe
  C:\Windows\System32\qqCymOG.exe
  2⤵
  PID:9192
- C:\Windows\System32\UsOgsdr.exe
  C:\Windows\System32\UsOgsdr.exe
  2⤵
  PID:9212
- C:\Windows\System32\KUjbEWt.exe
  C:\Windows\System32\KUjbEWt.exe
  2⤵
  PID:8224
- C:\Windows\System32\QyTipfw.exe
  C:\Windows\System32\QyTipfw.exe
  2⤵
  PID:8300
- C:\Windows\System32\MnyzJQE.exe
  C:\Windows\System32\MnyzJQE.exe
  2⤵
  PID:2136
- C:\Windows\System32\ZOtFshE.exe
  C:\Windows\System32\ZOtFshE.exe
  2⤵
  PID:8456
- C:\Windows\System32\wbAOwiY.exe
  C:\Windows\System32\wbAOwiY.exe
  2⤵
  PID:8504
- C:\Windows\System32\eNgiCBR.exe
  C:\Windows\System32\eNgiCBR.exe
  2⤵
  PID:8564
- C:\Windows\System32\AHrApaw.exe
  C:\Windows\System32\AHrApaw.exe
  2⤵
  PID:8612
- C:\Windows\System32\ZPpynQU.exe
  C:\Windows\System32\ZPpynQU.exe
  2⤵
  PID:8704
- C:\Windows\System32\wtOItrW.exe
  C:\Windows\System32\wtOItrW.exe
  2⤵
  PID:8748
- C:\Windows\System32\DLRMeKD.exe
  C:\Windows\System32\DLRMeKD.exe
  2⤵
  PID:8832
- C:\Windows\System32\uIupYeL.exe
  C:\Windows\System32\uIupYeL.exe
  2⤵
  PID:8880
- C:\Windows\System32\pgXgXZS.exe
  C:\Windows\System32\pgXgXZS.exe
  2⤵
  PID:8948
- C:\Windows\System32\uyGaMAX.exe
  C:\Windows\System32\uyGaMAX.exe
  2⤵
  PID:9016
- C:\Windows\System32\tLWzVQU.exe
  C:\Windows\System32\tLWzVQU.exe
  2⤵
  PID:2340
- C:\Windows\System32\WrhoMQQ.exe
  C:\Windows\System32\WrhoMQQ.exe
  2⤵
  PID:9068
- C:\Windows\System32\KVgumOK.exe
  C:\Windows\System32\KVgumOK.exe
  2⤵
  PID:9180
- C:\Windows\System32\bdTsVyl.exe
  C:\Windows\System32\bdTsVyl.exe
  2⤵
  PID:8276
- C:\Windows\System32\saalEgt.exe
  C:\Windows\System32\saalEgt.exe
  2⤵
  PID:5008
- C:\Windows\System32\jIDqFLZ.exe
  C:\Windows\System32\jIDqFLZ.exe
  2⤵
  PID:8568
- C:\Windows\System32\iSIijSc.exe
  C:\Windows\System32\iSIijSc.exe
  2⤵
  PID:8684
- C:\Windows\System32\htSVgmc.exe
  C:\Windows\System32\htSVgmc.exe
  2⤵
  PID:8800
- C:\Windows\System32\flXyejG.exe
  C:\Windows\System32\flXyejG.exe
  2⤵
  PID:7844
- C:\Windows\System32\jmAMgpc.exe
  C:\Windows\System32\jmAMgpc.exe
  2⤵
  PID:2612
- C:\Windows\System32\NVxnOgz.exe
  C:\Windows\System32\NVxnOgz.exe
  2⤵
  PID:9200
- C:\Windows\System32\sPGEGmc.exe
  C:\Windows\System32\sPGEGmc.exe
  2⤵
  PID:8636
- C:\Windows\System32\pWmUjGg.exe
  C:\Windows\System32\pWmUjGg.exe
  2⤵
  PID:8916
- C:\Windows\System32\sEFPnXG.exe
  C:\Windows\System32\sEFPnXG.exe
  2⤵
  PID:8356
- C:\Windows\System32\GgcDhcI.exe
  C:\Windows\System32\GgcDhcI.exe
  2⤵
  PID:9176
- C:\Windows\System32\PaSsrmF.exe
  C:\Windows\System32\PaSsrmF.exe
  2⤵
  PID:8868
- C:\Windows\System32\YyylqKo.exe
  C:\Windows\System32\YyylqKo.exe
  2⤵
  PID:9240
- C:\Windows\System32\ZCxwEEQ.exe
  C:\Windows\System32\ZCxwEEQ.exe
  2⤵
  PID:9268
- C:\Windows\System32\CWbDtiZ.exe
  C:\Windows\System32\CWbDtiZ.exe
  2⤵
  PID:9296
- C:\Windows\System32\TOMdUir.exe
  C:\Windows\System32\TOMdUir.exe
  2⤵
  PID:9324
- C:\Windows\System32\QanHkZn.exe
  C:\Windows\System32\QanHkZn.exe
  2⤵
  PID:9340
- C:\Windows\System32\jPBLMRX.exe
  C:\Windows\System32\jPBLMRX.exe
  2⤵
  PID:9368
- C:\Windows\System32\AgvZHks.exe
  C:\Windows\System32\AgvZHks.exe
  2⤵
  PID:9404
- C:\Windows\System32\nWDVfFB.exe
  C:\Windows\System32\nWDVfFB.exe
  2⤵
  PID:9436
- C:\Windows\System32\XZUSiOK.exe
  C:\Windows\System32\XZUSiOK.exe
  2⤵
  PID:9472
- C:\Windows\System32\cKFCucP.exe
  C:\Windows\System32\cKFCucP.exe
  2⤵
  PID:9500
- C:\Windows\System32\gAwCiMx.exe
  C:\Windows\System32\gAwCiMx.exe
  2⤵
  PID:9520
- C:\Windows\System32\sYGEWXn.exe
  C:\Windows\System32\sYGEWXn.exe
  2⤵
  PID:9556
- C:\Windows\System32\mKPpKuu.exe
  C:\Windows\System32\mKPpKuu.exe
  2⤵
  PID:9572
- C:\Windows\System32\ULAfzpi.exe
  C:\Windows\System32\ULAfzpi.exe
  2⤵
  PID:9604
- C:\Windows\System32\GodsSDO.exe
  C:\Windows\System32\GodsSDO.exe
  2⤵
  PID:9628
- C:\Windows\System32\xpkRrgs.exe
  C:\Windows\System32\xpkRrgs.exe
  2⤵
  PID:9660
- C:\Windows\System32\sqIertA.exe
  C:\Windows\System32\sqIertA.exe
  2⤵
  PID:9676
- C:\Windows\System32\BSuLqQo.exe
  C:\Windows\System32\BSuLqQo.exe
  2⤵
  PID:9728
- C:\Windows\System32\dtGwQQH.exe
  C:\Windows\System32\dtGwQQH.exe
  2⤵
  PID:9756
- C:\Windows\System32\EHeFBNn.exe
  C:\Windows\System32\EHeFBNn.exe
  2⤵
  PID:9784
- C:\Windows\System32\ixRlYbO.exe
  C:\Windows\System32\ixRlYbO.exe
  2⤵
  PID:9812
- C:\Windows\System32\ZJdxQBl.exe
  C:\Windows\System32\ZJdxQBl.exe
  2⤵
  PID:9840
- C:\Windows\System32\xLDsCGn.exe
  C:\Windows\System32\xLDsCGn.exe
  2⤵
  PID:9856
- C:\Windows\System32\uSzcJiF.exe
  C:\Windows\System32\uSzcJiF.exe
  2⤵
  PID:9884
- C:\Windows\System32\vEoVLXH.exe
  C:\Windows\System32\vEoVLXH.exe
  2⤵
  PID:9924
- C:\Windows\System32\TnVnusP.exe
  C:\Windows\System32\TnVnusP.exe
  2⤵
  PID:9940
- C:\Windows\System32\SPGcDAN.exe
  C:\Windows\System32\SPGcDAN.exe
  2⤵
  PID:9980
- C:\Windows\System32\dYVlomu.exe
  C:\Windows\System32\dYVlomu.exe
  2⤵
  PID:10000
- C:\Windows\System32\cKZXxmm.exe
  C:\Windows\System32\cKZXxmm.exe
  2⤵
  PID:10036
- C:\Windows\System32\dxhSKdm.exe
  C:\Windows\System32\dxhSKdm.exe
  2⤵
  PID:10064
- C:\Windows\System32\OjPebVK.exe
  C:\Windows\System32\OjPebVK.exe
  2⤵
  PID:10088
- C:\Windows\System32\GYYrLrY.exe
  C:\Windows\System32\GYYrLrY.exe
  2⤵
  PID:10108
- C:\Windows\System32\mlZQmzq.exe
  C:\Windows\System32\mlZQmzq.exe
  2⤵
  PID:10148
- C:\Windows\System32\GaKDVRO.exe
  C:\Windows\System32\GaKDVRO.exe
  2⤵
  PID:10176
- C:\Windows\System32\BOgqPuH.exe
  C:\Windows\System32\BOgqPuH.exe
  2⤵
  PID:10208
- C:\Windows\System32\BYSliVH.exe
  C:\Windows\System32\BYSliVH.exe
  2⤵
  PID:10232
- C:\Windows\System32\LEAoZTo.exe
  C:\Windows\System32\LEAoZTo.exe
  2⤵
  PID:9236
- C:\Windows\System32\PoNzRHb.exe
  C:\Windows\System32\PoNzRHb.exe
  2⤵
  PID:9336
- C:\Windows\System32\lCyPYpK.exe
  C:\Windows\System32\lCyPYpK.exe
  2⤵
  PID:9420
- C:\Windows\System32\zdbUHAX.exe
  C:\Windows\System32\zdbUHAX.exe
  2⤵
  PID:9468
- C:\Windows\System32\dYRAVhN.exe
  C:\Windows\System32\dYRAVhN.exe
  2⤵
  PID:9088
- C:\Windows\System32\MzTlYcq.exe
  C:\Windows\System32\MzTlYcq.exe
  2⤵
  PID:9568
- C:\Windows\System32\PnzYdCK.exe
  C:\Windows\System32\PnzYdCK.exe
  2⤵
  PID:9652
- C:\Windows\System32\PIVvfiG.exe
  C:\Windows\System32\PIVvfiG.exe
  2⤵
  PID:9696
- C:\Windows\System32\PlwMCEr.exe
  C:\Windows\System32\PlwMCEr.exe
  2⤵
  PID:9768
- C:\Windows\System32\AySRQhd.exe
  C:\Windows\System32\AySRQhd.exe
  2⤵
  PID:9848
- C:\Windows\System32\ECzwqiZ.exe
  C:\Windows\System32\ECzwqiZ.exe
  2⤵
  PID:9920
- C:\Windows\System32\KWEdMIr.exe
  C:\Windows\System32\KWEdMIr.exe
  2⤵
  PID:9988
- C:\Windows\System32\eidhvRp.exe
  C:\Windows\System32\eidhvRp.exe
  2⤵
  PID:10060
- C:\Windows\System32\neJeQBo.exe
  C:\Windows\System32\neJeQBo.exe
  2⤵
  PID:10132
- C:\Windows\System32\CchHZLG.exe
  C:\Windows\System32\CchHZLG.exe
  2⤵
  PID:10188
- C:\Windows\System32\ZuoZiFp.exe
  C:\Windows\System32\ZuoZiFp.exe
  2⤵
  PID:9292
- C:\Windows\System32\HPwUkpj.exe
  C:\Windows\System32\HPwUkpj.exe
  2⤵
  PID:9432
- C:\Windows\System32\WrmqzmN.exe
  C:\Windows\System32\WrmqzmN.exe
  2⤵
  PID:9552
- C:\Windows\System32\zBgFgDV.exe
  C:\Windows\System32\zBgFgDV.exe
  2⤵
  PID:9648
- C:\Windows\System32\mSvMGNV.exe
  C:\Windows\System32\mSvMGNV.exe
  2⤵
  PID:9876
- C:\Windows\System32\cNVngun.exe
  C:\Windows\System32\cNVngun.exe
  2⤵
  PID:10048
- C:\Windows\System32\OAXJYvh.exe
  C:\Windows\System32\OAXJYvh.exe
  2⤵
  PID:10184
- C:\Windows\System32\qcRvrxA.exe
  C:\Windows\System32\qcRvrxA.exe
  2⤵
  PID:9488
- C:\Windows\System32\nlAjAEv.exe
  C:\Windows\System32\nlAjAEv.exe
  2⤵
  PID:9656
- C:\Windows\System32\wPXPYuY.exe
  C:\Windows\System32\wPXPYuY.exe
  2⤵
  PID:9976
- C:\Windows\System32\SeIiABM.exe
  C:\Windows\System32\SeIiABM.exe
  2⤵
  PID:9396
- C:\Windows\System32\hwCLAuG.exe
  C:\Windows\System32\hwCLAuG.exe
  2⤵
  PID:10160
- C:\Windows\System32\KyCdvvA.exe
  C:\Windows\System32\KyCdvvA.exe
  2⤵
  PID:9960
- C:\Windows\System32\dqAozkM.exe
  C:\Windows\System32\dqAozkM.exe
  2⤵
  PID:10264
- C:\Windows\System32\sLqhfMG.exe
  C:\Windows\System32\sLqhfMG.exe
  2⤵
  PID:10292
- C:\Windows\System32\kbRMLvn.exe
  C:\Windows\System32\kbRMLvn.exe
  2⤵
  PID:10344
- C:\Windows\System32\hFBqKiD.exe
  C:\Windows\System32\hFBqKiD.exe
  2⤵
  PID:10360
- C:\Windows\System32\jYCiBJi.exe
  C:\Windows\System32\jYCiBJi.exe
  2⤵
  PID:10384
- C:\Windows\System32\VgusJlR.exe
  C:\Windows\System32\VgusJlR.exe
  2⤵
  PID:10404
- C:\Windows\System32\nodbTcw.exe
  C:\Windows\System32\nodbTcw.exe
  2⤵
  PID:10444
- C:\Windows\System32\ArPXxze.exe
  C:\Windows\System32\ArPXxze.exe
  2⤵
  PID:10472
- C:\Windows\System32\AoaMpaI.exe
  C:\Windows\System32\AoaMpaI.exe
  2⤵
  PID:10500
- C:\Windows\System32\JrQVoEW.exe
  C:\Windows\System32\JrQVoEW.exe
  2⤵
  PID:10528
- C:\Windows\System32\WtwhRIP.exe
  C:\Windows\System32\WtwhRIP.exe
  2⤵
  PID:10556
- C:\Windows\System32\gRNtqof.exe
  C:\Windows\System32\gRNtqof.exe
  2⤵
  PID:10584
- C:\Windows\System32\LiigqHz.exe
  C:\Windows\System32\LiigqHz.exe
  2⤵
  PID:10600
- C:\Windows\System32\YLILbQB.exe
  C:\Windows\System32\YLILbQB.exe
  2⤵
  PID:10628
- C:\Windows\System32\CncKTjt.exe
  C:\Windows\System32\CncKTjt.exe
  2⤵
  PID:10668
- C:\Windows\System32\dRkWoRA.exe
  C:\Windows\System32\dRkWoRA.exe
  2⤵
  PID:10696
- C:\Windows\System32\DaHbLps.exe
  C:\Windows\System32\DaHbLps.exe
  2⤵
  PID:10712
- C:\Windows\System32\sxOVGqe.exe
  C:\Windows\System32\sxOVGqe.exe
  2⤵
  PID:10740
- C:\Windows\System32\XCPXCIk.exe
  C:\Windows\System32\XCPXCIk.exe
  2⤵
  PID:10768
- C:\Windows\System32\kupVyEl.exe
  C:\Windows\System32\kupVyEl.exe
  2⤵
  PID:10796
- C:\Windows\System32\UWiiYds.exe
  C:\Windows\System32\UWiiYds.exe
  2⤵
  PID:10836
- C:\Windows\System32\cxmGeNA.exe
  C:\Windows\System32\cxmGeNA.exe
  2⤵
  PID:10852
- C:\Windows\System32\EaQXKYj.exe
  C:\Windows\System32\EaQXKYj.exe
  2⤵
  PID:10888
- C:\Windows\System32\pVESGNk.exe
  C:\Windows\System32\pVESGNk.exe
  2⤵
  PID:10912
- C:\Windows\System32\rfsyRiL.exe
  C:\Windows\System32\rfsyRiL.exe
  2⤵
  PID:10948
- C:\Windows\System32\siiycto.exe
  C:\Windows\System32\siiycto.exe
  2⤵
  PID:10964
- C:\Windows\System32\gzRuJyl.exe
  C:\Windows\System32\gzRuJyl.exe
  2⤵
  PID:10996
- C:\Windows\System32\cESiAsB.exe
  C:\Windows\System32\cESiAsB.exe
  2⤵
  PID:11020
- C:\Windows\System32\pKydhmO.exe
  C:\Windows\System32\pKydhmO.exe
  2⤵
  PID:11060
- C:\Windows\System32\xCxIqGp.exe
  C:\Windows\System32\xCxIqGp.exe
  2⤵
  PID:11080
- C:\Windows\System32\SdwAZdc.exe
  C:\Windows\System32\SdwAZdc.exe
  2⤵
  PID:11104
- C:\Windows\System32\JczNzSX.exe
  C:\Windows\System32\JczNzSX.exe
  2⤵
  PID:11136
- C:\Windows\System32\QXmZGri.exe
  C:\Windows\System32\QXmZGri.exe
  2⤵
  PID:11160
- C:\Windows\System32\nHsFXmC.exe
  C:\Windows\System32\nHsFXmC.exe
  2⤵
  PID:11188
- C:\Windows\System32\liOSsDy.exe
  C:\Windows\System32\liOSsDy.exe
  2⤵
  PID:11232
- C:\Windows\System32\CKJiEZB.exe
  C:\Windows\System32\CKJiEZB.exe
  2⤵
  PID:9316
- C:\Windows\System32\aKRUvle.exe
  C:\Windows\System32\aKRUvle.exe
  2⤵
  PID:10280
- C:\Windows\System32\xTAqEAI.exe
  C:\Windows\System32\xTAqEAI.exe
  2⤵
  PID:10352
- C:\Windows\System32\WSZVkqw.exe
  C:\Windows\System32\WSZVkqw.exe
  2⤵
  PID:10424
- C:\Windows\System32\axrtMNi.exe
  C:\Windows\System32\axrtMNi.exe
  2⤵
  PID:10492
- C:\Windows\System32\FbgjPlF.exe
  C:\Windows\System32\FbgjPlF.exe
  2⤵
  PID:3168
- C:\Windows\System32\GGZiMqR.exe
  C:\Windows\System32\GGZiMqR.exe
  2⤵
  PID:10612
- C:\Windows\System32\pUNxckT.exe
  C:\Windows\System32\pUNxckT.exe
  2⤵
  PID:10684
- C:\Windows\System32\PjjispP.exe
  C:\Windows\System32\PjjispP.exe
  2⤵
  PID:10764
- C:\Windows\System32\yLDOQhZ.exe
  C:\Windows\System32\yLDOQhZ.exe
  2⤵
  PID:10824
- C:\Windows\System32\meHIivy.exe
  C:\Windows\System32\meHIivy.exe
  2⤵
  PID:10844
- C:\Windows\System32\NTRxpMk.exe
  C:\Windows\System32\NTRxpMk.exe
  2⤵
  PID:10936
- C:\Windows\System32\aXKHWKm.exe
  C:\Windows\System32\aXKHWKm.exe
  2⤵
  PID:11012
- C:\Windows\System32\OjiQZUO.exe
  C:\Windows\System32\OjiQZUO.exe
  2⤵
  PID:11088
- C:\Windows\System32\JVnkPbM.exe
  C:\Windows\System32\JVnkPbM.exe
  2⤵
  PID:11116
- C:\Windows\System32\WszRjmh.exe
  C:\Windows\System32\WszRjmh.exe
  2⤵
  PID:11156
- C:\Windows\System32\YVcyGMJ.exe
  C:\Windows\System32\YVcyGMJ.exe
  2⤵
  PID:10256
- C:\Windows\System32\EJwaJlE.exe
  C:\Windows\System32\EJwaJlE.exe
  2⤵
  PID:10400
- C:\Windows\System32\Nzhwavj.exe
  C:\Windows\System32\Nzhwavj.exe
  2⤵
  PID:10544
- C:\Windows\System32\ccnYIVU.exe
  C:\Windows\System32\ccnYIVU.exe
  2⤵
  PID:10708
- C:\Windows\System32\DcwthPd.exe
  C:\Windows\System32\DcwthPd.exe
  2⤵
  PID:10832
- C:\Windows\System32\HUqlpmm.exe
  C:\Windows\System32\HUqlpmm.exe
  2⤵
  PID:10992
- C:\Windows\System32\oQIeXyi.exe
  C:\Windows\System32\oQIeXyi.exe
  2⤵
  PID:11172
- C:\Windows\System32\DIpZGUs.exe
  C:\Windows\System32\DIpZGUs.exe
  2⤵
  PID:11228
- C:\Windows\System32\DlwOZEv.exe
  C:\Windows\System32\DlwOZEv.exe
  2⤵
  PID:10680
- C:\Windows\System32\XieoHqm.exe
  C:\Windows\System32\XieoHqm.exe
  2⤵
  PID:11056
- C:\Windows\System32\veUfnlV.exe
  C:\Windows\System32\veUfnlV.exe
  2⤵
  PID:10576
- C:\Windows\System32\tTfIwAs.exe
  C:\Windows\System32\tTfIwAs.exe
  2⤵
  PID:11152
- C:\Windows\System32\IGScMgl.exe
  C:\Windows\System32\IGScMgl.exe
  2⤵
  PID:11296
- C:\Windows\System32\ARUnRjU.exe
  C:\Windows\System32\ARUnRjU.exe
  2⤵
  PID:11324
- C:\Windows\System32\UiiiFOA.exe
  C:\Windows\System32\UiiiFOA.exe
  2⤵
  PID:11352
- C:\Windows\System32\GiYXKfX.exe
  C:\Windows\System32\GiYXKfX.exe
  2⤵
  PID:11380
- C:\Windows\System32\IrZkvek.exe
  C:\Windows\System32\IrZkvek.exe
  2⤵
  PID:11408
- C:\Windows\System32\GvJfLtk.exe
  C:\Windows\System32\GvJfLtk.exe
  2⤵
  PID:11428
- C:\Windows\System32\zDbowdZ.exe
  C:\Windows\System32\zDbowdZ.exe
  2⤵
  PID:11452
- C:\Windows\System32\jXNFGWc.exe
  C:\Windows\System32\jXNFGWc.exe
  2⤵
  PID:11492
- C:\Windows\System32\xFfGJkK.exe
  C:\Windows\System32\xFfGJkK.exe
  2⤵
  PID:11520
- C:\Windows\System32\cFSDHLX.exe
  C:\Windows\System32\cFSDHLX.exe
  2⤵
  PID:11540
- C:\Windows\System32\YXCoZFt.exe
  C:\Windows\System32\YXCoZFt.exe
  2⤵
  PID:11576
- C:\Windows\System32\kDxvRvP.exe
  C:\Windows\System32\kDxvRvP.exe
  2⤵
  PID:11604
- C:\Windows\System32\RyKmCSg.exe
  C:\Windows\System32\RyKmCSg.exe
  2⤵
  PID:11632
- C:\Windows\System32\grOuqsW.exe
  C:\Windows\System32\grOuqsW.exe
  2⤵
  PID:11648
- C:\Windows\System32\AdddExX.exe
  C:\Windows\System32\AdddExX.exe
  2⤵
  PID:11688
- C:\Windows\System32\kCtRwLc.exe
  C:\Windows\System32\kCtRwLc.exe
  2⤵
  PID:11716
- C:\Windows\System32\BHNYXtm.exe
  C:\Windows\System32\BHNYXtm.exe
  2⤵
  PID:11732
- C:\Windows\System32\PtYwqrp.exe
  C:\Windows\System32\PtYwqrp.exe
  2⤵
  PID:11752
- C:\Windows\System32\FnakBgp.exe
  C:\Windows\System32\FnakBgp.exe
  2⤵
  PID:11772
- C:\Windows\System32\oBhxyjg.exe
  C:\Windows\System32\oBhxyjg.exe
  2⤵
  PID:11804
- C:\Windows\System32\uaeyKMQ.exe
  C:\Windows\System32\uaeyKMQ.exe
  2⤵
  PID:11832
- C:\Windows\System32\FtckSHw.exe
  C:\Windows\System32\FtckSHw.exe
  2⤵
  PID:11884
- C:\Windows\System32\ChcJHIB.exe
  C:\Windows\System32\ChcJHIB.exe
  2⤵
  PID:11912
- C:\Windows\System32\onJWCLH.exe
  C:\Windows\System32\onJWCLH.exe
  2⤵
  PID:11952
- C:\Windows\System32\EaSGsPZ.exe
  C:\Windows\System32\EaSGsPZ.exe
  2⤵
  PID:11976
- C:\Windows\System32\leebGOc.exe
  C:\Windows\System32\leebGOc.exe
  2⤵
  PID:12000
- C:\Windows\System32\KAPFJqr.exe
  C:\Windows\System32\KAPFJqr.exe
  2⤵
  PID:12028
- C:\Windows\System32\RordlbB.exe
  C:\Windows\System32\RordlbB.exe
  2⤵
  PID:12064
- C:\Windows\System32\FGezUml.exe
  C:\Windows\System32\FGezUml.exe
  2⤵
  PID:12084
- C:\Windows\System32\GzlhSyR.exe
  C:\Windows\System32\GzlhSyR.exe
  2⤵
  PID:12112
- C:\Windows\System32\VcVoDGf.exe
  C:\Windows\System32\VcVoDGf.exe
  2⤵
  PID:12128
- C:\Windows\System32\fBQjZKi.exe
  C:\Windows\System32\fBQjZKi.exe
  2⤵
  PID:12168
- C:\Windows\System32\olJBKIM.exe
  C:\Windows\System32\olJBKIM.exe
  2⤵
  PID:12188
- C:\Windows\System32\cTGphxS.exe
  C:\Windows\System32\cTGphxS.exe
  2⤵
  PID:12224
- C:\Windows\System32\KuFKpcD.exe
  C:\Windows\System32\KuFKpcD.exe
  2⤵
  PID:12252
- C:\Windows\System32\ELFkaDI.exe
  C:\Windows\System32\ELFkaDI.exe
  2⤵
  PID:12280
- C:\Windows\System32\ccyUdiE.exe
  C:\Windows\System32\ccyUdiE.exe
  2⤵
  PID:11284
- C:\Windows\System32\sKbKSbj.exe
  C:\Windows\System32\sKbKSbj.exe
  2⤵
  PID:11344
- C:\Windows\System32\qikjjRc.exe
  C:\Windows\System32\qikjjRc.exe
  2⤵
  PID:11404
- C:\Windows\System32\tgfjfsq.exe
  C:\Windows\System32\tgfjfsq.exe
  2⤵
  PID:11448
- C:\Windows\System32\RycTHKn.exe
  C:\Windows\System32\RycTHKn.exe
  2⤵
  PID:11556
- C:\Windows\System32\XQxxNPZ.exe
  C:\Windows\System32\XQxxNPZ.exe
  2⤵
  PID:11616
- C:\Windows\System32\CTePzSU.exe
  C:\Windows\System32\CTePzSU.exe
  2⤵
  PID:11680
- C:\Windows\System32\rCUIVAr.exe
  C:\Windows\System32\rCUIVAr.exe
  2⤵
  PID:11764
- C:\Windows\System32\NZnFmpP.exe
  C:\Windows\System32\NZnFmpP.exe
  2⤵
  PID:11760
- C:\Windows\System32\hyufwZi.exe
  C:\Windows\System32\hyufwZi.exe
  2⤵
  PID:11852
- C:\Windows\System32\fiQlikZ.exe
  C:\Windows\System32\fiQlikZ.exe
  2⤵
  PID:11908
- C:\Windows\System32\XHKmMgg.exe
  C:\Windows\System32\XHKmMgg.exe
  2⤵
  PID:12012
- C:\Windows\System32\VSxeSkj.exe
  C:\Windows\System32\VSxeSkj.exe
  2⤵
  PID:12080
- C:\Windows\System32\PbWneEX.exe
  C:\Windows\System32\PbWneEX.exe
  2⤵
  PID:12144
- C:\Windows\System32\szPjSWN.exe
  C:\Windows\System32\szPjSWN.exe
  2⤵
  PID:12208
- C:\Windows\System32\plNiGdC.exe
  C:\Windows\System32\plNiGdC.exe
  2⤵
  PID:12264
- C:\Windows\System32\YoyWyMX.exe
  C:\Windows\System32\YoyWyMX.exe
  2⤵
  PID:10848
- C:\Windows\System32\escRPoL.exe
  C:\Windows\System32\escRPoL.exe
  2⤵
  PID:11488
- C:\Windows\System32\YPZFcoD.exe
  C:\Windows\System32\YPZFcoD.exe
  2⤵
  PID:3028
- C:\Windows\System32\wNNEEBu.exe
  C:\Windows\System32\wNNEEBu.exe
  2⤵
  PID:2844
- C:\Windows\System32\kTCYuwM.exe
  C:\Windows\System32\kTCYuwM.exe
  2⤵
  PID:11812
- C:\Windows\System32\biBqqbp.exe
  C:\Windows\System32\biBqqbp.exe
  2⤵
  PID:11964
- C:\Windows\System32\vUoTOeB.exe
  C:\Windows\System32\vUoTOeB.exe
  2⤵
  PID:12040
- C:\Windows\System32\oGixOuD.exe
  C:\Windows\System32\oGixOuD.exe
  2⤵
  PID:12164
- C:\Windows\System32\cFoxrRz.exe
  C:\Windows\System32\cFoxrRz.exe
  2⤵
  PID:11444
- C:\Windows\System32\OJQzjhq.exe
  C:\Windows\System32\OJQzjhq.exe
  2⤵
  PID:11712
- C:\Windows\System32\Bmwbfds.exe
  C:\Windows\System32\Bmwbfds.exe
  2⤵
  PID:12120
- C:\Windows\System32\ftPJirn.exe
  C:\Windows\System32\ftPJirn.exe
  2⤵
  PID:11272
- C:\Windows\System32\XgwRjve.exe
  C:\Windows\System32\XgwRjve.exe
  2⤵
  PID:11848
- C:\Windows\System32\coLdScZ.exe
  C:\Windows\System32\coLdScZ.exe
  2⤵
  PID:11420
- C:\Windows\System32\SJJELcb.exe
  C:\Windows\System32\SJJELcb.exe
  2⤵
  PID:12308
- C:\Windows\System32\TZLZsPG.exe
  C:\Windows\System32\TZLZsPG.exe
  2⤵
  PID:12336
- C:\Windows\System32\NJzyMoO.exe
  C:\Windows\System32\NJzyMoO.exe
  2⤵
  PID:12368
- C:\Windows\System32\YIBaYNM.exe
  C:\Windows\System32\YIBaYNM.exe
  2⤵
  PID:12396
- C:\Windows\System32\QkyaJDw.exe
  C:\Windows\System32\QkyaJDw.exe
  2⤵
  PID:12424
- C:\Windows\System32\dJcLNZN.exe
  C:\Windows\System32\dJcLNZN.exe
  2⤵
  PID:12452
- C:\Windows\System32\ZIMISUM.exe
  C:\Windows\System32\ZIMISUM.exe
  2⤵
  PID:12480
- C:\Windows\System32\RCBdNVu.exe
  C:\Windows\System32\RCBdNVu.exe
  2⤵
  PID:12508
- C:\Windows\System32\IqmXdMQ.exe
  C:\Windows\System32\IqmXdMQ.exe
  2⤵
  PID:12536
- C:\Windows\System32\uZmbXli.exe
  C:\Windows\System32\uZmbXli.exe
  2⤵
  PID:12564
- C:\Windows\System32\wlWnNpt.exe
  C:\Windows\System32\wlWnNpt.exe
  2⤵
  PID:12592
- C:\Windows\System32\sZRCVUI.exe
  C:\Windows\System32\sZRCVUI.exe
  2⤵
  PID:12616
- C:\Windows\System32\DYvZqyk.exe
  C:\Windows\System32\DYvZqyk.exe
  2⤵
  PID:12648
- C:\Windows\System32\zAGABRQ.exe
  C:\Windows\System32\zAGABRQ.exe
  2⤵
  PID:12664
- C:\Windows\System32\oKixXoT.exe
  C:\Windows\System32\oKixXoT.exe
  2⤵
  PID:12704
- C:\Windows\System32\FXbEtZL.exe
  C:\Windows\System32\FXbEtZL.exe
  2⤵
  PID:12720
- C:\Windows\System32\zVwmcIZ.exe
  C:\Windows\System32\zVwmcIZ.exe
  2⤵
  PID:12760
- C:\Windows\System32\yQLlEZf.exe
  C:\Windows\System32\yQLlEZf.exe
  2⤵
  PID:12788
- C:\Windows\System32\KYSTSdo.exe
  C:\Windows\System32\KYSTSdo.exe
  2⤵
  PID:12820
- C:\Windows\System32\WUWZdIO.exe
  C:\Windows\System32\WUWZdIO.exe
  2⤵
  PID:12844
- C:\Windows\System32\xmiTlel.exe
  C:\Windows\System32\xmiTlel.exe
  2⤵
  PID:12860
- C:\Windows\System32\PQLlezo.exe
  C:\Windows\System32\PQLlezo.exe
  2⤵
  PID:12892
- C:\Windows\System32\uPIsMol.exe
  C:\Windows\System32\uPIsMol.exe
  2⤵
  PID:12928
- C:\Windows\System32\wnjlOoN.exe
  C:\Windows\System32\wnjlOoN.exe
  2⤵
  PID:12944
- C:\Windows\System32\CpyZFld.exe
  C:\Windows\System32\CpyZFld.exe
  2⤵
  PID:12984
- C:\Windows\System32\NurWeme.exe
  C:\Windows\System32\NurWeme.exe
  2⤵
  PID:13000
- C:\Windows\System32\ETFsHhp.exe
  C:\Windows\System32\ETFsHhp.exe
  2⤵
  PID:13016
- C:\Windows\System32\axsMREf.exe
  C:\Windows\System32\axsMREf.exe
  2⤵
  PID:13060

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BxtdfGm.exe

Filesize
2.6MB

MD5
cc077ef9e9991eb0117b138e7387d363

SHA1
419421bd52a487697f962edecec7488033146476

SHA256
df1027e3ef3f1a4c01200b5915ad5cbab25d842bab37ca10afffd7f3f01c3260

SHA512
02a6ab3b97055b3214f2939c529809a0d4ad63409f44126a1e4f53bbb761ac94b8762a292d2936feb775f71deaf01e67c7f758c9d60c3728334dbb9bab30a8b8

Download Submit
C:\Windows\System32\CGHStnp.exe

Filesize
2.6MB

MD5
773317c8444e11c6746d57668765ca3c

SHA1
64ff9ef9ce91fffa15f0b98ce27dafdde29c757f

SHA256
b06d64c6f3dc2aba6c69d2a9c689e37cf619ba27b63b4ac4d8e3c1184c4a1ab4

SHA512
5cea740d9ef51031e7101fa19aadcb4abf58f5d77fd2ca83601079852014968f8343edfb1a13be48aaae61c14bd681cbee331f84dbc71a07aa864f46dd388008

Download Submit
C:\Windows\System32\IxUEEqW.exe

Filesize
2.6MB

MD5
43509cf7e1b7998e511c28ba2a2273e9

SHA1
75df767485418f8d213acca63ff112fa26c1d339

SHA256
8398f1c59f83b482b88e7ef11392e475317a2084a1da635b041b4bb21928a7bd

SHA512
98adb88bc7aeac4ab7c7dbcde601af0581da94862b91ac3dafc92419adf6caa2f97d52f206ea754ba0bf1d09bd3bb6314bd6f90c6503c3f4153b1969f53203d9

Download Submit
C:\Windows\System32\JYeRoDk.exe

Filesize
2.6MB

MD5
22a00856715ef9a13a13ecb39dcb762d

SHA1
ab6df13d04d023567da258aeea30e44a5800a5b2

SHA256
94e0cdbe5e44fc55588c0286b04e31e0994af26e9fe935e68420cd9c6e2cd5d8

SHA512
fbb460ee45b7cb2c624d79a9e5ccd1052740ecbc1b3305ba07b9032d90a19379c9e67adaaf552ae2b57df389e0220f561989f4719f32483698defdb90c1257af

Download Submit
C:\Windows\System32\KvaFhyq.exe

Filesize
2.6MB

MD5
27ce0bd84fe0d4ecde7b0bb77d99490e

SHA1
6dd29d0f696e43c4d8023db9dee6b342b6d62fa6

SHA256
edfc15702124a54fc53716407e5ec262b24d7e714e19df767f52ea4685aa76c9

SHA512
8c43af71caca058ad404adbc212d4e91635b2a31862ecbda3db255f1ca89163b979d45bdfef31017296dcf2447ee06ac68f91d9aaa4e32fd6748e10419002bf5

Download Submit
C:\Windows\System32\LsGprPu.exe

Filesize
2.6MB

MD5
7ad216968876e5f9e55dcbcb4df10431

SHA1
0c8b2d922bf037c67185cc9fc526dec57b9c4f92

SHA256
16136fd9df8fca1b67e2d0b620b3501154ffef227c4436ef0982e2cf23104641

SHA512
684975c1f97b196b3e051d0f609e3a092e44507c3211cefcf70866e56072ca124d13e43e2d6806961c7e804ea84508c12d7e5a69e37285bc79e4fe55c54d554f

Download Submit
C:\Windows\System32\MJMFJUV.exe

Filesize
2.6MB

MD5
db00c0768abbc787ceb4239412b3924b

SHA1
82b569d94833fb06c940a8318f70f2eed220b4d5

SHA256
c519251d59aff1b9c94c09317a60cb470147ff3ab7e15de5a313ec4eb5610b80

SHA512
9e1bb8793c4d545debf7ad8272b2ea888aeacbc2d27f8dcce8d6b22c0a03fa01bba24b7bb77be705f1a3d0a0a0cc6f8891f46e607177e3ce740cbce89ebbd541

Download Submit
C:\Windows\System32\OBZotZx.exe

Filesize
2.6MB

MD5
11fca70ba74920e53bca9d3010971354

SHA1
0060a3d15ba37a68321ef3396a0d4c4ac5b28da8

SHA256
9a3befa7b68ebe61eac80b8173b740e8d2c1cd07a6c65ee376ce1af25dbf5e24

SHA512
e2f7e43195d5764b81598848f281614561cd8b9487e9029c09098d2cd1cccf098c4064338686bf64fb99b948861f738e3cc9988c7b313ab18349d9b322cab6e7

Download Submit
C:\Windows\System32\RFrLXrY.exe

Filesize
2.6MB

MD5
cdfa1938e7fa4e225609038d2918f0a4

SHA1
4279a235c505433666e2594d99bdf1d92f628c79

SHA256
cf190beb9bcf81333ccd35622e9ef3e5db04754332054cc3a37f89359a961528

SHA512
85d430ace6f3d842619e06be4a6df8ba4fdc9c5c83ca41766bed60885c585c0ba842491879a53603a18bb17593882e1d5d3eae466b7d7f69f301a7c6e121c7a7

Download Submit
C:\Windows\System32\RwNLKNa.exe

Filesize
2.6MB

MD5
76605288ba59792095312bc67cbc5146

SHA1
cda72eaa193c374cbd879498fbc7db6feb6d889c

SHA256
2d5b575dd10f75df0038218c63a91c803f9ed116f3d77eed67fb94728b281c24

SHA512
61359c48dc618bfa5ef7d7436a5b28a96978416ce3e13db98b9ec1584f76d8058c172a8ffb25c9374a9a892dd18673558f52b5df4ee8f305401e6036ea4044b3

Download Submit
C:\Windows\System32\TMpXoDF.exe

Filesize
2.6MB

MD5
c03c7ec597e306f74f3addcad89f3efd

SHA1
1d4f481842c2f67acb675d9d73cbdfa2ffd88337

SHA256
78433654c9acbf57fee22750a19a535f437faee4e3a4936b63caec73496c9471

SHA512
53079c9c326fbc95f56f773d1dd9f79def35b599fc0194ee9309f46f8fae1036d7da9585a5aa5b9c643625428e200f49dd5c4021198ed4a0c99b660c178276d1

Download Submit
C:\Windows\System32\TcXZRjI.exe

Filesize
2.6MB

MD5
a291c9b940927c1ea4cba943076652d3

SHA1
57796b73389da989bad92f7ba978dfd663af8215

SHA256
035dc822c9aabbc4c9378bc4b0d4ca9a39d03391dd41d6c9e8b2d8fdf08b8dfa

SHA512
76dba6fddfd47db0aa41885d40da319662b70513c0b4b7efdc3f13d6ebc0c4b731d07786ce922220ba643d39e6436e53495717133c6ff8e6f4eaae1b7ff82032

Download Submit
C:\Windows\System32\WXNAyeT.exe

Filesize
2.6MB

MD5
ea6a66e9266d0f8b3a205b3761f684ed

SHA1
b71ca01b28117c7768bfadb36da3f750d5449cf5

SHA256
051ce12f71cd7d1824bea7991fb6ac6c0793d17cc1a693102a7fc66186483c44

SHA512
c7a2e776390d4734fa8578c50b04612e7a744ba1e0981d8b40d7b5d0157bae2e2be09e75f1be6626cbeda6bb650abcdc94da852430d28765197d5c2653388843

Download Submit
C:\Windows\System32\ZrpuarI.exe

Filesize
2.6MB

MD5
d6e50c73d3deb022181ce8d5c739d6bc

SHA1
27e84b3c5b4e5c75e52f43e03d7fe761bf934830

SHA256
06a086acb6edc96e3d63a9c6bbdcac8433176ba8f7b1b53434d32b8133fcd63f

SHA512
b5478a36311aea731457d8ce725fee9e4d25c6c2a1a11d05599602e79a5e380f8bcf294edcbe17d78dacd6f096b98995ba279ccfee7dadd41a904f1b677b4661

Download Submit
C:\Windows\System32\aHJESJW.exe

Filesize
2.6MB

MD5
0db3d99b3ddca0399d7e45f729b0f184

SHA1
281bb781bc0a99a1f6c53ee274345848ae8a52e2

SHA256
466c25eee0197834caa399ac00a7cef94995d42fce95fee8ceeef9cac3ba061f

SHA512
f49f04ea253065ff2841fcf89e5ca72a79d1bf19f1b84953f6ed7428ea0bbb4c67bb1e08ea340233254c53e11e01e159bced704b837fc1825501b813e3b5bdfc

Download Submit
C:\Windows\System32\bcCuRgN.exe

Filesize
2.6MB

MD5
7ed5354d33bcdbee3e2666dafee0bc0e

SHA1
45c0f9735e1f2e0e1a1b529a2a3cf19ba3a08d87

SHA256
8755c2d42fd29be2823bfefa44198e88db4747fa5d0b10a024f0df28896caf05

SHA512
bd13332663152c3e29f1951dba2cf3781c07e0161028c244c212dd1eaa65ce01526900ccc7d19394ca56e6d42310123602652f2995b09c68ca4def604fe28855

Download Submit
C:\Windows\System32\dKrVByl.exe

Filesize
2.6MB

MD5
0be20a27ff0d87fe758979ba20d9cb0a

SHA1
db37f23e1311dbf515c3bebbc55a0407188033be

SHA256
48da8d070c82aa4fd9828dfa41f8878c76b49c9a99f6ffce673b79c5f158d505

SHA512
a94e612210250367f7b2aac64bba0289b1394425488724aa0804dac42a1da788a299c3a28a672a535f088630b4019a669a160f27d47b162f00689d9f938e42a3

Download Submit
C:\Windows\System32\gXraXnh.exe

Filesize
2.6MB

MD5
5c0e4f139c0936ff2954421a9a5de76a

SHA1
073059be4b3c274990ea79b2b6259de1485c7204

SHA256
ebaf501da35cab4da2d8e54b143f1e08872c561413e58937b1925753ee3bcaf9

SHA512
608fb2a7afc2487a705276cc6725fb7be8ab94fdd51ea4792d2bf2c3f2d9730b8f8009d7846ab51fc54b0a78d7088eae6e9197bd8a19f120ee1069b8abd4509b

Download Submit
C:\Windows\System32\gxrBiSs.exe

Filesize
2.6MB

MD5
9d3009de8399150d3b1b97688fb329e0

SHA1
03f0a64863a0cda521d60085252b34a8ac576601

SHA256
19e7f7214dd6e1e9ad4b8fcca9de71dbf1f2fe61e35895b43486c5672dfc4c96

SHA512
f01e8b0df6d9f57301b727bb2d01699eeff4eb495e1d9fcfdcb63b52d504271070cedcdff844220b4d22180fc290586434bcb081f6cfd6c5e9948055cbb1d8af

Download Submit
C:\Windows\System32\iXipJAG.exe

Filesize
2.6MB

MD5
993c96d231b8be1ba82a17377601302c

SHA1
4cd6dfe9567c05a0cea5ef78ca1efc2f15451d9e

SHA256
407bdc39828312788ea1fe986d250cb288e7b223ef82302327a59ee5c3e00792

SHA512
2fd64aa389319683bf76688de72065fe24b639a20bb56b5b01fb2c41ea5c13bdfe502250ef9cb090ee866e6c6739c511aa68207acf0adb3f26798b93f2c8af92

Download Submit
C:\Windows\System32\kBZJrVB.exe

Filesize
2.6MB

MD5
da0bb4850649fe81cd6708f5dad54da7

SHA1
581b8bfbcdb27ed25d9cd5629f30d1a4bae15496

SHA256
c345f9c00b1cd9ebc3884be1a30167e992ab3b9ea08857c4aa94175c808c4dbe

SHA512
1e1fca2c5a8b48ee5d9262ef95f5384361a4d496d533d33e80d8ac4354a876fd3107510cb4e907d17c0b27b6c538fac884bc1af0e4a8bff8e1e8fbe261634414

Download Submit
C:\Windows\System32\lbovXIq.exe

Filesize
2.6MB

MD5
4bbd7a94caaf623a034cf5f838703c42

SHA1
177be718a12ff4880b2391e2e491990b008f92b2

SHA256
9328b1169c9570e78184e44ba4f8ed85820ddd9c0dfb5b21eec419bffe31dfaa

SHA512
2ae54936cbb0762688bff5d395c5cfdc6ef29f92f7b3e93a3f3ca8b71baa941326c6507719db7c591e2d3783b60e8c1fb4da0db76b6879df55150931ebe69e36

Download Submit
C:\Windows\System32\oaaHwHI.exe

Filesize
2.6MB

MD5
f274ec4c3cf4e7410b06c12419e15c48

SHA1
e7488dd18fb92cc3fd014b409e1fb44c167898e7

SHA256
0c7aa8b3c2c862255521384f3ae6f5e1f96c2abe94155cf9110ff95ff4618468

SHA512
7bc543918cc8bdac08a52a9ec920e3f59dd838bf97801a545b3f2b333ac8919b504c921ee4886e81fcf17a246bee3397107af4d3326b61b27c9fcdb274db06f7

Download Submit
C:\Windows\System32\oyXpjMk.exe

Filesize
2.6MB

MD5
9fd105c31b6e60eaa0f726946b763ade

SHA1
7442d22b89382968402f9e01f327b16ce06eda20

SHA256
5632c2f3ddab37ad0ab05a22f7cb04fe9435b5002514bb2bdb7320b9e3c05d38

SHA512
d7a28d70babceecb6105b3918f651893f49c67cfa413a2f10efcfc855e9a6b7d978d942df5ffae4a8480d3c386fe9197d31e8bf09228641da1b2e1e542eba170

Download Submit
C:\Windows\System32\pYcaHtU.exe

Filesize
2.6MB

MD5
9686423714e9223af08c07188b6250e4

SHA1
ae97835f667c9cef55515bb121d7b4adc20d68d7

SHA256
85f09e19d572610e5fd650cc665078ead8b3e90da8a90259c608fa31ebe68d77

SHA512
fcce065b5e32d4b822aaf8854ddd41173c7556671e6cd8dae21b12a7a09b371024c7a65b501dd4b9d39eea25bb69321a810d616112f1964a736d2973f6172cb6

Download Submit
C:\Windows\System32\sLekagQ.exe

Filesize
2.6MB

MD5
c0920a119a40800686b8948d7a9427e0

SHA1
856e124ddf5aeccc07e7b63066240cf5175baf36

SHA256
2193c058544382c8959f8b03dba20621a15c0bc620068692a18ec4f53bafad36

SHA512
4b9ff8fb675abd65f0c822df638d25d585443bd8145a74c2d58a0877c4c550d4ac695700ea46c6e19ffcdc43b1bb093cca15e14278309d40d399d0cdb63361b6

Download Submit
C:\Windows\System32\uWkWZPv.exe

Filesize
2.6MB

MD5
067b9275f46b4e95764b27f5b71e9a07

SHA1
43d781299e899a1a94556d8fdd6380ac873031e0

SHA256
f20912c4e496a327a8f363e726d281d78ca4028c5b0cf0b41a16591efa3971ec

SHA512
0f67dea24ac6116b5b0b215e17c92fa04fd28c0e380bba237ca7ac41cce094426f97329cc2112b112f5f04e7b3bc710e61070ed90b575a30ba2fa6470cfae446

Download Submit
C:\Windows\System32\vAbOeYB.exe

Filesize
2.6MB

MD5
c2fa67f8aef17b59a6fd3ec16f274d68

SHA1
61c8f6f082c200a1bd037d540594811a1d377b17

SHA256
5944292552325030387033181a92c671e3ff5559278776b3c483a13686df19e7

SHA512
73087ef502192e2b0b9dc474c38ca40a03c7dc2f5263ab566f8b98c6110cf8fda727fbdbe37eea53200a76ec7fcc0fe7bea189cd480bdf82235b807b714f88c2

Download Submit
C:\Windows\System32\vWWzmeK.exe

Filesize
2.6MB

MD5
0a0fe1269004e9f58f83b74fc80a0df1

SHA1
0765fe0b41d6e9423dd153278513dca5ad2cd6e3

SHA256
1e85daebb7c12ca9c2e6e3b80e1e42b599d68e9ed12396762f4f1bc9bbfcaa3a

SHA512
ecc1e71e9ef848d31f8f4be31a27d4dcd978246d7cf59a5dd2aa69db724c2b088783adae441c4aa7b8d6629e97d8360315aae444797f2f763e2ebabc9be0378e

Download Submit
C:\Windows\System32\vvKdoVr.exe

Filesize
2.6MB

MD5
d25d0b16d05a91704b8aaf08035763b2

SHA1
23d0d4c29cf090a13beb6d9d843ddc40df11e01e

SHA256
cd11897c3facd6c9c9cbc3b59b9ace5322ec583376ad72ca4229e855f176b4fb

SHA512
7e3d2cf95acda7ef3d79e3d52ed469f52b81916b71f0d0e58dd0337f62f0f8fd9103c0a269b7ede985d060ecd4fe410a08973f9e1cd2761417938aa7ec80e2b4

Download Submit
C:\Windows\System32\xZYCMxH.exe

Filesize
2.6MB

MD5
9e127e717268006280e74d2fc35e0520

SHA1
ee20692e93e667630fff696865f3a70906625cec

SHA256
2a78295845a636ea20947cb030812225fe773e3530178345e4f59be85f83323b

SHA512
8e005dfb2bcce6db84c2a041aedc742db099053c7eb42af539e0bf9ad8d6cf11476a96fd11faa2a525d1e282bd8efe98ac5b3480a40de0e009291d2ebf6c6131

Download Submit
C:\Windows\System32\ybszoos.exe

Filesize
2.6MB

MD5
7c71eb06cbb820ecc453e4b497ff9192

SHA1
77a82a18bbdcbd1918fe2b8f1254a140d2ed4e19

SHA256
1ef58aeaae638d1b52e3aaaf67cf5bfbc60298ebb76ae6763a0471218f9ff31f

SHA512
fad3f407c106b9d17521a3a40dff7f7a6896d0b1f662ea1536380d0df0e91952a39f69fd6767bdd0f53ecac0e664a7316eb542d81b8b445805c14abaa1eea380

Download Submit
memory/60-1950-0x00007FF729E40000-0x00007FF72A235000-memory.dmp

Filesize
4.0MB

Download
memory/60-769-0x00007FF729E40000-0x00007FF72A235000-memory.dmp

Filesize
4.0MB

Download
memory/536-1961-0x00007FF770310000-0x00007FF770705000-memory.dmp

Filesize
4.0MB

Download
memory/536-854-0x00007FF770310000-0x00007FF770705000-memory.dmp

Filesize
4.0MB

Download
memory/696-808-0x00007FF7DEBD0000-0x00007FF7DEFC5000-memory.dmp

Filesize
4.0MB

Download
memory/696-1953-0x00007FF7DEBD0000-0x00007FF7DEFC5000-memory.dmp

Filesize
4.0MB

Download
memory/928-814-0x00007FF7440A0000-0x00007FF744495000-memory.dmp

Filesize
4.0MB

Download
memory/928-1955-0x00007FF7440A0000-0x00007FF744495000-memory.dmp

Filesize
4.0MB

Download
memory/1032-1964-0x00007FF754030000-0x00007FF754425000-memory.dmp

Filesize
4.0MB

Download
memory/1032-862-0x00007FF754030000-0x00007FF754425000-memory.dmp

Filesize
4.0MB

Download
memory/1120-1952-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp

Filesize
4.0MB

Download
memory/1120-782-0x00007FF7DEC40000-0x00007FF7DF035000-memory.dmp

Filesize
4.0MB

Download
memory/1400-1946-0x00007FF693F20000-0x00007FF694315000-memory.dmp

Filesize
4.0MB

Download
memory/1400-891-0x00007FF693F20000-0x00007FF694315000-memory.dmp

Filesize
4.0MB

Download
memory/1884-1966-0x00007FF605B20000-0x00007FF605F15000-memory.dmp

Filesize
4.0MB

Download
memory/1884-873-0x00007FF605B20000-0x00007FF605F15000-memory.dmp

Filesize
4.0MB

Download
memory/1940-836-0x00007FF7FBCE0000-0x00007FF7FC0D5000-memory.dmp

Filesize
4.0MB

Download
memory/1940-1958-0x00007FF7FBCE0000-0x00007FF7FC0D5000-memory.dmp

Filesize
4.0MB

Download
memory/2172-844-0x00007FF7F84F0000-0x00007FF7F88E5000-memory.dmp

Filesize
4.0MB

Download
memory/2172-1957-0x00007FF7F84F0000-0x00007FF7F88E5000-memory.dmp

Filesize
4.0MB

Download
memory/2580-1948-0x00007FF732010000-0x00007FF732405000-memory.dmp

Filesize
4.0MB

Download
memory/2580-14-0x00007FF732010000-0x00007FF732405000-memory.dmp

Filesize
4.0MB

Download
memory/2668-879-0x00007FF6E7DD0000-0x00007FF6E81C5000-memory.dmp

Filesize
4.0MB

Download
memory/2668-1969-0x00007FF6E7DD0000-0x00007FF6E81C5000-memory.dmp

Filesize
4.0MB

Download
memory/2680-850-0x00007FF6EEB40000-0x00007FF6EEF35000-memory.dmp

Filesize
4.0MB

Download
memory/2680-1962-0x00007FF6EEB40000-0x00007FF6EEF35000-memory.dmp

Filesize
4.0MB

Download
memory/2772-774-0x00007FF693170000-0x00007FF693565000-memory.dmp

Filesize
4.0MB

Download
memory/2772-1954-0x00007FF693170000-0x00007FF693565000-memory.dmp

Filesize
4.0MB

Download
memory/2812-1-0x000001D654110000-0x000001D654120000-memory.dmp

Filesize
64KB

Download
memory/2812-1945-0x00007FF775320000-0x00007FF775715000-memory.dmp

Filesize
4.0MB

Download
memory/2812-0-0x00007FF775320000-0x00007FF775715000-memory.dmp

Filesize
4.0MB

Download
memory/3076-889-0x00007FF7D8990000-0x00007FF7D8D85000-memory.dmp

Filesize
4.0MB

Download
memory/3076-1967-0x00007FF7D8990000-0x00007FF7D8D85000-memory.dmp

Filesize
4.0MB

Download
memory/3128-760-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp

Filesize
4.0MB

Download
memory/3128-1947-0x00007FF7790F0000-0x00007FF7794E5000-memory.dmp

Filesize
4.0MB

Download
memory/3196-856-0x00007FF7F6720000-0x00007FF7F6B15000-memory.dmp

Filesize
4.0MB

Download
memory/3196-1963-0x00007FF7F6720000-0x00007FF7F6B15000-memory.dmp

Filesize
4.0MB

Download
memory/3272-1968-0x00007FF6F6EF0000-0x00007FF6F72E5000-memory.dmp

Filesize
4.0MB

Download
memory/3272-875-0x00007FF6F6EF0000-0x00007FF6F72E5000-memory.dmp

Filesize
4.0MB

Download
memory/3412-818-0x00007FF688ED0000-0x00007FF6892C5000-memory.dmp

Filesize
4.0MB

Download
memory/3412-1956-0x00007FF688ED0000-0x00007FF6892C5000-memory.dmp

Filesize
4.0MB

Download
memory/3524-828-0x00007FF71CDA0000-0x00007FF71D195000-memory.dmp

Filesize
4.0MB

Download
memory/3524-1960-0x00007FF71CDA0000-0x00007FF71D195000-memory.dmp

Filesize
4.0MB

Download
memory/3868-763-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp

Filesize
4.0MB

Download
memory/3868-1951-0x00007FF6C7BC0000-0x00007FF6C7FB5000-memory.dmp

Filesize
4.0MB

Download
memory/4140-896-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp

Filesize
4.0MB

Download
memory/4140-1949-0x00007FF79F870000-0x00007FF79FC65000-memory.dmp

Filesize
4.0MB

Download
memory/4196-883-0x00007FF6727A0000-0x00007FF672B95000-memory.dmp

Filesize
4.0MB

Download
memory/4196-1965-0x00007FF6727A0000-0x00007FF672B95000-memory.dmp

Filesize
4.0MB

Download
memory/5060-838-0x00007FF765150000-0x00007FF765545000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1959-0x00007FF765150000-0x00007FF765545000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads