xmrig | 632b185f53726e43b8a8336798e640c4016f8aa5e5ba5055fba912492cf43f9e

Analysis

max time kernel
124s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
Size

896KB
MD5

9afda835fdbe13e4d6b74c41dd8f3da0
SHA1

af368e8472194e808cfe93e10e1f81e34b8329d3
SHA256

632b185f53726e43b8a8336798e640c4016f8aa5e5ba5055fba912492cf43f9e
SHA512

8837cf6c06aaba631cb354f062e079bcb63d3effff01d96ffde8c6ddd8dae92ee81c1eb22021c98d69ec3f0deb4b77ff53008c96a80acd7f5e66b6c4b3c364e7
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlia+zzDwEU/D:knw9oUUEEDlnbD

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4820-53-0x00007FF7A4200000-0x00007FF7A45F1000-memory.dmp	xmrig
behavioral2/memory/5100-64-0x00007FF659630000-0x00007FF659A21000-memory.dmp	xmrig
behavioral2/memory/1116-73-0x00007FF79DDB0000-0x00007FF79E1A1000-memory.dmp	xmrig
behavioral2/memory/4348-85-0x00007FF738940000-0x00007FF738D31000-memory.dmp	xmrig
behavioral2/memory/3112-88-0x00007FF6DE460000-0x00007FF6DE851000-memory.dmp	xmrig
behavioral2/memory/4936-93-0x00007FF6B35E0000-0x00007FF6B39D1000-memory.dmp	xmrig
behavioral2/memory/3308-269-0x00007FF7A95C0000-0x00007FF7A99B1000-memory.dmp	xmrig
behavioral2/memory/2012-271-0x00007FF62A3F0000-0x00007FF62A7E1000-memory.dmp	xmrig
behavioral2/memory/4308-273-0x00007FF72F060000-0x00007FF72F451000-memory.dmp	xmrig
behavioral2/memory/1992-275-0x00007FF693C20000-0x00007FF694011000-memory.dmp	xmrig
behavioral2/memory/2116-92-0x00007FF7B13D0000-0x00007FF7B17C1000-memory.dmp	xmrig
behavioral2/memory/4908-86-0x00007FF756D00000-0x00007FF7570F1000-memory.dmp	xmrig
behavioral2/memory/4856-77-0x00007FF7423A0000-0x00007FF742791000-memory.dmp	xmrig
behavioral2/memory/4580-55-0x00007FF77BCF0000-0x00007FF77C0E1000-memory.dmp	xmrig
behavioral2/memory/4436-51-0x00007FF6E0EA0000-0x00007FF6E1291000-memory.dmp	xmrig
behavioral2/memory/2424-48-0x00007FF66BE70000-0x00007FF66C261000-memory.dmp	xmrig
behavioral2/memory/2400-276-0x00007FF78AA50000-0x00007FF78AE41000-memory.dmp	xmrig
behavioral2/memory/3256-1906-0x00007FF775D20000-0x00007FF776111000-memory.dmp	xmrig
behavioral2/memory/3636-1939-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp	xmrig
behavioral2/memory/3988-1940-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp	xmrig
behavioral2/memory/4280-1941-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp	xmrig
behavioral2/memory/1044-1942-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp	xmrig
behavioral2/memory/2676-1962-0x00007FF6C1D80000-0x00007FF6C2171000-memory.dmp	xmrig
behavioral2/memory/2728-1978-0x00007FF666310000-0x00007FF666701000-memory.dmp	xmrig
behavioral2/memory/5100-1982-0x00007FF659630000-0x00007FF659A21000-memory.dmp	xmrig
behavioral2/memory/872-1986-0x00007FF60F8B0000-0x00007FF60FCA1000-memory.dmp	xmrig
behavioral2/memory/2424-1984-0x00007FF66BE70000-0x00007FF66C261000-memory.dmp	xmrig
behavioral2/memory/4580-1994-0x00007FF77BCF0000-0x00007FF77C0E1000-memory.dmp	xmrig
behavioral2/memory/1116-1996-0x00007FF79DDB0000-0x00007FF79E1A1000-memory.dmp	xmrig
behavioral2/memory/4820-1992-0x00007FF7A4200000-0x00007FF7A45F1000-memory.dmp	xmrig
behavioral2/memory/3256-1990-0x00007FF775D20000-0x00007FF776111000-memory.dmp	xmrig
behavioral2/memory/4436-1988-0x00007FF6E0EA0000-0x00007FF6E1291000-memory.dmp	xmrig
behavioral2/memory/4348-1998-0x00007FF738940000-0x00007FF738D31000-memory.dmp	xmrig
behavioral2/memory/4856-2000-0x00007FF7423A0000-0x00007FF742791000-memory.dmp	xmrig
behavioral2/memory/2116-2008-0x00007FF7B13D0000-0x00007FF7B17C1000-memory.dmp	xmrig
behavioral2/memory/4908-2007-0x00007FF756D00000-0x00007FF7570F1000-memory.dmp	xmrig
behavioral2/memory/4936-2005-0x00007FF6B35E0000-0x00007FF6B39D1000-memory.dmp	xmrig
behavioral2/memory/3112-2003-0x00007FF6DE460000-0x00007FF6DE851000-memory.dmp	xmrig
behavioral2/memory/3988-2014-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp	xmrig
behavioral2/memory/3636-2013-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp	xmrig
behavioral2/memory/4280-2011-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp	xmrig
behavioral2/memory/4308-2024-0x00007FF72F060000-0x00007FF72F451000-memory.dmp	xmrig
behavioral2/memory/3308-2018-0x00007FF7A95C0000-0x00007FF7A99B1000-memory.dmp	xmrig
behavioral2/memory/2400-2028-0x00007FF78AA50000-0x00007FF78AE41000-memory.dmp	xmrig
behavioral2/memory/2012-2026-0x00007FF62A3F0000-0x00007FF62A7E1000-memory.dmp	xmrig
behavioral2/memory/1992-2022-0x00007FF693C20000-0x00007FF694011000-memory.dmp	xmrig
behavioral2/memory/2728-2020-0x00007FF666310000-0x00007FF666701000-memory.dmp	xmrig
behavioral2/memory/1044-2016-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
872	rdFkDar.exe
3256	wUXzSFx.exe
5100	mrXuWzA.exe
2424	TRLhuEU.exe
1116	xUJEcxy.exe
4436	ywpxbFd.exe
4820	FTHBujY.exe
4580	tWCMhev.exe
4856	MmGuYnt.exe
4348	xvoYMnA.exe
4908	idBJlAj.exe
2116	KjBrxOK.exe
3112	MtvkOYk.exe
4936	FbUdfVR.exe
3636	QLGekeJ.exe
4280	Ahztjze.exe
3988	WPlvgBo.exe
1044	Tdzzprv.exe
2728	vTeRlAB.exe
3308	OGsokiv.exe
2012	FljGIjE.exe
4308	mjJBuhn.exe
1992	cgGoVMA.exe
2400	jpWSXSc.exe
3028	IkuFDyP.exe
4664	JAbYRSo.exe
2744	hYAIVXr.exe
4328	dRuvkDE.exe
1216	yvWtDaP.exe
432	orYkQvY.exe
396	cmwoVqW.exe
2588	beTEGBw.exe
3660	YgfzjgN.exe
4560	nicritO.exe
2860	UypwRWo.exe
3240	wPqgngW.exe
2388	rrNBmfB.exe
1892	ZdDCepJ.exe
2464	yHUKpmD.exe
4808	UWxuEWs.exe
1360	vDaVKUY.exe
4860	dAoWTFT.exe
2580	byDJUPn.exe
3324	hlAdDPg.exe
5060	miXLWLS.exe
4544	ZlovaWq.exe
1192	MTPETzo.exe
1756	qvcVvQb.exe
4020	XJQzExH.exe
1620	BRbsQSc.exe
3740	ZFTVkEO.exe
720	shtUZxo.exe
4300	NYdFMSu.exe
3932	VwJHEzR.exe
468	pqEcIUy.exe
4212	pWnxNac.exe
4316	GZBFfBE.exe
4728	bsrrphl.exe
4992	XTnJWvw.exe
1332	DnsiBng.exe
1828	nGcsKdx.exe
1064	NaVFYco.exe
3788	JJVunsc.exe
2740	XLYlQKI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2676-0-0x00007FF6C1D80000-0x00007FF6C2171000-memory.dmp	upx
behavioral2/files/0x00080000000235f9-5.dat	upx
behavioral2/files/0x00070000000235ff-23.dat	upx
behavioral2/files/0x0007000000023600-29.dat	upx
behavioral2/files/0x0007000000023601-45.dat	upx
behavioral2/files/0x0007000000023603-43.dat	upx
behavioral2/files/0x0007000000023602-41.dat	upx
behavioral2/memory/3256-34-0x00007FF775D20000-0x00007FF776111000-memory.dmp	upx
behavioral2/memory/872-22-0x00007FF60F8B0000-0x00007FF60FCA1000-memory.dmp	upx
behavioral2/files/0x00070000000235fe-21.dat	upx
behavioral2/files/0x00080000000235fc-19.dat	upx
behavioral2/files/0x00070000000235fd-17.dat	upx
behavioral2/memory/4820-53-0x00007FF7A4200000-0x00007FF7A45F1000-memory.dmp	upx
behavioral2/files/0x0007000000023606-67.dat	upx
behavioral2/memory/5100-64-0x00007FF659630000-0x00007FF659A21000-memory.dmp	upx
behavioral2/files/0x0007000000023607-69.dat	upx
behavioral2/memory/1116-73-0x00007FF79DDB0000-0x00007FF79E1A1000-memory.dmp	upx
behavioral2/files/0x0007000000023605-80.dat	upx
behavioral2/memory/4348-85-0x00007FF738940000-0x00007FF738D31000-memory.dmp	upx
behavioral2/files/0x0007000000023608-87.dat	upx
behavioral2/memory/3112-88-0x00007FF6DE460000-0x00007FF6DE851000-memory.dmp	upx
behavioral2/memory/4936-93-0x00007FF6B35E0000-0x00007FF6B39D1000-memory.dmp	upx
behavioral2/memory/3636-97-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp	upx
behavioral2/files/0x000700000002360a-100.dat	upx
behavioral2/files/0x000700000002360b-103.dat	upx
behavioral2/memory/3988-106-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp	upx
behavioral2/memory/1044-110-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp	upx
behavioral2/files/0x000700000002360c-109.dat	upx
behavioral2/files/0x000700000002360d-123.dat	upx
behavioral2/files/0x0007000000023612-141.dat	upx
behavioral2/files/0x0007000000023613-153.dat	upx
behavioral2/files/0x0007000000023614-158.dat	upx
behavioral2/memory/3308-269-0x00007FF7A95C0000-0x00007FF7A99B1000-memory.dmp	upx
behavioral2/memory/2012-271-0x00007FF62A3F0000-0x00007FF62A7E1000-memory.dmp	upx
behavioral2/memory/4308-273-0x00007FF72F060000-0x00007FF72F451000-memory.dmp	upx
behavioral2/memory/1992-275-0x00007FF693C20000-0x00007FF694011000-memory.dmp	upx
behavioral2/files/0x000700000002361a-181.dat	upx
behavioral2/files/0x0007000000023618-178.dat	upx
behavioral2/files/0x0007000000023619-176.dat	upx
behavioral2/files/0x0007000000023617-173.dat	upx
behavioral2/files/0x0007000000023616-168.dat	upx
behavioral2/files/0x0007000000023615-163.dat	upx
behavioral2/files/0x0007000000023611-143.dat	upx
behavioral2/files/0x0007000000023610-138.dat	upx
behavioral2/files/0x000700000002360f-133.dat	upx
behavioral2/files/0x000700000002360e-128.dat	upx
behavioral2/memory/2728-111-0x00007FF666310000-0x00007FF666701000-memory.dmp	upx
behavioral2/memory/4280-102-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp	upx
behavioral2/files/0x0007000000023609-98.dat	upx
behavioral2/memory/2116-92-0x00007FF7B13D0000-0x00007FF7B17C1000-memory.dmp	upx
behavioral2/memory/4908-86-0x00007FF756D00000-0x00007FF7570F1000-memory.dmp	upx
behavioral2/files/0x00080000000235fa-78.dat	upx
behavioral2/memory/4856-77-0x00007FF7423A0000-0x00007FF742791000-memory.dmp	upx
behavioral2/files/0x0007000000023604-63.dat	upx
behavioral2/memory/4580-55-0x00007FF77BCF0000-0x00007FF77C0E1000-memory.dmp	upx
behavioral2/memory/4436-51-0x00007FF6E0EA0000-0x00007FF6E1291000-memory.dmp	upx
behavioral2/memory/2424-48-0x00007FF66BE70000-0x00007FF66C261000-memory.dmp	upx
behavioral2/memory/2400-276-0x00007FF78AA50000-0x00007FF78AE41000-memory.dmp	upx
behavioral2/memory/3256-1906-0x00007FF775D20000-0x00007FF776111000-memory.dmp	upx
behavioral2/memory/3636-1939-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp	upx
behavioral2/memory/3988-1940-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp	upx
behavioral2/memory/4280-1941-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp	upx
behavioral2/memory/1044-1942-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp	upx
behavioral2/memory/2676-1962-0x00007FF6C1D80000-0x00007FF6C2171000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\RxHNUtA.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\RzOnpgs.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\BwEgGmG.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\HKudOhC.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\znghWqQ.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\LYYdlRI.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\kjThYtB.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\bsrrphl.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\eaIkZJQ.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\MJeXxnq.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\fzQnYVH.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\KRhkwxK.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\yzpQpaU.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\gFVuFyJ.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\uOvnZlD.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\MmGuYnt.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\dmUIoPa.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\uTqjtpk.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\EwcCfiA.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\FuFgLpj.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\DETpFub.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\CuaHmyV.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\TFkXssM.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\vTeRlAB.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\TojLEfY.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\RBtgRVp.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrvhTIz.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\cMHwdvz.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\yHUKpmD.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\uDpmdIa.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\PRyPPeb.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\AzJKXFA.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\rrNBmfB.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\JktUQjP.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\qobcZrS.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\fLQbjEr.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\iWPCVdz.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\VlOWtkP.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\HjrlpnM.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\VtVWSLL.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\FWQJdGk.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\TIBcgWd.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ealMKfI.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\AFHikRv.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\mufMPuZ.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\iwclkEY.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\mEvtzFo.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\EAWLZSF.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\kXMZPSl.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\zeAKWmg.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\jVgRNqn.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\OBEnvgV.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\LApsqbA.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\BRbsQSc.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZrnGdFq.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\DKVaxpG.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\pfZKhQP.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\rZOZRnr.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\eGFLAar.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\WnbBGTr.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\cGPVvVz.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\jBzgEzk.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\vlHlujC.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
File created	C:\Windows\System32\gneVXtW.exe	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12292	dwm.exe
Token: SeChangeNotifyPrivilege	12292	dwm.exe
Token: 33	12292	dwm.exe
Token: SeIncBasePriorityPrivilege	12292	dwm.exe
Token: SeShutdownPrivilege	12292	dwm.exe
Token: SeCreatePagefilePrivilege	12292	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 872	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	90
PID 2676 wrote to memory of 872	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	90
PID 2676 wrote to memory of 3256	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	91
PID 2676 wrote to memory of 3256	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	91
PID 2676 wrote to memory of 5100	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	92
PID 2676 wrote to memory of 5100	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	92
PID 2676 wrote to memory of 2424	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	93
PID 2676 wrote to memory of 2424	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	93
PID 2676 wrote to memory of 1116	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	94
PID 2676 wrote to memory of 1116	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	94
PID 2676 wrote to memory of 4436	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	95
PID 2676 wrote to memory of 4436	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	95
PID 2676 wrote to memory of 4820	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	96
PID 2676 wrote to memory of 4820	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	96
PID 2676 wrote to memory of 4580	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	97
PID 2676 wrote to memory of 4580	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	97
PID 2676 wrote to memory of 4856	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	98
PID 2676 wrote to memory of 4856	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	98
PID 2676 wrote to memory of 4348	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	99
PID 2676 wrote to memory of 4348	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	99
PID 2676 wrote to memory of 4908	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	100
PID 2676 wrote to memory of 4908	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	100
PID 2676 wrote to memory of 2116	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	101
PID 2676 wrote to memory of 2116	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	101
PID 2676 wrote to memory of 3112	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	102
PID 2676 wrote to memory of 3112	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	102
PID 2676 wrote to memory of 4936	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	103
PID 2676 wrote to memory of 4936	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	103
PID 2676 wrote to memory of 3636	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	104
PID 2676 wrote to memory of 3636	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	104
PID 2676 wrote to memory of 4280	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	105
PID 2676 wrote to memory of 4280	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	105
PID 2676 wrote to memory of 3988	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	106
PID 2676 wrote to memory of 3988	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	106
PID 2676 wrote to memory of 1044	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	107
PID 2676 wrote to memory of 1044	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	107
PID 2676 wrote to memory of 2728	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	108
PID 2676 wrote to memory of 2728	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	108
PID 2676 wrote to memory of 3308	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	109
PID 2676 wrote to memory of 3308	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	109
PID 2676 wrote to memory of 2012	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	110
PID 2676 wrote to memory of 2012	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	110
PID 2676 wrote to memory of 4308	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	111
PID 2676 wrote to memory of 4308	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	111
PID 2676 wrote to memory of 1992	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	112
PID 2676 wrote to memory of 1992	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	112
PID 2676 wrote to memory of 2400	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	113
PID 2676 wrote to memory of 2400	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	113
PID 2676 wrote to memory of 3028	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	114
PID 2676 wrote to memory of 3028	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	114
PID 2676 wrote to memory of 4664	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	115
PID 2676 wrote to memory of 4664	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	115
PID 2676 wrote to memory of 2744	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	116
PID 2676 wrote to memory of 2744	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	116
PID 2676 wrote to memory of 4328	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	117
PID 2676 wrote to memory of 4328	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	117
PID 2676 wrote to memory of 1216	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	118
PID 2676 wrote to memory of 1216	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	118
PID 2676 wrote to memory of 432	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	119
PID 2676 wrote to memory of 432	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	119
PID 2676 wrote to memory of 396	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	120
PID 2676 wrote to memory of 396	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	120
PID 2676 wrote to memory of 2588	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	121
PID 2676 wrote to memory of 2588	2676	9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe	121

C:\Users\Admin\AppData\Local\Temp\9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9afda835fdbe13e4d6b74c41dd8f3da0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\rdFkDar.exe
  C:\Windows\System32\rdFkDar.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\wUXzSFx.exe
  C:\Windows\System32\wUXzSFx.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\mrXuWzA.exe
  C:\Windows\System32\mrXuWzA.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\TRLhuEU.exe
  C:\Windows\System32\TRLhuEU.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\xUJEcxy.exe
  C:\Windows\System32\xUJEcxy.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System32\ywpxbFd.exe
  C:\Windows\System32\ywpxbFd.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\FTHBujY.exe
  C:\Windows\System32\FTHBujY.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\tWCMhev.exe
  C:\Windows\System32\tWCMhev.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System32\MmGuYnt.exe
  C:\Windows\System32\MmGuYnt.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System32\xvoYMnA.exe
  C:\Windows\System32\xvoYMnA.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\idBJlAj.exe
  C:\Windows\System32\idBJlAj.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\KjBrxOK.exe
  C:\Windows\System32\KjBrxOK.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\MtvkOYk.exe
  C:\Windows\System32\MtvkOYk.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\FbUdfVR.exe
  C:\Windows\System32\FbUdfVR.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\QLGekeJ.exe
  C:\Windows\System32\QLGekeJ.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\Ahztjze.exe
  C:\Windows\System32\Ahztjze.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\WPlvgBo.exe
  C:\Windows\System32\WPlvgBo.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System32\Tdzzprv.exe
  C:\Windows\System32\Tdzzprv.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\vTeRlAB.exe
  C:\Windows\System32\vTeRlAB.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\OGsokiv.exe
  C:\Windows\System32\OGsokiv.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\FljGIjE.exe
  C:\Windows\System32\FljGIjE.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System32\mjJBuhn.exe
  C:\Windows\System32\mjJBuhn.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\cgGoVMA.exe
  C:\Windows\System32\cgGoVMA.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\jpWSXSc.exe
  C:\Windows\System32\jpWSXSc.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\IkuFDyP.exe
  C:\Windows\System32\IkuFDyP.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\JAbYRSo.exe
  C:\Windows\System32\JAbYRSo.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System32\hYAIVXr.exe
  C:\Windows\System32\hYAIVXr.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\dRuvkDE.exe
  C:\Windows\System32\dRuvkDE.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\yvWtDaP.exe
  C:\Windows\System32\yvWtDaP.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System32\orYkQvY.exe
  C:\Windows\System32\orYkQvY.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\cmwoVqW.exe
  C:\Windows\System32\cmwoVqW.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\beTEGBw.exe
  C:\Windows\System32\beTEGBw.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\YgfzjgN.exe
  C:\Windows\System32\YgfzjgN.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\nicritO.exe
  C:\Windows\System32\nicritO.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\UypwRWo.exe
  C:\Windows\System32\UypwRWo.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\wPqgngW.exe
  C:\Windows\System32\wPqgngW.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\rrNBmfB.exe
  C:\Windows\System32\rrNBmfB.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\ZdDCepJ.exe
  C:\Windows\System32\ZdDCepJ.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System32\yHUKpmD.exe
  C:\Windows\System32\yHUKpmD.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\UWxuEWs.exe
  C:\Windows\System32\UWxuEWs.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\vDaVKUY.exe
  C:\Windows\System32\vDaVKUY.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System32\dAoWTFT.exe
  C:\Windows\System32\dAoWTFT.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\byDJUPn.exe
  C:\Windows\System32\byDJUPn.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\hlAdDPg.exe
  C:\Windows\System32\hlAdDPg.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System32\miXLWLS.exe
  C:\Windows\System32\miXLWLS.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\ZlovaWq.exe
  C:\Windows\System32\ZlovaWq.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\MTPETzo.exe
  C:\Windows\System32\MTPETzo.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\qvcVvQb.exe
  C:\Windows\System32\qvcVvQb.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\XJQzExH.exe
  C:\Windows\System32\XJQzExH.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\BRbsQSc.exe
  C:\Windows\System32\BRbsQSc.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\ZFTVkEO.exe
  C:\Windows\System32\ZFTVkEO.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\shtUZxo.exe
  C:\Windows\System32\shtUZxo.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\NYdFMSu.exe
  C:\Windows\System32\NYdFMSu.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\VwJHEzR.exe
  C:\Windows\System32\VwJHEzR.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\pqEcIUy.exe
  C:\Windows\System32\pqEcIUy.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\pWnxNac.exe
  C:\Windows\System32\pWnxNac.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System32\GZBFfBE.exe
  C:\Windows\System32\GZBFfBE.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\bsrrphl.exe
  C:\Windows\System32\bsrrphl.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\XTnJWvw.exe
  C:\Windows\System32\XTnJWvw.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\DnsiBng.exe
  C:\Windows\System32\DnsiBng.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System32\nGcsKdx.exe
  C:\Windows\System32\nGcsKdx.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\NaVFYco.exe
  C:\Windows\System32\NaVFYco.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\JJVunsc.exe
  C:\Windows\System32\JJVunsc.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\pjOCAcc.exe
  C:\Windows\System32\pjOCAcc.exe
  2⤵
  PID:4368
- C:\Windows\System32\XLYlQKI.exe
  C:\Windows\System32\XLYlQKI.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\ulHOAdQ.exe
  C:\Windows\System32\ulHOAdQ.exe
  2⤵
  PID:1380
- C:\Windows\System32\mqgkHmM.exe
  C:\Windows\System32\mqgkHmM.exe
  2⤵
  PID:1776
- C:\Windows\System32\OBEnvgV.exe
  C:\Windows\System32\OBEnvgV.exe
  2⤵
  PID:2696
- C:\Windows\System32\TOSfxRh.exe
  C:\Windows\System32\TOSfxRh.exe
  2⤵
  PID:228
- C:\Windows\System32\FnxsYZq.exe
  C:\Windows\System32\FnxsYZq.exe
  2⤵
  PID:1924
- C:\Windows\System32\WWXIYFP.exe
  C:\Windows\System32\WWXIYFP.exe
  2⤵
  PID:2312
- C:\Windows\System32\RYcjjZP.exe
  C:\Windows\System32\RYcjjZP.exe
  2⤵
  PID:4956
- C:\Windows\System32\dGGnZWT.exe
  C:\Windows\System32\dGGnZWT.exe
  2⤵
  PID:2068
- C:\Windows\System32\HLGPBha.exe
  C:\Windows\System32\HLGPBha.exe
  2⤵
  PID:3208
- C:\Windows\System32\Kuzlxee.exe
  C:\Windows\System32\Kuzlxee.exe
  2⤵
  PID:1220
- C:\Windows\System32\RzOnpgs.exe
  C:\Windows\System32\RzOnpgs.exe
  2⤵
  PID:1468
- C:\Windows\System32\sDgXVfM.exe
  C:\Windows\System32\sDgXVfM.exe
  2⤵
  PID:4972
- C:\Windows\System32\kLcwWxa.exe
  C:\Windows\System32\kLcwWxa.exe
  2⤵
  PID:324
- C:\Windows\System32\ERoSbmf.exe
  C:\Windows\System32\ERoSbmf.exe
  2⤵
  PID:2428
- C:\Windows\System32\dCYYasK.exe
  C:\Windows\System32\dCYYasK.exe
  2⤵
  PID:2636
- C:\Windows\System32\gdpXGHv.exe
  C:\Windows\System32\gdpXGHv.exe
  2⤵
  PID:4896
- C:\Windows\System32\mEvtzFo.exe
  C:\Windows\System32\mEvtzFo.exe
  2⤵
  PID:2168
- C:\Windows\System32\dmUIoPa.exe
  C:\Windows\System32\dmUIoPa.exe
  2⤵
  PID:2532
- C:\Windows\System32\daQrbLl.exe
  C:\Windows\System32\daQrbLl.exe
  2⤵
  PID:5164
- C:\Windows\System32\acOXfUj.exe
  C:\Windows\System32\acOXfUj.exe
  2⤵
  PID:5180
- C:\Windows\System32\Dkfcngj.exe
  C:\Windows\System32\Dkfcngj.exe
  2⤵
  PID:5208
- C:\Windows\System32\AFHikRv.exe
  C:\Windows\System32\AFHikRv.exe
  2⤵
  PID:5228
- C:\Windows\System32\MwvBcYh.exe
  C:\Windows\System32\MwvBcYh.exe
  2⤵
  PID:5256
- C:\Windows\System32\UZfWeIh.exe
  C:\Windows\System32\UZfWeIh.exe
  2⤵
  PID:5312
- C:\Windows\System32\YjREfPd.exe
  C:\Windows\System32\YjREfPd.exe
  2⤵
  PID:5336
- C:\Windows\System32\qUagGFg.exe
  C:\Windows\System32\qUagGFg.exe
  2⤵
  PID:5392
- C:\Windows\System32\viYzuwb.exe
  C:\Windows\System32\viYzuwb.exe
  2⤵
  PID:5420
- C:\Windows\System32\qzqjtDt.exe
  C:\Windows\System32\qzqjtDt.exe
  2⤵
  PID:5448
- C:\Windows\System32\qlJayhC.exe
  C:\Windows\System32\qlJayhC.exe
  2⤵
  PID:5472
- C:\Windows\System32\LBayRzA.exe
  C:\Windows\System32\LBayRzA.exe
  2⤵
  PID:5500
- C:\Windows\System32\doaUffs.exe
  C:\Windows\System32\doaUffs.exe
  2⤵
  PID:5516
- C:\Windows\System32\XeFkcFm.exe
  C:\Windows\System32\XeFkcFm.exe
  2⤵
  PID:5548
- C:\Windows\System32\YIJXsXX.exe
  C:\Windows\System32\YIJXsXX.exe
  2⤵
  PID:5572
- C:\Windows\System32\vzCWPPZ.exe
  C:\Windows\System32\vzCWPPZ.exe
  2⤵
  PID:5592
- C:\Windows\System32\NECZCmz.exe
  C:\Windows\System32\NECZCmz.exe
  2⤵
  PID:5612
- C:\Windows\System32\BhMOhUr.exe
  C:\Windows\System32\BhMOhUr.exe
  2⤵
  PID:5656
- C:\Windows\System32\DhvItrO.exe
  C:\Windows\System32\DhvItrO.exe
  2⤵
  PID:5684
- C:\Windows\System32\zsRhFXE.exe
  C:\Windows\System32\zsRhFXE.exe
  2⤵
  PID:5700
- C:\Windows\System32\rlXFewF.exe
  C:\Windows\System32\rlXFewF.exe
  2⤵
  PID:5724
- C:\Windows\System32\lJGDpGU.exe
  C:\Windows\System32\lJGDpGU.exe
  2⤵
  PID:5748
- C:\Windows\System32\ZwYLnjU.exe
  C:\Windows\System32\ZwYLnjU.exe
  2⤵
  PID:5772
- C:\Windows\System32\vegnjxV.exe
  C:\Windows\System32\vegnjxV.exe
  2⤵
  PID:5792
- C:\Windows\System32\BvqGpcI.exe
  C:\Windows\System32\BvqGpcI.exe
  2⤵
  PID:5812
- C:\Windows\System32\SWsSWoe.exe
  C:\Windows\System32\SWsSWoe.exe
  2⤵
  PID:5836
- C:\Windows\System32\djwvLxh.exe
  C:\Windows\System32\djwvLxh.exe
  2⤵
  PID:5896
- C:\Windows\System32\vZMTuzW.exe
  C:\Windows\System32\vZMTuzW.exe
  2⤵
  PID:5916
- C:\Windows\System32\BrjCYmO.exe
  C:\Windows\System32\BrjCYmO.exe
  2⤵
  PID:5952
- C:\Windows\System32\QgjKhwr.exe
  C:\Windows\System32\QgjKhwr.exe
  2⤵
  PID:5976
- C:\Windows\System32\HxfuSHC.exe
  C:\Windows\System32\HxfuSHC.exe
  2⤵
  PID:6004
- C:\Windows\System32\LymwAdX.exe
  C:\Windows\System32\LymwAdX.exe
  2⤵
  PID:6056
- C:\Windows\System32\SdoqwTO.exe
  C:\Windows\System32\SdoqwTO.exe
  2⤵
  PID:6072
- C:\Windows\System32\MuOnRVt.exe
  C:\Windows\System32\MuOnRVt.exe
  2⤵
  PID:6092
- C:\Windows\System32\FlNcITt.exe
  C:\Windows\System32\FlNcITt.exe
  2⤵
  PID:6112
- C:\Windows\System32\etDipnf.exe
  C:\Windows\System32\etDipnf.exe
  2⤵
  PID:6140
- C:\Windows\System32\urlySur.exe
  C:\Windows\System32\urlySur.exe
  2⤵
  PID:4204
- C:\Windows\System32\jgfrrrM.exe
  C:\Windows\System32\jgfrrrM.exe
  2⤵
  PID:5188
- C:\Windows\System32\YSztROY.exe
  C:\Windows\System32\YSztROY.exe
  2⤵
  PID:5240
- C:\Windows\System32\BiMuZox.exe
  C:\Windows\System32\BiMuZox.exe
  2⤵
  PID:5292
- C:\Windows\System32\ODwioKU.exe
  C:\Windows\System32\ODwioKU.exe
  2⤵
  PID:5320
- C:\Windows\System32\oHUmVFb.exe
  C:\Windows\System32\oHUmVFb.exe
  2⤵
  PID:5372
- C:\Windows\System32\IDzEeNY.exe
  C:\Windows\System32\IDzEeNY.exe
  2⤵
  PID:5400
- C:\Windows\System32\axPgfaN.exe
  C:\Windows\System32\axPgfaN.exe
  2⤵
  PID:5456
- C:\Windows\System32\kkXUPGY.exe
  C:\Windows\System32\kkXUPGY.exe
  2⤵
  PID:5608
- C:\Windows\System32\QOKgoRd.exe
  C:\Windows\System32\QOKgoRd.exe
  2⤵
  PID:5644
- C:\Windows\System32\DQIRbuO.exe
  C:\Windows\System32\DQIRbuO.exe
  2⤵
  PID:5804
- C:\Windows\System32\JNOelZH.exe
  C:\Windows\System32\JNOelZH.exe
  2⤵
  PID:5824
- C:\Windows\System32\ujknqcD.exe
  C:\Windows\System32\ujknqcD.exe
  2⤵
  PID:5932
- C:\Windows\System32\rffZqjR.exe
  C:\Windows\System32\rffZqjR.exe
  2⤵
  PID:6000
- C:\Windows\System32\lMkablj.exe
  C:\Windows\System32\lMkablj.exe
  2⤵
  PID:6120
- C:\Windows\System32\xVRwcJC.exe
  C:\Windows\System32\xVRwcJC.exe
  2⤵
  PID:5348
- C:\Windows\System32\YZqKaSB.exe
  C:\Windows\System32\YZqKaSB.exe
  2⤵
  PID:5288
- C:\Windows\System32\npvOFYV.exe
  C:\Windows\System32\npvOFYV.exe
  2⤵
  PID:5124
- C:\Windows\System32\reYSbbD.exe
  C:\Windows\System32\reYSbbD.exe
  2⤵
  PID:5360
- C:\Windows\System32\wxdtrQb.exe
  C:\Windows\System32\wxdtrQb.exe
  2⤵
  PID:5628
- C:\Windows\System32\BjwZUwi.exe
  C:\Windows\System32\BjwZUwi.exe
  2⤵
  PID:5788
- C:\Windows\System32\nJVmRup.exe
  C:\Windows\System32\nJVmRup.exe
  2⤵
  PID:5968
- C:\Windows\System32\UcloRvf.exe
  C:\Windows\System32\UcloRvf.exe
  2⤵
  PID:5176
- C:\Windows\System32\VLZoSEW.exe
  C:\Windows\System32\VLZoSEW.exe
  2⤵
  PID:3016
- C:\Windows\System32\WGVnutg.exe
  C:\Windows\System32\WGVnutg.exe
  2⤵
  PID:5600
- C:\Windows\System32\IBuQnXP.exe
  C:\Windows\System32\IBuQnXP.exe
  2⤵
  PID:5908
- C:\Windows\System32\rJvjdsL.exe
  C:\Windows\System32\rJvjdsL.exe
  2⤵
  PID:6148
- C:\Windows\System32\TojLEfY.exe
  C:\Windows\System32\TojLEfY.exe
  2⤵
  PID:6164
- C:\Windows\System32\yzpQpaU.exe
  C:\Windows\System32\yzpQpaU.exe
  2⤵
  PID:6212
- C:\Windows\System32\imuzPro.exe
  C:\Windows\System32\imuzPro.exe
  2⤵
  PID:6276
- C:\Windows\System32\SdWXnVv.exe
  C:\Windows\System32\SdWXnVv.exe
  2⤵
  PID:6308
- C:\Windows\System32\avXFbEq.exe
  C:\Windows\System32\avXFbEq.exe
  2⤵
  PID:6324
- C:\Windows\System32\zWkmnmd.exe
  C:\Windows\System32\zWkmnmd.exe
  2⤵
  PID:6344
- C:\Windows\System32\OraYYZM.exe
  C:\Windows\System32\OraYYZM.exe
  2⤵
  PID:6364
- C:\Windows\System32\DZPjRpP.exe
  C:\Windows\System32\DZPjRpP.exe
  2⤵
  PID:6384
- C:\Windows\System32\qCoUzWf.exe
  C:\Windows\System32\qCoUzWf.exe
  2⤵
  PID:6408
- C:\Windows\System32\ftknzft.exe
  C:\Windows\System32\ftknzft.exe
  2⤵
  PID:6436
- C:\Windows\System32\mSatIVI.exe
  C:\Windows\System32\mSatIVI.exe
  2⤵
  PID:6468
- C:\Windows\System32\yXYWGNv.exe
  C:\Windows\System32\yXYWGNv.exe
  2⤵
  PID:6488
- C:\Windows\System32\qVbjlfF.exe
  C:\Windows\System32\qVbjlfF.exe
  2⤵
  PID:6504
- C:\Windows\System32\pshRlan.exe
  C:\Windows\System32\pshRlan.exe
  2⤵
  PID:6568
- C:\Windows\System32\XBhhfxj.exe
  C:\Windows\System32\XBhhfxj.exe
  2⤵
  PID:6588
- C:\Windows\System32\VJKRUGJ.exe
  C:\Windows\System32\VJKRUGJ.exe
  2⤵
  PID:6608
- C:\Windows\System32\yTQUOEh.exe
  C:\Windows\System32\yTQUOEh.exe
  2⤵
  PID:6628
- C:\Windows\System32\QGAoFqJ.exe
  C:\Windows\System32\QGAoFqJ.exe
  2⤵
  PID:6648
- C:\Windows\System32\AJYSRaz.exe
  C:\Windows\System32\AJYSRaz.exe
  2⤵
  PID:6672
- C:\Windows\System32\yGVVUAH.exe
  C:\Windows\System32\yGVVUAH.exe
  2⤵
  PID:6736
- C:\Windows\System32\CqwWLjt.exe
  C:\Windows\System32\CqwWLjt.exe
  2⤵
  PID:6760
- C:\Windows\System32\yjVXWLM.exe
  C:\Windows\System32\yjVXWLM.exe
  2⤵
  PID:6776
- C:\Windows\System32\kjYDPws.exe
  C:\Windows\System32\kjYDPws.exe
  2⤵
  PID:6792
- C:\Windows\System32\TGYcEhr.exe
  C:\Windows\System32\TGYcEhr.exe
  2⤵
  PID:6816
- C:\Windows\System32\XwUkzMd.exe
  C:\Windows\System32\XwUkzMd.exe
  2⤵
  PID:6832
- C:\Windows\System32\GqKolsV.exe
  C:\Windows\System32\GqKolsV.exe
  2⤵
  PID:6856
- C:\Windows\System32\kkBRiCJ.exe
  C:\Windows\System32\kkBRiCJ.exe
  2⤵
  PID:6876
- C:\Windows\System32\mufMPuZ.exe
  C:\Windows\System32\mufMPuZ.exe
  2⤵
  PID:6952
- C:\Windows\System32\XcrEcjd.exe
  C:\Windows\System32\XcrEcjd.exe
  2⤵
  PID:6976
- C:\Windows\System32\jeaeqwv.exe
  C:\Windows\System32\jeaeqwv.exe
  2⤵
  PID:7028
- C:\Windows\System32\XkvOepf.exe
  C:\Windows\System32\XkvOepf.exe
  2⤵
  PID:7056
- C:\Windows\System32\AoDXUgK.exe
  C:\Windows\System32\AoDXUgK.exe
  2⤵
  PID:7084
- C:\Windows\System32\wdMCIXf.exe
  C:\Windows\System32\wdMCIXf.exe
  2⤵
  PID:7104
- C:\Windows\System32\FiwVVPx.exe
  C:\Windows\System32\FiwVVPx.exe
  2⤵
  PID:7132
- C:\Windows\System32\KDgBYvJ.exe
  C:\Windows\System32\KDgBYvJ.exe
  2⤵
  PID:7160
- C:\Windows\System32\qnAOsGl.exe
  C:\Windows\System32\qnAOsGl.exe
  2⤵
  PID:5712
- C:\Windows\System32\AZMeRKA.exe
  C:\Windows\System32\AZMeRKA.exe
  2⤵
  PID:6196
- C:\Windows\System32\RaKYRno.exe
  C:\Windows\System32\RaKYRno.exe
  2⤵
  PID:6232
- C:\Windows\System32\VgbCDDI.exe
  C:\Windows\System32\VgbCDDI.exe
  2⤵
  PID:6320
- C:\Windows\System32\swUJjAK.exe
  C:\Windows\System32\swUJjAK.exe
  2⤵
  PID:6332
- C:\Windows\System32\nTAcZGD.exe
  C:\Windows\System32\nTAcZGD.exe
  2⤵
  PID:6420
- C:\Windows\System32\CYtomhY.exe
  C:\Windows\System32\CYtomhY.exe
  2⤵
  PID:6520
- C:\Windows\System32\fzQnYVH.exe
  C:\Windows\System32\fzQnYVH.exe
  2⤵
  PID:6600
- C:\Windows\System32\MIYUQdv.exe
  C:\Windows\System32\MIYUQdv.exe
  2⤵
  PID:6696
- C:\Windows\System32\gVbPWnf.exe
  C:\Windows\System32\gVbPWnf.exe
  2⤵
  PID:6704
- C:\Windows\System32\qgYKMeq.exe
  C:\Windows\System32\qgYKMeq.exe
  2⤵
  PID:6784
- C:\Windows\System32\zBhUrye.exe
  C:\Windows\System32\zBhUrye.exe
  2⤵
  PID:6844
- C:\Windows\System32\uLRXfPe.exe
  C:\Windows\System32\uLRXfPe.exe
  2⤵
  PID:6872
- C:\Windows\System32\eaIkZJQ.exe
  C:\Windows\System32\eaIkZJQ.exe
  2⤵
  PID:6944
- C:\Windows\System32\TRNZRWM.exe
  C:\Windows\System32\TRNZRWM.exe
  2⤵
  PID:7020
- C:\Windows\System32\LjNfFFs.exe
  C:\Windows\System32\LjNfFFs.exe
  2⤵
  PID:7100
- C:\Windows\System32\LVFtVnZ.exe
  C:\Windows\System32\LVFtVnZ.exe
  2⤵
  PID:6180
- C:\Windows\System32\cZWRAMV.exe
  C:\Windows\System32\cZWRAMV.exe
  2⤵
  PID:6260
- C:\Windows\System32\CIoIGbZ.exe
  C:\Windows\System32\CIoIGbZ.exe
  2⤵
  PID:6340
- C:\Windows\System32\XqmyRZX.exe
  C:\Windows\System32\XqmyRZX.exe
  2⤵
  PID:6416
- C:\Windows\System32\bIXdPON.exe
  C:\Windows\System32\bIXdPON.exe
  2⤵
  PID:6584
- C:\Windows\System32\trEMNHm.exe
  C:\Windows\System32\trEMNHm.exe
  2⤵
  PID:6828
- C:\Windows\System32\LApsqbA.exe
  C:\Windows\System32\LApsqbA.exe
  2⤵
  PID:6884
- C:\Windows\System32\BgTJhSV.exe
  C:\Windows\System32\BgTJhSV.exe
  2⤵
  PID:7156
- C:\Windows\System32\iBVSDrd.exe
  C:\Windows\System32\iBVSDrd.exe
  2⤵
  PID:7152
- C:\Windows\System32\rrXzEsQ.exe
  C:\Windows\System32\rrXzEsQ.exe
  2⤵
  PID:6392
- C:\Windows\System32\ecadrYE.exe
  C:\Windows\System32\ecadrYE.exe
  2⤵
  PID:6640
- C:\Windows\System32\pRaPziD.exe
  C:\Windows\System32\pRaPziD.exe
  2⤵
  PID:6444
- C:\Windows\System32\AljwQbc.exe
  C:\Windows\System32\AljwQbc.exe
  2⤵
  PID:7176
- C:\Windows\System32\IFleEbc.exe
  C:\Windows\System32\IFleEbc.exe
  2⤵
  PID:7196
- C:\Windows\System32\Lwtebja.exe
  C:\Windows\System32\Lwtebja.exe
  2⤵
  PID:7212
- C:\Windows\System32\eGFLAar.exe
  C:\Windows\System32\eGFLAar.exe
  2⤵
  PID:7236
- C:\Windows\System32\qTzFXVz.exe
  C:\Windows\System32\qTzFXVz.exe
  2⤵
  PID:7264
- C:\Windows\System32\lNpWgyB.exe
  C:\Windows\System32\lNpWgyB.exe
  2⤵
  PID:7300
- C:\Windows\System32\mLyYWCv.exe
  C:\Windows\System32\mLyYWCv.exe
  2⤵
  PID:7348
- C:\Windows\System32\JxnQZkq.exe
  C:\Windows\System32\JxnQZkq.exe
  2⤵
  PID:7368
- C:\Windows\System32\MChhJjo.exe
  C:\Windows\System32\MChhJjo.exe
  2⤵
  PID:7400
- C:\Windows\System32\pyDLaNI.exe
  C:\Windows\System32\pyDLaNI.exe
  2⤵
  PID:7420
- C:\Windows\System32\YMOibJj.exe
  C:\Windows\System32\YMOibJj.exe
  2⤵
  PID:7436
- C:\Windows\System32\RLHuojV.exe
  C:\Windows\System32\RLHuojV.exe
  2⤵
  PID:7492
- C:\Windows\System32\uTqjtpk.exe
  C:\Windows\System32\uTqjtpk.exe
  2⤵
  PID:7508
- C:\Windows\System32\jFmZQBS.exe
  C:\Windows\System32\jFmZQBS.exe
  2⤵
  PID:7532
- C:\Windows\System32\lbEBoCU.exe
  C:\Windows\System32\lbEBoCU.exe
  2⤵
  PID:7564
- C:\Windows\System32\kUQcSAo.exe
  C:\Windows\System32\kUQcSAo.exe
  2⤵
  PID:7600
- C:\Windows\System32\chzHsqG.exe
  C:\Windows\System32\chzHsqG.exe
  2⤵
  PID:7632
- C:\Windows\System32\DdJtKOj.exe
  C:\Windows\System32\DdJtKOj.exe
  2⤵
  PID:7652
- C:\Windows\System32\coJIHOK.exe
  C:\Windows\System32\coJIHOK.exe
  2⤵
  PID:7676
- C:\Windows\System32\poHxbIN.exe
  C:\Windows\System32\poHxbIN.exe
  2⤵
  PID:7700
- C:\Windows\System32\GHhrenk.exe
  C:\Windows\System32\GHhrenk.exe
  2⤵
  PID:7716
- C:\Windows\System32\iEmVIFa.exe
  C:\Windows\System32\iEmVIFa.exe
  2⤵
  PID:7736
- C:\Windows\System32\kXMZPSl.exe
  C:\Windows\System32\kXMZPSl.exe
  2⤵
  PID:7812
- C:\Windows\System32\kGlUsct.exe
  C:\Windows\System32\kGlUsct.exe
  2⤵
  PID:7832
- C:\Windows\System32\gHUBeRs.exe
  C:\Windows\System32\gHUBeRs.exe
  2⤵
  PID:7856
- C:\Windows\System32\COspMja.exe
  C:\Windows\System32\COspMja.exe
  2⤵
  PID:7896
- C:\Windows\System32\wljkFid.exe
  C:\Windows\System32\wljkFid.exe
  2⤵
  PID:7912
- C:\Windows\System32\uVufPkC.exe
  C:\Windows\System32\uVufPkC.exe
  2⤵
  PID:7936
- C:\Windows\System32\spkbiKE.exe
  C:\Windows\System32\spkbiKE.exe
  2⤵
  PID:7952
- C:\Windows\System32\ksAeaBX.exe
  C:\Windows\System32\ksAeaBX.exe
  2⤵
  PID:7972
- C:\Windows\System32\JQpymKz.exe
  C:\Windows\System32\JQpymKz.exe
  2⤵
  PID:7996
- C:\Windows\System32\eNCTFRc.exe
  C:\Windows\System32\eNCTFRc.exe
  2⤵
  PID:8036
- C:\Windows\System32\otXAkVZ.exe
  C:\Windows\System32\otXAkVZ.exe
  2⤵
  PID:8060
- C:\Windows\System32\RfXZFhY.exe
  C:\Windows\System32\RfXZFhY.exe
  2⤵
  PID:8084
- C:\Windows\System32\VonOCOs.exe
  C:\Windows\System32\VonOCOs.exe
  2⤵
  PID:8108
- C:\Windows\System32\abGnAnj.exe
  C:\Windows\System32\abGnAnj.exe
  2⤵
  PID:8128
- C:\Windows\System32\VRsfnLm.exe
  C:\Windows\System32\VRsfnLm.exe
  2⤵
  PID:8180
- C:\Windows\System32\jiSoMbZ.exe
  C:\Windows\System32\jiSoMbZ.exe
  2⤵
  PID:7172
- C:\Windows\System32\LkTZFxO.exe
  C:\Windows\System32\LkTZFxO.exe
  2⤵
  PID:7260
- C:\Windows\System32\gFVuFyJ.exe
  C:\Windows\System32\gFVuFyJ.exe
  2⤵
  PID:7292
- C:\Windows\System32\ojMWVWK.exe
  C:\Windows\System32\ojMWVWK.exe
  2⤵
  PID:7376
- C:\Windows\System32\kDIVeRD.exe
  C:\Windows\System32\kDIVeRD.exe
  2⤵
  PID:7428
- C:\Windows\System32\IZkPYqx.exe
  C:\Windows\System32\IZkPYqx.exe
  2⤵
  PID:7412
- C:\Windows\System32\uSFpxpy.exe
  C:\Windows\System32\uSFpxpy.exe
  2⤵
  PID:7612
- C:\Windows\System32\VlOWtkP.exe
  C:\Windows\System32\VlOWtkP.exe
  2⤵
  PID:7668
- C:\Windows\System32\XaNQdzw.exe
  C:\Windows\System32\XaNQdzw.exe
  2⤵
  PID:7744
- C:\Windows\System32\TKVcGyK.exe
  C:\Windows\System32\TKVcGyK.exe
  2⤵
  PID:7780
- C:\Windows\System32\bwyORSr.exe
  C:\Windows\System32\bwyORSr.exe
  2⤵
  PID:7848
- C:\Windows\System32\lTGdIlP.exe
  C:\Windows\System32\lTGdIlP.exe
  2⤵
  PID:7932
- C:\Windows\System32\nFNlNpT.exe
  C:\Windows\System32\nFNlNpT.exe
  2⤵
  PID:7924
- C:\Windows\System32\BwEgGmG.exe
  C:\Windows\System32\BwEgGmG.exe
  2⤵
  PID:7960
- C:\Windows\System32\Vhvsxnp.exe
  C:\Windows\System32\Vhvsxnp.exe
  2⤵
  PID:8044
- C:\Windows\System32\qyoObMC.exe
  C:\Windows\System32\qyoObMC.exe
  2⤵
  PID:8140
- C:\Windows\System32\tKcUzSk.exe
  C:\Windows\System32\tKcUzSk.exe
  2⤵
  PID:6668
- C:\Windows\System32\nVDyfxM.exe
  C:\Windows\System32\nVDyfxM.exe
  2⤵
  PID:7188
- C:\Windows\System32\vvMYrMK.exe
  C:\Windows\System32\vvMYrMK.exe
  2⤵
  PID:7344
- C:\Windows\System32\aYpPvWZ.exe
  C:\Windows\System32\aYpPvWZ.exe
  2⤵
  PID:7608
- C:\Windows\System32\uYGzdzv.exe
  C:\Windows\System32\uYGzdzv.exe
  2⤵
  PID:7828
- C:\Windows\System32\qScYPBD.exe
  C:\Windows\System32\qScYPBD.exe
  2⤵
  PID:7980
- C:\Windows\System32\nrkTDLD.exe
  C:\Windows\System32\nrkTDLD.exe
  2⤵
  PID:8160
- C:\Windows\System32\snzejDG.exe
  C:\Windows\System32\snzejDG.exe
  2⤵
  PID:7252
- C:\Windows\System32\jrHYxcD.exe
  C:\Windows\System32\jrHYxcD.exe
  2⤵
  PID:7760
- C:\Windows\System32\otvLNrH.exe
  C:\Windows\System32\otvLNrH.exe
  2⤵
  PID:7208
- C:\Windows\System32\HqsDWTY.exe
  C:\Windows\System32\HqsDWTY.exe
  2⤵
  PID:7540
- C:\Windows\System32\HjrlpnM.exe
  C:\Windows\System32\HjrlpnM.exe
  2⤵
  PID:8212
- C:\Windows\System32\HQscaPf.exe
  C:\Windows\System32\HQscaPf.exe
  2⤵
  PID:8228
- C:\Windows\System32\GSzNTsx.exe
  C:\Windows\System32\GSzNTsx.exe
  2⤵
  PID:8248
- C:\Windows\System32\IhVCeul.exe
  C:\Windows\System32\IhVCeul.exe
  2⤵
  PID:8264
- C:\Windows\System32\nWfYhDM.exe
  C:\Windows\System32\nWfYhDM.exe
  2⤵
  PID:8284
- C:\Windows\System32\YItxZKt.exe
  C:\Windows\System32\YItxZKt.exe
  2⤵
  PID:8304
- C:\Windows\System32\cGPVvVz.exe
  C:\Windows\System32\cGPVvVz.exe
  2⤵
  PID:8324
- C:\Windows\System32\gkmdZaM.exe
  C:\Windows\System32\gkmdZaM.exe
  2⤵
  PID:8344
- C:\Windows\System32\JZgjWKj.exe
  C:\Windows\System32\JZgjWKj.exe
  2⤵
  PID:8364
- C:\Windows\System32\YuNOSQY.exe
  C:\Windows\System32\YuNOSQY.exe
  2⤵
  PID:8400
- C:\Windows\System32\KELWKde.exe
  C:\Windows\System32\KELWKde.exe
  2⤵
  PID:8416
- C:\Windows\System32\cLPfZmV.exe
  C:\Windows\System32\cLPfZmV.exe
  2⤵
  PID:8460
- C:\Windows\System32\wPdGErO.exe
  C:\Windows\System32\wPdGErO.exe
  2⤵
  PID:8520
- C:\Windows\System32\NyjMhyY.exe
  C:\Windows\System32\NyjMhyY.exe
  2⤵
  PID:8540
- C:\Windows\System32\DETpFub.exe
  C:\Windows\System32\DETpFub.exe
  2⤵
  PID:8604
- C:\Windows\System32\WYYxclF.exe
  C:\Windows\System32\WYYxclF.exe
  2⤵
  PID:8624
- C:\Windows\System32\uXoVqWh.exe
  C:\Windows\System32\uXoVqWh.exe
  2⤵
  PID:8648
- C:\Windows\System32\kKHnjRr.exe
  C:\Windows\System32\kKHnjRr.exe
  2⤵
  PID:8676
- C:\Windows\System32\EHLuZwk.exe
  C:\Windows\System32\EHLuZwk.exe
  2⤵
  PID:8716
- C:\Windows\System32\tijphrN.exe
  C:\Windows\System32\tijphrN.exe
  2⤵
  PID:8744
- C:\Windows\System32\LNfSbBO.exe
  C:\Windows\System32\LNfSbBO.exe
  2⤵
  PID:8764
- C:\Windows\System32\sbBNdKQ.exe
  C:\Windows\System32\sbBNdKQ.exe
  2⤵
  PID:8844
- C:\Windows\System32\QKCDpqt.exe
  C:\Windows\System32\QKCDpqt.exe
  2⤵
  PID:8864
- C:\Windows\System32\xJffrCB.exe
  C:\Windows\System32\xJffrCB.exe
  2⤵
  PID:8880
- C:\Windows\System32\RzBllZw.exe
  C:\Windows\System32\RzBllZw.exe
  2⤵
  PID:8896
- C:\Windows\System32\ASFGWHT.exe
  C:\Windows\System32\ASFGWHT.exe
  2⤵
  PID:8912
- C:\Windows\System32\HNHVIvB.exe
  C:\Windows\System32\HNHVIvB.exe
  2⤵
  PID:8940
- C:\Windows\System32\ftkNOjN.exe
  C:\Windows\System32\ftkNOjN.exe
  2⤵
  PID:8960
- C:\Windows\System32\Larzllo.exe
  C:\Windows\System32\Larzllo.exe
  2⤵
  PID:9012
- C:\Windows\System32\qgwOuhy.exe
  C:\Windows\System32\qgwOuhy.exe
  2⤵
  PID:9068
- C:\Windows\System32\xoYuXqc.exe
  C:\Windows\System32\xoYuXqc.exe
  2⤵
  PID:9088
- C:\Windows\System32\CWjnwUk.exe
  C:\Windows\System32\CWjnwUk.exe
  2⤵
  PID:9104
- C:\Windows\System32\EBPhtsh.exe
  C:\Windows\System32\EBPhtsh.exe
  2⤵
  PID:9156
- C:\Windows\System32\IIKzYwE.exe
  C:\Windows\System32\IIKzYwE.exe
  2⤵
  PID:9176
- C:\Windows\System32\KmgkOYG.exe
  C:\Windows\System32\KmgkOYG.exe
  2⤵
  PID:9192
- C:\Windows\System32\jBzgEzk.exe
  C:\Windows\System32\jBzgEzk.exe
  2⤵
  PID:8076
- C:\Windows\System32\AITMpeW.exe
  C:\Windows\System32\AITMpeW.exe
  2⤵
  PID:8220
- C:\Windows\System32\AjTMvbn.exe
  C:\Windows\System32\AjTMvbn.exe
  2⤵
  PID:8276
- C:\Windows\System32\VtVWSLL.exe
  C:\Windows\System32\VtVWSLL.exe
  2⤵
  PID:8396
- C:\Windows\System32\pjpRXTJ.exe
  C:\Windows\System32\pjpRXTJ.exe
  2⤵
  PID:8444
- C:\Windows\System32\qyEiERw.exe
  C:\Windows\System32\qyEiERw.exe
  2⤵
  PID:8484
- C:\Windows\System32\seFKJcm.exe
  C:\Windows\System32\seFKJcm.exe
  2⤵
  PID:8632
- C:\Windows\System32\KrCgpNh.exe
  C:\Windows\System32\KrCgpNh.exe
  2⤵
  PID:8696
- C:\Windows\System32\Pftuybi.exe
  C:\Windows\System32\Pftuybi.exe
  2⤵
  PID:8740
- C:\Windows\System32\LonedpG.exe
  C:\Windows\System32\LonedpG.exe
  2⤵
  PID:8816
- C:\Windows\System32\XPBmOhe.exe
  C:\Windows\System32\XPBmOhe.exe
  2⤵
  PID:8872
- C:\Windows\System32\PKvGRWU.exe
  C:\Windows\System32\PKvGRWU.exe
  2⤵
  PID:8836
- C:\Windows\System32\rFOSasN.exe
  C:\Windows\System32\rFOSasN.exe
  2⤵
  PID:9000
- C:\Windows\System32\fLQbjEr.exe
  C:\Windows\System32\fLQbjEr.exe
  2⤵
  PID:9024
- C:\Windows\System32\AXHqfyk.exe
  C:\Windows\System32\AXHqfyk.exe
  2⤵
  PID:9040
- C:\Windows\System32\JXOhvWQ.exe
  C:\Windows\System32\JXOhvWQ.exe
  2⤵
  PID:9080
- C:\Windows\System32\zeAKWmg.exe
  C:\Windows\System32\zeAKWmg.exe
  2⤵
  PID:9168
- C:\Windows\System32\JktUQjP.exe
  C:\Windows\System32\JktUQjP.exe
  2⤵
  PID:8188
- C:\Windows\System32\PjVpNiM.exe
  C:\Windows\System32\PjVpNiM.exe
  2⤵
  PID:8356
- C:\Windows\System32\MudwGng.exe
  C:\Windows\System32\MudwGng.exe
  2⤵
  PID:8456
- C:\Windows\System32\ZkfEBGY.exe
  C:\Windows\System32\ZkfEBGY.exe
  2⤵
  PID:8536
- C:\Windows\System32\ATXhlaY.exe
  C:\Windows\System32\ATXhlaY.exe
  2⤵
  PID:8752
- C:\Windows\System32\uDpmdIa.exe
  C:\Windows\System32\uDpmdIa.exe
  2⤵
  PID:9144
- C:\Windows\System32\VcpznZt.exe
  C:\Windows\System32\VcpznZt.exe
  2⤵
  PID:8392
- C:\Windows\System32\TISduVX.exe
  C:\Windows\System32\TISduVX.exe
  2⤵
  PID:9184
- C:\Windows\System32\MNjLvNI.exe
  C:\Windows\System32\MNjLvNI.exe
  2⤵
  PID:8952
- C:\Windows\System32\EAWLZSF.exe
  C:\Windows\System32\EAWLZSF.exe
  2⤵
  PID:7748
- C:\Windows\System32\CkQgIzj.exe
  C:\Windows\System32\CkQgIzj.exe
  2⤵
  PID:8908
- C:\Windows\System32\iwclkEY.exe
  C:\Windows\System32\iwclkEY.exe
  2⤵
  PID:9228
- C:\Windows\System32\awzWSkZ.exe
  C:\Windows\System32\awzWSkZ.exe
  2⤵
  PID:9248
- C:\Windows\System32\iWPCVdz.exe
  C:\Windows\System32\iWPCVdz.exe
  2⤵
  PID:9268
- C:\Windows\System32\NMLjvmI.exe
  C:\Windows\System32\NMLjvmI.exe
  2⤵
  PID:9288
- C:\Windows\System32\WuxViGU.exe
  C:\Windows\System32\WuxViGU.exe
  2⤵
  PID:9308
- C:\Windows\System32\ZZYUSwg.exe
  C:\Windows\System32\ZZYUSwg.exe
  2⤵
  PID:9356
- C:\Windows\System32\NTDFpFk.exe
  C:\Windows\System32\NTDFpFk.exe
  2⤵
  PID:9400
- C:\Windows\System32\uUVFUiF.exe
  C:\Windows\System32\uUVFUiF.exe
  2⤵
  PID:9416
- C:\Windows\System32\tgXEonj.exe
  C:\Windows\System32\tgXEonj.exe
  2⤵
  PID:9444
- C:\Windows\System32\FqudYJM.exe
  C:\Windows\System32\FqudYJM.exe
  2⤵
  PID:9460
- C:\Windows\System32\NAUgfDS.exe
  C:\Windows\System32\NAUgfDS.exe
  2⤵
  PID:9480
- C:\Windows\System32\hgJMcgg.exe
  C:\Windows\System32\hgJMcgg.exe
  2⤵
  PID:9500
- C:\Windows\System32\ZCQMsaD.exe
  C:\Windows\System32\ZCQMsaD.exe
  2⤵
  PID:9520
- C:\Windows\System32\jLbjtvs.exe
  C:\Windows\System32\jLbjtvs.exe
  2⤵
  PID:9536
- C:\Windows\System32\gEuVOhq.exe
  C:\Windows\System32\gEuVOhq.exe
  2⤵
  PID:9552
- C:\Windows\System32\BAbUiXo.exe
  C:\Windows\System32\BAbUiXo.exe
  2⤵
  PID:9576
- C:\Windows\System32\WRfAZsK.exe
  C:\Windows\System32\WRfAZsK.exe
  2⤵
  PID:9592
- C:\Windows\System32\cMlHZvW.exe
  C:\Windows\System32\cMlHZvW.exe
  2⤵
  PID:9612
- C:\Windows\System32\jNVXeVZ.exe
  C:\Windows\System32\jNVXeVZ.exe
  2⤵
  PID:9644
- C:\Windows\System32\yToGBEC.exe
  C:\Windows\System32\yToGBEC.exe
  2⤵
  PID:9660
- C:\Windows\System32\ICXIxSz.exe
  C:\Windows\System32\ICXIxSz.exe
  2⤵
  PID:9764
- C:\Windows\System32\NPPvYGj.exe
  C:\Windows\System32\NPPvYGj.exe
  2⤵
  PID:9808
- C:\Windows\System32\KfPqIaF.exe
  C:\Windows\System32\KfPqIaF.exe
  2⤵
  PID:9848
- C:\Windows\System32\gkxRHfG.exe
  C:\Windows\System32\gkxRHfG.exe
  2⤵
  PID:9872
- C:\Windows\System32\rBsQrsC.exe
  C:\Windows\System32\rBsQrsC.exe
  2⤵
  PID:9892
- C:\Windows\System32\RBtgRVp.exe
  C:\Windows\System32\RBtgRVp.exe
  2⤵
  PID:9916
- C:\Windows\System32\uUCqxAZ.exe
  C:\Windows\System32\uUCqxAZ.exe
  2⤵
  PID:9936
- C:\Windows\System32\YSqRabO.exe
  C:\Windows\System32\YSqRabO.exe
  2⤵
  PID:9956
- C:\Windows\System32\nnJjdfG.exe
  C:\Windows\System32\nnJjdfG.exe
  2⤵
  PID:9980
- C:\Windows\System32\PGcNOKw.exe
  C:\Windows\System32\PGcNOKw.exe
  2⤵
  PID:9996
- C:\Windows\System32\dtOwiMt.exe
  C:\Windows\System32\dtOwiMt.exe
  2⤵
  PID:10028
- C:\Windows\System32\FWQJdGk.exe
  C:\Windows\System32\FWQJdGk.exe
  2⤵
  PID:10048
- C:\Windows\System32\YYrgWis.exe
  C:\Windows\System32\YYrgWis.exe
  2⤵
  PID:10092
- C:\Windows\System32\arXSnLE.exe
  C:\Windows\System32\arXSnLE.exe
  2⤵
  PID:10156
- C:\Windows\System32\mnZgvwO.exe
  C:\Windows\System32\mnZgvwO.exe
  2⤵
  PID:10172
- C:\Windows\System32\EJfclst.exe
  C:\Windows\System32\EJfclst.exe
  2⤵
  PID:10192
- C:\Windows\System32\muhFqjn.exe
  C:\Windows\System32\muhFqjn.exe
  2⤵
  PID:10208
- C:\Windows\System32\NcfIiNP.exe
  C:\Windows\System32\NcfIiNP.exe
  2⤵
  PID:9264
- C:\Windows\System32\RxHNUtA.exe
  C:\Windows\System32\RxHNUtA.exe
  2⤵
  PID:9236
- C:\Windows\System32\SAXOlmb.exe
  C:\Windows\System32\SAXOlmb.exe
  2⤵
  PID:9316
- C:\Windows\System32\KdzMoPK.exe
  C:\Windows\System32\KdzMoPK.exe
  2⤵
  PID:9376
- C:\Windows\System32\znhZVtI.exe
  C:\Windows\System32\znhZVtI.exe
  2⤵
  PID:9516
- C:\Windows\System32\nHySIAn.exe
  C:\Windows\System32\nHySIAn.exe
  2⤵
  PID:9528
- C:\Windows\System32\GatiocS.exe
  C:\Windows\System32\GatiocS.exe
  2⤵
  PID:9584
- C:\Windows\System32\QLOipRx.exe
  C:\Windows\System32\QLOipRx.exe
  2⤵
  PID:9672
- C:\Windows\System32\LvdEUpS.exe
  C:\Windows\System32\LvdEUpS.exe
  2⤵
  PID:9732
- C:\Windows\System32\tNDqiWU.exe
  C:\Windows\System32\tNDqiWU.exe
  2⤵
  PID:9776
- C:\Windows\System32\qCsndHI.exe
  C:\Windows\System32\qCsndHI.exe
  2⤵
  PID:9932
- C:\Windows\System32\tucfvZO.exe
  C:\Windows\System32\tucfvZO.exe
  2⤵
  PID:10004
- C:\Windows\System32\hlxNizu.exe
  C:\Windows\System32\hlxNizu.exe
  2⤵
  PID:10056
- C:\Windows\System32\jgVuqkj.exe
  C:\Windows\System32\jgVuqkj.exe
  2⤵
  PID:10100
- C:\Windows\System32\ZnhsTPq.exe
  C:\Windows\System32\ZnhsTPq.exe
  2⤵
  PID:10184
- C:\Windows\System32\EGeyFaR.exe
  C:\Windows\System32\EGeyFaR.exe
  2⤵
  PID:9244
- C:\Windows\System32\iHgUwtt.exe
  C:\Windows\System32\iHgUwtt.exe
  2⤵
  PID:9320
- C:\Windows\System32\ZBnMuhL.exe
  C:\Windows\System32\ZBnMuhL.exe
  2⤵
  PID:9328
- C:\Windows\System32\jVgRNqn.exe
  C:\Windows\System32\jVgRNqn.exe
  2⤵
  PID:9640
- C:\Windows\System32\fnBJVbr.exe
  C:\Windows\System32\fnBJVbr.exe
  2⤵
  PID:9652
- C:\Windows\System32\GFyjMfs.exe
  C:\Windows\System32\GFyjMfs.exe
  2⤵
  PID:9952
- C:\Windows\System32\RVoAjVj.exe
  C:\Windows\System32\RVoAjVj.exe
  2⤵
  PID:10012
- C:\Windows\System32\imwDzAQ.exe
  C:\Windows\System32\imwDzAQ.exe
  2⤵
  PID:10084
- C:\Windows\System32\HfDPanW.exe
  C:\Windows\System32\HfDPanW.exe
  2⤵
  PID:8472
- C:\Windows\System32\pAxCeVm.exe
  C:\Windows\System32\pAxCeVm.exe
  2⤵
  PID:9276
- C:\Windows\System32\FtzMdGQ.exe
  C:\Windows\System32\FtzMdGQ.exe
  2⤵
  PID:9508
- C:\Windows\System32\sSWdQfy.exe
  C:\Windows\System32\sSWdQfy.exe
  2⤵
  PID:9860
- C:\Windows\System32\qmbBxis.exe
  C:\Windows\System32\qmbBxis.exe
  2⤵
  PID:10256
- C:\Windows\System32\wsbiZpd.exe
  C:\Windows\System32\wsbiZpd.exe
  2⤵
  PID:10276
- C:\Windows\System32\ADWnWuK.exe
  C:\Windows\System32\ADWnWuK.exe
  2⤵
  PID:10292
- C:\Windows\System32\ybBKpEj.exe
  C:\Windows\System32\ybBKpEj.exe
  2⤵
  PID:10308
- C:\Windows\System32\jDBsmfe.exe
  C:\Windows\System32\jDBsmfe.exe
  2⤵
  PID:10328
- C:\Windows\System32\oFUnTId.exe
  C:\Windows\System32\oFUnTId.exe
  2⤵
  PID:10344
- C:\Windows\System32\AvrvwnI.exe
  C:\Windows\System32\AvrvwnI.exe
  2⤵
  PID:10360
- C:\Windows\System32\iZftnnd.exe
  C:\Windows\System32\iZftnnd.exe
  2⤵
  PID:10380
- C:\Windows\System32\PhSdDei.exe
  C:\Windows\System32\PhSdDei.exe
  2⤵
  PID:10396
- C:\Windows\System32\gLpPLln.exe
  C:\Windows\System32\gLpPLln.exe
  2⤵
  PID:10420
- C:\Windows\System32\qsHGtPd.exe
  C:\Windows\System32\qsHGtPd.exe
  2⤵
  PID:10436
- C:\Windows\System32\RpKnxBH.exe
  C:\Windows\System32\RpKnxBH.exe
  2⤵
  PID:10460
- C:\Windows\System32\FDQkfei.exe
  C:\Windows\System32\FDQkfei.exe
  2⤵
  PID:10476
- C:\Windows\System32\vlHlujC.exe
  C:\Windows\System32\vlHlujC.exe
  2⤵
  PID:10500
- C:\Windows\System32\YzzkSos.exe
  C:\Windows\System32\YzzkSos.exe
  2⤵
  PID:10516
- C:\Windows\System32\abCDpsn.exe
  C:\Windows\System32\abCDpsn.exe
  2⤵
  PID:10532
- C:\Windows\System32\WiMkZbc.exe
  C:\Windows\System32\WiMkZbc.exe
  2⤵
  PID:10556
- C:\Windows\System32\pfHkBkJ.exe
  C:\Windows\System32\pfHkBkJ.exe
  2⤵
  PID:10572
- C:\Windows\System32\GMTsVZK.exe
  C:\Windows\System32\GMTsVZK.exe
  2⤵
  PID:10588
- C:\Windows\System32\CfDzwLE.exe
  C:\Windows\System32\CfDzwLE.exe
  2⤵
  PID:10656
- C:\Windows\System32\bxjauGD.exe
  C:\Windows\System32\bxjauGD.exe
  2⤵
  PID:10780
- C:\Windows\System32\dLpOvxJ.exe
  C:\Windows\System32\dLpOvxJ.exe
  2⤵
  PID:10888
- C:\Windows\System32\ZrvhTIz.exe
  C:\Windows\System32\ZrvhTIz.exe
  2⤵
  PID:10940
- C:\Windows\System32\gcEmkEK.exe
  C:\Windows\System32\gcEmkEK.exe
  2⤵
  PID:10960
- C:\Windows\System32\WpvqRgj.exe
  C:\Windows\System32\WpvqRgj.exe
  2⤵
  PID:10992
- C:\Windows\System32\IiSkiXl.exe
  C:\Windows\System32\IiSkiXl.exe
  2⤵
  PID:11008
- C:\Windows\System32\CuaHmyV.exe
  C:\Windows\System32\CuaHmyV.exe
  2⤵
  PID:11040
- C:\Windows\System32\dTSdLJz.exe
  C:\Windows\System32\dTSdLJz.exe
  2⤵
  PID:11088
- C:\Windows\System32\uIHciIe.exe
  C:\Windows\System32\uIHciIe.exe
  2⤵
  PID:11128
- C:\Windows\System32\Zgvxbav.exe
  C:\Windows\System32\Zgvxbav.exe
  2⤵
  PID:11160
- C:\Windows\System32\trNfBWo.exe
  C:\Windows\System32\trNfBWo.exe
  2⤵
  PID:11176
- C:\Windows\System32\nInAAGZ.exe
  C:\Windows\System32\nInAAGZ.exe
  2⤵
  PID:11216
- C:\Windows\System32\HGwyqWF.exe
  C:\Windows\System32\HGwyqWF.exe
  2⤵
  PID:11232
- C:\Windows\System32\EwcCfiA.exe
  C:\Windows\System32\EwcCfiA.exe
  2⤵
  PID:10236
- C:\Windows\System32\gZEukUR.exe
  C:\Windows\System32\gZEukUR.exe
  2⤵
  PID:10036
- C:\Windows\System32\LkNKzTw.exe
  C:\Windows\System32\LkNKzTw.exe
  2⤵
  PID:10284
- C:\Windows\System32\ApzqBsj.exe
  C:\Windows\System32\ApzqBsj.exe
  2⤵
  PID:10248
- C:\Windows\System32\DcuNuiH.exe
  C:\Windows\System32\DcuNuiH.exe
  2⤵
  PID:10320
- C:\Windows\System32\knsztCe.exe
  C:\Windows\System32\knsztCe.exe
  2⤵
  PID:10456
- C:\Windows\System32\maZKcJM.exe
  C:\Windows\System32\maZKcJM.exe
  2⤵
  PID:10416
- C:\Windows\System32\BQbaMBr.exe
  C:\Windows\System32\BQbaMBr.exe
  2⤵
  PID:10352
- C:\Windows\System32\kuatbSO.exe
  C:\Windows\System32\kuatbSO.exe
  2⤵
  PID:10472
- C:\Windows\System32\ZrnGdFq.exe
  C:\Windows\System32\ZrnGdFq.exe
  2⤵
  PID:10544
- C:\Windows\System32\Kxbfzxf.exe
  C:\Windows\System32\Kxbfzxf.exe
  2⤵
  PID:10668
- C:\Windows\System32\QCXaxTa.exe
  C:\Windows\System32\QCXaxTa.exe
  2⤵
  PID:10728
- C:\Windows\System32\kyiHXkW.exe
  C:\Windows\System32\kyiHXkW.exe
  2⤵
  PID:10768
- C:\Windows\System32\bgjIqSu.exe
  C:\Windows\System32\bgjIqSu.exe
  2⤵
  PID:10788
- C:\Windows\System32\NEeECJi.exe
  C:\Windows\System32\NEeECJi.exe
  2⤵
  PID:10952
- C:\Windows\System32\UzUumts.exe
  C:\Windows\System32\UzUumts.exe
  2⤵
  PID:10980
- C:\Windows\System32\xWXGbCu.exe
  C:\Windows\System32\xWXGbCu.exe
  2⤵
  PID:11108
- C:\Windows\System32\BsTPCyZ.exe
  C:\Windows\System32\BsTPCyZ.exe
  2⤵
  PID:11152
- C:\Windows\System32\zQPouoE.exe
  C:\Windows\System32\zQPouoE.exe
  2⤵
  PID:11200
- C:\Windows\System32\cMovkCV.exe
  C:\Windows\System32\cMovkCV.exe
  2⤵
  PID:11240
- C:\Windows\System32\keyheun.exe
  C:\Windows\System32\keyheun.exe
  2⤵
  PID:10564
- C:\Windows\System32\ZEgMPXn.exe
  C:\Windows\System32\ZEgMPXn.exe
  2⤵
  PID:10392
- C:\Windows\System32\Wujymms.exe
  C:\Windows\System32\Wujymms.exe
  2⤵
  PID:10340
- C:\Windows\System32\PVdsVey.exe
  C:\Windows\System32\PVdsVey.exe
  2⤵
  PID:10584
- C:\Windows\System32\qJRAUNH.exe
  C:\Windows\System32\qJRAUNH.exe
  2⤵
  PID:10812
- C:\Windows\System32\nGeWCDb.exe
  C:\Windows\System32\nGeWCDb.exe
  2⤵
  PID:11084
- C:\Windows\System32\AWOgCWX.exe
  C:\Windows\System32\AWOgCWX.exe
  2⤵
  PID:11168
- C:\Windows\System32\KRhkwxK.exe
  C:\Windows\System32\KRhkwxK.exe
  2⤵
  PID:10432
- C:\Windows\System32\bUaaAog.exe
  C:\Windows\System32\bUaaAog.exe
  2⤵
  PID:11272
- C:\Windows\System32\sDGanNf.exe
  C:\Windows\System32\sDGanNf.exe
  2⤵
  PID:11336
- C:\Windows\System32\kLfeOov.exe
  C:\Windows\System32\kLfeOov.exe
  2⤵
  PID:11368
- C:\Windows\System32\nQnjZsR.exe
  C:\Windows\System32\nQnjZsR.exe
  2⤵
  PID:11384
- C:\Windows\System32\xyAiRvP.exe
  C:\Windows\System32\xyAiRvP.exe
  2⤵
  PID:11404
- C:\Windows\System32\FuFgLpj.exe
  C:\Windows\System32\FuFgLpj.exe
  2⤵
  PID:11440
- C:\Windows\System32\szSeHsq.exe
  C:\Windows\System32\szSeHsq.exe
  2⤵
  PID:11460
- C:\Windows\System32\uJpKIEy.exe
  C:\Windows\System32\uJpKIEy.exe
  2⤵
  PID:11488
- C:\Windows\System32\cKSTnqi.exe
  C:\Windows\System32\cKSTnqi.exe
  2⤵
  PID:11508
- C:\Windows\System32\XURSuzj.exe
  C:\Windows\System32\XURSuzj.exe
  2⤵
  PID:11532
- C:\Windows\System32\BsklvpL.exe
  C:\Windows\System32\BsklvpL.exe
  2⤵
  PID:11552
- C:\Windows\System32\iCnXQgI.exe
  C:\Windows\System32\iCnXQgI.exe
  2⤵
  PID:11580
- C:\Windows\System32\vRYIrul.exe
  C:\Windows\System32\vRYIrul.exe
  2⤵
  PID:11608
- C:\Windows\System32\SbWUAAL.exe
  C:\Windows\System32\SbWUAAL.exe
  2⤵
  PID:11632
- C:\Windows\System32\ieJoSOC.exe
  C:\Windows\System32\ieJoSOC.exe
  2⤵
  PID:11672
- C:\Windows\System32\NnpksrA.exe
  C:\Windows\System32\NnpksrA.exe
  2⤵
  PID:11732
- C:\Windows\System32\svxJuIA.exe
  C:\Windows\System32\svxJuIA.exe
  2⤵
  PID:11764
- C:\Windows\System32\ReGFSwe.exe
  C:\Windows\System32\ReGFSwe.exe
  2⤵
  PID:11784
- C:\Windows\System32\CUSRtGp.exe
  C:\Windows\System32\CUSRtGp.exe
  2⤵
  PID:11820
- C:\Windows\System32\UYbecMx.exe
  C:\Windows\System32\UYbecMx.exe
  2⤵
  PID:11836
- C:\Windows\System32\htYNeWj.exe
  C:\Windows\System32\htYNeWj.exe
  2⤵
  PID:11876
- C:\Windows\System32\woBMilM.exe
  C:\Windows\System32\woBMilM.exe
  2⤵
  PID:11908
- C:\Windows\System32\OQTerVC.exe
  C:\Windows\System32\OQTerVC.exe
  2⤵
  PID:11932
- C:\Windows\System32\lKHwUfa.exe
  C:\Windows\System32\lKHwUfa.exe
  2⤵
  PID:11948
- C:\Windows\System32\lGVCKDT.exe
  C:\Windows\System32\lGVCKDT.exe
  2⤵
  PID:11964
- C:\Windows\System32\qsgOlNU.exe
  C:\Windows\System32\qsgOlNU.exe
  2⤵
  PID:11984
- C:\Windows\System32\unCbZuc.exe
  C:\Windows\System32\unCbZuc.exe
  2⤵
  PID:12004
- C:\Windows\System32\znghWqQ.exe
  C:\Windows\System32\znghWqQ.exe
  2⤵
  PID:12032
- C:\Windows\System32\uOvnZlD.exe
  C:\Windows\System32\uOvnZlD.exe
  2⤵
  PID:12088
- C:\Windows\System32\aljmDEI.exe
  C:\Windows\System32\aljmDEI.exe
  2⤵
  PID:12116
- C:\Windows\System32\kQcsvmI.exe
  C:\Windows\System32\kQcsvmI.exe
  2⤵
  PID:12160
- C:\Windows\System32\hcBBUdv.exe
  C:\Windows\System32\hcBBUdv.exe
  2⤵
  PID:12180
- C:\Windows\System32\rqlieEf.exe
  C:\Windows\System32\rqlieEf.exe
  2⤵
  PID:12200
- C:\Windows\System32\HJvEbXT.exe
  C:\Windows\System32\HJvEbXT.exe
  2⤵
  PID:12216
- C:\Windows\System32\lAPyEjt.exe
  C:\Windows\System32\lAPyEjt.exe
  2⤵
  PID:12252
- C:\Windows\System32\CxTaKIt.exe
  C:\Windows\System32\CxTaKIt.exe
  2⤵
  PID:12284
- C:\Windows\System32\koAdHLn.exe
  C:\Windows\System32\koAdHLn.exe
  2⤵
  PID:10252
- C:\Windows\System32\tVvyGhD.exe
  C:\Windows\System32\tVvyGhD.exe
  2⤵
  PID:10600
- C:\Windows\System32\EkAyFEE.exe
  C:\Windows\System32\EkAyFEE.exe
  2⤵
  PID:11196
- C:\Windows\System32\WjFiquC.exe
  C:\Windows\System32\WjFiquC.exe
  2⤵
  PID:11360
- C:\Windows\System32\iRLApRk.exe
  C:\Windows\System32\iRLApRk.exe
  2⤵
  PID:11424
- C:\Windows\System32\UCPYQNY.exe
  C:\Windows\System32\UCPYQNY.exe
  2⤵
  PID:11456
- C:\Windows\System32\BGSaIhf.exe
  C:\Windows\System32\BGSaIhf.exe
  2⤵
  PID:11540
- C:\Windows\System32\MvepTTv.exe
  C:\Windows\System32\MvepTTv.exe
  2⤵
  PID:11572
- C:\Windows\System32\cMHwdvz.exe
  C:\Windows\System32\cMHwdvz.exe
  2⤵
  PID:11604
- C:\Windows\System32\DBMZDKD.exe
  C:\Windows\System32\DBMZDKD.exe
  2⤵
  PID:11708
- C:\Windows\System32\wFbwRwA.exe
  C:\Windows\System32\wFbwRwA.exe
  2⤵
  PID:11812
- C:\Windows\System32\fXUOiKd.exe
  C:\Windows\System32\fXUOiKd.exe
  2⤵
  PID:11980
- C:\Windows\System32\xWRbYNu.exe
  C:\Windows\System32\xWRbYNu.exe
  2⤵
  PID:11992
- C:\Windows\System32\PUVrVYU.exe
  C:\Windows\System32\PUVrVYU.exe
  2⤵
  PID:12100
- C:\Windows\System32\qobcZrS.exe
  C:\Windows\System32\qobcZrS.exe
  2⤵
  PID:12144
- C:\Windows\System32\AdZHxPp.exe
  C:\Windows\System32\AdZHxPp.exe
  2⤵
  PID:12172
- C:\Windows\System32\oVgmkvI.exe
  C:\Windows\System32\oVgmkvI.exe
  2⤵
  PID:12212
- C:\Windows\System32\LKVmjpM.exe
  C:\Windows\System32\LKVmjpM.exe
  2⤵
  PID:11228
- C:\Windows\System32\alXaUPi.exe
  C:\Windows\System32\alXaUPi.exe
  2⤵
  PID:11268
- C:\Windows\System32\MJeXxnq.exe
  C:\Windows\System32\MJeXxnq.exe
  2⤵
  PID:11452
- C:\Windows\System32\MOBsVJs.exe
  C:\Windows\System32\MOBsVJs.exe
  2⤵
  PID:11628
- C:\Windows\System32\WnbBGTr.exe
  C:\Windows\System32\WnbBGTr.exe
  2⤵
  PID:11796
- C:\Windows\System32\kOKvAyb.exe
  C:\Windows\System32\kOKvAyb.exe
  2⤵
  PID:11844
- C:\Windows\System32\cBDFUgp.exe
  C:\Windows\System32\cBDFUgp.exe
  2⤵
  PID:12048
- C:\Windows\System32\qAklZTM.exe
  C:\Windows\System32\qAklZTM.exe
  2⤵
  PID:12272
- C:\Windows\System32\kplLyNE.exe
  C:\Windows\System32\kplLyNE.exe
  2⤵
  PID:11320
- C:\Windows\System32\DiBITuq.exe
  C:\Windows\System32\DiBITuq.exe
  2⤵
  PID:8
- C:\Windows\System32\HOToSxZ.exe
  C:\Windows\System32\HOToSxZ.exe
  2⤵
  PID:12040
- C:\Windows\System32\KtcFxKy.exe
  C:\Windows\System32\KtcFxKy.exe
  2⤵
  PID:10936
- C:\Windows\System32\kZHllHe.exe
  C:\Windows\System32\kZHllHe.exe
  2⤵
  PID:12296
- C:\Windows\System32\DKVaxpG.exe
  C:\Windows\System32\DKVaxpG.exe
  2⤵
  PID:12316
- C:\Windows\System32\ZkRCRPi.exe
  C:\Windows\System32\ZkRCRPi.exe
  2⤵
  PID:12356
- C:\Windows\System32\ZjFdOBq.exe
  C:\Windows\System32\ZjFdOBq.exe
  2⤵
  PID:12396
- C:\Windows\System32\uDJBBcK.exe
  C:\Windows\System32\uDJBBcK.exe
  2⤵
  PID:12448
- C:\Windows\System32\vHAYYDZ.exe
  C:\Windows\System32\vHAYYDZ.exe
  2⤵
  PID:12500
- C:\Windows\System32\FLpoXmw.exe
  C:\Windows\System32\FLpoXmw.exe
  2⤵
  PID:12564
- C:\Windows\System32\iHCgeDK.exe
  C:\Windows\System32\iHCgeDK.exe
  2⤵
  PID:12580
- C:\Windows\System32\PRyPPeb.exe
  C:\Windows\System32\PRyPPeb.exe
  2⤵
  PID:12596
- C:\Windows\System32\oeWdkbE.exe
  C:\Windows\System32\oeWdkbE.exe
  2⤵
  PID:12620
- C:\Windows\System32\TDrvFxf.exe
  C:\Windows\System32\TDrvFxf.exe
  2⤵
  PID:12636
- C:\Windows\System32\QvHkRvs.exe
  C:\Windows\System32\QvHkRvs.exe
  2⤵
  PID:12664
- C:\Windows\System32\MFdyViT.exe
  C:\Windows\System32\MFdyViT.exe
  2⤵
  PID:12680
- C:\Windows\System32\BlGfNwR.exe
  C:\Windows\System32\BlGfNwR.exe
  2⤵
  PID:12708
- C:\Windows\System32\bOWEJRU.exe
  C:\Windows\System32\bOWEJRU.exe
  2⤵
  PID:12772
- C:\Windows\System32\TVJyFty.exe
  C:\Windows\System32\TVJyFty.exe
  2⤵
  PID:12808
- C:\Windows\System32\TFkXssM.exe
  C:\Windows\System32\TFkXssM.exe
  2⤵
  PID:12828
- C:\Windows\System32\NEqEKhA.exe
  C:\Windows\System32\NEqEKhA.exe
  2⤵
  PID:12880
- C:\Windows\System32\mncxyrX.exe
  C:\Windows\System32\mncxyrX.exe
  2⤵
  PID:12912
- C:\Windows\System32\IhidFlS.exe
  C:\Windows\System32\IhidFlS.exe
  2⤵
  PID:12936
- C:\Windows\System32\FMUrXrF.exe
  C:\Windows\System32\FMUrXrF.exe
  2⤵
  PID:12956
- C:\Windows\System32\LeybtBw.exe
  C:\Windows\System32\LeybtBw.exe
  2⤵
  PID:12972
- C:\Windows\System32\Vvvqfwy.exe
  C:\Windows\System32\Vvvqfwy.exe
  2⤵
  PID:13012
- C:\Windows\System32\HbsAfcw.exe
  C:\Windows\System32\HbsAfcw.exe
  2⤵
  PID:13040
- C:\Windows\System32\zdgFCFS.exe
  C:\Windows\System32\zdgFCFS.exe
  2⤵
  PID:13060
- C:\Windows\System32\rctvTtk.exe
  C:\Windows\System32\rctvTtk.exe
  2⤵
  PID:13096
- C:\Windows\System32\MozvanN.exe
  C:\Windows\System32\MozvanN.exe
  2⤵
  PID:13124
- C:\Windows\System32\jEkVZLj.exe
  C:\Windows\System32\jEkVZLj.exe
  2⤵
  PID:13164
- C:\Windows\System32\cMkdieQ.exe
  C:\Windows\System32\cMkdieQ.exe
  2⤵
  PID:13180
- C:\Windows\System32\LDFUKZB.exe
  C:\Windows\System32\LDFUKZB.exe
  2⤵
  PID:13216
- C:\Windows\System32\SuflLOf.exe
  C:\Windows\System32\SuflLOf.exe
  2⤵
  PID:13232
- C:\Windows\System32\LYYdlRI.exe
  C:\Windows\System32\LYYdlRI.exe
  2⤵
  PID:13252
- C:\Windows\System32\BcTOAuC.exe
  C:\Windows\System32\BcTOAuC.exe
  2⤵
  PID:13300
- C:\Windows\System32\qmLIdBX.exe
  C:\Windows\System32\qmLIdBX.exe
  2⤵
  PID:11284
- C:\Windows\System32\TxhQhxq.exe
  C:\Windows\System32\TxhQhxq.exe
  2⤵
  PID:12348
- C:\Windows\System32\AaFVNjY.exe
  C:\Windows\System32\AaFVNjY.exe
  2⤵
  PID:12408
- C:\Windows\System32\wISnJqc.exe
  C:\Windows\System32\wISnJqc.exe
  2⤵
  PID:12456
- C:\Windows\System32\hdGrZUr.exe
  C:\Windows\System32\hdGrZUr.exe
  2⤵
  PID:12376
- C:\Windows\System32\qAwRjlL.exe
  C:\Windows\System32\qAwRjlL.exe
  2⤵
  PID:12404
- C:\Windows\System32\mrassnd.exe
  C:\Windows\System32\mrassnd.exe
  2⤵
  PID:12428
- C:\Windows\System32\JyZJbAm.exe
  C:\Windows\System32\JyZJbAm.exe
  2⤵
  PID:3920
- C:\Windows\System32\XChVyeN.exe
  C:\Windows\System32\XChVyeN.exe
  2⤵
  PID:1040
- C:\Windows\System32\ljDeBaw.exe
  C:\Windows\System32\ljDeBaw.exe
  2⤵
  PID:12576
- C:\Windows\System32\rRoWpcN.exe
  C:\Windows\System32\rRoWpcN.exe
  2⤵
  PID:12616
- C:\Windows\System32\XbJlecq.exe
  C:\Windows\System32\XbJlecq.exe
  2⤵
  PID:12612
- C:\Windows\System32\XJRwKOp.exe
  C:\Windows\System32\XJRwKOp.exe
  2⤵
  PID:12716
- C:\Windows\System32\xDFyZma.exe
  C:\Windows\System32\xDFyZma.exe
  2⤵
  PID:12780
- C:\Windows\System32\wrOKBBi.exe
  C:\Windows\System32\wrOKBBi.exe
  2⤵
  PID:12924
- C:\Windows\System32\ggaQXFC.exe
  C:\Windows\System32\ggaQXFC.exe
  2⤵
  PID:12980
- C:\Windows\System32\TIBcgWd.exe
  C:\Windows\System32\TIBcgWd.exe
  2⤵
  PID:13024
- C:\Windows\System32\REiZfAv.exe
  C:\Windows\System32\REiZfAv.exe
  2⤵
  PID:13052
- C:\Windows\System32\TDiSvsp.exe
  C:\Windows\System32\TDiSvsp.exe
  2⤵
  PID:13144
- C:\Windows\System32\vWoyStm.exe
  C:\Windows\System32\vWoyStm.exe
  2⤵
  PID:13200
- C:\Windows\System32\eLJtdJs.exe
  C:\Windows\System32\eLJtdJs.exe
  2⤵
  PID:12056
- C:\Windows\System32\SslmGVO.exe
  C:\Windows\System32\SslmGVO.exe
  2⤵
  PID:12192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
1⤵
PID:2948

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Ahztjze.exe

Filesize
900KB

MD5
ff651630bec9342412fea8b5edce976c

SHA1
516ddadb138f76c16ccbe59fa7da02de5fb3edb5

SHA256
727d256010d603a355b9d9f9d3e4fea23d956b8152f33bbe7715b912ec315f04

SHA512
09ef6ab884ee2ab390ef759523866bf818008ad9d358d61ac9725d63338f2f24666fd9bda8c4022580e0a101cee2d2f92a03d845f469406c14716f153cd399ee

Download Submit
C:\Windows\System32\FTHBujY.exe

Filesize
897KB

MD5
acb89e7ffd615ac51ff4d6a5b7fd9126

SHA1
bb623f77b9087e8913c40fc10757556d2ecbbf95

SHA256
8361ea7efb13851cc752c88b89d728e2e7dd7411a25868884b7634e61e4c1897

SHA512
6bafbd4c83de9805716a44ea4420bcb1e2b3dadb6000e3caf742e0fc727484795a240cc80dc93256b40e7699585a21e2c68c9b3f4ba22336fb16bf43c5236534

Download Submit
C:\Windows\System32\FbUdfVR.exe

Filesize
899KB

MD5
1ffcc85e2ef489d27c3f5430966f13d5

SHA1
a9b079adae0b79269823c510e31504b83504b41b

SHA256
18db7bdee3d40fb4f10af9168a698df70871f8de9b426cdee61547580f7ebf34

SHA512
92c0f472b7f1c8719df4f2030c3a76c3902c686b513fbe3ddcec2e091f306eb736e59285870c955e3ae00bc20a1620db3e601cd15593a6e68f26dd2b48f71d9e

Download Submit
C:\Windows\System32\FljGIjE.exe

Filesize
901KB

MD5
28d9c88352a04d142e22002e560f7ab8

SHA1
91cb7718526e6cbc4b52951e3907c84fbfc23f5b

SHA256
2d0e98efed3e24dabd0e8d754af6980f8d5cf74465ca63e8222bc28169b27bef

SHA512
c4b711c1fb1f353cf7ad94159163fca98bfbe7907676e2aad11586c59fa745f0df59a460a741bedced485ca57269620af5f667fb834e6586a4fb955e7b87f4ee

Download Submit
C:\Windows\System32\IkuFDyP.exe

Filesize
902KB

MD5
d59b692147cb9566fad237f1af7dc235

SHA1
ea26805a25e0941b25e00f2090bec772b113aa12

SHA256
0439c2996d71e8d62d6eddd44bb906be1361d225eab72ea86dbc5fb4fce4152e

SHA512
20e463091f144bdee1c338d0b49e85d2261a4b299a3d38ed3c1fac5e041d8a9820460e0ae76bb353f9f74b75a08075a9ce83f708b84c7b04d3465d583c54c279

Download Submit
C:\Windows\System32\JAbYRSo.exe

Filesize
902KB

MD5
e74a48b0dcaacbe9f3345327a622704a

SHA1
b33ed938a2463689f487a6abdf9d7ae994f5b0c7

SHA256
ce9360ed5cb233808c5b80335c50f31fdea0caa37fc71f8c7448eb9467fd6bdc

SHA512
b2330fb84568259455376e5fccd09f91babdd3f6cc75ff1e5ffdca6073b43a66b5c8158d630a5a70cb5f9581002008326f2aee1a56175d4ab13f52ecde01b206

Download Submit
C:\Windows\System32\KjBrxOK.exe

Filesize
899KB

MD5
8920bf2c005dca2b0f414425ff38b7a8

SHA1
d8d2b780bab51872ba419602f5589b667e6ca999

SHA256
41ca4985eaaefe52d4687cd2cc23103f8a8acf06d931ed990291e4828ce15900

SHA512
a4cfe0ab9418f2dd1e5ef984f9147542e04b69d77b00cd70d9a3bf65e4c54b1d648514d9252e3c7f90c12b7a8df42ef677551f27f5a3a169e40026f0707e6cfc

Download Submit
C:\Windows\System32\MmGuYnt.exe

Filesize
898KB

MD5
1a693f777d7e6c8c3d9f35f93b5d6f08

SHA1
ef47342ab589e2783ce8f1d29d8666e9e287a5dc

SHA256
3dddf5f70b125e78b0e1f682443a0ac96523e826e53bcfa5ae504a2f31e9fc70

SHA512
7296c7c1fb040e1b646f7ce3920b7a962aeb952d8a7c29d463cab7273b5508b0f16c9e17b9e383b6af917305c9f348bb2488a2a3661a75e2c33e30492f7c5c9e

Download Submit
C:\Windows\System32\MtvkOYk.exe

Filesize
899KB

MD5
b142b82928982908a7434d6f0d6680c2

SHA1
92d54cc40d39a15f94fb2fae7339b22d27e485af

SHA256
dd9454db4c248368124c8ce8664cb4d239293e32bbccee4c49b42b918a6d22bb

SHA512
b81965e10951802332109fb7a23a07ce779b8d67578c19d63b841a40a745c3f726af3836cb84c42968ffe3f0a5b791f5ce470ff68d3902f1909fc323d11b1af8

Download Submit
C:\Windows\System32\OGsokiv.exe

Filesize
900KB

MD5
4c19be174b890dec207d0b67b746082b

SHA1
145da489967a314b2681f7eda4bae755fd1f848d

SHA256
c134d2af9483e6c9b6755b3c7ebcbb40c943f766a26d2675123fdde640bd410c

SHA512
b2469d0adf00706a7d6dda8a3d56aec52f51b0a4cc271a91767b4cf6ec664ca855f7f38b5059d282f6173f7d2cb2e8164d6396ba8be5414405cfe27b894736c9

Download Submit
C:\Windows\System32\QLGekeJ.exe

Filesize
899KB

MD5
0949ccd03e95d8c53670c1fc834f1f15

SHA1
8b50e8dec5bf5fae14cc30ca3e7c74a949423918

SHA256
d371c8bb887e302e3d774de8c347009690726648ef0ee929dcde541cdd1a92b5

SHA512
d769a540f91f67da5c4b8ae886efa47c436005fec0c072e23b1588e6bd0a173ee5b6009aef441af85ecd1af40b4ecd81ed35aa27f2ad5448d5c304f6f46533db

Download Submit
C:\Windows\System32\TRLhuEU.exe

Filesize
897KB

MD5
728f302212c45b93e176183bd788a7fe

SHA1
318d6083bbac6b320e6f6f71bddd081c6a9168db

SHA256
29b92abaa0a87601a6a0ed12a85e65360e1e205ac59404ddf8f0a9e377c8bad0

SHA512
99e206dc4fd8f700ac53383afd4558158e03b7b7b91903a33226c836acea9290ec75475a3062b3b2ab01a8e156035dd7eb111434afbc03de917819131af9d2b4

Download Submit
C:\Windows\System32\Tdzzprv.exe

Filesize
900KB

MD5
fe419d03564bc00a5acd9655cb60eb2e

SHA1
4c302890f854606fc5e5677cbaeeaa253cc3a881

SHA256
85faa89e8ae545105bfd79a27b2d01f80523edaf76d04d2952865154df9cd202

SHA512
3ec63e5ef52c406439ef7a0a504a6dde54191ea20f5c5b94f216797c7ba247eea17945522dfc85f805501baeea7e92fd3db2cc809e65b9fd18eeff038edfb671

Download Submit
C:\Windows\System32\WPlvgBo.exe

Filesize
900KB

MD5
50be8b811fd3fa7b6499c1c61c3ed6a6

SHA1
c2ab42a12f1004ffb485bc7a9e2a3409dc40e524

SHA256
d50716a3cda35971859e1a168bd6888626d8a6254e2babdb2340319d7c9b0765

SHA512
6e33b4b4f6cea5cb09082317e215dea3495fd1e5cec111adda460ce76fa722160b270887dd05dca1283ff0fb60d6248fde849707529ed6457e1a1628d23102c4

Download Submit
C:\Windows\System32\YgfzjgN.exe

Filesize
904KB

MD5
5882e3c04c7b2e1ce6fa29821512f82a

SHA1
7d98dd31a3acffdeb8e1f5a1909a7305451b354a

SHA256
76617a6c06d5c7cc803aa0a264d2b549d9dcf27bc70063caca2ebcb3b0c03630

SHA512
cebe2742dd7af983dfd75797c5f0f40cbb2a0e5a76b3f1e858803bec71d4cf84fdcf5e743a52e63e06962a4ee45ef02ad2ba25bfb1a7fd75c29b66a1e6128648

Download Submit
C:\Windows\System32\beTEGBw.exe

Filesize
903KB

MD5
7c101b9cec65bce3f9275080eff1eaed

SHA1
0b141c86e680ab03fb680eff7d852b6e79ecf3f2

SHA256
9dda66565b4f4e164d98f84ab3e27830edbea48e1d555ef0d3316b09e6db6523

SHA512
d3069dffc6b39e9fc3197a2b0fc3c976c04ce4589dae26f80ddb7ad2e377a171faf3d01c0e07035bbcac88ada633f127291e8e479ec2eb72900d22781aaf2d17

Download Submit
C:\Windows\System32\cgGoVMA.exe

Filesize
901KB

MD5
a67d9baff1b2a9bd0d5c616f3abe8c71

SHA1
e084dbfcb9549f7bc5e3f1e4341c4ef87c15749e

SHA256
4d68f8614f1c7331b15948d09c324ab433e8df372c544029c257daf841e3b18c

SHA512
35011d730cde3a18e9d624ab2972cbc9fdaaecbb8e6c211a7dd0d803160f7f6c23f00e9eafd41fccb48ce4452fe7077c61f2c3ca73d99e28b9f8d5630973cf0d

Download Submit
C:\Windows\System32\cmwoVqW.exe

Filesize
903KB

MD5
61986628a53f8a41b0799a1f4fc59fe4

SHA1
c94f05a67ae3de63377f61670d0962c3c3383d2d

SHA256
e434b618c7b72c7cbd1bb75b5cef40224c8755d6e231143b5f10a4dbffc03b28

SHA512
f635e181797ee0e1754cdda6a06f72221d5aaf2aa2275bae7b725d94eaece955c898620c344b69e2323ccaa59eb4f112bd324149c2038fef957c9c978a42afb7

Download Submit
C:\Windows\System32\dRuvkDE.exe

Filesize
902KB

MD5
b275ddeeb81c624c17b81c678ae2eb30

SHA1
b90cea334c428e524107a0395aca934fd2f0696b

SHA256
1bd6560cb3fcacf0496d200e7b96aa42bd22cd39934ae6addffb7fe34836112e

SHA512
0467ec18f0d04e0937f3c65ccedb5c78996b3aa369b9d39f52d677e310a4974625c197c0af6155ab7dbdd4495251a337103f2f6b434b32ada86467e18c056082

Download Submit
C:\Windows\System32\hYAIVXr.exe

Filesize
902KB

MD5
b8a2215cb028d79130f3e35a949ae422

SHA1
3baf4eb6646acacb28c5941684bca4eb18319b59

SHA256
bd1516dae8486a40fe1a38d744f28a0f8bf33a5054ab0de361e3935e96c3babf

SHA512
621b25036edf173c75702576a696494ea7c105761802b57e6e6e5803b7ceabf4522bb1ea50298ea7c1ddac455a0a13a59ffe22e6dffbac24b50ed9230f66a937

Download Submit
C:\Windows\System32\idBJlAj.exe

Filesize
898KB

MD5
8999d192a5f0584804138e559f9b3153

SHA1
63b650353824339db124c64ccd4f11da3f77c0a7

SHA256
babfc0d8a6268eaf1ce769f8df234f7936b121f96e0bc073a96f34feec053ecd

SHA512
456dc370c877f57e0942cf7ec1d5c76d6c316cd0e754fcab56c39ec96a5ec5d971afc67e81b50093576a30b50569aaee57436aa381cbb65ebbc9ca1df4f5d655

Download Submit
C:\Windows\System32\jpWSXSc.exe

Filesize
901KB

MD5
5858bba3d5872ab2ed909c876a33361e

SHA1
a5db9ea22b64dd334cbfb3e10452d0783f3412dc

SHA256
b752cad0e10b48f87e7c558607689232c818842ca3347cd400aa99fd800aa302

SHA512
396dba61a3fd52da879981c74a2f4432121d69a7ab98664eabffeca8ad41cea3504a30aab35514207efcf525aad66685aa33f9090d8142efa873172c20a52f15

Download Submit
C:\Windows\System32\mjJBuhn.exe

Filesize
901KB

MD5
f9a623dc54dfa3c6e9096bca47c6a609

SHA1
1f9fcadcdcd2da049684ed9919d4addc0ae2c06e

SHA256
c83b9caa57dba2c1b04b4294bbdd9a273b311de9beb9806901794dae028a1a02

SHA512
ae6282df8b86d0eb506ea3e8425a7e3ccb7c3c90ca555dab3f55d7d923663267b9a1a966521a9a11bdd4b786c74a29ee3434ad4c12518a30ff2ef47fc8bc9a9e

Download Submit
C:\Windows\System32\mrXuWzA.exe

Filesize
896KB

MD5
b5cb41db35c016f137c0a8898bf18c99

SHA1
40167a83c5cb646c1ea0070fb37e6425c1788faa

SHA256
66837ce28e4989a3a1c09d93584184b79d6177ecb537fb91f8ee0c4aa06740ad

SHA512
bc155ab4b992ea6d17dbe8db50367559366fdc6f6d4026782b535f8afc38dd8b8a76a863530e2865a44469457571b35cddf8efd22efd33b77f540ef8f58e0682

Download Submit
C:\Windows\System32\orYkQvY.exe

Filesize
903KB

MD5
cffd93359ea9996692f22a39fd8a0eaf

SHA1
cdddb83f8c1c2753b2c5ad0f0f52f4be1a6ec76f

SHA256
47ab80b5efd314cd02c830b92943bae6b4df51891f871d1c23552e6352c461cc

SHA512
74aa918822d6ac42d81970181987a452cfb7f70a431c7359d4e33cb01d279ca3db201f3cb1f147ef6ab188c499f4650da1dfe0bc664b69239e331e92b1904a2e

Download Submit
C:\Windows\System32\rdFkDar.exe

Filesize
896KB

MD5
bfd5535fd34d79cefd628c71af37f975

SHA1
27bd66842fef7a47a48b0d76f100bd95907de7a6

SHA256
9c5dac0796616ef007ace9e9e49fb12704bf9a6b4c0bb16585d0b71ef9e63050

SHA512
010cb19eed022d7ab21fccdaadd9a0414d86396fcb9150a39589807a7fdaf5db934e94dafbe1aab5ac413fb19eebf47577faf1ef76573e7569c4ee06e6e20bda

Download Submit
C:\Windows\System32\tWCMhev.exe

Filesize
898KB

MD5
fd3dcfd2e9747328bae09064c0516ffe

SHA1
c73daad68bced27d4a24aaec44081e826160bfa2

SHA256
0556c3648ef55dbdf6593780021715e3bf6c25f185f6aade628ac71840b1cf4c

SHA512
83f74bebaaf62258c08230f3bb4163430620abbbda3505279671e6534746f6be911690e378f30b4d825daf218c083e3d1991372fd31fbb6974c861ef9f6be6e6

Download Submit
C:\Windows\System32\vTeRlAB.exe

Filesize
900KB

MD5
59c16128e80c1e7386459690d8ef229d

SHA1
20f4607bc1e612449b4801eff00431a344f962de

SHA256
3f680eef15aaa676655d8bb99bd9ee57243e580842fa04a61caf728b6ea9e605

SHA512
0a6743a5015ed30664551e1ec2fef7a40854075b16ace25e48aea9fb2a5201fd8cb80faffa556b5a27b2a7b4d9213611a7ad03aac3fd9874901ce53615add43e

Download Submit
C:\Windows\System32\wUXzSFx.exe

Filesize
896KB

MD5
f299d2c1642ab4f3a1c8bbd6427f45d3

SHA1
597b8510d2db56cac00a0fbaebf38028585e4321

SHA256
165e4c7e874b48875318ce741f2861d6eb2cb423e20f8f66f530306730f1dcde

SHA512
7ec47a782d65c32d3e14d0f881bbf957ca9f1ccfef647dce72007f40adf787d1bf91342eefe68cfb7dd65947624d96e22edbb75726c9273b03f10fa282bae096

Download Submit
C:\Windows\System32\xUJEcxy.exe

Filesize
897KB

MD5
5c5a4fcc47b24a71648008d975a3a376

SHA1
239e3f5bde75247a0d890d11ece88728a9428410

SHA256
7a27866db38d6ba982767ed6cee50c7446d9f3e9bf58274c8027ba4987837fe3

SHA512
def307fd23e093f01ea2d02c3426642e0e397b8b5a01281896fe733f28f7b025d8d85b5b700e344dde8c3010f33f4c32399dd53322d67030e4f20231df06ac18

Download Submit
C:\Windows\System32\xvoYMnA.exe

Filesize
898KB

MD5
0fd791c7dedf0ace39e005ec553521ff

SHA1
3bcecee853c9a2f6cd9dfde2fb3215d566b7c74c

SHA256
eabe35954dfd071b31ad5e2660cc8b0f4d1007d388e064f74f8c8d1b1b4d5432

SHA512
7193b9779450c7a4f424060fa8df564277b0cc06c230e00b26e2cdaf881e7a9c28a8ee7b3039aeb7b694239dfaeafa34d6b6b6c2d752e25fcaaf4e479cf204f2

Download Submit
C:\Windows\System32\yvWtDaP.exe

Filesize
903KB

MD5
139cb248ba49d731a813125949b09062

SHA1
94be4fbdb692bed62fc46b01aab4459c76efb4f4

SHA256
8c9e649f2a586220cf5d89e5733dd690791779f67f030b10495fa31a58f36acd

SHA512
e96cad52dfc58c7e8f6dcc968d9a2d6ea767d703e3ad6cf9e7afc2d08f7051d22479e0bee5520253f6123b3852eab6cd71416996f547502a292f89ec1e3bcf1c

Download Submit
C:\Windows\System32\ywpxbFd.exe

Filesize
897KB

MD5
09f2b41caeeb4063b3585f53a5c0b543

SHA1
9986e23c410ca8ad827ada32047ac78c3b7bb5f4

SHA256
77c8f88b07c1c8315bf6f5b115ef15ec83be22213a5f95d61d8709a40ba61560

SHA512
443496636038426bec0e8438be37ecff63743e0f7d0535056ce12ac09db94173502063c6018c1a8eb338eb98a093c3dc4bb386df799d3471bfecec8a9e274ba7

Download Submit
memory/872-22-0x00007FF60F8B0000-0x00007FF60FCA1000-memory.dmp

Filesize
3.9MB

Download
memory/872-1986-0x00007FF60F8B0000-0x00007FF60FCA1000-memory.dmp

Filesize
3.9MB

Download
memory/1044-1942-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp

Filesize
3.9MB

Download
memory/1044-110-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp

Filesize
3.9MB

Download
memory/1044-2016-0x00007FF6BF420000-0x00007FF6BF811000-memory.dmp

Filesize
3.9MB

Download
memory/1116-1996-0x00007FF79DDB0000-0x00007FF79E1A1000-memory.dmp

Filesize
3.9MB

Download
memory/1116-73-0x00007FF79DDB0000-0x00007FF79E1A1000-memory.dmp

Filesize
3.9MB

Download
memory/1992-275-0x00007FF693C20000-0x00007FF694011000-memory.dmp

Filesize
3.9MB

Download
memory/1992-2022-0x00007FF693C20000-0x00007FF694011000-memory.dmp

Filesize
3.9MB

Download
memory/2012-2026-0x00007FF62A3F0000-0x00007FF62A7E1000-memory.dmp

Filesize
3.9MB

Download
memory/2012-271-0x00007FF62A3F0000-0x00007FF62A7E1000-memory.dmp

Filesize
3.9MB

Download
memory/2116-2008-0x00007FF7B13D0000-0x00007FF7B17C1000-memory.dmp

Filesize
3.9MB

Download
memory/2116-92-0x00007FF7B13D0000-0x00007FF7B17C1000-memory.dmp

Filesize
3.9MB

Download
memory/2400-2028-0x00007FF78AA50000-0x00007FF78AE41000-memory.dmp

Filesize
3.9MB

Download
memory/2400-276-0x00007FF78AA50000-0x00007FF78AE41000-memory.dmp

Filesize
3.9MB

Download
memory/2424-1984-0x00007FF66BE70000-0x00007FF66C261000-memory.dmp

Filesize
3.9MB

Download
memory/2424-48-0x00007FF66BE70000-0x00007FF66C261000-memory.dmp

Filesize
3.9MB

Download
memory/2676-0-0x00007FF6C1D80000-0x00007FF6C2171000-memory.dmp

Filesize
3.9MB

Download
memory/2676-1962-0x00007FF6C1D80000-0x00007FF6C2171000-memory.dmp

Filesize
3.9MB

Download
memory/2676-1-0x000002337F060000-0x000002337F070000-memory.dmp

Filesize
64KB

Download
memory/2728-1978-0x00007FF666310000-0x00007FF666701000-memory.dmp

Filesize
3.9MB

Download
memory/2728-111-0x00007FF666310000-0x00007FF666701000-memory.dmp

Filesize
3.9MB

Download
memory/2728-2020-0x00007FF666310000-0x00007FF666701000-memory.dmp

Filesize
3.9MB

Download
memory/3112-2003-0x00007FF6DE460000-0x00007FF6DE851000-memory.dmp

Filesize
3.9MB

Download
memory/3112-88-0x00007FF6DE460000-0x00007FF6DE851000-memory.dmp

Filesize
3.9MB

Download
memory/3256-1990-0x00007FF775D20000-0x00007FF776111000-memory.dmp

Filesize
3.9MB

Download
memory/3256-1906-0x00007FF775D20000-0x00007FF776111000-memory.dmp

Filesize
3.9MB

Download
memory/3256-34-0x00007FF775D20000-0x00007FF776111000-memory.dmp

Filesize
3.9MB

Download
memory/3308-2018-0x00007FF7A95C0000-0x00007FF7A99B1000-memory.dmp

Filesize
3.9MB

Download
memory/3308-269-0x00007FF7A95C0000-0x00007FF7A99B1000-memory.dmp

Filesize
3.9MB

Download
memory/3636-1939-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp

Filesize
3.9MB

Download
memory/3636-2013-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp

Filesize
3.9MB

Download
memory/3636-97-0x00007FF7BB820000-0x00007FF7BBC11000-memory.dmp

Filesize
3.9MB

Download
memory/3988-1940-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp

Filesize
3.9MB

Download
memory/3988-2014-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp

Filesize
3.9MB

Download
memory/3988-106-0x00007FF7F8160000-0x00007FF7F8551000-memory.dmp

Filesize
3.9MB

Download
memory/4280-102-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2011-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp

Filesize
3.9MB

Download
memory/4280-1941-0x00007FF6D8CD0000-0x00007FF6D90C1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-2024-0x00007FF72F060000-0x00007FF72F451000-memory.dmp

Filesize
3.9MB

Download
memory/4308-273-0x00007FF72F060000-0x00007FF72F451000-memory.dmp

Filesize
3.9MB

Download
memory/4348-85-0x00007FF738940000-0x00007FF738D31000-memory.dmp

Filesize
3.9MB

Download
memory/4348-1998-0x00007FF738940000-0x00007FF738D31000-memory.dmp

Filesize
3.9MB

Download
memory/4436-1988-0x00007FF6E0EA0000-0x00007FF6E1291000-memory.dmp

Filesize
3.9MB

Download
memory/4436-51-0x00007FF6E0EA0000-0x00007FF6E1291000-memory.dmp

Filesize
3.9MB

Download
memory/4580-1994-0x00007FF77BCF0000-0x00007FF77C0E1000-memory.dmp

Filesize
3.9MB

Download
memory/4580-55-0x00007FF77BCF0000-0x00007FF77C0E1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-53-0x00007FF7A4200000-0x00007FF7A45F1000-memory.dmp

Filesize
3.9MB

Download
memory/4820-1992-0x00007FF7A4200000-0x00007FF7A45F1000-memory.dmp

Filesize
3.9MB

Download
memory/4856-2000-0x00007FF7423A0000-0x00007FF742791000-memory.dmp

Filesize
3.9MB

Download
memory/4856-77-0x00007FF7423A0000-0x00007FF742791000-memory.dmp

Filesize
3.9MB

Download
memory/4908-86-0x00007FF756D00000-0x00007FF7570F1000-memory.dmp

Filesize
3.9MB

Download
memory/4908-2007-0x00007FF756D00000-0x00007FF7570F1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-93-0x00007FF6B35E0000-0x00007FF6B39D1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-2005-0x00007FF6B35E0000-0x00007FF6B39D1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-64-0x00007FF659630000-0x00007FF659A21000-memory.dmp

Filesize
3.9MB

Download
memory/5100-1982-0x00007FF659630000-0x00007FF659A21000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads