xmrig | 542259a2455267e06fc1cffeb3a4417af46cdb591214c09646abdf50ea95ade7

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
Size

3.0MB
MD5

627fd84bfc02be32a9a7df4610dd5dc0
SHA1

a0b45d813062aa45bdfbf21d2386c168177174b4
SHA256

542259a2455267e06fc1cffeb3a4417af46cdb591214c09646abdf50ea95ade7
SHA512

e3e062b97a85689b54550858d05e7ff17a7ca6781cee77c2435b3dfff9a1f5514c8dae0d4098efc691e2077ea879b7929a4750905e0a3593c4d4b03ac4e54541
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzJuJUJGFQg2twp:N0GnJMOWPClFdx6e0EALKWVTffZiPAck

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4172-0-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp	xmrig
behavioral2/files/0x0006000000023278-4.dat	xmrig
behavioral2/files/0x00070000000233fc-10.dat	xmrig
behavioral2/memory/1684-14-0x00007FF634C90000-0x00007FF635085000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fe-19.dat	xmrig
behavioral2/files/0x00070000000233ff-28.dat	xmrig
behavioral2/files/0x0007000000023400-31.dat	xmrig
behavioral2/files/0x0007000000023401-38.dat	xmrig
behavioral2/files/0x0007000000023402-43.dat	xmrig
behavioral2/files/0x0007000000023405-58.dat	xmrig
behavioral2/files/0x0007000000023408-71.dat	xmrig
behavioral2/files/0x000700000002340a-81.dat	xmrig
behavioral2/files/0x000700000002340e-101.dat	xmrig
behavioral2/files/0x0007000000023410-113.dat	xmrig
behavioral2/files/0x0007000000023418-151.dat	xmrig
behavioral2/memory/4356-792-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-163.dat	xmrig
behavioral2/files/0x0007000000023419-158.dat	xmrig
behavioral2/files/0x0007000000023417-149.dat	xmrig
behavioral2/files/0x0007000000023416-144.dat	xmrig
behavioral2/files/0x0007000000023415-139.dat	xmrig
behavioral2/files/0x0007000000023414-134.dat	xmrig
behavioral2/files/0x0007000000023413-129.dat	xmrig
behavioral2/files/0x0007000000023412-123.dat	xmrig
behavioral2/files/0x0007000000023411-118.dat	xmrig
behavioral2/files/0x000700000002340f-108.dat	xmrig
behavioral2/files/0x000700000002340d-98.dat	xmrig
behavioral2/files/0x000700000002340c-93.dat	xmrig
behavioral2/files/0x000700000002340b-88.dat	xmrig
behavioral2/files/0x0007000000023409-78.dat	xmrig
behavioral2/files/0x0007000000023407-68.dat	xmrig
behavioral2/files/0x0007000000023406-63.dat	xmrig
behavioral2/files/0x0007000000023404-53.dat	xmrig
behavioral2/files/0x0007000000023403-48.dat	xmrig
behavioral2/files/0x00070000000233fd-21.dat	xmrig
behavioral2/memory/2876-17-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp	xmrig
behavioral2/memory/4784-799-0x00007FF7F03C0000-0x00007FF7F07B5000-memory.dmp	xmrig
behavioral2/memory/3324-819-0x00007FF7FA3A0000-0x00007FF7FA795000-memory.dmp	xmrig
behavioral2/memory/4780-808-0x00007FF756920000-0x00007FF756D15000-memory.dmp	xmrig
behavioral2/memory/1712-802-0x00007FF6AC1A0000-0x00007FF6AC595000-memory.dmp	xmrig
behavioral2/memory/876-826-0x00007FF635920000-0x00007FF635D15000-memory.dmp	xmrig
behavioral2/memory/2952-831-0x00007FF6A9BA0000-0x00007FF6A9F95000-memory.dmp	xmrig
behavioral2/memory/3228-836-0x00007FF77E870000-0x00007FF77EC65000-memory.dmp	xmrig
behavioral2/memory/1372-839-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp	xmrig
behavioral2/memory/1928-842-0x00007FF7A3810000-0x00007FF7A3C05000-memory.dmp	xmrig
behavioral2/memory/1132-853-0x00007FF7F6F20000-0x00007FF7F7315000-memory.dmp	xmrig
behavioral2/memory/640-860-0x00007FF7BDE10000-0x00007FF7BE205000-memory.dmp	xmrig
behavioral2/memory/5100-863-0x00007FF63F2D0000-0x00007FF63F6C5000-memory.dmp	xmrig
behavioral2/memory/2036-866-0x00007FF725440000-0x00007FF725835000-memory.dmp	xmrig
behavioral2/memory/3576-871-0x00007FF78F1B0000-0x00007FF78F5A5000-memory.dmp	xmrig
behavioral2/memory/3660-873-0x00007FF749970000-0x00007FF749D65000-memory.dmp	xmrig
behavioral2/memory/4848-935-0x00007FF7BFD30000-0x00007FF7C0125000-memory.dmp	xmrig
behavioral2/memory/1044-932-0x00007FF7160A0000-0x00007FF716495000-memory.dmp	xmrig
behavioral2/memory/3852-938-0x00007FF6BE140000-0x00007FF6BE535000-memory.dmp	xmrig
behavioral2/memory/4732-977-0x00007FF606240000-0x00007FF606635000-memory.dmp	xmrig
behavioral2/memory/4644-984-0x00007FF79FE60000-0x00007FF7A0255000-memory.dmp	xmrig
behavioral2/memory/1016-988-0x00007FF777F90000-0x00007FF778385000-memory.dmp	xmrig
behavioral2/memory/4172-1881-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp	xmrig
behavioral2/memory/1684-1882-0x00007FF634C90000-0x00007FF635085000-memory.dmp	xmrig
behavioral2/memory/2876-1883-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp	xmrig
behavioral2/memory/4356-1884-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp	xmrig
behavioral2/memory/1016-1885-0x00007FF777F90000-0x00007FF778385000-memory.dmp	xmrig
behavioral2/memory/876-1890-0x00007FF635920000-0x00007FF635D15000-memory.dmp	xmrig
behavioral2/memory/1372-1893-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1684	igTnobO.exe
2876	SmOniFO.exe
4356	ZFOiXiW.exe
1016	mOULDdB.exe
4784	HCHxsVj.exe
1712	kFIetEc.exe
4780	EOXNeGM.exe
3324	AmcFkGT.exe
876	mfeSCTY.exe
2952	svBNqRg.exe
3228	lRqwaUp.exe
1372	DnXwJRV.exe
1928	EDtnNSu.exe
1132	gRAseWU.exe
640	yIjuXKd.exe
5100	qbDXCjV.exe
2036	Avaiwqm.exe
3576	vrUYnGS.exe
3660	xWcVAWL.exe
1044	fzMKMEl.exe
4848	pmlXSGY.exe
3852	GIOlxhO.exe
4732	VsYdomn.exe
4644	wKMQmOD.exe
4288	NVvCXMJ.exe
3628	FepyhFy.exe
4340	vQfIfRZ.exe
1312	nBAEzXg.exe
3676	HOerKFm.exe
4276	wgHXZLb.exe
4100	nSmKlQT.exe
3968	cmrPBUj.exe
3992	zodagAA.exe
4564	EnQxSKR.exe
3636	CFeTCQa.exe
4252	DwvYexZ.exe
1744	iTLLKgP.exe
2400	rciePZs.exe
3188	xsgOcVJ.exe
3184	zfVPSiE.exe
672	VXkEHDr.exe
1948	qoVvuga.exe
1852	ApUsUvr.exe
4944	cmTXACD.exe
3224	eHdXqdh.exe
4652	lDkveqX.exe
3864	rhGGFCB.exe
2912	XegOpFd.exe
3472	lQwLUZC.exe
4520	lMoJPGw.exe
2428	nVqysIc.exe
4828	keQWbhH.exe
4680	rGcQuXK.exe
1740	QTgmTRc.exe
3056	UsrsxIR.exe
2288	LnnhRRU.exe
668	IDlRBVj.exe
3620	NZPAhpa.exe
3920	GGwOKGA.exe
3816	leZjDqQ.exe
2904	lavOsXM.exe
3444	jSSvgPD.exe
4028	wftyocC.exe
3220	CgjYNNh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4172-0-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp	upx
behavioral2/files/0x0006000000023278-4.dat	upx
behavioral2/files/0x00070000000233fc-10.dat	upx
behavioral2/memory/1684-14-0x00007FF634C90000-0x00007FF635085000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-19.dat	upx
behavioral2/files/0x00070000000233ff-28.dat	upx
behavioral2/files/0x0007000000023400-31.dat	upx
behavioral2/files/0x0007000000023401-38.dat	upx
behavioral2/files/0x0007000000023402-43.dat	upx
behavioral2/files/0x0007000000023405-58.dat	upx
behavioral2/files/0x0007000000023408-71.dat	upx
behavioral2/files/0x000700000002340a-81.dat	upx
behavioral2/files/0x000700000002340e-101.dat	upx
behavioral2/files/0x0007000000023410-113.dat	upx
behavioral2/files/0x0007000000023418-151.dat	upx
behavioral2/memory/4356-792-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp	upx
behavioral2/files/0x000700000002341a-163.dat	upx
behavioral2/files/0x0007000000023419-158.dat	upx
behavioral2/files/0x0007000000023417-149.dat	upx
behavioral2/files/0x0007000000023416-144.dat	upx
behavioral2/files/0x0007000000023415-139.dat	upx
behavioral2/files/0x0007000000023414-134.dat	upx
behavioral2/files/0x0007000000023413-129.dat	upx
behavioral2/files/0x0007000000023412-123.dat	upx
behavioral2/files/0x0007000000023411-118.dat	upx
behavioral2/files/0x000700000002340f-108.dat	upx
behavioral2/files/0x000700000002340d-98.dat	upx
behavioral2/files/0x000700000002340c-93.dat	upx
behavioral2/files/0x000700000002340b-88.dat	upx
behavioral2/files/0x0007000000023409-78.dat	upx
behavioral2/files/0x0007000000023407-68.dat	upx
behavioral2/files/0x0007000000023406-63.dat	upx
behavioral2/files/0x0007000000023404-53.dat	upx
behavioral2/files/0x0007000000023403-48.dat	upx
behavioral2/files/0x00070000000233fd-21.dat	upx
behavioral2/memory/2876-17-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp	upx
behavioral2/memory/4784-799-0x00007FF7F03C0000-0x00007FF7F07B5000-memory.dmp	upx
behavioral2/memory/3324-819-0x00007FF7FA3A0000-0x00007FF7FA795000-memory.dmp	upx
behavioral2/memory/4780-808-0x00007FF756920000-0x00007FF756D15000-memory.dmp	upx
behavioral2/memory/1712-802-0x00007FF6AC1A0000-0x00007FF6AC595000-memory.dmp	upx
behavioral2/memory/876-826-0x00007FF635920000-0x00007FF635D15000-memory.dmp	upx
behavioral2/memory/2952-831-0x00007FF6A9BA0000-0x00007FF6A9F95000-memory.dmp	upx
behavioral2/memory/3228-836-0x00007FF77E870000-0x00007FF77EC65000-memory.dmp	upx
behavioral2/memory/1372-839-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp	upx
behavioral2/memory/1928-842-0x00007FF7A3810000-0x00007FF7A3C05000-memory.dmp	upx
behavioral2/memory/1132-853-0x00007FF7F6F20000-0x00007FF7F7315000-memory.dmp	upx
behavioral2/memory/640-860-0x00007FF7BDE10000-0x00007FF7BE205000-memory.dmp	upx
behavioral2/memory/5100-863-0x00007FF63F2D0000-0x00007FF63F6C5000-memory.dmp	upx
behavioral2/memory/2036-866-0x00007FF725440000-0x00007FF725835000-memory.dmp	upx
behavioral2/memory/3576-871-0x00007FF78F1B0000-0x00007FF78F5A5000-memory.dmp	upx
behavioral2/memory/3660-873-0x00007FF749970000-0x00007FF749D65000-memory.dmp	upx
behavioral2/memory/4848-935-0x00007FF7BFD30000-0x00007FF7C0125000-memory.dmp	upx
behavioral2/memory/1044-932-0x00007FF7160A0000-0x00007FF716495000-memory.dmp	upx
behavioral2/memory/3852-938-0x00007FF6BE140000-0x00007FF6BE535000-memory.dmp	upx
behavioral2/memory/4732-977-0x00007FF606240000-0x00007FF606635000-memory.dmp	upx
behavioral2/memory/4644-984-0x00007FF79FE60000-0x00007FF7A0255000-memory.dmp	upx
behavioral2/memory/1016-988-0x00007FF777F90000-0x00007FF778385000-memory.dmp	upx
behavioral2/memory/4172-1881-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp	upx
behavioral2/memory/1684-1882-0x00007FF634C90000-0x00007FF635085000-memory.dmp	upx
behavioral2/memory/2876-1883-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp	upx
behavioral2/memory/4356-1884-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp	upx
behavioral2/memory/1016-1885-0x00007FF777F90000-0x00007FF778385000-memory.dmp	upx
behavioral2/memory/876-1890-0x00007FF635920000-0x00007FF635D15000-memory.dmp	upx
behavioral2/memory/1372-1893-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\nKFMgaz.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\UwofzEm.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\pIaHwUY.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\iQwwSsu.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\vXXtMFB.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\gvMPdii.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\LqYzLuc.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\szhbFCr.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\UTZzRRv.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\tRESKSz.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\RhilQeR.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\wNWhIIS.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ruQjbXL.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\GIOlxhO.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\lCgzAtf.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\sMqelLv.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\LjsCFKS.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\gnBjsfy.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\IDlRBVj.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\YMSGwCq.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\fnvblfn.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\TzGDmnO.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\XdEcfUG.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\GTnNEnS.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\svBNqRg.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\HpfWwOB.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\mLxtsax.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\KuZixCW.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\EFEDIks.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\NEVcMvh.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\OOXrgir.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\fzMKMEl.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\plkcafs.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\QXvxNHs.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ERXOgfa.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\HOerKFm.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\lXcDvtH.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\iVNmTuu.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\jTkGlDQ.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\eBxTNUm.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\WrnFxCv.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ilHnnHD.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\JPRkRIJ.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\GahfZnm.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\HuPgWNP.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\xsgOcVJ.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\keQWbhH.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\cpkkPbr.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\CYZREVE.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\qhSwMug.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\yhftEcP.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\FkSJoci.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZFixGnw.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\IiVBaqk.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\BANnBTy.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\kbBZpRg.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\QTgmTRc.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\tOCInNB.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\ALCZtlS.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\MDplIQd.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\DnXwJRV.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\uTsLAFu.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\rJaDKOM.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
File created	C:\Windows\System32\gGIrbGS.exe	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	10140	dwm.exe
Token: SeChangeNotifyPrivilege	10140	dwm.exe
Token: 33	10140	dwm.exe
Token: SeIncBasePriorityPrivilege	10140	dwm.exe
Token: SeShutdownPrivilege	10140	dwm.exe
Token: SeCreatePagefilePrivilege	10140	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 1684	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	86
PID 4172 wrote to memory of 1684	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	86
PID 4172 wrote to memory of 2876	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	87
PID 4172 wrote to memory of 2876	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	87
PID 4172 wrote to memory of 4356	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	88
PID 4172 wrote to memory of 4356	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	88
PID 4172 wrote to memory of 1016	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	89
PID 4172 wrote to memory of 1016	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	89
PID 4172 wrote to memory of 4784	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	90
PID 4172 wrote to memory of 4784	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	90
PID 4172 wrote to memory of 1712	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	91
PID 4172 wrote to memory of 1712	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	91
PID 4172 wrote to memory of 4780	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	92
PID 4172 wrote to memory of 4780	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	92
PID 4172 wrote to memory of 3324	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	93
PID 4172 wrote to memory of 3324	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	93
PID 4172 wrote to memory of 876	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	94
PID 4172 wrote to memory of 876	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	94
PID 4172 wrote to memory of 2952	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	95
PID 4172 wrote to memory of 2952	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	95
PID 4172 wrote to memory of 3228	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	96
PID 4172 wrote to memory of 3228	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	96
PID 4172 wrote to memory of 1372	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	97
PID 4172 wrote to memory of 1372	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	97
PID 4172 wrote to memory of 1928	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	98
PID 4172 wrote to memory of 1928	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	98
PID 4172 wrote to memory of 1132	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	99
PID 4172 wrote to memory of 1132	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	99
PID 4172 wrote to memory of 640	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	100
PID 4172 wrote to memory of 640	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	100
PID 4172 wrote to memory of 5100	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	101
PID 4172 wrote to memory of 5100	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	101
PID 4172 wrote to memory of 2036	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	102
PID 4172 wrote to memory of 2036	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	102
PID 4172 wrote to memory of 3576	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	103
PID 4172 wrote to memory of 3576	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	103
PID 4172 wrote to memory of 3660	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	104
PID 4172 wrote to memory of 3660	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	104
PID 4172 wrote to memory of 1044	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	105
PID 4172 wrote to memory of 1044	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	105
PID 4172 wrote to memory of 4848	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	106
PID 4172 wrote to memory of 4848	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	106
PID 4172 wrote to memory of 3852	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	107
PID 4172 wrote to memory of 3852	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	107
PID 4172 wrote to memory of 4732	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	108
PID 4172 wrote to memory of 4732	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	108
PID 4172 wrote to memory of 4644	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	109
PID 4172 wrote to memory of 4644	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	109
PID 4172 wrote to memory of 4288	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	110
PID 4172 wrote to memory of 4288	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	110
PID 4172 wrote to memory of 3628	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	111
PID 4172 wrote to memory of 3628	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	111
PID 4172 wrote to memory of 4340	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	112
PID 4172 wrote to memory of 4340	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	112
PID 4172 wrote to memory of 1312	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	113
PID 4172 wrote to memory of 1312	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	113
PID 4172 wrote to memory of 3676	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	114
PID 4172 wrote to memory of 3676	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	114
PID 4172 wrote to memory of 4276	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	115
PID 4172 wrote to memory of 4276	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	115
PID 4172 wrote to memory of 4100	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	116
PID 4172 wrote to memory of 4100	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	116
PID 4172 wrote to memory of 3968	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	117
PID 4172 wrote to memory of 3968	4172	627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\627fd84bfc02be32a9a7df4610dd5dc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\System32\igTnobO.exe
  C:\Windows\System32\igTnobO.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\SmOniFO.exe
  C:\Windows\System32\SmOniFO.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System32\ZFOiXiW.exe
  C:\Windows\System32\ZFOiXiW.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\mOULDdB.exe
  C:\Windows\System32\mOULDdB.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\HCHxsVj.exe
  C:\Windows\System32\HCHxsVj.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\kFIetEc.exe
  C:\Windows\System32\kFIetEc.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\EOXNeGM.exe
  C:\Windows\System32\EOXNeGM.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\AmcFkGT.exe
  C:\Windows\System32\AmcFkGT.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System32\mfeSCTY.exe
  C:\Windows\System32\mfeSCTY.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\svBNqRg.exe
  C:\Windows\System32\svBNqRg.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System32\lRqwaUp.exe
  C:\Windows\System32\lRqwaUp.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\DnXwJRV.exe
  C:\Windows\System32\DnXwJRV.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\EDtnNSu.exe
  C:\Windows\System32\EDtnNSu.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System32\gRAseWU.exe
  C:\Windows\System32\gRAseWU.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\yIjuXKd.exe
  C:\Windows\System32\yIjuXKd.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\qbDXCjV.exe
  C:\Windows\System32\qbDXCjV.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\Avaiwqm.exe
  C:\Windows\System32\Avaiwqm.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\vrUYnGS.exe
  C:\Windows\System32\vrUYnGS.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\xWcVAWL.exe
  C:\Windows\System32\xWcVAWL.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\fzMKMEl.exe
  C:\Windows\System32\fzMKMEl.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\pmlXSGY.exe
  C:\Windows\System32\pmlXSGY.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\GIOlxhO.exe
  C:\Windows\System32\GIOlxhO.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System32\VsYdomn.exe
  C:\Windows\System32\VsYdomn.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\wKMQmOD.exe
  C:\Windows\System32\wKMQmOD.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\NVvCXMJ.exe
  C:\Windows\System32\NVvCXMJ.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\FepyhFy.exe
  C:\Windows\System32\FepyhFy.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\vQfIfRZ.exe
  C:\Windows\System32\vQfIfRZ.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\nBAEzXg.exe
  C:\Windows\System32\nBAEzXg.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System32\HOerKFm.exe
  C:\Windows\System32\HOerKFm.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\wgHXZLb.exe
  C:\Windows\System32\wgHXZLb.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\nSmKlQT.exe
  C:\Windows\System32\nSmKlQT.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\cmrPBUj.exe
  C:\Windows\System32\cmrPBUj.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\zodagAA.exe
  C:\Windows\System32\zodagAA.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\EnQxSKR.exe
  C:\Windows\System32\EnQxSKR.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\CFeTCQa.exe
  C:\Windows\System32\CFeTCQa.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\DwvYexZ.exe
  C:\Windows\System32\DwvYexZ.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System32\iTLLKgP.exe
  C:\Windows\System32\iTLLKgP.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\rciePZs.exe
  C:\Windows\System32\rciePZs.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\xsgOcVJ.exe
  C:\Windows\System32\xsgOcVJ.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\zfVPSiE.exe
  C:\Windows\System32\zfVPSiE.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System32\VXkEHDr.exe
  C:\Windows\System32\VXkEHDr.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\qoVvuga.exe
  C:\Windows\System32\qoVvuga.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System32\ApUsUvr.exe
  C:\Windows\System32\ApUsUvr.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System32\cmTXACD.exe
  C:\Windows\System32\cmTXACD.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System32\eHdXqdh.exe
  C:\Windows\System32\eHdXqdh.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\lDkveqX.exe
  C:\Windows\System32\lDkveqX.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\rhGGFCB.exe
  C:\Windows\System32\rhGGFCB.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\XegOpFd.exe
  C:\Windows\System32\XegOpFd.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\lQwLUZC.exe
  C:\Windows\System32\lQwLUZC.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\lMoJPGw.exe
  C:\Windows\System32\lMoJPGw.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\nVqysIc.exe
  C:\Windows\System32\nVqysIc.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\keQWbhH.exe
  C:\Windows\System32\keQWbhH.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\rGcQuXK.exe
  C:\Windows\System32\rGcQuXK.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\QTgmTRc.exe
  C:\Windows\System32\QTgmTRc.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\UsrsxIR.exe
  C:\Windows\System32\UsrsxIR.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\LnnhRRU.exe
  C:\Windows\System32\LnnhRRU.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\IDlRBVj.exe
  C:\Windows\System32\IDlRBVj.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System32\NZPAhpa.exe
  C:\Windows\System32\NZPAhpa.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System32\GGwOKGA.exe
  C:\Windows\System32\GGwOKGA.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\leZjDqQ.exe
  C:\Windows\System32\leZjDqQ.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System32\lavOsXM.exe
  C:\Windows\System32\lavOsXM.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System32\jSSvgPD.exe
  C:\Windows\System32\jSSvgPD.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\wftyocC.exe
  C:\Windows\System32\wftyocC.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\CgjYNNh.exe
  C:\Windows\System32\CgjYNNh.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\leXhZsL.exe
  C:\Windows\System32\leXhZsL.exe
  2⤵
  PID:1252
- C:\Windows\System32\qhSwMug.exe
  C:\Windows\System32\qhSwMug.exe
  2⤵
  PID:3700
- C:\Windows\System32\MsuzzUz.exe
  C:\Windows\System32\MsuzzUz.exe
  2⤵
  PID:2592
- C:\Windows\System32\AcdRtWR.exe
  C:\Windows\System32\AcdRtWR.exe
  2⤵
  PID:2396
- C:\Windows\System32\rbajdbm.exe
  C:\Windows\System32\rbajdbm.exe
  2⤵
  PID:440
- C:\Windows\System32\WQJhuhx.exe
  C:\Windows\System32\WQJhuhx.exe
  2⤵
  PID:2224
- C:\Windows\System32\qTgmnuu.exe
  C:\Windows\System32\qTgmnuu.exe
  2⤵
  PID:64
- C:\Windows\System32\kSVqVLs.exe
  C:\Windows\System32\kSVqVLs.exe
  2⤵
  PID:4580
- C:\Windows\System32\JScrzEs.exe
  C:\Windows\System32\JScrzEs.exe
  2⤵
  PID:3640
- C:\Windows\System32\gqmfdeT.exe
  C:\Windows\System32\gqmfdeT.exe
  2⤵
  PID:4392
- C:\Windows\System32\iDzdDsl.exe
  C:\Windows\System32\iDzdDsl.exe
  2⤵
  PID:1848
- C:\Windows\System32\SxXOcqh.exe
  C:\Windows\System32\SxXOcqh.exe
  2⤵
  PID:944
- C:\Windows\System32\IiVBaqk.exe
  C:\Windows\System32\IiVBaqk.exe
  2⤵
  PID:4576
- C:\Windows\System32\kslSpzL.exe
  C:\Windows\System32\kslSpzL.exe
  2⤵
  PID:4212
- C:\Windows\System32\iBDySkI.exe
  C:\Windows\System32\iBDySkI.exe
  2⤵
  PID:1860
- C:\Windows\System32\VhTnysT.exe
  C:\Windows\System32\VhTnysT.exe
  2⤵
  PID:4684
- C:\Windows\System32\WUJgsnB.exe
  C:\Windows\System32\WUJgsnB.exe
  2⤵
  PID:904
- C:\Windows\System32\SOOdAeG.exe
  C:\Windows\System32\SOOdAeG.exe
  2⤵
  PID:3356
- C:\Windows\System32\AfPjIdA.exe
  C:\Windows\System32\AfPjIdA.exe
  2⤵
  PID:3988
- C:\Windows\System32\pZpTGjY.exe
  C:\Windows\System32\pZpTGjY.exe
  2⤵
  PID:5140
- C:\Windows\System32\zjhnovV.exe
  C:\Windows\System32\zjhnovV.exe
  2⤵
  PID:5168
- C:\Windows\System32\JdhEsnU.exe
  C:\Windows\System32\JdhEsnU.exe
  2⤵
  PID:5208
- C:\Windows\System32\ahrUNss.exe
  C:\Windows\System32\ahrUNss.exe
  2⤵
  PID:5224
- C:\Windows\System32\rTjIuhG.exe
  C:\Windows\System32\rTjIuhG.exe
  2⤵
  PID:5252
- C:\Windows\System32\fbHpXOx.exe
  C:\Windows\System32\fbHpXOx.exe
  2⤵
  PID:5280
- C:\Windows\System32\tvIMHux.exe
  C:\Windows\System32\tvIMHux.exe
  2⤵
  PID:5308
- C:\Windows\System32\XUSmYqN.exe
  C:\Windows\System32\XUSmYqN.exe
  2⤵
  PID:5336
- C:\Windows\System32\parXWhD.exe
  C:\Windows\System32\parXWhD.exe
  2⤵
  PID:5364
- C:\Windows\System32\WPvUydC.exe
  C:\Windows\System32\WPvUydC.exe
  2⤵
  PID:5392
- C:\Windows\System32\HpfWwOB.exe
  C:\Windows\System32\HpfWwOB.exe
  2⤵
  PID:5420
- C:\Windows\System32\NdQWnEF.exe
  C:\Windows\System32\NdQWnEF.exe
  2⤵
  PID:5448
- C:\Windows\System32\pULdHTG.exe
  C:\Windows\System32\pULdHTG.exe
  2⤵
  PID:5476
- C:\Windows\System32\QBGjIYv.exe
  C:\Windows\System32\QBGjIYv.exe
  2⤵
  PID:5504
- C:\Windows\System32\DeCOYEx.exe
  C:\Windows\System32\DeCOYEx.exe
  2⤵
  PID:5532
- C:\Windows\System32\sODAhvl.exe
  C:\Windows\System32\sODAhvl.exe
  2⤵
  PID:5560
- C:\Windows\System32\DQlGvVu.exe
  C:\Windows\System32\DQlGvVu.exe
  2⤵
  PID:5600
- C:\Windows\System32\TuCTtIP.exe
  C:\Windows\System32\TuCTtIP.exe
  2⤵
  PID:5616
- C:\Windows\System32\GVwceWW.exe
  C:\Windows\System32\GVwceWW.exe
  2⤵
  PID:5644
- C:\Windows\System32\PLLNeLi.exe
  C:\Windows\System32\PLLNeLi.exe
  2⤵
  PID:5672
- C:\Windows\System32\lXjZvXv.exe
  C:\Windows\System32\lXjZvXv.exe
  2⤵
  PID:5700
- C:\Windows\System32\UTZzRRv.exe
  C:\Windows\System32\UTZzRRv.exe
  2⤵
  PID:5728
- C:\Windows\System32\zRcfSPm.exe
  C:\Windows\System32\zRcfSPm.exe
  2⤵
  PID:5756
- C:\Windows\System32\hMdUHHc.exe
  C:\Windows\System32\hMdUHHc.exe
  2⤵
  PID:5796
- C:\Windows\System32\vkmSxIz.exe
  C:\Windows\System32\vkmSxIz.exe
  2⤵
  PID:5812
- C:\Windows\System32\JSKJcBp.exe
  C:\Windows\System32\JSKJcBp.exe
  2⤵
  PID:5840
- C:\Windows\System32\NqAOzJF.exe
  C:\Windows\System32\NqAOzJF.exe
  2⤵
  PID:5868
- C:\Windows\System32\RUfILwC.exe
  C:\Windows\System32\RUfILwC.exe
  2⤵
  PID:5896
- C:\Windows\System32\DZDQnFv.exe
  C:\Windows\System32\DZDQnFv.exe
  2⤵
  PID:5924
- C:\Windows\System32\VvzsDqS.exe
  C:\Windows\System32\VvzsDqS.exe
  2⤵
  PID:5952
- C:\Windows\System32\GTDpIrP.exe
  C:\Windows\System32\GTDpIrP.exe
  2⤵
  PID:5980
- C:\Windows\System32\tuPgobD.exe
  C:\Windows\System32\tuPgobD.exe
  2⤵
  PID:6008
- C:\Windows\System32\oaFuJgL.exe
  C:\Windows\System32\oaFuJgL.exe
  2⤵
  PID:6036
- C:\Windows\System32\tRESKSz.exe
  C:\Windows\System32\tRESKSz.exe
  2⤵
  PID:6064
- C:\Windows\System32\JaTsUvY.exe
  C:\Windows\System32\JaTsUvY.exe
  2⤵
  PID:6092
- C:\Windows\System32\BZcETQB.exe
  C:\Windows\System32\BZcETQB.exe
  2⤵
  PID:6120
- C:\Windows\System32\UTfCNBN.exe
  C:\Windows\System32\UTfCNBN.exe
  2⤵
  PID:4156
- C:\Windows\System32\WeIhmZC.exe
  C:\Windows\System32\WeIhmZC.exe
  2⤵
  PID:4560
- C:\Windows\System32\FktJdxN.exe
  C:\Windows\System32\FktJdxN.exe
  2⤵
  PID:2752
- C:\Windows\System32\XHLOdeM.exe
  C:\Windows\System32\XHLOdeM.exe
  2⤵
  PID:4872
- C:\Windows\System32\bMyELKf.exe
  C:\Windows\System32\bMyELKf.exe
  2⤵
  PID:1616
- C:\Windows\System32\COCOYDj.exe
  C:\Windows\System32\COCOYDj.exe
  2⤵
  PID:5128
- C:\Windows\System32\DJEQIrQ.exe
  C:\Windows\System32\DJEQIrQ.exe
  2⤵
  PID:5176
- C:\Windows\System32\IATKsTc.exe
  C:\Windows\System32\IATKsTc.exe
  2⤵
  PID:5244
- C:\Windows\System32\rrvsGnE.exe
  C:\Windows\System32\rrvsGnE.exe
  2⤵
  PID:5324
- C:\Windows\System32\oFZscnj.exe
  C:\Windows\System32\oFZscnj.exe
  2⤵
  PID:5372
- C:\Windows\System32\kTmWmMv.exe
  C:\Windows\System32\kTmWmMv.exe
  2⤵
  PID:5440
- C:\Windows\System32\plkcafs.exe
  C:\Windows\System32\plkcafs.exe
  2⤵
  PID:5496
- C:\Windows\System32\eWIyNhH.exe
  C:\Windows\System32\eWIyNhH.exe
  2⤵
  PID:5576
- C:\Windows\System32\gTcZZzz.exe
  C:\Windows\System32\gTcZZzz.exe
  2⤵
  PID:5624
- C:\Windows\System32\vHHaACs.exe
  C:\Windows\System32\vHHaACs.exe
  2⤵
  PID:5692
- C:\Windows\System32\EqJaCKW.exe
  C:\Windows\System32\EqJaCKW.exe
  2⤵
  PID:5772
- C:\Windows\System32\alAkCwN.exe
  C:\Windows\System32\alAkCwN.exe
  2⤵
  PID:5820
- C:\Windows\System32\MuPzGDz.exe
  C:\Windows\System32\MuPzGDz.exe
  2⤵
  PID:5876
- C:\Windows\System32\WgtWOwc.exe
  C:\Windows\System32\WgtWOwc.exe
  2⤵
  PID:5968
- C:\Windows\System32\tAGjwyC.exe
  C:\Windows\System32\tAGjwyC.exe
  2⤵
  PID:6016
- C:\Windows\System32\lcouiJd.exe
  C:\Windows\System32\lcouiJd.exe
  2⤵
  PID:6084
- C:\Windows\System32\ilHnnHD.exe
  C:\Windows\System32\ilHnnHD.exe
  2⤵
  PID:4968
- C:\Windows\System32\svwmnbF.exe
  C:\Windows\System32\svwmnbF.exe
  2⤵
  PID:3836
- C:\Windows\System32\yfwkveD.exe
  C:\Windows\System32\yfwkveD.exe
  2⤵
  PID:1580
- C:\Windows\System32\mSNYDud.exe
  C:\Windows\System32\mSNYDud.exe
  2⤵
  PID:5296
- C:\Windows\System32\vlLpxnW.exe
  C:\Windows\System32\vlLpxnW.exe
  2⤵
  PID:5408
- C:\Windows\System32\yhftEcP.exe
  C:\Windows\System32\yhftEcP.exe
  2⤵
  PID:5540
- C:\Windows\System32\mLxtsax.exe
  C:\Windows\System32\mLxtsax.exe
  2⤵
  PID:5744
- C:\Windows\System32\qvDuTGy.exe
  C:\Windows\System32\qvDuTGy.exe
  2⤵
  PID:5856
- C:\Windows\System32\lXcDvtH.exe
  C:\Windows\System32\lXcDvtH.exe
  2⤵
  PID:6164
- C:\Windows\System32\UTUyBRV.exe
  C:\Windows\System32\UTUyBRV.exe
  2⤵
  PID:6192
- C:\Windows\System32\jgyVTxj.exe
  C:\Windows\System32\jgyVTxj.exe
  2⤵
  PID:6220
- C:\Windows\System32\KzEhtOJ.exe
  C:\Windows\System32\KzEhtOJ.exe
  2⤵
  PID:6248
- C:\Windows\System32\diQPWki.exe
  C:\Windows\System32\diQPWki.exe
  2⤵
  PID:6276
- C:\Windows\System32\qLyTdAh.exe
  C:\Windows\System32\qLyTdAh.exe
  2⤵
  PID:6304
- C:\Windows\System32\JPRkRIJ.exe
  C:\Windows\System32\JPRkRIJ.exe
  2⤵
  PID:6332
- C:\Windows\System32\rkSxLOx.exe
  C:\Windows\System32\rkSxLOx.exe
  2⤵
  PID:6360
- C:\Windows\System32\qSPNyFr.exe
  C:\Windows\System32\qSPNyFr.exe
  2⤵
  PID:6388
- C:\Windows\System32\OkMogna.exe
  C:\Windows\System32\OkMogna.exe
  2⤵
  PID:6416
- C:\Windows\System32\zxWlHmM.exe
  C:\Windows\System32\zxWlHmM.exe
  2⤵
  PID:6444
- C:\Windows\System32\DhKMCkW.exe
  C:\Windows\System32\DhKMCkW.exe
  2⤵
  PID:6472
- C:\Windows\System32\tKcieXw.exe
  C:\Windows\System32\tKcieXw.exe
  2⤵
  PID:6500
- C:\Windows\System32\TzGDmnO.exe
  C:\Windows\System32\TzGDmnO.exe
  2⤵
  PID:6528
- C:\Windows\System32\EDzpMKQ.exe
  C:\Windows\System32\EDzpMKQ.exe
  2⤵
  PID:6556
- C:\Windows\System32\yBjShpV.exe
  C:\Windows\System32\yBjShpV.exe
  2⤵
  PID:6584
- C:\Windows\System32\lHfYHif.exe
  C:\Windows\System32\lHfYHif.exe
  2⤵
  PID:6612
- C:\Windows\System32\dHSUHiv.exe
  C:\Windows\System32\dHSUHiv.exe
  2⤵
  PID:6640
- C:\Windows\System32\BeTuiPy.exe
  C:\Windows\System32\BeTuiPy.exe
  2⤵
  PID:6668
- C:\Windows\System32\lCgzAtf.exe
  C:\Windows\System32\lCgzAtf.exe
  2⤵
  PID:6696
- C:\Windows\System32\DXWcxGF.exe
  C:\Windows\System32\DXWcxGF.exe
  2⤵
  PID:6724
- C:\Windows\System32\qInkGbP.exe
  C:\Windows\System32\qInkGbP.exe
  2⤵
  PID:6760
- C:\Windows\System32\hLzMmvN.exe
  C:\Windows\System32\hLzMmvN.exe
  2⤵
  PID:6780
- C:\Windows\System32\mYeMnBa.exe
  C:\Windows\System32\mYeMnBa.exe
  2⤵
  PID:6808
- C:\Windows\System32\BANnBTy.exe
  C:\Windows\System32\BANnBTy.exe
  2⤵
  PID:6844
- C:\Windows\System32\pHZjFyP.exe
  C:\Windows\System32\pHZjFyP.exe
  2⤵
  PID:6864
- C:\Windows\System32\KYEhHhi.exe
  C:\Windows\System32\KYEhHhi.exe
  2⤵
  PID:6892
- C:\Windows\System32\EQhGRaK.exe
  C:\Windows\System32\EQhGRaK.exe
  2⤵
  PID:6920
- C:\Windows\System32\LSWHrKB.exe
  C:\Windows\System32\LSWHrKB.exe
  2⤵
  PID:6948
- C:\Windows\System32\GJWtZVG.exe
  C:\Windows\System32\GJWtZVG.exe
  2⤵
  PID:6976
- C:\Windows\System32\iCmXoUX.exe
  C:\Windows\System32\iCmXoUX.exe
  2⤵
  PID:7008
- C:\Windows\System32\cfzQEOH.exe
  C:\Windows\System32\cfzQEOH.exe
  2⤵
  PID:7040
- C:\Windows\System32\gOmkSKZ.exe
  C:\Windows\System32\gOmkSKZ.exe
  2⤵
  PID:7060
- C:\Windows\System32\SPjtcEm.exe
  C:\Windows\System32\SPjtcEm.exe
  2⤵
  PID:7088
- C:\Windows\System32\awiXCzv.exe
  C:\Windows\System32\awiXCzv.exe
  2⤵
  PID:7116
- C:\Windows\System32\qvNeoKi.exe
  C:\Windows\System32\qvNeoKi.exe
  2⤵
  PID:7144
- C:\Windows\System32\MWrXBJj.exe
  C:\Windows\System32\MWrXBJj.exe
  2⤵
  PID:5932
- C:\Windows\System32\LFCRFhF.exe
  C:\Windows\System32\LFCRFhF.exe
  2⤵
  PID:6136
- C:\Windows\System32\hjcWAuc.exe
  C:\Windows\System32\hjcWAuc.exe
  2⤵
  PID:5092
- C:\Windows\System32\EDAuVkY.exe
  C:\Windows\System32\EDAuVkY.exe
  2⤵
  PID:5356
- C:\Windows\System32\pNLTcQa.exe
  C:\Windows\System32\pNLTcQa.exe
  2⤵
  PID:5660
- C:\Windows\System32\RgPeFWA.exe
  C:\Windows\System32\RgPeFWA.exe
  2⤵
  PID:6180
- C:\Windows\System32\PnNjyFd.exe
  C:\Windows\System32\PnNjyFd.exe
  2⤵
  PID:6264
- C:\Windows\System32\ypxhqmI.exe
  C:\Windows\System32\ypxhqmI.exe
  2⤵
  PID:6296
- C:\Windows\System32\jxzCpiF.exe
  C:\Windows\System32\jxzCpiF.exe
  2⤵
  PID:6340
- C:\Windows\System32\UwofzEm.exe
  C:\Windows\System32\UwofzEm.exe
  2⤵
  PID:6432
- C:\Windows\System32\MmtBFDy.exe
  C:\Windows\System32\MmtBFDy.exe
  2⤵
  PID:6508
- C:\Windows\System32\vKjprkM.exe
  C:\Windows\System32\vKjprkM.exe
  2⤵
  PID:6548
- C:\Windows\System32\TyVTJrc.exe
  C:\Windows\System32\TyVTJrc.exe
  2⤵
  PID:6628
- C:\Windows\System32\YMSGwCq.exe
  C:\Windows\System32\YMSGwCq.exe
  2⤵
  PID:6676
- C:\Windows\System32\xSToLgy.exe
  C:\Windows\System32\xSToLgy.exe
  2⤵
  PID:6744
- C:\Windows\System32\VMqxmuf.exe
  C:\Windows\System32\VMqxmuf.exe
  2⤵
  PID:388
- C:\Windows\System32\HbaJSed.exe
  C:\Windows\System32\HbaJSed.exe
  2⤵
  PID:6860
- C:\Windows\System32\RhilQeR.exe
  C:\Windows\System32\RhilQeR.exe
  2⤵
  PID:6936
- C:\Windows\System32\dEwRgNf.exe
  C:\Windows\System32\dEwRgNf.exe
  2⤵
  PID:6984
- C:\Windows\System32\fwyAJAW.exe
  C:\Windows\System32\fwyAJAW.exe
  2⤵
  PID:7048
- C:\Windows\System32\mTwVsKS.exe
  C:\Windows\System32\mTwVsKS.exe
  2⤵
  PID:7108
- C:\Windows\System32\UAHcliG.exe
  C:\Windows\System32\UAHcliG.exe
  2⤵
  PID:6056
- C:\Windows\System32\RuqoCaT.exe
  C:\Windows\System32\RuqoCaT.exe
  2⤵
  PID:5220
- C:\Windows\System32\tOCInNB.exe
  C:\Windows\System32\tOCInNB.exe
  2⤵
  PID:5940
- C:\Windows\System32\LLvzMzK.exe
  C:\Windows\System32\LLvzMzK.exe
  2⤵
  PID:6324
- C:\Windows\System32\QXvxNHs.exe
  C:\Windows\System32\QXvxNHs.exe
  2⤵
  PID:6436
- C:\Windows\System32\temworX.exe
  C:\Windows\System32\temworX.exe
  2⤵
  PID:6600
- C:\Windows\System32\sjtvojG.exe
  C:\Windows\System32\sjtvojG.exe
  2⤵
  PID:6632
- C:\Windows\System32\SehMdPN.exe
  C:\Windows\System32\SehMdPN.exe
  2⤵
  PID:6788
- C:\Windows\System32\rGQpPOV.exe
  C:\Windows\System32\rGQpPOV.exe
  2⤵
  PID:6956
- C:\Windows\System32\vXXtMFB.exe
  C:\Windows\System32\vXXtMFB.exe
  2⤵
  PID:7080
- C:\Windows\System32\UHjixAN.exe
  C:\Windows\System32\UHjixAN.exe
  2⤵
  PID:7152
- C:\Windows\System32\quaKGoP.exe
  C:\Windows\System32\quaKGoP.exe
  2⤵
  PID:6152
- C:\Windows\System32\pyuNKfV.exe
  C:\Windows\System32\pyuNKfV.exe
  2⤵
  PID:6544
- C:\Windows\System32\gYZmBYh.exe
  C:\Windows\System32\gYZmBYh.exe
  2⤵
  PID:6740
- C:\Windows\System32\QnScRzR.exe
  C:\Windows\System32\QnScRzR.exe
  2⤵
  PID:7196
- C:\Windows\System32\YRZmuXw.exe
  C:\Windows\System32\YRZmuXw.exe
  2⤵
  PID:7224
- C:\Windows\System32\kUJAiQR.exe
  C:\Windows\System32\kUJAiQR.exe
  2⤵
  PID:7252
- C:\Windows\System32\AOpVgrj.exe
  C:\Windows\System32\AOpVgrj.exe
  2⤵
  PID:7280
- C:\Windows\System32\ndgmPib.exe
  C:\Windows\System32\ndgmPib.exe
  2⤵
  PID:7308
- C:\Windows\System32\GNafFFP.exe
  C:\Windows\System32\GNafFFP.exe
  2⤵
  PID:7336
- C:\Windows\System32\acuZHLD.exe
  C:\Windows\System32\acuZHLD.exe
  2⤵
  PID:7364
- C:\Windows\System32\iPlrDvF.exe
  C:\Windows\System32\iPlrDvF.exe
  2⤵
  PID:7392
- C:\Windows\System32\tjKLGPL.exe
  C:\Windows\System32\tjKLGPL.exe
  2⤵
  PID:7420
- C:\Windows\System32\NwnUFtR.exe
  C:\Windows\System32\NwnUFtR.exe
  2⤵
  PID:7448
- C:\Windows\System32\ITGfmSi.exe
  C:\Windows\System32\ITGfmSi.exe
  2⤵
  PID:7476
- C:\Windows\System32\yrHJEXl.exe
  C:\Windows\System32\yrHJEXl.exe
  2⤵
  PID:7504
- C:\Windows\System32\TMPIYMz.exe
  C:\Windows\System32\TMPIYMz.exe
  2⤵
  PID:7532
- C:\Windows\System32\ZpsXibX.exe
  C:\Windows\System32\ZpsXibX.exe
  2⤵
  PID:7560
- C:\Windows\System32\iTUQtZQ.exe
  C:\Windows\System32\iTUQtZQ.exe
  2⤵
  PID:7588
- C:\Windows\System32\JMNgwRe.exe
  C:\Windows\System32\JMNgwRe.exe
  2⤵
  PID:7616
- C:\Windows\System32\sYGXLJr.exe
  C:\Windows\System32\sYGXLJr.exe
  2⤵
  PID:7644
- C:\Windows\System32\MeTZdOw.exe
  C:\Windows\System32\MeTZdOw.exe
  2⤵
  PID:7680
- C:\Windows\System32\sMqelLv.exe
  C:\Windows\System32\sMqelLv.exe
  2⤵
  PID:7700
- C:\Windows\System32\DuKEsxs.exe
  C:\Windows\System32\DuKEsxs.exe
  2⤵
  PID:7728
- C:\Windows\System32\gKpdLUR.exe
  C:\Windows\System32\gKpdLUR.exe
  2⤵
  PID:7756
- C:\Windows\System32\eTxhdli.exe
  C:\Windows\System32\eTxhdli.exe
  2⤵
  PID:7784
- C:\Windows\System32\mvPaxZV.exe
  C:\Windows\System32\mvPaxZV.exe
  2⤵
  PID:7812
- C:\Windows\System32\MtYFPyD.exe
  C:\Windows\System32\MtYFPyD.exe
  2⤵
  PID:7904
- C:\Windows\System32\DyFUpHI.exe
  C:\Windows\System32\DyFUpHI.exe
  2⤵
  PID:7968
- C:\Windows\System32\WvnGOgT.exe
  C:\Windows\System32\WvnGOgT.exe
  2⤵
  PID:7988
- C:\Windows\System32\fxTgFsn.exe
  C:\Windows\System32\fxTgFsn.exe
  2⤵
  PID:8008
- C:\Windows\System32\uMZnvEQ.exe
  C:\Windows\System32\uMZnvEQ.exe
  2⤵
  PID:8032
- C:\Windows\System32\KumDHwh.exe
  C:\Windows\System32\KumDHwh.exe
  2⤵
  PID:8056
- C:\Windows\System32\xfXEOHb.exe
  C:\Windows\System32\xfXEOHb.exe
  2⤵
  PID:8072
- C:\Windows\System32\TKyqcvJ.exe
  C:\Windows\System32\TKyqcvJ.exe
  2⤵
  PID:8088
- C:\Windows\System32\mrUWmAM.exe
  C:\Windows\System32\mrUWmAM.exe
  2⤵
  PID:8108
- C:\Windows\System32\mOynciQ.exe
  C:\Windows\System32\mOynciQ.exe
  2⤵
  PID:8124
- C:\Windows\System32\KvzUnqO.exe
  C:\Windows\System32\KvzUnqO.exe
  2⤵
  PID:8184
- C:\Windows\System32\ztvLUZu.exe
  C:\Windows\System32\ztvLUZu.exe
  2⤵
  PID:6184
- C:\Windows\System32\ODoTqZd.exe
  C:\Windows\System32\ODoTqZd.exe
  2⤵
  PID:4268
- C:\Windows\System32\PjCJKql.exe
  C:\Windows\System32\PjCJKql.exe
  2⤵
  PID:4204
- C:\Windows\System32\auGmzYO.exe
  C:\Windows\System32\auGmzYO.exe
  2⤵
  PID:7288
- C:\Windows\System32\tIAYQIt.exe
  C:\Windows\System32\tIAYQIt.exe
  2⤵
  PID:5112
- C:\Windows\System32\AFVenVd.exe
  C:\Windows\System32\AFVenVd.exe
  2⤵
  PID:7408
- C:\Windows\System32\kOidOmr.exe
  C:\Windows\System32\kOidOmr.exe
  2⤵
  PID:4396
- C:\Windows\System32\EZRJxRa.exe
  C:\Windows\System32\EZRJxRa.exe
  2⤵
  PID:3684
- C:\Windows\System32\kKRfRtr.exe
  C:\Windows\System32\kKRfRtr.exe
  2⤵
  PID:7512
- C:\Windows\System32\LUmAVqj.exe
  C:\Windows\System32\LUmAVqj.exe
  2⤵
  PID:7604
- C:\Windows\System32\BuDzSyy.exe
  C:\Windows\System32\BuDzSyy.exe
  2⤵
  PID:4024
- C:\Windows\System32\ZNTFAAK.exe
  C:\Windows\System32\ZNTFAAK.exe
  2⤵
  PID:7716
- C:\Windows\System32\iWiftuq.exe
  C:\Windows\System32\iWiftuq.exe
  2⤵
  PID:7744
- C:\Windows\System32\fXxfhqR.exe
  C:\Windows\System32\fXxfhqR.exe
  2⤵
  PID:7772
- C:\Windows\System32\dRlwpNb.exe
  C:\Windows\System32\dRlwpNb.exe
  2⤵
  PID:7792
- C:\Windows\System32\rcrfEJa.exe
  C:\Windows\System32\rcrfEJa.exe
  2⤵
  PID:4572
- C:\Windows\System32\DWjBSsV.exe
  C:\Windows\System32\DWjBSsV.exe
  2⤵
  PID:7820
- C:\Windows\System32\UasGSCD.exe
  C:\Windows\System32\UasGSCD.exe
  2⤵
  PID:1992
- C:\Windows\System32\ZieRzax.exe
  C:\Windows\System32\ZieRzax.exe
  2⤵
  PID:7912
- C:\Windows\System32\EDDIpeR.exe
  C:\Windows\System32\EDDIpeR.exe
  2⤵
  PID:7980
- C:\Windows\System32\sYVaxXG.exe
  C:\Windows\System32\sYVaxXG.exe
  2⤵
  PID:8068
- C:\Windows\System32\iVNmTuu.exe
  C:\Windows\System32\iVNmTuu.exe
  2⤵
  PID:8104
- C:\Windows\System32\ckcTYkR.exe
  C:\Windows\System32\ckcTYkR.exe
  2⤵
  PID:8172
- C:\Windows\System32\QUecunw.exe
  C:\Windows\System32\QUecunw.exe
  2⤵
  PID:6348
- C:\Windows\System32\NCxrLxL.exe
  C:\Windows\System32\NCxrLxL.exe
  2⤵
  PID:5104
- C:\Windows\System32\LvsCVcl.exe
  C:\Windows\System32\LvsCVcl.exe
  2⤵
  PID:7428
- C:\Windows\System32\PhxzwfK.exe
  C:\Windows\System32\PhxzwfK.exe
  2⤵
  PID:7568
- C:\Windows\System32\XHYYjoW.exe
  C:\Windows\System32\XHYYjoW.exe
  2⤵
  PID:4036
- C:\Windows\System32\dMxUfkC.exe
  C:\Windows\System32\dMxUfkC.exe
  2⤵
  PID:7800
- C:\Windows\System32\dGBUBsu.exe
  C:\Windows\System32\dGBUBsu.exe
  2⤵
  PID:7764
- C:\Windows\System32\FQnKJeV.exe
  C:\Windows\System32\FQnKJeV.exe
  2⤵
  PID:2468
- C:\Windows\System32\sjKjVWW.exe
  C:\Windows\System32\sjKjVWW.exe
  2⤵
  PID:900
- C:\Windows\System32\qeTJGQj.exe
  C:\Windows\System32\qeTJGQj.exe
  2⤵
  PID:8136
- C:\Windows\System32\MgkkGUk.exe
  C:\Windows\System32\MgkkGUk.exe
  2⤵
  PID:6240
- C:\Windows\System32\QUsdlYs.exe
  C:\Windows\System32\QUsdlYs.exe
  2⤵
  PID:1640
- C:\Windows\System32\mZSeSfJ.exe
  C:\Windows\System32\mZSeSfJ.exe
  2⤵
  PID:1084
- C:\Windows\System32\Noouwcp.exe
  C:\Windows\System32\Noouwcp.exe
  2⤵
  PID:8144
- C:\Windows\System32\FnuIlxG.exe
  C:\Windows\System32\FnuIlxG.exe
  2⤵
  PID:7632
- C:\Windows\System32\ECWDsJQ.exe
  C:\Windows\System32\ECWDsJQ.exe
  2⤵
  PID:5076
- C:\Windows\System32\HoWwGGH.exe
  C:\Windows\System32\HoWwGGH.exe
  2⤵
  PID:8216
- C:\Windows\System32\iPZziwg.exe
  C:\Windows\System32\iPZziwg.exe
  2⤵
  PID:8244
- C:\Windows\System32\HtIKXOa.exe
  C:\Windows\System32\HtIKXOa.exe
  2⤵
  PID:8276
- C:\Windows\System32\jRtGgQA.exe
  C:\Windows\System32\jRtGgQA.exe
  2⤵
  PID:8304
- C:\Windows\System32\HXWsNui.exe
  C:\Windows\System32\HXWsNui.exe
  2⤵
  PID:8332
- C:\Windows\System32\QNjxcXi.exe
  C:\Windows\System32\QNjxcXi.exe
  2⤵
  PID:8348
- C:\Windows\System32\ExBoeQU.exe
  C:\Windows\System32\ExBoeQU.exe
  2⤵
  PID:8376
- C:\Windows\System32\auGwYYv.exe
  C:\Windows\System32\auGwYYv.exe
  2⤵
  PID:8400
- C:\Windows\System32\QWEzZCe.exe
  C:\Windows\System32\QWEzZCe.exe
  2⤵
  PID:8424
- C:\Windows\System32\rywkGGJ.exe
  C:\Windows\System32\rywkGGJ.exe
  2⤵
  PID:8448
- C:\Windows\System32\LdoNvYA.exe
  C:\Windows\System32\LdoNvYA.exe
  2⤵
  PID:8472
- C:\Windows\System32\YvwkNnK.exe
  C:\Windows\System32\YvwkNnK.exe
  2⤵
  PID:8628
- C:\Windows\System32\wNWhIIS.exe
  C:\Windows\System32\wNWhIIS.exe
  2⤵
  PID:8644
- C:\Windows\System32\cHieQBC.exe
  C:\Windows\System32\cHieQBC.exe
  2⤵
  PID:8676
- C:\Windows\System32\LeRLHZY.exe
  C:\Windows\System32\LeRLHZY.exe
  2⤵
  PID:8720
- C:\Windows\System32\RpwObzZ.exe
  C:\Windows\System32\RpwObzZ.exe
  2⤵
  PID:8748
- C:\Windows\System32\BKGlZOW.exe
  C:\Windows\System32\BKGlZOW.exe
  2⤵
  PID:8764
- C:\Windows\System32\jPcBAIy.exe
  C:\Windows\System32\jPcBAIy.exe
  2⤵
  PID:8848
- C:\Windows\System32\yNgyeZo.exe
  C:\Windows\System32\yNgyeZo.exe
  2⤵
  PID:8876
- C:\Windows\System32\cYxESkc.exe
  C:\Windows\System32\cYxESkc.exe
  2⤵
  PID:8916
- C:\Windows\System32\SpYXdwZ.exe
  C:\Windows\System32\SpYXdwZ.exe
  2⤵
  PID:8940
- C:\Windows\System32\gGIrbGS.exe
  C:\Windows\System32\gGIrbGS.exe
  2⤵
  PID:8968
- C:\Windows\System32\ERXOgfa.exe
  C:\Windows\System32\ERXOgfa.exe
  2⤵
  PID:8988
- C:\Windows\System32\rPRuRLH.exe
  C:\Windows\System32\rPRuRLH.exe
  2⤵
  PID:9016
- C:\Windows\System32\wIpRWeu.exe
  C:\Windows\System32\wIpRWeu.exe
  2⤵
  PID:9048
- C:\Windows\System32\ZrHuxKT.exe
  C:\Windows\System32\ZrHuxKT.exe
  2⤵
  PID:9080
- C:\Windows\System32\sAoEUSQ.exe
  C:\Windows\System32\sAoEUSQ.exe
  2⤵
  PID:9100
- C:\Windows\System32\xbGCxkS.exe
  C:\Windows\System32\xbGCxkS.exe
  2⤵
  PID:9140
- C:\Windows\System32\cVZlnNN.exe
  C:\Windows\System32\cVZlnNN.exe
  2⤵
  PID:9168
- C:\Windows\System32\LjsCFKS.exe
  C:\Windows\System32\LjsCFKS.exe
  2⤵
  PID:9196
- C:\Windows\System32\KgHUxHw.exe
  C:\Windows\System32\KgHUxHw.exe
  2⤵
  PID:7216
- C:\Windows\System32\BQPAHDZ.exe
  C:\Windows\System32\BQPAHDZ.exe
  2⤵
  PID:1820
- C:\Windows\System32\mGDwMEo.exe
  C:\Windows\System32\mGDwMEo.exe
  2⤵
  PID:8284
- C:\Windows\System32\pdxagDW.exe
  C:\Windows\System32\pdxagDW.exe
  2⤵
  PID:8412
- C:\Windows\System32\nuKKFyc.exe
  C:\Windows\System32\nuKKFyc.exe
  2⤵
  PID:8388
- C:\Windows\System32\fmyBZXV.exe
  C:\Windows\System32\fmyBZXV.exe
  2⤵
  PID:4516
- C:\Windows\System32\XgHcgNZ.exe
  C:\Windows\System32\XgHcgNZ.exe
  2⤵
  PID:8572
- C:\Windows\System32\RtpmGLo.exe
  C:\Windows\System32\RtpmGLo.exe
  2⤵
  PID:8600
- C:\Windows\System32\ualCsvY.exe
  C:\Windows\System32\ualCsvY.exe
  2⤵
  PID:8640
- C:\Windows\System32\TzgfQCK.exe
  C:\Windows\System32\TzgfQCK.exe
  2⤵
  PID:8636
- C:\Windows\System32\OwZpMGr.exe
  C:\Windows\System32\OwZpMGr.exe
  2⤵
  PID:8356
- C:\Windows\System32\CNfvoBf.exe
  C:\Windows\System32\CNfvoBf.exe
  2⤵
  PID:8760
- C:\Windows\System32\OTWSoRh.exe
  C:\Windows\System32\OTWSoRh.exe
  2⤵
  PID:8824
- C:\Windows\System32\eoMFqwV.exe
  C:\Windows\System32\eoMFqwV.exe
  2⤵
  PID:8784
- C:\Windows\System32\sLbHjTi.exe
  C:\Windows\System32\sLbHjTi.exe
  2⤵
  PID:8888
- C:\Windows\System32\pIaHwUY.exe
  C:\Windows\System32\pIaHwUY.exe
  2⤵
  PID:8984
- C:\Windows\System32\cmXtKJi.exe
  C:\Windows\System32\cmXtKJi.exe
  2⤵
  PID:9056
- C:\Windows\System32\lSzoJIr.exe
  C:\Windows\System32\lSzoJIr.exe
  2⤵
  PID:9120
- C:\Windows\System32\cegUjMj.exe
  C:\Windows\System32\cegUjMj.exe
  2⤵
  PID:9192
- C:\Windows\System32\XAWzIMw.exe
  C:\Windows\System32\XAWzIMw.exe
  2⤵
  PID:8588
- C:\Windows\System32\PpditHV.exe
  C:\Windows\System32\PpditHV.exe
  2⤵
  PID:8688
- C:\Windows\System32\jGeMqvv.exe
  C:\Windows\System32\jGeMqvv.exe
  2⤵
  PID:8788
- C:\Windows\System32\oKvQKbY.exe
  C:\Windows\System32\oKvQKbY.exe
  2⤵
  PID:8868
- C:\Windows\System32\IySPUtf.exe
  C:\Windows\System32\IySPUtf.exe
  2⤵
  PID:8980
- C:\Windows\System32\cWvHlKA.exe
  C:\Windows\System32\cWvHlKA.exe
  2⤵
  PID:9096
- C:\Windows\System32\mREeLNr.exe
  C:\Windows\System32\mREeLNr.exe
  2⤵
  PID:8236
- C:\Windows\System32\lEywAex.exe
  C:\Windows\System32\lEywAex.exe
  2⤵
  PID:8344
- C:\Windows\System32\QcqpoPo.exe
  C:\Windows\System32\QcqpoPo.exe
  2⤵
  PID:8456
- C:\Windows\System32\ZUkcHTs.exe
  C:\Windows\System32\ZUkcHTs.exe
  2⤵
  PID:7676
- C:\Windows\System32\LuLsqYh.exe
  C:\Windows\System32\LuLsqYh.exe
  2⤵
  PID:4740
- C:\Windows\System32\GahfZnm.exe
  C:\Windows\System32\GahfZnm.exe
  2⤵
  PID:7160
- C:\Windows\System32\zzwcgSY.exe
  C:\Windows\System32\zzwcgSY.exe
  2⤵
  PID:7608
- C:\Windows\System32\BJWaHEz.exe
  C:\Windows\System32\BJWaHEz.exe
  2⤵
  PID:9036
- C:\Windows\System32\Xnbxnan.exe
  C:\Windows\System32\Xnbxnan.exe
  2⤵
  PID:8672
- C:\Windows\System32\GPvBfzd.exe
  C:\Windows\System32\GPvBfzd.exe
  2⤵
  PID:9248
- C:\Windows\System32\wRSpUCR.exe
  C:\Windows\System32\wRSpUCR.exe
  2⤵
  PID:9268
- C:\Windows\System32\DgKlwZi.exe
  C:\Windows\System32\DgKlwZi.exe
  2⤵
  PID:9304
- C:\Windows\System32\gJuELGG.exe
  C:\Windows\System32\gJuELGG.exe
  2⤵
  PID:9332
- C:\Windows\System32\cvVASJl.exe
  C:\Windows\System32\cvVASJl.exe
  2⤵
  PID:9360
- C:\Windows\System32\QSdSbrZ.exe
  C:\Windows\System32\QSdSbrZ.exe
  2⤵
  PID:9388
- C:\Windows\System32\cpkkPbr.exe
  C:\Windows\System32\cpkkPbr.exe
  2⤵
  PID:9404
- C:\Windows\System32\QtQEDHV.exe
  C:\Windows\System32\QtQEDHV.exe
  2⤵
  PID:9456
- C:\Windows\System32\NuoltUh.exe
  C:\Windows\System32\NuoltUh.exe
  2⤵
  PID:9484
- C:\Windows\System32\GaTThxW.exe
  C:\Windows\System32\GaTThxW.exe
  2⤵
  PID:9500
- C:\Windows\System32\skfRAnQ.exe
  C:\Windows\System32\skfRAnQ.exe
  2⤵
  PID:9528
- C:\Windows\System32\zHymCbX.exe
  C:\Windows\System32\zHymCbX.exe
  2⤵
  PID:9556
- C:\Windows\System32\etzaxdR.exe
  C:\Windows\System32\etzaxdR.exe
  2⤵
  PID:9584
- C:\Windows\System32\gnBjsfy.exe
  C:\Windows\System32\gnBjsfy.exe
  2⤵
  PID:9608
- C:\Windows\System32\YIAONGe.exe
  C:\Windows\System32\YIAONGe.exe
  2⤵
  PID:9636
- C:\Windows\System32\MKUTHTI.exe
  C:\Windows\System32\MKUTHTI.exe
  2⤵
  PID:9664
- C:\Windows\System32\ZpALsGy.exe
  C:\Windows\System32\ZpALsGy.exe
  2⤵
  PID:9688
- C:\Windows\System32\TLCkMeh.exe
  C:\Windows\System32\TLCkMeh.exe
  2⤵
  PID:9716
- C:\Windows\System32\JzMjqBH.exe
  C:\Windows\System32\JzMjqBH.exe
  2⤵
  PID:9756
- C:\Windows\System32\slUVsMI.exe
  C:\Windows\System32\slUVsMI.exe
  2⤵
  PID:9784
- C:\Windows\System32\OIZblFW.exe
  C:\Windows\System32\OIZblFW.exe
  2⤵
  PID:9800
- C:\Windows\System32\PUJotmo.exe
  C:\Windows\System32\PUJotmo.exe
  2⤵
  PID:9836
- C:\Windows\System32\jTkGlDQ.exe
  C:\Windows\System32\jTkGlDQ.exe
  2⤵
  PID:9868
- C:\Windows\System32\fJsXXLE.exe
  C:\Windows\System32\fJsXXLE.exe
  2⤵
  PID:9884
- C:\Windows\System32\AJyTtmj.exe
  C:\Windows\System32\AJyTtmj.exe
  2⤵
  PID:9924
- C:\Windows\System32\ruQjbXL.exe
  C:\Windows\System32\ruQjbXL.exe
  2⤵
  PID:9952
- C:\Windows\System32\qeIcvRx.exe
  C:\Windows\System32\qeIcvRx.exe
  2⤵
  PID:9980
- C:\Windows\System32\tLgHAGU.exe
  C:\Windows\System32\tLgHAGU.exe
  2⤵
  PID:10008
- C:\Windows\System32\FotRYpQ.exe
  C:\Windows\System32\FotRYpQ.exe
  2⤵
  PID:10036
- C:\Windows\System32\QyCEhVf.exe
  C:\Windows\System32\QyCEhVf.exe
  2⤵
  PID:10064
- C:\Windows\System32\aOoZTjI.exe
  C:\Windows\System32\aOoZTjI.exe
  2⤵
  PID:10088
- C:\Windows\System32\RDHVtcK.exe
  C:\Windows\System32\RDHVtcK.exe
  2⤵
  PID:10120
- C:\Windows\System32\OffGzPL.exe
  C:\Windows\System32\OffGzPL.exe
  2⤵
  PID:10152
- C:\Windows\System32\cCWgJgI.exe
  C:\Windows\System32\cCWgJgI.exe
  2⤵
  PID:10180
- C:\Windows\System32\MmGnXiX.exe
  C:\Windows\System32\MmGnXiX.exe
  2⤵
  PID:10208
- C:\Windows\System32\LqkzFVp.exe
  C:\Windows\System32\LqkzFVp.exe
  2⤵
  PID:10236
- C:\Windows\System32\UohQGWb.exe
  C:\Windows\System32\UohQGWb.exe
  2⤵
  PID:9244
- C:\Windows\System32\JYzRyyX.exe
  C:\Windows\System32\JYzRyyX.exe
  2⤵
  PID:9296
- C:\Windows\System32\HHXgoxD.exe
  C:\Windows\System32\HHXgoxD.exe
  2⤵
  PID:9384
- C:\Windows\System32\RGPzrKY.exe
  C:\Windows\System32\RGPzrKY.exe
  2⤵
  PID:9452
- C:\Windows\System32\eXmPUYk.exe
  C:\Windows\System32\eXmPUYk.exe
  2⤵
  PID:9496
- C:\Windows\System32\olowYub.exe
  C:\Windows\System32\olowYub.exe
  2⤵
  PID:9544
- C:\Windows\System32\gteJfrl.exe
  C:\Windows\System32\gteJfrl.exe
  2⤵
  PID:9628
- C:\Windows\System32\KuZixCW.exe
  C:\Windows\System32\KuZixCW.exe
  2⤵
  PID:9676
- C:\Windows\System32\XdEcfUG.exe
  C:\Windows\System32\XdEcfUG.exe
  2⤵
  PID:9744
- C:\Windows\System32\zwOXbyw.exe
  C:\Windows\System32\zwOXbyw.exe
  2⤵
  PID:4884
- C:\Windows\System32\gvMPdii.exe
  C:\Windows\System32\gvMPdii.exe
  2⤵
  PID:9880
- C:\Windows\System32\xVHMELD.exe
  C:\Windows\System32\xVHMELD.exe
  2⤵
  PID:9912
- C:\Windows\System32\NyKpsqX.exe
  C:\Windows\System32\NyKpsqX.exe
  2⤵
  PID:9964
- C:\Windows\System32\BOPdbyE.exe
  C:\Windows\System32\BOPdbyE.exe
  2⤵
  PID:10056
- C:\Windows\System32\iQwwSsu.exe
  C:\Windows\System32\iQwwSsu.exe
  2⤵
  PID:10148
- C:\Windows\System32\WXiBMEJ.exe
  C:\Windows\System32\WXiBMEJ.exe
  2⤵
  PID:9260
- C:\Windows\System32\YyiKDNM.exe
  C:\Windows\System32\YyiKDNM.exe
  2⤵
  PID:9476
- C:\Windows\System32\rOyaQoB.exe
  C:\Windows\System32\rOyaQoB.exe
  2⤵
  PID:9648
- C:\Windows\System32\BBsNkMu.exe
  C:\Windows\System32\BBsNkMu.exe
  2⤵
  PID:4696
- C:\Windows\System32\aACYeiD.exe
  C:\Windows\System32\aACYeiD.exe
  2⤵
  PID:10032
- C:\Windows\System32\QAdhGfY.exe
  C:\Windows\System32\QAdhGfY.exe
  2⤵
  PID:10228
- C:\Windows\System32\yXNcDdf.exe
  C:\Windows\System32\yXNcDdf.exe
  2⤵
  PID:9516
- C:\Windows\System32\htEDNWe.exe
  C:\Windows\System32\htEDNWe.exe
  2⤵
  PID:9936
- C:\Windows\System32\MPAnHVQ.exe
  C:\Windows\System32\MPAnHVQ.exe
  2⤵
  PID:3612
- C:\Windows\System32\mgiftPe.exe
  C:\Windows\System32\mgiftPe.exe
  2⤵
  PID:9832
- C:\Windows\System32\CRUOAab.exe
  C:\Windows\System32\CRUOAab.exe
  2⤵
  PID:10248
- C:\Windows\System32\sywrYkR.exe
  C:\Windows\System32\sywrYkR.exe
  2⤵
  PID:10272
- C:\Windows\System32\BMMdJRZ.exe
  C:\Windows\System32\BMMdJRZ.exe
  2⤵
  PID:10300
- C:\Windows\System32\jlLFAJM.exe
  C:\Windows\System32\jlLFAJM.exe
  2⤵
  PID:10336
- C:\Windows\System32\OQHaMCM.exe
  C:\Windows\System32\OQHaMCM.exe
  2⤵
  PID:10364
- C:\Windows\System32\QIdXaeo.exe
  C:\Windows\System32\QIdXaeo.exe
  2⤵
  PID:10392
- C:\Windows\System32\ipVySMA.exe
  C:\Windows\System32\ipVySMA.exe
  2⤵
  PID:10420
- C:\Windows\System32\qMxJQHi.exe
  C:\Windows\System32\qMxJQHi.exe
  2⤵
  PID:10448
- C:\Windows\System32\hnGfFMQ.exe
  C:\Windows\System32\hnGfFMQ.exe
  2⤵
  PID:10484
- C:\Windows\System32\WIhVpcD.exe
  C:\Windows\System32\WIhVpcD.exe
  2⤵
  PID:10512
- C:\Windows\System32\FkSJoci.exe
  C:\Windows\System32\FkSJoci.exe
  2⤵
  PID:10540
- C:\Windows\System32\VBCjwGQ.exe
  C:\Windows\System32\VBCjwGQ.exe
  2⤵
  PID:10564
- C:\Windows\System32\wHWNFDu.exe
  C:\Windows\System32\wHWNFDu.exe
  2⤵
  PID:10596
- C:\Windows\System32\UlvaaQy.exe
  C:\Windows\System32\UlvaaQy.exe
  2⤵
  PID:10624
- C:\Windows\System32\PSKxLNs.exe
  C:\Windows\System32\PSKxLNs.exe
  2⤵
  PID:10656
- C:\Windows\System32\ntUGgde.exe
  C:\Windows\System32\ntUGgde.exe
  2⤵
  PID:10692
- C:\Windows\System32\KOKgPpg.exe
  C:\Windows\System32\KOKgPpg.exe
  2⤵
  PID:10720
- C:\Windows\System32\fkCRYbY.exe
  C:\Windows\System32\fkCRYbY.exe
  2⤵
  PID:10736
- C:\Windows\System32\pEsahtO.exe
  C:\Windows\System32\pEsahtO.exe
  2⤵
  PID:10780
- C:\Windows\System32\DbJGTKS.exe
  C:\Windows\System32\DbJGTKS.exe
  2⤵
  PID:10804
- C:\Windows\System32\yJgpGcB.exe
  C:\Windows\System32\yJgpGcB.exe
  2⤵
  PID:10836
- C:\Windows\System32\IvoVMAY.exe
  C:\Windows\System32\IvoVMAY.exe
  2⤵
  PID:10864
- C:\Windows\System32\BpAaGmg.exe
  C:\Windows\System32\BpAaGmg.exe
  2⤵
  PID:10880
- C:\Windows\System32\WEnOOAu.exe
  C:\Windows\System32\WEnOOAu.exe
  2⤵
  PID:10916
- C:\Windows\System32\QyURMDG.exe
  C:\Windows\System32\QyURMDG.exe
  2⤵
  PID:10936
- C:\Windows\System32\IIAveBr.exe
  C:\Windows\System32\IIAveBr.exe
  2⤵
  PID:10964
- C:\Windows\System32\LsIiTSo.exe
  C:\Windows\System32\LsIiTSo.exe
  2⤵
  PID:10992
- C:\Windows\System32\udusrIB.exe
  C:\Windows\System32\udusrIB.exe
  2⤵
  PID:11036
- C:\Windows\System32\QeZuXSq.exe
  C:\Windows\System32\QeZuXSq.exe
  2⤵
  PID:11052
- C:\Windows\System32\ohZSozo.exe
  C:\Windows\System32\ohZSozo.exe
  2⤵
  PID:11108
- C:\Windows\System32\zaFkzSr.exe
  C:\Windows\System32\zaFkzSr.exe
  2⤵
  PID:11136
- C:\Windows\System32\zRaoTAU.exe
  C:\Windows\System32\zRaoTAU.exe
  2⤵
  PID:11164
- C:\Windows\System32\KcySBlo.exe
  C:\Windows\System32\KcySBlo.exe
  2⤵
  PID:11188
- C:\Windows\System32\znIrgHc.exe
  C:\Windows\System32\znIrgHc.exe
  2⤵
  PID:11244
- C:\Windows\System32\hbRIpHF.exe
  C:\Windows\System32\hbRIpHF.exe
  2⤵
  PID:10268
- C:\Windows\System32\gzjZOIa.exe
  C:\Windows\System32\gzjZOIa.exe
  2⤵
  PID:10312
- C:\Windows\System32\YXfEDJM.exe
  C:\Windows\System32\YXfEDJM.exe
  2⤵
  PID:10404
- C:\Windows\System32\wiOxWBt.exe
  C:\Windows\System32\wiOxWBt.exe
  2⤵
  PID:10508
- C:\Windows\System32\tdwqTQp.exe
  C:\Windows\System32\tdwqTQp.exe
  2⤵
  PID:10612
- C:\Windows\System32\xyDmFNH.exe
  C:\Windows\System32\xyDmFNH.exe
  2⤵
  PID:8808
- C:\Windows\System32\HuPgWNP.exe
  C:\Windows\System32\HuPgWNP.exe
  2⤵
  PID:10688
- C:\Windows\System32\qsTrHJD.exe
  C:\Windows\System32\qsTrHJD.exe
  2⤵
  PID:8364
- C:\Windows\System32\GjjuFhY.exe
  C:\Windows\System32\GjjuFhY.exe
  2⤵
  PID:10748
- C:\Windows\System32\AaqODKS.exe
  C:\Windows\System32\AaqODKS.exe
  2⤵
  PID:10892
- C:\Windows\System32\yjWXNFq.exe
  C:\Windows\System32\yjWXNFq.exe
  2⤵
  PID:10988
- C:\Windows\System32\GdCxRQt.exe
  C:\Windows\System32\GdCxRQt.exe
  2⤵
  PID:11076
- C:\Windows\System32\LqYzLuc.exe
  C:\Windows\System32\LqYzLuc.exe
  2⤵
  PID:11160
- C:\Windows\System32\mgKvFAQ.exe
  C:\Windows\System32\mgKvFAQ.exe
  2⤵
  PID:10380
- C:\Windows\System32\sygUSlz.exe
  C:\Windows\System32\sygUSlz.exe
  2⤵
  PID:10532
- C:\Windows\System32\tnvKroq.exe
  C:\Windows\System32\tnvKroq.exe
  2⤵
  PID:10676
- C:\Windows\System32\hxbpMlK.exe
  C:\Windows\System32\hxbpMlK.exe
  2⤵
  PID:10948
- C:\Windows\System32\IhBGpac.exe
  C:\Windows\System32\IhBGpac.exe
  2⤵
  PID:11232
- C:\Windows\System32\GaeGUfO.exe
  C:\Windows\System32\GaeGUfO.exe
  2⤵
  PID:10728
- C:\Windows\System32\lIyQAZT.exe
  C:\Windows\System32\lIyQAZT.exe
  2⤵
  PID:4068
- C:\Windows\System32\CvoayqU.exe
  C:\Windows\System32\CvoayqU.exe
  2⤵
  PID:11200
- C:\Windows\System32\wmvSGSn.exe
  C:\Windows\System32\wmvSGSn.exe
  2⤵
  PID:11276
- C:\Windows\System32\QutlsDo.exe
  C:\Windows\System32\QutlsDo.exe
  2⤵
  PID:11300
- C:\Windows\System32\TLjsDgZ.exe
  C:\Windows\System32\TLjsDgZ.exe
  2⤵
  PID:11320
- C:\Windows\System32\eHoMrjK.exe
  C:\Windows\System32\eHoMrjK.exe
  2⤵
  PID:11372
- C:\Windows\System32\QbGDAdU.exe
  C:\Windows\System32\QbGDAdU.exe
  2⤵
  PID:11392
- C:\Windows\System32\yMMYgGo.exe
  C:\Windows\System32\yMMYgGo.exe
  2⤵
  PID:11428
- C:\Windows\System32\AupkgYz.exe
  C:\Windows\System32\AupkgYz.exe
  2⤵
  PID:11456
- C:\Windows\System32\egJOrIz.exe
  C:\Windows\System32\egJOrIz.exe
  2⤵
  PID:11480
- C:\Windows\System32\dzfMPuo.exe
  C:\Windows\System32\dzfMPuo.exe
  2⤵
  PID:11516
- C:\Windows\System32\nKFMgaz.exe
  C:\Windows\System32\nKFMgaz.exe
  2⤵
  PID:11540
- C:\Windows\System32\kbBZpRg.exe
  C:\Windows\System32\kbBZpRg.exe
  2⤵
  PID:11564
- C:\Windows\System32\ejijvYC.exe
  C:\Windows\System32\ejijvYC.exe
  2⤵
  PID:11592
- C:\Windows\System32\RjWqYhY.exe
  C:\Windows\System32\RjWqYhY.exe
  2⤵
  PID:11616
- C:\Windows\System32\TcMFRSe.exe
  C:\Windows\System32\TcMFRSe.exe
  2⤵
  PID:11664
- C:\Windows\System32\TRsCCnd.exe
  C:\Windows\System32\TRsCCnd.exe
  2⤵
  PID:11692
- C:\Windows\System32\DculdUu.exe
  C:\Windows\System32\DculdUu.exe
  2⤵
  PID:11712
- C:\Windows\System32\aeRJckS.exe
  C:\Windows\System32\aeRJckS.exe
  2⤵
  PID:11748
- C:\Windows\System32\rmFUris.exe
  C:\Windows\System32\rmFUris.exe
  2⤵
  PID:11776
- C:\Windows\System32\xGpZRzf.exe
  C:\Windows\System32\xGpZRzf.exe
  2⤵
  PID:11796
- C:\Windows\System32\WxkZCxy.exe
  C:\Windows\System32\WxkZCxy.exe
  2⤵
  PID:11836
- C:\Windows\System32\RruSLhd.exe
  C:\Windows\System32\RruSLhd.exe
  2⤵
  PID:11864
- C:\Windows\System32\CFiRrgk.exe
  C:\Windows\System32\CFiRrgk.exe
  2⤵
  PID:11884
- C:\Windows\System32\jfPJiRa.exe
  C:\Windows\System32\jfPJiRa.exe
  2⤵
  PID:11908
- C:\Windows\System32\REZMrje.exe
  C:\Windows\System32\REZMrje.exe
  2⤵
  PID:11944
- C:\Windows\System32\UGWccxp.exe
  C:\Windows\System32\UGWccxp.exe
  2⤵
  PID:11972
- C:\Windows\System32\BIJdlxi.exe
  C:\Windows\System32\BIJdlxi.exe
  2⤵
  PID:12004
- C:\Windows\System32\HXPEeZD.exe
  C:\Windows\System32\HXPEeZD.exe
  2⤵
  PID:12032
- C:\Windows\System32\TDBCEXS.exe
  C:\Windows\System32\TDBCEXS.exe
  2⤵
  PID:12076
- C:\Windows\System32\vcUsxIj.exe
  C:\Windows\System32\vcUsxIj.exe
  2⤵
  PID:12092
- C:\Windows\System32\FLaMycN.exe
  C:\Windows\System32\FLaMycN.exe
  2⤵
  PID:12132
- C:\Windows\System32\TnGeHDf.exe
  C:\Windows\System32\TnGeHDf.exe
  2⤵
  PID:12160
- C:\Windows\System32\ApEUUFR.exe
  C:\Windows\System32\ApEUUFR.exe
  2⤵
  PID:12204
- C:\Windows\System32\WNZLavQ.exe
  C:\Windows\System32\WNZLavQ.exe
  2⤵
  PID:12236
- C:\Windows\System32\aACiNZp.exe
  C:\Windows\System32\aACiNZp.exe
  2⤵
  PID:12264
- C:\Windows\System32\bYvrHnW.exe
  C:\Windows\System32\bYvrHnW.exe
  2⤵
  PID:11284
- C:\Windows\System32\TNpbNRG.exe
  C:\Windows\System32\TNpbNRG.exe
  2⤵
  PID:4960
- C:\Windows\System32\BHISlyP.exe
  C:\Windows\System32\BHISlyP.exe
  2⤵
  PID:11420
- C:\Windows\System32\xvzcZdP.exe
  C:\Windows\System32\xvzcZdP.exe
  2⤵
  PID:11472
- C:\Windows\System32\ZhayaYr.exe
  C:\Windows\System32\ZhayaYr.exe
  2⤵
  PID:11552
- C:\Windows\System32\qEYZFjW.exe
  C:\Windows\System32\qEYZFjW.exe
  2⤵
  PID:11628
- C:\Windows\System32\ELvUwLs.exe
  C:\Windows\System32\ELvUwLs.exe
  2⤵
  PID:11680
- C:\Windows\System32\FYNMNqf.exe
  C:\Windows\System32\FYNMNqf.exe
  2⤵
  PID:11732
- C:\Windows\System32\SraNFlV.exe
  C:\Windows\System32\SraNFlV.exe
  2⤵
  PID:11808
- C:\Windows\System32\QInWzdz.exe
  C:\Windows\System32\QInWzdz.exe
  2⤵
  PID:11856
- C:\Windows\System32\HxBcwnO.exe
  C:\Windows\System32\HxBcwnO.exe
  2⤵
  PID:11920
- C:\Windows\System32\DONukIM.exe
  C:\Windows\System32\DONukIM.exe
  2⤵
  PID:12020
- C:\Windows\System32\PYgGvDt.exe
  C:\Windows\System32\PYgGvDt.exe
  2⤵
  PID:12088
- C:\Windows\System32\cAvMCED.exe
  C:\Windows\System32\cAvMCED.exe
  2⤵
  PID:12148
- C:\Windows\System32\eBxTNUm.exe
  C:\Windows\System32\eBxTNUm.exe
  2⤵
  PID:12244
- C:\Windows\System32\mLaQGGv.exe
  C:\Windows\System32\mLaQGGv.exe
  2⤵
  PID:11344
- C:\Windows\System32\WrnFxCv.exe
  C:\Windows\System32\WrnFxCv.exe
  2⤵
  PID:11452
- C:\Windows\System32\qcQzAXr.exe
  C:\Windows\System32\qcQzAXr.exe
  2⤵
  PID:11676
- C:\Windows\System32\cbQsqiw.exe
  C:\Windows\System32\cbQsqiw.exe
  2⤵
  PID:11700
- C:\Windows\System32\EFEDIks.exe
  C:\Windows\System32\EFEDIks.exe
  2⤵
  PID:11896
- C:\Windows\System32\vlrILAT.exe
  C:\Windows\System32\vlrILAT.exe
  2⤵
  PID:12144
- C:\Windows\System32\ViXwxba.exe
  C:\Windows\System32\ViXwxba.exe
  2⤵
  PID:12280
- C:\Windows\System32\NEVcMvh.exe
  C:\Windows\System32\NEVcMvh.exe
  2⤵
  PID:11600
- C:\Windows\System32\CYZREVE.exe
  C:\Windows\System32\CYZREVE.exe
  2⤵
  PID:12104
- C:\Windows\System32\dZFRtLU.exe
  C:\Windows\System32\dZFRtLU.exe
  2⤵
  PID:11784
- C:\Windows\System32\IXJNfLI.exe
  C:\Windows\System32\IXJNfLI.exe
  2⤵
  PID:11272
- C:\Windows\System32\FoQmJmZ.exe
  C:\Windows\System32\FoQmJmZ.exe
  2⤵
  PID:12296
- C:\Windows\System32\bnJcrMD.exe
  C:\Windows\System32\bnJcrMD.exe
  2⤵
  PID:12324
- C:\Windows\System32\rBuiYhK.exe
  C:\Windows\System32\rBuiYhK.exe
  2⤵
  PID:12356
- C:\Windows\System32\ruwHLOD.exe
  C:\Windows\System32\ruwHLOD.exe
  2⤵
  PID:12388
- C:\Windows\System32\YITwKCh.exe
  C:\Windows\System32\YITwKCh.exe
  2⤵
  PID:12404
- C:\Windows\System32\ncXlgAf.exe
  C:\Windows\System32\ncXlgAf.exe
  2⤵
  PID:12436
- C:\Windows\System32\edpyqtd.exe
  C:\Windows\System32\edpyqtd.exe
  2⤵
  PID:12472
- C:\Windows\System32\SovbdrI.exe
  C:\Windows\System32\SovbdrI.exe
  2⤵
  PID:12492
- C:\Windows\System32\WFBACQJ.exe
  C:\Windows\System32\WFBACQJ.exe
  2⤵
  PID:12524
- C:\Windows\System32\PyFSuDB.exe
  C:\Windows\System32\PyFSuDB.exe
  2⤵
  PID:12556
- C:\Windows\System32\MVPXltv.exe
  C:\Windows\System32\MVPXltv.exe
  2⤵
  PID:12576
- C:\Windows\System32\GTnNEnS.exe
  C:\Windows\System32\GTnNEnS.exe
  2⤵
  PID:12616
- C:\Windows\System32\jfQImMk.exe
  C:\Windows\System32\jfQImMk.exe
  2⤵
  PID:12640
- C:\Windows\System32\BKquvsc.exe
  C:\Windows\System32\BKquvsc.exe
  2⤵
  PID:12664
- C:\Windows\System32\xOILiPA.exe
  C:\Windows\System32\xOILiPA.exe
  2⤵
  PID:12696
- C:\Windows\System32\ALIAwaF.exe
  C:\Windows\System32\ALIAwaF.exe
  2⤵
  PID:12716
- C:\Windows\System32\hDHfEmh.exe
  C:\Windows\System32\hDHfEmh.exe
  2⤵
  PID:12740
- C:\Windows\System32\EZiykxq.exe
  C:\Windows\System32\EZiykxq.exe
  2⤵
  PID:12764
- C:\Windows\System32\TPDskeZ.exe
  C:\Windows\System32\TPDskeZ.exe
  2⤵
  PID:12800
- C:\Windows\System32\tNLvbAW.exe
  C:\Windows\System32\tNLvbAW.exe
  2⤵
  PID:12840
- C:\Windows\System32\blSqJYw.exe
  C:\Windows\System32\blSqJYw.exe
  2⤵
  PID:12868
- C:\Windows\System32\oIQmkxo.exe
  C:\Windows\System32\oIQmkxo.exe
  2⤵
  PID:12908
- C:\Windows\System32\HrUmKyQ.exe
  C:\Windows\System32\HrUmKyQ.exe
  2⤵
  PID:12944
- C:\Windows\System32\vnAHOUw.exe
  C:\Windows\System32\vnAHOUw.exe
  2⤵
  PID:12960
- C:\Windows\System32\IUedmqR.exe
  C:\Windows\System32\IUedmqR.exe
  2⤵
  PID:13000
- C:\Windows\System32\bQLzjoZ.exe
  C:\Windows\System32\bQLzjoZ.exe
  2⤵
  PID:13016
- C:\Windows\System32\uTsLAFu.exe
  C:\Windows\System32\uTsLAFu.exe
  2⤵
  PID:13044
- C:\Windows\System32\YheLfLJ.exe
  C:\Windows\System32\YheLfLJ.exe
  2⤵
  PID:13076
- C:\Windows\System32\ZJpZCIw.exe
  C:\Windows\System32\ZJpZCIw.exe
  2⤵
  PID:13108
- C:\Windows\System32\CVjWPeR.exe
  C:\Windows\System32\CVjWPeR.exe
  2⤵
  PID:13136
- C:\Windows\System32\dhqDnpH.exe
  C:\Windows\System32\dhqDnpH.exe
  2⤵
  PID:13156
- C:\Windows\System32\gvvdhkd.exe
  C:\Windows\System32\gvvdhkd.exe
  2⤵
  PID:13184
- C:\Windows\System32\JdavDDV.exe
  C:\Windows\System32\JdavDDV.exe
  2⤵
  PID:13228
- C:\Windows\System32\wOaxXoz.exe
  C:\Windows\System32\wOaxXoz.exe
  2⤵
  PID:13252
- C:\Windows\System32\xpbiAUa.exe
  C:\Windows\System32\xpbiAUa.exe
  2⤵
  PID:13280
- C:\Windows\System32\ALCZtlS.exe
  C:\Windows\System32\ALCZtlS.exe
  2⤵
  PID:2444
- C:\Windows\System32\lwdzStZ.exe
  C:\Windows\System32\lwdzStZ.exe
  2⤵
  PID:12316
- C:\Windows\System32\yITcHwZ.exe
  C:\Windows\System32\yITcHwZ.exe
  2⤵
  PID:12444
- C:\Windows\System32\MfwIfjG.exe
  C:\Windows\System32\MfwIfjG.exe
  2⤵
  PID:12488
- C:\Windows\System32\OOXrgir.exe
  C:\Windows\System32\OOXrgir.exe
  2⤵
  PID:12540
- C:\Windows\System32\ydxjDWi.exe
  C:\Windows\System32\ydxjDWi.exe
  2⤵
  PID:12604
- C:\Windows\System32\dJerwHu.exe
  C:\Windows\System32\dJerwHu.exe
  2⤵
  PID:12672
- C:\Windows\System32\zjgwKVT.exe
  C:\Windows\System32\zjgwKVT.exe
  2⤵
  PID:12752
- C:\Windows\System32\LdSOvYi.exe
  C:\Windows\System32\LdSOvYi.exe
  2⤵
  PID:12812
- C:\Windows\System32\UVNDyIy.exe
  C:\Windows\System32\UVNDyIy.exe
  2⤵
  PID:12880
- C:\Windows\System32\yMreMMK.exe
  C:\Windows\System32\yMreMMK.exe
  2⤵
  PID:12956
- C:\Windows\System32\KaLPxYL.exe
  C:\Windows\System32\KaLPxYL.exe
  2⤵
  PID:13028
- C:\Windows\System32\kGGNSjo.exe
  C:\Windows\System32\kGGNSjo.exe
  2⤵
  PID:13084
- C:\Windows\System32\szhbFCr.exe
  C:\Windows\System32\szhbFCr.exe
  2⤵
  PID:13148
- C:\Windows\System32\JNEqhrt.exe
  C:\Windows\System32\JNEqhrt.exe
  2⤵
  PID:13200
- C:\Windows\System32\ibeglcQ.exe
  C:\Windows\System32\ibeglcQ.exe
  2⤵
  PID:13276
- C:\Windows\System32\lNxCElA.exe
  C:\Windows\System32\lNxCElA.exe
  2⤵
  PID:12416

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:10140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AmcFkGT.exe

Filesize
3.0MB

MD5
038290713e951571b59b4d1ca985f405

SHA1
16535c18c52bd4414753c5919d16a9992d604f43

SHA256
95822b722a29aa46bf91794f6142e6798bd863026f2eea00186d67eea1994b84

SHA512
b6415b437ea850dba0c69d70fdde2d83899f19134f89af9ee93b8def813cd209d8eda64d331162c0f8f290bf6be989c36d9fea720669b7f1af4afcfc7d82adf8

Download Submit
C:\Windows\System32\Avaiwqm.exe

Filesize
3.0MB

MD5
2eb689fb712e9ac853eb86e69ce187cf

SHA1
3e138a89aaa5cdcb6415d39e3c008236810d13e9

SHA256
c6c210e8bac56b8e6e12d711042826b50a99379e7b3e434a8be49357028a8a35

SHA512
efce61fa0c76af016a7eb21bbf1439827a4d396e51223ef24c5c33475cfdc2c624db9145361eb8645accb55360fa6879c8a4fc58ff7ff274dc8bb3cae79bb935

Download Submit
C:\Windows\System32\DnXwJRV.exe

Filesize
3.0MB

MD5
76c6e95abea8fb8e154b9b9567b45829

SHA1
efb83e0be1f6a6b0b90fbf08001327c801c4a682

SHA256
3919a8871a8dc7d41ceda6e85a45b7302820c4fb3c7fbf7abd89b3714df1246e

SHA512
54333e0282fadd1992439cf975dd413a34644f2d2fd42b37062a4914f56ad0a921c16ff573d277d2f992d4c1da6d1d2dc29435f5bb74ad1e9d6e14913cb5a8e6

Download Submit
C:\Windows\System32\EDtnNSu.exe

Filesize
3.0MB

MD5
4ac197270fbdef673c1292044d93165b

SHA1
8d12881037b2b0d63ab6c0e971f57cba0e51026c

SHA256
87b915900b0b72cc8f0ffa6f1a97435ac61f0d5827d6b686c0e0961f1e008728

SHA512
f12331f9e38ed7f8b60254a5e61035d136288e64e438867ccf6e0d0d0abdb2d35b22fc1a61e102f6648d0c1f48aa1433c856920b9a87e40c667e9b9623f69e4f

Download Submit
C:\Windows\System32\EOXNeGM.exe

Filesize
3.0MB

MD5
bd277efe6509f055bf91a74c2e5a8df8

SHA1
c5a39c24c2f8f171de7603f6744c6a1d652bf876

SHA256
87853cac297bec40c77ec32748813dfce3260db3f628eef0bb9a3049aaca2897

SHA512
bf7b4d6d4d55e60f84c49b94967fe2cedeb2ef53f2614b6a32c587da360a735ed6bef01ba94d8dee3ead81f79713f569a15188af387147cf65051825161fd12d

Download Submit
C:\Windows\System32\FepyhFy.exe

Filesize
3.0MB

MD5
19e21712f2c3d4dcbded8c46a901d44d

SHA1
586461cbba36c3e2261e976709d7e2c9aaa54f24

SHA256
32d3d5c0607d0f5f7e64cb55bbf79984fd60b7afd1594a97298532594a780de1

SHA512
39e980a6fbdedf723b8ae47235c078671aab571505fda25cef212058d07224ce8078fe7e8fcf75792ff087a614dba3f1e9757d12d68d1cbe67b66cf298fd1029

Download Submit
C:\Windows\System32\GIOlxhO.exe

Filesize
3.0MB

MD5
62be762d0ff56db33960b91f59b5eee4

SHA1
89803e22bd1e52b4e472a3bb96ab982b375a94e9

SHA256
5d6e9c93b2075ec21f636babdbad662ecbde561bc6636e784698bf6512186915

SHA512
c32f2bfdac6b622116e59abd3719b41a260a0e2f075b22a20898f5af9e32654e41c588d3e155086a7f27876b9393ce1cb760906b090acad6c26007994cc3c265

Download Submit
C:\Windows\System32\HCHxsVj.exe

Filesize
3.0MB

MD5
02cb57959ca200dbcea459fd7dd9d066

SHA1
471cce4c84dc364f20c3976391fe1c058234a418

SHA256
a86c03e058fe96b0ca55212c3be19362659ccf689d65967d4513bc4594767a81

SHA512
3c104db6d73ca957b52f81f057d4465d20f270a9158db2c8060476e257bb89dafac86ae51def8fb96307469bd329c225e894e5c8e1985ff61b85120664776789

Download Submit
C:\Windows\System32\HOerKFm.exe

Filesize
3.0MB

MD5
af5b6d8b90734e4acb9c88731bdd8a94

SHA1
5612ef14705bd57c13f78a202ec016c63ddfb46e

SHA256
db2f0a6dd60e499b4424c9c738bc12d1251674b214202a0315177776fc882a51

SHA512
6a5ccc2bbbdf7b5666db6693ce58dbabaf72e4d786567dce486bd3b685b5832e9114a899d59215ebb497d312039ab58cdde9fa5d3b42a672a4ee8037a39c6a85

Download Submit
C:\Windows\System32\NVvCXMJ.exe

Filesize
3.0MB

MD5
b65946edbef1c4a65c31cf6dffc4755c

SHA1
4b3d14bdc6e971b05cefe337ca7bdb6e5156f933

SHA256
a6a89755864976f9584c2149d1f398ad57e15421d49e4db5f88e7c3dd6366e06

SHA512
f7d6aa3d05f5653dbd99fe0ea24c3f8710e97cd42af68ae527b4e32d677fe0acae3badcfb8b4ff7c62435a6d1ffc91cb81e9b9376afa1901249b6a15d5f19b7d

Download Submit
C:\Windows\System32\SmOniFO.exe

Filesize
3.0MB

MD5
024f474e9a2cae6923363a3c89488851

SHA1
b5a69e2b99914825309b318ea065672154955e98

SHA256
17986182188b2e358a23329d3e732f94dbd03c1fdee4c41df4fddf2ccb635a7d

SHA512
98c96d3482a878faed708afc7f9b1844d5339d5ccb0c94bcb8e8b0d5b95cb5483b5050f3a26afbbf15f77c4b15e0b9fc3db4e62ddeb48053e3ac10dcc6c1a7cb

Download Submit
C:\Windows\System32\VsYdomn.exe

Filesize
3.0MB

MD5
81dc6be6097c41f1ed043ae47c56dc0b

SHA1
1eb16ca85395825bc0805a79c6c3f1bd0ec33767

SHA256
cedbef21887f7c713d54ec00d7b071b133b67b6064661938b4db606a46dfa75e

SHA512
19bcdd3bfd4d6acb9979850311f939110ba91ba2602814ffe8a9c2709c07bdb91c53dbeff857bb6135c19570cea530e2cd8170e813e2152f25cd2f0e8dd8c7d8

Download Submit
C:\Windows\System32\ZFOiXiW.exe

Filesize
3.0MB

MD5
be3176a24f96a1ecd27b3c23dc6a69f1

SHA1
00b3fbe7048b1db5e64272dc6b3c3a4e6599befd

SHA256
487985d852b7baecd44add5284108284017b5d917eeacea1303c5dbe56656076

SHA512
f1077abd49b766e8de5b99783efd664539d0d97f960fb7fca4190625aaed38c49bce9f1b3588ccce0a3774a169eca524d2d1b7570ad6fe9884efe70d286a2893

Download Submit
C:\Windows\System32\cmrPBUj.exe

Filesize
3.0MB

MD5
31fa1a24312d348847cd92488cc31622

SHA1
70dbee78783465aa62e5e6130dc11a24d7558850

SHA256
59cb48adb6650e2d145986f715c035d1d7f39dafe6a10d70ac2d62829cb4c5cb

SHA512
4109b78b103889b7406bbde7c891420f86499562055dc75001c72878323de789d68efc3c6df213bfe8cd7c44f5a6d04593aea9161ff48d99ce686e5ccfbf5ed9

Download Submit
C:\Windows\System32\fzMKMEl.exe

Filesize
3.0MB

MD5
698898dc7eb439753c20fcc2226c1ff6

SHA1
4aefdd270f388b36b1352dbbac90c96d4bf55fa5

SHA256
9a633533feed6e47cf570029a97149fab7d64434dd63fe9dab09ecaebeb63e69

SHA512
76f9959d6f261629a82937765f96035ff1078228456aaf6f8b21ff732bd249725c7b1754d2565fdd0bd71a949790d1cb464c9b55556b8600f6d3817719ccb0d1

Download Submit
C:\Windows\System32\gRAseWU.exe

Filesize
3.0MB

MD5
2c39582aee09215c61a851487689af3d

SHA1
119ea576666f057f28052dc7b2d847f129973f0b

SHA256
ed3a8b5be4e1cce1969faecbc23b7f98953ec1238a9ca570c470156694b82462

SHA512
5e645e2d1aaf1fb8c2f63573c22b6245d23b737c9f00e44a77322a0f0de5a2df7f553e82567a8c28d01ac350e97657849bfdd37f786c3d90b1f912ef7f37ec90

Download Submit
C:\Windows\System32\igTnobO.exe

Filesize
3.0MB

MD5
d39d0f485dcdb10a76fbb5d3a0d89794

SHA1
1263da2e9337f9b93a5b679eea8ef0638b3a5e72

SHA256
3e0c8877f624c65481772d781b2ff528126b13cf25f778dfddda7ece59699dcb

SHA512
10bf4a0182a0d624ecb8d89ee95ee6ac859178c031c2a1d5de20fc780fd463d6bee827a192c5ce5ed96946ab0ef38cfd61b8b51388e7f36167426cb35eb2bc27

Download Submit
C:\Windows\System32\kFIetEc.exe

Filesize
3.0MB

MD5
9a45b9a70c329ba0403872b4ccd12878

SHA1
1ad8dde2921cda38273415fe7143a0b68ee6cebb

SHA256
4bf55a21e2b05ad028b6b73ee212caf0f33a095d9918d237cf676a20dc360c1d

SHA512
bd42ba51b9384af8c56827c07e0c5d56420b00184178db13139338daba56d7bbf4cf3554948569080adb272bad7a723f64248fa65f5edd6198cd0f6813149815

Download Submit
C:\Windows\System32\lRqwaUp.exe

Filesize
3.0MB

MD5
c580c7088545297f3c5471924d3946c8

SHA1
0a2c8443735d8819bc0dc216a65b44be6b912071

SHA256
4c56814c1e03c81ae66f1f5d4fdcf619386ba691ac3ec3a6d0350f5d15756d2b

SHA512
2b32fe0477d17ae0ad03a30bc145bb61253506f51b33d63a7d84e81382919c761600db6b7c9c7097f330743837d1cc893afe956314d1905e18b62a86f013094a

Download Submit
C:\Windows\System32\mOULDdB.exe

Filesize
3.0MB

MD5
555c9602e67539e9985b694f4a8914ab

SHA1
ac9233319416fc11a63354d4378ac4634ecd4220

SHA256
30b81f5977caf9acd89cb35d3cdeae2be084e8080d828a52be6202851ed38a43

SHA512
1dc070f3f4eef6cb17239a06207a18aa40f3312f14bb39ea4401e2d64bc5a81c92ee3926087c22c62243079789b884d838412ecdbbd493dc12cab47756debc04

Download Submit
C:\Windows\System32\mfeSCTY.exe

Filesize
3.0MB

MD5
246c1efd215e647b5b9689e41c9bb663

SHA1
01960f639d3ab99947b84f0f65f6bb336df312dd

SHA256
aa486a98f471ce68569ca8f56c3c60dfa03d9b79684d59b9b2d302b06292fb35

SHA512
ba8f551e05a3f4907609f5d60be2a4e42cb8ba3302afd07daf61d352f01bc3e2bd981dce87afaf5700cbea8f8ec425418c17c672c31b1b2a42b43feff24237e1

Download Submit
C:\Windows\System32\nBAEzXg.exe

Filesize
3.0MB

MD5
a29983492d0ea3f5f73050bab735fa8c

SHA1
c8259a9af58eb747852b9fd06ef660f289a9d47b

SHA256
a9e927e8a1a7dbd85ab768eb31cdff956b083c2dba0c55ea3d595dfd2aef1dbd

SHA512
ccd93fce2df421ebae0537e6402c8e3bafa7755a31cf03d7b6014d7fa96ec795f0de70a59fe1ad0f8485bb85c664779894b7517dd71f230ac55bbaefa8b4f019

Download Submit
C:\Windows\System32\nSmKlQT.exe

Filesize
3.0MB

MD5
f81cbb4809818323a7cb743b3a2b06e4

SHA1
25a1c292918f4ab6170c1d939fa4ecc1d6366e29

SHA256
f026cd0a3726d31e54e505f2eb30e780f63e3ad97a5cd2087c8b2be4d4b7dd50

SHA512
35664ecedaf56ff00097b0c490956925b58f3fd3d30f3e4a468fab51b75d4925bbec10e4b460f7679ea142509846b81e4ec66740128d78562aff8f98fcd38b47

Download Submit
C:\Windows\System32\pmlXSGY.exe

Filesize
3.0MB

MD5
e72f7524e245969e32c51c5b5f8cd5d2

SHA1
506df753d6186edf5a949a63c75bb0d5b9198f6d

SHA256
6588e3a5bab50c0ee1653cae1309ad06abbf1c2d1320aa4c16d55abff44338ce

SHA512
3775220db0fc42056b491dec10362da509507e37d6e978658e635ba0f1633f235d343ff0d50538d7f160540481b529cbda29053fc9035d5403abe02aa042b732

Download Submit
C:\Windows\System32\qbDXCjV.exe

Filesize
3.0MB

MD5
6969eece920fe420a80e29542f575aac

SHA1
e4f2077e68ccd527e55d96dcbf14ba4b645d67a6

SHA256
09cc10a804ed1a5108df678862d88b29db5bd3dcdd5b382905b461c040ea21ad

SHA512
9aa5fc5ac666999af4b8cd5efa1e5999beee747e439c1f0bba0f43e549b6895ac5b896477fa6344e70a4a8b6709dbd5b9b4a9afead40d78c6cb77df9a72ea80d

Download Submit
C:\Windows\System32\svBNqRg.exe

Filesize
3.0MB

MD5
0cd00c2a218ebc84355c8dc43fea8f19

SHA1
4f49c655172143461f6a1102e666e8de43504da2

SHA256
7ffa348b18de9e98af28c3f0fbd40eff50023d583fcf2054e86db40dcfce0401

SHA512
aba93658b63adb3fa7e59f1aae31c89e3c7234f6aaa814b417688512e34e4135f44dead1a2e8fa0272f063751552dbfc6cfb65b951c9db8bec03fefaaef5bc01

Download Submit
C:\Windows\System32\vQfIfRZ.exe

Filesize
3.0MB

MD5
c5460c1d9a7c219b66fb98cabf58220e

SHA1
492fa6aa2bad2b32ae6455d74744d4ef60f02976

SHA256
4eae8442f1ee99af6cd0a64f1318435e2999ad8723d1d66a8686e4312a966cc7

SHA512
778d6419f3d207ca063bcc26708bee9dde4badb7dcdd017248bd91d59db76d0d105771e3cd964dcefc1e84c32356a6b37d564a55f86921c180a990b3e5431dba

Download Submit
C:\Windows\System32\vrUYnGS.exe

Filesize
3.0MB

MD5
ba60dafbc3d8947573cd594e50453a37

SHA1
9aa42958cdb7b056c39ca8d7f9c558d578e7c3c8

SHA256
de292e99608aff2aef426920252b071778830209f03f9261701ab22a122dce72

SHA512
99039c3635f6c83321660ad6cf7af814363c0c83d011924d13bb104e556625f0576c30c325cb9a2be7c07243d551c4ced9e0540d654d9f77405da03a21a491b7

Download Submit
C:\Windows\System32\wKMQmOD.exe

Filesize
3.0MB

MD5
99e1d3cab746c130b71db59949c3c2b8

SHA1
2021aa69083f52e4521da51ab19174b0c1ca1a43

SHA256
6442bc110647ee87c962f614e46b505680c38eb075516dc39947f8bdf546293b

SHA512
9666ee3f658163edd5650d27471b864cb9af6abd587b02882e32472dae27f5116a8c9e877c7fe89ebe54455f169ff93ecc71206fe3cd36dac4844d84a1889280

Download Submit
C:\Windows\System32\wgHXZLb.exe

Filesize
3.0MB

MD5
725e4f103dce40d07c7bb663b8bb5fee

SHA1
ce4efb8d1a8f1e4d25bc66a674f02044963081f9

SHA256
4faf863eef47b6cf86c045117ffe054e471a33be93175e428bbb08f64a4adca5

SHA512
0d3698706a86a4358620affb06a9c3fbd5af634e1f46f0290840fe02e81fb31a07f83633af5c8ca665ce879c9c195a4b971ca3baee5f0de6459ae00ee3850350

Download Submit
C:\Windows\System32\xWcVAWL.exe

Filesize
3.0MB

MD5
82429cd4acd94c373051c36b9de58a3e

SHA1
4ccb9841615d24a5c17ed7ce2ec524de73b369dd

SHA256
c6841c2c0f7c4e6b45b13d4c6608d58168522100a1db0dd167ac95f1cb73eea7

SHA512
eb5b76eeb375fae96e8841fbe374be52de836060985fedbf03e1cd70afcc0103340b065ca72a28c01454abd9d5ec1b4126b5215a9434f847ec85cec2eb50f974

Download Submit
C:\Windows\System32\yIjuXKd.exe

Filesize
3.0MB

MD5
398fc2aad8355b76e2048c3dd85cde6d

SHA1
d14c59b8bdd193502fb692908cd367da0a4eb9fe

SHA256
4fb031752abcef103f12f1be4185bd9fa28b2197d26e710093a0200f73330123

SHA512
68b1c78731d77f4550fdfd9456e713b0708bcf9c2d055c21d91b0e4a7893578b848e13855c4db61c8ea419f33e361ab926482a24cfc7fab6e3f07a765065cbbb

Download Submit
memory/640-860-0x00007FF7BDE10000-0x00007FF7BE205000-memory.dmp

Filesize
4.0MB

Download
memory/640-1897-0x00007FF7BDE10000-0x00007FF7BE205000-memory.dmp

Filesize
4.0MB

Download
memory/876-826-0x00007FF635920000-0x00007FF635D15000-memory.dmp

Filesize
4.0MB

Download
memory/876-1890-0x00007FF635920000-0x00007FF635D15000-memory.dmp

Filesize
4.0MB

Download
memory/1016-1885-0x00007FF777F90000-0x00007FF778385000-memory.dmp

Filesize
4.0MB

Download
memory/1016-988-0x00007FF777F90000-0x00007FF778385000-memory.dmp

Filesize
4.0MB

Download
memory/1044-1903-0x00007FF7160A0000-0x00007FF716495000-memory.dmp

Filesize
4.0MB

Download
memory/1044-932-0x00007FF7160A0000-0x00007FF716495000-memory.dmp

Filesize
4.0MB

Download
memory/1132-1898-0x00007FF7F6F20000-0x00007FF7F7315000-memory.dmp

Filesize
4.0MB

Download
memory/1132-853-0x00007FF7F6F20000-0x00007FF7F7315000-memory.dmp

Filesize
4.0MB

Download
memory/1372-1893-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp

Filesize
4.0MB

Download
memory/1372-839-0x00007FF73DC30000-0x00007FF73E025000-memory.dmp

Filesize
4.0MB

Download
memory/1684-1882-0x00007FF634C90000-0x00007FF635085000-memory.dmp

Filesize
4.0MB

Download
memory/1684-14-0x00007FF634C90000-0x00007FF635085000-memory.dmp

Filesize
4.0MB

Download
memory/1712-802-0x00007FF6AC1A0000-0x00007FF6AC595000-memory.dmp

Filesize
4.0MB

Download
memory/1712-1888-0x00007FF6AC1A0000-0x00007FF6AC595000-memory.dmp

Filesize
4.0MB

Download
memory/1928-1899-0x00007FF7A3810000-0x00007FF7A3C05000-memory.dmp

Filesize
4.0MB

Download
memory/1928-842-0x00007FF7A3810000-0x00007FF7A3C05000-memory.dmp

Filesize
4.0MB

Download
memory/2036-1905-0x00007FF725440000-0x00007FF725835000-memory.dmp

Filesize
4.0MB

Download
memory/2036-866-0x00007FF725440000-0x00007FF725835000-memory.dmp

Filesize
4.0MB

Download
memory/2876-17-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp

Filesize
4.0MB

Download
memory/2876-1883-0x00007FF60E5B0000-0x00007FF60E9A5000-memory.dmp

Filesize
4.0MB

Download
memory/2952-831-0x00007FF6A9BA0000-0x00007FF6A9F95000-memory.dmp

Filesize
4.0MB

Download
memory/2952-1889-0x00007FF6A9BA0000-0x00007FF6A9F95000-memory.dmp

Filesize
4.0MB

Download
memory/3228-1892-0x00007FF77E870000-0x00007FF77EC65000-memory.dmp

Filesize
4.0MB

Download
memory/3228-836-0x00007FF77E870000-0x00007FF77EC65000-memory.dmp

Filesize
4.0MB

Download
memory/3324-1891-0x00007FF7FA3A0000-0x00007FF7FA795000-memory.dmp

Filesize
4.0MB

Download
memory/3324-819-0x00007FF7FA3A0000-0x00007FF7FA795000-memory.dmp

Filesize
4.0MB

Download
memory/3576-1896-0x00007FF78F1B0000-0x00007FF78F5A5000-memory.dmp

Filesize
4.0MB

Download
memory/3576-871-0x00007FF78F1B0000-0x00007FF78F5A5000-memory.dmp

Filesize
4.0MB

Download
memory/3660-1902-0x00007FF749970000-0x00007FF749D65000-memory.dmp

Filesize
4.0MB

Download
memory/3660-873-0x00007FF749970000-0x00007FF749D65000-memory.dmp

Filesize
4.0MB

Download
memory/3852-1895-0x00007FF6BE140000-0x00007FF6BE535000-memory.dmp

Filesize
4.0MB

Download
memory/3852-938-0x00007FF6BE140000-0x00007FF6BE535000-memory.dmp

Filesize
4.0MB

Download
memory/4172-0-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp

Filesize
4.0MB

Download
memory/4172-1-0x000002294F4B0000-0x000002294F4C0000-memory.dmp

Filesize
64KB

Download
memory/4172-1881-0x00007FF7D1D00000-0x00007FF7D20F5000-memory.dmp

Filesize
4.0MB

Download
memory/4356-1884-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp

Filesize
4.0MB

Download
memory/4356-792-0x00007FF7A4A60000-0x00007FF7A4E55000-memory.dmp

Filesize
4.0MB

Download
memory/4644-1894-0x00007FF79FE60000-0x00007FF7A0255000-memory.dmp

Filesize
4.0MB

Download
memory/4644-984-0x00007FF79FE60000-0x00007FF7A0255000-memory.dmp

Filesize
4.0MB

Download
memory/4732-977-0x00007FF606240000-0x00007FF606635000-memory.dmp

Filesize
4.0MB

Download
memory/4732-1900-0x00007FF606240000-0x00007FF606635000-memory.dmp

Filesize
4.0MB

Download
memory/4780-1887-0x00007FF756920000-0x00007FF756D15000-memory.dmp

Filesize
4.0MB

Download
memory/4780-808-0x00007FF756920000-0x00007FF756D15000-memory.dmp

Filesize
4.0MB

Download
memory/4784-1886-0x00007FF7F03C0000-0x00007FF7F07B5000-memory.dmp

Filesize
4.0MB

Download
memory/4784-799-0x00007FF7F03C0000-0x00007FF7F07B5000-memory.dmp

Filesize
4.0MB

Download
memory/4848-935-0x00007FF7BFD30000-0x00007FF7C0125000-memory.dmp

Filesize
4.0MB

Download
memory/4848-1901-0x00007FF7BFD30000-0x00007FF7C0125000-memory.dmp

Filesize
4.0MB

Download
memory/5100-1904-0x00007FF63F2D0000-0x00007FF63F6C5000-memory.dmp

Filesize
4.0MB

Download
memory/5100-863-0x00007FF63F2D0000-0x00007FF63F6C5000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads