xmrig | ff5122822dcafc4ca060eb352a758d408ebbc94b51180550581daa64a6bbcbb1

Analysis

max time kernel
132s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
Size

1.4MB
MD5

05e09527b67b3f9ac93fac74b8ae4240
SHA1

dc74e3f0b8dc9c81811942fe2feee3d3751d5052
SHA256

ff5122822dcafc4ca060eb352a758d408ebbc94b51180550581daa64a6bbcbb1
SHA512

6edabeeecdccda888438bba1ace6d6b0e508c81e343a8950e0bcdf7518f2ad6b286023aaacd610657962c3527617266219d8f89f1eeb74051629a63b08ddb49e
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZdO23/oF7u3hmxjfU3KXAnmwJThEz8tU/FVJr:knw9oUUEEDl3aEUiRSW2j3r

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4496-483-0x00007FF649C30000-0x00007FF64A021000-memory.dmp	xmrig
behavioral2/memory/3380-482-0x00007FF6601F0000-0x00007FF6605E1000-memory.dmp	xmrig
behavioral2/memory/3516-484-0x00007FF6CE3D0000-0x00007FF6CE7C1000-memory.dmp	xmrig
behavioral2/memory/3792-486-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp	xmrig
behavioral2/memory/2912-485-0x00007FF69E480000-0x00007FF69E871000-memory.dmp	xmrig
behavioral2/memory/3796-499-0x00007FF6B16D0000-0x00007FF6B1AC1000-memory.dmp	xmrig
behavioral2/memory/4692-496-0x00007FF6324E0000-0x00007FF6328D1000-memory.dmp	xmrig
behavioral2/memory/4604-504-0x00007FF6265C0000-0x00007FF6269B1000-memory.dmp	xmrig
behavioral2/memory/3712-510-0x00007FF6B3800000-0x00007FF6B3BF1000-memory.dmp	xmrig
behavioral2/memory/3776-507-0x00007FF74F1C0000-0x00007FF74F5B1000-memory.dmp	xmrig
behavioral2/memory/4920-493-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp	xmrig
behavioral2/memory/2252-490-0x00007FF6B7160000-0x00007FF6B7551000-memory.dmp	xmrig
behavioral2/memory/3884-512-0x00007FF6B5D40000-0x00007FF6B6131000-memory.dmp	xmrig
behavioral2/memory/4464-516-0x00007FF64DDE0000-0x00007FF64E1D1000-memory.dmp	xmrig
behavioral2/memory/1364-523-0x00007FF703270000-0x00007FF703661000-memory.dmp	xmrig
behavioral2/memory/872-525-0x00007FF7E7170000-0x00007FF7E7561000-memory.dmp	xmrig
behavioral2/memory/3368-526-0x00007FF796800000-0x00007FF796BF1000-memory.dmp	xmrig
behavioral2/memory/1376-524-0x00007FF63EEA0000-0x00007FF63F291000-memory.dmp	xmrig
behavioral2/memory/1904-521-0x00007FF752200000-0x00007FF7525F1000-memory.dmp	xmrig
behavioral2/memory/2296-514-0x00007FF7FA2A0000-0x00007FF7FA691000-memory.dmp	xmrig
behavioral2/memory/5108-27-0x00007FF63A300000-0x00007FF63A6F1000-memory.dmp	xmrig
behavioral2/memory/3108-2013-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp	xmrig
behavioral2/memory/3416-2014-0x00007FF70B380000-0x00007FF70B771000-memory.dmp	xmrig
behavioral2/memory/2344-2020-0x00007FF718E70000-0x00007FF719261000-memory.dmp	xmrig
behavioral2/memory/3108-2022-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp	xmrig
behavioral2/memory/3792-2030-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp	xmrig
behavioral2/memory/2912-2034-0x00007FF69E480000-0x00007FF69E871000-memory.dmp	xmrig
behavioral2/memory/4920-2040-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp	xmrig
behavioral2/memory/3380-2036-0x00007FF6601F0000-0x00007FF6605E1000-memory.dmp	xmrig
behavioral2/memory/4496-2032-0x00007FF649C30000-0x00007FF64A021000-memory.dmp	xmrig
behavioral2/memory/3516-2028-0x00007FF6CE3D0000-0x00007FF6CE7C1000-memory.dmp	xmrig
behavioral2/memory/3416-2026-0x00007FF70B380000-0x00007FF70B771000-memory.dmp	xmrig
behavioral2/memory/5108-2024-0x00007FF63A300000-0x00007FF63A6F1000-memory.dmp	xmrig
behavioral2/memory/4604-2046-0x00007FF6265C0000-0x00007FF6269B1000-memory.dmp	xmrig
behavioral2/memory/3368-2067-0x00007FF796800000-0x00007FF796BF1000-memory.dmp	xmrig
behavioral2/memory/1376-2063-0x00007FF63EEA0000-0x00007FF63F291000-memory.dmp	xmrig
behavioral2/memory/1904-2059-0x00007FF752200000-0x00007FF7525F1000-memory.dmp	xmrig
behavioral2/memory/4464-2056-0x00007FF64DDE0000-0x00007FF64E1D1000-memory.dmp	xmrig
behavioral2/memory/3712-2052-0x00007FF6B3800000-0x00007FF6B3BF1000-memory.dmp	xmrig
behavioral2/memory/872-2065-0x00007FF7E7170000-0x00007FF7E7561000-memory.dmp	xmrig
behavioral2/memory/1364-2061-0x00007FF703270000-0x00007FF703661000-memory.dmp	xmrig
behavioral2/memory/2296-2054-0x00007FF7FA2A0000-0x00007FF7FA691000-memory.dmp	xmrig
behavioral2/memory/3884-2048-0x00007FF6B5D40000-0x00007FF6B6131000-memory.dmp	xmrig
behavioral2/memory/3776-2050-0x00007FF74F1C0000-0x00007FF74F5B1000-memory.dmp	xmrig
behavioral2/memory/3796-2044-0x00007FF6B16D0000-0x00007FF6B1AC1000-memory.dmp	xmrig
behavioral2/memory/4692-2042-0x00007FF6324E0000-0x00007FF6328D1000-memory.dmp	xmrig
behavioral2/memory/2252-2038-0x00007FF6B7160000-0x00007FF6B7551000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

LMJQyXz.exeZJKptkE.exelceYPXI.execYSZqMJ.exexUbILTh.execEDdhga.exesynWYLx.exewGYehGh.exeeoyhrPr.exetfUlDnH.exegcxHinf.exetnTAMHD.exeJrinJRw.exelchdjWV.exeosFuECZ.exetoCNTrE.exedSRcHrX.exevJKpIPD.exeZfFYBpS.exeSVaAHTV.exebypQylU.exefMGFxVp.exepOpHqUk.exeZZJxGLW.exePblLHbt.exemfQyMfZ.exeeDJMGrQ.exeefkXfGI.exeePNvtTP.exezdlDxmM.exeoOviVPK.exeqKoZWmQ.exeXkvaHTt.exeJhpVRBa.exeXDwBDAm.exefSwQbWO.exeEUxMgBg.exemUitHip.exeCGFxOsk.exeSwmBGCt.exeHqOssEh.exeFTUFquB.exenAdaxOq.exeHssutuR.exejkfeiFe.exePmeUFbg.exeRBLRRfB.exevANbcuR.exeIRIXjGx.exeGcKZudF.exehnRyMTB.exegcqiqLf.exeWajFAIm.exedRauTfJ.exebNkKsHK.exeWbzngHK.exexpVvPhu.exeBsOKbLl.exeHTDvsuN.exepYwCKmg.exeDkfdojv.exedQHityc.exeAfKGCQO.exekEPMXCI.exe

pid	process
3108	LMJQyXz.exe
2344	ZJKptkE.exe
3416	lceYPXI.exe
5108	cYSZqMJ.exe
3380	xUbILTh.exe
4496	cEDdhga.exe
3516	synWYLx.exe
2912	wGYehGh.exe
3792	eoyhrPr.exe
2252	tfUlDnH.exe
4920	gcxHinf.exe
4692	tnTAMHD.exe
3796	JrinJRw.exe
4604	lchdjWV.exe
3776	osFuECZ.exe
3712	toCNTrE.exe
3884	dSRcHrX.exe
2296	vJKpIPD.exe
4464	ZfFYBpS.exe
1904	SVaAHTV.exe
1364	bypQylU.exe
1376	fMGFxVp.exe
872	pOpHqUk.exe
3368	ZZJxGLW.exe
1204	PblLHbt.exe
2740	mfQyMfZ.exe
1716	eDJMGrQ.exe
1700	efkXfGI.exe
3736	ePNvtTP.exe
2360	zdlDxmM.exe
4388	oOviVPK.exe
2120	qKoZWmQ.exe
3296	XkvaHTt.exe
4056	JhpVRBa.exe
1088	XDwBDAm.exe
3256	fSwQbWO.exe
3808	EUxMgBg.exe
860	mUitHip.exe
4516	CGFxOsk.exe
388	SwmBGCt.exe
848	HqOssEh.exe
1232	FTUFquB.exe
1812	nAdaxOq.exe
2236	HssutuR.exe
2892	jkfeiFe.exe
2352	PmeUFbg.exe
4132	RBLRRfB.exe
1080	vANbcuR.exe
4368	IRIXjGx.exe
1896	GcKZudF.exe
1284	hnRyMTB.exe
3476	gcqiqLf.exe
4352	WajFAIm.exe
4232	dRauTfJ.exe
1408	bNkKsHK.exe
5096	WbzngHK.exe
3484	xpVvPhu.exe
1056	BsOKbLl.exe
2840	HTDvsuN.exe
2176	pYwCKmg.exe
1512	Dkfdojv.exe
1832	dQHityc.exe
2264	AfKGCQO.exe
4612	kEPMXCI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5012-0-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp	upx
C:\Windows\System32\lceYPXI.exe	upx
C:\Windows\System32\LMJQyXz.exe	upx
C:\Windows\System32\cYSZqMJ.exe	upx
C:\Windows\System32\xUbILTh.exe	upx
C:\Windows\System32\wGYehGh.exe	upx
C:\Windows\System32\gcxHinf.exe	upx
C:\Windows\System32\tnTAMHD.exe	upx
C:\Windows\System32\toCNTrE.exe	upx
C:\Windows\System32\bypQylU.exe	upx
C:\Windows\System32\pOpHqUk.exe	upx
C:\Windows\System32\eDJMGrQ.exe	upx
behavioral2/memory/4496-483-0x00007FF649C30000-0x00007FF64A021000-memory.dmp	upx
behavioral2/memory/3380-482-0x00007FF6601F0000-0x00007FF6605E1000-memory.dmp	upx
behavioral2/memory/3516-484-0x00007FF6CE3D0000-0x00007FF6CE7C1000-memory.dmp	upx
behavioral2/memory/3792-486-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp	upx
behavioral2/memory/2912-485-0x00007FF69E480000-0x00007FF69E871000-memory.dmp	upx
behavioral2/memory/3796-499-0x00007FF6B16D0000-0x00007FF6B1AC1000-memory.dmp	upx
behavioral2/memory/4692-496-0x00007FF6324E0000-0x00007FF6328D1000-memory.dmp	upx
behavioral2/memory/4604-504-0x00007FF6265C0000-0x00007FF6269B1000-memory.dmp	upx
behavioral2/memory/3712-510-0x00007FF6B3800000-0x00007FF6B3BF1000-memory.dmp	upx
behavioral2/memory/3776-507-0x00007FF74F1C0000-0x00007FF74F5B1000-memory.dmp	upx
behavioral2/memory/4920-493-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp	upx
behavioral2/memory/2252-490-0x00007FF6B7160000-0x00007FF6B7551000-memory.dmp	upx
behavioral2/memory/3884-512-0x00007FF6B5D40000-0x00007FF6B6131000-memory.dmp	upx
behavioral2/memory/4464-516-0x00007FF64DDE0000-0x00007FF64E1D1000-memory.dmp	upx
behavioral2/memory/1364-523-0x00007FF703270000-0x00007FF703661000-memory.dmp	upx
behavioral2/memory/872-525-0x00007FF7E7170000-0x00007FF7E7561000-memory.dmp	upx
behavioral2/memory/3368-526-0x00007FF796800000-0x00007FF796BF1000-memory.dmp	upx
behavioral2/memory/1376-524-0x00007FF63EEA0000-0x00007FF63F291000-memory.dmp	upx
behavioral2/memory/1904-521-0x00007FF752200000-0x00007FF7525F1000-memory.dmp	upx
behavioral2/memory/2296-514-0x00007FF7FA2A0000-0x00007FF7FA691000-memory.dmp	upx
C:\Windows\System32\qKoZWmQ.exe	upx
C:\Windows\System32\oOviVPK.exe	upx
C:\Windows\System32\zdlDxmM.exe	upx
C:\Windows\System32\ePNvtTP.exe	upx
C:\Windows\System32\efkXfGI.exe	upx
C:\Windows\System32\mfQyMfZ.exe	upx
C:\Windows\System32\PblLHbt.exe	upx
C:\Windows\System32\ZZJxGLW.exe	upx
C:\Windows\System32\fMGFxVp.exe	upx
C:\Windows\System32\SVaAHTV.exe	upx
C:\Windows\System32\ZfFYBpS.exe	upx
C:\Windows\System32\vJKpIPD.exe	upx
C:\Windows\System32\dSRcHrX.exe	upx
C:\Windows\System32\osFuECZ.exe	upx
C:\Windows\System32\lchdjWV.exe	upx
C:\Windows\System32\JrinJRw.exe	upx
C:\Windows\System32\tfUlDnH.exe	upx
C:\Windows\System32\eoyhrPr.exe	upx
C:\Windows\System32\synWYLx.exe	upx
C:\Windows\System32\cEDdhga.exe	upx
behavioral2/memory/5108-27-0x00007FF63A300000-0x00007FF63A6F1000-memory.dmp	upx
behavioral2/memory/3416-18-0x00007FF70B380000-0x00007FF70B771000-memory.dmp	upx
behavioral2/memory/2344-14-0x00007FF718E70000-0x00007FF719261000-memory.dmp	upx
behavioral2/memory/3108-13-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp	upx
C:\Windows\System32\ZJKptkE.exe	upx
behavioral2/memory/3108-2013-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp	upx
behavioral2/memory/3416-2014-0x00007FF70B380000-0x00007FF70B771000-memory.dmp	upx
behavioral2/memory/2344-2020-0x00007FF718E70000-0x00007FF719261000-memory.dmp	upx
behavioral2/memory/3108-2022-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp	upx
behavioral2/memory/3792-2030-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp	upx
behavioral2/memory/2912-2034-0x00007FF69E480000-0x00007FF69E871000-memory.dmp	upx
behavioral2/memory/4920-2040-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System32\eoyhrPr.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\vTWIDfv.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\XKMNGdU.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\caaLoXD.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\STIlyJs.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\qKoZWmQ.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\dQHityc.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\DJeVPXA.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\dPhyPaU.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\fQonPOj.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\nhwwIuN.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\jkfeiFe.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\PmeUFbg.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\IczVTNb.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\NmIUDMl.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\hTfZFaX.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\ZZlJUmp.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\BwSgGaw.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\ybENsRr.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\FXQKZzM.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\PECOngT.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\upHPkwn.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\ZUqaLQf.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\lPcmybs.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\LMJQyXz.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\CVmFtGQ.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\VpqGJkc.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\DMFnqHz.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\DpDtmsr.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\YjjpTPa.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\BeVEYHu.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\WbzngHK.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\EXzToHR.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\FyhVwxk.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\EWcoUHW.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\eTltJTv.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\dpVaMiC.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\KJNdwPM.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\JyHeuFh.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\NvmKUTi.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\ScIZEGo.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\nuoTAor.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\mRREUFE.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\flSSHGm.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\oKqkRnc.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\RAKLAHN.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\BsOKbLl.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\BvOeUzS.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\DNDixmB.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\xmOMgDO.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\MbDVGxN.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\kCgbvip.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\EQslWhb.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\HMnDcjO.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\fKqfITI.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\IJciqZv.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\UApGZya.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\rwQsJmY.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\DAUXTXS.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\sygNecm.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\mRmqylu.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\ShuREHa.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\nHlqIYA.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
File created	C:\Windows\System32\cEDdhga.exe	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	12388	dwm.exe
Token: SeChangeNotifyPrivilege	12388	dwm.exe
Token: 33	12388	dwm.exe
Token: SeIncBasePriorityPrivilege	12388	dwm.exe
Token: SeShutdownPrivilege	12388	dwm.exe
Token: SeCreatePagefilePrivilege	12388	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe

description	pid	process	target process
PID 5012 wrote to memory of 3108	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	LMJQyXz.exe
PID 5012 wrote to memory of 3108	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	LMJQyXz.exe
PID 5012 wrote to memory of 2344	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZJKptkE.exe
PID 5012 wrote to memory of 2344	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZJKptkE.exe
PID 5012 wrote to memory of 3416	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	lceYPXI.exe
PID 5012 wrote to memory of 3416	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	lceYPXI.exe
PID 5012 wrote to memory of 5108	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	cYSZqMJ.exe
PID 5012 wrote to memory of 5108	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	cYSZqMJ.exe
PID 5012 wrote to memory of 3380	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	xUbILTh.exe
PID 5012 wrote to memory of 3380	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	xUbILTh.exe
PID 5012 wrote to memory of 4496	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	cEDdhga.exe
PID 5012 wrote to memory of 4496	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	cEDdhga.exe
PID 5012 wrote to memory of 3516	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	synWYLx.exe
PID 5012 wrote to memory of 3516	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	synWYLx.exe
PID 5012 wrote to memory of 2912	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	wGYehGh.exe
PID 5012 wrote to memory of 2912	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	wGYehGh.exe
PID 5012 wrote to memory of 3792	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	eoyhrPr.exe
PID 5012 wrote to memory of 3792	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	eoyhrPr.exe
PID 5012 wrote to memory of 2252	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	tfUlDnH.exe
PID 5012 wrote to memory of 2252	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	tfUlDnH.exe
PID 5012 wrote to memory of 4920	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	gcxHinf.exe
PID 5012 wrote to memory of 4920	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	gcxHinf.exe
PID 5012 wrote to memory of 4692	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	tnTAMHD.exe
PID 5012 wrote to memory of 4692	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	tnTAMHD.exe
PID 5012 wrote to memory of 3796	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	JrinJRw.exe
PID 5012 wrote to memory of 3796	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	JrinJRw.exe
PID 5012 wrote to memory of 4604	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	lchdjWV.exe
PID 5012 wrote to memory of 4604	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	lchdjWV.exe
PID 5012 wrote to memory of 3776	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	osFuECZ.exe
PID 5012 wrote to memory of 3776	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	osFuECZ.exe
PID 5012 wrote to memory of 3712	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	toCNTrE.exe
PID 5012 wrote to memory of 3712	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	toCNTrE.exe
PID 5012 wrote to memory of 3884	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	dSRcHrX.exe
PID 5012 wrote to memory of 3884	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	dSRcHrX.exe
PID 5012 wrote to memory of 2296	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	vJKpIPD.exe
PID 5012 wrote to memory of 2296	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	vJKpIPD.exe
PID 5012 wrote to memory of 4464	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZfFYBpS.exe
PID 5012 wrote to memory of 4464	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZfFYBpS.exe
PID 5012 wrote to memory of 1904	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	SVaAHTV.exe
PID 5012 wrote to memory of 1904	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	SVaAHTV.exe
PID 5012 wrote to memory of 1364	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	bypQylU.exe
PID 5012 wrote to memory of 1364	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	bypQylU.exe
PID 5012 wrote to memory of 1376	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	fMGFxVp.exe
PID 5012 wrote to memory of 1376	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	fMGFxVp.exe
PID 5012 wrote to memory of 872	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	pOpHqUk.exe
PID 5012 wrote to memory of 872	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	pOpHqUk.exe
PID 5012 wrote to memory of 3368	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZZJxGLW.exe
PID 5012 wrote to memory of 3368	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ZZJxGLW.exe
PID 5012 wrote to memory of 1204	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	PblLHbt.exe
PID 5012 wrote to memory of 1204	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	PblLHbt.exe
PID 5012 wrote to memory of 2740	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	mfQyMfZ.exe
PID 5012 wrote to memory of 2740	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	mfQyMfZ.exe
PID 5012 wrote to memory of 1716	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	eDJMGrQ.exe
PID 5012 wrote to memory of 1716	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	eDJMGrQ.exe
PID 5012 wrote to memory of 1700	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	efkXfGI.exe
PID 5012 wrote to memory of 1700	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	efkXfGI.exe
PID 5012 wrote to memory of 3736	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ePNvtTP.exe
PID 5012 wrote to memory of 3736	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	ePNvtTP.exe
PID 5012 wrote to memory of 2360	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	zdlDxmM.exe
PID 5012 wrote to memory of 2360	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	zdlDxmM.exe
PID 5012 wrote to memory of 4388	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	oOviVPK.exe
PID 5012 wrote to memory of 4388	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	oOviVPK.exe
PID 5012 wrote to memory of 2120	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	qKoZWmQ.exe
PID 5012 wrote to memory of 2120	5012	05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe	qKoZWmQ.exe

C:\Users\Admin\AppData\Local\Temp\05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05e09527b67b3f9ac93fac74b8ae4240_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\System32\LMJQyXz.exe
C:\Windows\System32\LMJQyXz.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\System32\ZJKptkE.exe
C:\Windows\System32\ZJKptkE.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\lceYPXI.exe
C:\Windows\System32\lceYPXI.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System32\cYSZqMJ.exe
C:\Windows\System32\cYSZqMJ.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\xUbILTh.exe
C:\Windows\System32\xUbILTh.exe
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\System32\cEDdhga.exe
C:\Windows\System32\cEDdhga.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\synWYLx.exe
C:\Windows\System32\synWYLx.exe
2⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\wGYehGh.exe
C:\Windows\System32\wGYehGh.exe
2⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\eoyhrPr.exe
C:\Windows\System32\eoyhrPr.exe
2⤵
- Executes dropped EXE
PID:3792

C:\Windows\System32\tfUlDnH.exe
C:\Windows\System32\tfUlDnH.exe
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\System32\gcxHinf.exe
C:\Windows\System32\gcxHinf.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System32\tnTAMHD.exe
C:\Windows\System32\tnTAMHD.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System32\JrinJRw.exe
C:\Windows\System32\JrinJRw.exe
2⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\lchdjWV.exe
C:\Windows\System32\lchdjWV.exe
2⤵
- Executes dropped EXE
PID:4604

C:\Windows\System32\osFuECZ.exe
C:\Windows\System32\osFuECZ.exe
2⤵
- Executes dropped EXE
PID:3776

C:\Windows\System32\toCNTrE.exe
C:\Windows\System32\toCNTrE.exe
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\System32\dSRcHrX.exe
C:\Windows\System32\dSRcHrX.exe
2⤵
- Executes dropped EXE
PID:3884

C:\Windows\System32\vJKpIPD.exe
C:\Windows\System32\vJKpIPD.exe
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\ZfFYBpS.exe
C:\Windows\System32\ZfFYBpS.exe
2⤵
- Executes dropped EXE
PID:4464

C:\Windows\System32\SVaAHTV.exe
C:\Windows\System32\SVaAHTV.exe
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\System32\bypQylU.exe
C:\Windows\System32\bypQylU.exe
2⤵
- Executes dropped EXE
PID:1364

C:\Windows\System32\fMGFxVp.exe
C:\Windows\System32\fMGFxVp.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System32\pOpHqUk.exe
C:\Windows\System32\pOpHqUk.exe
2⤵
- Executes dropped EXE
PID:872

C:\Windows\System32\ZZJxGLW.exe
C:\Windows\System32\ZZJxGLW.exe
2⤵
- Executes dropped EXE
PID:3368

C:\Windows\System32\PblLHbt.exe
C:\Windows\System32\PblLHbt.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\mfQyMfZ.exe
C:\Windows\System32\mfQyMfZ.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\eDJMGrQ.exe
C:\Windows\System32\eDJMGrQ.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System32\efkXfGI.exe
C:\Windows\System32\efkXfGI.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\ePNvtTP.exe
C:\Windows\System32\ePNvtTP.exe
2⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\zdlDxmM.exe
C:\Windows\System32\zdlDxmM.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System32\oOviVPK.exe
C:\Windows\System32\oOviVPK.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\System32\qKoZWmQ.exe
C:\Windows\System32\qKoZWmQ.exe
2⤵
- Executes dropped EXE
PID:2120

C:\Windows\System32\XkvaHTt.exe
C:\Windows\System32\XkvaHTt.exe
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\System32\JhpVRBa.exe
C:\Windows\System32\JhpVRBa.exe
2⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\XDwBDAm.exe
C:\Windows\System32\XDwBDAm.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Windows\System32\fSwQbWO.exe
C:\Windows\System32\fSwQbWO.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System32\EUxMgBg.exe
C:\Windows\System32\EUxMgBg.exe
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\System32\mUitHip.exe
C:\Windows\System32\mUitHip.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\System32\CGFxOsk.exe
C:\Windows\System32\CGFxOsk.exe
2⤵
- Executes dropped EXE
PID:4516

C:\Windows\System32\SwmBGCt.exe
C:\Windows\System32\SwmBGCt.exe
2⤵
- Executes dropped EXE
PID:388

C:\Windows\System32\HqOssEh.exe
C:\Windows\System32\HqOssEh.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System32\FTUFquB.exe
C:\Windows\System32\FTUFquB.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\System32\nAdaxOq.exe
C:\Windows\System32\nAdaxOq.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System32\HssutuR.exe
C:\Windows\System32\HssutuR.exe
2⤵
- Executes dropped EXE
PID:2236

C:\Windows\System32\jkfeiFe.exe
C:\Windows\System32\jkfeiFe.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\PmeUFbg.exe
C:\Windows\System32\PmeUFbg.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\System32\RBLRRfB.exe
C:\Windows\System32\RBLRRfB.exe
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\vANbcuR.exe
C:\Windows\System32\vANbcuR.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System32\IRIXjGx.exe
C:\Windows\System32\IRIXjGx.exe
2⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\GcKZudF.exe
C:\Windows\System32\GcKZudF.exe
2⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\hnRyMTB.exe
C:\Windows\System32\hnRyMTB.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\System32\gcqiqLf.exe
C:\Windows\System32\gcqiqLf.exe
2⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\WajFAIm.exe
C:\Windows\System32\WajFAIm.exe
2⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\dRauTfJ.exe
C:\Windows\System32\dRauTfJ.exe
2⤵
- Executes dropped EXE
PID:4232

C:\Windows\System32\bNkKsHK.exe
C:\Windows\System32\bNkKsHK.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\System32\WbzngHK.exe
C:\Windows\System32\WbzngHK.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\xpVvPhu.exe
C:\Windows\System32\xpVvPhu.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\System32\BsOKbLl.exe
C:\Windows\System32\BsOKbLl.exe
2⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\HTDvsuN.exe
C:\Windows\System32\HTDvsuN.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\System32\pYwCKmg.exe
C:\Windows\System32\pYwCKmg.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System32\Dkfdojv.exe
C:\Windows\System32\Dkfdojv.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\dQHityc.exe
C:\Windows\System32\dQHityc.exe
2⤵
- Executes dropped EXE
PID:1832

C:\Windows\System32\AfKGCQO.exe
C:\Windows\System32\AfKGCQO.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\kEPMXCI.exe
C:\Windows\System32\kEPMXCI.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\jHXrgwj.exe
C:\Windows\System32\jHXrgwj.exe
2⤵
PID:4832

C:\Windows\System32\BtiVwkk.exe
C:\Windows\System32\BtiVwkk.exe
2⤵
PID:4360

C:\Windows\System32\rioPLPY.exe
C:\Windows\System32\rioPLPY.exe
2⤵
PID:4292

C:\Windows\System32\VEBeGOw.exe
C:\Windows\System32\VEBeGOw.exe
2⤵
PID:988

C:\Windows\System32\zzUsczZ.exe
C:\Windows\System32\zzUsczZ.exe
2⤵
PID:1608

C:\Windows\System32\sGxZrNa.exe
C:\Windows\System32\sGxZrNa.exe
2⤵
PID:4372

C:\Windows\System32\eKQMAhS.exe
C:\Windows\System32\eKQMAhS.exe
2⤵
PID:436

C:\Windows\System32\DljKgVv.exe
C:\Windows\System32\DljKgVv.exe
2⤵
PID:1644

C:\Windows\System32\fKqfITI.exe
C:\Windows\System32\fKqfITI.exe
2⤵
PID:4568

C:\Windows\System32\vKayeXc.exe
C:\Windows\System32\vKayeXc.exe
2⤵
PID:3580

C:\Windows\System32\VLkMjJj.exe
C:\Windows\System32\VLkMjJj.exe
2⤵
PID:2116

C:\Windows\System32\rkDaiuC.exe
C:\Windows\System32\rkDaiuC.exe
2⤵
PID:4864

C:\Windows\System32\FWSZsaK.exe
C:\Windows\System32\FWSZsaK.exe
2⤵
PID:4996

C:\Windows\System32\NRjIuSB.exe
C:\Windows\System32\NRjIuSB.exe
2⤵
PID:5136

C:\Windows\System32\CVmFtGQ.exe
C:\Windows\System32\CVmFtGQ.exe
2⤵
PID:5164

C:\Windows\System32\HCXikCX.exe
C:\Windows\System32\HCXikCX.exe
2⤵
PID:5192

C:\Windows\System32\MOnovRu.exe
C:\Windows\System32\MOnovRu.exe
2⤵
PID:5220

C:\Windows\System32\guZjkpJ.exe
C:\Windows\System32\guZjkpJ.exe
2⤵
PID:5248

C:\Windows\System32\MdkeJRF.exe
C:\Windows\System32\MdkeJRF.exe
2⤵
PID:5276

C:\Windows\System32\EhjwDlk.exe
C:\Windows\System32\EhjwDlk.exe
2⤵
PID:5304

C:\Windows\System32\XRXcCiQ.exe
C:\Windows\System32\XRXcCiQ.exe
2⤵
PID:5332

C:\Windows\System32\KczCogY.exe
C:\Windows\System32\KczCogY.exe
2⤵
PID:5360

C:\Windows\System32\QYjKhVf.exe
C:\Windows\System32\QYjKhVf.exe
2⤵
PID:5392

C:\Windows\System32\ZRHiWhJ.exe
C:\Windows\System32\ZRHiWhJ.exe
2⤵
PID:5420

C:\Windows\System32\tIiXPem.exe
C:\Windows\System32\tIiXPem.exe
2⤵
PID:5452

C:\Windows\System32\ztYCNiH.exe
C:\Windows\System32\ztYCNiH.exe
2⤵
PID:5472

C:\Windows\System32\uhEPcHO.exe
C:\Windows\System32\uhEPcHO.exe
2⤵
PID:5504

C:\Windows\System32\kKVeUnG.exe
C:\Windows\System32\kKVeUnG.exe
2⤵
PID:5532

C:\Windows\System32\IUfudGW.exe
C:\Windows\System32\IUfudGW.exe
2⤵
PID:5560

C:\Windows\System32\svUDgZo.exe
C:\Windows\System32\svUDgZo.exe
2⤵
PID:5584

C:\Windows\System32\ScIZEGo.exe
C:\Windows\System32\ScIZEGo.exe
2⤵
PID:5616

C:\Windows\System32\mlPKSOn.exe
C:\Windows\System32\mlPKSOn.exe
2⤵
PID:5640

C:\Windows\System32\IczVTNb.exe
C:\Windows\System32\IczVTNb.exe
2⤵
PID:5668

C:\Windows\System32\yGEtbsG.exe
C:\Windows\System32\yGEtbsG.exe
2⤵
PID:5696

C:\Windows\System32\wqigLnq.exe
C:\Windows\System32\wqigLnq.exe
2⤵
PID:5724

C:\Windows\System32\VLspNCL.exe
C:\Windows\System32\VLspNCL.exe
2⤵
PID:5752

C:\Windows\System32\vaLKqqh.exe
C:\Windows\System32\vaLKqqh.exe
2⤵
PID:5780

C:\Windows\System32\rredHhY.exe
C:\Windows\System32\rredHhY.exe
2⤵
PID:5808

C:\Windows\System32\rQuwuPQ.exe
C:\Windows\System32\rQuwuPQ.exe
2⤵
PID:5836

C:\Windows\System32\aMIKYAa.exe
C:\Windows\System32\aMIKYAa.exe
2⤵
PID:5864

C:\Windows\System32\PINAhAf.exe
C:\Windows\System32\PINAhAf.exe
2⤵
PID:5892

C:\Windows\System32\vTWIDfv.exe
C:\Windows\System32\vTWIDfv.exe
2⤵
PID:5920

C:\Windows\System32\EbEKTsM.exe
C:\Windows\System32\EbEKTsM.exe
2⤵
PID:5948

C:\Windows\System32\AggdLBI.exe
C:\Windows\System32\AggdLBI.exe
2⤵
PID:5976

C:\Windows\System32\hRiMZoD.exe
C:\Windows\System32\hRiMZoD.exe
2⤵
PID:6004

C:\Windows\System32\PVgYZTp.exe
C:\Windows\System32\PVgYZTp.exe
2⤵
PID:6032

C:\Windows\System32\YPWDote.exe
C:\Windows\System32\YPWDote.exe
2⤵
PID:6060

C:\Windows\System32\JSoOeBa.exe
C:\Windows\System32\JSoOeBa.exe
2⤵
PID:6088

C:\Windows\System32\MyDLley.exe
C:\Windows\System32\MyDLley.exe
2⤵
PID:6116

C:\Windows\System32\aEcDgKe.exe
C:\Windows\System32\aEcDgKe.exe
2⤵
PID:1464

C:\Windows\System32\aXqEbGo.exe
C:\Windows\System32\aXqEbGo.exe
2⤵
PID:212

C:\Windows\System32\nAEhMOh.exe
C:\Windows\System32\nAEhMOh.exe
2⤵
PID:3400

C:\Windows\System32\OSNIVnm.exe
C:\Windows\System32\OSNIVnm.exe
2⤵
PID:2220

C:\Windows\System32\lxFXZAW.exe
C:\Windows\System32\lxFXZAW.exe
2⤵
PID:3308

C:\Windows\System32\dRCyARX.exe
C:\Windows\System32\dRCyARX.exe
2⤵
PID:5132

C:\Windows\System32\NxzRDjA.exe
C:\Windows\System32\NxzRDjA.exe
2⤵
PID:5180

C:\Windows\System32\SBhpzDT.exe
C:\Windows\System32\SBhpzDT.exe
2⤵
PID:5236

C:\Windows\System32\GuXAZiB.exe
C:\Windows\System32\GuXAZiB.exe
2⤵
PID:5316

C:\Windows\System32\DJeVPXA.exe
C:\Windows\System32\DJeVPXA.exe
2⤵
PID:3716

C:\Windows\System32\impTofL.exe
C:\Windows\System32\impTofL.exe
2⤵
PID:5432

C:\Windows\System32\nSQZrFy.exe
C:\Windows\System32\nSQZrFy.exe
2⤵
PID:5496

C:\Windows\System32\pCSrLMs.exe
C:\Windows\System32\pCSrLMs.exe
2⤵
PID:5548

C:\Windows\System32\WOBoTgu.exe
C:\Windows\System32\WOBoTgu.exe
2⤵
PID:5628

C:\Windows\System32\EXzToHR.exe
C:\Windows\System32\EXzToHR.exe
2⤵
PID:5680

C:\Windows\System32\MgxNbLt.exe
C:\Windows\System32\MgxNbLt.exe
2⤵
PID:1516

C:\Windows\System32\YwIelNk.exe
C:\Windows\System32\YwIelNk.exe
2⤵
PID:5768

C:\Windows\System32\uQwayEQ.exe
C:\Windows\System32\uQwayEQ.exe
2⤵
PID:5848

C:\Windows\System32\feLCCXE.exe
C:\Windows\System32\feLCCXE.exe
2⤵
PID:5916

C:\Windows\System32\KJiEPNb.exe
C:\Windows\System32\KJiEPNb.exe
2⤵
PID:5936

C:\Windows\System32\mJdhgej.exe
C:\Windows\System32\mJdhgej.exe
2⤵
PID:6016

C:\Windows\System32\yjRwIkb.exe
C:\Windows\System32\yjRwIkb.exe
2⤵
PID:6072

C:\Windows\System32\NnfHmSr.exe
C:\Windows\System32\NnfHmSr.exe
2⤵
PID:6104

C:\Windows\System32\eTltJTv.exe
C:\Windows\System32\eTltJTv.exe
2⤵
PID:2424

C:\Windows\System32\pNgMUwM.exe
C:\Windows\System32\pNgMUwM.exe
2⤵
PID:3852

C:\Windows\System32\XOcqhUj.exe
C:\Windows\System32\XOcqhUj.exe
2⤵
PID:5408

C:\Windows\System32\OzOGZoD.exe
C:\Windows\System32\OzOGZoD.exe
2⤵
PID:5652

C:\Windows\System32\ZtXclgc.exe
C:\Windows\System32\ZtXclgc.exe
2⤵
PID:5708

C:\Windows\System32\onspNyb.exe
C:\Windows\System32\onspNyb.exe
2⤵
PID:5720

C:\Windows\System32\uIqmGDA.exe
C:\Windows\System32\uIqmGDA.exe
2⤵
PID:3196

C:\Windows\System32\KfaIXyu.exe
C:\Windows\System32\KfaIXyu.exe
2⤵
PID:6000

C:\Windows\System32\pZUHTGZ.exe
C:\Windows\System32\pZUHTGZ.exe
2⤵
PID:4248

C:\Windows\System32\GsBdWRF.exe
C:\Windows\System32\GsBdWRF.exe
2⤵
PID:6100

C:\Windows\System32\jfkASHI.exe
C:\Windows\System32\jfkASHI.exe
2⤵
PID:5084

C:\Windows\System32\waLrvKs.exe
C:\Windows\System32\waLrvKs.exe
2⤵
PID:5244

C:\Windows\System32\jEOJdOO.exe
C:\Windows\System32\jEOJdOO.exe
2⤵
PID:3180

C:\Windows\System32\EdEmEPn.exe
C:\Windows\System32\EdEmEPn.exe
2⤵
PID:4028

C:\Windows\System32\ZwxIsKw.exe
C:\Windows\System32\ZwxIsKw.exe
2⤵
PID:5596

C:\Windows\System32\peNYQkv.exe
C:\Windows\System32\peNYQkv.exe
2⤵
PID:5776

C:\Windows\System32\pLSenUY.exe
C:\Windows\System32\pLSenUY.exe
2⤵
PID:2576

C:\Windows\System32\lPaKILl.exe
C:\Windows\System32\lPaKILl.exe
2⤵
PID:4124

C:\Windows\System32\mjrIASD.exe
C:\Windows\System32\mjrIASD.exe
2⤵
PID:5076

C:\Windows\System32\IYZYJpC.exe
C:\Windows\System32\IYZYJpC.exe
2⤵
PID:4848

C:\Windows\System32\uAbuSfY.exe
C:\Windows\System32\uAbuSfY.exe
2⤵
PID:1780

C:\Windows\System32\boaSOzk.exe
C:\Windows\System32\boaSOzk.exe
2⤵
PID:220

C:\Windows\System32\RosnrAG.exe
C:\Windows\System32\RosnrAG.exe
2⤵
PID:6168

C:\Windows\System32\hQXjpAe.exe
C:\Windows\System32\hQXjpAe.exe
2⤵
PID:6196

C:\Windows\System32\LiqKvGs.exe
C:\Windows\System32\LiqKvGs.exe
2⤵
PID:6224

C:\Windows\System32\jvMCjEh.exe
C:\Windows\System32\jvMCjEh.exe
2⤵
PID:6252

C:\Windows\System32\RKQcRPG.exe
C:\Windows\System32\RKQcRPG.exe
2⤵
PID:6280

C:\Windows\System32\MVIYkJC.exe
C:\Windows\System32\MVIYkJC.exe
2⤵
PID:6308

C:\Windows\System32\GcNFmdB.exe
C:\Windows\System32\GcNFmdB.exe
2⤵
PID:6336

C:\Windows\System32\uQcUiXg.exe
C:\Windows\System32\uQcUiXg.exe
2⤵
PID:6364

C:\Windows\System32\PBOCGFi.exe
C:\Windows\System32\PBOCGFi.exe
2⤵
PID:6392

C:\Windows\System32\ThTnFsv.exe
C:\Windows\System32\ThTnFsv.exe
2⤵
PID:6420

C:\Windows\System32\NDUyCPF.exe
C:\Windows\System32\NDUyCPF.exe
2⤵
PID:6448

C:\Windows\System32\htxhpxd.exe
C:\Windows\System32\htxhpxd.exe
2⤵
PID:6476

C:\Windows\System32\VxlCCMx.exe
C:\Windows\System32\VxlCCMx.exe
2⤵
PID:6504

C:\Windows\System32\eFPOGfh.exe
C:\Windows\System32\eFPOGfh.exe
2⤵
PID:6532

C:\Windows\System32\DxeTJtU.exe
C:\Windows\System32\DxeTJtU.exe
2⤵
PID:6560

C:\Windows\System32\AWFnQuv.exe
C:\Windows\System32\AWFnQuv.exe
2⤵
PID:6588

C:\Windows\System32\lXwPbzV.exe
C:\Windows\System32\lXwPbzV.exe
2⤵
PID:6616

C:\Windows\System32\gvLGiKq.exe
C:\Windows\System32\gvLGiKq.exe
2⤵
PID:6644

C:\Windows\System32\vmGZoio.exe
C:\Windows\System32\vmGZoio.exe
2⤵
PID:6672

C:\Windows\System32\pDyNRIm.exe
C:\Windows\System32\pDyNRIm.exe
2⤵
PID:6700

C:\Windows\System32\jWhaXDy.exe
C:\Windows\System32\jWhaXDy.exe
2⤵
PID:6728

C:\Windows\System32\dWaiWNj.exe
C:\Windows\System32\dWaiWNj.exe
2⤵
PID:6756

C:\Windows\System32\mVBbNDq.exe
C:\Windows\System32\mVBbNDq.exe
2⤵
PID:6792

C:\Windows\System32\YXbqewQ.exe
C:\Windows\System32\YXbqewQ.exe
2⤵
PID:6820

C:\Windows\System32\VozdTyg.exe
C:\Windows\System32\VozdTyg.exe
2⤵
PID:6848

C:\Windows\System32\rzNPNmJ.exe
C:\Windows\System32\rzNPNmJ.exe
2⤵
PID:6876

C:\Windows\System32\JrABvxp.exe
C:\Windows\System32\JrABvxp.exe
2⤵
PID:6904

C:\Windows\System32\zgxLhEw.exe
C:\Windows\System32\zgxLhEw.exe
2⤵
PID:6932

C:\Windows\System32\rXaXIzT.exe
C:\Windows\System32\rXaXIzT.exe
2⤵
PID:6960

C:\Windows\System32\ZmceZkH.exe
C:\Windows\System32\ZmceZkH.exe
2⤵
PID:6988

C:\Windows\System32\voWZIgH.exe
C:\Windows\System32\voWZIgH.exe
2⤵
PID:7016

C:\Windows\System32\vFUYtKV.exe
C:\Windows\System32\vFUYtKV.exe
2⤵
PID:7044

C:\Windows\System32\vfOqEgj.exe
C:\Windows\System32\vfOqEgj.exe
2⤵
PID:7072

C:\Windows\System32\vtTrEpp.exe
C:\Windows\System32\vtTrEpp.exe
2⤵
PID:7100

C:\Windows\System32\svCKFCr.exe
C:\Windows\System32\svCKFCr.exe
2⤵
PID:7128

C:\Windows\System32\YbOPlgD.exe
C:\Windows\System32\YbOPlgD.exe
2⤵
PID:7156

C:\Windows\System32\JpViHDr.exe
C:\Windows\System32\JpViHDr.exe
2⤵
PID:5964

C:\Windows\System32\AtoJCEV.exe
C:\Windows\System32\AtoJCEV.exe
2⤵
PID:6156

C:\Windows\System32\dftNABt.exe
C:\Windows\System32\dftNABt.exe
2⤵
PID:6236

C:\Windows\System32\yuRWyma.exe
C:\Windows\System32\yuRWyma.exe
2⤵
PID:6304

C:\Windows\System32\NepKsWu.exe
C:\Windows\System32\NepKsWu.exe
2⤵
PID:6380

C:\Windows\System32\EhdQZNj.exe
C:\Windows\System32\EhdQZNj.exe
2⤵
PID:6432

C:\Windows\System32\MRzgOqu.exe
C:\Windows\System32\MRzgOqu.exe
2⤵
PID:6528

C:\Windows\System32\DAUXTXS.exe
C:\Windows\System32\DAUXTXS.exe
2⤵
PID:6572

C:\Windows\System32\cgORmYa.exe
C:\Windows\System32\cgORmYa.exe
2⤵
PID:6640

C:\Windows\System32\obVpvOg.exe
C:\Windows\System32\obVpvOg.exe
2⤵
PID:6688

C:\Windows\System32\uTafZUo.exe
C:\Windows\System32\uTafZUo.exe
2⤵
PID:1884

C:\Windows\System32\cytdNdJ.exe
C:\Windows\System32\cytdNdJ.exe
2⤵
PID:7116

C:\Windows\System32\YAeKjeO.exe
C:\Windows\System32\YAeKjeO.exe
2⤵
PID:7056

C:\Windows\System32\VpqGJkc.exe
C:\Windows\System32\VpqGJkc.exe
2⤵
PID:6984

C:\Windows\System32\RlxETAG.exe
C:\Windows\System32\RlxETAG.exe
2⤵
PID:6944

C:\Windows\System32\vcGvGOU.exe
C:\Windows\System32\vcGvGOU.exe
2⤵
PID:6804

C:\Windows\System32\uUFHCGy.exe
C:\Windows\System32\uUFHCGy.exe
2⤵
PID:6768

C:\Windows\System32\iNJUwrW.exe
C:\Windows\System32\iNJUwrW.exe
2⤵
PID:6716

C:\Windows\System32\HTPeZbs.exe
C:\Windows\System32\HTPeZbs.exe
2⤵
PID:6292

C:\Windows\System32\ojIkMZw.exe
C:\Windows\System32\ojIkMZw.exe
2⤵
PID:3560

C:\Windows\System32\wBNwjni.exe
C:\Windows\System32\wBNwjni.exe
2⤵
PID:6488

C:\Windows\System32\WeRiktb.exe
C:\Windows\System32\WeRiktb.exe
2⤵
PID:6660

C:\Windows\System32\Hzhvziy.exe
C:\Windows\System32\Hzhvziy.exe
2⤵
PID:7084

C:\Windows\System32\yYxPFNJ.exe
C:\Windows\System32\yYxPFNJ.exe
2⤵
PID:7060

C:\Windows\System32\jgMYeOg.exe
C:\Windows\System32\jgMYeOg.exe
2⤵
PID:6900

C:\Windows\System32\iCzdHqL.exe
C:\Windows\System32\iCzdHqL.exe
2⤵
PID:6816

C:\Windows\System32\wQcqqNN.exe
C:\Windows\System32\wQcqqNN.exe
2⤵
PID:6712

C:\Windows\System32\MiHEBxO.exe
C:\Windows\System32\MiHEBxO.exe
2⤵
PID:6628

C:\Windows\System32\TioYKBm.exe
C:\Windows\System32\TioYKBm.exe
2⤵
PID:4476

C:\Windows\System32\taESuvj.exe
C:\Windows\System32\taESuvj.exe
2⤵
PID:6416

C:\Windows\System32\oxAuMXd.exe
C:\Windows\System32\oxAuMXd.exe
2⤵
PID:6948

C:\Windows\System32\BwSgGaw.exe
C:\Windows\System32\BwSgGaw.exe
2⤵
PID:7176

C:\Windows\System32\LpvIhFQ.exe
C:\Windows\System32\LpvIhFQ.exe
2⤵
PID:7236

C:\Windows\System32\KOOtCDR.exe
C:\Windows\System32\KOOtCDR.exe
2⤵
PID:7256

C:\Windows\System32\FyhVwxk.exe
C:\Windows\System32\FyhVwxk.exe
2⤵
PID:7296

C:\Windows\System32\kahBWWl.exe
C:\Windows\System32\kahBWWl.exe
2⤵
PID:7312

C:\Windows\System32\cuOKeGC.exe
C:\Windows\System32\cuOKeGC.exe
2⤵
PID:7336

C:\Windows\System32\nYbQzFe.exe
C:\Windows\System32\nYbQzFe.exe
2⤵
PID:7356

C:\Windows\System32\CcGrruO.exe
C:\Windows\System32\CcGrruO.exe
2⤵
PID:7396

C:\Windows\System32\zQVSCIl.exe
C:\Windows\System32\zQVSCIl.exe
2⤵
PID:7412

C:\Windows\System32\TDfHUhJ.exe
C:\Windows\System32\TDfHUhJ.exe
2⤵
PID:7440

C:\Windows\System32\vdMzYZD.exe
C:\Windows\System32\vdMzYZD.exe
2⤵
PID:7480

C:\Windows\System32\pNHuwgA.exe
C:\Windows\System32\pNHuwgA.exe
2⤵
PID:7508

C:\Windows\System32\IgtsgZB.exe
C:\Windows\System32\IgtsgZB.exe
2⤵
PID:7532

C:\Windows\System32\UQRmCMp.exe
C:\Windows\System32\UQRmCMp.exe
2⤵
PID:7564

C:\Windows\System32\bMjKYxe.exe
C:\Windows\System32\bMjKYxe.exe
2⤵
PID:7580

C:\Windows\System32\XKMNGdU.exe
C:\Windows\System32\XKMNGdU.exe
2⤵
PID:7612

C:\Windows\System32\ZBuUNUh.exe
C:\Windows\System32\ZBuUNUh.exe
2⤵
PID:7644

C:\Windows\System32\IJciqZv.exe
C:\Windows\System32\IJciqZv.exe
2⤵
PID:7664

C:\Windows\System32\YWmTUTP.exe
C:\Windows\System32\YWmTUTP.exe
2⤵
PID:7680

C:\Windows\System32\yfWSSNl.exe
C:\Windows\System32\yfWSSNl.exe
2⤵
PID:7708

C:\Windows\System32\AGpQcRL.exe
C:\Windows\System32\AGpQcRL.exe
2⤵
PID:7744

C:\Windows\System32\rMLXmHG.exe
C:\Windows\System32\rMLXmHG.exe
2⤵
PID:7776

C:\Windows\System32\KZnSYxF.exe
C:\Windows\System32\KZnSYxF.exe
2⤵
PID:7812

C:\Windows\System32\GqTUTrY.exe
C:\Windows\System32\GqTUTrY.exe
2⤵
PID:7844

C:\Windows\System32\JJtWDna.exe
C:\Windows\System32\JJtWDna.exe
2⤵
PID:7868

C:\Windows\System32\YkPKwYl.exe
C:\Windows\System32\YkPKwYl.exe
2⤵
PID:7892

C:\Windows\System32\WoPYLZw.exe
C:\Windows\System32\WoPYLZw.exe
2⤵
PID:7932

C:\Windows\System32\MyJJfaw.exe
C:\Windows\System32\MyJJfaw.exe
2⤵
PID:7952

C:\Windows\System32\nuoTAor.exe
C:\Windows\System32\nuoTAor.exe
2⤵
PID:7988

C:\Windows\System32\VSrpJDW.exe
C:\Windows\System32\VSrpJDW.exe
2⤵
PID:8016

C:\Windows\System32\PzpgqJA.exe
C:\Windows\System32\PzpgqJA.exe
2⤵
PID:8036

C:\Windows\System32\andtAhb.exe
C:\Windows\System32\andtAhb.exe
2⤵
PID:8056

C:\Windows\System32\vKSVLFQ.exe
C:\Windows\System32\vKSVLFQ.exe
2⤵
PID:8084

C:\Windows\System32\FKrWPcF.exe
C:\Windows\System32\FKrWPcF.exe
2⤵
PID:8120

C:\Windows\System32\LrcmrIr.exe
C:\Windows\System32\LrcmrIr.exe
2⤵
PID:8164

C:\Windows\System32\cYhPDyy.exe
C:\Windows\System32\cYhPDyy.exe
2⤵
PID:6548

C:\Windows\System32\ItkDoSJ.exe
C:\Windows\System32\ItkDoSJ.exe
2⤵
PID:7200

C:\Windows\System32\SmQsUna.exe
C:\Windows\System32\SmQsUna.exe
2⤵
PID:7252

C:\Windows\System32\uvfurlv.exe
C:\Windows\System32\uvfurlv.exe
2⤵
PID:7308

C:\Windows\System32\zlwjDQH.exe
C:\Windows\System32\zlwjDQH.exe
2⤵
PID:7432

C:\Windows\System32\WSVqpYQ.exe
C:\Windows\System32\WSVqpYQ.exe
2⤵
PID:7468

C:\Windows\System32\heUMdPP.exe
C:\Windows\System32\heUMdPP.exe
2⤵
PID:7544

C:\Windows\System32\wZOnGgO.exe
C:\Windows\System32\wZOnGgO.exe
2⤵
PID:7576

C:\Windows\System32\aMpeKGA.exe
C:\Windows\System32\aMpeKGA.exe
2⤵
PID:7652

C:\Windows\System32\nAcgcng.exe
C:\Windows\System32\nAcgcng.exe
2⤵
PID:7704

C:\Windows\System32\oWRowBI.exe
C:\Windows\System32\oWRowBI.exe
2⤵
PID:7724

C:\Windows\System32\jaLYMoE.exe
C:\Windows\System32\jaLYMoE.exe
2⤵
PID:7828

C:\Windows\System32\iGEAcoU.exe
C:\Windows\System32\iGEAcoU.exe
2⤵
PID:7884

C:\Windows\System32\JdguIxz.exe
C:\Windows\System32\JdguIxz.exe
2⤵
PID:7920

C:\Windows\System32\hBvvHUD.exe
C:\Windows\System32\hBvvHUD.exe
2⤵
PID:8048

C:\Windows\System32\GRDQEfY.exe
C:\Windows\System32\GRDQEfY.exe
2⤵
PID:8136

C:\Windows\System32\bRkUcJY.exe
C:\Windows\System32\bRkUcJY.exe
2⤵
PID:6048

C:\Windows\System32\BvOeUzS.exe
C:\Windows\System32\BvOeUzS.exe
2⤵
PID:7284

C:\Windows\System32\tIZDDwN.exe
C:\Windows\System32\tIZDDwN.exe
2⤵
PID:7424

C:\Windows\System32\SxeprvD.exe
C:\Windows\System32\SxeprvD.exe
2⤵
PID:7528

C:\Windows\System32\btLLzIa.exe
C:\Windows\System32\btLLzIa.exe
2⤵
PID:7656

C:\Windows\System32\HVVQMlx.exe
C:\Windows\System32\HVVQMlx.exe
2⤵
PID:7876

C:\Windows\System32\PtliWsf.exe
C:\Windows\System32\PtliWsf.exe
2⤵
PID:8112

C:\Windows\System32\SnuwhqF.exe
C:\Windows\System32\SnuwhqF.exe
2⤵
PID:7348

C:\Windows\System32\GnGqtFd.exe
C:\Windows\System32\GnGqtFd.exe
2⤵
PID:1424

C:\Windows\System32\vGAYznY.exe
C:\Windows\System32\vGAYznY.exe
2⤵
PID:8032

C:\Windows\System32\mBqrNyH.exe
C:\Windows\System32\mBqrNyH.exe
2⤵
PID:8104

C:\Windows\System32\VIShoAY.exe
C:\Windows\System32\VIShoAY.exe
2⤵
PID:7628

C:\Windows\System32\LKJhAEz.exe
C:\Windows\System32\LKJhAEz.exe
2⤵
PID:8220

C:\Windows\System32\zBQWnZJ.exe
C:\Windows\System32\zBQWnZJ.exe
2⤵
PID:8248

C:\Windows\System32\AHAJkBK.exe
C:\Windows\System32\AHAJkBK.exe
2⤵
PID:8280

C:\Windows\System32\WwISsKC.exe
C:\Windows\System32\WwISsKC.exe
2⤵
PID:8300

C:\Windows\System32\wneZYPL.exe
C:\Windows\System32\wneZYPL.exe
2⤵
PID:8344

C:\Windows\System32\bNyZirH.exe
C:\Windows\System32\bNyZirH.exe
2⤵
PID:8364

C:\Windows\System32\sygNecm.exe
C:\Windows\System32\sygNecm.exe
2⤵
PID:8404

C:\Windows\System32\oowmQgZ.exe
C:\Windows\System32\oowmQgZ.exe
2⤵
PID:8424

C:\Windows\System32\djnrBEz.exe
C:\Windows\System32\djnrBEz.exe
2⤵
PID:8444

C:\Windows\System32\GiGHVKk.exe
C:\Windows\System32\GiGHVKk.exe
2⤵
PID:8480

C:\Windows\System32\kNGBMsA.exe
C:\Windows\System32\kNGBMsA.exe
2⤵
PID:8504

C:\Windows\System32\CuBKbCu.exe
C:\Windows\System32\CuBKbCu.exe
2⤵
PID:8528

C:\Windows\System32\wMJeIVX.exe
C:\Windows\System32\wMJeIVX.exe
2⤵
PID:8568

C:\Windows\System32\KAwQDbR.exe
C:\Windows\System32\KAwQDbR.exe
2⤵
PID:8592

C:\Windows\System32\tPBQRFj.exe
C:\Windows\System32\tPBQRFj.exe
2⤵
PID:8612

C:\Windows\System32\mRREUFE.exe
C:\Windows\System32\mRREUFE.exe
2⤵
PID:8652

C:\Windows\System32\WFtttno.exe
C:\Windows\System32\WFtttno.exe
2⤵
PID:8676

C:\Windows\System32\wPmvWeD.exe
C:\Windows\System32\wPmvWeD.exe
2⤵
PID:8700

C:\Windows\System32\NnBWjBs.exe
C:\Windows\System32\NnBWjBs.exe
2⤵
PID:8716

C:\Windows\System32\dPhyPaU.exe
C:\Windows\System32\dPhyPaU.exe
2⤵
PID:8736

C:\Windows\System32\WhIvWMg.exe
C:\Windows\System32\WhIvWMg.exe
2⤵
PID:8764

C:\Windows\System32\rnJlGoA.exe
C:\Windows\System32\rnJlGoA.exe
2⤵
PID:8800

C:\Windows\System32\PqTAlPi.exe
C:\Windows\System32\PqTAlPi.exe
2⤵
PID:8840

C:\Windows\System32\QuGBdLF.exe
C:\Windows\System32\QuGBdLF.exe
2⤵
PID:8872

C:\Windows\System32\hzdhQYN.exe
C:\Windows\System32\hzdhQYN.exe
2⤵
PID:8896

C:\Windows\System32\CqJuPEf.exe
C:\Windows\System32\CqJuPEf.exe
2⤵
PID:8936

C:\Windows\System32\UApGZya.exe
C:\Windows\System32\UApGZya.exe
2⤵
PID:8964

C:\Windows\System32\ybENsRr.exe
C:\Windows\System32\ybENsRr.exe
2⤵
PID:8984

C:\Windows\System32\crWOgVU.exe
C:\Windows\System32\crWOgVU.exe
2⤵
PID:9008

C:\Windows\System32\JxEInyu.exe
C:\Windows\System32\JxEInyu.exe
2⤵
PID:9052

C:\Windows\System32\OyrIaCZ.exe
C:\Windows\System32\OyrIaCZ.exe
2⤵
PID:9072

C:\Windows\System32\HsAxaPu.exe
C:\Windows\System32\HsAxaPu.exe
2⤵
PID:9092

C:\Windows\System32\bZMbSQM.exe
C:\Windows\System32\bZMbSQM.exe
2⤵
PID:9112

C:\Windows\System32\vwfXOfd.exe
C:\Windows\System32\vwfXOfd.exe
2⤵
PID:9128

C:\Windows\System32\caaLoXD.exe
C:\Windows\System32\caaLoXD.exe
2⤵
PID:9152

C:\Windows\System32\wxvNTYq.exe
C:\Windows\System32\wxvNTYq.exe
2⤵
PID:9180

C:\Windows\System32\PhuSkdm.exe
C:\Windows\System32\PhuSkdm.exe
2⤵
PID:9212

C:\Windows\System32\Imqyeea.exe
C:\Windows\System32\Imqyeea.exe
2⤵
PID:8264

C:\Windows\System32\UsaEpIS.exe
C:\Windows\System32\UsaEpIS.exe
2⤵
PID:3124

C:\Windows\System32\NULlzbF.exe
C:\Windows\System32\NULlzbF.exe
2⤵
PID:8356

C:\Windows\System32\Vatsguh.exe
C:\Windows\System32\Vatsguh.exe
2⤵
PID:8380

C:\Windows\System32\AcTqRmR.exe
C:\Windows\System32\AcTqRmR.exe
2⤵
PID:8456

C:\Windows\System32\rwQsJmY.exe
C:\Windows\System32\rwQsJmY.exe
2⤵
PID:8524

C:\Windows\System32\WFGbIBy.exe
C:\Windows\System32\WFGbIBy.exe
2⤵
PID:7904

C:\Windows\System32\mRmqylu.exe
C:\Windows\System32\mRmqylu.exe
2⤵
PID:8684

C:\Windows\System32\obbtkup.exe
C:\Windows\System32\obbtkup.exe
2⤵
PID:8784

C:\Windows\System32\DKCVJkQ.exe
C:\Windows\System32\DKCVJkQ.exe
2⤵
PID:8820

C:\Windows\System32\yqRMBJc.exe
C:\Windows\System32\yqRMBJc.exe
2⤵
PID:8880

C:\Windows\System32\mGDPdtr.exe
C:\Windows\System32\mGDPdtr.exe
2⤵
PID:8948

C:\Windows\System32\DNDixmB.exe
C:\Windows\System32\DNDixmB.exe
2⤵
PID:9040

C:\Windows\System32\YtvDnSj.exe
C:\Windows\System32\YtvDnSj.exe
2⤵
PID:9100

C:\Windows\System32\FXQKZzM.exe
C:\Windows\System32\FXQKZzM.exe
2⤵
PID:9124

C:\Windows\System32\ffbmNCU.exe
C:\Windows\System32\ffbmNCU.exe
2⤵
PID:9196

C:\Windows\System32\BRQmUcB.exe
C:\Windows\System32\BRQmUcB.exe
2⤵
PID:8292

C:\Windows\System32\VdMZqMZ.exe
C:\Windows\System32\VdMZqMZ.exe
2⤵
PID:8436

C:\Windows\System32\PsYxnnG.exe
C:\Windows\System32\PsYxnnG.exe
2⤵
PID:8544

C:\Windows\System32\dhwmMZj.exe
C:\Windows\System32\dhwmMZj.exe
2⤵
PID:3228

C:\Windows\System32\xeCqRHw.exe
C:\Windows\System32\xeCqRHw.exe
2⤵
PID:9176

C:\Windows\System32\EWcoUHW.exe
C:\Windows\System32\EWcoUHW.exe
2⤵
PID:8208

C:\Windows\System32\hBTaGCz.exe
C:\Windows\System32\hBTaGCz.exe
2⤵
PID:5088

C:\Windows\System32\JXxgdLp.exe
C:\Windows\System32\JXxgdLp.exe
2⤵
PID:8624

C:\Windows\System32\tLnzeos.exe
C:\Windows\System32\tLnzeos.exe
2⤵
PID:8796

C:\Windows\System32\sOUdQvl.exe
C:\Windows\System32\sOUdQvl.exe
2⤵
PID:9256

C:\Windows\System32\FNhsJnc.exe
C:\Windows\System32\FNhsJnc.exe
2⤵
PID:9272

C:\Windows\System32\dFiuNNu.exe
C:\Windows\System32\dFiuNNu.exe
2⤵
PID:9292

C:\Windows\System32\IhYBaqB.exe
C:\Windows\System32\IhYBaqB.exe
2⤵
PID:9324

C:\Windows\System32\BmSyIiT.exe
C:\Windows\System32\BmSyIiT.exe
2⤵
PID:9436

C:\Windows\System32\kHNBLEg.exe
C:\Windows\System32\kHNBLEg.exe
2⤵
PID:9452

C:\Windows\System32\rsgWevA.exe
C:\Windows\System32\rsgWevA.exe
2⤵
PID:9488

C:\Windows\System32\ojSzGBO.exe
C:\Windows\System32\ojSzGBO.exe
2⤵
PID:9528

C:\Windows\System32\GmWWTlz.exe
C:\Windows\System32\GmWWTlz.exe
2⤵
PID:9568

C:\Windows\System32\xTWVDVz.exe
C:\Windows\System32\xTWVDVz.exe
2⤵
PID:9600

C:\Windows\System32\ZTPxSeB.exe
C:\Windows\System32\ZTPxSeB.exe
2⤵
PID:9620

C:\Windows\System32\RcRuZVL.exe
C:\Windows\System32\RcRuZVL.exe
2⤵
PID:9636

C:\Windows\System32\izSDuxf.exe
C:\Windows\System32\izSDuxf.exe
2⤵
PID:9676

C:\Windows\System32\zUBvKfG.exe
C:\Windows\System32\zUBvKfG.exe
2⤵
PID:9708

C:\Windows\System32\qbgXXTB.exe
C:\Windows\System32\qbgXXTB.exe
2⤵
PID:9732

C:\Windows\System32\GWKXfeb.exe
C:\Windows\System32\GWKXfeb.exe
2⤵
PID:9768

C:\Windows\System32\EDMcQup.exe
C:\Windows\System32\EDMcQup.exe
2⤵
PID:9788

C:\Windows\System32\FZTZrbZ.exe
C:\Windows\System32\FZTZrbZ.exe
2⤵
PID:9828

C:\Windows\System32\PhZDAdy.exe
C:\Windows\System32\PhZDAdy.exe
2⤵
PID:9856

C:\Windows\System32\kVkjBhA.exe
C:\Windows\System32\kVkjBhA.exe
2⤵
PID:9888

C:\Windows\System32\fSneObb.exe
C:\Windows\System32\fSneObb.exe
2⤵
PID:9912

C:\Windows\System32\JOYApfC.exe
C:\Windows\System32\JOYApfC.exe
2⤵
PID:9936

C:\Windows\System32\qTTDIxx.exe
C:\Windows\System32\qTTDIxx.exe
2⤵
PID:9956

C:\Windows\System32\oiYAEMR.exe
C:\Windows\System32\oiYAEMR.exe
2⤵
PID:9980

C:\Windows\System32\SdlDJTT.exe
C:\Windows\System32\SdlDJTT.exe
2⤵
PID:10004

C:\Windows\System32\DzbFlqM.exe
C:\Windows\System32\DzbFlqM.exe
2⤵
PID:10028

C:\Windows\System32\eCxRslq.exe
C:\Windows\System32\eCxRslq.exe
2⤵
PID:10068

C:\Windows\System32\giDuaCn.exe
C:\Windows\System32\giDuaCn.exe
2⤵
PID:10108

C:\Windows\System32\dpVaMiC.exe
C:\Windows\System32\dpVaMiC.exe
2⤵
PID:10132

C:\Windows\System32\DwdAGRu.exe
C:\Windows\System32\DwdAGRu.exe
2⤵
PID:10152

C:\Windows\System32\VIDQLRT.exe
C:\Windows\System32\VIDQLRT.exe
2⤵
PID:10176

C:\Windows\System32\qZnkJTj.exe
C:\Windows\System32\qZnkJTj.exe
2⤵
PID:10220

C:\Windows\System32\NDDRHRm.exe
C:\Windows\System32\NDDRHRm.exe
2⤵
PID:1272

C:\Windows\System32\TmsfIDQ.exe
C:\Windows\System32\TmsfIDQ.exe
2⤵
PID:9268

C:\Windows\System32\dhGAhKe.exe
C:\Windows\System32\dhGAhKe.exe
2⤵
PID:9004

C:\Windows\System32\HyxHQHx.exe
C:\Windows\System32\HyxHQHx.exe
2⤵
PID:3856

C:\Windows\System32\cSzVwnj.exe
C:\Windows\System32\cSzVwnj.exe
2⤵
PID:9164

C:\Windows\System32\HKVAEgr.exe
C:\Windows\System32\HKVAEgr.exe
2⤵
PID:9228

C:\Windows\System32\rqFNzNJ.exe
C:\Windows\System32\rqFNzNJ.exe
2⤵
PID:9264

C:\Windows\System32\LogsoVg.exe
C:\Windows\System32\LogsoVg.exe
2⤵
PID:9460

C:\Windows\System32\hYvLxdg.exe
C:\Windows\System32\hYvLxdg.exe
2⤵
PID:9396

C:\Windows\System32\MVAkdKW.exe
C:\Windows\System32\MVAkdKW.exe
2⤵
PID:3840

C:\Windows\System32\ZFpHWEE.exe
C:\Windows\System32\ZFpHWEE.exe
2⤵
PID:3692

C:\Windows\System32\flSSHGm.exe
C:\Windows\System32\flSSHGm.exe
2⤵
PID:9588

C:\Windows\System32\RZgRIkE.exe
C:\Windows\System32\RZgRIkE.exe
2⤵
PID:9628

C:\Windows\System32\OfaOviD.exe
C:\Windows\System32\OfaOviD.exe
2⤵
PID:9728

C:\Windows\System32\jeIrkGU.exe
C:\Windows\System32\jeIrkGU.exe
2⤵
PID:9776

C:\Windows\System32\TbVtsED.exe
C:\Windows\System32\TbVtsED.exe
2⤵
PID:9824

C:\Windows\System32\XfTdevN.exe
C:\Windows\System32\XfTdevN.exe
2⤵
PID:9852

C:\Windows\System32\SOcMFEH.exe
C:\Windows\System32\SOcMFEH.exe
2⤵
PID:9908

C:\Windows\System32\Efdomtg.exe
C:\Windows\System32\Efdomtg.exe
2⤵
PID:9988

C:\Windows\System32\RBEKXgJ.exe
C:\Windows\System32\RBEKXgJ.exe
2⤵
PID:10056

C:\Windows\System32\MlbkdPG.exe
C:\Windows\System32\MlbkdPG.exe
2⤵
PID:10168

C:\Windows\System32\NzljxnY.exe
C:\Windows\System32\NzljxnY.exe
2⤵
PID:9240

C:\Windows\System32\XVSCfIn.exe
C:\Windows\System32\XVSCfIn.exe
2⤵
PID:8932

C:\Windows\System32\XhpgYix.exe
C:\Windows\System32\XhpgYix.exe
2⤵
PID:9220

C:\Windows\System32\yPOlqUu.exe
C:\Windows\System32\yPOlqUu.exe
2⤵
PID:9332

C:\Windows\System32\MbDVGxN.exe
C:\Windows\System32\MbDVGxN.exe
2⤵
PID:9428

C:\Windows\System32\VWJjwSN.exe
C:\Windows\System32\VWJjwSN.exe
2⤵
PID:9616

C:\Windows\System32\bjMppOO.exe
C:\Windows\System32\bjMppOO.exe
2⤵
PID:9744

C:\Windows\System32\ESoCNEA.exe
C:\Windows\System32\ESoCNEA.exe
2⤵
PID:9952

C:\Windows\System32\RlvHcGo.exe
C:\Windows\System32\RlvHcGo.exe
2⤵
PID:10096

C:\Windows\System32\nFROzqb.exe
C:\Windows\System32\nFROzqb.exe
2⤵
PID:10212

C:\Windows\System32\gaCVlNR.exe
C:\Windows\System32\gaCVlNR.exe
2⤵
PID:9000

C:\Windows\System32\gxIdLQQ.exe
C:\Windows\System32\gxIdLQQ.exe
2⤵
PID:1508

C:\Windows\System32\xmOMgDO.exe
C:\Windows\System32\xmOMgDO.exe
2⤵
PID:9760

C:\Windows\System32\clBmKVX.exe
C:\Windows\System32\clBmKVX.exe
2⤵
PID:9336

C:\Windows\System32\SIsoCdZ.exe
C:\Windows\System32\SIsoCdZ.exe
2⤵
PID:9556

C:\Windows\System32\TgVgLNj.exe
C:\Windows\System32\TgVgLNj.exe
2⤵
PID:9248

C:\Windows\System32\AktiaNb.exe
C:\Windows\System32\AktiaNb.exe
2⤵
PID:10244

C:\Windows\System32\mQLTbkh.exe
C:\Windows\System32\mQLTbkh.exe
2⤵
PID:10264

C:\Windows\System32\cFgciyz.exe
C:\Windows\System32\cFgciyz.exe
2⤵
PID:10304

C:\Windows\System32\SpDGkKC.exe
C:\Windows\System32\SpDGkKC.exe
2⤵
PID:10320

C:\Windows\System32\SuZFwLE.exe
C:\Windows\System32\SuZFwLE.exe
2⤵
PID:10340

C:\Windows\System32\oReCcoA.exe
C:\Windows\System32\oReCcoA.exe
2⤵
PID:10356

C:\Windows\System32\LpwwkxB.exe
C:\Windows\System32\LpwwkxB.exe
2⤵
PID:10392

C:\Windows\System32\wQfKyvY.exe
C:\Windows\System32\wQfKyvY.exe
2⤵
PID:10436

C:\Windows\System32\iggHVYw.exe
C:\Windows\System32\iggHVYw.exe
2⤵
PID:10472

C:\Windows\System32\NmlkEbj.exe
C:\Windows\System32\NmlkEbj.exe
2⤵
PID:10488

C:\Windows\System32\YlQYLTR.exe
C:\Windows\System32\YlQYLTR.exe
2⤵
PID:10516

C:\Windows\System32\KBrwvvA.exe
C:\Windows\System32\KBrwvvA.exe
2⤵
PID:10556

C:\Windows\System32\gZbvszy.exe
C:\Windows\System32\gZbvszy.exe
2⤵
PID:10584

C:\Windows\System32\qPVfOLx.exe
C:\Windows\System32\qPVfOLx.exe
2⤵
PID:10612

C:\Windows\System32\gbzkvyc.exe
C:\Windows\System32\gbzkvyc.exe
2⤵
PID:10640

C:\Windows\System32\EryvXmy.exe
C:\Windows\System32\EryvXmy.exe
2⤵
PID:10676

C:\Windows\System32\SfeYMhS.exe
C:\Windows\System32\SfeYMhS.exe
2⤵
PID:10692

C:\Windows\System32\GogBEwV.exe
C:\Windows\System32\GogBEwV.exe
2⤵
PID:10712

C:\Windows\System32\DOfyGzs.exe
C:\Windows\System32\DOfyGzs.exe
2⤵
PID:10732

C:\Windows\System32\CebcAiU.exe
C:\Windows\System32\CebcAiU.exe
2⤵
PID:10756

C:\Windows\System32\qkMOWKp.exe
C:\Windows\System32\qkMOWKp.exe
2⤵
PID:10772

C:\Windows\System32\ymxApGl.exe
C:\Windows\System32\ymxApGl.exe
2⤵
PID:10816

C:\Windows\System32\JjeLiun.exe
C:\Windows\System32\JjeLiun.exe
2⤵
PID:10856

C:\Windows\System32\uZlTCIW.exe
C:\Windows\System32\uZlTCIW.exe
2⤵
PID:10880

C:\Windows\System32\vnhmgpD.exe
C:\Windows\System32\vnhmgpD.exe
2⤵
PID:10896

C:\Windows\System32\hZGCFfp.exe
C:\Windows\System32\hZGCFfp.exe
2⤵
PID:10932

C:\Windows\System32\EeyPErI.exe
C:\Windows\System32\EeyPErI.exe
2⤵
PID:10964

C:\Windows\System32\yrFNUTA.exe
C:\Windows\System32\yrFNUTA.exe
2⤵
PID:11008

C:\Windows\System32\wnplQcI.exe
C:\Windows\System32\wnplQcI.exe
2⤵
PID:11032

C:\Windows\System32\pqfPUUd.exe
C:\Windows\System32\pqfPUUd.exe
2⤵
PID:11056

C:\Windows\System32\nHlqIYA.exe
C:\Windows\System32\nHlqIYA.exe
2⤵
PID:11108

C:\Windows\System32\LeILtUS.exe
C:\Windows\System32\LeILtUS.exe
2⤵
PID:11124

C:\Windows\System32\UkfNofQ.exe
C:\Windows\System32\UkfNofQ.exe
2⤵
PID:11152

C:\Windows\System32\GOswtHL.exe
C:\Windows\System32\GOswtHL.exe
2⤵
PID:11180

C:\Windows\System32\vQQIOAL.exe
C:\Windows\System32\vQQIOAL.exe
2⤵
PID:11204

C:\Windows\System32\IxEQSWg.exe
C:\Windows\System32\IxEQSWg.exe
2⤵
PID:11224

C:\Windows\System32\DtGYRXj.exe
C:\Windows\System32\DtGYRXj.exe
2⤵
PID:11240

C:\Windows\System32\XOLeMaI.exe
C:\Windows\System32\XOLeMaI.exe
2⤵
PID:10284

C:\Windows\System32\GWqoTbB.exe
C:\Windows\System32\GWqoTbB.exe
2⤵
PID:10336

C:\Windows\System32\zmSiKXH.exe
C:\Windows\System32\zmSiKXH.exe
2⤵
PID:2028

C:\Windows\System32\IFQXGKR.exe
C:\Windows\System32\IFQXGKR.exe
2⤵
PID:10432

C:\Windows\System32\MnPtQBt.exe
C:\Windows\System32\MnPtQBt.exe
2⤵
PID:10528

C:\Windows\System32\UdOjQhx.exe
C:\Windows\System32\UdOjQhx.exe
2⤵
PID:10604

C:\Windows\System32\OGbkEpb.exe
C:\Windows\System32\OGbkEpb.exe
2⤵
PID:10668

C:\Windows\System32\NmIUDMl.exe
C:\Windows\System32\NmIUDMl.exe
2⤵
PID:10724

C:\Windows\System32\glhgWFN.exe
C:\Windows\System32\glhgWFN.exe
2⤵
PID:10796

C:\Windows\System32\LoZTIkd.exe
C:\Windows\System32\LoZTIkd.exe
2⤵
PID:10868

C:\Windows\System32\DhZFdRM.exe
C:\Windows\System32\DhZFdRM.exe
2⤵
PID:10892

C:\Windows\System32\ENMqOWG.exe
C:\Windows\System32\ENMqOWG.exe
2⤵
PID:10996

C:\Windows\System32\AGLJkbp.exe
C:\Windows\System32\AGLJkbp.exe
2⤵
PID:11040

C:\Windows\System32\DuJJEmC.exe
C:\Windows\System32\DuJJEmC.exe
2⤵
PID:11088

C:\Windows\System32\yHzoZnl.exe
C:\Windows\System32\yHzoZnl.exe
2⤵
PID:11144

C:\Windows\System32\VCjKqJK.exe
C:\Windows\System32\VCjKqJK.exe
2⤵
PID:11216

C:\Windows\System32\ApQTlqt.exe
C:\Windows\System32\ApQTlqt.exe
2⤵
PID:2260

C:\Windows\System32\groQqjb.exe
C:\Windows\System32\groQqjb.exe
2⤵
PID:10352

C:\Windows\System32\dStmgeR.exe
C:\Windows\System32\dStmgeR.exe
2⤵
PID:10540

C:\Windows\System32\ceWyCCV.exe
C:\Windows\System32\ceWyCCV.exe
2⤵
PID:10704

C:\Windows\System32\GoSNEPt.exe
C:\Windows\System32\GoSNEPt.exe
2⤵
PID:10848

C:\Windows\System32\GCPlAFT.exe
C:\Windows\System32\GCPlAFT.exe
2⤵
PID:11044

C:\Windows\System32\KNQMLwE.exe
C:\Windows\System32\KNQMLwE.exe
2⤵
PID:11176

C:\Windows\System32\STIlyJs.exe
C:\Windows\System32\STIlyJs.exe
2⤵
PID:10312

C:\Windows\System32\JzQUrcp.exe
C:\Windows\System32\JzQUrcp.exe
2⤵
PID:10416

C:\Windows\System32\hTmVWBw.exe
C:\Windows\System32\hTmVWBw.exe
2⤵
PID:10920

C:\Windows\System32\EFlaXFu.exe
C:\Windows\System32\EFlaXFu.exe
2⤵
PID:4532

C:\Windows\System32\yXYrICD.exe
C:\Windows\System32\yXYrICD.exe
2⤵
PID:10784

C:\Windows\System32\WsDJtvN.exe
C:\Windows\System32\WsDJtvN.exe
2⤵
PID:11268

C:\Windows\System32\pGOMjbU.exe
C:\Windows\System32\pGOMjbU.exe
2⤵
PID:11296

C:\Windows\System32\MRLEAiW.exe
C:\Windows\System32\MRLEAiW.exe
2⤵
PID:11328

C:\Windows\System32\vMCxorY.exe
C:\Windows\System32\vMCxorY.exe
2⤵
PID:11352

C:\Windows\System32\hEgmupd.exe
C:\Windows\System32\hEgmupd.exe
2⤵
PID:11368

C:\Windows\System32\KCxAdTu.exe
C:\Windows\System32\KCxAdTu.exe
2⤵
PID:11408

C:\Windows\System32\SVWhUHd.exe
C:\Windows\System32\SVWhUHd.exe
2⤵
PID:11432

C:\Windows\System32\Xauaoky.exe
C:\Windows\System32\Xauaoky.exe
2⤵
PID:11460

C:\Windows\System32\PECOngT.exe
C:\Windows\System32\PECOngT.exe
2⤵
PID:11496

C:\Windows\System32\AGgcDRk.exe
C:\Windows\System32\AGgcDRk.exe
2⤵
PID:11532

C:\Windows\System32\eVFhzrB.exe
C:\Windows\System32\eVFhzrB.exe
2⤵
PID:11552

C:\Windows\System32\sNsCawS.exe
C:\Windows\System32\sNsCawS.exe
2⤵
PID:11580

C:\Windows\System32\HKnKdhx.exe
C:\Windows\System32\HKnKdhx.exe
2⤵
PID:11624

C:\Windows\System32\AcLxiBY.exe
C:\Windows\System32\AcLxiBY.exe
2⤵
PID:11656

C:\Windows\System32\OFzJavs.exe
C:\Windows\System32\OFzJavs.exe
2⤵
PID:11684

C:\Windows\System32\qNTTrCu.exe
C:\Windows\System32\qNTTrCu.exe
2⤵
PID:11712

C:\Windows\System32\TpBHesh.exe
C:\Windows\System32\TpBHesh.exe
2⤵
PID:11740

C:\Windows\System32\QoNyRRY.exe
C:\Windows\System32\QoNyRRY.exe
2⤵
PID:11768

C:\Windows\System32\dpAYsqr.exe
C:\Windows\System32\dpAYsqr.exe
2⤵
PID:11800

C:\Windows\System32\FszTWge.exe
C:\Windows\System32\FszTWge.exe
2⤵
PID:11832

C:\Windows\System32\PMExhep.exe
C:\Windows\System32\PMExhep.exe
2⤵
PID:11848

C:\Windows\System32\jbKJtgC.exe
C:\Windows\System32\jbKJtgC.exe
2⤵
PID:11876

C:\Windows\System32\DYnlmXk.exe
C:\Windows\System32\DYnlmXk.exe
2⤵
PID:11896

C:\Windows\System32\RTwmeUV.exe
C:\Windows\System32\RTwmeUV.exe
2⤵
PID:11936

C:\Windows\System32\ShuREHa.exe
C:\Windows\System32\ShuREHa.exe
2⤵
PID:11960

C:\Windows\System32\dSvJPcv.exe
C:\Windows\System32\dSvJPcv.exe
2⤵
PID:11992

C:\Windows\System32\dkiDWpu.exe
C:\Windows\System32\dkiDWpu.exe
2⤵
PID:12008

C:\Windows\System32\EnbkaGz.exe
C:\Windows\System32\EnbkaGz.exe
2⤵
PID:12036

C:\Windows\System32\ohDBTZZ.exe
C:\Windows\System32\ohDBTZZ.exe
2⤵
PID:12076

C:\Windows\System32\DMFnqHz.exe
C:\Windows\System32\DMFnqHz.exe
2⤵
PID:12104

C:\Windows\System32\vhSmVEJ.exe
C:\Windows\System32\vhSmVEJ.exe
2⤵
PID:12132

C:\Windows\System32\rHUQdaf.exe
C:\Windows\System32\rHUQdaf.exe
2⤵
PID:12148

C:\Windows\System32\dyRtMvd.exe
C:\Windows\System32\dyRtMvd.exe
2⤵
PID:12176

C:\Windows\System32\yhPHoKv.exe
C:\Windows\System32\yhPHoKv.exe
2⤵
PID:12196

C:\Windows\System32\ysjkzCU.exe
C:\Windows\System32\ysjkzCU.exe
2⤵
PID:12220

C:\Windows\System32\amJULWK.exe
C:\Windows\System32\amJULWK.exe
2⤵
PID:12240

C:\Windows\System32\HsZDRXF.exe
C:\Windows\System32\HsZDRXF.exe
2⤵
PID:11284

C:\Windows\System32\hTfZFaX.exe
C:\Windows\System32\hTfZFaX.exe
2⤵
PID:11324

C:\Windows\System32\xjlzdcZ.exe
C:\Windows\System32\xjlzdcZ.exe
2⤵
PID:11380

C:\Windows\System32\oKqkRnc.exe
C:\Windows\System32\oKqkRnc.exe
2⤵
PID:11440

C:\Windows\System32\QbrLexx.exe
C:\Windows\System32\QbrLexx.exe
2⤵
PID:11528

C:\Windows\System32\rJidQOp.exe
C:\Windows\System32\rJidQOp.exe
2⤵
PID:11576

C:\Windows\System32\WuvplLG.exe
C:\Windows\System32\WuvplLG.exe
2⤵
PID:11672

C:\Windows\System32\QZeuWmb.exe
C:\Windows\System32\QZeuWmb.exe
2⤵
PID:11752

C:\Windows\System32\WRdekwQ.exe
C:\Windows\System32\WRdekwQ.exe
2⤵
PID:11812

C:\Windows\System32\NDsJaqY.exe
C:\Windows\System32\NDsJaqY.exe
2⤵
PID:11860

C:\Windows\System32\fMITEFN.exe
C:\Windows\System32\fMITEFN.exe
2⤵
PID:11916

C:\Windows\System32\xUKBPFx.exe
C:\Windows\System32\xUKBPFx.exe
2⤵
PID:11956

C:\Windows\System32\AXdSEAS.exe
C:\Windows\System32\AXdSEAS.exe
2⤵
PID:12048

C:\Windows\System32\KJNdwPM.exe
C:\Windows\System32\KJNdwPM.exe
2⤵
PID:12144

C:\Windows\System32\oAgSJuM.exe
C:\Windows\System32\oAgSJuM.exe
2⤵
PID:12204

C:\Windows\System32\aUEERuC.exe
C:\Windows\System32\aUEERuC.exe
2⤵
PID:12268

C:\Windows\System32\tiXqSap.exe
C:\Windows\System32\tiXqSap.exe
2⤵
PID:4968

C:\Windows\System32\uWEEWZX.exe
C:\Windows\System32\uWEEWZX.exe
2⤵
PID:5520

C:\Windows\System32\KZTeAyx.exe
C:\Windows\System32\KZTeAyx.exe
2⤵
PID:11416

C:\Windows\System32\NdNAMRn.exe
C:\Windows\System32\NdNAMRn.exe
2⤵
PID:11560

C:\Windows\System32\pOJMGiG.exe
C:\Windows\System32\pOJMGiG.exe
2⤵
PID:11648

C:\Windows\System32\ihobrOK.exe
C:\Windows\System32\ihobrOK.exe
2⤵
PID:11824

C:\Windows\System32\OXPKmDG.exe
C:\Windows\System32\OXPKmDG.exe
2⤵
PID:11856

C:\Windows\System32\GjWWdwR.exe
C:\Windows\System32\GjWWdwR.exe
2⤵
PID:12116

C:\Windows\System32\FfqdEvD.exe
C:\Windows\System32\FfqdEvD.exe
2⤵
PID:12172

C:\Windows\System32\rKNhvPx.exe
C:\Windows\System32\rKNhvPx.exe
2⤵
PID:11312

C:\Windows\System32\CyCeygw.exe
C:\Windows\System32\CyCeygw.exe
2⤵
PID:11692

C:\Windows\System32\PgClnfU.exe
C:\Windows\System32\PgClnfU.exe
2⤵
PID:12128

C:\Windows\System32\ZQIomME.exe
C:\Windows\System32\ZQIomME.exe
2⤵
PID:11640

C:\Windows\System32\NYvWvbP.exe
C:\Windows\System32\NYvWvbP.exe
2⤵
PID:4104

C:\Windows\System32\kDSmdKe.exe
C:\Windows\System32\kDSmdKe.exe
2⤵
PID:12300

C:\Windows\System32\kijSxYj.exe
C:\Windows\System32\kijSxYj.exe
2⤵
PID:12320

C:\Windows\System32\kdywviH.exe
C:\Windows\System32\kdywviH.exe
2⤵
PID:12364

C:\Windows\System32\hiLQFTK.exe
C:\Windows\System32\hiLQFTK.exe
2⤵
PID:12408

C:\Windows\System32\MJtBcJJ.exe
C:\Windows\System32\MJtBcJJ.exe
2⤵
PID:12436

C:\Windows\System32\zRoMvUW.exe
C:\Windows\System32\zRoMvUW.exe
2⤵
PID:12476

C:\Windows\System32\uOlIAnL.exe
C:\Windows\System32\uOlIAnL.exe
2⤵
PID:12496

C:\Windows\System32\CZkefCt.exe
C:\Windows\System32\CZkefCt.exe
2⤵
PID:12520

C:\Windows\System32\XOhBDyH.exe
C:\Windows\System32\XOhBDyH.exe
2⤵
PID:12560

C:\Windows\System32\HQeinDh.exe
C:\Windows\System32\HQeinDh.exe
2⤵
PID:12584

C:\Windows\System32\SXlUZqq.exe
C:\Windows\System32\SXlUZqq.exe
2⤵
PID:12612

C:\Windows\System32\hpkrMBv.exe
C:\Windows\System32\hpkrMBv.exe
2⤵
PID:12636

C:\Windows\System32\kCgbvip.exe
C:\Windows\System32\kCgbvip.exe
2⤵
PID:12660

C:\Windows\System32\gxnYWbY.exe
C:\Windows\System32\gxnYWbY.exe
2⤵
PID:12676

C:\Windows\System32\vKUamKA.exe
C:\Windows\System32\vKUamKA.exe
2⤵
PID:12732

C:\Windows\System32\cAyhfvM.exe
C:\Windows\System32\cAyhfvM.exe
2⤵
PID:12756

C:\Windows\System32\upHPkwn.exe
C:\Windows\System32\upHPkwn.exe
2⤵
PID:12780

C:\Windows\System32\YALBUYW.exe
C:\Windows\System32\YALBUYW.exe
2⤵
PID:12804

C:\Windows\System32\fLXRaOG.exe
C:\Windows\System32\fLXRaOG.exe
2⤵
PID:12828

C:\Windows\System32\tGnLmjH.exe
C:\Windows\System32\tGnLmjH.exe
2⤵
PID:12868

C:\Windows\System32\EwuTwAu.exe
C:\Windows\System32\EwuTwAu.exe
2⤵
PID:12892

C:\Windows\System32\JJmZRDc.exe
C:\Windows\System32\JJmZRDc.exe
2⤵
PID:12924

C:\Windows\System32\DpDtmsr.exe
C:\Windows\System32\DpDtmsr.exe
2⤵
PID:12948

C:\Windows\System32\YjjpTPa.exe
C:\Windows\System32\YjjpTPa.exe
2⤵
PID:12964

C:\Windows\System32\GjHkIDS.exe
C:\Windows\System32\GjHkIDS.exe
2⤵
PID:12988

C:\Windows\System32\YTKgGjO.exe
C:\Windows\System32\YTKgGjO.exe
2⤵
PID:13020

C:\Windows\System32\RhPxaiT.exe
C:\Windows\System32\RhPxaiT.exe
2⤵
PID:13040

C:\Windows\System32\rFSIvwQ.exe
C:\Windows\System32\rFSIvwQ.exe
2⤵
PID:13084

C:\Windows\System32\TMWundH.exe
C:\Windows\System32\TMWundH.exe
2⤵
PID:13112

C:\Windows\System32\NYzqONj.exe
C:\Windows\System32\NYzqONj.exe
2⤵
PID:13140

C:\Windows\System32\JyHeuFh.exe
C:\Windows\System32\JyHeuFh.exe
2⤵
PID:13172

C:\Windows\System32\vgeFzkQ.exe
C:\Windows\System32\vgeFzkQ.exe
2⤵
PID:13204

C:\Windows\System32\lNayEeB.exe
C:\Windows\System32\lNayEeB.exe
2⤵
PID:13228

C:\Windows\System32\ZZlJUmp.exe
C:\Windows\System32\ZZlJUmp.exe
2⤵
PID:13244

C:\Windows\System32\ZUqaLQf.exe
C:\Windows\System32\ZUqaLQf.exe
2⤵
PID:13264

C:\Windows\System32\IgFsVbR.exe
C:\Windows\System32\IgFsVbR.exe
2⤵
PID:13284

C:\Windows\System32\rPhCmWD.exe
C:\Windows\System32\rPhCmWD.exe
2⤵
PID:13300

C:\Windows\System32\bwDSRmo.exe
C:\Windows\System32\bwDSRmo.exe
2⤵
PID:12336

C:\Windows\System32\lPcmybs.exe
C:\Windows\System32\lPcmybs.exe
2⤵
PID:12344

C:\Windows\System32\BeVEYHu.exe
C:\Windows\System32\BeVEYHu.exe
2⤵
PID:12492

C:\Windows\System32\lwJgTIi.exe
C:\Windows\System32\lwJgTIi.exe
2⤵
PID:12600

C:\Windows\System32\AAgbcyv.exe
C:\Windows\System32\AAgbcyv.exe
2⤵
PID:12688

C:\Windows\System32\GLNYlHX.exe
C:\Windows\System32\GLNYlHX.exe
2⤵
PID:12748

C:\Windows\System32\zCEzvlf.exe
C:\Windows\System32\zCEzvlf.exe
2⤵
PID:12792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\JrinJRw.exe

Filesize
1.4MB

MD5
2373e9375ce6b3c971be3176e0c3bd00

SHA1
6fb3c5f30e7ce78a159ebe4cdfdc27918ff4fae4

SHA256
fdef74308534d7cb8d3704849e75c5424ef8d65d70dfece124687d0ad2f3343d

SHA512
d7a2f29fc6ee8920b3c57745e34e209ec74d3f793223471bc7069b8b34f598ff120d0e5d4028ac9b6250092ed5f6f1d83fc56ba326b0af500344aac67d37929b

Download Submit
C:\Windows\System32\LMJQyXz.exe

Filesize
1.4MB

MD5
4940684f2345b40799f51dee3e0d82bb

SHA1
6d5d1b3b17462b8868b89eed0b40517fc01875ab

SHA256
3b40e8f336eb7f7efe2fd3cfcefc27016941f6954da3f749e7b59601bb8c1157

SHA512
31d583b50ddefa832a5af13db856eca49a0618e19491e6699c4ac705ac29d69c78f0ead15caeb3c87e678cdae1deafc2f0fd0eb0a3606498f63fa2ed936e1852

Download Submit
C:\Windows\System32\PblLHbt.exe

Filesize
1.4MB

MD5
1600399c3077ee83d9a013e0d581e107

SHA1
06219c033f22d4de4bccd3cd817eb9bc9a56c8ba

SHA256
5caa153087b23207da030caedcb6fa81cebd7552773f2710dae587d337bd03f4

SHA512
432a807c5468d5370157d640dbeb7812dce1be7784ca12d951ff379089826b5a6115ebfe2f62ef83325752795deb9ff85d5755415b2321931820071f3fce1194

Download Submit
C:\Windows\System32\SVaAHTV.exe

Filesize
1.4MB

MD5
292c97e7f13cd340906f5bf7f43562b3

SHA1
6e32aea2698696fdcf40e4f776c1489d6f46579e

SHA256
4a6e23322eae60c624008dc61b8f5b296e4740ac96c8e41c2b6c7e5f58063f50

SHA512
2a81912663ffa39efa91485c3118098fd4af11f283dccadb85c077868472e6dcba7332868ebef69aa9cba145915e19e8431d2f65f2e6aeaef708730afe586ea1

Download Submit
C:\Windows\System32\ZJKptkE.exe

Filesize
1.4MB

MD5
79c00c0d6fea4de333a177fe812846b6

SHA1
8317f9117c9bad35d3c6d61235eca8378ad39f0f

SHA256
7290e35fa7353169a9ac249c26c41501b4f030c1119298cb1a8b1094fa1adad2

SHA512
4921dc1f6ee239743aba05ce2c40750942bef0397574e134b82780c3fb16e0d92820ec86a4cc27740d18063591a0d0741f5976177dfbcf273462cf90e30320f5

Download Submit
C:\Windows\System32\ZZJxGLW.exe

Filesize
1.4MB

MD5
092c700467d2a3c05c273e2f89621c10

SHA1
fb139495f9d569276371bab0f592d91e4c601a1c

SHA256
ef9bd9081c4df87cd3f2152cbc833cacabd8b9d81853f8559d3a87b0a8f9df80

SHA512
027108c4d531c6515d43f588bc6982386753381225bf68e911e183e409834b7a62438b30a2f2ae5440276fe9350ae476d140cd7f9af3caa5306cb3ec3e3e4a79

Download Submit
C:\Windows\System32\ZfFYBpS.exe

Filesize
1.4MB

MD5
7d4379b29596c9e39156c5a468e515ed

SHA1
9c796488ca25b5e92b5312a2bcaf8d626a4ea72c

SHA256
c2da3354b6d9e5997c30a717096fe4840fad7cf77a102d1769a6c7bf7ee7704c

SHA512
44ae41fef0ad3f83055ae5e69fcfd1319a96d05717f8259e3e9a5cdba95e6de270c17e8fb98a4ee5ef2ebdbf764443204453b21fa1f5b0ce7ca09a7939a86138

Download Submit
C:\Windows\System32\bypQylU.exe

Filesize
1.4MB

MD5
5d6160291fa567565a3cc01bd613d895

SHA1
16ab9a80f94ed2ff55561cab6bd54133a638d0d8

SHA256
6eadfda6e8efa4bde872ea205ce3a1113ef94c0734bc8d5d1865fc62593852bf

SHA512
37481387374ca7ee78ed024462ba870cd2a945856da343a25c0efc9dab6c11d7447880e77cbd77180f521fe8c2de6f87b5c068c971d1ea14c9587dd56a5084ae

Download Submit
C:\Windows\System32\cEDdhga.exe

Filesize
1.4MB

MD5
1c0212f82503b015d62a35c2492227c6

SHA1
04eeb7388cae943df72233ecb3715924fc9c21b9

SHA256
4e69637f7e0e84e121898ffeeea644d2cf042c2e1117aed46d995b95f9f8313d

SHA512
035157ecde64849f2226b1185fa300a968315dfb2f05028e3bb35bebab527afc95de67f0edb7b7ce7352941ae3fdae4856dbe180fd20bf50ed455106171b8f8b

Download Submit
C:\Windows\System32\cYSZqMJ.exe

Filesize
1.4MB

MD5
a5deeaeafcd49cc04abf676151594119

SHA1
c9fac03fe59c783447a259dc96ff655576b5aeb9

SHA256
effcc69ceec62e4e30762b57f664a1072e99d8c81c80d7c19650f78cbbb31224

SHA512
c77603947b50ae4a984538cdfff65be8e5d3c6cbe56bc9091ff3143a5783df49078fc9fd0db14f07abbe2b3348381c7ca26198a64518fd651d1122f0f18223a2

Download Submit
C:\Windows\System32\dSRcHrX.exe

Filesize
1.4MB

MD5
bfc7604527e6413ce60a1d313cd05197

SHA1
01a848469f99bf1092447e3bf7ec0b3d19709b27

SHA256
886177262185a7304d99ded6a2bf14d5d50374e69c0004a5cb6f1e00b2eb8204

SHA512
76c857d3fbc6a786ba68afc041a59d19b4fbfd001739beb1850148c0047740af9c86aab9b5ddd4e557fa85b22351f23cfb464d5b391f29b86373f7a24fab4311

Download Submit
C:\Windows\System32\eDJMGrQ.exe

Filesize
1.4MB

MD5
e27eced36768fee3b9c74db7d529968a

SHA1
55e3e1706e566ec2e0c27633cef5a6bb6593a7e9

SHA256
f946c586ae036d0da2c15393a62c6cbcb93560830b47eceaf03a677567c07a92

SHA512
0d12d64a96e6655a19fef2384c5ee8adf6dfa94ca618f2ea5babaf0f813ea3263cc526f07ce916fa08e59b1030b17cac3f2b15326023fbec3db970a75ec58d85

Download Submit
C:\Windows\System32\ePNvtTP.exe

Filesize
1.4MB

MD5
28cfba74cb410bc64ecce5d75d8e4f55

SHA1
13b7d87545a7346afe6c11bb99b2c5030b53af92

SHA256
e10a26535a4522468de6d25fb6e360bb461f871ef1ad66932fa4621bdebd8610

SHA512
0c7483ec6f45165baa14edbd180e066199bf017cae5bca1a5e628e2dac22dd179d86825e2f75811f6ef55215bc30e1f5ca34487eeffa2566c15ee09eeb162897

Download Submit
C:\Windows\System32\efkXfGI.exe

Filesize
1.4MB

MD5
f22e95d0575e0df99d2bf91d71d56725

SHA1
71d5c71d7415238b424fc85d92f9369654b7e4ca

SHA256
b5609b262186ca6b01123dae09f7c4a452729283a0f9c0c4ef46cb7fdb014309

SHA512
7504a376eb043c4997349dff8f8ab09e5ee1ba9c1fecf0feb0b45dd540ab5111b69577143ea28e30fdb3194c803760b71222b32b92438947c2507c95beec6af2

Download Submit
C:\Windows\System32\eoyhrPr.exe

Filesize
1.4MB

MD5
2d2613d4e21cd480bb72a77c2e04fe82

SHA1
bc04a778c61a1a2596ed6e26b219b45a5d3f5135

SHA256
fd220a6ae51419439b3a3e8aedbe1ce46d08287cbb6710aa11e693ea86ed97c8

SHA512
59cc5cfee00230a44f1c6d8649148cd2dec5cffc4790edb110bc88ff7b3e7cafef84d99fb91c2dc4540d82a2cad9e192be88668d63441a5dee15b7ebcd85fecd

Download Submit
C:\Windows\System32\fMGFxVp.exe

Filesize
1.4MB

MD5
a4412716c71250caf0590e5e2769d04c

SHA1
c917d0daadce8a5ee00f2380071ee0f1a20fad2c

SHA256
3e417cf4d687c1402729491b0bf4a339d90e9688e335d29fa918468db9f7c584

SHA512
aa1d15e3ef03f0b6fc482f2b4b632b277538d5e2a2c0de6d9f25efa06c67306e63d8418829e385d10a6ccee9e22d37e2362c784c6ac4cd570c69bf2c8df56f88

Download Submit
C:\Windows\System32\gcxHinf.exe

Filesize
1.4MB

MD5
c4bf69197af5da1b9d7f341dd1816ff1

SHA1
11a7613318ad04c172396abb220c72419ff4b661

SHA256
7851542dfe7c9a155813dea8cd2f610d1f19faa7612443dfd9726e0adb58a07d

SHA512
6a850b5a177af07f47aea2e82b6ae6e7ce2d83d35afde6528f4bd70473ed8102bafce6b64d1c60d4a754fe2a88f949b128e58f6ebaefe035e3ec7ac6a7b9dea2

Download Submit
C:\Windows\System32\lceYPXI.exe

Filesize
1.4MB

MD5
89b125dc513b4481d183cdb446fb6a46

SHA1
b0b5bfd8d9ad24a118278d1433812de5659f52a8

SHA256
d6b4e8ae25ec6518caaf3574ddd3bde9bf0183c94e186419e837d43c27c9824d

SHA512
fe2b0d605ea502b55639694ab64ed9e682dec02b1514f6c7dd3065ad278fdf1ef867c8080e6a0dcaacb4512dca822c061035e86e4150ce67b6dafcd89dd999f0

Download Submit
C:\Windows\System32\lchdjWV.exe

Filesize
1.4MB

MD5
8f45a1e5bfb28d569dd4a48b35038ca0

SHA1
b13bd71f4770c47a4faf64988d49847c09e80664

SHA256
b60ebbba721f2f4ca4021c3f9112ad8d26941673525b83e3ae161b4ca350fd6a

SHA512
d1d6457fb29471dbd2cd8ce02b4c3c11d22fb2cce246686519cb05f52260d6ec302aab3e376e93b07fe5ad0019978f42ccd46299f6acd472950d4d5338b6d620

Download Submit
C:\Windows\System32\mfQyMfZ.exe

Filesize
1.4MB

MD5
bc8f06a3b28ff11d5fedd6f95ef8af27

SHA1
53276b2f03de4b53ea7794372d9dfcac1d5b237d

SHA256
b183ab5b44cc5f36869eb11ebe6df5cdf58228cc97d8af42166032132d2cf44f

SHA512
c0c28e87b29d0ed76a08971715e06706736e74781a451d7bcd90878e10bbf378ce39b5d1f60cc8dadb2bfaed6dae611f8e9370c63818c6a95c9532a306e2bd6a

Download Submit
C:\Windows\System32\oOviVPK.exe

Filesize
1.4MB

MD5
2fc457cbb57602cef14554179e6a7247

SHA1
1ac4ff06d9f9cef2eb53f06d5215068603402493

SHA256
de58c3c093857dc4ae45dd1007ce19c028d593f5e83b650b695036e693d05a7a

SHA512
2e5d8d7187f541a4a97c48a37630cf5fc7135de40eec05ee2154457e97fee30a844b4750de67f72c24133e1c23256327aca5b0428b040f849d445101e70ecb99

Download Submit
C:\Windows\System32\osFuECZ.exe

Filesize
1.4MB

MD5
1cca456791b21f8cd2ab92a6b218dc56

SHA1
cce24cf257000d949b7a501b6aa0b384d23cd9b2

SHA256
ae1892ccb919d4534a20d03e1639915b7599f425286b0b3b42fe5f855a304ea2

SHA512
7a46749706dd54de5fa8b3d01b3bd7c142e2ac997f914771ae404a43b129867a329f04c14b8a12569de49b6409ea2c5d742e780d0b2d583bb5468e5ad3a7faef

Download Submit
C:\Windows\System32\pOpHqUk.exe

Filesize
1.4MB

MD5
a669bd020964e7f55d2634c91b19be3b

SHA1
2c580ba6facf21fa498a01fab2764ef75e616072

SHA256
ebdf1aef5a62df1265243f2e16a818a7ff3ce8d9331bcb12a2aa0d7fb57e7c44

SHA512
0af8d539b2de375c525109ac621ba7e6676c2d5e3b90cb3b45be7be0696b066defd00800059f522075048ef3d4e5d7e8d79205f79580f6d24817c62318f6e06d

Download Submit
C:\Windows\System32\qKoZWmQ.exe

Filesize
1.4MB

MD5
b305eee746bdb7f10b0ed74d7c7eb873

SHA1
82c9278e7438ee4dd5d3345e3ef6b8ced906cf7e

SHA256
97f1e6e093b32d46bd8f4390851cff484331e6e9eec8d3dc41aa95783009b46c

SHA512
5d4b23c3289946f1d8d66d0e392556ad39f78d887eea73735c15f63969a2f3534e62d5eb2947413cd9813c04b26605689537e88901cb300b2160199809640de0

Download Submit
C:\Windows\System32\synWYLx.exe

Filesize
1.4MB

MD5
4a8257a8494e943feaa99649fcb120da

SHA1
c944a8b8e5956bc4e0836265d31ae8563d2bf270

SHA256
f02ccbbe6f8f2d66bc97aba15e1661a89bed032fb9060b054a89afe4c03d199a

SHA512
63d19d9da1f6eee822260d4acd3d04ebbe5635e3a731f9e9ec933642cd044495242254c51fe468a51d078a5b38ddaf8cd6dfa1fd49db9eb473ce1742b70fe731

Download Submit
C:\Windows\System32\tfUlDnH.exe

Filesize
1.4MB

MD5
1dceea9128f1eabfa3d35731958c67ae

SHA1
a9fa61dfb20357f9108a999f7711550c768f302b

SHA256
e2607d42c2c7051755cbdf8a571c2d22b95e818189e18a19740e87512630fc4b

SHA512
334dd5e472ac54de9316c0203ba7a6372a3636c145a6f03d0367a52c2cc1065c50885dfcb2b4f42cb06e7ce8bb150e234f569f9370adf7be9f5eabcbddd978b2

Download Submit
C:\Windows\System32\tnTAMHD.exe

Filesize
1.4MB

MD5
75e7c1ab09b0757376911e55926bfe08

SHA1
d9efd0297586ac7b2ef600aca3022cf3bf9b4f85

SHA256
c7a28901037120f80704dc137c9596a04d6e530a420aac53bc15e4c8fb9273a8

SHA512
73a3ca43165e4f7927ea388de91d5381e527008506e8e6c3254b39f25b7bde8b59efb5f2f7a0b48b1d9ecf8598b625c0e5ae455514dbafd906d7a7d7172ded5b

Download Submit
C:\Windows\System32\toCNTrE.exe

Filesize
1.4MB

MD5
5379e0560bca859fac9acfe12dae5ca9

SHA1
54faa0220c7514bcfff857653a4d741f58b9820a

SHA256
9aea28aae6993032676caf538e35d690101b182638c5b772c3ef3963af88e452

SHA512
2b4cbb373292703fb7fe1d46d584bc2b1848bc97471258612f8c4a762e792b5f6494305ac47c918233d645dbf002f5173335504e09cb18863ebb137712d42aec

Download Submit
C:\Windows\System32\vJKpIPD.exe

Filesize
1.4MB

MD5
07e3c63ee1669351b3b5b4a5e96c3042

SHA1
9a2c983f0a68572521a60dacd43e0f2cd660babc

SHA256
910063dba3f262a4143b7138840117a2d5a1908e64347acf0e8e110fa815e91d

SHA512
59865a33c3553833933412779ae9286d8de969fa9c6eaa694f6ec33b4106b5c4f2a3437870a2195c6d0333fcd4c525898a030ace24fba5bf88691b6e46739830

Download Submit
C:\Windows\System32\wGYehGh.exe

Filesize
1.4MB

MD5
afb46cead464139a22f0769537d51af7

SHA1
564a4d6e9774d0f4298a589516cfa8b9ba12f060

SHA256
aaff2c1fdbaac75608e57b469d85f58cb054115c198fbb65ee3b1995ce87fc18

SHA512
13aafa6813e43303e0d9e0f82c954b0e9c60813ca35166dfb76bbd7cb1d0a0a7626a239f90d64c331bdac4793625465236816ed8205624c32f590d1ee3385488

Download Submit
C:\Windows\System32\xUbILTh.exe

Filesize
1.4MB

MD5
17ffba6fbfd97c20a65bf9901b2c81f9

SHA1
ce2fcf844891847dd555c59880ad9189fd00c007

SHA256
58c6ea051245199f0380eeabf4714f5810c29b4c9b7ef265af4606743bf9b5ee

SHA512
e08c8b6d92d0230e9c8d0d330368954f12e6b1f1c2f76aabaef2742981963e5255e64c715d6f1c08b0998fb58a9a1ebe2a5a6a1e6f0264026958795533f4962d

Download Submit
C:\Windows\System32\zdlDxmM.exe

Filesize
1.4MB

MD5
da14da3a0f9b0335c6c810e13d079131

SHA1
e6519500da5934d535ac9efd99bae36705ac7a03

SHA256
1c51a20b9fbba149d9e456059a3f8dd75d28c12e4533198b56bd87932ddf167a

SHA512
850d0ed0d82e1e191ec461466b7f50283c0e62e58bc83e7203bccbe1d60dfdb14e3d871b6e9a2e0e5b1f984e106043fb64aaa4471c4bb105faecd3d7119e8d73

Download Submit
memory/872-2065-0x00007FF7E7170000-0x00007FF7E7561000-memory.dmp

Filesize
3.9MB

Download
memory/872-525-0x00007FF7E7170000-0x00007FF7E7561000-memory.dmp

Filesize
3.9MB

Download
memory/1364-523-0x00007FF703270000-0x00007FF703661000-memory.dmp

Filesize
3.9MB

Download
memory/1364-2061-0x00007FF703270000-0x00007FF703661000-memory.dmp

Filesize
3.9MB

Download
memory/1376-524-0x00007FF63EEA0000-0x00007FF63F291000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2063-0x00007FF63EEA0000-0x00007FF63F291000-memory.dmp

Filesize
3.9MB

Download
memory/1904-521-0x00007FF752200000-0x00007FF7525F1000-memory.dmp

Filesize
3.9MB

Download
memory/1904-2059-0x00007FF752200000-0x00007FF7525F1000-memory.dmp

Filesize
3.9MB

Download
memory/2252-2038-0x00007FF6B7160000-0x00007FF6B7551000-memory.dmp

Filesize
3.9MB

Download
memory/2252-490-0x00007FF6B7160000-0x00007FF6B7551000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2054-0x00007FF7FA2A0000-0x00007FF7FA691000-memory.dmp

Filesize
3.9MB

Download
memory/2296-514-0x00007FF7FA2A0000-0x00007FF7FA691000-memory.dmp

Filesize
3.9MB

Download
memory/2344-2020-0x00007FF718E70000-0x00007FF719261000-memory.dmp

Filesize
3.9MB

Download
memory/2344-14-0x00007FF718E70000-0x00007FF719261000-memory.dmp

Filesize
3.9MB

Download
memory/2912-485-0x00007FF69E480000-0x00007FF69E871000-memory.dmp

Filesize
3.9MB

Download
memory/2912-2034-0x00007FF69E480000-0x00007FF69E871000-memory.dmp

Filesize
3.9MB

Download
memory/3108-13-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp

Filesize
3.9MB

Download
memory/3108-2022-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp

Filesize
3.9MB

Download
memory/3108-2013-0x00007FF717CC0000-0x00007FF7180B1000-memory.dmp

Filesize
3.9MB

Download
memory/3368-2067-0x00007FF796800000-0x00007FF796BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3368-526-0x00007FF796800000-0x00007FF796BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3380-2036-0x00007FF6601F0000-0x00007FF6605E1000-memory.dmp

Filesize
3.9MB

Download
memory/3380-482-0x00007FF6601F0000-0x00007FF6605E1000-memory.dmp

Filesize
3.9MB

Download
memory/3416-18-0x00007FF70B380000-0x00007FF70B771000-memory.dmp

Filesize
3.9MB

Download
memory/3416-2026-0x00007FF70B380000-0x00007FF70B771000-memory.dmp

Filesize
3.9MB

Download
memory/3416-2014-0x00007FF70B380000-0x00007FF70B771000-memory.dmp

Filesize
3.9MB

Download
memory/3516-2028-0x00007FF6CE3D0000-0x00007FF6CE7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3516-484-0x00007FF6CE3D0000-0x00007FF6CE7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-510-0x00007FF6B3800000-0x00007FF6B3BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-2052-0x00007FF6B3800000-0x00007FF6B3BF1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-507-0x00007FF74F1C0000-0x00007FF74F5B1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-2050-0x00007FF74F1C0000-0x00007FF74F5B1000-memory.dmp

Filesize
3.9MB

Download
memory/3792-2030-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp

Filesize
3.9MB

Download
memory/3792-486-0x00007FF7621C0000-0x00007FF7625B1000-memory.dmp

Filesize
3.9MB

Download
memory/3796-2044-0x00007FF6B16D0000-0x00007FF6B1AC1000-memory.dmp

Filesize
3.9MB

Download
memory/3796-499-0x00007FF6B16D0000-0x00007FF6B1AC1000-memory.dmp

Filesize
3.9MB

Download
memory/3884-2048-0x00007FF6B5D40000-0x00007FF6B6131000-memory.dmp

Filesize
3.9MB

Download
memory/3884-512-0x00007FF6B5D40000-0x00007FF6B6131000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2056-0x00007FF64DDE0000-0x00007FF64E1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4464-516-0x00007FF64DDE0000-0x00007FF64E1D1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-483-0x00007FF649C30000-0x00007FF64A021000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2032-0x00007FF649C30000-0x00007FF64A021000-memory.dmp

Filesize
3.9MB

Download
memory/4604-504-0x00007FF6265C0000-0x00007FF6269B1000-memory.dmp

Filesize
3.9MB

Download
memory/4604-2046-0x00007FF6265C0000-0x00007FF6269B1000-memory.dmp

Filesize
3.9MB

Download
memory/4692-496-0x00007FF6324E0000-0x00007FF6328D1000-memory.dmp

Filesize
3.9MB

Download
memory/4692-2042-0x00007FF6324E0000-0x00007FF6328D1000-memory.dmp

Filesize
3.9MB

Download
memory/4920-493-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp

Filesize
3.9MB

Download
memory/4920-2040-0x00007FF7D6BF0000-0x00007FF7D6FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5012-0-0x00007FF667DB0000-0x00007FF6681A1000-memory.dmp

Filesize
3.9MB

Download
memory/5012-1-0x00000229183F0000-0x0000022918400000-memory.dmp

Filesize
64KB

Download
memory/5108-2024-0x00007FF63A300000-0x00007FF63A6F1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-27-0x00007FF63A300000-0x00007FF63A6F1000-memory.dmp

Filesize
3.9MB

Download