xmrig | 0d6abfe0f4a7507ad0009e214c3cc5c0af7fca98681376460cbe845b15a4e817

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
Size

1.1MB
MD5

57c6fb8670f6b1d3032d249f21018e00
SHA1

007df53c8a8795b6fc077d599ab28f0aadf6233f
SHA256

0d6abfe0f4a7507ad0009e214c3cc5c0af7fca98681376460cbe845b15a4e817
SHA512

bd47d67b0ebd137497246aabf3b9bfd466868502e6baf9162eb8d70e21cbbde405e68fac8cc7645c0f56a64e481b64d781e2f380e6bb6ce5f3df5d97e67d9d04
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlia+zW7rir+u8bgm90L2B8:knw9oUUEEDlZ6RIH58

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2848-36-0x00007FF6D0960000-0x00007FF6D0D51000-memory.dmp	xmrig
behavioral2/memory/2116-38-0x00007FF6628A0000-0x00007FF662C91000-memory.dmp	xmrig
behavioral2/memory/1800-37-0x00007FF64BE10000-0x00007FF64C201000-memory.dmp	xmrig
behavioral2/memory/224-27-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp	xmrig
behavioral2/memory/4876-86-0x00007FF6F6BF0000-0x00007FF6F6FE1000-memory.dmp	xmrig
behavioral2/memory/1676-89-0x00007FF634090000-0x00007FF634481000-memory.dmp	xmrig
behavioral2/memory/2892-381-0x00007FF726790000-0x00007FF726B81000-memory.dmp	xmrig
behavioral2/memory/5012-380-0x00007FF6700C0000-0x00007FF6704B1000-memory.dmp	xmrig
behavioral2/memory/4456-382-0x00007FF60DCC0000-0x00007FF60E0B1000-memory.dmp	xmrig
behavioral2/memory/1508-383-0x00007FF7F7600000-0x00007FF7F79F1000-memory.dmp	xmrig
behavioral2/memory/4752-384-0x00007FF64D2F0000-0x00007FF64D6E1000-memory.dmp	xmrig
behavioral2/memory/2376-385-0x00007FF7D84D0000-0x00007FF7D88C1000-memory.dmp	xmrig
behavioral2/memory/1304-386-0x00007FF7CC640000-0x00007FF7CCA31000-memory.dmp	xmrig
behavioral2/memory/1740-387-0x00007FF6E3BF0000-0x00007FF6E3FE1000-memory.dmp	xmrig
behavioral2/memory/5096-92-0x00007FF647D20000-0x00007FF648111000-memory.dmp	xmrig
behavioral2/memory/2340-87-0x00007FF6E5CA0000-0x00007FF6E6091000-memory.dmp	xmrig
behavioral2/memory/3432-83-0x00007FF7EB8E0000-0x00007FF7EBCD1000-memory.dmp	xmrig
behavioral2/memory/2876-81-0x00007FF798EC0000-0x00007FF7992B1000-memory.dmp	xmrig
behavioral2/memory/1788-965-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp	xmrig
behavioral2/memory/1888-960-0x00007FF617870000-0x00007FF617C61000-memory.dmp	xmrig
behavioral2/memory/224-1455-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp	xmrig
behavioral2/memory/2020-2001-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp	xmrig
behavioral2/memory/1860-2002-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp	xmrig
behavioral2/memory/2264-2035-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp	xmrig
behavioral2/memory/4008-2036-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp	xmrig
behavioral2/memory/2136-2037-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp	xmrig
behavioral2/memory/1888-2039-0x00007FF617870000-0x00007FF617C61000-memory.dmp	xmrig
behavioral2/memory/1788-2041-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp	xmrig
behavioral2/memory/224-2043-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp	xmrig
behavioral2/memory/2848-2049-0x00007FF6D0960000-0x00007FF6D0D51000-memory.dmp	xmrig
behavioral2/memory/2116-2047-0x00007FF6628A0000-0x00007FF662C91000-memory.dmp	xmrig
behavioral2/memory/1800-2045-0x00007FF64BE10000-0x00007FF64C201000-memory.dmp	xmrig
behavioral2/memory/1676-2097-0x00007FF634090000-0x00007FF634481000-memory.dmp	xmrig
behavioral2/memory/2876-2095-0x00007FF798EC0000-0x00007FF7992B1000-memory.dmp	xmrig
behavioral2/memory/2020-2093-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp	xmrig
behavioral2/memory/1860-2091-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp	xmrig
behavioral2/memory/4456-2141-0x00007FF60DCC0000-0x00007FF60E0B1000-memory.dmp	xmrig
behavioral2/memory/1304-2149-0x00007FF7CC640000-0x00007FF7CCA31000-memory.dmp	xmrig
behavioral2/memory/1740-2151-0x00007FF6E3BF0000-0x00007FF6E3FE1000-memory.dmp	xmrig
behavioral2/memory/2376-2147-0x00007FF7D84D0000-0x00007FF7D88C1000-memory.dmp	xmrig
behavioral2/memory/1508-2143-0x00007FF7F7600000-0x00007FF7F79F1000-memory.dmp	xmrig
behavioral2/memory/4752-2145-0x00007FF64D2F0000-0x00007FF64D6E1000-memory.dmp	xmrig
behavioral2/memory/2892-2137-0x00007FF726790000-0x00007FF726B81000-memory.dmp	xmrig
behavioral2/memory/4008-2135-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp	xmrig
behavioral2/memory/2136-2139-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp	xmrig
behavioral2/memory/2264-2132-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp	xmrig
behavioral2/memory/4876-2118-0x00007FF6F6BF0000-0x00007FF6F6FE1000-memory.dmp	xmrig
behavioral2/memory/3432-2116-0x00007FF7EB8E0000-0x00007FF7EBCD1000-memory.dmp	xmrig
behavioral2/memory/5096-2114-0x00007FF647D20000-0x00007FF648111000-memory.dmp	xmrig
behavioral2/memory/2340-2112-0x00007FF6E5CA0000-0x00007FF6E6091000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

SSyoBZA.exeFhjfOmt.exewUuInjr.exejDbRCUX.exeJThkQZa.exehlLLIuE.exeGMXwWwz.exejuzsuCG.exebGsunvo.exeZYFLqrT.exeeebILRd.exeINWPCcK.exeUAYmyJj.exejkycvAN.exeYVhEOEz.exeKgSTuyh.exehykgKnQ.exeSdSJCqe.exextJnwKw.exeLtYSGwm.exeLDEPLWe.exeqEJvoUE.exeLWmfyjh.exekIAYNDz.exeXmWudcU.exezjEWWtt.exeBgMhbTU.exezsDCARi.exeODgqlrM.exeKvXcikF.exelxXrIUM.exepnBakFw.exeBjkWFIQ.exedBCvAHc.exeXWcgOxK.exerUiaYLP.exelcJURqx.exekiTNOQY.exeROqnwbp.exeJVHqAtn.exeKGvOCOe.exefEBTATW.exewhZrrcv.execCBhPRd.exevbKCbDT.exeVVbKnyu.exenXPPBBt.exeYOreaaz.exeDoWvwsS.exerECKhIw.exeabIooWj.exeqXANXjr.exepELdIRf.exeIFNWQPJ.exepbWMbvd.exeUOGbMmL.exeiPjYdJu.exeatQDMSl.exeLnVWKKO.execOoqCsh.exeyULHDSz.exezigFETj.exeUblLZTH.exeJQjrlzf.exe

pid	process
1888	SSyoBZA.exe
1788	FhjfOmt.exe
224	wUuInjr.exe
2848	jDbRCUX.exe
2116	JThkQZa.exe
1800	hlLLIuE.exe
2020	GMXwWwz.exe
1860	juzsuCG.exe
2340	bGsunvo.exe
2876	ZYFLqrT.exe
1676	eebILRd.exe
5096	INWPCcK.exe
3432	UAYmyJj.exe
4876	jkycvAN.exe
2264	YVhEOEz.exe
4008	KgSTuyh.exe
2136	hykgKnQ.exe
2892	SdSJCqe.exe
4456	xtJnwKw.exe
1508	LtYSGwm.exe
4752	LDEPLWe.exe
2376	qEJvoUE.exe
1304	LWmfyjh.exe
1740	kIAYNDz.exe
5032	XmWudcU.exe
4044	zjEWWtt.exe
5040	BgMhbTU.exe
3484	zsDCARi.exe
4468	ODgqlrM.exe
628	KvXcikF.exe
4624	lxXrIUM.exe
1896	pnBakFw.exe
2740	BjkWFIQ.exe
2028	dBCvAHc.exe
4048	XWcgOxK.exe
1428	rUiaYLP.exe
3944	lcJURqx.exe
1084	kiTNOQY.exe
4824	ROqnwbp.exe
4544	JVHqAtn.exe
2496	KGvOCOe.exe
3420	fEBTATW.exe
3464	whZrrcv.exe
2864	cCBhPRd.exe
4924	vbKCbDT.exe
2092	VVbKnyu.exe
836	nXPPBBt.exe
1836	YOreaaz.exe
3284	DoWvwsS.exe
4236	rECKhIw.exe
3928	abIooWj.exe
4460	qXANXjr.exe
4036	pELdIRf.exe
2308	IFNWQPJ.exe
5036	pbWMbvd.exe
5048	UOGbMmL.exe
2924	iPjYdJu.exe
3196	atQDMSl.exe
4052	LnVWKKO.exe
5100	cOoqCsh.exe
384	yULHDSz.exe
4440	zigFETj.exe
4696	UblLZTH.exe
5052	JQjrlzf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5012-0-0x00007FF6700C0000-0x00007FF6704B1000-memory.dmp	upx
C:\Windows\System32\SSyoBZA.exe	upx
C:\Windows\System32\wUuInjr.exe	upx
behavioral2/memory/1888-8-0x00007FF617870000-0x00007FF617C61000-memory.dmp	upx
C:\Windows\System32\FhjfOmt.exe	upx
C:\Windows\System32\jDbRCUX.exe	upx
C:\Windows\System32\JThkQZa.exe	upx
C:\Windows\System32\hlLLIuE.exe	upx
behavioral2/memory/2848-36-0x00007FF6D0960000-0x00007FF6D0D51000-memory.dmp	upx
behavioral2/memory/2116-38-0x00007FF6628A0000-0x00007FF662C91000-memory.dmp	upx
behavioral2/memory/1800-37-0x00007FF64BE10000-0x00007FF64C201000-memory.dmp	upx
behavioral2/memory/224-27-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp	upx
behavioral2/memory/1788-18-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp	upx
C:\Windows\System32\GMXwWwz.exe	upx
C:\Windows\System32\juzsuCG.exe	upx
C:\Windows\System32\eebILRd.exe	upx
C:\Windows\System32\INWPCcK.exe	upx
C:\Windows\System32\bGsunvo.exe	upx
C:\Windows\System32\jkycvAN.exe	upx
C:\Windows\System32\YVhEOEz.exe	upx
behavioral2/memory/4876-86-0x00007FF6F6BF0000-0x00007FF6F6FE1000-memory.dmp	upx
behavioral2/memory/1676-89-0x00007FF634090000-0x00007FF634481000-memory.dmp	upx
behavioral2/memory/2264-95-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp	upx
C:\Windows\System32\SdSJCqe.exe	upx
C:\Windows\System32\LWmfyjh.exe	upx
C:\Windows\System32\ODgqlrM.exe	upx
behavioral2/memory/2892-381-0x00007FF726790000-0x00007FF726B81000-memory.dmp	upx
behavioral2/memory/5012-380-0x00007FF6700C0000-0x00007FF6704B1000-memory.dmp	upx
behavioral2/memory/4456-382-0x00007FF60DCC0000-0x00007FF60E0B1000-memory.dmp	upx
behavioral2/memory/1508-383-0x00007FF7F7600000-0x00007FF7F79F1000-memory.dmp	upx
behavioral2/memory/4752-384-0x00007FF64D2F0000-0x00007FF64D6E1000-memory.dmp	upx
behavioral2/memory/2376-385-0x00007FF7D84D0000-0x00007FF7D88C1000-memory.dmp	upx
behavioral2/memory/1304-386-0x00007FF7CC640000-0x00007FF7CCA31000-memory.dmp	upx
behavioral2/memory/1740-387-0x00007FF6E3BF0000-0x00007FF6E3FE1000-memory.dmp	upx
C:\Windows\System32\pnBakFw.exe	upx
C:\Windows\System32\lxXrIUM.exe	upx
C:\Windows\System32\KvXcikF.exe	upx
C:\Windows\System32\zsDCARi.exe	upx
C:\Windows\System32\BgMhbTU.exe	upx
C:\Windows\System32\zjEWWtt.exe	upx
C:\Windows\System32\XmWudcU.exe	upx
C:\Windows\System32\kIAYNDz.exe	upx
C:\Windows\System32\qEJvoUE.exe	upx
C:\Windows\System32\LDEPLWe.exe	upx
C:\Windows\System32\LtYSGwm.exe	upx
C:\Windows\System32\xtJnwKw.exe	upx
C:\Windows\System32\hykgKnQ.exe	upx
behavioral2/memory/2136-102-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp	upx
C:\Windows\System32\KgSTuyh.exe	upx
behavioral2/memory/4008-99-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp	upx
behavioral2/memory/5096-92-0x00007FF647D20000-0x00007FF648111000-memory.dmp	upx
behavioral2/memory/2340-87-0x00007FF6E5CA0000-0x00007FF6E6091000-memory.dmp	upx
behavioral2/memory/3432-83-0x00007FF7EB8E0000-0x00007FF7EBCD1000-memory.dmp	upx
behavioral2/memory/2876-81-0x00007FF798EC0000-0x00007FF7992B1000-memory.dmp	upx
C:\Windows\System32\UAYmyJj.exe	upx
behavioral2/memory/1860-65-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp	upx
C:\Windows\System32\ZYFLqrT.exe	upx
behavioral2/memory/2020-52-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp	upx
behavioral2/memory/1788-965-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp	upx
behavioral2/memory/1888-960-0x00007FF617870000-0x00007FF617C61000-memory.dmp	upx
behavioral2/memory/224-1455-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp	upx
behavioral2/memory/2020-2001-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp	upx
behavioral2/memory/1860-2002-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp	upx
behavioral2/memory/2264-2035-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System32\kklPyjU.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\vuKgVEI.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\zjEWWtt.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\XWcgOxK.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\WFzNtAt.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\yQXiKCk.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\ENvrGBZ.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\KtCpoqM.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\FjwDncG.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\QEtykfU.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\YFHRhvc.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\IpgeJja.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\TyySRKs.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\QmUHWEy.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\SnyyhQP.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\xhfEnOh.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\ZVcwwyk.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\MgNktwX.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\nkAmFFO.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\moLtTIg.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\kSeuTKT.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\uvmhRlb.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\scGUfcc.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\JFDFzfZ.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\YlvbpZm.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\ryYcGeJ.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\xNtIWPx.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\VcOSszl.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\brwjsQF.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\MxtnFZI.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\RmSTDHf.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\UuFViRs.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\XTgUmew.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\iATPNPg.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\VvxIqvN.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\TKWoiZT.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\XKUGBCG.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\uuaeoCr.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\SfgNpQS.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\psKcCWH.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\QhgnCbn.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\WorHbPR.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\dwkPcrA.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\PKJIuRj.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\MhikzfH.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\RacDrwv.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\DEpTdcw.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\vbKCbDT.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\LjdgWjf.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\YlCZyOx.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\XyEoSHr.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\sNkoRYw.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\owlpOrb.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\kCLwVZe.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\eaLzBPH.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\SVXyeaB.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\RIwKVdq.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\VnnfMxo.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\mVWSATf.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\GIblfGE.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\tgxxKWO.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\HPaPink.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\SCHPiVW.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
File created	C:\Windows\System32\RhyiGwM.exe	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	13864	dwm.exe
Token: SeChangeNotifyPrivilege	13864	dwm.exe
Token: 33	13864	dwm.exe
Token: SeIncBasePriorityPrivilege	13864	dwm.exe
Token: SeShutdownPrivilege	13864	dwm.exe
Token: SeCreatePagefilePrivilege	13864	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe

description	pid	process	target process
PID 5012 wrote to memory of 1888	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	SSyoBZA.exe
PID 5012 wrote to memory of 1888	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	SSyoBZA.exe
PID 5012 wrote to memory of 1788	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	FhjfOmt.exe
PID 5012 wrote to memory of 1788	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	FhjfOmt.exe
PID 5012 wrote to memory of 224	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	wUuInjr.exe
PID 5012 wrote to memory of 224	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	wUuInjr.exe
PID 5012 wrote to memory of 2848	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	jDbRCUX.exe
PID 5012 wrote to memory of 2848	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	jDbRCUX.exe
PID 5012 wrote to memory of 2116	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	JThkQZa.exe
PID 5012 wrote to memory of 2116	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	JThkQZa.exe
PID 5012 wrote to memory of 1800	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	hlLLIuE.exe
PID 5012 wrote to memory of 1800	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	hlLLIuE.exe
PID 5012 wrote to memory of 2020	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	GMXwWwz.exe
PID 5012 wrote to memory of 2020	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	GMXwWwz.exe
PID 5012 wrote to memory of 1860	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	juzsuCG.exe
PID 5012 wrote to memory of 1860	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	juzsuCG.exe
PID 5012 wrote to memory of 2340	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	bGsunvo.exe
PID 5012 wrote to memory of 2340	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	bGsunvo.exe
PID 5012 wrote to memory of 2876	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	ZYFLqrT.exe
PID 5012 wrote to memory of 2876	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	ZYFLqrT.exe
PID 5012 wrote to memory of 1676	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	eebILRd.exe
PID 5012 wrote to memory of 1676	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	eebILRd.exe
PID 5012 wrote to memory of 5096	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	INWPCcK.exe
PID 5012 wrote to memory of 5096	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	INWPCcK.exe
PID 5012 wrote to memory of 3432	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	UAYmyJj.exe
PID 5012 wrote to memory of 3432	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	UAYmyJj.exe
PID 5012 wrote to memory of 4876	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	jkycvAN.exe
PID 5012 wrote to memory of 4876	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	jkycvAN.exe
PID 5012 wrote to memory of 2264	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	YVhEOEz.exe
PID 5012 wrote to memory of 2264	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	YVhEOEz.exe
PID 5012 wrote to memory of 4008	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	KgSTuyh.exe
PID 5012 wrote to memory of 4008	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	KgSTuyh.exe
PID 5012 wrote to memory of 2136	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	hykgKnQ.exe
PID 5012 wrote to memory of 2136	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	hykgKnQ.exe
PID 5012 wrote to memory of 2892	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	SdSJCqe.exe
PID 5012 wrote to memory of 2892	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	SdSJCqe.exe
PID 5012 wrote to memory of 4456	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	xtJnwKw.exe
PID 5012 wrote to memory of 4456	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	xtJnwKw.exe
PID 5012 wrote to memory of 1508	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LtYSGwm.exe
PID 5012 wrote to memory of 1508	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LtYSGwm.exe
PID 5012 wrote to memory of 4752	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LDEPLWe.exe
PID 5012 wrote to memory of 4752	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LDEPLWe.exe
PID 5012 wrote to memory of 2376	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	qEJvoUE.exe
PID 5012 wrote to memory of 2376	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	qEJvoUE.exe
PID 5012 wrote to memory of 1304	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LWmfyjh.exe
PID 5012 wrote to memory of 1304	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	LWmfyjh.exe
PID 5012 wrote to memory of 1740	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	kIAYNDz.exe
PID 5012 wrote to memory of 1740	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	kIAYNDz.exe
PID 5012 wrote to memory of 5032	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	XmWudcU.exe
PID 5012 wrote to memory of 5032	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	XmWudcU.exe
PID 5012 wrote to memory of 4044	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	zjEWWtt.exe
PID 5012 wrote to memory of 4044	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	zjEWWtt.exe
PID 5012 wrote to memory of 5040	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	BgMhbTU.exe
PID 5012 wrote to memory of 5040	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	BgMhbTU.exe
PID 5012 wrote to memory of 3484	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	zsDCARi.exe
PID 5012 wrote to memory of 3484	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	zsDCARi.exe
PID 5012 wrote to memory of 4468	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	ODgqlrM.exe
PID 5012 wrote to memory of 4468	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	ODgqlrM.exe
PID 5012 wrote to memory of 628	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	KvXcikF.exe
PID 5012 wrote to memory of 628	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	KvXcikF.exe
PID 5012 wrote to memory of 4624	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	lxXrIUM.exe
PID 5012 wrote to memory of 4624	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	lxXrIUM.exe
PID 5012 wrote to memory of 1896	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	pnBakFw.exe
PID 5012 wrote to memory of 1896	5012	57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe	pnBakFw.exe

C:\Users\Admin\AppData\Local\Temp\57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57c6fb8670f6b1d3032d249f21018e00_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\System32\SSyoBZA.exe
C:\Windows\System32\SSyoBZA.exe
2⤵
- Executes dropped EXE
PID:1888

C:\Windows\System32\FhjfOmt.exe
C:\Windows\System32\FhjfOmt.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\wUuInjr.exe
C:\Windows\System32\wUuInjr.exe
2⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\jDbRCUX.exe
C:\Windows\System32\jDbRCUX.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\JThkQZa.exe
C:\Windows\System32\JThkQZa.exe
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\hlLLIuE.exe
C:\Windows\System32\hlLLIuE.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\GMXwWwz.exe
C:\Windows\System32\GMXwWwz.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\juzsuCG.exe
C:\Windows\System32\juzsuCG.exe
2⤵
- Executes dropped EXE
PID:1860

C:\Windows\System32\bGsunvo.exe
C:\Windows\System32\bGsunvo.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System32\ZYFLqrT.exe
C:\Windows\System32\ZYFLqrT.exe
2⤵
- Executes dropped EXE
PID:2876

C:\Windows\System32\eebILRd.exe
C:\Windows\System32\eebILRd.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\INWPCcK.exe
C:\Windows\System32\INWPCcK.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System32\UAYmyJj.exe
C:\Windows\System32\UAYmyJj.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\jkycvAN.exe
C:\Windows\System32\jkycvAN.exe
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\YVhEOEz.exe
C:\Windows\System32\YVhEOEz.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System32\KgSTuyh.exe
C:\Windows\System32\KgSTuyh.exe
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\System32\hykgKnQ.exe
C:\Windows\System32\hykgKnQ.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\SdSJCqe.exe
C:\Windows\System32\SdSJCqe.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\xtJnwKw.exe
C:\Windows\System32\xtJnwKw.exe
2⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\LtYSGwm.exe
C:\Windows\System32\LtYSGwm.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System32\LDEPLWe.exe
C:\Windows\System32\LDEPLWe.exe
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\qEJvoUE.exe
C:\Windows\System32\qEJvoUE.exe
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\LWmfyjh.exe
C:\Windows\System32\LWmfyjh.exe
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\System32\kIAYNDz.exe
C:\Windows\System32\kIAYNDz.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\XmWudcU.exe
C:\Windows\System32\XmWudcU.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\zjEWWtt.exe
C:\Windows\System32\zjEWWtt.exe
2⤵
- Executes dropped EXE
PID:4044

C:\Windows\System32\BgMhbTU.exe
C:\Windows\System32\BgMhbTU.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\zsDCARi.exe
C:\Windows\System32\zsDCARi.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\System32\ODgqlrM.exe
C:\Windows\System32\ODgqlrM.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\KvXcikF.exe
C:\Windows\System32\KvXcikF.exe
2⤵
- Executes dropped EXE
PID:628

C:\Windows\System32\lxXrIUM.exe
C:\Windows\System32\lxXrIUM.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\pnBakFw.exe
C:\Windows\System32\pnBakFw.exe
2⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\BjkWFIQ.exe
C:\Windows\System32\BjkWFIQ.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System32\dBCvAHc.exe
C:\Windows\System32\dBCvAHc.exe
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\System32\XWcgOxK.exe
C:\Windows\System32\XWcgOxK.exe
2⤵
- Executes dropped EXE
PID:4048

C:\Windows\System32\rUiaYLP.exe
C:\Windows\System32\rUiaYLP.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\lcJURqx.exe
C:\Windows\System32\lcJURqx.exe
2⤵
- Executes dropped EXE
PID:3944

C:\Windows\System32\kiTNOQY.exe
C:\Windows\System32\kiTNOQY.exe
2⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\ROqnwbp.exe
C:\Windows\System32\ROqnwbp.exe
2⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\JVHqAtn.exe
C:\Windows\System32\JVHqAtn.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System32\KGvOCOe.exe
C:\Windows\System32\KGvOCOe.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System32\fEBTATW.exe
C:\Windows\System32\fEBTATW.exe
2⤵
- Executes dropped EXE
PID:3420

C:\Windows\System32\whZrrcv.exe
C:\Windows\System32\whZrrcv.exe
2⤵
- Executes dropped EXE
PID:3464

C:\Windows\System32\cCBhPRd.exe
C:\Windows\System32\cCBhPRd.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\vbKCbDT.exe
C:\Windows\System32\vbKCbDT.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\VVbKnyu.exe
C:\Windows\System32\VVbKnyu.exe
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\System32\nXPPBBt.exe
C:\Windows\System32\nXPPBBt.exe
2⤵
- Executes dropped EXE
PID:836

C:\Windows\System32\YOreaaz.exe
C:\Windows\System32\YOreaaz.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\DoWvwsS.exe
C:\Windows\System32\DoWvwsS.exe
2⤵
- Executes dropped EXE
PID:3284

C:\Windows\System32\rECKhIw.exe
C:\Windows\System32\rECKhIw.exe
2⤵
- Executes dropped EXE
PID:4236

C:\Windows\System32\abIooWj.exe
C:\Windows\System32\abIooWj.exe
2⤵
- Executes dropped EXE
PID:3928

C:\Windows\System32\qXANXjr.exe
C:\Windows\System32\qXANXjr.exe
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\System32\pELdIRf.exe
C:\Windows\System32\pELdIRf.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Windows\System32\IFNWQPJ.exe
C:\Windows\System32\IFNWQPJ.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\pbWMbvd.exe
C:\Windows\System32\pbWMbvd.exe
2⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\UOGbMmL.exe
C:\Windows\System32\UOGbMmL.exe
2⤵
- Executes dropped EXE
PID:5048

C:\Windows\System32\iPjYdJu.exe
C:\Windows\System32\iPjYdJu.exe
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\System32\atQDMSl.exe
C:\Windows\System32\atQDMSl.exe
2⤵
- Executes dropped EXE
PID:3196

C:\Windows\System32\LnVWKKO.exe
C:\Windows\System32\LnVWKKO.exe
2⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\cOoqCsh.exe
C:\Windows\System32\cOoqCsh.exe
2⤵
- Executes dropped EXE
PID:5100

C:\Windows\System32\yULHDSz.exe
C:\Windows\System32\yULHDSz.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System32\zigFETj.exe
C:\Windows\System32\zigFETj.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\UblLZTH.exe
C:\Windows\System32\UblLZTH.exe
2⤵
- Executes dropped EXE
PID:4696

C:\Windows\System32\JQjrlzf.exe
C:\Windows\System32\JQjrlzf.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\WergWZM.exe
C:\Windows\System32\WergWZM.exe
2⤵
PID:2824

C:\Windows\System32\ZfASxvN.exe
C:\Windows\System32\ZfASxvN.exe
2⤵
PID:4904

C:\Windows\System32\OuoyrxT.exe
C:\Windows\System32\OuoyrxT.exe
2⤵
PID:1576

C:\Windows\System32\xuGhOUO.exe
C:\Windows\System32\xuGhOUO.exe
2⤵
PID:1696

C:\Windows\System32\yCmWsIZ.exe
C:\Windows\System32\yCmWsIZ.exe
2⤵
PID:4452

C:\Windows\System32\KQAaZnr.exe
C:\Windows\System32\KQAaZnr.exe
2⤵
PID:844

C:\Windows\System32\YcsrOLy.exe
C:\Windows\System32\YcsrOLy.exe
2⤵
PID:1972

C:\Windows\System32\CERNvkc.exe
C:\Windows\System32\CERNvkc.exe
2⤵
PID:2552

C:\Windows\System32\AADKmso.exe
C:\Windows\System32\AADKmso.exe
2⤵
PID:1348

C:\Windows\System32\bSWrbOw.exe
C:\Windows\System32\bSWrbOw.exe
2⤵
PID:2960

C:\Windows\System32\eKsBZvZ.exe
C:\Windows\System32\eKsBZvZ.exe
2⤵
PID:2036

C:\Windows\System32\OAYJUqT.exe
C:\Windows\System32\OAYJUqT.exe
2⤵
PID:2932

C:\Windows\System32\HbPFTTN.exe
C:\Windows\System32\HbPFTTN.exe
2⤵
PID:2288

C:\Windows\System32\zguvpnj.exe
C:\Windows\System32\zguvpnj.exe
2⤵
PID:3400

C:\Windows\System32\jkXSWJc.exe
C:\Windows\System32\jkXSWJc.exe
2⤵
PID:4948

C:\Windows\System32\sSRMqRS.exe
C:\Windows\System32\sSRMqRS.exe
2⤵
PID:3592

C:\Windows\System32\FIeDJKU.exe
C:\Windows\System32\FIeDJKU.exe
2⤵
PID:2920

C:\Windows\System32\XmXIhyh.exe
C:\Windows\System32\XmXIhyh.exe
2⤵
PID:4368

C:\Windows\System32\mUdzGtt.exe
C:\Windows\System32\mUdzGtt.exe
2⤵
PID:5000

C:\Windows\System32\eEDPOZu.exe
C:\Windows\System32\eEDPOZu.exe
2⤵
PID:3152

C:\Windows\System32\hTjDmYi.exe
C:\Windows\System32\hTjDmYi.exe
2⤵
PID:5144

C:\Windows\System32\qpMaqKv.exe
C:\Windows\System32\qpMaqKv.exe
2⤵
PID:5172

C:\Windows\System32\hhOiBKx.exe
C:\Windows\System32\hhOiBKx.exe
2⤵
PID:5196

C:\Windows\System32\pJixuYI.exe
C:\Windows\System32\pJixuYI.exe
2⤵
PID:5216

C:\Windows\System32\jHEfgIZ.exe
C:\Windows\System32\jHEfgIZ.exe
2⤵
PID:5256

C:\Windows\System32\AxeSgtq.exe
C:\Windows\System32\AxeSgtq.exe
2⤵
PID:5272

C:\Windows\System32\XUajyMA.exe
C:\Windows\System32\XUajyMA.exe
2⤵
PID:5300

C:\Windows\System32\YFHRhvc.exe
C:\Windows\System32\YFHRhvc.exe
2⤵
PID:5328

C:\Windows\System32\WFzNtAt.exe
C:\Windows\System32\WFzNtAt.exe
2⤵
PID:5356

C:\Windows\System32\ampDfTo.exe
C:\Windows\System32\ampDfTo.exe
2⤵
PID:5396

C:\Windows\System32\ojzwWLV.exe
C:\Windows\System32\ojzwWLV.exe
2⤵
PID:5428

C:\Windows\System32\gCfFEnW.exe
C:\Windows\System32\gCfFEnW.exe
2⤵
PID:5444

C:\Windows\System32\mhyjogC.exe
C:\Windows\System32\mhyjogC.exe
2⤵
PID:5472

C:\Windows\System32\iTpHGcT.exe
C:\Windows\System32\iTpHGcT.exe
2⤵
PID:5500

C:\Windows\System32\mQHAELV.exe
C:\Windows\System32\mQHAELV.exe
2⤵
PID:5528

C:\Windows\System32\BNyyevH.exe
C:\Windows\System32\BNyyevH.exe
2⤵
PID:5556

C:\Windows\System32\SUNWZQd.exe
C:\Windows\System32\SUNWZQd.exe
2⤵
PID:5672

C:\Windows\System32\VcOSszl.exe
C:\Windows\System32\VcOSszl.exe
2⤵
PID:5704

C:\Windows\System32\paWxEHl.exe
C:\Windows\System32\paWxEHl.exe
2⤵
PID:5752

C:\Windows\System32\VfTBrjk.exe
C:\Windows\System32\VfTBrjk.exe
2⤵
PID:5768

C:\Windows\System32\JMhlBAK.exe
C:\Windows\System32\JMhlBAK.exe
2⤵
PID:5788

C:\Windows\System32\dneneZI.exe
C:\Windows\System32\dneneZI.exe
2⤵
PID:5836

C:\Windows\System32\LrxIlLs.exe
C:\Windows\System32\LrxIlLs.exe
2⤵
PID:5852

C:\Windows\System32\kBGaNoX.exe
C:\Windows\System32\kBGaNoX.exe
2⤵
PID:5880

C:\Windows\System32\bRKnStp.exe
C:\Windows\System32\bRKnStp.exe
2⤵
PID:5896

C:\Windows\System32\fxaYRPQ.exe
C:\Windows\System32\fxaYRPQ.exe
2⤵
PID:5932

C:\Windows\System32\otOFftU.exe
C:\Windows\System32\otOFftU.exe
2⤵
PID:5948

C:\Windows\System32\KZCmLgY.exe
C:\Windows\System32\KZCmLgY.exe
2⤵
PID:5972

C:\Windows\System32\vIRjoGf.exe
C:\Windows\System32\vIRjoGf.exe
2⤵
PID:5988

C:\Windows\System32\asdvTER.exe
C:\Windows\System32\asdvTER.exe
2⤵
PID:6008

C:\Windows\System32\BtGflRW.exe
C:\Windows\System32\BtGflRW.exe
2⤵
PID:6028

C:\Windows\System32\CtQWsfy.exe
C:\Windows\System32\CtQWsfy.exe
2⤵
PID:6072

C:\Windows\System32\ryjhMxM.exe
C:\Windows\System32\ryjhMxM.exe
2⤵
PID:6120

C:\Windows\System32\BkCiAJW.exe
C:\Windows\System32\BkCiAJW.exe
2⤵
PID:6140

C:\Windows\System32\mCgjtDO.exe
C:\Windows\System32\mCgjtDO.exe
2⤵
PID:4656

C:\Windows\System32\aqpRIvz.exe
C:\Windows\System32\aqpRIvz.exe
2⤵
PID:4576

C:\Windows\System32\RAsvmbq.exe
C:\Windows\System32\RAsvmbq.exe
2⤵
PID:4464

C:\Windows\System32\qFiTfkn.exe
C:\Windows\System32\qFiTfkn.exe
2⤵
PID:5152

C:\Windows\System32\psKcCWH.exe
C:\Windows\System32\psKcCWH.exe
2⤵
PID:5248

C:\Windows\System32\cPHzTPo.exe
C:\Windows\System32\cPHzTPo.exe
2⤵
PID:5288

C:\Windows\System32\QhgnCbn.exe
C:\Windows\System32\QhgnCbn.exe
2⤵
PID:4604

C:\Windows\System32\diVjJUy.exe
C:\Windows\System32\diVjJUy.exe
2⤵
PID:5352

C:\Windows\System32\zrlwRKi.exe
C:\Windows\System32\zrlwRKi.exe
2⤵
PID:5380

C:\Windows\System32\EhFmVTO.exe
C:\Windows\System32\EhFmVTO.exe
2⤵
PID:5440

C:\Windows\System32\kuCRSos.exe
C:\Windows\System32\kuCRSos.exe
2⤵
PID:1496

C:\Windows\System32\MgNktwX.exe
C:\Windows\System32\MgNktwX.exe
2⤵
PID:1772

C:\Windows\System32\aHpRJvA.exe
C:\Windows\System32\aHpRJvA.exe
2⤵
PID:4284

C:\Windows\System32\ktbWuHo.exe
C:\Windows\System32\ktbWuHo.exe
2⤵
PID:5540

C:\Windows\System32\yTinIkC.exe
C:\Windows\System32\yTinIkC.exe
2⤵
PID:4600

C:\Windows\System32\PQJAsVy.exe
C:\Windows\System32\PQJAsVy.exe
2⤵
PID:5612

C:\Windows\System32\oEjEJFR.exe
C:\Windows\System32\oEjEJFR.exe
2⤵
PID:4860

C:\Windows\System32\gZumhWQ.exe
C:\Windows\System32\gZumhWQ.exe
2⤵
PID:5668

C:\Windows\System32\JCRsJPo.exe
C:\Windows\System32\JCRsJPo.exe
2⤵
PID:5728

C:\Windows\System32\FriatqL.exe
C:\Windows\System32\FriatqL.exe
2⤵
PID:5760

C:\Windows\System32\VMJRHJY.exe
C:\Windows\System32\VMJRHJY.exe
2⤵
PID:5944

C:\Windows\System32\kqLwSKJ.exe
C:\Windows\System32\kqLwSKJ.exe
2⤵
PID:6004

C:\Windows\System32\YRxjEqm.exe
C:\Windows\System32\YRxjEqm.exe
2⤵
PID:6024

C:\Windows\System32\rsLAGtV.exe
C:\Windows\System32\rsLAGtV.exe
2⤵
PID:6056

C:\Windows\System32\ANjxOdl.exe
C:\Windows\System32\ANjxOdl.exe
2⤵
PID:6132

C:\Windows\System32\uisFMJt.exe
C:\Windows\System32\uisFMJt.exe
2⤵
PID:4400

C:\Windows\System32\SzvMSHs.exe
C:\Windows\System32\SzvMSHs.exe
2⤵
PID:5136

C:\Windows\System32\IpgeJja.exe
C:\Windows\System32\IpgeJja.exe
2⤵
PID:1188

C:\Windows\System32\eGkjiIz.exe
C:\Windows\System32\eGkjiIz.exe
2⤵
PID:5340

C:\Windows\System32\nkAmFFO.exe
C:\Windows\System32\nkAmFFO.exe
2⤵
PID:3696

C:\Windows\System32\mOCfqKh.exe
C:\Windows\System32\mOCfqKh.exe
2⤵
PID:5488

C:\Windows\System32\MveDIUe.exe
C:\Windows\System32\MveDIUe.exe
2⤵
PID:5544

C:\Windows\System32\VhovXjG.exe
C:\Windows\System32\VhovXjG.exe
2⤵
PID:5632

C:\Windows\System32\EkMJZBf.exe
C:\Windows\System32\EkMJZBf.exe
2⤵
PID:5764

C:\Windows\System32\ZdQdBSu.exe
C:\Windows\System32\ZdQdBSu.exe
2⤵
PID:5868

C:\Windows\System32\hxMmIxl.exe
C:\Windows\System32\hxMmIxl.exe
2⤵
PID:6068

C:\Windows\System32\VCDxiGJ.exe
C:\Windows\System32\VCDxiGJ.exe
2⤵
PID:3188

C:\Windows\System32\LjdgWjf.exe
C:\Windows\System32\LjdgWjf.exe
2⤵
PID:1148

C:\Windows\System32\BlifjeI.exe
C:\Windows\System32\BlifjeI.exe
2⤵
PID:1484

C:\Windows\System32\CKVEjRP.exe
C:\Windows\System32\CKVEjRP.exe
2⤵
PID:232

C:\Windows\System32\QVozkWH.exe
C:\Windows\System32\QVozkWH.exe
2⤵
PID:728

C:\Windows\System32\TAxZdZP.exe
C:\Windows\System32\TAxZdZP.exe
2⤵
PID:5816

C:\Windows\System32\VAOSxmY.exe
C:\Windows\System32\VAOSxmY.exe
2⤵
PID:6136

C:\Windows\System32\nrQAMyl.exe
C:\Windows\System32\nrQAMyl.exe
2⤵
PID:5960

C:\Windows\System32\YwKwwaW.exe
C:\Windows\System32\YwKwwaW.exe
2⤵
PID:6172

C:\Windows\System32\pWtUvpM.exe
C:\Windows\System32\pWtUvpM.exe
2⤵
PID:6244

C:\Windows\System32\uvxTOeT.exe
C:\Windows\System32\uvxTOeT.exe
2⤵
PID:6276

C:\Windows\System32\YCfgdFW.exe
C:\Windows\System32\YCfgdFW.exe
2⤵
PID:6304

C:\Windows\System32\XTgUmew.exe
C:\Windows\System32\XTgUmew.exe
2⤵
PID:6344

C:\Windows\System32\VnnfMxo.exe
C:\Windows\System32\VnnfMxo.exe
2⤵
PID:6368

C:\Windows\System32\VqOujcp.exe
C:\Windows\System32\VqOujcp.exe
2⤵
PID:6384

C:\Windows\System32\GVDKInR.exe
C:\Windows\System32\GVDKInR.exe
2⤵
PID:6404

C:\Windows\System32\OXKUAcw.exe
C:\Windows\System32\OXKUAcw.exe
2⤵
PID:6448

C:\Windows\System32\tgEAWeF.exe
C:\Windows\System32\tgEAWeF.exe
2⤵
PID:6468

C:\Windows\System32\iWHDNUI.exe
C:\Windows\System32\iWHDNUI.exe
2⤵
PID:6488

C:\Windows\System32\WyCMNCK.exe
C:\Windows\System32\WyCMNCK.exe
2⤵
PID:6512

C:\Windows\System32\lcuRkok.exe
C:\Windows\System32\lcuRkok.exe
2⤵
PID:6532

C:\Windows\System32\gqdTtCI.exe
C:\Windows\System32\gqdTtCI.exe
2⤵
PID:6608

C:\Windows\System32\JFDFzfZ.exe
C:\Windows\System32\JFDFzfZ.exe
2⤵
PID:6624

C:\Windows\System32\wjgHRlC.exe
C:\Windows\System32\wjgHRlC.exe
2⤵
PID:6640

C:\Windows\System32\OWTVggY.exe
C:\Windows\System32\OWTVggY.exe
2⤵
PID:6660

C:\Windows\System32\TyySRKs.exe
C:\Windows\System32\TyySRKs.exe
2⤵
PID:6712

C:\Windows\System32\ISypsZA.exe
C:\Windows\System32\ISypsZA.exe
2⤵
PID:6728

C:\Windows\System32\PNAgPyP.exe
C:\Windows\System32\PNAgPyP.exe
2⤵
PID:6744

C:\Windows\System32\AStWaaa.exe
C:\Windows\System32\AStWaaa.exe
2⤵
PID:6764

C:\Windows\System32\LMFDhxR.exe
C:\Windows\System32\LMFDhxR.exe
2⤵
PID:6816

C:\Windows\System32\mivxXvP.exe
C:\Windows\System32\mivxXvP.exe
2⤵
PID:6844

C:\Windows\System32\uqoDPTz.exe
C:\Windows\System32\uqoDPTz.exe
2⤵
PID:6872

C:\Windows\System32\CLkFuOq.exe
C:\Windows\System32\CLkFuOq.exe
2⤵
PID:6892

C:\Windows\System32\NhgtzJW.exe
C:\Windows\System32\NhgtzJW.exe
2⤵
PID:6912

C:\Windows\System32\BxQUKlF.exe
C:\Windows\System32\BxQUKlF.exe
2⤵
PID:6932

C:\Windows\System32\oSNfYit.exe
C:\Windows\System32\oSNfYit.exe
2⤵
PID:6948

C:\Windows\System32\IIEfUEW.exe
C:\Windows\System32\IIEfUEW.exe
2⤵
PID:6976

C:\Windows\System32\moLtTIg.exe
C:\Windows\System32\moLtTIg.exe
2⤵
PID:7016

C:\Windows\System32\oPfANmw.exe
C:\Windows\System32\oPfANmw.exe
2⤵
PID:7072

C:\Windows\System32\eHWGyXQ.exe
C:\Windows\System32\eHWGyXQ.exe
2⤵
PID:7104

C:\Windows\System32\evLLjaJ.exe
C:\Windows\System32\evLLjaJ.exe
2⤵
PID:7128

C:\Windows\System32\tVDZcJD.exe
C:\Windows\System32\tVDZcJD.exe
2⤵
PID:7144

C:\Windows\System32\WXTAKxZ.exe
C:\Windows\System32\WXTAKxZ.exe
2⤵
PID:7164

C:\Windows\System32\WorHbPR.exe
C:\Windows\System32\WorHbPR.exe
2⤵
PID:2120

C:\Windows\System32\wGhSLlB.exe
C:\Windows\System32\wGhSLlB.exe
2⤵
PID:6188

C:\Windows\System32\YAkupxb.exe
C:\Windows\System32\YAkupxb.exe
2⤵
PID:6204

C:\Windows\System32\oZoACAf.exe
C:\Windows\System32\oZoACAf.exe
2⤵
PID:6264

C:\Windows\System32\pDTtQDx.exe
C:\Windows\System32\pDTtQDx.exe
2⤵
PID:6292

C:\Windows\System32\WmBdzwI.exe
C:\Windows\System32\WmBdzwI.exe
2⤵
PID:6360

C:\Windows\System32\TixdCib.exe
C:\Windows\System32\TixdCib.exe
2⤵
PID:6528

C:\Windows\System32\plsheNA.exe
C:\Windows\System32\plsheNA.exe
2⤵
PID:6592

C:\Windows\System32\wGnPaqn.exe
C:\Windows\System32\wGnPaqn.exe
2⤵
PID:6620

C:\Windows\System32\OWlFJHX.exe
C:\Windows\System32\OWlFJHX.exe
2⤵
PID:6632

C:\Windows\System32\rRDJTWi.exe
C:\Windows\System32\rRDJTWi.exe
2⤵
PID:6684

C:\Windows\System32\peOmvjM.exe
C:\Windows\System32\peOmvjM.exe
2⤵
PID:6840

C:\Windows\System32\IIZknQZ.exe
C:\Windows\System32\IIZknQZ.exe
2⤵
PID:6864

C:\Windows\System32\Zycrbkc.exe
C:\Windows\System32\Zycrbkc.exe
2⤵
PID:7000

C:\Windows\System32\IIjCwTv.exe
C:\Windows\System32\IIjCwTv.exe
2⤵
PID:6944

C:\Windows\System32\bsiHDQN.exe
C:\Windows\System32\bsiHDQN.exe
2⤵
PID:6984

C:\Windows\System32\CChpMMG.exe
C:\Windows\System32\CChpMMG.exe
2⤵
PID:7044

C:\Windows\System32\mZklPbi.exe
C:\Windows\System32\mZklPbi.exe
2⤵
PID:7120

C:\Windows\System32\eaCdlzU.exe
C:\Windows\System32\eaCdlzU.exe
2⤵
PID:5592

C:\Windows\System32\UTqlBQr.exe
C:\Windows\System32\UTqlBQr.exe
2⤵
PID:6228

C:\Windows\System32\UweOwGC.exe
C:\Windows\System32\UweOwGC.exe
2⤵
PID:6380

C:\Windows\System32\RPZyHtJ.exe
C:\Windows\System32\RPZyHtJ.exe
2⤵
PID:6520

C:\Windows\System32\XSdmRGy.exe
C:\Windows\System32\XSdmRGy.exe
2⤵
PID:6832

C:\Windows\System32\EEgZClZ.exe
C:\Windows\System32\EEgZClZ.exe
2⤵
PID:6988

C:\Windows\System32\UGbPuFy.exe
C:\Windows\System32\UGbPuFy.exe
2⤵
PID:7100

C:\Windows\System32\dwkPcrA.exe
C:\Windows\System32\dwkPcrA.exe
2⤵
PID:7092

C:\Windows\System32\FkHorcB.exe
C:\Windows\System32\FkHorcB.exe
2⤵
PID:4172

C:\Windows\System32\pEQauHe.exe
C:\Windows\System32\pEQauHe.exe
2⤵
PID:3564

C:\Windows\System32\eybUMZd.exe
C:\Windows\System32\eybUMZd.exe
2⤵
PID:6656

C:\Windows\System32\VHCsalx.exe
C:\Windows\System32\VHCsalx.exe
2⤵
PID:2284

C:\Windows\System32\mRJUfiF.exe
C:\Windows\System32\mRJUfiF.exe
2⤵
PID:7192

C:\Windows\System32\psWnVFr.exe
C:\Windows\System32\psWnVFr.exe
2⤵
PID:7232

C:\Windows\System32\HwDIZab.exe
C:\Windows\System32\HwDIZab.exe
2⤵
PID:7248

C:\Windows\System32\GAlhYck.exe
C:\Windows\System32\GAlhYck.exe
2⤵
PID:7268

C:\Windows\System32\bVzZWFN.exe
C:\Windows\System32\bVzZWFN.exe
2⤵
PID:7292

C:\Windows\System32\SKEUMrp.exe
C:\Windows\System32\SKEUMrp.exe
2⤵
PID:7308

C:\Windows\System32\qSocgKM.exe
C:\Windows\System32\qSocgKM.exe
2⤵
PID:7332

C:\Windows\System32\vhLwZlJ.exe
C:\Windows\System32\vhLwZlJ.exe
2⤵
PID:7364

C:\Windows\System32\LzZgzar.exe
C:\Windows\System32\LzZgzar.exe
2⤵
PID:7400

C:\Windows\System32\QmUHWEy.exe
C:\Windows\System32\QmUHWEy.exe
2⤵
PID:7444

C:\Windows\System32\SodxJEs.exe
C:\Windows\System32\SodxJEs.exe
2⤵
PID:7472

C:\Windows\System32\PDNOMOX.exe
C:\Windows\System32\PDNOMOX.exe
2⤵
PID:7500

C:\Windows\System32\weofBZi.exe
C:\Windows\System32\weofBZi.exe
2⤵
PID:7524

C:\Windows\System32\EbXYyLc.exe
C:\Windows\System32\EbXYyLc.exe
2⤵
PID:7548

C:\Windows\System32\iATPNPg.exe
C:\Windows\System32\iATPNPg.exe
2⤵
PID:7564

C:\Windows\System32\PedbTZH.exe
C:\Windows\System32\PedbTZH.exe
2⤵
PID:7588

C:\Windows\System32\WdenVQb.exe
C:\Windows\System32\WdenVQb.exe
2⤵
PID:7640

C:\Windows\System32\YlCZyOx.exe
C:\Windows\System32\YlCZyOx.exe
2⤵
PID:7668

C:\Windows\System32\xmtnJNV.exe
C:\Windows\System32\xmtnJNV.exe
2⤵
PID:7704

C:\Windows\System32\XyEoSHr.exe
C:\Windows\System32\XyEoSHr.exe
2⤵
PID:7736

C:\Windows\System32\jhBNgYd.exe
C:\Windows\System32\jhBNgYd.exe
2⤵
PID:7752

C:\Windows\System32\PskDnpE.exe
C:\Windows\System32\PskDnpE.exe
2⤵
PID:7772

C:\Windows\System32\tXSLvOG.exe
C:\Windows\System32\tXSLvOG.exe
2⤵
PID:7796

C:\Windows\System32\mVWSATf.exe
C:\Windows\System32\mVWSATf.exe
2⤵
PID:7840

C:\Windows\System32\ToXBeNB.exe
C:\Windows\System32\ToXBeNB.exe
2⤵
PID:7864

C:\Windows\System32\NwBvjwR.exe
C:\Windows\System32\NwBvjwR.exe
2⤵
PID:7904

C:\Windows\System32\dXetHQl.exe
C:\Windows\System32\dXetHQl.exe
2⤵
PID:7932

C:\Windows\System32\xZIYSQx.exe
C:\Windows\System32\xZIYSQx.exe
2⤵
PID:7956

C:\Windows\System32\PKJIuRj.exe
C:\Windows\System32\PKJIuRj.exe
2⤵
PID:7976

C:\Windows\System32\UpCNHKE.exe
C:\Windows\System32\UpCNHKE.exe
2⤵
PID:8016

C:\Windows\System32\zxrksJT.exe
C:\Windows\System32\zxrksJT.exe
2⤵
PID:8040

C:\Windows\System32\NxUszSj.exe
C:\Windows\System32\NxUszSj.exe
2⤵
PID:8056

C:\Windows\System32\KuwyiZN.exe
C:\Windows\System32\KuwyiZN.exe
2⤵
PID:8084

C:\Windows\System32\AeTgWWG.exe
C:\Windows\System32\AeTgWWG.exe
2⤵
PID:8108

C:\Windows\System32\DSLfhbQ.exe
C:\Windows\System32\DSLfhbQ.exe
2⤵
PID:8124

C:\Windows\System32\uDQBMYp.exe
C:\Windows\System32\uDQBMYp.exe
2⤵
PID:8164

C:\Windows\System32\gqOFhAb.exe
C:\Windows\System32\gqOFhAb.exe
2⤵
PID:6900

C:\Windows\System32\ztuBnwD.exe
C:\Windows\System32\ztuBnwD.exe
2⤵
PID:7188

C:\Windows\System32\ptsQcEZ.exe
C:\Windows\System32\ptsQcEZ.exe
2⤵
PID:7216

C:\Windows\System32\zhCZonD.exe
C:\Windows\System32\zhCZonD.exe
2⤵
PID:7356

C:\Windows\System32\UWwIqsF.exe
C:\Windows\System32\UWwIqsF.exe
2⤵
PID:7392

C:\Windows\System32\ENvrGBZ.exe
C:\Windows\System32\ENvrGBZ.exe
2⤵
PID:4812

C:\Windows\System32\rAJLuNl.exe
C:\Windows\System32\rAJLuNl.exe
2⤵
PID:7428

C:\Windows\System32\BjZUWEs.exe
C:\Windows\System32\BjZUWEs.exe
2⤵
PID:7492

C:\Windows\System32\PCGtfch.exe
C:\Windows\System32\PCGtfch.exe
2⤵
PID:7544

C:\Windows\System32\IKufjOU.exe
C:\Windows\System32\IKufjOU.exe
2⤵
PID:7540

C:\Windows\System32\voeKhyC.exe
C:\Windows\System32\voeKhyC.exe
2⤵
PID:7720

C:\Windows\System32\YlvbpZm.exe
C:\Windows\System32\YlvbpZm.exe
2⤵
PID:7768

C:\Windows\System32\PtkkJcM.exe
C:\Windows\System32\PtkkJcM.exe
2⤵
PID:7892

C:\Windows\System32\SAaSywY.exe
C:\Windows\System32\SAaSywY.exe
2⤵
PID:7924

C:\Windows\System32\NtHpIbd.exe
C:\Windows\System32\NtHpIbd.exe
2⤵
PID:8000

C:\Windows\System32\kSeuTKT.exe
C:\Windows\System32\kSeuTKT.exe
2⤵
PID:7464

C:\Windows\System32\gWvESSn.exe
C:\Windows\System32\gWvESSn.exe
2⤵
PID:7408

C:\Windows\System32\nWCTlnY.exe
C:\Windows\System32\nWCTlnY.exe
2⤵
PID:7636

C:\Windows\System32\LeIVxLO.exe
C:\Windows\System32\LeIVxLO.exe
2⤵
PID:7820

C:\Windows\System32\hbnLRtM.exe
C:\Windows\System32\hbnLRtM.exe
2⤵
PID:7744

C:\Windows\System32\nhzoMXd.exe
C:\Windows\System32\nhzoMXd.exe
2⤵
PID:7136

C:\Windows\System32\RWXrJEo.exe
C:\Windows\System32\RWXrJEo.exe
2⤵
PID:8136

C:\Windows\System32\brwjsQF.exe
C:\Windows\System32\brwjsQF.exe
2⤵
PID:7304

C:\Windows\System32\ooxQcDZ.exe
C:\Windows\System32\ooxQcDZ.exe
2⤵
PID:7608

C:\Windows\System32\qPdXbMe.exe
C:\Windows\System32\qPdXbMe.exe
2⤵
PID:7696

C:\Windows\System32\RAkPRCR.exe
C:\Windows\System32\RAkPRCR.exe
2⤵
PID:7860

C:\Windows\System32\hPqzIcu.exe
C:\Windows\System32\hPqzIcu.exe
2⤵
PID:7260

C:\Windows\System32\lpWgAgy.exe
C:\Windows\System32\lpWgAgy.exe
2⤵
PID:7584

C:\Windows\System32\pgchGuB.exe
C:\Windows\System32\pgchGuB.exe
2⤵
PID:8100

C:\Windows\System32\fMrQpsy.exe
C:\Windows\System32\fMrQpsy.exe
2⤵
PID:8196

C:\Windows\System32\MEktdZB.exe
C:\Windows\System32\MEktdZB.exe
2⤵
PID:8228

C:\Windows\System32\Huvnxok.exe
C:\Windows\System32\Huvnxok.exe
2⤵
PID:8272

C:\Windows\System32\EanKGdZ.exe
C:\Windows\System32\EanKGdZ.exe
2⤵
PID:8300

C:\Windows\System32\YeplkFh.exe
C:\Windows\System32\YeplkFh.exe
2⤵
PID:8324

C:\Windows\System32\GOtnYJh.exe
C:\Windows\System32\GOtnYJh.exe
2⤵
PID:8348

C:\Windows\System32\ryYcGeJ.exe
C:\Windows\System32\ryYcGeJ.exe
2⤵
PID:8364

C:\Windows\System32\OYLZKVt.exe
C:\Windows\System32\OYLZKVt.exe
2⤵
PID:8400

C:\Windows\System32\yVJWAEK.exe
C:\Windows\System32\yVJWAEK.exe
2⤵
PID:8424

C:\Windows\System32\XWawAIb.exe
C:\Windows\System32\XWawAIb.exe
2⤵
PID:8448

C:\Windows\System32\jeHxXqm.exe
C:\Windows\System32\jeHxXqm.exe
2⤵
PID:8464

C:\Windows\System32\QJguiJX.exe
C:\Windows\System32\QJguiJX.exe
2⤵
PID:8500

C:\Windows\System32\cRURfBK.exe
C:\Windows\System32\cRURfBK.exe
2⤵
PID:8516

C:\Windows\System32\yQXiKCk.exe
C:\Windows\System32\yQXiKCk.exe
2⤵
PID:8560

C:\Windows\System32\XQXQkSt.exe
C:\Windows\System32\XQXQkSt.exe
2⤵
PID:8592

C:\Windows\System32\BAYOIES.exe
C:\Windows\System32\BAYOIES.exe
2⤵
PID:8620

C:\Windows\System32\TqOgZAl.exe
C:\Windows\System32\TqOgZAl.exe
2⤵
PID:8648

C:\Windows\System32\JDQgiHe.exe
C:\Windows\System32\JDQgiHe.exe
2⤵
PID:8692

C:\Windows\System32\kklPyjU.exe
C:\Windows\System32\kklPyjU.exe
2⤵
PID:8712

C:\Windows\System32\GplCLXr.exe
C:\Windows\System32\GplCLXr.exe
2⤵
PID:8732

C:\Windows\System32\JjgMuOd.exe
C:\Windows\System32\JjgMuOd.exe
2⤵
PID:8784

C:\Windows\System32\XKUGBCG.exe
C:\Windows\System32\XKUGBCG.exe
2⤵
PID:8816

C:\Windows\System32\KqUHrRH.exe
C:\Windows\System32\KqUHrRH.exe
2⤵
PID:8840

C:\Windows\System32\vsFDkoA.exe
C:\Windows\System32\vsFDkoA.exe
2⤵
PID:8856

C:\Windows\System32\kleXNTP.exe
C:\Windows\System32\kleXNTP.exe
2⤵
PID:8884

C:\Windows\System32\qsRApYI.exe
C:\Windows\System32\qsRApYI.exe
2⤵
PID:8928

C:\Windows\System32\MLvvjHt.exe
C:\Windows\System32\MLvvjHt.exe
2⤵
PID:8952

C:\Windows\System32\YKHfmjl.exe
C:\Windows\System32\YKHfmjl.exe
2⤵
PID:8968

C:\Windows\System32\lQDMtgU.exe
C:\Windows\System32\lQDMtgU.exe
2⤵
PID:8992

C:\Windows\System32\PawdEpU.exe
C:\Windows\System32\PawdEpU.exe
2⤵
PID:9020

C:\Windows\System32\uuaeoCr.exe
C:\Windows\System32\uuaeoCr.exe
2⤵
PID:9048

C:\Windows\System32\RPYcPcI.exe
C:\Windows\System32\RPYcPcI.exe
2⤵
PID:9080

C:\Windows\System32\iPYlugy.exe
C:\Windows\System32\iPYlugy.exe
2⤵
PID:9112

C:\Windows\System32\MvydSJs.exe
C:\Windows\System32\MvydSJs.exe
2⤵
PID:9148

C:\Windows\System32\ZRCTFRZ.exe
C:\Windows\System32\ZRCTFRZ.exe
2⤵
PID:9168

C:\Windows\System32\rOswXFe.exe
C:\Windows\System32\rOswXFe.exe
2⤵
PID:9192

C:\Windows\System32\MhikzfH.exe
C:\Windows\System32\MhikzfH.exe
2⤵
PID:9208

C:\Windows\System32\QGdGhaz.exe
C:\Windows\System32\QGdGhaz.exe
2⤵
PID:8208

C:\Windows\System32\bkbVDPo.exe
C:\Windows\System32\bkbVDPo.exe
2⤵
PID:8292

C:\Windows\System32\RyWQhQj.exe
C:\Windows\System32\RyWQhQj.exe
2⤵
PID:8396

C:\Windows\System32\fqiIiqE.exe
C:\Windows\System32\fqiIiqE.exe
2⤵
PID:8440

C:\Windows\System32\iSlwYbE.exe
C:\Windows\System32\iSlwYbE.exe
2⤵
PID:8480

C:\Windows\System32\tFHzTsi.exe
C:\Windows\System32\tFHzTsi.exe
2⤵
PID:8584

C:\Windows\System32\GaRsIiH.exe
C:\Windows\System32\GaRsIiH.exe
2⤵
PID:8632

C:\Windows\System32\VvxIqvN.exe
C:\Windows\System32\VvxIqvN.exe
2⤵
PID:8684

C:\Windows\System32\BggzVlO.exe
C:\Windows\System32\BggzVlO.exe
2⤵
PID:8724

C:\Windows\System32\mHzOMan.exe
C:\Windows\System32\mHzOMan.exe
2⤵
PID:8812

C:\Windows\System32\HaXcusN.exe
C:\Windows\System32\HaXcusN.exe
2⤵
PID:8848

C:\Windows\System32\xfVVhfl.exe
C:\Windows\System32\xfVVhfl.exe
2⤵
PID:8920

C:\Windows\System32\iVrrPwd.exe
C:\Windows\System32\iVrrPwd.exe
2⤵
PID:8960

C:\Windows\System32\HPaPink.exe
C:\Windows\System32\HPaPink.exe
2⤵
PID:8976

C:\Windows\System32\BCCgYqE.exe
C:\Windows\System32\BCCgYqE.exe
2⤵
PID:9044

C:\Windows\System32\tBlCIql.exe
C:\Windows\System32\tBlCIql.exe
2⤵
PID:9156

C:\Windows\System32\UHWsgZn.exe
C:\Windows\System32\UHWsgZn.exe
2⤵
PID:8356

C:\Windows\System32\MxtnFZI.exe
C:\Windows\System32\MxtnFZI.exe
2⤵
PID:8556

C:\Windows\System32\NFvRSnU.exe
C:\Windows\System32\NFvRSnU.exe
2⤵
PID:8644

C:\Windows\System32\iricWfG.exe
C:\Windows\System32\iricWfG.exe
2⤵
PID:8964

C:\Windows\System32\XlepRpx.exe
C:\Windows\System32\XlepRpx.exe
2⤵
PID:9036

C:\Windows\System32\vcJLnZr.exe
C:\Windows\System32\vcJLnZr.exe
2⤵
PID:9120

C:\Windows\System32\FZHNrEt.exe
C:\Windows\System32\FZHNrEt.exe
2⤵
PID:8604

C:\Windows\System32\bAzeUsD.exe
C:\Windows\System32\bAzeUsD.exe
2⤵
PID:9028

C:\Windows\System32\PLKGSga.exe
C:\Windows\System32\PLKGSga.exe
2⤵
PID:8768

C:\Windows\System32\oddjDVp.exe
C:\Windows\System32\oddjDVp.exe
2⤵
PID:9232

C:\Windows\System32\cfhcZkm.exe
C:\Windows\System32\cfhcZkm.exe
2⤵
PID:9272

C:\Windows\System32\JPIzpMm.exe
C:\Windows\System32\JPIzpMm.exe
2⤵
PID:9296

C:\Windows\System32\yoAkPvO.exe
C:\Windows\System32\yoAkPvO.exe
2⤵
PID:9332

C:\Windows\System32\UJYYZjv.exe
C:\Windows\System32\UJYYZjv.exe
2⤵
PID:9352

C:\Windows\System32\ZuXPuRP.exe
C:\Windows\System32\ZuXPuRP.exe
2⤵
PID:9368

C:\Windows\System32\vCEKQtN.exe
C:\Windows\System32\vCEKQtN.exe
2⤵
PID:9396

C:\Windows\System32\IAOhimv.exe
C:\Windows\System32\IAOhimv.exe
2⤵
PID:9432

C:\Windows\System32\bOtnpUf.exe
C:\Windows\System32\bOtnpUf.exe
2⤵
PID:9452

C:\Windows\System32\CxksxPD.exe
C:\Windows\System32\CxksxPD.exe
2⤵
PID:9492

C:\Windows\System32\GOOlApc.exe
C:\Windows\System32\GOOlApc.exe
2⤵
PID:9512

C:\Windows\System32\xNtIWPx.exe
C:\Windows\System32\xNtIWPx.exe
2⤵
PID:9544

C:\Windows\System32\IXSquZm.exe
C:\Windows\System32\IXSquZm.exe
2⤵
PID:9564

C:\Windows\System32\riHKzex.exe
C:\Windows\System32\riHKzex.exe
2⤵
PID:9612

C:\Windows\System32\JEgwUWA.exe
C:\Windows\System32\JEgwUWA.exe
2⤵
PID:9636

C:\Windows\System32\uvmhRlb.exe
C:\Windows\System32\uvmhRlb.exe
2⤵
PID:9660

C:\Windows\System32\TJcFxDx.exe
C:\Windows\System32\TJcFxDx.exe
2⤵
PID:9696

C:\Windows\System32\SQNGiPR.exe
C:\Windows\System32\SQNGiPR.exe
2⤵
PID:9716

C:\Windows\System32\FDNXBKn.exe
C:\Windows\System32\FDNXBKn.exe
2⤵
PID:9740

C:\Windows\System32\DxpKawM.exe
C:\Windows\System32\DxpKawM.exe
2⤵
PID:9764

C:\Windows\System32\hlZvJJY.exe
C:\Windows\System32\hlZvJJY.exe
2⤵
PID:9808

C:\Windows\System32\UktvUHH.exe
C:\Windows\System32\UktvUHH.exe
2⤵
PID:9828

C:\Windows\System32\dTJChWC.exe
C:\Windows\System32\dTJChWC.exe
2⤵
PID:9844

C:\Windows\System32\NQCdkGR.exe
C:\Windows\System32\NQCdkGR.exe
2⤵
PID:9872

C:\Windows\System32\oSKvTXI.exe
C:\Windows\System32\oSKvTXI.exe
2⤵
PID:9896

C:\Windows\System32\bEoWtNg.exe
C:\Windows\System32\bEoWtNg.exe
2⤵
PID:9916

C:\Windows\System32\KsUCxzs.exe
C:\Windows\System32\KsUCxzs.exe
2⤵
PID:9940

C:\Windows\System32\pWftiDX.exe
C:\Windows\System32\pWftiDX.exe
2⤵
PID:9964

C:\Windows\System32\AKozzFg.exe
C:\Windows\System32\AKozzFg.exe
2⤵
PID:9988

C:\Windows\System32\DlyBvaR.exe
C:\Windows\System32\DlyBvaR.exe
2⤵
PID:10012

C:\Windows\System32\UnnQFaB.exe
C:\Windows\System32\UnnQFaB.exe
2⤵
PID:10036

C:\Windows\System32\nyqaIdz.exe
C:\Windows\System32\nyqaIdz.exe
2⤵
PID:10056

C:\Windows\System32\nSsGGCV.exe
C:\Windows\System32\nSsGGCV.exe
2⤵
PID:10140

C:\Windows\System32\tFWQjyn.exe
C:\Windows\System32\tFWQjyn.exe
2⤵
PID:10172

C:\Windows\System32\vjdYnaH.exe
C:\Windows\System32\vjdYnaH.exe
2⤵
PID:10216

C:\Windows\System32\KSSlWHE.exe
C:\Windows\System32\KSSlWHE.exe
2⤵
PID:10236

C:\Windows\System32\UoimMGI.exe
C:\Windows\System32\UoimMGI.exe
2⤵
PID:9260

C:\Windows\System32\pSyLSmf.exe
C:\Windows\System32\pSyLSmf.exe
2⤵
PID:9316

C:\Windows\System32\mycQGtA.exe
C:\Windows\System32\mycQGtA.exe
2⤵
PID:9340

C:\Windows\System32\GZnTDgn.exe
C:\Windows\System32\GZnTDgn.exe
2⤵
PID:9408

C:\Windows\System32\WVkMSbT.exe
C:\Windows\System32\WVkMSbT.exe
2⤵
PID:9508

C:\Windows\System32\APWSTTp.exe
C:\Windows\System32\APWSTTp.exe
2⤵
PID:9552

C:\Windows\System32\JvtVQrd.exe
C:\Windows\System32\JvtVQrd.exe
2⤵
PID:9632

C:\Windows\System32\DRPfiTW.exe
C:\Windows\System32\DRPfiTW.exe
2⤵
PID:9684

C:\Windows\System32\GIblfGE.exe
C:\Windows\System32\GIblfGE.exe
2⤵
PID:9752

C:\Windows\System32\ZBVHOce.exe
C:\Windows\System32\ZBVHOce.exe
2⤵
PID:9840

C:\Windows\System32\eUaEAbp.exe
C:\Windows\System32\eUaEAbp.exe
2⤵
PID:9928

C:\Windows\System32\mSdoGQT.exe
C:\Windows\System32\mSdoGQT.exe
2⤵
PID:9980

C:\Windows\System32\WbLBswm.exe
C:\Windows\System32\WbLBswm.exe
2⤵
PID:10076

C:\Windows\System32\tgxxKWO.exe
C:\Windows\System32\tgxxKWO.exe
2⤵
PID:10156

C:\Windows\System32\SBVoewQ.exe
C:\Windows\System32\SBVoewQ.exe
2⤵
PID:9280

C:\Windows\System32\ABZiQMU.exe
C:\Windows\System32\ABZiQMU.exe
2⤵
PID:9472

C:\Windows\System32\DJFftbB.exe
C:\Windows\System32\DJFftbB.exe
2⤵
PID:9608

C:\Windows\System32\NvwureA.exe
C:\Windows\System32\NvwureA.exe
2⤵
PID:9868

C:\Windows\System32\vhpzNjG.exe
C:\Windows\System32\vhpzNjG.exe
2⤵
PID:10024

C:\Windows\System32\RacDrwv.exe
C:\Windows\System32\RacDrwv.exe
2⤵
PID:10048

C:\Windows\System32\ehnvVFy.exe
C:\Windows\System32\ehnvVFy.exe
2⤵
PID:9836

C:\Windows\System32\MBmHLCL.exe
C:\Windows\System32\MBmHLCL.exe
2⤵
PID:10092

C:\Windows\System32\aOGRIoF.exe
C:\Windows\System32\aOGRIoF.exe
2⤵
PID:9912

C:\Windows\System32\wnLZedc.exe
C:\Windows\System32\wnLZedc.exe
2⤵
PID:10256

C:\Windows\System32\IZTsIex.exe
C:\Windows\System32\IZTsIex.exe
2⤵
PID:10288

C:\Windows\System32\lZyfMJq.exe
C:\Windows\System32\lZyfMJq.exe
2⤵
PID:10320

C:\Windows\System32\SCHPiVW.exe
C:\Windows\System32\SCHPiVW.exe
2⤵
PID:10360

C:\Windows\System32\YyhJxBA.exe
C:\Windows\System32\YyhJxBA.exe
2⤵
PID:10392

C:\Windows\System32\bkBVMqb.exe
C:\Windows\System32\bkBVMqb.exe
2⤵
PID:10420

C:\Windows\System32\QfotiND.exe
C:\Windows\System32\QfotiND.exe
2⤵
PID:10452

C:\Windows\System32\BwxfnlR.exe
C:\Windows\System32\BwxfnlR.exe
2⤵
PID:10512

C:\Windows\System32\tUZNdEc.exe
C:\Windows\System32\tUZNdEc.exe
2⤵
PID:10544

C:\Windows\System32\yAThcdz.exe
C:\Windows\System32\yAThcdz.exe
2⤵
PID:10600

C:\Windows\System32\tVHMPqr.exe
C:\Windows\System32\tVHMPqr.exe
2⤵
PID:10620

C:\Windows\System32\sPJiWPi.exe
C:\Windows\System32\sPJiWPi.exe
2⤵
PID:10644

C:\Windows\System32\iFDiJCp.exe
C:\Windows\System32\iFDiJCp.exe
2⤵
PID:10676

C:\Windows\System32\WNauFbv.exe
C:\Windows\System32\WNauFbv.exe
2⤵
PID:10700

C:\Windows\System32\vabZCYp.exe
C:\Windows\System32\vabZCYp.exe
2⤵
PID:10732

C:\Windows\System32\yODMcrA.exe
C:\Windows\System32\yODMcrA.exe
2⤵
PID:10764

C:\Windows\System32\lkmqsxX.exe
C:\Windows\System32\lkmqsxX.exe
2⤵
PID:10792

C:\Windows\System32\pYPccXO.exe
C:\Windows\System32\pYPccXO.exe
2⤵
PID:10820

C:\Windows\System32\IaWAKbZ.exe
C:\Windows\System32\IaWAKbZ.exe
2⤵
PID:10848

C:\Windows\System32\EffkTlH.exe
C:\Windows\System32\EffkTlH.exe
2⤵
PID:10900

C:\Windows\System32\ZMaEYMf.exe
C:\Windows\System32\ZMaEYMf.exe
2⤵
PID:10916

C:\Windows\System32\ZdOpERb.exe
C:\Windows\System32\ZdOpERb.exe
2⤵
PID:10940

C:\Windows\System32\cQfdIsU.exe
C:\Windows\System32\cQfdIsU.exe
2⤵
PID:10960

C:\Windows\System32\OZxZrBT.exe
C:\Windows\System32\OZxZrBT.exe
2⤵
PID:10980

C:\Windows\System32\ZIoKqrO.exe
C:\Windows\System32\ZIoKqrO.exe
2⤵
PID:11028

C:\Windows\System32\UMWOqvC.exe
C:\Windows\System32\UMWOqvC.exe
2⤵
PID:11056

C:\Windows\System32\WlSIpHK.exe
C:\Windows\System32\WlSIpHK.exe
2⤵
PID:11072

C:\Windows\System32\mvZCuow.exe
C:\Windows\System32\mvZCuow.exe
2⤵
PID:11092

C:\Windows\System32\tAMTlHJ.exe
C:\Windows\System32\tAMTlHJ.exe
2⤵
PID:11124

C:\Windows\System32\lMYTkmL.exe
C:\Windows\System32\lMYTkmL.exe
2⤵
PID:11144

C:\Windows\System32\pcpbadP.exe
C:\Windows\System32\pcpbadP.exe
2⤵
PID:11180

C:\Windows\System32\APpsBYy.exe
C:\Windows\System32\APpsBYy.exe
2⤵
PID:11200

C:\Windows\System32\ghbzyoD.exe
C:\Windows\System32\ghbzyoD.exe
2⤵
PID:11248

C:\Windows\System32\dtWgTVg.exe
C:\Windows\System32\dtWgTVg.exe
2⤵
PID:8808

C:\Windows\System32\irYDJpX.exe
C:\Windows\System32\irYDJpX.exe
2⤵
PID:10316

C:\Windows\System32\TagNkCl.exe
C:\Windows\System32\TagNkCl.exe
2⤵
PID:10384

C:\Windows\System32\pfsbWyM.exe
C:\Windows\System32\pfsbWyM.exe
2⤵
PID:10496

C:\Windows\System32\fwKThcS.exe
C:\Windows\System32\fwKThcS.exe
2⤵
PID:10564

C:\Windows\System32\OnyVeya.exe
C:\Windows\System32\OnyVeya.exe
2⤵
PID:10636

C:\Windows\System32\TKWoiZT.exe
C:\Windows\System32\TKWoiZT.exe
2⤵
PID:10756

C:\Windows\System32\qchfpXc.exe
C:\Windows\System32\qchfpXc.exe
2⤵
PID:10836

C:\Windows\System32\NggKPoh.exe
C:\Windows\System32\NggKPoh.exe
2⤵
PID:10936

C:\Windows\System32\zPtWOzS.exe
C:\Windows\System32\zPtWOzS.exe
2⤵
PID:704

C:\Windows\System32\VvEWMlY.exe
C:\Windows\System32\VvEWMlY.exe
2⤵
PID:11016

C:\Windows\System32\bbQNrEl.exe
C:\Windows\System32\bbQNrEl.exe
2⤵
PID:11112

C:\Windows\System32\RhyiGwM.exe
C:\Windows\System32\RhyiGwM.exe
2⤵
PID:11220

C:\Windows\System32\slcRJZn.exe
C:\Windows\System32\slcRJZn.exe
2⤵
PID:9824

C:\Windows\System32\XCZOnNc.exe
C:\Windows\System32\XCZOnNc.exe
2⤵
PID:10440

C:\Windows\System32\xhfEnOh.exe
C:\Windows\System32\xhfEnOh.exe
2⤵
PID:10616

C:\Windows\System32\tfWwbjV.exe
C:\Windows\System32\tfWwbjV.exe
2⤵
PID:10652

C:\Windows\System32\uuQaWIA.exe
C:\Windows\System32\uuQaWIA.exe
2⤵
PID:10780

C:\Windows\System32\BqlhiCS.exe
C:\Windows\System32\BqlhiCS.exe
2⤵
PID:10872

C:\Windows\System32\GCLBLkD.exe
C:\Windows\System32\GCLBLkD.exe
2⤵
PID:11156

C:\Windows\System32\eaLzBPH.exe
C:\Windows\System32\eaLzBPH.exe
2⤵
PID:10336

C:\Windows\System32\HrUkFHj.exe
C:\Windows\System32\HrUkFHj.exe
2⤵
PID:11212

C:\Windows\System32\HBSugVl.exe
C:\Windows\System32\HBSugVl.exe
2⤵
PID:10312

C:\Windows\System32\amivlyI.exe
C:\Windows\System32\amivlyI.exe
2⤵
PID:11272

C:\Windows\System32\wgtMWdW.exe
C:\Windows\System32\wgtMWdW.exe
2⤵
PID:11308

C:\Windows\System32\MEetTqd.exe
C:\Windows\System32\MEetTqd.exe
2⤵
PID:11328

C:\Windows\System32\yKsaaLf.exe
C:\Windows\System32\yKsaaLf.exe
2⤵
PID:11344

C:\Windows\System32\FDnFwXk.exe
C:\Windows\System32\FDnFwXk.exe
2⤵
PID:11404

C:\Windows\System32\DlCevzX.exe
C:\Windows\System32\DlCevzX.exe
2⤵
PID:11424

C:\Windows\System32\RmSTDHf.exe
C:\Windows\System32\RmSTDHf.exe
2⤵
PID:11448

C:\Windows\System32\VYlJMVj.exe
C:\Windows\System32\VYlJMVj.exe
2⤵
PID:11468

C:\Windows\System32\uKWGGIw.exe
C:\Windows\System32\uKWGGIw.exe
2⤵
PID:11484

C:\Windows\System32\FmvbFdP.exe
C:\Windows\System32\FmvbFdP.exe
2⤵
PID:11524

C:\Windows\System32\LYYJzyB.exe
C:\Windows\System32\LYYJzyB.exe
2⤵
PID:11552

C:\Windows\System32\HomKnso.exe
C:\Windows\System32\HomKnso.exe
2⤵
PID:11576

C:\Windows\System32\YnFYJuF.exe
C:\Windows\System32\YnFYJuF.exe
2⤵
PID:11608

C:\Windows\System32\FlpABsC.exe
C:\Windows\System32\FlpABsC.exe
2⤵
PID:11628

C:\Windows\System32\mcZXrsU.exe
C:\Windows\System32\mcZXrsU.exe
2⤵
PID:11644

C:\Windows\System32\lASmKmV.exe
C:\Windows\System32\lASmKmV.exe
2⤵
PID:11692

C:\Windows\System32\xWVPqDi.exe
C:\Windows\System32\xWVPqDi.exe
2⤵
PID:11728

C:\Windows\System32\WEYNCpc.exe
C:\Windows\System32\WEYNCpc.exe
2⤵
PID:11748

C:\Windows\System32\HyDQygp.exe
C:\Windows\System32\HyDQygp.exe
2⤵
PID:11776

C:\Windows\System32\NRESQdu.exe
C:\Windows\System32\NRESQdu.exe
2⤵
PID:11796

C:\Windows\System32\DEpTdcw.exe
C:\Windows\System32\DEpTdcw.exe
2⤵
PID:11824

C:\Windows\System32\fGDIavd.exe
C:\Windows\System32\fGDIavd.exe
2⤵
PID:11840

C:\Windows\System32\ekwTbbY.exe
C:\Windows\System32\ekwTbbY.exe
2⤵
PID:11884

C:\Windows\System32\kkBaBRG.exe
C:\Windows\System32\kkBaBRG.exe
2⤵
PID:11932

C:\Windows\System32\doBCkhW.exe
C:\Windows\System32\doBCkhW.exe
2⤵
PID:11960

C:\Windows\System32\UGnYsXe.exe
C:\Windows\System32\UGnYsXe.exe
2⤵
PID:11992

C:\Windows\System32\NVGvKcM.exe
C:\Windows\System32\NVGvKcM.exe
2⤵
PID:12016

C:\Windows\System32\bDbSCnZ.exe
C:\Windows\System32\bDbSCnZ.exe
2⤵
PID:12040

C:\Windows\System32\SIVKkNq.exe
C:\Windows\System32\SIVKkNq.exe
2⤵
PID:12056

C:\Windows\System32\SrheoAj.exe
C:\Windows\System32\SrheoAj.exe
2⤵
PID:12080

C:\Windows\System32\GZAsMIb.exe
C:\Windows\System32\GZAsMIb.exe
2⤵
PID:12096

C:\Windows\System32\qnyvdYu.exe
C:\Windows\System32\qnyvdYu.exe
2⤵
PID:12120

C:\Windows\System32\AvRAYlU.exe
C:\Windows\System32\AvRAYlU.exe
2⤵
PID:12160

C:\Windows\System32\gnKhjOz.exe
C:\Windows\System32\gnKhjOz.exe
2⤵
PID:12204

C:\Windows\System32\voqQMoG.exe
C:\Windows\System32\voqQMoG.exe
2⤵
PID:12236

C:\Windows\System32\cIvPORJ.exe
C:\Windows\System32\cIvPORJ.exe
2⤵
PID:12252

C:\Windows\System32\tTDRuUE.exe
C:\Windows\System32\tTDRuUE.exe
2⤵
PID:10708

C:\Windows\System32\SVXyeaB.exe
C:\Windows\System32\SVXyeaB.exe
2⤵
PID:11300

C:\Windows\System32\MGFOpAi.exe
C:\Windows\System32\MGFOpAi.exe
2⤵
PID:11336

C:\Windows\System32\wIKnLhv.exe
C:\Windows\System32\wIKnLhv.exe
2⤵
PID:11512

C:\Windows\System32\RAYnVcr.exe
C:\Windows\System32\RAYnVcr.exe
2⤵
PID:11572

C:\Windows\System32\sNkoRYw.exe
C:\Windows\System32\sNkoRYw.exe
2⤵
PID:11676

C:\Windows\System32\nTjIERb.exe
C:\Windows\System32\nTjIERb.exe
2⤵
PID:11740

C:\Windows\System32\kWYFLQi.exe
C:\Windows\System32\kWYFLQi.exe
2⤵
PID:10760

C:\Windows\System32\ngtLsrj.exe
C:\Windows\System32\ngtLsrj.exe
2⤵
PID:11808

C:\Windows\System32\HYgvZys.exe
C:\Windows\System32\HYgvZys.exe
2⤵
PID:11944

C:\Windows\System32\sackwxF.exe
C:\Windows\System32\sackwxF.exe
2⤵
PID:12012

C:\Windows\System32\WbrfVYQ.exe
C:\Windows\System32\WbrfVYQ.exe
2⤵
PID:12064

C:\Windows\System32\CUmuHZz.exe
C:\Windows\System32\CUmuHZz.exe
2⤵
PID:12092

C:\Windows\System32\kskdQql.exe
C:\Windows\System32\kskdQql.exe
2⤵
PID:12176

C:\Windows\System32\DsXQLJn.exe
C:\Windows\System32\DsXQLJn.exe
2⤵
PID:12248

C:\Windows\System32\Rdmyuvc.exe
C:\Windows\System32\Rdmyuvc.exe
2⤵
PID:11316

C:\Windows\System32\wgNizHx.exe
C:\Windows\System32\wgNizHx.exe
2⤵
PID:11508

C:\Windows\System32\aXHZUSL.exe
C:\Windows\System32\aXHZUSL.exe
2⤵
PID:11788

C:\Windows\System32\RIwKVdq.exe
C:\Windows\System32\RIwKVdq.exe
2⤵
PID:11916

C:\Windows\System32\DYMODvp.exe
C:\Windows\System32\DYMODvp.exe
2⤵
PID:12104

C:\Windows\System32\MFJbvzn.exe
C:\Windows\System32\MFJbvzn.exe
2⤵
PID:12168

C:\Windows\System32\gPeFZfb.exe
C:\Windows\System32\gPeFZfb.exe
2⤵
PID:12280

C:\Windows\System32\TSgkOYr.exe
C:\Windows\System32\TSgkOYr.exe
2⤵
PID:11804

C:\Windows\System32\ZITUePu.exe
C:\Windows\System32\ZITUePu.exe
2⤵
PID:11860

C:\Windows\System32\ShRFWJY.exe
C:\Windows\System32\ShRFWJY.exe
2⤵
PID:12220

C:\Windows\System32\dDTxkeC.exe
C:\Windows\System32\dDTxkeC.exe
2⤵
PID:12304

C:\Windows\System32\ymqpXmo.exe
C:\Windows\System32\ymqpXmo.exe
2⤵
PID:12328

C:\Windows\System32\LoWQKbM.exe
C:\Windows\System32\LoWQKbM.exe
2⤵
PID:12344

C:\Windows\System32\KgkBiYo.exe
C:\Windows\System32\KgkBiYo.exe
2⤵
PID:12364

C:\Windows\System32\TPMqGeD.exe
C:\Windows\System32\TPMqGeD.exe
2⤵
PID:12400

C:\Windows\System32\eLdvNMV.exe
C:\Windows\System32\eLdvNMV.exe
2⤵
PID:12432

C:\Windows\System32\qDlWqdd.exe
C:\Windows\System32\qDlWqdd.exe
2⤵
PID:12476

C:\Windows\System32\QYNHGfQ.exe
C:\Windows\System32\QYNHGfQ.exe
2⤵
PID:12492

C:\Windows\System32\vDUiCtS.exe
C:\Windows\System32\vDUiCtS.exe
2⤵
PID:12512

C:\Windows\System32\GIBtOry.exe
C:\Windows\System32\GIBtOry.exe
2⤵
PID:12540

C:\Windows\System32\rIBdseP.exe
C:\Windows\System32\rIBdseP.exe
2⤵
PID:12564

C:\Windows\System32\dCbFwlf.exe
C:\Windows\System32\dCbFwlf.exe
2⤵
PID:12596

C:\Windows\System32\kUVfKfV.exe
C:\Windows\System32\kUVfKfV.exe
2⤵
PID:12616

C:\Windows\System32\AGniDQG.exe
C:\Windows\System32\AGniDQG.exe
2⤵
PID:12640

C:\Windows\System32\ASXqIqf.exe
C:\Windows\System32\ASXqIqf.exe
2⤵
PID:12664

C:\Windows\System32\rjBKbjH.exe
C:\Windows\System32\rjBKbjH.exe
2⤵
PID:12712

C:\Windows\System32\KtCpoqM.exe
C:\Windows\System32\KtCpoqM.exe
2⤵
PID:12752

C:\Windows\System32\pqozbye.exe
C:\Windows\System32\pqozbye.exe
2⤵
PID:12772

C:\Windows\System32\XKfxPMk.exe
C:\Windows\System32\XKfxPMk.exe
2⤵
PID:12788

C:\Windows\System32\SETzSJQ.exe
C:\Windows\System32\SETzSJQ.exe
2⤵
PID:12828

C:\Windows\System32\nkjSTLw.exe
C:\Windows\System32\nkjSTLw.exe
2⤵
PID:12860

C:\Windows\System32\RlYYyDB.exe
C:\Windows\System32\RlYYyDB.exe
2⤵
PID:12884

C:\Windows\System32\IfWBBlb.exe
C:\Windows\System32\IfWBBlb.exe
2⤵
PID:12912

C:\Windows\System32\qSOMCWx.exe
C:\Windows\System32\qSOMCWx.exe
2⤵
PID:12940

C:\Windows\System32\YdVfkfh.exe
C:\Windows\System32\YdVfkfh.exe
2⤵
PID:12972

C:\Windows\System32\FjwDncG.exe
C:\Windows\System32\FjwDncG.exe
2⤵
PID:13000

C:\Windows\System32\iVucYrW.exe
C:\Windows\System32\iVucYrW.exe
2⤵
PID:13032

C:\Windows\System32\HNnTgkp.exe
C:\Windows\System32\HNnTgkp.exe
2⤵
PID:13060

C:\Windows\System32\oQkqQiy.exe
C:\Windows\System32\oQkqQiy.exe
2⤵
PID:13076

C:\Windows\System32\pWytbyR.exe
C:\Windows\System32\pWytbyR.exe
2⤵
PID:13096

C:\Windows\System32\QEtykfU.exe
C:\Windows\System32\QEtykfU.exe
2⤵
PID:13116

C:\Windows\System32\rzhcaRX.exe
C:\Windows\System32\rzhcaRX.exe
2⤵
PID:13140

C:\Windows\System32\nELCtnZ.exe
C:\Windows\System32\nELCtnZ.exe
2⤵
PID:13192

C:\Windows\System32\GvzlkDK.exe
C:\Windows\System32\GvzlkDK.exe
2⤵
PID:13244

C:\Windows\System32\CjCBQwW.exe
C:\Windows\System32\CjCBQwW.exe
2⤵
PID:13260

C:\Windows\System32\ZrdHiaO.exe
C:\Windows\System32\ZrdHiaO.exe
2⤵
PID:13296

C:\Windows\System32\RyfjbtI.exe
C:\Windows\System32\RyfjbtI.exe
2⤵
PID:11324

C:\Windows\System32\evioEFR.exe
C:\Windows\System32\evioEFR.exe
2⤵
PID:12300

C:\Windows\System32\rmCOOVn.exe
C:\Windows\System32\rmCOOVn.exe
2⤵
PID:12384

C:\Windows\System32\HttHQvV.exe
C:\Windows\System32\HttHQvV.exe
2⤵
PID:12428

C:\Windows\System32\KgpFKed.exe
C:\Windows\System32\KgpFKed.exe
2⤵
PID:12444

C:\Windows\System32\DgTysRC.exe
C:\Windows\System32\DgTysRC.exe
2⤵
PID:12536

C:\Windows\System32\wAsYqHa.exe
C:\Windows\System32\wAsYqHa.exe
2⤵
PID:12532

C:\Windows\System32\TAUVPmy.exe
C:\Windows\System32\TAUVPmy.exe
2⤵
PID:12608

C:\Windows\System32\DhPBfts.exe
C:\Windows\System32\DhPBfts.exe
2⤵
PID:12704

C:\Windows\System32\YuytMtZ.exe
C:\Windows\System32\YuytMtZ.exe
2⤵
PID:12812

C:\Windows\System32\arihtSP.exe
C:\Windows\System32\arihtSP.exe
2⤵
PID:12904

C:\Windows\System32\krDHshA.exe
C:\Windows\System32\krDHshA.exe
2⤵
PID:12956

C:\Windows\System32\lgiXeQx.exe
C:\Windows\System32\lgiXeQx.exe
2⤵
PID:13020

C:\Windows\System32\nuBFamt.exe
C:\Windows\System32\nuBFamt.exe
2⤵
PID:13052

C:\Windows\System32\UuFViRs.exe
C:\Windows\System32\UuFViRs.exe
2⤵
PID:13224

C:\Windows\System32\UYhyBCw.exe
C:\Windows\System32\UYhyBCw.exe
2⤵
PID:12072

C:\Windows\System32\fxetBmx.exe
C:\Windows\System32\fxetBmx.exe
2⤵
PID:12420

C:\Windows\System32\SnyyhQP.exe
C:\Windows\System32\SnyyhQP.exe
2⤵
PID:12440

C:\Windows\System32\OYfTiNh.exe
C:\Windows\System32\OYfTiNh.exe
2⤵
PID:12624

C:\Windows\System32\LzfWRsH.exe
C:\Windows\System32\LzfWRsH.exe
2⤵
PID:12648

C:\Windows\System32\aUNLbpY.exe
C:\Windows\System32\aUNLbpY.exe
2⤵
PID:12840

C:\Windows\System32\fTmFxsE.exe
C:\Windows\System32\fTmFxsE.exe
2⤵
PID:12876

C:\Windows\System32\igoeYKp.exe
C:\Windows\System32\igoeYKp.exe
2⤵
PID:12920

C:\Windows\System32\wyifuUe.exe
C:\Windows\System32\wyifuUe.exe
2⤵
PID:13256

C:\Windows\System32\xAVzaZR.exe
C:\Windows\System32\xAVzaZR.exe
2⤵
PID:1524

C:\Windows\System32\GRIykUp.exe
C:\Windows\System32\GRIykUp.exe
2⤵
PID:12552

C:\Windows\System32\PjGwtjX.exe
C:\Windows\System32\PjGwtjX.exe
2⤵
PID:12632

C:\Windows\System32\UDzRGiM.exe
C:\Windows\System32\UDzRGiM.exe
2⤵
PID:12872

C:\Windows\System32\rcLrjtk.exe
C:\Windows\System32\rcLrjtk.exe
2⤵
PID:12484

C:\Windows\System32\nOGfgIp.exe
C:\Windows\System32\nOGfgIp.exe
2⤵
PID:12996

C:\Windows\System32\yhaeXNm.exe
C:\Windows\System32\yhaeXNm.exe
2⤵
PID:13324

C:\Windows\System32\vKwRJDU.exe
C:\Windows\System32\vKwRJDU.exe
2⤵
PID:13348

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BgMhbTU.exe
Filesize
1.1MB

MD5
3f55eec7e2269aa083afe44124830ca2

SHA1
9ea50155aebb35e17f98f1c9fa0242837a2024ec

SHA256
10d4c229419790d7953fd045c8e83cba1e28baeee124e92e663765ed77650d8b

SHA512
d433d0c7baad6e848f30fe85f8e0eec117c492b9f8cadedb52ac6a9288d3b5d960dadad17b59dc94e81e3495de998330b80ad824d5ac09fe96303a1d3216ad8b

Download Submit
C:\Windows\System32\FhjfOmt.exe
Filesize
1.1MB

MD5
75b619ce84073f0eb1946a0ed341bf50

SHA1
59f2d614c648a673c15971b3af6a5d258a1410ec

SHA256
936e453ebb5d2c7113746a877f91729fd16e27091d076456cee935eaad6bf07c

SHA512
b26ed55cada58b1e248c7bef47b0bb789b005e47e6665a5d9d8d31c76acbf4233fe16e4667c18a74286154564c9cb99e488993ca9b153c7d7b0b0ead21d5ae12

Download Submit
C:\Windows\System32\GMXwWwz.exe
Filesize
1.1MB

MD5
4c4b874dd6e625cbbbde00c404634bf3

SHA1
998554c54c8a9bc1eb9f390f90179831a1e39c39

SHA256
05d8eda5d943675fb71192ef06c593a6b8af319c9dd5cc7de98521f362d8ee2a

SHA512
ff535f34295cde2d8743ec011259dcac15fba2a71f32e1610037968d74529b08f38a5a8b4a87427dd106445a603952a4a881030d0e63ae831745d740ef021c65

Download Submit
C:\Windows\System32\INWPCcK.exe
Filesize
1.1MB

MD5
01069a4f1f5e18d6bc0eeb305b2719ed

SHA1
aa6b050a8d939e167fc017368bbb67826da54d37

SHA256
8216896afdf8d00694baada11d4cc5ac5454868cdbf127dfb11aae2af356f6f0

SHA512
445e3e66af5136197e903af57d105c86914af53e50fd8b5652b10e852a954ddcb65b9f403d398939a9ad4b4a156417b2c92ef71ff90513f8bead36a7a4bf286c

Download Submit
C:\Windows\System32\JThkQZa.exe
Filesize
1.1MB

MD5
d1c0f3b4054528349ed2de38595fd382

SHA1
98ac71b67687d5b9e85f35524f768d51b113e0ca

SHA256
6b74626365aaf5525854903c33c1c64b5efd5c8ec5c89867f7d0e9a8c04c4cdf

SHA512
a6c58a264eca5c521a33b6e4f8d931ec5be4235f3eec51901a9576ad03f0dd53b8bd8a33c8d0a67292ea719a8891e05d8b475a6c6162b7ca4ce5794b24d56cf4

Download Submit
C:\Windows\System32\KgSTuyh.exe
Filesize
1.1MB

MD5
6262fd16c829ab38ea58a33a42806736

SHA1
c795dc1e792dfdc24f07619444a4fac8c3fdca7e

SHA256
5d1f32edeae6941aaf13fba2878e96f957cd182ea8cf8284a2bb2c61a9eac7d2

SHA512
4a56195dfe3a0d36bc5284ed8e93a48f32d97bfb0366cac2d93a69e58ed681c69bc98a4e383cef3e8080916ddccc9b753a0e8a923928497e06d73f6e93aa4a89

Download Submit
C:\Windows\System32\KvXcikF.exe
Filesize
1.1MB

MD5
877dcfc2a9c3af35d9c86ef3a63cfde7

SHA1
76284b6483ba9f6833fa92363d0f561546b08349

SHA256
f33894449293f012bd3e4229f7c26691a8f9f1b1523c1e60315f8ebb3b9dd4ec

SHA512
544a1a1971aab66902ac158fbd496b14a87a1ac5c2f3933c9d640fbc1ce4576a4a58e9099ed7ee5d9c2c8fe0d048aea8f3f557ec675a6a0ced9deb7512684658

Download Submit
C:\Windows\System32\LDEPLWe.exe
Filesize
1.1MB

MD5
b47445d011d21e4f24dd325be83b7956

SHA1
780d80226cac6ddfe459ced6ee6adea7e4db162e

SHA256
332c8d0d315884c1d8e4e7983c8cd097fb7ffa53166114afc6e56678c42acb3b

SHA512
244e17b64437b62f96be983eae17eb5a28656e51384ae2d7d40a7f412e31925e5f3be31508045056d8f42c369491c59eb6a8b3504cc8dbbc2dd1b96bcefbbac0

Download Submit
C:\Windows\System32\LWmfyjh.exe
Filesize
1.1MB

MD5
3f930188127f0b7207755c9cf9499fbc

SHA1
af60004ec955fd83b986a166b888f84d41bbdebd

SHA256
37addc738a862d2b70265a5c3383052568e94af5e251136e27ff33562a6787c8

SHA512
7b778fa1374fa04bd4fd4e9897654446836bf492afa2e51f38ac6d607c0ba8fb0503a1168ccea09cbfa9b4a4de419e80fd1bc63a4a1820c956f8aeac7dcabd74

Download Submit
C:\Windows\System32\LtYSGwm.exe
Filesize
1.1MB

MD5
475be172fff604dc6899e1e0daf647ea

SHA1
43e37b0f4ce31e2b368c70c4cee5c3abe8be6093

SHA256
be2ab91f2a1b1307eb272e13b73fbdcad2807a052c19e5fbd1d027047934812e

SHA512
312fa22e99a5a045830a6ac10f3aa7cfcca666c26c0d84ca4f2f7d98e69f87128206296fdba3fa0e63469744fd843657546963b2101b5d9fab83574276b61a82

Download Submit
C:\Windows\System32\ODgqlrM.exe
Filesize
1.1MB

MD5
2fc513d3fd256c4752d3d2d73c61777e

SHA1
f620adce58ff5923c23719736a10bd5c84320193

SHA256
c3093b0f8e90a1a074e359be97b5ece7a5fa944b63868d112757fab2f4ef62f4

SHA512
8372aedccbd7d498a553c7bcc48742e850823e7d9943ceaeff786580771ebf271c10277e37a46cf6182944027de89d053ff09ce8b79cee8158454522423adb91

Download Submit
C:\Windows\System32\SSyoBZA.exe
Filesize
1.1MB

MD5
92cb5e6852f7e94d2866d76a894d42dc

SHA1
36aa9e5cf13fd0ee02280d1e0f69a766797c6f25

SHA256
b2c6aef180ac3acda49c98a5b68406938a0416309d6de65b24bbb787bc22549c

SHA512
9e1f231d9d02eb37f13b19791c6379a3861698e6ed8ad9667496039b7ff8d3bda7e327c7d9b1bd924f02bd94873deb37a2c0b1bc0fb455e123239eaddb1cbfbc

Download Submit
C:\Windows\System32\SdSJCqe.exe
Filesize
1.1MB

MD5
db636e2c5d290f7c6d364257259c3abc

SHA1
2d71dcacce967864649ef3fb1eb230db391f3fb4

SHA256
0811f27c609b5ff3eb12e6cd3e86ccefc6333e4f685cc5f1ddb576232ce144e6

SHA512
b87881a7e4e0621b693c888a436250cf94348519f9d6b3cb77b348c0c4dbc42512bdeaf29993bff60295843b1da8acd8f009843d73ec3d2f9f294b6d04a562ae

Download Submit
C:\Windows\System32\UAYmyJj.exe
Filesize
1.1MB

MD5
9d671a673fe7231a27ccd39bf989042d

SHA1
fc8176bc721d74c25c1bd37d174df8cf315c934b

SHA256
3797ad43b92706bc6c5e034cbca49baec7c86f926c75a39aa0b0241e4a6aa774

SHA512
73173c97017f81b7441755ac2b10c3d7e9ce3ab9491c4b17e20a5f02bb66674517f8b338f81ff233fad3f191dbefa0f1e5b6ee82e3d75c5686e8da9e2e631e49

Download Submit
C:\Windows\System32\XmWudcU.exe
Filesize
1.1MB

MD5
dcdd16b8929faff4448a806a732acc36

SHA1
fe7631e20b5d2f5ef2a6866aab6401ce29c33f59

SHA256
5716ae4179a7f3712709fe6d73df8b0edfd9797cfe070232d6386be1679f706c

SHA512
1bb623790524d1b8f14fab93e3046f36ebe463f54281f06c2d9b3ac86c7839607cb5f53d0540bd660d3032c46324aeeef7558deb4e87e38c9c269c1ea0fd910c

Download Submit
C:\Windows\System32\YVhEOEz.exe
Filesize
1.1MB

MD5
1d293adb1df6933aae0f959a8c5607ce

SHA1
5b5766da082d5e930c5a1194a70c77214610801f

SHA256
2f3439721708b6206028d7052371f489399e57ab5a87004c017f890354f77da9

SHA512
d038217da6f41fa14a016b26200653da46d7368f4144df9c41c4ad1b08e91d82b642281c445a1a5c151690270734e8a925b8918b3ec3bd2f7ca593b727f9df8e

Download Submit
C:\Windows\System32\ZYFLqrT.exe
Filesize
1.1MB

MD5
893b65813df98376034d5e60b5dbe67d

SHA1
f2113178fde1fabdb5fda530bf591f1792498167

SHA256
699cfaf3dc59d286466479c3292518fd6986d21b4ea2a5bdb78adf5d7f1fa128

SHA512
30f3ae77f022e3a38999656bea7d0bbb5692848303c59bb90a00eac89d8d00fb2000a1acd0d3bc9ac0162c319a58813fcc88758c64aef61f1351276f86cbe26f

Download Submit
C:\Windows\System32\bGsunvo.exe
Filesize
1.1MB

MD5
631815085f15368723d893a8f0210e56

SHA1
627643d0384adf2af2856b308ad8a551ad48030a

SHA256
64e2a1c4011eddef0d2b2ee31eb8993bf282eaac7eb6bd6d659018c377b7480e

SHA512
09196841d69565412b584f0ddc433f5880b561c7d812d150cfdc4b222f0f7140e7bf6d880367c145d567a525358b34dcd02fcd2adc42dced6ca411b2476cdfab

Download Submit
C:\Windows\System32\eebILRd.exe
Filesize
1.1MB

MD5
24d162ecfd948725126cb4e7751c4075

SHA1
9312eeed0e6898294a92a45d3cd1c6cb75a4298d

SHA256
019acb80d505bdd62417163aff704abdeec8b1757289b7ed1b3b9860409f0362

SHA512
4018edb5968364da48c1f1b89f50609a5d0790e820d7868445dc19e3c510e92a7ff3eca11294e1dc93647c3c64bcb3c417b381c3380460dfacfe6bc295009634

Download Submit
C:\Windows\System32\hlLLIuE.exe
Filesize
1.1MB

MD5
7f4ee56e4660e465d944157c2fc982f4

SHA1
62f457c106b9c77ef271ad01a572f4cb5753f8e5

SHA256
5ded4d8f9ad22e0225ad869f29eeb9d29670fb6283adf26cacb4c9c2dc10b8ff

SHA512
6400f638c890fa2476807242da1888d535fa7a11437a2d05092b5b5a2c67220f17ab7ae5003095260b532548e83248fa02154538fa92c401ee9096ed812ccfd6

Download Submit
C:\Windows\System32\hykgKnQ.exe
Filesize
1.1MB

MD5
21cc7dd8289cc8128dbd815e82c71932

SHA1
f2f787fa5ef4e198f118372cfd71d79b868b5f15

SHA256
7ba3050682b7a5bbb07fde53f5d7d994777f00dcb46cc026bf96527990def37f

SHA512
45ff991d3634fb759092ccfe1759e5547905e31bc08fd18b363c6be59d0e00408f10f1f1f3de01ee5fb22a673d61e858cb60cd9c2347bac46ee942e4bb992283

Download Submit
C:\Windows\System32\jDbRCUX.exe
Filesize
1.1MB

MD5
e0c17f00064b1fa47b4a3df86a62001a

SHA1
6c2a947d9726c5825933d8b4b17005efeaad30d7

SHA256
cca478cf5cbe421b607e1697f1cf85286c815bbaeaca9d7d84a463d13bea8d7d

SHA512
befba70d503ee7c7b72ae5f8a77e0276e251f10e5f80ece75599ba834f889b019a43e5bbce437b8480053908587417a91d717cb52bb90815567c770d363f3c21

Download Submit
C:\Windows\System32\jkycvAN.exe
Filesize
1.1MB

MD5
8b4735dc36ee74d6f7ad8001bf18f910

SHA1
81a3b74a3b8a1afa42c2e69eac163381eb5e811a

SHA256
bd237c637012ae256576d4c9da2ec884736d455ce3edd75516f3988aef2f6c7c

SHA512
1e9795a5f71e6b13dc56a4a0bd5b70f8ddf659cf857e4a2f333107df40ae3faccaf17ec98a54a236443b41cfd963dbe71d2a356edad177494b2bb879a2de83d5

Download Submit
C:\Windows\System32\juzsuCG.exe
Filesize
1.1MB

MD5
5949601caaf05cf6edd1064925d2f86b

SHA1
7f3b947a3141be6807807456ede22722f99fb1c6

SHA256
5931832e8dcb4c82ce44cbb96a8e4df2eadb74b8a3ae22e5f992a75e99790d1b

SHA512
14c0e0ae899371fd0592f493505d782acbb2c61e82d8f8c6bccdcd3d49ad8e02c677c3c4444de299555c1e69edfc5e8795d1f02255c0b066960a1f3dd9f12f39

Download Submit
C:\Windows\System32\kIAYNDz.exe
Filesize
1.1MB

MD5
912f3316c84b8e167924267022c47dc3

SHA1
30f6e7432415b0bc9c781d59d5cf3cfea33f4d64

SHA256
7a7d24251ee7ca882fcf05a7a40678b185a4218b716a842cc880b99b73dacce5

SHA512
ae77a7baf3e9d63b5eab151164a7dd96e43aa8c2f743ce3bf4b6d03f6db58672bbaae21c8ca6e27f7e83cc104de00e64ba139b5d50817f79dead9ba5a5b5c85c

Download Submit
C:\Windows\System32\lxXrIUM.exe
Filesize
1.1MB

MD5
e762e9728cafb1c0efd5556aaaff04d5

SHA1
b724c77d7a37145172073eec32d18b572e1c1e2e

SHA256
7118fdd64d61eae6cee9f705bb5f311ff1302300b4f1a2e3be831b58d705336c

SHA512
235436e4f0f8eb5ba5917dd41c7cbc4e20b7cc052932f4be0dca734e09fef384272eff1885cd666ff5a441f30b77870af323be97b891af3c50b425b47a883d88

Download Submit
C:\Windows\System32\pnBakFw.exe
Filesize
1.1MB

MD5
b7fdab60255b3d54e99d6a91217e723c

SHA1
e74a0d590954751f2d15ac825229ec0af4e6d700

SHA256
7d6d8340f80e46e613d482cfcf33b94d876a9d97b28cb4592151fe995090e0da

SHA512
0f53e68003b3b4d827391a85005e988ce5ddd564958eed18486b4c43b3392817db96d0a1761bdde850d637d3de22ad55394b2eb450f0125d1ec49ac04dd1bc18

Download Submit
C:\Windows\System32\qEJvoUE.exe
Filesize
1.1MB

MD5
77328f013bcb6c68a37eb406f4b010ee

SHA1
c09749c5957dd709dd52cb86699a1dae04084db9

SHA256
8b80dbd32aecf8089e1790ae7392d141ab73bb034c1c0dc66ecf4a1a2c476474

SHA512
fbe227d7e9c30ae9422319684e16516f7db952e10de401232892b20abaf45966bb7039d5757d98558ebf197ac3e3d7cdd7467930e15a9b1420aa137fb197b369

Download Submit
C:\Windows\System32\wUuInjr.exe
Filesize
1.1MB

MD5
3fdeffaa8b80912349f3875973b399e6

SHA1
965112412954397d00f8c23fc1bdba895a2b3e91

SHA256
f9aa2005f1aa6fc0cfe3b7a8458ae8ee9d0b0faf8bc2e914907bb8bd3289c554

SHA512
1dd0c70de1a4e9fea45f06f8b1de0c8f3010bd40b77edbd5df8de66dbd303233b7ab7c4bff0114f9f8b97dbda9e923512517573311b5d9e46192aa0fa967ff69

Download Submit
C:\Windows\System32\xtJnwKw.exe
Filesize
1.1MB

MD5
362c392d6cc8bdd3aa24c1b413c47bbd

SHA1
e53b6f8c0d0ada653a522c683e262d57e086032d

SHA256
a0a06445f22fb1c47f9dfaa770e04d485ecea74ce17b8e37cd7353574b41ae88

SHA512
5000ceac37f86a5918cf12e7babff676822fd48395400866a380839e42be3190ace7e179adc9bb810614874b6a322420f38aade1b7ed85afe0bad2706c8be6f6

Download Submit
C:\Windows\System32\zjEWWtt.exe
Filesize
1.1MB

MD5
1bdfb45379acbeb0913452b080eb95af

SHA1
805191d223d2216eb73e66fd5d15f9aec70644fc

SHA256
0e321fd700dc0fe44c690ecbcdcefe05b54828504a7462665e9d727432e04072

SHA512
857c1bdccbe53eb147479479e166b53a781d0b505eef3c440964bdb87db4c859e45708bef47c6128ab149c12e5228f1ac423b568b02525a5d4cdedfddc25e29f

Download Submit
C:\Windows\System32\zsDCARi.exe
Filesize
1.1MB

MD5
1c58faab49fbf1696e35335880ed93ec

SHA1
e8a927d71a4e16f5ffcfc00c21009416b3bab883

SHA256
15689c4137bd584de615df9bc278b068c2aaf21aabd038c5190dd739d1b147e8

SHA512
330e017742c1051e0129d4d21b02724d3b0440d5ae13cdf91dbc00d3e116cca1052c131ea7c92430a48a4a4e707ddeecd004365fd6f9b04dd8bd3f1673d82957

Download Submit
memory/224-1455-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp

Filesize
3.9MB

Download
memory/224-27-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp

Filesize
3.9MB

Download
memory/224-2043-0x00007FF6F4A60000-0x00007FF6F4E51000-memory.dmp

Filesize
3.9MB

Download
memory/1304-386-0x00007FF7CC640000-0x00007FF7CCA31000-memory.dmp

Filesize
3.9MB

Download
memory/1304-2149-0x00007FF7CC640000-0x00007FF7CCA31000-memory.dmp

Filesize
3.9MB

Download
memory/1508-383-0x00007FF7F7600000-0x00007FF7F79F1000-memory.dmp

Filesize
3.9MB

Download
memory/1508-2143-0x00007FF7F7600000-0x00007FF7F79F1000-memory.dmp

Filesize
3.9MB

Download
memory/1676-2097-0x00007FF634090000-0x00007FF634481000-memory.dmp

Filesize
3.9MB

Download
memory/1676-89-0x00007FF634090000-0x00007FF634481000-memory.dmp

Filesize
3.9MB

Download
memory/1740-387-0x00007FF6E3BF0000-0x00007FF6E3FE1000-memory.dmp

Filesize
3.9MB

Download
memory/1740-2151-0x00007FF6E3BF0000-0x00007FF6E3FE1000-memory.dmp

Filesize
3.9MB

Download
memory/1788-18-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp

Filesize
3.9MB

Download
memory/1788-965-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp

Filesize
3.9MB

Download
memory/1788-2041-0x00007FF77F840000-0x00007FF77FC31000-memory.dmp

Filesize
3.9MB

Download
memory/1800-37-0x00007FF64BE10000-0x00007FF64C201000-memory.dmp

Filesize
3.9MB

Download
memory/1800-2045-0x00007FF64BE10000-0x00007FF64C201000-memory.dmp

Filesize
3.9MB

Download
memory/1860-2002-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp

Filesize
3.9MB

Download
memory/1860-65-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp

Filesize
3.9MB

Download
memory/1860-2091-0x00007FF6D5750000-0x00007FF6D5B41000-memory.dmp

Filesize
3.9MB

Download
memory/1888-8-0x00007FF617870000-0x00007FF617C61000-memory.dmp

Filesize
3.9MB

Download
memory/1888-2039-0x00007FF617870000-0x00007FF617C61000-memory.dmp

Filesize
3.9MB

Download
memory/1888-960-0x00007FF617870000-0x00007FF617C61000-memory.dmp

Filesize
3.9MB

Download
memory/2020-2001-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp

Filesize
3.9MB

Download
memory/2020-2093-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp

Filesize
3.9MB

Download
memory/2020-52-0x00007FF7E3F00000-0x00007FF7E42F1000-memory.dmp

Filesize
3.9MB

Download
memory/2116-38-0x00007FF6628A0000-0x00007FF662C91000-memory.dmp

Filesize
3.9MB

Download
memory/2116-2047-0x00007FF6628A0000-0x00007FF662C91000-memory.dmp

Filesize
3.9MB

Download
memory/2136-2037-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2136-102-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2136-2139-0x00007FF7A29B0000-0x00007FF7A2DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2035-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-95-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2132-0x00007FF7B7BB0000-0x00007FF7B7FA1000-memory.dmp

Filesize
3.9MB

Download
memory/2340-87-0x00007FF6E5CA0000-0x00007FF6E6091000-memory.dmp

Filesize
3.9MB

Download
memory/2340-2112-0x00007FF6E5CA0000-0x00007FF6E6091000-memory.dmp

Filesize
3.9MB

Download
memory/2376-385-0x00007FF7D84D0000-0x00007FF7D88C1000-memory.dmp

Filesize
3.9MB

Download
memory/2376-2147-0x00007FF7D84D0000-0x00007FF7D88C1000-memory.dmp

Filesize
3.9MB

Download
memory/2848-2049-0x00007FF6D0960000-0x00007FF6D0D51000-memory.dmp

Filesize
3.9MB

Download
memory/2848-36-0x00007FF6D0960000-0x00007FF6D0D51000-memory.dmp

Filesize
3.9MB

Download
memory/2876-81-0x00007FF798EC0000-0x00007FF7992B1000-memory.dmp

Filesize
3.9MB

Download
memory/2876-2095-0x00007FF798EC0000-0x00007FF7992B1000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2137-0x00007FF726790000-0x00007FF726B81000-memory.dmp

Filesize
3.9MB

Download
memory/2892-381-0x00007FF726790000-0x00007FF726B81000-memory.dmp

Filesize
3.9MB

Download
memory/3432-2116-0x00007FF7EB8E0000-0x00007FF7EBCD1000-memory.dmp

Filesize
3.9MB

Download
memory/3432-83-0x00007FF7EB8E0000-0x00007FF7EBCD1000-memory.dmp

Filesize
3.9MB

Download
memory/4008-99-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp

Filesize
3.9MB

Download
memory/4008-2135-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp

Filesize
3.9MB

Download
memory/4008-2036-0x00007FF6E1910000-0x00007FF6E1D01000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2141-0x00007FF60DCC0000-0x00007FF60E0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4456-382-0x00007FF60DCC0000-0x00007FF60E0B1000-memory.dmp

Filesize
3.9MB

Download
memory/4752-384-0x00007FF64D2F0000-0x00007FF64D6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2145-0x00007FF64D2F0000-0x00007FF64D6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4876-2118-0x00007FF6F6BF0000-0x00007FF6F6FE1000-memory.dmp

Filesize
3.9MB

Download
memory/4876-86-0x00007FF6F6BF0000-0x00007FF6F6FE1000-memory.dmp

Filesize
3.9MB

Download
memory/5012-1-0x000002C374540000-0x000002C374550000-memory.dmp

Filesize
64KB

Download
memory/5012-0-0x00007FF6700C0000-0x00007FF6704B1000-memory.dmp

Filesize
3.9MB

Download
memory/5012-380-0x00007FF6700C0000-0x00007FF6704B1000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2114-0x00007FF647D20000-0x00007FF648111000-memory.dmp

Filesize
3.9MB

Download
memory/5096-92-0x00007FF647D20000-0x00007FF648111000-memory.dmp

Filesize
3.9MB

Download