xmrig | da49e871f2db19cd640aafab0a730bd24634df11c7b064715f0f5e0b79631e29

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
Size

1.4MB
MD5

797c708d6eebb2fbd3b16a9c737dfb70
SHA1

7afc600b8836c6825bbe8a0e7e01f1966e5ae294
SHA256

da49e871f2db19cd640aafab0a730bd24634df11c7b064715f0f5e0b79631e29
SHA512

b15a8bb83290f6748a18c991e2298a63967c35767b79c92ab2c72613f9d388853cdfea5e0a21f28905fb3ddad042e790e00e9c465f761c4535579bc15ed1efab
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZdO23/oF7u3hmxjfU3KXAnmwJThEz8tU/FVJ91:knw9oUUEEDl3aEUiRSW2j3D

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1656-35-0x00007FF7FF920000-0x00007FF7FFD11000-memory.dmp	xmrig
behavioral2/memory/4376-327-0x00007FF65D2E0000-0x00007FF65D6D1000-memory.dmp	xmrig
behavioral2/memory/2668-326-0x00007FF75BF70000-0x00007FF75C361000-memory.dmp	xmrig
behavioral2/memory/3588-340-0x00007FF65F850000-0x00007FF65FC41000-memory.dmp	xmrig
behavioral2/memory/1780-345-0x00007FF7A7590000-0x00007FF7A7981000-memory.dmp	xmrig
behavioral2/memory/1568-333-0x00007FF654B60000-0x00007FF654F51000-memory.dmp	xmrig
behavioral2/memory/3456-365-0x00007FF7371A0000-0x00007FF737591000-memory.dmp	xmrig
behavioral2/memory/5012-370-0x00007FF672E70000-0x00007FF673261000-memory.dmp	xmrig
behavioral2/memory/2804-376-0x00007FF77FBD0000-0x00007FF77FFC1000-memory.dmp	xmrig
behavioral2/memory/4552-377-0x00007FF65BA60000-0x00007FF65BE51000-memory.dmp	xmrig
behavioral2/memory/2288-378-0x00007FF664880000-0x00007FF664C71000-memory.dmp	xmrig
behavioral2/memory/4540-379-0x00007FF7BC820000-0x00007FF7BCC11000-memory.dmp	xmrig
behavioral2/memory/1688-380-0x00007FF72A8D0000-0x00007FF72ACC1000-memory.dmp	xmrig
behavioral2/memory/2364-359-0x00007FF759CA0000-0x00007FF75A091000-memory.dmp	xmrig
behavioral2/memory/2420-382-0x00007FF7AEF30000-0x00007FF7AF321000-memory.dmp	xmrig
behavioral2/memory/1144-383-0x00007FF666880000-0x00007FF666C71000-memory.dmp	xmrig
behavioral2/memory/4408-381-0x00007FF6EA420000-0x00007FF6EA811000-memory.dmp	xmrig
behavioral2/memory/4928-355-0x00007FF6F7710000-0x00007FF6F7B01000-memory.dmp	xmrig
behavioral2/memory/2260-323-0x00007FF7C6110000-0x00007FF7C6501000-memory.dmp	xmrig
behavioral2/memory/3200-22-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp	xmrig
behavioral2/memory/4472-1923-0x00007FF676850000-0x00007FF676C41000-memory.dmp	xmrig
behavioral2/memory/3468-1958-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp	xmrig
behavioral2/memory/412-1967-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp	xmrig
behavioral2/memory/804-1992-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp	xmrig
behavioral2/memory/4484-1993-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp	xmrig
behavioral2/memory/3200-2008-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp	xmrig
behavioral2/memory/3468-2010-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp	xmrig
behavioral2/memory/1656-2012-0x00007FF7FF920000-0x00007FF7FFD11000-memory.dmp	xmrig
behavioral2/memory/804-2014-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp	xmrig
behavioral2/memory/2260-2018-0x00007FF7C6110000-0x00007FF7C6501000-memory.dmp	xmrig
behavioral2/memory/412-2016-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp	xmrig
behavioral2/memory/1144-2020-0x00007FF666880000-0x00007FF666C71000-memory.dmp	xmrig
behavioral2/memory/4484-2022-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp	xmrig
behavioral2/memory/2668-2024-0x00007FF75BF70000-0x00007FF75C361000-memory.dmp	xmrig
behavioral2/memory/4376-2026-0x00007FF65D2E0000-0x00007FF65D6D1000-memory.dmp	xmrig
behavioral2/memory/1568-2028-0x00007FF654B60000-0x00007FF654F51000-memory.dmp	xmrig
behavioral2/memory/1780-2032-0x00007FF7A7590000-0x00007FF7A7981000-memory.dmp	xmrig
behavioral2/memory/3456-2044-0x00007FF7371A0000-0x00007FF737591000-memory.dmp	xmrig
behavioral2/memory/4928-2040-0x00007FF6F7710000-0x00007FF6F7B01000-memory.dmp	xmrig
behavioral2/memory/3588-2030-0x00007FF65F850000-0x00007FF65FC41000-memory.dmp	xmrig
behavioral2/memory/2288-2046-0x00007FF664880000-0x00007FF664C71000-memory.dmp	xmrig
behavioral2/memory/5012-2042-0x00007FF672E70000-0x00007FF673261000-memory.dmp	xmrig
behavioral2/memory/2364-2038-0x00007FF759CA0000-0x00007FF75A091000-memory.dmp	xmrig
behavioral2/memory/2804-2036-0x00007FF77FBD0000-0x00007FF77FFC1000-memory.dmp	xmrig
behavioral2/memory/4540-2034-0x00007FF7BC820000-0x00007FF7BCC11000-memory.dmp	xmrig
behavioral2/memory/4552-2048-0x00007FF65BA60000-0x00007FF65BE51000-memory.dmp	xmrig
behavioral2/memory/2420-2060-0x00007FF7AEF30000-0x00007FF7AF321000-memory.dmp	xmrig
behavioral2/memory/4408-2052-0x00007FF6EA420000-0x00007FF6EA811000-memory.dmp	xmrig
behavioral2/memory/1688-2050-0x00007FF72A8D0000-0x00007FF72ACC1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

zGEKVYl.exeocZKCXB.exeKEeGwtU.exeNUTWPdy.exeJohLbTH.exePQFJbZh.exeTwDsGrq.exeoeDuZkA.exeXcnHAdw.exepfitKDV.exeYXVHyyY.exeBevlamh.exefQhmtCB.exeEgKCLls.exeZcWchZs.exeCyUXOas.exeLKlVjYk.exesIOEjwA.exehapOTXM.exeebfiPOn.exeZiWzrdj.exezkiuTEU.exeDQCmoPU.exeIjLFRFo.exelQnEUnQ.exeKnAIFHr.exewGkzAfi.exeCbmwXNv.exeYnswsmw.exeFWfSvXm.exexvFvnCz.exeLZaqwdf.exeaEBxlAA.exesEoLonD.exeGuLNQDg.exeeaXnSmv.exeAcVGgKl.exeFqGTyik.exeTdtfruD.exeNjupVFa.exebpylcwt.exePgDNjTG.exenzfxpRw.exeKbhHvVY.exeyuOgras.exeXlbNddB.exesZslUwQ.exebGeBRjT.exeqOidkOy.exeISoAnBU.exeXapKvQP.exekUAJUSD.exesiBfVsu.exeoIKdyKH.exeDKcWOGE.exeaaVUKsU.exeXGoEKbm.exerLesbSB.exeFlMckAH.exeEGSDLTj.exeYHEtAMd.exeYnxniAa.exewiWUSnm.execFWdlTj.exe

pid	process
3468	zGEKVYl.exe
3200	ocZKCXB.exe
1656	KEeGwtU.exe
804	NUTWPdy.exe
412	JohLbTH.exe
4484	PQFJbZh.exe
1144	TwDsGrq.exe
2260	oeDuZkA.exe
2668	XcnHAdw.exe
4376	pfitKDV.exe
1568	YXVHyyY.exe
3588	Bevlamh.exe
1780	fQhmtCB.exe
4928	EgKCLls.exe
2364	ZcWchZs.exe
3456	CyUXOas.exe
5012	LKlVjYk.exe
2804	sIOEjwA.exe
4552	hapOTXM.exe
2288	ebfiPOn.exe
4540	ZiWzrdj.exe
1688	zkiuTEU.exe
4408	DQCmoPU.exe
2420	IjLFRFo.exe
4276	lQnEUnQ.exe
3084	KnAIFHr.exe
3964	wGkzAfi.exe
616	CbmwXNv.exe
400	Ynswsmw.exe
4908	FWfSvXm.exe
3828	xvFvnCz.exe
2508	LZaqwdf.exe
3516	aEBxlAA.exe
4264	sEoLonD.exe
2124	GuLNQDg.exe
964	eaXnSmv.exe
2320	AcVGgKl.exe
3204	FqGTyik.exe
3596	TdtfruD.exe
2392	NjupVFa.exe
3584	bpylcwt.exe
2732	PgDNjTG.exe
1456	nzfxpRw.exe
4116	KbhHvVY.exe
1724	yuOgras.exe
1252	XlbNddB.exe
2180	sZslUwQ.exe
4976	bGeBRjT.exe
2460	qOidkOy.exe
4340	ISoAnBU.exe
4764	XapKvQP.exe
2784	kUAJUSD.exe
4924	siBfVsu.exe
4372	oIKdyKH.exe
1204	DKcWOGE.exe
1652	aaVUKsU.exe
5076	XGoEKbm.exe
4160	rLesbSB.exe
4396	FlMckAH.exe
2772	EGSDLTj.exe
4792	YHEtAMd.exe
3872	YnxniAa.exe
4732	wiWUSnm.exe
3308	cFWdlTj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4472-0-0x00007FF676850000-0x00007FF676C41000-memory.dmp	upx
C:\Windows\System32\zGEKVYl.exe	upx
C:\Windows\System32\ocZKCXB.exe	upx
behavioral2/memory/3468-14-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp	upx
C:\Windows\System32\NUTWPdy.exe	upx
C:\Windows\System32\KEeGwtU.exe	upx
C:\Windows\System32\PQFJbZh.exe	upx
behavioral2/memory/1656-35-0x00007FF7FF920000-0x00007FF7FFD11000-memory.dmp	upx
C:\Windows\System32\TwDsGrq.exe	upx
C:\Windows\System32\oeDuZkA.exe	upx
C:\Windows\System32\XcnHAdw.exe	upx
C:\Windows\System32\YXVHyyY.exe	upx
C:\Windows\System32\EgKCLls.exe	upx
C:\Windows\System32\ZcWchZs.exe	upx
C:\Windows\System32\LKlVjYk.exe	upx
C:\Windows\System32\hapOTXM.exe	upx
C:\Windows\System32\DQCmoPU.exe	upx
C:\Windows\System32\lQnEUnQ.exe	upx
behavioral2/memory/4376-327-0x00007FF65D2E0000-0x00007FF65D6D1000-memory.dmp	upx
behavioral2/memory/2668-326-0x00007FF75BF70000-0x00007FF75C361000-memory.dmp	upx
behavioral2/memory/3588-340-0x00007FF65F850000-0x00007FF65FC41000-memory.dmp	upx
behavioral2/memory/1780-345-0x00007FF7A7590000-0x00007FF7A7981000-memory.dmp	upx
behavioral2/memory/1568-333-0x00007FF654B60000-0x00007FF654F51000-memory.dmp	upx
behavioral2/memory/3456-365-0x00007FF7371A0000-0x00007FF737591000-memory.dmp	upx
behavioral2/memory/5012-370-0x00007FF672E70000-0x00007FF673261000-memory.dmp	upx
behavioral2/memory/2804-376-0x00007FF77FBD0000-0x00007FF77FFC1000-memory.dmp	upx
behavioral2/memory/4552-377-0x00007FF65BA60000-0x00007FF65BE51000-memory.dmp	upx
behavioral2/memory/2288-378-0x00007FF664880000-0x00007FF664C71000-memory.dmp	upx
behavioral2/memory/4540-379-0x00007FF7BC820000-0x00007FF7BCC11000-memory.dmp	upx
behavioral2/memory/1688-380-0x00007FF72A8D0000-0x00007FF72ACC1000-memory.dmp	upx
behavioral2/memory/2364-359-0x00007FF759CA0000-0x00007FF75A091000-memory.dmp	upx
behavioral2/memory/2420-382-0x00007FF7AEF30000-0x00007FF7AF321000-memory.dmp	upx
behavioral2/memory/1144-383-0x00007FF666880000-0x00007FF666C71000-memory.dmp	upx
behavioral2/memory/4408-381-0x00007FF6EA420000-0x00007FF6EA811000-memory.dmp	upx
behavioral2/memory/4928-355-0x00007FF6F7710000-0x00007FF6F7B01000-memory.dmp	upx
behavioral2/memory/2260-323-0x00007FF7C6110000-0x00007FF7C6501000-memory.dmp	upx
C:\Windows\System32\LZaqwdf.exe	upx
C:\Windows\System32\xvFvnCz.exe	upx
C:\Windows\System32\FWfSvXm.exe	upx
C:\Windows\System32\Ynswsmw.exe	upx
C:\Windows\System32\CbmwXNv.exe	upx
C:\Windows\System32\wGkzAfi.exe	upx
C:\Windows\System32\KnAIFHr.exe	upx
C:\Windows\System32\IjLFRFo.exe	upx
C:\Windows\System32\zkiuTEU.exe	upx
C:\Windows\System32\ZiWzrdj.exe	upx
C:\Windows\System32\ebfiPOn.exe	upx
C:\Windows\System32\sIOEjwA.exe	upx
C:\Windows\System32\CyUXOas.exe	upx
C:\Windows\System32\fQhmtCB.exe	upx
C:\Windows\System32\Bevlamh.exe	upx
C:\Windows\System32\pfitKDV.exe	upx
behavioral2/memory/4484-36-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp	upx
behavioral2/memory/412-34-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp	upx
C:\Windows\System32\JohLbTH.exe	upx
behavioral2/memory/804-27-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp	upx
behavioral2/memory/3200-22-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp	upx
behavioral2/memory/4472-1923-0x00007FF676850000-0x00007FF676C41000-memory.dmp	upx
behavioral2/memory/3468-1958-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp	upx
behavioral2/memory/412-1967-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp	upx
behavioral2/memory/804-1992-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp	upx
behavioral2/memory/4484-1993-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp	upx
behavioral2/memory/3200-2008-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp	upx
behavioral2/memory/3468-2010-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System32\pXHZXgA.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\WtXUPSy.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ZLOCzRA.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\WByyvqg.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\JchfSKL.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\XapKvQP.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\YnxniAa.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\BorQOQE.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\xBkFjnD.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\PhMPoJd.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\GzqSugT.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\qdWEZYm.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\PZUAUnq.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\qPJcvbs.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ISoAnBU.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\aaVUKsU.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\olSRefN.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\QPBuInw.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\UdGfeSN.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\txyqiEy.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\fpLkwDD.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ANmBCOe.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\DzpRVOy.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\FsNTTsl.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\yjmdblk.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\NgdrdIE.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\EsEJWih.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\zEJnxTB.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\nLTfKMh.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\sSQkdYY.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\qXqDxfM.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\GvmYRCR.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ceqFigR.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ZULYMiu.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\aABijei.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\bYmfZFP.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\VpRwKRK.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ZfiaUkI.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\YPoKTJN.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\xAsaYXJ.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\LscpsJU.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\fQhmtCB.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\NfLYDvz.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\eDRSVAr.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\nNXLHUO.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\adSKxTx.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\lQnEUnQ.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\EGSDLTj.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\CMwBCTb.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\jdXHrma.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\KEeGwtU.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\TrzFJZY.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\ZVoObYr.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\UGwSJnQ.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\evASGdV.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\eXGLcvj.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\vjsJapj.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\HXDWTQO.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\AhsdGng.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\IrkiZYE.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\LKlVjYk.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\jeXHwkN.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\lpjGHFf.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
File created	C:\Windows\System32\mbJUBot.exe	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	2008	dwm.exe
Token: SeChangeNotifyPrivilege	2008	dwm.exe
Token: 33	2008	dwm.exe
Token: SeIncBasePriorityPrivilege	2008	dwm.exe
Token: SeShutdownPrivilege	2008	dwm.exe
Token: SeCreatePagefilePrivilege	2008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe

description	pid	process	target process
PID 4472 wrote to memory of 3468	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	zGEKVYl.exe
PID 4472 wrote to memory of 3468	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	zGEKVYl.exe
PID 4472 wrote to memory of 3200	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ocZKCXB.exe
PID 4472 wrote to memory of 3200	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ocZKCXB.exe
PID 4472 wrote to memory of 1656	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	KEeGwtU.exe
PID 4472 wrote to memory of 1656	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	KEeGwtU.exe
PID 4472 wrote to memory of 804	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	NUTWPdy.exe
PID 4472 wrote to memory of 804	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	NUTWPdy.exe
PID 4472 wrote to memory of 412	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	JohLbTH.exe
PID 4472 wrote to memory of 412	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	JohLbTH.exe
PID 4472 wrote to memory of 4484	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	PQFJbZh.exe
PID 4472 wrote to memory of 4484	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	PQFJbZh.exe
PID 4472 wrote to memory of 1144	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	TwDsGrq.exe
PID 4472 wrote to memory of 1144	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	TwDsGrq.exe
PID 4472 wrote to memory of 2260	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	oeDuZkA.exe
PID 4472 wrote to memory of 2260	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	oeDuZkA.exe
PID 4472 wrote to memory of 2668	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	XcnHAdw.exe
PID 4472 wrote to memory of 2668	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	XcnHAdw.exe
PID 4472 wrote to memory of 4376	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	pfitKDV.exe
PID 4472 wrote to memory of 4376	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	pfitKDV.exe
PID 4472 wrote to memory of 1568	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	YXVHyyY.exe
PID 4472 wrote to memory of 1568	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	YXVHyyY.exe
PID 4472 wrote to memory of 3588	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	Bevlamh.exe
PID 4472 wrote to memory of 3588	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	Bevlamh.exe
PID 4472 wrote to memory of 1780	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	fQhmtCB.exe
PID 4472 wrote to memory of 1780	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	fQhmtCB.exe
PID 4472 wrote to memory of 4928	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	EgKCLls.exe
PID 4472 wrote to memory of 4928	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	EgKCLls.exe
PID 4472 wrote to memory of 2364	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ZcWchZs.exe
PID 4472 wrote to memory of 2364	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ZcWchZs.exe
PID 4472 wrote to memory of 3456	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	CyUXOas.exe
PID 4472 wrote to memory of 3456	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	CyUXOas.exe
PID 4472 wrote to memory of 5012	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	LKlVjYk.exe
PID 4472 wrote to memory of 5012	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	LKlVjYk.exe
PID 4472 wrote to memory of 2804	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	sIOEjwA.exe
PID 4472 wrote to memory of 2804	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	sIOEjwA.exe
PID 4472 wrote to memory of 4552	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	hapOTXM.exe
PID 4472 wrote to memory of 4552	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	hapOTXM.exe
PID 4472 wrote to memory of 2288	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ebfiPOn.exe
PID 4472 wrote to memory of 2288	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ebfiPOn.exe
PID 4472 wrote to memory of 4540	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ZiWzrdj.exe
PID 4472 wrote to memory of 4540	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	ZiWzrdj.exe
PID 4472 wrote to memory of 1688	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	zkiuTEU.exe
PID 4472 wrote to memory of 1688	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	zkiuTEU.exe
PID 4472 wrote to memory of 4408	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	DQCmoPU.exe
PID 4472 wrote to memory of 4408	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	DQCmoPU.exe
PID 4472 wrote to memory of 2420	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	IjLFRFo.exe
PID 4472 wrote to memory of 2420	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	IjLFRFo.exe
PID 4472 wrote to memory of 4276	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	lQnEUnQ.exe
PID 4472 wrote to memory of 4276	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	lQnEUnQ.exe
PID 4472 wrote to memory of 3084	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	KnAIFHr.exe
PID 4472 wrote to memory of 3084	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	KnAIFHr.exe
PID 4472 wrote to memory of 3964	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	wGkzAfi.exe
PID 4472 wrote to memory of 3964	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	wGkzAfi.exe
PID 4472 wrote to memory of 616	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	CbmwXNv.exe
PID 4472 wrote to memory of 616	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	CbmwXNv.exe
PID 4472 wrote to memory of 400	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	Ynswsmw.exe
PID 4472 wrote to memory of 400	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	Ynswsmw.exe
PID 4472 wrote to memory of 4908	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	FWfSvXm.exe
PID 4472 wrote to memory of 4908	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	FWfSvXm.exe
PID 4472 wrote to memory of 3828	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	xvFvnCz.exe
PID 4472 wrote to memory of 3828	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	xvFvnCz.exe
PID 4472 wrote to memory of 2508	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	LZaqwdf.exe
PID 4472 wrote to memory of 2508	4472	797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe	LZaqwdf.exe

C:\Users\Admin\AppData\Local\Temp\797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\797c708d6eebb2fbd3b16a9c737dfb70_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\System32\zGEKVYl.exe
C:\Windows\System32\zGEKVYl.exe
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\System32\ocZKCXB.exe
C:\Windows\System32\ocZKCXB.exe
2⤵
- Executes dropped EXE
PID:3200

C:\Windows\System32\KEeGwtU.exe
C:\Windows\System32\KEeGwtU.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\NUTWPdy.exe
C:\Windows\System32\NUTWPdy.exe
2⤵
- Executes dropped EXE
PID:804

C:\Windows\System32\JohLbTH.exe
C:\Windows\System32\JohLbTH.exe
2⤵
- Executes dropped EXE
PID:412

C:\Windows\System32\PQFJbZh.exe
C:\Windows\System32\PQFJbZh.exe
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\TwDsGrq.exe
C:\Windows\System32\TwDsGrq.exe
2⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\oeDuZkA.exe
C:\Windows\System32\oeDuZkA.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\XcnHAdw.exe
C:\Windows\System32\XcnHAdw.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System32\pfitKDV.exe
C:\Windows\System32\pfitKDV.exe
2⤵
- Executes dropped EXE
PID:4376

C:\Windows\System32\YXVHyyY.exe
C:\Windows\System32\YXVHyyY.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System32\Bevlamh.exe
C:\Windows\System32\Bevlamh.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\fQhmtCB.exe
C:\Windows\System32\fQhmtCB.exe
2⤵
- Executes dropped EXE
PID:1780

C:\Windows\System32\EgKCLls.exe
C:\Windows\System32\EgKCLls.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System32\ZcWchZs.exe
C:\Windows\System32\ZcWchZs.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\CyUXOas.exe
C:\Windows\System32\CyUXOas.exe
2⤵
- Executes dropped EXE
PID:3456

C:\Windows\System32\LKlVjYk.exe
C:\Windows\System32\LKlVjYk.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System32\sIOEjwA.exe
C:\Windows\System32\sIOEjwA.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System32\hapOTXM.exe
C:\Windows\System32\hapOTXM.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\ebfiPOn.exe
C:\Windows\System32\ebfiPOn.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System32\ZiWzrdj.exe
C:\Windows\System32\ZiWzrdj.exe
2⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\zkiuTEU.exe
C:\Windows\System32\zkiuTEU.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\DQCmoPU.exe
C:\Windows\System32\DQCmoPU.exe
2⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\IjLFRFo.exe
C:\Windows\System32\IjLFRFo.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System32\lQnEUnQ.exe
C:\Windows\System32\lQnEUnQ.exe
2⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\KnAIFHr.exe
C:\Windows\System32\KnAIFHr.exe
2⤵
- Executes dropped EXE
PID:3084

C:\Windows\System32\wGkzAfi.exe
C:\Windows\System32\wGkzAfi.exe
2⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\CbmwXNv.exe
C:\Windows\System32\CbmwXNv.exe
2⤵
- Executes dropped EXE
PID:616

C:\Windows\System32\Ynswsmw.exe
C:\Windows\System32\Ynswsmw.exe
2⤵
- Executes dropped EXE
PID:400

C:\Windows\System32\FWfSvXm.exe
C:\Windows\System32\FWfSvXm.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System32\xvFvnCz.exe
C:\Windows\System32\xvFvnCz.exe
2⤵
- Executes dropped EXE
PID:3828

C:\Windows\System32\LZaqwdf.exe
C:\Windows\System32\LZaqwdf.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System32\aEBxlAA.exe
C:\Windows\System32\aEBxlAA.exe
2⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\sEoLonD.exe
C:\Windows\System32\sEoLonD.exe
2⤵
- Executes dropped EXE
PID:4264

C:\Windows\System32\GuLNQDg.exe
C:\Windows\System32\GuLNQDg.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\System32\eaXnSmv.exe
C:\Windows\System32\eaXnSmv.exe
2⤵
- Executes dropped EXE
PID:964

C:\Windows\System32\AcVGgKl.exe
C:\Windows\System32\AcVGgKl.exe
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\FqGTyik.exe
C:\Windows\System32\FqGTyik.exe
2⤵
- Executes dropped EXE
PID:3204

C:\Windows\System32\TdtfruD.exe
C:\Windows\System32\TdtfruD.exe
2⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\NjupVFa.exe
C:\Windows\System32\NjupVFa.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System32\bpylcwt.exe
C:\Windows\System32\bpylcwt.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System32\PgDNjTG.exe
C:\Windows\System32\PgDNjTG.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System32\nzfxpRw.exe
C:\Windows\System32\nzfxpRw.exe
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\System32\KbhHvVY.exe
C:\Windows\System32\KbhHvVY.exe
2⤵
- Executes dropped EXE
PID:4116

C:\Windows\System32\yuOgras.exe
C:\Windows\System32\yuOgras.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\XlbNddB.exe
C:\Windows\System32\XlbNddB.exe
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\System32\sZslUwQ.exe
C:\Windows\System32\sZslUwQ.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System32\bGeBRjT.exe
C:\Windows\System32\bGeBRjT.exe
2⤵
- Executes dropped EXE
PID:4976

C:\Windows\System32\qOidkOy.exe
C:\Windows\System32\qOidkOy.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System32\ISoAnBU.exe
C:\Windows\System32\ISoAnBU.exe
2⤵
- Executes dropped EXE
PID:4340

C:\Windows\System32\XapKvQP.exe
C:\Windows\System32\XapKvQP.exe
2⤵
- Executes dropped EXE
PID:4764

C:\Windows\System32\kUAJUSD.exe
C:\Windows\System32\kUAJUSD.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System32\siBfVsu.exe
C:\Windows\System32\siBfVsu.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\oIKdyKH.exe
C:\Windows\System32\oIKdyKH.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System32\DKcWOGE.exe
C:\Windows\System32\DKcWOGE.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\aaVUKsU.exe
C:\Windows\System32\aaVUKsU.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System32\XGoEKbm.exe
C:\Windows\System32\XGoEKbm.exe
2⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\rLesbSB.exe
C:\Windows\System32\rLesbSB.exe
2⤵
- Executes dropped EXE
PID:4160

C:\Windows\System32\FlMckAH.exe
C:\Windows\System32\FlMckAH.exe
2⤵
- Executes dropped EXE
PID:4396

C:\Windows\System32\EGSDLTj.exe
C:\Windows\System32\EGSDLTj.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System32\YHEtAMd.exe
C:\Windows\System32\YHEtAMd.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\System32\YnxniAa.exe
C:\Windows\System32\YnxniAa.exe
2⤵
- Executes dropped EXE
PID:3872

C:\Windows\System32\wiWUSnm.exe
C:\Windows\System32\wiWUSnm.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\cFWdlTj.exe
C:\Windows\System32\cFWdlTj.exe
2⤵
- Executes dropped EXE
PID:3308

C:\Windows\System32\WuHjAxq.exe
C:\Windows\System32\WuHjAxq.exe
2⤵
PID:2756

C:\Windows\System32\ZUCPiMv.exe
C:\Windows\System32\ZUCPiMv.exe
2⤵
PID:2528

C:\Windows\System32\NIiVSWF.exe
C:\Windows\System32\NIiVSWF.exe
2⤵
PID:3384

C:\Windows\System32\jpbPwfC.exe
C:\Windows\System32\jpbPwfC.exe
2⤵
PID:1920

C:\Windows\System32\ZULYMiu.exe
C:\Windows\System32\ZULYMiu.exe
2⤵
PID:4900

C:\Windows\System32\TjiQDvn.exe
C:\Windows\System32\TjiQDvn.exe
2⤵
PID:3220

C:\Windows\System32\nyqBikd.exe
C:\Windows\System32\nyqBikd.exe
2⤵
PID:4820

C:\Windows\System32\wzCyXtL.exe
C:\Windows\System32\wzCyXtL.exe
2⤵
PID:1756

C:\Windows\System32\FqKPHYF.exe
C:\Windows\System32\FqKPHYF.exe
2⤵
PID:548

C:\Windows\System32\tznHDZp.exe
C:\Windows\System32\tznHDZp.exe
2⤵
PID:1584

C:\Windows\System32\DWjBETT.exe
C:\Windows\System32\DWjBETT.exe
2⤵
PID:4608

C:\Windows\System32\xOniGkw.exe
C:\Windows\System32\xOniGkw.exe
2⤵
PID:4668

C:\Windows\System32\wVRBRIx.exe
C:\Windows\System32\wVRBRIx.exe
2⤵
PID:4140

C:\Windows\System32\abeXeLV.exe
C:\Windows\System32\abeXeLV.exe
2⤵
PID:3140

C:\Windows\System32\OFjyXmY.exe
C:\Windows\System32\OFjyXmY.exe
2⤵
PID:5060

C:\Windows\System32\PAUEOng.exe
C:\Windows\System32\PAUEOng.exe
2⤵
PID:2456

C:\Windows\System32\zEJnxTB.exe
C:\Windows\System32\zEJnxTB.exe
2⤵
PID:3240

C:\Windows\System32\YpjmCqU.exe
C:\Windows\System32\YpjmCqU.exe
2⤵
PID:2996

C:\Windows\System32\qdWEZYm.exe
C:\Windows\System32\qdWEZYm.exe
2⤵
PID:2880

C:\Windows\System32\QvHRWMQ.exe
C:\Windows\System32\QvHRWMQ.exe
2⤵
PID:4324

C:\Windows\System32\riHcFtn.exe
C:\Windows\System32\riHcFtn.exe
2⤵
PID:4916

C:\Windows\System32\chppiLa.exe
C:\Windows\System32\chppiLa.exe
2⤵
PID:4816

C:\Windows\System32\pAQhsrg.exe
C:\Windows\System32\pAQhsrg.exe
2⤵
PID:4864

C:\Windows\System32\byCTRDp.exe
C:\Windows\System32\byCTRDp.exe
2⤵
PID:2020

C:\Windows\System32\gnlqbvG.exe
C:\Windows\System32\gnlqbvG.exe
2⤵
PID:3144

C:\Windows\System32\ezejhAn.exe
C:\Windows\System32\ezejhAn.exe
2⤵
PID:1388

C:\Windows\System32\zIkWheN.exe
C:\Windows\System32\zIkWheN.exe
2⤵
PID:4312

C:\Windows\System32\QdMyjhH.exe
C:\Windows\System32\QdMyjhH.exe
2⤵
PID:1264

C:\Windows\System32\RCwsWFW.exe
C:\Windows\System32\RCwsWFW.exe
2⤵
PID:5124

C:\Windows\System32\ZjujmkI.exe
C:\Windows\System32\ZjujmkI.exe
2⤵
PID:5156

C:\Windows\System32\jNoRAtE.exe
C:\Windows\System32\jNoRAtE.exe
2⤵
PID:5176

C:\Windows\System32\uoJeikU.exe
C:\Windows\System32\uoJeikU.exe
2⤵
PID:5192

C:\Windows\System32\uJldBSP.exe
C:\Windows\System32\uJldBSP.exe
2⤵
PID:5208

C:\Windows\System32\hwvTSqc.exe
C:\Windows\System32\hwvTSqc.exe
2⤵
PID:5232

C:\Windows\System32\vbokYuY.exe
C:\Windows\System32\vbokYuY.exe
2⤵
PID:5248

C:\Windows\System32\pLfysJc.exe
C:\Windows\System32\pLfysJc.exe
2⤵
PID:5292

C:\Windows\System32\TrzFJZY.exe
C:\Windows\System32\TrzFJZY.exe
2⤵
PID:5364

C:\Windows\System32\mZfQnwo.exe
C:\Windows\System32\mZfQnwo.exe
2⤵
PID:5448

C:\Windows\System32\GdGFPil.exe
C:\Windows\System32\GdGFPil.exe
2⤵
PID:5476

C:\Windows\System32\uSmdFTD.exe
C:\Windows\System32\uSmdFTD.exe
2⤵
PID:5500

C:\Windows\System32\fYwiKhB.exe
C:\Windows\System32\fYwiKhB.exe
2⤵
PID:5540

C:\Windows\System32\TgHxoZb.exe
C:\Windows\System32\TgHxoZb.exe
2⤵
PID:5560

C:\Windows\System32\kdNMXNk.exe
C:\Windows\System32\kdNMXNk.exe
2⤵
PID:5584

C:\Windows\System32\cUccipr.exe
C:\Windows\System32\cUccipr.exe
2⤵
PID:5616

C:\Windows\System32\hVnGper.exe
C:\Windows\System32\hVnGper.exe
2⤵
PID:5652

C:\Windows\System32\HbmZCSB.exe
C:\Windows\System32\HbmZCSB.exe
2⤵
PID:5684

C:\Windows\System32\pCWpjii.exe
C:\Windows\System32\pCWpjii.exe
2⤵
PID:5708

C:\Windows\System32\DUGkVwn.exe
C:\Windows\System32\DUGkVwn.exe
2⤵
PID:5724

C:\Windows\System32\ybLlwmc.exe
C:\Windows\System32\ybLlwmc.exe
2⤵
PID:5768

C:\Windows\System32\lLDtPtP.exe
C:\Windows\System32\lLDtPtP.exe
2⤵
PID:5792

C:\Windows\System32\lbkUbjz.exe
C:\Windows\System32\lbkUbjz.exe
2⤵
PID:5828

C:\Windows\System32\KQYHIRK.exe
C:\Windows\System32\KQYHIRK.exe
2⤵
PID:5856

C:\Windows\System32\KhNavAz.exe
C:\Windows\System32\KhNavAz.exe
2⤵
PID:5892

C:\Windows\System32\aABijei.exe
C:\Windows\System32\aABijei.exe
2⤵
PID:5916

C:\Windows\System32\vjsJapj.exe
C:\Windows\System32\vjsJapj.exe
2⤵
PID:5956

C:\Windows\System32\fqxFMAw.exe
C:\Windows\System32\fqxFMAw.exe
2⤵
PID:5972

C:\Windows\System32\tTYqtfQ.exe
C:\Windows\System32\tTYqtfQ.exe
2⤵
PID:6000

C:\Windows\System32\bNsZLDK.exe
C:\Windows\System32\bNsZLDK.exe
2⤵
PID:6016

C:\Windows\System32\zRfxVfO.exe
C:\Windows\System32\zRfxVfO.exe
2⤵
PID:6036

C:\Windows\System32\lpjGHFf.exe
C:\Windows\System32\lpjGHFf.exe
2⤵
PID:6060

C:\Windows\System32\KTtcwtq.exe
C:\Windows\System32\KTtcwtq.exe
2⤵
PID:6076

C:\Windows\System32\SmOxorT.exe
C:\Windows\System32\SmOxorT.exe
2⤵
PID:6096

C:\Windows\System32\SoyBsHE.exe
C:\Windows\System32\SoyBsHE.exe
2⤵
PID:2292

C:\Windows\System32\jftPuxs.exe
C:\Windows\System32\jftPuxs.exe
2⤵
PID:512

C:\Windows\System32\ljbSVIq.exe
C:\Windows\System32\ljbSVIq.exe
2⤵
PID:3556

C:\Windows\System32\MNXHfcS.exe
C:\Windows\System32\MNXHfcS.exe
2⤵
PID:3344

C:\Windows\System32\fWVTgTs.exe
C:\Windows\System32\fWVTgTs.exe
2⤵
PID:3024

C:\Windows\System32\iWYhzcJ.exe
C:\Windows\System32\iWYhzcJ.exe
2⤵
PID:5200

C:\Windows\System32\ylwAJRS.exe
C:\Windows\System32\ylwAJRS.exe
2⤵
PID:2072

C:\Windows\System32\sCRLJqI.exe
C:\Windows\System32\sCRLJqI.exe
2⤵
PID:5240

C:\Windows\System32\rLyrNoL.exe
C:\Windows\System32\rLyrNoL.exe
2⤵
PID:5384

C:\Windows\System32\qLEFVIr.exe
C:\Windows\System32\qLEFVIr.exe
2⤵
PID:4400

C:\Windows\System32\WLPcwkd.exe
C:\Windows\System32\WLPcwkd.exe
2⤵
PID:5432

C:\Windows\System32\gOjvIjk.exe
C:\Windows\System32\gOjvIjk.exe
2⤵
PID:5468

C:\Windows\System32\frhCavs.exe
C:\Windows\System32\frhCavs.exe
2⤵
PID:5524

C:\Windows\System32\ilAscrH.exe
C:\Windows\System32\ilAscrH.exe
2⤵
PID:5548

C:\Windows\System32\gNQiuxi.exe
C:\Windows\System32\gNQiuxi.exe
2⤵
PID:1424

C:\Windows\System32\IbwsaPd.exe
C:\Windows\System32\IbwsaPd.exe
2⤵
PID:5756

C:\Windows\System32\uuiZLFk.exe
C:\Windows\System32\uuiZLFk.exe
2⤵
PID:5776

C:\Windows\System32\CYfcich.exe
C:\Windows\System32\CYfcich.exe
2⤵
PID:5848

C:\Windows\System32\olSRefN.exe
C:\Windows\System32\olSRefN.exe
2⤵
PID:5912

C:\Windows\System32\jLYakUu.exe
C:\Windows\System32\jLYakUu.exe
2⤵
PID:5964

C:\Windows\System32\pXHZXgA.exe
C:\Windows\System32\pXHZXgA.exe
2⤵
PID:6008

C:\Windows\System32\CerFeAJ.exe
C:\Windows\System32\CerFeAJ.exe
2⤵
PID:6136

C:\Windows\System32\wAzkzhB.exe
C:\Windows\System32\wAzkzhB.exe
2⤵
PID:3452

C:\Windows\System32\WJUkoUL.exe
C:\Windows\System32\WJUkoUL.exe
2⤵
PID:2972

C:\Windows\System32\znawPFT.exe
C:\Windows\System32\znawPFT.exe
2⤵
PID:5008

C:\Windows\System32\ZXkitRM.exe
C:\Windows\System32\ZXkitRM.exe
2⤵
PID:2476

C:\Windows\System32\AfjIEqv.exe
C:\Windows\System32\AfjIEqv.exe
2⤵
PID:1924

C:\Windows\System32\xDLuhxV.exe
C:\Windows\System32\xDLuhxV.exe
2⤵
PID:5512

C:\Windows\System32\sbPdexx.exe
C:\Windows\System32\sbPdexx.exe
2⤵
PID:3252

C:\Windows\System32\XSntKHG.exe
C:\Windows\System32\XSntKHG.exe
2⤵
PID:2024

C:\Windows\System32\MSXCZYC.exe
C:\Windows\System32\MSXCZYC.exe
2⤵
PID:5908

C:\Windows\System32\VQChjqh.exe
C:\Windows\System32\VQChjqh.exe
2⤵
PID:436

C:\Windows\System32\UzogjVD.exe
C:\Windows\System32\UzogjVD.exe
2⤵
PID:6104

C:\Windows\System32\MFPGfNK.exe
C:\Windows\System32\MFPGfNK.exe
2⤵
PID:3952

C:\Windows\System32\JpluYuR.exe
C:\Windows\System32\JpluYuR.exe
2⤵
PID:5188

C:\Windows\System32\NehihTe.exe
C:\Windows\System32\NehihTe.exe
2⤵
PID:5388

C:\Windows\System32\pKcyMlB.exe
C:\Windows\System32\pKcyMlB.exe
2⤵
PID:5216

C:\Windows\System32\UEtWNCx.exe
C:\Windows\System32\UEtWNCx.exe
2⤵
PID:5344

C:\Windows\System32\wfzSKIg.exe
C:\Windows\System32\wfzSKIg.exe
2⤵
PID:6024

C:\Windows\System32\nAWNaoT.exe
C:\Windows\System32\nAWNaoT.exe
2⤵
PID:5336

C:\Windows\System32\oEpfQln.exe
C:\Windows\System32\oEpfQln.exe
2⤵
PID:5820

C:\Windows\System32\aCybxUm.exe
C:\Windows\System32\aCybxUm.exe
2⤵
PID:6072

C:\Windows\System32\nLTfKMh.exe
C:\Windows\System32\nLTfKMh.exe
2⤵
PID:6152

C:\Windows\System32\EFTbafG.exe
C:\Windows\System32\EFTbafG.exe
2⤵
PID:6192

C:\Windows\System32\sUTvZhZ.exe
C:\Windows\System32\sUTvZhZ.exe
2⤵
PID:6220

C:\Windows\System32\LqQCPLU.exe
C:\Windows\System32\LqQCPLU.exe
2⤵
PID:6244

C:\Windows\System32\KVoKghn.exe
C:\Windows\System32\KVoKghn.exe
2⤵
PID:6268

C:\Windows\System32\bUqfiVZ.exe
C:\Windows\System32\bUqfiVZ.exe
2⤵
PID:6312

C:\Windows\System32\KjlCvyz.exe
C:\Windows\System32\KjlCvyz.exe
2⤵
PID:6332

C:\Windows\System32\lXppllM.exe
C:\Windows\System32\lXppllM.exe
2⤵
PID:6348

C:\Windows\System32\LcFSNzy.exe
C:\Windows\System32\LcFSNzy.exe
2⤵
PID:6396

C:\Windows\System32\xmFNUxX.exe
C:\Windows\System32\xmFNUxX.exe
2⤵
PID:6416

C:\Windows\System32\NdWgLxM.exe
C:\Windows\System32\NdWgLxM.exe
2⤵
PID:6440

C:\Windows\System32\wHNZdhN.exe
C:\Windows\System32\wHNZdhN.exe
2⤵
PID:6472

C:\Windows\System32\txESJLd.exe
C:\Windows\System32\txESJLd.exe
2⤵
PID:6496

C:\Windows\System32\IktTSUt.exe
C:\Windows\System32\IktTSUt.exe
2⤵
PID:6516

C:\Windows\System32\oEZwQyS.exe
C:\Windows\System32\oEZwQyS.exe
2⤵
PID:6552

C:\Windows\System32\WHVsqjV.exe
C:\Windows\System32\WHVsqjV.exe
2⤵
PID:6584

C:\Windows\System32\eVeptoQ.exe
C:\Windows\System32\eVeptoQ.exe
2⤵
PID:6612

C:\Windows\System32\BZYRzDY.exe
C:\Windows\System32\BZYRzDY.exe
2⤵
PID:6636

C:\Windows\System32\HrCdeeq.exe
C:\Windows\System32\HrCdeeq.exe
2⤵
PID:6652

C:\Windows\System32\KIlVwSl.exe
C:\Windows\System32\KIlVwSl.exe
2⤵
PID:6688

C:\Windows\System32\XQxVpms.exe
C:\Windows\System32\XQxVpms.exe
2⤵
PID:6716

C:\Windows\System32\UhFAsUU.exe
C:\Windows\System32\UhFAsUU.exe
2⤵
PID:6736

C:\Windows\System32\HtOTtst.exe
C:\Windows\System32\HtOTtst.exe
2⤵
PID:6780

C:\Windows\System32\LuqoLeT.exe
C:\Windows\System32\LuqoLeT.exe
2⤵
PID:6796

C:\Windows\System32\NGsJksu.exe
C:\Windows\System32\NGsJksu.exe
2⤵
PID:6828

C:\Windows\System32\hXvFnUX.exe
C:\Windows\System32\hXvFnUX.exe
2⤵
PID:6848

C:\Windows\System32\rKvwuvb.exe
C:\Windows\System32\rKvwuvb.exe
2⤵
PID:6880

C:\Windows\System32\FWPTIdv.exe
C:\Windows\System32\FWPTIdv.exe
2⤵
PID:6896

C:\Windows\System32\qwUuDfP.exe
C:\Windows\System32\qwUuDfP.exe
2⤵
PID:6920

C:\Windows\System32\VJgPRzp.exe
C:\Windows\System32\VJgPRzp.exe
2⤵
PID:6948

C:\Windows\System32\EoPCBtl.exe
C:\Windows\System32\EoPCBtl.exe
2⤵
PID:6996

C:\Windows\System32\SjFrzsx.exe
C:\Windows\System32\SjFrzsx.exe
2⤵
PID:7024

C:\Windows\System32\sYQaDmx.exe
C:\Windows\System32\sYQaDmx.exe
2⤵
PID:7040

C:\Windows\System32\sKjnJBX.exe
C:\Windows\System32\sKjnJBX.exe
2⤵
PID:7064

C:\Windows\System32\uxmqUem.exe
C:\Windows\System32\uxmqUem.exe
2⤵
PID:7080

C:\Windows\System32\DVriIko.exe
C:\Windows\System32\DVriIko.exe
2⤵
PID:7096

C:\Windows\System32\OdGWqxF.exe
C:\Windows\System32\OdGWqxF.exe
2⤵
PID:7116

C:\Windows\System32\nOuBtEM.exe
C:\Windows\System32\nOuBtEM.exe
2⤵
PID:7144

C:\Windows\System32\bOixtKr.exe
C:\Windows\System32\bOixtKr.exe
2⤵
PID:6236

C:\Windows\System32\IaaePQn.exe
C:\Windows\System32\IaaePQn.exe
2⤵
PID:6300

C:\Windows\System32\kaRMFJw.exe
C:\Windows\System32\kaRMFJw.exe
2⤵
PID:6364

C:\Windows\System32\nzzdjyc.exe
C:\Windows\System32\nzzdjyc.exe
2⤵
PID:6408

C:\Windows\System32\aWCEldE.exe
C:\Windows\System32\aWCEldE.exe
2⤵
PID:6508

C:\Windows\System32\caJVVVx.exe
C:\Windows\System32\caJVVVx.exe
2⤵
PID:6568

C:\Windows\System32\eDRSVAr.exe
C:\Windows\System32\eDRSVAr.exe
2⤵
PID:6600

C:\Windows\System32\UocUYek.exe
C:\Windows\System32\UocUYek.exe
2⤵
PID:6704

C:\Windows\System32\qiqwQtF.exe
C:\Windows\System32\qiqwQtF.exe
2⤵
PID:6764

C:\Windows\System32\lZlBtef.exe
C:\Windows\System32\lZlBtef.exe
2⤵
PID:6812

C:\Windows\System32\MBrDXSz.exe
C:\Windows\System32\MBrDXSz.exe
2⤵
PID:6868

C:\Windows\System32\WinrRFX.exe
C:\Windows\System32\WinrRFX.exe
2⤵
PID:6932

C:\Windows\System32\zksSMYC.exe
C:\Windows\System32\zksSMYC.exe
2⤵
PID:6976

C:\Windows\System32\CXYBLKo.exe
C:\Windows\System32\CXYBLKo.exe
2⤵
PID:7036

C:\Windows\System32\mBdeUPq.exe
C:\Windows\System32\mBdeUPq.exe
2⤵
PID:7112

C:\Windows\System32\xtDcbih.exe
C:\Windows\System32\xtDcbih.exe
2⤵
PID:5632

C:\Windows\System32\ScxcRLa.exe
C:\Windows\System32\ScxcRLa.exe
2⤵
PID:6252

C:\Windows\System32\YzkYsTB.exe
C:\Windows\System32\YzkYsTB.exe
2⤵
PID:6412

C:\Windows\System32\NcLLYDC.exe
C:\Windows\System32\NcLLYDC.exe
2⤵
PID:6608

C:\Windows\System32\PBfMPRd.exe
C:\Windows\System32\PBfMPRd.exe
2⤵
PID:6760

C:\Windows\System32\WegWInO.exe
C:\Windows\System32\WegWInO.exe
2⤵
PID:6872

C:\Windows\System32\DssSPlN.exe
C:\Windows\System32\DssSPlN.exe
2⤵
PID:7108

C:\Windows\System32\jQXZIKW.exe
C:\Windows\System32\jQXZIKW.exe
2⤵
PID:6320

C:\Windows\System32\HOWzDSh.exe
C:\Windows\System32\HOWzDSh.exe
2⤵
PID:6384

C:\Windows\System32\HPdCUVU.exe
C:\Windows\System32\HPdCUVU.exe
2⤵
PID:7048

C:\Windows\System32\DzpRVOy.exe
C:\Windows\System32\DzpRVOy.exe
2⤵
PID:6700

C:\Windows\System32\nerlApY.exe
C:\Windows\System32\nerlApY.exe
2⤵
PID:7180

C:\Windows\System32\cgKMrIy.exe
C:\Windows\System32\cgKMrIy.exe
2⤵
PID:7200

C:\Windows\System32\eukbEkP.exe
C:\Windows\System32\eukbEkP.exe
2⤵
PID:7228

C:\Windows\System32\KutVrbd.exe
C:\Windows\System32\KutVrbd.exe
2⤵
PID:7284

C:\Windows\System32\JeQembo.exe
C:\Windows\System32\JeQembo.exe
2⤵
PID:7300

C:\Windows\System32\bFAYIBX.exe
C:\Windows\System32\bFAYIBX.exe
2⤵
PID:7320

C:\Windows\System32\qPJcvbs.exe
C:\Windows\System32\qPJcvbs.exe
2⤵
PID:7360

C:\Windows\System32\KffYuNj.exe
C:\Windows\System32\KffYuNj.exe
2⤵
PID:7380

C:\Windows\System32\zhEAhBP.exe
C:\Windows\System32\zhEAhBP.exe
2⤵
PID:7400

C:\Windows\System32\GHiDxJk.exe
C:\Windows\System32\GHiDxJk.exe
2⤵
PID:7428

C:\Windows\System32\PhzXzLq.exe
C:\Windows\System32\PhzXzLq.exe
2⤵
PID:7456

C:\Windows\System32\WurrZrm.exe
C:\Windows\System32\WurrZrm.exe
2⤵
PID:7476

C:\Windows\System32\zXWyELn.exe
C:\Windows\System32\zXWyELn.exe
2⤵
PID:7508

C:\Windows\System32\GbyWyTP.exe
C:\Windows\System32\GbyWyTP.exe
2⤵
PID:7544

C:\Windows\System32\pVHQkAA.exe
C:\Windows\System32\pVHQkAA.exe
2⤵
PID:7596

C:\Windows\System32\COnqcmf.exe
C:\Windows\System32\COnqcmf.exe
2⤵
PID:7668

C:\Windows\System32\kpQAbvw.exe
C:\Windows\System32\kpQAbvw.exe
2⤵
PID:7684

C:\Windows\System32\NiUHMvL.exe
C:\Windows\System32\NiUHMvL.exe
2⤵
PID:7700

C:\Windows\System32\WHjTEUw.exe
C:\Windows\System32\WHjTEUw.exe
2⤵
PID:7716

C:\Windows\System32\jnktAIz.exe
C:\Windows\System32\jnktAIz.exe
2⤵
PID:7732

C:\Windows\System32\pLNBFPA.exe
C:\Windows\System32\pLNBFPA.exe
2⤵
PID:7748

C:\Windows\System32\KoYjObP.exe
C:\Windows\System32\KoYjObP.exe
2⤵
PID:7764

C:\Windows\System32\BmEBHbe.exe
C:\Windows\System32\BmEBHbe.exe
2⤵
PID:7780

C:\Windows\System32\ObTvVvH.exe
C:\Windows\System32\ObTvVvH.exe
2⤵
PID:7796

C:\Windows\System32\RaWFCCt.exe
C:\Windows\System32\RaWFCCt.exe
2⤵
PID:7904

C:\Windows\System32\YcmyULY.exe
C:\Windows\System32\YcmyULY.exe
2⤵
PID:7920

C:\Windows\System32\AboMMvv.exe
C:\Windows\System32\AboMMvv.exe
2⤵
PID:7992

C:\Windows\System32\ZSudghp.exe
C:\Windows\System32\ZSudghp.exe
2⤵
PID:8012

C:\Windows\System32\ssrzUtV.exe
C:\Windows\System32\ssrzUtV.exe
2⤵
PID:8032

C:\Windows\System32\WrcLEas.exe
C:\Windows\System32\WrcLEas.exe
2⤵
PID:8048

C:\Windows\System32\FtOBUUV.exe
C:\Windows\System32\FtOBUUV.exe
2⤵
PID:8064

C:\Windows\System32\oaZkBHT.exe
C:\Windows\System32\oaZkBHT.exe
2⤵
PID:8152

C:\Windows\System32\ixnVQNb.exe
C:\Windows\System32\ixnVQNb.exe
2⤵
PID:8184

C:\Windows\System32\fXpBXuj.exe
C:\Windows\System32\fXpBXuj.exe
2⤵
PID:7212

C:\Windows\System32\TJroDJB.exe
C:\Windows\System32\TJroDJB.exe
2⤵
PID:7296

C:\Windows\System32\EPCGXCw.exe
C:\Windows\System32\EPCGXCw.exe
2⤵
PID:6676

C:\Windows\System32\CYMxDao.exe
C:\Windows\System32\CYMxDao.exe
2⤵
PID:7392

C:\Windows\System32\tAicmMq.exe
C:\Windows\System32\tAicmMq.exe
2⤵
PID:7492

C:\Windows\System32\sKyhBIh.exe
C:\Windows\System32\sKyhBIh.exe
2⤵
PID:4964

C:\Windows\System32\nNXLHUO.exe
C:\Windows\System32\nNXLHUO.exe
2⤵
PID:7620

C:\Windows\System32\taskigT.exe
C:\Windows\System32\taskigT.exe
2⤵
PID:7728

C:\Windows\System32\CdCfqDM.exe
C:\Windows\System32\CdCfqDM.exe
2⤵
PID:7636

C:\Windows\System32\ZCRSDpY.exe
C:\Windows\System32\ZCRSDpY.exe
2⤵
PID:7832

C:\Windows\System32\iFYKWkM.exe
C:\Windows\System32\iFYKWkM.exe
2⤵
PID:7660

C:\Windows\System32\vszyknS.exe
C:\Windows\System32\vszyknS.exe
2⤵
PID:7844

C:\Windows\System32\OYywuqL.exe
C:\Windows\System32\OYywuqL.exe
2⤵
PID:7828

C:\Windows\System32\whWBvae.exe
C:\Windows\System32\whWBvae.exe
2⤵
PID:8020

C:\Windows\System32\jNNSpjE.exe
C:\Windows\System32\jNNSpjE.exe
2⤵
PID:7980

C:\Windows\System32\wsgfFYC.exe
C:\Windows\System32\wsgfFYC.exe
2⤵
PID:8076

C:\Windows\System32\BOSzWVr.exe
C:\Windows\System32\BOSzWVr.exe
2⤵
PID:8108

C:\Windows\System32\gfJylWs.exe
C:\Windows\System32\gfJylWs.exe
2⤵
PID:8180

C:\Windows\System32\hcSltTB.exe
C:\Windows\System32\hcSltTB.exe
2⤵
PID:7368

C:\Windows\System32\JsixCBY.exe
C:\Windows\System32\JsixCBY.exe
2⤵
PID:7488

C:\Windows\System32\WWxEUnD.exe
C:\Windows\System32\WWxEUnD.exe
2⤵
PID:7592

C:\Windows\System32\sdXosrw.exe
C:\Windows\System32\sdXosrw.exe
2⤵
PID:7792

C:\Windows\System32\GGcFKsF.exe
C:\Windows\System32\GGcFKsF.exe
2⤵
PID:7820

C:\Windows\System32\tXqhXWa.exe
C:\Windows\System32\tXqhXWa.exe
2⤵
PID:8008

C:\Windows\System32\zuvwyCl.exe
C:\Windows\System32\zuvwyCl.exe
2⤵
PID:8120

C:\Windows\System32\JQGpVZZ.exe
C:\Windows\System32\JQGpVZZ.exe
2⤵
PID:8148

C:\Windows\System32\WAgzHhL.exe
C:\Windows\System32\WAgzHhL.exe
2⤵
PID:7472

C:\Windows\System32\gzxUhMB.exe
C:\Windows\System32\gzxUhMB.exe
2⤵
PID:7632

C:\Windows\System32\xhnuzKu.exe
C:\Windows\System32\xhnuzKu.exe
2⤵
PID:8056

C:\Windows\System32\BJWWxWk.exe
C:\Windows\System32\BJWWxWk.exe
2⤵
PID:7724

C:\Windows\System32\uTLoZaI.exe
C:\Windows\System32\uTLoZaI.exe
2⤵
PID:8204

C:\Windows\System32\PZUAUnq.exe
C:\Windows\System32\PZUAUnq.exe
2⤵
PID:8244

C:\Windows\System32\xAAXpVL.exe
C:\Windows\System32\xAAXpVL.exe
2⤵
PID:8264

C:\Windows\System32\BdznifS.exe
C:\Windows\System32\BdznifS.exe
2⤵
PID:8284

C:\Windows\System32\NbPcAcd.exe
C:\Windows\System32\NbPcAcd.exe
2⤵
PID:8308

C:\Windows\System32\iWOPpdy.exe
C:\Windows\System32\iWOPpdy.exe
2⤵
PID:8324

C:\Windows\System32\MZSXTLZ.exe
C:\Windows\System32\MZSXTLZ.exe
2⤵
PID:8344

C:\Windows\System32\zHWzEWE.exe
C:\Windows\System32\zHWzEWE.exe
2⤵
PID:8364

C:\Windows\System32\gRAnyVO.exe
C:\Windows\System32\gRAnyVO.exe
2⤵
PID:8404

C:\Windows\System32\kZMuopX.exe
C:\Windows\System32\kZMuopX.exe
2⤵
PID:8428

C:\Windows\System32\CGKMSMj.exe
C:\Windows\System32\CGKMSMj.exe
2⤵
PID:8456

C:\Windows\System32\kaEUbRu.exe
C:\Windows\System32\kaEUbRu.exe
2⤵
PID:8480

C:\Windows\System32\kpryHbD.exe
C:\Windows\System32\kpryHbD.exe
2⤵
PID:8516

C:\Windows\System32\CPYwahT.exe
C:\Windows\System32\CPYwahT.exe
2⤵
PID:8536

C:\Windows\System32\sSQkdYY.exe
C:\Windows\System32\sSQkdYY.exe
2⤵
PID:8592

C:\Windows\System32\BirJWkc.exe
C:\Windows\System32\BirJWkc.exe
2⤵
PID:8616

C:\Windows\System32\VPpyLJv.exe
C:\Windows\System32\VPpyLJv.exe
2⤵
PID:8656

C:\Windows\System32\CCwwYMG.exe
C:\Windows\System32\CCwwYMG.exe
2⤵
PID:8680

C:\Windows\System32\fpLkwDD.exe
C:\Windows\System32\fpLkwDD.exe
2⤵
PID:8724

C:\Windows\System32\ygoUBmP.exe
C:\Windows\System32\ygoUBmP.exe
2⤵
PID:8748

C:\Windows\System32\wqddGHH.exe
C:\Windows\System32\wqddGHH.exe
2⤵
PID:8788

C:\Windows\System32\OYYfiXo.exe
C:\Windows\System32\OYYfiXo.exe
2⤵
PID:8820

C:\Windows\System32\pOpjrDK.exe
C:\Windows\System32\pOpjrDK.exe
2⤵
PID:8840

C:\Windows\System32\TzyngHN.exe
C:\Windows\System32\TzyngHN.exe
2⤵
PID:8864

C:\Windows\System32\bZTdOkU.exe
C:\Windows\System32\bZTdOkU.exe
2⤵
PID:8892

C:\Windows\System32\ANmBCOe.exe
C:\Windows\System32\ANmBCOe.exe
2⤵
PID:8912

C:\Windows\System32\FRYqtWy.exe
C:\Windows\System32\FRYqtWy.exe
2⤵
PID:8928

C:\Windows\System32\MmAeezt.exe
C:\Windows\System32\MmAeezt.exe
2⤵
PID:8956

C:\Windows\System32\cVLpdKJ.exe
C:\Windows\System32\cVLpdKJ.exe
2⤵
PID:8976

C:\Windows\System32\pONHmrt.exe
C:\Windows\System32\pONHmrt.exe
2⤵
PID:9032

C:\Windows\System32\DZWUYyL.exe
C:\Windows\System32\DZWUYyL.exe
2⤵
PID:9052

C:\Windows\System32\dVVNMsl.exe
C:\Windows\System32\dVVNMsl.exe
2⤵
PID:9100

C:\Windows\System32\BWlPAlD.exe
C:\Windows\System32\BWlPAlD.exe
2⤵
PID:9124

C:\Windows\System32\wFfgLaw.exe
C:\Windows\System32\wFfgLaw.exe
2⤵
PID:9148

C:\Windows\System32\QjTqFKM.exe
C:\Windows\System32\QjTqFKM.exe
2⤵
PID:9200

C:\Windows\System32\mHGUVUZ.exe
C:\Windows\System32\mHGUVUZ.exe
2⤵
PID:8096

C:\Windows\System32\JhzJfaI.exe
C:\Windows\System32\JhzJfaI.exe
2⤵
PID:8236

C:\Windows\System32\MgQuwCJ.exe
C:\Windows\System32\MgQuwCJ.exe
2⤵
PID:8304

C:\Windows\System32\HrrztUc.exe
C:\Windows\System32\HrrztUc.exe
2⤵
PID:8336

C:\Windows\System32\xBkFjnD.exe
C:\Windows\System32\xBkFjnD.exe
2⤵
PID:8360

C:\Windows\System32\lKYrokW.exe
C:\Windows\System32\lKYrokW.exe
2⤵
PID:8468

C:\Windows\System32\GSBFJdE.exe
C:\Windows\System32\GSBFJdE.exe
2⤵
PID:8572

C:\Windows\System32\eQYnIcp.exe
C:\Windows\System32\eQYnIcp.exe
2⤵
PID:8604

C:\Windows\System32\DQDXewy.exe
C:\Windows\System32\DQDXewy.exe
2⤵
PID:8652

C:\Windows\System32\JbIUVQK.exe
C:\Windows\System32\JbIUVQK.exe
2⤵
PID:8708

C:\Windows\System32\NbIeHaH.exe
C:\Windows\System32\NbIeHaH.exe
2⤵
PID:8744

C:\Windows\System32\QLZiFgd.exe
C:\Windows\System32\QLZiFgd.exe
2⤵
PID:8808

C:\Windows\System32\XnoCFwL.exe
C:\Windows\System32\XnoCFwL.exe
2⤵
PID:8964

C:\Windows\System32\vukWVDm.exe
C:\Windows\System32\vukWVDm.exe
2⤵
PID:9028

C:\Windows\System32\YmKHdHE.exe
C:\Windows\System32\YmKHdHE.exe
2⤵
PID:9048

C:\Windows\System32\bwFNutz.exe
C:\Windows\System32\bwFNutz.exe
2⤵
PID:9164

C:\Windows\System32\ATFEbYX.exe
C:\Windows\System32\ATFEbYX.exe
2⤵
PID:9112

C:\Windows\System32\sMFyylZ.exe
C:\Windows\System32\sMFyylZ.exe
2⤵
PID:8196

C:\Windows\System32\TiubdDv.exe
C:\Windows\System32\TiubdDv.exe
2⤵
PID:8440

C:\Windows\System32\SKQwrzC.exe
C:\Windows\System32\SKQwrzC.exe
2⤵
PID:8396

C:\Windows\System32\uxexWYh.exe
C:\Windows\System32\uxexWYh.exe
2⤵
PID:8644

C:\Windows\System32\WkccLde.exe
C:\Windows\System32\WkccLde.exe
2⤵
PID:8944

C:\Windows\System32\UWiMjKJ.exe
C:\Windows\System32\UWiMjKJ.exe
2⤵
PID:9136

C:\Windows\System32\udjfFDK.exe
C:\Windows\System32\udjfFDK.exe
2⤵
PID:8280

C:\Windows\System32\OwgyxyO.exe
C:\Windows\System32\OwgyxyO.exe
2⤵
PID:8568

C:\Windows\System32\uTqBOrB.exe
C:\Windows\System32\uTqBOrB.exe
2⤵
PID:8948

C:\Windows\System32\PkTFjaJ.exe
C:\Windows\System32\PkTFjaJ.exe
2⤵
PID:8544

C:\Windows\System32\SqlVsPC.exe
C:\Windows\System32\SqlVsPC.exe
2⤵
PID:9088

C:\Windows\System32\AosadBj.exe
C:\Windows\System32\AosadBj.exe
2⤵
PID:9232

C:\Windows\System32\cfAHRHe.exe
C:\Windows\System32\cfAHRHe.exe
2⤵
PID:9252

C:\Windows\System32\zLPMqPH.exe
C:\Windows\System32\zLPMqPH.exe
2⤵
PID:9280

C:\Windows\System32\BatNySl.exe
C:\Windows\System32\BatNySl.exe
2⤵
PID:9324

C:\Windows\System32\jBGlZWX.exe
C:\Windows\System32\jBGlZWX.exe
2⤵
PID:9348

C:\Windows\System32\wnKAUDg.exe
C:\Windows\System32\wnKAUDg.exe
2⤵
PID:9368

C:\Windows\System32\licIMjJ.exe
C:\Windows\System32\licIMjJ.exe
2⤵
PID:9388

C:\Windows\System32\IldOdPO.exe
C:\Windows\System32\IldOdPO.exe
2⤵
PID:9416

C:\Windows\System32\UOderTq.exe
C:\Windows\System32\UOderTq.exe
2⤵
PID:9440

C:\Windows\System32\dNsUXBf.exe
C:\Windows\System32\dNsUXBf.exe
2⤵
PID:9480

C:\Windows\System32\xRRlEnu.exe
C:\Windows\System32\xRRlEnu.exe
2⤵
PID:9500

C:\Windows\System32\oWmUWni.exe
C:\Windows\System32\oWmUWni.exe
2⤵
PID:9544

C:\Windows\System32\WtXUPSy.exe
C:\Windows\System32\WtXUPSy.exe
2⤵
PID:9576

C:\Windows\System32\HXDWTQO.exe
C:\Windows\System32\HXDWTQO.exe
2⤵
PID:9596

C:\Windows\System32\QgpQJUx.exe
C:\Windows\System32\QgpQJUx.exe
2⤵
PID:9620

C:\Windows\System32\iRwwCPM.exe
C:\Windows\System32\iRwwCPM.exe
2⤵
PID:9652

C:\Windows\System32\eaPyrGU.exe
C:\Windows\System32\eaPyrGU.exe
2⤵
PID:9668

C:\Windows\System32\OtuVNnD.exe
C:\Windows\System32\OtuVNnD.exe
2⤵
PID:9696

C:\Windows\System32\dqYAbqo.exe
C:\Windows\System32\dqYAbqo.exe
2⤵
PID:9716

C:\Windows\System32\EaZYFnA.exe
C:\Windows\System32\EaZYFnA.exe
2⤵
PID:9772

C:\Windows\System32\NfLYDvz.exe
C:\Windows\System32\NfLYDvz.exe
2⤵
PID:9804

C:\Windows\System32\xYCuaBj.exe
C:\Windows\System32\xYCuaBj.exe
2⤵
PID:9832

C:\Windows\System32\tmBRbWC.exe
C:\Windows\System32\tmBRbWC.exe
2⤵
PID:9860

C:\Windows\System32\bYmfZFP.exe
C:\Windows\System32\bYmfZFP.exe
2⤵
PID:9876

C:\Windows\System32\ZLOCzRA.exe
C:\Windows\System32\ZLOCzRA.exe
2⤵
PID:9896

C:\Windows\System32\CGmOMBB.exe
C:\Windows\System32\CGmOMBB.exe
2⤵
PID:9924

C:\Windows\System32\ITuabzf.exe
C:\Windows\System32\ITuabzf.exe
2⤵
PID:9968

C:\Windows\System32\VpRwKRK.exe
C:\Windows\System32\VpRwKRK.exe
2⤵
PID:9992

C:\Windows\System32\SWjOZag.exe
C:\Windows\System32\SWjOZag.exe
2⤵
PID:10008

C:\Windows\System32\HFtJZZI.exe
C:\Windows\System32\HFtJZZI.exe
2⤵
PID:10060

C:\Windows\System32\XOvFAwZ.exe
C:\Windows\System32\XOvFAwZ.exe
2⤵
PID:10084

C:\Windows\System32\YXASHIl.exe
C:\Windows\System32\YXASHIl.exe
2⤵
PID:10120

C:\Windows\System32\WByyvqg.exe
C:\Windows\System32\WByyvqg.exe
2⤵
PID:10140

C:\Windows\System32\APPYefs.exe
C:\Windows\System32\APPYefs.exe
2⤵
PID:10168

C:\Windows\System32\axAsUNZ.exe
C:\Windows\System32\axAsUNZ.exe
2⤵
PID:10188

C:\Windows\System32\CMwBCTb.exe
C:\Windows\System32\CMwBCTb.exe
2⤵
PID:10212

C:\Windows\System32\LeEAUrW.exe
C:\Windows\System32\LeEAUrW.exe
2⤵
PID:10228

C:\Windows\System32\WTJpqYa.exe
C:\Windows\System32\WTJpqYa.exe
2⤵
PID:9260

C:\Windows\System32\ktUitZb.exe
C:\Windows\System32\ktUitZb.exe
2⤵
PID:9300

C:\Windows\System32\ywJWGDc.exe
C:\Windows\System32\ywJWGDc.exe
2⤵
PID:9360

C:\Windows\System32\GUvTDtX.exe
C:\Windows\System32\GUvTDtX.exe
2⤵
PID:9436

C:\Windows\System32\UdwZsYj.exe
C:\Windows\System32\UdwZsYj.exe
2⤵
PID:9496

C:\Windows\System32\LdPmjIp.exe
C:\Windows\System32\LdPmjIp.exe
2⤵
PID:9608

C:\Windows\System32\ZVoObYr.exe
C:\Windows\System32\ZVoObYr.exe
2⤵
PID:9660

C:\Windows\System32\CYAbEvV.exe
C:\Windows\System32\CYAbEvV.exe
2⤵
PID:9748

C:\Windows\System32\nBNqWOz.exe
C:\Windows\System32\nBNqWOz.exe
2⤵
PID:9800

C:\Windows\System32\mbJUBot.exe
C:\Windows\System32\mbJUBot.exe
2⤵
PID:9852

C:\Windows\System32\XBdXUrH.exe
C:\Windows\System32\XBdXUrH.exe
2⤵
PID:10016

C:\Windows\System32\ihLLgpS.exe
C:\Windows\System32\ihLLgpS.exe
2⤵
PID:10004

C:\Windows\System32\VtuoKMd.exe
C:\Windows\System32\VtuoKMd.exe
2⤵
PID:10072

C:\Windows\System32\AMNAjoy.exe
C:\Windows\System32\AMNAjoy.exe
2⤵
PID:10164

C:\Windows\System32\izOGLMR.exe
C:\Windows\System32\izOGLMR.exe
2⤵
PID:10196

C:\Windows\System32\ppBlNdY.exe
C:\Windows\System32\ppBlNdY.exe
2⤵
PID:9304

C:\Windows\System32\nclriBp.exe
C:\Windows\System32\nclriBp.exe
2⤵
PID:9456

C:\Windows\System32\bRtUkob.exe
C:\Windows\System32\bRtUkob.exe
2⤵
PID:9616

C:\Windows\System32\jOUgZrD.exe
C:\Windows\System32\jOUgZrD.exe
2⤵
PID:9684

C:\Windows\System32\UdGfeSN.exe
C:\Windows\System32\UdGfeSN.exe
2⤵
PID:9820

C:\Windows\System32\gXyCVhV.exe
C:\Windows\System32\gXyCVhV.exe
2⤵
PID:10020

C:\Windows\System32\QNvjOkk.exe
C:\Windows\System32\QNvjOkk.exe
2⤵
PID:10132

C:\Windows\System32\ihxpoPA.exe
C:\Windows\System32\ihxpoPA.exe
2⤵
PID:9400

C:\Windows\System32\ldBSlDf.exe
C:\Windows\System32\ldBSlDf.exe
2⤵
PID:9796

C:\Windows\System32\lCQvSSq.exe
C:\Windows\System32\lCQvSSq.exe
2⤵
PID:10028

C:\Windows\System32\UjsUkTu.exe
C:\Windows\System32\UjsUkTu.exe
2⤵
PID:9604

C:\Windows\System32\jAUpACa.exe
C:\Windows\System32\jAUpACa.exe
2⤵
PID:9940

C:\Windows\System32\jdXHrma.exe
C:\Windows\System32\jdXHrma.exe
2⤵
PID:10260

C:\Windows\System32\AaIQyXZ.exe
C:\Windows\System32\AaIQyXZ.exe
2⤵
PID:10284

C:\Windows\System32\DYWQuQf.exe
C:\Windows\System32\DYWQuQf.exe
2⤵
PID:10304

C:\Windows\System32\nyGdgCU.exe
C:\Windows\System32\nyGdgCU.exe
2⤵
PID:10364

C:\Windows\System32\PHQdnYd.exe
C:\Windows\System32\PHQdnYd.exe
2⤵
PID:10404

C:\Windows\System32\rvihlTa.exe
C:\Windows\System32\rvihlTa.exe
2⤵
PID:10424

C:\Windows\System32\WNtrbgK.exe
C:\Windows\System32\WNtrbgK.exe
2⤵
PID:10476

C:\Windows\System32\txyqiEy.exe
C:\Windows\System32\txyqiEy.exe
2⤵
PID:10492

C:\Windows\System32\yZwdMxc.exe
C:\Windows\System32\yZwdMxc.exe
2⤵
PID:10508

C:\Windows\System32\jeXHwkN.exe
C:\Windows\System32\jeXHwkN.exe
2⤵
PID:10560

C:\Windows\System32\aYjwqfU.exe
C:\Windows\System32\aYjwqfU.exe
2⤵
PID:10576

C:\Windows\System32\kfAGcFK.exe
C:\Windows\System32\kfAGcFK.exe
2⤵
PID:10600

C:\Windows\System32\HKerEjk.exe
C:\Windows\System32\HKerEjk.exe
2⤵
PID:10624

C:\Windows\System32\ddtvxfx.exe
C:\Windows\System32\ddtvxfx.exe
2⤵
PID:10660

C:\Windows\System32\kTETISv.exe
C:\Windows\System32\kTETISv.exe
2⤵
PID:10688

C:\Windows\System32\pHMUJPD.exe
C:\Windows\System32\pHMUJPD.exe
2⤵
PID:10712

C:\Windows\System32\HpAMttL.exe
C:\Windows\System32\HpAMttL.exe
2⤵
PID:10748

C:\Windows\System32\edinAFR.exe
C:\Windows\System32\edinAFR.exe
2⤵
PID:10768

C:\Windows\System32\ntCqQaV.exe
C:\Windows\System32\ntCqQaV.exe
2⤵
PID:10800

C:\Windows\System32\agmKSOf.exe
C:\Windows\System32\agmKSOf.exe
2⤵
PID:10836

C:\Windows\System32\JguGwtP.exe
C:\Windows\System32\JguGwtP.exe
2⤵
PID:10852

C:\Windows\System32\idxAgrS.exe
C:\Windows\System32\idxAgrS.exe
2⤵
PID:10872

C:\Windows\System32\daSsQFA.exe
C:\Windows\System32\daSsQFA.exe
2⤵
PID:10892

C:\Windows\System32\uupAyZY.exe
C:\Windows\System32\uupAyZY.exe
2⤵
PID:10936

C:\Windows\System32\TPLaYwi.exe
C:\Windows\System32\TPLaYwi.exe
2⤵
PID:10956

C:\Windows\System32\nXIFGdR.exe
C:\Windows\System32\nXIFGdR.exe
2⤵
PID:10988

C:\Windows\System32\BOELHaf.exe
C:\Windows\System32\BOELHaf.exe
2⤵
PID:11004

C:\Windows\System32\CupNbzf.exe
C:\Windows\System32\CupNbzf.exe
2⤵
PID:11032

C:\Windows\System32\aYmKfND.exe
C:\Windows\System32\aYmKfND.exe
2⤵
PID:11080

C:\Windows\System32\DMQtHlr.exe
C:\Windows\System32\DMQtHlr.exe
2⤵
PID:11112

C:\Windows\System32\LLXCdhH.exe
C:\Windows\System32\LLXCdhH.exe
2⤵
PID:11140

C:\Windows\System32\mIUAnjF.exe
C:\Windows\System32\mIUAnjF.exe
2⤵
PID:11168

C:\Windows\System32\PhMPoJd.exe
C:\Windows\System32\PhMPoJd.exe
2⤵
PID:11192

C:\Windows\System32\IHNppdK.exe
C:\Windows\System32\IHNppdK.exe
2⤵
PID:11212

C:\Windows\System32\ZBqcMJJ.exe
C:\Windows\System32\ZBqcMJJ.exe
2⤵
PID:11236

C:\Windows\System32\nWbvUrX.exe
C:\Windows\System32\nWbvUrX.exe
2⤵
PID:9524

C:\Windows\System32\yjmdblk.exe
C:\Windows\System32\yjmdblk.exe
2⤵
PID:9756

C:\Windows\System32\jhHmrzg.exe
C:\Windows\System32\jhHmrzg.exe
2⤵
PID:10276

C:\Windows\System32\XdasCEO.exe
C:\Windows\System32\XdasCEO.exe
2⤵
PID:10416

C:\Windows\System32\UGwSJnQ.exe
C:\Windows\System32\UGwSJnQ.exe
2⤵
PID:10448

C:\Windows\System32\DLIhqgi.exe
C:\Windows\System32\DLIhqgi.exe
2⤵
PID:10504

C:\Windows\System32\adSKxTx.exe
C:\Windows\System32\adSKxTx.exe
2⤵
PID:10572

C:\Windows\System32\kNGvKwt.exe
C:\Windows\System32\kNGvKwt.exe
2⤵
PID:10656

C:\Windows\System32\mowHHAq.exe
C:\Windows\System32\mowHHAq.exe
2⤵
PID:10764

C:\Windows\System32\UiIdPKp.exe
C:\Windows\System32\UiIdPKp.exe
2⤵
PID:10812

C:\Windows\System32\eDvJpyo.exe
C:\Windows\System32\eDvJpyo.exe
2⤵
PID:10888

C:\Windows\System32\dwMAcGv.exe
C:\Windows\System32\dwMAcGv.exe
2⤵
PID:10948

C:\Windows\System32\ZfiaUkI.exe
C:\Windows\System32\ZfiaUkI.exe
2⤵
PID:10996

C:\Windows\System32\VDvOGrB.exe
C:\Windows\System32\VDvOGrB.exe
2⤵
PID:11056

C:\Windows\System32\tewpOTK.exe
C:\Windows\System32\tewpOTK.exe
2⤵
PID:11128

C:\Windows\System32\hpGJqPC.exe
C:\Windows\System32\hpGJqPC.exe
2⤵
PID:11180

C:\Windows\System32\kYntADU.exe
C:\Windows\System32\kYntADU.exe
2⤵
PID:10248

C:\Windows\System32\BkzMyKJ.exe
C:\Windows\System32\BkzMyKJ.exe
2⤵
PID:10336

C:\Windows\System32\qzmFLzD.exe
C:\Windows\System32\qzmFLzD.exe
2⤵
PID:10400

C:\Windows\System32\dVwPDBw.exe
C:\Windows\System32\dVwPDBw.exe
2⤵
PID:10548

C:\Windows\System32\kVOmhWH.exe
C:\Windows\System32\kVOmhWH.exe
2⤵
PID:10760

C:\Windows\System32\GJYBcXV.exe
C:\Windows\System32\GJYBcXV.exe
2⤵
PID:10952

C:\Windows\System32\YPoKTJN.exe
C:\Windows\System32\YPoKTJN.exe
2⤵
PID:11100

C:\Windows\System32\JDdzbwp.exe
C:\Windows\System32\JDdzbwp.exe
2⤵
PID:11260

C:\Windows\System32\hLvBjPD.exe
C:\Windows\System32\hLvBjPD.exe
2⤵
PID:10500

C:\Windows\System32\qYplist.exe
C:\Windows\System32\qYplist.exe
2⤵
PID:10924

C:\Windows\System32\BZQylAe.exe
C:\Windows\System32\BZQylAe.exe
2⤵
PID:10968

C:\Windows\System32\YHwOuUg.exe
C:\Windows\System32\YHwOuUg.exe
2⤵
PID:10516

C:\Windows\System32\NhIShyg.exe
C:\Windows\System32\NhIShyg.exe
2⤵
PID:11064

C:\Windows\System32\KXgpTQf.exe
C:\Windows\System32\KXgpTQf.exe
2⤵
PID:11272

C:\Windows\System32\pyzPuvu.exe
C:\Windows\System32\pyzPuvu.exe
2⤵
PID:11320

C:\Windows\System32\HKfwhnS.exe
C:\Windows\System32\HKfwhnS.exe
2⤵
PID:11356

C:\Windows\System32\fAdRGZk.exe
C:\Windows\System32\fAdRGZk.exe
2⤵
PID:11376

C:\Windows\System32\GLBoKKv.exe
C:\Windows\System32\GLBoKKv.exe
2⤵
PID:11420

C:\Windows\System32\TiIeNSP.exe
C:\Windows\System32\TiIeNSP.exe
2⤵
PID:11452

C:\Windows\System32\Wtqdixj.exe
C:\Windows\System32\Wtqdixj.exe
2⤵
PID:11480

C:\Windows\System32\xAsaYXJ.exe
C:\Windows\System32\xAsaYXJ.exe
2⤵
PID:11512

C:\Windows\System32\PTduYlZ.exe
C:\Windows\System32\PTduYlZ.exe
2⤵
PID:11540

C:\Windows\System32\clStdLw.exe
C:\Windows\System32\clStdLw.exe
2⤵
PID:11564

C:\Windows\System32\jnvAfkO.exe
C:\Windows\System32\jnvAfkO.exe
2⤵
PID:11588

C:\Windows\System32\qXqDxfM.exe
C:\Windows\System32\qXqDxfM.exe
2⤵
PID:11612

C:\Windows\System32\dAHQFMS.exe
C:\Windows\System32\dAHQFMS.exe
2⤵
PID:11640

C:\Windows\System32\ErEceXj.exe
C:\Windows\System32\ErEceXj.exe
2⤵
PID:11664

C:\Windows\System32\OfrVbAy.exe
C:\Windows\System32\OfrVbAy.exe
2⤵
PID:11692

C:\Windows\System32\rhKZbEd.exe
C:\Windows\System32\rhKZbEd.exe
2⤵
PID:11736

C:\Windows\System32\cNbHieK.exe
C:\Windows\System32\cNbHieK.exe
2⤵
PID:11752

C:\Windows\System32\vjZzmeI.exe
C:\Windows\System32\vjZzmeI.exe
2⤵
PID:11772

C:\Windows\System32\FsNTTsl.exe
C:\Windows\System32\FsNTTsl.exe
2⤵
PID:11808

C:\Windows\System32\TYGvvsO.exe
C:\Windows\System32\TYGvvsO.exe
2⤵
PID:11832

C:\Windows\System32\IiQLKtG.exe
C:\Windows\System32\IiQLKtG.exe
2⤵
PID:11864

C:\Windows\System32\YKkKdUQ.exe
C:\Windows\System32\YKkKdUQ.exe
2⤵
PID:11904

C:\Windows\System32\MLufpIU.exe
C:\Windows\System32\MLufpIU.exe
2⤵
PID:11932

C:\Windows\System32\AjNRBWs.exe
C:\Windows\System32\AjNRBWs.exe
2⤵
PID:11956

C:\Windows\System32\GzJrzyS.exe
C:\Windows\System32\GzJrzyS.exe
2⤵
PID:11976

C:\Windows\System32\nPNvABN.exe
C:\Windows\System32\nPNvABN.exe
2⤵
PID:12004

C:\Windows\System32\NczRVay.exe
C:\Windows\System32\NczRVay.exe
2⤵
PID:12028

C:\Windows\System32\iVsEgll.exe
C:\Windows\System32\iVsEgll.exe
2⤵
PID:12048

C:\Windows\System32\BorQOQE.exe
C:\Windows\System32\BorQOQE.exe
2⤵
PID:12092

C:\Windows\System32\zmIiSLV.exe
C:\Windows\System32\zmIiSLV.exe
2⤵
PID:12136

C:\Windows\System32\iirpTuB.exe
C:\Windows\System32\iirpTuB.exe
2⤵
PID:12160

C:\Windows\System32\XpFvelu.exe
C:\Windows\System32\XpFvelu.exe
2⤵
PID:12180

C:\Windows\System32\kkTJvDS.exe
C:\Windows\System32\kkTJvDS.exe
2⤵
PID:12204

C:\Windows\System32\HvqAPLZ.exe
C:\Windows\System32\HvqAPLZ.exe
2⤵
PID:12228

C:\Windows\System32\bwtJlrH.exe
C:\Windows\System32\bwtJlrH.exe
2⤵
PID:12244

C:\Windows\System32\HaaDyyr.exe
C:\Windows\System32\HaaDyyr.exe
2⤵
PID:12268

C:\Windows\System32\XKWWybL.exe
C:\Windows\System32\XKWWybL.exe
2⤵
PID:11292

C:\Windows\System32\linUpUd.exe
C:\Windows\System32\linUpUd.exe
2⤵
PID:11332

C:\Windows\System32\POAJnba.exe
C:\Windows\System32\POAJnba.exe
2⤵
PID:11440

C:\Windows\System32\vHojSQW.exe
C:\Windows\System32\vHojSQW.exe
2⤵
PID:11556

C:\Windows\System32\tOlvvIt.exe
C:\Windows\System32\tOlvvIt.exe
2⤵
PID:11608

C:\Windows\System32\evASGdV.exe
C:\Windows\System32\evASGdV.exe
2⤵
PID:11704

C:\Windows\System32\BPGOIis.exe
C:\Windows\System32\BPGOIis.exe
2⤵
PID:11768

C:\Windows\System32\tcEYygW.exe
C:\Windows\System32\tcEYygW.exe
2⤵
PID:11848

C:\Windows\System32\sZndpdf.exe
C:\Windows\System32\sZndpdf.exe
2⤵
PID:11884

C:\Windows\System32\IwzwfrT.exe
C:\Windows\System32\IwzwfrT.exe
2⤵
PID:11916

C:\Windows\System32\SICXbjr.exe
C:\Windows\System32\SICXbjr.exe
2⤵
PID:11972

C:\Windows\System32\AhsdGng.exe
C:\Windows\System32\AhsdGng.exe
2⤵
PID:12020

C:\Windows\System32\wYQFVai.exe
C:\Windows\System32\wYQFVai.exe
2⤵
PID:4064

C:\Windows\System32\rMYFznf.exe
C:\Windows\System32\rMYFznf.exe
2⤵
PID:12196

C:\Windows\System32\ZmPYlbC.exe
C:\Windows\System32\ZmPYlbC.exe
2⤵
PID:11340

C:\Windows\System32\fPvzhxI.exe
C:\Windows\System32\fPvzhxI.exe
2⤵
PID:11392

C:\Windows\System32\PdsTUDA.exe
C:\Windows\System32\PdsTUDA.exe
2⤵
PID:11604

C:\Windows\System32\qSkQiqx.exe
C:\Windows\System32\qSkQiqx.exe
2⤵
PID:11844

C:\Windows\System32\FgZhXyT.exe
C:\Windows\System32\FgZhXyT.exe
2⤵
PID:12000

C:\Windows\System32\UUoHyyf.exe
C:\Windows\System32\UUoHyyf.exe
2⤵
PID:12212

C:\Windows\System32\xYOQQhP.exe
C:\Windows\System32\xYOQQhP.exe
2⤵
PID:11560

C:\Windows\System32\DaNCNFB.exe
C:\Windows\System32\DaNCNFB.exe
2⤵
PID:11940

C:\Windows\System32\FwZPKFa.exe
C:\Windows\System32\FwZPKFa.exe
2⤵
PID:12120

C:\Windows\System32\VfwrajA.exe
C:\Windows\System32\VfwrajA.exe
2⤵
PID:11964

C:\Windows\System32\CwYyzAl.exe
C:\Windows\System32\CwYyzAl.exe
2⤵
PID:12304

C:\Windows\System32\ojMyuuK.exe
C:\Windows\System32\ojMyuuK.exe
2⤵
PID:12324

C:\Windows\System32\tNwzwsD.exe
C:\Windows\System32\tNwzwsD.exe
2⤵
PID:12340

C:\Windows\System32\yeWzBYm.exe
C:\Windows\System32\yeWzBYm.exe
2⤵
PID:12364

C:\Windows\System32\NgdrdIE.exe
C:\Windows\System32\NgdrdIE.exe
2⤵
PID:12384

C:\Windows\System32\ZcSazeb.exe
C:\Windows\System32\ZcSazeb.exe
2⤵
PID:12408

C:\Windows\System32\IrkiZYE.exe
C:\Windows\System32\IrkiZYE.exe
2⤵
PID:12480

C:\Windows\System32\RXAOAJR.exe
C:\Windows\System32\RXAOAJR.exe
2⤵
PID:12500

C:\Windows\System32\ihduxff.exe
C:\Windows\System32\ihduxff.exe
2⤵
PID:12524

C:\Windows\System32\idyQXto.exe
C:\Windows\System32\idyQXto.exe
2⤵
PID:12552

C:\Windows\System32\nLhFiiO.exe
C:\Windows\System32\nLhFiiO.exe
2⤵
PID:12608

C:\Windows\System32\eXGLcvj.exe
C:\Windows\System32\eXGLcvj.exe
2⤵
PID:12624

C:\Windows\System32\EmPnSGm.exe
C:\Windows\System32\EmPnSGm.exe
2⤵
PID:12648

C:\Windows\System32\Tyriyqw.exe
C:\Windows\System32\Tyriyqw.exe
2⤵
PID:12680

C:\Windows\System32\NeXtRSq.exe
C:\Windows\System32\NeXtRSq.exe
2⤵
PID:12704

C:\Windows\System32\GzqSugT.exe
C:\Windows\System32\GzqSugT.exe
2⤵
PID:12724

C:\Windows\System32\ygMwtUi.exe
C:\Windows\System32\ygMwtUi.exe
2⤵
PID:12764

C:\Windows\System32\LscpsJU.exe
C:\Windows\System32\LscpsJU.exe
2⤵
PID:12788

C:\Windows\System32\iulyClP.exe
C:\Windows\System32\iulyClP.exe
2⤵
PID:12812

C:\Windows\System32\OLsaWsr.exe
C:\Windows\System32\OLsaWsr.exe
2⤵
PID:12840

C:\Windows\System32\dETuYkv.exe
C:\Windows\System32\dETuYkv.exe
2⤵
PID:12860

C:\Windows\System32\WyjChog.exe
C:\Windows\System32\WyjChog.exe
2⤵
PID:12896

C:\Windows\System32\QPBuInw.exe
C:\Windows\System32\QPBuInw.exe
2⤵
PID:12916

C:\Windows\System32\tVxLsLb.exe
C:\Windows\System32\tVxLsLb.exe
2⤵
PID:12944

C:\Windows\System32\lyVrUuR.exe
C:\Windows\System32\lyVrUuR.exe
2⤵
PID:12988

C:\Windows\System32\xzxpPSl.exe
C:\Windows\System32\xzxpPSl.exe
2⤵
PID:13008

C:\Windows\System32\WjdkXTx.exe
C:\Windows\System32\WjdkXTx.exe
2⤵
PID:13028

C:\Windows\System32\PUKkGtv.exe
C:\Windows\System32\PUKkGtv.exe
2⤵
PID:13096

C:\Windows\System32\gqAwUVO.exe
C:\Windows\System32\gqAwUVO.exe
2⤵
PID:13120

C:\Windows\System32\wYebOsS.exe
C:\Windows\System32\wYebOsS.exe
2⤵
PID:13136

C:\Windows\System32\RJfQhgx.exe
C:\Windows\System32\RJfQhgx.exe
2⤵
PID:13156

C:\Windows\System32\HlXuVOE.exe
C:\Windows\System32\HlXuVOE.exe
2⤵
PID:13180

C:\Windows\System32\hVcgNyD.exe
C:\Windows\System32\hVcgNyD.exe
2⤵
PID:13228

C:\Windows\System32\KcdgEaS.exe
C:\Windows\System32\KcdgEaS.exe
2⤵
PID:13252

C:\Windows\System32\GvmYRCR.exe
C:\Windows\System32\GvmYRCR.exe
2⤵
PID:13272

C:\Windows\System32\hariDjd.exe
C:\Windows\System32\hariDjd.exe
2⤵
PID:13296

C:\Windows\System32\JjznphC.exe
C:\Windows\System32\JjznphC.exe
2⤵
PID:12400

C:\Windows\System32\ceqFigR.exe
C:\Windows\System32\ceqFigR.exe
2⤵
PID:4304

C:\Windows\System32\WiBrFiF.exe
C:\Windows\System32\WiBrFiF.exe
2⤵
PID:12508

C:\Windows\System32\QgtOYxV.exe
C:\Windows\System32\QgtOYxV.exe
2⤵
PID:12588

C:\Windows\System32\POqNlYo.exe
C:\Windows\System32\POqNlYo.exe
2⤵
PID:12616

C:\Windows\System32\ajMeKax.exe
C:\Windows\System32\ajMeKax.exe
2⤵
PID:12696

C:\Windows\System32\qEZJtiL.exe
C:\Windows\System32\qEZJtiL.exe
2⤵
PID:12800

C:\Windows\System32\SguMGXA.exe
C:\Windows\System32\SguMGXA.exe
2⤵
PID:12912

C:\Windows\System32\GsnHlDb.exe
C:\Windows\System32\GsnHlDb.exe
2⤵
PID:12960

C:\Windows\System32\keOIvMh.exe
C:\Windows\System32\keOIvMh.exe
2⤵
PID:13036

C:\Windows\System32\eOXJPZy.exe
C:\Windows\System32\eOXJPZy.exe
2⤵
PID:13148

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Bevlamh.exe
Filesize
1.4MB

MD5
3695cd25f0466a2b4e9e05c75c469fe8

SHA1
5d2eefa1113dd007c24578d8fd1dba60edbdfaa2

SHA256
255516a9a03f55697928322f9195f6a69d02110b9f56d8c6c08cbf56c33687a9

SHA512
8ce395db63ef48140758e5bbe7ddf5d1e70e009f85152cc440ff257e58a30fe62b1d04ffd6d3d730d232d75eca778cff6ad4ea85c26f87ce721d2118e531377d

Download Submit
C:\Windows\System32\CbmwXNv.exe
Filesize
1.4MB

MD5
d395d10f70d33e23cedda2bc57bda082

SHA1
4374ee73d629b9cb02df28f83b768c20dadf366d

SHA256
9280b526625da2f27a58e16a6b1584b9e6587f804e3f690c287df064ed36cc60

SHA512
2f3a14be54cd409664dd5b50dbd71a11237432ce134fba5f9fbefdbea18ecbb67aa5268cbe25b84a51917f827ff726e061f099e3dd81f12c89d32db6d17de478

Download Submit
C:\Windows\System32\CyUXOas.exe
Filesize
1.4MB

MD5
dc5862bbbe74cd1817cbefdd6bd81abd

SHA1
bd366eb29ee7693ab2c7ae1d974227772541930e

SHA256
9c6c67215fd659906286ebe52c154eecaa12d3d02eb8eccab203f701f211ba77

SHA512
377f7c2a08346c2245dcd46e66e932501b4de776a9ef98deb6b3428fb5e2c4d5c77f401a140f411caed772a043cc7c87694e4af578af63369ba1579256434075

Download Submit
C:\Windows\System32\DQCmoPU.exe
Filesize
1.4MB

MD5
6646bf3ccdeae1d4ca03192277ec9e98

SHA1
a374a45cb2a9b14d6785e9d083f58517bd4dead7

SHA256
3dd6f31bfa33250294cd020114fce1056e503c1e278d93cb5cb10a782149c1a6

SHA512
8e0cfcbe9a24c0413f0f5e9360e0561dcdbaa5753e2d311e40fe390f34f98b8e5adc51838f576600a3c62c5f5526afb7424ae6d6b47b41500c6a737d5b4d1cc4

Download Submit
C:\Windows\System32\EgKCLls.exe
Filesize
1.4MB

MD5
e11eda2104a0e49221e46ef95bd361bd

SHA1
68e71b2d9afdab56886de82418b5646173abf37c

SHA256
4b7fc2b1344a6ee33de898d503c4c45d18d8fee69297e2a57df168d6b10a6f4c

SHA512
20d674ed831d89acd923a23552aa8e4cb3f7329367f518716d7df7bf8ab551a08860cca35d6388d201d84b30b053be7ae391c91a6f698c189b174ae92614a7bc

Download Submit
C:\Windows\System32\FWfSvXm.exe
Filesize
1.4MB

MD5
3a066cc1884b9e1930e762e00b171710

SHA1
8f80faf7977dcdbdd0a1e47b902c893de6313957

SHA256
6946f1fb2e50f89f5de0a8b40dc0626917559f145a8eff8ba4d9ebfcc4bef06b

SHA512
a1efdff06369879208092990fd3d75b7f7d0d8370e884faa388b9414878a36190dc51944f99d5bb1fdaa3794c30b6aed32719eea7e9d22854bdefe18ec183f0b

Download Submit
C:\Windows\System32\IjLFRFo.exe
Filesize
1.4MB

MD5
33b784dcbae82566ac3ee98e72d5c685

SHA1
ade4fa2c06f2083c92ca876843a16a83088b089d

SHA256
948a71f82327e04137ff45ccee5849a1d870f408e7625f4085f56858465a6e8d

SHA512
bbe8d661f93a07d611edba79563d5221464d570f1b412030d640d812df55886532da705d3ec9fadc72307d960a5c6ce42e37944dd7b948896e987ddfa3c0b77a

Download Submit
C:\Windows\System32\JohLbTH.exe
Filesize
1.4MB

MD5
bcc3b6c2f1e0b3e79f0efe0b6ea44538

SHA1
83d0d24bb0fe84bccea749efaca8c9e1117b261c

SHA256
c3001e896be45184aa9d695ae2dbbf994b637f1d937dfa39ee70162abd782066

SHA512
c36379440d254a585c2cdb61395d71bc70a6b65de3eb8c9cca2b6eeee8ed569bf673d401649392928bf6126cdc6e8ed4f5a238d4c69dfdeb77bfcb6317543667

Download Submit
C:\Windows\System32\KEeGwtU.exe
Filesize
1.4MB

MD5
f8fd57cc8dd5ad2ed69ee051ba700235

SHA1
a36e046a26193966f4a6baf24badd0fe8b70a867

SHA256
f600202a9a23ea4a838d1b7e03717de08f5df096503e9d3c231726abc7a28a98

SHA512
cad120e7138ce5f32ee0c426fab66d7e78233cfd4ac7257140be4d5d144656fcc4b5c2dbf40ab3fc3aff644601ad7641efb22accd812342dc7858971adc5a3c1

Download Submit
C:\Windows\System32\KnAIFHr.exe
Filesize
1.4MB

MD5
fb8039742be33ad0dafc5b97afde174c

SHA1
6c62c945f5acf926e63c61a9dc4cf9a3d2ee9999

SHA256
ad2d9797877c57036b965bcd7b2177fefec218d2fcf65b5aa9f75c7883590f06

SHA512
fac5ab278a42c3b0f7c8302b31dbb85f21b6899c775c1234222a176cd6b849fd98e6be2e4fe760ef941aa50a8199c8c88bb99299489606d47f52706dfe7b40a6

Download Submit
C:\Windows\System32\LKlVjYk.exe
Filesize
1.4MB

MD5
bf3347ddcda7d912df599485d9df48d9

SHA1
bfb7003b2f88089e84bd3349d9bede89ef527bf8

SHA256
cc36c4d080ffb203230762d2a97f8b6f8f488d6c8da43a47bf446218e3ff55a5

SHA512
11bcbc0f64517e6fa0371fa56208c319f03994dfc6892efb9add502cc80e3731f0c6ed56bd10ae9fad3ee40edfb858dd64d1feea09754a44f3add6739dc9b74f

Download Submit
C:\Windows\System32\LZaqwdf.exe
Filesize
1.4MB

MD5
5f2298d60e3d16f05b2ea548bd0ec003

SHA1
1a999f4ce4db4a9e9bf4d9ebfb02e8af7e1518be

SHA256
fe544c36d469339a7cb520aeecd599551cb0aca793df66fc214ea7cb49a2cefc

SHA512
e0d0b061f452ad08a45e76ee136523c4b3665a22ea4c01c0557e54e24a566a81b0760bba2eaf1ff353277059bcbc14393a0907a8872f5e787ad5e8d0aac3f0ca

Download Submit
C:\Windows\System32\NUTWPdy.exe
Filesize
1.4MB

MD5
0a3c162ea007e533a8054427dc67dc16

SHA1
cb13b45fe68efdfdcd75da4ce95e66c2c248b63c

SHA256
154669fd24878d0750de642eaefeae8f74991a9136da5953cf57e475b363a5ee

SHA512
eae6e512272d93bf5e3aff28a77c02a83fbcbdb12403efd7e06c8985d51361bcfeab621cdf2a5461c5d068bc9fcb7996559d116c0d0909000a9f570ea6d099c0

Download Submit
C:\Windows\System32\PQFJbZh.exe
Filesize
1.4MB

MD5
0fb948f6d91e81d13748be92f7d014a6

SHA1
859df6aa1cfd49f95b44d217e080610d51c4e151

SHA256
eea648154b635afeb9c8a53decc7788598dbc7d9eb2e30db4f1e8200c9f71861

SHA512
63004030ee10abe543feccdc9368cd862ae101c01a0a8272934e0c755fe9b57f609d685e510fdd0266c40765e00ab600a38309d507b4635184d90cd3cb5db718

Download Submit
C:\Windows\System32\TwDsGrq.exe
Filesize
1.4MB

MD5
d5a525139df46dd5e972a3ff2476243e

SHA1
c36d2e5e79a4481b5b9db7001a673c8ed7b9b340

SHA256
445491a472b20f34c9bb3d6994bc0a48fc42107c99747c5eba28ea86f8dc739a

SHA512
8a1621d703467de7460a261caabd5ad5994e3491d6e4ff72300d7b8bad3620c334b2d175f431ebfd293fc1d47f67e8ff61e6a416ca0f53141fdd3bc1111555ac

Download Submit
C:\Windows\System32\XcnHAdw.exe
Filesize
1.4MB

MD5
de4c06228a4cb0e70e98e7fe09930f77

SHA1
a632f20998f089e8e3336ce56e5d730f4b55f83c

SHA256
1eab75495881f590fcd7bbdfa3e89b158c4fff9ca356585d8ffee6099033aa86

SHA512
eebb4e91bd71314426579c37e9a8ace34464057410bc23c197126db66e26e15d887fbde0d891846a281ea497482151510a95e5b2c04c0b1ba0be5a22b731a5d9

Download Submit
C:\Windows\System32\YXVHyyY.exe
Filesize
1.4MB

MD5
ab19ae8fc313689ca162fefe3eec6cc7

SHA1
2784430c7be349bdc38bb1cfb9e516332ee93e1d

SHA256
bfb646e0bd5c0b9d9975608e131583e96581df4416444ddd193de339de999ae7

SHA512
b1068434d6ce8d5a42f69c8f8ba76610d652077f5188875361f5153ff5d04fad1d9fde97e93fa378dbe6d3098a1e2ac03cc8631082200aed62e29ecb5b2da72a

Download Submit
C:\Windows\System32\Ynswsmw.exe
Filesize
1.4MB

MD5
be7c94f9c96b7f780ab2cc0cb07388b1

SHA1
dbb94c6970fbdb9915fe11b35579c3d6fb735311

SHA256
902009686b6c6edcb80c4b42216c9d8b7de13daa5d44c089c58db5a808021e35

SHA512
8bb0af796203efa96958cb1bcc46c090c8e2b406e0ce00f123ddb1dc288ca798ef241e035dfbc5471f330c5fd21f8f8641ed0d275dcf0296929802df5b32c171

Download Submit
C:\Windows\System32\ZcWchZs.exe
Filesize
1.4MB

MD5
5220cab515a10aa5bf83d81807eb6d56

SHA1
1922b6601573c9b2bc7078848c5f5c8e7d3f5403

SHA256
274ae69ecce7157d3f915f3c83507933434a3ddf7adac9ceabf4dc34db67cc71

SHA512
19186c616255aa105709e234dbeca18538e4130847e061df41cd8b1293c926dec4644a45a9776d6763131af352305318d4d93fb76f4319f106cdf590c3f200ce

Download Submit
C:\Windows\System32\ZiWzrdj.exe
Filesize
1.4MB

MD5
c2a57b656cc4cef60f14ac5c096aeec0

SHA1
456c4f782072219b63b4a6143815a0c9b4f300b6

SHA256
8fc3922af73a89f76b91d9f402d94f40264bb74da24be4249ca2f5d9bc461a04

SHA512
f6ce2801b4d8111f7c34b14dd566b617f296bd4b7f1b34deeca6a9e23175e5038489c04fd50691eec6f9d3f5a7f1840c4badbe2db12d615a3e1d7c0abbc5e968

Download Submit
C:\Windows\System32\ebfiPOn.exe
Filesize
1.4MB

MD5
1f3b1cf82a19d0437e11290ad5cb4328

SHA1
4b1249ebf8755792460218a38f8c3ce97f2d95ca

SHA256
d5a57414e8bab7f4278669d39f26a237353c71c11eaca24e36581b18044d40e8

SHA512
32995382703badef00c0360cc7cac185b5954b0c4e5ec928d94475afa94d2cfa70c8416d0a6201a15b3b3630471d0919610c76279daf8affc7f8dc7da3c31b0b

Download Submit
C:\Windows\System32\fQhmtCB.exe
Filesize
1.4MB

MD5
91ad54a112371e1aef404d71208f9d19

SHA1
a6580e3a7bcf349cf785f32d89f568d0f6afe035

SHA256
234ffd75c26012e580c13930ca4e30b85fe6e40c1ff8ef86f61e6772c38ff131

SHA512
2d10288882883a69c67ba4fd46d68e2fb0b833d732ae9461da02d607d14bc6980669020d6ca4928d05f5467f19927c1c914079986f82d3d04ba66c12ddcabf37

Download Submit
C:\Windows\System32\hapOTXM.exe
Filesize
1.4MB

MD5
a5ce79d75c9a6f9949766fa024c166fe

SHA1
fc3544400e448d0df7756d0572e41303134491a8

SHA256
d12189d2067db8262f08f910b2d4c045446f8791ba3e47da350fbf2315aaa723

SHA512
45702a455204c6008e23333acf38e2d3e41a94a18c8d9f119a7e0f6a0e7b50c81bc93caf5371a5d1e3fb26bd05436f8bd2e5a2cd0f2601c1d33cb3e2d68cc21c

Download Submit
C:\Windows\System32\lQnEUnQ.exe
Filesize
1.4MB

MD5
a06e03658fb71af6c140758c9bb01d09

SHA1
e7468ede6062707b8219b30965d56aa05b0723e1

SHA256
9fd6c5cbdaf2c0efada5bbd9dd23d63c7aebb06c7081af40cf8376b0e266ab92

SHA512
eec205fa9c317d54c72de913ea1a5f356e18241db06f7032de4d2072a9881482b4418567526ae7a41d2f853b21c1058f660270749393f66353ee35e84ab52399

Download Submit
C:\Windows\System32\ocZKCXB.exe
Filesize
1.4MB

MD5
a818599ef1ae265845e494051fd636c5

SHA1
8fd307536b91b1fdd87786e447e92668d47e7849

SHA256
e050bcb90a870838a2594d3cd3a23e315c0a0914574087f226ac2b185a12bde4

SHA512
5b0aae0189f75619a6f308a9ed7774ffe3f90c4f6f462f443b800ed30d8b929705bf51740e226e534ff1073416b98b70f5dacf571143cb213ef033d7b292176c

Download Submit
C:\Windows\System32\oeDuZkA.exe
Filesize
1.4MB

MD5
b66b01b7d411f181fa1f87e7cd37100b

SHA1
a5219112fc571df4bb309d1c982e3a209f211689

SHA256
92c2caa5af79c03cdc6ede19bbac27e878837e3c82ed279c4f4f0f3ac313f3fa

SHA512
4843919c9657ace3cde1faa7bffa5cb532cb6f2ba7fe574190c99152a7d40e30ed70790dd75f294bf97172595b310601142c9305f9672136b36514074a8ad4ba

Download Submit
C:\Windows\System32\pfitKDV.exe
Filesize
1.4MB

MD5
3db1433933165e3291f45f1619160022

SHA1
49e91ca38caf559a6a6f1c698d4e5cd978946d7b

SHA256
1a4bf99943c1d768af84cbe2e0164191296166cdfbba3227f2f78532a5cfa5eb

SHA512
7fff1c696d7bbc79d9d8e42c3bef24ab86a9aea81e03074ea1fd951cd2ef4a83613198c902d0f54b1499b48f81df3ee029ceae9ba133a4712d3c818cd966e46a

Download Submit
C:\Windows\System32\sIOEjwA.exe
Filesize
1.4MB

MD5
89ebfa33ff21957b7930e80d701bfa92

SHA1
545429b60ca3142d58f8b8bfb36b07c830611b0a

SHA256
9e31f16c19a30a64de43213fe7f7b50dcba49f07a4f9a6214760e06f9f0eade7

SHA512
b01fa214b4b56af2ae67d9592505eb664f2865f24aa2c186ab0fb6d07e6197defc3380e8b2a8d2c88c2271e6e4e5678f209aff3437e135942d73f7cac253fb0c

Download Submit
C:\Windows\System32\wGkzAfi.exe
Filesize
1.4MB

MD5
3462f5e98757ed4c064d6832f7df292a

SHA1
535fb323f4ad490497160f0cbb0de2e33a8fa1b4

SHA256
cc59c6f72f236047e8f8938dd2e76047bd5c0e36a2fbe2750640a3d90204a141

SHA512
d01ac82d449a98e853f88f4e81c355330e6bc2f3415b99bb13f8635a284ea297a0a1a4748310fd33057384c181f5a3a09099c5aa6154d94ffb1e4c9afa08da9a

Download Submit
C:\Windows\System32\xvFvnCz.exe
Filesize
1.4MB

MD5
b767cc41b3fe83dffb2cec7daa64ce99

SHA1
616cd51d0f630727c4436693a56c9770de4fd02c

SHA256
58cd1eb9dbc4fe36fe0f1cecb50ae097c450b028cfecc942b7418336c84bf566

SHA512
3c3abd4c05df201b8eda07e7ad62ea17b37b2e1ea619be0685bb185997c1c3dd4f015a667b3803236749db68515c9cc1c6a049339adff50ae31ade0f71b47bbf

Download Submit
C:\Windows\System32\zGEKVYl.exe
Filesize
1.4MB

MD5
b97d54320d5c1ec963b56ade0475588e

SHA1
ad586851e762c4a9bb2cb73d9c81e4302f0efcff

SHA256
fc97f7601f6243d1b88a168fa7ba7d17d1cf1c4f170ceec9ce2afd7408896687

SHA512
377aa15b9e3738830c4000a08186fa061eacc21264ede2d401746603ec8491bccff5044d0cecc6cad20cd38c2308b90a1da3ac8aba663fda9feb2ba864e375f2

Download Submit
C:\Windows\System32\zkiuTEU.exe
Filesize
1.4MB

MD5
0688f6831d6dcf633ad49a649814e436

SHA1
aa6581322bfb0b353baa728ff5e9e0b5d96d3058

SHA256
2a3d42034887c5c79d0888844894fe22315f9d8a12bcbda052f5d36add245adf

SHA512
282492ee285ec95609b863c8556a23e93a3a0e27729220745484d59e5dbca68028002819d23f86685ce3712dff4fc09494f8b3bbf6a34f9aa0ca219da4268658

Download Submit
memory/412-2016-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp

Filesize
3.9MB

Download
memory/412-1967-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp

Filesize
3.9MB

Download
memory/412-34-0x00007FF7C89D0000-0x00007FF7C8DC1000-memory.dmp

Filesize
3.9MB

Download
memory/804-1992-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp

Filesize
3.9MB

Download
memory/804-2014-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp

Filesize
3.9MB

Download
memory/804-27-0x00007FF7F9310000-0x00007FF7F9701000-memory.dmp

Filesize
3.9MB

Download
memory/1144-383-0x00007FF666880000-0x00007FF666C71000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2020-0x00007FF666880000-0x00007FF666C71000-memory.dmp

Filesize
3.9MB

Download
memory/1568-2028-0x00007FF654B60000-0x00007FF654F51000-memory.dmp

Filesize
3.9MB

Download
memory/1568-333-0x00007FF654B60000-0x00007FF654F51000-memory.dmp

Filesize
3.9MB

Download
memory/1656-2012-0x00007FF7FF920000-0x00007FF7FFD11000-memory.dmp

Filesize
3.9MB

Download
memory/1656-35-0x00007FF7FF920000-0x00007FF7FFD11000-memory.dmp

Filesize
3.9MB

Download
memory/1688-380-0x00007FF72A8D0000-0x00007FF72ACC1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2050-0x00007FF72A8D0000-0x00007FF72ACC1000-memory.dmp

Filesize
3.9MB

Download
memory/1780-345-0x00007FF7A7590000-0x00007FF7A7981000-memory.dmp

Filesize
3.9MB

Download
memory/1780-2032-0x00007FF7A7590000-0x00007FF7A7981000-memory.dmp

Filesize
3.9MB

Download
memory/2260-323-0x00007FF7C6110000-0x00007FF7C6501000-memory.dmp

Filesize
3.9MB

Download
memory/2260-2018-0x00007FF7C6110000-0x00007FF7C6501000-memory.dmp

Filesize
3.9MB

Download
memory/2288-378-0x00007FF664880000-0x00007FF664C71000-memory.dmp

Filesize
3.9MB

Download
memory/2288-2046-0x00007FF664880000-0x00007FF664C71000-memory.dmp

Filesize
3.9MB

Download
memory/2364-359-0x00007FF759CA0000-0x00007FF75A091000-memory.dmp

Filesize
3.9MB

Download
memory/2364-2038-0x00007FF759CA0000-0x00007FF75A091000-memory.dmp

Filesize
3.9MB

Download
memory/2420-2060-0x00007FF7AEF30000-0x00007FF7AF321000-memory.dmp

Filesize
3.9MB

Download
memory/2420-382-0x00007FF7AEF30000-0x00007FF7AF321000-memory.dmp

Filesize
3.9MB

Download
memory/2668-326-0x00007FF75BF70000-0x00007FF75C361000-memory.dmp

Filesize
3.9MB

Download
memory/2668-2024-0x00007FF75BF70000-0x00007FF75C361000-memory.dmp

Filesize
3.9MB

Download
memory/2804-2036-0x00007FF77FBD0000-0x00007FF77FFC1000-memory.dmp

Filesize
3.9MB

Download
memory/2804-376-0x00007FF77FBD0000-0x00007FF77FFC1000-memory.dmp

Filesize
3.9MB

Download
memory/3200-22-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp

Filesize
3.9MB

Download
memory/3200-2008-0x00007FF6F2E90000-0x00007FF6F3281000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2044-0x00007FF7371A0000-0x00007FF737591000-memory.dmp

Filesize
3.9MB

Download
memory/3456-365-0x00007FF7371A0000-0x00007FF737591000-memory.dmp

Filesize
3.9MB

Download
memory/3468-2010-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp

Filesize
3.9MB

Download
memory/3468-14-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp

Filesize
3.9MB

Download
memory/3468-1958-0x00007FF74EC30000-0x00007FF74F021000-memory.dmp

Filesize
3.9MB

Download
memory/3588-340-0x00007FF65F850000-0x00007FF65FC41000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2030-0x00007FF65F850000-0x00007FF65FC41000-memory.dmp

Filesize
3.9MB

Download
memory/4376-327-0x00007FF65D2E0000-0x00007FF65D6D1000-memory.dmp

Filesize
3.9MB

Download
memory/4376-2026-0x00007FF65D2E0000-0x00007FF65D6D1000-memory.dmp

Filesize
3.9MB

Download
memory/4408-381-0x00007FF6EA420000-0x00007FF6EA811000-memory.dmp

Filesize
3.9MB

Download
memory/4408-2052-0x00007FF6EA420000-0x00007FF6EA811000-memory.dmp

Filesize
3.9MB

Download
memory/4472-1-0x00000152A1AA0000-0x00000152A1AB0000-memory.dmp

Filesize
64KB

Download
memory/4472-1923-0x00007FF676850000-0x00007FF676C41000-memory.dmp

Filesize
3.9MB

Download
memory/4472-0-0x00007FF676850000-0x00007FF676C41000-memory.dmp

Filesize
3.9MB

Download
memory/4484-36-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-1993-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-2022-0x00007FF6DA8D0000-0x00007FF6DACC1000-memory.dmp

Filesize
3.9MB

Download
memory/4540-2034-0x00007FF7BC820000-0x00007FF7BCC11000-memory.dmp

Filesize
3.9MB

Download
memory/4540-379-0x00007FF7BC820000-0x00007FF7BCC11000-memory.dmp

Filesize
3.9MB

Download
memory/4552-377-0x00007FF65BA60000-0x00007FF65BE51000-memory.dmp

Filesize
3.9MB

Download
memory/4552-2048-0x00007FF65BA60000-0x00007FF65BE51000-memory.dmp

Filesize
3.9MB

Download
memory/4928-2040-0x00007FF6F7710000-0x00007FF6F7B01000-memory.dmp

Filesize
3.9MB

Download
memory/4928-355-0x00007FF6F7710000-0x00007FF6F7B01000-memory.dmp

Filesize
3.9MB

Download
memory/5012-2042-0x00007FF672E70000-0x00007FF673261000-memory.dmp

Filesize
3.9MB

Download
memory/5012-370-0x00007FF672E70000-0x00007FF673261000-memory.dmp

Filesize
3.9MB

Download