xmrig | 60c8928372fec60d5596e01d22e8a3aa3794017a1b0ccdd668bb31df7d9e3dff

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
Size

2.7MB
MD5

46d913ec74170f32c1c53b09ab1325f0
SHA1

64093199f0c06901f80660060b9ad809f74f5b31
SHA256

60c8928372fec60d5596e01d22e8a3aa3794017a1b0ccdd668bb31df7d9e3dff
SHA512

44d89d98d20cc4455e964038b416a97e39105da79565a87c3ea26644665eae3e934a0f576a72f99138a0e0e00a82d32e4952a03f1679bd3ec82c7f643410b1ce
SSDEEP

49152:N0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzcJ2k2oj6tPtCp:N0GnJMOWPClFdx6e0EALKWVTffZiPAcq

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3008-0-0x00007FF69BBC0000-0x00007FF69BFB5000-memory.dmp	xmrig
C:\Windows\System32\nsmdWCq.exe	xmrig
C:\Windows\System32\SbbwKlh.exe	xmrig
behavioral2/memory/5972-10-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp	xmrig
behavioral2/memory/3916-14-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp	xmrig
C:\Windows\System32\aYmvQMB.exe	xmrig
C:\Windows\System32\uBdkCDE.exe	xmrig
C:\Windows\System32\hOIoyHZ.exe	xmrig
C:\Windows\System32\tqxxEYb.exe	xmrig
C:\Windows\System32\DtRmzOJ.exe	xmrig
C:\Windows\System32\AmmNvFu.exe	xmrig
C:\Windows\System32\zYtKWpY.exe	xmrig
C:\Windows\System32\yCQMtsf.exe	xmrig
C:\Windows\System32\nQmPrGR.exe	xmrig
C:\Windows\System32\sIPdGTX.exe	xmrig
C:\Windows\System32\hFcRdLb.exe	xmrig
behavioral2/memory/4124-531-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp	xmrig
behavioral2/memory/3460-530-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp	xmrig
behavioral2/memory/4148-532-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp	xmrig
behavioral2/memory/3420-533-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp	xmrig
behavioral2/memory/1252-534-0x00007FF7B5320000-0x00007FF7B5715000-memory.dmp	xmrig
behavioral2/memory/2296-535-0x00007FF7511C0000-0x00007FF7515B5000-memory.dmp	xmrig
behavioral2/memory/372-536-0x00007FF60C9F0000-0x00007FF60CDE5000-memory.dmp	xmrig
behavioral2/memory/6052-537-0x00007FF7D5690000-0x00007FF7D5A85000-memory.dmp	xmrig
behavioral2/memory/5160-538-0x00007FF6079B0000-0x00007FF607DA5000-memory.dmp	xmrig
behavioral2/memory/3856-556-0x00007FF7F4500000-0x00007FF7F48F5000-memory.dmp	xmrig
behavioral2/memory/3124-560-0x00007FF692B20000-0x00007FF692F15000-memory.dmp	xmrig
behavioral2/memory/4216-563-0x00007FF66F390000-0x00007FF66F785000-memory.dmp	xmrig
behavioral2/memory/5140-567-0x00007FF7FFBC0000-0x00007FF7FFFB5000-memory.dmp	xmrig
behavioral2/memory/4384-575-0x00007FF71FE90000-0x00007FF720285000-memory.dmp	xmrig
behavioral2/memory/2252-584-0x00007FF7666D0000-0x00007FF766AC5000-memory.dmp	xmrig
behavioral2/memory/3288-589-0x00007FF77C750000-0x00007FF77CB45000-memory.dmp	xmrig
behavioral2/memory/1856-582-0x00007FF7448B0000-0x00007FF744CA5000-memory.dmp	xmrig
behavioral2/memory/832-569-0x00007FF76B910000-0x00007FF76BD05000-memory.dmp	xmrig
behavioral2/memory/5424-553-0x00007FF6D9480000-0x00007FF6D9875000-memory.dmp	xmrig
behavioral2/memory/2864-548-0x00007FF6CB580000-0x00007FF6CB975000-memory.dmp	xmrig
behavioral2/memory/3904-595-0x00007FF7A2820000-0x00007FF7A2C15000-memory.dmp	xmrig
behavioral2/memory/5068-597-0x00007FF7B9B80000-0x00007FF7B9F75000-memory.dmp	xmrig
C:\Windows\System32\DACiQwv.exe	xmrig
C:\Windows\System32\bupEsVP.exe	xmrig
C:\Windows\System32\KIsssYb.exe	xmrig
C:\Windows\System32\SeguJTd.exe	xmrig
C:\Windows\System32\WajtOzG.exe	xmrig
C:\Windows\System32\OpPxIlE.exe	xmrig
C:\Windows\System32\nVDGSMy.exe	xmrig
C:\Windows\System32\CzOAPSO.exe	xmrig
C:\Windows\System32\ZGvLBjO.exe	xmrig
C:\Windows\System32\Gocldkz.exe	xmrig
C:\Windows\System32\ZmyiThN.exe	xmrig
C:\Windows\System32\efULDWn.exe	xmrig
C:\Windows\System32\ZEYJGUS.exe	xmrig
C:\Windows\System32\xFRWJXl.exe	xmrig
C:\Windows\System32\gaQCHgd.exe	xmrig
C:\Windows\System32\HuceeKw.exe	xmrig
C:\Windows\System32\xebdUxi.exe	xmrig
C:\Windows\System32\wTzsuKj.exe	xmrig
C:\Windows\System32\IRPWwMO.exe	xmrig
C:\Windows\System32\LJRRlkJ.exe	xmrig
behavioral2/memory/3916-1945-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp	xmrig
behavioral2/memory/5972-1946-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp	xmrig
behavioral2/memory/3460-1947-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp	xmrig
behavioral2/memory/4124-1948-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp	xmrig
behavioral2/memory/4148-1949-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp	xmrig
behavioral2/memory/3420-1950-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

nsmdWCq.exeLJRRlkJ.exeSbbwKlh.exeaYmvQMB.exeuBdkCDE.exehOIoyHZ.exetqxxEYb.exeDtRmzOJ.exeIRPWwMO.exeAmmNvFu.exewTzsuKj.exexebdUxi.exeHuceeKw.exezYtKWpY.exeyCQMtsf.exegaQCHgd.exenQmPrGR.exexFRWJXl.exeZEYJGUS.exeefULDWn.exeZmyiThN.exeGocldkz.exeZGvLBjO.exesIPdGTX.exeCzOAPSO.exenVDGSMy.exeOpPxIlE.exeWajtOzG.exeSeguJTd.exeKIsssYb.exehFcRdLb.exebupEsVP.exeDACiQwv.exeVwXEcXA.exeWLOeJvV.exeWUFXZWK.exeERkcbZf.exevJopSmD.exemDTopqm.exepqsHuch.exekKbuFli.exeZsPImSX.exeookoubo.exeaJjbBrE.exeMXYDAdv.exenOYLtYB.exeBWEYvmE.exeWpnIgbX.exeCyqfTUz.exetltExFP.exehmJsQKK.exefCcbstO.exeOkCSCkC.exeHxAZHAr.exeKgfcRwQ.exegSgRKoK.exebrwTNYi.exeOQMaxUR.exezTgJIhq.exesEiHQjN.exeZUmKtIH.exeWivbaTK.exePMUEKiy.exejOZnOoj.exe

pid	process
5972	nsmdWCq.exe
3916	LJRRlkJ.exe
3460	SbbwKlh.exe
4124	aYmvQMB.exe
4148	uBdkCDE.exe
3420	hOIoyHZ.exe
1252	tqxxEYb.exe
2296	DtRmzOJ.exe
372	IRPWwMO.exe
6052	AmmNvFu.exe
5160	wTzsuKj.exe
2864	xebdUxi.exe
5424	HuceeKw.exe
3856	zYtKWpY.exe
3124	yCQMtsf.exe
4216	gaQCHgd.exe
5140	nQmPrGR.exe
832	xFRWJXl.exe
4384	ZEYJGUS.exe
1856	efULDWn.exe
2252	ZmyiThN.exe
3288	Gocldkz.exe
3904	ZGvLBjO.exe
5068	sIPdGTX.exe
5616	CzOAPSO.exe
3912	nVDGSMy.exe
2472	OpPxIlE.exe
5596	WajtOzG.exe
3720	SeguJTd.exe
1472	KIsssYb.exe
4892	hFcRdLb.exe
4368	bupEsVP.exe
4208	DACiQwv.exe
5236	VwXEcXA.exe
5700	WLOeJvV.exe
1888	WUFXZWK.exe
2668	ERkcbZf.exe
2740	vJopSmD.exe
4880	mDTopqm.exe
1600	pqsHuch.exe
2084	kKbuFli.exe
2448	ZsPImSX.exe
4332	ookoubo.exe
2384	aJjbBrE.exe
6008	MXYDAdv.exe
1708	nOYLtYB.exe
4788	BWEYvmE.exe
6136	WpnIgbX.exe
5640	CyqfTUz.exe
4336	tltExFP.exe
2548	hmJsQKK.exe
5472	fCcbstO.exe
2984	OkCSCkC.exe
4952	HxAZHAr.exe
4180	KgfcRwQ.exe
1444	gSgRKoK.exe
2224	brwTNYi.exe
1904	OQMaxUR.exe
5192	zTgJIhq.exe
6048	sEiHQjN.exe
5736	ZUmKtIH.exe
5692	WivbaTK.exe
5848	PMUEKiy.exe
5744	jOZnOoj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3008-0-0x00007FF69BBC0000-0x00007FF69BFB5000-memory.dmp	upx
C:\Windows\System32\nsmdWCq.exe	upx
C:\Windows\System32\SbbwKlh.exe	upx
behavioral2/memory/5972-10-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp	upx
behavioral2/memory/3916-14-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp	upx
C:\Windows\System32\aYmvQMB.exe	upx
C:\Windows\System32\uBdkCDE.exe	upx
C:\Windows\System32\hOIoyHZ.exe	upx
C:\Windows\System32\tqxxEYb.exe	upx
C:\Windows\System32\DtRmzOJ.exe	upx
C:\Windows\System32\AmmNvFu.exe	upx
C:\Windows\System32\zYtKWpY.exe	upx
C:\Windows\System32\yCQMtsf.exe	upx
C:\Windows\System32\nQmPrGR.exe	upx
C:\Windows\System32\sIPdGTX.exe	upx
C:\Windows\System32\hFcRdLb.exe	upx
behavioral2/memory/4124-531-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp	upx
behavioral2/memory/3460-530-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp	upx
behavioral2/memory/4148-532-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp	upx
behavioral2/memory/3420-533-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp	upx
behavioral2/memory/1252-534-0x00007FF7B5320000-0x00007FF7B5715000-memory.dmp	upx
behavioral2/memory/2296-535-0x00007FF7511C0000-0x00007FF7515B5000-memory.dmp	upx
behavioral2/memory/372-536-0x00007FF60C9F0000-0x00007FF60CDE5000-memory.dmp	upx
behavioral2/memory/6052-537-0x00007FF7D5690000-0x00007FF7D5A85000-memory.dmp	upx
behavioral2/memory/5160-538-0x00007FF6079B0000-0x00007FF607DA5000-memory.dmp	upx
behavioral2/memory/3856-556-0x00007FF7F4500000-0x00007FF7F48F5000-memory.dmp	upx
behavioral2/memory/3124-560-0x00007FF692B20000-0x00007FF692F15000-memory.dmp	upx
behavioral2/memory/4216-563-0x00007FF66F390000-0x00007FF66F785000-memory.dmp	upx
behavioral2/memory/5140-567-0x00007FF7FFBC0000-0x00007FF7FFFB5000-memory.dmp	upx
behavioral2/memory/4384-575-0x00007FF71FE90000-0x00007FF720285000-memory.dmp	upx
behavioral2/memory/2252-584-0x00007FF7666D0000-0x00007FF766AC5000-memory.dmp	upx
behavioral2/memory/3288-589-0x00007FF77C750000-0x00007FF77CB45000-memory.dmp	upx
behavioral2/memory/1856-582-0x00007FF7448B0000-0x00007FF744CA5000-memory.dmp	upx
behavioral2/memory/832-569-0x00007FF76B910000-0x00007FF76BD05000-memory.dmp	upx
behavioral2/memory/5424-553-0x00007FF6D9480000-0x00007FF6D9875000-memory.dmp	upx
behavioral2/memory/2864-548-0x00007FF6CB580000-0x00007FF6CB975000-memory.dmp	upx
behavioral2/memory/3904-595-0x00007FF7A2820000-0x00007FF7A2C15000-memory.dmp	upx
behavioral2/memory/5068-597-0x00007FF7B9B80000-0x00007FF7B9F75000-memory.dmp	upx
C:\Windows\System32\DACiQwv.exe	upx
C:\Windows\System32\bupEsVP.exe	upx
C:\Windows\System32\KIsssYb.exe	upx
C:\Windows\System32\SeguJTd.exe	upx
C:\Windows\System32\WajtOzG.exe	upx
C:\Windows\System32\OpPxIlE.exe	upx
C:\Windows\System32\nVDGSMy.exe	upx
C:\Windows\System32\CzOAPSO.exe	upx
C:\Windows\System32\ZGvLBjO.exe	upx
C:\Windows\System32\Gocldkz.exe	upx
C:\Windows\System32\ZmyiThN.exe	upx
C:\Windows\System32\efULDWn.exe	upx
C:\Windows\System32\ZEYJGUS.exe	upx
C:\Windows\System32\xFRWJXl.exe	upx
C:\Windows\System32\gaQCHgd.exe	upx
C:\Windows\System32\HuceeKw.exe	upx
C:\Windows\System32\xebdUxi.exe	upx
C:\Windows\System32\wTzsuKj.exe	upx
C:\Windows\System32\IRPWwMO.exe	upx
C:\Windows\System32\LJRRlkJ.exe	upx
behavioral2/memory/3916-1945-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp	upx
behavioral2/memory/5972-1946-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp	upx
behavioral2/memory/3460-1947-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp	upx
behavioral2/memory/4124-1948-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp	upx
behavioral2/memory/4148-1949-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp	upx
behavioral2/memory/3420-1950-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System32\PFgNkHp.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\yJYECMY.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\pnCajft.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\EXInypX.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\LozCaYi.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\pqguhIU.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\vNWPIuk.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\pakilUr.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\CDLMZQA.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\HpxTYTS.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\wnKWdSf.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\rhJLpem.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KPRGKeS.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\TVtXyAs.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\eidsegl.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sDmHkMA.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\sPHmwQE.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\PqVeJID.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\MYVOqsz.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\JBoqGsr.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\iMWyIJE.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\MDvXrjR.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\qRBgLRX.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\IBkLiYf.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cORUOFD.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xvWDIAg.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZNLifAs.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cRKdPYh.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\iBgepZt.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\gaQCHgd.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\aJjbBrE.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\DBRqBjo.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\VjVpdCP.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\bQwjCom.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\IOsaScy.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\QcxqAJu.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\bQzLDJY.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\dqdBXRB.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\GwqcEAO.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\HegGSGn.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\cNoaXxi.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\IJdlSrl.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\tupFxAM.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\XCVDuSZ.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\RNBdziA.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\WaGnmcN.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\uFqPxwZ.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\VxxnrQL.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZaYacXI.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\pBbeKxD.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BfqxRBu.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\NsfWtAn.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\xChMLEU.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\mbMUxRd.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\ytxzpAx.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BkzbYGI.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\fqFUWEi.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\gbZevjR.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\iNmKxGT.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\OMzdgDC.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\KdDiQyU.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\btBUlEL.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\nDSqYwO.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
File created	C:\Windows\System32\BcfLEiK.exe	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	9372	dwm.exe
Token: SeChangeNotifyPrivilege	9372	dwm.exe
Token: 33	9372	dwm.exe
Token: SeIncBasePriorityPrivilege	9372	dwm.exe
Token: SeShutdownPrivilege	9372	dwm.exe
Token: SeCreatePagefilePrivilege	9372	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe

description	pid	process	target process
PID 3008 wrote to memory of 5972	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nsmdWCq.exe
PID 3008 wrote to memory of 5972	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nsmdWCq.exe
PID 3008 wrote to memory of 3916	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	LJRRlkJ.exe
PID 3008 wrote to memory of 3916	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	LJRRlkJ.exe
PID 3008 wrote to memory of 3460	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	SbbwKlh.exe
PID 3008 wrote to memory of 3460	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	SbbwKlh.exe
PID 3008 wrote to memory of 4124	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	aYmvQMB.exe
PID 3008 wrote to memory of 4124	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	aYmvQMB.exe
PID 3008 wrote to memory of 4148	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	uBdkCDE.exe
PID 3008 wrote to memory of 4148	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	uBdkCDE.exe
PID 3008 wrote to memory of 3420	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	hOIoyHZ.exe
PID 3008 wrote to memory of 3420	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	hOIoyHZ.exe
PID 3008 wrote to memory of 1252	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	tqxxEYb.exe
PID 3008 wrote to memory of 1252	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	tqxxEYb.exe
PID 3008 wrote to memory of 2296	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	DtRmzOJ.exe
PID 3008 wrote to memory of 2296	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	DtRmzOJ.exe
PID 3008 wrote to memory of 372	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	IRPWwMO.exe
PID 3008 wrote to memory of 372	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	IRPWwMO.exe
PID 3008 wrote to memory of 6052	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	AmmNvFu.exe
PID 3008 wrote to memory of 6052	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	AmmNvFu.exe
PID 3008 wrote to memory of 5160	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	wTzsuKj.exe
PID 3008 wrote to memory of 5160	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	wTzsuKj.exe
PID 3008 wrote to memory of 2864	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	xebdUxi.exe
PID 3008 wrote to memory of 2864	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	xebdUxi.exe
PID 3008 wrote to memory of 5424	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	HuceeKw.exe
PID 3008 wrote to memory of 5424	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	HuceeKw.exe
PID 3008 wrote to memory of 3856	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	zYtKWpY.exe
PID 3008 wrote to memory of 3856	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	zYtKWpY.exe
PID 3008 wrote to memory of 3124	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	yCQMtsf.exe
PID 3008 wrote to memory of 3124	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	yCQMtsf.exe
PID 3008 wrote to memory of 4216	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	gaQCHgd.exe
PID 3008 wrote to memory of 4216	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	gaQCHgd.exe
PID 3008 wrote to memory of 5140	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nQmPrGR.exe
PID 3008 wrote to memory of 5140	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nQmPrGR.exe
PID 3008 wrote to memory of 832	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	xFRWJXl.exe
PID 3008 wrote to memory of 832	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	xFRWJXl.exe
PID 3008 wrote to memory of 4384	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZEYJGUS.exe
PID 3008 wrote to memory of 4384	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZEYJGUS.exe
PID 3008 wrote to memory of 1856	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	efULDWn.exe
PID 3008 wrote to memory of 1856	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	efULDWn.exe
PID 3008 wrote to memory of 2252	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZmyiThN.exe
PID 3008 wrote to memory of 2252	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZmyiThN.exe
PID 3008 wrote to memory of 3288	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	Gocldkz.exe
PID 3008 wrote to memory of 3288	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	Gocldkz.exe
PID 3008 wrote to memory of 3904	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZGvLBjO.exe
PID 3008 wrote to memory of 3904	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	ZGvLBjO.exe
PID 3008 wrote to memory of 5068	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	sIPdGTX.exe
PID 3008 wrote to memory of 5068	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	sIPdGTX.exe
PID 3008 wrote to memory of 5616	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	CzOAPSO.exe
PID 3008 wrote to memory of 5616	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	CzOAPSO.exe
PID 3008 wrote to memory of 3912	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nVDGSMy.exe
PID 3008 wrote to memory of 3912	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	nVDGSMy.exe
PID 3008 wrote to memory of 2472	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	OpPxIlE.exe
PID 3008 wrote to memory of 2472	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	OpPxIlE.exe
PID 3008 wrote to memory of 5596	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	WajtOzG.exe
PID 3008 wrote to memory of 5596	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	WajtOzG.exe
PID 3008 wrote to memory of 3720	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	SeguJTd.exe
PID 3008 wrote to memory of 3720	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	SeguJTd.exe
PID 3008 wrote to memory of 1472	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	KIsssYb.exe
PID 3008 wrote to memory of 1472	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	KIsssYb.exe
PID 3008 wrote to memory of 4892	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	hFcRdLb.exe
PID 3008 wrote to memory of 4892	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	hFcRdLb.exe
PID 3008 wrote to memory of 4368	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	bupEsVP.exe
PID 3008 wrote to memory of 4368	3008	46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe	bupEsVP.exe

C:\Users\Admin\AppData\Local\Temp\46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46d913ec74170f32c1c53b09ab1325f0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\nsmdWCq.exe
  C:\Windows\System32\nsmdWCq.exe
  2⤵
  - Executes dropped EXE
  PID:5972
- C:\Windows\System32\LJRRlkJ.exe
  C:\Windows\System32\LJRRlkJ.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\SbbwKlh.exe
  C:\Windows\System32\SbbwKlh.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\aYmvQMB.exe
  C:\Windows\System32\aYmvQMB.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\uBdkCDE.exe
  C:\Windows\System32\uBdkCDE.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System32\hOIoyHZ.exe
  C:\Windows\System32\hOIoyHZ.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\tqxxEYb.exe
  C:\Windows\System32\tqxxEYb.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\DtRmzOJ.exe
  C:\Windows\System32\DtRmzOJ.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\IRPWwMO.exe
  C:\Windows\System32\IRPWwMO.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System32\AmmNvFu.exe
  C:\Windows\System32\AmmNvFu.exe
  2⤵
  - Executes dropped EXE
  PID:6052
- C:\Windows\System32\wTzsuKj.exe
  C:\Windows\System32\wTzsuKj.exe
  2⤵
  - Executes dropped EXE
  PID:5160
- C:\Windows\System32\xebdUxi.exe
  C:\Windows\System32\xebdUxi.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System32\HuceeKw.exe
  C:\Windows\System32\HuceeKw.exe
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Windows\System32\zYtKWpY.exe
  C:\Windows\System32\zYtKWpY.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System32\yCQMtsf.exe
  C:\Windows\System32\yCQMtsf.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\gaQCHgd.exe
  C:\Windows\System32\gaQCHgd.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\nQmPrGR.exe
  C:\Windows\System32\nQmPrGR.exe
  2⤵
  - Executes dropped EXE
  PID:5140
- C:\Windows\System32\xFRWJXl.exe
  C:\Windows\System32\xFRWJXl.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\ZEYJGUS.exe
  C:\Windows\System32\ZEYJGUS.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\efULDWn.exe
  C:\Windows\System32\efULDWn.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\ZmyiThN.exe
  C:\Windows\System32\ZmyiThN.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\Gocldkz.exe
  C:\Windows\System32\Gocldkz.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System32\ZGvLBjO.exe
  C:\Windows\System32\ZGvLBjO.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System32\sIPdGTX.exe
  C:\Windows\System32\sIPdGTX.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\CzOAPSO.exe
  C:\Windows\System32\CzOAPSO.exe
  2⤵
  - Executes dropped EXE
  PID:5616
- C:\Windows\System32\nVDGSMy.exe
  C:\Windows\System32\nVDGSMy.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System32\OpPxIlE.exe
  C:\Windows\System32\OpPxIlE.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\WajtOzG.exe
  C:\Windows\System32\WajtOzG.exe
  2⤵
  - Executes dropped EXE
  PID:5596
- C:\Windows\System32\SeguJTd.exe
  C:\Windows\System32\SeguJTd.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System32\KIsssYb.exe
  C:\Windows\System32\KIsssYb.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\hFcRdLb.exe
  C:\Windows\System32\hFcRdLb.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\bupEsVP.exe
  C:\Windows\System32\bupEsVP.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\DACiQwv.exe
  C:\Windows\System32\DACiQwv.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\VwXEcXA.exe
  C:\Windows\System32\VwXEcXA.exe
  2⤵
  - Executes dropped EXE
  PID:5236
- C:\Windows\System32\WLOeJvV.exe
  C:\Windows\System32\WLOeJvV.exe
  2⤵
  - Executes dropped EXE
  PID:5700
- C:\Windows\System32\WUFXZWK.exe
  C:\Windows\System32\WUFXZWK.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\ERkcbZf.exe
  C:\Windows\System32\ERkcbZf.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\vJopSmD.exe
  C:\Windows\System32\vJopSmD.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\mDTopqm.exe
  C:\Windows\System32\mDTopqm.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\pqsHuch.exe
  C:\Windows\System32\pqsHuch.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System32\kKbuFli.exe
  C:\Windows\System32\kKbuFli.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\ZsPImSX.exe
  C:\Windows\System32\ZsPImSX.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\ookoubo.exe
  C:\Windows\System32\ookoubo.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\aJjbBrE.exe
  C:\Windows\System32\aJjbBrE.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\MXYDAdv.exe
  C:\Windows\System32\MXYDAdv.exe
  2⤵
  - Executes dropped EXE
  PID:6008
- C:\Windows\System32\nOYLtYB.exe
  C:\Windows\System32\nOYLtYB.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\BWEYvmE.exe
  C:\Windows\System32\BWEYvmE.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\WpnIgbX.exe
  C:\Windows\System32\WpnIgbX.exe
  2⤵
  - Executes dropped EXE
  PID:6136
- C:\Windows\System32\CyqfTUz.exe
  C:\Windows\System32\CyqfTUz.exe
  2⤵
  - Executes dropped EXE
  PID:5640
- C:\Windows\System32\tltExFP.exe
  C:\Windows\System32\tltExFP.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\hmJsQKK.exe
  C:\Windows\System32\hmJsQKK.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\fCcbstO.exe
  C:\Windows\System32\fCcbstO.exe
  2⤵
  - Executes dropped EXE
  PID:5472
- C:\Windows\System32\OkCSCkC.exe
  C:\Windows\System32\OkCSCkC.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\HxAZHAr.exe
  C:\Windows\System32\HxAZHAr.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\KgfcRwQ.exe
  C:\Windows\System32\KgfcRwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System32\gSgRKoK.exe
  C:\Windows\System32\gSgRKoK.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\brwTNYi.exe
  C:\Windows\System32\brwTNYi.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System32\OQMaxUR.exe
  C:\Windows\System32\OQMaxUR.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\zTgJIhq.exe
  C:\Windows\System32\zTgJIhq.exe
  2⤵
  - Executes dropped EXE
  PID:5192
- C:\Windows\System32\sEiHQjN.exe
  C:\Windows\System32\sEiHQjN.exe
  2⤵
  - Executes dropped EXE
  PID:6048
- C:\Windows\System32\ZUmKtIH.exe
  C:\Windows\System32\ZUmKtIH.exe
  2⤵
  - Executes dropped EXE
  PID:5736
- C:\Windows\System32\WivbaTK.exe
  C:\Windows\System32\WivbaTK.exe
  2⤵
  - Executes dropped EXE
  PID:5692
- C:\Windows\System32\PMUEKiy.exe
  C:\Windows\System32\PMUEKiy.exe
  2⤵
  - Executes dropped EXE
  PID:5848
- C:\Windows\System32\jOZnOoj.exe
  C:\Windows\System32\jOZnOoj.exe
  2⤵
  - Executes dropped EXE
  PID:5744
- C:\Windows\System32\ntvCXNf.exe
  C:\Windows\System32\ntvCXNf.exe
  2⤵
  PID:1284
- C:\Windows\System32\qWRybhm.exe
  C:\Windows\System32\qWRybhm.exe
  2⤵
  PID:2780
- C:\Windows\System32\kadlfvE.exe
  C:\Windows\System32\kadlfvE.exe
  2⤵
  PID:1688
- C:\Windows\System32\SKxWEKy.exe
  C:\Windows\System32\SKxWEKy.exe
  2⤵
  PID:1092
- C:\Windows\System32\MKuOcNA.exe
  C:\Windows\System32\MKuOcNA.exe
  2⤵
  PID:1584
- C:\Windows\System32\ASFNfUh.exe
  C:\Windows\System32\ASFNfUh.exe
  2⤵
  PID:3424
- C:\Windows\System32\CMvqvVJ.exe
  C:\Windows\System32\CMvqvVJ.exe
  2⤵
  PID:2648
- C:\Windows\System32\OnWVqTW.exe
  C:\Windows\System32\OnWVqTW.exe
  2⤵
  PID:1384
- C:\Windows\System32\nLoOpFj.exe
  C:\Windows\System32\nLoOpFj.exe
  2⤵
  PID:2952
- C:\Windows\System32\mOeFnHR.exe
  C:\Windows\System32\mOeFnHR.exe
  2⤵
  PID:1860
- C:\Windows\System32\FjlGJKu.exe
  C:\Windows\System32\FjlGJKu.exe
  2⤵
  PID:4864
- C:\Windows\System32\olkgqDG.exe
  C:\Windows\System32\olkgqDG.exe
  2⤵
  PID:2632
- C:\Windows\System32\vmswWGc.exe
  C:\Windows\System32\vmswWGc.exe
  2⤵
  PID:1900
- C:\Windows\System32\IyNsSss.exe
  C:\Windows\System32\IyNsSss.exe
  2⤵
  PID:3972
- C:\Windows\System32\hezpSNw.exe
  C:\Windows\System32\hezpSNw.exe
  2⤵
  PID:4908
- C:\Windows\System32\PjbvKtZ.exe
  C:\Windows\System32\PjbvKtZ.exe
  2⤵
  PID:5004
- C:\Windows\System32\icuVfwb.exe
  C:\Windows\System32\icuVfwb.exe
  2⤵
  PID:1072
- C:\Windows\System32\GqOscMS.exe
  C:\Windows\System32\GqOscMS.exe
  2⤵
  PID:528
- C:\Windows\System32\EdlBvlW.exe
  C:\Windows\System32\EdlBvlW.exe
  2⤵
  PID:912
- C:\Windows\System32\kSzwolX.exe
  C:\Windows\System32\kSzwolX.exe
  2⤵
  PID:2824
- C:\Windows\System32\FiPgCzc.exe
  C:\Windows\System32\FiPgCzc.exe
  2⤵
  PID:4724
- C:\Windows\System32\AnESVQF.exe
  C:\Windows\System32\AnESVQF.exe
  2⤵
  PID:2828
- C:\Windows\System32\sIVRsAr.exe
  C:\Windows\System32\sIVRsAr.exe
  2⤵
  PID:5248
- C:\Windows\System32\xChMLEU.exe
  C:\Windows\System32\xChMLEU.exe
  2⤵
  PID:2876
- C:\Windows\System32\OMzdgDC.exe
  C:\Windows\System32\OMzdgDC.exe
  2⤵
  PID:5388
- C:\Windows\System32\hBlYgfW.exe
  C:\Windows\System32\hBlYgfW.exe
  2⤵
  PID:3188
- C:\Windows\System32\vNSxhOc.exe
  C:\Windows\System32\vNSxhOc.exe
  2⤵
  PID:5084
- C:\Windows\System32\KiceYSd.exe
  C:\Windows\System32\KiceYSd.exe
  2⤵
  PID:4912
- C:\Windows\System32\oCyMWrl.exe
  C:\Windows\System32\oCyMWrl.exe
  2⤵
  PID:688
- C:\Windows\System32\BWfIETt.exe
  C:\Windows\System32\BWfIETt.exe
  2⤵
  PID:376
- C:\Windows\System32\hBiPkLg.exe
  C:\Windows\System32\hBiPkLg.exe
  2⤵
  PID:4824
- C:\Windows\System32\IxbprxR.exe
  C:\Windows\System32\IxbprxR.exe
  2⤵
  PID:4624
- C:\Windows\System32\dRXGYQU.exe
  C:\Windows\System32\dRXGYQU.exe
  2⤵
  PID:4100
- C:\Windows\System32\UyoIaqH.exe
  C:\Windows\System32\UyoIaqH.exe
  2⤵
  PID:4928
- C:\Windows\System32\AcULPjJ.exe
  C:\Windows\System32\AcULPjJ.exe
  2⤵
  PID:3876
- C:\Windows\System32\daOwUNv.exe
  C:\Windows\System32\daOwUNv.exe
  2⤵
  PID:4904
- C:\Windows\System32\EZIEQwL.exe
  C:\Windows\System32\EZIEQwL.exe
  2⤵
  PID:5544
- C:\Windows\System32\YdckDRU.exe
  C:\Windows\System32\YdckDRU.exe
  2⤵
  PID:4572
- C:\Windows\System32\sDGpSST.exe
  C:\Windows\System32\sDGpSST.exe
  2⤵
  PID:2564
- C:\Windows\System32\DBRqBjo.exe
  C:\Windows\System32\DBRqBjo.exe
  2⤵
  PID:5644
- C:\Windows\System32\bSwvvBO.exe
  C:\Windows\System32\bSwvvBO.exe
  2⤵
  PID:1484
- C:\Windows\System32\FTCalgC.exe
  C:\Windows\System32\FTCalgC.exe
  2⤵
  PID:4936
- C:\Windows\System32\TLszEDK.exe
  C:\Windows\System32\TLszEDK.exe
  2⤵
  PID:1632
- C:\Windows\System32\dXRDZVf.exe
  C:\Windows\System32\dXRDZVf.exe
  2⤵
  PID:4088
- C:\Windows\System32\fgRAwjo.exe
  C:\Windows\System32\fgRAwjo.exe
  2⤵
  PID:2592
- C:\Windows\System32\UnMKWSL.exe
  C:\Windows\System32\UnMKWSL.exe
  2⤵
  PID:5260
- C:\Windows\System32\zXeYbZJ.exe
  C:\Windows\System32\zXeYbZJ.exe
  2⤵
  PID:6092
- C:\Windows\System32\bwQPFEe.exe
  C:\Windows\System32\bwQPFEe.exe
  2⤵
  PID:4484
- C:\Windows\System32\giewHoV.exe
  C:\Windows\System32\giewHoV.exe
  2⤵
  PID:724
- C:\Windows\System32\bfaCVQd.exe
  C:\Windows\System32\bfaCVQd.exe
  2⤵
  PID:5768
- C:\Windows\System32\oZaERAH.exe
  C:\Windows\System32\oZaERAH.exe
  2⤵
  PID:2680
- C:\Windows\System32\rtePkOS.exe
  C:\Windows\System32\rtePkOS.exe
  2⤵
  PID:2900
- C:\Windows\System32\nnyCvKc.exe
  C:\Windows\System32\nnyCvKc.exe
  2⤵
  PID:4848
- C:\Windows\System32\PUcNTmt.exe
  C:\Windows\System32\PUcNTmt.exe
  2⤵
  PID:4964
- C:\Windows\System32\VwJKyMv.exe
  C:\Windows\System32\VwJKyMv.exe
  2⤵
  PID:3152
- C:\Windows\System32\ENWcnLY.exe
  C:\Windows\System32\ENWcnLY.exe
  2⤵
  PID:220
- C:\Windows\System32\cbqZvtw.exe
  C:\Windows\System32\cbqZvtw.exe
  2⤵
  PID:2808
- C:\Windows\System32\ZQRxaPQ.exe
  C:\Windows\System32\ZQRxaPQ.exe
  2⤵
  PID:4308
- C:\Windows\System32\JnyacHR.exe
  C:\Windows\System32\JnyacHR.exe
  2⤵
  PID:3580
- C:\Windows\System32\NSMNfhe.exe
  C:\Windows\System32\NSMNfhe.exe
  2⤵
  PID:4228
- C:\Windows\System32\nRnoyLc.exe
  C:\Windows\System32\nRnoyLc.exe
  2⤵
  PID:4076
- C:\Windows\System32\prbwjdO.exe
  C:\Windows\System32\prbwjdO.exe
  2⤵
  PID:4536
- C:\Windows\System32\dYZhEof.exe
  C:\Windows\System32\dYZhEof.exe
  2⤵
  PID:5556
- C:\Windows\System32\KJxuPNZ.exe
  C:\Windows\System32\KJxuPNZ.exe
  2⤵
  PID:3852
- C:\Windows\System32\TTPZIuE.exe
  C:\Windows\System32\TTPZIuE.exe
  2⤵
  PID:5568
- C:\Windows\System32\IiCapqS.exe
  C:\Windows\System32\IiCapqS.exe
  2⤵
  PID:1372
- C:\Windows\System32\uNHBmWY.exe
  C:\Windows\System32\uNHBmWY.exe
  2⤵
  PID:1236
- C:\Windows\System32\jcdqDPA.exe
  C:\Windows\System32\jcdqDPA.exe
  2⤵
  PID:5852
- C:\Windows\System32\RSIskFD.exe
  C:\Windows\System32\RSIskFD.exe
  2⤵
  PID:6016
- C:\Windows\System32\HiVbQEa.exe
  C:\Windows\System32\HiVbQEa.exe
  2⤵
  PID:1868
- C:\Windows\System32\pLfQlgk.exe
  C:\Windows\System32\pLfQlgk.exe
  2⤵
  PID:6056
- C:\Windows\System32\TkTEugy.exe
  C:\Windows\System32\TkTEugy.exe
  2⤵
  PID:3512
- C:\Windows\System32\MsHkMxF.exe
  C:\Windows\System32\MsHkMxF.exe
  2⤵
  PID:4264
- C:\Windows\System32\LQngoVC.exe
  C:\Windows\System32\LQngoVC.exe
  2⤵
  PID:5724
- C:\Windows\System32\xByTKXs.exe
  C:\Windows\System32\xByTKXs.exe
  2⤵
  PID:1392
- C:\Windows\System32\pWzAAQD.exe
  C:\Windows\System32\pWzAAQD.exe
  2⤵
  PID:3372
- C:\Windows\System32\ddVVTnT.exe
  C:\Windows\System32\ddVVTnT.exe
  2⤵
  PID:5652
- C:\Windows\System32\ySTNttM.exe
  C:\Windows\System32\ySTNttM.exe
  2⤵
  PID:2464
- C:\Windows\System32\mbMUxRd.exe
  C:\Windows\System32\mbMUxRd.exe
  2⤵
  PID:4476
- C:\Windows\System32\pRacCHz.exe
  C:\Windows\System32\pRacCHz.exe
  2⤵
  PID:752
- C:\Windows\System32\PxVkDQh.exe
  C:\Windows\System32\PxVkDQh.exe
  2⤵
  PID:4900
- C:\Windows\System32\jRoxIud.exe
  C:\Windows\System32\jRoxIud.exe
  2⤵
  PID:4320
- C:\Windows\System32\vNKVRRM.exe
  C:\Windows\System32\vNKVRRM.exe
  2⤵
  PID:1388
- C:\Windows\System32\AFADUIj.exe
  C:\Windows\System32\AFADUIj.exe
  2⤵
  PID:1032
- C:\Windows\System32\UIVtGJZ.exe
  C:\Windows\System32\UIVtGJZ.exe
  2⤵
  PID:1012
- C:\Windows\System32\EufxAbr.exe
  C:\Windows\System32\EufxAbr.exe
  2⤵
  PID:6164
- C:\Windows\System32\kPgcCsj.exe
  C:\Windows\System32\kPgcCsj.exe
  2⤵
  PID:6192
- C:\Windows\System32\hnfckqr.exe
  C:\Windows\System32\hnfckqr.exe
  2⤵
  PID:6220
- C:\Windows\System32\cuFMfMp.exe
  C:\Windows\System32\cuFMfMp.exe
  2⤵
  PID:6248
- C:\Windows\System32\OIElTGw.exe
  C:\Windows\System32\OIElTGw.exe
  2⤵
  PID:6276
- C:\Windows\System32\GwqcEAO.exe
  C:\Windows\System32\GwqcEAO.exe
  2⤵
  PID:6304
- C:\Windows\System32\QiysZoI.exe
  C:\Windows\System32\QiysZoI.exe
  2⤵
  PID:6400
- C:\Windows\System32\hAPDkED.exe
  C:\Windows\System32\hAPDkED.exe
  2⤵
  PID:6432
- C:\Windows\System32\QusmSVH.exe
  C:\Windows\System32\QusmSVH.exe
  2⤵
  PID:6464
- C:\Windows\System32\pBSSTvS.exe
  C:\Windows\System32\pBSSTvS.exe
  2⤵
  PID:6484
- C:\Windows\System32\EOSGTWy.exe
  C:\Windows\System32\EOSGTWy.exe
  2⤵
  PID:6500
- C:\Windows\System32\czeXged.exe
  C:\Windows\System32\czeXged.exe
  2⤵
  PID:6528
- C:\Windows\System32\xvYAhOj.exe
  C:\Windows\System32\xvYAhOj.exe
  2⤵
  PID:6604
- C:\Windows\System32\psGoawz.exe
  C:\Windows\System32\psGoawz.exe
  2⤵
  PID:6640
- C:\Windows\System32\VhCPrjw.exe
  C:\Windows\System32\VhCPrjw.exe
  2⤵
  PID:6660
- C:\Windows\System32\mETHTos.exe
  C:\Windows\System32\mETHTos.exe
  2⤵
  PID:6676
- C:\Windows\System32\VpvVvlA.exe
  C:\Windows\System32\VpvVvlA.exe
  2⤵
  PID:6712
- C:\Windows\System32\HkYAaUT.exe
  C:\Windows\System32\HkYAaUT.exe
  2⤵
  PID:6728
- C:\Windows\System32\QYeUOLE.exe
  C:\Windows\System32\QYeUOLE.exe
  2⤵
  PID:6756
- C:\Windows\System32\MuYlUYx.exe
  C:\Windows\System32\MuYlUYx.exe
  2⤵
  PID:6784
- C:\Windows\System32\rhJLpem.exe
  C:\Windows\System32\rhJLpem.exe
  2⤵
  PID:6864
- C:\Windows\System32\IZAeDkn.exe
  C:\Windows\System32\IZAeDkn.exe
  2⤵
  PID:6912
- C:\Windows\System32\qdJIoxW.exe
  C:\Windows\System32\qdJIoxW.exe
  2⤵
  PID:6928
- C:\Windows\System32\BcFiJOU.exe
  C:\Windows\System32\BcFiJOU.exe
  2⤵
  PID:6952
- C:\Windows\System32\rorbind.exe
  C:\Windows\System32\rorbind.exe
  2⤵
  PID:7000
- C:\Windows\System32\SEimKKO.exe
  C:\Windows\System32\SEimKKO.exe
  2⤵
  PID:7016
- C:\Windows\System32\HyFmkGc.exe
  C:\Windows\System32\HyFmkGc.exe
  2⤵
  PID:7032
- C:\Windows\System32\zrzGmSQ.exe
  C:\Windows\System32\zrzGmSQ.exe
  2⤵
  PID:7048
- C:\Windows\System32\fAjrdgN.exe
  C:\Windows\System32\fAjrdgN.exe
  2⤵
  PID:7076
- C:\Windows\System32\tWLHgzS.exe
  C:\Windows\System32\tWLHgzS.exe
  2⤵
  PID:7128
- C:\Windows\System32\FNGEzqm.exe
  C:\Windows\System32\FNGEzqm.exe
  2⤵
  PID:7156
- C:\Windows\System32\XBtpKRw.exe
  C:\Windows\System32\XBtpKRw.exe
  2⤵
  PID:2852
- C:\Windows\System32\KPRGKeS.exe
  C:\Windows\System32\KPRGKeS.exe
  2⤵
  PID:2180
- C:\Windows\System32\uFqPxwZ.exe
  C:\Windows\System32\uFqPxwZ.exe
  2⤵
  PID:6264
- C:\Windows\System32\orortXM.exe
  C:\Windows\System32\orortXM.exe
  2⤵
  PID:6292
- C:\Windows\System32\eTtlwkl.exe
  C:\Windows\System32\eTtlwkl.exe
  2⤵
  PID:6312
- C:\Windows\System32\HquYgDN.exe
  C:\Windows\System32\HquYgDN.exe
  2⤵
  PID:3168
- C:\Windows\System32\rtHfxRn.exe
  C:\Windows\System32\rtHfxRn.exe
  2⤵
  PID:3652
- C:\Windows\System32\jJfgWST.exe
  C:\Windows\System32\jJfgWST.exe
  2⤵
  PID:2356
- C:\Windows\System32\sUxfYiD.exe
  C:\Windows\System32\sUxfYiD.exe
  2⤵
  PID:4300
- C:\Windows\System32\RVuqzLm.exe
  C:\Windows\System32\RVuqzLm.exe
  2⤵
  PID:4636
- C:\Windows\System32\FcMHmZJ.exe
  C:\Windows\System32\FcMHmZJ.exe
  2⤵
  PID:508
- C:\Windows\System32\fBStOyV.exe
  C:\Windows\System32\fBStOyV.exe
  2⤵
  PID:5304
- C:\Windows\System32\AtJZjdS.exe
  C:\Windows\System32\AtJZjdS.exe
  2⤵
  PID:6472
- C:\Windows\System32\BUimxsI.exe
  C:\Windows\System32\BUimxsI.exe
  2⤵
  PID:6512
- C:\Windows\System32\GdNKSJT.exe
  C:\Windows\System32\GdNKSJT.exe
  2⤵
  PID:6668
- C:\Windows\System32\pnYQNOx.exe
  C:\Windows\System32\pnYQNOx.exe
  2⤵
  PID:6736
- C:\Windows\System32\hEShBZL.exe
  C:\Windows\System32\hEShBZL.exe
  2⤵
  PID:6792
- C:\Windows\System32\fGHzwCD.exe
  C:\Windows\System32\fGHzwCD.exe
  2⤵
  PID:5796
- C:\Windows\System32\IGBXzKy.exe
  C:\Windows\System32\IGBXzKy.exe
  2⤵
  PID:6944
- C:\Windows\System32\YIgabKb.exe
  C:\Windows\System32\YIgabKb.exe
  2⤵
  PID:7012
- C:\Windows\System32\FvwnLzG.exe
  C:\Windows\System32\FvwnLzG.exe
  2⤵
  PID:7024
- C:\Windows\System32\XJUfmEp.exe
  C:\Windows\System32\XJUfmEp.exe
  2⤵
  PID:7108
- C:\Windows\System32\sKoQnwo.exe
  C:\Windows\System32\sKoQnwo.exe
  2⤵
  PID:7148
- C:\Windows\System32\yWIvFEl.exe
  C:\Windows\System32\yWIvFEl.exe
  2⤵
  PID:6228
- C:\Windows\System32\nWlysIz.exe
  C:\Windows\System32\nWlysIz.exe
  2⤵
  PID:2576
- C:\Windows\System32\tyWXPxQ.exe
  C:\Windows\System32\tyWXPxQ.exe
  2⤵
  PID:1424
- C:\Windows\System32\PFgNkHp.exe
  C:\Windows\System32\PFgNkHp.exe
  2⤵
  PID:5040
- C:\Windows\System32\bTldbpo.exe
  C:\Windows\System32\bTldbpo.exe
  2⤵
  PID:5412
- C:\Windows\System32\tupFxAM.exe
  C:\Windows\System32\tupFxAM.exe
  2⤵
  PID:6440
- C:\Windows\System32\XTdaZcm.exe
  C:\Windows\System32\XTdaZcm.exe
  2⤵
  PID:6536
- C:\Windows\System32\gorwsbR.exe
  C:\Windows\System32\gorwsbR.exe
  2⤵
  PID:3556
- C:\Windows\System32\MlDTXhY.exe
  C:\Windows\System32\MlDTXhY.exe
  2⤵
  PID:6972
- C:\Windows\System32\FFPirwg.exe
  C:\Windows\System32\FFPirwg.exe
  2⤵
  PID:7092
- C:\Windows\System32\gdTdTlM.exe
  C:\Windows\System32\gdTdTlM.exe
  2⤵
  PID:6884
- C:\Windows\System32\RjWRDvA.exe
  C:\Windows\System32\RjWRDvA.exe
  2⤵
  PID:5228
- C:\Windows\System32\JSBLWAQ.exe
  C:\Windows\System32\JSBLWAQ.exe
  2⤵
  PID:4944
- C:\Windows\System32\exixijZ.exe
  C:\Windows\System32\exixijZ.exe
  2⤵
  PID:6128
- C:\Windows\System32\KdDiQyU.exe
  C:\Windows\System32\KdDiQyU.exe
  2⤵
  PID:6648
- C:\Windows\System32\lBeXcLb.exe
  C:\Windows\System32\lBeXcLb.exe
  2⤵
  PID:6428
- C:\Windows\System32\jvTMGUH.exe
  C:\Windows\System32\jvTMGUH.exe
  2⤵
  PID:5368
- C:\Windows\System32\qRBgLRX.exe
  C:\Windows\System32\qRBgLRX.exe
  2⤵
  PID:6820
- C:\Windows\System32\RaUNoqN.exe
  C:\Windows\System32\RaUNoqN.exe
  2⤵
  PID:6776
- C:\Windows\System32\HaTfsJY.exe
  C:\Windows\System32\HaTfsJY.exe
  2⤵
  PID:6380
- C:\Windows\System32\rGVzcAV.exe
  C:\Windows\System32\rGVzcAV.exe
  2⤵
  PID:7184
- C:\Windows\System32\EpzykfS.exe
  C:\Windows\System32\EpzykfS.exe
  2⤵
  PID:7224
- C:\Windows\System32\ubBkyWy.exe
  C:\Windows\System32\ubBkyWy.exe
  2⤵
  PID:7260
- C:\Windows\System32\dCAkeGa.exe
  C:\Windows\System32\dCAkeGa.exe
  2⤵
  PID:7284
- C:\Windows\System32\FgnwUkm.exe
  C:\Windows\System32\FgnwUkm.exe
  2⤵
  PID:7312
- C:\Windows\System32\wOXuGMs.exe
  C:\Windows\System32\wOXuGMs.exe
  2⤵
  PID:7340
- C:\Windows\System32\gaQMGNB.exe
  C:\Windows\System32\gaQMGNB.exe
  2⤵
  PID:7380
- C:\Windows\System32\wiHFlOM.exe
  C:\Windows\System32\wiHFlOM.exe
  2⤵
  PID:7396
- C:\Windows\System32\EQoyXHn.exe
  C:\Windows\System32\EQoyXHn.exe
  2⤵
  PID:7416
- C:\Windows\System32\ebHRQOd.exe
  C:\Windows\System32\ebHRQOd.exe
  2⤵
  PID:7452
- C:\Windows\System32\JxQAFRU.exe
  C:\Windows\System32\JxQAFRU.exe
  2⤵
  PID:7484
- C:\Windows\System32\tRgZTam.exe
  C:\Windows\System32\tRgZTam.exe
  2⤵
  PID:7504
- C:\Windows\System32\lxfnCAK.exe
  C:\Windows\System32\lxfnCAK.exe
  2⤵
  PID:7540
- C:\Windows\System32\ObiWoeN.exe
  C:\Windows\System32\ObiWoeN.exe
  2⤵
  PID:7556
- C:\Windows\System32\HegGSGn.exe
  C:\Windows\System32\HegGSGn.exe
  2⤵
  PID:7596
- C:\Windows\System32\KidlBur.exe
  C:\Windows\System32\KidlBur.exe
  2⤵
  PID:7616
- C:\Windows\System32\KfaZUpX.exe
  C:\Windows\System32\KfaZUpX.exe
  2⤵
  PID:7648
- C:\Windows\System32\vtPhsvq.exe
  C:\Windows\System32\vtPhsvq.exe
  2⤵
  PID:7676
- C:\Windows\System32\qbtTrJw.exe
  C:\Windows\System32\qbtTrJw.exe
  2⤵
  PID:7720
- C:\Windows\System32\iWYqvDQ.exe
  C:\Windows\System32\iWYqvDQ.exe
  2⤵
  PID:7736
- C:\Windows\System32\IBkLiYf.exe
  C:\Windows\System32\IBkLiYf.exe
  2⤵
  PID:7752
- C:\Windows\System32\btBUlEL.exe
  C:\Windows\System32\btBUlEL.exe
  2⤵
  PID:7792
- C:\Windows\System32\NXUdclk.exe
  C:\Windows\System32\NXUdclk.exe
  2⤵
  PID:7808
- C:\Windows\System32\rvpFcuo.exe
  C:\Windows\System32\rvpFcuo.exe
  2⤵
  PID:7824
- C:\Windows\System32\nDSqYwO.exe
  C:\Windows\System32\nDSqYwO.exe
  2⤵
  PID:7844
- C:\Windows\System32\ZQDHcjT.exe
  C:\Windows\System32\ZQDHcjT.exe
  2⤵
  PID:7884
- C:\Windows\System32\VnPvjLw.exe
  C:\Windows\System32\VnPvjLw.exe
  2⤵
  PID:7928
- C:\Windows\System32\XqFEYIy.exe
  C:\Windows\System32\XqFEYIy.exe
  2⤵
  PID:7960
- C:\Windows\System32\rgRkkxc.exe
  C:\Windows\System32\rgRkkxc.exe
  2⤵
  PID:7980
- C:\Windows\System32\ErqoIuA.exe
  C:\Windows\System32\ErqoIuA.exe
  2⤵
  PID:8016
- C:\Windows\System32\ysaCaei.exe
  C:\Windows\System32\ysaCaei.exe
  2⤵
  PID:8036
- C:\Windows\System32\VxxnrQL.exe
  C:\Windows\System32\VxxnrQL.exe
  2⤵
  PID:8064
- C:\Windows\System32\shDjCAr.exe
  C:\Windows\System32\shDjCAr.exe
  2⤵
  PID:8096
- C:\Windows\System32\DsyLeEX.exe
  C:\Windows\System32\DsyLeEX.exe
  2⤵
  PID:8116
- C:\Windows\System32\dJfKSbH.exe
  C:\Windows\System32\dJfKSbH.exe
  2⤵
  PID:8148
- C:\Windows\System32\SZTarpQ.exe
  C:\Windows\System32\SZTarpQ.exe
  2⤵
  PID:8184
- C:\Windows\System32\tbsrCMn.exe
  C:\Windows\System32\tbsrCMn.exe
  2⤵
  PID:7180
- C:\Windows\System32\cNoaXxi.exe
  C:\Windows\System32\cNoaXxi.exe
  2⤵
  PID:7216
- C:\Windows\System32\VvfBvLk.exe
  C:\Windows\System32\VvfBvLk.exe
  2⤵
  PID:7300
- C:\Windows\System32\NGdpPHB.exe
  C:\Windows\System32\NGdpPHB.exe
  2⤵
  PID:7356
- C:\Windows\System32\cORUOFD.exe
  C:\Windows\System32\cORUOFD.exe
  2⤵
  PID:7432
- C:\Windows\System32\LevoZgQ.exe
  C:\Windows\System32\LevoZgQ.exe
  2⤵
  PID:7536
- C:\Windows\System32\aRVGKXH.exe
  C:\Windows\System32\aRVGKXH.exe
  2⤵
  PID:7592
- C:\Windows\System32\HZCxOHK.exe
  C:\Windows\System32\HZCxOHK.exe
  2⤵
  PID:7668
- C:\Windows\System32\BcfLEiK.exe
  C:\Windows\System32\BcfLEiK.exe
  2⤵
  PID:7732
- C:\Windows\System32\MWaKriu.exe
  C:\Windows\System32\MWaKriu.exe
  2⤵
  PID:7788
- C:\Windows\System32\ZaYacXI.exe
  C:\Windows\System32\ZaYacXI.exe
  2⤵
  PID:7852
- C:\Windows\System32\mrRfRBv.exe
  C:\Windows\System32\mrRfRBv.exe
  2⤵
  PID:7896
- C:\Windows\System32\fHQKpgj.exe
  C:\Windows\System32\fHQKpgj.exe
  2⤵
  PID:7936
- C:\Windows\System32\jUkLCqO.exe
  C:\Windows\System32\jUkLCqO.exe
  2⤵
  PID:8024
- C:\Windows\System32\GXbWjau.exe
  C:\Windows\System32\GXbWjau.exe
  2⤵
  PID:8076
- C:\Windows\System32\QBQHshX.exe
  C:\Windows\System32\QBQHshX.exe
  2⤵
  PID:8136
- C:\Windows\System32\CaMBowE.exe
  C:\Windows\System32\CaMBowE.exe
  2⤵
  PID:7304
- C:\Windows\System32\ytxzpAx.exe
  C:\Windows\System32\ytxzpAx.exe
  2⤵
  PID:7324
- C:\Windows\System32\OqGXFyK.exe
  C:\Windows\System32\OqGXFyK.exe
  2⤵
  PID:7500
- C:\Windows\System32\vvCkQAJ.exe
  C:\Windows\System32\vvCkQAJ.exe
  2⤵
  PID:7716
- C:\Windows\System32\EvPJmrz.exe
  C:\Windows\System32\EvPJmrz.exe
  2⤵
  PID:7784
- C:\Windows\System32\uUBjzko.exe
  C:\Windows\System32\uUBjzko.exe
  2⤵
  PID:8088
- C:\Windows\System32\ZKCjyPZ.exe
  C:\Windows\System32\ZKCjyPZ.exe
  2⤵
  PID:7276
- C:\Windows\System32\QSuyxmx.exe
  C:\Windows\System32\QSuyxmx.exe
  2⤵
  PID:7952
- C:\Windows\System32\DVBFqzy.exe
  C:\Windows\System32\DVBFqzy.exe
  2⤵
  PID:7628
- C:\Windows\System32\BBSOnrO.exe
  C:\Windows\System32\BBSOnrO.exe
  2⤵
  PID:8212
- C:\Windows\System32\umRWdVH.exe
  C:\Windows\System32\umRWdVH.exe
  2⤵
  PID:8264
- C:\Windows\System32\azDOpKG.exe
  C:\Windows\System32\azDOpKG.exe
  2⤵
  PID:8280
- C:\Windows\System32\JxIfbSn.exe
  C:\Windows\System32\JxIfbSn.exe
  2⤵
  PID:8324
- C:\Windows\System32\VMWjGLo.exe
  C:\Windows\System32\VMWjGLo.exe
  2⤵
  PID:8340
- C:\Windows\System32\mFJTfvH.exe
  C:\Windows\System32\mFJTfvH.exe
  2⤵
  PID:8368
- C:\Windows\System32\xvWDIAg.exe
  C:\Windows\System32\xvWDIAg.exe
  2⤵
  PID:8396
- C:\Windows\System32\jADGlXj.exe
  C:\Windows\System32\jADGlXj.exe
  2⤵
  PID:8428
- C:\Windows\System32\VmXdTxK.exe
  C:\Windows\System32\VmXdTxK.exe
  2⤵
  PID:8452
- C:\Windows\System32\UnvQNPG.exe
  C:\Windows\System32\UnvQNPG.exe
  2⤵
  PID:8492
- C:\Windows\System32\hkAvDhh.exe
  C:\Windows\System32\hkAvDhh.exe
  2⤵
  PID:8512
- C:\Windows\System32\cMtbisY.exe
  C:\Windows\System32\cMtbisY.exe
  2⤵
  PID:8552
- C:\Windows\System32\BkzbYGI.exe
  C:\Windows\System32\BkzbYGI.exe
  2⤵
  PID:8576
- C:\Windows\System32\yobhTFh.exe
  C:\Windows\System32\yobhTFh.exe
  2⤵
  PID:8608
- C:\Windows\System32\twQUwlD.exe
  C:\Windows\System32\twQUwlD.exe
  2⤵
  PID:8628
- C:\Windows\System32\skXcztV.exe
  C:\Windows\System32\skXcztV.exe
  2⤵
  PID:8664
- C:\Windows\System32\nwSfHmx.exe
  C:\Windows\System32\nwSfHmx.exe
  2⤵
  PID:8692
- C:\Windows\System32\YhrCUMl.exe
  C:\Windows\System32\YhrCUMl.exe
  2⤵
  PID:8724
- C:\Windows\System32\TVtXyAs.exe
  C:\Windows\System32\TVtXyAs.exe
  2⤵
  PID:8740
- C:\Windows\System32\Unnjogd.exe
  C:\Windows\System32\Unnjogd.exe
  2⤵
  PID:8780
- C:\Windows\System32\JvRyRSE.exe
  C:\Windows\System32\JvRyRSE.exe
  2⤵
  PID:8804
- C:\Windows\System32\VRrjyqM.exe
  C:\Windows\System32\VRrjyqM.exe
  2⤵
  PID:8836
- C:\Windows\System32\eQKVcnP.exe
  C:\Windows\System32\eQKVcnP.exe
  2⤵
  PID:8864
- C:\Windows\System32\grMUrlH.exe
  C:\Windows\System32\grMUrlH.exe
  2⤵
  PID:8888
- C:\Windows\System32\tcJveAf.exe
  C:\Windows\System32\tcJveAf.exe
  2⤵
  PID:8920
- C:\Windows\System32\NMqWVTy.exe
  C:\Windows\System32\NMqWVTy.exe
  2⤵
  PID:8940
- C:\Windows\System32\yWWYGij.exe
  C:\Windows\System32\yWWYGij.exe
  2⤵
  PID:8972
- C:\Windows\System32\ZictsRa.exe
  C:\Windows\System32\ZictsRa.exe
  2⤵
  PID:8992
- C:\Windows\System32\hlDyHUN.exe
  C:\Windows\System32\hlDyHUN.exe
  2⤵
  PID:9020
- C:\Windows\System32\GeMifcZ.exe
  C:\Windows\System32\GeMifcZ.exe
  2⤵
  PID:9060
- C:\Windows\System32\HZTMTkY.exe
  C:\Windows\System32\HZTMTkY.exe
  2⤵
  PID:9080
- C:\Windows\System32\jgRSlTh.exe
  C:\Windows\System32\jgRSlTh.exe
  2⤵
  PID:9104
- C:\Windows\System32\jgIxBKs.exe
  C:\Windows\System32\jgIxBKs.exe
  2⤵
  PID:9120
- C:\Windows\System32\YDBAoFC.exe
  C:\Windows\System32\YDBAoFC.exe
  2⤵
  PID:9164
- C:\Windows\System32\zDoYMWZ.exe
  C:\Windows\System32\zDoYMWZ.exe
  2⤵
  PID:9188
- C:\Windows\System32\wXIqvik.exe
  C:\Windows\System32\wXIqvik.exe
  2⤵
  PID:8240
- C:\Windows\System32\XvwLkhJ.exe
  C:\Windows\System32\XvwLkhJ.exe
  2⤵
  PID:8308
- C:\Windows\System32\QUsRQOx.exe
  C:\Windows\System32\QUsRQOx.exe
  2⤵
  PID:8380
- C:\Windows\System32\VjVpdCP.exe
  C:\Windows\System32\VjVpdCP.exe
  2⤵
  PID:8416
- C:\Windows\System32\lznUOVM.exe
  C:\Windows\System32\lznUOVM.exe
  2⤵
  PID:8520
- C:\Windows\System32\ScWeaLj.exe
  C:\Windows\System32\ScWeaLj.exe
  2⤵
  PID:8544
- C:\Windows\System32\HhRctOt.exe
  C:\Windows\System32\HhRctOt.exe
  2⤵
  PID:8604
- C:\Windows\System32\nPIzfSU.exe
  C:\Windows\System32\nPIzfSU.exe
  2⤵
  PID:8684
- C:\Windows\System32\bGjldMJ.exe
  C:\Windows\System32\bGjldMJ.exe
  2⤵
  PID:8828
- C:\Windows\System32\rOReyAG.exe
  C:\Windows\System32\rOReyAG.exe
  2⤵
  PID:8860
- C:\Windows\System32\BDKoibm.exe
  C:\Windows\System32\BDKoibm.exe
  2⤵
  PID:8980
- C:\Windows\System32\gUUZSlW.exe
  C:\Windows\System32\gUUZSlW.exe
  2⤵
  PID:9004
- C:\Windows\System32\RioAzKX.exe
  C:\Windows\System32\RioAzKX.exe
  2⤵
  PID:9056
- C:\Windows\System32\AkXbfNT.exe
  C:\Windows\System32\AkXbfNT.exe
  2⤵
  PID:9112
- C:\Windows\System32\vfZLsAU.exe
  C:\Windows\System32\vfZLsAU.exe
  2⤵
  PID:9180
- C:\Windows\System32\mSdTqAg.exe
  C:\Windows\System32\mSdTqAg.exe
  2⤵
  PID:8348
- C:\Windows\System32\XyfyFwL.exe
  C:\Windows\System32\XyfyFwL.exe
  2⤵
  PID:8572
- C:\Windows\System32\jPRnzLJ.exe
  C:\Windows\System32\jPRnzLJ.exe
  2⤵
  PID:8820
- C:\Windows\System32\gzhKziz.exe
  C:\Windows\System32\gzhKziz.exe
  2⤵
  PID:8896
- C:\Windows\System32\QoRZWnw.exe
  C:\Windows\System32\QoRZWnw.exe
  2⤵
  PID:9068
- C:\Windows\System32\sLsUqvF.exe
  C:\Windows\System32\sLsUqvF.exe
  2⤵
  PID:8384
- C:\Windows\System32\PLbIENk.exe
  C:\Windows\System32\PLbIENk.exe
  2⤵
  PID:9220
- C:\Windows\System32\pbeixRU.exe
  C:\Windows\System32\pbeixRU.exe
  2⤵
  PID:9256
- C:\Windows\System32\KAEwXMy.exe
  C:\Windows\System32\KAEwXMy.exe
  2⤵
  PID:9288
- C:\Windows\System32\FYGAfiM.exe
  C:\Windows\System32\FYGAfiM.exe
  2⤵
  PID:9320
- C:\Windows\System32\DAZPsZQ.exe
  C:\Windows\System32\DAZPsZQ.exe
  2⤵
  PID:9352
- C:\Windows\System32\foJbgMq.exe
  C:\Windows\System32\foJbgMq.exe
  2⤵
  PID:9392
- C:\Windows\System32\VoOYzmm.exe
  C:\Windows\System32\VoOYzmm.exe
  2⤵
  PID:9436
- C:\Windows\System32\oXCEsIu.exe
  C:\Windows\System32\oXCEsIu.exe
  2⤵
  PID:9484
- C:\Windows\System32\QjMLVOC.exe
  C:\Windows\System32\QjMLVOC.exe
  2⤵
  PID:9524
- C:\Windows\System32\RQNQdiJ.exe
  C:\Windows\System32\RQNQdiJ.exe
  2⤵
  PID:9544
- C:\Windows\System32\KVNOMlJ.exe
  C:\Windows\System32\KVNOMlJ.exe
  2⤵
  PID:9580
- C:\Windows\System32\TvfjaUC.exe
  C:\Windows\System32\TvfjaUC.exe
  2⤵
  PID:9616
- C:\Windows\System32\vMnajtl.exe
  C:\Windows\System32\vMnajtl.exe
  2⤵
  PID:9648
- C:\Windows\System32\sGmqqIy.exe
  C:\Windows\System32\sGmqqIy.exe
  2⤵
  PID:9668
- C:\Windows\System32\XCVDuSZ.exe
  C:\Windows\System32\XCVDuSZ.exe
  2⤵
  PID:9696
- C:\Windows\System32\GNZmNlx.exe
  C:\Windows\System32\GNZmNlx.exe
  2⤵
  PID:9724
- C:\Windows\System32\BdPbUCC.exe
  C:\Windows\System32\BdPbUCC.exe
  2⤵
  PID:9764
- C:\Windows\System32\JBoqGsr.exe
  C:\Windows\System32\JBoqGsr.exe
  2⤵
  PID:9780
- C:\Windows\System32\wLwqYsi.exe
  C:\Windows\System32\wLwqYsi.exe
  2⤵
  PID:9816
- C:\Windows\System32\SCuwWNu.exe
  C:\Windows\System32\SCuwWNu.exe
  2⤵
  PID:9848
- C:\Windows\System32\BSlueJg.exe
  C:\Windows\System32\BSlueJg.exe
  2⤵
  PID:9868
- C:\Windows\System32\WFCFaxT.exe
  C:\Windows\System32\WFCFaxT.exe
  2⤵
  PID:9900
- C:\Windows\System32\glYuTEq.exe
  C:\Windows\System32\glYuTEq.exe
  2⤵
  PID:9920
- C:\Windows\System32\IBiDoBc.exe
  C:\Windows\System32\IBiDoBc.exe
  2⤵
  PID:9968
- C:\Windows\System32\ucDrjzj.exe
  C:\Windows\System32\ucDrjzj.exe
  2⤵
  PID:9988
- C:\Windows\System32\yJYECMY.exe
  C:\Windows\System32\yJYECMY.exe
  2⤵
  PID:10016
- C:\Windows\System32\mIglLFB.exe
  C:\Windows\System32\mIglLFB.exe
  2⤵
  PID:10048
- C:\Windows\System32\RlwNucV.exe
  C:\Windows\System32\RlwNucV.exe
  2⤵
  PID:10076
- C:\Windows\System32\LOsRVUH.exe
  C:\Windows\System32\LOsRVUH.exe
  2⤵
  PID:10100
- C:\Windows\System32\ztpDybz.exe
  C:\Windows\System32\ztpDybz.exe
  2⤵
  PID:10136
- C:\Windows\System32\xpPTKsV.exe
  C:\Windows\System32\xpPTKsV.exe
  2⤵
  PID:10164
- C:\Windows\System32\iMWyIJE.exe
  C:\Windows\System32\iMWyIJE.exe
  2⤵
  PID:10180
- C:\Windows\System32\bSNdQBp.exe
  C:\Windows\System32\bSNdQBp.exe
  2⤵
  PID:10228
- C:\Windows\System32\eNSApUI.exe
  C:\Windows\System32\eNSApUI.exe
  2⤵
  PID:9048
- C:\Windows\System32\GFpljty.exe
  C:\Windows\System32\GFpljty.exe
  2⤵
  PID:9300
- C:\Windows\System32\vUDjpmd.exe
  C:\Windows\System32\vUDjpmd.exe
  2⤵
  PID:9332
- C:\Windows\System32\fYRTqHD.exe
  C:\Windows\System32\fYRTqHD.exe
  2⤵
  PID:9496
- C:\Windows\System32\RUlMtWQ.exe
  C:\Windows\System32\RUlMtWQ.exe
  2⤵
  PID:9556
- C:\Windows\System32\KjaUMsv.exe
  C:\Windows\System32\KjaUMsv.exe
  2⤵
  PID:9608
- C:\Windows\System32\RdGqikX.exe
  C:\Windows\System32\RdGqikX.exe
  2⤵
  PID:9680
- C:\Windows\System32\pnCajft.exe
  C:\Windows\System32\pnCajft.exe
  2⤵
  PID:9752
- C:\Windows\System32\MCmDqmX.exe
  C:\Windows\System32\MCmDqmX.exe
  2⤵
  PID:9824
- C:\Windows\System32\VCFQDTQ.exe
  C:\Windows\System32\VCFQDTQ.exe
  2⤵
  PID:9908
- C:\Windows\System32\XIlHVZu.exe
  C:\Windows\System32\XIlHVZu.exe
  2⤵
  PID:9940
- C:\Windows\System32\LrAMFwe.exe
  C:\Windows\System32\LrAMFwe.exe
  2⤵
  PID:10008
- C:\Windows\System32\LXVssWa.exe
  C:\Windows\System32\LXVssWa.exe
  2⤵
  PID:10132
- C:\Windows\System32\zkQcsTx.exe
  C:\Windows\System32\zkQcsTx.exe
  2⤵
  PID:10196
- C:\Windows\System32\bQwjCom.exe
  C:\Windows\System32\bQwjCom.exe
  2⤵
  PID:10236
- C:\Windows\System32\IOsaScy.exe
  C:\Windows\System32\IOsaScy.exe
  2⤵
  PID:9448
- C:\Windows\System32\PAVZCAC.exe
  C:\Windows\System32\PAVZCAC.exe
  2⤵
  PID:9604
- C:\Windows\System32\qghoWUj.exe
  C:\Windows\System32\qghoWUj.exe
  2⤵
  PID:9840
- C:\Windows\System32\NaQiSER.exe
  C:\Windows\System32\NaQiSER.exe
  2⤵
  PID:9976
- C:\Windows\System32\gGgOGGo.exe
  C:\Windows\System32\gGgOGGo.exe
  2⤵
  PID:10176
- C:\Windows\System32\yUXKwXo.exe
  C:\Windows\System32\yUXKwXo.exe
  2⤵
  PID:9252
- C:\Windows\System32\lsSxzlY.exe
  C:\Windows\System32\lsSxzlY.exe
  2⤵
  PID:9892
- C:\Windows\System32\mpMPRaZ.exe
  C:\Windows\System32\mpMPRaZ.exe
  2⤵
  PID:10220
- C:\Windows\System32\zaoeoQu.exe
  C:\Windows\System32\zaoeoQu.exe
  2⤵
  PID:10028
- C:\Windows\System32\ZNLifAs.exe
  C:\Windows\System32\ZNLifAs.exe
  2⤵
  PID:10248
- C:\Windows\System32\nuyRaHF.exe
  C:\Windows\System32\nuyRaHF.exe
  2⤵
  PID:10276
- C:\Windows\System32\dHeBtEi.exe
  C:\Windows\System32\dHeBtEi.exe
  2⤵
  PID:10304
- C:\Windows\System32\JaIxvaf.exe
  C:\Windows\System32\JaIxvaf.exe
  2⤵
  PID:10332
- C:\Windows\System32\FtvuHib.exe
  C:\Windows\System32\FtvuHib.exe
  2⤵
  PID:10364
- C:\Windows\System32\fjLvkrz.exe
  C:\Windows\System32\fjLvkrz.exe
  2⤵
  PID:10392
- C:\Windows\System32\AZxVuUq.exe
  C:\Windows\System32\AZxVuUq.exe
  2⤵
  PID:10420
- C:\Windows\System32\OIdgJaW.exe
  C:\Windows\System32\OIdgJaW.exe
  2⤵
  PID:10448
- C:\Windows\System32\tsVIBPm.exe
  C:\Windows\System32\tsVIBPm.exe
  2⤵
  PID:10476
- C:\Windows\System32\WlkCauT.exe
  C:\Windows\System32\WlkCauT.exe
  2⤵
  PID:10504
- C:\Windows\System32\ijsiAeo.exe
  C:\Windows\System32\ijsiAeo.exe
  2⤵
  PID:10532
- C:\Windows\System32\VkslQvY.exe
  C:\Windows\System32\VkslQvY.exe
  2⤵
  PID:10560
- C:\Windows\System32\NyYPgpg.exe
  C:\Windows\System32\NyYPgpg.exe
  2⤵
  PID:10588
- C:\Windows\System32\NGWFLDY.exe
  C:\Windows\System32\NGWFLDY.exe
  2⤵
  PID:10616
- C:\Windows\System32\eidsegl.exe
  C:\Windows\System32\eidsegl.exe
  2⤵
  PID:10644
- C:\Windows\System32\qEeUPhk.exe
  C:\Windows\System32\qEeUPhk.exe
  2⤵
  PID:10676
- C:\Windows\System32\FKDRwPv.exe
  C:\Windows\System32\FKDRwPv.exe
  2⤵
  PID:10704
- C:\Windows\System32\IYmcnHb.exe
  C:\Windows\System32\IYmcnHb.exe
  2⤵
  PID:10736
- C:\Windows\System32\bLnTDYM.exe
  C:\Windows\System32\bLnTDYM.exe
  2⤵
  PID:10764
- C:\Windows\System32\DsPCkSv.exe
  C:\Windows\System32\DsPCkSv.exe
  2⤵
  PID:10792
- C:\Windows\System32\umLtuak.exe
  C:\Windows\System32\umLtuak.exe
  2⤵
  PID:10820
- C:\Windows\System32\ZETmuir.exe
  C:\Windows\System32\ZETmuir.exe
  2⤵
  PID:10848
- C:\Windows\System32\OqBHYWX.exe
  C:\Windows\System32\OqBHYWX.exe
  2⤵
  PID:10876
- C:\Windows\System32\MCnRrhE.exe
  C:\Windows\System32\MCnRrhE.exe
  2⤵
  PID:10904
- C:\Windows\System32\MMsOLHw.exe
  C:\Windows\System32\MMsOLHw.exe
  2⤵
  PID:10932
- C:\Windows\System32\zjSUppv.exe
  C:\Windows\System32\zjSUppv.exe
  2⤵
  PID:10960
- C:\Windows\System32\UOspbUP.exe
  C:\Windows\System32\UOspbUP.exe
  2⤵
  PID:10992
- C:\Windows\System32\vNWPIuk.exe
  C:\Windows\System32\vNWPIuk.exe
  2⤵
  PID:11016
- C:\Windows\System32\RNBdziA.exe
  C:\Windows\System32\RNBdziA.exe
  2⤵
  PID:11044
- C:\Windows\System32\ytYLCUk.exe
  C:\Windows\System32\ytYLCUk.exe
  2⤵
  PID:11072
- C:\Windows\System32\iyCCwUs.exe
  C:\Windows\System32\iyCCwUs.exe
  2⤵
  PID:11100
- C:\Windows\System32\pakilUr.exe
  C:\Windows\System32\pakilUr.exe
  2⤵
  PID:11128
- C:\Windows\System32\VJkQHni.exe
  C:\Windows\System32\VJkQHni.exe
  2⤵
  PID:11160
- C:\Windows\System32\lAIWCpr.exe
  C:\Windows\System32\lAIWCpr.exe
  2⤵
  PID:11188
- C:\Windows\System32\VCxXJUj.exe
  C:\Windows\System32\VCxXJUj.exe
  2⤵
  PID:11216
- C:\Windows\System32\bmupgkG.exe
  C:\Windows\System32\bmupgkG.exe
  2⤵
  PID:11244
- C:\Windows\System32\bQzLDJY.exe
  C:\Windows\System32\bQzLDJY.exe
  2⤵
  PID:10260
- C:\Windows\System32\IVZdxWd.exe
  C:\Windows\System32\IVZdxWd.exe
  2⤵
  PID:10344
- C:\Windows\System32\kjfWEvJ.exe
  C:\Windows\System32\kjfWEvJ.exe
  2⤵
  PID:10408
- C:\Windows\System32\MyCTjGK.exe
  C:\Windows\System32\MyCTjGK.exe
  2⤵
  PID:10472
- C:\Windows\System32\hnIstTG.exe
  C:\Windows\System32\hnIstTG.exe
  2⤵
  PID:10544
- C:\Windows\System32\XlisDnJ.exe
  C:\Windows\System32\XlisDnJ.exe
  2⤵
  PID:10600
- C:\Windows\System32\rUxUQpd.exe
  C:\Windows\System32\rUxUQpd.exe
  2⤵
  PID:10668
- C:\Windows\System32\dqdBXRB.exe
  C:\Windows\System32\dqdBXRB.exe
  2⤵
  PID:10744
- C:\Windows\System32\cRKdPYh.exe
  C:\Windows\System32\cRKdPYh.exe
  2⤵
  PID:10804
- C:\Windows\System32\fsocOdl.exe
  C:\Windows\System32\fsocOdl.exe
  2⤵
  PID:10872
- C:\Windows\System32\YeTbpPR.exe
  C:\Windows\System32\YeTbpPR.exe
  2⤵
  PID:10952
- C:\Windows\System32\TtUjiRV.exe
  C:\Windows\System32\TtUjiRV.exe
  2⤵
  PID:11012
- C:\Windows\System32\weQQntv.exe
  C:\Windows\System32\weQQntv.exe
  2⤵
  PID:11084
- C:\Windows\System32\ZFkwxzK.exe
  C:\Windows\System32\ZFkwxzK.exe
  2⤵
  PID:11152
- C:\Windows\System32\FbbpBdT.exe
  C:\Windows\System32\FbbpBdT.exe
  2⤵
  PID:11212
- C:\Windows\System32\RQDfZjs.exe
  C:\Windows\System32\RQDfZjs.exe
  2⤵
  PID:10300
- C:\Windows\System32\cLCeQGA.exe
  C:\Windows\System32\cLCeQGA.exe
  2⤵
  PID:10460
- C:\Windows\System32\sDmHkMA.exe
  C:\Windows\System32\sDmHkMA.exe
  2⤵
  PID:10604
- C:\Windows\System32\hVDfsSw.exe
  C:\Windows\System32\hVDfsSw.exe
  2⤵
  PID:10776
- C:\Windows\System32\onCujPT.exe
  C:\Windows\System32\onCujPT.exe
  2⤵
  PID:10900
- C:\Windows\System32\EXInypX.exe
  C:\Windows\System32\EXInypX.exe
  2⤵
  PID:11060
- C:\Windows\System32\murSgAC.exe
  C:\Windows\System32\murSgAC.exe
  2⤵
  PID:11208
- C:\Windows\System32\SkGznYH.exe
  C:\Windows\System32\SkGznYH.exe
  2⤵
  PID:10524
- C:\Windows\System32\aPmYVnO.exe
  C:\Windows\System32\aPmYVnO.exe
  2⤵
  PID:10860
- C:\Windows\System32\nPAsjFk.exe
  C:\Windows\System32\nPAsjFk.exe
  2⤵
  PID:9776
- C:\Windows\System32\AUhElxN.exe
  C:\Windows\System32\AUhElxN.exe
  2⤵
  PID:11180
- C:\Windows\System32\QYpYqgm.exe
  C:\Windows\System32\QYpYqgm.exe
  2⤵
  PID:11272
- C:\Windows\System32\luBmSIf.exe
  C:\Windows\System32\luBmSIf.exe
  2⤵
  PID:11300
- C:\Windows\System32\FfPWpWp.exe
  C:\Windows\System32\FfPWpWp.exe
  2⤵
  PID:11328
- C:\Windows\System32\FCicyIe.exe
  C:\Windows\System32\FCicyIe.exe
  2⤵
  PID:11356
- C:\Windows\System32\TvFdvBb.exe
  C:\Windows\System32\TvFdvBb.exe
  2⤵
  PID:11388
- C:\Windows\System32\fqFUWEi.exe
  C:\Windows\System32\fqFUWEi.exe
  2⤵
  PID:11412
- C:\Windows\System32\NhNRJad.exe
  C:\Windows\System32\NhNRJad.exe
  2⤵
  PID:11444
- C:\Windows\System32\NAcdkms.exe
  C:\Windows\System32\NAcdkms.exe
  2⤵
  PID:11468
- C:\Windows\System32\pANUNbe.exe
  C:\Windows\System32\pANUNbe.exe
  2⤵
  PID:11496
- C:\Windows\System32\MDvXrjR.exe
  C:\Windows\System32\MDvXrjR.exe
  2⤵
  PID:11524
- C:\Windows\System32\KWOqIDl.exe
  C:\Windows\System32\KWOqIDl.exe
  2⤵
  PID:11552
- C:\Windows\System32\sPHmwQE.exe
  C:\Windows\System32\sPHmwQE.exe
  2⤵
  PID:11580
- C:\Windows\System32\CQfPTXp.exe
  C:\Windows\System32\CQfPTXp.exe
  2⤵
  PID:11608
- C:\Windows\System32\wCGMPNs.exe
  C:\Windows\System32\wCGMPNs.exe
  2⤵
  PID:11636
- C:\Windows\System32\pKTPRkc.exe
  C:\Windows\System32\pKTPRkc.exe
  2⤵
  PID:11664
- C:\Windows\System32\RizHTUh.exe
  C:\Windows\System32\RizHTUh.exe
  2⤵
  PID:11700
- C:\Windows\System32\iFSzrnd.exe
  C:\Windows\System32\iFSzrnd.exe
  2⤵
  PID:11740
- C:\Windows\System32\DfQoSlh.exe
  C:\Windows\System32\DfQoSlh.exe
  2⤵
  PID:11780
- C:\Windows\System32\Gwvqyuy.exe
  C:\Windows\System32\Gwvqyuy.exe
  2⤵
  PID:11812
- C:\Windows\System32\enEkBUJ.exe
  C:\Windows\System32\enEkBUJ.exe
  2⤵
  PID:11840
- C:\Windows\System32\nZWqFcD.exe
  C:\Windows\System32\nZWqFcD.exe
  2⤵
  PID:11868
- C:\Windows\System32\DpdHXmp.exe
  C:\Windows\System32\DpdHXmp.exe
  2⤵
  PID:11896
- C:\Windows\System32\soQXrxr.exe
  C:\Windows\System32\soQXrxr.exe
  2⤵
  PID:11924
- C:\Windows\System32\ZRygDuf.exe
  C:\Windows\System32\ZRygDuf.exe
  2⤵
  PID:11952
- C:\Windows\System32\kXDiSxJ.exe
  C:\Windows\System32\kXDiSxJ.exe
  2⤵
  PID:11980
- C:\Windows\System32\OKQyjfA.exe
  C:\Windows\System32\OKQyjfA.exe
  2⤵
  PID:12008
- C:\Windows\System32\fbFjHKe.exe
  C:\Windows\System32\fbFjHKe.exe
  2⤵
  PID:12040
- C:\Windows\System32\kPmHAhM.exe
  C:\Windows\System32\kPmHAhM.exe
  2⤵
  PID:12068
- C:\Windows\System32\AuOuSmL.exe
  C:\Windows\System32\AuOuSmL.exe
  2⤵
  PID:12096
- C:\Windows\System32\xEQyZDo.exe
  C:\Windows\System32\xEQyZDo.exe
  2⤵
  PID:12124
- C:\Windows\System32\roYcYQD.exe
  C:\Windows\System32\roYcYQD.exe
  2⤵
  PID:12152
- C:\Windows\System32\PMJtLcb.exe
  C:\Windows\System32\PMJtLcb.exe
  2⤵
  PID:12180
- C:\Windows\System32\wPxkGRQ.exe
  C:\Windows\System32\wPxkGRQ.exe
  2⤵
  PID:12208
- C:\Windows\System32\vjxloWJ.exe
  C:\Windows\System32\vjxloWJ.exe
  2⤵
  PID:12236
- C:\Windows\System32\ddVBrhN.exe
  C:\Windows\System32\ddVBrhN.exe
  2⤵
  PID:12264
- C:\Windows\System32\yYPTdzk.exe
  C:\Windows\System32\yYPTdzk.exe
  2⤵
  PID:11268
- C:\Windows\System32\wFfgJJH.exe
  C:\Windows\System32\wFfgJJH.exe
  2⤵
  PID:11340
- C:\Windows\System32\UanTLgV.exe
  C:\Windows\System32\UanTLgV.exe
  2⤵
  PID:11404
- C:\Windows\System32\PqVeJID.exe
  C:\Windows\System32\PqVeJID.exe
  2⤵
  PID:11488
- C:\Windows\System32\FTGOFEX.exe
  C:\Windows\System32\FTGOFEX.exe
  2⤵
  PID:11548
- C:\Windows\System32\wSGgeQG.exe
  C:\Windows\System32\wSGgeQG.exe
  2⤵
  PID:11620
- C:\Windows\System32\jgyQvAt.exe
  C:\Windows\System32\jgyQvAt.exe
  2⤵
  PID:11688
- C:\Windows\System32\VCYykQp.exe
  C:\Windows\System32\VCYykQp.exe
  2⤵
  PID:11756
- C:\Windows\System32\llCcLgs.exe
  C:\Windows\System32\llCcLgs.exe
  2⤵
  PID:11836
- C:\Windows\System32\LTgSzIQ.exe
  C:\Windows\System32\LTgSzIQ.exe
  2⤵
  PID:11908
- C:\Windows\System32\hOvBICj.exe
  C:\Windows\System32\hOvBICj.exe
  2⤵
  PID:11972
- C:\Windows\System32\mAQLjWJ.exe
  C:\Windows\System32\mAQLjWJ.exe
  2⤵
  PID:12032
- C:\Windows\System32\ZfaHxPB.exe
  C:\Windows\System32\ZfaHxPB.exe
  2⤵
  PID:12108
- C:\Windows\System32\QcxqAJu.exe
  C:\Windows\System32\QcxqAJu.exe
  2⤵
  PID:12220
- C:\Windows\System32\LuiXeHO.exe
  C:\Windows\System32\LuiXeHO.exe
  2⤵
  PID:10844
- C:\Windows\System32\mTdriwo.exe
  C:\Windows\System32\mTdriwo.exe
  2⤵
  PID:11396
- C:\Windows\System32\mwdvzQV.exe
  C:\Windows\System32\mwdvzQV.exe
  2⤵
  PID:11576
- C:\Windows\System32\iBgepZt.exe
  C:\Windows\System32\iBgepZt.exe
  2⤵
  PID:11768
- C:\Windows\System32\dlIjwIC.exe
  C:\Windows\System32\dlIjwIC.exe
  2⤵
  PID:11888
- C:\Windows\System32\BzbwBjQ.exe
  C:\Windows\System32\BzbwBjQ.exe
  2⤵
  PID:12028
- C:\Windows\System32\IJdlSrl.exe
  C:\Windows\System32\IJdlSrl.exe
  2⤵
  PID:12276
- C:\Windows\System32\xUoJquG.exe
  C:\Windows\System32\xUoJquG.exe
  2⤵
  PID:11516
- C:\Windows\System32\IbUWaqm.exe
  C:\Windows\System32\IbUWaqm.exe
  2⤵
  PID:11948
- C:\Windows\System32\KaUzRxA.exe
  C:\Windows\System32\KaUzRxA.exe
  2⤵
  PID:11460
- C:\Windows\System32\QhcGJnR.exe
  C:\Windows\System32\QhcGJnR.exe
  2⤵
  PID:12200
- C:\Windows\System32\SooXmqn.exe
  C:\Windows\System32\SooXmqn.exe
  2⤵
  PID:12304
- C:\Windows\System32\ldqsHqs.exe
  C:\Windows\System32\ldqsHqs.exe
  2⤵
  PID:12332
- C:\Windows\System32\rpKJmzO.exe
  C:\Windows\System32\rpKJmzO.exe
  2⤵
  PID:12348
- C:\Windows\System32\baLnQxz.exe
  C:\Windows\System32\baLnQxz.exe
  2⤵
  PID:12388
- C:\Windows\System32\XQlOHww.exe
  C:\Windows\System32\XQlOHww.exe
  2⤵
  PID:12416
- C:\Windows\System32\yIOxGwS.exe
  C:\Windows\System32\yIOxGwS.exe
  2⤵
  PID:12444
- C:\Windows\System32\uSeAnby.exe
  C:\Windows\System32\uSeAnby.exe
  2⤵
  PID:12472
- C:\Windows\System32\AnERgvQ.exe
  C:\Windows\System32\AnERgvQ.exe
  2⤵
  PID:12500
- C:\Windows\System32\MutIJun.exe
  C:\Windows\System32\MutIJun.exe
  2⤵
  PID:12528
- C:\Windows\System32\GmYxcQB.exe
  C:\Windows\System32\GmYxcQB.exe
  2⤵
  PID:12556
- C:\Windows\System32\BwfggXR.exe
  C:\Windows\System32\BwfggXR.exe
  2⤵
  PID:12580
- C:\Windows\System32\mLeiIPb.exe
  C:\Windows\System32\mLeiIPb.exe
  2⤵
  PID:12600
- C:\Windows\System32\DPqBIxH.exe
  C:\Windows\System32\DPqBIxH.exe
  2⤵
  PID:12640
- C:\Windows\System32\WtyCBpj.exe
  C:\Windows\System32\WtyCBpj.exe
  2⤵
  PID:12656
- C:\Windows\System32\opFzCyz.exe
  C:\Windows\System32\opFzCyz.exe
  2⤵
  PID:12696
- C:\Windows\System32\eSzzRfB.exe
  C:\Windows\System32\eSzzRfB.exe
  2⤵
  PID:12724
- C:\Windows\System32\ZleczEt.exe
  C:\Windows\System32\ZleczEt.exe
  2⤵
  PID:12752
- C:\Windows\System32\wbBcdJU.exe
  C:\Windows\System32\wbBcdJU.exe
  2⤵
  PID:12768
- C:\Windows\System32\lhPeUfb.exe
  C:\Windows\System32\lhPeUfb.exe
  2⤵
  PID:12800
- C:\Windows\System32\PBbUhOo.exe
  C:\Windows\System32\PBbUhOo.exe
  2⤵
  PID:12836
- C:\Windows\System32\GBOuvkN.exe
  C:\Windows\System32\GBOuvkN.exe
  2⤵
  PID:12856
- C:\Windows\System32\bZmMfyo.exe
  C:\Windows\System32\bZmMfyo.exe
  2⤵
  PID:12892
- C:\Windows\System32\gbZevjR.exe
  C:\Windows\System32\gbZevjR.exe
  2⤵
  PID:12920
- C:\Windows\System32\uUARSrI.exe
  C:\Windows\System32\uUARSrI.exe
  2⤵
  PID:12952
- C:\Windows\System32\BDSFQcJ.exe
  C:\Windows\System32\BDSFQcJ.exe
  2⤵
  PID:12976
- C:\Windows\System32\NfcKGcD.exe
  C:\Windows\System32\NfcKGcD.exe
  2⤵
  PID:13004
- C:\Windows\System32\odSpJow.exe
  C:\Windows\System32\odSpJow.exe
  2⤵
  PID:13032
- C:\Windows\System32\RMVaFjS.exe
  C:\Windows\System32\RMVaFjS.exe
  2⤵
  PID:13060
- C:\Windows\System32\CuXfLrv.exe
  C:\Windows\System32\CuXfLrv.exe
  2⤵
  PID:13092
- C:\Windows\System32\fxcMUHi.exe
  C:\Windows\System32\fxcMUHi.exe
  2⤵
  PID:13120
- C:\Windows\System32\HjxmyeX.exe
  C:\Windows\System32\HjxmyeX.exe
  2⤵
  PID:13148
- C:\Windows\System32\eMgzXXu.exe
  C:\Windows\System32\eMgzXXu.exe
  2⤵
  PID:13176
- C:\Windows\System32\McsWJWA.exe
  C:\Windows\System32\McsWJWA.exe
  2⤵
  PID:13204
- C:\Windows\System32\BcBKBlY.exe
  C:\Windows\System32\BcBKBlY.exe
  2⤵
  PID:13232
- C:\Windows\System32\BxAbCKc.exe
  C:\Windows\System32\BxAbCKc.exe
  2⤵
  PID:13260
- C:\Windows\System32\cxBtZBh.exe
  C:\Windows\System32\cxBtZBh.exe
  2⤵
  PID:13304
- C:\Windows\System32\suCbgNI.exe
  C:\Windows\System32\suCbgNI.exe
  2⤵
  PID:12300
- C:\Windows\System32\sjmQkhG.exe
  C:\Windows\System32\sjmQkhG.exe
  2⤵
  PID:12368
- C:\Windows\System32\zTNsWRj.exe
  C:\Windows\System32\zTNsWRj.exe
  2⤵
  PID:12432
- C:\Windows\System32\sKQzzIu.exe
  C:\Windows\System32\sKQzzIu.exe
  2⤵
  PID:12488
- C:\Windows\System32\HvopLbK.exe
  C:\Windows\System32\HvopLbK.exe
  2⤵
  PID:12564
- C:\Windows\System32\qHxDMlI.exe
  C:\Windows\System32\qHxDMlI.exe
  2⤵
  PID:12628
- C:\Windows\System32\CDLMZQA.exe
  C:\Windows\System32\CDLMZQA.exe
  2⤵
  PID:12688
- C:\Windows\System32\GEsManD.exe
  C:\Windows\System32\GEsManD.exe
  2⤵
  PID:4612
- C:\Windows\System32\IdGDkTb.exe
  C:\Windows\System32\IdGDkTb.exe
  2⤵
  PID:12736
- C:\Windows\System32\DqqJZfl.exe
  C:\Windows\System32\DqqJZfl.exe
  2⤵
  PID:12824
- C:\Windows\System32\BBKtJVf.exe
  C:\Windows\System32\BBKtJVf.exe
  2⤵
  PID:12888
- C:\Windows\System32\IePSBjQ.exe
  C:\Windows\System32\IePSBjQ.exe
  2⤵
  PID:12972
- C:\Windows\System32\lVzXUTh.exe
  C:\Windows\System32\lVzXUTh.exe
  2⤵
  PID:13044
- C:\Windows\System32\umXiTOp.exe
  C:\Windows\System32\umXiTOp.exe
  2⤵
  PID:13112
- C:\Windows\System32\AeVogyK.exe
  C:\Windows\System32\AeVogyK.exe
  2⤵
  PID:13172
- C:\Windows\System32\NVpWpZH.exe
  C:\Windows\System32\NVpWpZH.exe
  2⤵
  PID:13244
- C:\Windows\System32\pKZndiE.exe
  C:\Windows\System32\pKZndiE.exe
  2⤵
  PID:13284
- C:\Windows\System32\PKozjui.exe
  C:\Windows\System32\PKozjui.exe
  2⤵
  PID:12412
- C:\Windows\System32\MtErJFc.exe
  C:\Windows\System32\MtErJFc.exe
  2⤵
  PID:12548
- C:\Windows\System32\spNDbVL.exe
  C:\Windows\System32\spNDbVL.exe
  2⤵
  PID:12716
- C:\Windows\System32\KiiTmyu.exe
  C:\Windows\System32\KiiTmyu.exe
  2⤵
  PID:12760
- C:\Windows\System32\RTidiXA.exe
  C:\Windows\System32\RTidiXA.exe
  2⤵
  PID:12964
- C:\Windows\System32\dZMmIxP.exe
  C:\Windows\System32\dZMmIxP.exe
  2⤵
  PID:3280
- C:\Windows\System32\fNEjMWh.exe
  C:\Windows\System32\fNEjMWh.exe
  2⤵
  PID:13228

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AmmNvFu.exe

Filesize
2.7MB

MD5
7c377504f3a5bb7ad432a6462a3cffaa

SHA1
2178b2771b441936cf9d7e6ed7f4ea849a9319e4

SHA256
7e7f848da29373cd6bb15888772c59707913ccbf5cae8654ce221c75724c113e

SHA512
34590f76996a2994e12803e3b62bd5f8714f0c7bfd44ef523dfae1d06fdbe87b633b50cb21fd7e813c172677c91da738f2321a9fba81f8974081b75bbc83a8dd

Download Submit
C:\Windows\System32\CzOAPSO.exe

Filesize
2.8MB

MD5
93551a8f096b2a6d1a748543c87d4598

SHA1
c2aaa5612cf9e56c22b51001c5c5157fa356592b

SHA256
bf34d876725e157d845cc5da9579c778cd0a875b7cecd3f7646aeb149033b193

SHA512
f3afd13d42a1ffb6cb0388b5626d583a4f287e838663e04c0397da02b8a0e4e97b4fc9a27941ebf3e334a0df7be40e43ba39fe7656e4209de7cc8de392806827

Download Submit
C:\Windows\System32\DACiQwv.exe

Filesize
2.8MB

MD5
9b2521cec6845fb88d581a78534790d1

SHA1
9118ba8a8357101d9f447c985d9d3468eb72ae33

SHA256
19fd2de23a221c464cb8e0079dd2e2dccac01515d24726c206bf0ef167999f1d

SHA512
0b147bb80865c49a2414b4a1e4379b7d61adcb3f085eec20a937a00e26ba4c8a1dc8c5468ccebcc1fe801f8f168eb3e7830d975b7e6dacd9373ba382f931b94a

Download Submit
C:\Windows\System32\DtRmzOJ.exe

Filesize
2.7MB

MD5
ec9af00399088c443fa6fd2ccf761131

SHA1
fe83bcc398e35b3085d304f2ea48ae83e457cd9e

SHA256
b7080b30d6ae14ecf2612540081125291caca496cdda232aaa9a95d3dbf642f1

SHA512
15d33e2bae00f1488e5c84cb382d8b4fda17fbb2d1468702b44665a6028b257f0507bd89a5cee01832770530d41efc6cacf03a465e24f91474b5df88db06a558

Download Submit
C:\Windows\System32\Gocldkz.exe

Filesize
2.8MB

MD5
890767a9bccf93de6c57417c7c023bb5

SHA1
c54bb0488ddbecb336c1a2cbf5adb871cedbd29a

SHA256
7c8ba6f2962cc1b6b92dd99c6abb2d7fdc52c1a5af345f426da723bb9495c351

SHA512
6747a3c8ce710bb043dbc0f8544b7949301207ebbf4e66b8d39dc9a05cec8c1b41141babf489a1ecc2b03cce08f19c209b8172ee252bc619d96f73afcbf9b34a

Download Submit
C:\Windows\System32\HuceeKw.exe

Filesize
2.7MB

MD5
7a1575d0c0017d849392dd21b58df81d

SHA1
c17d3a5f7f5f645d461481b0686c2e54f3cca86b

SHA256
dc61be214f240af32dd95bd397f621c79c29234b2fb0987b0282772973040877

SHA512
156a9fee0a61e02966c8b5b26077b8a9eca6e93ec8e218eaee777370e95d5c79cc826382663d47c0a4a43289a6a57e08ac3ecf6bfc2fff7dafd7937237ffd6e3

Download Submit
C:\Windows\System32\IRPWwMO.exe

Filesize
2.7MB

MD5
6fd642e924c002f05363bc19b8b2e22b

SHA1
82fec0199ad1c77b6ef887e4e7ea892dc18b20f5

SHA256
0e2cef648eddc29a7cecf31aa40067bb23978db8cd9fe4fe3e170bfbe3486c84

SHA512
03aa7c2d6ff5104e4e11c62f4562c5f99a7adf05ed578b157833298e4bcddfc4ebae54e5cbc356c0cf8e4052f17dd0c65e183e8ff54479d74633861c427bad5c

Download Submit
C:\Windows\System32\KIsssYb.exe

Filesize
2.8MB

MD5
071dd1c7cdfcb97b91fb68b04130b793

SHA1
afed9b09b188ff42498855fa8811a5f0d77bd4c7

SHA256
f5a8479505841502e0f3eeab20343ab80acef1a606ce6930d471719af2578880

SHA512
88a117b90169e9456b50847fb0617c8a118d2f04455a30f84637580e9799952bd1a94b92acf831ff8836b5b1106506e907e808e7043acfb53c94c1d6d752c6a6

Download Submit
C:\Windows\System32\LJRRlkJ.exe

Filesize
2.7MB

MD5
fc6e02a44b058732cdf84b1dcbfe9775

SHA1
86a8a7b52b3fc167584dd5453711302617492346

SHA256
b4b38a976e8d1c5bc2640b3c881fde3523822be3fe1ab48ed7303bd865964ed6

SHA512
64f5d8ffd9b321b2a0dac902806b41dab2fa16685b5f9a7c259a3f63a26b39dd0596ea496e17e38370703b4c014da1f0f97827537c64f105ecbbc81f1f36a488

Download Submit
C:\Windows\System32\OpPxIlE.exe

Filesize
2.8MB

MD5
4ca17550b9016397951d6f69d68a9358

SHA1
0d6f278db08a7115c582191dd530e30022cb34c2

SHA256
5c1e14058e8a69d71da0e0861e1a27c6a05bf820619752eb3101abb0bd56eefd

SHA512
43622ec72746f4d96ddab32799a4879a5ecf89a3465e5f467a53cd7a557669b149b3c08fbcc83123bcfc6f0b76ea13cac04e41ce6d291efa2afed14801bf3851

Download Submit
C:\Windows\System32\SbbwKlh.exe

Filesize
2.7MB

MD5
d269be23f34a57de737a3271e3134f4d

SHA1
301075edb63eaba809f4a82170421b7b205d0d2f

SHA256
ae2b3a5f94e9cc37dfd77f69ff0789c9c673f5ad9e6136ab447fcd56eecafa7e

SHA512
85488e90cdc807c1d79cf1a046525d8ea265781bb6b07e2a1c3fc22e91e36036fd1687827d596418ca7ede2ef27b35974d2ccc18846bfacb6180cbe983d7c423

Download Submit
C:\Windows\System32\SeguJTd.exe

Filesize
2.8MB

MD5
686c2d9c070a958318ac7bf0855292e0

SHA1
481723067f172bdadae5713b9b885b84cf1f5908

SHA256
bf9309d74c8f6166bfe66f968391e199bd777013cfbbe8ff8d1436d04e117c32

SHA512
6f21e4e02ea422ac968228c3da506223ea43e2ed0c6a0376773eefbcc5ed31b38c50d021552977e04c5567c1d087d0fa81d4741cd7495f40cf79410010c9c96c

Download Submit
C:\Windows\System32\WajtOzG.exe

Filesize
2.8MB

MD5
322d2e886475346ef050621cd5493bf7

SHA1
4f9386d0192ca57faba9ec39999187ea96102e24

SHA256
7fe9f1b5b0b884204d820560bd28e166471c4a4be8fd4e00df0063d7d4b33c97

SHA512
2650c951427fbbdd96e9a11e898e06018102bc3cfb3ea75a9047404abe8207b7d07964550c21ca87f57ed663387b373988f3af53a06d0b66b0eb041cdf11f1b1

Download Submit
C:\Windows\System32\ZEYJGUS.exe

Filesize
2.8MB

MD5
68fc4ddf538944935e82bf3376a07999

SHA1
9b4de0ebd054b6a3142ba0a7bca5248f712874ea

SHA256
eb794d9c597239d6462b202cd81fd4cbca145f3b5c5edf33f0095c578e216b46

SHA512
aa4470506e96b80351140233b455b59283441de44ef0b5a50cbe9042d2b1ff5967aef3e622187898120b6cbbbaa06c9ed45ba326659dc5ff096a393eb7827e53

Download Submit
C:\Windows\System32\ZGvLBjO.exe

Filesize
2.8MB

MD5
b7e61ec72915ce1a82f883fb32acdc3d

SHA1
2a014caa99989be7c5ab9b192beda69c543898f0

SHA256
b0c7a40fa74ccf290aed077eff094bb2324d0890d4b0687521989925343f1a2d

SHA512
082b05f0989136740f2b6d0dc80751e92501e93bf75fcfc1095226b095749da31341bea130b16de233ff4f10f71ae98fb950da11e71275120394e80fe8b5a736

Download Submit
C:\Windows\System32\ZmyiThN.exe

Filesize
2.8MB

MD5
2bb8db1ccc64d06576d01fe33f597773

SHA1
d7482462229b73d328f882f7d2e3818023c84b49

SHA256
16970c6b8d9b3dfd7a83c171422e269bbe8b3332135d472302b9b901bcbdeee1

SHA512
19829cdc5100dc2f7f5c342dec5a73adea0c4b1acef8a12ba1c732350d158808cb7cd21d6fd645298ec4b991699eb03dad55f0430a5049ac54ebc2f3dea8409b

Download Submit
C:\Windows\System32\aYmvQMB.exe

Filesize
2.7MB

MD5
84b5ad39c5954a7fb040d3b763391cb3

SHA1
f4ef8a337e9b2092038d978a6e1ab4eb19bb42bb

SHA256
c290c66d4636f6fc9bfb73bf3998c36a213cd2bf8f5e89ed4a9503c9e4462f1c

SHA512
e74760c15675d2f5e0c78723562ffcecf21635b85b968b43f2c68e8b7143f7bc4111311b50789706fcbde955a74375bedd2ca6f75bf85940e9af37be69f854df

Download Submit
C:\Windows\System32\bupEsVP.exe

Filesize
2.8MB

MD5
6b1da1b77b63ef9b70be5c4b8365e6a7

SHA1
3e9a8588c10625cd5911625f50b4b47edcd1e615

SHA256
22e5bebd5fe0f20be1fa69ac409c17d1407c383d2d75efa8588479b393d245d5

SHA512
74ba29e1f25587f36ea33405106571ef6ecd2fdaeca4d3c403bf2100e1a01b911abd443845bb60650d8ff88fbc58182460e7092ca8111d3c1c09c0e2fad3890f

Download Submit
C:\Windows\System32\efULDWn.exe

Filesize
2.8MB

MD5
c5b0a7dc4a3124230c57e2b2f69dacd6

SHA1
755d7425bd8f95391642769e482c70175153eb04

SHA256
c3511377ed96bfd437917bb21a186554fd129ea5ecff012b50232e5949e0453c

SHA512
f9390bf3ae921e225ecb07c6592e94540c9d709e275e89220bf2233325fd8edfef266b707999c07edd664ad499eb34b63c84aff82c86385aeb3010b9f551062a

Download Submit
C:\Windows\System32\gaQCHgd.exe

Filesize
2.7MB

MD5
7888b5920214644d4afb3be282a49eb1

SHA1
37a5ac3106638fef39fbc718f85c94a0f6adf1d7

SHA256
db5e6b0e31c127f2423f0d0eb4c6d79d145d0b125507d05ced6005040775cb82

SHA512
c969b439747db219cced8056e38ee8fde210a9987d24f097034685ea979f1f607ffd049e5bb721b30354d6c3bf52f0785ece587bc9900c2432c50edbe28deeb3

Download Submit
C:\Windows\System32\hFcRdLb.exe

Filesize
2.8MB

MD5
4806ee5b0ecbbbb50aeb8e49a7006e49

SHA1
2f47a486fbac02573947876aee41d826482ba847

SHA256
0a220a9c6e9b4e1d37684134af0c754dcff4c4132cd5e1c3650ab6b1b2c100f7

SHA512
508b6de380c64d82fba1d91ab9cc4da56ed31eb8cff6833b6502551eae9be4daba8b0b021d9db19d2cdfd1af3a38eb7317672cfc3de16ac45c96fb61e4762ac2

Download Submit
C:\Windows\System32\hOIoyHZ.exe

Filesize
2.7MB

MD5
55f0a4b6a9ecea44f7c301daffc42f87

SHA1
5f390ac5dbf0d39ac95b40507e7dbee378b70a9a

SHA256
33e34669cb517f83f44c555626282b629ab3a672a4df02ff53e17b3ca51397cb

SHA512
acdecb20f4705e872e27bd24782aed551c791f1bc6f043da0197fe1651af103b90aff12313aeb490c2a6cd84871c6f0f9062fa5a84102a70881256397500c01a

Download Submit
C:\Windows\System32\nQmPrGR.exe

Filesize
2.8MB

MD5
ed0471d299ecce6490a2f36202649f6f

SHA1
bf04ab0531a2b6a18594892528d92e37ff0bf68e

SHA256
c7f20e1eaf9d0a8db113872a6dba3ae94a3c87ef02aa0b7b7b25f319196bdace

SHA512
d2f463ddfa6515c7218f62d90774f53d072e2f330da739835267e5bcb9fb2e58094dfeb09f4df9f11c2b0b314b10ff87300db20eeffb33da988e89496dac2171

Download Submit
C:\Windows\System32\nVDGSMy.exe

Filesize
2.8MB

MD5
235c5ebce121e82972df8e4af2190edb

SHA1
9e0ca925296c47d1368c17191ceddc87ff5ee704

SHA256
6d5ee1cd3d8df3360837a95b889ed00f9bb1646ecab9f1ca4abf83aa8385519b

SHA512
5bdb514ea4cce8e06d16b7de28ec5c5b116070f285bb8263f0565f207b1abd5d1f2112335073b13cdbd8d2e5aca8f7a42141ba7489c59400405bc3659f0aa54d

Download Submit
C:\Windows\System32\nsmdWCq.exe

Filesize
2.7MB

MD5
37e2de605becdeb236271f73cbb13f65

SHA1
92afd96997bf296ff8fc84bc55bd3a02542b0ca1

SHA256
be8a079b2ca31cac6a9d9f3f6addd3dc144464078e2eea094b97325d0ea3dde5

SHA512
4ec67a3529aac536f3ecd0da31aad61657ad9d23451256c1cbc634400aee9fac50ab30d3407a78423f58142027a3dc443e097e85b3887560eafa2214db77b5ad

Download Submit
C:\Windows\System32\sIPdGTX.exe

Filesize
2.8MB

MD5
ddc16da53bd19f0083f0cc42864317ae

SHA1
d3f8021b9547bd4a0a625131ff105492f4b39dbe

SHA256
e8fa9bd9a2c7696f24829b9dfd0bf24886a901d59b467abc7d19ac46d1724652

SHA512
c050da9e4a075201350427b208d2dd930da3e0eabf4e5f8d8b54d2fe50b9b0c18e793c967cd4cb51f7e152f9451e25acdbc060c3d8e042ab37515d62d066c671

Download Submit
C:\Windows\System32\tqxxEYb.exe

Filesize
2.7MB

MD5
61ae715de47d99f1c1e9e4323c846e90

SHA1
9eeaab21db6e54a36c28e9ce18f9463a3ea1dd51

SHA256
e96fdd983c332796a8218e1390d9ce61e7da2db2c1ac853e7b2019842778dfa3

SHA512
61f995608b7550192a84751ff7f46b388fce3db0009d53c1182bb7f62333add0b4f77e5ff2c005b3ac8f2c5102a5a39fb20df89c5caef7c19871d33677f4429a

Download Submit
C:\Windows\System32\uBdkCDE.exe

Filesize
2.7MB

MD5
bf603e2ec3c2dc27f796f34734fa69bd

SHA1
1acef1d656b3a586b929e3b6dd96385fd20c5fb9

SHA256
e959502c015848e7aafb9c5b9b3085530398650c8466e81f5f4a44667f052e8f

SHA512
aaca5be101b7d2efc48446cecc8477ea46abe60f3ae9eedefb489b6f742293df855c580d743655b65bcb42270cd64d3cbbe19cc2a0eedc6978dad419397fdfdd

Download Submit
C:\Windows\System32\wTzsuKj.exe

Filesize
2.7MB

MD5
fe2a9d93f74a57180c5f4e4a173735e4

SHA1
c4179a507f94b31c9efc0db8d9eb78368178fd9d

SHA256
8d3092c1a0b79fb1e47081803d5c2123e5a50126f9fe074d8c78abf2e3b95f23

SHA512
3ebb7573c04cce37ff2eb3e0cd49e2badbcd4ee86baa8ff5a57a74c602eea369988bb4f78cac243aa76dc172101154f92b728dea83b7fe495603742727c11b58

Download Submit
C:\Windows\System32\xFRWJXl.exe

Filesize
2.8MB

MD5
7d419512de4015ec99c89d2e9873c2a3

SHA1
c95119cf21069f25b61b3f45099c36dd05af4851

SHA256
200cc430da66e89ca9d44351753efd2dccb8fc62fd933f2a102ccac027c78e73

SHA512
949bbae0e679a615a896040d58634b49fbe9756cc1308299e578a25d0832235f1c21d716e240c6373fd00b495302b61d5ef183d01da081b166b127b94e0367ed

Download Submit
C:\Windows\System32\xebdUxi.exe

Filesize
2.7MB

MD5
0c79db3c8e5d90b006760276993c80aa

SHA1
c5f095dce4d4c617a833bb2fa3c255ce405b1959

SHA256
80f2c1823680dfd4968f7bf6c66203bdef9c1b05c907c9f5c6cf0c65da679499

SHA512
74cdc1a94da6242ee05786e1b9e336b073f7531d962dd92af6e59a4a81feed876d89b00bcb9c13c40afd127a0afd60acc6f61e8c29198b4cdef4e9c301510037

Download Submit
C:\Windows\System32\yCQMtsf.exe

Filesize
2.7MB

MD5
eb3b12344de4b1adddea1d0993d16d53

SHA1
af2d07c2b97926a309f2d8857d506bd18d2990bb

SHA256
c3f4899309e3ab9dba34a30dd48c752c642a1ba2691715c87204b3ed6835ec12

SHA512
4faf01b2d81a2018b71566633e6095fcc1238ba75eac74ab4d81a679b7767a5ab073293ef77c7f9364e2f0a3a110c85f5c93131789c5c86aeefc9a0640ec704d

Download Submit
C:\Windows\System32\zYtKWpY.exe

Filesize
2.7MB

MD5
5ea3f1945288077d214014484a07902c

SHA1
184d28031282f1dc51f13d5a39e40e59468fb661

SHA256
77d641a6a27dabe1085b379ba90cbe112fea6a400ad95ce4d09e4c1677686f66

SHA512
ce2c1a42c641832618c367f4507561d3fc727213ccf13cfa42de0d64dd189d9978c662adba928b7f9aa9a76739b9277fdaee2f088e5da48df7586d8cf388c6d1

Download Submit
memory/372-536-0x00007FF60C9F0000-0x00007FF60CDE5000-memory.dmp

Filesize
4.0MB

Download
memory/372-1956-0x00007FF60C9F0000-0x00007FF60CDE5000-memory.dmp

Filesize
4.0MB

Download
memory/832-1963-0x00007FF76B910000-0x00007FF76BD05000-memory.dmp

Filesize
4.0MB

Download
memory/832-569-0x00007FF76B910000-0x00007FF76BD05000-memory.dmp

Filesize
4.0MB

Download
memory/1252-534-0x00007FF7B5320000-0x00007FF7B5715000-memory.dmp

Filesize
4.0MB

Download
memory/1252-1952-0x00007FF7B5320000-0x00007FF7B5715000-memory.dmp

Filesize
4.0MB

Download
memory/1856-582-0x00007FF7448B0000-0x00007FF744CA5000-memory.dmp

Filesize
4.0MB

Download
memory/1856-1968-0x00007FF7448B0000-0x00007FF744CA5000-memory.dmp

Filesize
4.0MB

Download
memory/2252-584-0x00007FF7666D0000-0x00007FF766AC5000-memory.dmp

Filesize
4.0MB

Download
memory/2252-1962-0x00007FF7666D0000-0x00007FF766AC5000-memory.dmp

Filesize
4.0MB

Download
memory/2296-535-0x00007FF7511C0000-0x00007FF7515B5000-memory.dmp

Filesize
4.0MB

Download
memory/2296-1951-0x00007FF7511C0000-0x00007FF7515B5000-memory.dmp

Filesize
4.0MB

Download
memory/2864-548-0x00007FF6CB580000-0x00007FF6CB975000-memory.dmp

Filesize
4.0MB

Download
memory/2864-1954-0x00007FF6CB580000-0x00007FF6CB975000-memory.dmp

Filesize
4.0MB

Download
memory/3008-1-0x000001F301040000-0x000001F301050000-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x00007FF69BBC0000-0x00007FF69BFB5000-memory.dmp

Filesize
4.0MB

Download
memory/3124-560-0x00007FF692B20000-0x00007FF692F15000-memory.dmp

Filesize
4.0MB

Download
memory/3124-1965-0x00007FF692B20000-0x00007FF692F15000-memory.dmp

Filesize
4.0MB

Download
memory/3288-1967-0x00007FF77C750000-0x00007FF77CB45000-memory.dmp

Filesize
4.0MB

Download
memory/3288-589-0x00007FF77C750000-0x00007FF77CB45000-memory.dmp

Filesize
4.0MB

Download
memory/3420-533-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp

Filesize
4.0MB

Download
memory/3420-1950-0x00007FF747DD0000-0x00007FF7481C5000-memory.dmp

Filesize
4.0MB

Download
memory/3460-1947-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp

Filesize
4.0MB

Download
memory/3460-530-0x00007FF7AD140000-0x00007FF7AD535000-memory.dmp

Filesize
4.0MB

Download
memory/3856-556-0x00007FF7F4500000-0x00007FF7F48F5000-memory.dmp

Filesize
4.0MB

Download
memory/3856-1959-0x00007FF7F4500000-0x00007FF7F48F5000-memory.dmp

Filesize
4.0MB

Download
memory/3904-1960-0x00007FF7A2820000-0x00007FF7A2C15000-memory.dmp

Filesize
4.0MB

Download
memory/3904-595-0x00007FF7A2820000-0x00007FF7A2C15000-memory.dmp

Filesize
4.0MB

Download
memory/3916-14-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp

Filesize
4.0MB

Download
memory/3916-1969-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp

Filesize
4.0MB

Download
memory/3916-1945-0x00007FF78BD10000-0x00007FF78C105000-memory.dmp

Filesize
4.0MB

Download
memory/4124-531-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp

Filesize
4.0MB

Download
memory/4124-1948-0x00007FF7AB110000-0x00007FF7AB505000-memory.dmp

Filesize
4.0MB

Download
memory/4148-1949-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp

Filesize
4.0MB

Download
memory/4148-532-0x00007FF7A3770000-0x00007FF7A3B65000-memory.dmp

Filesize
4.0MB

Download
memory/4216-563-0x00007FF66F390000-0x00007FF66F785000-memory.dmp

Filesize
4.0MB

Download
memory/4216-1958-0x00007FF66F390000-0x00007FF66F785000-memory.dmp

Filesize
4.0MB

Download
memory/4384-1957-0x00007FF71FE90000-0x00007FF720285000-memory.dmp

Filesize
4.0MB

Download
memory/4384-575-0x00007FF71FE90000-0x00007FF720285000-memory.dmp

Filesize
4.0MB

Download
memory/5068-1966-0x00007FF7B9B80000-0x00007FF7B9F75000-memory.dmp

Filesize
4.0MB

Download
memory/5068-597-0x00007FF7B9B80000-0x00007FF7B9F75000-memory.dmp

Filesize
4.0MB

Download
memory/5140-1964-0x00007FF7FFBC0000-0x00007FF7FFFB5000-memory.dmp

Filesize
4.0MB

Download
memory/5140-567-0x00007FF7FFBC0000-0x00007FF7FFFB5000-memory.dmp

Filesize
4.0MB

Download
memory/5160-1955-0x00007FF6079B0000-0x00007FF607DA5000-memory.dmp

Filesize
4.0MB

Download
memory/5160-538-0x00007FF6079B0000-0x00007FF607DA5000-memory.dmp

Filesize
4.0MB

Download
memory/5424-553-0x00007FF6D9480000-0x00007FF6D9875000-memory.dmp

Filesize
4.0MB

Download
memory/5424-1961-0x00007FF6D9480000-0x00007FF6D9875000-memory.dmp

Filesize
4.0MB

Download
memory/5972-10-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp

Filesize
4.0MB

Download
memory/5972-1946-0x00007FF70BFA0000-0x00007FF70C395000-memory.dmp

Filesize
4.0MB

Download
memory/6052-1953-0x00007FF7D5690000-0x00007FF7D5A85000-memory.dmp

Filesize
4.0MB

Download
memory/6052-537-0x00007FF7D5690000-0x00007FF7D5A85000-memory.dmp

Filesize
4.0MB

Download