xmrig | b89d3dee0caee27f0879650a47a5a5c3f6e128e64c5bef14cbe6a4f0aef8da35

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
Size

2.9MB
MD5

ae9bfe7acda7bfd29fb0b487a101fa20
SHA1

a4625ecd1d58d3097bef7c236e54eaaf68c4ec8f
SHA256

b89d3dee0caee27f0879650a47a5a5c3f6e128e64c5bef14cbe6a4f0aef8da35
SHA512

c598bd4ea8a41d28129bff7654fa9ddefff7c2fceb1a75acf0ea1d8375b0cf094dcea6954f7216d00779c8d1c81d67f0adcbb6497e68854a6d3ab31b0ed576e8
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzcDwq6Sd0R7qV2YW:w0GnJMOWPClFdx6e0EALKWVTffZiPAcB

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2740-0-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp	xmrig
behavioral2/files/0x0009000000023406-6.dat	xmrig
behavioral2/files/0x000700000002340d-9.dat	xmrig
behavioral2/memory/2472-12-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	xmrig
behavioral2/files/0x000700000002340e-10.dat	xmrig
behavioral2/files/0x000700000002340f-20.dat	xmrig
behavioral2/files/0x0007000000023410-28.dat	xmrig
behavioral2/memory/2164-32-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-33.dat	xmrig
behavioral2/files/0x0007000000023413-42.dat	xmrig
behavioral2/files/0x0007000000023416-59.dat	xmrig
behavioral2/files/0x0007000000023417-64.dat	xmrig
behavioral2/files/0x0007000000023419-72.dat	xmrig
behavioral2/files/0x000700000002341a-79.dat	xmrig
behavioral2/files/0x000700000002341e-99.dat	xmrig
behavioral2/files/0x0007000000023425-134.dat	xmrig
behavioral2/files/0x0007000000023429-152.dat	xmrig
behavioral2/memory/2024-553-0x00007FF767A20000-0x00007FF767E15000-memory.dmp	xmrig
behavioral2/memory/5048-554-0x00007FF7B5170000-0x00007FF7B5565000-memory.dmp	xmrig
behavioral2/memory/436-555-0x00007FF74E4B0000-0x00007FF74E8A5000-memory.dmp	xmrig
behavioral2/memory/468-556-0x00007FF7508D0000-0x00007FF750CC5000-memory.dmp	xmrig
behavioral2/memory/4116-557-0x00007FF72D0B0000-0x00007FF72D4A5000-memory.dmp	xmrig
behavioral2/memory/644-558-0x00007FF712780000-0x00007FF712B75000-memory.dmp	xmrig
behavioral2/memory/4128-559-0x00007FF6D8250000-0x00007FF6D8645000-memory.dmp	xmrig
behavioral2/memory/5060-560-0x00007FF6DA170000-0x00007FF6DA565000-memory.dmp	xmrig
behavioral2/memory/2392-570-0x00007FF7AC500000-0x00007FF7AC8F5000-memory.dmp	xmrig
behavioral2/memory/1796-575-0x00007FF6CC1F0000-0x00007FF6CC5E5000-memory.dmp	xmrig
behavioral2/memory/4296-582-0x00007FF691440000-0x00007FF691835000-memory.dmp	xmrig
behavioral2/memory/3036-591-0x00007FF7D34F0000-0x00007FF7D38E5000-memory.dmp	xmrig
behavioral2/memory/3836-595-0x00007FF72EF30000-0x00007FF72F325000-memory.dmp	xmrig
behavioral2/memory/1324-601-0x00007FF701EF0000-0x00007FF7022E5000-memory.dmp	xmrig
behavioral2/memory/3156-587-0x00007FF6D6040000-0x00007FF6D6435000-memory.dmp	xmrig
behavioral2/memory/2372-606-0x00007FF7EF3E0000-0x00007FF7EF7D5000-memory.dmp	xmrig
behavioral2/memory/2188-607-0x00007FF7E37C0000-0x00007FF7E3BB5000-memory.dmp	xmrig
behavioral2/memory/1472-611-0x00007FF7A3600000-0x00007FF7A39F5000-memory.dmp	xmrig
behavioral2/memory/3704-603-0x00007FF749D10000-0x00007FF74A105000-memory.dmp	xmrig
behavioral2/memory/2352-566-0x00007FF7E7040000-0x00007FF7E7435000-memory.dmp	xmrig
behavioral2/memory/4884-561-0x00007FF6D5A10000-0x00007FF6D5E05000-memory.dmp	xmrig
behavioral2/files/0x000700000002342b-164.dat	xmrig
behavioral2/files/0x000700000002342a-159.dat	xmrig
behavioral2/files/0x0007000000023428-149.dat	xmrig
behavioral2/files/0x0007000000023427-144.dat	xmrig
behavioral2/files/0x0007000000023426-139.dat	xmrig
behavioral2/files/0x0007000000023424-129.dat	xmrig
behavioral2/files/0x0007000000023423-124.dat	xmrig
behavioral2/files/0x0007000000023422-119.dat	xmrig
behavioral2/files/0x0007000000023421-114.dat	xmrig
behavioral2/files/0x0007000000023420-109.dat	xmrig
behavioral2/files/0x000700000002341f-104.dat	xmrig
behavioral2/files/0x000700000002341d-94.dat	xmrig
behavioral2/files/0x000700000002341c-89.dat	xmrig
behavioral2/files/0x000700000002341b-84.dat	xmrig
behavioral2/files/0x0007000000023418-69.dat	xmrig
behavioral2/files/0x0007000000023415-54.dat	xmrig
behavioral2/files/0x0007000000023414-49.dat	xmrig
behavioral2/files/0x0007000000023412-39.dat	xmrig
behavioral2/memory/4280-24-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	xmrig
behavioral2/memory/2472-1925-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	xmrig
behavioral2/memory/2740-1926-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp	xmrig
behavioral2/memory/4280-1927-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	xmrig
behavioral2/memory/2472-1928-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	xmrig
behavioral2/memory/4280-1929-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	xmrig
behavioral2/memory/2024-1930-0x00007FF767A20000-0x00007FF767E15000-memory.dmp	xmrig
behavioral2/memory/2164-1931-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2472	oFvcfJw.exe
4280	wZrdXja.exe
2024	KQknBTF.exe
2164	bOBUive.exe
5048	qLjoxTW.exe
1472	mrqhliT.exe
436	IZuqIXn.exe
468	brmkCzt.exe
4116	QIqDAjy.exe
644	lNFnoZm.exe
4128	lqAzbTj.exe
5060	hJDuTTe.exe
4884	IPhIAMs.exe
2352	iaHlSQB.exe
2392	IXyEDrp.exe
1796	HivFmlI.exe
4296	UHSuGrc.exe
3156	YAMhnCu.exe
3036	FNfCmEI.exe
3836	JwgwqCI.exe
1324	HXCxhVP.exe
3704	zlOBFfx.exe
2372	hVONZcY.exe
2188	JofQIjh.exe
3660	gNMDLlq.exe
3864	IdwNxeu.exe
2844	lusUDzW.exe
1104	VPQNOFB.exe
1640	nLizCMz.exe
3976	jDNIKJS.exe
984	vslVMbB.exe
4512	hPxfvZr.exe
3740	nurctQi.exe
836	gmtvXaL.exe
3368	bwFpyMH.exe
3708	dbnClpq.exe
1328	XktwMMo.exe
1976	NxAEthU.exe
2800	PZWHeqg.exe
4892	wCZkCJZ.exe
3688	uFZuhDn.exe
3152	TEpPnKA.exe
4720	rJdAlMS.exe
4464	jLcDNFa.exe
1068	YreFpVB.exe
4416	OrlFWRQ.exe
4424	QjoFYug.exe
3680	ROGYMhu.exe
4552	oIpSMjq.exe
920	LOBrJLv.exe
3320	nfhRnEr.exe
4612	JqWfZaa.exe
4376	VVVQUcD.exe
2176	bcDgFAH.exe
532	UlEvgSf.exe
1616	CMeImXp.exe
4076	wkgwIpU.exe
2056	SXSeToC.exe
2368	mKhTIZO.exe
3304	psdJVby.exe
4972	QZInVWQ.exe
2504	PkJsQnf.exe
3592	wxyqiHU.exe
1412	MAZKAvQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2740-0-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp	upx
behavioral2/files/0x0009000000023406-6.dat	upx
behavioral2/files/0x000700000002340d-9.dat	upx
behavioral2/memory/2472-12-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	upx
behavioral2/files/0x000700000002340e-10.dat	upx
behavioral2/files/0x000700000002340f-20.dat	upx
behavioral2/files/0x0007000000023410-28.dat	upx
behavioral2/memory/2164-32-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp	upx
behavioral2/files/0x0007000000023411-33.dat	upx
behavioral2/files/0x0007000000023413-42.dat	upx
behavioral2/files/0x0007000000023416-59.dat	upx
behavioral2/files/0x0007000000023417-64.dat	upx
behavioral2/files/0x0007000000023419-72.dat	upx
behavioral2/files/0x000700000002341a-79.dat	upx
behavioral2/files/0x000700000002341e-99.dat	upx
behavioral2/files/0x0007000000023425-134.dat	upx
behavioral2/files/0x0007000000023429-152.dat	upx
behavioral2/memory/2024-553-0x00007FF767A20000-0x00007FF767E15000-memory.dmp	upx
behavioral2/memory/5048-554-0x00007FF7B5170000-0x00007FF7B5565000-memory.dmp	upx
behavioral2/memory/436-555-0x00007FF74E4B0000-0x00007FF74E8A5000-memory.dmp	upx
behavioral2/memory/468-556-0x00007FF7508D0000-0x00007FF750CC5000-memory.dmp	upx
behavioral2/memory/4116-557-0x00007FF72D0B0000-0x00007FF72D4A5000-memory.dmp	upx
behavioral2/memory/644-558-0x00007FF712780000-0x00007FF712B75000-memory.dmp	upx
behavioral2/memory/4128-559-0x00007FF6D8250000-0x00007FF6D8645000-memory.dmp	upx
behavioral2/memory/5060-560-0x00007FF6DA170000-0x00007FF6DA565000-memory.dmp	upx
behavioral2/memory/2392-570-0x00007FF7AC500000-0x00007FF7AC8F5000-memory.dmp	upx
behavioral2/memory/1796-575-0x00007FF6CC1F0000-0x00007FF6CC5E5000-memory.dmp	upx
behavioral2/memory/4296-582-0x00007FF691440000-0x00007FF691835000-memory.dmp	upx
behavioral2/memory/3036-591-0x00007FF7D34F0000-0x00007FF7D38E5000-memory.dmp	upx
behavioral2/memory/3836-595-0x00007FF72EF30000-0x00007FF72F325000-memory.dmp	upx
behavioral2/memory/1324-601-0x00007FF701EF0000-0x00007FF7022E5000-memory.dmp	upx
behavioral2/memory/3156-587-0x00007FF6D6040000-0x00007FF6D6435000-memory.dmp	upx
behavioral2/memory/2372-606-0x00007FF7EF3E0000-0x00007FF7EF7D5000-memory.dmp	upx
behavioral2/memory/2188-607-0x00007FF7E37C0000-0x00007FF7E3BB5000-memory.dmp	upx
behavioral2/memory/1472-611-0x00007FF7A3600000-0x00007FF7A39F5000-memory.dmp	upx
behavioral2/memory/3704-603-0x00007FF749D10000-0x00007FF74A105000-memory.dmp	upx
behavioral2/memory/2352-566-0x00007FF7E7040000-0x00007FF7E7435000-memory.dmp	upx
behavioral2/memory/4884-561-0x00007FF6D5A10000-0x00007FF6D5E05000-memory.dmp	upx
behavioral2/files/0x000700000002342b-164.dat	upx
behavioral2/files/0x000700000002342a-159.dat	upx
behavioral2/files/0x0007000000023428-149.dat	upx
behavioral2/files/0x0007000000023427-144.dat	upx
behavioral2/files/0x0007000000023426-139.dat	upx
behavioral2/files/0x0007000000023424-129.dat	upx
behavioral2/files/0x0007000000023423-124.dat	upx
behavioral2/files/0x0007000000023422-119.dat	upx
behavioral2/files/0x0007000000023421-114.dat	upx
behavioral2/files/0x0007000000023420-109.dat	upx
behavioral2/files/0x000700000002341f-104.dat	upx
behavioral2/files/0x000700000002341d-94.dat	upx
behavioral2/files/0x000700000002341c-89.dat	upx
behavioral2/files/0x000700000002341b-84.dat	upx
behavioral2/files/0x0007000000023418-69.dat	upx
behavioral2/files/0x0007000000023415-54.dat	upx
behavioral2/files/0x0007000000023414-49.dat	upx
behavioral2/files/0x0007000000023412-39.dat	upx
behavioral2/memory/4280-24-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	upx
behavioral2/memory/2472-1925-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	upx
behavioral2/memory/2740-1926-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp	upx
behavioral2/memory/4280-1927-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	upx
behavioral2/memory/2472-1928-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp	upx
behavioral2/memory/4280-1929-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp	upx
behavioral2/memory/2024-1930-0x00007FF767A20000-0x00007FF767E15000-memory.dmp	upx
behavioral2/memory/2164-1931-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\piXNxrv.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\wbiRXPN.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\pHYUvrV.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\sMEcLkY.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\weaWGQo.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\XrWCByY.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\ylDdToW.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\mrABFhl.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\bOBUive.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\AWrvVpb.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\MuEqypk.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\bouqGED.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\rPBqhmA.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\mhxWmoe.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\kCusfOD.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\IuSrgAV.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\keYSAnV.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\JFfNXbX.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\cBUubpw.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\hFbLilf.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\VRccIBU.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\yqIoftj.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\IgNNnVC.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\vRAqDrQ.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\GuXXlfC.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\HqERDYf.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\yukcdqm.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\ywoSnZT.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\nskVtov.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\wZrdXja.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\WeIuwAM.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\ddOntqw.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\oFvcfJw.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\xLSclLF.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\hdSgqsK.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\mcOvymU.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\JBtNujS.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\exhlHgI.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\lfPkJCU.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\XRjpzrz.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\guIFVvG.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\eNozXQV.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\LCAwlOr.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\RmWNQlL.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\KsUHTBK.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\YpjtTdI.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\wzYqdtm.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\bKFUTzz.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\GSbpSRt.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\EvJNHuM.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\JtetHVB.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\tstsExr.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\wCZkCJZ.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\uCUCdZo.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\LtvgAqb.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\IzeUufo.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\udZzFCV.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\woyCvSx.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\UdZFwfs.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\IRrvKGO.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\cpmSeEw.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\ojUYXng.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\MHaYUxi.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
File created	C:\Windows\System32\JPCaWLQ.exe	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13924	dwm.exe
Token: SeChangeNotifyPrivilege	13924	dwm.exe
Token: 33	13924	dwm.exe
Token: SeIncBasePriorityPrivilege	13924	dwm.exe
Token: SeShutdownPrivilege	13924	dwm.exe
Token: SeCreatePagefilePrivilege	13924	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2472	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	83
PID 2740 wrote to memory of 2472	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	83
PID 2740 wrote to memory of 4280	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	84
PID 2740 wrote to memory of 4280	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	84
PID 2740 wrote to memory of 2024	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	85
PID 2740 wrote to memory of 2024	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	85
PID 2740 wrote to memory of 2164	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	86
PID 2740 wrote to memory of 2164	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	86
PID 2740 wrote to memory of 5048	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	87
PID 2740 wrote to memory of 5048	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	87
PID 2740 wrote to memory of 1472	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	88
PID 2740 wrote to memory of 1472	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	88
PID 2740 wrote to memory of 436	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	89
PID 2740 wrote to memory of 436	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	89
PID 2740 wrote to memory of 468	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	90
PID 2740 wrote to memory of 468	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	90
PID 2740 wrote to memory of 4116	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	91
PID 2740 wrote to memory of 4116	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	91
PID 2740 wrote to memory of 644	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	92
PID 2740 wrote to memory of 644	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	92
PID 2740 wrote to memory of 4128	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	93
PID 2740 wrote to memory of 4128	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	93
PID 2740 wrote to memory of 5060	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	94
PID 2740 wrote to memory of 5060	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	94
PID 2740 wrote to memory of 4884	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	95
PID 2740 wrote to memory of 4884	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	95
PID 2740 wrote to memory of 2352	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	96
PID 2740 wrote to memory of 2352	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	96
PID 2740 wrote to memory of 2392	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	97
PID 2740 wrote to memory of 2392	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	97
PID 2740 wrote to memory of 1796	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	98
PID 2740 wrote to memory of 1796	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	98
PID 2740 wrote to memory of 4296	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	99
PID 2740 wrote to memory of 4296	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	99
PID 2740 wrote to memory of 3156	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	100
PID 2740 wrote to memory of 3156	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	100
PID 2740 wrote to memory of 3036	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	101
PID 2740 wrote to memory of 3036	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	101
PID 2740 wrote to memory of 3836	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	102
PID 2740 wrote to memory of 3836	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	102
PID 2740 wrote to memory of 1324	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	103
PID 2740 wrote to memory of 1324	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	103
PID 2740 wrote to memory of 3704	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	104
PID 2740 wrote to memory of 3704	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	104
PID 2740 wrote to memory of 2372	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	105
PID 2740 wrote to memory of 2372	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	105
PID 2740 wrote to memory of 2188	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	106
PID 2740 wrote to memory of 2188	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	106
PID 2740 wrote to memory of 3660	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	107
PID 2740 wrote to memory of 3660	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	107
PID 2740 wrote to memory of 3864	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	108
PID 2740 wrote to memory of 3864	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	108
PID 2740 wrote to memory of 2844	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	109
PID 2740 wrote to memory of 2844	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	109
PID 2740 wrote to memory of 1104	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	110
PID 2740 wrote to memory of 1104	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	110
PID 2740 wrote to memory of 1640	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	111
PID 2740 wrote to memory of 1640	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	111
PID 2740 wrote to memory of 3976	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	112
PID 2740 wrote to memory of 3976	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	112
PID 2740 wrote to memory of 984	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	113
PID 2740 wrote to memory of 984	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	113
PID 2740 wrote to memory of 4512	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	114
PID 2740 wrote to memory of 4512	2740	ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ae9bfe7acda7bfd29fb0b487a101fa20_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System32\oFvcfJw.exe
  C:\Windows\System32\oFvcfJw.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\wZrdXja.exe
  C:\Windows\System32\wZrdXja.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\KQknBTF.exe
  C:\Windows\System32\KQknBTF.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\bOBUive.exe
  C:\Windows\System32\bOBUive.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\qLjoxTW.exe
  C:\Windows\System32\qLjoxTW.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\mrqhliT.exe
  C:\Windows\System32\mrqhliT.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\IZuqIXn.exe
  C:\Windows\System32\IZuqIXn.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\brmkCzt.exe
  C:\Windows\System32\brmkCzt.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\QIqDAjy.exe
  C:\Windows\System32\QIqDAjy.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\lNFnoZm.exe
  C:\Windows\System32\lNFnoZm.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System32\lqAzbTj.exe
  C:\Windows\System32\lqAzbTj.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\hJDuTTe.exe
  C:\Windows\System32\hJDuTTe.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\IPhIAMs.exe
  C:\Windows\System32\IPhIAMs.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\iaHlSQB.exe
  C:\Windows\System32\iaHlSQB.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\IXyEDrp.exe
  C:\Windows\System32\IXyEDrp.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\HivFmlI.exe
  C:\Windows\System32\HivFmlI.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System32\UHSuGrc.exe
  C:\Windows\System32\UHSuGrc.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\YAMhnCu.exe
  C:\Windows\System32\YAMhnCu.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\FNfCmEI.exe
  C:\Windows\System32\FNfCmEI.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\JwgwqCI.exe
  C:\Windows\System32\JwgwqCI.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\HXCxhVP.exe
  C:\Windows\System32\HXCxhVP.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System32\zlOBFfx.exe
  C:\Windows\System32\zlOBFfx.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\hVONZcY.exe
  C:\Windows\System32\hVONZcY.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\JofQIjh.exe
  C:\Windows\System32\JofQIjh.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\gNMDLlq.exe
  C:\Windows\System32\gNMDLlq.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\IdwNxeu.exe
  C:\Windows\System32\IdwNxeu.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\lusUDzW.exe
  C:\Windows\System32\lusUDzW.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\VPQNOFB.exe
  C:\Windows\System32\VPQNOFB.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\nLizCMz.exe
  C:\Windows\System32\nLizCMz.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\jDNIKJS.exe
  C:\Windows\System32\jDNIKJS.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\vslVMbB.exe
  C:\Windows\System32\vslVMbB.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System32\hPxfvZr.exe
  C:\Windows\System32\hPxfvZr.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\nurctQi.exe
  C:\Windows\System32\nurctQi.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\gmtvXaL.exe
  C:\Windows\System32\gmtvXaL.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System32\bwFpyMH.exe
  C:\Windows\System32\bwFpyMH.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\dbnClpq.exe
  C:\Windows\System32\dbnClpq.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\XktwMMo.exe
  C:\Windows\System32\XktwMMo.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\NxAEthU.exe
  C:\Windows\System32\NxAEthU.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\PZWHeqg.exe
  C:\Windows\System32\PZWHeqg.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\wCZkCJZ.exe
  C:\Windows\System32\wCZkCJZ.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System32\uFZuhDn.exe
  C:\Windows\System32\uFZuhDn.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\TEpPnKA.exe
  C:\Windows\System32\TEpPnKA.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System32\rJdAlMS.exe
  C:\Windows\System32\rJdAlMS.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System32\jLcDNFa.exe
  C:\Windows\System32\jLcDNFa.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\YreFpVB.exe
  C:\Windows\System32\YreFpVB.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\OrlFWRQ.exe
  C:\Windows\System32\OrlFWRQ.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\QjoFYug.exe
  C:\Windows\System32\QjoFYug.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\ROGYMhu.exe
  C:\Windows\System32\ROGYMhu.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System32\oIpSMjq.exe
  C:\Windows\System32\oIpSMjq.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\LOBrJLv.exe
  C:\Windows\System32\LOBrJLv.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\nfhRnEr.exe
  C:\Windows\System32\nfhRnEr.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\JqWfZaa.exe
  C:\Windows\System32\JqWfZaa.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\VVVQUcD.exe
  C:\Windows\System32\VVVQUcD.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\bcDgFAH.exe
  C:\Windows\System32\bcDgFAH.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\UlEvgSf.exe
  C:\Windows\System32\UlEvgSf.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\CMeImXp.exe
  C:\Windows\System32\CMeImXp.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System32\wkgwIpU.exe
  C:\Windows\System32\wkgwIpU.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\SXSeToC.exe
  C:\Windows\System32\SXSeToC.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\mKhTIZO.exe
  C:\Windows\System32\mKhTIZO.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\psdJVby.exe
  C:\Windows\System32\psdJVby.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System32\QZInVWQ.exe
  C:\Windows\System32\QZInVWQ.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\PkJsQnf.exe
  C:\Windows\System32\PkJsQnf.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\wxyqiHU.exe
  C:\Windows\System32\wxyqiHU.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\MAZKAvQ.exe
  C:\Windows\System32\MAZKAvQ.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\JlEJwiZ.exe
  C:\Windows\System32\JlEJwiZ.exe
  2⤵
  PID:5028
- C:\Windows\System32\YPzxwam.exe
  C:\Windows\System32\YPzxwam.exe
  2⤵
  PID:4196
- C:\Windows\System32\RbgYcyb.exe
  C:\Windows\System32\RbgYcyb.exe
  2⤵
  PID:1248
- C:\Windows\System32\LgeJXDY.exe
  C:\Windows\System32\LgeJXDY.exe
  2⤵
  PID:4092
- C:\Windows\System32\GAePCSk.exe
  C:\Windows\System32\GAePCSk.exe
  2⤵
  PID:5012
- C:\Windows\System32\oJeHNhf.exe
  C:\Windows\System32\oJeHNhf.exe
  2⤵
  PID:3756
- C:\Windows\System32\IsflbAN.exe
  C:\Windows\System32\IsflbAN.exe
  2⤵
  PID:3984
- C:\Windows\System32\DSPqIjF.exe
  C:\Windows\System32\DSPqIjF.exe
  2⤵
  PID:4064
- C:\Windows\System32\EPWOSnr.exe
  C:\Windows\System32\EPWOSnr.exe
  2⤵
  PID:2948
- C:\Windows\System32\yXkvltS.exe
  C:\Windows\System32\yXkvltS.exe
  2⤵
  PID:3088
- C:\Windows\System32\svywjnD.exe
  C:\Windows\System32\svywjnD.exe
  2⤵
  PID:3940
- C:\Windows\System32\VJNAPKr.exe
  C:\Windows\System32\VJNAPKr.exe
  2⤵
  PID:5144
- C:\Windows\System32\FPQtaff.exe
  C:\Windows\System32\FPQtaff.exe
  2⤵
  PID:5172
- C:\Windows\System32\yCVnmSU.exe
  C:\Windows\System32\yCVnmSU.exe
  2⤵
  PID:5200
- C:\Windows\System32\dTsxEqF.exe
  C:\Windows\System32\dTsxEqF.exe
  2⤵
  PID:5228
- C:\Windows\System32\kPXlAIz.exe
  C:\Windows\System32\kPXlAIz.exe
  2⤵
  PID:5256
- C:\Windows\System32\eBsiYsg.exe
  C:\Windows\System32\eBsiYsg.exe
  2⤵
  PID:5284
- C:\Windows\System32\UeCGCcg.exe
  C:\Windows\System32\UeCGCcg.exe
  2⤵
  PID:5312
- C:\Windows\System32\XaXKRfj.exe
  C:\Windows\System32\XaXKRfj.exe
  2⤵
  PID:5340
- C:\Windows\System32\nGAVKYn.exe
  C:\Windows\System32\nGAVKYn.exe
  2⤵
  PID:5368
- C:\Windows\System32\XDafsqv.exe
  C:\Windows\System32\XDafsqv.exe
  2⤵
  PID:5396
- C:\Windows\System32\JqbtiOU.exe
  C:\Windows\System32\JqbtiOU.exe
  2⤵
  PID:5424
- C:\Windows\System32\DbpvNLd.exe
  C:\Windows\System32\DbpvNLd.exe
  2⤵
  PID:5452
- C:\Windows\System32\WoWDgSX.exe
  C:\Windows\System32\WoWDgSX.exe
  2⤵
  PID:5480
- C:\Windows\System32\mnzpIDy.exe
  C:\Windows\System32\mnzpIDy.exe
  2⤵
  PID:5508
- C:\Windows\System32\DYPXgXG.exe
  C:\Windows\System32\DYPXgXG.exe
  2⤵
  PID:5536
- C:\Windows\System32\RyMCODx.exe
  C:\Windows\System32\RyMCODx.exe
  2⤵
  PID:5564
- C:\Windows\System32\bmwipGR.exe
  C:\Windows\System32\bmwipGR.exe
  2⤵
  PID:5592
- C:\Windows\System32\mbQFSJB.exe
  C:\Windows\System32\mbQFSJB.exe
  2⤵
  PID:5620
- C:\Windows\System32\Naqtpwk.exe
  C:\Windows\System32\Naqtpwk.exe
  2⤵
  PID:5648
- C:\Windows\System32\pOVVfzr.exe
  C:\Windows\System32\pOVVfzr.exe
  2⤵
  PID:5676
- C:\Windows\System32\arCvFqV.exe
  C:\Windows\System32\arCvFqV.exe
  2⤵
  PID:5704
- C:\Windows\System32\QJWUPHV.exe
  C:\Windows\System32\QJWUPHV.exe
  2⤵
  PID:5732
- C:\Windows\System32\nnnTSdi.exe
  C:\Windows\System32\nnnTSdi.exe
  2⤵
  PID:5760
- C:\Windows\System32\vRAqDrQ.exe
  C:\Windows\System32\vRAqDrQ.exe
  2⤵
  PID:5796
- C:\Windows\System32\weaWGQo.exe
  C:\Windows\System32\weaWGQo.exe
  2⤵
  PID:5816
- C:\Windows\System32\FCZYtRk.exe
  C:\Windows\System32\FCZYtRk.exe
  2⤵
  PID:5844
- C:\Windows\System32\nBVUFLT.exe
  C:\Windows\System32\nBVUFLT.exe
  2⤵
  PID:5872
- C:\Windows\System32\pULyDtS.exe
  C:\Windows\System32\pULyDtS.exe
  2⤵
  PID:5900
- C:\Windows\System32\koouRqw.exe
  C:\Windows\System32\koouRqw.exe
  2⤵
  PID:5928
- C:\Windows\System32\IsuJFQx.exe
  C:\Windows\System32\IsuJFQx.exe
  2⤵
  PID:5956
- C:\Windows\System32\uzOVQkm.exe
  C:\Windows\System32\uzOVQkm.exe
  2⤵
  PID:5984
- C:\Windows\System32\coTWBCE.exe
  C:\Windows\System32\coTWBCE.exe
  2⤵
  PID:6012
- C:\Windows\System32\VXGVwVD.exe
  C:\Windows\System32\VXGVwVD.exe
  2⤵
  PID:6040
- C:\Windows\System32\WWYmkbT.exe
  C:\Windows\System32\WWYmkbT.exe
  2⤵
  PID:6068
- C:\Windows\System32\PXnbYws.exe
  C:\Windows\System32\PXnbYws.exe
  2⤵
  PID:6096
- C:\Windows\System32\cVENKEC.exe
  C:\Windows\System32\cVENKEC.exe
  2⤵
  PID:6124
- C:\Windows\System32\YMuOdKD.exe
  C:\Windows\System32\YMuOdKD.exe
  2⤵
  PID:4724
- C:\Windows\System32\VdStzfA.exe
  C:\Windows\System32\VdStzfA.exe
  2⤵
  PID:2724
- C:\Windows\System32\AMmfqVm.exe
  C:\Windows\System32\AMmfqVm.exe
  2⤵
  PID:2420
- C:\Windows\System32\ybAwLjy.exe
  C:\Windows\System32\ybAwLjy.exe
  2⤵
  PID:2180
- C:\Windows\System32\nNtTazY.exe
  C:\Windows\System32\nNtTazY.exe
  2⤵
  PID:628
- C:\Windows\System32\LnewCjZ.exe
  C:\Windows\System32\LnewCjZ.exe
  2⤵
  PID:5160
- C:\Windows\System32\NaKKGWU.exe
  C:\Windows\System32\NaKKGWU.exe
  2⤵
  PID:5240
- C:\Windows\System32\HgApbiZ.exe
  C:\Windows\System32\HgApbiZ.exe
  2⤵
  PID:5308
- C:\Windows\System32\fLoLPbL.exe
  C:\Windows\System32\fLoLPbL.exe
  2⤵
  PID:5356
- C:\Windows\System32\vbDGHoh.exe
  C:\Windows\System32\vbDGHoh.exe
  2⤵
  PID:5436
- C:\Windows\System32\XrWCByY.exe
  C:\Windows\System32\XrWCByY.exe
  2⤵
  PID:5504
- C:\Windows\System32\paSjWHT.exe
  C:\Windows\System32\paSjWHT.exe
  2⤵
  PID:5552
- C:\Windows\System32\wXmKNdn.exe
  C:\Windows\System32\wXmKNdn.exe
  2⤵
  PID:5608
- C:\Windows\System32\boJNmEC.exe
  C:\Windows\System32\boJNmEC.exe
  2⤵
  PID:5688
- C:\Windows\System32\hDqZZMu.exe
  C:\Windows\System32\hDqZZMu.exe
  2⤵
  PID:5756
- C:\Windows\System32\KhAcxrF.exe
  C:\Windows\System32\KhAcxrF.exe
  2⤵
  PID:5808
- C:\Windows\System32\IJTnieH.exe
  C:\Windows\System32\IJTnieH.exe
  2⤵
  PID:5884
- C:\Windows\System32\JWIMqcv.exe
  C:\Windows\System32\JWIMqcv.exe
  2⤵
  PID:5952
- C:\Windows\System32\DTRggut.exe
  C:\Windows\System32\DTRggut.exe
  2⤵
  PID:6008
- C:\Windows\System32\ZjdsGNs.exe
  C:\Windows\System32\ZjdsGNs.exe
  2⤵
  PID:6064
- C:\Windows\System32\laPUhAV.exe
  C:\Windows\System32\laPUhAV.exe
  2⤵
  PID:6112
- C:\Windows\System32\enLhPRq.exe
  C:\Windows\System32\enLhPRq.exe
  2⤵
  PID:3792
- C:\Windows\System32\RHJKqSh.exe
  C:\Windows\System32\RHJKqSh.exe
  2⤵
  PID:4056
- C:\Windows\System32\jsfheMg.exe
  C:\Windows\System32\jsfheMg.exe
  2⤵
  PID:5212
- C:\Windows\System32\YnJIhss.exe
  C:\Windows\System32\YnJIhss.exe
  2⤵
  PID:5384
- C:\Windows\System32\zvraeKt.exe
  C:\Windows\System32\zvraeKt.exe
  2⤵
  PID:5476
- C:\Windows\System32\DLajAGN.exe
  C:\Windows\System32\DLajAGN.exe
  2⤵
  PID:5636
- C:\Windows\System32\DTocyiS.exe
  C:\Windows\System32\DTocyiS.exe
  2⤵
  PID:5812
- C:\Windows\System32\vlWTsbx.exe
  C:\Windows\System32\vlWTsbx.exe
  2⤵
  PID:5924
- C:\Windows\System32\woyCvSx.exe
  C:\Windows\System32\woyCvSx.exe
  2⤵
  PID:6092
- C:\Windows\System32\ZybCQyx.exe
  C:\Windows\System32\ZybCQyx.exe
  2⤵
  PID:5116
- C:\Windows\System32\NnSkicq.exe
  C:\Windows\System32\NnSkicq.exe
  2⤵
  PID:5328
- C:\Windows\System32\RlEwsbi.exe
  C:\Windows\System32\RlEwsbi.exe
  2⤵
  PID:5524
- C:\Windows\System32\KwvTngE.exe
  C:\Windows\System32\KwvTngE.exe
  2⤵
  PID:5940
- C:\Windows\System32\FTSKIjf.exe
  C:\Windows\System32\FTSKIjf.exe
  2⤵
  PID:6140
- C:\Windows\System32\jRxFDcx.exe
  C:\Windows\System32\jRxFDcx.exe
  2⤵
  PID:6156
- C:\Windows\System32\sMEcLkY.exe
  C:\Windows\System32\sMEcLkY.exe
  2⤵
  PID:6184
- C:\Windows\System32\guIFVvG.exe
  C:\Windows\System32\guIFVvG.exe
  2⤵
  PID:6212
- C:\Windows\System32\WeIuwAM.exe
  C:\Windows\System32\WeIuwAM.exe
  2⤵
  PID:6240
- C:\Windows\System32\MuEqypk.exe
  C:\Windows\System32\MuEqypk.exe
  2⤵
  PID:6268
- C:\Windows\System32\IyuGbmZ.exe
  C:\Windows\System32\IyuGbmZ.exe
  2⤵
  PID:6296
- C:\Windows\System32\fmXghXk.exe
  C:\Windows\System32\fmXghXk.exe
  2⤵
  PID:6324
- C:\Windows\System32\CGgYKnS.exe
  C:\Windows\System32\CGgYKnS.exe
  2⤵
  PID:6352
- C:\Windows\System32\SvbkPjo.exe
  C:\Windows\System32\SvbkPjo.exe
  2⤵
  PID:6380
- C:\Windows\System32\rhVRnMz.exe
  C:\Windows\System32\rhVRnMz.exe
  2⤵
  PID:6408
- C:\Windows\System32\tOkLUTG.exe
  C:\Windows\System32\tOkLUTG.exe
  2⤵
  PID:6436
- C:\Windows\System32\tZGXMWJ.exe
  C:\Windows\System32\tZGXMWJ.exe
  2⤵
  PID:6464
- C:\Windows\System32\edJKLFf.exe
  C:\Windows\System32\edJKLFf.exe
  2⤵
  PID:6492
- C:\Windows\System32\gRFWyXW.exe
  C:\Windows\System32\gRFWyXW.exe
  2⤵
  PID:6520
- C:\Windows\System32\fkUKdRq.exe
  C:\Windows\System32\fkUKdRq.exe
  2⤵
  PID:6548
- C:\Windows\System32\YCctfYR.exe
  C:\Windows\System32\YCctfYR.exe
  2⤵
  PID:6576
- C:\Windows\System32\oooaSuC.exe
  C:\Windows\System32\oooaSuC.exe
  2⤵
  PID:6692
- C:\Windows\System32\ZmYXBdT.exe
  C:\Windows\System32\ZmYXBdT.exe
  2⤵
  PID:6708
- C:\Windows\System32\rGaYtiQ.exe
  C:\Windows\System32\rGaYtiQ.exe
  2⤵
  PID:6728
- C:\Windows\System32\aqBmukY.exe
  C:\Windows\System32\aqBmukY.exe
  2⤵
  PID:6748
- C:\Windows\System32\ZvjPEWX.exe
  C:\Windows\System32\ZvjPEWX.exe
  2⤵
  PID:6772
- C:\Windows\System32\RUNLgyv.exe
  C:\Windows\System32\RUNLgyv.exe
  2⤵
  PID:6804
- C:\Windows\System32\UEaBfoE.exe
  C:\Windows\System32\UEaBfoE.exe
  2⤵
  PID:6836
- C:\Windows\System32\xogpLHP.exe
  C:\Windows\System32\xogpLHP.exe
  2⤵
  PID:6876
- C:\Windows\System32\lpekrEJ.exe
  C:\Windows\System32\lpekrEJ.exe
  2⤵
  PID:6900
- C:\Windows\System32\YPbMPPu.exe
  C:\Windows\System32\YPbMPPu.exe
  2⤵
  PID:6944
- C:\Windows\System32\JKICuaV.exe
  C:\Windows\System32\JKICuaV.exe
  2⤵
  PID:7012
- C:\Windows\System32\vvszcRR.exe
  C:\Windows\System32\vvszcRR.exe
  2⤵
  PID:7060
- C:\Windows\System32\wzYqdtm.exe
  C:\Windows\System32\wzYqdtm.exe
  2⤵
  PID:7084
- C:\Windows\System32\gnInIAU.exe
  C:\Windows\System32\gnInIAU.exe
  2⤵
  PID:7140
- C:\Windows\System32\hiuBCJo.exe
  C:\Windows\System32\hiuBCJo.exe
  2⤵
  PID:2120
- C:\Windows\System32\ZMVvNwg.exe
  C:\Windows\System32\ZMVvNwg.exe
  2⤵
  PID:4540
- C:\Windows\System32\mdhDyYQ.exe
  C:\Windows\System32\mdhDyYQ.exe
  2⤵
  PID:6180
- C:\Windows\System32\GVvkXmc.exe
  C:\Windows\System32\GVvkXmc.exe
  2⤵
  PID:6236
- C:\Windows\System32\KWNrSCr.exe
  C:\Windows\System32\KWNrSCr.exe
  2⤵
  PID:6284
- C:\Windows\System32\RstOATo.exe
  C:\Windows\System32\RstOATo.exe
  2⤵
  PID:6348
- C:\Windows\System32\hWHRiUl.exe
  C:\Windows\System32\hWHRiUl.exe
  2⤵
  PID:6392
- C:\Windows\System32\WULxrXJ.exe
  C:\Windows\System32\WULxrXJ.exe
  2⤵
  PID:6448
- C:\Windows\System32\dNSuKBX.exe
  C:\Windows\System32\dNSuKBX.exe
  2⤵
  PID:6480
- C:\Windows\System32\NinkXRp.exe
  C:\Windows\System32\NinkXRp.exe
  2⤵
  PID:3164
- C:\Windows\System32\cBlaPhY.exe
  C:\Windows\System32\cBlaPhY.exe
  2⤵
  PID:5108
- C:\Windows\System32\OeepvsJ.exe
  C:\Windows\System32\OeepvsJ.exe
  2⤵
  PID:208
- C:\Windows\System32\CZLGNiL.exe
  C:\Windows\System32\CZLGNiL.exe
  2⤵
  PID:3348
- C:\Windows\System32\fOaAzbf.exe
  C:\Windows\System32\fOaAzbf.exe
  2⤵
  PID:2052
- C:\Windows\System32\KtSIJsH.exe
  C:\Windows\System32\KtSIJsH.exe
  2⤵
  PID:4100
- C:\Windows\System32\YoTzmSt.exe
  C:\Windows\System32\YoTzmSt.exe
  2⤵
  PID:1512
- C:\Windows\System32\crRwldb.exe
  C:\Windows\System32\crRwldb.exe
  2⤵
  PID:2040
- C:\Windows\System32\cBUubpw.exe
  C:\Windows\System32\cBUubpw.exe
  2⤵
  PID:4336
- C:\Windows\System32\eNozXQV.exe
  C:\Windows\System32\eNozXQV.exe
  2⤵
  PID:6784
- C:\Windows\System32\lgygsYT.exe
  C:\Windows\System32\lgygsYT.exe
  2⤵
  PID:6892
- C:\Windows\System32\bouqGED.exe
  C:\Windows\System32\bouqGED.exe
  2⤵
  PID:6864
- C:\Windows\System32\wFbuHBw.exe
  C:\Windows\System32\wFbuHBw.exe
  2⤵
  PID:1360
- C:\Windows\System32\FDTCxWl.exe
  C:\Windows\System32\FDTCxWl.exe
  2⤵
  PID:4428
- C:\Windows\System32\ZOoYBdT.exe
  C:\Windows\System32\ZOoYBdT.exe
  2⤵
  PID:6628
- C:\Windows\System32\VqyDiLh.exe
  C:\Windows\System32\VqyDiLh.exe
  2⤵
  PID:7108
- C:\Windows\System32\sxJxjbU.exe
  C:\Windows\System32\sxJxjbU.exe
  2⤵
  PID:5860
- C:\Windows\System32\aBxXomx.exe
  C:\Windows\System32\aBxXomx.exe
  2⤵
  PID:6264
- C:\Windows\System32\YdPvpGg.exe
  C:\Windows\System32\YdPvpGg.exe
  2⤵
  PID:6424
- C:\Windows\System32\WQtWStD.exe
  C:\Windows\System32\WQtWStD.exe
  2⤵
  PID:6664
- C:\Windows\System32\uCUCdZo.exe
  C:\Windows\System32\uCUCdZo.exe
  2⤵
  PID:6572
- C:\Windows\System32\grQAlEO.exe
  C:\Windows\System32\grQAlEO.exe
  2⤵
  PID:1384
- C:\Windows\System32\IKXuWrJ.exe
  C:\Windows\System32\IKXuWrJ.exe
  2⤵
  PID:1776
- C:\Windows\System32\izdZjlX.exe
  C:\Windows\System32\izdZjlX.exe
  2⤵
  PID:6872
- C:\Windows\System32\TOzdMlp.exe
  C:\Windows\System32\TOzdMlp.exe
  2⤵
  PID:6952
- C:\Windows\System32\bmMPbsv.exe
  C:\Windows\System32\bmMPbsv.exe
  2⤵
  PID:6168
- C:\Windows\System32\LCAwlOr.exe
  C:\Windows\System32\LCAwlOr.exe
  2⤵
  PID:4676
- C:\Windows\System32\RTomRIG.exe
  C:\Windows\System32\RTomRIG.exe
  2⤵
  PID:6716
- C:\Windows\System32\uechzUi.exe
  C:\Windows\System32\uechzUi.exe
  2⤵
  PID:6956
- C:\Windows\System32\fcbakkQ.exe
  C:\Windows\System32\fcbakkQ.exe
  2⤵
  PID:6924
- C:\Windows\System32\fpkLYyT.exe
  C:\Windows\System32\fpkLYyT.exe
  2⤵
  PID:6208
- C:\Windows\System32\yclMDaT.exe
  C:\Windows\System32\yclMDaT.exe
  2⤵
  PID:6644
- C:\Windows\System32\eFLEPQR.exe
  C:\Windows\System32\eFLEPQR.exe
  2⤵
  PID:6676
- C:\Windows\System32\Ajvpkfz.exe
  C:\Windows\System32\Ajvpkfz.exe
  2⤵
  PID:4048
- C:\Windows\System32\ZkJMLBK.exe
  C:\Windows\System32\ZkJMLBK.exe
  2⤵
  PID:6672
- C:\Windows\System32\NyNPVNH.exe
  C:\Windows\System32\NyNPVNH.exe
  2⤵
  PID:6516
- C:\Windows\System32\QMKesiH.exe
  C:\Windows\System32\QMKesiH.exe
  2⤵
  PID:6740
- C:\Windows\System32\yfYEXah.exe
  C:\Windows\System32\yfYEXah.exe
  2⤵
  PID:7116
- C:\Windows\System32\vaZQlNe.exe
  C:\Windows\System32\vaZQlNe.exe
  2⤵
  PID:7188
- C:\Windows\System32\pbSQApl.exe
  C:\Windows\System32\pbSQApl.exe
  2⤵
  PID:7216
- C:\Windows\System32\sjlvPYk.exe
  C:\Windows\System32\sjlvPYk.exe
  2⤵
  PID:7244
- C:\Windows\System32\RmWNQlL.exe
  C:\Windows\System32\RmWNQlL.exe
  2⤵
  PID:7272
- C:\Windows\System32\pmOdfPY.exe
  C:\Windows\System32\pmOdfPY.exe
  2⤵
  PID:7300
- C:\Windows\System32\PhGObfH.exe
  C:\Windows\System32\PhGObfH.exe
  2⤵
  PID:7336
- C:\Windows\System32\NWyQkyC.exe
  C:\Windows\System32\NWyQkyC.exe
  2⤵
  PID:7364
- C:\Windows\System32\QDbwWAl.exe
  C:\Windows\System32\QDbwWAl.exe
  2⤵
  PID:7380
- C:\Windows\System32\rWrvRfG.exe
  C:\Windows\System32\rWrvRfG.exe
  2⤵
  PID:7412
- C:\Windows\System32\rPBqhmA.exe
  C:\Windows\System32\rPBqhmA.exe
  2⤵
  PID:7440
- C:\Windows\System32\tLsBIqI.exe
  C:\Windows\System32\tLsBIqI.exe
  2⤵
  PID:7488
- C:\Windows\System32\PYQkEyp.exe
  C:\Windows\System32\PYQkEyp.exe
  2⤵
  PID:7536
- C:\Windows\System32\bnIViIz.exe
  C:\Windows\System32\bnIViIz.exe
  2⤵
  PID:7564
- C:\Windows\System32\kpSFPtn.exe
  C:\Windows\System32\kpSFPtn.exe
  2⤵
  PID:7592
- C:\Windows\System32\ZHBngxd.exe
  C:\Windows\System32\ZHBngxd.exe
  2⤵
  PID:7620
- C:\Windows\System32\GenRssM.exe
  C:\Windows\System32\GenRssM.exe
  2⤵
  PID:7656
- C:\Windows\System32\YhcWmxp.exe
  C:\Windows\System32\YhcWmxp.exe
  2⤵
  PID:7684
- C:\Windows\System32\gDydOGN.exe
  C:\Windows\System32\gDydOGN.exe
  2⤵
  PID:7712
- C:\Windows\System32\XxdVOGt.exe
  C:\Windows\System32\XxdVOGt.exe
  2⤵
  PID:7740
- C:\Windows\System32\ylDdToW.exe
  C:\Windows\System32\ylDdToW.exe
  2⤵
  PID:7768
- C:\Windows\System32\FZBDBcZ.exe
  C:\Windows\System32\FZBDBcZ.exe
  2⤵
  PID:7788
- C:\Windows\System32\pwKOBJg.exe
  C:\Windows\System32\pwKOBJg.exe
  2⤵
  PID:7828
- C:\Windows\System32\cffbbyQ.exe
  C:\Windows\System32\cffbbyQ.exe
  2⤵
  PID:7856
- C:\Windows\System32\mhxWmoe.exe
  C:\Windows\System32\mhxWmoe.exe
  2⤵
  PID:7888
- C:\Windows\System32\kfsyuTf.exe
  C:\Windows\System32\kfsyuTf.exe
  2⤵
  PID:7916
- C:\Windows\System32\qcJqbJj.exe
  C:\Windows\System32\qcJqbJj.exe
  2⤵
  PID:7936
- C:\Windows\System32\zPfanUi.exe
  C:\Windows\System32\zPfanUi.exe
  2⤵
  PID:7972
- C:\Windows\System32\AlGoWLJ.exe
  C:\Windows\System32\AlGoWLJ.exe
  2⤵
  PID:8004
- C:\Windows\System32\Ghitdel.exe
  C:\Windows\System32\Ghitdel.exe
  2⤵
  PID:8032
- C:\Windows\System32\rVHykoA.exe
  C:\Windows\System32\rVHykoA.exe
  2⤵
  PID:8068
- C:\Windows\System32\PGKYBEG.exe
  C:\Windows\System32\PGKYBEG.exe
  2⤵
  PID:8088
- C:\Windows\System32\piXNxrv.exe
  C:\Windows\System32\piXNxrv.exe
  2⤵
  PID:8116
- C:\Windows\System32\tKsnQxw.exe
  C:\Windows\System32\tKsnQxw.exe
  2⤵
  PID:8144
- C:\Windows\System32\xQERMkl.exe
  C:\Windows\System32\xQERMkl.exe
  2⤵
  PID:8172
- C:\Windows\System32\lZoMQty.exe
  C:\Windows\System32\lZoMQty.exe
  2⤵
  PID:7204
- C:\Windows\System32\zuhGCsm.exe
  C:\Windows\System32\zuhGCsm.exe
  2⤵
  PID:7268
- C:\Windows\System32\kCusfOD.exe
  C:\Windows\System32\kCusfOD.exe
  2⤵
  PID:7320
- C:\Windows\System32\tgmeMvE.exe
  C:\Windows\System32\tgmeMvE.exe
  2⤵
  PID:7432
- C:\Windows\System32\tINXVPZ.exe
  C:\Windows\System32\tINXVPZ.exe
  2⤵
  PID:7472
- C:\Windows\System32\NTKAtuU.exe
  C:\Windows\System32\NTKAtuU.exe
  2⤵
  PID:7576
- C:\Windows\System32\jEVgjWR.exe
  C:\Windows\System32\jEVgjWR.exe
  2⤵
  PID:7632
- C:\Windows\System32\JGqtCOu.exe
  C:\Windows\System32\JGqtCOu.exe
  2⤵
  PID:7704
- C:\Windows\System32\XZJfLsX.exe
  C:\Windows\System32\XZJfLsX.exe
  2⤵
  PID:7764
- C:\Windows\System32\KJzBAWT.exe
  C:\Windows\System32\KJzBAWT.exe
  2⤵
  PID:7836
- C:\Windows\System32\ANgcrcy.exe
  C:\Windows\System32\ANgcrcy.exe
  2⤵
  PID:7908
- C:\Windows\System32\KmxdcvJ.exe
  C:\Windows\System32\KmxdcvJ.exe
  2⤵
  PID:7984
- C:\Windows\System32\huFHYVg.exe
  C:\Windows\System32\huFHYVg.exe
  2⤵
  PID:8048
- C:\Windows\System32\tMtJpKm.exe
  C:\Windows\System32\tMtJpKm.exe
  2⤵
  PID:8112
- C:\Windows\System32\WhYMrvj.exe
  C:\Windows\System32\WhYMrvj.exe
  2⤵
  PID:8168
- C:\Windows\System32\fmPxbML.exe
  C:\Windows\System32\fmPxbML.exe
  2⤵
  PID:7296
- C:\Windows\System32\xWCfHsi.exe
  C:\Windows\System32\xWCfHsi.exe
  2⤵
  PID:7468
- C:\Windows\System32\XBNQCQB.exe
  C:\Windows\System32\XBNQCQB.exe
  2⤵
  PID:7676
- C:\Windows\System32\VEcRLbX.exe
  C:\Windows\System32\VEcRLbX.exe
  2⤵
  PID:7808
- C:\Windows\System32\riWWTJx.exe
  C:\Windows\System32\riWWTJx.exe
  2⤵
  PID:7956
- C:\Windows\System32\gvMUqOa.exe
  C:\Windows\System32\gvMUqOa.exe
  2⤵
  PID:8076
- C:\Windows\System32\lbZIexm.exe
  C:\Windows\System32\lbZIexm.exe
  2⤵
  PID:7428
- C:\Windows\System32\OLIYQaZ.exe
  C:\Windows\System32\OLIYQaZ.exe
  2⤵
  PID:7816
- C:\Windows\System32\MbMBqyY.exe
  C:\Windows\System32\MbMBqyY.exe
  2⤵
  PID:7184
- C:\Windows\System32\HLPHnpM.exe
  C:\Windows\System32\HLPHnpM.exe
  2⤵
  PID:7604
- C:\Windows\System32\KYkdOLm.exe
  C:\Windows\System32\KYkdOLm.exe
  2⤵
  PID:8204
- C:\Windows\System32\rrJUnwu.exe
  C:\Windows\System32\rrJUnwu.exe
  2⤵
  PID:8232
- C:\Windows\System32\iZwftfk.exe
  C:\Windows\System32\iZwftfk.exe
  2⤵
  PID:8260
- C:\Windows\System32\djCOZYO.exe
  C:\Windows\System32\djCOZYO.exe
  2⤵
  PID:8288
- C:\Windows\System32\MBfrHIE.exe
  C:\Windows\System32\MBfrHIE.exe
  2⤵
  PID:8316
- C:\Windows\System32\SkvZPLi.exe
  C:\Windows\System32\SkvZPLi.exe
  2⤵
  PID:8344
- C:\Windows\System32\hawcUDK.exe
  C:\Windows\System32\hawcUDK.exe
  2⤵
  PID:8384
- C:\Windows\System32\OmBICwX.exe
  C:\Windows\System32\OmBICwX.exe
  2⤵
  PID:8408
- C:\Windows\System32\aWSTcEb.exe
  C:\Windows\System32\aWSTcEb.exe
  2⤵
  PID:8440
- C:\Windows\System32\DqDpXEH.exe
  C:\Windows\System32\DqDpXEH.exe
  2⤵
  PID:8468
- C:\Windows\System32\fdmwMkm.exe
  C:\Windows\System32\fdmwMkm.exe
  2⤵
  PID:8496
- C:\Windows\System32\CuqkeTK.exe
  C:\Windows\System32\CuqkeTK.exe
  2⤵
  PID:8524
- C:\Windows\System32\ZbynoVI.exe
  C:\Windows\System32\ZbynoVI.exe
  2⤵
  PID:8556
- C:\Windows\System32\lfvrAQN.exe
  C:\Windows\System32\lfvrAQN.exe
  2⤵
  PID:8584
- C:\Windows\System32\ZrNNoiP.exe
  C:\Windows\System32\ZrNNoiP.exe
  2⤵
  PID:8612
- C:\Windows\System32\GERtAFV.exe
  C:\Windows\System32\GERtAFV.exe
  2⤵
  PID:8640
- C:\Windows\System32\JBbwzga.exe
  C:\Windows\System32\JBbwzga.exe
  2⤵
  PID:8656
- C:\Windows\System32\YDonbyJ.exe
  C:\Windows\System32\YDonbyJ.exe
  2⤵
  PID:8696
- C:\Windows\System32\oquwSMR.exe
  C:\Windows\System32\oquwSMR.exe
  2⤵
  PID:8728
- C:\Windows\System32\mrOlEmN.exe
  C:\Windows\System32\mrOlEmN.exe
  2⤵
  PID:8752
- C:\Windows\System32\HMGMYRY.exe
  C:\Windows\System32\HMGMYRY.exe
  2⤵
  PID:8768
- C:\Windows\System32\yxeZLzx.exe
  C:\Windows\System32\yxeZLzx.exe
  2⤵
  PID:8808
- C:\Windows\System32\FQyHzgA.exe
  C:\Windows\System32\FQyHzgA.exe
  2⤵
  PID:8836
- C:\Windows\System32\hFbLilf.exe
  C:\Windows\System32\hFbLilf.exe
  2⤵
  PID:8864
- C:\Windows\System32\qfftrQn.exe
  C:\Windows\System32\qfftrQn.exe
  2⤵
  PID:8892
- C:\Windows\System32\qZuSULw.exe
  C:\Windows\System32\qZuSULw.exe
  2⤵
  PID:8920
- C:\Windows\System32\lUwrHRs.exe
  C:\Windows\System32\lUwrHRs.exe
  2⤵
  PID:8948
- C:\Windows\System32\WdhVvvP.exe
  C:\Windows\System32\WdhVvvP.exe
  2⤵
  PID:8972
- C:\Windows\System32\BMnQLXd.exe
  C:\Windows\System32\BMnQLXd.exe
  2⤵
  PID:8992
- C:\Windows\System32\cECOnnA.exe
  C:\Windows\System32\cECOnnA.exe
  2⤵
  PID:9036
- C:\Windows\System32\JCncIut.exe
  C:\Windows\System32\JCncIut.exe
  2⤵
  PID:9068
- C:\Windows\System32\uCXTGTe.exe
  C:\Windows\System32\uCXTGTe.exe
  2⤵
  PID:9096
- C:\Windows\System32\JwQiUFt.exe
  C:\Windows\System32\JwQiUFt.exe
  2⤵
  PID:9112
- C:\Windows\System32\pgJKDKW.exe
  C:\Windows\System32\pgJKDKW.exe
  2⤵
  PID:9152
- C:\Windows\System32\QOFaVCA.exe
  C:\Windows\System32\QOFaVCA.exe
  2⤵
  PID:9180
- C:\Windows\System32\OJqFQTq.exe
  C:\Windows\System32\OJqFQTq.exe
  2⤵
  PID:9208
- C:\Windows\System32\uugfyJR.exe
  C:\Windows\System32\uugfyJR.exe
  2⤵
  PID:7372
- C:\Windows\System32\GpzimRy.exe
  C:\Windows\System32\GpzimRy.exe
  2⤵
  PID:8280
- C:\Windows\System32\VRccIBU.exe
  C:\Windows\System32\VRccIBU.exe
  2⤵
  PID:8336
- C:\Windows\System32\LPDsAVl.exe
  C:\Windows\System32\LPDsAVl.exe
  2⤵
  PID:8424
- C:\Windows\System32\ZhnEHjG.exe
  C:\Windows\System32\ZhnEHjG.exe
  2⤵
  PID:8508
- C:\Windows\System32\eYZWPaE.exe
  C:\Windows\System32\eYZWPaE.exe
  2⤵
  PID:8568
- C:\Windows\System32\rNjRAGp.exe
  C:\Windows\System32\rNjRAGp.exe
  2⤵
  PID:8636
- C:\Windows\System32\WuXCwGA.exe
  C:\Windows\System32\WuXCwGA.exe
  2⤵
  PID:8692
- C:\Windows\System32\MrdnasY.exe
  C:\Windows\System32\MrdnasY.exe
  2⤵
  PID:8740
- C:\Windows\System32\GvcvoTw.exe
  C:\Windows\System32\GvcvoTw.exe
  2⤵
  PID:8796
- C:\Windows\System32\IaFwznq.exe
  C:\Windows\System32\IaFwznq.exe
  2⤵
  PID:8888
- C:\Windows\System32\KsUHTBK.exe
  C:\Windows\System32\KsUHTBK.exe
  2⤵
  PID:8968
- C:\Windows\System32\rYLanyV.exe
  C:\Windows\System32\rYLanyV.exe
  2⤵
  PID:8988
- C:\Windows\System32\eOJmqTw.exe
  C:\Windows\System32\eOJmqTw.exe
  2⤵
  PID:9092
- C:\Windows\System32\GuXXlfC.exe
  C:\Windows\System32\GuXXlfC.exe
  2⤵
  PID:9120
- C:\Windows\System32\YLVdrsl.exe
  C:\Windows\System32\YLVdrsl.exe
  2⤵
  PID:8100
- C:\Windows\System32\FEmLxmM.exe
  C:\Windows\System32\FEmLxmM.exe
  2⤵
  PID:8304
- C:\Windows\System32\CqygHfx.exe
  C:\Windows\System32\CqygHfx.exe
  2⤵
  PID:8452
- C:\Windows\System32\wBotoqw.exe
  C:\Windows\System32\wBotoqw.exe
  2⤵
  PID:8668
- C:\Windows\System32\gdvVdzD.exe
  C:\Windows\System32\gdvVdzD.exe
  2⤵
  PID:8780
- C:\Windows\System32\oycZvsu.exe
  C:\Windows\System32\oycZvsu.exe
  2⤵
  PID:8944
- C:\Windows\System32\NyPTKpZ.exe
  C:\Windows\System32\NyPTKpZ.exe
  2⤵
  PID:9060
- C:\Windows\System32\lLRtgzb.exe
  C:\Windows\System32\lLRtgzb.exe
  2⤵
  PID:8272
- C:\Windows\System32\RbIJaSv.exe
  C:\Windows\System32\RbIJaSv.exe
  2⤵
  PID:8536
- C:\Windows\System32\OiLmNhW.exe
  C:\Windows\System32\OiLmNhW.exe
  2⤵
  PID:8940
- C:\Windows\System32\aktHWSa.exe
  C:\Windows\System32\aktHWSa.exe
  2⤵
  PID:8392
- C:\Windows\System32\xWuMJBH.exe
  C:\Windows\System32\xWuMJBH.exe
  2⤵
  PID:9136
- C:\Windows\System32\krQulmq.exe
  C:\Windows\System32\krQulmq.exe
  2⤵
  PID:9224
- C:\Windows\System32\VIrEQTw.exe
  C:\Windows\System32\VIrEQTw.exe
  2⤵
  PID:9256
- C:\Windows\System32\fvYSQJN.exe
  C:\Windows\System32\fvYSQJN.exe
  2⤵
  PID:9284
- C:\Windows\System32\bZxOndM.exe
  C:\Windows\System32\bZxOndM.exe
  2⤵
  PID:9324
- C:\Windows\System32\FjRYGYj.exe
  C:\Windows\System32\FjRYGYj.exe
  2⤵
  PID:9352
- C:\Windows\System32\wkKLFJE.exe
  C:\Windows\System32\wkKLFJE.exe
  2⤵
  PID:9380
- C:\Windows\System32\pRTxktO.exe
  C:\Windows\System32\pRTxktO.exe
  2⤵
  PID:9408
- C:\Windows\System32\UdZFwfs.exe
  C:\Windows\System32\UdZFwfs.exe
  2⤵
  PID:9436
- C:\Windows\System32\sEqcnjt.exe
  C:\Windows\System32\sEqcnjt.exe
  2⤵
  PID:9464
- C:\Windows\System32\UvbALEw.exe
  C:\Windows\System32\UvbALEw.exe
  2⤵
  PID:9492
- C:\Windows\System32\ZOwVLjr.exe
  C:\Windows\System32\ZOwVLjr.exe
  2⤵
  PID:9524
- C:\Windows\System32\PYhhwtk.exe
  C:\Windows\System32\PYhhwtk.exe
  2⤵
  PID:9548
- C:\Windows\System32\NHJBtlk.exe
  C:\Windows\System32\NHJBtlk.exe
  2⤵
  PID:9580
- C:\Windows\System32\SDxbvhJ.exe
  C:\Windows\System32\SDxbvhJ.exe
  2⤵
  PID:9608
- C:\Windows\System32\oFBBKuf.exe
  C:\Windows\System32\oFBBKuf.exe
  2⤵
  PID:9636
- C:\Windows\System32\pDQVzUr.exe
  C:\Windows\System32\pDQVzUr.exe
  2⤵
  PID:9668
- C:\Windows\System32\zowPHwJ.exe
  C:\Windows\System32\zowPHwJ.exe
  2⤵
  PID:9692
- C:\Windows\System32\IRrvKGO.exe
  C:\Windows\System32\IRrvKGO.exe
  2⤵
  PID:9708
- C:\Windows\System32\kEVqMzU.exe
  C:\Windows\System32\kEVqMzU.exe
  2⤵
  PID:9748
- C:\Windows\System32\ICTFojq.exe
  C:\Windows\System32\ICTFojq.exe
  2⤵
  PID:9776
- C:\Windows\System32\mcOvymU.exe
  C:\Windows\System32\mcOvymU.exe
  2⤵
  PID:9804
- C:\Windows\System32\CnNJMAZ.exe
  C:\Windows\System32\CnNJMAZ.exe
  2⤵
  PID:9832
- C:\Windows\System32\bfZPCdc.exe
  C:\Windows\System32\bfZPCdc.exe
  2⤵
  PID:9848
- C:\Windows\System32\hBJuENw.exe
  C:\Windows\System32\hBJuENw.exe
  2⤵
  PID:9880
- C:\Windows\System32\dHSgJUw.exe
  C:\Windows\System32\dHSgJUw.exe
  2⤵
  PID:9916
- C:\Windows\System32\wHhhmdB.exe
  C:\Windows\System32\wHhhmdB.exe
  2⤵
  PID:9944
- C:\Windows\System32\iRnDrll.exe
  C:\Windows\System32\iRnDrll.exe
  2⤵
  PID:9972
- C:\Windows\System32\aHsgjkt.exe
  C:\Windows\System32\aHsgjkt.exe
  2⤵
  PID:10000
- C:\Windows\System32\GcuEXOP.exe
  C:\Windows\System32\GcuEXOP.exe
  2⤵
  PID:10028
- C:\Windows\System32\DOdTYMZ.exe
  C:\Windows\System32\DOdTYMZ.exe
  2⤵
  PID:10056
- C:\Windows\System32\wbiRXPN.exe
  C:\Windows\System32\wbiRXPN.exe
  2⤵
  PID:10084
- C:\Windows\System32\bNlDBSZ.exe
  C:\Windows\System32\bNlDBSZ.exe
  2⤵
  PID:10112
- C:\Windows\System32\ZLGHkWW.exe
  C:\Windows\System32\ZLGHkWW.exe
  2⤵
  PID:10152
- C:\Windows\System32\elkadfJ.exe
  C:\Windows\System32\elkadfJ.exe
  2⤵
  PID:10168
- C:\Windows\System32\aEYUWsd.exe
  C:\Windows\System32\aEYUWsd.exe
  2⤵
  PID:10184
- C:\Windows\System32\ZOcIkYQ.exe
  C:\Windows\System32\ZOcIkYQ.exe
  2⤵
  PID:10228
- C:\Windows\System32\bIFfDow.exe
  C:\Windows\System32\bIFfDow.exe
  2⤵
  PID:9244
- C:\Windows\System32\SbRWUop.exe
  C:\Windows\System32\SbRWUop.exe
  2⤵
  PID:9336
- C:\Windows\System32\czfopNr.exe
  C:\Windows\System32\czfopNr.exe
  2⤵
  PID:9400
- C:\Windows\System32\DyzXsVd.exe
  C:\Windows\System32\DyzXsVd.exe
  2⤵
  PID:9456
- C:\Windows\System32\lYrcGwD.exe
  C:\Windows\System32\lYrcGwD.exe
  2⤵
  PID:9532
- C:\Windows\System32\IKrkIyi.exe
  C:\Windows\System32\IKrkIyi.exe
  2⤵
  PID:9064
- C:\Windows\System32\HqERDYf.exe
  C:\Windows\System32\HqERDYf.exe
  2⤵
  PID:9648
- C:\Windows\System32\OFzkvBl.exe
  C:\Windows\System32\OFzkvBl.exe
  2⤵
  PID:9720
- C:\Windows\System32\lBcZLwo.exe
  C:\Windows\System32\lBcZLwo.exe
  2⤵
  PID:9824
- C:\Windows\System32\mTYrEUq.exe
  C:\Windows\System32\mTYrEUq.exe
  2⤵
  PID:9928
- C:\Windows\System32\lNxlHsN.exe
  C:\Windows\System32\lNxlHsN.exe
  2⤵
  PID:10024
- C:\Windows\System32\yukcdqm.exe
  C:\Windows\System32\yukcdqm.exe
  2⤵
  PID:10104
- C:\Windows\System32\Kgobhms.exe
  C:\Windows\System32\Kgobhms.exe
  2⤵
  PID:10164
- C:\Windows\System32\EYsKwnv.exe
  C:\Windows\System32\EYsKwnv.exe
  2⤵
  PID:10224
- C:\Windows\System32\fOhNlJd.exe
  C:\Windows\System32\fOhNlJd.exe
  2⤵
  PID:9392
- C:\Windows\System32\LtvgAqb.exe
  C:\Windows\System32\LtvgAqb.exe
  2⤵
  PID:9512
- C:\Windows\System32\ZvNQqVV.exe
  C:\Windows\System32\ZvNQqVV.exe
  2⤵
  PID:9684
- C:\Windows\System32\cpmSeEw.exe
  C:\Windows\System32\cpmSeEw.exe
  2⤵
  PID:9908
- C:\Windows\System32\mhKAKfL.exe
  C:\Windows\System32\mhKAKfL.exe
  2⤵
  PID:10124
- C:\Windows\System32\voVnSSw.exe
  C:\Windows\System32\voVnSSw.exe
  2⤵
  PID:9868
- C:\Windows\System32\rWhpBJI.exe
  C:\Windows\System32\rWhpBJI.exe
  2⤵
  PID:9504
- C:\Windows\System32\yqIoftj.exe
  C:\Windows\System32\yqIoftj.exe
  2⤵
  PID:10020
- C:\Windows\System32\EwGbOOY.exe
  C:\Windows\System32\EwGbOOY.exe
  2⤵
  PID:9840
- C:\Windows\System32\IuSrgAV.exe
  C:\Windows\System32\IuSrgAV.exe
  2⤵
  PID:10248
- C:\Windows\System32\FIbumEe.exe
  C:\Windows\System32\FIbumEe.exe
  2⤵
  PID:10276
- C:\Windows\System32\plxaljL.exe
  C:\Windows\System32\plxaljL.exe
  2⤵
  PID:10304
- C:\Windows\System32\GKgaXaH.exe
  C:\Windows\System32\GKgaXaH.exe
  2⤵
  PID:10332
- C:\Windows\System32\MVrTJdf.exe
  C:\Windows\System32\MVrTJdf.exe
  2⤵
  PID:10348
- C:\Windows\System32\eZULaHg.exe
  C:\Windows\System32\eZULaHg.exe
  2⤵
  PID:10372
- C:\Windows\System32\keYSAnV.exe
  C:\Windows\System32\keYSAnV.exe
  2⤵
  PID:10416
- C:\Windows\System32\mSLhNww.exe
  C:\Windows\System32\mSLhNww.exe
  2⤵
  PID:10444
- C:\Windows\System32\FEPEAXQ.exe
  C:\Windows\System32\FEPEAXQ.exe
  2⤵
  PID:10472
- C:\Windows\System32\YeEmYyW.exe
  C:\Windows\System32\YeEmYyW.exe
  2⤵
  PID:10500
- C:\Windows\System32\DrUxXQj.exe
  C:\Windows\System32\DrUxXQj.exe
  2⤵
  PID:10528
- C:\Windows\System32\tYQhXLi.exe
  C:\Windows\System32\tYQhXLi.exe
  2⤵
  PID:10564
- C:\Windows\System32\OMWnIpT.exe
  C:\Windows\System32\OMWnIpT.exe
  2⤵
  PID:10596
- C:\Windows\System32\ejhkvTu.exe
  C:\Windows\System32\ejhkvTu.exe
  2⤵
  PID:10624
- C:\Windows\System32\XDtMZLn.exe
  C:\Windows\System32\XDtMZLn.exe
  2⤵
  PID:10652
- C:\Windows\System32\ADhHURN.exe
  C:\Windows\System32\ADhHURN.exe
  2⤵
  PID:10700
- C:\Windows\System32\JBtNujS.exe
  C:\Windows\System32\JBtNujS.exe
  2⤵
  PID:10728
- C:\Windows\System32\UgsfRyP.exe
  C:\Windows\System32\UgsfRyP.exe
  2⤵
  PID:10756
- C:\Windows\System32\MPzkLCg.exe
  C:\Windows\System32\MPzkLCg.exe
  2⤵
  PID:10784
- C:\Windows\System32\YSQTDfY.exe
  C:\Windows\System32\YSQTDfY.exe
  2⤵
  PID:10812
- C:\Windows\System32\wzuZwko.exe
  C:\Windows\System32\wzuZwko.exe
  2⤵
  PID:10840
- C:\Windows\System32\RNNsFPN.exe
  C:\Windows\System32\RNNsFPN.exe
  2⤵
  PID:10884
- C:\Windows\System32\sSxteQJ.exe
  C:\Windows\System32\sSxteQJ.exe
  2⤵
  PID:10912
- C:\Windows\System32\uklOluy.exe
  C:\Windows\System32\uklOluy.exe
  2⤵
  PID:10956
- C:\Windows\System32\lXdSgyf.exe
  C:\Windows\System32\lXdSgyf.exe
  2⤵
  PID:10976
- C:\Windows\System32\IIuzIAc.exe
  C:\Windows\System32\IIuzIAc.exe
  2⤵
  PID:11004
- C:\Windows\System32\AWrvVpb.exe
  C:\Windows\System32\AWrvVpb.exe
  2⤵
  PID:11032
- C:\Windows\System32\uEetEXw.exe
  C:\Windows\System32\uEetEXw.exe
  2⤵
  PID:11088
- C:\Windows\System32\PegPqYS.exe
  C:\Windows\System32\PegPqYS.exe
  2⤵
  PID:11104
- C:\Windows\System32\ojUYXng.exe
  C:\Windows\System32\ojUYXng.exe
  2⤵
  PID:11136
- C:\Windows\System32\emQMzpJ.exe
  C:\Windows\System32\emQMzpJ.exe
  2⤵
  PID:11188
- C:\Windows\System32\suDZPcv.exe
  C:\Windows\System32\suDZPcv.exe
  2⤵
  PID:11220
- C:\Windows\System32\gzqwKbN.exe
  C:\Windows\System32\gzqwKbN.exe
  2⤵
  PID:10288
- C:\Windows\System32\tznwccE.exe
  C:\Windows\System32\tznwccE.exe
  2⤵
  PID:10340
- C:\Windows\System32\Ydbfias.exe
  C:\Windows\System32\Ydbfias.exe
  2⤵
  PID:10436
- C:\Windows\System32\VIszZPS.exe
  C:\Windows\System32\VIszZPS.exe
  2⤵
  PID:10552
- C:\Windows\System32\HUCbkMi.exe
  C:\Windows\System32\HUCbkMi.exe
  2⤵
  PID:10712
- C:\Windows\System32\WeOKIlm.exe
  C:\Windows\System32\WeOKIlm.exe
  2⤵
  PID:10804
- C:\Windows\System32\wImWBWQ.exe
  C:\Windows\System32\wImWBWQ.exe
  2⤵
  PID:3900
- C:\Windows\System32\SrjDGlG.exe
  C:\Windows\System32\SrjDGlG.exe
  2⤵
  PID:10940
- C:\Windows\System32\YIVRmiI.exe
  C:\Windows\System32\YIVRmiI.exe
  2⤵
  PID:11024
- C:\Windows\System32\rIsGbjc.exe
  C:\Windows\System32\rIsGbjc.exe
  2⤵
  PID:11100
- C:\Windows\System32\pMdGOGu.exe
  C:\Windows\System32\pMdGOGu.exe
  2⤵
  PID:11204
- C:\Windows\System32\qjalgtt.exe
  C:\Windows\System32\qjalgtt.exe
  2⤵
  PID:10512
- C:\Windows\System32\cTFbJmD.exe
  C:\Windows\System32\cTFbJmD.exe
  2⤵
  PID:10832
- C:\Windows\System32\UzIPMck.exe
  C:\Windows\System32\UzIPMck.exe
  2⤵
  PID:10936
- C:\Windows\System32\PNJwHaK.exe
  C:\Windows\System32\PNJwHaK.exe
  2⤵
  PID:11096
- C:\Windows\System32\KQnFMhI.exe
  C:\Windows\System32\KQnFMhI.exe
  2⤵
  PID:10588
- C:\Windows\System32\mrABFhl.exe
  C:\Windows\System32\mrABFhl.exe
  2⤵
  PID:11084
- C:\Windows\System32\agBWvYK.exe
  C:\Windows\System32\agBWvYK.exe
  2⤵
  PID:10428
- C:\Windows\System32\aruVWSi.exe
  C:\Windows\System32\aruVWSi.exe
  2⤵
  PID:11284
- C:\Windows\System32\BFzaJBP.exe
  C:\Windows\System32\BFzaJBP.exe
  2⤵
  PID:11312
- C:\Windows\System32\KaqBPTp.exe
  C:\Windows\System32\KaqBPTp.exe
  2⤵
  PID:11344
- C:\Windows\System32\ivtuWzt.exe
  C:\Windows\System32\ivtuWzt.exe
  2⤵
  PID:11372
- C:\Windows\System32\iuviIfI.exe
  C:\Windows\System32\iuviIfI.exe
  2⤵
  PID:11400
- C:\Windows\System32\LPEmJFv.exe
  C:\Windows\System32\LPEmJFv.exe
  2⤵
  PID:11428
- C:\Windows\System32\IJZwNBY.exe
  C:\Windows\System32\IJZwNBY.exe
  2⤵
  PID:11456
- C:\Windows\System32\pYNdGfW.exe
  C:\Windows\System32\pYNdGfW.exe
  2⤵
  PID:11484
- C:\Windows\System32\pGWjzsi.exe
  C:\Windows\System32\pGWjzsi.exe
  2⤵
  PID:11512
- C:\Windows\System32\PfonjPk.exe
  C:\Windows\System32\PfonjPk.exe
  2⤵
  PID:11540
- C:\Windows\System32\ZrpugsQ.exe
  C:\Windows\System32\ZrpugsQ.exe
  2⤵
  PID:11584
- C:\Windows\System32\wiRRMIg.exe
  C:\Windows\System32\wiRRMIg.exe
  2⤵
  PID:11612
- C:\Windows\System32\InSfGSs.exe
  C:\Windows\System32\InSfGSs.exe
  2⤵
  PID:11640
- C:\Windows\System32\SWMDKtR.exe
  C:\Windows\System32\SWMDKtR.exe
  2⤵
  PID:11668
- C:\Windows\System32\UkgBuGP.exe
  C:\Windows\System32\UkgBuGP.exe
  2⤵
  PID:11700
- C:\Windows\System32\PtOhzhC.exe
  C:\Windows\System32\PtOhzhC.exe
  2⤵
  PID:11728
- C:\Windows\System32\jIOKlnO.exe
  C:\Windows\System32\jIOKlnO.exe
  2⤵
  PID:11760
- C:\Windows\System32\bKFUTzz.exe
  C:\Windows\System32\bKFUTzz.exe
  2⤵
  PID:11784
- C:\Windows\System32\WExMtYZ.exe
  C:\Windows\System32\WExMtYZ.exe
  2⤵
  PID:11812
- C:\Windows\System32\oRRAZhd.exe
  C:\Windows\System32\oRRAZhd.exe
  2⤵
  PID:11840
- C:\Windows\System32\NKCLnHr.exe
  C:\Windows\System32\NKCLnHr.exe
  2⤵
  PID:11868
- C:\Windows\System32\DupxIOe.exe
  C:\Windows\System32\DupxIOe.exe
  2⤵
  PID:11896
- C:\Windows\System32\YpjtTdI.exe
  C:\Windows\System32\YpjtTdI.exe
  2⤵
  PID:11924
- C:\Windows\System32\xSbaKru.exe
  C:\Windows\System32\xSbaKru.exe
  2⤵
  PID:11952
- C:\Windows\System32\BKCcZkj.exe
  C:\Windows\System32\BKCcZkj.exe
  2⤵
  PID:11984
- C:\Windows\System32\CYLTRRR.exe
  C:\Windows\System32\CYLTRRR.exe
  2⤵
  PID:12012
- C:\Windows\System32\OzCyyyR.exe
  C:\Windows\System32\OzCyyyR.exe
  2⤵
  PID:12040
- C:\Windows\System32\SBNWxIs.exe
  C:\Windows\System32\SBNWxIs.exe
  2⤵
  PID:12068
- C:\Windows\System32\nBGkZLb.exe
  C:\Windows\System32\nBGkZLb.exe
  2⤵
  PID:12096
- C:\Windows\System32\fHRxFIw.exe
  C:\Windows\System32\fHRxFIw.exe
  2⤵
  PID:12124
- C:\Windows\System32\KgXczso.exe
  C:\Windows\System32\KgXczso.exe
  2⤵
  PID:12152
- C:\Windows\System32\wRzupdg.exe
  C:\Windows\System32\wRzupdg.exe
  2⤵
  PID:12184
- C:\Windows\System32\SfdqAdA.exe
  C:\Windows\System32\SfdqAdA.exe
  2⤵
  PID:12212
- C:\Windows\System32\IlNfeoN.exe
  C:\Windows\System32\IlNfeoN.exe
  2⤵
  PID:12252
- C:\Windows\System32\VrEXQrc.exe
  C:\Windows\System32\VrEXQrc.exe
  2⤵
  PID:12268
- C:\Windows\System32\QNPhNCZ.exe
  C:\Windows\System32\QNPhNCZ.exe
  2⤵
  PID:11280
- C:\Windows\System32\smZGyLM.exe
  C:\Windows\System32\smZGyLM.exe
  2⤵
  PID:11364
- C:\Windows\System32\LhQbIXl.exe
  C:\Windows\System32\LhQbIXl.exe
  2⤵
  PID:11420
- C:\Windows\System32\bqlOTmz.exe
  C:\Windows\System32\bqlOTmz.exe
  2⤵
  PID:11480
- C:\Windows\System32\hdSgqsK.exe
  C:\Windows\System32\hdSgqsK.exe
  2⤵
  PID:11552
- C:\Windows\System32\ghNOrRE.exe
  C:\Windows\System32\ghNOrRE.exe
  2⤵
  PID:11632
- C:\Windows\System32\VqAFUFj.exe
  C:\Windows\System32\VqAFUFj.exe
  2⤵
  PID:11692
- C:\Windows\System32\MHaYUxi.exe
  C:\Windows\System32\MHaYUxi.exe
  2⤵
  PID:11768
- C:\Windows\System32\hqKHfek.exe
  C:\Windows\System32\hqKHfek.exe
  2⤵
  PID:11832
- C:\Windows\System32\gucfrGa.exe
  C:\Windows\System32\gucfrGa.exe
  2⤵
  PID:11892
- C:\Windows\System32\FmrwrSP.exe
  C:\Windows\System32\FmrwrSP.exe
  2⤵
  PID:11964
- C:\Windows\System32\KxVbEnE.exe
  C:\Windows\System32\KxVbEnE.exe
  2⤵
  PID:12036
- C:\Windows\System32\zWAuJbX.exe
  C:\Windows\System32\zWAuJbX.exe
  2⤵
  PID:12092
- C:\Windows\System32\XNYQtvP.exe
  C:\Windows\System32\XNYQtvP.exe
  2⤵
  PID:12164
- C:\Windows\System32\CwDdaQu.exe
  C:\Windows\System32\CwDdaQu.exe
  2⤵
  PID:12224
- C:\Windows\System32\TnzNOUo.exe
  C:\Windows\System32\TnzNOUo.exe
  2⤵
  PID:11268
- C:\Windows\System32\CbEIaBS.exe
  C:\Windows\System32\CbEIaBS.exe
  2⤵
  PID:11396
- C:\Windows\System32\exhlHgI.exe
  C:\Windows\System32\exhlHgI.exe
  2⤵
  PID:11596
- C:\Windows\System32\IzeUufo.exe
  C:\Windows\System32\IzeUufo.exe
  2⤵
  PID:11748
- C:\Windows\System32\ywoSnZT.exe
  C:\Windows\System32\ywoSnZT.exe
  2⤵
  PID:11920
- C:\Windows\System32\KgSOgxl.exe
  C:\Windows\System32\KgSOgxl.exe
  2⤵
  PID:12080
- C:\Windows\System32\udZzFCV.exe
  C:\Windows\System32\udZzFCV.exe
  2⤵
  PID:12208
- C:\Windows\System32\mNldhGy.exe
  C:\Windows\System32\mNldhGy.exe
  2⤵
  PID:11476
- C:\Windows\System32\ogQtPdr.exe
  C:\Windows\System32\ogQtPdr.exe
  2⤵
  PID:11884
- C:\Windows\System32\wXMxbFx.exe
  C:\Windows\System32\wXMxbFx.exe
  2⤵
  PID:12204
- C:\Windows\System32\rGsLASp.exe
  C:\Windows\System32\rGsLASp.exe
  2⤵
  PID:11724
- C:\Windows\System32\PfVvmji.exe
  C:\Windows\System32\PfVvmji.exe
  2⤵
  PID:11972
- C:\Windows\System32\GruSppg.exe
  C:\Windows\System32\GruSppg.exe
  2⤵
  PID:12304
- C:\Windows\System32\iXSnLuy.exe
  C:\Windows\System32\iXSnLuy.exe
  2⤵
  PID:12332
- C:\Windows\System32\xfkfYPT.exe
  C:\Windows\System32\xfkfYPT.exe
  2⤵
  PID:12360
- C:\Windows\System32\dnLKSbM.exe
  C:\Windows\System32\dnLKSbM.exe
  2⤵
  PID:12400
- C:\Windows\System32\NGMMSXx.exe
  C:\Windows\System32\NGMMSXx.exe
  2⤵
  PID:12420
- C:\Windows\System32\Tokopoj.exe
  C:\Windows\System32\Tokopoj.exe
  2⤵
  PID:12448
- C:\Windows\System32\pHYUvrV.exe
  C:\Windows\System32\pHYUvrV.exe
  2⤵
  PID:12476
- C:\Windows\System32\lbIQFbP.exe
  C:\Windows\System32\lbIQFbP.exe
  2⤵
  PID:12504
- C:\Windows\System32\mDIYmAQ.exe
  C:\Windows\System32\mDIYmAQ.exe
  2⤵
  PID:12532
- C:\Windows\System32\bscmnAE.exe
  C:\Windows\System32\bscmnAE.exe
  2⤵
  PID:12560
- C:\Windows\System32\xLSclLF.exe
  C:\Windows\System32\xLSclLF.exe
  2⤵
  PID:12588
- C:\Windows\System32\cOzQTLN.exe
  C:\Windows\System32\cOzQTLN.exe
  2⤵
  PID:12620
- C:\Windows\System32\lziOPUL.exe
  C:\Windows\System32\lziOPUL.exe
  2⤵
  PID:12644
- C:\Windows\System32\IfnvVog.exe
  C:\Windows\System32\IfnvVog.exe
  2⤵
  PID:12692
- C:\Windows\System32\TrmcPGM.exe
  C:\Windows\System32\TrmcPGM.exe
  2⤵
  PID:12736
- C:\Windows\System32\ydGQbeM.exe
  C:\Windows\System32\ydGQbeM.exe
  2⤵
  PID:12764
- C:\Windows\System32\AXoVDPg.exe
  C:\Windows\System32\AXoVDPg.exe
  2⤵
  PID:12796
- C:\Windows\System32\kGJFpbI.exe
  C:\Windows\System32\kGJFpbI.exe
  2⤵
  PID:12824
- C:\Windows\System32\zbXUaVP.exe
  C:\Windows\System32\zbXUaVP.exe
  2⤵
  PID:12852
- C:\Windows\System32\RsjlmPr.exe
  C:\Windows\System32\RsjlmPr.exe
  2⤵
  PID:12880
- C:\Windows\System32\WHGuLBM.exe
  C:\Windows\System32\WHGuLBM.exe
  2⤵
  PID:12908
- C:\Windows\System32\HcDgjGn.exe
  C:\Windows\System32\HcDgjGn.exe
  2⤵
  PID:12940
- C:\Windows\System32\hoeXgIr.exe
  C:\Windows\System32\hoeXgIr.exe
  2⤵
  PID:12972
- C:\Windows\System32\HqARGth.exe
  C:\Windows\System32\HqARGth.exe
  2⤵
  PID:13000
- C:\Windows\System32\nskVtov.exe
  C:\Windows\System32\nskVtov.exe
  2⤵
  PID:13028
- C:\Windows\System32\FORXdpk.exe
  C:\Windows\System32\FORXdpk.exe
  2⤵
  PID:13056
- C:\Windows\System32\ipQXwfw.exe
  C:\Windows\System32\ipQXwfw.exe
  2⤵
  PID:13084
- C:\Windows\System32\AzYZZnP.exe
  C:\Windows\System32\AzYZZnP.exe
  2⤵
  PID:13112
- C:\Windows\System32\dLCagAH.exe
  C:\Windows\System32\dLCagAH.exe
  2⤵
  PID:13140
- C:\Windows\System32\qlTzKUZ.exe
  C:\Windows\System32\qlTzKUZ.exe
  2⤵
  PID:13168
- C:\Windows\System32\XyAiMbe.exe
  C:\Windows\System32\XyAiMbe.exe
  2⤵
  PID:13200
- C:\Windows\System32\IgNNnVC.exe
  C:\Windows\System32\IgNNnVC.exe
  2⤵
  PID:13228
- C:\Windows\System32\NRSDrSJ.exe
  C:\Windows\System32\NRSDrSJ.exe
  2⤵
  PID:13264
- C:\Windows\System32\MaKOKaO.exe
  C:\Windows\System32\MaKOKaO.exe
  2⤵
  PID:13296
- C:\Windows\System32\eLnNpbW.exe
  C:\Windows\System32\eLnNpbW.exe
  2⤵
  PID:12344
- C:\Windows\System32\pyYHAmu.exe
  C:\Windows\System32\pyYHAmu.exe
  2⤵
  PID:12380
- C:\Windows\System32\JPCaWLQ.exe
  C:\Windows\System32\JPCaWLQ.exe
  2⤵
  PID:12444
- C:\Windows\System32\fbTobqY.exe
  C:\Windows\System32\fbTobqY.exe
  2⤵
  PID:12516
- C:\Windows\System32\RLraoFL.exe
  C:\Windows\System32\RLraoFL.exe
  2⤵
  PID:12580
- C:\Windows\System32\GSbpSRt.exe
  C:\Windows\System32\GSbpSRt.exe
  2⤵
  PID:12640
- C:\Windows\System32\JsDFtNX.exe
  C:\Windows\System32\JsDFtNX.exe
  2⤵
  PID:12728
- C:\Windows\System32\leRSNWp.exe
  C:\Windows\System32\leRSNWp.exe
  2⤵
  PID:4872
- C:\Windows\System32\fQCaFGC.exe
  C:\Windows\System32\fQCaFGC.exe
  2⤵
  PID:12792
- C:\Windows\System32\Mectnst.exe
  C:\Windows\System32\Mectnst.exe
  2⤵
  PID:12844
- C:\Windows\System32\opgOAsD.exe
  C:\Windows\System32\opgOAsD.exe
  2⤵
  PID:12904
- C:\Windows\System32\GmzFOpY.exe
  C:\Windows\System32\GmzFOpY.exe
  2⤵
  PID:12988
- C:\Windows\System32\MpLQBnG.exe
  C:\Windows\System32\MpLQBnG.exe
  2⤵
  PID:13048
- C:\Windows\System32\lfPkJCU.exe
  C:\Windows\System32\lfPkJCU.exe
  2⤵
  PID:13132
- C:\Windows\System32\gmydQHv.exe
  C:\Windows\System32\gmydQHv.exe
  2⤵
  PID:13180
- C:\Windows\System32\TxMoHRs.exe
  C:\Windows\System32\TxMoHRs.exe
  2⤵
  PID:13256
- C:\Windows\System32\IcEHMmt.exe
  C:\Windows\System32\IcEHMmt.exe
  2⤵
  PID:12300
- C:\Windows\System32\IJUVaIy.exe
  C:\Windows\System32\IJUVaIy.exe
  2⤵
  PID:12496
- C:\Windows\System32\UXQnGCg.exe
  C:\Windows\System32\UXQnGCg.exe
  2⤵
  PID:12628
- C:\Windows\System32\seDaQEB.exe
  C:\Windows\System32\seDaQEB.exe
  2⤵
  PID:1176
- C:\Windows\System32\FwevjHC.exe
  C:\Windows\System32\FwevjHC.exe
  2⤵
  PID:12876
- C:\Windows\System32\yLEpPcY.exe
  C:\Windows\System32\yLEpPcY.exe
  2⤵
  PID:12964
- C:\Windows\System32\mmYyavy.exe
  C:\Windows\System32\mmYyavy.exe
  2⤵
  PID:13160
- C:\Windows\System32\TTwsVcM.exe
  C:\Windows\System32\TTwsVcM.exe
  2⤵
  PID:12412
- C:\Windows\System32\GyoJgYN.exe
  C:\Windows\System32\GyoJgYN.exe
  2⤵
  PID:12776
- C:\Windows\System32\lRLQBqC.exe
  C:\Windows\System32\lRLQBqC.exe
  2⤵
  PID:13096
- C:\Windows\System32\WOugZjB.exe
  C:\Windows\System32\WOugZjB.exe
  2⤵
  PID:12408
- C:\Windows\System32\AGMOeBK.exe
  C:\Windows\System32\AGMOeBK.exe
  2⤵
  PID:12328
- C:\Windows\System32\DdBxduI.exe
  C:\Windows\System32\DdBxduI.exe
  2⤵
  PID:13320
- C:\Windows\System32\wtKFYUO.exe
  C:\Windows\System32\wtKFYUO.exe
  2⤵
  PID:13348
- C:\Windows\System32\fBruogL.exe
  C:\Windows\System32\fBruogL.exe
  2⤵
  PID:13384
- C:\Windows\System32\xKimRmX.exe
  C:\Windows\System32\xKimRmX.exe
  2⤵
  PID:13412

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\FNfCmEI.exe

Filesize
2.9MB

MD5
defd193cfc30bd8aab7a2100cc1c4e4e

SHA1
ac5c41d645639462a23bfd907d1d852677044f66

SHA256
ac17856675ee7f2be55958e1fb367de4592f0619cf35f719ee386dc375665479

SHA512
20b578e616a9aba9a843fda2f566ea938888d984e82cdc25744b30c74dea78b639a8b89b75e7fc306e1b868c874cdfc0ecd4bf61ea454135596ac33ca649eaac

Download Submit
C:\Windows\System32\HXCxhVP.exe

Filesize
2.9MB

MD5
b6341a3f92284ee21349e02551da9ac8

SHA1
5e6861afc7d1dfe3fb88913870a8b0eabb3bbab8

SHA256
d0c1d5ce974a2394b3ad80f05922ff18f52aedb47b35f8da2f5b953a1adddf84

SHA512
6403e31dfb4002bb646a06993a0f0fbf662cd5189d6f3210494f64f3d986f58053cc37ba382d653cade27d3a345c2fd8b90b3ea523e4facc51dd3e95cac358c6

Download Submit
C:\Windows\System32\HivFmlI.exe

Filesize
2.9MB

MD5
307fc6283e75f0f33a4e6b3231bd4a25

SHA1
4d6f1b5352d8d95fb4999f17656e30269e0c8cdc

SHA256
ceca37671197af11c0ee51bba69941f6bfb98c945eeb14cdbcd9de90b1a9c8a3

SHA512
e741855e8a4bfe1f87d155a7edf4bbba004c7057f7870c8d1818e3042f8827f6f03ede42758228cffc6906af0c3485ab12a0bc67ab46b375a8e15675c68f10a8

Download Submit
C:\Windows\System32\IPhIAMs.exe

Filesize
2.9MB

MD5
9be95ef76f5248fb7b4f1e78af604e2b

SHA1
67c739f6cfcb4d1e22ac7418cbb8cf76182afaea

SHA256
cb7939df6efc8a5bdd061bd5269f3a437166b6901f18b26f284867b0aca5f5f4

SHA512
433fad38e0cf013f62d5ad0c003ed784315f2468c638f3e0a8858f63eff4fb7f5fd03b0d3427746e32a3d85c6ceba6e72378b1970047d43214d495d5c279bc1c

Download Submit
C:\Windows\System32\IXyEDrp.exe

Filesize
2.9MB

MD5
91d43bfeab918431281b242cc7def6af

SHA1
01ba6f22ba85850499c60fc0fbb4be1b00c3215a

SHA256
7389e2aed37f75b3b5e5be7502439057e6215467a1a52fa0a5e3673446a8d524

SHA512
c1f19687d4ebacd2c54e0db8435fe187af2739eb8f3fdfe3c10fd8729d984468318f788a04d69eddd46f7b416c6f13e0a65b8f4462f18ec7e4462bb83f0a902c

Download Submit
C:\Windows\System32\IZuqIXn.exe

Filesize
2.9MB

MD5
c020c6d73f136f9c0f20007b577b3cc5

SHA1
6fe00d7d89b05c482e7612698c1e12b05ec86875

SHA256
68edd4e3c80094a9234b6bcd8c4b452e2125453712b80ad39db94aed84b1a9bd

SHA512
073c636f80eda5993d22e743634b65fc32a7271a215c0029f870bf1694811270e03c551852b906a6af8c98abd1077af87af5c4a17bb824d32cca56d4c775463d

Download Submit
C:\Windows\System32\IdwNxeu.exe

Filesize
2.9MB

MD5
14cf4e1e59695f3ca109d7526f88e027

SHA1
e3b2d8ce070567ff3be5a9559606a0cbd0d82ddb

SHA256
3bea9d01f2da6fab298151b04a059a63b82268a1829a2d170179892104dc5650

SHA512
0aa80084b9bfc6ba07c97053c8bbf97458788807898cfda09992d77887d9f11f9692f5ba90f4f8be1d38ae7c9dd92a4ce798a6ed26f56fcbeb639dabbf13b7be

Download Submit
C:\Windows\System32\JofQIjh.exe

Filesize
2.9MB

MD5
029a31924dd85df8e97809cba357df2d

SHA1
09b1516b75bb6a31804ce8eac27af0280ca4f2f6

SHA256
49eb809f8a6a9418c98e6bdd5d098055e78bd199d1479608d2beb000e72022b7

SHA512
839a80acd35bfc7b6871ab11e7177b3c1e48e0e7e1b4694e873d331ea4ccc4b76a9b8789c6045cca6e3146265c13eee9ad55933afc0696a0c9c6cdac3df39f94

Download Submit
C:\Windows\System32\JwgwqCI.exe

Filesize
2.9MB

MD5
63eb1156ada1d649b6f6c1d8fd73d45a

SHA1
31b91ebd522b25891a012d63bffeb746ae44374d

SHA256
53407726bf89a62a55eec017b271d5b31d6fd65cd05f0c8fa6f31e95bb4de1c1

SHA512
e68a90d523b3bc0469cd430551bc5424e8b67f3a39606215bfceb6003f05f6e18ef1626dd7f403e04ff1a8e59382a5239362abac9ee7c8bed02bc8f48297b57f

Download Submit
C:\Windows\System32\KQknBTF.exe

Filesize
2.9MB

MD5
d91096107463f8e52fd3aaa4dd3e5ffa

SHA1
ca8e43323c019857c6caf9885a30da08175433f2

SHA256
a9b79f79745e660ddf9ab1f1564ea02b5fda2034b2379621cfa46e9863452b6f

SHA512
45c85c0b0265d7e782501829ebb91625a880951694a0f63d5fdd5fd3c587b17bc7e14fdf92d352f7e82485935f961f676d31bda421dfb46e22cdf0c4627dc394

Download Submit
C:\Windows\System32\QIqDAjy.exe

Filesize
2.9MB

MD5
b793b5c5651988c067fe3a573e943973

SHA1
8a05d1c9fa3f972d0b2dc69991c88b53872b20e7

SHA256
9c29b5f7fc46102df9817e069c4ef925657801143569ec0bc3a01be5d99a5dba

SHA512
acc8e60a5db5ffd9ed4bba0fc533a0b2f13abe1aece3fc920b1c09855751de08eaf63f64a64c3c321abc0a1c3b9ba90df5091c85ba1ee8b7c225894fd8cb2004

Download Submit
C:\Windows\System32\UHSuGrc.exe

Filesize
2.9MB

MD5
0731fcc6ea9b189ad0148d7cbbc9d0ba

SHA1
022501265acc42bfe148e39e215c1ea363b455c3

SHA256
7c277d78d76c72d2c86f506784c912bbcb6689cffcaeaa6a06055565c83d1dd2

SHA512
06bba84b65cb909c9a2787a132c69fc88a98062c9cfc39e8d62978a78e6c082f2dde86b3eaf3af8d9f4dd160616dc95ccb0c83272782db6233bfc4464f331142

Download Submit
C:\Windows\System32\VPQNOFB.exe

Filesize
2.9MB

MD5
193f079024055a9e78ba6ad59a54e61a

SHA1
e450918ecc68815eacfe95971226103050ed793b

SHA256
d12a4ec431349df73f5d628cecdf8f7400efb94e1a4ed4e8d2421d1c6a6937c0

SHA512
9a99ccb487e20f41a4d3c93b2f6841b2119b4fcdca8f5fb6a8b35172b553c40d805b4d90e0a06f867a5296bf848c93484ec509439ee6e32b31cd23b2de62016f

Download Submit
C:\Windows\System32\YAMhnCu.exe

Filesize
2.9MB

MD5
2e21e0e21ceedad104dbdf53ec02f13e

SHA1
6aa3eadaf33de9fce813dc0408aca3e4b79b1fa9

SHA256
dc814057a555df0d0c092aa33021ac19cac5b348cec3b0b0f6221f7d2b04aea8

SHA512
c4e79a85cd553c5a44888afd0a615b6613c87272423bcf3994839ff1793bf656265c4ccdae08defbef4a6940e317d478ecd9c31e1a42473a0dcbcc0667377a95

Download Submit
C:\Windows\System32\bOBUive.exe

Filesize
2.9MB

MD5
f6092b30e46c86cbe52dd8f2e5a04efc

SHA1
c060322fe48315eba7af417c66cd75b82b674f02

SHA256
e6114c447687a889b0924b0a9f1a00409e751a10e2b892c8b66a3ee94e54efbc

SHA512
54f71dab39c099a98492a8ca0acd9c429e9b486e9fbd94df8e71e259e1584b741fdbab249ec74adcfa15a6377bc8bd78d810ec170f964000a6c4d65e2a6da5e4

Download Submit
C:\Windows\System32\brmkCzt.exe

Filesize
2.9MB

MD5
950cb88b51f1e4a29974fb901061d814

SHA1
c3ab23c95d4fe96182fe0ad191690049a5d1dfec

SHA256
0e74599dfa089a7fd3c3d967c491e8d1fe8935e5f49a7c6220b7a2be0eafbe1b

SHA512
2d7893a3410fe336aab299b95f652693c23d45677ecbd7e3ab4af1da6000659fb80aaf7c8fc0d03cc72def53ceebd0a1659a2bb7ee4b8540e4c65582f7430d4b

Download Submit
C:\Windows\System32\gNMDLlq.exe

Filesize
2.9MB

MD5
52e7fbbd4130122269ad9f5b0fa50cc5

SHA1
4ca0f84eec2cf2d4d922e7793c8b2729254fb91f

SHA256
6fbfd13a7b064d25236d74a5bfa24ff90b1f958fed1dd2feae9fe17d723dae77

SHA512
c642eaa08e695f2f9c803abebb77ee59100c9da4c95d6f5536a91c75bf4e24e1c2880bc24d0a1f9df0cb7f2ca9973ce1185938716cd2a22fa8e886ce2682851f

Download Submit
C:\Windows\System32\hJDuTTe.exe

Filesize
2.9MB

MD5
88f420bd1eb7b7abac2528245bff92d3

SHA1
243e220c085f11507feff585cac9107dec821825

SHA256
d0ac8739d4cd99281f66558ee3328a5de51446fc19abe6a6ba1bd0da691597a6

SHA512
16e6431bd7ec4333b93ed81afc88e4f9a64126b4d83ac4d214e41bb13a66725ba553793a808d1e1035305a26e1f9c09b6e58a4d2428f5c774232f23ddf7cfd3f

Download Submit
C:\Windows\System32\hPxfvZr.exe

Filesize
2.9MB

MD5
fb36e265934563685ce79d7a29ecd93e

SHA1
655452e9669a7879fb0c974b5add9f07efc8cb09

SHA256
d9827b701dd9e9fa072507062eb2aaa420175ccd68fbdac6037db35e5b33f0df

SHA512
e8f6c8b8c68a107aa46c0c82bf163b43d464d770a55e7ccaa3d7c8c8398a54de5b1f2b473187b10388fa4dde3ea00e8a4fecced7fc3a33652485d07d432c09fb

Download Submit
C:\Windows\System32\hVONZcY.exe

Filesize
2.9MB

MD5
e98ba53c9c62a3b9a5effa1b74103a9e

SHA1
72400dd5c25e0be9150840d8731a821046d3e6ba

SHA256
b9fd241982d3862c990c1d6c4fbb54387b752ed7c1cbc93b286179d491ebeb91

SHA512
a79859dd83d336bbf0b0dfadbae8e4ba6bcdf532bc1ff943f2a033b504ae0252046dd8989d9fc6714d8901873054bf77418f75c0c08f4d3f909256cc22e27825

Download Submit
C:\Windows\System32\iaHlSQB.exe

Filesize
2.9MB

MD5
2098cea462782b44199ec642f900f458

SHA1
af73fb24e561f2bbacb3ee5a6aef91f0657c8c6b

SHA256
e354b4cf98f7fa4ad8af28b7d790ae5fb32a943cef000554bc902369cd766e1c

SHA512
0a3c7d22f89a0a4beedc71b81d100724991e307dfd7213fa9b1fdec2d6d1e4ad030e87a01c0d3d51b79b4210958cd9f177d3d965552baa339dd2d4b1d900eb3d

Download Submit
C:\Windows\System32\jDNIKJS.exe

Filesize
2.9MB

MD5
4cb8481f1d57d64cc954ba0a719cb002

SHA1
5a203fac95775867f7fb990c8e6c0ae26709a998

SHA256
5570402d81c13ac903b96bf2a5de599e31967a554ef70b4fa974dcac5f6175ab

SHA512
08317c4ad0d451fb19f0c9ecedda709490f43ebb166a969293b71551bf785827f1ca3c679dc797e6f1799da445de96ad3ba3aa80183d4e7778e1ebbe04120f4c

Download Submit
C:\Windows\System32\lNFnoZm.exe

Filesize
2.9MB

MD5
6067c188726fd6809c55a6db11576f06

SHA1
970ad51b1dfcd4a2ab2d660f1d547f4f00e48c89

SHA256
54cf982cba7cd7d5965859504349147c8bf02520473ec5accefbd60dc4689dd0

SHA512
1fa54ee7c1e7ea0ac73a72c15cc120646dbbad3092f1011812ce98d7368f0a60ce0ab75e0cb2f543509c615205d01dcd12c277981522a76c267efcb8bc9edae3

Download Submit
C:\Windows\System32\lqAzbTj.exe

Filesize
2.9MB

MD5
b09c99031fe70c5250635ea043266226

SHA1
fa41352c313b76ada0ce08ab95fc613ebaf98a20

SHA256
0ab187dc3d1f4c1b2e6108aa175bfa7dab500f68f31327dae74787017960a3c2

SHA512
8cf168383d73daf5c91a8296fdd056621fcf5134ebcc335913c02eb3553710634a25e9ef668250352039fc4a62f5ca3d09935738e6db232e1a3db7c66739bca9

Download Submit
C:\Windows\System32\lusUDzW.exe

Filesize
2.9MB

MD5
f12669d31d8504b0990402f3281dd952

SHA1
177d62b55906d3653669d74f44dda0e858b55927

SHA256
7019e73a86da668409d1c2502069375bf69053b48173f93d32fa1d2528fc498b

SHA512
987141aa581ba9555d56a3737c1b46092ea0512586f5061213170d87853df73ca94d2bf2d5b8c9342ab0394738f864f497023873669f93dd3b634eb552422276

Download Submit
C:\Windows\System32\mrqhliT.exe

Filesize
2.9MB

MD5
66fd6a3d74fa978b0bde9278ecb8ac00

SHA1
4be2856368106c47648a25b505a15605b506b386

SHA256
29d3ac1647424181bb40818cdba71d28a0eefb0a1d521d5117c290cae4c6083d

SHA512
2d9a254b850d033729cd0955732d03894a81e55991a3f1c6ae3385930be61c07b5aa0caea61434ff3b410847a3742406f8200b5d156ad7de8420aee64cff66fc

Download Submit
C:\Windows\System32\nLizCMz.exe

Filesize
2.9MB

MD5
8b278b421cbfe05ce715c54a5f94f5bb

SHA1
19e79cad79bc56f2ede821a2bc42f5d1eefc8ee6

SHA256
5f2f3560856c6c8d622775b88b61f34d72e69ae8aa1168607f2a42d28d602eb8

SHA512
a9c9f52e2dc8a268bd143c067b2acfe65de4350ecddf52b7eb2555f7ceeb956879eca22fe77462fbf114cf43efb2ac5a63d9d964e33a8fd289fb159b3f6f6b87

Download Submit
C:\Windows\System32\oFvcfJw.exe

Filesize
2.9MB

MD5
db6548764a32cc0c4b00bf628d391fa8

SHA1
8e4fb8b07c9f11c2abfefcdffdf1b88804783caa

SHA256
3a9ccfe8154eb39ed62588bd9d06f63f8ce213c28ec4fa67677ae8af471eee4c

SHA512
35b27332fad50e88b60b1dd4d17584b2645ca5332560b68c6785ab6f7088e3ea54d523ada18cf880651edde8c02dc1514315e7865337809b4ba3ccee7b36a4cf

Download Submit
C:\Windows\System32\qLjoxTW.exe

Filesize
2.9MB

MD5
279f6e395c4b16e84bfccc4440e40f11

SHA1
d52dc0bc1cd44749a53c1aa05f2b5fba63205ac8

SHA256
c7a1c5df418809731800cd5c53e7a697d28bb3c7bff05e36594cb6e13e3bef84

SHA512
92966c716bbeedfd7e44a6fa426a584f9fc83656ddb5d6a8441b6602a9def37624a0f8a41c11b3d3634a7f92231e9915ab1c3fb93f06be8282db0f9881193da3

Download Submit
C:\Windows\System32\vslVMbB.exe

Filesize
2.9MB

MD5
29ed6ad0f580eca2178dfa79dd49c3eb

SHA1
83bd3f699009d9746260d64fa4218bbe8c2b527e

SHA256
a6797d73e9c548bb4a9efba838ccf80f1b7eb1124396dc003403eb5defc2de30

SHA512
aa4f36134ffa7eb677efb0e0ee131040bce00889267919216724d014e458558f0499c1e43e4cc2060f2affa0c872607a06119fe76fdb97d059c8dfaee3e2d564

Download Submit
C:\Windows\System32\wZrdXja.exe

Filesize
2.9MB

MD5
9471e09c735c2a66b02e8d07594454f2

SHA1
2ac2ce8a4f4e3d8e49b15d9c6614ecacaa34a917

SHA256
1bc8b5cea7d2c4463b6e1cc9fe896f4d90d8c801d44491bd154186e482840b2a

SHA512
a22cf5af64b59fd0534f9560763b1d1e8ab7d8aa882661020dc74b9cda17c5f7b0679634ded81ffe68691786959b72107b8f74e01c7de52b30cd5501b13e1d62

Download Submit
C:\Windows\System32\zlOBFfx.exe

Filesize
2.9MB

MD5
6df0b766ccea1488d2ec4b4b5b284bc7

SHA1
17d77984e97454f59cf8aaee86c592ec26d778e8

SHA256
9577d60ef02c42c13e2d299c710a3f1fe9832123b9083822745b6bf5675ad38e

SHA512
c9bb29dedeb975b3a52410ff942bbb7abdfc8565243aadb895a1be00dd2a8e383e520cce91f80bfddb5c77e833a065891c905b7c902465a11d8ef078abe2df54

Download Submit
memory/436-1934-0x00007FF74E4B0000-0x00007FF74E8A5000-memory.dmp

Filesize
4.0MB

Download
memory/436-555-0x00007FF74E4B0000-0x00007FF74E8A5000-memory.dmp

Filesize
4.0MB

Download
memory/468-556-0x00007FF7508D0000-0x00007FF750CC5000-memory.dmp

Filesize
4.0MB

Download
memory/468-1935-0x00007FF7508D0000-0x00007FF750CC5000-memory.dmp

Filesize
4.0MB

Download
memory/644-1937-0x00007FF712780000-0x00007FF712B75000-memory.dmp

Filesize
4.0MB

Download
memory/644-558-0x00007FF712780000-0x00007FF712B75000-memory.dmp

Filesize
4.0MB

Download
memory/1324-1950-0x00007FF701EF0000-0x00007FF7022E5000-memory.dmp

Filesize
4.0MB

Download
memory/1324-601-0x00007FF701EF0000-0x00007FF7022E5000-memory.dmp

Filesize
4.0MB

Download
memory/1472-611-0x00007FF7A3600000-0x00007FF7A39F5000-memory.dmp

Filesize
4.0MB

Download
memory/1472-1933-0x00007FF7A3600000-0x00007FF7A39F5000-memory.dmp

Filesize
4.0MB

Download
memory/1796-1945-0x00007FF6CC1F0000-0x00007FF6CC5E5000-memory.dmp

Filesize
4.0MB

Download
memory/1796-575-0x00007FF6CC1F0000-0x00007FF6CC5E5000-memory.dmp

Filesize
4.0MB

Download
memory/2024-553-0x00007FF767A20000-0x00007FF767E15000-memory.dmp

Filesize
4.0MB

Download
memory/2024-1930-0x00007FF767A20000-0x00007FF767E15000-memory.dmp

Filesize
4.0MB

Download
memory/2164-1931-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp

Filesize
4.0MB

Download
memory/2164-32-0x00007FF7288A0000-0x00007FF728C95000-memory.dmp

Filesize
4.0MB

Download
memory/2188-607-0x00007FF7E37C0000-0x00007FF7E3BB5000-memory.dmp

Filesize
4.0MB

Download
memory/2188-1948-0x00007FF7E37C0000-0x00007FF7E3BB5000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1947-0x00007FF7E7040000-0x00007FF7E7435000-memory.dmp

Filesize
4.0MB

Download
memory/2352-566-0x00007FF7E7040000-0x00007FF7E7435000-memory.dmp

Filesize
4.0MB

Download
memory/2372-1949-0x00007FF7EF3E0000-0x00007FF7EF7D5000-memory.dmp

Filesize
4.0MB

Download
memory/2372-606-0x00007FF7EF3E0000-0x00007FF7EF7D5000-memory.dmp

Filesize
4.0MB

Download
memory/2392-1946-0x00007FF7AC500000-0x00007FF7AC8F5000-memory.dmp

Filesize
4.0MB

Download
memory/2392-570-0x00007FF7AC500000-0x00007FF7AC8F5000-memory.dmp

Filesize
4.0MB

Download
memory/2472-12-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp

Filesize
4.0MB

Download
memory/2472-1928-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp

Filesize
4.0MB

Download
memory/2472-1925-0x00007FF7AF810000-0x00007FF7AFC05000-memory.dmp

Filesize
4.0MB

Download
memory/2740-1926-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp

Filesize
4.0MB

Download
memory/2740-0-0x00007FF6C63D0000-0x00007FF6C67C5000-memory.dmp

Filesize
4.0MB

Download
memory/2740-1-0x00000188D92A0000-0x00000188D92B0000-memory.dmp

Filesize
64KB

Download
memory/3036-591-0x00007FF7D34F0000-0x00007FF7D38E5000-memory.dmp

Filesize
4.0MB

Download
memory/3036-1943-0x00007FF7D34F0000-0x00007FF7D38E5000-memory.dmp

Filesize
4.0MB

Download
memory/3156-1942-0x00007FF6D6040000-0x00007FF6D6435000-memory.dmp

Filesize
4.0MB

Download
memory/3156-587-0x00007FF6D6040000-0x00007FF6D6435000-memory.dmp

Filesize
4.0MB

Download
memory/3704-603-0x00007FF749D10000-0x00007FF74A105000-memory.dmp

Filesize
4.0MB

Download
memory/3704-1951-0x00007FF749D10000-0x00007FF74A105000-memory.dmp

Filesize
4.0MB

Download
memory/3836-1941-0x00007FF72EF30000-0x00007FF72F325000-memory.dmp

Filesize
4.0MB

Download
memory/3836-595-0x00007FF72EF30000-0x00007FF72F325000-memory.dmp

Filesize
4.0MB

Download
memory/4116-557-0x00007FF72D0B0000-0x00007FF72D4A5000-memory.dmp

Filesize
4.0MB

Download
memory/4116-1938-0x00007FF72D0B0000-0x00007FF72D4A5000-memory.dmp

Filesize
4.0MB

Download
memory/4128-1936-0x00007FF6D8250000-0x00007FF6D8645000-memory.dmp

Filesize
4.0MB

Download
memory/4128-559-0x00007FF6D8250000-0x00007FF6D8645000-memory.dmp

Filesize
4.0MB

Download
memory/4280-1927-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp

Filesize
4.0MB

Download
memory/4280-1929-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp

Filesize
4.0MB

Download
memory/4280-24-0x00007FF7F3EC0000-0x00007FF7F42B5000-memory.dmp

Filesize
4.0MB

Download
memory/4296-582-0x00007FF691440000-0x00007FF691835000-memory.dmp

Filesize
4.0MB

Download
memory/4296-1944-0x00007FF691440000-0x00007FF691835000-memory.dmp

Filesize
4.0MB

Download
memory/4884-561-0x00007FF6D5A10000-0x00007FF6D5E05000-memory.dmp

Filesize
4.0MB

Download
memory/4884-1940-0x00007FF6D5A10000-0x00007FF6D5E05000-memory.dmp

Filesize
4.0MB

Download
memory/5048-1932-0x00007FF7B5170000-0x00007FF7B5565000-memory.dmp

Filesize
4.0MB

Download
memory/5048-554-0x00007FF7B5170000-0x00007FF7B5565000-memory.dmp

Filesize
4.0MB

Download
memory/5060-560-0x00007FF6DA170000-0x00007FF6DA565000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1939-0x00007FF6DA170000-0x00007FF6DA565000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads