xmrig | 7ad43ae6b801e34ef6f893e63140b43fe0e558dbd651a66cd2966fe839f3af47

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
Size

2.9MB
MD5

ce1073ebcaad5383abfd9c400b68aaa0
SHA1

3efb3c0189f0c983bd51df57ad25d133e0c9065c
SHA256

7ad43ae6b801e34ef6f893e63140b43fe0e558dbd651a66cd2966fe839f3af47
SHA512

84c3bae9d86b3f49ee2a3429347fa7f71eb1d822a583c064e5381d25f436c380a640f0d6aef6e28868f17e258b6488424d98d4e17b7f3be0db60cc6ffeda339a
SSDEEP

49152:w0wjnJMOWh50kC1/dVFdx6e0EALKWVTffZiPAcRq6jHjcz8DzcCNfeT5J0aXiJPs:w0GnJMOWPClFdx6e0EALKWVTffZiPAca

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2868-0-0x00007FF72DD90000-0x00007FF72E185000-memory.dmp	xmrig
behavioral2/files/0x0008000000023531-5.dat	xmrig
behavioral2/memory/640-9-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023538-10.dat	xmrig
behavioral2/files/0x0008000000023534-15.dat	xmrig
behavioral2/files/0x000700000002353e-47.dat	xmrig
behavioral2/files/0x000700000002353f-52.dat	xmrig
behavioral2/files/0x0007000000023542-65.dat	xmrig
behavioral2/files/0x0007000000023549-102.dat	xmrig
behavioral2/files/0x000700000002354d-120.dat	xmrig
behavioral2/files/0x0007000000023551-140.dat	xmrig
behavioral2/files/0x0007000000023554-157.dat	xmrig
behavioral2/files/0x0007000000023555-163.dat	xmrig
behavioral2/memory/4484-794-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	xmrig
behavioral2/files/0x0007000000023553-152.dat	xmrig
behavioral2/files/0x0007000000023552-147.dat	xmrig
behavioral2/files/0x0007000000023550-137.dat	xmrig
behavioral2/files/0x000700000002354f-132.dat	xmrig
behavioral2/files/0x000700000002354e-127.dat	xmrig
behavioral2/files/0x000700000002354c-117.dat	xmrig
behavioral2/files/0x000700000002354b-112.dat	xmrig
behavioral2/files/0x000700000002354a-107.dat	xmrig
behavioral2/files/0x0007000000023548-97.dat	xmrig
behavioral2/files/0x0007000000023547-92.dat	xmrig
behavioral2/files/0x0007000000023546-87.dat	xmrig
behavioral2/files/0x0007000000023545-82.dat	xmrig
behavioral2/files/0x0007000000023544-77.dat	xmrig
behavioral2/files/0x0007000000023543-72.dat	xmrig
behavioral2/files/0x0007000000023541-62.dat	xmrig
behavioral2/files/0x0007000000023540-57.dat	xmrig
behavioral2/files/0x000700000002353d-42.dat	xmrig
behavioral2/files/0x000700000002353c-40.dat	xmrig
behavioral2/files/0x000700000002353b-32.dat	xmrig
behavioral2/files/0x000700000002353a-27.dat	xmrig
behavioral2/files/0x0007000000023539-22.dat	xmrig
behavioral2/memory/2488-806-0x00007FF722A80000-0x00007FF722E75000-memory.dmp	xmrig
behavioral2/memory/4076-827-0x00007FF7BDBB0000-0x00007FF7BDFA5000-memory.dmp	xmrig
behavioral2/memory/1076-830-0x00007FF6FF240000-0x00007FF6FF635000-memory.dmp	xmrig
behavioral2/memory/4904-821-0x00007FF688180000-0x00007FF688575000-memory.dmp	xmrig
behavioral2/memory/3424-814-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp	xmrig
behavioral2/memory/4848-811-0x00007FF73B0E0000-0x00007FF73B4D5000-memory.dmp	xmrig
behavioral2/memory/4124-834-0x00007FF733FB0000-0x00007FF7343A5000-memory.dmp	xmrig
behavioral2/memory/2264-841-0x00007FF7C9AB0000-0x00007FF7C9EA5000-memory.dmp	xmrig
behavioral2/memory/4216-846-0x00007FF7E14A0000-0x00007FF7E1895000-memory.dmp	xmrig
behavioral2/memory/4752-848-0x00007FF77D160000-0x00007FF77D555000-memory.dmp	xmrig
behavioral2/memory/4048-859-0x00007FF63CD10000-0x00007FF63D105000-memory.dmp	xmrig
behavioral2/memory/4080-862-0x00007FF65E0A0000-0x00007FF65E495000-memory.dmp	xmrig
behavioral2/memory/3836-863-0x00007FF7B2940000-0x00007FF7B2D35000-memory.dmp	xmrig
behavioral2/memory/2816-865-0x00007FF6B1C80000-0x00007FF6B2075000-memory.dmp	xmrig
behavioral2/memory/1568-871-0x00007FF76A2B0000-0x00007FF76A6A5000-memory.dmp	xmrig
behavioral2/memory/4084-873-0x00007FF73E2C0000-0x00007FF73E6B5000-memory.dmp	xmrig
behavioral2/memory/3784-855-0x00007FF607B60000-0x00007FF607F55000-memory.dmp	xmrig
behavioral2/memory/1296-879-0x00007FF6A1A50000-0x00007FF6A1E45000-memory.dmp	xmrig
behavioral2/memory/4204-887-0x00007FF6C8BC0000-0x00007FF6C8FB5000-memory.dmp	xmrig
behavioral2/memory/3560-892-0x00007FF761EC0000-0x00007FF7622B5000-memory.dmp	xmrig
behavioral2/memory/3316-900-0x00007FF613DA0000-0x00007FF614195000-memory.dmp	xmrig
behavioral2/memory/2796-908-0x00007FF665860000-0x00007FF665C55000-memory.dmp	xmrig
behavioral2/memory/4484-1933-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	xmrig
behavioral2/memory/640-1934-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp	xmrig
behavioral2/memory/2796-1935-0x00007FF665860000-0x00007FF665C55000-memory.dmp	xmrig
behavioral2/memory/4484-1936-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	xmrig
behavioral2/memory/2488-1937-0x00007FF722A80000-0x00007FF722E75000-memory.dmp	xmrig
behavioral2/memory/3424-1939-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp	xmrig
behavioral2/memory/4904-1941-0x00007FF688180000-0x00007FF688575000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
640	IvoXKOy.exe
4484	CKEKDDl.exe
2796	gExrHRN.exe
2488	gVORKNB.exe
4848	BdkiiGh.exe
3424	uGdItPH.exe
4904	IeeIThf.exe
4076	tDYHrnO.exe
1076	NarvlzN.exe
4124	stCwOlL.exe
2264	BfLBlTS.exe
4216	wCjfiHd.exe
4752	agprfLJ.exe
3784	MqJqtLL.exe
4048	gtpwmjV.exe
4080	axFcSHy.exe
3836	YAZpsqq.exe
2816	fpOpaps.exe
1568	sfIfiIJ.exe
4084	SyylVHx.exe
1296	IDnMXtX.exe
4204	BGIywXP.exe
3560	IPkaSLR.exe
3316	IJOwhfb.exe
3696	cbeHXsk.exe
3360	OlXWiZD.exe
5068	UefBTmv.exe
1224	AICfgVn.exe
1872	dAhHEAm.exe
1880	RVyqcZA.exe
1100	BetqdlH.exe
3732	MCYNvTl.exe
3124	BGNhsnF.exe
1504	iEqbEtb.exe
2772	mmdPKAv.exe
3272	KTsnlIX.exe
3068	lCZsyvf.exe
2572	TTgyEiV.exe
540	uYYHhZt.exe
3004	nKAhPqW.exe
2212	ZYDIVmB.exe
4900	XpdnZsa.exe
3712	lWcIUTR.exe
876	XPJdkkY.exe
1300	fbRdGNP.exe
4924	DAWcYAi.exe
1472	CBYYGiP.exe
4456	wKLGHZE.exe
2400	tSQDnTz.exe
3312	oLKplTP.exe
3692	oGSXsgA.exe
4964	xowJbvt.exe
1144	BhpHxfp.exe
1356	DXJMBwg.exe
3236	PkpQXlq.exe
4908	cPXhDXB.exe
2860	nAipMmw.exe
3760	hQxwett.exe
4200	YhEDEyB.exe
1000	aARrCxu.exe
3116	TnbgDec.exe
544	GYLvNUt.exe
2700	wBnXTcC.exe
4224	zsXYzmn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2868-0-0x00007FF72DD90000-0x00007FF72E185000-memory.dmp	upx
behavioral2/files/0x0008000000023531-5.dat	upx
behavioral2/memory/640-9-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp	upx
behavioral2/files/0x0007000000023538-10.dat	upx
behavioral2/files/0x0008000000023534-15.dat	upx
behavioral2/files/0x000700000002353e-47.dat	upx
behavioral2/files/0x000700000002353f-52.dat	upx
behavioral2/files/0x0007000000023542-65.dat	upx
behavioral2/files/0x0007000000023549-102.dat	upx
behavioral2/files/0x000700000002354d-120.dat	upx
behavioral2/files/0x0007000000023551-140.dat	upx
behavioral2/files/0x0007000000023554-157.dat	upx
behavioral2/files/0x0007000000023555-163.dat	upx
behavioral2/memory/4484-794-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	upx
behavioral2/files/0x0007000000023553-152.dat	upx
behavioral2/files/0x0007000000023552-147.dat	upx
behavioral2/files/0x0007000000023550-137.dat	upx
behavioral2/files/0x000700000002354f-132.dat	upx
behavioral2/files/0x000700000002354e-127.dat	upx
behavioral2/files/0x000700000002354c-117.dat	upx
behavioral2/files/0x000700000002354b-112.dat	upx
behavioral2/files/0x000700000002354a-107.dat	upx
behavioral2/files/0x0007000000023548-97.dat	upx
behavioral2/files/0x0007000000023547-92.dat	upx
behavioral2/files/0x0007000000023546-87.dat	upx
behavioral2/files/0x0007000000023545-82.dat	upx
behavioral2/files/0x0007000000023544-77.dat	upx
behavioral2/files/0x0007000000023543-72.dat	upx
behavioral2/files/0x0007000000023541-62.dat	upx
behavioral2/files/0x0007000000023540-57.dat	upx
behavioral2/files/0x000700000002353d-42.dat	upx
behavioral2/files/0x000700000002353c-40.dat	upx
behavioral2/files/0x000700000002353b-32.dat	upx
behavioral2/files/0x000700000002353a-27.dat	upx
behavioral2/files/0x0007000000023539-22.dat	upx
behavioral2/memory/2488-806-0x00007FF722A80000-0x00007FF722E75000-memory.dmp	upx
behavioral2/memory/4076-827-0x00007FF7BDBB0000-0x00007FF7BDFA5000-memory.dmp	upx
behavioral2/memory/1076-830-0x00007FF6FF240000-0x00007FF6FF635000-memory.dmp	upx
behavioral2/memory/4904-821-0x00007FF688180000-0x00007FF688575000-memory.dmp	upx
behavioral2/memory/3424-814-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp	upx
behavioral2/memory/4848-811-0x00007FF73B0E0000-0x00007FF73B4D5000-memory.dmp	upx
behavioral2/memory/4124-834-0x00007FF733FB0000-0x00007FF7343A5000-memory.dmp	upx
behavioral2/memory/2264-841-0x00007FF7C9AB0000-0x00007FF7C9EA5000-memory.dmp	upx
behavioral2/memory/4216-846-0x00007FF7E14A0000-0x00007FF7E1895000-memory.dmp	upx
behavioral2/memory/4752-848-0x00007FF77D160000-0x00007FF77D555000-memory.dmp	upx
behavioral2/memory/4048-859-0x00007FF63CD10000-0x00007FF63D105000-memory.dmp	upx
behavioral2/memory/4080-862-0x00007FF65E0A0000-0x00007FF65E495000-memory.dmp	upx
behavioral2/memory/3836-863-0x00007FF7B2940000-0x00007FF7B2D35000-memory.dmp	upx
behavioral2/memory/2816-865-0x00007FF6B1C80000-0x00007FF6B2075000-memory.dmp	upx
behavioral2/memory/1568-871-0x00007FF76A2B0000-0x00007FF76A6A5000-memory.dmp	upx
behavioral2/memory/4084-873-0x00007FF73E2C0000-0x00007FF73E6B5000-memory.dmp	upx
behavioral2/memory/3784-855-0x00007FF607B60000-0x00007FF607F55000-memory.dmp	upx
behavioral2/memory/1296-879-0x00007FF6A1A50000-0x00007FF6A1E45000-memory.dmp	upx
behavioral2/memory/4204-887-0x00007FF6C8BC0000-0x00007FF6C8FB5000-memory.dmp	upx
behavioral2/memory/3560-892-0x00007FF761EC0000-0x00007FF7622B5000-memory.dmp	upx
behavioral2/memory/3316-900-0x00007FF613DA0000-0x00007FF614195000-memory.dmp	upx
behavioral2/memory/2796-908-0x00007FF665860000-0x00007FF665C55000-memory.dmp	upx
behavioral2/memory/4484-1933-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	upx
behavioral2/memory/640-1934-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp	upx
behavioral2/memory/2796-1935-0x00007FF665860000-0x00007FF665C55000-memory.dmp	upx
behavioral2/memory/4484-1936-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp	upx
behavioral2/memory/2488-1937-0x00007FF722A80000-0x00007FF722E75000-memory.dmp	upx
behavioral2/memory/3424-1939-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp	upx
behavioral2/memory/4904-1941-0x00007FF688180000-0x00007FF688575000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\hNKgGdV.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\DJMnlDF.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\OLwpzGs.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ahnQVRT.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\eHlsOJi.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\xxhiOkk.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZzRdhsR.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZmIFmgd.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\uLqnhof.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\OFUuaSL.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\THHHryM.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\OWEwTwA.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\KFddkPS.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\muhtTLK.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\QbxGuGA.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\XpdnZsa.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\yNSeHqf.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\PYrPTLk.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\xPhXRqd.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\DMreMtH.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\YfRoBPs.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\BpirWXk.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\UHkFaFc.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\hsfKhEM.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\uYYHhZt.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\TtIfkUf.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ieRAGpb.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\UpvAQxi.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ZUEzAMa.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\fpOpaps.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\sfIfiIJ.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\isQwalw.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\NilaHCK.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\xKSiozm.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\YhEDEyB.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\uHZmkAs.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\kouRRCx.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\EUYmsMA.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ejdqelf.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\DxoQSTk.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\uYwRMIQ.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\uGfiOaH.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\kKcCjgj.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\VuSYctZ.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\IltjWtD.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\PDKbaJQ.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\wBnXTcC.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\AqhMHHy.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\WINACvD.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\PcxISfu.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\epfFfmu.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\yvvPUCF.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\oGSXsgA.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ujiwifi.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\LoiVpQS.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\yOQdFIF.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\ggCMFkj.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\MEcOIaM.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\SVVPwfd.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\qFasOOp.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\xowJbvt.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\PcHPhjk.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\HvNTjZG.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
File created	C:\Windows\System32\gExrHRN.exe	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13204	dwm.exe
Token: SeChangeNotifyPrivilege	13204	dwm.exe
Token: 33	13204	dwm.exe
Token: SeIncBasePriorityPrivilege	13204	dwm.exe
Token: SeShutdownPrivilege	13204	dwm.exe
Token: SeCreatePagefilePrivilege	13204	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 640	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	85
PID 2868 wrote to memory of 640	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	85
PID 2868 wrote to memory of 4484	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	86
PID 2868 wrote to memory of 4484	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	86
PID 2868 wrote to memory of 2796	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	87
PID 2868 wrote to memory of 2796	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	87
PID 2868 wrote to memory of 2488	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	88
PID 2868 wrote to memory of 2488	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	88
PID 2868 wrote to memory of 4848	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	89
PID 2868 wrote to memory of 4848	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	89
PID 2868 wrote to memory of 3424	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	90
PID 2868 wrote to memory of 3424	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	90
PID 2868 wrote to memory of 4904	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	91
PID 2868 wrote to memory of 4904	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	91
PID 2868 wrote to memory of 4076	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	92
PID 2868 wrote to memory of 4076	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	92
PID 2868 wrote to memory of 1076	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	93
PID 2868 wrote to memory of 1076	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	93
PID 2868 wrote to memory of 4124	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	94
PID 2868 wrote to memory of 4124	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	94
PID 2868 wrote to memory of 2264	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	95
PID 2868 wrote to memory of 2264	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	95
PID 2868 wrote to memory of 4216	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	96
PID 2868 wrote to memory of 4216	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	96
PID 2868 wrote to memory of 4752	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	97
PID 2868 wrote to memory of 4752	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	97
PID 2868 wrote to memory of 3784	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	98
PID 2868 wrote to memory of 3784	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	98
PID 2868 wrote to memory of 4048	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	99
PID 2868 wrote to memory of 4048	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	99
PID 2868 wrote to memory of 4080	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	100
PID 2868 wrote to memory of 4080	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	100
PID 2868 wrote to memory of 3836	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	101
PID 2868 wrote to memory of 3836	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	101
PID 2868 wrote to memory of 2816	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	102
PID 2868 wrote to memory of 2816	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	102
PID 2868 wrote to memory of 1568	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	103
PID 2868 wrote to memory of 1568	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	103
PID 2868 wrote to memory of 4084	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	104
PID 2868 wrote to memory of 4084	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	104
PID 2868 wrote to memory of 1296	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	105
PID 2868 wrote to memory of 1296	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	105
PID 2868 wrote to memory of 4204	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	106
PID 2868 wrote to memory of 4204	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	106
PID 2868 wrote to memory of 3560	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	107
PID 2868 wrote to memory of 3560	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	107
PID 2868 wrote to memory of 3316	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	108
PID 2868 wrote to memory of 3316	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	108
PID 2868 wrote to memory of 3696	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	109
PID 2868 wrote to memory of 3696	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	109
PID 2868 wrote to memory of 3360	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	110
PID 2868 wrote to memory of 3360	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	110
PID 2868 wrote to memory of 5068	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	111
PID 2868 wrote to memory of 5068	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	111
PID 2868 wrote to memory of 1224	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	112
PID 2868 wrote to memory of 1224	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	112
PID 2868 wrote to memory of 1872	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	113
PID 2868 wrote to memory of 1872	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	113
PID 2868 wrote to memory of 1880	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	114
PID 2868 wrote to memory of 1880	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	114
PID 2868 wrote to memory of 1100	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	115
PID 2868 wrote to memory of 1100	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	115
PID 2868 wrote to memory of 3732	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	116
PID 2868 wrote to memory of 3732	2868	ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ce1073ebcaad5383abfd9c400b68aaa0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\IvoXKOy.exe
  C:\Windows\System32\IvoXKOy.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\CKEKDDl.exe
  C:\Windows\System32\CKEKDDl.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\gExrHRN.exe
  C:\Windows\System32\gExrHRN.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\gVORKNB.exe
  C:\Windows\System32\gVORKNB.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\BdkiiGh.exe
  C:\Windows\System32\BdkiiGh.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\uGdItPH.exe
  C:\Windows\System32\uGdItPH.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\IeeIThf.exe
  C:\Windows\System32\IeeIThf.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\tDYHrnO.exe
  C:\Windows\System32\tDYHrnO.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\NarvlzN.exe
  C:\Windows\System32\NarvlzN.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\stCwOlL.exe
  C:\Windows\System32\stCwOlL.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\BfLBlTS.exe
  C:\Windows\System32\BfLBlTS.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\wCjfiHd.exe
  C:\Windows\System32\wCjfiHd.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\agprfLJ.exe
  C:\Windows\System32\agprfLJ.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\MqJqtLL.exe
  C:\Windows\System32\MqJqtLL.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System32\gtpwmjV.exe
  C:\Windows\System32\gtpwmjV.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\axFcSHy.exe
  C:\Windows\System32\axFcSHy.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\YAZpsqq.exe
  C:\Windows\System32\YAZpsqq.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\fpOpaps.exe
  C:\Windows\System32\fpOpaps.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\sfIfiIJ.exe
  C:\Windows\System32\sfIfiIJ.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\SyylVHx.exe
  C:\Windows\System32\SyylVHx.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\IDnMXtX.exe
  C:\Windows\System32\IDnMXtX.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\BGIywXP.exe
  C:\Windows\System32\BGIywXP.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\IPkaSLR.exe
  C:\Windows\System32\IPkaSLR.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\IJOwhfb.exe
  C:\Windows\System32\IJOwhfb.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\cbeHXsk.exe
  C:\Windows\System32\cbeHXsk.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\OlXWiZD.exe
  C:\Windows\System32\OlXWiZD.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\UefBTmv.exe
  C:\Windows\System32\UefBTmv.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\AICfgVn.exe
  C:\Windows\System32\AICfgVn.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\dAhHEAm.exe
  C:\Windows\System32\dAhHEAm.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System32\RVyqcZA.exe
  C:\Windows\System32\RVyqcZA.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\BetqdlH.exe
  C:\Windows\System32\BetqdlH.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\MCYNvTl.exe
  C:\Windows\System32\MCYNvTl.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\BGNhsnF.exe
  C:\Windows\System32\BGNhsnF.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\iEqbEtb.exe
  C:\Windows\System32\iEqbEtb.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\mmdPKAv.exe
  C:\Windows\System32\mmdPKAv.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\KTsnlIX.exe
  C:\Windows\System32\KTsnlIX.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\lCZsyvf.exe
  C:\Windows\System32\lCZsyvf.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\TTgyEiV.exe
  C:\Windows\System32\TTgyEiV.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System32\uYYHhZt.exe
  C:\Windows\System32\uYYHhZt.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\nKAhPqW.exe
  C:\Windows\System32\nKAhPqW.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\ZYDIVmB.exe
  C:\Windows\System32\ZYDIVmB.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\XpdnZsa.exe
  C:\Windows\System32\XpdnZsa.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\lWcIUTR.exe
  C:\Windows\System32\lWcIUTR.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\XPJdkkY.exe
  C:\Windows\System32\XPJdkkY.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System32\fbRdGNP.exe
  C:\Windows\System32\fbRdGNP.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\DAWcYAi.exe
  C:\Windows\System32\DAWcYAi.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\CBYYGiP.exe
  C:\Windows\System32\CBYYGiP.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\wKLGHZE.exe
  C:\Windows\System32\wKLGHZE.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\tSQDnTz.exe
  C:\Windows\System32\tSQDnTz.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System32\oLKplTP.exe
  C:\Windows\System32\oLKplTP.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\oGSXsgA.exe
  C:\Windows\System32\oGSXsgA.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\xowJbvt.exe
  C:\Windows\System32\xowJbvt.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\BhpHxfp.exe
  C:\Windows\System32\BhpHxfp.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\DXJMBwg.exe
  C:\Windows\System32\DXJMBwg.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\PkpQXlq.exe
  C:\Windows\System32\PkpQXlq.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\cPXhDXB.exe
  C:\Windows\System32\cPXhDXB.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\nAipMmw.exe
  C:\Windows\System32\nAipMmw.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\hQxwett.exe
  C:\Windows\System32\hQxwett.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\YhEDEyB.exe
  C:\Windows\System32\YhEDEyB.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\aARrCxu.exe
  C:\Windows\System32\aARrCxu.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System32\TnbgDec.exe
  C:\Windows\System32\TnbgDec.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\GYLvNUt.exe
  C:\Windows\System32\GYLvNUt.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\wBnXTcC.exe
  C:\Windows\System32\wBnXTcC.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\zsXYzmn.exe
  C:\Windows\System32\zsXYzmn.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\jUjtNhx.exe
  C:\Windows\System32\jUjtNhx.exe
  2⤵
  PID:1696
- C:\Windows\System32\FvczfMA.exe
  C:\Windows\System32\FvczfMA.exe
  2⤵
  PID:3220
- C:\Windows\System32\AsIxPUH.exe
  C:\Windows\System32\AsIxPUH.exe
  2⤵
  PID:5036
- C:\Windows\System32\BgMEdPF.exe
  C:\Windows\System32\BgMEdPF.exe
  2⤵
  PID:380
- C:\Windows\System32\AqhMHHy.exe
  C:\Windows\System32\AqhMHHy.exe
  2⤵
  PID:3192
- C:\Windows\System32\uHZmkAs.exe
  C:\Windows\System32\uHZmkAs.exe
  2⤵
  PID:1856
- C:\Windows\System32\cVnYHQX.exe
  C:\Windows\System32\cVnYHQX.exe
  2⤵
  PID:3340
- C:\Windows\System32\IPmMnZn.exe
  C:\Windows\System32\IPmMnZn.exe
  2⤵
  PID:1320
- C:\Windows\System32\rqVUzNf.exe
  C:\Windows\System32\rqVUzNf.exe
  2⤵
  PID:3920
- C:\Windows\System32\HSlGsuI.exe
  C:\Windows\System32\HSlGsuI.exe
  2⤵
  PID:3288
- C:\Windows\System32\gQktiSl.exe
  C:\Windows\System32\gQktiSl.exe
  2⤵
  PID:3196
- C:\Windows\System32\veoJVDT.exe
  C:\Windows\System32\veoJVDT.exe
  2⤵
  PID:2828
- C:\Windows\System32\wRuqpIP.exe
  C:\Windows\System32\wRuqpIP.exe
  2⤵
  PID:1668
- C:\Windows\System32\epfFfmu.exe
  C:\Windows\System32\epfFfmu.exe
  2⤵
  PID:4656
- C:\Windows\System32\MyHVkrW.exe
  C:\Windows\System32\MyHVkrW.exe
  2⤵
  PID:5136
- C:\Windows\System32\TLiBlAv.exe
  C:\Windows\System32\TLiBlAv.exe
  2⤵
  PID:5164
- C:\Windows\System32\yNSeHqf.exe
  C:\Windows\System32\yNSeHqf.exe
  2⤵
  PID:5192
- C:\Windows\System32\jbfKZET.exe
  C:\Windows\System32\jbfKZET.exe
  2⤵
  PID:5220
- C:\Windows\System32\THHHryM.exe
  C:\Windows\System32\THHHryM.exe
  2⤵
  PID:5248
- C:\Windows\System32\rAtxLok.exe
  C:\Windows\System32\rAtxLok.exe
  2⤵
  PID:5276
- C:\Windows\System32\rpXGTTj.exe
  C:\Windows\System32\rpXGTTj.exe
  2⤵
  PID:5304
- C:\Windows\System32\EUzzIgy.exe
  C:\Windows\System32\EUzzIgy.exe
  2⤵
  PID:5332
- C:\Windows\System32\TtIfkUf.exe
  C:\Windows\System32\TtIfkUf.exe
  2⤵
  PID:5360
- C:\Windows\System32\gVxJYbx.exe
  C:\Windows\System32\gVxJYbx.exe
  2⤵
  PID:5388
- C:\Windows\System32\yAwAgUA.exe
  C:\Windows\System32\yAwAgUA.exe
  2⤵
  PID:5416
- C:\Windows\System32\vLvhQEg.exe
  C:\Windows\System32\vLvhQEg.exe
  2⤵
  PID:5444
- C:\Windows\System32\JFzapbi.exe
  C:\Windows\System32\JFzapbi.exe
  2⤵
  PID:5472
- C:\Windows\System32\XJTKJii.exe
  C:\Windows\System32\XJTKJii.exe
  2⤵
  PID:5500
- C:\Windows\System32\UXEDiHT.exe
  C:\Windows\System32\UXEDiHT.exe
  2⤵
  PID:5528
- C:\Windows\System32\PRgKVqJ.exe
  C:\Windows\System32\PRgKVqJ.exe
  2⤵
  PID:5556
- C:\Windows\System32\wQqOIex.exe
  C:\Windows\System32\wQqOIex.exe
  2⤵
  PID:5584
- C:\Windows\System32\lcxitlw.exe
  C:\Windows\System32\lcxitlw.exe
  2⤵
  PID:5612
- C:\Windows\System32\PNLoGiJ.exe
  C:\Windows\System32\PNLoGiJ.exe
  2⤵
  PID:5640
- C:\Windows\System32\dpjXhgc.exe
  C:\Windows\System32\dpjXhgc.exe
  2⤵
  PID:5668
- C:\Windows\System32\JTYWnXa.exe
  C:\Windows\System32\JTYWnXa.exe
  2⤵
  PID:5696
- C:\Windows\System32\WdaTlHz.exe
  C:\Windows\System32\WdaTlHz.exe
  2⤵
  PID:5724
- C:\Windows\System32\KNAvXzg.exe
  C:\Windows\System32\KNAvXzg.exe
  2⤵
  PID:5752
- C:\Windows\System32\OLwpzGs.exe
  C:\Windows\System32\OLwpzGs.exe
  2⤵
  PID:5780
- C:\Windows\System32\nxTHLVI.exe
  C:\Windows\System32\nxTHLVI.exe
  2⤵
  PID:5808
- C:\Windows\System32\vZmQIdF.exe
  C:\Windows\System32\vZmQIdF.exe
  2⤵
  PID:5836
- C:\Windows\System32\kImUeiR.exe
  C:\Windows\System32\kImUeiR.exe
  2⤵
  PID:5864
- C:\Windows\System32\QHqhyAW.exe
  C:\Windows\System32\QHqhyAW.exe
  2⤵
  PID:5892
- C:\Windows\System32\ahnQVRT.exe
  C:\Windows\System32\ahnQVRT.exe
  2⤵
  PID:5920
- C:\Windows\System32\krcvVhU.exe
  C:\Windows\System32\krcvVhU.exe
  2⤵
  PID:5948
- C:\Windows\System32\VzTvhjm.exe
  C:\Windows\System32\VzTvhjm.exe
  2⤵
  PID:5976
- C:\Windows\System32\TkaiMNE.exe
  C:\Windows\System32\TkaiMNE.exe
  2⤵
  PID:6004
- C:\Windows\System32\uBuWMlA.exe
  C:\Windows\System32\uBuWMlA.exe
  2⤵
  PID:6032
- C:\Windows\System32\jqrURdQ.exe
  C:\Windows\System32\jqrURdQ.exe
  2⤵
  PID:6060
- C:\Windows\System32\eyROCjl.exe
  C:\Windows\System32\eyROCjl.exe
  2⤵
  PID:6088
- C:\Windows\System32\QJMoSXk.exe
  C:\Windows\System32\QJMoSXk.exe
  2⤵
  PID:6116
- C:\Windows\System32\ztJYfep.exe
  C:\Windows\System32\ztJYfep.exe
  2⤵
  PID:2604
- C:\Windows\System32\ZtPCacB.exe
  C:\Windows\System32\ZtPCacB.exe
  2⤵
  PID:3596
- C:\Windows\System32\qRQxlAZ.exe
  C:\Windows\System32\qRQxlAZ.exe
  2⤵
  PID:4164
- C:\Windows\System32\YHsbVSz.exe
  C:\Windows\System32\YHsbVSz.exe
  2⤵
  PID:3716
- C:\Windows\System32\HKncTQv.exe
  C:\Windows\System32\HKncTQv.exe
  2⤵
  PID:2900
- C:\Windows\System32\ZDfxALT.exe
  C:\Windows\System32\ZDfxALT.exe
  2⤵
  PID:348
- C:\Windows\System32\ymWpbUz.exe
  C:\Windows\System32\ymWpbUz.exe
  2⤵
  PID:5184
- C:\Windows\System32\QYdQXHa.exe
  C:\Windows\System32\QYdQXHa.exe
  2⤵
  PID:5264
- C:\Windows\System32\vmyxJWM.exe
  C:\Windows\System32\vmyxJWM.exe
  2⤵
  PID:5324
- C:\Windows\System32\KynJJos.exe
  C:\Windows\System32\KynJJos.exe
  2⤵
  PID:5404
- C:\Windows\System32\KwyaVZT.exe
  C:\Windows\System32\KwyaVZT.exe
  2⤵
  PID:5452
- C:\Windows\System32\oFOGbPZ.exe
  C:\Windows\System32\oFOGbPZ.exe
  2⤵
  PID:5520
- C:\Windows\System32\mdnEeUI.exe
  C:\Windows\System32\mdnEeUI.exe
  2⤵
  PID:5600
- C:\Windows\System32\WfPtAne.exe
  C:\Windows\System32\WfPtAne.exe
  2⤵
  PID:5648
- C:\Windows\System32\oidWcPW.exe
  C:\Windows\System32\oidWcPW.exe
  2⤵
  PID:5716
- C:\Windows\System32\cEeJtHf.exe
  C:\Windows\System32\cEeJtHf.exe
  2⤵
  PID:5788
- C:\Windows\System32\XBgbGjc.exe
  C:\Windows\System32\XBgbGjc.exe
  2⤵
  PID:5856
- C:\Windows\System32\wdmZVGZ.exe
  C:\Windows\System32\wdmZVGZ.exe
  2⤵
  PID:5936
- C:\Windows\System32\HTOTziv.exe
  C:\Windows\System32\HTOTziv.exe
  2⤵
  PID:5984
- C:\Windows\System32\kKcCjgj.exe
  C:\Windows\System32\kKcCjgj.exe
  2⤵
  PID:1540
- C:\Windows\System32\mTvDHms.exe
  C:\Windows\System32\mTvDHms.exe
  2⤵
  PID:6104
- C:\Windows\System32\YSwyxIE.exe
  C:\Windows\System32\YSwyxIE.exe
  2⤵
  PID:436
- C:\Windows\System32\znCnyPS.exe
  C:\Windows\System32\znCnyPS.exe
  2⤵
  PID:3296
- C:\Windows\System32\OWEwTwA.exe
  C:\Windows\System32\OWEwTwA.exe
  2⤵
  PID:5152
- C:\Windows\System32\zhqtdbL.exe
  C:\Windows\System32\zhqtdbL.exe
  2⤵
  PID:5340
- C:\Windows\System32\FLgDsSh.exe
  C:\Windows\System32\FLgDsSh.exe
  2⤵
  PID:5424
- C:\Windows\System32\uqUepyc.exe
  C:\Windows\System32\uqUepyc.exe
  2⤵
  PID:5572
- C:\Windows\System32\SeEPCYe.exe
  C:\Windows\System32\SeEPCYe.exe
  2⤵
  PID:5684
- C:\Windows\System32\XdUcHOk.exe
  C:\Windows\System32\XdUcHOk.exe
  2⤵
  PID:5852
- C:\Windows\System32\oxpAVbm.exe
  C:\Windows\System32\oxpAVbm.exe
  2⤵
  PID:1456
- C:\Windows\System32\aQbzbuF.exe
  C:\Windows\System32\aQbzbuF.exe
  2⤵
  PID:6164
- C:\Windows\System32\HEuEToh.exe
  C:\Windows\System32\HEuEToh.exe
  2⤵
  PID:6192
- C:\Windows\System32\BOabrRL.exe
  C:\Windows\System32\BOabrRL.exe
  2⤵
  PID:6220
- C:\Windows\System32\brUMiRM.exe
  C:\Windows\System32\brUMiRM.exe
  2⤵
  PID:6248
- C:\Windows\System32\qeFUqOX.exe
  C:\Windows\System32\qeFUqOX.exe
  2⤵
  PID:6276
- C:\Windows\System32\ArFTEpS.exe
  C:\Windows\System32\ArFTEpS.exe
  2⤵
  PID:6304
- C:\Windows\System32\FkECGUH.exe
  C:\Windows\System32\FkECGUH.exe
  2⤵
  PID:6332
- C:\Windows\System32\NZNXKAV.exe
  C:\Windows\System32\NZNXKAV.exe
  2⤵
  PID:6360
- C:\Windows\System32\qWskxsN.exe
  C:\Windows\System32\qWskxsN.exe
  2⤵
  PID:6388
- C:\Windows\System32\MBtlQNd.exe
  C:\Windows\System32\MBtlQNd.exe
  2⤵
  PID:6416
- C:\Windows\System32\yvvPUCF.exe
  C:\Windows\System32\yvvPUCF.exe
  2⤵
  PID:6444
- C:\Windows\System32\wvDcabT.exe
  C:\Windows\System32\wvDcabT.exe
  2⤵
  PID:6472
- C:\Windows\System32\PcHPhjk.exe
  C:\Windows\System32\PcHPhjk.exe
  2⤵
  PID:6500
- C:\Windows\System32\uLVEZWI.exe
  C:\Windows\System32\uLVEZWI.exe
  2⤵
  PID:6528
- C:\Windows\System32\irWxgWc.exe
  C:\Windows\System32\irWxgWc.exe
  2⤵
  PID:6556
- C:\Windows\System32\OusrcAS.exe
  C:\Windows\System32\OusrcAS.exe
  2⤵
  PID:6584
- C:\Windows\System32\XKMeVpD.exe
  C:\Windows\System32\XKMeVpD.exe
  2⤵
  PID:6612
- C:\Windows\System32\guBjcvE.exe
  C:\Windows\System32\guBjcvE.exe
  2⤵
  PID:6640
- C:\Windows\System32\tjprywd.exe
  C:\Windows\System32\tjprywd.exe
  2⤵
  PID:6668
- C:\Windows\System32\ckfKhlU.exe
  C:\Windows\System32\ckfKhlU.exe
  2⤵
  PID:6696
- C:\Windows\System32\fEnKeIw.exe
  C:\Windows\System32\fEnKeIw.exe
  2⤵
  PID:6736
- C:\Windows\System32\AsbquKz.exe
  C:\Windows\System32\AsbquKz.exe
  2⤵
  PID:6752
- C:\Windows\System32\RPwBiGs.exe
  C:\Windows\System32\RPwBiGs.exe
  2⤵
  PID:6780
- C:\Windows\System32\moJxfmv.exe
  C:\Windows\System32\moJxfmv.exe
  2⤵
  PID:6808
- C:\Windows\System32\ZyZWPdf.exe
  C:\Windows\System32\ZyZWPdf.exe
  2⤵
  PID:6836
- C:\Windows\System32\CVocJpe.exe
  C:\Windows\System32\CVocJpe.exe
  2⤵
  PID:6864
- C:\Windows\System32\ffgNzZZ.exe
  C:\Windows\System32\ffgNzZZ.exe
  2⤵
  PID:6892
- C:\Windows\System32\Opigndd.exe
  C:\Windows\System32\Opigndd.exe
  2⤵
  PID:6920
- C:\Windows\System32\rcOBOSc.exe
  C:\Windows\System32\rcOBOSc.exe
  2⤵
  PID:6948
- C:\Windows\System32\ElhPMRn.exe
  C:\Windows\System32\ElhPMRn.exe
  2⤵
  PID:6976
- C:\Windows\System32\EqefPNK.exe
  C:\Windows\System32\EqefPNK.exe
  2⤵
  PID:7004
- C:\Windows\System32\ahEbRyQ.exe
  C:\Windows\System32\ahEbRyQ.exe
  2⤵
  PID:7032
- C:\Windows\System32\lrlguOD.exe
  C:\Windows\System32\lrlguOD.exe
  2⤵
  PID:7060
- C:\Windows\System32\QKndQAj.exe
  C:\Windows\System32\QKndQAj.exe
  2⤵
  PID:7088
- C:\Windows\System32\dQFPwWy.exe
  C:\Windows\System32\dQFPwWy.exe
  2⤵
  PID:7116
- C:\Windows\System32\UXcTpxh.exe
  C:\Windows\System32\UXcTpxh.exe
  2⤵
  PID:7144
- C:\Windows\System32\TvcbWpU.exe
  C:\Windows\System32\TvcbWpU.exe
  2⤵
  PID:6040
- C:\Windows\System32\sVlwNTc.exe
  C:\Windows\System32\sVlwNTc.exe
  2⤵
  PID:5020
- C:\Windows\System32\lKcnzyh.exe
  C:\Windows\System32\lKcnzyh.exe
  2⤵
  PID:5296
- C:\Windows\System32\NLXNKhd.exe
  C:\Windows\System32\NLXNKhd.exe
  2⤵
  PID:5564
- C:\Windows\System32\nJccuCD.exe
  C:\Windows\System32\nJccuCD.exe
  2⤵
  PID:5968
- C:\Windows\System32\rshYyHa.exe
  C:\Windows\System32\rshYyHa.exe
  2⤵
  PID:6208
- C:\Windows\System32\CCVmIQu.exe
  C:\Windows\System32\CCVmIQu.exe
  2⤵
  PID:6256
- C:\Windows\System32\MFJDRXo.exe
  C:\Windows\System32\MFJDRXo.exe
  2⤵
  PID:6324
- C:\Windows\System32\JCSlmGB.exe
  C:\Windows\System32\JCSlmGB.exe
  2⤵
  PID:6380
- C:\Windows\System32\NAJomZS.exe
  C:\Windows\System32\NAJomZS.exe
  2⤵
  PID:6488
- C:\Windows\System32\SruxBZY.exe
  C:\Windows\System32\SruxBZY.exe
  2⤵
  PID:6508
- C:\Windows\System32\ubAfiZQ.exe
  C:\Windows\System32\ubAfiZQ.exe
  2⤵
  PID:6564
- C:\Windows\System32\oiWVqGE.exe
  C:\Windows\System32\oiWVqGE.exe
  2⤵
  PID:6632
- C:\Windows\System32\XYAUtEw.exe
  C:\Windows\System32\XYAUtEw.exe
  2⤵
  PID:6712
- C:\Windows\System32\zMiSqNY.exe
  C:\Windows\System32\zMiSqNY.exe
  2⤵
  PID:6760
- C:\Windows\System32\hfWRlAD.exe
  C:\Windows\System32\hfWRlAD.exe
  2⤵
  PID:6828
- C:\Windows\System32\WQIrZCD.exe
  C:\Windows\System32\WQIrZCD.exe
  2⤵
  PID:6908
- C:\Windows\System32\UKnFqIf.exe
  C:\Windows\System32\UKnFqIf.exe
  2⤵
  PID:6956
- C:\Windows\System32\leKZHEr.exe
  C:\Windows\System32\leKZHEr.exe
  2⤵
  PID:7012
- C:\Windows\System32\DQcoRur.exe
  C:\Windows\System32\DQcoRur.exe
  2⤵
  PID:7104
- C:\Windows\System32\WeqFNMC.exe
  C:\Windows\System32\WeqFNMC.exe
  2⤵
  PID:7160
- C:\Windows\System32\mlpUFoT.exe
  C:\Windows\System32\mlpUFoT.exe
  2⤵
  PID:592
- C:\Windows\System32\HplCyKF.exe
  C:\Windows\System32\HplCyKF.exe
  2⤵
  PID:5956
- C:\Windows\System32\MqUDUQJ.exe
  C:\Windows\System32\MqUDUQJ.exe
  2⤵
  PID:6240
- C:\Windows\System32\MqfLDHo.exe
  C:\Windows\System32\MqfLDHo.exe
  2⤵
  PID:2456
- C:\Windows\System32\gVwHkCI.exe
  C:\Windows\System32\gVwHkCI.exe
  2⤵
  PID:4616
- C:\Windows\System32\otcWBBL.exe
  C:\Windows\System32\otcWBBL.exe
  2⤵
  PID:6628
- C:\Windows\System32\KuAiRPx.exe
  C:\Windows\System32\KuAiRPx.exe
  2⤵
  PID:6720
- C:\Windows\System32\wwvhLtQ.exe
  C:\Windows\System32\wwvhLtQ.exe
  2⤵
  PID:6940
- C:\Windows\System32\LymuLmz.exe
  C:\Windows\System32\LymuLmz.exe
  2⤵
  PID:7180
- C:\Windows\System32\ogeIJmZ.exe
  C:\Windows\System32\ogeIJmZ.exe
  2⤵
  PID:7208
- C:\Windows\System32\IMJidex.exe
  C:\Windows\System32\IMJidex.exe
  2⤵
  PID:7236
- C:\Windows\System32\WyweWaV.exe
  C:\Windows\System32\WyweWaV.exe
  2⤵
  PID:7264
- C:\Windows\System32\HsiFQSs.exe
  C:\Windows\System32\HsiFQSs.exe
  2⤵
  PID:7292
- C:\Windows\System32\sMTEgEM.exe
  C:\Windows\System32\sMTEgEM.exe
  2⤵
  PID:7320
- C:\Windows\System32\egCahLI.exe
  C:\Windows\System32\egCahLI.exe
  2⤵
  PID:7348
- C:\Windows\System32\UXoCSXI.exe
  C:\Windows\System32\UXoCSXI.exe
  2⤵
  PID:7376
- C:\Windows\System32\ZmIFmgd.exe
  C:\Windows\System32\ZmIFmgd.exe
  2⤵
  PID:7404
- C:\Windows\System32\suYCOPb.exe
  C:\Windows\System32\suYCOPb.exe
  2⤵
  PID:7432
- C:\Windows\System32\zEeFIrh.exe
  C:\Windows\System32\zEeFIrh.exe
  2⤵
  PID:7460
- C:\Windows\System32\aKcUfkP.exe
  C:\Windows\System32\aKcUfkP.exe
  2⤵
  PID:7488
- C:\Windows\System32\onGdeqX.exe
  C:\Windows\System32\onGdeqX.exe
  2⤵
  PID:7516
- C:\Windows\System32\FjBvHrg.exe
  C:\Windows\System32\FjBvHrg.exe
  2⤵
  PID:7544
- C:\Windows\System32\UHkFaFc.exe
  C:\Windows\System32\UHkFaFc.exe
  2⤵
  PID:7572
- C:\Windows\System32\SVVPwfd.exe
  C:\Windows\System32\SVVPwfd.exe
  2⤵
  PID:7600
- C:\Windows\System32\rOsrZpP.exe
  C:\Windows\System32\rOsrZpP.exe
  2⤵
  PID:7628
- C:\Windows\System32\AqHcUiv.exe
  C:\Windows\System32\AqHcUiv.exe
  2⤵
  PID:7656
- C:\Windows\System32\EBDDpyS.exe
  C:\Windows\System32\EBDDpyS.exe
  2⤵
  PID:7696
- C:\Windows\System32\IzMyLrT.exe
  C:\Windows\System32\IzMyLrT.exe
  2⤵
  PID:7712
- C:\Windows\System32\PXgaWek.exe
  C:\Windows\System32\PXgaWek.exe
  2⤵
  PID:7740
- C:\Windows\System32\ODZGERR.exe
  C:\Windows\System32\ODZGERR.exe
  2⤵
  PID:7768
- C:\Windows\System32\WGhhQQg.exe
  C:\Windows\System32\WGhhQQg.exe
  2⤵
  PID:7796
- C:\Windows\System32\JevjsIW.exe
  C:\Windows\System32\JevjsIW.exe
  2⤵
  PID:7824
- C:\Windows\System32\jeXbVoR.exe
  C:\Windows\System32\jeXbVoR.exe
  2⤵
  PID:7852
- C:\Windows\System32\ROGaPea.exe
  C:\Windows\System32\ROGaPea.exe
  2⤵
  PID:7880
- C:\Windows\System32\fpiDIic.exe
  C:\Windows\System32\fpiDIic.exe
  2⤵
  PID:7908
- C:\Windows\System32\NwVABjC.exe
  C:\Windows\System32\NwVABjC.exe
  2⤵
  PID:7936
- C:\Windows\System32\fQnftxn.exe
  C:\Windows\System32\fQnftxn.exe
  2⤵
  PID:7964
- C:\Windows\System32\rlWalMd.exe
  C:\Windows\System32\rlWalMd.exe
  2⤵
  PID:7992
- C:\Windows\System32\qUyqzhm.exe
  C:\Windows\System32\qUyqzhm.exe
  2⤵
  PID:8020
- C:\Windows\System32\ieRAGpb.exe
  C:\Windows\System32\ieRAGpb.exe
  2⤵
  PID:8048
- C:\Windows\System32\UDHxRPO.exe
  C:\Windows\System32\UDHxRPO.exe
  2⤵
  PID:8076
- C:\Windows\System32\kjmqrkN.exe
  C:\Windows\System32\kjmqrkN.exe
  2⤵
  PID:8104
- C:\Windows\System32\Qiphbaz.exe
  C:\Windows\System32\Qiphbaz.exe
  2⤵
  PID:8172
- C:\Windows\System32\pCpKqxm.exe
  C:\Windows\System32\pCpKqxm.exe
  2⤵
  PID:8188
- C:\Windows\System32\KluoxjG.exe
  C:\Windows\System32\KluoxjG.exe
  2⤵
  PID:7124
- C:\Windows\System32\RzUJzXc.exe
  C:\Windows\System32\RzUJzXc.exe
  2⤵
  PID:5488
- C:\Windows\System32\miFmXVW.exe
  C:\Windows\System32\miFmXVW.exe
  2⤵
  PID:6544
- C:\Windows\System32\eeOmJDw.exe
  C:\Windows\System32\eeOmJDw.exe
  2⤵
  PID:6928
- C:\Windows\System32\XfnpQwK.exe
  C:\Windows\System32\XfnpQwK.exe
  2⤵
  PID:7200
- C:\Windows\System32\qqRdhgE.exe
  C:\Windows\System32\qqRdhgE.exe
  2⤵
  PID:7280
- C:\Windows\System32\QKRfltQ.exe
  C:\Windows\System32\QKRfltQ.exe
  2⤵
  PID:7328
- C:\Windows\System32\kjvIZhm.exe
  C:\Windows\System32\kjvIZhm.exe
  2⤵
  PID:7420
- C:\Windows\System32\wtHgQjk.exe
  C:\Windows\System32\wtHgQjk.exe
  2⤵
  PID:7440
- C:\Windows\System32\VGVENRZ.exe
  C:\Windows\System32\VGVENRZ.exe
  2⤵
  PID:7504
- C:\Windows\System32\BeXVvcB.exe
  C:\Windows\System32\BeXVvcB.exe
  2⤵
  PID:1236
- C:\Windows\System32\uLqnhof.exe
  C:\Windows\System32\uLqnhof.exe
  2⤵
  PID:2196
- C:\Windows\System32\CooToud.exe
  C:\Windows\System32\CooToud.exe
  2⤵
  PID:7620
- C:\Windows\System32\uYwRMIQ.exe
  C:\Windows\System32\uYwRMIQ.exe
  2⤵
  PID:7732
- C:\Windows\System32\UbKbNJa.exe
  C:\Windows\System32\UbKbNJa.exe
  2⤵
  PID:7840
- C:\Windows\System32\KwMXikF.exe
  C:\Windows\System32\KwMXikF.exe
  2⤵
  PID:7860
- C:\Windows\System32\zkcyZnw.exe
  C:\Windows\System32\zkcyZnw.exe
  2⤵
  PID:7952
- C:\Windows\System32\vvcVHCP.exe
  C:\Windows\System32\vvcVHCP.exe
  2⤵
  PID:1544
- C:\Windows\System32\HvNTjZG.exe
  C:\Windows\System32\HvNTjZG.exe
  2⤵
  PID:3768
- C:\Windows\System32\PeKpcZT.exe
  C:\Windows\System32\PeKpcZT.exe
  2⤵
  PID:5028
- C:\Windows\System32\NYjDNWm.exe
  C:\Windows\System32\NYjDNWm.exe
  2⤵
  PID:1900
- C:\Windows\System32\qFasOOp.exe
  C:\Windows\System32\qFasOOp.exe
  2⤵
  PID:4944
- C:\Windows\System32\umutsau.exe
  C:\Windows\System32\umutsau.exe
  2⤵
  PID:3128
- C:\Windows\System32\aGoRLon.exe
  C:\Windows\System32\aGoRLon.exe
  2⤵
  PID:4820
- C:\Windows\System32\VREKHEL.exe
  C:\Windows\System32\VREKHEL.exe
  2⤵
  PID:4500
- C:\Windows\System32\zHDTvMP.exe
  C:\Windows\System32\zHDTvMP.exe
  2⤵
  PID:2968
- C:\Windows\System32\nXZGOVX.exe
  C:\Windows\System32\nXZGOVX.exe
  2⤵
  PID:1616
- C:\Windows\System32\ceGfTAk.exe
  C:\Windows\System32\ceGfTAk.exe
  2⤵
  PID:8136
- C:\Windows\System32\HbGSJeb.exe
  C:\Windows\System32\HbGSJeb.exe
  2⤵
  PID:748
- C:\Windows\System32\XnEOhwi.exe
  C:\Windows\System32\XnEOhwi.exe
  2⤵
  PID:5052
- C:\Windows\System32\sapyMHv.exe
  C:\Windows\System32\sapyMHv.exe
  2⤵
  PID:6172
- C:\Windows\System32\habRxBr.exe
  C:\Windows\System32\habRxBr.exe
  2⤵
  PID:6292
- C:\Windows\System32\AaGbQqO.exe
  C:\Windows\System32\AaGbQqO.exe
  2⤵
  PID:7336
- C:\Windows\System32\BaNRfQa.exe
  C:\Windows\System32\BaNRfQa.exe
  2⤵
  PID:7564
- C:\Windows\System32\WgwJrnD.exe
  C:\Windows\System32\WgwJrnD.exe
  2⤵
  PID:7720
- C:\Windows\System32\oQwvjGU.exe
  C:\Windows\System32\oQwvjGU.exe
  2⤵
  PID:7928
- C:\Windows\System32\LDAyzsU.exe
  C:\Windows\System32\LDAyzsU.exe
  2⤵
  PID:832
- C:\Windows\System32\tQPcOSA.exe
  C:\Windows\System32\tQPcOSA.exe
  2⤵
  PID:7300
- C:\Windows\System32\EtkIOcM.exe
  C:\Windows\System32\EtkIOcM.exe
  2⤵
  PID:7916
- C:\Windows\System32\FPdyLne.exe
  C:\Windows\System32\FPdyLne.exe
  2⤵
  PID:4328
- C:\Windows\System32\MZFRemA.exe
  C:\Windows\System32\MZFRemA.exe
  2⤵
  PID:1476
- C:\Windows\System32\ehTznGt.exe
  C:\Windows\System32\ehTznGt.exe
  2⤵
  PID:3876
- C:\Windows\System32\RURrqvg.exe
  C:\Windows\System32\RURrqvg.exe
  2⤵
  PID:4492
- C:\Windows\System32\ndRSbUN.exe
  C:\Windows\System32\ndRSbUN.exe
  2⤵
  PID:6604
- C:\Windows\System32\yOQdFIF.exe
  C:\Windows\System32\yOQdFIF.exe
  2⤵
  PID:7312
- C:\Windows\System32\QJWJzOX.exe
  C:\Windows\System32\QJWJzOX.exe
  2⤵
  PID:7900
- C:\Windows\System32\asjHdge.exe
  C:\Windows\System32\asjHdge.exe
  2⤵
  PID:512
- C:\Windows\System32\qRaqacu.exe
  C:\Windows\System32\qRaqacu.exe
  2⤵
  PID:368
- C:\Windows\System32\BQpFdVW.exe
  C:\Windows\System32\BQpFdVW.exe
  2⤵
  PID:4844
- C:\Windows\System32\lNExKlP.exe
  C:\Windows\System32\lNExKlP.exe
  2⤵
  PID:6880
- C:\Windows\System32\GdnrHcF.exe
  C:\Windows\System32\GdnrHcF.exe
  2⤵
  PID:7924
- C:\Windows\System32\bLMrKjW.exe
  C:\Windows\System32\bLMrKjW.exe
  2⤵
  PID:4604
- C:\Windows\System32\sncIAVO.exe
  C:\Windows\System32\sncIAVO.exe
  2⤵
  PID:2276
- C:\Windows\System32\eHlsOJi.exe
  C:\Windows\System32\eHlsOJi.exe
  2⤵
  PID:1340
- C:\Windows\System32\SiWdSGH.exe
  C:\Windows\System32\SiWdSGH.exe
  2⤵
  PID:1336
- C:\Windows\System32\bMmszKe.exe
  C:\Windows\System32\bMmszKe.exe
  2⤵
  PID:6676
- C:\Windows\System32\BVYZmQg.exe
  C:\Windows\System32\BVYZmQg.exe
  2⤵
  PID:8204
- C:\Windows\System32\xmxwkSm.exe
  C:\Windows\System32\xmxwkSm.exe
  2⤵
  PID:8232
- C:\Windows\System32\ZbNasiD.exe
  C:\Windows\System32\ZbNasiD.exe
  2⤵
  PID:8272
- C:\Windows\System32\GbzLSwE.exe
  C:\Windows\System32\GbzLSwE.exe
  2⤵
  PID:8288
- C:\Windows\System32\IgIPUPQ.exe
  C:\Windows\System32\IgIPUPQ.exe
  2⤵
  PID:8328
- C:\Windows\System32\PxceEPA.exe
  C:\Windows\System32\PxceEPA.exe
  2⤵
  PID:8356
- C:\Windows\System32\DTZbrWG.exe
  C:\Windows\System32\DTZbrWG.exe
  2⤵
  PID:8384
- C:\Windows\System32\ywrRMab.exe
  C:\Windows\System32\ywrRMab.exe
  2⤵
  PID:8412
- C:\Windows\System32\CuKyWTd.exe
  C:\Windows\System32\CuKyWTd.exe
  2⤵
  PID:8448
- C:\Windows\System32\AmkBXdJ.exe
  C:\Windows\System32\AmkBXdJ.exe
  2⤵
  PID:8464
- C:\Windows\System32\fprUKKe.exe
  C:\Windows\System32\fprUKKe.exe
  2⤵
  PID:8524
- C:\Windows\System32\PBqqwgu.exe
  C:\Windows\System32\PBqqwgu.exe
  2⤵
  PID:8548
- C:\Windows\System32\qqpSLzV.exe
  C:\Windows\System32\qqpSLzV.exe
  2⤵
  PID:8584
- C:\Windows\System32\VuSYctZ.exe
  C:\Windows\System32\VuSYctZ.exe
  2⤵
  PID:8612
- C:\Windows\System32\KFddkPS.exe
  C:\Windows\System32\KFddkPS.exe
  2⤵
  PID:8644
- C:\Windows\System32\jgZQVxK.exe
  C:\Windows\System32\jgZQVxK.exe
  2⤵
  PID:8668
- C:\Windows\System32\lDsvnEU.exe
  C:\Windows\System32\lDsvnEU.exe
  2⤵
  PID:8696
- C:\Windows\System32\BXXVYIS.exe
  C:\Windows\System32\BXXVYIS.exe
  2⤵
  PID:8728
- C:\Windows\System32\hNKgGdV.exe
  C:\Windows\System32\hNKgGdV.exe
  2⤵
  PID:8752
- C:\Windows\System32\dudkYlb.exe
  C:\Windows\System32\dudkYlb.exe
  2⤵
  PID:8780
- C:\Windows\System32\SQYWAmN.exe
  C:\Windows\System32\SQYWAmN.exe
  2⤵
  PID:8808
- C:\Windows\System32\GDkxdxa.exe
  C:\Windows\System32\GDkxdxa.exe
  2⤵
  PID:8836
- C:\Windows\System32\mZNgBea.exe
  C:\Windows\System32\mZNgBea.exe
  2⤵
  PID:8864
- C:\Windows\System32\NwsYgXb.exe
  C:\Windows\System32\NwsYgXb.exe
  2⤵
  PID:8892
- C:\Windows\System32\QgVKRyH.exe
  C:\Windows\System32\QgVKRyH.exe
  2⤵
  PID:8912
- C:\Windows\System32\DllvcPz.exe
  C:\Windows\System32\DllvcPz.exe
  2⤵
  PID:8936
- C:\Windows\System32\joDzghU.exe
  C:\Windows\System32\joDzghU.exe
  2⤵
  PID:8956
- C:\Windows\System32\WYEAIGu.exe
  C:\Windows\System32\WYEAIGu.exe
  2⤵
  PID:9004
- C:\Windows\System32\VzGATZX.exe
  C:\Windows\System32\VzGATZX.exe
  2⤵
  PID:9036
- C:\Windows\System32\GhDqXDQ.exe
  C:\Windows\System32\GhDqXDQ.exe
  2⤵
  PID:9052
- C:\Windows\System32\SoHqYQM.exe
  C:\Windows\System32\SoHqYQM.exe
  2⤵
  PID:9088
- C:\Windows\System32\UGtXdkt.exe
  C:\Windows\System32\UGtXdkt.exe
  2⤵
  PID:9116
- C:\Windows\System32\rGfEZBS.exe
  C:\Windows\System32\rGfEZBS.exe
  2⤵
  PID:9136
- C:\Windows\System32\kOKWGXc.exe
  C:\Windows\System32\kOKWGXc.exe
  2⤵
  PID:9168
- C:\Windows\System32\hsfKhEM.exe
  C:\Windows\System32\hsfKhEM.exe
  2⤵
  PID:9204
- C:\Windows\System32\vNgrLuy.exe
  C:\Windows\System32\vNgrLuy.exe
  2⤵
  PID:8068
- C:\Windows\System32\LnYlFrj.exe
  C:\Windows\System32\LnYlFrj.exe
  2⤵
  PID:8256
- C:\Windows\System32\dxvwjMe.exe
  C:\Windows\System32\dxvwjMe.exe
  2⤵
  PID:8380
- C:\Windows\System32\muhtTLK.exe
  C:\Windows\System32\muhtTLK.exe
  2⤵
  PID:8440
- C:\Windows\System32\RiIxuJo.exe
  C:\Windows\System32\RiIxuJo.exe
  2⤵
  PID:8496
- C:\Windows\System32\bDdOhOq.exe
  C:\Windows\System32\bDdOhOq.exe
  2⤵
  PID:8564
- C:\Windows\System32\NyeUxnB.exe
  C:\Windows\System32\NyeUxnB.exe
  2⤵
  PID:8664
- C:\Windows\System32\DGXJPdQ.exe
  C:\Windows\System32\DGXJPdQ.exe
  2⤵
  PID:8720
- C:\Windows\System32\PgSDctA.exe
  C:\Windows\System32\PgSDctA.exe
  2⤵
  PID:8792
- C:\Windows\System32\xQKQteb.exe
  C:\Windows\System32\xQKQteb.exe
  2⤵
  PID:8884
- C:\Windows\System32\nVTsUeh.exe
  C:\Windows\System32\nVTsUeh.exe
  2⤵
  PID:8952
- C:\Windows\System32\zpdiELo.exe
  C:\Windows\System32\zpdiELo.exe
  2⤵
  PID:8980
- C:\Windows\System32\YXYYtsI.exe
  C:\Windows\System32\YXYYtsI.exe
  2⤵
  PID:9044
- C:\Windows\System32\qoLPDRW.exe
  C:\Windows\System32\qoLPDRW.exe
  2⤵
  PID:9108
- C:\Windows\System32\qFUqGmo.exe
  C:\Windows\System32\qFUqGmo.exe
  2⤵
  PID:9184
- C:\Windows\System32\PYrPTLk.exe
  C:\Windows\System32\PYrPTLk.exe
  2⤵
  PID:8300
- C:\Windows\System32\KvQoGeh.exe
  C:\Windows\System32\KvQoGeh.exe
  2⤵
  PID:8436
- C:\Windows\System32\NhZzqBf.exe
  C:\Windows\System32\NhZzqBf.exe
  2⤵
  PID:8660
- C:\Windows\System32\ggCMFkj.exe
  C:\Windows\System32\ggCMFkj.exe
  2⤵
  PID:8764
- C:\Windows\System32\TJVRFZO.exe
  C:\Windows\System32\TJVRFZO.exe
  2⤵
  PID:9016
- C:\Windows\System32\fDNvneX.exe
  C:\Windows\System32\fDNvneX.exe
  2⤵
  PID:9192
- C:\Windows\System32\UXButMw.exe
  C:\Windows\System32\UXButMw.exe
  2⤵
  PID:8508
- C:\Windows\System32\CUjjNAn.exe
  C:\Windows\System32\CUjjNAn.exe
  2⤵
  PID:8848
- C:\Windows\System32\iCRFpJo.exe
  C:\Windows\System32\iCRFpJo.exe
  2⤵
  PID:9128
- C:\Windows\System32\jColHev.exe
  C:\Windows\System32\jColHev.exe
  2⤵
  PID:9224
- C:\Windows\System32\WINACvD.exe
  C:\Windows\System32\WINACvD.exe
  2⤵
  PID:9252
- C:\Windows\System32\QtJTGdd.exe
  C:\Windows\System32\QtJTGdd.exe
  2⤵
  PID:9280
- C:\Windows\System32\eFpdYCM.exe
  C:\Windows\System32\eFpdYCM.exe
  2⤵
  PID:9308
- C:\Windows\System32\BIgwqmu.exe
  C:\Windows\System32\BIgwqmu.exe
  2⤵
  PID:9336
- C:\Windows\System32\pwQqOHa.exe
  C:\Windows\System32\pwQqOHa.exe
  2⤵
  PID:9364
- C:\Windows\System32\OsPdnRY.exe
  C:\Windows\System32\OsPdnRY.exe
  2⤵
  PID:9392
- C:\Windows\System32\xxhiOkk.exe
  C:\Windows\System32\xxhiOkk.exe
  2⤵
  PID:9420
- C:\Windows\System32\ztxEGSe.exe
  C:\Windows\System32\ztxEGSe.exe
  2⤵
  PID:9452
- C:\Windows\System32\kQrVhNm.exe
  C:\Windows\System32\kQrVhNm.exe
  2⤵
  PID:9480
- C:\Windows\System32\OeMSPQB.exe
  C:\Windows\System32\OeMSPQB.exe
  2⤵
  PID:9512
- C:\Windows\System32\Iyonimy.exe
  C:\Windows\System32\Iyonimy.exe
  2⤵
  PID:9540
- C:\Windows\System32\sqTmLJI.exe
  C:\Windows\System32\sqTmLJI.exe
  2⤵
  PID:9568
- C:\Windows\System32\kFgbqrZ.exe
  C:\Windows\System32\kFgbqrZ.exe
  2⤵
  PID:9600
- C:\Windows\System32\EfHDsuG.exe
  C:\Windows\System32\EfHDsuG.exe
  2⤵
  PID:9624
- C:\Windows\System32\wQXGSRF.exe
  C:\Windows\System32\wQXGSRF.exe
  2⤵
  PID:9656
- C:\Windows\System32\jpONssW.exe
  C:\Windows\System32\jpONssW.exe
  2⤵
  PID:9684
- C:\Windows\System32\qRNMZwK.exe
  C:\Windows\System32\qRNMZwK.exe
  2⤵
  PID:9712
- C:\Windows\System32\lBkcxMw.exe
  C:\Windows\System32\lBkcxMw.exe
  2⤵
  PID:9728
- C:\Windows\System32\fBQKEdV.exe
  C:\Windows\System32\fBQKEdV.exe
  2⤵
  PID:9776
- C:\Windows\System32\LodJkyS.exe
  C:\Windows\System32\LodJkyS.exe
  2⤵
  PID:9796
- C:\Windows\System32\wzIZWNM.exe
  C:\Windows\System32\wzIZWNM.exe
  2⤵
  PID:9824
- C:\Windows\System32\YyzmcTV.exe
  C:\Windows\System32\YyzmcTV.exe
  2⤵
  PID:9844
- C:\Windows\System32\EXjEDgE.exe
  C:\Windows\System32\EXjEDgE.exe
  2⤵
  PID:9880
- C:\Windows\System32\nfonbeM.exe
  C:\Windows\System32\nfonbeM.exe
  2⤵
  PID:9908
- C:\Windows\System32\ZnyDbsY.exe
  C:\Windows\System32\ZnyDbsY.exe
  2⤵
  PID:9936
- C:\Windows\System32\upMqwLD.exe
  C:\Windows\System32\upMqwLD.exe
  2⤵
  PID:9960
- C:\Windows\System32\lIPQRTP.exe
  C:\Windows\System32\lIPQRTP.exe
  2⤵
  PID:9980
- C:\Windows\System32\hwahMhN.exe
  C:\Windows\System32\hwahMhN.exe
  2⤵
  PID:10008
- C:\Windows\System32\OBkdYZG.exe
  C:\Windows\System32\OBkdYZG.exe
  2⤵
  PID:10044
- C:\Windows\System32\ZlWVMcR.exe
  C:\Windows\System32\ZlWVMcR.exe
  2⤵
  PID:10064
- C:\Windows\System32\beKwurl.exe
  C:\Windows\System32\beKwurl.exe
  2⤵
  PID:10100
- C:\Windows\System32\qgOmHGh.exe
  C:\Windows\System32\qgOmHGh.exe
  2⤵
  PID:10132
- C:\Windows\System32\cSmBnyQ.exe
  C:\Windows\System32\cSmBnyQ.exe
  2⤵
  PID:10160
- C:\Windows\System32\FMGFHTv.exe
  C:\Windows\System32\FMGFHTv.exe
  2⤵
  PID:10188
- C:\Windows\System32\AwkywCz.exe
  C:\Windows\System32\AwkywCz.exe
  2⤵
  PID:10224
- C:\Windows\System32\HZsFeNC.exe
  C:\Windows\System32\HZsFeNC.exe
  2⤵
  PID:8580
- C:\Windows\System32\ctAAoKj.exe
  C:\Windows\System32\ctAAoKj.exe
  2⤵
  PID:9276
- C:\Windows\System32\XDPgNhu.exe
  C:\Windows\System32\XDPgNhu.exe
  2⤵
  PID:9332
- C:\Windows\System32\yMiXrBM.exe
  C:\Windows\System32\yMiXrBM.exe
  2⤵
  PID:9388
- C:\Windows\System32\HuBWnkU.exe
  C:\Windows\System32\HuBWnkU.exe
  2⤵
  PID:9464
- C:\Windows\System32\gLbmnyt.exe
  C:\Windows\System32\gLbmnyt.exe
  2⤵
  PID:9496
- C:\Windows\System32\YWTSLWx.exe
  C:\Windows\System32\YWTSLWx.exe
  2⤵
  PID:9560
- C:\Windows\System32\uXUKOCf.exe
  C:\Windows\System32\uXUKOCf.exe
  2⤵
  PID:9648
- C:\Windows\System32\QCqihGI.exe
  C:\Windows\System32\QCqihGI.exe
  2⤵
  PID:9704
- C:\Windows\System32\JMvkCOv.exe
  C:\Windows\System32\JMvkCOv.exe
  2⤵
  PID:9764
- C:\Windows\System32\jYCWkqJ.exe
  C:\Windows\System32\jYCWkqJ.exe
  2⤵
  PID:9832
- C:\Windows\System32\ItvGdRZ.exe
  C:\Windows\System32\ItvGdRZ.exe
  2⤵
  PID:9920
- C:\Windows\System32\rVXGKbe.exe
  C:\Windows\System32\rVXGKbe.exe
  2⤵
  PID:9972
- C:\Windows\System32\GtkGmBg.exe
  C:\Windows\System32\GtkGmBg.exe
  2⤵
  PID:10052
- C:\Windows\System32\RjLwVvU.exe
  C:\Windows\System32\RjLwVvU.exe
  2⤵
  PID:10120
- C:\Windows\System32\ByZGmnu.exe
  C:\Windows\System32\ByZGmnu.exe
  2⤵
  PID:10180
- C:\Windows\System32\MLUXZzF.exe
  C:\Windows\System32\MLUXZzF.exe
  2⤵
  PID:9028
- C:\Windows\System32\PAZscwF.exe
  C:\Windows\System32\PAZscwF.exe
  2⤵
  PID:9352
- C:\Windows\System32\siYcKVf.exe
  C:\Windows\System32\siYcKVf.exe
  2⤵
  PID:9552
- C:\Windows\System32\FUCfHMv.exe
  C:\Windows\System32\FUCfHMv.exe
  2⤵
  PID:9632
- C:\Windows\System32\PuygNCz.exe
  C:\Windows\System32\PuygNCz.exe
  2⤵
  PID:9812
- C:\Windows\System32\pMzdKjX.exe
  C:\Windows\System32\pMzdKjX.exe
  2⤵
  PID:9952
- C:\Windows\System32\MLTPRLy.exe
  C:\Windows\System32\MLTPRLy.exe
  2⤵
  PID:10024
- C:\Windows\System32\pDCORRI.exe
  C:\Windows\System32\pDCORRI.exe
  2⤵
  PID:9588
- C:\Windows\System32\JsmZbOs.exe
  C:\Windows\System32\JsmZbOs.exe
  2⤵
  PID:9596
- C:\Windows\System32\SbZyEmg.exe
  C:\Windows\System32\SbZyEmg.exe
  2⤵
  PID:9872
- C:\Windows\System32\JtFcjjX.exe
  C:\Windows\System32\JtFcjjX.exe
  2⤵
  PID:9444
- C:\Windows\System32\CvtvgoK.exe
  C:\Windows\System32\CvtvgoK.exe
  2⤵
  PID:8692
- C:\Windows\System32\FCHGIsB.exe
  C:\Windows\System32\FCHGIsB.exe
  2⤵
  PID:10256
- C:\Windows\System32\wkgSlPw.exe
  C:\Windows\System32\wkgSlPw.exe
  2⤵
  PID:10284
- C:\Windows\System32\KyCqVXL.exe
  C:\Windows\System32\KyCqVXL.exe
  2⤵
  PID:10300
- C:\Windows\System32\BdXJKVt.exe
  C:\Windows\System32\BdXJKVt.exe
  2⤵
  PID:10344
- C:\Windows\System32\ITTZQoR.exe
  C:\Windows\System32\ITTZQoR.exe
  2⤵
  PID:10368
- C:\Windows\System32\egzhDSd.exe
  C:\Windows\System32\egzhDSd.exe
  2⤵
  PID:10396
- C:\Windows\System32\YoEUZHy.exe
  C:\Windows\System32\YoEUZHy.exe
  2⤵
  PID:10424
- C:\Windows\System32\xnnPrYD.exe
  C:\Windows\System32\xnnPrYD.exe
  2⤵
  PID:10452
- C:\Windows\System32\HleIuct.exe
  C:\Windows\System32\HleIuct.exe
  2⤵
  PID:10484
- C:\Windows\System32\lAaABly.exe
  C:\Windows\System32\lAaABly.exe
  2⤵
  PID:10508
- C:\Windows\System32\JgcMsLG.exe
  C:\Windows\System32\JgcMsLG.exe
  2⤵
  PID:10540
- C:\Windows\System32\DuPGhdX.exe
  C:\Windows\System32\DuPGhdX.exe
  2⤵
  PID:10568
- C:\Windows\System32\CjryKFP.exe
  C:\Windows\System32\CjryKFP.exe
  2⤵
  PID:10588
- C:\Windows\System32\ZRaLzyS.exe
  C:\Windows\System32\ZRaLzyS.exe
  2⤵
  PID:10616
- C:\Windows\System32\TVIdIul.exe
  C:\Windows\System32\TVIdIul.exe
  2⤵
  PID:10644
- C:\Windows\System32\NKolVNP.exe
  C:\Windows\System32\NKolVNP.exe
  2⤵
  PID:10680
- C:\Windows\System32\oXtPHsi.exe
  C:\Windows\System32\oXtPHsi.exe
  2⤵
  PID:10704
- C:\Windows\System32\KvqChun.exe
  C:\Windows\System32\KvqChun.exe
  2⤵
  PID:10736
- C:\Windows\System32\twwMkgL.exe
  C:\Windows\System32\twwMkgL.exe
  2⤵
  PID:10776
- C:\Windows\System32\pXmCUKk.exe
  C:\Windows\System32\pXmCUKk.exe
  2⤵
  PID:10792
- C:\Windows\System32\CkpGZGl.exe
  C:\Windows\System32\CkpGZGl.exe
  2⤵
  PID:10820
- C:\Windows\System32\yAblVFm.exe
  C:\Windows\System32\yAblVFm.exe
  2⤵
  PID:10836
- C:\Windows\System32\RCzYQmd.exe
  C:\Windows\System32\RCzYQmd.exe
  2⤵
  PID:10864
- C:\Windows\System32\IVJkiUX.exe
  C:\Windows\System32\IVJkiUX.exe
  2⤵
  PID:10884
- C:\Windows\System32\XhGorfO.exe
  C:\Windows\System32\XhGorfO.exe
  2⤵
  PID:10924
- C:\Windows\System32\EyZbkLC.exe
  C:\Windows\System32\EyZbkLC.exe
  2⤵
  PID:10960
- C:\Windows\System32\ewmTNrk.exe
  C:\Windows\System32\ewmTNrk.exe
  2⤵
  PID:10976
- C:\Windows\System32\DJMnlDF.exe
  C:\Windows\System32\DJMnlDF.exe
  2⤵
  PID:11012
- C:\Windows\System32\kzVzTjl.exe
  C:\Windows\System32\kzVzTjl.exe
  2⤵
  PID:11032
- C:\Windows\System32\TkrWYzX.exe
  C:\Windows\System32\TkrWYzX.exe
  2⤵
  PID:11064
- C:\Windows\System32\mPRpNAs.exe
  C:\Windows\System32\mPRpNAs.exe
  2⤵
  PID:11100
- C:\Windows\System32\bfqJrjx.exe
  C:\Windows\System32\bfqJrjx.exe
  2⤵
  PID:11128
- C:\Windows\System32\uJuezKu.exe
  C:\Windows\System32\uJuezKu.exe
  2⤵
  PID:11156
- C:\Windows\System32\sUjzuRn.exe
  C:\Windows\System32\sUjzuRn.exe
  2⤵
  PID:11184
- C:\Windows\System32\ZzRdhsR.exe
  C:\Windows\System32\ZzRdhsR.exe
  2⤵
  PID:11200
- C:\Windows\System32\IlcFAjP.exe
  C:\Windows\System32\IlcFAjP.exe
  2⤵
  PID:11240
- C:\Windows\System32\NUTxUkS.exe
  C:\Windows\System32\NUTxUkS.exe
  2⤵
  PID:10244
- C:\Windows\System32\PCJPTft.exe
  C:\Windows\System32\PCJPTft.exe
  2⤵
  PID:10312
- C:\Windows\System32\QWotUut.exe
  C:\Windows\System32\QWotUut.exe
  2⤵
  PID:10380
- C:\Windows\System32\YweEKcr.exe
  C:\Windows\System32\YweEKcr.exe
  2⤵
  PID:10420
- C:\Windows\System32\aNiznic.exe
  C:\Windows\System32\aNiznic.exe
  2⤵
  PID:10500
- C:\Windows\System32\wXPvnTP.exe
  C:\Windows\System32\wXPvnTP.exe
  2⤵
  PID:10584
- C:\Windows\System32\vLIKqKM.exe
  C:\Windows\System32\vLIKqKM.exe
  2⤵
  PID:10632
- C:\Windows\System32\QbxGuGA.exe
  C:\Windows\System32\QbxGuGA.exe
  2⤵
  PID:10744
- C:\Windows\System32\IltjWtD.exe
  C:\Windows\System32\IltjWtD.exe
  2⤵
  PID:10784
- C:\Windows\System32\oAttyVo.exe
  C:\Windows\System32\oAttyVo.exe
  2⤵
  PID:10816
- C:\Windows\System32\arVLaAq.exe
  C:\Windows\System32\arVLaAq.exe
  2⤵
  PID:10872
- C:\Windows\System32\yPdXJeR.exe
  C:\Windows\System32\yPdXJeR.exe
  2⤵
  PID:10948
- C:\Windows\System32\WzsOLtJ.exe
  C:\Windows\System32\WzsOLtJ.exe
  2⤵
  PID:11044
- C:\Windows\System32\UBoFtqw.exe
  C:\Windows\System32\UBoFtqw.exe
  2⤵
  PID:11112
- C:\Windows\System32\uzhRnnr.exe
  C:\Windows\System32\uzhRnnr.exe
  2⤵
  PID:11168
- C:\Windows\System32\EZZFIKk.exe
  C:\Windows\System32\EZZFIKk.exe
  2⤵
  PID:11232
- C:\Windows\System32\HzVifvV.exe
  C:\Windows\System32\HzVifvV.exe
  2⤵
  PID:10296
- C:\Windows\System32\xPhXRqd.exe
  C:\Windows\System32\xPhXRqd.exe
  2⤵
  PID:10480
- C:\Windows\System32\zFgQObY.exe
  C:\Windows\System32\zFgQObY.exe
  2⤵
  PID:10640
- C:\Windows\System32\nYnntsJ.exe
  C:\Windows\System32\nYnntsJ.exe
  2⤵
  PID:10772
- C:\Windows\System32\WTfrsHi.exe
  C:\Windows\System32\WTfrsHi.exe
  2⤵
  PID:10944
- C:\Windows\System32\UrjhQrL.exe
  C:\Windows\System32\UrjhQrL.exe
  2⤵
  PID:11072
- C:\Windows\System32\EhBiXgk.exe
  C:\Windows\System32\EhBiXgk.exe
  2⤵
  PID:11148
- C:\Windows\System32\uGfiOaH.exe
  C:\Windows\System32\uGfiOaH.exe
  2⤵
  PID:10536
- C:\Windows\System32\zJfXhUY.exe
  C:\Windows\System32\zJfXhUY.exe
  2⤵
  PID:10852
- C:\Windows\System32\mdDBMQl.exe
  C:\Windows\System32\mdDBMQl.exe
  2⤵
  PID:9948
- C:\Windows\System32\PDKbaJQ.exe
  C:\Windows\System32\PDKbaJQ.exe
  2⤵
  PID:10596
- C:\Windows\System32\yEtbCRA.exe
  C:\Windows\System32\yEtbCRA.exe
  2⤵
  PID:11152
- C:\Windows\System32\RYpiGmE.exe
  C:\Windows\System32\RYpiGmE.exe
  2⤵
  PID:11288
- C:\Windows\System32\qYgomgv.exe
  C:\Windows\System32\qYgomgv.exe
  2⤵
  PID:11320
- C:\Windows\System32\EfcqyjI.exe
  C:\Windows\System32\EfcqyjI.exe
  2⤵
  PID:11360
- C:\Windows\System32\PbxWMoo.exe
  C:\Windows\System32\PbxWMoo.exe
  2⤵
  PID:11384
- C:\Windows\System32\OKMjzEX.exe
  C:\Windows\System32\OKMjzEX.exe
  2⤵
  PID:11412
- C:\Windows\System32\SFicsIm.exe
  C:\Windows\System32\SFicsIm.exe
  2⤵
  PID:11440
- C:\Windows\System32\sREGEsy.exe
  C:\Windows\System32\sREGEsy.exe
  2⤵
  PID:11464
- C:\Windows\System32\NRGxdWy.exe
  C:\Windows\System32\NRGxdWy.exe
  2⤵
  PID:11496
- C:\Windows\System32\ASOvupx.exe
  C:\Windows\System32\ASOvupx.exe
  2⤵
  PID:11524
- C:\Windows\System32\tszfWnt.exe
  C:\Windows\System32\tszfWnt.exe
  2⤵
  PID:11568
- C:\Windows\System32\kROxILm.exe
  C:\Windows\System32\kROxILm.exe
  2⤵
  PID:11584
- C:\Windows\System32\QAIPRcJ.exe
  C:\Windows\System32\QAIPRcJ.exe
  2⤵
  PID:11604
- C:\Windows\System32\PcxISfu.exe
  C:\Windows\System32\PcxISfu.exe
  2⤵
  PID:11640
- C:\Windows\System32\nznlsCd.exe
  C:\Windows\System32\nznlsCd.exe
  2⤵
  PID:11664
- C:\Windows\System32\kBFxZvJ.exe
  C:\Windows\System32\kBFxZvJ.exe
  2⤵
  PID:11696
- C:\Windows\System32\qEekbLd.exe
  C:\Windows\System32\qEekbLd.exe
  2⤵
  PID:11724
- C:\Windows\System32\MKDPTUY.exe
  C:\Windows\System32\MKDPTUY.exe
  2⤵
  PID:11760
- C:\Windows\System32\OFUuaSL.exe
  C:\Windows\System32\OFUuaSL.exe
  2⤵
  PID:11792
- C:\Windows\System32\JvIZqDR.exe
  C:\Windows\System32\JvIZqDR.exe
  2⤵
  PID:11808
- C:\Windows\System32\KbjxxPx.exe
  C:\Windows\System32\KbjxxPx.exe
  2⤵
  PID:11840
- C:\Windows\System32\yMjgpTC.exe
  C:\Windows\System32\yMjgpTC.exe
  2⤵
  PID:11876
- C:\Windows\System32\tvVQACp.exe
  C:\Windows\System32\tvVQACp.exe
  2⤵
  PID:11904
- C:\Windows\System32\EkKWsZn.exe
  C:\Windows\System32\EkKWsZn.exe
  2⤵
  PID:11932
- C:\Windows\System32\Yiwwbmo.exe
  C:\Windows\System32\Yiwwbmo.exe
  2⤵
  PID:11948
- C:\Windows\System32\ONqNerm.exe
  C:\Windows\System32\ONqNerm.exe
  2⤵
  PID:11984
- C:\Windows\System32\EYxtDwD.exe
  C:\Windows\System32\EYxtDwD.exe
  2⤵
  PID:12020
- C:\Windows\System32\CdNpwxs.exe
  C:\Windows\System32\CdNpwxs.exe
  2⤵
  PID:12048
- C:\Windows\System32\SHgkinZ.exe
  C:\Windows\System32\SHgkinZ.exe
  2⤵
  PID:12076
- C:\Windows\System32\QSBJcks.exe
  C:\Windows\System32\QSBJcks.exe
  2⤵
  PID:12104
- C:\Windows\System32\ONpWEtg.exe
  C:\Windows\System32\ONpWEtg.exe
  2⤵
  PID:12132
- C:\Windows\System32\UiYXOFs.exe
  C:\Windows\System32\UiYXOFs.exe
  2⤵
  PID:12160
- C:\Windows\System32\bEjqtNs.exe
  C:\Windows\System32\bEjqtNs.exe
  2⤵
  PID:12188
- C:\Windows\System32\XQOpWOs.exe
  C:\Windows\System32\XQOpWOs.exe
  2⤵
  PID:12208
- C:\Windows\System32\YRKliFK.exe
  C:\Windows\System32\YRKliFK.exe
  2⤵
  PID:12244
- C:\Windows\System32\deSdZOm.exe
  C:\Windows\System32\deSdZOm.exe
  2⤵
  PID:12260
- C:\Windows\System32\ewCmMYo.exe
  C:\Windows\System32\ewCmMYo.exe
  2⤵
  PID:11272
- C:\Windows\System32\sHMhtQG.exe
  C:\Windows\System32\sHMhtQG.exe
  2⤵
  PID:11340
- C:\Windows\System32\oNdIuTo.exe
  C:\Windows\System32\oNdIuTo.exe
  2⤵
  PID:11404
- C:\Windows\System32\oywkfEu.exe
  C:\Windows\System32\oywkfEu.exe
  2⤵
  PID:11480
- C:\Windows\System32\GjLysxp.exe
  C:\Windows\System32\GjLysxp.exe
  2⤵
  PID:11536
- C:\Windows\System32\yJZLMjF.exe
  C:\Windows\System32\yJZLMjF.exe
  2⤵
  PID:11616
- C:\Windows\System32\NSJFiJY.exe
  C:\Windows\System32\NSJFiJY.exe
  2⤵
  PID:10556
- C:\Windows\System32\zUSKOPd.exe
  C:\Windows\System32\zUSKOPd.exe
  2⤵
  PID:11704
- C:\Windows\System32\gYmdhND.exe
  C:\Windows\System32\gYmdhND.exe
  2⤵
  PID:11804
- C:\Windows\System32\kouRRCx.exe
  C:\Windows\System32\kouRRCx.exe
  2⤵
  PID:11860
- C:\Windows\System32\GxOFHgT.exe
  C:\Windows\System32\GxOFHgT.exe
  2⤵
  PID:11944
- C:\Windows\System32\UnIWJeE.exe
  C:\Windows\System32\UnIWJeE.exe
  2⤵
  PID:12004
- C:\Windows\System32\TsjcDZc.exe
  C:\Windows\System32\TsjcDZc.exe
  2⤵
  PID:12072
- C:\Windows\System32\iMXOlSl.exe
  C:\Windows\System32\iMXOlSl.exe
  2⤵
  PID:12120
- C:\Windows\System32\isQwalw.exe
  C:\Windows\System32\isQwalw.exe
  2⤵
  PID:12180
- C:\Windows\System32\EUYmsMA.exe
  C:\Windows\System32\EUYmsMA.exe
  2⤵
  PID:12256
- C:\Windows\System32\mFbfuAk.exe
  C:\Windows\System32\mFbfuAk.exe
  2⤵
  PID:11276
- C:\Windows\System32\zDLerdQ.exe
  C:\Windows\System32\zDLerdQ.exe
  2⤵
  PID:11516
- C:\Windows\System32\aaZamkr.exe
  C:\Windows\System32\aaZamkr.exe
  2⤵
  PID:11600
- C:\Windows\System32\FCyjCum.exe
  C:\Windows\System32\FCyjCum.exe
  2⤵
  PID:11684
- C:\Windows\System32\xngsKIS.exe
  C:\Windows\System32\xngsKIS.exe
  2⤵
  PID:11968
- C:\Windows\System32\fmLxATu.exe
  C:\Windows\System32\fmLxATu.exe
  2⤵
  PID:12124
- C:\Windows\System32\UpvAQxi.exe
  C:\Windows\System32\UpvAQxi.exe
  2⤵
  PID:10932
- C:\Windows\System32\NilaHCK.exe
  C:\Windows\System32\NilaHCK.exe
  2⤵
  PID:4876
- C:\Windows\System32\oTLAqRf.exe
  C:\Windows\System32\oTLAqRf.exe
  2⤵
  PID:11420
- C:\Windows\System32\xKSiozm.exe
  C:\Windows\System32\xKSiozm.exe
  2⤵
  PID:11900
- C:\Windows\System32\MEcOIaM.exe
  C:\Windows\System32\MEcOIaM.exe
  2⤵
  PID:12204
- C:\Windows\System32\CMWlpbP.exe
  C:\Windows\System32\CMWlpbP.exe
  2⤵
  PID:11632
- C:\Windows\System32\ypzHNrV.exe
  C:\Windows\System32\ypzHNrV.exe
  2⤵
  PID:1940
- C:\Windows\System32\HwCcQzp.exe
  C:\Windows\System32\HwCcQzp.exe
  2⤵
  PID:12296
- C:\Windows\System32\MEJuGvZ.exe
  C:\Windows\System32\MEJuGvZ.exe
  2⤵
  PID:12324
- C:\Windows\System32\OrzyFRJ.exe
  C:\Windows\System32\OrzyFRJ.exe
  2⤵
  PID:12352
- C:\Windows\System32\mLxLrKA.exe
  C:\Windows\System32\mLxLrKA.exe
  2⤵
  PID:12380
- C:\Windows\System32\ZMRJhdA.exe
  C:\Windows\System32\ZMRJhdA.exe
  2⤵
  PID:12408
- C:\Windows\System32\sBnwOin.exe
  C:\Windows\System32\sBnwOin.exe
  2⤵
  PID:12440
- C:\Windows\System32\DMreMtH.exe
  C:\Windows\System32\DMreMtH.exe
  2⤵
  PID:12496
- C:\Windows\System32\piBrmJk.exe
  C:\Windows\System32\piBrmJk.exe
  2⤵
  PID:12524
- C:\Windows\System32\IKNoXSK.exe
  C:\Windows\System32\IKNoXSK.exe
  2⤵
  PID:12552
- C:\Windows\System32\aDVvOuM.exe
  C:\Windows\System32\aDVvOuM.exe
  2⤵
  PID:12580
- C:\Windows\System32\HFxIZZB.exe
  C:\Windows\System32\HFxIZZB.exe
  2⤵
  PID:12624
- C:\Windows\System32\vsVzYfw.exe
  C:\Windows\System32\vsVzYfw.exe
  2⤵
  PID:12648
- C:\Windows\System32\FAsigPg.exe
  C:\Windows\System32\FAsigPg.exe
  2⤵
  PID:12684
- C:\Windows\System32\IvYitgY.exe
  C:\Windows\System32\IvYitgY.exe
  2⤵
  PID:12712
- C:\Windows\System32\fyJzWCu.exe
  C:\Windows\System32\fyJzWCu.exe
  2⤵
  PID:12740
- C:\Windows\System32\kVdoyHV.exe
  C:\Windows\System32\kVdoyHV.exe
  2⤵
  PID:12776
- C:\Windows\System32\yTwyWXG.exe
  C:\Windows\System32\yTwyWXG.exe
  2⤵
  PID:12804
- C:\Windows\System32\maoJyHa.exe
  C:\Windows\System32\maoJyHa.exe
  2⤵
  PID:12832
- C:\Windows\System32\lhWndOH.exe
  C:\Windows\System32\lhWndOH.exe
  2⤵
  PID:12860
- C:\Windows\System32\xYHCFrE.exe
  C:\Windows\System32\xYHCFrE.exe
  2⤵
  PID:12888
- C:\Windows\System32\ejdqelf.exe
  C:\Windows\System32\ejdqelf.exe
  2⤵
  PID:12916
- C:\Windows\System32\HECJnqY.exe
  C:\Windows\System32\HECJnqY.exe
  2⤵
  PID:12944
- C:\Windows\System32\pIAeQTp.exe
  C:\Windows\System32\pIAeQTp.exe
  2⤵
  PID:12984
- C:\Windows\System32\ETwaOiZ.exe
  C:\Windows\System32\ETwaOiZ.exe
  2⤵
  PID:13012
- C:\Windows\System32\ujiwifi.exe
  C:\Windows\System32\ujiwifi.exe
  2⤵
  PID:13044
- C:\Windows\System32\syuDwyr.exe
  C:\Windows\System32\syuDwyr.exe
  2⤵
  PID:13072
- C:\Windows\System32\nHVTJwq.exe
  C:\Windows\System32\nHVTJwq.exe
  2⤵
  PID:13100
- C:\Windows\System32\AXLnTXB.exe
  C:\Windows\System32\AXLnTXB.exe
  2⤵
  PID:13128
- C:\Windows\System32\scGlfKj.exe
  C:\Windows\System32\scGlfKj.exe
  2⤵
  PID:13156
- C:\Windows\System32\LXeZgTj.exe
  C:\Windows\System32\LXeZgTj.exe
  2⤵
  PID:13184
- C:\Windows\System32\FDmsLAp.exe
  C:\Windows\System32\FDmsLAp.exe
  2⤵
  PID:13220
- C:\Windows\System32\gMqYCwO.exe
  C:\Windows\System32\gMqYCwO.exe
  2⤵
  PID:13240
- C:\Windows\System32\WMBXSpP.exe
  C:\Windows\System32\WMBXSpP.exe
  2⤵
  PID:13268

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AICfgVn.exe

Filesize
2.9MB

MD5
a9590e58abf5bf82dd6ee12d2b00869e

SHA1
75cc4ce1fcd35847727a5ab71abb07afb5254d44

SHA256
42b38692db54ca85ec0c542164a96056dc5463d85735809b9fb13e8ee95bb1f0

SHA512
a91790b41d0310d158e63c74037cb234abd58d5a6fcbb2187eecf97082f06b1f336d4657129c12fd2be3845a261d037f9cd10937b459858b3f313737ca4f1bb6

Download Submit
C:\Windows\System32\BGIywXP.exe

Filesize
2.9MB

MD5
e5fc6f82079f4c7cf7c90c15d1fe8563

SHA1
461e38176ff39543b4ca6d605283e8f4eaa763b6

SHA256
4c99e8380fab0c832fbcd97f8bee95e4b4d823e13059c2ef9d51b4c087ca2fb9

SHA512
0f888f6b6d35acbee8c3ea7cfa51449b6ce493de8cbca7d0d92585e860b54abde3df7ee474ef2055f4c22f8b3fb836f0b6600dec831b6f09cc35ee83ec8465f8

Download Submit
C:\Windows\System32\BdkiiGh.exe

Filesize
2.9MB

MD5
e0eccb38f6bf92e03f9a6196f3ad2f60

SHA1
2663a085274579900ccc035b996c661fc952ef24

SHA256
95d4531807d9788eca5de875d703394eca0d7f39889e3a456b82bed1211290a7

SHA512
0e9b0e9df7704cac41b24ec1bdfd1ac0d2446c28b3c54fdb621708b786230ff34c234556511fb2c411afda530661216ac159f49b2e8e2810edfecf4116a34a0d

Download Submit
C:\Windows\System32\BetqdlH.exe

Filesize
2.9MB

MD5
179dbd3b2f5687b469ef572a6971ab9e

SHA1
aac69efae60814bfa001dd1e9fcc16ad018de7a3

SHA256
b6820974163d684f00b48e460c8ef783c6c3e3a2c085b2d299814ca226e55ee0

SHA512
30375fd0fed0d4a7de2e9e7f4ffd6ac3f2a9a861606a19023505ea5adc62f74d0fae4ee396901749bdcb07cd52411a888ff2101b79c3687d52f9b9b7ffbd0102

Download Submit
C:\Windows\System32\BfLBlTS.exe

Filesize
2.9MB

MD5
a466d39680f14f1c448f43c664dbe618

SHA1
b382d689e3409ed304b5c8b4d6eb7baf1357ea23

SHA256
5da9df962a6425f6fbde23ee7a73b2a859c551c67a34e5ef9079d0e6d387abe2

SHA512
15e5fcc21b32621da3c85a8fb1cbe7b4f4bd317605b97c14221069f355a65fdacbbd88954906a352761a326809854eb1ee0283bb86b7fa66fd101fbf1b2e7b16

Download Submit
C:\Windows\System32\CKEKDDl.exe

Filesize
2.9MB

MD5
7fa2f26d3482acf60f30ba40181045ac

SHA1
580e41319c2d7c1802c708e910dc7a00ad3bb9fc

SHA256
cf94cd4bb5fca1161af65e973ad99e404caef25540b50b0132ce92c9ce37dd04

SHA512
007ec4339a33cbf5a1424c953c8b10b07955cafbb605be2a789fb3e7a18d3c1082affcd3d7486b331124dcbe6407f15bb33d0a44ab05cf113eda0372657e0364

Download Submit
C:\Windows\System32\IDnMXtX.exe

Filesize
2.9MB

MD5
9016a4a8fae730af27babf7401f9a03d

SHA1
c1f130cba3b42fc353ed6aece2202f2453472c3f

SHA256
14b7cdddd77f076576bc02a3576da5430b56458a0f31b6995162f6ca0143c9af

SHA512
4938a3fc9e1f359e58d818f215013ffdec96dd7c9ebd2e13514033e3c90a2e8f648fb84f89269886e2753cdd60e04a4489a6573e126a26e36351ba10c39fa021

Download Submit
C:\Windows\System32\IJOwhfb.exe

Filesize
2.9MB

MD5
2cf41cd7aa621c6a590ae6b7fde6980c

SHA1
7d456d4e9a6b7ad4d57693dbd2ad81501e4243df

SHA256
6a469c056527e1d208ac890db701a2dc12ca9d1ad02a22e6fbe79ba47d2b9f1c

SHA512
817b303fb0ab351c378da59e343e55806fca0ee977723efcc9afe48d1f7028176e53f34233d5a6939b7b448535681717b256af04c0668076444e09857611cd79

Download Submit
C:\Windows\System32\IPkaSLR.exe

Filesize
2.9MB

MD5
e3cf022e5741ad2030b4736b75a2cb54

SHA1
d15e7208f2389764b37f554616d22f76a6292ed0

SHA256
160f6b08a9328f083069422f16b6f0fb8206da13803cf508c2e51a6f4a89cb3e

SHA512
58b60273b74810388e7d8c85594c22aaadc52c746efe5083fc8f2e2513506318f2f537a933a903fb9edcdbedbfd7523e6c1067bdf3b2fd2391705631939f9a0f

Download Submit
C:\Windows\System32\IeeIThf.exe

Filesize
2.9MB

MD5
82e739f1627a41a13c0028ec959eec0c

SHA1
b08687aeece6de32e8f49b375730baf31eaad3be

SHA256
c0b6e279e71e6d09937a59399c4edd3c05b256a94ea0517db021c838d618eda7

SHA512
7e55ef11ca8a1d1424ef4f9f8df18539be188184c9339ad904fe7bf42bdc694d57092802cb1953201d1fbf27287d7d96f79ca6b36a3722264763fd43d17c05f3

Download Submit
C:\Windows\System32\IvoXKOy.exe

Filesize
2.9MB

MD5
5b340901ad651d064b8cde1b6409e3a0

SHA1
a2877258aff07e3795198aa7d5c1e740e4a23337

SHA256
25e017e5f264531029cdf859a7e6ca6c2ceddbfac5b7ed6fceeb3155d44c69c4

SHA512
4a61a6620ef03082b970546605f3ebffeb52d330cd3c223275df6a55ca2e6389197a8356fb5c67c7a6c30b12b99dfbcec09c6060235ea5c4bc2dcffe885637f0

Download Submit
C:\Windows\System32\MCYNvTl.exe

Filesize
2.9MB

MD5
9a23ea41e29ab1401d0a491fe4f00a8e

SHA1
7fe4353837c7b78e139ad4ec633047cd60ca9786

SHA256
46bdb14d452105f19cc36038ce1107dc8702bb6553e6448e0683af1b598d7234

SHA512
bdfe6d9c00317b6a388fcf27014a21a0923cfcfe55af84a8ee697f0bdca5b996b11201fe56848e238abd53fb4b42f33d630914cd2ddce44da3c31cccdbe3796f

Download Submit
C:\Windows\System32\MqJqtLL.exe

Filesize
2.9MB

MD5
02c04e82683c2ce2ab279c3b280dc023

SHA1
702699fe696c8c580c636f4c10430ef17d9556ea

SHA256
80dd2a357e074f9fad3225d5e4b3552910b2e9fe91d66d8c45625ee382c71d14

SHA512
1f8487fad9d7f5079e26824f680a346eeeb040b15ddce301f29e8f880ac0d34a698474b6d7db21ec8aede770bafba37805a996d1488543953903fb17ee2cf4d3

Download Submit
C:\Windows\System32\NarvlzN.exe

Filesize
2.9MB

MD5
07677a775fb4c943421d0abd2308149c

SHA1
425d0a70dd4169bd36ba4368cafa1c0cc80afed1

SHA256
db4fdaec108f9ff93d8cafa35fb3bdf60e8dcd3489ce112ba3518fe8f5a6cc67

SHA512
2f5ce4af9997b52473dafd65f093f206897568326c5cb4292b47f67f3422e1de4a07a5df29a08ef7bdd073b5324ccc06aed43e57326e7b29a182b423b083b9fa

Download Submit
C:\Windows\System32\OlXWiZD.exe

Filesize
2.9MB

MD5
333f3369c65d684a2c40ea68a7199615

SHA1
ab72edffb927b9e7a08b20ff8c0095fd290e6415

SHA256
7b79282cc16c32b7faeee988e7b237c1a69aab9c5bdc4d4bc425b9f54bf35354

SHA512
ae5f3b43f6a146dd4951abe3c099ec6d00a71af7b49215d35b976f0430d30422b926fefcecd5e461d4ad022b55e7f72532be2ef26293e6da759377613be129a1

Download Submit
C:\Windows\System32\RVyqcZA.exe

Filesize
2.9MB

MD5
4e9319a5ebe9428835b4508f60c462ce

SHA1
404334614261ac21c3203a9031cb910b221902af

SHA256
2853071f0b2aa4f3f2442e979e06a44a62c12c80d4c6a4df39d01ad6a7f6479b

SHA512
21596ee88091961f6ad6819d43b924430c64a437feed372e2067f5bba14961d8adec5f81c9c014f3ffb544bd459897afe9e916356c1253ffd2083a5db02c7b61

Download Submit
C:\Windows\System32\SyylVHx.exe

Filesize
2.9MB

MD5
80f07cc4ea69fe45b4fda5d230eb7fc4

SHA1
9d8bf7d23e22c30300b2e6ffbdc4d018aded7421

SHA256
1cd14ca552cfa67d31ef6d8d52978952fef87f4a7dec331e10e8df9396b1fc39

SHA512
a1443544a5dd7b03c26ead53deac054c07ae0896505cf6ff9681a87a44c7892226c0967a4e9b93331cc4c917467a61ad2326215ea0ff73a032881157405f7e1c

Download Submit
C:\Windows\System32\UefBTmv.exe

Filesize
2.9MB

MD5
7cf6f3ab50080c08f9e75e77326e1e0d

SHA1
bc4bc7d9f6b41c155d63931fddabacbcbf50a763

SHA256
f916faa7107183a67f18653974fff5e96547e0824fe4a5553a1d8291e83b1003

SHA512
dabadc83546acf44b85143a9b619866172ea615c7926a0b1a989d4f8734747ec20b7c2b4dc5b0c7dbbd77f579f38b50375c3695af18be4729bb2cfda83cdd2b9

Download Submit
C:\Windows\System32\YAZpsqq.exe

Filesize
2.9MB

MD5
a35006f204a3282dee422c0b8009c7bb

SHA1
041c74849de8629ac28cfa4f28fa07045f220516

SHA256
0229be77cb76925f9ca4743757540d9e408d6e782d16088001dcc2e8b2470c3a

SHA512
4a99740f09aa9614790904931b0d61463d54224cde8809709214a711016ec0fb98ab27e59fffcf4e4fbce1514f4e9e1bfa0c3134f40f85e1a36d490907d6709e

Download Submit
C:\Windows\System32\agprfLJ.exe

Filesize
2.9MB

MD5
73f6739eb8bd605ce2f7179e41f801eb

SHA1
9394fcd65e3ea660a345704e8288cca3bdc7febc

SHA256
33d6a356e199a48667ef976a4fb6055f9ccc781f8ee1e7e004eb33ee73134252

SHA512
6a01f153acd846bc2de3152917bbbf3883163b9d47c4168b5968a8cb713560708e784eceb27c0413c6ef47f18c21970b5953c2abd9c8aeac9427fd7de351bff0

Download Submit
C:\Windows\System32\axFcSHy.exe

Filesize
2.9MB

MD5
4a0e759b66932a16a36f98c16504fde0

SHA1
d62d09a7e17bca64ceb3c953ce753ab12ccd1b8b

SHA256
58dbe97e68c023bc700e9109ade8927fb9b970c2600dcbb4fbfb6b89587280b8

SHA512
2c71cccfd72a910b4d3158d55679b1b8b8e5817ee690d845643f6c5f722932ce717c8a6dff6df050ea555a0caa812a780e0daab34e7bfa4bcc576bc80089da8f

Download Submit
C:\Windows\System32\cbeHXsk.exe

Filesize
2.9MB

MD5
435ce86e1e5ebac0088897c9098d691e

SHA1
ca4d120cf98141b07fd4c519498bf047b7152949

SHA256
382441d020c2efe12e29e7357387563cf4f36f68238fa09e0c856766d1097a36

SHA512
7450f6971dc32f86205837b6354a51e76db3549e0c2a0cdeeaa0678ac93a24c07a498f36c8c57a99b90163fe59b6ce107040a7f59a7cf1f127bc2cbc541b7415

Download Submit
C:\Windows\System32\dAhHEAm.exe

Filesize
2.9MB

MD5
94b4ed1583fe192e90425ba016babbe7

SHA1
0bdcd167606c0bdb8e2f8811f88b2e4818793a48

SHA256
70dfa83f7776fd2c526da27db2f8f9436154de1960e9dda052a2f3d75ea124a8

SHA512
17ae8cc78626a67127877fcb835758abd33788ccf19e7ad1472a9f3fe41702fb90d5391d8d2584044695866ae12cb6cca5b7ac40d51e9f89b84fea2b601e57c5

Download Submit
C:\Windows\System32\fpOpaps.exe

Filesize
2.9MB

MD5
bf571cc4bd785c8f10dc7208435307ab

SHA1
cc4dc99db3780551303fac1f94a79805b62d82eb

SHA256
78912e673ea0898b3b4e8a88585ec14360369a4d0f79b507ea15c6f540659bd4

SHA512
2e699da649481033ea610e92f8e49e935aa11b89b1524b0cbaeae8d7055c35661e34c1fcd1236d75fd0e979590629de166350382c1e740b889d52bf0a0555bcb

Download Submit
C:\Windows\System32\gExrHRN.exe

Filesize
2.9MB

MD5
0d8c4b3db8c7c8cc084c44e927a92621

SHA1
f1eca33a903bb7bcada790a36b973109958e3b79

SHA256
7ea254c89303fdd9db8b39b7d32cee734d466d258d4b825aa87efd02520186e9

SHA512
a99efcf4fea056cdc1c20ec700714ed5c7dc34cbbd965bca6f724933472cc6fd5aff74ccbcd8c8fe50ce5eaa304695ba0ef53a738d4087e88e11a9d078bf8889

Download Submit
C:\Windows\System32\gVORKNB.exe

Filesize
2.9MB

MD5
681396a72fb33feb7f88fcaa82c47e33

SHA1
ba9a84942616f46054452d9e0d945b12c077791f

SHA256
1220355a198788dcba8c12464a4245a9f807b0f731d0abd0d572cee2613a14cd

SHA512
9ea9fa74f4f7d1f56554b192f4e913439a8c8808429010deb6573d1ff694f7ebd9ae10336766a2d44b7f86bd66f48f73c8b8c01bc7dd99b3372270af9ff7f8c3

Download Submit
C:\Windows\System32\gtpwmjV.exe

Filesize
2.9MB

MD5
91d0d6216f6fcce28b1e753e74253588

SHA1
229d58594c97ccae6a6740e25e453c3358e1880c

SHA256
bdb7c4a17d88c77117e9ecdbdf90687d7eacec4d30ba3277569ea5166fd76d2e

SHA512
33e6ec4a110fe73584eb3ae6e6231bb3189ed9fd7e7f5516c0183bcbdc5ff3ee421afe03031c48eab9b0050d46b88df729ba677f392e3a8cf4b28e5a7e3f9fbd

Download Submit
C:\Windows\System32\sfIfiIJ.exe

Filesize
2.9MB

MD5
7d000c1f22f0a93c54381410c5247554

SHA1
89938cf5cf018bd3667352eb25eded4a8ab4245e

SHA256
ac2e461233dc87a3ca2c5c0b19a60f52c5d47408d7ce8e65199a8f47f41c54de

SHA512
e32078ce9a3a98ecfe87a60bab9628423e37e51b33d71522fc118e86aacfc97712a6d2b3622173f5cd457597b2eb8874a535b17aae75ecd377b4eb200e62abec

Download Submit
C:\Windows\System32\stCwOlL.exe

Filesize
2.9MB

MD5
edd976f8d3766dbb14061305808e7d1d

SHA1
88a360fa11781a3768206543bf34518f37d3bd70

SHA256
88a51ca64fd1b991fc8d4a73b175818cb4acebb96c4cf53057a2129209f6b968

SHA512
f7893449fe3e4bb44f16312193ffd57b37b75032119bf8b91e408871e015b869a0d91e5e8e2d2209919ab70d6aadfe9968ba35ade10f53a294cca8cfaeefae20

Download Submit
C:\Windows\System32\tDYHrnO.exe

Filesize
2.9MB

MD5
bc55b8c66e2213dcd58633d63fb70ad4

SHA1
298cc48259c99cf82918a24d1cac56b2a915c72e

SHA256
6e94e1eb7b5399848af1d25ba5ca9527b18c5c18d598b7ea46674114eb2b4e57

SHA512
50f8727b8af83c2fb49fb3d9f05a506e4a96d263ca09d067b58431c7ef8968ca3043d8dbbac5e3c70c994ec4b27248387ef00a086dc455d410b1ef02394679f9

Download Submit
C:\Windows\System32\uGdItPH.exe

Filesize
2.9MB

MD5
dfbed59980b4f06970bea903d8fbd790

SHA1
17052b327fbac4eb775f904283b03ec9e7153587

SHA256
b36ad84ab6aa17261d1ecf86fb70857dfe557cb2c37d51f8f6f7b98609e35307

SHA512
88ba123fbdd19d4fbf369429baf3e79aaa40ab5ca9b62d646f46b70d0154e33bd6742e5f932b44a9364c28e18bc720ecc20a60a59eff26bcb19603bde0d51658

Download Submit
C:\Windows\System32\wCjfiHd.exe

Filesize
2.9MB

MD5
fd6723525ffea24e8a3379ed2f70152e

SHA1
6161bf70a0d09eb8228b5d96948c66da45bddcb4

SHA256
348d98a8b6f456d9b928a8ef5c066a236acc1afddb5b57a54bd2ea8453481aea

SHA512
b59dd2634cff2399147ed6ee570f130863bd9b6fe66ea316a64ac5f35c39840d6fa8cefee2706133ab5763c3ce55040211c8d66d2cc64798af1d10fd7b9ce1a5

Download Submit
memory/640-1934-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp

Filesize
4.0MB

Download
memory/640-9-0x00007FF6A44E0000-0x00007FF6A48D5000-memory.dmp

Filesize
4.0MB

Download
memory/1076-830-0x00007FF6FF240000-0x00007FF6FF635000-memory.dmp

Filesize
4.0MB

Download
memory/1076-1942-0x00007FF6FF240000-0x00007FF6FF635000-memory.dmp

Filesize
4.0MB

Download
memory/1296-879-0x00007FF6A1A50000-0x00007FF6A1E45000-memory.dmp

Filesize
4.0MB

Download
memory/1296-1950-0x00007FF6A1A50000-0x00007FF6A1E45000-memory.dmp

Filesize
4.0MB

Download
memory/1568-1951-0x00007FF76A2B0000-0x00007FF76A6A5000-memory.dmp

Filesize
4.0MB

Download
memory/1568-871-0x00007FF76A2B0000-0x00007FF76A6A5000-memory.dmp

Filesize
4.0MB

Download
memory/2264-1943-0x00007FF7C9AB0000-0x00007FF7C9EA5000-memory.dmp

Filesize
4.0MB

Download
memory/2264-841-0x00007FF7C9AB0000-0x00007FF7C9EA5000-memory.dmp

Filesize
4.0MB

Download
memory/2488-1937-0x00007FF722A80000-0x00007FF722E75000-memory.dmp

Filesize
4.0MB

Download
memory/2488-806-0x00007FF722A80000-0x00007FF722E75000-memory.dmp

Filesize
4.0MB

Download
memory/2796-1935-0x00007FF665860000-0x00007FF665C55000-memory.dmp

Filesize
4.0MB

Download
memory/2796-908-0x00007FF665860000-0x00007FF665C55000-memory.dmp

Filesize
4.0MB

Download
memory/2816-1956-0x00007FF6B1C80000-0x00007FF6B2075000-memory.dmp

Filesize
4.0MB

Download
memory/2816-865-0x00007FF6B1C80000-0x00007FF6B2075000-memory.dmp

Filesize
4.0MB

Download
memory/2868-1-0x000002364C8F0000-0x000002364C900000-memory.dmp

Filesize
64KB

Download
memory/2868-0-0x00007FF72DD90000-0x00007FF72E185000-memory.dmp

Filesize
4.0MB

Download
memory/3316-1954-0x00007FF613DA0000-0x00007FF614195000-memory.dmp

Filesize
4.0MB

Download
memory/3316-900-0x00007FF613DA0000-0x00007FF614195000-memory.dmp

Filesize
4.0MB

Download
memory/3424-814-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp

Filesize
4.0MB

Download
memory/3424-1939-0x00007FF699BE0000-0x00007FF699FD5000-memory.dmp

Filesize
4.0MB

Download
memory/3560-892-0x00007FF761EC0000-0x00007FF7622B5000-memory.dmp

Filesize
4.0MB

Download
memory/3560-1952-0x00007FF761EC0000-0x00007FF7622B5000-memory.dmp

Filesize
4.0MB

Download
memory/3784-855-0x00007FF607B60000-0x00007FF607F55000-memory.dmp

Filesize
4.0MB

Download
memory/3784-1947-0x00007FF607B60000-0x00007FF607F55000-memory.dmp

Filesize
4.0MB

Download
memory/3836-863-0x00007FF7B2940000-0x00007FF7B2D35000-memory.dmp

Filesize
4.0MB

Download
memory/3836-1955-0x00007FF7B2940000-0x00007FF7B2D35000-memory.dmp

Filesize
4.0MB

Download
memory/4048-1945-0x00007FF63CD10000-0x00007FF63D105000-memory.dmp

Filesize
4.0MB

Download
memory/4048-859-0x00007FF63CD10000-0x00007FF63D105000-memory.dmp

Filesize
4.0MB

Download
memory/4076-827-0x00007FF7BDBB0000-0x00007FF7BDFA5000-memory.dmp

Filesize
4.0MB

Download
memory/4076-1940-0x00007FF7BDBB0000-0x00007FF7BDFA5000-memory.dmp

Filesize
4.0MB

Download
memory/4080-862-0x00007FF65E0A0000-0x00007FF65E495000-memory.dmp

Filesize
4.0MB

Download
memory/4080-1949-0x00007FF65E0A0000-0x00007FF65E495000-memory.dmp

Filesize
4.0MB

Download
memory/4084-1953-0x00007FF73E2C0000-0x00007FF73E6B5000-memory.dmp

Filesize
4.0MB

Download
memory/4084-873-0x00007FF73E2C0000-0x00007FF73E6B5000-memory.dmp

Filesize
4.0MB

Download
memory/4124-1946-0x00007FF733FB0000-0x00007FF7343A5000-memory.dmp

Filesize
4.0MB

Download
memory/4124-834-0x00007FF733FB0000-0x00007FF7343A5000-memory.dmp

Filesize
4.0MB

Download
memory/4204-887-0x00007FF6C8BC0000-0x00007FF6C8FB5000-memory.dmp

Filesize
4.0MB

Download
memory/4204-1957-0x00007FF6C8BC0000-0x00007FF6C8FB5000-memory.dmp

Filesize
4.0MB

Download
memory/4216-846-0x00007FF7E14A0000-0x00007FF7E1895000-memory.dmp

Filesize
4.0MB

Download
memory/4216-1948-0x00007FF7E14A0000-0x00007FF7E1895000-memory.dmp

Filesize
4.0MB

Download
memory/4484-1936-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp

Filesize
4.0MB

Download
memory/4484-794-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp

Filesize
4.0MB

Download
memory/4484-1933-0x00007FF6E1660000-0x00007FF6E1A55000-memory.dmp

Filesize
4.0MB

Download
memory/4752-848-0x00007FF77D160000-0x00007FF77D555000-memory.dmp

Filesize
4.0MB

Download
memory/4752-1944-0x00007FF77D160000-0x00007FF77D555000-memory.dmp

Filesize
4.0MB

Download
memory/4848-1938-0x00007FF73B0E0000-0x00007FF73B4D5000-memory.dmp

Filesize
4.0MB

Download
memory/4848-811-0x00007FF73B0E0000-0x00007FF73B4D5000-memory.dmp

Filesize
4.0MB

Download
memory/4904-1941-0x00007FF688180000-0x00007FF688575000-memory.dmp

Filesize
4.0MB

Download
memory/4904-821-0x00007FF688180000-0x00007FF688575000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads