xmrig | 50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b

Analysis

max time kernel
126s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
Size

1.3MB
MD5

0f111c74fc936f9d996c0f92ecd34f50
SHA1

da1840333be7eee3f7a428c78c8a7ed07061d313
SHA256

50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b
SHA512

6d4a86254cc2e797348a09bd71594e32f77bc7ae989a8081f773d63a7d0785aba01ca061d02e3704644cf0f8590c38d217bcb5f4993829427cc28dd4c7828f26
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlOqzJO0Rb8bodJj82hokiSbPx2c8wRgo:knw9oUUEEDlOuJPHjlPiS92u

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/1636-51-0x00007FF730120000-0x00007FF730511000-memory.dmp	xmrig
behavioral2/memory/3504-53-0x00007FF679940000-0x00007FF679D31000-memory.dmp	xmrig
behavioral2/memory/4608-435-0x00007FF7414D0000-0x00007FF7418C1000-memory.dmp	xmrig
behavioral2/memory/3744-452-0x00007FF72DAA0000-0x00007FF72DE91000-memory.dmp	xmrig
behavioral2/memory/4092-521-0x00007FF7C5120000-0x00007FF7C5511000-memory.dmp	xmrig
behavioral2/memory/3472-522-0x00007FF6B7140000-0x00007FF6B7531000-memory.dmp	xmrig
behavioral2/memory/1500-519-0x00007FF708710000-0x00007FF708B01000-memory.dmp	xmrig
behavioral2/memory/5056-518-0x00007FF617E60000-0x00007FF618251000-memory.dmp	xmrig
behavioral2/memory/3524-497-0x00007FF7E23E0000-0x00007FF7E27D1000-memory.dmp	xmrig
behavioral2/memory/3844-496-0x00007FF6CB1A0000-0x00007FF6CB591000-memory.dmp	xmrig
behavioral2/memory/4516-55-0x00007FF7004A0000-0x00007FF700891000-memory.dmp	xmrig
behavioral2/memory/2236-48-0x00007FF6B5E20000-0x00007FF6B6211000-memory.dmp	xmrig
behavioral2/memory/4712-46-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp	xmrig
behavioral2/memory/64-1940-0x00007FF6B9710000-0x00007FF6B9B01000-memory.dmp	xmrig
behavioral2/memory/768-1941-0x00007FF72D620000-0x00007FF72DA11000-memory.dmp	xmrig
behavioral2/memory/2500-1942-0x00007FF7B3870000-0x00007FF7B3C61000-memory.dmp	xmrig
behavioral2/memory/4712-1943-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp	xmrig
behavioral2/memory/4588-1976-0x00007FF6908F0000-0x00007FF690CE1000-memory.dmp	xmrig
behavioral2/memory/4872-1978-0x00007FF7BAEB0000-0x00007FF7BB2A1000-memory.dmp	xmrig
behavioral2/memory/5312-1982-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp	xmrig
behavioral2/memory/4768-1983-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp	xmrig
behavioral2/memory/1084-1984-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp	xmrig
behavioral2/memory/2868-1986-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp	xmrig
behavioral2/memory/1212-1985-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp	xmrig
behavioral2/memory/3256-1987-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp	xmrig
behavioral2/memory/4372-1988-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp	xmrig
behavioral2/memory/3504-2030-0x00007FF679940000-0x00007FF679D31000-memory.dmp	xmrig
behavioral2/memory/4712-2028-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp	xmrig
behavioral2/memory/1636-2036-0x00007FF730120000-0x00007FF730511000-memory.dmp	xmrig
behavioral2/memory/4516-2034-0x00007FF7004A0000-0x00007FF700891000-memory.dmp	xmrig
behavioral2/memory/2236-2032-0x00007FF6B5E20000-0x00007FF6B6211000-memory.dmp	xmrig
behavioral2/memory/768-2026-0x00007FF72D620000-0x00007FF72DA11000-memory.dmp	xmrig
behavioral2/memory/2500-2024-0x00007FF7B3870000-0x00007FF7B3C61000-memory.dmp	xmrig
behavioral2/memory/4588-2022-0x00007FF6908F0000-0x00007FF690CE1000-memory.dmp	xmrig
behavioral2/memory/3744-2040-0x00007FF72DAA0000-0x00007FF72DE91000-memory.dmp	xmrig
behavioral2/memory/4608-2038-0x00007FF7414D0000-0x00007FF7418C1000-memory.dmp	xmrig
behavioral2/memory/5056-2054-0x00007FF617E60000-0x00007FF618251000-memory.dmp	xmrig
behavioral2/memory/3844-2052-0x00007FF6CB1A0000-0x00007FF6CB591000-memory.dmp	xmrig
behavioral2/memory/3524-2071-0x00007FF7E23E0000-0x00007FF7E27D1000-memory.dmp	xmrig
behavioral2/memory/4092-2081-0x00007FF7C5120000-0x00007FF7C5511000-memory.dmp	xmrig
behavioral2/memory/1500-2102-0x00007FF708710000-0x00007FF708B01000-memory.dmp	xmrig
behavioral2/memory/3472-2122-0x00007FF6B7140000-0x00007FF6B7531000-memory.dmp	xmrig
behavioral2/memory/5312-2079-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp	xmrig
behavioral2/memory/3256-2129-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp	xmrig
behavioral2/memory/2868-2127-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp	xmrig
behavioral2/memory/4768-2164-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp	xmrig
behavioral2/memory/4872-2171-0x00007FF7BAEB0000-0x00007FF7BB2A1000-memory.dmp	xmrig
behavioral2/memory/1084-2194-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp	xmrig
behavioral2/memory/4372-2217-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp	xmrig
behavioral2/memory/1212-2196-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
768	WIlkeOQ.exe
2500	UmDzvgL.exe
3504	AiHtZXD.exe
4588	yMtYFMK.exe
4712	EpmAAaT.exe
4516	QMJYnLg.exe
2236	VfkNLNR.exe
1636	XJiiZOq.exe
4872	wMLzPqd.exe
5312	wWLeMCZ.exe
4092	ACcQTpv.exe
4608	eSlYear.exe
4768	pWFHzLE.exe
3744	HyBSIjv.exe
3844	BLKqBGP.exe
3524	HQAxydK.exe
3472	BDjGbOq.exe
1084	eUqZHLM.exe
1212	fqDIUQC.exe
2868	OcrfdPc.exe
3256	yPBVOLO.exe
5056	DzAsHcU.exe
1500	cUBXjye.exe
4372	nCrCYrL.exe
3048	aVOJcSb.exe
2032	kCqZTAp.exe
4560	yGgRPxQ.exe
4660	qKLrIbQ.exe
2940	boDUBOf.exe
436	wNPEvcU.exe
4192	BTqIZJr.exe
4116	VMYNfCu.exe
3660	cPdaUsB.exe
4728	yvohNGD.exe
1064	gTmUXdu.exe
1676	TSbZNBG.exe
744	CUhcFCR.exe
2072	IKeYPBa.exe
1096	UlnisZf.exe
5028	EbHdYaO.exe
4640	ODccghD.exe
4936	yIbWSKL.exe
2452	DGJHmFa.exe
216	jCDnTWp.exe
4724	YpQDKBn.exe
1620	VCgShOv.exe
2100	IXDEkfg.exe
4616	TrSuItD.exe
2028	xWLKVZj.exe
1932	NnLsNsd.exe
4388	bgKWswp.exe
3640	IECivdK.exe
3264	pliYOFJ.exe
2832	wNwiEoE.exe
4436	vHLRznZ.exe
1488	UgrAyOz.exe
4400	QXPJIxX.exe
784	MYrvQMY.exe
676	tzWPmzG.exe
1740	fARivLq.exe
1092	tvdnKrj.exe
1576	UNVCOwA.exe
3168	xpgCnTH.exe
1124	etnRXTw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/64-0-0x00007FF6B9710000-0x00007FF6B9B01000-memory.dmp	upx
behavioral2/files/0x0008000000023535-5.dat	upx
behavioral2/files/0x000700000002353a-7.dat	upx
behavioral2/files/0x000700000002353d-34.dat	upx
behavioral2/files/0x000700000002353e-38.dat	upx
behavioral2/files/0x000700000002353f-39.dat	upx
behavioral2/memory/1636-51-0x00007FF730120000-0x00007FF730511000-memory.dmp	upx
behavioral2/memory/3504-53-0x00007FF679940000-0x00007FF679D31000-memory.dmp	upx
behavioral2/files/0x00070000000235df-372.dat	upx
behavioral2/files/0x0007000000023544-381.dat	upx
behavioral2/files/0x000700000002356a-426.dat	upx
behavioral2/memory/4608-435-0x00007FF7414D0000-0x00007FF7418C1000-memory.dmp	upx
behavioral2/memory/3744-452-0x00007FF72DAA0000-0x00007FF72DE91000-memory.dmp	upx
behavioral2/memory/2868-501-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp	upx
behavioral2/memory/1212-499-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp	upx
behavioral2/memory/3256-512-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp	upx
behavioral2/memory/4092-521-0x00007FF7C5120000-0x00007FF7C5511000-memory.dmp	upx
behavioral2/memory/3472-522-0x00007FF6B7140000-0x00007FF6B7531000-memory.dmp	upx
behavioral2/memory/4372-520-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp	upx
behavioral2/memory/1500-519-0x00007FF708710000-0x00007FF708B01000-memory.dmp	upx
behavioral2/memory/5056-518-0x00007FF617E60000-0x00007FF618251000-memory.dmp	upx
behavioral2/memory/1084-498-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp	upx
behavioral2/memory/3524-497-0x00007FF7E23E0000-0x00007FF7E27D1000-memory.dmp	upx
behavioral2/memory/3844-496-0x00007FF6CB1A0000-0x00007FF6CB591000-memory.dmp	upx
behavioral2/memory/4768-451-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp	upx
behavioral2/files/0x0007000000023569-425.dat	upx
behavioral2/files/0x0007000000023568-424.dat	upx
behavioral2/files/0x0007000000023567-423.dat	upx
behavioral2/files/0x0007000000023566-422.dat	upx
behavioral2/files/0x0007000000023565-421.dat	upx
behavioral2/files/0x000700000002355f-420.dat	upx
behavioral2/files/0x0007000000023564-419.dat	upx
behavioral2/files/0x0007000000023563-418.dat	upx
behavioral2/files/0x0007000000023562-417.dat	upx
behavioral2/files/0x0007000000023561-416.dat	upx
behavioral2/files/0x0007000000023560-415.dat	upx
behavioral2/files/0x000700000002355e-412.dat	upx
behavioral2/files/0x000700000002355d-411.dat	upx
behavioral2/files/0x000700000002355c-410.dat	upx
behavioral2/files/0x000700000002355b-409.dat	upx
behavioral2/files/0x000700000002355a-408.dat	upx
behavioral2/files/0x0007000000023559-407.dat	upx
behavioral2/files/0x0007000000023558-406.dat	upx
behavioral2/files/0x0007000000023557-405.dat	upx
behavioral2/files/0x0007000000023556-404.dat	upx
behavioral2/files/0x0007000000023555-403.dat	upx
behavioral2/files/0x0007000000023554-402.dat	upx
behavioral2/files/0x0007000000023553-401.dat	upx
behavioral2/files/0x0007000000023552-400.dat	upx
behavioral2/files/0x0007000000023551-399.dat	upx
behavioral2/files/0x000700000002354c-398.dat	upx
behavioral2/files/0x0007000000023550-397.dat	upx
behavioral2/files/0x000700000002354f-396.dat	upx
behavioral2/files/0x000700000002354d-395.dat	upx
behavioral2/files/0x000700000002354b-392.dat	upx
behavioral2/files/0x000700000002354a-391.dat	upx
behavioral2/files/0x0007000000023549-390.dat	upx
behavioral2/files/0x0007000000023548-389.dat	upx
behavioral2/files/0x0007000000023547-388.dat	upx
behavioral2/memory/5312-387-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp	upx
behavioral2/files/0x0007000000023545-386.dat	upx
behavioral2/files/0x0007000000023546-385.dat	upx
behavioral2/files/0x0007000000023542-382.dat	upx
behavioral2/files/0x0007000000023543-376.dat	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\fjswSfP.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\IrQMuiP.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\WTqlaTp.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\Mzfgpue.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\OcrfdPc.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\yhHhIgF.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\gyccodB.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\aoRIHLc.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\fVyiTOT.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\aTCstiN.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\odMlYae.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\eegWinh.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\gXHVCvp.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\zBKEhVu.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\ztfxHkY.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\qYOLuyq.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\cmDvGsS.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\zHTAqGN.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\iCgKwmi.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\bcLZVpN.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\aIZdIYs.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\eSlYear.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\kCqZTAp.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\MYrvQMY.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\kdIMLsa.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\UczMGxf.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\oWrscnE.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\eXJbLRc.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\leRGYJV.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\moJUJdx.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\XkEaGqT.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\rMPokLR.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\DSSRnCd.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\xFgDEeg.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\EStOPKe.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\RXaTydd.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\xHqtGRg.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\HuHVceK.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\rOxtDGW.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\LlbWdyZ.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\mjTaqST.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\ijwcakV.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\mYuwmok.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\dNDfwQk.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\RYnGWfJ.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\LCOoZOJ.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\lWzHXZP.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\WYiqzTk.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\CkBBfUJ.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\bVQrMaK.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\vhJMLNV.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\CLvokeO.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\cLQhXjv.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\TCyzAsA.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\bnYDyZb.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\gTmUXdu.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\HuWNWiq.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\aQeMVhK.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\qJLHwSV.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\XFhydAG.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\vmoplrC.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\yMtYFMK.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\kmlhTvd.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
File created	C:\Windows\System32\DGJHmFa.exe	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2684	dwm.exe
Token: SeChangeNotifyPrivilege	2684	dwm.exe
Token: 33	2684	dwm.exe
Token: SeIncBasePriorityPrivilege	2684	dwm.exe
Token: SeShutdownPrivilege	2684	dwm.exe
Token: SeCreatePagefilePrivilege	2684	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 768	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	90
PID 64 wrote to memory of 768	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	90
PID 64 wrote to memory of 2500	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	91
PID 64 wrote to memory of 2500	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	91
PID 64 wrote to memory of 3504	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	92
PID 64 wrote to memory of 3504	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	92
PID 64 wrote to memory of 4588	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	93
PID 64 wrote to memory of 4588	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	93
PID 64 wrote to memory of 4712	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	94
PID 64 wrote to memory of 4712	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	94
PID 64 wrote to memory of 4516	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	95
PID 64 wrote to memory of 4516	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	95
PID 64 wrote to memory of 2236	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	96
PID 64 wrote to memory of 2236	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	96
PID 64 wrote to memory of 1636	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	97
PID 64 wrote to memory of 1636	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	97
PID 64 wrote to memory of 4872	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	98
PID 64 wrote to memory of 4872	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	98
PID 64 wrote to memory of 4092	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	99
PID 64 wrote to memory of 4092	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	99
PID 64 wrote to memory of 4608	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	100
PID 64 wrote to memory of 4608	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	100
PID 64 wrote to memory of 4768	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	101
PID 64 wrote to memory of 4768	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	101
PID 64 wrote to memory of 3744	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	102
PID 64 wrote to memory of 3744	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	102
PID 64 wrote to memory of 3844	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	103
PID 64 wrote to memory of 3844	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	103
PID 64 wrote to memory of 3524	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	104
PID 64 wrote to memory of 3524	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	104
PID 64 wrote to memory of 3472	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	105
PID 64 wrote to memory of 3472	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	105
PID 64 wrote to memory of 1084	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	106
PID 64 wrote to memory of 1084	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	106
PID 64 wrote to memory of 1212	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	107
PID 64 wrote to memory of 1212	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	107
PID 64 wrote to memory of 2868	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	108
PID 64 wrote to memory of 2868	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	108
PID 64 wrote to memory of 3256	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	109
PID 64 wrote to memory of 3256	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	109
PID 64 wrote to memory of 5056	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	110
PID 64 wrote to memory of 5056	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	110
PID 64 wrote to memory of 1500	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	111
PID 64 wrote to memory of 1500	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	111
PID 64 wrote to memory of 1576	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	112
PID 64 wrote to memory of 1576	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	112
PID 64 wrote to memory of 4372	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	113
PID 64 wrote to memory of 4372	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	113
PID 64 wrote to memory of 3048	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	114
PID 64 wrote to memory of 3048	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	114
PID 64 wrote to memory of 2032	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	115
PID 64 wrote to memory of 2032	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	115
PID 64 wrote to memory of 4560	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	116
PID 64 wrote to memory of 4560	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	116
PID 64 wrote to memory of 4660	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	117
PID 64 wrote to memory of 4660	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	117
PID 64 wrote to memory of 2940	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	118
PID 64 wrote to memory of 2940	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	118
PID 64 wrote to memory of 436	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	119
PID 64 wrote to memory of 436	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	119
PID 64 wrote to memory of 4192	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	120
PID 64 wrote to memory of 4192	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	120
PID 64 wrote to memory of 4116	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	121
PID 64 wrote to memory of 4116	64	50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe	121

C:\Users\Admin\AppData\Local\Temp\50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50228186e9a3a5c2d90a066f9a67c85e046729b11d4fee4c269caa45c0324c8b_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\System32\WIlkeOQ.exe
  C:\Windows\System32\WIlkeOQ.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System32\UmDzvgL.exe
  C:\Windows\System32\UmDzvgL.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\AiHtZXD.exe
  C:\Windows\System32\AiHtZXD.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\yMtYFMK.exe
  C:\Windows\System32\yMtYFMK.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\EpmAAaT.exe
  C:\Windows\System32\EpmAAaT.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\QMJYnLg.exe
  C:\Windows\System32\QMJYnLg.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\VfkNLNR.exe
  C:\Windows\System32\VfkNLNR.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\XJiiZOq.exe
  C:\Windows\System32\XJiiZOq.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\wMLzPqd.exe
  C:\Windows\System32\wMLzPqd.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\ACcQTpv.exe
  C:\Windows\System32\ACcQTpv.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\eSlYear.exe
  C:\Windows\System32\eSlYear.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\pWFHzLE.exe
  C:\Windows\System32\pWFHzLE.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\HyBSIjv.exe
  C:\Windows\System32\HyBSIjv.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\BLKqBGP.exe
  C:\Windows\System32\BLKqBGP.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\HQAxydK.exe
  C:\Windows\System32\HQAxydK.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\BDjGbOq.exe
  C:\Windows\System32\BDjGbOq.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\eUqZHLM.exe
  C:\Windows\System32\eUqZHLM.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\fqDIUQC.exe
  C:\Windows\System32\fqDIUQC.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\OcrfdPc.exe
  C:\Windows\System32\OcrfdPc.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\yPBVOLO.exe
  C:\Windows\System32\yPBVOLO.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\DzAsHcU.exe
  C:\Windows\System32\DzAsHcU.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\cUBXjye.exe
  C:\Windows\System32\cUBXjye.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\UNVCOwA.exe
  C:\Windows\System32\UNVCOwA.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\nCrCYrL.exe
  C:\Windows\System32\nCrCYrL.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System32\aVOJcSb.exe
  C:\Windows\System32\aVOJcSb.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System32\kCqZTAp.exe
  C:\Windows\System32\kCqZTAp.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\yGgRPxQ.exe
  C:\Windows\System32\yGgRPxQ.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System32\qKLrIbQ.exe
  C:\Windows\System32\qKLrIbQ.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\boDUBOf.exe
  C:\Windows\System32\boDUBOf.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\wNPEvcU.exe
  C:\Windows\System32\wNPEvcU.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\BTqIZJr.exe
  C:\Windows\System32\BTqIZJr.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System32\VMYNfCu.exe
  C:\Windows\System32\VMYNfCu.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System32\cPdaUsB.exe
  C:\Windows\System32\cPdaUsB.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\yvohNGD.exe
  C:\Windows\System32\yvohNGD.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\gTmUXdu.exe
  C:\Windows\System32\gTmUXdu.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\TSbZNBG.exe
  C:\Windows\System32\TSbZNBG.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\CUhcFCR.exe
  C:\Windows\System32\CUhcFCR.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\IKeYPBa.exe
  C:\Windows\System32\IKeYPBa.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\UlnisZf.exe
  C:\Windows\System32\UlnisZf.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\EbHdYaO.exe
  C:\Windows\System32\EbHdYaO.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\ODccghD.exe
  C:\Windows\System32\ODccghD.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\yIbWSKL.exe
  C:\Windows\System32\yIbWSKL.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\DGJHmFa.exe
  C:\Windows\System32\DGJHmFa.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\jCDnTWp.exe
  C:\Windows\System32\jCDnTWp.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System32\YpQDKBn.exe
  C:\Windows\System32\YpQDKBn.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\VCgShOv.exe
  C:\Windows\System32\VCgShOv.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\IXDEkfg.exe
  C:\Windows\System32\IXDEkfg.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\TrSuItD.exe
  C:\Windows\System32\TrSuItD.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\xWLKVZj.exe
  C:\Windows\System32\xWLKVZj.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\NnLsNsd.exe
  C:\Windows\System32\NnLsNsd.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System32\bgKWswp.exe
  C:\Windows\System32\bgKWswp.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\IECivdK.exe
  C:\Windows\System32\IECivdK.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System32\pliYOFJ.exe
  C:\Windows\System32\pliYOFJ.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\wNwiEoE.exe
  C:\Windows\System32\wNwiEoE.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System32\vHLRznZ.exe
  C:\Windows\System32\vHLRznZ.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\UgrAyOz.exe
  C:\Windows\System32\UgrAyOz.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\QXPJIxX.exe
  C:\Windows\System32\QXPJIxX.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\MYrvQMY.exe
  C:\Windows\System32\MYrvQMY.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System32\tzWPmzG.exe
  C:\Windows\System32\tzWPmzG.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System32\fARivLq.exe
  C:\Windows\System32\fARivLq.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\tvdnKrj.exe
  C:\Windows\System32\tvdnKrj.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\xpgCnTH.exe
  C:\Windows\System32\xpgCnTH.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\etnRXTw.exe
  C:\Windows\System32\etnRXTw.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\LTGqAJS.exe
  C:\Windows\System32\LTGqAJS.exe
  2⤵
  PID:1844
- C:\Windows\System32\RwNGyYU.exe
  C:\Windows\System32\RwNGyYU.exe
  2⤵
  PID:948
- C:\Windows\System32\FloBWxb.exe
  C:\Windows\System32\FloBWxb.exe
  2⤵
  PID:1168
- C:\Windows\System32\ErcRhYX.exe
  C:\Windows\System32\ErcRhYX.exe
  2⤵
  PID:2392
- C:\Windows\System32\SqpxqrZ.exe
  C:\Windows\System32\SqpxqrZ.exe
  2⤵
  PID:3148
- C:\Windows\System32\JJvuxMv.exe
  C:\Windows\System32\JJvuxMv.exe
  2⤵
  PID:4368
- C:\Windows\System32\bVMTQVz.exe
  C:\Windows\System32\bVMTQVz.exe
  2⤵
  PID:4344
- C:\Windows\System32\gjGKEla.exe
  C:\Windows\System32\gjGKEla.exe
  2⤵
  PID:4748
- C:\Windows\System32\cwptYzq.exe
  C:\Windows\System32\cwptYzq.exe
  2⤵
  PID:4656
- C:\Windows\System32\BsTMcqO.exe
  C:\Windows\System32\BsTMcqO.exe
  2⤵
  PID:4824
- C:\Windows\System32\pEzsGPZ.exe
  C:\Windows\System32\pEzsGPZ.exe
  2⤵
  PID:2224
- C:\Windows\System32\zvbohpK.exe
  C:\Windows\System32\zvbohpK.exe
  2⤵
  PID:4288
- C:\Windows\System32\eWhQwGj.exe
  C:\Windows\System32\eWhQwGj.exe
  2⤵
  PID:1820
- C:\Windows\System32\LtaeTNA.exe
  C:\Windows\System32\LtaeTNA.exe
  2⤵
  PID:816
- C:\Windows\System32\IMVTKoT.exe
  C:\Windows\System32\IMVTKoT.exe
  2⤵
  PID:212
- C:\Windows\System32\hxgXRZb.exe
  C:\Windows\System32\hxgXRZb.exe
  2⤵
  PID:4644
- C:\Windows\System32\gzuzHXy.exe
  C:\Windows\System32\gzuzHXy.exe
  2⤵
  PID:1512
- C:\Windows\System32\JDbnZPI.exe
  C:\Windows\System32\JDbnZPI.exe
  2⤵
  PID:2980
- C:\Windows\System32\FQotfkc.exe
  C:\Windows\System32\FQotfkc.exe
  2⤵
  PID:1600
- C:\Windows\System32\DSSRnCd.exe
  C:\Windows\System32\DSSRnCd.exe
  2⤵
  PID:5052
- C:\Windows\System32\rZBHiSG.exe
  C:\Windows\System32\rZBHiSG.exe
  2⤵
  PID:1800
- C:\Windows\System32\oZbFCkl.exe
  C:\Windows\System32\oZbFCkl.exe
  2⤵
  PID:228
- C:\Windows\System32\SUmRrGS.exe
  C:\Windows\System32\SUmRrGS.exe
  2⤵
  PID:3140
- C:\Windows\System32\awaEKMu.exe
  C:\Windows\System32\awaEKMu.exe
  2⤵
  PID:3076
- C:\Windows\System32\GzDBvYg.exe
  C:\Windows\System32\GzDBvYg.exe
  2⤵
  PID:4348
- C:\Windows\System32\AdBbIxR.exe
  C:\Windows\System32\AdBbIxR.exe
  2⤵
  PID:2524
- C:\Windows\System32\ofeerJT.exe
  C:\Windows\System32\ofeerJT.exe
  2⤵
  PID:3828
- C:\Windows\System32\ZzcmdMK.exe
  C:\Windows\System32\ZzcmdMK.exe
  2⤵
  PID:1144
- C:\Windows\System32\LVRAklc.exe
  C:\Windows\System32\LVRAklc.exe
  2⤵
  PID:4852
- C:\Windows\System32\ROgIwQj.exe
  C:\Windows\System32\ROgIwQj.exe
  2⤵
  PID:4484
- C:\Windows\System32\wQpdPqt.exe
  C:\Windows\System32\wQpdPqt.exe
  2⤵
  PID:1848
- C:\Windows\System32\JrgRnEs.exe
  C:\Windows\System32\JrgRnEs.exe
  2⤵
  PID:936
- C:\Windows\System32\VeKZDhX.exe
  C:\Windows\System32\VeKZDhX.exe
  2⤵
  PID:3644
- C:\Windows\System32\IqaRtpD.exe
  C:\Windows\System32\IqaRtpD.exe
  2⤵
  PID:3184
- C:\Windows\System32\UhjEizF.exe
  C:\Windows\System32\UhjEizF.exe
  2⤵
  PID:4316
- C:\Windows\System32\OIpuKii.exe
  C:\Windows\System32\OIpuKii.exe
  2⤵
  PID:3368
- C:\Windows\System32\nvMfQfS.exe
  C:\Windows\System32\nvMfQfS.exe
  2⤵
  PID:244
- C:\Windows\System32\HuWNWiq.exe
  C:\Windows\System32\HuWNWiq.exe
  2⤵
  PID:4232
- C:\Windows\System32\fGvNWCD.exe
  C:\Windows\System32\fGvNWCD.exe
  2⤵
  PID:2824
- C:\Windows\System32\xFgDEeg.exe
  C:\Windows\System32\xFgDEeg.exe
  2⤵
  PID:3732
- C:\Windows\System32\XFZCNYF.exe
  C:\Windows\System32\XFZCNYF.exe
  2⤵
  PID:5020
- C:\Windows\System32\qLMYNGt.exe
  C:\Windows\System32\qLMYNGt.exe
  2⤵
  PID:3376
- C:\Windows\System32\LzyKxKX.exe
  C:\Windows\System32\LzyKxKX.exe
  2⤵
  PID:560
- C:\Windows\System32\rEXrTmq.exe
  C:\Windows\System32\rEXrTmq.exe
  2⤵
  PID:4420
- C:\Windows\System32\aqWHYGs.exe
  C:\Windows\System32\aqWHYGs.exe
  2⤵
  PID:2352
- C:\Windows\System32\yTapnzr.exe
  C:\Windows\System32\yTapnzr.exe
  2⤵
  PID:1880
- C:\Windows\System32\LbemVlz.exe
  C:\Windows\System32\LbemVlz.exe
  2⤵
  PID:5088
- C:\Windows\System32\mWkadOH.exe
  C:\Windows\System32\mWkadOH.exe
  2⤵
  PID:2732
- C:\Windows\System32\GFFLFIz.exe
  C:\Windows\System32\GFFLFIz.exe
  2⤵
  PID:4352
- C:\Windows\System32\JzadkNh.exe
  C:\Windows\System32\JzadkNh.exe
  2⤵
  PID:1160
- C:\Windows\System32\lEKrzVL.exe
  C:\Windows\System32\lEKrzVL.exe
  2⤵
  PID:1528
- C:\Windows\System32\llPRRjJ.exe
  C:\Windows\System32\llPRRjJ.exe
  2⤵
  PID:2904
- C:\Windows\System32\WlfhpII.exe
  C:\Windows\System32\WlfhpII.exe
  2⤵
  PID:2920
- C:\Windows\System32\GQNdDnc.exe
  C:\Windows\System32\GQNdDnc.exe
  2⤵
  PID:4688
- C:\Windows\System32\TCGVcAN.exe
  C:\Windows\System32\TCGVcAN.exe
  2⤵
  PID:2160
- C:\Windows\System32\UWmyKDr.exe
  C:\Windows\System32\UWmyKDr.exe
  2⤵
  PID:1428
- C:\Windows\System32\coJokLk.exe
  C:\Windows\System32\coJokLk.exe
  2⤵
  PID:3036
- C:\Windows\System32\EStOPKe.exe
  C:\Windows\System32\EStOPKe.exe
  2⤵
  PID:2864
- C:\Windows\System32\jeXwlYn.exe
  C:\Windows\System32\jeXwlYn.exe
  2⤵
  PID:2340
- C:\Windows\System32\cdNYTkt.exe
  C:\Windows\System32\cdNYTkt.exe
  2⤵
  PID:4920
- C:\Windows\System32\mjTaqST.exe
  C:\Windows\System32\mjTaqST.exe
  2⤵
  PID:2244
- C:\Windows\System32\AIMuzhH.exe
  C:\Windows\System32\AIMuzhH.exe
  2⤵
  PID:3476
- C:\Windows\System32\TUNWPyF.exe
  C:\Windows\System32\TUNWPyF.exe
  2⤵
  PID:3320
- C:\Windows\System32\XbWTGVT.exe
  C:\Windows\System32\XbWTGVT.exe
  2⤵
  PID:4968
- C:\Windows\System32\jGkKgfo.exe
  C:\Windows\System32\jGkKgfo.exe
  2⤵
  PID:5092
- C:\Windows\System32\ORvbCQg.exe
  C:\Windows\System32\ORvbCQg.exe
  2⤵
  PID:4888
- C:\Windows\System32\gPyqSXZ.exe
  C:\Windows\System32\gPyqSXZ.exe
  2⤵
  PID:1564
- C:\Windows\System32\AvFxbyF.exe
  C:\Windows\System32\AvFxbyF.exe
  2⤵
  PID:1172
- C:\Windows\System32\iloPSBH.exe
  C:\Windows\System32\iloPSBH.exe
  2⤵
  PID:4604
- C:\Windows\System32\ArnXKKZ.exe
  C:\Windows\System32\ArnXKKZ.exe
  2⤵
  PID:632
- C:\Windows\System32\rLmgtZH.exe
  C:\Windows\System32\rLmgtZH.exe
  2⤵
  PID:1680
- C:\Windows\System32\jrKRcLv.exe
  C:\Windows\System32\jrKRcLv.exe
  2⤵
  PID:1020
- C:\Windows\System32\ohtgsxn.exe
  C:\Windows\System32\ohtgsxn.exe
  2⤵
  PID:4356
- C:\Windows\System32\ChKbksY.exe
  C:\Windows\System32\ChKbksY.exe
  2⤵
  PID:4732
- C:\Windows\System32\aQeMVhK.exe
  C:\Windows\System32\aQeMVhK.exe
  2⤵
  PID:4692
- C:\Windows\System32\fSJgqZv.exe
  C:\Windows\System32\fSJgqZv.exe
  2⤵
  PID:884
- C:\Windows\System32\jOvOojz.exe
  C:\Windows\System32\jOvOojz.exe
  2⤵
  PID:1696
- C:\Windows\System32\eaSvPsk.exe
  C:\Windows\System32\eaSvPsk.exe
  2⤵
  PID:3496
- C:\Windows\System32\sUelSJA.exe
  C:\Windows\System32\sUelSJA.exe
  2⤵
  PID:1452
- C:\Windows\System32\jfqyQUQ.exe
  C:\Windows\System32\jfqyQUQ.exe
  2⤵
  PID:3940
- C:\Windows\System32\milLEFr.exe
  C:\Windows\System32\milLEFr.exe
  2⤵
  PID:860
- C:\Windows\System32\RqDXuGE.exe
  C:\Windows\System32\RqDXuGE.exe
  2⤵
  PID:4176
- C:\Windows\System32\jkKCHRt.exe
  C:\Windows\System32\jkKCHRt.exe
  2⤵
  PID:1744
- C:\Windows\System32\eXJbLRc.exe
  C:\Windows\System32\eXJbLRc.exe
  2⤵
  PID:3152
- C:\Windows\System32\xovTyBX.exe
  C:\Windows\System32\xovTyBX.exe
  2⤵
  PID:2780
- C:\Windows\System32\JlHUTsx.exe
  C:\Windows\System32\JlHUTsx.exe
  2⤵
  PID:5016
- C:\Windows\System32\VIFeBxe.exe
  C:\Windows\System32\VIFeBxe.exe
  2⤵
  PID:3980
- C:\Windows\System32\urETwSs.exe
  C:\Windows\System32\urETwSs.exe
  2⤵
  PID:2628
- C:\Windows\System32\QjCPnNA.exe
  C:\Windows\System32\QjCPnNA.exe
  2⤵
  PID:3240
- C:\Windows\System32\WYiqzTk.exe
  C:\Windows\System32\WYiqzTk.exe
  2⤵
  PID:4720
- C:\Windows\System32\TCyzAsA.exe
  C:\Windows\System32\TCyzAsA.exe
  2⤵
  PID:5036
- C:\Windows\System32\sazLfYf.exe
  C:\Windows\System32\sazLfYf.exe
  2⤵
  PID:1296
- C:\Windows\System32\dwGzfqN.exe
  C:\Windows\System32\dwGzfqN.exe
  2⤵
  PID:532
- C:\Windows\System32\WKBoEyJ.exe
  C:\Windows\System32\WKBoEyJ.exe
  2⤵
  PID:5136
- C:\Windows\System32\IcQkODn.exe
  C:\Windows\System32\IcQkODn.exe
  2⤵
  PID:5152
- C:\Windows\System32\wLswTFA.exe
  C:\Windows\System32\wLswTFA.exe
  2⤵
  PID:5168
- C:\Windows\System32\AvoAXWK.exe
  C:\Windows\System32\AvoAXWK.exe
  2⤵
  PID:5184
- C:\Windows\System32\iRxzqJl.exe
  C:\Windows\System32\iRxzqJl.exe
  2⤵
  PID:5200
- C:\Windows\System32\BnnvBtS.exe
  C:\Windows\System32\BnnvBtS.exe
  2⤵
  PID:5216
- C:\Windows\System32\bnYDyZb.exe
  C:\Windows\System32\bnYDyZb.exe
  2⤵
  PID:5232
- C:\Windows\System32\wUgmFsT.exe
  C:\Windows\System32\wUgmFsT.exe
  2⤵
  PID:5248
- C:\Windows\System32\GWKyUTh.exe
  C:\Windows\System32\GWKyUTh.exe
  2⤵
  PID:5264
- C:\Windows\System32\wyFuURB.exe
  C:\Windows\System32\wyFuURB.exe
  2⤵
  PID:5280
- C:\Windows\System32\LOjgIqp.exe
  C:\Windows\System32\LOjgIqp.exe
  2⤵
  PID:5296
- C:\Windows\System32\wWLeMCZ.exe
  C:\Windows\System32\wWLeMCZ.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Windows\System32\aQJClNv.exe
  C:\Windows\System32\aQJClNv.exe
  2⤵
  PID:5380
- C:\Windows\System32\fAxKCPF.exe
  C:\Windows\System32\fAxKCPF.exe
  2⤵
  PID:5664
- C:\Windows\System32\CZVqMoE.exe
  C:\Windows\System32\CZVqMoE.exe
  2⤵
  PID:5656
- C:\Windows\System32\SjocTps.exe
  C:\Windows\System32\SjocTps.exe
  2⤵
  PID:6420
- C:\Windows\System32\vbpvBnS.exe
  C:\Windows\System32\vbpvBnS.exe
  2⤵
  PID:6636
- C:\Windows\System32\VQrXRsM.exe
  C:\Windows\System32\VQrXRsM.exe
  2⤵
  PID:6664
- C:\Windows\System32\xbvblEC.exe
  C:\Windows\System32\xbvblEC.exe
  2⤵
  PID:6700
- C:\Windows\System32\kdIMLsa.exe
  C:\Windows\System32\kdIMLsa.exe
  2⤵
  PID:6716
- C:\Windows\System32\RUqdPzb.exe
  C:\Windows\System32\RUqdPzb.exe
  2⤵
  PID:6060
- C:\Windows\System32\QsaiFme.exe
  C:\Windows\System32\QsaiFme.exe
  2⤵
  PID:5196
- C:\Windows\System32\edkxvDf.exe
  C:\Windows\System32\edkxvDf.exe
  2⤵
  PID:6236
- C:\Windows\System32\YTKmaiH.exe
  C:\Windows\System32\YTKmaiH.exe
  2⤵
  PID:6984
- C:\Windows\System32\KJNIMdk.exe
  C:\Windows\System32\KJNIMdk.exe
  2⤵
  PID:6436
- C:\Windows\System32\jFGHICv.exe
  C:\Windows\System32\jFGHICv.exe
  2⤵
  PID:7260
- C:\Windows\System32\XGUwhbp.exe
  C:\Windows\System32\XGUwhbp.exe
  2⤵
  PID:7300
- C:\Windows\System32\UwTNCtT.exe
  C:\Windows\System32\UwTNCtT.exe
  2⤵
  PID:7316
- C:\Windows\System32\hWmsqJV.exe
  C:\Windows\System32\hWmsqJV.exe
  2⤵
  PID:7344
- C:\Windows\System32\ijwcakV.exe
  C:\Windows\System32\ijwcakV.exe
  2⤵
  PID:7372
- C:\Windows\System32\KtwdubP.exe
  C:\Windows\System32\KtwdubP.exe
  2⤵
  PID:7400
- C:\Windows\System32\PjXPFBT.exe
  C:\Windows\System32\PjXPFBT.exe
  2⤵
  PID:7428
- C:\Windows\System32\OzDsqjU.exe
  C:\Windows\System32\OzDsqjU.exe
  2⤵
  PID:7456
- C:\Windows\System32\iwfLlUq.exe
  C:\Windows\System32\iwfLlUq.exe
  2⤵
  PID:7484
- C:\Windows\System32\qJLHwSV.exe
  C:\Windows\System32\qJLHwSV.exe
  2⤵
  PID:7520
- C:\Windows\System32\NoiZRtR.exe
  C:\Windows\System32\NoiZRtR.exe
  2⤵
  PID:7540
- C:\Windows\System32\cqbdorU.exe
  C:\Windows\System32\cqbdorU.exe
  2⤵
  PID:7564
- C:\Windows\System32\vIPnXqR.exe
  C:\Windows\System32\vIPnXqR.exe
  2⤵
  PID:7596
- C:\Windows\System32\zBKEhVu.exe
  C:\Windows\System32\zBKEhVu.exe
  2⤵
  PID:7632
- C:\Windows\System32\sFEsldO.exe
  C:\Windows\System32\sFEsldO.exe
  2⤵
  PID:7652
- C:\Windows\System32\gFYjxVZ.exe
  C:\Windows\System32\gFYjxVZ.exe
  2⤵
  PID:7676
- C:\Windows\System32\ruVvAri.exe
  C:\Windows\System32\ruVvAri.exe
  2⤵
  PID:7708
- C:\Windows\System32\owUhDFA.exe
  C:\Windows\System32\owUhDFA.exe
  2⤵
  PID:7736
- C:\Windows\System32\XFhydAG.exe
  C:\Windows\System32\XFhydAG.exe
  2⤵
  PID:7760
- C:\Windows\System32\qmDYXRi.exe
  C:\Windows\System32\qmDYXRi.exe
  2⤵
  PID:7792
- C:\Windows\System32\eTtkGEx.exe
  C:\Windows\System32\eTtkGEx.exe
  2⤵
  PID:7820
- C:\Windows\System32\GosTYVe.exe
  C:\Windows\System32\GosTYVe.exe
  2⤵
  PID:7844
- C:\Windows\System32\KXgzHvv.exe
  C:\Windows\System32\KXgzHvv.exe
  2⤵
  PID:7872
- C:\Windows\System32\ECnyAMx.exe
  C:\Windows\System32\ECnyAMx.exe
  2⤵
  PID:7904
- C:\Windows\System32\yGpRWhM.exe
  C:\Windows\System32\yGpRWhM.exe
  2⤵
  PID:7932
- C:\Windows\System32\fGTbyhd.exe
  C:\Windows\System32\fGTbyhd.exe
  2⤵
  PID:7956
- C:\Windows\System32\fjswSfP.exe
  C:\Windows\System32\fjswSfP.exe
  2⤵
  PID:7988
- C:\Windows\System32\GtMwLzE.exe
  C:\Windows\System32\GtMwLzE.exe
  2⤵
  PID:8016
- C:\Windows\System32\UYLjZDP.exe
  C:\Windows\System32\UYLjZDP.exe
  2⤵
  PID:8052
- C:\Windows\System32\gyccodB.exe
  C:\Windows\System32\gyccodB.exe
  2⤵
  PID:8072
- C:\Windows\System32\MIjVNST.exe
  C:\Windows\System32\MIjVNST.exe
  2⤵
  PID:8100
- C:\Windows\System32\RomAlVW.exe
  C:\Windows\System32\RomAlVW.exe
  2⤵
  PID:8128
- C:\Windows\System32\ZBCMiOt.exe
  C:\Windows\System32\ZBCMiOt.exe
  2⤵
  PID:8156
- C:\Windows\System32\rTdQSzr.exe
  C:\Windows\System32\rTdQSzr.exe
  2⤵
  PID:8184
- C:\Windows\System32\duKVwHO.exe
  C:\Windows\System32\duKVwHO.exe
  2⤵
  PID:6496
- C:\Windows\System32\Bhlfxcz.exe
  C:\Windows\System32\Bhlfxcz.exe
  2⤵
  PID:6552
- C:\Windows\System32\tdvHSnq.exe
  C:\Windows\System32\tdvHSnq.exe
  2⤵
  PID:6600
- C:\Windows\System32\RXaTydd.exe
  C:\Windows\System32\RXaTydd.exe
  2⤵
  PID:6728
- C:\Windows\System32\EVpfJaW.exe
  C:\Windows\System32\EVpfJaW.exe
  2⤵
  PID:6776
- C:\Windows\System32\OUeUBdy.exe
  C:\Windows\System32\OUeUBdy.exe
  2⤵
  PID:6816
- C:\Windows\System32\qRKsgik.exe
  C:\Windows\System32\qRKsgik.exe
  2⤵
  PID:6872
- C:\Windows\System32\HgekSdR.exe
  C:\Windows\System32\HgekSdR.exe
  2⤵
  PID:6920
- C:\Windows\System32\ayigtmo.exe
  C:\Windows\System32\ayigtmo.exe
  2⤵
  PID:7112
- C:\Windows\System32\QMeFzTr.exe
  C:\Windows\System32\QMeFzTr.exe
  2⤵
  PID:5628
- C:\Windows\System32\iTmiAIa.exe
  C:\Windows\System32\iTmiAIa.exe
  2⤵
  PID:7040
- C:\Windows\System32\PNTEXAT.exe
  C:\Windows\System32\PNTEXAT.exe
  2⤵
  PID:7240
- C:\Windows\System32\HGFnyoH.exe
  C:\Windows\System32\HGFnyoH.exe
  2⤵
  PID:7288
- C:\Windows\System32\NQvfvYm.exe
  C:\Windows\System32\NQvfvYm.exe
  2⤵
  PID:7356
- C:\Windows\System32\RDiatnv.exe
  C:\Windows\System32\RDiatnv.exe
  2⤵
  PID:7412
- C:\Windows\System32\WTYLbYy.exe
  C:\Windows\System32\WTYLbYy.exe
  2⤵
  PID:7516
- C:\Windows\System32\JtMGTxr.exe
  C:\Windows\System32\JtMGTxr.exe
  2⤵
  PID:7552
- C:\Windows\System32\kmlhTvd.exe
  C:\Windows\System32\kmlhTvd.exe
  2⤵
  PID:7604
- C:\Windows\System32\CkBBfUJ.exe
  C:\Windows\System32\CkBBfUJ.exe
  2⤵
  PID:7700
- C:\Windows\System32\tccSfHU.exe
  C:\Windows\System32\tccSfHU.exe
  2⤵
  PID:7748
- C:\Windows\System32\jQDzmCM.exe
  C:\Windows\System32\jQDzmCM.exe
  2⤵
  PID:7800
- C:\Windows\System32\uuQNpPL.exe
  C:\Windows\System32\uuQNpPL.exe
  2⤵
  PID:7868
- C:\Windows\System32\leRGYJV.exe
  C:\Windows\System32\leRGYJV.exe
  2⤵
  PID:7912
- C:\Windows\System32\moJUJdx.exe
  C:\Windows\System32\moJUJdx.exe
  2⤵
  PID:7996
- C:\Windows\System32\UczMGxf.exe
  C:\Windows\System32\UczMGxf.exe
  2⤵
  PID:8048
- C:\Windows\System32\buVXxUl.exe
  C:\Windows\System32\buVXxUl.exe
  2⤵
  PID:8112
- C:\Windows\System32\GPNZtsU.exe
  C:\Windows\System32\GPNZtsU.exe
  2⤵
  PID:6444
- C:\Windows\System32\WLBoLvn.exe
  C:\Windows\System32\WLBoLvn.exe
  2⤵
  PID:6568
- C:\Windows\System32\oRDUfGV.exe
  C:\Windows\System32\oRDUfGV.exe
  2⤵
  PID:5400
- C:\Windows\System32\iOYYaln.exe
  C:\Windows\System32\iOYYaln.exe
  2⤵
  PID:6840
- C:\Windows\System32\HwUyLSl.exe
  C:\Windows\System32\HwUyLSl.exe
  2⤵
  PID:6936
- C:\Windows\System32\eCPnehA.exe
  C:\Windows\System32\eCPnehA.exe
  2⤵
  PID:5364
- C:\Windows\System32\eWFFSrs.exe
  C:\Windows\System32\eWFFSrs.exe
  2⤵
  PID:7308
- C:\Windows\System32\PvcUXHc.exe
  C:\Windows\System32\PvcUXHc.exe
  2⤵
  PID:7392
- C:\Windows\System32\Ivwotah.exe
  C:\Windows\System32\Ivwotah.exe
  2⤵
  PID:7436
- C:\Windows\System32\vcIJSGz.exe
  C:\Windows\System32\vcIJSGz.exe
  2⤵
  PID:5444
- C:\Windows\System32\MUdrCas.exe
  C:\Windows\System32\MUdrCas.exe
  2⤵
  PID:7684
- C:\Windows\System32\MJaFeqv.exe
  C:\Windows\System32\MJaFeqv.exe
  2⤵
  PID:5504
- C:\Windows\System32\bpIHHVU.exe
  C:\Windows\System32\bpIHHVU.exe
  2⤵
  PID:5524
- C:\Windows\System32\yYmsxxc.exe
  C:\Windows\System32\yYmsxxc.exe
  2⤵
  PID:5552
- C:\Windows\System32\LNUELkP.exe
  C:\Windows\System32\LNUELkP.exe
  2⤵
  PID:5596
- C:\Windows\System32\mYuwmok.exe
  C:\Windows\System32\mYuwmok.exe
  2⤵
  PID:7852
- C:\Windows\System32\FbxbtNn.exe
  C:\Windows\System32\FbxbtNn.exe
  2⤵
  PID:7964
- C:\Windows\System32\oSrThQh.exe
  C:\Windows\System32\oSrThQh.exe
  2⤵
  PID:8108
- C:\Windows\System32\ztfxHkY.exe
  C:\Windows\System32\ztfxHkY.exe
  2⤵
  PID:6468
- C:\Windows\System32\eMlwMYk.exe
  C:\Windows\System32\eMlwMYk.exe
  2⤵
  PID:6428
- C:\Windows\System32\ONXDLIm.exe
  C:\Windows\System32\ONXDLIm.exe
  2⤵
  PID:6896
- C:\Windows\System32\JNIbeAZ.exe
  C:\Windows\System32\JNIbeAZ.exe
  2⤵
  PID:7180
- C:\Windows\System32\aoRIHLc.exe
  C:\Windows\System32\aoRIHLc.exe
  2⤵
  PID:7420
- C:\Windows\System32\ygBSBMY.exe
  C:\Windows\System32\ygBSBMY.exe
  2⤵
  PID:7580
- C:\Windows\System32\sIBbEXP.exe
  C:\Windows\System32\sIBbEXP.exe
  2⤵
  PID:5468
- C:\Windows\System32\fVyiTOT.exe
  C:\Windows\System32\fVyiTOT.exe
  2⤵
  PID:5708
- C:\Windows\System32\aFKApen.exe
  C:\Windows\System32\aFKApen.exe
  2⤵
  PID:5528
- C:\Windows\System32\pcsyakh.exe
  C:\Windows\System32\pcsyakh.exe
  2⤵
  PID:5592
- C:\Windows\System32\EIiLMLl.exe
  C:\Windows\System32\EIiLMLl.exe
  2⤵
  PID:6808
- C:\Windows\System32\oFeiKNy.exe
  C:\Windows\System32\oFeiKNy.exe
  2⤵
  PID:6536
- C:\Windows\System32\oTjgKWK.exe
  C:\Windows\System32\oTjgKWK.exe
  2⤵
  PID:7776
- C:\Windows\System32\IyQzGks.exe
  C:\Windows\System32\IyQzGks.exe
  2⤵
  PID:6172
- C:\Windows\System32\AexLfBA.exe
  C:\Windows\System32\AexLfBA.exe
  2⤵
  PID:5588
- C:\Windows\System32\CMndGVk.exe
  C:\Windows\System32\CMndGVk.exe
  2⤵
  PID:7840
- C:\Windows\System32\sxpEjZk.exe
  C:\Windows\System32\sxpEjZk.exe
  2⤵
  PID:6084
- C:\Windows\System32\MGOPEfm.exe
  C:\Windows\System32\MGOPEfm.exe
  2⤵
  PID:1608
- C:\Windows\System32\aKBonWV.exe
  C:\Windows\System32\aKBonWV.exe
  2⤵
  PID:8224
- C:\Windows\System32\pIzqLmp.exe
  C:\Windows\System32\pIzqLmp.exe
  2⤵
  PID:8244
- C:\Windows\System32\lnCjPle.exe
  C:\Windows\System32\lnCjPle.exe
  2⤵
  PID:8272
- C:\Windows\System32\CSiFOre.exe
  C:\Windows\System32\CSiFOre.exe
  2⤵
  PID:8288
- C:\Windows\System32\vODXeKH.exe
  C:\Windows\System32\vODXeKH.exe
  2⤵
  PID:8332
- C:\Windows\System32\qYOLuyq.exe
  C:\Windows\System32\qYOLuyq.exe
  2⤵
  PID:8352
- C:\Windows\System32\sFiVGMX.exe
  C:\Windows\System32\sFiVGMX.exe
  2⤵
  PID:8388
- C:\Windows\System32\dNDfwQk.exe
  C:\Windows\System32\dNDfwQk.exe
  2⤵
  PID:8412
- C:\Windows\System32\ZqqDlwS.exe
  C:\Windows\System32\ZqqDlwS.exe
  2⤵
  PID:8448
- C:\Windows\System32\ztWOJvK.exe
  C:\Windows\System32\ztWOJvK.exe
  2⤵
  PID:8496
- C:\Windows\System32\AcQfzTP.exe
  C:\Windows\System32\AcQfzTP.exe
  2⤵
  PID:8524
- C:\Windows\System32\PRWyyMt.exe
  C:\Windows\System32\PRWyyMt.exe
  2⤵
  PID:8540
- C:\Windows\System32\GxuYdML.exe
  C:\Windows\System32\GxuYdML.exe
  2⤵
  PID:8560
- C:\Windows\System32\uVftKDg.exe
  C:\Windows\System32\uVftKDg.exe
  2⤵
  PID:8600
- C:\Windows\System32\OhZmpqQ.exe
  C:\Windows\System32\OhZmpqQ.exe
  2⤵
  PID:8628
- C:\Windows\System32\bVQrMaK.exe
  C:\Windows\System32\bVQrMaK.exe
  2⤵
  PID:8644
- C:\Windows\System32\UENbuXZ.exe
  C:\Windows\System32\UENbuXZ.exe
  2⤵
  PID:8672
- C:\Windows\System32\OgnEdJr.exe
  C:\Windows\System32\OgnEdJr.exe
  2⤵
  PID:8692
- C:\Windows\System32\BrSigxc.exe
  C:\Windows\System32\BrSigxc.exe
  2⤵
  PID:8712
- C:\Windows\System32\LAfShor.exe
  C:\Windows\System32\LAfShor.exe
  2⤵
  PID:8752
- C:\Windows\System32\IrQMuiP.exe
  C:\Windows\System32\IrQMuiP.exe
  2⤵
  PID:8804
- C:\Windows\System32\GSWxemn.exe
  C:\Windows\System32\GSWxemn.exe
  2⤵
  PID:8820
- C:\Windows\System32\aGVTsiU.exe
  C:\Windows\System32\aGVTsiU.exe
  2⤵
  PID:8840
- C:\Windows\System32\RYnGWfJ.exe
  C:\Windows\System32\RYnGWfJ.exe
  2⤵
  PID:8864
- C:\Windows\System32\qwZfiIh.exe
  C:\Windows\System32\qwZfiIh.exe
  2⤵
  PID:8884
- C:\Windows\System32\XZRobQI.exe
  C:\Windows\System32\XZRobQI.exe
  2⤵
  PID:8912
- C:\Windows\System32\hBvAarG.exe
  C:\Windows\System32\hBvAarG.exe
  2⤵
  PID:8976
- C:\Windows\System32\ZQKbWPc.exe
  C:\Windows\System32\ZQKbWPc.exe
  2⤵
  PID:8992
- C:\Windows\System32\IYhTCXU.exe
  C:\Windows\System32\IYhTCXU.exe
  2⤵
  PID:9012
- C:\Windows\System32\FgSWbQh.exe
  C:\Windows\System32\FgSWbQh.exe
  2⤵
  PID:9044
- C:\Windows\System32\pEKsWFc.exe
  C:\Windows\System32\pEKsWFc.exe
  2⤵
  PID:9076
- C:\Windows\System32\scoDucM.exe
  C:\Windows\System32\scoDucM.exe
  2⤵
  PID:9104
- C:\Windows\System32\JINOplz.exe
  C:\Windows\System32\JINOplz.exe
  2⤵
  PID:9124
- C:\Windows\System32\bHBNrOy.exe
  C:\Windows\System32\bHBNrOy.exe
  2⤵
  PID:9148
- C:\Windows\System32\YSXgrmT.exe
  C:\Windows\System32\YSXgrmT.exe
  2⤵
  PID:9168
- C:\Windows\System32\KxElIfD.exe
  C:\Windows\System32\KxElIfD.exe
  2⤵
  PID:9192
- C:\Windows\System32\VVJUZUG.exe
  C:\Windows\System32\VVJUZUG.exe
  2⤵
  PID:9208
- C:\Windows\System32\zuTFbZc.exe
  C:\Windows\System32\zuTFbZc.exe
  2⤵
  PID:8240
- C:\Windows\System32\vhJMLNV.exe
  C:\Windows\System32\vhJMLNV.exe
  2⤵
  PID:8316
- C:\Windows\System32\tVtWrGg.exe
  C:\Windows\System32\tVtWrGg.exe
  2⤵
  PID:8364
- C:\Windows\System32\gnDcwAW.exe
  C:\Windows\System32\gnDcwAW.exe
  2⤵
  PID:8504
- C:\Windows\System32\HgPTuXw.exe
  C:\Windows\System32\HgPTuXw.exe
  2⤵
  PID:8556
- C:\Windows\System32\gkPHegs.exe
  C:\Windows\System32\gkPHegs.exe
  2⤵
  PID:8576
- C:\Windows\System32\mjqGnMh.exe
  C:\Windows\System32\mjqGnMh.exe
  2⤵
  PID:8660
- C:\Windows\System32\vZLLQJM.exe
  C:\Windows\System32\vZLLQJM.exe
  2⤵
  PID:8688
- C:\Windows\System32\VeRKisO.exe
  C:\Windows\System32\VeRKisO.exe
  2⤵
  PID:8744
- C:\Windows\System32\IWXNYGr.exe
  C:\Windows\System32\IWXNYGr.exe
  2⤵
  PID:8792
- C:\Windows\System32\HjRopAI.exe
  C:\Windows\System32\HjRopAI.exe
  2⤵
  PID:8860
- C:\Windows\System32\hFLpdMK.exe
  C:\Windows\System32\hFLpdMK.exe
  2⤵
  PID:8940
- C:\Windows\System32\AcmjHzn.exe
  C:\Windows\System32\AcmjHzn.exe
  2⤵
  PID:8936
- C:\Windows\System32\TRVBCLQ.exe
  C:\Windows\System32\TRVBCLQ.exe
  2⤵
  PID:9072
- C:\Windows\System32\HCKdzfW.exe
  C:\Windows\System32\HCKdzfW.exe
  2⤵
  PID:9132
- C:\Windows\System32\WAAivzu.exe
  C:\Windows\System32\WAAivzu.exe
  2⤵
  PID:9116
- C:\Windows\System32\FQRlUEb.exe
  C:\Windows\System32\FQRlUEb.exe
  2⤵
  PID:8348
- C:\Windows\System32\jPvUnnP.exe
  C:\Windows\System32\jPvUnnP.exe
  2⤵
  PID:8460
- C:\Windows\System32\OqRBdRn.exe
  C:\Windows\System32\OqRBdRn.exe
  2⤵
  PID:8776
- C:\Windows\System32\IfSahwy.exe
  C:\Windows\System32\IfSahwy.exe
  2⤵
  PID:8984
- C:\Windows\System32\nxqmCPP.exe
  C:\Windows\System32\nxqmCPP.exe
  2⤵
  PID:8832
- C:\Windows\System32\POegWua.exe
  C:\Windows\System32\POegWua.exe
  2⤵
  PID:8920
- C:\Windows\System32\LCOoZOJ.exe
  C:\Windows\System32\LCOoZOJ.exe
  2⤵
  PID:9204
- C:\Windows\System32\LavLLwn.exe
  C:\Windows\System32\LavLLwn.exe
  2⤵
  PID:8344
- C:\Windows\System32\ToyhBGe.exe
  C:\Windows\System32\ToyhBGe.exe
  2⤵
  PID:8476
- C:\Windows\System32\eCFpsUd.exe
  C:\Windows\System32\eCFpsUd.exe
  2⤵
  PID:8284
- C:\Windows\System32\aWSGoNM.exe
  C:\Windows\System32\aWSGoNM.exe
  2⤵
  PID:9228
- C:\Windows\System32\tsvFHMV.exe
  C:\Windows\System32\tsvFHMV.exe
  2⤵
  PID:9244
- C:\Windows\System32\kNkOQIH.exe
  C:\Windows\System32\kNkOQIH.exe
  2⤵
  PID:9276
- C:\Windows\System32\UHSUmsV.exe
  C:\Windows\System32\UHSUmsV.exe
  2⤵
  PID:9292
- C:\Windows\System32\bjWiWEV.exe
  C:\Windows\System32\bjWiWEV.exe
  2⤵
  PID:9324
- C:\Windows\System32\PRYLCau.exe
  C:\Windows\System32\PRYLCau.exe
  2⤵
  PID:9340
- C:\Windows\System32\iHtDsoR.exe
  C:\Windows\System32\iHtDsoR.exe
  2⤵
  PID:9388
- C:\Windows\System32\xHqtGRg.exe
  C:\Windows\System32\xHqtGRg.exe
  2⤵
  PID:9408
- C:\Windows\System32\nFoabIU.exe
  C:\Windows\System32\nFoabIU.exe
  2⤵
  PID:9440
- C:\Windows\System32\MwwSyNs.exe
  C:\Windows\System32\MwwSyNs.exe
  2⤵
  PID:9468
- C:\Windows\System32\BgwpXIM.exe
  C:\Windows\System32\BgwpXIM.exe
  2⤵
  PID:9512
- C:\Windows\System32\gYvRntN.exe
  C:\Windows\System32\gYvRntN.exe
  2⤵
  PID:9532
- C:\Windows\System32\oWrscnE.exe
  C:\Windows\System32\oWrscnE.exe
  2⤵
  PID:9556
- C:\Windows\System32\oamCrYy.exe
  C:\Windows\System32\oamCrYy.exe
  2⤵
  PID:9592
- C:\Windows\System32\BYaxxjw.exe
  C:\Windows\System32\BYaxxjw.exe
  2⤵
  PID:9616
- C:\Windows\System32\XsXOgvd.exe
  C:\Windows\System32\XsXOgvd.exe
  2⤵
  PID:9644
- C:\Windows\System32\rhJahkf.exe
  C:\Windows\System32\rhJahkf.exe
  2⤵
  PID:9664
- C:\Windows\System32\wDGmNrL.exe
  C:\Windows\System32\wDGmNrL.exe
  2⤵
  PID:9688
- C:\Windows\System32\fvlLZxJ.exe
  C:\Windows\System32\fvlLZxJ.exe
  2⤵
  PID:9704
- C:\Windows\System32\onQtFJH.exe
  C:\Windows\System32\onQtFJH.exe
  2⤵
  PID:9728
- C:\Windows\System32\LPrQeYR.exe
  C:\Windows\System32\LPrQeYR.exe
  2⤵
  PID:9748
- C:\Windows\System32\isYXJcb.exe
  C:\Windows\System32\isYXJcb.exe
  2⤵
  PID:9776
- C:\Windows\System32\frRjLKH.exe
  C:\Windows\System32\frRjLKH.exe
  2⤵
  PID:9808
- C:\Windows\System32\qNZhBso.exe
  C:\Windows\System32\qNZhBso.exe
  2⤵
  PID:9828
- C:\Windows\System32\TpyzLgm.exe
  C:\Windows\System32\TpyzLgm.exe
  2⤵
  PID:9860
- C:\Windows\System32\cLntDja.exe
  C:\Windows\System32\cLntDja.exe
  2⤵
  PID:9884
- C:\Windows\System32\qXfFluL.exe
  C:\Windows\System32\qXfFluL.exe
  2⤵
  PID:9904
- C:\Windows\System32\kNSDjVo.exe
  C:\Windows\System32\kNSDjVo.exe
  2⤵
  PID:9928
- C:\Windows\System32\dANhSJC.exe
  C:\Windows\System32\dANhSJC.exe
  2⤵
  PID:9948
- C:\Windows\System32\MoVRoKS.exe
  C:\Windows\System32\MoVRoKS.exe
  2⤵
  PID:9968
- C:\Windows\System32\bcLZVpN.exe
  C:\Windows\System32\bcLZVpN.exe
  2⤵
  PID:10008
- C:\Windows\System32\rbzuVOz.exe
  C:\Windows\System32\rbzuVOz.exe
  2⤵
  PID:10040
- C:\Windows\System32\qWctOJj.exe
  C:\Windows\System32\qWctOJj.exe
  2⤵
  PID:10116
- C:\Windows\System32\QYLoXPJ.exe
  C:\Windows\System32\QYLoXPJ.exe
  2⤵
  PID:10172
- C:\Windows\System32\EFpgGRx.exe
  C:\Windows\System32\EFpgGRx.exe
  2⤵
  PID:10200
- C:\Windows\System32\NBZPhhQ.exe
  C:\Windows\System32\NBZPhhQ.exe
  2⤵
  PID:10220
- C:\Windows\System32\CLvokeO.exe
  C:\Windows\System32\CLvokeO.exe
  2⤵
  PID:9240
- C:\Windows\System32\BSZUOem.exe
  C:\Windows\System32\BSZUOem.exe
  2⤵
  PID:8256
- C:\Windows\System32\PiTQlBU.exe
  C:\Windows\System32\PiTQlBU.exe
  2⤵
  PID:9288
- C:\Windows\System32\zfAmXvW.exe
  C:\Windows\System32\zfAmXvW.exe
  2⤵
  PID:9304
- C:\Windows\System32\wFYvJCQ.exe
  C:\Windows\System32\wFYvJCQ.exe
  2⤵
  PID:9568
- C:\Windows\System32\yRIyoyg.exe
  C:\Windows\System32\yRIyoyg.exe
  2⤵
  PID:9552
- C:\Windows\System32\dgevdrD.exe
  C:\Windows\System32\dgevdrD.exe
  2⤵
  PID:9628
- C:\Windows\System32\cZdhjwX.exe
  C:\Windows\System32\cZdhjwX.exe
  2⤵
  PID:9660
- C:\Windows\System32\zWxdLXl.exe
  C:\Windows\System32\zWxdLXl.exe
  2⤵
  PID:9700
- C:\Windows\System32\LVkTchu.exe
  C:\Windows\System32\LVkTchu.exe
  2⤵
  PID:9756
- C:\Windows\System32\FkykwVV.exe
  C:\Windows\System32\FkykwVV.exe
  2⤵
  PID:9736
- C:\Windows\System32\FICSpqS.exe
  C:\Windows\System32\FICSpqS.exe
  2⤵
  PID:9796
- C:\Windows\System32\EIufjlb.exe
  C:\Windows\System32\EIufjlb.exe
  2⤵
  PID:9912
- C:\Windows\System32\xNZpeDi.exe
  C:\Windows\System32\xNZpeDi.exe
  2⤵
  PID:9900
- C:\Windows\System32\QKCoYMw.exe
  C:\Windows\System32\QKCoYMw.exe
  2⤵
  PID:10124
- C:\Windows\System32\kJZCasm.exe
  C:\Windows\System32\kJZCasm.exe
  2⤵
  PID:10236
- C:\Windows\System32\eNBTLrk.exe
  C:\Windows\System32\eNBTLrk.exe
  2⤵
  PID:9272
- C:\Windows\System32\njoEwwn.exe
  C:\Windows\System32\njoEwwn.exe
  2⤵
  PID:9316
- C:\Windows\System32\VOXbJCE.exe
  C:\Windows\System32\VOXbJCE.exe
  2⤵
  PID:9496
- C:\Windows\System32\ZGKJPrL.exe
  C:\Windows\System32\ZGKJPrL.exe
  2⤵
  PID:9712
- C:\Windows\System32\NFDMJKT.exe
  C:\Windows\System32\NFDMJKT.exe
  2⤵
  PID:9784
- C:\Windows\System32\cmDvGsS.exe
  C:\Windows\System32\cmDvGsS.exe
  2⤵
  PID:9936
- C:\Windows\System32\KNBAagk.exe
  C:\Windows\System32\KNBAagk.exe
  2⤵
  PID:9956
- C:\Windows\System32\uHiLILg.exe
  C:\Windows\System32\uHiLILg.exe
  2⤵
  PID:9404
- C:\Windows\System32\vgmiiQd.exe
  C:\Windows\System32\vgmiiQd.exe
  2⤵
  PID:9996
- C:\Windows\System32\dFxHnQg.exe
  C:\Windows\System32\dFxHnQg.exe
  2⤵
  PID:9964
- C:\Windows\System32\LfqhyoF.exe
  C:\Windows\System32\LfqhyoF.exe
  2⤵
  PID:9448
- C:\Windows\System32\UjEjMxe.exe
  C:\Windows\System32\UjEjMxe.exe
  2⤵
  PID:9868
- C:\Windows\System32\jpeghEs.exe
  C:\Windows\System32\jpeghEs.exe
  2⤵
  PID:10256
- C:\Windows\System32\wfmUVKq.exe
  C:\Windows\System32\wfmUVKq.exe
  2⤵
  PID:10288
- C:\Windows\System32\wjLYjdG.exe
  C:\Windows\System32\wjLYjdG.exe
  2⤵
  PID:10324
- C:\Windows\System32\ehiRboB.exe
  C:\Windows\System32\ehiRboB.exe
  2⤵
  PID:10352
- C:\Windows\System32\GuPDBZt.exe
  C:\Windows\System32\GuPDBZt.exe
  2⤵
  PID:10368
- C:\Windows\System32\foNaMPX.exe
  C:\Windows\System32\foNaMPX.exe
  2⤵
  PID:10392
- C:\Windows\System32\BoFOTOm.exe
  C:\Windows\System32\BoFOTOm.exe
  2⤵
  PID:10408
- C:\Windows\System32\QtvPJAd.exe
  C:\Windows\System32\QtvPJAd.exe
  2⤵
  PID:10432
- C:\Windows\System32\VolRIxX.exe
  C:\Windows\System32\VolRIxX.exe
  2⤵
  PID:10460
- C:\Windows\System32\RikYRot.exe
  C:\Windows\System32\RikYRot.exe
  2⤵
  PID:10516
- C:\Windows\System32\XahvUwl.exe
  C:\Windows\System32\XahvUwl.exe
  2⤵
  PID:10548
- C:\Windows\System32\PztLUoh.exe
  C:\Windows\System32\PztLUoh.exe
  2⤵
  PID:10564
- C:\Windows\System32\lczoCtC.exe
  C:\Windows\System32\lczoCtC.exe
  2⤵
  PID:10600
- C:\Windows\System32\GKGDaoc.exe
  C:\Windows\System32\GKGDaoc.exe
  2⤵
  PID:10620
- C:\Windows\System32\umxNmES.exe
  C:\Windows\System32\umxNmES.exe
  2⤵
  PID:10636
- C:\Windows\System32\FouUuzS.exe
  C:\Windows\System32\FouUuzS.exe
  2⤵
  PID:10664
- C:\Windows\System32\LYGyTbv.exe
  C:\Windows\System32\LYGyTbv.exe
  2⤵
  PID:10684
- C:\Windows\System32\FRdWwsR.exe
  C:\Windows\System32\FRdWwsR.exe
  2⤵
  PID:10732
- C:\Windows\System32\uykrCDG.exe
  C:\Windows\System32\uykrCDG.exe
  2⤵
  PID:10756
- C:\Windows\System32\yKXcgSk.exe
  C:\Windows\System32\yKXcgSk.exe
  2⤵
  PID:10788
- C:\Windows\System32\cuREeev.exe
  C:\Windows\System32\cuREeev.exe
  2⤵
  PID:10808
- C:\Windows\System32\mMMBaLG.exe
  C:\Windows\System32\mMMBaLG.exe
  2⤵
  PID:10824
- C:\Windows\System32\vmoplrC.exe
  C:\Windows\System32\vmoplrC.exe
  2⤵
  PID:10864
- C:\Windows\System32\eAvZNSo.exe
  C:\Windows\System32\eAvZNSo.exe
  2⤵
  PID:10904
- C:\Windows\System32\wYqnWyq.exe
  C:\Windows\System32\wYqnWyq.exe
  2⤵
  PID:10940
- C:\Windows\System32\cLQhXjv.exe
  C:\Windows\System32\cLQhXjv.exe
  2⤵
  PID:10964
- C:\Windows\System32\iafbheS.exe
  C:\Windows\System32\iafbheS.exe
  2⤵
  PID:11004
- C:\Windows\System32\ikJiBkD.exe
  C:\Windows\System32\ikJiBkD.exe
  2⤵
  PID:11032
- C:\Windows\System32\aTCstiN.exe
  C:\Windows\System32\aTCstiN.exe
  2⤵
  PID:11056
- C:\Windows\System32\QyZGYii.exe
  C:\Windows\System32\QyZGYii.exe
  2⤵
  PID:11072
- C:\Windows\System32\BmhSEHk.exe
  C:\Windows\System32\BmhSEHk.exe
  2⤵
  PID:11092
- C:\Windows\System32\KLGFnOq.exe
  C:\Windows\System32\KLGFnOq.exe
  2⤵
  PID:11120
- C:\Windows\System32\nioXcms.exe
  C:\Windows\System32\nioXcms.exe
  2⤵
  PID:11140
- C:\Windows\System32\NBwsbAb.exe
  C:\Windows\System32\NBwsbAb.exe
  2⤵
  PID:11168
- C:\Windows\System32\DLngJrT.exe
  C:\Windows\System32\DLngJrT.exe
  2⤵
  PID:11200
- C:\Windows\System32\FzPasxv.exe
  C:\Windows\System32\FzPasxv.exe
  2⤵
  PID:11216
- C:\Windows\System32\zZnITUx.exe
  C:\Windows\System32\zZnITUx.exe
  2⤵
  PID:11240
- C:\Windows\System32\ROavMZM.exe
  C:\Windows\System32\ROavMZM.exe
  2⤵
  PID:9024
- C:\Windows\System32\BBvnQOK.exe
  C:\Windows\System32\BBvnQOK.exe
  2⤵
  PID:10248
- C:\Windows\System32\YlIOOkk.exe
  C:\Windows\System32\YlIOOkk.exe
  2⤵
  PID:10348
- C:\Windows\System32\PifMAXO.exe
  C:\Windows\System32\PifMAXO.exe
  2⤵
  PID:10456
- C:\Windows\System32\akvqzjR.exe
  C:\Windows\System32\akvqzjR.exe
  2⤵
  PID:10540
- C:\Windows\System32\odMlYae.exe
  C:\Windows\System32\odMlYae.exe
  2⤵
  PID:10580
- C:\Windows\System32\fCYbYpo.exe
  C:\Windows\System32\fCYbYpo.exe
  2⤵
  PID:10744
- C:\Windows\System32\CexZiMu.exe
  C:\Windows\System32\CexZiMu.exe
  2⤵
  PID:10796
- C:\Windows\System32\SFrWCmj.exe
  C:\Windows\System32\SFrWCmj.exe
  2⤵
  PID:10856
- C:\Windows\System32\wNAqTyO.exe
  C:\Windows\System32\wNAqTyO.exe
  2⤵
  PID:10892
- C:\Windows\System32\fKbgQxp.exe
  C:\Windows\System32\fKbgQxp.exe
  2⤵
  PID:10956
- C:\Windows\System32\XkEaGqT.exe
  C:\Windows\System32\XkEaGqT.exe
  2⤵
  PID:11016
- C:\Windows\System32\zSVGywf.exe
  C:\Windows\System32\zSVGywf.exe
  2⤵
  PID:11080
- C:\Windows\System32\haVvjnC.exe
  C:\Windows\System32\haVvjnC.exe
  2⤵
  PID:11176
- C:\Windows\System32\fXBjAZx.exe
  C:\Windows\System32\fXBjAZx.exe
  2⤵
  PID:11248
- C:\Windows\System32\BFnlzLj.exe
  C:\Windows\System32\BFnlzLj.exe
  2⤵
  PID:11208
- C:\Windows\System32\zIMehhr.exe
  C:\Windows\System32\zIMehhr.exe
  2⤵
  PID:10264
- C:\Windows\System32\gLmZclw.exe
  C:\Windows\System32\gLmZclw.exe
  2⤵
  PID:10508
- C:\Windows\System32\lWzHXZP.exe
  C:\Windows\System32\lWzHXZP.exe
  2⤵
  PID:10676
- C:\Windows\System32\QckSjQa.exe
  C:\Windows\System32\QckSjQa.exe
  2⤵
  PID:10912
- C:\Windows\System32\iifOOic.exe
  C:\Windows\System32\iifOOic.exe
  2⤵
  PID:11068
- C:\Windows\System32\WyarkIS.exe
  C:\Windows\System32\WyarkIS.exe
  2⤵
  PID:11064
- C:\Windows\System32\IXNCngF.exe
  C:\Windows\System32\IXNCngF.exe
  2⤵
  PID:11228
- C:\Windows\System32\VWtmDfa.exe
  C:\Windows\System32\VWtmDfa.exe
  2⤵
  PID:10252
- C:\Windows\System32\iTLKdkz.exe
  C:\Windows\System32\iTLKdkz.exe
  2⤵
  PID:11148
- C:\Windows\System32\lFZRXWL.exe
  C:\Windows\System32\lFZRXWL.exe
  2⤵
  PID:11276
- C:\Windows\System32\YGwLscP.exe
  C:\Windows\System32\YGwLscP.exe
  2⤵
  PID:11392
- C:\Windows\System32\cqmWcHz.exe
  C:\Windows\System32\cqmWcHz.exe
  2⤵
  PID:11408
- C:\Windows\System32\BeIMjRe.exe
  C:\Windows\System32\BeIMjRe.exe
  2⤵
  PID:11424
- C:\Windows\System32\JhoQtYU.exe
  C:\Windows\System32\JhoQtYU.exe
  2⤵
  PID:11440
- C:\Windows\System32\gCfmNEX.exe
  C:\Windows\System32\gCfmNEX.exe
  2⤵
  PID:11460
- C:\Windows\System32\uhLfkgU.exe
  C:\Windows\System32\uhLfkgU.exe
  2⤵
  PID:11476
- C:\Windows\System32\WFBZGNS.exe
  C:\Windows\System32\WFBZGNS.exe
  2⤵
  PID:11492
- C:\Windows\System32\LlJJypZ.exe
  C:\Windows\System32\LlJJypZ.exe
  2⤵
  PID:11508
- C:\Windows\System32\czKKcaW.exe
  C:\Windows\System32\czKKcaW.exe
  2⤵
  PID:11524
- C:\Windows\System32\ZxKvVSE.exe
  C:\Windows\System32\ZxKvVSE.exe
  2⤵
  PID:11540
- C:\Windows\System32\YyyXIeU.exe
  C:\Windows\System32\YyyXIeU.exe
  2⤵
  PID:11556
- C:\Windows\System32\HuHVceK.exe
  C:\Windows\System32\HuHVceK.exe
  2⤵
  PID:11572
- C:\Windows\System32\ulEFijP.exe
  C:\Windows\System32\ulEFijP.exe
  2⤵
  PID:11588
- C:\Windows\System32\IqYpuKl.exe
  C:\Windows\System32\IqYpuKl.exe
  2⤵
  PID:11608
- C:\Windows\System32\PtaoaOj.exe
  C:\Windows\System32\PtaoaOj.exe
  2⤵
  PID:11652
- C:\Windows\System32\rOxtDGW.exe
  C:\Windows\System32\rOxtDGW.exe
  2⤵
  PID:11668
- C:\Windows\System32\AdUPnlv.exe
  C:\Windows\System32\AdUPnlv.exe
  2⤵
  PID:11688
- C:\Windows\System32\XtfhXiN.exe
  C:\Windows\System32\XtfhXiN.exe
  2⤵
  PID:11704
- C:\Windows\System32\rpmwphD.exe
  C:\Windows\System32\rpmwphD.exe
  2⤵
  PID:11732
- C:\Windows\System32\BhyBZME.exe
  C:\Windows\System32\BhyBZME.exe
  2⤵
  PID:11748
- C:\Windows\System32\vcJGkUP.exe
  C:\Windows\System32\vcJGkUP.exe
  2⤵
  PID:11768
- C:\Windows\System32\uWhuWKS.exe
  C:\Windows\System32\uWhuWKS.exe
  2⤵
  PID:11912
- C:\Windows\System32\CGAHMru.exe
  C:\Windows\System32\CGAHMru.exe
  2⤵
  PID:11980
- C:\Windows\System32\dAXDUMa.exe
  C:\Windows\System32\dAXDUMa.exe
  2⤵
  PID:12008
- C:\Windows\System32\MYbPkxE.exe
  C:\Windows\System32\MYbPkxE.exe
  2⤵
  PID:12032
- C:\Windows\System32\RppAugT.exe
  C:\Windows\System32\RppAugT.exe
  2⤵
  PID:12060
- C:\Windows\System32\cPjmWnI.exe
  C:\Windows\System32\cPjmWnI.exe
  2⤵
  PID:12088
- C:\Windows\System32\nWJLJZm.exe
  C:\Windows\System32\nWJLJZm.exe
  2⤵
  PID:12128
- C:\Windows\System32\bhlpdLV.exe
  C:\Windows\System32\bhlpdLV.exe
  2⤵
  PID:12156
- C:\Windows\System32\gchwghw.exe
  C:\Windows\System32\gchwghw.exe
  2⤵
  PID:12176
- C:\Windows\System32\jIVnIaA.exe
  C:\Windows\System32\jIVnIaA.exe
  2⤵
  PID:12252
- C:\Windows\System32\lrnIcel.exe
  C:\Windows\System32\lrnIcel.exe
  2⤵
  PID:11268
- C:\Windows\System32\uscujVB.exe
  C:\Windows\System32\uscujVB.exe
  2⤵
  PID:11380
- C:\Windows\System32\SdcRnEs.exe
  C:\Windows\System32\SdcRnEs.exe
  2⤵
  PID:11548
- C:\Windows\System32\WTqlaTp.exe
  C:\Windows\System32\WTqlaTp.exe
  2⤵
  PID:11484
- C:\Windows\System32\TCfCbUW.exe
  C:\Windows\System32\TCfCbUW.exe
  2⤵
  PID:11532
- C:\Windows\System32\wXpIQix.exe
  C:\Windows\System32\wXpIQix.exe
  2⤵
  PID:11388
- C:\Windows\System32\ecuepox.exe
  C:\Windows\System32\ecuepox.exe
  2⤵
  PID:11432
- C:\Windows\System32\TAHiDtM.exe
  C:\Windows\System32\TAHiDtM.exe
  2⤵
  PID:11336
- C:\Windows\System32\zHjGNgj.exe
  C:\Windows\System32\zHjGNgj.exe
  2⤵
  PID:11700
- C:\Windows\System32\CEDsUHN.exe
  C:\Windows\System32\CEDsUHN.exe
  2⤵
  PID:11616
- C:\Windows\System32\lHPMgVx.exe
  C:\Windows\System32\lHPMgVx.exe
  2⤵
  PID:11640
- C:\Windows\System32\jTEAtmU.exe
  C:\Windows\System32\jTEAtmU.exe
  2⤵
  PID:11724
- C:\Windows\System32\wXbBBAy.exe
  C:\Windows\System32\wXbBBAy.exe
  2⤵
  PID:11784
- C:\Windows\System32\tRmlnez.exe
  C:\Windows\System32\tRmlnez.exe
  2⤵
  PID:11712
- C:\Windows\System32\BDszQor.exe
  C:\Windows\System32\BDszQor.exe
  2⤵
  PID:11800
- C:\Windows\System32\JOFxZbx.exe
  C:\Windows\System32\JOFxZbx.exe
  2⤵
  PID:12000
- C:\Windows\System32\nxhbHgl.exe
  C:\Windows\System32\nxhbHgl.exe
  2⤵
  PID:12080
- C:\Windows\System32\rdqBPfQ.exe
  C:\Windows\System32\rdqBPfQ.exe
  2⤵
  PID:12204
- C:\Windows\System32\WyFhugS.exe
  C:\Windows\System32\WyFhugS.exe
  2⤵
  PID:12236
- C:\Windows\System32\RorItTb.exe
  C:\Windows\System32\RorItTb.exe
  2⤵
  PID:11252
- C:\Windows\System32\zWKQqqY.exe
  C:\Windows\System32\zWKQqqY.exe
  2⤵
  PID:11568
- C:\Windows\System32\eQarens.exe
  C:\Windows\System32\eQarens.exe
  2⤵
  PID:11320
- C:\Windows\System32\yGaiuxJ.exe
  C:\Windows\System32\yGaiuxJ.exe
  2⤵
  PID:11504
- C:\Windows\System32\CgwsQDl.exe
  C:\Windows\System32\CgwsQDl.exe
  2⤵
  PID:11404
- C:\Windows\System32\SmZPnZt.exe
  C:\Windows\System32\SmZPnZt.exe
  2⤵
  PID:11832
- C:\Windows\System32\FCeHSuw.exe
  C:\Windows\System32\FCeHSuw.exe
  2⤵
  PID:11816
- C:\Windows\System32\mJaEdTC.exe
  C:\Windows\System32\mJaEdTC.exe
  2⤵
  PID:11940
- C:\Windows\System32\hTEORHZ.exe
  C:\Windows\System32\hTEORHZ.exe
  2⤵
  PID:12168
- C:\Windows\System32\McxQlWj.exe
  C:\Windows\System32\McxQlWj.exe
  2⤵
  PID:12280
- C:\Windows\System32\RuBQHxX.exe
  C:\Windows\System32\RuBQHxX.exe
  2⤵
  PID:11684
- C:\Windows\System32\PVpzvaK.exe
  C:\Windows\System32\PVpzvaK.exe
  2⤵
  PID:11920
- C:\Windows\System32\aIZdIYs.exe
  C:\Windows\System32\aIZdIYs.exe
  2⤵
  PID:12144
- C:\Windows\System32\YFVUeBG.exe
  C:\Windows\System32\YFVUeBG.exe
  2⤵
  PID:11456
- C:\Windows\System32\FhzJiSY.exe
  C:\Windows\System32\FhzJiSY.exe
  2⤵
  PID:12320
- C:\Windows\System32\HSrQHnb.exe
  C:\Windows\System32\HSrQHnb.exe
  2⤵
  PID:12344
- C:\Windows\System32\fOIqIsO.exe
  C:\Windows\System32\fOIqIsO.exe
  2⤵
  PID:12392
- C:\Windows\System32\YkjNDmz.exe
  C:\Windows\System32\YkjNDmz.exe
  2⤵
  PID:12412
- C:\Windows\System32\smDyPxk.exe
  C:\Windows\System32\smDyPxk.exe
  2⤵
  PID:12444
- C:\Windows\System32\XEtkmOU.exe
  C:\Windows\System32\XEtkmOU.exe
  2⤵
  PID:12464
- C:\Windows\System32\oACwGjX.exe
  C:\Windows\System32\oACwGjX.exe
  2⤵
  PID:12488
- C:\Windows\System32\IvprHxy.exe
  C:\Windows\System32\IvprHxy.exe
  2⤵
  PID:12524
- C:\Windows\System32\cjMStrA.exe
  C:\Windows\System32\cjMStrA.exe
  2⤵
  PID:12552
- C:\Windows\System32\NwMFIYz.exe
  C:\Windows\System32\NwMFIYz.exe
  2⤵
  PID:12572
- C:\Windows\System32\vJaTJaa.exe
  C:\Windows\System32\vJaTJaa.exe
  2⤵
  PID:12592
- C:\Windows\System32\cFIifXY.exe
  C:\Windows\System32\cFIifXY.exe
  2⤵
  PID:12612
- C:\Windows\System32\shbHqnL.exe
  C:\Windows\System32\shbHqnL.exe
  2⤵
  PID:12628
- C:\Windows\System32\oRQkWNE.exe
  C:\Windows\System32\oRQkWNE.exe
  2⤵
  PID:12648
- C:\Windows\System32\jKiBPsF.exe
  C:\Windows\System32\jKiBPsF.exe
  2⤵
  PID:12676
- C:\Windows\System32\jFVkuIt.exe
  C:\Windows\System32\jFVkuIt.exe
  2⤵
  PID:12696
- C:\Windows\System32\giNYMGc.exe
  C:\Windows\System32\giNYMGc.exe
  2⤵
  PID:12740
- C:\Windows\System32\tFwvwTU.exe
  C:\Windows\System32\tFwvwTU.exe
  2⤵
  PID:12792
- C:\Windows\System32\uZlbWIm.exe
  C:\Windows\System32\uZlbWIm.exe
  2⤵
  PID:12812
- C:\Windows\System32\yWRIXgO.exe
  C:\Windows\System32\yWRIXgO.exe
  2⤵
  PID:12836
- C:\Windows\System32\kUzBxes.exe
  C:\Windows\System32\kUzBxes.exe
  2⤵
  PID:12868
- C:\Windows\System32\xXUtsCA.exe
  C:\Windows\System32\xXUtsCA.exe
  2⤵
  PID:12900
- C:\Windows\System32\VkQtzTt.exe
  C:\Windows\System32\VkQtzTt.exe
  2⤵
  PID:12920
- C:\Windows\System32\rFatMWh.exe
  C:\Windows\System32\rFatMWh.exe
  2⤵
  PID:12948
- C:\Windows\System32\fcRqLIx.exe
  C:\Windows\System32\fcRqLIx.exe
  2⤵
  PID:12968
- C:\Windows\System32\ACJDkcC.exe
  C:\Windows\System32\ACJDkcC.exe
  2⤵
  PID:13008
- C:\Windows\System32\qEYldlp.exe
  C:\Windows\System32\qEYldlp.exe
  2⤵
  PID:13076
- C:\Windows\System32\dWtJIDK.exe
  C:\Windows\System32\dWtJIDK.exe
  2⤵
  PID:13100
- C:\Windows\System32\UJpnRDA.exe
  C:\Windows\System32\UJpnRDA.exe
  2⤵
  PID:13124
- C:\Windows\System32\vlDfdju.exe
  C:\Windows\System32\vlDfdju.exe
  2⤵
  PID:13148
- C:\Windows\System32\JnuUlzE.exe
  C:\Windows\System32\JnuUlzE.exe
  2⤵
  PID:13172
- C:\Windows\System32\dPIthtk.exe
  C:\Windows\System32\dPIthtk.exe
  2⤵
  PID:13196
- C:\Windows\System32\wVoIPvc.exe
  C:\Windows\System32\wVoIPvc.exe
  2⤵
  PID:13212
- C:\Windows\System32\tqNrXGl.exe
  C:\Windows\System32\tqNrXGl.exe
  2⤵
  PID:13240
- C:\Windows\System32\QRPodIY.exe
  C:\Windows\System32\QRPodIY.exe
  2⤵
  PID:13264
- C:\Windows\System32\wtlaQTB.exe
  C:\Windows\System32\wtlaQTB.exe
  2⤵
  PID:13280
- C:\Windows\System32\eegWinh.exe
  C:\Windows\System32\eegWinh.exe
  2⤵
  PID:13304
- C:\Windows\System32\RgXWOjA.exe
  C:\Windows\System32\RgXWOjA.exe
  2⤵
  PID:12372
- C:\Windows\System32\NNgwzyH.exe
  C:\Windows\System32\NNgwzyH.exe
  2⤵
  PID:12436
- C:\Windows\System32\zHTAqGN.exe
  C:\Windows\System32\zHTAqGN.exe
  2⤵
  PID:12476
- C:\Windows\System32\GozQtVO.exe
  C:\Windows\System32\GozQtVO.exe
  2⤵
  PID:12540
- C:\Windows\System32\fuKDyrb.exe
  C:\Windows\System32\fuKDyrb.exe
  2⤵
  PID:12588
- C:\Windows\System32\ILwgaTW.exe
  C:\Windows\System32\ILwgaTW.exe
  2⤵
  PID:12672
- C:\Windows\System32\SBZWaUd.exe
  C:\Windows\System32\SBZWaUd.exe
  2⤵
  PID:12716
- C:\Windows\System32\iKZeTxg.exe
  C:\Windows\System32\iKZeTxg.exe
  2⤵
  PID:12820
- C:\Windows\System32\RYBTNbj.exe
  C:\Windows\System32\RYBTNbj.exe
  2⤵
  PID:12800
- C:\Windows\System32\nvDMoiG.exe
  C:\Windows\System32\nvDMoiG.exe
  2⤵
  PID:12864
- C:\Windows\System32\Mzfgpue.exe
  C:\Windows\System32\Mzfgpue.exe
  2⤵
  PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:6628

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ACcQTpv.exe

Filesize
1.3MB

MD5
09d8da21a36d47da57854886ba431ebf

SHA1
01f299d525c5e98c32ed009c7298654d366e1e11

SHA256
1d37f9c763a5dbe94271f9cf322a42a213f7a96ad90e7639d6e311339d2a2269

SHA512
bf2a90c6a760b5e9d27f8ac7baf708685b3133798c0e2c82eaeb804dfbdbd4f2b4fb94d3a82ba11aa3a6e736702a727b557955f7cea536b2178bdce1ec8398b6

Download Submit
C:\Windows\System32\AiHtZXD.exe

Filesize
1.3MB

MD5
ec180c6136aa6cff28a7bcb4cf451aa5

SHA1
f891275d6a4bb392ff5ee96632ff9441a1c7e978

SHA256
5f24b0e0d20dbfa33ee79d7adc5be4ba56ea4f7cf942d723cc4317b00290275b

SHA512
3b1cf1f254a9db3b2f7b20c4c5dc762a8a30965b843f1c615546a40ee66f1c9b200c794475515559f0612ee66fe3c9245a8bd04a14125a861559691da60852f9

Download Submit
C:\Windows\System32\BDjGbOq.exe

Filesize
1.3MB

MD5
0bffc409be66095e5787c5dcd2cca4ba

SHA1
7db22cbcab72fad252a744efecc8dd5bb974bd1e

SHA256
13cc23863475c8029965551d64efaa03a702fae93727fcb2a828f5e85e44b539

SHA512
d7afb852caed08ab31e948f84b0671df8de32460c71ca54bcf428dced526b0e2b7cc2535fc0eb8f071a29c1a5f49a85bfa9ad34f8660b5f419281965d31072b4

Download Submit
C:\Windows\System32\BLKqBGP.exe

Filesize
1.3MB

MD5
65071b405d76559ccbe2f195917a4ee5

SHA1
eb3ccd10cd6b0562930517c26554d90d415408dc

SHA256
51e563dacba95c646cc6e48cea8325059535242e70bdd2298d87ff8686f7b2ae

SHA512
3e039b10cce881c0e9d867d6039c1d3be450814c9656873a49509906e307c7b01766900459428c8d932ca737a66ea203942bdab789b232dbffff18a8ea439aee

Download Submit
C:\Windows\System32\BTqIZJr.exe

Filesize
1.3MB

MD5
f6829ca65edfcb2c2e89499718b8b96c

SHA1
debf77b9ade76a043a091b91835cd40fd750a561

SHA256
0bd47cf61e3a5aacb909fd7655bb7d2b4f2f00f2fd381bee3329bd6ef43a85a8

SHA512
92a8ac1ff83b1305cd4365fb079d76d9ffae0b4a686f3054d1a89780c9246785f980458a67df836993795a54815a35d2e3302ee3c6c5291b36900257b8a20d51

Download Submit
C:\Windows\System32\CUhcFCR.exe

Filesize
1.3MB

MD5
d87a2329e4cb83ec9a72cbca35e753eb

SHA1
72ecd3d86126e93c992ebd402c3198ecceed0928

SHA256
22488a5a42bc8a3079726b1907568fddbe99df4a43d634337d1a52aa5a1f9a4d

SHA512
8cd299f367edd9a513ba065e0ffedceaf1387db50ec9cbfb9d2fd8017523b04cf733896f1496d4340f6b85d39cf2b58e2adc64b2f9fb736dbc27b38eb5df66b2

Download Submit
C:\Windows\System32\DGJHmFa.exe

Filesize
1.3MB

MD5
299d8d1d7ade909b707145f0ce82865f

SHA1
58820049b824daf7c98e9fdb1567269d988382e8

SHA256
89ff0a746603a6ab805dd6f00eac4215c2586bc252e7a2d87746f5a0a2af4cd8

SHA512
6fa79a640b2aa8262a31328d488b0bd8b6bb329c2635aaae4de0eedc68903e7334a3d3386a191ddd5655db93b41dfb7d24bd348a6f94becb93a35f1033b4052c

Download Submit
C:\Windows\System32\DzAsHcU.exe

Filesize
1.3MB

MD5
157bff6f2f9abc5d605651ff926618aa

SHA1
05773efa34d88311493a86acd5b9b09d73471f29

SHA256
237891ad9c46118babedbfd9aabc7104d6edc8b3feaca013c53713fbdb1344c4

SHA512
8e4f49339d7be8cf7688070ea3a40a7f1b462d45046cc98996888caf4e6ed5ee866c2cf21de650c5e70b6133ca33637bb454e79bd0f73996ba5f31759ce553c4

Download Submit
C:\Windows\System32\EbHdYaO.exe

Filesize
1.3MB

MD5
cad6993d3110acfd8c960952ef11f0f2

SHA1
fd087926e5d1ff17b6c8c7d81ffff1cafb75bcc8

SHA256
5cf3083d027ca5aec831cb97c3cece96fa4cd875ab4ac5e9ce4d0761eb75baa4

SHA512
f8b5399904fcc7be165abb664ffdc108af7ef2683b81388b1f5557952d17d6ecb388c85e01d39c3439c55d493cf354a0048f0ebbfe2b277c823df097bc86cc26

Download Submit
C:\Windows\System32\EpmAAaT.exe

Filesize
1.3MB

MD5
927d71eae4ec28cdfc0e4296cfb53e70

SHA1
767f32b3789e37006cab1bcb037c39272531be14

SHA256
962f07f4e8d36174f5be49933c3d1515a6b87801b0bb6302450787185bc26712

SHA512
ac5a083995a6b248521c723453f65c8d4b73878c944e0864cca5c819a4415b932962cca8fc28f12d9d1a9cf56b38a23aa8b6f0dbaab8ed3b6ff52aec0df37763

Download Submit
C:\Windows\System32\HQAxydK.exe

Filesize
1.3MB

MD5
2e54005c5a8f90ea95f607d5a5235b03

SHA1
8b8d4ae4cc841b9a6f65fcf41ac94a7515ad5d98

SHA256
512c213c0521bc1382bad31ed876d7047960def7197b4ef16aacb6748def50bc

SHA512
2d0d929a1d990d676df9361ab878eb28a872fd7e21e6e75c10c166bdec5b2fb805f7dfaddf889f9faa3fdf222448a1003aef7317e6983fb7a0efc9e105b65fe8

Download Submit
C:\Windows\System32\HyBSIjv.exe

Filesize
1.3MB

MD5
9efa204412c3c273901d4d3266afd82a

SHA1
db779d741edf7e060b114bfb74c56e682cb9bedd

SHA256
038d4e29cf357eedc28fdbdef1ef0d0a596ebc70d99c94754e944672ac13138c

SHA512
7d45a33b994346fa32ac3f7d3cc81e908123f7e4135da50ad6fd8afe40c9f7285ea4eb5e22563d2ad09555b32d8ebdb0574b1b1881b52670e37690ce3a084cb5

Download Submit
C:\Windows\System32\IKeYPBa.exe

Filesize
1.3MB

MD5
0e06cc310a6d1e6630b4788c8f367e72

SHA1
ee746f44dd104ad7b2a2946a046ac6464c8275ef

SHA256
608b59bde0b68b07093ce5ec9c638742a822815efc78a5720fa557128942c82d

SHA512
ef0e8bb14fbb39bf3b86b7208d2e667e3cbbb3a41b75d1ba7d76e74f4b45013c810ee8fef31c71e84ecb89a25101c700ddad62c94d639b7e0e50a5fc67534918

Download Submit
C:\Windows\System32\IXDEkfg.exe

Filesize
1.3MB

MD5
bc38eae6be9dabba4fe082494dda7d61

SHA1
8ec406d313a0d1d53116200b1dbdea6b655ac17f

SHA256
361b9bbff3cfa2804f8e12a540422ad88f84ebe49b06f9124e9d5a047bfbb029

SHA512
5ca468d35cb881c7780e4de13f74d6c97c65c454e929fa326c370a16049f82b07cafa254c7f8e3f0f6fdaea0ad8bf0664e370d03e153be01d7717948ab1982d8

Download Submit
C:\Windows\System32\NnLsNsd.exe

Filesize
1.3MB

MD5
18c4cb6b1b168830b67e75edf88c2d12

SHA1
eb7c96f0062a6768203e2a86695c525aa2fc321b

SHA256
f8df4f9a694bea2214cd4aca6ce0ed50b9aa54cdac24911413bebc4f6f209e42

SHA512
fd2611f18af7260d820e154a6c2d112798a2ec56df5079c4fcef36a43bdfed5e164dde66752278142ddcca4ec52453ae4c537fc25347847d0518ec008b243445

Download Submit
C:\Windows\System32\ODccghD.exe

Filesize
1.3MB

MD5
f11d100af60a04b84c53b7475f3cb799

SHA1
e919deeecc5b6331bbbd4a328505da9c079c21db

SHA256
60a64e6cdcac1288742de015ad5ac4eabf55e23be925a4a707737df05921e470

SHA512
2f03e4c77a2ba503b5fa86c4e31b293183ef72fbdf8e00df1186382e4c89f6bfb979cc9057d0328e2c8d5988180013d6f0509038e849468a638a99b6282ede11

Download Submit
C:\Windows\System32\OcrfdPc.exe

Filesize
1.3MB

MD5
4a76ee5867ce9a2235f9ebf4267297a2

SHA1
6e76f20842e91d74d25839f2c925783c30d9a3ed

SHA256
0b174b9eb9d3989d083c51bebbaa744e2568a72d22c7c9f0a1bca7d4ecd3fd24

SHA512
e4ec6895de90ca4295db069f75188d1c0fa0f1bf97ef6c09c9c0eedd47713f7d79bdd58b481a9cb8c1882bac298e2d44ce9075d0a84345ae4924191bc706c5b8

Download Submit
C:\Windows\System32\QMJYnLg.exe

Filesize
1.3MB

MD5
91de250a217af77020aa46c595c5a394

SHA1
2c31e6a030a16bbc15be968078968510d8039c68

SHA256
19efdab34bb7efd0988e25eb7cdb87aa17a3160b48eef0e56b808cc7e3c12dd4

SHA512
db594ca8e7438c53503fb3d882770fbc6363f63b5dad5895081a2bfd23d20aff89fefdd01a7cc225c03213a8457f8f73629dfce47b4c2d8bf4aa1c56b3998bad

Download Submit
C:\Windows\System32\TSbZNBG.exe

Filesize
1.3MB

MD5
b54bee8cdf5a3172bcc839c58c15702a

SHA1
dfad04ed413edd921bae3f426a801107751fbcbe

SHA256
f3687b32a8bf434a935b12879e073f73af4d79b96941ec731df2627dbedfebce

SHA512
4e5b711f766031ed771a6d6ea6f2c20387c9d494937b9a02abe8734692cdfaa9d3100a75999b2ffd73c999c2411acd080debdfb512b699b1307965820d076c28

Download Submit
C:\Windows\System32\TrSuItD.exe

Filesize
1.3MB

MD5
d1b6c91f211b3f7d0462adc3ba8480c5

SHA1
cc32a2b0ea6536856d518055c19fbe3ce215e9d6

SHA256
33ee34365eb853964a08ffaad620194fd26130cc0b8a79094938e478479ff191

SHA512
dc6f3ed25dff70aa676d6a94a3b16cb04ebc2da0239ed2db158f3d3e88e72e5572873182a6d6c3be3b78252a574f1d303fd2559935d316c3a899755804dee521

Download Submit
C:\Windows\System32\UlnisZf.exe

Filesize
1.3MB

MD5
998dfa8020aaed2da960a47d9e8920c4

SHA1
0b5f44e84db9bae7431fe8f352acb52e79e105dd

SHA256
4bff5fe4c978621692af29561d81e553a552464f41bbf8b79cfd61e82711ba8a

SHA512
3bf8ecd466dc7126e371aacbd05b74aea89c5650bddea2ea5c073f2b7647e352f493d51abff0f8b76966ceac29e096db2be5130e926217185f16119b0b5f4fbd

Download Submit
C:\Windows\System32\UmDzvgL.exe

Filesize
1.3MB

MD5
48a10d8f721fe466901c2e3041649588

SHA1
a7cad1a0053a68caa1b5c3867bf7d62c7887e0a2

SHA256
d62b47974030b8f9b00bd2bbfd07952a1c68eabd0dc286b04f703013853a81df

SHA512
7df8e7bca1436772ff36cef74945cf6a7b98509844e58769236440d64746bdd604a432d2fb1847349992e1f8f4a70069f3e3ee56df30ccb22b59aa3e1173bb72

Download Submit
C:\Windows\System32\VCgShOv.exe

Filesize
1.3MB

MD5
9a667f5cacc72a38842317a667245bad

SHA1
90d799217350e6121182848efdc52b5129e4397f

SHA256
f86a92d6a1eb2e7a3c9fc0cf3c81962585f4c476d0b0869811badbb752ff26bd

SHA512
fb7b00cfc9b36e51ebb2d77dd0c1fba2c12cf8ac3f1d2b63b3489d2f0f6856fc71dd213271e102f58655d8d272a44463e10bbdc0e3332bc12c9fd1b56918d654

Download Submit
C:\Windows\System32\VMYNfCu.exe

Filesize
1.3MB

MD5
0de40b5760b2408e0c7d9c9106ff6cc7

SHA1
3abe519329bc46d80852364f426f807033a58252

SHA256
b41e63da54f09a618235407fed63bd8758fd7bff38b92f09f0655de5c56ef232

SHA512
c953fc8325979fcb25e31b20741f06f9ea37b217f1a41def079aee4b7110282b2551a7618e6000c0fd19dcee8451d0dc65a5fcab471c097ad8ac586b13e4be5b

Download Submit
C:\Windows\System32\VfkNLNR.exe

Filesize
1.3MB

MD5
a9974ac1e01eb939409db8173b314d65

SHA1
3435665968faa714e6dd55655ccfd5a05711d2e7

SHA256
6afd956241fa030535a211547a36f1c38ea11352b1e81974fa9b6f09bdb57b23

SHA512
f4d859e5cad9b2a8c503394504c5bc86c604757568ffade7e058ec57d7bd716ee4ccf8b6cf1a57a87a4ee621a3e7be07bc7c5ebe80c21f99620eab28c98ac6a4

Download Submit
C:\Windows\System32\WIlkeOQ.exe

Filesize
1.3MB

MD5
048f85e33c10cdf4c54fd11816539d46

SHA1
0785c6374906efd111533f0a5ee76a2d2e3c5c3b

SHA256
22e43cae6ac5bf3518b02f385f315dad408e09f4ebdf8481678452a19dca107e

SHA512
6f9357623e17d49a1ae7177de0bce68e1d2de59822df9959e952f9a8eb9dfd857df16fa7bd606f8b4fd869489b719b42c80f4350170c8fb6a57989e19fcae506

Download Submit
C:\Windows\System32\XJiiZOq.exe

Filesize
1.3MB

MD5
c986a0a6af7ed1fb07a329ab1ed1fa26

SHA1
d8876cf7a5efa9ae0f4049698413896c0d0cdc4e

SHA256
86174f1c4ecd0e436d9af95d69fad817e11c244e9cbad2ec1fa16457c75a3181

SHA512
b3535db2c56210c3bb754f9aee70ec027f4964e6c3cb1f6796aeae31bc815ad9af4f2324a3ce6b7f419f2160ea65297e40b9b056e3285370bdda97652ccdfe81

Download Submit
C:\Windows\System32\YpQDKBn.exe

Filesize
1.3MB

MD5
d5444c6448c1520d0fa9af7cef2dc2bd

SHA1
c17b7d0b716b5dde0ff15888a872c19a69570f09

SHA256
b8d144bcf82a37a70b36fd284f89f358fb9fcc724ab09b276f001fcc328931b3

SHA512
f49a144f946f9877c5a3c0b59d021cd2d9c8f22af6f51fc8a0eb29acdadf0f57224fa288176448942f5a3ee7885c1bd68a84941e120965ac78b17de6487b76d6

Download Submit
C:\Windows\System32\aVOJcSb.exe

Filesize
1.3MB

MD5
d8c2cdbe13d3b0cc3ff7cc3e2b313a54

SHA1
00d98afc5ac9b80d2a5721ceed0c967b8bad0843

SHA256
ef42d07c47d806f8d7967821c4a72b889a316a5a6f7050e590cfc4b498b42e6a

SHA512
e21443372b60db5a7c06d2b160ab179ff292afa2ac8bbf5756abfb18fc8cebb5cfc84e23003106eb0aff6c2abd45b4f6f21ed636e575fb4b633b74fcc0e8fd66

Download Submit
C:\Windows\System32\bgKWswp.exe

Filesize
1.3MB

MD5
9df64e2114f7078acffa457b90411cf7

SHA1
9a5ec5a45926033cbdcac6a88d7ac602b962261f

SHA256
d092e7765b1fcf0b96bbe128d8ea9bb625f714ccf33a47fa893715c8240dd8f3

SHA512
40c1d8d660b2e78a0777f107331809d5e7abb25f090d2ffa6d86d2b39cc1794c9f56a75ac7d1143a394a8de7a5df666c8a16cf2060f7801dce42fd8de6bcf0fb

Download Submit
C:\Windows\System32\boDUBOf.exe

Filesize
1.3MB

MD5
6b13a7aa3c3ec3034ded2698373c8c6c

SHA1
da2ea742408a65e1c6fdaa4cbad82f18e709a060

SHA256
51ef430f7e768191cd6decd555dba08213a126ce86191d775433b7ae04327094

SHA512
1afd6bbfe60ea919e80b978e157a1d501696155d5ff89d303e32e5dbd0014bcd2940a10467d9790646d4e5ecca4e1ebdc9ddec6a98206cee2c98fd13c4e6bc3e

Download Submit
C:\Windows\System32\cPdaUsB.exe

Filesize
1.3MB

MD5
8630526c6e70c2d11826b57e9d74384f

SHA1
4e9f470153e824bb91e1ba137ea26ea835077b85

SHA256
a6efac0f5cd5322e6876e22281a41fe0c63b2ed46e02eb84af3d8ab3cfd030d4

SHA512
a66cd1b93c1aeb704647b014d9892fac030a902d9eebe77d0cfeebd013818422e0eb3ecaa81c35a606bb3733d4f7ec3e85b3089b6e05ffddc8eae732c473d56c

Download Submit
C:\Windows\System32\cUBXjye.exe

Filesize
1.3MB

MD5
67a4c996e54b67e2be38b0cde3570533

SHA1
bfe306441f77d44b9fd69e317a304bf9eee4f2cf

SHA256
9430daa2059e84c89c9efe7809025a5947feb06effc0a1e556c6f798e38aefb8

SHA512
f7bf00c0db06ed25be95a61112e96d5b672fec80f7bffab1b4f23b8e55e15e5cf483c8bf384321ed57a66885b533c8b0efe2e50e1149092aff3310efca0f7564

Download Submit
C:\Windows\System32\eSlYear.exe

Filesize
1.3MB

MD5
6ce5ead84bc39191d828ebd4074706c5

SHA1
ff727f9fd5cc9248f0049ef60b67a7904d834949

SHA256
ab49da21ff7de7950f425a0e1c29efde3f78adf5cba14b33f545f4623fe5cbe2

SHA512
d24f27aa2a30f7cb8de9597b75ca0a838f34e1eaa948c89eabfe4eb18a580d4c88c1a91bfa949e2be02cdd3064a962782133db7e4f93dea05f737aeec78f25e5

Download Submit
C:\Windows\System32\eUqZHLM.exe

Filesize
1.3MB

MD5
0c38fac35097db927e89283e87d1333a

SHA1
240aafe890b7d1aca6ee3b8e6ddc550001e72847

SHA256
e5ec44982604ab28fe64b154f395fede8f32aa85c428c1ff2e8897cb587c88d6

SHA512
5c14fda834fc22d3be516992ec84bac34367154b38a40d103e0593f27f647eac8f99b6a0d9ba21d059b0ba58ad61c6bcb81d9280db6dc84eb5533c93a3a10a83

Download Submit
C:\Windows\System32\fqDIUQC.exe

Filesize
1.3MB

MD5
88cfdb8a635dc8a9903832f182ce675c

SHA1
f505c1500aae21725665c99b09040e6c8e85842e

SHA256
8a3a7362b116b65b0710108ef5d78e6fd1648d2e3d85b6a629f0dda8664414f4

SHA512
a821ba41936aa945362df565889758cff30e6324c6ca94e0f93c71e24672b0fb0ba034069da379ff114c711697aea4795734040b569f8570291a7a0db22375dc

Download Submit
C:\Windows\System32\gTmUXdu.exe

Filesize
1.3MB

MD5
afed7ec1799f5c0eb6f2c198049ff867

SHA1
0935e06bc7b57012835f718bf78d84f5d5722562

SHA256
172f6a0d395260cebae32a9355f8bbdfcc9aae2b90effa051f4b716cb954daf6

SHA512
b7ce644f48d903b8565062f08db419b120d0b835cf17d4ec628d067e9878e7897be60a331d4ffdcf34192775cd45067ebf1680cb8515a24d72b9c01f1364f157

Download Submit
C:\Windows\System32\jCDnTWp.exe

Filesize
1.3MB

MD5
31881248a1ebc93c582b19186ca03a06

SHA1
c35abf52b830eadfb8660d204bb6f6411332492c

SHA256
57bcc6e4146fa2a4bc81c2cf584685ba1def7d601dbacb4df4286b2bba95f4bf

SHA512
09789cf5be5208b919d0a824ada96fd723ec530b23a7af483e93baca24a143d39f6d7fe0e5d92840bfcc2c0be2280861df679d16a5c77b7bec397cc9ddf85364

Download Submit
C:\Windows\System32\kCqZTAp.exe

Filesize
1.3MB

MD5
f7425269f11d93d032db6c5ed5146cf7

SHA1
2ad3f43fba71107cef94ae0d9d624bb3ad7387d7

SHA256
2d0653a32b0f78de04718e09fb8481e6b1ed918b2b0b7c5dd36c4ad296b11336

SHA512
00e5368bbad3e22b57ea74042c2481081b4bd9f0d06694afbf30d0cd8ca54a4b7e0143c8bfb147d2fa5af750bea4a4b18d59f31cd6a7288bf57fdbeeb697b37a

Download Submit
C:\Windows\System32\nCrCYrL.exe

Filesize
1.3MB

MD5
81776ee3481ea66f0c29068b90ff0e98

SHA1
ead4e07f9f4590c810881b6b034e6d2d139e41df

SHA256
2e610525f881c9b452f769b25f1f66bb6f6f207d5bb3b057db4bc5ae66354359

SHA512
4991b77815a185f9feb94f63a2c979839386ebb7995e44ef32f61e40811711bc6171d7f19d521ab64244be611d07bd2d0182e27ddb871ebd139f29ca5ba908a7

Download Submit
C:\Windows\System32\pWFHzLE.exe

Filesize
1.3MB

MD5
6fd7ec3acca82d2fcd4759a6644f4734

SHA1
10bcaf873bfdeb6adbd0ae2a41b5c9d512f6be56

SHA256
56e3f5cf39226d724a54f4698c5cb5672cc33e39c54391572b34ac71223d3185

SHA512
41c643d91047cf36990128cfd2f4e35c9a3c12de507d1e1490f66f8b52a235c81dd995d4d7a4860d17d9f805145f48c7086f46dae48ac1c04bd3647090b7affc

Download Submit
C:\Windows\System32\qKLrIbQ.exe

Filesize
1.3MB

MD5
3369b8057dce492bd89cd8d62998ed96

SHA1
c47cd5b26f52023f56aa5a3392885f5bc3cf1e4e

SHA256
6bb86d8a56639c0efb05a2e23188ae233210046b939a600b770cee9f9b423098

SHA512
69298d3efcee5b5da45346194878afd3b8d85130918fc81ab49760f34ad82a0581dac6c6ce20949889b4c62faf4c42f1242fe3bb14bf86dab77f760f35cc52b7

Download Submit
C:\Windows\System32\wMLzPqd.exe

Filesize
1.3MB

MD5
59dfa73f91b5c5b5ac34b39d60d3d5da

SHA1
60c28b18e020e3d63580c7d4d519609e0326e37e

SHA256
2256fcb8d582e6264fc9c92abb5f5417b7444d297d7db7183c898413cdd6c7b7

SHA512
89dd72ddf7c4331c6fa25ecbfa5e28e2f841a8803bd880b9f99b14692ffbd0a24c4d7399fe4e802b039f712fb32c5761fe8ba8449db63d21089cdcf605a1a204

Download Submit
C:\Windows\System32\wNPEvcU.exe

Filesize
1.3MB

MD5
24b27105fc4af210c54dd1537baed9a8

SHA1
45a0c5080905b1689c40be568d2eac59e34918c4

SHA256
f63c06918d581bbdd881947a1eb44fdbed3115b118b4059276480b48255a5695

SHA512
440e1e4b9fc989bb090afe88c27945965fb3118d9af07b4686b6cf7d4729c776f62211c990594a08fee44f647d760b769be027ca4a211d746feefb0e18ca97bb

Download Submit
C:\Windows\System32\wWLeMCZ.exe

Filesize
1.3MB

MD5
63ace5a3724c6bf00af9f3a6ad628e3d

SHA1
5ce7dce420c67d2b149efe849e23d21c549d3ac7

SHA256
fc63310e04e19d806dbb464623fe7c086b59dcd3959ffb02d860d8f9e35cf79b

SHA512
e373fe6f33efb2853330d4a710eb9ab4e57541eeea1a670ed80258fe8cec5faafac98edd9c6f0a75828d39b25b9027c87a3b24a2adb7965c1e7b040f788ea852

Download Submit
C:\Windows\System32\xWLKVZj.exe

Filesize
1.3MB

MD5
e9c2d4ef85cdc805b0cc1f7e163bc1aa

SHA1
172654c661a56fbb7b4684da98acadbe5354272b

SHA256
67dd5237da2f2aa8013390b165275bdeb09f033781a9779602de1d817e57c58f

SHA512
52015c182bf5019dd61745b8a9fe5ac05710c4a52e133afd1b93a3f80d489123e6eca7d4692c1d191d461adc63229f329955a2276a60e96dab3dc7c93498cdf1

Download Submit
C:\Windows\System32\yGgRPxQ.exe

Filesize
1.3MB

MD5
07f1740eef6f00a7d11bee6952e4d472

SHA1
c1ba5e6638e84807e97b20d7894b4e226c6b567e

SHA256
a9e6834d117be48cb38219c0a66751baa1b2daed4b5a19ae8bc9659eafad06b0

SHA512
ac47d045142158731963301143f745debdb0e450e3bb6c8576738d3460e0457d6949151e3b0fe0eddb1f091e032b7f43e5699009647141b9025134d9d0c39f87

Download Submit
C:\Windows\System32\yIbWSKL.exe

Filesize
1.3MB

MD5
31b14e0cad49953292eae47f9aaba646

SHA1
2951ad2eb992e8c1f5c5e48715bca21fda9f7bdb

SHA256
3061fde75167d741998e58e9577b603bfebf362dc962d177d17cb4deab186f04

SHA512
b4eaf71cb8fcc3413093c2a3d663673b808ba34b02fe1bce0dcd280b3f2314e1e6730e7e7b02baa3872ff9a00a0943bfb9d3deda0ce1af9108e8d2320a9ba9c1

Download Submit
C:\Windows\System32\yMtYFMK.exe

Filesize
1.3MB

MD5
23bfa01daec4dcb06c58b16afc2671ff

SHA1
1d21b3a46987772076b3195cea7bac529fbb01e6

SHA256
6bf289191bbe5cdeaf8ac45ca2467fc5ab4f66d8cb14ccd4f9616f14e0bdb898

SHA512
bb099feb08593059c8928c39a044bf078fd7ee8e59f3707fa06b49ed839c47eb4426366c14173ffb89679e6cddfb42bf78bb000256a7492156664e040bb5066a

Download Submit
C:\Windows\System32\yPBVOLO.exe

Filesize
1.3MB

MD5
d71c02d80e40b5e7f9c26bef4f072b12

SHA1
70f7d4b66aabf4d417dde33bea5423c717d58f2b

SHA256
c55110d5d3d8315d6078d94012d74b91ec49f47c29fc11312463b919fdeea96d

SHA512
f2e6895d844a07ff802e2e9b4aeae652131e5c7c19070caa73d53f68d0cb4588d37f91327d62063b20b2996c11eee40fe3e02f414128718e1ff9951f70e66b43

Download Submit
C:\Windows\System32\yvohNGD.exe

Filesize
1.3MB

MD5
b19687679a5dc04125e04107129763e4

SHA1
9b1f65bf26fd5e0f186dff8ec5ae01f75ccde15d

SHA256
d2544eea90152e1c00cf3ee0a0f61c39ab6a10ed21611545cbecad294d3d358a

SHA512
41b05c2f5d4b4f30b0d319795ac79b938e679f96fa28c075b882565e720b7cccb3ea6bd6b6ab317347bdd8e9433841148a5120cdc6ba1fdb4cfcc1a966dc3978

Download Submit
memory/64-0-0x00007FF6B9710000-0x00007FF6B9B01000-memory.dmp

Filesize
3.9MB

Download
memory/64-1940-0x00007FF6B9710000-0x00007FF6B9B01000-memory.dmp

Filesize
3.9MB

Download
memory/64-1-0x000001D2AA1E0000-0x000001D2AA1F0000-memory.dmp

Filesize
64KB

Download
memory/768-12-0x00007FF72D620000-0x00007FF72DA11000-memory.dmp

Filesize
3.9MB

Download
memory/768-2026-0x00007FF72D620000-0x00007FF72DA11000-memory.dmp

Filesize
3.9MB

Download
memory/768-1941-0x00007FF72D620000-0x00007FF72DA11000-memory.dmp

Filesize
3.9MB

Download
memory/1084-1984-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp

Filesize
3.9MB

Download
memory/1084-498-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2194-0x00007FF61D840000-0x00007FF61DC31000-memory.dmp

Filesize
3.9MB

Download
memory/1212-499-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp

Filesize
3.9MB

Download
memory/1212-1985-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp

Filesize
3.9MB

Download
memory/1212-2196-0x00007FF72AE90000-0x00007FF72B281000-memory.dmp

Filesize
3.9MB

Download
memory/1500-519-0x00007FF708710000-0x00007FF708B01000-memory.dmp

Filesize
3.9MB

Download
memory/1500-2102-0x00007FF708710000-0x00007FF708B01000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2036-0x00007FF730120000-0x00007FF730511000-memory.dmp

Filesize
3.9MB

Download
memory/1636-51-0x00007FF730120000-0x00007FF730511000-memory.dmp

Filesize
3.9MB

Download
memory/2236-2032-0x00007FF6B5E20000-0x00007FF6B6211000-memory.dmp

Filesize
3.9MB

Download
memory/2236-48-0x00007FF6B5E20000-0x00007FF6B6211000-memory.dmp

Filesize
3.9MB

Download
memory/2500-2024-0x00007FF7B3870000-0x00007FF7B3C61000-memory.dmp

Filesize
3.9MB

Download
memory/2500-20-0x00007FF7B3870000-0x00007FF7B3C61000-memory.dmp

Filesize
3.9MB

Download
memory/2500-1942-0x00007FF7B3870000-0x00007FF7B3C61000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2127-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp

Filesize
3.9MB

Download
memory/2868-1986-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp

Filesize
3.9MB

Download
memory/2868-501-0x00007FF6E0430000-0x00007FF6E0821000-memory.dmp

Filesize
3.9MB

Download
memory/3256-512-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp

Filesize
3.9MB

Download
memory/3256-2129-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp

Filesize
3.9MB

Download
memory/3256-1987-0x00007FF7A5510000-0x00007FF7A5901000-memory.dmp

Filesize
3.9MB

Download
memory/3472-2122-0x00007FF6B7140000-0x00007FF6B7531000-memory.dmp

Filesize
3.9MB

Download
memory/3472-522-0x00007FF6B7140000-0x00007FF6B7531000-memory.dmp

Filesize
3.9MB

Download
memory/3504-2030-0x00007FF679940000-0x00007FF679D31000-memory.dmp

Filesize
3.9MB

Download
memory/3504-53-0x00007FF679940000-0x00007FF679D31000-memory.dmp

Filesize
3.9MB

Download
memory/3524-497-0x00007FF7E23E0000-0x00007FF7E27D1000-memory.dmp

Filesize
3.9MB

Download
memory/3524-2071-0x00007FF7E23E0000-0x00007FF7E27D1000-memory.dmp

Filesize
3.9MB

Download
memory/3744-452-0x00007FF72DAA0000-0x00007FF72DE91000-memory.dmp

Filesize
3.9MB

Download
memory/3744-2040-0x00007FF72DAA0000-0x00007FF72DE91000-memory.dmp

Filesize
3.9MB

Download
memory/3844-496-0x00007FF6CB1A0000-0x00007FF6CB591000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2052-0x00007FF6CB1A0000-0x00007FF6CB591000-memory.dmp

Filesize
3.9MB

Download
memory/4092-521-0x00007FF7C5120000-0x00007FF7C5511000-memory.dmp

Filesize
3.9MB

Download
memory/4092-2081-0x00007FF7C5120000-0x00007FF7C5511000-memory.dmp

Filesize
3.9MB

Download
memory/4372-1988-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp

Filesize
3.9MB

Download
memory/4372-2217-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp

Filesize
3.9MB

Download
memory/4372-520-0x00007FF67C850000-0x00007FF67CC41000-memory.dmp

Filesize
3.9MB

Download
memory/4516-55-0x00007FF7004A0000-0x00007FF700891000-memory.dmp

Filesize
3.9MB

Download
memory/4516-2034-0x00007FF7004A0000-0x00007FF700891000-memory.dmp

Filesize
3.9MB

Download
memory/4588-2022-0x00007FF6908F0000-0x00007FF690CE1000-memory.dmp

Filesize
3.9MB

Download
memory/4588-1976-0x00007FF6908F0000-0x00007FF690CE1000-memory.dmp

Filesize
3.9MB

Download
memory/4588-26-0x00007FF6908F0000-0x00007FF690CE1000-memory.dmp

Filesize
3.9MB

Download
memory/4608-435-0x00007FF7414D0000-0x00007FF7418C1000-memory.dmp

Filesize
3.9MB

Download
memory/4608-2038-0x00007FF7414D0000-0x00007FF7418C1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-1943-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp

Filesize
3.9MB

Download
memory/4712-46-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2028-0x00007FF7F8390000-0x00007FF7F8781000-memory.dmp

Filesize
3.9MB

Download
memory/4768-1983-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4768-2164-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4768-451-0x00007FF7CD5B0000-0x00007FF7CD9A1000-memory.dmp

Filesize
3.9MB

Download
memory/4872-57-0x00007FF7BAEB0000-0x00007FF7BB2A1000-memory.dmp

Filesize
3.9MB

Download
memory/4872-2171-0x00007FF7BAEB0000-0x00007FF7BB2A1000-memory.dmp

Filesize
3.9MB

Download
memory/4872-1978-0x00007FF7BAEB0000-0x00007FF7BB2A1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-518-0x00007FF617E60000-0x00007FF618251000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2054-0x00007FF617E60000-0x00007FF618251000-memory.dmp

Filesize
3.9MB

Download
memory/5312-2079-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp

Filesize
3.9MB

Download
memory/5312-387-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp

Filesize
3.9MB

Download
memory/5312-1982-0x00007FF6A21C0000-0x00007FF6A25B1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads