xmrig | 9b8f3c4d968c5a1be14d5e6c9218d056a5e29da58f7dcf8a29941192ba60d5aa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
Size

1.3MB
MD5

3f1ba445c42a36b8f5c08a4490a79610
SHA1

a9ac0cfb17e78351c1749d1d5ecc445314656a64
SHA256

9b8f3c4d968c5a1be14d5e6c9218d056a5e29da58f7dcf8a29941192ba60d5aa
SHA512

d536f6ac80e00adf2528fcb5d670fd4ffae703938a0f6d3c5735c464f0fd50f4fdc3d1eb43fb22906750450def54ce29dcf8623dc4baef4cf0e9fa5ddf3c524e
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkTT7UudBWk0vV:GezaTF8FcNkNdfE0pZ9oztFwI6KJ9

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 36 IoCs

miner

resource	yara_rule
behavioral2/files/0x000b000000023baf-3.dat	xmrig
behavioral2/files/0x000a000000023bb0-13.dat	xmrig
behavioral2/files/0x000a000000023bb2-15.dat	xmrig
behavioral2/files/0x000a000000023bb3-19.dat	xmrig
behavioral2/files/0x000a000000023bb4-29.dat	xmrig
behavioral2/files/0x000a000000023bb8-42.dat	xmrig
behavioral2/files/0x000a000000023bb7-59.dat	xmrig
behavioral2/files/0x0031000000023bbc-70.dat	xmrig
behavioral2/files/0x000a000000023bbb-68.dat	xmrig
behavioral2/files/0x000a000000023bba-66.dat	xmrig
behavioral2/files/0x000a000000023bb9-64.dat	xmrig
behavioral2/files/0x000a000000023bb5-52.dat	xmrig
behavioral2/files/0x000a000000023bb6-46.dat	xmrig
behavioral2/files/0x000a000000023bb1-16.dat	xmrig
behavioral2/files/0x0031000000023bbe-80.dat	xmrig
behavioral2/files/0x000a000000023bc1-97.dat	xmrig
behavioral2/files/0x000a000000023bc4-114.dat	xmrig
behavioral2/files/0x000a000000023bce-145.dat	xmrig
behavioral2/files/0x000a000000023bd1-167.dat	xmrig
behavioral2/files/0x000a000000023bcc-161.dat	xmrig
behavioral2/files/0x000a000000023bc8-160.dat	xmrig
behavioral2/files/0x000a000000023bc7-159.dat	xmrig
behavioral2/files/0x000a000000023bc3-155.dat	xmrig
behavioral2/files/0x000a000000023bca-152.dat	xmrig
behavioral2/files/0x000a000000023bc6-149.dat	xmrig
behavioral2/files/0x000a000000023bcf-148.dat	xmrig
behavioral2/files/0x000a000000023bc5-146.dat	xmrig
behavioral2/files/0x000a000000023bcd-142.dat	xmrig
behavioral2/files/0x000a000000023bc0-140.dat	xmrig
behavioral2/files/0x000a000000023bd0-165.dat	xmrig
behavioral2/files/0x000a000000023bc9-137.dat	xmrig
behavioral2/files/0x000a000000023bcb-154.dat	xmrig
behavioral2/files/0x000a000000023bc2-131.dat	xmrig
behavioral2/files/0x000a000000023bbf-122.dat	xmrig
behavioral2/files/0x000b000000023bad-94.dat	xmrig
behavioral2/files/0x0031000000023bbd-89.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3020	TYvKRDk.exe
1724	knWDUep.exe
4072	caERmfa.exe
4068	mPPeTtG.exe
2188	TRCRArN.exe
4912	zHhGEXQ.exe
2720	DVSgYnD.exe
4524	gzDbZxe.exe
4384	KVTqDFJ.exe
4968	KdOHsmJ.exe
2040	TOZxadc.exe
2640	kNddrsA.exe
1172	jTSDTEg.exe
4412	GyOAixV.exe
1812	FoPnCKI.exe
2220	PHBkPtk.exe
3656	JYFKmIO.exe
3048	OkXSGee.exe
2172	gCPaOgs.exe
4056	EyzQEYZ.exe
3228	GJqjwVW.exe
4820	oXhayhS.exe
3832	ENJjZEk.exe
4808	QzQoEHs.exe
5116	MvHdXJF.exe
3984	IkaofUZ.exe
2972	jQdVSHF.exe
2288	ZkNkivJ.exe
4600	xZbBxyQ.exe
5004	PmSUmtn.exe
2332	hxTzvFr.exe
372	NEssJwz.exe
2260	NqVnxAv.exe
2772	ktPieXW.exe
4236	DThNqLZ.exe
1176	neWsNpW.exe
3944	VBrRMKF.exe
4948	DUfhbOT.exe
3116	vPsrwpx.exe
2280	UfLVImW.exe
4064	UpRisPf.exe
4972	DWjcaAx.exe
4580	xPXnCiu.exe
3508	YNrQpsh.exe
3260	QlwMdvX.exe
2120	BhKhqCA.exe
4792	eMEkPGb.exe
1620	SMGWkMC.exe
944	usIsXaq.exe
4796	PUmlbVb.exe
4456	fSSQmmG.exe
4440	VCFuTTo.exe
2228	ELpARRG.exe
928	abhyVWN.exe
2784	ysTvqOm.exe
2444	bZgsfWg.exe
4896	dhwQEcE.exe
4508	MaYRNOx.exe
5084	JSdPiBf.exe
780	IrsyuLm.exe
3088	JyMGSYC.exe
2368	loRgkLT.exe
2360	JfxleFJ.exe
4248	ztCboiJ.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\DMaixZH.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ThERdHN.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\kNddrsA.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\dNjFCmS.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ebvIWmd.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\oMjJRnD.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ddgqzCg.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\BhKhqCA.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ZcTlGTd.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ENJjZEk.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\iljRVaF.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\FyLdXIe.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ZkNkivJ.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\erPanLx.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\xxppkou.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\rmBqQdr.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\LZXIzbN.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\xjLQRVR.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\GNPkcxT.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\TRCRArN.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\lnbKxms.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\cigEfGj.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\comMxJd.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\gyxhULn.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\UmhIbSy.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\GyOAixV.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\JfxleFJ.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\xSnAStJ.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\QPSkCOc.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\JzQkKXl.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\DYRLMIX.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\iQdRvcp.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\dexQWJX.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\pAmbgxz.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\OkXSGee.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\cyreQJg.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\EkccMaU.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\eyKDIeL.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\WjhVOuE.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\UBzjACN.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\PFxchJi.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\KVTqDFJ.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\arbPMaD.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\VANInJZ.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\eMEkPGb.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ELpARRG.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\bcctgKk.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\PmSUmtn.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\YPSsrsr.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\JKqrvgR.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\VErJWli.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\neWsNpW.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\TRqAGBr.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\GYfIhUn.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\VBrRMKF.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\ZpfdNHm.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\RniLxrf.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\fdZvyll.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\aPckBUN.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\lMFgDWh.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\UpRisPf.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\PdreCkc.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\nyZXGtW.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
File created	C:\Windows\System\zckNCCF.exe	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
Token: SeLockMemoryPrivilege	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3020	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	84
PID 1088 wrote to memory of 3020	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	84
PID 1088 wrote to memory of 1724	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	85
PID 1088 wrote to memory of 1724	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	85
PID 1088 wrote to memory of 4072	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	86
PID 1088 wrote to memory of 4072	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	86
PID 1088 wrote to memory of 4068	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	87
PID 1088 wrote to memory of 4068	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	87
PID 1088 wrote to memory of 2188	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	88
PID 1088 wrote to memory of 2188	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	88
PID 1088 wrote to memory of 4912	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	89
PID 1088 wrote to memory of 4912	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	89
PID 1088 wrote to memory of 2720	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	90
PID 1088 wrote to memory of 2720	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	90
PID 1088 wrote to memory of 4524	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	91
PID 1088 wrote to memory of 4524	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	91
PID 1088 wrote to memory of 4384	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	92
PID 1088 wrote to memory of 4384	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	92
PID 1088 wrote to memory of 4968	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	93
PID 1088 wrote to memory of 4968	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	93
PID 1088 wrote to memory of 2040	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	94
PID 1088 wrote to memory of 2040	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	94
PID 1088 wrote to memory of 2640	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	95
PID 1088 wrote to memory of 2640	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	95
PID 1088 wrote to memory of 1172	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	96
PID 1088 wrote to memory of 1172	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	96
PID 1088 wrote to memory of 4412	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	97
PID 1088 wrote to memory of 4412	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	97
PID 1088 wrote to memory of 1812	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	98
PID 1088 wrote to memory of 1812	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	98
PID 1088 wrote to memory of 2220	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	99
PID 1088 wrote to memory of 2220	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	99
PID 1088 wrote to memory of 3656	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	100
PID 1088 wrote to memory of 3656	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	100
PID 1088 wrote to memory of 3048	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	101
PID 1088 wrote to memory of 3048	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	101
PID 1088 wrote to memory of 2172	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	102
PID 1088 wrote to memory of 2172	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	102
PID 1088 wrote to memory of 4056	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	103
PID 1088 wrote to memory of 4056	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	103
PID 1088 wrote to memory of 3228	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	104
PID 1088 wrote to memory of 3228	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	104
PID 1088 wrote to memory of 4820	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	105
PID 1088 wrote to memory of 4820	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	105
PID 1088 wrote to memory of 3832	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	106
PID 1088 wrote to memory of 3832	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	106
PID 1088 wrote to memory of 4808	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	107
PID 1088 wrote to memory of 4808	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	107
PID 1088 wrote to memory of 5116	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	108
PID 1088 wrote to memory of 5116	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	108
PID 1088 wrote to memory of 3984	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	109
PID 1088 wrote to memory of 3984	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	109
PID 1088 wrote to memory of 2972	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	110
PID 1088 wrote to memory of 2972	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	110
PID 1088 wrote to memory of 4600	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	111
PID 1088 wrote to memory of 4600	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	111
PID 1088 wrote to memory of 2260	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	112
PID 1088 wrote to memory of 2260	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	112
PID 1088 wrote to memory of 2772	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	113
PID 1088 wrote to memory of 2772	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	113
PID 1088 wrote to memory of 2288	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	114
PID 1088 wrote to memory of 2288	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	114
PID 1088 wrote to memory of 5004	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	115
PID 1088 wrote to memory of 5004	1088	3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe	115

C:\Users\Admin\AppData\Local\Temp\3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3f1ba445c42a36b8f5c08a4490a79610_NEAS.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\System\TYvKRDk.exe
  C:\Windows\System\TYvKRDk.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\knWDUep.exe
  C:\Windows\System\knWDUep.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\caERmfa.exe
  C:\Windows\System\caERmfa.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\mPPeTtG.exe
  C:\Windows\System\mPPeTtG.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\TRCRArN.exe
  C:\Windows\System\TRCRArN.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\zHhGEXQ.exe
  C:\Windows\System\zHhGEXQ.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\DVSgYnD.exe
  C:\Windows\System\DVSgYnD.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\gzDbZxe.exe
  C:\Windows\System\gzDbZxe.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\KVTqDFJ.exe
  C:\Windows\System\KVTqDFJ.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\KdOHsmJ.exe
  C:\Windows\System\KdOHsmJ.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\TOZxadc.exe
  C:\Windows\System\TOZxadc.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\kNddrsA.exe
  C:\Windows\System\kNddrsA.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\jTSDTEg.exe
  C:\Windows\System\jTSDTEg.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\GyOAixV.exe
  C:\Windows\System\GyOAixV.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\FoPnCKI.exe
  C:\Windows\System\FoPnCKI.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\PHBkPtk.exe
  C:\Windows\System\PHBkPtk.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\JYFKmIO.exe
  C:\Windows\System\JYFKmIO.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\OkXSGee.exe
  C:\Windows\System\OkXSGee.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\gCPaOgs.exe
  C:\Windows\System\gCPaOgs.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\EyzQEYZ.exe
  C:\Windows\System\EyzQEYZ.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\GJqjwVW.exe
  C:\Windows\System\GJqjwVW.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\oXhayhS.exe
  C:\Windows\System\oXhayhS.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\ENJjZEk.exe
  C:\Windows\System\ENJjZEk.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\QzQoEHs.exe
  C:\Windows\System\QzQoEHs.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\MvHdXJF.exe
  C:\Windows\System\MvHdXJF.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\IkaofUZ.exe
  C:\Windows\System\IkaofUZ.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\jQdVSHF.exe
  C:\Windows\System\jQdVSHF.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\xZbBxyQ.exe
  C:\Windows\System\xZbBxyQ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\NqVnxAv.exe
  C:\Windows\System\NqVnxAv.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\ktPieXW.exe
  C:\Windows\System\ktPieXW.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\ZkNkivJ.exe
  C:\Windows\System\ZkNkivJ.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\PmSUmtn.exe
  C:\Windows\System\PmSUmtn.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\hxTzvFr.exe
  C:\Windows\System\hxTzvFr.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\NEssJwz.exe
  C:\Windows\System\NEssJwz.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\DThNqLZ.exe
  C:\Windows\System\DThNqLZ.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\neWsNpW.exe
  C:\Windows\System\neWsNpW.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\VBrRMKF.exe
  C:\Windows\System\VBrRMKF.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\DUfhbOT.exe
  C:\Windows\System\DUfhbOT.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\vPsrwpx.exe
  C:\Windows\System\vPsrwpx.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\UfLVImW.exe
  C:\Windows\System\UfLVImW.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\UpRisPf.exe
  C:\Windows\System\UpRisPf.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\DWjcaAx.exe
  C:\Windows\System\DWjcaAx.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\xPXnCiu.exe
  C:\Windows\System\xPXnCiu.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\YNrQpsh.exe
  C:\Windows\System\YNrQpsh.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\QlwMdvX.exe
  C:\Windows\System\QlwMdvX.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\BhKhqCA.exe
  C:\Windows\System\BhKhqCA.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\eMEkPGb.exe
  C:\Windows\System\eMEkPGb.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\SMGWkMC.exe
  C:\Windows\System\SMGWkMC.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\usIsXaq.exe
  C:\Windows\System\usIsXaq.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\PUmlbVb.exe
  C:\Windows\System\PUmlbVb.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\fSSQmmG.exe
  C:\Windows\System\fSSQmmG.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\VCFuTTo.exe
  C:\Windows\System\VCFuTTo.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\ELpARRG.exe
  C:\Windows\System\ELpARRG.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\abhyVWN.exe
  C:\Windows\System\abhyVWN.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\ysTvqOm.exe
  C:\Windows\System\ysTvqOm.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\bZgsfWg.exe
  C:\Windows\System\bZgsfWg.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\dhwQEcE.exe
  C:\Windows\System\dhwQEcE.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\MaYRNOx.exe
  C:\Windows\System\MaYRNOx.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\JSdPiBf.exe
  C:\Windows\System\JSdPiBf.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\IrsyuLm.exe
  C:\Windows\System\IrsyuLm.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\JyMGSYC.exe
  C:\Windows\System\JyMGSYC.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\loRgkLT.exe
  C:\Windows\System\loRgkLT.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\JfxleFJ.exe
  C:\Windows\System\JfxleFJ.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\ztCboiJ.exe
  C:\Windows\System\ztCboiJ.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\nRiKkSJ.exe
  C:\Windows\System\nRiKkSJ.exe
  2⤵
  PID:3588
- C:\Windows\System\WjhVOuE.exe
  C:\Windows\System\WjhVOuE.exe
  2⤵
  PID:2700
- C:\Windows\System\paVdBuu.exe
  C:\Windows\System\paVdBuu.exe
  2⤵
  PID:4996
- C:\Windows\System\clvHbKy.exe
  C:\Windows\System\clvHbKy.exe
  2⤵
  PID:5000
- C:\Windows\System\xxppkou.exe
  C:\Windows\System\xxppkou.exe
  2⤵
  PID:1560
- C:\Windows\System\JLLafGX.exe
  C:\Windows\System\JLLafGX.exe
  2⤵
  PID:4100
- C:\Windows\System\VcTwqUl.exe
  C:\Windows\System\VcTwqUl.exe
  2⤵
  PID:644
- C:\Windows\System\lnbKxms.exe
  C:\Windows\System\lnbKxms.exe
  2⤵
  PID:4904
- C:\Windows\System\dKDtRIM.exe
  C:\Windows\System\dKDtRIM.exe
  2⤵
  PID:4548
- C:\Windows\System\PdreCkc.exe
  C:\Windows\System\PdreCkc.exe
  2⤵
  PID:4432
- C:\Windows\System\dNjFCmS.exe
  C:\Windows\System\dNjFCmS.exe
  2⤵
  PID:1324
- C:\Windows\System\WLPAoBc.exe
  C:\Windows\System\WLPAoBc.exe
  2⤵
  PID:3672
- C:\Windows\System\kggpuOu.exe
  C:\Windows\System\kggpuOu.exe
  2⤵
  PID:4920
- C:\Windows\System\ddixTDW.exe
  C:\Windows\System\ddixTDW.exe
  2⤵
  PID:848
- C:\Windows\System\TRqAGBr.exe
  C:\Windows\System\TRqAGBr.exe
  2⤵
  PID:4372
- C:\Windows\System\yIvBSBD.exe
  C:\Windows\System\yIvBSBD.exe
  2⤵
  PID:2644
- C:\Windows\System\ZpfdNHm.exe
  C:\Windows\System\ZpfdNHm.exe
  2⤵
  PID:3308
- C:\Windows\System\BzaiWmx.exe
  C:\Windows\System\BzaiWmx.exe
  2⤵
  PID:2708
- C:\Windows\System\IjyVsLK.exe
  C:\Windows\System\IjyVsLK.exe
  2⤵
  PID:852
- C:\Windows\System\cigEfGj.exe
  C:\Windows\System\cigEfGj.exe
  2⤵
  PID:3888
- C:\Windows\System\jzEOAyi.exe
  C:\Windows\System\jzEOAyi.exe
  2⤵
  PID:1956
- C:\Windows\System\NghBZPN.exe
  C:\Windows\System\NghBZPN.exe
  2⤵
  PID:2564
- C:\Windows\System\rmBqQdr.exe
  C:\Windows\System\rmBqQdr.exe
  2⤵
  PID:3360
- C:\Windows\System\CaEgGOv.exe
  C:\Windows\System\CaEgGOv.exe
  2⤵
  PID:3568
- C:\Windows\System\LZXIzbN.exe
  C:\Windows\System\LZXIzbN.exe
  2⤵
  PID:3584
- C:\Windows\System\PcMYfsO.exe
  C:\Windows\System\PcMYfsO.exe
  2⤵
  PID:1628
- C:\Windows\System\GTDPHjZ.exe
  C:\Windows\System\GTDPHjZ.exe
  2⤵
  PID:2428
- C:\Windows\System\IYdTsSM.exe
  C:\Windows\System\IYdTsSM.exe
  2⤵
  PID:2024
- C:\Windows\System\WqrLxvx.exe
  C:\Windows\System\WqrLxvx.exe
  2⤵
  PID:4964
- C:\Windows\System\MKgLMYX.exe
  C:\Windows\System\MKgLMYX.exe
  2⤵
  PID:2232
- C:\Windows\System\MtnAuMw.exe
  C:\Windows\System\MtnAuMw.exe
  2⤵
  PID:5024
- C:\Windows\System\iljRVaF.exe
  C:\Windows\System\iljRVaF.exe
  2⤵
  PID:2680
- C:\Windows\System\fpDiJop.exe
  C:\Windows\System\fpDiJop.exe
  2⤵
  PID:4360
- C:\Windows\System\WYAmQUk.exe
  C:\Windows\System\WYAmQUk.exe
  2⤵
  PID:4060
- C:\Windows\System\TzYhcbf.exe
  C:\Windows\System\TzYhcbf.exe
  2⤵
  PID:1492
- C:\Windows\System\HuujJaQ.exe
  C:\Windows\System\HuujJaQ.exe
  2⤵
  PID:3772
- C:\Windows\System\nyZXGtW.exe
  C:\Windows\System\nyZXGtW.exe
  2⤵
  PID:4852
- C:\Windows\System\eGxQdFH.exe
  C:\Windows\System\eGxQdFH.exe
  2⤵
  PID:3940
- C:\Windows\System\YPSsrsr.exe
  C:\Windows\System\YPSsrsr.exe
  2⤵
  PID:2312
- C:\Windows\System\UvMoRor.exe
  C:\Windows\System\UvMoRor.exe
  2⤵
  PID:3120
- C:\Windows\System\erPanLx.exe
  C:\Windows\System\erPanLx.exe
  2⤵
  PID:548
- C:\Windows\System\tvwZahE.exe
  C:\Windows\System\tvwZahE.exe
  2⤵
  PID:4952
- C:\Windows\System\bcctgKk.exe
  C:\Windows\System\bcctgKk.exe
  2⤵
  PID:4012
- C:\Windows\System\ebvIWmd.exe
  C:\Windows\System\ebvIWmd.exe
  2⤵
  PID:4516
- C:\Windows\System\cyreQJg.exe
  C:\Windows\System\cyreQJg.exe
  2⤵
  PID:5136
- C:\Windows\System\YldAQeb.exe
  C:\Windows\System\YldAQeb.exe
  2⤵
  PID:5152
- C:\Windows\System\GYfIhUn.exe
  C:\Windows\System\GYfIhUn.exe
  2⤵
  PID:5188
- C:\Windows\System\aPckBUN.exe
  C:\Windows\System\aPckBUN.exe
  2⤵
  PID:5216
- C:\Windows\System\oMjJRnD.exe
  C:\Windows\System\oMjJRnD.exe
  2⤵
  PID:5248
- C:\Windows\System\QPSkCOc.exe
  C:\Windows\System\QPSkCOc.exe
  2⤵
  PID:5280
- C:\Windows\System\arbPMaD.exe
  C:\Windows\System\arbPMaD.exe
  2⤵
  PID:5308
- C:\Windows\System\DMaixZH.exe
  C:\Windows\System\DMaixZH.exe
  2⤵
  PID:5332
- C:\Windows\System\WiuhPYK.exe
  C:\Windows\System\WiuhPYK.exe
  2⤵
  PID:5360
- C:\Windows\System\JKqrvgR.exe
  C:\Windows\System\JKqrvgR.exe
  2⤵
  PID:5396
- C:\Windows\System\UJSArAl.exe
  C:\Windows\System\UJSArAl.exe
  2⤵
  PID:5416
- C:\Windows\System\comMxJd.exe
  C:\Windows\System\comMxJd.exe
  2⤵
  PID:5452
- C:\Windows\System\sEmkknj.exe
  C:\Windows\System\sEmkknj.exe
  2⤵
  PID:5476
- C:\Windows\System\ETRznRm.exe
  C:\Windows\System\ETRznRm.exe
  2⤵
  PID:5516
- C:\Windows\System\RniLxrf.exe
  C:\Windows\System\RniLxrf.exe
  2⤵
  PID:5548
- C:\Windows\System\TWAuiYG.exe
  C:\Windows\System\TWAuiYG.exe
  2⤵
  PID:5576
- C:\Windows\System\FyLdXIe.exe
  C:\Windows\System\FyLdXIe.exe
  2⤵
  PID:5596
- C:\Windows\System\ddgqzCg.exe
  C:\Windows\System\ddgqzCg.exe
  2⤵
  PID:5624
- C:\Windows\System\xjLQRVR.exe
  C:\Windows\System\xjLQRVR.exe
  2⤵
  PID:5652
- C:\Windows\System\Ddytxpv.exe
  C:\Windows\System\Ddytxpv.exe
  2⤵
  PID:5680
- C:\Windows\System\OvqzlEk.exe
  C:\Windows\System\OvqzlEk.exe
  2⤵
  PID:5704
- C:\Windows\System\ajOwRan.exe
  C:\Windows\System\ajOwRan.exe
  2⤵
  PID:5736
- C:\Windows\System\gyxhULn.exe
  C:\Windows\System\gyxhULn.exe
  2⤵
  PID:5772
- C:\Windows\System\ZcTlGTd.exe
  C:\Windows\System\ZcTlGTd.exe
  2⤵
  PID:5800
- C:\Windows\System\IkLMjGL.exe
  C:\Windows\System\IkLMjGL.exe
  2⤵
  PID:5824
- C:\Windows\System\VANInJZ.exe
  C:\Windows\System\VANInJZ.exe
  2⤵
  PID:5848
- C:\Windows\System\eNvqXkL.exe
  C:\Windows\System\eNvqXkL.exe
  2⤵
  PID:5868
- C:\Windows\System\ADaBiYQ.exe
  C:\Windows\System\ADaBiYQ.exe
  2⤵
  PID:5900
- C:\Windows\System\TsSaNZy.exe
  C:\Windows\System\TsSaNZy.exe
  2⤵
  PID:5940
- C:\Windows\System\GsQNLnE.exe
  C:\Windows\System\GsQNLnE.exe
  2⤵
  PID:5964
- C:\Windows\System\QXfsBdR.exe
  C:\Windows\System\QXfsBdR.exe
  2⤵
  PID:5996
- C:\Windows\System\MJlNzYv.exe
  C:\Windows\System\MJlNzYv.exe
  2⤵
  PID:6024
- C:\Windows\System\fdZvyll.exe
  C:\Windows\System\fdZvyll.exe
  2⤵
  PID:6056
- C:\Windows\System\ThERdHN.exe
  C:\Windows\System\ThERdHN.exe
  2⤵
  PID:6084
- C:\Windows\System\lMFgDWh.exe
  C:\Windows\System\lMFgDWh.exe
  2⤵
  PID:6100
- C:\Windows\System\ndsZJDj.exe
  C:\Windows\System\ndsZJDj.exe
  2⤵
  PID:6128
- C:\Windows\System\woKJyUV.exe
  C:\Windows\System\woKJyUV.exe
  2⤵
  PID:3460
- C:\Windows\System\dyzZpsY.exe
  C:\Windows\System\dyzZpsY.exe
  2⤵
  PID:5196
- C:\Windows\System\JzQkKXl.exe
  C:\Windows\System\JzQkKXl.exe
  2⤵
  PID:5264
- C:\Windows\System\DYRLMIX.exe
  C:\Windows\System\DYRLMIX.exe
  2⤵
  PID:5320
- C:\Windows\System\FIQebkq.exe
  C:\Windows\System\FIQebkq.exe
  2⤵
  PID:5440
- C:\Windows\System\mluNiJC.exe
  C:\Windows\System\mluNiJC.exe
  2⤵
  PID:5464
- C:\Windows\System\psGMKaR.exe
  C:\Windows\System\psGMKaR.exe
  2⤵
  PID:5540
- C:\Windows\System\NUOMHpG.exe
  C:\Windows\System\NUOMHpG.exe
  2⤵
  PID:5592
- C:\Windows\System\GNPkcxT.exe
  C:\Windows\System\GNPkcxT.exe
  2⤵
  PID:5712
- C:\Windows\System\zTtxyeH.exe
  C:\Windows\System\zTtxyeH.exe
  2⤵
  PID:5788
- C:\Windows\System\zVYxkwF.exe
  C:\Windows\System\zVYxkwF.exe
  2⤵
  PID:5816
- C:\Windows\System\yofrENw.exe
  C:\Windows\System\yofrENw.exe
  2⤵
  PID:5924
- C:\Windows\System\heLGyjo.exe
  C:\Windows\System\heLGyjo.exe
  2⤵
  PID:5916
- C:\Windows\System\crVyMFP.exe
  C:\Windows\System\crVyMFP.exe
  2⤵
  PID:6020
- C:\Windows\System\iQdRvcp.exe
  C:\Windows\System\iQdRvcp.exe
  2⤵
  PID:6080
- C:\Windows\System\ybydsYY.exe
  C:\Windows\System\ybydsYY.exe
  2⤵
  PID:6140
- C:\Windows\System\UBzjACN.exe
  C:\Windows\System\UBzjACN.exe
  2⤵
  PID:5232
- C:\Windows\System\VErJWli.exe
  C:\Windows\System\VErJWli.exe
  2⤵
  PID:5412
- C:\Windows\System\ZGtxngC.exe
  C:\Windows\System\ZGtxngC.exe
  2⤵
  PID:5496
- C:\Windows\System\iketqKc.exe
  C:\Windows\System\iketqKc.exe
  2⤵
  PID:5728
- C:\Windows\System\nHydrmT.exe
  C:\Windows\System\nHydrmT.exe
  2⤵
  PID:5836
- C:\Windows\System\YKTJEjK.exe
  C:\Windows\System\YKTJEjK.exe
  2⤵
  PID:5972
- C:\Windows\System\NghAcCw.exe
  C:\Windows\System\NghAcCw.exe
  2⤵
  PID:5148
- C:\Windows\System\daFvZmh.exe
  C:\Windows\System\daFvZmh.exe
  2⤵
  PID:5392
- C:\Windows\System\UmhIbSy.exe
  C:\Windows\System\UmhIbSy.exe
  2⤵
  PID:5644
- C:\Windows\System\sEXtBGB.exe
  C:\Windows\System\sEXtBGB.exe
  2⤵
  PID:6068
- C:\Windows\System\bTADJfs.exe
  C:\Windows\System\bTADJfs.exe
  2⤵
  PID:5560
- C:\Windows\System\sikumrr.exe
  C:\Windows\System\sikumrr.exe
  2⤵
  PID:6168
- C:\Windows\System\lmFAHwl.exe
  C:\Windows\System\lmFAHwl.exe
  2⤵
  PID:6196
- C:\Windows\System\mNhdnIW.exe
  C:\Windows\System\mNhdnIW.exe
  2⤵
  PID:6228
- C:\Windows\System\qBzzNJf.exe
  C:\Windows\System\qBzzNJf.exe
  2⤵
  PID:6256
- C:\Windows\System\YdkfycR.exe
  C:\Windows\System\YdkfycR.exe
  2⤵
  PID:6280
- C:\Windows\System\dZmxhQP.exe
  C:\Windows\System\dZmxhQP.exe
  2⤵
  PID:6296
- C:\Windows\System\PFxchJi.exe
  C:\Windows\System\PFxchJi.exe
  2⤵
  PID:6316
- C:\Windows\System\GnaqxaA.exe
  C:\Windows\System\GnaqxaA.exe
  2⤵
  PID:6336
- C:\Windows\System\EkccMaU.exe
  C:\Windows\System\EkccMaU.exe
  2⤵
  PID:6372
- C:\Windows\System\pAmbgxz.exe
  C:\Windows\System\pAmbgxz.exe
  2⤵
  PID:6396
- C:\Windows\System\UqTeStQ.exe
  C:\Windows\System\UqTeStQ.exe
  2⤵
  PID:6424
- C:\Windows\System\Onhjtqe.exe
  C:\Windows\System\Onhjtqe.exe
  2⤵
  PID:6444
- C:\Windows\System\dexQWJX.exe
  C:\Windows\System\dexQWJX.exe
  2⤵
  PID:6464
- C:\Windows\System\zckNCCF.exe
  C:\Windows\System\zckNCCF.exe
  2⤵
  PID:6492
- C:\Windows\System\xvOSQtf.exe
  C:\Windows\System\xvOSQtf.exe
  2⤵
  PID:6524
- C:\Windows\System\eyKDIeL.exe
  C:\Windows\System\eyKDIeL.exe
  2⤵
  PID:6548
- C:\Windows\System\CCtHfxp.exe
  C:\Windows\System\CCtHfxp.exe
  2⤵
  PID:6584
- C:\Windows\System\jNMRzMj.exe
  C:\Windows\System\jNMRzMj.exe
  2⤵
  PID:6608
- C:\Windows\System\YjYfjUj.exe
  C:\Windows\System\YjYfjUj.exe
  2⤵
  PID:6632
- C:\Windows\System\BodBlFc.exe
  C:\Windows\System\BodBlFc.exe
  2⤵
  PID:6672
- C:\Windows\System\gddUOqG.exe
  C:\Windows\System\gddUOqG.exe
  2⤵
  PID:6696
- C:\Windows\System\BXKMPyl.exe
  C:\Windows\System\BXKMPyl.exe
  2⤵
  PID:6732
- C:\Windows\System\biDSXAX.exe
  C:\Windows\System\biDSXAX.exe
  2⤵
  PID:6752
- C:\Windows\System\BwkVqlk.exe
  C:\Windows\System\BwkVqlk.exe
  2⤵
  PID:6776
- C:\Windows\System\yMgaxva.exe
  C:\Windows\System\yMgaxva.exe
  2⤵
  PID:6804
- C:\Windows\System\xSnAStJ.exe
  C:\Windows\System\xSnAStJ.exe
  2⤵
  PID:6828
- C:\Windows\System\KDbsFfV.exe
  C:\Windows\System\KDbsFfV.exe
  2⤵
  PID:6852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DThNqLZ.exe

Filesize
1.3MB

MD5
5d85aa41b85b9172c4c7e17d9376d392

SHA1
a1fb6c3ccb201a1b8c0ac09b0f8768304642fd67

SHA256
e5e8e4c1f049883b756f3590b6472d66e6467fff417f40a91cdf5409ecd9d4af

SHA512
a0dd705996a5b911ce6f3467e1438f668e50c36fa2bb7e5e09b253e0a7f926e427cc4eaee312c779aec7e0c70f7e95b968b111d9dabc5b03c18402946eb79a44

Download Submit
C:\Windows\System\DVSgYnD.exe

Filesize
1.3MB

MD5
582d67a1bc3433704fadc11944248a7d

SHA1
6ea5268eb4ea3b5ca1952631afa9f87b75cd4ec5

SHA256
cb06744b4ae476b83095289ddb70f3f02ffb8cc5ef20832567d0e8850d85ef67

SHA512
da5f3cd85c7790bb466e0addf223bf63b47de271a9844d99516ecc75882b217501f05ff1b868037f1c6482beef5c0138d4b4921a785ab2b3042b1f26c86d6097

Download Submit
C:\Windows\System\ENJjZEk.exe

Filesize
1.3MB

MD5
5ddfdf4e0f542cc9c9afde4225135884

SHA1
203ffdb3299df9bcf011f9975f3d190eb7a90287

SHA256
28908ad92ada3d4efd40c9a40ebcf6ad7ebd94f07f9a2e9978482e57f1bd1034

SHA512
a6f1acd20adfa8438fe4a926ea8a6621d1dff765b10818faf6622c04b68aaa6a37a5f9d6719015a3ea4f500d290c2c7c4016043ebaab5443e38d62a720cc8403

Download Submit
C:\Windows\System\EyzQEYZ.exe

Filesize
1.3MB

MD5
c17de6fd998d55ec0fc3e92153d38ff1

SHA1
0743431f7746a2defc3c3220caf74d87637729b2

SHA256
86b1543608752eaf6d329a10dde8667499c912d4baf17bda113333a0b46ac0cb

SHA512
2d2cf7603f42712042e9bbf472ee5520643be8f4bb1f2c4a461709058039fe6d318b63c6be64aca8ed88c34e0f272a35633deccfcb5fc3fa42d88527a5fc0eb7

Download Submit
C:\Windows\System\FoPnCKI.exe

Filesize
1.3MB

MD5
fc0c200ad4019bf0b2fc52c6ab19cc44

SHA1
b3fb604b3da1cfd069a3f09cae5bc714cb13dbf7

SHA256
0b2e3a1eac759cc6fb0f88c4eb3634655f3f2a2fd332926cd443b7e753633ff8

SHA512
e0bcaad30af55a2525062ef3cca5b02c65e75cb84e7c4bf73e7147d28968d474b783ba064fc6910fa41aec844f46883d776bce04c60dc7a7c29cc5522e3ddab9

Download Submit
C:\Windows\System\GJqjwVW.exe

Filesize
1.3MB

MD5
7aa7812f74bc9ad9f9cfbf7f1346557e

SHA1
81357d629d829d638a6522f8e933fd71b132bff3

SHA256
ff355af54a167b9623ec59f484b485484d791ae8143ccad8836d6f32e6d6353c

SHA512
2646a3d7f91c3600df5f011b345c9bcf86a15e0e8211c6c473aa191619262b2261f17518003486cb863b8324321a1092ff51998e98278f93ac09386378dd79d1

Download Submit
C:\Windows\System\GyOAixV.exe

Filesize
1.3MB

MD5
53c119b1d7a73d33c6455093b9b1dbfb

SHA1
a48788a1e76b059aec4a30792c09ac88bfc0bc18

SHA256
e84709a78f3c48f5dea8c3790a2e02a099af2d56b3aee535e5482441c66b6a88

SHA512
55d100f8f7e6f5ea20f764e62040862944054ee1ab2cebb460be722898f5db2c86bf9bb1033848bbbd3f46ff9aaca3b70b52d10cfa24b3465ca2940725f54e2e

Download Submit
C:\Windows\System\IkaofUZ.exe

Filesize
1.3MB

MD5
5f2bf847c37c689e164bd05b334f139b

SHA1
ff11945827b2150c793fcd4a87f28cbda1544446

SHA256
4b1c539947715eddd085f7545728c4a7e8ce3a837b7699972a7b3131a57049f2

SHA512
dca4ba470b7a7ff79d4a718e6744fd1032fe63fbcd634da807a661ceda66ff8383dea88eacaa6fe0f7d8291da6b85470269b5c8809cf3f7fe15184a81db2fa9a

Download Submit
C:\Windows\System\JYFKmIO.exe

Filesize
1.3MB

MD5
44708eb5389f2cee4c8da71256ac2069

SHA1
4a38ca0fe9156945d5aaa5ed0f0590c905fb56af

SHA256
ca189e4920ba8bc0b5e3827205b0c1029739866267bdcf68ae2d4e1637e754fb

SHA512
3bd31cfd6380f3b2a58da8f0bf618c1061baf7a48d12c5fc8623865c8a29fe9d1b20d5194b7c9af8626272d6750284dbb103bf258bde7fd8a6035b54ed9c6602

Download Submit
C:\Windows\System\KVTqDFJ.exe

Filesize
1.3MB

MD5
a3147ffc9045b0a5abd9545d17331ac1

SHA1
0248bb1c4efa27cbf3dda9ea93cf5066b138a737

SHA256
b085e17a6529fd828cc78d97a6565356821e6c2817cc292b73b592346ffc406b

SHA512
1300664b2c10514ed518d0b59ca944a72c9c5db88dcd6d0c23e2e65271a5f8b53c23566bb09be8d4bcb0626389d81c3de8ae8ef8ea7ca60b3e2c02ad30d37dd6

Download Submit
C:\Windows\System\KdOHsmJ.exe

Filesize
1.3MB

MD5
4303db51f4de0495cfe01add3b1f7e7b

SHA1
8c4ec13a2a500b78a383efa2275b1ffd4fe01935

SHA256
3b4393bada5362cdb3ce7f9780f5a1c9794284b6c5f9f63c3770a4e2e4bed2a6

SHA512
8bd4fe1ad452e314f3d90a3c83900d0839fd2002ea9be02fe70d56fa007a68ce6f4058a7efe806a1141088c2f5f6c85d0b31f34583535119394b0f50f0f33714

Download Submit
C:\Windows\System\MvHdXJF.exe

Filesize
1.3MB

MD5
c797fa31209f2815467ebd383272be55

SHA1
5722c771509e8b4e80c988e8930340a0f3f55d88

SHA256
ea7fb6987d533cb35b1c07840ab8e333deabdf9590afdc7dabfd3ca040eda9d1

SHA512
5d4ca300465711885822ca324f26f6f3c96637ed0a796887ddba1b08d9cd2bbfc4bb7fb694bd262f182ff090a4e8cff091d90692a47987fc40b0defd41aa3a72

Download Submit
C:\Windows\System\NEssJwz.exe

Filesize
1.3MB

MD5
78f0b5db96476e9d604f2ea4a8f3a0d6

SHA1
8955d75638da09cfd713d7149745f678d4404d35

SHA256
90f4c4be275da164bf35a0a9b92732cd1b20777e288cf5e2620f83b34c37edf1

SHA512
1f05adbd4318539619a9ad94b6d55eb30cb660da725083fcae1a8efe675677b608b98227ec3e4c2c22eed7ac6c603c687bd59563f185b62c5ef93a13a19d0a60

Download Submit
C:\Windows\System\NqVnxAv.exe

Filesize
1.3MB

MD5
4070538110f80abf804b99a4c26c4517

SHA1
6f1878064238e10509ff8e6b7f4e5aff63e26225

SHA256
235ac159d7cea42d202cb36db0281d70a64f6a391c501772074c66f2ee5ba04c

SHA512
22aa16b8741d9e3257a0b06fe8669a3b4a86141cdd74a151344a3a45483482ff06c20b6823f2726adb7e408e381b2e27b7d05017d7bc8415758e0ff074bb1fac

Download Submit
C:\Windows\System\OkXSGee.exe

Filesize
1.3MB

MD5
d1f747fab75a119b48305872543ac25a

SHA1
f9368fc5bf5cea975b6ab2e3a7a0f95f48c0d0af

SHA256
b176f60d185a92c8071c522463111ac9f87c3d22cb2510d6d305301814614000

SHA512
e16ab42accd3cb9a100c3cb2367d88cfb401278de5ba622cbba1d4704e77ab2e09b0ab64ab88859905f85ad09c85a96c1a81da60c5a1837fd06e711e439f8a66

Download Submit
C:\Windows\System\PHBkPtk.exe

Filesize
1.3MB

MD5
179162d23e7aec6d682d03889f903e66

SHA1
1470cbea6d3191824bd1fd66e6999a5f08a41fc1

SHA256
064a128ae45348e3d7f07f7a4f900b92262a39e02c636c10c2276625bd20b0ef

SHA512
177ca6f74825c7f83eb2e547c9d71c6891b9730d3a6c5e5ff17bc110b516397224509199d9c8515f61eea4558f284683e0bf51662d003ffeebcc21e8a967c375

Download Submit
C:\Windows\System\PmSUmtn.exe

Filesize
1.3MB

MD5
83e83a87500ad39130fc2859138f798c

SHA1
ad7362194b901550acc890dabf5c8c21bfa00061

SHA256
43fb5acf123a81caa1e7f1baae2d91d3e15f421598e1054cf15c00330fa49fc2

SHA512
0b69f9c7b3b51eec9e1d4e101caa12804477fd37ad5c08617d16deb620032d59d355c73c8b098fcd25d387161acfeeea4f729d054ad4de2fddb8d7149e8bb61d

Download Submit
C:\Windows\System\QzQoEHs.exe

Filesize
1.3MB

MD5
a9f6c92e43f0bd84839e1094ecd0370c

SHA1
c2786ae86ef8e8fcdcf15be4f8f3b16169b8c894

SHA256
83fcd37794ac2ddb7d367459c462ee2aa56530752a74fad203874c67b7e3313b

SHA512
f86ba441797819d25a9fee198ed82110200fd35a94bcd49ba12dc6ad6a3fd794ea4cf24a5f2a9f071c1370dd8d86e75af46fc198c6c89573b0182522c370d71c

Download Submit
C:\Windows\System\TOZxadc.exe

Filesize
1.3MB

MD5
89cdd7fa38e563568277d1c16cd6de9a

SHA1
623a1045a91557aded15c618fd3fccf2c7173d7b

SHA256
2e1d2c5927b761c20e8e73afff91b008a50efbb2dff851a0ee1ef2302e8d463f

SHA512
44cbe9c3b9bfe42bbfa08fee4cc724573fb5b725de71663de0ca8914e2eb94270b2750067dfaf00d42536e3505523da21f90d12f71b6dd2434ec1deb4aa681f4

Download Submit
C:\Windows\System\TRCRArN.exe

Filesize
1.3MB

MD5
4f19ed1f07baee83843fee644246fc62

SHA1
12e20c8da9cb95c06c03b7a26970bb4bcd5db852

SHA256
240d0e612adde77c250e08be2c326d143b8166956961ebec5abf06d22bb11060

SHA512
2554a163cfbd0760f428bea4cc29f356e6a6bbf6feb055ede80f74a2e3229dbc8cb9b598275a044af7eb9c3acf7e1c8e41bf6becc0b3e31af051aff7d5a7284a

Download Submit
C:\Windows\System\TYvKRDk.exe

Filesize
1.3MB

MD5
ed31b4f296ee4a506c8ae4306efe5160

SHA1
95239c1ff63f7458f6268e9832771334ecaa41b5

SHA256
e8aad2ef60e64ad762a7c8cf40c21fda170dc04571cabfdd8e5ee1015d7477a8

SHA512
49f9d151166e266411e13909fbc4434340f45a483c2baf600fba1059d9b55a7b5ae2d4eb3eb9fc4f8f0dae5f6cc4aafb10ac60f4952f87fd80107c966f74a7d0

Download Submit
C:\Windows\System\ZkNkivJ.exe

Filesize
1.3MB

MD5
c9dd9d3d2a511a745acb973251db295a

SHA1
ac7be3993306656a564bfc026f375a7cb0feac5f

SHA256
4c70b808017b9160029af05a196c6381f88fe9b0979a2c310fc4b202b223bbbc

SHA512
bcf7ca8fcca16970dfbb42282e878443577cd32d4fb3749b3afac7f8db5d697d388cffd334eee776d2fecc062252cad0bb14cc31184d52162201497eefe4d819

Download Submit
C:\Windows\System\caERmfa.exe

Filesize
1.3MB

MD5
a3e95fdd79f3f35aabcf76984a0b9c18

SHA1
9de60d54eb8f9573d698072eb05cc638e3c579ff

SHA256
fd51b9503440a775e60c86f23ebd12ac4a2d3aa784c92b4ab643e16c923848bb

SHA512
37377c4aea7d649003242a84e322d01d00160f93e40ef74c24f9ff8e42e8ee1cb90a855e7561bcb31e30370e0ae956cb6dbc59ab74854d6297c8dcdb76e7aa90

Download Submit
C:\Windows\System\gCPaOgs.exe

Filesize
1.3MB

MD5
947127dfe8fe78ccc59510106bdcff21

SHA1
ab1d3fafc887290d1e690ed2d3774ff84dcbaada

SHA256
5992ff912a26b5c43bdfeab6d5e854dd4d60bd04b6fecc3436f98e0df8312047

SHA512
45fb18e84bb3a57b2b0996ee1af270c9fa2ddb02bd18059f83f0459f012afdb0c3ba5db56672f9c6e289af2a3fe1fdb55ade1a777289bd7d624ac88034e23b00

Download Submit
C:\Windows\System\gzDbZxe.exe

Filesize
1.3MB

MD5
94c6ffcf7ca13995f46c46dee6bd8b71

SHA1
6f3c3f339719eda88c1c9b951977247eb1d7008f

SHA256
cee61ea53926ee821dfc757ec287d6c476cff2b63b9f7954a373e6d8a595d1c0

SHA512
7fbf994aec5141f57d1477e0add68c095b4540afac85b34d500e656e8be44e51900f926b54067a25da1c69b640eed5767cbb2ee6bfdb01168d8117b7c4b3ee26

Download Submit
C:\Windows\System\hxTzvFr.exe

Filesize
1.3MB

MD5
575cd2c0a95d94b062d207127057957a

SHA1
346a5271fb351b1650a42c62564a2bc0709644aa

SHA256
91840272b18868ff49c5575077c2eadf14dfc2714255b752d2d2bcd58d28fb4d

SHA512
f1fc12ea8a4549782b0fcb96353ea3fe569f9abd5c58bdfcbed75ac48eb5f384f2ab50271ca0ecd2ac77b5cdf330ef304528084446c46ece6584746281547e83

Download Submit
C:\Windows\System\jQdVSHF.exe

Filesize
1.3MB

MD5
0c636ecc9d5629e87ef813ab1919e0ef

SHA1
f9bc8e0a89712aff19e065cfde334c05e8c98d41

SHA256
edbc8c34ccd7970e47e20fef5966a9d37eb4dde107593109f6037c94465d4653

SHA512
b9a4b1c3668b8957f08dea2390f9599ba895877d3e4dac67443b06a25393749d75c1c0d33dda0cdb425d13878f1a262bbfc8de5b0b03d32a26ac1042da7c2ac9

Download Submit
C:\Windows\System\jTSDTEg.exe

Filesize
1.3MB

MD5
8a854342ee4dbd9f5b3d3fb845f62aa4

SHA1
dd9549317f46666edc0e29363b14f0cb8115abf0

SHA256
50ab9364ff9956fc4efc99eccc81691b9eeb7b4b2d7b18b3e5b81d11de6a0eb3

SHA512
24df9be5c3866ff377dc62c3f3e2bf99583df9f6ce8daf1364028571f3dfe87d6680bd43720d3a5fe4308ccb367d734dc686ade85d7dc5ac0c87cd163f1ab0e0

Download Submit
C:\Windows\System\kNddrsA.exe

Filesize
1.3MB

MD5
597e4eb2206214ecfae7b561114f16bb

SHA1
2c9018138884b3ff9683f2d999930f5ee66dd345

SHA256
d57cb11697a0959223e1d06aaec253b45fefeea36c1cb480150ec25fa29b12da

SHA512
871269e5950eebe9f1c396fdd10216cb4c7f74bdccb611bd0ec38a637341a798f1f65c25bba5afe42cc3dfd4faa69b9bdddb0af525c5f3ad7802e57d63ebc89c

Download Submit
C:\Windows\System\knWDUep.exe

Filesize
1.3MB

MD5
fe2cc1c05f65e17f887cf3c26e478fed

SHA1
fcdf5b4d9f75bc7ef15340cab2ce2c45cdf2a5f4

SHA256
e25d72fd03682ec688bc49766f70e6a8e9885273469ac9596bcb8d845dbfdc9c

SHA512
933a423f84c23976610cecd2ebb74c975765af74d0b97613f34e0ace386d0baa1a4ecae977ab2d57605557b85acd4a3cb882afa6ff1088a28065580f28f780f0

Download Submit
C:\Windows\System\ktPieXW.exe

Filesize
1.3MB

MD5
99bda8d0260887d635ef2ac55ee79df8

SHA1
319b88251e0068d37791c940d84919b2c1fcaa1e

SHA256
d3c5170d76ae370fc6e009700088f8ddac22517dcdbd55afba949cea5ebf16ee

SHA512
bac1714e6ac82057fc70536a3f1f187c03020e38602d52736b0ec4350b4459a2334a5f080d96bbbccc4ac1b7ff0f36fafdf676b0e71dab0b2450bed82a7e1e6b

Download Submit
C:\Windows\System\mPPeTtG.exe

Filesize
1.3MB

MD5
2fc20a0cdda690697c2b69adaba341fd

SHA1
511e3a45a915d28316f06cf60c94c6910b1e20be

SHA256
1a973761ded02b44470c692c57fe54d348620bc99fd9347ed30eaa6a836053f0

SHA512
0f30215f7a48e0f100208af4a0f75517110a4a4eda222ca10febc5960d801b74742972861518866f9303d3d81d85bd4f2e8961844dfc4367af338098c7cee744

Download Submit
C:\Windows\System\neWsNpW.exe

Filesize
1.3MB

MD5
a745b14166e74418de5b59b78e04387e

SHA1
8070802ca79f9a7e20053e6e8cf15fd827891ce6

SHA256
3d2bcdda88fe4eb73e3d0fec705812855f197370ea0cb0861ff488edef3f3b70

SHA512
7f07c2816f3adf7243e8a52b7ea9e27547701b4b7108e9159ba8a8ab441a631ca3b2efa4a4c780cce69944f55a5742eed494707a1f9b6f9034403025f3b9f9ff

Download Submit
C:\Windows\System\oXhayhS.exe

Filesize
1.3MB

MD5
d28f7898628d662312112c3bafae95a6

SHA1
f52c095b52de2643502fb6216757e50944d52103

SHA256
64c49d942100561b5aac0067bd38e77558c7d80f69238ff16f809e731fba650e

SHA512
2a0f81d6b54d32e2e1f8bf17edb7a81d529bbf853dd0995af1e909c45c2ec2a0865b128746e4ca70c56324411afe4752997b48db2de8ee2a8ad58e2fc7ff3dc0

Download Submit
C:\Windows\System\xZbBxyQ.exe

Filesize
1.3MB

MD5
cd91097d78b4024b112dac85075eec08

SHA1
aba3367712bf33f68fb4b235ec7d773fcbb72fca

SHA256
2caa23e35fe01262f2861160d3a931dd29f93a9ced02e9abaa156ba3aa619e7a

SHA512
1a2385492e598964e435c5699fcd1933e61aa893154e780cbd02c9ce2bae0c30bbd41dd86062912c455ed6f2dd5d2b223c306c53683d3e31854467d4a71dfa7d

Download Submit
C:\Windows\System\zHhGEXQ.exe

Filesize
1.3MB

MD5
301d03c98dd3294add4b093975f9268f

SHA1
e9ad298b835b97f1f4a7a6c3fecc703056d349b2

SHA256
839a0083d0582674ed2ccaad758f367f5b9204ab03f7a57e30242a3cc059eedd

SHA512
b133a2a5fe9ecae7aee3d9e409aae2d59bc1bed9f5ee15bc1333769802b832f5273df417a378d9d04a8843a66cc8807824b9616a3e952991e2286419a199923b

Download Submit
memory/1088-0-0x00000147CD980000-0x00000147CD990000-memory.dmp

Filesize
64KB

Download