xmrig | c631762ffafaf90b58cfedc0c5d00ad852a67db71be91b0e5271595811cb253d

Analysis

max time kernel
139s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
Size

1.3MB
MD5

df5194089147f63d672b4ffb67916050
SHA1

58379655a3e8525ba59a746fcedbc732273dd9f1
SHA256

c631762ffafaf90b58cfedc0c5d00ad852a67db71be91b0e5271595811cb253d
SHA512

e7f8667e5b868cf1945e4e0a1e854c51ce71cdc50f473ced4eac3652b8736ea33426db13e5cafff157f8c9051e15086965e688e2b63204feaf3c72194c4864cd
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkTT7UudBWkTDx:GezaTF8FcNkNdfE0pZ9oztFwI6Kw

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000023262-5.dat	xmrig
behavioral2/files/0x0008000000023265-10.dat	xmrig
behavioral2/files/0x0009000000023269-7.dat	xmrig
behavioral2/files/0x000800000002326a-17.dat	xmrig
behavioral2/files/0x000700000002326b-24.dat	xmrig
behavioral2/files/0x000700000002326d-34.dat	xmrig
behavioral2/files/0x000700000002326c-36.dat	xmrig
behavioral2/files/0x000700000002326e-39.dat	xmrig
behavioral2/files/0x0008000000023266-44.dat	xmrig
behavioral2/files/0x000700000002326f-48.dat	xmrig
behavioral2/files/0x0007000000023270-54.dat	xmrig
behavioral2/files/0x0007000000023271-60.dat	xmrig
behavioral2/files/0x0007000000023272-63.dat	xmrig
behavioral2/files/0x0007000000023273-70.dat	xmrig
behavioral2/files/0x0007000000023274-73.dat	xmrig
behavioral2/files/0x0007000000023275-79.dat	xmrig
behavioral2/files/0x0007000000023276-83.dat	xmrig
behavioral2/files/0x0007000000023277-90.dat	xmrig
behavioral2/files/0x0007000000023278-94.dat	xmrig
behavioral2/files/0x0007000000023279-98.dat	xmrig
behavioral2/files/0x000700000002327a-104.dat	xmrig
behavioral2/files/0x000700000002327b-110.dat	xmrig
behavioral2/files/0x000700000002327c-113.dat	xmrig
behavioral2/files/0x000700000002327e-123.dat	xmrig
behavioral2/files/0x000700000002327d-120.dat	xmrig
behavioral2/files/0x000700000002327f-128.dat	xmrig
behavioral2/files/0x0007000000023280-133.dat	xmrig
behavioral2/files/0x0007000000023281-138.dat	xmrig
behavioral2/files/0x0007000000023282-144.dat	xmrig
behavioral2/files/0x0007000000023283-149.dat	xmrig
behavioral2/files/0x0007000000023285-152.dat	xmrig
behavioral2/files/0x0007000000023286-158.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3236	KODxSbb.exe
3620	lGNFhSZ.exe
4280	UvRYiLQ.exe
532	nRXLJUG.exe
5552	cgCojHf.exe
2760	umFrudu.exe
1080	LJYNnnq.exe
924	EBpEMkq.exe
1420	bJwWJTB.exe
5436	KEHvdDo.exe
5424	ynNgxMN.exe
1644	hDgiQiY.exe
3376	kIxYyvZ.exe
5320	BVvqoZR.exe
5316	bzEPOWi.exe
4608	ElIneyk.exe
560	TTPTHVa.exe
2196	GleTMgN.exe
4640	whQJLaH.exe
5964	yhfNBqd.exe
5996	ogElFKZ.exe
3592	HQnGKPS.exe
5512	oDouawl.exe
1940	yTELCXC.exe
3308	CLcwXtB.exe
5480	rOcQbsW.exe
1004	fPlkgHZ.exe
4584	JcwdQfB.exe
5792	NppKqkl.exe
5800	clMPtnl.exe
1056	bcXsZFM.exe
2440	LItsyEu.exe
5844	UjZPQSq.exe
3804	GpTHKpH.exe
6036	XxRTfle.exe
3084	erQPWCB.exe
3388	QEIQPrD.exe
3848	LdbRcvz.exe
3476	PKcoMNW.exe
5032	FuxeFpp.exe
4008	ZrwkDsq.exe
3768	mNPAvfL.exe
1540	sMWuXhq.exe
4288	RIJWJkv.exe
5088	KVyDiaX.exe
2472	BPVWZSz.exe
1900	gmfggZi.exe
4492	naaBGXE.exe
4388	MpuOZHP.exe
3316	ePScLNz.exe
3124	jjLrgft.exe
4952	WWWjNdv.exe
3532	mVXhLtU.exe
6052	ncCSzBh.exe
2040	UjJFOxE.exe
1436	eWKHVmM.exe
784	RLDYbiy.exe
1640	ZLEAFjP.exe
4652	jASLvmc.exe
528	rUQvWpV.exe
872	OZIXYgu.exe
864	FmUURPu.exe
1712	Morrmze.exe
4904	EqQFDwA.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\gcduPXO.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\OZIXYgu.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WOtZJmQ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\kfhgFtR.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\aVUWUZj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\OMKyafh.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WpYnqYJ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\quekysK.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\XElaUoY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ObCutPX.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\xgzNVxD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\LJYNnnq.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\BVvqoZR.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WWWCPQq.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\nRXLJUG.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\CLcwXtB.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\rnweyDC.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\yzuztAu.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\GleTMgN.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\GpTHKpH.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\RIJWJkv.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\mvwypzY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\SUgsbDD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\mRyhnDm.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\qHSerSt.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\vTKyqcS.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\zUKWeEt.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\oDouawl.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\Byeojtn.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\gmfggZi.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\vCBQiYG.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ZjhNkKH.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\ZLEAFjP.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\oJNXHzI.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\KrSiXVh.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\PBLTwwj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\MHpzuyU.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\egycGCj.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\YKYCqDR.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\sMWuXhq.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\jBDITuQ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\fIxftkV.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WArguTd.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\bChdRNe.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\nWWcAto.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\FuxeFpp.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\BoRowFo.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\vgwszOQ.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\TEoBdGu.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\SXeIXde.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\gPuiSlt.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\zzgukwp.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\PKcoMNW.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\NjqLDZD.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\PgWSQDF.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\DNIGFdU.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\cgCojHf.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\KVyDiaX.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\WWWjNdv.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\mVXhLtU.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\saeSCXo.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\JxZHjLF.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\LYipqQy.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
File created	C:\Windows\System\jizijBY.exe	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3236	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	92
PID 2260 wrote to memory of 3236	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	92
PID 2260 wrote to memory of 3620	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	93
PID 2260 wrote to memory of 3620	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	93
PID 2260 wrote to memory of 4280	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	94
PID 2260 wrote to memory of 4280	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	94
PID 2260 wrote to memory of 532	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	95
PID 2260 wrote to memory of 532	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	95
PID 2260 wrote to memory of 5552	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	96
PID 2260 wrote to memory of 5552	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	96
PID 2260 wrote to memory of 2760	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	97
PID 2260 wrote to memory of 2760	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	97
PID 2260 wrote to memory of 1080	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	98
PID 2260 wrote to memory of 1080	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	98
PID 2260 wrote to memory of 924	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	99
PID 2260 wrote to memory of 924	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	99
PID 2260 wrote to memory of 1420	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	100
PID 2260 wrote to memory of 1420	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	100
PID 2260 wrote to memory of 5436	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	101
PID 2260 wrote to memory of 5436	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	101
PID 2260 wrote to memory of 5424	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	102
PID 2260 wrote to memory of 5424	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	102
PID 2260 wrote to memory of 1644	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	103
PID 2260 wrote to memory of 1644	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	103
PID 2260 wrote to memory of 3376	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	104
PID 2260 wrote to memory of 3376	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	104
PID 2260 wrote to memory of 5320	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	105
PID 2260 wrote to memory of 5320	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	105
PID 2260 wrote to memory of 5316	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	106
PID 2260 wrote to memory of 5316	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	106
PID 2260 wrote to memory of 4608	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	107
PID 2260 wrote to memory of 4608	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	107
PID 2260 wrote to memory of 560	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	108
PID 2260 wrote to memory of 560	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	108
PID 2260 wrote to memory of 2196	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	109
PID 2260 wrote to memory of 2196	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	109
PID 2260 wrote to memory of 4640	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	110
PID 2260 wrote to memory of 4640	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	110
PID 2260 wrote to memory of 5964	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	111
PID 2260 wrote to memory of 5964	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	111
PID 2260 wrote to memory of 5996	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	112
PID 2260 wrote to memory of 5996	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	112
PID 2260 wrote to memory of 3592	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	113
PID 2260 wrote to memory of 3592	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	113
PID 2260 wrote to memory of 5512	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	114
PID 2260 wrote to memory of 5512	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	114
PID 2260 wrote to memory of 1940	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	115
PID 2260 wrote to memory of 1940	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	115
PID 2260 wrote to memory of 3308	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	116
PID 2260 wrote to memory of 3308	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	116
PID 2260 wrote to memory of 5480	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	117
PID 2260 wrote to memory of 5480	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	117
PID 2260 wrote to memory of 1004	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	118
PID 2260 wrote to memory of 1004	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	118
PID 2260 wrote to memory of 4584	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	119
PID 2260 wrote to memory of 4584	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	119
PID 2260 wrote to memory of 5792	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	120
PID 2260 wrote to memory of 5792	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	120
PID 2260 wrote to memory of 5800	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	121
PID 2260 wrote to memory of 5800	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	121
PID 2260 wrote to memory of 1056	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	122
PID 2260 wrote to memory of 1056	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	122
PID 2260 wrote to memory of 2440	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	123
PID 2260 wrote to memory of 2440	2260	df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe	123

C:\Users\Admin\AppData\Local\Temp\df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df5194089147f63d672b4ffb67916050_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System\KODxSbb.exe
  C:\Windows\System\KODxSbb.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\lGNFhSZ.exe
  C:\Windows\System\lGNFhSZ.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\UvRYiLQ.exe
  C:\Windows\System\UvRYiLQ.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\nRXLJUG.exe
  C:\Windows\System\nRXLJUG.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\cgCojHf.exe
  C:\Windows\System\cgCojHf.exe
  2⤵
  - Executes dropped EXE
  PID:5552
- C:\Windows\System\umFrudu.exe
  C:\Windows\System\umFrudu.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\LJYNnnq.exe
  C:\Windows\System\LJYNnnq.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\EBpEMkq.exe
  C:\Windows\System\EBpEMkq.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\bJwWJTB.exe
  C:\Windows\System\bJwWJTB.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\KEHvdDo.exe
  C:\Windows\System\KEHvdDo.exe
  2⤵
  - Executes dropped EXE
  PID:5436
- C:\Windows\System\ynNgxMN.exe
  C:\Windows\System\ynNgxMN.exe
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Windows\System\hDgiQiY.exe
  C:\Windows\System\hDgiQiY.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\kIxYyvZ.exe
  C:\Windows\System\kIxYyvZ.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\BVvqoZR.exe
  C:\Windows\System\BVvqoZR.exe
  2⤵
  - Executes dropped EXE
  PID:5320
- C:\Windows\System\bzEPOWi.exe
  C:\Windows\System\bzEPOWi.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Windows\System\ElIneyk.exe
  C:\Windows\System\ElIneyk.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\TTPTHVa.exe
  C:\Windows\System\TTPTHVa.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\GleTMgN.exe
  C:\Windows\System\GleTMgN.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\whQJLaH.exe
  C:\Windows\System\whQJLaH.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\yhfNBqd.exe
  C:\Windows\System\yhfNBqd.exe
  2⤵
  - Executes dropped EXE
  PID:5964
- C:\Windows\System\ogElFKZ.exe
  C:\Windows\System\ogElFKZ.exe
  2⤵
  - Executes dropped EXE
  PID:5996
- C:\Windows\System\HQnGKPS.exe
  C:\Windows\System\HQnGKPS.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\oDouawl.exe
  C:\Windows\System\oDouawl.exe
  2⤵
  - Executes dropped EXE
  PID:5512
- C:\Windows\System\yTELCXC.exe
  C:\Windows\System\yTELCXC.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\CLcwXtB.exe
  C:\Windows\System\CLcwXtB.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\rOcQbsW.exe
  C:\Windows\System\rOcQbsW.exe
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Windows\System\fPlkgHZ.exe
  C:\Windows\System\fPlkgHZ.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\JcwdQfB.exe
  C:\Windows\System\JcwdQfB.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\NppKqkl.exe
  C:\Windows\System\NppKqkl.exe
  2⤵
  - Executes dropped EXE
  PID:5792
- C:\Windows\System\clMPtnl.exe
  C:\Windows\System\clMPtnl.exe
  2⤵
  - Executes dropped EXE
  PID:5800
- C:\Windows\System\bcXsZFM.exe
  C:\Windows\System\bcXsZFM.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\LItsyEu.exe
  C:\Windows\System\LItsyEu.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\UjZPQSq.exe
  C:\Windows\System\UjZPQSq.exe
  2⤵
  - Executes dropped EXE
  PID:5844
- C:\Windows\System\GpTHKpH.exe
  C:\Windows\System\GpTHKpH.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\XxRTfle.exe
  C:\Windows\System\XxRTfle.exe
  2⤵
  - Executes dropped EXE
  PID:6036
- C:\Windows\System\erQPWCB.exe
  C:\Windows\System\erQPWCB.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\QEIQPrD.exe
  C:\Windows\System\QEIQPrD.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\LdbRcvz.exe
  C:\Windows\System\LdbRcvz.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\PKcoMNW.exe
  C:\Windows\System\PKcoMNW.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\FuxeFpp.exe
  C:\Windows\System\FuxeFpp.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\ZrwkDsq.exe
  C:\Windows\System\ZrwkDsq.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\mNPAvfL.exe
  C:\Windows\System\mNPAvfL.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\sMWuXhq.exe
  C:\Windows\System\sMWuXhq.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\RIJWJkv.exe
  C:\Windows\System\RIJWJkv.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\KVyDiaX.exe
  C:\Windows\System\KVyDiaX.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\BPVWZSz.exe
  C:\Windows\System\BPVWZSz.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\gmfggZi.exe
  C:\Windows\System\gmfggZi.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\naaBGXE.exe
  C:\Windows\System\naaBGXE.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\MpuOZHP.exe
  C:\Windows\System\MpuOZHP.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\ePScLNz.exe
  C:\Windows\System\ePScLNz.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\jjLrgft.exe
  C:\Windows\System\jjLrgft.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\WWWjNdv.exe
  C:\Windows\System\WWWjNdv.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\mVXhLtU.exe
  C:\Windows\System\mVXhLtU.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\ncCSzBh.exe
  C:\Windows\System\ncCSzBh.exe
  2⤵
  - Executes dropped EXE
  PID:6052
- C:\Windows\System\UjJFOxE.exe
  C:\Windows\System\UjJFOxE.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\eWKHVmM.exe
  C:\Windows\System\eWKHVmM.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\RLDYbiy.exe
  C:\Windows\System\RLDYbiy.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\ZLEAFjP.exe
  C:\Windows\System\ZLEAFjP.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\jASLvmc.exe
  C:\Windows\System\jASLvmc.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\rUQvWpV.exe
  C:\Windows\System\rUQvWpV.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\OZIXYgu.exe
  C:\Windows\System\OZIXYgu.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\FmUURPu.exe
  C:\Windows\System\FmUURPu.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\Morrmze.exe
  C:\Windows\System\Morrmze.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\EqQFDwA.exe
  C:\Windows\System\EqQFDwA.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\LYipqQy.exe
  C:\Windows\System\LYipqQy.exe
  2⤵
  PID:6008
- C:\Windows\System\KMCzIRx.exe
  C:\Windows\System\KMCzIRx.exe
  2⤵
  PID:4916
- C:\Windows\System\cSbrZzA.exe
  C:\Windows\System\cSbrZzA.exe
  2⤵
  PID:4372
- C:\Windows\System\WpYnqYJ.exe
  C:\Windows\System\WpYnqYJ.exe
  2⤵
  PID:2220
- C:\Windows\System\SXeIXde.exe
  C:\Windows\System\SXeIXde.exe
  2⤵
  PID:2056
- C:\Windows\System\VPcxohN.exe
  C:\Windows\System\VPcxohN.exe
  2⤵
  PID:4148
- C:\Windows\System\JMhKHPe.exe
  C:\Windows\System\JMhKHPe.exe
  2⤵
  PID:1936
- C:\Windows\System\fIxftkV.exe
  C:\Windows\System\fIxftkV.exe
  2⤵
  PID:5280
- C:\Windows\System\oCTHRBd.exe
  C:\Windows\System\oCTHRBd.exe
  2⤵
  PID:5420
- C:\Windows\System\vrdTrBS.exe
  C:\Windows\System\vrdTrBS.exe
  2⤵
  PID:5392
- C:\Windows\System\dIWfexK.exe
  C:\Windows\System\dIWfexK.exe
  2⤵
  PID:5412
- C:\Windows\System\UIoRsdD.exe
  C:\Windows\System\UIoRsdD.exe
  2⤵
  PID:2224
- C:\Windows\System\nFUCLFQ.exe
  C:\Windows\System\nFUCLFQ.exe
  2⤵
  PID:5380
- C:\Windows\System\rNAIFRf.exe
  C:\Windows\System\rNAIFRf.exe
  2⤵
  PID:2644
- C:\Windows\System\LyvcDJB.exe
  C:\Windows\System\LyvcDJB.exe
  2⤵
  PID:4860
- C:\Windows\System\BoRowFo.exe
  C:\Windows\System\BoRowFo.exe
  2⤵
  PID:2088
- C:\Windows\System\otSokCf.exe
  C:\Windows\System\otSokCf.exe
  2⤵
  PID:4476
- C:\Windows\System\SLRIWcW.exe
  C:\Windows\System\SLRIWcW.exe
  2⤵
  PID:5976
- C:\Windows\System\ujVEjKt.exe
  C:\Windows\System\ujVEjKt.exe
  2⤵
  PID:5940
- C:\Windows\System\sQVcvBA.exe
  C:\Windows\System\sQVcvBA.exe
  2⤵
  PID:5488
- C:\Windows\System\UXgazYn.exe
  C:\Windows\System\UXgazYn.exe
  2⤵
  PID:5536
- C:\Windows\System\SiptwYD.exe
  C:\Windows\System\SiptwYD.exe
  2⤵
  PID:5468
- C:\Windows\System\YTKeSiQ.exe
  C:\Windows\System\YTKeSiQ.exe
  2⤵
  PID:2068
- C:\Windows\System\quekysK.exe
  C:\Windows\System\quekysK.exe
  2⤵
  PID:1320
- C:\Windows\System\pFwwIJc.exe
  C:\Windows\System\pFwwIJc.exe
  2⤵
  PID:6100
- C:\Windows\System\YbdEMga.exe
  C:\Windows\System\YbdEMga.exe
  2⤵
  PID:5076
- C:\Windows\System\WOtZJmQ.exe
  C:\Windows\System\WOtZJmQ.exe
  2⤵
  PID:5116
- C:\Windows\System\mvwypzY.exe
  C:\Windows\System\mvwypzY.exe
  2⤵
  PID:768
- C:\Windows\System\saeSCXo.exe
  C:\Windows\System\saeSCXo.exe
  2⤵
  PID:1580
- C:\Windows\System\Byeojtn.exe
  C:\Windows\System\Byeojtn.exe
  2⤵
  PID:2548
- C:\Windows\System\gPuiSlt.exe
  C:\Windows\System\gPuiSlt.exe
  2⤵
  PID:888
- C:\Windows\System\TLjJBrI.exe
  C:\Windows\System\TLjJBrI.exe
  2⤵
  PID:1852
- C:\Windows\System\NjqLDZD.exe
  C:\Windows\System\NjqLDZD.exe
  2⤵
  PID:4716
- C:\Windows\System\gjeIAwS.exe
  C:\Windows\System\gjeIAwS.exe
  2⤵
  PID:4496
- C:\Windows\System\kfhgFtR.exe
  C:\Windows\System\kfhgFtR.exe
  2⤵
  PID:4884
- C:\Windows\System\hvGwklC.exe
  C:\Windows\System\hvGwklC.exe
  2⤵
  PID:5292
- C:\Windows\System\NFcMkLb.exe
  C:\Windows\System\NFcMkLb.exe
  2⤵
  PID:3480
- C:\Windows\System\jBDITuQ.exe
  C:\Windows\System\jBDITuQ.exe
  2⤵
  PID:3392
- C:\Windows\System\SUgsbDD.exe
  C:\Windows\System\SUgsbDD.exe
  2⤵
  PID:2996
- C:\Windows\System\mEXfRNj.exe
  C:\Windows\System\mEXfRNj.exe
  2⤵
  PID:2856
- C:\Windows\System\YMKwvfu.exe
  C:\Windows\System\YMKwvfu.exe
  2⤵
  PID:1988
- C:\Windows\System\vCBQiYG.exe
  C:\Windows\System\vCBQiYG.exe
  2⤵
  PID:1452
- C:\Windows\System\fHToKIB.exe
  C:\Windows\System\fHToKIB.exe
  2⤵
  PID:2624
- C:\Windows\System\OCIjYMP.exe
  C:\Windows\System\OCIjYMP.exe
  2⤵
  PID:6004
- C:\Windows\System\PxvTOAV.exe
  C:\Windows\System\PxvTOAV.exe
  2⤵
  PID:1404
- C:\Windows\System\yzuztAu.exe
  C:\Windows\System\yzuztAu.exe
  2⤵
  PID:4588
- C:\Windows\System\RroumrT.exe
  C:\Windows\System\RroumrT.exe
  2⤵
  PID:1956
- C:\Windows\System\DPnNZMc.exe
  C:\Windows\System\DPnNZMc.exe
  2⤵
  PID:2484
- C:\Windows\System\mRyhnDm.exe
  C:\Windows\System\mRyhnDm.exe
  2⤵
  PID:1964
- C:\Windows\System\AJDCUJC.exe
  C:\Windows\System\AJDCUJC.exe
  2⤵
  PID:4692
- C:\Windows\System\egycGCj.exe
  C:\Windows\System\egycGCj.exe
  2⤵
  PID:5364
- C:\Windows\System\ZHhvBvB.exe
  C:\Windows\System\ZHhvBvB.exe
  2⤵
  PID:4168
- C:\Windows\System\KVjppBj.exe
  C:\Windows\System\KVjppBj.exe
  2⤵
  PID:5048
- C:\Windows\System\kJpSupR.exe
  C:\Windows\System\kJpSupR.exe
  2⤵
  PID:5872
- C:\Windows\System\yLiwiwv.exe
  C:\Windows\System\yLiwiwv.exe
  2⤵
  PID:1584
- C:\Windows\System\npGykPT.exe
  C:\Windows\System\npGykPT.exe
  2⤵
  PID:5524
- C:\Windows\System\XBybzmh.exe
  C:\Windows\System\XBybzmh.exe
  2⤵
  PID:5564
- C:\Windows\System\mOFXwFw.exe
  C:\Windows\System\mOFXwFw.exe
  2⤵
  PID:1016
- C:\Windows\System\CEDIlzM.exe
  C:\Windows\System\CEDIlzM.exe
  2⤵
  PID:2168
- C:\Windows\System\yCznyOo.exe
  C:\Windows\System\yCznyOo.exe
  2⤵
  PID:1108
- C:\Windows\System\zxTlHsw.exe
  C:\Windows\System\zxTlHsw.exe
  2⤵
  PID:4612
- C:\Windows\System\MHpzuyU.exe
  C:\Windows\System\MHpzuyU.exe
  2⤵
  PID:1164
- C:\Windows\System\lJvWNOR.exe
  C:\Windows\System\lJvWNOR.exe
  2⤵
  PID:4768
- C:\Windows\System\jizijBY.exe
  C:\Windows\System\jizijBY.exe
  2⤵
  PID:4196
- C:\Windows\System\YKYCqDR.exe
  C:\Windows\System\YKYCqDR.exe
  2⤵
  PID:4788
- C:\Windows\System\ChfJNYb.exe
  C:\Windows\System\ChfJNYb.exe
  2⤵
  PID:2912
- C:\Windows\System\rnweyDC.exe
  C:\Windows\System\rnweyDC.exe
  2⤵
  PID:4512
- C:\Windows\System\mLToBOk.exe
  C:\Windows\System\mLToBOk.exe
  2⤵
  PID:4664
- C:\Windows\System\qFablcC.exe
  C:\Windows\System\qFablcC.exe
  2⤵
  PID:5312
- C:\Windows\System\FOMgtHM.exe
  C:\Windows\System\FOMgtHM.exe
  2⤵
  PID:1924
- C:\Windows\System\ffhCFhD.exe
  C:\Windows\System\ffhCFhD.exe
  2⤵
  PID:4572
- C:\Windows\System\aVUWUZj.exe
  C:\Windows\System\aVUWUZj.exe
  2⤵
  PID:2616
- C:\Windows\System\ynsmtNd.exe
  C:\Windows\System\ynsmtNd.exe
  2⤵
  PID:1860
- C:\Windows\System\TlqLLbq.exe
  C:\Windows\System\TlqLLbq.exe
  2⤵
  PID:2364
- C:\Windows\System\TEoBdGu.exe
  C:\Windows\System\TEoBdGu.exe
  2⤵
  PID:5020
- C:\Windows\System\HCStyOT.exe
  C:\Windows\System\HCStyOT.exe
  2⤵
  PID:2816
- C:\Windows\System\WArguTd.exe
  C:\Windows\System\WArguTd.exe
  2⤵
  PID:3604
- C:\Windows\System\SZTMkIi.exe
  C:\Windows\System\SZTMkIi.exe
  2⤵
  PID:2052
- C:\Windows\System\oJNXHzI.exe
  C:\Windows\System\oJNXHzI.exe
  2⤵
  PID:5004
- C:\Windows\System\hOfULcJ.exe
  C:\Windows\System\hOfULcJ.exe
  2⤵
  PID:5764
- C:\Windows\System\TTnbHKc.exe
  C:\Windows\System\TTnbHKc.exe
  2⤵
  PID:5308
- C:\Windows\System\KRYUVYc.exe
  C:\Windows\System\KRYUVYc.exe
  2⤵
  PID:6164
- C:\Windows\System\jaOjIxe.exe
  C:\Windows\System\jaOjIxe.exe
  2⤵
  PID:6192
- C:\Windows\System\wYyVEaU.exe
  C:\Windows\System\wYyVEaU.exe
  2⤵
  PID:6212
- C:\Windows\System\jYtjxHn.exe
  C:\Windows\System\jYtjxHn.exe
  2⤵
  PID:6236
- C:\Windows\System\PgWSQDF.exe
  C:\Windows\System\PgWSQDF.exe
  2⤵
  PID:6256
- C:\Windows\System\RHucKDY.exe
  C:\Windows\System\RHucKDY.exe
  2⤵
  PID:6276
- C:\Windows\System\cMXhrGM.exe
  C:\Windows\System\cMXhrGM.exe
  2⤵
  PID:6300
- C:\Windows\System\ZjhNkKH.exe
  C:\Windows\System\ZjhNkKH.exe
  2⤵
  PID:6324
- C:\Windows\System\lDJeDpQ.exe
  C:\Windows\System\lDJeDpQ.exe
  2⤵
  PID:6352
- C:\Windows\System\qHSerSt.exe
  C:\Windows\System\qHSerSt.exe
  2⤵
  PID:6372
- C:\Windows\System\QiexEie.exe
  C:\Windows\System\QiexEie.exe
  2⤵
  PID:6404
- C:\Windows\System\OKTiDbi.exe
  C:\Windows\System\OKTiDbi.exe
  2⤵
  PID:6424
- C:\Windows\System\KrSiXVh.exe
  C:\Windows\System\KrSiXVh.exe
  2⤵
  PID:6444
- C:\Windows\System\vTKyqcS.exe
  C:\Windows\System\vTKyqcS.exe
  2⤵
  PID:6472
- C:\Windows\System\OMKyafh.exe
  C:\Windows\System\OMKyafh.exe
  2⤵
  PID:6496
- C:\Windows\System\XElaUoY.exe
  C:\Windows\System\XElaUoY.exe
  2⤵
  PID:6516
- C:\Windows\System\iDBYXMD.exe
  C:\Windows\System\iDBYXMD.exe
  2⤵
  PID:6548
- C:\Windows\System\dDsNAOP.exe
  C:\Windows\System\dDsNAOP.exe
  2⤵
  PID:6572
- C:\Windows\System\ObCutPX.exe
  C:\Windows\System\ObCutPX.exe
  2⤵
  PID:6592
- C:\Windows\System\ZAbvmEY.exe
  C:\Windows\System\ZAbvmEY.exe
  2⤵
  PID:6616
- C:\Windows\System\rZMkiEJ.exe
  C:\Windows\System\rZMkiEJ.exe
  2⤵
  PID:6640
- C:\Windows\System\QvnSVHX.exe
  C:\Windows\System\QvnSVHX.exe
  2⤵
  PID:6660
- C:\Windows\System\vgwszOQ.exe
  C:\Windows\System\vgwszOQ.exe
  2⤵
  PID:6688
- C:\Windows\System\oueCiEm.exe
  C:\Windows\System\oueCiEm.exe
  2⤵
  PID:6712
- C:\Windows\System\yhCcOAT.exe
  C:\Windows\System\yhCcOAT.exe
  2⤵
  PID:6736
- C:\Windows\System\poJxZou.exe
  C:\Windows\System\poJxZou.exe
  2⤵
  PID:6752
- C:\Windows\System\gcduPXO.exe
  C:\Windows\System\gcduPXO.exe
  2⤵
  PID:6776
- C:\Windows\System\LTEbfvp.exe
  C:\Windows\System\LTEbfvp.exe
  2⤵
  PID:6796
- C:\Windows\System\zzgukwp.exe
  C:\Windows\System\zzgukwp.exe
  2⤵
  PID:6824
- C:\Windows\System\WtGCMMs.exe
  C:\Windows\System\WtGCMMs.exe
  2⤵
  PID:6852
- C:\Windows\System\bChdRNe.exe
  C:\Windows\System\bChdRNe.exe
  2⤵
  PID:6872
- C:\Windows\System\GelEkvp.exe
  C:\Windows\System\GelEkvp.exe
  2⤵
  PID:6900
- C:\Windows\System\aKgAttY.exe
  C:\Windows\System\aKgAttY.exe
  2⤵
  PID:6928
- C:\Windows\System\tbZUJnv.exe
  C:\Windows\System\tbZUJnv.exe
  2⤵
  PID:6952
- C:\Windows\System\pZqpYfm.exe
  C:\Windows\System\pZqpYfm.exe
  2⤵
  PID:6976
- C:\Windows\System\FswSMCk.exe
  C:\Windows\System\FswSMCk.exe
  2⤵
  PID:6996
- C:\Windows\System\JxXkAfU.exe
  C:\Windows\System\JxXkAfU.exe
  2⤵
  PID:7020
- C:\Windows\System\FfaBdKK.exe
  C:\Windows\System\FfaBdKK.exe
  2⤵
  PID:7036
- C:\Windows\System\nWWcAto.exe
  C:\Windows\System\nWWcAto.exe
  2⤵
  PID:7056
- C:\Windows\System\OYifzFA.exe
  C:\Windows\System\OYifzFA.exe
  2⤵
  PID:7080
- C:\Windows\System\WWWCPQq.exe
  C:\Windows\System\WWWCPQq.exe
  2⤵
  PID:7104
- C:\Windows\System\RPHdAxb.exe
  C:\Windows\System\RPHdAxb.exe
  2⤵
  PID:7120
- C:\Windows\System\naVUVfD.exe
  C:\Windows\System\naVUVfD.exe
  2⤵
  PID:7144
- C:\Windows\System\zUKWeEt.exe
  C:\Windows\System\zUKWeEt.exe
  2⤵
  PID:7164
- C:\Windows\System\QZQNiIS.exe
  C:\Windows\System\QZQNiIS.exe
  2⤵
  PID:1416
- C:\Windows\System\ckRDeQU.exe
  C:\Windows\System\ckRDeQU.exe
  2⤵
  PID:2036
- C:\Windows\System\yNyTBHt.exe
  C:\Windows\System\yNyTBHt.exe
  2⤵
  PID:6248
- C:\Windows\System\DNIGFdU.exe
  C:\Windows\System\DNIGFdU.exe
  2⤵
  PID:3964
- C:\Windows\System\FdQzPYz.exe
  C:\Windows\System\FdQzPYz.exe
  2⤵
  PID:6320
- C:\Windows\System\KPVIAhf.exe
  C:\Windows\System\KPVIAhf.exe
  2⤵
  PID:6208
- C:\Windows\System\PBLTwwj.exe
  C:\Windows\System\PBLTwwj.exe
  2⤵
  PID:6468
- C:\Windows\System\JxZHjLF.exe
  C:\Windows\System\JxZHjLF.exe
  2⤵
  PID:6508
- C:\Windows\System\xgzNVxD.exe
  C:\Windows\System\xgzNVxD.exe
  2⤵
  PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:7416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BVvqoZR.exe

Filesize
1.3MB

MD5
02a3e34ee369ba52153b76d8a70d7987

SHA1
6c245dc207627080e072c55bde94931c50fa6435

SHA256
ce9f65032f84909777676e7cdc1dabe74f465b7a4379665eb1c4ff0d269dd5a9

SHA512
e2276e0509e4d6739c6efbc6bbb33a3f57032746963388877196ab5ae23e74a51be6b1a86ca1172ae357febe164de4d89f03fc6b576c68ad1545f98a89a524c5

Download Submit
C:\Windows\System\CLcwXtB.exe

Filesize
1.3MB

MD5
538c1b2fb872d20df59657c650d26b6d

SHA1
680dda5cd6294990178a55240fa28a18dadb66f2

SHA256
02360d01a0287135962397d5efa8263bb3553ce75260bb4dae983666deefc177

SHA512
7eaf482d4f8e3abf666f992fa0cad328ef9b04a520034c9414039656ed8f0c6e9bcac693bd50e1ce4dd412424890d17e2d1ae345bdb1d24cb3ffaa24a8445f78

Download Submit
C:\Windows\System\EBpEMkq.exe

Filesize
1.3MB

MD5
52c32b506a90d62e45fd6c0be2fc79be

SHA1
b61a04108529118a5a31b404d401d7c62ec544f8

SHA256
f2d821e3bb3bcdda4df42c5a3a2ac876528f357f8250b3e97339ee8e4ab99364

SHA512
63e61cd28cf5888a9466cacfd86022315b14dc0cf0dd3c5c2069a2de1a9fe9777e7554d90ed045af5bd1d78b2222d6629cf2f0953780391fe20bd401e256908d

Download Submit
C:\Windows\System\ElIneyk.exe

Filesize
1.3MB

MD5
5a5029edfed8304d56e899f4c60d96ed

SHA1
0cc7851594cb79663d2fe6ad4abe671212d51e1a

SHA256
4e563d3882155b9d32aceb900b556251ee34017ac8a769b01e0485979bb185c4

SHA512
a02e74b4178e2f0987f341ef222e014d9f9b0e15f8fbbb33546f04cbc0a6b01590350e09ff556de7b5602bd1332e3a11508e28275b603737fb73f15c08ecb53a

Download Submit
C:\Windows\System\GleTMgN.exe

Filesize
1.3MB

MD5
2b57fcf2989d839f30b78c4b01836cdf

SHA1
962d255eaf3fa95693de5409d9ac92cc66af2741

SHA256
47b5f2218bcbe92be16df44e786a33c3707f3e2bc44d3b08be8486b85d71d58e

SHA512
36f8368a2362ede7c824439e3375206752ac9b8d79df3eb327f1ee1d0ee1701b44625bc98e3b8196112bf0119c8b3348a025839f1fd1e362c00d34582c383260

Download Submit
C:\Windows\System\HQnGKPS.exe

Filesize
1.3MB

MD5
6d5d09113651f411a398dbf4f6af629e

SHA1
63e452b996be348b0d9d7606037cc2d0551aa474

SHA256
e8b7046d2db77adbd5113444ee4e772c8b4b395776da0e1dbb29ff8d4d0d0bd6

SHA512
f30d17fdad040b56b604b2194fa5ab6c88decba65fa3c81e97b223d8699ef4126b7480f0fceecabcad15e75a7e870a0327e2494403a75ab5d394410e8fb2d117

Download Submit
C:\Windows\System\JcwdQfB.exe

Filesize
1.3MB

MD5
baf32243ffc80e9bfe7d058a7f831529

SHA1
d79c118513f66a9f16de900d2464de684048eefb

SHA256
29366616fe6c78adda264e111a01d4fc40098724e5fba042ed8be5c83580d474

SHA512
17be9bbb10fba438a48654a80383ccbc41e1d01728ee3f758b29af311ee7e31aa36879a9b6e3a14e37b0cd868287e9dc5c0ed345ce310bd91b097056e34ff1b5

Download Submit
C:\Windows\System\KEHvdDo.exe

Filesize
1.3MB

MD5
636d7d31c79356f51f6d3fc89ab03508

SHA1
7626d38d6debbb2a730afbae5dedddc4c1e34bdb

SHA256
6795987db1f425078b304dc33216100e190f77ce433364936c39fcb3de425430

SHA512
da1c9902307bbfca45e822cf03ea82b86cb216896d39fec771505a5f196cc5d767fc90d4c5b96b82ffd7510a674ab2823a1952ee14ff0a83d08536b44ffe028d

Download Submit
C:\Windows\System\KODxSbb.exe

Filesize
1.3MB

MD5
5af2025da105e5fba1ebd6ae5ddefb56

SHA1
9a944de602bb1ce5c0cd618e79cff717c38c3288

SHA256
59a319e9418d15b2bba1592d919afb80465c09112ca40969919b603cc2a86e6a

SHA512
18b439edea3b077cfc6d6c0ac36f2e1aacfbd53966fb7c8ce9f3744f4d49c23cbd8d1481d0db7ef6d1cc4fd2172097f552331b925a8ebbd85996c5e3be5cd985

Download Submit
C:\Windows\System\LItsyEu.exe

Filesize
1.3MB

MD5
f0c98beeb871e345aa3acf9f203e1d96

SHA1
b8fc7c5ae754565ddb64a78b85b1755a5ce34b60

SHA256
eabce435bf9d033df9325de223eb98e88242d7621e282d3e374942a2c47cf3b0

SHA512
7472fb0449abcfba196f61af48a84bba76594a3042d474cf516265659d61cc99f8a33562df87de00d5ce9c04a91fea217f1c8ab3b60aa50eeaa126980871a060

Download Submit
C:\Windows\System\LJYNnnq.exe

Filesize
1.3MB

MD5
d9b5f7672fc2e650a9a17f7610e04cd7

SHA1
d9e52bfaa99491c43c5739d0c9d5bcc539377e96

SHA256
8ce98906089e4a5bb32b19f9567b78a545806fb5a8469f01f11451b2b4c32205

SHA512
286ef8f9a4c54f2af63e233a7d7e05b13526fcd8f6d0dcbfa60f89e9d5645b59f65741dd6f62242c6b5a6601ea1257a8fb3a86f867e8a64a3eddfb689204772c

Download Submit
C:\Windows\System\NppKqkl.exe

Filesize
1.3MB

MD5
689b6ba3b443ee51b899632039cc1e42

SHA1
2a85f2422ee2565551972133ea7f05cc8515bb9b

SHA256
ec7bbe3e2d3caefc3ea497c74926ffc6e39fda650a6e91e48c330d103367d8a5

SHA512
f4c51834e735dbaa51472604e52dc928c4efaf584bfa6814a9b76c5c5e111a861862c6f168cbcda5a7c99bafe0af6c402e2ca56bd82cef30f361afb3a3c2ce8b

Download Submit
C:\Windows\System\TTPTHVa.exe

Filesize
1.3MB

MD5
5d0b1af792cfe21c9b324a8b58ca7cd3

SHA1
8f340bbff47347430cf4bc2bf66e3fcf0e25e783

SHA256
4012efbc8f20cd4a616d974e4c35041205ca264609603db54b85c4e96448b850

SHA512
a58c34461463e22e273b01541cf2e5431a2e1ef016dd093dc249b982af4fe931eda1014e43d1800a5c85af8ed89e302aeddf6c663e6555f6eda0186fd28e8768

Download Submit
C:\Windows\System\UvRYiLQ.exe

Filesize
1.3MB

MD5
f0797c7a03939572103a2f7d91567329

SHA1
424bbd6267de2dd86be9ef9c8092e01ad005d76e

SHA256
30a4712f7a982b1f6a060e51eb360c9c88e0424d697cbaa9eaa04558f80d03ee

SHA512
c5f45fcc0583f7b82f9aefba562d07c380c880ea9b8c8784e3b6c9a330d054bcd3b044dfac52aceceab2ceb05ea4b36cb970255e959f31da8022f556ec734bc7

Download Submit
C:\Windows\System\bJwWJTB.exe

Filesize
1.3MB

MD5
9e32c9a771a3a45dec78fc18066a22b7

SHA1
0ec2a1f349ee264e82204a1b0f7b2c9f66a15d45

SHA256
159c23125a28b29584e789a11988e4ec6625eb0a85ff0c91e9bb2c1c0249e82b

SHA512
046c4c34fd1dec3c12b7eb93ab62f1d902e3f63e3f6198515af71c5529e37bf16f6117a6a5794501417b1860eb9f3b769328a17275ebe95ddd8644794f28dfd3

Download Submit
C:\Windows\System\bcXsZFM.exe

Filesize
1.3MB

MD5
3d0f3ea20867cf494e44317b7ee2c85d

SHA1
edb6ccd49edd0bd9736a2be03ff0c0a81dc615f6

SHA256
69d405a2a5ffb1c693356942e7fcc64223ed4f74c0ef9e6116fffcfded27a785

SHA512
2a1e5350fdfeece7d28189af50a25d59dd04991da21da6355f1e00a51903de994110fc6ce7c96692fed8db163271bb73717ffc42a42c049eef4887e6374e5549

Download Submit
C:\Windows\System\bzEPOWi.exe

Filesize
1.3MB

MD5
d6616039860757d2cac32f73c746e129

SHA1
8698bf07994379f584a578c38ed61659e5ed6e67

SHA256
5e26cb2a59f5743d896809ba7117213bfe7f629406453b79a4cf1581b2f77804

SHA512
54a6b3db338e740f228e1b4ec074c8c0de686d9fe2acd180ffa1a37be98524258e2ba1b28971b3900545caf221b464126e76992f49fdd249ecb710c079c9e209

Download Submit
C:\Windows\System\cgCojHf.exe

Filesize
1.3MB

MD5
86932d5a1eab7e8d7618e8451a6d7210

SHA1
b6fc8494cc0412c63b64b2e69ef6c2398ea5128a

SHA256
d78e444a53bbcc3a5178939b58472479722da4e3268483dae219b237ada5bd56

SHA512
6718729733b9075502c4c09f155c4922aa36e338226c20628897d9bfaf108f927109290c5c04bbedf7ee19849ba696f6474d1fa11fb3402ae5cf2738f3d9f651

Download Submit
C:\Windows\System\clMPtnl.exe

Filesize
1.3MB

MD5
5405a55fbea53cd85a30f59abc0aba93

SHA1
7c0e3c26b94de5c0e9cfbeeabebc129d77dee90b

SHA256
abef465c644a18b68f782067f21e68b68779537784ee68bd5d4860b67db9da09

SHA512
259d01fd10ab58a4acbeddcbd68b2cbd16ebc8daf11f8768cddc4ebaf1f29ba2032233b2d4c1f5233335e4d6cee043c65dbd1ef01cb2cdb3a9f458169de7d8db

Download Submit
C:\Windows\System\fPlkgHZ.exe

Filesize
1.3MB

MD5
32a884a837b5868bbe07e2870653ce77

SHA1
2925438a0bea7dc448ace215c8f212eaee796c3e

SHA256
65d0ec1d1418a1b793cc3fcd0f040151669d510ab41a8d58f1eca901c18df9a7

SHA512
ee02fa111b89c48cd404ea381742b67c8a5098bd20e1f067533254004b1426bf59f82835fc82d6ca867afce2ec664a92be58a651fa845412cd0924201faa93ad

Download Submit
C:\Windows\System\hDgiQiY.exe

Filesize
1.3MB

MD5
8861e0a9aa018827203658008e7c5356

SHA1
4ffc66f3c9a9abeff6b1cc34977438aff1293cd2

SHA256
916637edc8cce15f33ae140e10ef492474a2e7247da96c040f92b0b91bbaf9e9

SHA512
23e0d20af335837563a142ec2d6da8235722a8cb2e67f4ae0978743698e2ae186d850e6a21f561686998cdfc773efe43fc92bc07e23055bc913b16421660028b

Download Submit
C:\Windows\System\kIxYyvZ.exe

Filesize
1.3MB

MD5
4d65d78417ffe85735bbbb5784f0a6ea

SHA1
a0d274fd8acf97c336a93e6d0ca03a2c4bf5e7fb

SHA256
969d973c9f8f416491644acd6144a3dde78dc28c5db72e1604d17a6632e5035f

SHA512
c5ff249aeb8c6840e16196b11b9809af12435fede440d3eb761ff4d744d0c92d3e0d3fdb806970e1042f5b901b6b4326d2d463211fd72e9d5e4a2e2a97ca4035

Download Submit
C:\Windows\System\lGNFhSZ.exe

Filesize
1.3MB

MD5
205e31499f2c2b9b427638a444d7af29

SHA1
5c227b021a1454f5c8d834b39e76465ccb42d5aa

SHA256
15b55d9785e0ea85da52e86db6acb333d394cc714ce3587e0638ba088ab64a62

SHA512
f24bb9511ed8f78e92dd67393fe0348be925d55a3964b1d564fefca9a1eb364404d99c9a37b3d753718073d14a80d9289e32e749d7edeb37a77160e424cffad6

Download Submit
C:\Windows\System\nRXLJUG.exe

Filesize
1.3MB

MD5
b8675478dc7ed113cd87b40e5009932a

SHA1
558767af6e12a7e844515e3f87b82dc512230cbe

SHA256
a7c44cf4444f7578d49766d3de97f41fa633aca2fd849632f68fb120683a7f86

SHA512
117f854ed3d353c4ac828e176285e142c640d9798b392e40d48f028931cdb61b5d0c124d9c00eaf0ee6bd513a7a0f90d5ab1a8486f141f157d28b70de5576edd

Download Submit
C:\Windows\System\oDouawl.exe

Filesize
1.3MB

MD5
981893b6841e0753dee786782cb6f39c

SHA1
b23cd3d8f76c93f9b1f348639679ba56fc82e8e9

SHA256
2b07742e0d3a6487f7b0136e12ec2d0dd881350b306b3c82facbd97a42b67ea6

SHA512
86d2f2ba5c2a87760a2f4d516e88096353750f66d3fcceab01abf358fe0d458d172af04bdf41a47649f7762335b30bfef54447f9d1e99be4a083f18aaf962569

Download Submit
C:\Windows\System\ogElFKZ.exe

Filesize
1.3MB

MD5
f092892d4a022a245f117b8f91ac00fe

SHA1
3d22d1754e65c3c9571a173ccd32bf77ccf7187e

SHA256
ecfe7b9e8dce628f380f039d247da2977b13a2107320049cae967c55fc0cb957

SHA512
413f9752164e466205d9adf1473142204c2c42292268a86b64eaecb5994d0aa46d5565ab00e9086f49639c4982467a4079aa215ca345ca5e85fb445d4a7321c2

Download Submit
C:\Windows\System\rOcQbsW.exe

Filesize
1.3MB

MD5
3e9302f98687a6c142c07dbb00d2e739

SHA1
3496602ad4b57c94576a612502be5ed0b682f125

SHA256
c80c3a5f5f8961e5ecc118138cb1aa4b8a13661083d072072f5d1a2105cbd9a5

SHA512
a74b871ee453d14fd8a167213dda06b420abcea537c00ee72bbe8e29f0f46d3cdc96df49a33aa4ce274e4faf3db3851f3b145ca72ec8b476a4ba02fd63a38160

Download Submit
C:\Windows\System\umFrudu.exe

Filesize
1.3MB

MD5
9c6fc8a1323b30b7ebe7eee26affaeb3

SHA1
32f2489a85878238716b250aaf929a08a3ce74ab

SHA256
bec7c15f18ec8fd1f20280b2c10d0f14c8e74d709c61f51fc374cbd2714bf8bb

SHA512
441d35a1e46ac8f6b8c8e6bae1a23720b6cd8f94e70e485c0bca5eb9f4bbda5a752e53417ced6a3d86005d897f42453997e512a886900aefe6623ae1ce382986

Download Submit
C:\Windows\System\whQJLaH.exe

Filesize
1.3MB

MD5
4fc445ce068cc9741dcc65b28e0ca9ec

SHA1
8663df3a7998cce15c2fe7b2428d07dc0eb5a194

SHA256
d8f5915f7bdf475a9cac13f42b51efe577b4d8850fbe760a656c155cb4bcfb89

SHA512
1f620d751a4e2a63b58be16b7a102d4d025618f9e97c2a74af23b85647c9cfff2b7e2124ee9172afdf8ed7ef52d1ce6fc59fb990d843c005200729ca1b854c6b

Download Submit
C:\Windows\System\yTELCXC.exe

Filesize
1.3MB

MD5
47d7b675e6043662162750a570b82685

SHA1
30454c1c892c0d878ee3a9852d087de9e99f59c6

SHA256
c2b003fc235f465b2b406b4cdc6846a75fcb82b712055732c6c18d45a7e907e8

SHA512
4e2aa17f3bf9ec98c5d206ebae004698d429260894102b11d0ae9a87ae4b3b441fc6e10d088565be653c559d99d7ab2a00c7ee6f6d0a78c9e076b23faa5964f8

Download Submit
C:\Windows\System\yhfNBqd.exe

Filesize
1.3MB

MD5
e3f9f391e48d1a906bb9b30f37b8d36f

SHA1
ff5ffb298f259dc93ebcbe6f3508a6815ba15734

SHA256
b3b75900d34e0d76675495ccd83da713775636a4a086fb523ee077ab5e8794cb

SHA512
6b7ace3eeb9bfa727b2abab55c1a65e6ab2ccd9c78bdb7f823e69864110bca3da3d5a2f100842a338112f2db483336617c22047a327a32aba127ea57c0e805f0

Download Submit
C:\Windows\System\ynNgxMN.exe

Filesize
1.3MB

MD5
4b6f243dfea2c7516f293b7896045c6b

SHA1
54bed09b355ee3b9d6d483969e79b0e34ed30f3e

SHA256
5e08c77adcd765b2b263f35ca166e3ea19434519d59e5d09abd330aa7df4b4fc

SHA512
8e63f9166f83d64d300119c0946a7d21078d16028f1468af32cf11bb736084f82a4dc8bf75609919425b4c4a2416bd2572894253da497482ec25730bd5ce5300

Download Submit
memory/2260-0-0x000001619DD50000-0x000001619DD60000-memory.dmp

Filesize
64KB

Download