xmrig | a5f372ee74836d2cd2637c1eb475fc47503a61cd03ac75c7ddd3404295b10e9a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
Size

1.3MB
MD5

3999d7909fdbe99cb2508c5f442f8090
SHA1

9a025a65b2a961654ded728a3a3e74c53221663e
SHA256

a5f372ee74836d2cd2637c1eb475fc47503a61cd03ac75c7ddd3404295b10e9a
SHA512

cc76c156fbd2e702f93244a69a8f118fbd8ccf3e153f2094162457529e2ef075e527791128e2b14f5e900d4780e90ba0e841c4eda01e3e707926661999673b4d
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensYKkTT7UudBWk2c:GezaTF8FcNkNdfE0pZ9oztFwI6KE

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000a00000002328e-4.dat	xmrig
behavioral2/files/0x000900000002340c-10.dat	xmrig
behavioral2/files/0x000700000002341c-14.dat	xmrig
behavioral2/files/0x000700000002341f-33.dat	xmrig
behavioral2/files/0x0007000000023423-53.dat	xmrig
behavioral2/files/0x0007000000023427-69.dat	xmrig
behavioral2/files/0x000700000002342d-99.dat	xmrig
behavioral2/files/0x0007000000023433-124.dat	xmrig
behavioral2/files/0x0007000000023437-142.dat	xmrig
behavioral2/files/0x000700000002343b-162.dat	xmrig
behavioral2/files/0x0007000000023439-160.dat	xmrig
behavioral2/files/0x000700000002343a-157.dat	xmrig
behavioral2/files/0x0007000000023438-155.dat	xmrig
behavioral2/files/0x0007000000023436-145.dat	xmrig
behavioral2/files/0x0007000000023435-140.dat	xmrig
behavioral2/files/0x0007000000023434-135.dat	xmrig
behavioral2/files/0x0007000000023432-122.dat	xmrig
behavioral2/files/0x0007000000023431-118.dat	xmrig
behavioral2/files/0x0007000000023430-112.dat	xmrig
behavioral2/files/0x000700000002342f-108.dat	xmrig
behavioral2/files/0x000700000002342c-95.dat	xmrig
behavioral2/files/0x000700000002342b-93.dat	xmrig
behavioral2/files/0x000700000002342a-87.dat	xmrig
behavioral2/files/0x0007000000023429-83.dat	xmrig
behavioral2/files/0x0007000000023428-77.dat	xmrig
behavioral2/files/0x0007000000023426-67.dat	xmrig
behavioral2/files/0x0007000000023425-63.dat	xmrig
behavioral2/files/0x0007000000023424-57.dat	xmrig
behavioral2/files/0x0007000000023422-47.dat	xmrig
behavioral2/files/0x0007000000023421-43.dat	xmrig
behavioral2/files/0x0007000000023420-37.dat	xmrig
behavioral2/files/0x000700000002341e-27.dat	xmrig
behavioral2/files/0x000700000002341d-21.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3652	Gjchisu.exe
2732	WelbRCU.exe
3360	lpbWMRX.exe
1000	nHtBIBv.exe
5112	YrtMckf.exe
1464	YViIATX.exe
3196	ilsylNN.exe
4456	dcrsbKH.exe
1948	sVEnTnF.exe
812	nRobUlo.exe
3232	YBJaEzn.exe
768	gYfBozP.exe
1896	JJJCxIB.exe
2544	pShiaxb.exe
4852	cruHrXI.exe
2764	HkxMZgC.exe
4884	oQFeEYz.exe
3980	AkQLkFH.exe
3372	XJKeKGG.exe
3692	zBBMpss.exe
1996	oxUhbXb.exe
4752	tSEmcLJ.exe
4700	yYaoVKE.exe
4540	UOInvCQ.exe
1908	skUYEbe.exe
544	zYXCAGe.exe
2444	ggtVoLf.exe
1276	HeYNmQR.exe
1408	ZHnIkGd.exe
4872	KMGFHDZ.exe
3424	pqBXdZZ.exe
1644	nlGbnmU.exe
1512	XaCIHmN.exe
1244	SYtNHrK.exe
8	UOJfStD.exe
2612	woUGqfa.exe
3280	FBOTcCG.exe
4712	CMYFpoy.exe
3416	uARMMdR.exe
3660	bSNVdyU.exe
2572	hxaYKzq.exe
1412	ITqwrpy.exe
3828	RmcegjZ.exe
3756	UUrCPBG.exe
2324	sWLPrUi.exe
4900	EWQhKlu.exe
5052	FBgMVQc.exe
4564	nPcaOIC.exe
1004	KuyDBsL.exe
1416	kpUUOIc.exe
1828	zGqwyRJ.exe
4304	hUnHcKo.exe
2396	yufzRLW.exe
3096	jscWSbg.exe
4756	VCAcPSK.exe
3044	KHOISDX.exe
3984	WHQefso.exe
4044	tnmCkeT.exe
4072	lmgvFXT.exe
3112	UEKsXvA.exe
3396	JSBUbpZ.exe
1916	oQlGzaD.exe
792	bHpTgiN.exe
1272	hmCYigz.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\yLJbuYp.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\YbXXFmY.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\WelbRCU.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ZYVLJNq.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\VLwWNax.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\YViIATX.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\FBgMVQc.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\zsHcxIo.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\oUiATWm.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\CLPxNDs.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\mpmsyVq.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\SADJozf.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ilsylNN.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\rEPVhrp.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\lmgvFXT.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\UddKOxq.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\WyPggcG.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\oxUhbXb.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ITqwrpy.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\bHpTgiN.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\CpFisyz.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\AMFpIPc.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ZOIvCqi.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\xrbAWnJ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\XJKeKGG.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\SYtNHrK.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\BYYBsmG.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\sdLxtnQ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\AFxFkAJ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\AeKxtgJ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\HVLDTSq.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\KzJPlhs.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\zBBMpss.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\UEKsXvA.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\spusTBj.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\oUPOnGp.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\bVpzqEv.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\SIdHZEY.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\FBOTcCG.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ojtjaHt.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\RKUAVgZ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\nRobUlo.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\nPcaOIC.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\pqBXdZZ.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\NiApZIK.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\jGGLlDH.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\HbKGQbY.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\LcYzIKq.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\GCzKIaS.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ggtVoLf.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\bCOOtSt.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\ugwrUsX.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\sVEnTnF.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\FceuUXG.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\yqTzUdr.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\nlGbnmU.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\sMdSznc.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\YMOKwBI.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\cgmBTCH.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\EWQhKlu.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\vQclMrS.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\zYXCAGe.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\UTDDCqK.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
File created	C:\Windows\System\fMLfjbp.exe	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3652	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 3652	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 2732	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 2732	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	85
PID 3252 wrote to memory of 3360	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	86
PID 3252 wrote to memory of 3360	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	86
PID 3252 wrote to memory of 1000	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	87
PID 3252 wrote to memory of 1000	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	87
PID 3252 wrote to memory of 5112	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 5112	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	88
PID 3252 wrote to memory of 1464	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	89
PID 3252 wrote to memory of 1464	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	89
PID 3252 wrote to memory of 3196	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	90
PID 3252 wrote to memory of 3196	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	90
PID 3252 wrote to memory of 4456	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	91
PID 3252 wrote to memory of 4456	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	91
PID 3252 wrote to memory of 1948	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	92
PID 3252 wrote to memory of 1948	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	92
PID 3252 wrote to memory of 812	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	93
PID 3252 wrote to memory of 812	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	93
PID 3252 wrote to memory of 3232	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	94
PID 3252 wrote to memory of 3232	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	94
PID 3252 wrote to memory of 768	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	95
PID 3252 wrote to memory of 768	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	95
PID 3252 wrote to memory of 1896	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	96
PID 3252 wrote to memory of 1896	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	96
PID 3252 wrote to memory of 2544	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	97
PID 3252 wrote to memory of 2544	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	97
PID 3252 wrote to memory of 4852	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	98
PID 3252 wrote to memory of 4852	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	98
PID 3252 wrote to memory of 2764	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	99
PID 3252 wrote to memory of 2764	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	99
PID 3252 wrote to memory of 4884	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	100
PID 3252 wrote to memory of 4884	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	100
PID 3252 wrote to memory of 3980	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	101
PID 3252 wrote to memory of 3980	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	101
PID 3252 wrote to memory of 3372	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	102
PID 3252 wrote to memory of 3372	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	102
PID 3252 wrote to memory of 3692	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	103
PID 3252 wrote to memory of 3692	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	103
PID 3252 wrote to memory of 1996	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	104
PID 3252 wrote to memory of 1996	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	104
PID 3252 wrote to memory of 4752	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	105
PID 3252 wrote to memory of 4752	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	105
PID 3252 wrote to memory of 4700	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	106
PID 3252 wrote to memory of 4700	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	106
PID 3252 wrote to memory of 4540	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	107
PID 3252 wrote to memory of 4540	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	107
PID 3252 wrote to memory of 1908	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	108
PID 3252 wrote to memory of 1908	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	108
PID 3252 wrote to memory of 544	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	109
PID 3252 wrote to memory of 544	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	109
PID 3252 wrote to memory of 2444	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	110
PID 3252 wrote to memory of 2444	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	110
PID 3252 wrote to memory of 1276	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	111
PID 3252 wrote to memory of 1276	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	111
PID 3252 wrote to memory of 1408	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	112
PID 3252 wrote to memory of 1408	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	112
PID 3252 wrote to memory of 4872	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	113
PID 3252 wrote to memory of 4872	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	113
PID 3252 wrote to memory of 3424	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	114
PID 3252 wrote to memory of 3424	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	114
PID 3252 wrote to memory of 1644	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	115
PID 3252 wrote to memory of 1644	3252	3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3999d7909fdbe99cb2508c5f442f8090_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System\Gjchisu.exe
  C:\Windows\System\Gjchisu.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\WelbRCU.exe
  C:\Windows\System\WelbRCU.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\lpbWMRX.exe
  C:\Windows\System\lpbWMRX.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\nHtBIBv.exe
  C:\Windows\System\nHtBIBv.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\YrtMckf.exe
  C:\Windows\System\YrtMckf.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\YViIATX.exe
  C:\Windows\System\YViIATX.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\ilsylNN.exe
  C:\Windows\System\ilsylNN.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\dcrsbKH.exe
  C:\Windows\System\dcrsbKH.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\sVEnTnF.exe
  C:\Windows\System\sVEnTnF.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\nRobUlo.exe
  C:\Windows\System\nRobUlo.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\YBJaEzn.exe
  C:\Windows\System\YBJaEzn.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\gYfBozP.exe
  C:\Windows\System\gYfBozP.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\JJJCxIB.exe
  C:\Windows\System\JJJCxIB.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\pShiaxb.exe
  C:\Windows\System\pShiaxb.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\cruHrXI.exe
  C:\Windows\System\cruHrXI.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\HkxMZgC.exe
  C:\Windows\System\HkxMZgC.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\oQFeEYz.exe
  C:\Windows\System\oQFeEYz.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\AkQLkFH.exe
  C:\Windows\System\AkQLkFH.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\XJKeKGG.exe
  C:\Windows\System\XJKeKGG.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\zBBMpss.exe
  C:\Windows\System\zBBMpss.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\oxUhbXb.exe
  C:\Windows\System\oxUhbXb.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\tSEmcLJ.exe
  C:\Windows\System\tSEmcLJ.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\yYaoVKE.exe
  C:\Windows\System\yYaoVKE.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\UOInvCQ.exe
  C:\Windows\System\UOInvCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\skUYEbe.exe
  C:\Windows\System\skUYEbe.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\zYXCAGe.exe
  C:\Windows\System\zYXCAGe.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\ggtVoLf.exe
  C:\Windows\System\ggtVoLf.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\HeYNmQR.exe
  C:\Windows\System\HeYNmQR.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\ZHnIkGd.exe
  C:\Windows\System\ZHnIkGd.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\KMGFHDZ.exe
  C:\Windows\System\KMGFHDZ.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\pqBXdZZ.exe
  C:\Windows\System\pqBXdZZ.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\nlGbnmU.exe
  C:\Windows\System\nlGbnmU.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\XaCIHmN.exe
  C:\Windows\System\XaCIHmN.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\SYtNHrK.exe
  C:\Windows\System\SYtNHrK.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\UOJfStD.exe
  C:\Windows\System\UOJfStD.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\woUGqfa.exe
  C:\Windows\System\woUGqfa.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\FBOTcCG.exe
  C:\Windows\System\FBOTcCG.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\CMYFpoy.exe
  C:\Windows\System\CMYFpoy.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\uARMMdR.exe
  C:\Windows\System\uARMMdR.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\bSNVdyU.exe
  C:\Windows\System\bSNVdyU.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\hxaYKzq.exe
  C:\Windows\System\hxaYKzq.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\ITqwrpy.exe
  C:\Windows\System\ITqwrpy.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\RmcegjZ.exe
  C:\Windows\System\RmcegjZ.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\UUrCPBG.exe
  C:\Windows\System\UUrCPBG.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\sWLPrUi.exe
  C:\Windows\System\sWLPrUi.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\EWQhKlu.exe
  C:\Windows\System\EWQhKlu.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\FBgMVQc.exe
  C:\Windows\System\FBgMVQc.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\nPcaOIC.exe
  C:\Windows\System\nPcaOIC.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\KuyDBsL.exe
  C:\Windows\System\KuyDBsL.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\kpUUOIc.exe
  C:\Windows\System\kpUUOIc.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\zGqwyRJ.exe
  C:\Windows\System\zGqwyRJ.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\hUnHcKo.exe
  C:\Windows\System\hUnHcKo.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\yufzRLW.exe
  C:\Windows\System\yufzRLW.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\jscWSbg.exe
  C:\Windows\System\jscWSbg.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\VCAcPSK.exe
  C:\Windows\System\VCAcPSK.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\KHOISDX.exe
  C:\Windows\System\KHOISDX.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\WHQefso.exe
  C:\Windows\System\WHQefso.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\tnmCkeT.exe
  C:\Windows\System\tnmCkeT.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\lmgvFXT.exe
  C:\Windows\System\lmgvFXT.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\UEKsXvA.exe
  C:\Windows\System\UEKsXvA.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\JSBUbpZ.exe
  C:\Windows\System\JSBUbpZ.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\oQlGzaD.exe
  C:\Windows\System\oQlGzaD.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\bHpTgiN.exe
  C:\Windows\System\bHpTgiN.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\hmCYigz.exe
  C:\Windows\System\hmCYigz.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\mpmsyVq.exe
  C:\Windows\System\mpmsyVq.exe
  2⤵
  PID:452
- C:\Windows\System\UddKOxq.exe
  C:\Windows\System\UddKOxq.exe
  2⤵
  PID:1296
- C:\Windows\System\JdtYmWV.exe
  C:\Windows\System\JdtYmWV.exe
  2⤵
  PID:4172
- C:\Windows\System\SqMgCTu.exe
  C:\Windows\System\SqMgCTu.exe
  2⤵
  PID:4988
- C:\Windows\System\OBLBCNl.exe
  C:\Windows\System\OBLBCNl.exe
  2⤵
  PID:4896
- C:\Windows\System\WyPggcG.exe
  C:\Windows\System\WyPggcG.exe
  2⤵
  PID:1704
- C:\Windows\System\qZOSobl.exe
  C:\Windows\System\qZOSobl.exe
  2⤵
  PID:4908
- C:\Windows\System\AFxFkAJ.exe
  C:\Windows\System\AFxFkAJ.exe
  2⤵
  PID:440
- C:\Windows\System\lqhwjzW.exe
  C:\Windows\System\lqhwjzW.exe
  2⤵
  PID:5064
- C:\Windows\System\EkqgOLj.exe
  C:\Windows\System\EkqgOLj.exe
  2⤵
  PID:968
- C:\Windows\System\SADJozf.exe
  C:\Windows\System\SADJozf.exe
  2⤵
  PID:4812
- C:\Windows\System\IrbdDoJ.exe
  C:\Windows\System\IrbdDoJ.exe
  2⤵
  PID:1800
- C:\Windows\System\MduRECN.exe
  C:\Windows\System\MduRECN.exe
  2⤵
  PID:396
- C:\Windows\System\eHVzmwv.exe
  C:\Windows\System\eHVzmwv.exe
  2⤵
  PID:816
- C:\Windows\System\CpFisyz.exe
  C:\Windows\System\CpFisyz.exe
  2⤵
  PID:3000
- C:\Windows\System\aKItHuQ.exe
  C:\Windows\System\aKItHuQ.exe
  2⤵
  PID:2156
- C:\Windows\System\LupYDst.exe
  C:\Windows\System\LupYDst.exe
  2⤵
  PID:5132
- C:\Windows\System\kjLfxGg.exe
  C:\Windows\System\kjLfxGg.exe
  2⤵
  PID:5152
- C:\Windows\System\ojtjaHt.exe
  C:\Windows\System\ojtjaHt.exe
  2⤵
  PID:5180
- C:\Windows\System\ugwrUsX.exe
  C:\Windows\System\ugwrUsX.exe
  2⤵
  PID:5208
- C:\Windows\System\IhoDQhg.exe
  C:\Windows\System\IhoDQhg.exe
  2⤵
  PID:5236
- C:\Windows\System\FceuUXG.exe
  C:\Windows\System\FceuUXG.exe
  2⤵
  PID:5264
- C:\Windows\System\yqTzUdr.exe
  C:\Windows\System\yqTzUdr.exe
  2⤵
  PID:5292
- C:\Windows\System\WKImsqt.exe
  C:\Windows\System\WKImsqt.exe
  2⤵
  PID:5320
- C:\Windows\System\MgENIjr.exe
  C:\Windows\System\MgENIjr.exe
  2⤵
  PID:5348
- C:\Windows\System\YndaCTM.exe
  C:\Windows\System\YndaCTM.exe
  2⤵
  PID:5376
- C:\Windows\System\ZYVLJNq.exe
  C:\Windows\System\ZYVLJNq.exe
  2⤵
  PID:5400
- C:\Windows\System\XLOReiW.exe
  C:\Windows\System\XLOReiW.exe
  2⤵
  PID:5436
- C:\Windows\System\rFarvGH.exe
  C:\Windows\System\rFarvGH.exe
  2⤵
  PID:5460
- C:\Windows\System\KWgpLCQ.exe
  C:\Windows\System\KWgpLCQ.exe
  2⤵
  PID:5488
- C:\Windows\System\qJepdgC.exe
  C:\Windows\System\qJepdgC.exe
  2⤵
  PID:5516
- C:\Windows\System\spusTBj.exe
  C:\Windows\System\spusTBj.exe
  2⤵
  PID:5544
- C:\Windows\System\jbpjuvH.exe
  C:\Windows\System\jbpjuvH.exe
  2⤵
  PID:5572
- C:\Windows\System\zsHcxIo.exe
  C:\Windows\System\zsHcxIo.exe
  2⤵
  PID:5600
- C:\Windows\System\AeKxtgJ.exe
  C:\Windows\System\AeKxtgJ.exe
  2⤵
  PID:5628
- C:\Windows\System\lDZUMKv.exe
  C:\Windows\System\lDZUMKv.exe
  2⤵
  PID:5656
- C:\Windows\System\ZdRLyDO.exe
  C:\Windows\System\ZdRLyDO.exe
  2⤵
  PID:5680
- C:\Windows\System\LRONSNX.exe
  C:\Windows\System\LRONSNX.exe
  2⤵
  PID:5712
- C:\Windows\System\bCOOtSt.exe
  C:\Windows\System\bCOOtSt.exe
  2⤵
  PID:5740
- C:\Windows\System\qcBfgaK.exe
  C:\Windows\System\qcBfgaK.exe
  2⤵
  PID:5768
- C:\Windows\System\vUejbyc.exe
  C:\Windows\System\vUejbyc.exe
  2⤵
  PID:5796
- C:\Windows\System\vQclMrS.exe
  C:\Windows\System\vQclMrS.exe
  2⤵
  PID:5824
- C:\Windows\System\oUiATWm.exe
  C:\Windows\System\oUiATWm.exe
  2⤵
  PID:5852
- C:\Windows\System\VdOQAEc.exe
  C:\Windows\System\VdOQAEc.exe
  2⤵
  PID:5884
- C:\Windows\System\rCiTEAF.exe
  C:\Windows\System\rCiTEAF.exe
  2⤵
  PID:5908
- C:\Windows\System\ycjwUjC.exe
  C:\Windows\System\ycjwUjC.exe
  2⤵
  PID:5940
- C:\Windows\System\eHpnzpC.exe
  C:\Windows\System\eHpnzpC.exe
  2⤵
  PID:5964
- C:\Windows\System\oUPOnGp.exe
  C:\Windows\System\oUPOnGp.exe
  2⤵
  PID:5992
- C:\Windows\System\ooOCwxj.exe
  C:\Windows\System\ooOCwxj.exe
  2⤵
  PID:6016
- C:\Windows\System\AMFpIPc.exe
  C:\Windows\System\AMFpIPc.exe
  2⤵
  PID:6048
- C:\Windows\System\Mcvuuwk.exe
  C:\Windows\System\Mcvuuwk.exe
  2⤵
  PID:6076
- C:\Windows\System\HVLDTSq.exe
  C:\Windows\System\HVLDTSq.exe
  2⤵
  PID:6104
- C:\Windows\System\VQTAdZE.exe
  C:\Windows\System\VQTAdZE.exe
  2⤵
  PID:6132
- C:\Windows\System\SaYtqwr.exe
  C:\Windows\System\SaYtqwr.exe
  2⤵
  PID:4060
- C:\Windows\System\JWjuwfl.exe
  C:\Windows\System\JWjuwfl.exe
  2⤵
  PID:4584
- C:\Windows\System\EUoQgln.exe
  C:\Windows\System\EUoQgln.exe
  2⤵
  PID:1588
- C:\Windows\System\rEPVhrp.exe
  C:\Windows\System\rEPVhrp.exe
  2⤵
  PID:436
- C:\Windows\System\kkQVpDq.exe
  C:\Windows\System\kkQVpDq.exe
  2⤵
  PID:4524
- C:\Windows\System\VARQkdw.exe
  C:\Windows\System\VARQkdw.exe
  2⤵
  PID:2512
- C:\Windows\System\ArQpwzK.exe
  C:\Windows\System\ArQpwzK.exe
  2⤵
  PID:5116
- C:\Windows\System\uxeNLjK.exe
  C:\Windows\System\uxeNLjK.exe
  2⤵
  PID:5168
- C:\Windows\System\JYbhZsi.exe
  C:\Windows\System\JYbhZsi.exe
  2⤵
  PID:5228
- C:\Windows\System\qaPhsZh.exe
  C:\Windows\System\qaPhsZh.exe
  2⤵
  PID:5304
- C:\Windows\System\sdLxtnQ.exe
  C:\Windows\System\sdLxtnQ.exe
  2⤵
  PID:5364
- C:\Windows\System\lxKUZXW.exe
  C:\Windows\System\lxKUZXW.exe
  2⤵
  PID:5432
- C:\Windows\System\JZuDNor.exe
  C:\Windows\System\JZuDNor.exe
  2⤵
  PID:5480
- C:\Windows\System\ZOIvCqi.exe
  C:\Windows\System\ZOIvCqi.exe
  2⤵
  PID:5556
- C:\Windows\System\WFqnzjp.exe
  C:\Windows\System\WFqnzjp.exe
  2⤵
  PID:5620
- C:\Windows\System\cjKJidL.exe
  C:\Windows\System\cjKJidL.exe
  2⤵
  PID:5676
- C:\Windows\System\BPDEtly.exe
  C:\Windows\System\BPDEtly.exe
  2⤵
  PID:5732
- C:\Windows\System\cdWeHKt.exe
  C:\Windows\System\cdWeHKt.exe
  2⤵
  PID:5808
- C:\Windows\System\fngcoeG.exe
  C:\Windows\System\fngcoeG.exe
  2⤵
  PID:5868
- C:\Windows\System\fPpxPcV.exe
  C:\Windows\System\fPpxPcV.exe
  2⤵
  PID:5924
- C:\Windows\System\KzJPlhs.exe
  C:\Windows\System\KzJPlhs.exe
  2⤵
  PID:5984
- C:\Windows\System\ogxTCBe.exe
  C:\Windows\System\ogxTCBe.exe
  2⤵
  PID:6064
- C:\Windows\System\mlhAOSo.exe
  C:\Windows\System\mlhAOSo.exe
  2⤵
  PID:6120
- C:\Windows\System\HZnphLf.exe
  C:\Windows\System\HZnphLf.exe
  2⤵
  PID:1444
- C:\Windows\System\ALnPhwM.exe
  C:\Windows\System\ALnPhwM.exe
  2⤵
  PID:884
- C:\Windows\System\CLPxNDs.exe
  C:\Windows\System\CLPxNDs.exe
  2⤵
  PID:924
- C:\Windows\System\dxJRewA.exe
  C:\Windows\System\dxJRewA.exe
  2⤵
  PID:5196
- C:\Windows\System\EsjDxiA.exe
  C:\Windows\System\EsjDxiA.exe
  2⤵
  PID:5336
- C:\Windows\System\caSWTPc.exe
  C:\Windows\System\caSWTPc.exe
  2⤵
  PID:5472
- C:\Windows\System\pVcKPXa.exe
  C:\Windows\System\pVcKPXa.exe
  2⤵
  PID:5612
- C:\Windows\System\bVpzqEv.exe
  C:\Windows\System\bVpzqEv.exe
  2⤵
  PID:5700
- C:\Windows\System\UmMnWmH.exe
  C:\Windows\System\UmMnWmH.exe
  2⤵
  PID:2092
- C:\Windows\System\LiQJEdU.exe
  C:\Windows\System\LiQJEdU.exe
  2⤵
  PID:5976
- C:\Windows\System\vfdrftG.exe
  C:\Windows\System\vfdrftG.exe
  2⤵
  PID:6116
- C:\Windows\System\cclKLZw.exe
  C:\Windows\System\cclKLZw.exe
  2⤵
  PID:6164
- C:\Windows\System\mnWqPts.exe
  C:\Windows\System\mnWqPts.exe
  2⤵
  PID:6192
- C:\Windows\System\xrbAWnJ.exe
  C:\Windows\System\xrbAWnJ.exe
  2⤵
  PID:6220
- C:\Windows\System\fMLfjbp.exe
  C:\Windows\System\fMLfjbp.exe
  2⤵
  PID:6248
- C:\Windows\System\MfsIRkQ.exe
  C:\Windows\System\MfsIRkQ.exe
  2⤵
  PID:6276
- C:\Windows\System\VZFuXqI.exe
  C:\Windows\System\VZFuXqI.exe
  2⤵
  PID:6304
- C:\Windows\System\sMdSznc.exe
  C:\Windows\System\sMdSznc.exe
  2⤵
  PID:6336
- C:\Windows\System\ozVnVcN.exe
  C:\Windows\System\ozVnVcN.exe
  2⤵
  PID:6360
- C:\Windows\System\RKUAVgZ.exe
  C:\Windows\System\RKUAVgZ.exe
  2⤵
  PID:6384
- C:\Windows\System\UTDDCqK.exe
  C:\Windows\System\UTDDCqK.exe
  2⤵
  PID:6416
- C:\Windows\System\YMOKwBI.exe
  C:\Windows\System\YMOKwBI.exe
  2⤵
  PID:6444
- C:\Windows\System\cUHuiKd.exe
  C:\Windows\System\cUHuiKd.exe
  2⤵
  PID:6472
- C:\Windows\System\EyffZiN.exe
  C:\Windows\System\EyffZiN.exe
  2⤵
  PID:6500
- C:\Windows\System\lSAiFbo.exe
  C:\Windows\System\lSAiFbo.exe
  2⤵
  PID:6528
- C:\Windows\System\BtruukK.exe
  C:\Windows\System\BtruukK.exe
  2⤵
  PID:6556
- C:\Windows\System\yLJbuYp.exe
  C:\Windows\System\yLJbuYp.exe
  2⤵
  PID:6584
- C:\Windows\System\BLeEcBp.exe
  C:\Windows\System\BLeEcBp.exe
  2⤵
  PID:6612
- C:\Windows\System\KjdCJiT.exe
  C:\Windows\System\KjdCJiT.exe
  2⤵
  PID:6696
- C:\Windows\System\bCHLyIk.exe
  C:\Windows\System\bCHLyIk.exe
  2⤵
  PID:6720
- C:\Windows\System\keghLYG.exe
  C:\Windows\System\keghLYG.exe
  2⤵
  PID:6756
- C:\Windows\System\sccllhL.exe
  C:\Windows\System\sccllhL.exe
  2⤵
  PID:6780
- C:\Windows\System\VzVMJja.exe
  C:\Windows\System\VzVMJja.exe
  2⤵
  PID:6816
- C:\Windows\System\xmxuOtf.exe
  C:\Windows\System\xmxuOtf.exe
  2⤵
  PID:6840
- C:\Windows\System\IEwiIqU.exe
  C:\Windows\System\IEwiIqU.exe
  2⤵
  PID:6860
- C:\Windows\System\NiApZIK.exe
  C:\Windows\System\NiApZIK.exe
  2⤵
  PID:6880
- C:\Windows\System\YdyIOvY.exe
  C:\Windows\System\YdyIOvY.exe
  2⤵
  PID:6904
- C:\Windows\System\cgmBTCH.exe
  C:\Windows\System\cgmBTCH.exe
  2⤵
  PID:6932
- C:\Windows\System\VLwWNax.exe
  C:\Windows\System\VLwWNax.exe
  2⤵
  PID:6952
- C:\Windows\System\jGGLlDH.exe
  C:\Windows\System\jGGLlDH.exe
  2⤵
  PID:6980
- C:\Windows\System\aTHXumo.exe
  C:\Windows\System\aTHXumo.exe
  2⤵
  PID:7024
- C:\Windows\System\XHmxhKo.exe
  C:\Windows\System\XHmxhKo.exe
  2⤵
  PID:7052
- C:\Windows\System\jlhQZZp.exe
  C:\Windows\System\jlhQZZp.exe
  2⤵
  PID:7068
- C:\Windows\System\GCzKIaS.exe
  C:\Windows\System\GCzKIaS.exe
  2⤵
  PID:7084
- C:\Windows\System\mslsisb.exe
  C:\Windows\System\mslsisb.exe
  2⤵
  PID:7120
- C:\Windows\System\HbKGQbY.exe
  C:\Windows\System\HbKGQbY.exe
  2⤵
  PID:7156
- C:\Windows\System\YbXXFmY.exe
  C:\Windows\System\YbXXFmY.exe
  2⤵
  PID:3556
- C:\Windows\System\SIdHZEY.exe
  C:\Windows\System\SIdHZEY.exe
  2⤵
  PID:1984
- C:\Windows\System\oxoEIHi.exe
  C:\Windows\System\oxoEIHi.exe
  2⤵
  PID:5588
- C:\Windows\System\oDnnGfO.exe
  C:\Windows\System\oDnnGfO.exe
  2⤵
  PID:5668
- C:\Windows\System\LcYzIKq.exe
  C:\Windows\System\LcYzIKq.exe
  2⤵
  PID:5784
- C:\Windows\System\jxAEmtz.exe
  C:\Windows\System\jxAEmtz.exe
  2⤵
  PID:5956
- C:\Windows\System\FFhckmf.exe
  C:\Windows\System\FFhckmf.exe
  2⤵
  PID:3152
- C:\Windows\System\uGkyCeD.exe
  C:\Windows\System\uGkyCeD.exe
  2⤵
  PID:6156
- C:\Windows\System\BYYBsmG.exe
  C:\Windows\System\BYYBsmG.exe
  2⤵
  PID:6208
- C:\Windows\System\EKqWsjl.exe
  C:\Windows\System\EKqWsjl.exe
  2⤵
  PID:6320
- C:\Windows\System\ajSqQdH.exe
  C:\Windows\System\ajSqQdH.exe
  2⤵
  PID:6380
- C:\Windows\System\iHdFNUC.exe
  C:\Windows\System\iHdFNUC.exe
  2⤵
  PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AkQLkFH.exe

Filesize
1.3MB

MD5
7be627e4902b9a1a0cbc9b2a0029ff9c

SHA1
7425a015b60077c4024b331968a5c48a85a4d7dc

SHA256
5ab2a92da81225cfee70b333dab9508bcaa0745e4653d187d25a882b5ecec710

SHA512
3a352ac7b481cd40cbcbd9ee4ef6a9b72cc93222a38700e5339dabba6717853d2f05f38a8ba2889005f1bb176498062e0fd84bf9f69443c045e3ac6a07263c73

Download Submit
C:\Windows\System\Gjchisu.exe

Filesize
1.3MB

MD5
2a14fc42d8dabfc272d11032658e0afa

SHA1
70d03ce8444ab380f0c10af9a0f27f9e5e97f7ee

SHA256
963023cd14eab70c22e5fbf5812d939247a2420a7a6e6c4a18b007436fd98461

SHA512
7e550aaad2af0bb71830b804938af82b64f392c8290ae541581eded5aa6235ff4c1e9bd4733fac965e9e2117f0ee63f0b9883bdbc8bd1e8f8e267db7ec58ab50

Download Submit
C:\Windows\System\HeYNmQR.exe

Filesize
1.3MB

MD5
17079507f021a29900add7f025ec4046

SHA1
fdfe001f02a761e48ea79ea0085e6a67f50a947a

SHA256
0dd559773c6488eea07f4e273686a026d62ac03d347313484ae845fac689bac5

SHA512
ec5d051a8f0f7154037f18b5ac5e72f2919efe1b73bf85f51a8d21fb13459bc7e40f6b0d681aa3c6b794850ae4ca54fc5557ca779b33a3ab7db49a8c5a275d6e

Download Submit
C:\Windows\System\HkxMZgC.exe

Filesize
1.3MB

MD5
8c82e372884ae8cea09db0b9aa74f9ee

SHA1
6bca45a5d5b4ffe453e185660f86986ceda521f5

SHA256
5f8c0926dbffee09a4ce5826f90aea6646f189a738db580aa6aebedd69069ce6

SHA512
75d72219855a44b554fe531aea983331c4b584c8b184031e010ddda1356c8bf1ca8e47ff6aa027c0376e32bb955cba860ee25f16bbfc3743884c8bd40041435a

Download Submit
C:\Windows\System\JJJCxIB.exe

Filesize
1.3MB

MD5
64da9563d016f6ddad006371ea6ac696

SHA1
c0505298589767def50623c71477d55a78c65427

SHA256
7147412f65ee2655a4e780fac5edf0bb8549c523f00b62fe92710ea3f54eaa04

SHA512
65f93e683b2b6f655e7fc9a6e4315b0bccf647b781f957129c4bc959e7af27c1c4ec5b0794dfb73179ba663362856ace96ef47ce1721116fe43f221682fc5226

Download Submit
C:\Windows\System\KMGFHDZ.exe

Filesize
1.3MB

MD5
e5cc18e216fed96c55d1dd9112f39094

SHA1
726585cfd171f379ffc717340235fdf2c7342a42

SHA256
bb5e7b275f0bea8bfaab0d76182e42199e715379f7abed1d71f8ff34bd194e3b

SHA512
66c5f0d6d4580a44294435230d4c7b58c9e33fa2f3784df4c1fdb5df6f585ce11123d21c81a98da531754d9318f3b8afdf43ffe371ff8d000212feac92e023d7

Download Submit
C:\Windows\System\UOInvCQ.exe

Filesize
1.3MB

MD5
38c4a170b59f2f6a6d1f1288d21dd6db

SHA1
7515bbd63d7df699b16eace0509c66a37cb95644

SHA256
a5de2fc2f061febc08a55584775de2b41dc3e1cb55f7ccd05db9c906fd1f0941

SHA512
b098093962a5e198f5459a13066b75f781c5284e694f15a452d71222a2b9e49f5486026fad6a200f603134f380984cb072df2c289ab8d80ac2a444a3eaa0cc21

Download Submit
C:\Windows\System\WelbRCU.exe

Filesize
1.3MB

MD5
3b91ac801d5784d31ae2b1b6b52bcaf1

SHA1
276a811f2352cc2094cc46a05c4eebe6cfd8a4f9

SHA256
e4b5a42af1ed6e8eb7846535533ac4a4b259481a98ea2b1e05816cd1c243a4be

SHA512
95c790461114d1251c9c2b2aea260d3a4925cb00f89905250a567de45508c5f424dc39217a1fb4ffb84110eaeae17bc6ac4f2bf2618dd37f63887cbe8ffa9ec9

Download Submit
C:\Windows\System\XJKeKGG.exe

Filesize
1.3MB

MD5
28cd710a50d3b21e3b4c77d4affbc097

SHA1
37b9e9ceb1c1354623b2d74e18c44c4c2b6008a0

SHA256
d59b6837b00acda5f2702d6892d89af0d73a8fc797786e397ff3d37263075d53

SHA512
5432384bdc45299d4d25b7cf5772cae9f4a549a1933658c9e9ff1a9a312a2846bd400681151015868d5a6835ba454505aacf692bb13fb57433dd73876d66cf09

Download Submit
C:\Windows\System\XaCIHmN.exe

Filesize
1.3MB

MD5
d7c460e1b49652f43b62b81ce3fa5ae2

SHA1
daa2d3c199e6f3e736c4a33933f3a9aa3de28b73

SHA256
f9db04931b9b609127e08623a608b9817476673775dcb2ab2f5a907e629f1768

SHA512
1984f1181af48ad5a769bc9a9fcb0fb781bd5d8ae3646dadb6c2be98411f4f71b3a5a2fdf405ec612a1174d78c606e6ed2828fc5707e59fddcdf46270801680a

Download Submit
C:\Windows\System\YBJaEzn.exe

Filesize
1.3MB

MD5
aaf21d07e00df3e402cc28d7be56e7fe

SHA1
bba704f8ffab338c952b133bd311ebcb8a4f2fa3

SHA256
1c72d5568f586192285f6c149d12f9e0f1cec06b9d0baace5b3ad548eae65036

SHA512
a259a373d675b1356bca8cb355c6f512e430c65579ed9b5216dd2c8387cd85ab9023afe507faeafbcc24c7147711abcca5f4a980955ad7c7e072887949c2ce8d

Download Submit
C:\Windows\System\YViIATX.exe

Filesize
1.3MB

MD5
ea8e4c1ad76f836a37dde6c0082d2a34

SHA1
310be34d0a3197a34857c68d497986cf0a0febf3

SHA256
874342f9a0ff6d66748896e682f5ff409413a6922e3c51a94fd55f55e670c69d

SHA512
9da2466e3eb0861a08ef1ea73f1262629b019da51d524ba2aa6494d764c225c14d287adee2b6599bb3190a17143a3a93bb899d1ea296e8a133e230b5fe9eeff3

Download Submit
C:\Windows\System\YrtMckf.exe

Filesize
1.3MB

MD5
b900adcaafc0f968ef8d609df8da5961

SHA1
292819b1fb68c21150108651c8e648d689384d18

SHA256
df83e1794281bae5c572a62ad926e2dcbe02e514000aa0a7399134c23b3bc9e2

SHA512
75a794d6a6fdc866fb208af6e302ac1006d1cf8de26992980327264ff0766d42d9d731dd7e8aef5d8cf42477a7516c8bb7894877c16582c71e2813eb746abe92

Download Submit
C:\Windows\System\ZHnIkGd.exe

Filesize
1.3MB

MD5
bd5d8a0fef5a42601a0ed1624a94eb18

SHA1
8b6e9633d7b2330050539f76b3fef066390e768d

SHA256
6cc35bad8f24a4a9aece0b01ec24eb385c54c2394a7467bb5a9a32cdc0b6535f

SHA512
a8a91452090b1526eef910203143a257677bf61c1ea55330716cfa06a14ac4c84edde56d97948960ff1ee14e4b63c6132316be4c54ede13beef6ab5e27f62bd1

Download Submit
C:\Windows\System\cruHrXI.exe

Filesize
1.3MB

MD5
2cf36851689787deb0194603ac92c3d7

SHA1
edb0c3122adcc92a6a4d2feb3f56809434bfd1c8

SHA256
bca52506c9df445b7eb11fb6c1451643a9a6df85ee2140b55f15be02597bb228

SHA512
1e3498a0a055a44905119edb745f531373f5671d3b56b2f39f9871de3f45cc2016d567879cb95499747df06224f66f575148d232507afa5bdfa50550c0c14768

Download Submit
C:\Windows\System\dcrsbKH.exe

Filesize
1.3MB

MD5
807cce2757013ebab88fc29c83a85cd5

SHA1
0a01dca84019fce0ea5a037c9d77a2a9b4c70a71

SHA256
21bd409ab64cc07205b2d13d55754ea89fe042176753f78af11b0a3d4ce20ec3

SHA512
d0095fca6960ed8374197a074e4a28f05348ddf23a8d21512bf7d369023c8b31a2561d4a3691b0185109d555038848b316a555d96505d7aa00b8f9e18739bdd0

Download Submit
C:\Windows\System\gYfBozP.exe

Filesize
1.3MB

MD5
14dd22e301b179f8382911c16da5eb7d

SHA1
dd20aaced92506e07ba262753c1e77dee2546455

SHA256
0a26dc078ed328b746c21cd5eb4b77c6521b1fbc809fa1b7eeae9c2fdfc8fa13

SHA512
90684c30f9968ccaf6812fdbc72e268f646dca0a8dc080ce407c54d466de1df3d3b6096654df30836bdca59563233287313e720c03f32ea439631dfa8ca1b11f

Download Submit
C:\Windows\System\ggtVoLf.exe

Filesize
1.3MB

MD5
0ac5a814518b36c4bbfd5c007f14ce2b

SHA1
fc2e2e02ae770fdb805405e03a34d8f30b6095c5

SHA256
a640958a3f56d355ce97b51d2eb1243485da1bd8fc4bbf05ce899d67f58f6a0b

SHA512
0d82bf27aa93487e02c62dc193f1e3524ce9faf534a846b8ee399388171fa383eab82fccd4d5661e0ae4f2969438e7fc78e4e5066347e28831130ae5dbec2192

Download Submit
C:\Windows\System\ilsylNN.exe

Filesize
1.3MB

MD5
30dc5d4deea1699d27320f926a64406a

SHA1
65ece9b84eeed997856f524483657534728f30f3

SHA256
628e48ef5ad2c8649f928f92287310bd802120ab9cc49b1b30be33c23f74ee36

SHA512
7d380e4b33fe1a5a47641206ac3b3fba180f54ad22427dc7220528550fb797f9ac22cb158745987c8436e0e48a78f760f3bda58cef4ae8d6b64e6ac95ddfa500

Download Submit
C:\Windows\System\lpbWMRX.exe

Filesize
1.3MB

MD5
4a5a6a555dcd6d95b5fd28b270c07471

SHA1
3424926b59906e0cbb337cdeda67bce2225f656d

SHA256
4f813b6a6d286e2495a7d47ca85b6e06d6247d55b0b9aa6d6c0b54f9f5ad3574

SHA512
ad55de4fe5a3495adc82be891ea0bf2237d647ae1e8fa1355b1e26de3966891a21921dc1a28ae7f6dd050d9c96fac80eddbe91cda82554b99faf2e2999ab214c

Download Submit
C:\Windows\System\nHtBIBv.exe

Filesize
1.3MB

MD5
5aff11254a335b67708f2bd047760d4d

SHA1
23286bac43b55b83424fcfdf1f958ed69beefc7a

SHA256
b91ae9292fbd3dec07abbc7595e7bb3793d85fffe1d0ba1978f4688729ab3770

SHA512
9d4fc466c2f80badfb4e61f9be7f6cc81a604acbcbdffb0d7309ad372e1e9cbd4ba297e7ac8d9a75b45e8937fb5a51a03f404b35420286504af470c0250186cf

Download Submit
C:\Windows\System\nRobUlo.exe

Filesize
1.3MB

MD5
cd38a9c6667fb9bb1ab256123704c857

SHA1
5344381c24731d7cfc356185544a3c5040d56b67

SHA256
4debe86e9ce5d16a1c280599f02693902d067d7546a24c4be0abb7852ccf7b02

SHA512
ee809efd801056c91dd66d4dab32672b14a5c4f4d70c0788ff4fcd3a868f36ffce0f8b1e7cddb66e51b00f80d3ac84e1123ce30ee4405f96a312d941d1eb0506

Download Submit
C:\Windows\System\nlGbnmU.exe

Filesize
1.3MB

MD5
d7692716da46ba1b4ac3d7b328db53c6

SHA1
74cc84d2c74d2b03e6b04859a661162de155f187

SHA256
446b15b8ccd819933b4c97c312035f05dd46ded052dcf583b79e13327763eeff

SHA512
c0826207f894a100071162d005a08b5127abb4bf1ceb7eace68c6a638c1ac0c02b99b099ec8c26f38b3ac672bf20a5f76291f98e5aafb9d7921e83c20384d26d

Download Submit
C:\Windows\System\oQFeEYz.exe

Filesize
1.3MB

MD5
e55f364e8eb87d02f96dd70e7d47831f

SHA1
c938488fbd11235cbd9233d1d38ef0b9fac06796

SHA256
0da10d1e43a7252c62df38436adad00fec1656006182065943671cef3b3ccce4

SHA512
113dd466c008c6528fe8807f39bf81c7845a7d431cd9da1cceeaa6f61a3506225eea08aeae08b5e12d9b74a3b3204710a72d39d675a74154bcd3753fdb502456

Download Submit
C:\Windows\System\oxUhbXb.exe

Filesize
1.3MB

MD5
b04090f331705c7ac59fb1b4332d7859

SHA1
34d9020b978a679d4f5ba41697e47a6d8d90a706

SHA256
fabdffcb98ba7b87bf72364f9566306fc26fb8f674365257fff8a6690402fd5b

SHA512
d9a365b9da3b5158395418a997f684a78bf5b061e64334903efbb128af1e7dedfba9aa0c97a8341cea0eda65f2a33e215ba94a40daabbee7d3aa2c5d4033621b

Download Submit
C:\Windows\System\pShiaxb.exe

Filesize
1.3MB

MD5
974045e1dcfd551543e39969b64b797a

SHA1
4c8beb03cc7288a712b8d2c9e5943c0d7f7cf4de

SHA256
29e84d10f4c1dc27319a8181b6b4babe1401ca4226390337b47fba01d3b7b02d

SHA512
7c900d5857d79b41f5410508d8fb7c8bd14699ec22992b8915b3d1da43e19ce4fcfb2a2b9aea294109cae267f7f79b0782ddc99b07bfa72a9499a300f666ad7b

Download Submit
C:\Windows\System\pqBXdZZ.exe

Filesize
1.3MB

MD5
a395c050cb322bfcf9c0bf6ad14b5556

SHA1
65ed9c08b91977531ad6b1adb2384960dc65ffdb

SHA256
19a3a1d517f3f07df750bdd34c25e6f9ee7fc7891dc6889d9c8b2b8dcabe3f10

SHA512
88c789cfbbab33c882a9d5c10d86432e9000cff5581dcc66de202ab55268319c2f5b4fa967aabee8bfdd42296f85a75d7ca3cdceadec455ee4ddc17f945c1ee8

Download Submit
C:\Windows\System\sVEnTnF.exe

Filesize
1.3MB

MD5
60adc55b0b770d2a8cd1b07052cc4588

SHA1
9c80f1c44c6849b3884d9724e2243b94c4bd0cc3

SHA256
4afe4a51e3aae7f02c84750d848aae720a283011f5ec615411bc6a36b519e11f

SHA512
6a57c74cc4a4ea2c0ec3afa0af4b352c38fb8b72a5151c8722f2afad6ab3f5db444d8bffa2972c22a349bd8d47f7218df1b26732dd6972e6548e8901d045c375

Download Submit
C:\Windows\System\skUYEbe.exe

Filesize
1.3MB

MD5
b8b3ca34d6b55cbd825f6a6e661029d9

SHA1
79a7b2e0be8e5df935103a071e0678ffe41fa08c

SHA256
7d5f48ea5a205deda41bf3a1f95ec318584f98c0271435eaf83f126fc70346e3

SHA512
ee3507f5334f4d453dc2197b3b37406827bf40e89145fe7caf5b70acd8436798b01813bc745779739622bb174fbf3845f9725cb6a5cbbb0fb72da0777996a172

Download Submit
C:\Windows\System\tSEmcLJ.exe

Filesize
1.3MB

MD5
41dbcf62e5ae7bba5cbfa31eb499e841

SHA1
27b13d6bb1c7f351b7593662afa286ff8eefbebf

SHA256
3d33e5cf18f6a7832032cd6bcf47dfdadb1461ce6438998585c38944953fee32

SHA512
09de3fac08dca22e8dd749c121554b6593e1c78e76b4421dbf6b2f8746557692c78ad462f8e30e1d8c4ccdea2437c7d52a520c4839d72a1d694ba7a42716abdd

Download Submit
C:\Windows\System\yYaoVKE.exe

Filesize
1.3MB

MD5
2b515ab7ca734fb1e84aba7119e659f7

SHA1
986d80a413c37bb0e3882c095baa07a97e50082d

SHA256
ba874060b92c53197bcf67c6bd46c5971cfc38f8f8addeb0d604e1a46dbc2ec0

SHA512
e14c576bd7b5f4c459fb1bf5135af6038033e4556c1857958dcde8bdaa96d3c17073106d2aed8187c892e485e5b1256b5a7345e67ebebd4b9290bff288cfc055

Download Submit
C:\Windows\System\zBBMpss.exe

Filesize
1.3MB

MD5
2db8cd659eb2056bb332e4c5a07d30d0

SHA1
6cd67addadf5660977e25b5edc8ee27299d9d75f

SHA256
1d5ef647774db97602089d3dc1d9513bfc459859ed79b5e04ac758a250fa8104

SHA512
0f6b9874b7a3ba182a890a98e5ee30fdc82a104fb45decb69be81eb126e3de9ef338518ad99a9ccd0ca482f2f9eaff9d9fad0c0446e69ac080a4533f241bd300

Download Submit
C:\Windows\System\zYXCAGe.exe

Filesize
1.3MB

MD5
3f659808d9d437384ad5e754910953ca

SHA1
980f6ab7b9a50bf59560249e7f13b0a5ee8f7af7

SHA256
3fb876798d3272446a1461e8f6e5e20c0cfdbe1d0ce9a0273e5ba394ff851663

SHA512
b4a635aeaf8c4d51fa4a7f88bf1f014dbaddbe77f2f505fdcd07ad98716813aedbc6c49f0e6e2cf4a28ee64134cbcac97f7b4ceb30d11ce1e8016d90540bf072

Download Submit
memory/3252-0-0x000001B9554D0000-0x000001B9554E0000-memory.dmp

Filesize
64KB

Download