xmrig | c06a048785353c14b6f33062c7129099bef42b48bafdfde1eb872da3ef9c2549

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
Size

1002KB
MD5

7bf633fdd2f788440f8dc305af3ebed0
SHA1

f817d40d5f9613d06f966cc46e935e3308060e00
SHA256

c06a048785353c14b6f33062c7129099bef42b48bafdfde1eb872da3ef9c2549
SHA512

f599704c20692f4da28904e95890073df6201e55d4123544b14db763ac0e9a0d8beed22ab2fd32d857f5af41b032a2646f5f5e0a2c5eb1d72212c9dd71b322a9
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbBwlKensPLNN:GezaTF8FcNkNdfE0pZ9oztFwIhL3

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000b000000023547-4.dat	xmrig
behavioral2/files/0x0008000000023584-10.dat	xmrig
behavioral2/files/0x0007000000023586-17.dat	xmrig
behavioral2/files/0x0007000000023587-19.dat	xmrig
behavioral2/files/0x0007000000023590-61.dat	xmrig
behavioral2/files/0x000700000002358f-60.dat	xmrig
behavioral2/files/0x000700000002358e-59.dat	xmrig
behavioral2/files/0x0007000000023589-55.dat	xmrig
behavioral2/files/0x0007000000023588-52.dat	xmrig
behavioral2/files/0x000700000002358c-49.dat	xmrig
behavioral2/files/0x000700000002358b-46.dat	xmrig
behavioral2/files/0x000700000002358a-38.dat	xmrig
behavioral2/files/0x000700000002358d-58.dat	xmrig
behavioral2/files/0x0007000000023585-23.dat	xmrig
behavioral2/files/0x0007000000023596-98.dat	xmrig
behavioral2/files/0x000700000002359b-112.dat	xmrig
behavioral2/files/0x000700000002359e-140.dat	xmrig
behavioral2/files/0x000700000002359d-138.dat	xmrig
behavioral2/files/0x000700000002359c-136.dat	xmrig
behavioral2/files/0x000700000002359a-132.dat	xmrig
behavioral2/files/0x0007000000023595-130.dat	xmrig
behavioral2/files/0x0007000000023599-128.dat	xmrig
behavioral2/files/0x0007000000023598-126.dat	xmrig
behavioral2/files/0x0007000000023597-124.dat	xmrig
behavioral2/files/0x0007000000023593-122.dat	xmrig
behavioral2/files/0x0007000000023594-116.dat	xmrig
behavioral2/files/0x0007000000023592-93.dat	xmrig
behavioral2/files/0x000700000002359f-144.dat	xmrig
behavioral2/files/0x00070000000235a0-147.dat	xmrig
behavioral2/files/0x0007000000023591-90.dat	xmrig
behavioral2/files/0x00070000000235a2-159.dat	xmrig
behavioral2/files/0x0008000000023582-165.dat	xmrig
behavioral2/files/0x00070000000235a1-158.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3348	QXPWDEN.exe
4656	HWcToDd.exe
2192	zUKbGHV.exe
1220	NFbwktQ.exe
4524	tYXRyfk.exe
5064	MbPNSVe.exe
3196	KszGYhW.exe
316	XwFTAnI.exe
1060	IwQoXcM.exe
4196	GSWcSNK.exe
4508	jRafafn.exe
4440	gwbXrUG.exe
2184	DPDCpcH.exe
4340	evHELFv.exe
1640	TNODkyh.exe
1132	KIVjrYg.exe
2480	QbTlvMb.exe
5068	BwDRlkE.exe
2972	hjSWipn.exe
4832	elHWZRD.exe
652	ymrYBbM.exe
3068	LJxqfnS.exe
2028	KWHrdNS.exe
1600	eUPzrHr.exe
3236	ycwTtLi.exe
2000	sItXcsJ.exe
1812	fZjqLOn.exe
2380	HKEUHSB.exe
4928	swAYQBi.exe
3412	QZBcEeh.exe
436	kKxZJMp.exe
4920	opnewol.exe
1680	gGsNiFD.exe
400	bFxvhlY.exe
4676	AzBccLd.exe
3248	ToFzmKz.exe
364	OAuxSJC.exe
1156	hNPHCyT.exe
4944	IRfEMGn.exe
3208	rdEzRgE.exe
2572	CoKlmcG.exe
4964	bjwRvfr.exe
5024	ZLsuGiY.exe
1284	YfjKEJt.exe
4088	jHSihMy.exe
4848	rYHJJiT.exe
2044	xknQJZU.exe
5084	sWMSCAG.exe
2484	mTKZpvS.exe
3824	irnWyvt.exe
3192	eCdUZPD.exe
4888	PdTTQCA.exe
2244	PhyeBgZ.exe
3996	JGqXQfO.exe
1140	HqXToeh.exe
3116	NKfjULn.exe
3920	ypkTMHq.exe
2392	hQuBDqp.exe
3312	CdhlDpm.exe
3060	BvziwyH.exe
3232	IDJuYdc.exe
1464	PNCutWO.exe
2172	KjYpFnp.exe
3340	cSffLNr.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\kKxZJMp.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ShYSkSh.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\wVANrig.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\uSycTdP.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\DPDCpcH.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\BwDRlkE.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\tbIOKAk.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\KszGYhW.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\eujxijS.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\EVRaJnP.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\opnewol.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ZExomJm.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\qqkyyXq.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ToFzmKz.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\SnWFwUR.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ohCjuUj.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\fdFflVY.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\qdUTRKm.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\DZhBkqE.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\IwQoXcM.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\sWMSCAG.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\CdhlDpm.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\QWPdIjt.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\HWcToDd.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\kXXlowt.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\kYoNiIu.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\zCDGQaz.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\lQkHUYB.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\POjcHsO.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\cSJfPEd.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\WzEIORq.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\nsWQTxP.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\AzBccLd.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\rdEzRgE.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\QEqNsBa.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\TroxXzX.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\PlzKgfz.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\sItXcsJ.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ZolKyKw.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\GkTxPjr.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\ccvpYZP.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\mTKZpvS.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\VKvUVof.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\sPtMiqp.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\XKZviHu.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\EuynIzU.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\QXPWDEN.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\bFxvhlY.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\YfjKEJt.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\GmYDezo.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\pknGizf.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\saBrcTt.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\uiWVlPE.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\NThcyTm.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\eCdUZPD.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\vigQmZU.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\GvIugtp.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\vKZYHIb.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\sjMkFvP.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\gGsNiFD.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\PHVNbea.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\DgGLQeK.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\IRfEMGn.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
File created	C:\Windows\System\kEmYlEj.exe	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 3348	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	82
PID 948 wrote to memory of 3348	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	82
PID 948 wrote to memory of 4656	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	83
PID 948 wrote to memory of 4656	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	83
PID 948 wrote to memory of 2192	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	84
PID 948 wrote to memory of 2192	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	84
PID 948 wrote to memory of 1220	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	85
PID 948 wrote to memory of 1220	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	85
PID 948 wrote to memory of 4524	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	86
PID 948 wrote to memory of 4524	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	86
PID 948 wrote to memory of 5064	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	87
PID 948 wrote to memory of 5064	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	87
PID 948 wrote to memory of 3196	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	88
PID 948 wrote to memory of 3196	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	88
PID 948 wrote to memory of 316	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	89
PID 948 wrote to memory of 316	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	89
PID 948 wrote to memory of 1060	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	90
PID 948 wrote to memory of 1060	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	90
PID 948 wrote to memory of 4196	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	91
PID 948 wrote to memory of 4196	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	91
PID 948 wrote to memory of 4508	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	92
PID 948 wrote to memory of 4508	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	92
PID 948 wrote to memory of 4440	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	93
PID 948 wrote to memory of 4440	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	93
PID 948 wrote to memory of 2184	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	94
PID 948 wrote to memory of 2184	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	94
PID 948 wrote to memory of 4340	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	95
PID 948 wrote to memory of 4340	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	95
PID 948 wrote to memory of 1640	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	96
PID 948 wrote to memory of 1640	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	96
PID 948 wrote to memory of 1132	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	97
PID 948 wrote to memory of 1132	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	97
PID 948 wrote to memory of 2480	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	98
PID 948 wrote to memory of 2480	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	98
PID 948 wrote to memory of 5068	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	99
PID 948 wrote to memory of 5068	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	99
PID 948 wrote to memory of 2028	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	100
PID 948 wrote to memory of 2028	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	100
PID 948 wrote to memory of 2972	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	101
PID 948 wrote to memory of 2972	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	101
PID 948 wrote to memory of 4832	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	102
PID 948 wrote to memory of 4832	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	102
PID 948 wrote to memory of 652	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	103
PID 948 wrote to memory of 652	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	103
PID 948 wrote to memory of 3068	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	104
PID 948 wrote to memory of 3068	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	104
PID 948 wrote to memory of 1600	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	105
PID 948 wrote to memory of 1600	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	105
PID 948 wrote to memory of 3236	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	106
PID 948 wrote to memory of 3236	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	106
PID 948 wrote to memory of 2000	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	107
PID 948 wrote to memory of 2000	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	107
PID 948 wrote to memory of 1812	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	108
PID 948 wrote to memory of 1812	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	108
PID 948 wrote to memory of 2380	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	109
PID 948 wrote to memory of 2380	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	109
PID 948 wrote to memory of 4928	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	110
PID 948 wrote to memory of 4928	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	110
PID 948 wrote to memory of 3412	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	111
PID 948 wrote to memory of 3412	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	111
PID 948 wrote to memory of 436	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	112
PID 948 wrote to memory of 436	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	112
PID 948 wrote to memory of 4920	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	113
PID 948 wrote to memory of 4920	948	7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe	113

C:\Users\Admin\AppData\Local\Temp\7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7bf633fdd2f788440f8dc305af3ebed0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\System\QXPWDEN.exe
  C:\Windows\System\QXPWDEN.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\HWcToDd.exe
  C:\Windows\System\HWcToDd.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\zUKbGHV.exe
  C:\Windows\System\zUKbGHV.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\NFbwktQ.exe
  C:\Windows\System\NFbwktQ.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\tYXRyfk.exe
  C:\Windows\System\tYXRyfk.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\MbPNSVe.exe
  C:\Windows\System\MbPNSVe.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\KszGYhW.exe
  C:\Windows\System\KszGYhW.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\XwFTAnI.exe
  C:\Windows\System\XwFTAnI.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\IwQoXcM.exe
  C:\Windows\System\IwQoXcM.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\GSWcSNK.exe
  C:\Windows\System\GSWcSNK.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\jRafafn.exe
  C:\Windows\System\jRafafn.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\gwbXrUG.exe
  C:\Windows\System\gwbXrUG.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\DPDCpcH.exe
  C:\Windows\System\DPDCpcH.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\evHELFv.exe
  C:\Windows\System\evHELFv.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\TNODkyh.exe
  C:\Windows\System\TNODkyh.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\KIVjrYg.exe
  C:\Windows\System\KIVjrYg.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\QbTlvMb.exe
  C:\Windows\System\QbTlvMb.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\BwDRlkE.exe
  C:\Windows\System\BwDRlkE.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\KWHrdNS.exe
  C:\Windows\System\KWHrdNS.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\hjSWipn.exe
  C:\Windows\System\hjSWipn.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\elHWZRD.exe
  C:\Windows\System\elHWZRD.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\ymrYBbM.exe
  C:\Windows\System\ymrYBbM.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\LJxqfnS.exe
  C:\Windows\System\LJxqfnS.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\eUPzrHr.exe
  C:\Windows\System\eUPzrHr.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\ycwTtLi.exe
  C:\Windows\System\ycwTtLi.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\sItXcsJ.exe
  C:\Windows\System\sItXcsJ.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\fZjqLOn.exe
  C:\Windows\System\fZjqLOn.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\HKEUHSB.exe
  C:\Windows\System\HKEUHSB.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\swAYQBi.exe
  C:\Windows\System\swAYQBi.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\QZBcEeh.exe
  C:\Windows\System\QZBcEeh.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\kKxZJMp.exe
  C:\Windows\System\kKxZJMp.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\opnewol.exe
  C:\Windows\System\opnewol.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\gGsNiFD.exe
  C:\Windows\System\gGsNiFD.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\AzBccLd.exe
  C:\Windows\System\AzBccLd.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\bFxvhlY.exe
  C:\Windows\System\bFxvhlY.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\ToFzmKz.exe
  C:\Windows\System\ToFzmKz.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\OAuxSJC.exe
  C:\Windows\System\OAuxSJC.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\hNPHCyT.exe
  C:\Windows\System\hNPHCyT.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\IRfEMGn.exe
  C:\Windows\System\IRfEMGn.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\rdEzRgE.exe
  C:\Windows\System\rdEzRgE.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\YfjKEJt.exe
  C:\Windows\System\YfjKEJt.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\CoKlmcG.exe
  C:\Windows\System\CoKlmcG.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\bjwRvfr.exe
  C:\Windows\System\bjwRvfr.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\ZLsuGiY.exe
  C:\Windows\System\ZLsuGiY.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\xknQJZU.exe
  C:\Windows\System\xknQJZU.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\jHSihMy.exe
  C:\Windows\System\jHSihMy.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\rYHJJiT.exe
  C:\Windows\System\rYHJJiT.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\sWMSCAG.exe
  C:\Windows\System\sWMSCAG.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\mTKZpvS.exe
  C:\Windows\System\mTKZpvS.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\irnWyvt.exe
  C:\Windows\System\irnWyvt.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\eCdUZPD.exe
  C:\Windows\System\eCdUZPD.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\PdTTQCA.exe
  C:\Windows\System\PdTTQCA.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\PhyeBgZ.exe
  C:\Windows\System\PhyeBgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\JGqXQfO.exe
  C:\Windows\System\JGqXQfO.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\HqXToeh.exe
  C:\Windows\System\HqXToeh.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\NKfjULn.exe
  C:\Windows\System\NKfjULn.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\ypkTMHq.exe
  C:\Windows\System\ypkTMHq.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\hQuBDqp.exe
  C:\Windows\System\hQuBDqp.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\CdhlDpm.exe
  C:\Windows\System\CdhlDpm.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\BvziwyH.exe
  C:\Windows\System\BvziwyH.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\IDJuYdc.exe
  C:\Windows\System\IDJuYdc.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\PNCutWO.exe
  C:\Windows\System\PNCutWO.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\KjYpFnp.exe
  C:\Windows\System\KjYpFnp.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\cSffLNr.exe
  C:\Windows\System\cSffLNr.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\QhVfwHp.exe
  C:\Windows\System\QhVfwHp.exe
  2⤵
  PID:1368
- C:\Windows\System\IizeWOc.exe
  C:\Windows\System\IizeWOc.exe
  2⤵
  PID:1316
- C:\Windows\System\WzEIORq.exe
  C:\Windows\System\WzEIORq.exe
  2⤵
  PID:2008
- C:\Windows\System\TcgGrNG.exe
  C:\Windows\System\TcgGrNG.exe
  2⤵
  PID:4992
- C:\Windows\System\uRHMacU.exe
  C:\Windows\System\uRHMacU.exe
  2⤵
  PID:3368
- C:\Windows\System\jLRwVJM.exe
  C:\Windows\System\jLRwVJM.exe
  2⤵
  PID:4960
- C:\Windows\System\KlfcnYU.exe
  C:\Windows\System\KlfcnYU.exe
  2⤵
  PID:1568
- C:\Windows\System\UQNDRld.exe
  C:\Windows\System\UQNDRld.exe
  2⤵
  PID:1484
- C:\Windows\System\ZExomJm.exe
  C:\Windows\System\ZExomJm.exe
  2⤵
  PID:1744
- C:\Windows\System\GoshoiO.exe
  C:\Windows\System\GoshoiO.exe
  2⤵
  PID:1712
- C:\Windows\System\fdFflVY.exe
  C:\Windows\System\fdFflVY.exe
  2⤵
  PID:4640
- C:\Windows\System\SnWFwUR.exe
  C:\Windows\System\SnWFwUR.exe
  2⤵
  PID:856
- C:\Windows\System\xTMSvQQ.exe
  C:\Windows\System\xTMSvQQ.exe
  2⤵
  PID:3944
- C:\Windows\System\JdDuPum.exe
  C:\Windows\System\JdDuPum.exe
  2⤵
  PID:3332
- C:\Windows\System\iusmHuv.exe
  C:\Windows\System\iusmHuv.exe
  2⤵
  PID:2468
- C:\Windows\System\yWQsRcT.exe
  C:\Windows\System\yWQsRcT.exe
  2⤵
  PID:4688
- C:\Windows\System\fnPbBZn.exe
  C:\Windows\System\fnPbBZn.exe
  2⤵
  PID:4208
- C:\Windows\System\wiMSaeG.exe
  C:\Windows\System\wiMSaeG.exe
  2⤵
  PID:2608
- C:\Windows\System\vigQmZU.exe
  C:\Windows\System\vigQmZU.exe
  2⤵
  PID:4328
- C:\Windows\System\zCDGQaz.exe
  C:\Windows\System\zCDGQaz.exe
  2⤵
  PID:3644
- C:\Windows\System\QEqNsBa.exe
  C:\Windows\System\QEqNsBa.exe
  2⤵
  PID:4764
- C:\Windows\System\vRMAlOH.exe
  C:\Windows\System\vRMAlOH.exe
  2⤵
  PID:1984
- C:\Windows\System\ShYSkSh.exe
  C:\Windows\System\ShYSkSh.exe
  2⤵
  PID:2876
- C:\Windows\System\POjcHsO.exe
  C:\Windows\System\POjcHsO.exe
  2⤵
  PID:4936
- C:\Windows\System\ibkxeEl.exe
  C:\Windows\System\ibkxeEl.exe
  2⤵
  PID:2920
- C:\Windows\System\BRhHClG.exe
  C:\Windows\System\BRhHClG.exe
  2⤵
  PID:3284
- C:\Windows\System\tbIOKAk.exe
  C:\Windows\System\tbIOKAk.exe
  2⤵
  PID:2640
- C:\Windows\System\pfrVdpe.exe
  C:\Windows\System\pfrVdpe.exe
  2⤵
  PID:3932
- C:\Windows\System\eatilkO.exe
  C:\Windows\System\eatilkO.exe
  2⤵
  PID:2948
- C:\Windows\System\qdUTRKm.exe
  C:\Windows\System\qdUTRKm.exe
  2⤵
  PID:4240
- C:\Windows\System\JVUJhms.exe
  C:\Windows\System\JVUJhms.exe
  2⤵
  PID:2164
- C:\Windows\System\DgGLQeK.exe
  C:\Windows\System\DgGLQeK.exe
  2⤵
  PID:4740
- C:\Windows\System\qqkyyXq.exe
  C:\Windows\System\qqkyyXq.exe
  2⤵
  PID:3972
- C:\Windows\System\JyJtvyw.exe
  C:\Windows\System\JyJtvyw.exe
  2⤵
  PID:664
- C:\Windows\System\ovjWlIl.exe
  C:\Windows\System\ovjWlIl.exe
  2⤵
  PID:560
- C:\Windows\System\DZhBkqE.exe
  C:\Windows\System\DZhBkqE.exe
  2⤵
  PID:796
- C:\Windows\System\diLDEFI.exe
  C:\Windows\System\diLDEFI.exe
  2⤵
  PID:3864
- C:\Windows\System\GLMqQBB.exe
  C:\Windows\System\GLMqQBB.exe
  2⤵
  PID:216
- C:\Windows\System\YSgUVHz.exe
  C:\Windows\System\YSgUVHz.exe
  2⤵
  PID:2388
- C:\Windows\System\KYvcKaJ.exe
  C:\Windows\System\KYvcKaJ.exe
  2⤵
  PID:5140
- C:\Windows\System\IHFgcTQ.exe
  C:\Windows\System\IHFgcTQ.exe
  2⤵
  PID:5168
- C:\Windows\System\LeCNpjV.exe
  C:\Windows\System\LeCNpjV.exe
  2⤵
  PID:5196
- C:\Windows\System\YbNZjIm.exe
  C:\Windows\System\YbNZjIm.exe
  2⤵
  PID:5228
- C:\Windows\System\saBrcTt.exe
  C:\Windows\System\saBrcTt.exe
  2⤵
  PID:5252
- C:\Windows\System\GvIugtp.exe
  C:\Windows\System\GvIugtp.exe
  2⤵
  PID:5296
- C:\Windows\System\pknGizf.exe
  C:\Windows\System\pknGizf.exe
  2⤵
  PID:5312
- C:\Windows\System\kXXlowt.exe
  C:\Windows\System\kXXlowt.exe
  2⤵
  PID:5340
- C:\Windows\System\NIJGuef.exe
  C:\Windows\System\NIJGuef.exe
  2⤵
  PID:5368
- C:\Windows\System\mVoHSPO.exe
  C:\Windows\System\mVoHSPO.exe
  2⤵
  PID:5396
- C:\Windows\System\nsWQTxP.exe
  C:\Windows\System\nsWQTxP.exe
  2⤵
  PID:5424
- C:\Windows\System\NNBbiXB.exe
  C:\Windows\System\NNBbiXB.exe
  2⤵
  PID:5440
- C:\Windows\System\zOfcBiY.exe
  C:\Windows\System\zOfcBiY.exe
  2⤵
  PID:5476
- C:\Windows\System\ZhbxFpa.exe
  C:\Windows\System\ZhbxFpa.exe
  2⤵
  PID:5508
- C:\Windows\System\cSJfPEd.exe
  C:\Windows\System\cSJfPEd.exe
  2⤵
  PID:5544
- C:\Windows\System\DObJOuW.exe
  C:\Windows\System\DObJOuW.exe
  2⤵
  PID:5572
- C:\Windows\System\lkHaAAr.exe
  C:\Windows\System\lkHaAAr.exe
  2⤵
  PID:5604
- C:\Windows\System\KQQneEv.exe
  C:\Windows\System\KQQneEv.exe
  2⤵
  PID:5628
- C:\Windows\System\rezYels.exe
  C:\Windows\System\rezYels.exe
  2⤵
  PID:5656
- C:\Windows\System\YIcQgqy.exe
  C:\Windows\System\YIcQgqy.exe
  2⤵
  PID:5684
- C:\Windows\System\CtKljLy.exe
  C:\Windows\System\CtKljLy.exe
  2⤵
  PID:5708
- C:\Windows\System\WgqaqPU.exe
  C:\Windows\System\WgqaqPU.exe
  2⤵
  PID:5728
- C:\Windows\System\VJOnQDR.exe
  C:\Windows\System\VJOnQDR.exe
  2⤵
  PID:5756
- C:\Windows\System\RHqtgHX.exe
  C:\Windows\System\RHqtgHX.exe
  2⤵
  PID:5788
- C:\Windows\System\VKvUVof.exe
  C:\Windows\System\VKvUVof.exe
  2⤵
  PID:5820
- C:\Windows\System\ojQNgwz.exe
  C:\Windows\System\ojQNgwz.exe
  2⤵
  PID:5844
- C:\Windows\System\kEmYlEj.exe
  C:\Windows\System\kEmYlEj.exe
  2⤵
  PID:5876
- C:\Windows\System\qdxMiYj.exe
  C:\Windows\System\qdxMiYj.exe
  2⤵
  PID:5900
- C:\Windows\System\VrGgYAe.exe
  C:\Windows\System\VrGgYAe.exe
  2⤵
  PID:5936
- C:\Windows\System\WYmFPei.exe
  C:\Windows\System\WYmFPei.exe
  2⤵
  PID:5956
- C:\Windows\System\KbwIjXR.exe
  C:\Windows\System\KbwIjXR.exe
  2⤵
  PID:5984
- C:\Windows\System\nClipOc.exe
  C:\Windows\System\nClipOc.exe
  2⤵
  PID:6016
- C:\Windows\System\eujxijS.exe
  C:\Windows\System\eujxijS.exe
  2⤵
  PID:6036
- C:\Windows\System\GkTxPjr.exe
  C:\Windows\System\GkTxPjr.exe
  2⤵
  PID:6052
- C:\Windows\System\sjMkFvP.exe
  C:\Windows\System\sjMkFvP.exe
  2⤵
  PID:6076
- C:\Windows\System\EtgfzTC.exe
  C:\Windows\System\EtgfzTC.exe
  2⤵
  PID:6104
- C:\Windows\System\hhzIqmE.exe
  C:\Windows\System\hhzIqmE.exe
  2⤵
  PID:6132
- C:\Windows\System\yQHuekh.exe
  C:\Windows\System\yQHuekh.exe
  2⤵
  PID:5152
- C:\Windows\System\wNprpFE.exe
  C:\Windows\System\wNprpFE.exe
  2⤵
  PID:5208
- C:\Windows\System\uiWVlPE.exe
  C:\Windows\System\uiWVlPE.exe
  2⤵
  PID:5360
- C:\Windows\System\ohCjuUj.exe
  C:\Windows\System\ohCjuUj.exe
  2⤵
  PID:5416
- C:\Windows\System\NnwWkMa.exe
  C:\Windows\System\NnwWkMa.exe
  2⤵
  PID:5452
- C:\Windows\System\QWPdIjt.exe
  C:\Windows\System\QWPdIjt.exe
  2⤵
  PID:5520
- C:\Windows\System\SADIfMj.exe
  C:\Windows\System\SADIfMj.exe
  2⤵
  PID:5580
- C:\Windows\System\CBqMPhn.exe
  C:\Windows\System\CBqMPhn.exe
  2⤵
  PID:5624
- C:\Windows\System\zxpnuMJ.exe
  C:\Windows\System\zxpnuMJ.exe
  2⤵
  PID:5704
- C:\Windows\System\sPtMiqp.exe
  C:\Windows\System\sPtMiqp.exe
  2⤵
  PID:5772
- C:\Windows\System\mlxqozI.exe
  C:\Windows\System\mlxqozI.exe
  2⤵
  PID:5836
- C:\Windows\System\uSycTdP.exe
  C:\Windows\System\uSycTdP.exe
  2⤵
  PID:5892
- C:\Windows\System\SFNxBin.exe
  C:\Windows\System\SFNxBin.exe
  2⤵
  PID:5944
- C:\Windows\System\ccvpYZP.exe
  C:\Windows\System\ccvpYZP.exe
  2⤵
  PID:6004
- C:\Windows\System\oTsEdej.exe
  C:\Windows\System\oTsEdej.exe
  2⤵
  PID:6092
- C:\Windows\System\KcPWpGS.exe
  C:\Windows\System\KcPWpGS.exe
  2⤵
  PID:5192
- C:\Windows\System\XKZviHu.exe
  C:\Windows\System\XKZviHu.exe
  2⤵
  PID:3828
- C:\Windows\System\kxhTZlz.exe
  C:\Windows\System\kxhTZlz.exe
  2⤵
  PID:5324
- C:\Windows\System\PHVNbea.exe
  C:\Windows\System\PHVNbea.exe
  2⤵
  PID:5412
- C:\Windows\System\lQkHUYB.exe
  C:\Windows\System\lQkHUYB.exe
  2⤵
  PID:5464
- C:\Windows\System\USCQhiA.exe
  C:\Windows\System\USCQhiA.exe
  2⤵
  PID:5680
- C:\Windows\System\ErTYFIt.exe
  C:\Windows\System\ErTYFIt.exe
  2⤵
  PID:5832
- C:\Windows\System\IzrvBmb.exe
  C:\Windows\System\IzrvBmb.exe
  2⤵
  PID:2320
- C:\Windows\System\EuynIzU.exe
  C:\Windows\System\EuynIzU.exe
  2⤵
  PID:5888
- C:\Windows\System\GmYDezo.exe
  C:\Windows\System\GmYDezo.exe
  2⤵
  PID:6000
- C:\Windows\System\LVeeMyK.exe
  C:\Windows\System\LVeeMyK.exe
  2⤵
  PID:6112
- C:\Windows\System\pbGIEBZ.exe
  C:\Windows\System\pbGIEBZ.exe
  2⤵
  PID:5380
- C:\Windows\System\skZAnUz.exe
  C:\Windows\System\skZAnUz.exe
  2⤵
  PID:5744
- C:\Windows\System\SunMXSa.exe
  C:\Windows\System\SunMXSa.exe
  2⤵
  PID:5812
- C:\Windows\System\WDYIlat.exe
  C:\Windows\System\WDYIlat.exe
  2⤵
  PID:6164
- C:\Windows\System\LklYEjD.exe
  C:\Windows\System\LklYEjD.exe
  2⤵
  PID:6192
- C:\Windows\System\qUyIHKV.exe
  C:\Windows\System\qUyIHKV.exe
  2⤵
  PID:6220
- C:\Windows\System\RrHzuFL.exe
  C:\Windows\System\RrHzuFL.exe
  2⤵
  PID:6244
- C:\Windows\System\EVRaJnP.exe
  C:\Windows\System\EVRaJnP.exe
  2⤵
  PID:6268
- C:\Windows\System\eVggcwx.exe
  C:\Windows\System\eVggcwx.exe
  2⤵
  PID:6296
- C:\Windows\System\kYoNiIu.exe
  C:\Windows\System\kYoNiIu.exe
  2⤵
  PID:6324
- C:\Windows\System\PDonZlt.exe
  C:\Windows\System\PDonZlt.exe
  2⤵
  PID:6360
- C:\Windows\System\ffFlxWj.exe
  C:\Windows\System\ffFlxWj.exe
  2⤵
  PID:6396
- C:\Windows\System\HxcArSo.exe
  C:\Windows\System\HxcArSo.exe
  2⤵
  PID:6420
- C:\Windows\System\TroxXzX.exe
  C:\Windows\System\TroxXzX.exe
  2⤵
  PID:6436
- C:\Windows\System\VSwOmtA.exe
  C:\Windows\System\VSwOmtA.exe
  2⤵
  PID:6464
- C:\Windows\System\vKZYHIb.exe
  C:\Windows\System\vKZYHIb.exe
  2⤵
  PID:6488
- C:\Windows\System\CqpQCbO.exe
  C:\Windows\System\CqpQCbO.exe
  2⤵
  PID:6520
- C:\Windows\System\zzJbYMl.exe
  C:\Windows\System\zzJbYMl.exe
  2⤵
  PID:6540
- C:\Windows\System\eCOJeLz.exe
  C:\Windows\System\eCOJeLz.exe
  2⤵
  PID:6572
- C:\Windows\System\gifhCDQ.exe
  C:\Windows\System\gifhCDQ.exe
  2⤵
  PID:6600
- C:\Windows\System\BVVxtBP.exe
  C:\Windows\System\BVVxtBP.exe
  2⤵
  PID:6620
- C:\Windows\System\EejAkZY.exe
  C:\Windows\System\EejAkZY.exe
  2⤵
  PID:6644
- C:\Windows\System\SfCMDCJ.exe
  C:\Windows\System\SfCMDCJ.exe
  2⤵
  PID:6672
- C:\Windows\System\PlzKgfz.exe
  C:\Windows\System\PlzKgfz.exe
  2⤵
  PID:6700
- C:\Windows\System\ZolKyKw.exe
  C:\Windows\System\ZolKyKw.exe
  2⤵
  PID:6716
- C:\Windows\System\YHrTXUw.exe
  C:\Windows\System\YHrTXUw.exe
  2⤵
  PID:6748
- C:\Windows\System\BxwzBSN.exe
  C:\Windows\System\BxwzBSN.exe
  2⤵
  PID:6772
- C:\Windows\System\SPLwfGU.exe
  C:\Windows\System\SPLwfGU.exe
  2⤵
  PID:6800
- C:\Windows\System\pLhLqaq.exe
  C:\Windows\System\pLhLqaq.exe
  2⤵
  PID:6828
- C:\Windows\System\zCqfQfK.exe
  C:\Windows\System\zCqfQfK.exe
  2⤵
  PID:6848
- C:\Windows\System\wVANrig.exe
  C:\Windows\System\wVANrig.exe
  2⤵
  PID:6868
- C:\Windows\System\NThcyTm.exe
  C:\Windows\System\NThcyTm.exe
  2⤵
  PID:6896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BwDRlkE.exe

Filesize
1006KB

MD5
f5b8e2375d39f4a89b49c78f774e6887

SHA1
3ee09f6eddfa945b5953ff43cc0008d63378646a

SHA256
e2e8d0d5387c65610386c1e3c8087f7736b54628e87d8d0596423fa069b3294a

SHA512
d9c0c408a62d6d4673ca3cc3faba965c8b4836ab22138ecb335f5763b334b9e5ade3332f167bbb001ff3c96030cb440f1d290f30bc653eff720b10598cf5bef8

Download Submit
C:\Windows\System\DPDCpcH.exe

Filesize
1005KB

MD5
ee141c209f5e351790ea55da99292be8

SHA1
54e743dd8aabe380db7fabe644cbd7682e4ca3c7

SHA256
4368c024674596cf86ec0584b9c775e9d999cde4e1d703b91e05b6c9aab02df7

SHA512
e56b5bfe03be8adbb0513a61a89d7fe517a6e2ce15ed5c07b75a94db7513c4964bb1871872bc513ce36274aedee437cb10bd22446323c50401e26fdcefc8b0e9

Download Submit
C:\Windows\System\GSWcSNK.exe

Filesize
1004KB

MD5
11cd62741c0a08f86d3f0c464362bf18

SHA1
076abf175d11b954b16d75263988e1521de33dfc

SHA256
9b5c4226cc33b9e231a96eb1d53d31663c64d16da3c244053b003fbc41caca62

SHA512
189f9d2e558049ec81b4e331031efb86377db5219ee97aca6dc44bc6e7888ef0454e95cd01b3ed48415518efa559b7dcab1db8fef1104b1274f457745b203d59

Download Submit
C:\Windows\System\HKEUHSB.exe

Filesize
1008KB

MD5
2105b33787a859b78f67154e38b54a9c

SHA1
c960c472ff31841e0e777c2136a95cd64f298791

SHA256
8a8fd29b781f90ec8c28ad1ae7f31ee5ff626dd9753a8a9c4e26e491cd2db659

SHA512
543b8d171beb9926b8fe977e26bba8eef8296cd6000b93882c087ac014d713de82d1f48d29db5bf88a667325543bca737a1e8668b3093800246dcb6915bf0f0c

Download Submit
C:\Windows\System\HWcToDd.exe

Filesize
1002KB

MD5
6221db175241c5318d3bee1b3fb3c86e

SHA1
0b1365ecec8bac3920c260e3f3b7ee9e7d0c7248

SHA256
5c0c573322cee7333ccd65cdc104e1aacbf47c665846064afae9a52572e86ac4

SHA512
1fa95abbca87dd5e8b21f0842052c9a26eb8734c7581ea5a3ca86e26984693a4525d42f071561e740daecba0a8a6b78bb98234405fef90fa3cd6140e2302290f

Download Submit
C:\Windows\System\IwQoXcM.exe

Filesize
1004KB

MD5
a7cb93ba71ce5b8fa2dd5ab1f0f3a1e0

SHA1
a8ea296eda468f6feb72a0394b1873f69b679fe9

SHA256
0eb707311239b4ff359405c6bc53eb7489d048f8116836e16f960db1ac0eb8a7

SHA512
9d2f9065de9bc6109f38df1b883f8fe66ab6cf802e59f2f263148be5bfb0866114a4047971261f20bb79a1f8a768676e99d9fc6757af93dc03c2de81db350b09

Download Submit
C:\Windows\System\KIVjrYg.exe

Filesize
1005KB

MD5
9c46237b11ace2438a1a2cd30b5f2595

SHA1
a8b08933d4073b68734b0e152d2a515fbc0b8560

SHA256
0b359eff9a90ce72a36db2c7e96fc011d58c124273c7fb3a052b81430623b64d

SHA512
39e357c6939fd93ab6fd04f7b123d9711987aceeb65e86d01ce5c3feaea21ac3c05ba32b144bb805334afdb79c8d156070ddf13835d626bd2f6adb2c892cb5d7

Download Submit
C:\Windows\System\KWHrdNS.exe

Filesize
1006KB

MD5
30009003967f532685c4923e40fb1d2e

SHA1
8c6a515836f67e55e67228d4c6d4ddf7f92c4751

SHA256
a6b1ad37e4d0d90653af6dd38b92a2200bd817227a5027a20946ebee79307f66

SHA512
7f4a00ce2571f9e536d92dd6a1f75df275b1912c7816a531d105fb41a0629180b9bfffecb520576c3ec540fb1ed540923e88165a3b0f088309520295a28e8f32

Download Submit
C:\Windows\System\KszGYhW.exe

Filesize
1003KB

MD5
7c1fc30602cb21ae6ee773fc95cc92ca

SHA1
11c7e1a1041c1e089ec5976e3ef6fbddb36e2be6

SHA256
315b1801a7d3f988d1a654b2d83c30e6ee73dc18708848fc1f6f13c97f4c80b3

SHA512
08e15cb0962c05c3cbc13d24835e8811028e43cce884a4f608406b4cce032761ea286178057458431666e960e388f8dd95a77566c4345fd9fc780318ffa7659d

Download Submit
C:\Windows\System\LJxqfnS.exe

Filesize
1007KB

MD5
1d3bd687756c51de80ad54d010f96c90

SHA1
7346d9dec27a893fe82ee6a2a7e212796281161d

SHA256
e534522ba5ef4004313fada70ec439e40441de291add7fff4489664f7ef73242

SHA512
c1391c3d255cfa52165756f4791f70225ca8d7b44b57f767b00f71ba1db16f7de78933305de5fa7224861aba2d0d8019ddc94aabf6599945636270a55976621a

Download Submit
C:\Windows\System\MbPNSVe.exe

Filesize
1003KB

MD5
b6736f9911e22245399f88b06b61becc

SHA1
407495ecaa8cf2ca8f794cd743a3d82f84a88c0b

SHA256
6e7e39fb44720fc3e6cb0aa45d54d5a5b87bec02dce38c8819271c6fd647afe4

SHA512
4273173f5ff990e4eb77126741d0a7851e439636083899d64ff6d9c77447f95e24b4828f7ba15317c1be6b45ca66f83059b37c4927897f11d3bef577cac4563e

Download Submit
C:\Windows\System\NFbwktQ.exe

Filesize
1002KB

MD5
07b9feb931199c27a1ef04be5f2c7bd4

SHA1
3a1e756f00338bfb4e60447f3b9aa1221dc190b6

SHA256
45dcf31e45aa058bdee965fa9c9dab07bd2494866a4cbfecec536b72f553f409

SHA512
2a07e77add3dfbc83c4ecf8eda14e7e1b98fca859465f950e2e7e8ab8a4be781461302c4aa608cdf902abcc5429d81ee7abdfea2c3a2adf0b2e48ac3bf2866f9

Download Submit
C:\Windows\System\QXPWDEN.exe

Filesize
1002KB

MD5
44da07e8c195ae600593f9453fc16bd1

SHA1
96dd6f21c35215d6234a43635f1fcde320851151

SHA256
07bbc5f31cf463731567b6d55e41fc52f4d373bf41cfe9cf2279587b9d2a03d0

SHA512
5d19641e125e70a9d1626ed26e02c22b7b0b46c8cd754f1d903d998618e167733b9388073ead413181ad6b5aa733de318aea8dc2fae7173e84314519bcf033e0

Download Submit
C:\Windows\System\QZBcEeh.exe

Filesize
1009KB

MD5
a762c440a94f80ed369db286a53996e0

SHA1
7b00cbd517c6f8d1a2839a901bf9e5dff460fa1c

SHA256
3da053d9000006779214794f37aaa04f468b8fcaab57e4e504ae19cf4420a095

SHA512
9a36fa4dab80dc09dd5be884adb3d806a299ab3cf84c8ef9ca6c7ccea7fa9ab9e17a2e88c6893fde7fbeeed2a773c4333466642f02e36205b1868b81b7feadd2

Download Submit
C:\Windows\System\QbTlvMb.exe

Filesize
1006KB

MD5
186b9c85568242cb6a79888afbb55758

SHA1
b0f11b3ee7496d916436b9dd443fade27a55a5fc

SHA256
a15e626fd1d830a7caccbb6ec2cf0cb91e86ae6d7861b0ab8e15999efb0347a7

SHA512
69e50ffaea7d62e6a648169bdfa26d205c6498c47d3e18512545b77c5f846b091d2f4f5c9004b84a8dedfd9a3ba18b16176de5dabb9ce2cb7ff400157c618f84

Download Submit
C:\Windows\System\TNODkyh.exe

Filesize
1005KB

MD5
8fbfc584eb7f1e8ff303956e46981c60

SHA1
5c0c45e7aee43814107c4b58bd51e108af04fb00

SHA256
616e4fc7daa70e6b4bdbeb8bb6024d6e24757f3dc47f476e1d32a7eace668886

SHA512
930799bc5734f1d36d582292267535e216e3df0a055646ac2935da66b88414810e74467bafa14d8916745c0c9404aa0d3ca6cfa5ff7f00979f271d079c9f7d21

Download Submit
C:\Windows\System\XwFTAnI.exe

Filesize
1003KB

MD5
33aa7ab08558de41f24df79578a303c3

SHA1
cabbec57f06671b6b0f80ad84da225829c690705

SHA256
1c5c8daadad6286c3447d2b7d818e45647539c4be45f7c4ab6659a54bd32df83

SHA512
8c94a6d65c6fd3bbe766f755c2ceef80493fd74d740fa75b8248595afad3230028759d87d911d573a48abe450822bf901123e128bbb268f5331f46c45a753f8f

Download Submit
C:\Windows\System\eUPzrHr.exe

Filesize
1007KB

MD5
b5139f6df0a51573cd8da3db983f1b35

SHA1
f29c2769fe7d840fee7f4acada5314a81a2f329c

SHA256
29ed46786ab9edc43ff8cec216255f25ab6afb7435d6df66d4217a367e141651

SHA512
1a482900868d29ea6a783bfa530e55eff6b8f84843e483a9ae98fe95755865cb18502cd2db1c07c72a10bb982bb8628eb9d51c79c09e373d69b41c367a1aa33f

Download Submit
C:\Windows\System\elHWZRD.exe

Filesize
1007KB

MD5
97d7e0b34556d6098b12abdf5fd20584

SHA1
9a78e1645ed6e025f3bc4bfb7401977a53ef5015

SHA256
91c12e42700d240561e03d3e5af281bfd918e353329e1fb22665bd3bb5e30af4

SHA512
a514461ed1ce1472de3eb09a4914426df668fdc3c6551e8bd4f580673c29142a3834be7276d5dfe07fe5a502d6f27081530c4627179d6fa3c2a6b45ac712d31c

Download Submit
C:\Windows\System\evHELFv.exe

Filesize
1005KB

MD5
f00d93b8e6ac49a9f432176cf139cb8a

SHA1
aafb725f0983d5372b7d5fb754830fd57ee15fea

SHA256
8881ce6600a667f36919cd0b3539c9ff08771ee23cc4d9ed5bf2cee26db1450d

SHA512
c0d0231315da1ebd0bf514945e0b56f40c24da9e9688c30a70d40fa27a87283cd03615193a8409ab5aedc53cf4ac42d31408fb96e30aa18c0c8f354eba80f482

Download Submit
C:\Windows\System\fZjqLOn.exe

Filesize
1008KB

MD5
0b0cfda71df94e615b05187262e0104d

SHA1
60ba3ee06a8393d95d80dd70444a52c7cb8df304

SHA256
28fd6f1f8ff0c4c8859df6b2f0f01a93e681aefaa88c77f194da96a597c5d43f

SHA512
bb4c0012c8325ad9769832e53305b70c1eb8014de6e1b336badfe502ef9ebdc8bffeb2982822663c3d5ace348147680d040879f35e41c6d385a67d76aac47b36

Download Submit
C:\Windows\System\gGsNiFD.exe

Filesize
1010KB

MD5
cba6819b9f5429ad9111649255fe7274

SHA1
287f37319b718e60823de419514bc27d20b05a22

SHA256
44217146f02575ca40139da66ca2d450f43d1309eee71b2b7cc8e27ecb5d38a9

SHA512
e1b0da87ddc077cccd7011ec985543aa365a17c1b103e2530061323c0aa7f433297aff3524db760f5f15866d9dace980e996ee8a8ce4aba828e6427d42578108

Download Submit
C:\Windows\System\gwbXrUG.exe

Filesize
1004KB

MD5
7f49049ac398a2fd007acfc046034c1e

SHA1
c8e4d2a10759c36c9972cec0acbee910b8c788a2

SHA256
f4f605274219704408c45b84c8d08e415fe0ddd3aeac44770cab145679770713

SHA512
1fa6d915e23d725527cecdda5d7f5f344c373effa8759a865b79ec36fa16d0d7a30d926875f3e7820c52dc2f71a35cc662e4a69b6dbfbad005fa268a26ecbacd

Download Submit
C:\Windows\System\hjSWipn.exe

Filesize
1006KB

MD5
0fa9faa065e41b2cf5985ff7e4220872

SHA1
06f4d92101f7d476774397eb10cb317db87ef0dc

SHA256
fc2ede8cf64af6dd0e080ced416707514253b52ee6712fd8a23a13e1ed60c9c7

SHA512
3ea73be94a59e20ca9b332daddd1d4a73b789747c8bb8e3bf2bf69827747f02b58b03d3090733309ad3409ee2841bbf62ec8fb8420aed968da5f3622754bf765

Download Submit
C:\Windows\System\jRafafn.exe

Filesize
1004KB

MD5
5cb2f68b5ccff7781ee3c6947d0eb99a

SHA1
649b4b8401dfa14b6b72cdbb4167a2ed118a75aa

SHA256
00ce12d086f87b419b3f3f5a0aaa0011d2c772ca3278689b014c7bf4fb551a4a

SHA512
d637f1a42a5b9a94de6adc92fba82e9e583601f5305ab018dbcc508dbc0d00e06f77cfb8c501944e6441118da02ba5b38c644abbc7d16defa6fc45c47c07746d

Download Submit
C:\Windows\System\kKxZJMp.exe

Filesize
1009KB

MD5
2e0f5e37245595ee832b9873fa8bee76

SHA1
9d52494ed0465e0fe365df8083ad5cbb8fdfdcef

SHA256
fe9ea87362e3d744c44db001934ff0281308b5d915a81a28f98ead38e70938d2

SHA512
2be2532d12bd059fed2ad1e52d5da469619dda68df7401f4f0f25f9abdea8c882c6c4a96632d52d2a7d3870fb4bde7eedd20b9b84776669aa61d987f3b44024f

Download Submit
C:\Windows\System\opnewol.exe

Filesize
1009KB

MD5
9a309a7e6cb84a888373181edebfec85

SHA1
e2ef1e84f7748627afeb539d7fc91dd0d3ffca6f

SHA256
9cfa968ba3f474a07c36a9c307c29eba04f0c72eec7a4119e0b58fc23d261b0e

SHA512
ed722d0b1a6c812c254620c191469841422726e9e07625f75af0d58f2cdc3c3bffc8329ffdf72992bb07a2c1145c331ba2ec8db09e91b1d03472734f3826fc22

Download Submit
C:\Windows\System\sItXcsJ.exe

Filesize
1008KB

MD5
e35f623e47683fdf3e672d169e2a56de

SHA1
6922b033ae5bdf3fdeaa4118d66c53d4b05fb5d0

SHA256
ddd5231f54f5e21d43954f8ca807d48b7647f840ccf62303a0cf56a3d6488503

SHA512
2ec60ad3570254bab92d5fe8bbd95232edf23eec45bf4a0ad21e2d9e599a0c012e64d6762861f2fbce0e5a5b792cedf6d2e00284f176dca82b5ff96c950926fc

Download Submit
C:\Windows\System\swAYQBi.exe

Filesize
1009KB

MD5
217327e4e209989daa7414fcbe0f99c8

SHA1
df4e1394278307b0deefc5df161ca612b6024934

SHA256
492ccb569f01646d7b2914d56201e714681a23f0cc156fb597f504d2c47fcd83

SHA512
9d4fe91852e334b89755551c6142bd34895ec70e54ec631d305de2bae981f337b517a3e43b99377241df1eb4e7789c9ad681d094334d17f951c72d9a2808c123

Download Submit
C:\Windows\System\tYXRyfk.exe

Filesize
1003KB

MD5
9ced4ca1c9a849c2bda30386fd329bb0

SHA1
4ec5cf61e00e48965b243a9e7ead9dd11fe0e6d8

SHA256
71a33e30a9e4309a36f3b417082434c7b820cff6e579f87391418173774163f2

SHA512
3035654df6bbe469ab9ea840150d9cc753972c0268fc037753ca1e5f028358c04ec98a65e4a1b6f37e0f418868fb752a6a2b621a98fa40ec55afbf3e67958f18

Download Submit
C:\Windows\System\ycwTtLi.exe

Filesize
1008KB

MD5
c52e49a200f5da0d11cf3f30448e9247

SHA1
2e6e910e47e1d5bcacd059259dc9de01eba4b667

SHA256
97a0c0e752abb5234b4c33b82f11464f3363d82ffe35f6f0b50e7a3f55b2a300

SHA512
7c66f4574c9eaf40623e76f3487184e72d67807600c90c71b407cd989b425e593ac73d7274563d06f696b981fac2429d86891d0e3832641f975ff800a340f4cd

Download Submit
C:\Windows\System\ymrYBbM.exe

Filesize
1007KB

MD5
5f7faaca2fef2f550e082fee2b495912

SHA1
b36c51243ac9d0b63261d31b74b8e9719147ea00

SHA256
75e5cd6c71cd3760d06ad4f83dde68b1438d98c5ef6ee8e117a2286e16656fbd

SHA512
2e79b3464765a5f6fdb309e71eb8c787e463dd3678fc3d94adc64620374a19390b9cef4b9513d68a8ddd0ae3df386aa596d7280fb11f5babbdfd436dbc03cd7c

Download Submit
C:\Windows\System\zUKbGHV.exe

Filesize
1002KB

MD5
5299fa616eb774e5ebec4c3b139412f6

SHA1
e085b29a5b46e06920345234e8338f7fac60768e

SHA256
4763d43922056f333c0044ec8351aa86932b9ef0be219e3fd2e77e554ad16d39

SHA512
5f20d7dda667393ab1549a76b7e164150844ae92ee648cd78262775f62f9d2e840bafd176312178ec294e1933c03a000f6744d6c3fe20778578e0b7e4dfdd050

Download Submit
memory/948-0-0x0000020DE87B0000-0x0000020DE87C0000-memory.dmp

Filesize
64KB

Download