xmrig | cbd322506aa0d2cca84dbd0846e6c236d2a6ba779f0fb5a565a82b533d7b7b0f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
Size

2.1MB
MD5

8c48d2e894c0023a55b223edcf8baf30
SHA1

d149e11b84a54aef77b711aeed6d0cbee06407ee
SHA256

cbd322506aa0d2cca84dbd0846e6c236d2a6ba779f0fb5a565a82b533d7b7b0f
SHA512

1abef46efc1f6af8a242abf6ae2004e11641cf18c4d9f683ff487ab86fc69672a17b71ad885a3fa0548d82237a7a820fb9bec7a84c5d8719bb92861612072eab
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wICbdKuAcem1DbvJ1:BemTLkNdfE0pZr4

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2020-0-0x00007FF7E02B0000-0x00007FF7E0604000-memory.dmp	xmrig
behavioral2/files/0x0008000000022df5-6.dat	xmrig
behavioral2/files/0x0008000000022df5-5.dat	xmrig
behavioral2/memory/4592-8-0x00007FF6B3E70000-0x00007FF6B41C4000-memory.dmp	xmrig
behavioral2/files/0x0008000000022df8-11.dat	xmrig
behavioral2/files/0x0008000000022df8-15.dat	xmrig
behavioral2/files/0x0006000000022e13-21.dat	xmrig
behavioral2/files/0x0006000000022e13-25.dat	xmrig
behavioral2/memory/3152-31-0x00007FF7BBBA0000-0x00007FF7BBEF4000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e14-36.dat	xmrig
behavioral2/files/0x0006000000022e16-37.dat	xmrig
behavioral2/files/0x0006000000022e18-46.dat	xmrig
behavioral2/memory/4128-48-0x00007FF699810000-0x00007FF699B64000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e17-60.dat	xmrig
behavioral2/memory/5032-59-0x00007FF6718B0000-0x00007FF671C04000-memory.dmp	xmrig
behavioral2/memory/4152-67-0x00007FF6D0A20000-0x00007FF6D0D74000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e1a-68.dat	xmrig
behavioral2/files/0x0008000000022dfb-73.dat	xmrig
behavioral2/files/0x0006000000022e1e-78.dat	xmrig
behavioral2/files/0x0006000000022e1f-87.dat	xmrig
behavioral2/files/0x0006000000022e20-90.dat	xmrig
behavioral2/files/0x0006000000022e21-96.dat	xmrig
behavioral2/files/0x0006000000022e20-100.dat	xmrig
behavioral2/memory/2720-102-0x00007FF615660000-0x00007FF6159B4000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e22-104.dat	xmrig
behavioral2/memory/3180-103-0x00007FF7919A0000-0x00007FF791CF4000-memory.dmp	xmrig
behavioral2/memory/1368-106-0x00007FF61A4D0000-0x00007FF61A824000-memory.dmp	xmrig
behavioral2/memory/2872-108-0x00007FF6CE600000-0x00007FF6CE954000-memory.dmp	xmrig
behavioral2/memory/1356-107-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e22-99.dat	xmrig
behavioral2/memory/3228-94-0x00007FF6D7B80000-0x00007FF6D7ED4000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e1f-93.dat	xmrig
behavioral2/memory/1668-86-0x00007FF66A1C0000-0x00007FF66A514000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e1e-82.dat	xmrig
behavioral2/memory/1060-81-0x00007FF75CE00000-0x00007FF75D154000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e21-109.dat	xmrig
behavioral2/files/0x0006000000022e1c-79.dat	xmrig
behavioral2/memory/4776-75-0x00007FF6D02B0000-0x00007FF6D0604000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e1c-72.dat	xmrig
behavioral2/files/0x0008000000022dfb-66.dat	xmrig
behavioral2/files/0x00040000000222d5-64.dat	xmrig
behavioral2/files/0x00040000000222d5-58.dat	xmrig
behavioral2/files/0x0006000000022e1a-57.dat	xmrig
behavioral2/memory/4396-56-0x00007FF7B44A0000-0x00007FF7B47F4000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e18-49.dat	xmrig
behavioral2/files/0x0006000000022e17-45.dat	xmrig
behavioral2/files/0x0006000000022e15-47.dat	xmrig
behavioral2/memory/1076-44-0x00007FF676040000-0x00007FF676394000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e16-35.dat	xmrig
behavioral2/files/0x0006000000022e15-32.dat	xmrig
behavioral2/files/0x0006000000022e14-30.dat	xmrig
behavioral2/memory/1092-23-0x00007FF74BEE0000-0x00007FF74C234000-memory.dmp	xmrig
behavioral2/memory/4060-20-0x00007FF666A50000-0x00007FF666DA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000022e09-19.dat	xmrig
behavioral2/files/0x0007000000022e09-14.dat	xmrig
behavioral2/files/0x0006000000022e23-119.dat	xmrig
behavioral2/files/0x0006000000022e26-127.dat	xmrig
behavioral2/files/0x0006000000022e27-133.dat	xmrig
behavioral2/memory/2348-136-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e28-140.dat	xmrig
behavioral2/memory/808-152-0x00007FF7623E0000-0x00007FF762734000-memory.dmp	xmrig
behavioral2/memory/1012-157-0x00007FF6CBF70000-0x00007FF6CC2C4000-memory.dmp	xmrig
behavioral2/files/0x0006000000022e2f-161.dat	xmrig
behavioral2/files/0x0006000000022e2d-175.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4592	DmGDYbG.exe
4060	POMoVfB.exe
3152	pPNXegy.exe
1092	LKUfyLx.exe
4152	lKvkbEs.exe
1076	UWZGhAL.exe
4776	KsMcLvJ.exe
4128	cogssfX.exe
4396	ivpYsEa.exe
1060	YSrAZaa.exe
5032	SAWPYpI.exe
3228	OnUCMWJ.exe
2720	XjGMTKO.exe
1668	NdvBPEf.exe
3180	aqjHlov.exe
1356	gzAXgtB.exe
1368	eUCcreN.exe
2872	fiKcDKI.exe
2428	WUkwFcG.exe
3308	SFuqMFq.exe
2348	QRbefPv.exe
808	GfwBbns.exe
3536	GGZeUEq.exe
1012	OEapXKO.exe
216	ATdENPS.exe
4004	ygspgMo.exe
2532	eOfpEoj.exe
3084	gyzHtWa.exe
3548	oFYZjet.exe
2988	DYWaVpd.exe
1036	oWJzDsO.exe
4616	SaNWgzP.exe
1928	WhoydTI.exe
4908	hkNvFBQ.exe
4356	RrsXXjq.exe
2520	lqmJYoi.exe
3076	NEBDdjR.exe
1760	nFrQftK.exe
3764	BXsyINP.exe
492	QaSfSFe.exe
2812	wyTgyhB.exe
3776	cxIXQmt.exe
5016	xLPBfox.exe
2844	nRXwEaM.exe
2524	UABpVsT.exe
4500	TzXKwqC.exe
4132	meHZbQn.exe
5080	quysTgD.exe
3364	pmkReJO.exe
4384	MGdWfnM.exe
1784	ZNOVDVZ.exe
5024	XfgPWzH.exe
4076	EDRpQgK.exe
2264	JMEmvRt.exe
4016	qCTSTIq.exe
3524	KDcDLJY.exe
3000	WHdvzRL.exe
3528	iyJoVUH.exe
2052	mkHsdwl.exe
4496	IlDLuXT.exe
4364	AMymtpE.exe
3472	IBOnxCM.exe
2116	tHsvWIw.exe
4484	nnviEFI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2020-0-0x00007FF7E02B0000-0x00007FF7E0604000-memory.dmp	upx
behavioral2/files/0x0008000000022df5-6.dat	upx
behavioral2/files/0x0008000000022df5-5.dat	upx
behavioral2/memory/4592-8-0x00007FF6B3E70000-0x00007FF6B41C4000-memory.dmp	upx
behavioral2/files/0x0008000000022df8-11.dat	upx
behavioral2/files/0x0008000000022df8-15.dat	upx
behavioral2/files/0x0006000000022e13-21.dat	upx
behavioral2/files/0x0006000000022e13-25.dat	upx
behavioral2/memory/3152-31-0x00007FF7BBBA0000-0x00007FF7BBEF4000-memory.dmp	upx
behavioral2/files/0x0006000000022e14-36.dat	upx
behavioral2/files/0x0006000000022e16-37.dat	upx
behavioral2/files/0x0006000000022e18-46.dat	upx
behavioral2/memory/4128-48-0x00007FF699810000-0x00007FF699B64000-memory.dmp	upx
behavioral2/files/0x0006000000022e17-60.dat	upx
behavioral2/memory/5032-59-0x00007FF6718B0000-0x00007FF671C04000-memory.dmp	upx
behavioral2/memory/4152-67-0x00007FF6D0A20000-0x00007FF6D0D74000-memory.dmp	upx
behavioral2/files/0x0006000000022e1a-68.dat	upx
behavioral2/files/0x0008000000022dfb-73.dat	upx
behavioral2/files/0x0006000000022e1e-78.dat	upx
behavioral2/files/0x0006000000022e1f-87.dat	upx
behavioral2/files/0x0006000000022e20-90.dat	upx
behavioral2/files/0x0006000000022e21-96.dat	upx
behavioral2/files/0x0006000000022e20-100.dat	upx
behavioral2/memory/2720-102-0x00007FF615660000-0x00007FF6159B4000-memory.dmp	upx
behavioral2/files/0x0006000000022e22-104.dat	upx
behavioral2/memory/3180-103-0x00007FF7919A0000-0x00007FF791CF4000-memory.dmp	upx
behavioral2/memory/1368-106-0x00007FF61A4D0000-0x00007FF61A824000-memory.dmp	upx
behavioral2/memory/2872-108-0x00007FF6CE600000-0x00007FF6CE954000-memory.dmp	upx
behavioral2/memory/1356-107-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp	upx
behavioral2/files/0x0006000000022e22-99.dat	upx
behavioral2/memory/3228-94-0x00007FF6D7B80000-0x00007FF6D7ED4000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-93.dat	upx
behavioral2/memory/1668-86-0x00007FF66A1C0000-0x00007FF66A514000-memory.dmp	upx
behavioral2/files/0x0006000000022e1e-82.dat	upx
behavioral2/memory/1060-81-0x00007FF75CE00000-0x00007FF75D154000-memory.dmp	upx
behavioral2/files/0x0006000000022e21-109.dat	upx
behavioral2/files/0x0006000000022e1c-79.dat	upx
behavioral2/memory/4776-75-0x00007FF6D02B0000-0x00007FF6D0604000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-72.dat	upx
behavioral2/files/0x0008000000022dfb-66.dat	upx
behavioral2/files/0x00040000000222d5-64.dat	upx
behavioral2/files/0x00040000000222d5-58.dat	upx
behavioral2/files/0x0006000000022e1a-57.dat	upx
behavioral2/memory/4396-56-0x00007FF7B44A0000-0x00007FF7B47F4000-memory.dmp	upx
behavioral2/files/0x0006000000022e18-49.dat	upx
behavioral2/files/0x0006000000022e17-45.dat	upx
behavioral2/files/0x0006000000022e15-47.dat	upx
behavioral2/memory/1076-44-0x00007FF676040000-0x00007FF676394000-memory.dmp	upx
behavioral2/files/0x0006000000022e16-35.dat	upx
behavioral2/files/0x0006000000022e15-32.dat	upx
behavioral2/files/0x0006000000022e14-30.dat	upx
behavioral2/memory/1092-23-0x00007FF74BEE0000-0x00007FF74C234000-memory.dmp	upx
behavioral2/memory/4060-20-0x00007FF666A50000-0x00007FF666DA4000-memory.dmp	upx
behavioral2/files/0x0007000000022e09-19.dat	upx
behavioral2/files/0x0007000000022e09-14.dat	upx
behavioral2/files/0x0006000000022e23-119.dat	upx
behavioral2/files/0x0006000000022e26-127.dat	upx
behavioral2/files/0x0006000000022e27-133.dat	upx
behavioral2/memory/2348-136-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp	upx
behavioral2/files/0x0006000000022e28-140.dat	upx
behavioral2/memory/808-152-0x00007FF7623E0000-0x00007FF762734000-memory.dmp	upx
behavioral2/memory/1012-157-0x00007FF6CBF70000-0x00007FF6CC2C4000-memory.dmp	upx
behavioral2/files/0x0006000000022e2f-161.dat	upx
behavioral2/files/0x0006000000022e2d-175.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\eBatJAL.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ITmPBTM.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ZIYVNeQ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\CViCJnQ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\FETriMp.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\tJHPLhy.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\SinMpvk.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ExpyuQb.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\iYAUahT.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\uZiAMdp.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\UVhGceZ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\SZijEsW.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\WHdvzRL.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\AMymtpE.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\RGjdOJv.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\quysTgD.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\wopjolz.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\EAyTBqY.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\TtpnUDd.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ldsFzTy.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\SaNWgzP.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\oPPHNnq.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\zhtEjpz.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\skJUqIb.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\FHaGCGt.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ZKHKhKU.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\VUqzjZD.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\JwNctoJ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\NooLQXD.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\UWZGhAL.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\wurDkYE.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\vJHzbnW.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\GsTILrX.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\FsaSdZn.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\htkECKX.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\YgiCTMi.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ukVDliA.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\OUUvMJr.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\ynJlYrB.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\RYMuFxr.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\NAfQHzg.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\alAHPah.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\zQALaud.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\CMKSIwT.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\bTaqhhJ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\hkNvFBQ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\nIEQAHx.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\BCbbres.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\YSrAZaa.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\QOpnlRO.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\xhKcXpV.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\TFpAFdc.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\KYNbPpG.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\jUGDYPp.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\wigWYSU.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\aYGPqtz.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\yaXkIcN.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\CmcXSaG.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\gWywWau.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\LNQVTyz.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\lqmJYoi.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\OSWyTfQ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\yXwcGkJ.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
File created	C:\Windows\System\fiKcDKI.exe	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	9952	dwm.exe
Token: SeChangeNotifyPrivilege	9952	dwm.exe
Token: 33	9952	dwm.exe
Token: SeIncBasePriorityPrivilege	9952	dwm.exe
Token: SeShutdownPrivilege	9952	dwm.exe
Token: SeCreatePagefilePrivilege	9952	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4592	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	88
PID 2020 wrote to memory of 4592	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	88
PID 2020 wrote to memory of 4060	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	89
PID 2020 wrote to memory of 4060	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	89
PID 2020 wrote to memory of 3152	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	494
PID 2020 wrote to memory of 3152	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	494
PID 2020 wrote to memory of 1092	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	90
PID 2020 wrote to memory of 1092	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	90
PID 2020 wrote to memory of 4152	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	91
PID 2020 wrote to memory of 4152	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	91
PID 2020 wrote to memory of 1076	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	92
PID 2020 wrote to memory of 1076	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	92
PID 2020 wrote to memory of 4776	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	93
PID 2020 wrote to memory of 4776	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	93
PID 2020 wrote to memory of 4128	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	105
PID 2020 wrote to memory of 4128	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	105
PID 2020 wrote to memory of 4396	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	104
PID 2020 wrote to memory of 4396	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	104
PID 2020 wrote to memory of 1060	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	103
PID 2020 wrote to memory of 1060	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	103
PID 2020 wrote to memory of 5032	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	102
PID 2020 wrote to memory of 5032	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	102
PID 2020 wrote to memory of 3228	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	94
PID 2020 wrote to memory of 3228	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	94
PID 2020 wrote to memory of 2720	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	95
PID 2020 wrote to memory of 2720	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	95
PID 2020 wrote to memory of 1668	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	101
PID 2020 wrote to memory of 1668	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	101
PID 2020 wrote to memory of 3180	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	100
PID 2020 wrote to memory of 3180	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	100
PID 2020 wrote to memory of 1356	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	96
PID 2020 wrote to memory of 1356	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	96
PID 2020 wrote to memory of 1368	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	97
PID 2020 wrote to memory of 1368	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	97
PID 2020 wrote to memory of 2872	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	99
PID 2020 wrote to memory of 2872	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	99
PID 2020 wrote to memory of 2428	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	98
PID 2020 wrote to memory of 2428	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	98
PID 2020 wrote to memory of 3308	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	493
PID 2020 wrote to memory of 3308	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	493
PID 2020 wrote to memory of 808	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	106
PID 2020 wrote to memory of 808	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	106
PID 2020 wrote to memory of 2348	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	107
PID 2020 wrote to memory of 2348	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	107
PID 2020 wrote to memory of 3536	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	492
PID 2020 wrote to memory of 3536	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	492
PID 2020 wrote to memory of 1012	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	108
PID 2020 wrote to memory of 1012	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	108
PID 2020 wrote to memory of 216	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	491
PID 2020 wrote to memory of 216	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	491
PID 2020 wrote to memory of 2532	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	490
PID 2020 wrote to memory of 2532	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	490
PID 2020 wrote to memory of 4004	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	489
PID 2020 wrote to memory of 4004	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	489
PID 2020 wrote to memory of 3084	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	488
PID 2020 wrote to memory of 3084	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	488
PID 2020 wrote to memory of 3548	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	487
PID 2020 wrote to memory of 3548	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	487
PID 2020 wrote to memory of 2988	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	486
PID 2020 wrote to memory of 2988	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	486
PID 2020 wrote to memory of 1036	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	485
PID 2020 wrote to memory of 1036	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	485
PID 2020 wrote to memory of 4616	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	483
PID 2020 wrote to memory of 4616	2020	NEAS.8c48d2e894c0023a55b223edcf8baf30.exe	483

C:\Users\Admin\AppData\Local\Temp\NEAS.8c48d2e894c0023a55b223edcf8baf30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8c48d2e894c0023a55b223edcf8baf30.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System\DmGDYbG.exe
  C:\Windows\System\DmGDYbG.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\POMoVfB.exe
  C:\Windows\System\POMoVfB.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\LKUfyLx.exe
  C:\Windows\System\LKUfyLx.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\lKvkbEs.exe
  C:\Windows\System\lKvkbEs.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\UWZGhAL.exe
  C:\Windows\System\UWZGhAL.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\KsMcLvJ.exe
  C:\Windows\System\KsMcLvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\OnUCMWJ.exe
  C:\Windows\System\OnUCMWJ.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\XjGMTKO.exe
  C:\Windows\System\XjGMTKO.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\gzAXgtB.exe
  C:\Windows\System\gzAXgtB.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\eUCcreN.exe
  C:\Windows\System\eUCcreN.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\WUkwFcG.exe
  C:\Windows\System\WUkwFcG.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\fiKcDKI.exe
  C:\Windows\System\fiKcDKI.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\aqjHlov.exe
  C:\Windows\System\aqjHlov.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\NdvBPEf.exe
  C:\Windows\System\NdvBPEf.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\SAWPYpI.exe
  C:\Windows\System\SAWPYpI.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\YSrAZaa.exe
  C:\Windows\System\YSrAZaa.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\ivpYsEa.exe
  C:\Windows\System\ivpYsEa.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\cogssfX.exe
  C:\Windows\System\cogssfX.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\GfwBbns.exe
  C:\Windows\System\GfwBbns.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\QRbefPv.exe
  C:\Windows\System\QRbefPv.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\OEapXKO.exe
  C:\Windows\System\OEapXKO.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\RrsXXjq.exe
  C:\Windows\System\RrsXXjq.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\NEBDdjR.exe
  C:\Windows\System\NEBDdjR.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\QaSfSFe.exe
  C:\Windows\System\QaSfSFe.exe
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\System\BXsyINP.exe
  C:\Windows\System\BXsyINP.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\wyTgyhB.exe
  C:\Windows\System\wyTgyhB.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\cxIXQmt.exe
  C:\Windows\System\cxIXQmt.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\xLPBfox.exe
  C:\Windows\System\xLPBfox.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\TzXKwqC.exe
  C:\Windows\System\TzXKwqC.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\UABpVsT.exe
  C:\Windows\System\UABpVsT.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\meHZbQn.exe
  C:\Windows\System\meHZbQn.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\pmkReJO.exe
  C:\Windows\System\pmkReJO.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\ZNOVDVZ.exe
  C:\Windows\System\ZNOVDVZ.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\XfgPWzH.exe
  C:\Windows\System\XfgPWzH.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\qCTSTIq.exe
  C:\Windows\System\qCTSTIq.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\KDcDLJY.exe
  C:\Windows\System\KDcDLJY.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\WHdvzRL.exe
  C:\Windows\System\WHdvzRL.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\IlDLuXT.exe
  C:\Windows\System\IlDLuXT.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\mkHsdwl.exe
  C:\Windows\System\mkHsdwl.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\iyJoVUH.exe
  C:\Windows\System\iyJoVUH.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\AMymtpE.exe
  C:\Windows\System\AMymtpE.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\tHsvWIw.exe
  C:\Windows\System\tHsvWIw.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\nnviEFI.exe
  C:\Windows\System\nnviEFI.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\uxkvCQz.exe
  C:\Windows\System\uxkvCQz.exe
  2⤵
  PID:5084
- C:\Windows\System\wYDirYs.exe
  C:\Windows\System\wYDirYs.exe
  2⤵
  PID:5064
- C:\Windows\System\mkyOGCE.exe
  C:\Windows\System\mkyOGCE.exe
  2⤵
  PID:3468
- C:\Windows\System\BvKDxtK.exe
  C:\Windows\System\BvKDxtK.exe
  2⤵
  PID:1176
- C:\Windows\System\QIboQJY.exe
  C:\Windows\System\QIboQJY.exe
  2⤵
  PID:4924
- C:\Windows\System\ynJlYrB.exe
  C:\Windows\System\ynJlYrB.exe
  2⤵
  PID:1172
- C:\Windows\System\aoknDno.exe
  C:\Windows\System\aoknDno.exe
  2⤵
  PID:1708
- C:\Windows\System\IsQvrpU.exe
  C:\Windows\System\IsQvrpU.exe
  2⤵
  PID:4812
- C:\Windows\System\ajwpOlg.exe
  C:\Windows\System\ajwpOlg.exe
  2⤵
  PID:5216
- C:\Windows\System\EEAjgHf.exe
  C:\Windows\System\EEAjgHf.exe
  2⤵
  PID:5196
- C:\Windows\System\JOQszvK.exe
  C:\Windows\System\JOQszvK.exe
  2⤵
  PID:5288
- C:\Windows\System\pFHwMhx.exe
  C:\Windows\System\pFHwMhx.exe
  2⤵
  PID:5400
- C:\Windows\System\yuhAOAs.exe
  C:\Windows\System\yuhAOAs.exe
  2⤵
  PID:5372
- C:\Windows\System\skJUqIb.exe
  C:\Windows\System\skJUqIb.exe
  2⤵
  PID:5584
- C:\Windows\System\cKbRAYV.exe
  C:\Windows\System\cKbRAYV.exe
  2⤵
  PID:5628
- C:\Windows\System\zuXAkEk.exe
  C:\Windows\System\zuXAkEk.exe
  2⤵
  PID:5704
- C:\Windows\System\PXtPujI.exe
  C:\Windows\System\PXtPujI.exe
  2⤵
  PID:5796
- C:\Windows\System\hICBvXv.exe
  C:\Windows\System\hICBvXv.exe
  2⤵
  PID:5832
- C:\Windows\System\OdjdLPL.exe
  C:\Windows\System\OdjdLPL.exe
  2⤵
  PID:5912
- C:\Windows\System\tRxsBRq.exe
  C:\Windows\System\tRxsBRq.exe
  2⤵
  PID:5996
- C:\Windows\System\ZKHKhKU.exe
  C:\Windows\System\ZKHKhKU.exe
  2⤵
  PID:5964
- C:\Windows\System\tJHPLhy.exe
  C:\Windows\System\tJHPLhy.exe
  2⤵
  PID:5880
- C:\Windows\System\TecylRq.exe
  C:\Windows\System\TecylRq.exe
  2⤵
  PID:5856
- C:\Windows\System\ukVDliA.exe
  C:\Windows\System\ukVDliA.exe
  2⤵
  PID:6060
- C:\Windows\System\lMGyRht.exe
  C:\Windows\System\lMGyRht.exe
  2⤵
  PID:5748
- C:\Windows\System\YYszEUA.exe
  C:\Windows\System\YYszEUA.exe
  2⤵
  PID:5724
- C:\Windows\System\hjFKbIG.exe
  C:\Windows\System\hjFKbIG.exe
  2⤵
  PID:5652
- C:\Windows\System\wMyylTm.exe
  C:\Windows\System\wMyylTm.exe
  2⤵
  PID:2244
- C:\Windows\System\wPNIicu.exe
  C:\Windows\System\wPNIicu.exe
  2⤵
  PID:6124
- C:\Windows\System\hHlUgDD.exe
  C:\Windows\System\hHlUgDD.exe
  2⤵
  PID:4176
- C:\Windows\System\rqapozU.exe
  C:\Windows\System\rqapozU.exe
  2⤵
  PID:5260
- C:\Windows\System\oPPHNnq.exe
  C:\Windows\System\oPPHNnq.exe
  2⤵
  PID:5328
- C:\Windows\System\aYaPuSt.exe
  C:\Windows\System\aYaPuSt.exe
  2⤵
  PID:5416
- C:\Windows\System\bTaqhhJ.exe
  C:\Windows\System\bTaqhhJ.exe
  2⤵
  PID:5572
- C:\Windows\System\qtikXCF.exe
  C:\Windows\System\qtikXCF.exe
  2⤵
  PID:5480
- C:\Windows\System\VdiRAVg.exe
  C:\Windows\System\VdiRAVg.exe
  2⤵
  PID:5740
- C:\Windows\System\oWqBhlP.exe
  C:\Windows\System\oWqBhlP.exe
  2⤵
  PID:5940
- C:\Windows\System\byKEVvd.exe
  C:\Windows\System\byKEVvd.exe
  2⤵
  PID:6096
- C:\Windows\System\SqkmzTM.exe
  C:\Windows\System\SqkmzTM.exe
  2⤵
  PID:5320
- C:\Windows\System\JfjrrwX.exe
  C:\Windows\System\JfjrrwX.exe
  2⤵
  PID:3496
- C:\Windows\System\TKqroqM.exe
  C:\Windows\System\TKqroqM.exe
  2⤵
  PID:5952
- C:\Windows\System\PlyXZUR.exe
  C:\Windows\System\PlyXZUR.exe
  2⤵
  PID:6112
- C:\Windows\System\MhRQXON.exe
  C:\Windows\System\MhRQXON.exe
  2⤵
  PID:4932
- C:\Windows\System\lBIQrht.exe
  C:\Windows\System\lBIQrht.exe
  2⤵
  PID:1932
- C:\Windows\System\iUHJOLJ.exe
  C:\Windows\System\iUHJOLJ.exe
  2⤵
  PID:3520
- C:\Windows\System\tweviFf.exe
  C:\Windows\System\tweviFf.exe
  2⤵
  PID:6168
- C:\Windows\System\EQtyoTN.exe
  C:\Windows\System\EQtyoTN.exe
  2⤵
  PID:5716
- C:\Windows\System\iYAUahT.exe
  C:\Windows\System\iYAUahT.exe
  2⤵
  PID:6280
- C:\Windows\System\MtaqPAS.exe
  C:\Windows\System\MtaqPAS.exe
  2⤵
  PID:6252
- C:\Windows\System\qJOhobA.exe
  C:\Windows\System\qJOhobA.exe
  2⤵
  PID:6352
- C:\Windows\System\TFpAFdc.exe
  C:\Windows\System\TFpAFdc.exe
  2⤵
  PID:6392
- C:\Windows\System\FrwPubc.exe
  C:\Windows\System\FrwPubc.exe
  2⤵
  PID:6376
- C:\Windows\System\zxopvPs.exe
  C:\Windows\System\zxopvPs.exe
  2⤵
  PID:6480
- C:\Windows\System\gHUfKrS.exe
  C:\Windows\System\gHUfKrS.exe
  2⤵
  PID:6516
- C:\Windows\System\ZIYVNeQ.exe
  C:\Windows\System\ZIYVNeQ.exe
  2⤵
  PID:6612
- C:\Windows\System\HQSHdvV.exe
  C:\Windows\System\HQSHdvV.exe
  2⤵
  PID:6676
- C:\Windows\System\RXaYlKi.exe
  C:\Windows\System\RXaYlKi.exe
  2⤵
  PID:6724
- C:\Windows\System\pkwzCIa.exe
  C:\Windows\System\pkwzCIa.exe
  2⤵
  PID:6836
- C:\Windows\System\OaFzuDa.exe
  C:\Windows\System\OaFzuDa.exe
  2⤵
  PID:6896
- C:\Windows\System\PkLFIEO.exe
  C:\Windows\System\PkLFIEO.exe
  2⤵
  PID:6956
- C:\Windows\System\JYqWhus.exe
  C:\Windows\System\JYqWhus.exe
  2⤵
  PID:7032
- C:\Windows\System\EAyTBqY.exe
  C:\Windows\System\EAyTBqY.exe
  2⤵
  PID:7064
- C:\Windows\System\nURUgGf.exe
  C:\Windows\System\nURUgGf.exe
  2⤵
  PID:7104
- C:\Windows\System\GGdxqVe.exe
  C:\Windows\System\GGdxqVe.exe
  2⤵
  PID:5236
- C:\Windows\System\ifbYSEP.exe
  C:\Windows\System\ifbYSEP.exe
  2⤵
  PID:6220
- C:\Windows\System\CmcXSaG.exe
  C:\Windows\System\CmcXSaG.exe
  2⤵
  PID:6368
- C:\Windows\System\TtpnUDd.exe
  C:\Windows\System\TtpnUDd.exe
  2⤵
  PID:6496
- C:\Windows\System\TrAnzmu.exe
  C:\Windows\System\TrAnzmu.exe
  2⤵
  PID:6556
- C:\Windows\System\hXIdfcA.exe
  C:\Windows\System\hXIdfcA.exe
  2⤵
  PID:6528
- C:\Windows\System\qLAbcdB.exe
  C:\Windows\System\qLAbcdB.exe
  2⤵
  PID:6596
- C:\Windows\System\yaXkIcN.exe
  C:\Windows\System\yaXkIcN.exe
  2⤵
  PID:6828
- C:\Windows\System\gWywWau.exe
  C:\Windows\System\gWywWau.exe
  2⤵
  PID:6892
- C:\Windows\System\nKqrRVw.exe
  C:\Windows\System\nKqrRVw.exe
  2⤵
  PID:7000
- C:\Windows\System\ECfPJgI.exe
  C:\Windows\System\ECfPJgI.exe
  2⤵
  PID:7060
- C:\Windows\System\dULwcOD.exe
  C:\Windows\System\dULwcOD.exe
  2⤵
  PID:2140
- C:\Windows\System\OTItWDz.exe
  C:\Windows\System\OTItWDz.exe
  2⤵
  PID:6408
- C:\Windows\System\OfanhZr.exe
  C:\Windows\System\OfanhZr.exe
  2⤵
  PID:6288
- C:\Windows\System\NTOeeIJ.exe
  C:\Windows\System\NTOeeIJ.exe
  2⤵
  PID:6248
- C:\Windows\System\EjGxOIR.exe
  C:\Windows\System\EjGxOIR.exe
  2⤵
  PID:2200
- C:\Windows\System\EOZEgJa.exe
  C:\Windows\System\EOZEgJa.exe
  2⤵
  PID:7040
- C:\Windows\System\YchIZzZ.exe
  C:\Windows\System\YchIZzZ.exe
  2⤵
  PID:6804
- C:\Windows\System\LlGOOqO.exe
  C:\Windows\System\LlGOOqO.exe
  2⤵
  PID:6712
- C:\Windows\System\WDeOmhx.exe
  C:\Windows\System\WDeOmhx.exe
  2⤵
  PID:6308
- C:\Windows\System\GQwMmRE.exe
  C:\Windows\System\GQwMmRE.exe
  2⤵
  PID:6852
- C:\Windows\System\pBohMpV.exe
  C:\Windows\System\pBohMpV.exe
  2⤵
  PID:7112
- C:\Windows\System\DzdthwW.exe
  C:\Windows\System\DzdthwW.exe
  2⤵
  PID:4316
- C:\Windows\System\FzLiRQq.exe
  C:\Windows\System\FzLiRQq.exe
  2⤵
  PID:6508
- C:\Windows\System\LHvaBVT.exe
  C:\Windows\System\LHvaBVT.exe
  2⤵
  PID:7024
- C:\Windows\System\gHJzjEz.exe
  C:\Windows\System\gHJzjEz.exe
  2⤵
  PID:7204
- C:\Windows\System\IcVTGdu.exe
  C:\Windows\System\IcVTGdu.exe
  2⤵
  PID:7228
- C:\Windows\System\CjzkNYA.exe
  C:\Windows\System\CjzkNYA.exe
  2⤵
  PID:7288
- C:\Windows\System\NBwERRR.exe
  C:\Windows\System\NBwERRR.exe
  2⤵
  PID:7344
- C:\Windows\System\BakQYkw.exe
  C:\Windows\System\BakQYkw.exe
  2⤵
  PID:7440
- C:\Windows\System\TpLNVrw.exe
  C:\Windows\System\TpLNVrw.exe
  2⤵
  PID:7544
- C:\Windows\System\HHNbrRN.exe
  C:\Windows\System\HHNbrRN.exe
  2⤵
  PID:7588
- C:\Windows\System\CViCJnQ.exe
  C:\Windows\System\CViCJnQ.exe
  2⤵
  PID:7624
- C:\Windows\System\FfxavDO.exe
  C:\Windows\System\FfxavDO.exe
  2⤵
  PID:7704
- C:\Windows\System\rRRnqoI.exe
  C:\Windows\System\rRRnqoI.exe
  2⤵
  PID:7796
- C:\Windows\System\GCRVJKT.exe
  C:\Windows\System\GCRVJKT.exe
  2⤵
  PID:7868
- C:\Windows\System\GzevDWd.exe
  C:\Windows\System\GzevDWd.exe
  2⤵
  PID:7908
- C:\Windows\System\uipEcxC.exe
  C:\Windows\System\uipEcxC.exe
  2⤵
  PID:7996
- C:\Windows\System\dQhHqgc.exe
  C:\Windows\System\dQhHqgc.exe
  2⤵
  PID:8136
- C:\Windows\System\YxNrvJs.exe
  C:\Windows\System\YxNrvJs.exe
  2⤵
  PID:412
- C:\Windows\System\UOBRhXd.exe
  C:\Windows\System\UOBRhXd.exe
  2⤵
  PID:7192
- C:\Windows\System\NAfQHzg.exe
  C:\Windows\System\NAfQHzg.exe
  2⤵
  PID:7308
- C:\Windows\System\KlyGLri.exe
  C:\Windows\System\KlyGLri.exe
  2⤵
  PID:7644
- C:\Windows\System\hNtaoIP.exe
  C:\Windows\System\hNtaoIP.exe
  2⤵
  PID:7712
- C:\Windows\System\ITmPBTM.exe
  C:\Windows\System\ITmPBTM.exe
  2⤵
  PID:7924
- C:\Windows\System\daLWBdz.exe
  C:\Windows\System\daLWBdz.exe
  2⤵
  PID:8064
- C:\Windows\System\TpAnUxr.exe
  C:\Windows\System\TpAnUxr.exe
  2⤵
  PID:6512
- C:\Windows\System\zbNuooT.exe
  C:\Windows\System\zbNuooT.exe
  2⤵
  PID:7488
- C:\Windows\System\htkECKX.exe
  C:\Windows\System\htkECKX.exe
  2⤵
  PID:5676
- C:\Windows\System\pcmIEFX.exe
  C:\Windows\System\pcmIEFX.exe
  2⤵
  PID:7320
- C:\Windows\System\fGhrzKP.exe
  C:\Windows\System\fGhrzKP.exe
  2⤵
  PID:4232
- C:\Windows\System\alAHPah.exe
  C:\Windows\System\alAHPah.exe
  2⤵
  PID:8188
- C:\Windows\System\MpNOrtW.exe
  C:\Windows\System\MpNOrtW.exe
  2⤵
  PID:8088
- C:\Windows\System\YOtngPU.exe
  C:\Windows\System\YOtngPU.exe
  2⤵
  PID:8004
- C:\Windows\System\xhRdjKA.exe
  C:\Windows\System\xhRdjKA.exe
  2⤵
  PID:7940
- C:\Windows\System\aGinEps.exe
  C:\Windows\System\aGinEps.exe
  2⤵
  PID:7360
- C:\Windows\System\yXwcGkJ.exe
  C:\Windows\System\yXwcGkJ.exe
  2⤵
  PID:7736
- C:\Windows\System\yDEKZDM.exe
  C:\Windows\System\yDEKZDM.exe
  2⤵
  PID:8152
- C:\Windows\System\VXwofNu.exe
  C:\Windows\System\VXwofNu.exe
  2⤵
  PID:8040
- C:\Windows\System\JRPJfBm.exe
  C:\Windows\System\JRPJfBm.exe
  2⤵
  PID:8216
- C:\Windows\System\cubZgRk.exe
  C:\Windows\System\cubZgRk.exe
  2⤵
  PID:8252
- C:\Windows\System\jbXCmfv.exe
  C:\Windows\System\jbXCmfv.exe
  2⤵
  PID:8320
- C:\Windows\System\FETriMp.exe
  C:\Windows\System\FETriMp.exe
  2⤵
  PID:8384
- C:\Windows\System\JFQyAOn.exe
  C:\Windows\System\JFQyAOn.exe
  2⤵
  PID:8448
- C:\Windows\System\tdSmNUm.exe
  C:\Windows\System\tdSmNUm.exe
  2⤵
  PID:8488
- C:\Windows\System\RGjdOJv.exe
  C:\Windows\System\RGjdOJv.exe
  2⤵
  PID:8540
- C:\Windows\System\wQnpAvn.exe
  C:\Windows\System\wQnpAvn.exe
  2⤵
  PID:8660
- C:\Windows\System\rSelWbc.exe
  C:\Windows\System\rSelWbc.exe
  2⤵
  PID:8704
- C:\Windows\System\XJRwEeG.exe
  C:\Windows\System\XJRwEeG.exe
  2⤵
  PID:8824
- C:\Windows\System\JHJOjLY.exe
  C:\Windows\System\JHJOjLY.exe
  2⤵
  PID:8804
- C:\Windows\System\SinMpvk.exe
  C:\Windows\System\SinMpvk.exe
  2⤵
  PID:8992
- C:\Windows\System\IObSGcM.exe
  C:\Windows\System\IObSGcM.exe
  2⤵
  PID:8972
- C:\Windows\System\AzFCytL.exe
  C:\Windows\System\AzFCytL.exe
  2⤵
  PID:9152
- C:\Windows\System\OtXHcag.exe
  C:\Windows\System\OtXHcag.exe
  2⤵
  PID:9192
- C:\Windows\System\WeRwGbv.exe
  C:\Windows\System\WeRwGbv.exe
  2⤵
  PID:8268
- C:\Windows\System\mwPlTiW.exe
  C:\Windows\System\mwPlTiW.exe
  2⤵
  PID:8440
- C:\Windows\System\arCOpST.exe
  C:\Windows\System\arCOpST.exe
  2⤵
  PID:8616
- C:\Windows\System\ykdWwtE.exe
  C:\Windows\System\ykdWwtE.exe
  2⤵
  PID:8684
- C:\Windows\System\XFWLdWz.exe
  C:\Windows\System\XFWLdWz.exe
  2⤵
  PID:8876
- C:\Windows\System\OtQGgog.exe
  C:\Windows\System\OtQGgog.exe
  2⤵
  PID:9036
- C:\Windows\System\fftzepS.exe
  C:\Windows\System\fftzepS.exe
  2⤵
  PID:9140
- C:\Windows\System\vNqZhoT.exe
  C:\Windows\System\vNqZhoT.exe
  2⤵
  PID:7452
- C:\Windows\System\eEQyPSD.exe
  C:\Windows\System\eEQyPSD.exe
  2⤵
  PID:8308
- C:\Windows\System\ZDODhOm.exe
  C:\Windows\System\ZDODhOm.exe
  2⤵
  PID:8908
- C:\Windows\System\zQALaud.exe
  C:\Windows\System\zQALaud.exe
  2⤵
  PID:7992
- C:\Windows\System\wxfBOvd.exe
  C:\Windows\System\wxfBOvd.exe
  2⤵
  PID:8968
- C:\Windows\System\rtYTtyE.exe
  C:\Windows\System\rtYTtyE.exe
  2⤵
  PID:8376
- C:\Windows\System\nxZSAHT.exe
  C:\Windows\System\nxZSAHT.exe
  2⤵
  PID:9280
- C:\Windows\System\sTXurQz.exe
  C:\Windows\System\sTXurQz.exe
  2⤵
  PID:9316
- C:\Windows\System\BPttIMB.exe
  C:\Windows\System\BPttIMB.exe
  2⤵
  PID:9364
- C:\Windows\System\unEvvQv.exe
  C:\Windows\System\unEvvQv.exe
  2⤵
  PID:9412
- C:\Windows\System\BumDRSY.exe
  C:\Windows\System\BumDRSY.exe
  2⤵
  PID:9492
- C:\Windows\System\EwwtPeH.exe
  C:\Windows\System\EwwtPeH.exe
  2⤵
  PID:9476
- C:\Windows\System\UxmvjCf.exe
  C:\Windows\System\UxmvjCf.exe
  2⤵
  PID:9572
- C:\Windows\System\QnpqySy.exe
  C:\Windows\System\QnpqySy.exe
  2⤵
  PID:9616
- C:\Windows\System\LKuhvnt.exe
  C:\Windows\System\LKuhvnt.exe
  2⤵
  PID:9652
- C:\Windows\System\JsZHoSH.exe
  C:\Windows\System\JsZHoSH.exe
  2⤵
  PID:9732
- C:\Windows\System\rJyarRt.exe
  C:\Windows\System\rJyarRt.exe
  2⤵
  PID:9788
- C:\Windows\System\wigWYSU.exe
  C:\Windows\System\wigWYSU.exe
  2⤵
  PID:9872
- C:\Windows\System\AAcrkan.exe
  C:\Windows\System\AAcrkan.exe
  2⤵
  PID:9900
- C:\Windows\System\NooLQXD.exe
  C:\Windows\System\NooLQXD.exe
  2⤵
  PID:10064
- C:\Windows\System\LhjEOJQ.exe
  C:\Windows\System\LhjEOJQ.exe
  2⤵
  PID:10124
- C:\Windows\System\WWUSKhW.exe
  C:\Windows\System\WWUSKhW.exe
  2⤵
  PID:10192
- C:\Windows\System\KFcjJeN.exe
  C:\Windows\System\KFcjJeN.exe
  2⤵
  PID:7788
- C:\Windows\System\KDkyNoy.exe
  C:\Windows\System\KDkyNoy.exe
  2⤵
  PID:9384
- C:\Windows\System\vitmIDG.exe
  C:\Windows\System\vitmIDG.exe
  2⤵
  PID:9340
- C:\Windows\System\OQeynSr.exe
  C:\Windows\System\OQeynSr.exe
  2⤵
  PID:9272
- C:\Windows\System\pYAPbGD.exe
  C:\Windows\System\pYAPbGD.exe
  2⤵
  PID:10164
- C:\Windows\System\YgiCTMi.exe
  C:\Windows\System\YgiCTMi.exe
  2⤵
  PID:10144
- C:\Windows\System\aYGPqtz.exe
  C:\Windows\System\aYGPqtz.exe
  2⤵
  PID:10044
- C:\Windows\System\FrKWKoP.exe
  C:\Windows\System\FrKWKoP.exe
  2⤵
  PID:10028
- C:\Windows\System\jJgdjTq.exe
  C:\Windows\System\jJgdjTq.exe
  2⤵
  PID:10004
- C:\Windows\System\HVrggNF.exe
  C:\Windows\System\HVrggNF.exe
  2⤵
  PID:9988
- C:\Windows\System\RBZxZGT.exe
  C:\Windows\System\RBZxZGT.exe
  2⤵
  PID:9960
- C:\Windows\System\QOpnlRO.exe
  C:\Windows\System\QOpnlRO.exe
  2⤵
  PID:9932
- C:\Windows\System\RBfJeWq.exe
  C:\Windows\System\RBfJeWq.exe
  2⤵
  PID:9852
- C:\Windows\System\JwNctoJ.exe
  C:\Windows\System\JwNctoJ.exe
  2⤵
  PID:9832
- C:\Windows\System\STLUMbc.exe
  C:\Windows\System\STLUMbc.exe
  2⤵
  PID:4516
- C:\Windows\System\GHzjDWj.exe
  C:\Windows\System\GHzjDWj.exe
  2⤵
  PID:4724
- C:\Windows\System\xhKcXpV.exe
  C:\Windows\System\xhKcXpV.exe
  2⤵
  PID:1888
- C:\Windows\System\VINDDtZ.exe
  C:\Windows\System\VINDDtZ.exe
  2⤵
  PID:10100
- C:\Windows\System\cEoChlw.exe
  C:\Windows\System\cEoChlw.exe
  2⤵
  PID:10052
- C:\Windows\System\iqafEQg.exe
  C:\Windows\System\iqafEQg.exe
  2⤵
  PID:10184
- C:\Windows\System\kYPhSOj.exe
  C:\Windows\System\kYPhSOj.exe
  2⤵
  PID:9308
- C:\Windows\System\ldsFzTy.exe
  C:\Windows\System\ldsFzTy.exe
  2⤵
  PID:10200
- C:\Windows\System\zjxHXQp.exe
  C:\Windows\System\zjxHXQp.exe
  2⤵
  PID:4548
- C:\Windows\System\VFapojl.exe
  C:\Windows\System\VFapojl.exe
  2⤵
  PID:9896
- C:\Windows\System\fGjKrMb.exe
  C:\Windows\System\fGjKrMb.exe
  2⤵
  PID:1064
- C:\Windows\System\xNIPqRS.exe
  C:\Windows\System\xNIPqRS.exe
  2⤵
  PID:9780
- C:\Windows\System\Ejsddmm.exe
  C:\Windows\System\Ejsddmm.exe
  2⤵
  PID:9568
- C:\Windows\System\BlPGEZR.exe
  C:\Windows\System\BlPGEZR.exe
  2⤵
  PID:9700
- C:\Windows\System\jGkjTZF.exe
  C:\Windows\System\jGkjTZF.exe
  2⤵
  PID:9672
- C:\Windows\System\jUGDYPp.exe
  C:\Windows\System\jUGDYPp.exe
  2⤵
  PID:9548
- C:\Windows\System\BlmDRbZ.exe
  C:\Windows\System\BlmDRbZ.exe
  2⤵
  PID:9452
- C:\Windows\System\CMKSIwT.exe
  C:\Windows\System\CMKSIwT.exe
  2⤵
  PID:9428
- C:\Windows\System\eSoBZVs.exe
  C:\Windows\System\eSoBZVs.exe
  2⤵
  PID:9396
- C:\Windows\System\zQEiKJY.exe
  C:\Windows\System\zQEiKJY.exe
  2⤵
  PID:8380
- C:\Windows\System\BMCpTIL.exe
  C:\Windows\System\BMCpTIL.exe
  2⤵
  PID:9164
- C:\Windows\System\iYqHEAz.exe
  C:\Windows\System\iYqHEAz.exe
  2⤵
  PID:8984
- C:\Windows\System\VDleTql.exe
  C:\Windows\System\VDleTql.exe
  2⤵
  PID:8912
- C:\Windows\System\ghjpYnK.exe
  C:\Windows\System\ghjpYnK.exe
  2⤵
  PID:8608
- C:\Windows\System\pVZaXhv.exe
  C:\Windows\System\pVZaXhv.exe
  2⤵
  PID:8656
- C:\Windows\System\QDMddLr.exe
  C:\Windows\System\QDMddLr.exe
  2⤵
  PID:8344
- C:\Windows\System\IDLdbfO.exe
  C:\Windows\System\IDLdbfO.exe
  2⤵
  PID:9072
- C:\Windows\System\ugXydvu.exe
  C:\Windows\System\ugXydvu.exe
  2⤵
  PID:8952
- C:\Windows\System\vjNZXTB.exe
  C:\Windows\System\vjNZXTB.exe
  2⤵
  PID:8988
- C:\Windows\System\YVXxejb.exe
  C:\Windows\System\YVXxejb.exe
  2⤵
  PID:8724
- C:\Windows\System\rJgkiMy.exe
  C:\Windows\System\rJgkiMy.exe
  2⤵
  PID:8504
- C:\Windows\System\ussEyVu.exe
  C:\Windows\System\ussEyVu.exe
  2⤵
  PID:8372
- C:\Windows\System\wopjolz.exe
  C:\Windows\System\wopjolz.exe
  2⤵
  PID:8340
- C:\Windows\System\YbqVifo.exe
  C:\Windows\System\YbqVifo.exe
  2⤵
  PID:8248
- C:\Windows\System\hYnJotu.exe
  C:\Windows\System\hYnJotu.exe
  2⤵
  PID:9128
- C:\Windows\System\mRHhndC.exe
  C:\Windows\System\mRHhndC.exe
  2⤵
  PID:9108
- C:\Windows\System\zGnEWHk.exe
  C:\Windows\System\zGnEWHk.exe
  2⤵
  PID:9084
- C:\Windows\System\iZQBFyo.exe
  C:\Windows\System\iZQBFyo.exe
  2⤵
  PID:9064
- C:\Windows\System\IuvxvoB.exe
  C:\Windows\System\IuvxvoB.exe
  2⤵
  PID:8956
- C:\Windows\System\IjcuPKE.exe
  C:\Windows\System\IjcuPKE.exe
  2⤵
  PID:8932
- C:\Windows\System\tLjlahN.exe
  C:\Windows\System\tLjlahN.exe
  2⤵
  PID:8916
- C:\Windows\System\nIRcjux.exe
  C:\Windows\System\nIRcjux.exe
  2⤵
  PID:8880
- C:\Windows\System\IkUoOkt.exe
  C:\Windows\System\IkUoOkt.exe
  2⤵
  PID:8784
- C:\Windows\System\JnYKIzh.exe
  C:\Windows\System\JnYKIzh.exe
  2⤵
  PID:8760
- C:\Windows\System\oiahwYj.exe
  C:\Windows\System\oiahwYj.exe
  2⤵
  PID:8688
- C:\Windows\System\XMBPbpt.exe
  C:\Windows\System\XMBPbpt.exe
  2⤵
  PID:8640
- C:\Windows\System\LHSOcfK.exe
  C:\Windows\System\LHSOcfK.exe
  2⤵
  PID:8620
- C:\Windows\System\NVzeQsY.exe
  C:\Windows\System\NVzeQsY.exe
  2⤵
  PID:8600
- C:\Windows\System\nsvrxIP.exe
  C:\Windows\System\nsvrxIP.exe
  2⤵
  PID:8576
- C:\Windows\System\FHaGCGt.exe
  C:\Windows\System\FHaGCGt.exe
  2⤵
  PID:8516
- C:\Windows\System\cEfoSkh.exe
  C:\Windows\System\cEfoSkh.exe
  2⤵
  PID:8428
- C:\Windows\System\QVTXiSb.exe
  C:\Windows\System\QVTXiSb.exe
  2⤵
  PID:8408
- C:\Windows\System\Fiwuicv.exe
  C:\Windows\System\Fiwuicv.exe
  2⤵
  PID:8352
- C:\Windows\System\aAjoKHP.exe
  C:\Windows\System\aAjoKHP.exe
  2⤵
  PID:8296
- C:\Windows\System\daiVlxI.exe
  C:\Windows\System\daiVlxI.exe
  2⤵
  PID:2000
- C:\Windows\System\uWHsPHS.exe
  C:\Windows\System\uWHsPHS.exe
  2⤵
  PID:8148
- C:\Windows\System\EcIVKsU.exe
  C:\Windows\System\EcIVKsU.exe
  2⤵
  PID:5212
- C:\Windows\System\MmbzJlh.exe
  C:\Windows\System\MmbzJlh.exe
  2⤵
  PID:7680
- C:\Windows\System\UvRrTTO.exe
  C:\Windows\System\UvRrTTO.exe
  2⤵
  PID:7956
- C:\Windows\System\qcjtldS.exe
  C:\Windows\System\qcjtldS.exe
  2⤵
  PID:7840
- C:\Windows\System\xeqhyEN.exe
  C:\Windows\System\xeqhyEN.exe
  2⤵
  PID:7616
- C:\Windows\System\FNUEGtF.exe
  C:\Windows\System\FNUEGtF.exe
  2⤵
  PID:7600
- C:\Windows\System\FsaSdZn.exe
  C:\Windows\System\FsaSdZn.exe
  2⤵
  PID:7496
- C:\Windows\System\KYNbPpG.exe
  C:\Windows\System\KYNbPpG.exe
  2⤵
  PID:7516
- C:\Windows\System\HbGpcjk.exe
  C:\Windows\System\HbGpcjk.exe
  2⤵
  PID:7428
- C:\Windows\System\fKXtilZ.exe
  C:\Windows\System\fKXtilZ.exe
  2⤵
  PID:7244
- C:\Windows\System\GsTILrX.exe
  C:\Windows\System\GsTILrX.exe
  2⤵
  PID:1420
- C:\Windows\System\QqVENvU.exe
  C:\Windows\System\QqVENvU.exe
  2⤵
  PID:8112
- C:\Windows\System\LNQVTyz.exe
  C:\Windows\System\LNQVTyz.exe
  2⤵
  PID:8092
- C:\Windows\System\QpLmOLk.exe
  C:\Windows\System\QpLmOLk.exe
  2⤵
  PID:8068
- C:\Windows\System\nrsUCoT.exe
  C:\Windows\System\nrsUCoT.exe
  2⤵
  PID:8048
- C:\Windows\System\ldgXzbS.exe
  C:\Windows\System\ldgXzbS.exe
  2⤵
  PID:8020
- C:\Windows\System\rurggvn.exe
  C:\Windows\System\rurggvn.exe
  2⤵
  PID:7964
- C:\Windows\System\sNiasGV.exe
  C:\Windows\System\sNiasGV.exe
  2⤵
  PID:7948
- C:\Windows\System\BCbbres.exe
  C:\Windows\System\BCbbres.exe
  2⤵
  PID:7928
- C:\Windows\System\xAHzRXt.exe
  C:\Windows\System\xAHzRXt.exe
  2⤵
  PID:7888
- C:\Windows\System\qkTrTum.exe
  C:\Windows\System\qkTrTum.exe
  2⤵
  PID:7844
- C:\Windows\System\bbZdqTk.exe
  C:\Windows\System\bbZdqTk.exe
  2⤵
  PID:7780
- C:\Windows\System\TFBZkIC.exe
  C:\Windows\System\TFBZkIC.exe
  2⤵
  PID:7740
- C:\Windows\System\OpTrqFC.exe
  C:\Windows\System\OpTrqFC.exe
  2⤵
  PID:7724
- C:\Windows\System\JHLbhWv.exe
  C:\Windows\System\JHLbhWv.exe
  2⤵
  PID:7684
- C:\Windows\System\wRgBqgV.exe
  C:\Windows\System\wRgBqgV.exe
  2⤵
  PID:7520
- C:\Windows\System\uZNjmxp.exe
  C:\Windows\System\uZNjmxp.exe
  2⤵
  PID:7500
- C:\Windows\System\NpUhwsA.exe
  C:\Windows\System\NpUhwsA.exe
  2⤵
  PID:7416
- C:\Windows\System\uZiAMdp.exe
  C:\Windows\System\uZiAMdp.exe
  2⤵
  PID:7400
- C:\Windows\System\nBbQJIy.exe
  C:\Windows\System\nBbQJIy.exe
  2⤵
  PID:7368
- C:\Windows\System\PWsUVtp.exe
  C:\Windows\System\PWsUVtp.exe
  2⤵
  PID:7264
- C:\Windows\System\dVsPOkU.exe
  C:\Windows\System\dVsPOkU.exe
  2⤵
  PID:7248
- C:\Windows\System\funGKad.exe
  C:\Windows\System\funGKad.exe
  2⤵
  PID:7176
- C:\Windows\System\vJHzbnW.exe
  C:\Windows\System\vJHzbnW.exe
  2⤵
  PID:6460
- C:\Windows\System\zhtEjpz.exe
  C:\Windows\System\zhtEjpz.exe
  2⤵
  PID:6884
- C:\Windows\System\Vdclbvr.exe
  C:\Windows\System\Vdclbvr.exe
  2⤵
  PID:7132
- C:\Windows\System\mWUttvP.exe
  C:\Windows\System\mWUttvP.exe
  2⤵
  PID:7084
- C:\Windows\System\jweIaYq.exe
  C:\Windows\System\jweIaYq.exe
  2⤵
  PID:7008
- C:\Windows\System\OUUvMJr.exe
  C:\Windows\System\OUUvMJr.exe
  2⤵
  PID:6936
- C:\Windows\System\SDIfMyQ.exe
  C:\Windows\System\SDIfMyQ.exe
  2⤵
  PID:6204
- C:\Windows\System\KjCICBz.exe
  C:\Windows\System\KjCICBz.exe
  2⤵
  PID:7140
- C:\Windows\System\HkczYTZ.exe
  C:\Windows\System\HkczYTZ.exe
  2⤵
  PID:7124
- C:\Windows\System\PoHslZA.exe
  C:\Windows\System\PoHslZA.exe
  2⤵
  PID:7088
- C:\Windows\System\OuNubvx.exe
  C:\Windows\System\OuNubvx.exe
  2⤵
  PID:6872
- C:\Windows\System\ONxKhzI.exe
  C:\Windows\System\ONxKhzI.exe
  2⤵
  PID:6812
- C:\Windows\System\LFmkHmb.exe
  C:\Windows\System\LFmkHmb.exe
  2⤵
  PID:6796
- C:\Windows\System\RYMuFxr.exe
  C:\Windows\System\RYMuFxr.exe
  2⤵
  PID:6780
- C:\Windows\System\DQlheAb.exe
  C:\Windows\System\DQlheAb.exe
  2⤵
  PID:6760
- C:\Windows\System\wurDkYE.exe
  C:\Windows\System\wurDkYE.exe
  2⤵
  PID:6696
- C:\Windows\System\diQWgTO.exe
  C:\Windows\System\diQWgTO.exe
  2⤵
  PID:6636
- C:\Windows\System\rlXwTuc.exe
  C:\Windows\System\rlXwTuc.exe
  2⤵
  PID:6588
- C:\Windows\System\eBatJAL.exe
  C:\Windows\System\eBatJAL.exe
  2⤵
  PID:6564
- C:\Windows\System\tcktFQK.exe
  C:\Windows\System\tcktFQK.exe
  2⤵
  PID:6544
- C:\Windows\System\TJRNKNo.exe
  C:\Windows\System\TJRNKNo.exe
  2⤵
  PID:6464
- C:\Windows\System\ETRVaAj.exe
  C:\Windows\System\ETRVaAj.exe
  2⤵
  PID:6440
- C:\Windows\System\ktxiuMH.exe
  C:\Windows\System\ktxiuMH.exe
  2⤵
  PID:6232
- C:\Windows\System\EwwrOSm.exe
  C:\Windows\System\EwwrOSm.exe
  2⤵
  PID:6208
- C:\Windows\System\yYlcBYK.exe
  C:\Windows\System\yYlcBYK.exe
  2⤵
  PID:1472
- C:\Windows\System\cdCcUSu.exe
  C:\Windows\System\cdCcUSu.exe
  2⤵
  PID:4524
- C:\Windows\System\KSCThOp.exe
  C:\Windows\System\KSCThOp.exe
  2⤵
  PID:4400
- C:\Windows\System\sLUQSVJ.exe
  C:\Windows\System\sLUQSVJ.exe
  2⤵
  PID:5908
- C:\Windows\System\dwVaekA.exe
  C:\Windows\System\dwVaekA.exe
  2⤵
  PID:5312
- C:\Windows\System\OSWyTfQ.exe
  C:\Windows\System\OSWyTfQ.exe
  2⤵
  PID:6120
- C:\Windows\System\cALtmGj.exe
  C:\Windows\System\cALtmGj.exe
  2⤵
  PID:6048
- C:\Windows\System\dRANyMi.exe
  C:\Windows\System\dRANyMi.exe
  2⤵
  PID:6012
- C:\Windows\System\yWkEwrU.exe
  C:\Windows\System\yWkEwrU.exe
  2⤵
  PID:5896
- C:\Windows\System\nMTeAfC.exe
  C:\Windows\System\nMTeAfC.exe
  2⤵
  PID:5828
- C:\Windows\System\jjzlMDh.exe
  C:\Windows\System\jjzlMDh.exe
  2⤵
  PID:5712
- C:\Windows\System\OJNrgLO.exe
  C:\Windows\System\OJNrgLO.exe
  2⤵
  PID:5516
- C:\Windows\System\VUqzjZD.exe
  C:\Windows\System\VUqzjZD.exe
  2⤵
  PID:5368
- C:\Windows\System\OULWnTl.exe
  C:\Windows\System\OULWnTl.exe
  2⤵
  PID:5228
- C:\Windows\System\AFrZrpl.exe
  C:\Windows\System\AFrZrpl.exe
  2⤵
  PID:6104
- C:\Windows\System\TAtWfCQ.exe
  C:\Windows\System\TAtWfCQ.exe
  2⤵
  PID:5564
- C:\Windows\System\GdnfTWa.exe
  C:\Windows\System\GdnfTWa.exe
  2⤵
  PID:5524
- C:\Windows\System\NcKfpjr.exe
  C:\Windows\System\NcKfpjr.exe
  2⤵
  PID:5500
- C:\Windows\System\FRAHvDf.exe
  C:\Windows\System\FRAHvDf.exe
  2⤵
  PID:5448
- C:\Windows\System\XOkHuZF.exe
  C:\Windows\System\XOkHuZF.exe
  2⤵
  PID:5344
- C:\Windows\System\dDQMwgU.exe
  C:\Windows\System\dDQMwgU.exe
  2⤵
  PID:5264
- C:\Windows\System\zvNQSXi.exe
  C:\Windows\System\zvNQSXi.exe
  2⤵
  PID:5240
- C:\Windows\System\SZijEsW.exe
  C:\Windows\System\SZijEsW.exe
  2⤵
  PID:5172
- C:\Windows\System\DufNLeP.exe
  C:\Windows\System\DufNLeP.exe
  2⤵
  PID:5152
- C:\Windows\System\dOZkvEa.exe
  C:\Windows\System\dOZkvEa.exe
  2⤵
  PID:5124
- C:\Windows\System\pWWdXWi.exe
  C:\Windows\System\pWWdXWi.exe
  2⤵
  PID:4948
- C:\Windows\System\SlIUSYT.exe
  C:\Windows\System\SlIUSYT.exe
  2⤵
  PID:1584
- C:\Windows\System\rbgNyPD.exe
  C:\Windows\System\rbgNyPD.exe
  2⤵
  PID:4512
- C:\Windows\System\vrQiYTj.exe
  C:\Windows\System\vrQiYTj.exe
  2⤵
  PID:5004
- C:\Windows\System\RHMlmfN.exe
  C:\Windows\System\RHMlmfN.exe
  2⤵
  PID:2496
- C:\Windows\System\OjREcdm.exe
  C:\Windows\System\OjREcdm.exe
  2⤵
  PID:3924
- C:\Windows\System\LlAHjoO.exe
  C:\Windows\System\LlAHjoO.exe
  2⤵
  PID:3968
- C:\Windows\System\KaKeLLx.exe
  C:\Windows\System\KaKeLLx.exe
  2⤵
  PID:4896
- C:\Windows\System\nIEQAHx.exe
  C:\Windows\System\nIEQAHx.exe
  2⤵
  PID:228
- C:\Windows\System\XwqElha.exe
  C:\Windows\System\XwqElha.exe
  2⤵
  PID:5100
- C:\Windows\System\neiqupf.exe
  C:\Windows\System\neiqupf.exe
  2⤵
  PID:4112
- C:\Windows\System\VneImAv.exe
  C:\Windows\System\VneImAv.exe
  2⤵
  PID:4344
- C:\Windows\System\IBOnxCM.exe
  C:\Windows\System\IBOnxCM.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\JMEmvRt.exe
  C:\Windows\System\JMEmvRt.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\EDRpQgK.exe
  C:\Windows\System\EDRpQgK.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\MGdWfnM.exe
  C:\Windows\System\MGdWfnM.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\quysTgD.exe
  C:\Windows\System\quysTgD.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\nRXwEaM.exe
  C:\Windows\System\nRXwEaM.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\nFrQftK.exe
  C:\Windows\System\nFrQftK.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\lqmJYoi.exe
  C:\Windows\System\lqmJYoi.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\WhoydTI.exe
  C:\Windows\System\WhoydTI.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\hkNvFBQ.exe
  C:\Windows\System\hkNvFBQ.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\SaNWgzP.exe
  C:\Windows\System\SaNWgzP.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\oWJzDsO.exe
  C:\Windows\System\oWJzDsO.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\DYWaVpd.exe
  C:\Windows\System\DYWaVpd.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\oFYZjet.exe
  C:\Windows\System\oFYZjet.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\gyzHtWa.exe
  C:\Windows\System\gyzHtWa.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\ygspgMo.exe
  C:\Windows\System\ygspgMo.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\eOfpEoj.exe
  C:\Windows\System\eOfpEoj.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\ATdENPS.exe
  C:\Windows\System\ATdENPS.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\GGZeUEq.exe
  C:\Windows\System\GGZeUEq.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\SFuqMFq.exe
  C:\Windows\System\SFuqMFq.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\pPNXegy.exe
  C:\Windows\System\pPNXegy.exe
  2⤵
  - Executes dropped EXE
  PID:3152

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ATdENPS.exe

Filesize
2.1MB

MD5
18fa44c7c111948079c20297a8d39168

SHA1
9a61a48e7dee3a054397214b380b78998ea474d7

SHA256
d68100627c914b47bb6592dd4bdc65642c5af7d6852d0fa8d20e1a01f21339f1

SHA512
e93c6d5cb3db936da4233836f1a9096fea2178f84e27bdcaa0a002e7c3dc4397b219b69e642c3bcbd5719065629164c46436c8ecabb1354068f3349221e02e9a

Download Submit
C:\Windows\System\ATdENPS.exe

Filesize
2.1MB

MD5
18fa44c7c111948079c20297a8d39168

SHA1
9a61a48e7dee3a054397214b380b78998ea474d7

SHA256
d68100627c914b47bb6592dd4bdc65642c5af7d6852d0fa8d20e1a01f21339f1

SHA512
e93c6d5cb3db936da4233836f1a9096fea2178f84e27bdcaa0a002e7c3dc4397b219b69e642c3bcbd5719065629164c46436c8ecabb1354068f3349221e02e9a

Download Submit
C:\Windows\System\DYWaVpd.exe

Filesize
2.1MB

MD5
c9e98c57a295887c47a80e52f5baba25

SHA1
fb11c7641fa58122a9276a6f98998ae2734a97a3

SHA256
db5de77e4f69eb33167a7f6ea85b1b5696c48d2bea1dd20ca124a3abe013e2e1

SHA512
88ea4b82c39538991c6739d487a34acb42d927e13036160cd9ae911c245682e2aeb2ed32339d38d2dec8fe965829c722f17e78ed3f5c4613516d2fb3cd993f4c

Download Submit
C:\Windows\System\DYWaVpd.exe

Filesize
2.1MB

MD5
c9e98c57a295887c47a80e52f5baba25

SHA1
fb11c7641fa58122a9276a6f98998ae2734a97a3

SHA256
db5de77e4f69eb33167a7f6ea85b1b5696c48d2bea1dd20ca124a3abe013e2e1

SHA512
88ea4b82c39538991c6739d487a34acb42d927e13036160cd9ae911c245682e2aeb2ed32339d38d2dec8fe965829c722f17e78ed3f5c4613516d2fb3cd993f4c

Download Submit
C:\Windows\System\DmGDYbG.exe

Filesize
2.1MB

MD5
4888ec196df7b0aad2bb6807f1e9f7f9

SHA1
6db6dbde24c9e7765f4370b6a6780a992eacb630

SHA256
6b2a48d5fd8ec52a1f2e6992593cf4aff06a046a5dd9722731c6c1d30ff6a2fa

SHA512
f2bbf0becfb1244830a26a079bb2f576818a925dc25d220b50396dbf6fdd6230e56dd76b6bf4fb9d6391fa745c37989b91672687acf6d07d1062d04afd5f23e0

Download Submit
C:\Windows\System\DmGDYbG.exe

Filesize
2.1MB

MD5
4888ec196df7b0aad2bb6807f1e9f7f9

SHA1
6db6dbde24c9e7765f4370b6a6780a992eacb630

SHA256
6b2a48d5fd8ec52a1f2e6992593cf4aff06a046a5dd9722731c6c1d30ff6a2fa

SHA512
f2bbf0becfb1244830a26a079bb2f576818a925dc25d220b50396dbf6fdd6230e56dd76b6bf4fb9d6391fa745c37989b91672687acf6d07d1062d04afd5f23e0

Download Submit
C:\Windows\System\GGZeUEq.exe

Filesize
2.1MB

MD5
efda613e20ed9b0364b745e4bca26a4b

SHA1
e42eb06877e89ac03cfe62ed235f66188780090f

SHA256
7042aa7435fc992e96b8d68c8fe5f9e915272f876df914ff4c7389be9c4045b6

SHA512
6c42f61fe27c7fc073bcd156b334ac2faf1d84f14e238a9392a313a7bbe3e64909fe4eae30161a462ddf11d85c864552eaafdd69105e6013310dfe4fe0e5a188

Download Submit
C:\Windows\System\GGZeUEq.exe

Filesize
2.1MB

MD5
efda613e20ed9b0364b745e4bca26a4b

SHA1
e42eb06877e89ac03cfe62ed235f66188780090f

SHA256
7042aa7435fc992e96b8d68c8fe5f9e915272f876df914ff4c7389be9c4045b6

SHA512
6c42f61fe27c7fc073bcd156b334ac2faf1d84f14e238a9392a313a7bbe3e64909fe4eae30161a462ddf11d85c864552eaafdd69105e6013310dfe4fe0e5a188

Download Submit
C:\Windows\System\GfwBbns.exe

Filesize
2.1MB

MD5
ef8df9c73cf9360332e16a5d89d7c860

SHA1
0b8dade4595077dd506ae9781a2f3e98fa020da2

SHA256
55007de244136896830ff409bebd9356b82e9da7a796311530e9c921b0fa83fd

SHA512
d2fa40feb9b28caed8bb2b8b07d52fc41bfab88aa66d4a53de28b8e545acf0f989f3612e842c2f88fec3934922bcfeabaab6692b9df40fd33756f9c83c905ce8

Download Submit
C:\Windows\System\GfwBbns.exe

Filesize
2.1MB

MD5
ef8df9c73cf9360332e16a5d89d7c860

SHA1
0b8dade4595077dd506ae9781a2f3e98fa020da2

SHA256
55007de244136896830ff409bebd9356b82e9da7a796311530e9c921b0fa83fd

SHA512
d2fa40feb9b28caed8bb2b8b07d52fc41bfab88aa66d4a53de28b8e545acf0f989f3612e842c2f88fec3934922bcfeabaab6692b9df40fd33756f9c83c905ce8

Download Submit
C:\Windows\System\KsMcLvJ.exe

Filesize
2.1MB

MD5
3a4794bbc0b9ce99a4aaf597e30f6910

SHA1
56c9fc9ff0cdd0815ec7c5599e65e2799d142431

SHA256
d2e6c15d85158615ce9211291f86fda937cfbe31b1a7af46f23bbde6cf9b1645

SHA512
b38f28ef1e6572dd93d609d7b1c198e4ce2690f0b301a8beaf1a126ddb63c52f259d43853eaa4dbf40314df6ac5de05487fa2e5f2590f4760eeef1cf7a023149

Download Submit
C:\Windows\System\KsMcLvJ.exe

Filesize
2.1MB

MD5
3a4794bbc0b9ce99a4aaf597e30f6910

SHA1
56c9fc9ff0cdd0815ec7c5599e65e2799d142431

SHA256
d2e6c15d85158615ce9211291f86fda937cfbe31b1a7af46f23bbde6cf9b1645

SHA512
b38f28ef1e6572dd93d609d7b1c198e4ce2690f0b301a8beaf1a126ddb63c52f259d43853eaa4dbf40314df6ac5de05487fa2e5f2590f4760eeef1cf7a023149

Download Submit
C:\Windows\System\LKUfyLx.exe

Filesize
2.1MB

MD5
eca814537568819ea5af4909ee8465f2

SHA1
9d7f1218de6f125a0a8a92cab5ffcaf890df1960

SHA256
abe4473a929eb7afc87787d3fd3990cd3f5a7adbadfab44f6a59af6c0e5abf7f

SHA512
eb5e57552c0286978a43d500230398d984f59db4895a5b5e4eb66e3e59000eee2b46d7bf068bacd816bb3a5c299baa6e8c1883710f9764d6d9398d99875099cd

Download Submit
C:\Windows\System\LKUfyLx.exe

Filesize
2.1MB

MD5
eca814537568819ea5af4909ee8465f2

SHA1
9d7f1218de6f125a0a8a92cab5ffcaf890df1960

SHA256
abe4473a929eb7afc87787d3fd3990cd3f5a7adbadfab44f6a59af6c0e5abf7f

SHA512
eb5e57552c0286978a43d500230398d984f59db4895a5b5e4eb66e3e59000eee2b46d7bf068bacd816bb3a5c299baa6e8c1883710f9764d6d9398d99875099cd

Download Submit
C:\Windows\System\NdvBPEf.exe

Filesize
2.1MB

MD5
28dee048aebd1b4e9f8642370d8a6366

SHA1
a6a1f24abe7321ca8be9e91f96f7065a85609eb6

SHA256
95dd729f4e272f59700f62df83129fea82f429062e21665b7cc01a2713568d38

SHA512
9f09d500b0b4a72bfecfbec8e61ec245509b99b0eb8fb82a661d221c4449e644f4923ef13c13dd6dc07daf7458d212d5b6c2234369c89f11f1ea549af87f556f

Download Submit
C:\Windows\System\NdvBPEf.exe

Filesize
2.1MB

MD5
28dee048aebd1b4e9f8642370d8a6366

SHA1
a6a1f24abe7321ca8be9e91f96f7065a85609eb6

SHA256
95dd729f4e272f59700f62df83129fea82f429062e21665b7cc01a2713568d38

SHA512
9f09d500b0b4a72bfecfbec8e61ec245509b99b0eb8fb82a661d221c4449e644f4923ef13c13dd6dc07daf7458d212d5b6c2234369c89f11f1ea549af87f556f

Download Submit
C:\Windows\System\OEapXKO.exe

Filesize
2.1MB

MD5
b0becde9beecbc499a77ebff802b479c

SHA1
eb173b85f09779db832303b47f8d4006be44de3e

SHA256
5e31d6095491ddf7e2282670295289a3846510240aa76a9efce46eac297f6fbe

SHA512
fb66a87f6fd2dd8658873439602fe4e9dfb7795d812e6fcf74d1380e5984d38d9d8e691a9a3266fbf3f008786a42d6329c5ceb14e604c7bd4df64c7be5acdc8b

Download Submit
C:\Windows\System\OEapXKO.exe

Filesize
2.1MB

MD5
b0becde9beecbc499a77ebff802b479c

SHA1
eb173b85f09779db832303b47f8d4006be44de3e

SHA256
5e31d6095491ddf7e2282670295289a3846510240aa76a9efce46eac297f6fbe

SHA512
fb66a87f6fd2dd8658873439602fe4e9dfb7795d812e6fcf74d1380e5984d38d9d8e691a9a3266fbf3f008786a42d6329c5ceb14e604c7bd4df64c7be5acdc8b

Download Submit
C:\Windows\System\OnUCMWJ.exe

Filesize
2.1MB

MD5
2cd9b413309dfe3eeede0ceff6cf4655

SHA1
ed1c06b121cd6320e42656d72b243be90ecd2786

SHA256
c1803ccc942675e69d7fedd8fbe5d7807aaf23db8e21c904196a1ad3a28f2fdc

SHA512
f4da2045d276e2beb8229887cfe21220edb2238222f3cd8f0662df1549b377b60f957a6ca50efc78ea4d64e64e78d7ff8e32d33b92bbf9cf3812eaa2fb91a3b2

Download Submit
C:\Windows\System\OnUCMWJ.exe

Filesize
2.1MB

MD5
2cd9b413309dfe3eeede0ceff6cf4655

SHA1
ed1c06b121cd6320e42656d72b243be90ecd2786

SHA256
c1803ccc942675e69d7fedd8fbe5d7807aaf23db8e21c904196a1ad3a28f2fdc

SHA512
f4da2045d276e2beb8229887cfe21220edb2238222f3cd8f0662df1549b377b60f957a6ca50efc78ea4d64e64e78d7ff8e32d33b92bbf9cf3812eaa2fb91a3b2

Download Submit
C:\Windows\System\POMoVfB.exe

Filesize
2.1MB

MD5
2c41397e3306295ff8b4a784e0d684ff

SHA1
e80f1d38c87c7ca6a96fe729abaa3e540e71d8c0

SHA256
09396b734f7ae4e642548b662801e6a8e0d9763694c6d74c0e32c3109b15ad27

SHA512
90038e39f11974c045e0980f6428129261e649ac5bd15d8ff77df87f289b10effe1caef0cf51a6c7371e8df4697ed23b0dbe3083d51655a968bafffef5423654

Download Submit
C:\Windows\System\POMoVfB.exe

Filesize
2.1MB

MD5
2c41397e3306295ff8b4a784e0d684ff

SHA1
e80f1d38c87c7ca6a96fe729abaa3e540e71d8c0

SHA256
09396b734f7ae4e642548b662801e6a8e0d9763694c6d74c0e32c3109b15ad27

SHA512
90038e39f11974c045e0980f6428129261e649ac5bd15d8ff77df87f289b10effe1caef0cf51a6c7371e8df4697ed23b0dbe3083d51655a968bafffef5423654

Download Submit
C:\Windows\System\QRbefPv.exe

Filesize
2.1MB

MD5
f54aa25a81e70f6877503f128012836e

SHA1
cb174f6edb0ee43e81b9977f98920a43c75231ab

SHA256
b32f2f6f24251d7fa273d2a3431e29a92935b230a0bb47f36847d282a0f053d8

SHA512
a5bbe58260f2a0cb961b6123b3a335a296cf73e7a586bbaff67395293af8f8b6747d0673ef49c1552fc7430ca073956a18ee590a035ce70bbbaeb0a098d821c2

Download Submit
C:\Windows\System\QRbefPv.exe

Filesize
2.1MB

MD5
f54aa25a81e70f6877503f128012836e

SHA1
cb174f6edb0ee43e81b9977f98920a43c75231ab

SHA256
b32f2f6f24251d7fa273d2a3431e29a92935b230a0bb47f36847d282a0f053d8

SHA512
a5bbe58260f2a0cb961b6123b3a335a296cf73e7a586bbaff67395293af8f8b6747d0673ef49c1552fc7430ca073956a18ee590a035ce70bbbaeb0a098d821c2

Download Submit
C:\Windows\System\SAWPYpI.exe

Filesize
2.1MB

MD5
bc85da9d7506b507fd87318a8ef65c93

SHA1
bd0ec9e03128e0849f315e3d843cee063d58d100

SHA256
069ff7ee70fa0ea1d712f84f80f3e88f6ca2cc887594b4007e5ea137ffa387bd

SHA512
e289a350916f1094a025efb822f1cb043e78f00cebc51386395fe1bd37398e366fbbba66f1e4849e6ad8cdecef49e126bb8892688a9f063bbef0ee40c9e6abb8

Download Submit
C:\Windows\System\SAWPYpI.exe

Filesize
2.1MB

MD5
bc85da9d7506b507fd87318a8ef65c93

SHA1
bd0ec9e03128e0849f315e3d843cee063d58d100

SHA256
069ff7ee70fa0ea1d712f84f80f3e88f6ca2cc887594b4007e5ea137ffa387bd

SHA512
e289a350916f1094a025efb822f1cb043e78f00cebc51386395fe1bd37398e366fbbba66f1e4849e6ad8cdecef49e126bb8892688a9f063bbef0ee40c9e6abb8

Download Submit
C:\Windows\System\SFuqMFq.exe

Filesize
2.1MB

MD5
f4a02d03aa1f4489a75f441553759c01

SHA1
60ce9168f478d06a2deb0b04c4ecc616390701f6

SHA256
d9a509ade6d5ae9148d4a744f0b61bd987ad22d944e85204752a6777d0012ee6

SHA512
f038f077d063d75f3f5e53d9d7c1a8822802f2796d37a016490d999deebe3406b8496bb05bf4657184790e9d924c90cadea52110d0fe2da93bc936b12db16a2e

Download Submit
C:\Windows\System\SFuqMFq.exe

Filesize
2.1MB

MD5
f4a02d03aa1f4489a75f441553759c01

SHA1
60ce9168f478d06a2deb0b04c4ecc616390701f6

SHA256
d9a509ade6d5ae9148d4a744f0b61bd987ad22d944e85204752a6777d0012ee6

SHA512
f038f077d063d75f3f5e53d9d7c1a8822802f2796d37a016490d999deebe3406b8496bb05bf4657184790e9d924c90cadea52110d0fe2da93bc936b12db16a2e

Download Submit
C:\Windows\System\SaNWgzP.exe

Filesize
2.1MB

MD5
fdfc8bb97064732f82f85c0da23cf797

SHA1
e50f8ac4a97a9749e68b781edb3e1df35ff61c74

SHA256
e0fae2bf2cabcadc2199f68fa1ed5db8d17a54974212ad29e8fa2f22ea0fa5fa

SHA512
c69ba95859ad3f91d7bd3ea30c7157a78452a7402287a4d682becba5d9af09eefcaa7ca534f270f1d99c6333bb91e4d8cff6ccc5c494ec39c8c572883b5fe5f8

Download Submit
C:\Windows\System\UWZGhAL.exe

Filesize
2.1MB

MD5
a397dffa31fb82b44f8cc6d52efcc82d

SHA1
e802b2a682422260f7b8563b26df8c0b765ab84b

SHA256
271247087fb23f5c74a8d54eb181850dba4da23e92630327d2690940016160b5

SHA512
0f9980c770bf82e7109ebf1a9a28e37f81022b087d9d1404cd0ddf44e4c8a58a0a17fa0dfb9d76ea69130fd68dd9c18545e3d274e04dca6b60b4205294805fa6

Download Submit
C:\Windows\System\UWZGhAL.exe

Filesize
2.1MB

MD5
a397dffa31fb82b44f8cc6d52efcc82d

SHA1
e802b2a682422260f7b8563b26df8c0b765ab84b

SHA256
271247087fb23f5c74a8d54eb181850dba4da23e92630327d2690940016160b5

SHA512
0f9980c770bf82e7109ebf1a9a28e37f81022b087d9d1404cd0ddf44e4c8a58a0a17fa0dfb9d76ea69130fd68dd9c18545e3d274e04dca6b60b4205294805fa6

Download Submit
C:\Windows\System\WUkwFcG.exe

Filesize
2.1MB

MD5
182e6c14a0c0f33dec0b6148a9b18e31

SHA1
89012a6e0de0eda51e4fc2f53be22178f219cf0d

SHA256
0207a26986b8c62e6abefe7ba9f3de9645d07cecf7328f48e40ef913c53e623c

SHA512
d83b667a8f90a84d2b97548a1ba602af064a92deed3298b654e4760fc928384cc25dc314b6a4c24b1177c96179ab995dbf837727d3d1388b06caf8757015869d

Download Submit
C:\Windows\System\WUkwFcG.exe

Filesize
2.1MB

MD5
182e6c14a0c0f33dec0b6148a9b18e31

SHA1
89012a6e0de0eda51e4fc2f53be22178f219cf0d

SHA256
0207a26986b8c62e6abefe7ba9f3de9645d07cecf7328f48e40ef913c53e623c

SHA512
d83b667a8f90a84d2b97548a1ba602af064a92deed3298b654e4760fc928384cc25dc314b6a4c24b1177c96179ab995dbf837727d3d1388b06caf8757015869d

Download Submit
C:\Windows\System\WhoydTI.exe

Filesize
2.1MB

MD5
6af938c1bb41b8bad3df43409d6c1aaa

SHA1
9c81ce47a855c853362d0a94c4b5877361184fb1

SHA256
8bbe3a6860ab04a1d47d63688781c65ceee967cfff7c1edc1aa1f279714b4403

SHA512
2bd3aaad066570e7bd914efa02efdfbbf0423d568d9daa910e5f49f4887a3a41dffe6d603f19a7570eeeafe45bb4db3103eb4f9258d7e262c4af2c8255bffd01

Download Submit
C:\Windows\System\XjGMTKO.exe

Filesize
2.1MB

MD5
ffc1bfe212c391450c5eeae79347344c

SHA1
b07bab16387041c43e039d186981d7123d7e2692

SHA256
6147a78852becea956cefc1d19fc44e434e3481e0e1d7b3acaf829f4c4335969

SHA512
f67c74b5b13b50134a5d193dc2a03fb688ed9e15c5642104e69fb038f0b2aea18b3c230db7b10124b89a29d2eeb7a9583e198b3f94943c90bdb6e945b68e99bc

Download Submit
C:\Windows\System\XjGMTKO.exe

Filesize
2.1MB

MD5
ffc1bfe212c391450c5eeae79347344c

SHA1
b07bab16387041c43e039d186981d7123d7e2692

SHA256
6147a78852becea956cefc1d19fc44e434e3481e0e1d7b3acaf829f4c4335969

SHA512
f67c74b5b13b50134a5d193dc2a03fb688ed9e15c5642104e69fb038f0b2aea18b3c230db7b10124b89a29d2eeb7a9583e198b3f94943c90bdb6e945b68e99bc

Download Submit
C:\Windows\System\YSrAZaa.exe

Filesize
2.1MB

MD5
ea743e411bc50bc8109d41996e73aae2

SHA1
27f6fba42e9520528bc9ef91ffe6d412c463066d

SHA256
26779b6a9f37c442364332ed4d62a452de3ba644e0a4bec75eeb58d531dfc126

SHA512
38e37db8571cd3f7c3fa297e7c392c857e7863af2632693a0471356b4d3fe21378bd0cc0f22a099d32f49b1cb37af5846be21e656d536ced671e303f45001204

Download Submit
C:\Windows\System\YSrAZaa.exe

Filesize
2.1MB

MD5
ea743e411bc50bc8109d41996e73aae2

SHA1
27f6fba42e9520528bc9ef91ffe6d412c463066d

SHA256
26779b6a9f37c442364332ed4d62a452de3ba644e0a4bec75eeb58d531dfc126

SHA512
38e37db8571cd3f7c3fa297e7c392c857e7863af2632693a0471356b4d3fe21378bd0cc0f22a099d32f49b1cb37af5846be21e656d536ced671e303f45001204

Download Submit
C:\Windows\System\aqjHlov.exe

Filesize
2.1MB

MD5
87c50213923de9ca791156082b2ae6ac

SHA1
b71b8d655978785b0161a36ad8cf78df14923168

SHA256
78b99f339946ad899aa76e15f67ca15820c56cb2ed8325a1bd1167691ce22457

SHA512
0c8d1833deac5b767d35d40264eb4400ca3c92c9d77efc74113b6179d798c82adea65f101d7ed37cdc72830ebc7d8592049fc8bbb7d1913ee66cc3e9e1df4eac

Download Submit
C:\Windows\System\aqjHlov.exe

Filesize
2.1MB

MD5
87c50213923de9ca791156082b2ae6ac

SHA1
b71b8d655978785b0161a36ad8cf78df14923168

SHA256
78b99f339946ad899aa76e15f67ca15820c56cb2ed8325a1bd1167691ce22457

SHA512
0c8d1833deac5b767d35d40264eb4400ca3c92c9d77efc74113b6179d798c82adea65f101d7ed37cdc72830ebc7d8592049fc8bbb7d1913ee66cc3e9e1df4eac

Download Submit
C:\Windows\System\cogssfX.exe

Filesize
2.1MB

MD5
66d237f9a277bc9dda220d87084091c9

SHA1
2be751cf2abbdfca9773c589be6b530cfee8b053

SHA256
770433d664db350be68ab37cfefb49b1585e3a6ed69fbd0c53400f0061a24139

SHA512
768bdc2f726fba45c425d77f5d041325751b0bea601ab7cc63298941a734d4f67731d6037f97f2ad5aad141f581adb0200e0b1b84e79055a0b40a5784d759f63

Download Submit
C:\Windows\System\cogssfX.exe

Filesize
2.1MB

MD5
66d237f9a277bc9dda220d87084091c9

SHA1
2be751cf2abbdfca9773c589be6b530cfee8b053

SHA256
770433d664db350be68ab37cfefb49b1585e3a6ed69fbd0c53400f0061a24139

SHA512
768bdc2f726fba45c425d77f5d041325751b0bea601ab7cc63298941a734d4f67731d6037f97f2ad5aad141f581adb0200e0b1b84e79055a0b40a5784d759f63

Download Submit
C:\Windows\System\eOfpEoj.exe

Filesize
2.1MB

MD5
26dee8bb802d1a52804d93a54bd7f8d0

SHA1
84a1746d935827e2c29ed95497c49d0e8bb0bfbb

SHA256
800ea262c281f7c174129eb28980a6cb650dbd3c50ea996e73afc7518cfa08ec

SHA512
cde02476febcbf52356dc415b5c5a3c86045c5639f604ccea871689db2020355e8edc8c09a1bd1bfa6413a083223a65f00a93fb32fb0107b2d96b215e027d6fd

Download Submit
C:\Windows\System\eOfpEoj.exe

Filesize
2.1MB

MD5
26dee8bb802d1a52804d93a54bd7f8d0

SHA1
84a1746d935827e2c29ed95497c49d0e8bb0bfbb

SHA256
800ea262c281f7c174129eb28980a6cb650dbd3c50ea996e73afc7518cfa08ec

SHA512
cde02476febcbf52356dc415b5c5a3c86045c5639f604ccea871689db2020355e8edc8c09a1bd1bfa6413a083223a65f00a93fb32fb0107b2d96b215e027d6fd

Download Submit
C:\Windows\System\eUCcreN.exe

Filesize
2.1MB

MD5
a6a0f0e86ce428e56aace8cec2911fd0

SHA1
9cc1b6bc8bcd412a928e7917a6c479934e7c395d

SHA256
913ed5932cf80b8db226edca145c32123d1b4731f980b05d4147d3e75b9cd881

SHA512
f827d722ec963f09927178a243def3aa75d473161684f6f960a9310b6584fae04114fb743adb127ae08ec79f889c0e84610943c5d72d726f93e55c7fdddd72d6

Download Submit
C:\Windows\System\eUCcreN.exe

Filesize
2.1MB

MD5
a6a0f0e86ce428e56aace8cec2911fd0

SHA1
9cc1b6bc8bcd412a928e7917a6c479934e7c395d

SHA256
913ed5932cf80b8db226edca145c32123d1b4731f980b05d4147d3e75b9cd881

SHA512
f827d722ec963f09927178a243def3aa75d473161684f6f960a9310b6584fae04114fb743adb127ae08ec79f889c0e84610943c5d72d726f93e55c7fdddd72d6

Download Submit
C:\Windows\System\fiKcDKI.exe

Filesize
2.1MB

MD5
a2b4d7bf939f2478e88637b40ed40f5c

SHA1
a14bf856b6af159501aee66659e1c5570d55a279

SHA256
7e259d0d54f9f7690b40a8ca9e6a9d4133dec57c879c716c760fa8594ad867e3

SHA512
52b73f3cbbcac2236dfaa583e3e085b277a8b3c865b10acea6b881a43b4e7c06d9b59d8dc40d61e9ecec48a5308f2c45cb21ff3f4c0687fec7416b10658e4f13

Download Submit
C:\Windows\System\fiKcDKI.exe

Filesize
2.1MB

MD5
a2b4d7bf939f2478e88637b40ed40f5c

SHA1
a14bf856b6af159501aee66659e1c5570d55a279

SHA256
7e259d0d54f9f7690b40a8ca9e6a9d4133dec57c879c716c760fa8594ad867e3

SHA512
52b73f3cbbcac2236dfaa583e3e085b277a8b3c865b10acea6b881a43b4e7c06d9b59d8dc40d61e9ecec48a5308f2c45cb21ff3f4c0687fec7416b10658e4f13

Download Submit
C:\Windows\System\gyzHtWa.exe

Filesize
2.1MB

MD5
7d91cca1a66650ca5b8eee100ac28a78

SHA1
1e677ce6a6758edecb9878ad362385c8968b380d

SHA256
127f73ce726bf558e5faa4a058cfb9ae6facb1fa87e8fb2e73bffffc99aafc88

SHA512
8c8e4e58262789ef2b7ea2b488b2ce39a8e2e07aee0afa4a0481ad2f2789237f07d123f029a3897d9005b95d1830f501abc3c64376aa45f9643b71b26de32fe8

Download Submit
C:\Windows\System\gyzHtWa.exe

Filesize
2.1MB

MD5
7d91cca1a66650ca5b8eee100ac28a78

SHA1
1e677ce6a6758edecb9878ad362385c8968b380d

SHA256
127f73ce726bf558e5faa4a058cfb9ae6facb1fa87e8fb2e73bffffc99aafc88

SHA512
8c8e4e58262789ef2b7ea2b488b2ce39a8e2e07aee0afa4a0481ad2f2789237f07d123f029a3897d9005b95d1830f501abc3c64376aa45f9643b71b26de32fe8

Download Submit
C:\Windows\System\gzAXgtB.exe

Filesize
2.1MB

MD5
16082fea5fb1daa11d5595f907bfc039

SHA1
1b0c50ee928f8bc8ee058c9bca6679487d9f4197

SHA256
f8a6d33fdabe7c3abd018034ad3ab3481d52d3a8ef6ff1930c16d6c298f85985

SHA512
87bd8454efdbb44b2106d020f283d7b4ab13fb1483726c5f8184cfb03eed4e343da8e31ffd89d87fd1a2f5f035afa8b37f0be2b5f76c7a6eac744ed265f5de3e

Download Submit
C:\Windows\System\gzAXgtB.exe

Filesize
2.1MB

MD5
16082fea5fb1daa11d5595f907bfc039

SHA1
1b0c50ee928f8bc8ee058c9bca6679487d9f4197

SHA256
f8a6d33fdabe7c3abd018034ad3ab3481d52d3a8ef6ff1930c16d6c298f85985

SHA512
87bd8454efdbb44b2106d020f283d7b4ab13fb1483726c5f8184cfb03eed4e343da8e31ffd89d87fd1a2f5f035afa8b37f0be2b5f76c7a6eac744ed265f5de3e

Download Submit
C:\Windows\System\ivpYsEa.exe

Filesize
2.1MB

MD5
f5a2aa3f1ad0dfac68d9e47fc33ed483

SHA1
9827d650c31b0cf798f2d3100fccc18f9ec550e4

SHA256
3873602d3544effa4eccd635dc8f981eb23bf323bd7bbc22cbbc5e2a13b17879

SHA512
293304caf2e895ca44a925c028216f63840e175e17b8e677e49fa65d7ce14811b0f18f748dd546919ca957799abbe8b04848fa782fd9891682e927bba3b1b1f5

Download Submit
C:\Windows\System\ivpYsEa.exe

Filesize
2.1MB

MD5
f5a2aa3f1ad0dfac68d9e47fc33ed483

SHA1
9827d650c31b0cf798f2d3100fccc18f9ec550e4

SHA256
3873602d3544effa4eccd635dc8f981eb23bf323bd7bbc22cbbc5e2a13b17879

SHA512
293304caf2e895ca44a925c028216f63840e175e17b8e677e49fa65d7ce14811b0f18f748dd546919ca957799abbe8b04848fa782fd9891682e927bba3b1b1f5

Download Submit
C:\Windows\System\lKvkbEs.exe

Filesize
2.1MB

MD5
197514aafaf157bc186c3530ba3c7e02

SHA1
98945a5088500c7b9397a282ebf67595663678e9

SHA256
e3fa2121246b4c2419b3a56136edd56760884b1ef663b09f3c67960c72d4686d

SHA512
5dc135a812bd73116aa25a378ef8cc402dbadb5d4fcbd9a51b50bbbdc879f9c87e909dcf48a53b1b1ee851b3b485456dce87944eb14534ad03187d7b57afac00

Download Submit
C:\Windows\System\lKvkbEs.exe

Filesize
2.1MB

MD5
197514aafaf157bc186c3530ba3c7e02

SHA1
98945a5088500c7b9397a282ebf67595663678e9

SHA256
e3fa2121246b4c2419b3a56136edd56760884b1ef663b09f3c67960c72d4686d

SHA512
5dc135a812bd73116aa25a378ef8cc402dbadb5d4fcbd9a51b50bbbdc879f9c87e909dcf48a53b1b1ee851b3b485456dce87944eb14534ad03187d7b57afac00

Download Submit
C:\Windows\System\oFYZjet.exe

Filesize
2.1MB

MD5
9022d8660e4804e7b2de57904f46acd3

SHA1
9820e5b4f5751a93b9fcd4b4554f9675fb37aa1e

SHA256
89f98c9d882361b8a4cf10fc318baba0b7c888e9306517420d2c0ead543217b1

SHA512
3c98679e4276daeb341758dd347954946df26be5463e6e6b3b4f121aa328a33fb91d005dcbff619962abf72c71488468414b0e2c227e80676764f6e9f2fb87d1

Download Submit
C:\Windows\System\oFYZjet.exe

Filesize
2.1MB

MD5
9022d8660e4804e7b2de57904f46acd3

SHA1
9820e5b4f5751a93b9fcd4b4554f9675fb37aa1e

SHA256
89f98c9d882361b8a4cf10fc318baba0b7c888e9306517420d2c0ead543217b1

SHA512
3c98679e4276daeb341758dd347954946df26be5463e6e6b3b4f121aa328a33fb91d005dcbff619962abf72c71488468414b0e2c227e80676764f6e9f2fb87d1

Download Submit
C:\Windows\System\oWJzDsO.exe

Filesize
2.1MB

MD5
59ceab36a31f5aeda300edfe13437733

SHA1
91468f4dfe6aed858437c4ffb03f6027f7ee4a4a

SHA256
3ac7037deccecc7e2a1f45fe8ee338fbcac98ca9af8861af94c5447730e61a85

SHA512
9e70f55749357f9c99e401f1894484d6e5665ac4881f1a53cd3f28571f8671d495b43255922ceb56b237d57eda185142abcb56187a39d308d56dbc365027d6b4

Download Submit
C:\Windows\System\oWJzDsO.exe

Filesize
2.1MB

MD5
59ceab36a31f5aeda300edfe13437733

SHA1
91468f4dfe6aed858437c4ffb03f6027f7ee4a4a

SHA256
3ac7037deccecc7e2a1f45fe8ee338fbcac98ca9af8861af94c5447730e61a85

SHA512
9e70f55749357f9c99e401f1894484d6e5665ac4881f1a53cd3f28571f8671d495b43255922ceb56b237d57eda185142abcb56187a39d308d56dbc365027d6b4

Download Submit
C:\Windows\System\pPNXegy.exe

Filesize
2.1MB

MD5
e12e37b4fedfa947ca251ecb0d8f5c37

SHA1
936793f87e1b916348384bbd72d9abc7666b8277

SHA256
95ea47a67b7b0db14b758dfabe1c1dd5453ecdec2c34a54315b268aad6923124

SHA512
f1cea8a661d422d498cc0756d56eb5b774b0c57389f84b7295ef83374445c63a47b955c13acfcbb15cbb88535003aa46d78d7de66dbc4d60fe0d3a3855505206

Download Submit
C:\Windows\System\pPNXegy.exe

Filesize
2.1MB

MD5
e12e37b4fedfa947ca251ecb0d8f5c37

SHA1
936793f87e1b916348384bbd72d9abc7666b8277

SHA256
95ea47a67b7b0db14b758dfabe1c1dd5453ecdec2c34a54315b268aad6923124

SHA512
f1cea8a661d422d498cc0756d56eb5b774b0c57389f84b7295ef83374445c63a47b955c13acfcbb15cbb88535003aa46d78d7de66dbc4d60fe0d3a3855505206

Download Submit
C:\Windows\System\pPNXegy.exe

Filesize
2.1MB

MD5
e12e37b4fedfa947ca251ecb0d8f5c37

SHA1
936793f87e1b916348384bbd72d9abc7666b8277

SHA256
95ea47a67b7b0db14b758dfabe1c1dd5453ecdec2c34a54315b268aad6923124

SHA512
f1cea8a661d422d498cc0756d56eb5b774b0c57389f84b7295ef83374445c63a47b955c13acfcbb15cbb88535003aa46d78d7de66dbc4d60fe0d3a3855505206

Download Submit
C:\Windows\System\ygspgMo.exe

Filesize
2.1MB

MD5
c0f546977056cf7acd4a3c9cabf1636e

SHA1
0cee5b6a9ab7ce8956c60fd4ef7d2700b56e113d

SHA256
5e74a98c13c223322f6a06b0809c4638c952ee01866bf1505be4309b90b3049d

SHA512
7dc2971699d72eae8208b99c3e7e90382c2573910732df3a520d4c058ff0235d5f3e0a62911ab4e99476cf9be2b3f23a1e8ef004dc31b5fcff5added7aa4b037

Download Submit
C:\Windows\System\ygspgMo.exe

Filesize
2.1MB

MD5
c0f546977056cf7acd4a3c9cabf1636e

SHA1
0cee5b6a9ab7ce8956c60fd4ef7d2700b56e113d

SHA256
5e74a98c13c223322f6a06b0809c4638c952ee01866bf1505be4309b90b3049d

SHA512
7dc2971699d72eae8208b99c3e7e90382c2573910732df3a520d4c058ff0235d5f3e0a62911ab4e99476cf9be2b3f23a1e8ef004dc31b5fcff5added7aa4b037

Download Submit
memory/216-233-0x00007FF6A9F40000-0x00007FF6AA294000-memory.dmp

Filesize
3.3MB

Download
memory/228-406-0x00007FF767560000-0x00007FF7678B4000-memory.dmp

Filesize
3.3MB

Download
memory/492-255-0x00007FF75F810000-0x00007FF75FB64000-memory.dmp

Filesize
3.3MB

Download
memory/808-152-0x00007FF7623E0000-0x00007FF762734000-memory.dmp

Filesize
3.3MB

Download
memory/1012-157-0x00007FF6CBF70000-0x00007FF6CC2C4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-242-0x00007FF783D50000-0x00007FF7840A4000-memory.dmp

Filesize
3.3MB

Download
memory/1060-81-0x00007FF75CE00000-0x00007FF75D154000-memory.dmp

Filesize
3.3MB

Download
memory/1076-44-0x00007FF676040000-0x00007FF676394000-memory.dmp

Filesize
3.3MB

Download
memory/1092-23-0x00007FF74BEE0000-0x00007FF74C234000-memory.dmp

Filesize
3.3MB

Download
memory/1176-442-0x00007FF6E02D0000-0x00007FF6E0624000-memory.dmp

Filesize
3.3MB

Download
memory/1356-107-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp

Filesize
3.3MB

Download
memory/1368-106-0x00007FF61A4D0000-0x00007FF61A824000-memory.dmp

Filesize
3.3MB

Download
memory/1668-86-0x00007FF66A1C0000-0x00007FF66A514000-memory.dmp

Filesize
3.3MB

Download
memory/1760-254-0x00007FF66C2B0000-0x00007FF66C604000-memory.dmp

Filesize
3.3MB

Download
memory/1928-199-0x00007FF793AC0000-0x00007FF793E14000-memory.dmp

Filesize
3.3MB

Download
memory/2020-0-0x00007FF7E02B0000-0x00007FF7E0604000-memory.dmp

Filesize
3.3MB

Download
memory/2020-1-0x000001893E690000-0x000001893E6A0000-memory.dmp

Filesize
64KB

Download
memory/2052-341-0x00007FF7C43C0000-0x00007FF7C4714000-memory.dmp

Filesize
3.3MB

Download
memory/2264-321-0x00007FF62CC60000-0x00007FF62CFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-136-0x00007FF70CB30000-0x00007FF70CE84000-memory.dmp

Filesize
3.3MB

Download
memory/2428-123-0x00007FF631F00000-0x00007FF632254000-memory.dmp

Filesize
3.3MB

Download
memory/2496-447-0x00007FF654E30000-0x00007FF655184000-memory.dmp

Filesize
3.3MB

Download
memory/2520-219-0x00007FF671AE0000-0x00007FF671E34000-memory.dmp

Filesize
3.3MB

Download
memory/2524-269-0x00007FF729D60000-0x00007FF72A0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-174-0x00007FF6DB3F0000-0x00007FF6DB744000-memory.dmp

Filesize
3.3MB

Download
memory/2720-102-0x00007FF615660000-0x00007FF6159B4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-256-0x00007FF6F1A80000-0x00007FF6F1DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-108-0x00007FF6CE600000-0x00007FF6CE954000-memory.dmp

Filesize
3.3MB

Download
memory/2988-237-0x00007FF632EF0000-0x00007FF633244000-memory.dmp

Filesize
3.3MB

Download
memory/3000-323-0x00007FF7889E0000-0x00007FF788D34000-memory.dmp

Filesize
3.3MB

Download
memory/3076-253-0x00007FF751A80000-0x00007FF751DD4000-memory.dmp

Filesize
3.3MB

Download
memory/3084-234-0x00007FF6FCC50000-0x00007FF6FCFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3152-31-0x00007FF7BBBA0000-0x00007FF7BBEF4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-103-0x00007FF7919A0000-0x00007FF791CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3228-94-0x00007FF6D7B80000-0x00007FF6D7ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3308-231-0x00007FF7E7830000-0x00007FF7E7B84000-memory.dmp

Filesize
3.3MB

Download
memory/3364-285-0x00007FF7718E0000-0x00007FF771C34000-memory.dmp

Filesize
3.3MB

Download
memory/3472-349-0x00007FF6786E0000-0x00007FF678A34000-memory.dmp

Filesize
3.3MB

Download
memory/3528-333-0x00007FF7E3900000-0x00007FF7E3C54000-memory.dmp

Filesize
3.3MB

Download
memory/3536-232-0x00007FF769F00000-0x00007FF76A254000-memory.dmp

Filesize
3.3MB

Download
memory/3548-192-0x00007FF71C9A0000-0x00007FF71CCF4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-221-0x00007FF71F490000-0x00007FF71F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/3776-223-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp

Filesize
3.3MB

Download
memory/3968-437-0x00007FF7D1E90000-0x00007FF7D21E4000-memory.dmp

Filesize
3.3MB

Download
memory/4004-162-0x00007FF62C800000-0x00007FF62CB54000-memory.dmp

Filesize
3.3MB

Download
memory/4060-20-0x00007FF666A50000-0x00007FF666DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4076-307-0x00007FF776200000-0x00007FF776554000-memory.dmp

Filesize
3.3MB

Download
memory/4128-48-0x00007FF699810000-0x00007FF699B64000-memory.dmp

Filesize
3.3MB

Download
memory/4132-274-0x00007FF6CD1F0000-0x00007FF6CD544000-memory.dmp

Filesize
3.3MB

Download
memory/4152-67-0x00007FF6D0A20000-0x00007FF6D0D74000-memory.dmp

Filesize
3.3MB

Download
memory/4344-376-0x00007FF794590000-0x00007FF7948E4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-212-0x00007FF765620000-0x00007FF765974000-memory.dmp

Filesize
3.3MB

Download
memory/4364-343-0x00007FF7FD430000-0x00007FF7FD784000-memory.dmp

Filesize
3.3MB

Download
memory/4396-56-0x00007FF7B44A0000-0x00007FF7B47F4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-358-0x00007FF6F17D0000-0x00007FF6F1B24000-memory.dmp

Filesize
3.3MB

Download
memory/4592-8-0x00007FF6B3E70000-0x00007FF6B41C4000-memory.dmp

Filesize
3.3MB

Download
memory/4616-247-0x00007FF731FF0000-0x00007FF732344000-memory.dmp

Filesize
3.3MB

Download
memory/4776-75-0x00007FF6D02B0000-0x00007FF6D0604000-memory.dmp

Filesize
3.3MB

Download
memory/4896-418-0x00007FF6F34E0000-0x00007FF6F3834000-memory.dmp

Filesize
3.3MB

Download
memory/4908-205-0x00007FF7BCF10000-0x00007FF7BD264000-memory.dmp

Filesize
3.3MB

Download
memory/5016-257-0x00007FF63FE60000-0x00007FF6401B4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-298-0x00007FF7A8870000-0x00007FF7A8BC4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-59-0x00007FF6718B0000-0x00007FF671C04000-memory.dmp

Filesize
3.3MB

Download
memory/5084-427-0x00007FF746E50000-0x00007FF7471A4000-memory.dmp

Filesize
3.3MB

Download
memory/5100-393-0x00007FF680C90000-0x00007FF680FE4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads