xmrig | e83f874b5f8deff67dbf9698c1ba1b72dafe1a079a2041194a386c65152b3acf

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
Size

2.7MB
MD5

ec7bb5940ea61d90ea4e754e465dd910
SHA1

6dd4c4b9d77ccccf681fbc6188cbb7635650a01d
SHA256

e83f874b5f8deff67dbf9698c1ba1b72dafe1a079a2041194a386c65152b3acf
SHA512

4d68e442d68ef128f7351b8e817bd0e4ea579be85fe0e58e0ce723508c1778b1e7dffaf88ece8cb10e26aee072fba12819fa67b34149b2206d0a98131c457435
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkFfdgIZohteb2e:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R8

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1824-0-0x00007FF663C30000-0x00007FF664026000-memory.dmp	xmrig
behavioral2/files/0x0032000000023bb5-5.dat	xmrig
behavioral2/files/0x000a000000023bba-7.dat	xmrig
behavioral2/files/0x000a000000023bb9-16.dat	xmrig
behavioral2/files/0x000a000000023bbd-22.dat	xmrig
behavioral2/files/0x000a000000023bbf-46.dat	xmrig
behavioral2/files/0x000a000000023bc0-52.dat	xmrig
behavioral2/files/0x000a000000023bc1-55.dat	xmrig
behavioral2/files/0x000a000000023bc2-70.dat	xmrig
behavioral2/files/0x000a000000023bc3-77.dat	xmrig
behavioral2/memory/1676-91-0x00007FF721A90000-0x00007FF721E86000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bc8-100.dat	xmrig
behavioral2/memory/1356-109-0x00007FF75D5D0000-0x00007FF75D9C6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bca-118.dat	xmrig
behavioral2/files/0x000a000000023bcb-134.dat	xmrig
behavioral2/files/0x000a000000023bd0-154.dat	xmrig
behavioral2/files/0x000a000000023bd3-171.dat	xmrig
behavioral2/files/0x000a000000023bd5-183.dat	xmrig
behavioral2/files/0x000a000000023bd8-200.dat	xmrig
behavioral2/files/0x000a000000023bd6-198.dat	xmrig
behavioral2/files/0x000a000000023bd7-195.dat	xmrig
behavioral2/memory/5088-192-0x00007FF6717E0000-0x00007FF671BD6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bd4-187.dat	xmrig
behavioral2/memory/4532-186-0x00007FF701B90000-0x00007FF701F86000-memory.dmp	xmrig
behavioral2/memory/2356-180-0x00007FF7E9AC0000-0x00007FF7E9EB6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bd2-175.dat	xmrig
behavioral2/memory/3028-174-0x00007FF67EAF0000-0x00007FF67EEE6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bd1-169.dat	xmrig
behavioral2/memory/2536-168-0x00007FF68DF90000-0x00007FF68E386000-memory.dmp	xmrig
behavioral2/memory/5084-162-0x00007FF6A0D90000-0x00007FF6A1186000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bcf-157.dat	xmrig
behavioral2/files/0x000a000000023bce-152.dat	xmrig
behavioral2/memory/3296-151-0x00007FF7CAE10000-0x00007FF7CB206000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bcd-146.dat	xmrig
behavioral2/memory/2968-145-0x00007FF7E8DB0000-0x00007FF7E91A6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bcc-140.dat	xmrig
behavioral2/memory/5080-139-0x00007FF65D240000-0x00007FF65D636000-memory.dmp	xmrig
behavioral2/memory/2712-133-0x00007FF699C20000-0x00007FF69A016000-memory.dmp	xmrig
behavioral2/memory/4692-127-0x00007FF6634F0000-0x00007FF6638E6000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bc9-122.dat	xmrig
behavioral2/memory/540-121-0x00007FF7309E0000-0x00007FF730DD6000-memory.dmp	xmrig
behavioral2/files/0x000b000000023bc4-116.dat	xmrig
behavioral2/memory/4336-115-0x00007FF6CF660000-0x00007FF6CFA56000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bc7-104.dat	xmrig
behavioral2/memory/1944-103-0x00007FF701540000-0x00007FF701936000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bc6-98.dat	xmrig
behavioral2/memory/4880-97-0x00007FF697AC0000-0x00007FF697EB6000-memory.dmp	xmrig
behavioral2/files/0x000b000000023bc5-92.dat	xmrig
behavioral2/memory/4788-80-0x00007FF6788B0000-0x00007FF678CA6000-memory.dmp	xmrig
behavioral2/memory/4668-73-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp	xmrig
behavioral2/memory/3632-51-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp	xmrig
behavioral2/memory/3316-48-0x00007FF7C35E0000-0x00007FF7C39D6000-memory.dmp	xmrig
behavioral2/memory/3748-45-0x00007FF7664F0000-0x00007FF7668E6000-memory.dmp	xmrig
behavioral2/memory/1736-43-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp	xmrig
behavioral2/files/0x000a000000023bbe-38.dat	xmrig
behavioral2/files/0x000a000000023bbb-36.dat	xmrig
behavioral2/files/0x000a000000023bbc-31.dat	xmrig
behavioral2/memory/4136-12-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	xmrig
behavioral2/memory/4136-2172-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	xmrig
behavioral2/memory/2712-2175-0x00007FF699C20000-0x00007FF69A016000-memory.dmp	xmrig
behavioral2/memory/3632-2185-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp	xmrig
behavioral2/memory/4136-2186-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	xmrig
behavioral2/memory/1736-2191-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp	xmrig
behavioral2/memory/4668-2192-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	2880	powershell.exe
11	2880	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4136	KXfWUEw.exe
4880	jVgfdOn.exe
1736	xcQassG.exe
3748	mrNjbhM.exe
3316	gcYZxVt.exe
3632	XXjDELX.exe
4668	FuFxDXH.exe
1944	CPnBjRq.exe
1356	LetrfTM.exe
4788	bJcNwnL.exe
1676	NEgtiYt.exe
4336	NoeXYor.exe
540	gABtTls.exe
4692	sPyXjRN.exe
5080	juIiywe.exe
2968	TzdKhhc.exe
3296	wbsCNFV.exe
5084	EWFtDrm.exe
2536	vQCcVpL.exe
2712	yypWOFS.exe
3028	jDYfIZA.exe
2356	aecuSLS.exe
4532	FkOKAFz.exe
5088	dPyXunB.exe
1952	aVCaRVg.exe
3320	VXnToaA.exe
1812	pnGCscc.exe
4060	tjezIjp.exe
1928	JRZqMWd.exe
1232	RmPjzKt.exe
4420	odQvQwL.exe
2840	LOkQstx.exe
744	KnHKXec.exe
3612	bPTLmly.exe
4560	NAEFebp.exe
3036	lNmthUI.exe
1576	QofjJQD.exe
2084	IQHYgGA.exe
4388	wXEOlTt.exe
4372	WOfCHZU.exe
3556	tTTCsUu.exe
2212	tKZnsUj.exe
2380	sZxpwYL.exe
3536	marlURn.exe
320	FaDoSQU.exe
2160	WDXwgZI.exe
1080	trGZHFk.exe
1280	fAQJGiD.exe
4316	QaiOfJY.exe
2604	IZqirmI.exe
1220	fPagTCO.exe
4340	mQjWkoN.exe
4256	FyAzbdJ.exe
632	TDlGhVR.exe
5072	BeLellb.exe
5044	hAJFpOH.exe
640	zLUPPEX.exe
3944	NOJatcy.exe
4176	mbwrvog.exe
3628	NpSxieO.exe
208	dAWNhxE.exe
2396	MZyvozX.exe
5128	POEqNjX.exe
5152	qaBhsjz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1824-0-0x00007FF663C30000-0x00007FF664026000-memory.dmp	upx
behavioral2/files/0x0032000000023bb5-5.dat	upx
behavioral2/files/0x000a000000023bba-7.dat	upx
behavioral2/files/0x000a000000023bb9-16.dat	upx
behavioral2/files/0x000a000000023bbd-22.dat	upx
behavioral2/files/0x000a000000023bbf-46.dat	upx
behavioral2/files/0x000a000000023bc0-52.dat	upx
behavioral2/files/0x000a000000023bc1-55.dat	upx
behavioral2/files/0x000a000000023bc2-70.dat	upx
behavioral2/files/0x000a000000023bc3-77.dat	upx
behavioral2/memory/1676-91-0x00007FF721A90000-0x00007FF721E86000-memory.dmp	upx
behavioral2/files/0x000a000000023bc8-100.dat	upx
behavioral2/memory/1356-109-0x00007FF75D5D0000-0x00007FF75D9C6000-memory.dmp	upx
behavioral2/files/0x000a000000023bca-118.dat	upx
behavioral2/files/0x000a000000023bcb-134.dat	upx
behavioral2/files/0x000a000000023bd0-154.dat	upx
behavioral2/files/0x000a000000023bd3-171.dat	upx
behavioral2/files/0x000a000000023bd5-183.dat	upx
behavioral2/files/0x000a000000023bd8-200.dat	upx
behavioral2/files/0x000a000000023bd6-198.dat	upx
behavioral2/files/0x000a000000023bd7-195.dat	upx
behavioral2/memory/5088-192-0x00007FF6717E0000-0x00007FF671BD6000-memory.dmp	upx
behavioral2/files/0x000a000000023bd4-187.dat	upx
behavioral2/memory/4532-186-0x00007FF701B90000-0x00007FF701F86000-memory.dmp	upx
behavioral2/memory/2356-180-0x00007FF7E9AC0000-0x00007FF7E9EB6000-memory.dmp	upx
behavioral2/files/0x000a000000023bd2-175.dat	upx
behavioral2/memory/3028-174-0x00007FF67EAF0000-0x00007FF67EEE6000-memory.dmp	upx
behavioral2/files/0x000a000000023bd1-169.dat	upx
behavioral2/memory/2536-168-0x00007FF68DF90000-0x00007FF68E386000-memory.dmp	upx
behavioral2/memory/5084-162-0x00007FF6A0D90000-0x00007FF6A1186000-memory.dmp	upx
behavioral2/files/0x000a000000023bcf-157.dat	upx
behavioral2/files/0x000a000000023bce-152.dat	upx
behavioral2/memory/3296-151-0x00007FF7CAE10000-0x00007FF7CB206000-memory.dmp	upx
behavioral2/files/0x000a000000023bcd-146.dat	upx
behavioral2/memory/2968-145-0x00007FF7E8DB0000-0x00007FF7E91A6000-memory.dmp	upx
behavioral2/files/0x000a000000023bcc-140.dat	upx
behavioral2/memory/5080-139-0x00007FF65D240000-0x00007FF65D636000-memory.dmp	upx
behavioral2/memory/2712-133-0x00007FF699C20000-0x00007FF69A016000-memory.dmp	upx
behavioral2/memory/4692-127-0x00007FF6634F0000-0x00007FF6638E6000-memory.dmp	upx
behavioral2/files/0x000a000000023bc9-122.dat	upx
behavioral2/memory/540-121-0x00007FF7309E0000-0x00007FF730DD6000-memory.dmp	upx
behavioral2/files/0x000b000000023bc4-116.dat	upx
behavioral2/memory/4336-115-0x00007FF6CF660000-0x00007FF6CFA56000-memory.dmp	upx
behavioral2/files/0x000a000000023bc7-104.dat	upx
behavioral2/memory/1944-103-0x00007FF701540000-0x00007FF701936000-memory.dmp	upx
behavioral2/files/0x000a000000023bc6-98.dat	upx
behavioral2/memory/4880-97-0x00007FF697AC0000-0x00007FF697EB6000-memory.dmp	upx
behavioral2/files/0x000b000000023bc5-92.dat	upx
behavioral2/memory/4788-80-0x00007FF6788B0000-0x00007FF678CA6000-memory.dmp	upx
behavioral2/memory/4668-73-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp	upx
behavioral2/memory/3632-51-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp	upx
behavioral2/memory/3316-48-0x00007FF7C35E0000-0x00007FF7C39D6000-memory.dmp	upx
behavioral2/memory/3748-45-0x00007FF7664F0000-0x00007FF7668E6000-memory.dmp	upx
behavioral2/memory/1736-43-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp	upx
behavioral2/files/0x000a000000023bbe-38.dat	upx
behavioral2/files/0x000a000000023bbb-36.dat	upx
behavioral2/files/0x000a000000023bbc-31.dat	upx
behavioral2/memory/4136-12-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	upx
behavioral2/memory/4136-2172-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	upx
behavioral2/memory/2712-2175-0x00007FF699C20000-0x00007FF69A016000-memory.dmp	upx
behavioral2/memory/3632-2185-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp	upx
behavioral2/memory/4136-2186-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp	upx
behavioral2/memory/1736-2191-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp	upx
behavioral2/memory/4668-2192-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\SyQaYtR.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\SYGDmSZ.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\BpzpptW.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\EooTseC.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\suIErdd.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ESDTMrA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\eyNwgek.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\QTbhwnD.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ScqTfzg.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\YgqCuHY.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\CbUmgIm.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\OUeguHA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\MqidqaL.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ObMbdqt.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\MIgpcTe.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\VCEAyMc.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\aLEIlNU.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\UABMWrs.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\YHKmEOH.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ogDngNE.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\Fdbzmsf.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\OZOkABU.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\EqghGjF.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ulgGybI.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\vLNNxSQ.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\eKJMqoW.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\SCveCqJ.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\EuZuqWP.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\sECHoEg.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\GCrBwNA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\sjUtPoK.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ZuNlXeG.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\WsJLLTh.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\sfUDplm.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\MrTnjrZ.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\cJGHEAn.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\GSWtnpN.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\dFnmgqU.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ipJJCOj.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\wyAIZtc.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\JvgQAdK.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\oGgoZRM.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\UrMwRLA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\sZyBUEV.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ddqldBE.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\ylBEpHM.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\sjtndMc.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\PJeEaDT.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\dxNbmfu.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\nPrTPfa.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\JvGqfuT.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\kWdcwZA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\OzpOogC.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\SpIJyDN.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\qiGVfXl.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\xGdttHX.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\czWDqlj.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\LySskEA.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\KzigqMO.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\LmljtZF.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\BZRKQxM.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\aOraiYV.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\XMPtXYZ.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
File created	C:\Windows\System\cYvGvRU.exe	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
Token: SeLockMemoryPrivilege	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeCreateGlobalPrivilege	13288	dwm.exe
Token: SeChangeNotifyPrivilege	13288	dwm.exe
Token: 33	13288	dwm.exe
Token: SeIncBasePriorityPrivilege	13288	dwm.exe
Token: SeShutdownPrivilege	13288	dwm.exe
Token: SeCreatePagefilePrivilege	13288	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2880	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	85
PID 1824 wrote to memory of 2880	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	85
PID 1824 wrote to memory of 4136	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	86
PID 1824 wrote to memory of 4136	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	86
PID 1824 wrote to memory of 4880	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	87
PID 1824 wrote to memory of 4880	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	87
PID 1824 wrote to memory of 1736	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	88
PID 1824 wrote to memory of 1736	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	88
PID 1824 wrote to memory of 3748	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	89
PID 1824 wrote to memory of 3748	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	89
PID 1824 wrote to memory of 3316	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	90
PID 1824 wrote to memory of 3316	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	90
PID 1824 wrote to memory of 3632	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	91
PID 1824 wrote to memory of 3632	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	91
PID 1824 wrote to memory of 4668	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	92
PID 1824 wrote to memory of 4668	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	92
PID 1824 wrote to memory of 1944	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	93
PID 1824 wrote to memory of 1944	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	93
PID 1824 wrote to memory of 1356	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	94
PID 1824 wrote to memory of 1356	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	94
PID 1824 wrote to memory of 4788	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	95
PID 1824 wrote to memory of 4788	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	95
PID 1824 wrote to memory of 1676	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	96
PID 1824 wrote to memory of 1676	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	96
PID 1824 wrote to memory of 4336	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	97
PID 1824 wrote to memory of 4336	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	97
PID 1824 wrote to memory of 540	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	98
PID 1824 wrote to memory of 540	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	98
PID 1824 wrote to memory of 4692	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	99
PID 1824 wrote to memory of 4692	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	99
PID 1824 wrote to memory of 5080	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	100
PID 1824 wrote to memory of 5080	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	100
PID 1824 wrote to memory of 2968	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	101
PID 1824 wrote to memory of 2968	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	101
PID 1824 wrote to memory of 3296	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	102
PID 1824 wrote to memory of 3296	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	102
PID 1824 wrote to memory of 5084	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	103
PID 1824 wrote to memory of 5084	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	103
PID 1824 wrote to memory of 2536	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	104
PID 1824 wrote to memory of 2536	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	104
PID 1824 wrote to memory of 2712	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	105
PID 1824 wrote to memory of 2712	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	105
PID 1824 wrote to memory of 3028	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	106
PID 1824 wrote to memory of 3028	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	106
PID 1824 wrote to memory of 2356	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	107
PID 1824 wrote to memory of 2356	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	107
PID 1824 wrote to memory of 4532	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	108
PID 1824 wrote to memory of 4532	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	108
PID 1824 wrote to memory of 5088	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	109
PID 1824 wrote to memory of 5088	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	109
PID 1824 wrote to memory of 1952	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	110
PID 1824 wrote to memory of 1952	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	110
PID 1824 wrote to memory of 3320	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	111
PID 1824 wrote to memory of 3320	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	111
PID 1824 wrote to memory of 1812	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	112
PID 1824 wrote to memory of 1812	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	112
PID 1824 wrote to memory of 4060	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	113
PID 1824 wrote to memory of 4060	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	113
PID 1824 wrote to memory of 1928	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	114
PID 1824 wrote to memory of 1928	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	114
PID 1824 wrote to memory of 1232	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	115
PID 1824 wrote to memory of 1232	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	115
PID 1824 wrote to memory of 4420	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	116
PID 1824 wrote to memory of 4420	1824	ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe	116

C:\Users\Admin\AppData\Local\Temp\ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ec7bb5940ea61d90ea4e754e465dd910_NEAS.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2880" "2960" "2892" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10460
- C:\Windows\System\KXfWUEw.exe
  C:\Windows\System\KXfWUEw.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\jVgfdOn.exe
  C:\Windows\System\jVgfdOn.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\xcQassG.exe
  C:\Windows\System\xcQassG.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\mrNjbhM.exe
  C:\Windows\System\mrNjbhM.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\gcYZxVt.exe
  C:\Windows\System\gcYZxVt.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\XXjDELX.exe
  C:\Windows\System\XXjDELX.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\FuFxDXH.exe
  C:\Windows\System\FuFxDXH.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\CPnBjRq.exe
  C:\Windows\System\CPnBjRq.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\LetrfTM.exe
  C:\Windows\System\LetrfTM.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\bJcNwnL.exe
  C:\Windows\System\bJcNwnL.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\NEgtiYt.exe
  C:\Windows\System\NEgtiYt.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\NoeXYor.exe
  C:\Windows\System\NoeXYor.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\gABtTls.exe
  C:\Windows\System\gABtTls.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\sPyXjRN.exe
  C:\Windows\System\sPyXjRN.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\juIiywe.exe
  C:\Windows\System\juIiywe.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\TzdKhhc.exe
  C:\Windows\System\TzdKhhc.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\wbsCNFV.exe
  C:\Windows\System\wbsCNFV.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\EWFtDrm.exe
  C:\Windows\System\EWFtDrm.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\vQCcVpL.exe
  C:\Windows\System\vQCcVpL.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\yypWOFS.exe
  C:\Windows\System\yypWOFS.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\jDYfIZA.exe
  C:\Windows\System\jDYfIZA.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\aecuSLS.exe
  C:\Windows\System\aecuSLS.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\FkOKAFz.exe
  C:\Windows\System\FkOKAFz.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\dPyXunB.exe
  C:\Windows\System\dPyXunB.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\aVCaRVg.exe
  C:\Windows\System\aVCaRVg.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\VXnToaA.exe
  C:\Windows\System\VXnToaA.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\pnGCscc.exe
  C:\Windows\System\pnGCscc.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\tjezIjp.exe
  C:\Windows\System\tjezIjp.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\JRZqMWd.exe
  C:\Windows\System\JRZqMWd.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\RmPjzKt.exe
  C:\Windows\System\RmPjzKt.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\odQvQwL.exe
  C:\Windows\System\odQvQwL.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\LOkQstx.exe
  C:\Windows\System\LOkQstx.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\KnHKXec.exe
  C:\Windows\System\KnHKXec.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\bPTLmly.exe
  C:\Windows\System\bPTLmly.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\NAEFebp.exe
  C:\Windows\System\NAEFebp.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\lNmthUI.exe
  C:\Windows\System\lNmthUI.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\QofjJQD.exe
  C:\Windows\System\QofjJQD.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\IQHYgGA.exe
  C:\Windows\System\IQHYgGA.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\wXEOlTt.exe
  C:\Windows\System\wXEOlTt.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\WOfCHZU.exe
  C:\Windows\System\WOfCHZU.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\tTTCsUu.exe
  C:\Windows\System\tTTCsUu.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\tKZnsUj.exe
  C:\Windows\System\tKZnsUj.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\sZxpwYL.exe
  C:\Windows\System\sZxpwYL.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\marlURn.exe
  C:\Windows\System\marlURn.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\FaDoSQU.exe
  C:\Windows\System\FaDoSQU.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\WDXwgZI.exe
  C:\Windows\System\WDXwgZI.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\trGZHFk.exe
  C:\Windows\System\trGZHFk.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\fAQJGiD.exe
  C:\Windows\System\fAQJGiD.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\QaiOfJY.exe
  C:\Windows\System\QaiOfJY.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\IZqirmI.exe
  C:\Windows\System\IZqirmI.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\fPagTCO.exe
  C:\Windows\System\fPagTCO.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\mQjWkoN.exe
  C:\Windows\System\mQjWkoN.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\FyAzbdJ.exe
  C:\Windows\System\FyAzbdJ.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\TDlGhVR.exe
  C:\Windows\System\TDlGhVR.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\BeLellb.exe
  C:\Windows\System\BeLellb.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\hAJFpOH.exe
  C:\Windows\System\hAJFpOH.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\zLUPPEX.exe
  C:\Windows\System\zLUPPEX.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\NOJatcy.exe
  C:\Windows\System\NOJatcy.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\mbwrvog.exe
  C:\Windows\System\mbwrvog.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\NpSxieO.exe
  C:\Windows\System\NpSxieO.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\dAWNhxE.exe
  C:\Windows\System\dAWNhxE.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\MZyvozX.exe
  C:\Windows\System\MZyvozX.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\POEqNjX.exe
  C:\Windows\System\POEqNjX.exe
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System\qaBhsjz.exe
  C:\Windows\System\qaBhsjz.exe
  2⤵
  - Executes dropped EXE
  PID:5152
- C:\Windows\System\zSPoCtq.exe
  C:\Windows\System\zSPoCtq.exe
  2⤵
  PID:5184
- C:\Windows\System\DFoeJVG.exe
  C:\Windows\System\DFoeJVG.exe
  2⤵
  PID:5208
- C:\Windows\System\dMXaSPY.exe
  C:\Windows\System\dMXaSPY.exe
  2⤵
  PID:5236
- C:\Windows\System\sPRlbtF.exe
  C:\Windows\System\sPRlbtF.exe
  2⤵
  PID:5268
- C:\Windows\System\OvDZDDJ.exe
  C:\Windows\System\OvDZDDJ.exe
  2⤵
  PID:5292
- C:\Windows\System\yKyinfH.exe
  C:\Windows\System\yKyinfH.exe
  2⤵
  PID:5320
- C:\Windows\System\sqakieH.exe
  C:\Windows\System\sqakieH.exe
  2⤵
  PID:5352
- C:\Windows\System\ZEsHsol.exe
  C:\Windows\System\ZEsHsol.exe
  2⤵
  PID:5376
- C:\Windows\System\xGdttHX.exe
  C:\Windows\System\xGdttHX.exe
  2⤵
  PID:5408
- C:\Windows\System\LhVkMsE.exe
  C:\Windows\System\LhVkMsE.exe
  2⤵
  PID:5432
- C:\Windows\System\pGTCfXx.exe
  C:\Windows\System\pGTCfXx.exe
  2⤵
  PID:5460
- C:\Windows\System\wvGmXtN.exe
  C:\Windows\System\wvGmXtN.exe
  2⤵
  PID:5492
- C:\Windows\System\BUDCzZB.exe
  C:\Windows\System\BUDCzZB.exe
  2⤵
  PID:5516
- C:\Windows\System\KalwdbF.exe
  C:\Windows\System\KalwdbF.exe
  2⤵
  PID:5544
- C:\Windows\System\MJfgyRh.exe
  C:\Windows\System\MJfgyRh.exe
  2⤵
  PID:5576
- C:\Windows\System\XbpIrpv.exe
  C:\Windows\System\XbpIrpv.exe
  2⤵
  PID:5600
- C:\Windows\System\EnRGrTa.exe
  C:\Windows\System\EnRGrTa.exe
  2⤵
  PID:5632
- C:\Windows\System\WMAensa.exe
  C:\Windows\System\WMAensa.exe
  2⤵
  PID:5660
- C:\Windows\System\KVSoFNs.exe
  C:\Windows\System\KVSoFNs.exe
  2⤵
  PID:5720
- C:\Windows\System\UJjIohb.exe
  C:\Windows\System\UJjIohb.exe
  2⤵
  PID:5736
- C:\Windows\System\xfMZYkU.exe
  C:\Windows\System\xfMZYkU.exe
  2⤵
  PID:5752
- C:\Windows\System\DOwbuJB.exe
  C:\Windows\System\DOwbuJB.exe
  2⤵
  PID:5780
- C:\Windows\System\jGBtoKP.exe
  C:\Windows\System\jGBtoKP.exe
  2⤵
  PID:5808
- C:\Windows\System\UeuUWom.exe
  C:\Windows\System\UeuUWom.exe
  2⤵
  PID:5832
- C:\Windows\System\sXMAdAn.exe
  C:\Windows\System\sXMAdAn.exe
  2⤵
  PID:5852
- C:\Windows\System\sVIuAOn.exe
  C:\Windows\System\sVIuAOn.exe
  2⤵
  PID:5880
- C:\Windows\System\rEBPFei.exe
  C:\Windows\System\rEBPFei.exe
  2⤵
  PID:5908
- C:\Windows\System\rQnqhze.exe
  C:\Windows\System\rQnqhze.exe
  2⤵
  PID:5936
- C:\Windows\System\fejFGgX.exe
  C:\Windows\System\fejFGgX.exe
  2⤵
  PID:5960
- C:\Windows\System\HrrEnTi.exe
  C:\Windows\System\HrrEnTi.exe
  2⤵
  PID:5992
- C:\Windows\System\gKwGdWx.exe
  C:\Windows\System\gKwGdWx.exe
  2⤵
  PID:6020
- C:\Windows\System\ouCoUag.exe
  C:\Windows\System\ouCoUag.exe
  2⤵
  PID:6048
- C:\Windows\System\iKXbssG.exe
  C:\Windows\System\iKXbssG.exe
  2⤵
  PID:6076
- C:\Windows\System\zcravGW.exe
  C:\Windows\System\zcravGW.exe
  2⤵
  PID:6104
- C:\Windows\System\ZKfkVJr.exe
  C:\Windows\System\ZKfkVJr.exe
  2⤵
  PID:6132
- C:\Windows\System\ZxlKsxs.exe
  C:\Windows\System\ZxlKsxs.exe
  2⤵
  PID:2376
- C:\Windows\System\UzjYyWq.exe
  C:\Windows\System\UzjYyWq.exe
  2⤵
  PID:3988
- C:\Windows\System\hfZxunI.exe
  C:\Windows\System\hfZxunI.exe
  2⤵
  PID:3916
- C:\Windows\System\DNqXNpb.exe
  C:\Windows\System\DNqXNpb.exe
  2⤵
  PID:3544
- C:\Windows\System\pRUUNqo.exe
  C:\Windows\System\pRUUNqo.exe
  2⤵
  PID:4516
- C:\Windows\System\vaANbcf.exe
  C:\Windows\System\vaANbcf.exe
  2⤵
  PID:3912
- C:\Windows\System\zlofPGv.exe
  C:\Windows\System\zlofPGv.exe
  2⤵
  PID:5164
- C:\Windows\System\iiuAIze.exe
  C:\Windows\System\iiuAIze.exe
  2⤵
  PID:5228
- C:\Windows\System\BvgchJT.exe
  C:\Windows\System\BvgchJT.exe
  2⤵
  PID:5304
- C:\Windows\System\tKGVuPi.exe
  C:\Windows\System\tKGVuPi.exe
  2⤵
  PID:5344
- C:\Windows\System\MdTfEzm.exe
  C:\Windows\System\MdTfEzm.exe
  2⤵
  PID:5416
- C:\Windows\System\FqotXLb.exe
  C:\Windows\System\FqotXLb.exe
  2⤵
  PID:5476
- C:\Windows\System\REOFnGd.exe
  C:\Windows\System\REOFnGd.exe
  2⤵
  PID:5536
- C:\Windows\System\yqNKxVt.exe
  C:\Windows\System\yqNKxVt.exe
  2⤵
  PID:5612
- C:\Windows\System\xQZmvpO.exe
  C:\Windows\System\xQZmvpO.exe
  2⤵
  PID:5688
- C:\Windows\System\SxFwrMR.exe
  C:\Windows\System\SxFwrMR.exe
  2⤵
  PID:5744
- C:\Windows\System\KklaSEC.exe
  C:\Windows\System\KklaSEC.exe
  2⤵
  PID:5800
- C:\Windows\System\pWHyRtx.exe
  C:\Windows\System\pWHyRtx.exe
  2⤵
  PID:5864
- C:\Windows\System\CTkmsfQ.exe
  C:\Windows\System\CTkmsfQ.exe
  2⤵
  PID:5924
- C:\Windows\System\DXLmjdZ.exe
  C:\Windows\System\DXLmjdZ.exe
  2⤵
  PID:6004
- C:\Windows\System\EItRNaV.exe
  C:\Windows\System\EItRNaV.exe
  2⤵
  PID:6060
- C:\Windows\System\BHOppzI.exe
  C:\Windows\System\BHOppzI.exe
  2⤵
  PID:6120
- C:\Windows\System\lMcmYAE.exe
  C:\Windows\System\lMcmYAE.exe
  2⤵
  PID:4300
- C:\Windows\System\JTByTjp.exe
  C:\Windows\System\JTByTjp.exe
  2⤵
  PID:4596
- C:\Windows\System\DcQwdxZ.exe
  C:\Windows\System\DcQwdxZ.exe
  2⤵
  PID:5148
- C:\Windows\System\nKnNUWo.exe
  C:\Windows\System\nKnNUWo.exe
  2⤵
  PID:5284
- C:\Windows\System\WoLVWrF.exe
  C:\Windows\System\WoLVWrF.exe
  2⤵
  PID:5444
- C:\Windows\System\tSTEaOp.exe
  C:\Windows\System\tSTEaOp.exe
  2⤵
  PID:5584
- C:\Windows\System\kuxTadx.exe
  C:\Windows\System\kuxTadx.exe
  2⤵
  PID:5732
- C:\Windows\System\eCRAzMg.exe
  C:\Windows\System\eCRAzMg.exe
  2⤵
  PID:6148
- C:\Windows\System\vDnTnYm.exe
  C:\Windows\System\vDnTnYm.exe
  2⤵
  PID:6176
- C:\Windows\System\BUdZqrr.exe
  C:\Windows\System\BUdZqrr.exe
  2⤵
  PID:6204
- C:\Windows\System\vLHoRfF.exe
  C:\Windows\System\vLHoRfF.exe
  2⤵
  PID:6228
- C:\Windows\System\ARlECtT.exe
  C:\Windows\System\ARlECtT.exe
  2⤵
  PID:6260
- C:\Windows\System\pFkOGxH.exe
  C:\Windows\System\pFkOGxH.exe
  2⤵
  PID:6288
- C:\Windows\System\DbpBYHL.exe
  C:\Windows\System\DbpBYHL.exe
  2⤵
  PID:6316
- C:\Windows\System\DwRRqzG.exe
  C:\Windows\System\DwRRqzG.exe
  2⤵
  PID:6344
- C:\Windows\System\YnXNiHW.exe
  C:\Windows\System\YnXNiHW.exe
  2⤵
  PID:6372
- C:\Windows\System\Lziildv.exe
  C:\Windows\System\Lziildv.exe
  2⤵
  PID:6400
- C:\Windows\System\FauLeHv.exe
  C:\Windows\System\FauLeHv.exe
  2⤵
  PID:6428
- C:\Windows\System\HOcntcq.exe
  C:\Windows\System\HOcntcq.exe
  2⤵
  PID:6456
- C:\Windows\System\NyupXCn.exe
  C:\Windows\System\NyupXCn.exe
  2⤵
  PID:6484
- C:\Windows\System\dFCwPly.exe
  C:\Windows\System\dFCwPly.exe
  2⤵
  PID:6512
- C:\Windows\System\qVsHGkd.exe
  C:\Windows\System\qVsHGkd.exe
  2⤵
  PID:6540
- C:\Windows\System\nGdNudA.exe
  C:\Windows\System\nGdNudA.exe
  2⤵
  PID:6568
- C:\Windows\System\Affxdpf.exe
  C:\Windows\System\Affxdpf.exe
  2⤵
  PID:6592
- C:\Windows\System\GcODIKI.exe
  C:\Windows\System\GcODIKI.exe
  2⤵
  PID:6620
- C:\Windows\System\xMtMJVP.exe
  C:\Windows\System\xMtMJVP.exe
  2⤵
  PID:6652
- C:\Windows\System\UoUUJrJ.exe
  C:\Windows\System\UoUUJrJ.exe
  2⤵
  PID:6676
- C:\Windows\System\eCNKZvb.exe
  C:\Windows\System\eCNKZvb.exe
  2⤵
  PID:6708
- C:\Windows\System\AGiqllo.exe
  C:\Windows\System\AGiqllo.exe
  2⤵
  PID:6736
- C:\Windows\System\RpeZrqj.exe
  C:\Windows\System\RpeZrqj.exe
  2⤵
  PID:6764
- C:\Windows\System\rTqRzBg.exe
  C:\Windows\System\rTqRzBg.exe
  2⤵
  PID:6792
- C:\Windows\System\auDjISW.exe
  C:\Windows\System\auDjISW.exe
  2⤵
  PID:6820
- C:\Windows\System\FWBEOrR.exe
  C:\Windows\System\FWBEOrR.exe
  2⤵
  PID:6848
- C:\Windows\System\grEsQpm.exe
  C:\Windows\System\grEsQpm.exe
  2⤵
  PID:6872
- C:\Windows\System\JuyBhpT.exe
  C:\Windows\System\JuyBhpT.exe
  2⤵
  PID:6904
- C:\Windows\System\UJgwaPr.exe
  C:\Windows\System\UJgwaPr.exe
  2⤵
  PID:6932
- C:\Windows\System\JYVLnvC.exe
  C:\Windows\System\JYVLnvC.exe
  2⤵
  PID:6956
- C:\Windows\System\oHpAajD.exe
  C:\Windows\System\oHpAajD.exe
  2⤵
  PID:6988
- C:\Windows\System\TKcTGsy.exe
  C:\Windows\System\TKcTGsy.exe
  2⤵
  PID:7012
- C:\Windows\System\jSoWdZk.exe
  C:\Windows\System\jSoWdZk.exe
  2⤵
  PID:7044
- C:\Windows\System\ngSzaMr.exe
  C:\Windows\System\ngSzaMr.exe
  2⤵
  PID:7072
- C:\Windows\System\pupjRbk.exe
  C:\Windows\System\pupjRbk.exe
  2⤵
  PID:7100
- C:\Windows\System\TVOLSRl.exe
  C:\Windows\System\TVOLSRl.exe
  2⤵
  PID:7124
- C:\Windows\System\vkshLMv.exe
  C:\Windows\System\vkshLMv.exe
  2⤵
  PID:7156
- C:\Windows\System\rjalobY.exe
  C:\Windows\System\rjalobY.exe
  2⤵
  PID:5976
- C:\Windows\System\DYikZSN.exe
  C:\Windows\System\DYikZSN.exe
  2⤵
  PID:3392
- C:\Windows\System\qFmBzva.exe
  C:\Windows\System\qFmBzva.exe
  2⤵
  PID:4744
- C:\Windows\System\TxnaCXE.exe
  C:\Windows\System\TxnaCXE.exe
  2⤵
  PID:5332
- C:\Windows\System\ADfnXTh.exe
  C:\Windows\System\ADfnXTh.exe
  2⤵
  PID:5668
- C:\Windows\System\PCLWxLH.exe
  C:\Windows\System\PCLWxLH.exe
  2⤵
  PID:6168
- C:\Windows\System\JAeOwjG.exe
  C:\Windows\System\JAeOwjG.exe
  2⤵
  PID:6244
- C:\Windows\System\ZWggfui.exe
  C:\Windows\System\ZWggfui.exe
  2⤵
  PID:6304
- C:\Windows\System\EDRHrQU.exe
  C:\Windows\System\EDRHrQU.exe
  2⤵
  PID:6364
- C:\Windows\System\qutDLDn.exe
  C:\Windows\System\qutDLDn.exe
  2⤵
  PID:6440
- C:\Windows\System\WxIEojl.exe
  C:\Windows\System\WxIEojl.exe
  2⤵
  PID:6500
- C:\Windows\System\SnbLiXO.exe
  C:\Windows\System\SnbLiXO.exe
  2⤵
  PID:6560
- C:\Windows\System\FWQjJVR.exe
  C:\Windows\System\FWQjJVR.exe
  2⤵
  PID:6616
- C:\Windows\System\kVhIQaZ.exe
  C:\Windows\System\kVhIQaZ.exe
  2⤵
  PID:6692
- C:\Windows\System\MjNBiAY.exe
  C:\Windows\System\MjNBiAY.exe
  2⤵
  PID:6752
- C:\Windows\System\MAxRhoG.exe
  C:\Windows\System\MAxRhoG.exe
  2⤵
  PID:6812
- C:\Windows\System\aEWwzNc.exe
  C:\Windows\System\aEWwzNc.exe
  2⤵
  PID:6888
- C:\Windows\System\iwpTQBX.exe
  C:\Windows\System\iwpTQBX.exe
  2⤵
  PID:6948
- C:\Windows\System\WehGjWV.exe
  C:\Windows\System\WehGjWV.exe
  2⤵
  PID:7004
- C:\Windows\System\EorlxEp.exe
  C:\Windows\System\EorlxEp.exe
  2⤵
  PID:7064
- C:\Windows\System\QkXqdFJ.exe
  C:\Windows\System\QkXqdFJ.exe
  2⤵
  PID:7116
- C:\Windows\System\kRaIUaB.exe
  C:\Windows\System\kRaIUaB.exe
  2⤵
  PID:5920
- C:\Windows\System\aIctWiF.exe
  C:\Windows\System\aIctWiF.exe
  2⤵
  PID:5220
- C:\Windows\System\DXwLJjN.exe
  C:\Windows\System\DXwLJjN.exe
  2⤵
  PID:5828
- C:\Windows\System\pQitKuk.exe
  C:\Windows\System\pQitKuk.exe
  2⤵
  PID:6272
- C:\Windows\System\wjzgGgY.exe
  C:\Windows\System\wjzgGgY.exe
  2⤵
  PID:6412
- C:\Windows\System\RptEKjK.exe
  C:\Windows\System\RptEKjK.exe
  2⤵
  PID:6552
- C:\Windows\System\hiGNvOe.exe
  C:\Windows\System\hiGNvOe.exe
  2⤵
  PID:6664
- C:\Windows\System\yZwBqNx.exe
  C:\Windows\System\yZwBqNx.exe
  2⤵
  PID:6784
- C:\Windows\System\cSonaEt.exe
  C:\Windows\System\cSonaEt.exe
  2⤵
  PID:6924
- C:\Windows\System\jMotOQS.exe
  C:\Windows\System\jMotOQS.exe
  2⤵
  PID:7056
- C:\Windows\System\YWEfyQS.exe
  C:\Windows\System\YWEfyQS.exe
  2⤵
  PID:7148
- C:\Windows\System\uFEoTGw.exe
  C:\Windows\System\uFEoTGw.exe
  2⤵
  PID:7188
- C:\Windows\System\LImoQPE.exe
  C:\Windows\System\LImoQPE.exe
  2⤵
  PID:7216
- C:\Windows\System\MaOytTt.exe
  C:\Windows\System\MaOytTt.exe
  2⤵
  PID:7244
- C:\Windows\System\UgwaiYh.exe
  C:\Windows\System\UgwaiYh.exe
  2⤵
  PID:7272
- C:\Windows\System\yEXLEPR.exe
  C:\Windows\System\yEXLEPR.exe
  2⤵
  PID:7300
- C:\Windows\System\fBZHhPH.exe
  C:\Windows\System\fBZHhPH.exe
  2⤵
  PID:7328
- C:\Windows\System\sGftyGL.exe
  C:\Windows\System\sGftyGL.exe
  2⤵
  PID:7356
- C:\Windows\System\wmcZVjE.exe
  C:\Windows\System\wmcZVjE.exe
  2⤵
  PID:7384
- C:\Windows\System\exEJgMC.exe
  C:\Windows\System\exEJgMC.exe
  2⤵
  PID:7412
- C:\Windows\System\NqPrhuI.exe
  C:\Windows\System\NqPrhuI.exe
  2⤵
  PID:7440
- C:\Windows\System\OvtSGTD.exe
  C:\Windows\System\OvtSGTD.exe
  2⤵
  PID:7468
- C:\Windows\System\qhQwSYk.exe
  C:\Windows\System\qhQwSYk.exe
  2⤵
  PID:7496
- C:\Windows\System\ubOHWYI.exe
  C:\Windows\System\ubOHWYI.exe
  2⤵
  PID:7524
- C:\Windows\System\qdhHzaR.exe
  C:\Windows\System\qdhHzaR.exe
  2⤵
  PID:7552
- C:\Windows\System\sRfhJHv.exe
  C:\Windows\System\sRfhJHv.exe
  2⤵
  PID:7580
- C:\Windows\System\uLFDIjT.exe
  C:\Windows\System\uLFDIjT.exe
  2⤵
  PID:7608
- C:\Windows\System\vjLubsz.exe
  C:\Windows\System\vjLubsz.exe
  2⤵
  PID:7636
- C:\Windows\System\pocryxf.exe
  C:\Windows\System\pocryxf.exe
  2⤵
  PID:7664
- C:\Windows\System\RfvRGDR.exe
  C:\Windows\System\RfvRGDR.exe
  2⤵
  PID:7692
- C:\Windows\System\aylweKV.exe
  C:\Windows\System\aylweKV.exe
  2⤵
  PID:7720
- C:\Windows\System\ypXtJIh.exe
  C:\Windows\System\ypXtJIh.exe
  2⤵
  PID:7748
- C:\Windows\System\QVEEXph.exe
  C:\Windows\System\QVEEXph.exe
  2⤵
  PID:7776
- C:\Windows\System\ZMvDABt.exe
  C:\Windows\System\ZMvDABt.exe
  2⤵
  PID:7804
- C:\Windows\System\IcNOTuS.exe
  C:\Windows\System\IcNOTuS.exe
  2⤵
  PID:7832
- C:\Windows\System\BXSfJxS.exe
  C:\Windows\System\BXSfJxS.exe
  2⤵
  PID:7860
- C:\Windows\System\eolHKmu.exe
  C:\Windows\System\eolHKmu.exe
  2⤵
  PID:7888
- C:\Windows\System\KbaGIKC.exe
  C:\Windows\System\KbaGIKC.exe
  2⤵
  PID:7916
- C:\Windows\System\hqLmQgO.exe
  C:\Windows\System\hqLmQgO.exe
  2⤵
  PID:7944
- C:\Windows\System\FGLYFXz.exe
  C:\Windows\System\FGLYFXz.exe
  2⤵
  PID:7972
- C:\Windows\System\LVQNGSr.exe
  C:\Windows\System\LVQNGSr.exe
  2⤵
  PID:8000
- C:\Windows\System\FntbnLN.exe
  C:\Windows\System\FntbnLN.exe
  2⤵
  PID:8028
- C:\Windows\System\NowuJzG.exe
  C:\Windows\System\NowuJzG.exe
  2⤵
  PID:8056
- C:\Windows\System\qjFpdCB.exe
  C:\Windows\System\qjFpdCB.exe
  2⤵
  PID:8080
- C:\Windows\System\ortgTdz.exe
  C:\Windows\System\ortgTdz.exe
  2⤵
  PID:8112
- C:\Windows\System\DFLLneu.exe
  C:\Windows\System\DFLLneu.exe
  2⤵
  PID:8140
- C:\Windows\System\gMpoUsJ.exe
  C:\Windows\System\gMpoUsJ.exe
  2⤵
  PID:8168
- C:\Windows\System\RvWSMqt.exe
  C:\Windows\System\RvWSMqt.exe
  2⤵
  PID:4404
- C:\Windows\System\rAdELIi.exe
  C:\Windows\System\rAdELIi.exe
  2⤵
  PID:6216
- C:\Windows\System\urztTJh.exe
  C:\Windows\System\urztTJh.exe
  2⤵
  PID:6528
- C:\Windows\System\IMiMxhX.exe
  C:\Windows\System\IMiMxhX.exe
  2⤵
  PID:6780
- C:\Windows\System\xJFhpjL.exe
  C:\Windows\System\xJFhpjL.exe
  2⤵
  PID:4544
- C:\Windows\System\kjXOViS.exe
  C:\Windows\System\kjXOViS.exe
  2⤵
  PID:7204
- C:\Windows\System\GCejjhL.exe
  C:\Windows\System\GCejjhL.exe
  2⤵
  PID:7260
- C:\Windows\System\SgnRXUH.exe
  C:\Windows\System\SgnRXUH.exe
  2⤵
  PID:7340
- C:\Windows\System\ICjXkCy.exe
  C:\Windows\System\ICjXkCy.exe
  2⤵
  PID:7400
- C:\Windows\System\uUhbmGH.exe
  C:\Windows\System\uUhbmGH.exe
  2⤵
  PID:7460
- C:\Windows\System\fAKAGKt.exe
  C:\Windows\System\fAKAGKt.exe
  2⤵
  PID:7516
- C:\Windows\System\qkIQqRV.exe
  C:\Windows\System\qkIQqRV.exe
  2⤵
  PID:7592
- C:\Windows\System\IxBvphb.exe
  C:\Windows\System\IxBvphb.exe
  2⤵
  PID:7656
- C:\Windows\System\eltxMDm.exe
  C:\Windows\System\eltxMDm.exe
  2⤵
  PID:7708
- C:\Windows\System\QjyayOi.exe
  C:\Windows\System\QjyayOi.exe
  2⤵
  PID:7764
- C:\Windows\System\wWqnpga.exe
  C:\Windows\System\wWqnpga.exe
  2⤵
  PID:7820
- C:\Windows\System\GGrJePU.exe
  C:\Windows\System\GGrJePU.exe
  2⤵
  PID:7880
- C:\Windows\System\CGYSyhC.exe
  C:\Windows\System\CGYSyhC.exe
  2⤵
  PID:2644
- C:\Windows\System\KIvvyyQ.exe
  C:\Windows\System\KIvvyyQ.exe
  2⤵
  PID:7992
- C:\Windows\System\PPWRakF.exe
  C:\Windows\System\PPWRakF.exe
  2⤵
  PID:552
- C:\Windows\System\dJoqyUK.exe
  C:\Windows\System\dJoqyUK.exe
  2⤵
  PID:8104
- C:\Windows\System\FtyiNFi.exe
  C:\Windows\System\FtyiNFi.exe
  2⤵
  PID:8152
- C:\Windows\System\dytlbyZ.exe
  C:\Windows\System\dytlbyZ.exe
  2⤵
  PID:5512
- C:\Windows\System\yygFaDY.exe
  C:\Windows\System\yygFaDY.exe
  2⤵
  PID:6724
- C:\Windows\System\wIMmXGy.exe
  C:\Windows\System\wIMmXGy.exe
  2⤵
  PID:4972
- C:\Windows\System\SqmmYKR.exe
  C:\Windows\System\SqmmYKR.exe
  2⤵
  PID:7292
- C:\Windows\System\JuiTnfz.exe
  C:\Windows\System\JuiTnfz.exe
  2⤵
  PID:7432
- C:\Windows\System\gtmhzLg.exe
  C:\Windows\System\gtmhzLg.exe
  2⤵
  PID:2216
- C:\Windows\System\XtmYMus.exe
  C:\Windows\System\XtmYMus.exe
  2⤵
  PID:7628
- C:\Windows\System\NVSocGI.exe
  C:\Windows\System\NVSocGI.exe
  2⤵
  PID:7760
- C:\Windows\System\AuQXpsK.exe
  C:\Windows\System\AuQXpsK.exe
  2⤵
  PID:2816
- C:\Windows\System\KSWdmNZ.exe
  C:\Windows\System\KSWdmNZ.exe
  2⤵
  PID:4064
- C:\Windows\System\gXlxnuk.exe
  C:\Windows\System\gXlxnuk.exe
  2⤵
  PID:2236
- C:\Windows\System\BLprOcR.exe
  C:\Windows\System\BLprOcR.exe
  2⤵
  PID:8184
- C:\Windows\System\xqBJyLR.exe
  C:\Windows\System\xqBJyLR.exe
  2⤵
  PID:3456
- C:\Windows\System\XmOAUhr.exe
  C:\Windows\System\XmOAUhr.exe
  2⤵
  PID:2560
- C:\Windows\System\fqdvfCr.exe
  C:\Windows\System\fqdvfCr.exe
  2⤵
  PID:7508
- C:\Windows\System\WvVBXuU.exe
  C:\Windows\System\WvVBXuU.exe
  2⤵
  PID:2924
- C:\Windows\System\gzVvXFZ.exe
  C:\Windows\System\gzVvXFZ.exe
  2⤵
  PID:7852
- C:\Windows\System\pGryqXB.exe
  C:\Windows\System\pGryqXB.exe
  2⤵
  PID:752
- C:\Windows\System\EAFXezz.exe
  C:\Windows\System\EAFXezz.exe
  2⤵
  PID:4076
- C:\Windows\System\LtNbSAg.exe
  C:\Windows\System\LtNbSAg.exe
  2⤵
  PID:3008
- C:\Windows\System\WaobhLk.exe
  C:\Windows\System\WaobhLk.exe
  2⤵
  PID:4552
- C:\Windows\System\iLOzPgx.exe
  C:\Windows\System\iLOzPgx.exe
  2⤵
  PID:2164
- C:\Windows\System\nZdEIlz.exe
  C:\Windows\System\nZdEIlz.exe
  2⤵
  PID:4988
- C:\Windows\System\uMhSoGL.exe
  C:\Windows\System\uMhSoGL.exe
  2⤵
  PID:4524
- C:\Windows\System\WpXhFOQ.exe
  C:\Windows\System\WpXhFOQ.exe
  2⤵
  PID:8196
- C:\Windows\System\vadKrVF.exe
  C:\Windows\System\vadKrVF.exe
  2⤵
  PID:8444
- C:\Windows\System\ObgOtiL.exe
  C:\Windows\System\ObgOtiL.exe
  2⤵
  PID:8468
- C:\Windows\System\QZTQcRt.exe
  C:\Windows\System\QZTQcRt.exe
  2⤵
  PID:8484
- C:\Windows\System\COviOpa.exe
  C:\Windows\System\COviOpa.exe
  2⤵
  PID:8500
- C:\Windows\System\rxDhRyK.exe
  C:\Windows\System\rxDhRyK.exe
  2⤵
  PID:8524
- C:\Windows\System\yyIhuOv.exe
  C:\Windows\System\yyIhuOv.exe
  2⤵
  PID:8540
- C:\Windows\System\xybjlgV.exe
  C:\Windows\System\xybjlgV.exe
  2⤵
  PID:8556
- C:\Windows\System\gcZRPNY.exe
  C:\Windows\System\gcZRPNY.exe
  2⤵
  PID:8580
- C:\Windows\System\YTBcnOY.exe
  C:\Windows\System\YTBcnOY.exe
  2⤵
  PID:8612
- C:\Windows\System\uzDJGKF.exe
  C:\Windows\System\uzDJGKF.exe
  2⤵
  PID:8656
- C:\Windows\System\UTfIkqg.exe
  C:\Windows\System\UTfIkqg.exe
  2⤵
  PID:8684
- C:\Windows\System\dRbQzYy.exe
  C:\Windows\System\dRbQzYy.exe
  2⤵
  PID:8780
- C:\Windows\System\eCtmpHv.exe
  C:\Windows\System\eCtmpHv.exe
  2⤵
  PID:8800
- C:\Windows\System\OIeIaLd.exe
  C:\Windows\System\OIeIaLd.exe
  2⤵
  PID:8832
- C:\Windows\System\KDRRULK.exe
  C:\Windows\System\KDRRULK.exe
  2⤵
  PID:8860
- C:\Windows\System\LrhwAdV.exe
  C:\Windows\System\LrhwAdV.exe
  2⤵
  PID:8896
- C:\Windows\System\Sxsgxbj.exe
  C:\Windows\System\Sxsgxbj.exe
  2⤵
  PID:8936
- C:\Windows\System\kFKiOBE.exe
  C:\Windows\System\kFKiOBE.exe
  2⤵
  PID:8976
- C:\Windows\System\WRaiyRv.exe
  C:\Windows\System\WRaiyRv.exe
  2⤵
  PID:9008
- C:\Windows\System\IFyJRlx.exe
  C:\Windows\System\IFyJRlx.exe
  2⤵
  PID:9024
- C:\Windows\System\upBPdhs.exe
  C:\Windows\System\upBPdhs.exe
  2⤵
  PID:9064
- C:\Windows\System\HAPAKoC.exe
  C:\Windows\System\HAPAKoC.exe
  2⤵
  PID:9096
- C:\Windows\System\DEknboC.exe
  C:\Windows\System\DEknboC.exe
  2⤵
  PID:9120
- C:\Windows\System\ulgGybI.exe
  C:\Windows\System\ulgGybI.exe
  2⤵
  PID:9164
- C:\Windows\System\PfVOrwQ.exe
  C:\Windows\System\PfVOrwQ.exe
  2⤵
  PID:9184
- C:\Windows\System\KpyPEYG.exe
  C:\Windows\System\KpyPEYG.exe
  2⤵
  PID:9204
- C:\Windows\System\qOhqeik.exe
  C:\Windows\System\qOhqeik.exe
  2⤵
  PID:3064
- C:\Windows\System\vZOqpSP.exe
  C:\Windows\System\vZOqpSP.exe
  2⤵
  PID:4540
- C:\Windows\System\zAzCHuz.exe
  C:\Windows\System\zAzCHuz.exe
  2⤵
  PID:400
- C:\Windows\System\WTLYCMq.exe
  C:\Windows\System\WTLYCMq.exe
  2⤵
  PID:1948
- C:\Windows\System\MHDacQA.exe
  C:\Windows\System\MHDacQA.exe
  2⤵
  PID:8240
- C:\Windows\System\snqmize.exe
  C:\Windows\System\snqmize.exe
  2⤵
  PID:8260
- C:\Windows\System\dRfGoyc.exe
  C:\Windows\System\dRfGoyc.exe
  2⤵
  PID:8276
- C:\Windows\System\EcaEMJR.exe
  C:\Windows\System\EcaEMJR.exe
  2⤵
  PID:8304
- C:\Windows\System\bGewiyq.exe
  C:\Windows\System\bGewiyq.exe
  2⤵
  PID:8324
- C:\Windows\System\EVXfexA.exe
  C:\Windows\System\EVXfexA.exe
  2⤵
  PID:8404
- C:\Windows\System\pFrLVDO.exe
  C:\Windows\System\pFrLVDO.exe
  2⤵
  PID:8436
- C:\Windows\System\jSHhVYZ.exe
  C:\Windows\System\jSHhVYZ.exe
  2⤵
  PID:8464
- C:\Windows\System\GIzVUIt.exe
  C:\Windows\System\GIzVUIt.exe
  2⤵
  PID:8492
- C:\Windows\System\lClGVtW.exe
  C:\Windows\System\lClGVtW.exe
  2⤵
  PID:8576
- C:\Windows\System\ooFNIOS.exe
  C:\Windows\System\ooFNIOS.exe
  2⤵
  PID:8664
- C:\Windows\System\ZrgTEbR.exe
  C:\Windows\System\ZrgTEbR.exe
  2⤵
  PID:8776
- C:\Windows\System\PJRrnoX.exe
  C:\Windows\System\PJRrnoX.exe
  2⤵
  PID:8812
- C:\Windows\System\TknLfen.exe
  C:\Windows\System\TknLfen.exe
  2⤵
  PID:4652
- C:\Windows\System\jntIJjh.exe
  C:\Windows\System\jntIJjh.exe
  2⤵
  PID:8924
- C:\Windows\System\iDiJzoQ.exe
  C:\Windows\System\iDiJzoQ.exe
  2⤵
  PID:9004
- C:\Windows\System\UIzuvfY.exe
  C:\Windows\System\UIzuvfY.exe
  2⤵
  PID:9076
- C:\Windows\System\seBEfdi.exe
  C:\Windows\System\seBEfdi.exe
  2⤵
  PID:9148
- C:\Windows\System\RtTGUcM.exe
  C:\Windows\System\RtTGUcM.exe
  2⤵
  PID:2072
- C:\Windows\System\txidMed.exe
  C:\Windows\System\txidMed.exe
  2⤵
  PID:3768
- C:\Windows\System\GrBuPph.exe
  C:\Windows\System\GrBuPph.exe
  2⤵
  PID:3088
- C:\Windows\System\EMVyimS.exe
  C:\Windows\System\EMVyimS.exe
  2⤵
  PID:8332
- C:\Windows\System\EkBfsbk.exe
  C:\Windows\System\EkBfsbk.exe
  2⤵
  PID:8408
- C:\Windows\System\uUcnGDA.exe
  C:\Windows\System\uUcnGDA.exe
  2⤵
  PID:2752
- C:\Windows\System\vYAlMFk.exe
  C:\Windows\System\vYAlMFk.exe
  2⤵
  PID:8640
- C:\Windows\System\pVSUlwY.exe
  C:\Windows\System\pVSUlwY.exe
  2⤵
  PID:8760
- C:\Windows\System\ddYFFgn.exe
  C:\Windows\System\ddYFFgn.exe
  2⤵
  PID:8872
- C:\Windows\System\qsszyTj.exe
  C:\Windows\System\qsszyTj.exe
  2⤵
  PID:9044
- C:\Windows\System\fIxVKyu.exe
  C:\Windows\System\fIxVKyu.exe
  2⤵
  PID:9152
- C:\Windows\System\snHULcu.exe
  C:\Windows\System\snHULcu.exe
  2⤵
  PID:4708
- C:\Windows\System\linvTlG.exe
  C:\Windows\System\linvTlG.exe
  2⤵
  PID:8300
- C:\Windows\System\AnGEhtu.exe
  C:\Windows\System\AnGEhtu.exe
  2⤵
  PID:8532
- C:\Windows\System\EwMwhiE.exe
  C:\Windows\System\EwMwhiE.exe
  2⤵
  PID:8948
- C:\Windows\System\OiopCyt.exe
  C:\Windows\System\OiopCyt.exe
  2⤵
  PID:4160
- C:\Windows\System\MLQqDbE.exe
  C:\Windows\System\MLQqDbE.exe
  2⤵
  PID:8352
- C:\Windows\System\VwOLCsX.exe
  C:\Windows\System\VwOLCsX.exe
  2⤵
  PID:8248
- C:\Windows\System\SYbziJo.exe
  C:\Windows\System\SYbziJo.exe
  2⤵
  PID:9224
- C:\Windows\System\MaIHznc.exe
  C:\Windows\System\MaIHznc.exe
  2⤵
  PID:9252
- C:\Windows\System\dUQmFnB.exe
  C:\Windows\System\dUQmFnB.exe
  2⤵
  PID:9280
- C:\Windows\System\ghhlvGY.exe
  C:\Windows\System\ghhlvGY.exe
  2⤵
  PID:9308
- C:\Windows\System\hhXhuFj.exe
  C:\Windows\System\hhXhuFj.exe
  2⤵
  PID:9336
- C:\Windows\System\IbXDwNA.exe
  C:\Windows\System\IbXDwNA.exe
  2⤵
  PID:9356
- C:\Windows\System\ENoQRjO.exe
  C:\Windows\System\ENoQRjO.exe
  2⤵
  PID:9388
- C:\Windows\System\LHXewmt.exe
  C:\Windows\System\LHXewmt.exe
  2⤵
  PID:9412
- C:\Windows\System\REmxgDH.exe
  C:\Windows\System\REmxgDH.exe
  2⤵
  PID:9448
- C:\Windows\System\uzSDiMv.exe
  C:\Windows\System\uzSDiMv.exe
  2⤵
  PID:9492
- C:\Windows\System\zISiOcW.exe
  C:\Windows\System\zISiOcW.exe
  2⤵
  PID:9520
- C:\Windows\System\TpZAZKa.exe
  C:\Windows\System\TpZAZKa.exe
  2⤵
  PID:9548
- C:\Windows\System\pwEbZcU.exe
  C:\Windows\System\pwEbZcU.exe
  2⤵
  PID:9576
- C:\Windows\System\abeIOtK.exe
  C:\Windows\System\abeIOtK.exe
  2⤵
  PID:9592
- C:\Windows\System\pKqqNKN.exe
  C:\Windows\System\pKqqNKN.exe
  2⤵
  PID:9624
- C:\Windows\System\HDVoNQB.exe
  C:\Windows\System\HDVoNQB.exe
  2⤵
  PID:9664
- C:\Windows\System\wNgIeWO.exe
  C:\Windows\System\wNgIeWO.exe
  2⤵
  PID:9692
- C:\Windows\System\kxPPWTI.exe
  C:\Windows\System\kxPPWTI.exe
  2⤵
  PID:9720
- C:\Windows\System\PwvteSW.exe
  C:\Windows\System\PwvteSW.exe
  2⤵
  PID:9748
- C:\Windows\System\HcXtvks.exe
  C:\Windows\System\HcXtvks.exe
  2⤵
  PID:9776
- C:\Windows\System\beWWQwB.exe
  C:\Windows\System\beWWQwB.exe
  2⤵
  PID:9804
- C:\Windows\System\pHvUPGm.exe
  C:\Windows\System\pHvUPGm.exe
  2⤵
  PID:9824
- C:\Windows\System\idZgBmp.exe
  C:\Windows\System\idZgBmp.exe
  2⤵
  PID:9860
- C:\Windows\System\cOaCRab.exe
  C:\Windows\System\cOaCRab.exe
  2⤵
  PID:9888
- C:\Windows\System\pyxVbmP.exe
  C:\Windows\System\pyxVbmP.exe
  2⤵
  PID:9916
- C:\Windows\System\pvNNrNp.exe
  C:\Windows\System\pvNNrNp.exe
  2⤵
  PID:9944
- C:\Windows\System\zKikmDj.exe
  C:\Windows\System\zKikmDj.exe
  2⤵
  PID:9972
- C:\Windows\System\yaCbOJu.exe
  C:\Windows\System\yaCbOJu.exe
  2⤵
  PID:9992
- C:\Windows\System\yubYeXT.exe
  C:\Windows\System\yubYeXT.exe
  2⤵
  PID:10028
- C:\Windows\System\UFTxcBV.exe
  C:\Windows\System\UFTxcBV.exe
  2⤵
  PID:10056
- C:\Windows\System\gMindfm.exe
  C:\Windows\System\gMindfm.exe
  2⤵
  PID:10076
- C:\Windows\System\sECHoEg.exe
  C:\Windows\System\sECHoEg.exe
  2⤵
  PID:10116
- C:\Windows\System\bsjJKzj.exe
  C:\Windows\System\bsjJKzj.exe
  2⤵
  PID:10132
- C:\Windows\System\nvmdxWn.exe
  C:\Windows\System\nvmdxWn.exe
  2⤵
  PID:10160
- C:\Windows\System\LKRxxSa.exe
  C:\Windows\System\LKRxxSa.exe
  2⤵
  PID:10200
- C:\Windows\System\NYJdADY.exe
  C:\Windows\System\NYJdADY.exe
  2⤵
  PID:10232
- C:\Windows\System\EzHqVSE.exe
  C:\Windows\System\EzHqVSE.exe
  2⤵
  PID:9248
- C:\Windows\System\PsuGQNp.exe
  C:\Windows\System\PsuGQNp.exe
  2⤵
  PID:9320
- C:\Windows\System\qmUwOoV.exe
  C:\Windows\System\qmUwOoV.exe
  2⤵
  PID:9364
- C:\Windows\System\VIAbOdm.exe
  C:\Windows\System\VIAbOdm.exe
  2⤵
  PID:9428
- C:\Windows\System\DbsBHjg.exe
  C:\Windows\System\DbsBHjg.exe
  2⤵
  PID:9508
- C:\Windows\System\fjBcSfM.exe
  C:\Windows\System\fjBcSfM.exe
  2⤵
  PID:9560
- C:\Windows\System\NAgpEYb.exe
  C:\Windows\System\NAgpEYb.exe
  2⤵
  PID:9648
- C:\Windows\System\SQMwGNp.exe
  C:\Windows\System\SQMwGNp.exe
  2⤵
  PID:9688
- C:\Windows\System\QnXpRbd.exe
  C:\Windows\System\QnXpRbd.exe
  2⤵
  PID:9760
- C:\Windows\System\qMDIJLQ.exe
  C:\Windows\System\qMDIJLQ.exe
  2⤵
  PID:9820
- C:\Windows\System\wMmICJI.exe
  C:\Windows\System\wMmICJI.exe
  2⤵
  PID:9908
- C:\Windows\System\SGcautF.exe
  C:\Windows\System\SGcautF.exe
  2⤵
  PID:9964
- C:\Windows\System\aqkKiMj.exe
  C:\Windows\System\aqkKiMj.exe
  2⤵
  PID:10040
- C:\Windows\System\AZAFMEQ.exe
  C:\Windows\System\AZAFMEQ.exe
  2⤵
  PID:10048
- C:\Windows\System\NEUiJqc.exe
  C:\Windows\System\NEUiJqc.exe
  2⤵
  PID:10148
- C:\Windows\System\OyaZkvM.exe
  C:\Windows\System\OyaZkvM.exe
  2⤵
  PID:8844
- C:\Windows\System\SKiCBin.exe
  C:\Windows\System\SKiCBin.exe
  2⤵
  PID:9300
- C:\Windows\System\NCuItrG.exe
  C:\Windows\System\NCuItrG.exe
  2⤵
  PID:9444
- C:\Windows\System\WIQGrwQ.exe
  C:\Windows\System\WIQGrwQ.exe
  2⤵
  PID:9572
- C:\Windows\System\nXXmwXi.exe
  C:\Windows\System\nXXmwXi.exe
  2⤵
  PID:9676
- C:\Windows\System\qCxcHlO.exe
  C:\Windows\System\qCxcHlO.exe
  2⤵
  PID:9800
- C:\Windows\System\YlseJNA.exe
  C:\Windows\System\YlseJNA.exe
  2⤵
  PID:10124
- C:\Windows\System\qTATxTt.exe
  C:\Windows\System\qTATxTt.exe
  2⤵
  PID:9272
- C:\Windows\System\OChlsYy.exe
  C:\Windows\System\OChlsYy.exe
  2⤵
  PID:9540
- C:\Windows\System\HlyzFRo.exe
  C:\Windows\System\HlyzFRo.exe
  2⤵
  PID:10096
- C:\Windows\System\qZsgwOA.exe
  C:\Windows\System\qZsgwOA.exe
  2⤵
  PID:9436
- C:\Windows\System\ncAsOro.exe
  C:\Windows\System\ncAsOro.exe
  2⤵
  PID:9348
- C:\Windows\System\rrjMYsh.exe
  C:\Windows\System\rrjMYsh.exe
  2⤵
  PID:10268
- C:\Windows\System\olrWVap.exe
  C:\Windows\System\olrWVap.exe
  2⤵
  PID:10296
- C:\Windows\System\fWsBbnG.exe
  C:\Windows\System\fWsBbnG.exe
  2⤵
  PID:10324
- C:\Windows\System\PHakFkO.exe
  C:\Windows\System\PHakFkO.exe
  2⤵
  PID:10352
- C:\Windows\System\veMCzEx.exe
  C:\Windows\System\veMCzEx.exe
  2⤵
  PID:10380
- C:\Windows\System\KhNJoIS.exe
  C:\Windows\System\KhNJoIS.exe
  2⤵
  PID:10396
- C:\Windows\System\EdyNqay.exe
  C:\Windows\System\EdyNqay.exe
  2⤵
  PID:10436
- C:\Windows\System\WruBKeB.exe
  C:\Windows\System\WruBKeB.exe
  2⤵
  PID:10464
- C:\Windows\System\btAejaH.exe
  C:\Windows\System\btAejaH.exe
  2⤵
  PID:10492
- C:\Windows\System\FjVTcUN.exe
  C:\Windows\System\FjVTcUN.exe
  2⤵
  PID:10520
- C:\Windows\System\EDwXFGc.exe
  C:\Windows\System\EDwXFGc.exe
  2⤵
  PID:10536
- C:\Windows\System\GcPGfVH.exe
  C:\Windows\System\GcPGfVH.exe
  2⤵
  PID:10564
- C:\Windows\System\GrKqbxK.exe
  C:\Windows\System\GrKqbxK.exe
  2⤵
  PID:10592
- C:\Windows\System\SpZoBrr.exe
  C:\Windows\System\SpZoBrr.exe
  2⤵
  PID:10632
- C:\Windows\System\oqcstVc.exe
  C:\Windows\System\oqcstVc.exe
  2⤵
  PID:10660
- C:\Windows\System\uXGZsia.exe
  C:\Windows\System\uXGZsia.exe
  2⤵
  PID:10676
- C:\Windows\System\RWRTeJn.exe
  C:\Windows\System\RWRTeJn.exe
  2⤵
  PID:10716
- C:\Windows\System\OLWZHlX.exe
  C:\Windows\System\OLWZHlX.exe
  2⤵
  PID:10732
- C:\Windows\System\AdzTeds.exe
  C:\Windows\System\AdzTeds.exe
  2⤵
  PID:10772
- C:\Windows\System\vmqIXfy.exe
  C:\Windows\System\vmqIXfy.exe
  2⤵
  PID:10800
- C:\Windows\System\HtxsurP.exe
  C:\Windows\System\HtxsurP.exe
  2⤵
  PID:10828
- C:\Windows\System\IxXazvh.exe
  C:\Windows\System\IxXazvh.exe
  2⤵
  PID:10856
- C:\Windows\System\qHBiVCv.exe
  C:\Windows\System\qHBiVCv.exe
  2⤵
  PID:10884
- C:\Windows\System\mpYzXHP.exe
  C:\Windows\System\mpYzXHP.exe
  2⤵
  PID:10912
- C:\Windows\System\QGdycYL.exe
  C:\Windows\System\QGdycYL.exe
  2⤵
  PID:10940
- C:\Windows\System\UBRfgHT.exe
  C:\Windows\System\UBRfgHT.exe
  2⤵
  PID:10968
- C:\Windows\System\blhetLT.exe
  C:\Windows\System\blhetLT.exe
  2⤵
  PID:10996
- C:\Windows\System\qGNJOJJ.exe
  C:\Windows\System\qGNJOJJ.exe
  2⤵
  PID:11024
- C:\Windows\System\atAzJFt.exe
  C:\Windows\System\atAzJFt.exe
  2⤵
  PID:11052
- C:\Windows\System\ipRsUFN.exe
  C:\Windows\System\ipRsUFN.exe
  2⤵
  PID:11068
- C:\Windows\System\nqYAyoJ.exe
  C:\Windows\System\nqYAyoJ.exe
  2⤵
  PID:11096
- C:\Windows\System\DAchKaj.exe
  C:\Windows\System\DAchKaj.exe
  2⤵
  PID:11136
- C:\Windows\System\seCFxXx.exe
  C:\Windows\System\seCFxXx.exe
  2⤵
  PID:11164
- C:\Windows\System\GNxaoEb.exe
  C:\Windows\System\GNxaoEb.exe
  2⤵
  PID:11180
- C:\Windows\System\ixTMHmP.exe
  C:\Windows\System\ixTMHmP.exe
  2⤵
  PID:11208
- C:\Windows\System\wuLuGdQ.exe
  C:\Windows\System\wuLuGdQ.exe
  2⤵
  PID:11248
- C:\Windows\System\JbxjZJH.exe
  C:\Windows\System\JbxjZJH.exe
  2⤵
  PID:10264
- C:\Windows\System\sXsFWzb.exe
  C:\Windows\System\sXsFWzb.exe
  2⤵
  PID:10308
- C:\Windows\System\gJOKkSu.exe
  C:\Windows\System\gJOKkSu.exe
  2⤵
  PID:10392
- C:\Windows\System\mMEoCtj.exe
  C:\Windows\System\mMEoCtj.exe
  2⤵
  PID:10456
- C:\Windows\System\sjxvWcJ.exe
  C:\Windows\System\sjxvWcJ.exe
  2⤵
  PID:10528
- C:\Windows\System\mEvWYuy.exe
  C:\Windows\System\mEvWYuy.exe
  2⤵
  PID:10580
- C:\Windows\System\bHOnMSR.exe
  C:\Windows\System\bHOnMSR.exe
  2⤵
  PID:10644
- C:\Windows\System\uPPHgWn.exe
  C:\Windows\System\uPPHgWn.exe
  2⤵
  PID:10724
- C:\Windows\System\HzMNUBG.exe
  C:\Windows\System\HzMNUBG.exe
  2⤵
  PID:10792
- C:\Windows\System\BuluTmS.exe
  C:\Windows\System\BuluTmS.exe
  2⤵
  PID:10844
- C:\Windows\System\cMtQxuD.exe
  C:\Windows\System\cMtQxuD.exe
  2⤵
  PID:10928
- C:\Windows\System\JQWILJE.exe
  C:\Windows\System\JQWILJE.exe
  2⤵
  PID:10988
- C:\Windows\System\RJZKhCP.exe
  C:\Windows\System\RJZKhCP.exe
  2⤵
  PID:11060
- C:\Windows\System\lwUByeL.exe
  C:\Windows\System\lwUByeL.exe
  2⤵
  PID:11124
- C:\Windows\System\JMUaCxG.exe
  C:\Windows\System\JMUaCxG.exe
  2⤵
  PID:11172
- C:\Windows\System\xgOQTel.exe
  C:\Windows\System\xgOQTel.exe
  2⤵
  PID:3324
- C:\Windows\System\vMFlxRt.exe
  C:\Windows\System\vMFlxRt.exe
  2⤵
  PID:10348
- C:\Windows\System\OVGlMTb.exe
  C:\Windows\System\OVGlMTb.exe
  2⤵
  PID:10516
- C:\Windows\System\cevXVXK.exe
  C:\Windows\System\cevXVXK.exe
  2⤵
  PID:10696
- C:\Windows\System\cARkBmu.exe
  C:\Windows\System\cARkBmu.exe
  2⤵
  PID:10876
- C:\Windows\System\nYfVncn.exe
  C:\Windows\System\nYfVncn.exe
  2⤵
  PID:10964
- C:\Windows\System\USFqCBM.exe
  C:\Windows\System\USFqCBM.exe
  2⤵
  PID:10376
- C:\Windows\System\lIzBKYS.exe
  C:\Windows\System\lIzBKYS.exe
  2⤵
  PID:10448
- C:\Windows\System\bvBKfam.exe
  C:\Windows\System\bvBKfam.exe
  2⤵
  PID:4428
- C:\Windows\System\iyFkXlx.exe
  C:\Windows\System\iyFkXlx.exe
  2⤵
  PID:10336
- C:\Windows\System\zTxbYOh.exe
  C:\Windows\System\zTxbYOh.exe
  2⤵
  PID:11120
- C:\Windows\System\QgNnqfm.exe
  C:\Windows\System\QgNnqfm.exe
  2⤵
  PID:11268
- C:\Windows\System\cWSDJyQ.exe
  C:\Windows\System\cWSDJyQ.exe
  2⤵
  PID:11296
- C:\Windows\System\ANJwXHF.exe
  C:\Windows\System\ANJwXHF.exe
  2⤵
  PID:11324
- C:\Windows\System\NaXFawH.exe
  C:\Windows\System\NaXFawH.exe
  2⤵
  PID:11360
- C:\Windows\System\smuNzGY.exe
  C:\Windows\System\smuNzGY.exe
  2⤵
  PID:11388
- C:\Windows\System\roYBvik.exe
  C:\Windows\System\roYBvik.exe
  2⤵
  PID:11404
- C:\Windows\System\vvYVmlK.exe
  C:\Windows\System\vvYVmlK.exe
  2⤵
  PID:11444
- C:\Windows\System\YdqyoeN.exe
  C:\Windows\System\YdqyoeN.exe
  2⤵
  PID:11468
- C:\Windows\System\vlUfAHG.exe
  C:\Windows\System\vlUfAHG.exe
  2⤵
  PID:11504
- C:\Windows\System\EGawakT.exe
  C:\Windows\System\EGawakT.exe
  2⤵
  PID:11520
- C:\Windows\System\hiIiTHU.exe
  C:\Windows\System\hiIiTHU.exe
  2⤵
  PID:11560
- C:\Windows\System\YJQkyZE.exe
  C:\Windows\System\YJQkyZE.exe
  2⤵
  PID:11588
- C:\Windows\System\AzcteLh.exe
  C:\Windows\System\AzcteLh.exe
  2⤵
  PID:11616
- C:\Windows\System\xCoBSbD.exe
  C:\Windows\System\xCoBSbD.exe
  2⤵
  PID:11632
- C:\Windows\System\VGuRhOH.exe
  C:\Windows\System\VGuRhOH.exe
  2⤵
  PID:11672
- C:\Windows\System\DHXVMRG.exe
  C:\Windows\System\DHXVMRG.exe
  2⤵
  PID:11700
- C:\Windows\System\ZUyodOZ.exe
  C:\Windows\System\ZUyodOZ.exe
  2⤵
  PID:11728
- C:\Windows\System\zZIRyqA.exe
  C:\Windows\System\zZIRyqA.exe
  2⤵
  PID:11756
- C:\Windows\System\KRddjes.exe
  C:\Windows\System\KRddjes.exe
  2⤵
  PID:11784
- C:\Windows\System\CIwpikP.exe
  C:\Windows\System\CIwpikP.exe
  2⤵
  PID:11812
- C:\Windows\System\SqwVdUI.exe
  C:\Windows\System\SqwVdUI.exe
  2⤵
  PID:11840
- C:\Windows\System\aiZyChw.exe
  C:\Windows\System\aiZyChw.exe
  2⤵
  PID:11868
- C:\Windows\System\cqycpxq.exe
  C:\Windows\System\cqycpxq.exe
  2⤵
  PID:11900
- C:\Windows\System\LASYypd.exe
  C:\Windows\System\LASYypd.exe
  2⤵
  PID:11932
- C:\Windows\System\LGYkoyW.exe
  C:\Windows\System\LGYkoyW.exe
  2⤵
  PID:11960
- C:\Windows\System\rZkgQfp.exe
  C:\Windows\System\rZkgQfp.exe
  2⤵
  PID:11988
- C:\Windows\System\YphkPTB.exe
  C:\Windows\System\YphkPTB.exe
  2⤵
  PID:12016
- C:\Windows\System\iSVhjJW.exe
  C:\Windows\System\iSVhjJW.exe
  2⤵
  PID:12032
- C:\Windows\System\WQLURYh.exe
  C:\Windows\System\WQLURYh.exe
  2⤵
  PID:12072
- C:\Windows\System\ddkWAYs.exe
  C:\Windows\System\ddkWAYs.exe
  2⤵
  PID:12096
- C:\Windows\System\YJoQDTB.exe
  C:\Windows\System\YJoQDTB.exe
  2⤵
  PID:12128
- C:\Windows\System\vFOhwRc.exe
  C:\Windows\System\vFOhwRc.exe
  2⤵
  PID:12148
- C:\Windows\System\NqFbNXr.exe
  C:\Windows\System\NqFbNXr.exe
  2⤵
  PID:12192
- C:\Windows\System\EYLBapV.exe
  C:\Windows\System\EYLBapV.exe
  2⤵
  PID:12224
- C:\Windows\System\zvFPWzc.exe
  C:\Windows\System\zvFPWzc.exe
  2⤵
  PID:12260
- C:\Windows\System\YszLviZ.exe
  C:\Windows\System\YszLviZ.exe
  2⤵
  PID:10648
- C:\Windows\System\HgmJcID.exe
  C:\Windows\System\HgmJcID.exe
  2⤵
  PID:11292
- C:\Windows\System\EMpXkdE.exe
  C:\Windows\System\EMpXkdE.exe
  2⤵
  PID:11356
- C:\Windows\System\KqnvhVa.exe
  C:\Windows\System\KqnvhVa.exe
  2⤵
  PID:11396
- C:\Windows\System\NrblWqi.exe
  C:\Windows\System\NrblWqi.exe
  2⤵
  PID:11428
- C:\Windows\System\pwvxmYK.exe
  C:\Windows\System\pwvxmYK.exe
  2⤵
  PID:11512
- C:\Windows\System\YfLlmIC.exe
  C:\Windows\System\YfLlmIC.exe
  2⤵
  PID:11604
- C:\Windows\System\TiNzrDf.exe
  C:\Windows\System\TiNzrDf.exe
  2⤵
  PID:3884
- C:\Windows\System\hnXrOer.exe
  C:\Windows\System\hnXrOer.exe
  2⤵
  PID:11768
- C:\Windows\System\tzRopQP.exe
  C:\Windows\System\tzRopQP.exe
  2⤵
  PID:11804
- C:\Windows\System\eJeQKwK.exe
  C:\Windows\System\eJeQKwK.exe
  2⤵
  PID:11864
- C:\Windows\System\xOrrJva.exe
  C:\Windows\System\xOrrJva.exe
  2⤵
  PID:11976
- C:\Windows\System\rShljrq.exe
  C:\Windows\System\rShljrq.exe
  2⤵
  PID:12092
- C:\Windows\System\xDfwplJ.exe
  C:\Windows\System\xDfwplJ.exe
  2⤵
  PID:12172
- C:\Windows\System\Dwplqko.exe
  C:\Windows\System\Dwplqko.exe
  2⤵
  PID:12244
- C:\Windows\System\LTjmxzD.exe
  C:\Windows\System\LTjmxzD.exe
  2⤵
  PID:3744
- C:\Windows\System\zYcnTmS.exe
  C:\Windows\System\zYcnTmS.exe
  2⤵
  PID:8
- C:\Windows\System\nTagHQQ.exe
  C:\Windows\System\nTagHQQ.exe
  2⤵
  PID:4656
- C:\Windows\System\wiBljCg.exe
  C:\Windows\System\wiBljCg.exe
  2⤵
  PID:11740
- C:\Windows\System\dMnmRiC.exe
  C:\Windows\System\dMnmRiC.exe
  2⤵
  PID:11780
- C:\Windows\System\nZMeTJn.exe
  C:\Windows\System\nZMeTJn.exe
  2⤵
  PID:12028
- C:\Windows\System\HogPzbg.exe
  C:\Windows\System\HogPzbg.exe
  2⤵
  PID:12236
- C:\Windows\System\EohUxDv.exe
  C:\Windows\System\EohUxDv.exe
  2⤵
  PID:11420
- C:\Windows\System\WIPzTiF.exe
  C:\Windows\System\WIPzTiF.exe
  2⤵
  PID:11572
- C:\Windows\System\hFVgpBs.exe
  C:\Windows\System\hFVgpBs.exe
  2⤵
  PID:1184
- C:\Windows\System\ffdvKSI.exe
  C:\Windows\System\ffdvKSI.exe
  2⤵
  PID:12304
- C:\Windows\System\HlitXxF.exe
  C:\Windows\System\HlitXxF.exe
  2⤵
  PID:12340
- C:\Windows\System\qKEkxRl.exe
  C:\Windows\System\qKEkxRl.exe
  2⤵
  PID:12360
- C:\Windows\System\RNHFmWC.exe
  C:\Windows\System\RNHFmWC.exe
  2⤵
  PID:12404
- C:\Windows\System\WMGpHcJ.exe
  C:\Windows\System\WMGpHcJ.exe
  2⤵
  PID:12424
- C:\Windows\System\RpzgPrw.exe
  C:\Windows\System\RpzgPrw.exe
  2⤵
  PID:12476
- C:\Windows\System\sejAbcf.exe
  C:\Windows\System\sejAbcf.exe
  2⤵
  PID:12492
- C:\Windows\System\lkPjPXF.exe
  C:\Windows\System\lkPjPXF.exe
  2⤵
  PID:12528
- C:\Windows\System\JPWzdgO.exe
  C:\Windows\System\JPWzdgO.exe
  2⤵
  PID:12560
- C:\Windows\System\jHilhkZ.exe
  C:\Windows\System\jHilhkZ.exe
  2⤵
  PID:12576
- C:\Windows\System\gkXBksf.exe
  C:\Windows\System\gkXBksf.exe
  2⤵
  PID:12600
- C:\Windows\System\Xxomjmw.exe
  C:\Windows\System\Xxomjmw.exe
  2⤵
  PID:12616
- C:\Windows\System\OQPoIMR.exe
  C:\Windows\System\OQPoIMR.exe
  2⤵
  PID:12644
- C:\Windows\System\kNAoOti.exe
  C:\Windows\System\kNAoOti.exe
  2⤵
  PID:12660
- C:\Windows\System\zytVFFS.exe
  C:\Windows\System\zytVFFS.exe
  2⤵
  PID:12728
- C:\Windows\System\WdnYAUO.exe
  C:\Windows\System\WdnYAUO.exe
  2⤵
  PID:12768
- C:\Windows\System\IrOxfuS.exe
  C:\Windows\System\IrOxfuS.exe
  2⤵
  PID:12788
- C:\Windows\System\zPlwKlI.exe
  C:\Windows\System\zPlwKlI.exe
  2⤵
  PID:12816
- C:\Windows\System\SVbCFxQ.exe
  C:\Windows\System\SVbCFxQ.exe
  2⤵
  PID:12848
- C:\Windows\System\iRQtWJw.exe
  C:\Windows\System\iRQtWJw.exe
  2⤵
  PID:12884
- C:\Windows\System\ShsHaPk.exe
  C:\Windows\System\ShsHaPk.exe
  2⤵
  PID:12904
- C:\Windows\System\ukcIkcu.exe
  C:\Windows\System\ukcIkcu.exe
  2⤵
  PID:12944
- C:\Windows\System\uyFqmjX.exe
  C:\Windows\System\uyFqmjX.exe
  2⤵
  PID:12972
- C:\Windows\System\qTeuqXd.exe
  C:\Windows\System\qTeuqXd.exe
  2⤵
  PID:13000
- C:\Windows\System\FjbQzvY.exe
  C:\Windows\System\FjbQzvY.exe
  2⤵
  PID:13024
- C:\Windows\System\JdUDioZ.exe
  C:\Windows\System\JdUDioZ.exe
  2⤵
  PID:13056
- C:\Windows\System\vzYOLVN.exe
  C:\Windows\System\vzYOLVN.exe
  2⤵
  PID:13092
- C:\Windows\System\isrTNtK.exe
  C:\Windows\System\isrTNtK.exe
  2⤵
  PID:13120
- C:\Windows\System\bbbVIrD.exe
  C:\Windows\System\bbbVIrD.exe
  2⤵
  PID:13144

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2rxbf2e.ahl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CPnBjRq.exe

Filesize
2.7MB

MD5
f45f07ae60854f71dd78849777f6e256

SHA1
57698f9a734ac5b789314e03e7cc82c243f98ed7

SHA256
2e0a4eb7d6357251df8a887538e89f48c4710378f6544737a2f824229cdb9353

SHA512
e10e04f216b8af2cd92fe53703289702782061383f2ae170202ff5b6898482be4340b24024f13abd8f51e9de3d3c120a7d2a804440138c8e95a7d30d9b089607

Download Submit
C:\Windows\System\EWFtDrm.exe

Filesize
2.7MB

MD5
caed676ebbba91dba97f0bbed1a47bde

SHA1
12f3a86f3789ceeaf5e0d41814b7e5b99df60d82

SHA256
da0111be7662eb634e4bcf3c34a4d5034f4c5c5f94e796c9a2324cd28eea4762

SHA512
15964ddbf4d4ca438e8f51c176bff542fe1233f0e218fbd1adab9db018520c7d8ba58f460163cabf0d487ad11f762345139f3338bd6dd5492e4cc4129564b976

Download Submit
C:\Windows\System\FkOKAFz.exe

Filesize
2.7MB

MD5
2991e6ff08975597cddb15ee9aa738d6

SHA1
261f87a67f66e0197f77048b702ae767adb9c19c

SHA256
0767580ae92403944811475927a87efb269324cd50fd8cea3b26f7fda7cc6ff7

SHA512
89a17e30b1f06e89fb95baeede498dab828269155486bd84c530c63b720af19113806a64a0bf9f84cb8bb8dc1b7939d82b8ef8395c2cdabf1462df6e2bd4c3a0

Download Submit
C:\Windows\System\FuFxDXH.exe

Filesize
2.7MB

MD5
9dfe37d2ff0c8e62ae077529d95ca6f9

SHA1
c6b9df1bbef6d49968cf8bce5b7851eec696764d

SHA256
c236bc3803be0ce1cb8d83b8f6f47903702e13a41a4f693dc644b94d3219d93f

SHA512
a0537e19a5f331e535d0a810b564ee4135e6d76854a8462476050593eddc10d58838d17742697b4ef74db57d508339f3043576b039e9a5dc621cc3673e7356ed

Download Submit
C:\Windows\System\JRZqMWd.exe

Filesize
2.7MB

MD5
45168d27bdfb026a20187eae9618a396

SHA1
d1972897082da43b7ba678bc62b893cc9d58a01a

SHA256
bd5c1015c6614e890d76e8887c453d7436783382af3ea8bbf0a377b14355dc54

SHA512
321987d7f2da7638265d1568b449c6775b18bc297539dfefb762076308bec06cc08ceba5c753364060940b487edbe31aa98feb30ffa219d7c2a6fc5d8ac3d2b0

Download Submit
C:\Windows\System\KXfWUEw.exe

Filesize
2.7MB

MD5
adc764f35ad2daaba3831a751dccf778

SHA1
c583d212248e003069f76bba519ed435f7e59831

SHA256
ac0c05c4a9587ecec9ebf8a9fa207a93bb7d1214684135b20c4dcf5d4a55b736

SHA512
39411c5ef891ed8df51b0ab477afd9ce17922c8188e8c93364280dc72312acfa667c62a6118c16ff89d91f1bac6b67e2992a9ea6ced6d3bdb9abd34f410edf19

Download Submit
C:\Windows\System\KnHKXec.exe

Filesize
2.7MB

MD5
2b9ecc488c0a6591297528d00ab5f017

SHA1
992f0c8ac8939fa711f3f46ee6e8d9dd602bb8c5

SHA256
b9390d5bd9d818df8e54663a2f7dcb8ea819e370d9b6451970fdc3cd227082a5

SHA512
0cc32a3ce0ecf1d0a39f0ebe1fbd47d6cbed42ba1ab4d396aff595b809a7af65fc9c715e6e1278d07771f3fee93d8b15000f5d108d50897a8297a89e5f819186

Download Submit
C:\Windows\System\LOkQstx.exe

Filesize
2.7MB

MD5
d96b2ba069a46d7fe7bcefa459fe7754

SHA1
afed5fd9d7d4fc8a8bea51dd9ca1a32eeab50b50

SHA256
4c4091a341e25ce682a77ce81ece6cc857a70b888bd81d6b7a38126abadb1185

SHA512
9edc86e89797d00c753f448032ac88f44965c4d75dc23ef7874dd931151770891aedda13224215203fec734176359f183d1e14719a2801780b696d500146f640

Download Submit
C:\Windows\System\LetrfTM.exe

Filesize
2.7MB

MD5
b64e639307219d2d5270e195f1aa5f0c

SHA1
6b5d9756968ab251b5182695618de2dd665b30f9

SHA256
b3665ef5199cb934f1a55dd2be3839eccb73cb7b5cc311cace745f70f71457bf

SHA512
a0dc566939f07b8baf60d544dff91ccb8cb199214b71d4e3877655406bfe57f455d61d61bf028dca667a6ee2fb9ee3720d8693ca7a448269101d14636c025116

Download Submit
C:\Windows\System\NEgtiYt.exe

Filesize
2.7MB

MD5
87c188608d62a858270c28d49eb72f1e

SHA1
219e2e5fed28e56006f6dfbe806b8af582775dcb

SHA256
23cb3f45eac1175e3abd098acb662433525037efd738d8140e68a2e86b317146

SHA512
e0a1a76a7a14157bc8529e690b641f45379fcc5405ee581c80e66a9d251e77803c2e2efd6876f7536e143744e4572763a15ca53ead4aa47e1267c5e159f8332c

Download Submit
C:\Windows\System\NoeXYor.exe

Filesize
2.7MB

MD5
b25de8392131085e7c1630ea13e951ff

SHA1
c3146b556a4f949385d116c5b446ea8320a888e7

SHA256
500d68f8e5dfea852f3aa05e0afc6fffbb3c6d1a1c44f77ba71e2b9e9f19e11c

SHA512
40f229adcaa31c1df6f9acf69e3196d243f9b563281266759cab2ccea95ad032daec6f9ccbc0743109a1f76f82ba448b070b78f9b92ac387d4357766478913b4

Download Submit
C:\Windows\System\RmPjzKt.exe

Filesize
2.7MB

MD5
61c4a02dad2b62d8415154f0027fd932

SHA1
87c619e0fb67106426ff73de1def7947b91f5657

SHA256
4b423ae4a0683a0b8abdefb198040ee02ef366c2b32e9339d3c210e21a74edd2

SHA512
ff0b5bf4999e255d03e273f0fdc59212f8c29d95507e52b60f11b3d55184b4e0eee55834b451839ae16f9cd1d0cbb454f3cb5edd3e8a486c27bf9f4f5e78069c

Download Submit
C:\Windows\System\TzdKhhc.exe

Filesize
2.7MB

MD5
d0a4b4e7914d3f3787fc2014df854b54

SHA1
9339f797789fabd747172319e2a0c7a843aedab5

SHA256
31babdf8e90b8a6b504922b64d54162c6fa75b4f63f04d483c2064b563286cda

SHA512
f10e8e52df54d8f0f9aa1a9c2d53ad75763184fd7a60ed05a4b929b527011763235f61d3ac43e1f3e44e5443762873b7f2b42c53487fdc9f264fc4a126862d15

Download Submit
C:\Windows\System\VXnToaA.exe

Filesize
2.7MB

MD5
2fefe9cd4d8183cc398fdfcbba76e241

SHA1
b67c9e7697ab4e4b69d3d130f16ecf150a80cfa6

SHA256
1840410698870a39450db8eb765c16b04830ae0f4067578e262fc2f277556594

SHA512
cffe873a1989c964a675493e55e53750d5594d45634e1edc13834a027a8ee55ead689ee2c031a180040541286cb532b04f46f19e4e969d0aabc6f2a85ed73133

Download Submit
C:\Windows\System\XXjDELX.exe

Filesize
2.7MB

MD5
e0ef4261f334fa50f2a5cd3de324f1a1

SHA1
34dcd3221c10be7196e49a34f0220f79ff150bb3

SHA256
cba23009ebb974a77a6479e0a4c1042b47c2b7080e2a4c7d311537deedc68ba5

SHA512
dce8ca0bffd8b71780416d19e8e17fcb97ea92d37603059acd72635740ec64f746541ad82a20bc459ff29ae3c4b82a9cca442d7a8f521a16f07336d3b4e03782

Download Submit
C:\Windows\System\aVCaRVg.exe

Filesize
2.7MB

MD5
096094dc71d096232300ceb4a4b199ec

SHA1
a502cf41d723a14a3c3d4ab39057ce57493ce755

SHA256
f97b32488bd8cf95d1fc32ed8dc817bf07153457ec402098ab53ad7b317f5acb

SHA512
29d2601171b2552eebe9b8d4c5ce9d45fdfff6d92e636a38ed8e50bfb8c1b6ffe6e94cadd0e6a0b610cc818955dc72c97fa80aec531dfbdbb0411aed5db56176

Download Submit
C:\Windows\System\aecuSLS.exe

Filesize
2.7MB

MD5
6e3048945ea3ffc3f10ac097d7c693fc

SHA1
12092d39b175b35598ca217ca48eaa8511296301

SHA256
5981c801e0ade872a7e71eab6803457340151d943e6e6f7dce3c204033227438

SHA512
cffd250e6c46f414194e9f71b602cc5fb5131a4725b6b7e51e2a23e798982f0220de48db9b18ca8f40c981aa137981e01b01b6ada297c441f0b1dc3fa67df1ac

Download Submit
C:\Windows\System\bJcNwnL.exe

Filesize
2.7MB

MD5
9e62aa57d6df45de94297fb10ac8b978

SHA1
83ba1155d830c03fa88f94782fd8d4a975be7183

SHA256
9ca1b810558b94f677909dad45422825cd409107bee03950b490ef31d4b22477

SHA512
f6a0de9fdb89f10f7b642f14442e8acc35bd3c6410cf791e835c4a66f9e08650bbd3c525f123252347790755f89e6f1a50945a0f3256f02f96de2772dea52dea

Download Submit
C:\Windows\System\bcKRCJW.exe

Filesize
8B

MD5
f249cce64f1edf5dc7bee5be6e2d5ad9

SHA1
0d569e38ec2ee4118bd367894784a63582261e47

SHA256
c376b4c1019dfb02d31ea3137efb150405ef95ba0305dcf5e026248ffc8d7cc2

SHA512
fdeb5b006eba899c911e624dadfb6c7b2eb030236757e187df8ba8d194a5a42df30b590d0fcf3f859b2532e60fc00c33154f75c1e6481913447ff2fa15b08be2

Download Submit
C:\Windows\System\dPyXunB.exe

Filesize
2.7MB

MD5
4c9b485f73d8544de3cdcdac1ba0f9f5

SHA1
1ac64f4f643e6125ff0b9723c76c4f342040a68f

SHA256
0fe24d5c0db1db11390fb92562375af27f1157fa374e2fb7d3a1dbe2e3bef06b

SHA512
9e2e8b526f73d6189e3309b0f7fc9ad3115329de8f26ad0261cbd13585e356a5893b926a35a084e158cf72ba443acdfe6f77a58defd83ae93d114008ca53b4be

Download Submit
C:\Windows\System\gABtTls.exe

Filesize
2.7MB

MD5
6809b9584e0049396048e1d27999ddf5

SHA1
abe99d9e75ec3f2fc012829ee312c4323b876c69

SHA256
f20ae3300e63c32039de84adc1439906c5c3afd0397c721325ed93d92783f217

SHA512
da050aaf34de81160f885b7ead4eb9aa89d6c0356b66b7064afc8ce0948596fe95d55c6cd9c3068d38367a641bcba6bd9a0e5e0a5bb7f5ea5b620cd4efc66679

Download Submit
C:\Windows\System\gcYZxVt.exe

Filesize
2.7MB

MD5
304d0a53a64ba5bd745741eb2e49e945

SHA1
7f98631276e0f6d55cf6d929802bac492830ed57

SHA256
334330b58082580dc0f31d870a8b15406435c7aec503bbb153f3b52755fe076f

SHA512
7a54d600d312f7ec9d88386998323bc394c2e41f795806059808faa34aeafe2ad8217c33a3cc50226444a0fe5400350966fd1a2e959292504b38e70dcfbb7bc3

Download Submit
C:\Windows\System\jDYfIZA.exe

Filesize
2.7MB

MD5
5fae04caf9cf487af8f69f1c6f1e4e4a

SHA1
ac50e21d181eb0349167124ed11a293d51035c4f

SHA256
3afca3f22302c8fd15a0e3a87619d2cde6a7117a6356057202004e4f5884a168

SHA512
e4b672999b7099d24b88e50f0b2d85840ee54bbdfa2d91cb84dfe4cdb6baa41aec9dacc80c514cd75923ca84cd59e424d30ba5cdbfb79ea30b5a8ef3ac3f15f3

Download Submit
C:\Windows\System\jVgfdOn.exe

Filesize
2.7MB

MD5
052dcf404edbff0d57392b057e5dfa9e

SHA1
bfb359ab8b86fe31dfaf68afa1e07f1d580aa35b

SHA256
bee80945157667a132c0125f7231875c2a637b2e3faed0f2c68c7e4b4e04b3f3

SHA512
a5b2617fde069aa3014ecc54a882bd7a6c135419f0cf81fcff7fa5d9b0b417d7be56b244882fccb0bc3b73e29fa5cc942bed28183eaff4aec8bbc3700c758505

Download Submit
C:\Windows\System\juIiywe.exe

Filesize
2.7MB

MD5
da80a0aa058bb0c08dc7306dc3a2c904

SHA1
83d7480eb0baac93a2c58eef41e2797f5e980d60

SHA256
4135421be33e8872e10bd3fe31ba6791be9a3123fdb057b5ee27c23f42cde652

SHA512
5fe384f602b3f382167f4db87864fc0faeb966910e08ac1d9ed2d309585c2dfd3071fd451e14c8f575cdfb3c9b413f61e8e1637ba967715e02b2df2b85fa5bfe

Download Submit
C:\Windows\System\mrNjbhM.exe

Filesize
2.7MB

MD5
09c29df03ba74be0794cee0f7db1b050

SHA1
23fff97af005e5ea500bac5afb2772f92b632a0d

SHA256
ef15a2a2b2aafadc87155e86338d13cd5faed3244c2b8a658d93c61444684d09

SHA512
ffad44040f5483a34f268f411e23aab19890a03b8b66a88d9589b6c8ab271874b4edf3ce6f4ae11efbfd25e351563ab5bf8fcf26024609d33442c51930a65fa7

Download Submit
C:\Windows\System\odQvQwL.exe

Filesize
2.7MB

MD5
fe8e74f8bccb4cf2e8258550051f77ce

SHA1
b6d76005b811de56d4e4e46c75d520c8e8bda16a

SHA256
107d70516297dc56f0b8ab7fd0766c585b4a21f7f2e51d85ab2d5240a893bccb

SHA512
4fc83895691d9659af4394a6f21fefa8b53d6cece8f5d57d6c44c7703652c774f7b957491804ca2bdcde10f1d31b6af978e4df7a629e15148e4c9794cfe009d0

Download Submit
C:\Windows\System\pnGCscc.exe

Filesize
2.7MB

MD5
06e4b1a4a91837ca006c1e010aaba8dd

SHA1
75ce8af8b04f01ccfa0a1f4339985965ef3bff05

SHA256
56054a801ace19400b0b655706dbf8113e6a641da210e03e6fc2ac153736200f

SHA512
1b14966c582e812fc5bda585674a25582029e33150c8455d30114264664c61b8446392842c8e94bca15ec771a5c743177703309aa1872c6016f682131e04bea2

Download Submit
C:\Windows\System\sPyXjRN.exe

Filesize
2.7MB

MD5
e08490f735c253bd63268026df1fbd12

SHA1
fae6b82f0c6c62b7a46d9bd6590e7d41b2e02934

SHA256
3395e8dac1338dbd690f7327feeb03f8bc83fc3f8a271193bf6d8406be7b915e

SHA512
03ec7d73b1cc3e756d4315dfc6c8999ac779d24660ccd8ee75fbc66adbad897376fdd3a8741cbd21df58e3493833245ac9f3c87389b8f729e8e0f69046e13fe2

Download Submit
C:\Windows\System\tjezIjp.exe

Filesize
2.7MB

MD5
f3a2242eb00638bd43878920c51519a6

SHA1
eebd0e2862d2737daf6bca54d749f0d7b69061ff

SHA256
33920855e39f7a6b649c05410a4748fb1aca158c8c8597762875a0638f74528d

SHA512
c402b0e3ca4b5194a7893b9618752266ac78559288de076e48d23221fde57c682d74aa68b9f1e0a9664e0f823b10cdeb083df0548c0e26b697332cd67645def8

Download Submit
C:\Windows\System\vQCcVpL.exe

Filesize
2.7MB

MD5
216bffcf828d4c209eff2baf67451300

SHA1
f6fe2ac8b3afdf2dd0f66c12ecf859e18998ba79

SHA256
87f487f2360bb7d23c9d1e0b8cbb4276cfc4310977a726dfdcff00fc6caa140e

SHA512
72498bbd163f7c6a634e54787535ad5a485b8ac0444f2fe40606611962817f2f9c84ae1dc3c3ea09677f5b185138b70374f43af8eba7c85b2c1e47876e0caa8a

Download Submit
C:\Windows\System\wbsCNFV.exe

Filesize
2.7MB

MD5
78fbfdfa0a830768ec30b911419fe185

SHA1
4bfae18b4d78bc1130f652d46a2013c61e23fbe0

SHA256
6e6458599f110a8398d74103878117965bfff47f85d91c809a76b0c7af3e292e

SHA512
b0610fb9b26085de14e89f533d8abb92427a7ea5c94da2199a5cdc962fc08b0ab8bda0a14ad8d064d34a5eec00431a510a2a3d91727f636c08d5f13609175a25

Download Submit
C:\Windows\System\xcQassG.exe

Filesize
2.7MB

MD5
e51f41bc10f06ba81070c24ce49caf08

SHA1
55307d6e4c052f00251568cc7b2f9a10758ff7ad

SHA256
ee252537cfe378ee3c4d5301642facf1dcd4b42ecd2cab328552c594473f0afe

SHA512
ce8d0a73137c0a3757f86e1ebe432e0fa931ab6c958701a9d3fee4343979493a563b082cd18605a89cc8764451b3532dd166b1fc2576f6b5c56f47909e40a841

Download Submit
C:\Windows\System\yypWOFS.exe

Filesize
2.7MB

MD5
c36b97860b1524dac530f088d222afaf

SHA1
705fb036dd64c492ea6423c80a18d47b68b4e8ee

SHA256
795d860af4e08757df0afc2d3a290fcebc770166bc3addbfcba4175a25245c53

SHA512
7bceaa50f42acb86a0ea96d390d7174ec1b678a86ba3e9621c52d98ac90b3b2b609e2c857c9e92504452e8378c271c775da5dab37bab1f0d4e0e2b652bd8f894

Download Submit
memory/540-121-0x00007FF7309E0000-0x00007FF730DD6000-memory.dmp

Filesize
4.0MB

Download
memory/540-2194-0x00007FF7309E0000-0x00007FF730DD6000-memory.dmp

Filesize
4.0MB

Download
memory/1356-2195-0x00007FF75D5D0000-0x00007FF75D9C6000-memory.dmp

Filesize
4.0MB

Download
memory/1356-109-0x00007FF75D5D0000-0x00007FF75D9C6000-memory.dmp

Filesize
4.0MB

Download
memory/1676-91-0x00007FF721A90000-0x00007FF721E86000-memory.dmp

Filesize
4.0MB

Download
memory/1676-2199-0x00007FF721A90000-0x00007FF721E86000-memory.dmp

Filesize
4.0MB

Download
memory/1736-2191-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp

Filesize
4.0MB

Download
memory/1736-43-0x00007FF69DD50000-0x00007FF69E146000-memory.dmp

Filesize
4.0MB

Download
memory/1824-1-0x00000232B7A60000-0x00000232B7A70000-memory.dmp

Filesize
64KB

Download
memory/1824-0-0x00007FF663C30000-0x00007FF664026000-memory.dmp

Filesize
4.0MB

Download
memory/1944-103-0x00007FF701540000-0x00007FF701936000-memory.dmp

Filesize
4.0MB

Download
memory/1944-2187-0x00007FF701540000-0x00007FF701936000-memory.dmp

Filesize
4.0MB

Download
memory/2356-180-0x00007FF7E9AC0000-0x00007FF7E9EB6000-memory.dmp

Filesize
4.0MB

Download
memory/2356-2208-0x00007FF7E9AC0000-0x00007FF7E9EB6000-memory.dmp

Filesize
4.0MB

Download
memory/2536-168-0x00007FF68DF90000-0x00007FF68E386000-memory.dmp

Filesize
4.0MB

Download
memory/2536-2200-0x00007FF68DF90000-0x00007FF68E386000-memory.dmp

Filesize
4.0MB

Download
memory/2712-2175-0x00007FF699C20000-0x00007FF69A016000-memory.dmp

Filesize
4.0MB

Download
memory/2712-2202-0x00007FF699C20000-0x00007FF69A016000-memory.dmp

Filesize
4.0MB

Download
memory/2712-133-0x00007FF699C20000-0x00007FF69A016000-memory.dmp

Filesize
4.0MB

Download
memory/2880-13-0x00007FFFB0323000-0x00007FFFB0325000-memory.dmp

Filesize
8KB

Download
memory/2880-1020-0x000001777BE50000-0x000001777C5F6000-memory.dmp

Filesize
7.6MB

Download
memory/2880-2174-0x00007FFFB0320000-0x00007FFFB0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-2173-0x00007FFFB0323000-0x00007FFFB0325000-memory.dmp

Filesize
8KB

Download
memory/2880-57-0x00007FFFB0320000-0x00007FFFB0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-69-0x0000017762DC0000-0x0000017762DE2000-memory.dmp

Filesize
136KB

Download
memory/2880-40-0x00007FFFB0320000-0x00007FFFB0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-2184-0x00007FFFB0320000-0x00007FFFB0DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-145-0x00007FF7E8DB0000-0x00007FF7E91A6000-memory.dmp

Filesize
4.0MB

Download
memory/2968-2196-0x00007FF7E8DB0000-0x00007FF7E91A6000-memory.dmp

Filesize
4.0MB

Download
memory/3028-2204-0x00007FF67EAF0000-0x00007FF67EEE6000-memory.dmp

Filesize
4.0MB

Download
memory/3028-174-0x00007FF67EAF0000-0x00007FF67EEE6000-memory.dmp

Filesize
4.0MB

Download
memory/3296-151-0x00007FF7CAE10000-0x00007FF7CB206000-memory.dmp

Filesize
4.0MB

Download
memory/3296-2205-0x00007FF7CAE10000-0x00007FF7CB206000-memory.dmp

Filesize
4.0MB

Download
memory/3316-2190-0x00007FF7C35E0000-0x00007FF7C39D6000-memory.dmp

Filesize
4.0MB

Download
memory/3316-48-0x00007FF7C35E0000-0x00007FF7C39D6000-memory.dmp

Filesize
4.0MB

Download
memory/3632-2185-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp

Filesize
4.0MB

Download
memory/3632-51-0x00007FF600EF0000-0x00007FF6012E6000-memory.dmp

Filesize
4.0MB

Download
memory/3748-2189-0x00007FF7664F0000-0x00007FF7668E6000-memory.dmp

Filesize
4.0MB

Download
memory/3748-45-0x00007FF7664F0000-0x00007FF7668E6000-memory.dmp

Filesize
4.0MB

Download
memory/4136-12-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp

Filesize
4.0MB

Download
memory/4136-2172-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp

Filesize
4.0MB

Download
memory/4136-2186-0x00007FF6B91B0000-0x00007FF6B95A6000-memory.dmp

Filesize
4.0MB

Download
memory/4336-2198-0x00007FF6CF660000-0x00007FF6CFA56000-memory.dmp

Filesize
4.0MB

Download
memory/4336-115-0x00007FF6CF660000-0x00007FF6CFA56000-memory.dmp

Filesize
4.0MB

Download
memory/4532-2203-0x00007FF701B90000-0x00007FF701F86000-memory.dmp

Filesize
4.0MB

Download
memory/4532-186-0x00007FF701B90000-0x00007FF701F86000-memory.dmp

Filesize
4.0MB

Download
memory/4668-2192-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp

Filesize
4.0MB

Download
memory/4668-73-0x00007FF7B75D0000-0x00007FF7B79C6000-memory.dmp

Filesize
4.0MB

Download
memory/4692-127-0x00007FF6634F0000-0x00007FF6638E6000-memory.dmp

Filesize
4.0MB

Download
memory/4692-2197-0x00007FF6634F0000-0x00007FF6638E6000-memory.dmp

Filesize
4.0MB

Download
memory/4788-80-0x00007FF6788B0000-0x00007FF678CA6000-memory.dmp

Filesize
4.0MB

Download
memory/4788-2193-0x00007FF6788B0000-0x00007FF678CA6000-memory.dmp

Filesize
4.0MB

Download
memory/4880-97-0x00007FF697AC0000-0x00007FF697EB6000-memory.dmp

Filesize
4.0MB

Download
memory/4880-2188-0x00007FF697AC0000-0x00007FF697EB6000-memory.dmp

Filesize
4.0MB

Download
memory/5080-2206-0x00007FF65D240000-0x00007FF65D636000-memory.dmp

Filesize
4.0MB

Download
memory/5080-139-0x00007FF65D240000-0x00007FF65D636000-memory.dmp

Filesize
4.0MB

Download
memory/5084-2201-0x00007FF6A0D90000-0x00007FF6A1186000-memory.dmp

Filesize
4.0MB

Download
memory/5084-162-0x00007FF6A0D90000-0x00007FF6A1186000-memory.dmp

Filesize
4.0MB

Download
memory/5088-2207-0x00007FF6717E0000-0x00007FF671BD6000-memory.dmp

Filesize
4.0MB

Download
memory/5088-192-0x00007FF6717E0000-0x00007FF671BD6000-memory.dmp

Filesize
4.0MB

Download