xmrig | 74dfa81a243305550e3aad2a6c6b2dd50d0613d0268acabb2ffa842f68a22fe0

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8903398a431b1e207f1ccee501a474f0N.exe
Size

943KB
MD5

8903398a431b1e207f1ccee501a474f0
SHA1

4426a7276ab5b08ee53aaad9bcdce0dbf1731ac9
SHA256

74dfa81a243305550e3aad2a6c6b2dd50d0613d0268acabb2ffa842f68a22fe0
SHA512

f6110dd90370615bbfea84e72bc2ec390268e79b19b71336fcd64202076a5d638f256a6e2853093401820602fe0b822272e58a30c712cf5cad88e311620e8cbc
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmalgA:knw9oUUEEDl37jcmaln

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/2140-451-0x00007FF7A80E0000-0x00007FF7A84D1000-memory.dmp	xmrig
behavioral2/memory/720-452-0x00007FF7DE030000-0x00007FF7DE421000-memory.dmp	xmrig
behavioral2/memory/2340-464-0x00007FF7DB050000-0x00007FF7DB441000-memory.dmp	xmrig
behavioral2/memory/3596-463-0x00007FF6585C0000-0x00007FF6589B1000-memory.dmp	xmrig
behavioral2/memory/3620-466-0x00007FF722F90000-0x00007FF723381000-memory.dmp	xmrig
behavioral2/memory/3488-470-0x00007FF7AFF80000-0x00007FF7B0371000-memory.dmp	xmrig
behavioral2/memory/2676-477-0x00007FF712B60000-0x00007FF712F51000-memory.dmp	xmrig
behavioral2/memory/972-573-0x00007FF6DEC30000-0x00007FF6DF021000-memory.dmp	xmrig
behavioral2/memory/2800-574-0x00007FF6B5410000-0x00007FF6B5801000-memory.dmp	xmrig
behavioral2/memory/3508-572-0x00007FF723090000-0x00007FF723481000-memory.dmp	xmrig
behavioral2/memory/2212-475-0x00007FF66A840000-0x00007FF66AC31000-memory.dmp	xmrig
behavioral2/memory/4968-459-0x00007FF7E86F0000-0x00007FF7E8AE1000-memory.dmp	xmrig
behavioral2/memory/3212-448-0x00007FF796180000-0x00007FF796571000-memory.dmp	xmrig
behavioral2/memory/468-442-0x00007FF6C67F0000-0x00007FF6C6BE1000-memory.dmp	xmrig
behavioral2/memory/4548-57-0x00007FF786EE0000-0x00007FF7872D1000-memory.dmp	xmrig
behavioral2/memory/4700-32-0x00007FF778FB0000-0x00007FF7793A1000-memory.dmp	xmrig
behavioral2/memory/4404-11-0x00007FF6CE630000-0x00007FF6CEA21000-memory.dmp	xmrig
behavioral2/memory/2980-1819-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp	xmrig
behavioral2/memory/3668-1950-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp	xmrig
behavioral2/memory/4780-1957-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp	xmrig
behavioral2/memory/1316-1958-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp	xmrig
behavioral2/memory/4056-1959-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp	xmrig
behavioral2/memory/2076-1960-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp	xmrig
behavioral2/memory/2812-1987-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp	xmrig
behavioral2/memory/2980-1995-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp	xmrig
behavioral2/memory/2848-1997-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp	xmrig
behavioral2/memory/4404-2001-0x00007FF6CE630000-0x00007FF6CEA21000-memory.dmp	xmrig
behavioral2/memory/4780-2003-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp	xmrig
behavioral2/memory/4700-2005-0x00007FF778FB0000-0x00007FF7793A1000-memory.dmp	xmrig
behavioral2/memory/3668-2007-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp	xmrig
behavioral2/memory/1316-2009-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp	xmrig
behavioral2/memory/3596-2019-0x00007FF6585C0000-0x00007FF6589B1000-memory.dmp	xmrig
behavioral2/memory/2800-2047-0x00007FF6B5410000-0x00007FF6B5801000-memory.dmp	xmrig
behavioral2/memory/972-2050-0x00007FF6DEC30000-0x00007FF6DF021000-memory.dmp	xmrig
behavioral2/memory/2676-2041-0x00007FF712B60000-0x00007FF712F51000-memory.dmp	xmrig
behavioral2/memory/2340-2039-0x00007FF7DB050000-0x00007FF7DB441000-memory.dmp	xmrig
behavioral2/memory/2848-2035-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp	xmrig
behavioral2/memory/3508-2043-0x00007FF723090000-0x00007FF723481000-memory.dmp	xmrig
behavioral2/memory/720-2033-0x00007FF7DE030000-0x00007FF7DE421000-memory.dmp	xmrig
behavioral2/memory/3620-2031-0x00007FF722F90000-0x00007FF723381000-memory.dmp	xmrig
behavioral2/memory/3488-2029-0x00007FF7AFF80000-0x00007FF7B0371000-memory.dmp	xmrig
behavioral2/memory/2212-2037-0x00007FF66A840000-0x00007FF66AC31000-memory.dmp	xmrig
behavioral2/memory/2812-2025-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp	xmrig
behavioral2/memory/468-2023-0x00007FF6C67F0000-0x00007FF6C6BE1000-memory.dmp	xmrig
behavioral2/memory/4968-2018-0x00007FF7E86F0000-0x00007FF7E8AE1000-memory.dmp	xmrig
behavioral2/memory/2140-2015-0x00007FF7A80E0000-0x00007FF7A84D1000-memory.dmp	xmrig
behavioral2/memory/2076-2027-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp	xmrig
behavioral2/memory/4056-2013-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp	xmrig
behavioral2/memory/3212-2021-0x00007FF796180000-0x00007FF796571000-memory.dmp	xmrig
behavioral2/memory/4548-2011-0x00007FF786EE0000-0x00007FF7872D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4404	DgYlwvX.exe
3668	TBjBPwt.exe
4780	THZYTuj.exe
4700	fUMWmMU.exe
1316	oYDkkSD.exe
4056	NrybJPG.exe
2076	lCItcId.exe
4548	BODiaUj.exe
2812	qPlWIgd.exe
2848	xOpKtsq.exe
468	VveDhrO.exe
3212	msjVlYk.exe
2140	badWOjm.exe
720	uHakhMf.exe
4968	jWvgXrm.exe
3596	tPgexoS.exe
2340	HyqFknd.exe
3620	DmAWJeB.exe
3488	bleuxpi.exe
2212	UAslJmE.exe
2676	jqHfOjO.exe
3508	SBRPvQZ.exe
972	ghqVDDM.exe
2800	ENnxDLV.exe
3760	nNQLlGX.exe
1936	GZWcdAP.exe
1520	qmqmNhH.exe
1836	zwujCkk.exe
3812	gAtxeBv.exe
4108	GZfDEwh.exe
2348	UDCNkxJ.exe
3532	NAgKEnB.exe
652	OcmiqTS.exe
2628	gTUOwCm.exe
4336	eptOMdl.exe
4464	uSEPRjC.exe
3140	xQKyJtX.exe
1392	oUFoqCb.exe
2320	ObWlLix.exe
4800	pJwRbRx.exe
3632	TLLwUNY.exe
4912	MgHDjTU.exe
2260	BekvqKu.exe
924	iBDYVoI.exe
1864	PAJOZnO.exe
3460	ymzeBVG.exe
4412	AeQRBgc.exe
1416	PDYUrOP.exe
2760	IRzPxiG.exe
624	DeIKCKE.exe
3168	uTuwUIE.exe
5112	latXMVW.exe
4240	BTQVTaQ.exe
2884	jrOWEVS.exe
2692	vGyOsjW.exe
2528	fnvvAjt.exe
2984	vHxKizt.exe
5128	GzecaGK.exe
5152	kQCtdYc.exe
5180	SwpfLXx.exe
5208	HhwDyRd.exe
5240	xJYrweg.exe
5268	zqbWdhO.exe
5292	mIuslCo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2980-0-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp	upx
behavioral2/files/0x000800000002359b-5.dat	upx
behavioral2/files/0x000700000002359f-7.dat	upx
behavioral2/files/0x000800000002359e-16.dat	upx
behavioral2/files/0x00070000000235a1-25.dat	upx
behavioral2/memory/1316-35-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp	upx
behavioral2/files/0x00070000000235a4-46.dat	upx
behavioral2/files/0x00070000000235a5-44.dat	upx
behavioral2/memory/2076-52-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp	upx
behavioral2/files/0x00070000000235a6-55.dat	upx
behavioral2/files/0x00070000000235a7-69.dat	upx
behavioral2/files/0x00070000000235aa-78.dat	upx
behavioral2/files/0x00070000000235ab-89.dat	upx
behavioral2/files/0x00070000000235ae-104.dat	upx
behavioral2/files/0x00070000000235b9-159.dat	upx
behavioral2/memory/2140-451-0x00007FF7A80E0000-0x00007FF7A84D1000-memory.dmp	upx
behavioral2/memory/720-452-0x00007FF7DE030000-0x00007FF7DE421000-memory.dmp	upx
behavioral2/memory/2340-464-0x00007FF7DB050000-0x00007FF7DB441000-memory.dmp	upx
behavioral2/memory/3596-463-0x00007FF6585C0000-0x00007FF6589B1000-memory.dmp	upx
behavioral2/memory/3620-466-0x00007FF722F90000-0x00007FF723381000-memory.dmp	upx
behavioral2/memory/3488-470-0x00007FF7AFF80000-0x00007FF7B0371000-memory.dmp	upx
behavioral2/memory/2676-477-0x00007FF712B60000-0x00007FF712F51000-memory.dmp	upx
behavioral2/memory/972-573-0x00007FF6DEC30000-0x00007FF6DF021000-memory.dmp	upx
behavioral2/memory/2800-574-0x00007FF6B5410000-0x00007FF6B5801000-memory.dmp	upx
behavioral2/memory/3508-572-0x00007FF723090000-0x00007FF723481000-memory.dmp	upx
behavioral2/memory/2212-475-0x00007FF66A840000-0x00007FF66AC31000-memory.dmp	upx
behavioral2/memory/4968-459-0x00007FF7E86F0000-0x00007FF7E8AE1000-memory.dmp	upx
behavioral2/memory/3212-448-0x00007FF796180000-0x00007FF796571000-memory.dmp	upx
behavioral2/memory/468-442-0x00007FF6C67F0000-0x00007FF6C6BE1000-memory.dmp	upx
behavioral2/files/0x00070000000235bd-172.dat	upx
behavioral2/files/0x00070000000235bb-169.dat	upx
behavioral2/files/0x00070000000235bc-167.dat	upx
behavioral2/files/0x00070000000235ba-164.dat	upx
behavioral2/files/0x00070000000235b8-154.dat	upx
behavioral2/files/0x00070000000235b7-149.dat	upx
behavioral2/files/0x00070000000235b6-144.dat	upx
behavioral2/files/0x00070000000235b5-139.dat	upx
behavioral2/files/0x00070000000235b4-134.dat	upx
behavioral2/files/0x00070000000235b3-129.dat	upx
behavioral2/files/0x00070000000235b2-124.dat	upx
behavioral2/files/0x00070000000235b1-117.dat	upx
behavioral2/files/0x00070000000235b0-114.dat	upx
behavioral2/files/0x00070000000235af-109.dat	upx
behavioral2/files/0x00070000000235ad-96.dat	upx
behavioral2/files/0x00070000000235ac-94.dat	upx
behavioral2/files/0x00070000000235a9-76.dat	upx
behavioral2/files/0x00070000000235a8-71.dat	upx
behavioral2/memory/2848-61-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp	upx
behavioral2/memory/4548-57-0x00007FF786EE0000-0x00007FF7872D1000-memory.dmp	upx
behavioral2/memory/2812-54-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp	upx
behavioral2/files/0x00070000000235a2-50.dat	upx
behavioral2/files/0x00070000000235a3-48.dat	upx
behavioral2/memory/4056-36-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp	upx
behavioral2/memory/4700-32-0x00007FF778FB0000-0x00007FF7793A1000-memory.dmp	upx
behavioral2/files/0x00070000000235a0-23.dat	upx
behavioral2/memory/4780-18-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp	upx
behavioral2/memory/3668-13-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp	upx
behavioral2/memory/4404-11-0x00007FF6CE630000-0x00007FF6CEA21000-memory.dmp	upx
behavioral2/memory/2980-1819-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp	upx
behavioral2/memory/3668-1950-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp	upx
behavioral2/memory/4780-1957-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp	upx
behavioral2/memory/1316-1958-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp	upx
behavioral2/memory/4056-1959-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp	upx
behavioral2/memory/2076-1960-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\kjEHyfI.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\fUMWmMU.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\SxmtdOn.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\rKzeook.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\TQLbbID.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\urTuiEe.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\wZTKvAC.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\QKEfTEA.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\BODiaUj.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\SwpfLXx.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\KBdZEPl.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\cjDvGeq.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\gesxFHG.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\GoFcSMT.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\AeQRBgc.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\GGAqetl.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\RNKIjdD.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\szoKArV.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\TdIEaRT.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\vGFWBPX.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\QxFHEik.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\SbRJVIX.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\hFENqOz.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\WwHTehs.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\cNTWuzK.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\WIcqhbO.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\jAiVshx.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\uEcWSbf.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\DWVQAuq.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\IFiRoZQ.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\zVNjNtO.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\GzecaGK.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\zaBSoLO.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\BVVXltq.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\hNMYSvN.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\LYdSlBP.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\mIuslCo.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\ntgVzdg.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\ZUmZXes.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\FxznFEL.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\JMWmWcr.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\ldnbYaU.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\KUSmSMV.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\koKCvqP.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\ROmsGXl.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\dIfCpZU.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\teGhVBv.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\zqbWdhO.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\kzYCOuF.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\GGMALZY.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\WfGWqcY.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\pesYkqY.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\CejbXOM.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\jxAOJdM.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\KqdABRI.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\RfEKlMu.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\ENwdMaC.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\qPlWIgd.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\cVuDYVZ.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\qMUBqkM.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\vacEQMI.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\aysYElx.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\pQXVhHp.exe	8903398a431b1e207f1ccee501a474f0N.exe
File created	C:\Windows\System32\RcoBMRx.exe	8903398a431b1e207f1ccee501a474f0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	7956	dwm.exe
Token: SeChangeNotifyPrivilege	7956	dwm.exe
Token: 33	7956	dwm.exe
Token: SeIncBasePriorityPrivilege	7956	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4404	2980	8903398a431b1e207f1ccee501a474f0N.exe	91
PID 2980 wrote to memory of 4404	2980	8903398a431b1e207f1ccee501a474f0N.exe	91
PID 2980 wrote to memory of 3668	2980	8903398a431b1e207f1ccee501a474f0N.exe	92
PID 2980 wrote to memory of 3668	2980	8903398a431b1e207f1ccee501a474f0N.exe	92
PID 2980 wrote to memory of 4780	2980	8903398a431b1e207f1ccee501a474f0N.exe	93
PID 2980 wrote to memory of 4780	2980	8903398a431b1e207f1ccee501a474f0N.exe	93
PID 2980 wrote to memory of 4700	2980	8903398a431b1e207f1ccee501a474f0N.exe	94
PID 2980 wrote to memory of 4700	2980	8903398a431b1e207f1ccee501a474f0N.exe	94
PID 2980 wrote to memory of 1316	2980	8903398a431b1e207f1ccee501a474f0N.exe	95
PID 2980 wrote to memory of 1316	2980	8903398a431b1e207f1ccee501a474f0N.exe	95
PID 2980 wrote to memory of 2076	2980	8903398a431b1e207f1ccee501a474f0N.exe	96
PID 2980 wrote to memory of 2076	2980	8903398a431b1e207f1ccee501a474f0N.exe	96
PID 2980 wrote to memory of 4056	2980	8903398a431b1e207f1ccee501a474f0N.exe	97
PID 2980 wrote to memory of 4056	2980	8903398a431b1e207f1ccee501a474f0N.exe	97
PID 2980 wrote to memory of 4548	2980	8903398a431b1e207f1ccee501a474f0N.exe	98
PID 2980 wrote to memory of 4548	2980	8903398a431b1e207f1ccee501a474f0N.exe	98
PID 2980 wrote to memory of 2812	2980	8903398a431b1e207f1ccee501a474f0N.exe	99
PID 2980 wrote to memory of 2812	2980	8903398a431b1e207f1ccee501a474f0N.exe	99
PID 2980 wrote to memory of 2848	2980	8903398a431b1e207f1ccee501a474f0N.exe	100
PID 2980 wrote to memory of 2848	2980	8903398a431b1e207f1ccee501a474f0N.exe	100
PID 2980 wrote to memory of 468	2980	8903398a431b1e207f1ccee501a474f0N.exe	101
PID 2980 wrote to memory of 468	2980	8903398a431b1e207f1ccee501a474f0N.exe	101
PID 2980 wrote to memory of 3212	2980	8903398a431b1e207f1ccee501a474f0N.exe	102
PID 2980 wrote to memory of 3212	2980	8903398a431b1e207f1ccee501a474f0N.exe	102
PID 2980 wrote to memory of 2140	2980	8903398a431b1e207f1ccee501a474f0N.exe	103
PID 2980 wrote to memory of 2140	2980	8903398a431b1e207f1ccee501a474f0N.exe	103
PID 2980 wrote to memory of 720	2980	8903398a431b1e207f1ccee501a474f0N.exe	104
PID 2980 wrote to memory of 720	2980	8903398a431b1e207f1ccee501a474f0N.exe	104
PID 2980 wrote to memory of 4968	2980	8903398a431b1e207f1ccee501a474f0N.exe	105
PID 2980 wrote to memory of 4968	2980	8903398a431b1e207f1ccee501a474f0N.exe	105
PID 2980 wrote to memory of 3596	2980	8903398a431b1e207f1ccee501a474f0N.exe	106
PID 2980 wrote to memory of 3596	2980	8903398a431b1e207f1ccee501a474f0N.exe	106
PID 2980 wrote to memory of 2340	2980	8903398a431b1e207f1ccee501a474f0N.exe	107
PID 2980 wrote to memory of 2340	2980	8903398a431b1e207f1ccee501a474f0N.exe	107
PID 2980 wrote to memory of 3620	2980	8903398a431b1e207f1ccee501a474f0N.exe	108
PID 2980 wrote to memory of 3620	2980	8903398a431b1e207f1ccee501a474f0N.exe	108
PID 2980 wrote to memory of 3488	2980	8903398a431b1e207f1ccee501a474f0N.exe	109
PID 2980 wrote to memory of 3488	2980	8903398a431b1e207f1ccee501a474f0N.exe	109
PID 2980 wrote to memory of 2212	2980	8903398a431b1e207f1ccee501a474f0N.exe	110
PID 2980 wrote to memory of 2212	2980	8903398a431b1e207f1ccee501a474f0N.exe	110
PID 2980 wrote to memory of 2676	2980	8903398a431b1e207f1ccee501a474f0N.exe	111
PID 2980 wrote to memory of 2676	2980	8903398a431b1e207f1ccee501a474f0N.exe	111
PID 2980 wrote to memory of 3508	2980	8903398a431b1e207f1ccee501a474f0N.exe	112
PID 2980 wrote to memory of 3508	2980	8903398a431b1e207f1ccee501a474f0N.exe	112
PID 2980 wrote to memory of 972	2980	8903398a431b1e207f1ccee501a474f0N.exe	113
PID 2980 wrote to memory of 972	2980	8903398a431b1e207f1ccee501a474f0N.exe	113
PID 2980 wrote to memory of 2800	2980	8903398a431b1e207f1ccee501a474f0N.exe	114
PID 2980 wrote to memory of 2800	2980	8903398a431b1e207f1ccee501a474f0N.exe	114
PID 2980 wrote to memory of 3760	2980	8903398a431b1e207f1ccee501a474f0N.exe	115
PID 2980 wrote to memory of 3760	2980	8903398a431b1e207f1ccee501a474f0N.exe	115
PID 2980 wrote to memory of 1936	2980	8903398a431b1e207f1ccee501a474f0N.exe	116
PID 2980 wrote to memory of 1936	2980	8903398a431b1e207f1ccee501a474f0N.exe	116
PID 2980 wrote to memory of 1520	2980	8903398a431b1e207f1ccee501a474f0N.exe	117
PID 2980 wrote to memory of 1520	2980	8903398a431b1e207f1ccee501a474f0N.exe	117
PID 2980 wrote to memory of 1836	2980	8903398a431b1e207f1ccee501a474f0N.exe	118
PID 2980 wrote to memory of 1836	2980	8903398a431b1e207f1ccee501a474f0N.exe	118
PID 2980 wrote to memory of 3812	2980	8903398a431b1e207f1ccee501a474f0N.exe	119
PID 2980 wrote to memory of 3812	2980	8903398a431b1e207f1ccee501a474f0N.exe	119
PID 2980 wrote to memory of 4108	2980	8903398a431b1e207f1ccee501a474f0N.exe	120
PID 2980 wrote to memory of 4108	2980	8903398a431b1e207f1ccee501a474f0N.exe	120
PID 2980 wrote to memory of 2348	2980	8903398a431b1e207f1ccee501a474f0N.exe	121
PID 2980 wrote to memory of 2348	2980	8903398a431b1e207f1ccee501a474f0N.exe	121
PID 2980 wrote to memory of 3532	2980	8903398a431b1e207f1ccee501a474f0N.exe	122
PID 2980 wrote to memory of 3532	2980	8903398a431b1e207f1ccee501a474f0N.exe	122

C:\Users\Admin\AppData\Local\Temp\8903398a431b1e207f1ccee501a474f0N.exe
"C:\Users\Admin\AppData\Local\Temp\8903398a431b1e207f1ccee501a474f0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\DgYlwvX.exe
  C:\Windows\System32\DgYlwvX.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\TBjBPwt.exe
  C:\Windows\System32\TBjBPwt.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\THZYTuj.exe
  C:\Windows\System32\THZYTuj.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\fUMWmMU.exe
  C:\Windows\System32\fUMWmMU.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\oYDkkSD.exe
  C:\Windows\System32\oYDkkSD.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System32\lCItcId.exe
  C:\Windows\System32\lCItcId.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\NrybJPG.exe
  C:\Windows\System32\NrybJPG.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\BODiaUj.exe
  C:\Windows\System32\BODiaUj.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\qPlWIgd.exe
  C:\Windows\System32\qPlWIgd.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\xOpKtsq.exe
  C:\Windows\System32\xOpKtsq.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\VveDhrO.exe
  C:\Windows\System32\VveDhrO.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\msjVlYk.exe
  C:\Windows\System32\msjVlYk.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\badWOjm.exe
  C:\Windows\System32\badWOjm.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\uHakhMf.exe
  C:\Windows\System32\uHakhMf.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\jWvgXrm.exe
  C:\Windows\System32\jWvgXrm.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\tPgexoS.exe
  C:\Windows\System32\tPgexoS.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\HyqFknd.exe
  C:\Windows\System32\HyqFknd.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System32\DmAWJeB.exe
  C:\Windows\System32\DmAWJeB.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System32\bleuxpi.exe
  C:\Windows\System32\bleuxpi.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System32\UAslJmE.exe
  C:\Windows\System32\UAslJmE.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\jqHfOjO.exe
  C:\Windows\System32\jqHfOjO.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\SBRPvQZ.exe
  C:\Windows\System32\SBRPvQZ.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\ghqVDDM.exe
  C:\Windows\System32\ghqVDDM.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System32\ENnxDLV.exe
  C:\Windows\System32\ENnxDLV.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\nNQLlGX.exe
  C:\Windows\System32\nNQLlGX.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System32\GZWcdAP.exe
  C:\Windows\System32\GZWcdAP.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System32\qmqmNhH.exe
  C:\Windows\System32\qmqmNhH.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\zwujCkk.exe
  C:\Windows\System32\zwujCkk.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\gAtxeBv.exe
  C:\Windows\System32\gAtxeBv.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\GZfDEwh.exe
  C:\Windows\System32\GZfDEwh.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\UDCNkxJ.exe
  C:\Windows\System32\UDCNkxJ.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\NAgKEnB.exe
  C:\Windows\System32\NAgKEnB.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\OcmiqTS.exe
  C:\Windows\System32\OcmiqTS.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System32\gTUOwCm.exe
  C:\Windows\System32\gTUOwCm.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System32\eptOMdl.exe
  C:\Windows\System32\eptOMdl.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\uSEPRjC.exe
  C:\Windows\System32\uSEPRjC.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\xQKyJtX.exe
  C:\Windows\System32\xQKyJtX.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\oUFoqCb.exe
  C:\Windows\System32\oUFoqCb.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\ObWlLix.exe
  C:\Windows\System32\ObWlLix.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System32\pJwRbRx.exe
  C:\Windows\System32\pJwRbRx.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\TLLwUNY.exe
  C:\Windows\System32\TLLwUNY.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\MgHDjTU.exe
  C:\Windows\System32\MgHDjTU.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\BekvqKu.exe
  C:\Windows\System32\BekvqKu.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System32\iBDYVoI.exe
  C:\Windows\System32\iBDYVoI.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\PAJOZnO.exe
  C:\Windows\System32\PAJOZnO.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\ymzeBVG.exe
  C:\Windows\System32\ymzeBVG.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\AeQRBgc.exe
  C:\Windows\System32\AeQRBgc.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\PDYUrOP.exe
  C:\Windows\System32\PDYUrOP.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\IRzPxiG.exe
  C:\Windows\System32\IRzPxiG.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\DeIKCKE.exe
  C:\Windows\System32\DeIKCKE.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\uTuwUIE.exe
  C:\Windows\System32\uTuwUIE.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\latXMVW.exe
  C:\Windows\System32\latXMVW.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\BTQVTaQ.exe
  C:\Windows\System32\BTQVTaQ.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\jrOWEVS.exe
  C:\Windows\System32\jrOWEVS.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\vGyOsjW.exe
  C:\Windows\System32\vGyOsjW.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\fnvvAjt.exe
  C:\Windows\System32\fnvvAjt.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\vHxKizt.exe
  C:\Windows\System32\vHxKizt.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\GzecaGK.exe
  C:\Windows\System32\GzecaGK.exe
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System32\kQCtdYc.exe
  C:\Windows\System32\kQCtdYc.exe
  2⤵
  - Executes dropped EXE
  PID:5152
- C:\Windows\System32\SwpfLXx.exe
  C:\Windows\System32\SwpfLXx.exe
  2⤵
  - Executes dropped EXE
  PID:5180
- C:\Windows\System32\HhwDyRd.exe
  C:\Windows\System32\HhwDyRd.exe
  2⤵
  - Executes dropped EXE
  PID:5208
- C:\Windows\System32\xJYrweg.exe
  C:\Windows\System32\xJYrweg.exe
  2⤵
  - Executes dropped EXE
  PID:5240
- C:\Windows\System32\zqbWdhO.exe
  C:\Windows\System32\zqbWdhO.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Windows\System32\mIuslCo.exe
  C:\Windows\System32\mIuslCo.exe
  2⤵
  - Executes dropped EXE
  PID:5292
- C:\Windows\System32\NwBtWbH.exe
  C:\Windows\System32\NwBtWbH.exe
  2⤵
  PID:5320
- C:\Windows\System32\knUdvjU.exe
  C:\Windows\System32\knUdvjU.exe
  2⤵
  PID:5352
- C:\Windows\System32\JWMyjrh.exe
  C:\Windows\System32\JWMyjrh.exe
  2⤵
  PID:5376
- C:\Windows\System32\tPAimhP.exe
  C:\Windows\System32\tPAimhP.exe
  2⤵
  PID:5404
- C:\Windows\System32\LvkRSKs.exe
  C:\Windows\System32\LvkRSKs.exe
  2⤵
  PID:5440
- C:\Windows\System32\cCjBwgB.exe
  C:\Windows\System32\cCjBwgB.exe
  2⤵
  PID:5464
- C:\Windows\System32\XPlkbGq.exe
  C:\Windows\System32\XPlkbGq.exe
  2⤵
  PID:5496
- C:\Windows\System32\rcZdvbH.exe
  C:\Windows\System32\rcZdvbH.exe
  2⤵
  PID:5516
- C:\Windows\System32\ZlmJkOJ.exe
  C:\Windows\System32\ZlmJkOJ.exe
  2⤵
  PID:5544
- C:\Windows\System32\IvFOQKF.exe
  C:\Windows\System32\IvFOQKF.exe
  2⤵
  PID:5576
- C:\Windows\System32\fKgbUcH.exe
  C:\Windows\System32\fKgbUcH.exe
  2⤵
  PID:5604
- C:\Windows\System32\UjjQWmD.exe
  C:\Windows\System32\UjjQWmD.exe
  2⤵
  PID:5628
- C:\Windows\System32\ygwEOrA.exe
  C:\Windows\System32\ygwEOrA.exe
  2⤵
  PID:5660
- C:\Windows\System32\JlVStWO.exe
  C:\Windows\System32\JlVStWO.exe
  2⤵
  PID:5684
- C:\Windows\System32\LbsVkmP.exe
  C:\Windows\System32\LbsVkmP.exe
  2⤵
  PID:5712
- C:\Windows\System32\xLoUPZC.exe
  C:\Windows\System32\xLoUPZC.exe
  2⤵
  PID:5736
- C:\Windows\System32\HZwwSfx.exe
  C:\Windows\System32\HZwwSfx.exe
  2⤵
  PID:5768
- C:\Windows\System32\EsltLFv.exe
  C:\Windows\System32\EsltLFv.exe
  2⤵
  PID:5796
- C:\Windows\System32\CSLyGgN.exe
  C:\Windows\System32\CSLyGgN.exe
  2⤵
  PID:5828
- C:\Windows\System32\BJNRrhJ.exe
  C:\Windows\System32\BJNRrhJ.exe
  2⤵
  PID:5852
- C:\Windows\System32\wYyKSal.exe
  C:\Windows\System32\wYyKSal.exe
  2⤵
  PID:5880
- C:\Windows\System32\LFqRffB.exe
  C:\Windows\System32\LFqRffB.exe
  2⤵
  PID:5908
- C:\Windows\System32\YeUuJrN.exe
  C:\Windows\System32\YeUuJrN.exe
  2⤵
  PID:5936
- C:\Windows\System32\Zveuqyj.exe
  C:\Windows\System32\Zveuqyj.exe
  2⤵
  PID:5960
- C:\Windows\System32\kzYCOuF.exe
  C:\Windows\System32\kzYCOuF.exe
  2⤵
  PID:6020
- C:\Windows\System32\hGsxDzR.exe
  C:\Windows\System32\hGsxDzR.exe
  2⤵
  PID:6036
- C:\Windows\System32\ZWunQnT.exe
  C:\Windows\System32\ZWunQnT.exe
  2⤵
  PID:6052
- C:\Windows\System32\XAmWJaX.exe
  C:\Windows\System32\XAmWJaX.exe
  2⤵
  PID:6080
- C:\Windows\System32\nCAtsNI.exe
  C:\Windows\System32\nCAtsNI.exe
  2⤵
  PID:6104
- C:\Windows\System32\fHZgBzZ.exe
  C:\Windows\System32\fHZgBzZ.exe
  2⤵
  PID:6136
- C:\Windows\System32\SbRJVIX.exe
  C:\Windows\System32\SbRJVIX.exe
  2⤵
  PID:3616
- C:\Windows\System32\JffCzfv.exe
  C:\Windows\System32\JffCzfv.exe
  2⤵
  PID:1268
- C:\Windows\System32\JlkiSZc.exe
  C:\Windows\System32\JlkiSZc.exe
  2⤵
  PID:1516
- C:\Windows\System32\XTfKXvt.exe
  C:\Windows\System32\XTfKXvt.exe
  2⤵
  PID:3876
- C:\Windows\System32\yimdsIv.exe
  C:\Windows\System32\yimdsIv.exe
  2⤵
  PID:2548
- C:\Windows\System32\BDWPzGA.exe
  C:\Windows\System32\BDWPzGA.exe
  2⤵
  PID:5172
- C:\Windows\System32\zDzdseF.exe
  C:\Windows\System32\zDzdseF.exe
  2⤵
  PID:5260
- C:\Windows\System32\dJmIkwa.exe
  C:\Windows\System32\dJmIkwa.exe
  2⤵
  PID:5284
- C:\Windows\System32\wOtIExt.exe
  C:\Windows\System32\wOtIExt.exe
  2⤵
  PID:5368
- C:\Windows\System32\BAFAzSQ.exe
  C:\Windows\System32\BAFAzSQ.exe
  2⤵
  PID:5416
- C:\Windows\System32\BIoAIYJ.exe
  C:\Windows\System32\BIoAIYJ.exe
  2⤵
  PID:5504
- C:\Windows\System32\ntgVzdg.exe
  C:\Windows\System32\ntgVzdg.exe
  2⤵
  PID:4280
- C:\Windows\System32\bxatnwc.exe
  C:\Windows\System32\bxatnwc.exe
  2⤵
  PID:5584
- C:\Windows\System32\fTPNuSr.exe
  C:\Windows\System32\fTPNuSr.exe
  2⤵
  PID:5680
- C:\Windows\System32\QDCMgJg.exe
  C:\Windows\System32\QDCMgJg.exe
  2⤵
  PID:5732
- C:\Windows\System32\gzZAVSS.exe
  C:\Windows\System32\gzZAVSS.exe
  2⤵
  PID:5780
- C:\Windows\System32\mgjFECX.exe
  C:\Windows\System32\mgjFECX.exe
  2⤵
  PID:5844
- C:\Windows\System32\DjMEJkM.exe
  C:\Windows\System32\DjMEJkM.exe
  2⤵
  PID:5888
- C:\Windows\System32\JCPFdcV.exe
  C:\Windows\System32\JCPFdcV.exe
  2⤵
  PID:2788
- C:\Windows\System32\azvJbBq.exe
  C:\Windows\System32\azvJbBq.exe
  2⤵
  PID:6008
- C:\Windows\System32\DWVQAuq.exe
  C:\Windows\System32\DWVQAuq.exe
  2⤵
  PID:6072
- C:\Windows\System32\QwDvAaW.exe
  C:\Windows\System32\QwDvAaW.exe
  2⤵
  PID:3396
- C:\Windows\System32\fIFaoyM.exe
  C:\Windows\System32\fIFaoyM.exe
  2⤵
  PID:1100
- C:\Windows\System32\FTNcmOt.exe
  C:\Windows\System32\FTNcmOt.exe
  2⤵
  PID:1684
- C:\Windows\System32\veokyPn.exe
  C:\Windows\System32\veokyPn.exe
  2⤵
  PID:872
- C:\Windows\System32\mmksqZb.exe
  C:\Windows\System32\mmksqZb.exe
  2⤵
  PID:2776
- C:\Windows\System32\UtoGnXj.exe
  C:\Windows\System32\UtoGnXj.exe
  2⤵
  PID:5216
- C:\Windows\System32\mQEDJeN.exe
  C:\Windows\System32\mQEDJeN.exe
  2⤵
  PID:5304
- C:\Windows\System32\jwuAhrG.exe
  C:\Windows\System32\jwuAhrG.exe
  2⤵
  PID:5396
- C:\Windows\System32\OfEDmau.exe
  C:\Windows\System32\OfEDmau.exe
  2⤵
  PID:5456
- C:\Windows\System32\kUhMDfy.exe
  C:\Windows\System32\kUhMDfy.exe
  2⤵
  PID:5536
- C:\Windows\System32\hitOppp.exe
  C:\Windows\System32\hitOppp.exe
  2⤵
  PID:5564
- C:\Windows\System32\erkiMay.exe
  C:\Windows\System32\erkiMay.exe
  2⤵
  PID:5668
- C:\Windows\System32\OPKqZDn.exe
  C:\Windows\System32\OPKqZDn.exe
  2⤵
  PID:5920
- C:\Windows\System32\KBdZEPl.exe
  C:\Windows\System32\KBdZEPl.exe
  2⤵
  PID:2592
- C:\Windows\System32\ZletJjS.exe
  C:\Windows\System32\ZletJjS.exe
  2⤵
  PID:372
- C:\Windows\System32\yJweWtC.exe
  C:\Windows\System32\yJweWtC.exe
  2⤵
  PID:4024
- C:\Windows\System32\hFENqOz.exe
  C:\Windows\System32\hFENqOz.exe
  2⤵
  PID:5332
- C:\Windows\System32\yRNKzAc.exe
  C:\Windows\System32\yRNKzAc.exe
  2⤵
  PID:5944
- C:\Windows\System32\NfJcPPm.exe
  C:\Windows\System32\NfJcPPm.exe
  2⤵
  PID:2888
- C:\Windows\System32\bqMgcJC.exe
  C:\Windows\System32\bqMgcJC.exe
  2⤵
  PID:3604
- C:\Windows\System32\MNNLyfV.exe
  C:\Windows\System32\MNNLyfV.exe
  2⤵
  PID:6152
- C:\Windows\System32\mqrWsNq.exe
  C:\Windows\System32\mqrWsNq.exe
  2⤵
  PID:6180
- C:\Windows\System32\jfPbJJe.exe
  C:\Windows\System32\jfPbJJe.exe
  2⤵
  PID:6208
- C:\Windows\System32\xZbEVPP.exe
  C:\Windows\System32\xZbEVPP.exe
  2⤵
  PID:6236
- C:\Windows\System32\ABneYPW.exe
  C:\Windows\System32\ABneYPW.exe
  2⤵
  PID:6260
- C:\Windows\System32\NmUGgcl.exe
  C:\Windows\System32\NmUGgcl.exe
  2⤵
  PID:6288
- C:\Windows\System32\VwvNtfC.exe
  C:\Windows\System32\VwvNtfC.exe
  2⤵
  PID:6320
- C:\Windows\System32\mZhptCB.exe
  C:\Windows\System32\mZhptCB.exe
  2⤵
  PID:6356
- C:\Windows\System32\SGFbLYJ.exe
  C:\Windows\System32\SGFbLYJ.exe
  2⤵
  PID:6376
- C:\Windows\System32\FKNKlDf.exe
  C:\Windows\System32\FKNKlDf.exe
  2⤵
  PID:6392
- C:\Windows\System32\habpDGs.exe
  C:\Windows\System32\habpDGs.exe
  2⤵
  PID:6424
- C:\Windows\System32\BHRXlJj.exe
  C:\Windows\System32\BHRXlJj.exe
  2⤵
  PID:6460
- C:\Windows\System32\ZvQhGEo.exe
  C:\Windows\System32\ZvQhGEo.exe
  2⤵
  PID:6488
- C:\Windows\System32\ahXZcnm.exe
  C:\Windows\System32\ahXZcnm.exe
  2⤵
  PID:6512
- C:\Windows\System32\ZmOvuHz.exe
  C:\Windows\System32\ZmOvuHz.exe
  2⤵
  PID:6544
- C:\Windows\System32\PxBRTvS.exe
  C:\Windows\System32\PxBRTvS.exe
  2⤵
  PID:6572
- C:\Windows\System32\Xwxcojx.exe
  C:\Windows\System32\Xwxcojx.exe
  2⤵
  PID:6600
- C:\Windows\System32\XEkLjFr.exe
  C:\Windows\System32\XEkLjFr.exe
  2⤵
  PID:6628
- C:\Windows\System32\xMPCvAa.exe
  C:\Windows\System32\xMPCvAa.exe
  2⤵
  PID:6652
- C:\Windows\System32\ZuiggwX.exe
  C:\Windows\System32\ZuiggwX.exe
  2⤵
  PID:6684
- C:\Windows\System32\GGMALZY.exe
  C:\Windows\System32\GGMALZY.exe
  2⤵
  PID:6708
- C:\Windows\System32\yTsTpTE.exe
  C:\Windows\System32\yTsTpTE.exe
  2⤵
  PID:6740
- C:\Windows\System32\DiZMSVr.exe
  C:\Windows\System32\DiZMSVr.exe
  2⤵
  PID:6768
- C:\Windows\System32\TNQsOsR.exe
  C:\Windows\System32\TNQsOsR.exe
  2⤵
  PID:6792
- C:\Windows\System32\ldnbYaU.exe
  C:\Windows\System32\ldnbYaU.exe
  2⤵
  PID:6820
- C:\Windows\System32\DMyNCrg.exe
  C:\Windows\System32\DMyNCrg.exe
  2⤵
  PID:6852
- C:\Windows\System32\ifTPknm.exe
  C:\Windows\System32\ifTPknm.exe
  2⤵
  PID:6876
- C:\Windows\System32\NHIgKKY.exe
  C:\Windows\System32\NHIgKKY.exe
  2⤵
  PID:6932
- C:\Windows\System32\KNHAtVa.exe
  C:\Windows\System32\KNHAtVa.exe
  2⤵
  PID:6960
- C:\Windows\System32\uZCZCcH.exe
  C:\Windows\System32\uZCZCcH.exe
  2⤵
  PID:6980
- C:\Windows\System32\Dguithm.exe
  C:\Windows\System32\Dguithm.exe
  2⤵
  PID:7000
- C:\Windows\System32\njmJKbu.exe
  C:\Windows\System32\njmJKbu.exe
  2⤵
  PID:7016
- C:\Windows\System32\oPjXRBL.exe
  C:\Windows\System32\oPjXRBL.exe
  2⤵
  PID:7032
- C:\Windows\System32\kvbDIST.exe
  C:\Windows\System32\kvbDIST.exe
  2⤵
  PID:7060
- C:\Windows\System32\SxmtdOn.exe
  C:\Windows\System32\SxmtdOn.exe
  2⤵
  PID:7108
- C:\Windows\System32\yUydtAW.exe
  C:\Windows\System32\yUydtAW.exe
  2⤵
  PID:7140
- C:\Windows\System32\SLrgLLL.exe
  C:\Windows\System32\SLrgLLL.exe
  2⤵
  PID:2664
- C:\Windows\System32\VzBWJlp.exe
  C:\Windows\System32\VzBWJlp.exe
  2⤵
  PID:6172
- C:\Windows\System32\MFPBuvm.exe
  C:\Windows\System32\MFPBuvm.exe
  2⤵
  PID:6188
- C:\Windows\System32\tvKpfPY.exe
  C:\Windows\System32\tvKpfPY.exe
  2⤵
  PID:6296
- C:\Windows\System32\YCqhmoV.exe
  C:\Windows\System32\YCqhmoV.exe
  2⤵
  PID:6352
- C:\Windows\System32\wTeHZKB.exe
  C:\Windows\System32\wTeHZKB.exe
  2⤵
  PID:6388
- C:\Windows\System32\ZqUlrcy.exe
  C:\Windows\System32\ZqUlrcy.exe
  2⤵
  PID:6420
- C:\Windows\System32\IImxWZI.exe
  C:\Windows\System32\IImxWZI.exe
  2⤵
  PID:6480
- C:\Windows\System32\IHQuMLP.exe
  C:\Windows\System32\IHQuMLP.exe
  2⤵
  PID:6528
- C:\Windows\System32\RJisnAj.exe
  C:\Windows\System32\RJisnAj.exe
  2⤵
  PID:6556
- C:\Windows\System32\hpSBrUd.exe
  C:\Windows\System32\hpSBrUd.exe
  2⤵
  PID:6620
- C:\Windows\System32\FPoBsOe.exe
  C:\Windows\System32\FPoBsOe.exe
  2⤵
  PID:6660
- C:\Windows\System32\WxWbfYM.exe
  C:\Windows\System32\WxWbfYM.exe
  2⤵
  PID:6692
- C:\Windows\System32\OQDcMiu.exe
  C:\Windows\System32\OQDcMiu.exe
  2⤵
  PID:6808
- C:\Windows\System32\uisSeEg.exe
  C:\Windows\System32\uisSeEg.exe
  2⤵
  PID:6928
- C:\Windows\System32\fwzoCAD.exe
  C:\Windows\System32\fwzoCAD.exe
  2⤵
  PID:3200
- C:\Windows\System32\cDamEQX.exe
  C:\Windows\System32\cDamEQX.exe
  2⤵
  PID:4788
- C:\Windows\System32\BzUGWja.exe
  C:\Windows\System32\BzUGWja.exe
  2⤵
  PID:6916
- C:\Windows\System32\UYNWGij.exe
  C:\Windows\System32\UYNWGij.exe
  2⤵
  PID:5020
- C:\Windows\System32\LuwzjQj.exe
  C:\Windows\System32\LuwzjQj.exe
  2⤵
  PID:6976
- C:\Windows\System32\elHNLaO.exe
  C:\Windows\System32\elHNLaO.exe
  2⤵
  PID:7044
- C:\Windows\System32\okIXLWz.exe
  C:\Windows\System32\okIXLWz.exe
  2⤵
  PID:7068
- C:\Windows\System32\SvwfUBI.exe
  C:\Windows\System32\SvwfUBI.exe
  2⤵
  PID:7088
- C:\Windows\System32\TsAhTJz.exe
  C:\Windows\System32\TsAhTJz.exe
  2⤵
  PID:7156
- C:\Windows\System32\fkLuXnJ.exe
  C:\Windows\System32\fkLuXnJ.exe
  2⤵
  PID:6340
- C:\Windows\System32\FzIodPb.exe
  C:\Windows\System32\FzIodPb.exe
  2⤵
  PID:6608
- C:\Windows\System32\NjLVaGt.exe
  C:\Windows\System32\NjLVaGt.exe
  2⤵
  PID:6776
- C:\Windows\System32\SVlqxPQ.exe
  C:\Windows\System32\SVlqxPQ.exe
  2⤵
  PID:6696
- C:\Windows\System32\FWCPcdr.exe
  C:\Windows\System32\FWCPcdr.exe
  2⤵
  PID:4696
- C:\Windows\System32\RLGyMbQ.exe
  C:\Windows\System32\RLGyMbQ.exe
  2⤵
  PID:7080
- C:\Windows\System32\WjddXqm.exe
  C:\Windows\System32\WjddXqm.exe
  2⤵
  PID:6432
- C:\Windows\System32\sEnipTK.exe
  C:\Windows\System32\sEnipTK.exe
  2⤵
  PID:6372
- C:\Windows\System32\TPWXpAb.exe
  C:\Windows\System32\TPWXpAb.exe
  2⤵
  PID:6564
- C:\Windows\System32\gPVFMCq.exe
  C:\Windows\System32\gPVFMCq.exe
  2⤵
  PID:4596
- C:\Windows\System32\oBIsqPz.exe
  C:\Windows\System32\oBIsqPz.exe
  2⤵
  PID:6216
- C:\Windows\System32\LxNoSll.exe
  C:\Windows\System32\LxNoSll.exe
  2⤵
  PID:6384
- C:\Windows\System32\rKzeook.exe
  C:\Windows\System32\rKzeook.exe
  2⤵
  PID:7184
- C:\Windows\System32\VFernml.exe
  C:\Windows\System32\VFernml.exe
  2⤵
  PID:7204
- C:\Windows\System32\WfGWqcY.exe
  C:\Windows\System32\WfGWqcY.exe
  2⤵
  PID:7248
- C:\Windows\System32\pLAwDbs.exe
  C:\Windows\System32\pLAwDbs.exe
  2⤵
  PID:7304
- C:\Windows\System32\jgvSEjr.exe
  C:\Windows\System32\jgvSEjr.exe
  2⤵
  PID:7332
- C:\Windows\System32\UCmigBv.exe
  C:\Windows\System32\UCmigBv.exe
  2⤵
  PID:7352
- C:\Windows\System32\aplnZxp.exe
  C:\Windows\System32\aplnZxp.exe
  2⤵
  PID:7368
- C:\Windows\System32\kJpLKKp.exe
  C:\Windows\System32\kJpLKKp.exe
  2⤵
  PID:7396
- C:\Windows\System32\cVuDYVZ.exe
  C:\Windows\System32\cVuDYVZ.exe
  2⤵
  PID:7436
- C:\Windows\System32\ZOiPowC.exe
  C:\Windows\System32\ZOiPowC.exe
  2⤵
  PID:7468
- C:\Windows\System32\ttzUCrO.exe
  C:\Windows\System32\ttzUCrO.exe
  2⤵
  PID:7492
- C:\Windows\System32\NywKbZq.exe
  C:\Windows\System32\NywKbZq.exe
  2⤵
  PID:7520
- C:\Windows\System32\PJiQmmC.exe
  C:\Windows\System32\PJiQmmC.exe
  2⤵
  PID:7548
- C:\Windows\System32\ZUmZXes.exe
  C:\Windows\System32\ZUmZXes.exe
  2⤵
  PID:7568
- C:\Windows\System32\czZisiq.exe
  C:\Windows\System32\czZisiq.exe
  2⤵
  PID:7604
- C:\Windows\System32\dFCZDKF.exe
  C:\Windows\System32\dFCZDKF.exe
  2⤵
  PID:7644
- C:\Windows\System32\lHNwvFU.exe
  C:\Windows\System32\lHNwvFU.exe
  2⤵
  PID:7664
- C:\Windows\System32\KUSmSMV.exe
  C:\Windows\System32\KUSmSMV.exe
  2⤵
  PID:7680
- C:\Windows\System32\GSZsXrH.exe
  C:\Windows\System32\GSZsXrH.exe
  2⤵
  PID:7704
- C:\Windows\System32\IQEdJkQ.exe
  C:\Windows\System32\IQEdJkQ.exe
  2⤵
  PID:7724
- C:\Windows\System32\ZlLlvwe.exe
  C:\Windows\System32\ZlLlvwe.exe
  2⤵
  PID:7740
- C:\Windows\System32\xvdFlYj.exe
  C:\Windows\System32\xvdFlYj.exe
  2⤵
  PID:7764
- C:\Windows\System32\jktmjSb.exe
  C:\Windows\System32\jktmjSb.exe
  2⤵
  PID:7784
- C:\Windows\System32\ERfsPZU.exe
  C:\Windows\System32\ERfsPZU.exe
  2⤵
  PID:7804
- C:\Windows\System32\EKmzJac.exe
  C:\Windows\System32\EKmzJac.exe
  2⤵
  PID:7832
- C:\Windows\System32\SDqUUwp.exe
  C:\Windows\System32\SDqUUwp.exe
  2⤵
  PID:7944
- C:\Windows\System32\xVFMhnk.exe
  C:\Windows\System32\xVFMhnk.exe
  2⤵
  PID:7984
- C:\Windows\System32\USvxRhD.exe
  C:\Windows\System32\USvxRhD.exe
  2⤵
  PID:8000
- C:\Windows\System32\zZRixgh.exe
  C:\Windows\System32\zZRixgh.exe
  2⤵
  PID:8028
- C:\Windows\System32\aahOIbt.exe
  C:\Windows\System32\aahOIbt.exe
  2⤵
  PID:8052
- C:\Windows\System32\eQjNykg.exe
  C:\Windows\System32\eQjNykg.exe
  2⤵
  PID:8084
- C:\Windows\System32\HYfGPAS.exe
  C:\Windows\System32\HYfGPAS.exe
  2⤵
  PID:8100
- C:\Windows\System32\tdlHNtF.exe
  C:\Windows\System32\tdlHNtF.exe
  2⤵
  PID:8136
- C:\Windows\System32\BjkjmTb.exe
  C:\Windows\System32\BjkjmTb.exe
  2⤵
  PID:8152
- C:\Windows\System32\xKBuAOl.exe
  C:\Windows\System32\xKBuAOl.exe
  2⤵
  PID:6836
- C:\Windows\System32\mTjGfOs.exe
  C:\Windows\System32\mTjGfOs.exe
  2⤵
  PID:5164
- C:\Windows\System32\vMwDhnZ.exe
  C:\Windows\System32\vMwDhnZ.exe
  2⤵
  PID:7216
- C:\Windows\System32\zaBSoLO.exe
  C:\Windows\System32\zaBSoLO.exe
  2⤵
  PID:7300
- C:\Windows\System32\HlHEdoL.exe
  C:\Windows\System32\HlHEdoL.exe
  2⤵
  PID:7364
- C:\Windows\System32\UOEULhZ.exe
  C:\Windows\System32\UOEULhZ.exe
  2⤵
  PID:7388
- C:\Windows\System32\qYquaGw.exe
  C:\Windows\System32\qYquaGw.exe
  2⤵
  PID:7428
- C:\Windows\System32\jlZpaRG.exe
  C:\Windows\System32\jlZpaRG.exe
  2⤵
  PID:7476
- C:\Windows\System32\vDwCSbt.exe
  C:\Windows\System32\vDwCSbt.exe
  2⤵
  PID:7516
- C:\Windows\System32\SThwCTX.exe
  C:\Windows\System32\SThwCTX.exe
  2⤵
  PID:7576
- C:\Windows\System32\nuQkDVu.exe
  C:\Windows\System32\nuQkDVu.exe
  2⤵
  PID:7688
- C:\Windows\System32\aysYElx.exe
  C:\Windows\System32\aysYElx.exe
  2⤵
  PID:7712
- C:\Windows\System32\cMpKnMa.exe
  C:\Windows\System32\cMpKnMa.exe
  2⤵
  PID:7780
- C:\Windows\System32\DeUImwy.exe
  C:\Windows\System32\DeUImwy.exe
  2⤵
  PID:7792
- C:\Windows\System32\NvBFzLw.exe
  C:\Windows\System32\NvBFzLw.exe
  2⤵
  PID:7992
- C:\Windows\System32\BVVXltq.exe
  C:\Windows\System32\BVVXltq.exe
  2⤵
  PID:8112
- C:\Windows\System32\UcsAadE.exe
  C:\Windows\System32\UcsAadE.exe
  2⤵
  PID:8128
- C:\Windows\System32\IGCyWLO.exe
  C:\Windows\System32\IGCyWLO.exe
  2⤵
  PID:7196
- C:\Windows\System32\ckJlzLj.exe
  C:\Windows\System32\ckJlzLj.exe
  2⤵
  PID:7328
- C:\Windows\System32\MEULGMZ.exe
  C:\Windows\System32\MEULGMZ.exe
  2⤵
  PID:7280
- C:\Windows\System32\mAHVqVs.exe
  C:\Windows\System32\mAHVqVs.exe
  2⤵
  PID:7480
- C:\Windows\System32\ynJnTZK.exe
  C:\Windows\System32\ynJnTZK.exe
  2⤵
  PID:7640
- C:\Windows\System32\XjnvrEM.exe
  C:\Windows\System32\XjnvrEM.exe
  2⤵
  PID:7976
- C:\Windows\System32\qTFNkRP.exe
  C:\Windows\System32\qTFNkRP.exe
  2⤵
  PID:8160
- C:\Windows\System32\BDdrwtO.exe
  C:\Windows\System32\BDdrwtO.exe
  2⤵
  PID:7456
- C:\Windows\System32\jjlBSJs.exe
  C:\Windows\System32\jjlBSJs.exe
  2⤵
  PID:7324
- C:\Windows\System32\zwMeThV.exe
  C:\Windows\System32\zwMeThV.exe
  2⤵
  PID:7828
- C:\Windows\System32\zbwEmua.exe
  C:\Windows\System32\zbwEmua.exe
  2⤵
  PID:8016
- C:\Windows\System32\xLwxCUC.exe
  C:\Windows\System32\xLwxCUC.exe
  2⤵
  PID:7676
- C:\Windows\System32\ebklQbF.exe
  C:\Windows\System32\ebklQbF.exe
  2⤵
  PID:8220
- C:\Windows\System32\jAOyoyV.exe
  C:\Windows\System32\jAOyoyV.exe
  2⤵
  PID:8236
- C:\Windows\System32\DRyiOBt.exe
  C:\Windows\System32\DRyiOBt.exe
  2⤵
  PID:8256
- C:\Windows\System32\gdWbiUn.exe
  C:\Windows\System32\gdWbiUn.exe
  2⤵
  PID:8300
- C:\Windows\System32\czstuTl.exe
  C:\Windows\System32\czstuTl.exe
  2⤵
  PID:8316
- C:\Windows\System32\WBdDeFk.exe
  C:\Windows\System32\WBdDeFk.exe
  2⤵
  PID:8344
- C:\Windows\System32\WWNquaD.exe
  C:\Windows\System32\WWNquaD.exe
  2⤵
  PID:8360
- C:\Windows\System32\ZxMlZsB.exe
  C:\Windows\System32\ZxMlZsB.exe
  2⤵
  PID:8384
- C:\Windows\System32\bPNcsRd.exe
  C:\Windows\System32\bPNcsRd.exe
  2⤵
  PID:8404
- C:\Windows\System32\GGAqetl.exe
  C:\Windows\System32\GGAqetl.exe
  2⤵
  PID:8456
- C:\Windows\System32\ImTBZDr.exe
  C:\Windows\System32\ImTBZDr.exe
  2⤵
  PID:8508
- C:\Windows\System32\CiAiqzB.exe
  C:\Windows\System32\CiAiqzB.exe
  2⤵
  PID:8536
- C:\Windows\System32\IFiRoZQ.exe
  C:\Windows\System32\IFiRoZQ.exe
  2⤵
  PID:8564
- C:\Windows\System32\KSvfsUR.exe
  C:\Windows\System32\KSvfsUR.exe
  2⤵
  PID:8588
- C:\Windows\System32\AZsrYWi.exe
  C:\Windows\System32\AZsrYWi.exe
  2⤵
  PID:8620
- C:\Windows\System32\cmoGtbd.exe
  C:\Windows\System32\cmoGtbd.exe
  2⤵
  PID:8652
- C:\Windows\System32\ZWDwUlG.exe
  C:\Windows\System32\ZWDwUlG.exe
  2⤵
  PID:8684
- C:\Windows\System32\URjikXw.exe
  C:\Windows\System32\URjikXw.exe
  2⤵
  PID:8700
- C:\Windows\System32\ApeCHVX.exe
  C:\Windows\System32\ApeCHVX.exe
  2⤵
  PID:8748
- C:\Windows\System32\FRfbQeb.exe
  C:\Windows\System32\FRfbQeb.exe
  2⤵
  PID:8780
- C:\Windows\System32\sswNElr.exe
  C:\Windows\System32\sswNElr.exe
  2⤵
  PID:8804
- C:\Windows\System32\vevoqeX.exe
  C:\Windows\System32\vevoqeX.exe
  2⤵
  PID:8848
- C:\Windows\System32\koKCvqP.exe
  C:\Windows\System32\koKCvqP.exe
  2⤵
  PID:8864
- C:\Windows\System32\uOfyMqh.exe
  C:\Windows\System32\uOfyMqh.exe
  2⤵
  PID:8888
- C:\Windows\System32\oJfDJXT.exe
  C:\Windows\System32\oJfDJXT.exe
  2⤵
  PID:8928
- C:\Windows\System32\XgWXkcQ.exe
  C:\Windows\System32\XgWXkcQ.exe
  2⤵
  PID:8952
- C:\Windows\System32\HZxEpxl.exe
  C:\Windows\System32\HZxEpxl.exe
  2⤵
  PID:8976
- C:\Windows\System32\hJJxnPx.exe
  C:\Windows\System32\hJJxnPx.exe
  2⤵
  PID:8992
- C:\Windows\System32\rRtlEUu.exe
  C:\Windows\System32\rRtlEUu.exe
  2⤵
  PID:9032
- C:\Windows\System32\TQLbbID.exe
  C:\Windows\System32\TQLbbID.exe
  2⤵
  PID:9072
- C:\Windows\System32\bcKRNKk.exe
  C:\Windows\System32\bcKRNKk.exe
  2⤵
  PID:9104
- C:\Windows\System32\GWXTuIP.exe
  C:\Windows\System32\GWXTuIP.exe
  2⤵
  PID:9136
- C:\Windows\System32\HbgraIt.exe
  C:\Windows\System32\HbgraIt.exe
  2⤵
  PID:9156
- C:\Windows\System32\qMUBqkM.exe
  C:\Windows\System32\qMUBqkM.exe
  2⤵
  PID:9180
- C:\Windows\System32\IQKqqkp.exe
  C:\Windows\System32\IQKqqkp.exe
  2⤵
  PID:9196
- C:\Windows\System32\MMUXoVE.exe
  C:\Windows\System32\MMUXoVE.exe
  2⤵
  PID:7672
- C:\Windows\System32\DViYFhw.exe
  C:\Windows\System32\DViYFhw.exe
  2⤵
  PID:8232
- C:\Windows\System32\YrkSZok.exe
  C:\Windows\System32\YrkSZok.exe
  2⤵
  PID:8244
- C:\Windows\System32\ZqViHMT.exe
  C:\Windows\System32\ZqViHMT.exe
  2⤵
  PID:8416
- C:\Windows\System32\jmnmeNR.exe
  C:\Windows\System32\jmnmeNR.exe
  2⤵
  PID:8380
- C:\Windows\System32\urTuiEe.exe
  C:\Windows\System32\urTuiEe.exe
  2⤵
  PID:8464
- C:\Windows\System32\RSGBHAA.exe
  C:\Windows\System32\RSGBHAA.exe
  2⤵
  PID:8580
- C:\Windows\System32\xkBRjzv.exe
  C:\Windows\System32\xkBRjzv.exe
  2⤵
  PID:8608
- C:\Windows\System32\jLGXDoa.exe
  C:\Windows\System32\jLGXDoa.exe
  2⤵
  PID:8772
- C:\Windows\System32\aXcNYbv.exe
  C:\Windows\System32\aXcNYbv.exe
  2⤵
  PID:8828
- C:\Windows\System32\hNMYSvN.exe
  C:\Windows\System32\hNMYSvN.exe
  2⤵
  PID:8884
- C:\Windows\System32\jBqPrZH.exe
  C:\Windows\System32\jBqPrZH.exe
  2⤵
  PID:8912
- C:\Windows\System32\jefINtj.exe
  C:\Windows\System32\jefINtj.exe
  2⤵
  PID:8964
- C:\Windows\System32\IMiPaRZ.exe
  C:\Windows\System32\IMiPaRZ.exe
  2⤵
  PID:9040
- C:\Windows\System32\poMhKJN.exe
  C:\Windows\System32\poMhKJN.exe
  2⤵
  PID:9088
- C:\Windows\System32\bsPjggv.exe
  C:\Windows\System32\bsPjggv.exe
  2⤵
  PID:9168
- C:\Windows\System32\xBxfWmX.exe
  C:\Windows\System32\xBxfWmX.exe
  2⤵
  PID:7716
- C:\Windows\System32\eAOXXSh.exe
  C:\Windows\System32\eAOXXSh.exe
  2⤵
  PID:8276
- C:\Windows\System32\ayGcgTn.exe
  C:\Windows\System32\ayGcgTn.exe
  2⤵
  PID:8468
- C:\Windows\System32\HSdugOC.exe
  C:\Windows\System32\HSdugOC.exe
  2⤵
  PID:8632
- C:\Windows\System32\CSPkiXh.exe
  C:\Windows\System32\CSPkiXh.exe
  2⤵
  PID:8788
- C:\Windows\System32\lOxjoHG.exe
  C:\Windows\System32\lOxjoHG.exe
  2⤵
  PID:9052
- C:\Windows\System32\pnaoUlo.exe
  C:\Windows\System32\pnaoUlo.exe
  2⤵
  PID:9164
- C:\Windows\System32\pbKadWQ.exe
  C:\Windows\System32\pbKadWQ.exe
  2⤵
  PID:8356
- C:\Windows\System32\sDqyDlM.exe
  C:\Windows\System32\sDqyDlM.exe
  2⤵
  PID:8712
- C:\Windows\System32\VVnvith.exe
  C:\Windows\System32\VVnvith.exe
  2⤵
  PID:9012
- C:\Windows\System32\KqdABRI.exe
  C:\Windows\System32\KqdABRI.exe
  2⤵
  PID:8372
- C:\Windows\System32\GsfcKwl.exe
  C:\Windows\System32\GsfcKwl.exe
  2⤵
  PID:8596
- C:\Windows\System32\APPwjEB.exe
  C:\Windows\System32\APPwjEB.exe
  2⤵
  PID:9256
- C:\Windows\System32\fjvYBif.exe
  C:\Windows\System32\fjvYBif.exe
  2⤵
  PID:9280
- C:\Windows\System32\cjDvGeq.exe
  C:\Windows\System32\cjDvGeq.exe
  2⤵
  PID:9304
- C:\Windows\System32\zrlAEry.exe
  C:\Windows\System32\zrlAEry.exe
  2⤵
  PID:9356
- C:\Windows\System32\hFvARmF.exe
  C:\Windows\System32\hFvARmF.exe
  2⤵
  PID:9380
- C:\Windows\System32\UPmYQZw.exe
  C:\Windows\System32\UPmYQZw.exe
  2⤵
  PID:9400
- C:\Windows\System32\MZhOtDK.exe
  C:\Windows\System32\MZhOtDK.exe
  2⤵
  PID:9440
- C:\Windows\System32\QWtEikG.exe
  C:\Windows\System32\QWtEikG.exe
  2⤵
  PID:9456
- C:\Windows\System32\SvtHBmm.exe
  C:\Windows\System32\SvtHBmm.exe
  2⤵
  PID:9492
- C:\Windows\System32\QeLXrvy.exe
  C:\Windows\System32\QeLXrvy.exe
  2⤵
  PID:9512
- C:\Windows\System32\QWQmKvg.exe
  C:\Windows\System32\QWQmKvg.exe
  2⤵
  PID:9540
- C:\Windows\System32\ijcuTdx.exe
  C:\Windows\System32\ijcuTdx.exe
  2⤵
  PID:9560
- C:\Windows\System32\SjSNVok.exe
  C:\Windows\System32\SjSNVok.exe
  2⤵
  PID:9576
- C:\Windows\System32\gAOsPqB.exe
  C:\Windows\System32\gAOsPqB.exe
  2⤵
  PID:9596
- C:\Windows\System32\roXcrBZ.exe
  C:\Windows\System32\roXcrBZ.exe
  2⤵
  PID:9612
- C:\Windows\System32\vpMzfpA.exe
  C:\Windows\System32\vpMzfpA.exe
  2⤵
  PID:9636
- C:\Windows\System32\BDqyzYm.exe
  C:\Windows\System32\BDqyzYm.exe
  2⤵
  PID:9672
- C:\Windows\System32\whDzqPU.exe
  C:\Windows\System32\whDzqPU.exe
  2⤵
  PID:9736
- C:\Windows\System32\RGvhwGu.exe
  C:\Windows\System32\RGvhwGu.exe
  2⤵
  PID:9768
- C:\Windows\System32\QdIdkxe.exe
  C:\Windows\System32\QdIdkxe.exe
  2⤵
  PID:9796
- C:\Windows\System32\NcHNzye.exe
  C:\Windows\System32\NcHNzye.exe
  2⤵
  PID:9824
- C:\Windows\System32\fbOTkPl.exe
  C:\Windows\System32\fbOTkPl.exe
  2⤵
  PID:9840
- C:\Windows\System32\SVetAcp.exe
  C:\Windows\System32\SVetAcp.exe
  2⤵
  PID:9876
- C:\Windows\System32\rBPPXtG.exe
  C:\Windows\System32\rBPPXtG.exe
  2⤵
  PID:9908
- C:\Windows\System32\HlYXqTI.exe
  C:\Windows\System32\HlYXqTI.exe
  2⤵
  PID:9932
- C:\Windows\System32\tbvcSsP.exe
  C:\Windows\System32\tbvcSsP.exe
  2⤵
  PID:9952
- C:\Windows\System32\vacEQMI.exe
  C:\Windows\System32\vacEQMI.exe
  2⤵
  PID:9984
- C:\Windows\System32\pNKjZvK.exe
  C:\Windows\System32\pNKjZvK.exe
  2⤵
  PID:10012
- C:\Windows\System32\wZTKvAC.exe
  C:\Windows\System32\wZTKvAC.exe
  2⤵
  PID:10036
- C:\Windows\System32\OOoXAAF.exe
  C:\Windows\System32\OOoXAAF.exe
  2⤵
  PID:10064
- C:\Windows\System32\UVcSZka.exe
  C:\Windows\System32\UVcSZka.exe
  2⤵
  PID:10104
- C:\Windows\System32\NGwyQib.exe
  C:\Windows\System32\NGwyQib.exe
  2⤵
  PID:10136
- C:\Windows\System32\chqAPoU.exe
  C:\Windows\System32\chqAPoU.exe
  2⤵
  PID:10160
- C:\Windows\System32\RfEKlMu.exe
  C:\Windows\System32\RfEKlMu.exe
  2⤵
  PID:10176
- C:\Windows\System32\TKdAtwH.exe
  C:\Windows\System32\TKdAtwH.exe
  2⤵
  PID:10216
- C:\Windows\System32\hDmnfUE.exe
  C:\Windows\System32\hDmnfUE.exe
  2⤵
  PID:8812
- C:\Windows\System32\wnkBpVy.exe
  C:\Windows\System32\wnkBpVy.exe
  2⤵
  PID:9276
- C:\Windows\System32\ZmyHaeT.exe
  C:\Windows\System32\ZmyHaeT.exe
  2⤵
  PID:9316
- C:\Windows\System32\HnmNKbF.exe
  C:\Windows\System32\HnmNKbF.exe
  2⤵
  PID:9368
- C:\Windows\System32\XGylIXg.exe
  C:\Windows\System32\XGylIXg.exe
  2⤵
  PID:9452
- C:\Windows\System32\dhaDAdh.exe
  C:\Windows\System32\dhaDAdh.exe
  2⤵
  PID:9536
- C:\Windows\System32\OxpTQqL.exe
  C:\Windows\System32\OxpTQqL.exe
  2⤵
  PID:9660
- C:\Windows\System32\BYQdqdK.exe
  C:\Windows\System32\BYQdqdK.exe
  2⤵
  PID:9884
- C:\Windows\System32\CcWMANd.exe
  C:\Windows\System32\CcWMANd.exe
  2⤵
  PID:9940
- C:\Windows\System32\HEwIrfC.exe
  C:\Windows\System32\HEwIrfC.exe
  2⤵
  PID:9972
- C:\Windows\System32\WtwShlW.exe
  C:\Windows\System32\WtwShlW.exe
  2⤵
  PID:10020
- C:\Windows\System32\hbEndDy.exe
  C:\Windows\System32\hbEndDy.exe
  2⤵
  PID:10024
- C:\Windows\System32\pPgOVSk.exe
  C:\Windows\System32\pPgOVSk.exe
  2⤵
  PID:10100
- C:\Windows\System32\EphQiyA.exe
  C:\Windows\System32\EphQiyA.exe
  2⤵
  PID:10124
- C:\Windows\System32\sQkoNFO.exe
  C:\Windows\System32\sQkoNFO.exe
  2⤵
  PID:10144
- C:\Windows\System32\ClweCJd.exe
  C:\Windows\System32\ClweCJd.exe
  2⤵
  PID:10192
- C:\Windows\System32\sUvVjKh.exe
  C:\Windows\System32\sUvVjKh.exe
  2⤵
  PID:8940
- C:\Windows\System32\fVvStNq.exe
  C:\Windows\System32\fVvStNq.exe
  2⤵
  PID:9296
- C:\Windows\System32\IlqlyvP.exe
  C:\Windows\System32\IlqlyvP.exe
  2⤵
  PID:9336
- C:\Windows\System32\zmiNErn.exe
  C:\Windows\System32\zmiNErn.exe
  2⤵
  PID:9344
- C:\Windows\System32\mmjWpKC.exe
  C:\Windows\System32\mmjWpKC.exe
  2⤵
  PID:9504
- C:\Windows\System32\QDydCdX.exe
  C:\Windows\System32\QDydCdX.exe
  2⤵
  PID:10244
- C:\Windows\System32\lmYluof.exe
  C:\Windows\System32\lmYluof.exe
  2⤵
  PID:10260
- C:\Windows\System32\rvuhYwr.exe
  C:\Windows\System32\rvuhYwr.exe
  2⤵
  PID:10276
- C:\Windows\System32\aCfeBrZ.exe
  C:\Windows\System32\aCfeBrZ.exe
  2⤵
  PID:10292
- C:\Windows\System32\gesxFHG.exe
  C:\Windows\System32\gesxFHG.exe
  2⤵
  PID:10308
- C:\Windows\System32\USLrQaS.exe
  C:\Windows\System32\USLrQaS.exe
  2⤵
  PID:10324
- C:\Windows\System32\KyiBrxs.exe
  C:\Windows\System32\KyiBrxs.exe
  2⤵
  PID:10340
- C:\Windows\System32\qoMRwIT.exe
  C:\Windows\System32\qoMRwIT.exe
  2⤵
  PID:10376
- C:\Windows\System32\GZSjbvy.exe
  C:\Windows\System32\GZSjbvy.exe
  2⤵
  PID:10404
- C:\Windows\System32\Gsoznwu.exe
  C:\Windows\System32\Gsoznwu.exe
  2⤵
  PID:10420
- C:\Windows\System32\WlIAOne.exe
  C:\Windows\System32\WlIAOne.exe
  2⤵
  PID:10440
- C:\Windows\System32\JDfJbhw.exe
  C:\Windows\System32\JDfJbhw.exe
  2⤵
  PID:10456
- C:\Windows\System32\XaOKFFO.exe
  C:\Windows\System32\XaOKFFO.exe
  2⤵
  PID:10472
- C:\Windows\System32\zCsqsUv.exe
  C:\Windows\System32\zCsqsUv.exe
  2⤵
  PID:10488
- C:\Windows\System32\ZaVHQAB.exe
  C:\Windows\System32\ZaVHQAB.exe
  2⤵
  PID:10504
- C:\Windows\System32\eOvCNjw.exe
  C:\Windows\System32\eOvCNjw.exe
  2⤵
  PID:10520
- C:\Windows\System32\GDCbFUM.exe
  C:\Windows\System32\GDCbFUM.exe
  2⤵
  PID:10604
- C:\Windows\System32\bnthydh.exe
  C:\Windows\System32\bnthydh.exe
  2⤵
  PID:10720
- C:\Windows\System32\GZEHcqO.exe
  C:\Windows\System32\GZEHcqO.exe
  2⤵
  PID:10736
- C:\Windows\System32\CujOsvg.exe
  C:\Windows\System32\CujOsvg.exe
  2⤵
  PID:10760
- C:\Windows\System32\DTlMxYd.exe
  C:\Windows\System32\DTlMxYd.exe
  2⤵
  PID:10912
- C:\Windows\System32\YyjrZRl.exe
  C:\Windows\System32\YyjrZRl.exe
  2⤵
  PID:10992
- C:\Windows\System32\OESBSqb.exe
  C:\Windows\System32\OESBSqb.exe
  2⤵
  PID:11012
- C:\Windows\System32\PZpGXFo.exe
  C:\Windows\System32\PZpGXFo.exe
  2⤵
  PID:11032
- C:\Windows\System32\FlTMYhc.exe
  C:\Windows\System32\FlTMYhc.exe
  2⤵
  PID:11052
- C:\Windows\System32\RNKIjdD.exe
  C:\Windows\System32\RNKIjdD.exe
  2⤵
  PID:11076
- C:\Windows\System32\VzbQqeA.exe
  C:\Windows\System32\VzbQqeA.exe
  2⤵
  PID:11100
- C:\Windows\System32\hdqaFJC.exe
  C:\Windows\System32\hdqaFJC.exe
  2⤵
  PID:11208
- C:\Windows\System32\YKjVswU.exe
  C:\Windows\System32\YKjVswU.exe
  2⤵
  PID:11236
- C:\Windows\System32\TKJpCzO.exe
  C:\Windows\System32\TKJpCzO.exe
  2⤵
  PID:9620
- C:\Windows\System32\UynSLJk.exe
  C:\Windows\System32\UynSLJk.exe
  2⤵
  PID:9964
- C:\Windows\System32\LuuWsCE.exe
  C:\Windows\System32\LuuWsCE.exe
  2⤵
  PID:9236
- C:\Windows\System32\pesYkqY.exe
  C:\Windows\System32\pesYkqY.exe
  2⤵
  PID:9696
- C:\Windows\System32\BjljMRp.exe
  C:\Windows\System32\BjljMRp.exe
  2⤵
  PID:10252
- C:\Windows\System32\jEKaLyL.exe
  C:\Windows\System32\jEKaLyL.exe
  2⤵
  PID:10392
- C:\Windows\System32\ROmsGXl.exe
  C:\Windows\System32\ROmsGXl.exe
  2⤵
  PID:10188
- C:\Windows\System32\codUVjR.exe
  C:\Windows\System32\codUVjR.exe
  2⤵
  PID:9552
- C:\Windows\System32\JcgxjvD.exe
  C:\Windows\System32\JcgxjvD.exe
  2⤵
  PID:10256
- C:\Windows\System32\gkkgrwP.exe
  C:\Windows\System32\gkkgrwP.exe
  2⤵
  PID:10304
- C:\Windows\System32\WwHTehs.exe
  C:\Windows\System32\WwHTehs.exe
  2⤵
  PID:9848
- C:\Windows\System32\hlIMArN.exe
  C:\Windows\System32\hlIMArN.exe
  2⤵
  PID:10360
- C:\Windows\System32\FxznFEL.exe
  C:\Windows\System32\FxznFEL.exe
  2⤵
  PID:10388
- C:\Windows\System32\ooDPuKk.exe
  C:\Windows\System32\ooDPuKk.exe
  2⤵
  PID:10052
- C:\Windows\System32\kDmDQsJ.exe
  C:\Windows\System32\kDmDQsJ.exe
  2⤵
  PID:10484
- C:\Windows\System32\PtNUVbj.exe
  C:\Windows\System32\PtNUVbj.exe
  2⤵
  PID:10752
- C:\Windows\System32\LDvOJQq.exe
  C:\Windows\System32\LDvOJQq.exe
  2⤵
  PID:10684
- C:\Windows\System32\cNTWuzK.exe
  C:\Windows\System32\cNTWuzK.exe
  2⤵
  PID:10948
- C:\Windows\System32\RmYqITv.exe
  C:\Windows\System32\RmYqITv.exe
  2⤵
  PID:10840
- C:\Windows\System32\plAuOYx.exe
  C:\Windows\System32\plAuOYx.exe
  2⤵
  PID:10880
- C:\Windows\System32\xZauvcG.exe
  C:\Windows\System32\xZauvcG.exe
  2⤵
  PID:11004
- C:\Windows\System32\liTajzE.exe
  C:\Windows\System32\liTajzE.exe
  2⤵
  PID:11084
- C:\Windows\System32\ZiJsSHY.exe
  C:\Windows\System32\ZiJsSHY.exe
  2⤵
  PID:11144
- C:\Windows\System32\szoKArV.exe
  C:\Windows\System32\szoKArV.exe
  2⤵
  PID:11204
- C:\Windows\System32\esOkzVE.exe
  C:\Windows\System32\esOkzVE.exe
  2⤵
  PID:11156
- C:\Windows\System32\IiOlMYY.exe
  C:\Windows\System32\IiOlMYY.exe
  2⤵
  PID:11256
- C:\Windows\System32\uUnDBds.exe
  C:\Windows\System32\uUnDBds.exe
  2⤵
  PID:10168
- C:\Windows\System32\maFIIer.exe
  C:\Windows\System32\maFIIer.exe
  2⤵
  PID:9920
- C:\Windows\System32\WxlZtcv.exe
  C:\Windows\System32\WxlZtcv.exe
  2⤵
  PID:9292
- C:\Windows\System32\WWtkZOw.exe
  C:\Windows\System32\WWtkZOw.exe
  2⤵
  PID:9836
- C:\Windows\System32\nSCVlcb.exe
  C:\Windows\System32\nSCVlcb.exe
  2⤵
  PID:10348
- C:\Windows\System32\xGPeZWg.exe
  C:\Windows\System32\xGPeZWg.exe
  2⤵
  PID:10660
- C:\Windows\System32\CejbXOM.exe
  C:\Windows\System32\CejbXOM.exe
  2⤵
  PID:10744
- C:\Windows\System32\tfxUluF.exe
  C:\Windows\System32\tfxUluF.exe
  2⤵
  PID:11096
- C:\Windows\System32\RnTyIEi.exe
  C:\Windows\System32\RnTyIEi.exe
  2⤵
  PID:11132
- C:\Windows\System32\QcwlSmy.exe
  C:\Windows\System32\QcwlSmy.exe
  2⤵
  PID:10336
- C:\Windows\System32\oIqqYpJ.exe
  C:\Windows\System32\oIqqYpJ.exe
  2⤵
  PID:10832
- C:\Windows\System32\xiArGZe.exe
  C:\Windows\System32\xiArGZe.exe
  2⤵
  PID:11232
- C:\Windows\System32\OqzJOwU.exe
  C:\Windows\System32\OqzJOwU.exe
  2⤵
  PID:9604
- C:\Windows\System32\XJHNcTn.exe
  C:\Windows\System32\XJHNcTn.exe
  2⤵
  PID:10320
- C:\Windows\System32\DjELvFF.exe
  C:\Windows\System32\DjELvFF.exe
  2⤵
  PID:11272
- C:\Windows\System32\JbNcRcN.exe
  C:\Windows\System32\JbNcRcN.exe
  2⤵
  PID:11296
- C:\Windows\System32\yfZadZo.exe
  C:\Windows\System32\yfZadZo.exe
  2⤵
  PID:11336
- C:\Windows\System32\NUvwYzs.exe
  C:\Windows\System32\NUvwYzs.exe
  2⤵
  PID:11356
- C:\Windows\System32\TutMwhy.exe
  C:\Windows\System32\TutMwhy.exe
  2⤵
  PID:11396
- C:\Windows\System32\PaTykOB.exe
  C:\Windows\System32\PaTykOB.exe
  2⤵
  PID:11412
- C:\Windows\System32\GAoEGHj.exe
  C:\Windows\System32\GAoEGHj.exe
  2⤵
  PID:11440
- C:\Windows\System32\NKtBIGX.exe
  C:\Windows\System32\NKtBIGX.exe
  2⤵
  PID:11464
- C:\Windows\System32\jxAOJdM.exe
  C:\Windows\System32\jxAOJdM.exe
  2⤵
  PID:11516
- C:\Windows\System32\nBMAqGJ.exe
  C:\Windows\System32\nBMAqGJ.exe
  2⤵
  PID:11536
- C:\Windows\System32\xhdtpIN.exe
  C:\Windows\System32\xhdtpIN.exe
  2⤵
  PID:11576
- C:\Windows\System32\XotJpVU.exe
  C:\Windows\System32\XotJpVU.exe
  2⤵
  PID:11592
- C:\Windows\System32\IqhGRXQ.exe
  C:\Windows\System32\IqhGRXQ.exe
  2⤵
  PID:11628
- C:\Windows\System32\cJCkAbb.exe
  C:\Windows\System32\cJCkAbb.exe
  2⤵
  PID:11648
- C:\Windows\System32\IrakagI.exe
  C:\Windows\System32\IrakagI.exe
  2⤵
  PID:11664
- C:\Windows\System32\zaCBwJS.exe
  C:\Windows\System32\zaCBwJS.exe
  2⤵
  PID:11684
- C:\Windows\System32\ANBIIhV.exe
  C:\Windows\System32\ANBIIhV.exe
  2⤵
  PID:11728
- C:\Windows\System32\TKwXhyF.exe
  C:\Windows\System32\TKwXhyF.exe
  2⤵
  PID:11756
- C:\Windows\System32\LZbnSys.exe
  C:\Windows\System32\LZbnSys.exe
  2⤵
  PID:11776
- C:\Windows\System32\TdIEaRT.exe
  C:\Windows\System32\TdIEaRT.exe
  2⤵
  PID:11804
- C:\Windows\System32\DLovRqv.exe
  C:\Windows\System32\DLovRqv.exe
  2⤵
  PID:11832
- C:\Windows\System32\ljpMFFl.exe
  C:\Windows\System32\ljpMFFl.exe
  2⤵
  PID:11852
- C:\Windows\System32\dIfCpZU.exe
  C:\Windows\System32\dIfCpZU.exe
  2⤵
  PID:11868
- C:\Windows\System32\AINpDPd.exe
  C:\Windows\System32\AINpDPd.exe
  2⤵
  PID:11928
- C:\Windows\System32\DJdkekr.exe
  C:\Windows\System32\DJdkekr.exe
  2⤵
  PID:11948
- C:\Windows\System32\YkUhmud.exe
  C:\Windows\System32\YkUhmud.exe
  2⤵
  PID:11972
- C:\Windows\System32\CKCIlUB.exe
  C:\Windows\System32\CKCIlUB.exe
  2⤵
  PID:11988
- C:\Windows\System32\qFErCie.exe
  C:\Windows\System32\qFErCie.exe
  2⤵
  PID:12032
- C:\Windows\System32\LMqFOKw.exe
  C:\Windows\System32\LMqFOKw.exe
  2⤵
  PID:12072
- C:\Windows\System32\PJmkcdh.exe
  C:\Windows\System32\PJmkcdh.exe
  2⤵
  PID:12088
- C:\Windows\System32\UVWgKkI.exe
  C:\Windows\System32\UVWgKkI.exe
  2⤵
  PID:12128
- C:\Windows\System32\vGFWBPX.exe
  C:\Windows\System32\vGFWBPX.exe
  2⤵
  PID:12152
- C:\Windows\System32\QxFHEik.exe
  C:\Windows\System32\QxFHEik.exe
  2⤵
  PID:12172
- C:\Windows\System32\pQXVhHp.exe
  C:\Windows\System32\pQXVhHp.exe
  2⤵
  PID:12200
- C:\Windows\System32\kNvolhZ.exe
  C:\Windows\System32\kNvolhZ.exe
  2⤵
  PID:12232
- C:\Windows\System32\PPpaMSH.exe
  C:\Windows\System32\PPpaMSH.exe
  2⤵
  PID:12260
- C:\Windows\System32\cgNUBju.exe
  C:\Windows\System32\cgNUBju.exe
  2⤵
  PID:11268
- C:\Windows\System32\yJeThyg.exe
  C:\Windows\System32\yJeThyg.exe
  2⤵
  PID:11316
- C:\Windows\System32\itUBhUy.exe
  C:\Windows\System32\itUBhUy.exe
  2⤵
  PID:11332
- C:\Windows\System32\bLDrTnT.exe
  C:\Windows\System32\bLDrTnT.exe
  2⤵
  PID:11408
- C:\Windows\System32\JMWmWcr.exe
  C:\Windows\System32\JMWmWcr.exe
  2⤵
  PID:11448
- C:\Windows\System32\kFgNjSt.exe
  C:\Windows\System32\kFgNjSt.exe
  2⤵
  PID:11492
- C:\Windows\System32\oVnjxBm.exe
  C:\Windows\System32\oVnjxBm.exe
  2⤵
  PID:11556
- C:\Windows\System32\oPZsMXD.exe
  C:\Windows\System32\oPZsMXD.exe
  2⤵
  PID:11644
- C:\Windows\System32\pGWAKSm.exe
  C:\Windows\System32\pGWAKSm.exe
  2⤵
  PID:11744
- C:\Windows\System32\dLTDeWg.exe
  C:\Windows\System32\dLTDeWg.exe
  2⤵
  PID:11816
- C:\Windows\System32\WpbogQh.exe
  C:\Windows\System32\WpbogQh.exe
  2⤵
  PID:11840
- C:\Windows\System32\oXVcYxD.exe
  C:\Windows\System32\oXVcYxD.exe
  2⤵
  PID:11912
- C:\Windows\System32\yqUfnao.exe
  C:\Windows\System32\yqUfnao.exe
  2⤵
  PID:11956
- C:\Windows\System32\gWYFTYj.exe
  C:\Windows\System32\gWYFTYj.exe
  2⤵
  PID:12008
- C:\Windows\System32\MOYnDFM.exe
  C:\Windows\System32\MOYnDFM.exe
  2⤵
  PID:4888
- C:\Windows\System32\nVNCOGe.exe
  C:\Windows\System32\nVNCOGe.exe
  2⤵
  PID:12136
- C:\Windows\System32\yQVYlPC.exe
  C:\Windows\System32\yQVYlPC.exe
  2⤵
  PID:12208
- C:\Windows\System32\qnMWOVS.exe
  C:\Windows\System32\qnMWOVS.exe
  2⤵
  PID:10640
- C:\Windows\System32\QllwUpj.exe
  C:\Windows\System32\QllwUpj.exe
  2⤵
  PID:11304
- C:\Windows\System32\zVbqfYI.exe
  C:\Windows\System32\zVbqfYI.exe
  2⤵
  PID:11432
- C:\Windows\System32\ULyCbWY.exe
  C:\Windows\System32\ULyCbWY.exe
  2⤵
  PID:11584
- C:\Windows\System32\aWATGNA.exe
  C:\Windows\System32\aWATGNA.exe
  2⤵
  PID:5056
- C:\Windows\System32\VPrMFfU.exe
  C:\Windows\System32\VPrMFfU.exe
  2⤵
  PID:11904
- C:\Windows\System32\yQdnCIS.exe
  C:\Windows\System32\yQdnCIS.exe
  2⤵
  PID:11980
- C:\Windows\System32\psTNidY.exe
  C:\Windows\System32\psTNidY.exe
  2⤵
  PID:12168
- C:\Windows\System32\jBGJNzv.exe
  C:\Windows\System32\jBGJNzv.exe
  2⤵
  PID:10564
- C:\Windows\System32\zwiebgk.exe
  C:\Windows\System32\zwiebgk.exe
  2⤵
  PID:11636
- C:\Windows\System32\rnjeNsT.exe
  C:\Windows\System32\rnjeNsT.exe
  2⤵
  PID:12056
- C:\Windows\System32\jYVUVWQ.exe
  C:\Windows\System32\jYVUVWQ.exe
  2⤵
  PID:4844
- C:\Windows\System32\CGoqrPz.exe
  C:\Windows\System32\CGoqrPz.exe
  2⤵
  PID:12212
- C:\Windows\System32\dyskLcA.exe
  C:\Windows\System32\dyskLcA.exe
  2⤵
  PID:11364
- C:\Windows\System32\TZILVZf.exe
  C:\Windows\System32\TZILVZf.exe
  2⤵
  PID:12112
- C:\Windows\System32\rPkbmSP.exe
  C:\Windows\System32\rPkbmSP.exe
  2⤵
  PID:12052
- C:\Windows\System32\YcKstCb.exe
  C:\Windows\System32\YcKstCb.exe
  2⤵
  PID:12312
- C:\Windows\System32\ZmkyJNr.exe
  C:\Windows\System32\ZmkyJNr.exe
  2⤵
  PID:12328
- C:\Windows\System32\XNCZVZH.exe
  C:\Windows\System32\XNCZVZH.exe
  2⤵
  PID:12356
- C:\Windows\System32\nwBahMF.exe
  C:\Windows\System32\nwBahMF.exe
  2⤵
  PID:12372
- C:\Windows\System32\HJvCpuC.exe
  C:\Windows\System32\HJvCpuC.exe
  2⤵
  PID:12392
- C:\Windows\System32\nMRYIfa.exe
  C:\Windows\System32\nMRYIfa.exe
  2⤵
  PID:12412
- C:\Windows\System32\PXcKdGE.exe
  C:\Windows\System32\PXcKdGE.exe
  2⤵
  PID:12428
- C:\Windows\System32\wOhNskc.exe
  C:\Windows\System32\wOhNskc.exe
  2⤵
  PID:12452
- C:\Windows\System32\eEQJKxz.exe
  C:\Windows\System32\eEQJKxz.exe
  2⤵
  PID:12472
- C:\Windows\System32\EdMBYyZ.exe
  C:\Windows\System32\EdMBYyZ.exe
  2⤵
  PID:12488
- C:\Windows\System32\AynJlrG.exe
  C:\Windows\System32\AynJlrG.exe
  2⤵
  PID:12508
- C:\Windows\System32\tyAtRXP.exe
  C:\Windows\System32\tyAtRXP.exe
  2⤵
  PID:12576
- C:\Windows\System32\mpihUWx.exe
  C:\Windows\System32\mpihUWx.exe
  2⤵
  PID:12672
- C:\Windows\System32\ukCsoZH.exe
  C:\Windows\System32\ukCsoZH.exe
  2⤵
  PID:12716
- C:\Windows\System32\rujXIlo.exe
  C:\Windows\System32\rujXIlo.exe
  2⤵
  PID:12744
- C:\Windows\System32\MnuqfTB.exe
  C:\Windows\System32\MnuqfTB.exe
  2⤵
  PID:12764
- C:\Windows\System32\ZYIZvIk.exe
  C:\Windows\System32\ZYIZvIk.exe
  2⤵
  PID:12792
- C:\Windows\System32\zsDYfwS.exe
  C:\Windows\System32\zsDYfwS.exe
  2⤵
  PID:12808
- C:\Windows\System32\kZMOFsq.exe
  C:\Windows\System32\kZMOFsq.exe
  2⤵
  PID:12832
- C:\Windows\System32\bsqrFrn.exe
  C:\Windows\System32\bsqrFrn.exe
  2⤵
  PID:12848
- C:\Windows\System32\WIcqhbO.exe
  C:\Windows\System32\WIcqhbO.exe
  2⤵
  PID:12876
- C:\Windows\System32\mivkbot.exe
  C:\Windows\System32\mivkbot.exe
  2⤵
  PID:12892
- C:\Windows\System32\RhGZMVZ.exe
  C:\Windows\System32\RhGZMVZ.exe
  2⤵
  PID:12908
- C:\Windows\System32\TCvKYOL.exe
  C:\Windows\System32\TCvKYOL.exe
  2⤵
  PID:12936
- C:\Windows\System32\AGrDHKG.exe
  C:\Windows\System32\AGrDHKG.exe
  2⤵
  PID:12964
- C:\Windows\System32\QKEfTEA.exe
  C:\Windows\System32\QKEfTEA.exe
  2⤵
  PID:12984
- C:\Windows\System32\jAiVshx.exe
  C:\Windows\System32\jAiVshx.exe
  2⤵
  PID:13008
- C:\Windows\System32\viseTUJ.exe
  C:\Windows\System32\viseTUJ.exe
  2⤵
  PID:13060
- C:\Windows\System32\JGtEDqk.exe
  C:\Windows\System32\JGtEDqk.exe
  2⤵
  PID:13128
- C:\Windows\System32\SuEDzGh.exe
  C:\Windows\System32\SuEDzGh.exe
  2⤵
  PID:13144
- C:\Windows\System32\wrlvhhL.exe
  C:\Windows\System32\wrlvhhL.exe
  2⤵
  PID:13196
- C:\Windows\System32\wtiexup.exe
  C:\Windows\System32\wtiexup.exe
  2⤵
  PID:13220
- C:\Windows\System32\zijEHfk.exe
  C:\Windows\System32\zijEHfk.exe
  2⤵
  PID:13264
- C:\Windows\System32\WcGySjx.exe
  C:\Windows\System32\WcGySjx.exe
  2⤵
  PID:13280
- C:\Windows\System32\jISjnBy.exe
  C:\Windows\System32\jISjnBy.exe
  2⤵
  PID:13308
- C:\Windows\System32\LYdSlBP.exe
  C:\Windows\System32\LYdSlBP.exe
  2⤵
  PID:12320
- C:\Windows\System32\Byonkgg.exe
  C:\Windows\System32\Byonkgg.exe
  2⤵
  PID:12368
- C:\Windows\System32\vUfIVds.exe
  C:\Windows\System32\vUfIVds.exe
  2⤵
  PID:12520
- C:\Windows\System32\obSgzqW.exe
  C:\Windows\System32\obSgzqW.exe
  2⤵
  PID:12424
- C:\Windows\System32\AdiRZXT.exe
  C:\Windows\System32\AdiRZXT.exe
  2⤵
  PID:12552
- C:\Windows\System32\OEABkEM.exe
  C:\Windows\System32\OEABkEM.exe
  2⤵
  PID:12600
- C:\Windows\System32\NOAOaNP.exe
  C:\Windows\System32\NOAOaNP.exe
  2⤵
  PID:12700
- C:\Windows\System32\pyrMaQl.exe
  C:\Windows\System32\pyrMaQl.exe
  2⤵
  PID:12736
- C:\Windows\System32\jXcKuJU.exe
  C:\Windows\System32\jXcKuJU.exe
  2⤵
  PID:12828
- C:\Windows\System32\GoFcSMT.exe
  C:\Windows\System32\GoFcSMT.exe
  2⤵
  PID:12784
- C:\Windows\System32\eHCNDPD.exe
  C:\Windows\System32\eHCNDPD.exe
  2⤵
  PID:12872
- C:\Windows\System32\CxMWEZb.exe
  C:\Windows\System32\CxMWEZb.exe
  2⤵
  PID:12924
- C:\Windows\System32\ENwdMaC.exe
  C:\Windows\System32\ENwdMaC.exe
  2⤵
  PID:12928
- C:\Windows\System32\LPfhZmg.exe
  C:\Windows\System32\LPfhZmg.exe
  2⤵
  PID:13040
- C:\Windows\System32\xMUKpvJ.exe
  C:\Windows\System32\xMUKpvJ.exe
  2⤵
  PID:12772
- C:\Windows\System32\EGqhwKm.exe
  C:\Windows\System32\EGqhwKm.exe
  2⤵
  PID:12856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4260,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
1⤵
PID:5144

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BODiaUj.exe

Filesize
945KB

MD5
56c69296050f1acb344c190416ca3ad7

SHA1
c94d951aee814a16674e038a6fe66275f0766f0e

SHA256
d0e07b17f7f2472f1ead12706cec33270ab5f98adf84d32a7cf895998f9cb88e

SHA512
e7cd3e3b30cc0b32f6e1b446ff2cfcf4ee5d36c826a641a73f3b1ab2b6d5d361845a94226af78c106ccf98aafbc3337f141410692281565445713de5d802e3cf

Download Submit
C:\Windows\System32\DgYlwvX.exe

Filesize
943KB

MD5
21b8d0221edc1015796f0bbeff6d71a0

SHA1
a4f69a5e4f1e48ce705af2b23c68783ebfa2828c

SHA256
cff347f0d9f952696878e6f09027dca73172234088431b795a504000f6079c41

SHA512
630ad5f7065f90de7355bc99474af152e4ca4cf4fdfc5621470ccedb2f26623e93863d3028d8ba6131b2032e892dc17a1dcb4208fe2192fe6dc9506148462f02

Download Submit
C:\Windows\System32\DmAWJeB.exe

Filesize
947KB

MD5
0332c4581b31d93729bc3585ab79bbb8

SHA1
a3e302eb1618159b2381f521967197cf55ee060f

SHA256
13b9178203dae14f0d1457bc2c834bd52499fdb7818e0ef0f71ed7a03f89521b

SHA512
6a318faf3ca04ceb51969991cd668785398fae54cf875ba37d82cc04a59fac12befb014bf32fbb6d2e680dec8c6387bcb647552def814fe7d56f87af0725cdfa

Download Submit
C:\Windows\System32\ENnxDLV.exe

Filesize
949KB

MD5
9057a00be576b6108221864130985054

SHA1
22c1d54095e8608eb0963c59bd8a5115d9511b63

SHA256
eec04ba35514d84877197999d014f4913654ddddbf46eb922a793b5aae995ab7

SHA512
c9b9a1e329b52a4105a1cb305a3102a386b4f139d6ba1971b4630340c2db083fbb037002751a45002a23b04f280541b6869a50d96e1f6683fe9a58c06bae5c0e

Download Submit
C:\Windows\System32\GZWcdAP.exe

Filesize
949KB

MD5
04a53e0e77d1ed9ac2de3951bfb60995

SHA1
69ca54e5e11be4bb94acf54938614ce33d42b739

SHA256
224a9dc221b47c4cd3b0c8d2007b3f18795dc9847ab494092d88516baf91635c

SHA512
aa0fcd71611dcf1dcff046fd0d1da380755fb413f7b88a658769bfca0f9f157ad6e1904a8a05671b91148d11df1c5d5d4b024f85c916fe44cd96b4ef67514fc9

Download Submit
C:\Windows\System32\GZfDEwh.exe

Filesize
950KB

MD5
a766d077ce519551941bce0d7d84f5b6

SHA1
bbe418754fa7842a29c473151759e1d984feae04

SHA256
e99cf88164024db2fd4e534f15eedf1535079711ce326be0f3817b4b3d447971

SHA512
b5c7f4d77ab96cab112c7ad8a86ed6adc1baabf6c1bb9b64f61065fae9744d8de08531c20fc76062a580361e199a1bb2244f9eb9a9d3114d4c607b97b5c1358a

Download Submit
C:\Windows\System32\HyqFknd.exe

Filesize
947KB

MD5
bdb0255a16a54860d3592d6f22c2b3f0

SHA1
011c2311ac173ca53ba682864bf65e100de65c96

SHA256
05031a096d8e5af872e673d92b948f0b35c02b6003b69c714c5db97ec6475128

SHA512
cfd089d297c10922e6b689841c6e4cad59e9eede5af3aed1d9f6164bd97f6a67ba82b906306b501e5e6582205b1402839a8fecdecf681ff6c62d28e1f15e1f1d

Download Submit
C:\Windows\System32\NAgKEnB.exe

Filesize
951KB

MD5
4b00fe666b613cc0272f5e5d440f0e25

SHA1
5099a982ffe6bd61c782419599459aeee754df11

SHA256
501ac050694d6706becb72870d38a08fe0e91ec5df9803cb2ed2a5863ab9fad2

SHA512
fbd17bcc30edf6b6c19771e8b413628c6c64ed04ee8900435db677027dd7bf0b7eb1c3ad30ab8702cb3265bf732d8c7736d9c51446df5967c6d878edc2aecd14

Download Submit
C:\Windows\System32\NrybJPG.exe

Filesize
944KB

MD5
70026cbf448b3f3020bc55a3245744c1

SHA1
d0e81cd1b4f271efff43d3a288be459f7eff9984

SHA256
3d2c121e252bd09b58d65d682fb4dfb7299039a611aa54158ac34e57528f118a

SHA512
4ea693d8fbc4f4833a7b0d35e6a0e5d6f50be4c360d8acff43119d9b4bdaba69e8915250a46534eccfff03299e1e0036d91f03038ec87033c30eb0876fffddef

Download Submit
C:\Windows\System32\OcmiqTS.exe

Filesize
951KB

MD5
b829503eac3d4c120787b1a9bca5f5a0

SHA1
fc6334f09c8bdf40fdae8cb06bb23928b2a8a785

SHA256
ddcf0704db1cb72f34c3792f6677eaf93a970907ca85bdb3ecaf305aac18e3bd

SHA512
d9e9a880d6b3caab3bf0cbb320674e231ee6f30dc265b5c3f226ff5af409fcb619067184b33871c6cabe1bce0900a62673b3e3d2fcadad370906c45bfa6bb3ff

Download Submit
C:\Windows\System32\SBRPvQZ.exe

Filesize
948KB

MD5
208efa27e74be67eef4d600b5406292e

SHA1
7f9704b630954915a751762272c22bca52b31d4b

SHA256
bbb9f8b35b5a269b5f35e0fad0ac6bd726bffc101880e07d0d849658462eb835

SHA512
4196b4c30baee494e13c9a7331b641bccb4db29548551a0f5a87e52e840282059dc40436fc9c493e1387ec5893e8e0b649b07283c41f3d5e5381bcd3a1a51821

Download Submit
C:\Windows\System32\TBjBPwt.exe

Filesize
943KB

MD5
5911bf7690cee5176bc9aad6a5748bec

SHA1
24a1b3ccec5ef80a85fc18f78d75fe02c6a9553c

SHA256
8da4d2daee3dcf0277d803211faa7601102578125775e3da030b11b76c0ea7ff

SHA512
161ab7fdb374c4918e062325998ca2ca4ac58662c710086690b833bb3d5d1de7b56e1c43367cd5421c85c0d97d326c506b72fd2cc0636f8ff7d68857647493d3

Download Submit
C:\Windows\System32\THZYTuj.exe

Filesize
943KB

MD5
cb59b8358a7a5c02fe64e83b69a771cc

SHA1
e845c80fe56c591431dd2192d616494a555657bf

SHA256
07cad983b8602080534b8ba6edd44badc08fd3ac6fc90df7a4bb120e2be0cd94

SHA512
ddf6b8ee4c96e337b2d5c27e42b936208d957f7aa2643b6834c4d73f86aa82afb8c4b45514ebbd1a07a8a704eb67463e54fb159f97d895c4d0d1dff6ce1cca93

Download Submit
C:\Windows\System32\UAslJmE.exe

Filesize
948KB

MD5
e5ed83befbf7fa7288a60ec48df398ad

SHA1
2c25c2f13225a0a54817542ff9ba8ad2623f2545

SHA256
aeda2a1683811b5ef265dee1f2b2493b8a82b4e1d4baf1607dd4f29b17bf6473

SHA512
752ca054f43a0ce1dd82af4895fb0d2845c05c250d5cc8a64b2a0c0a7ba960093b4aef0cfbcd40cb9df8ed5f176c6558e85be890e5b6da5865463872d18b98a6

Download Submit
C:\Windows\System32\UDCNkxJ.exe

Filesize
950KB

MD5
e0e4729af5b231fc46be981449a05a82

SHA1
4a8bff7bc5da9e04dcab9adeb7705eb36abb66c1

SHA256
cedefb14b070e652a102df3341801a3616c15f1360f795a282a93757d45c9707

SHA512
b3aa0b40bc4081e0b648d219ebade2e698c025712e56328952c089f8b77d5fa91dfed087521dfc4dc1fa2670b7ce04a4e7a4ac5eacf0d85518174f5afcd5e016

Download Submit
C:\Windows\System32\VveDhrO.exe

Filesize
945KB

MD5
5cd06c524c2a86f120ceccf102d77962

SHA1
6fc4aede54acac75a10ed0591ec83cbfb71aa057

SHA256
65a6188308b69241459973ab6718af8fbf33bbbbf5bd3a25110cdcb11f34be08

SHA512
f4e6f437a131e469d66586feb178ff5bfef93d39199029477687bffae9954d09b044a5c9545145ba42c9976019437816b32fb68045ec735e30dd0f518dd3b0cb

Download Submit
C:\Windows\System32\badWOjm.exe

Filesize
946KB

MD5
4cf86d1bec1fb3c4dbe57c08c69de189

SHA1
ba189b687768aa776f676908231eef75c0c2dbfc

SHA256
750e9cf697626eafe07255e9ad9ecdb37d6c0df94f3df48f4c341689d1fd38a5

SHA512
f73bf0ccdfc9c64b84b3a5aa849ea37e4b9c9beb39e4543c73845c50f53e36cdf6bca32b3235919a2b9800a754fb992a85d22dba474b5540558499c9dc094eb7

Download Submit
C:\Windows\System32\bleuxpi.exe

Filesize
947KB

MD5
bc92da9f2335d35220c25da526f64346

SHA1
8672e73f276893ca154dd48c9533e595751bdd47

SHA256
fb1527a9629c797529c3934413dd878af12a7a48df9fc5d0cf3d0612ab302d53

SHA512
78bd540f0a76a22043f8ff7a5cf5e527a60e2d241e88f776257ee0def29ce6c4aade351094cf138920398f8befd4fd7f87cce60d5e31efe42747dd0162e34f0d

Download Submit
C:\Windows\System32\fUMWmMU.exe

Filesize
944KB

MD5
ad90698ad69f90be987822b7d9272288

SHA1
355649ca946a103c58cd49ec7fff3af6efebcf9f

SHA256
cebafcd194a0b476583d22ccafde4b6666a715090c0d22c77afcf41142553b7c

SHA512
8f7c399c071be0d63244c844d492a79f587be2da8fde7362acf558f2e3d00167b803178336c546362cdbbcb40f91ff5a5f65c16c49cb46f451b2fcfccb00e134

Download Submit
C:\Windows\System32\gAtxeBv.exe

Filesize
950KB

MD5
b7d5f56fbeac1b84af11bc6a0b580f3e

SHA1
af230f4c4f61a14fa4d6bd37a8e3800b61ad5786

SHA256
c88493541bf193d15ba429680b5f54ddabbb3ecb0715bf6359f16d5c854a1659

SHA512
5bd695974a2274c6ef7176c4ad131736f7637f13a5b343314777ed1128f742b37f244c123dbd073e332b40d314f1870ecf0d709d1ed6f2391e20706ff65429b9

Download Submit
C:\Windows\System32\ghqVDDM.exe

Filesize
948KB

MD5
a84b384ee30e79213c3bbc2a4ffeb2d7

SHA1
e19d6831f41a992369438b76c59d0359ce7b51d4

SHA256
578da1fc1632e1dd33d16fc28e963a7b99036540c51949403e759a0c7f4f0afc

SHA512
d12fe6b433c063e87540724132a3dda180d65b0743a413f8b1805384a85e78dd6c312b80c69355a2272ad74c6e8fd7bdf7d276c2e143a75c7b014575f582b438

Download Submit
C:\Windows\System32\jWvgXrm.exe

Filesize
946KB

MD5
e240de60f7dbe809c559226099ce19ce

SHA1
96ef73dc24bf291516c5e5da9f34eb56ded61a8b

SHA256
23adb0d2902ad83d71533918f2348af65801ce093367722d66885e7e3906b48d

SHA512
8d5a4bb55e5893bfb795363db206f4174aa41e8a1ac6f45ab126711325660c23bead86b4b3b40978c7b43a12dca8371edce3daa6ee9cd0c4e0ea97e5a0dfe5b6

Download Submit
C:\Windows\System32\jqHfOjO.exe

Filesize
948KB

MD5
e456ed7e2a572072bdcb714535ac1532

SHA1
0acdb289deae6e0989b70cab8e366b68f8754daf

SHA256
f30dfeb71721ba0d564e8180401c1c032f312aa9a6c08c22681503e38b4a55f8

SHA512
c23d726bc705688b863e59c64eed0256ad2121481a8f2e50ba4fa1b00a253bc517b89393661bfcaea96fb31ecd25fb646fbfde9e4773032698c99e9f2b7b95ac

Download Submit
C:\Windows\System32\lCItcId.exe

Filesize
944KB

MD5
9c6203cc5739917906459b38b35c742c

SHA1
f32ef6944210146d27c5290e1a0b06cf156f93e1

SHA256
47b3a93a3ec2d5498d2072246615746f01f70ccd70fae9dc226ad144de888969

SHA512
169e2139d93634043dc1e56db55b484b6de6c029d5b3f98ef16985c53e3f19cd0941d2d1f5ed74a508d7b743be9ae6f1e3d4de5a7aeb1f111910c4e4ca977b32

Download Submit
C:\Windows\System32\msjVlYk.exe

Filesize
946KB

MD5
21f0b8f081cd93ffd70800cc9abeba39

SHA1
ff53d4088ebd089abd44b98876952a230d3a1481

SHA256
0260431528f3be25199d6831e0faaacfbf2ac11c8fe58efaf581748947e8fe0b

SHA512
b6261d6e552b3deb584fb182df33bd503482c621644d30a60e47edfbe7fbe411887d461541e71da0fb405fb68951acd0d3872a1dd0d4f7ad39cecd8ed78eaf87

Download Submit
C:\Windows\System32\nNQLlGX.exe

Filesize
949KB

MD5
a242a2eb22e244827fb3fe377e2a3f4e

SHA1
2264597fd55e71728bebc71035324e39e7a74aad

SHA256
6440242160ccfcace493c8dfa365817bb6ee7a0916cb2fb8e1ec86e733e09f9c

SHA512
f1c5b42360d52820b58fc824fe1925acac003625756628d05f2788e38f3c10ab960056bb551f5d59293a9bcdfc2d024af6004e46e025697fbf95565b50d95bde

Download Submit
C:\Windows\System32\oYDkkSD.exe

Filesize
944KB

MD5
8ebcef60e453502eb7d83f65ee459c8c

SHA1
7a3a4a929efdbda5a162cc47ba62af6962da2e08

SHA256
69f9cdfbce8cddb92bed3a0db5e529ea720808a8463515d53360541ea26e5f28

SHA512
b51b29909696112f648cd93209fa08518926aaf22533ca14e212ccc76a7014d79960134977fb1ee8415cefb10d53c19cecd0f25d61cc653d2e8bb7a3de69a82b

Download Submit
C:\Windows\System32\qPlWIgd.exe

Filesize
945KB

MD5
d40d0238e4e5f009979f5b5536e54936

SHA1
61abefc7aa9a5b4d6adf5940adae3e3a8d6b4163

SHA256
008431a6b622a61808c0ad22a244c3c6f8e9440f03eb7d80ce77a5cfb6848c15

SHA512
cfdef3288e74e74667f5ac697988e49f49e36511ff463c1067a227f138c67b500fbb648f09d2cfb5138bc537c9e405a90173be887cacd304b0c57f2f15f9d58e

Download Submit
C:\Windows\System32\qmqmNhH.exe

Filesize
949KB

MD5
8d055e27101626e888e1da01ff9d5295

SHA1
6a996b35652c65e58ba91470967af7ef7c8cb535

SHA256
446135475c183ccdbd797809ed531b3a6c01c461d3b0742cbd83f12ffa9df504

SHA512
a4a55a8cfa6671cd37d236c7865a19b3592aae20681f4ac1f32b3f0605d7a17f187a28ee7666deb7daad283b912641f805981d4363e47ff47f04b83521cd6811

Download Submit
C:\Windows\System32\tPgexoS.exe

Filesize
947KB

MD5
e5dc28ef03e288a421a1f1fab8e4d0ed

SHA1
249a23b2ca6e41b3780b5538ecd913709189ac7f

SHA256
fe540520a53081a4ada207bfe9d218bc1bf627c1f4ac3b0fc66c15e4c66d97fb

SHA512
bcb69d6a1785d8480f2bc5940d6c04da938fc227d68273d0f038fe8c5a34feb3b113e41338019dcdeb6fd2b6552e98ab7d5ac0cc4c42e33a0c1268c113c777a4

Download Submit
C:\Windows\System32\uHakhMf.exe

Filesize
946KB

MD5
8cd55a0c09cc043b47fdb7122715a11c

SHA1
7b48231116961ca40870495610637c6d06fa3452

SHA256
b081340f3a81415e82557ade7ee07a184b83162b849c1e83a5dbac3a97509c0f

SHA512
39d3bb528ee9a16548293bfcf584451324ba80c84d2b47d1831423e157cf15304c559f1cf03c64c9deb84ff85737bcf3b81af24bed4135145a4b13f9b80835a6

Download Submit
C:\Windows\System32\xOpKtsq.exe

Filesize
945KB

MD5
ea3d35f43fb4f5072de8fb41135d2398

SHA1
4ebc3fe76c89a24a722567a3c16598204c4010e7

SHA256
eab7d6e0f7a197daafea183aa615f575273516667835632caca9a3be2ff9f54e

SHA512
6735294b5dc1512ae6e33bf904334796855a4936ebb8205df6ba56c042011d72bd7ea6841d767eefecf30999acb20a3c2a880c85db23e1effcd8b3f541531a60

Download Submit
C:\Windows\System32\zwujCkk.exe

Filesize
950KB

MD5
84c31df339914097c1ab1b59cea266cc

SHA1
e7008b359656ddedaef3b4293bafbb29af9d1d7a

SHA256
f4d51a994967b32bbe2caf902018c146df619a9dd665664452fe1bb919046e3f

SHA512
32e489b73fc8953cbdb547ec51f2c323e6b9d4738d3e6d40f35c03b93379c688d0db7754a50492be0898bff5bfca57c5a010a4094401c364f3e717e6c24f05b4

Download Submit
memory/468-2023-0x00007FF6C67F0000-0x00007FF6C6BE1000-memory.dmp

Filesize
3.9MB

Download
memory/468-442-0x00007FF6C67F0000-0x00007FF6C6BE1000-memory.dmp

Filesize
3.9MB

Download
memory/720-2033-0x00007FF7DE030000-0x00007FF7DE421000-memory.dmp

Filesize
3.9MB

Download
memory/720-452-0x00007FF7DE030000-0x00007FF7DE421000-memory.dmp

Filesize
3.9MB

Download
memory/972-573-0x00007FF6DEC30000-0x00007FF6DF021000-memory.dmp

Filesize
3.9MB

Download
memory/972-2050-0x00007FF6DEC30000-0x00007FF6DF021000-memory.dmp

Filesize
3.9MB

Download
memory/1316-1958-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1316-35-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp

Filesize
3.9MB

Download
memory/1316-2009-0x00007FF6D0BD0000-0x00007FF6D0FC1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-52-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp

Filesize
3.9MB

Download
memory/2076-1960-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp

Filesize
3.9MB

Download
memory/2076-2027-0x00007FF71E9A0000-0x00007FF71ED91000-memory.dmp

Filesize
3.9MB

Download
memory/2140-451-0x00007FF7A80E0000-0x00007FF7A84D1000-memory.dmp

Filesize
3.9MB

Download
memory/2140-2015-0x00007FF7A80E0000-0x00007FF7A84D1000-memory.dmp

Filesize
3.9MB

Download
memory/2212-475-0x00007FF66A840000-0x00007FF66AC31000-memory.dmp

Filesize
3.9MB

Download
memory/2212-2037-0x00007FF66A840000-0x00007FF66AC31000-memory.dmp

Filesize
3.9MB

Download
memory/2340-464-0x00007FF7DB050000-0x00007FF7DB441000-memory.dmp

Filesize
3.9MB

Download
memory/2340-2039-0x00007FF7DB050000-0x00007FF7DB441000-memory.dmp

Filesize
3.9MB

Download
memory/2676-477-0x00007FF712B60000-0x00007FF712F51000-memory.dmp

Filesize
3.9MB

Download
memory/2676-2041-0x00007FF712B60000-0x00007FF712F51000-memory.dmp

Filesize
3.9MB

Download
memory/2800-574-0x00007FF6B5410000-0x00007FF6B5801000-memory.dmp

Filesize
3.9MB

Download
memory/2800-2047-0x00007FF6B5410000-0x00007FF6B5801000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2025-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp

Filesize
3.9MB

Download
memory/2812-54-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp

Filesize
3.9MB

Download
memory/2812-1987-0x00007FF75C6B0000-0x00007FF75CAA1000-memory.dmp

Filesize
3.9MB

Download
memory/2848-2035-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp

Filesize
3.9MB

Download
memory/2848-1997-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp

Filesize
3.9MB

Download
memory/2848-61-0x00007FF6FC7A0000-0x00007FF6FCB91000-memory.dmp

Filesize
3.9MB

Download
memory/2980-0-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp

Filesize
3.9MB

Download
memory/2980-1819-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp

Filesize
3.9MB

Download
memory/2980-1-0x00000152D1BA0000-0x00000152D1BB0000-memory.dmp

Filesize
64KB

Download
memory/2980-1995-0x00007FF63F620000-0x00007FF63FA11000-memory.dmp

Filesize
3.9MB

Download
memory/3212-2021-0x00007FF796180000-0x00007FF796571000-memory.dmp

Filesize
3.9MB

Download
memory/3212-448-0x00007FF796180000-0x00007FF796571000-memory.dmp

Filesize
3.9MB

Download
memory/3488-2029-0x00007FF7AFF80000-0x00007FF7B0371000-memory.dmp

Filesize
3.9MB

Download
memory/3488-470-0x00007FF7AFF80000-0x00007FF7B0371000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2043-0x00007FF723090000-0x00007FF723481000-memory.dmp

Filesize
3.9MB

Download
memory/3508-572-0x00007FF723090000-0x00007FF723481000-memory.dmp

Filesize
3.9MB

Download
memory/3596-463-0x00007FF6585C0000-0x00007FF6589B1000-memory.dmp

Filesize
3.9MB

Download
memory/3596-2019-0x00007FF6585C0000-0x00007FF6589B1000-memory.dmp

Filesize
3.9MB

Download
memory/3620-466-0x00007FF722F90000-0x00007FF723381000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2031-0x00007FF722F90000-0x00007FF723381000-memory.dmp

Filesize
3.9MB

Download
memory/3668-2007-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp

Filesize
3.9MB

Download
memory/3668-13-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp

Filesize
3.9MB

Download
memory/3668-1950-0x00007FF6C5780000-0x00007FF6C5B71000-memory.dmp

Filesize
3.9MB

Download
memory/4056-1959-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp

Filesize
3.9MB

Download
memory/4056-36-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp

Filesize
3.9MB

Download
memory/4056-2013-0x00007FF75EA10000-0x00007FF75EE01000-memory.dmp

Filesize
3.9MB

Download
memory/4404-11-0x00007FF6CE630000-0x00007FF6CEA21000-memory.dmp

Filesize
3.9MB

Download
memory/4404-2001-0x00007FF6CE630000-0x00007FF6CEA21000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2011-0x00007FF786EE0000-0x00007FF7872D1000-memory.dmp

Filesize
3.9MB

Download
memory/4548-57-0x00007FF786EE0000-0x00007FF7872D1000-memory.dmp

Filesize
3.9MB

Download
memory/4700-32-0x00007FF778FB0000-0x00007FF7793A1000-memory.dmp

Filesize
3.9MB

Download
memory/4700-2005-0x00007FF778FB0000-0x00007FF7793A1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2003-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-18-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-1957-0x00007FF64B8C0000-0x00007FF64BCB1000-memory.dmp

Filesize
3.9MB

Download
memory/4968-2018-0x00007FF7E86F0000-0x00007FF7E8AE1000-memory.dmp

Filesize
3.9MB

Download
memory/4968-459-0x00007FF7E86F0000-0x00007FF7E8AE1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads