xmrig | 2b3362e9060263c240feef5775a66b4f9ddb06af874b98c9915d3431c94d3b59

Analysis

max time kernel
101s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfee72685889e1ae8ee38f113faf63f0N.exe
Size

1.3MB
MD5

bfee72685889e1ae8ee38f113faf63f0
SHA1

037c5d291f8fd94a20b1fc18cbd10ecfba5fdb7c
SHA256

2b3362e9060263c240feef5775a66b4f9ddb06af874b98c9915d3431c94d3b59
SHA512

5a72a9d17256e26194deadc8da72ae009e248c0d98bde6e5269d0b73a6381f95f77b7591e3a6ee5f5565fb1099a3f253eb7e610b2e684e916e6915436c1dd15c
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcqdt3/mbq06BS8V2:knw9oUUEEDl37jcqdt3uzgE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/1556-47-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp	xmrig
behavioral2/memory/3456-48-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp	xmrig
behavioral2/memory/1172-274-0x00007FF7254F0000-0x00007FF7258E1000-memory.dmp	xmrig
behavioral2/memory/756-285-0x00007FF7C59C0000-0x00007FF7C5DB1000-memory.dmp	xmrig
behavioral2/memory/4952-297-0x00007FF733740000-0x00007FF733B31000-memory.dmp	xmrig
behavioral2/memory/468-308-0x00007FF716A80000-0x00007FF716E71000-memory.dmp	xmrig
behavioral2/memory/4348-311-0x00007FF6D89B0000-0x00007FF6D8DA1000-memory.dmp	xmrig
behavioral2/memory/3896-307-0x00007FF6D19E0000-0x00007FF6D1DD1000-memory.dmp	xmrig
behavioral2/memory/2812-318-0x00007FF6D1760000-0x00007FF6D1B51000-memory.dmp	xmrig
behavioral2/memory/1992-321-0x00007FF6B5460000-0x00007FF6B5851000-memory.dmp	xmrig
behavioral2/memory/4536-319-0x00007FF6EE3E0000-0x00007FF6EE7D1000-memory.dmp	xmrig
behavioral2/memory/4912-299-0x00007FF6BD600000-0x00007FF6BD9F1000-memory.dmp	xmrig
behavioral2/memory/1916-291-0x00007FF6B3380000-0x00007FF6B3771000-memory.dmp	xmrig
behavioral2/memory/3660-283-0x00007FF659840000-0x00007FF659C31000-memory.dmp	xmrig
behavioral2/memory/348-280-0x00007FF6C0FB0000-0x00007FF6C13A1000-memory.dmp	xmrig
behavioral2/memory/2912-329-0x00007FF76D0E0000-0x00007FF76D4D1000-memory.dmp	xmrig
behavioral2/memory/4532-342-0x00007FF7FA1A0000-0x00007FF7FA591000-memory.dmp	xmrig
behavioral2/memory/2972-332-0x00007FF618070000-0x00007FF618461000-memory.dmp	xmrig
behavioral2/memory/2464-326-0x00007FF636200000-0x00007FF6365F1000-memory.dmp	xmrig
behavioral2/memory/4684-50-0x00007FF7E23C0000-0x00007FF7E27B1000-memory.dmp	xmrig
behavioral2/memory/1760-45-0x00007FF6FE5F0000-0x00007FF6FE9E1000-memory.dmp	xmrig
behavioral2/memory/2200-1890-0x00007FF7E85A0000-0x00007FF7E8991000-memory.dmp	xmrig
behavioral2/memory/2860-1924-0x00007FF66F470000-0x00007FF66F861000-memory.dmp	xmrig
behavioral2/memory/2556-1925-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	xmrig
behavioral2/memory/3864-1926-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp	xmrig
behavioral2/memory/1556-1951-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp	xmrig
behavioral2/memory/3456-1961-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp	xmrig
behavioral2/memory/2860-1963-0x00007FF66F470000-0x00007FF66F861000-memory.dmp	xmrig
behavioral2/memory/2556-1965-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	xmrig
behavioral2/memory/1760-1967-0x00007FF6FE5F0000-0x00007FF6FE9E1000-memory.dmp	xmrig
behavioral2/memory/4684-1973-0x00007FF7E23C0000-0x00007FF7E27B1000-memory.dmp	xmrig
behavioral2/memory/1556-1975-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp	xmrig
behavioral2/memory/1172-1971-0x00007FF7254F0000-0x00007FF7258E1000-memory.dmp	xmrig
behavioral2/memory/3864-1969-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp	xmrig
behavioral2/memory/4532-1977-0x00007FF7FA1A0000-0x00007FF7FA591000-memory.dmp	xmrig
behavioral2/memory/348-1979-0x00007FF6C0FB0000-0x00007FF6C13A1000-memory.dmp	xmrig
behavioral2/memory/3660-1981-0x00007FF659840000-0x00007FF659C31000-memory.dmp	xmrig
behavioral2/memory/756-1983-0x00007FF7C59C0000-0x00007FF7C5DB1000-memory.dmp	xmrig
behavioral2/memory/1916-1989-0x00007FF6B3380000-0x00007FF6B3771000-memory.dmp	xmrig
behavioral2/memory/4912-1987-0x00007FF6BD600000-0x00007FF6BD9F1000-memory.dmp	xmrig
behavioral2/memory/4952-1985-0x00007FF733740000-0x00007FF733B31000-memory.dmp	xmrig
behavioral2/memory/4536-1995-0x00007FF6EE3E0000-0x00007FF6EE7D1000-memory.dmp	xmrig
behavioral2/memory/1992-1997-0x00007FF6B5460000-0x00007FF6B5851000-memory.dmp	xmrig
behavioral2/memory/2464-2003-0x00007FF636200000-0x00007FF6365F1000-memory.dmp	xmrig
behavioral2/memory/2912-2005-0x00007FF76D0E0000-0x00007FF76D4D1000-memory.dmp	xmrig
behavioral2/memory/4348-2001-0x00007FF6D89B0000-0x00007FF6D8DA1000-memory.dmp	xmrig
behavioral2/memory/2812-1999-0x00007FF6D1760000-0x00007FF6D1B51000-memory.dmp	xmrig
behavioral2/memory/468-1993-0x00007FF716A80000-0x00007FF716E71000-memory.dmp	xmrig
behavioral2/memory/3896-1991-0x00007FF6D19E0000-0x00007FF6D1DD1000-memory.dmp	xmrig
behavioral2/memory/2972-2008-0x00007FF618070000-0x00007FF618461000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2860	lcXrCjm.exe
3456	DvChgRz.exe
2556	ebwWEdP.exe
4684	jLkEXyu.exe
3864	hkmKcQE.exe
1760	NZXeqNA.exe
1172	BCBDtaR.exe
1556	FRyDWCw.exe
4532	VsaKpKM.exe
348	zpMFfNc.exe
3660	jvUjXYL.exe
756	AjUkjYL.exe
1916	aLtBupf.exe
4952	EkdOrDs.exe
4912	RLsKlGn.exe
3896	QIVYosX.exe
468	kAZRrsv.exe
4348	DFIIECo.exe
2812	WFvKTmb.exe
4536	XaFMHdu.exe
1992	YeJrbsV.exe
2464	PxAWgKW.exe
2912	SECOPom.exe
2972	mzRCXAq.exe
2120	DyIjwmB.exe
924	WeenCsT.exe
4080	mcwucZC.exe
1152	RvwVFTc.exe
336	TKodVuD.exe
3996	hacrwjI.exe
3128	CXdeUTH.exe
3992	vWWqiyi.exe
3204	AxjatmG.exe
1288	tYUwwbQ.exe
4484	rwLNvbj.exe
2640	KaNaTlT.exe
4044	eCJEZDE.exe
636	wxYFDvs.exe
4868	oFZxlxH.exe
4292	EJSbowu.exe
2272	tDuqwOF.exe
3044	BPvmkJx.exe
3828	RkrYRDB.exe
1484	lAtAUnZ.exe
4888	GQujCAm.exe
1492	xeMyphz.exe
2296	qDfHfYM.exe
2700	JJHnpnl.exe
4140	EYHLtTO.exe
3328	UOFyZuJ.exe
4552	CUZNtjL.exe
5032	veqGetn.exe
4352	psdjjsJ.exe
4340	WkfhfLt.exe
2672	jzDrdgl.exe
640	YDUsxHU.exe
3952	YjAZLNB.exe
1728	PbVdMEn.exe
4024	LVPgTIJ.exe
5052	fdlbhgC.exe
4644	NKkmGxJ.exe
4320	IDxqHed.exe
2892	YevOhtX.exe
4312	lOUDBFl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-0-0x00007FF7E85A0000-0x00007FF7E8991000-memory.dmp	upx
behavioral2/files/0x0009000000023444-5.dat	upx
behavioral2/files/0x0007000000023499-8.dat	upx
behavioral2/files/0x0008000000023495-11.dat	upx
behavioral2/files/0x000700000002349b-24.dat	upx
behavioral2/files/0x000700000002349c-25.dat	upx
behavioral2/files/0x000700000002349d-29.dat	upx
behavioral2/files/0x000700000002349a-33.dat	upx
behavioral2/memory/3864-40-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp	upx
behavioral2/memory/1556-47-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp	upx
behavioral2/memory/3456-48-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp	upx
behavioral2/files/0x000700000002349f-53.dat	upx
behavioral2/files/0x00070000000234a0-58.dat	upx
behavioral2/files/0x00070000000234a1-66.dat	upx
behavioral2/files/0x00070000000234a3-70.dat	upx
behavioral2/files/0x00070000000234a5-83.dat	upx
behavioral2/files/0x00070000000234a8-94.dat	upx
behavioral2/files/0x00070000000234a9-99.dat	upx
behavioral2/files/0x00070000000234aa-111.dat	upx
behavioral2/files/0x00070000000234ac-121.dat	upx
behavioral2/files/0x00070000000234ad-126.dat	upx
behavioral2/files/0x00070000000234af-136.dat	upx
behavioral2/files/0x00070000000234b1-146.dat	upx
behavioral2/files/0x00070000000234b4-155.dat	upx
behavioral2/files/0x00070000000234b5-166.dat	upx
behavioral2/memory/1172-274-0x00007FF7254F0000-0x00007FF7258E1000-memory.dmp	upx
behavioral2/memory/756-285-0x00007FF7C59C0000-0x00007FF7C5DB1000-memory.dmp	upx
behavioral2/memory/4952-297-0x00007FF733740000-0x00007FF733B31000-memory.dmp	upx
behavioral2/memory/468-308-0x00007FF716A80000-0x00007FF716E71000-memory.dmp	upx
behavioral2/memory/4348-311-0x00007FF6D89B0000-0x00007FF6D8DA1000-memory.dmp	upx
behavioral2/memory/3896-307-0x00007FF6D19E0000-0x00007FF6D1DD1000-memory.dmp	upx
behavioral2/memory/2812-318-0x00007FF6D1760000-0x00007FF6D1B51000-memory.dmp	upx
behavioral2/memory/1992-321-0x00007FF6B5460000-0x00007FF6B5851000-memory.dmp	upx
behavioral2/memory/4536-319-0x00007FF6EE3E0000-0x00007FF6EE7D1000-memory.dmp	upx
behavioral2/memory/4912-299-0x00007FF6BD600000-0x00007FF6BD9F1000-memory.dmp	upx
behavioral2/memory/1916-291-0x00007FF6B3380000-0x00007FF6B3771000-memory.dmp	upx
behavioral2/memory/3660-283-0x00007FF659840000-0x00007FF659C31000-memory.dmp	upx
behavioral2/memory/348-280-0x00007FF6C0FB0000-0x00007FF6C13A1000-memory.dmp	upx
behavioral2/memory/2912-329-0x00007FF76D0E0000-0x00007FF76D4D1000-memory.dmp	upx
behavioral2/memory/4532-342-0x00007FF7FA1A0000-0x00007FF7FA591000-memory.dmp	upx
behavioral2/memory/2972-332-0x00007FF618070000-0x00007FF618461000-memory.dmp	upx
behavioral2/memory/2464-326-0x00007FF636200000-0x00007FF6365F1000-memory.dmp	upx
behavioral2/files/0x00070000000234b6-168.dat	upx
behavioral2/files/0x00070000000234b3-153.dat	upx
behavioral2/files/0x00070000000234b2-148.dat	upx
behavioral2/files/0x00070000000234b0-138.dat	upx
behavioral2/files/0x00070000000234ae-131.dat	upx
behavioral2/files/0x00070000000234ab-113.dat	upx
behavioral2/files/0x00070000000234a7-96.dat	upx
behavioral2/files/0x00070000000234a6-88.dat	upx
behavioral2/files/0x00070000000234a4-81.dat	upx
behavioral2/files/0x00070000000234a2-68.dat	upx
behavioral2/memory/4684-50-0x00007FF7E23C0000-0x00007FF7E27B1000-memory.dmp	upx
behavioral2/memory/1760-45-0x00007FF6FE5F0000-0x00007FF6FE9E1000-memory.dmp	upx
behavioral2/files/0x000700000002349e-44.dat	upx
behavioral2/memory/2556-23-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	upx
behavioral2/memory/2860-17-0x00007FF66F470000-0x00007FF66F861000-memory.dmp	upx
behavioral2/memory/2200-1890-0x00007FF7E85A0000-0x00007FF7E8991000-memory.dmp	upx
behavioral2/memory/2860-1924-0x00007FF66F470000-0x00007FF66F861000-memory.dmp	upx
behavioral2/memory/2556-1925-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	upx
behavioral2/memory/3864-1926-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp	upx
behavioral2/memory/1556-1951-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp	upx
behavioral2/memory/3456-1961-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp	upx
behavioral2/memory/2860-1963-0x00007FF66F470000-0x00007FF66F861000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\QdbuDZV.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\HmHzMZg.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\pkGKsvX.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\RkrYRDB.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\YBcUtnQ.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\IgKsJCl.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\ZWsQLZR.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\PjvMKeb.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\klToBXi.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\hMFgVqZ.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\OtVFRZi.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\LGOHLUI.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\CePEiet.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\WkfhfLt.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\EErjtUm.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\OJceUoG.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\VHBUNni.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\XJoDBKi.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\dHUcAgU.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\nUxxgIE.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\upUkCAl.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\LtNcoLH.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\bCNgzcJ.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\JSAxHLI.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\UOFyZuJ.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\IDxqHed.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\HjVtLcp.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\GXVFUdc.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\OHgRBUM.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\hobTUNc.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\HHPDMnx.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\iqvloHg.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\VdfcYoq.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\bqtTDVd.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\EHvYMOj.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\yFCatgi.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\WsXnCik.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\gxvWqmj.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\TIpYHHI.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\gbnoaFo.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\NxYKECE.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\ERnZkUT.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\srPMVjm.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\qtOhUkM.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\imvTZAj.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\IYKIsqs.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\VKyqIMl.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\rozcLKX.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\RvwVFTc.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\doQcypb.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\BLWTMdA.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\rIDdVjM.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\BKSljWa.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\ZcCvAjO.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\gXZgCYP.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\slUGOiQ.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\rtwdVDP.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\DDQgWFU.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\wKHOzqt.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\UAnfITV.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\ZsWfWDi.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\WeenCsT.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\BPvmkJx.exe	bfee72685889e1ae8ee38f113faf63f0N.exe
File created	C:\Windows\System32\ZsXdFbP.exe	bfee72685889e1ae8ee38f113faf63f0N.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12424	dwm.exe
Token: SeChangeNotifyPrivilege	12424	dwm.exe
Token: 33	12424	dwm.exe
Token: SeIncBasePriorityPrivilege	12424	dwm.exe
Token: SeCreateGlobalPrivilege	14076	dwm.exe
Token: SeChangeNotifyPrivilege	14076	dwm.exe
Token: 33	14076	dwm.exe
Token: SeIncBasePriorityPrivilege	14076	dwm.exe
Token: SeShutdownPrivilege	14076	dwm.exe
Token: SeCreatePagefilePrivilege	14076	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2860	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	85
PID 2200 wrote to memory of 2860	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	85
PID 2200 wrote to memory of 3456	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	86
PID 2200 wrote to memory of 3456	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	86
PID 2200 wrote to memory of 2556	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	87
PID 2200 wrote to memory of 2556	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	87
PID 2200 wrote to memory of 4684	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	88
PID 2200 wrote to memory of 4684	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	88
PID 2200 wrote to memory of 3864	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	89
PID 2200 wrote to memory of 3864	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	89
PID 2200 wrote to memory of 1760	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	90
PID 2200 wrote to memory of 1760	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	90
PID 2200 wrote to memory of 1172	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	91
PID 2200 wrote to memory of 1172	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	91
PID 2200 wrote to memory of 1556	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	92
PID 2200 wrote to memory of 1556	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	92
PID 2200 wrote to memory of 4532	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	93
PID 2200 wrote to memory of 4532	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	93
PID 2200 wrote to memory of 348	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	94
PID 2200 wrote to memory of 348	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	94
PID 2200 wrote to memory of 3660	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	95
PID 2200 wrote to memory of 3660	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	95
PID 2200 wrote to memory of 756	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	96
PID 2200 wrote to memory of 756	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	96
PID 2200 wrote to memory of 1916	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	97
PID 2200 wrote to memory of 1916	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	97
PID 2200 wrote to memory of 4952	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	98
PID 2200 wrote to memory of 4952	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	98
PID 2200 wrote to memory of 4912	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	99
PID 2200 wrote to memory of 4912	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	99
PID 2200 wrote to memory of 3896	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	100
PID 2200 wrote to memory of 3896	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	100
PID 2200 wrote to memory of 468	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	101
PID 2200 wrote to memory of 468	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	101
PID 2200 wrote to memory of 4348	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	102
PID 2200 wrote to memory of 4348	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	102
PID 2200 wrote to memory of 2812	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	103
PID 2200 wrote to memory of 2812	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	103
PID 2200 wrote to memory of 4536	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	104
PID 2200 wrote to memory of 4536	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	104
PID 2200 wrote to memory of 1992	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	105
PID 2200 wrote to memory of 1992	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	105
PID 2200 wrote to memory of 2464	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	106
PID 2200 wrote to memory of 2464	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	106
PID 2200 wrote to memory of 2912	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	107
PID 2200 wrote to memory of 2912	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	107
PID 2200 wrote to memory of 2972	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	108
PID 2200 wrote to memory of 2972	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	108
PID 2200 wrote to memory of 2120	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	109
PID 2200 wrote to memory of 2120	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	109
PID 2200 wrote to memory of 924	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	110
PID 2200 wrote to memory of 924	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	110
PID 2200 wrote to memory of 4080	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	111
PID 2200 wrote to memory of 4080	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	111
PID 2200 wrote to memory of 1152	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	112
PID 2200 wrote to memory of 1152	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	112
PID 2200 wrote to memory of 336	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	113
PID 2200 wrote to memory of 336	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	113
PID 2200 wrote to memory of 3996	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	114
PID 2200 wrote to memory of 3996	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	114
PID 2200 wrote to memory of 3128	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	115
PID 2200 wrote to memory of 3128	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	115
PID 2200 wrote to memory of 3992	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	116
PID 2200 wrote to memory of 3992	2200	bfee72685889e1ae8ee38f113faf63f0N.exe	116

C:\Users\Admin\AppData\Local\Temp\bfee72685889e1ae8ee38f113faf63f0N.exe
"C:\Users\Admin\AppData\Local\Temp\bfee72685889e1ae8ee38f113faf63f0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System32\lcXrCjm.exe
  C:\Windows\System32\lcXrCjm.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System32\DvChgRz.exe
  C:\Windows\System32\DvChgRz.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\ebwWEdP.exe
  C:\Windows\System32\ebwWEdP.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System32\jLkEXyu.exe
  C:\Windows\System32\jLkEXyu.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\hkmKcQE.exe
  C:\Windows\System32\hkmKcQE.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\NZXeqNA.exe
  C:\Windows\System32\NZXeqNA.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System32\BCBDtaR.exe
  C:\Windows\System32\BCBDtaR.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\FRyDWCw.exe
  C:\Windows\System32\FRyDWCw.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\VsaKpKM.exe
  C:\Windows\System32\VsaKpKM.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System32\zpMFfNc.exe
  C:\Windows\System32\zpMFfNc.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System32\jvUjXYL.exe
  C:\Windows\System32\jvUjXYL.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\AjUkjYL.exe
  C:\Windows\System32\AjUkjYL.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\aLtBupf.exe
  C:\Windows\System32\aLtBupf.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\EkdOrDs.exe
  C:\Windows\System32\EkdOrDs.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\RLsKlGn.exe
  C:\Windows\System32\RLsKlGn.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\QIVYosX.exe
  C:\Windows\System32\QIVYosX.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System32\kAZRrsv.exe
  C:\Windows\System32\kAZRrsv.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\DFIIECo.exe
  C:\Windows\System32\DFIIECo.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\WFvKTmb.exe
  C:\Windows\System32\WFvKTmb.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\XaFMHdu.exe
  C:\Windows\System32\XaFMHdu.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\YeJrbsV.exe
  C:\Windows\System32\YeJrbsV.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\PxAWgKW.exe
  C:\Windows\System32\PxAWgKW.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\SECOPom.exe
  C:\Windows\System32\SECOPom.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\mzRCXAq.exe
  C:\Windows\System32\mzRCXAq.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\DyIjwmB.exe
  C:\Windows\System32\DyIjwmB.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\WeenCsT.exe
  C:\Windows\System32\WeenCsT.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\mcwucZC.exe
  C:\Windows\System32\mcwucZC.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System32\RvwVFTc.exe
  C:\Windows\System32\RvwVFTc.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\TKodVuD.exe
  C:\Windows\System32\TKodVuD.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System32\hacrwjI.exe
  C:\Windows\System32\hacrwjI.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System32\CXdeUTH.exe
  C:\Windows\System32\CXdeUTH.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System32\vWWqiyi.exe
  C:\Windows\System32\vWWqiyi.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System32\AxjatmG.exe
  C:\Windows\System32\AxjatmG.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\tYUwwbQ.exe
  C:\Windows\System32\tYUwwbQ.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System32\rwLNvbj.exe
  C:\Windows\System32\rwLNvbj.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\KaNaTlT.exe
  C:\Windows\System32\KaNaTlT.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\eCJEZDE.exe
  C:\Windows\System32\eCJEZDE.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\wxYFDvs.exe
  C:\Windows\System32\wxYFDvs.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\oFZxlxH.exe
  C:\Windows\System32\oFZxlxH.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\EJSbowu.exe
  C:\Windows\System32\EJSbowu.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\tDuqwOF.exe
  C:\Windows\System32\tDuqwOF.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System32\BPvmkJx.exe
  C:\Windows\System32\BPvmkJx.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\RkrYRDB.exe
  C:\Windows\System32\RkrYRDB.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\lAtAUnZ.exe
  C:\Windows\System32\lAtAUnZ.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\GQujCAm.exe
  C:\Windows\System32\GQujCAm.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System32\xeMyphz.exe
  C:\Windows\System32\xeMyphz.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System32\qDfHfYM.exe
  C:\Windows\System32\qDfHfYM.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\JJHnpnl.exe
  C:\Windows\System32\JJHnpnl.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\EYHLtTO.exe
  C:\Windows\System32\EYHLtTO.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\UOFyZuJ.exe
  C:\Windows\System32\UOFyZuJ.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System32\CUZNtjL.exe
  C:\Windows\System32\CUZNtjL.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System32\veqGetn.exe
  C:\Windows\System32\veqGetn.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System32\psdjjsJ.exe
  C:\Windows\System32\psdjjsJ.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\WkfhfLt.exe
  C:\Windows\System32\WkfhfLt.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\jzDrdgl.exe
  C:\Windows\System32\jzDrdgl.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\YDUsxHU.exe
  C:\Windows\System32\YDUsxHU.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\YjAZLNB.exe
  C:\Windows\System32\YjAZLNB.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\PbVdMEn.exe
  C:\Windows\System32\PbVdMEn.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\LVPgTIJ.exe
  C:\Windows\System32\LVPgTIJ.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System32\fdlbhgC.exe
  C:\Windows\System32\fdlbhgC.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\NKkmGxJ.exe
  C:\Windows\System32\NKkmGxJ.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\IDxqHed.exe
  C:\Windows\System32\IDxqHed.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System32\YevOhtX.exe
  C:\Windows\System32\YevOhtX.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\lOUDBFl.exe
  C:\Windows\System32\lOUDBFl.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\BpFAXTR.exe
  C:\Windows\System32\BpFAXTR.exe
  2⤵
  PID:4364
- C:\Windows\System32\qvONzmR.exe
  C:\Windows\System32\qvONzmR.exe
  2⤵
  PID:3420
- C:\Windows\System32\evQTFmP.exe
  C:\Windows\System32\evQTFmP.exe
  2⤵
  PID:2348
- C:\Windows\System32\vhpnhGL.exe
  C:\Windows\System32\vhpnhGL.exe
  2⤵
  PID:4676
- C:\Windows\System32\BALTUqK.exe
  C:\Windows\System32\BALTUqK.exe
  2⤵
  PID:4640
- C:\Windows\System32\YwrsSmg.exe
  C:\Windows\System32\YwrsSmg.exe
  2⤵
  PID:592
- C:\Windows\System32\rDbYSpm.exe
  C:\Windows\System32\rDbYSpm.exe
  2⤵
  PID:4788
- C:\Windows\System32\MonDKfn.exe
  C:\Windows\System32\MonDKfn.exe
  2⤵
  PID:5100
- C:\Windows\System32\ziKarZG.exe
  C:\Windows\System32\ziKarZG.exe
  2⤵
  PID:3592
- C:\Windows\System32\yDuhxqi.exe
  C:\Windows\System32\yDuhxqi.exe
  2⤵
  PID:1528
- C:\Windows\System32\VyFmsBf.exe
  C:\Windows\System32\VyFmsBf.exe
  2⤵
  PID:184
- C:\Windows\System32\AqQKeyJ.exe
  C:\Windows\System32\AqQKeyJ.exe
  2⤵
  PID:3496
- C:\Windows\System32\bNSHwmE.exe
  C:\Windows\System32\bNSHwmE.exe
  2⤵
  PID:1104
- C:\Windows\System32\EYXbSWW.exe
  C:\Windows\System32\EYXbSWW.exe
  2⤵
  PID:4120
- C:\Windows\System32\LRriBSt.exe
  C:\Windows\System32\LRriBSt.exe
  2⤵
  PID:2456
- C:\Windows\System32\iIRYSjZ.exe
  C:\Windows\System32\iIRYSjZ.exe
  2⤵
  PID:3172
- C:\Windows\System32\HpaaXCS.exe
  C:\Windows\System32\HpaaXCS.exe
  2⤵
  PID:2092
- C:\Windows\System32\VTkwTkz.exe
  C:\Windows\System32\VTkwTkz.exe
  2⤵
  PID:3760
- C:\Windows\System32\vqFviax.exe
  C:\Windows\System32\vqFviax.exe
  2⤵
  PID:4392
- C:\Windows\System32\cOXtNCV.exe
  C:\Windows\System32\cOXtNCV.exe
  2⤵
  PID:4764
- C:\Windows\System32\egRZGKK.exe
  C:\Windows\System32\egRZGKK.exe
  2⤵
  PID:4768
- C:\Windows\System32\UQMlDNS.exe
  C:\Windows\System32\UQMlDNS.exe
  2⤵
  PID:4908
- C:\Windows\System32\EqxZFvI.exe
  C:\Windows\System32\EqxZFvI.exe
  2⤵
  PID:3716
- C:\Windows\System32\oQDMKau.exe
  C:\Windows\System32\oQDMKau.exe
  2⤵
  PID:3200
- C:\Windows\System32\htNIGhQ.exe
  C:\Windows\System32\htNIGhQ.exe
  2⤵
  PID:3536
- C:\Windows\System32\ZcCvAjO.exe
  C:\Windows\System32\ZcCvAjO.exe
  2⤵
  PID:1092
- C:\Windows\System32\sPChist.exe
  C:\Windows\System32\sPChist.exe
  2⤵
  PID:456
- C:\Windows\System32\kfNEsBP.exe
  C:\Windows\System32\kfNEsBP.exe
  2⤵
  PID:3464
- C:\Windows\System32\DydSXLZ.exe
  C:\Windows\System32\DydSXLZ.exe
  2⤵
  PID:3432
- C:\Windows\System32\srMlHtr.exe
  C:\Windows\System32\srMlHtr.exe
  2⤵
  PID:2284
- C:\Windows\System32\XQIdQRW.exe
  C:\Windows\System32\XQIdQRW.exe
  2⤵
  PID:3076
- C:\Windows\System32\gXZgCYP.exe
  C:\Windows\System32\gXZgCYP.exe
  2⤵
  PID:3448
- C:\Windows\System32\McGlDhL.exe
  C:\Windows\System32\McGlDhL.exe
  2⤵
  PID:904
- C:\Windows\System32\gbHApFy.exe
  C:\Windows\System32\gbHApFy.exe
  2⤵
  PID:2840
- C:\Windows\System32\DUZBywz.exe
  C:\Windows\System32\DUZBywz.exe
  2⤵
  PID:2936
- C:\Windows\System32\yGDbEAj.exe
  C:\Windows\System32\yGDbEAj.exe
  2⤵
  PID:888
- C:\Windows\System32\dTbfwDD.exe
  C:\Windows\System32\dTbfwDD.exe
  2⤵
  PID:4776
- C:\Windows\System32\eumaXqf.exe
  C:\Windows\System32\eumaXqf.exe
  2⤵
  PID:3516
- C:\Windows\System32\krzzRad.exe
  C:\Windows\System32\krzzRad.exe
  2⤵
  PID:4404
- C:\Windows\System32\XKCWtxR.exe
  C:\Windows\System32\XKCWtxR.exe
  2⤵
  PID:5140
- C:\Windows\System32\ABifoiX.exe
  C:\Windows\System32\ABifoiX.exe
  2⤵
  PID:5184
- C:\Windows\System32\mCCfxgg.exe
  C:\Windows\System32\mCCfxgg.exe
  2⤵
  PID:5200
- C:\Windows\System32\VMghuaf.exe
  C:\Windows\System32\VMghuaf.exe
  2⤵
  PID:5236
- C:\Windows\System32\DbFyVPD.exe
  C:\Windows\System32\DbFyVPD.exe
  2⤵
  PID:5264
- C:\Windows\System32\jJxdSAz.exe
  C:\Windows\System32\jJxdSAz.exe
  2⤵
  PID:5284
- C:\Windows\System32\yOejvpO.exe
  C:\Windows\System32\yOejvpO.exe
  2⤵
  PID:5300
- C:\Windows\System32\wPQyYsM.exe
  C:\Windows\System32\wPQyYsM.exe
  2⤵
  PID:5336
- C:\Windows\System32\upUkCAl.exe
  C:\Windows\System32\upUkCAl.exe
  2⤵
  PID:5352
- C:\Windows\System32\GqqemVI.exe
  C:\Windows\System32\GqqemVI.exe
  2⤵
  PID:5368
- C:\Windows\System32\OHgRBUM.exe
  C:\Windows\System32\OHgRBUM.exe
  2⤵
  PID:5384
- C:\Windows\System32\fYTxpHx.exe
  C:\Windows\System32\fYTxpHx.exe
  2⤵
  PID:5404
- C:\Windows\System32\UkmlshJ.exe
  C:\Windows\System32\UkmlshJ.exe
  2⤵
  PID:5420
- C:\Windows\System32\qnKXoUo.exe
  C:\Windows\System32\qnKXoUo.exe
  2⤵
  PID:5448
- C:\Windows\System32\uNmyqxw.exe
  C:\Windows\System32\uNmyqxw.exe
  2⤵
  PID:5496
- C:\Windows\System32\TWOblUk.exe
  C:\Windows\System32\TWOblUk.exe
  2⤵
  PID:5528
- C:\Windows\System32\qjVCGFg.exe
  C:\Windows\System32\qjVCGFg.exe
  2⤵
  PID:5548
- C:\Windows\System32\bqtTDVd.exe
  C:\Windows\System32\bqtTDVd.exe
  2⤵
  PID:5588
- C:\Windows\System32\ceqOOKk.exe
  C:\Windows\System32\ceqOOKk.exe
  2⤵
  PID:5604
- C:\Windows\System32\zliJpdd.exe
  C:\Windows\System32\zliJpdd.exe
  2⤵
  PID:5632
- C:\Windows\System32\sZCTbgN.exe
  C:\Windows\System32\sZCTbgN.exe
  2⤵
  PID:5692
- C:\Windows\System32\VGYnBPz.exe
  C:\Windows\System32\VGYnBPz.exe
  2⤵
  PID:5712
- C:\Windows\System32\RkEhRZl.exe
  C:\Windows\System32\RkEhRZl.exe
  2⤵
  PID:5760
- C:\Windows\System32\YBcUtnQ.exe
  C:\Windows\System32\YBcUtnQ.exe
  2⤵
  PID:5808
- C:\Windows\System32\EMcuRSB.exe
  C:\Windows\System32\EMcuRSB.exe
  2⤵
  PID:5824
- C:\Windows\System32\kxyhRpN.exe
  C:\Windows\System32\kxyhRpN.exe
  2⤵
  PID:5860
- C:\Windows\System32\ZsXdFbP.exe
  C:\Windows\System32\ZsXdFbP.exe
  2⤵
  PID:5876
- C:\Windows\System32\ieaOlve.exe
  C:\Windows\System32\ieaOlve.exe
  2⤵
  PID:5896
- C:\Windows\System32\PSAzaAe.exe
  C:\Windows\System32\PSAzaAe.exe
  2⤵
  PID:5924
- C:\Windows\System32\VvKrKLb.exe
  C:\Windows\System32\VvKrKLb.exe
  2⤵
  PID:5944
- C:\Windows\System32\aHETGAG.exe
  C:\Windows\System32\aHETGAG.exe
  2⤵
  PID:5996
- C:\Windows\System32\UYhnhPl.exe
  C:\Windows\System32\UYhnhPl.exe
  2⤵
  PID:6024
- C:\Windows\System32\vBipAUm.exe
  C:\Windows\System32\vBipAUm.exe
  2⤵
  PID:6040
- C:\Windows\System32\IgKsJCl.exe
  C:\Windows\System32\IgKsJCl.exe
  2⤵
  PID:6064
- C:\Windows\System32\ycjAyYb.exe
  C:\Windows\System32\ycjAyYb.exe
  2⤵
  PID:6084
- C:\Windows\System32\PvTsQGb.exe
  C:\Windows\System32\PvTsQGb.exe
  2⤵
  PID:6124
- C:\Windows\System32\bpoJeDU.exe
  C:\Windows\System32\bpoJeDU.exe
  2⤵
  PID:5124
- C:\Windows\System32\VFUdqOp.exe
  C:\Windows\System32\VFUdqOp.exe
  2⤵
  PID:5164
- C:\Windows\System32\SQVwyXO.exe
  C:\Windows\System32\SQVwyXO.exe
  2⤵
  PID:5156
- C:\Windows\System32\QCqayFN.exe
  C:\Windows\System32\QCqayFN.exe
  2⤵
  PID:5192
- C:\Windows\System32\mBTDSBa.exe
  C:\Windows\System32\mBTDSBa.exe
  2⤵
  PID:5348
- C:\Windows\System32\cBHTtDf.exe
  C:\Windows\System32\cBHTtDf.exe
  2⤵
  PID:5360
- C:\Windows\System32\HXmykCy.exe
  C:\Windows\System32\HXmykCy.exe
  2⤵
  PID:5324
- C:\Windows\System32\AWxHcCX.exe
  C:\Windows\System32\AWxHcCX.exe
  2⤵
  PID:5516
- C:\Windows\System32\YeZnAgW.exe
  C:\Windows\System32\YeZnAgW.exe
  2⤵
  PID:5540
- C:\Windows\System32\JYXnznP.exe
  C:\Windows\System32\JYXnznP.exe
  2⤵
  PID:5704
- C:\Windows\System32\YTAISuE.exe
  C:\Windows\System32\YTAISuE.exe
  2⤵
  PID:2720
- C:\Windows\System32\EVcJYjo.exe
  C:\Windows\System32\EVcJYjo.exe
  2⤵
  PID:5892
- C:\Windows\System32\fESBsYm.exe
  C:\Windows\System32\fESBsYm.exe
  2⤵
  PID:5988
- C:\Windows\System32\ylWvhtZ.exe
  C:\Windows\System32\ylWvhtZ.exe
  2⤵
  PID:6032
- C:\Windows\System32\BsoyKzJ.exe
  C:\Windows\System32\BsoyKzJ.exe
  2⤵
  PID:6008
- C:\Windows\System32\GcWXfDK.exe
  C:\Windows\System32\GcWXfDK.exe
  2⤵
  PID:6076
- C:\Windows\System32\XLahQdE.exe
  C:\Windows\System32\XLahQdE.exe
  2⤵
  PID:632
- C:\Windows\System32\fxwPghP.exe
  C:\Windows\System32\fxwPghP.exe
  2⤵
  PID:3524
- C:\Windows\System32\rwuwjdY.exe
  C:\Windows\System32\rwuwjdY.exe
  2⤵
  PID:4588
- C:\Windows\System32\rGXqcSG.exe
  C:\Windows\System32\rGXqcSG.exe
  2⤵
  PID:3964
- C:\Windows\System32\aOmdxTB.exe
  C:\Windows\System32\aOmdxTB.exe
  2⤵
  PID:5436
- C:\Windows\System32\auNxKSK.exe
  C:\Windows\System32\auNxKSK.exe
  2⤵
  PID:5640
- C:\Windows\System32\EHvYMOj.exe
  C:\Windows\System32\EHvYMOj.exe
  2⤵
  PID:5380
- C:\Windows\System32\cSCJvlK.exe
  C:\Windows\System32\cSCJvlK.exe
  2⤵
  PID:5768
- C:\Windows\System32\BSVSeak.exe
  C:\Windows\System32\BSVSeak.exe
  2⤵
  PID:5816
- C:\Windows\System32\PbDpSnS.exe
  C:\Windows\System32\PbDpSnS.exe
  2⤵
  PID:6080
- C:\Windows\System32\TIkrUUw.exe
  C:\Windows\System32\TIkrUUw.exe
  2⤵
  PID:5224
- C:\Windows\System32\yohCyIM.exe
  C:\Windows\System32\yohCyIM.exe
  2⤵
  PID:5392
- C:\Windows\System32\bWAMgBs.exe
  C:\Windows\System32\bWAMgBs.exe
  2⤵
  PID:5596
- C:\Windows\System32\WzyFRMj.exe
  C:\Windows\System32\WzyFRMj.exe
  2⤵
  PID:4744
- C:\Windows\System32\EErjtUm.exe
  C:\Windows\System32\EErjtUm.exe
  2⤵
  PID:6048
- C:\Windows\System32\uDLdhVZ.exe
  C:\Windows\System32\uDLdhVZ.exe
  2⤵
  PID:5720
- C:\Windows\System32\fuJOfpT.exe
  C:\Windows\System32\fuJOfpT.exe
  2⤵
  PID:6160
- C:\Windows\System32\hobTUNc.exe
  C:\Windows\System32\hobTUNc.exe
  2⤵
  PID:6180
- C:\Windows\System32\qmAaJHO.exe
  C:\Windows\System32\qmAaJHO.exe
  2⤵
  PID:6200
- C:\Windows\System32\IyNlJpD.exe
  C:\Windows\System32\IyNlJpD.exe
  2⤵
  PID:6220
- C:\Windows\System32\YvuRmYc.exe
  C:\Windows\System32\YvuRmYc.exe
  2⤵
  PID:6236
- C:\Windows\System32\OZhOzMP.exe
  C:\Windows\System32\OZhOzMP.exe
  2⤵
  PID:6264
- C:\Windows\System32\BKdfoXG.exe
  C:\Windows\System32\BKdfoXG.exe
  2⤵
  PID:6284
- C:\Windows\System32\NfRVbjP.exe
  C:\Windows\System32\NfRVbjP.exe
  2⤵
  PID:6300
- C:\Windows\System32\zGJucfh.exe
  C:\Windows\System32\zGJucfh.exe
  2⤵
  PID:6328
- C:\Windows\System32\TIRyZIX.exe
  C:\Windows\System32\TIRyZIX.exe
  2⤵
  PID:6428
- C:\Windows\System32\evwwKSp.exe
  C:\Windows\System32\evwwKSp.exe
  2⤵
  PID:6480
- C:\Windows\System32\tABbaaJ.exe
  C:\Windows\System32\tABbaaJ.exe
  2⤵
  PID:6512
- C:\Windows\System32\VajLhrM.exe
  C:\Windows\System32\VajLhrM.exe
  2⤵
  PID:6528
- C:\Windows\System32\JphCojX.exe
  C:\Windows\System32\JphCojX.exe
  2⤵
  PID:6556
- C:\Windows\System32\mTkGPbd.exe
  C:\Windows\System32\mTkGPbd.exe
  2⤵
  PID:6592
- C:\Windows\System32\IvKooOl.exe
  C:\Windows\System32\IvKooOl.exe
  2⤵
  PID:6624
- C:\Windows\System32\IdDwJJX.exe
  C:\Windows\System32\IdDwJJX.exe
  2⤵
  PID:6640
- C:\Windows\System32\GMFnspZ.exe
  C:\Windows\System32\GMFnspZ.exe
  2⤵
  PID:6668
- C:\Windows\System32\RFTVnun.exe
  C:\Windows\System32\RFTVnun.exe
  2⤵
  PID:6700
- C:\Windows\System32\XxggRzv.exe
  C:\Windows\System32\XxggRzv.exe
  2⤵
  PID:6716
- C:\Windows\System32\EkuUHDo.exe
  C:\Windows\System32\EkuUHDo.exe
  2⤵
  PID:6740
- C:\Windows\System32\lWSsExj.exe
  C:\Windows\System32\lWSsExj.exe
  2⤵
  PID:6768
- C:\Windows\System32\RsOAKBI.exe
  C:\Windows\System32\RsOAKBI.exe
  2⤵
  PID:6788
- C:\Windows\System32\HjVtLcp.exe
  C:\Windows\System32\HjVtLcp.exe
  2⤵
  PID:6816
- C:\Windows\System32\tYMUFNq.exe
  C:\Windows\System32\tYMUFNq.exe
  2⤵
  PID:6836
- C:\Windows\System32\rnWXrdI.exe
  C:\Windows\System32\rnWXrdI.exe
  2⤵
  PID:6856
- C:\Windows\System32\OXrbXdd.exe
  C:\Windows\System32\OXrbXdd.exe
  2⤵
  PID:6908
- C:\Windows\System32\YmHPcOV.exe
  C:\Windows\System32\YmHPcOV.exe
  2⤵
  PID:6936
- C:\Windows\System32\kTrHNRM.exe
  C:\Windows\System32\kTrHNRM.exe
  2⤵
  PID:6956
- C:\Windows\System32\PHeWApq.exe
  C:\Windows\System32\PHeWApq.exe
  2⤵
  PID:6972
- C:\Windows\System32\iyQuhRr.exe
  C:\Windows\System32\iyQuhRr.exe
  2⤵
  PID:6996
- C:\Windows\System32\SLmunji.exe
  C:\Windows\System32\SLmunji.exe
  2⤵
  PID:7060
- C:\Windows\System32\slUGOiQ.exe
  C:\Windows\System32\slUGOiQ.exe
  2⤵
  PID:7080
- C:\Windows\System32\foYOmzC.exe
  C:\Windows\System32\foYOmzC.exe
  2⤵
  PID:7096
- C:\Windows\System32\wQvUGdH.exe
  C:\Windows\System32\wQvUGdH.exe
  2⤵
  PID:7120
- C:\Windows\System32\sjQovZe.exe
  C:\Windows\System32\sjQovZe.exe
  2⤵
  PID:7136
- C:\Windows\System32\uQiVVsD.exe
  C:\Windows\System32\uQiVVsD.exe
  2⤵
  PID:5708
- C:\Windows\System32\MqoOipN.exe
  C:\Windows\System32\MqoOipN.exe
  2⤵
  PID:6192
- C:\Windows\System32\GRdsRlA.exe
  C:\Windows\System32\GRdsRlA.exe
  2⤵
  PID:6216
- C:\Windows\System32\HHPDMnx.exe
  C:\Windows\System32\HHPDMnx.exe
  2⤵
  PID:6296
- C:\Windows\System32\KuCGHVt.exe
  C:\Windows\System32\KuCGHVt.exe
  2⤵
  PID:6400
- C:\Windows\System32\gbnoaFo.exe
  C:\Windows\System32\gbnoaFo.exe
  2⤵
  PID:6444
- C:\Windows\System32\DDQgWFU.exe
  C:\Windows\System32\DDQgWFU.exe
  2⤵
  PID:6492
- C:\Windows\System32\EgqqjeK.exe
  C:\Windows\System32\EgqqjeK.exe
  2⤵
  PID:6520
- C:\Windows\System32\ylLScKd.exe
  C:\Windows\System32\ylLScKd.exe
  2⤵
  PID:6568
- C:\Windows\System32\FUKnsYb.exe
  C:\Windows\System32\FUKnsYb.exe
  2⤵
  PID:6636
- C:\Windows\System32\ZifruTb.exe
  C:\Windows\System32\ZifruTb.exe
  2⤵
  PID:6688
- C:\Windows\System32\ZTDkuSU.exe
  C:\Windows\System32\ZTDkuSU.exe
  2⤵
  PID:6828
- C:\Windows\System32\MDPHYIK.exe
  C:\Windows\System32\MDPHYIK.exe
  2⤵
  PID:6952
- C:\Windows\System32\AqIvECI.exe
  C:\Windows\System32\AqIvECI.exe
  2⤵
  PID:6980
- C:\Windows\System32\LtNcoLH.exe
  C:\Windows\System32\LtNcoLH.exe
  2⤵
  PID:7156
- C:\Windows\System32\JrNYgpw.exe
  C:\Windows\System32\JrNYgpw.exe
  2⤵
  PID:7144
- C:\Windows\System32\oTxZDmS.exe
  C:\Windows\System32\oTxZDmS.exe
  2⤵
  PID:6152
- C:\Windows\System32\KVHGFWD.exe
  C:\Windows\System32\KVHGFWD.exe
  2⤵
  PID:6252
- C:\Windows\System32\guEeWDM.exe
  C:\Windows\System32\guEeWDM.exe
  2⤵
  PID:6360
- C:\Windows\System32\NSQLXnU.exe
  C:\Windows\System32\NSQLXnU.exe
  2⤵
  PID:6540
- C:\Windows\System32\aKetdRz.exe
  C:\Windows\System32\aKetdRz.exe
  2⤵
  PID:6736
- C:\Windows\System32\PVAJWnN.exe
  C:\Windows\System32\PVAJWnN.exe
  2⤵
  PID:6948
- C:\Windows\System32\yFCatgi.exe
  C:\Windows\System32\yFCatgi.exe
  2⤵
  PID:7088
- C:\Windows\System32\XGXWDQZ.exe
  C:\Windows\System32\XGXWDQZ.exe
  2⤵
  PID:1796
- C:\Windows\System32\AUfNeHe.exe
  C:\Windows\System32\AUfNeHe.exe
  2⤵
  PID:6696
- C:\Windows\System32\bCNgzcJ.exe
  C:\Windows\System32\bCNgzcJ.exe
  2⤵
  PID:6580
- C:\Windows\System32\jjKrYQJ.exe
  C:\Windows\System32\jjKrYQJ.exe
  2⤵
  PID:1180
- C:\Windows\System32\jcQcbkf.exe
  C:\Windows\System32\jcQcbkf.exe
  2⤵
  PID:7176
- C:\Windows\System32\atdXGxY.exe
  C:\Windows\System32\atdXGxY.exe
  2⤵
  PID:7196
- C:\Windows\System32\ztpbuFk.exe
  C:\Windows\System32\ztpbuFk.exe
  2⤵
  PID:7216
- C:\Windows\System32\ImBKreY.exe
  C:\Windows\System32\ImBKreY.exe
  2⤵
  PID:7232
- C:\Windows\System32\LKxNiJf.exe
  C:\Windows\System32\LKxNiJf.exe
  2⤵
  PID:7256
- C:\Windows\System32\msqQkJr.exe
  C:\Windows\System32\msqQkJr.exe
  2⤵
  PID:7272
- C:\Windows\System32\WsXnCik.exe
  C:\Windows\System32\WsXnCik.exe
  2⤵
  PID:7300
- C:\Windows\System32\gfXQKJI.exe
  C:\Windows\System32\gfXQKJI.exe
  2⤵
  PID:7328
- C:\Windows\System32\MIyQlUZ.exe
  C:\Windows\System32\MIyQlUZ.exe
  2⤵
  PID:7404
- C:\Windows\System32\hQQcTTK.exe
  C:\Windows\System32\hQQcTTK.exe
  2⤵
  PID:7428
- C:\Windows\System32\YgaxzwS.exe
  C:\Windows\System32\YgaxzwS.exe
  2⤵
  PID:7456
- C:\Windows\System32\gsJLnoQ.exe
  C:\Windows\System32\gsJLnoQ.exe
  2⤵
  PID:7472
- C:\Windows\System32\VbDtruD.exe
  C:\Windows\System32\VbDtruD.exe
  2⤵
  PID:7488
- C:\Windows\System32\JSfLzRf.exe
  C:\Windows\System32\JSfLzRf.exe
  2⤵
  PID:7508
- C:\Windows\System32\pNFuqSe.exe
  C:\Windows\System32\pNFuqSe.exe
  2⤵
  PID:7528
- C:\Windows\System32\VGMxetl.exe
  C:\Windows\System32\VGMxetl.exe
  2⤵
  PID:7576
- C:\Windows\System32\mHUnDzI.exe
  C:\Windows\System32\mHUnDzI.exe
  2⤵
  PID:7624
- C:\Windows\System32\qibizRh.exe
  C:\Windows\System32\qibizRh.exe
  2⤵
  PID:7656
- C:\Windows\System32\vgICIua.exe
  C:\Windows\System32\vgICIua.exe
  2⤵
  PID:7676
- C:\Windows\System32\viVOOtC.exe
  C:\Windows\System32\viVOOtC.exe
  2⤵
  PID:7704
- C:\Windows\System32\doQcypb.exe
  C:\Windows\System32\doQcypb.exe
  2⤵
  PID:7728
- C:\Windows\System32\dGBOcUv.exe
  C:\Windows\System32\dGBOcUv.exe
  2⤵
  PID:7760
- C:\Windows\System32\tbHTMfz.exe
  C:\Windows\System32\tbHTMfz.exe
  2⤵
  PID:7792
- C:\Windows\System32\tlyGJOJ.exe
  C:\Windows\System32\tlyGJOJ.exe
  2⤵
  PID:7816
- C:\Windows\System32\BLWTMdA.exe
  C:\Windows\System32\BLWTMdA.exe
  2⤵
  PID:7844
- C:\Windows\System32\lXbmUjY.exe
  C:\Windows\System32\lXbmUjY.exe
  2⤵
  PID:7876
- C:\Windows\System32\JSAxHLI.exe
  C:\Windows\System32\JSAxHLI.exe
  2⤵
  PID:7900
- C:\Windows\System32\wWrsBEW.exe
  C:\Windows\System32\wWrsBEW.exe
  2⤵
  PID:7916
- C:\Windows\System32\OcoEjvX.exe
  C:\Windows\System32\OcoEjvX.exe
  2⤵
  PID:7972
- C:\Windows\System32\ohlLMCO.exe
  C:\Windows\System32\ohlLMCO.exe
  2⤵
  PID:7992
- C:\Windows\System32\NxYKECE.exe
  C:\Windows\System32\NxYKECE.exe
  2⤵
  PID:8012
- C:\Windows\System32\Pvsvrnb.exe
  C:\Windows\System32\Pvsvrnb.exe
  2⤵
  PID:8036
- C:\Windows\System32\OJceUoG.exe
  C:\Windows\System32\OJceUoG.exe
  2⤵
  PID:8056
- C:\Windows\System32\YUHzTDr.exe
  C:\Windows\System32\YUHzTDr.exe
  2⤵
  PID:8116
- C:\Windows\System32\WMmecgG.exe
  C:\Windows\System32\WMmecgG.exe
  2⤵
  PID:8144
- C:\Windows\System32\HEcQTai.exe
  C:\Windows\System32\HEcQTai.exe
  2⤵
  PID:8160
- C:\Windows\System32\ypmPJEd.exe
  C:\Windows\System32\ypmPJEd.exe
  2⤵
  PID:7128
- C:\Windows\System32\uSaOCLk.exe
  C:\Windows\System32\uSaOCLk.exe
  2⤵
  PID:7188
- C:\Windows\System32\zjsadWR.exe
  C:\Windows\System32\zjsadWR.exe
  2⤵
  PID:7240
- C:\Windows\System32\SJORQnm.exe
  C:\Windows\System32\SJORQnm.exe
  2⤵
  PID:7208
- C:\Windows\System32\GrutHne.exe
  C:\Windows\System32\GrutHne.exe
  2⤵
  PID:7264
- C:\Windows\System32\DGvDzEh.exe
  C:\Windows\System32\DGvDzEh.exe
  2⤵
  PID:7392
- C:\Windows\System32\kXxYoDA.exe
  C:\Windows\System32\kXxYoDA.exe
  2⤵
  PID:7480
- C:\Windows\System32\wKHOzqt.exe
  C:\Windows\System32\wKHOzqt.exe
  2⤵
  PID:7504
- C:\Windows\System32\pWYYPPZ.exe
  C:\Windows\System32\pWYYPPZ.exe
  2⤵
  PID:7568
- C:\Windows\System32\qtOhUkM.exe
  C:\Windows\System32\qtOhUkM.exe
  2⤵
  PID:7632
- C:\Windows\System32\OguIgtf.exe
  C:\Windows\System32\OguIgtf.exe
  2⤵
  PID:7720
- C:\Windows\System32\SesIUnx.exe
  C:\Windows\System32\SesIUnx.exe
  2⤵
  PID:7752
- C:\Windows\System32\lZtZEdB.exe
  C:\Windows\System32\lZtZEdB.exe
  2⤵
  PID:7832
- C:\Windows\System32\UUDGhcJ.exe
  C:\Windows\System32\UUDGhcJ.exe
  2⤵
  PID:7860
- C:\Windows\System32\ilmJewN.exe
  C:\Windows\System32\ilmJewN.exe
  2⤵
  PID:7988
- C:\Windows\System32\TmrqVcD.exe
  C:\Windows\System32\TmrqVcD.exe
  2⤵
  PID:8052
- C:\Windows\System32\OBWHBWT.exe
  C:\Windows\System32\OBWHBWT.exe
  2⤵
  PID:8068
- C:\Windows\System32\DuJYPJH.exe
  C:\Windows\System32\DuJYPJH.exe
  2⤵
  PID:8100
- C:\Windows\System32\RsNkYrB.exe
  C:\Windows\System32\RsNkYrB.exe
  2⤵
  PID:8156
- C:\Windows\System32\ZWsQLZR.exe
  C:\Windows\System32\ZWsQLZR.exe
  2⤵
  PID:7212
- C:\Windows\System32\LJEEhAH.exe
  C:\Windows\System32\LJEEhAH.exe
  2⤵
  PID:7412
- C:\Windows\System32\uWXOYfQ.exe
  C:\Windows\System32\uWXOYfQ.exe
  2⤵
  PID:7440
- C:\Windows\System32\LEPxljD.exe
  C:\Windows\System32\LEPxljD.exe
  2⤵
  PID:7620
- C:\Windows\System32\ciHCjua.exe
  C:\Windows\System32\ciHCjua.exe
  2⤵
  PID:6784
- C:\Windows\System32\CwvMdPY.exe
  C:\Windows\System32\CwvMdPY.exe
  2⤵
  PID:8032
- C:\Windows\System32\ZgkFPsc.exe
  C:\Windows\System32\ZgkFPsc.exe
  2⤵
  PID:8108
- C:\Windows\System32\eQUIVDU.exe
  C:\Windows\System32\eQUIVDU.exe
  2⤵
  PID:7308
- C:\Windows\System32\qRmWdIu.exe
  C:\Windows\System32\qRmWdIu.exe
  2⤵
  PID:8208
- C:\Windows\System32\VaiWPfU.exe
  C:\Windows\System32\VaiWPfU.exe
  2⤵
  PID:8224
- C:\Windows\System32\rtwdVDP.exe
  C:\Windows\System32\rtwdVDP.exe
  2⤵
  PID:8240
- C:\Windows\System32\eUiHeqE.exe
  C:\Windows\System32\eUiHeqE.exe
  2⤵
  PID:8256
- C:\Windows\System32\xWKGWwg.exe
  C:\Windows\System32\xWKGWwg.exe
  2⤵
  PID:8272
- C:\Windows\System32\BxZWhSJ.exe
  C:\Windows\System32\BxZWhSJ.exe
  2⤵
  PID:8288
- C:\Windows\System32\NznbZqa.exe
  C:\Windows\System32\NznbZqa.exe
  2⤵
  PID:8304
- C:\Windows\System32\TKhCUKT.exe
  C:\Windows\System32\TKhCUKT.exe
  2⤵
  PID:8320
- C:\Windows\System32\oyeNyol.exe
  C:\Windows\System32\oyeNyol.exe
  2⤵
  PID:8336
- C:\Windows\System32\DGUmhAy.exe
  C:\Windows\System32\DGUmhAy.exe
  2⤵
  PID:8396
- C:\Windows\System32\JqrvAtB.exe
  C:\Windows\System32\JqrvAtB.exe
  2⤵
  PID:8456
- C:\Windows\System32\rhUipAE.exe
  C:\Windows\System32\rhUipAE.exe
  2⤵
  PID:8480
- C:\Windows\System32\xlSfcII.exe
  C:\Windows\System32\xlSfcII.exe
  2⤵
  PID:8680
- C:\Windows\System32\sSBUdAz.exe
  C:\Windows\System32\sSBUdAz.exe
  2⤵
  PID:8696
- C:\Windows\System32\FhsaPnm.exe
  C:\Windows\System32\FhsaPnm.exe
  2⤵
  PID:8712
- C:\Windows\System32\oMlrEkW.exe
  C:\Windows\System32\oMlrEkW.exe
  2⤵
  PID:8748
- C:\Windows\System32\xjSIQXp.exe
  C:\Windows\System32\xjSIQXp.exe
  2⤵
  PID:8768
- C:\Windows\System32\ERnZkUT.exe
  C:\Windows\System32\ERnZkUT.exe
  2⤵
  PID:8800
- C:\Windows\System32\raHVTeC.exe
  C:\Windows\System32\raHVTeC.exe
  2⤵
  PID:8824
- C:\Windows\System32\uBZEsUb.exe
  C:\Windows\System32\uBZEsUb.exe
  2⤵
  PID:8852
- C:\Windows\System32\DkrAJnT.exe
  C:\Windows\System32\DkrAJnT.exe
  2⤵
  PID:8868
- C:\Windows\System32\RkQynRq.exe
  C:\Windows\System32\RkQynRq.exe
  2⤵
  PID:8900
- C:\Windows\System32\uqSjftJ.exe
  C:\Windows\System32\uqSjftJ.exe
  2⤵
  PID:8928
- C:\Windows\System32\DsSkMYU.exe
  C:\Windows\System32\DsSkMYU.exe
  2⤵
  PID:8964
- C:\Windows\System32\jpoHzkJ.exe
  C:\Windows\System32\jpoHzkJ.exe
  2⤵
  PID:9000
- C:\Windows\System32\rgJMoLi.exe
  C:\Windows\System32\rgJMoLi.exe
  2⤵
  PID:9024
- C:\Windows\System32\UZaRrgz.exe
  C:\Windows\System32\UZaRrgz.exe
  2⤵
  PID:9044
- C:\Windows\System32\ffIKllM.exe
  C:\Windows\System32\ffIKllM.exe
  2⤵
  PID:9068
- C:\Windows\System32\yaGDrpR.exe
  C:\Windows\System32\yaGDrpR.exe
  2⤵
  PID:9088
- C:\Windows\System32\PGJyoHj.exe
  C:\Windows\System32\PGJyoHj.exe
  2⤵
  PID:9108
- C:\Windows\System32\iwFnrzY.exe
  C:\Windows\System32\iwFnrzY.exe
  2⤵
  PID:9128
- C:\Windows\System32\CgfLQOo.exe
  C:\Windows\System32\CgfLQOo.exe
  2⤵
  PID:9176
- C:\Windows\System32\lKlDbZX.exe
  C:\Windows\System32\lKlDbZX.exe
  2⤵
  PID:9212
- C:\Windows\System32\mBrWApM.exe
  C:\Windows\System32\mBrWApM.exe
  2⤵
  PID:7672
- C:\Windows\System32\fwWGUDz.exe
  C:\Windows\System32\fwWGUDz.exe
  2⤵
  PID:7800
- C:\Windows\System32\xKNtWli.exe
  C:\Windows\System32\xKNtWli.exe
  2⤵
  PID:8232
- C:\Windows\System32\KQwJtZO.exe
  C:\Windows\System32\KQwJtZO.exe
  2⤵
  PID:8344
- C:\Windows\System32\vGILcgd.exe
  C:\Windows\System32\vGILcgd.exe
  2⤵
  PID:8280
- C:\Windows\System32\oaBDSWV.exe
  C:\Windows\System32\oaBDSWV.exe
  2⤵
  PID:8316
- C:\Windows\System32\sTUDwtu.exe
  C:\Windows\System32\sTUDwtu.exe
  2⤵
  PID:8476
- C:\Windows\System32\jvcJNer.exe
  C:\Windows\System32\jvcJNer.exe
  2⤵
  PID:8432
- C:\Windows\System32\lZfzgTH.exe
  C:\Windows\System32\lZfzgTH.exe
  2⤵
  PID:8572
- C:\Windows\System32\jHcgEOn.exe
  C:\Windows\System32\jHcgEOn.exe
  2⤵
  PID:8640
- C:\Windows\System32\laArxmk.exe
  C:\Windows\System32\laArxmk.exe
  2⤵
  PID:8688
- C:\Windows\System32\gKSdQiI.exe
  C:\Windows\System32\gKSdQiI.exe
  2⤵
  PID:8760
- C:\Windows\System32\aVCEXvy.exe
  C:\Windows\System32\aVCEXvy.exe
  2⤵
  PID:8864
- C:\Windows\System32\iqWIFOf.exe
  C:\Windows\System32\iqWIFOf.exe
  2⤵
  PID:8960
- C:\Windows\System32\aHhiFwQ.exe
  C:\Windows\System32\aHhiFwQ.exe
  2⤵
  PID:9016
- C:\Windows\System32\EduEJjv.exe
  C:\Windows\System32\EduEJjv.exe
  2⤵
  PID:9100
- C:\Windows\System32\VAKgUkO.exe
  C:\Windows\System32\VAKgUkO.exe
  2⤵
  PID:9156
- C:\Windows\System32\aQTafPP.exe
  C:\Windows\System32\aQTafPP.exe
  2⤵
  PID:9204
- C:\Windows\System32\ZClbnuu.exe
  C:\Windows\System32\ZClbnuu.exe
  2⤵
  PID:7296
- C:\Windows\System32\RjQMqOt.exe
  C:\Windows\System32\RjQMqOt.exe
  2⤵
  PID:8200
- C:\Windows\System32\yWsoHlA.exe
  C:\Windows\System32\yWsoHlA.exe
  2⤵
  PID:8352
- C:\Windows\System32\KXiSWIb.exe
  C:\Windows\System32\KXiSWIb.exe
  2⤵
  PID:8296
- C:\Windows\System32\vPXgpql.exe
  C:\Windows\System32\vPXgpql.exe
  2⤵
  PID:8592
- C:\Windows\System32\vNNlezN.exe
  C:\Windows\System32\vNNlezN.exe
  2⤵
  PID:8880
- C:\Windows\System32\GNZxuqB.exe
  C:\Windows\System32\GNZxuqB.exe
  2⤵
  PID:8844
- C:\Windows\System32\oWMYwOO.exe
  C:\Windows\System32\oWMYwOO.exe
  2⤵
  PID:9064
- C:\Windows\System32\ASnYSzd.exe
  C:\Windows\System32\ASnYSzd.exe
  2⤵
  PID:8376
- C:\Windows\System32\RAMfZOz.exe
  C:\Windows\System32\RAMfZOz.exe
  2⤵
  PID:7924
- C:\Windows\System32\YWgiYUQ.exe
  C:\Windows\System32\YWgiYUQ.exe
  2⤵
  PID:8416
- C:\Windows\System32\XTzFvZS.exe
  C:\Windows\System32\XTzFvZS.exe
  2⤵
  PID:7452
- C:\Windows\System32\gXCdDzJ.exe
  C:\Windows\System32\gXCdDzJ.exe
  2⤵
  PID:9036
- C:\Windows\System32\qxEMtsQ.exe
  C:\Windows\System32\qxEMtsQ.exe
  2⤵
  PID:9260
- C:\Windows\System32\kHGzCqo.exe
  C:\Windows\System32\kHGzCqo.exe
  2⤵
  PID:9276
- C:\Windows\System32\rIDdVjM.exe
  C:\Windows\System32\rIDdVjM.exe
  2⤵
  PID:9304
- C:\Windows\System32\iqvloHg.exe
  C:\Windows\System32\iqvloHg.exe
  2⤵
  PID:9324
- C:\Windows\System32\dTDQuAB.exe
  C:\Windows\System32\dTDQuAB.exe
  2⤵
  PID:9356
- C:\Windows\System32\hNMBUaU.exe
  C:\Windows\System32\hNMBUaU.exe
  2⤵
  PID:9384
- C:\Windows\System32\hPjRsDo.exe
  C:\Windows\System32\hPjRsDo.exe
  2⤵
  PID:9416
- C:\Windows\System32\QZjGosD.exe
  C:\Windows\System32\QZjGosD.exe
  2⤵
  PID:9448
- C:\Windows\System32\JEUMFbz.exe
  C:\Windows\System32\JEUMFbz.exe
  2⤵
  PID:9472
- C:\Windows\System32\jjkgIdH.exe
  C:\Windows\System32\jjkgIdH.exe
  2⤵
  PID:9500
- C:\Windows\System32\IoifxWq.exe
  C:\Windows\System32\IoifxWq.exe
  2⤵
  PID:9528
- C:\Windows\System32\SRYjtAe.exe
  C:\Windows\System32\SRYjtAe.exe
  2⤵
  PID:9548
- C:\Windows\System32\srPMVjm.exe
  C:\Windows\System32\srPMVjm.exe
  2⤵
  PID:9580
- C:\Windows\System32\OtTcQcd.exe
  C:\Windows\System32\OtTcQcd.exe
  2⤵
  PID:9596
- C:\Windows\System32\CWfoqxg.exe
  C:\Windows\System32\CWfoqxg.exe
  2⤵
  PID:9616
- C:\Windows\System32\OoQqzsl.exe
  C:\Windows\System32\OoQqzsl.exe
  2⤵
  PID:9636
- C:\Windows\System32\lDlKppQ.exe
  C:\Windows\System32\lDlKppQ.exe
  2⤵
  PID:9664
- C:\Windows\System32\CupuMxd.exe
  C:\Windows\System32\CupuMxd.exe
  2⤵
  PID:9708
- C:\Windows\System32\XbfKXqY.exe
  C:\Windows\System32\XbfKXqY.exe
  2⤵
  PID:9756
- C:\Windows\System32\gxvWqmj.exe
  C:\Windows\System32\gxvWqmj.exe
  2⤵
  PID:9788
- C:\Windows\System32\XJoDBKi.exe
  C:\Windows\System32\XJoDBKi.exe
  2⤵
  PID:9804
- C:\Windows\System32\oMPxRfR.exe
  C:\Windows\System32\oMPxRfR.exe
  2⤵
  PID:9832
- C:\Windows\System32\UoNyRuA.exe
  C:\Windows\System32\UoNyRuA.exe
  2⤵
  PID:9848
- C:\Windows\System32\BVaWUqL.exe
  C:\Windows\System32\BVaWUqL.exe
  2⤵
  PID:9872
- C:\Windows\System32\ZTYMcqF.exe
  C:\Windows\System32\ZTYMcqF.exe
  2⤵
  PID:9892
- C:\Windows\System32\WrBoGQT.exe
  C:\Windows\System32\WrBoGQT.exe
  2⤵
  PID:9912
- C:\Windows\System32\KXAibXc.exe
  C:\Windows\System32\KXAibXc.exe
  2⤵
  PID:9952
- C:\Windows\System32\GOBrmYU.exe
  C:\Windows\System32\GOBrmYU.exe
  2⤵
  PID:9972
- C:\Windows\System32\aVEWGAt.exe
  C:\Windows\System32\aVEWGAt.exe
  2⤵
  PID:10024
- C:\Windows\System32\foxdFBM.exe
  C:\Windows\System32\foxdFBM.exe
  2⤵
  PID:10056
- C:\Windows\System32\QdbuDZV.exe
  C:\Windows\System32\QdbuDZV.exe
  2⤵
  PID:10080
- C:\Windows\System32\VHBUNni.exe
  C:\Windows\System32\VHBUNni.exe
  2⤵
  PID:10096
- C:\Windows\System32\rrYvynC.exe
  C:\Windows\System32\rrYvynC.exe
  2⤵
  PID:10116
- C:\Windows\System32\PjvMKeb.exe
  C:\Windows\System32\PjvMKeb.exe
  2⤵
  PID:10152
- C:\Windows\System32\YztaSgU.exe
  C:\Windows\System32\YztaSgU.exe
  2⤵
  PID:10180
- C:\Windows\System32\VDGnxmJ.exe
  C:\Windows\System32\VDGnxmJ.exe
  2⤵
  PID:7808
- C:\Windows\System32\jVVorGQ.exe
  C:\Windows\System32\jVVorGQ.exe
  2⤵
  PID:9224
- C:\Windows\System32\TIpYHHI.exe
  C:\Windows\System32\TIpYHHI.exe
  2⤵
  PID:9296
- C:\Windows\System32\BgxSFFx.exe
  C:\Windows\System32\BgxSFFx.exe
  2⤵
  PID:9320
- C:\Windows\System32\UgnxMyC.exe
  C:\Windows\System32\UgnxMyC.exe
  2⤵
  PID:9456
- C:\Windows\System32\YQIwxBE.exe
  C:\Windows\System32\YQIwxBE.exe
  2⤵
  PID:9536
- C:\Windows\System32\hVuMgUQ.exe
  C:\Windows\System32\hVuMgUQ.exe
  2⤵
  PID:9588
- C:\Windows\System32\VjgnahW.exe
  C:\Windows\System32\VjgnahW.exe
  2⤵
  PID:9608
- C:\Windows\System32\KuUqUgA.exe
  C:\Windows\System32\KuUqUgA.exe
  2⤵
  PID:9696
- C:\Windows\System32\fxhVqYl.exe
  C:\Windows\System32\fxhVqYl.exe
  2⤵
  PID:9752
- C:\Windows\System32\pQDgcAV.exe
  C:\Windows\System32\pQDgcAV.exe
  2⤵
  PID:9800
- C:\Windows\System32\weMlmZx.exe
  C:\Windows\System32\weMlmZx.exe
  2⤵
  PID:9844
- C:\Windows\System32\hTtVeFg.exe
  C:\Windows\System32\hTtVeFg.exe
  2⤵
  PID:9904
- C:\Windows\System32\yhCkFrs.exe
  C:\Windows\System32\yhCkFrs.exe
  2⤵
  PID:9964
- C:\Windows\System32\SGYGDEe.exe
  C:\Windows\System32\SGYGDEe.exe
  2⤵
  PID:10008
- C:\Windows\System32\bxGDdAi.exe
  C:\Windows\System32\bxGDdAi.exe
  2⤵
  PID:10108
- C:\Windows\System32\QRbwWUq.exe
  C:\Windows\System32\QRbwWUq.exe
  2⤵
  PID:10104
- C:\Windows\System32\eNiIdvZ.exe
  C:\Windows\System32\eNiIdvZ.exe
  2⤵
  PID:10196
- C:\Windows\System32\kwBdpnC.exe
  C:\Windows\System32\kwBdpnC.exe
  2⤵
  PID:9368
- C:\Windows\System32\emOnzXz.exe
  C:\Windows\System32\emOnzXz.exe
  2⤵
  PID:9436
- C:\Windows\System32\kSoAiUH.exe
  C:\Windows\System32\kSoAiUH.exe
  2⤵
  PID:9644
- C:\Windows\System32\NyPpwZd.exe
  C:\Windows\System32\NyPpwZd.exe
  2⤵
  PID:9856
- C:\Windows\System32\hjIgGTW.exe
  C:\Windows\System32\hjIgGTW.exe
  2⤵
  PID:9884
- C:\Windows\System32\drcPJAW.exe
  C:\Windows\System32\drcPJAW.exe
  2⤵
  PID:10144
- C:\Windows\System32\OrGmajG.exe
  C:\Windows\System32\OrGmajG.exe
  2⤵
  PID:10092
- C:\Windows\System32\oqcpwoS.exe
  C:\Windows\System32\oqcpwoS.exe
  2⤵
  PID:9460
- C:\Windows\System32\RgEWrju.exe
  C:\Windows\System32\RgEWrju.exe
  2⤵
  PID:9684
- C:\Windows\System32\VjTbVSv.exe
  C:\Windows\System32\VjTbVSv.exe
  2⤵
  PID:10248
- C:\Windows\System32\lWksfiw.exe
  C:\Windows\System32\lWksfiw.exe
  2⤵
  PID:10280
- C:\Windows\System32\HDbdngV.exe
  C:\Windows\System32\HDbdngV.exe
  2⤵
  PID:10324
- C:\Windows\System32\HmHzMZg.exe
  C:\Windows\System32\HmHzMZg.exe
  2⤵
  PID:10352
- C:\Windows\System32\uAVZRxy.exe
  C:\Windows\System32\uAVZRxy.exe
  2⤵
  PID:10372
- C:\Windows\System32\imvTZAj.exe
  C:\Windows\System32\imvTZAj.exe
  2⤵
  PID:10396
- C:\Windows\System32\PXrffvs.exe
  C:\Windows\System32\PXrffvs.exe
  2⤵
  PID:10428
- C:\Windows\System32\klPpPoV.exe
  C:\Windows\System32\klPpPoV.exe
  2⤵
  PID:10456
- C:\Windows\System32\JKvWGIK.exe
  C:\Windows\System32\JKvWGIK.exe
  2⤵
  PID:10500
- C:\Windows\System32\zBkzgAF.exe
  C:\Windows\System32\zBkzgAF.exe
  2⤵
  PID:10528
- C:\Windows\System32\aHHjzpk.exe
  C:\Windows\System32\aHHjzpk.exe
  2⤵
  PID:10556
- C:\Windows\System32\gmBgddH.exe
  C:\Windows\System32\gmBgddH.exe
  2⤵
  PID:10584
- C:\Windows\System32\CfUsnwo.exe
  C:\Windows\System32\CfUsnwo.exe
  2⤵
  PID:10608
- C:\Windows\System32\BmJHQxD.exe
  C:\Windows\System32\BmJHQxD.exe
  2⤵
  PID:10624
- C:\Windows\System32\qdbiYkV.exe
  C:\Windows\System32\qdbiYkV.exe
  2⤵
  PID:10648
- C:\Windows\System32\bckxwuE.exe
  C:\Windows\System32\bckxwuE.exe
  2⤵
  PID:10676
- C:\Windows\System32\gFYZIwu.exe
  C:\Windows\System32\gFYZIwu.exe
  2⤵
  PID:10696
- C:\Windows\System32\eEjWCmh.exe
  C:\Windows\System32\eEjWCmh.exe
  2⤵
  PID:10712
- C:\Windows\System32\pkGKsvX.exe
  C:\Windows\System32\pkGKsvX.exe
  2⤵
  PID:10764
- C:\Windows\System32\KIbWezo.exe
  C:\Windows\System32\KIbWezo.exe
  2⤵
  PID:10804
- C:\Windows\System32\lPKIbwI.exe
  C:\Windows\System32\lPKIbwI.exe
  2⤵
  PID:10840
- C:\Windows\System32\AsDqjMT.exe
  C:\Windows\System32\AsDqjMT.exe
  2⤵
  PID:10864
- C:\Windows\System32\dKlzNYa.exe
  C:\Windows\System32\dKlzNYa.exe
  2⤵
  PID:10888
- C:\Windows\System32\GIikUAH.exe
  C:\Windows\System32\GIikUAH.exe
  2⤵
  PID:10916
- C:\Windows\System32\SJlJOHJ.exe
  C:\Windows\System32\SJlJOHJ.exe
  2⤵
  PID:10952
- C:\Windows\System32\EqdtZbz.exe
  C:\Windows\System32\EqdtZbz.exe
  2⤵
  PID:10976
- C:\Windows\System32\jTVTHwp.exe
  C:\Windows\System32\jTVTHwp.exe
  2⤵
  PID:11000
- C:\Windows\System32\SFHDHuR.exe
  C:\Windows\System32\SFHDHuR.exe
  2⤵
  PID:11016
- C:\Windows\System32\GWOzUIT.exe
  C:\Windows\System32\GWOzUIT.exe
  2⤵
  PID:11044
- C:\Windows\System32\qzYDBaD.exe
  C:\Windows\System32\qzYDBaD.exe
  2⤵
  PID:11076
- C:\Windows\System32\khrnBtL.exe
  C:\Windows\System32\khrnBtL.exe
  2⤵
  PID:11096
- C:\Windows\System32\JiNpKNH.exe
  C:\Windows\System32\JiNpKNH.exe
  2⤵
  PID:11124
- C:\Windows\System32\ylKsvGK.exe
  C:\Windows\System32\ylKsvGK.exe
  2⤵
  PID:11140
- C:\Windows\System32\PtLTnjm.exe
  C:\Windows\System32\PtLTnjm.exe
  2⤵
  PID:11164
- C:\Windows\System32\uecJApt.exe
  C:\Windows\System32\uecJApt.exe
  2⤵
  PID:11188
- C:\Windows\System32\YHWynQZ.exe
  C:\Windows\System32\YHWynQZ.exe
  2⤵
  PID:11204
- C:\Windows\System32\wTPztLL.exe
  C:\Windows\System32\wTPztLL.exe
  2⤵
  PID:11248
- C:\Windows\System32\hasRgvE.exe
  C:\Windows\System32\hasRgvE.exe
  2⤵
  PID:9524
- C:\Windows\System32\fxFfGOo.exe
  C:\Windows\System32\fxFfGOo.exe
  2⤵
  PID:10268
- C:\Windows\System32\FWeqngb.exe
  C:\Windows\System32\FWeqngb.exe
  2⤵
  PID:10296
- C:\Windows\System32\QwGlzko.exe
  C:\Windows\System32\QwGlzko.exe
  2⤵
  PID:10364
- C:\Windows\System32\WmeBYCW.exe
  C:\Windows\System32\WmeBYCW.exe
  2⤵
  PID:10436
- C:\Windows\System32\VKyqIMl.exe
  C:\Windows\System32\VKyqIMl.exe
  2⤵
  PID:10524
- C:\Windows\System32\arOgKBk.exe
  C:\Windows\System32\arOgKBk.exe
  2⤵
  PID:10620
- C:\Windows\System32\SXMncbX.exe
  C:\Windows\System32\SXMncbX.exe
  2⤵
  PID:10600
- C:\Windows\System32\UdvvLyT.exe
  C:\Windows\System32\UdvvLyT.exe
  2⤵
  PID:10756
- C:\Windows\System32\wZbuxPj.exe
  C:\Windows\System32\wZbuxPj.exe
  2⤵
  PID:10908
- C:\Windows\System32\vYwqeXx.exe
  C:\Windows\System32\vYwqeXx.exe
  2⤵
  PID:10968
- C:\Windows\System32\KgMGpHD.exe
  C:\Windows\System32\KgMGpHD.exe
  2⤵
  PID:11012
- C:\Windows\System32\fvPxAoI.exe
  C:\Windows\System32\fvPxAoI.exe
  2⤵
  PID:11060
- C:\Windows\System32\tkUeIDZ.exe
  C:\Windows\System32\tkUeIDZ.exe
  2⤵
  PID:11104
- C:\Windows\System32\klToBXi.exe
  C:\Windows\System32\klToBXi.exe
  2⤵
  PID:11160
- C:\Windows\System32\yyqtEDO.exe
  C:\Windows\System32\yyqtEDO.exe
  2⤵
  PID:11132
- C:\Windows\System32\AOhIsmO.exe
  C:\Windows\System32\AOhIsmO.exe
  2⤵
  PID:10292
- C:\Windows\System32\BKSljWa.exe
  C:\Windows\System32\BKSljWa.exe
  2⤵
  PID:10300
- C:\Windows\System32\JaKLUuu.exe
  C:\Windows\System32\JaKLUuu.exe
  2⤵
  PID:10568
- C:\Windows\System32\rozcLKX.exe
  C:\Windows\System32\rozcLKX.exe
  2⤵
  PID:10636
- C:\Windows\System32\XxBSHQq.exe
  C:\Windows\System32\XxBSHQq.exe
  2⤵
  PID:10960
- C:\Windows\System32\QpvwNTF.exe
  C:\Windows\System32\QpvwNTF.exe
  2⤵
  PID:11088
- C:\Windows\System32\RAhvMpj.exe
  C:\Windows\System32\RAhvMpj.exe
  2⤵
  PID:11184
- C:\Windows\System32\pzLTeQz.exe
  C:\Windows\System32\pzLTeQz.exe
  2⤵
  PID:10380
- C:\Windows\System32\kFFUVEP.exe
  C:\Windows\System32\kFFUVEP.exe
  2⤵
  PID:10812
- C:\Windows\System32\aHIUkwz.exe
  C:\Windows\System32\aHIUkwz.exe
  2⤵
  PID:10996
- C:\Windows\System32\BCcjTEK.exe
  C:\Windows\System32\BCcjTEK.exe
  2⤵
  PID:11340
- C:\Windows\System32\QyJFBwg.exe
  C:\Windows\System32\QyJFBwg.exe
  2⤵
  PID:11356
- C:\Windows\System32\wlabfHU.exe
  C:\Windows\System32\wlabfHU.exe
  2⤵
  PID:11372
- C:\Windows\System32\gLthxQy.exe
  C:\Windows\System32\gLthxQy.exe
  2⤵
  PID:11388
- C:\Windows\System32\DTyyYxs.exe
  C:\Windows\System32\DTyyYxs.exe
  2⤵
  PID:11404
- C:\Windows\System32\zUjymGy.exe
  C:\Windows\System32\zUjymGy.exe
  2⤵
  PID:11420
- C:\Windows\System32\PnkYZJG.exe
  C:\Windows\System32\PnkYZJG.exe
  2⤵
  PID:11436
- C:\Windows\System32\UAnfITV.exe
  C:\Windows\System32\UAnfITV.exe
  2⤵
  PID:11452
- C:\Windows\System32\WxNxjMb.exe
  C:\Windows\System32\WxNxjMb.exe
  2⤵
  PID:11468
- C:\Windows\System32\OLKfjaw.exe
  C:\Windows\System32\OLKfjaw.exe
  2⤵
  PID:11484
- C:\Windows\System32\hMFgVqZ.exe
  C:\Windows\System32\hMFgVqZ.exe
  2⤵
  PID:11500
- C:\Windows\System32\ItnpPsI.exe
  C:\Windows\System32\ItnpPsI.exe
  2⤵
  PID:11516
- C:\Windows\System32\hDIYlqD.exe
  C:\Windows\System32\hDIYlqD.exe
  2⤵
  PID:11576
- C:\Windows\System32\OFlrdNM.exe
  C:\Windows\System32\OFlrdNM.exe
  2⤵
  PID:11652
- C:\Windows\System32\mOZOlxU.exe
  C:\Windows\System32\mOZOlxU.exe
  2⤵
  PID:11732
- C:\Windows\System32\qanyKOe.exe
  C:\Windows\System32\qanyKOe.exe
  2⤵
  PID:11764
- C:\Windows\System32\KLBHkbB.exe
  C:\Windows\System32\KLBHkbB.exe
  2⤵
  PID:11792
- C:\Windows\System32\WeTtoKY.exe
  C:\Windows\System32\WeTtoKY.exe
  2⤵
  PID:11808
- C:\Windows\System32\ZsWfWDi.exe
  C:\Windows\System32\ZsWfWDi.exe
  2⤵
  PID:11828
- C:\Windows\System32\XMwWhyG.exe
  C:\Windows\System32\XMwWhyG.exe
  2⤵
  PID:11844
- C:\Windows\System32\eJIZrsB.exe
  C:\Windows\System32\eJIZrsB.exe
  2⤵
  PID:11868
- C:\Windows\System32\CENqMEV.exe
  C:\Windows\System32\CENqMEV.exe
  2⤵
  PID:11924
- C:\Windows\System32\wQtSeKj.exe
  C:\Windows\System32\wQtSeKj.exe
  2⤵
  PID:11964
- C:\Windows\System32\uciRrkk.exe
  C:\Windows\System32\uciRrkk.exe
  2⤵
  PID:11988
- C:\Windows\System32\KgoWDGa.exe
  C:\Windows\System32\KgoWDGa.exe
  2⤵
  PID:12016
- C:\Windows\System32\BrLjSkf.exe
  C:\Windows\System32\BrLjSkf.exe
  2⤵
  PID:12032
- C:\Windows\System32\nngRvex.exe
  C:\Windows\System32\nngRvex.exe
  2⤵
  PID:12068
- C:\Windows\System32\uBoiVKt.exe
  C:\Windows\System32\uBoiVKt.exe
  2⤵
  PID:12100
- C:\Windows\System32\OFetrMy.exe
  C:\Windows\System32\OFetrMy.exe
  2⤵
  PID:12128
- C:\Windows\System32\NEwSWHT.exe
  C:\Windows\System32\NEwSWHT.exe
  2⤵
  PID:12148
- C:\Windows\System32\GDNaTwu.exe
  C:\Windows\System32\GDNaTwu.exe
  2⤵
  PID:12172
- C:\Windows\System32\OtVFRZi.exe
  C:\Windows\System32\OtVFRZi.exe
  2⤵
  PID:12212
- C:\Windows\System32\xkVvEbD.exe
  C:\Windows\System32\xkVvEbD.exe
  2⤵
  PID:12232
- C:\Windows\System32\eSPZtoj.exe
  C:\Windows\System32\eSPZtoj.exe
  2⤵
  PID:12248
- C:\Windows\System32\wstvhBT.exe
  C:\Windows\System32\wstvhBT.exe
  2⤵
  PID:12284
- C:\Windows\System32\FDKLtoU.exe
  C:\Windows\System32\FDKLtoU.exe
  2⤵
  PID:11200
- C:\Windows\System32\aVZTzlP.exe
  C:\Windows\System32\aVZTzlP.exe
  2⤵
  PID:10688
- C:\Windows\System32\GXVFUdc.exe
  C:\Windows\System32\GXVFUdc.exe
  2⤵
  PID:11280
- C:\Windows\System32\TmodNkT.exe
  C:\Windows\System32\TmodNkT.exe
  2⤵
  PID:11304
- C:\Windows\System32\diIUxPx.exe
  C:\Windows\System32\diIUxPx.exe
  2⤵
  PID:11308
- C:\Windows\System32\qIWyEjp.exe
  C:\Windows\System32\qIWyEjp.exe
  2⤵
  PID:10912
- C:\Windows\System32\LGOHLUI.exe
  C:\Windows\System32\LGOHLUI.exe
  2⤵
  PID:11564
- C:\Windows\System32\HvJFtDh.exe
  C:\Windows\System32\HvJFtDh.exe
  2⤵
  PID:11640
- C:\Windows\System32\oHGHKrR.exe
  C:\Windows\System32\oHGHKrR.exe
  2⤵
  PID:11664
- C:\Windows\System32\cjwLAis.exe
  C:\Windows\System32\cjwLAis.exe
  2⤵
  PID:11756
- C:\Windows\System32\aoskCGy.exe
  C:\Windows\System32\aoskCGy.exe
  2⤵
  PID:11780
- C:\Windows\System32\Pefojdm.exe
  C:\Windows\System32\Pefojdm.exe
  2⤵
  PID:11860
- C:\Windows\System32\wRlsgxT.exe
  C:\Windows\System32\wRlsgxT.exe
  2⤵
  PID:11980
- C:\Windows\System32\zTdEIhD.exe
  C:\Windows\System32\zTdEIhD.exe
  2⤵
  PID:12028
- C:\Windows\System32\gYdKCGJ.exe
  C:\Windows\System32\gYdKCGJ.exe
  2⤵
  PID:12076
- C:\Windows\System32\rrGyeOL.exe
  C:\Windows\System32\rrGyeOL.exe
  2⤵
  PID:12180
- C:\Windows\System32\FcnERHe.exe
  C:\Windows\System32\FcnERHe.exe
  2⤵
  PID:12240
- C:\Windows\System32\mDltZLy.exe
  C:\Windows\System32\mDltZLy.exe
  2⤵
  PID:12280
- C:\Windows\System32\dHUcAgU.exe
  C:\Windows\System32\dHUcAgU.exe
  2⤵
  PID:11288
- C:\Windows\System32\QFGUhxi.exe
  C:\Windows\System32\QFGUhxi.exe
  2⤵
  PID:11432
- C:\Windows\System32\bITzXnd.exe
  C:\Windows\System32\bITzXnd.exe
  2⤵
  PID:11312
- C:\Windows\System32\lgungIg.exe
  C:\Windows\System32\lgungIg.exe
  2⤵
  PID:11788
- C:\Windows\System32\wjdrumO.exe
  C:\Windows\System32\wjdrumO.exe
  2⤵
  PID:11940
- C:\Windows\System32\lMuoieb.exe
  C:\Windows\System32\lMuoieb.exe
  2⤵
  PID:11984
- C:\Windows\System32\rzhKgRE.exe
  C:\Windows\System32\rzhKgRE.exe
  2⤵
  PID:1968
- C:\Windows\System32\WvrVBfA.exe
  C:\Windows\System32\WvrVBfA.exe
  2⤵
  PID:3112
- C:\Windows\System32\HEbUAyO.exe
  C:\Windows\System32\HEbUAyO.exe
  2⤵
  PID:11268
- C:\Windows\System32\iZLcaIE.exe
  C:\Windows\System32\iZLcaIE.exe
  2⤵
  PID:11320
- C:\Windows\System32\jJIZwzF.exe
  C:\Windows\System32\jJIZwzF.exe
  2⤵
  PID:11524
- C:\Windows\System32\HoEtjfn.exe
  C:\Windows\System32\HoEtjfn.exe
  2⤵
  PID:11800
- C:\Windows\System32\gqxOdCQ.exe
  C:\Windows\System32\gqxOdCQ.exe
  2⤵
  PID:12084
- C:\Windows\System32\iAzQnee.exe
  C:\Windows\System32\iAzQnee.exe
  2⤵
  PID:11396
- C:\Windows\System32\VdfcYoq.exe
  C:\Windows\System32\VdfcYoq.exe
  2⤵
  PID:12324
- C:\Windows\System32\nHDRDpI.exe
  C:\Windows\System32\nHDRDpI.exe
  2⤵
  PID:12340
- C:\Windows\System32\nUxxgIE.exe
  C:\Windows\System32\nUxxgIE.exe
  2⤵
  PID:12360
- C:\Windows\System32\FnToTXE.exe
  C:\Windows\System32\FnToTXE.exe
  2⤵
  PID:12384
- C:\Windows\System32\scmVpVb.exe
  C:\Windows\System32\scmVpVb.exe
  2⤵
  PID:12412
- C:\Windows\System32\aZMLgiv.exe
  C:\Windows\System32\aZMLgiv.exe
  2⤵
  PID:12448
- C:\Windows\System32\zeiqWXV.exe
  C:\Windows\System32\zeiqWXV.exe
  2⤵
  PID:12480
- C:\Windows\System32\RHhPSLG.exe
  C:\Windows\System32\RHhPSLG.exe
  2⤵
  PID:12516
- C:\Windows\System32\bVFOeUs.exe
  C:\Windows\System32\bVFOeUs.exe
  2⤵
  PID:12568
- C:\Windows\System32\aLxeHfn.exe
  C:\Windows\System32\aLxeHfn.exe
  2⤵
  PID:12588
- C:\Windows\System32\FcvWkHC.exe
  C:\Windows\System32\FcvWkHC.exe
  2⤵
  PID:12624
- C:\Windows\System32\jUdwVKV.exe
  C:\Windows\System32\jUdwVKV.exe
  2⤵
  PID:12644
- C:\Windows\System32\aILPGnB.exe
  C:\Windows\System32\aILPGnB.exe
  2⤵
  PID:12672
- C:\Windows\System32\zPhaIWU.exe
  C:\Windows\System32\zPhaIWU.exe
  2⤵
  PID:12688
- C:\Windows\System32\spbNvRd.exe
  C:\Windows\System32\spbNvRd.exe
  2⤵
  PID:12708
- C:\Windows\System32\usUgfdy.exe
  C:\Windows\System32\usUgfdy.exe
  2⤵
  PID:12744
- C:\Windows\System32\VKphuco.exe
  C:\Windows\System32\VKphuco.exe
  2⤵
  PID:12772
- C:\Windows\System32\eUePnib.exe
  C:\Windows\System32\eUePnib.exe
  2⤵
  PID:12796
- C:\Windows\System32\etHuqmE.exe
  C:\Windows\System32\etHuqmE.exe
  2⤵
  PID:12816
- C:\Windows\System32\RacRgZX.exe
  C:\Windows\System32\RacRgZX.exe
  2⤵
  PID:12848
- C:\Windows\System32\xKmvsCc.exe
  C:\Windows\System32\xKmvsCc.exe
  2⤵
  PID:12872
- C:\Windows\System32\pQCEDje.exe
  C:\Windows\System32\pQCEDje.exe
  2⤵
  PID:12912
- C:\Windows\System32\IYKIsqs.exe
  C:\Windows\System32\IYKIsqs.exe
  2⤵
  PID:12944
- C:\Windows\System32\IkOzCLd.exe
  C:\Windows\System32\IkOzCLd.exe
  2⤵
  PID:12992
- C:\Windows\System32\KCxbxsc.exe
  C:\Windows\System32\KCxbxsc.exe
  2⤵
  PID:13020
- C:\Windows\System32\PrTLlOO.exe
  C:\Windows\System32\PrTLlOO.exe
  2⤵
  PID:13056
- C:\Windows\System32\TDxuYwl.exe
  C:\Windows\System32\TDxuYwl.exe
  2⤵
  PID:13080
- C:\Windows\System32\DEHDLrN.exe
  C:\Windows\System32\DEHDLrN.exe
  2⤵
  PID:13104
- C:\Windows\System32\ZBekueL.exe
  C:\Windows\System32\ZBekueL.exe
  2⤵
  PID:13128
- C:\Windows\System32\xrcerPd.exe
  C:\Windows\System32\xrcerPd.exe
  2⤵
  PID:13148
- C:\Windows\System32\qaNuZmT.exe
  C:\Windows\System32\qaNuZmT.exe
  2⤵
  PID:13164

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12424

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AjUkjYL.exe

Filesize
1.3MB

MD5
64cf10ffd8dde759b87cd883780b6308

SHA1
60ae37e309bcc967a9dcdfaf68b150f76297aec4

SHA256
ea8bb45443030c3dde87f5d5fa604be97d20996be9088fdd2d9db4c49a392617

SHA512
6ce4c7dcbc76b1c7ebd451b485b2ef7419b2ede9ae410a2e3c8f4daf3d0ff6228ba929fc12c459e4b9600f4312e47bfac6c3f71e6e90c4079a5c27bab3b3d864

Download Submit
C:\Windows\System32\BCBDtaR.exe

Filesize
1.3MB

MD5
b37af51aea8725a7e77a2e704e501635

SHA1
5ffcc4c10b7571990fd5a09913c563dc9feb40c7

SHA256
0e22223994497d52c03618e81fb1c1076182ec75389aab4caa609bfe21ae8b2b

SHA512
46b6b6379e6b47e4d893eb97dd653abc2e00861b079cc6d3d98374f9427d1f1753513bdfda3417b6ff9c56df3cf4f22e93950b8b3963d3bff0358bf961ae5922

Download Submit
C:\Windows\System32\CXdeUTH.exe

Filesize
1.3MB

MD5
c7113fa70723730270bdaeebe7f54f79

SHA1
ce0c8b8dcd1478e35e9b5ea59ec4e9657454dea2

SHA256
14a429a12287eb4c0870586fe364e336ad56889b8ffbb77dd4d62997024f0509

SHA512
1becac2c22e0a74dbabeac425cfa83a62b3bda7755e70fadde1c9c5252f45b559a4eed607b773a1c278e82c8c8f60f48afd2c48a80b81879b0ae5ed3d2e6cc47

Download Submit
C:\Windows\System32\DFIIECo.exe

Filesize
1.3MB

MD5
c489bf7964c8bbf679507ed8728857d1

SHA1
965a39f7124935b174c7bbfcd193b9efe73bf231

SHA256
aa4cbd3bb48b7c446a49d272c4f5420db496f8065c644c96cebfe6baa33f517b

SHA512
41a5543504deb0aa03af2e0359d235c6410ea6a49551d20a4db211bf90afeda3442ae0946ba108c751e3c32b9819463010ee7ed148f46944338f2e0223587076

Download Submit
C:\Windows\System32\DvChgRz.exe

Filesize
1.3MB

MD5
3d455799b2ae106222da51cde7413f98

SHA1
4779c6f88fecc08946740b111235b31e186da84a

SHA256
1cd9cb41bf1b5f10ea3d56ce18fc71f37c7ed1c4778e2f4fccace873708f421c

SHA512
e12a0e5b6bccc1cf77bfd31e8d9573780e7af4035a0614bca024fa5c76a178c39ac2e404ff849e2c33448a12698d6f38785d7c36de8a35c6d4effc7e7c004b62

Download Submit
C:\Windows\System32\DyIjwmB.exe

Filesize
1.3MB

MD5
042207284992825fbe89ebb3ae6f17c9

SHA1
1c1c019c0a35c3ee6dfedbef07aff1a3d7e24c00

SHA256
712902d98ae557197db4f2ce2fe469a5b34738529dd905ba4d416db13cf0e44b

SHA512
d170601e614156a79252e060ffe0e73b77aaf7b1cdd871fff70506237d5e75ac7dfd66621b8cb31c732a1e28b6bf7e8f2858441083a800796b6fb00a7ac4d4c8

Download Submit
C:\Windows\System32\EkdOrDs.exe

Filesize
1.3MB

MD5
3f822d056bb1dff16617615b550ab558

SHA1
e88c0a449a2d5621f8e41e9a3ff56cd654215969

SHA256
ddbc4c55bdd4fc155c82dd21bb409b2cadcda2c56127521d96c559ea78b34df9

SHA512
df2d94e1141dba0db40e9d38c2e30c7b1eb75351e08f505a25b9235de11910527c1e2c485ec29263a0e36acb56563bbf824cf22e2bae41dba084e4cb3156c6bc

Download Submit
C:\Windows\System32\FRyDWCw.exe

Filesize
1.3MB

MD5
86d2b6342ca1992aa82bb508cf4c680e

SHA1
fbca31ff511df5f10649425ad2399b544f827258

SHA256
d68b5d85a6544ef54dedbf0b791e68c9714ccce59d7a447361064fa6744531aa

SHA512
749aeb8f06c5547908d12a240839989ce661f31bcae0d9040f35bc0542305f9244601b056b703ade94ea1d2806097df46ce948561ce9ce73ed7ddf2ef87d425c

Download Submit
C:\Windows\System32\NZXeqNA.exe

Filesize
1.3MB

MD5
c511edd36c5015209877be957ef00c34

SHA1
e258fbc7d3bfa1adb532f8d0a299fab6c0bf36e9

SHA256
82c0fd0b67ad193d70fe2d71ff914bc49cb568b65ec377b448f8e0d135856b91

SHA512
b6c35b18706a299764d83f2da8041d97e95b789b80950409f494b7dc52cce87566d034cddbb40d9f0e82f12bfa6636ef26be90e89beff887e4e94abcc1f24d7e

Download Submit
C:\Windows\System32\PxAWgKW.exe

Filesize
1.3MB

MD5
965483decb8cde1370fcd7b43cf43ab7

SHA1
452f057bd7574367d9aa5cb5f52148cc610be015

SHA256
1c140354f740793bf8ce063a12b2672c36a6e3c4f60de08ac8393ae875685f7e

SHA512
6f5448620a87309b1a1fe2cf79028f81953d9b2bf13f122bcffbcf677ea299f8c21996032937e2cde5dedfd15dfbb1937fa0bc6fcdf9814b574ddca811615b21

Download Submit
C:\Windows\System32\QIVYosX.exe

Filesize
1.3MB

MD5
cb93c02c49591ea7d60d399f7ddc1442

SHA1
26aaa971fd24910412fdb87f03cc68a00f1de673

SHA256
9828d8737b50295f5560727ad2267e6eb9f836adb43c67970a90962b8593d82a

SHA512
8043f912be9f330eb35ec8f8c6e633ec6b98fe7a9f618cd0ec4a0f72b7f9c5207c89c662c5f61adafbff0c57865e11b2f220793dc6738544305a22996fe2bac2

Download Submit
C:\Windows\System32\RLsKlGn.exe

Filesize
1.3MB

MD5
514a361e9850e300c56655667bf4bb86

SHA1
674199c503cee99ddb1ed38b08a4608e774625cf

SHA256
9c59543239ffe9820e056d82c3175c9bc606dcc783663b78e527e3a8cac8585e

SHA512
0d2466f17b8311c6fdbccb670b382f39ddecf7533ffb8b749011b75083d0ec19788d285abe3f4fd687d95ff46a68bc90de04dbe2d0fe2152b1c015a26e986fc6

Download Submit
C:\Windows\System32\RvwVFTc.exe

Filesize
1.3MB

MD5
46f5b352b62d2c519d485e88274cd4ca

SHA1
97cef20276fa7782d7a484778fdb107808259fcb

SHA256
17e734047adf5540439f2cd311732c6d6ef137f5f210dbfad3b4c4bca8ace5aa

SHA512
c75d31504483c5713aeff017490a08ad3b4121159625b8c1c71e0000b0aca599d80df44e2f9733ae46b977b72c567e8359a089810b71e766d49166e727f16846

Download Submit
C:\Windows\System32\SECOPom.exe

Filesize
1.3MB

MD5
d62aa01adba4b51eeb11e2853be2d5f0

SHA1
919699c1574fb8468cf13786cfacde47834c4dc8

SHA256
85b23b618de1e24df3b49d02a12b1ecb77ca5056b6588f05844a42a8f95171a2

SHA512
b0b96aaa53db7e33f4b715091b81ea8cb11e456def2cf4219102933dd5f11d866e62f464b9b38c69fc02cdd2ca9e553147c3c8ab227a916bb7ade661d3c11b73

Download Submit
C:\Windows\System32\TKodVuD.exe

Filesize
1.3MB

MD5
b6304ca4058882f9eeabb874b0f9886d

SHA1
fb6c5f72196fae5e3e1c08507a1744ec8c3e3f76

SHA256
7bbbc3c4bae9354b3e267973f36d56b2098b35976237bc2a985db8f53adf3bb0

SHA512
9fec40102c7b26a83adfb137c498b46fe44da082711c9db452927498b4c3718c5d68ab836eb8921d237e98ba2811c9dde76a5c2e3820f9c949b2138e9617fc0c

Download Submit
C:\Windows\System32\VsaKpKM.exe

Filesize
1.3MB

MD5
bb4cbaf4661c51a1ecc2abdfdde1c3b0

SHA1
efea7be98465bf399bb7866b1d391b64404b20a7

SHA256
e43caf35d36ab38a04beebade6bca2d205fdab61e28e1fa97892bceebad594f2

SHA512
131af35a002d895c4b66cb8cfaa7308e9c97bddce91a9fd59de323eb0099486b891f7747e3b98468452ed325855535bab5e595a1c95baf090c8004bc7b1b3633

Download Submit
C:\Windows\System32\WFvKTmb.exe

Filesize
1.3MB

MD5
bab602591eb3a083d7360302232b1ffc

SHA1
a3da07169ac557eb759dc959ebdeea54c6ea1c5a

SHA256
818a676a7162f8dedc1120c18187b54a6ec3909ae33e72977922e5bdc0484207

SHA512
838b0984ca5e9ad7b8b7995f60e8e2274e0d497ddc481d588e1a98edfc4b1b3dd2e597b726a1cdf9edf94955a3cf13bb66c04c363e17fff2b8b540c6710fd26d

Download Submit
C:\Windows\System32\WeenCsT.exe

Filesize
1.3MB

MD5
e79bb5c7420d127243a91bac37c7190b

SHA1
089ec733aa13052ee7f28868144571e8e3ffaf17

SHA256
ffad284e805d6794964c54765bcd8818ffbe679d200101e77c5344c0389ee401

SHA512
849a356cfe1f3c8d7c3d717114939daa331a9c113475d8e9f0ac7ccb519537f8bf2656310c4208c5b3d6d9c2e955d023d3ddcd50eb1adfb13fb55d2dc3e2be5d

Download Submit
C:\Windows\System32\XaFMHdu.exe

Filesize
1.3MB

MD5
e50df10e5508e9569d133f3e673f2392

SHA1
6529c966ae2f8ac152bcc023da0b9220f89456b6

SHA256
3dd33b295c931984c51cfd443915e86502c4d158db8018e7107ff736cfaa75e6

SHA512
e183a7c264205a302661084323fce1b081a26015fff7824ed4c693d9abb628631cb7e5191316c8b861928683308e2c2ad3d6c2edd1e86c5e509f4df30f32315f

Download Submit
C:\Windows\System32\YeJrbsV.exe

Filesize
1.3MB

MD5
368841d6ab64f0a72f786514b3f5fb95

SHA1
dcae9f08333ef10690673e7d8b35e7f118440a91

SHA256
f82ed3788e6407bda407762d113671a024e1562932db957d4ea2fcc4393c01b0

SHA512
a8d141ec6fbe48cf5885b200392caa581531f16db12be3a7f5aed6bd92e8974e888d478405efdb1b6937e99bf0dbff8df679dd942e113eb4d74dfe26f068f23b

Download Submit
C:\Windows\System32\aLtBupf.exe

Filesize
1.3MB

MD5
6841a39364b0f97f51fac5cd968bb992

SHA1
029da21340ceb3f1fcb398474bb32f118d829b8e

SHA256
1cb7dc5a8872c8476f685e87d3873673fa6bdd4534c44772e5902520e4402b6e

SHA512
f764663769529de8aae869819f68b0b258e563f89fd21554e48e835792cb19fe56667730170083ed25c22c75db1ac2168e9495ccd868b92a0da790f718f89191

Download Submit
C:\Windows\System32\ebwWEdP.exe

Filesize
1.3MB

MD5
b8fef73d82f2ccc9f781204d17b4fba9

SHA1
0551eab5d9ea63bac14d81f385e30ff1d8e5abbb

SHA256
81aef78a7ebbf39965e262f65942f06091ac49eb3c449009c47abb35cead5162

SHA512
55c13a3b68d1f1a25a074354c2bb96bda9f7d10a06f14c576aeb91d366f2f40dcd779c50f4e72eb323591fb4fd2d95ae454cbf5d8c581caf60f1bb67e9046a0d

Download Submit
C:\Windows\System32\hacrwjI.exe

Filesize
1.3MB

MD5
1f874cbac230f9a42051daa0c8b19913

SHA1
273d048c8255a855efd3ae282cf23f0fb45a6d88

SHA256
81c3cdb0635c196a209cd293c157011f570252aa6e0bd6ba4eac230ecffba1a0

SHA512
1e9cc9b843da55c8badc4d4ed12b839719a280bb7b41d03d8d1fbb1633c5b27457269193b604c6a4bbe92efa5875e9e43f23f672944066d2493d086a3349efd2

Download Submit
C:\Windows\System32\hkmKcQE.exe

Filesize
1.3MB

MD5
272a3143f1bbbf70b96a552084786a59

SHA1
8e8f70ea1ed861e9f4e927447a9fb95899c0f0d7

SHA256
19a83ca0ea2312a68b47e0a8ec5c2fdf69bf11971200ff8c6d6cad00c65c79ab

SHA512
185964768fe778222d10dfe472dcab7644b07a1e504f83d7af0cf70dc5206d97cb06cc4349b84a0fc320be4f104e31d38135bed7fbc8380cc89ce21639f0a6d9

Download Submit
C:\Windows\System32\jLkEXyu.exe

Filesize
1.3MB

MD5
e608457b0058fbcac9997ed271d5a024

SHA1
48ce7bddd31f043a839e5fd8155c1af7e5076781

SHA256
b89501e8e2d7751f79e5285379f372af633b1f24304dfaa96565dead88a52886

SHA512
f820c277b7a5b6cc1c81fab2428c26f0818473d5db0096104e6455a0de9dadb2c64aa196d98a48116c5d21e98aa926e410c377175065bc95ef353ea71bd6fa55

Download Submit
C:\Windows\System32\jvUjXYL.exe

Filesize
1.3MB

MD5
c15c151942850ebaf701258bac0a4f96

SHA1
6e318635dbe743b8d869185cd3218e8019d9cb38

SHA256
e18ff66230a35bb7bacc7591ac21535f929e0028ccab2068d8b1d4b95b53956e

SHA512
980432147b44eed9e6fa4d90c0d7686655be220b033b86463fab9bae31bed2c7546cb44d2e6d51da80303478275043d9dae3d25c1be2d52181ff92c22a58e5dc

Download Submit
C:\Windows\System32\kAZRrsv.exe

Filesize
1.3MB

MD5
7ec84ce2cea491456b44a4e85333c4b9

SHA1
2ef26f317273293fec7f37f94b15b9a2a549983f

SHA256
5aac686cd464a5d355be6b3a601b1ab327dffdce6b64214db045bfac03a227ad

SHA512
fc8576c6f2ed7465c1c01b9e77ae3ce9f38fe9f70239408a18e04fae66f6f72df635a35ac9cc527289efe0ae289904587450f50c445e2749a52eb2c53acdf6ef

Download Submit
C:\Windows\System32\lcXrCjm.exe

Filesize
1.3MB

MD5
ecde9fad65ed3d74baa3f41a0542394e

SHA1
f4581aa1a0add4cf22f32d863a594acb362f9642

SHA256
2171521d732da07524822ff9eabf274b76f5f1c9b43db903d7dad1dbcfe36b97

SHA512
ee80fdac70a8d7d5dada889420a246d678b8a4cfcb74f7730b67eb19c13f626a79b33e7f75b56255bb178dd6064475bcafd68d1dd15852b277de95e30ac720ba

Download Submit
C:\Windows\System32\mcwucZC.exe

Filesize
1.3MB

MD5
1ea7f90d59bf543c0cd1b7a5ed27d4e3

SHA1
341553f6e92172d377431f11a60d419d6fd2e0af

SHA256
26e634c2f98704c290a4979f0ee85b22f3872de89e9dd4c51fff560b58d9ec0c

SHA512
bfe147182feee1c4c6c85203b66b510e68c2c67d42ee5ee2387c38f46ccc30246b592a3c8a0dd48e305c934f3a69245ea7b87206e060bb6e82412509881a4c15

Download Submit
C:\Windows\System32\mzRCXAq.exe

Filesize
1.3MB

MD5
5baebf97cd2e2fcb9c7579238ae7567b

SHA1
1d2ca8e3f8425062598a6da6c92774800b71a2f0

SHA256
12ec660143f91432dedd147bdce0f244c63864792c77e823153362cc425c0684

SHA512
3c5df230a44aa167375535604ca8e89f0ba7577aebbd6aa5dc6be5ced03cb9c05fc392efe9c0e6433575967ee7f058b4122b55441f9a8f5081418c620c01d7e1

Download Submit
C:\Windows\System32\vWWqiyi.exe

Filesize
1.3MB

MD5
93541c4ff81f7dab2c38807eb7c17d3c

SHA1
20b4b1b9fbf5b469ef7d64eca3cfa6ce91a15670

SHA256
f1e4991a096f4305425c782e590639a6cbc73bfcbd439838fdf0c88a0b263af2

SHA512
b5f52a082a2287313efb916b832184695e1bf4335d2457c3d9680fadfcdd4d3237bd69db22a6b9012f122d4b3254596372da0d94a19a51b725afa59b2eac73ac

Download Submit
C:\Windows\System32\zpMFfNc.exe

Filesize
1.3MB

MD5
a5e842c02f36f455fc77e7bdfb23cd79

SHA1
05203f6e5715b5c79fc2d65ceed5b574521e55dc

SHA256
67a7eadca8b86fb7570311d1d9cbc77501b660fb87c19d3c1083f0202845be84

SHA512
00afdec4f289c2ccbb5772e8e6df4b20d540c397800e6f9e5e33fc90b504234915c171d586f4f1ce6dea31de9b226e6ae1e1543945caa8f38822575e73d8a457

Download Submit
memory/348-280-0x00007FF6C0FB0000-0x00007FF6C13A1000-memory.dmp

Filesize
3.9MB

Download
memory/348-1979-0x00007FF6C0FB0000-0x00007FF6C13A1000-memory.dmp

Filesize
3.9MB

Download
memory/468-1993-0x00007FF716A80000-0x00007FF716E71000-memory.dmp

Filesize
3.9MB

Download
memory/468-308-0x00007FF716A80000-0x00007FF716E71000-memory.dmp

Filesize
3.9MB

Download
memory/756-1983-0x00007FF7C59C0000-0x00007FF7C5DB1000-memory.dmp

Filesize
3.9MB

Download
memory/756-285-0x00007FF7C59C0000-0x00007FF7C5DB1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-1971-0x00007FF7254F0000-0x00007FF7258E1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-274-0x00007FF7254F0000-0x00007FF7258E1000-memory.dmp

Filesize
3.9MB

Download
memory/1556-1975-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp

Filesize
3.9MB

Download
memory/1556-47-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp

Filesize
3.9MB

Download
memory/1556-1951-0x00007FF6C0240000-0x00007FF6C0631000-memory.dmp

Filesize
3.9MB

Download
memory/1760-45-0x00007FF6FE5F0000-0x00007FF6FE9E1000-memory.dmp

Filesize
3.9MB

Download
memory/1760-1967-0x00007FF6FE5F0000-0x00007FF6FE9E1000-memory.dmp

Filesize
3.9MB

Download
memory/1916-1989-0x00007FF6B3380000-0x00007FF6B3771000-memory.dmp

Filesize
3.9MB

Download
memory/1916-291-0x00007FF6B3380000-0x00007FF6B3771000-memory.dmp

Filesize
3.9MB

Download
memory/1992-321-0x00007FF6B5460000-0x00007FF6B5851000-memory.dmp

Filesize
3.9MB

Download
memory/1992-1997-0x00007FF6B5460000-0x00007FF6B5851000-memory.dmp

Filesize
3.9MB

Download
memory/2200-0-0x00007FF7E85A0000-0x00007FF7E8991000-memory.dmp

Filesize
3.9MB

Download
memory/2200-1890-0x00007FF7E85A0000-0x00007FF7E8991000-memory.dmp

Filesize
3.9MB

Download
memory/2200-1-0x00000182EEAF0000-0x00000182EEB00000-memory.dmp

Filesize
64KB

Download
memory/2464-326-0x00007FF636200000-0x00007FF6365F1000-memory.dmp

Filesize
3.9MB

Download
memory/2464-2003-0x00007FF636200000-0x00007FF6365F1000-memory.dmp

Filesize
3.9MB

Download
memory/2556-1925-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp

Filesize
3.9MB

Download
memory/2556-1965-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp

Filesize
3.9MB

Download
memory/2556-23-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp

Filesize
3.9MB

Download
memory/2812-1999-0x00007FF6D1760000-0x00007FF6D1B51000-memory.dmp

Filesize
3.9MB

Download
memory/2812-318-0x00007FF6D1760000-0x00007FF6D1B51000-memory.dmp

Filesize
3.9MB

Download
memory/2860-1924-0x00007FF66F470000-0x00007FF66F861000-memory.dmp

Filesize
3.9MB

Download
memory/2860-17-0x00007FF66F470000-0x00007FF66F861000-memory.dmp

Filesize
3.9MB

Download
memory/2860-1963-0x00007FF66F470000-0x00007FF66F861000-memory.dmp

Filesize
3.9MB

Download
memory/2912-329-0x00007FF76D0E0000-0x00007FF76D4D1000-memory.dmp

Filesize
3.9MB

Download
memory/2912-2005-0x00007FF76D0E0000-0x00007FF76D4D1000-memory.dmp

Filesize
3.9MB

Download
memory/2972-2008-0x00007FF618070000-0x00007FF618461000-memory.dmp

Filesize
3.9MB

Download
memory/2972-332-0x00007FF618070000-0x00007FF618461000-memory.dmp

Filesize
3.9MB

Download
memory/3456-1961-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp

Filesize
3.9MB

Download
memory/3456-48-0x00007FF73CB10000-0x00007FF73CF01000-memory.dmp

Filesize
3.9MB

Download
memory/3660-1981-0x00007FF659840000-0x00007FF659C31000-memory.dmp

Filesize
3.9MB

Download
memory/3660-283-0x00007FF659840000-0x00007FF659C31000-memory.dmp

Filesize
3.9MB

Download
memory/3864-1926-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp

Filesize
3.9MB

Download
memory/3864-1969-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp

Filesize
3.9MB

Download
memory/3864-40-0x00007FF6CDE00000-0x00007FF6CE1F1000-memory.dmp

Filesize
3.9MB

Download
memory/3896-307-0x00007FF6D19E0000-0x00007FF6D1DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3896-1991-0x00007FF6D19E0000-0x00007FF6D1DD1000-memory.dmp

Filesize
3.9MB

Download
memory/4348-2001-0x00007FF6D89B0000-0x00007FF6D8DA1000-memory.dmp

Filesize
3.9MB

Download
memory/4348-311-0x00007FF6D89B0000-0x00007FF6D8DA1000-memory.dmp

Filesize
3.9MB

Download
memory/4532-342-0x00007FF7FA1A0000-0x00007FF7FA591000-memory.dmp

Filesize
3.9MB

Download
memory/4532-1977-0x00007FF7FA1A0000-0x00007FF7FA591000-memory.dmp

Filesize
3.9MB

Download
memory/4536-1995-0x00007FF6EE3E0000-0x00007FF6EE7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4536-319-0x00007FF6EE3E0000-0x00007FF6EE7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-50-0x00007FF7E23C0000-0x00007FF7E27B1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-1973-0x00007FF7E23C0000-0x00007FF7E27B1000-memory.dmp

Filesize
3.9MB

Download
memory/4912-299-0x00007FF6BD600000-0x00007FF6BD9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4912-1987-0x00007FF6BD600000-0x00007FF6BD9F1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-1985-0x00007FF733740000-0x00007FF733B31000-memory.dmp

Filesize
3.9MB

Download
memory/4952-297-0x00007FF733740000-0x00007FF733B31000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads