xmrig | 9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 05:06

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
Size

1.6MB
MD5

89a284a7e59f3189befa88b9ad13f820
SHA1

68e36e012f0144185d5ab7d9a41eae25b614301a
SHA256

9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3
SHA512

47e9c0000ba8bf86ca2c8c10e5846f5df62434d4912992a36c1cb0cc032f08b67d0c6dbf3f133670fc618170b8ce5af4a11c78f7443a337119b9b178bc99fb84
SSDEEP

49152:Lz071uv4BPMkyW10/wKV7hjSe5CtAlM22Cd:NAB0

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12604 created 1532	12604	WerFaultSecure.exe	80

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 25 IoCs

miner

resource	yara_rule
behavioral2/memory/3948-78-0x00007FF610DA0000-0x00007FF611192000-memory.dmp	xmrig
behavioral2/memory/396-87-0x00007FF7EAB40000-0x00007FF7EAF32000-memory.dmp	xmrig
behavioral2/memory/1416-170-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp	xmrig
behavioral2/memory/5020-511-0x00007FF797A00000-0x00007FF797DF2000-memory.dmp	xmrig
behavioral2/memory/3876-510-0x00007FF701710000-0x00007FF701B02000-memory.dmp	xmrig
behavioral2/memory/1504-172-0x00007FF66CCB0000-0x00007FF66D0A2000-memory.dmp	xmrig
behavioral2/memory/1232-171-0x00007FF6D26A0000-0x00007FF6D2A92000-memory.dmp	xmrig
behavioral2/memory/1316-164-0x00007FF7B4AE0000-0x00007FF7B4ED2000-memory.dmp	xmrig
behavioral2/memory/2960-163-0x00007FF7BBC80000-0x00007FF7BC072000-memory.dmp	xmrig
behavioral2/memory/3204-162-0x00007FF634310000-0x00007FF634702000-memory.dmp	xmrig
behavioral2/memory/2064-155-0x00007FF7136D0000-0x00007FF713AC2000-memory.dmp	xmrig
behavioral2/memory/4360-137-0x00007FF6AE0D0000-0x00007FF6AE4C2000-memory.dmp	xmrig
behavioral2/memory/4228-136-0x00007FF77E5D0000-0x00007FF77E9C2000-memory.dmp	xmrig
behavioral2/memory/3636-88-0x00007FF7B8710000-0x00007FF7B8B02000-memory.dmp	xmrig
behavioral2/memory/1272-72-0x00007FF71B350000-0x00007FF71B742000-memory.dmp	xmrig
behavioral2/memory/1416-67-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp	xmrig
behavioral2/memory/1036-35-0x00007FF6F1510000-0x00007FF6F1902000-memory.dmp	xmrig
behavioral2/memory/1872-26-0x00007FF78BEE0000-0x00007FF78C2D2000-memory.dmp	xmrig
behavioral2/memory/2060-524-0x00007FF6B4130000-0x00007FF6B4522000-memory.dmp	xmrig
behavioral2/memory/3592-700-0x00007FF794680000-0x00007FF794A72000-memory.dmp	xmrig
behavioral2/memory/2540-1707-0x00007FF69A8F0000-0x00007FF69ACE2000-memory.dmp	xmrig
behavioral2/memory/4412-1802-0x00007FF731DB0000-0x00007FF7321A2000-memory.dmp	xmrig
behavioral2/memory/3712-1801-0x00007FF7E9E80000-0x00007FF7EA272000-memory.dmp	xmrig
behavioral2/memory/3420-2033-0x00007FF6BC730000-0x00007FF6BCB22000-memory.dmp	xmrig
behavioral2/memory/5004-2156-0x00007FF7FA270000-0x00007FF7FA662000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	2768	powershell.exe
11	2768	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4360	mdOYWmn.exe
1872	uXBrPkb.exe
2064	dkYJbsD.exe
1036	EBRktwf.exe
3204	jySrLQH.exe
1272	syJvrDb.exe
2960	aQMwBVJ.exe
1316	ZzCYKyw.exe
1416	FnlqFad.exe
3948	FdBiXsP.exe
396	yKAquHk.exe
3636	wfFuQUB.exe
1504	sKXhPVb.exe
5020	oLrSFMO.exe
3876	RRvzwZQ.exe
2060	AXlAgBI.exe
3592	NrYorKd.exe
2540	esvHiCP.exe
3712	NXiNwZs.exe
4412	aTUTAjq.exe
3956	voukNve.exe
3420	AEsYoAG.exe
5004	aYpNnyo.exe
1232	dphgpIc.exe
3852	FPoBmGy.exe
2504	tYyRcXQ.exe
1668	NYWUuSy.exe
436	nHqSgbI.exe
4828	JxBmvBv.exe
872	hgdvLQv.exe
2484	EyKQRTV.exe
3784	BvSAIZd.exe
3596	XDDsHMZ.exe
1812	uZFrXnM.exe
368	MIojMFY.exe
2964	bZFJjIh.exe
4368	DkpCDGZ.exe
2372	zzAJmDS.exe
2272	QOXLBEx.exe
4280	xtxoIkF.exe
5008	FecjSrf.exe
2652	tplcxiM.exe
3004	qRAzIem.exe
4076	tHAdcTj.exe
4792	ErqKmyw.exe
452	tcoayFj.exe
1496	ukPznCE.exe
4420	TUSKPTU.exe
2508	lLGYdXI.exe
4512	EAwAUnk.exe
2848	sofUIFG.exe
392	CKCpnYl.exe
4636	uKxMGmP.exe
4440	uTQZMSJ.exe
1004	oDCRJVR.exe
4688	yhhCYEa.exe
1460	CFvidxf.exe
4568	YbOpnwv.exe
4124	kqRHHwW.exe
4960	eORVKJG.exe
2492	NoslPxM.exe
1648	RjURSRr.exe
1312	ZVwAPMX.exe
4676	oIfiRCI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4228-0-0x00007FF77E5D0000-0x00007FF77E9C2000-memory.dmp	upx
behavioral2/files/0x000700000002345d-7.dat	upx
behavioral2/memory/4360-10-0x00007FF6AE0D0000-0x00007FF6AE4C2000-memory.dmp	upx
behavioral2/files/0x0008000000023458-13.dat	upx
behavioral2/files/0x000700000002345e-19.dat	upx
behavioral2/files/0x000700000002345f-37.dat	upx
behavioral2/files/0x0007000000023463-44.dat	upx
behavioral2/files/0x0007000000023465-57.dat	upx
behavioral2/memory/1316-59-0x00007FF7B4AE0000-0x00007FF7B4ED2000-memory.dmp	upx
behavioral2/files/0x0007000000023464-70.dat	upx
behavioral2/files/0x0007000000023466-75.dat	upx
behavioral2/memory/3948-78-0x00007FF610DA0000-0x00007FF611192000-memory.dmp	upx
behavioral2/memory/396-87-0x00007FF7EAB40000-0x00007FF7EAF32000-memory.dmp	upx
behavioral2/memory/5020-98-0x00007FF797A00000-0x00007FF797DF2000-memory.dmp	upx
behavioral2/memory/3592-102-0x00007FF794680000-0x00007FF794A72000-memory.dmp	upx
behavioral2/files/0x000700000002346c-109.dat	upx
behavioral2/memory/4412-135-0x00007FF731DB0000-0x00007FF7321A2000-memory.dmp	upx
behavioral2/files/0x000700000002346e-144.dat	upx
behavioral2/files/0x0007000000023472-152.dat	upx
behavioral2/memory/1416-170-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp	upx
behavioral2/files/0x0007000000023475-180.dat	upx
behavioral2/files/0x0007000000023478-203.dat	upx
behavioral2/memory/5020-511-0x00007FF797A00000-0x00007FF797DF2000-memory.dmp	upx
behavioral2/memory/3876-510-0x00007FF701710000-0x00007FF701B02000-memory.dmp	upx
behavioral2/files/0x000700000002347a-205.dat	upx
behavioral2/files/0x0007000000023479-200.dat	upx
behavioral2/files/0x0007000000023477-198.dat	upx
behavioral2/files/0x0007000000023476-193.dat	upx
behavioral2/files/0x000800000002346f-183.dat	upx
behavioral2/files/0x0007000000023474-178.dat	upx
behavioral2/files/0x0007000000023473-173.dat	upx
behavioral2/memory/1504-172-0x00007FF66CCB0000-0x00007FF66D0A2000-memory.dmp	upx
behavioral2/memory/1232-171-0x00007FF6D26A0000-0x00007FF6D2A92000-memory.dmp	upx
behavioral2/memory/1316-164-0x00007FF7B4AE0000-0x00007FF7B4ED2000-memory.dmp	upx
behavioral2/memory/2960-163-0x00007FF7BBC80000-0x00007FF7BC072000-memory.dmp	upx
behavioral2/memory/3204-162-0x00007FF634310000-0x00007FF634702000-memory.dmp	upx
behavioral2/files/0x0008000000023470-157.dat	upx
behavioral2/memory/5004-156-0x00007FF7FA270000-0x00007FF7FA662000-memory.dmp	upx
behavioral2/memory/2064-155-0x00007FF7136D0000-0x00007FF713AC2000-memory.dmp	upx
behavioral2/files/0x0007000000023471-150.dat	upx
behavioral2/memory/3420-149-0x00007FF6BC730000-0x00007FF6BCB22000-memory.dmp	upx
behavioral2/memory/3956-143-0x00007FF7F5850000-0x00007FF7F5C42000-memory.dmp	upx
behavioral2/files/0x000700000002346d-138.dat	upx
behavioral2/memory/4360-137-0x00007FF6AE0D0000-0x00007FF6AE4C2000-memory.dmp	upx
behavioral2/memory/4228-136-0x00007FF77E5D0000-0x00007FF77E9C2000-memory.dmp	upx
behavioral2/files/0x0008000000023459-130.dat	upx
behavioral2/memory/3712-116-0x00007FF7E9E80000-0x00007FF7EA272000-memory.dmp	upx
behavioral2/files/0x000700000002346b-107.dat	upx
behavioral2/memory/2540-106-0x00007FF69A8F0000-0x00007FF69ACE2000-memory.dmp	upx
behavioral2/files/0x000700000002346a-104.dat	upx
behavioral2/memory/2060-99-0x00007FF6B4130000-0x00007FF6B4522000-memory.dmp	upx
behavioral2/files/0x0007000000023469-94.dat	upx
behavioral2/memory/3876-93-0x00007FF701710000-0x00007FF701B02000-memory.dmp	upx
behavioral2/files/0x0007000000023468-89.dat	upx
behavioral2/memory/3636-88-0x00007FF7B8710000-0x00007FF7B8B02000-memory.dmp	upx
behavioral2/files/0x0007000000023467-81.dat	upx
behavioral2/memory/1272-72-0x00007FF71B350000-0x00007FF71B742000-memory.dmp	upx
behavioral2/memory/1504-68-0x00007FF66CCB0000-0x00007FF66D0A2000-memory.dmp	upx
behavioral2/memory/1416-67-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp	upx
behavioral2/memory/2960-55-0x00007FF7BBC80000-0x00007FF7BC072000-memory.dmp	upx
behavioral2/files/0x0007000000023462-50.dat	upx
behavioral2/files/0x0007000000023461-49.dat	upx
behavioral2/files/0x0007000000023460-47.dat	upx
behavioral2/memory/3204-43-0x00007FF634310000-0x00007FF634702000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\mWnccHX.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\DeljxnF.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\clxmoHz.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\nkfHpgD.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\BRlYIUl.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\vsnPzZF.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\HwZNzJg.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\BEEWUIn.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\MMFaciH.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\uIWIEPM.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\IdRaSxe.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\HWqGlBm.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ClLMKAT.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\HpmsUbl.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\uVTLKhe.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\kZOgNCz.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\jySrLQH.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\QsmbqFi.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\zJTzCaG.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ypDQXXq.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\lgXHugi.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\KLEGWVj.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\nOnpAym.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\LduKntQ.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\OABrMFz.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\jnRtWiY.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\lvBSHqW.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\mkSPAuz.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\POMblxT.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ebxKqYq.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\REdXUZf.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\qPkyjDi.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\kgTgvCR.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\dgwmKfW.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\XNpXQMr.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\qzAZryQ.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\dgKLFii.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\qBNTosh.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\zeLtEuG.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\NeKKWBc.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\xaAZuKw.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\yixAMHO.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\WHamMIy.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\nUYjftv.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\BaQePKM.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\vtCtxzc.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\xLjOWSN.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\GEwGrdO.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\syJvrDb.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\PemZUWK.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\cZkqxjR.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\KlCUEMm.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ZjISgeb.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\MyARwXY.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\dkYJbsD.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\GMwAvzq.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\cxPCsaJ.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ucXdkKY.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\ISqMfwL.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\FQTxvKm.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\EAwAUnk.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\NpylfAx.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\icXCOCC.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
File created	C:\Windows\System\DguOZDo.exe	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
556	WerFaultSecure.exe
556	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
Token: SeLockMemoryPrivilege	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2768	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	83
PID 4228 wrote to memory of 2768	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	83
PID 4228 wrote to memory of 4360	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	84
PID 4228 wrote to memory of 4360	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	84
PID 4228 wrote to memory of 2064	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	85
PID 4228 wrote to memory of 2064	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	85
PID 4228 wrote to memory of 1872	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	86
PID 4228 wrote to memory of 1872	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	86
PID 4228 wrote to memory of 1036	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	87
PID 4228 wrote to memory of 1036	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	87
PID 4228 wrote to memory of 3204	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	88
PID 4228 wrote to memory of 3204	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	88
PID 4228 wrote to memory of 1272	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	89
PID 4228 wrote to memory of 1272	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	89
PID 4228 wrote to memory of 2960	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	90
PID 4228 wrote to memory of 2960	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	90
PID 4228 wrote to memory of 1316	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	91
PID 4228 wrote to memory of 1316	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	91
PID 4228 wrote to memory of 1416	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	92
PID 4228 wrote to memory of 1416	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	92
PID 4228 wrote to memory of 3948	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	93
PID 4228 wrote to memory of 3948	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	93
PID 4228 wrote to memory of 396	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	94
PID 4228 wrote to memory of 396	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	94
PID 4228 wrote to memory of 3636	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	95
PID 4228 wrote to memory of 3636	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	95
PID 4228 wrote to memory of 1504	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	96
PID 4228 wrote to memory of 1504	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	96
PID 4228 wrote to memory of 3876	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	97
PID 4228 wrote to memory of 3876	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	97
PID 4228 wrote to memory of 5020	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	98
PID 4228 wrote to memory of 5020	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	98
PID 4228 wrote to memory of 2060	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	99
PID 4228 wrote to memory of 2060	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	99
PID 4228 wrote to memory of 3592	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	100
PID 4228 wrote to memory of 3592	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	100
PID 4228 wrote to memory of 2540	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	101
PID 4228 wrote to memory of 2540	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	101
PID 4228 wrote to memory of 3712	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	102
PID 4228 wrote to memory of 3712	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	102
PID 4228 wrote to memory of 4412	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	103
PID 4228 wrote to memory of 4412	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	103
PID 4228 wrote to memory of 3956	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	104
PID 4228 wrote to memory of 3956	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	104
PID 4228 wrote to memory of 3420	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	105
PID 4228 wrote to memory of 3420	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	105
PID 4228 wrote to memory of 5004	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	106
PID 4228 wrote to memory of 5004	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	106
PID 4228 wrote to memory of 1232	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	107
PID 4228 wrote to memory of 1232	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	107
PID 4228 wrote to memory of 3852	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	108
PID 4228 wrote to memory of 3852	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	108
PID 4228 wrote to memory of 2504	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	109
PID 4228 wrote to memory of 2504	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	109
PID 4228 wrote to memory of 1668	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	110
PID 4228 wrote to memory of 1668	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	110
PID 4228 wrote to memory of 436	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	111
PID 4228 wrote to memory of 436	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	111
PID 4228 wrote to memory of 4828	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	112
PID 4228 wrote to memory of 4828	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	112
PID 4228 wrote to memory of 872	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	113
PID 4228 wrote to memory of 872	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	113
PID 4228 wrote to memory of 2484	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	114
PID 4228 wrote to memory of 2484	4228	9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe	114

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:1532
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 1532 -s 1740
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:556

C:\Users\Admin\AppData\Local\Temp\9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe
"C:\Users\Admin\AppData\Local\Temp\9866e1f61fb1b38d92fd0a24bb9451f1790c48b288e0ed081b8b408f587555c3N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2768" "2972" "2904" "2976" "0" "0" "2980" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12556
- C:\Windows\System\mdOYWmn.exe
  C:\Windows\System\mdOYWmn.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\dkYJbsD.exe
  C:\Windows\System\dkYJbsD.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\uXBrPkb.exe
  C:\Windows\System\uXBrPkb.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\EBRktwf.exe
  C:\Windows\System\EBRktwf.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\jySrLQH.exe
  C:\Windows\System\jySrLQH.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\syJvrDb.exe
  C:\Windows\System\syJvrDb.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\aQMwBVJ.exe
  C:\Windows\System\aQMwBVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\ZzCYKyw.exe
  C:\Windows\System\ZzCYKyw.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\FnlqFad.exe
  C:\Windows\System\FnlqFad.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\FdBiXsP.exe
  C:\Windows\System\FdBiXsP.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\yKAquHk.exe
  C:\Windows\System\yKAquHk.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\wfFuQUB.exe
  C:\Windows\System\wfFuQUB.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\sKXhPVb.exe
  C:\Windows\System\sKXhPVb.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\RRvzwZQ.exe
  C:\Windows\System\RRvzwZQ.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\oLrSFMO.exe
  C:\Windows\System\oLrSFMO.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\AXlAgBI.exe
  C:\Windows\System\AXlAgBI.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\NrYorKd.exe
  C:\Windows\System\NrYorKd.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\esvHiCP.exe
  C:\Windows\System\esvHiCP.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\NXiNwZs.exe
  C:\Windows\System\NXiNwZs.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\aTUTAjq.exe
  C:\Windows\System\aTUTAjq.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\voukNve.exe
  C:\Windows\System\voukNve.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\AEsYoAG.exe
  C:\Windows\System\AEsYoAG.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\aYpNnyo.exe
  C:\Windows\System\aYpNnyo.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\dphgpIc.exe
  C:\Windows\System\dphgpIc.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\FPoBmGy.exe
  C:\Windows\System\FPoBmGy.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\tYyRcXQ.exe
  C:\Windows\System\tYyRcXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\NYWUuSy.exe
  C:\Windows\System\NYWUuSy.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\nHqSgbI.exe
  C:\Windows\System\nHqSgbI.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\JxBmvBv.exe
  C:\Windows\System\JxBmvBv.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\hgdvLQv.exe
  C:\Windows\System\hgdvLQv.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\EyKQRTV.exe
  C:\Windows\System\EyKQRTV.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\BvSAIZd.exe
  C:\Windows\System\BvSAIZd.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\XDDsHMZ.exe
  C:\Windows\System\XDDsHMZ.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\uZFrXnM.exe
  C:\Windows\System\uZFrXnM.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\MIojMFY.exe
  C:\Windows\System\MIojMFY.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\bZFJjIh.exe
  C:\Windows\System\bZFJjIh.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\DkpCDGZ.exe
  C:\Windows\System\DkpCDGZ.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\zzAJmDS.exe
  C:\Windows\System\zzAJmDS.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\QOXLBEx.exe
  C:\Windows\System\QOXLBEx.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\xtxoIkF.exe
  C:\Windows\System\xtxoIkF.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\FecjSrf.exe
  C:\Windows\System\FecjSrf.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\tplcxiM.exe
  C:\Windows\System\tplcxiM.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\qRAzIem.exe
  C:\Windows\System\qRAzIem.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\tHAdcTj.exe
  C:\Windows\System\tHAdcTj.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\ErqKmyw.exe
  C:\Windows\System\ErqKmyw.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\tcoayFj.exe
  C:\Windows\System\tcoayFj.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\ukPznCE.exe
  C:\Windows\System\ukPznCE.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\TUSKPTU.exe
  C:\Windows\System\TUSKPTU.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\lLGYdXI.exe
  C:\Windows\System\lLGYdXI.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\EAwAUnk.exe
  C:\Windows\System\EAwAUnk.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\sofUIFG.exe
  C:\Windows\System\sofUIFG.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\CKCpnYl.exe
  C:\Windows\System\CKCpnYl.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\uKxMGmP.exe
  C:\Windows\System\uKxMGmP.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\uTQZMSJ.exe
  C:\Windows\System\uTQZMSJ.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\oDCRJVR.exe
  C:\Windows\System\oDCRJVR.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\yhhCYEa.exe
  C:\Windows\System\yhhCYEa.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\CFvidxf.exe
  C:\Windows\System\CFvidxf.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\YbOpnwv.exe
  C:\Windows\System\YbOpnwv.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\kqRHHwW.exe
  C:\Windows\System\kqRHHwW.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\eORVKJG.exe
  C:\Windows\System\eORVKJG.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\NoslPxM.exe
  C:\Windows\System\NoslPxM.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\RjURSRr.exe
  C:\Windows\System\RjURSRr.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\ZVwAPMX.exe
  C:\Windows\System\ZVwAPMX.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\oIfiRCI.exe
  C:\Windows\System\oIfiRCI.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\cboZKoR.exe
  C:\Windows\System\cboZKoR.exe
  2⤵
  PID:4388
- C:\Windows\System\ZBjXYJd.exe
  C:\Windows\System\ZBjXYJd.exe
  2⤵
  PID:5152
- C:\Windows\System\YzxwZLS.exe
  C:\Windows\System\YzxwZLS.exe
  2⤵
  PID:5180
- C:\Windows\System\ayhbfnJ.exe
  C:\Windows\System\ayhbfnJ.exe
  2⤵
  PID:5212
- C:\Windows\System\UKRSWWK.exe
  C:\Windows\System\UKRSWWK.exe
  2⤵
  PID:5240
- C:\Windows\System\lpfzfAv.exe
  C:\Windows\System\lpfzfAv.exe
  2⤵
  PID:5264
- C:\Windows\System\cMuZvHG.exe
  C:\Windows\System\cMuZvHG.exe
  2⤵
  PID:5296
- C:\Windows\System\mKgvovS.exe
  C:\Windows\System\mKgvovS.exe
  2⤵
  PID:5324
- C:\Windows\System\pXFhRrU.exe
  C:\Windows\System\pXFhRrU.exe
  2⤵
  PID:5352
- C:\Windows\System\QBxUZDu.exe
  C:\Windows\System\QBxUZDu.exe
  2⤵
  PID:5380
- C:\Windows\System\qZpgZev.exe
  C:\Windows\System\qZpgZev.exe
  2⤵
  PID:5404
- C:\Windows\System\kjuIxkf.exe
  C:\Windows\System\kjuIxkf.exe
  2⤵
  PID:5436
- C:\Windows\System\yNOkJyp.exe
  C:\Windows\System\yNOkJyp.exe
  2⤵
  PID:5464
- C:\Windows\System\vyuPCQp.exe
  C:\Windows\System\vyuPCQp.exe
  2⤵
  PID:5496
- C:\Windows\System\OABrMFz.exe
  C:\Windows\System\OABrMFz.exe
  2⤵
  PID:5524
- C:\Windows\System\VXOXLnV.exe
  C:\Windows\System\VXOXLnV.exe
  2⤵
  PID:5552
- C:\Windows\System\zLSbyrH.exe
  C:\Windows\System\zLSbyrH.exe
  2⤵
  PID:5580
- C:\Windows\System\tIBTRZX.exe
  C:\Windows\System\tIBTRZX.exe
  2⤵
  PID:5612
- C:\Windows\System\EUIGWRL.exe
  C:\Windows\System\EUIGWRL.exe
  2⤵
  PID:5640
- C:\Windows\System\jsiaDIQ.exe
  C:\Windows\System\jsiaDIQ.exe
  2⤵
  PID:5672
- C:\Windows\System\hOLVkgW.exe
  C:\Windows\System\hOLVkgW.exe
  2⤵
  PID:5696
- C:\Windows\System\NpylfAx.exe
  C:\Windows\System\NpylfAx.exe
  2⤵
  PID:5724
- C:\Windows\System\ylsAVfV.exe
  C:\Windows\System\ylsAVfV.exe
  2⤵
  PID:5756
- C:\Windows\System\RTjVYLM.exe
  C:\Windows\System\RTjVYLM.exe
  2⤵
  PID:5784
- C:\Windows\System\hXpKpqp.exe
  C:\Windows\System\hXpKpqp.exe
  2⤵
  PID:5816
- C:\Windows\System\gwLStSZ.exe
  C:\Windows\System\gwLStSZ.exe
  2⤵
  PID:5840
- C:\Windows\System\qzAZryQ.exe
  C:\Windows\System\qzAZryQ.exe
  2⤵
  PID:5868
- C:\Windows\System\hsNTkWr.exe
  C:\Windows\System\hsNTkWr.exe
  2⤵
  PID:5896
- C:\Windows\System\OLDcWhP.exe
  C:\Windows\System\OLDcWhP.exe
  2⤵
  PID:5924
- C:\Windows\System\QHyKGiM.exe
  C:\Windows\System\QHyKGiM.exe
  2⤵
  PID:5948
- C:\Windows\System\GpZezkE.exe
  C:\Windows\System\GpZezkE.exe
  2⤵
  PID:5976
- C:\Windows\System\YWxAcxz.exe
  C:\Windows\System\YWxAcxz.exe
  2⤵
  PID:6004
- C:\Windows\System\UgdDbKA.exe
  C:\Windows\System\UgdDbKA.exe
  2⤵
  PID:6032
- C:\Windows\System\OLIrSUX.exe
  C:\Windows\System\OLIrSUX.exe
  2⤵
  PID:6060
- C:\Windows\System\WYpKrxN.exe
  C:\Windows\System\WYpKrxN.exe
  2⤵
  PID:6088
- C:\Windows\System\dpUeFEj.exe
  C:\Windows\System\dpUeFEj.exe
  2⤵
  PID:6116
- C:\Windows\System\FuaShjs.exe
  C:\Windows\System\FuaShjs.exe
  2⤵
  PID:956
- C:\Windows\System\OlVeKsi.exe
  C:\Windows\System\OlVeKsi.exe
  2⤵
  PID:740
- C:\Windows\System\HorHlvI.exe
  C:\Windows\System\HorHlvI.exe
  2⤵
  PID:3732
- C:\Windows\System\icXCOCC.exe
  C:\Windows\System\icXCOCC.exe
  2⤵
  PID:2424
- C:\Windows\System\VPqdTtp.exe
  C:\Windows\System\VPqdTtp.exe
  2⤵
  PID:4712
- C:\Windows\System\GjYiODW.exe
  C:\Windows\System\GjYiODW.exe
  2⤵
  PID:1408
- C:\Windows\System\dWYddME.exe
  C:\Windows\System\dWYddME.exe
  2⤵
  PID:5144
- C:\Windows\System\aovPbos.exe
  C:\Windows\System\aovPbos.exe
  2⤵
  PID:5224
- C:\Windows\System\POAYNYI.exe
  C:\Windows\System\POAYNYI.exe
  2⤵
  PID:5284
- C:\Windows\System\IdRaSxe.exe
  C:\Windows\System\IdRaSxe.exe
  2⤵
  PID:5340
- C:\Windows\System\zYJtCMF.exe
  C:\Windows\System\zYJtCMF.exe
  2⤵
  PID:5400
- C:\Windows\System\juONZso.exe
  C:\Windows\System\juONZso.exe
  2⤵
  PID:5484
- C:\Windows\System\yXYgIcK.exe
  C:\Windows\System\yXYgIcK.exe
  2⤵
  PID:5544
- C:\Windows\System\TsnKsom.exe
  C:\Windows\System\TsnKsom.exe
  2⤵
  PID:3236
- C:\Windows\System\XpNDnui.exe
  C:\Windows\System\XpNDnui.exe
  2⤵
  PID:5660
- C:\Windows\System\GSUZiEY.exe
  C:\Windows\System\GSUZiEY.exe
  2⤵
  PID:5712
- C:\Windows\System\rycEMhf.exe
  C:\Windows\System\rycEMhf.exe
  2⤵
  PID:5744
- C:\Windows\System\GLKQPOB.exe
  C:\Windows\System\GLKQPOB.exe
  2⤵
  PID:5804
- C:\Windows\System\QMfQJwd.exe
  C:\Windows\System\QMfQJwd.exe
  2⤵
  PID:5860
- C:\Windows\System\erbFcxj.exe
  C:\Windows\System\erbFcxj.exe
  2⤵
  PID:5916
- C:\Windows\System\cFyrqDd.exe
  C:\Windows\System\cFyrqDd.exe
  2⤵
  PID:5972
- C:\Windows\System\hJJneqM.exe
  C:\Windows\System\hJJneqM.exe
  2⤵
  PID:6056
- C:\Windows\System\zUCJXjE.exe
  C:\Windows\System\zUCJXjE.exe
  2⤵
  PID:6104
- C:\Windows\System\hzKixif.exe
  C:\Windows\System\hzKixif.exe
  2⤵
  PID:2828
- C:\Windows\System\PemZUWK.exe
  C:\Windows\System\PemZUWK.exe
  2⤵
  PID:3188
- C:\Windows\System\mMyPqRK.exe
  C:\Windows\System\mMyPqRK.exe
  2⤵
  PID:788
- C:\Windows\System\nbusNtb.exe
  C:\Windows\System\nbusNtb.exe
  2⤵
  PID:5204
- C:\Windows\System\yQlWEiR.exe
  C:\Windows\System\yQlWEiR.exe
  2⤵
  PID:1572
- C:\Windows\System\jnRtWiY.exe
  C:\Windows\System\jnRtWiY.exe
  2⤵
  PID:5516
- C:\Windows\System\dOjJsDf.exe
  C:\Windows\System\dOjJsDf.exe
  2⤵
  PID:5624
- C:\Windows\System\ivHVikc.exe
  C:\Windows\System\ivHVikc.exe
  2⤵
  PID:3200
- C:\Windows\System\zpPFZCL.exe
  C:\Windows\System\zpPFZCL.exe
  2⤵
  PID:5800
- C:\Windows\System\ULMujlB.exe
  C:\Windows\System\ULMujlB.exe
  2⤵
  PID:1172
- C:\Windows\System\sSUlvtA.exe
  C:\Windows\System\sSUlvtA.exe
  2⤵
  PID:6024
- C:\Windows\System\cvvENHE.exe
  C:\Windows\System\cvvENHE.exe
  2⤵
  PID:1064
- C:\Windows\System\ChnHDlI.exe
  C:\Windows\System\ChnHDlI.exe
  2⤵
  PID:5316
- C:\Windows\System\aVozcvV.exe
  C:\Windows\System\aVozcvV.exe
  2⤵
  PID:5460
- C:\Windows\System\DguOZDo.exe
  C:\Windows\System\DguOZDo.exe
  2⤵
  PID:5576
- C:\Windows\System\cZkqxjR.exe
  C:\Windows\System\cZkqxjR.exe
  2⤵
  PID:1224
- C:\Windows\System\TmKlmGS.exe
  C:\Windows\System\TmKlmGS.exe
  2⤵
  PID:3588
- C:\Windows\System\ZIRQloz.exe
  C:\Windows\System\ZIRQloz.exe
  2⤵
  PID:2248
- C:\Windows\System\vXByNyL.exe
  C:\Windows\System\vXByNyL.exe
  2⤵
  PID:5024
- C:\Windows\System\CjWKPaI.exe
  C:\Windows\System\CjWKPaI.exe
  2⤵
  PID:2644
- C:\Windows\System\vwsyxng.exe
  C:\Windows\System\vwsyxng.exe
  2⤵
  PID:784
- C:\Windows\System\rOIxmMh.exe
  C:\Windows\System\rOIxmMh.exe
  2⤵
  PID:2572
- C:\Windows\System\gwQYibv.exe
  C:\Windows\System\gwQYibv.exe
  2⤵
  PID:1012
- C:\Windows\System\HdjnWYh.exe
  C:\Windows\System\HdjnWYh.exe
  2⤵
  PID:2176
- C:\Windows\System\DUYTOUM.exe
  C:\Windows\System\DUYTOUM.exe
  2⤵
  PID:776
- C:\Windows\System\olpmedR.exe
  C:\Windows\System\olpmedR.exe
  2⤵
  PID:1308
- C:\Windows\System\hNkZuIS.exe
  C:\Windows\System\hNkZuIS.exe
  2⤵
  PID:5092
- C:\Windows\System\rfTWbwE.exe
  C:\Windows\System\rfTWbwE.exe
  2⤵
  PID:1796
- C:\Windows\System\RRxrBZg.exe
  C:\Windows\System\RRxrBZg.exe
  2⤵
  PID:2404
- C:\Windows\System\dgKLFii.exe
  C:\Windows\System\dgKLFii.exe
  2⤵
  PID:1760
- C:\Windows\System\wTQbkjO.exe
  C:\Windows\System\wTQbkjO.exe
  2⤵
  PID:4536
- C:\Windows\System\jHXnCLp.exe
  C:\Windows\System\jHXnCLp.exe
  2⤵
  PID:3036
- C:\Windows\System\BWTOJcu.exe
  C:\Windows\System\BWTOJcu.exe
  2⤵
  PID:3504
- C:\Windows\System\clxmoHz.exe
  C:\Windows\System\clxmoHz.exe
  2⤵
  PID:3496
- C:\Windows\System\KlCUEMm.exe
  C:\Windows\System\KlCUEMm.exe
  2⤵
  PID:3460
- C:\Windows\System\HSvXqzR.exe
  C:\Windows\System\HSvXqzR.exe
  2⤵
  PID:2388
- C:\Windows\System\sImUPgD.exe
  C:\Windows\System\sImUPgD.exe
  2⤵
  PID:2732
- C:\Windows\System\mHltrkz.exe
  C:\Windows\System\mHltrkz.exe
  2⤵
  PID:5136
- C:\Windows\System\GMwAvzq.exe
  C:\Windows\System\GMwAvzq.exe
  2⤵
  PID:2340
- C:\Windows\System\VAnqpqU.exe
  C:\Windows\System\VAnqpqU.exe
  2⤵
  PID:5908
- C:\Windows\System\xjuFPaW.exe
  C:\Windows\System\xjuFPaW.exe
  2⤵
  PID:2408
- C:\Windows\System\MAgaRhu.exe
  C:\Windows\System\MAgaRhu.exe
  2⤵
  PID:4900
- C:\Windows\System\kwydOAc.exe
  C:\Windows\System\kwydOAc.exe
  2⤵
  PID:5112
- C:\Windows\System\ILFWdNJ.exe
  C:\Windows\System\ILFWdNJ.exe
  2⤵
  PID:384
- C:\Windows\System\fCncrUN.exe
  C:\Windows\System\fCncrUN.exe
  2⤵
  PID:3252
- C:\Windows\System\QdSiVro.exe
  C:\Windows\System\QdSiVro.exe
  2⤵
  PID:1636
- C:\Windows\System\TMzleDD.exe
  C:\Windows\System\TMzleDD.exe
  2⤵
  PID:1964
- C:\Windows\System\IcJktYq.exe
  C:\Windows\System\IcJktYq.exe
  2⤵
  PID:5776
- C:\Windows\System\uYUjKFO.exe
  C:\Windows\System\uYUjKFO.exe
  2⤵
  PID:1524
- C:\Windows\System\FBsSOzb.exe
  C:\Windows\System\FBsSOzb.exe
  2⤵
  PID:744
- C:\Windows\System\BQdEfZj.exe
  C:\Windows\System\BQdEfZj.exe
  2⤵
  PID:1552
- C:\Windows\System\CpWpdEv.exe
  C:\Windows\System\CpWpdEv.exe
  2⤵
  PID:6028
- C:\Windows\System\SVudyWL.exe
  C:\Windows\System\SVudyWL.exe
  2⤵
  PID:636
- C:\Windows\System\OUNEfQh.exe
  C:\Windows\System\OUNEfQh.exe
  2⤵
  PID:5192
- C:\Windows\System\OYaVPCC.exe
  C:\Windows\System\OYaVPCC.exe
  2⤵
  PID:6156
- C:\Windows\System\ntNPwRG.exe
  C:\Windows\System\ntNPwRG.exe
  2⤵
  PID:6184
- C:\Windows\System\NQVwigM.exe
  C:\Windows\System\NQVwigM.exe
  2⤵
  PID:6200
- C:\Windows\System\MeBaFRN.exe
  C:\Windows\System\MeBaFRN.exe
  2⤵
  PID:6224
- C:\Windows\System\RFIheGz.exe
  C:\Windows\System\RFIheGz.exe
  2⤵
  PID:6272
- C:\Windows\System\vHLytHu.exe
  C:\Windows\System\vHLytHu.exe
  2⤵
  PID:6352
- C:\Windows\System\iZaCDrI.exe
  C:\Windows\System\iZaCDrI.exe
  2⤵
  PID:6396
- C:\Windows\System\AzxyQdQ.exe
  C:\Windows\System\AzxyQdQ.exe
  2⤵
  PID:6424
- C:\Windows\System\fmgEcRw.exe
  C:\Windows\System\fmgEcRw.exe
  2⤵
  PID:6440
- C:\Windows\System\qdrXazw.exe
  C:\Windows\System\qdrXazw.exe
  2⤵
  PID:6456
- C:\Windows\System\iSZYQKt.exe
  C:\Windows\System\iSZYQKt.exe
  2⤵
  PID:6472
- C:\Windows\System\wcpKWVa.exe
  C:\Windows\System\wcpKWVa.exe
  2⤵
  PID:6488
- C:\Windows\System\YSUUTAn.exe
  C:\Windows\System\YSUUTAn.exe
  2⤵
  PID:6504
- C:\Windows\System\iXkycws.exe
  C:\Windows\System\iXkycws.exe
  2⤵
  PID:6544
- C:\Windows\System\rJsjlnR.exe
  C:\Windows\System\rJsjlnR.exe
  2⤵
  PID:6572
- C:\Windows\System\tEdEGoF.exe
  C:\Windows\System\tEdEGoF.exe
  2⤵
  PID:6644
- C:\Windows\System\FPnBKCD.exe
  C:\Windows\System\FPnBKCD.exe
  2⤵
  PID:6664
- C:\Windows\System\hGGfYnZ.exe
  C:\Windows\System\hGGfYnZ.exe
  2⤵
  PID:6720
- C:\Windows\System\GyVlsdy.exe
  C:\Windows\System\GyVlsdy.exe
  2⤵
  PID:6744
- C:\Windows\System\lvBSHqW.exe
  C:\Windows\System\lvBSHqW.exe
  2⤵
  PID:6760
- C:\Windows\System\JUYCEZn.exe
  C:\Windows\System\JUYCEZn.exe
  2⤵
  PID:6784
- C:\Windows\System\GjPHPkD.exe
  C:\Windows\System\GjPHPkD.exe
  2⤵
  PID:6816
- C:\Windows\System\bfLopQQ.exe
  C:\Windows\System\bfLopQQ.exe
  2⤵
  PID:6832
- C:\Windows\System\mkSPAuz.exe
  C:\Windows\System\mkSPAuz.exe
  2⤵
  PID:6856
- C:\Windows\System\fjIdAxd.exe
  C:\Windows\System\fjIdAxd.exe
  2⤵
  PID:6900
- C:\Windows\System\ZjISgeb.exe
  C:\Windows\System\ZjISgeb.exe
  2⤵
  PID:6920
- C:\Windows\System\neaIXBi.exe
  C:\Windows\System\neaIXBi.exe
  2⤵
  PID:6940
- C:\Windows\System\PzGVXgw.exe
  C:\Windows\System\PzGVXgw.exe
  2⤵
  PID:6988
- C:\Windows\System\JjKIHbe.exe
  C:\Windows\System\JjKIHbe.exe
  2⤵
  PID:7020
- C:\Windows\System\gvrMHnm.exe
  C:\Windows\System\gvrMHnm.exe
  2⤵
  PID:7040
- C:\Windows\System\pwwKZxn.exe
  C:\Windows\System\pwwKZxn.exe
  2⤵
  PID:7072
- C:\Windows\System\lyEtBYs.exe
  C:\Windows\System\lyEtBYs.exe
  2⤵
  PID:7104
- C:\Windows\System\vUAdWSl.exe
  C:\Windows\System\vUAdWSl.exe
  2⤵
  PID:7120
- C:\Windows\System\HhvVFne.exe
  C:\Windows\System\HhvVFne.exe
  2⤵
  PID:7144
- C:\Windows\System\UZknpTg.exe
  C:\Windows\System\UZknpTg.exe
  2⤵
  PID:7164
- C:\Windows\System\POMblxT.exe
  C:\Windows\System\POMblxT.exe
  2⤵
  PID:4396
- C:\Windows\System\GJFwWbE.exe
  C:\Windows\System\GJFwWbE.exe
  2⤵
  PID:6236
- C:\Windows\System\fGNTBYn.exe
  C:\Windows\System\fGNTBYn.exe
  2⤵
  PID:6312
- C:\Windows\System\BqJOFYe.exe
  C:\Windows\System\BqJOFYe.exe
  2⤵
  PID:6380
- C:\Windows\System\CnKaYto.exe
  C:\Windows\System\CnKaYto.exe
  2⤵
  PID:6512
- C:\Windows\System\HWqGlBm.exe
  C:\Windows\System\HWqGlBm.exe
  2⤵
  PID:6556
- C:\Windows\System\IGHdPiB.exe
  C:\Windows\System\IGHdPiB.exe
  2⤵
  PID:6436
- C:\Windows\System\TNwsyfn.exe
  C:\Windows\System\TNwsyfn.exe
  2⤵
  PID:6448
- C:\Windows\System\xbNVjal.exe
  C:\Windows\System\xbNVjal.exe
  2⤵
  PID:6680
- C:\Windows\System\dPlUHOl.exe
  C:\Windows\System\dPlUHOl.exe
  2⤵
  PID:6800
- C:\Windows\System\dJUSkHe.exe
  C:\Windows\System\dJUSkHe.exe
  2⤵
  PID:6824
- C:\Windows\System\YabBPwr.exe
  C:\Windows\System\YabBPwr.exe
  2⤵
  PID:6876
- C:\Windows\System\vzxVkNo.exe
  C:\Windows\System\vzxVkNo.exe
  2⤵
  PID:7052
- C:\Windows\System\elZWiog.exe
  C:\Windows\System\elZWiog.exe
  2⤵
  PID:6996
- C:\Windows\System\rzrGwBj.exe
  C:\Windows\System\rzrGwBj.exe
  2⤵
  PID:7140
- C:\Windows\System\rGnXCRq.exe
  C:\Windows\System\rGnXCRq.exe
  2⤵
  PID:7152
- C:\Windows\System\jKTafxr.exe
  C:\Windows\System\jKTafxr.exe
  2⤵
  PID:6192
- C:\Windows\System\ISqMfwL.exe
  C:\Windows\System\ISqMfwL.exe
  2⤵
  PID:6412
- C:\Windows\System\nkfHpgD.exe
  C:\Windows\System\nkfHpgD.exe
  2⤵
  PID:6468
- C:\Windows\System\kAUnehb.exe
  C:\Windows\System\kAUnehb.exe
  2⤵
  PID:6716
- C:\Windows\System\sOSeadc.exe
  C:\Windows\System\sOSeadc.exe
  2⤵
  PID:6848
- C:\Windows\System\BJAYXgE.exe
  C:\Windows\System\BJAYXgE.exe
  2⤵
  PID:2184
- C:\Windows\System\nUYjftv.exe
  C:\Windows\System\nUYjftv.exe
  2⤵
  PID:6652
- C:\Windows\System\PxNClBF.exe
  C:\Windows\System\PxNClBF.exe
  2⤵
  PID:6384
- C:\Windows\System\oXKRlEh.exe
  C:\Windows\System\oXKRlEh.exe
  2⤵
  PID:6984
- C:\Windows\System\MYMFXsQ.exe
  C:\Windows\System\MYMFXsQ.exe
  2⤵
  PID:7176
- C:\Windows\System\PARAwxm.exe
  C:\Windows\System\PARAwxm.exe
  2⤵
  PID:7192
- C:\Windows\System\iiAZdTR.exe
  C:\Windows\System\iiAZdTR.exe
  2⤵
  PID:7208
- C:\Windows\System\jDhdXIN.exe
  C:\Windows\System\jDhdXIN.exe
  2⤵
  PID:7228
- C:\Windows\System\FQTxvKm.exe
  C:\Windows\System\FQTxvKm.exe
  2⤵
  PID:7244
- C:\Windows\System\aldHzKo.exe
  C:\Windows\System\aldHzKo.exe
  2⤵
  PID:7260
- C:\Windows\System\lgVFJrZ.exe
  C:\Windows\System\lgVFJrZ.exe
  2⤵
  PID:7280
- C:\Windows\System\hSWvrPf.exe
  C:\Windows\System\hSWvrPf.exe
  2⤵
  PID:7312
- C:\Windows\System\xlYNqhZ.exe
  C:\Windows\System\xlYNqhZ.exe
  2⤵
  PID:7380
- C:\Windows\System\vQbalRr.exe
  C:\Windows\System\vQbalRr.exe
  2⤵
  PID:7404
- C:\Windows\System\qmivrjg.exe
  C:\Windows\System\qmivrjg.exe
  2⤵
  PID:7460
- C:\Windows\System\aPmJGaR.exe
  C:\Windows\System\aPmJGaR.exe
  2⤵
  PID:7524
- C:\Windows\System\IbJXcnA.exe
  C:\Windows\System\IbJXcnA.exe
  2⤵
  PID:7544
- C:\Windows\System\RpyiWYM.exe
  C:\Windows\System\RpyiWYM.exe
  2⤵
  PID:7568
- C:\Windows\System\BaQePKM.exe
  C:\Windows\System\BaQePKM.exe
  2⤵
  PID:7596
- C:\Windows\System\idOnzxf.exe
  C:\Windows\System\idOnzxf.exe
  2⤵
  PID:7616
- C:\Windows\System\BRlYIUl.exe
  C:\Windows\System\BRlYIUl.exe
  2⤵
  PID:7632
- C:\Windows\System\sogPqQD.exe
  C:\Windows\System\sogPqQD.exe
  2⤵
  PID:7672
- C:\Windows\System\pAYsRyA.exe
  C:\Windows\System\pAYsRyA.exe
  2⤵
  PID:7720
- C:\Windows\System\RvoujVC.exe
  C:\Windows\System\RvoujVC.exe
  2⤵
  PID:7764
- C:\Windows\System\ZspkCoz.exe
  C:\Windows\System\ZspkCoz.exe
  2⤵
  PID:7788
- C:\Windows\System\HJGWFTx.exe
  C:\Windows\System\HJGWFTx.exe
  2⤵
  PID:7808
- C:\Windows\System\PsKYCfb.exe
  C:\Windows\System\PsKYCfb.exe
  2⤵
  PID:7832
- C:\Windows\System\qajjUxv.exe
  C:\Windows\System\qajjUxv.exe
  2⤵
  PID:7852
- C:\Windows\System\skbKYFi.exe
  C:\Windows\System\skbKYFi.exe
  2⤵
  PID:7876
- C:\Windows\System\uRqvFAb.exe
  C:\Windows\System\uRqvFAb.exe
  2⤵
  PID:7896
- C:\Windows\System\VJFFySM.exe
  C:\Windows\System\VJFFySM.exe
  2⤵
  PID:7920
- C:\Windows\System\cxPCsaJ.exe
  C:\Windows\System\cxPCsaJ.exe
  2⤵
  PID:7936
- C:\Windows\System\GCzpAtx.exe
  C:\Windows\System\GCzpAtx.exe
  2⤵
  PID:7964
- C:\Windows\System\iydVtKb.exe
  C:\Windows\System\iydVtKb.exe
  2⤵
  PID:7984
- C:\Windows\System\qYMGgno.exe
  C:\Windows\System\qYMGgno.exe
  2⤵
  PID:8032
- C:\Windows\System\KFAzwWk.exe
  C:\Windows\System\KFAzwWk.exe
  2⤵
  PID:8048
- C:\Windows\System\NIKUKca.exe
  C:\Windows\System\NIKUKca.exe
  2⤵
  PID:8072
- C:\Windows\System\YECQGHq.exe
  C:\Windows\System\YECQGHq.exe
  2⤵
  PID:8104
- C:\Windows\System\LIkWLsp.exe
  C:\Windows\System\LIkWLsp.exe
  2⤵
  PID:8124
- C:\Windows\System\GzkAkkl.exe
  C:\Windows\System\GzkAkkl.exe
  2⤵
  PID:8144
- C:\Windows\System\zQVHHjS.exe
  C:\Windows\System\zQVHHjS.exe
  2⤵
  PID:8188
- C:\Windows\System\mpgYBVC.exe
  C:\Windows\System\mpgYBVC.exe
  2⤵
  PID:6932
- C:\Windows\System\MTgWdvi.exe
  C:\Windows\System\MTgWdvi.exe
  2⤵
  PID:6620
- C:\Windows\System\ScEazad.exe
  C:\Windows\System\ScEazad.exe
  2⤵
  PID:7200
- C:\Windows\System\mcBNhKu.exe
  C:\Windows\System\mcBNhKu.exe
  2⤵
  PID:7172
- C:\Windows\System\ljmPbAD.exe
  C:\Windows\System\ljmPbAD.exe
  2⤵
  PID:7240
- C:\Windows\System\tXiJeQA.exe
  C:\Windows\System\tXiJeQA.exe
  2⤵
  PID:7308
- C:\Windows\System\hPdfwdL.exe
  C:\Windows\System\hPdfwdL.exe
  2⤵
  PID:7452
- C:\Windows\System\fFiYMOZ.exe
  C:\Windows\System\fFiYMOZ.exe
  2⤵
  PID:7584
- C:\Windows\System\lcAkqKk.exe
  C:\Windows\System\lcAkqKk.exe
  2⤵
  PID:7624
- C:\Windows\System\bmtpoZY.exe
  C:\Windows\System\bmtpoZY.exe
  2⤵
  PID:7664
- C:\Windows\System\HkmIZvD.exe
  C:\Windows\System\HkmIZvD.exe
  2⤵
  PID:7784
- C:\Windows\System\bUjfGrp.exe
  C:\Windows\System\bUjfGrp.exe
  2⤵
  PID:7860
- C:\Windows\System\mpociqh.exe
  C:\Windows\System\mpociqh.exe
  2⤵
  PID:7928
- C:\Windows\System\QsmbqFi.exe
  C:\Windows\System\QsmbqFi.exe
  2⤵
  PID:7904
- C:\Windows\System\SNXTgOq.exe
  C:\Windows\System\SNXTgOq.exe
  2⤵
  PID:7996
- C:\Windows\System\aBYcXeB.exe
  C:\Windows\System\aBYcXeB.exe
  2⤵
  PID:8024
- C:\Windows\System\mdHvWad.exe
  C:\Windows\System\mdHvWad.exe
  2⤵
  PID:8184
- C:\Windows\System\HbsnsPD.exe
  C:\Windows\System\HbsnsPD.exe
  2⤵
  PID:7064
- C:\Windows\System\avEQgyz.exe
  C:\Windows\System\avEQgyz.exe
  2⤵
  PID:7360
- C:\Windows\System\bokVYQU.exe
  C:\Windows\System\bokVYQU.exe
  2⤵
  PID:7472
- C:\Windows\System\IOErBxZ.exe
  C:\Windows\System\IOErBxZ.exe
  2⤵
  PID:7576
- C:\Windows\System\JaOKHnU.exe
  C:\Windows\System\JaOKHnU.exe
  2⤵
  PID:7828
- C:\Windows\System\PgVoEON.exe
  C:\Windows\System\PgVoEON.exe
  2⤵
  PID:7892
- C:\Windows\System\neuoPuM.exe
  C:\Windows\System\neuoPuM.exe
  2⤵
  PID:8088
- C:\Windows\System\ClLMKAT.exe
  C:\Windows\System\ClLMKAT.exe
  2⤵
  PID:7184
- C:\Windows\System\PvpnsNh.exe
  C:\Windows\System\PvpnsNh.exe
  2⤵
  PID:7328
- C:\Windows\System\vNwNDKn.exe
  C:\Windows\System\vNwNDKn.exe
  2⤵
  PID:7696
- C:\Windows\System\GuGJwLD.exe
  C:\Windows\System\GuGJwLD.exe
  2⤵
  PID:8080
- C:\Windows\System\LkcSsNi.exe
  C:\Windows\System\LkcSsNi.exe
  2⤵
  PID:7804
- C:\Windows\System\qIPGjJL.exe
  C:\Windows\System\qIPGjJL.exe
  2⤵
  PID:8200
- C:\Windows\System\ebxKqYq.exe
  C:\Windows\System\ebxKqYq.exe
  2⤵
  PID:8244
- C:\Windows\System\szMpOIp.exe
  C:\Windows\System\szMpOIp.exe
  2⤵
  PID:8264
- C:\Windows\System\yMDklAS.exe
  C:\Windows\System\yMDklAS.exe
  2⤵
  PID:8284
- C:\Windows\System\ouEBoOk.exe
  C:\Windows\System\ouEBoOk.exe
  2⤵
  PID:8308
- C:\Windows\System\ylFqsXA.exe
  C:\Windows\System\ylFqsXA.exe
  2⤵
  PID:8328
- C:\Windows\System\Emoktno.exe
  C:\Windows\System\Emoktno.exe
  2⤵
  PID:8348
- C:\Windows\System\GVCptbr.exe
  C:\Windows\System\GVCptbr.exe
  2⤵
  PID:8392
- C:\Windows\System\SaHcWkc.exe
  C:\Windows\System\SaHcWkc.exe
  2⤵
  PID:8416
- C:\Windows\System\jEWqwjW.exe
  C:\Windows\System\jEWqwjW.exe
  2⤵
  PID:8456
- C:\Windows\System\aoIqrSq.exe
  C:\Windows\System\aoIqrSq.exe
  2⤵
  PID:8484
- C:\Windows\System\ROBFUMO.exe
  C:\Windows\System\ROBFUMO.exe
  2⤵
  PID:8508
- C:\Windows\System\uIOKHGk.exe
  C:\Windows\System\uIOKHGk.exe
  2⤵
  PID:8532
- C:\Windows\System\gSHJeXW.exe
  C:\Windows\System\gSHJeXW.exe
  2⤵
  PID:8548
- C:\Windows\System\LLgWVen.exe
  C:\Windows\System\LLgWVen.exe
  2⤵
  PID:8596
- C:\Windows\System\IrgKdbm.exe
  C:\Windows\System\IrgKdbm.exe
  2⤵
  PID:8616
- C:\Windows\System\noVqjaj.exe
  C:\Windows\System\noVqjaj.exe
  2⤵
  PID:8640
- C:\Windows\System\vkOyvlo.exe
  C:\Windows\System\vkOyvlo.exe
  2⤵
  PID:8664
- C:\Windows\System\GgkBsfR.exe
  C:\Windows\System\GgkBsfR.exe
  2⤵
  PID:8692
- C:\Windows\System\mbfZsIp.exe
  C:\Windows\System\mbfZsIp.exe
  2⤵
  PID:8744
- C:\Windows\System\qsOmxtp.exe
  C:\Windows\System\qsOmxtp.exe
  2⤵
  PID:8776
- C:\Windows\System\btadXhH.exe
  C:\Windows\System\btadXhH.exe
  2⤵
  PID:8796
- C:\Windows\System\tSNgtNH.exe
  C:\Windows\System\tSNgtNH.exe
  2⤵
  PID:8812
- C:\Windows\System\NMEzzQV.exe
  C:\Windows\System\NMEzzQV.exe
  2⤵
  PID:8840
- C:\Windows\System\WXjToQv.exe
  C:\Windows\System\WXjToQv.exe
  2⤵
  PID:8888
- C:\Windows\System\vsnPzZF.exe
  C:\Windows\System\vsnPzZF.exe
  2⤵
  PID:8904
- C:\Windows\System\qsoJrns.exe
  C:\Windows\System\qsoJrns.exe
  2⤵
  PID:8924
- C:\Windows\System\ccPiobT.exe
  C:\Windows\System\ccPiobT.exe
  2⤵
  PID:8940
- C:\Windows\System\bjeHWkn.exe
  C:\Windows\System\bjeHWkn.exe
  2⤵
  PID:8968
- C:\Windows\System\xrydyly.exe
  C:\Windows\System\xrydyly.exe
  2⤵
  PID:9008
- C:\Windows\System\veObFhv.exe
  C:\Windows\System\veObFhv.exe
  2⤵
  PID:9028
- C:\Windows\System\DggDmrn.exe
  C:\Windows\System\DggDmrn.exe
  2⤵
  PID:9072
- C:\Windows\System\BfZDjta.exe
  C:\Windows\System\BfZDjta.exe
  2⤵
  PID:9088
- C:\Windows\System\wWDycwz.exe
  C:\Windows\System\wWDycwz.exe
  2⤵
  PID:9116
- C:\Windows\System\KDsCTNz.exe
  C:\Windows\System\KDsCTNz.exe
  2⤵
  PID:9136
- C:\Windows\System\WUPbPAd.exe
  C:\Windows\System\WUPbPAd.exe
  2⤵
  PID:9160
- C:\Windows\System\KMrDUlx.exe
  C:\Windows\System\KMrDUlx.exe
  2⤵
  PID:7916
- C:\Windows\System\NJhMDQZ.exe
  C:\Windows\System\NJhMDQZ.exe
  2⤵
  PID:8296
- C:\Windows\System\cEQpNxK.exe
  C:\Windows\System\cEQpNxK.exe
  2⤵
  PID:8364
- C:\Windows\System\VyCdWwp.exe
  C:\Windows\System\VyCdWwp.exe
  2⤵
  PID:8356
- C:\Windows\System\asENyTo.exe
  C:\Windows\System\asENyTo.exe
  2⤵
  PID:8492
- C:\Windows\System\XqDwkzL.exe
  C:\Windows\System\XqDwkzL.exe
  2⤵
  PID:8520
- C:\Windows\System\ujHkVHj.exe
  C:\Windows\System\ujHkVHj.exe
  2⤵
  PID:8576
- C:\Windows\System\PSiwkUv.exe
  C:\Windows\System\PSiwkUv.exe
  2⤵
  PID:8652
- C:\Windows\System\xJwwBSz.exe
  C:\Windows\System\xJwwBSz.exe
  2⤵
  PID:8704
- C:\Windows\System\NhYdxiX.exe
  C:\Windows\System\NhYdxiX.exe
  2⤵
  PID:8784
- C:\Windows\System\jqoJxrv.exe
  C:\Windows\System\jqoJxrv.exe
  2⤵
  PID:8808
- C:\Windows\System\JWnJNlN.exe
  C:\Windows\System\JWnJNlN.exe
  2⤵
  PID:8880
- C:\Windows\System\UZChfNU.exe
  C:\Windows\System\UZChfNU.exe
  2⤵
  PID:8916
- C:\Windows\System\PpZcFTF.exe
  C:\Windows\System\PpZcFTF.exe
  2⤵
  PID:9020
- C:\Windows\System\zJTzCaG.exe
  C:\Windows\System\zJTzCaG.exe
  2⤵
  PID:9084
- C:\Windows\System\VUZRude.exe
  C:\Windows\System\VUZRude.exe
  2⤵
  PID:9096
- C:\Windows\System\VizSbtx.exe
  C:\Windows\System\VizSbtx.exe
  2⤵
  PID:6980
- C:\Windows\System\xMxiSVG.exe
  C:\Windows\System\xMxiSVG.exe
  2⤵
  PID:8324
- C:\Windows\System\HpmsUbl.exe
  C:\Windows\System\HpmsUbl.exe
  2⤵
  PID:8344
- C:\Windows\System\kDYOOPZ.exe
  C:\Windows\System\kDYOOPZ.exe
  2⤵
  PID:8528
- C:\Windows\System\jMxOrKZ.exe
  C:\Windows\System\jMxOrKZ.exe
  2⤵
  PID:8720
- C:\Windows\System\MLiZeuw.exe
  C:\Windows\System\MLiZeuw.exe
  2⤵
  PID:9036
- C:\Windows\System\cWNNZeD.exe
  C:\Windows\System\cWNNZeD.exe
  2⤵
  PID:9144
- C:\Windows\System\ypcQIAy.exe
  C:\Windows\System\ypcQIAy.exe
  2⤵
  PID:3516
- C:\Windows\System\JvBDQFW.exe
  C:\Windows\System\JvBDQFW.exe
  2⤵
  PID:8340
- C:\Windows\System\GnPBuyz.exe
  C:\Windows\System\GnPBuyz.exe
  2⤵
  PID:8368
- C:\Windows\System\txDzNmK.exe
  C:\Windows\System\txDzNmK.exe
  2⤵
  PID:8672
- C:\Windows\System\gLyCrtT.exe
  C:\Windows\System\gLyCrtT.exe
  2⤵
  PID:9004
- C:\Windows\System\eFbXisY.exe
  C:\Windows\System\eFbXisY.exe
  2⤵
  PID:8756
- C:\Windows\System\QdPwOcw.exe
  C:\Windows\System\QdPwOcw.exe
  2⤵
  PID:9236
- C:\Windows\System\gSDybLv.exe
  C:\Windows\System\gSDybLv.exe
  2⤵
  PID:9256
- C:\Windows\System\SAqugon.exe
  C:\Windows\System\SAqugon.exe
  2⤵
  PID:9280
- C:\Windows\System\VNXYgRP.exe
  C:\Windows\System\VNXYgRP.exe
  2⤵
  PID:9324
- C:\Windows\System\HwZNzJg.exe
  C:\Windows\System\HwZNzJg.exe
  2⤵
  PID:9348
- C:\Windows\System\hBOdFeV.exe
  C:\Windows\System\hBOdFeV.exe
  2⤵
  PID:9364
- C:\Windows\System\rtXCVkP.exe
  C:\Windows\System\rtXCVkP.exe
  2⤵
  PID:9384
- C:\Windows\System\nnmbTfy.exe
  C:\Windows\System\nnmbTfy.exe
  2⤵
  PID:9416
- C:\Windows\System\lrqdKEh.exe
  C:\Windows\System\lrqdKEh.exe
  2⤵
  PID:9436
- C:\Windows\System\UYjiDKA.exe
  C:\Windows\System\UYjiDKA.exe
  2⤵
  PID:9452
- C:\Windows\System\AVSJJMw.exe
  C:\Windows\System\AVSJJMw.exe
  2⤵
  PID:9468
- C:\Windows\System\BUPZqNO.exe
  C:\Windows\System\BUPZqNO.exe
  2⤵
  PID:9508
- C:\Windows\System\yPKHnWw.exe
  C:\Windows\System\yPKHnWw.exe
  2⤵
  PID:9540
- C:\Windows\System\gxPPeZT.exe
  C:\Windows\System\gxPPeZT.exe
  2⤵
  PID:9560
- C:\Windows\System\qnfgLNf.exe
  C:\Windows\System\qnfgLNf.exe
  2⤵
  PID:9584
- C:\Windows\System\qbbJqwA.exe
  C:\Windows\System\qbbJqwA.exe
  2⤵
  PID:9636
- C:\Windows\System\vXvswqY.exe
  C:\Windows\System\vXvswqY.exe
  2⤵
  PID:9656
- C:\Windows\System\qEMWxHn.exe
  C:\Windows\System\qEMWxHn.exe
  2⤵
  PID:9708
- C:\Windows\System\ZeVphkb.exe
  C:\Windows\System\ZeVphkb.exe
  2⤵
  PID:9744
- C:\Windows\System\oxduvXk.exe
  C:\Windows\System\oxduvXk.exe
  2⤵
  PID:9760
- C:\Windows\System\JISLRXW.exe
  C:\Windows\System\JISLRXW.exe
  2⤵
  PID:9788
- C:\Windows\System\QhHlmQh.exe
  C:\Windows\System\QhHlmQh.exe
  2⤵
  PID:9808
- C:\Windows\System\VRqBhDf.exe
  C:\Windows\System\VRqBhDf.exe
  2⤵
  PID:9828
- C:\Windows\System\TEvZopV.exe
  C:\Windows\System\TEvZopV.exe
  2⤵
  PID:9888
- C:\Windows\System\ypDQXXq.exe
  C:\Windows\System\ypDQXXq.exe
  2⤵
  PID:9908
- C:\Windows\System\iSZqEWL.exe
  C:\Windows\System\iSZqEWL.exe
  2⤵
  PID:9928
- C:\Windows\System\tGaHJTB.exe
  C:\Windows\System\tGaHJTB.exe
  2⤵
  PID:9952
- C:\Windows\System\akqXLuS.exe
  C:\Windows\System\akqXLuS.exe
  2⤵
  PID:9992
- C:\Windows\System\ARGDrKV.exe
  C:\Windows\System\ARGDrKV.exe
  2⤵
  PID:10012
- C:\Windows\System\PLMhgBB.exe
  C:\Windows\System\PLMhgBB.exe
  2⤵
  PID:10040
- C:\Windows\System\vtCtxzc.exe
  C:\Windows\System\vtCtxzc.exe
  2⤵
  PID:10068
- C:\Windows\System\LOMJOXn.exe
  C:\Windows\System\LOMJOXn.exe
  2⤵
  PID:10092
- C:\Windows\System\tPNaMDq.exe
  C:\Windows\System\tPNaMDq.exe
  2⤵
  PID:10120
- C:\Windows\System\ehTVdRi.exe
  C:\Windows\System\ehTVdRi.exe
  2⤵
  PID:10140
- C:\Windows\System\qPmrQln.exe
  C:\Windows\System\qPmrQln.exe
  2⤵
  PID:10184
- C:\Windows\System\qBNTosh.exe
  C:\Windows\System\qBNTosh.exe
  2⤵
  PID:10208
- C:\Windows\System\siXwRpt.exe
  C:\Windows\System\siXwRpt.exe
  2⤵
  PID:10232
- C:\Windows\System\sGPIZjs.exe
  C:\Windows\System\sGPIZjs.exe
  2⤵
  PID:9248
- C:\Windows\System\nKJhozQ.exe
  C:\Windows\System\nKJhozQ.exe
  2⤵
  PID:9300
- C:\Windows\System\ucXdkKY.exe
  C:\Windows\System\ucXdkKY.exe
  2⤵
  PID:9412
- C:\Windows\System\qZYeMuU.exe
  C:\Windows\System\qZYeMuU.exe
  2⤵
  PID:9524
- C:\Windows\System\atwIQDc.exe
  C:\Windows\System\atwIQDc.exe
  2⤵
  PID:9496
- C:\Windows\System\EsqILkE.exe
  C:\Windows\System\EsqILkE.exe
  2⤵
  PID:9576
- C:\Windows\System\CNmOGLL.exe
  C:\Windows\System\CNmOGLL.exe
  2⤵
  PID:9652
- C:\Windows\System\HRDxbiP.exe
  C:\Windows\System\HRDxbiP.exe
  2⤵
  PID:9728
- C:\Windows\System\JeRZwUV.exe
  C:\Windows\System\JeRZwUV.exe
  2⤵
  PID:9816
- C:\Windows\System\qaqYDcO.exe
  C:\Windows\System\qaqYDcO.exe
  2⤵
  PID:9840
- C:\Windows\System\kmKwWJF.exe
  C:\Windows\System\kmKwWJF.exe
  2⤵
  PID:9924
- C:\Windows\System\mmysibp.exe
  C:\Windows\System\mmysibp.exe
  2⤵
  PID:9976
- C:\Windows\System\oxgCoLh.exe
  C:\Windows\System\oxgCoLh.exe
  2⤵
  PID:10048
- C:\Windows\System\fVozcNq.exe
  C:\Windows\System\fVozcNq.exe
  2⤵
  PID:10088
- C:\Windows\System\WiuYOuE.exe
  C:\Windows\System\WiuYOuE.exe
  2⤵
  PID:10132
- C:\Windows\System\xVksHGN.exe
  C:\Windows\System\xVksHGN.exe
  2⤵
  PID:10224
- C:\Windows\System\NDPPJaj.exe
  C:\Windows\System\NDPPJaj.exe
  2⤵
  PID:9272
- C:\Windows\System\lgXHugi.exe
  C:\Windows\System\lgXHugi.exe
  2⤵
  PID:9380
- C:\Windows\System\ElBPMwA.exe
  C:\Windows\System\ElBPMwA.exe
  2⤵
  PID:9612
- C:\Windows\System\DwPcUPb.exe
  C:\Windows\System\DwPcUPb.exe
  2⤵
  PID:9632
- C:\Windows\System\CCxeBkx.exe
  C:\Windows\System\CCxeBkx.exe
  2⤵
  PID:9768
- C:\Windows\System\FsVSVOQ.exe
  C:\Windows\System\FsVSVOQ.exe
  2⤵
  PID:8680
- C:\Windows\System\tNDqzko.exe
  C:\Windows\System\tNDqzko.exe
  2⤵
  PID:10176
- C:\Windows\System\BEEWUIn.exe
  C:\Windows\System\BEEWUIn.exe
  2⤵
  PID:9376
- C:\Windows\System\eunkCwD.exe
  C:\Windows\System\eunkCwD.exe
  2⤵
  PID:9824
- C:\Windows\System\waIhboK.exe
  C:\Windows\System\waIhboK.exe
  2⤵
  PID:9516
- C:\Windows\System\vCwBnez.exe
  C:\Windows\System\vCwBnez.exe
  2⤵
  PID:10248
- C:\Windows\System\bJtaaTD.exe
  C:\Windows\System\bJtaaTD.exe
  2⤵
  PID:10268
- C:\Windows\System\YIrfhQI.exe
  C:\Windows\System\YIrfhQI.exe
  2⤵
  PID:10288
- C:\Windows\System\aeyYGCf.exe
  C:\Windows\System\aeyYGCf.exe
  2⤵
  PID:10336
- C:\Windows\System\MyARwXY.exe
  C:\Windows\System\MyARwXY.exe
  2⤵
  PID:10352
- C:\Windows\System\ESVRZsc.exe
  C:\Windows\System\ESVRZsc.exe
  2⤵
  PID:10392
- C:\Windows\System\wqkVRkD.exe
  C:\Windows\System\wqkVRkD.exe
  2⤵
  PID:10408
- C:\Windows\System\eCoiWdk.exe
  C:\Windows\System\eCoiWdk.exe
  2⤵
  PID:10436
- C:\Windows\System\HrxluEv.exe
  C:\Windows\System\HrxluEv.exe
  2⤵
  PID:10464
- C:\Windows\System\aUJnoEp.exe
  C:\Windows\System\aUJnoEp.exe
  2⤵
  PID:10480
- C:\Windows\System\CTHaFJd.exe
  C:\Windows\System\CTHaFJd.exe
  2⤵
  PID:10500
- C:\Windows\System\ohQukfd.exe
  C:\Windows\System\ohQukfd.exe
  2⤵
  PID:10548
- C:\Windows\System\PpjmOkg.exe
  C:\Windows\System\PpjmOkg.exe
  2⤵
  PID:10572
- C:\Windows\System\kbOXuDx.exe
  C:\Windows\System\kbOXuDx.exe
  2⤵
  PID:10616
- C:\Windows\System\rWBSHDA.exe
  C:\Windows\System\rWBSHDA.exe
  2⤵
  PID:10632
- C:\Windows\System\OCNwKEs.exe
  C:\Windows\System\OCNwKEs.exe
  2⤵
  PID:10656
- C:\Windows\System\kGLsMER.exe
  C:\Windows\System\kGLsMER.exe
  2⤵
  PID:10672
- C:\Windows\System\RTsdNep.exe
  C:\Windows\System\RTsdNep.exe
  2⤵
  PID:10708
- C:\Windows\System\nfyETZk.exe
  C:\Windows\System\nfyETZk.exe
  2⤵
  PID:10756
- C:\Windows\System\kfxxkFp.exe
  C:\Windows\System\kfxxkFp.exe
  2⤵
  PID:10772
- C:\Windows\System\XJjNaor.exe
  C:\Windows\System\XJjNaor.exe
  2⤵
  PID:10812
- C:\Windows\System\OzjmJyI.exe
  C:\Windows\System\OzjmJyI.exe
  2⤵
  PID:10828
- C:\Windows\System\qCghWbQ.exe
  C:\Windows\System\qCghWbQ.exe
  2⤵
  PID:10856
- C:\Windows\System\kETVIiz.exe
  C:\Windows\System\kETVIiz.exe
  2⤵
  PID:10880
- C:\Windows\System\BNooTvW.exe
  C:\Windows\System\BNooTvW.exe
  2⤵
  PID:10924
- C:\Windows\System\SKRCspw.exe
  C:\Windows\System\SKRCspw.exe
  2⤵
  PID:10940
- C:\Windows\System\WssgHad.exe
  C:\Windows\System\WssgHad.exe
  2⤵
  PID:10980
- C:\Windows\System\XXCJMLf.exe
  C:\Windows\System\XXCJMLf.exe
  2⤵
  PID:10996
- C:\Windows\System\HOyRtGT.exe
  C:\Windows\System\HOyRtGT.exe
  2⤵
  PID:11028
- C:\Windows\System\rKfblIa.exe
  C:\Windows\System\rKfblIa.exe
  2⤵
  PID:11048
- C:\Windows\System\GlylbSc.exe
  C:\Windows\System\GlylbSc.exe
  2⤵
  PID:11068
- C:\Windows\System\GnntJWb.exe
  C:\Windows\System\GnntJWb.exe
  2⤵
  PID:11084
- C:\Windows\System\hFovunq.exe
  C:\Windows\System\hFovunq.exe
  2⤵
  PID:11136
- C:\Windows\System\zeLtEuG.exe
  C:\Windows\System\zeLtEuG.exe
  2⤵
  PID:11160
- C:\Windows\System\OIwxJjR.exe
  C:\Windows\System\OIwxJjR.exe
  2⤵
  PID:11188
- C:\Windows\System\qevkDrx.exe
  C:\Windows\System\qevkDrx.exe
  2⤵
  PID:11244
- C:\Windows\System\ElZScSD.exe
  C:\Windows\System\ElZScSD.exe
  2⤵
  PID:9484
- C:\Windows\System\kObEJCI.exe
  C:\Windows\System\kObEJCI.exe
  2⤵
  PID:10164
- C:\Windows\System\aNkhZAi.exe
  C:\Windows\System\aNkhZAi.exe
  2⤵
  PID:10308
- C:\Windows\System\vhgpvyQ.exe
  C:\Windows\System\vhgpvyQ.exe
  2⤵
  PID:10372
- C:\Windows\System\TwzDoMr.exe
  C:\Windows\System\TwzDoMr.exe
  2⤵
  PID:10432
- C:\Windows\System\UrUoIQq.exe
  C:\Windows\System\UrUoIQq.exe
  2⤵
  PID:10520
- C:\Windows\System\yrrRCgt.exe
  C:\Windows\System\yrrRCgt.exe
  2⤵
  PID:10560
- C:\Windows\System\GpatNhd.exe
  C:\Windows\System\GpatNhd.exe
  2⤵
  PID:10592
- C:\Windows\System\wLgfcsw.exe
  C:\Windows\System\wLgfcsw.exe
  2⤵
  PID:10684
- C:\Windows\System\pFQzMQm.exe
  C:\Windows\System\pFQzMQm.exe
  2⤵
  PID:10744
- C:\Windows\System\VTwjvMB.exe
  C:\Windows\System\VTwjvMB.exe
  2⤵
  PID:10824
- C:\Windows\System\xLjOWSN.exe
  C:\Windows\System\xLjOWSN.exe
  2⤵
  PID:10896
- C:\Windows\System\xSoYDwZ.exe
  C:\Windows\System\xSoYDwZ.exe
  2⤵
  PID:10960
- C:\Windows\System\vlGTGGe.exe
  C:\Windows\System\vlGTGGe.exe
  2⤵
  PID:10992
- C:\Windows\System\MQiKzSg.exe
  C:\Windows\System\MQiKzSg.exe
  2⤵
  PID:11064
- C:\Windows\System\WXsthHt.exe
  C:\Windows\System\WXsthHt.exe
  2⤵
  PID:11132
- C:\Windows\System\koEAcXV.exe
  C:\Windows\System\koEAcXV.exe
  2⤵
  PID:10284
- C:\Windows\System\wNcsakr.exe
  C:\Windows\System\wNcsakr.exe
  2⤵
  PID:10332
- C:\Windows\System\mzEXOpn.exe
  C:\Windows\System\mzEXOpn.exe
  2⤵
  PID:10428
- C:\Windows\System\pwtfjhY.exe
  C:\Windows\System\pwtfjhY.exe
  2⤵
  PID:10540
- C:\Windows\System\mWnccHX.exe
  C:\Windows\System\mWnccHX.exe
  2⤵
  PID:10768
- C:\Windows\System\xHYiirg.exe
  C:\Windows\System\xHYiirg.exe
  2⤵
  PID:10900
- C:\Windows\System\kNagLYa.exe
  C:\Windows\System\kNagLYa.exe
  2⤵
  PID:11040
- C:\Windows\System\tLMQHqq.exe
  C:\Windows\System\tLMQHqq.exe
  2⤵
  PID:11044
- C:\Windows\System\TMozPeD.exe
  C:\Windows\System\TMozPeD.exe
  2⤵
  PID:9460
- C:\Windows\System\oZZQsHe.exe
  C:\Windows\System\oZZQsHe.exe
  2⤵
  PID:10652
- C:\Windows\System\eNSzfiV.exe
  C:\Windows\System\eNSzfiV.exe
  2⤵
  PID:11076
- C:\Windows\System\lEwvvrN.exe
  C:\Windows\System\lEwvvrN.exe
  2⤵
  PID:10952
- C:\Windows\System\bqGEDxy.exe
  C:\Windows\System\bqGEDxy.exe
  2⤵
  PID:11272
- C:\Windows\System\NeKKWBc.exe
  C:\Windows\System\NeKKWBc.exe
  2⤵
  PID:11296
- C:\Windows\System\frwOXWB.exe
  C:\Windows\System\frwOXWB.exe
  2⤵
  PID:11316
- C:\Windows\System\uVTLKhe.exe
  C:\Windows\System\uVTLKhe.exe
  2⤵
  PID:11340
- C:\Windows\System\NwRtchS.exe
  C:\Windows\System\NwRtchS.exe
  2⤵
  PID:11364
- C:\Windows\System\mtbJspm.exe
  C:\Windows\System\mtbJspm.exe
  2⤵
  PID:11416
- C:\Windows\System\RolMplR.exe
  C:\Windows\System\RolMplR.exe
  2⤵
  PID:11432
- C:\Windows\System\Qtgdeyi.exe
  C:\Windows\System\Qtgdeyi.exe
  2⤵
  PID:11452
- C:\Windows\System\cmeZTmg.exe
  C:\Windows\System\cmeZTmg.exe
  2⤵
  PID:11480
- C:\Windows\System\wiPAqYl.exe
  C:\Windows\System\wiPAqYl.exe
  2⤵
  PID:11512
- C:\Windows\System\cbBjeQt.exe
  C:\Windows\System\cbBjeQt.exe
  2⤵
  PID:11536
- C:\Windows\System\gcjfIrq.exe
  C:\Windows\System\gcjfIrq.exe
  2⤵
  PID:11592
- C:\Windows\System\WMuuBbg.exe
  C:\Windows\System\WMuuBbg.exe
  2⤵
  PID:11616
- C:\Windows\System\ajiSwqG.exe
  C:\Windows\System\ajiSwqG.exe
  2⤵
  PID:11632
- C:\Windows\System\AYuYIBX.exe
  C:\Windows\System\AYuYIBX.exe
  2⤵
  PID:11656
- C:\Windows\System\kZOgNCz.exe
  C:\Windows\System\kZOgNCz.exe
  2⤵
  PID:11676
- C:\Windows\System\uUfLsNk.exe
  C:\Windows\System\uUfLsNk.exe
  2⤵
  PID:11696
- C:\Windows\System\RUvdaBm.exe
  C:\Windows\System\RUvdaBm.exe
  2⤵
  PID:11716
- C:\Windows\System\cScWUhs.exe
  C:\Windows\System\cScWUhs.exe
  2⤵
  PID:11736
- C:\Windows\System\TlZyWDu.exe
  C:\Windows\System\TlZyWDu.exe
  2⤵
  PID:11800
- C:\Windows\System\plMHRld.exe
  C:\Windows\System\plMHRld.exe
  2⤵
  PID:11844
- C:\Windows\System\bFdqSkZ.exe
  C:\Windows\System\bFdqSkZ.exe
  2⤵
  PID:11868
- C:\Windows\System\CtnHEpM.exe
  C:\Windows\System\CtnHEpM.exe
  2⤵
  PID:11900
- C:\Windows\System\oMulHNT.exe
  C:\Windows\System\oMulHNT.exe
  2⤵
  PID:11916
- C:\Windows\System\rOKwnzv.exe
  C:\Windows\System\rOKwnzv.exe
  2⤵
  PID:11940
- C:\Windows\System\sWXUADL.exe
  C:\Windows\System\sWXUADL.exe
  2⤵
  PID:11960
- C:\Windows\System\KFESUtV.exe
  C:\Windows\System\KFESUtV.exe
  2⤵
  PID:12060
- C:\Windows\System\FMHTVuM.exe
  C:\Windows\System\FMHTVuM.exe
  2⤵
  PID:12084
- C:\Windows\System\Cjlpebl.exe
  C:\Windows\System\Cjlpebl.exe
  2⤵
  PID:12104
- C:\Windows\System\ujuuCEm.exe
  C:\Windows\System\ujuuCEm.exe
  2⤵
  PID:12120
- C:\Windows\System\PAvTTRZ.exe
  C:\Windows\System\PAvTTRZ.exe
  2⤵
  PID:12148
- C:\Windows\System\rTrAJBH.exe
  C:\Windows\System\rTrAJBH.exe
  2⤵
  PID:12176
- C:\Windows\System\sPByxtU.exe
  C:\Windows\System\sPByxtU.exe
  2⤵
  PID:12204
- C:\Windows\System\sCreYNn.exe
  C:\Windows\System\sCreYNn.exe
  2⤵
  PID:12224
- C:\Windows\System\JmZRzaz.exe
  C:\Windows\System\JmZRzaz.exe
  2⤵
  PID:12256
- C:\Windows\System\qMMJUvR.exe
  C:\Windows\System\qMMJUvR.exe
  2⤵
  PID:11352
- C:\Windows\System\cuKfIAB.exe
  C:\Windows\System\cuKfIAB.exe
  2⤵
  PID:11292
- C:\Windows\System\nOnpAym.exe
  C:\Windows\System\nOnpAym.exe
  2⤵
  PID:11360
- C:\Windows\System\CqhdNWF.exe
  C:\Windows\System\CqhdNWF.exe
  2⤵
  PID:11424
- C:\Windows\System\VYpzpZw.exe
  C:\Windows\System\VYpzpZw.exe
  2⤵
  PID:11448
- C:\Windows\System\vzkUirF.exe
  C:\Windows\System\vzkUirF.exe
  2⤵
  PID:11548
- C:\Windows\System\ciIUZly.exe
  C:\Windows\System\ciIUZly.exe
  2⤵
  PID:11600
- C:\Windows\System\qoXWxCo.exe
  C:\Windows\System\qoXWxCo.exe
  2⤵
  PID:11588
- C:\Windows\System\EKUbdUM.exe
  C:\Windows\System\EKUbdUM.exe
  2⤵
  PID:11688
- C:\Windows\System\BjBaKAn.exe
  C:\Windows\System\BjBaKAn.exe
  2⤵
  PID:11764
- C:\Windows\System\vdZZKAA.exe
  C:\Windows\System\vdZZKAA.exe
  2⤵
  PID:11788
- C:\Windows\System\zCbdyru.exe
  C:\Windows\System\zCbdyru.exe
  2⤵
  PID:11840
- C:\Windows\System\PJQSBbg.exe
  C:\Windows\System\PJQSBbg.exe
  2⤵
  PID:11952
- C:\Windows\System\hfUsqoI.exe
  C:\Windows\System\hfUsqoI.exe
  2⤵
  PID:12048
- C:\Windows\System\TZNwDyR.exe
  C:\Windows\System\TZNwDyR.exe
  2⤵
  PID:12080
- C:\Windows\System\NDZXxXd.exe
  C:\Windows\System\NDZXxXd.exe
  2⤵
  PID:12144
- C:\Windows\System\VApRrOg.exe
  C:\Windows\System\VApRrOg.exe
  2⤵
  PID:12220
- C:\Windows\System\lEMjXsK.exe
  C:\Windows\System\lEMjXsK.exe
  2⤵
  PID:12244
- C:\Windows\System\kpskWEj.exe
  C:\Windows\System\kpskWEj.exe
  2⤵
  PID:11092
- C:\Windows\System\NobfTHz.exe
  C:\Windows\System\NobfTHz.exe
  2⤵
  PID:11460
- C:\Windows\System\LduKntQ.exe
  C:\Windows\System\LduKntQ.exe
  2⤵
  PID:11528
- C:\Windows\System\TiVytbt.exe
  C:\Windows\System\TiVytbt.exe
  2⤵
  PID:11628
- C:\Windows\System\EXrPQWu.exe
  C:\Windows\System\EXrPQWu.exe
  2⤵
  PID:12072
- C:\Windows\System\CMcabBW.exe
  C:\Windows\System\CMcabBW.exe
  2⤵
  PID:12264
- C:\Windows\System\xqEPLby.exe
  C:\Windows\System\xqEPLby.exe
  2⤵
  PID:11496
- C:\Windows\System\nFJTjdI.exe
  C:\Windows\System\nFJTjdI.exe
  2⤵
  PID:11624
- C:\Windows\System\jKkuNoj.exe
  C:\Windows\System\jKkuNoj.exe
  2⤵
  PID:11504
- C:\Windows\System\EFhlRng.exe
  C:\Windows\System\EFhlRng.exe
  2⤵
  PID:11644
- C:\Windows\System\BXPTTuS.exe
  C:\Windows\System\BXPTTuS.exe
  2⤵
  PID:12304
- C:\Windows\System\vmKnhRA.exe
  C:\Windows\System\vmKnhRA.exe
  2⤵
  PID:12324
- C:\Windows\System\ddWFKAi.exe
  C:\Windows\System\ddWFKAi.exe
  2⤵
  PID:12344
- C:\Windows\System\LoHgOKA.exe
  C:\Windows\System\LoHgOKA.exe
  2⤵
  PID:12368
- C:\Windows\System\inOfQiw.exe
  C:\Windows\System\inOfQiw.exe
  2⤵
  PID:12416
- C:\Windows\System\oYwncWh.exe
  C:\Windows\System\oYwncWh.exe
  2⤵
  PID:12448
- C:\Windows\System\TeLaJHA.exe
  C:\Windows\System\TeLaJHA.exe
  2⤵
  PID:12464
- C:\Windows\System\oshVxyV.exe
  C:\Windows\System\oshVxyV.exe
  2⤵
  PID:12496
- C:\Windows\System\Pmfynee.exe
  C:\Windows\System\Pmfynee.exe
  2⤵
  PID:12516
- C:\Windows\System\xaAZuKw.exe
  C:\Windows\System\xaAZuKw.exe
  2⤵
  PID:12564
- C:\Windows\System\BeYvsMs.exe
  C:\Windows\System\BeYvsMs.exe
  2⤵
  PID:12588
- C:\Windows\System\uKfdwKA.exe
  C:\Windows\System\uKfdwKA.exe
  2⤵
  PID:12608
- C:\Windows\System\jTfdntR.exe
  C:\Windows\System\jTfdntR.exe
  2⤵
  PID:12624
- C:\Windows\System\IwUtBlh.exe
  C:\Windows\System\IwUtBlh.exe
  2⤵
  PID:12652
- C:\Windows\System\EawfDWy.exe
  C:\Windows\System\EawfDWy.exe
  2⤵
  PID:12680
- C:\Windows\System\UYrpdmK.exe
  C:\Windows\System\UYrpdmK.exe
  2⤵
  PID:12724
- C:\Windows\System\Yzyukbz.exe
  C:\Windows\System\Yzyukbz.exe
  2⤵
  PID:12748
- C:\Windows\System\JqZsrwX.exe
  C:\Windows\System\JqZsrwX.exe
  2⤵
  PID:12796
- C:\Windows\System\QbiobUt.exe
  C:\Windows\System\QbiobUt.exe
  2⤵
  PID:12820
- C:\Windows\System\FVQZijP.exe
  C:\Windows\System\FVQZijP.exe
  2⤵
  PID:12844
- C:\Windows\System\WCTsxXK.exe
  C:\Windows\System\WCTsxXK.exe
  2⤵
  PID:12864
- C:\Windows\System\REdXUZf.exe
  C:\Windows\System\REdXUZf.exe
  2⤵
  PID:12888
- C:\Windows\System\pmZGCaJ.exe
  C:\Windows\System\pmZGCaJ.exe
  2⤵
  PID:12944
- C:\Windows\System\LdqMxDh.exe
  C:\Windows\System\LdqMxDh.exe
  2⤵
  PID:12964
- C:\Windows\System\DeljxnF.exe
  C:\Windows\System\DeljxnF.exe
  2⤵
  PID:12988
- C:\Windows\System\EudkmwC.exe
  C:\Windows\System\EudkmwC.exe
  2⤵
  PID:13008
- C:\Windows\System\sjUEEUI.exe
  C:\Windows\System\sjUEEUI.exe
  2⤵
  PID:13024
- C:\Windows\System\KyRwTgN.exe
  C:\Windows\System\KyRwTgN.exe
  2⤵
  PID:13044
- C:\Windows\System\TxWKhWE.exe
  C:\Windows\System\TxWKhWE.exe
  2⤵
  PID:13068
- C:\Windows\System\fcvwEjk.exe
  C:\Windows\System\fcvwEjk.exe
  2⤵
  PID:13096
- C:\Windows\System\KzprdmK.exe
  C:\Windows\System\KzprdmK.exe
  2⤵
  PID:13152
- C:\Windows\System\xJzJSYy.exe
  C:\Windows\System\xJzJSYy.exe
  2⤵
  PID:13168
- C:\Windows\System\mpaVFPZ.exe
  C:\Windows\System\mpaVFPZ.exe
  2⤵
  PID:13216
- C:\Windows\System\SxaWCsq.exe
  C:\Windows\System\SxaWCsq.exe
  2⤵
  PID:13232
- C:\Windows\System\vXmasTB.exe
  C:\Windows\System\vXmasTB.exe
  2⤵
  PID:13260
- C:\Windows\System\NHgOLzA.exe
  C:\Windows\System\NHgOLzA.exe
  2⤵
  PID:13284
- C:\Windows\System\aufXCVt.exe
  C:\Windows\System\aufXCVt.exe
  2⤵
  PID:12040
- C:\Windows\System\uNRvkpc.exe
  C:\Windows\System\uNRvkpc.exe
  2⤵
  PID:12296
- C:\Windows\System\XCRKsHn.exe
  C:\Windows\System\XCRKsHn.exe
  2⤵
  PID:12428
- C:\Windows\System\oxgfBTy.exe
  C:\Windows\System\oxgfBTy.exe
  2⤵
  PID:12460
- C:\Windows\System\ZhqHcHT.exe
  C:\Windows\System\ZhqHcHT.exe
  2⤵
  PID:12512
- C:\Windows\System\UKirKIn.exe
  C:\Windows\System\UKirKIn.exe
  2⤵
  PID:12052
- C:\Windows\System\eKDLxHO.exe
  C:\Windows\System\eKDLxHO.exe
  2⤵
  PID:12672
- C:\Windows\System\DshwTbj.exe
  C:\Windows\System\DshwTbj.exe
  2⤵
  PID:12740
- C:\Windows\System\ejHdDtv.exe
  C:\Windows\System\ejHdDtv.exe
  2⤵
  PID:12860
- C:\Windows\System\PYNkbMO.exe
  C:\Windows\System\PYNkbMO.exe
  2⤵
  PID:12908
- C:\Windows\System\SoUseBO.exe
  C:\Windows\System\SoUseBO.exe
  2⤵
  PID:13016
- C:\Windows\System\TyhxlqY.exe
  C:\Windows\System\TyhxlqY.exe
  2⤵
  PID:13036
- C:\Windows\System\maEVoRs.exe
  C:\Windows\System\maEVoRs.exe
  2⤵
  PID:13080
- C:\Windows\System\KyMwPqq.exe
  C:\Windows\System\KyMwPqq.exe
  2⤵
  PID:13112
- C:\Windows\System\AfXUBBc.exe
  C:\Windows\System\AfXUBBc.exe
  2⤵
  PID:13228
- C:\Windows\System\yVRwoxG.exe
  C:\Windows\System\yVRwoxG.exe
  2⤵
  PID:12364
- C:\Windows\System\NsFOgwR.exe
  C:\Windows\System\NsFOgwR.exe
  2⤵
  PID:12876

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 1532 -i 1532 -h 484 -j 492 -s 496 -d 12996
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3pvgonh.chd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AEsYoAG.exe

Filesize
1.6MB

MD5
4c21a3d0ba19b67c827e68064d19de70

SHA1
b8e9da7c5649b3c325dbf4f12e70f07a0a0c3ffb

SHA256
c0880f26de8a805023340c84dd4b35705e516673c6eab6ff2a74c0aa52484fd7

SHA512
4b732b900ef26304bdf9dad71b90778bbbde799485b1eb77e65335c4ea8a585a24b7108881b152045aeb26a26873a5bd532bcfb1c90ff39a4c862f35ea10ae2c

Download Submit
C:\Windows\System\AXlAgBI.exe

Filesize
1.6MB

MD5
adf6b9f6b0cbca0dfd5e333c99070685

SHA1
cd030f86d9cf2db290353748020dca29e7e81bb8

SHA256
d9257f6ebc37783234d24e03b7f5d323be7803c068e35339e518e61fd85d12a3

SHA512
056ac0ee56c36d55171d9315b6768124d58bea1e11500e746b0cef17ec0f3387301997aa571b7170b72ec37fcdefff71e5511086cbcafd9247e2233c7261f2ab

Download Submit
C:\Windows\System\BvSAIZd.exe

Filesize
1.6MB

MD5
68aeea2d759a354e73a1e3150113ffad

SHA1
d0e8383a858dbce99cfdd3351aaf98b94e6a8f03

SHA256
1c71f3921d84c6f4c3c154fe07d34299c55d52e4a210692e224128a15ffe0a91

SHA512
3922670fb48b37a1c7e0840cb7f0a3015cfcfa8d26c91d0f5c66cba0560d40d909b125da05d0885ea007517190a82a7112f75ec92afa3cb5b818c058b7a0180d

Download Submit
C:\Windows\System\EBRktwf.exe

Filesize
1.6MB

MD5
fb3eccd3d52cbaa3a55e908597809322

SHA1
53dfd7e16024b4b8e329c8916bfb22a2621cc4cc

SHA256
0694dd8283fb8d7ebca72153b72fab527a165e9a77a85eb4d1f6ee4c9d15588b

SHA512
83f6a9bee9670f404a4b595e02778bedf8abd9aa206c6df15247c87c15cbc431bdf0c4891278cfe822f12450fe3d4534d55b190a0bc8827dc4c5dfec724daa9e

Download Submit
C:\Windows\System\EyKQRTV.exe

Filesize
1.6MB

MD5
6843de3fadcc23e2550de8276cc581d7

SHA1
422dd64b404d050955d9a651db420887e0ffda1c

SHA256
935bbab96c96e6a623b9a89c3995042d13fe57bdb90e52395b9c3ae77c06f271

SHA512
230b9bf4b78f1aa9b9ecbd7897d90c8b41e958753217ce8fdaea0fb5dea0db670f8c3a2fb64e6929aba7d7e81fe65ec90399c4e3ad09d938241e2c92a14a4d64

Download Submit
C:\Windows\System\FPoBmGy.exe

Filesize
1.6MB

MD5
8b2d5323de413a02f37f2391b9307e99

SHA1
e62889380fab7b141b993428c2e06b0bd50ddc78

SHA256
0f8820e0fd3bb9dab47b9511d37183da176ad60ff217fb453c3019a4dfa4b5a0

SHA512
5c994932dd21fd82622fff1ac28a68673640586bedbeb794f9a6e8c4b161e5890f4209d36b3cb8953aad8c14e5c9b45d36371b40ea43573362b13e039d47cb4a

Download Submit
C:\Windows\System\FdBiXsP.exe

Filesize
1.6MB

MD5
40da8670e8debd1efc80864d68d2af84

SHA1
4d61bd640dad605ebd2efeb92308e631b874c702

SHA256
7b876f27f205c73f25e92106f8f2efc7be463397a8fed0481f01dbcd2054a6e1

SHA512
865810cef68214c2179c902a953fbda456fd9f8f6591e273aac829eb1fa90e230470ba6d4c3209fe193b4bc68f9785427958f3d283644979835bb9cc4c80fc4c

Download Submit
C:\Windows\System\FnlqFad.exe

Filesize
1.6MB

MD5
573226a3e8e972ab2c98f5729813dc72

SHA1
6520ff126cef09746b8b9c20fa86be5dd823f122

SHA256
7454c377cfbd0418055864b1252dba43ee837dbb92234a04410b8350c22e4cc0

SHA512
e076027b219c755f97539913c1eb34ee1f9efff11c7a21cce155d7c067cd8e65929532d7bdd5179111a601cbb01c0e4ba0f01f5c5caf681329d6124d71ed13dc

Download Submit
C:\Windows\System\JxBmvBv.exe

Filesize
1.6MB

MD5
c9aa360cb4ee9f0e5a8e740fba923af1

SHA1
c163047d19e9fe2e4ad487552087418a97b8e4fb

SHA256
b2e9a0c4688cb707a7296a35f2b1be44fe0430c709702e06618731676243246c

SHA512
5b827fd879f6c5eb9f7afafc5fd96b374132f5b6af89598d4df8fbaf3e2e8ced14882d3f4802e1778fd96258821081854d7bb063b4e1710acb95fddc0326bba7

Download Submit
C:\Windows\System\NXiNwZs.exe

Filesize
1.6MB

MD5
38b086b66fafda7bc891641bd203c20e

SHA1
8a9795fdb06b3b214bf439cb7830a98902c5b6b0

SHA256
3440ba726efe72255edd34d7b8d9752e44be501dbb9998912041d175c28b3caa

SHA512
b7df8aad2fab5001bc1990f2991b728ac9f0fc7fb11c0cc0f0717c4d35d16579361f51ff13986b2df1ade4dc4afe33f718a2cda8d4bb323832a82a6449f9bd2e

Download Submit
C:\Windows\System\NYWUuSy.exe

Filesize
1.6MB

MD5
cbefea1b1cb0008dbc43caf78107d773

SHA1
3b489a7ea8f492d2b8c8e78d1c115b17815da702

SHA256
252daa7568ee1b642e2b1701f67d459641cdbdaa03cdc2d21407ccc9eafc7b75

SHA512
ea324ffca0c7586d6437f471bdc5f0ada1b0355fce010f7bb76f233dcefa9656985b4af3e666e0c89fccde284f8f253f078db4d8f018e08f5ef6ecb54586644d

Download Submit
C:\Windows\System\NrYorKd.exe

Filesize
1.6MB

MD5
3d63813b3cd47ea747a536e4bfd9202b

SHA1
870f7413b987a3fd7894aa316377d65f4e59d3c6

SHA256
343864f9fc1fcbcc19a304da786cd7434dea1b4c0653466035f61a557e1e4b0a

SHA512
5ac8743320fbd2fb6d598fd9f633c5ec78a49693fb453c040eaa9c6c227014ea27138568a44c266d26e02b1d8ab388765ec81e2aaf4d93e481656a8ed9c072c5

Download Submit
C:\Windows\System\PBSRCTS.exe

Filesize
8B

MD5
e5887cbf15080c2573c029e77e0112c4

SHA1
77883e6cbf92c6723320e67d2b310fb7683f26b5

SHA256
6e0f921d01f2a205118da85653320fc9691e0390f29471a099d9604f23b86d26

SHA512
2b5abf35307295043db6c11c29cc7b7cb5c045d2cc14c27aee312af0fb8b7f484d1989c5c2e58dad4588d3359d2befc9099ee3efa3b2bf8f5a9f357d3f2c5fb9

Download Submit
C:\Windows\System\RRvzwZQ.exe

Filesize
1.6MB

MD5
4fce8826a511ce654252ff80ecd33df8

SHA1
3c3875368498f873b3d2ae2133cf05bb5055d57a

SHA256
07003a386db39d3ba284b562bb98ae51a5c97c2d0cc8c556abcdb6f28c090df9

SHA512
3f178f0076b6784abe9eb2e5ab0e7c723e2e3c84de2c0483063f520959024095d0667ebb7b71bbab286d97c02e0a2726b382273339660f353e9df3aaea286b33

Download Submit
C:\Windows\System\XDDsHMZ.exe

Filesize
1.6MB

MD5
6cf6ffabc85338476162d8f004541457

SHA1
547ca498fa426791f05004b353ca2f71eb6556d2

SHA256
226e6770f689bab4edbf9bb9d1e7eb8ea011b56b013f5769edff0d5dc4c19961

SHA512
c9e5788af4ce3e5d89eceb16fcf9948a852fbdcd8be3bbe57df30021d57709f8277358b35ad3892923177a1e037661b347e95cfcf8206183d22e12ae8b0904ed

Download Submit
C:\Windows\System\ZzCYKyw.exe

Filesize
1.6MB

MD5
cc104808de2d08d6cd835f9d7054dba9

SHA1
412a07cc3be98dc733b29b9c8262cbe159099dcf

SHA256
08e25193b4e67eaba9517df184ef00639761c7bbe6138a0b3dbb8b2eba45291c

SHA512
83ccb37030785343d36a69d7aedf09281c0c85c537f3e8c004b61afc57c84c78f59026bb7607032bdec6f4429fb37987587f34c4d92e72c57743880b0e8a9296

Download Submit
C:\Windows\System\aQMwBVJ.exe

Filesize
1.6MB

MD5
7d91c38a5179177232913f1dca1a1867

SHA1
a1903234db44465d39fb9bc72a83c6712ea2dffb

SHA256
fb0b480540991cac5982afc88da3b8d9ba7bc3e1a3354167860b993f8292d012

SHA512
9e66b60cf0155ceb45ee0f270a95a0f46078df3206e7ede54cf7ad9f6ea93be72de2804495ce1c924235abd1171c53960fcb20d8a1e6f4b72b11bb054e488195

Download Submit
C:\Windows\System\aTUTAjq.exe

Filesize
1.6MB

MD5
9bfed4921dd87481ef304c6539b2ea63

SHA1
f8e10099fdb96c89e0667fd84278861db64b1112

SHA256
20de396a46e6609b9d7c582e7316b8ad12364fb4af1809838c0eb9e2a2e9fee6

SHA512
7b8c876b98b2b19278966f4ce087262c1588d09875e220c9c033bb1115c674baaa1db7e168b1089b4c959e3a0549bae1d2dee3349f36907c53a10543a887135e

Download Submit
C:\Windows\System\aYpNnyo.exe

Filesize
1.6MB

MD5
931ea351f751fc16645d9b95dd976e55

SHA1
40e0b1ca751c5bf15330b590a54cc1fa4a33f3bc

SHA256
1a0d6b92acf1f9bf56149c259280aca55183e2a263363f310fefd990d43cda18

SHA512
340000d86cdec780c9ccf20b9575343b0bcb7735b9cdfd9fec82f02c9ec44f143960611d7695488250244e87b5a1449be5cf3efdd82c7db91c81916b6d3b6a51

Download Submit
C:\Windows\System\dkYJbsD.exe

Filesize
1.6MB

MD5
f629c7a41fcd218eacd40bd249a3736e

SHA1
7d9039b8d3f0f292efef9530e0215ab1f5b68d67

SHA256
dcdf5af19fe2e72b34c42012cb29d7220727e750fc6fe47a90c8fe86642f1ee7

SHA512
f3752700124099853fb3ea5518b013213f9c5cbe3ff87319ae448e8c6f8ad422d58658338eed6aa3e66be6e7b2241c3b550908f51211ce9075b41e6207c7807c

Download Submit
C:\Windows\System\dphgpIc.exe

Filesize
1.6MB

MD5
808b8f329793b0a29a041fac16d404ed

SHA1
487bcd7cf5d36a3fffa2ca88194126a09bb81fd2

SHA256
05339651ae0338521228755bcab6d91c7596ab53aabc04275255935b5ab323a7

SHA512
a2842ee9a16fc0603a7ba50cc8245b30335ababfdf92b41d65629bbebe3207e8edf8da1a9fe870a8ff7dc3b2c959d030ceeedabe5906b41b60ffbca512dc5c07

Download Submit
C:\Windows\System\esvHiCP.exe

Filesize
1.6MB

MD5
2171f1a4a9c61a0d818b0792786fd08a

SHA1
879416302d6e0533026307cb174a62c004373122

SHA256
b7c42e8e95485d1080bde36bf91819eb29918da1db1390411378fc19f37b26ef

SHA512
6c3f8a342498402aa6bf54f4e4b77668b73e427541378e4a0877f6c1b83ece385a300b4c5eb19c6eb8c4f8ee30fe322c688ebfda7e918ff145b569ede322f7c8

Download Submit
C:\Windows\System\hgdvLQv.exe

Filesize
1.6MB

MD5
c9b0da0272d666d900d99573a5af0cb4

SHA1
cf3045748e4f25b6e4c3c357b33e0b1226223f3c

SHA256
89729fd69c2ed888799981cea93c2cd8bad96f5715ee5407278db621d0b6c026

SHA512
2ed9ac56166e2faecb1f005341e5233ecac982da50bba58f8e73e115a7a4be6993cc4c1c4bd840c04cae26faa8f5510638361fdfdb83207bd73366f82420402d

Download Submit
C:\Windows\System\jySrLQH.exe

Filesize
1.6MB

MD5
3f1551857c25088ecccc40740cec5648

SHA1
2cfef76a0daff00a064411bbcadd7bf99f604f32

SHA256
72d1248e2d4f7c0ef5cc55ea3fe7a418b0d4f635d650c49d57d8c1be4d244d08

SHA512
32e17f54494c0a7d7057b1296340de88e3bb44c2e24daf74768af507a8902af5fbd5d0c24b0cf36a2a48c53e2b77c8995ba6685ec180ad7626f2d5044dc5b6a2

Download Submit
C:\Windows\System\mdOYWmn.exe

Filesize
1.6MB

MD5
2f1394458fab35354f92b4769971ec4b

SHA1
fd21fd8d0e4e0301adfff8b45fab08e621a8d939

SHA256
decfc583a337dc6cd225a1eadb9281d68e281551c1788f614d635abd9a601ac6

SHA512
04689f0471b93a99bba33e8fca480dd0226e5d7c02e48f0fb086ce1ec0d4eca5ef71ec47ab57790815528a65483634c47eb58b717830493391100616a808bf76

Download Submit
C:\Windows\System\nHqSgbI.exe

Filesize
1.6MB

MD5
d1a7f8aa9939f804443e6dd7b9cd6832

SHA1
cd993be44b489192eb81cade7a57e935d8df8067

SHA256
5651999c4d45b90aca23f8b45a4386d7843db5a2a5389f5985a2101bb6d19fc5

SHA512
bda1407123f0fc249451cf15a2f6bd9b3e8a0d371677b20df5ba24b010894359e58e0d769c778c68cf38a1da951f4150b23ccc3aafeba3b80d9b1e5226e2e588

Download Submit
C:\Windows\System\oLrSFMO.exe

Filesize
1.6MB

MD5
adcd609fc11d7adc520d302640dcb609

SHA1
d015bc7d7a1dcd5295357aeaa01f2107266f6c5c

SHA256
d053e0ec89384ce2dd477bd85c9f81dba8a1252c9c1483aa6874c1f554777db7

SHA512
a5293bad82d40934498efcb10e9db46012ae238bb331e414e50f07c1012ab77938f542eeb48f81168c3673d9ae606ebaf4f0b6366c9b994ac2e731944708a4f9

Download Submit
C:\Windows\System\sKXhPVb.exe

Filesize
1.6MB

MD5
1c059461c8e37af9d5ac6b74375ec235

SHA1
bc20d49490cf640310ce5c4666085d96091410e3

SHA256
1165a61ef6b526d0caf533d8815a3e73b5b1ffd095b5584206b390c2f5612e0b

SHA512
37f8391d957d5a7e01bc146ee9c0bcff01689c144d277d457e33eb33d641285ee0c78546012d2f2e3d990a393fb2d117898912b9aa873b72398f6427e424f77b

Download Submit
C:\Windows\System\syJvrDb.exe

Filesize
1.6MB

MD5
b09eb513fe67f07022b1a20700945346

SHA1
e3ee1c989cf0b4fa5eae656341fca2df9774af88

SHA256
eefb4b94486c59c6de3e817b7d164f7510ae370d34353f3b3afec9b483604597

SHA512
343048f001bcc4a72dafd0f3c6fd7e32a239cc2ce382e27d05374155ae94f445e94e8ccbd4b30510c1445f617b31937cc0066039d45bdb8d2674a6fc2f54eeef

Download Submit
C:\Windows\System\tYyRcXQ.exe

Filesize
1.6MB

MD5
81dcf86e751a007da07311ce7ef2771c

SHA1
8afc716c239f97b0570dbb283cc1cdb01bce4266

SHA256
64dff0d3ea9585637946b2d9104dba3653c3d734509441ad9eaedc185c68a48e

SHA512
84cb4a6bf05fa8ddc3c3e28497cfb939084115ca886b0a11836ae9dd7eff7fd2415efc5d28c3d78a0a90b8c4869b057f8871b5a1631a4fc506de54e5a83336b5

Download Submit
C:\Windows\System\uXBrPkb.exe

Filesize
1.6MB

MD5
71489c190afe549a0f1046629d18fe71

SHA1
17c958c87c04305ec63be1f60d0a2c286e78b36c

SHA256
cb426beed26a76e697076ae75dc39852d2f227194de99921855fcf936c620a24

SHA512
039984dc9213f2c1e3ad90c8e1933f1115127fe43f278e3906070cdffce6532c621c3b15f9bf394b736637b279d6e78dc44873cdc9f4c94b1e328c872763f15e

Download Submit
C:\Windows\System\voukNve.exe

Filesize
1.6MB

MD5
5971d71a4766cf0a9282cb8484b28e86

SHA1
1d1e5aa9e16be1ba2667fe9b7e1877185bbe0a51

SHA256
82d9f7bf45ea396e1de42fa3a9ee0213dbabbceca4a662203ac3863757c3bafd

SHA512
3c308619cf95b6cd2c67b97a1e3232e230c349f871cd842466a56409763c7f0245a6235f1612c6d83bbb08fa078ef27508ded78d28501195387ce44a0bc02e3e

Download Submit
C:\Windows\System\wfFuQUB.exe

Filesize
1.6MB

MD5
d580b2e4b05c3cec451a28509b49487d

SHA1
7a16f13bc8e6aa02c8fc7898a6c7ae23448ebb48

SHA256
80358abcd87663b3243887c7d050ca28c73bcf8777790ccdc3e0b7f965a5ae04

SHA512
09c55034388222c59a02282fbc5f737e1a3d6822d55dcf678c4bc053b03ab6f98b939d242c5f9e470236c1be3615cd0a6875bd5fe338599d19429448c61ac142

Download Submit
C:\Windows\System\yKAquHk.exe

Filesize
1.6MB

MD5
169328de433ca44ab1f2ce291686deba

SHA1
2e5a5b1eeca0ff561d1b9ba871032c2ba23ba020

SHA256
bb617e3595f7144398609dfd6007d26ad33ef7cafe919e9295b0be7ff0a44bbc

SHA512
0acf39b50dc3e5b49afc65655df677f36ff685419ba124a5afde942e8b8034b9ff6197b4123879a07aa4cc50a1a754aa896ac33bd7e1a7b149ae9ff5cf398db5

Download Submit
memory/396-87-0x00007FF7EAB40000-0x00007FF7EAF32000-memory.dmp

Filesize
3.9MB

Download
memory/1036-35-0x00007FF6F1510000-0x00007FF6F1902000-memory.dmp

Filesize
3.9MB

Download
memory/1232-171-0x00007FF6D26A0000-0x00007FF6D2A92000-memory.dmp

Filesize
3.9MB

Download
memory/1272-72-0x00007FF71B350000-0x00007FF71B742000-memory.dmp

Filesize
3.9MB

Download
memory/1316-164-0x00007FF7B4AE0000-0x00007FF7B4ED2000-memory.dmp

Filesize
3.9MB

Download
memory/1316-59-0x00007FF7B4AE0000-0x00007FF7B4ED2000-memory.dmp

Filesize
3.9MB

Download
memory/1416-170-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp

Filesize
3.9MB

Download
memory/1416-67-0x00007FF75E630000-0x00007FF75EA22000-memory.dmp

Filesize
3.9MB

Download
memory/1504-172-0x00007FF66CCB0000-0x00007FF66D0A2000-memory.dmp

Filesize
3.9MB

Download
memory/1504-68-0x00007FF66CCB0000-0x00007FF66D0A2000-memory.dmp

Filesize
3.9MB

Download
memory/1872-26-0x00007FF78BEE0000-0x00007FF78C2D2000-memory.dmp

Filesize
3.9MB

Download
memory/2060-524-0x00007FF6B4130000-0x00007FF6B4522000-memory.dmp

Filesize
3.9MB

Download
memory/2060-99-0x00007FF6B4130000-0x00007FF6B4522000-memory.dmp

Filesize
3.9MB

Download
memory/2064-31-0x00007FF7136D0000-0x00007FF713AC2000-memory.dmp

Filesize
3.9MB

Download
memory/2064-155-0x00007FF7136D0000-0x00007FF713AC2000-memory.dmp

Filesize
3.9MB

Download
memory/2540-106-0x00007FF69A8F0000-0x00007FF69ACE2000-memory.dmp

Filesize
3.9MB

Download
memory/2540-1707-0x00007FF69A8F0000-0x00007FF69ACE2000-memory.dmp

Filesize
3.9MB

Download
memory/2768-127-0x0000016273310000-0x0000016273332000-memory.dmp

Filesize
136KB

Download
memory/2768-467-0x0000016273EB0000-0x0000016274656000-memory.dmp

Filesize
7.6MB

Download
memory/2960-55-0x00007FF7BBC80000-0x00007FF7BC072000-memory.dmp

Filesize
3.9MB

Download
memory/2960-163-0x00007FF7BBC80000-0x00007FF7BC072000-memory.dmp

Filesize
3.9MB

Download
memory/3204-43-0x00007FF634310000-0x00007FF634702000-memory.dmp

Filesize
3.9MB

Download
memory/3204-162-0x00007FF634310000-0x00007FF634702000-memory.dmp

Filesize
3.9MB

Download
memory/3420-149-0x00007FF6BC730000-0x00007FF6BCB22000-memory.dmp

Filesize
3.9MB

Download
memory/3420-2033-0x00007FF6BC730000-0x00007FF6BCB22000-memory.dmp

Filesize
3.9MB

Download
memory/3592-700-0x00007FF794680000-0x00007FF794A72000-memory.dmp

Filesize
3.9MB

Download
memory/3592-102-0x00007FF794680000-0x00007FF794A72000-memory.dmp

Filesize
3.9MB

Download
memory/3636-88-0x00007FF7B8710000-0x00007FF7B8B02000-memory.dmp

Filesize
3.9MB

Download
memory/3712-1801-0x00007FF7E9E80000-0x00007FF7EA272000-memory.dmp

Filesize
3.9MB

Download
memory/3712-116-0x00007FF7E9E80000-0x00007FF7EA272000-memory.dmp

Filesize
3.9MB

Download
memory/3876-510-0x00007FF701710000-0x00007FF701B02000-memory.dmp

Filesize
3.9MB

Download
memory/3876-93-0x00007FF701710000-0x00007FF701B02000-memory.dmp

Filesize
3.9MB

Download
memory/3948-78-0x00007FF610DA0000-0x00007FF611192000-memory.dmp

Filesize
3.9MB

Download
memory/3956-143-0x00007FF7F5850000-0x00007FF7F5C42000-memory.dmp

Filesize
3.9MB

Download
memory/4228-136-0x00007FF77E5D0000-0x00007FF77E9C2000-memory.dmp

Filesize
3.9MB

Download
memory/4228-0-0x00007FF77E5D0000-0x00007FF77E9C2000-memory.dmp

Filesize
3.9MB

Download
memory/4228-1-0x000001A620CF0000-0x000001A620D00000-memory.dmp

Filesize
64KB

Download
memory/4360-137-0x00007FF6AE0D0000-0x00007FF6AE4C2000-memory.dmp

Filesize
3.9MB

Download
memory/4360-10-0x00007FF6AE0D0000-0x00007FF6AE4C2000-memory.dmp

Filesize
3.9MB

Download
memory/4412-135-0x00007FF731DB0000-0x00007FF7321A2000-memory.dmp

Filesize
3.9MB

Download
memory/4412-1802-0x00007FF731DB0000-0x00007FF7321A2000-memory.dmp

Filesize
3.9MB

Download
memory/5004-156-0x00007FF7FA270000-0x00007FF7FA662000-memory.dmp

Filesize
3.9MB

Download
memory/5004-2156-0x00007FF7FA270000-0x00007FF7FA662000-memory.dmp

Filesize
3.9MB

Download
memory/5020-98-0x00007FF797A00000-0x00007FF797DF2000-memory.dmp

Filesize
3.9MB

Download
memory/5020-511-0x00007FF797A00000-0x00007FF797DF2000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads