xmrig | 0a670c13ec5828acf52a9327787e38d884633f656e1a319233a8c44cc74d72e4

Analysis

max time kernel
102s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
Size

5.0MB
MD5

89b72f237138fba0300c8d8b4df90923
SHA1

fb8a8f5bb5446e5f7d026c69ead34ce609fd7e6d
SHA256

0a670c13ec5828acf52a9327787e38d884633f656e1a319233a8c44cc74d72e4
SHA512

7b3ae1ee2dd3bf1db48337596614a7db4a747fda8812fc6b63d17ae5e24e97b8188840eeba247eeb36a9e10dc3a10ea1c0a094c985ac99d95f4bc0618c9ced91
SSDEEP

98304:z1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHr8E:zbBeSFkC

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13660 created 3492	13660	WerFaultSecure.exe	82

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp	xmrig
behavioral2/files/0x0010000000023f59-5.dat	xmrig
behavioral2/memory/2228-6-0x00007FF79F570000-0x00007FF79F963000-memory.dmp	xmrig
behavioral2/files/0x00070000000240bf-10.dat	xmrig
behavioral2/memory/1876-18-0x00007FF635F60000-0x00007FF636353000-memory.dmp	xmrig
behavioral2/files/0x00070000000240c0-25.dat	xmrig
behavioral2/memory/4044-27-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp	xmrig
behavioral2/memory/3448-37-0x00007FF6A8BF0000-0x00007FF6A8FE3000-memory.dmp	xmrig
behavioral2/files/0x00070000000240c3-41.dat	xmrig
behavioral2/files/0x00070000000240c4-49.dat	xmrig
behavioral2/files/0x00080000000240bb-53.dat	xmrig
behavioral2/files/0x00070000000240c5-57.dat	xmrig
behavioral2/memory/4168-62-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp	xmrig
behavioral2/files/0x00070000000240c6-63.dat	xmrig
behavioral2/files/0x00070000000240ca-89.dat	xmrig
behavioral2/files/0x00070000000240cf-121.dat	xmrig
behavioral2/files/0x00070000000240d4-143.dat	xmrig
behavioral2/files/0x00070000000240db-178.dat	xmrig
behavioral2/memory/4988-1185-0x00007FF6CB4A0000-0x00007FF6CB893000-memory.dmp	xmrig
behavioral2/files/0x00070000000240dc-183.dat	xmrig
behavioral2/files/0x00070000000240da-181.dat	xmrig
behavioral2/files/0x00070000000240d9-176.dat	xmrig
behavioral2/files/0x00070000000240d8-171.dat	xmrig
behavioral2/files/0x00070000000240d7-166.dat	xmrig
behavioral2/files/0x00070000000240d6-161.dat	xmrig
behavioral2/files/0x00070000000240d5-156.dat	xmrig
behavioral2/files/0x00070000000240d3-146.dat	xmrig
behavioral2/files/0x00070000000240d2-141.dat	xmrig
behavioral2/files/0x00070000000240d1-136.dat	xmrig
behavioral2/files/0x00070000000240d0-129.dat	xmrig
behavioral2/files/0x00080000000240c8-119.dat	xmrig
behavioral2/files/0x00070000000240ce-116.dat	xmrig
behavioral2/files/0x00070000000240cd-111.dat	xmrig
behavioral2/files/0x00070000000240cc-106.dat	xmrig
behavioral2/files/0x00070000000240cb-99.dat	xmrig
behavioral2/files/0x00080000000240c9-93.dat	xmrig
behavioral2/files/0x00070000000240c7-84.dat	xmrig
behavioral2/memory/3568-56-0x00007FF775A40000-0x00007FF775E33000-memory.dmp	xmrig
behavioral2/memory/4336-48-0x00007FF78BD70000-0x00007FF78C163000-memory.dmp	xmrig
behavioral2/memory/2148-42-0x00007FF7C2EA0000-0x00007FF7C3293000-memory.dmp	xmrig
behavioral2/files/0x00070000000240c2-38.dat	xmrig
behavioral2/files/0x00070000000240c1-33.dat	xmrig
behavioral2/memory/4512-29-0x00007FF787E90000-0x00007FF788283000-memory.dmp	xmrig
behavioral2/files/0x00070000000240be-15.dat	xmrig
behavioral2/memory/1144-12-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp	xmrig
behavioral2/memory/3204-1187-0x00007FF73BAC0000-0x00007FF73BEB3000-memory.dmp	xmrig
behavioral2/memory/4456-1188-0x00007FF7F4E40000-0x00007FF7F5233000-memory.dmp	xmrig
behavioral2/memory/396-1191-0x00007FF63B340000-0x00007FF63B733000-memory.dmp	xmrig
behavioral2/memory/4300-1193-0x00007FF729400000-0x00007FF7297F3000-memory.dmp	xmrig
behavioral2/memory/2652-1192-0x00007FF6FEE50000-0x00007FF6FF243000-memory.dmp	xmrig
behavioral2/memory/4540-1198-0x00007FF7604F0000-0x00007FF7608E3000-memory.dmp	xmrig
behavioral2/memory/2104-1202-0x00007FF789000000-0x00007FF7893F3000-memory.dmp	xmrig
behavioral2/memory/1436-1203-0x00007FF7C6C20000-0x00007FF7C7013000-memory.dmp	xmrig
behavioral2/memory/2108-1197-0x00007FF6CD910000-0x00007FF6CDD03000-memory.dmp	xmrig
behavioral2/memory/3440-1210-0x00007FF79B180000-0x00007FF79B573000-memory.dmp	xmrig
behavioral2/memory/752-1208-0x00007FF766F10000-0x00007FF767303000-memory.dmp	xmrig
behavioral2/memory/4360-1214-0x00007FF77D690000-0x00007FF77DA83000-memory.dmp	xmrig
behavioral2/memory/4800-1218-0x00007FF724CD0000-0x00007FF7250C3000-memory.dmp	xmrig
behavioral2/memory/1728-1224-0x00007FF728320000-0x00007FF728713000-memory.dmp	xmrig
behavioral2/memory/2228-1219-0x00007FF79F570000-0x00007FF79F963000-memory.dmp	xmrig
behavioral2/memory/1144-1229-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp	xmrig
behavioral2/memory/1876-1297-0x00007FF635F60000-0x00007FF636353000-memory.dmp	xmrig
behavioral2/memory/4044-1369-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp	xmrig
behavioral2/memory/4512-1372-0x00007FF787E90000-0x00007FF788283000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1960	powershell.exe
10	1960	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1960	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2228	XfCISfk.exe
1144	HVOsOuQ.exe
1876	pPXrwVG.exe
4044	QkoOtML.exe
4512	RMfmKHW.exe
3448	HzqhwgW.exe
2148	lnHykwA.exe
4336	NYJdzhi.exe
3568	KzAUAvU.exe
4988	HaATDUj.exe
1728	YlZBayV.exe
3204	qtazOEt.exe
4456	VbpiHbS.exe
396	CwDBfsn.exe
2652	EVLnlKS.exe
4300	bFcBHmx.exe
2108	IHCcZry.exe
4540	DyzvPAH.exe
2104	LHsKKss.exe
1436	RiNeHDq.exe
752	buvEedq.exe
3440	qQcdFOY.exe
4360	oVVIQaE.exe
4800	mFVfRUm.exe
788	qoeubFP.exe
1844	mBWTBIn.exe
4380	EjCmipK.exe
956	pJyAuZW.exe
180	hueUtqB.exe
4676	VGFZkkl.exe
5032	uKxDdgK.exe
2268	mskVDzP.exe
4960	dcWFcpx.exe
1636	qnxVRcV.exe
3092	TegkNDb.exe
3240	hXJqIul.exe
4248	MDHZTBz.exe
1384	TDgNgTI.exe
3056	eEFifCW.exe
3732	IGvAZKh.exe
4904	sfFDAvM.exe
2556	gLpnsHs.exe
2412	FsAntOZ.exe
2016	DBGNMXi.exe
4412	tghDZfs.exe
692	qaRsUTI.exe
2260	EQPvjdq.exe
4684	hAczFCH.exe
5100	LXuqziI.exe
676	FMvVFOS.exe
2184	KPvZrzg.exe
2708	zIXsXjv.exe
1200	UwrmNIk.exe
3264	jzJShWX.exe
3484	irSwCwv.exe
392	oPTfOUr.exe
2764	PQxjUgb.exe
2876	JnXwHmp.exe
3000	jPBeztq.exe
3880	yptwWGO.exe
4148	oQHHVme.exe
2896	KhnEJLL.exe
4640	OkwtLkm.exe
2752	rGBWTUb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4168-0-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp	upx
behavioral2/files/0x0010000000023f59-5.dat	upx
behavioral2/memory/2228-6-0x00007FF79F570000-0x00007FF79F963000-memory.dmp	upx
behavioral2/files/0x00070000000240bf-10.dat	upx
behavioral2/memory/1876-18-0x00007FF635F60000-0x00007FF636353000-memory.dmp	upx
behavioral2/files/0x00070000000240c0-25.dat	upx
behavioral2/memory/4044-27-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp	upx
behavioral2/memory/3448-37-0x00007FF6A8BF0000-0x00007FF6A8FE3000-memory.dmp	upx
behavioral2/files/0x00070000000240c3-41.dat	upx
behavioral2/files/0x00070000000240c4-49.dat	upx
behavioral2/files/0x00080000000240bb-53.dat	upx
behavioral2/files/0x00070000000240c5-57.dat	upx
behavioral2/memory/4168-62-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp	upx
behavioral2/files/0x00070000000240c6-63.dat	upx
behavioral2/files/0x00070000000240ca-89.dat	upx
behavioral2/files/0x00070000000240cf-121.dat	upx
behavioral2/files/0x00070000000240d4-143.dat	upx
behavioral2/files/0x00070000000240db-178.dat	upx
behavioral2/memory/4988-1185-0x00007FF6CB4A0000-0x00007FF6CB893000-memory.dmp	upx
behavioral2/files/0x00070000000240dc-183.dat	upx
behavioral2/files/0x00070000000240da-181.dat	upx
behavioral2/files/0x00070000000240d9-176.dat	upx
behavioral2/files/0x00070000000240d8-171.dat	upx
behavioral2/files/0x00070000000240d7-166.dat	upx
behavioral2/files/0x00070000000240d6-161.dat	upx
behavioral2/files/0x00070000000240d5-156.dat	upx
behavioral2/files/0x00070000000240d3-146.dat	upx
behavioral2/files/0x00070000000240d2-141.dat	upx
behavioral2/files/0x00070000000240d1-136.dat	upx
behavioral2/files/0x00070000000240d0-129.dat	upx
behavioral2/files/0x00080000000240c8-119.dat	upx
behavioral2/files/0x00070000000240ce-116.dat	upx
behavioral2/files/0x00070000000240cd-111.dat	upx
behavioral2/files/0x00070000000240cc-106.dat	upx
behavioral2/files/0x00070000000240cb-99.dat	upx
behavioral2/files/0x00080000000240c9-93.dat	upx
behavioral2/files/0x00070000000240c7-84.dat	upx
behavioral2/memory/3568-56-0x00007FF775A40000-0x00007FF775E33000-memory.dmp	upx
behavioral2/memory/4336-48-0x00007FF78BD70000-0x00007FF78C163000-memory.dmp	upx
behavioral2/memory/2148-42-0x00007FF7C2EA0000-0x00007FF7C3293000-memory.dmp	upx
behavioral2/files/0x00070000000240c2-38.dat	upx
behavioral2/files/0x00070000000240c1-33.dat	upx
behavioral2/memory/4512-29-0x00007FF787E90000-0x00007FF788283000-memory.dmp	upx
behavioral2/files/0x00070000000240be-15.dat	upx
behavioral2/memory/1144-12-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp	upx
behavioral2/memory/3204-1187-0x00007FF73BAC0000-0x00007FF73BEB3000-memory.dmp	upx
behavioral2/memory/4456-1188-0x00007FF7F4E40000-0x00007FF7F5233000-memory.dmp	upx
behavioral2/memory/396-1191-0x00007FF63B340000-0x00007FF63B733000-memory.dmp	upx
behavioral2/memory/4300-1193-0x00007FF729400000-0x00007FF7297F3000-memory.dmp	upx
behavioral2/memory/2652-1192-0x00007FF6FEE50000-0x00007FF6FF243000-memory.dmp	upx
behavioral2/memory/4540-1198-0x00007FF7604F0000-0x00007FF7608E3000-memory.dmp	upx
behavioral2/memory/2104-1202-0x00007FF789000000-0x00007FF7893F3000-memory.dmp	upx
behavioral2/memory/1436-1203-0x00007FF7C6C20000-0x00007FF7C7013000-memory.dmp	upx
behavioral2/memory/2108-1197-0x00007FF6CD910000-0x00007FF6CDD03000-memory.dmp	upx
behavioral2/memory/3440-1210-0x00007FF79B180000-0x00007FF79B573000-memory.dmp	upx
behavioral2/memory/752-1208-0x00007FF766F10000-0x00007FF767303000-memory.dmp	upx
behavioral2/memory/4360-1214-0x00007FF77D690000-0x00007FF77DA83000-memory.dmp	upx
behavioral2/memory/4800-1218-0x00007FF724CD0000-0x00007FF7250C3000-memory.dmp	upx
behavioral2/memory/1728-1224-0x00007FF728320000-0x00007FF728713000-memory.dmp	upx
behavioral2/memory/2228-1219-0x00007FF79F570000-0x00007FF79F963000-memory.dmp	upx
behavioral2/memory/1144-1229-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp	upx
behavioral2/memory/1876-1297-0x00007FF635F60000-0x00007FF636353000-memory.dmp	upx
behavioral2/memory/4044-1369-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp	upx
behavioral2/memory/4512-1372-0x00007FF787E90000-0x00007FF788283000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\qPOfKng.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\erTmIEU.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\CdppAEa.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\ErIjBCL.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\qwqChEC.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\TGePaRJ.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\VsBXTaV.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\qCfyHmg.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\YSniEfF.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\UdELzWN.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\IGvAZKh.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\VjBWdBX.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\BGvdOjU.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\fZszKKF.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\GqHQdQb.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\yzzisRL.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\zyXvVwF.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\VvJJUeS.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\IarvAgz.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\uumqwtB.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\PyKEktN.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\uGHudtc.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\viqfPIF.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\cemXvep.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\eDqUpWL.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\qGbGRGY.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\agiVVJq.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\ggZvWoE.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\mIhhmpn.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\tbWvzFb.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\mzJfBcM.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\txGmHEj.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\dBOJhph.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\UqsiHzR.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\iyUoxvU.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\ScNrXAb.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\QaCJXdf.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\fQmtcJo.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\vbzJViO.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\eTTMcuF.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\rcZXJoc.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\fOepShO.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\lgOhZuK.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\NOITRmj.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\zYNOCjr.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\SjPCZfC.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\MWdPkao.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\rGBWTUb.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\QhbCYBt.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\vYTwbWm.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\HrzDcJe.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\rKDsqrR.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\kSZVbHl.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\sCGuLNx.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\Vvbvlgy.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\kZtJUzI.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\cuFGXGj.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\xHiHmbs.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\jZOguiX.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\CWmyXFb.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\pOjoSeD.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\GsEoMnO.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\nlGvtHz.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
File created	C:\Windows\System\TvpZJGY.exe	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1960	powershell.exe
1960	powershell.exe
13696	WerFaultSecure.exe
13696	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
Token: SeLockMemoryPrivilege	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
Token: SeDebugPrivilege	1960	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 1960	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	87
PID 4168 wrote to memory of 1960	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	87
PID 4168 wrote to memory of 2228	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	88
PID 4168 wrote to memory of 2228	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	88
PID 4168 wrote to memory of 1144	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	89
PID 4168 wrote to memory of 1144	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	89
PID 4168 wrote to memory of 1876	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	90
PID 4168 wrote to memory of 1876	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	90
PID 4168 wrote to memory of 4044	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	91
PID 4168 wrote to memory of 4044	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	91
PID 4168 wrote to memory of 4512	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	92
PID 4168 wrote to memory of 4512	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	92
PID 4168 wrote to memory of 3448	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	93
PID 4168 wrote to memory of 3448	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	93
PID 4168 wrote to memory of 2148	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	94
PID 4168 wrote to memory of 2148	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	94
PID 4168 wrote to memory of 4336	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	95
PID 4168 wrote to memory of 4336	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	95
PID 4168 wrote to memory of 3568	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	96
PID 4168 wrote to memory of 3568	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	96
PID 4168 wrote to memory of 4988	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	97
PID 4168 wrote to memory of 4988	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	97
PID 4168 wrote to memory of 1728	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	98
PID 4168 wrote to memory of 1728	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	98
PID 4168 wrote to memory of 3204	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	99
PID 4168 wrote to memory of 3204	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	99
PID 4168 wrote to memory of 4456	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	100
PID 4168 wrote to memory of 4456	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	100
PID 4168 wrote to memory of 396	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	101
PID 4168 wrote to memory of 396	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	101
PID 4168 wrote to memory of 2652	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	102
PID 4168 wrote to memory of 2652	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	102
PID 4168 wrote to memory of 4300	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	103
PID 4168 wrote to memory of 4300	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	103
PID 4168 wrote to memory of 2108	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	104
PID 4168 wrote to memory of 2108	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	104
PID 4168 wrote to memory of 4540	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	105
PID 4168 wrote to memory of 4540	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	105
PID 4168 wrote to memory of 2104	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	106
PID 4168 wrote to memory of 2104	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	106
PID 4168 wrote to memory of 1436	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	107
PID 4168 wrote to memory of 1436	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	107
PID 4168 wrote to memory of 752	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	108
PID 4168 wrote to memory of 752	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	108
PID 4168 wrote to memory of 3440	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	109
PID 4168 wrote to memory of 3440	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	109
PID 4168 wrote to memory of 4360	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	110
PID 4168 wrote to memory of 4360	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	110
PID 4168 wrote to memory of 4800	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	111
PID 4168 wrote to memory of 4800	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	111
PID 4168 wrote to memory of 788	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	112
PID 4168 wrote to memory of 788	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	112
PID 4168 wrote to memory of 1844	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	113
PID 4168 wrote to memory of 1844	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	113
PID 4168 wrote to memory of 4380	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	114
PID 4168 wrote to memory of 4380	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	114
PID 4168 wrote to memory of 956	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	115
PID 4168 wrote to memory of 956	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	115
PID 4168 wrote to memory of 180	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	116
PID 4168 wrote to memory of 180	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	116
PID 4168 wrote to memory of 4676	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	117
PID 4168 wrote to memory of 4676	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	117
PID 4168 wrote to memory of 5032	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	118
PID 4168 wrote to memory of 5032	4168	2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe	118

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:3492
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 3492 -s 2124
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:13696

C:\Users\Admin\AppData\Local\Temp\2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_89b72f237138fba0300c8d8b4df90923_aspxspy_black-basta_ezcob_xmrig.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1960" "2988" "2928" "2992" "0" "0" "2996" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13584
- C:\Windows\System\XfCISfk.exe
  C:\Windows\System\XfCISfk.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\HVOsOuQ.exe
  C:\Windows\System\HVOsOuQ.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\pPXrwVG.exe
  C:\Windows\System\pPXrwVG.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\QkoOtML.exe
  C:\Windows\System\QkoOtML.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\RMfmKHW.exe
  C:\Windows\System\RMfmKHW.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\HzqhwgW.exe
  C:\Windows\System\HzqhwgW.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\lnHykwA.exe
  C:\Windows\System\lnHykwA.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\NYJdzhi.exe
  C:\Windows\System\NYJdzhi.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\KzAUAvU.exe
  C:\Windows\System\KzAUAvU.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\HaATDUj.exe
  C:\Windows\System\HaATDUj.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\YlZBayV.exe
  C:\Windows\System\YlZBayV.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\qtazOEt.exe
  C:\Windows\System\qtazOEt.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\VbpiHbS.exe
  C:\Windows\System\VbpiHbS.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\CwDBfsn.exe
  C:\Windows\System\CwDBfsn.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\EVLnlKS.exe
  C:\Windows\System\EVLnlKS.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\bFcBHmx.exe
  C:\Windows\System\bFcBHmx.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\IHCcZry.exe
  C:\Windows\System\IHCcZry.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\DyzvPAH.exe
  C:\Windows\System\DyzvPAH.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\LHsKKss.exe
  C:\Windows\System\LHsKKss.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\RiNeHDq.exe
  C:\Windows\System\RiNeHDq.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\buvEedq.exe
  C:\Windows\System\buvEedq.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\qQcdFOY.exe
  C:\Windows\System\qQcdFOY.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\oVVIQaE.exe
  C:\Windows\System\oVVIQaE.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\mFVfRUm.exe
  C:\Windows\System\mFVfRUm.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\qoeubFP.exe
  C:\Windows\System\qoeubFP.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\mBWTBIn.exe
  C:\Windows\System\mBWTBIn.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\EjCmipK.exe
  C:\Windows\System\EjCmipK.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\pJyAuZW.exe
  C:\Windows\System\pJyAuZW.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System\hueUtqB.exe
  C:\Windows\System\hueUtqB.exe
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Windows\System\VGFZkkl.exe
  C:\Windows\System\VGFZkkl.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\uKxDdgK.exe
  C:\Windows\System\uKxDdgK.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\mskVDzP.exe
  C:\Windows\System\mskVDzP.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\dcWFcpx.exe
  C:\Windows\System\dcWFcpx.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\qnxVRcV.exe
  C:\Windows\System\qnxVRcV.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\TegkNDb.exe
  C:\Windows\System\TegkNDb.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\hXJqIul.exe
  C:\Windows\System\hXJqIul.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\MDHZTBz.exe
  C:\Windows\System\MDHZTBz.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\TDgNgTI.exe
  C:\Windows\System\TDgNgTI.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\eEFifCW.exe
  C:\Windows\System\eEFifCW.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\IGvAZKh.exe
  C:\Windows\System\IGvAZKh.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\sfFDAvM.exe
  C:\Windows\System\sfFDAvM.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\gLpnsHs.exe
  C:\Windows\System\gLpnsHs.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\FsAntOZ.exe
  C:\Windows\System\FsAntOZ.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\DBGNMXi.exe
  C:\Windows\System\DBGNMXi.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\tghDZfs.exe
  C:\Windows\System\tghDZfs.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\qaRsUTI.exe
  C:\Windows\System\qaRsUTI.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\EQPvjdq.exe
  C:\Windows\System\EQPvjdq.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\hAczFCH.exe
  C:\Windows\System\hAczFCH.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\LXuqziI.exe
  C:\Windows\System\LXuqziI.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\FMvVFOS.exe
  C:\Windows\System\FMvVFOS.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\KPvZrzg.exe
  C:\Windows\System\KPvZrzg.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\zIXsXjv.exe
  C:\Windows\System\zIXsXjv.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\UwrmNIk.exe
  C:\Windows\System\UwrmNIk.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\jzJShWX.exe
  C:\Windows\System\jzJShWX.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\irSwCwv.exe
  C:\Windows\System\irSwCwv.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\oPTfOUr.exe
  C:\Windows\System\oPTfOUr.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\PQxjUgb.exe
  C:\Windows\System\PQxjUgb.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\JnXwHmp.exe
  C:\Windows\System\JnXwHmp.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\jPBeztq.exe
  C:\Windows\System\jPBeztq.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\yptwWGO.exe
  C:\Windows\System\yptwWGO.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\oQHHVme.exe
  C:\Windows\System\oQHHVme.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\KhnEJLL.exe
  C:\Windows\System\KhnEJLL.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\OkwtLkm.exe
  C:\Windows\System\OkwtLkm.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\rGBWTUb.exe
  C:\Windows\System\rGBWTUb.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\tvOhWiI.exe
  C:\Windows\System\tvOhWiI.exe
  2⤵
  PID:3644
- C:\Windows\System\touiLKD.exe
  C:\Windows\System\touiLKD.exe
  2⤵
  PID:2888
- C:\Windows\System\OgQdJdt.exe
  C:\Windows\System\OgQdJdt.exe
  2⤵
  PID:2604
- C:\Windows\System\rMaKwEj.exe
  C:\Windows\System\rMaKwEj.exe
  2⤵
  PID:4544
- C:\Windows\System\uJkrdFA.exe
  C:\Windows\System\uJkrdFA.exe
  2⤵
  PID:5080
- C:\Windows\System\eHiUoyp.exe
  C:\Windows\System\eHiUoyp.exe
  2⤵
  PID:3704
- C:\Windows\System\YOFBcXN.exe
  C:\Windows\System\YOFBcXN.exe
  2⤵
  PID:2996
- C:\Windows\System\IIUFhhf.exe
  C:\Windows\System\IIUFhhf.exe
  2⤵
  PID:4688
- C:\Windows\System\xLHHJUE.exe
  C:\Windows\System\xLHHJUE.exe
  2⤵
  PID:3212
- C:\Windows\System\WYfLwBj.exe
  C:\Windows\System\WYfLwBj.exe
  2⤵
  PID:4920
- C:\Windows\System\FJARadQ.exe
  C:\Windows\System\FJARadQ.exe
  2⤵
  PID:4212
- C:\Windows\System\trCNpck.exe
  C:\Windows\System\trCNpck.exe
  2⤵
  PID:5152
- C:\Windows\System\gXbwknE.exe
  C:\Windows\System\gXbwknE.exe
  2⤵
  PID:5180
- C:\Windows\System\RgkDqHN.exe
  C:\Windows\System\RgkDqHN.exe
  2⤵
  PID:5208
- C:\Windows\System\zEQdIBx.exe
  C:\Windows\System\zEQdIBx.exe
  2⤵
  PID:5236
- C:\Windows\System\ogMuOOg.exe
  C:\Windows\System\ogMuOOg.exe
  2⤵
  PID:5264
- C:\Windows\System\FfMSPai.exe
  C:\Windows\System\FfMSPai.exe
  2⤵
  PID:5292
- C:\Windows\System\uUKmkJB.exe
  C:\Windows\System\uUKmkJB.exe
  2⤵
  PID:5320
- C:\Windows\System\flmXBAv.exe
  C:\Windows\System\flmXBAv.exe
  2⤵
  PID:5348
- C:\Windows\System\NwWtOhs.exe
  C:\Windows\System\NwWtOhs.exe
  2⤵
  PID:5376
- C:\Windows\System\jviFrrV.exe
  C:\Windows\System\jviFrrV.exe
  2⤵
  PID:5404
- C:\Windows\System\UrsACvK.exe
  C:\Windows\System\UrsACvK.exe
  2⤵
  PID:5428
- C:\Windows\System\jppBaSC.exe
  C:\Windows\System\jppBaSC.exe
  2⤵
  PID:5460
- C:\Windows\System\exAkvAc.exe
  C:\Windows\System\exAkvAc.exe
  2⤵
  PID:5488
- C:\Windows\System\hFLrtwA.exe
  C:\Windows\System\hFLrtwA.exe
  2⤵
  PID:5516
- C:\Windows\System\PvStSDG.exe
  C:\Windows\System\PvStSDG.exe
  2⤵
  PID:5540
- C:\Windows\System\zAWYnis.exe
  C:\Windows\System\zAWYnis.exe
  2⤵
  PID:5572
- C:\Windows\System\NtgJgLN.exe
  C:\Windows\System\NtgJgLN.exe
  2⤵
  PID:5600
- C:\Windows\System\xvYsanB.exe
  C:\Windows\System\xvYsanB.exe
  2⤵
  PID:5628
- C:\Windows\System\waUiyIz.exe
  C:\Windows\System\waUiyIz.exe
  2⤵
  PID:5656
- C:\Windows\System\gYcKIkM.exe
  C:\Windows\System\gYcKIkM.exe
  2⤵
  PID:5684
- C:\Windows\System\vmPvILb.exe
  C:\Windows\System\vmPvILb.exe
  2⤵
  PID:5712
- C:\Windows\System\PlHylOK.exe
  C:\Windows\System\PlHylOK.exe
  2⤵
  PID:5740
- C:\Windows\System\ZQdQnHf.exe
  C:\Windows\System\ZQdQnHf.exe
  2⤵
  PID:5764
- C:\Windows\System\sMKyzbM.exe
  C:\Windows\System\sMKyzbM.exe
  2⤵
  PID:5792
- C:\Windows\System\nJPCwIC.exe
  C:\Windows\System\nJPCwIC.exe
  2⤵
  PID:5820
- C:\Windows\System\vNWQlEF.exe
  C:\Windows\System\vNWQlEF.exe
  2⤵
  PID:5852
- C:\Windows\System\qBoPFnw.exe
  C:\Windows\System\qBoPFnw.exe
  2⤵
  PID:5876
- C:\Windows\System\jfEHlVy.exe
  C:\Windows\System\jfEHlVy.exe
  2⤵
  PID:5908
- C:\Windows\System\fcHRVdw.exe
  C:\Windows\System\fcHRVdw.exe
  2⤵
  PID:5936
- C:\Windows\System\hDyzvRz.exe
  C:\Windows\System\hDyzvRz.exe
  2⤵
  PID:5964
- C:\Windows\System\lUwpLFQ.exe
  C:\Windows\System\lUwpLFQ.exe
  2⤵
  PID:6000
- C:\Windows\System\AtOqZfc.exe
  C:\Windows\System\AtOqZfc.exe
  2⤵
  PID:6032
- C:\Windows\System\sfwtmvs.exe
  C:\Windows\System\sfwtmvs.exe
  2⤵
  PID:6052
- C:\Windows\System\IzsurKY.exe
  C:\Windows\System\IzsurKY.exe
  2⤵
  PID:6080
- C:\Windows\System\LJckijR.exe
  C:\Windows\System\LJckijR.exe
  2⤵
  PID:6108
- C:\Windows\System\mQsVSrN.exe
  C:\Windows\System\mQsVSrN.exe
  2⤵
  PID:6136
- C:\Windows\System\lLLrfjG.exe
  C:\Windows\System\lLLrfjG.exe
  2⤵
  PID:2608
- C:\Windows\System\rgrgBsN.exe
  C:\Windows\System\rgrgBsN.exe
  2⤵
  PID:328
- C:\Windows\System\JJbyrWO.exe
  C:\Windows\System\JJbyrWO.exe
  2⤵
  PID:1456
- C:\Windows\System\SoSzTGt.exe
  C:\Windows\System\SoSzTGt.exe
  2⤵
  PID:2868
- C:\Windows\System\OsgPabB.exe
  C:\Windows\System\OsgPabB.exe
  2⤵
  PID:3784
- C:\Windows\System\sddimjg.exe
  C:\Windows\System\sddimjg.exe
  2⤵
  PID:5160
- C:\Windows\System\wMiVSKG.exe
  C:\Windows\System\wMiVSKG.exe
  2⤵
  PID:5224
- C:\Windows\System\rnIibgc.exe
  C:\Windows\System\rnIibgc.exe
  2⤵
  PID:5304
- C:\Windows\System\dSjeWwD.exe
  C:\Windows\System\dSjeWwD.exe
  2⤵
  PID:5364
- C:\Windows\System\vIECVzq.exe
  C:\Windows\System\vIECVzq.exe
  2⤵
  PID:5424
- C:\Windows\System\JuuVLSw.exe
  C:\Windows\System\JuuVLSw.exe
  2⤵
  PID:5500
- C:\Windows\System\UBEsHfY.exe
  C:\Windows\System\UBEsHfY.exe
  2⤵
  PID:5560
- C:\Windows\System\jAIjCsY.exe
  C:\Windows\System\jAIjCsY.exe
  2⤵
  PID:5620
- C:\Windows\System\tbWvzFb.exe
  C:\Windows\System\tbWvzFb.exe
  2⤵
  PID:5676
- C:\Windows\System\GpcPVMI.exe
  C:\Windows\System\GpcPVMI.exe
  2⤵
  PID:5752
- C:\Windows\System\HnjoLSJ.exe
  C:\Windows\System\HnjoLSJ.exe
  2⤵
  PID:5816
- C:\Windows\System\KAKTcpD.exe
  C:\Windows\System\KAKTcpD.exe
  2⤵
  PID:5892
- C:\Windows\System\SabTrVT.exe
  C:\Windows\System\SabTrVT.exe
  2⤵
  PID:5948
- C:\Windows\System\hfgevoz.exe
  C:\Windows\System\hfgevoz.exe
  2⤵
  PID:6020
- C:\Windows\System\wMacAxI.exe
  C:\Windows\System\wMacAxI.exe
  2⤵
  PID:6068
- C:\Windows\System\VLwWwwh.exe
  C:\Windows\System\VLwWwwh.exe
  2⤵
  PID:4720
- C:\Windows\System\fvaJXaO.exe
  C:\Windows\System\fvaJXaO.exe
  2⤵
  PID:4944
- C:\Windows\System\EhCaugq.exe
  C:\Windows\System\EhCaugq.exe
  2⤵
  PID:4564
- C:\Windows\System\HNCHdmN.exe
  C:\Windows\System\HNCHdmN.exe
  2⤵
  PID:5200
- C:\Windows\System\JpKXKzQ.exe
  C:\Windows\System\JpKXKzQ.exe
  2⤵
  PID:5340
- C:\Windows\System\ojihSDl.exe
  C:\Windows\System\ojihSDl.exe
  2⤵
  PID:5476
- C:\Windows\System\GeQNnFH.exe
  C:\Windows\System\GeQNnFH.exe
  2⤵
  PID:5648
- C:\Windows\System\HmCXVPr.exe
  C:\Windows\System\HmCXVPr.exe
  2⤵
  PID:5788
- C:\Windows\System\cINsZVl.exe
  C:\Windows\System\cINsZVl.exe
  2⤵
  PID:5928
- C:\Windows\System\ZdkkQVN.exe
  C:\Windows\System\ZdkkQVN.exe
  2⤵
  PID:6148
- C:\Windows\System\cOVGbjo.exe
  C:\Windows\System\cOVGbjo.exe
  2⤵
  PID:6176
- C:\Windows\System\tJamTlS.exe
  C:\Windows\System\tJamTlS.exe
  2⤵
  PID:6208
- C:\Windows\System\qzuxMdv.exe
  C:\Windows\System\qzuxMdv.exe
  2⤵
  PID:6232
- C:\Windows\System\VJxEtCs.exe
  C:\Windows\System\VJxEtCs.exe
  2⤵
  PID:6260
- C:\Windows\System\bIsUPwq.exe
  C:\Windows\System\bIsUPwq.exe
  2⤵
  PID:6296
- C:\Windows\System\QgOZeRW.exe
  C:\Windows\System\QgOZeRW.exe
  2⤵
  PID:6324
- C:\Windows\System\EdrfhDo.exe
  C:\Windows\System\EdrfhDo.exe
  2⤵
  PID:6352
- C:\Windows\System\RooMUXA.exe
  C:\Windows\System\RooMUXA.exe
  2⤵
  PID:6372
- C:\Windows\System\FdtbdSv.exe
  C:\Windows\System\FdtbdSv.exe
  2⤵
  PID:6400
- C:\Windows\System\aEYlByy.exe
  C:\Windows\System\aEYlByy.exe
  2⤵
  PID:6428
- C:\Windows\System\EKwwLTf.exe
  C:\Windows\System\EKwwLTf.exe
  2⤵
  PID:6456
- C:\Windows\System\vhEztcS.exe
  C:\Windows\System\vhEztcS.exe
  2⤵
  PID:6480
- C:\Windows\System\xKnxqgG.exe
  C:\Windows\System\xKnxqgG.exe
  2⤵
  PID:6508
- C:\Windows\System\zKMJnxu.exe
  C:\Windows\System\zKMJnxu.exe
  2⤵
  PID:6540
- C:\Windows\System\Tfydmtr.exe
  C:\Windows\System\Tfydmtr.exe
  2⤵
  PID:6564
- C:\Windows\System\fclhNWM.exe
  C:\Windows\System\fclhNWM.exe
  2⤵
  PID:6596
- C:\Windows\System\mVHusWD.exe
  C:\Windows\System\mVHusWD.exe
  2⤵
  PID:6620
- C:\Windows\System\YZOxVQp.exe
  C:\Windows\System\YZOxVQp.exe
  2⤵
  PID:6652
- C:\Windows\System\pkoyOCX.exe
  C:\Windows\System\pkoyOCX.exe
  2⤵
  PID:6680
- C:\Windows\System\UVvnKIS.exe
  C:\Windows\System\UVvnKIS.exe
  2⤵
  PID:6708
- C:\Windows\System\RVENlVI.exe
  C:\Windows\System\RVENlVI.exe
  2⤵
  PID:6736
- C:\Windows\System\PHpasSV.exe
  C:\Windows\System\PHpasSV.exe
  2⤵
  PID:6764
- C:\Windows\System\ZlFZpbS.exe
  C:\Windows\System\ZlFZpbS.exe
  2⤵
  PID:6792
- C:\Windows\System\THYRDeA.exe
  C:\Windows\System\THYRDeA.exe
  2⤵
  PID:6820
- C:\Windows\System\UBPlDsX.exe
  C:\Windows\System\UBPlDsX.exe
  2⤵
  PID:6848
- C:\Windows\System\UVnztFZ.exe
  C:\Windows\System\UVnztFZ.exe
  2⤵
  PID:6876
- C:\Windows\System\MDJkcfX.exe
  C:\Windows\System\MDJkcfX.exe
  2⤵
  PID:6904
- C:\Windows\System\xenvrsk.exe
  C:\Windows\System\xenvrsk.exe
  2⤵
  PID:6932
- C:\Windows\System\kLYxKuY.exe
  C:\Windows\System\kLYxKuY.exe
  2⤵
  PID:6960
- C:\Windows\System\sGzrfWP.exe
  C:\Windows\System\sGzrfWP.exe
  2⤵
  PID:6988
- C:\Windows\System\wcytkpQ.exe
  C:\Windows\System\wcytkpQ.exe
  2⤵
  PID:7016
- C:\Windows\System\NGCrRgP.exe
  C:\Windows\System\NGCrRgP.exe
  2⤵
  PID:7044
- C:\Windows\System\bnHkZvT.exe
  C:\Windows\System\bnHkZvT.exe
  2⤵
  PID:7072
- C:\Windows\System\XmyyyBb.exe
  C:\Windows\System\XmyyyBb.exe
  2⤵
  PID:7100
- C:\Windows\System\lfgNljW.exe
  C:\Windows\System\lfgNljW.exe
  2⤵
  PID:7128
- C:\Windows\System\XQxSPVY.exe
  C:\Windows\System\XQxSPVY.exe
  2⤵
  PID:7156
- C:\Windows\System\zXhQAdR.exe
  C:\Windows\System\zXhQAdR.exe
  2⤵
  PID:960
- C:\Windows\System\AJDqWvG.exe
  C:\Windows\System\AJDqWvG.exe
  2⤵
  PID:5280
- C:\Windows\System\dyNxHMa.exe
  C:\Windows\System\dyNxHMa.exe
  2⤵
  PID:5592
- C:\Windows\System\gqqTGEr.exe
  C:\Windows\System\gqqTGEr.exe
  2⤵
  PID:6044
- C:\Windows\System\tsXgJLg.exe
  C:\Windows\System\tsXgJLg.exe
  2⤵
  PID:6192
- C:\Windows\System\XlpwBkb.exe
  C:\Windows\System\XlpwBkb.exe
  2⤵
  PID:6252
- C:\Windows\System\vZhiUuU.exe
  C:\Windows\System\vZhiUuU.exe
  2⤵
  PID:6320
- C:\Windows\System\DvHkImz.exe
  C:\Windows\System\DvHkImz.exe
  2⤵
  PID:6388
- C:\Windows\System\VNbovtP.exe
  C:\Windows\System\VNbovtP.exe
  2⤵
  PID:6448
- C:\Windows\System\LzBXiQy.exe
  C:\Windows\System\LzBXiQy.exe
  2⤵
  PID:6524
- C:\Windows\System\TxIlDKB.exe
  C:\Windows\System\TxIlDKB.exe
  2⤵
  PID:6580
- C:\Windows\System\nLcmtIZ.exe
  C:\Windows\System\nLcmtIZ.exe
  2⤵
  PID:6644
- C:\Windows\System\KjNNfFf.exe
  C:\Windows\System\KjNNfFf.exe
  2⤵
  PID:6720
- C:\Windows\System\bJGKIVv.exe
  C:\Windows\System\bJGKIVv.exe
  2⤵
  PID:6780
- C:\Windows\System\rGChZxn.exe
  C:\Windows\System\rGChZxn.exe
  2⤵
  PID:6840
- C:\Windows\System\TTHHJJT.exe
  C:\Windows\System\TTHHJJT.exe
  2⤵
  PID:6916
- C:\Windows\System\BjnEVuq.exe
  C:\Windows\System\BjnEVuq.exe
  2⤵
  PID:6976
- C:\Windows\System\fFbEbGP.exe
  C:\Windows\System\fFbEbGP.exe
  2⤵
  PID:7036
- C:\Windows\System\qNONytZ.exe
  C:\Windows\System\qNONytZ.exe
  2⤵
  PID:7112
- C:\Windows\System\CqDpYxh.exe
  C:\Windows\System\CqDpYxh.exe
  2⤵
  PID:6124
- C:\Windows\System\SPxgwzp.exe
  C:\Windows\System\SPxgwzp.exe
  2⤵
  PID:5588
- C:\Windows\System\RGMVEdq.exe
  C:\Windows\System\RGMVEdq.exe
  2⤵
  PID:6224
- C:\Windows\System\SDxLecN.exe
  C:\Windows\System\SDxLecN.exe
  2⤵
  PID:6364
- C:\Windows\System\hNxDRpJ.exe
  C:\Windows\System\hNxDRpJ.exe
  2⤵
  PID:6496
- C:\Windows\System\nAAcNIv.exe
  C:\Windows\System\nAAcNIv.exe
  2⤵
  PID:6636
- C:\Windows\System\qIKqzgr.exe
  C:\Windows\System\qIKqzgr.exe
  2⤵
  PID:6808
- C:\Windows\System\KkhaLCR.exe
  C:\Windows\System\KkhaLCR.exe
  2⤵
  PID:6952
- C:\Windows\System\yjvKcur.exe
  C:\Windows\System\yjvKcur.exe
  2⤵
  PID:7188
- C:\Windows\System\pnWkcMC.exe
  C:\Windows\System\pnWkcMC.exe
  2⤵
  PID:7216
- C:\Windows\System\aAwkkyh.exe
  C:\Windows\System\aAwkkyh.exe
  2⤵
  PID:7244
- C:\Windows\System\KzauCSi.exe
  C:\Windows\System\KzauCSi.exe
  2⤵
  PID:7272
- C:\Windows\System\gODWQio.exe
  C:\Windows\System\gODWQio.exe
  2⤵
  PID:7300
- C:\Windows\System\RMTbZOk.exe
  C:\Windows\System\RMTbZOk.exe
  2⤵
  PID:7328
- C:\Windows\System\CLdhTKB.exe
  C:\Windows\System\CLdhTKB.exe
  2⤵
  PID:7356
- C:\Windows\System\eYUtujR.exe
  C:\Windows\System\eYUtujR.exe
  2⤵
  PID:7384
- C:\Windows\System\cZvcEiM.exe
  C:\Windows\System\cZvcEiM.exe
  2⤵
  PID:7412
- C:\Windows\System\pyCOsJK.exe
  C:\Windows\System\pyCOsJK.exe
  2⤵
  PID:7440
- C:\Windows\System\feYRiTo.exe
  C:\Windows\System\feYRiTo.exe
  2⤵
  PID:7468
- C:\Windows\System\DrbxjIj.exe
  C:\Windows\System\DrbxjIj.exe
  2⤵
  PID:7496
- C:\Windows\System\ooVfikK.exe
  C:\Windows\System\ooVfikK.exe
  2⤵
  PID:7524
- C:\Windows\System\JKjvtoF.exe
  C:\Windows\System\JKjvtoF.exe
  2⤵
  PID:7552
- C:\Windows\System\AdxHJzA.exe
  C:\Windows\System\AdxHJzA.exe
  2⤵
  PID:7580
- C:\Windows\System\tbYZmHT.exe
  C:\Windows\System\tbYZmHT.exe
  2⤵
  PID:7608
- C:\Windows\System\qiTZYnw.exe
  C:\Windows\System\qiTZYnw.exe
  2⤵
  PID:7636
- C:\Windows\System\faHmEvd.exe
  C:\Windows\System\faHmEvd.exe
  2⤵
  PID:7664
- C:\Windows\System\EkdvrML.exe
  C:\Windows\System\EkdvrML.exe
  2⤵
  PID:7692
- C:\Windows\System\xHiHmbs.exe
  C:\Windows\System\xHiHmbs.exe
  2⤵
  PID:7720
- C:\Windows\System\kAowZmH.exe
  C:\Windows\System\kAowZmH.exe
  2⤵
  PID:7748
- C:\Windows\System\eMFvhSy.exe
  C:\Windows\System\eMFvhSy.exe
  2⤵
  PID:7776
- C:\Windows\System\HbLjxve.exe
  C:\Windows\System\HbLjxve.exe
  2⤵
  PID:7804
- C:\Windows\System\GUPUbCT.exe
  C:\Windows\System\GUPUbCT.exe
  2⤵
  PID:7832
- C:\Windows\System\guMkLry.exe
  C:\Windows\System\guMkLry.exe
  2⤵
  PID:7856
- C:\Windows\System\BHjzJNz.exe
  C:\Windows\System\BHjzJNz.exe
  2⤵
  PID:7888
- C:\Windows\System\fZnLmsl.exe
  C:\Windows\System\fZnLmsl.exe
  2⤵
  PID:7916
- C:\Windows\System\aXRYFnC.exe
  C:\Windows\System\aXRYFnC.exe
  2⤵
  PID:7944
- C:\Windows\System\YTwLYfb.exe
  C:\Windows\System\YTwLYfb.exe
  2⤵
  PID:7972
- C:\Windows\System\PeLfEmZ.exe
  C:\Windows\System\PeLfEmZ.exe
  2⤵
  PID:8000
- C:\Windows\System\eAythEm.exe
  C:\Windows\System\eAythEm.exe
  2⤵
  PID:8028
- C:\Windows\System\sbodEaD.exe
  C:\Windows\System\sbodEaD.exe
  2⤵
  PID:8056
- C:\Windows\System\bWWKNsX.exe
  C:\Windows\System\bWWKNsX.exe
  2⤵
  PID:8084
- C:\Windows\System\KHSAxQg.exe
  C:\Windows\System\KHSAxQg.exe
  2⤵
  PID:8112
- C:\Windows\System\wjczkEr.exe
  C:\Windows\System\wjczkEr.exe
  2⤵
  PID:8140
- C:\Windows\System\rTQNGKx.exe
  C:\Windows\System\rTQNGKx.exe
  2⤵
  PID:8164
- C:\Windows\System\iGzfvYt.exe
  C:\Windows\System\iGzfvYt.exe
  2⤵
  PID:7028
- C:\Windows\System\htuckWh.exe
  C:\Windows\System\htuckWh.exe
  2⤵
  PID:5136
- C:\Windows\System\HKObJnv.exe
  C:\Windows\System\HKObJnv.exe
  2⤵
  PID:6292
- C:\Windows\System\qrmjoep.exe
  C:\Windows\System\qrmjoep.exe
  2⤵
  PID:6612
- C:\Windows\System\VoMCZJe.exe
  C:\Windows\System\VoMCZJe.exe
  2⤵
  PID:7172
- C:\Windows\System\leoGZYM.exe
  C:\Windows\System\leoGZYM.exe
  2⤵
  PID:7232
- C:\Windows\System\CuPuEac.exe
  C:\Windows\System\CuPuEac.exe
  2⤵
  PID:7292
- C:\Windows\System\aVYoKfm.exe
  C:\Windows\System\aVYoKfm.exe
  2⤵
  PID:7368
- C:\Windows\System\uNSePvL.exe
  C:\Windows\System\uNSePvL.exe
  2⤵
  PID:7428
- C:\Windows\System\LxWgWSX.exe
  C:\Windows\System\LxWgWSX.exe
  2⤵
  PID:7488
- C:\Windows\System\XncQtPB.exe
  C:\Windows\System\XncQtPB.exe
  2⤵
  PID:7564
- C:\Windows\System\CFsvmhQ.exe
  C:\Windows\System\CFsvmhQ.exe
  2⤵
  PID:7624
- C:\Windows\System\mbXShVa.exe
  C:\Windows\System\mbXShVa.exe
  2⤵
  PID:7684
- C:\Windows\System\ZkTGFnx.exe
  C:\Windows\System\ZkTGFnx.exe
  2⤵
  PID:7760
- C:\Windows\System\PdxgnPG.exe
  C:\Windows\System\PdxgnPG.exe
  2⤵
  PID:7816
- C:\Windows\System\uaEpUfo.exe
  C:\Windows\System\uaEpUfo.exe
  2⤵
  PID:2192
- C:\Windows\System\aPYEFeR.exe
  C:\Windows\System\aPYEFeR.exe
  2⤵
  PID:7928
- C:\Windows\System\DHeTDWq.exe
  C:\Windows\System\DHeTDWq.exe
  2⤵
  PID:7988
- C:\Windows\System\DPWWRfC.exe
  C:\Windows\System\DPWWRfC.exe
  2⤵
  PID:8048
- C:\Windows\System\Huccwrr.exe
  C:\Windows\System\Huccwrr.exe
  2⤵
  PID:8124
- C:\Windows\System\aZSqknf.exe
  C:\Windows\System\aZSqknf.exe
  2⤵
  PID:8180
- C:\Windows\System\SWZZfCX.exe
  C:\Windows\System\SWZZfCX.exe
  2⤵
  PID:6160
- C:\Windows\System\yGxDzaa.exe
  C:\Windows\System\yGxDzaa.exe
  2⤵
  PID:6888
- C:\Windows\System\FlOQJbW.exe
  C:\Windows\System\FlOQJbW.exe
  2⤵
  PID:7320
- C:\Windows\System\GRQREVT.exe
  C:\Windows\System\GRQREVT.exe
  2⤵
  PID:7460
- C:\Windows\System\pgpoDVs.exe
  C:\Windows\System\pgpoDVs.exe
  2⤵
  PID:3680
- C:\Windows\System\WmLHozC.exe
  C:\Windows\System\WmLHozC.exe
  2⤵
  PID:7732
- C:\Windows\System\LfdMFYG.exe
  C:\Windows\System\LfdMFYG.exe
  2⤵
  PID:3908
- C:\Windows\System\BJISGSU.exe
  C:\Windows\System\BJISGSU.exe
  2⤵
  PID:8016
- C:\Windows\System\mCHJvRe.exe
  C:\Windows\System\mCHJvRe.exe
  2⤵
  PID:8152
- C:\Windows\System\aOWpWDe.exe
  C:\Windows\System\aOWpWDe.exe
  2⤵
  PID:8220
- C:\Windows\System\aXFISqu.exe
  C:\Windows\System\aXFISqu.exe
  2⤵
  PID:8248
- C:\Windows\System\XmYHdXm.exe
  C:\Windows\System\XmYHdXm.exe
  2⤵
  PID:8276
- C:\Windows\System\wINXvDh.exe
  C:\Windows\System\wINXvDh.exe
  2⤵
  PID:8304
- C:\Windows\System\WTVXTBY.exe
  C:\Windows\System\WTVXTBY.exe
  2⤵
  PID:8332
- C:\Windows\System\jKpPISF.exe
  C:\Windows\System\jKpPISF.exe
  2⤵
  PID:8360
- C:\Windows\System\YoJCToj.exe
  C:\Windows\System\YoJCToj.exe
  2⤵
  PID:8388
- C:\Windows\System\oOTURgu.exe
  C:\Windows\System\oOTURgu.exe
  2⤵
  PID:8416
- C:\Windows\System\cyXxAoo.exe
  C:\Windows\System\cyXxAoo.exe
  2⤵
  PID:8444
- C:\Windows\System\WWYgfYi.exe
  C:\Windows\System\WWYgfYi.exe
  2⤵
  PID:8472
- C:\Windows\System\NZGPkol.exe
  C:\Windows\System\NZGPkol.exe
  2⤵
  PID:8500
- C:\Windows\System\xfOWMHh.exe
  C:\Windows\System\xfOWMHh.exe
  2⤵
  PID:8528
- C:\Windows\System\ekXejgT.exe
  C:\Windows\System\ekXejgT.exe
  2⤵
  PID:8556
- C:\Windows\System\mmitPCB.exe
  C:\Windows\System\mmitPCB.exe
  2⤵
  PID:8584
- C:\Windows\System\uFsZaUI.exe
  C:\Windows\System\uFsZaUI.exe
  2⤵
  PID:8612
- C:\Windows\System\oPqepCa.exe
  C:\Windows\System\oPqepCa.exe
  2⤵
  PID:8640
- C:\Windows\System\LCcleKY.exe
  C:\Windows\System\LCcleKY.exe
  2⤵
  PID:8668
- C:\Windows\System\qGbGRGY.exe
  C:\Windows\System\qGbGRGY.exe
  2⤵
  PID:8696
- C:\Windows\System\fJQYtFr.exe
  C:\Windows\System\fJQYtFr.exe
  2⤵
  PID:8724
- C:\Windows\System\kKkvkpQ.exe
  C:\Windows\System\kKkvkpQ.exe
  2⤵
  PID:8752
- C:\Windows\System\fHjOFXf.exe
  C:\Windows\System\fHjOFXf.exe
  2⤵
  PID:8780
- C:\Windows\System\KiJDKqy.exe
  C:\Windows\System\KiJDKqy.exe
  2⤵
  PID:8808
- C:\Windows\System\fmesrqh.exe
  C:\Windows\System\fmesrqh.exe
  2⤵
  PID:8836
- C:\Windows\System\pkgshbh.exe
  C:\Windows\System\pkgshbh.exe
  2⤵
  PID:8864
- C:\Windows\System\OICGQds.exe
  C:\Windows\System\OICGQds.exe
  2⤵
  PID:8892
- C:\Windows\System\JngjGCJ.exe
  C:\Windows\System\JngjGCJ.exe
  2⤵
  PID:8920
- C:\Windows\System\mrZrmvk.exe
  C:\Windows\System\mrZrmvk.exe
  2⤵
  PID:8948
- C:\Windows\System\INLnNAR.exe
  C:\Windows\System\INLnNAR.exe
  2⤵
  PID:8976
- C:\Windows\System\RvLhtIa.exe
  C:\Windows\System\RvLhtIa.exe
  2⤵
  PID:9004
- C:\Windows\System\iReRpRr.exe
  C:\Windows\System\iReRpRr.exe
  2⤵
  PID:9032
- C:\Windows\System\frUOdzL.exe
  C:\Windows\System\frUOdzL.exe
  2⤵
  PID:9060
- C:\Windows\System\tRhvOuD.exe
  C:\Windows\System\tRhvOuD.exe
  2⤵
  PID:9088
- C:\Windows\System\zGtcWrK.exe
  C:\Windows\System\zGtcWrK.exe
  2⤵
  PID:9116
- C:\Windows\System\OPNOeDZ.exe
  C:\Windows\System\OPNOeDZ.exe
  2⤵
  PID:9144
- C:\Windows\System\frIxhbs.exe
  C:\Windows\System\frIxhbs.exe
  2⤵
  PID:9172
- C:\Windows\System\VIlRLyl.exe
  C:\Windows\System\VIlRLyl.exe
  2⤵
  PID:9200
- C:\Windows\System\fVsJWBU.exe
  C:\Windows\System\fVsJWBU.exe
  2⤵
  PID:7140
- C:\Windows\System\nCTtegi.exe
  C:\Windows\System\nCTtegi.exe
  2⤵
  PID:7260
- C:\Windows\System\APFTkUO.exe
  C:\Windows\System\APFTkUO.exe
  2⤵
  PID:7536
- C:\Windows\System\kGFEzWq.exe
  C:\Windows\System\kGFEzWq.exe
  2⤵
  PID:7844
- C:\Windows\System\QKtcszL.exe
  C:\Windows\System\QKtcszL.exe
  2⤵
  PID:8204
- C:\Windows\System\TBysOuj.exe
  C:\Windows\System\TBysOuj.exe
  2⤵
  PID:8264
- C:\Windows\System\MKdHwwM.exe
  C:\Windows\System\MKdHwwM.exe
  2⤵
  PID:8320
- C:\Windows\System\euHyDeK.exe
  C:\Windows\System\euHyDeK.exe
  2⤵
  PID:8380
- C:\Windows\System\gShyqVn.exe
  C:\Windows\System\gShyqVn.exe
  2⤵
  PID:8436
- C:\Windows\System\MTIAhcN.exe
  C:\Windows\System\MTIAhcN.exe
  2⤵
  PID:8492
- C:\Windows\System\rcZXJoc.exe
  C:\Windows\System\rcZXJoc.exe
  2⤵
  PID:8568
- C:\Windows\System\LrIUBCg.exe
  C:\Windows\System\LrIUBCg.exe
  2⤵
  PID:8628
- C:\Windows\System\dpLqWPQ.exe
  C:\Windows\System\dpLqWPQ.exe
  2⤵
  PID:4892
- C:\Windows\System\xpkzHwY.exe
  C:\Windows\System\xpkzHwY.exe
  2⤵
  PID:8744
- C:\Windows\System\FClglrK.exe
  C:\Windows\System\FClglrK.exe
  2⤵
  PID:3632
- C:\Windows\System\qRGQcAa.exe
  C:\Windows\System\qRGQcAa.exe
  2⤵
  PID:8876
- C:\Windows\System\ouXWGah.exe
  C:\Windows\System\ouXWGah.exe
  2⤵
  PID:8964
- C:\Windows\System\GpqKopo.exe
  C:\Windows\System\GpqKopo.exe
  2⤵
  PID:9024
- C:\Windows\System\bFvtYQm.exe
  C:\Windows\System\bFvtYQm.exe
  2⤵
  PID:9100
- C:\Windows\System\etyeUui.exe
  C:\Windows\System\etyeUui.exe
  2⤵
  PID:9156
- C:\Windows\System\OUfskjM.exe
  C:\Windows\System\OUfskjM.exe
  2⤵
  PID:4108
- C:\Windows\System\ATejgdQ.exe
  C:\Windows\System\ATejgdQ.exe
  2⤵
  PID:3064
- C:\Windows\System\WYrCxdk.exe
  C:\Windows\System\WYrCxdk.exe
  2⤵
  PID:8076
- C:\Windows\System\UTBXnEd.exe
  C:\Windows\System\UTBXnEd.exe
  2⤵
  PID:8296
- C:\Windows\System\zZTWJAy.exe
  C:\Windows\System\zZTWJAy.exe
  2⤵
  PID:8408
- C:\Windows\System\jgJNJrR.exe
  C:\Windows\System\jgJNJrR.exe
  2⤵
  PID:8540
- C:\Windows\System\ZUnjXwO.exe
  C:\Windows\System\ZUnjXwO.exe
  2⤵
  PID:8680
- C:\Windows\System\OcVbLPk.exe
  C:\Windows\System\OcVbLPk.exe
  2⤵
  PID:8792
- C:\Windows\System\FPnphdt.exe
  C:\Windows\System\FPnphdt.exe
  2⤵
  PID:8912
- C:\Windows\System\fERUKJF.exe
  C:\Windows\System\fERUKJF.exe
  2⤵
  PID:9072
- C:\Windows\System\EMKATwi.exe
  C:\Windows\System\EMKATwi.exe
  2⤵
  PID:9188
- C:\Windows\System\YyNesWX.exe
  C:\Windows\System\YyNesWX.exe
  2⤵
  PID:4716
- C:\Windows\System\mITCiHr.exe
  C:\Windows\System\mITCiHr.exe
  2⤵
  PID:8352
- C:\Windows\System\PXrlvLj.exe
  C:\Windows\System\PXrlvLj.exe
  2⤵
  PID:4696
- C:\Windows\System\JTwBZoT.exe
  C:\Windows\System\JTwBZoT.exe
  2⤵
  PID:9240
- C:\Windows\System\boEuHsl.exe
  C:\Windows\System\boEuHsl.exe
  2⤵
  PID:9268
- C:\Windows\System\sNbQWii.exe
  C:\Windows\System\sNbQWii.exe
  2⤵
  PID:9296
- C:\Windows\System\DUvMJnB.exe
  C:\Windows\System\DUvMJnB.exe
  2⤵
  PID:9324
- C:\Windows\System\IxPuzBW.exe
  C:\Windows\System\IxPuzBW.exe
  2⤵
  PID:9352
- C:\Windows\System\jUGixYs.exe
  C:\Windows\System\jUGixYs.exe
  2⤵
  PID:9380
- C:\Windows\System\OYHLMrx.exe
  C:\Windows\System\OYHLMrx.exe
  2⤵
  PID:9408
- C:\Windows\System\aQQolml.exe
  C:\Windows\System\aQQolml.exe
  2⤵
  PID:9436
- C:\Windows\System\ngKociA.exe
  C:\Windows\System\ngKociA.exe
  2⤵
  PID:9464
- C:\Windows\System\nNdZnpU.exe
  C:\Windows\System\nNdZnpU.exe
  2⤵
  PID:9492
- C:\Windows\System\VqLyHor.exe
  C:\Windows\System\VqLyHor.exe
  2⤵
  PID:9520
- C:\Windows\System\XjWDPdx.exe
  C:\Windows\System\XjWDPdx.exe
  2⤵
  PID:9548
- C:\Windows\System\JFxYaJs.exe
  C:\Windows\System\JFxYaJs.exe
  2⤵
  PID:9576
- C:\Windows\System\raOxPfp.exe
  C:\Windows\System\raOxPfp.exe
  2⤵
  PID:9604
- C:\Windows\System\NwdrPZp.exe
  C:\Windows\System\NwdrPZp.exe
  2⤵
  PID:9632
- C:\Windows\System\VWYKWzw.exe
  C:\Windows\System\VWYKWzw.exe
  2⤵
  PID:9660
- C:\Windows\System\ymSWeYP.exe
  C:\Windows\System\ymSWeYP.exe
  2⤵
  PID:9688
- C:\Windows\System\cgQhCFS.exe
  C:\Windows\System\cgQhCFS.exe
  2⤵
  PID:9716
- C:\Windows\System\vVKNDWV.exe
  C:\Windows\System\vVKNDWV.exe
  2⤵
  PID:9744
- C:\Windows\System\Vssmajt.exe
  C:\Windows\System\Vssmajt.exe
  2⤵
  PID:9772
- C:\Windows\System\IpmCBLD.exe
  C:\Windows\System\IpmCBLD.exe
  2⤵
  PID:9800
- C:\Windows\System\qCaYxhq.exe
  C:\Windows\System\qCaYxhq.exe
  2⤵
  PID:9828
- C:\Windows\System\oCCvJzi.exe
  C:\Windows\System\oCCvJzi.exe
  2⤵
  PID:9856
- C:\Windows\System\Qdgcwga.exe
  C:\Windows\System\Qdgcwga.exe
  2⤵
  PID:9884
- C:\Windows\System\bgBkEYD.exe
  C:\Windows\System\bgBkEYD.exe
  2⤵
  PID:9912
- C:\Windows\System\mzJfBcM.exe
  C:\Windows\System\mzJfBcM.exe
  2⤵
  PID:9940
- C:\Windows\System\OtccGLG.exe
  C:\Windows\System\OtccGLG.exe
  2⤵
  PID:10044
- C:\Windows\System\mVZEpTg.exe
  C:\Windows\System\mVZEpTg.exe
  2⤵
  PID:10064
- C:\Windows\System\oiyVTPt.exe
  C:\Windows\System\oiyVTPt.exe
  2⤵
  PID:10088
- C:\Windows\System\RAZYVEF.exe
  C:\Windows\System\RAZYVEF.exe
  2⤵
  PID:10128
- C:\Windows\System\AsnRqqt.exe
  C:\Windows\System\AsnRqqt.exe
  2⤵
  PID:10172
- C:\Windows\System\LcUGufF.exe
  C:\Windows\System\LcUGufF.exe
  2⤵
  PID:10196
- C:\Windows\System\oSYpiNW.exe
  C:\Windows\System\oSYpiNW.exe
  2⤵
  PID:10232
- C:\Windows\System\iemapwO.exe
  C:\Windows\System\iemapwO.exe
  2⤵
  PID:9128
- C:\Windows\System\OIOlqiR.exe
  C:\Windows\System\OIOlqiR.exe
  2⤵
  PID:4332
- C:\Windows\System\ArCNask.exe
  C:\Windows\System\ArCNask.exe
  2⤵
  PID:9232
- C:\Windows\System\xJcwNVw.exe
  C:\Windows\System\xJcwNVw.exe
  2⤵
  PID:9340
- C:\Windows\System\OkKekBm.exe
  C:\Windows\System\OkKekBm.exe
  2⤵
  PID:9420
- C:\Windows\System\iLFmXaq.exe
  C:\Windows\System\iLFmXaq.exe
  2⤵
  PID:9476
- C:\Windows\System\iIEpBYw.exe
  C:\Windows\System\iIEpBYw.exe
  2⤵
  PID:9532
- C:\Windows\System\JCgfDui.exe
  C:\Windows\System\JCgfDui.exe
  2⤵
  PID:9568
- C:\Windows\System\wBetZVG.exe
  C:\Windows\System\wBetZVG.exe
  2⤵
  PID:3084
- C:\Windows\System\rynDrLQ.exe
  C:\Windows\System\rynDrLQ.exe
  2⤵
  PID:9652
- C:\Windows\System\tyGShIl.exe
  C:\Windows\System\tyGShIl.exe
  2⤵
  PID:9704
- C:\Windows\System\PHuDLBZ.exe
  C:\Windows\System\PHuDLBZ.exe
  2⤵
  PID:9760
- C:\Windows\System\uSEGEle.exe
  C:\Windows\System\uSEGEle.exe
  2⤵
  PID:9792
- C:\Windows\System\XRWHXIZ.exe
  C:\Windows\System\XRWHXIZ.exe
  2⤵
  PID:9820
- C:\Windows\System\VqxlxQW.exe
  C:\Windows\System\VqxlxQW.exe
  2⤵
  PID:9868
- C:\Windows\System\NBnuijN.exe
  C:\Windows\System\NBnuijN.exe
  2⤵
  PID:2400
- C:\Windows\System\FqSbtTE.exe
  C:\Windows\System\FqSbtTE.exe
  2⤵
  PID:9900
- C:\Windows\System\FtdlVgH.exe
  C:\Windows\System\FtdlVgH.exe
  2⤵
  PID:9956
- C:\Windows\System\hfXsGqd.exe
  C:\Windows\System\hfXsGqd.exe
  2⤵
  PID:1312
- C:\Windows\System\xiiTDGm.exe
  C:\Windows\System\xiiTDGm.exe
  2⤵
  PID:2660
- C:\Windows\System\EsfDnOp.exe
  C:\Windows\System\EsfDnOp.exe
  2⤵
  PID:1100
- C:\Windows\System\ttRvgsx.exe
  C:\Windows\System\ttRvgsx.exe
  2⤵
  PID:10056
- C:\Windows\System\icdaGmr.exe
  C:\Windows\System\icdaGmr.exe
  2⤵
  PID:10152
- C:\Windows\System\GYsRcdE.exe
  C:\Windows\System\GYsRcdE.exe
  2⤵
  PID:10192
- C:\Windows\System\hNCnUhc.exe
  C:\Windows\System\hNCnUhc.exe
  2⤵
  PID:8852
- C:\Windows\System\zPepVfv.exe
  C:\Windows\System\zPepVfv.exe
  2⤵
  PID:3864
- C:\Windows\System\aSwShSJ.exe
  C:\Windows\System\aSwShSJ.exe
  2⤵
  PID:9228
- C:\Windows\System\hdAdZGc.exe
  C:\Windows\System\hdAdZGc.exe
  2⤵
  PID:10040
- C:\Windows\System\RHnBUgt.exe
  C:\Windows\System\RHnBUgt.exe
  2⤵
  PID:10148
- C:\Windows\System\cpEjAjr.exe
  C:\Windows\System\cpEjAjr.exe
  2⤵
  PID:8600
- C:\Windows\System\uKAaHoX.exe
  C:\Windows\System\uKAaHoX.exe
  2⤵
  PID:9560
- C:\Windows\System\kmWymnv.exe
  C:\Windows\System\kmWymnv.exe
  2⤵
  PID:9648
- C:\Windows\System\EdGoWxO.exe
  C:\Windows\System\EdGoWxO.exe
  2⤵
  PID:9784
- C:\Windows\System\Hzzbyhb.exe
  C:\Windows\System\Hzzbyhb.exe
  2⤵
  PID:9848
- C:\Windows\System\VEcOWtF.exe
  C:\Windows\System\VEcOWtF.exe
  2⤵
  PID:2468
- C:\Windows\System\bvMxbnY.exe
  C:\Windows\System\bvMxbnY.exe
  2⤵
  PID:9976
- C:\Windows\System\NFIlaUM.exe
  C:\Windows\System\NFIlaUM.exe
  2⤵
  PID:10052
- C:\Windows\System\bRuGFRs.exe
  C:\Windows\System\bRuGFRs.exe
  2⤵
  PID:10220
- C:\Windows\System\dpSDUzP.exe
  C:\Windows\System\dpSDUzP.exe
  2⤵
  PID:3164
- C:\Windows\System\NsbwQkM.exe
  C:\Windows\System\NsbwQkM.exe
  2⤵
  PID:10108
- C:\Windows\System\GuhLvUB.exe
  C:\Windows\System\GuhLvUB.exe
  2⤵
  PID:9620
- C:\Windows\System\KhiHMas.exe
  C:\Windows\System\KhiHMas.exe
  2⤵
  PID:1792
- C:\Windows\System\CffsxCB.exe
  C:\Windows\System\CffsxCB.exe
  2⤵
  PID:6008
- C:\Windows\System\iTWjkxQ.exe
  C:\Windows\System\iTWjkxQ.exe
  2⤵
  PID:9336
- C:\Windows\System\MyxQIXr.exe
  C:\Windows\System\MyxQIXr.exe
  2⤵
  PID:10184
- C:\Windows\System\MhlRJyu.exe
  C:\Windows\System\MhlRJyu.exe
  2⤵
  PID:10248
- C:\Windows\System\fhWssUn.exe
  C:\Windows\System\fhWssUn.exe
  2⤵
  PID:10284
- C:\Windows\System\TexiwlG.exe
  C:\Windows\System\TexiwlG.exe
  2⤵
  PID:10320
- C:\Windows\System\XeUxQUM.exe
  C:\Windows\System\XeUxQUM.exe
  2⤵
  PID:10348
- C:\Windows\System\UOqgnkQ.exe
  C:\Windows\System\UOqgnkQ.exe
  2⤵
  PID:10380
- C:\Windows\System\HOnYyfw.exe
  C:\Windows\System\HOnYyfw.exe
  2⤵
  PID:10404
- C:\Windows\System\EWTkGgk.exe
  C:\Windows\System\EWTkGgk.exe
  2⤵
  PID:10440
- C:\Windows\System\RrvnRtr.exe
  C:\Windows\System\RrvnRtr.exe
  2⤵
  PID:10460
- C:\Windows\System\BSLSwld.exe
  C:\Windows\System\BSLSwld.exe
  2⤵
  PID:10496
- C:\Windows\System\BQibvDa.exe
  C:\Windows\System\BQibvDa.exe
  2⤵
  PID:10516
- C:\Windows\System\RjDjWJX.exe
  C:\Windows\System\RjDjWJX.exe
  2⤵
  PID:10540
- C:\Windows\System\LXABgzX.exe
  C:\Windows\System\LXABgzX.exe
  2⤵
  PID:10592
- C:\Windows\System\cNuEOwc.exe
  C:\Windows\System\cNuEOwc.exe
  2⤵
  PID:10612
- C:\Windows\System\PLKpMeA.exe
  C:\Windows\System\PLKpMeA.exe
  2⤵
  PID:10656
- C:\Windows\System\RQYimvg.exe
  C:\Windows\System\RQYimvg.exe
  2⤵
  PID:10684
- C:\Windows\System\PEQpTNN.exe
  C:\Windows\System\PEQpTNN.exe
  2⤵
  PID:10720
- C:\Windows\System\qnZXqSH.exe
  C:\Windows\System\qnZXqSH.exe
  2⤵
  PID:10748
- C:\Windows\System\mdiPzKu.exe
  C:\Windows\System\mdiPzKu.exe
  2⤵
  PID:10776
- C:\Windows\System\tecFueF.exe
  C:\Windows\System\tecFueF.exe
  2⤵
  PID:10804
- C:\Windows\System\vAnDcPM.exe
  C:\Windows\System\vAnDcPM.exe
  2⤵
  PID:10832
- C:\Windows\System\SlkFstU.exe
  C:\Windows\System\SlkFstU.exe
  2⤵
  PID:10860
- C:\Windows\System\PQRARFO.exe
  C:\Windows\System\PQRARFO.exe
  2⤵
  PID:10896
- C:\Windows\System\BrzAwYm.exe
  C:\Windows\System\BrzAwYm.exe
  2⤵
  PID:10924
- C:\Windows\System\vGozVGq.exe
  C:\Windows\System\vGozVGq.exe
  2⤵
  PID:10952
- C:\Windows\System\tMrAmFE.exe
  C:\Windows\System\tMrAmFE.exe
  2⤵
  PID:10980
- C:\Windows\System\SYFqLNh.exe
  C:\Windows\System\SYFqLNh.exe
  2⤵
  PID:11008
- C:\Windows\System\PsuUdPY.exe
  C:\Windows\System\PsuUdPY.exe
  2⤵
  PID:11036
- C:\Windows\System\FGTdTVp.exe
  C:\Windows\System\FGTdTVp.exe
  2⤵
  PID:11064
- C:\Windows\System\rrKktAi.exe
  C:\Windows\System\rrKktAi.exe
  2⤵
  PID:11092
- C:\Windows\System\PPGreKu.exe
  C:\Windows\System\PPGreKu.exe
  2⤵
  PID:11120
- C:\Windows\System\MznTtQq.exe
  C:\Windows\System\MznTtQq.exe
  2⤵
  PID:11148
- C:\Windows\System\XNhiHti.exe
  C:\Windows\System\XNhiHti.exe
  2⤵
  PID:11176
- C:\Windows\System\WdLOucM.exe
  C:\Windows\System\WdLOucM.exe
  2⤵
  PID:11204
- C:\Windows\System\XfjuDAv.exe
  C:\Windows\System\XfjuDAv.exe
  2⤵
  PID:11232
- C:\Windows\System\gKMVIBL.exe
  C:\Windows\System\gKMVIBL.exe
  2⤵
  PID:11260
- C:\Windows\System\HemXQEb.exe
  C:\Windows\System\HemXQEb.exe
  2⤵
  PID:10308
- C:\Windows\System\QUHGYSp.exe
  C:\Windows\System\QUHGYSp.exe
  2⤵
  PID:10372
- C:\Windows\System\HXbyqhD.exe
  C:\Windows\System\HXbyqhD.exe
  2⤵
  PID:10452
- C:\Windows\System\DKVjGLm.exe
  C:\Windows\System\DKVjGLm.exe
  2⤵
  PID:10488
- C:\Windows\System\adnoGvq.exe
  C:\Windows\System\adnoGvq.exe
  2⤵
  PID:10368
- C:\Windows\System\llxdyrV.exe
  C:\Windows\System\llxdyrV.exe
  2⤵
  PID:10648
- C:\Windows\System\xuuqfGz.exe
  C:\Windows\System\xuuqfGz.exe
  2⤵
  PID:10716
- C:\Windows\System\IwAKoAq.exe
  C:\Windows\System\IwAKoAq.exe
  2⤵
  PID:10792
- C:\Windows\System\bUIAica.exe
  C:\Windows\System\bUIAica.exe
  2⤵
  PID:10852
- C:\Windows\System\JFMdeOO.exe
  C:\Windows\System\JFMdeOO.exe
  2⤵
  PID:10880
- C:\Windows\System\ucdViaR.exe
  C:\Windows\System\ucdViaR.exe
  2⤵
  PID:10972
- C:\Windows\System\QQeBNhR.exe
  C:\Windows\System\QQeBNhR.exe
  2⤵
  PID:11032
- C:\Windows\System\XyPvfZX.exe
  C:\Windows\System\XyPvfZX.exe
  2⤵
  PID:11104
- C:\Windows\System\vbzJViO.exe
  C:\Windows\System\vbzJViO.exe
  2⤵
  PID:11168
- C:\Windows\System\xEqHIKW.exe
  C:\Windows\System\xEqHIKW.exe
  2⤵
  PID:11244
- C:\Windows\System\fOepShO.exe
  C:\Windows\System\fOepShO.exe
  2⤵
  PID:10376
- C:\Windows\System\tgPlGvu.exe
  C:\Windows\System\tgPlGvu.exe
  2⤵
  PID:10512
- C:\Windows\System\BzrtHsp.exe
  C:\Windows\System\BzrtHsp.exe
  2⤵
  PID:10676
- C:\Windows\System\AkEyPAY.exe
  C:\Windows\System\AkEyPAY.exe
  2⤵
  PID:10828
- C:\Windows\System\tABvYyp.exe
  C:\Windows\System\tABvYyp.exe
  2⤵
  PID:10948
- C:\Windows\System\lYhltLM.exe
  C:\Windows\System\lYhltLM.exe
  2⤵
  PID:11028
- C:\Windows\System\YybGQhz.exe
  C:\Windows\System\YybGQhz.exe
  2⤵
  PID:11144
- C:\Windows\System\PAENIAT.exe
  C:\Windows\System\PAENIAT.exe
  2⤵
  PID:10428
- C:\Windows\System\IBearEY.exe
  C:\Windows\System\IBearEY.exe
  2⤵
  PID:3956
- C:\Windows\System\gGJCXlr.exe
  C:\Windows\System\gGJCXlr.exe
  2⤵
  PID:11132
- C:\Windows\System\mjhMOlX.exe
  C:\Windows\System\mjhMOlX.exe
  2⤵
  PID:10772
- C:\Windows\System\itHAaJC.exe
  C:\Windows\System\itHAaJC.exe
  2⤵
  PID:10820
- C:\Windows\System\PozyXyK.exe
  C:\Windows\System\PozyXyK.exe
  2⤵
  PID:11292
- C:\Windows\System\aunNZmi.exe
  C:\Windows\System\aunNZmi.exe
  2⤵
  PID:11308
- C:\Windows\System\MnXZKys.exe
  C:\Windows\System\MnXZKys.exe
  2⤵
  PID:11336
- C:\Windows\System\APBZCiF.exe
  C:\Windows\System\APBZCiF.exe
  2⤵
  PID:11380
- C:\Windows\System\QItDFUN.exe
  C:\Windows\System\QItDFUN.exe
  2⤵
  PID:11396
- C:\Windows\System\gLlpkLl.exe
  C:\Windows\System\gLlpkLl.exe
  2⤵
  PID:11428
- C:\Windows\System\IUCnQPt.exe
  C:\Windows\System\IUCnQPt.exe
  2⤵
  PID:11460
- C:\Windows\System\BgAvEiE.exe
  C:\Windows\System\BgAvEiE.exe
  2⤵
  PID:11488
- C:\Windows\System\YScXviY.exe
  C:\Windows\System\YScXviY.exe
  2⤵
  PID:11524
- C:\Windows\System\ZoCLLXw.exe
  C:\Windows\System\ZoCLLXw.exe
  2⤵
  PID:11552
- C:\Windows\System\LmGHmhp.exe
  C:\Windows\System\LmGHmhp.exe
  2⤵
  PID:11608
- C:\Windows\System\VWExbHV.exe
  C:\Windows\System\VWExbHV.exe
  2⤵
  PID:11652
- C:\Windows\System\DlfgQXT.exe
  C:\Windows\System\DlfgQXT.exe
  2⤵
  PID:11708
- C:\Windows\System\OREvNqA.exe
  C:\Windows\System\OREvNqA.exe
  2⤵
  PID:11740
- C:\Windows\System\tFEYgdx.exe
  C:\Windows\System\tFEYgdx.exe
  2⤵
  PID:11776
- C:\Windows\System\iZGDNjw.exe
  C:\Windows\System\iZGDNjw.exe
  2⤵
  PID:11812
- C:\Windows\System\EpjKDIG.exe
  C:\Windows\System\EpjKDIG.exe
  2⤵
  PID:11860
- C:\Windows\System\yZRfjpZ.exe
  C:\Windows\System\yZRfjpZ.exe
  2⤵
  PID:11912
- C:\Windows\System\eUxSFUM.exe
  C:\Windows\System\eUxSFUM.exe
  2⤵
  PID:11940
- C:\Windows\System\koEocem.exe
  C:\Windows\System\koEocem.exe
  2⤵
  PID:11976
- C:\Windows\System\rfPiCgN.exe
  C:\Windows\System\rfPiCgN.exe
  2⤵
  PID:12008
- C:\Windows\System\nJNYBLc.exe
  C:\Windows\System\nJNYBLc.exe
  2⤵
  PID:12040
- C:\Windows\System\aMaOMwa.exe
  C:\Windows\System\aMaOMwa.exe
  2⤵
  PID:12076
- C:\Windows\System\OvlNzYb.exe
  C:\Windows\System\OvlNzYb.exe
  2⤵
  PID:12104
- C:\Windows\System\tbTlIma.exe
  C:\Windows\System\tbTlIma.exe
  2⤵
  PID:12144
- C:\Windows\System\KYXiwSC.exe
  C:\Windows\System\KYXiwSC.exe
  2⤵
  PID:12172
- C:\Windows\System\FJmvFvj.exe
  C:\Windows\System\FJmvFvj.exe
  2⤵
  PID:12188
- C:\Windows\System\CHJGGDo.exe
  C:\Windows\System\CHJGGDo.exe
  2⤵
  PID:12216
- C:\Windows\System\LjGyyTe.exe
  C:\Windows\System\LjGyyTe.exe
  2⤵
  PID:12244
- C:\Windows\System\kVlRWan.exe
  C:\Windows\System\kVlRWan.exe
  2⤵
  PID:11268
- C:\Windows\System\HSpAEay.exe
  C:\Windows\System\HSpAEay.exe
  2⤵
  PID:11412
- C:\Windows\System\VRFZXTb.exe
  C:\Windows\System\VRFZXTb.exe
  2⤵
  PID:11472
- C:\Windows\System\wtQOdjt.exe
  C:\Windows\System\wtQOdjt.exe
  2⤵
  PID:11536
- C:\Windows\System\lkDcWvC.exe
  C:\Windows\System\lkDcWvC.exe
  2⤵
  PID:2744
- C:\Windows\System\vBWXRbU.exe
  C:\Windows\System\vBWXRbU.exe
  2⤵
  PID:11644
- C:\Windows\System\ruWAeQC.exe
  C:\Windows\System\ruWAeQC.exe
  2⤵
  PID:11756
- C:\Windows\System\ggwEsCe.exe
  C:\Windows\System\ggwEsCe.exe
  2⤵
  PID:3960
- C:\Windows\System\EUvbMmF.exe
  C:\Windows\System\EUvbMmF.exe
  2⤵
  PID:12000
- C:\Windows\System\ReByspN.exe
  C:\Windows\System\ReByspN.exe
  2⤵
  PID:12036
- C:\Windows\System\mjdSybg.exe
  C:\Windows\System\mjdSybg.exe
  2⤵
  PID:12136
- C:\Windows\System\ktFXGRJ.exe
  C:\Windows\System\ktFXGRJ.exe
  2⤵
  PID:12180
- C:\Windows\System\xLBzQvH.exe
  C:\Windows\System\xLBzQvH.exe
  2⤵
  PID:12236
- C:\Windows\System\ZtsIwpJ.exe
  C:\Windows\System\ZtsIwpJ.exe
  2⤵
  PID:220
- C:\Windows\System\WTmuSjR.exe
  C:\Windows\System\WTmuSjR.exe
  2⤵
  PID:11516
- C:\Windows\System\TNRPyGp.exe
  C:\Windows\System\TNRPyGp.exe
  2⤵
  PID:11624
- C:\Windows\System\wiCsdES.exe
  C:\Windows\System\wiCsdES.exe
  2⤵
  PID:3792
- C:\Windows\System\pFGlAms.exe
  C:\Windows\System\pFGlAms.exe
  2⤵
  PID:12096
- C:\Windows\System\fLQeDJx.exe
  C:\Windows\System\fLQeDJx.exe
  2⤵
  PID:12224
- C:\Windows\System\DnFBWEj.exe
  C:\Windows\System\DnFBWEj.exe
  2⤵
  PID:11512
- C:\Windows\System\HxtKhUu.exe
  C:\Windows\System\HxtKhUu.exe
  2⤵
  PID:1904
- C:\Windows\System\HWHZFwi.exe
  C:\Windows\System\HWHZFwi.exe
  2⤵
  PID:12020
- C:\Windows\System\vBXvbYy.exe
  C:\Windows\System\vBXvbYy.exe
  2⤵
  PID:12164
- C:\Windows\System\gTQBSNS.exe
  C:\Windows\System\gTQBSNS.exe
  2⤵
  PID:11792
- C:\Windows\System\VmJWzZv.exe
  C:\Windows\System\VmJWzZv.exe
  2⤵
  PID:12320
- C:\Windows\System\WKHzmoK.exe
  C:\Windows\System\WKHzmoK.exe
  2⤵
  PID:12348
- C:\Windows\System\ZJBjerA.exe
  C:\Windows\System\ZJBjerA.exe
  2⤵
  PID:12376
- C:\Windows\System\uojpTVc.exe
  C:\Windows\System\uojpTVc.exe
  2⤵
  PID:12404
- C:\Windows\System\erTmIEU.exe
  C:\Windows\System\erTmIEU.exe
  2⤵
  PID:12436
- C:\Windows\System\TUicuZu.exe
  C:\Windows\System\TUicuZu.exe
  2⤵
  PID:12476
- C:\Windows\System\odnIVCh.exe
  C:\Windows\System\odnIVCh.exe
  2⤵
  PID:12504
- C:\Windows\System\RiHJmTY.exe
  C:\Windows\System\RiHJmTY.exe
  2⤵
  PID:12536
- C:\Windows\System\VNAUViE.exe
  C:\Windows\System\VNAUViE.exe
  2⤵
  PID:12572
- C:\Windows\System\SLtUqZE.exe
  C:\Windows\System\SLtUqZE.exe
  2⤵
  PID:12600
- C:\Windows\System\HnwJxjH.exe
  C:\Windows\System\HnwJxjH.exe
  2⤵
  PID:12628
- C:\Windows\System\qcptfze.exe
  C:\Windows\System\qcptfze.exe
  2⤵
  PID:12656
- C:\Windows\System\okOEpAM.exe
  C:\Windows\System\okOEpAM.exe
  2⤵
  PID:12688
- C:\Windows\System\qmcyCUB.exe
  C:\Windows\System\qmcyCUB.exe
  2⤵
  PID:12716
- C:\Windows\System\BLTPSlt.exe
  C:\Windows\System\BLTPSlt.exe
  2⤵
  PID:12748
- C:\Windows\System\PKkqduc.exe
  C:\Windows\System\PKkqduc.exe
  2⤵
  PID:12764
- C:\Windows\System\JLZZkAs.exe
  C:\Windows\System\JLZZkAs.exe
  2⤵
  PID:12780
- C:\Windows\System\baOBfeg.exe
  C:\Windows\System\baOBfeg.exe
  2⤵
  PID:12800
- C:\Windows\System\lLHYdTI.exe
  C:\Windows\System\lLHYdTI.exe
  2⤵
  PID:12824
- C:\Windows\System\TYaJKAx.exe
  C:\Windows\System\TYaJKAx.exe
  2⤵
  PID:12840
- C:\Windows\System\qiTVdIp.exe
  C:\Windows\System\qiTVdIp.exe
  2⤵
  PID:12872
- C:\Windows\System\KPPxgYZ.exe
  C:\Windows\System\KPPxgYZ.exe
  2⤵
  PID:12924
- C:\Windows\System\MWLLNIK.exe
  C:\Windows\System\MWLLNIK.exe
  2⤵
  PID:12952
- C:\Windows\System\fdOTAxH.exe
  C:\Windows\System\fdOTAxH.exe
  2⤵
  PID:12976
- C:\Windows\System\FucFjeQ.exe
  C:\Windows\System\FucFjeQ.exe
  2⤵
  PID:13028
- C:\Windows\System\pnynXTA.exe
  C:\Windows\System\pnynXTA.exe
  2⤵
  PID:13056
- C:\Windows\System\NcYnKvs.exe
  C:\Windows\System\NcYnKvs.exe
  2⤵
  PID:13084
- C:\Windows\System\KNhdgyl.exe
  C:\Windows\System\KNhdgyl.exe
  2⤵
  PID:13112
- C:\Windows\System\GedPDYt.exe
  C:\Windows\System\GedPDYt.exe
  2⤵
  PID:13140
- C:\Windows\System\SZbvfBm.exe
  C:\Windows\System\SZbvfBm.exe
  2⤵
  PID:13168
- C:\Windows\System\ZaZQXLD.exe
  C:\Windows\System\ZaZQXLD.exe
  2⤵
  PID:13196
- C:\Windows\System\aEZehOF.exe
  C:\Windows\System\aEZehOF.exe
  2⤵
  PID:13216
- C:\Windows\System\OADdXjW.exe
  C:\Windows\System\OADdXjW.exe
  2⤵
  PID:13248
- C:\Windows\System\hChmZxV.exe
  C:\Windows\System\hChmZxV.exe
  2⤵
  PID:13268
- C:\Windows\System\jCTfoah.exe
  C:\Windows\System\jCTfoah.exe
  2⤵
  PID:13296
- C:\Windows\System\ziKkNyM.exe
  C:\Windows\System\ziKkNyM.exe
  2⤵
  PID:12312
- C:\Windows\System\ZLBGysG.exe
  C:\Windows\System\ZLBGysG.exe
  2⤵
  PID:12396
- C:\Windows\System\HHAcXPe.exe
  C:\Windows\System\HHAcXPe.exe
  2⤵
  PID:12472
- C:\Windows\System\hwiauhK.exe
  C:\Windows\System\hwiauhK.exe
  2⤵
  PID:1816
- C:\Windows\System\IyAWjFh.exe
  C:\Windows\System\IyAWjFh.exe
  2⤵
  PID:12568
- C:\Windows\System\rnHlWvz.exe
  C:\Windows\System\rnHlWvz.exe
  2⤵
  PID:12624
- C:\Windows\System\GoZAIQE.exe
  C:\Windows\System\GoZAIQE.exe
  2⤵
  PID:12708
- C:\Windows\System\lHZtuSc.exe
  C:\Windows\System\lHZtuSc.exe
  2⤵
  PID:12776
- C:\Windows\System\LOtEqnq.exe
  C:\Windows\System\LOtEqnq.exe
  2⤵
  PID:12816
- C:\Windows\System\YjQPPRr.exe
  C:\Windows\System\YjQPPRr.exe
  2⤵
  PID:12944
- C:\Windows\System\lusRGEc.exe
  C:\Windows\System\lusRGEc.exe
  2⤵
  PID:12936
- C:\Windows\System\ffxRyZX.exe
  C:\Windows\System\ffxRyZX.exe
  2⤵
  PID:13040
- C:\Windows\System\CGtGQpV.exe
  C:\Windows\System\CGtGQpV.exe
  2⤵
  PID:13104
- C:\Windows\System\MxsuRoV.exe
  C:\Windows\System\MxsuRoV.exe
  2⤵
  PID:13164
- C:\Windows\System\GPnWZFs.exe
  C:\Windows\System\GPnWZFs.exe
  2⤵
  PID:13228
- C:\Windows\System\estYdwq.exe
  C:\Windows\System\estYdwq.exe
  2⤵
  PID:13284
- C:\Windows\System\wvIHfkp.exe
  C:\Windows\System\wvIHfkp.exe
  2⤵
  PID:12452
- C:\Windows\System\wJVsJlg.exe
  C:\Windows\System\wJVsJlg.exe
  2⤵
  PID:12512
- C:\Windows\System\fDYtpll.exe
  C:\Windows\System\fDYtpll.exe
  2⤵
  PID:12740
- C:\Windows\System\frziXoh.exe
  C:\Windows\System\frziXoh.exe
  2⤵
  PID:13000
- C:\Windows\System\rfNfMPr.exe
  C:\Windows\System\rfNfMPr.exe
  2⤵
  PID:13224
- C:\Windows\System\ZqcEOFF.exe
  C:\Windows\System\ZqcEOFF.exe
  2⤵
  PID:12428
- C:\Windows\System\pldsAmQ.exe
  C:\Windows\System\pldsAmQ.exe
  2⤵
  PID:12940
- C:\Windows\System\tOtkcOF.exe
  C:\Windows\System\tOtkcOF.exe
  2⤵
  PID:2528
- C:\Windows\System\ZTLMtkE.exe
  C:\Windows\System\ZTLMtkE.exe
  2⤵
  PID:13072
- C:\Windows\System\nRFjCVQ.exe
  C:\Windows\System\nRFjCVQ.exe
  2⤵
  PID:12564
- C:\Windows\System\wFGXtQe.exe
  C:\Windows\System\wFGXtQe.exe
  2⤵
  PID:13332
- C:\Windows\System\vUVvSbx.exe
  C:\Windows\System\vUVvSbx.exe
  2⤵
  PID:13360
- C:\Windows\System\ZJUDYAH.exe
  C:\Windows\System\ZJUDYAH.exe
  2⤵
  PID:13388
- C:\Windows\System\smaWdTW.exe
  C:\Windows\System\smaWdTW.exe
  2⤵
  PID:13416
- C:\Windows\System\mfTRZNM.exe
  C:\Windows\System\mfTRZNM.exe
  2⤵
  PID:13444

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 3492 -i 3492 -h 468 -j 476 -s 484 -d 13620
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwtljmpf.cpi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CwDBfsn.exe

Filesize
5.0MB

MD5
2f4477502be392d7ac3e917e73652fd0

SHA1
35098e4cf6b80f03ead3842526e50441af8630e2

SHA256
678f1801619ec7a316640b1f779cc65459fcb97bb9a8d7cd76a91fb8c0418268

SHA512
64dd2b0794dc70d8857581f86771abbc99c88e1799cb6f6746467fd1ccd18f6a7e598b6111f04420ff1f5845b52dad6862b6615e7d7732b46c4185792c624d88

Download Submit
C:\Windows\System\DyzvPAH.exe

Filesize
5.0MB

MD5
bb09af53a73777551beeea7065260ca5

SHA1
da4b58bc625c779e00f4711184813eb4eb003344

SHA256
b4486d138e9295f8deba0cf9b5547f0b102932ef905b2e81e5868a0bce05b7c0

SHA512
25749c2a4de43f505c3e3f6d4504809685da5a1b35f88e84b482586e85d719c49ac03259d9f0a9ba08997a071f52b9a0d75559e59155de531ee875ddae6e424b

Download Submit
C:\Windows\System\EVLnlKS.exe

Filesize
5.0MB

MD5
7f5572ca9954780675a0682f49577eca

SHA1
35b41a89d9835184eec5148ae1162ff6ddb74180

SHA256
5c52b185a5fb73651e8c928e425c0431425f43241bdfc89ddbe79e508e247e45

SHA512
bf662b000f8f2e01044216882dff03bea25540fdb96795c69aab4d92c3d6951b1029af02035ee2565a2bc39549668c9ed88a368addf0d879677f182030196c83

Download Submit
C:\Windows\System\EjCmipK.exe

Filesize
5.0MB

MD5
388b46fff05ac547325ecac9fb2cfd55

SHA1
b9e4323216592c2877f59f646d47a7bbaa4b7724

SHA256
d5b191ccb673715a0713784dc3949f69e9b5ae22f72f2fbfec8b7b7a81bee034

SHA512
4dcd505ab62190dff2054bd9a2d45496a9f315ea703f7572f6d4f48ad91df2c5b6982ea8554a3c55626cac8f7071b45c7733a03e16296290e7e2e61b75bdf30f

Download Submit
C:\Windows\System\HVOsOuQ.exe

Filesize
5.0MB

MD5
1bd98486c178a44338a651be68c29ba7

SHA1
e546b0e4f6c96dabef589a4ff83223afd6a9d3ae

SHA256
e54fb83481ddbe36280eab42136b2f83ee9aeec59c82dc10bea2f6a3ed54d13c

SHA512
11fbba8e6a3071880df357accceb045f450bf7205926826ee44c1131b8ddcd3c65e368181094fcb4f7067b1de6515fd0347ed233e47dd1a9f5d3860e5bc64551

Download Submit
C:\Windows\System\HaATDUj.exe

Filesize
5.0MB

MD5
7c2255a5ac010aecf532e40b04a12cdc

SHA1
c7d552e5b9e74603458da4c33707473de92fd8b4

SHA256
01515c770aca6c8214bf27bf664921ac06455948d75e9c86c0f52aed219fc37b

SHA512
15f855a87c45332fc12d29b64c943d647aa57dfe351e778d6571b4c1f3deafd34e6618a7bcb7806b192a9c988866876409e2dd24cf0497d7c31a4dcd16b8ea20

Download Submit
C:\Windows\System\HzqhwgW.exe

Filesize
5.0MB

MD5
a8ddb7a3c17e63407e7edec988cb42ab

SHA1
6d57fe9637522da0c5d3a89a807c820268162932

SHA256
1ec3f1ed4863fd3fe12ab3bf2e94a63ec76df8ac6de8d3687813abb68bac5969

SHA512
21e65a9583f624e63f08a0a5cbd30fc5f5c6b44ebca08616b791261a7a8f32f7fb8d0fe9a5995a733662001df05e80c4f8657ec33d94c7931151898fe263a5e2

Download Submit
C:\Windows\System\IHCcZry.exe

Filesize
5.0MB

MD5
6cf8248bb854b2660d19198f25192d9b

SHA1
7e1819fac5128f124ff62922d8e4a4ea5b4744a6

SHA256
536ce288d71fbd420efa9036fea808ebb47a63eb346dbdd3295589064317ce7c

SHA512
5c4127c91234cafb3625785f071dbea6f5986b71410d40c22935fec948e2ab6d77fa75b96190c5787819676d7615869ae843226b5f3781caafe5d9552b83c728

Download Submit
C:\Windows\System\KzAUAvU.exe

Filesize
5.0MB

MD5
72db62c083f7f6205cb4275fca9b8b14

SHA1
891b423812d1d42d91f4ff922682e7949345065d

SHA256
f44bcd6d772ce36ffb6758876512060ac7c07a2ddcf74ed123f5be9fd747790e

SHA512
98a79f01396f8ed3c5dcc8ce500c5a45444f4f9518fab8d2e40be4dda3f70ba2d25d9897d2c31cc883452d5e1142e45cf7977afb73ba08152332b36dff5bc16e

Download Submit
C:\Windows\System\LHsKKss.exe

Filesize
5.0MB

MD5
604b02eb3b762b9c1beb48be6f294f27

SHA1
12f63673c30280311041511b1de33907317b836a

SHA256
84358f29d40a603e691d8d90d60888cb0ffa6ff24d9877c3b4c58386b407352d

SHA512
cc721e6b9273c052326d1ff36be050cf3cf869aee8401e9a49b57070b6cd5ffe87e90d655bec35fe1cbbef87152a78c25f377e00a53a7ba7e74386fbe51153ba

Download Submit
C:\Windows\System\NYJdzhi.exe

Filesize
5.0MB

MD5
cda83447fd349a5b3ef1a725f9e4ae1d

SHA1
204c6f864f49910f63da5d4c42c86074057e0c04

SHA256
25e263d2556aab622c51ea840bba5f07022ac49294b87d83768e9d480db342ff

SHA512
2d59aae392882c66e79afed2c8bc08cac2d8c8c743f81e03ceecc155489dd2ed4ac07d2d8f82e4c245f513ada4919d8fd784aab08eaac21d942f500f793cca89

Download Submit
C:\Windows\System\QkoOtML.exe

Filesize
5.0MB

MD5
feadaad8b654b3884c6b365fc5e3fd3c

SHA1
b4fe0662ff81862cceedc3bfeefd056e776a95c4

SHA256
df3dd2f4c9de5e317e34daee48fecf3c277896a136bd3a91682485984ffd597b

SHA512
2a7bab7b661a68e3dd29f57c33f7a051e54f1465a6d6b8f116926cb31e5a3a2aecf14ab2ca462f9f1e26e8bc75f76d7eb21ae1f76fc8c86eef393af8324a1fba

Download Submit
C:\Windows\System\RMfmKHW.exe

Filesize
5.0MB

MD5
608eab5aeb88391793ce265ab178096f

SHA1
0c8424050424c977d9e2c38afc27e48644fde0ee

SHA256
6d7e3841c1ee27c6d753c0280e84cd26a9b4500413fa69403ae59d6608167f2d

SHA512
b08c52fc85e721c5ec2addba1aa905e9a967cdc35c7f91896db23785ecfe42174cf83cba187b4f11c2a55aa644565b4657eb6d54da568f1e3aab50889046251a

Download Submit
C:\Windows\System\RiNeHDq.exe

Filesize
5.0MB

MD5
e8261e98af2fcd5603e5890c1a667c47

SHA1
53db30bafb06d5592d4356b5c6f6d4b4ffeebd58

SHA256
19736096277b9188ebfa89227b39f446a0c72153a6ecb1ed3aba6327a705911b

SHA512
9efb845d7ab48b55c13243acb98ed1e1e6c6084b1334e1eeba19f0ae30fe4f61b575775774828996c8cf4146dd30795413232a5d78e770f9bd5a16422c15819b

Download Submit
C:\Windows\System\VGFZkkl.exe

Filesize
5.0MB

MD5
082b9e94f1bbef0d37f0bb501e807241

SHA1
4a2b5da51f89e096b023d50f1724d6498f16f3b3

SHA256
c1e7a7e266947e4ca81d2d9aae96f714b45cee6e461a6a62d1df86c57d2c2010

SHA512
e0ccb947b8c66668f22a1c08077686186d86b20ff9c28492fd56c955a8aee338514cd1d49e65a32cb97f0192372e6628175957fafed533934110d47c0e0fcc5d

Download Submit
C:\Windows\System\VbpiHbS.exe

Filesize
5.0MB

MD5
57d9f57e72dd8aebfbd99c9c917c92e2

SHA1
4b164b6afdf7e066c1b8eba01cd259646f23ec49

SHA256
abcd5b8c4cdbbedd059d4587a8425e8c19fc236bae8e5e2d676458eb569e9bd6

SHA512
46e0e92bfc6c117dd85e3e1cbb888e66419197e0851845c7a8906c8d0d851a5778fae80eaf6001441816e2fab59d12b73a3902b0161f8188897f9c5717eac45e

Download Submit
C:\Windows\System\XfCISfk.exe

Filesize
5.0MB

MD5
37cc4be707eebe7f34994a56be1539da

SHA1
2823bc7e8ad1b2b79adb837ba19ae02053233cba

SHA256
cb15dfc9e48bb29e6934ef473b2a74c65f99102d9e853f12c232915c3d4c39a9

SHA512
cf735b2b8f5ad0b423594450602359630c4d56522a5964cf8c6e62bffe9647d5743044ef23dd0b98611fcb59483944216c62fa4a09d294c314ad10415eaa6c78

Download Submit
C:\Windows\System\YlZBayV.exe

Filesize
5.0MB

MD5
250886532787d2f886e02d0177ec31e4

SHA1
62dc6f896107f530f0fb8330a72c91863cce5296

SHA256
e9078dd754e64c23d74e9c21592698c2b38dd58fb4b867f47ef0b176750b04da

SHA512
383b7a567b34c8d99d0b68bf4b0e7efdd6aabafc1d42141e018c5624910af357397ed1fcf4f24ea3c33d1052689c1361038b398df5b02a1b9210da3c751f5141

Download Submit
C:\Windows\System\bFcBHmx.exe

Filesize
5.0MB

MD5
77c3124e89c38f36844c58b1b61caaa2

SHA1
d617ae698285b42c7d73931666c967f8e4d049cd

SHA256
ab80c21b1556c4746e41ebed410c54337aa7ec65728887c6bf3111d9486439b4

SHA512
95ef77d9e098d8d19e57a823efa1ad068b9480d24f0a76687bad458b8d04d18d731c80c7c1e867001c4a6ad722cf393dd4a50055361964dfc511b92c7d8a8c98

Download Submit
C:\Windows\System\buvEedq.exe

Filesize
5.0MB

MD5
d5ad06552567b7a79f76a20799e8e1d0

SHA1
30283ba22ad6bff7df36716dbbf88d53939814d2

SHA256
fc0a784ddae02b05ed1734439f789afb4bd25164254cf42d235a03d7d1d72401

SHA512
86443d1406c1c213458036b011b899b7e5b02844ee33457cd94e8d6066b0a6f5cb02125eb01eb9842bc77b8e9b73476c3d67e624c3e9cc70cd1b2015dffd134a

Download Submit
C:\Windows\System\dcWFcpx.exe

Filesize
5.0MB

MD5
f3c1f238d62fea9b7344dc9eef566911

SHA1
b1a537a90e90e8b84f7924d2f3e75d6170e71ea1

SHA256
2c157c08959293c633dce81b37f837b866fd5c77f77af374924ad57071b6ad44

SHA512
2a89047302885aad743b52c95a6e0efa3b5962254671d188143a82e40013e5786c663229a3ea75c316186ec5d05e2f6c5393cadae24ac4676a24beb42d3ba10d

Download Submit
C:\Windows\System\hueUtqB.exe

Filesize
5.0MB

MD5
3e33db6761e555bedaf8598504b8922d

SHA1
64d4b07d4f32734df321a8e0ed5bff4b66e3d70a

SHA256
65b36f5ae4e6743afb13fc43a59c6bfaaeb860ecb2761127236ab6c14a72647b

SHA512
20f3b8dfa77854477ff8f094286cb8281661e7e11b35940937c148f4eeececa4f8a0227e1e1eb52522ffc63d1531c1ba559eab4d953ea1fba77eebfe1ecfef20

Download Submit
C:\Windows\System\lnHykwA.exe

Filesize
5.0MB

MD5
f1ae940bb6ecb2797f9c1e7b9a48f15c

SHA1
6782d9882b635c9628439eae6c9c649d8c58efd0

SHA256
bf8dbecbc5df3451c365897b8101d6ae6666d3eed70951b4da91a63526b296e0

SHA512
1e0cb472c0e5ebd081de033f17066f51629efec1324c055ba4351c712cbb34af6fff0daaa74f62d142262d27fc976f76c10946c2121eb9531013865c89d75262

Download Submit
C:\Windows\System\mBWTBIn.exe

Filesize
5.0MB

MD5
2a974ce333f93d7b470285fae6a210e1

SHA1
719d7f8bb750ef225c0953105694319c23796e22

SHA256
b4b2c9874565b5cb62d7cc4c67dec2e7dd758bfee05ae6e8b6cc07e56757f1f6

SHA512
fa66bb5f2482f63b30a983f4591f29ed972a8f41afd8b77dc5f2d9fa61002f700d9977fe314a703db1a16c78d6fb2db2f208eb7673efadb64e1d2f0813f10f57

Download Submit
C:\Windows\System\mFVfRUm.exe

Filesize
5.0MB

MD5
4fe16527762b061518fa49bd9f3138e4

SHA1
f715a34c9d53a3b8f25d0eea9e6d62bfc43ea178

SHA256
55a658b248a89749bfef01bd78db6c668aeeed5a2f633f814202d79dea7453ab

SHA512
43df689d6be8c404190281dadf1ad66ec21438fb8146723a0c138ce86ec433d2c19f176ca06c98299b51a42284724600a1e23ef81227d6ded094fb691222124b

Download Submit
C:\Windows\System\mskVDzP.exe

Filesize
5.0MB

MD5
ca7c43ff03b299ba7807af214eeb9f8b

SHA1
338cd835ec3a3dc5b6dbb6fc991613be53ecb9c5

SHA256
2cffabc3caf021ff63845b5da91d4129e67686d13dde4430ee2c8c010e6dc860

SHA512
48fdc9086a1290084c12d672f80cc99a9c435dd6a9d3d268221a32c998f723962591a2eb48b80129642d87936d43dee706dadcbfc60ec5877654056dd78b476b

Download Submit
C:\Windows\System\oVVIQaE.exe

Filesize
5.0MB

MD5
cc10c3bd245495726b85e7af6c375d9d

SHA1
179d9376fb2fd80255726fa822755e92bb362ed7

SHA256
1a72365bb34bca28b824622e0e47e26dbece87660a85c69ea67ada363accc18f

SHA512
5006b151421280181e081ece0a8d36644048271c160bdef945bfd2032e38b32335d0097cf336007c5faa0dab1743b69dfa367870e3a2e15624ce64f557224c9d

Download Submit
C:\Windows\System\pJyAuZW.exe

Filesize
5.0MB

MD5
72cd4e663ed29ca28620404c317a034b

SHA1
28ae3d747a270b4bd20580e756fcf73829d8111c

SHA256
ff7dfd99222832700a660b164606da714a46fa9dc3f6b8f496a29aa664c9b2cd

SHA512
e800f37010df5fbe6d98abf0b7399e99ed4da0061712f90a0706fa6ba8f170dfdca8f7cd49bb85c1cf7562c22f51613752f6bf8a71bb3a50dd81450df08b7fb9

Download Submit
C:\Windows\System\pPXrwVG.exe

Filesize
5.0MB

MD5
678fe4fd5ac58a3aaf7071c093eae89c

SHA1
e1739e7bb2ef2b82b1a779bdb84567be2b12390a

SHA256
f982d6d0ac2b629724408d7d089c911fca0e828786528d9270ddac3593497d97

SHA512
56b7aa0866ea47aff9d40646e82cd95f53b2f582f830f12d33720e1e2fdb4521de76be5ad0afa9d71ea5e7f09c5e3969e459e36399e207073d85ca9d774b5be4

Download Submit
C:\Windows\System\qQcdFOY.exe

Filesize
5.0MB

MD5
44c723492f5565203f3b5b715611df4a

SHA1
f14096e2993f5f73ad4eb147ac80a4aaebbb6b8c

SHA256
4fe1ddeb22479ccb516df201056d02409ece18cb55cbf41032215b3bfb04d849

SHA512
7f05a36097ca8002bcf6bc4966d8fab54ac7974bf544761f2336530cd846023990c033e557bb817cb9aa0e751411ca1fb918187d4438dc6cf0ee7fe356ce4640

Download Submit
C:\Windows\System\qoeubFP.exe

Filesize
5.0MB

MD5
b0df4ba215f65e6c801f325c792eeca8

SHA1
5a23772a08ab28f3f6fa7b8ba656b1b0a5588ef4

SHA256
5ae5a958d983d338b0eaa57ba2b65b654fa84e423877ff915f65cb6d8fe8f6fd

SHA512
d339cbd9afd5904809bfc66af361c5c2ae7374d1ef0d760660f308c76c0c71c37ba0a3b6f45d6c4968ea0b67b5af99bc0523ca6682ac956f1530e6a50caecf88

Download Submit
C:\Windows\System\qtazOEt.exe

Filesize
5.0MB

MD5
e22fa4bf8e66a6786506fbc129d7d878

SHA1
ea45139f8b84b794dcc29174f2dbb331ad4a75fd

SHA256
7bbf2c7392dcf4d287752c30ce1c95303c4ff09a3c16aca5fa01a5d6eb33e190

SHA512
de547ec33668e08cdf140d41d524d5b5f0300751a00ffd0d88cf549b5ab004250b1c8bb2c4d76c4ff45722a56fea979ff8f8307aaca172f4c951b06076e888d8

Download Submit
C:\Windows\System\uKxDdgK.exe

Filesize
5.0MB

MD5
082ffe75fc71d1e36e5859616d2b6d44

SHA1
29777d3297453d6a85afc49d1de7a21dfaf7f8a3

SHA256
2a9b8f9fe624f5279ebe04bcb918d5198b8e84037986e4c2a30658122d36e4f9

SHA512
bbfa69937b7ea391d27d14f8b4be79e5d72f4d27f57cef1caaee874d2469adfa4c5e83b712e20276b1d9ebccf3fbef9b9af97f6b6228d70c5f8c0a50e323b404

Download Submit
C:\Windows\System\vdwiQTA.exe

Filesize
8B

MD5
9a0015125aa420d4d07d351c530831ca

SHA1
a3326c016429670b0daf82d1ade4cda2e48f0388

SHA256
00e6ae3acba6f391579d0638488ca8b8fb89114354e9029b06ca8d52f63af39e

SHA512
bb00bcdb1012a6e96980b14aaef118962dcb9bf0b615eecce820ba6a22d906794d2e2aa530ce7e923246fe84d6447829881048a77992a8509be01af7f1fce80d

Download Submit
memory/396-1191-0x00007FF63B340000-0x00007FF63B733000-memory.dmp

Filesize
3.9MB

Download
memory/396-2129-0x00007FF63B340000-0x00007FF63B733000-memory.dmp

Filesize
3.9MB

Download
memory/752-1208-0x00007FF766F10000-0x00007FF767303000-memory.dmp

Filesize
3.9MB

Download
memory/752-2134-0x00007FF766F10000-0x00007FF767303000-memory.dmp

Filesize
3.9MB

Download
memory/1144-12-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp

Filesize
3.9MB

Download
memory/1144-1229-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2112-0x00007FF7C9740000-0x00007FF7C9B33000-memory.dmp

Filesize
3.9MB

Download
memory/1436-1203-0x00007FF7C6C20000-0x00007FF7C7013000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2124-0x00007FF7C6C20000-0x00007FF7C7013000-memory.dmp

Filesize
3.9MB

Download
memory/1728-1224-0x00007FF728320000-0x00007FF728713000-memory.dmp

Filesize
3.9MB

Download
memory/1728-2122-0x00007FF728320000-0x00007FF728713000-memory.dmp

Filesize
3.9MB

Download
memory/1876-2113-0x00007FF635F60000-0x00007FF636353000-memory.dmp

Filesize
3.9MB

Download
memory/1876-18-0x00007FF635F60000-0x00007FF636353000-memory.dmp

Filesize
3.9MB

Download
memory/1876-1297-0x00007FF635F60000-0x00007FF636353000-memory.dmp

Filesize
3.9MB

Download
memory/1960-400-0x000001C71FF70000-0x000001C720716000-memory.dmp

Filesize
7.6MB

Download
memory/1960-70-0x000001C7067F0000-0x000001C706812000-memory.dmp

Filesize
136KB

Download
memory/2104-2123-0x00007FF789000000-0x00007FF7893F3000-memory.dmp

Filesize
3.9MB

Download
memory/2104-1202-0x00007FF789000000-0x00007FF7893F3000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2125-0x00007FF6CD910000-0x00007FF6CDD03000-memory.dmp

Filesize
3.9MB

Download
memory/2108-1197-0x00007FF6CD910000-0x00007FF6CDD03000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2118-0x00007FF7C2EA0000-0x00007FF7C3293000-memory.dmp

Filesize
3.9MB

Download
memory/2148-42-0x00007FF7C2EA0000-0x00007FF7C3293000-memory.dmp

Filesize
3.9MB

Download
memory/2148-1560-0x00007FF7C2EA0000-0x00007FF7C3293000-memory.dmp

Filesize
3.9MB

Download
memory/2228-6-0x00007FF79F570000-0x00007FF79F963000-memory.dmp

Filesize
3.9MB

Download
memory/2228-2111-0x00007FF79F570000-0x00007FF79F963000-memory.dmp

Filesize
3.9MB

Download
memory/2228-1219-0x00007FF79F570000-0x00007FF79F963000-memory.dmp

Filesize
3.9MB

Download
memory/2652-1192-0x00007FF6FEE50000-0x00007FF6FF243000-memory.dmp

Filesize
3.9MB

Download
memory/2652-2128-0x00007FF6FEE50000-0x00007FF6FF243000-memory.dmp

Filesize
3.9MB

Download
memory/3204-2121-0x00007FF73BAC0000-0x00007FF73BEB3000-memory.dmp

Filesize
3.9MB

Download
memory/3204-1187-0x00007FF73BAC0000-0x00007FF73BEB3000-memory.dmp

Filesize
3.9MB

Download
memory/3440-1210-0x00007FF79B180000-0x00007FF79B573000-memory.dmp

Filesize
3.9MB

Download
memory/3440-2133-0x00007FF79B180000-0x00007FF79B573000-memory.dmp

Filesize
3.9MB

Download
memory/3448-1521-0x00007FF6A8BF0000-0x00007FF6A8FE3000-memory.dmp

Filesize
3.9MB

Download
memory/3448-2115-0x00007FF6A8BF0000-0x00007FF6A8FE3000-memory.dmp

Filesize
3.9MB

Download
memory/3448-37-0x00007FF6A8BF0000-0x00007FF6A8FE3000-memory.dmp

Filesize
3.9MB

Download
memory/3568-56-0x00007FF775A40000-0x00007FF775E33000-memory.dmp

Filesize
3.9MB

Download
memory/3568-2119-0x00007FF775A40000-0x00007FF775E33000-memory.dmp

Filesize
3.9MB

Download
memory/3568-1633-0x00007FF775A40000-0x00007FF775E33000-memory.dmp

Filesize
3.9MB

Download
memory/4044-1369-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp

Filesize
3.9MB

Download
memory/4044-27-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2116-0x00007FF616AF0000-0x00007FF616EE3000-memory.dmp

Filesize
3.9MB

Download
memory/4168-62-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp

Filesize
3.9MB

Download
memory/4168-0-0x00007FF7B1260000-0x00007FF7B1653000-memory.dmp

Filesize
3.9MB

Download
memory/4168-1-0x000001D497B00000-0x000001D497B10000-memory.dmp

Filesize
64KB

Download
memory/4300-2127-0x00007FF729400000-0x00007FF7297F3000-memory.dmp

Filesize
3.9MB

Download
memory/4300-1193-0x00007FF729400000-0x00007FF7297F3000-memory.dmp

Filesize
3.9MB

Download
memory/4336-1626-0x00007FF78BD70000-0x00007FF78C163000-memory.dmp

Filesize
3.9MB

Download
memory/4336-48-0x00007FF78BD70000-0x00007FF78C163000-memory.dmp

Filesize
3.9MB

Download
memory/4336-2117-0x00007FF78BD70000-0x00007FF78C163000-memory.dmp

Filesize
3.9MB

Download
memory/4360-1214-0x00007FF77D690000-0x00007FF77DA83000-memory.dmp

Filesize
3.9MB

Download
memory/4360-2132-0x00007FF77D690000-0x00007FF77DA83000-memory.dmp

Filesize
3.9MB

Download
memory/4456-1188-0x00007FF7F4E40000-0x00007FF7F5233000-memory.dmp

Filesize
3.9MB

Download
memory/4456-2130-0x00007FF7F4E40000-0x00007FF7F5233000-memory.dmp

Filesize
3.9MB

Download
memory/4512-29-0x00007FF787E90000-0x00007FF788283000-memory.dmp

Filesize
3.9MB

Download
memory/4512-1372-0x00007FF787E90000-0x00007FF788283000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2114-0x00007FF787E90000-0x00007FF788283000-memory.dmp

Filesize
3.9MB

Download
memory/4540-2126-0x00007FF7604F0000-0x00007FF7608E3000-memory.dmp

Filesize
3.9MB

Download
memory/4540-1198-0x00007FF7604F0000-0x00007FF7608E3000-memory.dmp

Filesize
3.9MB

Download
memory/4800-1218-0x00007FF724CD0000-0x00007FF7250C3000-memory.dmp

Filesize
3.9MB

Download
memory/4800-2131-0x00007FF724CD0000-0x00007FF7250C3000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2120-0x00007FF6CB4A0000-0x00007FF6CB893000-memory.dmp

Filesize
3.9MB

Download
memory/4988-1185-0x00007FF6CB4A0000-0x00007FF6CB893000-memory.dmp

Filesize
3.9MB

Download