xmrig | 7e9e1997f679ecf01fb8a737c062d74ce560737bb6ee312a42aef980b42f372e

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
Size

2.9MB
MD5

086e89c427107ec7733231281f048bd0
SHA1

62211e0ad1fba519a98abb121937ed2424269011
SHA256

7e9e1997f679ecf01fb8a737c062d74ce560737bb6ee312a42aef980b42f372e
SHA512

b0861157cfd03fc60b4654b68012d10946f1462e3f12f00f8a86dba42b867abb80dffd27ef6784d3f8130c806ba5a099e79e3cd62932361c828dc93021bbd5fc
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkiFGlObLe:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2Rc

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/696-0-0x00007FF66B410000-0x00007FF66B806000-memory.dmp	xmrig
behavioral2/files/0x000600000002329e-4.dat	xmrig
behavioral2/files/0x000700000002342b-10.dat	xmrig
behavioral2/memory/4724-15-0x00007FF721020000-0x00007FF721416000-memory.dmp	xmrig
behavioral2/files/0x000700000002342c-25.dat	xmrig
behavioral2/files/0x0007000000023431-51.dat	xmrig
behavioral2/files/0x0008000000023430-58.dat	xmrig
behavioral2/files/0x0007000000023432-68.dat	xmrig
behavioral2/files/0x0007000000023433-77.dat	xmrig
behavioral2/files/0x0007000000023435-87.dat	xmrig
behavioral2/files/0x0007000000023437-97.dat	xmrig
behavioral2/files/0x0007000000023438-102.dat	xmrig
behavioral2/files/0x000700000002343f-131.dat	xmrig
behavioral2/files/0x0007000000023441-141.dat	xmrig
behavioral2/files/0x0007000000023442-154.dat	xmrig
behavioral2/files/0x0007000000023447-171.dat	xmrig
behavioral2/files/0x0007000000023449-181.dat	xmrig
behavioral2/files/0x0007000000023448-176.dat	xmrig
behavioral2/files/0x0007000000023446-174.dat	xmrig
behavioral2/files/0x0007000000023445-169.dat	xmrig
behavioral2/files/0x0007000000023444-164.dat	xmrig
behavioral2/files/0x0007000000023443-159.dat	xmrig
behavioral2/files/0x0007000000023440-144.dat	xmrig
behavioral2/files/0x000700000002343e-134.dat	xmrig
behavioral2/files/0x000700000002343d-129.dat	xmrig
behavioral2/files/0x000700000002343c-124.dat	xmrig
behavioral2/files/0x000700000002343b-119.dat	xmrig
behavioral2/files/0x000700000002343a-114.dat	xmrig
behavioral2/files/0x0007000000023439-109.dat	xmrig
behavioral2/files/0x0007000000023436-92.dat	xmrig
behavioral2/files/0x0007000000023434-82.dat	xmrig
behavioral2/files/0x000800000002342f-66.dat	xmrig
behavioral2/files/0x000700000002342e-54.dat	xmrig
behavioral2/memory/1428-49-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp	xmrig
behavioral2/memory/3484-41-0x00007FF7BCF60000-0x00007FF7BD356000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-40.dat	xmrig
behavioral2/memory/4476-36-0x00007FF748910000-0x00007FF748D06000-memory.dmp	xmrig
behavioral2/files/0x000800000002342a-13.dat	xmrig
behavioral2/memory/744-6-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	xmrig
behavioral2/memory/1516-845-0x00007FF67E280000-0x00007FF67E676000-memory.dmp	xmrig
behavioral2/memory/2188-851-0x00007FF6E3C20000-0x00007FF6E4016000-memory.dmp	xmrig
behavioral2/memory/2588-866-0x00007FF7BABB0000-0x00007FF7BAFA6000-memory.dmp	xmrig
behavioral2/memory/4152-898-0x00007FF6FF3C0000-0x00007FF6FF7B6000-memory.dmp	xmrig
behavioral2/memory/1776-886-0x00007FF64A440000-0x00007FF64A836000-memory.dmp	xmrig
behavioral2/memory/2116-878-0x00007FF71FE70000-0x00007FF720266000-memory.dmp	xmrig
behavioral2/memory/3816-903-0x00007FF70D320000-0x00007FF70D716000-memory.dmp	xmrig
behavioral2/memory/4224-913-0x00007FF6ED1A0000-0x00007FF6ED596000-memory.dmp	xmrig
behavioral2/memory/3188-909-0x00007FF6BBF90000-0x00007FF6BC386000-memory.dmp	xmrig
behavioral2/memory/3964-862-0x00007FF6018F0000-0x00007FF601CE6000-memory.dmp	xmrig
behavioral2/memory/4888-923-0x00007FF6BEAF0000-0x00007FF6BEEE6000-memory.dmp	xmrig
behavioral2/memory/436-926-0x00007FF60B840000-0x00007FF60BC36000-memory.dmp	xmrig
behavioral2/memory/3212-935-0x00007FF655E40000-0x00007FF656236000-memory.dmp	xmrig
behavioral2/memory/3068-936-0x00007FF628DD0000-0x00007FF6291C6000-memory.dmp	xmrig
behavioral2/memory/2568-941-0x00007FF645B40000-0x00007FF645F36000-memory.dmp	xmrig
behavioral2/memory/3312-944-0x00007FF78DD40000-0x00007FF78E136000-memory.dmp	xmrig
behavioral2/memory/508-945-0x00007FF6632B0000-0x00007FF6636A6000-memory.dmp	xmrig
behavioral2/memory/4320-939-0x00007FF6B50B0000-0x00007FF6B54A6000-memory.dmp	xmrig
behavioral2/memory/4084-931-0x00007FF7EE890000-0x00007FF7EEC86000-memory.dmp	xmrig
behavioral2/memory/744-2151-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	xmrig
behavioral2/memory/4724-2153-0x00007FF721020000-0x00007FF721416000-memory.dmp	xmrig
behavioral2/memory/1428-2154-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp	xmrig
behavioral2/memory/744-2155-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	xmrig
behavioral2/memory/4724-2156-0x00007FF721020000-0x00007FF721416000-memory.dmp	xmrig
behavioral2/memory/4476-2157-0x00007FF748910000-0x00007FF748D06000-memory.dmp	xmrig

Blocklisted process makes network request 9 IoCs

flow	pid	Process
3	4136	powershell.exe
5	4136	powershell.exe
10	4136	powershell.exe
11	4136	powershell.exe
13	4136	powershell.exe
14	4136	powershell.exe
16	4136	powershell.exe
19	4136	powershell.exe
20	4136	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4136	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
744	SiKBaBV.exe
4724	chQXryE.exe
4476	GrHLjHO.exe
3484	oQYfTIF.exe
1428	xAfkkrR.exe
1516	MJvaEin.exe
2188	PdiOPpP.exe
3964	DJKiNXn.exe
2588	mTwgYBW.exe
2116	TkrYGDX.exe
1776	eBnYHZM.exe
4152	ztZadOD.exe
3816	FPrbbkb.exe
3188	EnfCAIf.exe
4224	KfxXnVT.exe
4888	iQtvRdM.exe
436	wNcFDHs.exe
4084	bAqAbGs.exe
3212	ydRiKGw.exe
3068	MDALvjD.exe
4320	jwQazmT.exe
2568	GlHstck.exe
3312	xpYQSSZ.exe
508	kxBYMcf.exe
4768	aezcYKO.exe
3476	ORjYgcW.exe
3060	Dvtaftt.exe
5112	DLeLElx.exe
1412	chHyEbD.exe
2244	YKbnShN.exe
1988	ZUUKadh.exe
8	olroVsv.exe
3848	PnfLBYO.exe
4472	AiETBNk.exe
3608	LUGTKPN.exe
1148	LUEMfUk.exe
5088	ItbDZjL.exe
4920	aHqUjUA.exe
4808	yFNkHvg.exe
4780	JgcwBRN.exe
4288	FORmVnj.exe
2564	yzAvfEp.exe
4340	WfmaeVV.exe
1348	YAskfCx.exe
4092	OggFDMA.exe
1400	zbuSgKk.exe
4592	JSuQHKK.exe
5012	cQAhLkt.exe
1828	mcrFluj.exe
3328	EGaLwTQ.exe
1912	wLJuWWk.exe
2584	kufsDwL.exe
212	GjupbGQ.exe
3888	sEsFYPE.exe
1520	limIfyR.exe
2192	iYrKXZO.exe
2272	UEQizwZ.exe
4408	LdlHSQD.exe
4016	pSWYkMU.exe
4132	XtFxxKt.exe
4884	MHgTrKV.exe
2500	oTQZGSm.exe
4352	BiWdOnD.exe
1652	pGhOuPb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/696-0-0x00007FF66B410000-0x00007FF66B806000-memory.dmp	upx
behavioral2/files/0x000600000002329e-4.dat	upx
behavioral2/files/0x000700000002342b-10.dat	upx
behavioral2/memory/4724-15-0x00007FF721020000-0x00007FF721416000-memory.dmp	upx
behavioral2/files/0x000700000002342c-25.dat	upx
behavioral2/files/0x0007000000023431-51.dat	upx
behavioral2/files/0x0008000000023430-58.dat	upx
behavioral2/files/0x0007000000023432-68.dat	upx
behavioral2/files/0x0007000000023433-77.dat	upx
behavioral2/files/0x0007000000023435-87.dat	upx
behavioral2/files/0x0007000000023437-97.dat	upx
behavioral2/files/0x0007000000023438-102.dat	upx
behavioral2/files/0x000700000002343f-131.dat	upx
behavioral2/files/0x0007000000023441-141.dat	upx
behavioral2/files/0x0007000000023442-154.dat	upx
behavioral2/files/0x0007000000023447-171.dat	upx
behavioral2/files/0x0007000000023449-181.dat	upx
behavioral2/files/0x0007000000023448-176.dat	upx
behavioral2/files/0x0007000000023446-174.dat	upx
behavioral2/files/0x0007000000023445-169.dat	upx
behavioral2/files/0x0007000000023444-164.dat	upx
behavioral2/files/0x0007000000023443-159.dat	upx
behavioral2/files/0x0007000000023440-144.dat	upx
behavioral2/files/0x000700000002343e-134.dat	upx
behavioral2/files/0x000700000002343d-129.dat	upx
behavioral2/files/0x000700000002343c-124.dat	upx
behavioral2/files/0x000700000002343b-119.dat	upx
behavioral2/files/0x000700000002343a-114.dat	upx
behavioral2/files/0x0007000000023439-109.dat	upx
behavioral2/files/0x0007000000023436-92.dat	upx
behavioral2/files/0x0007000000023434-82.dat	upx
behavioral2/files/0x000800000002342f-66.dat	upx
behavioral2/files/0x000700000002342e-54.dat	upx
behavioral2/memory/1428-49-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp	upx
behavioral2/memory/3484-41-0x00007FF7BCF60000-0x00007FF7BD356000-memory.dmp	upx
behavioral2/files/0x000700000002342d-40.dat	upx
behavioral2/memory/4476-36-0x00007FF748910000-0x00007FF748D06000-memory.dmp	upx
behavioral2/files/0x000800000002342a-13.dat	upx
behavioral2/memory/744-6-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	upx
behavioral2/memory/1516-845-0x00007FF67E280000-0x00007FF67E676000-memory.dmp	upx
behavioral2/memory/2188-851-0x00007FF6E3C20000-0x00007FF6E4016000-memory.dmp	upx
behavioral2/memory/2588-866-0x00007FF7BABB0000-0x00007FF7BAFA6000-memory.dmp	upx
behavioral2/memory/4152-898-0x00007FF6FF3C0000-0x00007FF6FF7B6000-memory.dmp	upx
behavioral2/memory/1776-886-0x00007FF64A440000-0x00007FF64A836000-memory.dmp	upx
behavioral2/memory/2116-878-0x00007FF71FE70000-0x00007FF720266000-memory.dmp	upx
behavioral2/memory/3816-903-0x00007FF70D320000-0x00007FF70D716000-memory.dmp	upx
behavioral2/memory/4224-913-0x00007FF6ED1A0000-0x00007FF6ED596000-memory.dmp	upx
behavioral2/memory/3188-909-0x00007FF6BBF90000-0x00007FF6BC386000-memory.dmp	upx
behavioral2/memory/3964-862-0x00007FF6018F0000-0x00007FF601CE6000-memory.dmp	upx
behavioral2/memory/4888-923-0x00007FF6BEAF0000-0x00007FF6BEEE6000-memory.dmp	upx
behavioral2/memory/436-926-0x00007FF60B840000-0x00007FF60BC36000-memory.dmp	upx
behavioral2/memory/3212-935-0x00007FF655E40000-0x00007FF656236000-memory.dmp	upx
behavioral2/memory/3068-936-0x00007FF628DD0000-0x00007FF6291C6000-memory.dmp	upx
behavioral2/memory/2568-941-0x00007FF645B40000-0x00007FF645F36000-memory.dmp	upx
behavioral2/memory/3312-944-0x00007FF78DD40000-0x00007FF78E136000-memory.dmp	upx
behavioral2/memory/508-945-0x00007FF6632B0000-0x00007FF6636A6000-memory.dmp	upx
behavioral2/memory/4320-939-0x00007FF6B50B0000-0x00007FF6B54A6000-memory.dmp	upx
behavioral2/memory/4084-931-0x00007FF7EE890000-0x00007FF7EEC86000-memory.dmp	upx
behavioral2/memory/744-2151-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	upx
behavioral2/memory/4724-2153-0x00007FF721020000-0x00007FF721416000-memory.dmp	upx
behavioral2/memory/1428-2154-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp	upx
behavioral2/memory/744-2155-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp	upx
behavioral2/memory/4724-2156-0x00007FF721020000-0x00007FF721416000-memory.dmp	upx
behavioral2/memory/4476-2157-0x00007FF748910000-0x00007FF748D06000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\IaAsnEN.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\QoRnytd.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\kEiufkh.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\MHhMKkj.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\IkAuGGv.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\yTcfcLr.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\bkIyhRC.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\PtaWJNH.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\PQKHtnE.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\oHiOIns.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\pqbzMbi.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\nGcjEYc.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\XygStqC.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\RHGcIIP.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\aHqUjUA.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\XoCTBbj.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\GAloLRb.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\hjRiZyd.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\Qxxydbh.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\wLXRQsj.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ckgquIh.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\dCSjbbK.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\pHvrzys.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\PYVEEGP.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ZGwrmzY.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\gUBAmwr.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\rayHLBQ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\GIHLLHp.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\hOjtCNQ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\eKLUfFM.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\lKoGEeg.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ZgkwZZf.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\vbuyHOf.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\dxcUlJD.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\UIQCiUl.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ntFDfhR.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\vbJqZZY.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\hInMmmZ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\cwvYPHA.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\fhAjmhi.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\AWXmNmC.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\UEQizwZ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\eXlcHxg.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\NOEsyJu.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\UpfPGqt.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ENmDoUX.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\hDUanSQ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\ZYLjbdV.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\AsjNgVt.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\LjzEUwO.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\jBOnVEq.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\wbGDAEu.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\vuAPKhy.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\jPFmvdj.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\oZtFgNS.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\BGNMGAd.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\HMwTgJY.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\NGfEGCQ.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\UpNQvpm.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\VEBeFAj.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\cmSUUcz.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\hTvydzh.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\HLtGGSY.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
File created	C:\Windows\System\PDTmOIk.exe	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715515193"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring\|\"G6zFjsv96kDOfJ14fjFvrCrPL2yLFCcYMKxfWxNHtAQ=\""	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|1715558333"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeLockMemoryPrivilege	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	13148	dwm.exe
Token: SeChangeNotifyPrivilege	13148	dwm.exe
Token: 33	13148	dwm.exe
Token: SeIncBasePriorityPrivilege	13148	dwm.exe
Token: SeShutdownPrivilege	13148	dwm.exe
Token: SeCreatePagefilePrivilege	13148	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
12844	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4136	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	83
PID 696 wrote to memory of 4136	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	83
PID 696 wrote to memory of 744	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	84
PID 696 wrote to memory of 744	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	84
PID 696 wrote to memory of 4724	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	85
PID 696 wrote to memory of 4724	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	85
PID 696 wrote to memory of 4476	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	86
PID 696 wrote to memory of 4476	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	86
PID 696 wrote to memory of 3484	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	87
PID 696 wrote to memory of 3484	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	87
PID 696 wrote to memory of 1428	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	88
PID 696 wrote to memory of 1428	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	88
PID 696 wrote to memory of 1516	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	89
PID 696 wrote to memory of 1516	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	89
PID 696 wrote to memory of 2188	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	90
PID 696 wrote to memory of 2188	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	90
PID 696 wrote to memory of 3964	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	91
PID 696 wrote to memory of 3964	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	91
PID 696 wrote to memory of 2588	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	92
PID 696 wrote to memory of 2588	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	92
PID 696 wrote to memory of 2116	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	93
PID 696 wrote to memory of 2116	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	93
PID 696 wrote to memory of 1776	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	94
PID 696 wrote to memory of 1776	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	94
PID 696 wrote to memory of 4152	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	95
PID 696 wrote to memory of 4152	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	95
PID 696 wrote to memory of 3816	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	96
PID 696 wrote to memory of 3816	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	96
PID 696 wrote to memory of 3188	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	97
PID 696 wrote to memory of 3188	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	97
PID 696 wrote to memory of 4224	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	98
PID 696 wrote to memory of 4224	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	98
PID 696 wrote to memory of 4888	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	99
PID 696 wrote to memory of 4888	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	99
PID 696 wrote to memory of 436	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	100
PID 696 wrote to memory of 436	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	100
PID 696 wrote to memory of 4084	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	101
PID 696 wrote to memory of 4084	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	101
PID 696 wrote to memory of 3212	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	102
PID 696 wrote to memory of 3212	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	102
PID 696 wrote to memory of 3068	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	103
PID 696 wrote to memory of 3068	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	103
PID 696 wrote to memory of 4320	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	104
PID 696 wrote to memory of 4320	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	104
PID 696 wrote to memory of 2568	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	105
PID 696 wrote to memory of 2568	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	105
PID 696 wrote to memory of 3312	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	106
PID 696 wrote to memory of 3312	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	106
PID 696 wrote to memory of 508	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	107
PID 696 wrote to memory of 508	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	107
PID 696 wrote to memory of 4768	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	108
PID 696 wrote to memory of 4768	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	108
PID 696 wrote to memory of 3476	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	109
PID 696 wrote to memory of 3476	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	109
PID 696 wrote to memory of 3060	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	110
PID 696 wrote to memory of 3060	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	110
PID 696 wrote to memory of 5112	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	111
PID 696 wrote to memory of 5112	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	111
PID 696 wrote to memory of 1412	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	112
PID 696 wrote to memory of 1412	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	112
PID 696 wrote to memory of 2244	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	113
PID 696 wrote to memory of 2244	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	113
PID 696 wrote to memory of 1988	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	114
PID 696 wrote to memory of 1988	696	086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\086e89c427107ec7733231281f048bd0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System\SiKBaBV.exe
  C:\Windows\System\SiKBaBV.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\chQXryE.exe
  C:\Windows\System\chQXryE.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\GrHLjHO.exe
  C:\Windows\System\GrHLjHO.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\oQYfTIF.exe
  C:\Windows\System\oQYfTIF.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\xAfkkrR.exe
  C:\Windows\System\xAfkkrR.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\MJvaEin.exe
  C:\Windows\System\MJvaEin.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\PdiOPpP.exe
  C:\Windows\System\PdiOPpP.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\DJKiNXn.exe
  C:\Windows\System\DJKiNXn.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\mTwgYBW.exe
  C:\Windows\System\mTwgYBW.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\TkrYGDX.exe
  C:\Windows\System\TkrYGDX.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\eBnYHZM.exe
  C:\Windows\System\eBnYHZM.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\ztZadOD.exe
  C:\Windows\System\ztZadOD.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\FPrbbkb.exe
  C:\Windows\System\FPrbbkb.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\EnfCAIf.exe
  C:\Windows\System\EnfCAIf.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\KfxXnVT.exe
  C:\Windows\System\KfxXnVT.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\iQtvRdM.exe
  C:\Windows\System\iQtvRdM.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\wNcFDHs.exe
  C:\Windows\System\wNcFDHs.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\bAqAbGs.exe
  C:\Windows\System\bAqAbGs.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\ydRiKGw.exe
  C:\Windows\System\ydRiKGw.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\MDALvjD.exe
  C:\Windows\System\MDALvjD.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\jwQazmT.exe
  C:\Windows\System\jwQazmT.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\GlHstck.exe
  C:\Windows\System\GlHstck.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\xpYQSSZ.exe
  C:\Windows\System\xpYQSSZ.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\kxBYMcf.exe
  C:\Windows\System\kxBYMcf.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\aezcYKO.exe
  C:\Windows\System\aezcYKO.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\ORjYgcW.exe
  C:\Windows\System\ORjYgcW.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\Dvtaftt.exe
  C:\Windows\System\Dvtaftt.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\DLeLElx.exe
  C:\Windows\System\DLeLElx.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\chHyEbD.exe
  C:\Windows\System\chHyEbD.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\YKbnShN.exe
  C:\Windows\System\YKbnShN.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\ZUUKadh.exe
  C:\Windows\System\ZUUKadh.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\olroVsv.exe
  C:\Windows\System\olroVsv.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\PnfLBYO.exe
  C:\Windows\System\PnfLBYO.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\AiETBNk.exe
  C:\Windows\System\AiETBNk.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\LUGTKPN.exe
  C:\Windows\System\LUGTKPN.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\LUEMfUk.exe
  C:\Windows\System\LUEMfUk.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\ItbDZjL.exe
  C:\Windows\System\ItbDZjL.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\aHqUjUA.exe
  C:\Windows\System\aHqUjUA.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\yFNkHvg.exe
  C:\Windows\System\yFNkHvg.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\JgcwBRN.exe
  C:\Windows\System\JgcwBRN.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\FORmVnj.exe
  C:\Windows\System\FORmVnj.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\yzAvfEp.exe
  C:\Windows\System\yzAvfEp.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\WfmaeVV.exe
  C:\Windows\System\WfmaeVV.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\YAskfCx.exe
  C:\Windows\System\YAskfCx.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\OggFDMA.exe
  C:\Windows\System\OggFDMA.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\zbuSgKk.exe
  C:\Windows\System\zbuSgKk.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\JSuQHKK.exe
  C:\Windows\System\JSuQHKK.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\cQAhLkt.exe
  C:\Windows\System\cQAhLkt.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\mcrFluj.exe
  C:\Windows\System\mcrFluj.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\EGaLwTQ.exe
  C:\Windows\System\EGaLwTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\wLJuWWk.exe
  C:\Windows\System\wLJuWWk.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\kufsDwL.exe
  C:\Windows\System\kufsDwL.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\GjupbGQ.exe
  C:\Windows\System\GjupbGQ.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\sEsFYPE.exe
  C:\Windows\System\sEsFYPE.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\limIfyR.exe
  C:\Windows\System\limIfyR.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\iYrKXZO.exe
  C:\Windows\System\iYrKXZO.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\UEQizwZ.exe
  C:\Windows\System\UEQizwZ.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\LdlHSQD.exe
  C:\Windows\System\LdlHSQD.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\pSWYkMU.exe
  C:\Windows\System\pSWYkMU.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\XtFxxKt.exe
  C:\Windows\System\XtFxxKt.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\MHgTrKV.exe
  C:\Windows\System\MHgTrKV.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\oTQZGSm.exe
  C:\Windows\System\oTQZGSm.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\BiWdOnD.exe
  C:\Windows\System\BiWdOnD.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\pGhOuPb.exe
  C:\Windows\System\pGhOuPb.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\FypvMZh.exe
  C:\Windows\System\FypvMZh.exe
  2⤵
  PID:1956
- C:\Windows\System\mlvihqg.exe
  C:\Windows\System\mlvihqg.exe
  2⤵
  PID:2932
- C:\Windows\System\BjlxUaW.exe
  C:\Windows\System\BjlxUaW.exe
  2⤵
  PID:1628
- C:\Windows\System\YuJcGhS.exe
  C:\Windows\System\YuJcGhS.exe
  2⤵
  PID:3496
- C:\Windows\System\AqhXEUQ.exe
  C:\Windows\System\AqhXEUQ.exe
  2⤵
  PID:540
- C:\Windows\System\GNipLoA.exe
  C:\Windows\System\GNipLoA.exe
  2⤵
  PID:5148
- C:\Windows\System\yOQTLhS.exe
  C:\Windows\System\yOQTLhS.exe
  2⤵
  PID:5176
- C:\Windows\System\GyMPToj.exe
  C:\Windows\System\GyMPToj.exe
  2⤵
  PID:5204
- C:\Windows\System\jknwXbk.exe
  C:\Windows\System\jknwXbk.exe
  2⤵
  PID:5232
- C:\Windows\System\qaMWsDO.exe
  C:\Windows\System\qaMWsDO.exe
  2⤵
  PID:5260
- C:\Windows\System\KdTzrqr.exe
  C:\Windows\System\KdTzrqr.exe
  2⤵
  PID:5284
- C:\Windows\System\fsKHwuS.exe
  C:\Windows\System\fsKHwuS.exe
  2⤵
  PID:5320
- C:\Windows\System\ngUxKGP.exe
  C:\Windows\System\ngUxKGP.exe
  2⤵
  PID:5344
- C:\Windows\System\KSiqWXJ.exe
  C:\Windows\System\KSiqWXJ.exe
  2⤵
  PID:5372
- C:\Windows\System\AFmZxcG.exe
  C:\Windows\System\AFmZxcG.exe
  2⤵
  PID:5400
- C:\Windows\System\XGLTdGU.exe
  C:\Windows\System\XGLTdGU.exe
  2⤵
  PID:5428
- C:\Windows\System\zDYSHRU.exe
  C:\Windows\System\zDYSHRU.exe
  2⤵
  PID:5456
- C:\Windows\System\THCLuFj.exe
  C:\Windows\System\THCLuFj.exe
  2⤵
  PID:5480
- C:\Windows\System\ZGyimqR.exe
  C:\Windows\System\ZGyimqR.exe
  2⤵
  PID:5512
- C:\Windows\System\xdhSBZf.exe
  C:\Windows\System\xdhSBZf.exe
  2⤵
  PID:5540
- C:\Windows\System\fIwMbun.exe
  C:\Windows\System\fIwMbun.exe
  2⤵
  PID:5568
- C:\Windows\System\nfQrptO.exe
  C:\Windows\System\nfQrptO.exe
  2⤵
  PID:5596
- C:\Windows\System\MxsSxJh.exe
  C:\Windows\System\MxsSxJh.exe
  2⤵
  PID:5624
- C:\Windows\System\NwHaPsK.exe
  C:\Windows\System\NwHaPsK.exe
  2⤵
  PID:5652
- C:\Windows\System\XRFlajq.exe
  C:\Windows\System\XRFlajq.exe
  2⤵
  PID:5680
- C:\Windows\System\TXNDXNk.exe
  C:\Windows\System\TXNDXNk.exe
  2⤵
  PID:5708
- C:\Windows\System\pLiJlqD.exe
  C:\Windows\System\pLiJlqD.exe
  2⤵
  PID:5736
- C:\Windows\System\giCtidc.exe
  C:\Windows\System\giCtidc.exe
  2⤵
  PID:5764
- C:\Windows\System\UpNQvpm.exe
  C:\Windows\System\UpNQvpm.exe
  2⤵
  PID:5800
- C:\Windows\System\mwxEezs.exe
  C:\Windows\System\mwxEezs.exe
  2⤵
  PID:5832
- C:\Windows\System\XBRbKzA.exe
  C:\Windows\System\XBRbKzA.exe
  2⤵
  PID:5860
- C:\Windows\System\ykIGIDp.exe
  C:\Windows\System\ykIGIDp.exe
  2⤵
  PID:5888
- C:\Windows\System\XajNtfo.exe
  C:\Windows\System\XajNtfo.exe
  2⤵
  PID:5916
- C:\Windows\System\YGuktVD.exe
  C:\Windows\System\YGuktVD.exe
  2⤵
  PID:5944
- C:\Windows\System\wcrzSeQ.exe
  C:\Windows\System\wcrzSeQ.exe
  2⤵
  PID:5972
- C:\Windows\System\PBXDTss.exe
  C:\Windows\System\PBXDTss.exe
  2⤵
  PID:6000
- C:\Windows\System\bgcdezO.exe
  C:\Windows\System\bgcdezO.exe
  2⤵
  PID:6028
- C:\Windows\System\lpTUnFE.exe
  C:\Windows\System\lpTUnFE.exe
  2⤵
  PID:6056
- C:\Windows\System\szWMyjC.exe
  C:\Windows\System\szWMyjC.exe
  2⤵
  PID:6084
- C:\Windows\System\mbtELmU.exe
  C:\Windows\System\mbtELmU.exe
  2⤵
  PID:6112
- C:\Windows\System\UfLWfmG.exe
  C:\Windows\System\UfLWfmG.exe
  2⤵
  PID:6136
- C:\Windows\System\obldlGF.exe
  C:\Windows\System\obldlGF.exe
  2⤵
  PID:4904
- C:\Windows\System\houZDsF.exe
  C:\Windows\System\houZDsF.exe
  2⤵
  PID:2380
- C:\Windows\System\YYMEeXA.exe
  C:\Windows\System\YYMEeXA.exe
  2⤵
  PID:2384
- C:\Windows\System\BZsIMbD.exe
  C:\Windows\System\BZsIMbD.exe
  2⤵
  PID:3612
- C:\Windows\System\YGQmWLW.exe
  C:\Windows\System\YGQmWLW.exe
  2⤵
  PID:5136
- C:\Windows\System\UMLvbxS.exe
  C:\Windows\System\UMLvbxS.exe
  2⤵
  PID:5192
- C:\Windows\System\RXGFczf.exe
  C:\Windows\System\RXGFczf.exe
  2⤵
  PID:5252
- C:\Windows\System\hZsLbAi.exe
  C:\Windows\System\hZsLbAi.exe
  2⤵
  PID:5336
- C:\Windows\System\tsvIZih.exe
  C:\Windows\System\tsvIZih.exe
  2⤵
  PID:5392
- C:\Windows\System\lUsEQaw.exe
  C:\Windows\System\lUsEQaw.exe
  2⤵
  PID:5468
- C:\Windows\System\eXlcHxg.exe
  C:\Windows\System\eXlcHxg.exe
  2⤵
  PID:5528
- C:\Windows\System\pYPbzBx.exe
  C:\Windows\System\pYPbzBx.exe
  2⤵
  PID:5588
- C:\Windows\System\KFiBuyE.exe
  C:\Windows\System\KFiBuyE.exe
  2⤵
  PID:5664
- C:\Windows\System\nStMpPh.exe
  C:\Windows\System\nStMpPh.exe
  2⤵
  PID:5720
- C:\Windows\System\FKLthyk.exe
  C:\Windows\System\FKLthyk.exe
  2⤵
  PID:5792
- C:\Windows\System\TfldgrF.exe
  C:\Windows\System\TfldgrF.exe
  2⤵
  PID:5852
- C:\Windows\System\UwkRqXa.exe
  C:\Windows\System\UwkRqXa.exe
  2⤵
  PID:5936
- C:\Windows\System\zrrnebk.exe
  C:\Windows\System\zrrnebk.exe
  2⤵
  PID:5992
- C:\Windows\System\DokZGLM.exe
  C:\Windows\System\DokZGLM.exe
  2⤵
  PID:6068
- C:\Windows\System\OGjmEcW.exe
  C:\Windows\System\OGjmEcW.exe
  2⤵
  PID:6104
- C:\Windows\System\hNdIbyx.exe
  C:\Windows\System\hNdIbyx.exe
  2⤵
  PID:4748
- C:\Windows\System\YdhIYhH.exe
  C:\Windows\System\YdhIYhH.exe
  2⤵
  PID:2460
- C:\Windows\System\WveNycz.exe
  C:\Windows\System\WveNycz.exe
  2⤵
  PID:5164
- C:\Windows\System\WzCLqzm.exe
  C:\Windows\System\WzCLqzm.exe
  2⤵
  PID:5304
- C:\Windows\System\yAnhQuC.exe
  C:\Windows\System\yAnhQuC.exe
  2⤵
  PID:5444
- C:\Windows\System\wrIvLZs.exe
  C:\Windows\System\wrIvLZs.exe
  2⤵
  PID:5616
- C:\Windows\System\lwdEwtg.exe
  C:\Windows\System\lwdEwtg.exe
  2⤵
  PID:5756
- C:\Windows\System\JfqhJvJ.exe
  C:\Windows\System\JfqhJvJ.exe
  2⤵
  PID:5932
- C:\Windows\System\tioJAYq.exe
  C:\Windows\System\tioJAYq.exe
  2⤵
  PID:6172
- C:\Windows\System\SsHLODF.exe
  C:\Windows\System\SsHLODF.exe
  2⤵
  PID:6200
- C:\Windows\System\UUvxbpl.exe
  C:\Windows\System\UUvxbpl.exe
  2⤵
  PID:6228
- C:\Windows\System\RdgKFkv.exe
  C:\Windows\System\RdgKFkv.exe
  2⤵
  PID:6252
- C:\Windows\System\nqOkfgD.exe
  C:\Windows\System\nqOkfgD.exe
  2⤵
  PID:6284
- C:\Windows\System\UkHpJnv.exe
  C:\Windows\System\UkHpJnv.exe
  2⤵
  PID:6308
- C:\Windows\System\FgKGfth.exe
  C:\Windows\System\FgKGfth.exe
  2⤵
  PID:6336
- C:\Windows\System\ovqLmWl.exe
  C:\Windows\System\ovqLmWl.exe
  2⤵
  PID:6372
- C:\Windows\System\xxbMfNU.exe
  C:\Windows\System\xxbMfNU.exe
  2⤵
  PID:6396
- C:\Windows\System\MRgdjKU.exe
  C:\Windows\System\MRgdjKU.exe
  2⤵
  PID:6424
- C:\Windows\System\cTxuDTX.exe
  C:\Windows\System\cTxuDTX.exe
  2⤵
  PID:6452
- C:\Windows\System\LzDJiWp.exe
  C:\Windows\System\LzDJiWp.exe
  2⤵
  PID:6480
- C:\Windows\System\VEBeFAj.exe
  C:\Windows\System\VEBeFAj.exe
  2⤵
  PID:6508
- C:\Windows\System\HuPajWj.exe
  C:\Windows\System\HuPajWj.exe
  2⤵
  PID:6536
- C:\Windows\System\PswzbhC.exe
  C:\Windows\System\PswzbhC.exe
  2⤵
  PID:6568
- C:\Windows\System\ODlFTjK.exe
  C:\Windows\System\ODlFTjK.exe
  2⤵
  PID:6592
- C:\Windows\System\NujLlgA.exe
  C:\Windows\System\NujLlgA.exe
  2⤵
  PID:6620
- C:\Windows\System\tyXGHjh.exe
  C:\Windows\System\tyXGHjh.exe
  2⤵
  PID:6648
- C:\Windows\System\VaCLfpb.exe
  C:\Windows\System\VaCLfpb.exe
  2⤵
  PID:6676
- C:\Windows\System\FytbiIm.exe
  C:\Windows\System\FytbiIm.exe
  2⤵
  PID:6704
- C:\Windows\System\gfsCfyx.exe
  C:\Windows\System\gfsCfyx.exe
  2⤵
  PID:6732
- C:\Windows\System\eRLFAUL.exe
  C:\Windows\System\eRLFAUL.exe
  2⤵
  PID:6760
- C:\Windows\System\ixgNzQk.exe
  C:\Windows\System\ixgNzQk.exe
  2⤵
  PID:6788
- C:\Windows\System\CnDSnkH.exe
  C:\Windows\System\CnDSnkH.exe
  2⤵
  PID:6816
- C:\Windows\System\OzMqzVo.exe
  C:\Windows\System\OzMqzVo.exe
  2⤵
  PID:6844
- C:\Windows\System\uuhGaIO.exe
  C:\Windows\System\uuhGaIO.exe
  2⤵
  PID:6872
- C:\Windows\System\jyJhNnd.exe
  C:\Windows\System\jyJhNnd.exe
  2⤵
  PID:6900
- C:\Windows\System\QKdGXxn.exe
  C:\Windows\System\QKdGXxn.exe
  2⤵
  PID:6928
- C:\Windows\System\iXfZPmA.exe
  C:\Windows\System\iXfZPmA.exe
  2⤵
  PID:6956
- C:\Windows\System\EbczXSK.exe
  C:\Windows\System\EbczXSK.exe
  2⤵
  PID:6984
- C:\Windows\System\RaLDrvL.exe
  C:\Windows\System\RaLDrvL.exe
  2⤵
  PID:7012
- C:\Windows\System\UXGzLwo.exe
  C:\Windows\System\UXGzLwo.exe
  2⤵
  PID:7040
- C:\Windows\System\oEFZeFj.exe
  C:\Windows\System\oEFZeFj.exe
  2⤵
  PID:7068
- C:\Windows\System\vNNChOt.exe
  C:\Windows\System\vNNChOt.exe
  2⤵
  PID:7096
- C:\Windows\System\dBSfZEC.exe
  C:\Windows\System\dBSfZEC.exe
  2⤵
  PID:7124
- C:\Windows\System\xYLvVEs.exe
  C:\Windows\System\xYLvVEs.exe
  2⤵
  PID:7152
- C:\Windows\System\RpWGUhA.exe
  C:\Windows\System\RpWGUhA.exe
  2⤵
  PID:6020
- C:\Windows\System\TAufKzH.exe
  C:\Windows\System\TAufKzH.exe
  2⤵
  PID:1812
- C:\Windows\System\IkryXgr.exe
  C:\Windows\System\IkryXgr.exe
  2⤵
  PID:1784
- C:\Windows\System\TXrkaXd.exe
  C:\Windows\System\TXrkaXd.exe
  2⤵
  PID:5420
- C:\Windows\System\GKUWTyh.exe
  C:\Windows\System\GKUWTyh.exe
  2⤵
  PID:5700
- C:\Windows\System\ANXXuCv.exe
  C:\Windows\System\ANXXuCv.exe
  2⤵
  PID:6184
- C:\Windows\System\JBEYmnr.exe
  C:\Windows\System\JBEYmnr.exe
  2⤵
  PID:6248
- C:\Windows\System\VbojzZd.exe
  C:\Windows\System\VbojzZd.exe
  2⤵
  PID:6324
- C:\Windows\System\VItcGap.exe
  C:\Windows\System\VItcGap.exe
  2⤵
  PID:6388
- C:\Windows\System\xzvyPjC.exe
  C:\Windows\System\xzvyPjC.exe
  2⤵
  PID:6444
- C:\Windows\System\RgJNeYS.exe
  C:\Windows\System\RgJNeYS.exe
  2⤵
  PID:6520
- C:\Windows\System\koTkYsx.exe
  C:\Windows\System\koTkYsx.exe
  2⤵
  PID:6584
- C:\Windows\System\pOuFfdY.exe
  C:\Windows\System\pOuFfdY.exe
  2⤵
  PID:6640
- C:\Windows\System\KnWjmNN.exe
  C:\Windows\System\KnWjmNN.exe
  2⤵
  PID:6716
- C:\Windows\System\ufkIwHg.exe
  C:\Windows\System\ufkIwHg.exe
  2⤵
  PID:6772
- C:\Windows\System\coIDMtU.exe
  C:\Windows\System\coIDMtU.exe
  2⤵
  PID:6832
- C:\Windows\System\AiiYvSc.exe
  C:\Windows\System\AiiYvSc.exe
  2⤵
  PID:6912
- C:\Windows\System\EzACObF.exe
  C:\Windows\System\EzACObF.exe
  2⤵
  PID:6968
- C:\Windows\System\YAZsezI.exe
  C:\Windows\System\YAZsezI.exe
  2⤵
  PID:7028
- C:\Windows\System\aczGTPq.exe
  C:\Windows\System\aczGTPq.exe
  2⤵
  PID:7088
- C:\Windows\System\nEQReoh.exe
  C:\Windows\System\nEQReoh.exe
  2⤵
  PID:7140
- C:\Windows\System\fxSsglM.exe
  C:\Windows\System\fxSsglM.exe
  2⤵
  PID:4972
- C:\Windows\System\nurTzak.exe
  C:\Windows\System\nurTzak.exe
  2⤵
  PID:5560
- C:\Windows\System\DNlUiIj.exe
  C:\Windows\System\DNlUiIj.exe
  2⤵
  PID:6220
- C:\Windows\System\jZzDwMv.exe
  C:\Windows\System\jZzDwMv.exe
  2⤵
  PID:6360
- C:\Windows\System\lEblKhx.exe
  C:\Windows\System\lEblKhx.exe
  2⤵
  PID:6492
- C:\Windows\System\romsKeq.exe
  C:\Windows\System\romsKeq.exe
  2⤵
  PID:6612
- C:\Windows\System\yfXvwKo.exe
  C:\Windows\System\yfXvwKo.exe
  2⤵
  PID:6748
- C:\Windows\System\dvgIxgc.exe
  C:\Windows\System\dvgIxgc.exe
  2⤵
  PID:6888
- C:\Windows\System\AaRHAbc.exe
  C:\Windows\System\AaRHAbc.exe
  2⤵
  PID:7004
- C:\Windows\System\tWqBkMC.exe
  C:\Windows\System\tWqBkMC.exe
  2⤵
  PID:7136
- C:\Windows\System\MmsqOLK.exe
  C:\Windows\System\MmsqOLK.exe
  2⤵
  PID:7172
- C:\Windows\System\ICDFzCS.exe
  C:\Windows\System\ICDFzCS.exe
  2⤵
  PID:7200
- C:\Windows\System\WRfzwtC.exe
  C:\Windows\System\WRfzwtC.exe
  2⤵
  PID:7228
- C:\Windows\System\UtbnAvb.exe
  C:\Windows\System\UtbnAvb.exe
  2⤵
  PID:7256
- C:\Windows\System\QZsQjqy.exe
  C:\Windows\System\QZsQjqy.exe
  2⤵
  PID:7284
- C:\Windows\System\GtKwUhe.exe
  C:\Windows\System\GtKwUhe.exe
  2⤵
  PID:7312
- C:\Windows\System\RRomDOv.exe
  C:\Windows\System\RRomDOv.exe
  2⤵
  PID:7340
- C:\Windows\System\bKPFRNg.exe
  C:\Windows\System\bKPFRNg.exe
  2⤵
  PID:7364
- C:\Windows\System\IrwmwKe.exe
  C:\Windows\System\IrwmwKe.exe
  2⤵
  PID:7392
- C:\Windows\System\botExQa.exe
  C:\Windows\System\botExQa.exe
  2⤵
  PID:7424
- C:\Windows\System\hccyUvE.exe
  C:\Windows\System\hccyUvE.exe
  2⤵
  PID:7452
- C:\Windows\System\fXFpMjG.exe
  C:\Windows\System\fXFpMjG.exe
  2⤵
  PID:7480
- C:\Windows\System\TYtqNwq.exe
  C:\Windows\System\TYtqNwq.exe
  2⤵
  PID:7508
- C:\Windows\System\chwVnyx.exe
  C:\Windows\System\chwVnyx.exe
  2⤵
  PID:7536
- C:\Windows\System\avXTfnx.exe
  C:\Windows\System\avXTfnx.exe
  2⤵
  PID:7564
- C:\Windows\System\oGxkgre.exe
  C:\Windows\System\oGxkgre.exe
  2⤵
  PID:7592
- C:\Windows\System\gKPQCqd.exe
  C:\Windows\System\gKPQCqd.exe
  2⤵
  PID:7620
- C:\Windows\System\rWWQRDw.exe
  C:\Windows\System\rWWQRDw.exe
  2⤵
  PID:7644
- C:\Windows\System\PmgbkuG.exe
  C:\Windows\System\PmgbkuG.exe
  2⤵
  PID:7672
- C:\Windows\System\FhweXhE.exe
  C:\Windows\System\FhweXhE.exe
  2⤵
  PID:7704
- C:\Windows\System\Yswbgju.exe
  C:\Windows\System\Yswbgju.exe
  2⤵
  PID:7732
- C:\Windows\System\jKCGClk.exe
  C:\Windows\System\jKCGClk.exe
  2⤵
  PID:7760
- C:\Windows\System\apfrwft.exe
  C:\Windows\System\apfrwft.exe
  2⤵
  PID:7784
- C:\Windows\System\DXSzHjE.exe
  C:\Windows\System\DXSzHjE.exe
  2⤵
  PID:7816
- C:\Windows\System\SCFoRBi.exe
  C:\Windows\System\SCFoRBi.exe
  2⤵
  PID:7844
- C:\Windows\System\kghtdLb.exe
  C:\Windows\System\kghtdLb.exe
  2⤵
  PID:7872
- C:\Windows\System\PEVCByl.exe
  C:\Windows\System\PEVCByl.exe
  2⤵
  PID:7900
- C:\Windows\System\THywxcL.exe
  C:\Windows\System\THywxcL.exe
  2⤵
  PID:7928
- C:\Windows\System\ZUvBiVF.exe
  C:\Windows\System\ZUvBiVF.exe
  2⤵
  PID:7956
- C:\Windows\System\dMGwBkz.exe
  C:\Windows\System\dMGwBkz.exe
  2⤵
  PID:7984
- C:\Windows\System\nfSaWUR.exe
  C:\Windows\System\nfSaWUR.exe
  2⤵
  PID:8008
- C:\Windows\System\kCHplfO.exe
  C:\Windows\System\kCHplfO.exe
  2⤵
  PID:8036
- C:\Windows\System\auOhhFH.exe
  C:\Windows\System\auOhhFH.exe
  2⤵
  PID:8068
- C:\Windows\System\RBgrxtw.exe
  C:\Windows\System\RBgrxtw.exe
  2⤵
  PID:8096
- C:\Windows\System\ZDuBVHX.exe
  C:\Windows\System\ZDuBVHX.exe
  2⤵
  PID:8124
- C:\Windows\System\FZHWUSu.exe
  C:\Windows\System\FZHWUSu.exe
  2⤵
  PID:8152
- C:\Windows\System\lZLrOnB.exe
  C:\Windows\System\lZLrOnB.exe
  2⤵
  PID:8180
- C:\Windows\System\pSeVPfc.exe
  C:\Windows\System\pSeVPfc.exe
  2⤵
  PID:6352
- C:\Windows\System\pcUqYeI.exe
  C:\Windows\System\pcUqYeI.exe
  2⤵
  PID:6692
- C:\Windows\System\MRmvFTN.exe
  C:\Windows\System\MRmvFTN.exe
  2⤵
  PID:5020
- C:\Windows\System\eZCtjYc.exe
  C:\Windows\System\eZCtjYc.exe
  2⤵
  PID:5248
- C:\Windows\System\EvjQlbi.exe
  C:\Windows\System\EvjQlbi.exe
  2⤵
  PID:7240
- C:\Windows\System\YRqfbcG.exe
  C:\Windows\System\YRqfbcG.exe
  2⤵
  PID:7300
- C:\Windows\System\xyocpqL.exe
  C:\Windows\System\xyocpqL.exe
  2⤵
  PID:7356
- C:\Windows\System\dHQdqLG.exe
  C:\Windows\System\dHQdqLG.exe
  2⤵
  PID:3972
- C:\Windows\System\toFsrqM.exe
  C:\Windows\System\toFsrqM.exe
  2⤵
  PID:4896
- C:\Windows\System\yVejGrt.exe
  C:\Windows\System\yVejGrt.exe
  2⤵
  PID:7500
- C:\Windows\System\reBeQhG.exe
  C:\Windows\System\reBeQhG.exe
  2⤵
  PID:7576
- C:\Windows\System\aNFKclY.exe
  C:\Windows\System\aNFKclY.exe
  2⤵
  PID:7632
- C:\Windows\System\bSZGFas.exe
  C:\Windows\System\bSZGFas.exe
  2⤵
  PID:7688
- C:\Windows\System\cpRJjXp.exe
  C:\Windows\System\cpRJjXp.exe
  2⤵
  PID:7888
- C:\Windows\System\JYssKBI.exe
  C:\Windows\System\JYssKBI.exe
  2⤵
  PID:7920
- C:\Windows\System\ZAnVvnp.exe
  C:\Windows\System\ZAnVvnp.exe
  2⤵
  PID:7972
- C:\Windows\System\zQoABKp.exe
  C:\Windows\System\zQoABKp.exe
  2⤵
  PID:8000
- C:\Windows\System\YZBVUHR.exe
  C:\Windows\System\YZBVUHR.exe
  2⤵
  PID:8028
- C:\Windows\System\HUIkldk.exe
  C:\Windows\System\HUIkldk.exe
  2⤵
  PID:8080
- C:\Windows\System\GAuPyMg.exe
  C:\Windows\System\GAuPyMg.exe
  2⤵
  PID:8108
- C:\Windows\System\WtCVOhZ.exe
  C:\Windows\System\WtCVOhZ.exe
  2⤵
  PID:4296
- C:\Windows\System\WtCiTaT.exe
  C:\Windows\System\WtCiTaT.exe
  2⤵
  PID:8168
- C:\Windows\System\WMqrqPf.exe
  C:\Windows\System\WMqrqPf.exe
  2⤵
  PID:4784
- C:\Windows\System\OFJBjGZ.exe
  C:\Windows\System\OFJBjGZ.exe
  2⤵
  PID:6864
- C:\Windows\System\ahxkdSq.exe
  C:\Windows\System\ahxkdSq.exe
  2⤵
  PID:2912
- C:\Windows\System\uVVOJan.exe
  C:\Windows\System\uVVOJan.exe
  2⤵
  PID:7272
- C:\Windows\System\SeNiPLZ.exe
  C:\Windows\System\SeNiPLZ.exe
  2⤵
  PID:3616
- C:\Windows\System\MJacqdZ.exe
  C:\Windows\System\MJacqdZ.exe
  2⤵
  PID:7388
- C:\Windows\System\IUFNQQA.exe
  C:\Windows\System\IUFNQQA.exe
  2⤵
  PID:7496
- C:\Windows\System\fFEUUbL.exe
  C:\Windows\System\fFEUUbL.exe
  2⤵
  PID:2448
- C:\Windows\System\MWLakPe.exe
  C:\Windows\System\MWLakPe.exe
  2⤵
  PID:2936
- C:\Windows\System\vaytRmh.exe
  C:\Windows\System\vaytRmh.exe
  2⤵
  PID:7608
- C:\Windows\System\nugZvIB.exe
  C:\Windows\System\nugZvIB.exe
  2⤵
  PID:7772
- C:\Windows\System\nWvFLSu.exe
  C:\Windows\System\nWvFLSu.exe
  2⤵
  PID:5080
- C:\Windows\System\qYBEBoo.exe
  C:\Windows\System\qYBEBoo.exe
  2⤵
  PID:4964
- C:\Windows\System\JnWEFtD.exe
  C:\Windows\System\JnWEFtD.exe
  2⤵
  PID:4552
- C:\Windows\System\oHNGLJv.exe
  C:\Windows\System\oHNGLJv.exe
  2⤵
  PID:3420
- C:\Windows\System\phxdPRg.exe
  C:\Windows\System\phxdPRg.exe
  2⤵
  PID:7916
- C:\Windows\System\rTYZQZW.exe
  C:\Windows\System\rTYZQZW.exe
  2⤵
  PID:1884
- C:\Windows\System\wAyDAKp.exe
  C:\Windows\System\wAyDAKp.exe
  2⤵
  PID:4756
- C:\Windows\System\JVzgFOY.exe
  C:\Windows\System\JVzgFOY.exe
  2⤵
  PID:640
- C:\Windows\System\ZhKuvuF.exe
  C:\Windows\System\ZhKuvuF.exe
  2⤵
  PID:4956
- C:\Windows\System\fRggnxb.exe
  C:\Windows\System\fRggnxb.exe
  2⤵
  PID:3216
- C:\Windows\System\VQPdRAZ.exe
  C:\Windows\System\VQPdRAZ.exe
  2⤵
  PID:7968
- C:\Windows\System\OcltnRU.exe
  C:\Windows\System\OcltnRU.exe
  2⤵
  PID:8088
- C:\Windows\System\OWeeFoG.exe
  C:\Windows\System\OWeeFoG.exe
  2⤵
  PID:7860
- C:\Windows\System\NtiFnxo.exe
  C:\Windows\System\NtiFnxo.exe
  2⤵
  PID:3468
- C:\Windows\System\FoiLyfP.exe
  C:\Windows\System\FoiLyfP.exe
  2⤵
  PID:2608
- C:\Windows\System\ICSAIzr.exe
  C:\Windows\System\ICSAIzr.exe
  2⤵
  PID:3480
- C:\Windows\System\gvbpSRk.exe
  C:\Windows\System\gvbpSRk.exe
  2⤵
  PID:2304
- C:\Windows\System\mqUYCsR.exe
  C:\Windows\System\mqUYCsR.exe
  2⤵
  PID:4184
- C:\Windows\System\pvvEXYe.exe
  C:\Windows\System\pvvEXYe.exe
  2⤵
  PID:8200
- C:\Windows\System\BbrhplM.exe
  C:\Windows\System\BbrhplM.exe
  2⤵
  PID:8220
- C:\Windows\System\FcKRAzP.exe
  C:\Windows\System\FcKRAzP.exe
  2⤵
  PID:8240
- C:\Windows\System\fdHIfQH.exe
  C:\Windows\System\fdHIfQH.exe
  2⤵
  PID:8280
- C:\Windows\System\UXBjfXn.exe
  C:\Windows\System\UXBjfXn.exe
  2⤵
  PID:8304
- C:\Windows\System\vENFSZL.exe
  C:\Windows\System\vENFSZL.exe
  2⤵
  PID:8332
- C:\Windows\System\oiRrzJg.exe
  C:\Windows\System\oiRrzJg.exe
  2⤵
  PID:8364
- C:\Windows\System\aacUaer.exe
  C:\Windows\System\aacUaer.exe
  2⤵
  PID:8384
- C:\Windows\System\VtXlJMu.exe
  C:\Windows\System\VtXlJMu.exe
  2⤵
  PID:8420
- C:\Windows\System\lhucvVO.exe
  C:\Windows\System\lhucvVO.exe
  2⤵
  PID:8460
- C:\Windows\System\BUnWmgV.exe
  C:\Windows\System\BUnWmgV.exe
  2⤵
  PID:8480
- C:\Windows\System\ALiTEQx.exe
  C:\Windows\System\ALiTEQx.exe
  2⤵
  PID:8520
- C:\Windows\System\WRPRKgq.exe
  C:\Windows\System\WRPRKgq.exe
  2⤵
  PID:8568
- C:\Windows\System\prfNiUm.exe
  C:\Windows\System\prfNiUm.exe
  2⤵
  PID:8592
- C:\Windows\System\MXQNltp.exe
  C:\Windows\System\MXQNltp.exe
  2⤵
  PID:8616
- C:\Windows\System\WYElNwx.exe
  C:\Windows\System\WYElNwx.exe
  2⤵
  PID:8656
- C:\Windows\System\VkVkiVE.exe
  C:\Windows\System\VkVkiVE.exe
  2⤵
  PID:8680
- C:\Windows\System\rpUAZkC.exe
  C:\Windows\System\rpUAZkC.exe
  2⤵
  PID:8720
- C:\Windows\System\aBBIlSc.exe
  C:\Windows\System\aBBIlSc.exe
  2⤵
  PID:8748
- C:\Windows\System\WgQRaTR.exe
  C:\Windows\System\WgQRaTR.exe
  2⤵
  PID:8772
- C:\Windows\System\VkcliHa.exe
  C:\Windows\System\VkcliHa.exe
  2⤵
  PID:8808
- C:\Windows\System\GilcqOY.exe
  C:\Windows\System\GilcqOY.exe
  2⤵
  PID:8836
- C:\Windows\System\XnDdObt.exe
  C:\Windows\System\XnDdObt.exe
  2⤵
  PID:8864
- C:\Windows\System\DhqsVzG.exe
  C:\Windows\System\DhqsVzG.exe
  2⤵
  PID:8900
- C:\Windows\System\lbpyuUs.exe
  C:\Windows\System\lbpyuUs.exe
  2⤵
  PID:8932
- C:\Windows\System\hxPbUWm.exe
  C:\Windows\System\hxPbUWm.exe
  2⤵
  PID:8968
- C:\Windows\System\beifEcm.exe
  C:\Windows\System\beifEcm.exe
  2⤵
  PID:9020
- C:\Windows\System\oUyZJCE.exe
  C:\Windows\System\oUyZJCE.exe
  2⤵
  PID:9044
- C:\Windows\System\APvbHXl.exe
  C:\Windows\System\APvbHXl.exe
  2⤵
  PID:9084
- C:\Windows\System\nAnRraI.exe
  C:\Windows\System\nAnRraI.exe
  2⤵
  PID:9132
- C:\Windows\System\arKMHcG.exe
  C:\Windows\System\arKMHcG.exe
  2⤵
  PID:9200
- C:\Windows\System\eVhiIYi.exe
  C:\Windows\System\eVhiIYi.exe
  2⤵
  PID:8212
- C:\Windows\System\KTBPseW.exe
  C:\Windows\System\KTBPseW.exe
  2⤵
  PID:8444
- C:\Windows\System\UzCnYAl.exe
  C:\Windows\System\UzCnYAl.exe
  2⤵
  PID:8576
- C:\Windows\System\ecVTVHI.exe
  C:\Windows\System\ecVTVHI.exe
  2⤵
  PID:8828
- C:\Windows\System\GUgHtCh.exe
  C:\Windows\System\GUgHtCh.exe
  2⤵
  PID:8908
- C:\Windows\System\WWPCoOl.exe
  C:\Windows\System\WWPCoOl.exe
  2⤵
  PID:8984
- C:\Windows\System\lERVUSo.exe
  C:\Windows\System\lERVUSo.exe
  2⤵
  PID:9104
- C:\Windows\System\CgPqVIS.exe
  C:\Windows\System\CgPqVIS.exe
  2⤵
  PID:8328
- C:\Windows\System\KNUCOKK.exe
  C:\Windows\System\KNUCOKK.exe
  2⤵
  PID:9176
- C:\Windows\System\lElTmaE.exe
  C:\Windows\System\lElTmaE.exe
  2⤵
  PID:8440
- C:\Windows\System\XEymaWX.exe
  C:\Windows\System\XEymaWX.exe
  2⤵
  PID:8588
- C:\Windows\System\nQspFiv.exe
  C:\Windows\System\nQspFiv.exe
  2⤵
  PID:8896
- C:\Windows\System\xwJWkaG.exe
  C:\Windows\System\xwJWkaG.exe
  2⤵
  PID:8948
- C:\Windows\System\luQpUUu.exe
  C:\Windows\System\luQpUUu.exe
  2⤵
  PID:9052
- C:\Windows\System\GrTkaWs.exe
  C:\Windows\System\GrTkaWs.exe
  2⤵
  PID:8216
- C:\Windows\System\WTLmKrp.exe
  C:\Windows\System\WTLmKrp.exe
  2⤵
  PID:8232
- C:\Windows\System\cEMahfh.exe
  C:\Windows\System\cEMahfh.exe
  2⤵
  PID:8516
- C:\Windows\System\NFTkSyR.exe
  C:\Windows\System\NFTkSyR.exe
  2⤵
  PID:8608
- C:\Windows\System\goJklDy.exe
  C:\Windows\System\goJklDy.exe
  2⤵
  PID:8964
- C:\Windows\System\NNaETQp.exe
  C:\Windows\System\NNaETQp.exe
  2⤵
  PID:9076
- C:\Windows\System\toGSnIC.exe
  C:\Windows\System\toGSnIC.exe
  2⤵
  PID:9168
- C:\Windows\System\YHLPAwq.exe
  C:\Windows\System\YHLPAwq.exe
  2⤵
  PID:8492
- C:\Windows\System\rqBxaVq.exe
  C:\Windows\System\rqBxaVq.exe
  2⤵
  PID:8856
- C:\Windows\System\xESzqrt.exe
  C:\Windows\System\xESzqrt.exe
  2⤵
  PID:8300
- C:\Windows\System\QSbsGbD.exe
  C:\Windows\System\QSbsGbD.exe
  2⤵
  PID:9068
- C:\Windows\System\yaWFfkl.exe
  C:\Windows\System\yaWFfkl.exe
  2⤵
  PID:8612
- C:\Windows\System\EkYbnkD.exe
  C:\Windows\System\EkYbnkD.exe
  2⤵
  PID:8792
- C:\Windows\System\JUDUcDh.exe
  C:\Windows\System\JUDUcDh.exe
  2⤵
  PID:3916
- C:\Windows\System\vGXpxjI.exe
  C:\Windows\System\vGXpxjI.exe
  2⤵
  PID:9160
- C:\Windows\System\dWAkSzS.exe
  C:\Windows\System\dWAkSzS.exe
  2⤵
  PID:8832
- C:\Windows\System\zKUXpwP.exe
  C:\Windows\System\zKUXpwP.exe
  2⤵
  PID:9004
- C:\Windows\System\iPZJuBv.exe
  C:\Windows\System\iPZJuBv.exe
  2⤵
  PID:8536
- C:\Windows\System\xoNlOis.exe
  C:\Windows\System\xoNlOis.exe
  2⤵
  PID:9248
- C:\Windows\System\xwspzCJ.exe
  C:\Windows\System\xwspzCJ.exe
  2⤵
  PID:9280
- C:\Windows\System\QZBYuwo.exe
  C:\Windows\System\QZBYuwo.exe
  2⤵
  PID:9320
- C:\Windows\System\DabEcZT.exe
  C:\Windows\System\DabEcZT.exe
  2⤵
  PID:9360
- C:\Windows\System\YUxsEqD.exe
  C:\Windows\System\YUxsEqD.exe
  2⤵
  PID:9376
- C:\Windows\System\jSjMEuz.exe
  C:\Windows\System\jSjMEuz.exe
  2⤵
  PID:9428
- C:\Windows\System\NVinjJA.exe
  C:\Windows\System\NVinjJA.exe
  2⤵
  PID:9448
- C:\Windows\System\KqWGvAv.exe
  C:\Windows\System\KqWGvAv.exe
  2⤵
  PID:9496
- C:\Windows\System\rwlVDmj.exe
  C:\Windows\System\rwlVDmj.exe
  2⤵
  PID:9532
- C:\Windows\System\cAavAWJ.exe
  C:\Windows\System\cAavAWJ.exe
  2⤵
  PID:9568
- C:\Windows\System\fLHgaaP.exe
  C:\Windows\System\fLHgaaP.exe
  2⤵
  PID:9604
- C:\Windows\System\ZYLjbdV.exe
  C:\Windows\System\ZYLjbdV.exe
  2⤵
  PID:9640
- C:\Windows\System\cVfibok.exe
  C:\Windows\System\cVfibok.exe
  2⤵
  PID:9676
- C:\Windows\System\ekbQEtm.exe
  C:\Windows\System\ekbQEtm.exe
  2⤵
  PID:9696
- C:\Windows\System\eFpHEON.exe
  C:\Windows\System\eFpHEON.exe
  2⤵
  PID:9736
- C:\Windows\System\sOGbaiu.exe
  C:\Windows\System\sOGbaiu.exe
  2⤵
  PID:9772
- C:\Windows\System\XSzbaeH.exe
  C:\Windows\System\XSzbaeH.exe
  2⤵
  PID:9820
- C:\Windows\System\ponZIyr.exe
  C:\Windows\System\ponZIyr.exe
  2⤵
  PID:9852
- C:\Windows\System\ZaywvaY.exe
  C:\Windows\System\ZaywvaY.exe
  2⤵
  PID:9868
- C:\Windows\System\jUodvdR.exe
  C:\Windows\System\jUodvdR.exe
  2⤵
  PID:9908
- C:\Windows\System\oLODrKT.exe
  C:\Windows\System\oLODrKT.exe
  2⤵
  PID:9932
- C:\Windows\System\toVtaIo.exe
  C:\Windows\System\toVtaIo.exe
  2⤵
  PID:9972
- C:\Windows\System\kFwCcco.exe
  C:\Windows\System\kFwCcco.exe
  2⤵
  PID:10020
- C:\Windows\System\umjwoit.exe
  C:\Windows\System\umjwoit.exe
  2⤵
  PID:10048
- C:\Windows\System\udzyvWV.exe
  C:\Windows\System\udzyvWV.exe
  2⤵
  PID:10064
- C:\Windows\System\xBSFMZI.exe
  C:\Windows\System\xBSFMZI.exe
  2⤵
  PID:10104
- C:\Windows\System\efmAYPi.exe
  C:\Windows\System\efmAYPi.exe
  2⤵
  PID:10132
- C:\Windows\System\FKItvuu.exe
  C:\Windows\System\FKItvuu.exe
  2⤵
  PID:10160
- C:\Windows\System\oalUniJ.exe
  C:\Windows\System\oalUniJ.exe
  2⤵
  PID:10188
- C:\Windows\System\NxDhtPr.exe
  C:\Windows\System\NxDhtPr.exe
  2⤵
  PID:10220
- C:\Windows\System\dBNHAwM.exe
  C:\Windows\System\dBNHAwM.exe
  2⤵
  PID:8392
- C:\Windows\System\gwxpygb.exe
  C:\Windows\System\gwxpygb.exe
  2⤵
  PID:9268
- C:\Windows\System\AknLhMW.exe
  C:\Windows\System\AknLhMW.exe
  2⤵
  PID:9336
- C:\Windows\System\vaLCiLL.exe
  C:\Windows\System\vaLCiLL.exe
  2⤵
  PID:9396
- C:\Windows\System\ONCcorM.exe
  C:\Windows\System\ONCcorM.exe
  2⤵
  PID:9416
- C:\Windows\System\EapkDFX.exe
  C:\Windows\System\EapkDFX.exe
  2⤵
  PID:9508
- C:\Windows\System\EJEgQcf.exe
  C:\Windows\System\EJEgQcf.exe
  2⤵
  PID:9552
- C:\Windows\System\Aahjeza.exe
  C:\Windows\System\Aahjeza.exe
  2⤵
  PID:9600
- C:\Windows\System\gTYsGZq.exe
  C:\Windows\System\gTYsGZq.exe
  2⤵
  PID:9648
- C:\Windows\System\bAQkoEa.exe
  C:\Windows\System\bAQkoEa.exe
  2⤵
  PID:9728
- C:\Windows\System\sCbCOWk.exe
  C:\Windows\System\sCbCOWk.exe
  2⤵
  PID:9752
- C:\Windows\System\DXHrUpX.exe
  C:\Windows\System\DXHrUpX.exe
  2⤵
  PID:9812
- C:\Windows\System\NoMyhyJ.exe
  C:\Windows\System\NoMyhyJ.exe
  2⤵
  PID:9892
- C:\Windows\System\GldCIiA.exe
  C:\Windows\System\GldCIiA.exe
  2⤵
  PID:9952
- C:\Windows\System\IqFXjXh.exe
  C:\Windows\System\IqFXjXh.exe
  2⤵
  PID:10040
- C:\Windows\System\HMaRspk.exe
  C:\Windows\System\HMaRspk.exe
  2⤵
  PID:10088
- C:\Windows\System\uRRlEqn.exe
  C:\Windows\System\uRRlEqn.exe
  2⤵
  PID:10172
- C:\Windows\System\uJmUcII.exe
  C:\Windows\System\uJmUcII.exe
  2⤵
  PID:9244
- C:\Windows\System\EbSMbjg.exe
  C:\Windows\System\EbSMbjg.exe
  2⤵
  PID:9352
- C:\Windows\System\duqmxaa.exe
  C:\Windows\System\duqmxaa.exe
  2⤵
  PID:9436
- C:\Windows\System\oQxdtFT.exe
  C:\Windows\System\oQxdtFT.exe
  2⤵
  PID:9588
- C:\Windows\System\PDUmgfg.exe
  C:\Windows\System\PDUmgfg.exe
  2⤵
  PID:9692
- C:\Windows\System\bVBlObe.exe
  C:\Windows\System\bVBlObe.exe
  2⤵
  PID:9864
- C:\Windows\System\zMkPFYd.exe
  C:\Windows\System\zMkPFYd.exe
  2⤵
  PID:10060
- C:\Windows\System\xLlXCPw.exe
  C:\Windows\System\xLlXCPw.exe
  2⤵
  PID:10116
- C:\Windows\System\qXZVgnu.exe
  C:\Windows\System\qXZVgnu.exe
  2⤵
  PID:9476
- C:\Windows\System\Iifrrbs.exe
  C:\Windows\System\Iifrrbs.exe
  2⤵
  PID:9656
- C:\Windows\System\BpWKEjN.exe
  C:\Windows\System\BpWKEjN.exe
  2⤵
  PID:9944
- C:\Windows\System\cLGoDEY.exe
  C:\Windows\System\cLGoDEY.exe
  2⤵
  PID:9524
- C:\Windows\System\HhVtDva.exe
  C:\Windows\System\HhVtDva.exe
  2⤵
  PID:10248
- C:\Windows\System\RQxLOIl.exe
  C:\Windows\System\RQxLOIl.exe
  2⤵
  PID:10276
- C:\Windows\System\AfCwaIM.exe
  C:\Windows\System\AfCwaIM.exe
  2⤵
  PID:10292
- C:\Windows\System\QHoQGIn.exe
  C:\Windows\System\QHoQGIn.exe
  2⤵
  PID:10324
- C:\Windows\System\lPWTScS.exe
  C:\Windows\System\lPWTScS.exe
  2⤵
  PID:10364
- C:\Windows\System\WxTivAR.exe
  C:\Windows\System\WxTivAR.exe
  2⤵
  PID:10412
- C:\Windows\System\PeSMCiM.exe
  C:\Windows\System\PeSMCiM.exe
  2⤵
  PID:10440
- C:\Windows\System\zOzHAjR.exe
  C:\Windows\System\zOzHAjR.exe
  2⤵
  PID:10456
- C:\Windows\System\fzpeKrc.exe
  C:\Windows\System\fzpeKrc.exe
  2⤵
  PID:10500
- C:\Windows\System\OIuPocz.exe
  C:\Windows\System\OIuPocz.exe
  2⤵
  PID:10528
- C:\Windows\System\ZHFoaiC.exe
  C:\Windows\System\ZHFoaiC.exe
  2⤵
  PID:10544
- C:\Windows\System\VuxPmjg.exe
  C:\Windows\System\VuxPmjg.exe
  2⤵
  PID:10584
- C:\Windows\System\JSJHmBD.exe
  C:\Windows\System\JSJHmBD.exe
  2⤵
  PID:10612
- C:\Windows\System\gtrvmzd.exe
  C:\Windows\System\gtrvmzd.exe
  2⤵
  PID:10644
- C:\Windows\System\xMbbKeQ.exe
  C:\Windows\System\xMbbKeQ.exe
  2⤵
  PID:10672
- C:\Windows\System\trxYCgp.exe
  C:\Windows\System\trxYCgp.exe
  2⤵
  PID:10704
- C:\Windows\System\jnMHGAX.exe
  C:\Windows\System\jnMHGAX.exe
  2⤵
  PID:10732
- C:\Windows\System\poOGOPM.exe
  C:\Windows\System\poOGOPM.exe
  2⤵
  PID:10760
- C:\Windows\System\VxvGfQI.exe
  C:\Windows\System\VxvGfQI.exe
  2⤵
  PID:10788
- C:\Windows\System\NLiaZwg.exe
  C:\Windows\System\NLiaZwg.exe
  2⤵
  PID:10820
- C:\Windows\System\sWpWtyD.exe
  C:\Windows\System\sWpWtyD.exe
  2⤵
  PID:10848
- C:\Windows\System\oGqVhAw.exe
  C:\Windows\System\oGqVhAw.exe
  2⤵
  PID:10876
- C:\Windows\System\xwHvxRW.exe
  C:\Windows\System\xwHvxRW.exe
  2⤵
  PID:10904
- C:\Windows\System\dVxfxEg.exe
  C:\Windows\System\dVxfxEg.exe
  2⤵
  PID:10920
- C:\Windows\System\reIpvwP.exe
  C:\Windows\System\reIpvwP.exe
  2⤵
  PID:10960
- C:\Windows\System\TTLfTQN.exe
  C:\Windows\System\TTLfTQN.exe
  2⤵
  PID:10988
- C:\Windows\System\XeeBkug.exe
  C:\Windows\System\XeeBkug.exe
  2⤵
  PID:11016
- C:\Windows\System\nAoRKtJ.exe
  C:\Windows\System\nAoRKtJ.exe
  2⤵
  PID:11044
- C:\Windows\System\maFFOfC.exe
  C:\Windows\System\maFFOfC.exe
  2⤵
  PID:11072
- C:\Windows\System\QZlcWGd.exe
  C:\Windows\System\QZlcWGd.exe
  2⤵
  PID:11088
- C:\Windows\System\Kkuhhpp.exe
  C:\Windows\System\Kkuhhpp.exe
  2⤵
  PID:11128
- C:\Windows\System\rflRhZk.exe
  C:\Windows\System\rflRhZk.exe
  2⤵
  PID:11144
- C:\Windows\System\SQWGbcQ.exe
  C:\Windows\System\SQWGbcQ.exe
  2⤵
  PID:11184
- C:\Windows\System\eoHtsZV.exe
  C:\Windows\System\eoHtsZV.exe
  2⤵
  PID:11212
- C:\Windows\System\mBHPwpw.exe
  C:\Windows\System\mBHPwpw.exe
  2⤵
  PID:11240
- C:\Windows\System\gWgPYhk.exe
  C:\Windows\System\gWgPYhk.exe
  2⤵
  PID:10084
- C:\Windows\System\pHvrzys.exe
  C:\Windows\System\pHvrzys.exe
  2⤵
  PID:10264
- C:\Windows\System\duULzVM.exe
  C:\Windows\System\duULzVM.exe
  2⤵
  PID:10208
- C:\Windows\System\dDOavXV.exe
  C:\Windows\System\dDOavXV.exe
  2⤵
  PID:10484
- C:\Windows\System\aQnlMqc.exe
  C:\Windows\System\aQnlMqc.exe
  2⤵
  PID:10556
- C:\Windows\System\WqowjQQ.exe
  C:\Windows\System\WqowjQQ.exe
  2⤵
  PID:10628
- C:\Windows\System\ezWcehx.exe
  C:\Windows\System\ezWcehx.exe
  2⤵
  PID:10684
- C:\Windows\System\BEbENxO.exe
  C:\Windows\System\BEbENxO.exe
  2⤵
  PID:10756
- C:\Windows\System\ZvoJLrl.exe
  C:\Windows\System\ZvoJLrl.exe
  2⤵
  PID:10800
- C:\Windows\System\VRWjjbd.exe
  C:\Windows\System\VRWjjbd.exe
  2⤵
  PID:10860
- C:\Windows\System\uGThQjm.exe
  C:\Windows\System\uGThQjm.exe
  2⤵
  PID:10932
- C:\Windows\System\zzfmaGW.exe
  C:\Windows\System\zzfmaGW.exe
  2⤵
  PID:11012
- C:\Windows\System\mROCmeU.exe
  C:\Windows\System\mROCmeU.exe
  2⤵
  PID:11084
- C:\Windows\System\QRVfrGX.exe
  C:\Windows\System\QRVfrGX.exe
  2⤵
  PID:11156
- C:\Windows\System\zhXeJbI.exe
  C:\Windows\System\zhXeJbI.exe
  2⤵
  PID:3168
- C:\Windows\System\zlUBxgO.exe
  C:\Windows\System\zlUBxgO.exe
  2⤵
  PID:10260
- C:\Windows\System\bMlrBhy.exe
  C:\Windows\System\bMlrBhy.exe
  2⤵
  PID:10452
- C:\Windows\System\rffkxnL.exe
  C:\Windows\System\rffkxnL.exe
  2⤵
  PID:10664
- C:\Windows\System\YgJWuYi.exe
  C:\Windows\System\YgJWuYi.exe
  2⤵
  PID:10832
- C:\Windows\System\CdDlYwc.exe
  C:\Windows\System\CdDlYwc.exe
  2⤵
  PID:10980
- C:\Windows\System\WuRmGQG.exe
  C:\Windows\System\WuRmGQG.exe
  2⤵
  PID:11056
- C:\Windows\System\htJtPqe.exe
  C:\Windows\System\htJtPqe.exe
  2⤵
  PID:11208
- C:\Windows\System\TLzqjIq.exe
  C:\Windows\System\TLzqjIq.exe
  2⤵
  PID:10720
- C:\Windows\System\VcZqDPe.exe
  C:\Windows\System\VcZqDPe.exe
  2⤵
  PID:10748
- C:\Windows\System\tFGnpve.exe
  C:\Windows\System\tFGnpve.exe
  2⤵
  PID:11036
- C:\Windows\System\QjuImGi.exe
  C:\Windows\System\QjuImGi.exe
  2⤵
  PID:10376
- C:\Windows\System\AFGDlno.exe
  C:\Windows\System\AFGDlno.exe
  2⤵
  PID:9920
- C:\Windows\System\YAdtdAC.exe
  C:\Windows\System\YAdtdAC.exe
  2⤵
  PID:10000
- C:\Windows\System\YMxEhwo.exe
  C:\Windows\System\YMxEhwo.exe
  2⤵
  PID:11260
- C:\Windows\System\UBbnYIB.exe
  C:\Windows\System\UBbnYIB.exe
  2⤵
  PID:11272
- C:\Windows\System\taKXjIx.exe
  C:\Windows\System\taKXjIx.exe
  2⤵
  PID:11300
- C:\Windows\System\DixDcWE.exe
  C:\Windows\System\DixDcWE.exe
  2⤵
  PID:11332
- C:\Windows\System\FFzXCLo.exe
  C:\Windows\System\FFzXCLo.exe
  2⤵
  PID:11364
- C:\Windows\System\KoYSZyy.exe
  C:\Windows\System\KoYSZyy.exe
  2⤵
  PID:11396
- C:\Windows\System\PYUjhDI.exe
  C:\Windows\System\PYUjhDI.exe
  2⤵
  PID:11432
- C:\Windows\System\dpzNVlg.exe
  C:\Windows\System\dpzNVlg.exe
  2⤵
  PID:11468
- C:\Windows\System\SBRCbLh.exe
  C:\Windows\System\SBRCbLh.exe
  2⤵
  PID:11496
- C:\Windows\System\nPqwAqY.exe
  C:\Windows\System\nPqwAqY.exe
  2⤵
  PID:11528
- C:\Windows\System\JUubcjj.exe
  C:\Windows\System\JUubcjj.exe
  2⤵
  PID:11572
- C:\Windows\System\CyDFitq.exe
  C:\Windows\System\CyDFitq.exe
  2⤵
  PID:11592
- C:\Windows\System\XsfJVUg.exe
  C:\Windows\System\XsfJVUg.exe
  2⤵
  PID:11632
- C:\Windows\System\ubfhICq.exe
  C:\Windows\System\ubfhICq.exe
  2⤵
  PID:11664
- C:\Windows\System\jEkQvEp.exe
  C:\Windows\System\jEkQvEp.exe
  2⤵
  PID:11684
- C:\Windows\System\Dgqwnlc.exe
  C:\Windows\System\Dgqwnlc.exe
  2⤵
  PID:11720
- C:\Windows\System\mWrHTaO.exe
  C:\Windows\System\mWrHTaO.exe
  2⤵
  PID:11748
- C:\Windows\System\BUJsyeA.exe
  C:\Windows\System\BUJsyeA.exe
  2⤵
  PID:11776
- C:\Windows\System\zvfMjwn.exe
  C:\Windows\System\zvfMjwn.exe
  2⤵
  PID:11796
- C:\Windows\System\jegXbas.exe
  C:\Windows\System\jegXbas.exe
  2⤵
  PID:11844
- C:\Windows\System\AKBjWQg.exe
  C:\Windows\System\AKBjWQg.exe
  2⤵
  PID:11872
- C:\Windows\System\WLnawUJ.exe
  C:\Windows\System\WLnawUJ.exe
  2⤵
  PID:11900
- C:\Windows\System\LJUmAPL.exe
  C:\Windows\System\LJUmAPL.exe
  2⤵
  PID:11924
- C:\Windows\System\jdxDqLG.exe
  C:\Windows\System\jdxDqLG.exe
  2⤵
  PID:11944
- C:\Windows\System\JDPBIzr.exe
  C:\Windows\System\JDPBIzr.exe
  2⤵
  PID:11972
- C:\Windows\System\SeHZEwE.exe
  C:\Windows\System\SeHZEwE.exe
  2⤵
  PID:12000
- C:\Windows\System\EfFBmsU.exe
  C:\Windows\System\EfFBmsU.exe
  2⤵
  PID:12028
- C:\Windows\System\hgLIfgW.exe
  C:\Windows\System\hgLIfgW.exe
  2⤵
  PID:12068
- C:\Windows\System\ExDObdt.exe
  C:\Windows\System\ExDObdt.exe
  2⤵
  PID:12096
- C:\Windows\System\yGlTHbf.exe
  C:\Windows\System\yGlTHbf.exe
  2⤵
  PID:12124
- C:\Windows\System\hzeZTKM.exe
  C:\Windows\System\hzeZTKM.exe
  2⤵
  PID:12152
- C:\Windows\System\wEDmJcR.exe
  C:\Windows\System\wEDmJcR.exe
  2⤵
  PID:12180
- C:\Windows\System\aWgpbkM.exe
  C:\Windows\System\aWgpbkM.exe
  2⤵
  PID:12212
- C:\Windows\System\PpUvFHU.exe
  C:\Windows\System\PpUvFHU.exe
  2⤵
  PID:12240
- C:\Windows\System\MiqocWd.exe
  C:\Windows\System\MiqocWd.exe
  2⤵
  PID:12256
- C:\Windows\System\aPXNNXv.exe
  C:\Windows\System\aPXNNXv.exe
  2⤵
  PID:12284
- C:\Windows\System\HohYzVh.exe
  C:\Windows\System\HohYzVh.exe
  2⤵
  PID:11320
- C:\Windows\System\iqWPEIy.exe
  C:\Windows\System\iqWPEIy.exe
  2⤵
  PID:11344
- C:\Windows\System\drCQRuo.exe
  C:\Windows\System\drCQRuo.exe
  2⤵
  PID:11424
- C:\Windows\System\YMQLflq.exe
  C:\Windows\System\YMQLflq.exe
  2⤵
  PID:11540
- C:\Windows\System\mPPGuaT.exe
  C:\Windows\System\mPPGuaT.exe
  2⤵
  PID:11604
- C:\Windows\System\slAoFjj.exe
  C:\Windows\System\slAoFjj.exe
  2⤵
  PID:11672
- C:\Windows\System\aqeJWQo.exe
  C:\Windows\System\aqeJWQo.exe
  2⤵
  PID:11740
- C:\Windows\System\GRhMdDn.exe
  C:\Windows\System\GRhMdDn.exe
  2⤵
  PID:11840
- C:\Windows\System\bLeLYbf.exe
  C:\Windows\System\bLeLYbf.exe
  2⤵
  PID:11908
- C:\Windows\System\wGXcNNJ.exe
  C:\Windows\System\wGXcNNJ.exe
  2⤵
  PID:11964
- C:\Windows\System\XluIrNh.exe
  C:\Windows\System\XluIrNh.exe
  2⤵
  PID:12056
- C:\Windows\System\LgmKOTi.exe
  C:\Windows\System\LgmKOTi.exe
  2⤵
  PID:12120
- C:\Windows\System\fewVQyS.exe
  C:\Windows\System\fewVQyS.exe
  2⤵
  PID:12196
- C:\Windows\System\SQGrrHF.exe
  C:\Windows\System\SQGrrHF.exe
  2⤵
  PID:12224
- C:\Windows\System\oZDTlGo.exe
  C:\Windows\System\oZDTlGo.exe
  2⤵
  PID:11352
- C:\Windows\System\LUGAcHF.exe
  C:\Windows\System\LUGAcHF.exe
  2⤵
  PID:11512
- C:\Windows\System\JjOTlyx.exe
  C:\Windows\System\JjOTlyx.exe
  2⤵
  PID:11680
- C:\Windows\System\OSeNBln.exe
  C:\Windows\System\OSeNBln.exe
  2⤵
  PID:2140
- C:\Windows\System\fhAjmhi.exe
  C:\Windows\System\fhAjmhi.exe
  2⤵
  PID:11836
- C:\Windows\System\RYKGmtF.exe
  C:\Windows\System\RYKGmtF.exe
  2⤵
  PID:11940
- C:\Windows\System\LzeigTb.exe
  C:\Windows\System\LzeigTb.exe
  2⤵
  PID:12116
- C:\Windows\System\SAjiiXN.exe
  C:\Windows\System\SAjiiXN.exe
  2⤵
  PID:10916
- C:\Windows\System\EurkUoK.exe
  C:\Windows\System\EurkUoK.exe
  2⤵
  PID:11452
- C:\Windows\System\vKKdnEN.exe
  C:\Windows\System\vKKdnEN.exe
  2⤵
  PID:11832
- C:\Windows\System\icmxvmp.exe
  C:\Windows\System\icmxvmp.exe
  2⤵
  PID:12048
- C:\Windows\System\sjVmanX.exe
  C:\Windows\System\sjVmanX.exe
  2⤵
  PID:11284
- C:\Windows\System\vuOdsDu.exe
  C:\Windows\System\vuOdsDu.exe
  2⤵
  PID:1496
- C:\Windows\System\dENlEwm.exe
  C:\Windows\System\dENlEwm.exe
  2⤵
  PID:12304
- C:\Windows\System\wEhAslV.exe
  C:\Windows\System\wEhAslV.exe
  2⤵
  PID:12332
- C:\Windows\System\snQgmhq.exe
  C:\Windows\System\snQgmhq.exe
  2⤵
  PID:12348
- C:\Windows\System\idcwLKC.exe
  C:\Windows\System\idcwLKC.exe
  2⤵
  PID:12388
- C:\Windows\System\MAXnnIN.exe
  C:\Windows\System\MAXnnIN.exe
  2⤵
  PID:12428
- C:\Windows\System\HLLLpcE.exe
  C:\Windows\System\HLLLpcE.exe
  2⤵
  PID:12444
- C:\Windows\System\ghtbzHB.exe
  C:\Windows\System\ghtbzHB.exe
  2⤵
  PID:12472
- C:\Windows\System\rumXcSl.exe
  C:\Windows\System\rumXcSl.exe
  2⤵
  PID:12492
- C:\Windows\System\hYBviLg.exe
  C:\Windows\System\hYBviLg.exe
  2⤵
  PID:12508
- C:\Windows\System\TSQhUwT.exe
  C:\Windows\System\TSQhUwT.exe
  2⤵
  PID:12556
- C:\Windows\System\lNYiQZr.exe
  C:\Windows\System\lNYiQZr.exe
  2⤵
  PID:12572
- C:\Windows\System\BFnVuaz.exe
  C:\Windows\System\BFnVuaz.exe
  2⤵
  PID:12600
- C:\Windows\System\ikZBuOV.exe
  C:\Windows\System\ikZBuOV.exe
  2⤵
  PID:12640
- C:\Windows\System\BHWQLYh.exe
  C:\Windows\System\BHWQLYh.exe
  2⤵
  PID:12668
- C:\Windows\System\vRiMBBy.exe
  C:\Windows\System\vRiMBBy.exe
  2⤵
  PID:12684
- C:\Windows\System\aWKNUeI.exe
  C:\Windows\System\aWKNUeI.exe
  2⤵
  PID:12704
- C:\Windows\System\DKPDfrr.exe
  C:\Windows\System\DKPDfrr.exe
  2⤵
  PID:12740
- C:\Windows\System\RQFKdhB.exe
  C:\Windows\System\RQFKdhB.exe
  2⤵
  PID:12768
- C:\Windows\System\GcmbPRr.exe
  C:\Windows\System\GcmbPRr.exe
  2⤵
  PID:12796
- C:\Windows\System\aPmQQkD.exe
  C:\Windows\System\aPmQQkD.exe
  2⤵
  PID:12836
- C:\Windows\System\YsYowun.exe
  C:\Windows\System\YsYowun.exe
  2⤵
  PID:12856
- C:\Windows\System\lyWilDL.exe
  C:\Windows\System\lyWilDL.exe
  2⤵
  PID:12892
- C:\Windows\System\tdvYuZO.exe
  C:\Windows\System\tdvYuZO.exe
  2⤵
  PID:12920
- C:\Windows\System\qXrbNvn.exe
  C:\Windows\System\qXrbNvn.exe
  2⤵
  PID:12936
- C:\Windows\System\eaidhPK.exe
  C:\Windows\System\eaidhPK.exe
  2⤵
  PID:12976
- C:\Windows\System\gbZYJbT.exe
  C:\Windows\System\gbZYJbT.exe
  2⤵
  PID:12992

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13148

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:12844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjdizgp1.och.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\DJKiNXn.exe

Filesize
2.9MB

MD5
515ef052d00358ce3b4991395ced4e31

SHA1
8cc359435f0e0e3a966da4808594e35867ac61ef

SHA256
09f54d50c2ce8ac070b1762cdebeeafb772f731a676d3f4090393eafa8cbd77a

SHA512
faf547490dd379d1f83f422534a29d8eec2edbbcb0c83491acdf2e8ffe5bd7e07b6803578bbd9c42fce0212d03c6bae40b9beb9c3ac458d12a2c5af7cda78c19

Download Submit
C:\Windows\System\DLeLElx.exe

Filesize
2.9MB

MD5
7bc4990d9b15a8486ef3f2434151d1f1

SHA1
1fb6b4ce20a4b89952804111758314d1da4b983f

SHA256
0d33da6d97f9c44e10f813ea714f7135f146700ac99d217e54c04e7f20f1ac80

SHA512
388af865f9d7b492b2fd8c1f0ca42f320e2ba57ef6f4bc855aca7cb729987273b48d57507eda273eee51e231dbec8671a795b6a7d8596ca5bd305c898f3052be

Download Submit
C:\Windows\System\Dvtaftt.exe

Filesize
2.9MB

MD5
83ee82120c5afec4340455fb5fb4676c

SHA1
4111e69edc71b6d0de6dc484e2aa395898912c3e

SHA256
b6569f7d7edb08f089c2be7c2f258ebe4ecac21edcbde55aaf737a5230e7cc1e

SHA512
192b25594528ab886a9f1d4437419e6f017f4ec043c6c18e571c3dd251233b12ab9572d48d601dcacb5da284996dc6ebb4fa4c5adf3fa7e21f257565efef2e33

Download Submit
C:\Windows\System\EnfCAIf.exe

Filesize
2.9MB

MD5
e79bf422863cba61c504e353a6565362

SHA1
9d720cb502acd3bd33e85d0c86e24139553a8286

SHA256
24975c8dcb1dd71f338d10edfc8c8195959806c3892d48611b465cc2592f93f1

SHA512
2cdc39340bc59cfc7d1680fbc93ce6710bbd9addf77e2e749139f12fd21a83ec1630e7eac28280e723f396b0b611b60ac7a943490cce881db691e840b7f46916

Download Submit
C:\Windows\System\FPrbbkb.exe

Filesize
2.9MB

MD5
d1fe5d68532622ddc112577a1896acc6

SHA1
1ab4896b97d18040e6383c9212b3b94816c79832

SHA256
d32d5fa2709d7b2327bac2def38bbd9c5eb4ec2ccc49efa4316db91ac602bf43

SHA512
42d0d737865b309922c5745923c9852b94904a7511d73d4462ef5d4ca4638d78d04a58e89b5ac1c7eadc640d40db4c8a5d4ff7f334649164e268079369ed123d

Download Submit
C:\Windows\System\GlHstck.exe

Filesize
2.9MB

MD5
2a195872a61c2afa3e396d45c8b4c2cf

SHA1
52d34cfa3b5c9970ab42d5fe191c534562a67e54

SHA256
837beece96c04593e2899f1d4c4e4739ab7706bddadc4007b80ef9d8c7176b05

SHA512
926b1b4136dbc8ca2b6734dc19abc9f12084766d8bf96071939e5c07c42e4447f02c48b9a94a2b997041b7310a3be549d3dd4ba0eb21b337d9274be59f517fd7

Download Submit
C:\Windows\System\GrHLjHO.exe

Filesize
2.9MB

MD5
39a6b3b8de627dbab2bda426a09066da

SHA1
0e9ffdb4c24b46e5adfa62cabece3ad4769463ce

SHA256
3e99d34afa76845be606c6a63db6a07d9e431a37ef0c4f24e54ddec19ed9ebfe

SHA512
4dea9bb5aca1596fc84bcf0ee4751392193be55c2d3658024fa35ae1c768592c99cf5158175cbf2da7431ac26a60cbb5cd95b8bc9c70ffca47bc7781050d2f52

Download Submit
C:\Windows\System\KfxXnVT.exe

Filesize
2.9MB

MD5
1c8971471bf4f0ad3972c7c0f79614d1

SHA1
e2c6cec696a0decb0e526cfed65a77445533753d

SHA256
56ab2d45ecb8687d5f44271205c9e930cb86c8a277eeb6f053f04ebacf6c84e7

SHA512
9d2516e218537f169ea87c4da0ea55d59753b4cd946aae92015efe8c260846161a8e1bdac742071edca66206bc44e6f320e915b777bab18c274c40abd5adbbd1

Download Submit
C:\Windows\System\MDALvjD.exe

Filesize
2.9MB

MD5
a3528d7d463e5043b3d89413947dbd68

SHA1
0a525f99657017cd1005fd8fb414b3950da7487a

SHA256
6585aeca7cab2191e478735d474151eb79531738cab168c5516d78d7ed65611b

SHA512
7d8b4559e97d563882772fcbef1ae61ebcf1f9276c9f1a878f5a830615ccbd22f1c23d4e365b00be595dadd999b6d4c993643f0c8aff3339896cf18f7a7c388a

Download Submit
C:\Windows\System\MJvaEin.exe

Filesize
2.9MB

MD5
4993d70e9b00e3fefe92f80bbcc23568

SHA1
901a54889f88da70c8a7f65fc63334b23b492d69

SHA256
c62bfac2991d248037bd0c7a803587ab7620b569382719951d534a4992aa3258

SHA512
f8ac6b74c1191f9641a927b4eb05d618510cb4dfe4fa121071d9d49d4df0c82dbc9a65b7459988279f93afa9b494aab94d37e5dbc88d500d3123b41ffad5f429

Download Submit
C:\Windows\System\ORjYgcW.exe

Filesize
2.9MB

MD5
32198c04ceed5fa922b6562ef7d8d601

SHA1
6abc3cd6089407501961d6310a5cdf0807fbc839

SHA256
bb919989a892f7959a00fa9c5370b3b52c5a74197f6fcbc0a7fd8113baeb1d7b

SHA512
3af6b3287ae05a39393ca209b5facf3c0d31e398c4cfacd2df447f7d224643ec47038cf04a2924e1ff48944679aa835e9995a10f52311db2788e83dac8d9bfdc

Download Submit
C:\Windows\System\PdiOPpP.exe

Filesize
2.9MB

MD5
7b336b6f3f914c745f80dffd52023329

SHA1
d4501f35d91fe99f2f336a67e00b51aa8d39ab3c

SHA256
8621155797ea720efc367073096d26b15852da0b8dcc31a95fa604672f073f2d

SHA512
138b9a14289114740016785b4271578f09c87cc9178a488af5eee6b0411ea956ecea87e254ac7a8c6617979769f4414ed2235749c9bed44031f10715ed99e796

Download Submit
C:\Windows\System\PnfLBYO.exe

Filesize
2.9MB

MD5
47ffb8426fe3b103d31535286932fdb3

SHA1
b3dc7a4d38d180876620ecc66011bb24eb803661

SHA256
dfb7c8731919e7e8d807c265d3f26385477ec3246a27fcdda4b0a835f014fa78

SHA512
867ec314d4eb48a94ba911cc2f3757e93f1aab6af0d80828cfbf0bef925cdf6c5c37aa8600e2422d1a8749eb43953633e8073264df1475f761710e6c27e62892

Download Submit
C:\Windows\System\QrwoeEw.exe

Filesize
8B

MD5
9962fa9c120fa4be5b0a3f7a74dbcadf

SHA1
b6f88aa1c093b2340de068ac2ff30cce108e3fc6

SHA256
945d12760562a76bb5610a082b9c7801a49c6c9de534141d0c528ee6828f8992

SHA512
b2eeefcd3c65dccb02eb4079fd8fe88b36ae6927cd8ddb4de7afd16b396b895522c8feb1cc1373ad7adcb7732e1d37129de60c1aaea95865a3c1e13ac02b6cac

Download Submit
C:\Windows\System\SiKBaBV.exe

Filesize
2.9MB

MD5
9bacc0427075e8835ff755ef54bc47d2

SHA1
8cdcf8172182199d40f228346474d2985f95b7ba

SHA256
4d49fe7a6fb4b3dc1be77150c07b4b4945665e8f6fbe90af69ad76ffd46db4fa

SHA512
ce3286d454f34fd2fcdc21abd1e596e1a2a62407876587a577c8b3526e53c1becc8da93621e1a91dad274c4d3de367a92b0c9003421105c04a3d7866224177ef

Download Submit
C:\Windows\System\TkrYGDX.exe

Filesize
2.9MB

MD5
e33929c3eff75eb3e43a5d79b2c798ac

SHA1
942d0f996b007f0c6b040f6fd9019a29044879eb

SHA256
9f81fcfb606cf11626de39e3c53b5871c0bec6103e70fb3212987568c83ab3d3

SHA512
c21a03875a1edf5fcf8417e0369fcd0d93b4d6dc2ed6b03981be87196c60ec1e11b1105326879d1a23d291a6bc204506a918703d40c917180536ff0366511b70

Download Submit
C:\Windows\System\YKbnShN.exe

Filesize
2.9MB

MD5
74ccad191f7398dc61086135cd1aee02

SHA1
cf3eca7a5ce5736f67473c408b922e80655ef648

SHA256
620334337a9915b17eb02452d601ce97e7307d0e2ebd2bb2fcf07e6d445f8f56

SHA512
39296c639e16dbefa5311c580ef2cba179d93b9fad65be0d0b52fa147045721d60927fbf552d1680637a99e8bdf82515c70845ab8bfb24e366463fb4fb6fe50e

Download Submit
C:\Windows\System\ZUUKadh.exe

Filesize
2.9MB

MD5
c6fd3e0f28c55e8ada851ba808512791

SHA1
d20e8e1ba7036aaf145a82434528114881411c18

SHA256
5ca6217f12ea83cfff6537f139c302abec923edd3c21935a2f7b7c0545a9e1ba

SHA512
08f8f7fef9cadd0da29670a52684cba6e339b75771292f2ca14206ba90aed48d3130cbe6e2d2ad43fb6e3993bd75f7c3c80bbad2c6cce0a3f52f1a2d2c2e1bf7

Download Submit
C:\Windows\System\aezcYKO.exe

Filesize
2.9MB

MD5
90368cc4bcd6eb1d7e34dc78a8617c82

SHA1
1fd13ca0bbc0aeb0e075859c43b99362eaae5531

SHA256
f9ce542c1c822e4e3524cab63175cff0918ea3153f9ef54e87ce4853c2d7d326

SHA512
04f307c1926cb328aa177d849ca1653a44eb760b11c13f8ff7e162445d8d96a907cef5e806bd7acb03dc22600de3a6deb2bd5aaf9e7b907d74b111a041979a7d

Download Submit
C:\Windows\System\bAqAbGs.exe

Filesize
2.9MB

MD5
1c57683a52945678e0c9303b05b37876

SHA1
981072ecf2c869e79708c3863c12da1e50d4f27a

SHA256
3b751d22978e15a61ba8a80591cc04831a9146946beb8ddb9a95f07f61c89866

SHA512
24f9116c53e3f840beedc996e34f1b8575440c8b8a7942fd0d177d11d61f779b52c7c28967132694512f0b4cec85a8fea0e8f68b81d64676d68b16765b9b4640

Download Submit
C:\Windows\System\chHyEbD.exe

Filesize
2.9MB

MD5
f6c9110fec19ad51d9ef3d778192068a

SHA1
251ca975f5060aa926b89b9b95fff09743aa86f1

SHA256
553603c89d251cde8a8e08c1e5e595a619fa2637aeca58ed9b47fa213de525d5

SHA512
b8e3ca84ff6237f57708b6fa5238a428dde9dfa9a60bddc8e361beaa0bd851f1be4329f96117b266cc6fa54fb10cabe4f3b36a434a4d03518446f6e3d27b95db

Download Submit
C:\Windows\System\chQXryE.exe

Filesize
2.9MB

MD5
cb857aa24c24b6224d80604a024c1c9d

SHA1
6ae1519882e81a43f45e362cb77b6547ebb1fe22

SHA256
bf5727a76ab5c847e2978695a7e646482d63041f7f877628b97c2d75d9b8fe18

SHA512
5b7508a1527654c31cc33a0b67598c94aba84225571d98760fc32a602ef5662ac9073a60c9979bf16ff07bac48a99db61971c5952350910562a2aaa09765c7e5

Download Submit
C:\Windows\System\eBnYHZM.exe

Filesize
2.9MB

MD5
63809601f4002879e78fa72869c349a7

SHA1
ee64cefd8cc691406d75e9a9cd1e2a5e1f09dc64

SHA256
09151d49e23a3d7a46c3b02fd6b6fa2c70005a4b82f71c64b411ab86479b606b

SHA512
bdae66396ab03062d7c19b0a96dc8973f76c6785c81236568de4d4e47e8be4e9d11ac3bad24f3c7ea3a36b4213dc6bc79cb053697110e90291695a58970454ec

Download Submit
C:\Windows\System\iQtvRdM.exe

Filesize
2.9MB

MD5
24fa0c9cca32415cf106c7507328efa7

SHA1
e5e7a7c904160624db4b474cfee248600efe7d37

SHA256
ddcee4f52a4f6ce391e39597e1ea1eae64f640074ce4f3adecaa1f64af1d9245

SHA512
2f20a99d7e9a90fda9d09265f5faf7213c2d6f420d5a22b95c9ca46be85645ec81fe4f091d776fe293b0f97d980aa2752e499460a78a45f5d1eb928a6937c17b

Download Submit
C:\Windows\System\jwQazmT.exe

Filesize
2.9MB

MD5
ac18e4447e315ca910da3338b40cbac8

SHA1
4e097e52598d7e2a0ed65ea41605d1facd5d065e

SHA256
37e52dbbc279f01ddcdb1c80e17abf70e59779dcde3a436727de83c33c780e0a

SHA512
c426544119dda5ec521b019a5667ba69ee5c1b4277259721599b777dfd9b4de57a559008864e3648a081921a5bb1098fdda11faa2c42c2442aba4971ec669880

Download Submit
C:\Windows\System\kxBYMcf.exe

Filesize
2.9MB

MD5
cd83cc1e126f28e767f0ed180c4ee944

SHA1
5f4df9539c7e141d56aca7982006d76e6ecd736a

SHA256
d3e060570331095fb30dcd4cf3da84104f79abbd057c776b0dfb2f50caeb5bb6

SHA512
d0aec066a2177042f681f99c6d6b218dc5e0a05e76f3adea42e19374564c14dc8df69422008d6ba087f6a3fce7e56fc64726e6bb78c5ec7f07201a876e4f815b

Download Submit
C:\Windows\System\mTwgYBW.exe

Filesize
2.9MB

MD5
378d7464ffdabcfe0b9f19cff80ef2d5

SHA1
f0a493173f1e3c7685b1537259a1de5a6fdc5903

SHA256
f3f786f847ce28b0bdbef4b8335f7d7cb997333adf8d4e9f51b29e4a1f8443ef

SHA512
a87348e123f947368d7a0689d3f3f91537323c6185462ab7a758a1f17f4153a842e489db2b9023e048b504d9de8be38d6869f28bd06ba2a343c36b0e5881afb9

Download Submit
C:\Windows\System\oQYfTIF.exe

Filesize
2.9MB

MD5
bc230ec41fbc534872307e8621795813

SHA1
16a48149a9081d4beb6af52349d2a8f43495de4e

SHA256
a955d65ae055b9de6e6084522df7f5d1a5d44d036df48af3d71816beac83ac35

SHA512
f577cffac644e5a032a04d3ce5746e0eaa9629901d172a2a0e11aedbbea9eef9811a98be4d51b3aa5838cec4308280925e99ac0d900a83ed097afe1233bae4ab

Download Submit
C:\Windows\System\olroVsv.exe

Filesize
2.9MB

MD5
3a348905eb1a82f2223b7e513cc7e1bc

SHA1
7e8e1c45a33c6455ba6e782fd1a14e39562b8207

SHA256
b6078470129548f01c9ef45775f3e8b88529ac940a3f6095e6a9a7e7fe70d9eb

SHA512
6bb190ee83fd6e0a7f17562f411103857bc16928e9e44e487a4c0165f46d0575a5366ad3a063691e13fa765bf12d30005ccbb545b780715b41c08d33b10e70eb

Download Submit
C:\Windows\System\wNcFDHs.exe

Filesize
2.9MB

MD5
62f9edd18c0326791179a1eb755abb4a

SHA1
a9ad4450595414a3e8146378919913886845fb2d

SHA256
301c412cfecdb8b8bea5745fa1c7e68967e26c7211b7fde6cae9fc0ca9a3ea6a

SHA512
560620433771d402ce6807d761a6df991dd22d34bcc81f48f8a26cd83cd6250abd0b82286241fc80f89d37ceb38d0c4df79ab690a61f9be122ada78eaf8e6643

Download Submit
C:\Windows\System\xAfkkrR.exe

Filesize
2.9MB

MD5
52548c395f436b36ec992af3d4f82360

SHA1
9a8c3572434da3ad17ab41b89206686690913f64

SHA256
854049899857bf54c6168dd55cf19cc7bf7133bd39538d4270a7f5c503f724e7

SHA512
f205fd982aa729c1d05255821587e1105e9fd2fbfa4467a307fa6f22153b06a8421fd6eec83d1c51afa9f2f75cf7c6c68c25bc019134021d4b4d239f0c2c6481

Download Submit
C:\Windows\System\xpYQSSZ.exe

Filesize
2.9MB

MD5
ba80fc44ce488464890fa98574424dcd

SHA1
6c4b319851ae41523261ebf7652612b4a22dc869

SHA256
d95cc0d2caf1f79b51d0153a9ef17c380e7b3459df4e31aec92160b59949b8a6

SHA512
7440c22ba02a87765503173c14dd211e8b669c3bbc1e41ee967a3a61ab93dbaa03c89a2fd3a3a4c52cfe26bb7274f915ef41f3b05e0a8668ea580f49ca9d1182

Download Submit
C:\Windows\System\ydRiKGw.exe

Filesize
2.9MB

MD5
6174fc8d2b048f8f7f403a44776256ee

SHA1
62b06f62b955ef56ba3b1b115e4deedd699a8821

SHA256
cd541b24c9d2550cc379e03e0178c2368e1a20928d602d92fa8d1ba12fac8f41

SHA512
4ee1a31bb38af260d2d97e36e8a60dce1ac1e78597a2349a8de28bd3116f5b0c17117b56cb34514e42b17d15693d2b35d33065394687e2f822b2fede6c911093

Download Submit
C:\Windows\System\ztZadOD.exe

Filesize
2.9MB

MD5
97f63f327d2d6f60340917b8bd6e50fc

SHA1
e190492dbe46ac20d3b0fe022620f7e8c6e87ba3

SHA256
fc9d640dd1123b463fc74ad7d4527cf951d8bfc18ec775f641da69fdf8a4f568

SHA512
27a4bc50250523c7bf18dce37032175992ecca9ce2b212a039b786e719a01762a1cc039c349686bcab9c9aec5e56b9a130c462a1f02c1a6eb167d0918c108c6b

Download Submit
memory/436-2171-0x00007FF60B840000-0x00007FF60BC36000-memory.dmp

Filesize
4.0MB

Download
memory/436-926-0x00007FF60B840000-0x00007FF60BC36000-memory.dmp

Filesize
4.0MB

Download
memory/508-2173-0x00007FF6632B0000-0x00007FF6636A6000-memory.dmp

Filesize
4.0MB

Download
memory/508-945-0x00007FF6632B0000-0x00007FF6636A6000-memory.dmp

Filesize
4.0MB

Download
memory/696-1-0x0000016AEDE10000-0x0000016AEDE20000-memory.dmp

Filesize
64KB

Download
memory/696-0-0x00007FF66B410000-0x00007FF66B806000-memory.dmp

Filesize
4.0MB

Download
memory/744-2155-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp

Filesize
4.0MB

Download
memory/744-2151-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp

Filesize
4.0MB

Download
memory/744-6-0x00007FF77EA70000-0x00007FF77EE66000-memory.dmp

Filesize
4.0MB

Download
memory/1428-2154-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp

Filesize
4.0MB

Download
memory/1428-2159-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp

Filesize
4.0MB

Download
memory/1428-49-0x00007FF6053D0000-0x00007FF6057C6000-memory.dmp

Filesize
4.0MB

Download
memory/1516-845-0x00007FF67E280000-0x00007FF67E676000-memory.dmp

Filesize
4.0MB

Download
memory/1516-2166-0x00007FF67E280000-0x00007FF67E676000-memory.dmp

Filesize
4.0MB

Download
memory/1776-886-0x00007FF64A440000-0x00007FF64A836000-memory.dmp

Filesize
4.0MB

Download
memory/1776-2164-0x00007FF64A440000-0x00007FF64A836000-memory.dmp

Filesize
4.0MB

Download
memory/2116-878-0x00007FF71FE70000-0x00007FF720266000-memory.dmp

Filesize
4.0MB

Download
memory/2116-2162-0x00007FF71FE70000-0x00007FF720266000-memory.dmp

Filesize
4.0MB

Download
memory/2188-851-0x00007FF6E3C20000-0x00007FF6E4016000-memory.dmp

Filesize
4.0MB

Download
memory/2188-2160-0x00007FF6E3C20000-0x00007FF6E4016000-memory.dmp

Filesize
4.0MB

Download
memory/2568-941-0x00007FF645B40000-0x00007FF645F36000-memory.dmp

Filesize
4.0MB

Download
memory/2568-2174-0x00007FF645B40000-0x00007FF645F36000-memory.dmp

Filesize
4.0MB

Download
memory/2588-866-0x00007FF7BABB0000-0x00007FF7BAFA6000-memory.dmp

Filesize
4.0MB

Download
memory/2588-2161-0x00007FF7BABB0000-0x00007FF7BAFA6000-memory.dmp

Filesize
4.0MB

Download
memory/3068-936-0x00007FF628DD0000-0x00007FF6291C6000-memory.dmp

Filesize
4.0MB

Download
memory/3068-2177-0x00007FF628DD0000-0x00007FF6291C6000-memory.dmp

Filesize
4.0MB

Download
memory/3188-2168-0x00007FF6BBF90000-0x00007FF6BC386000-memory.dmp

Filesize
4.0MB

Download
memory/3188-909-0x00007FF6BBF90000-0x00007FF6BC386000-memory.dmp

Filesize
4.0MB

Download
memory/3212-2172-0x00007FF655E40000-0x00007FF656236000-memory.dmp

Filesize
4.0MB

Download
memory/3212-935-0x00007FF655E40000-0x00007FF656236000-memory.dmp

Filesize
4.0MB

Download
memory/3312-944-0x00007FF78DD40000-0x00007FF78E136000-memory.dmp

Filesize
4.0MB

Download
memory/3312-2175-0x00007FF78DD40000-0x00007FF78E136000-memory.dmp

Filesize
4.0MB

Download
memory/3484-2158-0x00007FF7BCF60000-0x00007FF7BD356000-memory.dmp

Filesize
4.0MB

Download
memory/3484-41-0x00007FF7BCF60000-0x00007FF7BD356000-memory.dmp

Filesize
4.0MB

Download
memory/3816-2167-0x00007FF70D320000-0x00007FF70D716000-memory.dmp

Filesize
4.0MB

Download
memory/3816-903-0x00007FF70D320000-0x00007FF70D716000-memory.dmp

Filesize
4.0MB

Download
memory/3964-2163-0x00007FF6018F0000-0x00007FF601CE6000-memory.dmp

Filesize
4.0MB

Download
memory/3964-862-0x00007FF6018F0000-0x00007FF601CE6000-memory.dmp

Filesize
4.0MB

Download
memory/4084-931-0x00007FF7EE890000-0x00007FF7EEC86000-memory.dmp

Filesize
4.0MB

Download
memory/4084-2178-0x00007FF7EE890000-0x00007FF7EEC86000-memory.dmp

Filesize
4.0MB

Download
memory/4136-398-0x0000021637EC0000-0x0000021638666000-memory.dmp

Filesize
7.6MB

Download
memory/4136-2152-0x00007FFA71593000-0x00007FFA71595000-memory.dmp

Filesize
8KB

Download
memory/4136-14-0x00007FFA71593000-0x00007FFA71595000-memory.dmp

Filesize
8KB

Download
memory/4136-8-0x000002161E770000-0x000002161E780000-memory.dmp

Filesize
64KB

Download
memory/4136-7-0x000002161E770000-0x000002161E780000-memory.dmp

Filesize
64KB

Download
memory/4136-42-0x0000021637300000-0x0000021637322000-memory.dmp

Filesize
136KB

Download
memory/4152-2165-0x00007FF6FF3C0000-0x00007FF6FF7B6000-memory.dmp

Filesize
4.0MB

Download
memory/4152-898-0x00007FF6FF3C0000-0x00007FF6FF7B6000-memory.dmp

Filesize
4.0MB

Download
memory/4224-913-0x00007FF6ED1A0000-0x00007FF6ED596000-memory.dmp

Filesize
4.0MB

Download
memory/4224-2169-0x00007FF6ED1A0000-0x00007FF6ED596000-memory.dmp

Filesize
4.0MB

Download
memory/4320-2176-0x00007FF6B50B0000-0x00007FF6B54A6000-memory.dmp

Filesize
4.0MB

Download
memory/4320-939-0x00007FF6B50B0000-0x00007FF6B54A6000-memory.dmp

Filesize
4.0MB

Download
memory/4476-2157-0x00007FF748910000-0x00007FF748D06000-memory.dmp

Filesize
4.0MB

Download
memory/4476-36-0x00007FF748910000-0x00007FF748D06000-memory.dmp

Filesize
4.0MB

Download
memory/4724-2156-0x00007FF721020000-0x00007FF721416000-memory.dmp

Filesize
4.0MB

Download
memory/4724-2153-0x00007FF721020000-0x00007FF721416000-memory.dmp

Filesize
4.0MB

Download
memory/4724-15-0x00007FF721020000-0x00007FF721416000-memory.dmp

Filesize
4.0MB

Download
memory/4888-923-0x00007FF6BEAF0000-0x00007FF6BEEE6000-memory.dmp

Filesize
4.0MB

Download
memory/4888-2170-0x00007FF6BEAF0000-0x00007FF6BEEE6000-memory.dmp

Filesize
4.0MB

Download