xmrig | 22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64

Analysis

max time kernel
129s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 23:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
Size

1.6MB
MD5

ffbd8a82541314dbe18ffd8bdfd1db90
SHA1

dc5c576c2bcc8cfe31345bd19db70be9c2395df3
SHA256

22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64
SHA512

108370c16c9d13e218a43da485f0fe962729382e111580b8592e062abbfd05cbe77d8c496b548604690e97a30794b270cb21e99247104bb72066b57679fc8f4d
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcquVoVbvVkNgoZ1ssoPi75BYMZVBwnBD:knw9oUUEEDl37jcquVoVJjDNOh9wnB

Score

10^/10

xmrig miner persistence privilege_escalation upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2604-430-0x00007FF70D780000-0x00007FF70DB71000-memory.dmp	xmrig
behavioral2/memory/3068-431-0x00007FF7B1950000-0x00007FF7B1D41000-memory.dmp	xmrig
behavioral2/memory/1292-432-0x00007FF7447D0000-0x00007FF744BC1000-memory.dmp	xmrig
behavioral2/memory/4068-65-0x00007FF6FF960000-0x00007FF6FFD51000-memory.dmp	xmrig
behavioral2/memory/3972-64-0x00007FF635F00000-0x00007FF6362F1000-memory.dmp	xmrig
behavioral2/memory/1648-61-0x00007FF76D6F0000-0x00007FF76DAE1000-memory.dmp	xmrig
behavioral2/memory/3684-56-0x00007FF65ACD0000-0x00007FF65B0C1000-memory.dmp	xmrig
behavioral2/memory/3140-26-0x00007FF786370000-0x00007FF786761000-memory.dmp	xmrig
behavioral2/memory/2116-17-0x00007FF7F4B90000-0x00007FF7F4F81000-memory.dmp	xmrig
behavioral2/memory/3584-433-0x00007FF7961C0000-0x00007FF7965B1000-memory.dmp	xmrig
behavioral2/memory/4848-435-0x00007FF6E8010000-0x00007FF6E8401000-memory.dmp	xmrig
behavioral2/memory/5112-434-0x00007FF6A0CD0000-0x00007FF6A10C1000-memory.dmp	xmrig
behavioral2/memory/872-437-0x00007FF675400000-0x00007FF6757F1000-memory.dmp	xmrig
behavioral2/memory/4104-436-0x00007FF6616C0000-0x00007FF661AB1000-memory.dmp	xmrig
behavioral2/memory/4752-438-0x00007FF7C01A0000-0x00007FF7C0591000-memory.dmp	xmrig
behavioral2/memory/4916-447-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	xmrig
behavioral2/memory/4652-450-0x00007FF7D3360000-0x00007FF7D3751000-memory.dmp	xmrig
behavioral2/memory/2536-456-0x00007FF7F6D10000-0x00007FF7F7101000-memory.dmp	xmrig
behavioral2/memory/1020-1982-0x00007FF639C40000-0x00007FF63A031000-memory.dmp	xmrig
behavioral2/memory/1832-1983-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp	xmrig
behavioral2/memory/884-1984-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp	xmrig
behavioral2/memory/3624-1985-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp	xmrig
behavioral2/memory/4324-2019-0x00007FF72F9B0000-0x00007FF72FDA1000-memory.dmp	xmrig
behavioral2/memory/1644-2021-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp	xmrig
behavioral2/memory/1020-2025-0x00007FF639C40000-0x00007FF63A031000-memory.dmp	xmrig
behavioral2/memory/2116-2027-0x00007FF7F4B90000-0x00007FF7F4F81000-memory.dmp	xmrig
behavioral2/memory/3140-2029-0x00007FF786370000-0x00007FF786761000-memory.dmp	xmrig
behavioral2/memory/3684-2031-0x00007FF65ACD0000-0x00007FF65B0C1000-memory.dmp	xmrig
behavioral2/memory/1648-2037-0x00007FF76D6F0000-0x00007FF76DAE1000-memory.dmp	xmrig
behavioral2/memory/3972-2039-0x00007FF635F00000-0x00007FF6362F1000-memory.dmp	xmrig
behavioral2/memory/4068-2041-0x00007FF6FF960000-0x00007FF6FFD51000-memory.dmp	xmrig
behavioral2/memory/3388-2035-0x00007FF7ACD60000-0x00007FF7AD151000-memory.dmp	xmrig
behavioral2/memory/1832-2033-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp	xmrig
behavioral2/memory/4848-2059-0x00007FF6E8010000-0x00007FF6E8401000-memory.dmp	xmrig
behavioral2/memory/4752-2065-0x00007FF7C01A0000-0x00007FF7C0591000-memory.dmp	xmrig
behavioral2/memory/4652-2069-0x00007FF7D3360000-0x00007FF7D3751000-memory.dmp	xmrig
behavioral2/memory/2536-2072-0x00007FF7F6D10000-0x00007FF7F7101000-memory.dmp	xmrig
behavioral2/memory/4104-2061-0x00007FF6616C0000-0x00007FF661AB1000-memory.dmp	xmrig
behavioral2/memory/4916-2067-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	xmrig
behavioral2/memory/872-2063-0x00007FF675400000-0x00007FF6757F1000-memory.dmp	xmrig
behavioral2/memory/3624-2057-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp	xmrig
behavioral2/memory/1644-2055-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp	xmrig
behavioral2/memory/3068-2053-0x00007FF7B1950000-0x00007FF7B1D41000-memory.dmp	xmrig
behavioral2/memory/3584-2051-0x00007FF7961C0000-0x00007FF7965B1000-memory.dmp	xmrig
behavioral2/memory/884-2049-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp	xmrig
behavioral2/memory/2604-2047-0x00007FF70D780000-0x00007FF70DB71000-memory.dmp	xmrig
behavioral2/memory/1292-2045-0x00007FF7447D0000-0x00007FF744BC1000-memory.dmp	xmrig
behavioral2/memory/5112-2043-0x00007FF6A0CD0000-0x00007FF6A10C1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1020	IdzoxXX.exe
2116	elHSsah.exe
3140	ZlQwPEX.exe
3684	HpMRJlY.exe
3388	XGQZIla.exe
1648	lbeQDbQ.exe
1832	YpxSVas.exe
884	kepSIAm.exe
3972	UFqfHZE.exe
4068	Pbsihkz.exe
3624	YCXOLdp.exe
1644	wVAPYyn.exe
2604	vtBIiSy.exe
3068	DmRwgfS.exe
1292	jNPXOYL.exe
3584	zkQcleB.exe
5112	DPOFTpL.exe
4848	HLPLVCG.exe
4104	CRmoAZY.exe
872	miOynAX.exe
4752	uzJMMUt.exe
4916	Yzxmlxn.exe
4652	PZamVEa.exe
2536	ZZDHSvv.exe
3744	KVydXFY.exe
3676	ZFllYKO.exe
4572	ZgqNznj.exe
3020	HHulijr.exe
1308	yWgCuAa.exe
3360	rRekwoC.exe
2220	ftOlAHH.exe
752	vZYlOjW.exe
556	DbMFFID.exe
4452	uUozSHf.exe
2464	BYUNLNc.exe
3552	FgqNtat.exe
4088	xYkLeua.exe
1272	PIHCOWh.exe
2608	QZjVkoR.exe
4660	AsEJZOx.exe
4672	umcRrJo.exe
2336	JEiVIlc.exe
2544	EnEDPvh.exe
3448	TbLaYdS.exe
1480	fttIGHw.exe
2744	SiqxLiC.exe
3924	DtUBQbi.exe
2140	UsFMKtw.exe
4476	xYtXSxc.exe
4492	ngBzAmh.exe
2964	HgASyGX.exe
1356	HYnlcIb.exe
1776	zwiQpwS.exe
1996	MCEVvus.exe
1556	FFDlwOZ.exe
4316	ZRIxefD.exe
3080	oQgVqIE.exe
5052	AWGQqrR.exe
3596	WorzfIy.exe
4996	vfdTvdC.exe
724	FdmpSjc.exe
4216	hWOQfEE.exe
2772	ZEBZlXr.exe
1588	adSijRS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4324-0-0x00007FF72F9B0000-0x00007FF72FDA1000-memory.dmp	upx
behavioral2/files/0x0008000000023545-4.dat	upx
behavioral2/files/0x000700000002354a-9.dat	upx
behavioral2/files/0x000700000002354c-25.dat	upx
behavioral2/memory/3388-35-0x00007FF7ACD60000-0x00007FF7AD151000-memory.dmp	upx
behavioral2/memory/1832-44-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp	upx
behavioral2/files/0x000700000002354f-48.dat	upx
behavioral2/files/0x0007000000023550-53.dat	upx
behavioral2/files/0x0007000000023551-60.dat	upx
behavioral2/memory/3624-68-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp	upx
behavioral2/files/0x0007000000023552-73.dat	upx
behavioral2/files/0x0007000000023555-81.dat	upx
behavioral2/files/0x0007000000023557-98.dat	upx
behavioral2/files/0x0007000000023559-109.dat	upx
behavioral2/files/0x000700000002355b-119.dat	upx
behavioral2/files/0x0007000000023560-143.dat	upx
behavioral2/files/0x0007000000023563-156.dat	upx
behavioral2/memory/2604-430-0x00007FF70D780000-0x00007FF70DB71000-memory.dmp	upx
behavioral2/memory/3068-431-0x00007FF7B1950000-0x00007FF7B1D41000-memory.dmp	upx
behavioral2/memory/1292-432-0x00007FF7447D0000-0x00007FF744BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023566-173.dat	upx
behavioral2/files/0x0007000000023565-168.dat	upx
behavioral2/files/0x0007000000023564-163.dat	upx
behavioral2/files/0x0007000000023562-153.dat	upx
behavioral2/files/0x0007000000023561-149.dat	upx
behavioral2/files/0x000700000002355f-138.dat	upx
behavioral2/files/0x000700000002355e-133.dat	upx
behavioral2/files/0x000700000002355d-128.dat	upx
behavioral2/files/0x000700000002355c-123.dat	upx
behavioral2/files/0x000700000002355a-114.dat	upx
behavioral2/files/0x0007000000023558-103.dat	upx
behavioral2/files/0x0007000000023556-93.dat	upx
behavioral2/files/0x0008000000023546-88.dat	upx
behavioral2/files/0x0007000000023554-78.dat	upx
behavioral2/files/0x0007000000023553-71.dat	upx
behavioral2/memory/1644-70-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp	upx
behavioral2/memory/4068-65-0x00007FF6FF960000-0x00007FF6FFD51000-memory.dmp	upx
behavioral2/memory/3972-64-0x00007FF635F00000-0x00007FF6362F1000-memory.dmp	upx
behavioral2/memory/1648-61-0x00007FF76D6F0000-0x00007FF76DAE1000-memory.dmp	upx
behavioral2/memory/3684-56-0x00007FF65ACD0000-0x00007FF65B0C1000-memory.dmp	upx
behavioral2/memory/884-50-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp	upx
behavioral2/files/0x000700000002354d-49.dat	upx
behavioral2/files/0x000700000002354e-47.dat	upx
behavioral2/files/0x000700000002354b-37.dat	upx
behavioral2/memory/3140-26-0x00007FF786370000-0x00007FF786761000-memory.dmp	upx
behavioral2/memory/2116-17-0x00007FF7F4B90000-0x00007FF7F4F81000-memory.dmp	upx
behavioral2/files/0x0007000000023549-14.dat	upx
behavioral2/memory/1020-10-0x00007FF639C40000-0x00007FF63A031000-memory.dmp	upx
behavioral2/memory/3584-433-0x00007FF7961C0000-0x00007FF7965B1000-memory.dmp	upx
behavioral2/memory/4848-435-0x00007FF6E8010000-0x00007FF6E8401000-memory.dmp	upx
behavioral2/memory/5112-434-0x00007FF6A0CD0000-0x00007FF6A10C1000-memory.dmp	upx
behavioral2/memory/872-437-0x00007FF675400000-0x00007FF6757F1000-memory.dmp	upx
behavioral2/memory/4104-436-0x00007FF6616C0000-0x00007FF661AB1000-memory.dmp	upx
behavioral2/memory/4752-438-0x00007FF7C01A0000-0x00007FF7C0591000-memory.dmp	upx
behavioral2/memory/4916-447-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp	upx
behavioral2/memory/4652-450-0x00007FF7D3360000-0x00007FF7D3751000-memory.dmp	upx
behavioral2/memory/2536-456-0x00007FF7F6D10000-0x00007FF7F7101000-memory.dmp	upx
behavioral2/memory/1020-1982-0x00007FF639C40000-0x00007FF63A031000-memory.dmp	upx
behavioral2/memory/1832-1983-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp	upx
behavioral2/memory/884-1984-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp	upx
behavioral2/memory/3624-1985-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp	upx
behavioral2/memory/4324-2019-0x00007FF72F9B0000-0x00007FF72FDA1000-memory.dmp	upx
behavioral2/memory/1644-2021-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp	upx
behavioral2/memory/1020-2025-0x00007FF639C40000-0x00007FF63A031000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\umcRrJo.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\HKTaRfD.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\tgKIcqR.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\osasstJ.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\wDEmLvV.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\xGwVyXe.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\EYcVknd.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\bTCQbSE.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\dcCnjIF.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\Psezist.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\pasUKNX.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\gcLKbiU.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\SXYCVCQ.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\oKMZtlF.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\fnXJfXZ.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\PBnIBPT.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\SkvxCTD.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\jtcXOhS.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\XjOIcML.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\PKzRvDO.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\OSfzYRB.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\uYDAfKd.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\QmsGkFm.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\WocrUqL.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\bmtvsGI.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\BOVgtmj.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\rWYXdXK.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\mazOWvK.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\TlrlSnA.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\chQnGpA.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\CqfNbPz.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\agucAuQ.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\OIMVvSL.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\IwqBmzX.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\MAoSPlr.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\bwCMIno.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\uikMuxI.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\PQSMsdE.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\sUXjIdO.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\bhjUDwS.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\vfdTvdC.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\ZZXSwkk.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\oyvtcMs.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\AruqHWE.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\BkrySAM.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\uGsDbYP.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\JczJBkF.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\IbHMEbf.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\kxuiBZI.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\xCdcOWj.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\cIvtZCD.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\QOzdrTg.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\FERXXYp.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\RWcikPx.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\pjKNoxk.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\WZgvMzo.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\TVLrCnv.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\NnoVGJz.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\lpcIEZa.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\mGnvvfN.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\DmRwgfS.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\CRmoAZY.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\PChfTfz.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
File created	C:\Windows\System32\DDazVkl.exe	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13632	dwm.exe
Token: SeChangeNotifyPrivilege	13632	dwm.exe
Token: 33	13632	dwm.exe
Token: SeIncBasePriorityPrivilege	13632	dwm.exe
Token: SeShutdownPrivilege	13632	dwm.exe
Token: SeCreatePagefilePrivilege	13632	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1020	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	83
PID 4324 wrote to memory of 1020	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	83
PID 4324 wrote to memory of 2116	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	84
PID 4324 wrote to memory of 2116	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	84
PID 4324 wrote to memory of 3140	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	85
PID 4324 wrote to memory of 3140	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	85
PID 4324 wrote to memory of 3684	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	86
PID 4324 wrote to memory of 3684	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	86
PID 4324 wrote to memory of 3388	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	87
PID 4324 wrote to memory of 3388	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	87
PID 4324 wrote to memory of 1648	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	88
PID 4324 wrote to memory of 1648	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	88
PID 4324 wrote to memory of 1832	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	89
PID 4324 wrote to memory of 1832	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	89
PID 4324 wrote to memory of 884	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	90
PID 4324 wrote to memory of 884	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	90
PID 4324 wrote to memory of 3972	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	91
PID 4324 wrote to memory of 3972	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	91
PID 4324 wrote to memory of 4068	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	92
PID 4324 wrote to memory of 4068	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	92
PID 4324 wrote to memory of 3624	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	93
PID 4324 wrote to memory of 3624	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	93
PID 4324 wrote to memory of 1644	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	94
PID 4324 wrote to memory of 1644	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	94
PID 4324 wrote to memory of 2604	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	95
PID 4324 wrote to memory of 2604	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	95
PID 4324 wrote to memory of 3068	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	96
PID 4324 wrote to memory of 3068	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	96
PID 4324 wrote to memory of 1292	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	97
PID 4324 wrote to memory of 1292	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	97
PID 4324 wrote to memory of 3584	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	98
PID 4324 wrote to memory of 3584	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	98
PID 4324 wrote to memory of 5112	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	99
PID 4324 wrote to memory of 5112	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	99
PID 4324 wrote to memory of 4848	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	100
PID 4324 wrote to memory of 4848	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	100
PID 4324 wrote to memory of 4104	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	101
PID 4324 wrote to memory of 4104	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	101
PID 4324 wrote to memory of 872	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	102
PID 4324 wrote to memory of 872	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	102
PID 4324 wrote to memory of 4752	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	103
PID 4324 wrote to memory of 4752	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	103
PID 4324 wrote to memory of 4916	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	104
PID 4324 wrote to memory of 4916	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	104
PID 4324 wrote to memory of 4652	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	105
PID 4324 wrote to memory of 4652	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	105
PID 4324 wrote to memory of 2536	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	106
PID 4324 wrote to memory of 2536	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	106
PID 4324 wrote to memory of 3744	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	107
PID 4324 wrote to memory of 3744	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	107
PID 4324 wrote to memory of 3676	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	108
PID 4324 wrote to memory of 3676	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	108
PID 4324 wrote to memory of 4572	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	109
PID 4324 wrote to memory of 4572	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	109
PID 4324 wrote to memory of 3020	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	110
PID 4324 wrote to memory of 3020	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	110
PID 4324 wrote to memory of 1308	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	111
PID 4324 wrote to memory of 1308	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	111
PID 4324 wrote to memory of 3360	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	112
PID 4324 wrote to memory of 3360	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	112
PID 4324 wrote to memory of 2220	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	113
PID 4324 wrote to memory of 2220	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	113
PID 4324 wrote to memory of 752	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	114
PID 4324 wrote to memory of 752	4324	22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22dc8c368a7bd11f8cddb13406be6723c2e3417bb46b60763b13cf9b28270f64_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\System32\IdzoxXX.exe
  C:\Windows\System32\IdzoxXX.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\elHSsah.exe
  C:\Windows\System32\elHSsah.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\ZlQwPEX.exe
  C:\Windows\System32\ZlQwPEX.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\HpMRJlY.exe
  C:\Windows\System32\HpMRJlY.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\XGQZIla.exe
  C:\Windows\System32\XGQZIla.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\lbeQDbQ.exe
  C:\Windows\System32\lbeQDbQ.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\YpxSVas.exe
  C:\Windows\System32\YpxSVas.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\kepSIAm.exe
  C:\Windows\System32\kepSIAm.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\UFqfHZE.exe
  C:\Windows\System32\UFqfHZE.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\Pbsihkz.exe
  C:\Windows\System32\Pbsihkz.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System32\YCXOLdp.exe
  C:\Windows\System32\YCXOLdp.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System32\wVAPYyn.exe
  C:\Windows\System32\wVAPYyn.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\vtBIiSy.exe
  C:\Windows\System32\vtBIiSy.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System32\DmRwgfS.exe
  C:\Windows\System32\DmRwgfS.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\jNPXOYL.exe
  C:\Windows\System32\jNPXOYL.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\zkQcleB.exe
  C:\Windows\System32\zkQcleB.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\DPOFTpL.exe
  C:\Windows\System32\DPOFTpL.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\HLPLVCG.exe
  C:\Windows\System32\HLPLVCG.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\CRmoAZY.exe
  C:\Windows\System32\CRmoAZY.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\miOynAX.exe
  C:\Windows\System32\miOynAX.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\uzJMMUt.exe
  C:\Windows\System32\uzJMMUt.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\Yzxmlxn.exe
  C:\Windows\System32\Yzxmlxn.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\PZamVEa.exe
  C:\Windows\System32\PZamVEa.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\ZZDHSvv.exe
  C:\Windows\System32\ZZDHSvv.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\KVydXFY.exe
  C:\Windows\System32\KVydXFY.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\ZFllYKO.exe
  C:\Windows\System32\ZFllYKO.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\ZgqNznj.exe
  C:\Windows\System32\ZgqNznj.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\HHulijr.exe
  C:\Windows\System32\HHulijr.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System32\yWgCuAa.exe
  C:\Windows\System32\yWgCuAa.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\rRekwoC.exe
  C:\Windows\System32\rRekwoC.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System32\ftOlAHH.exe
  C:\Windows\System32\ftOlAHH.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System32\vZYlOjW.exe
  C:\Windows\System32\vZYlOjW.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\DbMFFID.exe
  C:\Windows\System32\DbMFFID.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\uUozSHf.exe
  C:\Windows\System32\uUozSHf.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System32\BYUNLNc.exe
  C:\Windows\System32\BYUNLNc.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\FgqNtat.exe
  C:\Windows\System32\FgqNtat.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\xYkLeua.exe
  C:\Windows\System32\xYkLeua.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System32\PIHCOWh.exe
  C:\Windows\System32\PIHCOWh.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System32\QZjVkoR.exe
  C:\Windows\System32\QZjVkoR.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\AsEJZOx.exe
  C:\Windows\System32\AsEJZOx.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\umcRrJo.exe
  C:\Windows\System32\umcRrJo.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\JEiVIlc.exe
  C:\Windows\System32\JEiVIlc.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\EnEDPvh.exe
  C:\Windows\System32\EnEDPvh.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System32\TbLaYdS.exe
  C:\Windows\System32\TbLaYdS.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\fttIGHw.exe
  C:\Windows\System32\fttIGHw.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\SiqxLiC.exe
  C:\Windows\System32\SiqxLiC.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\DtUBQbi.exe
  C:\Windows\System32\DtUBQbi.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\UsFMKtw.exe
  C:\Windows\System32\UsFMKtw.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System32\xYtXSxc.exe
  C:\Windows\System32\xYtXSxc.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\ngBzAmh.exe
  C:\Windows\System32\ngBzAmh.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\HgASyGX.exe
  C:\Windows\System32\HgASyGX.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\HYnlcIb.exe
  C:\Windows\System32\HYnlcIb.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\zwiQpwS.exe
  C:\Windows\System32\zwiQpwS.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\MCEVvus.exe
  C:\Windows\System32\MCEVvus.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\FFDlwOZ.exe
  C:\Windows\System32\FFDlwOZ.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System32\ZRIxefD.exe
  C:\Windows\System32\ZRIxefD.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\oQgVqIE.exe
  C:\Windows\System32\oQgVqIE.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\AWGQqrR.exe
  C:\Windows\System32\AWGQqrR.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\WorzfIy.exe
  C:\Windows\System32\WorzfIy.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\vfdTvdC.exe
  C:\Windows\System32\vfdTvdC.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\FdmpSjc.exe
  C:\Windows\System32\FdmpSjc.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System32\hWOQfEE.exe
  C:\Windows\System32\hWOQfEE.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System32\ZEBZlXr.exe
  C:\Windows\System32\ZEBZlXr.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\adSijRS.exe
  C:\Windows\System32\adSijRS.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System32\YvuyRzW.exe
  C:\Windows\System32\YvuyRzW.exe
  2⤵
  PID:3188
- C:\Windows\System32\PVUQbOb.exe
  C:\Windows\System32\PVUQbOb.exe
  2⤵
  PID:5044
- C:\Windows\System32\chQnGpA.exe
  C:\Windows\System32\chQnGpA.exe
  2⤵
  PID:4556
- C:\Windows\System32\ZgwuRgr.exe
  C:\Windows\System32\ZgwuRgr.exe
  2⤵
  PID:1060
- C:\Windows\System32\HKTaRfD.exe
  C:\Windows\System32\HKTaRfD.exe
  2⤵
  PID:968
- C:\Windows\System32\FFsnJjk.exe
  C:\Windows\System32\FFsnJjk.exe
  2⤵
  PID:3004
- C:\Windows\System32\UpxPCqY.exe
  C:\Windows\System32\UpxPCqY.exe
  2⤵
  PID:812
- C:\Windows\System32\mxJXRLJ.exe
  C:\Windows\System32\mxJXRLJ.exe
  2⤵
  PID:3704
- C:\Windows\System32\lJAkskt.exe
  C:\Windows\System32\lJAkskt.exe
  2⤵
  PID:1260
- C:\Windows\System32\OIMVvSL.exe
  C:\Windows\System32\OIMVvSL.exe
  2⤵
  PID:464
- C:\Windows\System32\ZtQAxSb.exe
  C:\Windows\System32\ZtQAxSb.exe
  2⤵
  PID:3452
- C:\Windows\System32\WcngvEf.exe
  C:\Windows\System32\WcngvEf.exe
  2⤵
  PID:1304
- C:\Windows\System32\zKNMZCj.exe
  C:\Windows\System32\zKNMZCj.exe
  2⤵
  PID:4532
- C:\Windows\System32\fwJyPsz.exe
  C:\Windows\System32\fwJyPsz.exe
  2⤵
  PID:208
- C:\Windows\System32\OZYBrEL.exe
  C:\Windows\System32\OZYBrEL.exe
  2⤵
  PID:4388
- C:\Windows\System32\NXgKXDH.exe
  C:\Windows\System32\NXgKXDH.exe
  2⤵
  PID:1056
- C:\Windows\System32\JXTgGsa.exe
  C:\Windows\System32\JXTgGsa.exe
  2⤵
  PID:2568
- C:\Windows\System32\BhliLKw.exe
  C:\Windows\System32\BhliLKw.exe
  2⤵
  PID:4692
- C:\Windows\System32\MutSsfC.exe
  C:\Windows\System32\MutSsfC.exe
  2⤵
  PID:528
- C:\Windows\System32\IeLuSTs.exe
  C:\Windows\System32\IeLuSTs.exe
  2⤵
  PID:3688
- C:\Windows\System32\JkAuSLV.exe
  C:\Windows\System32\JkAuSLV.exe
  2⤵
  PID:4596
- C:\Windows\System32\CHKeTzc.exe
  C:\Windows\System32\CHKeTzc.exe
  2⤵
  PID:2928
- C:\Windows\System32\iYetfbs.exe
  C:\Windows\System32\iYetfbs.exe
  2⤵
  PID:3696
- C:\Windows\System32\oKMZtlF.exe
  C:\Windows\System32\oKMZtlF.exe
  2⤵
  PID:5132
- C:\Windows\System32\yPbUObX.exe
  C:\Windows\System32\yPbUObX.exe
  2⤵
  PID:5160
- C:\Windows\System32\peijapa.exe
  C:\Windows\System32\peijapa.exe
  2⤵
  PID:5188
- C:\Windows\System32\MjNuRQY.exe
  C:\Windows\System32\MjNuRQY.exe
  2⤵
  PID:5216
- C:\Windows\System32\wdUJKBN.exe
  C:\Windows\System32\wdUJKBN.exe
  2⤵
  PID:5244
- C:\Windows\System32\PChfTfz.exe
  C:\Windows\System32\PChfTfz.exe
  2⤵
  PID:5272
- C:\Windows\System32\ayWDlFN.exe
  C:\Windows\System32\ayWDlFN.exe
  2⤵
  PID:5300
- C:\Windows\System32\nvCFqJE.exe
  C:\Windows\System32\nvCFqJE.exe
  2⤵
  PID:5328
- C:\Windows\System32\IivvSlS.exe
  C:\Windows\System32\IivvSlS.exe
  2⤵
  PID:5356
- C:\Windows\System32\yjpXcYZ.exe
  C:\Windows\System32\yjpXcYZ.exe
  2⤵
  PID:5384
- C:\Windows\System32\yCldBnC.exe
  C:\Windows\System32\yCldBnC.exe
  2⤵
  PID:5412
- C:\Windows\System32\fnXJfXZ.exe
  C:\Windows\System32\fnXJfXZ.exe
  2⤵
  PID:5440
- C:\Windows\System32\JaMexAQ.exe
  C:\Windows\System32\JaMexAQ.exe
  2⤵
  PID:5468
- C:\Windows\System32\OwgkkAi.exe
  C:\Windows\System32\OwgkkAi.exe
  2⤵
  PID:5496
- C:\Windows\System32\lPfRzZw.exe
  C:\Windows\System32\lPfRzZw.exe
  2⤵
  PID:5524
- C:\Windows\System32\YdwJaVW.exe
  C:\Windows\System32\YdwJaVW.exe
  2⤵
  PID:5552
- C:\Windows\System32\uZgzdYh.exe
  C:\Windows\System32\uZgzdYh.exe
  2⤵
  PID:5580
- C:\Windows\System32\HpCEtVu.exe
  C:\Windows\System32\HpCEtVu.exe
  2⤵
  PID:5608
- C:\Windows\System32\cqDXpWG.exe
  C:\Windows\System32\cqDXpWG.exe
  2⤵
  PID:5636
- C:\Windows\System32\uYDAfKd.exe
  C:\Windows\System32\uYDAfKd.exe
  2⤵
  PID:5664
- C:\Windows\System32\ZZXSwkk.exe
  C:\Windows\System32\ZZXSwkk.exe
  2⤵
  PID:5692
- C:\Windows\System32\vlMUVTp.exe
  C:\Windows\System32\vlMUVTp.exe
  2⤵
  PID:5720
- C:\Windows\System32\CZWYDUp.exe
  C:\Windows\System32\CZWYDUp.exe
  2⤵
  PID:5748
- C:\Windows\System32\HnEsDKC.exe
  C:\Windows\System32\HnEsDKC.exe
  2⤵
  PID:5776
- C:\Windows\System32\WdzNuLB.exe
  C:\Windows\System32\WdzNuLB.exe
  2⤵
  PID:5804
- C:\Windows\System32\hRNnBXz.exe
  C:\Windows\System32\hRNnBXz.exe
  2⤵
  PID:5832
- C:\Windows\System32\YxvMuFr.exe
  C:\Windows\System32\YxvMuFr.exe
  2⤵
  PID:5860
- C:\Windows\System32\cTTGCkd.exe
  C:\Windows\System32\cTTGCkd.exe
  2⤵
  PID:5888
- C:\Windows\System32\bGWRyKE.exe
  C:\Windows\System32\bGWRyKE.exe
  2⤵
  PID:5916
- C:\Windows\System32\YOOpiAM.exe
  C:\Windows\System32\YOOpiAM.exe
  2⤵
  PID:5944
- C:\Windows\System32\sbPhRvl.exe
  C:\Windows\System32\sbPhRvl.exe
  2⤵
  PID:5972
- C:\Windows\System32\IofeDXM.exe
  C:\Windows\System32\IofeDXM.exe
  2⤵
  PID:6064
- C:\Windows\System32\KhdFClO.exe
  C:\Windows\System32\KhdFClO.exe
  2⤵
  PID:6080
- C:\Windows\System32\YaybKbw.exe
  C:\Windows\System32\YaybKbw.exe
  2⤵
  PID:6100
- C:\Windows\System32\RfJZfnM.exe
  C:\Windows\System32\RfJZfnM.exe
  2⤵
  PID:6120
- C:\Windows\System32\KMgDSvi.exe
  C:\Windows\System32\KMgDSvi.exe
  2⤵
  PID:2764
- C:\Windows\System32\EYcVknd.exe
  C:\Windows\System32\EYcVknd.exe
  2⤵
  PID:1840
- C:\Windows\System32\tgKIcqR.exe
  C:\Windows\System32\tgKIcqR.exe
  2⤵
  PID:5124
- C:\Windows\System32\vTiCFpd.exe
  C:\Windows\System32\vTiCFpd.exe
  2⤵
  PID:5168
- C:\Windows\System32\DHodWZo.exe
  C:\Windows\System32\DHodWZo.exe
  2⤵
  PID:5208
- C:\Windows\System32\JrXspKB.exe
  C:\Windows\System32\JrXspKB.exe
  2⤵
  PID:5344
- C:\Windows\System32\QsuNupY.exe
  C:\Windows\System32\QsuNupY.exe
  2⤵
  PID:5392
- C:\Windows\System32\xCdcOWj.exe
  C:\Windows\System32\xCdcOWj.exe
  2⤵
  PID:5512
- C:\Windows\System32\GLqVVWR.exe
  C:\Windows\System32\GLqVVWR.exe
  2⤵
  PID:5532
- C:\Windows\System32\DkenYZg.exe
  C:\Windows\System32\DkenYZg.exe
  2⤵
  PID:5568
- C:\Windows\System32\ZWNCpri.exe
  C:\Windows\System32\ZWNCpri.exe
  2⤵
  PID:5596
- C:\Windows\System32\VnfThUk.exe
  C:\Windows\System32\VnfThUk.exe
  2⤵
  PID:5040
- C:\Windows\System32\wZDxlIL.exe
  C:\Windows\System32\wZDxlIL.exe
  2⤵
  PID:972
- C:\Windows\System32\TFMeyht.exe
  C:\Windows\System32\TFMeyht.exe
  2⤵
  PID:5728
- C:\Windows\System32\CAfevwt.exe
  C:\Windows\System32\CAfevwt.exe
  2⤵
  PID:900
- C:\Windows\System32\DDazVkl.exe
  C:\Windows\System32\DDazVkl.exe
  2⤵
  PID:5768
- C:\Windows\System32\cDlVjmV.exe
  C:\Windows\System32\cDlVjmV.exe
  2⤵
  PID:4580
- C:\Windows\System32\UzvLXgn.exe
  C:\Windows\System32\UzvLXgn.exe
  2⤵
  PID:5932
- C:\Windows\System32\pyICXxq.exe
  C:\Windows\System32\pyICXxq.exe
  2⤵
  PID:3076
- C:\Windows\System32\SLyAAaY.exe
  C:\Windows\System32\SLyAAaY.exe
  2⤵
  PID:5936
- C:\Windows\System32\EQfYOey.exe
  C:\Windows\System32\EQfYOey.exe
  2⤵
  PID:1564
- C:\Windows\System32\ZNTOwnq.exe
  C:\Windows\System32\ZNTOwnq.exe
  2⤵
  PID:3488
- C:\Windows\System32\cTaYEJt.exe
  C:\Windows\System32\cTaYEJt.exe
  2⤵
  PID:628
- C:\Windows\System32\goiMFAT.exe
  C:\Windows\System32\goiMFAT.exe
  2⤵
  PID:6092
- C:\Windows\System32\osasstJ.exe
  C:\Windows\System32\osasstJ.exe
  2⤵
  PID:6116
- C:\Windows\System32\aNkWAUl.exe
  C:\Windows\System32\aNkWAUl.exe
  2⤵
  PID:4928
- C:\Windows\System32\LCGudFC.exe
  C:\Windows\System32\LCGudFC.exe
  2⤵
  PID:3656
- C:\Windows\System32\EuHnoHo.exe
  C:\Windows\System32\EuHnoHo.exe
  2⤵
  PID:5288
- C:\Windows\System32\oyvtcMs.exe
  C:\Windows\System32\oyvtcMs.exe
  2⤵
  PID:5316
- C:\Windows\System32\BJMKGCV.exe
  C:\Windows\System32\BJMKGCV.exe
  2⤵
  PID:5476
- C:\Windows\System32\WlVIvng.exe
  C:\Windows\System32\WlVIvng.exe
  2⤵
  PID:1584
- C:\Windows\System32\jsbrhXE.exe
  C:\Windows\System32\jsbrhXE.exe
  2⤵
  PID:5572
- C:\Windows\System32\MAoSPlr.exe
  C:\Windows\System32\MAoSPlr.exe
  2⤵
  PID:5796
- C:\Windows\System32\eOXWQAe.exe
  C:\Windows\System32\eOXWQAe.exe
  2⤵
  PID:5764
- C:\Windows\System32\CQZrNxA.exe
  C:\Windows\System32\CQZrNxA.exe
  2⤵
  PID:3372
- C:\Windows\System32\BouMLGv.exe
  C:\Windows\System32\BouMLGv.exe
  2⤵
  PID:5904
- C:\Windows\System32\cIvtZCD.exe
  C:\Windows\System32\cIvtZCD.exe
  2⤵
  PID:3720
- C:\Windows\System32\UJaIRrM.exe
  C:\Windows\System32\UJaIRrM.exe
  2⤵
  PID:4700
- C:\Windows\System32\QmsGkFm.exe
  C:\Windows\System32\QmsGkFm.exe
  2⤵
  PID:6096
- C:\Windows\System32\EiljcLq.exe
  C:\Windows\System32\EiljcLq.exe
  2⤵
  PID:6048
- C:\Windows\System32\IwqBmzX.exe
  C:\Windows\System32\IwqBmzX.exe
  2⤵
  PID:5504
- C:\Windows\System32\lzAUPnl.exe
  C:\Windows\System32\lzAUPnl.exe
  2⤵
  PID:5880
- C:\Windows\System32\xdIffHT.exe
  C:\Windows\System32\xdIffHT.exe
  2⤵
  PID:1924
- C:\Windows\System32\bjRBXRj.exe
  C:\Windows\System32\bjRBXRj.exe
  2⤵
  PID:5964
- C:\Windows\System32\nQilSAq.exe
  C:\Windows\System32\nQilSAq.exe
  2⤵
  PID:2580
- C:\Windows\System32\dcjsDSG.exe
  C:\Windows\System32\dcjsDSG.exe
  2⤵
  PID:6040
- C:\Windows\System32\EIyoGaM.exe
  C:\Windows\System32\EIyoGaM.exe
  2⤵
  PID:6164
- C:\Windows\System32\mWbYNWC.exe
  C:\Windows\System32\mWbYNWC.exe
  2⤵
  PID:6184
- C:\Windows\System32\GqFcvYq.exe
  C:\Windows\System32\GqFcvYq.exe
  2⤵
  PID:6212
- C:\Windows\System32\QcbbtFM.exe
  C:\Windows\System32\QcbbtFM.exe
  2⤵
  PID:6240
- C:\Windows\System32\wjfcvWs.exe
  C:\Windows\System32\wjfcvWs.exe
  2⤵
  PID:6256
- C:\Windows\System32\dyIhhrr.exe
  C:\Windows\System32\dyIhhrr.exe
  2⤵
  PID:6284
- C:\Windows\System32\wwpvJOM.exe
  C:\Windows\System32\wwpvJOM.exe
  2⤵
  PID:6300
- C:\Windows\System32\kDLlWJz.exe
  C:\Windows\System32\kDLlWJz.exe
  2⤵
  PID:6324
- C:\Windows\System32\mPKzObB.exe
  C:\Windows\System32\mPKzObB.exe
  2⤵
  PID:6344
- C:\Windows\System32\ynwbIsn.exe
  C:\Windows\System32\ynwbIsn.exe
  2⤵
  PID:6368
- C:\Windows\System32\LIgVmmx.exe
  C:\Windows\System32\LIgVmmx.exe
  2⤵
  PID:6416
- C:\Windows\System32\AruqHWE.exe
  C:\Windows\System32\AruqHWE.exe
  2⤵
  PID:6484
- C:\Windows\System32\CJShLVv.exe
  C:\Windows\System32\CJShLVv.exe
  2⤵
  PID:6504
- C:\Windows\System32\UMjvISk.exe
  C:\Windows\System32\UMjvISk.exe
  2⤵
  PID:6528
- C:\Windows\System32\LDlBhZu.exe
  C:\Windows\System32\LDlBhZu.exe
  2⤵
  PID:6548
- C:\Windows\System32\vGgkTqS.exe
  C:\Windows\System32\vGgkTqS.exe
  2⤵
  PID:6584
- C:\Windows\System32\sgtFIfr.exe
  C:\Windows\System32\sgtFIfr.exe
  2⤵
  PID:6624
- C:\Windows\System32\QOzdrTg.exe
  C:\Windows\System32\QOzdrTg.exe
  2⤵
  PID:6656
- C:\Windows\System32\cSUmbyH.exe
  C:\Windows\System32\cSUmbyH.exe
  2⤵
  PID:6680
- C:\Windows\System32\iOfULzw.exe
  C:\Windows\System32\iOfULzw.exe
  2⤵
  PID:6704
- C:\Windows\System32\LQNFNwc.exe
  C:\Windows\System32\LQNFNwc.exe
  2⤵
  PID:6720
- C:\Windows\System32\aYnpcwB.exe
  C:\Windows\System32\aYnpcwB.exe
  2⤵
  PID:6764
- C:\Windows\System32\uKbCoET.exe
  C:\Windows\System32\uKbCoET.exe
  2⤵
  PID:6784
- C:\Windows\System32\BrQQbxN.exe
  C:\Windows\System32\BrQQbxN.exe
  2⤵
  PID:6804
- C:\Windows\System32\dlnUOJh.exe
  C:\Windows\System32\dlnUOJh.exe
  2⤵
  PID:6840
- C:\Windows\System32\mQQLZWs.exe
  C:\Windows\System32\mQQLZWs.exe
  2⤵
  PID:6872
- C:\Windows\System32\NnQFYXM.exe
  C:\Windows\System32\NnQFYXM.exe
  2⤵
  PID:6912
- C:\Windows\System32\hjEddzR.exe
  C:\Windows\System32\hjEddzR.exe
  2⤵
  PID:6936
- C:\Windows\System32\hNyEiQp.exe
  C:\Windows\System32\hNyEiQp.exe
  2⤵
  PID:6956
- C:\Windows\System32\agMQzjy.exe
  C:\Windows\System32\agMQzjy.exe
  2⤵
  PID:6976
- C:\Windows\System32\TwdUmXZ.exe
  C:\Windows\System32\TwdUmXZ.exe
  2⤵
  PID:7004
- C:\Windows\System32\CqfNbPz.exe
  C:\Windows\System32\CqfNbPz.exe
  2⤵
  PID:7028
- C:\Windows\System32\nfXUVKA.exe
  C:\Windows\System32\nfXUVKA.exe
  2⤵
  PID:7056
- C:\Windows\System32\WocrUqL.exe
  C:\Windows\System32\WocrUqL.exe
  2⤵
  PID:7076
- C:\Windows\System32\GmAchrZ.exe
  C:\Windows\System32\GmAchrZ.exe
  2⤵
  PID:7104
- C:\Windows\System32\LNrySqB.exe
  C:\Windows\System32\LNrySqB.exe
  2⤵
  PID:7124
- C:\Windows\System32\aHSPNYV.exe
  C:\Windows\System32\aHSPNYV.exe
  2⤵
  PID:440
- C:\Windows\System32\ekQXbub.exe
  C:\Windows\System32\ekQXbub.exe
  2⤵
  PID:6192
- C:\Windows\System32\bTCQbSE.exe
  C:\Windows\System32\bTCQbSE.exe
  2⤵
  PID:6248
- C:\Windows\System32\PgFWCPv.exe
  C:\Windows\System32\PgFWCPv.exe
  2⤵
  PID:6252
- C:\Windows\System32\iOZooTG.exe
  C:\Windows\System32\iOZooTG.exe
  2⤵
  PID:6308
- C:\Windows\System32\mxDUHLP.exe
  C:\Windows\System32\mxDUHLP.exe
  2⤵
  PID:6448
- C:\Windows\System32\XwHMUbh.exe
  C:\Windows\System32\XwHMUbh.exe
  2⤵
  PID:6500
- C:\Windows\System32\QwXszrZ.exe
  C:\Windows\System32\QwXszrZ.exe
  2⤵
  PID:6572
- C:\Windows\System32\mmzCffk.exe
  C:\Windows\System32\mmzCffk.exe
  2⤵
  PID:6620
- C:\Windows\System32\GliVipP.exe
  C:\Windows\System32\GliVipP.exe
  2⤵
  PID:6712
- C:\Windows\System32\PhlmiHs.exe
  C:\Windows\System32\PhlmiHs.exe
  2⤵
  PID:6832
- C:\Windows\System32\ktEqKXC.exe
  C:\Windows\System32\ktEqKXC.exe
  2⤵
  PID:6868
- C:\Windows\System32\uzVduIt.exe
  C:\Windows\System32\uzVduIt.exe
  2⤵
  PID:6948
- C:\Windows\System32\kcGizlq.exe
  C:\Windows\System32\kcGizlq.exe
  2⤵
  PID:6996
- C:\Windows\System32\DaVsdtr.exe
  C:\Windows\System32\DaVsdtr.exe
  2⤵
  PID:7092
- C:\Windows\System32\jHjHsdn.exe
  C:\Windows\System32\jHjHsdn.exe
  2⤵
  PID:7120
- C:\Windows\System32\DvnJePD.exe
  C:\Windows\System32\DvnJePD.exe
  2⤵
  PID:7112
- C:\Windows\System32\MwktEal.exe
  C:\Windows\System32\MwktEal.exe
  2⤵
  PID:2856
- C:\Windows\System32\ktsmDom.exe
  C:\Windows\System32\ktsmDom.exe
  2⤵
  PID:6384
- C:\Windows\System32\pKMgNhn.exe
  C:\Windows\System32\pKMgNhn.exe
  2⤵
  PID:6496
- C:\Windows\System32\PFktXfj.exe
  C:\Windows\System32\PFktXfj.exe
  2⤵
  PID:6412
- C:\Windows\System32\UgorUmg.exe
  C:\Windows\System32\UgorUmg.exe
  2⤵
  PID:6672
- C:\Windows\System32\CGXmlsX.exe
  C:\Windows\System32\CGXmlsX.exe
  2⤵
  PID:6860
- C:\Windows\System32\FERXXYp.exe
  C:\Windows\System32\FERXXYp.exe
  2⤵
  PID:7036
- C:\Windows\System32\yFjZyBh.exe
  C:\Windows\System32\yFjZyBh.exe
  2⤵
  PID:7132
- C:\Windows\System32\RWcikPx.exe
  C:\Windows\System32\RWcikPx.exe
  2⤵
  PID:6560
- C:\Windows\System32\TgVWIYK.exe
  C:\Windows\System32\TgVWIYK.exe
  2⤵
  PID:7024
- C:\Windows\System32\vstAMEw.exe
  C:\Windows\System32\vstAMEw.exe
  2⤵
  PID:6176
- C:\Windows\System32\pjKNoxk.exe
  C:\Windows\System32\pjKNoxk.exe
  2⤵
  PID:7196
- C:\Windows\System32\uTigGRP.exe
  C:\Windows\System32\uTigGRP.exe
  2⤵
  PID:7224
- C:\Windows\System32\Ymunfeh.exe
  C:\Windows\System32\Ymunfeh.exe
  2⤵
  PID:7240
- C:\Windows\System32\umEQhvA.exe
  C:\Windows\System32\umEQhvA.exe
  2⤵
  PID:7264
- C:\Windows\System32\gjACeJE.exe
  C:\Windows\System32\gjACeJE.exe
  2⤵
  PID:7288
- C:\Windows\System32\BkrySAM.exe
  C:\Windows\System32\BkrySAM.exe
  2⤵
  PID:7308
- C:\Windows\System32\MRDXWhq.exe
  C:\Windows\System32\MRDXWhq.exe
  2⤵
  PID:7344
- C:\Windows\System32\DDDoevG.exe
  C:\Windows\System32\DDDoevG.exe
  2⤵
  PID:7364
- C:\Windows\System32\SfUPRge.exe
  C:\Windows\System32\SfUPRge.exe
  2⤵
  PID:7416
- C:\Windows\System32\nnsNPez.exe
  C:\Windows\System32\nnsNPez.exe
  2⤵
  PID:7444
- C:\Windows\System32\wDEmLvV.exe
  C:\Windows\System32\wDEmLvV.exe
  2⤵
  PID:7472
- C:\Windows\System32\cojctfv.exe
  C:\Windows\System32\cojctfv.exe
  2⤵
  PID:7500
- C:\Windows\System32\LZBgPdL.exe
  C:\Windows\System32\LZBgPdL.exe
  2⤵
  PID:7524
- C:\Windows\System32\gFMtmqf.exe
  C:\Windows\System32\gFMtmqf.exe
  2⤵
  PID:7568
- C:\Windows\System32\lIzgcQf.exe
  C:\Windows\System32\lIzgcQf.exe
  2⤵
  PID:7616
- C:\Windows\System32\xZPdjKn.exe
  C:\Windows\System32\xZPdjKn.exe
  2⤵
  PID:7632
- C:\Windows\System32\gaBwclS.exe
  C:\Windows\System32\gaBwclS.exe
  2⤵
  PID:7660
- C:\Windows\System32\mrAzIHB.exe
  C:\Windows\System32\mrAzIHB.exe
  2⤵
  PID:7692
- C:\Windows\System32\bhjUDwS.exe
  C:\Windows\System32\bhjUDwS.exe
  2⤵
  PID:7728
- C:\Windows\System32\nLgTdxW.exe
  C:\Windows\System32\nLgTdxW.exe
  2⤵
  PID:7748
- C:\Windows\System32\DmrsPWj.exe
  C:\Windows\System32\DmrsPWj.exe
  2⤵
  PID:7768
- C:\Windows\System32\pAhkCUz.exe
  C:\Windows\System32\pAhkCUz.exe
  2⤵
  PID:7788
- C:\Windows\System32\oJnPZNR.exe
  C:\Windows\System32\oJnPZNR.exe
  2⤵
  PID:7832
- C:\Windows\System32\QBfwppS.exe
  C:\Windows\System32\QBfwppS.exe
  2⤵
  PID:7848
- C:\Windows\System32\pahrrHk.exe
  C:\Windows\System32\pahrrHk.exe
  2⤵
  PID:7872
- C:\Windows\System32\pRDoVZK.exe
  C:\Windows\System32\pRDoVZK.exe
  2⤵
  PID:7888
- C:\Windows\System32\bwCMIno.exe
  C:\Windows\System32\bwCMIno.exe
  2⤵
  PID:7916
- C:\Windows\System32\DhcMtTl.exe
  C:\Windows\System32\DhcMtTl.exe
  2⤵
  PID:7936
- C:\Windows\System32\vJeWjjq.exe
  C:\Windows\System32\vJeWjjq.exe
  2⤵
  PID:7972
- C:\Windows\System32\CAVZIYL.exe
  C:\Windows\System32\CAVZIYL.exe
  2⤵
  PID:7992
- C:\Windows\System32\HTFnxRW.exe
  C:\Windows\System32\HTFnxRW.exe
  2⤵
  PID:8016
- C:\Windows\System32\uuYFgZx.exe
  C:\Windows\System32\uuYFgZx.exe
  2⤵
  PID:8036
- C:\Windows\System32\BZEDlVK.exe
  C:\Windows\System32\BZEDlVK.exe
  2⤵
  PID:8064
- C:\Windows\System32\Xilazjm.exe
  C:\Windows\System32\Xilazjm.exe
  2⤵
  PID:8080
- C:\Windows\System32\NGTSLHq.exe
  C:\Windows\System32\NGTSLHq.exe
  2⤵
  PID:8144
- C:\Windows\System32\RrVxKVX.exe
  C:\Windows\System32\RrVxKVX.exe
  2⤵
  PID:8164
- C:\Windows\System32\FVrCInK.exe
  C:\Windows\System32\FVrCInK.exe
  2⤵
  PID:8188
- C:\Windows\System32\CeoycIt.exe
  C:\Windows\System32\CeoycIt.exe
  2⤵
  PID:5896
- C:\Windows\System32\ldbJCzi.exe
  C:\Windows\System32\ldbJCzi.exe
  2⤵
  PID:7256
- C:\Windows\System32\fVmfQuQ.exe
  C:\Windows\System32\fVmfQuQ.exe
  2⤵
  PID:7332
- C:\Windows\System32\JEKAHXH.exe
  C:\Windows\System32\JEKAHXH.exe
  2⤵
  PID:7452
- C:\Windows\System32\NUqzKBY.exe
  C:\Windows\System32\NUqzKBY.exe
  2⤵
  PID:7536
- C:\Windows\System32\Puvzlwu.exe
  C:\Windows\System32\Puvzlwu.exe
  2⤵
  PID:7596
- C:\Windows\System32\CajyNPn.exe
  C:\Windows\System32\CajyNPn.exe
  2⤵
  PID:7656
- C:\Windows\System32\MDrwWBb.exe
  C:\Windows\System32\MDrwWBb.exe
  2⤵
  PID:7708
- C:\Windows\System32\dcCnjIF.exe
  C:\Windows\System32\dcCnjIF.exe
  2⤵
  PID:7756
- C:\Windows\System32\uGsDbYP.exe
  C:\Windows\System32\uGsDbYP.exe
  2⤵
  PID:7868
- C:\Windows\System32\FKygOoz.exe
  C:\Windows\System32\FKygOoz.exe
  2⤵
  PID:7944
- C:\Windows\System32\vEVWkbV.exe
  C:\Windows\System32\vEVWkbV.exe
  2⤵
  PID:7928
- C:\Windows\System32\yaloKeW.exe
  C:\Windows\System32\yaloKeW.exe
  2⤵
  PID:8028
- C:\Windows\System32\kSSxzhU.exe
  C:\Windows\System32\kSSxzhU.exe
  2⤵
  PID:6900
- C:\Windows\System32\NEAoSgm.exe
  C:\Windows\System32\NEAoSgm.exe
  2⤵
  PID:8160
- C:\Windows\System32\SIlKIYn.exe
  C:\Windows\System32\SIlKIYn.exe
  2⤵
  PID:7232
- C:\Windows\System32\vsWmzrp.exe
  C:\Windows\System32\vsWmzrp.exe
  2⤵
  PID:7336
- C:\Windows\System32\tWbgaHQ.exe
  C:\Windows\System32\tWbgaHQ.exe
  2⤵
  PID:7480
- C:\Windows\System32\psJjiSS.exe
  C:\Windows\System32\psJjiSS.exe
  2⤵
  PID:7668
- C:\Windows\System32\xUxhjsW.exe
  C:\Windows\System32\xUxhjsW.exe
  2⤵
  PID:7812
- C:\Windows\System32\STiyPlS.exe
  C:\Windows\System32\STiyPlS.exe
  2⤵
  PID:7956
- C:\Windows\System32\zGYrNUb.exe
  C:\Windows\System32\zGYrNUb.exe
  2⤵
  PID:7952
- C:\Windows\System32\SgAGevp.exe
  C:\Windows\System32\SgAGevp.exe
  2⤵
  PID:8156
- C:\Windows\System32\aRZGZnM.exe
  C:\Windows\System32\aRZGZnM.exe
  2⤵
  PID:7172
- C:\Windows\System32\rkMbbyi.exe
  C:\Windows\System32\rkMbbyi.exe
  2⤵
  PID:3816
- C:\Windows\System32\bmtvsGI.exe
  C:\Windows\System32\bmtvsGI.exe
  2⤵
  PID:8116
- C:\Windows\System32\rPKmlWT.exe
  C:\Windows\System32\rPKmlWT.exe
  2⤵
  PID:8224
- C:\Windows\System32\jNUSJNE.exe
  C:\Windows\System32\jNUSJNE.exe
  2⤵
  PID:8252
- C:\Windows\System32\sDomrcB.exe
  C:\Windows\System32\sDomrcB.exe
  2⤵
  PID:8276
- C:\Windows\System32\MvbVToE.exe
  C:\Windows\System32\MvbVToE.exe
  2⤵
  PID:8292
- C:\Windows\System32\Fknujbs.exe
  C:\Windows\System32\Fknujbs.exe
  2⤵
  PID:8316
- C:\Windows\System32\tohOwvJ.exe
  C:\Windows\System32\tohOwvJ.exe
  2⤵
  PID:8352
- C:\Windows\System32\ldToYKk.exe
  C:\Windows\System32\ldToYKk.exe
  2⤵
  PID:8404
- C:\Windows\System32\BlCQoMD.exe
  C:\Windows\System32\BlCQoMD.exe
  2⤵
  PID:8420
- C:\Windows\System32\IVaVycq.exe
  C:\Windows\System32\IVaVycq.exe
  2⤵
  PID:8436
- C:\Windows\System32\PkrQSWe.exe
  C:\Windows\System32\PkrQSWe.exe
  2⤵
  PID:8464
- C:\Windows\System32\JczJBkF.exe
  C:\Windows\System32\JczJBkF.exe
  2⤵
  PID:8504
- C:\Windows\System32\DLACvMv.exe
  C:\Windows\System32\DLACvMv.exe
  2⤵
  PID:8524
- C:\Windows\System32\EgSKimV.exe
  C:\Windows\System32\EgSKimV.exe
  2⤵
  PID:8548
- C:\Windows\System32\ukelgtZ.exe
  C:\Windows\System32\ukelgtZ.exe
  2⤵
  PID:8596
- C:\Windows\System32\EdPXCQh.exe
  C:\Windows\System32\EdPXCQh.exe
  2⤵
  PID:8616
- C:\Windows\System32\ECTXyKQ.exe
  C:\Windows\System32\ECTXyKQ.exe
  2⤵
  PID:8644
- C:\Windows\System32\dtpNjfK.exe
  C:\Windows\System32\dtpNjfK.exe
  2⤵
  PID:8672
- C:\Windows\System32\ljGDGNz.exe
  C:\Windows\System32\ljGDGNz.exe
  2⤵
  PID:8696
- C:\Windows\System32\yGwUJek.exe
  C:\Windows\System32\yGwUJek.exe
  2⤵
  PID:8720
- C:\Windows\System32\NWVwzBN.exe
  C:\Windows\System32\NWVwzBN.exe
  2⤵
  PID:8740
- C:\Windows\System32\ZDyfwJj.exe
  C:\Windows\System32\ZDyfwJj.exe
  2⤵
  PID:8776
- C:\Windows\System32\aGhnVzL.exe
  C:\Windows\System32\aGhnVzL.exe
  2⤵
  PID:8804
- C:\Windows\System32\NsIQuix.exe
  C:\Windows\System32\NsIQuix.exe
  2⤵
  PID:8832
- C:\Windows\System32\jfpZDrz.exe
  C:\Windows\System32\jfpZDrz.exe
  2⤵
  PID:8852
- C:\Windows\System32\FjSVnAE.exe
  C:\Windows\System32\FjSVnAE.exe
  2⤵
  PID:8880
- C:\Windows\System32\eXtzvWf.exe
  C:\Windows\System32\eXtzvWf.exe
  2⤵
  PID:8904
- C:\Windows\System32\LuVwQfd.exe
  C:\Windows\System32\LuVwQfd.exe
  2⤵
  PID:8924
- C:\Windows\System32\vCSCTTZ.exe
  C:\Windows\System32\vCSCTTZ.exe
  2⤵
  PID:8948
- C:\Windows\System32\hwtHuEw.exe
  C:\Windows\System32\hwtHuEw.exe
  2⤵
  PID:8968
- C:\Windows\System32\zSqiIPo.exe
  C:\Windows\System32\zSqiIPo.exe
  2⤵
  PID:8996
- C:\Windows\System32\SpAmOGE.exe
  C:\Windows\System32\SpAmOGE.exe
  2⤵
  PID:9052
- C:\Windows\System32\XtmHeLi.exe
  C:\Windows\System32\XtmHeLi.exe
  2⤵
  PID:9076
- C:\Windows\System32\dTJluOh.exe
  C:\Windows\System32\dTJluOh.exe
  2⤵
  PID:9092
- C:\Windows\System32\uPKrevb.exe
  C:\Windows\System32\uPKrevb.exe
  2⤵
  PID:9144
- C:\Windows\System32\ayhQiEj.exe
  C:\Windows\System32\ayhQiEj.exe
  2⤵
  PID:9168
- C:\Windows\System32\CUhPNys.exe
  C:\Windows\System32\CUhPNys.exe
  2⤵
  PID:8388
- C:\Windows\System32\AABBNWr.exe
  C:\Windows\System32\AABBNWr.exe
  2⤵
  PID:8448
- C:\Windows\System32\WlnQDNn.exe
  C:\Windows\System32\WlnQDNn.exe
  2⤵
  PID:8576
- C:\Windows\System32\fzIqgPL.exe
  C:\Windows\System32\fzIqgPL.exe
  2⤵
  PID:8636
- C:\Windows\System32\UUJWLum.exe
  C:\Windows\System32\UUJWLum.exe
  2⤵
  PID:8668
- C:\Windows\System32\tnakPxf.exe
  C:\Windows\System32\tnakPxf.exe
  2⤵
  PID:8704
- C:\Windows\System32\QqXyTFX.exe
  C:\Windows\System32\QqXyTFX.exe
  2⤵
  PID:8752
- C:\Windows\System32\fohJFHj.exe
  C:\Windows\System32\fohJFHj.exe
  2⤵
  PID:8784
- C:\Windows\System32\tVmwZQE.exe
  C:\Windows\System32\tVmwZQE.exe
  2⤵
  PID:8872
- C:\Windows\System32\xJogNpt.exe
  C:\Windows\System32\xJogNpt.exe
  2⤵
  PID:8888
- C:\Windows\System32\IiaUZTP.exe
  C:\Windows\System32\IiaUZTP.exe
  2⤵
  PID:8944
- C:\Windows\System32\janyCgi.exe
  C:\Windows\System32\janyCgi.exe
  2⤵
  PID:8960
- C:\Windows\System32\NoYlKGV.exe
  C:\Windows\System32\NoYlKGV.exe
  2⤵
  PID:8984
- C:\Windows\System32\VeExKgC.exe
  C:\Windows\System32\VeExKgC.exe
  2⤵
  PID:9004
- C:\Windows\System32\nxnnTIg.exe
  C:\Windows\System32\nxnnTIg.exe
  2⤵
  PID:8240
- C:\Windows\System32\PBnIBPT.exe
  C:\Windows\System32\PBnIBPT.exe
  2⤵
  PID:8304
- C:\Windows\System32\fIFkKwu.exe
  C:\Windows\System32\fIFkKwu.exe
  2⤵
  PID:8284
- C:\Windows\System32\Psezist.exe
  C:\Windows\System32\Psezist.exe
  2⤵
  PID:8544
- C:\Windows\System32\njqGlSM.exe
  C:\Windows\System32\njqGlSM.exe
  2⤵
  PID:8760
- C:\Windows\System32\agucAuQ.exe
  C:\Windows\System32\agucAuQ.exe
  2⤵
  PID:8712
- C:\Windows\System32\OebKgEB.exe
  C:\Windows\System32\OebKgEB.exe
  2⤵
  PID:8976
- C:\Windows\System32\XwBMmTP.exe
  C:\Windows\System32\XwBMmTP.exe
  2⤵
  PID:9060
- C:\Windows\System32\YWWyyON.exe
  C:\Windows\System32\YWWyyON.exe
  2⤵
  PID:9128
- C:\Windows\System32\DIrzbgK.exe
  C:\Windows\System32\DIrzbgK.exe
  2⤵
  PID:9208
- C:\Windows\System32\yogGsDh.exe
  C:\Windows\System32\yogGsDh.exe
  2⤵
  PID:8608
- C:\Windows\System32\SkvxCTD.exe
  C:\Windows\System32\SkvxCTD.exe
  2⤵
  PID:9072
- C:\Windows\System32\bYypcks.exe
  C:\Windows\System32\bYypcks.exe
  2⤵
  PID:8900
- C:\Windows\System32\mKlRgLi.exe
  C:\Windows\System32\mKlRgLi.exe
  2⤵
  PID:8860
- C:\Windows\System32\rdLdqlC.exe
  C:\Windows\System32\rdLdqlC.exe
  2⤵
  PID:7984
- C:\Windows\System32\tOWSrHT.exe
  C:\Windows\System32\tOWSrHT.exe
  2⤵
  PID:9236
- C:\Windows\System32\IbHMEbf.exe
  C:\Windows\System32\IbHMEbf.exe
  2⤵
  PID:9260
- C:\Windows\System32\dnyrsTQ.exe
  C:\Windows\System32\dnyrsTQ.exe
  2⤵
  PID:9284
- C:\Windows\System32\vqWNEtY.exe
  C:\Windows\System32\vqWNEtY.exe
  2⤵
  PID:9304
- C:\Windows\System32\cxzAzlW.exe
  C:\Windows\System32\cxzAzlW.exe
  2⤵
  PID:9324
- C:\Windows\System32\ZzlKLNA.exe
  C:\Windows\System32\ZzlKLNA.exe
  2⤵
  PID:9348
- C:\Windows\System32\KqMmIOD.exe
  C:\Windows\System32\KqMmIOD.exe
  2⤵
  PID:9372
- C:\Windows\System32\uVvVQyf.exe
  C:\Windows\System32\uVvVQyf.exe
  2⤵
  PID:9436
- C:\Windows\System32\fcYlClD.exe
  C:\Windows\System32\fcYlClD.exe
  2⤵
  PID:9456
- C:\Windows\System32\MILGNLZ.exe
  C:\Windows\System32\MILGNLZ.exe
  2⤵
  PID:9484
- C:\Windows\System32\ajJMgRY.exe
  C:\Windows\System32\ajJMgRY.exe
  2⤵
  PID:9512
- C:\Windows\System32\JlmcEFK.exe
  C:\Windows\System32\JlmcEFK.exe
  2⤵
  PID:9540
- C:\Windows\System32\JQxFBbb.exe
  C:\Windows\System32\JQxFBbb.exe
  2⤵
  PID:9556
- C:\Windows\System32\DjvZdkE.exe
  C:\Windows\System32\DjvZdkE.exe
  2⤵
  PID:9596
- C:\Windows\System32\BxuugAh.exe
  C:\Windows\System32\BxuugAh.exe
  2⤵
  PID:9632
- C:\Windows\System32\kfEketL.exe
  C:\Windows\System32\kfEketL.exe
  2⤵
  PID:9652
- C:\Windows\System32\AwuTcnh.exe
  C:\Windows\System32\AwuTcnh.exe
  2⤵
  PID:9672
- C:\Windows\System32\xMcnmGs.exe
  C:\Windows\System32\xMcnmGs.exe
  2⤵
  PID:9696
- C:\Windows\System32\jCInyhv.exe
  C:\Windows\System32\jCInyhv.exe
  2⤵
  PID:9712
- C:\Windows\System32\NouuvWe.exe
  C:\Windows\System32\NouuvWe.exe
  2⤵
  PID:9732
- C:\Windows\System32\iPBMxyb.exe
  C:\Windows\System32\iPBMxyb.exe
  2⤵
  PID:9788
- C:\Windows\System32\GXVgCEd.exe
  C:\Windows\System32\GXVgCEd.exe
  2⤵
  PID:9820
- C:\Windows\System32\IQIQEJK.exe
  C:\Windows\System32\IQIQEJK.exe
  2⤵
  PID:9848
- C:\Windows\System32\uNrrIjw.exe
  C:\Windows\System32\uNrrIjw.exe
  2⤵
  PID:9868
- C:\Windows\System32\QwvmJLI.exe
  C:\Windows\System32\QwvmJLI.exe
  2⤵
  PID:9892
- C:\Windows\System32\jHdcdjq.exe
  C:\Windows\System32\jHdcdjq.exe
  2⤵
  PID:9920
- C:\Windows\System32\maaqcCt.exe
  C:\Windows\System32\maaqcCt.exe
  2⤵
  PID:9940
- C:\Windows\System32\VLNGLKL.exe
  C:\Windows\System32\VLNGLKL.exe
  2⤵
  PID:9988
- C:\Windows\System32\wKqzePO.exe
  C:\Windows\System32\wKqzePO.exe
  2⤵
  PID:10024
- C:\Windows\System32\BOVgtmj.exe
  C:\Windows\System32\BOVgtmj.exe
  2⤵
  PID:10052
- C:\Windows\System32\fpgJDmQ.exe
  C:\Windows\System32\fpgJDmQ.exe
  2⤵
  PID:10080
- C:\Windows\System32\fEsvFgp.exe
  C:\Windows\System32\fEsvFgp.exe
  2⤵
  PID:10104
- C:\Windows\System32\uNFLHfi.exe
  C:\Windows\System32\uNFLHfi.exe
  2⤵
  PID:10128
- C:\Windows\System32\MJSDORX.exe
  C:\Windows\System32\MJSDORX.exe
  2⤵
  PID:10148
- C:\Windows\System32\QnggBtx.exe
  C:\Windows\System32\QnggBtx.exe
  2⤵
  PID:10176
- C:\Windows\System32\aQuOwtX.exe
  C:\Windows\System32\aQuOwtX.exe
  2⤵
  PID:10224
- C:\Windows\System32\TZBmqdf.exe
  C:\Windows\System32\TZBmqdf.exe
  2⤵
  PID:9184
- C:\Windows\System32\IbyoSni.exe
  C:\Windows\System32\IbyoSni.exe
  2⤵
  PID:9280
- C:\Windows\System32\fDKbJYc.exe
  C:\Windows\System32\fDKbJYc.exe
  2⤵
  PID:9316
- C:\Windows\System32\DOobOSK.exe
  C:\Windows\System32\DOobOSK.exe
  2⤵
  PID:9356
- C:\Windows\System32\mHuPRQS.exe
  C:\Windows\System32\mHuPRQS.exe
  2⤵
  PID:9396
- C:\Windows\System32\DsqsFou.exe
  C:\Windows\System32\DsqsFou.exe
  2⤵
  PID:9492
- C:\Windows\System32\XKDpfYe.exe
  C:\Windows\System32\XKDpfYe.exe
  2⤵
  PID:9548
- C:\Windows\System32\uikMuxI.exe
  C:\Windows\System32\uikMuxI.exe
  2⤵
  PID:9668
- C:\Windows\System32\IWyHfVy.exe
  C:\Windows\System32\IWyHfVy.exe
  2⤵
  PID:9680
- C:\Windows\System32\yfFbwcA.exe
  C:\Windows\System32\yfFbwcA.exe
  2⤵
  PID:9728
- C:\Windows\System32\aEBFzzv.exe
  C:\Windows\System32\aEBFzzv.exe
  2⤵
  PID:9796
- C:\Windows\System32\sNBzyKW.exe
  C:\Windows\System32\sNBzyKW.exe
  2⤵
  PID:9884
- C:\Windows\System32\ujABjoK.exe
  C:\Windows\System32\ujABjoK.exe
  2⤵
  PID:10012
- C:\Windows\System32\kSBaEee.exe
  C:\Windows\System32\kSBaEee.exe
  2⤵
  PID:10088
- C:\Windows\System32\OiDXAjF.exe
  C:\Windows\System32\OiDXAjF.exe
  2⤵
  PID:10100
- C:\Windows\System32\cfwKEzB.exe
  C:\Windows\System32\cfwKEzB.exe
  2⤵
  PID:10140
- C:\Windows\System32\gImqdaO.exe
  C:\Windows\System32\gImqdaO.exe
  2⤵
  PID:10232
- C:\Windows\System32\rLOcXaG.exe
  C:\Windows\System32\rLOcXaG.exe
  2⤵
  PID:8200
- C:\Windows\System32\lAHvvyT.exe
  C:\Windows\System32\lAHvvyT.exe
  2⤵
  PID:9336
- C:\Windows\System32\PeNxAbm.exe
  C:\Windows\System32\PeNxAbm.exe
  2⤵
  PID:9612
- C:\Windows\System32\bpEQKrB.exe
  C:\Windows\System32\bpEQKrB.exe
  2⤵
  PID:9648
- C:\Windows\System32\fYabTBy.exe
  C:\Windows\System32\fYabTBy.exe
  2⤵
  PID:10068
- C:\Windows\System32\lyArfOH.exe
  C:\Windows\System32\lyArfOH.exe
  2⤵
  PID:9256
- C:\Windows\System32\XrDfsPn.exe
  C:\Windows\System32\XrDfsPn.exe
  2⤵
  PID:9576
- C:\Windows\System32\HorqBNt.exe
  C:\Windows\System32\HorqBNt.exe
  2⤵
  PID:9608
- C:\Windows\System32\uwOnblq.exe
  C:\Windows\System32\uwOnblq.exe
  2⤵
  PID:9904
- C:\Windows\System32\ZoXEkKh.exe
  C:\Windows\System32\ZoXEkKh.exe
  2⤵
  PID:9388
- C:\Windows\System32\XnJkfPv.exe
  C:\Windows\System32\XnJkfPv.exe
  2⤵
  PID:10256
- C:\Windows\System32\pgFikfx.exe
  C:\Windows\System32\pgFikfx.exe
  2⤵
  PID:10292
- C:\Windows\System32\yRvzRKU.exe
  C:\Windows\System32\yRvzRKU.exe
  2⤵
  PID:10316
- C:\Windows\System32\nNHOFuQ.exe
  C:\Windows\System32\nNHOFuQ.exe
  2⤵
  PID:10348
- C:\Windows\System32\LjZfIyK.exe
  C:\Windows\System32\LjZfIyK.exe
  2⤵
  PID:10372
- C:\Windows\System32\uCvnJgH.exe
  C:\Windows\System32\uCvnJgH.exe
  2⤵
  PID:10392
- C:\Windows\System32\DIoUCzX.exe
  C:\Windows\System32\DIoUCzX.exe
  2⤵
  PID:10432
- C:\Windows\System32\aSylrEq.exe
  C:\Windows\System32\aSylrEq.exe
  2⤵
  PID:10464
- C:\Windows\System32\jtcXOhS.exe
  C:\Windows\System32\jtcXOhS.exe
  2⤵
  PID:10488
- C:\Windows\System32\lNpXPZx.exe
  C:\Windows\System32\lNpXPZx.exe
  2⤵
  PID:10504
- C:\Windows\System32\xQoEvNw.exe
  C:\Windows\System32\xQoEvNw.exe
  2⤵
  PID:10528
- C:\Windows\System32\BISRnmc.exe
  C:\Windows\System32\BISRnmc.exe
  2⤵
  PID:10564
- C:\Windows\System32\VdYCoRy.exe
  C:\Windows\System32\VdYCoRy.exe
  2⤵
  PID:10584
- C:\Windows\System32\dsukWtX.exe
  C:\Windows\System32\dsukWtX.exe
  2⤵
  PID:10608
- C:\Windows\System32\KlzzbLP.exe
  C:\Windows\System32\KlzzbLP.exe
  2⤵
  PID:10644
- C:\Windows\System32\KdzyoBZ.exe
  C:\Windows\System32\KdzyoBZ.exe
  2⤵
  PID:10696
- C:\Windows\System32\joxMgNC.exe
  C:\Windows\System32\joxMgNC.exe
  2⤵
  PID:10720
- C:\Windows\System32\QLawomi.exe
  C:\Windows\System32\QLawomi.exe
  2⤵
  PID:10744
- C:\Windows\System32\qAzsthz.exe
  C:\Windows\System32\qAzsthz.exe
  2⤵
  PID:10764
- C:\Windows\System32\vXOeTTc.exe
  C:\Windows\System32\vXOeTTc.exe
  2⤵
  PID:10780
- C:\Windows\System32\bIjwELM.exe
  C:\Windows\System32\bIjwELM.exe
  2⤵
  PID:10812
- C:\Windows\System32\MPJNBZO.exe
  C:\Windows\System32\MPJNBZO.exe
  2⤵
  PID:10844
- C:\Windows\System32\duBjsBk.exe
  C:\Windows\System32\duBjsBk.exe
  2⤵
  PID:10868
- C:\Windows\System32\fMypsXy.exe
  C:\Windows\System32\fMypsXy.exe
  2⤵
  PID:10896
- C:\Windows\System32\xDHDDYU.exe
  C:\Windows\System32\xDHDDYU.exe
  2⤵
  PID:10920
- C:\Windows\System32\JyQdMhg.exe
  C:\Windows\System32\JyQdMhg.exe
  2⤵
  PID:10960
- C:\Windows\System32\Aenaxlf.exe
  C:\Windows\System32\Aenaxlf.exe
  2⤵
  PID:10992
- C:\Windows\System32\DzmAcgX.exe
  C:\Windows\System32\DzmAcgX.exe
  2⤵
  PID:11012
- C:\Windows\System32\xlglvFO.exe
  C:\Windows\System32\xlglvFO.exe
  2⤵
  PID:11056
- C:\Windows\System32\LjBEPwE.exe
  C:\Windows\System32\LjBEPwE.exe
  2⤵
  PID:11080
- C:\Windows\System32\mbvdqNf.exe
  C:\Windows\System32\mbvdqNf.exe
  2⤵
  PID:11112
- C:\Windows\System32\HksQlUq.exe
  C:\Windows\System32\HksQlUq.exe
  2⤵
  PID:11136
- C:\Windows\System32\QBHQbqE.exe
  C:\Windows\System32\QBHQbqE.exe
  2⤵
  PID:11160
- C:\Windows\System32\BNwvBAU.exe
  C:\Windows\System32\BNwvBAU.exe
  2⤵
  PID:11184
- C:\Windows\System32\GqugEGf.exe
  C:\Windows\System32\GqugEGf.exe
  2⤵
  PID:11204
- C:\Windows\System32\zOuXQZb.exe
  C:\Windows\System32\zOuXQZb.exe
  2⤵
  PID:11236
- C:\Windows\System32\QCeYyIH.exe
  C:\Windows\System32\QCeYyIH.exe
  2⤵
  PID:11252
- C:\Windows\System32\aKikpVW.exe
  C:\Windows\System32\aKikpVW.exe
  2⤵
  PID:10264
- C:\Windows\System32\BShjxZa.exe
  C:\Windows\System32\BShjxZa.exe
  2⤵
  PID:10248
- C:\Windows\System32\jcosVSg.exe
  C:\Windows\System32\jcosVSg.exe
  2⤵
  PID:10416
- C:\Windows\System32\CrEekIA.exe
  C:\Windows\System32\CrEekIA.exe
  2⤵
  PID:10476
- C:\Windows\System32\ZhEljGr.exe
  C:\Windows\System32\ZhEljGr.exe
  2⤵
  PID:10604
- C:\Windows\System32\aGqKWxk.exe
  C:\Windows\System32\aGqKWxk.exe
  2⤵
  PID:10576
- C:\Windows\System32\pasUKNX.exe
  C:\Windows\System32\pasUKNX.exe
  2⤵
  PID:10676
- C:\Windows\System32\pQambVk.exe
  C:\Windows\System32\pQambVk.exe
  2⤵
  PID:10752
- C:\Windows\System32\mcRPzuS.exe
  C:\Windows\System32\mcRPzuS.exe
  2⤵
  PID:10792
- C:\Windows\System32\iNOxUhG.exe
  C:\Windows\System32\iNOxUhG.exe
  2⤵
  PID:10852
- C:\Windows\System32\MVMBiPm.exe
  C:\Windows\System32\MVMBiPm.exe
  2⤵
  PID:10880
- C:\Windows\System32\rWYXdXK.exe
  C:\Windows\System32\rWYXdXK.exe
  2⤵
  PID:11024
- C:\Windows\System32\WZgvMzo.exe
  C:\Windows\System32\WZgvMzo.exe
  2⤵
  PID:11068
- C:\Windows\System32\dqdVEtb.exe
  C:\Windows\System32\dqdVEtb.exe
  2⤵
  PID:11108
- C:\Windows\System32\PVDYzbs.exe
  C:\Windows\System32\PVDYzbs.exe
  2⤵
  PID:11192
- C:\Windows\System32\fIqTfeG.exe
  C:\Windows\System32\fIqTfeG.exe
  2⤵
  PID:11212
- C:\Windows\System32\GUuZCaz.exe
  C:\Windows\System32\GUuZCaz.exe
  2⤵
  PID:10332
- C:\Windows\System32\UJpJFXN.exe
  C:\Windows\System32\UJpJFXN.exe
  2⤵
  PID:9480
- C:\Windows\System32\ZvBvUMt.exe
  C:\Windows\System32\ZvBvUMt.exe
  2⤵
  PID:10524
- C:\Windows\System32\EJvEavt.exe
  C:\Windows\System32\EJvEavt.exe
  2⤵
  PID:10552
- C:\Windows\System32\xsLuHvg.exe
  C:\Windows\System32\xsLuHvg.exe
  2⤵
  PID:10860
- C:\Windows\System32\CNGhyqz.exe
  C:\Windows\System32\CNGhyqz.exe
  2⤵
  PID:10940
- C:\Windows\System32\BmEFLcF.exe
  C:\Windows\System32\BmEFLcF.exe
  2⤵
  PID:11144
- C:\Windows\System32\TktHAKH.exe
  C:\Windows\System32\TktHAKH.exe
  2⤵
  PID:10592
- C:\Windows\System32\YbFHVgW.exe
  C:\Windows\System32\YbFHVgW.exe
  2⤵
  PID:10956
- C:\Windows\System32\AGaDqGZ.exe
  C:\Windows\System32\AGaDqGZ.exe
  2⤵
  PID:11088
- C:\Windows\System32\TVLrCnv.exe
  C:\Windows\System32\TVLrCnv.exe
  2⤵
  PID:10512
- C:\Windows\System32\oIlThNH.exe
  C:\Windows\System32\oIlThNH.exe
  2⤵
  PID:10660
- C:\Windows\System32\jbckicz.exe
  C:\Windows\System32\jbckicz.exe
  2⤵
  PID:11304
- C:\Windows\System32\EusSsPO.exe
  C:\Windows\System32\EusSsPO.exe
  2⤵
  PID:11340
- C:\Windows\System32\AlWpyUK.exe
  C:\Windows\System32\AlWpyUK.exe
  2⤵
  PID:11364
- C:\Windows\System32\exmxdPJ.exe
  C:\Windows\System32\exmxdPJ.exe
  2⤵
  PID:11380
- C:\Windows\System32\ZWlrppk.exe
  C:\Windows\System32\ZWlrppk.exe
  2⤵
  PID:11412
- C:\Windows\System32\LmuMZwc.exe
  C:\Windows\System32\LmuMZwc.exe
  2⤵
  PID:11444
- C:\Windows\System32\HrFxMfj.exe
  C:\Windows\System32\HrFxMfj.exe
  2⤵
  PID:11464
- C:\Windows\System32\gcLKbiU.exe
  C:\Windows\System32\gcLKbiU.exe
  2⤵
  PID:11496
- C:\Windows\System32\xXNIbNJ.exe
  C:\Windows\System32\xXNIbNJ.exe
  2⤵
  PID:11520
- C:\Windows\System32\ibLDvkK.exe
  C:\Windows\System32\ibLDvkK.exe
  2⤵
  PID:11556
- C:\Windows\System32\mazOWvK.exe
  C:\Windows\System32\mazOWvK.exe
  2⤵
  PID:11576
- C:\Windows\System32\KKJGlBf.exe
  C:\Windows\System32\KKJGlBf.exe
  2⤵
  PID:11596
- C:\Windows\System32\aLoEFFX.exe
  C:\Windows\System32\aLoEFFX.exe
  2⤵
  PID:11628
- C:\Windows\System32\PQSMsdE.exe
  C:\Windows\System32\PQSMsdE.exe
  2⤵
  PID:11660
- C:\Windows\System32\WUMmiEh.exe
  C:\Windows\System32\WUMmiEh.exe
  2⤵
  PID:11708
- C:\Windows\System32\uBsycAY.exe
  C:\Windows\System32\uBsycAY.exe
  2⤵
  PID:11752
- C:\Windows\System32\PZGfxaM.exe
  C:\Windows\System32\PZGfxaM.exe
  2⤵
  PID:11768
- C:\Windows\System32\jschtai.exe
  C:\Windows\System32\jschtai.exe
  2⤵
  PID:11792
- C:\Windows\System32\NHQiEFp.exe
  C:\Windows\System32\NHQiEFp.exe
  2⤵
  PID:11812
- C:\Windows\System32\cKyMdEb.exe
  C:\Windows\System32\cKyMdEb.exe
  2⤵
  PID:11852
- C:\Windows\System32\mHaPXFg.exe
  C:\Windows\System32\mHaPXFg.exe
  2⤵
  PID:11880
- C:\Windows\System32\NnoVGJz.exe
  C:\Windows\System32\NnoVGJz.exe
  2⤵
  PID:11908
- C:\Windows\System32\bHQfidS.exe
  C:\Windows\System32\bHQfidS.exe
  2⤵
  PID:11932
- C:\Windows\System32\EoUCAnX.exe
  C:\Windows\System32\EoUCAnX.exe
  2⤵
  PID:11956
- C:\Windows\System32\IiQHCre.exe
  C:\Windows\System32\IiQHCre.exe
  2⤵
  PID:11980
- C:\Windows\System32\JBOAHpn.exe
  C:\Windows\System32\JBOAHpn.exe
  2⤵
  PID:12012
- C:\Windows\System32\DSlIkqF.exe
  C:\Windows\System32\DSlIkqF.exe
  2⤵
  PID:12032
- C:\Windows\System32\XQSWXcy.exe
  C:\Windows\System32\XQSWXcy.exe
  2⤵
  PID:12064
- C:\Windows\System32\dspBjmQ.exe
  C:\Windows\System32\dspBjmQ.exe
  2⤵
  PID:12092
- C:\Windows\System32\ZZvFXDU.exe
  C:\Windows\System32\ZZvFXDU.exe
  2⤵
  PID:12140
- C:\Windows\System32\wTyXObQ.exe
  C:\Windows\System32\wTyXObQ.exe
  2⤵
  PID:12160
- C:\Windows\System32\oLvWupt.exe
  C:\Windows\System32\oLvWupt.exe
  2⤵
  PID:12176
- C:\Windows\System32\ireuLQz.exe
  C:\Windows\System32\ireuLQz.exe
  2⤵
  PID:12192
- C:\Windows\System32\vHExMcV.exe
  C:\Windows\System32\vHExMcV.exe
  2⤵
  PID:12212
- C:\Windows\System32\RHMsvhP.exe
  C:\Windows\System32\RHMsvhP.exe
  2⤵
  PID:12256
- C:\Windows\System32\LBlRRfU.exe
  C:\Windows\System32\LBlRRfU.exe
  2⤵
  PID:12280
- C:\Windows\System32\NGBaLHk.exe
  C:\Windows\System32\NGBaLHk.exe
  2⤵
  PID:11292
- C:\Windows\System32\NfqJQGT.exe
  C:\Windows\System32\NfqJQGT.exe
  2⤵
  PID:11316
- C:\Windows\System32\ADUKjjL.exe
  C:\Windows\System32\ADUKjjL.exe
  2⤵
  PID:11356
- C:\Windows\System32\RwhdYvy.exe
  C:\Windows\System32\RwhdYvy.exe
  2⤵
  PID:11420
- C:\Windows\System32\VQOZmAh.exe
  C:\Windows\System32\VQOZmAh.exe
  2⤵
  PID:11528
- C:\Windows\System32\pnruhHN.exe
  C:\Windows\System32\pnruhHN.exe
  2⤵
  PID:11684
- C:\Windows\System32\NHIqNNB.exe
  C:\Windows\System32\NHIqNNB.exe
  2⤵
  PID:11724
- C:\Windows\System32\uMqAQwm.exe
  C:\Windows\System32\uMqAQwm.exe
  2⤵
  PID:11764
- C:\Windows\System32\VhxPZEt.exe
  C:\Windows\System32\VhxPZEt.exe
  2⤵
  PID:11824
- C:\Windows\System32\cZzpzBS.exe
  C:\Windows\System32\cZzpzBS.exe
  2⤵
  PID:11904
- C:\Windows\System32\biwaEQJ.exe
  C:\Windows\System32\biwaEQJ.exe
  2⤵
  PID:11972
- C:\Windows\System32\nijaTKm.exe
  C:\Windows\System32\nijaTKm.exe
  2⤵
  PID:12040
- C:\Windows\System32\zijYdGm.exe
  C:\Windows\System32\zijYdGm.exe
  2⤵
  PID:12104
- C:\Windows\System32\VuaACTM.exe
  C:\Windows\System32\VuaACTM.exe
  2⤵
  PID:12168
- C:\Windows\System32\uZbUqjc.exe
  C:\Windows\System32\uZbUqjc.exe
  2⤵
  PID:12200
- C:\Windows\System32\ZSnGVpP.exe
  C:\Windows\System32\ZSnGVpP.exe
  2⤵
  PID:2440
- C:\Windows\System32\IHwukjr.exe
  C:\Windows\System32\IHwukjr.exe
  2⤵
  PID:10732
- C:\Windows\System32\kMoMkjq.exe
  C:\Windows\System32\kMoMkjq.exe
  2⤵
  PID:11388
- C:\Windows\System32\MGErjzR.exe
  C:\Windows\System32\MGErjzR.exe
  2⤵
  PID:11440
- C:\Windows\System32\ZAaMCdg.exe
  C:\Windows\System32\ZAaMCdg.exe
  2⤵
  PID:11504
- C:\Windows\System32\SxUffTF.exe
  C:\Windows\System32\SxUffTF.exe
  2⤵
  PID:11688
- C:\Windows\System32\lyrfMdT.exe
  C:\Windows\System32\lyrfMdT.exe
  2⤵
  PID:11808
- C:\Windows\System32\APqOrxc.exe
  C:\Windows\System32\APqOrxc.exe
  2⤵
  PID:11916
- C:\Windows\System32\wqGWEss.exe
  C:\Windows\System32\wqGWEss.exe
  2⤵
  PID:12056
- C:\Windows\System32\kSPUMqa.exe
  C:\Windows\System32\kSPUMqa.exe
  2⤵
  PID:12188
- C:\Windows\System32\cFYCaaQ.exe
  C:\Windows\System32\cFYCaaQ.exe
  2⤵
  PID:11328
- C:\Windows\System32\qKrfGlN.exe
  C:\Windows\System32\qKrfGlN.exe
  2⤵
  PID:11372
- C:\Windows\System32\cRuXyie.exe
  C:\Windows\System32\cRuXyie.exe
  2⤵
  PID:11564
- C:\Windows\System32\XjOIcML.exe
  C:\Windows\System32\XjOIcML.exe
  2⤵
  PID:12312
- C:\Windows\System32\djGBBua.exe
  C:\Windows\System32\djGBBua.exe
  2⤵
  PID:12344
- C:\Windows\System32\qvNtHZI.exe
  C:\Windows\System32\qvNtHZI.exe
  2⤵
  PID:12364
- C:\Windows\System32\TlrlSnA.exe
  C:\Windows\System32\TlrlSnA.exe
  2⤵
  PID:12388
- C:\Windows\System32\sOkwzAP.exe
  C:\Windows\System32\sOkwzAP.exe
  2⤵
  PID:12412
- C:\Windows\System32\OSfzYRB.exe
  C:\Windows\System32\OSfzYRB.exe
  2⤵
  PID:12448
- C:\Windows\System32\vGiVaUo.exe
  C:\Windows\System32\vGiVaUo.exe
  2⤵
  PID:12476
- C:\Windows\System32\RfGBecV.exe
  C:\Windows\System32\RfGBecV.exe
  2⤵
  PID:12508
- C:\Windows\System32\PrMcElZ.exe
  C:\Windows\System32\PrMcElZ.exe
  2⤵
  PID:12524
- C:\Windows\System32\runDoam.exe
  C:\Windows\System32\runDoam.exe
  2⤵
  PID:12560
- C:\Windows\System32\NeCQxwo.exe
  C:\Windows\System32\NeCQxwo.exe
  2⤵
  PID:12592
- C:\Windows\System32\SRhkKsl.exe
  C:\Windows\System32\SRhkKsl.exe
  2⤵
  PID:12636
- C:\Windows\System32\PKzRvDO.exe
  C:\Windows\System32\PKzRvDO.exe
  2⤵
  PID:12664
- C:\Windows\System32\iRBwRTe.exe
  C:\Windows\System32\iRBwRTe.exe
  2⤵
  PID:12688
- C:\Windows\System32\HnbczAz.exe
  C:\Windows\System32\HnbczAz.exe
  2⤵
  PID:12712
- C:\Windows\System32\WpNoujF.exe
  C:\Windows\System32\WpNoujF.exe
  2⤵
  PID:12732
- C:\Windows\System32\sEYKWIP.exe
  C:\Windows\System32\sEYKWIP.exe
  2⤵
  PID:12752
- C:\Windows\System32\IcNnMgY.exe
  C:\Windows\System32\IcNnMgY.exe
  2⤵
  PID:12816
- C:\Windows\System32\SXYCVCQ.exe
  C:\Windows\System32\SXYCVCQ.exe
  2⤵
  PID:12832
- C:\Windows\System32\uBxOREP.exe
  C:\Windows\System32\uBxOREP.exe
  2⤵
  PID:12848
- C:\Windows\System32\xGwVyXe.exe
  C:\Windows\System32\xGwVyXe.exe
  2⤵
  PID:12868
- C:\Windows\System32\kxuiBZI.exe
  C:\Windows\System32\kxuiBZI.exe
  2⤵
  PID:12920
- C:\Windows\System32\utYRbmI.exe
  C:\Windows\System32\utYRbmI.exe
  2⤵
  PID:12960
- C:\Windows\System32\nBmjEwx.exe
  C:\Windows\System32\nBmjEwx.exe
  2⤵
  PID:12980
- C:\Windows\System32\usnLpYx.exe
  C:\Windows\System32\usnLpYx.exe
  2⤵
  PID:13004
- C:\Windows\System32\ycyzjTH.exe
  C:\Windows\System32\ycyzjTH.exe
  2⤵
  PID:13028
- C:\Windows\System32\BGnyMfp.exe
  C:\Windows\System32\BGnyMfp.exe
  2⤵
  PID:13052
- C:\Windows\System32\ICKnrKA.exe
  C:\Windows\System32\ICKnrKA.exe
  2⤵
  PID:13092
- C:\Windows\System32\AdfXxCk.exe
  C:\Windows\System32\AdfXxCk.exe
  2⤵
  PID:13120
- C:\Windows\System32\FlrLhui.exe
  C:\Windows\System32\FlrLhui.exe
  2⤵
  PID:13144
- C:\Windows\System32\FKaPlMh.exe
  C:\Windows\System32\FKaPlMh.exe
  2⤵
  PID:13172
- C:\Windows\System32\QwRAIva.exe
  C:\Windows\System32\QwRAIva.exe
  2⤵
  PID:13200
- C:\Windows\System32\qnDwtAj.exe
  C:\Windows\System32\qnDwtAj.exe
  2⤵
  PID:13228
- C:\Windows\System32\VYzjvfT.exe
  C:\Windows\System32\VYzjvfT.exe
  2⤵
  PID:13248
- C:\Windows\System32\wVEcqZs.exe
  C:\Windows\System32\wVEcqZs.exe
  2⤵
  PID:13288
- C:\Windows\System32\lpcIEZa.exe
  C:\Windows\System32\lpcIEZa.exe
  2⤵
  PID:13308
- C:\Windows\System32\UOINqeh.exe
  C:\Windows\System32\UOINqeh.exe
  2⤵
  PID:12300
- C:\Windows\System32\SOrGbSd.exe
  C:\Windows\System32\SOrGbSd.exe
  2⤵
  PID:12380
- C:\Windows\System32\ETNJvEt.exe
  C:\Windows\System32\ETNJvEt.exe
  2⤵
  PID:12424
- C:\Windows\System32\QtrcZFb.exe
  C:\Windows\System32\QtrcZFb.exe
  2⤵
  PID:12484
- C:\Windows\System32\ktbkMlk.exe
  C:\Windows\System32\ktbkMlk.exe
  2⤵
  PID:12588
- C:\Windows\System32\kYxaqHp.exe
  C:\Windows\System32\kYxaqHp.exe
  2⤵
  PID:12676
- C:\Windows\System32\XZTWIuI.exe
  C:\Windows\System32\XZTWIuI.exe
  2⤵
  PID:12748
- C:\Windows\System32\UiWjRAo.exe
  C:\Windows\System32\UiWjRAo.exe
  2⤵
  PID:12828
- C:\Windows\System32\EVfdSdU.exe
  C:\Windows\System32\EVfdSdU.exe
  2⤵
  PID:12856

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CRmoAZY.exe

Filesize
1.6MB

MD5
df3f6bd69875f1dbb5f0e26b1faf0adc

SHA1
eb95a2e14453306a9e64766b2bb9e5b73bbfc692

SHA256
50e3e12e476f93dbca084c91b22171fb59bbde85066f027782fc9a7dd7dc0661

SHA512
076946767cbe66ccf6bd00306335a6f29b8d6b31dae184f3cde7a65d796a8550424bfe49923f00bbd2b7507461787133d50e33ca8af806a23fb7a44da52c7d35

Download Submit
C:\Windows\System32\DPOFTpL.exe

Filesize
1.6MB

MD5
b292e0ed1294bf59f45b7f2450d8d6cf

SHA1
918edafebbcb5564ac909a47a18c0cd29ce41269

SHA256
a8368a5a20ce359ef1c8b52e085d7f22bc93c997d92261f73526afbb0c0adadc

SHA512
93f8e6d1aec4ece1d8277fe00243be37bdd37e26206e11d4a6e7b6b2b8aa9c4256559f2a3d69ea88a32f9385280c87ff0dde8c9357543e07277623a1a67b31c8

Download Submit
C:\Windows\System32\DmRwgfS.exe

Filesize
1.6MB

MD5
de1db2c2a2648ce850f0e7c776ae2884

SHA1
d49cc1feeced7d5abe079e979d15c5d22ff6ab65

SHA256
2a5fcc21c371958e3f317ea99711838db9687a8d4ad041073d5296624fa73e4c

SHA512
86c6fb084dd55c0f5ff2e039d7f4660f84cac19503c643513eff28db491de1a1be0e8c31ced15b11ebac8fbb13ab5d209c223c7f685aa24e38982812ef81ea50

Download Submit
C:\Windows\System32\HHulijr.exe

Filesize
1.6MB

MD5
4495d307754a773127ff7a05519e2475

SHA1
042fba2843b4e138d9582263acbea90bb1b490fb

SHA256
82bb4607b07cbfc83c1b5ba039705164faedeb2d02f0d3151872886a022646bd

SHA512
b720f6780587c0a622a8a5f5de81651661c784a9cb26ed7b3b8e734d43b4b435150527a58dbad2b2e35c0a3478d59756454c087d3e72cb0cc622164ff50a1905

Download Submit
C:\Windows\System32\HLPLVCG.exe

Filesize
1.6MB

MD5
e9ef8ba0cdefd0b248e28e9d526ed31e

SHA1
38d4a397080226d6d8893c2a7d1f91a71fe5fe1e

SHA256
d4e043df905bfc09944601997f2d8881b42ad776b5cce105a593e84288ca63af

SHA512
efe6bec5cb8b71640e0088b76fe12b4e8f53662f8b61262ba295b8ef2101096b90d4340071cab1c109710a2b549dbf8c73044f2fc6e2a9f0bbcd0abfee45d8d8

Download Submit
C:\Windows\System32\HpMRJlY.exe

Filesize
1.6MB

MD5
e536d05553c2eecdf08ca1448c7554c8

SHA1
f8fb89777a0055432d1fbe734386d2bf7b35cde9

SHA256
1637f75a50ba07b47e6bebadacf7a6cbc9b3eb454c61da79ba913827cb11b1e8

SHA512
63e91528f53f987f6cd95c78b669442ed37682620667d524cc9adcef95287a0901fc2e3773420f1878ceaccc65d292bde2cf0f06a7f218ec5ff1809c05837220

Download Submit
C:\Windows\System32\IdzoxXX.exe

Filesize
1.6MB

MD5
2f84a8587b016006ea70e41b584a68dd

SHA1
d193ab15879c31025ccb7e1008d4ecad61085a1d

SHA256
10782ea1a8fdf6c072d68bb43d271449f34752d53861c0c558498151c2243fd2

SHA512
ec54f2eef6e39b54e384b8ab07c6b8b80748cc3bda591fab012a7e7576b9f98d3abb3c520c2495c552cd28c2c344540f836604eebd678d103fa90876e633f5da

Download Submit
C:\Windows\System32\KVydXFY.exe

Filesize
1.6MB

MD5
8076834dd720c0bcda36c1292bce7cd8

SHA1
b15526ec4b38f8b581248772c81f2752469604a4

SHA256
b4545b1609eebca00d2e1b229b29014cf019a1cfb77f8fc24fbee545a72f2ebf

SHA512
c26373a67126baff8a1b64d4d729c0535319c4842c8c6fcadafc235914e220d4e2425be9233e818b364befc8e6c4c4b1faab26282975b9ed866bb35abc749622

Download Submit
C:\Windows\System32\PZamVEa.exe

Filesize
1.6MB

MD5
70c4a9078cabe5c4b0efddbbf00e44c2

SHA1
569630f1ac6be72d1fdcf7b0042547a6a432e4f1

SHA256
8c69bb24f339103967fb990447e88564a509968350c205615d1e0db6358627de

SHA512
7d8fa479dceb81119ac08980864c822238689c023b61c82cf818e05e9923193b7e5356b545d28901d33a8bf70f12e683da1cdb6ada5d27e46ba6ea8cf38a5866

Download Submit
C:\Windows\System32\Pbsihkz.exe

Filesize
1.6MB

MD5
87d23958fcbd7a9a9636d81116700054

SHA1
0c1fe39dc3d002d7449184c5808c75c7b9ffb39d

SHA256
4c70c77a8c49a48e352a8dbd48040efd6a4e9dad523529d346fe4b374a425a8e

SHA512
44a24464e689664ee3be95b8c3d7695858ef04cd5a0622f5b380801a8cd4eb52a09150bb59ed82bb481b0fe69926a2e1f3eb094cd909df40589e65758d16c7b1

Download Submit
C:\Windows\System32\UFqfHZE.exe

Filesize
1.6MB

MD5
3d328b92158a60d88b7aecebd04e8410

SHA1
81238048444a7795d9a79c00961e66e993c24ec9

SHA256
e3d91d75eea890a58e33b577a74b0371a04424fa4fadb2d1524ab93e78c60770

SHA512
0203f55d227a7a1a3e0f663d6d5144e09d39a50441e8c2124745667fd8184c187db4e304beb905e614e4e5cc906dac5e4b459bee789d2b5b4bfe38ff87895014

Download Submit
C:\Windows\System32\XGQZIla.exe

Filesize
1.6MB

MD5
3db697a90123974f64edb7efea4290fe

SHA1
4d57b234dabe079b48923408ac547394c4806ac1

SHA256
594138c597390a1f47927725ab2dab466530b6601b0ee388f1cc52e757ffad0d

SHA512
9b8d288e12bb8eedfef7102063d15ff3bea56a3c24b49b6516e758b6c91fc8bc7f1b1b7af18fc78a4bcf9c53b9eaaab955df47c5c49dfd7ed0a0bacec3188868

Download Submit
C:\Windows\System32\YCXOLdp.exe

Filesize
1.6MB

MD5
861f180b16b7390b66bcaf9f456b4bf1

SHA1
bc3596ee1dfec23faf6b93e2d2e63e3de06c7a24

SHA256
2cc009c33237f1453f357e0ad62a1ad44bf73997162e3344b6df69ac11a815b4

SHA512
a9d958314aec83313c4b374f3b81b2f8e4f744f7aa7a3980a9a194d07222d6ce10fa35c2b9debaed96679559c81fa33a5589df259800839462f6e3de1c834b75

Download Submit
C:\Windows\System32\YpxSVas.exe

Filesize
1.6MB

MD5
f736db4821be455f73d215bb488f45c7

SHA1
2ede02818f947cf5b1a39a9d4cba7359f13d2395

SHA256
af41746e8c504607e87718a6be566fce599c6af1d437875d53ca04d86a7d0bae

SHA512
afd8622f08847ef025f02692beff6aa28a0335aaa9e167d79dfe3d063998d353bc1ee5c2503c21252b3c0cf7b2d2aa027976550d8aa2c1d38d9869da6de17ca0

Download Submit
C:\Windows\System32\Yzxmlxn.exe

Filesize
1.6MB

MD5
8402c76fd32baceeb6ee81c40fb76621

SHA1
44ab6a4b0657783c3c6eecc222880e3b5ac424d1

SHA256
e831032609d402196be32eebf2438c2522e84dd8217847298d6aed0da4a94075

SHA512
b4b4e95667fd0c0c74e8a5209fcb9afc9306cc634d3e25123969557db64bd6641fad15379ec07140dafda5cfa38d246240e511ce61c71e5654d6293b7cb532df

Download Submit
C:\Windows\System32\ZFllYKO.exe

Filesize
1.6MB

MD5
09991341b37cb86c6b337e3906945e6e

SHA1
f08cd8ea2e70d3066cf7e5a6a8e76564a8d6a9d1

SHA256
c43dad34214090cf383ee2134392ad417082a3826babeacfe010b8bf5eb22dcc

SHA512
38c390f64841598eeed55c3ef9d5836de82c7f0465d0a48fbae4e4f815f28e4d07d6b26310256efcb1bbab8858379c198cb3e4f66b2419a74d2c6fc039ac32c3

Download Submit
C:\Windows\System32\ZZDHSvv.exe

Filesize
1.6MB

MD5
ac0ef4432036c930361c712953291aea

SHA1
a8281d93539efb9b96301f5aa5ef34033c9b7920

SHA256
9cb1214829bc677773c699cde57554f09d3fbccd2c790f40472a1c5c1a3f0cb4

SHA512
ab6111e3f4145817b58bd6c12fff5380daec26ad1bcc8b839ac09e3f4a11508a97a8a93c67c39f0ea40eba4e09b849d00d751c0d0b6e6961077adb3ae8ab9696

Download Submit
C:\Windows\System32\ZgqNznj.exe

Filesize
1.6MB

MD5
1b5ad96f14312fec629a93cd1e1b446a

SHA1
47197ac48726c9920a88f35469462d125ae00f2b

SHA256
3f84cb59103bfe67cf39bdbcb1841bd35c460ffdbfa142137fef5fcd92e18758

SHA512
55433fedf4c26c278f271eb9207278213d9305fa5c849a0b22b02ceaa99f1a78d34ec273180a726bae9f39dad248d46db5fe0a93c6b3c461875e45c41b6d5919

Download Submit
C:\Windows\System32\ZlQwPEX.exe

Filesize
1.6MB

MD5
d19917c12c7466eaf4b05f0b007ca529

SHA1
f5d71690a9baee3260df3af1b91bf3c20b7a044a

SHA256
2847784efb36e4c0e5c4dbcc85c0f941a4594865daee2fbbdcd5c37dc3545f81

SHA512
abe4d112f647b9407cdcd207aa08978727ad2b10833978db98abeed293777c9ebfde5b881e617df4ddaa9ce1060d5c56504624d198f143ee7a754c32ee0d0ce5

Download Submit
C:\Windows\System32\elHSsah.exe

Filesize
1.6MB

MD5
5740806896ae72749bc402d725386a17

SHA1
1196501f8e778adda5db6b920ef8b87a2b566e5c

SHA256
86beb39d49ac1378d09968ce5f2ab73bd7b0f3a8ae0724ae79d1b340b6a948b9

SHA512
8abb65d00ea0c81c9697e765aec2eb34a9ed5bfd08359743532eeaf0aae9a377d2acf3303ffcf5d9146432ca00d3b31b8f30edab703c8cbb3f823876cef9992a

Download Submit
C:\Windows\System32\ftOlAHH.exe

Filesize
1.6MB

MD5
23ef3e4159c71230bd804a5078ba2d51

SHA1
878d51e625e42187989b0a0d0605eec0e6c0dfb8

SHA256
31452960584dc032c5fe3a5c75c6f3ea0ca5dcedcbf6c9b2784200fb8418568f

SHA512
c52245d3b1fbef015443e2e99e913d22ef1a2201cea390eb99f9f00f020b1a4ee18b9bba20dd2662727369f14aecdc005219db3cf76e03a2c70601cf541966f3

Download Submit
C:\Windows\System32\jNPXOYL.exe

Filesize
1.6MB

MD5
83ed1ac936d833dbdc8c92c8f77a5d23

SHA1
3a0616245ec3fa72e6a055255c42bd7f641c76ac

SHA256
131dbdc3cb7f4a3dbc73050b461878aa4655a031a923903fd031594df99e2b25

SHA512
a5f080cf1d806bfa217c4e028e51dfa9e4d46e1a30ac9eddd3a71272341298540c0e50436626726e0ffec37432b0f5ac419ea0423c17e7992f59f337ac4b6c3a

Download Submit
C:\Windows\System32\kepSIAm.exe

Filesize
1.6MB

MD5
ef98f10b277658335cba6060c7331ffc

SHA1
f2de34b53361d911bafc2a8a5f10c33efb21a364

SHA256
ab97895026c43526e6b7da44a7b68443067f2ce194b80ece41bab8294caa4580

SHA512
655e4ac040deedfc4b8e85372c211e9a4f1f5ee2b9a5e077e04c1b343898d7cd7f2ebe9dd0a8be3e62a4b01a8868172beb20969ae295cf6bb2974a840cff905f

Download Submit
C:\Windows\System32\lbeQDbQ.exe

Filesize
1.6MB

MD5
6579b5459273a53dd5f8216835ab001d

SHA1
e406890d172c2bbf99ab8373a3b6cb820861dc6c

SHA256
ae9a3f0d7352bce37aaaad36ad295c43ef8154d0d1534d64d97de1f2e57ba4cd

SHA512
ee43c9f7dc7472bf4d104574543d77aab032452e7a6e9aa8ea1ac9ec4ca611175a99ed202d3af117a8563ca42a24263a8a8be6fdb5f538ae9299b7daaa677c03

Download Submit
C:\Windows\System32\miOynAX.exe

Filesize
1.6MB

MD5
ccc610f8dcfa7f070756924403e3101c

SHA1
746477e81b96f5e1105fbe67233523c48846af49

SHA256
fdeb8ed4a20cd9ab98c814c7ceac4aefd2dd326b886012fcb7b2a70dbcfabe29

SHA512
8eaca4c774f3667854ec97bde3ecdb6a12e5a7d7d02cc75990c9a7695fda96c5e59b460f0458ffc3316c5546bc0cb61e01339f94787c3dfd02cf5e63564ecf34

Download Submit
C:\Windows\System32\rRekwoC.exe

Filesize
1.6MB

MD5
1cc31862414733302fbc556e6b8d25f2

SHA1
27ecfe4d36d6cd16a3a89b4d84d9138e3f439c15

SHA256
83780b640d14e6b3f15f6c9da7c7ec1e36b754dad2f38cff7000770535ef5e8e

SHA512
56f637c1cfa5a3644acb08e1aa0758d21f2cd1a697efd63bd7a60e9f69710c6bacaaf2f241bb98bf073d0b6fd0f8399582d40e319bb85ae99d64b57311eb42d9

Download Submit
C:\Windows\System32\uzJMMUt.exe

Filesize
1.6MB

MD5
d59b93cc90aa78b912dbe362b39e5ce6

SHA1
ef9cce6259a69c182e4dfb168f071671cea1d276

SHA256
c6bbb67993d7de21c8d129486e69a84c5c179f58d148fe06ecb664099fa26022

SHA512
acd6e10a0ddd6ede84322955a6cf91221c50863e0e7d87baaa9e4cc0fcd64cdf47e9a0d9213b968f3f0b5bcd470c1f2664e1832514a678874592038f95a8d69b

Download Submit
C:\Windows\System32\vZYlOjW.exe

Filesize
1.6MB

MD5
fafa83312ce2326859e240667fb0aafb

SHA1
432798932115996e8a479cea4cb3ca48e9045e18

SHA256
be51f39ca7ed8fbab9f5380ee938f08739dfbc4ef123ee72ba868e683ed8cdd5

SHA512
e1848bbe6f5653215c80cd515ebb59845bbb179c9c0c6cb291f5f59ee814f92dbb45ed88edef9bc735cefdb6c675431bcf4a8a81e4d40d2c59037511892055ae

Download Submit
C:\Windows\System32\vtBIiSy.exe

Filesize
1.6MB

MD5
e9179d232c4e0f55e8729e6357b62de6

SHA1
4d94e4225ef68d1c0df8a858eb41b0e4cbbfaffd

SHA256
990d01cdda941f486053578b58357450513749b30abe8902d6fe52815f70dd1a

SHA512
0581d1cb9469a239ff98f4ad238cfec4255f534a6eab10788ccf911d0e0ff99ef833c405c5b1070008f5f7488ed5db7720ab79b894188ef23cbdc9f956a99607

Download Submit
C:\Windows\System32\wVAPYyn.exe

Filesize
1.6MB

MD5
df85b974dfe7bdc23efdcf8f29a634da

SHA1
a261fc8bce249d40e5f2e0c8eeb73901893d10b7

SHA256
51ef1d24ded220a16a0fbc366ffd5b9fedc8bd6ad1a3c3daa0e89bb91965ac04

SHA512
1683c0cad7a1b005a4265d9ebd8e02697ee38279985543dff8d6bd892911811cbf7839209f49fb12d1e621088b97d8c465db2317734a416c16093d3ee0a657b7

Download Submit
C:\Windows\System32\yWgCuAa.exe

Filesize
1.6MB

MD5
05ade49dba32e6c5c6b7448a5b7760bd

SHA1
37d1c73b906ff618e40bdbf9d5cde9203a31e3a8

SHA256
52318bb7ae4de016cdf6feee9e83d84893da536600c8eb305c40ff84811d6cb3

SHA512
9c097576455f1a25c4422a7fa422a5046c1d34fd8d803038a7eb42ab3608d5a71533f7e7f8e98ae7609928bd3c17e5de7b2b1fe20f69e6440fde578d424d13a3

Download Submit
C:\Windows\System32\zkQcleB.exe

Filesize
1.6MB

MD5
a33788a3002c998a687ee81427b2e91c

SHA1
be2e186d1d7c04d2e679776d0b3a88738cc0a120

SHA256
fef070cd307df769aefa15981e6b94ceaefb3879e2dae89711f2214b9cc50274

SHA512
fe0d6b97a41e56389f695dd04d560f068522f748b4c418a1eee02d099c69fd635bc89290982bdd95a58d2c553b4a98bdcc2603063e69fb8b7237ee24ccf10092

Download Submit
memory/872-2063-0x00007FF675400000-0x00007FF6757F1000-memory.dmp

Filesize
3.9MB

Download
memory/872-437-0x00007FF675400000-0x00007FF6757F1000-memory.dmp

Filesize
3.9MB

Download
memory/884-1984-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp

Filesize
3.9MB

Download
memory/884-2049-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp

Filesize
3.9MB

Download
memory/884-50-0x00007FF6A6320000-0x00007FF6A6711000-memory.dmp

Filesize
3.9MB

Download
memory/1020-10-0x00007FF639C40000-0x00007FF63A031000-memory.dmp

Filesize
3.9MB

Download
memory/1020-1982-0x00007FF639C40000-0x00007FF63A031000-memory.dmp

Filesize
3.9MB

Download
memory/1020-2025-0x00007FF639C40000-0x00007FF63A031000-memory.dmp

Filesize
3.9MB

Download
memory/1292-2045-0x00007FF7447D0000-0x00007FF744BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1292-432-0x00007FF7447D0000-0x00007FF744BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1644-70-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2021-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2055-0x00007FF7CF230000-0x00007FF7CF621000-memory.dmp

Filesize
3.9MB

Download
memory/1648-61-0x00007FF76D6F0000-0x00007FF76DAE1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2037-0x00007FF76D6F0000-0x00007FF76DAE1000-memory.dmp

Filesize
3.9MB

Download
memory/1832-44-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp

Filesize
3.9MB

Download
memory/1832-2033-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp

Filesize
3.9MB

Download
memory/1832-1983-0x00007FF6EDDC0000-0x00007FF6EE1B1000-memory.dmp

Filesize
3.9MB

Download
memory/2116-17-0x00007FF7F4B90000-0x00007FF7F4F81000-memory.dmp

Filesize
3.9MB

Download
memory/2116-2027-0x00007FF7F4B90000-0x00007FF7F4F81000-memory.dmp

Filesize
3.9MB

Download
memory/2536-2072-0x00007FF7F6D10000-0x00007FF7F7101000-memory.dmp

Filesize
3.9MB

Download
memory/2536-456-0x00007FF7F6D10000-0x00007FF7F7101000-memory.dmp

Filesize
3.9MB

Download
memory/2604-2047-0x00007FF70D780000-0x00007FF70DB71000-memory.dmp

Filesize
3.9MB

Download
memory/2604-430-0x00007FF70D780000-0x00007FF70DB71000-memory.dmp

Filesize
3.9MB

Download
memory/3068-2053-0x00007FF7B1950000-0x00007FF7B1D41000-memory.dmp

Filesize
3.9MB

Download
memory/3068-431-0x00007FF7B1950000-0x00007FF7B1D41000-memory.dmp

Filesize
3.9MB

Download
memory/3140-26-0x00007FF786370000-0x00007FF786761000-memory.dmp

Filesize
3.9MB

Download
memory/3140-2029-0x00007FF786370000-0x00007FF786761000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2035-0x00007FF7ACD60000-0x00007FF7AD151000-memory.dmp

Filesize
3.9MB

Download
memory/3388-35-0x00007FF7ACD60000-0x00007FF7AD151000-memory.dmp

Filesize
3.9MB

Download
memory/3584-433-0x00007FF7961C0000-0x00007FF7965B1000-memory.dmp

Filesize
3.9MB

Download
memory/3584-2051-0x00007FF7961C0000-0x00007FF7965B1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-68-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-2057-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp

Filesize
3.9MB

Download
memory/3624-1985-0x00007FF7080B0000-0x00007FF7084A1000-memory.dmp

Filesize
3.9MB

Download
memory/3684-2031-0x00007FF65ACD0000-0x00007FF65B0C1000-memory.dmp

Filesize
3.9MB

Download
memory/3684-56-0x00007FF65ACD0000-0x00007FF65B0C1000-memory.dmp

Filesize
3.9MB

Download
memory/3972-64-0x00007FF635F00000-0x00007FF6362F1000-memory.dmp

Filesize
3.9MB

Download
memory/3972-2039-0x00007FF635F00000-0x00007FF6362F1000-memory.dmp

Filesize
3.9MB

Download
memory/4068-2041-0x00007FF6FF960000-0x00007FF6FFD51000-memory.dmp

Filesize
3.9MB

Download
memory/4068-65-0x00007FF6FF960000-0x00007FF6FFD51000-memory.dmp

Filesize
3.9MB

Download
memory/4104-436-0x00007FF6616C0000-0x00007FF661AB1000-memory.dmp

Filesize
3.9MB

Download
memory/4104-2061-0x00007FF6616C0000-0x00007FF661AB1000-memory.dmp

Filesize
3.9MB

Download
memory/4324-2019-0x00007FF72F9B0000-0x00007FF72FDA1000-memory.dmp

Filesize
3.9MB

Download
memory/4324-1-0x00000179600C0000-0x00000179600D0000-memory.dmp

Filesize
64KB

Download
memory/4324-0-0x00007FF72F9B0000-0x00007FF72FDA1000-memory.dmp

Filesize
3.9MB

Download
memory/4652-2069-0x00007FF7D3360000-0x00007FF7D3751000-memory.dmp

Filesize
3.9MB

Download
memory/4652-450-0x00007FF7D3360000-0x00007FF7D3751000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2065-0x00007FF7C01A0000-0x00007FF7C0591000-memory.dmp

Filesize
3.9MB

Download
memory/4752-438-0x00007FF7C01A0000-0x00007FF7C0591000-memory.dmp

Filesize
3.9MB

Download
memory/4848-435-0x00007FF6E8010000-0x00007FF6E8401000-memory.dmp

Filesize
3.9MB

Download
memory/4848-2059-0x00007FF6E8010000-0x00007FF6E8401000-memory.dmp

Filesize
3.9MB

Download
memory/4916-2067-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4916-447-0x00007FF7268C0000-0x00007FF726CB1000-memory.dmp

Filesize
3.9MB

Download
memory/5112-434-0x00007FF6A0CD0000-0x00007FF6A10C1000-memory.dmp

Filesize
3.9MB

Download
memory/5112-2043-0x00007FF6A0CD0000-0x00007FF6A10C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads