xmrig | ebf44ea6a7f94cab9a8b895e837d172fd75158a95d342daa9141c17aa195b87f

Analysis

max time kernel
71s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6777681840142e5a9b1533a6c5be030_NEIKI.exe
Size

3.0MB
MD5

c6777681840142e5a9b1533a6c5be030
SHA1

bc9c02110042752b862a7705fdf7daf2c4e11243
SHA256

ebf44ea6a7f94cab9a8b895e837d172fd75158a95d342daa9141c17aa195b87f
SHA512

87d366fe4ee532a6f31927e3f35ffd0bfcfa302c141f45e34bc02c1a78c68058caac5e3d9501ef860fbe6db4c9d2959c2f0f4dca3b72bfd0943feefa00a63a48
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc40H:NFWPClFkH

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2252-0-0x00007FF72DCF0000-0x00007FF72E0E5000-memory.dmp	xmrig
behavioral2/files/0x000700000002328e-5.dat	xmrig
behavioral2/files/0x00090000000233f3-9.dat	xmrig
behavioral2/files/0x00080000000233f9-10.dat	xmrig
behavioral2/files/0x00070000000233fb-26.dat	xmrig
behavioral2/files/0x00070000000233fc-33.dat	xmrig
behavioral2/files/0x00070000000233fe-43.dat	xmrig
behavioral2/files/0x00070000000233ff-48.dat	xmrig
behavioral2/files/0x0007000000023404-73.dat	xmrig
behavioral2/files/0x0007000000023406-81.dat	xmrig
behavioral2/files/0x0007000000023408-93.dat	xmrig
behavioral2/files/0x000700000002340d-116.dat	xmrig
behavioral2/memory/1996-799-0x00007FF667F80000-0x00007FF668375000-memory.dmp	xmrig
behavioral2/files/0x0007000000023417-164.dat	xmrig
behavioral2/files/0x0007000000023416-160.dat	xmrig
behavioral2/files/0x0007000000023415-159.dat	xmrig
behavioral2/files/0x0007000000023414-153.dat	xmrig
behavioral2/files/0x0007000000023413-148.dat	xmrig
behavioral2/files/0x0007000000023412-143.dat	xmrig
behavioral2/files/0x0007000000023411-138.dat	xmrig
behavioral2/files/0x0007000000023410-133.dat	xmrig
behavioral2/files/0x000700000002340f-128.dat	xmrig
behavioral2/files/0x000700000002340e-123.dat	xmrig
behavioral2/files/0x000700000002340c-113.dat	xmrig
behavioral2/files/0x000700000002340b-108.dat	xmrig
behavioral2/files/0x000700000002340a-103.dat	xmrig
behavioral2/files/0x0007000000023409-98.dat	xmrig
behavioral2/files/0x0007000000023407-88.dat	xmrig
behavioral2/files/0x0007000000023405-78.dat	xmrig
behavioral2/memory/4660-801-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023403-68.dat	xmrig
behavioral2/memory/5080-802-0x00007FF7BA5E0000-0x00007FF7BA9D5000-memory.dmp	xmrig
behavioral2/files/0x0007000000023402-63.dat	xmrig
behavioral2/files/0x0007000000023401-58.dat	xmrig
behavioral2/files/0x0007000000023400-53.dat	xmrig
behavioral2/files/0x00070000000233fd-38.dat	xmrig
behavioral2/memory/2384-24-0x00007FF735920000-0x00007FF735D15000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fa-22.dat	xmrig
behavioral2/memory/1652-18-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp	xmrig
behavioral2/memory/4340-806-0x00007FF710DE0000-0x00007FF7111D5000-memory.dmp	xmrig
behavioral2/memory/4368-811-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp	xmrig
behavioral2/memory/3952-818-0x00007FF6503F0000-0x00007FF6507E5000-memory.dmp	xmrig
behavioral2/memory/4244-823-0x00007FF7AE890000-0x00007FF7AEC85000-memory.dmp	xmrig
behavioral2/memory/2120-835-0x00007FF7A9B10000-0x00007FF7A9F05000-memory.dmp	xmrig
behavioral2/memory/3340-839-0x00007FF67E040000-0x00007FF67E435000-memory.dmp	xmrig
behavioral2/memory/1600-842-0x00007FF7F34A0000-0x00007FF7F3895000-memory.dmp	xmrig
behavioral2/memory/3188-832-0x00007FF6438C0000-0x00007FF643CB5000-memory.dmp	xmrig
behavioral2/memory/3004-856-0x00007FF75FD40000-0x00007FF760135000-memory.dmp	xmrig
behavioral2/memory/4672-860-0x00007FF6AA320000-0x00007FF6AA715000-memory.dmp	xmrig
behavioral2/memory/5092-864-0x00007FF6279A0000-0x00007FF627D95000-memory.dmp	xmrig
behavioral2/memory/2516-863-0x00007FF6F2520000-0x00007FF6F2915000-memory.dmp	xmrig
behavioral2/memory/4648-865-0x00007FF777E70000-0x00007FF778265000-memory.dmp	xmrig
behavioral2/memory/4704-874-0x00007FF6267F0000-0x00007FF626BE5000-memory.dmp	xmrig
behavioral2/memory/4724-877-0x00007FF6800D0000-0x00007FF6804C5000-memory.dmp	xmrig
behavioral2/memory/5060-880-0x00007FF6E8260000-0x00007FF6E8655000-memory.dmp	xmrig
behavioral2/memory/2484-907-0x00007FF714B10000-0x00007FF714F05000-memory.dmp	xmrig
behavioral2/memory/3632-909-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp	xmrig
behavioral2/memory/4968-905-0x00007FF60E720000-0x00007FF60EB15000-memory.dmp	xmrig
behavioral2/memory/1652-1918-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp	xmrig
behavioral2/memory/1996-1919-0x00007FF667F80000-0x00007FF668375000-memory.dmp	xmrig
behavioral2/memory/2384-1920-0x00007FF735920000-0x00007FF735D15000-memory.dmp	xmrig
behavioral2/memory/4660-1921-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp	xmrig
behavioral2/memory/3632-1922-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp	xmrig
behavioral2/memory/4368-1925-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1652	LRboMcN.exe
1996	WchiRXO.exe
2384	ZXnUXDw.exe
4660	euEBaxs.exe
3632	CvzkAJB.exe
5080	JSEdndg.exe
4340	rLpNdaO.exe
4368	cjSNIWw.exe
3952	wGTBIqE.exe
4244	niiLZsl.exe
3188	YPIwNuT.exe
2120	CpsoxbL.exe
3340	GPEhDYy.exe
1600	RCYENms.exe
3004	ygBclbU.exe
4672	iUZyDUe.exe
2516	RPKNPHY.exe
5092	GkaiXHx.exe
4648	OyvnEBQ.exe
4704	SHoCdhK.exe
4724	nkdemCn.exe
5060	nOXcPQy.exe
4968	PehKLOK.exe
2484	ePsAYbB.exe
1252	UkqAXrQ.exe
4788	WcdklGr.exe
1944	OqAgtVn.exe
4512	bbsSpXB.exe
4896	dbdGQzA.exe
548	kVJThVE.exe
2196	fbjRQke.exe
3928	AcTlGCa.exe
1332	lqgiCkX.exe
1352	dCGIghW.exe
1732	ihanwic.exe
4688	ONfXmCX.exe
5100	LzujTlU.exe
5012	sbdTWXb.exe
2444	DqREBTF.exe
4824	wUswiTw.exe
412	voMqzBo.exe
3724	bXiYDEK.exe
4128	FLWfggK.exe
4240	lYTwUdF.exe
2940	cyHdfzR.exe
1920	EVFUBRP.exe
3348	cFgdnsX.exe
3740	VnyyoRN.exe
4276	CtOVMhu.exe
212	JZTNZOQ.exe
3296	AHbcnTQ.exe
4328	VxgARUy.exe
4732	jcnPppw.exe
5000	dlVaako.exe
740	iBTzCzC.exe
2408	oFSgTKQ.exe
3372	QnWtzju.exe
1916	kCyyGkJ.exe
916	mgkcrcj.exe
2348	XwadKjZ.exe
804	uUJPgYf.exe
3000	ezPAMHc.exe
3652	XNOtOWZ.exe
640	fWEAHZo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2252-0-0x00007FF72DCF0000-0x00007FF72E0E5000-memory.dmp	upx
behavioral2/files/0x000700000002328e-5.dat	upx
behavioral2/files/0x00090000000233f3-9.dat	upx
behavioral2/files/0x00080000000233f9-10.dat	upx
behavioral2/files/0x00070000000233fb-26.dat	upx
behavioral2/files/0x00070000000233fc-33.dat	upx
behavioral2/files/0x00070000000233fe-43.dat	upx
behavioral2/files/0x00070000000233ff-48.dat	upx
behavioral2/files/0x0007000000023404-73.dat	upx
behavioral2/files/0x0007000000023406-81.dat	upx
behavioral2/files/0x0007000000023408-93.dat	upx
behavioral2/files/0x000700000002340d-116.dat	upx
behavioral2/memory/1996-799-0x00007FF667F80000-0x00007FF668375000-memory.dmp	upx
behavioral2/files/0x0007000000023417-164.dat	upx
behavioral2/files/0x0007000000023416-160.dat	upx
behavioral2/files/0x0007000000023415-159.dat	upx
behavioral2/files/0x0007000000023414-153.dat	upx
behavioral2/files/0x0007000000023413-148.dat	upx
behavioral2/files/0x0007000000023412-143.dat	upx
behavioral2/files/0x0007000000023411-138.dat	upx
behavioral2/files/0x0007000000023410-133.dat	upx
behavioral2/files/0x000700000002340f-128.dat	upx
behavioral2/files/0x000700000002340e-123.dat	upx
behavioral2/files/0x000700000002340c-113.dat	upx
behavioral2/files/0x000700000002340b-108.dat	upx
behavioral2/files/0x000700000002340a-103.dat	upx
behavioral2/files/0x0007000000023409-98.dat	upx
behavioral2/files/0x0007000000023407-88.dat	upx
behavioral2/files/0x0007000000023405-78.dat	upx
behavioral2/memory/4660-801-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp	upx
behavioral2/files/0x0007000000023403-68.dat	upx
behavioral2/memory/5080-802-0x00007FF7BA5E0000-0x00007FF7BA9D5000-memory.dmp	upx
behavioral2/files/0x0007000000023402-63.dat	upx
behavioral2/files/0x0007000000023401-58.dat	upx
behavioral2/files/0x0007000000023400-53.dat	upx
behavioral2/files/0x00070000000233fd-38.dat	upx
behavioral2/memory/2384-24-0x00007FF735920000-0x00007FF735D15000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-22.dat	upx
behavioral2/memory/1652-18-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp	upx
behavioral2/memory/4340-806-0x00007FF710DE0000-0x00007FF7111D5000-memory.dmp	upx
behavioral2/memory/4368-811-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp	upx
behavioral2/memory/3952-818-0x00007FF6503F0000-0x00007FF6507E5000-memory.dmp	upx
behavioral2/memory/4244-823-0x00007FF7AE890000-0x00007FF7AEC85000-memory.dmp	upx
behavioral2/memory/2120-835-0x00007FF7A9B10000-0x00007FF7A9F05000-memory.dmp	upx
behavioral2/memory/3340-839-0x00007FF67E040000-0x00007FF67E435000-memory.dmp	upx
behavioral2/memory/1600-842-0x00007FF7F34A0000-0x00007FF7F3895000-memory.dmp	upx
behavioral2/memory/3188-832-0x00007FF6438C0000-0x00007FF643CB5000-memory.dmp	upx
behavioral2/memory/3004-856-0x00007FF75FD40000-0x00007FF760135000-memory.dmp	upx
behavioral2/memory/4672-860-0x00007FF6AA320000-0x00007FF6AA715000-memory.dmp	upx
behavioral2/memory/5092-864-0x00007FF6279A0000-0x00007FF627D95000-memory.dmp	upx
behavioral2/memory/2516-863-0x00007FF6F2520000-0x00007FF6F2915000-memory.dmp	upx
behavioral2/memory/4648-865-0x00007FF777E70000-0x00007FF778265000-memory.dmp	upx
behavioral2/memory/4704-874-0x00007FF6267F0000-0x00007FF626BE5000-memory.dmp	upx
behavioral2/memory/4724-877-0x00007FF6800D0000-0x00007FF6804C5000-memory.dmp	upx
behavioral2/memory/5060-880-0x00007FF6E8260000-0x00007FF6E8655000-memory.dmp	upx
behavioral2/memory/2484-907-0x00007FF714B10000-0x00007FF714F05000-memory.dmp	upx
behavioral2/memory/3632-909-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp	upx
behavioral2/memory/4968-905-0x00007FF60E720000-0x00007FF60EB15000-memory.dmp	upx
behavioral2/memory/1652-1918-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp	upx
behavioral2/memory/1996-1919-0x00007FF667F80000-0x00007FF668375000-memory.dmp	upx
behavioral2/memory/2384-1920-0x00007FF735920000-0x00007FF735D15000-memory.dmp	upx
behavioral2/memory/4660-1921-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp	upx
behavioral2/memory/3632-1922-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp	upx
behavioral2/memory/4368-1925-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp	upx

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ayHrSVB.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\bqkLutU.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\jMhtpgd.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\hkCPCjT.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\YToGBxy.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\KDcpDvw.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\tmcNikC.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\BGibLHq.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\ONfXmCX.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\RRmNDYJ.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\BGzxujG.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\lkCxHfs.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\mqLPxPL.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\GOwPCei.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\FWItpWx.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\FkvWCnV.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\xzSxxRb.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\plgEywg.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\tgNfynz.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\XMbdzfA.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\xdTfAHo.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\yQLSRXt.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\jprokSp.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\xFWMwHe.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\lOtYjIm.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\fpztJbY.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\pmIYEXN.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\wrGTRhu.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\eplbOpg.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\FLwyqIY.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\UNlLrGY.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\mxXaDEK.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\xVYvXaZ.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\mScGvlk.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\pPmRmbE.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\WLRMXKd.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\ICCFxyx.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\dbdGQzA.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\FNOjVDt.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\sTggaSx.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\YlzBSVK.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\SLtqeuO.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\ZvvkKgO.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\cmfYXud.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\qlhJuGj.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\QwcaXjO.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\dpCrLui.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\GzkpNHO.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\fhhtqWk.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\PhSMRtM.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\oyvfwyX.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\DlBwqqO.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\nlRmvZK.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\jmLvegZ.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\ZFJPNzq.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\OOZWPkI.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\JXFyLmz.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\MOyYhTE.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\AJXmOzW.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\VhNsNid.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\lqgiCkX.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\JZTNZOQ.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\hDeqHRC.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe
File created	C:\Windows\System32\VHzLlJz.exe	c6777681840142e5a9b1533a6c5be030_NEIKI.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{01277F0C-18AD-4F31-8DE1-4D4EF13CB3C7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{8585FA1D-69A6-467E-B242-A55EF3404E15}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{FFF0B1E7-9D16-4670-93E8-A2CFC5081372}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	2148	explorer.exe
Token: SeCreatePagefilePrivilege	2148	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	5428	explorer.exe
Token: SeCreatePagefilePrivilege	5428	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe
Token: SeShutdownPrivilege	7860	explorer.exe
Token: SeCreatePagefilePrivilege	7860	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
12700	sihost.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
2148	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
5428	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
7860	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1276	StartMenuExperienceHost.exe
3704	StartMenuExperienceHost.exe
1600	StartMenuExperienceHost.exe
5728	SearchApp.exe
5624	StartMenuExperienceHost.exe
5960	SearchApp.exe
6220	StartMenuExperienceHost.exe
6432	SearchApp.exe
11068	StartMenuExperienceHost.exe
10284	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1652	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	83
PID 2252 wrote to memory of 1652	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	83
PID 2252 wrote to memory of 1996	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	84
PID 2252 wrote to memory of 1996	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	84
PID 2252 wrote to memory of 2384	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	85
PID 2252 wrote to memory of 2384	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	85
PID 2252 wrote to memory of 4660	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	86
PID 2252 wrote to memory of 4660	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	86
PID 2252 wrote to memory of 3632	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	87
PID 2252 wrote to memory of 3632	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	87
PID 2252 wrote to memory of 5080	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	88
PID 2252 wrote to memory of 5080	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	88
PID 2252 wrote to memory of 4340	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	89
PID 2252 wrote to memory of 4340	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	89
PID 2252 wrote to memory of 4368	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	90
PID 2252 wrote to memory of 4368	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	90
PID 2252 wrote to memory of 3952	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	91
PID 2252 wrote to memory of 3952	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	91
PID 2252 wrote to memory of 4244	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	92
PID 2252 wrote to memory of 4244	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	92
PID 2252 wrote to memory of 3188	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	93
PID 2252 wrote to memory of 3188	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	93
PID 2252 wrote to memory of 2120	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	94
PID 2252 wrote to memory of 2120	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	94
PID 2252 wrote to memory of 3340	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	95
PID 2252 wrote to memory of 3340	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	95
PID 2252 wrote to memory of 1600	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	96
PID 2252 wrote to memory of 1600	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	96
PID 2252 wrote to memory of 3004	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	97
PID 2252 wrote to memory of 3004	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	97
PID 2252 wrote to memory of 4672	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	98
PID 2252 wrote to memory of 4672	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	98
PID 2252 wrote to memory of 2516	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	99
PID 2252 wrote to memory of 2516	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	99
PID 2252 wrote to memory of 5092	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	100
PID 2252 wrote to memory of 5092	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	100
PID 2252 wrote to memory of 4648	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	101
PID 2252 wrote to memory of 4648	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	101
PID 2252 wrote to memory of 4704	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	102
PID 2252 wrote to memory of 4704	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	102
PID 2252 wrote to memory of 4724	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	103
PID 2252 wrote to memory of 4724	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	103
PID 2252 wrote to memory of 5060	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	104
PID 2252 wrote to memory of 5060	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	104
PID 2252 wrote to memory of 4968	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	105
PID 2252 wrote to memory of 4968	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	105
PID 2252 wrote to memory of 2484	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	106
PID 2252 wrote to memory of 2484	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	106
PID 2252 wrote to memory of 1252	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	107
PID 2252 wrote to memory of 1252	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	107
PID 2252 wrote to memory of 4788	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	108
PID 2252 wrote to memory of 4788	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	108
PID 2252 wrote to memory of 1944	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	109
PID 2252 wrote to memory of 1944	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	109
PID 2252 wrote to memory of 4512	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	110
PID 2252 wrote to memory of 4512	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	110
PID 2252 wrote to memory of 4896	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	111
PID 2252 wrote to memory of 4896	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	111
PID 2252 wrote to memory of 548	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	112
PID 2252 wrote to memory of 548	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	112
PID 2252 wrote to memory of 2196	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	113
PID 2252 wrote to memory of 2196	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	113
PID 2252 wrote to memory of 3928	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	114
PID 2252 wrote to memory of 3928	2252	c6777681840142e5a9b1533a6c5be030_NEIKI.exe	114

C:\Users\Admin\AppData\Local\Temp\c6777681840142e5a9b1533a6c5be030_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c6777681840142e5a9b1533a6c5be030_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\System32\LRboMcN.exe
  C:\Windows\System32\LRboMcN.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System32\WchiRXO.exe
  C:\Windows\System32\WchiRXO.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\ZXnUXDw.exe
  C:\Windows\System32\ZXnUXDw.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System32\euEBaxs.exe
  C:\Windows\System32\euEBaxs.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\CvzkAJB.exe
  C:\Windows\System32\CvzkAJB.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\JSEdndg.exe
  C:\Windows\System32\JSEdndg.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\rLpNdaO.exe
  C:\Windows\System32\rLpNdaO.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\cjSNIWw.exe
  C:\Windows\System32\cjSNIWw.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\wGTBIqE.exe
  C:\Windows\System32\wGTBIqE.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\niiLZsl.exe
  C:\Windows\System32\niiLZsl.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\YPIwNuT.exe
  C:\Windows\System32\YPIwNuT.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\CpsoxbL.exe
  C:\Windows\System32\CpsoxbL.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\GPEhDYy.exe
  C:\Windows\System32\GPEhDYy.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System32\RCYENms.exe
  C:\Windows\System32\RCYENms.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System32\ygBclbU.exe
  C:\Windows\System32\ygBclbU.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System32\iUZyDUe.exe
  C:\Windows\System32\iUZyDUe.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\RPKNPHY.exe
  C:\Windows\System32\RPKNPHY.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System32\GkaiXHx.exe
  C:\Windows\System32\GkaiXHx.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\OyvnEBQ.exe
  C:\Windows\System32\OyvnEBQ.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\SHoCdhK.exe
  C:\Windows\System32\SHoCdhK.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\nkdemCn.exe
  C:\Windows\System32\nkdemCn.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\nOXcPQy.exe
  C:\Windows\System32\nOXcPQy.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\PehKLOK.exe
  C:\Windows\System32\PehKLOK.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\ePsAYbB.exe
  C:\Windows\System32\ePsAYbB.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\UkqAXrQ.exe
  C:\Windows\System32\UkqAXrQ.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\WcdklGr.exe
  C:\Windows\System32\WcdklGr.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\OqAgtVn.exe
  C:\Windows\System32\OqAgtVn.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\bbsSpXB.exe
  C:\Windows\System32\bbsSpXB.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\dbdGQzA.exe
  C:\Windows\System32\dbdGQzA.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\kVJThVE.exe
  C:\Windows\System32\kVJThVE.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\fbjRQke.exe
  C:\Windows\System32\fbjRQke.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\AcTlGCa.exe
  C:\Windows\System32\AcTlGCa.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\lqgiCkX.exe
  C:\Windows\System32\lqgiCkX.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System32\dCGIghW.exe
  C:\Windows\System32\dCGIghW.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\ihanwic.exe
  C:\Windows\System32\ihanwic.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\ONfXmCX.exe
  C:\Windows\System32\ONfXmCX.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System32\LzujTlU.exe
  C:\Windows\System32\LzujTlU.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\sbdTWXb.exe
  C:\Windows\System32\sbdTWXb.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\DqREBTF.exe
  C:\Windows\System32\DqREBTF.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System32\wUswiTw.exe
  C:\Windows\System32\wUswiTw.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\voMqzBo.exe
  C:\Windows\System32\voMqzBo.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System32\bXiYDEK.exe
  C:\Windows\System32\bXiYDEK.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\FLWfggK.exe
  C:\Windows\System32\FLWfggK.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\lYTwUdF.exe
  C:\Windows\System32\lYTwUdF.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\cyHdfzR.exe
  C:\Windows\System32\cyHdfzR.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\EVFUBRP.exe
  C:\Windows\System32\EVFUBRP.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\cFgdnsX.exe
  C:\Windows\System32\cFgdnsX.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\VnyyoRN.exe
  C:\Windows\System32\VnyyoRN.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\CtOVMhu.exe
  C:\Windows\System32\CtOVMhu.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\JZTNZOQ.exe
  C:\Windows\System32\JZTNZOQ.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System32\AHbcnTQ.exe
  C:\Windows\System32\AHbcnTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\VxgARUy.exe
  C:\Windows\System32\VxgARUy.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\jcnPppw.exe
  C:\Windows\System32\jcnPppw.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\dlVaako.exe
  C:\Windows\System32\dlVaako.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\iBTzCzC.exe
  C:\Windows\System32\iBTzCzC.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\oFSgTKQ.exe
  C:\Windows\System32\oFSgTKQ.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\QnWtzju.exe
  C:\Windows\System32\QnWtzju.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\kCyyGkJ.exe
  C:\Windows\System32\kCyyGkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\mgkcrcj.exe
  C:\Windows\System32\mgkcrcj.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System32\XwadKjZ.exe
  C:\Windows\System32\XwadKjZ.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\uUJPgYf.exe
  C:\Windows\System32\uUJPgYf.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System32\ezPAMHc.exe
  C:\Windows\System32\ezPAMHc.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\XNOtOWZ.exe
  C:\Windows\System32\XNOtOWZ.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\fWEAHZo.exe
  C:\Windows\System32\fWEAHZo.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\hDeqHRC.exe
  C:\Windows\System32\hDeqHRC.exe
  2⤵
  PID:624
- C:\Windows\System32\phoJcwU.exe
  C:\Windows\System32\phoJcwU.exe
  2⤵
  PID:5116
- C:\Windows\System32\ojWkMib.exe
  C:\Windows\System32\ojWkMib.exe
  2⤵
  PID:4048
- C:\Windows\System32\zcfYZii.exe
  C:\Windows\System32\zcfYZii.exe
  2⤵
  PID:1768
- C:\Windows\System32\mCQjLNA.exe
  C:\Windows\System32\mCQjLNA.exe
  2⤵
  PID:3292
- C:\Windows\System32\SMhRWqB.exe
  C:\Windows\System32\SMhRWqB.exe
  2⤵
  PID:1784
- C:\Windows\System32\XMbdzfA.exe
  C:\Windows\System32\XMbdzfA.exe
  2⤵
  PID:3828
- C:\Windows\System32\pmIYEXN.exe
  C:\Windows\System32\pmIYEXN.exe
  2⤵
  PID:4884
- C:\Windows\System32\AhnjWFJ.exe
  C:\Windows\System32\AhnjWFJ.exe
  2⤵
  PID:2428
- C:\Windows\System32\cUmhUey.exe
  C:\Windows\System32\cUmhUey.exe
  2⤵
  PID:4076
- C:\Windows\System32\RKPwlEW.exe
  C:\Windows\System32\RKPwlEW.exe
  2⤵
  PID:4700
- C:\Windows\System32\ohbhKaK.exe
  C:\Windows\System32\ohbhKaK.exe
  2⤵
  PID:2340
- C:\Windows\System32\aRUQorT.exe
  C:\Windows\System32\aRUQorT.exe
  2⤵
  PID:1012
- C:\Windows\System32\WoVwOjg.exe
  C:\Windows\System32\WoVwOjg.exe
  2⤵
  PID:2076
- C:\Windows\System32\JfXiraN.exe
  C:\Windows\System32\JfXiraN.exe
  2⤵
  PID:4224
- C:\Windows\System32\isVzhKg.exe
  C:\Windows\System32\isVzhKg.exe
  2⤵
  PID:4908
- C:\Windows\System32\zxPHLly.exe
  C:\Windows\System32\zxPHLly.exe
  2⤵
  PID:4064
- C:\Windows\System32\xzSxxRb.exe
  C:\Windows\System32\xzSxxRb.exe
  2⤵
  PID:1936
- C:\Windows\System32\RRmNDYJ.exe
  C:\Windows\System32\RRmNDYJ.exe
  2⤵
  PID:5124
- C:\Windows\System32\gHLTXtA.exe
  C:\Windows\System32\gHLTXtA.exe
  2⤵
  PID:5152
- C:\Windows\System32\DkuAIOx.exe
  C:\Windows\System32\DkuAIOx.exe
  2⤵
  PID:5180
- C:\Windows\System32\qFzwbpZ.exe
  C:\Windows\System32\qFzwbpZ.exe
  2⤵
  PID:5208
- C:\Windows\System32\kdvPPZf.exe
  C:\Windows\System32\kdvPPZf.exe
  2⤵
  PID:5236
- C:\Windows\System32\LvELcJG.exe
  C:\Windows\System32\LvELcJG.exe
  2⤵
  PID:5264
- C:\Windows\System32\kFybGXE.exe
  C:\Windows\System32\kFybGXE.exe
  2⤵
  PID:5292
- C:\Windows\System32\dYPXkGp.exe
  C:\Windows\System32\dYPXkGp.exe
  2⤵
  PID:5320
- C:\Windows\System32\yvmZNRK.exe
  C:\Windows\System32\yvmZNRK.exe
  2⤵
  PID:5348
- C:\Windows\System32\NZjQUIO.exe
  C:\Windows\System32\NZjQUIO.exe
  2⤵
  PID:5376
- C:\Windows\System32\qGnxRfi.exe
  C:\Windows\System32\qGnxRfi.exe
  2⤵
  PID:5416
- C:\Windows\System32\gMRfnYb.exe
  C:\Windows\System32\gMRfnYb.exe
  2⤵
  PID:5432
- C:\Windows\System32\BDbfkwk.exe
  C:\Windows\System32\BDbfkwk.exe
  2⤵
  PID:5460
- C:\Windows\System32\RUEZSgY.exe
  C:\Windows\System32\RUEZSgY.exe
  2⤵
  PID:5488
- C:\Windows\System32\vvCJdlM.exe
  C:\Windows\System32\vvCJdlM.exe
  2⤵
  PID:5516
- C:\Windows\System32\Qwmxwft.exe
  C:\Windows\System32\Qwmxwft.exe
  2⤵
  PID:5552
- C:\Windows\System32\ONCliWZ.exe
  C:\Windows\System32\ONCliWZ.exe
  2⤵
  PID:5572
- C:\Windows\System32\GmwvVGu.exe
  C:\Windows\System32\GmwvVGu.exe
  2⤵
  PID:5600
- C:\Windows\System32\UZuGFpH.exe
  C:\Windows\System32\UZuGFpH.exe
  2⤵
  PID:5628
- C:\Windows\System32\lYJRFgs.exe
  C:\Windows\System32\lYJRFgs.exe
  2⤵
  PID:5656
- C:\Windows\System32\UIdXVVD.exe
  C:\Windows\System32\UIdXVVD.exe
  2⤵
  PID:5684
- C:\Windows\System32\VLLtnlj.exe
  C:\Windows\System32\VLLtnlj.exe
  2⤵
  PID:5712
- C:\Windows\System32\snCImZP.exe
  C:\Windows\System32\snCImZP.exe
  2⤵
  PID:5752
- C:\Windows\System32\GDUCAln.exe
  C:\Windows\System32\GDUCAln.exe
  2⤵
  PID:5768
- C:\Windows\System32\QkAEwZM.exe
  C:\Windows\System32\QkAEwZM.exe
  2⤵
  PID:5796
- C:\Windows\System32\kBfsLOS.exe
  C:\Windows\System32\kBfsLOS.exe
  2⤵
  PID:5824
- C:\Windows\System32\QXYupeQ.exe
  C:\Windows\System32\QXYupeQ.exe
  2⤵
  PID:5852
- C:\Windows\System32\LQTbTLq.exe
  C:\Windows\System32\LQTbTLq.exe
  2⤵
  PID:5880
- C:\Windows\System32\LblENnJ.exe
  C:\Windows\System32\LblENnJ.exe
  2⤵
  PID:5908
- C:\Windows\System32\ENVnlxX.exe
  C:\Windows\System32\ENVnlxX.exe
  2⤵
  PID:5936
- C:\Windows\System32\PywoYzt.exe
  C:\Windows\System32\PywoYzt.exe
  2⤵
  PID:5964
- C:\Windows\System32\wzgXtpb.exe
  C:\Windows\System32\wzgXtpb.exe
  2⤵
  PID:5992
- C:\Windows\System32\jyTwreH.exe
  C:\Windows\System32\jyTwreH.exe
  2⤵
  PID:6020
- C:\Windows\System32\egCWjXs.exe
  C:\Windows\System32\egCWjXs.exe
  2⤵
  PID:6048
- C:\Windows\System32\YlzBSVK.exe
  C:\Windows\System32\YlzBSVK.exe
  2⤵
  PID:6076
- C:\Windows\System32\zKgfuxf.exe
  C:\Windows\System32\zKgfuxf.exe
  2⤵
  PID:6104
- C:\Windows\System32\rsCqEAR.exe
  C:\Windows\System32\rsCqEAR.exe
  2⤵
  PID:6132
- C:\Windows\System32\OFKZMZy.exe
  C:\Windows\System32\OFKZMZy.exe
  2⤵
  PID:2788
- C:\Windows\System32\wszXVuM.exe
  C:\Windows\System32\wszXVuM.exe
  2⤵
  PID:1108
- C:\Windows\System32\dpLyocT.exe
  C:\Windows\System32\dpLyocT.exe
  2⤵
  PID:1204
- C:\Windows\System32\frtaTgC.exe
  C:\Windows\System32\frtaTgC.exe
  2⤵
  PID:4208
- C:\Windows\System32\NyneHCc.exe
  C:\Windows\System32\NyneHCc.exe
  2⤵
  PID:2492
- C:\Windows\System32\QyLEOtO.exe
  C:\Windows\System32\QyLEOtO.exe
  2⤵
  PID:5144
- C:\Windows\System32\LoFsdHh.exe
  C:\Windows\System32\LoFsdHh.exe
  2⤵
  PID:5200
- C:\Windows\System32\oIyMdzU.exe
  C:\Windows\System32\oIyMdzU.exe
  2⤵
  PID:5244
- C:\Windows\System32\OUXFSiR.exe
  C:\Windows\System32\OUXFSiR.exe
  2⤵
  PID:5340
- C:\Windows\System32\yuMTWKv.exe
  C:\Windows\System32\yuMTWKv.exe
  2⤵
  PID:5396
- C:\Windows\System32\zWdgqmB.exe
  C:\Windows\System32\zWdgqmB.exe
  2⤵
  PID:5440
- C:\Windows\System32\ErngPXK.exe
  C:\Windows\System32\ErngPXK.exe
  2⤵
  PID:5524
- C:\Windows\System32\rjctcaC.exe
  C:\Windows\System32\rjctcaC.exe
  2⤵
  PID:5612
- C:\Windows\System32\mqLPxPL.exe
  C:\Windows\System32\mqLPxPL.exe
  2⤵
  PID:5648
- C:\Windows\System32\tAMYZmg.exe
  C:\Windows\System32\tAMYZmg.exe
  2⤵
  PID:5732
- C:\Windows\System32\emYLxnY.exe
  C:\Windows\System32\emYLxnY.exe
  2⤵
  PID:5780
- C:\Windows\System32\CdoDvpS.exe
  C:\Windows\System32\CdoDvpS.exe
  2⤵
  PID:5832
- C:\Windows\System32\OGLojXD.exe
  C:\Windows\System32\OGLojXD.exe
  2⤵
  PID:5928
- C:\Windows\System32\VHzLlJz.exe
  C:\Windows\System32\VHzLlJz.exe
  2⤵
  PID:5976
- C:\Windows\System32\GlMlnow.exe
  C:\Windows\System32\GlMlnow.exe
  2⤵
  PID:6032
- C:\Windows\System32\ofVpTFd.exe
  C:\Windows\System32\ofVpTFd.exe
  2⤵
  PID:6124
- C:\Windows\System32\HOZzces.exe
  C:\Windows\System32\HOZzces.exe
  2⤵
  PID:2176
- C:\Windows\System32\hQACuIe.exe
  C:\Windows\System32\hQACuIe.exe
  2⤵
  PID:3260
- C:\Windows\System32\TtjHdyr.exe
  C:\Windows\System32\TtjHdyr.exe
  2⤵
  PID:1756
- C:\Windows\System32\LbKYgae.exe
  C:\Windows\System32\LbKYgae.exe
  2⤵
  PID:5276
- C:\Windows\System32\GVcHzLF.exe
  C:\Windows\System32\GVcHzLF.exe
  2⤵
  PID:5424
- C:\Windows\System32\dkkRKsX.exe
  C:\Windows\System32\dkkRKsX.exe
  2⤵
  PID:5536
- C:\Windows\System32\fIOEcQR.exe
  C:\Windows\System32\fIOEcQR.exe
  2⤵
  PID:5764
- C:\Windows\System32\EZlWdvO.exe
  C:\Windows\System32\EZlWdvO.exe
  2⤵
  PID:5872
- C:\Windows\System32\jrFDsFH.exe
  C:\Windows\System32\jrFDsFH.exe
  2⤵
  PID:6000
- C:\Windows\System32\IJxnXDw.exe
  C:\Windows\System32\IJxnXDw.exe
  2⤵
  PID:6156
- C:\Windows\System32\CkMhXPV.exe
  C:\Windows\System32\CkMhXPV.exe
  2⤵
  PID:6184
- C:\Windows\System32\xGJSqNa.exe
  C:\Windows\System32\xGJSqNa.exe
  2⤵
  PID:6224
- C:\Windows\System32\VWJhmvI.exe
  C:\Windows\System32\VWJhmvI.exe
  2⤵
  PID:6240
- C:\Windows\System32\xAyuecu.exe
  C:\Windows\System32\xAyuecu.exe
  2⤵
  PID:6268
- C:\Windows\System32\ZQlfgXB.exe
  C:\Windows\System32\ZQlfgXB.exe
  2⤵
  PID:6296
- C:\Windows\System32\sgNoTMU.exe
  C:\Windows\System32\sgNoTMU.exe
  2⤵
  PID:6324
- C:\Windows\System32\MkVIIMm.exe
  C:\Windows\System32\MkVIIMm.exe
  2⤵
  PID:6352
- C:\Windows\System32\ridetaX.exe
  C:\Windows\System32\ridetaX.exe
  2⤵
  PID:6380
- C:\Windows\System32\FNvInRo.exe
  C:\Windows\System32\FNvInRo.exe
  2⤵
  PID:6408
- C:\Windows\System32\JDVewjI.exe
  C:\Windows\System32\JDVewjI.exe
  2⤵
  PID:6436
- C:\Windows\System32\LZsDAyP.exe
  C:\Windows\System32\LZsDAyP.exe
  2⤵
  PID:6464
- C:\Windows\System32\fooDKOv.exe
  C:\Windows\System32\fooDKOv.exe
  2⤵
  PID:6492
- C:\Windows\System32\NBknnvl.exe
  C:\Windows\System32\NBknnvl.exe
  2⤵
  PID:6532
- C:\Windows\System32\lUFOkqO.exe
  C:\Windows\System32\lUFOkqO.exe
  2⤵
  PID:6548
- C:\Windows\System32\OyjeqJl.exe
  C:\Windows\System32\OyjeqJl.exe
  2⤵
  PID:6576
- C:\Windows\System32\LHNpgoD.exe
  C:\Windows\System32\LHNpgoD.exe
  2⤵
  PID:6604
- C:\Windows\System32\EnUdFjx.exe
  C:\Windows\System32\EnUdFjx.exe
  2⤵
  PID:6632
- C:\Windows\System32\CpHmjkt.exe
  C:\Windows\System32\CpHmjkt.exe
  2⤵
  PID:6660
- C:\Windows\System32\PhSMRtM.exe
  C:\Windows\System32\PhSMRtM.exe
  2⤵
  PID:6688
- C:\Windows\System32\hfEdsnH.exe
  C:\Windows\System32\hfEdsnH.exe
  2⤵
  PID:6728
- C:\Windows\System32\HpfBFTt.exe
  C:\Windows\System32\HpfBFTt.exe
  2⤵
  PID:6744
- C:\Windows\System32\FkPXCus.exe
  C:\Windows\System32\FkPXCus.exe
  2⤵
  PID:6772
- C:\Windows\System32\hkCPCjT.exe
  C:\Windows\System32\hkCPCjT.exe
  2⤵
  PID:6800
- C:\Windows\System32\jdoZGGD.exe
  C:\Windows\System32\jdoZGGD.exe
  2⤵
  PID:6828
- C:\Windows\System32\XfNSUKI.exe
  C:\Windows\System32\XfNSUKI.exe
  2⤵
  PID:6856
- C:\Windows\System32\TiVdLrk.exe
  C:\Windows\System32\TiVdLrk.exe
  2⤵
  PID:6884
- C:\Windows\System32\RJoGxBc.exe
  C:\Windows\System32\RJoGxBc.exe
  2⤵
  PID:6912
- C:\Windows\System32\gUvtjyh.exe
  C:\Windows\System32\gUvtjyh.exe
  2⤵
  PID:6940
- C:\Windows\System32\mwXFNXd.exe
  C:\Windows\System32\mwXFNXd.exe
  2⤵
  PID:6968
- C:\Windows\System32\lwYLJyD.exe
  C:\Windows\System32\lwYLJyD.exe
  2⤵
  PID:6996
- C:\Windows\System32\KysFNSb.exe
  C:\Windows\System32\KysFNSb.exe
  2⤵
  PID:7024
- C:\Windows\System32\MOOvKaT.exe
  C:\Windows\System32\MOOvKaT.exe
  2⤵
  PID:7052
- C:\Windows\System32\zFtwWzW.exe
  C:\Windows\System32\zFtwWzW.exe
  2⤵
  PID:7080
- C:\Windows\System32\IEjSHmc.exe
  C:\Windows\System32\IEjSHmc.exe
  2⤵
  PID:7108
- C:\Windows\System32\HzXwCfD.exe
  C:\Windows\System32\HzXwCfD.exe
  2⤵
  PID:7136
- C:\Windows\System32\rKRpZlg.exe
  C:\Windows\System32\rKRpZlg.exe
  2⤵
  PID:7164
- C:\Windows\System32\shyodwY.exe
  C:\Windows\System32\shyodwY.exe
  2⤵
  PID:5160
- C:\Windows\System32\GimKAMl.exe
  C:\Windows\System32\GimKAMl.exe
  2⤵
  PID:5560
- C:\Windows\System32\JoaBjXA.exe
  C:\Windows\System32\JoaBjXA.exe
  2⤵
  PID:5720
- C:\Windows\System32\rWWWxAQ.exe
  C:\Windows\System32\rWWWxAQ.exe
  2⤵
  PID:6056
- C:\Windows\System32\QkNCZHE.exe
  C:\Windows\System32\QkNCZHE.exe
  2⤵
  PID:6196
- C:\Windows\System32\ENjJDgF.exe
  C:\Windows\System32\ENjJDgF.exe
  2⤵
  PID:6260
- C:\Windows\System32\SLtqeuO.exe
  C:\Windows\System32\SLtqeuO.exe
  2⤵
  PID:1656
- C:\Windows\System32\yfjdZOJ.exe
  C:\Windows\System32\yfjdZOJ.exe
  2⤵
  PID:6388
- C:\Windows\System32\rPhKJxL.exe
  C:\Windows\System32\rPhKJxL.exe
  2⤵
  PID:6448
- C:\Windows\System32\UowpAly.exe
  C:\Windows\System32\UowpAly.exe
  2⤵
  PID:6504
- C:\Windows\System32\FNOjVDt.exe
  C:\Windows\System32\FNOjVDt.exe
  2⤵
  PID:6556
- C:\Windows\System32\elbhAuH.exe
  C:\Windows\System32\elbhAuH.exe
  2⤵
  PID:6640
- C:\Windows\System32\vuRoQXl.exe
  C:\Windows\System32\vuRoQXl.exe
  2⤵
  PID:6708
- C:\Windows\System32\rjQynBJ.exe
  C:\Windows\System32\rjQynBJ.exe
  2⤵
  PID:6752
- C:\Windows\System32\WkBQFEW.exe
  C:\Windows\System32\WkBQFEW.exe
  2⤵
  PID:6836
- C:\Windows\System32\aUuCvzS.exe
  C:\Windows\System32\aUuCvzS.exe
  2⤵
  PID:6896
- C:\Windows\System32\PnNHYJU.exe
  C:\Windows\System32\PnNHYJU.exe
  2⤵
  PID:6952
- C:\Windows\System32\qKazIzW.exe
  C:\Windows\System32\qKazIzW.exe
  2⤵
  PID:7008
- C:\Windows\System32\XPHWeYQ.exe
  C:\Windows\System32\XPHWeYQ.exe
  2⤵
  PID:7088
- C:\Windows\System32\jmLvegZ.exe
  C:\Windows\System32\jmLvegZ.exe
  2⤵
  PID:7148
- C:\Windows\System32\XfPCYRT.exe
  C:\Windows\System32\XfPCYRT.exe
  2⤵
  PID:5328
- C:\Windows\System32\IaZyGCr.exe
  C:\Windows\System32\IaZyGCr.exe
  2⤵
  PID:5920
- C:\Windows\System32\AicVANC.exe
  C:\Windows\System32\AicVANC.exe
  2⤵
  PID:3748
- C:\Windows\System32\ByzVcBf.exe
  C:\Windows\System32\ByzVcBf.exe
  2⤵
  PID:6336
- C:\Windows\System32\ayHrSVB.exe
  C:\Windows\System32\ayHrSVB.exe
  2⤵
  PID:6512
- C:\Windows\System32\SJOEvOe.exe
  C:\Windows\System32\SJOEvOe.exe
  2⤵
  PID:6680
- C:\Windows\System32\SaoGexL.exe
  C:\Windows\System32\SaoGexL.exe
  2⤵
  PID:6864
- C:\Windows\System32\kXOcosR.exe
  C:\Windows\System32\kXOcosR.exe
  2⤵
  PID:6980
- C:\Windows\System32\eaxHvtY.exe
  C:\Windows\System32\eaxHvtY.exe
  2⤵
  PID:7120
- C:\Windows\System32\TCSSiLh.exe
  C:\Windows\System32\TCSSiLh.exe
  2⤵
  PID:5640
- C:\Windows\System32\BGzxujG.exe
  C:\Windows\System32\BGzxujG.exe
  2⤵
  PID:7180
- C:\Windows\System32\YcHGVEb.exe
  C:\Windows\System32\YcHGVEb.exe
  2⤵
  PID:7208
- C:\Windows\System32\EYxRRHK.exe
  C:\Windows\System32\EYxRRHK.exe
  2⤵
  PID:7232
- C:\Windows\System32\mtaPmgP.exe
  C:\Windows\System32\mtaPmgP.exe
  2⤵
  PID:7264
- C:\Windows\System32\ZFJPNzq.exe
  C:\Windows\System32\ZFJPNzq.exe
  2⤵
  PID:7292
- C:\Windows\System32\IBjMIsg.exe
  C:\Windows\System32\IBjMIsg.exe
  2⤵
  PID:7320
- C:\Windows\System32\rYhLTtd.exe
  C:\Windows\System32\rYhLTtd.exe
  2⤵
  PID:7344
- C:\Windows\System32\OiAfQtT.exe
  C:\Windows\System32\OiAfQtT.exe
  2⤵
  PID:7376
- C:\Windows\System32\BhxnPqG.exe
  C:\Windows\System32\BhxnPqG.exe
  2⤵
  PID:7404
- C:\Windows\System32\OZSteXN.exe
  C:\Windows\System32\OZSteXN.exe
  2⤵
  PID:7432
- C:\Windows\System32\JRaDJnM.exe
  C:\Windows\System32\JRaDJnM.exe
  2⤵
  PID:7460
- C:\Windows\System32\tkBnLFv.exe
  C:\Windows\System32\tkBnLFv.exe
  2⤵
  PID:7488
- C:\Windows\System32\cfJHlsC.exe
  C:\Windows\System32\cfJHlsC.exe
  2⤵
  PID:7516
- C:\Windows\System32\LTnEUgL.exe
  C:\Windows\System32\LTnEUgL.exe
  2⤵
  PID:7544
- C:\Windows\System32\qYaRFxV.exe
  C:\Windows\System32\qYaRFxV.exe
  2⤵
  PID:7572
- C:\Windows\System32\bHkkIFy.exe
  C:\Windows\System32\bHkkIFy.exe
  2⤵
  PID:7596
- C:\Windows\System32\wrGTRhu.exe
  C:\Windows\System32\wrGTRhu.exe
  2⤵
  PID:7628
- C:\Windows\System32\krlIWbe.exe
  C:\Windows\System32\krlIWbe.exe
  2⤵
  PID:7656
- C:\Windows\System32\LpvmoPF.exe
  C:\Windows\System32\LpvmoPF.exe
  2⤵
  PID:7684
- C:\Windows\System32\QYVoZyn.exe
  C:\Windows\System32\QYVoZyn.exe
  2⤵
  PID:7712
- C:\Windows\System32\qRhNYJU.exe
  C:\Windows\System32\qRhNYJU.exe
  2⤵
  PID:7740
- C:\Windows\System32\hLdpUUI.exe
  C:\Windows\System32\hLdpUUI.exe
  2⤵
  PID:7768
- C:\Windows\System32\eplbOpg.exe
  C:\Windows\System32\eplbOpg.exe
  2⤵
  PID:7796
- C:\Windows\System32\uXKrUDM.exe
  C:\Windows\System32\uXKrUDM.exe
  2⤵
  PID:7824
- C:\Windows\System32\qlUqZyp.exe
  C:\Windows\System32\qlUqZyp.exe
  2⤵
  PID:7852
- C:\Windows\System32\UOWfHwi.exe
  C:\Windows\System32\UOWfHwi.exe
  2⤵
  PID:7880
- C:\Windows\System32\ELJaZei.exe
  C:\Windows\System32\ELJaZei.exe
  2⤵
  PID:7908
- C:\Windows\System32\OOZWPkI.exe
  C:\Windows\System32\OOZWPkI.exe
  2⤵
  PID:7932
- C:\Windows\System32\AfqAjFv.exe
  C:\Windows\System32\AfqAjFv.exe
  2⤵
  PID:8040
- C:\Windows\System32\vubxfXV.exe
  C:\Windows\System32\vubxfXV.exe
  2⤵
  PID:8068
- C:\Windows\System32\oLPVBLg.exe
  C:\Windows\System32\oLPVBLg.exe
  2⤵
  PID:8092
- C:\Windows\System32\TXOsMQx.exe
  C:\Windows\System32\TXOsMQx.exe
  2⤵
  PID:8112
- C:\Windows\System32\cXDwEtj.exe
  C:\Windows\System32\cXDwEtj.exe
  2⤵
  PID:8128
- C:\Windows\System32\UccqTvE.exe
  C:\Windows\System32\UccqTvE.exe
  2⤵
  PID:8152
- C:\Windows\System32\uTFrhLJ.exe
  C:\Windows\System32\uTFrhLJ.exe
  2⤵
  PID:6276
- C:\Windows\System32\scEMJCy.exe
  C:\Windows\System32\scEMJCy.exe
  2⤵
  PID:2496
- C:\Windows\System32\bFCDJSh.exe
  C:\Windows\System32\bFCDJSh.exe
  2⤵
  PID:6740
- C:\Windows\System32\dKOLOEc.exe
  C:\Windows\System32\dKOLOEc.exe
  2⤵
  PID:6932
- C:\Windows\System32\tTvqgmZ.exe
  C:\Windows\System32\tTvqgmZ.exe
  2⤵
  PID:7188
- C:\Windows\System32\bqkLutU.exe
  C:\Windows\System32\bqkLutU.exe
  2⤵
  PID:7312
- C:\Windows\System32\jyCrpei.exe
  C:\Windows\System32\jyCrpei.exe
  2⤵
  PID:3964
- C:\Windows\System32\pPmRmbE.exe
  C:\Windows\System32\pPmRmbE.exe
  2⤵
  PID:7384
- C:\Windows\System32\juwTsZI.exe
  C:\Windows\System32\juwTsZI.exe
  2⤵
  PID:7452
- C:\Windows\System32\MzgAnNQ.exe
  C:\Windows\System32\MzgAnNQ.exe
  2⤵
  PID:4980
- C:\Windows\System32\ZvvkKgO.exe
  C:\Windows\System32\ZvvkKgO.exe
  2⤵
  PID:7524
- C:\Windows\System32\eZdZzGU.exe
  C:\Windows\System32\eZdZzGU.exe
  2⤵
  PID:7580
- C:\Windows\System32\usxTOaw.exe
  C:\Windows\System32\usxTOaw.exe
  2⤵
  PID:964
- C:\Windows\System32\cxOvijE.exe
  C:\Windows\System32\cxOvijE.exe
  2⤵
  PID:3328
- C:\Windows\System32\gQyOKKL.exe
  C:\Windows\System32\gQyOKKL.exe
  2⤵
  PID:7704
- C:\Windows\System32\YKpCMOx.exe
  C:\Windows\System32\YKpCMOx.exe
  2⤵
  PID:7788
- C:\Windows\System32\plgEywg.exe
  C:\Windows\System32\plgEywg.exe
  2⤵
  PID:7808
- C:\Windows\System32\eoWXdxz.exe
  C:\Windows\System32\eoWXdxz.exe
  2⤵
  PID:7892
- C:\Windows\System32\wHaHNnH.exe
  C:\Windows\System32\wHaHNnH.exe
  2⤵
  PID:4544
- C:\Windows\System32\WxlnDMV.exe
  C:\Windows\System32\WxlnDMV.exe
  2⤵
  PID:4004
- C:\Windows\System32\VUGQroD.exe
  C:\Windows\System32\VUGQroD.exe
  2⤵
  PID:3840
- C:\Windows\System32\lZFdJFi.exe
  C:\Windows\System32\lZFdJFi.exe
  2⤵
  PID:3984
- C:\Windows\System32\oyvfwyX.exe
  C:\Windows\System32\oyvfwyX.exe
  2⤵
  PID:8052
- C:\Windows\System32\evoOVcy.exe
  C:\Windows\System32\evoOVcy.exe
  2⤵
  PID:636
- C:\Windows\System32\tltHYxP.exe
  C:\Windows\System32\tltHYxP.exe
  2⤵
  PID:8108
- C:\Windows\System32\GmngOIY.exe
  C:\Windows\System32\GmngOIY.exe
  2⤵
  PID:8148
- C:\Windows\System32\KNtajmf.exe
  C:\Windows\System32\KNtajmf.exe
  2⤵
  PID:6764
- C:\Windows\System32\uHvYUsP.exe
  C:\Windows\System32\uHvYUsP.exe
  2⤵
  PID:7352
- C:\Windows\System32\xVYvXaZ.exe
  C:\Windows\System32\xVYvXaZ.exe
  2⤵
  PID:7248
- C:\Windows\System32\msaasyw.exe
  C:\Windows\System32\msaasyw.exe
  2⤵
  PID:7416
- C:\Windows\System32\PTIEpGA.exe
  C:\Windows\System32\PTIEpGA.exe
  2⤵
  PID:8004
- C:\Windows\System32\bLkDGBe.exe
  C:\Windows\System32\bLkDGBe.exe
  2⤵
  PID:4460
- C:\Windows\System32\QMuNccn.exe
  C:\Windows\System32\QMuNccn.exe
  2⤵
  PID:4504
- C:\Windows\System32\RsCcxYL.exe
  C:\Windows\System32\RsCcxYL.exe
  2⤵
  PID:7844
- C:\Windows\System32\fjxcxEB.exe
  C:\Windows\System32\fjxcxEB.exe
  2⤵
  PID:7968
- C:\Windows\System32\DlBwqqO.exe
  C:\Windows\System32\DlBwqqO.exe
  2⤵
  PID:7032
- C:\Windows\System32\wVPESMO.exe
  C:\Windows\System32\wVPESMO.exe
  2⤵
  PID:7220
- C:\Windows\System32\zAEFqwi.exe
  C:\Windows\System32\zAEFqwi.exe
  2⤵
  PID:3796
- C:\Windows\System32\GjYKPSH.exe
  C:\Windows\System32\GjYKPSH.exe
  2⤵
  PID:8036
- C:\Windows\System32\pplgxZi.exe
  C:\Windows\System32\pplgxZi.exe
  2⤵
  PID:1900
- C:\Windows\System32\tgNfynz.exe
  C:\Windows\System32\tgNfynz.exe
  2⤵
  PID:4044
- C:\Windows\System32\cZQvbcS.exe
  C:\Windows\System32\cZQvbcS.exe
  2⤵
  PID:7760
- C:\Windows\System32\CzUEeIz.exe
  C:\Windows\System32\CzUEeIz.exe
  2⤵
  PID:1608
- C:\Windows\System32\CRANHzN.exe
  C:\Windows\System32\CRANHzN.exe
  2⤵
  PID:7496
- C:\Windows\System32\GOwPCei.exe
  C:\Windows\System32\GOwPCei.exe
  2⤵
  PID:7648
- C:\Windows\System32\ExKngru.exe
  C:\Windows\System32\ExKngru.exe
  2⤵
  PID:1388
- C:\Windows\System32\jMhtpgd.exe
  C:\Windows\System32\jMhtpgd.exe
  2⤵
  PID:752
- C:\Windows\System32\wGicKxs.exe
  C:\Windows\System32\wGicKxs.exe
  2⤵
  PID:1888
- C:\Windows\System32\WgRluBp.exe
  C:\Windows\System32\WgRluBp.exe
  2⤵
  PID:8236
- C:\Windows\System32\pmXMcqv.exe
  C:\Windows\System32\pmXMcqv.exe
  2⤵
  PID:8256
- C:\Windows\System32\WNRfNhN.exe
  C:\Windows\System32\WNRfNhN.exe
  2⤵
  PID:8292
- C:\Windows\System32\GnccvNH.exe
  C:\Windows\System32\GnccvNH.exe
  2⤵
  PID:8312
- C:\Windows\System32\fMzKBUN.exe
  C:\Windows\System32\fMzKBUN.exe
  2⤵
  PID:8340
- C:\Windows\System32\FLwyqIY.exe
  C:\Windows\System32\FLwyqIY.exe
  2⤵
  PID:8372
- C:\Windows\System32\VbGkWXf.exe
  C:\Windows\System32\VbGkWXf.exe
  2⤵
  PID:8396
- C:\Windows\System32\tKLOwPz.exe
  C:\Windows\System32\tKLOwPz.exe
  2⤵
  PID:8412
- C:\Windows\System32\bskYPyu.exe
  C:\Windows\System32\bskYPyu.exe
  2⤵
  PID:8440
- C:\Windows\System32\BuBvOqS.exe
  C:\Windows\System32\BuBvOqS.exe
  2⤵
  PID:8472
- C:\Windows\System32\OjlJKBf.exe
  C:\Windows\System32\OjlJKBf.exe
  2⤵
  PID:8512
- C:\Windows\System32\IxrynrX.exe
  C:\Windows\System32\IxrynrX.exe
  2⤵
  PID:8532
- C:\Windows\System32\grwEPWP.exe
  C:\Windows\System32\grwEPWP.exe
  2⤵
  PID:8568
- C:\Windows\System32\heRrjct.exe
  C:\Windows\System32\heRrjct.exe
  2⤵
  PID:8584
- C:\Windows\System32\bpWSWuF.exe
  C:\Windows\System32\bpWSWuF.exe
  2⤵
  PID:8624
- C:\Windows\System32\ZJYjfDP.exe
  C:\Windows\System32\ZJYjfDP.exe
  2⤵
  PID:8656
- C:\Windows\System32\TFsiTDZ.exe
  C:\Windows\System32\TFsiTDZ.exe
  2⤵
  PID:8684
- C:\Windows\System32\drmlaQR.exe
  C:\Windows\System32\drmlaQR.exe
  2⤵
  PID:8712
- C:\Windows\System32\JOPaJEy.exe
  C:\Windows\System32\JOPaJEy.exe
  2⤵
  PID:8740
- C:\Windows\System32\NPxrGfo.exe
  C:\Windows\System32\NPxrGfo.exe
  2⤵
  PID:8768
- C:\Windows\System32\BWIRQKI.exe
  C:\Windows\System32\BWIRQKI.exe
  2⤵
  PID:8792
- C:\Windows\System32\KaLpHmy.exe
  C:\Windows\System32\KaLpHmy.exe
  2⤵
  PID:8812
- C:\Windows\System32\qGFQNqQ.exe
  C:\Windows\System32\qGFQNqQ.exe
  2⤵
  PID:8852
- C:\Windows\System32\JvCDeva.exe
  C:\Windows\System32\JvCDeva.exe
  2⤵
  PID:8880
- C:\Windows\System32\bdAJiio.exe
  C:\Windows\System32\bdAJiio.exe
  2⤵
  PID:8908
- C:\Windows\System32\KjXprDD.exe
  C:\Windows\System32\KjXprDD.exe
  2⤵
  PID:8924
- C:\Windows\System32\picOWra.exe
  C:\Windows\System32\picOWra.exe
  2⤵
  PID:8956
- C:\Windows\System32\HuucrFm.exe
  C:\Windows\System32\HuucrFm.exe
  2⤵
  PID:8992
- C:\Windows\System32\bPoFhxL.exe
  C:\Windows\System32\bPoFhxL.exe
  2⤵
  PID:9020
- C:\Windows\System32\WLRMXKd.exe
  C:\Windows\System32\WLRMXKd.exe
  2⤵
  PID:9064
- C:\Windows\System32\xdTfAHo.exe
  C:\Windows\System32\xdTfAHo.exe
  2⤵
  PID:9080
- C:\Windows\System32\JXFyLmz.exe
  C:\Windows\System32\JXFyLmz.exe
  2⤵
  PID:9108
- C:\Windows\System32\jDUPfND.exe
  C:\Windows\System32\jDUPfND.exe
  2⤵
  PID:9136
- C:\Windows\System32\IWJvHeC.exe
  C:\Windows\System32\IWJvHeC.exe
  2⤵
  PID:9156
- C:\Windows\System32\BnLXjwh.exe
  C:\Windows\System32\BnLXjwh.exe
  2⤵
  PID:9192
- C:\Windows\System32\UWSBAIC.exe
  C:\Windows\System32\UWSBAIC.exe
  2⤵
  PID:8028
- C:\Windows\System32\FWItpWx.exe
  C:\Windows\System32\FWItpWx.exe
  2⤵
  PID:8272
- C:\Windows\System32\WzZcfRR.exe
  C:\Windows\System32\WzZcfRR.exe
  2⤵
  PID:8324
- C:\Windows\System32\imhvtmJ.exe
  C:\Windows\System32\imhvtmJ.exe
  2⤵
  PID:8364
- C:\Windows\System32\uQVUYlg.exe
  C:\Windows\System32\uQVUYlg.exe
  2⤵
  PID:8404
- C:\Windows\System32\cmBHXGJ.exe
  C:\Windows\System32\cmBHXGJ.exe
  2⤵
  PID:8508
- C:\Windows\System32\koqzYiy.exe
  C:\Windows\System32\koqzYiy.exe
  2⤵
  PID:8552
- C:\Windows\System32\jLTTVlm.exe
  C:\Windows\System32\jLTTVlm.exe
  2⤵
  PID:8620
- C:\Windows\System32\OkjCgku.exe
  C:\Windows\System32\OkjCgku.exe
  2⤵
  PID:8704
- C:\Windows\System32\htnRMvu.exe
  C:\Windows\System32\htnRMvu.exe
  2⤵
  PID:8760
- C:\Windows\System32\gfaTgeZ.exe
  C:\Windows\System32\gfaTgeZ.exe
  2⤵
  PID:8848
- C:\Windows\System32\LSoWFJM.exe
  C:\Windows\System32\LSoWFJM.exe
  2⤵
  PID:8140
- C:\Windows\System32\bOPYegp.exe
  C:\Windows\System32\bOPYegp.exe
  2⤵
  PID:8984
- C:\Windows\System32\kLAceXf.exe
  C:\Windows\System32\kLAceXf.exe
  2⤵
  PID:9060
- C:\Windows\System32\TUZsVow.exe
  C:\Windows\System32\TUZsVow.exe
  2⤵
  PID:9120
- C:\Windows\System32\dAnJCuX.exe
  C:\Windows\System32\dAnJCuX.exe
  2⤵
  PID:9148
- C:\Windows\System32\QsuPZTG.exe
  C:\Windows\System32\QsuPZTG.exe
  2⤵
  PID:8248
- C:\Windows\System32\PrXsSjR.exe
  C:\Windows\System32\PrXsSjR.exe
  2⤵
  PID:8408
- C:\Windows\System32\sixXuEP.exe
  C:\Windows\System32\sixXuEP.exe
  2⤵
  PID:8564
- C:\Windows\System32\cmfYXud.exe
  C:\Windows\System32\cmfYXud.exe
  2⤵
  PID:8680
- C:\Windows\System32\EcOctJl.exe
  C:\Windows\System32\EcOctJl.exe
  2⤵
  PID:8864
- C:\Windows\System32\ZOGvlGs.exe
  C:\Windows\System32\ZOGvlGs.exe
  2⤵
  PID:9032
- C:\Windows\System32\FkvWCnV.exe
  C:\Windows\System32\FkvWCnV.exe
  2⤵
  PID:9188
- C:\Windows\System32\YToGBxy.exe
  C:\Windows\System32\YToGBxy.exe
  2⤵
  PID:8424
- C:\Windows\System32\qlhJuGj.exe
  C:\Windows\System32\qlhJuGj.exe
  2⤵
  PID:8776
- C:\Windows\System32\oCUxiLn.exe
  C:\Windows\System32\oCUxiLn.exe
  2⤵
  PID:9144
- C:\Windows\System32\xaeaiXR.exe
  C:\Windows\System32\xaeaiXR.exe
  2⤵
  PID:8540
- C:\Windows\System32\xCTRxLN.exe
  C:\Windows\System32\xCTRxLN.exe
  2⤵
  PID:9220
- C:\Windows\System32\rFdcgYh.exe
  C:\Windows\System32\rFdcgYh.exe
  2⤵
  PID:9236
- C:\Windows\System32\asXMGET.exe
  C:\Windows\System32\asXMGET.exe
  2⤵
  PID:9288
- C:\Windows\System32\YpMbslR.exe
  C:\Windows\System32\YpMbslR.exe
  2⤵
  PID:9304
- C:\Windows\System32\jlOvsXB.exe
  C:\Windows\System32\jlOvsXB.exe
  2⤵
  PID:9336
- C:\Windows\System32\AFnWVjC.exe
  C:\Windows\System32\AFnWVjC.exe
  2⤵
  PID:9364
- C:\Windows\System32\mNocMGL.exe
  C:\Windows\System32\mNocMGL.exe
  2⤵
  PID:9384
- C:\Windows\System32\QwcaXjO.exe
  C:\Windows\System32\QwcaXjO.exe
  2⤵
  PID:9420
- C:\Windows\System32\uDMGywi.exe
  C:\Windows\System32\uDMGywi.exe
  2⤵
  PID:9436
- C:\Windows\System32\pXViVFK.exe
  C:\Windows\System32\pXViVFK.exe
  2⤵
  PID:9464
- C:\Windows\System32\WKIPfMN.exe
  C:\Windows\System32\WKIPfMN.exe
  2⤵
  PID:9504
- C:\Windows\System32\rEkMFIs.exe
  C:\Windows\System32\rEkMFIs.exe
  2⤵
  PID:9536
- C:\Windows\System32\kPuKrTF.exe
  C:\Windows\System32\kPuKrTF.exe
  2⤵
  PID:9552
- C:\Windows\System32\TFqKofn.exe
  C:\Windows\System32\TFqKofn.exe
  2⤵
  PID:9588
- C:\Windows\System32\xEsmydr.exe
  C:\Windows\System32\xEsmydr.exe
  2⤵
  PID:9616
- C:\Windows\System32\vYKrAtw.exe
  C:\Windows\System32\vYKrAtw.exe
  2⤵
  PID:9644
- C:\Windows\System32\UFgnoXf.exe
  C:\Windows\System32\UFgnoXf.exe
  2⤵
  PID:9668
- C:\Windows\System32\PCVMOBt.exe
  C:\Windows\System32\PCVMOBt.exe
  2⤵
  PID:9692
- C:\Windows\System32\ByFmftM.exe
  C:\Windows\System32\ByFmftM.exe
  2⤵
  PID:9736
- C:\Windows\System32\EAzowdo.exe
  C:\Windows\System32\EAzowdo.exe
  2⤵
  PID:9764
- C:\Windows\System32\zThtQLR.exe
  C:\Windows\System32\zThtQLR.exe
  2⤵
  PID:9792
- C:\Windows\System32\bqwdHiq.exe
  C:\Windows\System32\bqwdHiq.exe
  2⤵
  PID:9824
- C:\Windows\System32\uwMHwJX.exe
  C:\Windows\System32\uwMHwJX.exe
  2⤵
  PID:9848
- C:\Windows\System32\OezwrSr.exe
  C:\Windows\System32\OezwrSr.exe
  2⤵
  PID:9888
- C:\Windows\System32\AcPbAiW.exe
  C:\Windows\System32\AcPbAiW.exe
  2⤵
  PID:9912
- C:\Windows\System32\weXFDDX.exe
  C:\Windows\System32\weXFDDX.exe
  2⤵
  PID:9928
- C:\Windows\System32\vzhYKpb.exe
  C:\Windows\System32\vzhYKpb.exe
  2⤵
  PID:9960
- C:\Windows\System32\ipNVGWn.exe
  C:\Windows\System32\ipNVGWn.exe
  2⤵
  PID:9988
- C:\Windows\System32\awHscjt.exe
  C:\Windows\System32\awHscjt.exe
  2⤵
  PID:10028
- C:\Windows\System32\zsaNOwA.exe
  C:\Windows\System32\zsaNOwA.exe
  2⤵
  PID:10068
- C:\Windows\System32\KMFqbgD.exe
  C:\Windows\System32\KMFqbgD.exe
  2⤵
  PID:10096
- C:\Windows\System32\rMptGvy.exe
  C:\Windows\System32\rMptGvy.exe
  2⤵
  PID:10128
- C:\Windows\System32\bQqCeHT.exe
  C:\Windows\System32\bQqCeHT.exe
  2⤵
  PID:10152
- C:\Windows\System32\TzzncAE.exe
  C:\Windows\System32\TzzncAE.exe
  2⤵
  PID:10180
- C:\Windows\System32\YktiiHx.exe
  C:\Windows\System32\YktiiHx.exe
  2⤵
  PID:10200
- C:\Windows\System32\hXoRkXa.exe
  C:\Windows\System32\hXoRkXa.exe
  2⤵
  PID:10236
- C:\Windows\System32\miFZvuL.exe
  C:\Windows\System32\miFZvuL.exe
  2⤵
  PID:9256
- C:\Windows\System32\bEfqkbE.exe
  C:\Windows\System32\bEfqkbE.exe
  2⤵
  PID:9328
- C:\Windows\System32\HqRQgsQ.exe
  C:\Windows\System32\HqRQgsQ.exe
  2⤵
  PID:9412
- C:\Windows\System32\bZvorfr.exe
  C:\Windows\System32\bZvorfr.exe
  2⤵
  PID:9484
- C:\Windows\System32\qBKlaTF.exe
  C:\Windows\System32\qBKlaTF.exe
  2⤵
  PID:9524
- C:\Windows\System32\yQLSRXt.exe
  C:\Windows\System32\yQLSRXt.exe
  2⤵
  PID:9596
- C:\Windows\System32\HktIsMa.exe
  C:\Windows\System32\HktIsMa.exe
  2⤵
  PID:9660
- C:\Windows\System32\RRJNzLZ.exe
  C:\Windows\System32\RRJNzLZ.exe
  2⤵
  PID:9748
- C:\Windows\System32\LVKwqek.exe
  C:\Windows\System32\LVKwqek.exe
  2⤵
  PID:9868
- C:\Windows\System32\MDVHJYS.exe
  C:\Windows\System32\MDVHJYS.exe
  2⤵
  PID:9936
- C:\Windows\System32\MMBvYwJ.exe
  C:\Windows\System32\MMBvYwJ.exe
  2⤵
  PID:9976
- C:\Windows\System32\bFnRXxO.exe
  C:\Windows\System32\bFnRXxO.exe
  2⤵
  PID:10084
- C:\Windows\System32\dCgaBPl.exe
  C:\Windows\System32\dCgaBPl.exe
  2⤵
  PID:10136
- C:\Windows\System32\msXOXRz.exe
  C:\Windows\System32\msXOXRz.exe
  2⤵
  PID:10188
- C:\Windows\System32\kqzJBsC.exe
  C:\Windows\System32\kqzJBsC.exe
  2⤵
  PID:9300
- C:\Windows\System32\rdXrUXK.exe
  C:\Windows\System32\rdXrUXK.exe
  2⤵
  PID:9460
- C:\Windows\System32\nQaXueE.exe
  C:\Windows\System32\nQaXueE.exe
  2⤵
  PID:9544
- C:\Windows\System32\HPKlAky.exe
  C:\Windows\System32\HPKlAky.exe
  2⤵
  PID:9680
- C:\Windows\System32\LInTimd.exe
  C:\Windows\System32\LInTimd.exe
  2⤵
  PID:10060
- C:\Windows\System32\qMjWdvk.exe
  C:\Windows\System32\qMjWdvk.exe
  2⤵
  PID:10224
- C:\Windows\System32\pDxwGpX.exe
  C:\Windows\System32\pDxwGpX.exe
  2⤵
  PID:9372
- C:\Windows\System32\MMAcIuQ.exe
  C:\Windows\System32\MMAcIuQ.exe
  2⤵
  PID:3012
- C:\Windows\System32\pYQJJKV.exe
  C:\Windows\System32\pYQJJKV.exe
  2⤵
  PID:9972
- C:\Windows\System32\IpUnutq.exe
  C:\Windows\System32\IpUnutq.exe
  2⤵
  PID:1036
- C:\Windows\System32\KPRYqdd.exe
  C:\Windows\System32\KPRYqdd.exe
  2⤵
  PID:10108
- C:\Windows\System32\FKsgaVa.exe
  C:\Windows\System32\FKsgaVa.exe
  2⤵
  PID:9252
- C:\Windows\System32\hgcpbgu.exe
  C:\Windows\System32\hgcpbgu.exe
  2⤵
  PID:10272
- C:\Windows\System32\LvimCRU.exe
  C:\Windows\System32\LvimCRU.exe
  2⤵
  PID:10292
- C:\Windows\System32\QmoQVty.exe
  C:\Windows\System32\QmoQVty.exe
  2⤵
  PID:10312
- C:\Windows\System32\jrmtgdS.exe
  C:\Windows\System32\jrmtgdS.exe
  2⤵
  PID:10340
- C:\Windows\System32\yTzzIVZ.exe
  C:\Windows\System32\yTzzIVZ.exe
  2⤵
  PID:10376
- C:\Windows\System32\SGoonEj.exe
  C:\Windows\System32\SGoonEj.exe
  2⤵
  PID:10412
- C:\Windows\System32\cUAWpCM.exe
  C:\Windows\System32\cUAWpCM.exe
  2⤵
  PID:10444
- C:\Windows\System32\xkpuckj.exe
  C:\Windows\System32\xkpuckj.exe
  2⤵
  PID:10472
- C:\Windows\System32\gApALky.exe
  C:\Windows\System32\gApALky.exe
  2⤵
  PID:10492
- C:\Windows\System32\rvsemEw.exe
  C:\Windows\System32\rvsemEw.exe
  2⤵
  PID:10520
- C:\Windows\System32\hkxafYS.exe
  C:\Windows\System32\hkxafYS.exe
  2⤵
  PID:10544
- C:\Windows\System32\VPELjgh.exe
  C:\Windows\System32\VPELjgh.exe
  2⤵
  PID:10584
- C:\Windows\System32\RzhXGDz.exe
  C:\Windows\System32\RzhXGDz.exe
  2⤵
  PID:10612
- C:\Windows\System32\ejOGrRo.exe
  C:\Windows\System32\ejOGrRo.exe
  2⤵
  PID:10628
- C:\Windows\System32\yrkDnjT.exe
  C:\Windows\System32\yrkDnjT.exe
  2⤵
  PID:10668
- C:\Windows\System32\Qvlcorc.exe
  C:\Windows\System32\Qvlcorc.exe
  2⤵
  PID:10688
- C:\Windows\System32\pHgDMbE.exe
  C:\Windows\System32\pHgDMbE.exe
  2⤵
  PID:10728
- C:\Windows\System32\aeoXMEi.exe
  C:\Windows\System32\aeoXMEi.exe
  2⤵
  PID:10748
- C:\Windows\System32\TydquTC.exe
  C:\Windows\System32\TydquTC.exe
  2⤵
  PID:10776
- C:\Windows\System32\hSYDPUy.exe
  C:\Windows\System32\hSYDPUy.exe
  2⤵
  PID:10804
- C:\Windows\System32\fnLvuoL.exe
  C:\Windows\System32\fnLvuoL.exe
  2⤵
  PID:10828
- C:\Windows\System32\BvWaFet.exe
  C:\Windows\System32\BvWaFet.exe
  2⤵
  PID:10860
- C:\Windows\System32\JPdVwPM.exe
  C:\Windows\System32\JPdVwPM.exe
  2⤵
  PID:10900
- C:\Windows\System32\ArlusJu.exe
  C:\Windows\System32\ArlusJu.exe
  2⤵
  PID:10932
- C:\Windows\System32\yHITcvc.exe
  C:\Windows\System32\yHITcvc.exe
  2⤵
  PID:10956
- C:\Windows\System32\tVbzEbX.exe
  C:\Windows\System32\tVbzEbX.exe
  2⤵
  PID:10980
- C:\Windows\System32\XItEEFN.exe
  C:\Windows\System32\XItEEFN.exe
  2⤵
  PID:11012
- C:\Windows\System32\UNlLrGY.exe
  C:\Windows\System32\UNlLrGY.exe
  2⤵
  PID:11032
- C:\Windows\System32\jprokSp.exe
  C:\Windows\System32\jprokSp.exe
  2⤵
  PID:11072
- C:\Windows\System32\YIGEaMw.exe
  C:\Windows\System32\YIGEaMw.exe
  2⤵
  PID:11088
- C:\Windows\System32\CBrXQRz.exe
  C:\Windows\System32\CBrXQRz.exe
  2⤵
  PID:11112
- C:\Windows\System32\JsdtyOM.exe
  C:\Windows\System32\JsdtyOM.exe
  2⤵
  PID:11144
- C:\Windows\System32\sCbdSKd.exe
  C:\Windows\System32\sCbdSKd.exe
  2⤵
  PID:11176
- C:\Windows\System32\dpCrLui.exe
  C:\Windows\System32\dpCrLui.exe
  2⤵
  PID:11208
- C:\Windows\System32\QoRJgcX.exe
  C:\Windows\System32\QoRJgcX.exe
  2⤵
  PID:11244
- C:\Windows\System32\UoWsbIU.exe
  C:\Windows\System32\UoWsbIU.exe
  2⤵
  PID:11260
- C:\Windows\System32\SEnOTqT.exe
  C:\Windows\System32\SEnOTqT.exe
  2⤵
  PID:10304
- C:\Windows\System32\vdBuSoz.exe
  C:\Windows\System32\vdBuSoz.exe
  2⤵
  PID:10352
- C:\Windows\System32\Dmnbuuz.exe
  C:\Windows\System32\Dmnbuuz.exe
  2⤵
  PID:4304
- C:\Windows\System32\xwuGRRA.exe
  C:\Windows\System32\xwuGRRA.exe
  2⤵
  PID:10460
- C:\Windows\System32\IfVWLRn.exe
  C:\Windows\System32\IfVWLRn.exe
  2⤵
  PID:10556
- C:\Windows\System32\MOyYhTE.exe
  C:\Windows\System32\MOyYhTE.exe
  2⤵
  PID:10620
- C:\Windows\System32\AJXmOzW.exe
  C:\Windows\System32\AJXmOzW.exe
  2⤵
  PID:10664
- C:\Windows\System32\PMDpZDd.exe
  C:\Windows\System32\PMDpZDd.exe
  2⤵
  PID:3304
- C:\Windows\System32\mxXaDEK.exe
  C:\Windows\System32\mxXaDEK.exe
  2⤵
  PID:10784
- C:\Windows\System32\PCLFKEq.exe
  C:\Windows\System32\PCLFKEq.exe
  2⤵
  PID:10820
- C:\Windows\System32\fCSiABh.exe
  C:\Windows\System32\fCSiABh.exe
  2⤵
  PID:10908
- C:\Windows\System32\wcXiGwT.exe
  C:\Windows\System32\wcXiGwT.exe
  2⤵
  PID:10948
- C:\Windows\System32\RXyTxEl.exe
  C:\Windows\System32\RXyTxEl.exe
  2⤵
  PID:11044
- C:\Windows\System32\JztbDIN.exe
  C:\Windows\System32\JztbDIN.exe
  2⤵
  PID:11104
- C:\Windows\System32\tMORdBT.exe
  C:\Windows\System32\tMORdBT.exe
  2⤵
  PID:11156
- C:\Windows\System32\KDcpDvw.exe
  C:\Windows\System32\KDcpDvw.exe
  2⤵
  PID:11200
- C:\Windows\System32\fZoCGaE.exe
  C:\Windows\System32\fZoCGaE.exe
  2⤵
  PID:10280
- C:\Windows\System32\xtNMIyh.exe
  C:\Windows\System32\xtNMIyh.exe
  2⤵
  PID:10408
- C:\Windows\System32\lkCxHfs.exe
  C:\Windows\System32\lkCxHfs.exe
  2⤵
  PID:10580
- C:\Windows\System32\pRRJvpQ.exe
  C:\Windows\System32\pRRJvpQ.exe
  2⤵
  PID:10724
- C:\Windows\System32\OVOdihP.exe
  C:\Windows\System32\OVOdihP.exe
  2⤵
  PID:1124
- C:\Windows\System32\TCXCpLs.exe
  C:\Windows\System32\TCXCpLs.exe
  2⤵
  PID:11060
- C:\Windows\System32\vFDnqID.exe
  C:\Windows\System32\vFDnqID.exe
  2⤵
  PID:11160
- C:\Windows\System32\fCflJpS.exe
  C:\Windows\System32\fCflJpS.exe
  2⤵
  PID:11256
- C:\Windows\System32\lOveoXY.exe
  C:\Windows\System32\lOveoXY.exe
  2⤵
  PID:10508
- C:\Windows\System32\FfxLaPv.exe
  C:\Windows\System32\FfxLaPv.exe
  2⤵
  PID:11004
- C:\Windows\System32\pWMnNND.exe
  C:\Windows\System32\pWMnNND.exe
  2⤵
  PID:10440
- C:\Windows\System32\qBDdmLv.exe
  C:\Windows\System32\qBDdmLv.exe
  2⤵
  PID:10792
- C:\Windows\System32\TbeHkUu.exe
  C:\Windows\System32\TbeHkUu.exe
  2⤵
  PID:3468
- C:\Windows\System32\xoMGcwV.exe
  C:\Windows\System32\xoMGcwV.exe
  2⤵
  PID:11284
- C:\Windows\System32\KXlJdvc.exe
  C:\Windows\System32\KXlJdvc.exe
  2⤵
  PID:11312
- C:\Windows\System32\nhbLuEm.exe
  C:\Windows\System32\nhbLuEm.exe
  2⤵
  PID:11336
- C:\Windows\System32\GdgPILi.exe
  C:\Windows\System32\GdgPILi.exe
  2⤵
  PID:11368
- C:\Windows\System32\Rhvgvrj.exe
  C:\Windows\System32\Rhvgvrj.exe
  2⤵
  PID:11396
- C:\Windows\System32\RHDjEfa.exe
  C:\Windows\System32\RHDjEfa.exe
  2⤵
  PID:11428
- C:\Windows\System32\otWRrUd.exe
  C:\Windows\System32\otWRrUd.exe
  2⤵
  PID:11456
- C:\Windows\System32\TQBIKxH.exe
  C:\Windows\System32\TQBIKxH.exe
  2⤵
  PID:11484
- C:\Windows\System32\rDaLXaA.exe
  C:\Windows\System32\rDaLXaA.exe
  2⤵
  PID:11500
- C:\Windows\System32\ybJwwHb.exe
  C:\Windows\System32\ybJwwHb.exe
  2⤵
  PID:11540
- C:\Windows\System32\WHkUjkr.exe
  C:\Windows\System32\WHkUjkr.exe
  2⤵
  PID:11560
- C:\Windows\System32\dwDfaot.exe
  C:\Windows\System32\dwDfaot.exe
  2⤵
  PID:11596
- C:\Windows\System32\kwvwSyB.exe
  C:\Windows\System32\kwvwSyB.exe
  2⤵
  PID:11624
- C:\Windows\System32\JOWCxcf.exe
  C:\Windows\System32\JOWCxcf.exe
  2⤵
  PID:11644
- C:\Windows\System32\ICCFxyx.exe
  C:\Windows\System32\ICCFxyx.exe
  2⤵
  PID:11680
- C:\Windows\System32\TQuaPhT.exe
  C:\Windows\System32\TQuaPhT.exe
  2⤵
  PID:11708
- C:\Windows\System32\ALDzldb.exe
  C:\Windows\System32\ALDzldb.exe
  2⤵
  PID:11736
- C:\Windows\System32\YxdlQDP.exe
  C:\Windows\System32\YxdlQDP.exe
  2⤵
  PID:11768
- C:\Windows\System32\HuraBVX.exe
  C:\Windows\System32\HuraBVX.exe
  2⤵
  PID:11792
- C:\Windows\System32\VHyIqJJ.exe
  C:\Windows\System32\VHyIqJJ.exe
  2⤵
  PID:11824
- C:\Windows\System32\EvNrjSH.exe
  C:\Windows\System32\EvNrjSH.exe
  2⤵
  PID:11852
- C:\Windows\System32\fvOOjmC.exe
  C:\Windows\System32\fvOOjmC.exe
  2⤵
  PID:11868
- C:\Windows\System32\KFWaRnS.exe
  C:\Windows\System32\KFWaRnS.exe
  2⤵
  PID:11908
- C:\Windows\System32\InSWIim.exe
  C:\Windows\System32\InSWIim.exe
  2⤵
  PID:11936
- C:\Windows\System32\IBRXEOj.exe
  C:\Windows\System32\IBRXEOj.exe
  2⤵
  PID:11952
- C:\Windows\System32\xFWMwHe.exe
  C:\Windows\System32\xFWMwHe.exe
  2⤵
  PID:12000
- C:\Windows\System32\XoQSdWX.exe
  C:\Windows\System32\XoQSdWX.exe
  2⤵
  PID:12020
- C:\Windows\System32\rjPYcJq.exe
  C:\Windows\System32\rjPYcJq.exe
  2⤵
  PID:12048
- C:\Windows\System32\chuxOqH.exe
  C:\Windows\System32\chuxOqH.exe
  2⤵
  PID:12076
- C:\Windows\System32\mScGvlk.exe
  C:\Windows\System32\mScGvlk.exe
  2⤵
  PID:12092
- C:\Windows\System32\ZSbUGEt.exe
  C:\Windows\System32\ZSbUGEt.exe
  2⤵
  PID:12132
- C:\Windows\System32\feDDtMv.exe
  C:\Windows\System32\feDDtMv.exe
  2⤵
  PID:12152
- C:\Windows\System32\iFEiWSh.exe
  C:\Windows\System32\iFEiWSh.exe
  2⤵
  PID:12184
- C:\Windows\System32\HfDZDrM.exe
  C:\Windows\System32\HfDZDrM.exe
  2⤵
  PID:12208
- C:\Windows\System32\WIZmphH.exe
  C:\Windows\System32\WIZmphH.exe
  2⤵
  PID:12244
- C:\Windows\System32\gJzvyAf.exe
  C:\Windows\System32\gJzvyAf.exe
  2⤵
  PID:12272
- C:\Windows\System32\ogqZvBy.exe
  C:\Windows\System32\ogqZvBy.exe
  2⤵
  PID:11268
- C:\Windows\System32\IFPWKgv.exe
  C:\Windows\System32\IFPWKgv.exe
  2⤵
  PID:11320
- C:\Windows\System32\NeQkOIM.exe
  C:\Windows\System32\NeQkOIM.exe
  2⤵
  PID:11388
- C:\Windows\System32\ieoSeGU.exe
  C:\Windows\System32\ieoSeGU.exe
  2⤵
  PID:11412
- C:\Windows\System32\aYeGRMw.exe
  C:\Windows\System32\aYeGRMw.exe
  2⤵
  PID:11492
- C:\Windows\System32\EiaOvyr.exe
  C:\Windows\System32\EiaOvyr.exe
  2⤵
  PID:1344
- C:\Windows\System32\nEIsyQF.exe
  C:\Windows\System32\nEIsyQF.exe
  2⤵
  PID:11668
- C:\Windows\System32\VhNsNid.exe
  C:\Windows\System32\VhNsNid.exe
  2⤵
  PID:11724
- C:\Windows\System32\cmQEdhz.exe
  C:\Windows\System32\cmQEdhz.exe
  2⤵
  PID:11780
- C:\Windows\System32\snIltZp.exe
  C:\Windows\System32\snIltZp.exe
  2⤵
  PID:11836
- C:\Windows\System32\bmlhujq.exe
  C:\Windows\System32\bmlhujq.exe
  2⤵
  PID:11916
- C:\Windows\System32\odWlqEm.exe
  C:\Windows\System32\odWlqEm.exe
  2⤵
  PID:11964
- C:\Windows\System32\wANyGOU.exe
  C:\Windows\System32\wANyGOU.exe
  2⤵
  PID:12060
- C:\Windows\System32\nccKify.exe
  C:\Windows\System32\nccKify.exe
  2⤵
  PID:12124
- C:\Windows\System32\iUCYRLo.exe
  C:\Windows\System32\iUCYRLo.exe
  2⤵
  PID:2324
- C:\Windows\System32\cPhLOyh.exe
  C:\Windows\System32\cPhLOyh.exe
  2⤵
  PID:12192
- C:\Windows\System32\lOtYjIm.exe
  C:\Windows\System32\lOtYjIm.exe
  2⤵
  PID:12264
- C:\Windows\System32\HIzAjeY.exe
  C:\Windows\System32\HIzAjeY.exe
  2⤵
  PID:11356
- C:\Windows\System32\kUrwqBn.exe
  C:\Windows\System32\kUrwqBn.exe
  2⤵
  PID:392
- C:\Windows\System32\jNUxefx.exe
  C:\Windows\System32\jNUxefx.exe
  2⤵
  PID:4632
- C:\Windows\System32\JfzSgYz.exe
  C:\Windows\System32\JfzSgYz.exe
  2⤵
  PID:11520
- C:\Windows\System32\wJLwePA.exe
  C:\Windows\System32\wJLwePA.exe
  2⤵
  PID:11692
- C:\Windows\System32\LhXrXGf.exe
  C:\Windows\System32\LhXrXGf.exe
  2⤵
  PID:11816
- C:\Windows\System32\acntCqT.exe
  C:\Windows\System32\acntCqT.exe
  2⤵
  PID:12036
- C:\Windows\System32\MbQCqEO.exe
  C:\Windows\System32\MbQCqEO.exe
  2⤵
  PID:536
- C:\Windows\System32\XxAjqIc.exe
  C:\Windows\System32\XxAjqIc.exe
  2⤵
  PID:12256
- C:\Windows\System32\xCxJuZg.exe
  C:\Windows\System32\xCxJuZg.exe
  2⤵
  PID:11404
- C:\Windows\System32\gIMMpQM.exe
  C:\Windows\System32\gIMMpQM.exe
  2⤵
  PID:11476
- C:\Windows\System32\mwrnYdK.exe
  C:\Windows\System32\mwrnYdK.exe
  2⤵
  PID:11580
- C:\Windows\System32\mOYpVls.exe
  C:\Windows\System32\mOYpVls.exe
  2⤵
  PID:12140
- C:\Windows\System32\vfliHox.exe
  C:\Windows\System32\vfliHox.exe
  2⤵
  PID:11568
- C:\Windows\System32\ODpkesq.exe
  C:\Windows\System32\ODpkesq.exe
  2⤵
  PID:1864
- C:\Windows\System32\HeazTpc.exe
  C:\Windows\System32\HeazTpc.exe
  2⤵
  PID:12340
- C:\Windows\System32\fWcseJL.exe
  C:\Windows\System32\fWcseJL.exe
  2⤵
  PID:12356
- C:\Windows\System32\dnuKSEk.exe
  C:\Windows\System32\dnuKSEk.exe
  2⤵
  PID:12380
- C:\Windows\System32\NCMNFeE.exe
  C:\Windows\System32\NCMNFeE.exe
  2⤵
  PID:12400
- C:\Windows\System32\yZQYeSg.exe
  C:\Windows\System32\yZQYeSg.exe
  2⤵
  PID:12444
- C:\Windows\System32\GzkpNHO.exe
  C:\Windows\System32\GzkpNHO.exe
  2⤵
  PID:12472
- C:\Windows\System32\jqORiaU.exe
  C:\Windows\System32\jqORiaU.exe
  2⤵
  PID:12500
- C:\Windows\System32\UoGvFnt.exe
  C:\Windows\System32\UoGvFnt.exe
  2⤵
  PID:12528
- C:\Windows\System32\oWEAdmc.exe
  C:\Windows\System32\oWEAdmc.exe
  2⤵
  PID:12556
- C:\Windows\System32\bFCsFHf.exe
  C:\Windows\System32\bFCsFHf.exe
  2⤵
  PID:12584
- C:\Windows\System32\VnjZKhA.exe
  C:\Windows\System32\VnjZKhA.exe
  2⤵
  PID:12600
- C:\Windows\System32\PGAYGbO.exe
  C:\Windows\System32\PGAYGbO.exe
  2⤵
  PID:12640
- C:\Windows\System32\fpztJbY.exe
  C:\Windows\System32\fpztJbY.exe
  2⤵
  PID:12668
- C:\Windows\System32\fVMBSOJ.exe
  C:\Windows\System32\fVMBSOJ.exe
  2⤵
  PID:12684
- C:\Windows\System32\tmcNikC.exe
  C:\Windows\System32\tmcNikC.exe
  2⤵
  PID:12716
- C:\Windows\System32\zESKtEp.exe
  C:\Windows\System32\zESKtEp.exe
  2⤵
  PID:12744
- C:\Windows\System32\lRoGJWy.exe
  C:\Windows\System32\lRoGJWy.exe
  2⤵
  PID:12776
- C:\Windows\System32\ZDfPISm.exe
  C:\Windows\System32\ZDfPISm.exe
  2⤵
  PID:12808
- C:\Windows\System32\TVuACST.exe
  C:\Windows\System32\TVuACST.exe
  2⤵
  PID:12840
- C:\Windows\System32\ciIXYQo.exe
  C:\Windows\System32\ciIXYQo.exe
  2⤵
  PID:12868
- C:\Windows\System32\sTggaSx.exe
  C:\Windows\System32\sTggaSx.exe
  2⤵
  PID:12884
- C:\Windows\System32\tUKTUmH.exe
  C:\Windows\System32\tUKTUmH.exe
  2⤵
  PID:12912
- C:\Windows\System32\vCFGFDe.exe
  C:\Windows\System32\vCFGFDe.exe
  2⤵
  PID:12952
- C:\Windows\System32\AovNetv.exe
  C:\Windows\System32\AovNetv.exe
  2⤵
  PID:12976
- C:\Windows\System32\OshtOje.exe
  C:\Windows\System32\OshtOje.exe
  2⤵
  PID:12996
- C:\Windows\System32\nHOSnmp.exe
  C:\Windows\System32\nHOSnmp.exe
  2⤵
  PID:13032
- C:\Windows\System32\fhhtqWk.exe
  C:\Windows\System32\fhhtqWk.exe
  2⤵
  PID:13052
- C:\Windows\System32\twevMGz.exe
  C:\Windows\System32\twevMGz.exe
  2⤵
  PID:13080
- C:\Windows\System32\oBHGHIk.exe
  C:\Windows\System32\oBHGHIk.exe
  2⤵
  PID:13104
- C:\Windows\System32\YuARVXK.exe
  C:\Windows\System32\YuARVXK.exe
  2⤵
  PID:13148
- C:\Windows\System32\UnqtMMO.exe
  C:\Windows\System32\UnqtMMO.exe
  2⤵
  PID:13176
- C:\Windows\System32\nhzQPfT.exe
  C:\Windows\System32\nhzQPfT.exe
  2⤵
  PID:13204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:12700
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:7860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:11732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7780

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2568

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5560

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6296

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml

Filesize
97B

MD5
292a283bdecf4cd89c3ad863a28bc72f

SHA1
18e896fec5f8b3ea2963d0a5cb45a244050c35c1

SHA256
09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

SHA512
71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596934587638178.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Windows\System32\AcTlGCa.exe

Filesize
3.0MB

MD5
03cf22e9d48c708514dc51089788b7ee

SHA1
07262c162d8e0c8c9f174c0cb5fdb95757877b45

SHA256
63edfbf0eeb6571b613cf616af5e758d3652fc693f2fa16a5bb37a6aff87ac22

SHA512
f001f62fca879e3fa60f27bc120212717177c434ef6d8ebb2aa5aabbf11ea6b390047dae37daab9c5d014a64cc328144aec0a4da4ec4ee54cbc9726ec2fff4f1

Download Submit
C:\Windows\System32\CpsoxbL.exe

Filesize
3.0MB

MD5
f519bfa98f12084058837414eafbe4b0

SHA1
f5a9e14c60a2555e1513438bb91a662a06f3ab55

SHA256
657746b0f99690abbcc2570c529b63012b61e4103dc021a8fbce48ded1e0b764

SHA512
13ce1394db5d0f2f20aff51d92368d7718ce39bc93f22723f68dea2e7848c1da26f3d9e19dd50dff9052e2a9b063c98831195bbbeb6fe87ce27fa469ef5c25bf

Download Submit
C:\Windows\System32\CvzkAJB.exe

Filesize
3.0MB

MD5
4127ec4c7be2ec1f79fb6cf56dab7288

SHA1
b62d19c3f1bceb62429a8f5fff6a433eed4edfe5

SHA256
a8379f4ecddd02b9a60af895f34d7b609bf9d145633a4fc558dd60301e1c61c6

SHA512
80136912c12ee87c57a8686f1c48b33038be6c075ce14e13e1c267734db965f2ba05f723ec09efed54d03cc9c54cb70415c03cabea3c8eb13145ae3a2e990bb3

Download Submit
C:\Windows\System32\GPEhDYy.exe

Filesize
3.0MB

MD5
e3f61cb7ca8d7d0f5e861ecde42720e3

SHA1
e54c314ab08326dc938a6b52dfddea1ee2e4cfde

SHA256
78e9f3aad51edbeebefcd09829f34aaa09604edca05b361b03c8d5e48d99d573

SHA512
b7eb9d05fabd579c0fd6cc7929066abf6a1e8bc5786290e57e2f064268c0cd2f3a7cadcf6661f57d1597cef55d21abf8322462c9a0e0e4fdb77b8802764e8569

Download Submit
C:\Windows\System32\GkaiXHx.exe

Filesize
3.0MB

MD5
2e11f0ccec90740efac90b0c0121299c

SHA1
2399535bb7965a015fafa99836f122bb26ab5866

SHA256
9be2c571a5f5193d0b4aea7c278fca124c97bbe249e199cc7ba2ee37a4025d25

SHA512
b8b8d80937b007edfd561208eca0f18ffa135036ca5b13e5ab1ad49b8b125691ff78c45dc26d04468f0e928ba5e04c8f077c33fe6c0077d1f77cb533b56fa5fd

Download Submit
C:\Windows\System32\JSEdndg.exe

Filesize
3.0MB

MD5
32a774143ef6e847276030829dd72d07

SHA1
ced54ccb7d7bf0c9336ec32e02dee764974bc078

SHA256
352a531137f706ab91c54d3e10c6bc15c5b03c5a3db3bdc7eb6440b48c56d32b

SHA512
cdf3a96b52a4208ebd69613b8df9ab13d3ab30691b33a96484145b3c4b016a2c8273cd90d7d80fa52ef2362cc44d199458764b617c7f32cca485cf7a8747d5da

Download Submit
C:\Windows\System32\LRboMcN.exe

Filesize
3.0MB

MD5
6832e06d6f80f62e792db0779c5a7f80

SHA1
92a99e630c5cc8e01ce925644be016a9fb736746

SHA256
42dd642938e60f889b88939119018a506666833095d2884f99d93ea603a2f17a

SHA512
ab07701b6de918f678a372336f02f2b7e67e44c4f55cff016564961ddcee94028d7aa772a7f8d82592aa9e5d479d4356fd68accd7ab9cfa95947b3ef22fa1378

Download Submit
C:\Windows\System32\OqAgtVn.exe

Filesize
3.0MB

MD5
8d3ad797e9b6b92d35374352f03ce7e9

SHA1
9b722b8ca989016ebed416d17c077005362b1c21

SHA256
02d8ee49241d1d462eae0462b9b4567f3745dbbb4b616ee32f08fb9ee3682f82

SHA512
4ff663de4578e56e111c67d14701d187413ad08666b240f4f5ca409ba8e9874a9bedf631b1a683c9562ca1d5cc6969db8dc621bd7941586fa810a7f222a1f4aa

Download Submit
C:\Windows\System32\OyvnEBQ.exe

Filesize
3.0MB

MD5
1dd914916d569e0ed21361641ba39906

SHA1
488a19e0c7ac680df384f520d326ee6e0965bfc8

SHA256
f2a85f6f4138c97f1144ad643b46500f3593cc1bcdf06b78b0e6f1d3011ffd81

SHA512
bda18b15a460e0e9d023016bfe4f1248af9b095bd8fb2f8765b7103be949b4740bd444f16598e104fce5e984c3c3eb23d9f16e3829ce60773a5efdc697a06616

Download Submit
C:\Windows\System32\PehKLOK.exe

Filesize
3.0MB

MD5
4698639cc01a35f87e3659df71db377b

SHA1
365702d57d38f443fc59c5fe27f3366b591a1956

SHA256
163900584ae2bb7a99673712478cda9b8b09706e7f581f882d377a4c38cc1608

SHA512
d4938129f3fa75a7b88ff2e357cb0543b50a5735fc594959c5c45af34b8c2d563dba009394a8804fdce12e96b3419271e81d98fbf611c4b9e122fca34cf5cd3c

Download Submit
C:\Windows\System32\RCYENms.exe

Filesize
3.0MB

MD5
33be964e3ffe8c71fcc72fa26b527440

SHA1
68e579b1d8edda708830a3d2cf265e939959a861

SHA256
dc9078a8c4f79f72e5306bf20ac8c2d56c9b126f1af6f38d69de72d4849e6628

SHA512
5ab565c05095850f44987589051c8078de95fe6be53e01a2a4855199eeb0f68db776c1df1f0f1b1c64e0205da89b3e8c77a1cc12411d2153e891b91ee0d140cd

Download Submit
C:\Windows\System32\RPKNPHY.exe

Filesize
3.0MB

MD5
de16ba1978348b45b73e967a536bc089

SHA1
bdd77f89279fe55b116fa487e6c3fcb49d1e0ee2

SHA256
46b913ed097f3ed38505230b6545e5818c172aafc3b8fce87575a785b58bcde6

SHA512
984cd372003d85dab7a603c2b0b0204fb66033361e30c806e0a6ca15dd600acc3fe8e6ce617830757289a455561314df2f6c7601e5112170f276a5544e3aa316

Download Submit
C:\Windows\System32\SHoCdhK.exe

Filesize
3.0MB

MD5
0b08fa4d85e495bcf9e2a946d3532085

SHA1
f6bfa1716b34002b18f3ebbc85ad6cf709af2cb5

SHA256
5a32bd9bc3c32dae24c71d9bf1626e0437b6e6c63173c7711c530c1502938ba4

SHA512
5e5aaf17f957fc4d11535840cd2493258da5e1130a0f861c992d025c2852abd19e233e51cf25df039e12b977aecff0c0c12b4ffde9f758def3807ad76579fa2c

Download Submit
C:\Windows\System32\UkqAXrQ.exe

Filesize
3.0MB

MD5
d973fe1841adb1a2d984079bfbf0230d

SHA1
5a4e967c5c5d13710cd3ab93fa0d36fb82feb73d

SHA256
f1aa9bccdfe7367a0840411cc67c5abdab04e45531c78e3bd902184d0ca5f468

SHA512
35a47aeeba5459a01ccff64b1fefed769426c5728a6088414b7e62b4117ac1c012c1b5d8321ed1383cf02c004390a88449af4b7d5cadebdbf4d7585f8af8c4ba

Download Submit
C:\Windows\System32\WcdklGr.exe

Filesize
3.0MB

MD5
50f69cd580f3c6d729df5813486cd9c6

SHA1
94108fa6d2cc719240f21981da76ad2d05f18299

SHA256
6fc7d5e7d0ea704f6efe19e49d006a30f98c1114f7fc3f1ff2c3d3a9e4ec6226

SHA512
e71dc0c32259a0602cfc6f1a8b652245dc1db94b75f3ddbee7f22267d910f1d6c162c449f7d3fc10bc8230c28be7125f5b85f5b15543fb9de98494671b885e9f

Download Submit
C:\Windows\System32\WchiRXO.exe

Filesize
3.0MB

MD5
bd45b1ca128ce63cca40e959a0f2b70e

SHA1
d4e4248a6d1fd7387e3916b65186f1486a32b87b

SHA256
feb2b57ce8ef113c274b22fd4a406ace7ee000962c2c5952a08b3cc765cb6a65

SHA512
a42d15801d7851ae22173105c971ce9616667af4a2a4e7dbee72cdca0b3021aa7a0c81621757a2752f91370dec44e2f416d3458f3adf825445ba8c3a241b7fc8

Download Submit
C:\Windows\System32\YPIwNuT.exe

Filesize
3.0MB

MD5
a212cec9aabf11d2fd4df12e4edb9bc5

SHA1
d7f3d376ccd8a291d345c73bb6f6deb9c0c2b5d8

SHA256
7e898856a2d2b825807b51639c6896d59fc5b4b5e3abf719df1e8f19025a0ece

SHA512
9d5ae0d5f354e3fd70aa67c06467b0aa8af9cd2f09a7eb520a576d32a33c44c88ebbbc7ac5824b640a56e41d910e47aca80d0262b773e822655c1be3cd723b4f

Download Submit
C:\Windows\System32\ZXnUXDw.exe

Filesize
3.0MB

MD5
756da7c1f23ee1be286db8efdc1e684e

SHA1
319da8e64d5c9a2f157f5ac69a3596f5e6ad9789

SHA256
6b05cc0fe2aa2053329c69f94d2081df604be78514ddbfc6cc9499b0e164bf44

SHA512
c9c17e46d648af0bba469bde7a583d00c843b554768a4f3ce04a8c8f9436c9c59b76f63c6b10b00c9952c2e7ee5f3acf1ba32a049fde9b32981a34b059333868

Download Submit
C:\Windows\System32\bbsSpXB.exe

Filesize
3.0MB

MD5
df3bdf95251f8399f618e863ca4468dd

SHA1
d96692aedb33036a5e15ba4b4dde1e54f9c5232d

SHA256
16213c8ce7f11e8c28408b4ba18676bbf40450bee4d6f4ad5d60da39c363c888

SHA512
9ef4604b07cb5de754b03b3fe46e625757fe48e24709474991f2a8d7ab1133318a72f683052833360b0f2764ec221174a04ef1a76d076396933e9a00b80551d5

Download Submit
C:\Windows\System32\cjSNIWw.exe

Filesize
3.0MB

MD5
3e4b0d5a24e2f98f7ed32ce47d721a58

SHA1
0a1674fbb13f7db10907212e938611a8864aa2ef

SHA256
63a20ab75e418503170ec910802677fe5c4ab190e53dafe5b30172e215326ca4

SHA512
dcf9b6b17f4f4a1a23b8ec158b763fcbdfd57e85f43db6d1376e38acc720ec20e1b1603ff6a3474bcab919719fa0244a18b65228ab7f76cd0dee4a37df3daec7

Download Submit
C:\Windows\System32\dbdGQzA.exe

Filesize
3.0MB

MD5
d696229b1c14f55e9e7e211897efe38b

SHA1
d8a11625faa0e10058e83764498794718f7f3f57

SHA256
ed3b10b7871408811b5a3bcfa6d07d41a5ed1e8160ab4fa70edeefe25208b9d6

SHA512
3f66500e40b44275eb804a8fd2309619a857cbfdd7606397f180414e8750c84d209b504aba19c28e86be38f46a6a7297d8c6fc53533436fb5ebd44bb18190942

Download Submit
C:\Windows\System32\ePsAYbB.exe

Filesize
3.0MB

MD5
69799832a6ffcd134eb4217835c8de67

SHA1
b9cdccdd1eeb89e16fdcb1188e3c7a67e36d62d7

SHA256
080f0233362ceeac511b6e2d6010a6a63398deb0582c2183cf6854028f5cf74f

SHA512
2b7f68b6802719ea88e5880b5c702be4fec14c9159faf2e668ec1625fb36a5c982698619885bed59933b69cb24544786d05d06da783b51f765641731bece4ff6

Download Submit
C:\Windows\System32\euEBaxs.exe

Filesize
3.0MB

MD5
75fd298d8b0eaa99a35128b15c841e4d

SHA1
c72ee360c13557cb4d9bacb2117737b413082b56

SHA256
65ee76d14e829ba9f243a73684e3a09746a4cfbced8371ca490f2d9fb51f78ef

SHA512
beaf2cac3b0a9e3d830c1b0f196d834c4816fe3bd4d9b94eb70a1c19688d1837947b759cec4e6d1034e7fd568ef6dbb8caf37f7c499c358f0100d7ce93ca4cec

Download Submit
C:\Windows\System32\fbjRQke.exe

Filesize
3.0MB

MD5
450e53b1a9bd57c861797cbf1fe64103

SHA1
a10ebe9ab1e9ca2a0d5cd84a76174f7877f415d1

SHA256
f05339a071e93829e0d431e60fb9ca54f45cbb062937fa4969709bf158a8d212

SHA512
45e072ccf0e93db5075edd29fbe70c5e6b33ec1c070ce8bf75ded8e7815f14c8041c4cb7a8856842141cee37142504ffc6d02bb6275df1d24e42fad49cee4367

Download Submit
C:\Windows\System32\iUZyDUe.exe

Filesize
3.0MB

MD5
43060c7f3cd14013a61f2e2e048c1459

SHA1
67b6e1f4b5bf8715e0512b3d4879fac09f15f926

SHA256
06b010fbb8e5871b841fa824d272731ae704c230eb8e6da93f117a062a5d6e62

SHA512
8d14220590bcd338703c60e6355de9a8a972be80904a6166b4550da77574463616b25c659dee6114f4038ff052e15ff51ca907ec8295665638c999cfdfdabf4d

Download Submit
C:\Windows\System32\kVJThVE.exe

Filesize
3.0MB

MD5
deee2b5a290d874406e65b360ed685ba

SHA1
84c3c2628b134ddc2368b8cfb6c5db9985c567f0

SHA256
d0304567a260e08a14d8400e7320478655402ccee1ec04b1b78c8de806b3fb71

SHA512
b2c51cf801526813f52f7b111263a5cb19cb76ae9f4b6972d042185a94ab64edd0ec4068fc0a4c7798d12703feaa2e4f1d6a2e9aca2d336c4096e1bcebf509e4

Download Submit
C:\Windows\System32\lqgiCkX.exe

Filesize
3.0MB

MD5
b51b1635be40131a39c8f29ed2649963

SHA1
5552f3e3471ccaf1975763d5f3dd4d3d72d7cd53

SHA256
93625c11064a2a745e83eaae5d29b9b99459911a157caa1354f3f59def9923ba

SHA512
c00ea104ef17d80488db875929af16441c38fe20d4ab6f418133abd12465a1645affd38ccb2659c4808f58d27fcde55ebf4e077b0d4146dd9611e0131a959fbf

Download Submit
C:\Windows\System32\nOXcPQy.exe

Filesize
3.0MB

MD5
84db5e57ea85d63d559360cc017afdd8

SHA1
661aa2ceab56f876a3733f1c2a65500430c0a2ea

SHA256
23a6446c7692ce05ef797d807fa116a200fff63dc97f6fb7474ae2ee6031cd0c

SHA512
f8a111349f9545f8c54e0d4358fe0b1bdc1794140c1019835b6ffc00f752dc03debc4cda3a73fca191c09f92349d0c05969c66d2370d42e16277635967b097cf

Download Submit
C:\Windows\System32\niiLZsl.exe

Filesize
3.0MB

MD5
6b84edbb6f5baf3ba454358ee51e6fa0

SHA1
9cef747e36a91e851c1e858812920bbb6c2859cf

SHA256
fedd63cffce15ab874ad9541892c3789c0ecc89fcc1b064feb0fc2da0c5e3345

SHA512
df895f1990b128fccbf2fc5a425d4161a41279e29422e54718d5d6a89bf45f8f375482564145a00dea5dc9592d9b1f06298f3e9ac7f89f801d1c2cac520a1e23

Download Submit
C:\Windows\System32\nkdemCn.exe

Filesize
3.0MB

MD5
63eacbfd2e7637d2217893386ddb11de

SHA1
d8517f7b82324beec4da01d3877f23b9ac4c5ba5

SHA256
f3b8127a6daddc46a1bf1a82db50fce1422a46534aec142aacd6e5ee96a20915

SHA512
236de07f92fca47332d5abc2d557f35815b88b9b68fa58f9e226f1d8f6d0e6a09cb8ee1fb1bd509f2bdc784c62c3b79db192c3bafd45ded0c36f2ccec8849df7

Download Submit
C:\Windows\System32\rLpNdaO.exe

Filesize
3.0MB

MD5
891ec552940ef14771e9c83f906ac880

SHA1
059ef900b7db71622003a27bf9f15d6f5bc990e0

SHA256
a556cc1cf6cd442bb3b372b452f13703fb0bc835cb702764a2e1f59ee070308a

SHA512
fac1682ab52268c1f84717d328b0a750fc455c3b4bec4fa1b458fc0bd5f01e79b9cb9f8249f0edb2eb6d22677b0a043edcf467a861a6697f4df3ae905fd6f9cf

Download Submit
C:\Windows\System32\wGTBIqE.exe

Filesize
3.0MB

MD5
738aae18b04b411aa68a4b9f4d9ac926

SHA1
ad3e6a8455b9edfcb2bad4c0bec04b082485d74e

SHA256
2394d6baa88a42b442ea78b7af59768539ff1e7e6302b3a068d150d5ff81d8fc

SHA512
9997f389b29ca5dd62f1f9d3b0a072127cd9885298fec85e2b24501c42bf890072bba09145eb30b8485699c1ae5753023b4b0427edb289b37abd92b2e547f399

Download Submit
C:\Windows\System32\ygBclbU.exe

Filesize
3.0MB

MD5
45b87bcc13d868a635ef172f3f4d72bf

SHA1
fec9c073171b8d92a5c3450ee3fbbc8615ca7bc9

SHA256
094a27378bf28ce23bdb21dea59997cc4e0a6fae82d2539951d2a5a022ea4b1d

SHA512
7550ef424f99770d6c0c4b163e6cc542ffc9cd8a3d4515f5a2fdfd58edb810210cfadd2ee568c6bfb75009f0d6ce4f3e6d2f47f50ac5f71b73552beeb4933617

Download Submit
memory/1600-1932-0x00007FF7F34A0000-0x00007FF7F3895000-memory.dmp

Filesize
4.0MB

Download
memory/1600-842-0x00007FF7F34A0000-0x00007FF7F3895000-memory.dmp

Filesize
4.0MB

Download
memory/1652-1918-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp

Filesize
4.0MB

Download
memory/1652-18-0x00007FF68CC00000-0x00007FF68CFF5000-memory.dmp

Filesize
4.0MB

Download
memory/1996-1919-0x00007FF667F80000-0x00007FF668375000-memory.dmp

Filesize
4.0MB

Download
memory/1996-799-0x00007FF667F80000-0x00007FF668375000-memory.dmp

Filesize
4.0MB

Download
memory/2120-835-0x00007FF7A9B10000-0x00007FF7A9F05000-memory.dmp

Filesize
4.0MB

Download
memory/2120-1928-0x00007FF7A9B10000-0x00007FF7A9F05000-memory.dmp

Filesize
4.0MB

Download
memory/2252-1-0x0000029394BD0000-0x0000029394BE0000-memory.dmp

Filesize
64KB

Download
memory/2252-0-0x00007FF72DCF0000-0x00007FF72E0E5000-memory.dmp

Filesize
4.0MB

Download
memory/2384-24-0x00007FF735920000-0x00007FF735D15000-memory.dmp

Filesize
4.0MB

Download
memory/2384-1920-0x00007FF735920000-0x00007FF735D15000-memory.dmp

Filesize
4.0MB

Download
memory/2484-1941-0x00007FF714B10000-0x00007FF714F05000-memory.dmp

Filesize
4.0MB

Download
memory/2484-907-0x00007FF714B10000-0x00007FF714F05000-memory.dmp

Filesize
4.0MB

Download
memory/2516-863-0x00007FF6F2520000-0x00007FF6F2915000-memory.dmp

Filesize
4.0MB

Download
memory/2516-1933-0x00007FF6F2520000-0x00007FF6F2915000-memory.dmp

Filesize
4.0MB

Download
memory/3004-856-0x00007FF75FD40000-0x00007FF760135000-memory.dmp

Filesize
4.0MB

Download
memory/3004-1930-0x00007FF75FD40000-0x00007FF760135000-memory.dmp

Filesize
4.0MB

Download
memory/3188-832-0x00007FF6438C0000-0x00007FF643CB5000-memory.dmp

Filesize
4.0MB

Download
memory/3188-1931-0x00007FF6438C0000-0x00007FF643CB5000-memory.dmp

Filesize
4.0MB

Download
memory/3340-1929-0x00007FF67E040000-0x00007FF67E435000-memory.dmp

Filesize
4.0MB

Download
memory/3340-839-0x00007FF67E040000-0x00007FF67E435000-memory.dmp

Filesize
4.0MB

Download
memory/3632-909-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp

Filesize
4.0MB

Download
memory/3632-1922-0x00007FF7AB250000-0x00007FF7AB645000-memory.dmp

Filesize
4.0MB

Download
memory/3952-818-0x00007FF6503F0000-0x00007FF6507E5000-memory.dmp

Filesize
4.0MB

Download
memory/3952-1927-0x00007FF6503F0000-0x00007FF6507E5000-memory.dmp

Filesize
4.0MB

Download
memory/4244-823-0x00007FF7AE890000-0x00007FF7AEC85000-memory.dmp

Filesize
4.0MB

Download
memory/4244-1926-0x00007FF7AE890000-0x00007FF7AEC85000-memory.dmp

Filesize
4.0MB

Download
memory/4340-1924-0x00007FF710DE0000-0x00007FF7111D5000-memory.dmp

Filesize
4.0MB

Download
memory/4340-806-0x00007FF710DE0000-0x00007FF7111D5000-memory.dmp

Filesize
4.0MB

Download
memory/4368-1925-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp

Filesize
4.0MB

Download
memory/4368-811-0x00007FF67AC00000-0x00007FF67AFF5000-memory.dmp

Filesize
4.0MB

Download
memory/4648-1936-0x00007FF777E70000-0x00007FF778265000-memory.dmp

Filesize
4.0MB

Download
memory/4648-865-0x00007FF777E70000-0x00007FF778265000-memory.dmp

Filesize
4.0MB

Download
memory/4660-801-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp

Filesize
4.0MB

Download
memory/4660-1921-0x00007FF7081E0000-0x00007FF7085D5000-memory.dmp

Filesize
4.0MB

Download
memory/4672-1934-0x00007FF6AA320000-0x00007FF6AA715000-memory.dmp

Filesize
4.0MB

Download
memory/4672-860-0x00007FF6AA320000-0x00007FF6AA715000-memory.dmp

Filesize
4.0MB

Download
memory/4704-874-0x00007FF6267F0000-0x00007FF626BE5000-memory.dmp

Filesize
4.0MB

Download
memory/4704-1938-0x00007FF6267F0000-0x00007FF626BE5000-memory.dmp

Filesize
4.0MB

Download
memory/4724-1940-0x00007FF6800D0000-0x00007FF6804C5000-memory.dmp

Filesize
4.0MB

Download
memory/4724-877-0x00007FF6800D0000-0x00007FF6804C5000-memory.dmp

Filesize
4.0MB

Download
memory/4968-1939-0x00007FF60E720000-0x00007FF60EB15000-memory.dmp

Filesize
4.0MB

Download
memory/4968-905-0x00007FF60E720000-0x00007FF60EB15000-memory.dmp

Filesize
4.0MB

Download
memory/5060-880-0x00007FF6E8260000-0x00007FF6E8655000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1937-0x00007FF6E8260000-0x00007FF6E8655000-memory.dmp

Filesize
4.0MB

Download
memory/5080-1923-0x00007FF7BA5E0000-0x00007FF7BA9D5000-memory.dmp

Filesize
4.0MB

Download
memory/5080-802-0x00007FF7BA5E0000-0x00007FF7BA9D5000-memory.dmp

Filesize
4.0MB

Download
memory/5092-1935-0x00007FF6279A0000-0x00007FF627D95000-memory.dmp

Filesize
4.0MB

Download
memory/5092-864-0x00007FF6279A0000-0x00007FF627D95000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads