xmrig | 81e69546a840e90689b3e07f78dffdf280dc4890cb0834fa5215b4abea940aaa

Analysis

max time kernel
66s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 17:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
Size

1.9MB
MD5

0a75c1de42a66de73e7598b250147f10
SHA1

272b2ba48549472bc60c1b8f65dc3a24b26dc28c
SHA256

81e69546a840e90689b3e07f78dffdf280dc4890cb0834fa5215b4abea940aaa
SHA512

e5a3217d43a52f1d0e4ca70a331aadba4080c7c049894d08469d71009b6e06b81bb5b513edaa2276e4f608eb367368dc3b4fa92cc19e9f068a0ae856b475bdeb
SSDEEP

49152:knw9oUUEEDlMrL6T33MnTx1vYtkjC8oTTd:kQUEEx

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2024-25-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp	xmrig
behavioral2/memory/4668-15-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp	xmrig
behavioral2/memory/2264-438-0x00007FF75B050000-0x00007FF75B441000-memory.dmp	xmrig
behavioral2/memory/4712-439-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp	xmrig
behavioral2/memory/4524-440-0x00007FF780320000-0x00007FF780711000-memory.dmp	xmrig
behavioral2/memory/512-441-0x00007FF675B10000-0x00007FF675F01000-memory.dmp	xmrig
behavioral2/memory/1956-442-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp	xmrig
behavioral2/memory/4228-455-0x00007FF691480000-0x00007FF691871000-memory.dmp	xmrig
behavioral2/memory/3056-474-0x00007FF66E7C0000-0x00007FF66EBB1000-memory.dmp	xmrig
behavioral2/memory/2380-508-0x00007FF754480000-0x00007FF754871000-memory.dmp	xmrig
behavioral2/memory/2868-531-0x00007FF65BB70000-0x00007FF65BF61000-memory.dmp	xmrig
behavioral2/memory/4772-540-0x00007FF75AD90000-0x00007FF75B181000-memory.dmp	xmrig
behavioral2/memory/4568-541-0x00007FF6E9CF0000-0x00007FF6EA0E1000-memory.dmp	xmrig
behavioral2/memory/3496-550-0x00007FF69F900000-0x00007FF69FCF1000-memory.dmp	xmrig
behavioral2/memory/1944-553-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp	xmrig
behavioral2/memory/4264-551-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp	xmrig
behavioral2/memory/232-545-0x00007FF79E280000-0x00007FF79E671000-memory.dmp	xmrig
behavioral2/memory/1212-526-0x00007FF7742C0000-0x00007FF7746B1000-memory.dmp	xmrig
behavioral2/memory/908-491-0x00007FF7DBEC0000-0x00007FF7DC2B1000-memory.dmp	xmrig
behavioral2/memory/1504-482-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	xmrig
behavioral2/memory/1440-477-0x00007FF7FCB60000-0x00007FF7FCF51000-memory.dmp	xmrig
behavioral2/memory/396-465-0x00007FF7D5090000-0x00007FF7D5481000-memory.dmp	xmrig
behavioral2/memory/3780-451-0x00007FF783840000-0x00007FF783C31000-memory.dmp	xmrig
behavioral2/memory/4572-443-0x00007FF7D21E0000-0x00007FF7D25D1000-memory.dmp	xmrig
behavioral2/memory/4668-2010-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp	xmrig
behavioral2/memory/2024-2012-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp	xmrig
behavioral2/memory/4264-2016-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp	xmrig
behavioral2/memory/1944-2018-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp	xmrig
behavioral2/memory/2264-2014-0x00007FF75B050000-0x00007FF75B441000-memory.dmp	xmrig
behavioral2/memory/4712-2020-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp	xmrig
behavioral2/memory/1956-2026-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp	xmrig
behavioral2/memory/4572-2028-0x00007FF7D21E0000-0x00007FF7D25D1000-memory.dmp	xmrig
behavioral2/memory/3780-2030-0x00007FF783840000-0x00007FF783C31000-memory.dmp	xmrig
behavioral2/memory/4228-2032-0x00007FF691480000-0x00007FF691871000-memory.dmp	xmrig
behavioral2/memory/512-2024-0x00007FF675B10000-0x00007FF675F01000-memory.dmp	xmrig
behavioral2/memory/4524-2023-0x00007FF780320000-0x00007FF780711000-memory.dmp	xmrig
behavioral2/memory/3056-2036-0x00007FF66E7C0000-0x00007FF66EBB1000-memory.dmp	xmrig
behavioral2/memory/908-2042-0x00007FF7DBEC0000-0x00007FF7DC2B1000-memory.dmp	xmrig
behavioral2/memory/2868-2046-0x00007FF65BB70000-0x00007FF65BF61000-memory.dmp	xmrig
behavioral2/memory/2380-2050-0x00007FF754480000-0x00007FF754871000-memory.dmp	xmrig
behavioral2/memory/4568-2054-0x00007FF6E9CF0000-0x00007FF6EA0E1000-memory.dmp	xmrig
behavioral2/memory/232-2052-0x00007FF79E280000-0x00007FF79E671000-memory.dmp	xmrig
behavioral2/memory/4772-2049-0x00007FF75AD90000-0x00007FF75B181000-memory.dmp	xmrig
behavioral2/memory/1212-2045-0x00007FF7742C0000-0x00007FF7746B1000-memory.dmp	xmrig
behavioral2/memory/1504-2040-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	xmrig
behavioral2/memory/1440-2038-0x00007FF7FCB60000-0x00007FF7FCF51000-memory.dmp	xmrig
behavioral2/memory/396-2035-0x00007FF7D5090000-0x00007FF7D5481000-memory.dmp	xmrig
behavioral2/memory/3496-2080-0x00007FF69F900000-0x00007FF69FCF1000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4668	zfmQVul.exe
2024	hSfCclD.exe
4264	rQlPDpH.exe
2264	NSMuzUu.exe
1944	dtpdzXk.exe
4712	jzfPbWw.exe
4524	giMhdfA.exe
512	TjIFzbH.exe
1956	XjAfnTo.exe
4572	TUzTTdc.exe
3780	tzqooQC.exe
4228	YSBnQaA.exe
396	XHuFFdL.exe
3056	kphceux.exe
1440	FCdFbnB.exe
1504	IiARdTq.exe
908	xliGlTc.exe
2380	UTkLYNk.exe
1212	bjnPgQd.exe
2868	QauiNCb.exe
4772	bBedbEf.exe
4568	dXTKSmo.exe
232	ZoUYrrX.exe
3496	EOYTttc.exe
3364	tRUXXDo.exe
1812	tMSsjDV.exe
228	QxyqCsX.exe
664	iNaYtHz.exe
4844	NZiSfBx.exe
928	FPOonea.exe
3384	UnGnTRj.exe
3224	DlPhVJa.exe
2580	fbSUejN.exe
5056	kanrLsb.exe
2568	KzGpIZQ.exe
1508	zRAMjiQ.exe
1428	NOSWljk.exe
3468	RFPDUmX.exe
2028	LgNLLgQ.exe
556	jIpXYwI.exe
4244	wEWZMtR.exe
2096	dFFDbIH.exe
4744	DySZcjH.exe
4548	vxEQnkB.exe
3572	kZIjxkm.exe
960	DZXKSAd.exe
4968	nmnDHTJ.exe
2956	HUVcSQh.exe
3380	yAetYEc.exe
3460	lGwJacj.exe
1636	YFuVpxr.exe
1912	xAMKYEO.exe
3484	EayAvZC.exe
2736	wDUUMAG.exe
2644	ZqbmTlM.exe
3308	ZeBNFsx.exe
1028	FRtTQBY.exe
3508	MkuZQhR.exe
4752	RQdsYeC.exe
1968	TjDYwJe.exe
4392	PezRFzT.exe
4920	BQpHZNT.exe
2832	fWQbtHy.exe
2528	PjvWkCU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1196-0-0x00007FF635CA0000-0x00007FF636091000-memory.dmp	upx
behavioral2/files/0x000c0000000233be-6.dat	upx
behavioral2/files/0x0009000000023409-9.dat	upx
behavioral2/files/0x000800000002340a-16.dat	upx
behavioral2/files/0x000700000002340b-20.dat	upx
behavioral2/files/0x000700000002340d-32.dat	upx
behavioral2/files/0x000700000002340e-35.dat	upx
behavioral2/files/0x000700000002340f-40.dat	upx
behavioral2/files/0x0007000000023410-45.dat	upx
behavioral2/files/0x0007000000023411-50.dat	upx
behavioral2/files/0x0007000000023412-58.dat	upx
behavioral2/files/0x0007000000023413-63.dat	upx
behavioral2/files/0x0007000000023415-72.dat	upx
behavioral2/files/0x0007000000023416-78.dat	upx
behavioral2/files/0x0007000000023418-88.dat	upx
behavioral2/files/0x000700000002341a-98.dat	upx
behavioral2/files/0x000700000002341b-103.dat	upx
behavioral2/files/0x000700000002341e-117.dat	upx
behavioral2/files/0x0007000000023420-131.dat	upx
behavioral2/files/0x0007000000023427-163.dat	upx
behavioral2/files/0x0007000000023426-161.dat	upx
behavioral2/files/0x0007000000023425-153.dat	upx
behavioral2/files/0x0007000000023424-148.dat	upx
behavioral2/files/0x0007000000023423-146.dat	upx
behavioral2/files/0x0007000000023422-138.dat	upx
behavioral2/files/0x0007000000023421-136.dat	upx
behavioral2/files/0x000700000002341f-123.dat	upx
behavioral2/files/0x000700000002341d-113.dat	upx
behavioral2/files/0x000700000002341c-108.dat	upx
behavioral2/files/0x0007000000023419-93.dat	upx
behavioral2/files/0x0007000000023417-83.dat	upx
behavioral2/files/0x0007000000023414-68.dat	upx
behavioral2/files/0x000700000002340c-28.dat	upx
behavioral2/memory/2024-25-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp	upx
behavioral2/memory/4668-15-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp	upx
behavioral2/memory/2264-438-0x00007FF75B050000-0x00007FF75B441000-memory.dmp	upx
behavioral2/memory/4712-439-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp	upx
behavioral2/memory/4524-440-0x00007FF780320000-0x00007FF780711000-memory.dmp	upx
behavioral2/memory/512-441-0x00007FF675B10000-0x00007FF675F01000-memory.dmp	upx
behavioral2/memory/1956-442-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp	upx
behavioral2/memory/4228-455-0x00007FF691480000-0x00007FF691871000-memory.dmp	upx
behavioral2/memory/3056-474-0x00007FF66E7C0000-0x00007FF66EBB1000-memory.dmp	upx
behavioral2/memory/2380-508-0x00007FF754480000-0x00007FF754871000-memory.dmp	upx
behavioral2/memory/2868-531-0x00007FF65BB70000-0x00007FF65BF61000-memory.dmp	upx
behavioral2/memory/4772-540-0x00007FF75AD90000-0x00007FF75B181000-memory.dmp	upx
behavioral2/memory/4568-541-0x00007FF6E9CF0000-0x00007FF6EA0E1000-memory.dmp	upx
behavioral2/memory/3496-550-0x00007FF69F900000-0x00007FF69FCF1000-memory.dmp	upx
behavioral2/memory/1944-553-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp	upx
behavioral2/memory/4264-551-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/memory/232-545-0x00007FF79E280000-0x00007FF79E671000-memory.dmp	upx
behavioral2/memory/1212-526-0x00007FF7742C0000-0x00007FF7746B1000-memory.dmp	upx
behavioral2/memory/908-491-0x00007FF7DBEC0000-0x00007FF7DC2B1000-memory.dmp	upx
behavioral2/memory/1504-482-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	upx
behavioral2/memory/1440-477-0x00007FF7FCB60000-0x00007FF7FCF51000-memory.dmp	upx
behavioral2/memory/396-465-0x00007FF7D5090000-0x00007FF7D5481000-memory.dmp	upx
behavioral2/memory/3780-451-0x00007FF783840000-0x00007FF783C31000-memory.dmp	upx
behavioral2/memory/4572-443-0x00007FF7D21E0000-0x00007FF7D25D1000-memory.dmp	upx
behavioral2/memory/4668-2010-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp	upx
behavioral2/memory/2024-2012-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp	upx
behavioral2/memory/4264-2016-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp	upx
behavioral2/memory/1944-2018-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp	upx
behavioral2/memory/2264-2014-0x00007FF75B050000-0x00007FF75B441000-memory.dmp	upx
behavioral2/memory/4712-2020-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp	upx
behavioral2/memory/1956-2026-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\OpKimcO.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\OVTqcih.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\UQAdxBs.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\eXqblWQ.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\sGPrevF.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\PgbuegA.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\uSpexrI.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\FIMLAUk.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\BWukmFj.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\qBKSSus.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\tegthRc.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\zYbJcHM.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\yXCpzFg.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\lGwJacj.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\QkWnpmz.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\TnNgxYe.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\xuGnBZW.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\BGFGxST.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\itvCQWu.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\CNbxiIJ.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\deijDWY.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\mqcKWPi.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\DCMuBKj.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\YYrLgun.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\iZoJNJb.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\NSMuzUu.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\iztfxRa.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\UFIVGPv.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\vAxEqAz.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\CCKWxiC.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\vmRVHDf.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\RgMzRMa.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\rzHraKG.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\PezRFzT.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\OjVPQFr.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\FqwqkwB.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\zJZHjVr.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\iNPDhbo.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\tgOWtwk.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\UEjLMBp.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\LaMFvNe.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\zQkZLNJ.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\YLOMMQY.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\nGQLqZw.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\OhRPQsE.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\RlCVTbv.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\YJRErVg.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\YbWjQPi.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\uWSSckV.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\EMRNnIW.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\iPPQHUj.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\AthyOih.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\kWGdodI.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\qdaCjmj.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\MzHIagB.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\dIhpPwT.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\DtIOVfF.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\NzZffeX.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\hIjOKUZ.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\SOjkfyY.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\YsixZUy.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\JdHvYPq.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\GUBxTvU.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
File created	C:\Windows\System32\iBGFmGy.exe	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{8CF9D9AD-6C84-400B-882B-98C106776A48}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	12900	explorer.exe
Token: SeCreatePagefilePrivilege	12900	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe
Token: SeShutdownPrivilege	456	explorer.exe
Token: SeCreatePagefilePrivilege	456	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
13180	sihost.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
12900	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
456	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6264	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
6072	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe
2584	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4140	StartMenuExperienceHost.exe
7448	StartMenuExperienceHost.exe
8176	StartMenuExperienceHost.exe
8472	SearchApp.exe
3620	StartMenuExperienceHost.exe
11164	StartMenuExperienceHost.exe
8120	SearchApp.exe
12872	StartMenuExperienceHost.exe
2736	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4668	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	82
PID 1196 wrote to memory of 4668	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	82
PID 1196 wrote to memory of 2024	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	83
PID 1196 wrote to memory of 2024	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	83
PID 1196 wrote to memory of 4264	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	84
PID 1196 wrote to memory of 4264	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	84
PID 1196 wrote to memory of 2264	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	85
PID 1196 wrote to memory of 2264	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	85
PID 1196 wrote to memory of 1944	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	86
PID 1196 wrote to memory of 1944	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	86
PID 1196 wrote to memory of 4712	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	87
PID 1196 wrote to memory of 4712	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	87
PID 1196 wrote to memory of 4524	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	88
PID 1196 wrote to memory of 4524	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	88
PID 1196 wrote to memory of 512	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	89
PID 1196 wrote to memory of 512	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	89
PID 1196 wrote to memory of 1956	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	90
PID 1196 wrote to memory of 1956	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	90
PID 1196 wrote to memory of 4572	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	91
PID 1196 wrote to memory of 4572	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	91
PID 1196 wrote to memory of 3780	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	92
PID 1196 wrote to memory of 3780	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	92
PID 1196 wrote to memory of 4228	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	93
PID 1196 wrote to memory of 4228	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	93
PID 1196 wrote to memory of 396	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	94
PID 1196 wrote to memory of 396	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	94
PID 1196 wrote to memory of 3056	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	95
PID 1196 wrote to memory of 3056	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	95
PID 1196 wrote to memory of 1440	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	96
PID 1196 wrote to memory of 1440	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	96
PID 1196 wrote to memory of 1504	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	97
PID 1196 wrote to memory of 1504	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	97
PID 1196 wrote to memory of 908	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	98
PID 1196 wrote to memory of 908	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	98
PID 1196 wrote to memory of 2380	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	99
PID 1196 wrote to memory of 2380	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	99
PID 1196 wrote to memory of 1212	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	100
PID 1196 wrote to memory of 1212	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	100
PID 1196 wrote to memory of 2868	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	101
PID 1196 wrote to memory of 2868	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	101
PID 1196 wrote to memory of 4772	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	102
PID 1196 wrote to memory of 4772	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	102
PID 1196 wrote to memory of 4568	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	103
PID 1196 wrote to memory of 4568	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	103
PID 1196 wrote to memory of 232	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	104
PID 1196 wrote to memory of 232	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	104
PID 1196 wrote to memory of 3496	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	105
PID 1196 wrote to memory of 3496	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	105
PID 1196 wrote to memory of 3364	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	106
PID 1196 wrote to memory of 3364	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	106
PID 1196 wrote to memory of 1812	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	107
PID 1196 wrote to memory of 1812	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	107
PID 1196 wrote to memory of 228	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	108
PID 1196 wrote to memory of 228	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	108
PID 1196 wrote to memory of 664	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	109
PID 1196 wrote to memory of 664	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	109
PID 1196 wrote to memory of 4844	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	110
PID 1196 wrote to memory of 4844	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	110
PID 1196 wrote to memory of 928	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	111
PID 1196 wrote to memory of 928	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	111
PID 1196 wrote to memory of 3384	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	112
PID 1196 wrote to memory of 3384	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	112
PID 1196 wrote to memory of 3224	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	113
PID 1196 wrote to memory of 3224	1196	0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a75c1de42a66de73e7598b250147f10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\zfmQVul.exe
  C:\Windows\System32\zfmQVul.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\hSfCclD.exe
  C:\Windows\System32\hSfCclD.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\rQlPDpH.exe
  C:\Windows\System32\rQlPDpH.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\NSMuzUu.exe
  C:\Windows\System32\NSMuzUu.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\dtpdzXk.exe
  C:\Windows\System32\dtpdzXk.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\jzfPbWw.exe
  C:\Windows\System32\jzfPbWw.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\giMhdfA.exe
  C:\Windows\System32\giMhdfA.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\TjIFzbH.exe
  C:\Windows\System32\TjIFzbH.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\XjAfnTo.exe
  C:\Windows\System32\XjAfnTo.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System32\TUzTTdc.exe
  C:\Windows\System32\TUzTTdc.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\tzqooQC.exe
  C:\Windows\System32\tzqooQC.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\YSBnQaA.exe
  C:\Windows\System32\YSBnQaA.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\XHuFFdL.exe
  C:\Windows\System32\XHuFFdL.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\kphceux.exe
  C:\Windows\System32\kphceux.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\FCdFbnB.exe
  C:\Windows\System32\FCdFbnB.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\IiARdTq.exe
  C:\Windows\System32\IiARdTq.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System32\xliGlTc.exe
  C:\Windows\System32\xliGlTc.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\UTkLYNk.exe
  C:\Windows\System32\UTkLYNk.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\bjnPgQd.exe
  C:\Windows\System32\bjnPgQd.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\QauiNCb.exe
  C:\Windows\System32\QauiNCb.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\bBedbEf.exe
  C:\Windows\System32\bBedbEf.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System32\dXTKSmo.exe
  C:\Windows\System32\dXTKSmo.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System32\ZoUYrrX.exe
  C:\Windows\System32\ZoUYrrX.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\EOYTttc.exe
  C:\Windows\System32\EOYTttc.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\tRUXXDo.exe
  C:\Windows\System32\tRUXXDo.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\tMSsjDV.exe
  C:\Windows\System32\tMSsjDV.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\QxyqCsX.exe
  C:\Windows\System32\QxyqCsX.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\iNaYtHz.exe
  C:\Windows\System32\iNaYtHz.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System32\NZiSfBx.exe
  C:\Windows\System32\NZiSfBx.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\FPOonea.exe
  C:\Windows\System32\FPOonea.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\UnGnTRj.exe
  C:\Windows\System32\UnGnTRj.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\DlPhVJa.exe
  C:\Windows\System32\DlPhVJa.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\fbSUejN.exe
  C:\Windows\System32\fbSUejN.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\kanrLsb.exe
  C:\Windows\System32\kanrLsb.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\KzGpIZQ.exe
  C:\Windows\System32\KzGpIZQ.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\zRAMjiQ.exe
  C:\Windows\System32\zRAMjiQ.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\NOSWljk.exe
  C:\Windows\System32\NOSWljk.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\RFPDUmX.exe
  C:\Windows\System32\RFPDUmX.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System32\LgNLLgQ.exe
  C:\Windows\System32\LgNLLgQ.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\jIpXYwI.exe
  C:\Windows\System32\jIpXYwI.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System32\wEWZMtR.exe
  C:\Windows\System32\wEWZMtR.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\dFFDbIH.exe
  C:\Windows\System32\dFFDbIH.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\DySZcjH.exe
  C:\Windows\System32\DySZcjH.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System32\vxEQnkB.exe
  C:\Windows\System32\vxEQnkB.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\kZIjxkm.exe
  C:\Windows\System32\kZIjxkm.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\DZXKSAd.exe
  C:\Windows\System32\DZXKSAd.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System32\nmnDHTJ.exe
  C:\Windows\System32\nmnDHTJ.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\HUVcSQh.exe
  C:\Windows\System32\HUVcSQh.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\yAetYEc.exe
  C:\Windows\System32\yAetYEc.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\lGwJacj.exe
  C:\Windows\System32\lGwJacj.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\YFuVpxr.exe
  C:\Windows\System32\YFuVpxr.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\xAMKYEO.exe
  C:\Windows\System32\xAMKYEO.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System32\EayAvZC.exe
  C:\Windows\System32\EayAvZC.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System32\wDUUMAG.exe
  C:\Windows\System32\wDUUMAG.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\ZqbmTlM.exe
  C:\Windows\System32\ZqbmTlM.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\ZeBNFsx.exe
  C:\Windows\System32\ZeBNFsx.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System32\FRtTQBY.exe
  C:\Windows\System32\FRtTQBY.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System32\MkuZQhR.exe
  C:\Windows\System32\MkuZQhR.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\RQdsYeC.exe
  C:\Windows\System32\RQdsYeC.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\TjDYwJe.exe
  C:\Windows\System32\TjDYwJe.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\PezRFzT.exe
  C:\Windows\System32\PezRFzT.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\BQpHZNT.exe
  C:\Windows\System32\BQpHZNT.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\fWQbtHy.exe
  C:\Windows\System32\fWQbtHy.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System32\PjvWkCU.exe
  C:\Windows\System32\PjvWkCU.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\GVsGkLB.exe
  C:\Windows\System32\GVsGkLB.exe
  2⤵
  PID:2980
- C:\Windows\System32\DtIOVfF.exe
  C:\Windows\System32\DtIOVfF.exe
  2⤵
  PID:2280
- C:\Windows\System32\dMMzvxt.exe
  C:\Windows\System32\dMMzvxt.exe
  2⤵
  PID:1744
- C:\Windows\System32\AuenAuD.exe
  C:\Windows\System32\AuenAuD.exe
  2⤵
  PID:224
- C:\Windows\System32\Apisgdb.exe
  C:\Windows\System32\Apisgdb.exe
  2⤵
  PID:3500
- C:\Windows\System32\qZRAMQX.exe
  C:\Windows\System32\qZRAMQX.exe
  2⤵
  PID:2252
- C:\Windows\System32\zvXVleA.exe
  C:\Windows\System32\zvXVleA.exe
  2⤵
  PID:528
- C:\Windows\System32\dBEUGyv.exe
  C:\Windows\System32\dBEUGyv.exe
  2⤵
  PID:1156
- C:\Windows\System32\dfPoLfh.exe
  C:\Windows\System32\dfPoLfh.exe
  2⤵
  PID:5112
- C:\Windows\System32\OWtqSGV.exe
  C:\Windows\System32\OWtqSGV.exe
  2⤵
  PID:808
- C:\Windows\System32\nXOzGob.exe
  C:\Windows\System32\nXOzGob.exe
  2⤵
  PID:4476
- C:\Windows\System32\KdkxxMl.exe
  C:\Windows\System32\KdkxxMl.exe
  2⤵
  PID:4180
- C:\Windows\System32\deijDWY.exe
  C:\Windows\System32\deijDWY.exe
  2⤵
  PID:4900
- C:\Windows\System32\VlzzPdv.exe
  C:\Windows\System32\VlzzPdv.exe
  2⤵
  PID:1644
- C:\Windows\System32\CWEXSis.exe
  C:\Windows\System32\CWEXSis.exe
  2⤵
  PID:1584
- C:\Windows\System32\zWXRXoo.exe
  C:\Windows\System32\zWXRXoo.exe
  2⤵
  PID:1496
- C:\Windows\System32\Pybyywu.exe
  C:\Windows\System32\Pybyywu.exe
  2⤵
  PID:740
- C:\Windows\System32\cWAmpPe.exe
  C:\Windows\System32\cWAmpPe.exe
  2⤵
  PID:2612
- C:\Windows\System32\UEDgXuN.exe
  C:\Windows\System32\UEDgXuN.exe
  2⤵
  PID:1560
- C:\Windows\System32\dWVXyar.exe
  C:\Windows\System32\dWVXyar.exe
  2⤵
  PID:1228
- C:\Windows\System32\XLMeHNB.exe
  C:\Windows\System32\XLMeHNB.exe
  2⤵
  PID:1904
- C:\Windows\System32\eAEpkjc.exe
  C:\Windows\System32\eAEpkjc.exe
  2⤵
  PID:3764
- C:\Windows\System32\cUsHFLq.exe
  C:\Windows\System32\cUsHFLq.exe
  2⤵
  PID:4352
- C:\Windows\System32\rgrJMrN.exe
  C:\Windows\System32\rgrJMrN.exe
  2⤵
  PID:2952
- C:\Windows\System32\jSPblXU.exe
  C:\Windows\System32\jSPblXU.exe
  2⤵
  PID:3600
- C:\Windows\System32\SGbjbxo.exe
  C:\Windows\System32\SGbjbxo.exe
  2⤵
  PID:4040
- C:\Windows\System32\oydVuFp.exe
  C:\Windows\System32\oydVuFp.exe
  2⤵
  PID:2596
- C:\Windows\System32\swMVNOy.exe
  C:\Windows\System32\swMVNOy.exe
  2⤵
  PID:4280
- C:\Windows\System32\pvojdye.exe
  C:\Windows\System32\pvojdye.exe
  2⤵
  PID:2000
- C:\Windows\System32\qOpfixD.exe
  C:\Windows\System32\qOpfixD.exe
  2⤵
  PID:1612
- C:\Windows\System32\syAojYX.exe
  C:\Windows\System32\syAojYX.exe
  2⤵
  PID:4676
- C:\Windows\System32\DffnVpH.exe
  C:\Windows\System32\DffnVpH.exe
  2⤵
  PID:1132
- C:\Windows\System32\yJQUSxj.exe
  C:\Windows\System32\yJQUSxj.exe
  2⤵
  PID:5136
- C:\Windows\System32\XGaTSYf.exe
  C:\Windows\System32\XGaTSYf.exe
  2⤵
  PID:5164
- C:\Windows\System32\dgHczjU.exe
  C:\Windows\System32\dgHczjU.exe
  2⤵
  PID:5192
- C:\Windows\System32\DAiXpRW.exe
  C:\Windows\System32\DAiXpRW.exe
  2⤵
  PID:5220
- C:\Windows\System32\nZWLuFH.exe
  C:\Windows\System32\nZWLuFH.exe
  2⤵
  PID:5248
- C:\Windows\System32\IrBOGNP.exe
  C:\Windows\System32\IrBOGNP.exe
  2⤵
  PID:5276
- C:\Windows\System32\oWbPmas.exe
  C:\Windows\System32\oWbPmas.exe
  2⤵
  PID:5304
- C:\Windows\System32\BrbVMID.exe
  C:\Windows\System32\BrbVMID.exe
  2⤵
  PID:5332
- C:\Windows\System32\IykqPAa.exe
  C:\Windows\System32\IykqPAa.exe
  2⤵
  PID:5360
- C:\Windows\System32\jCXbewx.exe
  C:\Windows\System32\jCXbewx.exe
  2⤵
  PID:5388
- C:\Windows\System32\AthyOih.exe
  C:\Windows\System32\AthyOih.exe
  2⤵
  PID:5416
- C:\Windows\System32\jGdWTFd.exe
  C:\Windows\System32\jGdWTFd.exe
  2⤵
  PID:5440
- C:\Windows\System32\LppZZnZ.exe
  C:\Windows\System32\LppZZnZ.exe
  2⤵
  PID:5472
- C:\Windows\System32\WmfqFqG.exe
  C:\Windows\System32\WmfqFqG.exe
  2⤵
  PID:5500
- C:\Windows\System32\QOqXHft.exe
  C:\Windows\System32\QOqXHft.exe
  2⤵
  PID:5528
- C:\Windows\System32\djvKwEv.exe
  C:\Windows\System32\djvKwEv.exe
  2⤵
  PID:5552
- C:\Windows\System32\ghXDOhX.exe
  C:\Windows\System32\ghXDOhX.exe
  2⤵
  PID:5584
- C:\Windows\System32\RuNcBQf.exe
  C:\Windows\System32\RuNcBQf.exe
  2⤵
  PID:5612
- C:\Windows\System32\fEGhegx.exe
  C:\Windows\System32\fEGhegx.exe
  2⤵
  PID:5648
- C:\Windows\System32\ZoHKKJQ.exe
  C:\Windows\System32\ZoHKKJQ.exe
  2⤵
  PID:5680
- C:\Windows\System32\ULcHIyk.exe
  C:\Windows\System32\ULcHIyk.exe
  2⤵
  PID:5696
- C:\Windows\System32\BEtJfeI.exe
  C:\Windows\System32\BEtJfeI.exe
  2⤵
  PID:5724
- C:\Windows\System32\CcVKlXK.exe
  C:\Windows\System32\CcVKlXK.exe
  2⤵
  PID:5760
- C:\Windows\System32\tgOWtwk.exe
  C:\Windows\System32\tgOWtwk.exe
  2⤵
  PID:5780
- C:\Windows\System32\azawNQb.exe
  C:\Windows\System32\azawNQb.exe
  2⤵
  PID:5808
- C:\Windows\System32\IBHNYPZ.exe
  C:\Windows\System32\IBHNYPZ.exe
  2⤵
  PID:5832
- C:\Windows\System32\lXvRfLh.exe
  C:\Windows\System32\lXvRfLh.exe
  2⤵
  PID:5864
- C:\Windows\System32\IodFviR.exe
  C:\Windows\System32\IodFviR.exe
  2⤵
  PID:5892
- C:\Windows\System32\kRLFJSf.exe
  C:\Windows\System32\kRLFJSf.exe
  2⤵
  PID:5980
- C:\Windows\System32\MNqCzTf.exe
  C:\Windows\System32\MNqCzTf.exe
  2⤵
  PID:6000
- C:\Windows\System32\jpPpOTU.exe
  C:\Windows\System32\jpPpOTU.exe
  2⤵
  PID:6020
- C:\Windows\System32\yJipptJ.exe
  C:\Windows\System32\yJipptJ.exe
  2⤵
  PID:6040
- C:\Windows\System32\RXywBGt.exe
  C:\Windows\System32\RXywBGt.exe
  2⤵
  PID:6080
- C:\Windows\System32\DKZaiMk.exe
  C:\Windows\System32\DKZaiMk.exe
  2⤵
  PID:6100
- C:\Windows\System32\RefuhAr.exe
  C:\Windows\System32\RefuhAr.exe
  2⤵
  PID:6124
- C:\Windows\System32\nBoUvGH.exe
  C:\Windows\System32\nBoUvGH.exe
  2⤵
  PID:6140
- C:\Windows\System32\qGOnGTy.exe
  C:\Windows\System32\qGOnGTy.exe
  2⤵
  PID:4308
- C:\Windows\System32\MvvlMks.exe
  C:\Windows\System32\MvvlMks.exe
  2⤵
  PID:756
- C:\Windows\System32\nTYajbX.exe
  C:\Windows\System32\nTYajbX.exe
  2⤵
  PID:5148
- C:\Windows\System32\spwukzV.exe
  C:\Windows\System32\spwukzV.exe
  2⤵
  PID:5172
- C:\Windows\System32\DALnYgJ.exe
  C:\Windows\System32\DALnYgJ.exe
  2⤵
  PID:5232
- C:\Windows\System32\WdXPZio.exe
  C:\Windows\System32\WdXPZio.exe
  2⤵
  PID:5284
- C:\Windows\System32\UFpeYfF.exe
  C:\Windows\System32\UFpeYfF.exe
  2⤵
  PID:5340
- C:\Windows\System32\RsXMoUZ.exe
  C:\Windows\System32\RsXMoUZ.exe
  2⤵
  PID:5380
- C:\Windows\System32\eOxYZfC.exe
  C:\Windows\System32\eOxYZfC.exe
  2⤵
  PID:5408
- C:\Windows\System32\qjyfiqA.exe
  C:\Windows\System32\qjyfiqA.exe
  2⤵
  PID:5436
- C:\Windows\System32\mqcKWPi.exe
  C:\Windows\System32\mqcKWPi.exe
  2⤵
  PID:5464
- C:\Windows\System32\Qgtlhgj.exe
  C:\Windows\System32\Qgtlhgj.exe
  2⤵
  PID:5480
- C:\Windows\System32\ZztrorL.exe
  C:\Windows\System32\ZztrorL.exe
  2⤵
  PID:5548
- C:\Windows\System32\haSYWNt.exe
  C:\Windows\System32\haSYWNt.exe
  2⤵
  PID:2260
- C:\Windows\System32\cIRzGbi.exe
  C:\Windows\System32\cIRzGbi.exe
  2⤵
  PID:5692
- C:\Windows\System32\haZckjL.exe
  C:\Windows\System32\haZckjL.exe
  2⤵
  PID:2012
- C:\Windows\System32\xTtCMSI.exe
  C:\Windows\System32\xTtCMSI.exe
  2⤵
  PID:1400
- C:\Windows\System32\cAWYxWX.exe
  C:\Windows\System32\cAWYxWX.exe
  2⤵
  PID:5768
- C:\Windows\System32\LkNPmrQ.exe
  C:\Windows\System32\LkNPmrQ.exe
  2⤵
  PID:5820
- C:\Windows\System32\DHlNelH.exe
  C:\Windows\System32\DHlNelH.exe
  2⤵
  PID:5900
- C:\Windows\System32\hurZNVj.exe
  C:\Windows\System32\hurZNVj.exe
  2⤵
  PID:2672
- C:\Windows\System32\SOjkfyY.exe
  C:\Windows\System32\SOjkfyY.exe
  2⤵
  PID:6028
- C:\Windows\System32\PsqHJBM.exe
  C:\Windows\System32\PsqHJBM.exe
  2⤵
  PID:1352
- C:\Windows\System32\GvAnjWZ.exe
  C:\Windows\System32\GvAnjWZ.exe
  2⤵
  PID:1880
- C:\Windows\System32\XfZnXfR.exe
  C:\Windows\System32\XfZnXfR.exe
  2⤵
  PID:1148
- C:\Windows\System32\HVQWobn.exe
  C:\Windows\System32\HVQWobn.exe
  2⤵
  PID:5492
- C:\Windows\System32\YSsQVkj.exe
  C:\Windows\System32\YSsQVkj.exe
  2⤵
  PID:3984
- C:\Windows\System32\pLicewK.exe
  C:\Windows\System32\pLicewK.exe
  2⤵
  PID:5540
- C:\Windows\System32\xzrtcdE.exe
  C:\Windows\System32\xzrtcdE.exe
  2⤵
  PID:5776
- C:\Windows\System32\gwVGGDg.exe
  C:\Windows\System32\gwVGGDg.exe
  2⤵
  PID:5792
- C:\Windows\System32\enwSOst.exe
  C:\Windows\System32\enwSOst.exe
  2⤵
  PID:5872
- C:\Windows\System32\GrZXJyU.exe
  C:\Windows\System32\GrZXJyU.exe
  2⤵
  PID:6032
- C:\Windows\System32\UNuLkLY.exe
  C:\Windows\System32\UNuLkLY.exe
  2⤵
  PID:5240
- C:\Windows\System32\vUQSSpa.exe
  C:\Windows\System32\vUQSSpa.exe
  2⤵
  PID:2744
- C:\Windows\System32\uUikzRG.exe
  C:\Windows\System32\uUikzRG.exe
  2⤵
  PID:2776
- C:\Windows\System32\hPcyRkc.exe
  C:\Windows\System32\hPcyRkc.exe
  2⤵
  PID:4760
- C:\Windows\System32\tgaZwYy.exe
  C:\Windows\System32\tgaZwYy.exe
  2⤵
  PID:5256
- C:\Windows\System32\HkUqlsA.exe
  C:\Windows\System32\HkUqlsA.exe
  2⤵
  PID:6168
- C:\Windows\System32\DCMuBKj.exe
  C:\Windows\System32\DCMuBKj.exe
  2⤵
  PID:6196
- C:\Windows\System32\XePFdcx.exe
  C:\Windows\System32\XePFdcx.exe
  2⤵
  PID:6224
- C:\Windows\System32\ReuJxGS.exe
  C:\Windows\System32\ReuJxGS.exe
  2⤵
  PID:6252
- C:\Windows\System32\NzZffeX.exe
  C:\Windows\System32\NzZffeX.exe
  2⤵
  PID:6280
- C:\Windows\System32\xaHgQEZ.exe
  C:\Windows\System32\xaHgQEZ.exe
  2⤵
  PID:6308
- C:\Windows\System32\xQhyewT.exe
  C:\Windows\System32\xQhyewT.exe
  2⤵
  PID:6336
- C:\Windows\System32\OpKimcO.exe
  C:\Windows\System32\OpKimcO.exe
  2⤵
  PID:6368
- C:\Windows\System32\ALVVJzt.exe
  C:\Windows\System32\ALVVJzt.exe
  2⤵
  PID:6424
- C:\Windows\System32\AkWYjrp.exe
  C:\Windows\System32\AkWYjrp.exe
  2⤵
  PID:6448
- C:\Windows\System32\CAQqWzJ.exe
  C:\Windows\System32\CAQqWzJ.exe
  2⤵
  PID:6468
- C:\Windows\System32\NCwwwaQ.exe
  C:\Windows\System32\NCwwwaQ.exe
  2⤵
  PID:6496
- C:\Windows\System32\jwwvhWA.exe
  C:\Windows\System32\jwwvhWA.exe
  2⤵
  PID:6536
- C:\Windows\System32\guoeUzM.exe
  C:\Windows\System32\guoeUzM.exe
  2⤵
  PID:6552
- C:\Windows\System32\nVxWyIx.exe
  C:\Windows\System32\nVxWyIx.exe
  2⤵
  PID:6580
- C:\Windows\System32\adZaMQG.exe
  C:\Windows\System32\adZaMQG.exe
  2⤵
  PID:6608
- C:\Windows\System32\rAKLEsp.exe
  C:\Windows\System32\rAKLEsp.exe
  2⤵
  PID:6636
- C:\Windows\System32\HAEwrfN.exe
  C:\Windows\System32\HAEwrfN.exe
  2⤵
  PID:6664
- C:\Windows\System32\YYrLgun.exe
  C:\Windows\System32\YYrLgun.exe
  2⤵
  PID:6688
- C:\Windows\System32\wVNgNNY.exe
  C:\Windows\System32\wVNgNNY.exe
  2⤵
  PID:6720
- C:\Windows\System32\vWTOAHC.exe
  C:\Windows\System32\vWTOAHC.exe
  2⤵
  PID:6748
- C:\Windows\System32\bADIBIG.exe
  C:\Windows\System32\bADIBIG.exe
  2⤵
  PID:6776
- C:\Windows\System32\DwZDqsg.exe
  C:\Windows\System32\DwZDqsg.exe
  2⤵
  PID:6804
- C:\Windows\System32\gRGDwrn.exe
  C:\Windows\System32\gRGDwrn.exe
  2⤵
  PID:6832
- C:\Windows\System32\WtJYUWQ.exe
  C:\Windows\System32\WtJYUWQ.exe
  2⤵
  PID:6860
- C:\Windows\System32\YeZPKPn.exe
  C:\Windows\System32\YeZPKPn.exe
  2⤵
  PID:6888
- C:\Windows\System32\XHcmEcO.exe
  C:\Windows\System32\XHcmEcO.exe
  2⤵
  PID:6916
- C:\Windows\System32\iKekkMP.exe
  C:\Windows\System32\iKekkMP.exe
  2⤵
  PID:6944
- C:\Windows\System32\bYjDpNt.exe
  C:\Windows\System32\bYjDpNt.exe
  2⤵
  PID:6984
- C:\Windows\System32\uCBDzdF.exe
  C:\Windows\System32\uCBDzdF.exe
  2⤵
  PID:7000
- C:\Windows\System32\lKXGPZk.exe
  C:\Windows\System32\lKXGPZk.exe
  2⤵
  PID:7028
- C:\Windows\System32\drVCoDY.exe
  C:\Windows\System32\drVCoDY.exe
  2⤵
  PID:7052
- C:\Windows\System32\VObPlOI.exe
  C:\Windows\System32\VObPlOI.exe
  2⤵
  PID:7080
- C:\Windows\System32\ONbKHqo.exe
  C:\Windows\System32\ONbKHqo.exe
  2⤵
  PID:7112
- C:\Windows\System32\nGQLqZw.exe
  C:\Windows\System32\nGQLqZw.exe
  2⤵
  PID:4748
- C:\Windows\System32\lNIkvQd.exe
  C:\Windows\System32\lNIkvQd.exe
  2⤵
  PID:5976
- C:\Windows\System32\TiPYXRk.exe
  C:\Windows\System32\TiPYXRk.exe
  2⤵
  PID:6136
- C:\Windows\System32\bOtxByr.exe
  C:\Windows\System32\bOtxByr.exe
  2⤵
  PID:6204
- C:\Windows\System32\HXizPQP.exe
  C:\Windows\System32\HXizPQP.exe
  2⤵
  PID:5972
- C:\Windows\System32\zMQglPo.exe
  C:\Windows\System32\zMQglPo.exe
  2⤵
  PID:6348
- C:\Windows\System32\ZMMVkSd.exe
  C:\Windows\System32\ZMMVkSd.exe
  2⤵
  PID:6376
- C:\Windows\System32\WtjAxwE.exe
  C:\Windows\System32\WtjAxwE.exe
  2⤵
  PID:6480
- C:\Windows\System32\CCKWxiC.exe
  C:\Windows\System32\CCKWxiC.exe
  2⤵
  PID:6504
- C:\Windows\System32\WQpVNyg.exe
  C:\Windows\System32\WQpVNyg.exe
  2⤵
  PID:6564
- C:\Windows\System32\uEVwcOV.exe
  C:\Windows\System32\uEVwcOV.exe
  2⤵
  PID:6620
- C:\Windows\System32\DDLMsOd.exe
  C:\Windows\System32\DDLMsOd.exe
  2⤵
  PID:6768
- C:\Windows\System32\KsaspKm.exe
  C:\Windows\System32\KsaspKm.exe
  2⤵
  PID:6852
- C:\Windows\System32\jJxzrtV.exe
  C:\Windows\System32\jJxzrtV.exe
  2⤵
  PID:6900
- C:\Windows\System32\DPmorzp.exe
  C:\Windows\System32\DPmorzp.exe
  2⤵
  PID:6956
- C:\Windows\System32\UEjLMBp.exe
  C:\Windows\System32\UEjLMBp.exe
  2⤵
  PID:7020
- C:\Windows\System32\tZZOHEr.exe
  C:\Windows\System32\tZZOHEr.exe
  2⤵
  PID:7036
- C:\Windows\System32\TgFpdvM.exe
  C:\Windows\System32\TgFpdvM.exe
  2⤵
  PID:7076
- C:\Windows\System32\wHMKnKu.exe
  C:\Windows\System32\wHMKnKu.exe
  2⤵
  PID:7152
- C:\Windows\System32\gQUyOOh.exe
  C:\Windows\System32\gQUyOOh.exe
  2⤵
  PID:5424
- C:\Windows\System32\xhMjjiJ.exe
  C:\Windows\System32\xhMjjiJ.exe
  2⤵
  PID:5288
- C:\Windows\System32\cgvXFfw.exe
  C:\Windows\System32\cgvXFfw.exe
  2⤵
  PID:6088
- C:\Windows\System32\QkWnpmz.exe
  C:\Windows\System32\QkWnpmz.exe
  2⤵
  PID:6300
- C:\Windows\System32\efzmVhU.exe
  C:\Windows\System32\efzmVhU.exe
  2⤵
  PID:6508
- C:\Windows\System32\OhRPQsE.exe
  C:\Windows\System32\OhRPQsE.exe
  2⤵
  PID:6656
- C:\Windows\System32\HDZdmgZ.exe
  C:\Windows\System32\HDZdmgZ.exe
  2⤵
  PID:6788
- C:\Windows\System32\uSpexrI.exe
  C:\Windows\System32\uSpexrI.exe
  2⤵
  PID:6928
- C:\Windows\System32\ExauOeU.exe
  C:\Windows\System32\ExauOeU.exe
  2⤵
  PID:7012
- C:\Windows\System32\oepyybJ.exe
  C:\Windows\System32\oepyybJ.exe
  2⤵
  PID:6016
- C:\Windows\System32\BGuMSaZ.exe
  C:\Windows\System32\BGuMSaZ.exe
  2⤵
  PID:6188
- C:\Windows\System32\FIMLAUk.exe
  C:\Windows\System32\FIMLAUk.exe
  2⤵
  PID:6600
- C:\Windows\System32\sUBgjpz.exe
  C:\Windows\System32\sUBgjpz.exe
  2⤵
  PID:6976
- C:\Windows\System32\saKZGYL.exe
  C:\Windows\System32\saKZGYL.exe
  2⤵
  PID:6784
- C:\Windows\System32\ZFWgdIX.exe
  C:\Windows\System32\ZFWgdIX.exe
  2⤵
  PID:6560
- C:\Windows\System32\sfAwTzf.exe
  C:\Windows\System32\sfAwTzf.exe
  2⤵
  PID:7180
- C:\Windows\System32\CCMWwoX.exe
  C:\Windows\System32\CCMWwoX.exe
  2⤵
  PID:7200
- C:\Windows\System32\fyyxcgM.exe
  C:\Windows\System32\fyyxcgM.exe
  2⤵
  PID:7236
- C:\Windows\System32\kWGdodI.exe
  C:\Windows\System32\kWGdodI.exe
  2⤵
  PID:7260
- C:\Windows\System32\hytdgGT.exe
  C:\Windows\System32\hytdgGT.exe
  2⤵
  PID:7284
- C:\Windows\System32\uKmlIed.exe
  C:\Windows\System32\uKmlIed.exe
  2⤵
  PID:7308
- C:\Windows\System32\SvpasOR.exe
  C:\Windows\System32\SvpasOR.exe
  2⤵
  PID:7332
- C:\Windows\System32\MOIchqg.exe
  C:\Windows\System32\MOIchqg.exe
  2⤵
  PID:7356
- C:\Windows\System32\xMrFifs.exe
  C:\Windows\System32\xMrFifs.exe
  2⤵
  PID:7372
- C:\Windows\System32\NYRTCko.exe
  C:\Windows\System32\NYRTCko.exe
  2⤵
  PID:7404
- C:\Windows\System32\HiDMbzm.exe
  C:\Windows\System32\HiDMbzm.exe
  2⤵
  PID:7424
- C:\Windows\System32\mjRkiKs.exe
  C:\Windows\System32\mjRkiKs.exe
  2⤵
  PID:7492
- C:\Windows\System32\jEhNEIj.exe
  C:\Windows\System32\jEhNEIj.exe
  2⤵
  PID:7516
- C:\Windows\System32\vvwtmju.exe
  C:\Windows\System32\vvwtmju.exe
  2⤵
  PID:7540
- C:\Windows\System32\oYLajmZ.exe
  C:\Windows\System32\oYLajmZ.exe
  2⤵
  PID:7560
- C:\Windows\System32\Jgflhje.exe
  C:\Windows\System32\Jgflhje.exe
  2⤵
  PID:7600
- C:\Windows\System32\uKPKipR.exe
  C:\Windows\System32\uKPKipR.exe
  2⤵
  PID:7644
- C:\Windows\System32\rabcajy.exe
  C:\Windows\System32\rabcajy.exe
  2⤵
  PID:7664
- C:\Windows\System32\OQiwnXU.exe
  C:\Windows\System32\OQiwnXU.exe
  2⤵
  PID:7680
- C:\Windows\System32\fCHzudx.exe
  C:\Windows\System32\fCHzudx.exe
  2⤵
  PID:7716
- C:\Windows\System32\itgFpSp.exe
  C:\Windows\System32\itgFpSp.exe
  2⤵
  PID:7752
- C:\Windows\System32\UrGrvVA.exe
  C:\Windows\System32\UrGrvVA.exe
  2⤵
  PID:7776
- C:\Windows\System32\vBVJUHo.exe
  C:\Windows\System32\vBVJUHo.exe
  2⤵
  PID:7800
- C:\Windows\System32\MmIDCJV.exe
  C:\Windows\System32\MmIDCJV.exe
  2⤵
  PID:7832
- C:\Windows\System32\mFkWhDo.exe
  C:\Windows\System32\mFkWhDo.exe
  2⤵
  PID:7856
- C:\Windows\System32\iZoJNJb.exe
  C:\Windows\System32\iZoJNJb.exe
  2⤵
  PID:7876
- C:\Windows\System32\RZaBGyE.exe
  C:\Windows\System32\RZaBGyE.exe
  2⤵
  PID:7920
- C:\Windows\System32\wvXhWgP.exe
  C:\Windows\System32\wvXhWgP.exe
  2⤵
  PID:7936
- C:\Windows\System32\OVTqcih.exe
  C:\Windows\System32\OVTqcih.exe
  2⤵
  PID:7968
- C:\Windows\System32\iekuRho.exe
  C:\Windows\System32\iekuRho.exe
  2⤵
  PID:7984
- C:\Windows\System32\aUizNoW.exe
  C:\Windows\System32\aUizNoW.exe
  2⤵
  PID:8028
- C:\Windows\System32\CEdWtEN.exe
  C:\Windows\System32\CEdWtEN.exe
  2⤵
  PID:8052
- C:\Windows\System32\EUwmipL.exe
  C:\Windows\System32\EUwmipL.exe
  2⤵
  PID:8076
- C:\Windows\System32\EWDheiL.exe
  C:\Windows\System32\EWDheiL.exe
  2⤵
  PID:8092
- C:\Windows\System32\hoXXNXJ.exe
  C:\Windows\System32\hoXXNXJ.exe
  2⤵
  PID:8128
- C:\Windows\System32\JkAOkIv.exe
  C:\Windows\System32\JkAOkIv.exe
  2⤵
  PID:8148
- C:\Windows\System32\bsoURfb.exe
  C:\Windows\System32\bsoURfb.exe
  2⤵
  PID:7196
- C:\Windows\System32\WTbRVBj.exe
  C:\Windows\System32\WTbRVBj.exe
  2⤵
  PID:7272
- C:\Windows\System32\HdoBEXL.exe
  C:\Windows\System32\HdoBEXL.exe
  2⤵
  PID:7292
- C:\Windows\System32\wMcaiKR.exe
  C:\Windows\System32\wMcaiKR.exe
  2⤵
  PID:7388
- C:\Windows\System32\YsixZUy.exe
  C:\Windows\System32\YsixZUy.exe
  2⤵
  PID:7472
- C:\Windows\System32\rTqVBSh.exe
  C:\Windows\System32\rTqVBSh.exe
  2⤵
  PID:7524
- C:\Windows\System32\PbaukLS.exe
  C:\Windows\System32\PbaukLS.exe
  2⤵
  PID:7636
- C:\Windows\System32\itvCQWu.exe
  C:\Windows\System32\itvCQWu.exe
  2⤵
  PID:7656
- C:\Windows\System32\COsesnz.exe
  C:\Windows\System32\COsesnz.exe
  2⤵
  PID:7696
- C:\Windows\System32\PufekxG.exe
  C:\Windows\System32\PufekxG.exe
  2⤵
  PID:7740
- C:\Windows\System32\vvTtVMY.exe
  C:\Windows\System32\vvTtVMY.exe
  2⤵
  PID:7824
- C:\Windows\System32\ezsmnvB.exe
  C:\Windows\System32\ezsmnvB.exe
  2⤵
  PID:7884
- C:\Windows\System32\VNCflCE.exe
  C:\Windows\System32\VNCflCE.exe
  2⤵
  PID:7928
- C:\Windows\System32\gDJIQOX.exe
  C:\Windows\System32\gDJIQOX.exe
  2⤵
  PID:8012
- C:\Windows\System32\vdlGwNO.exe
  C:\Windows\System32\vdlGwNO.exe
  2⤵
  PID:8036
- C:\Windows\System32\rdNlrib.exe
  C:\Windows\System32\rdNlrib.exe
  2⤵
  PID:8108
- C:\Windows\System32\JxzPBRy.exe
  C:\Windows\System32\JxzPBRy.exe
  2⤵
  PID:8160
- C:\Windows\System32\fdxVgFf.exe
  C:\Windows\System32\fdxVgFf.exe
  2⤵
  PID:7328
- C:\Windows\System32\qPfcksw.exe
  C:\Windows\System32\qPfcksw.exe
  2⤵
  PID:7432
- C:\Windows\System32\UjvaQMH.exe
  C:\Windows\System32\UjvaQMH.exe
  2⤵
  PID:7552
- C:\Windows\System32\oGSfOaZ.exe
  C:\Windows\System32\oGSfOaZ.exe
  2⤵
  PID:7652
- C:\Windows\System32\duElbMJ.exe
  C:\Windows\System32\duElbMJ.exe
  2⤵
  PID:7796
- C:\Windows\System32\QelEbqU.exe
  C:\Windows\System32\QelEbqU.exe
  2⤵
  PID:7944
- C:\Windows\System32\lTDITWH.exe
  C:\Windows\System32\lTDITWH.exe
  2⤵
  PID:8100
- C:\Windows\System32\JdHvYPq.exe
  C:\Windows\System32\JdHvYPq.exe
  2⤵
  PID:7852
- C:\Windows\System32\kEKIanY.exe
  C:\Windows\System32\kEKIanY.exe
  2⤵
  PID:7844
- C:\Windows\System32\EmvVMWJ.exe
  C:\Windows\System32\EmvVMWJ.exe
  2⤵
  PID:8156
- C:\Windows\System32\jKZRBmm.exe
  C:\Windows\System32\jKZRBmm.exe
  2⤵
  PID:7324
- C:\Windows\System32\ffLOKeh.exe
  C:\Windows\System32\ffLOKeh.exe
  2⤵
  PID:8236
- C:\Windows\System32\npHIGlB.exe
  C:\Windows\System32\npHIGlB.exe
  2⤵
  PID:8264
- C:\Windows\System32\MyOPOTa.exe
  C:\Windows\System32\MyOPOTa.exe
  2⤵
  PID:8288
- C:\Windows\System32\uWSSckV.exe
  C:\Windows\System32\uWSSckV.exe
  2⤵
  PID:8308
- C:\Windows\System32\YmHwEYH.exe
  C:\Windows\System32\YmHwEYH.exe
  2⤵
  PID:8332
- C:\Windows\System32\kVAZuwL.exe
  C:\Windows\System32\kVAZuwL.exe
  2⤵
  PID:8352
- C:\Windows\System32\fiUbMwg.exe
  C:\Windows\System32\fiUbMwg.exe
  2⤵
  PID:8380
- C:\Windows\System32\WMqjSCC.exe
  C:\Windows\System32\WMqjSCC.exe
  2⤵
  PID:8396
- C:\Windows\System32\XQMoAaz.exe
  C:\Windows\System32\XQMoAaz.exe
  2⤵
  PID:8428
- C:\Windows\System32\XAapyPU.exe
  C:\Windows\System32\XAapyPU.exe
  2⤵
  PID:8452
- C:\Windows\System32\RelNEKh.exe
  C:\Windows\System32\RelNEKh.exe
  2⤵
  PID:8476
- C:\Windows\System32\XYvvpuk.exe
  C:\Windows\System32\XYvvpuk.exe
  2⤵
  PID:8500
- C:\Windows\System32\iODctMZ.exe
  C:\Windows\System32\iODctMZ.exe
  2⤵
  PID:8540
- C:\Windows\System32\pscFyGw.exe
  C:\Windows\System32\pscFyGw.exe
  2⤵
  PID:8604
- C:\Windows\System32\pAfWIJZ.exe
  C:\Windows\System32\pAfWIJZ.exe
  2⤵
  PID:8632
- C:\Windows\System32\dkwxCxt.exe
  C:\Windows\System32\dkwxCxt.exe
  2⤵
  PID:8652
- C:\Windows\System32\hWnzjEL.exe
  C:\Windows\System32\hWnzjEL.exe
  2⤵
  PID:8680
- C:\Windows\System32\rReZSfp.exe
  C:\Windows\System32\rReZSfp.exe
  2⤵
  PID:8712
- C:\Windows\System32\HuXsQhW.exe
  C:\Windows\System32\HuXsQhW.exe
  2⤵
  PID:8744
- C:\Windows\System32\iztfxRa.exe
  C:\Windows\System32\iztfxRa.exe
  2⤵
  PID:8788
- C:\Windows\System32\ZHKALbn.exe
  C:\Windows\System32\ZHKALbn.exe
  2⤵
  PID:8812
- C:\Windows\System32\LGyFdbu.exe
  C:\Windows\System32\LGyFdbu.exe
  2⤵
  PID:8832
- C:\Windows\System32\nzDUlQZ.exe
  C:\Windows\System32\nzDUlQZ.exe
  2⤵
  PID:8852
- C:\Windows\System32\cdhxMKc.exe
  C:\Windows\System32\cdhxMKc.exe
  2⤵
  PID:8880
- C:\Windows\System32\RlCVTbv.exe
  C:\Windows\System32\RlCVTbv.exe
  2⤵
  PID:8904
- C:\Windows\System32\GMUAJST.exe
  C:\Windows\System32\GMUAJST.exe
  2⤵
  PID:8924
- C:\Windows\System32\qiTvULh.exe
  C:\Windows\System32\qiTvULh.exe
  2⤵
  PID:8944
- C:\Windows\System32\WyGBCCc.exe
  C:\Windows\System32\WyGBCCc.exe
  2⤵
  PID:8988
- C:\Windows\System32\JFtPjFj.exe
  C:\Windows\System32\JFtPjFj.exe
  2⤵
  PID:9016
- C:\Windows\System32\ddUrYXe.exe
  C:\Windows\System32\ddUrYXe.exe
  2⤵
  PID:9036
- C:\Windows\System32\YJRErVg.exe
  C:\Windows\System32\YJRErVg.exe
  2⤵
  PID:9084
- C:\Windows\System32\pmmroXn.exe
  C:\Windows\System32\pmmroXn.exe
  2⤵
  PID:9124
- C:\Windows\System32\lJSszeG.exe
  C:\Windows\System32\lJSszeG.exe
  2⤵
  PID:9140
- C:\Windows\System32\pBzOFUy.exe
  C:\Windows\System32\pBzOFUy.exe
  2⤵
  PID:9168
- C:\Windows\System32\pDWWbSn.exe
  C:\Windows\System32\pDWWbSn.exe
  2⤵
  PID:9184
- C:\Windows\System32\TnNgxYe.exe
  C:\Windows\System32\TnNgxYe.exe
  2⤵
  PID:7812
- C:\Windows\System32\XZMyPDR.exe
  C:\Windows\System32\XZMyPDR.exe
  2⤵
  PID:8252
- C:\Windows\System32\EMnUEBs.exe
  C:\Windows\System32\EMnUEBs.exe
  2⤵
  PID:8324
- C:\Windows\System32\UQAdxBs.exe
  C:\Windows\System32\UQAdxBs.exe
  2⤵
  PID:8328
- C:\Windows\System32\tcWmXNf.exe
  C:\Windows\System32\tcWmXNf.exe
  2⤵
  PID:8468
- C:\Windows\System32\afvLBwT.exe
  C:\Windows\System32\afvLBwT.exe
  2⤵
  PID:8444
- C:\Windows\System32\jxWrsgo.exe
  C:\Windows\System32\jxWrsgo.exe
  2⤵
  PID:8528
- C:\Windows\System32\WDNSHkM.exe
  C:\Windows\System32\WDNSHkM.exe
  2⤵
  PID:8612
- C:\Windows\System32\QYbNeMG.exe
  C:\Windows\System32\QYbNeMG.exe
  2⤵
  PID:8704
- C:\Windows\System32\YbWjQPi.exe
  C:\Windows\System32\YbWjQPi.exe
  2⤵
  PID:8820
- C:\Windows\System32\QNyQoAJ.exe
  C:\Windows\System32\QNyQoAJ.exe
  2⤵
  PID:8848
- C:\Windows\System32\qMKFlxs.exe
  C:\Windows\System32\qMKFlxs.exe
  2⤵
  PID:8916
- C:\Windows\System32\KMeNBvG.exe
  C:\Windows\System32\KMeNBvG.exe
  2⤵
  PID:9024
- C:\Windows\System32\uLBMxQd.exe
  C:\Windows\System32\uLBMxQd.exe
  2⤵
  PID:9076
- C:\Windows\System32\gtYrkfI.exe
  C:\Windows\System32\gtYrkfI.exe
  2⤵
  PID:9156
- C:\Windows\System32\LitOxDk.exe
  C:\Windows\System32\LitOxDk.exe
  2⤵
  PID:9196
- C:\Windows\System32\HGUvcmm.exe
  C:\Windows\System32\HGUvcmm.exe
  2⤵
  PID:8280
- C:\Windows\System32\FzqGkfH.exe
  C:\Windows\System32\FzqGkfH.exe
  2⤵
  PID:8412
- C:\Windows\System32\XdXfMdo.exe
  C:\Windows\System32\XdXfMdo.exe
  2⤵
  PID:8404
- C:\Windows\System32\qdaCjmj.exe
  C:\Windows\System32\qdaCjmj.exe
  2⤵
  PID:8648
- C:\Windows\System32\HQQZehX.exe
  C:\Windows\System32\HQQZehX.exe
  2⤵
  PID:8756
- C:\Windows\System32\cydVozi.exe
  C:\Windows\System32\cydVozi.exe
  2⤵
  PID:8868
- C:\Windows\System32\jbqYjhR.exe
  C:\Windows\System32\jbqYjhR.exe
  2⤵
  PID:9004
- C:\Windows\System32\TLUVDtf.exe
  C:\Windows\System32\TLUVDtf.exe
  2⤵
  PID:3816
- C:\Windows\System32\GUBxTvU.exe
  C:\Windows\System32\GUBxTvU.exe
  2⤵
  PID:8760
- C:\Windows\System32\flJmnuQ.exe
  C:\Windows\System32\flJmnuQ.exe
  2⤵
  PID:8828
- C:\Windows\System32\xuGnBZW.exe
  C:\Windows\System32\xuGnBZW.exe
  2⤵
  PID:8696
- C:\Windows\System32\ZZkiNhm.exe
  C:\Windows\System32\ZZkiNhm.exe
  2⤵
  PID:9228
- C:\Windows\System32\vsXVVcC.exe
  C:\Windows\System32\vsXVVcC.exe
  2⤵
  PID:9272
- C:\Windows\System32\PDtsSuX.exe
  C:\Windows\System32\PDtsSuX.exe
  2⤵
  PID:9292
- C:\Windows\System32\EMrbmrN.exe
  C:\Windows\System32\EMrbmrN.exe
  2⤵
  PID:9308
- C:\Windows\System32\zPhAAKF.exe
  C:\Windows\System32\zPhAAKF.exe
  2⤵
  PID:9344
- C:\Windows\System32\gRUaGAK.exe
  C:\Windows\System32\gRUaGAK.exe
  2⤵
  PID:9368
- C:\Windows\System32\dUYxcPs.exe
  C:\Windows\System32\dUYxcPs.exe
  2⤵
  PID:9392
- C:\Windows\System32\DGpXjCW.exe
  C:\Windows\System32\DGpXjCW.exe
  2⤵
  PID:9436
- C:\Windows\System32\UFIVGPv.exe
  C:\Windows\System32\UFIVGPv.exe
  2⤵
  PID:9460
- C:\Windows\System32\BcoMXhZ.exe
  C:\Windows\System32\BcoMXhZ.exe
  2⤵
  PID:9480
- C:\Windows\System32\BXKsECZ.exe
  C:\Windows\System32\BXKsECZ.exe
  2⤵
  PID:9500
- C:\Windows\System32\BBpzcQP.exe
  C:\Windows\System32\BBpzcQP.exe
  2⤵
  PID:9532
- C:\Windows\System32\RGVMRtd.exe
  C:\Windows\System32\RGVMRtd.exe
  2⤵
  PID:9552
- C:\Windows\System32\nYdrfII.exe
  C:\Windows\System32\nYdrfII.exe
  2⤵
  PID:9572
- C:\Windows\System32\iBorpgV.exe
  C:\Windows\System32\iBorpgV.exe
  2⤵
  PID:9600
- C:\Windows\System32\BWukmFj.exe
  C:\Windows\System32\BWukmFj.exe
  2⤵
  PID:9684
- C:\Windows\System32\yTRmvsN.exe
  C:\Windows\System32\yTRmvsN.exe
  2⤵
  PID:9700
- C:\Windows\System32\GlkEOiR.exe
  C:\Windows\System32\GlkEOiR.exe
  2⤵
  PID:9716
- C:\Windows\System32\hZgdGNv.exe
  C:\Windows\System32\hZgdGNv.exe
  2⤵
  PID:9736
- C:\Windows\System32\XmVubFE.exe
  C:\Windows\System32\XmVubFE.exe
  2⤵
  PID:9840
- C:\Windows\System32\uijyJSE.exe
  C:\Windows\System32\uijyJSE.exe
  2⤵
  PID:9860
- C:\Windows\System32\VLkYXyi.exe
  C:\Windows\System32\VLkYXyi.exe
  2⤵
  PID:9880
- C:\Windows\System32\laLyhzG.exe
  C:\Windows\System32\laLyhzG.exe
  2⤵
  PID:9896
- C:\Windows\System32\PmBWKFV.exe
  C:\Windows\System32\PmBWKFV.exe
  2⤵
  PID:9924
- C:\Windows\System32\LNWcpqF.exe
  C:\Windows\System32\LNWcpqF.exe
  2⤵
  PID:9944
- C:\Windows\System32\qBKSSus.exe
  C:\Windows\System32\qBKSSus.exe
  2⤵
  PID:9964
- C:\Windows\System32\sNWxfVh.exe
  C:\Windows\System32\sNWxfVh.exe
  2⤵
  PID:9996
- C:\Windows\System32\OjVPQFr.exe
  C:\Windows\System32\OjVPQFr.exe
  2⤵
  PID:10120
- C:\Windows\System32\CknPMjv.exe
  C:\Windows\System32\CknPMjv.exe
  2⤵
  PID:10148
- C:\Windows\System32\ZsfqgGt.exe
  C:\Windows\System32\ZsfqgGt.exe
  2⤵
  PID:10168
- C:\Windows\System32\GvfPXIq.exe
  C:\Windows\System32\GvfPXIq.exe
  2⤵
  PID:10196
- C:\Windows\System32\OVngLRQ.exe
  C:\Windows\System32\OVngLRQ.exe
  2⤵
  PID:10220
- C:\Windows\System32\TWdBXbE.exe
  C:\Windows\System32\TWdBXbE.exe
  2⤵
  PID:5116
- C:\Windows\System32\mUaWyDN.exe
  C:\Windows\System32\mUaWyDN.exe
  2⤵
  PID:9280
- C:\Windows\System32\LbSrCWD.exe
  C:\Windows\System32\LbSrCWD.exe
  2⤵
  PID:9320
- C:\Windows\System32\rjnfGzc.exe
  C:\Windows\System32\rjnfGzc.exe
  2⤵
  PID:9376
- C:\Windows\System32\GfpQZpf.exe
  C:\Windows\System32\GfpQZpf.exe
  2⤵
  PID:9424
- C:\Windows\System32\ivEUpoA.exe
  C:\Windows\System32\ivEUpoA.exe
  2⤵
  PID:9476
- C:\Windows\System32\iUjrxfZ.exe
  C:\Windows\System32\iUjrxfZ.exe
  2⤵
  PID:9568
- C:\Windows\System32\MlmRUcZ.exe
  C:\Windows\System32\MlmRUcZ.exe
  2⤵
  PID:9584
- C:\Windows\System32\tegthRc.exe
  C:\Windows\System32\tegthRc.exe
  2⤵
  PID:9768
- C:\Windows\System32\HTUcosL.exe
  C:\Windows\System32\HTUcosL.exe
  2⤵
  PID:9608
- C:\Windows\System32\giNtmBv.exe
  C:\Windows\System32\giNtmBv.exe
  2⤵
  PID:9656
- C:\Windows\System32\HUoxhfj.exe
  C:\Windows\System32\HUoxhfj.exe
  2⤵
  PID:9792
- C:\Windows\System32\UVvpSkS.exe
  C:\Windows\System32\UVvpSkS.exe
  2⤵
  PID:9824
- C:\Windows\System32\LaMFvNe.exe
  C:\Windows\System32\LaMFvNe.exe
  2⤵
  PID:9804
- C:\Windows\System32\QxSPxDH.exe
  C:\Windows\System32\QxSPxDH.exe
  2⤵
  PID:9836
- C:\Windows\System32\XWAQUDN.exe
  C:\Windows\System32\XWAQUDN.exe
  2⤵
  PID:10096
- C:\Windows\System32\FZLpzAr.exe
  C:\Windows\System32\FZLpzAr.exe
  2⤵
  PID:10140
- C:\Windows\System32\xGUDEyx.exe
  C:\Windows\System32\xGUDEyx.exe
  2⤵
  PID:10176
- C:\Windows\System32\MQFSzot.exe
  C:\Windows\System32\MQFSzot.exe
  2⤵
  PID:10232
- C:\Windows\System32\AWUOXug.exe
  C:\Windows\System32\AWUOXug.exe
  2⤵
  PID:9304
- C:\Windows\System32\FwMCbUf.exe
  C:\Windows\System32\FwMCbUf.exe
  2⤵
  PID:9384
- C:\Windows\System32\uazXfNk.exe
  C:\Windows\System32\uazXfNk.exe
  2⤵
  PID:9448
- C:\Windows\System32\CDNnkFl.exe
  C:\Windows\System32\CDNnkFl.exe
  2⤵
  PID:9728
- C:\Windows\System32\gikbDVh.exe
  C:\Windows\System32\gikbDVh.exe
  2⤵
  PID:9820
- C:\Windows\System32\OeVEYxw.exe
  C:\Windows\System32\OeVEYxw.exe
  2⤵
  PID:9976
- C:\Windows\System32\gTUjkRr.exe
  C:\Windows\System32\gTUjkRr.exe
  2⤵
  PID:9936
- C:\Windows\System32\niNfpOR.exe
  C:\Windows\System32\niNfpOR.exe
  2⤵
  PID:10228
- C:\Windows\System32\eXqblWQ.exe
  C:\Windows\System32\eXqblWQ.exe
  2⤵
  PID:9404
- C:\Windows\System32\smSFlfU.exe
  C:\Windows\System32\smSFlfU.exe
  2⤵
  PID:9620
- C:\Windows\System32\rAkOgRA.exe
  C:\Windows\System32\rAkOgRA.exe
  2⤵
  PID:9492
- C:\Windows\System32\fVXjLpg.exe
  C:\Windows\System32\fVXjLpg.exe
  2⤵
  PID:9888
- C:\Windows\System32\tZspLzd.exe
  C:\Windows\System32\tZspLzd.exe
  2⤵
  PID:10256
- C:\Windows\System32\OUvIUXa.exe
  C:\Windows\System32\OUvIUXa.exe
  2⤵
  PID:10276
- C:\Windows\System32\CkFAGRz.exe
  C:\Windows\System32\CkFAGRz.exe
  2⤵
  PID:10300
- C:\Windows\System32\KinzMAs.exe
  C:\Windows\System32\KinzMAs.exe
  2⤵
  PID:10320
- C:\Windows\System32\FqwqkwB.exe
  C:\Windows\System32\FqwqkwB.exe
  2⤵
  PID:10344
- C:\Windows\System32\LCfHKwl.exe
  C:\Windows\System32\LCfHKwl.exe
  2⤵
  PID:10380
- C:\Windows\System32\HsnECVR.exe
  C:\Windows\System32\HsnECVR.exe
  2⤵
  PID:10400
- C:\Windows\System32\EMRNnIW.exe
  C:\Windows\System32\EMRNnIW.exe
  2⤵
  PID:10420
- C:\Windows\System32\sRKkBjC.exe
  C:\Windows\System32\sRKkBjC.exe
  2⤵
  PID:10464
- C:\Windows\System32\VPlsqPB.exe
  C:\Windows\System32\VPlsqPB.exe
  2⤵
  PID:10508
- C:\Windows\System32\zVZcscJ.exe
  C:\Windows\System32\zVZcscJ.exe
  2⤵
  PID:10528
- C:\Windows\System32\nGFQvIX.exe
  C:\Windows\System32\nGFQvIX.exe
  2⤵
  PID:10564
- C:\Windows\System32\LZFKkGR.exe
  C:\Windows\System32\LZFKkGR.exe
  2⤵
  PID:10580
- C:\Windows\System32\rhpaqTu.exe
  C:\Windows\System32\rhpaqTu.exe
  2⤵
  PID:10600
- C:\Windows\System32\ohcPTzL.exe
  C:\Windows\System32\ohcPTzL.exe
  2⤵
  PID:10616
- C:\Windows\System32\NuIXuAO.exe
  C:\Windows\System32\NuIXuAO.exe
  2⤵
  PID:10652
- C:\Windows\System32\HtAeeIf.exe
  C:\Windows\System32\HtAeeIf.exe
  2⤵
  PID:10672
- C:\Windows\System32\rekLACw.exe
  C:\Windows\System32\rekLACw.exe
  2⤵
  PID:10700
- C:\Windows\System32\aMzGCDu.exe
  C:\Windows\System32\aMzGCDu.exe
  2⤵
  PID:10752
- C:\Windows\System32\EgvfXwP.exe
  C:\Windows\System32\EgvfXwP.exe
  2⤵
  PID:10788
- C:\Windows\System32\UYhznll.exe
  C:\Windows\System32\UYhznll.exe
  2⤵
  PID:10828
- C:\Windows\System32\nEOqKAH.exe
  C:\Windows\System32\nEOqKAH.exe
  2⤵
  PID:10856
- C:\Windows\System32\xfJqHNK.exe
  C:\Windows\System32\xfJqHNK.exe
  2⤵
  PID:10880
- C:\Windows\System32\snbGrvW.exe
  C:\Windows\System32\snbGrvW.exe
  2⤵
  PID:10900
- C:\Windows\System32\KQTiUrp.exe
  C:\Windows\System32\KQTiUrp.exe
  2⤵
  PID:10916
- C:\Windows\System32\nKvxbiZ.exe
  C:\Windows\System32\nKvxbiZ.exe
  2⤵
  PID:10956
- C:\Windows\System32\eyeFgaV.exe
  C:\Windows\System32\eyeFgaV.exe
  2⤵
  PID:10976
- C:\Windows\System32\bRaSthm.exe
  C:\Windows\System32\bRaSthm.exe
  2⤵
  PID:11000
- C:\Windows\System32\qRrnNFS.exe
  C:\Windows\System32\qRrnNFS.exe
  2⤵
  PID:11016
- C:\Windows\System32\sUzWrYq.exe
  C:\Windows\System32\sUzWrYq.exe
  2⤵
  PID:11036
- C:\Windows\System32\bjZDxcd.exe
  C:\Windows\System32\bjZDxcd.exe
  2⤵
  PID:11064
- C:\Windows\System32\uzUqPGG.exe
  C:\Windows\System32\uzUqPGG.exe
  2⤵
  PID:11104
- C:\Windows\System32\EHKfmbM.exe
  C:\Windows\System32\EHKfmbM.exe
  2⤵
  PID:11132
- C:\Windows\System32\qPmzQvY.exe
  C:\Windows\System32\qPmzQvY.exe
  2⤵
  PID:11168
- C:\Windows\System32\ppEIMap.exe
  C:\Windows\System32\ppEIMap.exe
  2⤵
  PID:11184
- C:\Windows\System32\MkzGQLU.exe
  C:\Windows\System32\MkzGQLU.exe
  2⤵
  PID:11212
- C:\Windows\System32\ImZhVAt.exe
  C:\Windows\System32\ImZhVAt.exe
  2⤵
  PID:11236
- C:\Windows\System32\ihmsIHb.exe
  C:\Windows\System32\ihmsIHb.exe
  2⤵
  PID:10272
- C:\Windows\System32\sGPrevF.exe
  C:\Windows\System32\sGPrevF.exe
  2⤵
  PID:10340
- C:\Windows\System32\OUNSrPZ.exe
  C:\Windows\System32\OUNSrPZ.exe
  2⤵
  PID:10388
- C:\Windows\System32\SpwSjsY.exe
  C:\Windows\System32\SpwSjsY.exe
  2⤵
  PID:10428
- C:\Windows\System32\mEWxyqM.exe
  C:\Windows\System32\mEWxyqM.exe
  2⤵
  PID:10472
- C:\Windows\System32\cDcxpzH.exe
  C:\Windows\System32\cDcxpzH.exe
  2⤵
  PID:10540
- C:\Windows\System32\iBNXqUt.exe
  C:\Windows\System32\iBNXqUt.exe
  2⤵
  PID:10592
- C:\Windows\System32\zCOQwUQ.exe
  C:\Windows\System32\zCOQwUQ.exe
  2⤵
  PID:10684
- C:\Windows\System32\DcUyJEi.exe
  C:\Windows\System32\DcUyJEi.exe
  2⤵
  PID:10780
- C:\Windows\System32\yICxCTx.exe
  C:\Windows\System32\yICxCTx.exe
  2⤵
  PID:10812
- C:\Windows\System32\SdqxBmY.exe
  C:\Windows\System32\SdqxBmY.exe
  2⤵
  PID:10888
- C:\Windows\System32\hEJLkBu.exe
  C:\Windows\System32\hEJLkBu.exe
  2⤵
  PID:10944
- C:\Windows\System32\kSgGHUm.exe
  C:\Windows\System32\kSgGHUm.exe
  2⤵
  PID:10992
- C:\Windows\System32\qGgwOJF.exe
  C:\Windows\System32\qGgwOJF.exe
  2⤵
  PID:11028
- C:\Windows\System32\xBaUDBd.exe
  C:\Windows\System32\xBaUDBd.exe
  2⤵
  PID:11140
- C:\Windows\System32\NDNeYub.exe
  C:\Windows\System32\NDNeYub.exe
  2⤵
  PID:11176
- C:\Windows\System32\ZRrQENu.exe
  C:\Windows\System32\ZRrQENu.exe
  2⤵
  PID:11224
- C:\Windows\System32\yyYGgxM.exe
  C:\Windows\System32\yyYGgxM.exe
  2⤵
  PID:10284
- C:\Windows\System32\yZjncXQ.exe
  C:\Windows\System32\yZjncXQ.exe
  2⤵
  PID:10544
- C:\Windows\System32\QhoWLQM.exe
  C:\Windows\System32\QhoWLQM.exe
  2⤵
  PID:10840
- C:\Windows\System32\iLWXDah.exe
  C:\Windows\System32\iLWXDah.exe
  2⤵
  PID:10984
- C:\Windows\System32\MzHIagB.exe
  C:\Windows\System32\MzHIagB.exe
  2⤵
  PID:11180
- C:\Windows\System32\OaNeUCI.exe
  C:\Windows\System32\OaNeUCI.exe
  2⤵
  PID:10364
- C:\Windows\System32\QrGEsan.exe
  C:\Windows\System32\QrGEsan.exe
  2⤵
  PID:10708
- C:\Windows\System32\azjradm.exe
  C:\Windows\System32\azjradm.exe
  2⤵
  PID:11008
- C:\Windows\System32\bAYXLuP.exe
  C:\Windows\System32\bAYXLuP.exe
  2⤵
  PID:10524
- C:\Windows\System32\CQnPvrZ.exe
  C:\Windows\System32\CQnPvrZ.exe
  2⤵
  PID:10968
- C:\Windows\System32\PSeaWJp.exe
  C:\Windows\System32\PSeaWJp.exe
  2⤵
  PID:11268
- C:\Windows\System32\PPzGhhx.exe
  C:\Windows\System32\PPzGhhx.exe
  2⤵
  PID:11296
- C:\Windows\System32\mRphKmx.exe
  C:\Windows\System32\mRphKmx.exe
  2⤵
  PID:11312
- C:\Windows\System32\uRKfxYh.exe
  C:\Windows\System32\uRKfxYh.exe
  2⤵
  PID:11368
- C:\Windows\System32\XBKyglY.exe
  C:\Windows\System32\XBKyglY.exe
  2⤵
  PID:11396
- C:\Windows\System32\yPgARCG.exe
  C:\Windows\System32\yPgARCG.exe
  2⤵
  PID:11412
- C:\Windows\System32\BfYqwpk.exe
  C:\Windows\System32\BfYqwpk.exe
  2⤵
  PID:11440
- C:\Windows\System32\ChlzjKS.exe
  C:\Windows\System32\ChlzjKS.exe
  2⤵
  PID:11464
- C:\Windows\System32\zJZHjVr.exe
  C:\Windows\System32\zJZHjVr.exe
  2⤵
  PID:11480
- C:\Windows\System32\zlbXkyZ.exe
  C:\Windows\System32\zlbXkyZ.exe
  2⤵
  PID:11524
- C:\Windows\System32\vcZOaqO.exe
  C:\Windows\System32\vcZOaqO.exe
  2⤵
  PID:11544
- C:\Windows\System32\dIhpPwT.exe
  C:\Windows\System32\dIhpPwT.exe
  2⤵
  PID:11576
- C:\Windows\System32\iBGFmGy.exe
  C:\Windows\System32\iBGFmGy.exe
  2⤵
  PID:11596
- C:\Windows\System32\cBUXvlE.exe
  C:\Windows\System32\cBUXvlE.exe
  2⤵
  PID:11632
- C:\Windows\System32\RNFotgm.exe
  C:\Windows\System32\RNFotgm.exe
  2⤵
  PID:11656
- C:\Windows\System32\WRQbffQ.exe
  C:\Windows\System32\WRQbffQ.exe
  2⤵
  PID:11684
- C:\Windows\System32\sipKaWp.exe
  C:\Windows\System32\sipKaWp.exe
  2⤵
  PID:11708
- C:\Windows\System32\cAAUIZK.exe
  C:\Windows\System32\cAAUIZK.exe
  2⤵
  PID:11728
- C:\Windows\System32\YVNVvUV.exe
  C:\Windows\System32\YVNVvUV.exe
  2⤵
  PID:11744
- C:\Windows\System32\MDCCKkK.exe
  C:\Windows\System32\MDCCKkK.exe
  2⤵
  PID:11784
- C:\Windows\System32\QZeVZGq.exe
  C:\Windows\System32\QZeVZGq.exe
  2⤵
  PID:11800
- C:\Windows\System32\rnwKops.exe
  C:\Windows\System32\rnwKops.exe
  2⤵
  PID:11844
- C:\Windows\System32\UraEBys.exe
  C:\Windows\System32\UraEBys.exe
  2⤵
  PID:11868
- C:\Windows\System32\pWbxlKw.exe
  C:\Windows\System32\pWbxlKw.exe
  2⤵
  PID:11892
- C:\Windows\System32\vAxEqAz.exe
  C:\Windows\System32\vAxEqAz.exe
  2⤵
  PID:11912
- C:\Windows\System32\nqcazUP.exe
  C:\Windows\System32\nqcazUP.exe
  2⤵
  PID:11936
- C:\Windows\System32\FVQQqxb.exe
  C:\Windows\System32\FVQQqxb.exe
  2⤵
  PID:11956
- C:\Windows\System32\jVDTNGS.exe
  C:\Windows\System32\jVDTNGS.exe
  2⤵
  PID:11980
- C:\Windows\System32\iPPQHUj.exe
  C:\Windows\System32\iPPQHUj.exe
  2⤵
  PID:12008
- C:\Windows\System32\oaGPiDv.exe
  C:\Windows\System32\oaGPiDv.exe
  2⤵
  PID:12040
- C:\Windows\System32\aJnRbbU.exe
  C:\Windows\System32\aJnRbbU.exe
  2⤵
  PID:12112
- C:\Windows\System32\TMsTPEU.exe
  C:\Windows\System32\TMsTPEU.exe
  2⤵
  PID:12156
- C:\Windows\System32\VrnlhYE.exe
  C:\Windows\System32\VrnlhYE.exe
  2⤵
  PID:12200
- C:\Windows\System32\BQEdUJK.exe
  C:\Windows\System32\BQEdUJK.exe
  2⤵
  PID:12224
- C:\Windows\System32\PnSQrcN.exe
  C:\Windows\System32\PnSQrcN.exe
  2⤵
  PID:12244
- C:\Windows\System32\CAhOYJr.exe
  C:\Windows\System32\CAhOYJr.exe
  2⤵
  PID:12264
- C:\Windows\System32\CQLrGPK.exe
  C:\Windows\System32\CQLrGPK.exe
  2⤵
  PID:11280
- C:\Windows\System32\gMzTexx.exe
  C:\Windows\System32\gMzTexx.exe
  2⤵
  PID:11356
- C:\Windows\System32\DEogRLR.exe
  C:\Windows\System32\DEogRLR.exe
  2⤵
  PID:11392
- C:\Windows\System32\gGboNSX.exe
  C:\Windows\System32\gGboNSX.exe
  2⤵
  PID:11424
- C:\Windows\System32\vmRVHDf.exe
  C:\Windows\System32\vmRVHDf.exe
  2⤵
  PID:11488
- C:\Windows\System32\vBlPlJK.exe
  C:\Windows\System32\vBlPlJK.exe
  2⤵
  PID:11472
- C:\Windows\System32\zQkZLNJ.exe
  C:\Windows\System32\zQkZLNJ.exe
  2⤵
  PID:11560
- C:\Windows\System32\tzCHfkD.exe
  C:\Windows\System32\tzCHfkD.exe
  2⤵
  PID:11620
- C:\Windows\System32\jjOMiTR.exe
  C:\Windows\System32\jjOMiTR.exe
  2⤵
  PID:11700
- C:\Windows\System32\xRdKkkG.exe
  C:\Windows\System32\xRdKkkG.exe
  2⤵
  PID:11752
- C:\Windows\System32\pmVbvWK.exe
  C:\Windows\System32\pmVbvWK.exe
  2⤵
  PID:11776
- C:\Windows\System32\qPZeuZv.exe
  C:\Windows\System32\qPZeuZv.exe
  2⤵
  PID:11876
- C:\Windows\System32\oACwcIY.exe
  C:\Windows\System32\oACwcIY.exe
  2⤵
  PID:11964
- C:\Windows\System32\PmrsiST.exe
  C:\Windows\System32\PmrsiST.exe
  2⤵
  PID:12048
- C:\Windows\System32\RgMzRMa.exe
  C:\Windows\System32\RgMzRMa.exe
  2⤵
  PID:4496
- C:\Windows\System32\TJgXpsv.exe
  C:\Windows\System32\TJgXpsv.exe
  2⤵
  PID:4464
- C:\Windows\System32\hIjOKUZ.exe
  C:\Windows\System32\hIjOKUZ.exe
  2⤵
  PID:12216
- C:\Windows\System32\gXsAGmQ.exe
  C:\Windows\System32\gXsAGmQ.exe
  2⤵
  PID:12260
- C:\Windows\System32\xiuHrqw.exe
  C:\Windows\System32\xiuHrqw.exe
  2⤵
  PID:11308
- C:\Windows\System32\gJARcsg.exe
  C:\Windows\System32\gJARcsg.exe
  2⤵
  PID:11552
- C:\Windows\System32\iVzLXTo.exe
  C:\Windows\System32\iVzLXTo.exe
  2⤵
  PID:11588
- C:\Windows\System32\yEguUQG.exe
  C:\Windows\System32\yEguUQG.exe
  2⤵
  PID:11676
- C:\Windows\System32\RRpsBIQ.exe
  C:\Windows\System32\RRpsBIQ.exe
  2⤵
  PID:11988
- C:\Windows\System32\CNbxiIJ.exe
  C:\Windows\System32\CNbxiIJ.exe
  2⤵
  PID:12164
- C:\Windows\System32\argAKTk.exe
  C:\Windows\System32\argAKTk.exe
  2⤵
  PID:12276
- C:\Windows\System32\zxvjDOd.exe
  C:\Windows\System32\zxvjDOd.exe
  2⤵
  PID:11388
- C:\Windows\System32\AkWWJkm.exe
  C:\Windows\System32\AkWWJkm.exe
  2⤵
  PID:11508
- C:\Windows\System32\CwbemhL.exe
  C:\Windows\System32\CwbemhL.exe
  2⤵
  PID:11716
- C:\Windows\System32\bJAFWKe.exe
  C:\Windows\System32\bJAFWKe.exe
  2⤵
  PID:948
- C:\Windows\System32\gVvNwib.exe
  C:\Windows\System32\gVvNwib.exe
  2⤵
  PID:11456
- C:\Windows\System32\cIBlXyl.exe
  C:\Windows\System32\cIBlXyl.exe
  2⤵
  PID:4488
- C:\Windows\System32\NXqjoCM.exe
  C:\Windows\System32\NXqjoCM.exe
  2⤵
  PID:12292
- C:\Windows\System32\wyRPLdC.exe
  C:\Windows\System32\wyRPLdC.exe
  2⤵
  PID:12324
- C:\Windows\System32\XlMhkYt.exe
  C:\Windows\System32\XlMhkYt.exe
  2⤵
  PID:12348
- C:\Windows\System32\kmRIZip.exe
  C:\Windows\System32\kmRIZip.exe
  2⤵
  PID:12368
- C:\Windows\System32\JEjgcTO.exe
  C:\Windows\System32\JEjgcTO.exe
  2⤵
  PID:12388
- C:\Windows\System32\FbMClxp.exe
  C:\Windows\System32\FbMClxp.exe
  2⤵
  PID:12412
- C:\Windows\System32\oKKSFpt.exe
  C:\Windows\System32\oKKSFpt.exe
  2⤵
  PID:12440
- C:\Windows\System32\lgEbXQI.exe
  C:\Windows\System32\lgEbXQI.exe
  2⤵
  PID:12480
- C:\Windows\System32\YerHShX.exe
  C:\Windows\System32\YerHShX.exe
  2⤵
  PID:12500
- C:\Windows\System32\QhMZCDq.exe
  C:\Windows\System32\QhMZCDq.exe
  2⤵
  PID:12536
- C:\Windows\System32\GbiHsKM.exe
  C:\Windows\System32\GbiHsKM.exe
  2⤵
  PID:12556
- C:\Windows\System32\KkOBhqb.exe
  C:\Windows\System32\KkOBhqb.exe
  2⤵
  PID:12576
- C:\Windows\System32\RVaFkGs.exe
  C:\Windows\System32\RVaFkGs.exe
  2⤵
  PID:12612
- C:\Windows\System32\mtsJqAz.exe
  C:\Windows\System32\mtsJqAz.exe
  2⤵
  PID:12648
- C:\Windows\System32\BGFGxST.exe
  C:\Windows\System32\BGFGxST.exe
  2⤵
  PID:12684
- C:\Windows\System32\YLOMMQY.exe
  C:\Windows\System32\YLOMMQY.exe
  2⤵
  PID:12720
- C:\Windows\System32\LtjdnSw.exe
  C:\Windows\System32\LtjdnSw.exe
  2⤵
  PID:12744
- C:\Windows\System32\tRJUBtC.exe
  C:\Windows\System32\tRJUBtC.exe
  2⤵
  PID:12764
- C:\Windows\System32\IwFMFla.exe
  C:\Windows\System32\IwFMFla.exe
  2⤵
  PID:12784
- C:\Windows\System32\AqFXlgV.exe
  C:\Windows\System32\AqFXlgV.exe
  2⤵
  PID:12808
- C:\Windows\System32\oyhnjdL.exe
  C:\Windows\System32\oyhnjdL.exe
  2⤵
  PID:12828
- C:\Windows\System32\CNldwAx.exe
  C:\Windows\System32\CNldwAx.exe
  2⤵
  PID:12856
- C:\Windows\System32\MzHYxnp.exe
  C:\Windows\System32\MzHYxnp.exe
  2⤵
  PID:12884
- C:\Windows\System32\lyCMlMj.exe
  C:\Windows\System32\lyCMlMj.exe
  2⤵
  PID:12908
- C:\Windows\System32\OvWJTRJ.exe
  C:\Windows\System32\OvWJTRJ.exe
  2⤵
  PID:12952
- C:\Windows\System32\zYbJcHM.exe
  C:\Windows\System32\zYbJcHM.exe
  2⤵
  PID:13000
- C:\Windows\System32\iNPDhbo.exe
  C:\Windows\System32\iNPDhbo.exe
  2⤵
  PID:13016
- C:\Windows\System32\dKfQAkS.exe
  C:\Windows\System32\dKfQAkS.exe
  2⤵
  PID:13044
- C:\Windows\System32\rzHraKG.exe
  C:\Windows\System32\rzHraKG.exe
  2⤵
  PID:13068
- C:\Windows\System32\QYwBklC.exe
  C:\Windows\System32\QYwBklC.exe
  2⤵
  PID:13096
- C:\Windows\System32\ocUcuIo.exe
  C:\Windows\System32\ocUcuIo.exe
  2⤵
  PID:13124
- C:\Windows\System32\GDvoinj.exe
  C:\Windows\System32\GDvoinj.exe
  2⤵
  PID:13156
- C:\Windows\System32\UQYWFNK.exe
  C:\Windows\System32\UQYWFNK.exe
  2⤵
  PID:13192
- C:\Windows\System32\LtLmiDS.exe
  C:\Windows\System32\LtLmiDS.exe
  2⤵
  PID:13216
- C:\Windows\System32\kWfNRTk.exe
  C:\Windows\System32\kWfNRTk.exe
  2⤵
  PID:13240
- C:\Windows\System32\yXCpzFg.exe
  C:\Windows\System32\yXCpzFg.exe
  2⤵
  PID:13264
- C:\Windows\System32\ZeLQjlq.exe
  C:\Windows\System32\ZeLQjlq.exe
  2⤵
  PID:13288
- C:\Windows\System32\xJaSvFk.exe
  C:\Windows\System32\xJaSvFk.exe
  2⤵
  PID:12300
- C:\Windows\System32\FvEZfqv.exe
  C:\Windows\System32\FvEZfqv.exe
  2⤵
  PID:12364

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:13180
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:12900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7448

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:11164

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8120

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:7216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7564

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7560

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11400

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml

Filesize
97B

MD5
292a283bdecf4cd89c3ad863a28bc72f

SHA1
18e896fec5f8b3ea2963d0a5cb45a244050c35c1

SHA256
09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

SHA512
71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133602690596309740.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Windows\System32\DlPhVJa.exe

Filesize
1.9MB

MD5
72e031aa6428eb4ce77d98fac089ce3b

SHA1
ae0ca1587c01d759503069810018bbf646384b55

SHA256
ccb1f87c1d9a51b36f5290b41dcdb27a6fb00be9672a8ea593efbde2940fccc8

SHA512
f07b1dde7fb7eb3dd4ea70fe7887fc77dcd4e584e34c89962089be625550086499b6ec8634e0ffa5842861185c6f7c13f6dc426334a0d60ec10bb09868bcd2e6

Download Submit
C:\Windows\System32\EOYTttc.exe

Filesize
1.9MB

MD5
e56e17373d7e85aaaa73e5810ef2d99a

SHA1
1cdf0c38a306b2a1ccc79315951420ff926826fa

SHA256
4ce722bf709fba056919df17957e6b8eeda84e8b01bdf31534ca7a1fa33a292a

SHA512
261f2c8963bdbc2befcf81155b05c0fb529ba1426d28029eda2d03d301ecbf8579501b4aea93f2f1bff8c8fc84bf5e4e7242acbc2867205ca81f8818e1dde129

Download Submit
C:\Windows\System32\FCdFbnB.exe

Filesize
1.9MB

MD5
dda2141352cc5d8b3ea95465919a6af6

SHA1
c9ef58783f1233897368ab62241b733563555cd9

SHA256
02d82c30cb191fed55b6441beced248598eb7b42e2c73b4aa6f11d4a2dbd3b5b

SHA512
49f86d4da8041e04a41ef21f79d50d6ed855a38038f9e3ecf3a6344789d3872315a769b257b403de214023e0eed45873d5fc4ce6291b80ed60ef8638b44109d6

Download Submit
C:\Windows\System32\FPOonea.exe

Filesize
1.9MB

MD5
04d796dbbde383f7a04e625d59a96cee

SHA1
c7a7a044e6af7d34c68e6777e6b6d7e719fc2c7e

SHA256
8f1af2b1e1764f93d64da9bc91f81396917985e2deb126e28c6248028f48ad2d

SHA512
096e100adb286295c3d69ecffe6fa8635d5ba12256d3078d7fbac63497db0e5f6b782bf7cf52a8bc73927ac884b5dd4ccef7d8e84b4fc99aac995150fc88b45a

Download Submit
C:\Windows\System32\IiARdTq.exe

Filesize
1.9MB

MD5
0df7785b81c390b4093a447d3993d47b

SHA1
0be23facf336da1123d2ea480bdba78045d52090

SHA256
ac956e29a76ad56a6ddad0ac56dd01b7829a929dbfa3ee10b73e961474a8f7aa

SHA512
d4d424e894f74301e2c77749126499e085589f4f11c46fd908bf31b3481b8c53f7349a52f0e293d20d444cd326e3c68b894345d31843903b928256eb61a1af2d

Download Submit
C:\Windows\System32\NSMuzUu.exe

Filesize
1.9MB

MD5
03008e2a5434660f826cbdfe02d66f14

SHA1
df4f1b2980bbee87a21c39ef86df2a1e7e9b28ca

SHA256
ff7e636e11830733d6e4d3e3f7d70697810a896d0670e1143d962deb3c0897f5

SHA512
69f57fe5f9ce990c5238ee428d45e0d8193dc6d99c876a1949f61891c4dff3f03f38e8d7b3c3498a4754f71db49eea3e843ee115cf871bdc9cb755f18e8c849e

Download Submit
C:\Windows\System32\NZiSfBx.exe

Filesize
1.9MB

MD5
5c867645228032af41eebb1f16c06374

SHA1
10d27e569b16c09b9a036738ed5de0bf640a220a

SHA256
7a89a72a924740082ac19f389e8185580e690200ceb7046584c4da6c279f21f4

SHA512
89d221c6135f303e7cd13d40866be406566c59e78e557f8df6d313060fecf8c83635babfd2674afe4ce62b0cc8c447aa9b17f7843ee200ab1845dc79630457f8

Download Submit
C:\Windows\System32\QauiNCb.exe

Filesize
1.9MB

MD5
35108b33da4ccd504400470a2c0b8b0e

SHA1
9fdaaa8d2030da0fcb21f098701398c8c72e42a3

SHA256
245b0552ba84c8f9e371ed96342c061b951c1ec8db1641a745c3085046cd8c41

SHA512
0666281f77ff191a5055b6eb9d87dc254ea23fc700468faab50ec32d8854b04359637fd26f70a881e67b286805d027ae40397169a8f65de1114f5261f10ff26a

Download Submit
C:\Windows\System32\QxyqCsX.exe

Filesize
1.9MB

MD5
66ddc77c002d151b97be028c2fd5840c

SHA1
73f41459bc6d8fce9bff9484dc662cb9c1b83362

SHA256
ebf6e4a3ae23394978b1c7bd9fe708fa9222e506670367e46c7e6ea772e1f8be

SHA512
5009304c0f0440dd7795617e30aa868baca329c11a4da60df96ecd31d3dc300663b4286fd9ba0bc12b6b0ecce840fd2d8ea0ef05e465a0ec14a531d9454b6124

Download Submit
C:\Windows\System32\TUzTTdc.exe

Filesize
1.9MB

MD5
1ed9a7ffce18b4ea486a31dd850ec874

SHA1
ce5afd6421a92b9ddc41fefde71270ddaca4f2a1

SHA256
0290d7368cacbe84fe5cb40ac043f4fb36618fa991f81873db65bf351c44b37f

SHA512
b90d89459a0718baa2ba8058bb00b40e3e345d81baef6074b7672cad116d80ec1451a89a2d7437c48af67548b39b82cd54db2810508a59a44bda247418614cb5

Download Submit
C:\Windows\System32\TjIFzbH.exe

Filesize
1.9MB

MD5
a431c015dae9acb20d113c0cdaf4096c

SHA1
d9989dab3f403fcccecc8c5a67fa5c906eae8036

SHA256
7d5d06fd0465decde92376bb68c02fd2c5831b74bb6b96448fc7cfca32f620cc

SHA512
606dc395c4d612104e588fc74fe2f58cbe2ddd6dd50034fc0ec7a855a8c4a0d0cc904ca646f2b6c8f1a3bd61677510e746fd3ee4a0c58b96f3896c0b8c285361

Download Submit
C:\Windows\System32\UTkLYNk.exe

Filesize
1.9MB

MD5
0d2f92bb0f06302c1a517a33b47364ab

SHA1
030515f810a78e35d1e5a6ee5e5538c1d767b93b

SHA256
6735dee14f7682ff0a86fa8154f8723399e5378b57f236e7efd98c9728cc17d4

SHA512
5c170d6df7a1e3641d917204ff75fd94a494b16195afd4703f39422e47569adb543fdc1f98b3dc3847a286176329831cad325da110bb1e35e57d2071a5576279

Download Submit
C:\Windows\System32\UnGnTRj.exe

Filesize
1.9MB

MD5
e5da47bbcfb6aa4949df9e25109d6e2d

SHA1
7d37dec2b4bec2708cab3b311bc4ee70c5e6c172

SHA256
7166d9936baed8c8f38e27f1a2c6adcc9ed1fb8c7e08160544eb15558befc599

SHA512
680f0dc8ae73bad19be51f0dbca1dd05d564b4b7cd67e673265e61286e7cfb86da6f28ac0b98ab4af5b1140498b4e942892ce6eb0a1e70ebd4b41e36136ae9d0

Download Submit
C:\Windows\System32\XHuFFdL.exe

Filesize
1.9MB

MD5
92bca365581f0d19216ce9df3fdbecd0

SHA1
ae2b17a589587e91fdb423f3137577d6562dd245

SHA256
ac1ecdfc25794f973079f8a234b906281fedc4d26783d40d1945270a988d75d3

SHA512
921eaa01039d11f6b2738b95857925bd39f2133ee57331fd67a8499809ef2ad75a2fe76f3d25d2b01d2f5673543040ad558b6bc068cc10e86cb961160e139323

Download Submit
C:\Windows\System32\XjAfnTo.exe

Filesize
1.9MB

MD5
a7b30db101eb3b07627059df8e504f59

SHA1
ed0db422cf46cf6c1704da6c271257980df70682

SHA256
0edf405617fb7203e5215bc81e6da5331b92cb8e6ed7e17be25c363126f5e4b8

SHA512
fcbed18466fb429ff3f121e8cd41906bfe6971876c91f5a47ea187441035ce228f420f7ec0bc2f127565753d69ab3fe932d16ffd1a681ad9e80083402aa94bd9

Download Submit
C:\Windows\System32\YSBnQaA.exe

Filesize
1.9MB

MD5
9219f1a85a0951e568b781317ea1e7aa

SHA1
05610c11767e0795e7a597c2f9a16f5f131d0428

SHA256
2d6e04edba10746377aad319b1e8eb77c4e27f2e86c3ddea9f41f333bfbe6b1a

SHA512
82a25d9f3e1c92bab4d41fd28b9f184e588c950a0b780e389d7c8fee1918b96de3b3d94e41898da32003c9cf5c36f2f5f6ef8e19b2d9a33e814dad860f6e8f29

Download Submit
C:\Windows\System32\ZoUYrrX.exe

Filesize
1.9MB

MD5
651fba7f54a01237907d3e7e4d35102d

SHA1
0ad5308c10f8930fda78ab71491444776deef3a9

SHA256
c7d2415643773840810d55df5c5c90a16ac261ad0b947aeea424a5a9436d792c

SHA512
97321fdbe3cbd466257c3b9d30a899576e693c28d4d2b5ae97c0abebaf62a56da247959127dcd281128f30e35830cf665fce260676f39eedaa0439fcdf2712ce

Download Submit
C:\Windows\System32\bBedbEf.exe

Filesize
1.9MB

MD5
93f645ec9057628366a961fc45c2e179

SHA1
446715898ef27ec75102658039ad9dc9438b3017

SHA256
3daf1b2fb68c196d15a62446626e5c061117dce05399c68d7d3e56d485127ad1

SHA512
202c2963c1ed3c8fa0457a3e163978665f8f0f7866c6670bdc0b1cd1ebe62b5cf54ec339cbaecfc0a09b700042c2b18ef8bd7997bd62967e85961d90cb7a4b10

Download Submit
C:\Windows\System32\bjnPgQd.exe

Filesize
1.9MB

MD5
473fb7a067e9e320751d2ccc4f2a5f39

SHA1
8b1bd3c98ae72f8910ab4669ba35898ce9c423ef

SHA256
657ac1725cf4c0a0868505e6af0dca3cd969864d70ad844cba4e96195d72abce

SHA512
0b767d8f2a70b2ffd9e37cd9b0f97d734845c835a08bb4964211e2bb126c1c5fabcd7fb2a751d9bd87c32002565f416c401504522f000260df1b1e6885651e17

Download Submit
C:\Windows\System32\dXTKSmo.exe

Filesize
1.9MB

MD5
ba435c6731508de1e70e05407de61c1e

SHA1
7924f53358497ee9b1e8d90c222d309d4dba5cc9

SHA256
24e86d71427aa49a0b59963eb9c9598151118811443fa1bcccc66a23e24c4204

SHA512
3c46788b3f4e412abc076398dccad20290c4b04a26f8e3edbfbaed7fae4bf44bd24a8528feb2e4f85521d9e66a552ef93d477d3d124bd415218cbd62002a43ba

Download Submit
C:\Windows\System32\dtpdzXk.exe

Filesize
1.9MB

MD5
bbe3ee833b991f53b57cf5374a5020c8

SHA1
823df6f1031c21ae2bb81c3e767adbb8da7dde6b

SHA256
4d08e22a355c1a56e7ca0972b37dc5b4eea6ad8d0a792ad942c3faaeeed1572c

SHA512
22a670bab95cf5928461615730840cc5b63eedce1b71c4fa59b6577bc5b43df6c0dc1c2a11b1e091ce9d66cbaeb9b9bd6cc769b537c2264b1bcd752fc3384c27

Download Submit
C:\Windows\System32\giMhdfA.exe

Filesize
1.9MB

MD5
0215f5989ead5414dc2716028dae07dd

SHA1
bee54020b75a6d88a5b7205a25bf66ac2033dcb7

SHA256
3ca0bf4591bdd9f8ea4b1dc28192041d7d63203ccad770dd88d684b353d1fdbb

SHA512
57f0dbec3eb5092ff2562ff8b2964eb3d524330a988c0d315c97f3aeddddfb7aea56f83331724c4d2590b6b937feb1bf3f75d64c812379f6125f8da73ba149d4

Download Submit
C:\Windows\System32\hSfCclD.exe

Filesize
1.9MB

MD5
5a03ee1188f8c259e835e2329188d90f

SHA1
a775b17d279efe6495d7223b398592729d2e4137

SHA256
6c2b2de056dbc826eee8658525b603d668ddad12a47c76ed3b7ac0f7ac7f0880

SHA512
492edacb1f86780c58d73ac0ffc28fd0007f92353b26b9ef821f128476498e38cffa09c9503ce5d84f37661fc73ae810dc7b58e7d5224907f786f77f440ea11d

Download Submit
C:\Windows\System32\iNaYtHz.exe

Filesize
1.9MB

MD5
81765cfee320dbff5bac9aab85fabcc2

SHA1
e051458bda6adb79451b201b2989b376febb3842

SHA256
4cacef1f8f2a190844d493e01e1e057d74879129fdb7af14eecfdb71fec43375

SHA512
3d2ecf8a7d3b073da96fd682b669db0f7e1c40fdd4401245f73549cbb1600dc142d5fe0b5f18e518c4fe8f8f838898010c3e1b79b61f1fe4b19687cf11fa27c1

Download Submit
C:\Windows\System32\jzfPbWw.exe

Filesize
1.9MB

MD5
dfc373bdff88441038bd7aa29bcf1e1e

SHA1
c6668abb12519b2436489e5203645004c329daa0

SHA256
8e511c1fff8bac4cc44943ef498942cb90d0ae06d91d50b40ad3e987b7189b42

SHA512
4922a3599a4081d00ee53c18dc8e2ecdbf34f3f2d9c7a9d6acdb7f4d2dbb5e13fecda26e9e51062863689385178365b7246e0cd878e248074227b7fb14ffb6e7

Download Submit
C:\Windows\System32\kphceux.exe

Filesize
1.9MB

MD5
ee640fa10f901c5efacb4596f373ea75

SHA1
0d1974f2e3d44f2e26bd539561529d0fb10b1478

SHA256
77bb2f4241608cda405e1a42b17fbf7784060ebc7c2ef1016402e72d7d05d8ba

SHA512
d120d888cc5da26c7b12b043cc77cf89fd15c32ac22a3d2bbd6599e6b65003b68945172b3cec0f5075ee2b12380af0764ac60db2d4d655c92aa879943e98e950

Download Submit
C:\Windows\System32\rQlPDpH.exe

Filesize
1.9MB

MD5
6648dc43fc506e50eb92342efcac2bf5

SHA1
6d1372c855b494b8a00609a86341d98c950cf92f

SHA256
9d6b1304775586f5f1cb072ba19db28c19283c73fc3fcdf2d879530468215487

SHA512
a5f50ba88820465c01c7a2972352deebd48f821a015696961a560828b73fc84b4174d1ba41335916f024aec5a4887324156cef69002bb9f4abbb496c4bdf90cd

Download Submit
C:\Windows\System32\tMSsjDV.exe

Filesize
1.9MB

MD5
ae9bcdfe77d6676b113748af0c147c2c

SHA1
7618c4dde3a097f73f5414cf404ea0a7223f5fda

SHA256
0e8f47acab5d98291b13ef5504561c429eece9b806ce6b850dfbb7ac31693258

SHA512
6fa8ff5c8bcfc7dba170b58457d2372359092d5b5f50ae6d4fa895bfcdeed0fa28a12379f596590c6137210961f934058c2497abdb87cd4aeacde3a66e48ddd0

Download Submit
C:\Windows\System32\tRUXXDo.exe

Filesize
1.9MB

MD5
83ad175549a68d0c0255d5fa895e4514

SHA1
f52e19b9a552d912e70672b2b016abedd2103c5a

SHA256
29d25e74e6bb4731396374498ce171f6ce8ec1740ea5da44551b3ffbdd6b3fae

SHA512
969cef625600545892ab3c79eb8a158a5be705b027ca5d8d01a4860eaec359aab35af5ac184da54581046eac6a43d57e6405f708f89eb695852e97b79e84b0d7

Download Submit
C:\Windows\System32\tzqooQC.exe

Filesize
1.9MB

MD5
ccbc2f6d34e0d53605760bb0b2f17287

SHA1
b07a235574a77747e307e06e0db32f0902274f0c

SHA256
95b8dc061042e349c5e71d5ceb91eedeba3b294cc27ff00709536bc0937bc7a3

SHA512
253bdaf50210f7ab432d977194b1fb0f92b20f84d7ed9ed8688ff4223b987d1565ed619bbde8ad2947eaa9ac20a9e740166bd2badd12fbcfb8db007093bf3d88

Download Submit
C:\Windows\System32\xliGlTc.exe

Filesize
1.9MB

MD5
091375b892e8e992d144f6cdf98e27eb

SHA1
96f966989b3c0a5778f4d04fb9f077130aafa782

SHA256
340ab5db59eef63096f16c2b9f505c7a24f47331ab4b4d5fe29764a808ce9be7

SHA512
32d8581f4db7a8be9ce3ff551ac04ba771151744815bf658ad2dae545fe7561787b8ee93de0b7659d93010b214b6eee119887d04f2363be61c812c2462e0fadf

Download Submit
C:\Windows\System32\zfmQVul.exe

Filesize
1.9MB

MD5
56905a175bc1fba081ec13cef8ee982b

SHA1
3a30a87db0e1d3ef7198aad19fdda6da41b1e65c

SHA256
6ff299df313cf4e70f7f6b02b6a86f5c8a824ba01fa8b8fd2199eb212a3b1fad

SHA512
6332b037141d9b6121a6d1a588c37122080191f5b61fd41146cfb10eb9e617faa9bf5b47e64a35ee932aeceff2c33fac1abae4821117b59981de76e91bb727ed

Download Submit
memory/232-2052-0x00007FF79E280000-0x00007FF79E671000-memory.dmp

Filesize
3.9MB

Download
memory/232-545-0x00007FF79E280000-0x00007FF79E671000-memory.dmp

Filesize
3.9MB

Download
memory/396-2035-0x00007FF7D5090000-0x00007FF7D5481000-memory.dmp

Filesize
3.9MB

Download
memory/396-465-0x00007FF7D5090000-0x00007FF7D5481000-memory.dmp

Filesize
3.9MB

Download
memory/512-441-0x00007FF675B10000-0x00007FF675F01000-memory.dmp

Filesize
3.9MB

Download
memory/512-2024-0x00007FF675B10000-0x00007FF675F01000-memory.dmp

Filesize
3.9MB

Download
memory/908-2042-0x00007FF7DBEC0000-0x00007FF7DC2B1000-memory.dmp

Filesize
3.9MB

Download
memory/908-491-0x00007FF7DBEC0000-0x00007FF7DC2B1000-memory.dmp

Filesize
3.9MB

Download
memory/1196-1-0x000001EEF9650000-0x000001EEF9660000-memory.dmp

Filesize
64KB

Download
memory/1196-0-0x00007FF635CA0000-0x00007FF636091000-memory.dmp

Filesize
3.9MB

Download
memory/1212-2045-0x00007FF7742C0000-0x00007FF7746B1000-memory.dmp

Filesize
3.9MB

Download
memory/1212-526-0x00007FF7742C0000-0x00007FF7746B1000-memory.dmp

Filesize
3.9MB

Download
memory/1440-2038-0x00007FF7FCB60000-0x00007FF7FCF51000-memory.dmp

Filesize
3.9MB

Download
memory/1440-477-0x00007FF7FCB60000-0x00007FF7FCF51000-memory.dmp

Filesize
3.9MB

Download
memory/1504-2040-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp

Filesize
3.9MB

Download
memory/1504-482-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp

Filesize
3.9MB

Download
memory/1944-553-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp

Filesize
3.9MB

Download
memory/1944-2018-0x00007FF6FAC80000-0x00007FF6FB071000-memory.dmp

Filesize
3.9MB

Download
memory/1956-2026-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp

Filesize
3.9MB

Download
memory/1956-442-0x00007FF79FDC0000-0x00007FF7A01B1000-memory.dmp

Filesize
3.9MB

Download
memory/2024-25-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp

Filesize
3.9MB

Download
memory/2024-2012-0x00007FF7EA610000-0x00007FF7EAA01000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2014-0x00007FF75B050000-0x00007FF75B441000-memory.dmp

Filesize
3.9MB

Download
memory/2264-438-0x00007FF75B050000-0x00007FF75B441000-memory.dmp

Filesize
3.9MB

Download
memory/2380-2050-0x00007FF754480000-0x00007FF754871000-memory.dmp

Filesize
3.9MB

Download
memory/2380-508-0x00007FF754480000-0x00007FF754871000-memory.dmp

Filesize
3.9MB

Download
memory/2868-2046-0x00007FF65BB70000-0x00007FF65BF61000-memory.dmp

Filesize
3.9MB

Download
memory/2868-531-0x00007FF65BB70000-0x00007FF65BF61000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2036-0x00007FF66E7C0000-0x00007FF66EBB1000-memory.dmp

Filesize
3.9MB

Download
memory/3056-474-0x00007FF66E7C0000-0x00007FF66EBB1000-memory.dmp

Filesize
3.9MB

Download
memory/3496-550-0x00007FF69F900000-0x00007FF69FCF1000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2080-0x00007FF69F900000-0x00007FF69FCF1000-memory.dmp

Filesize
3.9MB

Download
memory/3780-2030-0x00007FF783840000-0x00007FF783C31000-memory.dmp

Filesize
3.9MB

Download
memory/3780-451-0x00007FF783840000-0x00007FF783C31000-memory.dmp

Filesize
3.9MB

Download
memory/4228-2032-0x00007FF691480000-0x00007FF691871000-memory.dmp

Filesize
3.9MB

Download
memory/4228-455-0x00007FF691480000-0x00007FF691871000-memory.dmp

Filesize
3.9MB

Download
memory/4264-551-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp

Filesize
3.9MB

Download
memory/4264-2016-0x00007FF7ECEA0000-0x00007FF7ED291000-memory.dmp

Filesize
3.9MB

Download
memory/4524-2023-0x00007FF780320000-0x00007FF780711000-memory.dmp

Filesize
3.9MB

Download
memory/4524-440-0x00007FF780320000-0x00007FF780711000-memory.dmp

Filesize
3.9MB

Download
memory/4568-2054-0x00007FF6E9CF0000-0x00007FF6EA0E1000-memory.dmp

Filesize
3.9MB

Download
memory/4568-541-0x00007FF6E9CF0000-0x00007FF6EA0E1000-memory.dmp

Filesize
3.9MB

Download
memory/4572-443-0x00007FF7D21E0000-0x00007FF7D25D1000-memory.dmp

Filesize
3.9MB

Download
memory/4572-2028-0x00007FF7D21E0000-0x00007FF7D25D1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-2010-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4668-15-0x00007FF71E3E0000-0x00007FF71E7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4712-439-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2020-0x00007FF6B6460000-0x00007FF6B6851000-memory.dmp

Filesize
3.9MB

Download
memory/4772-540-0x00007FF75AD90000-0x00007FF75B181000-memory.dmp

Filesize
3.9MB

Download
memory/4772-2049-0x00007FF75AD90000-0x00007FF75B181000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads