xmrig | 6b39185ec47f174f31e481d1f51ee57f72ecca48dd3a0436bec7d820759272a6

Analysis

max time kernel
66s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
Size

2.0MB
MD5

39dc1dd29af0e46e14ff17d4ccd547d0
SHA1

c2c2b03b38cc573e7aa9e39e117ddb5990c70172
SHA256

6b39185ec47f174f31e481d1f51ee57f72ecca48dd3a0436bec7d820759272a6
SHA512

50f267ecd43764fbe06e04fc4fe95728e357cd09ca4f0bc1deb9671d1b6336f5fca0bf9e6f529ee2245a5340895b78b676d7bd9e195d1e03883d23568412e791
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIQF3OioF5qds74:BemTLkNdfE0pZrQz

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3900-0-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp	xmrig
C:\Windows\System\mrMnOfw.exe	xmrig
behavioral2/memory/4568-8-0x00007FF7A2B40000-0x00007FF7A2E94000-memory.dmp	xmrig
C:\Windows\System\VZpIGwh.exe	xmrig
C:\Windows\System\dQIfZWC.exe	xmrig
C:\Windows\System\HpWOXIk.exe	xmrig
C:\Windows\System\uNbyylM.exe	xmrig
C:\Windows\System\JRootCo.exe	xmrig
C:\Windows\System\EpVMaSj.exe	xmrig
C:\Windows\System\SeuFNpd.exe	xmrig
behavioral2/memory/1804-730-0x00007FF741AC0000-0x00007FF741E14000-memory.dmp	xmrig
behavioral2/memory/1724-731-0x00007FF76D9F0000-0x00007FF76DD44000-memory.dmp	xmrig
behavioral2/memory/1404-732-0x00007FF65A9F0000-0x00007FF65AD44000-memory.dmp	xmrig
behavioral2/memory/5024-733-0x00007FF64AED0000-0x00007FF64B224000-memory.dmp	xmrig
C:\Windows\System\pVUwqjp.exe	xmrig
C:\Windows\System\peUEJpX.exe	xmrig
C:\Windows\System\PBSqChy.exe	xmrig
C:\Windows\System\MpEZgLQ.exe	xmrig
C:\Windows\System\cCrRkBh.exe	xmrig
C:\Windows\System\ZxKulla.exe	xmrig
C:\Windows\System\WwOZpmW.exe	xmrig
C:\Windows\System\qdCBNPb.exe	xmrig
C:\Windows\System\FyINZLa.exe	xmrig
C:\Windows\System\sJufnjl.exe	xmrig
C:\Windows\System\akbpTDp.exe	xmrig
C:\Windows\System\GRxuXGb.exe	xmrig
C:\Windows\System\TCUAEbL.exe	xmrig
C:\Windows\System\UFDlcDj.exe	xmrig
C:\Windows\System\cxrHagk.exe	xmrig
C:\Windows\System\Lajzrrc.exe	xmrig
C:\Windows\System\yutgOlc.exe	xmrig
C:\Windows\System\NTDFROn.exe	xmrig
C:\Windows\System\WknDaTk.exe	xmrig
C:\Windows\System\GHAczAk.exe	xmrig
C:\Windows\System\EKabxIS.exe	xmrig
C:\Windows\System\OKlUlRx.exe	xmrig
C:\Windows\System\HvlJKdt.exe	xmrig
C:\Windows\System\NcVqpje.exe	xmrig
behavioral2/memory/3400-30-0x00007FF640930000-0x00007FF640C84000-memory.dmp	xmrig
C:\Windows\System\tSoeZSb.exe	xmrig
behavioral2/memory/2184-734-0x00007FF6F91D0000-0x00007FF6F9524000-memory.dmp	xmrig
behavioral2/memory/1356-735-0x00007FF653E10000-0x00007FF654164000-memory.dmp	xmrig
behavioral2/memory/540-736-0x00007FF676130000-0x00007FF676484000-memory.dmp	xmrig
behavioral2/memory/1944-737-0x00007FF794780000-0x00007FF794AD4000-memory.dmp	xmrig
behavioral2/memory/1352-738-0x00007FF6978A0000-0x00007FF697BF4000-memory.dmp	xmrig
behavioral2/memory/3124-744-0x00007FF782570000-0x00007FF7828C4000-memory.dmp	xmrig
behavioral2/memory/760-753-0x00007FF6D2590000-0x00007FF6D28E4000-memory.dmp	xmrig
behavioral2/memory/4404-759-0x00007FF79B6D0000-0x00007FF79BA24000-memory.dmp	xmrig
behavioral2/memory/2216-770-0x00007FF65B880000-0x00007FF65BBD4000-memory.dmp	xmrig
behavioral2/memory/1592-771-0x00007FF7CD860000-0x00007FF7CDBB4000-memory.dmp	xmrig
behavioral2/memory/2124-788-0x00007FF782EB0000-0x00007FF783204000-memory.dmp	xmrig
behavioral2/memory/3804-793-0x00007FF773400000-0x00007FF773754000-memory.dmp	xmrig
behavioral2/memory/4452-809-0x00007FF71FFD0000-0x00007FF720324000-memory.dmp	xmrig
behavioral2/memory/1984-810-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp	xmrig
behavioral2/memory/2560-806-0x00007FF676A60000-0x00007FF676DB4000-memory.dmp	xmrig
behavioral2/memory/5016-801-0x00007FF799410000-0x00007FF799764000-memory.dmp	xmrig
behavioral2/memory/652-800-0x00007FF7CA1A0000-0x00007FF7CA4F4000-memory.dmp	xmrig
behavioral2/memory/1544-781-0x00007FF6A5710000-0x00007FF6A5A64000-memory.dmp	xmrig
behavioral2/memory/4104-780-0x00007FF769620000-0x00007FF769974000-memory.dmp	xmrig
behavioral2/memory/1308-776-0x00007FF67B050000-0x00007FF67B3A4000-memory.dmp	xmrig
behavioral2/memory/2188-764-0x00007FF793D60000-0x00007FF7940B4000-memory.dmp	xmrig
behavioral2/memory/396-747-0x00007FF64A7F0000-0x00007FF64AB44000-memory.dmp	xmrig
behavioral2/memory/4600-739-0x00007FF6C5470000-0x00007FF6C57C4000-memory.dmp	xmrig
behavioral2/memory/3900-2149-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

mrMnOfw.exedQIfZWC.exeVZpIGwh.exetSoeZSb.exeNcVqpje.exeHvlJKdt.exeHpWOXIk.exeOKlUlRx.exeEKabxIS.exeGHAczAk.exeWknDaTk.exeNTDFROn.exeuNbyylM.exeyutgOlc.exeLajzrrc.execxrHagk.exeJRootCo.exeUFDlcDj.exeTCUAEbL.exeGRxuXGb.exeakbpTDp.exesJufnjl.exeFyINZLa.exeEpVMaSj.exeqdCBNPb.exeWwOZpmW.exeZxKulla.execCrRkBh.exeSeuFNpd.exeMpEZgLQ.exepeUEJpX.exePBSqChy.exepVUwqjp.exeWOMsoyS.exeuVQUaTh.exeEDvtiPe.exeIfhlKNJ.exeLVafGcR.exeofQznTE.execlqaewC.exekIFxmbS.exevXYefnK.exemNuhZJy.exeLPexIQV.exeHYzaDEl.exeZgjTQfp.exevOeEaSZ.exeFTELYDM.exeFRQUFax.exexTwIdkE.exeBfBLHwx.exeEmxNVIf.exeWvBRlui.exenWEcnqN.exeeCZWAmt.exeiEzPSjN.exepkWoLQJ.exefHTgwRR.exehQyNEPi.exeMXWuMmE.exesNPqBNn.exeDCSvZZY.exejtoUYom.exeWKivLot.exe

pid	process
4568	mrMnOfw.exe
3400	dQIfZWC.exe
1804	VZpIGwh.exe
4452	tSoeZSb.exe
1724	NcVqpje.exe
1984	HvlJKdt.exe
1404	HpWOXIk.exe
5024	OKlUlRx.exe
2184	EKabxIS.exe
1356	GHAczAk.exe
540	WknDaTk.exe
1944	NTDFROn.exe
1352	uNbyylM.exe
4600	yutgOlc.exe
3124	Lajzrrc.exe
396	cxrHagk.exe
760	JRootCo.exe
4404	UFDlcDj.exe
2188	TCUAEbL.exe
2216	GRxuXGb.exe
1592	akbpTDp.exe
1308	sJufnjl.exe
4104	FyINZLa.exe
1544	EpVMaSj.exe
2124	qdCBNPb.exe
3804	WwOZpmW.exe
652	ZxKulla.exe
5016	cCrRkBh.exe
2560	SeuFNpd.exe
1636	MpEZgLQ.exe
4776	peUEJpX.exe
4576	PBSqChy.exe
856	pVUwqjp.exe
3500	WOMsoyS.exe
4980	uVQUaTh.exe
3384	EDvtiPe.exe
1972	IfhlKNJ.exe
3908	LVafGcR.exe
408	ofQznTE.exe
3656	clqaewC.exe
4124	kIFxmbS.exe
3196	vXYefnK.exe
4728	mNuhZJy.exe
2208	LPexIQV.exe
3344	HYzaDEl.exe
3628	ZgjTQfp.exe
4412	vOeEaSZ.exe
232	FTELYDM.exe
4292	FRQUFax.exe
4720	xTwIdkE.exe
4364	BfBLHwx.exe
1420	EmxNVIf.exe
596	WvBRlui.exe
3752	nWEcnqN.exe
3576	eCZWAmt.exe
2316	iEzPSjN.exe
3676	pkWoLQJ.exe
4040	fHTgwRR.exe
3460	hQyNEPi.exe
4136	MXWuMmE.exe
4248	sNPqBNn.exe
4112	DCSvZZY.exe
1124	jtoUYom.exe
2036	WKivLot.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3900-0-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp	upx
C:\Windows\System\mrMnOfw.exe	upx
behavioral2/memory/4568-8-0x00007FF7A2B40000-0x00007FF7A2E94000-memory.dmp	upx
C:\Windows\System\VZpIGwh.exe	upx
C:\Windows\System\dQIfZWC.exe	upx
C:\Windows\System\HpWOXIk.exe	upx
C:\Windows\System\uNbyylM.exe	upx
C:\Windows\System\JRootCo.exe	upx
C:\Windows\System\EpVMaSj.exe	upx
C:\Windows\System\SeuFNpd.exe	upx
behavioral2/memory/1804-730-0x00007FF741AC0000-0x00007FF741E14000-memory.dmp	upx
behavioral2/memory/1724-731-0x00007FF76D9F0000-0x00007FF76DD44000-memory.dmp	upx
behavioral2/memory/1404-732-0x00007FF65A9F0000-0x00007FF65AD44000-memory.dmp	upx
behavioral2/memory/5024-733-0x00007FF64AED0000-0x00007FF64B224000-memory.dmp	upx
C:\Windows\System\pVUwqjp.exe	upx
C:\Windows\System\peUEJpX.exe	upx
C:\Windows\System\PBSqChy.exe	upx
C:\Windows\System\MpEZgLQ.exe	upx
C:\Windows\System\cCrRkBh.exe	upx
C:\Windows\System\ZxKulla.exe	upx
C:\Windows\System\WwOZpmW.exe	upx
C:\Windows\System\qdCBNPb.exe	upx
C:\Windows\System\FyINZLa.exe	upx
C:\Windows\System\sJufnjl.exe	upx
C:\Windows\System\akbpTDp.exe	upx
C:\Windows\System\GRxuXGb.exe	upx
C:\Windows\System\TCUAEbL.exe	upx
C:\Windows\System\UFDlcDj.exe	upx
C:\Windows\System\cxrHagk.exe	upx
C:\Windows\System\Lajzrrc.exe	upx
C:\Windows\System\yutgOlc.exe	upx
C:\Windows\System\NTDFROn.exe	upx
C:\Windows\System\WknDaTk.exe	upx
C:\Windows\System\GHAczAk.exe	upx
C:\Windows\System\EKabxIS.exe	upx
C:\Windows\System\OKlUlRx.exe	upx
C:\Windows\System\HvlJKdt.exe	upx
C:\Windows\System\NcVqpje.exe	upx
behavioral2/memory/3400-30-0x00007FF640930000-0x00007FF640C84000-memory.dmp	upx
C:\Windows\System\tSoeZSb.exe	upx
behavioral2/memory/2184-734-0x00007FF6F91D0000-0x00007FF6F9524000-memory.dmp	upx
behavioral2/memory/1356-735-0x00007FF653E10000-0x00007FF654164000-memory.dmp	upx
behavioral2/memory/540-736-0x00007FF676130000-0x00007FF676484000-memory.dmp	upx
behavioral2/memory/1944-737-0x00007FF794780000-0x00007FF794AD4000-memory.dmp	upx
behavioral2/memory/1352-738-0x00007FF6978A0000-0x00007FF697BF4000-memory.dmp	upx
behavioral2/memory/3124-744-0x00007FF782570000-0x00007FF7828C4000-memory.dmp	upx
behavioral2/memory/760-753-0x00007FF6D2590000-0x00007FF6D28E4000-memory.dmp	upx
behavioral2/memory/4404-759-0x00007FF79B6D0000-0x00007FF79BA24000-memory.dmp	upx
behavioral2/memory/2216-770-0x00007FF65B880000-0x00007FF65BBD4000-memory.dmp	upx
behavioral2/memory/1592-771-0x00007FF7CD860000-0x00007FF7CDBB4000-memory.dmp	upx
behavioral2/memory/2124-788-0x00007FF782EB0000-0x00007FF783204000-memory.dmp	upx
behavioral2/memory/3804-793-0x00007FF773400000-0x00007FF773754000-memory.dmp	upx
behavioral2/memory/4452-809-0x00007FF71FFD0000-0x00007FF720324000-memory.dmp	upx
behavioral2/memory/1984-810-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp	upx
behavioral2/memory/2560-806-0x00007FF676A60000-0x00007FF676DB4000-memory.dmp	upx
behavioral2/memory/5016-801-0x00007FF799410000-0x00007FF799764000-memory.dmp	upx
behavioral2/memory/652-800-0x00007FF7CA1A0000-0x00007FF7CA4F4000-memory.dmp	upx
behavioral2/memory/1544-781-0x00007FF6A5710000-0x00007FF6A5A64000-memory.dmp	upx
behavioral2/memory/4104-780-0x00007FF769620000-0x00007FF769974000-memory.dmp	upx
behavioral2/memory/1308-776-0x00007FF67B050000-0x00007FF67B3A4000-memory.dmp	upx
behavioral2/memory/2188-764-0x00007FF793D60000-0x00007FF7940B4000-memory.dmp	upx
behavioral2/memory/396-747-0x00007FF64A7F0000-0x00007FF64AB44000-memory.dmp	upx
behavioral2/memory/4600-739-0x00007FF6C5470000-0x00007FF6C57C4000-memory.dmp	upx
behavioral2/memory/3900-2149-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp	upx

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\QIivkgz.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\kloOnYm.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\nAVfcSQ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\jkJjLSi.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\GOAQDro.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\LXoQKJe.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\dDhpita.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\WknDaTk.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\NgZggFs.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\qDoOLOj.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\jzBUkKr.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\yZeglgT.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\EPitpoD.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\qOZSMNm.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\GjpOiFz.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\cacvySF.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\JYLyKvU.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\WronODM.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\qxvPPzG.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\KiOBkOZ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\mhoEXGw.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\hIHIbfE.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\HavpuwZ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\PsxTdio.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\fUNOhTB.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\aYAmIom.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\NgFEIMC.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\VZpIGwh.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\uscIALJ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\jzhtnFn.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\dMFFTJO.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\geBMTlj.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\kicHSwl.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\orTFuom.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\lGptaOQ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\jDFWAHy.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\qICnoTe.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\VFsyFFL.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\PUMUzoJ.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\cCrRkBh.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\KBpHxrH.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\APBkhvs.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\vOdaxGh.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\vXYefnK.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\HKdVewn.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\NgEnUTB.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\iYMrJsP.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\AWSjNcB.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\cmXKVLG.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\XhFXWWV.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\XoLxBWS.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\lWDyWMX.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\gbMgVrU.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\ItrbPpe.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\YVuCcwP.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\NpSjwXf.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\eumiCMN.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\uyxOgzR.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\lRLNkXF.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\kzBiTZC.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\abUZwMw.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\gcUMYHG.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\jPKKQhp.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
File created	C:\Windows\System\CTJlJdm.exe	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeSearchApp.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{E614D252-7F05-4113-9527-AADB929162CC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{21431789-E2E8-4AFB-8211-016730E5B7D7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	14952	explorer.exe
Token: SeCreatePagefilePrivilege	14952	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	4580	explorer.exe
Token: SeCreatePagefilePrivilege	4580	explorer.exe
Token: SeShutdownPrivilege	3632	explorer.exe
Token: SeCreatePagefilePrivilege	3632	explorer.exe
Token: SeShutdownPrivilege	3632	explorer.exe
Token: SeCreatePagefilePrivilege	3632	explorer.exe
Token: SeShutdownPrivilege	3632	explorer.exe
Token: SeCreatePagefilePrivilege	3632	explorer.exe
Token: SeShutdownPrivilege	3632	explorer.exe
Token: SeCreatePagefilePrivilege	3632	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
14784	sihost.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
14952	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
3632	explorer.exe
8272	explorer.exe
8272	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
14236	StartMenuExperienceHost.exe
14868	StartMenuExperienceHost.exe
15244	SearchApp.exe
9584	StartMenuExperienceHost.exe
5484	SearchApp.exe
3344	StartMenuExperienceHost.exe
5488	SearchApp.exe
6900	StartMenuExperienceHost.exe
14624	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe

description	pid	process	target process
PID 3900 wrote to memory of 4568	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	mrMnOfw.exe
PID 3900 wrote to memory of 4568	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	mrMnOfw.exe
PID 3900 wrote to memory of 3400	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	dQIfZWC.exe
PID 3900 wrote to memory of 3400	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	dQIfZWC.exe
PID 3900 wrote to memory of 1804	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	VZpIGwh.exe
PID 3900 wrote to memory of 1804	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	VZpIGwh.exe
PID 3900 wrote to memory of 4452	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	tSoeZSb.exe
PID 3900 wrote to memory of 4452	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	tSoeZSb.exe
PID 3900 wrote to memory of 1724	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	NcVqpje.exe
PID 3900 wrote to memory of 1724	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	NcVqpje.exe
PID 3900 wrote to memory of 1984	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	HvlJKdt.exe
PID 3900 wrote to memory of 1984	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	HvlJKdt.exe
PID 3900 wrote to memory of 1404	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	HpWOXIk.exe
PID 3900 wrote to memory of 1404	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	HpWOXIk.exe
PID 3900 wrote to memory of 5024	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	OKlUlRx.exe
PID 3900 wrote to memory of 5024	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	OKlUlRx.exe
PID 3900 wrote to memory of 2184	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	EKabxIS.exe
PID 3900 wrote to memory of 2184	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	EKabxIS.exe
PID 3900 wrote to memory of 1356	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	GHAczAk.exe
PID 3900 wrote to memory of 1356	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	GHAczAk.exe
PID 3900 wrote to memory of 540	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	WknDaTk.exe
PID 3900 wrote to memory of 540	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	WknDaTk.exe
PID 3900 wrote to memory of 1944	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	NTDFROn.exe
PID 3900 wrote to memory of 1944	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	NTDFROn.exe
PID 3900 wrote to memory of 1352	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	uNbyylM.exe
PID 3900 wrote to memory of 1352	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	uNbyylM.exe
PID 3900 wrote to memory of 4600	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	yutgOlc.exe
PID 3900 wrote to memory of 4600	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	yutgOlc.exe
PID 3900 wrote to memory of 3124	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	Lajzrrc.exe
PID 3900 wrote to memory of 3124	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	Lajzrrc.exe
PID 3900 wrote to memory of 396	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	cxrHagk.exe
PID 3900 wrote to memory of 396	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	cxrHagk.exe
PID 3900 wrote to memory of 760	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	JRootCo.exe
PID 3900 wrote to memory of 760	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	JRootCo.exe
PID 3900 wrote to memory of 4404	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	UFDlcDj.exe
PID 3900 wrote to memory of 4404	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	UFDlcDj.exe
PID 3900 wrote to memory of 2188	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	TCUAEbL.exe
PID 3900 wrote to memory of 2188	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	TCUAEbL.exe
PID 3900 wrote to memory of 2216	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	GRxuXGb.exe
PID 3900 wrote to memory of 2216	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	GRxuXGb.exe
PID 3900 wrote to memory of 1592	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	akbpTDp.exe
PID 3900 wrote to memory of 1592	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	akbpTDp.exe
PID 3900 wrote to memory of 1308	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	sJufnjl.exe
PID 3900 wrote to memory of 1308	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	sJufnjl.exe
PID 3900 wrote to memory of 4104	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	FyINZLa.exe
PID 3900 wrote to memory of 4104	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	FyINZLa.exe
PID 3900 wrote to memory of 1544	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	EpVMaSj.exe
PID 3900 wrote to memory of 1544	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	EpVMaSj.exe
PID 3900 wrote to memory of 2124	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	qdCBNPb.exe
PID 3900 wrote to memory of 2124	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	qdCBNPb.exe
PID 3900 wrote to memory of 3804	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	WwOZpmW.exe
PID 3900 wrote to memory of 3804	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	WwOZpmW.exe
PID 3900 wrote to memory of 652	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	ZxKulla.exe
PID 3900 wrote to memory of 652	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	ZxKulla.exe
PID 3900 wrote to memory of 5016	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	cCrRkBh.exe
PID 3900 wrote to memory of 5016	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	cCrRkBh.exe
PID 3900 wrote to memory of 2560	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	SeuFNpd.exe
PID 3900 wrote to memory of 2560	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	SeuFNpd.exe
PID 3900 wrote to memory of 1636	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	MpEZgLQ.exe
PID 3900 wrote to memory of 1636	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	MpEZgLQ.exe
PID 3900 wrote to memory of 4776	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	peUEJpX.exe
PID 3900 wrote to memory of 4776	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	peUEJpX.exe
PID 3900 wrote to memory of 4576	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	PBSqChy.exe
PID 3900 wrote to memory of 4576	3900	39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe	PBSqChy.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\39dc1dd29af0e46e14ff17d4ccd547d0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\System\mrMnOfw.exe
  C:\Windows\System\mrMnOfw.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\dQIfZWC.exe
  C:\Windows\System\dQIfZWC.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\VZpIGwh.exe
  C:\Windows\System\VZpIGwh.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\tSoeZSb.exe
  C:\Windows\System\tSoeZSb.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\NcVqpje.exe
  C:\Windows\System\NcVqpje.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\HvlJKdt.exe
  C:\Windows\System\HvlJKdt.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\HpWOXIk.exe
  C:\Windows\System\HpWOXIk.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\OKlUlRx.exe
  C:\Windows\System\OKlUlRx.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\EKabxIS.exe
  C:\Windows\System\EKabxIS.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\GHAczAk.exe
  C:\Windows\System\GHAczAk.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\WknDaTk.exe
  C:\Windows\System\WknDaTk.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\NTDFROn.exe
  C:\Windows\System\NTDFROn.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\uNbyylM.exe
  C:\Windows\System\uNbyylM.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\yutgOlc.exe
  C:\Windows\System\yutgOlc.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\Lajzrrc.exe
  C:\Windows\System\Lajzrrc.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\cxrHagk.exe
  C:\Windows\System\cxrHagk.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\JRootCo.exe
  C:\Windows\System\JRootCo.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\UFDlcDj.exe
  C:\Windows\System\UFDlcDj.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\TCUAEbL.exe
  C:\Windows\System\TCUAEbL.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\GRxuXGb.exe
  C:\Windows\System\GRxuXGb.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\akbpTDp.exe
  C:\Windows\System\akbpTDp.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\sJufnjl.exe
  C:\Windows\System\sJufnjl.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\FyINZLa.exe
  C:\Windows\System\FyINZLa.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\EpVMaSj.exe
  C:\Windows\System\EpVMaSj.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\qdCBNPb.exe
  C:\Windows\System\qdCBNPb.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\WwOZpmW.exe
  C:\Windows\System\WwOZpmW.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\ZxKulla.exe
  C:\Windows\System\ZxKulla.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\cCrRkBh.exe
  C:\Windows\System\cCrRkBh.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\SeuFNpd.exe
  C:\Windows\System\SeuFNpd.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\MpEZgLQ.exe
  C:\Windows\System\MpEZgLQ.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\peUEJpX.exe
  C:\Windows\System\peUEJpX.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\PBSqChy.exe
  C:\Windows\System\PBSqChy.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\pVUwqjp.exe
  C:\Windows\System\pVUwqjp.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\WOMsoyS.exe
  C:\Windows\System\WOMsoyS.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\uVQUaTh.exe
  C:\Windows\System\uVQUaTh.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\EDvtiPe.exe
  C:\Windows\System\EDvtiPe.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\IfhlKNJ.exe
  C:\Windows\System\IfhlKNJ.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\LVafGcR.exe
  C:\Windows\System\LVafGcR.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\ofQznTE.exe
  C:\Windows\System\ofQznTE.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\clqaewC.exe
  C:\Windows\System\clqaewC.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\kIFxmbS.exe
  C:\Windows\System\kIFxmbS.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\vXYefnK.exe
  C:\Windows\System\vXYefnK.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\mNuhZJy.exe
  C:\Windows\System\mNuhZJy.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\LPexIQV.exe
  C:\Windows\System\LPexIQV.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\HYzaDEl.exe
  C:\Windows\System\HYzaDEl.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\ZgjTQfp.exe
  C:\Windows\System\ZgjTQfp.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\vOeEaSZ.exe
  C:\Windows\System\vOeEaSZ.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\FTELYDM.exe
  C:\Windows\System\FTELYDM.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\FRQUFax.exe
  C:\Windows\System\FRQUFax.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\xTwIdkE.exe
  C:\Windows\System\xTwIdkE.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\BfBLHwx.exe
  C:\Windows\System\BfBLHwx.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\EmxNVIf.exe
  C:\Windows\System\EmxNVIf.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\WvBRlui.exe
  C:\Windows\System\WvBRlui.exe
  2⤵
  - Executes dropped EXE
  PID:596
- C:\Windows\System\nWEcnqN.exe
  C:\Windows\System\nWEcnqN.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\eCZWAmt.exe
  C:\Windows\System\eCZWAmt.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\iEzPSjN.exe
  C:\Windows\System\iEzPSjN.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\pkWoLQJ.exe
  C:\Windows\System\pkWoLQJ.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\fHTgwRR.exe
  C:\Windows\System\fHTgwRR.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\hQyNEPi.exe
  C:\Windows\System\hQyNEPi.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\MXWuMmE.exe
  C:\Windows\System\MXWuMmE.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\sNPqBNn.exe
  C:\Windows\System\sNPqBNn.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\DCSvZZY.exe
  C:\Windows\System\DCSvZZY.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\jtoUYom.exe
  C:\Windows\System\jtoUYom.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\WKivLot.exe
  C:\Windows\System\WKivLot.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\cdNDwAo.exe
  C:\Windows\System\cdNDwAo.exe
  2⤵
  PID:2440
- C:\Windows\System\EMWSkuA.exe
  C:\Windows\System\EMWSkuA.exe
  2⤵
  PID:5100
- C:\Windows\System\VyeFEKh.exe
  C:\Windows\System\VyeFEKh.exe
  2⤵
  PID:4836
- C:\Windows\System\QucdhFv.exe
  C:\Windows\System\QucdhFv.exe
  2⤵
  PID:1892
- C:\Windows\System\aaroIpt.exe
  C:\Windows\System\aaroIpt.exe
  2⤵
  PID:3428
- C:\Windows\System\gKJLMEO.exe
  C:\Windows\System\gKJLMEO.exe
  2⤵
  PID:4344
- C:\Windows\System\xGKGsBF.exe
  C:\Windows\System\xGKGsBF.exe
  2⤵
  PID:4288
- C:\Windows\System\dbTGWsE.exe
  C:\Windows\System\dbTGWsE.exe
  2⤵
  PID:1824
- C:\Windows\System\upAuZQa.exe
  C:\Windows\System\upAuZQa.exe
  2⤵
  PID:932
- C:\Windows\System\CNouKPH.exe
  C:\Windows\System\CNouKPH.exe
  2⤵
  PID:4936
- C:\Windows\System\lGaKORK.exe
  C:\Windows\System\lGaKORK.exe
  2⤵
  PID:4864
- C:\Windows\System\dIRbkfZ.exe
  C:\Windows\System\dIRbkfZ.exe
  2⤵
  PID:5056
- C:\Windows\System\lvCGKSs.exe
  C:\Windows\System\lvCGKSs.exe
  2⤵
  PID:5144
- C:\Windows\System\qNMJIRl.exe
  C:\Windows\System\qNMJIRl.exe
  2⤵
  PID:5172
- C:\Windows\System\aGFRowM.exe
  C:\Windows\System\aGFRowM.exe
  2⤵
  PID:5196
- C:\Windows\System\RWhQXBg.exe
  C:\Windows\System\RWhQXBg.exe
  2⤵
  PID:5224
- C:\Windows\System\JpNftsX.exe
  C:\Windows\System\JpNftsX.exe
  2⤵
  PID:5256
- C:\Windows\System\pWVWpHK.exe
  C:\Windows\System\pWVWpHK.exe
  2⤵
  PID:5280
- C:\Windows\System\jSTRXnw.exe
  C:\Windows\System\jSTRXnw.exe
  2⤵
  PID:5312
- C:\Windows\System\UjOrjYc.exe
  C:\Windows\System\UjOrjYc.exe
  2⤵
  PID:5340
- C:\Windows\System\QavsdhX.exe
  C:\Windows\System\QavsdhX.exe
  2⤵
  PID:5368
- C:\Windows\System\gbNhHPd.exe
  C:\Windows\System\gbNhHPd.exe
  2⤵
  PID:5396
- C:\Windows\System\lyAqCmQ.exe
  C:\Windows\System\lyAqCmQ.exe
  2⤵
  PID:5424
- C:\Windows\System\pwXfaSG.exe
  C:\Windows\System\pwXfaSG.exe
  2⤵
  PID:5452
- C:\Windows\System\LcssYJU.exe
  C:\Windows\System\LcssYJU.exe
  2⤵
  PID:5480
- C:\Windows\System\hdBKnWC.exe
  C:\Windows\System\hdBKnWC.exe
  2⤵
  PID:5508
- C:\Windows\System\citNpwJ.exe
  C:\Windows\System\citNpwJ.exe
  2⤵
  PID:5536
- C:\Windows\System\yTYXuJf.exe
  C:\Windows\System\yTYXuJf.exe
  2⤵
  PID:5560
- C:\Windows\System\AmpSouV.exe
  C:\Windows\System\AmpSouV.exe
  2⤵
  PID:5592
- C:\Windows\System\OMYWGuh.exe
  C:\Windows\System\OMYWGuh.exe
  2⤵
  PID:5620
- C:\Windows\System\CeFpwjr.exe
  C:\Windows\System\CeFpwjr.exe
  2⤵
  PID:5648
- C:\Windows\System\VuXQsEh.exe
  C:\Windows\System\VuXQsEh.exe
  2⤵
  PID:5676
- C:\Windows\System\lLRlvqJ.exe
  C:\Windows\System\lLRlvqJ.exe
  2⤵
  PID:5704
- C:\Windows\System\reHpeUe.exe
  C:\Windows\System\reHpeUe.exe
  2⤵
  PID:5732
- C:\Windows\System\BXqPoED.exe
  C:\Windows\System\BXqPoED.exe
  2⤵
  PID:5760
- C:\Windows\System\YknIVUT.exe
  C:\Windows\System\YknIVUT.exe
  2⤵
  PID:5788
- C:\Windows\System\hMqzHrI.exe
  C:\Windows\System\hMqzHrI.exe
  2⤵
  PID:5816
- C:\Windows\System\KgaSKEy.exe
  C:\Windows\System\KgaSKEy.exe
  2⤵
  PID:5844
- C:\Windows\System\lGWaNmM.exe
  C:\Windows\System\lGWaNmM.exe
  2⤵
  PID:5872
- C:\Windows\System\eztUmlX.exe
  C:\Windows\System\eztUmlX.exe
  2⤵
  PID:5900
- C:\Windows\System\iBJjnGZ.exe
  C:\Windows\System\iBJjnGZ.exe
  2⤵
  PID:5928
- C:\Windows\System\cYeYTPd.exe
  C:\Windows\System\cYeYTPd.exe
  2⤵
  PID:5956
- C:\Windows\System\RzIcCro.exe
  C:\Windows\System\RzIcCro.exe
  2⤵
  PID:5984
- C:\Windows\System\qOZSMNm.exe
  C:\Windows\System\qOZSMNm.exe
  2⤵
  PID:6012
- C:\Windows\System\sbjDTHn.exe
  C:\Windows\System\sbjDTHn.exe
  2⤵
  PID:6040
- C:\Windows\System\QFQvHeg.exe
  C:\Windows\System\QFQvHeg.exe
  2⤵
  PID:6068
- C:\Windows\System\zqMqyAK.exe
  C:\Windows\System\zqMqyAK.exe
  2⤵
  PID:6096
- C:\Windows\System\SPRAuvz.exe
  C:\Windows\System\SPRAuvz.exe
  2⤵
  PID:6124
- C:\Windows\System\XClUwxB.exe
  C:\Windows\System\XClUwxB.exe
  2⤵
  PID:3624
- C:\Windows\System\AxHvxyw.exe
  C:\Windows\System\AxHvxyw.exe
  2⤵
  PID:336
- C:\Windows\System\MYJKZrQ.exe
  C:\Windows\System\MYJKZrQ.exe
  2⤵
  PID:3736
- C:\Windows\System\DAOdMPG.exe
  C:\Windows\System\DAOdMPG.exe
  2⤵
  PID:4392
- C:\Windows\System\xIIMzLM.exe
  C:\Windows\System\xIIMzLM.exe
  2⤵
  PID:3464
- C:\Windows\System\XkzepLe.exe
  C:\Windows\System\XkzepLe.exe
  2⤵
  PID:2448
- C:\Windows\System\JxCBpcO.exe
  C:\Windows\System\JxCBpcO.exe
  2⤵
  PID:5128
- C:\Windows\System\aotsxUm.exe
  C:\Windows\System\aotsxUm.exe
  2⤵
  PID:5192
- C:\Windows\System\htqauig.exe
  C:\Windows\System\htqauig.exe
  2⤵
  PID:5248
- C:\Windows\System\vXtoYyd.exe
  C:\Windows\System\vXtoYyd.exe
  2⤵
  PID:5324
- C:\Windows\System\IJsHApA.exe
  C:\Windows\System\IJsHApA.exe
  2⤵
  PID:5384
- C:\Windows\System\tKlzvtG.exe
  C:\Windows\System\tKlzvtG.exe
  2⤵
  PID:5444
- C:\Windows\System\vqmxnQp.exe
  C:\Windows\System\vqmxnQp.exe
  2⤵
  PID:5520
- C:\Windows\System\VDXDzPb.exe
  C:\Windows\System\VDXDzPb.exe
  2⤵
  PID:5580
- C:\Windows\System\xopRBbi.exe
  C:\Windows\System\xopRBbi.exe
  2⤵
  PID:5636
- C:\Windows\System\oyhdDPr.exe
  C:\Windows\System\oyhdDPr.exe
  2⤵
  PID:5716
- C:\Windows\System\xHmIPDN.exe
  C:\Windows\System\xHmIPDN.exe
  2⤵
  PID:5776
- C:\Windows\System\jufhhCe.exe
  C:\Windows\System\jufhhCe.exe
  2⤵
  PID:5836
- C:\Windows\System\BIEKVQE.exe
  C:\Windows\System\BIEKVQE.exe
  2⤵
  PID:5912
- C:\Windows\System\JfAeiDp.exe
  C:\Windows\System\JfAeiDp.exe
  2⤵
  PID:5972
- C:\Windows\System\UNnSKEU.exe
  C:\Windows\System\UNnSKEU.exe
  2⤵
  PID:6032
- C:\Windows\System\EpJLqIh.exe
  C:\Windows\System\EpJLqIh.exe
  2⤵
  PID:6108
- C:\Windows\System\tnCnyfc.exe
  C:\Windows\System\tnCnyfc.exe
  2⤵
  PID:1840
- C:\Windows\System\lWDyWMX.exe
  C:\Windows\System\lWDyWMX.exe
  2⤵
  PID:4572
- C:\Windows\System\HYNjGVD.exe
  C:\Windows\System\HYNjGVD.exe
  2⤵
  PID:912
- C:\Windows\System\XJsAHni.exe
  C:\Windows\System\XJsAHni.exe
  2⤵
  PID:5216
- C:\Windows\System\BLTdQfX.exe
  C:\Windows\System\BLTdQfX.exe
  2⤵
  PID:5356
- C:\Windows\System\HKWGgqo.exe
  C:\Windows\System\HKWGgqo.exe
  2⤵
  PID:5496
- C:\Windows\System\tYvQpfw.exe
  C:\Windows\System\tYvQpfw.exe
  2⤵
  PID:5668
- C:\Windows\System\JMzkzIv.exe
  C:\Windows\System\JMzkzIv.exe
  2⤵
  PID:5808
- C:\Windows\System\rGPkazB.exe
  C:\Windows\System\rGPkazB.exe
  2⤵
  PID:6164
- C:\Windows\System\qihZLuX.exe
  C:\Windows\System\qihZLuX.exe
  2⤵
  PID:6192
- C:\Windows\System\rGNkPRH.exe
  C:\Windows\System\rGNkPRH.exe
  2⤵
  PID:6220
- C:\Windows\System\iatfFjb.exe
  C:\Windows\System\iatfFjb.exe
  2⤵
  PID:6248
- C:\Windows\System\kgvigUp.exe
  C:\Windows\System\kgvigUp.exe
  2⤵
  PID:6276
- C:\Windows\System\VFSUUZb.exe
  C:\Windows\System\VFSUUZb.exe
  2⤵
  PID:6304
- C:\Windows\System\nbpSACF.exe
  C:\Windows\System\nbpSACF.exe
  2⤵
  PID:6332
- C:\Windows\System\NhIkDmL.exe
  C:\Windows\System\NhIkDmL.exe
  2⤵
  PID:6360
- C:\Windows\System\zbILDzH.exe
  C:\Windows\System\zbILDzH.exe
  2⤵
  PID:6388
- C:\Windows\System\PUKpJRp.exe
  C:\Windows\System\PUKpJRp.exe
  2⤵
  PID:6416
- C:\Windows\System\CTJlJdm.exe
  C:\Windows\System\CTJlJdm.exe
  2⤵
  PID:6444
- C:\Windows\System\NACisbO.exe
  C:\Windows\System\NACisbO.exe
  2⤵
  PID:6472
- C:\Windows\System\XNeubDL.exe
  C:\Windows\System\XNeubDL.exe
  2⤵
  PID:6500
- C:\Windows\System\rgSvSrj.exe
  C:\Windows\System\rgSvSrj.exe
  2⤵
  PID:6528
- C:\Windows\System\eINjteV.exe
  C:\Windows\System\eINjteV.exe
  2⤵
  PID:6556
- C:\Windows\System\obDIgjn.exe
  C:\Windows\System\obDIgjn.exe
  2⤵
  PID:6584
- C:\Windows\System\hpyTcMI.exe
  C:\Windows\System\hpyTcMI.exe
  2⤵
  PID:6612
- C:\Windows\System\HKdVewn.exe
  C:\Windows\System\HKdVewn.exe
  2⤵
  PID:6640
- C:\Windows\System\DFquhyj.exe
  C:\Windows\System\DFquhyj.exe
  2⤵
  PID:6668
- C:\Windows\System\wZsmquK.exe
  C:\Windows\System\wZsmquK.exe
  2⤵
  PID:6696
- C:\Windows\System\PadJoMr.exe
  C:\Windows\System\PadJoMr.exe
  2⤵
  PID:6724
- C:\Windows\System\SszVMWS.exe
  C:\Windows\System\SszVMWS.exe
  2⤵
  PID:6752
- C:\Windows\System\XKoQeOS.exe
  C:\Windows\System\XKoQeOS.exe
  2⤵
  PID:6780
- C:\Windows\System\nkGOvuO.exe
  C:\Windows\System\nkGOvuO.exe
  2⤵
  PID:6808
- C:\Windows\System\INzOPMK.exe
  C:\Windows\System\INzOPMK.exe
  2⤵
  PID:6836
- C:\Windows\System\sAFDWjr.exe
  C:\Windows\System\sAFDWjr.exe
  2⤵
  PID:6864
- C:\Windows\System\xyYCwSt.exe
  C:\Windows\System\xyYCwSt.exe
  2⤵
  PID:6892
- C:\Windows\System\xsOJKHn.exe
  C:\Windows\System\xsOJKHn.exe
  2⤵
  PID:6920
- C:\Windows\System\BaHuyBJ.exe
  C:\Windows\System\BaHuyBJ.exe
  2⤵
  PID:6948
- C:\Windows\System\bSVgpbQ.exe
  C:\Windows\System\bSVgpbQ.exe
  2⤵
  PID:6976
- C:\Windows\System\ntBLdiR.exe
  C:\Windows\System\ntBLdiR.exe
  2⤵
  PID:7004
- C:\Windows\System\GjRwmTF.exe
  C:\Windows\System\GjRwmTF.exe
  2⤵
  PID:7032
- C:\Windows\System\eumiCMN.exe
  C:\Windows\System\eumiCMN.exe
  2⤵
  PID:7060
- C:\Windows\System\opcgrMy.exe
  C:\Windows\System\opcgrMy.exe
  2⤵
  PID:7088
- C:\Windows\System\LnEwIPi.exe
  C:\Windows\System\LnEwIPi.exe
  2⤵
  PID:7116
- C:\Windows\System\AZbNIAI.exe
  C:\Windows\System\AZbNIAI.exe
  2⤵
  PID:7144
- C:\Windows\System\PnZQWOX.exe
  C:\Windows\System\PnZQWOX.exe
  2⤵
  PID:5940
- C:\Windows\System\ZRXkvVS.exe
  C:\Windows\System\ZRXkvVS.exe
  2⤵
  PID:6060
- C:\Windows\System\ALFyAxy.exe
  C:\Windows\System\ALFyAxy.exe
  2⤵
  PID:4736
- C:\Windows\System\uyxOgzR.exe
  C:\Windows\System\uyxOgzR.exe
  2⤵
  PID:5160
- C:\Windows\System\jwoVLMI.exe
  C:\Windows\System\jwoVLMI.exe
  2⤵
  PID:5556
- C:\Windows\System\eqZkvKu.exe
  C:\Windows\System\eqZkvKu.exe
  2⤵
  PID:6152
- C:\Windows\System\feVFfhp.exe
  C:\Windows\System\feVFfhp.exe
  2⤵
  PID:6212
- C:\Windows\System\sBhcieM.exe
  C:\Windows\System\sBhcieM.exe
  2⤵
  PID:6284
- C:\Windows\System\DbAYEwa.exe
  C:\Windows\System\DbAYEwa.exe
  2⤵
  PID:6348
- C:\Windows\System\lGptaOQ.exe
  C:\Windows\System\lGptaOQ.exe
  2⤵
  PID:6408
- C:\Windows\System\UJDjLuv.exe
  C:\Windows\System\UJDjLuv.exe
  2⤵
  PID:6484
- C:\Windows\System\upMYFDx.exe
  C:\Windows\System\upMYFDx.exe
  2⤵
  PID:6544
- C:\Windows\System\NgZggFs.exe
  C:\Windows\System\NgZggFs.exe
  2⤵
  PID:6604
- C:\Windows\System\PVCmNLk.exe
  C:\Windows\System\PVCmNLk.exe
  2⤵
  PID:6680
- C:\Windows\System\BVrDfZI.exe
  C:\Windows\System\BVrDfZI.exe
  2⤵
  PID:6736
- C:\Windows\System\TSwvZOg.exe
  C:\Windows\System\TSwvZOg.exe
  2⤵
  PID:6796
- C:\Windows\System\HFRqYre.exe
  C:\Windows\System\HFRqYre.exe
  2⤵
  PID:4688
- C:\Windows\System\IwzzDqV.exe
  C:\Windows\System\IwzzDqV.exe
  2⤵
  PID:6908
- C:\Windows\System\qDoOLOj.exe
  C:\Windows\System\qDoOLOj.exe
  2⤵
  PID:6968
- C:\Windows\System\joEABUp.exe
  C:\Windows\System\joEABUp.exe
  2⤵
  PID:7044
- C:\Windows\System\XYZWpot.exe
  C:\Windows\System\XYZWpot.exe
  2⤵
  PID:7104
- C:\Windows\System\ikkiNvN.exe
  C:\Windows\System\ikkiNvN.exe
  2⤵
  PID:5884
- C:\Windows\System\WHCwgBX.exe
  C:\Windows\System\WHCwgBX.exe
  2⤵
  PID:4272
- C:\Windows\System\hIHIbfE.exe
  C:\Windows\System\hIHIbfE.exe
  2⤵
  PID:5436
- C:\Windows\System\iulrFZc.exe
  C:\Windows\System\iulrFZc.exe
  2⤵
  PID:6204
- C:\Windows\System\jbwGZny.exe
  C:\Windows\System\jbwGZny.exe
  2⤵
  PID:6376
- C:\Windows\System\aTdKeUk.exe
  C:\Windows\System\aTdKeUk.exe
  2⤵
  PID:4948
- C:\Windows\System\acSvjAP.exe
  C:\Windows\System\acSvjAP.exe
  2⤵
  PID:6632
- C:\Windows\System\zucMlAp.exe
  C:\Windows\System\zucMlAp.exe
  2⤵
  PID:6716
- C:\Windows\System\MbuNdHV.exe
  C:\Windows\System\MbuNdHV.exe
  2⤵
  PID:4552
- C:\Windows\System\QDghNXC.exe
  C:\Windows\System\QDghNXC.exe
  2⤵
  PID:6876
- C:\Windows\System\wvOfbzR.exe
  C:\Windows\System\wvOfbzR.exe
  2⤵
  PID:6996
- C:\Windows\System\logtkEO.exe
  C:\Windows\System\logtkEO.exe
  2⤵
  PID:4672
- C:\Windows\System\IuXLpIY.exe
  C:\Windows\System\IuXLpIY.exe
  2⤵
  PID:7136
- C:\Windows\System\qBRsaAi.exe
  C:\Windows\System\qBRsaAi.exe
  2⤵
  PID:5748
- C:\Windows\System\yUjQsqH.exe
  C:\Windows\System\yUjQsqH.exe
  2⤵
  PID:2856
- C:\Windows\System\EgrCVuc.exe
  C:\Windows\System\EgrCVuc.exe
  2⤵
  PID:2380
- C:\Windows\System\WLaPCNb.exe
  C:\Windows\System\WLaPCNb.exe
  2⤵
  PID:7192
- C:\Windows\System\AWSjNcB.exe
  C:\Windows\System\AWSjNcB.exe
  2⤵
  PID:7220
- C:\Windows\System\uhJyIwR.exe
  C:\Windows\System\uhJyIwR.exe
  2⤵
  PID:7248
- C:\Windows\System\aidXnOh.exe
  C:\Windows\System\aidXnOh.exe
  2⤵
  PID:7276
- C:\Windows\System\WKbDtzN.exe
  C:\Windows\System\WKbDtzN.exe
  2⤵
  PID:7304
- C:\Windows\System\lMaexPN.exe
  C:\Windows\System\lMaexPN.exe
  2⤵
  PID:7332
- C:\Windows\System\Ivxoban.exe
  C:\Windows\System\Ivxoban.exe
  2⤵
  PID:7360
- C:\Windows\System\LEGbpnK.exe
  C:\Windows\System\LEGbpnK.exe
  2⤵
  PID:7476
- C:\Windows\System\jwgidIE.exe
  C:\Windows\System\jwgidIE.exe
  2⤵
  PID:7512
- C:\Windows\System\IjORjkv.exe
  C:\Windows\System\IjORjkv.exe
  2⤵
  PID:7540
- C:\Windows\System\HavpuwZ.exe
  C:\Windows\System\HavpuwZ.exe
  2⤵
  PID:7564
- C:\Windows\System\fwOzyZc.exe
  C:\Windows\System\fwOzyZc.exe
  2⤵
  PID:7592
- C:\Windows\System\jxaXzKe.exe
  C:\Windows\System\jxaXzKe.exe
  2⤵
  PID:7616
- C:\Windows\System\NnJkUNl.exe
  C:\Windows\System\NnJkUNl.exe
  2⤵
  PID:7652
- C:\Windows\System\jzBUkKr.exe
  C:\Windows\System\jzBUkKr.exe
  2⤵
  PID:7676
- C:\Windows\System\SwoXSPG.exe
  C:\Windows\System\SwoXSPG.exe
  2⤵
  PID:7704
- C:\Windows\System\PebYPpf.exe
  C:\Windows\System\PebYPpf.exe
  2⤵
  PID:7728
- C:\Windows\System\cYfCONz.exe
  C:\Windows\System\cYfCONz.exe
  2⤵
  PID:7772
- C:\Windows\System\bZHRnjB.exe
  C:\Windows\System\bZHRnjB.exe
  2⤵
  PID:7820
- C:\Windows\System\uscIALJ.exe
  C:\Windows\System\uscIALJ.exe
  2⤵
  PID:7848
- C:\Windows\System\LhriOHc.exe
  C:\Windows\System\LhriOHc.exe
  2⤵
  PID:7868
- C:\Windows\System\iBsaFlO.exe
  C:\Windows\System\iBsaFlO.exe
  2⤵
  PID:7888
- C:\Windows\System\XkWVqvE.exe
  C:\Windows\System\XkWVqvE.exe
  2⤵
  PID:7948
- C:\Windows\System\nTruXmd.exe
  C:\Windows\System\nTruXmd.exe
  2⤵
  PID:8000
- C:\Windows\System\CycveJo.exe
  C:\Windows\System\CycveJo.exe
  2⤵
  PID:8044
- C:\Windows\System\xAgbwnt.exe
  C:\Windows\System\xAgbwnt.exe
  2⤵
  PID:8080
- C:\Windows\System\IwRzKiz.exe
  C:\Windows\System\IwRzKiz.exe
  2⤵
  PID:316
- C:\Windows\System\iEsBVIO.exe
  C:\Windows\System\iEsBVIO.exe
  2⤵
  PID:4652
- C:\Windows\System\OrrrHtb.exe
  C:\Windows\System\OrrrHtb.exe
  2⤵
  PID:7020
- C:\Windows\System\DkQfMjz.exe
  C:\Windows\System\DkQfMjz.exe
  2⤵
  PID:2340
- C:\Windows\System\kloOnYm.exe
  C:\Windows\System\kloOnYm.exe
  2⤵
  PID:2484
- C:\Windows\System\PsxTdio.exe
  C:\Windows\System\PsxTdio.exe
  2⤵
  PID:2376
- C:\Windows\System\reKfvcm.exe
  C:\Windows\System\reKfvcm.exe
  2⤵
  PID:7184
- C:\Windows\System\kgMeYaX.exe
  C:\Windows\System\kgMeYaX.exe
  2⤵
  PID:1184
- C:\Windows\System\Rhiffzz.exe
  C:\Windows\System\Rhiffzz.exe
  2⤵
  PID:7240
- C:\Windows\System\XThYNbT.exe
  C:\Windows\System\XThYNbT.exe
  2⤵
  PID:3684
- C:\Windows\System\MxDAjNd.exe
  C:\Windows\System\MxDAjNd.exe
  2⤵
  PID:1876
- C:\Windows\System\lqCAexE.exe
  C:\Windows\System\lqCAexE.exe
  2⤵
  PID:868
- C:\Windows\System\ZaUyVJM.exe
  C:\Windows\System\ZaUyVJM.exe
  2⤵
  PID:7388
- C:\Windows\System\kHtwbhz.exe
  C:\Windows\System\kHtwbhz.exe
  2⤵
  PID:3532
- C:\Windows\System\OawSefS.exe
  C:\Windows\System\OawSefS.exe
  2⤵
  PID:3968
- C:\Windows\System\XPwukAg.exe
  C:\Windows\System\XPwukAg.exe
  2⤵
  PID:2632
- C:\Windows\System\LIsYMOl.exe
  C:\Windows\System\LIsYMOl.exe
  2⤵
  PID:7464
- C:\Windows\System\toSsaCs.exe
  C:\Windows\System\toSsaCs.exe
  2⤵
  PID:7584
- C:\Windows\System\OcSuBTZ.exe
  C:\Windows\System\OcSuBTZ.exe
  2⤵
  PID:7600
- C:\Windows\System\NrbiCJB.exe
  C:\Windows\System\NrbiCJB.exe
  2⤵
  PID:7632
- C:\Windows\System\wQPWURH.exe
  C:\Windows\System\wQPWURH.exe
  2⤵
  PID:7724
- C:\Windows\System\QdoqMDM.exe
  C:\Windows\System\QdoqMDM.exe
  2⤵
  PID:7812
- C:\Windows\System\rbLRanb.exe
  C:\Windows\System\rbLRanb.exe
  2⤵
  PID:7840
- C:\Windows\System\YjiXCfb.exe
  C:\Windows\System\YjiXCfb.exe
  2⤵
  PID:7996
- C:\Windows\System\XASgmaa.exe
  C:\Windows\System\XASgmaa.exe
  2⤵
  PID:7716
- C:\Windows\System\vKdMMvA.exe
  C:\Windows\System\vKdMMvA.exe
  2⤵
  PID:7752
- C:\Windows\System\TtkMOLc.exe
  C:\Windows\System\TtkMOLc.exe
  2⤵
  PID:7856
- C:\Windows\System\vwhXShP.exe
  C:\Windows\System\vwhXShP.exe
  2⤵
  PID:2800
- C:\Windows\System\eMxLbXk.exe
  C:\Windows\System\eMxLbXk.exe
  2⤵
  PID:6140
- C:\Windows\System\GvpVYbZ.exe
  C:\Windows\System\GvpVYbZ.exe
  2⤵
  PID:548
- C:\Windows\System\vyNkGUj.exe
  C:\Windows\System\vyNkGUj.exe
  2⤵
  PID:4668
- C:\Windows\System\kIYwnIh.exe
  C:\Windows\System\kIYwnIh.exe
  2⤵
  PID:7260
- C:\Windows\System\jDFWAHy.exe
  C:\Windows\System\jDFWAHy.exe
  2⤵
  PID:7396
- C:\Windows\System\LXoQKJe.exe
  C:\Windows\System\LXoQKJe.exe
  2⤵
  PID:7352
- C:\Windows\System\qgjTflW.exe
  C:\Windows\System\qgjTflW.exe
  2⤵
  PID:1896
- C:\Windows\System\WpiwDuT.exe
  C:\Windows\System\WpiwDuT.exe
  2⤵
  PID:7748
- C:\Windows\System\ZqVtOpo.exe
  C:\Windows\System\ZqVtOpo.exe
  2⤵
  PID:2492
- C:\Windows\System\oyWGTfv.exe
  C:\Windows\System\oyWGTfv.exe
  2⤵
  PID:8128
- C:\Windows\System\SUdzOVp.exe
  C:\Windows\System\SUdzOVp.exe
  2⤵
  PID:7964
- C:\Windows\System\weCqrUH.exe
  C:\Windows\System\weCqrUH.exe
  2⤵
  PID:6316
- C:\Windows\System\MYBUmBL.exe
  C:\Windows\System\MYBUmBL.exe
  2⤵
  PID:7208
- C:\Windows\System\nyxvStS.exe
  C:\Windows\System\nyxvStS.exe
  2⤵
  PID:3468
- C:\Windows\System\snrZKpw.exe
  C:\Windows\System\snrZKpw.exe
  2⤵
  PID:7936
- C:\Windows\System\AjdVMVc.exe
  C:\Windows\System\AjdVMVc.exe
  2⤵
  PID:7800
- C:\Windows\System\SbEhacJ.exe
  C:\Windows\System\SbEhacJ.exe
  2⤵
  PID:1492
- C:\Windows\System\HAmLGvD.exe
  C:\Windows\System\HAmLGvD.exe
  2⤵
  PID:7664
- C:\Windows\System\CkBSgAd.exe
  C:\Windows\System\CkBSgAd.exe
  2⤵
  PID:7432
- C:\Windows\System\vBnJBkc.exe
  C:\Windows\System\vBnJBkc.exe
  2⤵
  PID:8208
- C:\Windows\System\pRbsjmk.exe
  C:\Windows\System\pRbsjmk.exe
  2⤵
  PID:8252
- C:\Windows\System\nAVfcSQ.exe
  C:\Windows\System\nAVfcSQ.exe
  2⤵
  PID:8276
- C:\Windows\System\jqhCIZM.exe
  C:\Windows\System\jqhCIZM.exe
  2⤵
  PID:8304
- C:\Windows\System\RquEMXP.exe
  C:\Windows\System\RquEMXP.exe
  2⤵
  PID:8344
- C:\Windows\System\aOIHZgG.exe
  C:\Windows\System\aOIHZgG.exe
  2⤵
  PID:8360
- C:\Windows\System\GjpOiFz.exe
  C:\Windows\System\GjpOiFz.exe
  2⤵
  PID:8404
- C:\Windows\System\vnXkwLf.exe
  C:\Windows\System\vnXkwLf.exe
  2⤵
  PID:8424
- C:\Windows\System\FBdjMeb.exe
  C:\Windows\System\FBdjMeb.exe
  2⤵
  PID:8464
- C:\Windows\System\CJGMHur.exe
  C:\Windows\System\CJGMHur.exe
  2⤵
  PID:8480
- C:\Windows\System\QYzAZRC.exe
  C:\Windows\System\QYzAZRC.exe
  2⤵
  PID:8516
- C:\Windows\System\KVOavam.exe
  C:\Windows\System\KVOavam.exe
  2⤵
  PID:8544
- C:\Windows\System\VTkpAwH.exe
  C:\Windows\System\VTkpAwH.exe
  2⤵
  PID:8572
- C:\Windows\System\eymAHJU.exe
  C:\Windows\System\eymAHJU.exe
  2⤵
  PID:8600
- C:\Windows\System\zHAsQnu.exe
  C:\Windows\System\zHAsQnu.exe
  2⤵
  PID:8620
- C:\Windows\System\NdBigPi.exe
  C:\Windows\System\NdBigPi.exe
  2⤵
  PID:8640
- C:\Windows\System\qhPutpu.exe
  C:\Windows\System\qhPutpu.exe
  2⤵
  PID:8672
- C:\Windows\System\FgVDTwO.exe
  C:\Windows\System\FgVDTwO.exe
  2⤵
  PID:8692
- C:\Windows\System\jkkRXvf.exe
  C:\Windows\System\jkkRXvf.exe
  2⤵
  PID:8724
- C:\Windows\System\FtiXnPW.exe
  C:\Windows\System\FtiXnPW.exe
  2⤵
  PID:8752
- C:\Windows\System\kwUPaBg.exe
  C:\Windows\System\kwUPaBg.exe
  2⤵
  PID:8788
- C:\Windows\System\MfSQjgY.exe
  C:\Windows\System\MfSQjgY.exe
  2⤵
  PID:8820
- C:\Windows\System\aDJhwOi.exe
  C:\Windows\System\aDJhwOi.exe
  2⤵
  PID:8848
- C:\Windows\System\tsNNDCm.exe
  C:\Windows\System\tsNNDCm.exe
  2⤵
  PID:8876
- C:\Windows\System\wRqoyCT.exe
  C:\Windows\System\wRqoyCT.exe
  2⤵
  PID:8908
- C:\Windows\System\PDuBKkS.exe
  C:\Windows\System\PDuBKkS.exe
  2⤵
  PID:8940
- C:\Windows\System\cacvySF.exe
  C:\Windows\System\cacvySF.exe
  2⤵
  PID:8964
- C:\Windows\System\ZpmcPeT.exe
  C:\Windows\System\ZpmcPeT.exe
  2⤵
  PID:8992
- C:\Windows\System\vuetUtx.exe
  C:\Windows\System\vuetUtx.exe
  2⤵
  PID:9008
- C:\Windows\System\rkoJIdY.exe
  C:\Windows\System\rkoJIdY.exe
  2⤵
  PID:9024
- C:\Windows\System\OSNNebo.exe
  C:\Windows\System\OSNNebo.exe
  2⤵
  PID:9064
- C:\Windows\System\vlsNiwL.exe
  C:\Windows\System\vlsNiwL.exe
  2⤵
  PID:9092
- C:\Windows\System\cZYbtBS.exe
  C:\Windows\System\cZYbtBS.exe
  2⤵
  PID:9132
- C:\Windows\System\wQZcBSe.exe
  C:\Windows\System\wQZcBSe.exe
  2⤵
  PID:9148
- C:\Windows\System\nNCavNS.exe
  C:\Windows\System\nNCavNS.exe
  2⤵
  PID:9176
- C:\Windows\System\XhtpATE.exe
  C:\Windows\System\XhtpATE.exe
  2⤵
  PID:9196
- C:\Windows\System\EhTFoMm.exe
  C:\Windows\System\EhTFoMm.exe
  2⤵
  PID:7452
- C:\Windows\System\kvuNcQL.exe
  C:\Windows\System\kvuNcQL.exe
  2⤵
  PID:8320
- C:\Windows\System\AmfvsvQ.exe
  C:\Windows\System\AmfvsvQ.exe
  2⤵
  PID:6768
- C:\Windows\System\xVXiuvN.exe
  C:\Windows\System\xVXiuvN.exe
  2⤵
  PID:8420
- C:\Windows\System\wqHPVTq.exe
  C:\Windows\System\wqHPVTq.exe
  2⤵
  PID:8524
- C:\Windows\System\Kfcfzif.exe
  C:\Windows\System\Kfcfzif.exe
  2⤵
  PID:8564
- C:\Windows\System\xBOMmFZ.exe
  C:\Windows\System\xBOMmFZ.exe
  2⤵
  PID:8616
- C:\Windows\System\oixislx.exe
  C:\Windows\System\oixislx.exe
  2⤵
  PID:8688
- C:\Windows\System\BfSjsqe.exe
  C:\Windows\System\BfSjsqe.exe
  2⤵
  PID:8708
- C:\Windows\System\MnyJoEr.exe
  C:\Windows\System\MnyJoEr.exe
  2⤵
  PID:8808
- C:\Windows\System\jrSjYRs.exe
  C:\Windows\System\jrSjYRs.exe
  2⤵
  PID:8864
- C:\Windows\System\aYdidVN.exe
  C:\Windows\System\aYdidVN.exe
  2⤵
  PID:8924
- C:\Windows\System\vJaICHn.exe
  C:\Windows\System\vJaICHn.exe
  2⤵
  PID:9040
- C:\Windows\System\qICnoTe.exe
  C:\Windows\System\qICnoTe.exe
  2⤵
  PID:9140
- C:\Windows\System\azZiMOK.exe
  C:\Windows\System\azZiMOK.exe
  2⤵
  PID:9080
- C:\Windows\System\HyCQqse.exe
  C:\Windows\System\HyCQqse.exe
  2⤵
  PID:8224
- C:\Windows\System\LABQTUo.exe
  C:\Windows\System\LABQTUo.exe
  2⤵
  PID:8244
- C:\Windows\System\yVykQyf.exe
  C:\Windows\System\yVykQyf.exe
  2⤵
  PID:8436
- C:\Windows\System\ePYXijo.exe
  C:\Windows\System\ePYXijo.exe
  2⤵
  PID:8660
- C:\Windows\System\igNDtdK.exe
  C:\Windows\System\igNDtdK.exe
  2⤵
  PID:8764
- C:\Windows\System\PlamtnF.exe
  C:\Windows\System\PlamtnF.exe
  2⤵
  PID:8904
- C:\Windows\System\WZziDSS.exe
  C:\Windows\System\WZziDSS.exe
  2⤵
  PID:9048
- C:\Windows\System\gHLqAYD.exe
  C:\Windows\System\gHLqAYD.exe
  2⤵
  PID:8264
- C:\Windows\System\sNPMXpl.exe
  C:\Windows\System\sNPMXpl.exe
  2⤵
  PID:8628
- C:\Windows\System\kLmblqD.exe
  C:\Windows\System\kLmblqD.exe
  2⤵
  PID:8856
- C:\Windows\System\rLKWaHV.exe
  C:\Windows\System\rLKWaHV.exe
  2⤵
  PID:8560
- C:\Windows\System\KHapIqI.exe
  C:\Windows\System\KHapIqI.exe
  2⤵
  PID:8804
- C:\Windows\System\viIttZe.exe
  C:\Windows\System\viIttZe.exe
  2⤵
  PID:9220
- C:\Windows\System\dneWJDr.exe
  C:\Windows\System\dneWJDr.exe
  2⤵
  PID:9244
- C:\Windows\System\ZGxpIVa.exe
  C:\Windows\System\ZGxpIVa.exe
  2⤵
  PID:9292
- C:\Windows\System\gqJnfbw.exe
  C:\Windows\System\gqJnfbw.exe
  2⤵
  PID:9324
- C:\Windows\System\RTDeBmX.exe
  C:\Windows\System\RTDeBmX.exe
  2⤵
  PID:9352
- C:\Windows\System\gPaywGE.exe
  C:\Windows\System\gPaywGE.exe
  2⤵
  PID:9384
- C:\Windows\System\rKmqgsW.exe
  C:\Windows\System\rKmqgsW.exe
  2⤵
  PID:9408
- C:\Windows\System\dDhpita.exe
  C:\Windows\System\dDhpita.exe
  2⤵
  PID:9428
- C:\Windows\System\DSoYvhP.exe
  C:\Windows\System\DSoYvhP.exe
  2⤵
  PID:9464
- C:\Windows\System\haviYtM.exe
  C:\Windows\System\haviYtM.exe
  2⤵
  PID:9484
- C:\Windows\System\dOiXtzU.exe
  C:\Windows\System\dOiXtzU.exe
  2⤵
  PID:9516
- C:\Windows\System\SGHIUvd.exe
  C:\Windows\System\SGHIUvd.exe
  2⤵
  PID:9544
- C:\Windows\System\LZcYpfl.exe
  C:\Windows\System\LZcYpfl.exe
  2⤵
  PID:9576
- C:\Windows\System\pHTySvc.exe
  C:\Windows\System\pHTySvc.exe
  2⤵
  PID:9616
- C:\Windows\System\oYiYEVu.exe
  C:\Windows\System\oYiYEVu.exe
  2⤵
  PID:9632
- C:\Windows\System\ascfmdu.exe
  C:\Windows\System\ascfmdu.exe
  2⤵
  PID:9660
- C:\Windows\System\tBBDJwA.exe
  C:\Windows\System\tBBDJwA.exe
  2⤵
  PID:9700
- C:\Windows\System\GeKKvZA.exe
  C:\Windows\System\GeKKvZA.exe
  2⤵
  PID:9728
- C:\Windows\System\nXqnCHY.exe
  C:\Windows\System\nXqnCHY.exe
  2⤵
  PID:9756
- C:\Windows\System\QxehkKF.exe
  C:\Windows\System\QxehkKF.exe
  2⤵
  PID:9784
- C:\Windows\System\rDWJEnL.exe
  C:\Windows\System\rDWJEnL.exe
  2⤵
  PID:9800
- C:\Windows\System\VZWGnPY.exe
  C:\Windows\System\VZWGnPY.exe
  2⤵
  PID:9828
- C:\Windows\System\rCHjgeo.exe
  C:\Windows\System\rCHjgeo.exe
  2⤵
  PID:9868
- C:\Windows\System\Uuapzlt.exe
  C:\Windows\System\Uuapzlt.exe
  2⤵
  PID:9884
- C:\Windows\System\UMaOEAx.exe
  C:\Windows\System\UMaOEAx.exe
  2⤵
  PID:9912
- C:\Windows\System\mTwSIfV.exe
  C:\Windows\System\mTwSIfV.exe
  2⤵
  PID:9940
- C:\Windows\System\xjOOwlo.exe
  C:\Windows\System\xjOOwlo.exe
  2⤵
  PID:9960
- C:\Windows\System\VahyRSl.exe
  C:\Windows\System\VahyRSl.exe
  2⤵
  PID:10000
- C:\Windows\System\VFsyFFL.exe
  C:\Windows\System\VFsyFFL.exe
  2⤵
  PID:10024
- C:\Windows\System\JjLwtkW.exe
  C:\Windows\System\JjLwtkW.exe
  2⤵
  PID:10040
- C:\Windows\System\PWUJZcD.exe
  C:\Windows\System\PWUJZcD.exe
  2⤵
  PID:10064
- C:\Windows\System\miBbySD.exe
  C:\Windows\System\miBbySD.exe
  2⤵
  PID:10092
- C:\Windows\System\TDSMJgf.exe
  C:\Windows\System\TDSMJgf.exe
  2⤵
  PID:10148
- C:\Windows\System\fvfwWBG.exe
  C:\Windows\System\fvfwWBG.exe
  2⤵
  PID:10176
- C:\Windows\System\WyMncqa.exe
  C:\Windows\System\WyMncqa.exe
  2⤵
  PID:10204
- C:\Windows\System\iYPgeUw.exe
  C:\Windows\System\iYPgeUw.exe
  2⤵
  PID:10220
- C:\Windows\System\PezavJs.exe
  C:\Windows\System\PezavJs.exe
  2⤵
  PID:9232
- C:\Windows\System\lFtbIng.exe
  C:\Windows\System\lFtbIng.exe
  2⤵
  PID:9300
- C:\Windows\System\LjxxttE.exe
  C:\Windows\System\LjxxttE.exe
  2⤵
  PID:9336
- C:\Windows\System\yglZcix.exe
  C:\Windows\System\yglZcix.exe
  2⤵
  PID:9404
- C:\Windows\System\EFOjMDu.exe
  C:\Windows\System\EFOjMDu.exe
  2⤵
  PID:9500
- C:\Windows\System\rGTwMJq.exe
  C:\Windows\System\rGTwMJq.exe
  2⤵
  PID:9524
- C:\Windows\System\WjrFbbQ.exe
  C:\Windows\System\WjrFbbQ.exe
  2⤵
  PID:9600
- C:\Windows\System\nLtHnPQ.exe
  C:\Windows\System\nLtHnPQ.exe
  2⤵
  PID:9656
- C:\Windows\System\VYRajsX.exe
  C:\Windows\System\VYRajsX.exe
  2⤵
  PID:9768
- C:\Windows\System\fUNOhTB.exe
  C:\Windows\System\fUNOhTB.exe
  2⤵
  PID:9836
- C:\Windows\System\WronODM.exe
  C:\Windows\System\WronODM.exe
  2⤵
  PID:9896
- C:\Windows\System\LETXQUU.exe
  C:\Windows\System\LETXQUU.exe
  2⤵
  PID:9908
- C:\Windows\System\WoHbPSv.exe
  C:\Windows\System\WoHbPSv.exe
  2⤵
  PID:9976
- C:\Windows\System\gLZRuti.exe
  C:\Windows\System\gLZRuti.exe
  2⤵
  PID:10052
- C:\Windows\System\qMEsPEf.exe
  C:\Windows\System\qMEsPEf.exe
  2⤵
  PID:10124
- C:\Windows\System\VGjjbHR.exe
  C:\Windows\System\VGjjbHR.exe
  2⤵
  PID:10232
- C:\Windows\System\uAhquZE.exe
  C:\Windows\System\uAhquZE.exe
  2⤵
  PID:9312
- C:\Windows\System\QEKHJuk.exe
  C:\Windows\System\QEKHJuk.exe
  2⤵
  PID:9368
- C:\Windows\System\vrIDXZo.exe
  C:\Windows\System\vrIDXZo.exe
  2⤵
  PID:9564
- C:\Windows\System\PFuieAC.exe
  C:\Windows\System\PFuieAC.exe
  2⤵
  PID:9720
- C:\Windows\System\PdSWulj.exe
  C:\Windows\System\PdSWulj.exe
  2⤵
  PID:9780
- C:\Windows\System\lBuELne.exe
  C:\Windows\System\lBuELne.exe
  2⤵
  PID:9928
- C:\Windows\System\JYLyKvU.exe
  C:\Windows\System\JYLyKvU.exe
  2⤵
  PID:10116
- C:\Windows\System\xLSgcPc.exe
  C:\Windows\System\xLSgcPc.exe
  2⤵
  PID:9480
- C:\Windows\System\sTbTVzA.exe
  C:\Windows\System\sTbTVzA.exe
  2⤵
  PID:9876
- C:\Windows\System\tWhoMXd.exe
  C:\Windows\System\tWhoMXd.exe
  2⤵
  PID:9228
- C:\Windows\System\LDnJDkS.exe
  C:\Windows\System\LDnJDkS.exe
  2⤵
  PID:9968
- C:\Windows\System\YbFrCDI.exe
  C:\Windows\System\YbFrCDI.exe
  2⤵
  PID:10248
- C:\Windows\System\UbBatpq.exe
  C:\Windows\System\UbBatpq.exe
  2⤵
  PID:10264
- C:\Windows\System\yZeglgT.exe
  C:\Windows\System\yZeglgT.exe
  2⤵
  PID:10280
- C:\Windows\System\xSxGDfJ.exe
  C:\Windows\System\xSxGDfJ.exe
  2⤵
  PID:10304
- C:\Windows\System\deDpSsb.exe
  C:\Windows\System\deDpSsb.exe
  2⤵
  PID:10372
- C:\Windows\System\asdAqdI.exe
  C:\Windows\System\asdAqdI.exe
  2⤵
  PID:10400
- C:\Windows\System\JqjIdqp.exe
  C:\Windows\System\JqjIdqp.exe
  2⤵
  PID:10428
- C:\Windows\System\DGljjPE.exe
  C:\Windows\System\DGljjPE.exe
  2⤵
  PID:10444
- C:\Windows\System\TSJeHjS.exe
  C:\Windows\System\TSJeHjS.exe
  2⤵
  PID:10476
- C:\Windows\System\cmXKVLG.exe
  C:\Windows\System\cmXKVLG.exe
  2⤵
  PID:10500
- C:\Windows\System\PIVZPun.exe
  C:\Windows\System\PIVZPun.exe
  2⤵
  PID:10540
- C:\Windows\System\lSksuTd.exe
  C:\Windows\System\lSksuTd.exe
  2⤵
  PID:10556
- C:\Windows\System\hKZnuZt.exe
  C:\Windows\System\hKZnuZt.exe
  2⤵
  PID:10584
- C:\Windows\System\LxuigSe.exe
  C:\Windows\System\LxuigSe.exe
  2⤵
  PID:10624
- C:\Windows\System\ONPLWyM.exe
  C:\Windows\System\ONPLWyM.exe
  2⤵
  PID:10652
- C:\Windows\System\ZmBCGrx.exe
  C:\Windows\System\ZmBCGrx.exe
  2⤵
  PID:10668
- C:\Windows\System\HZpTBCz.exe
  C:\Windows\System\HZpTBCz.exe
  2⤵
  PID:10684
- C:\Windows\System\lsGoQhh.exe
  C:\Windows\System\lsGoQhh.exe
  2⤵
  PID:10720
- C:\Windows\System\gbMgVrU.exe
  C:\Windows\System\gbMgVrU.exe
  2⤵
  PID:10752
- C:\Windows\System\dMFFTJO.exe
  C:\Windows\System\dMFFTJO.exe
  2⤵
  PID:10784
- C:\Windows\System\tlNTPRW.exe
  C:\Windows\System\tlNTPRW.exe
  2⤵
  PID:10816
- C:\Windows\System\XhFXWWV.exe
  C:\Windows\System\XhFXWWV.exe
  2⤵
  PID:10848
- C:\Windows\System\qVhhuxo.exe
  C:\Windows\System\qVhhuxo.exe
  2⤵
  PID:10864
- C:\Windows\System\lRYzlKl.exe
  C:\Windows\System\lRYzlKl.exe
  2⤵
  PID:10892
- C:\Windows\System\EqBarRq.exe
  C:\Windows\System\EqBarRq.exe
  2⤵
  PID:10932
- C:\Windows\System\PSFmlmY.exe
  C:\Windows\System\PSFmlmY.exe
  2⤵
  PID:10960
- C:\Windows\System\LoduHTg.exe
  C:\Windows\System\LoduHTg.exe
  2⤵
  PID:10988
- C:\Windows\System\gRZCdTi.exe
  C:\Windows\System\gRZCdTi.exe
  2⤵
  PID:11016
- C:\Windows\System\rxLHnlW.exe
  C:\Windows\System\rxLHnlW.exe
  2⤵
  PID:11044
- C:\Windows\System\kpKMnPM.exe
  C:\Windows\System\kpKMnPM.exe
  2⤵
  PID:11072
- C:\Windows\System\ILriALm.exe
  C:\Windows\System\ILriALm.exe
  2⤵
  PID:11100
- C:\Windows\System\boXLiou.exe
  C:\Windows\System\boXLiou.exe
  2⤵
  PID:11116
- C:\Windows\System\xqQKDhD.exe
  C:\Windows\System\xqQKDhD.exe
  2⤵
  PID:11156
- C:\Windows\System\ZStxiAP.exe
  C:\Windows\System\ZStxiAP.exe
  2⤵
  PID:11176
- C:\Windows\System\dymbYDL.exe
  C:\Windows\System\dymbYDL.exe
  2⤵
  PID:11196
- C:\Windows\System\FCgObfu.exe
  C:\Windows\System\FCgObfu.exe
  2⤵
  PID:11216
- C:\Windows\System\qxiMYjV.exe
  C:\Windows\System\qxiMYjV.exe
  2⤵
  PID:11248
- C:\Windows\System\JMVErNW.exe
  C:\Windows\System\JMVErNW.exe
  2⤵
  PID:10300
- C:\Windows\System\NHBwvCJ.exe
  C:\Windows\System\NHBwvCJ.exe
  2⤵
  PID:10276
- C:\Windows\System\IvbDyxH.exe
  C:\Windows\System\IvbDyxH.exe
  2⤵
  PID:10384
- C:\Windows\System\HpbAejk.exe
  C:\Windows\System\HpbAejk.exe
  2⤵
  PID:10492
- C:\Windows\System\jTxgBvD.exe
  C:\Windows\System\jTxgBvD.exe
  2⤵
  PID:10552
- C:\Windows\System\oRqGINo.exe
  C:\Windows\System\oRqGINo.exe
  2⤵
  PID:10600
- C:\Windows\System\GuEqdrt.exe
  C:\Windows\System\GuEqdrt.exe
  2⤵
  PID:10660
- C:\Windows\System\KKyueak.exe
  C:\Windows\System\KKyueak.exe
  2⤵
  PID:10696
- C:\Windows\System\omgzquL.exe
  C:\Windows\System\omgzquL.exe
  2⤵
  PID:10768
- C:\Windows\System\aXKVNhj.exe
  C:\Windows\System\aXKVNhj.exe
  2⤵
  PID:10884
- C:\Windows\System\hkpPwwe.exe
  C:\Windows\System\hkpPwwe.exe
  2⤵
  PID:10944
- C:\Windows\System\aNzDdWa.exe
  C:\Windows\System\aNzDdWa.exe
  2⤵
  PID:11036
- C:\Windows\System\qKnjokk.exe
  C:\Windows\System\qKnjokk.exe
  2⤵
  PID:11084
- C:\Windows\System\rkfvGsD.exe
  C:\Windows\System\rkfvGsD.exe
  2⤵
  PID:11112
- C:\Windows\System\XmYBYUj.exe
  C:\Windows\System\XmYBYUj.exe
  2⤵
  PID:11184
- C:\Windows\System\NzLzSQs.exe
  C:\Windows\System\NzLzSQs.exe
  2⤵
  PID:9508
- C:\Windows\System\oewtmtr.exe
  C:\Windows\System\oewtmtr.exe
  2⤵
  PID:10472
- C:\Windows\System\iLIpqYg.exe
  C:\Windows\System\iLIpqYg.exe
  2⤵
  PID:10512
- C:\Windows\System\yiNwaee.exe
  C:\Windows\System\yiNwaee.exe
  2⤵
  PID:10636
- C:\Windows\System\PuohSwF.exe
  C:\Windows\System\PuohSwF.exe
  2⤵
  PID:10856
- C:\Windows\System\YodoORo.exe
  C:\Windows\System\YodoORo.exe
  2⤵
  PID:11000
- C:\Windows\System\NFRWTuc.exe
  C:\Windows\System\NFRWTuc.exe
  2⤵
  PID:11164
- C:\Windows\System\QSwqRIx.exe
  C:\Windows\System\QSwqRIx.exe
  2⤵
  PID:10084
- C:\Windows\System\YhzpTvI.exe
  C:\Windows\System\YhzpTvI.exe
  2⤵
  PID:10712
- C:\Windows\System\qVzRroU.exe
  C:\Windows\System\qVzRroU.exe
  2⤵
  PID:11008
- C:\Windows\System\qLJcnNn.exe
  C:\Windows\System\qLJcnNn.exe
  2⤵
  PID:10440
- C:\Windows\System\abUZwMw.exe
  C:\Windows\System\abUZwMw.exe
  2⤵
  PID:11088
- C:\Windows\System\EjUnNaR.exe
  C:\Windows\System\EjUnNaR.exe
  2⤵
  PID:11272
- C:\Windows\System\mVvDbSO.exe
  C:\Windows\System\mVvDbSO.exe
  2⤵
  PID:11312
- C:\Windows\System\xctYtqJ.exe
  C:\Windows\System\xctYtqJ.exe
  2⤵
  PID:11340
- C:\Windows\System\mnuasiL.exe
  C:\Windows\System\mnuasiL.exe
  2⤵
  PID:11368
- C:\Windows\System\ItrbPpe.exe
  C:\Windows\System\ItrbPpe.exe
  2⤵
  PID:11396
- C:\Windows\System\pRnKwxz.exe
  C:\Windows\System\pRnKwxz.exe
  2⤵
  PID:11424
- C:\Windows\System\KAlsulC.exe
  C:\Windows\System\KAlsulC.exe
  2⤵
  PID:11452
- C:\Windows\System\iOHNiUw.exe
  C:\Windows\System\iOHNiUw.exe
  2⤵
  PID:11468
- C:\Windows\System\PudvEbE.exe
  C:\Windows\System\PudvEbE.exe
  2⤵
  PID:11508
- C:\Windows\System\ZhAopRQ.exe
  C:\Windows\System\ZhAopRQ.exe
  2⤵
  PID:11536
- C:\Windows\System\AyCmQmg.exe
  C:\Windows\System\AyCmQmg.exe
  2⤵
  PID:11564
- C:\Windows\System\VUwxGXl.exe
  C:\Windows\System\VUwxGXl.exe
  2⤵
  PID:11592
- C:\Windows\System\UxNFHUg.exe
  C:\Windows\System\UxNFHUg.exe
  2⤵
  PID:11620
- C:\Windows\System\lRLNkXF.exe
  C:\Windows\System\lRLNkXF.exe
  2⤵
  PID:11648
- C:\Windows\System\LpkrNWA.exe
  C:\Windows\System\LpkrNWA.exe
  2⤵
  PID:11676
- C:\Windows\System\gcUMYHG.exe
  C:\Windows\System\gcUMYHG.exe
  2⤵
  PID:11704
- C:\Windows\System\zVkAEch.exe
  C:\Windows\System\zVkAEch.exe
  2⤵
  PID:11728
- C:\Windows\System\ChMAKbe.exe
  C:\Windows\System\ChMAKbe.exe
  2⤵
  PID:11748
- C:\Windows\System\NVyWvnO.exe
  C:\Windows\System\NVyWvnO.exe
  2⤵
  PID:11776
- C:\Windows\System\IfCroIQ.exe
  C:\Windows\System\IfCroIQ.exe
  2⤵
  PID:11804
- C:\Windows\System\EPitpoD.exe
  C:\Windows\System\EPitpoD.exe
  2⤵
  PID:11832
- C:\Windows\System\mMnnIaq.exe
  C:\Windows\System\mMnnIaq.exe
  2⤵
  PID:11860
- C:\Windows\System\hrueozE.exe
  C:\Windows\System\hrueozE.exe
  2⤵
  PID:11900
- C:\Windows\System\tQxRDMU.exe
  C:\Windows\System\tQxRDMU.exe
  2⤵
  PID:11928
- C:\Windows\System\LdpwsUM.exe
  C:\Windows\System\LdpwsUM.exe
  2⤵
  PID:11956
- C:\Windows\System\SjpyYMz.exe
  C:\Windows\System\SjpyYMz.exe
  2⤵
  PID:11984
- C:\Windows\System\fCOvedh.exe
  C:\Windows\System\fCOvedh.exe
  2⤵
  PID:12000
- C:\Windows\System\MSJmdwH.exe
  C:\Windows\System\MSJmdwH.exe
  2⤵
  PID:12020
- C:\Windows\System\mSbEfIO.exe
  C:\Windows\System\mSbEfIO.exe
  2⤵
  PID:12040
- C:\Windows\System\ZBfMOqr.exe
  C:\Windows\System\ZBfMOqr.exe
  2⤵
  PID:12084
- C:\Windows\System\rZcYpLe.exe
  C:\Windows\System\rZcYpLe.exe
  2⤵
  PID:12112
- C:\Windows\System\UmapnTo.exe
  C:\Windows\System\UmapnTo.exe
  2⤵
  PID:12140
- C:\Windows\System\jyTrJlJ.exe
  C:\Windows\System\jyTrJlJ.exe
  2⤵
  PID:12160
- C:\Windows\System\DYeeNdz.exe
  C:\Windows\System\DYeeNdz.exe
  2⤵
  PID:12196
- C:\Windows\System\awpHLPS.exe
  C:\Windows\System\awpHLPS.exe
  2⤵
  PID:12232
- C:\Windows\System\kZmfgDC.exe
  C:\Windows\System\kZmfgDC.exe
  2⤵
  PID:12252
- C:\Windows\System\uNmbQqS.exe
  C:\Windows\System\uNmbQqS.exe
  2⤵
  PID:12280
- C:\Windows\System\qxvPPzG.exe
  C:\Windows\System\qxvPPzG.exe
  2⤵
  PID:11308
- C:\Windows\System\nDPUNWh.exe
  C:\Windows\System\nDPUNWh.exe
  2⤵
  PID:11364
- C:\Windows\System\QPEFozH.exe
  C:\Windows\System\QPEFozH.exe
  2⤵
  PID:11416
- C:\Windows\System\rjgsbvx.exe
  C:\Windows\System\rjgsbvx.exe
  2⤵
  PID:11488
- C:\Windows\System\fbHHVQP.exe
  C:\Windows\System\fbHHVQP.exe
  2⤵
  PID:11604
- C:\Windows\System\dlZBpYH.exe
  C:\Windows\System\dlZBpYH.exe
  2⤵
  PID:11640
- C:\Windows\System\bfXqmjl.exe
  C:\Windows\System\bfXqmjl.exe
  2⤵
  PID:11700
- C:\Windows\System\yfkTwIG.exe
  C:\Windows\System\yfkTwIG.exe
  2⤵
  PID:11760
- C:\Windows\System\WUXlaGQ.exe
  C:\Windows\System\WUXlaGQ.exe
  2⤵
  PID:11824
- C:\Windows\System\OYgOHKp.exe
  C:\Windows\System\OYgOHKp.exe
  2⤵
  PID:11896
- C:\Windows\System\UoqkWfG.exe
  C:\Windows\System\UoqkWfG.exe
  2⤵
  PID:11980
- C:\Windows\System\fSSVaJd.exe
  C:\Windows\System\fSSVaJd.exe
  2⤵
  PID:12016
- C:\Windows\System\rChKjmA.exe
  C:\Windows\System\rChKjmA.exe
  2⤵
  PID:12056
- C:\Windows\System\emhePVt.exe
  C:\Windows\System\emhePVt.exe
  2⤵
  PID:12136
- C:\Windows\System\AyZEnpK.exe
  C:\Windows\System\AyZEnpK.exe
  2⤵
  PID:12184
- C:\Windows\System\dmBGPSj.exe
  C:\Windows\System\dmBGPSj.exe
  2⤵
  PID:12240
- C:\Windows\System\YZmFOmg.exe
  C:\Windows\System\YZmFOmg.exe
  2⤵
  PID:11444
- C:\Windows\System\JMgOxSz.exe
  C:\Windows\System\JMgOxSz.exe
  2⤵
  PID:11552
- C:\Windows\System\fBVSitm.exe
  C:\Windows\System\fBVSitm.exe
  2⤵
  PID:11716
- C:\Windows\System\loBiHNf.exe
  C:\Windows\System\loBiHNf.exe
  2⤵
  PID:11744
- C:\Windows\System\KiOBkOZ.exe
  C:\Windows\System\KiOBkOZ.exe
  2⤵
  PID:12008
- C:\Windows\System\gQwGSrE.exe
  C:\Windows\System\gQwGSrE.exe
  2⤵
  PID:12188
- C:\Windows\System\MJPBtCv.exe
  C:\Windows\System\MJPBtCv.exe
  2⤵
  PID:11288
- C:\Windows\System\yJattyM.exe
  C:\Windows\System\yJattyM.exe
  2⤵
  PID:11992
- C:\Windows\System\mLajOyC.exe
  C:\Windows\System\mLajOyC.exe
  2⤵
  PID:12220
- C:\Windows\System\MKnLsqh.exe
  C:\Windows\System\MKnLsqh.exe
  2⤵
  PID:11968
- C:\Windows\System\XfdHSeF.exe
  C:\Windows\System\XfdHSeF.exe
  2⤵
  PID:12296
- C:\Windows\System\PTnoZMA.exe
  C:\Windows\System\PTnoZMA.exe
  2⤵
  PID:12312
- C:\Windows\System\kCXcACe.exe
  C:\Windows\System\kCXcACe.exe
  2⤵
  PID:12352
- C:\Windows\System\raAYubZ.exe
  C:\Windows\System\raAYubZ.exe
  2⤵
  PID:12368
- C:\Windows\System\PfxJJsM.exe
  C:\Windows\System\PfxJJsM.exe
  2⤵
  PID:12396
- C:\Windows\System\mhoEXGw.exe
  C:\Windows\System\mhoEXGw.exe
  2⤵
  PID:12436
- C:\Windows\System\zvIqLlf.exe
  C:\Windows\System\zvIqLlf.exe
  2⤵
  PID:12464
- C:\Windows\System\sXFkxgW.exe
  C:\Windows\System\sXFkxgW.exe
  2⤵
  PID:12516
- C:\Windows\System\jGYwLWF.exe
  C:\Windows\System\jGYwLWF.exe
  2⤵
  PID:12532
- C:\Windows\System\mtgyexE.exe
  C:\Windows\System\mtgyexE.exe
  2⤵
  PID:12556
- C:\Windows\System\XOORsbP.exe
  C:\Windows\System\XOORsbP.exe
  2⤵
  PID:12584
- C:\Windows\System\bkjgJzC.exe
  C:\Windows\System\bkjgJzC.exe
  2⤵
  PID:12636
- C:\Windows\System\qsVNpXd.exe
  C:\Windows\System\qsVNpXd.exe
  2⤵
  PID:12656
- C:\Windows\System\EZuWymP.exe
  C:\Windows\System\EZuWymP.exe
  2⤵
  PID:12688
- C:\Windows\System\OdUqIqN.exe
  C:\Windows\System\OdUqIqN.exe
  2⤵
  PID:12712
- C:\Windows\System\BkziLdU.exe
  C:\Windows\System\BkziLdU.exe
  2⤵
  PID:12740
- C:\Windows\System\uCrwXRh.exe
  C:\Windows\System\uCrwXRh.exe
  2⤵
  PID:12776
- C:\Windows\System\lGYSYVJ.exe
  C:\Windows\System\lGYSYVJ.exe
  2⤵
  PID:12808
- C:\Windows\System\XUonbwn.exe
  C:\Windows\System\XUonbwn.exe
  2⤵
  PID:12836
- C:\Windows\System\dnEanGN.exe
  C:\Windows\System\dnEanGN.exe
  2⤵
  PID:12876
- C:\Windows\System\HQAomnp.exe
  C:\Windows\System\HQAomnp.exe
  2⤵
  PID:12892
- C:\Windows\System\uHNRBIU.exe
  C:\Windows\System\uHNRBIU.exe
  2⤵
  PID:12932
- C:\Windows\System\geBMTlj.exe
  C:\Windows\System\geBMTlj.exe
  2⤵
  PID:12960
- C:\Windows\System\TfZjheD.exe
  C:\Windows\System\TfZjheD.exe
  2⤵
  PID:12976
- C:\Windows\System\MTdDRJl.exe
  C:\Windows\System\MTdDRJl.exe
  2⤵
  PID:13008
- C:\Windows\System\hVgbpBN.exe
  C:\Windows\System\hVgbpBN.exe
  2⤵
  PID:13048
- C:\Windows\System\XiaIiqR.exe
  C:\Windows\System\XiaIiqR.exe
  2⤵
  PID:13076
- C:\Windows\System\dwzhTBg.exe
  C:\Windows\System\dwzhTBg.exe
  2⤵
  PID:13092
- C:\Windows\System\EsjgDZY.exe
  C:\Windows\System\EsjgDZY.exe
  2⤵
  PID:13132
- C:\Windows\System\dlNEOsx.exe
  C:\Windows\System\dlNEOsx.exe
  2⤵
  PID:13164
- C:\Windows\System\FdYpNAo.exe
  C:\Windows\System\FdYpNAo.exe
  2⤵
  PID:13184
- C:\Windows\System\fRqhSXx.exe
  C:\Windows\System\fRqhSXx.exe
  2⤵
  PID:13220
- C:\Windows\System\VtFFZYf.exe
  C:\Windows\System\VtFFZYf.exe
  2⤵
  PID:13248
- C:\Windows\System\HalwDbp.exe
  C:\Windows\System\HalwDbp.exe
  2⤵
  PID:13264
- C:\Windows\System\hLdpPGD.exe
  C:\Windows\System\hLdpPGD.exe
  2⤵
  PID:13304
- C:\Windows\System\xLwITpX.exe
  C:\Windows\System\xLwITpX.exe
  2⤵
  PID:12308
- C:\Windows\System\PZWcLwl.exe
  C:\Windows\System\PZWcLwl.exe
  2⤵
  PID:12384
- C:\Windows\System\zywSvie.exe
  C:\Windows\System\zywSvie.exe
  2⤵
  PID:12432
- C:\Windows\System\JGMnYLX.exe
  C:\Windows\System\JGMnYLX.exe
  2⤵
  PID:12512
- C:\Windows\System\VSOgFdB.exe
  C:\Windows\System\VSOgFdB.exe
  2⤵
  PID:12548
- C:\Windows\System\aDmxnjB.exe
  C:\Windows\System\aDmxnjB.exe
  2⤵
  PID:12648
- C:\Windows\System\xhFdaYE.exe
  C:\Windows\System\xhFdaYE.exe
  2⤵
  PID:12756
- C:\Windows\System\LlCRvYz.exe
  C:\Windows\System\LlCRvYz.exe
  2⤵
  PID:12800
- C:\Windows\System\cVYGKMg.exe
  C:\Windows\System\cVYGKMg.exe
  2⤵
  PID:12872
- C:\Windows\System\YbHdGoN.exe
  C:\Windows\System\YbHdGoN.exe
  2⤵
  PID:12944
- C:\Windows\System\ujcgpnR.exe
  C:\Windows\System\ujcgpnR.exe
  2⤵
  PID:13000
- C:\Windows\System\SnaoOhb.exe
  C:\Windows\System\SnaoOhb.exe
  2⤵
  PID:13068
- C:\Windows\System\aYAmIom.exe
  C:\Windows\System\aYAmIom.exe
  2⤵
  PID:13120
- C:\Windows\System\twzKOFL.exe
  C:\Windows\System\twzKOFL.exe
  2⤵
  PID:13204
- C:\Windows\System\rXZoVri.exe
  C:\Windows\System\rXZoVri.exe
  2⤵
  PID:13292
- C:\Windows\System\tYARlfd.exe
  C:\Windows\System\tYARlfd.exe
  2⤵
  PID:12388
- C:\Windows\System\nHmiBpd.exe
  C:\Windows\System\nHmiBpd.exe
  2⤵
  PID:12420
- C:\Windows\System\yIoOZld.exe
  C:\Windows\System\yIoOZld.exe
  2⤵
  PID:12524
- C:\Windows\System\TPYYzTp.exe
  C:\Windows\System\TPYYzTp.exe
  2⤵
  PID:12568
- C:\Windows\System\HDgbMSP.exe
  C:\Windows\System\HDgbMSP.exe
  2⤵
  PID:12820
- C:\Windows\System\kzBiTZC.exe
  C:\Windows\System\kzBiTZC.exe
  2⤵
  PID:13028
- C:\Windows\System\LEptXbM.exe
  C:\Windows\System\LEptXbM.exe
  2⤵
  PID:13112
- C:\Windows\System\GKejlxO.exe
  C:\Windows\System\GKejlxO.exe
  2⤵
  PID:13256
- C:\Windows\System\BWxVdah.exe
  C:\Windows\System\BWxVdah.exe
  2⤵
  PID:12452
- C:\Windows\System\SYHWzux.exe
  C:\Windows\System\SYHWzux.exe
  2⤵
  PID:12620
- C:\Windows\System\ZrLzRfk.exe
  C:\Windows\System\ZrLzRfk.exe
  2⤵
  PID:2196
- C:\Windows\System\CLThNyP.exe
  C:\Windows\System\CLThNyP.exe
  2⤵
  PID:13284
- C:\Windows\System\VqtKWLZ.exe
  C:\Windows\System\VqtKWLZ.exe
  2⤵
  PID:12768
- C:\Windows\System\SXKtDwC.exe
  C:\Windows\System\SXKtDwC.exe
  2⤵
  PID:13336
- C:\Windows\System\eTVZpif.exe
  C:\Windows\System\eTVZpif.exe
  2⤵
  PID:13368
- C:\Windows\System\wvluRzY.exe
  C:\Windows\System\wvluRzY.exe
  2⤵
  PID:13392
- C:\Windows\System\XEsjAPh.exe
  C:\Windows\System\XEsjAPh.exe
  2⤵
  PID:13412
- C:\Windows\System\kNmCwCK.exe
  C:\Windows\System\kNmCwCK.exe
  2⤵
  PID:13440
- C:\Windows\System\lkRngzp.exe
  C:\Windows\System\lkRngzp.exe
  2⤵
  PID:13468
- C:\Windows\System\WUbsRMC.exe
  C:\Windows\System\WUbsRMC.exe
  2⤵
  PID:13540
- C:\Windows\System\YsBWbCl.exe
  C:\Windows\System\YsBWbCl.exe
  2⤵
  PID:13568
- C:\Windows\System\OYnnnoS.exe
  C:\Windows\System\OYnnnoS.exe
  2⤵
  PID:13592
- C:\Windows\System\XKhIsjQ.exe
  C:\Windows\System\XKhIsjQ.exe
  2⤵
  PID:13624
- C:\Windows\System\QFDiBmV.exe
  C:\Windows\System\QFDiBmV.exe
  2⤵
  PID:13656
- C:\Windows\System\aCmNuKd.exe
  C:\Windows\System\aCmNuKd.exe
  2⤵
  PID:13708
- C:\Windows\System\dCvjKfi.exe
  C:\Windows\System\dCvjKfi.exe
  2⤵
  PID:13724
- C:\Windows\System\kicHSwl.exe
  C:\Windows\System\kicHSwl.exe
  2⤵
  PID:13744
- C:\Windows\System\RIAioZd.exe
  C:\Windows\System\RIAioZd.exe
  2⤵
  PID:13780
- C:\Windows\System\KBpHxrH.exe
  C:\Windows\System\KBpHxrH.exe
  2⤵
  PID:13816
- C:\Windows\System\AcAAvVT.exe
  C:\Windows\System\AcAAvVT.exe
  2⤵
  PID:13856
- C:\Windows\System\aFtkrCl.exe
  C:\Windows\System\aFtkrCl.exe
  2⤵
  PID:13892
- C:\Windows\System\zofJFgX.exe
  C:\Windows\System\zofJFgX.exe
  2⤵
  PID:13940
- C:\Windows\System\pNOFKqv.exe
  C:\Windows\System\pNOFKqv.exe
  2⤵
  PID:13960
- C:\Windows\System\jkJjLSi.exe
  C:\Windows\System\jkJjLSi.exe
  2⤵
  PID:14004
- C:\Windows\System\TfYkkpC.exe
  C:\Windows\System\TfYkkpC.exe
  2⤵
  PID:14032
- C:\Windows\System\mZFlcHc.exe
  C:\Windows\System\mZFlcHc.exe
  2⤵
  PID:14060
- C:\Windows\System\QtnunGn.exe
  C:\Windows\System\QtnunGn.exe
  2⤵
  PID:14088
- C:\Windows\System\rldLEkK.exe
  C:\Windows\System\rldLEkK.exe
  2⤵
  PID:14108
- C:\Windows\System\ZGZnQbf.exe
  C:\Windows\System\ZGZnQbf.exe
  2⤵
  PID:14160
- C:\Windows\System\FBDDvDO.exe
  C:\Windows\System\FBDDvDO.exe
  2⤵
  PID:14200
- C:\Windows\System\gWZSmBH.exe
  C:\Windows\System\gWZSmBH.exe
  2⤵
  PID:14216
- C:\Windows\System\GOAQDro.exe
  C:\Windows\System\GOAQDro.exe
  2⤵
  PID:14260
- C:\Windows\System\hxaujXR.exe
  C:\Windows\System\hxaujXR.exe
  2⤵
  PID:14276
- C:\Windows\System\FSIrsEF.exe
  C:\Windows\System\FSIrsEF.exe
  2⤵
  PID:14316
- C:\Windows\System\PFsfhMS.exe
  C:\Windows\System\PFsfhMS.exe
  2⤵
  PID:4608
- C:\Windows\System\UPnVxKY.exe
  C:\Windows\System\UPnVxKY.exe
  2⤵
  PID:13324
- C:\Windows\System\YLzeYDI.exe
  C:\Windows\System\YLzeYDI.exe
  2⤵
  PID:13460
- C:\Windows\System\qafjlby.exe
  C:\Windows\System\qafjlby.exe
  2⤵
  PID:13560
- C:\Windows\System\IJBgsya.exe
  C:\Windows\System\IJBgsya.exe
  2⤵
  PID:13588
- C:\Windows\System\DqayvVx.exe
  C:\Windows\System\DqayvVx.exe
  2⤵
  PID:13676
- C:\Windows\System\TMzUdBw.exe
  C:\Windows\System\TMzUdBw.exe
  2⤵
  PID:13716
- C:\Windows\System\ROcvlZC.exe
  C:\Windows\System\ROcvlZC.exe
  2⤵
  PID:13776
- C:\Windows\System\nAMEaJZ.exe
  C:\Windows\System\nAMEaJZ.exe
  2⤵
  PID:13956
- C:\Windows\System\jPKKQhp.exe
  C:\Windows\System\jPKKQhp.exe
  2⤵
  PID:14016
- C:\Windows\System\Djnuaot.exe
  C:\Windows\System\Djnuaot.exe
  2⤵
  PID:13148
- C:\Windows\System\azeQpvQ.exe
  C:\Windows\System\azeQpvQ.exe
  2⤵
  PID:14100
- C:\Windows\System\sVnnYxH.exe
  C:\Windows\System\sVnnYxH.exe
  2⤵
  PID:14208
- C:\Windows\System\NpSjwXf.exe
  C:\Windows\System\NpSjwXf.exe
  2⤵
  PID:14240
- C:\Windows\System\CQInQEp.exe
  C:\Windows\System\CQInQEp.exe
  2⤵
  PID:2168
- C:\Windows\System\ToCAcST.exe
  C:\Windows\System\ToCAcST.exe
  2⤵
  PID:13456
- C:\Windows\System\lltoHdk.exe
  C:\Windows\System\lltoHdk.exe
  2⤵
  PID:13548
- C:\Windows\System\TFeCkir.exe
  C:\Windows\System\TFeCkir.exe
  2⤵
  PID:1716
- C:\Windows\System\dlPByUq.exe
  C:\Windows\System\dlPByUq.exe
  2⤵
  PID:14148
- C:\Windows\System\NgEnUTB.exe
  C:\Windows\System\NgEnUTB.exe
  2⤵
  PID:12968
- C:\Windows\System\MgsjSBR.exe
  C:\Windows\System\MgsjSBR.exe
  2⤵
  PID:376
- C:\Windows\System\Wtzkfyi.exe
  C:\Windows\System\Wtzkfyi.exe
  2⤵
  PID:13992
- C:\Windows\System\QkRMGec.exe
  C:\Windows\System\QkRMGec.exe
  2⤵
  PID:14272
- C:\Windows\System\IuKJttb.exe
  C:\Windows\System\IuKJttb.exe
  2⤵
  PID:14348
- C:\Windows\System\OXWAiNk.exe
  C:\Windows\System\OXWAiNk.exe
  2⤵
  PID:14412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:14784
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:14236

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:15244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9584

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6036

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5620

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10476

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml

Filesize
97B

MD5
292a283bdecf4cd89c3ad863a28bc72f

SHA1
18e896fec5f8b3ea2963d0a5cb45a244050c35c1

SHA256
09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

SHA512
71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133608851343539538.txt.~tmp

Filesize
75KB

MD5
ce88a108043a3d69e5325754ba9c7181

SHA1
c64f06b8081f5ec0ae7c0e1fe7b0f248aa6550c4

SHA256
b2552766ebb3469549cea5b6b609077fa6e38c000eba6befadfd275e11a8095e

SHA512
cb5e53fb1520b68178ad465cde801ed779521b843de44f894fc8fdbd071f33f663a60f570b134ff0996bf407ef9ecee72810b16dd9276469e6b0efb5d5c85829

Download Submit
C:\Windows\System\EKabxIS.exe

Filesize
2.0MB

MD5
3cd55e4f5532ec686b461a066bc2610d

SHA1
eaff2e0f7a7e1599e0f3a3d17be6b76a89cfe977

SHA256
99e9055e36c8945ea8d5dc54c95fee2c099d7bff89b16bcec09b18d8f550d01c

SHA512
2846540202b61a03a16228335e216179918a339996e3724afb627bf469b59d924d0cc474659b59b71b1febcb04e4c75e0cddb00e11e5ff3e6e9f86f43c59a3a9

Download Submit
C:\Windows\System\EpVMaSj.exe

Filesize
2.0MB

MD5
581e4b8dfe4fa7899a064112cfddd7b4

SHA1
241e8bef79ca6d18c718b01df433a13a819a5c34

SHA256
8875b525fb07700dc3e3c4cb3909311f7122729095948b3509d8aa40a70fe49a

SHA512
5b05e6584bdcbbd9682879d1b41e646d7470885f7145cf1fd06ece9b7204ab89230753be184304a5a582b90eaf913f0fc7003990c90da28fe2734de808759a49

Download Submit
C:\Windows\System\FyINZLa.exe

Filesize
2.0MB

MD5
db43f62c58eaae10bd585a3266eb2328

SHA1
9fa15cebf29c24dfd7d92d851dc5f82c7152bb51

SHA256
b9259376861fd83a431d5915528d0cb99c5b4eed02020dc40e2ea874d3af187c

SHA512
2fe39788a4c367ed291bf48e0b7f361cd8d10f98a1b3b102c3459a08a4b1e8055f007a2140c4ac71528b16ab2461bda338f374cc40bb9ee6630f01532a7d38c8

Download Submit
C:\Windows\System\GHAczAk.exe

Filesize
2.0MB

MD5
2fe83c41c58ee88a29e954ffcd60bc3c

SHA1
31c6bc4984a37a112d114141ad3ae45955989ca5

SHA256
6aa82a8a42f76e7241cac4b0bd0ecf18574cb8e40ceca2768a612938cb799579

SHA512
86993dd918475ee02fdee3b0eaa796cc0ec694b7bdd01431954d1aa6d1c2a81ce84decdfc43993f9dae667303f9fe12c58281866909b2096d16b1326b00eaf41

Download Submit
C:\Windows\System\GRxuXGb.exe

Filesize
2.0MB

MD5
d91b902b278bae14373e38a2653c5b53

SHA1
88866a3e3f58d6f74f73534b601817c48dc9625c

SHA256
9f121df0cc8fd7c9c73d3a85733389322f422fd398aaa5aa589049461c143f27

SHA512
b167ed7b1283f216fab3bd92de6d8e81d642455637c8f98af5aeb46bef4c75b95ab0113ec94eccada50bccbb185ac4ee51d0a395003d2b3208ee37a41e8fd82f

Download Submit
C:\Windows\System\HpWOXIk.exe

Filesize
2.0MB

MD5
582c35764fc6760f575a504cce1d0648

SHA1
4edbb334cc080fb60584eaee8a849d026a8f2ee3

SHA256
3708323c6b3eb5324e9386334b9aac73d7ecb2cba506194436fee858b6dda105

SHA512
242762336902e84a869b5826a5e2f46d5b133ad4df7c115c821c1975dac4e32dfa8a565b9b5cd016cd4957aa5a27e95ea8e5029ec5be7518b695ca1def484f33

Download Submit
C:\Windows\System\HvlJKdt.exe

Filesize
2.0MB

MD5
ef01e6b42d6a23865936ae66c497ed6d

SHA1
dd1168b76e31b04e8e1da8c6d9f66e17fa4c3306

SHA256
ee4cc7787b1fa113ba4c9e142c0ebedaade88a432c3dfdd83dd9013e6197c21f

SHA512
6bb35f773ce7bd0847710b7c69e5d27fff3d038dc3da426e6972661a5797a3581733522f3eb70b06ef88ff06e62c60eb1e17e5c2fb700d2ac0aef376455f0ce7

Download Submit
C:\Windows\System\JRootCo.exe

Filesize
2.0MB

MD5
a6aa6340c18fefc3f9d21f8ed5ec1ad1

SHA1
70822d243af5ccc35812595194ac001633b7056f

SHA256
184d08ba30ee9399f98426679a4f655badb19d6fb44f6ea35a10ab5613fcfb38

SHA512
e7b3b35ca571bcb258e9bd8135398e76742adfbc935746a89193a60f6e7b03d7aa066168ab06126ac4085defdff0cb0b934ab595af50b4f31e8a9bd5c0410e73

Download Submit
C:\Windows\System\Lajzrrc.exe

Filesize
2.0MB

MD5
b09dfd40254cb4264d55c0cf11c6ed07

SHA1
c1aaa8a32d582afa0163980c1fc8d88b79adc116

SHA256
78c1dcfb3a342d320f92a229ee0514274f5cddb7749f4bfec95739ef6124d86c

SHA512
aebb7add254c7b7441141ada046fd7dddfdd0ffc50052d5fa5b88455ad423b8aa38a0b42357891c734ac8af0b6a9e1d73403e6159ea3a88cda039fe31ae013d4

Download Submit
C:\Windows\System\MpEZgLQ.exe

Filesize
2.0MB

MD5
61dccd0f77f94a7763c0d524ddf5ba57

SHA1
d75ab8897531490c4b5c4d80efb778ef2b75c297

SHA256
1296bcc99a104af528709947a1a47c1b77bc3a06d87f2de4e6081d5bec441f91

SHA512
5bbaf71f93c872f79879de96cef50e12ccc510f63159eff08d81003e0aa118c223c172450d8696c41689330202f970d3f9e05086d5f909743eb92cc691bd4c42

Download Submit
C:\Windows\System\NTDFROn.exe

Filesize
2.0MB

MD5
cd260942aeda29ee56555ff9db8b6553

SHA1
de0b86c78e68f83b656521ba18debd0ec8e47520

SHA256
8f7dab5993e64645870dce1ebb0083fcd597908913c70c8f4432b6c292777bc7

SHA512
c9b96b4026c4eb86d8df245b512a2741f3037b5d7add537772dc51c0d1ce6be75639008ab3c0db16fd6aab69663b8e81dc36a03be3e04e58f3b6bbe47fa08fa1

Download Submit
C:\Windows\System\NcVqpje.exe

Filesize
2.0MB

MD5
4eac02a86ff5bbdf9be33822857aa132

SHA1
46bf4ea8734d5645201f8ffc4cb5e0eaa188cf93

SHA256
24fc125fa7e7e08ba3e51d718de31c3cc4a1b8627f9d1bc03a7c7012658eda31

SHA512
ebcb77c59db15efc5a5474c3d8e2cdc86cf57aa4e8fb3e0a75a62bf19b8de385ec6696574313c17ce28842b8b27648674d5cc540bb6b55da648d7abbd2055824

Download Submit
C:\Windows\System\OKlUlRx.exe

Filesize
2.0MB

MD5
0b72c06bd2c555ee28facf1489d1a4d5

SHA1
c703f8d4695e417731e9c65a9e1d41c979624359

SHA256
d4ba4eae8dbe3f124133ce187e5435c1a02b61027741b0c51d02e0f0dbb040f3

SHA512
e811c7e434ee05e502c7abac59e4bc117a7b032586c2de91836d40584d8f837c38ebfb992c52b070e05795d3ceae3d3d63bfebac6e781c074110df4da6a8d711

Download Submit
C:\Windows\System\PBSqChy.exe

Filesize
2.0MB

MD5
996fabc41232f02b85d385f8946cc5d1

SHA1
a6997de39119599260e8a947ee6758b343268b29

SHA256
8efdd062c3e739499157a3215db5d26a32e79d42bdf984b7b80ee12f473d7d93

SHA512
89b7baa794d74245258bbd3b654da295bc131007646388772c89b4653b038624f612977aff75a38ec2ed95e3d548d33f827ec75125e9a2198673e7d20bcbc0ba

Download Submit
C:\Windows\System\SeuFNpd.exe

Filesize
2.0MB

MD5
c26559567b08934b72de1722723dd028

SHA1
f6778eae7a689db5ee9ec82ba809d2c6536d9a33

SHA256
0b78af143694faa5f16172bc2b0881472907391a98da8e6a6d49846d81e71932

SHA512
85e2b5d401c71fa682a1e3abc9624776a70655a9dbca33940737b0730e9adf1b81392b3cd13e21bff0879e3491f5bae1640d4dbe80894eaea1696f34f3fe8d68

Download Submit
C:\Windows\System\TCUAEbL.exe

Filesize
2.0MB

MD5
8b245d68b75386683bfd06782bb61154

SHA1
d5a149cce97956e748689a26ebc473e9c6ff1e29

SHA256
2ce32fd11dc2a9a7dea7c84ee0f7e6b32b7966a90a89ca3f46d22403b549c287

SHA512
99aff0693779559fbf844778e1e80b3c6adb579daa318088c81546729804a0592045c6031066cd7ef7ab03b6e2be8941ebf62b83b4d62f5750dd81eac21aac9d

Download Submit
C:\Windows\System\UFDlcDj.exe

Filesize
2.0MB

MD5
a731206d058696eb222259793f57d37f

SHA1
558d9a75a206a057ee499ffe2f82a57f3aa4c429

SHA256
ae1db9c4a8f6d9a31803e9079054f92479336a3508dedd6baf1061f97a813d0a

SHA512
185fb1cd7e12435e950fed08cc566c363db75a249f64785d3223fa6925af4a966b08d648de8df68ce94b508f48447e22dd8429077efec5bc33b2f36c2cd4a3fd

Download Submit
C:\Windows\System\VZpIGwh.exe

Filesize
2.0MB

MD5
75bd4d90ff34494ea2e1b67a169f9ffa

SHA1
30a32845e86fd7d5b460da4894c9f5f34d8a2633

SHA256
60c9dea9e1d1ad9dd1b629b88a635ee2f419a37d6217826d7236cc218123e31c

SHA512
415e304743d26042ae1098812b15243eb75c57418e743c6354db369685a2d0c09bd50bc8032d44da8bdaccef3da73b54f612a16ddebcf569b0c62a30ec2673ee

Download Submit
C:\Windows\System\WknDaTk.exe

Filesize
2.0MB

MD5
0013e764cd1f477121750cc77ced46b3

SHA1
a2908f64f062341cfaf782515ae3b93ca2436b13

SHA256
9c1ceada5be3d35bc13c151e9987dc6e4a9dd373d7b61fd209c9ddcc372df52f

SHA512
7bc55307f40c59f2aab522ec51dae4d2fe0b5d5a0f39b00e31bc18adf50d2355344f55ae382fcabd0281d8dec215dbeea32ae3ac8d8c80b4b079a7c9c216326a

Download Submit
C:\Windows\System\WwOZpmW.exe

Filesize
2.0MB

MD5
658732c0df5362b8e9797175e649580f

SHA1
d43af3c64ed50eef173db796e62cbf5dcb18b385

SHA256
743efd39a515adedf98009f87ce911921b0f3aa06ee4ab28e81e7707f25aeeb9

SHA512
99c897283fedc0e1827b836bdc4826edc341d2aadbfef69c2b6d4330db9c47f3ab1bc9234646b2dc08b3c1eb7c33fe086685a55bcf0f01a526d9ae6960859927

Download Submit
C:\Windows\System\ZxKulla.exe

Filesize
2.0MB

MD5
165305bf3bb065e99bf319716ba74b19

SHA1
531ef3b1ee39ff929cbabbba84a0f5376bbea657

SHA256
bbed842d35dd537388204651180d0a1726c374dd515634b7222838b7a63ccdf0

SHA512
69335d2adbf19440c4e736471e219ebd1f2bad4f55883441f1e1d3e19e595430106cc19ded03cb76aa4949557efedd2be680e15738b1fac05b925218e0a9dbeb

Download Submit
C:\Windows\System\akbpTDp.exe

Filesize
2.0MB

MD5
49c22ae8e0b8d51606c9099bd4189540

SHA1
05c8e7cf7d259a08464491a8808b2922c2c727f3

SHA256
24e5a4d96c2681b95ca520ac6bfa881775c68f46d507646656dc4be0b0500b37

SHA512
ced771d551a5a6bd93f6aed62f57e029bb84d7e4f9cf08699faab27f22913e26ac36e3fc2b362e03184dd4254a824804a4c50b2f8cad682c487b2379e172213f

Download Submit
C:\Windows\System\cCrRkBh.exe

Filesize
2.0MB

MD5
5c7a156d609fedaba7ac431b5cb9f948

SHA1
a46ab0c2ee1298a6f67f6e04bf079641ecdb7561

SHA256
a006a0e36c194d5859a8673364cead5f47908418aaf870dfe4d6e593b1c88c22

SHA512
f9d3442402070214c7388c1d21e744712f8087bc7055f267a5ea3b8d13826920dc90a3d5d743f5742c421bc46d0b8ca15f60bd2be65d4141bddf858cbd7525aa

Download Submit
C:\Windows\System\cxrHagk.exe

Filesize
2.0MB

MD5
688ba81335c49bd970a284a6be1190c3

SHA1
72f8226e7f02c5591ff0c16f3812b80514038463

SHA256
7b43096130836e71f35d772ebc0844d4c7514968e7d1c1133453f44b1d8926f6

SHA512
3e5d5bee413f2e4c6126b4d4d9a72fe833f9b50ce1cc983b467774820733b087b0581c6288345e494bd68806ba81610cd73ff32aa7763c5931e767b69fc78caf

Download Submit
C:\Windows\System\dQIfZWC.exe

Filesize
2.0MB

MD5
5203400a2609740a86fab6e15e92c943

SHA1
bac9935fe3180e1d91190e59dee32ad79075506b

SHA256
ebef40a8b61531ec98dd9a58eafb60cc113c390ce85ba9a1a7ba6f491eaad18d

SHA512
8dc46edf29472a4b44175cc3fd611924d2f149272d8e8db828b091f397467b15e9118f4c9e67fcaf6a7d16e78cd88afc1aecbcdcdc4da99fa6fd3dcac48d5745

Download Submit
C:\Windows\System\mrMnOfw.exe

Filesize
2.0MB

MD5
c78f8addc93b6eeb3e1cebeed7b47579

SHA1
250e012da15f815d8a8c50ea571068357eab21d3

SHA256
2f32e311e056d99eefe73098e5b0369af5aad65096aa43406dc66790c6b36d39

SHA512
19d412495cc783cedb0dbd7adaaacee078d20bec2516032b41c7edba28191800942e3911beb35de928d6c3cd08f9729a02f72b7e0f7776e9d8b3dbf61afcbd00

Download Submit
C:\Windows\System\pVUwqjp.exe

Filesize
2.0MB

MD5
bee819e06f32741b7a919f0342d63a14

SHA1
b70018c79d27dda5037a316c4ef88a21a8cc9491

SHA256
968036dbaee2d59edad102d2c4bdd2e55297dec71476d2ab2e21f6dc8c29318b

SHA512
578b5ad9bd1fbe1d03f72fd8f18c0b7da0b18363d3b36d0747b0ee109b525d9a271291bcb3638c9c1de1c7696ffdecbce308563945950b42a565f82107a3a98b

Download Submit
C:\Windows\System\peUEJpX.exe

Filesize
2.0MB

MD5
ad53a482e3e68d17159a19890fccf46e

SHA1
32b103e1ae854c5506e00d1b6846a5fe790c24a6

SHA256
1a2edd2bc0e7064869781baaf0b68e3222fe9d8dbd8597745a289125ddb53ca1

SHA512
b1f92701e63773bf5fe5fcef4791329f3efa40adc83ee2adf6d4407f046f5fa607c021ef5a20aed0a648cc717fec724d4baece812ad5db7af76f0741e657cdbb

Download Submit
C:\Windows\System\qdCBNPb.exe

Filesize
2.0MB

MD5
53e2333f9f7b6a3841913ff797da6f9b

SHA1
dd981b5a3dc602dfe4a33cb49b9a8e3006736ec2

SHA256
d4cecf336dd4eb4eb83a7e003096503d477ad718e95f8d7f66e0fb3759390e41

SHA512
ab8b38155c516378a723e10b4946d3d5745ba01162645c8c573cbb41e338e42d08db9fd08200b22014567e6537988e49aa7adbc44a4ba9ffd7f6fc408d8d0d9e

Download Submit
C:\Windows\System\sJufnjl.exe

Filesize
2.0MB

MD5
7cc327d72f2fb4798337d6394dc13c9d

SHA1
b4fc7315147c108d17c5278f5ab4ca541c96d9c9

SHA256
0d50e9852c621cd0215a38838f9e99d3c560bf090b8e96d553b3e597e2b8df8c

SHA512
26391c5bdeaecf03c6c0eaf63dbec3bf0a2ebd0926ce8a9f413b8935539b60640ce9fb143dabfa4704e6c487c91e171130820d93a4530740bcf15bdd23c2475e

Download Submit
C:\Windows\System\tSoeZSb.exe

Filesize
2.0MB

MD5
97527e6a29d2e62bf26e3aba9534ea24

SHA1
13036a0020d46202f7d9dd5558f7e5d1ff26cac1

SHA256
fdaad397eb44f5ac352fe6357665026e4a9f5fcb9883cb849a2c7bafcc594811

SHA512
2047700241cc824550ec1482fa70e0bafb4277eb657ca0b931f3d2ab7fb65007085fc0117e0f3073566d1ccaccbf21d4593488421d6221ae654459726a7e695e

Download Submit
C:\Windows\System\uNbyylM.exe

Filesize
2.0MB

MD5
2bc96f0ed066e9d8bbb582c57fbd3814

SHA1
d5c2155c4376dab9d37f154430d9c13b00676895

SHA256
1e932ba0c6fe861c3e8a31337c595bcb76a0375c9d16e5a3103a02b767198f16

SHA512
5a27fc6cd26a8ed9c6db7c500d2bd57144bab2e25fa96073ee9ec2bcaf643d0255bc0c340aa9958c91c265fcd4bbb729965797e82bf3ed048e8d7e06c4b41e00

Download Submit
C:\Windows\System\yutgOlc.exe

Filesize
2.0MB

MD5
d213289a7f759125c5fc25ee3f7571fe

SHA1
d23e626250a41d608acf506adae01aa823ec2d94

SHA256
5a7d0d2aedd67559d35d37303ebf4abd99b65e5a5ad7c7590879c3a2ca2a9405

SHA512
6baa813a3b95d4f90422e30735f2d82e34868d062a166be712cec18e71bd679ab986fe17d663da71498efb5af950d5153c94ba466f9b6e7b14b0157a901c7077

Download Submit
memory/396-2171-0x00007FF64A7F0000-0x00007FF64AB44000-memory.dmp

Filesize
3.3MB

Download
memory/396-747-0x00007FF64A7F0000-0x00007FF64AB44000-memory.dmp

Filesize
3.3MB

Download
memory/540-736-0x00007FF676130000-0x00007FF676484000-memory.dmp

Filesize
3.3MB

Download
memory/540-2166-0x00007FF676130000-0x00007FF676484000-memory.dmp

Filesize
3.3MB

Download
memory/652-800-0x00007FF7CA1A0000-0x00007FF7CA4F4000-memory.dmp

Filesize
3.3MB

Download
memory/652-2181-0x00007FF7CA1A0000-0x00007FF7CA4F4000-memory.dmp

Filesize
3.3MB

Download
memory/760-753-0x00007FF6D2590000-0x00007FF6D28E4000-memory.dmp

Filesize
3.3MB

Download
memory/760-2173-0x00007FF6D2590000-0x00007FF6D28E4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-776-0x00007FF67B050000-0x00007FF67B3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-2177-0x00007FF67B050000-0x00007FF67B3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1352-2169-0x00007FF6978A0000-0x00007FF697BF4000-memory.dmp

Filesize
3.3MB

Download
memory/1352-738-0x00007FF6978A0000-0x00007FF697BF4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-735-0x00007FF653E10000-0x00007FF654164000-memory.dmp

Filesize
3.3MB

Download
memory/1356-2165-0x00007FF653E10000-0x00007FF654164000-memory.dmp

Filesize
3.3MB

Download
memory/1404-2162-0x00007FF65A9F0000-0x00007FF65AD44000-memory.dmp

Filesize
3.3MB

Download
memory/1404-732-0x00007FF65A9F0000-0x00007FF65AD44000-memory.dmp

Filesize
3.3MB

Download
memory/1544-2180-0x00007FF6A5710000-0x00007FF6A5A64000-memory.dmp

Filesize
3.3MB

Download
memory/1544-781-0x00007FF6A5710000-0x00007FF6A5A64000-memory.dmp

Filesize
3.3MB

Download
memory/1592-771-0x00007FF7CD860000-0x00007FF7CDBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-2176-0x00007FF7CD860000-0x00007FF7CDBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-2160-0x00007FF76D9F0000-0x00007FF76DD44000-memory.dmp

Filesize
3.3MB

Download
memory/1724-731-0x00007FF76D9F0000-0x00007FF76DD44000-memory.dmp

Filesize
3.3MB

Download
memory/1804-730-0x00007FF741AC0000-0x00007FF741E14000-memory.dmp

Filesize
3.3MB

Download
memory/1804-2158-0x00007FF741AC0000-0x00007FF741E14000-memory.dmp

Filesize
3.3MB

Download
memory/1944-2167-0x00007FF794780000-0x00007FF794AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-737-0x00007FF794780000-0x00007FF794AD4000-memory.dmp

Filesize
3.3MB

Download
memory/1984-2163-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp

Filesize
3.3MB

Download
memory/1984-810-0x00007FF6AF920000-0x00007FF6AFC74000-memory.dmp

Filesize
3.3MB

Download
memory/2124-2179-0x00007FF782EB0000-0x00007FF783204000-memory.dmp

Filesize
3.3MB

Download
memory/2124-788-0x00007FF782EB0000-0x00007FF783204000-memory.dmp

Filesize
3.3MB

Download
memory/2184-734-0x00007FF6F91D0000-0x00007FF6F9524000-memory.dmp

Filesize
3.3MB

Download
memory/2184-2164-0x00007FF6F91D0000-0x00007FF6F9524000-memory.dmp

Filesize
3.3MB

Download
memory/2188-2174-0x00007FF793D60000-0x00007FF7940B4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-764-0x00007FF793D60000-0x00007FF7940B4000-memory.dmp

Filesize
3.3MB

Download
memory/2216-770-0x00007FF65B880000-0x00007FF65BBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2216-2175-0x00007FF65B880000-0x00007FF65BBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-2184-0x00007FF676A60000-0x00007FF676DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-806-0x00007FF676A60000-0x00007FF676DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-744-0x00007FF782570000-0x00007FF7828C4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-2170-0x00007FF782570000-0x00007FF7828C4000-memory.dmp

Filesize
3.3MB

Download
memory/3400-2151-0x00007FF640930000-0x00007FF640C84000-memory.dmp

Filesize
3.3MB

Download
memory/3400-2157-0x00007FF640930000-0x00007FF640C84000-memory.dmp

Filesize
3.3MB

Download
memory/3400-30-0x00007FF640930000-0x00007FF640C84000-memory.dmp

Filesize
3.3MB

Download
memory/3804-793-0x00007FF773400000-0x00007FF773754000-memory.dmp

Filesize
3.3MB

Download
memory/3804-2182-0x00007FF773400000-0x00007FF773754000-memory.dmp

Filesize
3.3MB

Download
memory/3900-2149-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-0-0x00007FF67E060000-0x00007FF67E3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-1-0x0000015C31E30000-0x0000015C31E40000-memory.dmp

Filesize
64KB

Download
memory/4104-780-0x00007FF769620000-0x00007FF769974000-memory.dmp

Filesize
3.3MB

Download
memory/4104-2178-0x00007FF769620000-0x00007FF769974000-memory.dmp

Filesize
3.3MB

Download
memory/4404-759-0x00007FF79B6D0000-0x00007FF79BA24000-memory.dmp

Filesize
3.3MB

Download
memory/4404-2172-0x00007FF79B6D0000-0x00007FF79BA24000-memory.dmp

Filesize
3.3MB

Download
memory/4452-2159-0x00007FF71FFD0000-0x00007FF720324000-memory.dmp

Filesize
3.3MB

Download
memory/4452-809-0x00007FF71FFD0000-0x00007FF720324000-memory.dmp

Filesize
3.3MB

Download
memory/4568-2150-0x00007FF7A2B40000-0x00007FF7A2E94000-memory.dmp

Filesize
3.3MB

Download
memory/4568-2156-0x00007FF7A2B40000-0x00007FF7A2E94000-memory.dmp

Filesize
3.3MB

Download
memory/4568-8-0x00007FF7A2B40000-0x00007FF7A2E94000-memory.dmp

Filesize
3.3MB

Download
memory/4600-739-0x00007FF6C5470000-0x00007FF6C57C4000-memory.dmp

Filesize
3.3MB

Download
memory/4600-2168-0x00007FF6C5470000-0x00007FF6C57C4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-801-0x00007FF799410000-0x00007FF799764000-memory.dmp

Filesize
3.3MB

Download
memory/5016-2183-0x00007FF799410000-0x00007FF799764000-memory.dmp

Filesize
3.3MB

Download
memory/5024-2161-0x00007FF64AED0000-0x00007FF64B224000-memory.dmp

Filesize
3.3MB

Download
memory/5024-733-0x00007FF64AED0000-0x00007FF64B224000-memory.dmp

Filesize
3.3MB

Download