xmrig | fa1343fd464b03ca04c4c2a800889deef301ff31ad1b2b6546a580880dcf7fb8

Analysis

max time kernel
63s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
Size

1.3MB
MD5

c5686a7fb77c2a284fbc336d1cdc2e10
SHA1

c1ef2a1adb3c219f0b67b6df9beb155d0cb8a59a
SHA256

fa1343fd464b03ca04c4c2a800889deef301ff31ad1b2b6546a580880dcf7fb8
SHA512

ab588e64a63351f647afe5b767d9f39c4bf6fb4a7a83007c3cfb682f47b662ae6ac1b7736713f62b309c5e2b8dadabf11c72caba1bff3b02bc53c7e2279d1cfa
SSDEEP

24576:RVIl/WDGCi7/qkat6OBC6y90Xli7w4G8h9HWrYAQW9SKj5:ROdWCCi7/ra7Kr5KSKt

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 58 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4660-317-0x00007FF679210000-0x00007FF679561000-memory.dmp	xmrig
behavioral2/memory/2488-318-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	xmrig
behavioral2/memory/3592-333-0x00007FF667A80000-0x00007FF667DD1000-memory.dmp	xmrig
behavioral2/memory/4192-329-0x00007FF683560000-0x00007FF6838B1000-memory.dmp	xmrig
behavioral2/memory/4220-382-0x00007FF68F510000-0x00007FF68F861000-memory.dmp	xmrig
behavioral2/memory/2188-394-0x00007FF6EECE0000-0x00007FF6EF031000-memory.dmp	xmrig
behavioral2/memory/4716-419-0x00007FF7CC1D0000-0x00007FF7CC521000-memory.dmp	xmrig
behavioral2/memory/3024-436-0x00007FF6DE870000-0x00007FF6DEBC1000-memory.dmp	xmrig
behavioral2/memory/2744-455-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	xmrig
behavioral2/memory/4532-451-0x00007FF66EF00000-0x00007FF66F251000-memory.dmp	xmrig
behavioral2/memory/4792-445-0x00007FF6A9D50000-0x00007FF6AA0A1000-memory.dmp	xmrig
behavioral2/memory/664-416-0x00007FF63D3E0000-0x00007FF63D731000-memory.dmp	xmrig
behavioral2/memory/4680-413-0x00007FF792520000-0x00007FF792871000-memory.dmp	xmrig
behavioral2/memory/440-409-0x00007FF7893D0000-0x00007FF789721000-memory.dmp	xmrig
behavioral2/memory/2512-405-0x00007FF6251A0000-0x00007FF6254F1000-memory.dmp	xmrig
behavioral2/memory/3252-395-0x00007FF75A700000-0x00007FF75AA51000-memory.dmp	xmrig
behavioral2/memory/2392-386-0x00007FF77E700000-0x00007FF77EA51000-memory.dmp	xmrig
behavioral2/memory/3776-374-0x00007FF74D2E0000-0x00007FF74D631000-memory.dmp	xmrig
behavioral2/memory/3260-369-0x00007FF6F11E0000-0x00007FF6F1531000-memory.dmp	xmrig
behavioral2/memory/4120-366-0x00007FF7C7A50000-0x00007FF7C7DA1000-memory.dmp	xmrig
behavioral2/memory/3088-363-0x00007FF7AE870000-0x00007FF7AEBC1000-memory.dmp	xmrig
behavioral2/memory/3856-356-0x00007FF6BBCC0000-0x00007FF6BC011000-memory.dmp	xmrig
behavioral2/memory/4556-344-0x00007FF61D050000-0x00007FF61D3A1000-memory.dmp	xmrig
behavioral2/memory/4584-349-0x00007FF60E910000-0x00007FF60EC61000-memory.dmp	xmrig
behavioral2/memory/1928-341-0x00007FF644630000-0x00007FF644981000-memory.dmp	xmrig
behavioral2/memory/3696-25-0x00007FF633F80000-0x00007FF6342D1000-memory.dmp	xmrig
behavioral2/memory/1408-11-0x00007FF660630000-0x00007FF660981000-memory.dmp	xmrig
behavioral2/memory/4016-2188-0x00007FF62C4B0000-0x00007FF62C801000-memory.dmp	xmrig
behavioral2/memory/1296-2190-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp	xmrig
behavioral2/memory/1408-2242-0x00007FF660630000-0x00007FF660981000-memory.dmp	xmrig
behavioral2/memory/2020-2244-0x00007FF69C670000-0x00007FF69C9C1000-memory.dmp	xmrig
behavioral2/memory/1296-2248-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp	xmrig
behavioral2/memory/4660-2251-0x00007FF679210000-0x00007FF679561000-memory.dmp	xmrig
behavioral2/memory/2488-2254-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	xmrig
behavioral2/memory/4584-2262-0x00007FF60E910000-0x00007FF60EC61000-memory.dmp	xmrig
behavioral2/memory/4556-2272-0x00007FF61D050000-0x00007FF61D3A1000-memory.dmp	xmrig
behavioral2/memory/4680-2288-0x00007FF792520000-0x00007FF792871000-memory.dmp	xmrig
behavioral2/memory/4792-2296-0x00007FF6A9D50000-0x00007FF6AA0A1000-memory.dmp	xmrig
behavioral2/memory/3024-2294-0x00007FF6DE870000-0x00007FF6DEBC1000-memory.dmp	xmrig
behavioral2/memory/4716-2292-0x00007FF7CC1D0000-0x00007FF7CC521000-memory.dmp	xmrig
behavioral2/memory/4532-2298-0x00007FF66EF00000-0x00007FF66F251000-memory.dmp	xmrig
behavioral2/memory/664-2290-0x00007FF63D3E0000-0x00007FF63D731000-memory.dmp	xmrig
behavioral2/memory/440-2286-0x00007FF7893D0000-0x00007FF789721000-memory.dmp	xmrig
behavioral2/memory/3252-2282-0x00007FF75A700000-0x00007FF75AA51000-memory.dmp	xmrig
behavioral2/memory/2512-2284-0x00007FF6251A0000-0x00007FF6254F1000-memory.dmp	xmrig
behavioral2/memory/2392-2274-0x00007FF77E700000-0x00007FF77EA51000-memory.dmp	xmrig
behavioral2/memory/3776-2271-0x00007FF74D2E0000-0x00007FF74D631000-memory.dmp	xmrig
behavioral2/memory/2188-2280-0x00007FF6EECE0000-0x00007FF6EF031000-memory.dmp	xmrig
behavioral2/memory/3260-2269-0x00007FF6F11E0000-0x00007FF6F1531000-memory.dmp	xmrig
behavioral2/memory/4220-2278-0x00007FF68F510000-0x00007FF68F861000-memory.dmp	xmrig
behavioral2/memory/4120-2276-0x00007FF7C7A50000-0x00007FF7C7DA1000-memory.dmp	xmrig
behavioral2/memory/3088-2266-0x00007FF7AE870000-0x00007FF7AEBC1000-memory.dmp	xmrig
behavioral2/memory/3856-2264-0x00007FF6BBCC0000-0x00007FF6BC011000-memory.dmp	xmrig
behavioral2/memory/1928-2260-0x00007FF644630000-0x00007FF644981000-memory.dmp	xmrig
behavioral2/memory/3592-2258-0x00007FF667A80000-0x00007FF667DD1000-memory.dmp	xmrig
behavioral2/memory/2744-2253-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	xmrig
behavioral2/memory/4192-2256-0x00007FF683560000-0x00007FF6838B1000-memory.dmp	xmrig
behavioral2/memory/3696-2246-0x00007FF633F80000-0x00007FF6342D1000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

UHlQDwz.exeRWmtliy.exeVBWbhhs.exefEKxSpX.exeZylEHdH.exeQXmXARP.exepCAfuaY.exeVXMUJQc.exeZcUAtbB.exeGTTpuFc.exeZFzjvap.exeFuStvam.exePssygJA.execLrhOEN.exewkqJWgg.exeyFLOEcL.exeDxPHkVA.exeVAxcsgo.exeFtqIeVJ.exeHcexuLC.exesNgxLXs.exeOGdATZY.exeiSdoBWE.exegBpwLIV.exesciWLmQ.exejnKCRpU.exebDQKhxL.exeWmWrUBR.exedcuCknp.exeSTiobRz.exeNDFCNSa.exeypFCaGu.execkaCHOB.exeDAdWdKv.exejKBayDq.exefTPYHKX.exePMOqOoW.execsiZHiX.exepWQwkza.exeRCSFwLm.exeqfXZNbg.exewtVAPGW.exeVZpdvgX.exezqyLdWK.exeOblVuaU.exeqmLmnJe.exeqibmbZu.exeFBRVFeD.exeUVLPnSd.exeSlEOWMx.exebfBJtEv.exeoabauoT.exeaxmDoyh.exeupEMFKn.exeRGUvBAL.exegoSbpxr.exeejWkaqk.exeUOIkEgz.exeKNNnuNi.exeKaVFhrR.exekyWmDBZ.exeigETVOW.exeUqyFALU.exeybcBiEj.exe

pid	process
1408	UHlQDwz.exe
2020	RWmtliy.exe
3696	VBWbhhs.exe
1296	fEKxSpX.exe
4660	ZylEHdH.exe
2488	QXmXARP.exe
2744	pCAfuaY.exe
4192	VXMUJQc.exe
3592	ZcUAtbB.exe
1928	GTTpuFc.exe
4556	ZFzjvap.exe
4584	FuStvam.exe
3856	PssygJA.exe
3088	cLrhOEN.exe
4120	wkqJWgg.exe
3260	yFLOEcL.exe
3776	DxPHkVA.exe
4220	VAxcsgo.exe
2392	FtqIeVJ.exe
2188	HcexuLC.exe
3252	sNgxLXs.exe
2512	OGdATZY.exe
440	iSdoBWE.exe
4680	gBpwLIV.exe
664	sciWLmQ.exe
4716	jnKCRpU.exe
3024	bDQKhxL.exe
4792	WmWrUBR.exe
4532	dcuCknp.exe
3704	STiobRz.exe
3240	NDFCNSa.exe
3128	ypFCaGu.exe
3576	ckaCHOB.exe
4876	DAdWdKv.exe
3060	jKBayDq.exe
1584	fTPYHKX.exe
4132	PMOqOoW.exe
4060	csiZHiX.exe
3716	pWQwkza.exe
4700	RCSFwLm.exe
3116	qfXZNbg.exe
2980	wtVAPGW.exe
2480	VZpdvgX.exe
1492	zqyLdWK.exe
1088	OblVuaU.exe
788	qmLmnJe.exe
3988	qibmbZu.exe
3408	FBRVFeD.exe
4388	UVLPnSd.exe
3272	SlEOWMx.exe
4432	bfBJtEv.exe
1904	oabauoT.exe
372	axmDoyh.exe
2580	upEMFKn.exe
4008	RGUvBAL.exe
5060	goSbpxr.exe
1176	ejWkaqk.exe
2216	UOIkEgz.exe
792	KNNnuNi.exe
1348	KaVFhrR.exe
3588	kyWmDBZ.exe
4596	igETVOW.exe
3492	UqyFALU.exe
2408	ybcBiEj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4016-0-0x00007FF62C4B0000-0x00007FF62C801000-memory.dmp	upx
C:\Windows\System\UHlQDwz.exe	upx
C:\Windows\System\VBWbhhs.exe	upx
C:\Windows\System\RWmtliy.exe	upx
C:\Windows\System\ZylEHdH.exe	upx
C:\Windows\System\QXmXARP.exe	upx
C:\Windows\System\pCAfuaY.exe	upx
C:\Windows\System\GTTpuFc.exe	upx
C:\Windows\System\ZFzjvap.exe	upx
C:\Windows\System\FuStvam.exe	upx
C:\Windows\System\VAxcsgo.exe	upx
C:\Windows\System\sNgxLXs.exe	upx
C:\Windows\System\OGdATZY.exe	upx
C:\Windows\System\gBpwLIV.exe	upx
C:\Windows\System\jnKCRpU.exe	upx
C:\Windows\System\WmWrUBR.exe	upx
C:\Windows\System\ypFCaGu.exe	upx
behavioral2/memory/4660-317-0x00007FF679210000-0x00007FF679561000-memory.dmp	upx
behavioral2/memory/2488-318-0x00007FF714260000-0x00007FF7145B1000-memory.dmp	upx
behavioral2/memory/3592-333-0x00007FF667A80000-0x00007FF667DD1000-memory.dmp	upx
behavioral2/memory/4192-329-0x00007FF683560000-0x00007FF6838B1000-memory.dmp	upx
behavioral2/memory/4220-382-0x00007FF68F510000-0x00007FF68F861000-memory.dmp	upx
behavioral2/memory/2188-394-0x00007FF6EECE0000-0x00007FF6EF031000-memory.dmp	upx
behavioral2/memory/4716-419-0x00007FF7CC1D0000-0x00007FF7CC521000-memory.dmp	upx
behavioral2/memory/3024-436-0x00007FF6DE870000-0x00007FF6DEBC1000-memory.dmp	upx
behavioral2/memory/2744-455-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp	upx
behavioral2/memory/4532-451-0x00007FF66EF00000-0x00007FF66F251000-memory.dmp	upx
behavioral2/memory/4792-445-0x00007FF6A9D50000-0x00007FF6AA0A1000-memory.dmp	upx
behavioral2/memory/664-416-0x00007FF63D3E0000-0x00007FF63D731000-memory.dmp	upx
behavioral2/memory/4680-413-0x00007FF792520000-0x00007FF792871000-memory.dmp	upx
behavioral2/memory/440-409-0x00007FF7893D0000-0x00007FF789721000-memory.dmp	upx
behavioral2/memory/2512-405-0x00007FF6251A0000-0x00007FF6254F1000-memory.dmp	upx
behavioral2/memory/3252-395-0x00007FF75A700000-0x00007FF75AA51000-memory.dmp	upx
behavioral2/memory/2392-386-0x00007FF77E700000-0x00007FF77EA51000-memory.dmp	upx
behavioral2/memory/3776-374-0x00007FF74D2E0000-0x00007FF74D631000-memory.dmp	upx
behavioral2/memory/3260-369-0x00007FF6F11E0000-0x00007FF6F1531000-memory.dmp	upx
behavioral2/memory/4120-366-0x00007FF7C7A50000-0x00007FF7C7DA1000-memory.dmp	upx
behavioral2/memory/3088-363-0x00007FF7AE870000-0x00007FF7AEBC1000-memory.dmp	upx
behavioral2/memory/3856-356-0x00007FF6BBCC0000-0x00007FF6BC011000-memory.dmp	upx
behavioral2/memory/4556-344-0x00007FF61D050000-0x00007FF61D3A1000-memory.dmp	upx
behavioral2/memory/4584-349-0x00007FF60E910000-0x00007FF60EC61000-memory.dmp	upx
behavioral2/memory/1928-341-0x00007FF644630000-0x00007FF644981000-memory.dmp	upx
C:\Windows\System\ckaCHOB.exe	upx
C:\Windows\System\NDFCNSa.exe	upx
C:\Windows\System\STiobRz.exe	upx
C:\Windows\System\dcuCknp.exe	upx
C:\Windows\System\bDQKhxL.exe	upx
C:\Windows\System\sciWLmQ.exe	upx
C:\Windows\System\iSdoBWE.exe	upx
C:\Windows\System\HcexuLC.exe	upx
C:\Windows\System\FtqIeVJ.exe	upx
C:\Windows\System\DxPHkVA.exe	upx
C:\Windows\System\yFLOEcL.exe	upx
C:\Windows\System\wkqJWgg.exe	upx
C:\Windows\System\cLrhOEN.exe	upx
C:\Windows\System\PssygJA.exe	upx
C:\Windows\System\ZcUAtbB.exe	upx
C:\Windows\System\VXMUJQc.exe	upx
C:\Windows\System\fEKxSpX.exe	upx
behavioral2/memory/1296-28-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp	upx
behavioral2/memory/3696-25-0x00007FF633F80000-0x00007FF6342D1000-memory.dmp	upx
behavioral2/memory/2020-18-0x00007FF69C670000-0x00007FF69C9C1000-memory.dmp	upx
behavioral2/memory/1408-11-0x00007FF660630000-0x00007FF660981000-memory.dmp	upx
behavioral2/memory/4016-2188-0x00007FF62C4B0000-0x00007FF62C801000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\RGUvBAL.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\Jdnwjmr.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\NkyobjA.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\uZivJLH.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\nWiHQfy.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\vOcSVUK.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\lOHYdeu.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\NDFCNSa.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\fQxyQKu.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\VXEBJXO.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\RAvaldZ.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\TKTKyph.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\RcJHPWl.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\OGmjaYY.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\jrCkbkc.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\CnbKPRA.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\ZFPYAAm.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\IwMiaqm.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\ttDRoAi.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\VjNNEcO.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\mjDVktc.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\QewxDkY.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\jEJyvvL.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\UOIkEgz.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\pbRNXkF.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\fRUpOpI.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\IUnxPQF.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\YEDIpEE.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\yFLOEcL.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\MgwmgWT.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\sBSThoS.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\CZKqeNo.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\gfefjQB.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\kgEiAZS.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\FBRVFeD.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\GMVGgzr.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\KkBLBBa.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\tNimPym.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\EeYqAlm.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\OYnfOuG.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\PltTYBs.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\OeXGiFU.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\TYvANhr.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\pmpJKnH.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\ghcUpRX.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\sDxeyFL.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\kDKumqG.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\BTAcSaZ.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\YlpNGZh.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\gmAoOmM.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\HOYEldi.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\nmZAHQr.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\RWmtliy.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\SSljUAe.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\YNWZZxG.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\JfXNyto.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\kGPGmCr.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\sscObUH.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\fBYlxzD.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\fnYLMyT.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\WmWrUBR.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\OblVuaU.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\qmLmnJe.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
File created	C:\Windows\System\ybcBiEj.exe	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exedwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exesihost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{FB179A0E-886B-4104-A4D2-861F3751CAD5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dwm.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeCreateGlobalPrivilege	1468	dwm.exe
Token: SeChangeNotifyPrivilege	1468	dwm.exe
Token: 33	1468	dwm.exe
Token: SeIncBasePriorityPrivilege	1468	dwm.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	4812	explorer.exe
Token: SeCreatePagefilePrivilege	4812	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	6380	explorer.exe
Token: SeCreatePagefilePrivilege	6380	explorer.exe
Token: SeShutdownPrivilege	3576	explorer.exe
Token: SeCreatePagefilePrivilege	3576	explorer.exe
Token: SeShutdownPrivilege	3576	explorer.exe
Token: SeCreatePagefilePrivilege	3576	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
4020	sihost.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
4812	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
6380	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
3576	explorer.exe
6228	explorer.exe
6228	explorer.exe
6228	explorer.exe
6228	explorer.exe
6228	explorer.exe
6228	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
4820	StartMenuExperienceHost.exe
7824	StartMenuExperienceHost.exe
5740	SearchApp.exe
9932	StartMenuExperienceHost.exe
5576	SearchApp.exe
4824	StartMenuExperienceHost.exe
7780	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe

description	pid	process	target process
PID 4016 wrote to memory of 1408	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	UHlQDwz.exe
PID 4016 wrote to memory of 1408	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	UHlQDwz.exe
PID 4016 wrote to memory of 2020	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	RWmtliy.exe
PID 4016 wrote to memory of 2020	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	RWmtliy.exe
PID 4016 wrote to memory of 3696	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VBWbhhs.exe
PID 4016 wrote to memory of 3696	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VBWbhhs.exe
PID 4016 wrote to memory of 1296	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	fEKxSpX.exe
PID 4016 wrote to memory of 1296	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	fEKxSpX.exe
PID 4016 wrote to memory of 4660	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZylEHdH.exe
PID 4016 wrote to memory of 4660	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZylEHdH.exe
PID 4016 wrote to memory of 2488	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	QXmXARP.exe
PID 4016 wrote to memory of 2488	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	QXmXARP.exe
PID 4016 wrote to memory of 3592	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZcUAtbB.exe
PID 4016 wrote to memory of 3592	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZcUAtbB.exe
PID 4016 wrote to memory of 2744	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	pCAfuaY.exe
PID 4016 wrote to memory of 2744	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	pCAfuaY.exe
PID 4016 wrote to memory of 4192	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VXMUJQc.exe
PID 4016 wrote to memory of 4192	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VXMUJQc.exe
PID 4016 wrote to memory of 1928	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	GTTpuFc.exe
PID 4016 wrote to memory of 1928	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	GTTpuFc.exe
PID 4016 wrote to memory of 4556	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZFzjvap.exe
PID 4016 wrote to memory of 4556	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ZFzjvap.exe
PID 4016 wrote to memory of 4584	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	FuStvam.exe
PID 4016 wrote to memory of 4584	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	FuStvam.exe
PID 4016 wrote to memory of 3856	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	PssygJA.exe
PID 4016 wrote to memory of 3856	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	PssygJA.exe
PID 4016 wrote to memory of 3088	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	cLrhOEN.exe
PID 4016 wrote to memory of 3088	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	cLrhOEN.exe
PID 4016 wrote to memory of 4120	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	wkqJWgg.exe
PID 4016 wrote to memory of 4120	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	wkqJWgg.exe
PID 4016 wrote to memory of 3260	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	yFLOEcL.exe
PID 4016 wrote to memory of 3260	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	yFLOEcL.exe
PID 4016 wrote to memory of 3776	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	DxPHkVA.exe
PID 4016 wrote to memory of 3776	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	DxPHkVA.exe
PID 4016 wrote to memory of 4220	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VAxcsgo.exe
PID 4016 wrote to memory of 4220	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	VAxcsgo.exe
PID 4016 wrote to memory of 2392	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	FtqIeVJ.exe
PID 4016 wrote to memory of 2392	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	FtqIeVJ.exe
PID 4016 wrote to memory of 2188	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	HcexuLC.exe
PID 4016 wrote to memory of 2188	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	HcexuLC.exe
PID 4016 wrote to memory of 3252	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	sNgxLXs.exe
PID 4016 wrote to memory of 3252	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	sNgxLXs.exe
PID 4016 wrote to memory of 2512	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	OGdATZY.exe
PID 4016 wrote to memory of 2512	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	OGdATZY.exe
PID 4016 wrote to memory of 440	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	iSdoBWE.exe
PID 4016 wrote to memory of 440	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	iSdoBWE.exe
PID 4016 wrote to memory of 4680	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	gBpwLIV.exe
PID 4016 wrote to memory of 4680	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	gBpwLIV.exe
PID 4016 wrote to memory of 664	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	sciWLmQ.exe
PID 4016 wrote to memory of 664	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	sciWLmQ.exe
PID 4016 wrote to memory of 4716	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	jnKCRpU.exe
PID 4016 wrote to memory of 4716	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	jnKCRpU.exe
PID 4016 wrote to memory of 3024	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	bDQKhxL.exe
PID 4016 wrote to memory of 3024	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	bDQKhxL.exe
PID 4016 wrote to memory of 4792	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	WmWrUBR.exe
PID 4016 wrote to memory of 4792	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	WmWrUBR.exe
PID 4016 wrote to memory of 4532	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	dcuCknp.exe
PID 4016 wrote to memory of 4532	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	dcuCknp.exe
PID 4016 wrote to memory of 3704	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	STiobRz.exe
PID 4016 wrote to memory of 3704	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	STiobRz.exe
PID 4016 wrote to memory of 3240	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	NDFCNSa.exe
PID 4016 wrote to memory of 3240	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	NDFCNSa.exe
PID 4016 wrote to memory of 3128	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ypFCaGu.exe
PID 4016 wrote to memory of 3128	4016	c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe	ypFCaGu.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c5686a7fb77c2a284fbc336d1cdc2e10_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\System\UHlQDwz.exe
  C:\Windows\System\UHlQDwz.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\RWmtliy.exe
  C:\Windows\System\RWmtliy.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\VBWbhhs.exe
  C:\Windows\System\VBWbhhs.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\fEKxSpX.exe
  C:\Windows\System\fEKxSpX.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\ZylEHdH.exe
  C:\Windows\System\ZylEHdH.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\QXmXARP.exe
  C:\Windows\System\QXmXARP.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\ZcUAtbB.exe
  C:\Windows\System\ZcUAtbB.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\pCAfuaY.exe
  C:\Windows\System\pCAfuaY.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\VXMUJQc.exe
  C:\Windows\System\VXMUJQc.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\GTTpuFc.exe
  C:\Windows\System\GTTpuFc.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\ZFzjvap.exe
  C:\Windows\System\ZFzjvap.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\FuStvam.exe
  C:\Windows\System\FuStvam.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\PssygJA.exe
  C:\Windows\System\PssygJA.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\cLrhOEN.exe
  C:\Windows\System\cLrhOEN.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\wkqJWgg.exe
  C:\Windows\System\wkqJWgg.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\yFLOEcL.exe
  C:\Windows\System\yFLOEcL.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\DxPHkVA.exe
  C:\Windows\System\DxPHkVA.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\VAxcsgo.exe
  C:\Windows\System\VAxcsgo.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\FtqIeVJ.exe
  C:\Windows\System\FtqIeVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\HcexuLC.exe
  C:\Windows\System\HcexuLC.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\sNgxLXs.exe
  C:\Windows\System\sNgxLXs.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\OGdATZY.exe
  C:\Windows\System\OGdATZY.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\iSdoBWE.exe
  C:\Windows\System\iSdoBWE.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\gBpwLIV.exe
  C:\Windows\System\gBpwLIV.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\sciWLmQ.exe
  C:\Windows\System\sciWLmQ.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\jnKCRpU.exe
  C:\Windows\System\jnKCRpU.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\bDQKhxL.exe
  C:\Windows\System\bDQKhxL.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\WmWrUBR.exe
  C:\Windows\System\WmWrUBR.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\dcuCknp.exe
  C:\Windows\System\dcuCknp.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\STiobRz.exe
  C:\Windows\System\STiobRz.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\NDFCNSa.exe
  C:\Windows\System\NDFCNSa.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\ypFCaGu.exe
  C:\Windows\System\ypFCaGu.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\ckaCHOB.exe
  C:\Windows\System\ckaCHOB.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\DAdWdKv.exe
  C:\Windows\System\DAdWdKv.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\jKBayDq.exe
  C:\Windows\System\jKBayDq.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\fTPYHKX.exe
  C:\Windows\System\fTPYHKX.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\PMOqOoW.exe
  C:\Windows\System\PMOqOoW.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\csiZHiX.exe
  C:\Windows\System\csiZHiX.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\pWQwkza.exe
  C:\Windows\System\pWQwkza.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\RCSFwLm.exe
  C:\Windows\System\RCSFwLm.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\qfXZNbg.exe
  C:\Windows\System\qfXZNbg.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\wtVAPGW.exe
  C:\Windows\System\wtVAPGW.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\VZpdvgX.exe
  C:\Windows\System\VZpdvgX.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\zqyLdWK.exe
  C:\Windows\System\zqyLdWK.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\OblVuaU.exe
  C:\Windows\System\OblVuaU.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\qmLmnJe.exe
  C:\Windows\System\qmLmnJe.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\qibmbZu.exe
  C:\Windows\System\qibmbZu.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\FBRVFeD.exe
  C:\Windows\System\FBRVFeD.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\UVLPnSd.exe
  C:\Windows\System\UVLPnSd.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\SlEOWMx.exe
  C:\Windows\System\SlEOWMx.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\bfBJtEv.exe
  C:\Windows\System\bfBJtEv.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\oabauoT.exe
  C:\Windows\System\oabauoT.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\axmDoyh.exe
  C:\Windows\System\axmDoyh.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\upEMFKn.exe
  C:\Windows\System\upEMFKn.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\RGUvBAL.exe
  C:\Windows\System\RGUvBAL.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\goSbpxr.exe
  C:\Windows\System\goSbpxr.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\ejWkaqk.exe
  C:\Windows\System\ejWkaqk.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\UOIkEgz.exe
  C:\Windows\System\UOIkEgz.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\KNNnuNi.exe
  C:\Windows\System\KNNnuNi.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\KaVFhrR.exe
  C:\Windows\System\KaVFhrR.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\kyWmDBZ.exe
  C:\Windows\System\kyWmDBZ.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\igETVOW.exe
  C:\Windows\System\igETVOW.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\UqyFALU.exe
  C:\Windows\System\UqyFALU.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\ybcBiEj.exe
  C:\Windows\System\ybcBiEj.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\feHFqMS.exe
  C:\Windows\System\feHFqMS.exe
  2⤵
  PID:428
- C:\Windows\System\IwoxtDg.exe
  C:\Windows\System\IwoxtDg.exe
  2⤵
  PID:3956
- C:\Windows\System\gmAoOmM.exe
  C:\Windows\System\gmAoOmM.exe
  2⤵
  PID:3312
- C:\Windows\System\NPDbWds.exe
  C:\Windows\System\NPDbWds.exe
  2⤵
  PID:4592
- C:\Windows\System\OfbhWLR.exe
  C:\Windows\System\OfbhWLR.exe
  2⤵
  PID:3064
- C:\Windows\System\qWKoeus.exe
  C:\Windows\System\qWKoeus.exe
  2⤵
  PID:1684
- C:\Windows\System\CLskdUy.exe
  C:\Windows\System\CLskdUy.exe
  2⤵
  PID:1656
- C:\Windows\System\jrCkbkc.exe
  C:\Windows\System\jrCkbkc.exe
  2⤵
  PID:2916
- C:\Windows\System\HvIjpdi.exe
  C:\Windows\System\HvIjpdi.exe
  2⤵
  PID:4468
- C:\Windows\System\iThjxti.exe
  C:\Windows\System\iThjxti.exe
  2⤵
  PID:2332
- C:\Windows\System\XgGExtN.exe
  C:\Windows\System\XgGExtN.exe
  2⤵
  PID:3700
- C:\Windows\System\vpoxJvA.exe
  C:\Windows\System\vpoxJvA.exe
  2⤵
  PID:212
- C:\Windows\System\dYGTzxu.exe
  C:\Windows\System\dYGTzxu.exe
  2⤵
  PID:1564
- C:\Windows\System\jZkEsaM.exe
  C:\Windows\System\jZkEsaM.exe
  2⤵
  PID:4140
- C:\Windows\System\pOPeZUu.exe
  C:\Windows\System\pOPeZUu.exe
  2⤵
  PID:4364
- C:\Windows\System\QhgrfPC.exe
  C:\Windows\System\QhgrfPC.exe
  2⤵
  PID:1440
- C:\Windows\System\GqRlfAk.exe
  C:\Windows\System\GqRlfAk.exe
  2⤵
  PID:1664
- C:\Windows\System\wOllgzo.exe
  C:\Windows\System\wOllgzo.exe
  2⤵
  PID:2616
- C:\Windows\System\jNjKdKw.exe
  C:\Windows\System\jNjKdKw.exe
  2⤵
  PID:1460
- C:\Windows\System\CydOUJK.exe
  C:\Windows\System\CydOUJK.exe
  2⤵
  PID:388
- C:\Windows\System\cAJJSDT.exe
  C:\Windows\System\cAJJSDT.exe
  2⤵
  PID:4040
- C:\Windows\System\DKiTFmG.exe
  C:\Windows\System\DKiTFmG.exe
  2⤵
  PID:2028
- C:\Windows\System\zHHfSff.exe
  C:\Windows\System\zHHfSff.exe
  2⤵
  PID:5136
- C:\Windows\System\bdApUgb.exe
  C:\Windows\System\bdApUgb.exe
  2⤵
  PID:5172
- C:\Windows\System\uacQvEE.exe
  C:\Windows\System\uacQvEE.exe
  2⤵
  PID:5216
- C:\Windows\System\MTqhtMt.exe
  C:\Windows\System\MTqhtMt.exe
  2⤵
  PID:5244
- C:\Windows\System\eeQYUXK.exe
  C:\Windows\System\eeQYUXK.exe
  2⤵
  PID:5276
- C:\Windows\System\BzxFnPq.exe
  C:\Windows\System\BzxFnPq.exe
  2⤵
  PID:5296
- C:\Windows\System\QoYjDdR.exe
  C:\Windows\System\QoYjDdR.exe
  2⤵
  PID:5312
- C:\Windows\System\pkFNKot.exe
  C:\Windows\System\pkFNKot.exe
  2⤵
  PID:5336
- C:\Windows\System\CCngHuu.exe
  C:\Windows\System\CCngHuu.exe
  2⤵
  PID:5356
- C:\Windows\System\ozmtBRJ.exe
  C:\Windows\System\ozmtBRJ.exe
  2⤵
  PID:5372
- C:\Windows\System\ocLIojE.exe
  C:\Windows\System\ocLIojE.exe
  2⤵
  PID:5392
- C:\Windows\System\tDggsRb.exe
  C:\Windows\System\tDggsRb.exe
  2⤵
  PID:5412
- C:\Windows\System\Jdnwjmr.exe
  C:\Windows\System\Jdnwjmr.exe
  2⤵
  PID:5448
- C:\Windows\System\ZLHjNbd.exe
  C:\Windows\System\ZLHjNbd.exe
  2⤵
  PID:5472
- C:\Windows\System\kzWaWDQ.exe
  C:\Windows\System\kzWaWDQ.exe
  2⤵
  PID:5512
- C:\Windows\System\OINDXxR.exe
  C:\Windows\System\OINDXxR.exe
  2⤵
  PID:5532
- C:\Windows\System\oQWoMqG.exe
  C:\Windows\System\oQWoMqG.exe
  2⤵
  PID:5548
- C:\Windows\System\OYFkovU.exe
  C:\Windows\System\OYFkovU.exe
  2⤵
  PID:5604
- C:\Windows\System\zQxvBbN.exe
  C:\Windows\System\zQxvBbN.exe
  2⤵
  PID:5676
- C:\Windows\System\kkWaXuw.exe
  C:\Windows\System\kkWaXuw.exe
  2⤵
  PID:5724
- C:\Windows\System\zDOmCbP.exe
  C:\Windows\System\zDOmCbP.exe
  2⤵
  PID:5744
- C:\Windows\System\cTlOUyW.exe
  C:\Windows\System\cTlOUyW.exe
  2⤵
  PID:5760
- C:\Windows\System\jUDsQhM.exe
  C:\Windows\System\jUDsQhM.exe
  2⤵
  PID:5776
- C:\Windows\System\kajHFKM.exe
  C:\Windows\System\kajHFKM.exe
  2⤵
  PID:5796
- C:\Windows\System\IIsIMOp.exe
  C:\Windows\System\IIsIMOp.exe
  2⤵
  PID:5844
- C:\Windows\System\cMppCdO.exe
  C:\Windows\System\cMppCdO.exe
  2⤵
  PID:5864
- C:\Windows\System\IdUmszx.exe
  C:\Windows\System\IdUmszx.exe
  2⤵
  PID:5892
- C:\Windows\System\MUcghpf.exe
  C:\Windows\System\MUcghpf.exe
  2⤵
  PID:5920
- C:\Windows\System\znflgPA.exe
  C:\Windows\System\znflgPA.exe
  2⤵
  PID:5940
- C:\Windows\System\NkyobjA.exe
  C:\Windows\System\NkyobjA.exe
  2⤵
  PID:6020
- C:\Windows\System\rneroiz.exe
  C:\Windows\System\rneroiz.exe
  2⤵
  PID:6036
- C:\Windows\System\YRtzqcm.exe
  C:\Windows\System\YRtzqcm.exe
  2⤵
  PID:6068
- C:\Windows\System\JWrMTMJ.exe
  C:\Windows\System\JWrMTMJ.exe
  2⤵
  PID:6100
- C:\Windows\System\gpLiiXT.exe
  C:\Windows\System\gpLiiXT.exe
  2⤵
  PID:6132
- C:\Windows\System\sHGsHfP.exe
  C:\Windows\System\sHGsHfP.exe
  2⤵
  PID:3456
- C:\Windows\System\yiDrNzs.exe
  C:\Windows\System\yiDrNzs.exe
  2⤵
  PID:3268
- C:\Windows\System\pbRNXkF.exe
  C:\Windows\System\pbRNXkF.exe
  2⤵
  PID:1624
- C:\Windows\System\rJCClLA.exe
  C:\Windows\System\rJCClLA.exe
  2⤵
  PID:640
- C:\Windows\System\NLtVapj.exe
  C:\Windows\System\NLtVapj.exe
  2⤵
  PID:5128
- C:\Windows\System\FHdSMoP.exe
  C:\Windows\System\FHdSMoP.exe
  2⤵
  PID:5164
- C:\Windows\System\iNXAOfI.exe
  C:\Windows\System\iNXAOfI.exe
  2⤵
  PID:5240
- C:\Windows\System\cdYMajD.exe
  C:\Windows\System\cdYMajD.exe
  2⤵
  PID:5048
- C:\Windows\System\QFvHJCW.exe
  C:\Windows\System\QFvHJCW.exe
  2⤵
  PID:5292
- C:\Windows\System\shQdvIm.exe
  C:\Windows\System\shQdvIm.exe
  2⤵
  PID:5348
- C:\Windows\System\sabzCbS.exe
  C:\Windows\System\sabzCbS.exe
  2⤵
  PID:2348
- C:\Windows\System\terOnEX.exe
  C:\Windows\System\terOnEX.exe
  2⤵
  PID:5544
- C:\Windows\System\cxpdMSW.exe
  C:\Windows\System\cxpdMSW.exe
  2⤵
  PID:1816
- C:\Windows\System\KFdykay.exe
  C:\Windows\System\KFdykay.exe
  2⤵
  PID:5584
- C:\Windows\System\tvDOlql.exe
  C:\Windows\System\tvDOlql.exe
  2⤵
  PID:5600
- C:\Windows\System\eWyJuWD.exe
  C:\Windows\System\eWyJuWD.exe
  2⤵
  PID:5716
- C:\Windows\System\HOYEldi.exe
  C:\Windows\System\HOYEldi.exe
  2⤵
  PID:5836
- C:\Windows\System\fRUpOpI.exe
  C:\Windows\System\fRUpOpI.exe
  2⤵
  PID:5860
- C:\Windows\System\SgGdJpd.exe
  C:\Windows\System\SgGdJpd.exe
  2⤵
  PID:5932
- C:\Windows\System\rQUiYOI.exe
  C:\Windows\System\rQUiYOI.exe
  2⤵
  PID:6032
- C:\Windows\System\dXgTVdH.exe
  C:\Windows\System\dXgTVdH.exe
  2⤵
  PID:5996
- C:\Windows\System\hEyofOF.exe
  C:\Windows\System\hEyofOF.exe
  2⤵
  PID:6112
- C:\Windows\System\AwUsoeS.exe
  C:\Windows\System\AwUsoeS.exe
  2⤵
  PID:5084
- C:\Windows\System\fPHjdho.exe
  C:\Windows\System\fPHjdho.exe
  2⤵
  PID:4600
- C:\Windows\System\PeOJqWl.exe
  C:\Windows\System\PeOJqWl.exe
  2⤵
  PID:5148
- C:\Windows\System\UKeMnmI.exe
  C:\Windows\System\UKeMnmI.exe
  2⤵
  PID:5256
- C:\Windows\System\pKJEIvL.exe
  C:\Windows\System\pKJEIvL.exe
  2⤵
  PID:5100
- C:\Windows\System\oIcAShk.exe
  C:\Windows\System\oIcAShk.exe
  2⤵
  PID:5364
- C:\Windows\System\pZQoPDd.exe
  C:\Windows\System\pZQoPDd.exe
  2⤵
  PID:5528
- C:\Windows\System\uTCywyB.exe
  C:\Windows\System\uTCywyB.exe
  2⤵
  PID:3804
- C:\Windows\System\DtJHUmw.exe
  C:\Windows\System\DtJHUmw.exe
  2⤵
  PID:5828
- C:\Windows\System\ZoJmwEs.exe
  C:\Windows\System\ZoJmwEs.exe
  2⤵
  PID:5968
- C:\Windows\System\DLqPhMS.exe
  C:\Windows\System\DLqPhMS.exe
  2⤵
  PID:1036
- C:\Windows\System\amILoPK.exe
  C:\Windows\System\amILoPK.exe
  2⤵
  PID:5344
- C:\Windows\System\NHnuOOR.exe
  C:\Windows\System\NHnuOOR.exe
  2⤵
  PID:4868
- C:\Windows\System\NcMIvzc.exe
  C:\Windows\System\NcMIvzc.exe
  2⤵
  PID:5656
- C:\Windows\System\XuwXVsw.exe
  C:\Windows\System\XuwXVsw.exe
  2⤵
  PID:5736
- C:\Windows\System\fhUXJBs.exe
  C:\Windows\System\fhUXJBs.exe
  2⤵
  PID:5288
- C:\Windows\System\RxkIfDT.exe
  C:\Windows\System\RxkIfDT.exe
  2⤵
  PID:5960
- C:\Windows\System\OkBwehI.exe
  C:\Windows\System\OkBwehI.exe
  2⤵
  PID:6168
- C:\Windows\System\fzgfWDF.exe
  C:\Windows\System\fzgfWDF.exe
  2⤵
  PID:6192
- C:\Windows\System\PVtZFkL.exe
  C:\Windows\System\PVtZFkL.exe
  2⤵
  PID:6208
- C:\Windows\System\nSbRqmH.exe
  C:\Windows\System\nSbRqmH.exe
  2⤵
  PID:6232
- C:\Windows\System\bqvqrfp.exe
  C:\Windows\System\bqvqrfp.exe
  2⤵
  PID:6268
- C:\Windows\System\DZIyhmF.exe
  C:\Windows\System\DZIyhmF.exe
  2⤵
  PID:6284
- C:\Windows\System\IboawaY.exe
  C:\Windows\System\IboawaY.exe
  2⤵
  PID:6316
- C:\Windows\System\XpLgJkv.exe
  C:\Windows\System\XpLgJkv.exe
  2⤵
  PID:6364
- C:\Windows\System\nRNHKrd.exe
  C:\Windows\System\nRNHKrd.exe
  2⤵
  PID:6404
- C:\Windows\System\bevuFaQ.exe
  C:\Windows\System\bevuFaQ.exe
  2⤵
  PID:6432
- C:\Windows\System\xlczCWl.exe
  C:\Windows\System\xlczCWl.exe
  2⤵
  PID:6448
- C:\Windows\System\ejpyAjz.exe
  C:\Windows\System\ejpyAjz.exe
  2⤵
  PID:6464
- C:\Windows\System\IUnxPQF.exe
  C:\Windows\System\IUnxPQF.exe
  2⤵
  PID:6480
- C:\Windows\System\doayZHP.exe
  C:\Windows\System\doayZHP.exe
  2⤵
  PID:6496
- C:\Windows\System\pjKloSk.exe
  C:\Windows\System\pjKloSk.exe
  2⤵
  PID:6512
- C:\Windows\System\pKRrmyC.exe
  C:\Windows\System\pKRrmyC.exe
  2⤵
  PID:6528
- C:\Windows\System\rCORZHo.exe
  C:\Windows\System\rCORZHo.exe
  2⤵
  PID:6548
- C:\Windows\System\HteuaZE.exe
  C:\Windows\System\HteuaZE.exe
  2⤵
  PID:6572
- C:\Windows\System\CxuhXOx.exe
  C:\Windows\System\CxuhXOx.exe
  2⤵
  PID:6588
- C:\Windows\System\whGgdiZ.exe
  C:\Windows\System\whGgdiZ.exe
  2⤵
  PID:6612
- C:\Windows\System\omlDvMf.exe
  C:\Windows\System\omlDvMf.exe
  2⤵
  PID:6692
- C:\Windows\System\IfoRrux.exe
  C:\Windows\System\IfoRrux.exe
  2⤵
  PID:6716
- C:\Windows\System\hOQPPcT.exe
  C:\Windows\System\hOQPPcT.exe
  2⤵
  PID:6736
- C:\Windows\System\oVLzdvp.exe
  C:\Windows\System\oVLzdvp.exe
  2⤵
  PID:6792
- C:\Windows\System\GBYoVKG.exe
  C:\Windows\System\GBYoVKG.exe
  2⤵
  PID:6824
- C:\Windows\System\IWNqJSo.exe
  C:\Windows\System\IWNqJSo.exe
  2⤵
  PID:6848
- C:\Windows\System\skAtNqY.exe
  C:\Windows\System\skAtNqY.exe
  2⤵
  PID:6868
- C:\Windows\System\RLiCmSA.exe
  C:\Windows\System\RLiCmSA.exe
  2⤵
  PID:6892
- C:\Windows\System\DgbIBOh.exe
  C:\Windows\System\DgbIBOh.exe
  2⤵
  PID:6912
- C:\Windows\System\zmGCzlM.exe
  C:\Windows\System\zmGCzlM.exe
  2⤵
  PID:6948
- C:\Windows\System\PqybwsZ.exe
  C:\Windows\System\PqybwsZ.exe
  2⤵
  PID:7012
- C:\Windows\System\jAdMsmS.exe
  C:\Windows\System\jAdMsmS.exe
  2⤵
  PID:7032
- C:\Windows\System\mBRyJOu.exe
  C:\Windows\System\mBRyJOu.exe
  2⤵
  PID:7060
- C:\Windows\System\dlYjtSk.exe
  C:\Windows\System\dlYjtSk.exe
  2⤵
  PID:7080
- C:\Windows\System\koakfpk.exe
  C:\Windows\System\koakfpk.exe
  2⤵
  PID:7100
- C:\Windows\System\RAvaldZ.exe
  C:\Windows\System\RAvaldZ.exe
  2⤵
  PID:7116
- C:\Windows\System\sdHacwv.exe
  C:\Windows\System\sdHacwv.exe
  2⤵
  PID:7136
- C:\Windows\System\PmuJVSH.exe
  C:\Windows\System\PmuJVSH.exe
  2⤵
  PID:7152
- C:\Windows\System\IlDWLga.exe
  C:\Windows\System\IlDWLga.exe
  2⤵
  PID:6160
- C:\Windows\System\ajiZLPJ.exe
  C:\Windows\System\ajiZLPJ.exe
  2⤵
  PID:6216
- C:\Windows\System\dcPNEgS.exe
  C:\Windows\System\dcPNEgS.exe
  2⤵
  PID:6344
- C:\Windows\System\SezqWuj.exe
  C:\Windows\System\SezqWuj.exe
  2⤵
  PID:6472
- C:\Windows\System\YlpNGZh.exe
  C:\Windows\System\YlpNGZh.exe
  2⤵
  PID:6504
- C:\Windows\System\prnhkgV.exe
  C:\Windows\System\prnhkgV.exe
  2⤵
  PID:6524
- C:\Windows\System\CrJkXst.exe
  C:\Windows\System\CrJkXst.exe
  2⤵
  PID:6688
- C:\Windows\System\dwFTtaU.exe
  C:\Windows\System\dwFTtaU.exe
  2⤵
  PID:6608
- C:\Windows\System\BvDMuFo.exe
  C:\Windows\System\BvDMuFo.exe
  2⤵
  PID:6772
- C:\Windows\System\OysoMms.exe
  C:\Windows\System\OysoMms.exe
  2⤵
  PID:6744
- C:\Windows\System\jEjGFoq.exe
  C:\Windows\System\jEjGFoq.exe
  2⤵
  PID:6816
- C:\Windows\System\TKTKyph.exe
  C:\Windows\System\TKTKyph.exe
  2⤵
  PID:6844
- C:\Windows\System\ZVxHNiE.exe
  C:\Windows\System\ZVxHNiE.exe
  2⤵
  PID:6860
- C:\Windows\System\QRNgNVp.exe
  C:\Windows\System\QRNgNVp.exe
  2⤵
  PID:6944
- C:\Windows\System\UeDkmXc.exe
  C:\Windows\System\UeDkmXc.exe
  2⤵
  PID:7008
- C:\Windows\System\jEJyvvL.exe
  C:\Windows\System\jEJyvvL.exe
  2⤵
  PID:7068
- C:\Windows\System\JfZfLXj.exe
  C:\Windows\System\JfZfLXj.exe
  2⤵
  PID:7132
- C:\Windows\System\tzyIaDj.exe
  C:\Windows\System\tzyIaDj.exe
  2⤵
  PID:7108
- C:\Windows\System\pNwyuEY.exe
  C:\Windows\System\pNwyuEY.exe
  2⤵
  PID:7144
- C:\Windows\System\vBMnjSK.exe
  C:\Windows\System\vBMnjSK.exe
  2⤵
  PID:6440
- C:\Windows\System\AzrsqqS.exe
  C:\Windows\System\AzrsqqS.exe
  2⤵
  PID:6520
- C:\Windows\System\CnbKPRA.exe
  C:\Windows\System\CnbKPRA.exe
  2⤵
  PID:6760
- C:\Windows\System\pxPNbtz.exe
  C:\Windows\System\pxPNbtz.exe
  2⤵
  PID:6980
- C:\Windows\System\DHuSeik.exe
  C:\Windows\System\DHuSeik.exe
  2⤵
  PID:6904
- C:\Windows\System\oijulst.exe
  C:\Windows\System\oijulst.exe
  2⤵
  PID:7052
- C:\Windows\System\jkhQDfu.exe
  C:\Windows\System\jkhQDfu.exe
  2⤵
  PID:6276
- C:\Windows\System\dntSiUn.exe
  C:\Windows\System\dntSiUn.exe
  2⤵
  PID:5184
- C:\Windows\System\VSQnMwM.exe
  C:\Windows\System\VSQnMwM.exe
  2⤵
  PID:6308
- C:\Windows\System\RlzWJMq.exe
  C:\Windows\System\RlzWJMq.exe
  2⤵
  PID:7216
- C:\Windows\System\qdYKDpY.exe
  C:\Windows\System\qdYKDpY.exe
  2⤵
  PID:7236
- C:\Windows\System\jNrDzca.exe
  C:\Windows\System\jNrDzca.exe
  2⤵
  PID:7264
- C:\Windows\System\xVLlHNC.exe
  C:\Windows\System\xVLlHNC.exe
  2⤵
  PID:7284
- C:\Windows\System\zPvaGAh.exe
  C:\Windows\System\zPvaGAh.exe
  2⤵
  PID:7300
- C:\Windows\System\AjEKqky.exe
  C:\Windows\System\AjEKqky.exe
  2⤵
  PID:7332
- C:\Windows\System\dLfEDIl.exe
  C:\Windows\System\dLfEDIl.exe
  2⤵
  PID:7368
- C:\Windows\System\tvcXDLc.exe
  C:\Windows\System\tvcXDLc.exe
  2⤵
  PID:7384
- C:\Windows\System\PpkbPaz.exe
  C:\Windows\System\PpkbPaz.exe
  2⤵
  PID:7404
- C:\Windows\System\CVlucOK.exe
  C:\Windows\System\CVlucOK.exe
  2⤵
  PID:7420
- C:\Windows\System\OxWuKBp.exe
  C:\Windows\System\OxWuKBp.exe
  2⤵
  PID:7460
- C:\Windows\System\DCzfIxS.exe
  C:\Windows\System\DCzfIxS.exe
  2⤵
  PID:7480
- C:\Windows\System\pQcNfvB.exe
  C:\Windows\System\pQcNfvB.exe
  2⤵
  PID:7500
- C:\Windows\System\sANLQXU.exe
  C:\Windows\System\sANLQXU.exe
  2⤵
  PID:7568
- C:\Windows\System\PlBzzOC.exe
  C:\Windows\System\PlBzzOC.exe
  2⤵
  PID:7588
- C:\Windows\System\YunPYeY.exe
  C:\Windows\System\YunPYeY.exe
  2⤵
  PID:7632
- C:\Windows\System\JZCZoUu.exe
  C:\Windows\System\JZCZoUu.exe
  2⤵
  PID:7668
- C:\Windows\System\JuDWWyV.exe
  C:\Windows\System\JuDWWyV.exe
  2⤵
  PID:7712
- C:\Windows\System\pVXTJrr.exe
  C:\Windows\System\pVXTJrr.exe
  2⤵
  PID:7732
- C:\Windows\System\CdQDQer.exe
  C:\Windows\System\CdQDQer.exe
  2⤵
  PID:7772
- C:\Windows\System\FbUNYTR.exe
  C:\Windows\System\FbUNYTR.exe
  2⤵
  PID:7800
- C:\Windows\System\adlzXra.exe
  C:\Windows\System\adlzXra.exe
  2⤵
  PID:7816
- C:\Windows\System\bzQKPMI.exe
  C:\Windows\System\bzQKPMI.exe
  2⤵
  PID:7840
- C:\Windows\System\nmZAHQr.exe
  C:\Windows\System\nmZAHQr.exe
  2⤵
  PID:7860
- C:\Windows\System\ivWacVU.exe
  C:\Windows\System\ivWacVU.exe
  2⤵
  PID:7916
- C:\Windows\System\qGJaEJG.exe
  C:\Windows\System\qGJaEJG.exe
  2⤵
  PID:7940
- C:\Windows\System\iLrnqvX.exe
  C:\Windows\System\iLrnqvX.exe
  2⤵
  PID:7968
- C:\Windows\System\RcJHPWl.exe
  C:\Windows\System\RcJHPWl.exe
  2⤵
  PID:7984
- C:\Windows\System\bhvYJmE.exe
  C:\Windows\System\bhvYJmE.exe
  2⤵
  PID:8040
- C:\Windows\System\WvGheri.exe
  C:\Windows\System\WvGheri.exe
  2⤵
  PID:8060
- C:\Windows\System\xnFYiCd.exe
  C:\Windows\System\xnFYiCd.exe
  2⤵
  PID:8076
- C:\Windows\System\Ygknigs.exe
  C:\Windows\System\Ygknigs.exe
  2⤵
  PID:8096
- C:\Windows\System\lQVWfrp.exe
  C:\Windows\System\lQVWfrp.exe
  2⤵
  PID:8132
- C:\Windows\System\fkOICyf.exe
  C:\Windows\System\fkOICyf.exe
  2⤵
  PID:8160
- C:\Windows\System\lRqcRrR.exe
  C:\Windows\System\lRqcRrR.exe
  2⤵
  PID:6932
- C:\Windows\System\KpITkdg.exe
  C:\Windows\System\KpITkdg.exe
  2⤵
  PID:7228
- C:\Windows\System\BJOiTII.exe
  C:\Windows\System\BJOiTII.exe
  2⤵
  PID:7204
- C:\Windows\System\fHhWwKP.exe
  C:\Windows\System\fHhWwKP.exe
  2⤵
  PID:5520
- C:\Windows\System\hTKgkWs.exe
  C:\Windows\System\hTKgkWs.exe
  2⤵
  PID:7412
- C:\Windows\System\cuixryO.exe
  C:\Windows\System\cuixryO.exe
  2⤵
  PID:7392
- C:\Windows\System\OIkhcVa.exe
  C:\Windows\System\OIkhcVa.exe
  2⤵
  PID:7496
- C:\Windows\System\ddeUOwI.exe
  C:\Windows\System\ddeUOwI.exe
  2⤵
  PID:7452
- C:\Windows\System\zGFHPrM.exe
  C:\Windows\System\zGFHPrM.exe
  2⤵
  PID:7608
- C:\Windows\System\lvDaXSd.exe
  C:\Windows\System\lvDaXSd.exe
  2⤵
  PID:7680
- C:\Windows\System\oCjKBBQ.exe
  C:\Windows\System\oCjKBBQ.exe
  2⤵
  PID:7748
- C:\Windows\System\bcIplZv.exe
  C:\Windows\System\bcIplZv.exe
  2⤵
  PID:7796
- C:\Windows\System\nWxsIqr.exe
  C:\Windows\System\nWxsIqr.exe
  2⤵
  PID:7852
- C:\Windows\System\CTkYrDq.exe
  C:\Windows\System\CTkYrDq.exe
  2⤵
  PID:7948
- C:\Windows\System\uVyxhZX.exe
  C:\Windows\System\uVyxhZX.exe
  2⤵
  PID:7992
- C:\Windows\System\EXHwIib.exe
  C:\Windows\System\EXHwIib.exe
  2⤵
  PID:8056
- C:\Windows\System\nJlIVjN.exe
  C:\Windows\System\nJlIVjN.exe
  2⤵
  PID:6052
- C:\Windows\System\aucEmnl.exe
  C:\Windows\System\aucEmnl.exe
  2⤵
  PID:8156
- C:\Windows\System\eowZrLq.exe
  C:\Windows\System\eowZrLq.exe
  2⤵
  PID:7260
- C:\Windows\System\uZivJLH.exe
  C:\Windows\System\uZivJLH.exe
  2⤵
  PID:7296
- C:\Windows\System\tIYVXNZ.exe
  C:\Windows\System\tIYVXNZ.exe
  2⤵
  PID:7488
- C:\Windows\System\xHVRyjD.exe
  C:\Windows\System\xHVRyjD.exe
  2⤵
  PID:7724
- C:\Windows\System\XaoBONy.exe
  C:\Windows\System\XaoBONy.exe
  2⤵
  PID:7648
- C:\Windows\System\rdcGCbS.exe
  C:\Windows\System\rdcGCbS.exe
  2⤵
  PID:7828
- C:\Windows\System\zWxewBZ.exe
  C:\Windows\System\zWxewBZ.exe
  2⤵
  PID:7976
- C:\Windows\System\YNWZZxG.exe
  C:\Windows\System\YNWZZxG.exe
  2⤵
  PID:8152
- C:\Windows\System\sDxeyFL.exe
  C:\Windows\System\sDxeyFL.exe
  2⤵
  PID:6292
- C:\Windows\System\jTeeQlD.exe
  C:\Windows\System\jTeeQlD.exe
  2⤵
  PID:7396
- C:\Windows\System\gkMnpUW.exe
  C:\Windows\System\gkMnpUW.exe
  2⤵
  PID:5880
- C:\Windows\System\dSjcrPA.exe
  C:\Windows\System\dSjcrPA.exe
  2⤵
  PID:8116
- C:\Windows\System\IbPJYrx.exe
  C:\Windows\System\IbPJYrx.exe
  2⤵
  PID:8196
- C:\Windows\System\maLdABD.exe
  C:\Windows\System\maLdABD.exe
  2⤵
  PID:8216
- C:\Windows\System\uwqdjQg.exe
  C:\Windows\System\uwqdjQg.exe
  2⤵
  PID:8244
- C:\Windows\System\lGALbpK.exe
  C:\Windows\System\lGALbpK.exe
  2⤵
  PID:8272
- C:\Windows\System\urtnQmX.exe
  C:\Windows\System\urtnQmX.exe
  2⤵
  PID:8312
- C:\Windows\System\HVVxVOC.exe
  C:\Windows\System\HVVxVOC.exe
  2⤵
  PID:8340
- C:\Windows\System\TALVfYi.exe
  C:\Windows\System\TALVfYi.exe
  2⤵
  PID:8364
- C:\Windows\System\epZcsyy.exe
  C:\Windows\System\epZcsyy.exe
  2⤵
  PID:8388
- C:\Windows\System\hmlerCX.exe
  C:\Windows\System\hmlerCX.exe
  2⤵
  PID:8440
- C:\Windows\System\eZDsXaN.exe
  C:\Windows\System\eZDsXaN.exe
  2⤵
  PID:8484
- C:\Windows\System\TKjEToS.exe
  C:\Windows\System\TKjEToS.exe
  2⤵
  PID:8504
- C:\Windows\System\CyWTKEJ.exe
  C:\Windows\System\CyWTKEJ.exe
  2⤵
  PID:8528
- C:\Windows\System\XdrhLXQ.exe
  C:\Windows\System\XdrhLXQ.exe
  2⤵
  PID:8548
- C:\Windows\System\WKFUbTY.exe
  C:\Windows\System\WKFUbTY.exe
  2⤵
  PID:8600
- C:\Windows\System\EXulfBH.exe
  C:\Windows\System\EXulfBH.exe
  2⤵
  PID:8624
- C:\Windows\System\EeYqAlm.exe
  C:\Windows\System\EeYqAlm.exe
  2⤵
  PID:8652
- C:\Windows\System\QabFvVb.exe
  C:\Windows\System\QabFvVb.exe
  2⤵
  PID:8684
- C:\Windows\System\flRntlN.exe
  C:\Windows\System\flRntlN.exe
  2⤵
  PID:8704
- C:\Windows\System\GLBEbox.exe
  C:\Windows\System\GLBEbox.exe
  2⤵
  PID:8732
- C:\Windows\System\NmVAIPE.exe
  C:\Windows\System\NmVAIPE.exe
  2⤵
  PID:8752
- C:\Windows\System\PjrTnTR.exe
  C:\Windows\System\PjrTnTR.exe
  2⤵
  PID:8780
- C:\Windows\System\aFYkHOZ.exe
  C:\Windows\System\aFYkHOZ.exe
  2⤵
  PID:8808
- C:\Windows\System\SolijSm.exe
  C:\Windows\System\SolijSm.exe
  2⤵
  PID:8828
- C:\Windows\System\ZaoIajb.exe
  C:\Windows\System\ZaoIajb.exe
  2⤵
  PID:8864
- C:\Windows\System\CZKqeNo.exe
  C:\Windows\System\CZKqeNo.exe
  2⤵
  PID:8888
- C:\Windows\System\fflGZkQ.exe
  C:\Windows\System\fflGZkQ.exe
  2⤵
  PID:8908
- C:\Windows\System\syLHPqD.exe
  C:\Windows\System\syLHPqD.exe
  2⤵
  PID:8932
- C:\Windows\System\YfRTqzq.exe
  C:\Windows\System\YfRTqzq.exe
  2⤵
  PID:8956
- C:\Windows\System\OYnfOuG.exe
  C:\Windows\System\OYnfOuG.exe
  2⤵
  PID:8976
- C:\Windows\System\kjzIZqg.exe
  C:\Windows\System\kjzIZqg.exe
  2⤵
  PID:8996
- C:\Windows\System\pPGsSyT.exe
  C:\Windows\System\pPGsSyT.exe
  2⤵
  PID:9024
- C:\Windows\System\xcLpHdF.exe
  C:\Windows\System\xcLpHdF.exe
  2⤵
  PID:9096
- C:\Windows\System\DzmDZMO.exe
  C:\Windows\System\DzmDZMO.exe
  2⤵
  PID:9116
- C:\Windows\System\duBBhEx.exe
  C:\Windows\System\duBBhEx.exe
  2⤵
  PID:9132
- C:\Windows\System\ZYVKzTQ.exe
  C:\Windows\System\ZYVKzTQ.exe
  2⤵
  PID:9160
- C:\Windows\System\majJNEg.exe
  C:\Windows\System\majJNEg.exe
  2⤵
  PID:9200
- C:\Windows\System\BhcscaX.exe
  C:\Windows\System\BhcscaX.exe
  2⤵
  PID:7376
- C:\Windows\System\RHPXfvq.exe
  C:\Windows\System\RHPXfvq.exe
  2⤵
  PID:7980
- C:\Windows\System\qByKXZa.exe
  C:\Windows\System\qByKXZa.exe
  2⤵
  PID:8208
- C:\Windows\System\UCpVCET.exe
  C:\Windows\System\UCpVCET.exe
  2⤵
  PID:8292
- C:\Windows\System\cIUQZFb.exe
  C:\Windows\System\cIUQZFb.exe
  2⤵
  PID:8332
- C:\Windows\System\FETOSkj.exe
  C:\Windows\System\FETOSkj.exe
  2⤵
  PID:8380
- C:\Windows\System\PltTYBs.exe
  C:\Windows\System\PltTYBs.exe
  2⤵
  PID:8576
- C:\Windows\System\WLGzoHm.exe
  C:\Windows\System\WLGzoHm.exe
  2⤵
  PID:8636
- C:\Windows\System\tRHFOMh.exe
  C:\Windows\System\tRHFOMh.exe
  2⤵
  PID:8692
- C:\Windows\System\OeXGiFU.exe
  C:\Windows\System\OeXGiFU.exe
  2⤵
  PID:8748
- C:\Windows\System\gLgaipJ.exe
  C:\Windows\System\gLgaipJ.exe
  2⤵
  PID:8804
- C:\Windows\System\zkNTxvc.exe
  C:\Windows\System\zkNTxvc.exe
  2⤵
  PID:8848
- C:\Windows\System\zfsWXhO.exe
  C:\Windows\System\zfsWXhO.exe
  2⤵
  PID:8964
- C:\Windows\System\gfefjQB.exe
  C:\Windows\System\gfefjQB.exe
  2⤵
  PID:8972
- C:\Windows\System\lvzqytg.exe
  C:\Windows\System\lvzqytg.exe
  2⤵
  PID:9140
- C:\Windows\System\hxQIDoe.exe
  C:\Windows\System\hxQIDoe.exe
  2⤵
  PID:9108
- C:\Windows\System\ZFPYAAm.exe
  C:\Windows\System\ZFPYAAm.exe
  2⤵
  PID:8008
- C:\Windows\System\pnfDxAZ.exe
  C:\Windows\System\pnfDxAZ.exe
  2⤵
  PID:7200
- C:\Windows\System\ehSOXRV.exe
  C:\Windows\System\ehSOXRV.exe
  2⤵
  PID:8432
- C:\Windows\System\KkBLBBa.exe
  C:\Windows\System\KkBLBBa.exe
  2⤵
  PID:8520
- C:\Windows\System\iLPdgUe.exe
  C:\Windows\System\iLPdgUe.exe
  2⤵
  PID:8588
- C:\Windows\System\oAXJUuo.exe
  C:\Windows\System\oAXJUuo.exe
  2⤵
  PID:8700
- C:\Windows\System\ELydmnD.exe
  C:\Windows\System\ELydmnD.exe
  2⤵
  PID:8772
- C:\Windows\System\Rananzx.exe
  C:\Windows\System\Rananzx.exe
  2⤵
  PID:8988
- C:\Windows\System\ywErksT.exe
  C:\Windows\System\ywErksT.exe
  2⤵
  PID:7720
- C:\Windows\System\myLdKtZ.exe
  C:\Windows\System\myLdKtZ.exe
  2⤵
  PID:8480
- C:\Windows\System\sMfrusk.exe
  C:\Windows\System\sMfrusk.exe
  2⤵
  PID:8916
- C:\Windows\System\wGjCPVC.exe
  C:\Windows\System\wGjCPVC.exe
  2⤵
  PID:8348
- C:\Windows\System\gXBwpLY.exe
  C:\Windows\System\gXBwpLY.exe
  2⤵
  PID:9224
- C:\Windows\System\PxYkHwj.exe
  C:\Windows\System\PxYkHwj.exe
  2⤵
  PID:9244
- C:\Windows\System\TwlIfBJ.exe
  C:\Windows\System\TwlIfBJ.exe
  2⤵
  PID:9272
- C:\Windows\System\dSCsiQW.exe
  C:\Windows\System\dSCsiQW.exe
  2⤵
  PID:9292
- C:\Windows\System\LDClXNT.exe
  C:\Windows\System\LDClXNT.exe
  2⤵
  PID:9324
- C:\Windows\System\xbNhvyp.exe
  C:\Windows\System\xbNhvyp.exe
  2⤵
  PID:9368
- C:\Windows\System\eHEgNxN.exe
  C:\Windows\System\eHEgNxN.exe
  2⤵
  PID:9396
- C:\Windows\System\KnuLHLd.exe
  C:\Windows\System\KnuLHLd.exe
  2⤵
  PID:9420
- C:\Windows\System\PRUdteQ.exe
  C:\Windows\System\PRUdteQ.exe
  2⤵
  PID:9444
- C:\Windows\System\uYvWQSc.exe
  C:\Windows\System\uYvWQSc.exe
  2⤵
  PID:9484
- C:\Windows\System\ivFagom.exe
  C:\Windows\System\ivFagom.exe
  2⤵
  PID:9508
- C:\Windows\System\WYbyjjX.exe
  C:\Windows\System\WYbyjjX.exe
  2⤵
  PID:9524
- C:\Windows\System\AOxfYAI.exe
  C:\Windows\System\AOxfYAI.exe
  2⤵
  PID:9572
- C:\Windows\System\jgIfvUu.exe
  C:\Windows\System\jgIfvUu.exe
  2⤵
  PID:9596
- C:\Windows\System\NDkiqXY.exe
  C:\Windows\System\NDkiqXY.exe
  2⤵
  PID:9624
- C:\Windows\System\fLYpXqJ.exe
  C:\Windows\System\fLYpXqJ.exe
  2⤵
  PID:9664
- C:\Windows\System\AlyDZzY.exe
  C:\Windows\System\AlyDZzY.exe
  2⤵
  PID:9684
- C:\Windows\System\WRFvOJE.exe
  C:\Windows\System\WRFvOJE.exe
  2⤵
  PID:9708
- C:\Windows\System\xSvmaHN.exe
  C:\Windows\System\xSvmaHN.exe
  2⤵
  PID:9744
- C:\Windows\System\UAsYrvR.exe
  C:\Windows\System\UAsYrvR.exe
  2⤵
  PID:9780
- C:\Windows\System\gQWbWam.exe
  C:\Windows\System\gQWbWam.exe
  2⤵
  PID:9804
- C:\Windows\System\tNimPym.exe
  C:\Windows\System\tNimPym.exe
  2⤵
  PID:9820
- C:\Windows\System\NOgSmZk.exe
  C:\Windows\System\NOgSmZk.exe
  2⤵
  PID:9848
- C:\Windows\System\ZOaNWNZ.exe
  C:\Windows\System\ZOaNWNZ.exe
  2⤵
  PID:9872
- C:\Windows\System\dBndiUb.exe
  C:\Windows\System\dBndiUb.exe
  2⤵
  PID:9896
- C:\Windows\System\FhvsEfC.exe
  C:\Windows\System\FhvsEfC.exe
  2⤵
  PID:9948
- C:\Windows\System\YVOIZwZ.exe
  C:\Windows\System\YVOIZwZ.exe
  2⤵
  PID:9968
- C:\Windows\System\opvuvjS.exe
  C:\Windows\System\opvuvjS.exe
  2⤵
  PID:9988
- C:\Windows\System\TLzXoIB.exe
  C:\Windows\System\TLzXoIB.exe
  2⤵
  PID:10024
- C:\Windows\System\YmHTNrv.exe
  C:\Windows\System\YmHTNrv.exe
  2⤵
  PID:10052
- C:\Windows\System\mtwUtmh.exe
  C:\Windows\System\mtwUtmh.exe
  2⤵
  PID:10084
- C:\Windows\System\yMOUdvw.exe
  C:\Windows\System\yMOUdvw.exe
  2⤵
  PID:10112
- C:\Windows\System\VMEglyH.exe
  C:\Windows\System\VMEglyH.exe
  2⤵
  PID:10160
- C:\Windows\System\QjPdsiC.exe
  C:\Windows\System\QjPdsiC.exe
  2⤵
  PID:10184
- C:\Windows\System\IwMiaqm.exe
  C:\Windows\System\IwMiaqm.exe
  2⤵
  PID:10204
- C:\Windows\System\aNRRGAw.exe
  C:\Windows\System\aNRRGAw.exe
  2⤵
  PID:10224
- C:\Windows\System\QxFfZSo.exe
  C:\Windows\System\QxFfZSo.exe
  2⤵
  PID:8992
- C:\Windows\System\DLhdauD.exe
  C:\Windows\System\DLhdauD.exe
  2⤵
  PID:9284
- C:\Windows\System\btcLlws.exe
  C:\Windows\System\btcLlws.exe
  2⤵
  PID:9320
- C:\Windows\System\XyEykoV.exe
  C:\Windows\System\XyEykoV.exe
  2⤵
  PID:9412
- C:\Windows\System\jHqOdGf.exe
  C:\Windows\System\jHqOdGf.exe
  2⤵
  PID:9460
- C:\Windows\System\mRaHtcl.exe
  C:\Windows\System\mRaHtcl.exe
  2⤵
  PID:9496
- C:\Windows\System\axcJBZe.exe
  C:\Windows\System\axcJBZe.exe
  2⤵
  PID:9544
- C:\Windows\System\YnvAsAm.exe
  C:\Windows\System\YnvAsAm.exe
  2⤵
  PID:9636
- C:\Windows\System\GArendd.exe
  C:\Windows\System\GArendd.exe
  2⤵
  PID:9652
- C:\Windows\System\ttDRoAi.exe
  C:\Windows\System\ttDRoAi.exe
  2⤵
  PID:9704
- C:\Windows\System\OWtGmcG.exe
  C:\Windows\System\OWtGmcG.exe
  2⤵
  PID:9772
- C:\Windows\System\LkdXHNs.exe
  C:\Windows\System\LkdXHNs.exe
  2⤵
  PID:9812
- C:\Windows\System\CQQeNwQ.exe
  C:\Windows\System\CQQeNwQ.exe
  2⤵
  PID:9884
- C:\Windows\System\RRzQExy.exe
  C:\Windows\System\RRzQExy.exe
  2⤵
  PID:9940
- C:\Windows\System\deFBLio.exe
  C:\Windows\System\deFBLio.exe
  2⤵
  PID:9996
- C:\Windows\System\YvlLDoz.exe
  C:\Windows\System\YvlLDoz.exe
  2⤵
  PID:10068
- C:\Windows\System\fmCcNox.exe
  C:\Windows\System\fmCcNox.exe
  2⤵
  PID:10136
- C:\Windows\System\DNePxsc.exe
  C:\Windows\System\DNePxsc.exe
  2⤵
  PID:10220
- C:\Windows\System\ftVwpOE.exe
  C:\Windows\System\ftVwpOE.exe
  2⤵
  PID:9360
- C:\Windows\System\qjuDNqD.exe
  C:\Windows\System\qjuDNqD.exe
  2⤵
  PID:9616
- C:\Windows\System\vyzrKgx.exe
  C:\Windows\System\vyzrKgx.exe
  2⤵
  PID:9960
- C:\Windows\System\aSArZFx.exe
  C:\Windows\System\aSArZFx.exe
  2⤵
  PID:9236
- C:\Windows\System\nVkwtQc.exe
  C:\Windows\System\nVkwtQc.exe
  2⤵
  PID:10216
- C:\Windows\System\vQBbEuf.exe
  C:\Windows\System\vQBbEuf.exe
  2⤵
  PID:9492
- C:\Windows\System\LBBWmtZ.exe
  C:\Windows\System\LBBWmtZ.exe
  2⤵
  PID:9924
- C:\Windows\System\kuLaYoh.exe
  C:\Windows\System\kuLaYoh.exe
  2⤵
  PID:10020
- C:\Windows\System\JllCeMy.exe
  C:\Windows\System\JllCeMy.exe
  2⤵
  PID:10252
- C:\Windows\System\iCCSrwq.exe
  C:\Windows\System\iCCSrwq.exe
  2⤵
  PID:10276
- C:\Windows\System\dpQSVuq.exe
  C:\Windows\System\dpQSVuq.exe
  2⤵
  PID:10300
- C:\Windows\System\kHGdkcO.exe
  C:\Windows\System\kHGdkcO.exe
  2⤵
  PID:10344
- C:\Windows\System\TYvANhr.exe
  C:\Windows\System\TYvANhr.exe
  2⤵
  PID:10376
- C:\Windows\System\mRCowsC.exe
  C:\Windows\System\mRCowsC.exe
  2⤵
  PID:10400
- C:\Windows\System\vXUBiOd.exe
  C:\Windows\System\vXUBiOd.exe
  2⤵
  PID:10416
- C:\Windows\System\ixduPIg.exe
  C:\Windows\System\ixduPIg.exe
  2⤵
  PID:10440
- C:\Windows\System\pXvfCtV.exe
  C:\Windows\System\pXvfCtV.exe
  2⤵
  PID:10460
- C:\Windows\System\UhGHayO.exe
  C:\Windows\System\UhGHayO.exe
  2⤵
  PID:10488
- C:\Windows\System\vvViCjA.exe
  C:\Windows\System\vvViCjA.exe
  2⤵
  PID:10508
- C:\Windows\System\MgwmgWT.exe
  C:\Windows\System\MgwmgWT.exe
  2⤵
  PID:10532
- C:\Windows\System\UFyaxnr.exe
  C:\Windows\System\UFyaxnr.exe
  2⤵
  PID:10552
- C:\Windows\System\qIxlSCt.exe
  C:\Windows\System\qIxlSCt.exe
  2⤵
  PID:10600
- C:\Windows\System\vcaihEa.exe
  C:\Windows\System\vcaihEa.exe
  2⤵
  PID:10620
- C:\Windows\System\TbXargx.exe
  C:\Windows\System\TbXargx.exe
  2⤵
  PID:10668
- C:\Windows\System\vcwOHCd.exe
  C:\Windows\System\vcwOHCd.exe
  2⤵
  PID:10688
- C:\Windows\System\kgEiAZS.exe
  C:\Windows\System\kgEiAZS.exe
  2⤵
  PID:10716
- C:\Windows\System\JfXNyto.exe
  C:\Windows\System\JfXNyto.exe
  2⤵
  PID:10732
- C:\Windows\System\JQzPDZn.exe
  C:\Windows\System\JQzPDZn.exe
  2⤵
  PID:10760
- C:\Windows\System\yQkmFFu.exe
  C:\Windows\System\yQkmFFu.exe
  2⤵
  PID:10780
- C:\Windows\System\IRYHsMO.exe
  C:\Windows\System\IRYHsMO.exe
  2⤵
  PID:10800
- C:\Windows\System\TporlDh.exe
  C:\Windows\System\TporlDh.exe
  2⤵
  PID:10828
- C:\Windows\System\GSUabxc.exe
  C:\Windows\System\GSUabxc.exe
  2⤵
  PID:10856
- C:\Windows\System\JuEcYMB.exe
  C:\Windows\System\JuEcYMB.exe
  2⤵
  PID:10888
- C:\Windows\System\MaYryMU.exe
  C:\Windows\System\MaYryMU.exe
  2⤵
  PID:10916
- C:\Windows\System\ePSnEEy.exe
  C:\Windows\System\ePSnEEy.exe
  2⤵
  PID:10936
- C:\Windows\System\kGPGmCr.exe
  C:\Windows\System\kGPGmCr.exe
  2⤵
  PID:10956
- C:\Windows\System\KNuqMfU.exe
  C:\Windows\System\KNuqMfU.exe
  2⤵
  PID:11004
- C:\Windows\System\soywDYq.exe
  C:\Windows\System\soywDYq.exe
  2⤵
  PID:11036
- C:\Windows\System\HaasqwF.exe
  C:\Windows\System\HaasqwF.exe
  2⤵
  PID:11056
- C:\Windows\System\LOjclOf.exe
  C:\Windows\System\LOjclOf.exe
  2⤵
  PID:11104
- C:\Windows\System\PKlDSKG.exe
  C:\Windows\System\PKlDSKG.exe
  2⤵
  PID:11128
- C:\Windows\System\BcNgQgQ.exe
  C:\Windows\System\BcNgQgQ.exe
  2⤵
  PID:11152
- C:\Windows\System\gIQHhwX.exe
  C:\Windows\System\gIQHhwX.exe
  2⤵
  PID:11172
- C:\Windows\System\nVKoEnj.exe
  C:\Windows\System\nVKoEnj.exe
  2⤵
  PID:11232
- C:\Windows\System\hcmWifY.exe
  C:\Windows\System\hcmWifY.exe
  2⤵
  PID:11256
- C:\Windows\System\oeDdtDE.exe
  C:\Windows\System\oeDdtDE.exe
  2⤵
  PID:10244
- C:\Windows\System\pBmbfkS.exe
  C:\Windows\System\pBmbfkS.exe
  2⤵
  PID:10296
- C:\Windows\System\zrrpCkp.exe
  C:\Windows\System\zrrpCkp.exe
  2⤵
  PID:10372
- C:\Windows\System\dbAYFeV.exe
  C:\Windows\System\dbAYFeV.exe
  2⤵
  PID:10528
- C:\Windows\System\kumNsnF.exe
  C:\Windows\System\kumNsnF.exe
  2⤵
  PID:10540
- C:\Windows\System\vDNbjGD.exe
  C:\Windows\System\vDNbjGD.exe
  2⤵
  PID:10628
- C:\Windows\System\olyMrws.exe
  C:\Windows\System\olyMrws.exe
  2⤵
  PID:10640
- C:\Windows\System\zsXXvrq.exe
  C:\Windows\System\zsXXvrq.exe
  2⤵
  PID:10724
- C:\Windows\System\qISIDxW.exe
  C:\Windows\System\qISIDxW.exe
  2⤵
  PID:10756
- C:\Windows\System\YIejULi.exe
  C:\Windows\System\YIejULi.exe
  2⤵
  PID:10852
- C:\Windows\System\xTqNDFq.exe
  C:\Windows\System\xTqNDFq.exe
  2⤵
  PID:10952
- C:\Windows\System\EvYuZfm.exe
  C:\Windows\System\EvYuZfm.exe
  2⤵
  PID:11016
- C:\Windows\System\itdEWiq.exe
  C:\Windows\System\itdEWiq.exe
  2⤵
  PID:11028
- C:\Windows\System\VjNNEcO.exe
  C:\Windows\System\VjNNEcO.exe
  2⤵
  PID:11068
- C:\Windows\System\mZZZbrT.exe
  C:\Windows\System\mZZZbrT.exe
  2⤵
  PID:11140
- C:\Windows\System\UBGRJcO.exe
  C:\Windows\System\UBGRJcO.exe
  2⤵
  PID:11220
- C:\Windows\System\IqZKGpT.exe
  C:\Windows\System\IqZKGpT.exe
  2⤵
  PID:11240
- C:\Windows\System\cjwJbKl.exe
  C:\Windows\System\cjwJbKl.exe
  2⤵
  PID:10272
- C:\Windows\System\EzqxGSZ.exe
  C:\Windows\System\EzqxGSZ.exe
  2⤵
  PID:10568
- C:\Windows\System\NircWbz.exe
  C:\Windows\System\NircWbz.exe
  2⤵
  PID:10796
- C:\Windows\System\ctmfGVB.exe
  C:\Windows\System\ctmfGVB.exe
  2⤵
  PID:10908
- C:\Windows\System\TnlROHI.exe
  C:\Windows\System\TnlROHI.exe
  2⤵
  PID:10992
- C:\Windows\System\BabEIoy.exe
  C:\Windows\System\BabEIoy.exe
  2⤵
  PID:10196
- C:\Windows\System\ZuwhkSK.exe
  C:\Windows\System\ZuwhkSK.exe
  2⤵
  PID:9552
- C:\Windows\System\aRxvbpU.exe
  C:\Windows\System\aRxvbpU.exe
  2⤵
  PID:11096
- C:\Windows\System\mjDVktc.exe
  C:\Windows\System\mjDVktc.exe
  2⤵
  PID:10948
- C:\Windows\System\otHnaoi.exe
  C:\Windows\System\otHnaoi.exe
  2⤵
  PID:10788
- C:\Windows\System\mMsxcYT.exe
  C:\Windows\System\mMsxcYT.exe
  2⤵
  PID:11288
- C:\Windows\System\iGBuIqr.exe
  C:\Windows\System\iGBuIqr.exe
  2⤵
  PID:11304
- C:\Windows\System\ihVDcKM.exe
  C:\Windows\System\ihVDcKM.exe
  2⤵
  PID:11324
- C:\Windows\System\dWOmMIF.exe
  C:\Windows\System\dWOmMIF.exe
  2⤵
  PID:11348
- C:\Windows\System\tHJhSbS.exe
  C:\Windows\System\tHJhSbS.exe
  2⤵
  PID:11372
- C:\Windows\System\DVYEMTR.exe
  C:\Windows\System\DVYEMTR.exe
  2⤵
  PID:11396
- C:\Windows\System\BTxlCJY.exe
  C:\Windows\System\BTxlCJY.exe
  2⤵
  PID:11412
- C:\Windows\System\JAMUTRu.exe
  C:\Windows\System\JAMUTRu.exe
  2⤵
  PID:11436
- C:\Windows\System\JyHFKOo.exe
  C:\Windows\System\JyHFKOo.exe
  2⤵
  PID:11460
- C:\Windows\System\hjGsCTV.exe
  C:\Windows\System\hjGsCTV.exe
  2⤵
  PID:11480
- C:\Windows\System\fzLbyYU.exe
  C:\Windows\System\fzLbyYU.exe
  2⤵
  PID:11544
- C:\Windows\System\qPnqjqx.exe
  C:\Windows\System\qPnqjqx.exe
  2⤵
  PID:11580
- C:\Windows\System\NCXojQZ.exe
  C:\Windows\System\NCXojQZ.exe
  2⤵
  PID:11596
- C:\Windows\System\mqAGUtf.exe
  C:\Windows\System\mqAGUtf.exe
  2⤵
  PID:11616
- C:\Windows\System\FxHGPiq.exe
  C:\Windows\System\FxHGPiq.exe
  2⤵
  PID:11632
- C:\Windows\System\YiyHsyy.exe
  C:\Windows\System\YiyHsyy.exe
  2⤵
  PID:11656
- C:\Windows\System\tgRVrll.exe
  C:\Windows\System\tgRVrll.exe
  2⤵
  PID:11692
- C:\Windows\System\wdrgxSJ.exe
  C:\Windows\System\wdrgxSJ.exe
  2⤵
  PID:11720
- C:\Windows\System\KXduRfg.exe
  C:\Windows\System\KXduRfg.exe
  2⤵
  PID:11740
- C:\Windows\System\NFiFNNK.exe
  C:\Windows\System\NFiFNNK.exe
  2⤵
  PID:11760
- C:\Windows\System\DzpOpUp.exe
  C:\Windows\System\DzpOpUp.exe
  2⤵
  PID:11784
- C:\Windows\System\ZIqBQJG.exe
  C:\Windows\System\ZIqBQJG.exe
  2⤵
  PID:11804
- C:\Windows\System\qXKFxWW.exe
  C:\Windows\System\qXKFxWW.exe
  2⤵
  PID:11820
- C:\Windows\System\aCNKcWY.exe
  C:\Windows\System\aCNKcWY.exe
  2⤵
  PID:11840
- C:\Windows\System\VFaOEvS.exe
  C:\Windows\System\VFaOEvS.exe
  2⤵
  PID:11860
- C:\Windows\System\heqeLyh.exe
  C:\Windows\System\heqeLyh.exe
  2⤵
  PID:11936
- C:\Windows\System\LkPRCPd.exe
  C:\Windows\System\LkPRCPd.exe
  2⤵
  PID:12008
- C:\Windows\System\XpIiWhs.exe
  C:\Windows\System\XpIiWhs.exe
  2⤵
  PID:12036
- C:\Windows\System\kUkyPBN.exe
  C:\Windows\System\kUkyPBN.exe
  2⤵
  PID:12060
- C:\Windows\System\BynaxRG.exe
  C:\Windows\System\BynaxRG.exe
  2⤵
  PID:12104
- C:\Windows\System\GCqyZzD.exe
  C:\Windows\System\GCqyZzD.exe
  2⤵
  PID:12144
- C:\Windows\System\ZFWizMG.exe
  C:\Windows\System\ZFWizMG.exe
  2⤵
  PID:12168
- C:\Windows\System\MAfgSCM.exe
  C:\Windows\System\MAfgSCM.exe
  2⤵
  PID:12188
- C:\Windows\System\qwgxbPS.exe
  C:\Windows\System\qwgxbPS.exe
  2⤵
  PID:12208
- C:\Windows\System\LhuWaav.exe
  C:\Windows\System\LhuWaav.exe
  2⤵
  PID:12244
- C:\Windows\System\jijCMpc.exe
  C:\Windows\System\jijCMpc.exe
  2⤵
  PID:12284
- C:\Windows\System\BTAcSaZ.exe
  C:\Windows\System\BTAcSaZ.exe
  2⤵
  PID:10408
- C:\Windows\System\dVcQODf.exe
  C:\Windows\System\dVcQODf.exe
  2⤵
  PID:11344
- C:\Windows\System\ZBjsJJP.exe
  C:\Windows\System\ZBjsJJP.exe
  2⤵
  PID:11364
- C:\Windows\System\qQUmizC.exe
  C:\Windows\System\qQUmizC.exe
  2⤵
  PID:11420
- C:\Windows\System\XvtHgpa.exe
  C:\Windows\System\XvtHgpa.exe
  2⤵
  PID:11524
- C:\Windows\System\wmLsgLS.exe
  C:\Windows\System\wmLsgLS.exe
  2⤵
  PID:11648
- C:\Windows\System\nWiHQfy.exe
  C:\Windows\System\nWiHQfy.exe
  2⤵
  PID:11592
- C:\Windows\System\SezzrUp.exe
  C:\Windows\System\SezzrUp.exe
  2⤵
  PID:11728
- C:\Windows\System\noOPGrA.exe
  C:\Windows\System\noOPGrA.exe
  2⤵
  PID:11812
- C:\Windows\System\urrXAqN.exe
  C:\Windows\System\urrXAqN.exe
  2⤵
  PID:11732
- C:\Windows\System\WvFhucU.exe
  C:\Windows\System\WvFhucU.exe
  2⤵
  PID:11900
- C:\Windows\System\USsCKkM.exe
  C:\Windows\System\USsCKkM.exe
  2⤵
  PID:11960
- C:\Windows\System\rSYIyqG.exe
  C:\Windows\System\rSYIyqG.exe
  2⤵
  PID:12028
- C:\Windows\System\vOcSVUK.exe
  C:\Windows\System\vOcSVUK.exe
  2⤵
  PID:12084
- C:\Windows\System\IYULTwY.exe
  C:\Windows\System\IYULTwY.exe
  2⤵
  PID:12176
- C:\Windows\System\FbRmZhw.exe
  C:\Windows\System\FbRmZhw.exe
  2⤵
  PID:12220
- C:\Windows\System\GcLiPBC.exe
  C:\Windows\System\GcLiPBC.exe
  2⤵
  PID:12272
- C:\Windows\System\dQtozab.exe
  C:\Windows\System\dQtozab.exe
  2⤵
  PID:11296
- C:\Windows\System\IIyHJiC.exe
  C:\Windows\System\IIyHJiC.exe
  2⤵
  PID:11496
- C:\Windows\System\raponiI.exe
  C:\Windows\System\raponiI.exe
  2⤵
  PID:11668
- C:\Windows\System\kuZPlbm.exe
  C:\Windows\System\kuZPlbm.exe
  2⤵
  PID:11608
- C:\Windows\System\gvNJfmV.exe
  C:\Windows\System\gvNJfmV.exe
  2⤵
  PID:11736
- C:\Windows\System\ZKUCkzq.exe
  C:\Windows\System\ZKUCkzq.exe
  2⤵
  PID:12092
- C:\Windows\System\ZgfYGUj.exe
  C:\Windows\System\ZgfYGUj.exe
  2⤵
  PID:12140
- C:\Windows\System\eQhXvzO.exe
  C:\Windows\System\eQhXvzO.exe
  2⤵
  PID:12264
- C:\Windows\System\pQPytIe.exe
  C:\Windows\System\pQPytIe.exe
  2⤵
  PID:11392
- C:\Windows\System\IEzSQal.exe
  C:\Windows\System\IEzSQal.exe
  2⤵
  PID:11828
- C:\Windows\System\zNSRGil.exe
  C:\Windows\System\zNSRGil.exe
  2⤵
  PID:12292
- C:\Windows\System\UChqtAE.exe
  C:\Windows\System\UChqtAE.exe
  2⤵
  PID:12436
- C:\Windows\System\lOHYdeu.exe
  C:\Windows\System\lOHYdeu.exe
  2⤵
  PID:12456
- C:\Windows\System\YTrbVmC.exe
  C:\Windows\System\YTrbVmC.exe
  2⤵
  PID:12552
- C:\Windows\System\sscObUH.exe
  C:\Windows\System\sscObUH.exe
  2⤵
  PID:12588
- C:\Windows\System\DLjnJXD.exe
  C:\Windows\System\DLjnJXD.exe
  2⤵
  PID:12616
- C:\Windows\System\dbDmXPU.exe
  C:\Windows\System\dbDmXPU.exe
  2⤵
  PID:12636
- C:\Windows\System\LLZDHfF.exe
  C:\Windows\System\LLZDHfF.exe
  2⤵
  PID:12668
- C:\Windows\System\vqvrEXJ.exe
  C:\Windows\System\vqvrEXJ.exe
  2⤵
  PID:12688
- C:\Windows\System\GMVGgzr.exe
  C:\Windows\System\GMVGgzr.exe
  2⤵
  PID:12724
- C:\Windows\System\kummeGp.exe
  C:\Windows\System\kummeGp.exe
  2⤵
  PID:12744
- C:\Windows\System\bFTrMcf.exe
  C:\Windows\System\bFTrMcf.exe
  2⤵
  PID:12804
- C:\Windows\System\kLLBpny.exe
  C:\Windows\System\kLLBpny.exe
  2⤵
  PID:12828
- C:\Windows\System\koDyuHF.exe
  C:\Windows\System\koDyuHF.exe
  2⤵
  PID:12864
- C:\Windows\System\gnJLAIU.exe
  C:\Windows\System\gnJLAIU.exe
  2⤵
  PID:12892
- C:\Windows\System\uDQnmiT.exe
  C:\Windows\System\uDQnmiT.exe
  2⤵
  PID:12916
- C:\Windows\System\RAkElGx.exe
  C:\Windows\System\RAkElGx.exe
  2⤵
  PID:12940
- C:\Windows\System\czQTaxF.exe
  C:\Windows\System\czQTaxF.exe
  2⤵
  PID:12976
- C:\Windows\System\Omjfvex.exe
  C:\Windows\System\Omjfvex.exe
  2⤵
  PID:13000
- C:\Windows\System\ARFeDdv.exe
  C:\Windows\System\ARFeDdv.exe
  2⤵
  PID:13020
- C:\Windows\System\ttnbzxM.exe
  C:\Windows\System\ttnbzxM.exe
  2⤵
  PID:13044
- C:\Windows\System\ZeGQKuu.exe
  C:\Windows\System\ZeGQKuu.exe
  2⤵
  PID:13084
- C:\Windows\System\GVairRu.exe
  C:\Windows\System\GVairRu.exe
  2⤵
  PID:13108
- C:\Windows\System\mEPUurI.exe
  C:\Windows\System\mEPUurI.exe
  2⤵
  PID:13136
- C:\Windows\System\NPCkiJZ.exe
  C:\Windows\System\NPCkiJZ.exe
  2⤵
  PID:13156
- C:\Windows\System\qxlznxX.exe
  C:\Windows\System\qxlznxX.exe
  2⤵
  PID:13180
- C:\Windows\System\xbDvBak.exe
  C:\Windows\System\xbDvBak.exe
  2⤵
  PID:13204
- C:\Windows\System\pmpJKnH.exe
  C:\Windows\System\pmpJKnH.exe
  2⤵
  PID:13228
- C:\Windows\System\XXLStQY.exe
  C:\Windows\System\XXLStQY.exe
  2⤵
  PID:13248
- C:\Windows\System\ckTWXsc.exe
  C:\Windows\System\ckTWXsc.exe
  2⤵
  PID:13272
- C:\Windows\System\quySquJ.exe
  C:\Windows\System\quySquJ.exe
  2⤵
  PID:13304
- C:\Windows\System\fBYlxzD.exe
  C:\Windows\System\fBYlxzD.exe
  2⤵
  PID:12336
- C:\Windows\System\lliVsHa.exe
  C:\Windows\System\lliVsHa.exe
  2⤵
  PID:12392
- C:\Windows\System\DtaiYiB.exe
  C:\Windows\System\DtaiYiB.exe
  2⤵
  PID:12412
- C:\Windows\System\qguHTkq.exe
  C:\Windows\System\qguHTkq.exe
  2⤵
  PID:12452
- C:\Windows\System\nUtPTcG.exe
  C:\Windows\System\nUtPTcG.exe
  2⤵
  PID:12480
- C:\Windows\System\jVNsmoo.exe
  C:\Windows\System\jVNsmoo.exe
  2⤵
  PID:12488
- C:\Windows\System\bzGLzzf.exe
  C:\Windows\System\bzGLzzf.exe
  2⤵
  PID:12476
- C:\Windows\System\MriyDfi.exe
  C:\Windows\System\MriyDfi.exe
  2⤵
  PID:12520
- C:\Windows\System\HpUWgLg.exe
  C:\Windows\System\HpUWgLg.exe
  2⤵
  PID:12580
- C:\Windows\System\XkJYXxU.exe
  C:\Windows\System\XkJYXxU.exe
  2⤵
  PID:12664
- C:\Windows\System\WhIOpMO.exe
  C:\Windows\System\WhIOpMO.exe
  2⤵
  PID:12756
- C:\Windows\System\nmNVxBp.exe
  C:\Windows\System\nmNVxBp.exe
  2⤵
  PID:12796
- C:\Windows\System\ArlewIS.exe
  C:\Windows\System\ArlewIS.exe
  2⤵
  PID:12860
- C:\Windows\System\ZGnelBz.exe
  C:\Windows\System\ZGnelBz.exe
  2⤵
  PID:12984
- C:\Windows\System\GYEARhO.exe
  C:\Windows\System\GYEARhO.exe
  2⤵
  PID:12992
- C:\Windows\System\tZRRsfA.exe
  C:\Windows\System\tZRRsfA.exe
  2⤵
  PID:13064
- C:\Windows\System\abYJJcM.exe
  C:\Windows\System\abYJJcM.exe
  2⤵
  PID:13168
- C:\Windows\System\WlmYCZH.exe
  C:\Windows\System\WlmYCZH.exe
  2⤵
  PID:13172
- C:\Windows\System\aHyaaVy.exe
  C:\Windows\System\aHyaaVy.exe
  2⤵
  PID:11852
- C:\Windows\System\bLDKtsz.exe
  C:\Windows\System\bLDKtsz.exe
  2⤵
  PID:11284
- C:\Windows\System\wuRpAsd.exe
  C:\Windows\System\wuRpAsd.exe
  2⤵
  PID:12432
- C:\Windows\System\XDTBiTo.exe
  C:\Windows\System\XDTBiTo.exe
  2⤵
  PID:12568
- C:\Windows\System\OrDwqzc.exe
  C:\Windows\System\OrDwqzc.exe
  2⤵
  PID:12600
- C:\Windows\System\vkMdjfb.exe
  C:\Windows\System\vkMdjfb.exe
  2⤵
  PID:12696
- C:\Windows\System\mivjkoF.exe
  C:\Windows\System\mivjkoF.exe
  2⤵
  PID:12844
- C:\Windows\System\dcUsZQE.exe
  C:\Windows\System\dcUsZQE.exe
  2⤵
  PID:12972
- C:\Windows\System\fEKqEgV.exe
  C:\Windows\System\fEKqEgV.exe
  2⤵
  PID:13036
- C:\Windows\System\ghcUpRX.exe
  C:\Windows\System\ghcUpRX.exe
  2⤵
  PID:13132
- C:\Windows\System\HEVSSfk.exe
  C:\Windows\System\HEVSSfk.exe
  2⤵
  PID:12156
- C:\Windows\System\tVEoCPb.exe
  C:\Windows\System\tVEoCPb.exe
  2⤵
  PID:11196
- C:\Windows\System\NuVGklr.exe
  C:\Windows\System\NuVGklr.exe
  2⤵
  PID:12584
- C:\Windows\System\RNrUxHT.exe
  C:\Windows\System\RNrUxHT.exe
  2⤵
  PID:1884
- C:\Windows\System\JawwAOs.exe
  C:\Windows\System\JawwAOs.exe
  2⤵
  PID:12088
- C:\Windows\System\FdFNazy.exe
  C:\Windows\System\FdFNazy.exe
  2⤵
  PID:13224
- C:\Windows\System\vSrnJIt.exe
  C:\Windows\System\vSrnJIt.exe
  2⤵
  PID:12596
- C:\Windows\System\SSljUAe.exe
  C:\Windows\System\SSljUAe.exe
  2⤵
  PID:7904
- C:\Windows\System\SsjWxeX.exe
  C:\Windows\System\SsjWxeX.exe
  2⤵
  PID:13364
- C:\Windows\System\yczZpQR.exe
  C:\Windows\System\yczZpQR.exe
  2⤵
  PID:13388
- C:\Windows\System\ironEqi.exe
  C:\Windows\System\ironEqi.exe
  2⤵
  PID:13416
- C:\Windows\System\AogkFXP.exe
  C:\Windows\System\AogkFXP.exe
  2⤵
  PID:13444
- C:\Windows\System\aIytkjQ.exe
  C:\Windows\System\aIytkjQ.exe
  2⤵
  PID:13476
- C:\Windows\System\sBSThoS.exe
  C:\Windows\System\sBSThoS.exe
  2⤵
  PID:13500
- C:\Windows\System\UDFHRst.exe
  C:\Windows\System\UDFHRst.exe
  2⤵
  PID:13524
- C:\Windows\System\ispZjUT.exe
  C:\Windows\System\ispZjUT.exe
  2⤵
  PID:13540
- C:\Windows\System\kptqBlS.exe
  C:\Windows\System\kptqBlS.exe
  2⤵
  PID:13560
- C:\Windows\System\kipAxDT.exe
  C:\Windows\System\kipAxDT.exe
  2⤵
  PID:13592
- C:\Windows\System\KGfpZdH.exe
  C:\Windows\System\KGfpZdH.exe
  2⤵
  PID:13644
- C:\Windows\System\mVkDHXB.exe
  C:\Windows\System\mVkDHXB.exe
  2⤵
  PID:13664
- C:\Windows\System\BEZJtki.exe
  C:\Windows\System\BEZJtki.exe
  2⤵
  PID:13692
- C:\Windows\System\ozCHzYB.exe
  C:\Windows\System\ozCHzYB.exe
  2⤵
  PID:13708
- C:\Windows\System\ArFlsAh.exe
  C:\Windows\System\ArFlsAh.exe
  2⤵
  PID:13728
- C:\Windows\System\bntrFnL.exe
  C:\Windows\System\bntrFnL.exe
  2⤵
  PID:13812
- C:\Windows\System\ahTRjva.exe
  C:\Windows\System\ahTRjva.exe
  2⤵
  PID:13832
- C:\Windows\System\yiqMPpK.exe
  C:\Windows\System\yiqMPpK.exe
  2⤵
  PID:13852
- C:\Windows\System\DpGDTRs.exe
  C:\Windows\System\DpGDTRs.exe
  2⤵
  PID:13872
- C:\Windows\System\gUrvESK.exe
  C:\Windows\System\gUrvESK.exe
  2⤵
  PID:13928
- C:\Windows\System\WFEokeg.exe
  C:\Windows\System\WFEokeg.exe
  2⤵
  PID:13944
- C:\Windows\System\GrbWNSA.exe
  C:\Windows\System\GrbWNSA.exe
  2⤵
  PID:13968
- C:\Windows\System\YgCnotj.exe
  C:\Windows\System\YgCnotj.exe
  2⤵
  PID:13988
- C:\Windows\System\ALAILAc.exe
  C:\Windows\System\ALAILAc.exe
  2⤵
  PID:14008
- C:\Windows\System\HPdZcLR.exe
  C:\Windows\System\HPdZcLR.exe
  2⤵
  PID:14036
- C:\Windows\System\fWHBXYk.exe
  C:\Windows\System\fWHBXYk.exe
  2⤵
  PID:14052
- C:\Windows\System\ygtgEyg.exe
  C:\Windows\System\ygtgEyg.exe
  2⤵
  PID:14076
- C:\Windows\System\BwuieIr.exe
  C:\Windows\System\BwuieIr.exe
  2⤵
  PID:14124
- C:\Windows\System\jFbCpiw.exe
  C:\Windows\System\jFbCpiw.exe
  2⤵
  PID:14164
- C:\Windows\System\slUVWNr.exe
  C:\Windows\System\slUVWNr.exe
  2⤵
  PID:14188
- C:\Windows\System\NUjKBOx.exe
  C:\Windows\System\NUjKBOx.exe
  2⤵
  PID:14212
- C:\Windows\System\REYjfPr.exe
  C:\Windows\System\REYjfPr.exe
  2⤵
  PID:14236
- C:\Windows\System\gOmICKp.exe
  C:\Windows\System\gOmICKp.exe
  2⤵
  PID:14252
- C:\Windows\System\NVlJHiw.exe
  C:\Windows\System\NVlJHiw.exe
  2⤵
  PID:14272
- C:\Windows\System\IALHEiK.exe
  C:\Windows\System\IALHEiK.exe
  2⤵
  PID:14296
- C:\Windows\System\PuasNPs.exe
  C:\Windows\System\PuasNPs.exe
  2⤵
  PID:14316
- C:\Windows\System\QewxDkY.exe
  C:\Windows\System\QewxDkY.exe
  2⤵
  PID:13372
- C:\Windows\System\vNmLNsj.exe
  C:\Windows\System\vNmLNsj.exe
  2⤵
  PID:13436
- C:\Windows\System\qZRMFfr.exe
  C:\Windows\System\qZRMFfr.exe
  2⤵
  PID:13508
- C:\Windows\System\kDKumqG.exe
  C:\Windows\System\kDKumqG.exe
  2⤵
  PID:13608
- C:\Windows\System\tSJtqJo.exe
  C:\Windows\System\tSJtqJo.exe
  2⤵
  PID:13656
- C:\Windows\System\BgADrFc.exe
  C:\Windows\System\BgADrFc.exe
  2⤵
  PID:13724
- C:\Windows\System\zniaAJv.exe
  C:\Windows\System\zniaAJv.exe
  2⤵
  PID:13804
- C:\Windows\System\iAsbycf.exe
  C:\Windows\System\iAsbycf.exe
  2⤵
  PID:13888
- C:\Windows\System\ADKmhdS.exe
  C:\Windows\System\ADKmhdS.exe
  2⤵
  PID:13936
- C:\Windows\System\DQYgiUI.exe
  C:\Windows\System\DQYgiUI.exe
  2⤵
  PID:14060
- C:\Windows\System\yqpHRhN.exe
  C:\Windows\System\yqpHRhN.exe
  2⤵
  PID:14004
- C:\Windows\System\tRSiKTV.exe
  C:\Windows\System\tRSiKTV.exe
  2⤵
  PID:14172
- C:\Windows\System\xkPpEcm.exe
  C:\Windows\System\xkPpEcm.exe
  2⤵
  PID:14204
- C:\Windows\System\fBjnKCj.exe
  C:\Windows\System\fBjnKCj.exe
  2⤵
  PID:14248
- C:\Windows\System\lCvTxwP.exe
  C:\Windows\System\lCvTxwP.exe
  2⤵
  PID:14308
- C:\Windows\System\hWQNtYC.exe
  C:\Windows\System\hWQNtYC.exe
  2⤵
  PID:13408
- C:\Windows\System\aPYPYkW.exe
  C:\Windows\System\aPYPYkW.exe
  2⤵
  PID:13400
- C:\Windows\System\GXyeIoy.exe
  C:\Windows\System\GXyeIoy.exe
  2⤵
  PID:13672
- C:\Windows\System\fnYLMyT.exe
  C:\Windows\System\fnYLMyT.exe
  2⤵
  PID:13628
- C:\Windows\System\CUbUvim.exe
  C:\Windows\System\CUbUvim.exe
  2⤵
  PID:13956
- C:\Windows\System\VXEBJXO.exe
  C:\Windows\System\VXEBJXO.exe
  2⤵
  PID:13332
- C:\Windows\System\KfgGRvD.exe
  C:\Windows\System\KfgGRvD.exe
  2⤵
  PID:13720

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4020
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5740

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5576

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7780

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
PID:11248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7476

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2016

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14096

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11572

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7164

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MS6XK32D\microsoft.windows[1].xml

Filesize
97B

MD5
7f3bec2ea3dd9544194bf0f38222acbf

SHA1
a02fd5379f0f96d29272716f6b91e4cdd06f5fd7

SHA256
fe71b3f76715a00a50e647221b24d0591ffed9b384f078c7dddbadcbaf8a1ce9

SHA512
eac9b0d373aeabc3c8b554d82ee123d90ef61fa4186291f1c41412237bdb725da79d1fc2adda0547e0c1936f535cdd458a166e134ce535e9450060ce7c5b36eb

Download Submit
C:\Windows\System\DxPHkVA.exe

Filesize
1.3MB

MD5
d9e45e04cd19ebd6eeb62dfdb68b70de

SHA1
980528439e9c95dd956c3480b43be796cc557896

SHA256
706e275e7b03442af101d1d3a456badb962a9cb7a1a9a2e0b7f89dcf789d31a4

SHA512
749a1bbbd6f36b85cedb117ee48f2902f6bbcc30473101f2e3e9689fc2cb239e6dabf6d727e79d47037cf9e8789ecb781dce4b9910404b49b17e2e15fd19a79f

Download Submit
C:\Windows\System\FtqIeVJ.exe

Filesize
1.3MB

MD5
d0b851b0f03a1bb507ecedda43eb8d62

SHA1
357256f0b59d4551700bf7277511c7d8ab3edc9b

SHA256
eb64344d66bf90091784ae13cdce3af9b6a951385f259d1170a8d47910447072

SHA512
b0329830a0cad044268d21f5f59e005baf85b2c4a12ba08da40a6a8e825065f13d59ed8dca6cd0f274e3c1a3cae0068867e69b7c706e85951205b991d9cb33d9

Download Submit
C:\Windows\System\FuStvam.exe

Filesize
1.3MB

MD5
633596ee46ee4f400c065fbfa4a6d1d3

SHA1
2013570a245be070c9701e3ef69190a36349f7d5

SHA256
4d1cd913dfbcdc9a48b8180ddf34687ac4d43a6ecc985e8d38cb9bc22ef64e3e

SHA512
23d78a567ceb5e633f5d2e2688cc6e302f397369d5d4b333f4b1e43de289003b31faee914ca774dd3529ffab7e45740b386681a53d89435d788c7e7f4a607df9

Download Submit
C:\Windows\System\GTTpuFc.exe

Filesize
1.3MB

MD5
107dd642f4737b1e0a5850ea2d7187b5

SHA1
5b58d9c035cce76b9185bb0cd5f958e4d3993ae7

SHA256
5236f1bedfad5b38647b14e0f2c522b0ac2386a2aed9e73055105faddc4fa2fa

SHA512
55eef4643f7be6c693a91eeb3e964448da46aab46a8841f215efa4682076292fb8bdadc9036a73ca2c1629989908ef3d9f0d19638ca392e03c91065a7359f76b

Download Submit
C:\Windows\System\HcexuLC.exe

Filesize
1.3MB

MD5
4912d40e910462a58c3d404b7939ab00

SHA1
a7ecf5dd97c92cf7251ebe8b65cc2f854effde66

SHA256
9f2c8c93204e85b5d22d698d3562631443240b077cb20ec4997f2ba1f4cf1a18

SHA512
78f67ff8ff9f625a351aa994b7ffe28087aa6df4b2f3b93a9374599914bcf0690ca83d3d298b3ad0afcda23eb6c60cc73f9668d9918b3c6a6ab0691264a8f8ba

Download Submit
C:\Windows\System\NDFCNSa.exe

Filesize
1.3MB

MD5
ef44f4a2a98494297df796580a216a95

SHA1
32cd01ff6a8dd69cbf27d641d4b941c19897c5ba

SHA256
ac2b5444e4e4951bdab0cc225811bc65c608bd1023499e42f9b6ad2081a864f2

SHA512
9b175504bbbd6eb48f6544c45254b8b9108dbda6b0de59e52b38818905044540f0c37d9ce1082e4fb200f0efc227197c5f3edec48af7f2f5dc3e80988444ad9c

Download Submit
C:\Windows\System\OGdATZY.exe

Filesize
1.3MB

MD5
7f864dada7186b4ce26514d5f87cd6f9

SHA1
668a7435d5592ac2068cc36816ba77ab7787ee48

SHA256
0918db4999bd7da25c9d92d03406cd673f5618e5fd984be52fbb1f4bef237564

SHA512
9f019f328935c880a469300cce1865ce1afd92f494a05b3401e79a9a75f1979b70876ea0e842d6cb009dcb5555be9f8e3a3398d69e44ebd4f4ca2102890cb3a9

Download Submit
C:\Windows\System\PssygJA.exe

Filesize
1.3MB

MD5
e473552e437eca40d30a17fe54f6d576

SHA1
1a0b34038e6629c5cbe0b9f8165384babe0ad1ff

SHA256
d43d22d62618dd4a599e12fba1870b3523a6512460fbc58921559a977cc7730e

SHA512
d338c281d47e77475703c74c05b02be21429f2fe1bd4f0bd55b7d4add0425586b591c258483ce427044d335dbc048d38d72f49720678d4cef5ea947634d68859

Download Submit
C:\Windows\System\QXmXARP.exe

Filesize
1.3MB

MD5
b7a03c6cc23a0a711ecf682fcb6fcd33

SHA1
832c147f0de14a13b7ffc622cbb282c0186f225c

SHA256
3e00f7d632eef439ac16d41bff2a7f5874dfc182769f68bca99cc77793f23496

SHA512
e0a4f2c63e33ee13906b0fb8e1673a5a6112439e67968b67d79cf1d49eb3ba1c69d24f75d6939688b0b7bbc74533c104509fc58e3fc61220642458c0871cefee

Download Submit
C:\Windows\System\RWmtliy.exe

Filesize
1.3MB

MD5
edd2769e919eabd1a067ccf635c900f2

SHA1
975498aa439f8638b3ccd105a9fc7af89c8cde9c

SHA256
8bc665dd86d9cad57ecd62894b1a02f860bea4be718c636f6de68dd690db0400

SHA512
c25bd2ad531bdbab33c16fab42da59acf50ba693f5548c967cbe673d8ef16bbe6879ed1b21f5599c10bb0542ad7ecb1b1a949fd886035262a4c52fed932086cc

Download Submit
C:\Windows\System\STiobRz.exe

Filesize
1.3MB

MD5
ef802b6958d31d906c95195ed60661d1

SHA1
e68017e2e2b455e7c5de51daeaf386b4c93ee2db

SHA256
b848aa112f81d4ce2bd0c1de21acfd1fd33b33fed7811916262daf1985719472

SHA512
9813458cf34b9a3fbbb12d4afadfbd0e4f8c5cbaba837bca9c00966be1b6a09109fd6dc757bc4339fa7942f1d040003e7f3a19fc5c056857ac9a0a117fb35331

Download Submit
C:\Windows\System\UHlQDwz.exe

Filesize
1.3MB

MD5
a2a42437f5debda8ec2013a159b4e58d

SHA1
71d8b9af1e4fa2639fdb85e63ed82234bd22f766

SHA256
c6abd3d55ca0834575231c26efbe368a5fa97faa874a1df4595143e4a76dffc7

SHA512
10a6c499e14c09aece0f00c7213b52c26a6c82f6adc80b8fea88f1ad02820dba673c903ae38573693691b87d953528dcd63a8a1e090542802bfa62b4bd3c8c25

Download Submit
C:\Windows\System\VAxcsgo.exe

Filesize
1.3MB

MD5
925b98fc9c1c9f3fa3c748d9ea0d624c

SHA1
321c5c734582e2774a27dacf9ba6f745c1910b19

SHA256
50cbdf4e506416e5399ae193757e509c783289387555cb39ccd21f3717331da2

SHA512
c2d7b2ed33426eb59c6b43ec16d9c737c71a2ce7a5968c1c7cc2761fdbe683f1f198fc5376d97fb62da036c16231957caf10b0a57982fc4213ff33ff9562aa1d

Download Submit
C:\Windows\System\VBWbhhs.exe

Filesize
1.3MB

MD5
a5df0bc387d5fe97c85bd2ee00433e4c

SHA1
1048c4b5d819ce3f7e8ef2eb6bbad29a3f58af12

SHA256
094e49187faa2a57b6f544dc104e19127b7318c4f8c9231e48ef9c1d53684fa3

SHA512
a1d4d868b4b57ebce9980a8a905efb187671d384835eb0e7feb7326ebd4055bd718c3934a6b62efd27d44ea7f45ae56640c81384b7ce306a75e7b558b685b021

Download Submit
C:\Windows\System\VXMUJQc.exe

Filesize
1.3MB

MD5
27c3dd97200965df475078069418361e

SHA1
e48c28934da7412d8f41fe44e9359f3e4ed042fd

SHA256
5d67c6b81cbe18f8296a3c05221fa2c812cf0db2e44d5748c41a1e36bf57ed78

SHA512
9cfafaf1514af09e60a70023fa31f83ae62530223a42fe9a00379f5dbd74f1f77a8bad8b50d4e91b435b465dc08b79ee4c7c1fb1f248022a4b3a6f676bd97c27

Download Submit
C:\Windows\System\WmWrUBR.exe

Filesize
1.3MB

MD5
006599c5344b0c1bb65a3c0454f310a8

SHA1
8f29a01f7dcf59f27846fd130eda4da3bb9e4d17

SHA256
a797bedb0ba272608c12ea4d90c7c1a98f65b2c88c31ba98bd10fe152f791021

SHA512
24acb6a909d48643a1b19a6f2dfa8c119d0dd21be7b9f144d31d9ba2a2f875da8dec3349d08f24bf7d578740690fad99a8ddee3541bde7d41662de391f30755b

Download Submit
C:\Windows\System\ZFzjvap.exe

Filesize
1.3MB

MD5
77161e9af7b3b27a2b8262a7d4506945

SHA1
a0df75200f2887f8d30f045eb75aed0d6f65063f

SHA256
57dceb9f5b42dcacda171169e91781a6d5687e4e55337f18a310e04b739ea4f6

SHA512
f542a3ee25d1d8e2eaef761b67bddbb7596f828c7e92dea6baa6375e4eabc3f59767e282950f8afbd89a960229a1b5a15aa55acb78d6a5874152556763990652

Download Submit
C:\Windows\System\ZcUAtbB.exe

Filesize
1.3MB

MD5
c25c8eb35c307274d6d08f24160f7e97

SHA1
5f74230d4aab78f74a48693b32577939f5dbaa09

SHA256
1c33b2ab2cbae5468c2552eab008e691ed08099cb78948f3e6288faa09d984bd

SHA512
e3624b8c28567d06e5c6fac07d0cb5c3589e189fb2b4087d0d104385c7a5925f9b4b4ee9fd1eb79e5dd0155fc654433a27a2c13213a47574ec79ee02d6313158

Download Submit
C:\Windows\System\ZylEHdH.exe

Filesize
1.3MB

MD5
777c23ad95ad16ba96a72d780fbda62e

SHA1
a224c9ef9ce60c45cd1b1a8aa5437a60bdd18ce4

SHA256
f15d726793c56f4141e17c95cfbd3089153ccc6285203eefe4bb0d091973b9c1

SHA512
488c1773f3d1d6b1d3f8832a838f54f4aed04f34c7ce8dda96376a6800415b7279ec5927ec58397fd23b226818f72d0f3ac56ea43b121024863c839c2e8bf72e

Download Submit
C:\Windows\System\bDQKhxL.exe

Filesize
1.3MB

MD5
c33b8e2cdd60650bf6fc99e8edd24511

SHA1
803ec629b27ce1f3739b86c34c4a86412d406d3f

SHA256
8a1f7ef74826d1be32e2d3f16f3d685b2aeec1078136c707c15561d7a034a340

SHA512
e014f6d10de0e8edf7b98b8b59568836559cc78ba4c1a1d9e05087edfa4e798b0266fb138dc080a9468a69c44840194e6c82b507026286326a4a1b0a815f279d

Download Submit
C:\Windows\System\cLrhOEN.exe

Filesize
1.3MB

MD5
ef6a0cbf8516737875b51539457cafac

SHA1
11954c86b162fa6e91a6189be7e3eb13e234f433

SHA256
559397e3c121ceebd3d9a84a6eff4791a20eb1368d3d0cda88304f4cf2c523e8

SHA512
8d7fb76f14d674d0799e9376e8da289b7f5dd118863b2657f221c6f3f591de6675327d792d5ceda0804b37c48ef422ed2fb6487ecd0832fddda2b0e9aba5afcf

Download Submit
C:\Windows\System\ckaCHOB.exe

Filesize
1.3MB

MD5
6743e5eed0ea2fdc7eae1da284111308

SHA1
217f7ea7a08ab59c6f1fb0ca68053e7a701df4a7

SHA256
c9f9a1683b9765363369479aa41a4d54df900508f529299486d759c9c9181d83

SHA512
a0724c8165ac9376491e3f2f4634847fec356ab87224d4373ac78408bae90b937a96bf227f84b6c9d3f77659c220de093119ab83bf4456043b62c2e63b4d9026

Download Submit
C:\Windows\System\dcuCknp.exe

Filesize
1.3MB

MD5
c7880b6ec1bd898fc4ec555e10391475

SHA1
0d8b73854984b7c072fd349523a00ca76e18fc77

SHA256
0c8c129b5e6a2624edf66dbed5e09a73dc71ee0488030ba7389b731f50220536

SHA512
b01788eaa5a21f93bd485dc0407697ff4e67d9ddc447cd803e4cf699609c1425e547891a32802433f5030d2b7c5dacfba036776ebbe5eb586dcbcd90d2ae2601

Download Submit
C:\Windows\System\fEKxSpX.exe

Filesize
1.3MB

MD5
a291efaeccdcb632c6d7d21e4f394195

SHA1
a4d395e1f3561cfe369d20c148d433b42d7673b9

SHA256
9597a6dd3e388b9b94322d92a00f344e56228a3ba052f222550a74276b149327

SHA512
0c04b232c0420d3274b823524e50a3c33a442dfad970c8d197a3fe1c4e36b3f631b1e3a8e621c9cedce5563241dbaf4dde49d31ab57e64575b49a4697a3a5f45

Download Submit
C:\Windows\System\gBpwLIV.exe

Filesize
1.3MB

MD5
e3f8e7b9de0a54093b2a2bdebed45492

SHA1
c1cc15df2ff5298e1902f796cf1e735cac32fdc5

SHA256
500a69fc517bb2ed6dd93a827fe2f0900d1eeafe086fde7cdf81b532c6818606

SHA512
3cdb4a964c70a359c9308a7b594619b8eb7f567c4b3ded11a5ee05d0eb407eb54d39287445b627896619309b02fb595c07b724e5dd99041b0c73456c7aa47418

Download Submit
C:\Windows\System\iSdoBWE.exe

Filesize
1.3MB

MD5
e577db68e9e869c70d642c1fe9febcfe

SHA1
1e2c3fd51e68b965fd67649bf5eec228ccc183a4

SHA256
d8470f6ca4b3365e51eec1e7fa83f9b24748440de0ef0e4bfff4c30ff857ef28

SHA512
6eb5a861eb0d2b70ebc3042eee8f3fb52fd0b0843368dd89c9f3e544d76f45aae5293a9c92b7531e704b3a42c61b703dac47c94f4dd16b35d4e4e6e5cc10c30c

Download Submit
C:\Windows\System\jnKCRpU.exe

Filesize
1.3MB

MD5
75f2c56a2cce864e5f92e149a5492247

SHA1
cf03e5c96ffb748324c02464988fd534a60caccc

SHA256
3ecbb0354a86e6df1ffca5bf29e7261323440bf264ab1d9d9c50d6cd966bee84

SHA512
9d4efc950b26c5b2beba4c79f2796a4bd81f1a149329f488c700c277c289aa662c4521036b0803d9a8bfa51ab80ac35004c322ff2e5c57c05af5931839ae958e

Download Submit
C:\Windows\System\pCAfuaY.exe

Filesize
1.3MB

MD5
954e9cf7031e353dfa6fac582a2e2f32

SHA1
008ec45c1e96a640ce190fb575cb773d9cc9114e

SHA256
674e550a61021c41a6a3a0eace78768f98b1eda0f3aeba933ec428e76461a58c

SHA512
8d043de1a01bd27f9d23cc4825d687ea117aa4598da1b784543043e4f5f57f9963de9ee46e9c193872a2643dec1c8ee46682a3e0ec4ff2ff750222bb492e8a60

Download Submit
C:\Windows\System\sNgxLXs.exe

Filesize
1.3MB

MD5
a476637db117bd77a37fd150d58c5a28

SHA1
e7b4682566c38df3b66eb295372ce68424aaa7ac

SHA256
863231baac2fa9b749bc2781714dc680d7c68183c1a5fc8c834ef9de4678ba8e

SHA512
ffbf1f7b6adbe3d68f81b9502230d4565138f7bb9de8c8ea5ed187bc053524e71f5b1ca27493c5c3d79d14f9c973320461569f235d2b0b0396516840809e64b0

Download Submit
C:\Windows\System\sciWLmQ.exe

Filesize
1.3MB

MD5
a701ce00bd8c7f322a9eacbd90f4aa1c

SHA1
b6d4eff3b424c300454e30f3755db7ba565cb519

SHA256
6a896ac41359a382c54e4d1788629e50d0fc9dd3b4d63c708c21855f9b07481a

SHA512
2fd03781714bf33f2ed93074b6c712e0bf7d5e1035849683fee116ac8843f588360952d6617d1626ab9e0a21b23cb1f5afcc4e4d7d824cde0878d270c9d58840

Download Submit
C:\Windows\System\wkqJWgg.exe

Filesize
1.3MB

MD5
01f899ea62b03605c1fa2e7c57d657fb

SHA1
99e7c1c4fb307420b3457224bd8bc92d7d602fe4

SHA256
e7ca742de0a398f9f0800d1aeb6b64d754ae025d789e49e4a74cd342161fdb86

SHA512
609760fb83cdff498bfc3095a0a86a61a82af4fe55660c8c8cde2be3757d3f1253e7d260b0864eab94615e912895c661be567c867d52085c498a0061ce682ddd

Download Submit
C:\Windows\System\yFLOEcL.exe

Filesize
1.3MB

MD5
1fe3eef304ae0807f89f191903eeecae

SHA1
a4c5ff8f9d478e2f15766b5baa02619b1dfb3ab2

SHA256
d39cf179a18efb6d89d51935251926a0a5c9eb72966bd6f2ba327791c17680a6

SHA512
daca6b9f9670281cf3878d6ee8608bce30b00d1051c206c4c3539cb6ee43a7a5e7a562cba42b8db4e887a8bcd44e8d9d51e7d5c6d28bb6cc6ecdfd6d35ba0ff4

Download Submit
C:\Windows\System\ypFCaGu.exe

Filesize
1.3MB

MD5
44e9a06d5c02853056fbbb33bf9b69cc

SHA1
737ec9dba7c9dfb247831b670587bb204d33fbc6

SHA256
43085e8e11b3deb72ba8f57cab340d3e126163cfec484d7765d4c90cc849a5fd

SHA512
62d5ff2d9b1d32736cc8193edc15146920c65b907ef2c8bd8587fc9bff0daec0b8e6a0081272ed76f2252b13c5e9d59c3f031a8b0a87915c90bde44ed0bdc655

Download Submit
memory/440-409-0x00007FF7893D0000-0x00007FF789721000-memory.dmp

Filesize
3.3MB

Download
memory/440-2286-0x00007FF7893D0000-0x00007FF789721000-memory.dmp

Filesize
3.3MB

Download
memory/664-416-0x00007FF63D3E0000-0x00007FF63D731000-memory.dmp

Filesize
3.3MB

Download
memory/664-2290-0x00007FF63D3E0000-0x00007FF63D731000-memory.dmp

Filesize
3.3MB

Download
memory/1296-2190-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp

Filesize
3.3MB

Download
memory/1296-2248-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp

Filesize
3.3MB

Download
memory/1296-28-0x00007FF61AB30000-0x00007FF61AE81000-memory.dmp

Filesize
3.3MB

Download
memory/1408-2242-0x00007FF660630000-0x00007FF660981000-memory.dmp

Filesize
3.3MB

Download
memory/1408-11-0x00007FF660630000-0x00007FF660981000-memory.dmp

Filesize
3.3MB

Download
memory/1928-2260-0x00007FF644630000-0x00007FF644981000-memory.dmp

Filesize
3.3MB

Download
memory/1928-341-0x00007FF644630000-0x00007FF644981000-memory.dmp

Filesize
3.3MB

Download
memory/2020-2244-0x00007FF69C670000-0x00007FF69C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2020-18-0x00007FF69C670000-0x00007FF69C9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-2280-0x00007FF6EECE0000-0x00007FF6EF031000-memory.dmp

Filesize
3.3MB

Download
memory/2188-394-0x00007FF6EECE0000-0x00007FF6EF031000-memory.dmp

Filesize
3.3MB

Download
memory/2392-2274-0x00007FF77E700000-0x00007FF77EA51000-memory.dmp

Filesize
3.3MB

Download
memory/2392-386-0x00007FF77E700000-0x00007FF77EA51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-318-0x00007FF714260000-0x00007FF7145B1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-2254-0x00007FF714260000-0x00007FF7145B1000-memory.dmp

Filesize
3.3MB

Download
memory/2512-2284-0x00007FF6251A0000-0x00007FF6254F1000-memory.dmp

Filesize
3.3MB

Download
memory/2512-405-0x00007FF6251A0000-0x00007FF6254F1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-2253-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp

Filesize
3.3MB

Download
memory/2744-455-0x00007FF6AA7F0000-0x00007FF6AAB41000-memory.dmp

Filesize
3.3MB

Download
memory/3024-436-0x00007FF6DE870000-0x00007FF6DEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-2294-0x00007FF6DE870000-0x00007FF6DEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3088-2266-0x00007FF7AE870000-0x00007FF7AEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3088-363-0x00007FF7AE870000-0x00007FF7AEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-395-0x00007FF75A700000-0x00007FF75AA51000-memory.dmp

Filesize
3.3MB

Download
memory/3252-2282-0x00007FF75A700000-0x00007FF75AA51000-memory.dmp

Filesize
3.3MB

Download
memory/3260-2269-0x00007FF6F11E0000-0x00007FF6F1531000-memory.dmp

Filesize
3.3MB

Download
memory/3260-369-0x00007FF6F11E0000-0x00007FF6F1531000-memory.dmp

Filesize
3.3MB

Download
memory/3592-2258-0x00007FF667A80000-0x00007FF667DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3592-333-0x00007FF667A80000-0x00007FF667DD1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-25-0x00007FF633F80000-0x00007FF6342D1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-2246-0x00007FF633F80000-0x00007FF6342D1000-memory.dmp

Filesize
3.3MB

Download
memory/3776-374-0x00007FF74D2E0000-0x00007FF74D631000-memory.dmp

Filesize
3.3MB

Download
memory/3776-2271-0x00007FF74D2E0000-0x00007FF74D631000-memory.dmp

Filesize
3.3MB

Download
memory/3856-2264-0x00007FF6BBCC0000-0x00007FF6BC011000-memory.dmp

Filesize
3.3MB

Download
memory/3856-356-0x00007FF6BBCC0000-0x00007FF6BC011000-memory.dmp

Filesize
3.3MB

Download
memory/4016-2188-0x00007FF62C4B0000-0x00007FF62C801000-memory.dmp

Filesize
3.3MB

Download
memory/4016-1-0x000001BACD730000-0x000001BACD740000-memory.dmp

Filesize
64KB

Download
memory/4016-0-0x00007FF62C4B0000-0x00007FF62C801000-memory.dmp

Filesize
3.3MB

Download
memory/4120-2276-0x00007FF7C7A50000-0x00007FF7C7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-366-0x00007FF7C7A50000-0x00007FF7C7DA1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-2256-0x00007FF683560000-0x00007FF6838B1000-memory.dmp

Filesize
3.3MB

Download
memory/4192-329-0x00007FF683560000-0x00007FF6838B1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-2278-0x00007FF68F510000-0x00007FF68F861000-memory.dmp

Filesize
3.3MB

Download
memory/4220-382-0x00007FF68F510000-0x00007FF68F861000-memory.dmp

Filesize
3.3MB

Download
memory/4532-2298-0x00007FF66EF00000-0x00007FF66F251000-memory.dmp

Filesize
3.3MB

Download
memory/4532-451-0x00007FF66EF00000-0x00007FF66F251000-memory.dmp

Filesize
3.3MB

Download
memory/4556-2272-0x00007FF61D050000-0x00007FF61D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-344-0x00007FF61D050000-0x00007FF61D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4584-349-0x00007FF60E910000-0x00007FF60EC61000-memory.dmp

Filesize
3.3MB

Download
memory/4584-2262-0x00007FF60E910000-0x00007FF60EC61000-memory.dmp

Filesize
3.3MB

Download
memory/4660-317-0x00007FF679210000-0x00007FF679561000-memory.dmp

Filesize
3.3MB

Download
memory/4660-2251-0x00007FF679210000-0x00007FF679561000-memory.dmp

Filesize
3.3MB

Download
memory/4680-2288-0x00007FF792520000-0x00007FF792871000-memory.dmp

Filesize
3.3MB

Download
memory/4680-413-0x00007FF792520000-0x00007FF792871000-memory.dmp

Filesize
3.3MB

Download
memory/4716-419-0x00007FF7CC1D0000-0x00007FF7CC521000-memory.dmp

Filesize
3.3MB

Download
memory/4716-2292-0x00007FF7CC1D0000-0x00007FF7CC521000-memory.dmp

Filesize
3.3MB

Download
memory/4792-2296-0x00007FF6A9D50000-0x00007FF6AA0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-445-0x00007FF6A9D50000-0x00007FF6AA0A1000-memory.dmp

Filesize
3.3MB

Download