Analysis
max time kernel: 60s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-05-2024 18:29

Behavioral task: behavioral1
Sample: 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe
Size: 1.8MB
MD5: 0b1122e3b7f581c09cf1f103f859c6a0
SHA1: f20b9a27ed4753021543a4c1ac561efb413fe660
SHA256: 4c4c2d1f70b34ee6f3fa9122527d6a5b947c87f4a0ab51931662a29115794b45
SHA512: 1ac1e1255e98132730b94f59492661072297462b21ce6789ac4f1d4f9872a80ca73856255c4d0621e6da811698f6179ada7b7f6fdd16e35e02770d94b7f62011
SSDEEP: 24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zEeBosWqf+C1Yxj/ipsyVfVCP3L5WV:knw9oUUEEDl37jcq4zW530Vp5DQ8r5

Malware Config

Signatures
XMRig Miner payload 50 IoCs
Modifies Installed Components in the registry 2 TTPs 5 IoCs
Executes dropped EXE 64 IoCs
YARA rule upx matched on process memory and dropped files (behavioral2).
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies registry class 64 IoCs
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Key created 
\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchApp.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{496B4C1B-7CCC-4067-BCA1-A69463DB365E} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{A279C403-4A39-4043-814F-74B3D75B9C81} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 9 times each (18 entries) | 12400 | explorer.exe
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 18 times each (36 entries) | 1036 | explorer.exe
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 5 times each (10 entries) | 2672 | explorer.exe
All 64 entries are privilege adjustments by explorer.exe instances (PIDs 12400, 1036 and 2672); the sample and its dropped executables do not appear in this list.
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | entries
4544 | sihost.exe | 1
12400 | explorer.exe | 16
1036 | explorer.exe | 47
All 64 entries come from sihost.exe and explorer.exe; none is attributed to the sample or its dropped executables.
-
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | entries
12400 | explorer.exe | 11
1036 | explorer.exe | 25
2672 | explorer.exe | 23
8612 | explorer.exe | 5
All 64 entries come from explorer.exe instances; none is attributed to the sample or its dropped executables.
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
12628 | StartMenuExperienceHost.exe
7636 | StartMenuExperienceHost.exe
7784 | SearchApp.exe
10284 | StartMenuExperienceHost.exe
10636 | SearchApp.exe
9440 | StartMenuExperienceHost.exe
2036 | StartMenuExperienceHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(All 64 entries read "PID 512 wrote to memory of <target PID>", with pid 512 and Process 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe. Each target appears twice in the raw list, so the 32 distinct targets are tabulated once here; the target image is taken from the process tree in the Processes section.)
target PID | target image | procid_target
3904 | C:\Windows\System32\cTcVByd.exe | 83
2348 | C:\Windows\System32\PRYPoXb.exe | 84
3584 | C:\Windows\System32\IqAWmNV.exe | 85
3620 | C:\Windows\System32\gLTjkyP.exe | 86
1964 | C:\Windows\System32\WLgQvjF.exe | 87
4412 | C:\Windows\System32\ojoLLnW.exe | 88
1448 | C:\Windows\System32\YbMtorS.exe | 89
2064 | C:\Windows\System32\VQTWPMu.exe | 90
4772 | C:\Windows\System32\cWwxFCj.exe | 91
4164 | C:\Windows\System32\yHcjHgK.exe | 92
1636 | C:\Windows\System32\oZLbfTk.exe | 93
3864 | C:\Windows\System32\yzTdZyW.exe | 94
2876 | C:\Windows\System32\JAXbmIr.exe | 95
4512 | C:\Windows\System32\eRTGUwC.exe | 96
924 | C:\Windows\System32\oWtMPMK.exe | 97
3296 | C:\Windows\System32\ydysmSB.exe | 98
2396 | C:\Windows\System32\tFJIJlz.exe | 99
4808 | C:\Windows\System32\iTUCJBx.exe | 100
4432 | C:\Windows\System32\rSmovkN.exe | 101
688 | C:\Windows\System32\YKeAeRk.exe | 102
1544 | C:\Windows\System32\kgbdnhI.exe | 103
1504 | C:\Windows\System32\eDByXsa.exe | 104
2556 | C:\Windows\System32\yGxzFFU.exe | 105
1772 | C:\Windows\System32\DdnosZu.exe | 106
2640 | C:\Windows\System32\rqwOKAk.exe | 107
1780 | C:\Windows\System32\CkMYezR.exe | 108
404 | C:\Windows\System32\GwtnAxv.exe | 109
2852 | C:\Windows\System32\mBFuhcw.exe | 110
468 | C:\Windows\System32\nwmbVho.exe | 111
3820 | C:\Windows\System32\GVmdjXE.exe | 112
4064 | C:\Windows\System32\hFNMIwz.exe | 113
2144 | C:\Windows\System32\KUSBnBq.exe | 114
Every target is one of the sample's own direct children (see Processes), and the procid_target values run consecutively from 83 to 114. That pattern is consistent with parent-side writes made while creating each child, not with injection into processes the sample did not start; the latter would show target PIDs that are absent from the sample's subtree.
-
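Lists like the one above are easier to triage once the flattened "PID A wrote to memory of B" records are parsed and grouped by writer. The following Python is an added example written for this page; it is not tooling from the sandbox or from the report's author. SAMPLE_WRITES is a constructed excerpt covering the first four targets, copied in the page's flattened form with each target repeated as it is on the page, and the `tree` mapping is a constructed subset of the Processes section used to separate writes into a writer's own children from writes into unrelated processes.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "Suspicious use of WriteProcessMemory" list
# (first four targets, in the page's flattened form; each target appears twice,
# exactly as it does on the page). Not the full 64-entry list.
SAMPLE_WRITES = (
    "description pid Process procid_target "
    "PID 512 wrote to memory of 3904 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 83 "
    "PID 512 wrote to memory of 3904 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 83 "
    "PID 512 wrote to memory of 2348 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 84 "
    "PID 512 wrote to memory of 2348 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 84 "
    "PID 512 wrote to memory of 3584 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 85 "
    "PID 512 wrote to memory of 3584 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 85 "
    "PID 512 wrote to memory of 3620 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 86 "
    "PID 512 wrote to memory of 3620 512 0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe 86"
)

# One flattened record: "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>"
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_write_records(text):
    """Turn the flattened list into dicts: src is the writer, dst the process written into."""
    return [
        {
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "pid": int(m["pid"]),
            "image": m["image"],
            "procid": int(m["procid"]),
        }
        for m in WRITE_RE.finditer(text)
    ]


def fanout(records):
    """Map each writer PID to the sorted distinct PIDs it wrote into."""
    targets = defaultdict(set)
    for r in records:
        targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()}


def writes_per_target(records):
    """Number of write events the report lists for each target PID."""
    return Counter(r["dst"] for r in records)


def flag_writers(records, min_targets=3):
    """Writers that touched at least min_targets distinct processes (a fan-out triage rule)."""
    return sorted(src for src, dsts in fanout(records).items() if len(dsts) >= min_targets)


def is_parent_side_write(record, children_of):
    """True when the target is a child the writer itself spawned.

    children_of maps parent PID -> set of child PIDs (from the process tree).
    Writes into one's own new children are expected during process creation;
    a write into a process the writer did not create is the injection case."""
    return record["dst"] in children_of.get(record["src"], set())


if __name__ == "__main__":
    recs = parse_write_records(SAMPLE_WRITES)
    # Parent/child relation taken from the report's process tree (constructed subset).
    tree = {512: {3904, 2348, 3584, 3620}}
    print("writers flagged:", flag_writers(recs))
    print("fan-out:", fanout(recs))
    print("events per target:", dict(writes_per_target(recs)))
    print("all writes parent-side:", all(is_parent_side_write(r, tree) for r in recs))
```

The fan-out rule on its own only says that one process wrote into many others, which is exactly what a parent spawning many children also looks like. The check against the process tree is what separates the two readings: on this page every target sits in PID 512's subtree, so the writes are explained by process creation, whereas a target outside the subtree would be the finding to escalate.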
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
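The process tree that follows shows the behaviour behind the "Drops file in System32 directory" and "Executes dropped EXE" signatures: one parent writes dozens of seven-letter, mixed-case executables into C:\Windows\System32 and launches each one. The Python below is an added example written for this page, not code from the sandbox vendor or from the report. It assumes Sysmon-style FileCreate and ProcessCreate records; the EVENTS list is constructed from the first four children in the tree plus one drop that is executed too late to count and one benign explorer.exe launch, and the timestamps and the benign notepad.exe PID are invented. Field names (`t`, `event`, `pid`, `ppid`, `image`, `target`) are this example's own.

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe"
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed Sysmon-style events (FileCreate ~ Event ID 11, ProcessCreate ~ Event ID 1),
# modelled on the first four children in the report's process tree. Timestamps (seconds)
# and the notepad.exe PID are invented for the example.
EVENTS = [
    {"t": 0.0, "event": "FileCreate", "pid": 512, "image": SAMPLE, "target": r"C:\Windows\System32\cTcVByd.exe"},
    {"t": 0.1, "event": "ProcessCreate", "pid": 3904, "ppid": 512, "image": r"C:\Windows\System32\cTcVByd.exe"},
    {"t": 0.2, "event": "FileCreate", "pid": 512, "image": SAMPLE, "target": r"C:\Windows\System32\PRYPoXb.exe"},
    {"t": 0.3, "event": "ProcessCreate", "pid": 2348, "ppid": 512, "image": r"C:\Windows\System32\PRYPoXb.exe"},
    {"t": 0.4, "event": "FileCreate", "pid": 512, "image": SAMPLE, "target": r"C:\Windows\System32\IqAWmNV.exe"},
    {"t": 0.5, "event": "ProcessCreate", "pid": 3584, "ppid": 512, "image": r"C:\Windows\System32\IqAWmNV.exe"},
    {"t": 0.6, "event": "FileCreate", "pid": 512, "image": SAMPLE, "target": r"C:\Windows\System32\gLTjkyP.exe"},
    {"t": 0.7, "event": "ProcessCreate", "pid": 3620, "ppid": 512, "image": r"C:\Windows\System32\gLTjkyP.exe"},
    # Dropped now but executed far outside the default window: not counted by default.
    {"t": 0.8, "event": "FileCreate", "pid": 512, "image": SAMPLE, "target": r"C:\Windows\System32\smkeLTe.exe"},
    {"t": 100.0, "event": "ProcessCreate", "pid": 4452, "ppid": 512, "image": r"C:\Windows\System32\smkeLTe.exe"},
    # Benign: explorer.exe starts a shipped System32 binary it never wrote.
    {"t": 1.0, "event": "ProcessCreate", "pid": 9000, "ppid": 1036, "image": r"C:\Windows\System32\notepad.exe"},
]


def in_system32(path):
    """Direct child of C:\\Windows\\System32 (case-insensitive), not a subdirectory."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def looks_generated(path):
    """Naming heuristic fitted to this sample's droppers: a 7-letter, letters-only,
    mixed-case stem (cTcVByd, PRYPoXb, VQTWPMu, ...). Secondary signal only; it never
    triggers an alert by itself because legitimate names can match by chance."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) == 7 and stem.isalpha() and not stem.islower() and not stem.isupper()


def detect_drop_and_execute(events, min_children=3, window_s=60.0):
    """Alert on a parent that writes executables into System32 and then launches them.

    A ProcessCreate counts when its parent PID wrote that exact image path at most
    window_s seconds earlier. One alert is returned per parent that did so at least
    min_children times, so a single installer step does not fire on its own."""
    dropped = {}                   # (writer pid, lowercase path) -> time of the write
    launched = defaultdict(list)   # parent pid -> child ProcessCreate events matched to a drop
    for e in sorted(events, key=lambda e: e["t"]):
        if e["event"] == "FileCreate" and in_system32(e["target"]):
            dropped[(e["pid"], e["target"].lower())] = e["t"]
        elif e["event"] == "ProcessCreate":
            key = (e["ppid"], e["image"].lower())
            if key in dropped and 0 <= e["t"] - dropped[key] <= window_s:
                launched[e["ppid"]].append(e)
    alerts = []
    for ppid, kids in launched.items():
        if len(kids) >= min_children:
            alerts.append({
                "parent_pid": ppid,
                "children": [k["pid"] for k in kids],
                "generated_names": sum(looks_generated(k["image"]) for k in kids),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_execute(EVENTS):
        print(alert)
```

The primary trigger is the write-then-execute pairing keyed on the parent PID and the exact path; the name heuristic only annotates the alert. Writing into C:\Windows\System32 needs administrative rights, and the report shows the sample running from C:\Users\Admin, so the drops succeeded here; on a host where the user is not an administrator the same sample would fail at the first write, which is itself worth logging.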
Processes
-
Level 1
C:\Users\Admin\AppData\Local\Temp\0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0b1122e3b7f581c09cf1f103f859c6a0_NeikiAnalytics.exe"
PID: 512
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Level 2 (children of PID 512, in the order the report lists them; each child's command line is its own image path)
PID | Image | Signatures
3904 | C:\Windows\System32\cTcVByd.exe | Executes dropped EXE
2348 | C:\Windows\System32\PRYPoXb.exe | Executes dropped EXE
3584 | C:\Windows\System32\IqAWmNV.exe | Executes dropped EXE
3620 | C:\Windows\System32\gLTjkyP.exe | Executes dropped EXE
1964 | C:\Windows\System32\WLgQvjF.exe | Executes dropped EXE
4412 | C:\Windows\System32\ojoLLnW.exe | Executes dropped EXE
1448 | C:\Windows\System32\YbMtorS.exe | Executes dropped EXE
2064 | C:\Windows\System32\VQTWPMu.exe | Executes dropped EXE
4772 | C:\Windows\System32\cWwxFCj.exe | Executes dropped EXE
4164 | C:\Windows\System32\yHcjHgK.exe | Executes dropped EXE
1636 | C:\Windows\System32\oZLbfTk.exe | Executes dropped EXE
3864 | C:\Windows\System32\yzTdZyW.exe | Executes dropped EXE
2876 | C:\Windows\System32\JAXbmIr.exe | Executes dropped EXE
4512 | C:\Windows\System32\eRTGUwC.exe | Executes dropped EXE
924 | C:\Windows\System32\oWtMPMK.exe | Executes dropped EXE
3296 | C:\Windows\System32\ydysmSB.exe | Executes dropped EXE
2396 | C:\Windows\System32\tFJIJlz.exe | Executes dropped EXE
4808 | C:\Windows\System32\iTUCJBx.exe | Executes dropped EXE
4432 | C:\Windows\System32\rSmovkN.exe | Executes dropped EXE
688 | C:\Windows\System32\YKeAeRk.exe | Executes dropped EXE
1544 | C:\Windows\System32\kgbdnhI.exe | Executes dropped EXE
1504 | C:\Windows\System32\eDByXsa.exe | Executes dropped EXE
2556 | C:\Windows\System32\yGxzFFU.exe | Executes dropped EXE
1772 | C:\Windows\System32\DdnosZu.exe | Executes dropped EXE
2640 | C:\Windows\System32\rqwOKAk.exe | Executes dropped EXE
1780 | C:\Windows\System32\CkMYezR.exe | Executes dropped EXE
404 | C:\Windows\System32\GwtnAxv.exe | Executes dropped EXE
2852 | C:\Windows\System32\mBFuhcw.exe | Executes dropped EXE
468 | C:\Windows\System32\nwmbVho.exe | Executes dropped EXE
3820 | C:\Windows\System32\GVmdjXE.exe | Executes dropped EXE
4064 | C:\Windows\System32\hFNMIwz.exe | Executes dropped EXE
2144 | C:\Windows\System32\KUSBnBq.exe | Executes dropped EXE
916 | C:\Windows\System32\JfMMtnF.exe | Executes dropped EXE
3968 | C:\Windows\System32\RFhgVCE.exe | Executes dropped EXE
4732 | C:\Windows\System32\OtLEZok.exe | Executes dropped EXE
1108 | C:\Windows\System32\qXXEnHg.exe | Executes dropped EXE
3964 | C:\Windows\System32\IbLSnwT.exe | Executes dropped EXE
4868 | C:\Windows\System32\hVDCuzq.exe | Executes dropped EXE
3832 | C:\Windows\System32\PvwdbBi.exe | Executes dropped EXE
1048 | C:\Windows\System32\SbqnLyv.exe | Executes dropped EXE
4196 | C:\Windows\System32\rafQSXW.exe | Executes dropped EXE
2124 | C:\Windows\System32\lWlvuqx.exe | Executes dropped EXE
1292 | C:\Windows\System32\uasNvwA.exe | Executes dropped EXE
4072 | C:\Windows\System32\kyxOXFm.exe | Executes dropped EXE
1724 | C:\Windows\System32\aVqMjeG.exe | Executes dropped EXE
4580 | C:\Windows\System32\PmLZXSG.exe | Executes dropped EXE
4476 | C:\Windows\System32\zIBNGnD.exe | Executes dropped EXE
1548 | C:\Windows\System32\Hzcnrrt.exe | Executes dropped EXE
1148 | C:\Windows\System32\GFwrnzm.exe | Executes dropped EXE
4564 | C:\Windows\System32\qjdtOFW.exe | Executes dropped EXE
3328 | C:\Windows\System32\VORKwZV.exe | Executes dropped EXE
1360 | C:\Windows\System32\HVCIlHt.exe | Executes dropped EXE
1008 | C:\Windows\System32\mUPBxjH.exe | Executes dropped EXE
2968 | C:\Windows\System32\nkjRdcB.exe | Executes dropped EXE
3600 | C:\Windows\System32\biWOuJO.exe | Executes dropped EXE
5040 | C:\Windows\System32\rogMAcM.exe | Executes dropped EXE
1668 | C:\Windows\System32\jUPDPDe.exe | Executes dropped EXE
4052 | C:\Windows\System32\oVstWhk.exe | Executes dropped EXE
4044 | C:\Windows\System32\WHaKliI.exe | Executes dropped EXE
544 | C:\Windows\System32\VxKhadT.exe | Executes dropped EXE
2236 | C:\Windows\System32\fZXefcH.exe | Executes dropped EXE
4520 | C:\Windows\System32\KOjMbKC.exe | Executes dropped EXE
1328 | C:\Windows\System32\NvFUdDP.exe | Executes dropped EXE
4452 | C:\Windows\System32\smkeLTe.exe | Executes dropped EXE
4924 | C:\Windows\System32\nKXPnrc.exe |
5116 | C:\Windows\System32\UWKmoEC.exe |
4112 | C:\Windows\System32\eGFEjvo.exe |
4320 | C:\Windows\System32\KZpAFBk.exe |
2576 | C:\Windows\System32\jZltRkx.exe |
4640 | C:\Windows\System32\jCdtMxh.exe |
4972 | C:\Windows\System32\CNJaQVc.exe |
1940 | C:\Windows\System32\vxJJcBv.exe |
4588 | C:\Windows\System32\prOPDGZ.exe |
2976 | C:\Windows\System32\XTumFNc.exe |
4656 | C:\Windows\System32\gjYjkgL.exe |
4724 | C:\Windows\System32\zTlZbMQ.exe |
400 | C:\Windows\System32\qvPuwge.exe |
2420 | C:\Windows\System32\mEDMFwX.exe |
3636 | C:\Windows\System32\iHnjFaN.exe |
880 | C:\Windows\System32\HbGMJlp.exe |
4388 | C:\Windows\System32\qFUvCEe.exe |
1936 | C:\Windows\System32\WHbkYvp.exe |
5140 | C:\Windows\System32\quxrJIy.exe |
5164 | C:\Windows\System32\KSaCoQE.exe |
5192 | C:\Windows\System32\bXsgcyw.exe |
5220 | C:\Windows\System32\vqOdggq.exe |
5248 | C:\Windows\System32\kZPdhev.exe |
5276 | C:\Windows\System32\pZgqgnt.exe |
5304 | C:\Windows\System32\MIvKxIP.exe |
5396 | C:\Windows\System32\wPXGFCp.exe |
5424 | C:\Windows\System32\lxQECUx.exe |
5444 | C:\Windows\System32\nuIvbVq.exe |
5460 | C:\Windows\System32\suehamU.exe |
5484 | C:\Windows\System32\CWKoQKz.exe |
5520 | C:\Windows\System32\SznjFxP.exe |
5544 | C:\Windows\System32\SklfodK.exe |
5576 | C:\Windows\System32\PllyXkq.exe |
5596 | C:\Windows\System32\uprzdbX.exe |
5620 | C:\Windows\System32\AoqGoZf.exe |
5680 | C:\Windows\System32\bbDXURM.exe |
5696 | C:\Windows\System32\PeNZdDZ.exe |
5720 | C:\Windows\System32\XiuYIdw.exe |
5740 | C:\Windows\System32\rBBOZAI.exe |
5764 | C:\Windows\System32\ojSyFbw.exe |
5800 | C:\Windows\System32\GghjHkM.exe |
5820 | C:\Windows\System32\AHPzUdd.exe |
5880 | C:\Windows\System32\ENKPDHR.exe |
5896 | C:\Windows\System32\jqkjcbI.exe |
5912 | C:\Windows\System32\cHJKuWZ.exe |
5944 | C:\Windows\System32\kKmrrIk.exe |
5968 | C:\Windows\System32\NHFmYhs.exe |
5988 | C:\Windows\System32\jSlcZob.exe |
6008 | C:\Windows\System32\jOJstqs.exe |
6056 | C:\Windows\System32\iCPjjTO.exe |
6088 | C:\Windows\System32\ktvYElG.exe |
6104 | C:\Windows\System32\xEgqvlf.exe |
6124 | C:\Windows\System32\DhFyWiN.exe |
6140 | C:\Windows\System32\EVmPXwn.exe |
3088 | C:\Windows\System32\PdAgMHS.exe |
2268 | C:\Windows\System32\xbFhiHm.exe |
5180 | C:\Windows\System32\hrVjUoy.exe |
5200 | C:\Windows\System32\IqYJMSG.exe |
4344 | C:\Windows\System32\IWCUSfG.exe |
5320 | C:\Windows\System32\IyqCvbj.exe |
4032 | C:\Windows\System32\hGnwRdP.exe |
4496 | C:\Windows\System32\bfTzmPJ.exe |
1352 | C:\Windows\System32\deQqnQR.exe |
4976 | C:\Windows\System32\SyExXZk.exe |
4776 | C:\Windows\System32\UGWvKug.exe |
5416 | C:\Windows\System32\WtnRGxl.exe |
5468 | C:\Windows\System32\QPDFngC.exe |
5568 | C:\Windows\System32\KAHlZKz.exe |
2044 | C:\Windows\System32\NxTiHpk.exe |
5588 | C:\Windows\System32\BRGBrlC.exe |
5688 | C:\Windows\System32\XXiUYQD.exe |
5732 | C:\Windows\System32\KNMrbrQ.exe |
5892 | C:\Windows\System32\lBDjTRI.exe |
5904 | C:\Windows\System32\xhZPGyO.exe |
From nKXPnrc.exe (PID 4924) onward the report shows no signature beside the entry; the first 64 children carry "Executes dropped EXE".
-
-
C:\Windows\System32\YLTzMty.exeC:\Windows\System32\YLTzMty.exe2⤵PID:5956
-
-
C:\Windows\System32\XbkORTT.exeC:\Windows\System32\XbkORTT.exe2⤵PID:6004
-
-
C:\Windows\System32\BxWoMgF.exeC:\Windows\System32\BxWoMgF.exe2⤵PID:6096
-
-
C:\Windows\System32\dIFyTmC.exeC:\Windows\System32\dIFyTmC.exe2⤵PID:4672
-
-
C:\Windows\System32\blwvQzx.exeC:\Windows\System32\blwvQzx.exe2⤵PID:3104
-
-
C:\Windows\System32\SHsHekp.exeC:\Windows\System32\SHsHekp.exe2⤵PID:5284
-
-
C:\Windows\System32\HVPDwGH.exeC:\Windows\System32\HVPDwGH.exe2⤵PID:1100
-
-
C:\Windows\System32\vYUlmJB.exeC:\Windows\System32\vYUlmJB.exe2⤵PID:4912
-
-
C:\Windows\System32\aESBXpr.exeC:\Windows\System32\aESBXpr.exe2⤵PID:5500
-
-
C:\Windows\System32\nnqeuOl.exeC:\Windows\System32\nnqeuOl.exe2⤵PID:5668
-
-
C:\Windows\System32\HdmGgjb.exeC:\Windows\System32\HdmGgjb.exe2⤵PID:4508
-
-
C:\Windows\System32\ItTpBnX.exeC:\Windows\System32\ItTpBnX.exe2⤵PID:5840
-
-
C:\Windows\System32\McpABGo.exeC:\Windows\System32\McpABGo.exe2⤵PID:756
-
-
C:\Windows\System32\rnIzfCr.exeC:\Windows\System32\rnIzfCr.exe2⤵PID:5952
-
-
C:\Windows\System32\jjGvNGv.exeC:\Windows\System32\jjGvNGv.exe2⤵PID:6100
-
-
C:\Windows\System32\KtEgGtJ.exeC:\Windows\System32\KtEgGtJ.exe2⤵PID:5156
-
-
C:\Windows\System32\OtgrKDJ.exeC:\Windows\System32\OtgrKDJ.exe2⤵PID:1280
-
-
C:\Windows\System32\jrfSmAb.exeC:\Windows\System32\jrfSmAb.exe2⤵PID:5756
-
-
C:\Windows\System32\JGRWCnT.exeC:\Windows\System32\JGRWCnT.exe2⤵PID:5864
-
-
C:\Windows\System32\wKmwWAD.exeC:\Windows\System32\wKmwWAD.exe2⤵PID:5456
-
-
C:\Windows\System32\SBkLbMk.exeC:\Windows\System32\SBkLbMk.exe2⤵PID:6020
-
-
C:\Windows\System32\blKjMMJ.exeC:\Windows\System32\blKjMMJ.exe2⤵PID:5268
-
-
C:\Windows\System32\AjCsbGh.exeC:\Windows\System32\AjCsbGh.exe2⤵PID:6168
-
-
C:\Windows\System32\gbKVNzu.exeC:\Windows\System32\gbKVNzu.exe2⤵PID:6184
-
-
C:\Windows\System32\vMYiZXt.exeC:\Windows\System32\vMYiZXt.exe2⤵PID:6212
-
-
C:\Windows\System32\rUjThty.exeC:\Windows\System32\rUjThty.exe2⤵PID:6232
-
-
C:\Windows\System32\XvEbyLy.exeC:\Windows\System32\XvEbyLy.exe2⤵PID:6280
-
-
C:\Windows\System32\UrdKjcH.exeC:\Windows\System32\UrdKjcH.exe2⤵PID:6316
-
-
C:\Windows\System32\VzFpEFh.exeC:\Windows\System32\VzFpEFh.exe2⤵PID:6340
-
-
C:\Windows\System32\LmwvyxZ.exeC:\Windows\System32\LmwvyxZ.exe2⤵PID:6364
-
-
C:\Windows\System32\veSPpcU.exeC:\Windows\System32\veSPpcU.exe2⤵PID:6384
-
-
C:\Windows\System32\xSjmMUt.exeC:\Windows\System32\xSjmMUt.exe2⤵PID:6408
-
-
C:\Windows\System32\KSGgSfC.exeC:\Windows\System32\KSGgSfC.exe2⤵PID:6456
-
-
C:\Windows\System32\QaCkZsE.exeC:\Windows\System32\QaCkZsE.exe2⤵PID:6472
-
-
C:\Windows\System32\nEywcmo.exeC:\Windows\System32\nEywcmo.exe2⤵PID:6520
-
-
C:\Windows\System32\AhBuDnA.exeC:\Windows\System32\AhBuDnA.exe2⤵PID:6536
-
-
C:\Windows\System32\RbYFbQw.exeC:\Windows\System32\RbYFbQw.exe2⤵PID:6556
-
-
C:\Windows\System32\sXLgCls.exeC:\Windows\System32\sXLgCls.exe2⤵PID:6588
-
-
C:\Windows\System32\KkizEjT.exeC:\Windows\System32\KkizEjT.exe2⤵PID:6608
-
-
C:\Windows\System32\zmjASNu.exeC:\Windows\System32\zmjASNu.exe2⤵PID:6628
-
-
C:\Windows\System32\sCOlWSL.exeC:\Windows\System32\sCOlWSL.exe2⤵PID:6648
-
-
C:\Windows\System32\dSqsJyr.exeC:\Windows\System32\dSqsJyr.exe2⤵PID:6668
-
-
C:\Windows\System32\ZHUqtZt.exeC:\Windows\System32\ZHUqtZt.exe2⤵PID:6688
-
-
C:\Windows\System32\DqdJoub.exeC:\Windows\System32\DqdJoub.exe2⤵PID:6740
-
-
C:\Windows\System32\sYKUGTH.exeC:\Windows\System32\sYKUGTH.exe2⤵PID:6768
-
-
C:\Windows\System32\nErmetP.exeC:\Windows\System32\nErmetP.exe2⤵PID:6784
-
-
C:\Windows\System32\idwJmXP.exeC:\Windows\System32\idwJmXP.exe2⤵PID:6840
-
-
C:\Windows\System32\AhKEhrT.exeC:\Windows\System32\AhKEhrT.exe2⤵PID:6880
-
-
C:\Windows\System32\vmThWAN.exeC:\Windows\System32\vmThWAN.exe2⤵PID:6912
-
-
C:\Windows\System32\ZLthkTc.exeC:\Windows\System32\ZLthkTc.exe2⤵PID:6936
-
-
C:\Windows\System32\qhYETuS.exeC:\Windows\System32\qhYETuS.exe2⤵PID:6964
-
-
C:\Windows\System32\yQbnnuy.exeC:\Windows\System32\yQbnnuy.exe2⤵PID:6996
-
-
C:\Windows\System32\oabRFql.exeC:\Windows\System32\oabRFql.exe2⤵PID:7024
-
-
C:\Windows\System32\xhCbvil.exeC:\Windows\System32\xhCbvil.exe2⤵PID:7048
-
-
C:\Windows\System32\VyEQKYe.exeC:\Windows\System32\VyEQKYe.exe2⤵PID:7072
-
-
C:\Windows\System32\cSdybWP.exeC:\Windows\System32\cSdybWP.exe2⤵PID:7092
-
-
C:\Windows\System32\DmDlxWE.exeC:\Windows\System32\DmDlxWE.exe2⤵PID:7116
-
-
C:\Windows\System32\NahIPpj.exeC:\Windows\System32\NahIPpj.exe2⤵PID:7152
-
-
C:\Windows\System32\zzspeXm.exeC:\Windows\System32\zzspeXm.exe2⤵PID:3116
-
-
C:\Windows\System32\Jgvauss.exeC:\Windows\System32\Jgvauss.exe2⤵PID:6152
-
-
C:\Windows\System32\jxqQpeE.exeC:\Windows\System32\jxqQpeE.exe2⤵PID:6224
-
-
C:\Windows\System32\RKxYRFh.exeC:\Windows\System32\RKxYRFh.exe2⤵PID:6380
-
-
C:\Windows\System32\HHlofRw.exeC:\Windows\System32\HHlofRw.exe2⤵PID:6500
-
-
C:\Windows\System32\XRuMpvA.exeC:\Windows\System32\XRuMpvA.exe2⤵PID:6528
-
-
C:\Windows\System32\lpsSizQ.exeC:\Windows\System32\lpsSizQ.exe2⤵PID:6596
-
-
C:\Windows\System32\KuFwdBg.exeC:\Windows\System32\KuFwdBg.exe2⤵PID:6656
-
-
C:\Windows\System32\QUdZTAb.exeC:\Windows\System32\QUdZTAb.exe2⤵PID:6684
-
-
C:\Windows\System32\GLoyWme.exeC:\Windows\System32\GLoyWme.exe2⤵PID:6760
-
-
C:\Windows\System32\XzRszCb.exeC:\Windows\System32\XzRszCb.exe2⤵PID:6808
-
-
C:\Windows\System32\RNjwOoo.exeC:\Windows\System32\RNjwOoo.exe2⤵PID:6932
-
-
C:\Windows\System32\lFNULad.exeC:\Windows\System32\lFNULad.exe2⤵PID:6976
-
-
C:\Windows\System32\cAXySDM.exeC:\Windows\System32\cAXySDM.exe2⤵PID:7032
-
-
C:\Windows\System32\ykYKfpo.exeC:\Windows\System32\ykYKfpo.exe2⤵PID:7124
-
-
C:\Windows\System32\zDmjohD.exeC:\Windows\System32\zDmjohD.exe2⤵PID:6176
-
-
C:\Windows\System32\roCsyFR.exeC:\Windows\System32\roCsyFR.exe2⤵PID:6244
-
-
C:\Windows\System32\eQUqgsy.exeC:\Windows\System32\eQUqgsy.exe2⤵PID:6468
-
-
C:\Windows\System32\bXaBybn.exeC:\Windows\System32\bXaBybn.exe2⤵PID:6548
-
-
C:\Windows\System32\xTJbIQM.exeC:\Windows\System32\xTJbIQM.exe2⤵PID:6616
-
-
C:\Windows\System32\dmUtxSS.exeC:\Windows\System32\dmUtxSS.exe2⤵PID:6748
-
-
C:\Windows\System32\EJeoulN.exeC:\Windows\System32\EJeoulN.exe2⤵PID:7064
-
-
C:\Windows\System32\LmqpVuK.exeC:\Windows\System32\LmqpVuK.exe2⤵PID:6436
-
-
C:\Windows\System32\JzuNxlt.exeC:\Windows\System32\JzuNxlt.exe2⤵PID:816
-
-
C:\Windows\System32\jMlWAUv.exeC:\Windows\System32\jMlWAUv.exe2⤵PID:7164
-
-
C:\Windows\System32\FvZlcwA.exeC:\Windows\System32\FvZlcwA.exe2⤵PID:6360
-
-
C:\Windows\System32\AeRlhBW.exeC:\Windows\System32\AeRlhBW.exe2⤵PID:6908
-
-
C:\Windows\System32\Ahxzbjs.exeC:\Windows\System32\Ahxzbjs.exe2⤵PID:7200
-
-
C:\Windows\System32\PxWQLDu.exeC:\Windows\System32\PxWQLDu.exe2⤵PID:7228
-
-
C:\Windows\System32\SXXavxY.exeC:\Windows\System32\SXXavxY.exe2⤵PID:7252
-
-
C:\Windows\System32\iijqcsq.exeC:\Windows\System32\iijqcsq.exe2⤵PID:7280
-
-
C:\Windows\System32\xwGAvXB.exeC:\Windows\System32\xwGAvXB.exe2⤵PID:7308
-
-
C:\Windows\System32\bKqYNeW.exeC:\Windows\System32\bKqYNeW.exe2⤵PID:7328
-
-
C:\Windows\System32\IwUFndY.exeC:\Windows\System32\IwUFndY.exe2⤵PID:7352
-
-
C:\Windows\System32\ehNVHMv.exeC:\Windows\System32\ehNVHMv.exe2⤵PID:7380
-
-
C:\Windows\System32\fvXYJSy.exeC:\Windows\System32\fvXYJSy.exe2⤵PID:7400
-
-
C:\Windows\System32\SMrZXZd.exeC:\Windows\System32\SMrZXZd.exe2⤵PID:7440
-
-
C:\Windows\System32\trlxCEs.exeC:\Windows\System32\trlxCEs.exe2⤵PID:7484
-
-
C:\Windows\System32\llrUMmK.exeC:\Windows\System32\llrUMmK.exe2⤵PID:7512
-
-
C:\Windows\System32\wBrzqWW.exeC:\Windows\System32\wBrzqWW.exe2⤵PID:7536
-
-
C:\Windows\System32\SWslgSe.exeC:\Windows\System32\SWslgSe.exe2⤵PID:7556
-
-
C:\Windows\System32\ThLKssF.exeC:\Windows\System32\ThLKssF.exe2⤵PID:7604
-
-
C:\Windows\System32\gDDUXSF.exeC:\Windows\System32\gDDUXSF.exe2⤵PID:7628
-
-
C:\Windows\System32\ZanwtLB.exeC:\Windows\System32\ZanwtLB.exe2⤵PID:7660
-
-
C:\Windows\System32\sKqPLyw.exeC:\Windows\System32\sKqPLyw.exe2⤵PID:7684
-
-
C:\Windows\System32\NlcbETB.exeC:\Windows\System32\NlcbETB.exe2⤵PID:7704
-
-
C:\Windows\System32\gdMisrD.exeC:\Windows\System32\gdMisrD.exe2⤵PID:7724
-
-
C:\Windows\System32\wxfLAtJ.exeC:\Windows\System32\wxfLAtJ.exe2⤵PID:7748
-
-
C:\Windows\System32\owABjNy.exeC:\Windows\System32\owABjNy.exe2⤵PID:7776
-
-
C:\Windows\System32\JnwpDeR.exeC:\Windows\System32\JnwpDeR.exe2⤵PID:7796
-
-
C:\Windows\System32\JLPhKRz.exeC:\Windows\System32\JLPhKRz.exe2⤵PID:7824
-
-
C:\Windows\System32\lrvthQJ.exeC:\Windows\System32\lrvthQJ.exe2⤵PID:7840
-
-
C:\Windows\System32\dsCDNsq.exeC:\Windows\System32\dsCDNsq.exe2⤵PID:7872
-
-
C:\Windows\System32\BlZClhp.exeC:\Windows\System32\BlZClhp.exe2⤵PID:7912
-
-
C:\Windows\System32\uNihIOX.exeC:\Windows\System32\uNihIOX.exe2⤵PID:7972
-
-
C:\Windows\System32\MMLNaxf.exeC:\Windows\System32\MMLNaxf.exe2⤵PID:7992
-
-
C:\Windows\System32\hOXUenh.exeC:\Windows\System32\hOXUenh.exe2⤵PID:8012
-
-
C:\Windows\System32\EwSBjTp.exeC:\Windows\System32\EwSBjTp.exe2⤵PID:8032
-
-
C:\Windows\System32\mqOgEaG.exeC:\Windows\System32\mqOgEaG.exe2⤵PID:8060
-
-
C:\Windows\System32\tduERYa.exeC:\Windows\System32\tduERYa.exe2⤵PID:8108
-
-
C:\Windows\System32\rSvuuEV.exeC:\Windows\System32\rSvuuEV.exe2⤵PID:8124
-
-
C:\Windows\System32\eCszSnZ.exeC:\Windows\System32\eCszSnZ.exe2⤵PID:8144
-
-
C:\Windows\System32\LsBsOnx.exeC:\Windows\System32\LsBsOnx.exe2⤵PID:8176
-
-
C:\Windows\System32\qBCYtmV.exeC:\Windows\System32\qBCYtmV.exe2⤵PID:6600
-
-
C:\Windows\System32\dHaslgx.exeC:\Windows\System32\dHaslgx.exe2⤵PID:7176
-
-
C:\Windows\System32\ozYIlgI.exeC:\Windows\System32\ozYIlgI.exe2⤵PID:7288
-
-
C:\Windows\System32\xzyoGmP.exeC:\Windows\System32\xzyoGmP.exe2⤵PID:7368
-
-
C:\Windows\System32\FyPEZyF.exeC:\Windows\System32\FyPEZyF.exe2⤵PID:7320
-
-
C:\Windows\System32\cFpGHgz.exeC:\Windows\System32\cFpGHgz.exe2⤵PID:7408
-
-
C:\Windows\System32\OYFoXJp.exeC:\Windows\System32\OYFoXJp.exe2⤵PID:7524
-
-
C:\Windows\System32\ndeTfkW.exeC:\Windows\System32\ndeTfkW.exe2⤵PID:7696
-
-
C:\Windows\System32\LSjrple.exeC:\Windows\System32\LSjrple.exe2⤵PID:7900
-
-
C:\Windows\System32\zebGEYF.exeC:\Windows\System32\zebGEYF.exe2⤵PID:7956
-
-
C:\Windows\System32\iDOjxFg.exeC:\Windows\System32\iDOjxFg.exe2⤵PID:8004
-
-
C:\Windows\System32\psCCjuL.exeC:\Windows\System32\psCCjuL.exe2⤵PID:8044
-
-
C:\Windows\System32\VxoxJLz.exeC:\Windows\System32\VxoxJLz.exe2⤵PID:8040
-
-
C:\Windows\System32\jxbTvlR.exeC:\Windows\System32\jxbTvlR.exe2⤵PID:8076
-
-
C:\Windows\System32\iqTNBFz.exeC:\Windows\System32\iqTNBFz.exe2⤵PID:8120
-
-
C:\Windows\System32\HqpOdWI.exeC:\Windows\System32\HqpOdWI.exe2⤵PID:8164
-
-
C:\Windows\System32\VgVZojQ.exeC:\Windows\System32\VgVZojQ.exe2⤵PID:7160
-
-
C:\Windows\System32\kOvQrCD.exeC:\Windows\System32\kOvQrCD.exe2⤵PID:7272
-
-
C:\Windows\System32\gvRVjHO.exeC:\Windows\System32\gvRVjHO.exe2⤵PID:7412
-
-
C:\Windows\System32\lCzSkmj.exeC:\Windows\System32\lCzSkmj.exe2⤵PID:7392
-
-
C:\Windows\System32\sJkyFHR.exeC:\Windows\System32\sJkyFHR.exe2⤵PID:7564
-
-
C:\Windows\System32\tppsSMB.exeC:\Windows\System32\tppsSMB.exe2⤵PID:8188
-
-
C:\Windows\System32\jGukBEc.exeC:\Windows\System32\jGukBEc.exe2⤵PID:7788
-
-
C:\Windows\System32\kiCPXyW.exeC:\Windows\System32\kiCPXyW.exe2⤵PID:7836
-
-
C:\Windows\System32\yBsFtAN.exeC:\Windows\System32\yBsFtAN.exe2⤵PID:7592
-
-
C:\Windows\System32\ucjdNdW.exeC:\Windows\System32\ucjdNdW.exe2⤵PID:7300
-
-
C:\Windows\System32\JopbgqU.exeC:\Windows\System32\JopbgqU.exe2⤵PID:7336
-
-
C:\Windows\System32\poKHIZu.exeC:\Windows\System32\poKHIZu.exe2⤵PID:8200
-
-
C:\Windows\System32\OPNGEvP.exeC:\Windows\System32\OPNGEvP.exe2⤵PID:8292
-
-
C:\Windows\System32\ZHGczyU.exeC:\Windows\System32\ZHGczyU.exe2⤵PID:8316
-
-
C:\Windows\System32\pCZOIyK.exeC:\Windows\System32\pCZOIyK.exe2⤵PID:8336
-
-
C:\Windows\System32\avLBneb.exeC:\Windows\System32\avLBneb.exe2⤵PID:8356
-
-
C:\Windows\System32\uphbBjl.exeC:\Windows\System32\uphbBjl.exe2⤵PID:8384
-
-
C:\Windows\System32\dsMwyNq.exeC:\Windows\System32\dsMwyNq.exe2⤵PID:8412
-
-
C:\Windows\System32\yJLSDhL.exeC:\Windows\System32\yJLSDhL.exe2⤵PID:8440
-
-
C:\Windows\System32\ZnlWPVq.exeC:\Windows\System32\ZnlWPVq.exe2⤵PID:8464
-
-
C:\Windows\System32\LxBoToK.exeC:\Windows\System32\LxBoToK.exe2⤵PID:8480
-
-
C:\Windows\System32\ElUzGxt.exeC:\Windows\System32\ElUzGxt.exe2⤵PID:8528
-
-
C:\Windows\System32\nbIWsbX.exeC:\Windows\System32\nbIWsbX.exe2⤵PID:8568
-
-
C:\Windows\System32\xeiTQaS.exeC:\Windows\System32\xeiTQaS.exe2⤵PID:8592
-
-
C:\Windows\System32\SKAOczt.exeC:\Windows\System32\SKAOczt.exe2⤵PID:8616
-
-
C:\Windows\System32\SXBVbqA.exeC:\Windows\System32\SXBVbqA.exe2⤵PID:8636
-
-
C:\Windows\System32\khRYZUw.exeC:\Windows\System32\khRYZUw.exe2⤵PID:8656
-
-
C:\Windows\System32\FHiJHKr.exeC:\Windows\System32\FHiJHKr.exe2⤵PID:8688
-
-
C:\Windows\System32\MDZGnQK.exeC:\Windows\System32\MDZGnQK.exe2⤵PID:8708
-
-
C:\Windows\System32\xlKEGTz.exeC:\Windows\System32\xlKEGTz.exe2⤵PID:8736
-
-
C:\Windows\System32\fmHSIJc.exeC:\Windows\System32\fmHSIJc.exe2⤵PID:8760
-
-
C:\Windows\System32\GGPtQfT.exeC:\Windows\System32\GGPtQfT.exe2⤵PID:8800
-
-
C:\Windows\System32\yMEETJI.exeC:\Windows\System32\yMEETJI.exe2⤵PID:8820
-
-
C:\Windows\System32\DzOLDsO.exeC:\Windows\System32\DzOLDsO.exe2⤵PID:8860
-
-
C:\Windows\System32\OgymyEQ.exeC:\Windows\System32\OgymyEQ.exe2⤵PID:8888
-
-
C:\Windows\System32\YCITius.exeC:\Windows\System32\YCITius.exe2⤵PID:8904
-
-
C:\Windows\System32\NcVEjHO.exeC:\Windows\System32\NcVEjHO.exe2⤵PID:8944
-
-
C:\Windows\System32\bLjvQsX.exeC:\Windows\System32\bLjvQsX.exe2⤵PID:8988
-
-
C:\Windows\System32\TcufvGW.exeC:\Windows\System32\TcufvGW.exe2⤵PID:9004
-
-
C:\Windows\System32\SFiYJXl.exeC:\Windows\System32\SFiYJXl.exe2⤵PID:9040
-
-
C:\Windows\System32\OBNWUtc.exeC:\Windows\System32\OBNWUtc.exe2⤵PID:9060
-
-
C:\Windows\System32\YNAKJVw.exeC:\Windows\System32\YNAKJVw.exe2⤵PID:9084
-
-
C:\Windows\System32\JtpsZaJ.exeC:\Windows\System32\JtpsZaJ.exe2⤵PID:9112
-
-
C:\Windows\System32\SChBLNt.exeC:\Windows\System32\SChBLNt.exe2⤵PID:9140
-
-
C:\Windows\System32\tYLoBFj.exeC:\Windows\System32\tYLoBFj.exe2⤵PID:9156
-
-
C:\Windows\System32\NrMlDda.exeC:\Windows\System32\NrMlDda.exe2⤵PID:9176
-
-
C:\Windows\System32\OrifQwn.exeC:\Windows\System32\OrifQwn.exe2⤵PID:7988
-
-
C:\Windows\System32\PoFTOdu.exeC:\Windows\System32\PoFTOdu.exe2⤵PID:7740
-
-
C:\Windows\System32\HILRUKZ.exeC:\Windows\System32\HILRUKZ.exe2⤵PID:8324
-
-
C:\Windows\System32\hpZyCKX.exeC:\Windows\System32\hpZyCKX.exe2⤵PID:2540
-
-
C:\Windows\System32\tGEfifK.exeC:\Windows\System32\tGEfifK.exe2⤵PID:8400
-
-
C:\Windows\System32\iZWRscU.exeC:\Windows\System32\iZWRscU.exe2⤵PID:8476
-
-
C:\Windows\System32\hUnndQl.exeC:\Windows\System32\hUnndQl.exe2⤵PID:8576
-
-
C:\Windows\System32\bvqNcVP.exeC:\Windows\System32\bvqNcVP.exe2⤵PID:8632
-
-
C:\Windows\System32\GYRjUyG.exeC:\Windows\System32\GYRjUyG.exe2⤵PID:8644
-
-
C:\Windows\System32\pjawLyU.exeC:\Windows\System32\pjawLyU.exe2⤵PID:8768
-
-
C:\Windows\System32\PLAAVmm.exeC:\Windows\System32\PLAAVmm.exe2⤵PID:8828
-
-
C:\Windows\System32\vyqhMkL.exeC:\Windows\System32\vyqhMkL.exe2⤵PID:8876
-
-
C:\Windows\System32\NHURkSg.exeC:\Windows\System32\NHURkSg.exe2⤵PID:8940
-
-
C:\Windows\System32\KjjSrex.exeC:\Windows\System32\KjjSrex.exe2⤵PID:9028
-
-
C:\Windows\System32\FoyNCDq.exeC:\Windows\System32\FoyNCDq.exe2⤵PID:9036
-
-
C:\Windows\System32\rlluzNG.exeC:\Windows\System32\rlluzNG.exe2⤵PID:9188
-
-
C:\Windows\System32\cqQMzQG.exeC:\Windows\System32\cqQMzQG.exe2⤵PID:7964
-
-
C:\Windows\System32\oOKlyzQ.exeC:\Windows\System32\oOKlyzQ.exe2⤵PID:8208
-
-
C:\Windows\System32\aFAoPbO.exeC:\Windows\System32\aFAoPbO.exe2⤵PID:8376
-
-
C:\Windows\System32\auqAzsJ.exeC:\Windows\System32\auqAzsJ.exe2⤵PID:8556
-
-
C:\Windows\System32\wKpQOsg.exeC:\Windows\System32\wKpQOsg.exe2⤵PID:8676
-
-
C:\Windows\System32\BGIZmkB.exeC:\Windows\System32\BGIZmkB.exe2⤵PID:8796
-
-
C:\Windows\System32\EJQwcCi.exeC:\Windows\System32\EJQwcCi.exe2⤵PID:8812
-
-
C:\Windows\System32\pwrJvoL.exeC:\Windows\System32\pwrJvoL.exe2⤵PID:5340
-
-
C:\Windows\System32\fykbWkj.exeC:\Windows\System32\fykbWkj.exe2⤵PID:9204
-
-
C:\Windows\System32\LHHIbxF.exeC:\Windows\System32\LHHIbxF.exe2⤵PID:8448
-
-
C:\Windows\System32\Bmejypy.exeC:\Windows\System32\Bmejypy.exe2⤵PID:8700
-
-
C:\Windows\System32\KCmjdas.exeC:\Windows\System32\KCmjdas.exe2⤵PID:9100
-
-
C:\Windows\System32\rVXyrad.exeC:\Windows\System32\rVXyrad.exe2⤵PID:8868
-
-
C:\Windows\System32\weKzAGs.exeC:\Windows\System32\weKzAGs.exe2⤵PID:9220
-
-
C:\Windows\System32\VKTPoKK.exeC:\Windows\System32\VKTPoKK.exe2⤵PID:9248
-
-
C:\Windows\System32\KdOiYbM.exeC:\Windows\System32\KdOiYbM.exe2⤵PID:9268
-
-
C:\Windows\System32\xClpHzH.exeC:\Windows\System32\xClpHzH.exe2⤵PID:9312
-
-
C:\Windows\System32\jyRzjYI.exeC:\Windows\System32\jyRzjYI.exe2⤵PID:9336
-
-
C:\Windows\System32\NuImQpM.exeC:\Windows\System32\NuImQpM.exe2⤵PID:9360
-
-
C:\Windows\System32\KLloTtS.exeC:\Windows\System32\KLloTtS.exe2⤵PID:9380
-
-
C:\Windows\System32\LSkjXHc.exeC:\Windows\System32\LSkjXHc.exe2⤵PID:9420
-
-
C:\Windows\System32\ThlgLIn.exeC:\Windows\System32\ThlgLIn.exe2⤵PID:9452
-
-
C:\Windows\System32\oqPTjKB.exeC:\Windows\System32\oqPTjKB.exe2⤵PID:9480
-
-
C:\Windows\System32\loIHmnl.exeC:\Windows\System32\loIHmnl.exe2⤵PID:9504
-
-
C:\Windows\System32\REdPEPC.exeC:\Windows\System32\REdPEPC.exe2⤵PID:9524
-
-
C:\Windows\System32\thravxF.exeC:\Windows\System32\thravxF.exe2⤵PID:9556
-
-
C:\Windows\System32\rGJLHmy.exeC:\Windows\System32\rGJLHmy.exe2⤵PID:9596
-
-
C:\Windows\System32\XSCIQil.exeC:\Windows\System32\XSCIQil.exe2⤵PID:9644
-
-
C:\Windows\System32\QxTGLyM.exeC:\Windows\System32\QxTGLyM.exe2⤵PID:9660
-
-
C:\Windows\System32\dHAnwAj.exeC:\Windows\System32\dHAnwAj.exe2⤵PID:9688
-
-
C:\Windows\System32\aDksQGW.exeC:\Windows\System32\aDksQGW.exe2⤵PID:9708
-
-
C:\Windows\System32\UnJGHqn.exeC:\Windows\System32\UnJGHqn.exe2⤵PID:9728
-
-
C:\Windows\System32\SRzNDwC.exeC:\Windows\System32\SRzNDwC.exe2⤵PID:9764
-
-
C:\Windows\System32\vOTUCwv.exeC:\Windows\System32\vOTUCwv.exe2⤵PID:9804
-
-
C:\Windows\System32\ufkCcYR.exeC:\Windows\System32\ufkCcYR.exe2⤵PID:9832
-
-
C:\Windows\System32\nsGcKMa.exeC:\Windows\System32\nsGcKMa.exe2⤵PID:9868
-
-
C:\Windows\System32\alAMqIZ.exeC:\Windows\System32\alAMqIZ.exe2⤵PID:9896
-
-
C:\Windows\System32\SlwzqdK.exeC:\Windows\System32\SlwzqdK.exe2⤵PID:9924
-
-
C:\Windows\System32\lIAWHeW.exeC:\Windows\System32\lIAWHeW.exe2⤵PID:9944
-
-
C:\Windows\System32\rOAMvtp.exeC:\Windows\System32\rOAMvtp.exe2⤵PID:9968
-
-
C:\Windows\System32\tVkzPgy.exeC:\Windows\System32\tVkzPgy.exe2⤵PID:9992
-
-
C:\Windows\System32\TMcWdVi.exeC:\Windows\System32\TMcWdVi.exe2⤵PID:10024
-
-
C:\Windows\System32\nqDkDke.exeC:\Windows\System32\nqDkDke.exe2⤵PID:10072
-
-
C:\Windows\System32\MzmUyWG.exeC:\Windows\System32\MzmUyWG.exe2⤵PID:10092
-
-
C:\Windows\System32\hGofzXj.exeC:\Windows\System32\hGofzXj.exe2⤵PID:10116
-
-
C:\Windows\System32\QGrIbVy.exeC:\Windows\System32\QGrIbVy.exe2⤵PID:10136
-
-
C:\Windows\System32\GBVEtTH.exeC:\Windows\System32\GBVEtTH.exe2⤵PID:10156
-
-
C:\Windows\System32\ZbKugJp.exeC:\Windows\System32\ZbKugJp.exe2⤵PID:10192
-
-
C:\Windows\System32\WbImRyg.exeC:\Windows\System32\WbImRyg.exe2⤵PID:8312
-
-
C:\Windows\System32\MxCogva.exeC:\Windows\System32\MxCogva.exe2⤵PID:8964
-
-
C:\Windows\System32\lXbDHvO.exeC:\Windows\System32\lXbDHvO.exe2⤵PID:9264
-
-
C:\Windows\System32\pKGLRHk.exeC:\Windows\System32\pKGLRHk.exe2⤵PID:9320
-
-
C:\Windows\System32\pdIXjAt.exeC:\Windows\System32\pdIXjAt.exe2⤵PID:9388
-
-
C:\Windows\System32\lztAjIu.exeC:\Windows\System32\lztAjIu.exe2⤵PID:9428
-
-
C:\Windows\System32\TIxCGGo.exeC:\Windows\System32\TIxCGGo.exe2⤵PID:9544
-
-
C:\Windows\System32\BRyVaQw.exeC:\Windows\System32\BRyVaQw.exe2⤵PID:9584
-
-
C:\Windows\System32\qjnhfAC.exeC:\Windows\System32\qjnhfAC.exe2⤵PID:9632
-
-
C:\Windows\System32\vUHMpIa.exeC:\Windows\System32\vUHMpIa.exe2⤵PID:9680
-
-
C:\Windows\System32\BjVhqiM.exeC:\Windows\System32\BjVhqiM.exe2⤵PID:9760
-
-
C:\Windows\System32\gcysjwM.exeC:\Windows\System32\gcysjwM.exe2⤵PID:9888
-
-
C:\Windows\System32\qHCYckp.exeC:\Windows\System32\qHCYckp.exe2⤵PID:9952
-
-
C:\Windows\System32\JdjuAvo.exeC:\Windows\System32\JdjuAvo.exe2⤵PID:9980
-
-
C:\Windows\System32\aYStuOU.exeC:\Windows\System32\aYStuOU.exe2⤵PID:10044
-
-
C:\Windows\System32\CmSPDXJ.exeC:\Windows\System32\CmSPDXJ.exe2⤵PID:10132
-
-
C:\Windows\System32\TkcJXqA.exeC:\Windows\System32\TkcJXqA.exe2⤵PID:10148
-
-
C:\Windows\System32\aFCTWQY.exeC:\Windows\System32\aFCTWQY.exe2⤵PID:9148
-
-
C:\Windows\System32\daetQFV.exeC:\Windows\System32\daetQFV.exe2⤵PID:9332
-
-
C:\Windows\System32\UQaPVtH.exeC:\Windows\System32\UQaPVtH.exe2⤵PID:9448
-
-
C:\Windows\System32\nloEGIw.exeC:\Windows\System32\nloEGIw.exe2⤵PID:9656
-
-
C:\Windows\System32\JNwhtUY.exeC:\Windows\System32\JNwhtUY.exe2⤵PID:9652
-
-
C:\Windows\System32\cEqxtNC.exeC:\Windows\System32\cEqxtNC.exe2⤵PID:9856
-
-
C:\Windows\System32\CHgOlvG.exeC:\Windows\System32\CHgOlvG.exe2⤵PID:10012
-
-
C:\Windows\System32\olvUejl.exeC:\Windows\System32\olvUejl.exe2⤵PID:10056
-
-
C:\Windows\System32\WvGgylc.exeC:\Windows\System32\WvGgylc.exe2⤵PID:9280
-
-
C:\Windows\System32\zPcWrNu.exeC:\Windows\System32\zPcWrNu.exe2⤵PID:9616
-
-
C:\Windows\System32\SvnFLsX.exeC:\Windows\System32\SvnFLsX.exe2⤵PID:10224
-
-
C:\Windows\System32\AyKLsgw.exeC:\Windows\System32\AyKLsgw.exe2⤵PID:9696
-
-
C:\Windows\System32\WtessKD.exeC:\Windows\System32\WtessKD.exe2⤵PID:10256
-
-
C:\Windows\System32\YEKcHek.exeC:\Windows\System32\YEKcHek.exe2⤵PID:10296
-
-
C:\Windows\System32\hkdVCSu.exeC:\Windows\System32\hkdVCSu.exe2⤵PID:10316
-
-
C:\Windows\System32\RdnkRdA.exeC:\Windows\System32\RdnkRdA.exe2⤵PID:10340
-
-
C:\Windows\System32\UfRozqh.exeC:\Windows\System32\UfRozqh.exe2⤵PID:10364
-
-
C:\Windows\System32\LLSbMGY.exeC:\Windows\System32\LLSbMGY.exe2⤵PID:10388
-
-
C:\Windows\System32\VNTOeZt.exeC:\Windows\System32\VNTOeZt.exe2⤵PID:10428
-
-
C:\Windows\System32\qfeCQaG.exeC:\Windows\System32\qfeCQaG.exe2⤵PID:10456
-
-
C:\Windows\System32\kAAbEFO.exeC:\Windows\System32\kAAbEFO.exe2⤵PID:10480
-
-
C:\Windows\System32\RNANKgN.exeC:\Windows\System32\RNANKgN.exe2⤵PID:10500
-
-
C:\Windows\System32\pSMUSTA.exeC:\Windows\System32\pSMUSTA.exe2⤵PID:10536
-
-
C:\Windows\System32\LEMWmTU.exeC:\Windows\System32\LEMWmTU.exe2⤵PID:10560
-
-
C:\Windows\System32\avRgtZl.exeC:\Windows\System32\avRgtZl.exe2⤵PID:10584
-
-
C:\Windows\System32\zWSNTLg.exeC:\Windows\System32\zWSNTLg.exe2⤵PID:10612
-
-
C:\Windows\System32\cLmSsPf.exeC:\Windows\System32\cLmSsPf.exe2⤵PID:10652
-
-
C:\Windows\System32\ypAqBxG.exeC:\Windows\System32\ypAqBxG.exe2⤵PID:10676
-
-
C:\Windows\System32\QLmOVBp.exeC:\Windows\System32\QLmOVBp.exe2⤵PID:10704
-
-
C:\Windows\System32\ukhQDki.exeC:\Windows\System32\ukhQDki.exe2⤵PID:10728
-
-
C:\Windows\System32\GhElQAJ.exeC:\Windows\System32\GhElQAJ.exe2⤵PID:10752
-
-
C:\Windows\System32\hKBCpGw.exeC:\Windows\System32\hKBCpGw.exe2⤵PID:10776
-
-
C:\Windows\System32\aPumDJS.exeC:\Windows\System32\aPumDJS.exe2⤵PID:10808
-
-
C:\Windows\System32\dGZVMRr.exeC:\Windows\System32\dGZVMRr.exe2⤵PID:10852
-
-
C:\Windows\System32\YLfgEIR.exeC:\Windows\System32\YLfgEIR.exe2⤵PID:10912
-
-
C:\Windows\System32\cCSrGys.exeC:\Windows\System32\cCSrGys.exe2⤵PID:10932
-
-
C:\Windows\System32\KNgLgpf.exeC:\Windows\System32\KNgLgpf.exe2⤵PID:10948
-
-
C:\Windows\System32\WxtvaRq.exeC:\Windows\System32\WxtvaRq.exe2⤵PID:10968
-
-
C:\Windows\System32\eedyEZN.exeC:\Windows\System32\eedyEZN.exe2⤵PID:10992
-
-
C:\Windows\System32\MMArCOS.exeC:\Windows\System32\MMArCOS.exe2⤵PID:11016
-
-
C:\Windows\System32\AdocfPH.exeC:\Windows\System32\AdocfPH.exe2⤵PID:11080
-
-
C:\Windows\System32\eQgfLIi.exeC:\Windows\System32\eQgfLIi.exe2⤵PID:11108
-
-
C:\Windows\System32\cSuJuEo.exeC:\Windows\System32\cSuJuEo.exe2⤵PID:11136
-
-
C:\Windows\System32\HbCAOCK.exeC:\Windows\System32\HbCAOCK.exe2⤵PID:11164
-
-
C:\Windows\System32\GaFnDow.exeC:\Windows\System32\GaFnDow.exe2⤵PID:11184
-
-
C:\Windows\System32\HomynZH.exeC:\Windows\System32\HomynZH.exe2⤵PID:11208
-
-
C:\Windows\System32\krLPqnd.exeC:\Windows\System32\krLPqnd.exe2⤵PID:11228
-
-
C:\Windows\System32\eYNAgfx.exeC:\Windows\System32\eYNAgfx.exe2⤵PID:9240
-
-
C:\Windows\System32\OBcBlJT.exeC:\Windows\System32\OBcBlJT.exe2⤵PID:10308
-
-
C:\Windows\System32\PSwCLXt.exeC:\Windows\System32\PSwCLXt.exe2⤵PID:10356
-
-
C:\Windows\System32\VUtnYti.exeC:\Windows\System32\VUtnYti.exe2⤵PID:10452
-
-
C:\Windows\System32\gMboEry.exeC:\Windows\System32\gMboEry.exe2⤵PID:10492
-
-
C:\Windows\System32\bKQEjyJ.exeC:\Windows\System32\bKQEjyJ.exe2⤵PID:10572
-
-
C:\Windows\System32\syEkLEv.exeC:\Windows\System32\syEkLEv.exe2⤵PID:10608
-
-
C:\Windows\System32\mLSyZVU.exeC:\Windows\System32\mLSyZVU.exe2⤵PID:10640
-
-
C:\Windows\System32\vXyKNOX.exeC:\Windows\System32\vXyKNOX.exe2⤵PID:10748
-
-
C:\Windows\System32\vWyEaxK.exeC:\Windows\System32\vWyEaxK.exe2⤵PID:10860
-
-
C:\Windows\System32\qnNIIgf.exeC:\Windows\System32\qnNIIgf.exe2⤵PID:10864
-
-
C:\Windows\System32\mIROIVZ.exeC:\Windows\System32\mIROIVZ.exe2⤵PID:10900
-
-
C:\Windows\System32\yHzgpZo.exeC:\Windows\System32\yHzgpZo.exe2⤵PID:11004
-
-
C:\Windows\System32\vPiQaGI.exeC:\Windows\System32\vPiQaGI.exe2⤵PID:11036
-
-
C:\Windows\System32\oXkjECu.exeC:\Windows\System32\oXkjECu.exe2⤵PID:4124
-
-
C:\Windows\System32\XurAFMO.exeC:\Windows\System32\XurAFMO.exe2⤵PID:11160
-
-
C:\Windows\System32\PQQyiVa.exeC:\Windows\System32\PQQyiVa.exe2⤵PID:11180
-
-
C:\Windows\System32\xNDYVJn.exeC:\Windows\System32\xNDYVJn.exe2⤵PID:11244
-
-
C:\Windows\System32\kDomZlD.exeC:\Windows\System32\kDomZlD.exe2⤵PID:10332
-
-
C:\Windows\System32\nwdRizA.exeC:\Windows\System32\nwdRizA.exe2⤵PID:10488
-
-
C:\Windows\System32\oEgOHtx.exeC:\Windows\System32\oEgOHtx.exe2⤵PID:10720
-
-
C:\Windows\System32\CtMKpBB.exeC:\Windows\System32\CtMKpBB.exe2⤵PID:10908
-
-
C:\Windows\System32\FcOaRQi.exeC:\Windows\System32\FcOaRQi.exe2⤵PID:11024
-
-
C:\Windows\System32\nKEZQfL.exeC:\Windows\System32\nKEZQfL.exe2⤵PID:11128
-
-
C:\Windows\System32\pZEFxzz.exeC:\Windows\System32\pZEFxzz.exe2⤵PID:10272
-
-
C:\Windows\System32\RVKzcdr.exeC:\Windows\System32\RVKzcdr.exe2⤵PID:10524
-
-
C:\Windows\System32\gMtadGi.exeC:\Windows\System32\gMtadGi.exe2⤵PID:4940
-
-
C:\Windows\System32\SFuRUZs.exeC:\Windows\System32\SFuRUZs.exe2⤵PID:11104
-
-
C:\Windows\System32\LrsYdhU.exeC:\Windows\System32\LrsYdhU.exe2⤵PID:10664
-
-
C:\Windows\System32\bbWyJAY.exeC:\Windows\System32\bbWyJAY.exe2⤵PID:11288
-
-
C:\Windows\System32\YZgVouF.exeC:\Windows\System32\YZgVouF.exe2⤵PID:11304
-
-
C:\Windows\System32\LKEtFjR.exeC:\Windows\System32\LKEtFjR.exe2⤵PID:11324
-
-
C:\Windows\System32\SFqqWKV.exeC:\Windows\System32\SFqqWKV.exe2⤵PID:11344
-
-
C:\Windows\System32\umXIxch.exeC:\Windows\System32\umXIxch.exe2⤵PID:11384
-
-
C:\Windows\System32\QcEdktJ.exeC:\Windows\System32\QcEdktJ.exe2⤵PID:11428
-
-
C:\Windows\System32\YAOInkV.exeC:\Windows\System32\YAOInkV.exe2⤵PID:11444
-
-
C:\Windows\System32\IZbiaEi.exeC:\Windows\System32\IZbiaEi.exe2⤵PID:11464
-
-
C:\Windows\System32\vCTTOsn.exeC:\Windows\System32\vCTTOsn.exe2⤵PID:11508
-
-
C:\Windows\System32\bemqAeQ.exeC:\Windows\System32\bemqAeQ.exe2⤵PID:11552
-
-
C:\Windows\System32\jsTubZw.exeC:\Windows\System32\jsTubZw.exe2⤵PID:11584
-
-
C:\Windows\System32\KFsljeu.exeC:\Windows\System32\KFsljeu.exe2⤵PID:11608
-
-
C:\Windows\System32\AaxwZNn.exeC:\Windows\System32\AaxwZNn.exe2⤵PID:11628
-
-
C:\Windows\System32\ibWUHCk.exeC:\Windows\System32\ibWUHCk.exe2⤵PID:11648
-
-
C:\Windows\System32\OyXHzvf.exeC:\Windows\System32\OyXHzvf.exe2⤵PID:11700
-
-
C:\Windows\System32\MpFPtnu.exeC:\Windows\System32\MpFPtnu.exe2⤵PID:11724
-
-
C:\Windows\System32\ikzaXzd.exeC:\Windows\System32\ikzaXzd.exe2⤵PID:11740
-
-
C:\Windows\System32\NoMIFiW.exeC:\Windows\System32\NoMIFiW.exe2⤵PID:11768
-
-
C:\Windows\System32\rEDRVkc.exeC:\Windows\System32\rEDRVkc.exe2⤵PID:11788
-
-
C:\Windows\System32\JZhGRhx.exeC:\Windows\System32\JZhGRhx.exe2⤵PID:11808
-
-
C:\Windows\System32\hjFrPTZ.exeC:\Windows\System32\hjFrPTZ.exe2⤵PID:11856
-
-
C:\Windows\System32\GJoJSAz.exeC:\Windows\System32\GJoJSAz.exe2⤵PID:11908
-
-
C:\Windows\System32\ZoqAgDw.exe  cmdline: C:\Windows\System32\ZoqAgDw.exe  level 2  PID 11932
C:\Windows\System32\UIrbvnE.exe  cmdline: C:\Windows\System32\UIrbvnE.exe  level 2  PID 11960
C:\Windows\System32\JAEVSoB.exe  cmdline: C:\Windows\System32\JAEVSoB.exe  level 2  PID 11976
C:\Windows\System32\LtPPHIm.exe  cmdline: C:\Windows\System32\LtPPHIm.exe  level 2  PID 12000
C:\Windows\System32\kNWhdqu.exe  cmdline: C:\Windows\System32\kNWhdqu.exe  level 2  PID 12024
C:\Windows\System32\reqhoAG.exe  cmdline: C:\Windows\System32\reqhoAG.exe  level 2  PID 12064
C:\Windows\System32\CgBswdY.exe  cmdline: C:\Windows\System32\CgBswdY.exe  level 2  PID 12104
C:\Windows\System32\kdhEzTX.exe  cmdline: C:\Windows\System32\kdhEzTX.exe  level 2  PID 12128
C:\Windows\System32\pAUFcpm.exe  cmdline: C:\Windows\System32\pAUFcpm.exe  level 2  PID 12160
C:\Windows\System32\EQMCtEI.exe  cmdline: C:\Windows\System32\EQMCtEI.exe  level 2  PID 12188
C:\Windows\System32\GvubJRg.exe  cmdline: C:\Windows\System32\GvubJRg.exe  level 2  PID 12216
C:\Windows\System32\tNAwzDD.exe  cmdline: C:\Windows\System32\tNAwzDD.exe  level 2  PID 12244
C:\Windows\System32\pgzehET.exe  cmdline: C:\Windows\System32\pgzehET.exe  level 2  PID 12280
C:\Windows\System32\IcjpWpF.exe  cmdline: C:\Windows\System32\IcjpWpF.exe  level 2  PID 3696
C:\Windows\System32\YMVMEbf.exe  cmdline: C:\Windows\System32\YMVMEbf.exe  level 2  PID 5348
C:\Windows\System32\PxTGUcV.exe  cmdline: C:\Windows\System32\PxTGUcV.exe  level 2  PID 11364
C:\Windows\System32\fZGKwLi.exe  cmdline: C:\Windows\System32\fZGKwLi.exe  level 2  PID 11480
C:\Windows\System32\SIePeLN.exe  cmdline: C:\Windows\System32\SIePeLN.exe  level 2  PID 11536
C:\Windows\System32\ctfgLDT.exe  cmdline: C:\Windows\System32\ctfgLDT.exe  level 2  PID 11572
C:\Windows\System32\PKlNaDK.exe  cmdline: C:\Windows\System32\PKlNaDK.exe  level 2  PID 11656
C:\Windows\System32\KBNBwch.exe  cmdline: C:\Windows\System32\KBNBwch.exe  level 2  PID 11616
C:\Windows\System32\NuzqKwK.exe  cmdline: C:\Windows\System32\NuzqKwK.exe  level 2  PID 11800
C:\Windows\System32\rjLWKTT.exe  cmdline: C:\Windows\System32\rjLWKTT.exe  level 2  PID 11840
C:\Windows\System32\asZvfdg.exe  cmdline: C:\Windows\System32\asZvfdg.exe  level 2  PID 11864
C:\Windows\System32\EqJiAiV.exe  cmdline: C:\Windows\System32\EqJiAiV.exe  level 2  PID 11924
C:\Windows\System32\wfjOrct.exe  cmdline: C:\Windows\System32\wfjOrct.exe  level 2  PID 11968
C:\Windows\System32\YpFacTC.exe  cmdline: C:\Windows\System32\YpFacTC.exe  level 2  PID 12020
C:\Windows\System32\uHjcOmL.exe  cmdline: C:\Windows\System32\uHjcOmL.exe  level 2  PID 12088
C:\Windows\System32\HvoLenE.exe  cmdline: C:\Windows\System32\HvoLenE.exe  level 2  PID 396
C:\Windows\System32\rGfKUHb.exe  cmdline: C:\Windows\System32\rGfKUHb.exe  level 2  PID 12208
C:\Windows\System32\csFZKqG.exe  cmdline: C:\Windows\System32\csFZKqG.exe  level 2  PID 12256
C:\Windows\System32\MwWlLjB.exe  cmdline: C:\Windows\System32\MwWlLjB.exe  level 2  PID 11276
C:\Windows\System32\aWZCRdJ.exe  cmdline: C:\Windows\System32\aWZCRdJ.exe  level 2  PID 2440
C:\Windows\System32\gQHRsEY.exe  cmdline: C:\Windows\System32\gQHRsEY.exe  level 2  PID 11532
C:\Windows\System32\CIjIhdU.exe  cmdline: C:\Windows\System32\CIjIhdU.exe  level 2  PID 1652
C:\Windows\System32\frbZwAO.exe  cmdline: C:\Windows\System32\frbZwAO.exe  level 2  PID 11848
C:\Windows\System32\GGJgDit.exe  cmdline: C:\Windows\System32\GGJgDit.exe  level 2  PID 3324
C:\Windows\System32\GXaeqLl.exe  cmdline: C:\Windows\System32\GXaeqLl.exe  level 2  PID 12116
C:\Windows\System32\pNcFcNq.exe  cmdline: C:\Windows\System32\pNcFcNq.exe  level 2  PID 11052
C:\Windows\System32\PuaDUWg.exe  cmdline: C:\Windows\System32\PuaDUWg.exe  level 2  PID 11396
C:\Windows\System32\YSmdkLO.exe  cmdline: C:\Windows\System32\YSmdkLO.exe  level 2  PID 11664
C:\Windows\System32\ZwxrODK.exe  cmdline: C:\Windows\System32\ZwxrODK.exe  level 2  PID 12196
C:\Windows\System32\uBRtKUb.exe  cmdline: C:\Windows\System32\uBRtKUb.exe  level 2  PID 2868
C:\Windows\System32\EXWUsiT.exe  cmdline: C:\Windows\System32\EXWUsiT.exe  level 2  PID 12296
C:\Windows\System32\otGaoqx.exe  cmdline: C:\Windows\System32\otGaoqx.exe  level 2  PID 12316
C:\Windows\System32\TsLqlUJ.exe  cmdline: C:\Windows\System32\TsLqlUJ.exe  level 2  PID 12360
C:\Windows\System32\gfarKWE.exe  cmdline: C:\Windows\System32\gfarKWE.exe  level 2  PID 12384
C:\Windows\System32\gmpLNtN.exe  cmdline: C:\Windows\System32\gmpLNtN.exe  level 2  PID 12408
C:\Windows\System32\DmjVjsT.exe  cmdline: C:\Windows\System32\DmjVjsT.exe  level 2  PID 12448
C:\Windows\System32\leoLxMH.exe  cmdline: C:\Windows\System32\leoLxMH.exe  level 2  PID 12488
C:\Windows\System32\RxdQoiV.exe  cmdline: C:\Windows\System32\RxdQoiV.exe  level 2  PID 12512
C:\Windows\System32\CWynFhm.exe  cmdline: C:\Windows\System32\CWynFhm.exe  level 2  PID 12540
C:\Windows\System32\bHPZwdq.exe  cmdline: C:\Windows\System32\bHPZwdq.exe  level 2  PID 12576
C:\Windows\System32\mROjnmj.exe  cmdline: C:\Windows\System32\mROjnmj.exe  level 2  PID 12600
C:\Windows\System32\ecbMYVK.exe  cmdline: C:\Windows\System32\ecbMYVK.exe  level 2  PID 12620
C:\Windows\System32\bzKFInm.exe  cmdline: C:\Windows\System32\bzKFInm.exe  level 2  PID 12644
C:\Windows\System32\ILuPgos.exe  cmdline: C:\Windows\System32\ILuPgos.exe  level 2  PID 12664
C:\Windows\System32\zVCVcsP.exe  cmdline: C:\Windows\System32\zVCVcsP.exe  level 2  PID 12704
C:\Windows\System32\OQMkiTq.exe  cmdline: C:\Windows\System32\OQMkiTq.exe  level 2  PID 12736
C:\Windows\System32\OBAPmwl.exe  cmdline: C:\Windows\System32\OBAPmwl.exe  level 2  PID 12760
C:\Windows\System32\aDJrQFV.exe  cmdline: C:\Windows\System32\aDJrQFV.exe  level 2  PID 12800
C:\Windows\System32\GrOGsgL.exe  cmdline: C:\Windows\System32\GrOGsgL.exe  level 2  PID 12824
C:\Windows\System32\gYXzNYM.exe  cmdline: C:\Windows\System32\gYXzNYM.exe  level 2  PID 12848
C:\Windows\System32\KFEikit.exe  cmdline: C:\Windows\System32\KFEikit.exe  level 2  PID 12868
C:\Windows\System32\SnDOPfu.exe  cmdline: C:\Windows\System32\SnDOPfu.exe  level 2  PID 12888
C:\Windows\System32\QZXgNOe.exe  cmdline: C:\Windows\System32\QZXgNOe.exe  level 2  PID 12924
C:\Windows\System32\TojnYBA.exe  cmdline: C:\Windows\System32\TojnYBA.exe  level 2  PID 12964
C:\Windows\System32\JLvOPPy.exe  cmdline: C:\Windows\System32\JLvOPPy.exe  level 2  PID 12988
C:\Windows\System32\AsuCyGS.exe  cmdline: C:\Windows\System32\AsuCyGS.exe  level 2  PID 13008
C:\Windows\System32\LxJrhCu.exe  cmdline: C:\Windows\System32\LxJrhCu.exe  level 2  PID 13048
C:\Windows\System32\MNoszzI.exe  cmdline: C:\Windows\System32\MNoszzI.exe  level 2  PID 13092
C:\Windows\System32\ZHuhIgS.exe  cmdline: C:\Windows\System32\ZHuhIgS.exe  level 2  PID 13108
C:\Windows\System32\KATMhTP.exe  cmdline: C:\Windows\System32\KATMhTP.exe  level 2  PID 13132
C:\Windows\System32\zqxSNrO.exe  cmdline: C:\Windows\System32\zqxSNrO.exe  level 2  PID 13160
C:\Windows\System32\pLPtOgW.exe  cmdline: C:\Windows\System32\pLPtOgW.exe  level 2  PID 13180
C:\Windows\System32\QVTJetC.exe  cmdline: C:\Windows\System32\QVTJetC.exe  level 2  PID 13204
C:\Windows\System32\dxoapGH.exe  cmdline: C:\Windows\System32\dxoapGH.exe  level 2  PID 13276
C:\Windows\System32\RmHJTnN.exe  cmdline: C:\Windows\System32\RmHJTnN.exe  level 2  PID 13296
C:\Windows\System32\XEqzqOO.exe  cmdline: C:\Windows\System32\XEqzqOO.exe  level 2  PID 11676
C:\Windows\System32\KdPkJYn.exe  cmdline: C:\Windows\System32\KdPkJYn.exe  level 2  PID 12348
C:\Windows\System32\hEwUsdH.exe  cmdline: C:\Windows\System32\hEwUsdH.exe  level 2  PID 12324
C:\Windows\System32\lslqJHR.exe  cmdline: C:\Windows\System32\lslqJHR.exe  level 2  PID 12432
C:\Windows\System32\HrFWLly.exe  cmdline: C:\Windows\System32\HrFWLly.exe  level 2  PID 12528
C:\Windows\System32\aVcAYds.exe  cmdline: C:\Windows\System32\aVcAYds.exe  level 2  PID 12588
C:\Windows\System32\kIUYEpn.exe  cmdline: C:\Windows\System32\kIUYEpn.exe  level 2  PID 12636
C:\Windows\System32\vzWqFCK.exe  cmdline: C:\Windows\System32\vzWqFCK.exe  level 2  PID 12680
C:\Windows\System32\HpJbkCn.exe  cmdline: C:\Windows\System32\HpJbkCn.exe  level 2  PID 12776
C:\Windows\System32\wYckuXX.exe  cmdline: C:\Windows\System32\wYckuXX.exe  level 2  PID 12908
C:\Windows\System32\TCWenWq.exe  cmdline: C:\Windows\System32\TCWenWq.exe  level 2  PID 13004
C:\Windows\System32\HgAmHjm.exe  cmdline: C:\Windows\System32\HgAmHjm.exe  level 2  PID 13156
C:\Windows\system32\sihost.exe  cmdline: sihost.exe  level 1  PID 4544
- Modifies registry class
- Suspicious use of FindShellTrayWindow
C:\Windows\explorer.exe  cmdline: explorer.exe /LOADSAVEDWINDOWS  level 2  PID 12400
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 12628
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 1036
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 7636
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 7784
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 2672
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 10284
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 10636
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 8612
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 9440
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  level 1  PID 4868
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 3960
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 2036
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 456
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 7936
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 4972
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 7328
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 10828
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 2920
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 3368
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 2184
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 5812
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 9100
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 9680
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 4060
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 10392
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 5008
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 10720
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 11288
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 12180
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 12620
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 12876
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 9676
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 5828
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 4924
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 5252
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 6292
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 3512
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 8900
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 2396
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 4084
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 5868
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 8228
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 8920
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 4016
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 8924
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 6040
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 11456
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 1656
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 10488
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 9936
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 11796
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 6892
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 6796
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 5144
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 10280
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 9236
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 6216
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 6580
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 8100
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 7988
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 7760
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 7900
-
C:\Windows\explorer.exe  cmdline: explorer.exe  level 1  PID 2888
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  level 1  PID 10972
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  level 1  PID 10356
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MS6XK32D\microsoft.windows[1].xml
Filesize: 97B
MD5: 7f3bec2ea3dd9544194bf0f38222acbf
SHA1: a02fd5379f0f96d29272716f6b91e4cdd06f5fd7
SHA256: fe71b3f76715a00a50e647221b24d0591ffed9b384f078c7dddbadcbaf8a1ce9
SHA512: eac9b0d373aeabc3c8b554d82ee123d90ef61fa4186291f1c41412237bdb725da79d1fc2adda0547e0c1936f535cdd458a166e134ce535e9450060ce7c5b36eb
-
Filesize: 1.8MB
MD5: 6bda9287dc989ae9b57c18955ecec944
SHA1: 2d314b897438c99b4b4e8a4b8e8a871899501dd4
SHA256: f4ee69caa40ea7d9c41788f110da74733f21d913a9054074785ff766799094b3
SHA512: 5d84af931480149f147dbea78121f3e79759a10b92e3cb9c673f11af2842164facabe94f21ca57270c6e6ef4e326f3b66f0e26439410632f57f96f2570836239
-
Filesize: 1.8MB
MD5: 3edf56f63e98aa6892351b391b99162c
SHA1: d4f763e450e7ee6bbf308c0c3195d839a90d4ed2
SHA256: ddf98873d55f1d108dfb0117c0ae15026b855bf8fa780b99fc1c10ba279ebacb
SHA512: 0238728195e54d5709eee19f9754d82b2d380853111570662fe8a51d4aa4ac63658eb2ddcb675b640437189375f74c30bad5761e8309f3de9efe4be411145809
-
Filesize: 1.8MB
MD5: 3bbf777b0614342fa7a083b0aabed540
SHA1: e50a43d83692795d2c618dffe411ef3ea970e585
SHA256: 42bfc316c8ac0b362c2c2511888ee4b5a506cd06e345630ac883ac28b720f240
SHA512: da132d094e0795ffbfa0466ed7c07e1ad22894588459afac7121db02eb4e674b742e2c79e59552cdd64a9eae1b27551db0dd46fdf72e84b9476e0788aacf52ee
-
Filesize: 1.8MB
MD5: 9513e720952b53415f5e4a6471857435
SHA1: 473a6eddcbdfc1cd2b80b368b4c677cbd3bdf94c
SHA256: aa2c0589c81455d0a2fbc3fd597527ee2e55940e1c8bb87303eb7b53902d78ac
SHA512: 9726ae4633c83aa351a9dcec6407e4577a4bc11a4b50d56bc03ed0dd81b6dbd9834c55e8514654f2a71a6b284bf08f56d327460b51b1d69f523c7103724ee8f0
-
Filesize: 1.8MB
MD5: 618ac82b1e4a5ae436f6d2ef1ad95452
SHA1: 4cdcfc31f3a964c10ebddb91b7c58904f671669f
SHA256: 725afccd150a5f358615227728eed42b16f762ade30ee7d5523457e4d7d70d99
SHA512: e4b4db7447fd79e208eea5f40f615502f991ab1939d84ef5715f29f0a62ef5ed5055f6ea46aafadabf4d49d8072e88c4fb9085cf9b2fe1be88f0f1248d600d37
-
Filesize: 1.8MB
MD5: 88a1e85dfbf2003331c179a3a38bca9b
SHA1: a699e29a39774ed6d47e05663f0fdc558d72bd2c
SHA256: da1db610b93f9a57b30d30b40c0e6d255e1b9f2638ef464022bb749be8fd3689
SHA512: 0e1c955d56c6c2e098067b1794152e9eb86b98bdea83aa56206f6b736b5b7048b71ad9d3ed342b89695f96d9dee7271599b1c022edb344de5d77433f75632acc
-
Filesize: 1.8MB
MD5: e939cbbcc0610872f372cc79dcdcd513
SHA1: 51bd1f9878e0fef74d7ee614094681f327a6cd8e
SHA256: 74227de78ba1d6331ed37406278d7ee55780e723046676b6ec32befe659551c2
SHA512: a9d87d9470418efaad758de8498428dfc1a0e3e4cbaf3bf277f74e6472a23e8ed579160bc887ffa10853db30003e19cd241919b7a6c4a015e0815e05aa3ff22a
-
Filesize: 1.8MB
MD5: 54b65aaa4f1436515be0fd32aa13a8ba
SHA1: 095331d436c3bfd6b5146ba54c1a267340469e3f
SHA256: 2daa54ab7191b3ce73abdb65895c34f4841768fc53f9ac87f17cf4ef244a3f6b
SHA512: c21a3ec352b1f635bb1291c76ee00bb1cbd1b7264b68a5fe149ddca30dddcf4b8bfea48de27e4d29ce0bc15f98e8b5bf9933a2e4c9aa9b64da5967d1baa101eb
-
Filesize: 1.8MB
MD5: da3b4836d531128beb0fb54ae762bf2f
SHA1: d3ca9ae5579d2055946acf1762c10fafb4076b9e
SHA256: 7d91c3dc4faf4b47aaef512f6b896bf00c19f7a8174ab74f36d0533ca9d21680
SHA512: e9062d6e206037aa8b5cb4e0ac443b8a811b37189840b571daf8042839d88de0e09ba4e84273f77a6b1aa208436d7e0ebf5e41c1a35b81a7b2083f5adc000d8c
-
Filesize: 1.8MB
MD5: cd6d4c1cc73434c5a945178f238c54b1
SHA1: a0b5afaf0fa89779c20b32192db2af84405ea3aa
SHA256: 7a2908ed2ac6b31e910df12e76dcc40b401a408f5807bfb17b6bb1deb45dd6db
SHA512: d6041930dc1e9f6880975fe178036a5024c28da845f131396fd4018e167d93bac4af54e09487f25bdd400eaf59d747a0241469d9aa520e0de0e0880588279b30
-
Filesize: 1.8MB
MD5: 710bf2a010a2346e47276e882598d280
SHA1: 1e8888166f501ff98ac73a421d243f5e68583be5
SHA256: 4e3265effabcefc740c1a2044cd1435b1199d1d047fb3264862e006a304f223f
SHA512: fa018269140ce8a1de3c72c0b6c34dcb5a5dfda350fa522bfb017ae3ceac842663c6bef5068650bb761c65065a05f60d689dc73dce14cdc69c2064a4f4485b1f
-
Filesize: 1.8MB
MD5: 5c0bae97ef6545a3ae0c8fa4a433e9b8
SHA1: 1cde10f0b91f995dfb3c3218a417d117d418aed6
SHA256: 480dea03a5ee3c5a2d4ede1fa89587d855145232e693fb7c58064e07a2bf3cb4
SHA512: 93e4d1d4a06980b8246016dc1b4f861b48ba856edb45e2aa7759c3e106e09d4a15f8caee6f8e05dc51e5ad1fb5d7ac279924087f965381b885c350ea2d4f40f0
-
Filesize: 1.8MB
MD5: 6c62ad9056891370ad49da80713eb315
SHA1: d9ed6d45c8bf7e61933dd72dadbfec1a5c1e00f7
SHA256: 8e439ca1054b2d2d86f935860c32800c2c0f552c07512a77b11a0e86b9c101d9
SHA512: 144aec1a51ed27b05d7346a241e5880dcddcde496c065d80e8f2ae8007b56963a48870d55588ce38a2e2cd7c6e0878206da21df4012be735caf49238c27970e5
-
Filesize: 1.8MB
MD5: f9a8a8f42d5f268c7e599c2284c91193
SHA1: 6dadcffa6446d6eaaf28e1f2b05144553c8c0bc4
SHA256: 40870349a910f7dd2e62ad6b7fe2715219ff73ea1a48af113f9eda3b5acc7970
SHA512: 8b2c323928efad10e1ae18b83e6203c41097fe2cb5f6aec889589860be6dea0a51d3e5dbc8e64520d4016ea03c8ddd0c6f0d433e34b8763deb73f801655d725c
-
Filesize: 1.8MB
MD5: be39131e396a406267d80fd7e038d749
SHA1: 6136918db30cd316487e779e5492d53b4b9d1809
SHA256: 7cda4afe2614faf2451767f4617eb685105638f46478bacc9336cafeb125877a
SHA512: 193a984828c0698b019e0ced215ad31b57af13f30693aaec582ec830fb639250454c5ed95843bf5faedeaf0c00c5ea231f8c7ec68df90925854bc97e51d964e0
-
Filesize: 1.8MB
MD5: 8df814167c96110d03e16406bbc48d20
SHA1: fa9ceb0f4720576add35136efc95d5284ee48927
SHA256: 20e14b22a8400e5b44e6a8068cb29c9759af1e4f412c1ad802e681e2fdb17fb9
SHA512: 92941fdfe4747f24acd40fae092a8056d5a5e89f9ee4aafd655964cc9570dfeb336beee45b92b08cf0babf0c6fee5d5ad5351e7435d0bbf9bf8d23cb63f23f77
-
Filesize: 1.8MB
MD5: 4464e7990c62c7f9ee6d4b80c3f505f7
SHA1: d6a9d7475eea69701cf0e4e76cf2ae12e409d31c
SHA256: c8d6a24e0b59d7b73b5ca376322c7ced3985175d47f30f28722c188ff5da2284
SHA512: b33a481e53b9c9468323787413ee317d97a254d873be1cf5a006c2bce41e74d339f682d3cf4b08fc6bade4a4eca397e921a93d33f2753101cfb1751bebee98cb
-
Filesize: 1.8MB
MD5: 632c09a28082b467358acc523d754857
SHA1: f3af41c3b561a8682acee1ae3b0e1095679bd9ac
SHA256: b127acc1a3995babb05c0af78b7594af0eb8bc8663809f1b9f0c8c2ec5aa8e83
SHA512: de0951f2fb3887487be317dd15721130104e17159aa30d597f8fe1d30c8f57bb8168a374a15e4de671bae576a96b3195efd8f660f26c9e58da86bc3f387f053c
-
Filesize: 1.8MB
MD5: ab163a0343ed4b7bcea3e78621c4b298
SHA1: fb7dce0fda6ea4a41d258e9873c87208f5c469c1
SHA256: d7391d1847598108f3b476c27dc013875f8b98a756612894de06fa37e3460fbc
SHA512: c69b696bcf05f5f9d1d16df537d877c9a69da46e1670040183257f3c458ca1b92a16d8e035472eaed2953eb8dc5e4f286f2e57a2906b499f99ef73e57d884975
-
Filesize: 1.8MB
MD5: 04399be67a3ad545c01dd06ffbbee24a
SHA1: 76ff89b4d24ba8208f1aede7a8c0efdc5348bb23
SHA256: 139d5f15f3bf8be6f31a966a30c63d8b38edfd5285b6ae1c63256a9a227f2d2c
SHA512: b32e464ca8a88845eae1722401156512c2ff4c3a71748cc42fc1ef0a9264a54793ca040ad38646ef43dc1d871452fdb2743a1117386e0dd1daec8f56b16a6c30
-
Filesize: 1.8MB
MD5: 8d127954f79b8747ab0387773f660ae7
SHA1: 76b8c124f022eec6bb8ce51e07e437b0aef85f0e
SHA256: 23202989ca012992cd66639cb2c6376300e26cb32bc9d04ec34cc7a4a8371c3a
SHA512: 33320d2f51c5c3194f736d1a833437681b6debac52980a15ef6d76f9f9459bdf2f8213c53b867777fc15622f7908f38433c77e2a124faa73aa481143aa4b6205
-
Filesize: 1.8MB
MD5: 74717bf2f1c2c45b23f530e4cad5890d
SHA1: f4818923ae941ac7d8702bdd5b1497e92fd7d329
SHA256: 351a83b5d5c97cd3b05360b57ccb968f8d7f1ee1a4b8f50971800ab1fec8017a
SHA512: 7a9f8dba7fa5954bcf02200501525227a04f6e3c8e039612f013d41cef7fa363c3ccf2b71d3b62f06687764b6de95ad5b57852277a983c189a1bc6728d193e60
-
Filesize: 1.8MB
MD5: 81b608e9eca2d8fefe483279e8b98a21
SHA1: ed6209c27024e93f38d221d4cf039fa3427a9e7f
SHA256: b3863cfa65f5fbb55ae554428a39deab9b2eda90527bb38d5c8dc6c112f082b3
SHA512: d546bd74862027a93da4ff12fed53afdb95f5d474a69affcd65ab440dc40c61d693b58ea464ea8adade54f787a681d7a7ff99e0396ae46054c17cf7eca12de44
-
Filesize: 1.8MB
MD5: b1ce2a4a7f00f60c5d1d15a14f718bab
SHA1: f774c148586d1701b8f0658874a7b7bdae052c12
SHA256: 14293f27e798c83ccb337ceab7cbb3dcc19b5e09b0fc5f7a353a578d212e22c6
SHA512: 986e0447456725b0f264e0cebd6119b5b6be61b5f73745d13f9a6c2f5e6e8263932d695e869280fc69c1768adf4b5f5d20ad226fe0f464c373dd424c1a0541c9
-
Filesize: 1.8MB
MD5: f4b036e012c91d1d5d0d85ebd37063cc
SHA1: 23a295edd3111f20b241794c43f42e14d8945f7f
SHA256: 7868652e399bec351a80c07658e7be4711b8695612eecea84ed4d49d0d693d09
SHA512: 5a6fdfef6a253fa83b389ad42b4625cddfedc2442dde02ca75916b44d39658977f3a41df3068eb9f60ae2077e9a5768c929d4e5f5f5cee4cdf5d9d1450bcea87
-
Filesize: 1.8MB
MD5: 5a3ed6afb08f8f49a473eaedb5f46a4b
SHA1: 43ea21cbbcf50e609d288a26a9a767b4ad1eb3cf
SHA256: d2398cf9a389a84bb9581a25becddd1152b1e11aa9db060a4a616f1ed4af0d58
SHA512: 51f3e519e5fc8f86965d050cc1e117ac04b87470a8115c76c05c271bb401bd7ca5f847557504abb73f8fe0c5693be18242031f4cca77bec60ac114745e171e21
-
Filesize: 1.8MB
MD5: 0354548b85964f1a2386c53e381ac317
SHA1: 91705227a6fede891762816169d204b452a23e44
SHA256: d0bffd97818cce8a13e94dcec1a6ddacee57edeee1ecb3d64a7a26b804425e1c
SHA512: 5bd6273cd36402e85461c62e8a3c77f8b163ac6f6bd179e83ebafe231f5256f7aaaa4113d5ee048d00d8182f6b2e4a7c871055a2f7a247692af7f7a62b359585
-
Filesize: 1.8MB
MD5: c39a1773e15899cdcb37ba55b7962872
SHA1: 74ba015847c465b7b37e18ace12f35117c7e7f86
SHA256: 5b3c10403a452d01f796eced8e4c56fcd4b017ea0d9f4a06b2b36676aebc9e8c
SHA512: 53ff4701a8d139c41d83de115ed0b59533f26801ac5ebbf9cde09592a8dbc98c73790dee10dd6e0fc5766793a1eeac6165575ccb93b04be901f7d3b18cf55beb
-
Filesize: 1.8MB
MD5: 1d55539bdc5fda7d26e759b4127bcf04
SHA1: dc73adf694f4fc49b7addd088f10bf5c2f386a43
SHA256: 4204b3b69eef04a9fd5271eab0da438633dc70f19ce92938e05e69d9564ec2af
SHA512: 3d751f90894128fd18ab352a307e6cff9a8b7cc8e3eea9e00cc4552ca46efc6bb4b87cc29fd3f6c78754bb6135187e46dab01e6ca1ea9954484abaaa8986b0dc
-
Filesize: 1.8MB
MD5: 3dd58e2f0adfe0d589bf438aadb28802
SHA1: 9660574407341f5e85135d50ecf605e779332b8a
SHA256: 0c759bd90f456d191cf5460122db562db8645958b1d4ef545211aa0829878c4a
SHA512: bdb111327e5750c24191e31e83439ab912360a6cd961e615cc20eb9fe3488847bc75bf9aedf05a2b28db04d1d47464dc3b92440f2ca27ae08f683400f2a7de22
-
Filesize: 1.8MB
MD5: 33b2df5a37224f9f15c7ded91ad19ab5
SHA1: 23b8b28ebda111d1877756d8750e20a9aa1dacfa
SHA256: 17439b51b9612db5b898a3a7a767f31a9cd6ffad7bb50094ea337915ec319643
SHA512: 57e39a2479f05701d72c9002dcd9947b0a15cf4d417c7bf95e46792efb78519d0968f7d8df7ac32401aeeb32e4434706cde19ac8bc9896f289ce1575dd242e00
-
Filesize: 1.8MB
MD5: 3cf942752892ffcec3b3aaea7d9180bb
SHA1: c13d27964ada91f18ba56fa467b9b3db7bf6f99e
SHA256: bf5ceb311f9206ec6046efdaca6b73b0dffdd00551cd34abf0f464e1d4fc419e
SHA512: fea2814f192df1d6c1a7566a09d678409b7a8f2882658ac82b3cad2ebd73404bd2c2835bc504f5b35fc205dd3a3bfa1d2085dafb633c13d0a5c2dfd8168717fb
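The process tree and the dropped-file list above are the two artefacts an analyst would want to triage programmatically rather than by eye. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses the rows in the run-together form in which they are rendered on this page (image path, command line and nesting level concatenated, the PID inline or on a following line, hash labels fused to their values), then flags the pattern visible in this run: one parent spawning many seven-letter-named executables under C:\Windows\System32, with every dropped 1.8MB copy hashing differently. The sample rows are copied from this report; the function names, the seven-letter heuristic and the threshold of five children are my own assumptions.

```python
"""Parse the process tree and dropped-file list as rendered on this report
page and flag the dropper pattern seen above: one parent spawning dozens of
randomly named executables in C:\\Windows\\System32, every copy hashing
differently. Added example; helper names are mine, rows are from the page."""
import re
from collections import Counter

# A process row as extracted: image path, command line and nesting level are
# run together; the PID is inline or on a later line, e.g.
#   C:\Windows\System32\ZoqAgDw.exeC:\Windows\System32\ZoqAgDw.exe2⤵PID:11932
ROW_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)'   # image path ends at the first ".exe"
    r'(?P<cmdline>.*?)'                     # command line, possibly quoted
    r'(?P<level>\d+)⤵'                      # nesting level (1 = top level)
    r'(?:PID:(?P<pid>\d+))?')               # PID when it sits on the same line
HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$')  # fused label+value
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{7}\.exe$')                  # e.g. ZoqAgDw.exe


def parse_process_tree(text):
    procs = []
    for line in (l.strip() for l in text.splitlines()):
        m = ROW_RE.match(line)
        if m:
            procs.append({'image': m['image'], 'cmdline': m['cmdline'].strip(),
                          'level': int(m['level']),
                          'pid': int(m['pid']) if m['pid'] else None,
                          'signatures': []})
        elif procs and line.startswith('PID:'):      # e.g. "PID:4544 -"
            procs[-1]['pid'] = int(re.match(r'PID:(\d+)', line)[1])
        elif procs and line.startswith('- '):        # signature bullet
            procs[-1]['signatures'].append(line[2:])
    return procs


def flag_mass_spawn(procs, min_children=5):
    """Level-2 children that are 7-letter-named executables under System32.
    One such process is unremarkable, so nothing is returned below the threshold."""
    hits = [p for p in procs
            if p['level'] == 2
            and p['image'].lower().startswith('c:\\windows\\system32\\')
            and RANDOM_NAME_RE.match(p['image'].rsplit('\\', 1)[-1])]
    return hits if len(hits) >= min_children else []


def parse_dropped_files(text):
    """'Downloads' records: '-' separates entries; 'Filesize' is fused with its value or followed by it."""
    records, cur, want_size = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == '-':
            if cur:
                records.append(cur)
            cur, want_size = {}, False
        elif line.startswith('Filesize'):
            rest = line[len('Filesize'):].strip()
            cur['size'], want_size = (rest, False) if rest else (None, True)
        elif want_size:
            cur['size'], want_size = line, False
        elif HASH_RE.match(line):
            label, value = HASH_RE.match(line).groups()
            cur[label.lower()] = value.lower()
    return records + [cur] if cur else records


def summarize_drops(records):
    """How many files per size, and whether every copy hashes differently."""
    sha256s = [r['sha256'] for r in records if 'sha256' in r]
    return {'files': len(records),
            'sizes': dict(Counter(r.get('size') for r in records)),
            'distinct_sha256': len(set(sha256s)),
            'all_unique': len(set(sha256s)) == len(sha256s)}


# Constructed subset of the rows on this page (not the whole tree).
SAMPLE_TREE = r'''
C:\Windows\System32\ZoqAgDw.exeC:\Windows\System32\ZoqAgDw.exe2⤵PID:11932
C:\Windows\System32\UIrbvnE.exeC:\Windows\System32\UIrbvnE.exe2⤵PID:11960
C:\Windows\System32\JAEVSoB.exeC:\Windows\System32\JAEVSoB.exe2⤵PID:11976
C:\Windows\System32\LtPPHIm.exeC:\Windows\System32\LtPPHIm.exe2⤵PID:12000
C:\Windows\System32\kNWhdqu.exeC:\Windows\System32\kNWhdqu.exe2⤵PID:12024
C:\Windows\system32\sihost.exesihost.exe1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4544 -
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:12628
'''
SAMPLE_DROPS = r'''
-
Filesize97B
MD57f3bec2ea3dd9544194bf0f38222acbf
SHA256fe71b3f76715a00a50e647221b24d0591ffed9b384f078c7dddbadcbaf8a1ce9
-
Filesize
1.8MB
MD56bda9287dc989ae9b57c18955ecec944
SHA256f4ee69caa40ea7d9c41788f110da74733f21d913a9054074785ff766799094b3
-
Filesize
1.8MB
MD53edf56f63e98aa6892351b391b99162c
SHA256ddf98873d55f1d108dfb0117c0ae15026b855bf8fa780b99fc1c10ba279ebacb
'''

if __name__ == '__main__':
    for p in flag_mass_spawn(parse_process_tree(SAMPLE_TREE)):
        print(f"mass-spawn child PID {p['pid']}: {p['image']}")
    print(summarize_drops(parse_dropped_files(SAMPLE_DROPS)))
```

Run the file directly to print the flagged children and the drop summary, or pass the full tree text from this page to `parse_process_tree` to score the whole run. The seven-letter name check is a heuristic fitted to this sample; on its own it would also match legitimate binaries, so keep it combined with the nesting level and the System32 parent-path condition, and treat a run of same-size, different-hash dropped copies as the corroborating signal.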