xmrig | 32ab93d8257de76a0c13557b37c15b30ea46e9cb36b0fdd583abb568c4cb9666

Analysis

max time kernel
75s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
Size

1.6MB
MD5

80dc2d7acd231de40f111d1119717ed0
SHA1

7dc12c36964111ea14e73a12ddae54725d05bf97
SHA256

32ab93d8257de76a0c13557b37c15b30ea46e9cb36b0fdd583abb568c4cb9666
SHA512

b7c3908e9b5ebb04a8e413019ba2476309e5525c84bb5a2317aacecd56044088b87d531744fe86eeb43c06185027c327d89d2ce06ca820a56a1a393f9706df91
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjuJoz5XdUK6S1uBkJdyFPNZmfsCJgio:Lz071uv4BPMkHC0I6Gz3N1p3EZmEagt

Score

10^/10

xmrig execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4856-76-0x00007FF777C70000-0x00007FF778062000-memory.dmp	xmrig
behavioral2/memory/2016-368-0x00007FF6289F0000-0x00007FF628DE2000-memory.dmp	xmrig
behavioral2/memory/3160-371-0x00007FF7261D0000-0x00007FF7265C2000-memory.dmp	xmrig
behavioral2/memory/2948-373-0x00007FF674EC0000-0x00007FF6752B2000-memory.dmp	xmrig
behavioral2/memory/2960-374-0x00007FF63A600000-0x00007FF63A9F2000-memory.dmp	xmrig
behavioral2/memory/1928-372-0x00007FF79CB60000-0x00007FF79CF52000-memory.dmp	xmrig
behavioral2/memory/1948-370-0x00007FF780B30000-0x00007FF780F22000-memory.dmp	xmrig
behavioral2/memory/960-375-0x00007FF721660000-0x00007FF721A52000-memory.dmp	xmrig
behavioral2/memory/1976-75-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp	xmrig
behavioral2/memory/3428-33-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp	xmrig
behavioral2/memory/4404-22-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp	xmrig
behavioral2/memory/2956-377-0x00007FF7BD750000-0x00007FF7BDB42000-memory.dmp	xmrig
behavioral2/memory/60-376-0x00007FF78DE10000-0x00007FF78E202000-memory.dmp	xmrig
behavioral2/memory/2664-379-0x00007FF6B0EE0000-0x00007FF6B12D2000-memory.dmp	xmrig
behavioral2/memory/788-380-0x00007FF7E2220000-0x00007FF7E2612000-memory.dmp	xmrig
behavioral2/memory/4880-381-0x00007FF713260000-0x00007FF713652000-memory.dmp	xmrig
behavioral2/memory/1444-382-0x00007FF7AA510000-0x00007FF7AA902000-memory.dmp	xmrig
behavioral2/memory/3920-384-0x00007FF786360000-0x00007FF786752000-memory.dmp	xmrig
behavioral2/memory/4716-385-0x00007FF6B1220000-0x00007FF6B1612000-memory.dmp	xmrig
behavioral2/memory/3316-386-0x00007FF79BBB0000-0x00007FF79BFA2000-memory.dmp	xmrig
behavioral2/memory/3756-383-0x00007FF717650000-0x00007FF717A42000-memory.dmp	xmrig
behavioral2/memory/3724-378-0x00007FF64DD60000-0x00007FF64E152000-memory.dmp	xmrig
behavioral2/memory/4184-3465-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp	xmrig
behavioral2/memory/3700-3625-0x00007FF6FF220000-0x00007FF6FF612000-memory.dmp	xmrig
behavioral2/memory/4404-3624-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp	xmrig
behavioral2/memory/1976-3628-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp	xmrig
behavioral2/memory/3428-3629-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp	xmrig
behavioral2/memory/4856-3631-0x00007FF777C70000-0x00007FF778062000-memory.dmp	xmrig
behavioral2/memory/4716-3637-0x00007FF6B1220000-0x00007FF6B1612000-memory.dmp	xmrig
behavioral2/memory/4184-3639-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp	xmrig
behavioral2/memory/3920-3643-0x00007FF786360000-0x00007FF786752000-memory.dmp	xmrig
behavioral2/memory/3160-3642-0x00007FF7261D0000-0x00007FF7265C2000-memory.dmp	xmrig
behavioral2/memory/2016-3635-0x00007FF6289F0000-0x00007FF628DE2000-memory.dmp	xmrig
behavioral2/memory/1948-3634-0x00007FF780B30000-0x00007FF780F22000-memory.dmp	xmrig
behavioral2/memory/1928-3671-0x00007FF79CB60000-0x00007FF79CF52000-memory.dmp	xmrig
behavioral2/memory/3316-3673-0x00007FF79BBB0000-0x00007FF79BFA2000-memory.dmp	xmrig
behavioral2/memory/2948-3675-0x00007FF674EC0000-0x00007FF6752B2000-memory.dmp	xmrig
behavioral2/memory/60-3681-0x00007FF78DE10000-0x00007FF78E202000-memory.dmp	xmrig
behavioral2/memory/2956-3683-0x00007FF7BD750000-0x00007FF7BDB42000-memory.dmp	xmrig
behavioral2/memory/788-3699-0x00007FF7E2220000-0x00007FF7E2612000-memory.dmp	xmrig
behavioral2/memory/2664-3687-0x00007FF6B0EE0000-0x00007FF6B12D2000-memory.dmp	xmrig
behavioral2/memory/1444-3702-0x00007FF7AA510000-0x00007FF7AA902000-memory.dmp	xmrig
behavioral2/memory/3756-3705-0x00007FF717650000-0x00007FF717A42000-memory.dmp	xmrig
behavioral2/memory/4880-3703-0x00007FF713260000-0x00007FF713652000-memory.dmp	xmrig
behavioral2/memory/3724-3685-0x00007FF64DD60000-0x00007FF64E152000-memory.dmp	xmrig
behavioral2/memory/960-3679-0x00007FF721660000-0x00007FF721A52000-memory.dmp	xmrig
behavioral2/memory/2960-3677-0x00007FF63A600000-0x00007FF63A9F2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 5000 powershell.exe
5 5000 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

5000 powershell.exe

flow	pid	process
3	5000	powershell.exe
5	5000	powershell.exe

pid	process
5000	powershell.exe

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

xPvWnKI.exezjvilka.exePtHygGf.exeVSsDrNE.exezaiqPaj.exeCgNEims.exeapclgLI.exembFMNHX.exeftUyhaz.exetYQDfah.exejzIopth.exepEmheoo.exeaTwTwnd.exehiotGkt.exeokpqglc.exeHwmblCG.exeXQTtzST.exelFbNZEF.exesFVTSRL.exefTTgQna.exeRdEdqzy.exevXzWkaT.exelTfPfop.exeQjGQrCH.exeIPOwzGT.exeRCUfeaX.exertfeKkF.execcVncHe.exezYhdmZi.exeYrINZoJ.exeSUoppDE.exevKdbnhm.exelaaHjvu.exegQlUVPj.exeOMBnxmd.exexJHTMEJ.exeTsWltXN.exegFxlOlJ.exebedNttN.exeHhrsQFg.exeyFtKeCC.exerQiDVIk.exeNpkKkbu.exeMRBjkBv.exejnuIJSX.exeEXQlSZf.exejcDXVsw.exeuGvJajE.exeOxhTLtW.exeqYytScm.exeKakYBPF.exedBaWaQc.exeSoCpjhw.exelJmEeHE.exedDGAroB.exeGnVOqoL.exeEjKcJGv.exepOofyuB.exeqGzoPqC.exeJlTQbtj.exeWdQJwgb.exeeeRPtTj.exeCdcTbzd.exedioDzCg.exe

pid	process
3700	xPvWnKI.exe
4404	zjvilka.exe
1976	PtHygGf.exe
3428	VSsDrNE.exe
4856	zaiqPaj.exe
4184	CgNEims.exe
2016	apclgLI.exe
3920	mbFMNHX.exe
4716	ftUyhaz.exe
1948	tYQDfah.exe
3160	jzIopth.exe
1928	pEmheoo.exe
3316	aTwTwnd.exe
2948	hiotGkt.exe
2960	okpqglc.exe
960	HwmblCG.exe
60	XQTtzST.exe
2956	lFbNZEF.exe
3724	sFVTSRL.exe
2664	fTTgQna.exe
788	RdEdqzy.exe
4880	vXzWkaT.exe
1444	lTfPfop.exe
3756	QjGQrCH.exe
2304	IPOwzGT.exe
3596	RCUfeaX.exe
3936	rtfeKkF.exe
3912	ccVncHe.exe
2464	zYhdmZi.exe
2220	YrINZoJ.exe
2700	SUoppDE.exe
4832	vKdbnhm.exe
3476	laaHjvu.exe
4548	gQlUVPj.exe
2988	OMBnxmd.exe
2916	xJHTMEJ.exe
2528	TsWltXN.exe
3808	gFxlOlJ.exe
4748	bedNttN.exe
3184	HhrsQFg.exe
2708	yFtKeCC.exe
4624	rQiDVIk.exe
2272	NpkKkbu.exe
1112	MRBjkBv.exe
5104	jnuIJSX.exe
4900	EXQlSZf.exe
3568	jcDXVsw.exe
4104	uGvJajE.exe
1516	OxhTLtW.exe
696	qYytScm.exe
3636	KakYBPF.exe
1700	dBaWaQc.exe
2228	SoCpjhw.exe
3468	lJmEeHE.exe
848	dDGAroB.exe
2060	GnVOqoL.exe
5044	EjKcJGv.exe
684	pOofyuB.exe
5148	qGzoPqC.exe
5176	JlTQbtj.exe
5204	WdQJwgb.exe
5228	eeRPtTj.exe
5256	CdcTbzd.exe
5288	dioDzCg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4108-0-0x00007FF74F010000-0x00007FF74F402000-memory.dmp	upx
C:\Windows\System\PtHygGf.exe	upx
C:\Windows\System\xPvWnKI.exe	upx
C:\Windows\System\VSsDrNE.exe	upx
C:\Windows\System\zaiqPaj.exe	upx
C:\Windows\System\CgNEims.exe	upx
C:\Windows\System\apclgLI.exe	upx
C:\Windows\System\mbFMNHX.exe	upx
C:\Windows\System\ftUyhaz.exe	upx
C:\Windows\System\jzIopth.exe	upx
behavioral2/memory/4856-76-0x00007FF777C70000-0x00007FF778062000-memory.dmp	upx
C:\Windows\System\HwmblCG.exe	upx
C:\Windows\System\lFbNZEF.exe	upx
C:\Windows\System\fTTgQna.exe	upx
C:\Windows\System\lTfPfop.exe	upx
C:\Windows\System\RCUfeaX.exe	upx
C:\Windows\System\zYhdmZi.exe	upx
C:\Windows\System\YrINZoJ.exe	upx
behavioral2/memory/2016-368-0x00007FF6289F0000-0x00007FF628DE2000-memory.dmp	upx
behavioral2/memory/3160-371-0x00007FF7261D0000-0x00007FF7265C2000-memory.dmp	upx
behavioral2/memory/2948-373-0x00007FF674EC0000-0x00007FF6752B2000-memory.dmp	upx
behavioral2/memory/2960-374-0x00007FF63A600000-0x00007FF63A9F2000-memory.dmp	upx
behavioral2/memory/1928-372-0x00007FF79CB60000-0x00007FF79CF52000-memory.dmp	upx
behavioral2/memory/1948-370-0x00007FF780B30000-0x00007FF780F22000-memory.dmp	upx
C:\Windows\System\laaHjvu.exe	upx
C:\Windows\System\SUoppDE.exe	upx
C:\Windows\System\vKdbnhm.exe	upx
C:\Windows\System\ccVncHe.exe	upx
behavioral2/memory/960-375-0x00007FF721660000-0x00007FF721A52000-memory.dmp	upx
C:\Windows\System\rtfeKkF.exe	upx
C:\Windows\System\IPOwzGT.exe	upx
C:\Windows\System\QjGQrCH.exe	upx
C:\Windows\System\vXzWkaT.exe	upx
C:\Windows\System\RdEdqzy.exe	upx
C:\Windows\System\sFVTSRL.exe	upx
C:\Windows\System\XQTtzST.exe	upx
C:\Windows\System\okpqglc.exe	upx
C:\Windows\System\hiotGkt.exe	upx
C:\Windows\System\aTwTwnd.exe	upx
C:\Windows\System\pEmheoo.exe	upx
behavioral2/memory/1976-75-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp	upx
C:\Windows\System\tYQDfah.exe	upx
behavioral2/memory/4184-39-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp	upx
behavioral2/memory/3428-33-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp	upx
behavioral2/memory/4404-22-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp	upx
behavioral2/memory/3700-15-0x00007FF6FF220000-0x00007FF6FF612000-memory.dmp	upx
C:\Windows\System\zjvilka.exe	upx
behavioral2/memory/2956-377-0x00007FF7BD750000-0x00007FF7BDB42000-memory.dmp	upx
behavioral2/memory/60-376-0x00007FF78DE10000-0x00007FF78E202000-memory.dmp	upx
behavioral2/memory/2664-379-0x00007FF6B0EE0000-0x00007FF6B12D2000-memory.dmp	upx
behavioral2/memory/788-380-0x00007FF7E2220000-0x00007FF7E2612000-memory.dmp	upx
behavioral2/memory/4880-381-0x00007FF713260000-0x00007FF713652000-memory.dmp	upx
behavioral2/memory/1444-382-0x00007FF7AA510000-0x00007FF7AA902000-memory.dmp	upx
behavioral2/memory/3920-384-0x00007FF786360000-0x00007FF786752000-memory.dmp	upx
behavioral2/memory/4716-385-0x00007FF6B1220000-0x00007FF6B1612000-memory.dmp	upx
behavioral2/memory/3316-386-0x00007FF79BBB0000-0x00007FF79BFA2000-memory.dmp	upx
behavioral2/memory/3756-383-0x00007FF717650000-0x00007FF717A42000-memory.dmp	upx
behavioral2/memory/3724-378-0x00007FF64DD60000-0x00007FF64E152000-memory.dmp	upx
behavioral2/memory/4184-3465-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp	upx
behavioral2/memory/3700-3625-0x00007FF6FF220000-0x00007FF6FF612000-memory.dmp	upx
behavioral2/memory/4404-3624-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp	upx
behavioral2/memory/1976-3628-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp	upx
behavioral2/memory/3428-3629-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp	upx
behavioral2/memory/4856-3631-0x00007FF777C70000-0x00007FF778062000-memory.dmp	upx

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
3 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\kUXLQCT.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\GIgVblS.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LBvLaBC.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\JSMPjQJ.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\fxrRBnF.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\zZlCmQJ.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\wUNIoRr.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\pQZXslT.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\XexaTyS.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\rvCKgum.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\dMmrSvs.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\axowrmS.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HAKzeYi.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\gNdeHsU.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\YfzKDGD.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\vvuLeOO.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\TkyVsca.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FyQLTMo.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\euwYeRn.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uZRdMHn.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\wBzDOXa.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FhnxtiA.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\poXDuHO.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\MbYHqTb.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\csYjvOh.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\tLupble.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\oeRvEEd.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\SJqOjuw.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\dcyDfCG.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\IdlvcPG.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HReFFmy.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\nFaMFxl.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\GffVPqY.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\fWEhbdR.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\AaNkUBg.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\jIMgcoz.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\GpvzeiA.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LPScxHo.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HAjqZIz.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\tNjGCtM.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\hEQVfDZ.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\JvmoEqP.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\FaUdLhc.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\aJOteEt.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\ZgdRRKe.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\mVQCJcK.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\migSSmy.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\OkPeUkI.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LmZYskP.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\LQmfUWU.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\aKzmFqX.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\nSiQKtE.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\XQlQgvE.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\fngBjuD.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\jJBYdgJ.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HCBLsKS.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\OADrXKp.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uBaUEHP.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\QbkhbRA.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\qvpgeGS.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\uiIcUoT.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\hjxShoF.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\HVyCYxC.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
File created	C:\Windows\System\APmRsBC.exe	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeStartMenuExperienceHost.exeexplorer.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{76C49466-DA07-4439-80EE-9EA3E5CCA9AB}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{F3053133-2A2F-46B7-9967-996889E948CF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{A2FB658B-7217-4070-9E7C-189BDB5EB4B0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{B21A3476-85DC-497A-933E-D264C818C2DC}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

5000 powershell.exe
5000 powershell.exe
5000 powershell.exe
5000 powershell.exe

pid	process
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exepowershell.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeLockMemoryPrivilege	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	2884	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
832	sihost.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
5748	explorer.exe
5748	explorer.exe
5748	explorer.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
12212	StartMenuExperienceHost.exe
1128	StartMenuExperienceHost.exe
756	SearchApp.exe
8820	StartMenuExperienceHost.exe
3712	SearchApp.exe
3728	StartMenuExperienceHost.exe
4692	StartMenuExperienceHost.exe
10224	SearchApp.exe
3192	StartMenuExperienceHost.exe
5580	StartMenuExperienceHost.exe
7600	SearchApp.exe
7300	StartMenuExperienceHost.exe
8600	StartMenuExperienceHost.exe
4260	SearchApp.exe
9672	StartMenuExperienceHost.exe
1444	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe

description	pid	process	target process
PID 4108 wrote to memory of 5000	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	powershell.exe
PID 4108 wrote to memory of 5000	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	powershell.exe
PID 4108 wrote to memory of 3700	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	xPvWnKI.exe
PID 4108 wrote to memory of 3700	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	xPvWnKI.exe
PID 4108 wrote to memory of 4404	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zjvilka.exe
PID 4108 wrote to memory of 4404	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zjvilka.exe
PID 4108 wrote to memory of 1976	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	PtHygGf.exe
PID 4108 wrote to memory of 1976	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	PtHygGf.exe
PID 4108 wrote to memory of 3428	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	VSsDrNE.exe
PID 4108 wrote to memory of 3428	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	VSsDrNE.exe
PID 4108 wrote to memory of 4856	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zaiqPaj.exe
PID 4108 wrote to memory of 4856	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zaiqPaj.exe
PID 4108 wrote to memory of 4184	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	CgNEims.exe
PID 4108 wrote to memory of 4184	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	CgNEims.exe
PID 4108 wrote to memory of 2016	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	apclgLI.exe
PID 4108 wrote to memory of 2016	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	apclgLI.exe
PID 4108 wrote to memory of 3920	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	mbFMNHX.exe
PID 4108 wrote to memory of 3920	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	mbFMNHX.exe
PID 4108 wrote to memory of 4716	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	ftUyhaz.exe
PID 4108 wrote to memory of 4716	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	ftUyhaz.exe
PID 4108 wrote to memory of 1948	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	tYQDfah.exe
PID 4108 wrote to memory of 1948	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	tYQDfah.exe
PID 4108 wrote to memory of 3160	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	jzIopth.exe
PID 4108 wrote to memory of 3160	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	jzIopth.exe
PID 4108 wrote to memory of 1928	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	pEmheoo.exe
PID 4108 wrote to memory of 1928	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	pEmheoo.exe
PID 4108 wrote to memory of 3316	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	aTwTwnd.exe
PID 4108 wrote to memory of 3316	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	aTwTwnd.exe
PID 4108 wrote to memory of 2948	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	hiotGkt.exe
PID 4108 wrote to memory of 2948	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	hiotGkt.exe
PID 4108 wrote to memory of 2960	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	okpqglc.exe
PID 4108 wrote to memory of 2960	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	okpqglc.exe
PID 4108 wrote to memory of 960	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	HwmblCG.exe
PID 4108 wrote to memory of 960	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	HwmblCG.exe
PID 4108 wrote to memory of 60	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	XQTtzST.exe
PID 4108 wrote to memory of 60	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	XQTtzST.exe
PID 4108 wrote to memory of 2956	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	lFbNZEF.exe
PID 4108 wrote to memory of 2956	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	lFbNZEF.exe
PID 4108 wrote to memory of 3724	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	sFVTSRL.exe
PID 4108 wrote to memory of 3724	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	sFVTSRL.exe
PID 4108 wrote to memory of 2664	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	fTTgQna.exe
PID 4108 wrote to memory of 2664	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	fTTgQna.exe
PID 4108 wrote to memory of 788	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	RdEdqzy.exe
PID 4108 wrote to memory of 788	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	RdEdqzy.exe
PID 4108 wrote to memory of 4880	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	vXzWkaT.exe
PID 4108 wrote to memory of 4880	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	vXzWkaT.exe
PID 4108 wrote to memory of 1444	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	lTfPfop.exe
PID 4108 wrote to memory of 1444	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	lTfPfop.exe
PID 4108 wrote to memory of 3756	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	QjGQrCH.exe
PID 4108 wrote to memory of 3756	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	QjGQrCH.exe
PID 4108 wrote to memory of 2304	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	IPOwzGT.exe
PID 4108 wrote to memory of 2304	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	IPOwzGT.exe
PID 4108 wrote to memory of 3596	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	RCUfeaX.exe
PID 4108 wrote to memory of 3596	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	RCUfeaX.exe
PID 4108 wrote to memory of 3936	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	rtfeKkF.exe
PID 4108 wrote to memory of 3936	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	rtfeKkF.exe
PID 4108 wrote to memory of 3912	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	ccVncHe.exe
PID 4108 wrote to memory of 3912	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	ccVncHe.exe
PID 4108 wrote to memory of 2464	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zYhdmZi.exe
PID 4108 wrote to memory of 2464	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	zYhdmZi.exe
PID 4108 wrote to memory of 2220	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	YrINZoJ.exe
PID 4108 wrote to memory of 2220	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	YrINZoJ.exe
PID 4108 wrote to memory of 2700	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	SUoppDE.exe
PID 4108 wrote to memory of 2700	4108	80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe	SUoppDE.exe

C:\Users\Admin\AppData\Local\Temp\80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80dc2d7acd231de40f111d1119717ed0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5000" "2936" "2848" "2940" "0" "0" "2944" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:13216

C:\Windows\System\xPvWnKI.exe
C:\Windows\System\xPvWnKI.exe
2⤵
- Executes dropped EXE
PID:3700

C:\Windows\System\zjvilka.exe
C:\Windows\System\zjvilka.exe
2⤵
- Executes dropped EXE
PID:4404

C:\Windows\System\PtHygGf.exe
C:\Windows\System\PtHygGf.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\VSsDrNE.exe
C:\Windows\System\VSsDrNE.exe
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\System\zaiqPaj.exe
C:\Windows\System\zaiqPaj.exe
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System\CgNEims.exe
C:\Windows\System\CgNEims.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\System\apclgLI.exe
C:\Windows\System\apclgLI.exe
2⤵
- Executes dropped EXE
PID:2016

C:\Windows\System\mbFMNHX.exe
C:\Windows\System\mbFMNHX.exe
2⤵
- Executes dropped EXE
PID:3920

C:\Windows\System\ftUyhaz.exe
C:\Windows\System\ftUyhaz.exe
2⤵
- Executes dropped EXE
PID:4716

C:\Windows\System\tYQDfah.exe
C:\Windows\System\tYQDfah.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\System\jzIopth.exe
C:\Windows\System\jzIopth.exe
2⤵
- Executes dropped EXE
PID:3160

C:\Windows\System\pEmheoo.exe
C:\Windows\System\pEmheoo.exe
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\System\aTwTwnd.exe
C:\Windows\System\aTwTwnd.exe
2⤵
- Executes dropped EXE
PID:3316

C:\Windows\System\hiotGkt.exe
C:\Windows\System\hiotGkt.exe
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\System\okpqglc.exe
C:\Windows\System\okpqglc.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\HwmblCG.exe
C:\Windows\System\HwmblCG.exe
2⤵
- Executes dropped EXE
PID:960

C:\Windows\System\XQTtzST.exe
C:\Windows\System\XQTtzST.exe
2⤵
- Executes dropped EXE
PID:60

C:\Windows\System\lFbNZEF.exe
C:\Windows\System\lFbNZEF.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\sFVTSRL.exe
C:\Windows\System\sFVTSRL.exe
2⤵
- Executes dropped EXE
PID:3724

C:\Windows\System\fTTgQna.exe
C:\Windows\System\fTTgQna.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\RdEdqzy.exe
C:\Windows\System\RdEdqzy.exe
2⤵
- Executes dropped EXE
PID:788

C:\Windows\System\vXzWkaT.exe
C:\Windows\System\vXzWkaT.exe
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\System\lTfPfop.exe
C:\Windows\System\lTfPfop.exe
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\System\QjGQrCH.exe
C:\Windows\System\QjGQrCH.exe
2⤵
- Executes dropped EXE
PID:3756

C:\Windows\System\IPOwzGT.exe
C:\Windows\System\IPOwzGT.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\RCUfeaX.exe
C:\Windows\System\RCUfeaX.exe
2⤵
- Executes dropped EXE
PID:3596

C:\Windows\System\rtfeKkF.exe
C:\Windows\System\rtfeKkF.exe
2⤵
- Executes dropped EXE
PID:3936

C:\Windows\System\ccVncHe.exe
C:\Windows\System\ccVncHe.exe
2⤵
- Executes dropped EXE
PID:3912

C:\Windows\System\zYhdmZi.exe
C:\Windows\System\zYhdmZi.exe
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\System\YrINZoJ.exe
C:\Windows\System\YrINZoJ.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Windows\System\SUoppDE.exe
C:\Windows\System\SUoppDE.exe
2⤵
- Executes dropped EXE
PID:2700

C:\Windows\System\vKdbnhm.exe
C:\Windows\System\vKdbnhm.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Windows\System\laaHjvu.exe
C:\Windows\System\laaHjvu.exe
2⤵
- Executes dropped EXE
PID:3476

C:\Windows\System\gQlUVPj.exe
C:\Windows\System\gQlUVPj.exe
2⤵
- Executes dropped EXE
PID:4548

C:\Windows\System\OMBnxmd.exe
C:\Windows\System\OMBnxmd.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\System\xJHTMEJ.exe
C:\Windows\System\xJHTMEJ.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\TsWltXN.exe
C:\Windows\System\TsWltXN.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\gFxlOlJ.exe
C:\Windows\System\gFxlOlJ.exe
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\System\bedNttN.exe
C:\Windows\System\bedNttN.exe
2⤵
- Executes dropped EXE
PID:4748

C:\Windows\System\HhrsQFg.exe
C:\Windows\System\HhrsQFg.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\System\yFtKeCC.exe
C:\Windows\System\yFtKeCC.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\rQiDVIk.exe
C:\Windows\System\rQiDVIk.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\NpkKkbu.exe
C:\Windows\System\NpkKkbu.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\MRBjkBv.exe
C:\Windows\System\MRBjkBv.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\jnuIJSX.exe
C:\Windows\System\jnuIJSX.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\System\EXQlSZf.exe
C:\Windows\System\EXQlSZf.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Windows\System\jcDXVsw.exe
C:\Windows\System\jcDXVsw.exe
2⤵
- Executes dropped EXE
PID:3568

C:\Windows\System\uGvJajE.exe
C:\Windows\System\uGvJajE.exe
2⤵
- Executes dropped EXE
PID:4104

C:\Windows\System\OxhTLtW.exe
C:\Windows\System\OxhTLtW.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System\qYytScm.exe
C:\Windows\System\qYytScm.exe
2⤵
- Executes dropped EXE
PID:696

C:\Windows\System\KakYBPF.exe
C:\Windows\System\KakYBPF.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\dBaWaQc.exe
C:\Windows\System\dBaWaQc.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\System\SoCpjhw.exe
C:\Windows\System\SoCpjhw.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\lJmEeHE.exe
C:\Windows\System\lJmEeHE.exe
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\System\dDGAroB.exe
C:\Windows\System\dDGAroB.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\GnVOqoL.exe
C:\Windows\System\GnVOqoL.exe
2⤵
- Executes dropped EXE
PID:2060

C:\Windows\System\EjKcJGv.exe
C:\Windows\System\EjKcJGv.exe
2⤵
- Executes dropped EXE
PID:5044

C:\Windows\System\pOofyuB.exe
C:\Windows\System\pOofyuB.exe
2⤵
- Executes dropped EXE
PID:684

C:\Windows\System\qGzoPqC.exe
C:\Windows\System\qGzoPqC.exe
2⤵
- Executes dropped EXE
PID:5148

C:\Windows\System\JlTQbtj.exe
C:\Windows\System\JlTQbtj.exe
2⤵
- Executes dropped EXE
PID:5176

C:\Windows\System\WdQJwgb.exe
C:\Windows\System\WdQJwgb.exe
2⤵
- Executes dropped EXE
PID:5204

C:\Windows\System\eeRPtTj.exe
C:\Windows\System\eeRPtTj.exe
2⤵
- Executes dropped EXE
PID:5228

C:\Windows\System\CdcTbzd.exe
C:\Windows\System\CdcTbzd.exe
2⤵
- Executes dropped EXE
PID:5256

C:\Windows\System\dioDzCg.exe
C:\Windows\System\dioDzCg.exe
2⤵
- Executes dropped EXE
PID:5288

C:\Windows\System\SFfOJQW.exe
C:\Windows\System\SFfOJQW.exe
2⤵
PID:5320

C:\Windows\System\DdifYEg.exe
C:\Windows\System\DdifYEg.exe
2⤵
PID:5348

C:\Windows\System\xWMFeDh.exe
C:\Windows\System\xWMFeDh.exe
2⤵
PID:5376

C:\Windows\System\gNQxjys.exe
C:\Windows\System\gNQxjys.exe
2⤵
PID:5404

C:\Windows\System\oNTzaOQ.exe
C:\Windows\System\oNTzaOQ.exe
2⤵
PID:5436

C:\Windows\System\waIauYr.exe
C:\Windows\System\waIauYr.exe
2⤵
PID:5464

C:\Windows\System\CLceUKo.exe
C:\Windows\System\CLceUKo.exe
2⤵
PID:5488

C:\Windows\System\AJdordm.exe
C:\Windows\System\AJdordm.exe
2⤵
PID:5520

C:\Windows\System\kWwqDqo.exe
C:\Windows\System\kWwqDqo.exe
2⤵
PID:5548

C:\Windows\System\BJwRXDs.exe
C:\Windows\System\BJwRXDs.exe
2⤵
PID:5576

C:\Windows\System\wdUgNDi.exe
C:\Windows\System\wdUgNDi.exe
2⤵
PID:5604

C:\Windows\System\iCECABg.exe
C:\Windows\System\iCECABg.exe
2⤵
PID:5628

C:\Windows\System\zuPvEzj.exe
C:\Windows\System\zuPvEzj.exe
2⤵
PID:5660

C:\Windows\System\XKWtevB.exe
C:\Windows\System\XKWtevB.exe
2⤵
PID:5688

C:\Windows\System\vCHoLYt.exe
C:\Windows\System\vCHoLYt.exe
2⤵
PID:5716

C:\Windows\System\dVAOIXe.exe
C:\Windows\System\dVAOIXe.exe
2⤵
PID:5744

C:\Windows\System\TMyxEVh.exe
C:\Windows\System\TMyxEVh.exe
2⤵
PID:5772

C:\Windows\System\IwUtEzD.exe
C:\Windows\System\IwUtEzD.exe
2⤵
PID:5800

C:\Windows\System\ZAbbVDX.exe
C:\Windows\System\ZAbbVDX.exe
2⤵
PID:5828

C:\Windows\System\XScsdyL.exe
C:\Windows\System\XScsdyL.exe
2⤵
PID:5856

C:\Windows\System\YTfTRVK.exe
C:\Windows\System\YTfTRVK.exe
2⤵
PID:5884

C:\Windows\System\ofBUwxy.exe
C:\Windows\System\ofBUwxy.exe
2⤵
PID:5908

C:\Windows\System\SAnhcxh.exe
C:\Windows\System\SAnhcxh.exe
2⤵
PID:5940

C:\Windows\System\yZJKNvy.exe
C:\Windows\System\yZJKNvy.exe
2⤵
PID:5968

C:\Windows\System\aySxKYl.exe
C:\Windows\System\aySxKYl.exe
2⤵
PID:5996

C:\Windows\System\OQhYvfK.exe
C:\Windows\System\OQhYvfK.exe
2⤵
PID:6028

C:\Windows\System\tgPdDOj.exe
C:\Windows\System\tgPdDOj.exe
2⤵
PID:6056

C:\Windows\System\tbnVnvG.exe
C:\Windows\System\tbnVnvG.exe
2⤵
PID:6092

C:\Windows\System\NsotrTQ.exe
C:\Windows\System\NsotrTQ.exe
2⤵
PID:6120

C:\Windows\System\mxWLOdu.exe
C:\Windows\System\mxWLOdu.exe
2⤵
PID:1788

C:\Windows\System\BERIYiA.exe
C:\Windows\System\BERIYiA.exe
2⤵
PID:4100

C:\Windows\System\cLtvVvQ.exe
C:\Windows\System\cLtvVvQ.exe
2⤵
PID:1000

C:\Windows\System\mipxjQF.exe
C:\Windows\System\mipxjQF.exe
2⤵
PID:4220

C:\Windows\System\MZEUGWW.exe
C:\Windows\System\MZEUGWW.exe
2⤵
PID:2128

C:\Windows\System\LTJFBrp.exe
C:\Windows\System\LTJFBrp.exe
2⤵
PID:5532

C:\Windows\System\JJHrdHK.exe
C:\Windows\System\JJHrdHK.exe
2⤵
PID:5564

C:\Windows\System\fcZXJtq.exe
C:\Windows\System\fcZXJtq.exe
2⤵
PID:5648

C:\Windows\System\HpcpBWg.exe
C:\Windows\System\HpcpBWg.exe
2⤵
PID:5736

C:\Windows\System\zczeBtA.exe
C:\Windows\System\zczeBtA.exe
2⤵
PID:5792

C:\Windows\System\merTMyt.exe
C:\Windows\System\merTMyt.exe
2⤵
PID:4988

C:\Windows\System\axiaMvp.exe
C:\Windows\System\axiaMvp.exe
2⤵
PID:5928

C:\Windows\System\fFZqVqi.exe
C:\Windows\System\fFZqVqi.exe
2⤵
PID:6008

C:\Windows\System\xoabMDC.exe
C:\Windows\System\xoabMDC.exe
2⤵
PID:6044

C:\Windows\System\QydIeAd.exe
C:\Windows\System\QydIeAd.exe
2⤵
PID:6084

C:\Windows\System\bJXcgZv.exe
C:\Windows\System\bJXcgZv.exe
2⤵
PID:6136

C:\Windows\System\ADwqqwu.exe
C:\Windows\System\ADwqqwu.exe
2⤵
PID:4916

C:\Windows\System\HcwrSaJ.exe
C:\Windows\System\HcwrSaJ.exe
2⤵
PID:4188

C:\Windows\System\kcjxhJf.exe
C:\Windows\System\kcjxhJf.exe
2⤵
PID:5216

C:\Windows\System\zWfhjHk.exe
C:\Windows\System\zWfhjHk.exe
2⤵
PID:4912

C:\Windows\System\LFfYsyF.exe
C:\Windows\System\LFfYsyF.exe
2⤵
PID:3872

C:\Windows\System\RLeujYX.exe
C:\Windows\System\RLeujYX.exe
2⤵
PID:1688

C:\Windows\System\iaWAZBq.exe
C:\Windows\System\iaWAZBq.exe
2⤵
PID:3804

C:\Windows\System\JnTliAs.exe
C:\Windows\System\JnTliAs.exe
2⤵
PID:3068

C:\Windows\System\PrDUMsD.exe
C:\Windows\System\PrDUMsD.exe
2⤵
PID:1500

C:\Windows\System\RnbKsRs.exe
C:\Windows\System\RnbKsRs.exe
2⤵
PID:4728

C:\Windows\System\prYYXwn.exe
C:\Windows\System\prYYXwn.exe
2⤵
PID:4340

C:\Windows\System\BuPNtkX.exe
C:\Windows\System\BuPNtkX.exe
2⤵
PID:2376

C:\Windows\System\dEHSvNc.exe
C:\Windows\System\dEHSvNc.exe
2⤵
PID:5276

C:\Windows\System\PuGcMBD.exe
C:\Windows\System\PuGcMBD.exe
2⤵
PID:1960

C:\Windows\System\NMWCuNZ.exe
C:\Windows\System\NMWCuNZ.exe
2⤵
PID:5308

C:\Windows\System\lsQATyX.exe
C:\Windows\System\lsQATyX.exe
2⤵
PID:5332

C:\Windows\System\zkgsWsO.exe
C:\Windows\System\zkgsWsO.exe
2⤵
PID:5844

C:\Windows\System\eUIEwdh.exe
C:\Windows\System\eUIEwdh.exe
2⤵
PID:436

C:\Windows\System\RHnEJqq.exe
C:\Windows\System\RHnEJqq.exe
2⤵
PID:6080

C:\Windows\System\JTuGnEl.exe
C:\Windows\System\JTuGnEl.exe
2⤵
PID:4596

C:\Windows\System\FtIGUrY.exe
C:\Windows\System\FtIGUrY.exe
2⤵
PID:5220

C:\Windows\System\HYJmQAn.exe
C:\Windows\System\HYJmQAn.exe
2⤵
PID:4924

C:\Windows\System\EDDDSbh.exe
C:\Windows\System\EDDDSbh.exe
2⤵
PID:3136

C:\Windows\System\AhRvmVR.exe
C:\Windows\System\AhRvmVR.exe
2⤵
PID:5240

C:\Windows\System\MEmveXD.exe
C:\Windows\System\MEmveXD.exe
2⤵
PID:5168

C:\Windows\System\lIurAfF.exe
C:\Windows\System\lIurAfF.exe
2⤵
PID:5432

C:\Windows\System\aoZiDDM.exe
C:\Windows\System\aoZiDDM.exe
2⤵
PID:668

C:\Windows\System\nmzOCcZ.exe
C:\Windows\System\nmzOCcZ.exe
2⤵
PID:5312

C:\Windows\System\MapVYIh.exe
C:\Windows\System\MapVYIh.exe
2⤵
PID:5644

C:\Windows\System\YcliakF.exe
C:\Windows\System\YcliakF.exe
2⤵
PID:5960

C:\Windows\System\suREVEU.exe
C:\Windows\System\suREVEU.exe
2⤵
PID:3592

C:\Windows\System\hjceyGx.exe
C:\Windows\System\hjceyGx.exe
2⤵
PID:5368

C:\Windows\System\Kpfeqba.exe
C:\Windows\System\Kpfeqba.exe
2⤵
PID:5340

C:\Windows\System\wgAzBRK.exe
C:\Windows\System\wgAzBRK.exe
2⤵
PID:4304

C:\Windows\System\XgSiASU.exe
C:\Windows\System\XgSiASU.exe
2⤵
PID:6164

C:\Windows\System\BbQyqxb.exe
C:\Windows\System\BbQyqxb.exe
2⤵
PID:6180

C:\Windows\System\esGSNtf.exe
C:\Windows\System\esGSNtf.exe
2⤵
PID:6200

C:\Windows\System\twJxeFX.exe
C:\Windows\System\twJxeFX.exe
2⤵
PID:6216

C:\Windows\System\dsEMSeZ.exe
C:\Windows\System\dsEMSeZ.exe
2⤵
PID:6240

C:\Windows\System\rSvQoiV.exe
C:\Windows\System\rSvQoiV.exe
2⤵
PID:6288

C:\Windows\System\XqpKoMt.exe
C:\Windows\System\XqpKoMt.exe
2⤵
PID:6304

C:\Windows\System\FUlrNWG.exe
C:\Windows\System\FUlrNWG.exe
2⤵
PID:6328

C:\Windows\System\HNJTZzI.exe
C:\Windows\System\HNJTZzI.exe
2⤵
PID:6344

C:\Windows\System\xhseJDq.exe
C:\Windows\System\xhseJDq.exe
2⤵
PID:6416

C:\Windows\System\ubmgOTr.exe
C:\Windows\System\ubmgOTr.exe
2⤵
PID:6448

C:\Windows\System\CRMmuXj.exe
C:\Windows\System\CRMmuXj.exe
2⤵
PID:6464

C:\Windows\System\oqosdDT.exe
C:\Windows\System\oqosdDT.exe
2⤵
PID:6508

C:\Windows\System\CRkixxF.exe
C:\Windows\System\CRkixxF.exe
2⤵
PID:6536

C:\Windows\System\FvmwDer.exe
C:\Windows\System\FvmwDer.exe
2⤵
PID:6552

C:\Windows\System\dQwmOvY.exe
C:\Windows\System\dQwmOvY.exe
2⤵
PID:6584

C:\Windows\System\hVZVopB.exe
C:\Windows\System\hVZVopB.exe
2⤵
PID:6612

C:\Windows\System\JIbPKrE.exe
C:\Windows\System\JIbPKrE.exe
2⤵
PID:6628

C:\Windows\System\BLzmtRg.exe
C:\Windows\System\BLzmtRg.exe
2⤵
PID:6652

C:\Windows\System\bkTlPLj.exe
C:\Windows\System\bkTlPLj.exe
2⤵
PID:6704

C:\Windows\System\yVdruvz.exe
C:\Windows\System\yVdruvz.exe
2⤵
PID:6760

C:\Windows\System\rRpzSyF.exe
C:\Windows\System\rRpzSyF.exe
2⤵
PID:6812

C:\Windows\System\HrRdbcA.exe
C:\Windows\System\HrRdbcA.exe
2⤵
PID:6844

C:\Windows\System\ERnKJGb.exe
C:\Windows\System\ERnKJGb.exe
2⤵
PID:6860

C:\Windows\System\iHYImTY.exe
C:\Windows\System\iHYImTY.exe
2⤵
PID:6908

C:\Windows\System\ckOyTRh.exe
C:\Windows\System\ckOyTRh.exe
2⤵
PID:6936

C:\Windows\System\urNrzUz.exe
C:\Windows\System\urNrzUz.exe
2⤵
PID:6960

C:\Windows\System\GLleqFt.exe
C:\Windows\System\GLleqFt.exe
2⤵
PID:6988

C:\Windows\System\RunCnPY.exe
C:\Windows\System\RunCnPY.exe
2⤵
PID:7016

C:\Windows\System\OEjmEAd.exe
C:\Windows\System\OEjmEAd.exe
2⤵
PID:7032

C:\Windows\System\uhSCedB.exe
C:\Windows\System\uhSCedB.exe
2⤵
PID:7080

C:\Windows\System\BoAQWdP.exe
C:\Windows\System\BoAQWdP.exe
2⤵
PID:7100

C:\Windows\System\CrAOmSp.exe
C:\Windows\System\CrAOmSp.exe
2⤵
PID:7144

C:\Windows\System\arorKJj.exe
C:\Windows\System\arorKJj.exe
2⤵
PID:7164

C:\Windows\System\jMdwfjS.exe
C:\Windows\System\jMdwfjS.exe
2⤵
PID:4896

C:\Windows\System\yaYPPhD.exe
C:\Windows\System\yaYPPhD.exe
2⤵
PID:6176

C:\Windows\System\ohtugvU.exe
C:\Windows\System\ohtugvU.exe
2⤵
PID:6300

C:\Windows\System\wDhPXHO.exe
C:\Windows\System\wDhPXHO.exe
2⤵
PID:6312

C:\Windows\System\jHDgSaW.exe
C:\Windows\System\jHDgSaW.exe
2⤵
PID:6340

C:\Windows\System\HjyoNUM.exe
C:\Windows\System\HjyoNUM.exe
2⤵
PID:6412

C:\Windows\System\oJoDSAi.exe
C:\Windows\System\oJoDSAi.exe
2⤵
PID:6660

C:\Windows\System\bgnKAkD.exe
C:\Windows\System\bgnKAkD.exe
2⤵
PID:6620

C:\Windows\System\FMfrHOh.exe
C:\Windows\System\FMfrHOh.exe
2⤵
PID:6624

C:\Windows\System\BzqTUbS.exe
C:\Windows\System\BzqTUbS.exe
2⤵
PID:6700

C:\Windows\System\GjENEdY.exe
C:\Windows\System\GjENEdY.exe
2⤵
PID:6768

C:\Windows\System\InEMcAl.exe
C:\Windows\System\InEMcAl.exe
2⤵
PID:6892

C:\Windows\System\lCSWaCR.exe
C:\Windows\System\lCSWaCR.exe
2⤵
PID:6856

C:\Windows\System\nZOUMsq.exe
C:\Windows\System\nZOUMsq.exe
2⤵
PID:7072

C:\Windows\System\ahFLRNW.exe
C:\Windows\System\ahFLRNW.exe
2⤵
PID:7096

C:\Windows\System\VTvbolV.exe
C:\Windows\System\VTvbolV.exe
2⤵
PID:7136

C:\Windows\System\nNALuBH.exe
C:\Windows\System\nNALuBH.exe
2⤵
PID:5896

C:\Windows\System\lXPGRHj.exe
C:\Windows\System\lXPGRHj.exe
2⤵
PID:6268

C:\Windows\System\yAtBtqW.exe
C:\Windows\System\yAtBtqW.exe
2⤵
PID:6476

C:\Windows\System\gjzQEgY.exe
C:\Windows\System\gjzQEgY.exe
2⤵
PID:6696

C:\Windows\System\dQqxCQf.exe
C:\Windows\System\dQqxCQf.exe
2⤵
PID:6720

C:\Windows\System\FVIEYoT.exe
C:\Windows\System\FVIEYoT.exe
2⤵
PID:7068

C:\Windows\System\rwqqQfN.exe
C:\Windows\System\rwqqQfN.exe
2⤵
PID:6224

C:\Windows\System\cpQqHjr.exe
C:\Windows\System\cpQqHjr.exe
2⤵
PID:6208

C:\Windows\System\nFnrXfs.exe
C:\Windows\System\nFnrXfs.exe
2⤵
PID:6968

C:\Windows\System\JdXyVcT.exe
C:\Windows\System\JdXyVcT.exe
2⤵
PID:6276

C:\Windows\System\whpJPhR.exe
C:\Windows\System\whpJPhR.exe
2⤵
PID:6692

C:\Windows\System\uxJLqMt.exe
C:\Windows\System\uxJLqMt.exe
2⤵
PID:7176

C:\Windows\System\abjfRUc.exe
C:\Windows\System\abjfRUc.exe
2⤵
PID:7192

C:\Windows\System\WibCsiA.exe
C:\Windows\System\WibCsiA.exe
2⤵
PID:7212

C:\Windows\System\MrVBZxF.exe
C:\Windows\System\MrVBZxF.exe
2⤵
PID:7236

C:\Windows\System\QpkOTaq.exe
C:\Windows\System\QpkOTaq.exe
2⤵
PID:7256

C:\Windows\System\VxViHKa.exe
C:\Windows\System\VxViHKa.exe
2⤵
PID:7292

C:\Windows\System\NNcNRxc.exe
C:\Windows\System\NNcNRxc.exe
2⤵
PID:7308

C:\Windows\System\klGJTDn.exe
C:\Windows\System\klGJTDn.exe
2⤵
PID:7340

C:\Windows\System\VzrfKPv.exe
C:\Windows\System\VzrfKPv.exe
2⤵
PID:7388

C:\Windows\System\YIwPIxQ.exe
C:\Windows\System\YIwPIxQ.exe
2⤵
PID:7408

C:\Windows\System\treppJM.exe
C:\Windows\System\treppJM.exe
2⤵
PID:7436

C:\Windows\System\gtdeDyo.exe
C:\Windows\System\gtdeDyo.exe
2⤵
PID:7452

C:\Windows\System\uHmjszp.exe
C:\Windows\System\uHmjszp.exe
2⤵
PID:7480

C:\Windows\System\Kvsquyk.exe
C:\Windows\System\Kvsquyk.exe
2⤵
PID:7496

C:\Windows\System\HuaWGrp.exe
C:\Windows\System\HuaWGrp.exe
2⤵
PID:7560

C:\Windows\System\MZXWvMg.exe
C:\Windows\System\MZXWvMg.exe
2⤵
PID:7580

C:\Windows\System\XjIKBeh.exe
C:\Windows\System\XjIKBeh.exe
2⤵
PID:7608

C:\Windows\System\CQWqXJB.exe
C:\Windows\System\CQWqXJB.exe
2⤵
PID:7628

C:\Windows\System\rTalhNN.exe
C:\Windows\System\rTalhNN.exe
2⤵
PID:7652

C:\Windows\System\trDFlth.exe
C:\Windows\System\trDFlth.exe
2⤵
PID:7724

C:\Windows\System\meoqROw.exe
C:\Windows\System\meoqROw.exe
2⤵
PID:7744

C:\Windows\System\RjjumWF.exe
C:\Windows\System\RjjumWF.exe
2⤵
PID:7784

C:\Windows\System\TNlcCSx.exe
C:\Windows\System\TNlcCSx.exe
2⤵
PID:7804

C:\Windows\System\RAeXHUA.exe
C:\Windows\System\RAeXHUA.exe
2⤵
PID:7828

C:\Windows\System\KbWiFOw.exe
C:\Windows\System\KbWiFOw.exe
2⤵
PID:7848

C:\Windows\System\JZxFoHF.exe
C:\Windows\System\JZxFoHF.exe
2⤵
PID:7876

C:\Windows\System\XtxPdUT.exe
C:\Windows\System\XtxPdUT.exe
2⤵
PID:7912

C:\Windows\System\hSRnOfK.exe
C:\Windows\System\hSRnOfK.exe
2⤵
PID:7932

C:\Windows\System\fbFGUVZ.exe
C:\Windows\System\fbFGUVZ.exe
2⤵
PID:7956

C:\Windows\System\tGNCDZi.exe
C:\Windows\System\tGNCDZi.exe
2⤵
PID:7976

C:\Windows\System\pIdPmTf.exe
C:\Windows\System\pIdPmTf.exe
2⤵
PID:8000

C:\Windows\System\QxDPskL.exe
C:\Windows\System\QxDPskL.exe
2⤵
PID:8016

C:\Windows\System\colSnev.exe
C:\Windows\System\colSnev.exe
2⤵
PID:8048

C:\Windows\System\RfDfxrl.exe
C:\Windows\System\RfDfxrl.exe
2⤵
PID:8068

C:\Windows\System\QCuUWtd.exe
C:\Windows\System\QCuUWtd.exe
2⤵
PID:8092

C:\Windows\System\XnVqJnB.exe
C:\Windows\System\XnVqJnB.exe
2⤵
PID:8120

C:\Windows\System\erLOZFy.exe
C:\Windows\System\erLOZFy.exe
2⤵
PID:8184

C:\Windows\System\LzcLskC.exe
C:\Windows\System\LzcLskC.exe
2⤵
PID:7228

C:\Windows\System\YSbWdJW.exe
C:\Windows\System\YSbWdJW.exe
2⤵
PID:7252

C:\Windows\System\dcbobPD.exe
C:\Windows\System\dcbobPD.exe
2⤵
PID:7316

C:\Windows\System\jgEvRVT.exe
C:\Windows\System\jgEvRVT.exe
2⤵
PID:7372

C:\Windows\System\YfZkrxW.exe
C:\Windows\System\YfZkrxW.exe
2⤵
PID:7380

C:\Windows\System\eWEalnY.exe
C:\Windows\System\eWEalnY.exe
2⤵
PID:7448

C:\Windows\System\XwRpGGY.exe
C:\Windows\System\XwRpGGY.exe
2⤵
PID:7548

C:\Windows\System\meRPCMD.exe
C:\Windows\System\meRPCMD.exe
2⤵
PID:7568

C:\Windows\System\FQjSIfY.exe
C:\Windows\System\FQjSIfY.exe
2⤵
PID:7588

C:\Windows\System\VSSDRdY.exe
C:\Windows\System\VSSDRdY.exe
2⤵
PID:7648

C:\Windows\System\tEoHeTA.exe
C:\Windows\System\tEoHeTA.exe
2⤵
PID:7800

C:\Windows\System\jwEbnUO.exe
C:\Windows\System\jwEbnUO.exe
2⤵
PID:7984

C:\Windows\System\FCCwapa.exe
C:\Windows\System\FCCwapa.exe
2⤵
PID:8008

C:\Windows\System\JNQFcYT.exe
C:\Windows\System\JNQFcYT.exe
2⤵
PID:8064

C:\Windows\System\ykxMnDV.exe
C:\Windows\System\ykxMnDV.exe
2⤵
PID:8080

C:\Windows\System\GnHbhvm.exe
C:\Windows\System\GnHbhvm.exe
2⤵
PID:8156

C:\Windows\System\BjESlON.exe
C:\Windows\System\BjESlON.exe
2⤵
PID:7160

C:\Windows\System\Xbtfvqt.exe
C:\Windows\System\Xbtfvqt.exe
2⤵
PID:7404

C:\Windows\System\WslUgqU.exe
C:\Windows\System\WslUgqU.exe
2⤵
PID:7468

C:\Windows\System\bxCAkiJ.exe
C:\Windows\System\bxCAkiJ.exe
2⤵
PID:7524

C:\Windows\System\bbuXdVo.exe
C:\Windows\System\bbuXdVo.exe
2⤵
PID:5076

C:\Windows\System\esDRnnd.exe
C:\Windows\System\esDRnnd.exe
2⤵
PID:7928

C:\Windows\System\YpAAOGZ.exe
C:\Windows\System\YpAAOGZ.exe
2⤵
PID:8040

C:\Windows\System\mvoidLW.exe
C:\Windows\System\mvoidLW.exe
2⤵
PID:7220

C:\Windows\System\OUlwvFv.exe
C:\Windows\System\OUlwvFv.exe
2⤵
PID:7428

C:\Windows\System\gedUNnk.exe
C:\Windows\System\gedUNnk.exe
2⤵
PID:7488

C:\Windows\System\akbfLKH.exe
C:\Windows\System\akbfLKH.exe
2⤵
PID:8200

C:\Windows\System\iDHKrpj.exe
C:\Windows\System\iDHKrpj.exe
2⤵
PID:8216

C:\Windows\System\goRDcKO.exe
C:\Windows\System\goRDcKO.exe
2⤵
PID:8248

C:\Windows\System\aSdYOFy.exe
C:\Windows\System\aSdYOFy.exe
2⤵
PID:8280

C:\Windows\System\BYBSAHo.exe
C:\Windows\System\BYBSAHo.exe
2⤵
PID:8304

C:\Windows\System\Bberolm.exe
C:\Windows\System\Bberolm.exe
2⤵
PID:8324

C:\Windows\System\CXEATij.exe
C:\Windows\System\CXEATij.exe
2⤵
PID:8372

C:\Windows\System\EoPTdcg.exe
C:\Windows\System\EoPTdcg.exe
2⤵
PID:8392

C:\Windows\System\txXFslG.exe
C:\Windows\System\txXFslG.exe
2⤵
PID:8412

C:\Windows\System\MxMgtaL.exe
C:\Windows\System\MxMgtaL.exe
2⤵
PID:8436

C:\Windows\System\SJqOjuw.exe
C:\Windows\System\SJqOjuw.exe
2⤵
PID:8452

C:\Windows\System\rGRrVNe.exe
C:\Windows\System\rGRrVNe.exe
2⤵
PID:8476

C:\Windows\System\xbCeaQX.exe
C:\Windows\System\xbCeaQX.exe
2⤵
PID:8508

C:\Windows\System\wAtljkH.exe
C:\Windows\System\wAtljkH.exe
2⤵
PID:8524

C:\Windows\System\WwPWEgv.exe
C:\Windows\System\WwPWEgv.exe
2⤵
PID:8544

C:\Windows\System\QhQjAev.exe
C:\Windows\System\QhQjAev.exe
2⤵
PID:8576

C:\Windows\System\Gmcpdva.exe
C:\Windows\System\Gmcpdva.exe
2⤵
PID:8596

C:\Windows\System\rCZXWOf.exe
C:\Windows\System\rCZXWOf.exe
2⤵
PID:8620

C:\Windows\System\tEcQnkL.exe
C:\Windows\System\tEcQnkL.exe
2⤵
PID:8640

C:\Windows\System\alboXQv.exe
C:\Windows\System\alboXQv.exe
2⤵
PID:8716

C:\Windows\System\FjEYcVf.exe
C:\Windows\System\FjEYcVf.exe
2⤵
PID:8740

C:\Windows\System\BXLcEvR.exe
C:\Windows\System\BXLcEvR.exe
2⤵
PID:8756

C:\Windows\System\RjLYkns.exe
C:\Windows\System\RjLYkns.exe
2⤵
PID:8784

C:\Windows\System\ysjMjkN.exe
C:\Windows\System\ysjMjkN.exe
2⤵
PID:8812

C:\Windows\System\paGjQXf.exe
C:\Windows\System\paGjQXf.exe
2⤵
PID:8832

C:\Windows\System\tSzbdax.exe
C:\Windows\System\tSzbdax.exe
2⤵
PID:8892

C:\Windows\System\oWIJNvO.exe
C:\Windows\System\oWIJNvO.exe
2⤵
PID:8912

C:\Windows\System\PUmlwEs.exe
C:\Windows\System\PUmlwEs.exe
2⤵
PID:8984

C:\Windows\System\XufBEub.exe
C:\Windows\System\XufBEub.exe
2⤵
PID:9020

C:\Windows\System\INyDmBK.exe
C:\Windows\System\INyDmBK.exe
2⤵
PID:9036

C:\Windows\System\vzhkoVv.exe
C:\Windows\System\vzhkoVv.exe
2⤵
PID:9056

C:\Windows\System\JWGWvof.exe
C:\Windows\System\JWGWvof.exe
2⤵
PID:9084

C:\Windows\System\prnlcSQ.exe
C:\Windows\System\prnlcSQ.exe
2⤵
PID:9128

C:\Windows\System\PSPACOf.exe
C:\Windows\System\PSPACOf.exe
2⤵
PID:9144

C:\Windows\System\ePeoUGe.exe
C:\Windows\System\ePeoUGe.exe
2⤵
PID:9172

C:\Windows\System\lYgNimY.exe
C:\Windows\System\lYgNimY.exe
2⤵
PID:9200

C:\Windows\System\wBTMpyw.exe
C:\Windows\System\wBTMpyw.exe
2⤵
PID:6756

C:\Windows\System\cpptPay.exe
C:\Windows\System\cpptPay.exe
2⤵
PID:8176

C:\Windows\System\fowcDbJ.exe
C:\Windows\System\fowcDbJ.exe
2⤵
PID:7760

C:\Windows\System\VPzbwUI.exe
C:\Windows\System\VPzbwUI.exe
2⤵
PID:8428

C:\Windows\System\jhvfBgu.exe
C:\Windows\System\jhvfBgu.exe
2⤵
PID:8364

C:\Windows\System\ZecppyL.exe
C:\Windows\System\ZecppyL.exe
2⤵
PID:8404

C:\Windows\System\HyKEQJf.exe
C:\Windows\System\HyKEQJf.exe
2⤵
PID:8472

C:\Windows\System\zEpMNwY.exe
C:\Windows\System\zEpMNwY.exe
2⤵
PID:8516

C:\Windows\System\CEqZsMl.exe
C:\Windows\System\CEqZsMl.exe
2⤵
PID:8588

C:\Windows\System\EGmlRuF.exe
C:\Windows\System\EGmlRuF.exe
2⤵
PID:8616

C:\Windows\System\IiYLeDD.exe
C:\Windows\System\IiYLeDD.exe
2⤵
PID:8724

C:\Windows\System\mhWavJV.exe
C:\Windows\System\mhWavJV.exe
2⤵
PID:8676

C:\Windows\System\ylHeALw.exe
C:\Windows\System\ylHeALw.exe
2⤵
PID:8800

C:\Windows\System\xeKPPom.exe
C:\Windows\System\xeKPPom.exe
2⤵
PID:8944

C:\Windows\System\eNSiqGy.exe
C:\Windows\System\eNSiqGy.exe
2⤵
PID:8992

C:\Windows\System\qlHqwaF.exe
C:\Windows\System\qlHqwaF.exe
2⤵
PID:9064

C:\Windows\System\yFlovAW.exe
C:\Windows\System\yFlovAW.exe
2⤵
PID:9140

C:\Windows\System\qFBkVCb.exe
C:\Windows\System\qFBkVCb.exe
2⤵
PID:9180

C:\Windows\System\LOhYOyd.exe
C:\Windows\System\LOhYOyd.exe
2⤵
PID:8116

C:\Windows\System\soovSsH.exe
C:\Windows\System\soovSsH.exe
2⤵
PID:4060

C:\Windows\System\LMAmKDf.exe
C:\Windows\System\LMAmKDf.exe
2⤵
PID:8272

C:\Windows\System\OZmWVel.exe
C:\Windows\System\OZmWVel.exe
2⤵
PID:8448

C:\Windows\System\YqfyIQa.exe
C:\Windows\System\YqfyIQa.exe
2⤵
PID:8748

C:\Windows\System\qDKymHQ.exe
C:\Windows\System\qDKymHQ.exe
2⤵
PID:8612

C:\Windows\System\YIuBHtH.exe
C:\Windows\System\YIuBHtH.exe
2⤵
PID:8132

C:\Windows\System\uETHikt.exe
C:\Windows\System\uETHikt.exe
2⤵
PID:7304

C:\Windows\System\sxwyJXg.exe
C:\Windows\System\sxwyJXg.exe
2⤵
PID:9108

C:\Windows\System\cBwMvBH.exe
C:\Windows\System\cBwMvBH.exe
2⤵
PID:8708

C:\Windows\System\ltnZYsZ.exe
C:\Windows\System\ltnZYsZ.exe
2⤵
PID:9240

C:\Windows\System\CAdMOCl.exe
C:\Windows\System\CAdMOCl.exe
2⤵
PID:9264

C:\Windows\System\QMasbep.exe
C:\Windows\System\QMasbep.exe
2⤵
PID:9284

C:\Windows\System\oBybvxG.exe
C:\Windows\System\oBybvxG.exe
2⤵
PID:9316

C:\Windows\System\uydgBwf.exe
C:\Windows\System\uydgBwf.exe
2⤵
PID:9340

C:\Windows\System\sHfjsYa.exe
C:\Windows\System\sHfjsYa.exe
2⤵
PID:9360

C:\Windows\System\wCcYYRn.exe
C:\Windows\System\wCcYYRn.exe
2⤵
PID:9408

C:\Windows\System\vfrbHnv.exe
C:\Windows\System\vfrbHnv.exe
2⤵
PID:9432

C:\Windows\System\YErxUsG.exe
C:\Windows\System\YErxUsG.exe
2⤵
PID:9452

C:\Windows\System\uMKQllG.exe
C:\Windows\System\uMKQllG.exe
2⤵
PID:9468

C:\Windows\System\ZlnQyVp.exe
C:\Windows\System\ZlnQyVp.exe
2⤵
PID:9496

C:\Windows\System\PHgpdud.exe
C:\Windows\System\PHgpdud.exe
2⤵
PID:9536

C:\Windows\System\ZNsBWNJ.exe
C:\Windows\System\ZNsBWNJ.exe
2⤵
PID:9564

C:\Windows\System\UosCROv.exe
C:\Windows\System\UosCROv.exe
2⤵
PID:9588

C:\Windows\System\dmSADyI.exe
C:\Windows\System\dmSADyI.exe
2⤵
PID:9608

C:\Windows\System\INfnrML.exe
C:\Windows\System\INfnrML.exe
2⤵
PID:9632

C:\Windows\System\SikQKSN.exe
C:\Windows\System\SikQKSN.exe
2⤵
PID:9656

C:\Windows\System\nSvbCxU.exe
C:\Windows\System\nSvbCxU.exe
2⤵
PID:9672

C:\Windows\System\lnMWHVG.exe
C:\Windows\System\lnMWHVG.exe
2⤵
PID:9724

C:\Windows\System\PemrgQB.exe
C:\Windows\System\PemrgQB.exe
2⤵
PID:9740

C:\Windows\System\wkzokUY.exe
C:\Windows\System\wkzokUY.exe
2⤵
PID:9760

C:\Windows\System\ZAljyEX.exe
C:\Windows\System\ZAljyEX.exe
2⤵
PID:9780

C:\Windows\System\oJklczx.exe
C:\Windows\System\oJklczx.exe
2⤵
PID:9808

C:\Windows\System\ZQzrJhr.exe
C:\Windows\System\ZQzrJhr.exe
2⤵
PID:9836

C:\Windows\System\rnMIomp.exe
C:\Windows\System\rnMIomp.exe
2⤵
PID:9864

C:\Windows\System\YiBtDck.exe
C:\Windows\System\YiBtDck.exe
2⤵
PID:9900

C:\Windows\System\RaNpiUI.exe
C:\Windows\System\RaNpiUI.exe
2⤵
PID:9928

C:\Windows\System\OmKaKcJ.exe
C:\Windows\System\OmKaKcJ.exe
2⤵
PID:9980

C:\Windows\System\RfigDMP.exe
C:\Windows\System\RfigDMP.exe
2⤵
PID:10000

C:\Windows\System\LCuHvjg.exe
C:\Windows\System\LCuHvjg.exe
2⤵
PID:10024

C:\Windows\System\ZonnvUY.exe
C:\Windows\System\ZonnvUY.exe
2⤵
PID:10040

C:\Windows\System\QxPTKgh.exe
C:\Windows\System\QxPTKgh.exe
2⤵
PID:10060

C:\Windows\System\bwIiVlw.exe
C:\Windows\System\bwIiVlw.exe
2⤵
PID:10112

C:\Windows\System\twGtgSd.exe
C:\Windows\System\twGtgSd.exe
2⤵
PID:10176

C:\Windows\System\xnEhCyH.exe
C:\Windows\System\xnEhCyH.exe
2⤵
PID:10192

C:\Windows\System\nFnClEr.exe
C:\Windows\System\nFnClEr.exe
2⤵
PID:10216

C:\Windows\System\MbCcmNh.exe
C:\Windows\System\MbCcmNh.exe
2⤵
PID:8444

C:\Windows\System\wrSXOgL.exe
C:\Windows\System\wrSXOgL.exe
2⤵
PID:9400

C:\Windows\System\iaUfzGy.exe
C:\Windows\System\iaUfzGy.exe
2⤵
PID:9476

C:\Windows\System\iFcGpOk.exe
C:\Windows\System\iFcGpOk.exe
2⤵
PID:9488

C:\Windows\System\SuSlbuW.exe
C:\Windows\System\SuSlbuW.exe
2⤵
PID:9556

C:\Windows\System\SeAluKd.exe
C:\Windows\System\SeAluKd.exe
2⤵
PID:9620

C:\Windows\System\AIyoNjs.exe
C:\Windows\System\AIyoNjs.exe
2⤵
PID:9580

C:\Windows\System\allSlZW.exe
C:\Windows\System\allSlZW.exe
2⤵
PID:9668

C:\Windows\System\cisboJs.exe
C:\Windows\System\cisboJs.exe
2⤵
PID:9664

C:\Windows\System\PqKKDRL.exe
C:\Windows\System\PqKKDRL.exe
2⤵
PID:9752

C:\Windows\System\rwtKPBU.exe
C:\Windows\System\rwtKPBU.exe
2⤵
PID:9816

C:\Windows\System\GdLPwNU.exe
C:\Windows\System\GdLPwNU.exe
2⤵
PID:9776

C:\Windows\System\hZNRdHN.exe
C:\Windows\System\hZNRdHN.exe
2⤵
PID:9876

C:\Windows\System\rIYuFTM.exe
C:\Windows\System\rIYuFTM.exe
2⤵
PID:9852

C:\Windows\System\RwnQavo.exe
C:\Windows\System\RwnQavo.exe
2⤵
PID:9892

C:\Windows\System\EAuDzJI.exe
C:\Windows\System\EAuDzJI.exe
2⤵
PID:9960

C:\Windows\System\tuexMRS.exe
C:\Windows\System\tuexMRS.exe
2⤵
PID:10012

C:\Windows\System\XfzxFSF.exe
C:\Windows\System\XfzxFSF.exe
2⤵
PID:9992

C:\Windows\System\kueodiU.exe
C:\Windows\System\kueodiU.exe
2⤵
PID:10104

C:\Windows\System\VyPBbgm.exe
C:\Windows\System\VyPBbgm.exe
2⤵
PID:8572

C:\Windows\System\qmKRwVy.exe
C:\Windows\System\qmKRwVy.exe
2⤵
PID:10124

C:\Windows\System\kOSCsCY.exe
C:\Windows\System\kOSCsCY.exe
2⤵
PID:10228

C:\Windows\System\hEYorIo.exe
C:\Windows\System\hEYorIo.exe
2⤵
PID:9720

C:\Windows\System\TBHoNcX.exe
C:\Windows\System\TBHoNcX.exe
2⤵
PID:9484

C:\Windows\System\cTdHZmb.exe
C:\Windows\System\cTdHZmb.exe
2⤵
PID:9256

C:\Windows\System\XJEIDqd.exe
C:\Windows\System\XJEIDqd.exe
2⤵
PID:9860

C:\Windows\System\ujYLhnD.exe
C:\Windows\System\ujYLhnD.exe
2⤵
PID:10072

C:\Windows\System\KgjyTXp.exe
C:\Windows\System\KgjyTXp.exe
2⤵
PID:10244

C:\Windows\System\GeKuEIA.exe
C:\Windows\System\GeKuEIA.exe
2⤵
PID:10272

C:\Windows\System\OpsbWxh.exe
C:\Windows\System\OpsbWxh.exe
2⤵
PID:10300

C:\Windows\System\BEllhzF.exe
C:\Windows\System\BEllhzF.exe
2⤵
PID:10320

C:\Windows\System\rkFrpOp.exe
C:\Windows\System\rkFrpOp.exe
2⤵
PID:10348

C:\Windows\System\SEylcxj.exe
C:\Windows\System\SEylcxj.exe
2⤵
PID:10376

C:\Windows\System\IzHQsdz.exe
C:\Windows\System\IzHQsdz.exe
2⤵
PID:10392

C:\Windows\System\BfAKDrC.exe
C:\Windows\System\BfAKDrC.exe
2⤵
PID:10416

C:\Windows\System\eQclzNx.exe
C:\Windows\System\eQclzNx.exe
2⤵
PID:10432

C:\Windows\System\VjhmHYO.exe
C:\Windows\System\VjhmHYO.exe
2⤵
PID:10460

C:\Windows\System\HcllsaD.exe
C:\Windows\System\HcllsaD.exe
2⤵
PID:10528

C:\Windows\System\HVyCYxC.exe
C:\Windows\System\HVyCYxC.exe
2⤵
PID:10552

C:\Windows\System\kYEnRVp.exe
C:\Windows\System\kYEnRVp.exe
2⤵
PID:10572

C:\Windows\System\lpWKJWt.exe
C:\Windows\System\lpWKJWt.exe
2⤵
PID:10608

C:\Windows\System\qrpAKSD.exe
C:\Windows\System\qrpAKSD.exe
2⤵
PID:10648

C:\Windows\System\bdmcsGZ.exe
C:\Windows\System\bdmcsGZ.exe
2⤵
PID:10668

C:\Windows\System\MqzRUVV.exe
C:\Windows\System\MqzRUVV.exe
2⤵
PID:10696

C:\Windows\System\LKPyLnw.exe
C:\Windows\System\LKPyLnw.exe
2⤵
PID:10720

C:\Windows\System\bIZFiQg.exe
C:\Windows\System\bIZFiQg.exe
2⤵
PID:10736

C:\Windows\System\vlHUmPa.exe
C:\Windows\System\vlHUmPa.exe
2⤵
PID:10756

C:\Windows\System\uCASFpA.exe
C:\Windows\System\uCASFpA.exe
2⤵
PID:10780

C:\Windows\System\jnKjWmf.exe
C:\Windows\System\jnKjWmf.exe
2⤵
PID:10800

C:\Windows\System\TfmWMvd.exe
C:\Windows\System\TfmWMvd.exe
2⤵
PID:10848

C:\Windows\System\rXCkxCW.exe
C:\Windows\System\rXCkxCW.exe
2⤵
PID:10864

C:\Windows\System\bAnYxyE.exe
C:\Windows\System\bAnYxyE.exe
2⤵
PID:10896

C:\Windows\System\nzBtXrt.exe
C:\Windows\System\nzBtXrt.exe
2⤵
PID:10928

C:\Windows\System\DjwSLVi.exe
C:\Windows\System\DjwSLVi.exe
2⤵
PID:10980

C:\Windows\System\wKAKODH.exe
C:\Windows\System\wKAKODH.exe
2⤵
PID:10996

C:\Windows\System\FfAzJyb.exe
C:\Windows\System\FfAzJyb.exe
2⤵
PID:11020

C:\Windows\System\HlViEdc.exe
C:\Windows\System\HlViEdc.exe
2⤵
PID:11056

C:\Windows\System\HlZsDxC.exe
C:\Windows\System\HlZsDxC.exe
2⤵
PID:11076

C:\Windows\System\bzNFziS.exe
C:\Windows\System\bzNFziS.exe
2⤵
PID:11096

C:\Windows\System\DScyaXr.exe
C:\Windows\System\DScyaXr.exe
2⤵
PID:11144

C:\Windows\System\ioRgcxi.exe
C:\Windows\System\ioRgcxi.exe
2⤵
PID:11164

C:\Windows\System\iYVbreW.exe
C:\Windows\System\iYVbreW.exe
2⤵
PID:11200

C:\Windows\System\ROhqwDd.exe
C:\Windows\System\ROhqwDd.exe
2⤵
PID:11240

C:\Windows\System\IRKkwsX.exe
C:\Windows\System\IRKkwsX.exe
2⤵
PID:9772

C:\Windows\System\sapepnV.exe
C:\Windows\System\sapepnV.exe
2⤵
PID:10256

C:\Windows\System\ZZhiDns.exe
C:\Windows\System\ZZhiDns.exe
2⤵
PID:10344

C:\Windows\System\tZJNpQG.exe
C:\Windows\System\tZJNpQG.exe
2⤵
PID:10368

C:\Windows\System\rEdEXDL.exe
C:\Windows\System\rEdEXDL.exe
2⤵
PID:10428

C:\Windows\System\nWIgZFr.exe
C:\Windows\System\nWIgZFr.exe
2⤵
PID:10524

C:\Windows\System\QGcwBpN.exe
C:\Windows\System\QGcwBpN.exe
2⤵
PID:10540

C:\Windows\System\CtRtFJl.exe
C:\Windows\System\CtRtFJl.exe
2⤵
PID:10588

C:\Windows\System\OJfpgcE.exe
C:\Windows\System\OJfpgcE.exe
2⤵
PID:10596

C:\Windows\System\GAmPlVt.exe
C:\Windows\System\GAmPlVt.exe
2⤵
PID:10708

C:\Windows\System\rsQgQFp.exe
C:\Windows\System\rsQgQFp.exe
2⤵
PID:10828

C:\Windows\System\WEzjUXz.exe
C:\Windows\System\WEzjUXz.exe
2⤵
PID:10860

C:\Windows\System\xfFKWYy.exe
C:\Windows\System\xfFKWYy.exe
2⤵
PID:10924

C:\Windows\System\VIZERMu.exe
C:\Windows\System\VIZERMu.exe
2⤵
PID:11016

C:\Windows\System\gginVZt.exe
C:\Windows\System\gginVZt.exe
2⤵
PID:11120

C:\Windows\System\KugihFO.exe
C:\Windows\System\KugihFO.exe
2⤵
PID:11092

C:\Windows\System\fdHEqIP.exe
C:\Windows\System\fdHEqIP.exe
2⤵
PID:11172

C:\Windows\System\kdXFWoh.exe
C:\Windows\System\kdXFWoh.exe
2⤵
PID:11252

C:\Windows\System\NMbSdwD.exe
C:\Windows\System\NMbSdwD.exe
2⤵
PID:10316

C:\Windows\System\FfcpFoS.exe
C:\Windows\System\FfcpFoS.exe
2⤵
PID:10412

C:\Windows\System\JOsluYl.exe
C:\Windows\System\JOsluYl.exe
2⤵
PID:10504

C:\Windows\System\LACHRMC.exe
C:\Windows\System\LACHRMC.exe
2⤵
PID:10704

C:\Windows\System\zzvYMNW.exe
C:\Windows\System\zzvYMNW.exe
2⤵
PID:10884

C:\Windows\System\NBjKdVL.exe
C:\Windows\System\NBjKdVL.exe
2⤵
PID:11048

C:\Windows\System\JuqlrKX.exe
C:\Windows\System\JuqlrKX.exe
2⤵
PID:11212

C:\Windows\System\MEhswra.exe
C:\Windows\System\MEhswra.exe
2⤵
PID:10792

C:\Windows\System\mIssLFm.exe
C:\Windows\System\mIssLFm.exe
2⤵
PID:11004

C:\Windows\System\HCEmWfh.exe
C:\Windows\System\HCEmWfh.exe
2⤵
PID:11072

C:\Windows\System\BVDjAQW.exe
C:\Windows\System\BVDjAQW.exe
2⤵
PID:11268

C:\Windows\System\oCscLAI.exe
C:\Windows\System\oCscLAI.exe
2⤵
PID:11288

C:\Windows\System\iLEJggr.exe
C:\Windows\System\iLEJggr.exe
2⤵
PID:11308

C:\Windows\System\Meozbgh.exe
C:\Windows\System\Meozbgh.exe
2⤵
PID:11336

C:\Windows\System\IFzSZQC.exe
C:\Windows\System\IFzSZQC.exe
2⤵
PID:11356

C:\Windows\System\mADZgsj.exe
C:\Windows\System\mADZgsj.exe
2⤵
PID:11376

C:\Windows\System\WtuxEeh.exe
C:\Windows\System\WtuxEeh.exe
2⤵
PID:11396

C:\Windows\System\WABSUAH.exe
C:\Windows\System\WABSUAH.exe
2⤵
PID:11432

C:\Windows\System\QhxywFp.exe
C:\Windows\System\QhxywFp.exe
2⤵
PID:11460

C:\Windows\System\rEebLef.exe
C:\Windows\System\rEebLef.exe
2⤵
PID:11488

C:\Windows\System\cVvZgPf.exe
C:\Windows\System\cVvZgPf.exe
2⤵
PID:11516

C:\Windows\System\aTXRbfw.exe
C:\Windows\System\aTXRbfw.exe
2⤵
PID:11532

C:\Windows\System\nEMCIgZ.exe
C:\Windows\System\nEMCIgZ.exe
2⤵
PID:11552

C:\Windows\System\puhlhVg.exe
C:\Windows\System\puhlhVg.exe
2⤵
PID:11588

C:\Windows\System\GVkiYCU.exe
C:\Windows\System\GVkiYCU.exe
2⤵
PID:11620

C:\Windows\System\CBeaDib.exe
C:\Windows\System\CBeaDib.exe
2⤵
PID:11640

C:\Windows\System\PoDNrev.exe
C:\Windows\System\PoDNrev.exe
2⤵
PID:11676

C:\Windows\System\eFtJMFU.exe
C:\Windows\System\eFtJMFU.exe
2⤵
PID:11728

C:\Windows\System\WKcxpFG.exe
C:\Windows\System\WKcxpFG.exe
2⤵
PID:11776

C:\Windows\System\OGVyNSm.exe
C:\Windows\System\OGVyNSm.exe
2⤵
PID:11796

C:\Windows\System\aFMBifA.exe
C:\Windows\System\aFMBifA.exe
2⤵
PID:11812

C:\Windows\System\uWlzFPR.exe
C:\Windows\System\uWlzFPR.exe
2⤵
PID:11844

C:\Windows\System\CRtRlnX.exe
C:\Windows\System\CRtRlnX.exe
2⤵
PID:11876

C:\Windows\System\xTkckoJ.exe
C:\Windows\System\xTkckoJ.exe
2⤵
PID:11892

C:\Windows\System\FubDbFM.exe
C:\Windows\System\FubDbFM.exe
2⤵
PID:11936

C:\Windows\System\NuhVSFp.exe
C:\Windows\System\NuhVSFp.exe
2⤵
PID:11972

C:\Windows\System\ByHxEmr.exe
C:\Windows\System\ByHxEmr.exe
2⤵
PID:11996

C:\Windows\System\oMHOqKa.exe
C:\Windows\System\oMHOqKa.exe
2⤵
PID:12016

C:\Windows\System\HoxBHYp.exe
C:\Windows\System\HoxBHYp.exe
2⤵
PID:12044

C:\Windows\System\lEBpGlp.exe
C:\Windows\System\lEBpGlp.exe
2⤵
PID:12064

C:\Windows\System\ttatLJN.exe
C:\Windows\System\ttatLJN.exe
2⤵
PID:12104

C:\Windows\System\AmHRpLA.exe
C:\Windows\System\AmHRpLA.exe
2⤵
PID:12124

C:\Windows\System\JHrMMZm.exe
C:\Windows\System\JHrMMZm.exe
2⤵
PID:12144

C:\Windows\System\wYUGYuP.exe
C:\Windows\System\wYUGYuP.exe
2⤵
PID:12172

C:\Windows\System\IpxswQK.exe
C:\Windows\System\IpxswQK.exe
2⤵
PID:12192

C:\Windows\System\vYFXuuE.exe
C:\Windows\System\vYFXuuE.exe
2⤵
PID:12220

C:\Windows\System\FsDxPts.exe
C:\Windows\System\FsDxPts.exe
2⤵
PID:12252

C:\Windows\System\InVCCcQ.exe
C:\Windows\System\InVCCcQ.exe
2⤵
PID:12268

C:\Windows\System\khHRxbK.exe
C:\Windows\System\khHRxbK.exe
2⤵
PID:12284

C:\Windows\System\nFaMFxl.exe
C:\Windows\System\nFaMFxl.exe
2⤵
PID:11276

C:\Windows\System\PoOrzLA.exe
C:\Windows\System\PoOrzLA.exe
2⤵
PID:11280

C:\Windows\System\KBUrKNM.exe
C:\Windows\System\KBUrKNM.exe
2⤵
PID:11632

C:\Windows\System\pASsukt.exe
C:\Windows\System\pASsukt.exe
2⤵
PID:11604

C:\Windows\System\WpupBFk.exe
C:\Windows\System\WpupBFk.exe
2⤵
PID:11652

C:\Windows\System\YIfrbQG.exe
C:\Windows\System\YIfrbQG.exe
2⤵
PID:11760

C:\Windows\System\bXtJAgB.exe
C:\Windows\System\bXtJAgB.exe
2⤵
PID:11836

C:\Windows\System\NaFOxes.exe
C:\Windows\System\NaFOxes.exe
2⤵
PID:11868

C:\Windows\System\sleCYRl.exe
C:\Windows\System\sleCYRl.exe
2⤵
PID:11904

C:\Windows\System\pKwXJmL.exe
C:\Windows\System\pKwXJmL.exe
2⤵
PID:11988

C:\Windows\System\PjsXqno.exe
C:\Windows\System\PjsXqno.exe
2⤵
PID:12040

C:\Windows\System\FGhmuKU.exe
C:\Windows\System\FGhmuKU.exe
2⤵
PID:9092

C:\Windows\System\QmzIzxI.exe
C:\Windows\System\QmzIzxI.exe
2⤵
PID:12116

C:\Windows\System\cSzKthT.exe
C:\Windows\System\cSzKthT.exe
2⤵
PID:12168

C:\Windows\System\mJFaefW.exe
C:\Windows\System\mJFaefW.exe
2⤵
PID:11304

C:\Windows\System\BYRTdia.exe
C:\Windows\System\BYRTdia.exe
2⤵
PID:11440

C:\Windows\System\RmWlnCe.exe
C:\Windows\System\RmWlnCe.exe
2⤵
PID:11412

C:\Windows\System\hudfrka.exe
C:\Windows\System\hudfrka.exe
2⤵
PID:11672

C:\Windows\System\hJJOCFq.exe
C:\Windows\System\hJJOCFq.exe
2⤵
PID:11804

C:\Windows\System\sygkaLW.exe
C:\Windows\System\sygkaLW.exe
2⤵
PID:11960

C:\Windows\System\Ogkhvrr.exe
C:\Windows\System\Ogkhvrr.exe
2⤵
PID:12280

C:\Windows\System\VOlTAZA.exe
C:\Windows\System\VOlTAZA.exe
2⤵
PID:12112

C:\Windows\System\zixXBfQ.exe
C:\Windows\System\zixXBfQ.exe
2⤵
PID:12152

C:\Windows\System\HPntbqb.exe
C:\Windows\System\HPntbqb.exe
2⤵
PID:12076

C:\Windows\System\smtLRKO.exe
C:\Windows\System\smtLRKO.exe
2⤵
PID:11504

C:\Windows\System\zvwVrXh.exe
C:\Windows\System\zvwVrXh.exe
2⤵
PID:12208

C:\Windows\System\lZJanSI.exe
C:\Windows\System\lZJanSI.exe
2⤵
PID:12308

C:\Windows\System\BSccXmY.exe
C:\Windows\System\BSccXmY.exe
2⤵
PID:12324

C:\Windows\System\dssYNDW.exe
C:\Windows\System\dssYNDW.exe
2⤵
PID:12360

C:\Windows\System\vKbJmnn.exe
C:\Windows\System\vKbJmnn.exe
2⤵
PID:12384

C:\Windows\System\BaVORPZ.exe
C:\Windows\System\BaVORPZ.exe
2⤵
PID:12412

C:\Windows\System\iPjWTBf.exe
C:\Windows\System\iPjWTBf.exe
2⤵
PID:12432

C:\Windows\System\GXjVuFv.exe
C:\Windows\System\GXjVuFv.exe
2⤵
PID:12452

C:\Windows\System\yEzcPhc.exe
C:\Windows\System\yEzcPhc.exe
2⤵
PID:12492

C:\Windows\System\OtisaBt.exe
C:\Windows\System\OtisaBt.exe
2⤵
PID:12528

C:\Windows\System\pLfaBbG.exe
C:\Windows\System\pLfaBbG.exe
2⤵
PID:12588

C:\Windows\System\SBATMlz.exe
C:\Windows\System\SBATMlz.exe
2⤵
PID:12612

C:\Windows\System\fyWhaJq.exe
C:\Windows\System\fyWhaJq.exe
2⤵
PID:12640

C:\Windows\System\YEsfSkV.exe
C:\Windows\System\YEsfSkV.exe
2⤵
PID:12660

C:\Windows\System\fnaANsp.exe
C:\Windows\System\fnaANsp.exe
2⤵
PID:12680

C:\Windows\System\sPXjbAB.exe
C:\Windows\System\sPXjbAB.exe
2⤵
PID:12704

C:\Windows\System\ergzvVe.exe
C:\Windows\System\ergzvVe.exe
2⤵
PID:12720

C:\Windows\System\TydwMcE.exe
C:\Windows\System\TydwMcE.exe
2⤵
PID:12756

C:\Windows\System\VmXPZuX.exe
C:\Windows\System\VmXPZuX.exe
2⤵
PID:12772

C:\Windows\System\jeRRrCP.exe
C:\Windows\System\jeRRrCP.exe
2⤵
PID:12792

C:\Windows\System\korFeDU.exe
C:\Windows\System\korFeDU.exe
2⤵
PID:12808

C:\Windows\System\gepKOsa.exe
C:\Windows\System\gepKOsa.exe
2⤵
PID:12832

C:\Windows\System\bzLgfMT.exe
C:\Windows\System\bzLgfMT.exe
2⤵
PID:12852

C:\Windows\System\AAfPBKe.exe
C:\Windows\System\AAfPBKe.exe
2⤵
PID:12880

C:\Windows\System\bqAUqoL.exe
C:\Windows\System\bqAUqoL.exe
2⤵
PID:12900

C:\Windows\System\wlDCJwO.exe
C:\Windows\System\wlDCJwO.exe
2⤵
PID:12928

C:\Windows\System\CVrHTum.exe
C:\Windows\System\CVrHTum.exe
2⤵
PID:12944

C:\Windows\System\qeMvqLC.exe
C:\Windows\System\qeMvqLC.exe
2⤵
PID:13000

C:\Windows\System\yrlycsI.exe
C:\Windows\System\yrlycsI.exe
2⤵
PID:13028

C:\Windows\System\agJzqhA.exe
C:\Windows\System\agJzqhA.exe
2⤵
PID:13092

C:\Windows\System\UPKJfyZ.exe
C:\Windows\System\UPKJfyZ.exe
2⤵
PID:13112

C:\Windows\System\tXGTdwY.exe
C:\Windows\System\tXGTdwY.exe
2⤵
PID:13164

C:\Windows\System\LlenIKR.exe
C:\Windows\System\LlenIKR.exe
2⤵
PID:13200

C:\Windows\System\LKqRLkC.exe
C:\Windows\System\LKqRLkC.exe
2⤵
PID:13220

C:\Windows\System\YbWGCth.exe
C:\Windows\System\YbWGCth.exe
2⤵
PID:13256

C:\Windows\System\OVjpntr.exe
C:\Windows\System\OVjpntr.exe
2⤵
PID:13292

C:\Windows\System\BGvyxiC.exe
C:\Windows\System\BGvyxiC.exe
2⤵
PID:12304

C:\Windows\System\jJBYdgJ.exe
C:\Windows\System\jJBYdgJ.exe
2⤵
PID:12320

C:\Windows\System\MUDwKcA.exe
C:\Windows\System\MUDwKcA.exe
2⤵
PID:12372

C:\Windows\System\hWQBmxG.exe
C:\Windows\System\hWQBmxG.exe
2⤵
PID:12424

C:\Windows\System\aGptNDo.exe
C:\Windows\System\aGptNDo.exe
2⤵
PID:12480

C:\Windows\System\ncXSnKO.exe
C:\Windows\System\ncXSnKO.exe
2⤵
PID:12544

C:\Windows\System\tfMPRlH.exe
C:\Windows\System\tfMPRlH.exe
2⤵
PID:12600

C:\Windows\System\HUtmZir.exe
C:\Windows\System\HUtmZir.exe
2⤵
PID:12648

C:\Windows\System\nObeypJ.exe
C:\Windows\System\nObeypJ.exe
2⤵
PID:12716

C:\Windows\System\RCpKvyL.exe
C:\Windows\System\RCpKvyL.exe
2⤵
PID:12980

C:\Windows\System\eHwRdNN.exe
C:\Windows\System\eHwRdNN.exe
2⤵
PID:13020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4168,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:5396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:832

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12212

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8820

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:5748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10224

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:7184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7600

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7300

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6932

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9320

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11472

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9184

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4404

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LH3V79HX\microsoft.windows[1].xml
Filesize
97B

MD5
de1306e442e8f8a902d2623363175928

SHA1
d5b28352c742e56b522112dbea4b9dd50bb26721

SHA256
34f21a5c66749b3afe1a5f2a9fbfb0b34084c19cd7b576ef854778b795bc1af8

SHA512
b727a28ac0640130790fd0bc43229dec8c1e8ec3170131ab7434339dc6171f5a5c6c31276439354f203bbb42b37d8771fbd991cc280acef4e0756acc161a926d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133627597084804078.txt
Filesize
75KB

MD5
ec861d1b31e9e99a4a6548f1e0b504e1

SHA1
8bf1243597aba54793caf29c5e6c258507f15652

SHA256
9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

SHA512
30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_er2fqpr5.u20.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CgNEims.exe
Filesize
1.6MB

MD5
93b9a193b4e6a21004b27cd06aa61d9f

SHA1
7de158f65a4641a278daa2054b00201b1ee4a1cd

SHA256
d5be5525e02f6d4085f74968d2499c8fa3294575a0c349aa311dfaf7b8be2eb0

SHA512
6d8ed6f995295254e09a1876e45ce6307c8ae694330b5937f7d9aa25c1eba54e1a0cd0a6111f2be42f4bdf367a3cb08ac036200ffdb70885196cc8f19e8c1dd4

Download Submit
C:\Windows\System\HwmblCG.exe
Filesize
1.6MB

MD5
15ae6b6924d1775ccbccd53f2f744abe

SHA1
8538e34967e4619f1e0b5e5927725a945f99dfcb

SHA256
3af467007e7ee8abf409097161c4601ccb78cb5aa730a010598e85952cd949a6

SHA512
79a456fbe975df81a11ad0a04c570e0b1cd648d17df5d7fc300b638b7df4fcc756a4700fc07c2809ff136ba1a53f0bceae5dca4daef2581d0775833be67c994a

Download Submit
C:\Windows\System\IPOwzGT.exe
Filesize
1.6MB

MD5
bcdf6b3cc67d0999a80df63d8320123e

SHA1
407fd5522fb9e7f2d41d3d4c8f3c07116a14ad0e

SHA256
cebe67f68e6e9f3b6865a1e3e6309fc05dc36dbc1dc2bf83525c50a2b6a1f750

SHA512
2fa341fbf5fa8ca1904c1e4eaf6af79b23cc447ca1d3b022ace0a79ca3abab93604c23bdc2dbd58c2717a862d95000071aaaa79281cd867b4a2a2e60fd9512bd

Download Submit
C:\Windows\System\PtHygGf.exe
Filesize
1.6MB

MD5
5165eafb8a7475f48765581e0e4891b7

SHA1
fef4ca84515233576a34dbd378bddfbad87b696e

SHA256
f8eb1b93d5a169e242b27e66d5d495d9c96ab4782da9a15c221d66b97a7f0c3d

SHA512
73329d0fcd9f4edb80d5199ffcaae30d167e5c35190296d19eef7e1eee40d4247126f25181d1f041b715e30faf412b0a91b506be7c68b6564215f92e81aabf00

Download Submit
C:\Windows\System\QjGQrCH.exe
Filesize
1.6MB

MD5
7112b97f5f7177a9eac4b85f6b82d07b

SHA1
70a60c41631eeba346ba4f36193db52a4f583425

SHA256
0d9ac015be55bafcea5d3e42662f2b36e695296e7266d658fb6f8e5a8db0600a

SHA512
4aee4ee7be5bf3b1302593271808967a91617f567849ac5b7f06209367f3b95f2c7da0e7fd86f3fbd6b606a8bcf5e11082991d791eb11dbf2955811eab9ea9c2

Download Submit
C:\Windows\System\RCUfeaX.exe
Filesize
1.6MB

MD5
4da69e9bfd31d0dd7f1e8025e61b1d34

SHA1
4f70dca9e82da6169a35dcd5379c42225abcb389

SHA256
aa8fa9a5c91f6953bf963ae9476988858ca5803a8e2a92cdf453b6b26a40b7c3

SHA512
7a6223a78a6b5dd868c9d851c5a7a5556f5e0b9161db7b9497175c33f23a84930921ba7d20cb9fb59163da80a7759e5272cf15ea378b3e94da4835b624406072

Download Submit
C:\Windows\System\RdEdqzy.exe
Filesize
1.6MB

MD5
1df8aa20e2a5ce6eb8194359e050628e

SHA1
ac79160b23294079d59a0f65ec3d06841d79871f

SHA256
230b6f3458a9e0ebf4f3d63080866d1c9cfdf0d8aee38a61c88d9418b7c93f3c

SHA512
9e5bf52391347bbf2905c4ffad94e5809eed849bc7f207366183866e7c4210d3eb4e424f2e2dd641be78cd77caef323253ccaeba1f02fe96584cde6df42f884e

Download Submit
C:\Windows\System\SUoppDE.exe
Filesize
1.6MB

MD5
d9c755ca9c6acaa454a20a8cfc3e927c

SHA1
a0ee5e02425909e93a39b43a4d774dbd2e54c95a

SHA256
6cd1435b26f6c9196e30493927c00cd9e12401a2531a6e515231c0b0d9e55371

SHA512
77d440a75bccab112585a4b69516999ef01dc93786fa4618bc8964b931da753461db74dd698352ee4e5b87e84bfc13b08d39f77e946abc846b9286b8ac3ff1b9

Download Submit
C:\Windows\System\VSsDrNE.exe
Filesize
1.6MB

MD5
20c0b338ae7c4b9d020446d977f9f513

SHA1
0249d7872b169340c01a641d130ff9e09d7b27dc

SHA256
38a34391cf01d5dbd19c159ed223bfe13ec0874cfd467deae6b55e103594fd41

SHA512
6082eed77a649a89e2b4e276bc02cba10fb5c7b45ab939991b0eb2578e2e4bd50843dd151f7ff37d43993819373d996f81ae5e3c21700e36f8579b4fd94a54d7

Download Submit
C:\Windows\System\XQTtzST.exe
Filesize
1.6MB

MD5
78e06e73e5e9b88e67dc65b53cd5df66

SHA1
5598ebaf65f3bd5af63848d09ae93147f779a101

SHA256
c41155dbe5fdddef58e2f38c884738a24667c5b9a24d90abc87084309e61fdc9

SHA512
aee27a7aa13df6bc93b7581f32979d6345083f401c2293a3dc1efe274377ca71566c08520acc8b34f5d336c1c8f16fe2b7942f8c5174a5be32571172d95ae71e

Download Submit
C:\Windows\System\YrINZoJ.exe
Filesize
1.6MB

MD5
e5faa2685e6e8198cc05a86824b84659

SHA1
cf672859b51fcf6c099397afa6143481f22872f8

SHA256
78048d53ad39e64bb1d31f6228f9f62dfd7f76b0bd46307ad0815e494a778de4

SHA512
8eb16c0fc088eca8da8e1c5c1c8e809895462662f6b07030f39ece60bf9136a7938b1561903832cdf6a916b1b05efddcd313b878f4d9373eb20a24fb7c11454b

Download Submit
C:\Windows\System\aTwTwnd.exe
Filesize
1.6MB

MD5
5f8b0fcaf78d69f79f15afdd54fb82f5

SHA1
fc9046a507dbcfad34269740b91d4f0c29aae297

SHA256
e69dd0b1f518aeb705ebe8907176c1dc955387d9d51c1f18b9b6e7c54e4b393b

SHA512
186269b6b7efa29870229b4b104333833cbcdf0c5ad65f7cf327b6ff0645abd3f8bd4ddce031657aaeeb68fcfb79c577228a87105662e6e2412d31c07cf4bc93

Download Submit
C:\Windows\System\apclgLI.exe
Filesize
1.6MB

MD5
5bdd0d80683b9d43bbf4b1ef60e9b686

SHA1
e1f7aba3e065485174ae4859e9d0ce0e9ec1195b

SHA256
ac14b9b8704fc18a3e847787fb874ef929c88bfc4744aab329010e46a20537e6

SHA512
53cf554cce4b1d0e376caf356a11856ab29a62df32483be849cf0657e913a176506065c4aaa3455ee91ade959a50c7b932b08486eee7c4e25beb2b6e9a83ec6f

Download Submit
C:\Windows\System\ccVncHe.exe
Filesize
1.6MB

MD5
ad0ff80f435612b634c5952426ff74c2

SHA1
19c3be15bbb169a35dbed495f38fed673e0262be

SHA256
843fb018763aa01b73f17bc03384a0d1b8349bb397bbc30faf6d63c79fbd174a

SHA512
2c4e182e279648c6e47e2f6f2ef09a879d1ca32f0824e448b805f77b4f29279df907fb4e4cc4a854582d34fb38c822ee9598ed7395f256b58e3ed60c71ec3b9e

Download Submit
C:\Windows\System\fTTgQna.exe
Filesize
1.6MB

MD5
ee5aac64e82eb916887adfb7a90d7903

SHA1
b7f6f114e65c6e180b64787eb06dd93f86fb8ab0

SHA256
7cc3205ed17dbd641d9cf8ca2b33752b927cb4288587a0f4a979529f19dd8510

SHA512
ad601cae619d6ecb7b9b7d59bdc28c3293478c4de74e5f84d31468c32554a512552b17bc57c4a10a38ac388eecb952bed3e3f48c0972d40024d4c8ed28eb22bf

Download Submit
C:\Windows\System\ftUyhaz.exe
Filesize
1.6MB

MD5
7d06788397cd2abad3526d68dd09f4ae

SHA1
954e98801bafdac9b2978dee2227aecef3abb8b7

SHA256
ebdcc266158a00c7c32efa137012fd6f9b3c910e9d864cadecb9b7d580f14aa5

SHA512
eb84b413ae863f8182ee8430967c17ce34ec3eef204547fc87530c819cad491f387a00b4adeacdf2a198459b65d3b06f512e56344a3b6868de44d38a7972b868

Download Submit
C:\Windows\System\hiotGkt.exe
Filesize
1.6MB

MD5
c91ec06d57aa6aea5bdce064e1a6b898

SHA1
b326ce68d9579fd32bb977928856b92b1a1a9ef2

SHA256
89c78c889f03e0a0850746646bccde4bb2ad6ae025c44531959b17af856404a7

SHA512
75ba216b96c130ca19176d3ae28afd48333c03fc53e407173003a4862f36a2865a015127a23aee690c493c6e0b3f9d7a25188d2979d7fd569e5c93f26115971e

Download Submit
C:\Windows\System\jzIopth.exe
Filesize
1.6MB

MD5
abb3b8c9cb5c3cc779b19078098ab96b

SHA1
c0e4f6fe18f359b5a21e03f5b29c1be4bfdb8f71

SHA256
264ba523a53d0932389e0a598386f61917f99f4901fdf770fa0a80f4b8066dca

SHA512
83c0a6b440fc24419ed22f4042b68b424dc73d5a8e99292388947bbbc3e2533f373db3d925e48038bfc8ea5b699b2e65bc0e3b08665d619c11257bc6b3d9012f

Download Submit
C:\Windows\System\lFbNZEF.exe
Filesize
1.6MB

MD5
51bffacfd5d1d011b1da591ce8771720

SHA1
6a8b8bf3b3a744719d09add896b3c31c660c6a16

SHA256
0473da583075a14bab9788f1342ce8d4207f4edbfaea0b889ad6a0fb8fbffb26

SHA512
1436d3129b1bc950d0f58a62bd84e04fd63f1161ea922f0ad6cbe036b9af42ca947cab3df83f74c5ecd81daa41e25ae637342cd33318538dee4774e8bb09d6a1

Download Submit
C:\Windows\System\lTfPfop.exe
Filesize
1.6MB

MD5
9e5e32797deb7fb39a81057f8128c095

SHA1
48ecf0378e9e0bdbd7b494f388b6b8f88401fd14

SHA256
63f68012c72693fbba0efc0734140c713d55def26218ff033a9561be9664b73d

SHA512
6369cbb0e5fda63e4127c2d100bd0b85eaa1176cb86db7b0b5f2ce5c3dfa357e034d6031a227ca075ed3fbd630b98d59b5008863dd86522a2f4f9cfe8c8e4448

Download Submit
C:\Windows\System\laaHjvu.exe
Filesize
1.6MB

MD5
af2ce6343e2e2447df8512a45b9d3b9d

SHA1
49f961b83a6394cf7def498c6423d8d0620211f0

SHA256
664cee42f98c6deb306aa02f4c1a6aad66243d945c855342a6a61c168cf33998

SHA512
a00898e60d0444091862bb4a27aaa25b8af5d8fe059d2f1b1aab543118bc246383fbf26e59b9ccef54c8a8b17a270696c1989cf6d92141c9fc565dc3ffd9dbe0

Download Submit
C:\Windows\System\mbFMNHX.exe
Filesize
1.6MB

MD5
46d8120e1016cd1f3fbf07035727c46c

SHA1
fd3a3f13b127a2ed0abb59ea7497825757988c81

SHA256
27b4e93a89cd59a1e919f0bae050c1e8009f51be278ed9881cbc657a97b21e7f

SHA512
fb8facc438fd87d2c59cbb17fba1660e2446a06b8958c57bb32da9ad70e838f1cc86932656911749f5665092218b11c1a9900e907a64f6377a048b5e8d5183d0

Download Submit
C:\Windows\System\okpqglc.exe
Filesize
1.6MB

MD5
7032f1ca25f414ae375f81f2574d8752

SHA1
58b34a86509722f727764ab5de4eb8e7de9a2a1e

SHA256
c672e495087fed5de3dbcf5b171d5ccd2b66bb9b1fc659d2b69836a4af59f630

SHA512
6f11740995111cf512ae0ab9c848dc2400f56c5b9ba396606fc530403ea519701483de286cb31a7cfd61f38dd7f9c511f09a14649aa6a2124327a793fd715e74

Download Submit
C:\Windows\System\pEmheoo.exe
Filesize
1.6MB

MD5
7937d87bcb11e592797286883c2f6dad

SHA1
bb38fc6aff83430f5861238ce77adc4b0d75db70

SHA256
cdc4dde80a14ad1341bad29a4085d3589ce8660d8fb0d25b76762705d013a6fd

SHA512
3b230033b82a7bc4812dd2691c79fe5b891e67d8befa3acdf0011d11e43e122b0292c6de8c7b3b15ce412eb744efe0e5690a3f34e5152380b4b7207261e14df5

Download Submit
C:\Windows\System\rtfeKkF.exe
Filesize
1.6MB

MD5
45be6b737903a6e0423c7a58dace0002

SHA1
40129ef1cf8a29d880b6bc457f34de967c2a7054

SHA256
d254095ef94e5a1c2efe9a26f70bab7ebfa72319a94d35cc7712e91cebc7da6e

SHA512
4138b0643842444d03af6d57818e57d7ced6561be114b62f5e479e024a37dc9a19bd42a83dedcdcd130801d320ba1bd0faf7bea51877f743856bb75fa422f603

Download Submit
C:\Windows\System\sFVTSRL.exe
Filesize
1.6MB

MD5
3667b976d33a0f178de62c9af59955a6

SHA1
091ac50887b947f2b0a9f697a832a0f1b8f610f2

SHA256
c7f4bf45bce1a38f702205870f4bc97a92a9df2920ff65270b7848d8c1126edb

SHA512
6e597ca4799e775c2d74e2033525fd4c6adf486993e2d824edcfc9f32c579cbc8f5e85719c8078eaae3867380647f4a238666fd1c0be29b2acbf46015b9ade7c

Download Submit
C:\Windows\System\tYQDfah.exe
Filesize
1.6MB

MD5
74095ede78cd680cc9f5fd877098ddd3

SHA1
4eb131b69abc184dd7e16415ed20e4da74d88c31

SHA256
e54ebba1b2ba46fdb8ce44db1c16f7d7b82969f5d8e627c15d55cf11c22a6f7e

SHA512
566d4163ec3f65223582536293220eb382af8dba3043d8b051dba1f25827cb39ab4222ff177a97278a7756c032d597678643656b013f6d85621b0a0ad7fbb4bc

Download Submit
C:\Windows\System\vKdbnhm.exe
Filesize
1.6MB

MD5
d4ecb9110b28a90938e95935fc2b9845

SHA1
d6dc95100e71f0e89c06e5bbe90e89e46d6e7039

SHA256
75cc920ace9a931d92859c5b401688ba9f9dc8b1c1ce270c5cf86637366348a0

SHA512
7a085377a4824481d6de4d780f42fbb8160982e93239eaf954ad03625c49e57cdab8a3d613e2315e52bf844e7b77028a98e741983a3e0ad6ca1a96ae80c81649

Download Submit
C:\Windows\System\vXzWkaT.exe
Filesize
1.6MB

MD5
176773fbbf5dce90013c293b3aa739bb

SHA1
debe0c7b86595d38ae2a6759d0da0b1edaee578a

SHA256
c4961c992a1d05d9e1ca2b188677d3e5c69e8a2979137c32605cceb20eb66e3b

SHA512
e378b6fad3d8288243519d78b59770a242a49c668b942deae1c78036faa711bd7ebf44089140eb51767d732f90452c34dd1b965b080b53e00907ec63e7364f18

Download Submit
C:\Windows\System\wDYTMdV.exe
Filesize
8B

MD5
67d893d1a2095d39d451d08ee1cc05e9

SHA1
dad7ef4487e41ff3c3e600250e691ed16832dc94

SHA256
cc871666e89dd430f5e3dc9cc361cd1a4ecf7214b4b8daeb86cca2257079f3ce

SHA512
7799e4db272ac6c136cb55f2e50c1582a5027767dc6d148dbf159fdb6f776a047cf2ac573fbb2f2ca5a994173cf0465c93ef3f6e6c86e8981136e854def9801d

Download Submit
C:\Windows\System\xPvWnKI.exe
Filesize
1.6MB

MD5
026575b569a901f88826e8a29e815ed9

SHA1
63e1050499bab7f0bdb811a631a7176a6676ce82

SHA256
4127a459046356f0bb3f3b27c49cbf093e89e22dc47b80a7dbf8ff7899a7b895

SHA512
020b85243fa9f5306ed3131b392bb743b70646ecbf05e374dd7c909f3f2c49c32271c42c123bd6567c9a8c11cc0b89eec24164fbdcbf113159452382112bb590

Download Submit
C:\Windows\System\zYhdmZi.exe
Filesize
1.6MB

MD5
5ac3cd7f87a29fb208e719902246a6de

SHA1
e5fb24e681c6a81520aaede85d5ae4aabd216a05

SHA256
eda7dd1a6fc0ad6acb563f13a63ea1f3d79714fa62524e49ecf3656e95530df6

SHA512
ab77ff72f1a08b94e63c01551a3e71e043eb3ac1a0c334e9e50c6f46c01f670d37b63afe9d8cd2d016152af158e392c9d407365c4eeee532e3fe4d55afea70b2

Download Submit
C:\Windows\System\zaiqPaj.exe
Filesize
1.6MB

MD5
601abe3e9c6506773c4e3b9f0fd1a37d

SHA1
fc8a89f95f5055b82b958ae55e31977e48f6a42d

SHA256
75f43fd830da9dfafac13cabf6a9fd15099a3e6fb3918d55010b007d99bd96b6

SHA512
b2405b33e683740dc86f0c0f72d5880235252c4b44daa8e303f8c53091688451399a5961840166e24b63b8d885cabf06b0406f8b310e0a83125350a989c99a3d

Download Submit
C:\Windows\System\zjvilka.exe
Filesize
1.6MB

MD5
852e6c8ee1ef6ca72d530de3a3e65c27

SHA1
fb8e61b51b7580a5bf494744bd8054f2320da977

SHA256
4f8581b871e0b198ca2abf2b5234162bbc66eab8d5efc889f7b49ebd63ed349d

SHA512
d4c7d0e4eb428a2f3d2ad260f106d67113e2683bb41d359974f2545a57af7654f8dcbdab278924888ba2cb0e5892aa5ab45a85303fa319149a0c9c81d069ef7d

Download Submit
memory/60-3681-0x00007FF78DE10000-0x00007FF78E202000-memory.dmp

Filesize
3.9MB

Download
memory/60-376-0x00007FF78DE10000-0x00007FF78E202000-memory.dmp

Filesize
3.9MB

Download
memory/788-3699-0x00007FF7E2220000-0x00007FF7E2612000-memory.dmp

Filesize
3.9MB

Download
memory/788-380-0x00007FF7E2220000-0x00007FF7E2612000-memory.dmp

Filesize
3.9MB

Download
memory/960-3679-0x00007FF721660000-0x00007FF721A52000-memory.dmp

Filesize
3.9MB

Download
memory/960-375-0x00007FF721660000-0x00007FF721A52000-memory.dmp

Filesize
3.9MB

Download
memory/1444-3702-0x00007FF7AA510000-0x00007FF7AA902000-memory.dmp

Filesize
3.9MB

Download
memory/1444-382-0x00007FF7AA510000-0x00007FF7AA902000-memory.dmp

Filesize
3.9MB

Download
memory/1928-372-0x00007FF79CB60000-0x00007FF79CF52000-memory.dmp

Filesize
3.9MB

Download
memory/1928-3671-0x00007FF79CB60000-0x00007FF79CF52000-memory.dmp

Filesize
3.9MB

Download
memory/1948-370-0x00007FF780B30000-0x00007FF780F22000-memory.dmp

Filesize
3.9MB

Download
memory/1948-3634-0x00007FF780B30000-0x00007FF780F22000-memory.dmp

Filesize
3.9MB

Download
memory/1976-75-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp

Filesize
3.9MB

Download
memory/1976-3628-0x00007FF731BA0000-0x00007FF731F92000-memory.dmp

Filesize
3.9MB

Download
memory/2016-3635-0x00007FF6289F0000-0x00007FF628DE2000-memory.dmp

Filesize
3.9MB

Download
memory/2016-368-0x00007FF6289F0000-0x00007FF628DE2000-memory.dmp

Filesize
3.9MB

Download
memory/2664-3687-0x00007FF6B0EE0000-0x00007FF6B12D2000-memory.dmp

Filesize
3.9MB

Download
memory/2664-379-0x00007FF6B0EE0000-0x00007FF6B12D2000-memory.dmp

Filesize
3.9MB

Download
memory/2948-373-0x00007FF674EC0000-0x00007FF6752B2000-memory.dmp

Filesize
3.9MB

Download
memory/2948-3675-0x00007FF674EC0000-0x00007FF6752B2000-memory.dmp

Filesize
3.9MB

Download
memory/2956-3683-0x00007FF7BD750000-0x00007FF7BDB42000-memory.dmp

Filesize
3.9MB

Download
memory/2956-377-0x00007FF7BD750000-0x00007FF7BDB42000-memory.dmp

Filesize
3.9MB

Download
memory/2960-374-0x00007FF63A600000-0x00007FF63A9F2000-memory.dmp

Filesize
3.9MB

Download
memory/2960-3677-0x00007FF63A600000-0x00007FF63A9F2000-memory.dmp

Filesize
3.9MB

Download
memory/3160-371-0x00007FF7261D0000-0x00007FF7265C2000-memory.dmp

Filesize
3.9MB

Download
memory/3160-3642-0x00007FF7261D0000-0x00007FF7265C2000-memory.dmp

Filesize
3.9MB

Download
memory/3316-386-0x00007FF79BBB0000-0x00007FF79BFA2000-memory.dmp

Filesize
3.9MB

Download
memory/3316-3673-0x00007FF79BBB0000-0x00007FF79BFA2000-memory.dmp

Filesize
3.9MB

Download
memory/3428-33-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp

Filesize
3.9MB

Download
memory/3428-3629-0x00007FF6D5EE0000-0x00007FF6D62D2000-memory.dmp

Filesize
3.9MB

Download
memory/3700-15-0x00007FF6FF220000-0x00007FF6FF612000-memory.dmp

Filesize
3.9MB

Download
memory/3700-3625-0x00007FF6FF220000-0x00007FF6FF612000-memory.dmp

Filesize
3.9MB

Download
memory/3724-3685-0x00007FF64DD60000-0x00007FF64E152000-memory.dmp

Filesize
3.9MB

Download
memory/3724-378-0x00007FF64DD60000-0x00007FF64E152000-memory.dmp

Filesize
3.9MB

Download
memory/3756-3705-0x00007FF717650000-0x00007FF717A42000-memory.dmp

Filesize
3.9MB

Download
memory/3756-383-0x00007FF717650000-0x00007FF717A42000-memory.dmp

Filesize
3.9MB

Download
memory/3920-384-0x00007FF786360000-0x00007FF786752000-memory.dmp

Filesize
3.9MB

Download
memory/3920-3643-0x00007FF786360000-0x00007FF786752000-memory.dmp

Filesize
3.9MB

Download
memory/4108-0-0x00007FF74F010000-0x00007FF74F402000-memory.dmp

Filesize
3.9MB

Download
memory/4108-1-0x0000024299BD0000-0x0000024299BE0000-memory.dmp

Filesize
64KB

Download
memory/4184-3639-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp

Filesize
3.9MB

Download
memory/4184-39-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp

Filesize
3.9MB

Download
memory/4184-3465-0x00007FF6D1800000-0x00007FF6D1BF2000-memory.dmp

Filesize
3.9MB

Download
memory/4404-3624-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp

Filesize
3.9MB

Download
memory/4404-22-0x00007FF67D820000-0x00007FF67DC12000-memory.dmp

Filesize
3.9MB

Download
memory/4716-3637-0x00007FF6B1220000-0x00007FF6B1612000-memory.dmp

Filesize
3.9MB

Download
memory/4716-385-0x00007FF6B1220000-0x00007FF6B1612000-memory.dmp

Filesize
3.9MB

Download
memory/4856-3631-0x00007FF777C70000-0x00007FF778062000-memory.dmp

Filesize
3.9MB

Download
memory/4856-76-0x00007FF777C70000-0x00007FF778062000-memory.dmp

Filesize
3.9MB

Download
memory/4880-3703-0x00007FF713260000-0x00007FF713652000-memory.dmp

Filesize
3.9MB

Download
memory/4880-381-0x00007FF713260000-0x00007FF713652000-memory.dmp

Filesize
3.9MB

Download
memory/5000-58-0x000001B579FD0000-0x000001B579FF2000-memory.dmp

Filesize
136KB

Download
memory/5000-367-0x000001B57ACE0000-0x000001B57B486000-memory.dmp

Filesize
7.6MB

Download