xmrig | 51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9

Analysis

max time kernel
59s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
Size

1.7MB
MD5

f6ae5762591e6783f2bce18c3afa4292
SHA1

3a49673d4858a567ad5a2d72ebc4e10050231d52
SHA256

51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9
SHA512

c1a77827535dbcd64986793ccc7474bf3a85485db5f36a40aca31766d6c0cca3a8c5225b9b4efd58d047f459026e67e42d04b7b98b0814d6a04101f77880aaf9
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIR1Dy2NRGK3J78:GemTLkNdfE0pZas

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/files/0x00070000000233f2-9.dat	xmrig
behavioral2/files/0x00070000000233f3-15.dat	xmrig
behavioral2/files/0x00070000000233f4-20.dat	xmrig
behavioral2/files/0x00070000000233f7-28.dat	xmrig
behavioral2/files/0x00070000000233f5-25.dat	xmrig
behavioral2/files/0x00070000000233f8-34.dat	xmrig
behavioral2/files/0x00070000000233fb-53.dat	xmrig
behavioral2/files/0x00070000000233fa-57.dat	xmrig
behavioral2/files/0x00070000000233fc-64.dat	xmrig
behavioral2/files/0x00070000000233fe-72.dat	xmrig
behavioral2/files/0x0007000000023400-83.dat	xmrig
behavioral2/files/0x000700000002340b-138.dat	xmrig
behavioral2/files/0x0007000000023411-162.dat	xmrig
behavioral2/files/0x000700000002340f-160.dat	xmrig
behavioral2/files/0x0007000000023410-157.dat	xmrig
behavioral2/files/0x000700000002340e-153.dat	xmrig
behavioral2/files/0x000700000002340d-148.dat	xmrig
behavioral2/files/0x000700000002340c-143.dat	xmrig
behavioral2/files/0x000700000002340a-133.dat	xmrig
behavioral2/files/0x0007000000023409-128.dat	xmrig
behavioral2/files/0x0007000000023408-123.dat	xmrig
behavioral2/files/0x0007000000023407-118.dat	xmrig
behavioral2/files/0x0007000000023406-113.dat	xmrig
behavioral2/files/0x0007000000023405-108.dat	xmrig
behavioral2/files/0x0007000000023404-102.dat	xmrig
behavioral2/files/0x0007000000023403-98.dat	xmrig
behavioral2/files/0x0007000000023402-92.dat	xmrig
behavioral2/files/0x0007000000023401-88.dat	xmrig
behavioral2/files/0x00070000000233ff-78.dat	xmrig
behavioral2/files/0x00080000000233ef-70.dat	xmrig
behavioral2/files/0x00070000000233fd-60.dat	xmrig
behavioral2/files/0x00070000000233f9-52.dat	xmrig

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3948	sRdZFNj.exe
2644	WmzKdso.exe
1492	cAuoyCD.exe
552	eZPTufa.exe
2092	DNHZkNl.exe
1312	tJzTmuB.exe
376	XqBUfEC.exe
3620	LyNzoWJ.exe
3160	tTuQujd.exe
1696	pTQfeYh.exe
1308	DdBMDqH.exe
2244	BjdmjJH.exe
4004	wuSxBcz.exe
2456	BaFKfCz.exe
2912	udZzdEh.exe
1664	uQgHZSW.exe
2708	psHRrJd.exe
3516	MhKdKqw.exe
900	bvWgDkk.exe
3952	zUHipdG.exe
2120	rykymyX.exe
1684	aknaYYs.exe
4900	lJEddEj.exe
1928	YReadpj.exe
4188	NRvDrVd.exe
4984	WzZtjAy.exe
4068	jpOjtTq.exe
2732	lpVmfUM.exe
3956	CbmzBhj.exe
1628	HyvUqfl.exe
2932	GzsSeGV.exe
548	AgGQabu.exe
4748	yrLxHNA.exe
4000	EnVSNNa.exe
864	rYGFDbC.exe
4040	PZwYqxu.exe
4688	Ywadugn.exe
4144	nZwVgVz.exe
3060	hWcUYuY.exe
2276	SPKJfQV.exe
3500	SbhMEXC.exe
432	swxjEah.exe
3512	VGZKdnC.exe
4252	YAtBSTX.exe
4536	iRdfgKq.exe
732	EuRlqio.exe
2752	RBXyphZ.exe
1204	RCxDyRN.exe
1480	UotEDLd.exe
2764	MIynRhT.exe
4404	pWOUIcK.exe
1244	mqwKwaO.exe
2844	NlkRSBt.exe
1632	dpkbUyY.exe
1252	llOMdjw.exe
4948	OQVBwAM.exe
1996	CnFTScX.exe
4440	RLqGDdq.exe
3996	FlKfVnF.exe
1008	jxasTBR.exe
1248	xdNaCTE.exe
1324	ZitVhdg.exe
3680	qgBgzZW.exe
4236	dhhDDSe.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\ediNBzn.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\BBINipB.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\PKBlQUU.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\SxRRTOE.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\pFBtOqM.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\QLmHMEF.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\KzRQtPX.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\oPelubF.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\UhqCDSR.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\fQmJxGK.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\zwZBWDl.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\gIXKPZL.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\HnTfTTh.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\WAgXyYk.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\nObbSnt.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\vOjxvis.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\hwUiUNk.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\hyQgSIW.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\oholNTl.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\cuceuoo.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\HgfFLuv.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\qMzwMeg.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\SWRAWZp.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\eSXShBW.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\yTaCgQb.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\yrCOEgc.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\FyytlIs.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\XCYYUgk.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\Ywadugn.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\WBCgPRZ.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\viNxGCO.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\OAZbUBB.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\wiEdqEs.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\aUJoQUT.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\BSCiuzt.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\LZpazYV.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\sVXPxNX.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\lkkrAOS.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\soNhKTg.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\tJzTmuB.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\hXxRtlk.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\gfahere.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\QzWgWzG.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\rIhVnjt.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\ZVudrxo.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\psrUJKD.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\NSgVSNp.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\KuMSrAV.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\MIynRhT.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\mmPWQPz.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\oqQnosY.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\DcLatzH.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\DEjHBWj.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\waUfiAb.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\fVWiBMa.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\ZOoUpaZ.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\sVdvQjP.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\HPjcJJl.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\EsHSQZQ.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\eyOtxXT.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\YWEvCgy.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\gnPprBN.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\iWwbePk.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
File created	C:\Windows\System\PLvudXU.exe	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{B5F95161-F2F0-4198-AD35-1550916D0FAB}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{55EF15DE-3B66-48C2-8C5C-FCDA131278FE}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{80937B50-2AA2-439E-B3F2-7E113C5031F5}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{827D61E9-6597-42E4-B15E-E1DD73CF7FD2}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{995B5AAE-36C4-4436-8E38-BF04B4C73856}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	16740	explorer.exe
Token: SeCreatePagefilePrivilege	16740	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	3480	explorer.exe
Token: SeCreatePagefilePrivilege	3480	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe
Token: SeShutdownPrivilege	16744	explorer.exe
Token: SeCreatePagefilePrivilege	16744	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
17080	sihost.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
16740	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
3480	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
16744	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe
18224	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4788	StartMenuExperienceHost.exe
4424	StartMenuExperienceHost.exe
2872	StartMenuExperienceHost.exe
14684	SearchApp.exe
17808	StartMenuExperienceHost.exe
17932	SearchApp.exe
2068	StartMenuExperienceHost.exe
1140	StartMenuExperienceHost.exe
3312	SearchApp.exe
7516	StartMenuExperienceHost.exe
7976	SearchApp.exe
9460	StartMenuExperienceHost.exe
10508	SearchApp.exe
12084	StartMenuExperienceHost.exe
1644	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3948	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	84
PID 1624 wrote to memory of 3948	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	84
PID 1624 wrote to memory of 2644	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	85
PID 1624 wrote to memory of 2644	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	85
PID 1624 wrote to memory of 1492	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	86
PID 1624 wrote to memory of 1492	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	86
PID 1624 wrote to memory of 552	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	87
PID 1624 wrote to memory of 552	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	87
PID 1624 wrote to memory of 2092	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	88
PID 1624 wrote to memory of 2092	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	88
PID 1624 wrote to memory of 1312	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	89
PID 1624 wrote to memory of 1312	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	89
PID 1624 wrote to memory of 376	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	90
PID 1624 wrote to memory of 376	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	90
PID 1624 wrote to memory of 3620	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	91
PID 1624 wrote to memory of 3620	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	91
PID 1624 wrote to memory of 3160	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	92
PID 1624 wrote to memory of 3160	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	92
PID 1624 wrote to memory of 1696	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	93
PID 1624 wrote to memory of 1696	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	93
PID 1624 wrote to memory of 1308	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	94
PID 1624 wrote to memory of 1308	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	94
PID 1624 wrote to memory of 2244	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	95
PID 1624 wrote to memory of 2244	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	95
PID 1624 wrote to memory of 2456	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	96
PID 1624 wrote to memory of 2456	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	96
PID 1624 wrote to memory of 4004	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	97
PID 1624 wrote to memory of 4004	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	97
PID 1624 wrote to memory of 2912	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	98
PID 1624 wrote to memory of 2912	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	98
PID 1624 wrote to memory of 1664	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	99
PID 1624 wrote to memory of 1664	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	99
PID 1624 wrote to memory of 2708	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	100
PID 1624 wrote to memory of 2708	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	100
PID 1624 wrote to memory of 3516	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	101
PID 1624 wrote to memory of 3516	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	101
PID 1624 wrote to memory of 900	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	102
PID 1624 wrote to memory of 900	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	102
PID 1624 wrote to memory of 3952	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	103
PID 1624 wrote to memory of 3952	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	103
PID 1624 wrote to memory of 2120	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	104
PID 1624 wrote to memory of 2120	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	104
PID 1624 wrote to memory of 1684	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	105
PID 1624 wrote to memory of 1684	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	105
PID 1624 wrote to memory of 4900	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	106
PID 1624 wrote to memory of 4900	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	106
PID 1624 wrote to memory of 1928	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	107
PID 1624 wrote to memory of 1928	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	107
PID 1624 wrote to memory of 4188	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	108
PID 1624 wrote to memory of 4188	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	108
PID 1624 wrote to memory of 4984	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	109
PID 1624 wrote to memory of 4984	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	109
PID 1624 wrote to memory of 4068	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	110
PID 1624 wrote to memory of 4068	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	110
PID 1624 wrote to memory of 2732	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	111
PID 1624 wrote to memory of 2732	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	111
PID 1624 wrote to memory of 3956	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	112
PID 1624 wrote to memory of 3956	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	112
PID 1624 wrote to memory of 1628	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	113
PID 1624 wrote to memory of 1628	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	113
PID 1624 wrote to memory of 2932	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	114
PID 1624 wrote to memory of 2932	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	114
PID 1624 wrote to memory of 548	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	115
PID 1624 wrote to memory of 548	1624	51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe
"C:\Users\Admin\AppData\Local\Temp\51dae1c766b29c4e7d9facf4f9ffb795e61789e1d1b631e4870561d0de058de9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\System\sRdZFNj.exe
  C:\Windows\System\sRdZFNj.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\WmzKdso.exe
  C:\Windows\System\WmzKdso.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\cAuoyCD.exe
  C:\Windows\System\cAuoyCD.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\eZPTufa.exe
  C:\Windows\System\eZPTufa.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\DNHZkNl.exe
  C:\Windows\System\DNHZkNl.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\tJzTmuB.exe
  C:\Windows\System\tJzTmuB.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System\XqBUfEC.exe
  C:\Windows\System\XqBUfEC.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\LyNzoWJ.exe
  C:\Windows\System\LyNzoWJ.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\tTuQujd.exe
  C:\Windows\System\tTuQujd.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\pTQfeYh.exe
  C:\Windows\System\pTQfeYh.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\DdBMDqH.exe
  C:\Windows\System\DdBMDqH.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\BjdmjJH.exe
  C:\Windows\System\BjdmjJH.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\BaFKfCz.exe
  C:\Windows\System\BaFKfCz.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\wuSxBcz.exe
  C:\Windows\System\wuSxBcz.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\udZzdEh.exe
  C:\Windows\System\udZzdEh.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\uQgHZSW.exe
  C:\Windows\System\uQgHZSW.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\psHRrJd.exe
  C:\Windows\System\psHRrJd.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\MhKdKqw.exe
  C:\Windows\System\MhKdKqw.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\bvWgDkk.exe
  C:\Windows\System\bvWgDkk.exe
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\System\zUHipdG.exe
  C:\Windows\System\zUHipdG.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\rykymyX.exe
  C:\Windows\System\rykymyX.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\aknaYYs.exe
  C:\Windows\System\aknaYYs.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\lJEddEj.exe
  C:\Windows\System\lJEddEj.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\YReadpj.exe
  C:\Windows\System\YReadpj.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\NRvDrVd.exe
  C:\Windows\System\NRvDrVd.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\WzZtjAy.exe
  C:\Windows\System\WzZtjAy.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\jpOjtTq.exe
  C:\Windows\System\jpOjtTq.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\lpVmfUM.exe
  C:\Windows\System\lpVmfUM.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\CbmzBhj.exe
  C:\Windows\System\CbmzBhj.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\HyvUqfl.exe
  C:\Windows\System\HyvUqfl.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\GzsSeGV.exe
  C:\Windows\System\GzsSeGV.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\AgGQabu.exe
  C:\Windows\System\AgGQabu.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\yrLxHNA.exe
  C:\Windows\System\yrLxHNA.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\EnVSNNa.exe
  C:\Windows\System\EnVSNNa.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\rYGFDbC.exe
  C:\Windows\System\rYGFDbC.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\PZwYqxu.exe
  C:\Windows\System\PZwYqxu.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\Ywadugn.exe
  C:\Windows\System\Ywadugn.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\nZwVgVz.exe
  C:\Windows\System\nZwVgVz.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\hWcUYuY.exe
  C:\Windows\System\hWcUYuY.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\SPKJfQV.exe
  C:\Windows\System\SPKJfQV.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\SbhMEXC.exe
  C:\Windows\System\SbhMEXC.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\swxjEah.exe
  C:\Windows\System\swxjEah.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\VGZKdnC.exe
  C:\Windows\System\VGZKdnC.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\YAtBSTX.exe
  C:\Windows\System\YAtBSTX.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\iRdfgKq.exe
  C:\Windows\System\iRdfgKq.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\EuRlqio.exe
  C:\Windows\System\EuRlqio.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\RBXyphZ.exe
  C:\Windows\System\RBXyphZ.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\RCxDyRN.exe
  C:\Windows\System\RCxDyRN.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\UotEDLd.exe
  C:\Windows\System\UotEDLd.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\MIynRhT.exe
  C:\Windows\System\MIynRhT.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\pWOUIcK.exe
  C:\Windows\System\pWOUIcK.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\mqwKwaO.exe
  C:\Windows\System\mqwKwaO.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\NlkRSBt.exe
  C:\Windows\System\NlkRSBt.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\dpkbUyY.exe
  C:\Windows\System\dpkbUyY.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\llOMdjw.exe
  C:\Windows\System\llOMdjw.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\OQVBwAM.exe
  C:\Windows\System\OQVBwAM.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\CnFTScX.exe
  C:\Windows\System\CnFTScX.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\RLqGDdq.exe
  C:\Windows\System\RLqGDdq.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\FlKfVnF.exe
  C:\Windows\System\FlKfVnF.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\jxasTBR.exe
  C:\Windows\System\jxasTBR.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\xdNaCTE.exe
  C:\Windows\System\xdNaCTE.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\ZitVhdg.exe
  C:\Windows\System\ZitVhdg.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\qgBgzZW.exe
  C:\Windows\System\qgBgzZW.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\dhhDDSe.exe
  C:\Windows\System\dhhDDSe.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\fZURyZn.exe
  C:\Windows\System\fZURyZn.exe
  2⤵
  PID:4692
- C:\Windows\System\kVVKkIn.exe
  C:\Windows\System\kVVKkIn.exe
  2⤵
  PID:3752
- C:\Windows\System\UGMLndp.exe
  C:\Windows\System\UGMLndp.exe
  2⤵
  PID:2648
- C:\Windows\System\LhYQfZc.exe
  C:\Windows\System\LhYQfZc.exe
  2⤵
  PID:5076
- C:\Windows\System\tPJZeMo.exe
  C:\Windows\System\tPJZeMo.exe
  2⤵
  PID:4636
- C:\Windows\System\XZdKrWm.exe
  C:\Windows\System\XZdKrWm.exe
  2⤵
  PID:3048
- C:\Windows\System\BxVUeFP.exe
  C:\Windows\System\BxVUeFP.exe
  2⤵
  PID:1924
- C:\Windows\System\MPqyUJa.exe
  C:\Windows\System\MPqyUJa.exe
  2⤵
  PID:3532
- C:\Windows\System\zkJBwpZ.exe
  C:\Windows\System\zkJBwpZ.exe
  2⤵
  PID:5008
- C:\Windows\System\ccpznCy.exe
  C:\Windows\System\ccpznCy.exe
  2⤵
  PID:1256
- C:\Windows\System\PjxLaNf.exe
  C:\Windows\System\PjxLaNf.exe
  2⤵
  PID:1016
- C:\Windows\System\RpGmpuQ.exe
  C:\Windows\System\RpGmpuQ.exe
  2⤵
  PID:2024
- C:\Windows\System\JSbhScC.exe
  C:\Windows\System\JSbhScC.exe
  2⤵
  PID:4196
- C:\Windows\System\EbDhpay.exe
  C:\Windows\System\EbDhpay.exe
  2⤵
  PID:2596
- C:\Windows\System\OQWLbRn.exe
  C:\Windows\System\OQWLbRn.exe
  2⤵
  PID:1780
- C:\Windows\System\WOJYUmS.exe
  C:\Windows\System\WOJYUmS.exe
  2⤵
  PID:220
- C:\Windows\System\gaDpKzw.exe
  C:\Windows\System\gaDpKzw.exe
  2⤵
  PID:3772
- C:\Windows\System\gquOJIz.exe
  C:\Windows\System\gquOJIz.exe
  2⤵
  PID:760
- C:\Windows\System\fxESDPt.exe
  C:\Windows\System\fxESDPt.exe
  2⤵
  PID:2164
- C:\Windows\System\tjvxzCZ.exe
  C:\Windows\System\tjvxzCZ.exe
  2⤵
  PID:2156
- C:\Windows\System\daeVECV.exe
  C:\Windows\System\daeVECV.exe
  2⤵
  PID:5152
- C:\Windows\System\sahiPrb.exe
  C:\Windows\System\sahiPrb.exe
  2⤵
  PID:5180
- C:\Windows\System\sSsYvAP.exe
  C:\Windows\System\sSsYvAP.exe
  2⤵
  PID:5204
- C:\Windows\System\UAOFidc.exe
  C:\Windows\System\UAOFidc.exe
  2⤵
  PID:5232
- C:\Windows\System\MRnJISw.exe
  C:\Windows\System\MRnJISw.exe
  2⤵
  PID:5260
- C:\Windows\System\oTdLpON.exe
  C:\Windows\System\oTdLpON.exe
  2⤵
  PID:5288
- C:\Windows\System\iKJkZRY.exe
  C:\Windows\System\iKJkZRY.exe
  2⤵
  PID:5320
- C:\Windows\System\xaDnonk.exe
  C:\Windows\System\xaDnonk.exe
  2⤵
  PID:5344
- C:\Windows\System\IuPspFz.exe
  C:\Windows\System\IuPspFz.exe
  2⤵
  PID:5376
- C:\Windows\System\gNZhdDs.exe
  C:\Windows\System\gNZhdDs.exe
  2⤵
  PID:5400
- C:\Windows\System\tfMWmld.exe
  C:\Windows\System\tfMWmld.exe
  2⤵
  PID:5428
- C:\Windows\System\lfExJMm.exe
  C:\Windows\System\lfExJMm.exe
  2⤵
  PID:5456
- C:\Windows\System\LQsoKrv.exe
  C:\Windows\System\LQsoKrv.exe
  2⤵
  PID:5488
- C:\Windows\System\skmKHgI.exe
  C:\Windows\System\skmKHgI.exe
  2⤵
  PID:5516
- C:\Windows\System\NlKgfho.exe
  C:\Windows\System\NlKgfho.exe
  2⤵
  PID:5544
- C:\Windows\System\JJngmto.exe
  C:\Windows\System\JJngmto.exe
  2⤵
  PID:5568
- C:\Windows\System\tGTThcr.exe
  C:\Windows\System\tGTThcr.exe
  2⤵
  PID:5596
- C:\Windows\System\OWQkekT.exe
  C:\Windows\System\OWQkekT.exe
  2⤵
  PID:5628
- C:\Windows\System\rszGHLq.exe
  C:\Windows\System\rszGHLq.exe
  2⤵
  PID:5652
- C:\Windows\System\SWRAWZp.exe
  C:\Windows\System\SWRAWZp.exe
  2⤵
  PID:5680
- C:\Windows\System\EHcTiRO.exe
  C:\Windows\System\EHcTiRO.exe
  2⤵
  PID:5708
- C:\Windows\System\zxmYKRz.exe
  C:\Windows\System\zxmYKRz.exe
  2⤵
  PID:5736
- C:\Windows\System\FHGPVjL.exe
  C:\Windows\System\FHGPVjL.exe
  2⤵
  PID:5764
- C:\Windows\System\DdFpAUx.exe
  C:\Windows\System\DdFpAUx.exe
  2⤵
  PID:5792
- C:\Windows\System\VwujaHR.exe
  C:\Windows\System\VwujaHR.exe
  2⤵
  PID:5820
- C:\Windows\System\XOFWODn.exe
  C:\Windows\System\XOFWODn.exe
  2⤵
  PID:5852
- C:\Windows\System\GBOpRUR.exe
  C:\Windows\System\GBOpRUR.exe
  2⤵
  PID:5880
- C:\Windows\System\FIXiHBj.exe
  C:\Windows\System\FIXiHBj.exe
  2⤵
  PID:5908
- C:\Windows\System\UqJIgjK.exe
  C:\Windows\System\UqJIgjK.exe
  2⤵
  PID:5932
- C:\Windows\System\yjJEvPS.exe
  C:\Windows\System\yjJEvPS.exe
  2⤵
  PID:5960
- C:\Windows\System\XXuuXKq.exe
  C:\Windows\System\XXuuXKq.exe
  2⤵
  PID:5988
- C:\Windows\System\lCpZQGz.exe
  C:\Windows\System\lCpZQGz.exe
  2⤵
  PID:6016
- C:\Windows\System\PAbftiF.exe
  C:\Windows\System\PAbftiF.exe
  2⤵
  PID:6044
- C:\Windows\System\XkDfkuC.exe
  C:\Windows\System\XkDfkuC.exe
  2⤵
  PID:6072
- C:\Windows\System\zVGIfvl.exe
  C:\Windows\System\zVGIfvl.exe
  2⤵
  PID:6100
- C:\Windows\System\LsbpjgN.exe
  C:\Windows\System\LsbpjgN.exe
  2⤵
  PID:6128
- C:\Windows\System\YWEvCgy.exe
  C:\Windows\System\YWEvCgy.exe
  2⤵
  PID:4024
- C:\Windows\System\rnTubra.exe
  C:\Windows\System\rnTubra.exe
  2⤵
  PID:2324
- C:\Windows\System\FZuTCmk.exe
  C:\Windows\System\FZuTCmk.exe
  2⤵
  PID:2144
- C:\Windows\System\mVbyzMC.exe
  C:\Windows\System\mVbyzMC.exe
  2⤵
  PID:3064
- C:\Windows\System\mpsrZqY.exe
  C:\Windows\System\mpsrZqY.exe
  2⤵
  PID:400
- C:\Windows\System\AAqIQxU.exe
  C:\Windows\System\AAqIQxU.exe
  2⤵
  PID:4140
- C:\Windows\System\fhXHduh.exe
  C:\Windows\System\fhXHduh.exe
  2⤵
  PID:5172
- C:\Windows\System\WAgXyYk.exe
  C:\Windows\System\WAgXyYk.exe
  2⤵
  PID:5228
- C:\Windows\System\FLDrbNB.exe
  C:\Windows\System\FLDrbNB.exe
  2⤵
  PID:5304
- C:\Windows\System\ucUTyOx.exe
  C:\Windows\System\ucUTyOx.exe
  2⤵
  PID:5368
- C:\Windows\System\UcOuGaf.exe
  C:\Windows\System\UcOuGaf.exe
  2⤵
  PID:5424
- C:\Windows\System\KKRnFeU.exe
  C:\Windows\System\KKRnFeU.exe
  2⤵
  PID:5480
- C:\Windows\System\CdbhTBi.exe
  C:\Windows\System\CdbhTBi.exe
  2⤵
  PID:5556
- C:\Windows\System\vcehHnt.exe
  C:\Windows\System\vcehHnt.exe
  2⤵
  PID:5620
- C:\Windows\System\yKDrlaF.exe
  C:\Windows\System\yKDrlaF.exe
  2⤵
  PID:5676
- C:\Windows\System\WXQRydW.exe
  C:\Windows\System\WXQRydW.exe
  2⤵
  PID:5752
- C:\Windows\System\horhqOZ.exe
  C:\Windows\System\horhqOZ.exe
  2⤵
  PID:5812
- C:\Windows\System\TUDTWGe.exe
  C:\Windows\System\TUDTWGe.exe
  2⤵
  PID:5892
- C:\Windows\System\AoeXvZe.exe
  C:\Windows\System\AoeXvZe.exe
  2⤵
  PID:5924
- C:\Windows\System\ntyHmmK.exe
  C:\Windows\System\ntyHmmK.exe
  2⤵
  PID:5984
- C:\Windows\System\KHLpLfQ.exe
  C:\Windows\System\KHLpLfQ.exe
  2⤵
  PID:6040
- C:\Windows\System\uSbwBjH.exe
  C:\Windows\System\uSbwBjH.exe
  2⤵
  PID:6116
- C:\Windows\System\skSNxie.exe
  C:\Windows\System\skSNxie.exe
  2⤵
  PID:2552
- C:\Windows\System\mLAqWjl.exe
  C:\Windows\System\mLAqWjl.exe
  2⤵
  PID:5044
- C:\Windows\System\VFBQNVg.exe
  C:\Windows\System\VFBQNVg.exe
  2⤵
  PID:5164
- C:\Windows\System\YLbcbtG.exe
  C:\Windows\System\YLbcbtG.exe
  2⤵
  PID:5284
- C:\Windows\System\HPjcJJl.exe
  C:\Windows\System\HPjcJJl.exe
  2⤵
  PID:5472
- C:\Windows\System\mrJXIMJ.exe
  C:\Windows\System\mrJXIMJ.exe
  2⤵
  PID:5536
- C:\Windows\System\AJmREln.exe
  C:\Windows\System\AJmREln.exe
  2⤵
  PID:5668
- C:\Windows\System\DdCNdpg.exe
  C:\Windows\System\DdCNdpg.exe
  2⤵
  PID:5808
- C:\Windows\System\tSocaDg.exe
  C:\Windows\System\tSocaDg.exe
  2⤵
  PID:5952
- C:\Windows\System\MqOyQoJ.exe
  C:\Windows\System\MqOyQoJ.exe
  2⤵
  PID:6032
- C:\Windows\System\SLazNWw.exe
  C:\Windows\System\SLazNWw.exe
  2⤵
  PID:1816
- C:\Windows\System\yLaBWtG.exe
  C:\Windows\System\yLaBWtG.exe
  2⤵
  PID:3928
- C:\Windows\System\OmxCDJB.exe
  C:\Windows\System\OmxCDJB.exe
  2⤵
  PID:6176
- C:\Windows\System\vgIShPB.exe
  C:\Windows\System\vgIShPB.exe
  2⤵
  PID:6204
- C:\Windows\System\XIJtGfq.exe
  C:\Windows\System\XIJtGfq.exe
  2⤵
  PID:6232
- C:\Windows\System\LuBRgLk.exe
  C:\Windows\System\LuBRgLk.exe
  2⤵
  PID:6260
- C:\Windows\System\jgQJmjH.exe
  C:\Windows\System\jgQJmjH.exe
  2⤵
  PID:6288
- C:\Windows\System\ORszOTF.exe
  C:\Windows\System\ORszOTF.exe
  2⤵
  PID:6316
- C:\Windows\System\dLcahEP.exe
  C:\Windows\System\dLcahEP.exe
  2⤵
  PID:6344
- C:\Windows\System\JRjXARN.exe
  C:\Windows\System\JRjXARN.exe
  2⤵
  PID:6372
- C:\Windows\System\UAfMVtd.exe
  C:\Windows\System\UAfMVtd.exe
  2⤵
  PID:6400
- C:\Windows\System\JndKlcS.exe
  C:\Windows\System\JndKlcS.exe
  2⤵
  PID:6428
- C:\Windows\System\PoqdbKD.exe
  C:\Windows\System\PoqdbKD.exe
  2⤵
  PID:6456
- C:\Windows\System\elmRhiY.exe
  C:\Windows\System\elmRhiY.exe
  2⤵
  PID:6484
- C:\Windows\System\KnpXzAN.exe
  C:\Windows\System\KnpXzAN.exe
  2⤵
  PID:6508
- C:\Windows\System\WQWkDAg.exe
  C:\Windows\System\WQWkDAg.exe
  2⤵
  PID:6544
- C:\Windows\System\keinkGr.exe
  C:\Windows\System\keinkGr.exe
  2⤵
  PID:6568
- C:\Windows\System\yxVjnWd.exe
  C:\Windows\System\yxVjnWd.exe
  2⤵
  PID:6592
- C:\Windows\System\qwzCHQs.exe
  C:\Windows\System\qwzCHQs.exe
  2⤵
  PID:6644
- C:\Windows\System\QMUYxQH.exe
  C:\Windows\System\QMUYxQH.exe
  2⤵
  PID:6668
- C:\Windows\System\IGIDCxL.exe
  C:\Windows\System\IGIDCxL.exe
  2⤵
  PID:6684
- C:\Windows\System\cDAarEF.exe
  C:\Windows\System\cDAarEF.exe
  2⤵
  PID:6708
- C:\Windows\System\CevGpGX.exe
  C:\Windows\System\CevGpGX.exe
  2⤵
  PID:6768
- C:\Windows\System\pNKnxPw.exe
  C:\Windows\System\pNKnxPw.exe
  2⤵
  PID:6796
- C:\Windows\System\iqRCxuZ.exe
  C:\Windows\System\iqRCxuZ.exe
  2⤵
  PID:6824
- C:\Windows\System\patiMuE.exe
  C:\Windows\System\patiMuE.exe
  2⤵
  PID:6844
- C:\Windows\System\eizpsDm.exe
  C:\Windows\System\eizpsDm.exe
  2⤵
  PID:6880
- C:\Windows\System\nzxrDJS.exe
  C:\Windows\System\nzxrDJS.exe
  2⤵
  PID:6908
- C:\Windows\System\mfvFOWl.exe
  C:\Windows\System\mfvFOWl.exe
  2⤵
  PID:6936
- C:\Windows\System\fQmJxGK.exe
  C:\Windows\System\fQmJxGK.exe
  2⤵
  PID:6976
- C:\Windows\System\HXFmeWz.exe
  C:\Windows\System\HXFmeWz.exe
  2⤵
  PID:6992
- C:\Windows\System\dNqSJFR.exe
  C:\Windows\System\dNqSJFR.exe
  2⤵
  PID:7032
- C:\Windows\System\hvzlPwG.exe
  C:\Windows\System\hvzlPwG.exe
  2⤵
  PID:7048
- C:\Windows\System\JalfIrN.exe
  C:\Windows\System\JalfIrN.exe
  2⤵
  PID:7064
- C:\Windows\System\YJTfRfL.exe
  C:\Windows\System\YJTfRfL.exe
  2⤵
  PID:7088
- C:\Windows\System\gGwjUTU.exe
  C:\Windows\System\gGwjUTU.exe
  2⤵
  PID:7108
- C:\Windows\System\zlsARDa.exe
  C:\Windows\System\zlsARDa.exe
  2⤵
  PID:7124
- C:\Windows\System\uwaVQpw.exe
  C:\Windows\System\uwaVQpw.exe
  2⤵
  PID:7148
- C:\Windows\System\yIclLaJ.exe
  C:\Windows\System\yIclLaJ.exe
  2⤵
  PID:5276
- C:\Windows\System\TSgDcXN.exe
  C:\Windows\System\TSgDcXN.exe
  2⤵
  PID:692
- C:\Windows\System\IDZEYcY.exe
  C:\Windows\System\IDZEYcY.exe
  2⤵
  PID:5784
- C:\Windows\System\knwAtWu.exe
  C:\Windows\System\knwAtWu.exe
  2⤵
  PID:2000
- C:\Windows\System\EOSZgpM.exe
  C:\Windows\System\EOSZgpM.exe
  2⤵
  PID:3648
- C:\Windows\System\zwZBWDl.exe
  C:\Windows\System\zwZBWDl.exe
  2⤵
  PID:6244
- C:\Windows\System\MLuJdcv.exe
  C:\Windows\System\MLuJdcv.exe
  2⤵
  PID:6304
- C:\Windows\System\ZHCaoiA.exe
  C:\Windows\System\ZHCaoiA.exe
  2⤵
  PID:2128
- C:\Windows\System\hQBlYGc.exe
  C:\Windows\System\hQBlYGc.exe
  2⤵
  PID:6384
- C:\Windows\System\QHnxWas.exe
  C:\Windows\System\QHnxWas.exe
  2⤵
  PID:4980
- C:\Windows\System\sVdvQjP.exe
  C:\Windows\System\sVdvQjP.exe
  2⤵
  PID:6440
- C:\Windows\System\CoVIoMt.exe
  C:\Windows\System\CoVIoMt.exe
  2⤵
  PID:6496
- C:\Windows\System\MxYUhfw.exe
  C:\Windows\System\MxYUhfw.exe
  2⤵
  PID:6528
- C:\Windows\System\vjdQUeN.exe
  C:\Windows\System\vjdQUeN.exe
  2⤵
  PID:4872
- C:\Windows\System\fOzlugO.exe
  C:\Windows\System\fOzlugO.exe
  2⤵
  PID:6608
- C:\Windows\System\OmeFafE.exe
  C:\Windows\System\OmeFafE.exe
  2⤵
  PID:3304
- C:\Windows\System\EOplbyH.exe
  C:\Windows\System\EOplbyH.exe
  2⤵
  PID:3336
- C:\Windows\System\exTZpus.exe
  C:\Windows\System\exTZpus.exe
  2⤵
  PID:6676
- C:\Windows\System\YeHqcKJ.exe
  C:\Windows\System\YeHqcKJ.exe
  2⤵
  PID:6744
- C:\Windows\System\cDpzLvE.exe
  C:\Windows\System\cDpzLvE.exe
  2⤵
  PID:6816
- C:\Windows\System\jIPzYgB.exe
  C:\Windows\System\jIPzYgB.exe
  2⤵
  PID:6900
- C:\Windows\System\MZLcSEu.exe
  C:\Windows\System\MZLcSEu.exe
  2⤵
  PID:1520
- C:\Windows\System\iEmaCJH.exe
  C:\Windows\System\iEmaCJH.exe
  2⤵
  PID:6988
- C:\Windows\System\siKLUjS.exe
  C:\Windows\System\siKLUjS.exe
  2⤵
  PID:7096
- C:\Windows\System\EGKcMLr.exe
  C:\Windows\System\EGKcMLr.exe
  2⤵
  PID:7100
- C:\Windows\System\sMDPRgQ.exe
  C:\Windows\System\sMDPRgQ.exe
  2⤵
  PID:5220
- C:\Windows\System\JWNvGat.exe
  C:\Windows\System\JWNvGat.exe
  2⤵
  PID:7136
- C:\Windows\System\ZewgZqH.exe
  C:\Windows\System\ZewgZqH.exe
  2⤵
  PID:5728
- C:\Windows\System\xmGhfft.exe
  C:\Windows\System\xmGhfft.exe
  2⤵
  PID:6224
- C:\Windows\System\EMjVtOQ.exe
  C:\Windows\System\EMjVtOQ.exe
  2⤵
  PID:6360
- C:\Windows\System\SmTSWaI.exe
  C:\Windows\System\SmTSWaI.exe
  2⤵
  PID:3220
- C:\Windows\System\YhxIvzx.exe
  C:\Windows\System\YhxIvzx.exe
  2⤵
  PID:3208
- C:\Windows\System\PrbiGdN.exe
  C:\Windows\System\PrbiGdN.exe
  2⤵
  PID:1384
- C:\Windows\System\jzpehMf.exe
  C:\Windows\System\jzpehMf.exe
  2⤵
  PID:6932
- C:\Windows\System\uDIWIpl.exe
  C:\Windows\System\uDIWIpl.exe
  2⤵
  PID:7008
- C:\Windows\System\plKFKnu.exe
  C:\Windows\System\plKFKnu.exe
  2⤵
  PID:7164
- C:\Windows\System\qAxQaiu.exe
  C:\Windows\System\qAxQaiu.exe
  2⤵
  PID:2080
- C:\Windows\System\PKfghfB.exe
  C:\Windows\System\PKfghfB.exe
  2⤵
  PID:6412
- C:\Windows\System\EGysKhh.exe
  C:\Windows\System\EGysKhh.exe
  2⤵
  PID:4760
- C:\Windows\System\ZWgGvIK.exe
  C:\Windows\System\ZWgGvIK.exe
  2⤵
  PID:6836
- C:\Windows\System\oxiCyIE.exe
  C:\Windows\System\oxiCyIE.exe
  2⤵
  PID:5900
- C:\Windows\System\hyQgSIW.exe
  C:\Windows\System\hyQgSIW.exe
  2⤵
  PID:7180
- C:\Windows\System\nObbSnt.exe
  C:\Windows\System\nObbSnt.exe
  2⤵
  PID:7236
- C:\Windows\System\tZMWhYa.exe
  C:\Windows\System\tZMWhYa.exe
  2⤵
  PID:7252
- C:\Windows\System\fhtpvvw.exe
  C:\Windows\System\fhtpvvw.exe
  2⤵
  PID:7280
- C:\Windows\System\PUDGnAP.exe
  C:\Windows\System\PUDGnAP.exe
  2⤵
  PID:7300
- C:\Windows\System\vAQMtFM.exe
  C:\Windows\System\vAQMtFM.exe
  2⤵
  PID:7328
- C:\Windows\System\MaDonoH.exe
  C:\Windows\System\MaDonoH.exe
  2⤵
  PID:7356
- C:\Windows\System\fIIepMi.exe
  C:\Windows\System\fIIepMi.exe
  2⤵
  PID:7392
- C:\Windows\System\VqXMyzc.exe
  C:\Windows\System\VqXMyzc.exe
  2⤵
  PID:7424
- C:\Windows\System\CcRfmdw.exe
  C:\Windows\System\CcRfmdw.exe
  2⤵
  PID:7452
- C:\Windows\System\rIhVnjt.exe
  C:\Windows\System\rIhVnjt.exe
  2⤵
  PID:7484
- C:\Windows\System\gOxsnod.exe
  C:\Windows\System\gOxsnod.exe
  2⤵
  PID:7508
- C:\Windows\System\mNJybPS.exe
  C:\Windows\System\mNJybPS.exe
  2⤵
  PID:7536
- C:\Windows\System\lqgEeqv.exe
  C:\Windows\System\lqgEeqv.exe
  2⤵
  PID:7556
- C:\Windows\System\WqrSpqO.exe
  C:\Windows\System\WqrSpqO.exe
  2⤵
  PID:7584
- C:\Windows\System\xjLCMxq.exe
  C:\Windows\System\xjLCMxq.exe
  2⤵
  PID:7612
- C:\Windows\System\HMOnUYc.exe
  C:\Windows\System\HMOnUYc.exe
  2⤵
  PID:7640
- C:\Windows\System\oNAvIsI.exe
  C:\Windows\System\oNAvIsI.exe
  2⤵
  PID:7672
- C:\Windows\System\IpzYYJU.exe
  C:\Windows\System\IpzYYJU.exe
  2⤵
  PID:7704
- C:\Windows\System\AYlgaBo.exe
  C:\Windows\System\AYlgaBo.exe
  2⤵
  PID:7724
- C:\Windows\System\DEjHBWj.exe
  C:\Windows\System\DEjHBWj.exe
  2⤵
  PID:7760
- C:\Windows\System\kliuEls.exe
  C:\Windows\System\kliuEls.exe
  2⤵
  PID:7788
- C:\Windows\System\OSRFLot.exe
  C:\Windows\System\OSRFLot.exe
  2⤵
  PID:7828
- C:\Windows\System\urtmquy.exe
  C:\Windows\System\urtmquy.exe
  2⤵
  PID:7844
- C:\Windows\System\QMSsgEM.exe
  C:\Windows\System\QMSsgEM.exe
  2⤵
  PID:7872
- C:\Windows\System\uEWYhfD.exe
  C:\Windows\System\uEWYhfD.exe
  2⤵
  PID:7896
- C:\Windows\System\XdFqGDS.exe
  C:\Windows\System\XdFqGDS.exe
  2⤵
  PID:7924
- C:\Windows\System\BvyOTdj.exe
  C:\Windows\System\BvyOTdj.exe
  2⤵
  PID:7944
- C:\Windows\System\qUcmoXD.exe
  C:\Windows\System\qUcmoXD.exe
  2⤵
  PID:7960
- C:\Windows\System\Bkmrusz.exe
  C:\Windows\System\Bkmrusz.exe
  2⤵
  PID:8024
- C:\Windows\System\xJVJomV.exe
  C:\Windows\System\xJVJomV.exe
  2⤵
  PID:8052
- C:\Windows\System\JgNVAid.exe
  C:\Windows\System\JgNVAid.exe
  2⤵
  PID:8072
- C:\Windows\System\yHUdkdq.exe
  C:\Windows\System\yHUdkdq.exe
  2⤵
  PID:8100
- C:\Windows\System\RMdUGEq.exe
  C:\Windows\System\RMdUGEq.exe
  2⤵
  PID:8140
- C:\Windows\System\ZQeVDrn.exe
  C:\Windows\System\ZQeVDrn.exe
  2⤵
  PID:8156
- C:\Windows\System\NlDByzW.exe
  C:\Windows\System\NlDByzW.exe
  2⤵
  PID:8188
- C:\Windows\System\tCDXqiS.exe
  C:\Windows\System\tCDXqiS.exe
  2⤵
  PID:6700
- C:\Windows\System\MSRWnzH.exe
  C:\Windows\System\MSRWnzH.exe
  2⤵
  PID:7216
- C:\Windows\System\NoTUaPf.exe
  C:\Windows\System\NoTUaPf.exe
  2⤵
  PID:7292
- C:\Windows\System\SdIVCpk.exe
  C:\Windows\System\SdIVCpk.exe
  2⤵
  PID:7352
- C:\Windows\System\CGAIvrx.exe
  C:\Windows\System\CGAIvrx.exe
  2⤵
  PID:7412
- C:\Windows\System\BNPanjr.exe
  C:\Windows\System\BNPanjr.exe
  2⤵
  PID:7472
- C:\Windows\System\VjpSlmQ.exe
  C:\Windows\System\VjpSlmQ.exe
  2⤵
  PID:7528
- C:\Windows\System\waUfiAb.exe
  C:\Windows\System\waUfiAb.exe
  2⤵
  PID:7600
- C:\Windows\System\JEjDPtw.exe
  C:\Windows\System\JEjDPtw.exe
  2⤵
  PID:7648
- C:\Windows\System\xmsoyWT.exe
  C:\Windows\System\xmsoyWT.exe
  2⤵
  PID:7720
- C:\Windows\System\IlRTSYd.exe
  C:\Windows\System\IlRTSYd.exe
  2⤵
  PID:7800
- C:\Windows\System\elzCumD.exe
  C:\Windows\System\elzCumD.exe
  2⤵
  PID:7860
- C:\Windows\System\DKuUnZT.exe
  C:\Windows\System\DKuUnZT.exe
  2⤵
  PID:7912
- C:\Windows\System\PTuRjpv.exe
  C:\Windows\System\PTuRjpv.exe
  2⤵
  PID:8012
- C:\Windows\System\vRjHqIn.exe
  C:\Windows\System\vRjHqIn.exe
  2⤵
  PID:8084
- C:\Windows\System\pFhsmCY.exe
  C:\Windows\System\pFhsmCY.exe
  2⤵
  PID:8096
- C:\Windows\System\aOKpKUg.exe
  C:\Windows\System\aOKpKUg.exe
  2⤵
  PID:6476
- C:\Windows\System\dXklEbq.exe
  C:\Windows\System\dXklEbq.exe
  2⤵
  PID:7364
- C:\Windows\System\nFwdvyP.exe
  C:\Windows\System\nFwdvyP.exe
  2⤵
  PID:7316
- C:\Windows\System\VcheaLt.exe
  C:\Windows\System\VcheaLt.exe
  2⤵
  PID:7620
- C:\Windows\System\gJDOimQ.exe
  C:\Windows\System\gJDOimQ.exe
  2⤵
  PID:7668
- C:\Windows\System\RRalkOH.exe
  C:\Windows\System\RRalkOH.exe
  2⤵
  PID:7840
- C:\Windows\System\OlFzuPq.exe
  C:\Windows\System\OlFzuPq.exe
  2⤵
  PID:8004
- C:\Windows\System\JnlMkNN.exe
  C:\Windows\System\JnlMkNN.exe
  2⤵
  PID:8088
- C:\Windows\System\HTbcERa.exe
  C:\Windows\System\HTbcERa.exe
  2⤵
  PID:7448
- C:\Windows\System\yznIUyX.exe
  C:\Windows\System\yznIUyX.exe
  2⤵
  PID:7776
- C:\Windows\System\OQJNydy.exe
  C:\Windows\System\OQJNydy.exe
  2⤵
  PID:312
- C:\Windows\System\gbKrOAR.exe
  C:\Windows\System\gbKrOAR.exe
  2⤵
  PID:6984
- C:\Windows\System\VzXNHWU.exe
  C:\Windows\System\VzXNHWU.exe
  2⤵
  PID:7664
- C:\Windows\System\DXbZkzU.exe
  C:\Windows\System\DXbZkzU.exe
  2⤵
  PID:8204
- C:\Windows\System\glJCukZ.exe
  C:\Windows\System\glJCukZ.exe
  2⤵
  PID:8244
- C:\Windows\System\zZxgZfP.exe
  C:\Windows\System\zZxgZfP.exe
  2⤵
  PID:8272
- C:\Windows\System\kaVztcI.exe
  C:\Windows\System\kaVztcI.exe
  2⤵
  PID:8308
- C:\Windows\System\CpYBNSF.exe
  C:\Windows\System\CpYBNSF.exe
  2⤵
  PID:8352
- C:\Windows\System\OrcBngC.exe
  C:\Windows\System\OrcBngC.exe
  2⤵
  PID:8368
- C:\Windows\System\SUYdtqm.exe
  C:\Windows\System\SUYdtqm.exe
  2⤵
  PID:8400
- C:\Windows\System\ZPsVMdP.exe
  C:\Windows\System\ZPsVMdP.exe
  2⤵
  PID:8428
- C:\Windows\System\BzHfPfZ.exe
  C:\Windows\System\BzHfPfZ.exe
  2⤵
  PID:8452
- C:\Windows\System\emThwpW.exe
  C:\Windows\System\emThwpW.exe
  2⤵
  PID:8476
- C:\Windows\System\rRJsAAP.exe
  C:\Windows\System\rRJsAAP.exe
  2⤵
  PID:8508
- C:\Windows\System\AuXdLpy.exe
  C:\Windows\System\AuXdLpy.exe
  2⤵
  PID:8536
- C:\Windows\System\rkSQvBs.exe
  C:\Windows\System\rkSQvBs.exe
  2⤵
  PID:8564
- C:\Windows\System\jmIWixY.exe
  C:\Windows\System\jmIWixY.exe
  2⤵
  PID:8592
- C:\Windows\System\GUIGfsm.exe
  C:\Windows\System\GUIGfsm.exe
  2⤵
  PID:8632
- C:\Windows\System\hwLtCYC.exe
  C:\Windows\System\hwLtCYC.exe
  2⤵
  PID:8652
- C:\Windows\System\cxpSVXO.exe
  C:\Windows\System\cxpSVXO.exe
  2⤵
  PID:8672
- C:\Windows\System\iInWCcx.exe
  C:\Windows\System\iInWCcx.exe
  2⤵
  PID:8692
- C:\Windows\System\okbmexZ.exe
  C:\Windows\System\okbmexZ.exe
  2⤵
  PID:8720
- C:\Windows\System\htRVWpf.exe
  C:\Windows\System\htRVWpf.exe
  2⤵
  PID:8748
- C:\Windows\System\loddRlB.exe
  C:\Windows\System\loddRlB.exe
  2⤵
  PID:8792
- C:\Windows\System\ItQUTfY.exe
  C:\Windows\System\ItQUTfY.exe
  2⤵
  PID:8816
- C:\Windows\System\NxNSAto.exe
  C:\Windows\System\NxNSAto.exe
  2⤵
  PID:8844
- C:\Windows\System\BSMqvXH.exe
  C:\Windows\System\BSMqvXH.exe
  2⤵
  PID:8872
- C:\Windows\System\GvyKXSU.exe
  C:\Windows\System\GvyKXSU.exe
  2⤵
  PID:8888
- C:\Windows\System\VXrFKdR.exe
  C:\Windows\System\VXrFKdR.exe
  2⤵
  PID:8916
- C:\Windows\System\ZYEXlfi.exe
  C:\Windows\System\ZYEXlfi.exe
  2⤵
  PID:8940
- C:\Windows\System\HyqpKki.exe
  C:\Windows\System\HyqpKki.exe
  2⤵
  PID:8976
- C:\Windows\System\fhoMtZO.exe
  C:\Windows\System\fhoMtZO.exe
  2⤵
  PID:9012
- C:\Windows\System\XoAURZX.exe
  C:\Windows\System\XoAURZX.exe
  2⤵
  PID:9032
- C:\Windows\System\oCdUzSi.exe
  C:\Windows\System\oCdUzSi.exe
  2⤵
  PID:9060
- C:\Windows\System\gmticWv.exe
  C:\Windows\System\gmticWv.exe
  2⤵
  PID:9092
- C:\Windows\System\kUdDkYO.exe
  C:\Windows\System\kUdDkYO.exe
  2⤵
  PID:9128
- C:\Windows\System\VsXDVPU.exe
  C:\Windows\System\VsXDVPU.exe
  2⤵
  PID:9152
- C:\Windows\System\uBbTdUS.exe
  C:\Windows\System\uBbTdUS.exe
  2⤵
  PID:9196
- C:\Windows\System\FCExktf.exe
  C:\Windows\System\FCExktf.exe
  2⤵
  PID:9212
- C:\Windows\System\ZdoYDjm.exe
  C:\Windows\System\ZdoYDjm.exe
  2⤵
  PID:8200
- C:\Windows\System\irlHPHv.exe
  C:\Windows\System\irlHPHv.exe
  2⤵
  PID:8300
- C:\Windows\System\XilHENm.exe
  C:\Windows\System\XilHENm.exe
  2⤵
  PID:8348
- C:\Windows\System\emKgrFu.exe
  C:\Windows\System\emKgrFu.exe
  2⤵
  PID:8408
- C:\Windows\System\FFPNiby.exe
  C:\Windows\System\FFPNiby.exe
  2⤵
  PID:8464
- C:\Windows\System\NXNqFvw.exe
  C:\Windows\System\NXNqFvw.exe
  2⤵
  PID:8532
- C:\Windows\System\IaazmTp.exe
  C:\Windows\System\IaazmTp.exe
  2⤵
  PID:8608
- C:\Windows\System\oCrttZA.exe
  C:\Windows\System\oCrttZA.exe
  2⤵
  PID:8732
- C:\Windows\System\MILatRy.exe
  C:\Windows\System\MILatRy.exe
  2⤵
  PID:8708
- C:\Windows\System\eSXShBW.exe
  C:\Windows\System\eSXShBW.exe
  2⤵
  PID:8760
- C:\Windows\System\FNYOJMo.exe
  C:\Windows\System\FNYOJMo.exe
  2⤵
  PID:8884
- C:\Windows\System\QLmHMEF.exe
  C:\Windows\System\QLmHMEF.exe
  2⤵
  PID:8936
- C:\Windows\System\rWSKgwS.exe
  C:\Windows\System\rWSKgwS.exe
  2⤵
  PID:9044
- C:\Windows\System\RjIgVMO.exe
  C:\Windows\System\RjIgVMO.exe
  2⤵
  PID:9072
- C:\Windows\System\BkgoSeP.exe
  C:\Windows\System\BkgoSeP.exe
  2⤵
  PID:9168
- C:\Windows\System\DlcZjns.exe
  C:\Windows\System\DlcZjns.exe
  2⤵
  PID:8212
- C:\Windows\System\UIprgie.exe
  C:\Windows\System\UIprgie.exe
  2⤵
  PID:8336
- C:\Windows\System\UDNFWhK.exe
  C:\Windows\System\UDNFWhK.exe
  2⤵
  PID:8420
- C:\Windows\System\NCnVTIZ.exe
  C:\Windows\System\NCnVTIZ.exe
  2⤵
  PID:8588
- C:\Windows\System\qzmqKFt.exe
  C:\Windows\System\qzmqKFt.exe
  2⤵
  PID:8808
- C:\Windows\System\OJYXXeP.exe
  C:\Windows\System\OJYXXeP.exe
  2⤵
  PID:9028
- C:\Windows\System\OdyOdBc.exe
  C:\Windows\System\OdyOdBc.exe
  2⤵
  PID:9120
- C:\Windows\System\zWdGxOv.exe
  C:\Windows\System\zWdGxOv.exe
  2⤵
  PID:8228
- C:\Windows\System\mmPWQPz.exe
  C:\Windows\System\mmPWQPz.exe
  2⤵
  PID:8548
- C:\Windows\System\IURQIJE.exe
  C:\Windows\System\IURQIJE.exe
  2⤵
  PID:8836
- C:\Windows\System\yAVSdGO.exe
  C:\Windows\System\yAVSdGO.exe
  2⤵
  PID:9188
- C:\Windows\System\SQSUpHv.exe
  C:\Windows\System\SQSUpHv.exe
  2⤵
  PID:8784
- C:\Windows\System\ZRvCzmt.exe
  C:\Windows\System\ZRvCzmt.exe
  2⤵
  PID:9244
- C:\Windows\System\BSCiuzt.exe
  C:\Windows\System\BSCiuzt.exe
  2⤵
  PID:9276
- C:\Windows\System\EsHSQZQ.exe
  C:\Windows\System\EsHSQZQ.exe
  2⤵
  PID:9292
- C:\Windows\System\IpCYhRd.exe
  C:\Windows\System\IpCYhRd.exe
  2⤵
  PID:9320
- C:\Windows\System\PWdWTDy.exe
  C:\Windows\System\PWdWTDy.exe
  2⤵
  PID:9356
- C:\Windows\System\xCdrcxE.exe
  C:\Windows\System\xCdrcxE.exe
  2⤵
  PID:9384
- C:\Windows\System\xFdpMMO.exe
  C:\Windows\System\xFdpMMO.exe
  2⤵
  PID:9412
- C:\Windows\System\oWTiyDX.exe
  C:\Windows\System\oWTiyDX.exe
  2⤵
  PID:9440
- C:\Windows\System\tDSItwW.exe
  C:\Windows\System\tDSItwW.exe
  2⤵
  PID:9468
- C:\Windows\System\NdIptKj.exe
  C:\Windows\System\NdIptKj.exe
  2⤵
  PID:9496
- C:\Windows\System\gnPprBN.exe
  C:\Windows\System\gnPprBN.exe
  2⤵
  PID:9524
- C:\Windows\System\dbqUfVh.exe
  C:\Windows\System\dbqUfVh.exe
  2⤵
  PID:9556
- C:\Windows\System\YoUyPnE.exe
  C:\Windows\System\YoUyPnE.exe
  2⤵
  PID:9580
- C:\Windows\System\WBCgPRZ.exe
  C:\Windows\System\WBCgPRZ.exe
  2⤵
  PID:9620
- C:\Windows\System\ZDogXMn.exe
  C:\Windows\System\ZDogXMn.exe
  2⤵
  PID:9636
- C:\Windows\System\QXcsJiX.exe
  C:\Windows\System\QXcsJiX.exe
  2⤵
  PID:9676
- C:\Windows\System\PjaMiCY.exe
  C:\Windows\System\PjaMiCY.exe
  2⤵
  PID:9708
- C:\Windows\System\viNxGCO.exe
  C:\Windows\System\viNxGCO.exe
  2⤵
  PID:9724
- C:\Windows\System\gCMcPNm.exe
  C:\Windows\System\gCMcPNm.exe
  2⤵
  PID:9752
- C:\Windows\System\QKAYUCV.exe
  C:\Windows\System\QKAYUCV.exe
  2⤵
  PID:9780
- C:\Windows\System\hDfeTvQ.exe
  C:\Windows\System\hDfeTvQ.exe
  2⤵
  PID:9812
- C:\Windows\System\SLowMOB.exe
  C:\Windows\System\SLowMOB.exe
  2⤵
  PID:9836
- C:\Windows\System\pFBtOqM.exe
  C:\Windows\System\pFBtOqM.exe
  2⤵
  PID:9864
- C:\Windows\System\ikzgWsQ.exe
  C:\Windows\System\ikzgWsQ.exe
  2⤵
  PID:9904
- C:\Windows\System\zrshnEF.exe
  C:\Windows\System\zrshnEF.exe
  2⤵
  PID:9932
- C:\Windows\System\gDVnkwX.exe
  C:\Windows\System\gDVnkwX.exe
  2⤵
  PID:9960
- C:\Windows\System\coHccGT.exe
  C:\Windows\System\coHccGT.exe
  2⤵
  PID:9988
- C:\Windows\System\qMzwMeg.exe
  C:\Windows\System\qMzwMeg.exe
  2⤵
  PID:10024
- C:\Windows\System\mOXfkDu.exe
  C:\Windows\System\mOXfkDu.exe
  2⤵
  PID:10064
- C:\Windows\System\VeHTmhw.exe
  C:\Windows\System\VeHTmhw.exe
  2⤵
  PID:10092
- C:\Windows\System\LIJAqIO.exe
  C:\Windows\System\LIJAqIO.exe
  2⤵
  PID:10112
- C:\Windows\System\SdsWLll.exe
  C:\Windows\System\SdsWLll.exe
  2⤵
  PID:10148
- C:\Windows\System\KRAMfNs.exe
  C:\Windows\System\KRAMfNs.exe
  2⤵
  PID:10176
- C:\Windows\System\Smgxmsn.exe
  C:\Windows\System\Smgxmsn.exe
  2⤵
  PID:10204
- C:\Windows\System\QrJCAaR.exe
  C:\Windows\System\QrJCAaR.exe
  2⤵
  PID:10228
- C:\Windows\System\PNxlvLW.exe
  C:\Windows\System\PNxlvLW.exe
  2⤵
  PID:8640
- C:\Windows\System\jhQhiwu.exe
  C:\Windows\System\jhQhiwu.exe
  2⤵
  PID:9228
- C:\Windows\System\moouAJR.exe
  C:\Windows\System\moouAJR.exe
  2⤵
  PID:9312
- C:\Windows\System\MkRUnrU.exe
  C:\Windows\System\MkRUnrU.exe
  2⤵
  PID:9352
- C:\Windows\System\qpisCEi.exe
  C:\Windows\System\qpisCEi.exe
  2⤵
  PID:9452
- C:\Windows\System\rqBQghe.exe
  C:\Windows\System\rqBQghe.exe
  2⤵
  PID:9488
- C:\Windows\System\evmDGjj.exe
  C:\Windows\System\evmDGjj.exe
  2⤵
  PID:9536
- C:\Windows\System\eCDiPuI.exe
  C:\Windows\System\eCDiPuI.exe
  2⤵
  PID:9604
- C:\Windows\System\tTBgBXK.exe
  C:\Windows\System\tTBgBXK.exe
  2⤵
  PID:9700
- C:\Windows\System\ZVudrxo.exe
  C:\Windows\System\ZVudrxo.exe
  2⤵
  PID:9764
- C:\Windows\System\nZDYlqU.exe
  C:\Windows\System\nZDYlqU.exe
  2⤵
  PID:9852
- C:\Windows\System\pQVsgSL.exe
  C:\Windows\System\pQVsgSL.exe
  2⤵
  PID:9888
- C:\Windows\System\rWMeICK.exe
  C:\Windows\System\rWMeICK.exe
  2⤵
  PID:9980
- C:\Windows\System\wcjVLtm.exe
  C:\Windows\System\wcjVLtm.exe
  2⤵
  PID:10012
- C:\Windows\System\BmOilDD.exe
  C:\Windows\System\BmOilDD.exe
  2⤵
  PID:10124
- C:\Windows\System\IJxkeip.exe
  C:\Windows\System\IJxkeip.exe
  2⤵
  PID:10192
- C:\Windows\System\hXxRtlk.exe
  C:\Windows\System\hXxRtlk.exe
  2⤵
  PID:10236
- C:\Windows\System\ayNrRhG.exe
  C:\Windows\System\ayNrRhG.exe
  2⤵
  PID:9404
- C:\Windows\System\ThPDGSO.exe
  C:\Windows\System\ThPDGSO.exe
  2⤵
  PID:9484
- C:\Windows\System\LzmoenO.exe
  C:\Windows\System\LzmoenO.exe
  2⤵
  PID:9540
- C:\Windows\System\fbLqvpj.exe
  C:\Windows\System\fbLqvpj.exe
  2⤵
  PID:9652
- C:\Windows\System\vgiTfLt.exe
  C:\Windows\System\vgiTfLt.exe
  2⤵
  PID:9832
- C:\Windows\System\tOdbDqc.exe
  C:\Windows\System\tOdbDqc.exe
  2⤵
  PID:10084
- C:\Windows\System\roUaGYa.exe
  C:\Windows\System\roUaGYa.exe
  2⤵
  PID:10224
- C:\Windows\System\qwHrzgh.exe
  C:\Windows\System\qwHrzgh.exe
  2⤵
  PID:9432
- C:\Windows\System\aCWXwde.exe
  C:\Windows\System\aCWXwde.exe
  2⤵
  PID:10140
- C:\Windows\System\mYIJKVT.exe
  C:\Windows\System\mYIJKVT.exe
  2⤵
  PID:9564
- C:\Windows\System\XNgiAbY.exe
  C:\Windows\System\XNgiAbY.exe
  2⤵
  PID:10252
- C:\Windows\System\iWAyRmv.exe
  C:\Windows\System\iWAyRmv.exe
  2⤵
  PID:10268
- C:\Windows\System\yJsUcPk.exe
  C:\Windows\System\yJsUcPk.exe
  2⤵
  PID:10296
- C:\Windows\System\KzJJcrr.exe
  C:\Windows\System\KzJJcrr.exe
  2⤵
  PID:10336
- C:\Windows\System\LnyDlhO.exe
  C:\Windows\System\LnyDlhO.exe
  2⤵
  PID:10352
- C:\Windows\System\VRMNvFK.exe
  C:\Windows\System\VRMNvFK.exe
  2⤵
  PID:10392
- C:\Windows\System\hjdgVNR.exe
  C:\Windows\System\hjdgVNR.exe
  2⤵
  PID:10412
- C:\Windows\System\ALYOAWu.exe
  C:\Windows\System\ALYOAWu.exe
  2⤵
  PID:10428
- C:\Windows\System\zFAjhvQ.exe
  C:\Windows\System\zFAjhvQ.exe
  2⤵
  PID:10464
- C:\Windows\System\sWVqSgB.exe
  C:\Windows\System\sWVqSgB.exe
  2⤵
  PID:10496
- C:\Windows\System\yTaCgQb.exe
  C:\Windows\System\yTaCgQb.exe
  2⤵
  PID:10516
- C:\Windows\System\wHNeeHO.exe
  C:\Windows\System\wHNeeHO.exe
  2⤵
  PID:10544
- C:\Windows\System\LczmALc.exe
  C:\Windows\System\LczmALc.exe
  2⤵
  PID:10568
- C:\Windows\System\UpAFQAZ.exe
  C:\Windows\System\UpAFQAZ.exe
  2⤵
  PID:10592
- C:\Windows\System\isBujNL.exe
  C:\Windows\System\isBujNL.exe
  2⤵
  PID:10612
- C:\Windows\System\ZTudEKo.exe
  C:\Windows\System\ZTudEKo.exe
  2⤵
  PID:10636
- C:\Windows\System\GCehArL.exe
  C:\Windows\System\GCehArL.exe
  2⤵
  PID:10676
- C:\Windows\System\BTzwEoO.exe
  C:\Windows\System\BTzwEoO.exe
  2⤵
  PID:10704
- C:\Windows\System\hiNXwuw.exe
  C:\Windows\System\hiNXwuw.exe
  2⤵
  PID:10736
- C:\Windows\System\VSJiQQT.exe
  C:\Windows\System\VSJiQQT.exe
  2⤵
  PID:10792
- C:\Windows\System\vcuftcC.exe
  C:\Windows\System\vcuftcC.exe
  2⤵
  PID:10808
- C:\Windows\System\oJRHbGk.exe
  C:\Windows\System\oJRHbGk.exe
  2⤵
  PID:10824
- C:\Windows\System\XysRoET.exe
  C:\Windows\System\XysRoET.exe
  2⤵
  PID:10856
- C:\Windows\System\HaJkpFx.exe
  C:\Windows\System\HaJkpFx.exe
  2⤵
  PID:10884
- C:\Windows\System\XUGVmgl.exe
  C:\Windows\System\XUGVmgl.exe
  2⤵
  PID:10912
- C:\Windows\System\mJtUdLU.exe
  C:\Windows\System\mJtUdLU.exe
  2⤵
  PID:10940
- C:\Windows\System\oQhElqH.exe
  C:\Windows\System\oQhElqH.exe
  2⤵
  PID:10968
- C:\Windows\System\EpjPKdO.exe
  C:\Windows\System\EpjPKdO.exe
  2⤵
  PID:10992
- C:\Windows\System\TlbkMgl.exe
  C:\Windows\System\TlbkMgl.exe
  2⤵
  PID:11012
- C:\Windows\System\vpLzSzB.exe
  C:\Windows\System\vpLzSzB.exe
  2⤵
  PID:11040
- C:\Windows\System\EHXzCzr.exe
  C:\Windows\System\EHXzCzr.exe
  2⤵
  PID:11068
- C:\Windows\System\XuSStOK.exe
  C:\Windows\System\XuSStOK.exe
  2⤵
  PID:11096
- C:\Windows\System\RDKoPOL.exe
  C:\Windows\System\RDKoPOL.exe
  2⤵
  PID:11128
- C:\Windows\System\ZSiSrAJ.exe
  C:\Windows\System\ZSiSrAJ.exe
  2⤵
  PID:11156
- C:\Windows\System\gIXKPZL.exe
  C:\Windows\System\gIXKPZL.exe
  2⤵
  PID:11184
- C:\Windows\System\mtGaUHB.exe
  C:\Windows\System\mtGaUHB.exe
  2⤵
  PID:11212
- C:\Windows\System\choNeaY.exe
  C:\Windows\System\choNeaY.exe
  2⤵
  PID:11236
- C:\Windows\System\EALgOoV.exe
  C:\Windows\System\EALgOoV.exe
  2⤵
  PID:11260
- C:\Windows\System\oholNTl.exe
  C:\Windows\System\oholNTl.exe
  2⤵
  PID:10284
- C:\Windows\System\LWdBAMX.exe
  C:\Windows\System\LWdBAMX.exe
  2⤵
  PID:10332
- C:\Windows\System\pXozMeK.exe
  C:\Windows\System\pXozMeK.exe
  2⤵
  PID:10424
- C:\Windows\System\yJtLJSj.exe
  C:\Windows\System\yJtLJSj.exe
  2⤵
  PID:10532
- C:\Windows\System\TGxGwyt.exe
  C:\Windows\System\TGxGwyt.exe
  2⤵
  PID:10584
- C:\Windows\System\iWwbePk.exe
  C:\Windows\System\iWwbePk.exe
  2⤵
  PID:10632
- C:\Windows\System\LdWLzmy.exe
  C:\Windows\System\LdWLzmy.exe
  2⤵
  PID:10724
- C:\Windows\System\GXNFNMK.exe
  C:\Windows\System\GXNFNMK.exe
  2⤵
  PID:10044
- C:\Windows\System\kZowVoy.exe
  C:\Windows\System\kZowVoy.exe
  2⤵
  PID:10840
- C:\Windows\System\miUswZt.exe
  C:\Windows\System\miUswZt.exe
  2⤵
  PID:10920
- C:\Windows\System\vDxIvGK.exe
  C:\Windows\System\vDxIvGK.exe
  2⤵
  PID:10984
- C:\Windows\System\zpDHnQl.exe
  C:\Windows\System\zpDHnQl.exe
  2⤵
  PID:11036
- C:\Windows\System\YoVBYQW.exe
  C:\Windows\System\YoVBYQW.exe
  2⤵
  PID:11108
- C:\Windows\System\BIdsaes.exe
  C:\Windows\System\BIdsaes.exe
  2⤵
  PID:11196
- C:\Windows\System\CWUWyNS.exe
  C:\Windows\System\CWUWyNS.exe
  2⤵
  PID:11252
- C:\Windows\System\hlrGiRZ.exe
  C:\Windows\System\hlrGiRZ.exe
  2⤵
  PID:10384
- C:\Windows\System\rEmkumt.exe
  C:\Windows\System\rEmkumt.exe
  2⤵
  PID:10408
- C:\Windows\System\bZfDicV.exe
  C:\Windows\System\bZfDicV.exe
  2⤵
  PID:10600
- C:\Windows\System\RAyxyRf.exe
  C:\Windows\System\RAyxyRf.exe
  2⤵
  PID:10692
- C:\Windows\System\XEDGEaW.exe
  C:\Windows\System\XEDGEaW.exe
  2⤵
  PID:10848
- C:\Windows\System\JpoYPmn.exe
  C:\Windows\System\JpoYPmn.exe
  2⤵
  PID:11064
- C:\Windows\System\SFIqeGe.exe
  C:\Windows\System\SFIqeGe.exe
  2⤵
  PID:11208
- C:\Windows\System\UrbKhxP.exe
  C:\Windows\System\UrbKhxP.exe
  2⤵
  PID:10472
- C:\Windows\System\pWJaMYy.exe
  C:\Windows\System\pWJaMYy.exe
  2⤵
  PID:10816
- C:\Windows\System\lkkrAOS.exe
  C:\Windows\System\lkkrAOS.exe
  2⤵
  PID:10948
- C:\Windows\System\EQNafzq.exe
  C:\Windows\System\EQNafzq.exe
  2⤵
  PID:10556
- C:\Windows\System\aUORrjr.exe
  C:\Windows\System\aUORrjr.exe
  2⤵
  PID:10512
- C:\Windows\System\FtuQtNj.exe
  C:\Windows\System\FtuQtNj.exe
  2⤵
  PID:11276
- C:\Windows\System\eGaDEGH.exe
  C:\Windows\System\eGaDEGH.exe
  2⤵
  PID:11332
- C:\Windows\System\hBOrjON.exe
  C:\Windows\System\hBOrjON.exe
  2⤵
  PID:11360
- C:\Windows\System\baSAkRD.exe
  C:\Windows\System\baSAkRD.exe
  2⤵
  PID:11388
- C:\Windows\System\KEruzbu.exe
  C:\Windows\System\KEruzbu.exe
  2⤵
  PID:11404
- C:\Windows\System\ICUswcu.exe
  C:\Windows\System\ICUswcu.exe
  2⤵
  PID:11436
- C:\Windows\System\YPoBTYU.exe
  C:\Windows\System\YPoBTYU.exe
  2⤵
  PID:11460
- C:\Windows\System\XvfwqOj.exe
  C:\Windows\System\XvfwqOj.exe
  2⤵
  PID:11500
- C:\Windows\System\hLWJvUI.exe
  C:\Windows\System\hLWJvUI.exe
  2⤵
  PID:11524
- C:\Windows\System\PLvudXU.exe
  C:\Windows\System\PLvudXU.exe
  2⤵
  PID:11544
- C:\Windows\System\dvgiUNK.exe
  C:\Windows\System\dvgiUNK.exe
  2⤵
  PID:11588
- C:\Windows\System\CZYvAGe.exe
  C:\Windows\System\CZYvAGe.exe
  2⤵
  PID:11612
- C:\Windows\System\fbiHDQt.exe
  C:\Windows\System\fbiHDQt.exe
  2⤵
  PID:11632
- C:\Windows\System\SxRRTOE.exe
  C:\Windows\System\SxRRTOE.exe
  2⤵
  PID:11672
- C:\Windows\System\RkcvQBT.exe
  C:\Windows\System\RkcvQBT.exe
  2⤵
  PID:11688
- C:\Windows\System\hToclxg.exe
  C:\Windows\System\hToclxg.exe
  2⤵
  PID:11716
- C:\Windows\System\ktujfGa.exe
  C:\Windows\System\ktujfGa.exe
  2⤵
  PID:11744
- C:\Windows\System\wsCzUTE.exe
  C:\Windows\System\wsCzUTE.exe
  2⤵
  PID:11784
- C:\Windows\System\YezaJTB.exe
  C:\Windows\System\YezaJTB.exe
  2⤵
  PID:11800
- C:\Windows\System\SpGDRkN.exe
  C:\Windows\System\SpGDRkN.exe
  2⤵
  PID:11836
- C:\Windows\System\IrPGpam.exe
  C:\Windows\System\IrPGpam.exe
  2⤵
  PID:11856
- C:\Windows\System\DHXTyue.exe
  C:\Windows\System\DHXTyue.exe
  2⤵
  PID:11896
- C:\Windows\System\psrUJKD.exe
  C:\Windows\System\psrUJKD.exe
  2⤵
  PID:11912
- C:\Windows\System\AAhYuOb.exe
  C:\Windows\System\AAhYuOb.exe
  2⤵
  PID:11940
- C:\Windows\System\rQzfoRB.exe
  C:\Windows\System\rQzfoRB.exe
  2⤵
  PID:11956
- C:\Windows\System\edrXCaD.exe
  C:\Windows\System\edrXCaD.exe
  2⤵
  PID:11972
- C:\Windows\System\qlodgbe.exe
  C:\Windows\System\qlodgbe.exe
  2⤵
  PID:12016
- C:\Windows\System\GKhMhDJ.exe
  C:\Windows\System\GKhMhDJ.exe
  2⤵
  PID:12040
- C:\Windows\System\IcAKWiW.exe
  C:\Windows\System\IcAKWiW.exe
  2⤵
  PID:12068
- C:\Windows\System\oxzyoiW.exe
  C:\Windows\System\oxzyoiW.exe
  2⤵
  PID:12112
- C:\Windows\System\lmPuSJu.exe
  C:\Windows\System\lmPuSJu.exe
  2⤵
  PID:12136
- C:\Windows\System\yrCOEgc.exe
  C:\Windows\System\yrCOEgc.exe
  2⤵
  PID:12164
- C:\Windows\System\ascNbOa.exe
  C:\Windows\System\ascNbOa.exe
  2⤵
  PID:12204
- C:\Windows\System\TKkRyCV.exe
  C:\Windows\System\TKkRyCV.exe
  2⤵
  PID:12224
- C:\Windows\System\vOjxvis.exe
  C:\Windows\System\vOjxvis.exe
  2⤵
  PID:12248
- C:\Windows\System\coRJGPP.exe
  C:\Windows\System\coRJGPP.exe
  2⤵
  PID:10956
- C:\Windows\System\BTTgnWv.exe
  C:\Windows\System\BTTgnWv.exe
  2⤵
  PID:11320
- C:\Windows\System\qWPWnFy.exe
  C:\Windows\System\qWPWnFy.exe
  2⤵
  PID:11376
- C:\Windows\System\BBINipB.exe
  C:\Windows\System\BBINipB.exe
  2⤵
  PID:11420
- C:\Windows\System\kjmlNhZ.exe
  C:\Windows\System\kjmlNhZ.exe
  2⤵
  PID:11520
- C:\Windows\System\Bngdglg.exe
  C:\Windows\System\Bngdglg.exe
  2⤵
  PID:11536
- C:\Windows\System\UeenjyT.exe
  C:\Windows\System\UeenjyT.exe
  2⤵
  PID:11604
- C:\Windows\System\gbhWVKH.exe
  C:\Windows\System\gbhWVKH.exe
  2⤵
  PID:11684
- C:\Windows\System\MjyJCoD.exe
  C:\Windows\System\MjyJCoD.exe
  2⤵
  PID:11704
- C:\Windows\System\HnTfTTh.exe
  C:\Windows\System\HnTfTTh.exe
  2⤵
  PID:11728
- C:\Windows\System\NjeKLfx.exe
  C:\Windows\System\NjeKLfx.exe
  2⤵
  PID:11828
- C:\Windows\System\FXyzJdm.exe
  C:\Windows\System\FXyzJdm.exe
  2⤵
  PID:11892
- C:\Windows\System\bxBTiuN.exe
  C:\Windows\System\bxBTiuN.exe
  2⤵
  PID:11952
- C:\Windows\System\hKRAiKl.exe
  C:\Windows\System\hKRAiKl.exe
  2⤵
  PID:11948
- C:\Windows\System\BwshzQV.exe
  C:\Windows\System\BwshzQV.exe
  2⤵
  PID:12128
- C:\Windows\System\owTFYEP.exe
  C:\Windows\System\owTFYEP.exe
  2⤵
  PID:12220
- C:\Windows\System\ZIkQDaH.exe
  C:\Windows\System\ZIkQDaH.exe
  2⤵
  PID:11288
- C:\Windows\System\ZXWwtOo.exe
  C:\Windows\System\ZXWwtOo.exe
  2⤵
  PID:11428
- C:\Windows\System\aMJvnXl.exe
  C:\Windows\System\aMJvnXl.exe
  2⤵
  PID:11516
- C:\Windows\System\SxHoBHP.exe
  C:\Windows\System\SxHoBHP.exe
  2⤵
  PID:11660
- C:\Windows\System\gfahere.exe
  C:\Windows\System\gfahere.exe
  2⤵
  PID:11848
- C:\Windows\System\tXVVRSK.exe
  C:\Windows\System\tXVVRSK.exe
  2⤵
  PID:11964
- C:\Windows\System\HpmKQOB.exe
  C:\Windows\System\HpmKQOB.exe
  2⤵
  PID:12024
- C:\Windows\System\dFjIStp.exe
  C:\Windows\System\dFjIStp.exe
  2⤵
  PID:11396
- C:\Windows\System\ldoDarn.exe
  C:\Windows\System\ldoDarn.exe
  2⤵
  PID:11648
- C:\Windows\System\MUFlTlW.exe
  C:\Windows\System\MUFlTlW.exe
  2⤵
  PID:11792
- C:\Windows\System\xfJptHL.exe
  C:\Windows\System\xfJptHL.exe
  2⤵
  PID:12272
- C:\Windows\System\rsKoFqp.exe
  C:\Windows\System\rsKoFqp.exe
  2⤵
  PID:11780
- C:\Windows\System\ktYPGrO.exe
  C:\Windows\System\ktYPGrO.exe
  2⤵
  PID:12300
- C:\Windows\System\FyzUZUF.exe
  C:\Windows\System\FyzUZUF.exe
  2⤵
  PID:12328
- C:\Windows\System\zWmKNut.exe
  C:\Windows\System\zWmKNut.exe
  2⤵
  PID:12352
- C:\Windows\System\uVzAtht.exe
  C:\Windows\System\uVzAtht.exe
  2⤵
  PID:12396
- C:\Windows\System\XYvuhEg.exe
  C:\Windows\System\XYvuhEg.exe
  2⤵
  PID:12412
- C:\Windows\System\wrjkuWm.exe
  C:\Windows\System\wrjkuWm.exe
  2⤵
  PID:12436
- C:\Windows\System\GKXnmCL.exe
  C:\Windows\System\GKXnmCL.exe
  2⤵
  PID:12468
- C:\Windows\System\LTJpokF.exe
  C:\Windows\System\LTJpokF.exe
  2⤵
  PID:12496
- C:\Windows\System\xGBrzBW.exe
  C:\Windows\System\xGBrzBW.exe
  2⤵
  PID:12536
- C:\Windows\System\NxvikIs.exe
  C:\Windows\System\NxvikIs.exe
  2⤵
  PID:12552
- C:\Windows\System\vewSAzX.exe
  C:\Windows\System\vewSAzX.exe
  2⤵
  PID:12588
- C:\Windows\System\IVrAGGb.exe
  C:\Windows\System\IVrAGGb.exe
  2⤵
  PID:12616
- C:\Windows\System\plrBFPP.exe
  C:\Windows\System\plrBFPP.exe
  2⤵
  PID:12636
- C:\Windows\System\iJmpxaf.exe
  C:\Windows\System\iJmpxaf.exe
  2⤵
  PID:12664
- C:\Windows\System\MYzePTl.exe
  C:\Windows\System\MYzePTl.exe
  2⤵
  PID:12696
- C:\Windows\System\oIDhKKp.exe
  C:\Windows\System\oIDhKKp.exe
  2⤵
  PID:12720
- C:\Windows\System\KNKCiXa.exe
  C:\Windows\System\KNKCiXa.exe
  2⤵
  PID:12760
- C:\Windows\System\dhPpGnK.exe
  C:\Windows\System\dhPpGnK.exe
  2⤵
  PID:12780
- C:\Windows\System\KujLyyP.exe
  C:\Windows\System\KujLyyP.exe
  2⤵
  PID:12804
- C:\Windows\System\ZNIcPgA.exe
  C:\Windows\System\ZNIcPgA.exe
  2⤵
  PID:12844
- C:\Windows\System\UmWrYqH.exe
  C:\Windows\System\UmWrYqH.exe
  2⤵
  PID:12872
- C:\Windows\System\UBLHVdf.exe
  C:\Windows\System\UBLHVdf.exe
  2⤵
  PID:12888
- C:\Windows\System\laqQznb.exe
  C:\Windows\System\laqQznb.exe
  2⤵
  PID:12916
- C:\Windows\System\rqOZKkt.exe
  C:\Windows\System\rqOZKkt.exe
  2⤵
  PID:12956
- C:\Windows\System\yNIdWIy.exe
  C:\Windows\System\yNIdWIy.exe
  2⤵
  PID:12984
- C:\Windows\System\KIjxzHI.exe
  C:\Windows\System\KIjxzHI.exe
  2⤵
  PID:13012
- C:\Windows\System\AFWIxLu.exe
  C:\Windows\System\AFWIxLu.exe
  2⤵
  PID:13028
- C:\Windows\System\LaRidoY.exe
  C:\Windows\System\LaRidoY.exe
  2⤵
  PID:13068
- C:\Windows\System\NSgVSNp.exe
  C:\Windows\System\NSgVSNp.exe
  2⤵
  PID:13084
- C:\Windows\System\pYrRQet.exe
  C:\Windows\System\pYrRQet.exe
  2⤵
  PID:13124
- C:\Windows\System\halAaUl.exe
  C:\Windows\System\halAaUl.exe
  2⤵
  PID:13140
- C:\Windows\System\UFBCGVy.exe
  C:\Windows\System\UFBCGVy.exe
  2⤵
  PID:13168
- C:\Windows\System\ZktndOi.exe
  C:\Windows\System\ZktndOi.exe
  2⤵
  PID:13188
- C:\Windows\System\SoYaTho.exe
  C:\Windows\System\SoYaTho.exe
  2⤵
  PID:13212
- C:\Windows\System\JYyRCCf.exe
  C:\Windows\System\JYyRCCf.exe
  2⤵
  PID:13244
- C:\Windows\System\DhjTVVt.exe
  C:\Windows\System\DhjTVVt.exe
  2⤵
  PID:13268
- C:\Windows\System\bOPdEjR.exe
  C:\Windows\System\bOPdEjR.exe
  2⤵
  PID:13296
- C:\Windows\System\aawknCg.exe
  C:\Windows\System\aawknCg.exe
  2⤵
  PID:12312
- C:\Windows\System\zqkDmPs.exe
  C:\Windows\System\zqkDmPs.exe
  2⤵
  PID:11568
- C:\Windows\System\LeXxuUd.exe
  C:\Windows\System\LeXxuUd.exe
  2⤵
  PID:12432
- C:\Windows\System\KBMWeDC.exe
  C:\Windows\System\KBMWeDC.exe
  2⤵
  PID:12492
- C:\Windows\System\WOOdbfj.exe
  C:\Windows\System\WOOdbfj.exe
  2⤵
  PID:12524
- C:\Windows\System\RlpuXmQ.exe
  C:\Windows\System\RlpuXmQ.exe
  2⤵
  PID:12600
- C:\Windows\System\QWuAxhf.exe
  C:\Windows\System\QWuAxhf.exe
  2⤵
  PID:12660
- C:\Windows\System\lKjjDwc.exe
  C:\Windows\System\lKjjDwc.exe
  2⤵
  PID:12748
- C:\Windows\System\oCVOEcD.exe
  C:\Windows\System\oCVOEcD.exe
  2⤵
  PID:12792
- C:\Windows\System\Mbuvatw.exe
  C:\Windows\System\Mbuvatw.exe
  2⤵
  PID:12856
- C:\Windows\System\pbRkAut.exe
  C:\Windows\System\pbRkAut.exe
  2⤵
  PID:12940
- C:\Windows\System\iLjEeKG.exe
  C:\Windows\System\iLjEeKG.exe
  2⤵
  PID:13008
- C:\Windows\System\ptunVji.exe
  C:\Windows\System\ptunVji.exe
  2⤵
  PID:13052
- C:\Windows\System\hwUiUNk.exe
  C:\Windows\System\hwUiUNk.exe
  2⤵
  PID:13136
- C:\Windows\System\EhIRqlK.exe
  C:\Windows\System\EhIRqlK.exe
  2⤵
  PID:13236
- C:\Windows\System\ghxuzFi.exe
  C:\Windows\System\ghxuzFi.exe
  2⤵
  PID:12292
- C:\Windows\System\FkmSyaX.exe
  C:\Windows\System\FkmSyaX.exe
  2⤵
  PID:12428
- C:\Windows\System\oGsNlEH.exe
  C:\Windows\System\oGsNlEH.exe
  2⤵
  PID:12520
- C:\Windows\System\OtJhNAQ.exe
  C:\Windows\System\OtJhNAQ.exe
  2⤵
  PID:12772
- C:\Windows\System\qfsgqEC.exe
  C:\Windows\System\qfsgqEC.exe
  2⤵
  PID:12908
- C:\Windows\System\yYDGCmf.exe
  C:\Windows\System\yYDGCmf.exe
  2⤵
  PID:13024
- C:\Windows\System\cxKcwYa.exe
  C:\Windows\System\cxKcwYa.exe
  2⤵
  PID:13164
- C:\Windows\System\HzZsOIx.exe
  C:\Windows\System\HzZsOIx.exe
  2⤵
  PID:12480
- C:\Windows\System\KzRQtPX.exe
  C:\Windows\System\KzRQtPX.exe
  2⤵
  PID:12788
- C:\Windows\System\DZWNUxh.exe
  C:\Windows\System\DZWNUxh.exe
  2⤵
  PID:12948
- C:\Windows\System\YcZDFTF.exe
  C:\Windows\System\YcZDFTF.exe
  2⤵
  PID:12820
- C:\Windows\System\tfFbxIe.exe
  C:\Windows\System\tfFbxIe.exe
  2⤵
  PID:13316
- C:\Windows\System\krkTCmE.exe
  C:\Windows\System\krkTCmE.exe
  2⤵
  PID:13356
- C:\Windows\System\sVXPxNX.exe
  C:\Windows\System\sVXPxNX.exe
  2⤵
  PID:13380
- C:\Windows\System\fVWiBMa.exe
  C:\Windows\System\fVWiBMa.exe
  2⤵
  PID:13396
- C:\Windows\System\dnbvcHK.exe
  C:\Windows\System\dnbvcHK.exe
  2⤵
  PID:13412
- C:\Windows\System\SdxFEEL.exe
  C:\Windows\System\SdxFEEL.exe
  2⤵
  PID:13460
- C:\Windows\System\pFsXSOR.exe
  C:\Windows\System\pFsXSOR.exe
  2⤵
  PID:13488
- C:\Windows\System\qAsdZwq.exe
  C:\Windows\System\qAsdZwq.exe
  2⤵
  PID:13504
- C:\Windows\System\TajRvet.exe
  C:\Windows\System\TajRvet.exe
  2⤵
  PID:13548
- C:\Windows\System\uDuiwfv.exe
  C:\Windows\System\uDuiwfv.exe
  2⤵
  PID:13588
- C:\Windows\System\bKeOJMW.exe
  C:\Windows\System\bKeOJMW.exe
  2⤵
  PID:13604
- C:\Windows\System\EFvTukS.exe
  C:\Windows\System\EFvTukS.exe
  2⤵
  PID:13620
- C:\Windows\System\pVxFcPe.exe
  C:\Windows\System\pVxFcPe.exe
  2⤵
  PID:13652
- C:\Windows\System\EhGDpBn.exe
  C:\Windows\System\EhGDpBn.exe
  2⤵
  PID:13700
- C:\Windows\System\ZOoUpaZ.exe
  C:\Windows\System\ZOoUpaZ.exe
  2⤵
  PID:13728
- C:\Windows\System\hQtVzXj.exe
  C:\Windows\System\hQtVzXj.exe
  2⤵
  PID:13756
- C:\Windows\System\TVugWdq.exe
  C:\Windows\System\TVugWdq.exe
  2⤵
  PID:13784
- C:\Windows\System\apWnAcl.exe
  C:\Windows\System\apWnAcl.exe
  2⤵
  PID:13800
- C:\Windows\System\cuceuoo.exe
  C:\Windows\System\cuceuoo.exe
  2⤵
  PID:13828
- C:\Windows\System\drOMKGB.exe
  C:\Windows\System\drOMKGB.exe
  2⤵
  PID:13856
- C:\Windows\System\xdJlcyp.exe
  C:\Windows\System\xdJlcyp.exe
  2⤵
  PID:13880
- C:\Windows\System\jLQMldI.exe
  C:\Windows\System\jLQMldI.exe
  2⤵
  PID:13912
- C:\Windows\System\ViXjvhY.exe
  C:\Windows\System\ViXjvhY.exe
  2⤵
  PID:13932
- C:\Windows\System\GLsftPN.exe
  C:\Windows\System\GLsftPN.exe
  2⤵
  PID:13964
- C:\Windows\System\gnXHVkR.exe
  C:\Windows\System\gnXHVkR.exe
  2⤵
  PID:13992
- C:\Windows\System\zAqBWJG.exe
  C:\Windows\System\zAqBWJG.exe
  2⤵
  PID:14020
- C:\Windows\System\IJquqtc.exe
  C:\Windows\System\IJquqtc.exe
  2⤵
  PID:14040
- C:\Windows\System\lZiUKeB.exe
  C:\Windows\System\lZiUKeB.exe
  2⤵
  PID:14068
- C:\Windows\System\llROnAH.exe
  C:\Windows\System\llROnAH.exe
  2⤵
  PID:14100
- C:\Windows\System\oqQnosY.exe
  C:\Windows\System\oqQnosY.exe
  2⤵
  PID:14124
- C:\Windows\System\GjSBYIc.exe
  C:\Windows\System\GjSBYIc.exe
  2⤵
  PID:14176
- C:\Windows\System\RwbBhvK.exe
  C:\Windows\System\RwbBhvK.exe
  2⤵
  PID:14200
- C:\Windows\System\yxdHvbF.exe
  C:\Windows\System\yxdHvbF.exe
  2⤵
  PID:14220
- C:\Windows\System\FvzqHPi.exe
  C:\Windows\System\FvzqHPi.exe
  2⤵
  PID:14248
- C:\Windows\System\vyLurqT.exe
  C:\Windows\System\vyLurqT.exe
  2⤵
  PID:14284
- C:\Windows\System\cudddHA.exe
  C:\Windows\System\cudddHA.exe
  2⤵
  PID:14312
- C:\Windows\System\NCWYcPa.exe
  C:\Windows\System\NCWYcPa.exe
  2⤵
  PID:14332
- C:\Windows\System\fHZmNHq.exe
  C:\Windows\System\fHZmNHq.exe
  2⤵
  PID:13364
- C:\Windows\System\Eghxhjg.exe
  C:\Windows\System\Eghxhjg.exe
  2⤵
  PID:13372
- C:\Windows\System\evdhIYv.exe
  C:\Windows\System\evdhIYv.exe
  2⤵
  PID:13496
- C:\Windows\System\kcYWgAc.exe
  C:\Windows\System\kcYWgAc.exe
  2⤵
  PID:13560
- C:\Windows\System\lNtWrxD.exe
  C:\Windows\System\lNtWrxD.exe
  2⤵
  PID:13600
- C:\Windows\System\lbrNqof.exe
  C:\Windows\System\lbrNqof.exe
  2⤵
  PID:13644
- C:\Windows\System\uLgRdhZ.exe
  C:\Windows\System\uLgRdhZ.exe
  2⤵
  PID:13724
- C:\Windows\System\CepwVnk.exe
  C:\Windows\System\CepwVnk.exe
  2⤵
  PID:13768
- C:\Windows\System\KXNWZBj.exe
  C:\Windows\System\KXNWZBj.exe
  2⤵
  PID:13824
- C:\Windows\System\tJJNLuw.exe
  C:\Windows\System\tJJNLuw.exe
  2⤵
  PID:13920
- C:\Windows\System\ZAhCEzR.exe
  C:\Windows\System\ZAhCEzR.exe
  2⤵
  PID:13980
- C:\Windows\System\MXWNhaQ.exe
  C:\Windows\System\MXWNhaQ.exe
  2⤵
  PID:14076
- C:\Windows\System\aEpwNNw.exe
  C:\Windows\System\aEpwNNw.exe
  2⤵
  PID:14096
- C:\Windows\System\zBedgXB.exe
  C:\Windows\System\zBedgXB.exe
  2⤵
  PID:14208
- C:\Windows\System\OAZbUBB.exe
  C:\Windows\System\OAZbUBB.exe
  2⤵
  PID:14236
- C:\Windows\System\fAUvbKr.exe
  C:\Windows\System\fAUvbKr.exe
  2⤵
  PID:14328
- C:\Windows\System\bxzWtJl.exe
  C:\Windows\System\bxzWtJl.exe
  2⤵
  PID:13352
- C:\Windows\System\eprldiN.exe
  C:\Windows\System\eprldiN.exe
  2⤵
  PID:13672
- C:\Windows\System\LZpazYV.exe
  C:\Windows\System\LZpazYV.exe
  2⤵
  PID:13744
- C:\Windows\System\awcTsHg.exe
  C:\Windows\System\awcTsHg.exe
  2⤵
  PID:14004
- C:\Windows\System\ORRlyFG.exe
  C:\Windows\System\ORRlyFG.exe
  2⤵
  PID:13948
- C:\Windows\System\dzwuXNC.exe
  C:\Windows\System\dzwuXNC.exe
  2⤵
  PID:14276
- C:\Windows\System\yITcucq.exe
  C:\Windows\System\yITcucq.exe
  2⤵
  PID:13368
- C:\Windows\System\CTbbSWe.exe
  C:\Windows\System\CTbbSWe.exe
  2⤵
  PID:13692
- C:\Windows\System\ThLKClx.exe
  C:\Windows\System\ThLKClx.exe
  2⤵
  PID:13792
- C:\Windows\System\KSQVoBX.exe
  C:\Windows\System\KSQVoBX.exe
  2⤵
  PID:13540
- C:\Windows\System\xDMWBPg.exe
  C:\Windows\System\xDMWBPg.exe
  2⤵
  PID:13816
- C:\Windows\System\zedyoaO.exe
  C:\Windows\System\zedyoaO.exe
  2⤵
  PID:14344
- C:\Windows\System\iPcRdJe.exe
  C:\Windows\System\iPcRdJe.exe
  2⤵
  PID:14368
- C:\Windows\System\cCuIOnD.exe
  C:\Windows\System\cCuIOnD.exe
  2⤵
  PID:14428
- C:\Windows\System\ElAKXwv.exe
  C:\Windows\System\ElAKXwv.exe
  2⤵
  PID:14444
- C:\Windows\System\CmKdHtY.exe
  C:\Windows\System\CmKdHtY.exe
  2⤵
  PID:14488
- C:\Windows\System\qLsBtZu.exe
  C:\Windows\System\qLsBtZu.exe
  2⤵
  PID:14512
- C:\Windows\System\qTHWJYK.exe
  C:\Windows\System\qTHWJYK.exe
  2⤵
  PID:14536
- C:\Windows\System\IMkhANx.exe
  C:\Windows\System\IMkhANx.exe
  2⤵
  PID:14572
- C:\Windows\System\jWGbYBg.exe
  C:\Windows\System\jWGbYBg.exe
  2⤵
  PID:14596
- C:\Windows\System\ohjChlF.exe
  C:\Windows\System\ohjChlF.exe
  2⤵
  PID:14616
- C:\Windows\System\soNhKTg.exe
  C:\Windows\System\soNhKTg.exe
  2⤵
  PID:14656
- C:\Windows\System\trDsRvE.exe
  C:\Windows\System\trDsRvE.exe
  2⤵
  PID:14696
- C:\Windows\System\QaudKHF.exe
  C:\Windows\System\QaudKHF.exe
  2⤵
  PID:14748
- C:\Windows\System\UpTfzly.exe
  C:\Windows\System\UpTfzly.exe
  2⤵
  PID:14768
- C:\Windows\System\QzWgWzG.exe
  C:\Windows\System\QzWgWzG.exe
  2⤵
  PID:14812
- C:\Windows\System\nSqMMrD.exe
  C:\Windows\System\nSqMMrD.exe
  2⤵
  PID:14836
- C:\Windows\System\HYrXEFi.exe
  C:\Windows\System\HYrXEFi.exe
  2⤵
  PID:14856
- C:\Windows\System\PCFDFhO.exe
  C:\Windows\System\PCFDFhO.exe
  2⤵
  PID:14872
- C:\Windows\System\xloNJhn.exe
  C:\Windows\System\xloNJhn.exe
  2⤵
  PID:14892
- C:\Windows\System\wFySthi.exe
  C:\Windows\System\wFySthi.exe
  2⤵
  PID:14916
- C:\Windows\System\mGscSXy.exe
  C:\Windows\System\mGscSXy.exe
  2⤵
  PID:14944
- C:\Windows\System\XrWezCl.exe
  C:\Windows\System\XrWezCl.exe
  2⤵
  PID:14996
- C:\Windows\System\lPxBQmz.exe
  C:\Windows\System\lPxBQmz.exe
  2⤵
  PID:15016
- C:\Windows\System\IFiRTnQ.exe
  C:\Windows\System\IFiRTnQ.exe
  2⤵
  PID:15052
- C:\Windows\System\WQcBryx.exe
  C:\Windows\System\WQcBryx.exe
  2⤵
  PID:15068
- C:\Windows\System\uNXLSxb.exe
  C:\Windows\System\uNXLSxb.exe
  2⤵
  PID:15096
- C:\Windows\System\cRdxhOl.exe
  C:\Windows\System\cRdxhOl.exe
  2⤵
  PID:15120
- C:\Windows\System\DcLatzH.exe
  C:\Windows\System\DcLatzH.exe
  2⤵
  PID:15140
- C:\Windows\System\OqvMJJi.exe
  C:\Windows\System\OqvMJJi.exe
  2⤵
  PID:15196
- C:\Windows\System\oVZSEIa.exe
  C:\Windows\System\oVZSEIa.exe
  2⤵
  PID:15224
- C:\Windows\System\XNreKcN.exe
  C:\Windows\System\XNreKcN.exe
  2⤵
  PID:15248
- C:\Windows\System\LfoUfUg.exe
  C:\Windows\System\LfoUfUg.exe
  2⤵
  PID:15264
- C:\Windows\System\BXZtjCn.exe
  C:\Windows\System\BXZtjCn.exe
  2⤵
  PID:15308
- C:\Windows\System\scgcEQj.exe
  C:\Windows\System\scgcEQj.exe
  2⤵
  PID:15332
- C:\Windows\System\TFehQgH.exe
  C:\Windows\System\TFehQgH.exe
  2⤵
  PID:15356
- C:\Windows\System\vLeiaZg.exe
  C:\Windows\System\vLeiaZg.exe
  2⤵
  PID:14356
- C:\Windows\System\REBbfFF.exe
  C:\Windows\System\REBbfFF.exe
  2⤵
  PID:14396
- C:\Windows\System\YQBsjKK.exe
  C:\Windows\System\YQBsjKK.exe
  2⤵
  PID:14508
- C:\Windows\System\tesvkKT.exe
  C:\Windows\System\tesvkKT.exe
  2⤵
  PID:14532
- C:\Windows\System\XVFvzVT.exe
  C:\Windows\System\XVFvzVT.exe
  2⤵
  PID:14612
- C:\Windows\System\GcpbIiL.exe
  C:\Windows\System\GcpbIiL.exe
  2⤵
  PID:14688
- C:\Windows\System\OSNUlvy.exe
  C:\Windows\System\OSNUlvy.exe
  2⤵
  PID:14760
- C:\Windows\System\HyYqNdJ.exe
  C:\Windows\System\HyYqNdJ.exe
  2⤵
  PID:14828
- C:\Windows\System\LGRRito.exe
  C:\Windows\System\LGRRito.exe
  2⤵
  PID:14848
- C:\Windows\System\KIUDpmu.exe
  C:\Windows\System\KIUDpmu.exe
  2⤵
  PID:15108
- C:\Windows\System\UFIyWkS.exe
  C:\Windows\System\UFIyWkS.exe
  2⤵
  PID:15204
- C:\Windows\System\CviVvGV.exe
  C:\Windows\System\CviVvGV.exe
  2⤵
  PID:15180
- C:\Windows\System\pPIvTJM.exe
  C:\Windows\System\pPIvTJM.exe
  2⤵
  PID:15184
- C:\Windows\System\UjXTIbx.exe
  C:\Windows\System\UjXTIbx.exe
  2⤵
  PID:15276
- C:\Windows\System\sSKDRQr.exe
  C:\Windows\System\sSKDRQr.exe
  2⤵
  PID:15348
- C:\Windows\System\PKBlQUU.exe
  C:\Windows\System\PKBlQUU.exe
  2⤵
  PID:14364
- C:\Windows\System\rjUVNWO.exe
  C:\Windows\System\rjUVNWO.exe
  2⤵
  PID:14608
- C:\Windows\System\rcvcBPl.exe
  C:\Windows\System\rcvcBPl.exe
  2⤵
  PID:14568
- C:\Windows\System\ediNBzn.exe
  C:\Windows\System\ediNBzn.exe
  2⤵
  PID:14804
- C:\Windows\System\uqRJDNa.exe
  C:\Windows\System\uqRJDNa.exe
  2⤵
  PID:15160
- C:\Windows\System\FyytlIs.exe
  C:\Windows\System\FyytlIs.exe
  2⤵
  PID:15220
- C:\Windows\System\VfQCccQ.exe
  C:\Windows\System\VfQCccQ.exe
  2⤵
  PID:13544
- C:\Windows\System\oRGcauY.exe
  C:\Windows\System\oRGcauY.exe
  2⤵
  PID:15136
- C:\Windows\System\JbUskst.exe
  C:\Windows\System\JbUskst.exe
  2⤵
  PID:15048
- C:\Windows\System\tklvGta.exe
  C:\Windows\System\tklvGta.exe
  2⤵
  PID:15388
- C:\Windows\System\YBrcKEQ.exe
  C:\Windows\System\YBrcKEQ.exe
  2⤵
  PID:15412
- C:\Windows\System\FazxaoP.exe
  C:\Windows\System\FazxaoP.exe
  2⤵
  PID:15464
- C:\Windows\System\ZKfqVcU.exe
  C:\Windows\System\ZKfqVcU.exe
  2⤵
  PID:15484
- C:\Windows\System\gMKdynV.exe
  C:\Windows\System\gMKdynV.exe
  2⤵
  PID:15508
- C:\Windows\System\qwheRLC.exe
  C:\Windows\System\qwheRLC.exe
  2⤵
  PID:15532
- C:\Windows\System\CVzvhEF.exe
  C:\Windows\System\CVzvhEF.exe
  2⤵
  PID:15564
- C:\Windows\System\PckgGUI.exe
  C:\Windows\System\PckgGUI.exe
  2⤵
  PID:15608
- C:\Windows\System\VcTHfKK.exe
  C:\Windows\System\VcTHfKK.exe
  2⤵
  PID:15632
- C:\Windows\System\ZXoOtrM.exe
  C:\Windows\System\ZXoOtrM.exe
  2⤵
  PID:15648
- C:\Windows\System\bkllhxj.exe
  C:\Windows\System\bkllhxj.exe
  2⤵
  PID:15704
- C:\Windows\System\ItCqWIf.exe
  C:\Windows\System\ItCqWIf.exe
  2⤵
  PID:15744
- C:\Windows\System\Atcsfqq.exe
  C:\Windows\System\Atcsfqq.exe
  2⤵
  PID:15772
- C:\Windows\System\noKszmC.exe
  C:\Windows\System\noKszmC.exe
  2⤵
  PID:15792
- C:\Windows\System\EleOaCh.exe
  C:\Windows\System\EleOaCh.exe
  2⤵
  PID:15852
- C:\Windows\System\OvnOHec.exe
  C:\Windows\System\OvnOHec.exe
  2⤵
  PID:15896
- C:\Windows\System\KuMSrAV.exe
  C:\Windows\System\KuMSrAV.exe
  2⤵
  PID:15928
- C:\Windows\System\ZNunsPO.exe
  C:\Windows\System\ZNunsPO.exe
  2⤵
  PID:15948
- C:\Windows\System\nUxXvjI.exe
  C:\Windows\System\nUxXvjI.exe
  2⤵
  PID:15992
- C:\Windows\System\kTRQaCC.exe
  C:\Windows\System\kTRQaCC.exe
  2⤵
  PID:16008
- C:\Windows\System\wODNNDv.exe
  C:\Windows\System\wODNNDv.exe
  2⤵
  PID:16040
- C:\Windows\System\XgmoMni.exe
  C:\Windows\System\XgmoMni.exe
  2⤵
  PID:16064
- C:\Windows\System\KFgUDqD.exe
  C:\Windows\System\KFgUDqD.exe
  2⤵
  PID:16116
- C:\Windows\System\YZXiANH.exe
  C:\Windows\System\YZXiANH.exe
  2⤵
  PID:16140
- C:\Windows\System\DZLMBkS.exe
  C:\Windows\System\DZLMBkS.exe
  2⤵
  PID:16156
- C:\Windows\System\uyTmYrd.exe
  C:\Windows\System\uyTmYrd.exe
  2⤵
  PID:16180
- C:\Windows\System\uPKsAhs.exe
  C:\Windows\System\uPKsAhs.exe
  2⤵
  PID:16216
- C:\Windows\System\CjsbuqO.exe
  C:\Windows\System\CjsbuqO.exe
  2⤵
  PID:16248
- C:\Windows\System\dNGBBTo.exe
  C:\Windows\System\dNGBBTo.exe
  2⤵
  PID:16272
- C:\Windows\System\ghLgjZU.exe
  C:\Windows\System\ghLgjZU.exe
  2⤵
  PID:16288
- C:\Windows\System\LkzAfee.exe
  C:\Windows\System\LkzAfee.exe
  2⤵
  PID:16316
- C:\Windows\System\WmSPkzD.exe
  C:\Windows\System\WmSPkzD.exe
  2⤵
  PID:16364
- C:\Windows\System\mDuQmFf.exe
  C:\Windows\System\mDuQmFf.exe
  2⤵
  PID:14924
- C:\Windows\System\twxlEtj.exe
  C:\Windows\System\twxlEtj.exe
  2⤵
  PID:15372
- C:\Windows\System\HgfFLuv.exe
  C:\Windows\System\HgfFLuv.exe
  2⤵
  PID:15444
- C:\Windows\System\VwlfnZy.exe
  C:\Windows\System\VwlfnZy.exe
  2⤵
  PID:15496
- C:\Windows\System\vQIRSKX.exe
  C:\Windows\System\vQIRSKX.exe
  2⤵
  PID:4580
- C:\Windows\System\TmaPBXg.exe
  C:\Windows\System\TmaPBXg.exe
  2⤵
  PID:1280
- C:\Windows\System\lKAxOpd.exe
  C:\Windows\System\lKAxOpd.exe
  2⤵
  PID:872
- C:\Windows\System\FuoKQhF.exe
  C:\Windows\System\FuoKQhF.exe
  2⤵
  PID:15788
- C:\Windows\System\OjHnlNL.exe
  C:\Windows\System\OjHnlNL.exe
  2⤵
  PID:15880
- C:\Windows\System\oPelubF.exe
  C:\Windows\System\oPelubF.exe
  2⤵
  PID:15964
- C:\Windows\System\UhqCDSR.exe
  C:\Windows\System\UhqCDSR.exe
  2⤵
  PID:3732
- C:\Windows\System\LIMZWLC.exe
  C:\Windows\System\LIMZWLC.exe
  2⤵
  PID:16096
- C:\Windows\System\exszKeR.exe
  C:\Windows\System\exszKeR.exe
  2⤵
  PID:16152
- C:\Windows\System\MpQJOGt.exe
  C:\Windows\System\MpQJOGt.exe
  2⤵
  PID:16164
- C:\Windows\System\GpDQysO.exe
  C:\Windows\System\GpDQysO.exe
  2⤵
  PID:16264
- C:\Windows\System\ODvXcyf.exe
  C:\Windows\System\ODvXcyf.exe
  2⤵
  PID:16332
- C:\Windows\System\QIaZkaj.exe
  C:\Windows\System\QIaZkaj.exe
  2⤵
  PID:1932
- C:\Windows\System\EcZsKfZ.exe
  C:\Windows\System\EcZsKfZ.exe
  2⤵
  PID:15580
- C:\Windows\System\VStydxg.exe
  C:\Windows\System\VStydxg.exe
  2⤵
  PID:15500
- C:\Windows\System\wiEdqEs.exe
  C:\Windows\System\wiEdqEs.exe
  2⤵
  PID:15848
- C:\Windows\System\jYKQJfb.exe
  C:\Windows\System\jYKQJfb.exe
  2⤵
  PID:15920
- C:\Windows\System\TaupxBK.exe
  C:\Windows\System\TaupxBK.exe
  2⤵
  PID:16028
- C:\Windows\System\dCaEAWn.exe
  C:\Windows\System\dCaEAWn.exe
  2⤵
  PID:16212
- C:\Windows\System\tCAwHIJ.exe
  C:\Windows\System\tCAwHIJ.exe
  2⤵
  PID:15396
- C:\Windows\System\opckdEu.exe
  C:\Windows\System\opckdEu.exe
  2⤵
  PID:976
- C:\Windows\System\WmtMrIw.exe
  C:\Windows\System\WmtMrIw.exe
  2⤵
  PID:15904
- C:\Windows\System\RFCSnrQ.exe
  C:\Windows\System\RFCSnrQ.exe
  2⤵
  PID:16244
- C:\Windows\System\fDUCqhK.exe
  C:\Windows\System\fDUCqhK.exe
  2⤵
  PID:14556
- C:\Windows\System\MFyDPYR.exe
  C:\Windows\System\MFyDPYR.exe
  2⤵
  PID:16400
- C:\Windows\System\NiRVjGK.exe
  C:\Windows\System\NiRVjGK.exe
  2⤵
  PID:16432
- C:\Windows\System\QWWjrqj.exe
  C:\Windows\System\QWWjrqj.exe
  2⤵
  PID:16464
- C:\Windows\System\wJHhxPG.exe
  C:\Windows\System\wJHhxPG.exe
  2⤵
  PID:16504
- C:\Windows\System\XCYYUgk.exe
  C:\Windows\System\XCYYUgk.exe
  2⤵
  PID:16532
- C:\Windows\System\MILAiKM.exe
  C:\Windows\System\MILAiKM.exe
  2⤵
  PID:16548
- C:\Windows\System\qjsQXVH.exe
  C:\Windows\System\qjsQXVH.exe
  2⤵
  PID:16576
- C:\Windows\System\hargcoU.exe
  C:\Windows\System\hargcoU.exe
  2⤵
  PID:16620
- C:\Windows\System\RqcRnqm.exe
  C:\Windows\System\RqcRnqm.exe
  2⤵
  PID:16648
- C:\Windows\System\hXTvENo.exe
  C:\Windows\System\hXTvENo.exe
  2⤵
  PID:16664
- C:\Windows\System\wkwjsfp.exe
  C:\Windows\System\wkwjsfp.exe
  2⤵
  PID:16680
- C:\Windows\System\EQpjHly.exe
  C:\Windows\System\EQpjHly.exe
  2⤵
  PID:16724
- C:\Windows\System\CWfZNdx.exe
  C:\Windows\System\CWfZNdx.exe
  2⤵
  PID:16748
- C:\Windows\System\ORlZxAk.exe
  C:\Windows\System\ORlZxAk.exe
  2⤵
  PID:16764
- C:\Windows\System\nMiVymE.exe
  C:\Windows\System\nMiVymE.exe
  2⤵
  PID:16792
- C:\Windows\System\WKPnpmX.exe
  C:\Windows\System\WKPnpmX.exe
  2⤵
  PID:16828
- C:\Windows\System\WgmZaOU.exe
  C:\Windows\System\WgmZaOU.exe
  2⤵
  PID:16848
- C:\Windows\System\LTPXsUv.exe
  C:\Windows\System\LTPXsUv.exe
  2⤵
  PID:16872
- C:\Windows\System\rnlkQfl.exe
  C:\Windows\System\rnlkQfl.exe
  2⤵
  PID:16916
- C:\Windows\System\qQohYBl.exe
  C:\Windows\System\qQohYBl.exe
  2⤵
  PID:16944
- C:\Windows\System\kLbNSbl.exe
  C:\Windows\System\kLbNSbl.exe
  2⤵
  PID:16984
- C:\Windows\System\AldDePk.exe
  C:\Windows\System\AldDePk.exe
  2⤵
  PID:17012
- C:\Windows\System\fzgjNyW.exe
  C:\Windows\System\fzgjNyW.exe
  2⤵
  PID:17040
- C:\Windows\System\nPahgCZ.exe
  C:\Windows\System\nPahgCZ.exe
  2⤵
  PID:17068
- C:\Windows\System\CAyYhSJ.exe
  C:\Windows\System\CAyYhSJ.exe
  2⤵
  PID:17084
- C:\Windows\System\ijhoHGs.exe
  C:\Windows\System\ijhoHGs.exe
  2⤵
  PID:17112
- C:\Windows\System\wWhBJym.exe
  C:\Windows\System\wWhBJym.exe
  2⤵
  PID:17140
- C:\Windows\System\CzpvQFd.exe
  C:\Windows\System\CzpvQFd.exe
  2⤵
  PID:17160
- C:\Windows\System\OulzQSB.exe
  C:\Windows\System\OulzQSB.exe
  2⤵
  PID:17184
- C:\Windows\System\QWtfGAA.exe
  C:\Windows\System\QWtfGAA.exe
  2⤵
  PID:17204
- C:\Windows\System\JvLTfFD.exe
  C:\Windows\System\JvLTfFD.exe
  2⤵
  PID:17228
- C:\Windows\System\iEsFXrw.exe
  C:\Windows\System\iEsFXrw.exe
  2⤵
  PID:17252
- C:\Windows\System\fylVfXl.exe
  C:\Windows\System\fylVfXl.exe
  2⤵
  PID:17292
- C:\Windows\System\yxaURii.exe
  C:\Windows\System\yxaURii.exe
  2⤵
  PID:17336
- C:\Windows\System\mISQjil.exe
  C:\Windows\System\mISQjil.exe
  2⤵
  PID:17352
- C:\Windows\System\esXHXvC.exe
  C:\Windows\System\esXHXvC.exe
  2⤵
  PID:17404
- C:\Windows\System\UaafNFr.exe
  C:\Windows\System\UaafNFr.exe
  2⤵
  PID:16416
- C:\Windows\System\WYGYmYN.exe
  C:\Windows\System\WYGYmYN.exe
  2⤵
  PID:16480
- C:\Windows\System\frKEjKf.exe
  C:\Windows\System\frKEjKf.exe
  2⤵
  PID:16540

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:17080
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:16744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:18224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:16980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:17576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:9880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10508

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:12084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:2236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:18024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:18428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:18296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5468

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\92G8RFY9\microsoft.windows[1].xml

Filesize
97B

MD5
154014c190bcc3ee57ed7e94a2f5d4b9

SHA1
20848fea26d00af1a18c235031228444530ec9d4

SHA256
bcd046aa48862e2cc160ed1dc72283cfeeffce82c66d4aae555664ae3043ac53

SHA512
91c232d6bb42bebe9f998bae5e1a08d9ea0a8ed86ead98ab733fcf8170ecb100f3294ba378ac4b07ed7b8023760a20324145fcd3884d8848334de81a718d8be5

Download Submit
C:\Windows\System\AgGQabu.exe

Filesize
1.7MB

MD5
f3fed52b6341d2d52669f0aa261a76d0

SHA1
aef2f44a968b02628822df7362d5bfc0002fb2d8

SHA256
3f0bcc1ab4ab4f87a5452f888df88d05d47c91276a4ef695ffad4ea61247e687

SHA512
52973d2eb9e653de1a7c4c7aa2bc59d28b3847ba6554c4bb340753525da2de114aac6ed23ba795100816d7ba6a2bea47845cbfe53f6ab5f05fdf77e61323ab82

Download Submit
C:\Windows\System\BaFKfCz.exe

Filesize
1.7MB

MD5
8135e8c3c977d4b4caa31f38eeedeafc

SHA1
04fc0f10b573ac35dc556a8e544df202b804059c

SHA256
593375c18f747f0fce49bbed68dd8067877a304e9a8cbe9d9de8cf859d41709e

SHA512
8e32f92214eb668a777d6ca95445da22b128e2e1369f30e75dd123d25dc2d4ce35caa360f2bff05fb0ad88b0fcc88f622b3678998c7e78985539fac308a826fe

Download Submit
C:\Windows\System\BjdmjJH.exe

Filesize
1.7MB

MD5
b3bca902dc907f1e899946d032b272fb

SHA1
3524da22dad8565bf3a30f18b9630ea4731fc3f1

SHA256
dfeba9bfbed85589391a8a1a07b46c7380754b9f8cdfa58d77388cd617e151d7

SHA512
0b5bc224374dc2fb46168df64e5b24e8a91902b836307e3082772f195a25de387b14763a0d9fc15269d5ce9bff57d2212396e8e94af25b68205226bd57903274

Download Submit
C:\Windows\System\CbmzBhj.exe

Filesize
1.7MB

MD5
408b7758aca04cfb14eac22b077d008b

SHA1
8ce4818255a6a6665359103fcebf94c19829bbfe

SHA256
ad65fd229ed629995eda0c351f33e66817d375be7d319f6bed903f3d635ede5d

SHA512
b7ce6a83c354bb4b472d6ad9b507fb9560ca0582776efb05141907912922006156f7651dc6ece8432d26b36ecde4c1709dea680952bee547dac714214abf4c77

Download Submit
C:\Windows\System\DNHZkNl.exe

Filesize
1.7MB

MD5
6a651c571b983d34a15865ae7ba30b6f

SHA1
4f92ecdfffdec84695fbe0938edc9760b72b69ba

SHA256
59bb03de2048cf201e898b4bcd29b2752632b7e94a9f150760607977f6933574

SHA512
3a544414c268fdd50d6db9169c789eb03589a2489048bb5a45f2bd8a7a8f9a3cc71ef1dd2338a9f0a3e26eb0f79a0c249caa2738ef8fb54f2768e5b537da86f3

Download Submit
C:\Windows\System\DdBMDqH.exe

Filesize
1.7MB

MD5
8d798f7c250e664ecccb5fd7d46c0ca1

SHA1
5dd82dc8561ac28b9f6b0ab1ca44fc8d0f26b707

SHA256
62e05433ed662c1f29ef8e453bb9ac73f36ded5c936b3ba43357de8b633e40e2

SHA512
55cd1a9497df70f7c5c8fc77936b3505b0dd7b31a2a44357ee5b711c687afb1137cc8bf06945fa742ec1c894e4cd14c2b380807c0973fe2d77cae1df5b822f5c

Download Submit
C:\Windows\System\GzsSeGV.exe

Filesize
1.7MB

MD5
4ea269d6ba22021180e338acc270c4fc

SHA1
9ac03a2fe588d8d5e244444a238c25113cfa8cc0

SHA256
406c5717c92d5d654509d420d7105656c05b35360784609e22ab5491f1e1f047

SHA512
749dd7f84e415650d35f0fec1c4f8ab35201b9b8b17c1a17a37c2cea4adbdced900c93d3eb67184fa80f349ba040ed114a810642bd29d1de382b55362fb32578

Download Submit
C:\Windows\System\HyvUqfl.exe

Filesize
1.7MB

MD5
dc4e442d7f1c8ad9b6ab80f40931ac3d

SHA1
31bda7224bf78d3dabdc59cc1ba6b38209957b24

SHA256
71c25c95459c3bdb22ff9f55757d905b5766e7ae0eb74bc97c6fb8fac277675a

SHA512
675efa17980d7f9a38e03785f79d2f127d71106e604ff1cb77c53f85bdf319ba7a39491fbe6b5d748b3c9a65ec80dbde4e13932a27d4f101c2172d30fc32ab09

Download Submit
C:\Windows\System\LyNzoWJ.exe

Filesize
1.7MB

MD5
63ebe4b831d42046d3fe72798f8f239b

SHA1
c1586df155627a9e775df1e68b9bb4fb59007d0f

SHA256
ef242610e032c5043b867dfc254a07ae3289f91e983bf589716052fe1ce096e6

SHA512
f2f836171bb678406cd446a07d3994e28367da4bc4461a6817379706ff29ec5384f060d73fede0af967631e2e8e541343ff8beca21d8781a69b286acfeb7ffd0

Download Submit
C:\Windows\System\MhKdKqw.exe

Filesize
1.7MB

MD5
e8a48578a2071dc59061ec579d54e4e2

SHA1
4b7da5f84ce1f41698db3bb85f92ab29e06a7411

SHA256
16185e74c313cd8e9731e7cded4cc8af0b75bcd075c87ad83998fd4c58daa428

SHA512
c7da1443122a571502301da4c5d0267eb1110f60daaddcac24616027eb0b6cc01f19e0c4e04572f8b71ef13ebe5d842a6833d43f07ea81924d72714323e0dbb0

Download Submit
C:\Windows\System\NRvDrVd.exe

Filesize
1.7MB

MD5
0612e7bbe4fde8cffa33da7e8038c0d4

SHA1
7f3d087654521f8653759ed557141b51cc913e9c

SHA256
c99d7d427ab0905558fa0b57cf75e9f7b25f14bcb65ceafd4231a97d1b8e221c

SHA512
dd5546c0dcb107b41a72a120a614714aea41e74510b154e1dbf8aafaadb420484920c9870faaf02f1a92871714b884d7737704d2aad81fd5a613831bbb1dbe0c

Download Submit
C:\Windows\System\WmzKdso.exe

Filesize
1.7MB

MD5
142b4b4752db8c1fff3de34558ff0b65

SHA1
94ad4112bc27baa8a3b76da0a0d6599b327576ef

SHA256
20a4b719b7b054babc20e964ce2af1f662c1b723cba7ce4221a54ad86b8b2e82

SHA512
359c55e57da4093e0d2248aabe0512fb2d861cd9cbf9b5fab15e413cf1d495cf9495a15c4da646dbff0ec53e4c4bb906eee0b0fbc075c74780389ddf7128bb6d

Download Submit
C:\Windows\System\WzZtjAy.exe

Filesize
1.7MB

MD5
573eecedc76c1ee143439ee2cde71e6c

SHA1
0c2af8aa8330ca0c1395f0ed2f41c6f32048897f

SHA256
778cdf832fb8336daa7a9048200577ac86c8a6f9ee526cbe972bfd1d5de8a41b

SHA512
b0613e5bd27de45ec887880cc62b62efb3dbb586c00e8015dc211ca0c2e2971ccd2980a6816ff3c96cea33e967526bfcc3f7ead11d83a624e73552f32de1c647

Download Submit
C:\Windows\System\XqBUfEC.exe

Filesize
1.7MB

MD5
39f76461827454fdba32a82e124244b7

SHA1
e1f7b077d2eed552f638042d9255601d0493cdf5

SHA256
a1e535587e8ae8288fe72dbee0919e26d4592b54750673c846f1cea7a8c46514

SHA512
1a22a11cda026d69137e1a26777ac02b03b2636997a0796ab06ddde3afad4d56fa9cb904ac288d9e11ce9640a4844cdd6d21937adf16bf0abddabbbaa9685531

Download Submit
C:\Windows\System\YReadpj.exe

Filesize
1.7MB

MD5
7e9bbd95c604a4d1ff7928d8eeed2d65

SHA1
9385db99f71132d5bbe6844564157872b886703a

SHA256
e392e64a520611f85f9d1d9cb73409e91cbbce46b9d8b8c528156fc03ba0776b

SHA512
76b6621459fc75e2a1ff39daeb566bf4ee657dc47316230a9abbb13ad54717079f4eb410f71962712dc0f2a7fb74617ea694ecba93acdca6f2ab76088ac44de0

Download Submit
C:\Windows\System\aknaYYs.exe

Filesize
1.7MB

MD5
c0a36186e04a4da9f6e6ce6e7365bbc3

SHA1
80aaae00ae5d12da2d128db9954885cce90aa08f

SHA256
62230f42d3286e841c3ae42e0cc4ac3d9619c99f34cc1e029cb531d069be160e

SHA512
42e6317afd60c00bf1ea74f34caa394f0df7f5d816c1a09a187b1b598082cab2d3d3281fc32258edd3e66e49b5efbf90ccb08e288c646d0e5f398b9a46cb609f

Download Submit
C:\Windows\System\bvWgDkk.exe

Filesize
1.7MB

MD5
2dda8c65b219f4c404f6ff533284fa07

SHA1
e05e1b64a7a03734fd18f40caf2ddcfd9127f58a

SHA256
9a63aa6d2ce320d0af69d49e68d37b6437f8136a5e38ccee901160327a88d458

SHA512
8a2769eb15344c6594be481b611c8b432d68b7592a85e54b9e878db70be95cb363ef968b649ab2a7d2dbb15b185e1a7703871679ef93f72e98c9d833ceeb9727

Download Submit
C:\Windows\System\cAuoyCD.exe

Filesize
1.7MB

MD5
b28d1fc6db6da257a6c4838186c4e265

SHA1
9ab0d14e86cfe0a17ca49ab3072b147910789471

SHA256
5ec2c4ff7c58a9f6ef94f218a13648cce7a087118ffe45dcb2d67f3a08e3c146

SHA512
bb1cdc6b0a99676e926f5d42dd67d527db8b02ffd0b31022c5ddf06ff66754a1a58b5b5f892c6402b853e76fadd099b9d38b214ac5128ab2beb4c864378c5a3e

Download Submit
C:\Windows\System\eZPTufa.exe

Filesize
1.7MB

MD5
e09a2c430e2979a6d3ddb268a49d9aa3

SHA1
37512f3853e32d3877aa2226c1aaf2b6656ab77f

SHA256
7f5bb04ce1bbac11ffae9656961d03d042387b0c12af533d709f86809fe34402

SHA512
d431bf7b3446ea5842bb4e4eeedea1af5bf0e0ca35c7629c3a8834fdf14cecc3965c8d911151941814bb824d47a686afbfbaaea084b07486d854ad258fc76122

Download Submit
C:\Windows\System\jpOjtTq.exe

Filesize
1.7MB

MD5
ddc0efd7d56558271a9a819be7aad2b8

SHA1
fa28301a320bc23238bb7afa6e3ac9e13756d9a7

SHA256
827b5e1e4d427892b7cc52261198400d2e112c092cfa25634394db5a88a64ba5

SHA512
31ad4f420cb63b8927100e8ee6da5febfd30e561eda1174040da3e26309fb40508a2b4d2ea6c5205b08180ebd48f80fcdb5e9a37df2fa1182d5e362dc436ffce

Download Submit
C:\Windows\System\lJEddEj.exe

Filesize
1.7MB

MD5
68d3ed8578224aac46a9f88a93402cd3

SHA1
95144c49ca3e87c9c0e6180ef1136c4bfb638cc9

SHA256
02f929bac23ec1646d8c615d8203cd5ba35d75d72572c88fb4e93ed03ce00d10

SHA512
ccf9994afd3b04a9935160fe760cbaa1ab9eec68cb8bedbef124be355e8b340586b89473816ff6cce3125793a2df24a08eb187c24c806f634e676ae819b0de96

Download Submit
C:\Windows\System\lpVmfUM.exe

Filesize
1.7MB

MD5
90e8d4f01a7a50f677b123edd798be94

SHA1
ec75d48694e5ed22d6f031b1abf34689893cdd9c

SHA256
d8f35d4e35fc8fe16446b3ba38619beb4836701a7406bd737d09dcc222938aa7

SHA512
afa92e460234fbd5b0a9acaddce3f30405e9a18b5165aabe68979879317bab1c43109d1a8b3be4482fa86fa86ba42111b37bd1d5401d7051cf547be56c02bd92

Download Submit
C:\Windows\System\pTQfeYh.exe

Filesize
1.7MB

MD5
02352cd7da3e0d90ebcf72fbae60baec

SHA1
d38bafe380d5e842582013efece038ce636d08cd

SHA256
3576ba42b8965fe79e8a4358978b88619051c1389f43a2ae89fd93b6b8a3ffbd

SHA512
ee1c2f99822431d98dbebdf6223444025ad7f6d0b9a4bc4be2ab6a91a3e9bbb13bd52b5f924d2ec10b10afaf2187558c503d53e6bd31d1b3f9f2ddb6a8f8e691

Download Submit
C:\Windows\System\psHRrJd.exe

Filesize
1.7MB

MD5
d6b6b0f547dce0513878c18e1482c180

SHA1
53b30d865f192c5711c9a181e473b6260b2bb12c

SHA256
121cb11733c76aae793a809dc31f9c4ec9bafcdf4c08be1ef442e46028ae16b5

SHA512
6fec260693459e3a6b9f829f8aa6f8b515bfcdb52f6351ecba6926fb240af9acec073d930cf12b95e80cdd8c2164173fc2d978a9998218d236a0c5e8ec315fb8

Download Submit
C:\Windows\System\rykymyX.exe

Filesize
1.7MB

MD5
c5b28e4e073b83712d8940fd57123d2c

SHA1
fd90bdf53c327d4990378eb9f22a5947a2cc6426

SHA256
939f5a618b75f4730e0e4bc62fe0f54223863d36ee3e16cf694bf47d617466ad

SHA512
7ea7801f78ee1135833f55b7ca02028d42f4034136615e57ac57dde8767df16f92b0f370ca67fbf68d633d5f4b534772864d42e178c1d22edde84a3eee1b71e8

Download Submit
C:\Windows\System\sRdZFNj.exe

Filesize
1.7MB

MD5
2b60b1ed969d0fa1e2111d143f5d0037

SHA1
9c38cdf357969b2e08f77dee38bd48141699789e

SHA256
e7332d1cd7be6c1d1b55d0ddff0d5e752f0e8eb5598711971d0ee3e8975e631e

SHA512
826946d5513852670e1b974b48c0207bc23facc5eae15a08409c7301aeca80a027b83f8ef36791f431589c5220ca7eb20c6f74283084c81c185a4c94b90d3b68

Download Submit
C:\Windows\System\tJzTmuB.exe

Filesize
1.7MB

MD5
b83a5ef62651d3a7d046a0387ac72bdb

SHA1
6d57eab5ea5f91fea338eb62cb1fba9c979bc985

SHA256
d1c8de66f7318d6d41c9ba5039cea6f49512e90d3ae74ce9c47631f6d8ef3dca

SHA512
0333368cd3e397f21bab1f7d608319747ddec82085f19675989ecdea7d7366418fc3872f8e714bf94c2d826c054ec65c650aeb4f31a2af944e62d21c55c448a1

Download Submit
C:\Windows\System\tTuQujd.exe

Filesize
1.7MB

MD5
6c7d1e4bce9533d071a88b53e577554b

SHA1
247b0d71ea18a8e3cdee74998c20c3f5daca1b06

SHA256
8cbed877a2a63a5124835b5987a8590a75f130b284b1f5aed8cdc16629500cc2

SHA512
29d195a3c2deba4cdee149b1de80e902f4597eb088a67c6a4415fca8389cf8d5bef8f30100b6bd55231eae8bdd219297caaf5fa61cabeffe8c0836f700553ada

Download Submit
C:\Windows\System\uQgHZSW.exe

Filesize
1.7MB

MD5
1d969e26630ba48abeedd7622cd2be01

SHA1
2e77befa340acd462038bedaf63d5333b9b8b7ec

SHA256
fb1a79cf63b98da85c05ebb3c522a067e1f343b7eb21f6aeb4510c3dbad308f7

SHA512
b900d3f6ec20d9bd5deae488c09cf3735d146ebc912ac15b948d3b491c6ae15af7ccd1252a085a3e8559769e4973041edba7640e7c1d789d447030555c2b7bc8

Download Submit
C:\Windows\System\udZzdEh.exe

Filesize
1.7MB

MD5
999376b089c167012c08b76045bba0bb

SHA1
453f96cd7f326921c9331518bbe171162cfdbd79

SHA256
9bf5a3ff015c37ed1c87788a6c9f7efac18f1a6021375a04d7f9d0c0c9e56309

SHA512
90099b63c4c81009f55ce14cc0648563f397cb44f1b6fd536628106c44770142e62e0ab81d8716adcc7d912ba51aea1687866da8cad0232abd942de54e68d077

Download Submit
C:\Windows\System\wuSxBcz.exe

Filesize
1.7MB

MD5
3f44ed1827914c484fb5bb27e0b538d4

SHA1
c1d39215327af2d8a3825bb7b47e779bcf4ff131

SHA256
98c7c4e91af06e4d3db3c2073d8575eae41d7b4f9b1b462c1be47644921602af

SHA512
a92fa291c64355a71f8e4fce2d955c7a8f5e517d8fc70adea138365c4b8fdc368b1557fabed987e5366782756df934cd7416ee4312c4207f0ccb9eb3e6c3b904

Download Submit
C:\Windows\System\yrLxHNA.exe

Filesize
1.7MB

MD5
b6346358941c60a651f994f83c85ddcd

SHA1
441d3eb3d3c973785097929c6b8d377a20fe52f6

SHA256
69c5dbdcc173f86fb535d0a68d03dbe894c5bde0f67b73f60febd294d5a38264

SHA512
ce8e6e0d813773506e3e28fe562d5e53b22fe8e034fe9cd865a78c4d787065ea1e0404bfae1bc49370085e1c8c33e10e4bd9fc4bb50c03c06a064d3203f8e52c

Download Submit
C:\Windows\System\zUHipdG.exe

Filesize
1.7MB

MD5
5e76d94cc58a84ff63ba6c5067ecdd41

SHA1
4d9692ace9cb1d785939699521994d5486a62d68

SHA256
e7cd7c99eafb63201c8b9d7524a4a64ba9fbdc7358e9bd5674a57375c78288e4

SHA512
9837fad1f8057bce6255513ceaf30c98a4cba42a22fc53e37eef7ba6294ba6704b3477feb70c615da258ee29613e5ccc1d15f234060efd3e643ca0b4036154da

Download Submit
memory/1624-0-0x000001E6FA550000-0x000001E6FA560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads