xmrig | 1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888

Analysis

max time kernel
54s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
Size

2.1MB
MD5

3221599982d4f3a4afa3fa3ec597200b
SHA1

2c04f37e5f595f8f0182b1e652481e53820a191a
SHA256

1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888
SHA512

fb323d99c549657c07b7e340987e0bb6451a0bb03a25e929b672322f796f944ca27a0a6ca3095b4bc1c67eebb6241e0191fa27100baae4738e0d7b314fd7c457
SSDEEP

24576:BezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbEwlKjpuzBF6727XL1+Kwen8Z2I4:BezaTF8FcNkNdfE0pZ9ozt4wIQHxlUy

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/756-0-0x00007FF730100000-0x00007FF730454000-memory.dmp	UPX
behavioral2/files/0x000800000002343b-5.dat	UPX
behavioral2/files/0x0007000000023440-13.dat	UPX
behavioral2/files/0x0007000000023442-24.dat	UPX
behavioral2/files/0x0007000000023445-41.dat	UPX
behavioral2/files/0x000700000002344b-66.dat	UPX
behavioral2/files/0x000700000002344a-96.dat	UPX
behavioral2/memory/2996-133-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp	UPX
behavioral2/files/0x0007000000023455-147.dat	UPX
behavioral2/memory/1968-163-0x00007FF645130000-0x00007FF645484000-memory.dmp	UPX
behavioral2/memory/2636-169-0x00007FF67A390000-0x00007FF67A6E4000-memory.dmp	UPX
behavioral2/memory/5056-173-0x00007FF64FA60000-0x00007FF64FDB4000-memory.dmp	UPX
behavioral2/memory/4384-175-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	UPX
behavioral2/memory/4668-174-0x00007FF7B1F60000-0x00007FF7B22B4000-memory.dmp	UPX
behavioral2/memory/4648-172-0x00007FF79F8D0000-0x00007FF79FC24000-memory.dmp	UPX
behavioral2/memory/2308-171-0x00007FF686B30000-0x00007FF686E84000-memory.dmp	UPX
behavioral2/memory/4588-170-0x00007FF7B7510000-0x00007FF7B7864000-memory.dmp	UPX
behavioral2/memory/3660-168-0x00007FF646DC0000-0x00007FF647114000-memory.dmp	UPX
behavioral2/memory/1948-167-0x00007FF72B8C0000-0x00007FF72BC14000-memory.dmp	UPX
behavioral2/memory/3632-166-0x00007FF727080000-0x00007FF7273D4000-memory.dmp	UPX
behavioral2/memory/4984-165-0x00007FF7C66D0000-0x00007FF7C6A24000-memory.dmp	UPX
behavioral2/memory/3956-164-0x00007FF73A880000-0x00007FF73ABD4000-memory.dmp	UPX
behavioral2/memory/3424-162-0x00007FF772310000-0x00007FF772664000-memory.dmp	UPX
behavioral2/memory/2132-161-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp	UPX
behavioral2/files/0x000700000002345a-159.dat	UPX
behavioral2/files/0x0007000000023459-157.dat	UPX
behavioral2/files/0x0007000000023458-155.dat	UPX
behavioral2/files/0x0007000000023451-153.dat	UPX
behavioral2/files/0x0007000000023457-151.dat	UPX
behavioral2/files/0x0007000000023456-149.dat	UPX
behavioral2/files/0x0007000000023454-145.dat	UPX
behavioral2/memory/2464-144-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp	UPX
behavioral2/files/0x0007000000023453-142.dat	UPX
behavioral2/memory/2244-141-0x00007FF7455B0000-0x00007FF745904000-memory.dmp	UPX
behavioral2/memory/4976-134-0x00007FF758380000-0x00007FF7586D4000-memory.dmp	UPX
behavioral2/files/0x0007000000023452-131.dat	UPX
behavioral2/files/0x000700000002344c-130.dat	UPX
behavioral2/files/0x000700000002344f-128.dat	UPX
behavioral2/files/0x0007000000023450-127.dat	UPX
behavioral2/memory/4980-126-0x00007FF676CB0000-0x00007FF677004000-memory.dmp	UPX
behavioral2/files/0x000700000002344e-112.dat	UPX
behavioral2/memory/2108-107-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp	UPX
behavioral2/files/0x000700000002344d-93.dat	UPX
behavioral2/files/0x0007000000023447-89.dat	UPX
behavioral2/memory/3460-86-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp	UPX
behavioral2/files/0x0007000000023449-78.dat	UPX
behavioral2/memory/4972-76-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp	UPX
behavioral2/files/0x0007000000023446-62.dat	UPX
behavioral2/files/0x0007000000023448-58.dat	UPX
behavioral2/memory/4992-55-0x00007FF71B010000-0x00007FF71B364000-memory.dmp	UPX
behavioral2/files/0x0007000000023444-63.dat	UPX
behavioral2/memory/4352-46-0x00007FF766890000-0x00007FF766BE4000-memory.dmp	UPX
behavioral2/memory/4184-42-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	UPX
behavioral2/files/0x0007000000023441-32.dat	UPX
behavioral2/files/0x0007000000023443-30.dat	UPX
behavioral2/memory/2256-26-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	UPX
behavioral2/memory/2964-20-0x00007FF633E90000-0x00007FF6341E4000-memory.dmp	UPX
behavioral2/files/0x000700000002343f-18.dat	UPX
behavioral2/memory/2284-14-0x00007FF61B710000-0x00007FF61BA64000-memory.dmp	UPX
behavioral2/files/0x000700000002345b-179.dat	UPX
behavioral2/files/0x000700000002345c-184.dat	UPX
behavioral2/files/0x000700000002345d-190.dat	UPX
behavioral2/memory/2256-2148-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	UPX
behavioral2/memory/4184-2149-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/756-0-0x00007FF730100000-0x00007FF730454000-memory.dmp	xmrig
behavioral2/files/0x000800000002343b-5.dat	xmrig
behavioral2/files/0x0007000000023440-13.dat	xmrig
behavioral2/files/0x0007000000023442-24.dat	xmrig
behavioral2/files/0x0007000000023445-41.dat	xmrig
behavioral2/files/0x000700000002344b-66.dat	xmrig
behavioral2/files/0x000700000002344a-96.dat	xmrig
behavioral2/memory/2996-133-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023455-147.dat	xmrig
behavioral2/memory/1968-163-0x00007FF645130000-0x00007FF645484000-memory.dmp	xmrig
behavioral2/memory/2636-169-0x00007FF67A390000-0x00007FF67A6E4000-memory.dmp	xmrig
behavioral2/memory/5056-173-0x00007FF64FA60000-0x00007FF64FDB4000-memory.dmp	xmrig
behavioral2/memory/4384-175-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	xmrig
behavioral2/memory/4668-174-0x00007FF7B1F60000-0x00007FF7B22B4000-memory.dmp	xmrig
behavioral2/memory/4648-172-0x00007FF79F8D0000-0x00007FF79FC24000-memory.dmp	xmrig
behavioral2/memory/2308-171-0x00007FF686B30000-0x00007FF686E84000-memory.dmp	xmrig
behavioral2/memory/4588-170-0x00007FF7B7510000-0x00007FF7B7864000-memory.dmp	xmrig
behavioral2/memory/3660-168-0x00007FF646DC0000-0x00007FF647114000-memory.dmp	xmrig
behavioral2/memory/1948-167-0x00007FF72B8C0000-0x00007FF72BC14000-memory.dmp	xmrig
behavioral2/memory/3632-166-0x00007FF727080000-0x00007FF7273D4000-memory.dmp	xmrig
behavioral2/memory/4984-165-0x00007FF7C66D0000-0x00007FF7C6A24000-memory.dmp	xmrig
behavioral2/memory/3956-164-0x00007FF73A880000-0x00007FF73ABD4000-memory.dmp	xmrig
behavioral2/memory/3424-162-0x00007FF772310000-0x00007FF772664000-memory.dmp	xmrig
behavioral2/memory/2132-161-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp	xmrig
behavioral2/files/0x000700000002345a-159.dat	xmrig
behavioral2/files/0x0007000000023459-157.dat	xmrig
behavioral2/files/0x0007000000023458-155.dat	xmrig
behavioral2/files/0x0007000000023451-153.dat	xmrig
behavioral2/files/0x0007000000023457-151.dat	xmrig
behavioral2/files/0x0007000000023456-149.dat	xmrig
behavioral2/files/0x0007000000023454-145.dat	xmrig
behavioral2/memory/2464-144-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023453-142.dat	xmrig
behavioral2/memory/2244-141-0x00007FF7455B0000-0x00007FF745904000-memory.dmp	xmrig
behavioral2/memory/4976-134-0x00007FF758380000-0x00007FF7586D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023452-131.dat	xmrig
behavioral2/files/0x000700000002344c-130.dat	xmrig
behavioral2/files/0x000700000002344f-128.dat	xmrig
behavioral2/files/0x0007000000023450-127.dat	xmrig
behavioral2/memory/4980-126-0x00007FF676CB0000-0x00007FF677004000-memory.dmp	xmrig
behavioral2/files/0x000700000002344e-112.dat	xmrig
behavioral2/memory/2108-107-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-93.dat	xmrig
behavioral2/files/0x0007000000023447-89.dat	xmrig
behavioral2/memory/3460-86-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-78.dat	xmrig
behavioral2/memory/4972-76-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023446-62.dat	xmrig
behavioral2/files/0x0007000000023448-58.dat	xmrig
behavioral2/memory/4992-55-0x00007FF71B010000-0x00007FF71B364000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-63.dat	xmrig
behavioral2/memory/4352-46-0x00007FF766890000-0x00007FF766BE4000-memory.dmp	xmrig
behavioral2/memory/4184-42-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-32.dat	xmrig
behavioral2/files/0x0007000000023443-30.dat	xmrig
behavioral2/memory/2256-26-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	xmrig
behavioral2/memory/2964-20-0x00007FF633E90000-0x00007FF6341E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-18.dat	xmrig
behavioral2/memory/2284-14-0x00007FF61B710000-0x00007FF61BA64000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-179.dat	xmrig
behavioral2/files/0x000700000002345c-184.dat	xmrig
behavioral2/files/0x000700000002345d-190.dat	xmrig
behavioral2/memory/2256-2148-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	xmrig
behavioral2/memory/4184-2149-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2284	vffxSTF.exe
2256	bJGEyTI.exe
2964	aPsNiRr.exe
4184	wEoDotC.exe
1948	hxlzqrZ.exe
4352	FXDmBej.exe
3660	zqzPqsR.exe
4992	WiWsIce.exe
2636	Imomnqq.exe
4972	sacfSjz.exe
4588	exHMZuf.exe
2308	rAWhGwS.exe
3460	lpeMsKH.exe
2108	IfWZOMc.exe
4648	jBzhRCu.exe
4980	bvNbyWM.exe
2996	SOLISWO.exe
4976	hSWloXB.exe
5056	ccDOart.exe
4668	zeJkqQF.exe
2244	KZBGhkx.exe
2464	kGzbPmv.exe
2132	gjlTIkh.exe
3424	pzgbesC.exe
1968	puqZxIY.exe
3956	wfbCIcD.exe
4984	KrkVPjH.exe
4384	iaovoJD.exe
3632	bFqScNB.exe
464	hxCuXfk.exe
4468	KHqllUo.exe
4804	qGnHEkH.exe
3624	DcOXvQd.exe
1600	YDfTxZa.exe
4880	anPlJbe.exe
4076	NFdDIWi.exe
4596	SfXklTV.exe
2248	LOnZepi.exe
3348	SVsgsUj.exe
3280	ilVwDPB.exe
208	jXOIvdx.exe
4296	ENkxHuF.exe
4304	AXOKOSb.exe
3432	gSoMoLz.exe
2372	UQBdRON.exe
4416	sqwgSgf.exe
4828	ctGIIVl.exe
1084	eGiawJi.exe
2720	zrMZZuk.exe
2952	gEdxwwi.exe
2056	mUocDOU.exe
4896	bOruGdi.exe
4660	XzlRUuy.exe
1972	elVssmd.exe
2376	HJanBSp.exe
700	OyqQByE.exe
3572	mvqzvpO.exe
2784	mzcbwQa.exe
1952	pnJSiEE.exe
4532	YTZoXVd.exe
3184	sLucLYP.exe
4120	FZhBUmf.exe
4924	wYkflfE.exe
3160	IUTGpJp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/756-0-0x00007FF730100000-0x00007FF730454000-memory.dmp	upx
behavioral2/files/0x000800000002343b-5.dat	upx
behavioral2/files/0x0007000000023440-13.dat	upx
behavioral2/files/0x0007000000023442-24.dat	upx
behavioral2/files/0x0007000000023445-41.dat	upx
behavioral2/files/0x000700000002344b-66.dat	upx
behavioral2/files/0x000700000002344a-96.dat	upx
behavioral2/memory/2996-133-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp	upx
behavioral2/files/0x0007000000023455-147.dat	upx
behavioral2/memory/1968-163-0x00007FF645130000-0x00007FF645484000-memory.dmp	upx
behavioral2/memory/2636-169-0x00007FF67A390000-0x00007FF67A6E4000-memory.dmp	upx
behavioral2/memory/5056-173-0x00007FF64FA60000-0x00007FF64FDB4000-memory.dmp	upx
behavioral2/memory/4384-175-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	upx
behavioral2/memory/4668-174-0x00007FF7B1F60000-0x00007FF7B22B4000-memory.dmp	upx
behavioral2/memory/4648-172-0x00007FF79F8D0000-0x00007FF79FC24000-memory.dmp	upx
behavioral2/memory/2308-171-0x00007FF686B30000-0x00007FF686E84000-memory.dmp	upx
behavioral2/memory/4588-170-0x00007FF7B7510000-0x00007FF7B7864000-memory.dmp	upx
behavioral2/memory/3660-168-0x00007FF646DC0000-0x00007FF647114000-memory.dmp	upx
behavioral2/memory/1948-167-0x00007FF72B8C0000-0x00007FF72BC14000-memory.dmp	upx
behavioral2/memory/3632-166-0x00007FF727080000-0x00007FF7273D4000-memory.dmp	upx
behavioral2/memory/4984-165-0x00007FF7C66D0000-0x00007FF7C6A24000-memory.dmp	upx
behavioral2/memory/3956-164-0x00007FF73A880000-0x00007FF73ABD4000-memory.dmp	upx
behavioral2/memory/3424-162-0x00007FF772310000-0x00007FF772664000-memory.dmp	upx
behavioral2/memory/2132-161-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp	upx
behavioral2/files/0x000700000002345a-159.dat	upx
behavioral2/files/0x0007000000023459-157.dat	upx
behavioral2/files/0x0007000000023458-155.dat	upx
behavioral2/files/0x0007000000023451-153.dat	upx
behavioral2/files/0x0007000000023457-151.dat	upx
behavioral2/files/0x0007000000023456-149.dat	upx
behavioral2/files/0x0007000000023454-145.dat	upx
behavioral2/memory/2464-144-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp	upx
behavioral2/files/0x0007000000023453-142.dat	upx
behavioral2/memory/2244-141-0x00007FF7455B0000-0x00007FF745904000-memory.dmp	upx
behavioral2/memory/4976-134-0x00007FF758380000-0x00007FF7586D4000-memory.dmp	upx
behavioral2/files/0x0007000000023452-131.dat	upx
behavioral2/files/0x000700000002344c-130.dat	upx
behavioral2/files/0x000700000002344f-128.dat	upx
behavioral2/files/0x0007000000023450-127.dat	upx
behavioral2/memory/4980-126-0x00007FF676CB0000-0x00007FF677004000-memory.dmp	upx
behavioral2/files/0x000700000002344e-112.dat	upx
behavioral2/memory/2108-107-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp	upx
behavioral2/files/0x000700000002344d-93.dat	upx
behavioral2/files/0x0007000000023447-89.dat	upx
behavioral2/memory/3460-86-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp	upx
behavioral2/files/0x0007000000023449-78.dat	upx
behavioral2/memory/4972-76-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp	upx
behavioral2/files/0x0007000000023446-62.dat	upx
behavioral2/files/0x0007000000023448-58.dat	upx
behavioral2/memory/4992-55-0x00007FF71B010000-0x00007FF71B364000-memory.dmp	upx
behavioral2/files/0x0007000000023444-63.dat	upx
behavioral2/memory/4352-46-0x00007FF766890000-0x00007FF766BE4000-memory.dmp	upx
behavioral2/memory/4184-42-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	upx
behavioral2/files/0x0007000000023441-32.dat	upx
behavioral2/files/0x0007000000023443-30.dat	upx
behavioral2/memory/2256-26-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	upx
behavioral2/memory/2964-20-0x00007FF633E90000-0x00007FF6341E4000-memory.dmp	upx
behavioral2/files/0x000700000002343f-18.dat	upx
behavioral2/memory/2284-14-0x00007FF61B710000-0x00007FF61BA64000-memory.dmp	upx
behavioral2/files/0x000700000002345b-179.dat	upx
behavioral2/files/0x000700000002345c-184.dat	upx
behavioral2/files/0x000700000002345d-190.dat	upx
behavioral2/memory/2256-2148-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp	upx
behavioral2/memory/4184-2149-0x00007FF794B20000-0x00007FF794E74000-memory.dmp	upx

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\zrMZZuk.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\KqnfcUo.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\kdrTDvo.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\rTedAFP.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\uOPXdIN.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\VnOEgDM.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\qGnHEkH.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\xmBUbsS.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\EcjMYRU.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\rxqYVvN.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\hwAuoTQ.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\QWuKXzn.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\NFUPeoG.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\ydAFtLG.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\FDyejDY.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\ToHOYWe.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\mBmXLEq.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\pNWKblL.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\IYopyLP.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\KZbJHQn.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\bFqScNB.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\qmYbxhV.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\TQuasyH.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\hyvFiAo.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\AsXNXMa.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\fWoJtFI.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\lFYjyVO.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\PxTKDXL.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\ccDOart.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\ilVwDPB.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\VPWxnDO.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\RnxuPbv.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\DbITkQI.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\pvmgciN.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\sFmJByo.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\qIqDSVQ.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\XgkpALG.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\PULsidi.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\WpFbWKV.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\RnyaBfY.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\IHmaVtk.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\sLucLYP.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\JxSXWih.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\kZunctt.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\GxWGGJK.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\WuDmVCr.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\CBhZoeb.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\SSirPxH.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\CYfPoMC.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\BbmZrNV.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\hxmctIx.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\umVhsHo.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\gGAPgwj.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\QkWyzJX.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\hxlzqrZ.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\gGJYMVi.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\gKJijKd.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\CsAUslG.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\SAkXBSE.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\UQBdRON.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\KcVWXNj.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\kCEAPoF.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\wdVkIuG.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
File created	C:\Windows\System\yOcIDgg.exe	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{F16E6762-D520-4998-A928-B8B6958D6278}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{7DD65FBC-001F-4415-ABC8-065D8C5271A9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{B176B969-D0C1-4996-A13F-BCDB5FBA040B}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4756	dwm.exe
Token: SeChangeNotifyPrivilege	4756	dwm.exe
Token: 33	4756	dwm.exe
Token: SeIncBasePriorityPrivilege	4756	dwm.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	744	explorer.exe
Token: SeCreatePagefilePrivilege	744	explorer.exe
Token: SeShutdownPrivilege	7248	explorer.exe
Token: SeCreatePagefilePrivilege	7248	explorer.exe
Token: SeShutdownPrivilege	7248	explorer.exe
Token: SeCreatePagefilePrivilege	7248	explorer.exe
Token: SeShutdownPrivilege	7248	explorer.exe
Token: SeCreatePagefilePrivilege	7248	explorer.exe
Token: SeShutdownPrivilege	7248	explorer.exe
Token: SeCreatePagefilePrivilege	7248	explorer.exe
Token: SeShutdownPrivilege	7248	explorer.exe
Token: SeCreatePagefilePrivilege	7248	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3212	sihost.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe
7248	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2528	StartMenuExperienceHost.exe
3588	StartMenuExperienceHost.exe
4984	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2284	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	84
PID 756 wrote to memory of 2284	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	84
PID 756 wrote to memory of 2256	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	85
PID 756 wrote to memory of 2256	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	85
PID 756 wrote to memory of 2964	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	86
PID 756 wrote to memory of 2964	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	86
PID 756 wrote to memory of 4184	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	87
PID 756 wrote to memory of 4184	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	87
PID 756 wrote to memory of 1948	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	88
PID 756 wrote to memory of 1948	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	88
PID 756 wrote to memory of 4352	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	89
PID 756 wrote to memory of 4352	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	89
PID 756 wrote to memory of 3660	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	90
PID 756 wrote to memory of 3660	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	90
PID 756 wrote to memory of 4992	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	91
PID 756 wrote to memory of 4992	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	91
PID 756 wrote to memory of 2636	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	92
PID 756 wrote to memory of 2636	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	92
PID 756 wrote to memory of 4972	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	93
PID 756 wrote to memory of 4972	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	93
PID 756 wrote to memory of 4588	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	94
PID 756 wrote to memory of 4588	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	94
PID 756 wrote to memory of 2308	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	95
PID 756 wrote to memory of 2308	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	95
PID 756 wrote to memory of 3460	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	96
PID 756 wrote to memory of 3460	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	96
PID 756 wrote to memory of 2108	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	97
PID 756 wrote to memory of 2108	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	97
PID 756 wrote to memory of 4648	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	98
PID 756 wrote to memory of 4648	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	98
PID 756 wrote to memory of 4980	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	99
PID 756 wrote to memory of 4980	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	99
PID 756 wrote to memory of 2996	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	100
PID 756 wrote to memory of 2996	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	100
PID 756 wrote to memory of 4976	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	101
PID 756 wrote to memory of 4976	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	101
PID 756 wrote to memory of 5056	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	102
PID 756 wrote to memory of 5056	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	102
PID 756 wrote to memory of 3956	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	103
PID 756 wrote to memory of 3956	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	103
PID 756 wrote to memory of 4668	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	104
PID 756 wrote to memory of 4668	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	104
PID 756 wrote to memory of 2244	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	105
PID 756 wrote to memory of 2244	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	105
PID 756 wrote to memory of 2464	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	106
PID 756 wrote to memory of 2464	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	106
PID 756 wrote to memory of 2132	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	107
PID 756 wrote to memory of 2132	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	107
PID 756 wrote to memory of 3424	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	108
PID 756 wrote to memory of 3424	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	108
PID 756 wrote to memory of 1968	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	109
PID 756 wrote to memory of 1968	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	109
PID 756 wrote to memory of 4984	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	110
PID 756 wrote to memory of 4984	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	110
PID 756 wrote to memory of 4384	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	111
PID 756 wrote to memory of 4384	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	111
PID 756 wrote to memory of 3632	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	112
PID 756 wrote to memory of 3632	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	112
PID 756 wrote to memory of 464	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	113
PID 756 wrote to memory of 464	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	113
PID 756 wrote to memory of 4468	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	114
PID 756 wrote to memory of 4468	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	114
PID 756 wrote to memory of 4804	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	115
PID 756 wrote to memory of 4804	756	1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe
"C:\Users\Admin\AppData\Local\Temp\1cba4f1ded2035497e39d29dbee0cba41832318bdae097a181e6050dfbd92888.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\System\vffxSTF.exe
  C:\Windows\System\vffxSTF.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\bJGEyTI.exe
  C:\Windows\System\bJGEyTI.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\aPsNiRr.exe
  C:\Windows\System\aPsNiRr.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\wEoDotC.exe
  C:\Windows\System\wEoDotC.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\hxlzqrZ.exe
  C:\Windows\System\hxlzqrZ.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\FXDmBej.exe
  C:\Windows\System\FXDmBej.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\zqzPqsR.exe
  C:\Windows\System\zqzPqsR.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\WiWsIce.exe
  C:\Windows\System\WiWsIce.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\Imomnqq.exe
  C:\Windows\System\Imomnqq.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\sacfSjz.exe
  C:\Windows\System\sacfSjz.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\exHMZuf.exe
  C:\Windows\System\exHMZuf.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\rAWhGwS.exe
  C:\Windows\System\rAWhGwS.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\lpeMsKH.exe
  C:\Windows\System\lpeMsKH.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\IfWZOMc.exe
  C:\Windows\System\IfWZOMc.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\jBzhRCu.exe
  C:\Windows\System\jBzhRCu.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\bvNbyWM.exe
  C:\Windows\System\bvNbyWM.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\SOLISWO.exe
  C:\Windows\System\SOLISWO.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\hSWloXB.exe
  C:\Windows\System\hSWloXB.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\ccDOart.exe
  C:\Windows\System\ccDOart.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\wfbCIcD.exe
  C:\Windows\System\wfbCIcD.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\zeJkqQF.exe
  C:\Windows\System\zeJkqQF.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\KZBGhkx.exe
  C:\Windows\System\KZBGhkx.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\kGzbPmv.exe
  C:\Windows\System\kGzbPmv.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\gjlTIkh.exe
  C:\Windows\System\gjlTIkh.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\pzgbesC.exe
  C:\Windows\System\pzgbesC.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\puqZxIY.exe
  C:\Windows\System\puqZxIY.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\KrkVPjH.exe
  C:\Windows\System\KrkVPjH.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\iaovoJD.exe
  C:\Windows\System\iaovoJD.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\bFqScNB.exe
  C:\Windows\System\bFqScNB.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\hxCuXfk.exe
  C:\Windows\System\hxCuXfk.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\KHqllUo.exe
  C:\Windows\System\KHqllUo.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\qGnHEkH.exe
  C:\Windows\System\qGnHEkH.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\DcOXvQd.exe
  C:\Windows\System\DcOXvQd.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\YDfTxZa.exe
  C:\Windows\System\YDfTxZa.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\anPlJbe.exe
  C:\Windows\System\anPlJbe.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\NFdDIWi.exe
  C:\Windows\System\NFdDIWi.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\SfXklTV.exe
  C:\Windows\System\SfXklTV.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\LOnZepi.exe
  C:\Windows\System\LOnZepi.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\SVsgsUj.exe
  C:\Windows\System\SVsgsUj.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\ilVwDPB.exe
  C:\Windows\System\ilVwDPB.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\jXOIvdx.exe
  C:\Windows\System\jXOIvdx.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\ENkxHuF.exe
  C:\Windows\System\ENkxHuF.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\AXOKOSb.exe
  C:\Windows\System\AXOKOSb.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\gSoMoLz.exe
  C:\Windows\System\gSoMoLz.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\UQBdRON.exe
  C:\Windows\System\UQBdRON.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\sqwgSgf.exe
  C:\Windows\System\sqwgSgf.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\ctGIIVl.exe
  C:\Windows\System\ctGIIVl.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\eGiawJi.exe
  C:\Windows\System\eGiawJi.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\zrMZZuk.exe
  C:\Windows\System\zrMZZuk.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\gEdxwwi.exe
  C:\Windows\System\gEdxwwi.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\mUocDOU.exe
  C:\Windows\System\mUocDOU.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\bOruGdi.exe
  C:\Windows\System\bOruGdi.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\XzlRUuy.exe
  C:\Windows\System\XzlRUuy.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\elVssmd.exe
  C:\Windows\System\elVssmd.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\HJanBSp.exe
  C:\Windows\System\HJanBSp.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\OyqQByE.exe
  C:\Windows\System\OyqQByE.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\mvqzvpO.exe
  C:\Windows\System\mvqzvpO.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\mzcbwQa.exe
  C:\Windows\System\mzcbwQa.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\pnJSiEE.exe
  C:\Windows\System\pnJSiEE.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\YTZoXVd.exe
  C:\Windows\System\YTZoXVd.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\sLucLYP.exe
  C:\Windows\System\sLucLYP.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\FZhBUmf.exe
  C:\Windows\System\FZhBUmf.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\wYkflfE.exe
  C:\Windows\System\wYkflfE.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\IUTGpJp.exe
  C:\Windows\System\IUTGpJp.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\GQkYkFc.exe
  C:\Windows\System\GQkYkFc.exe
  2⤵
  PID:3792
- C:\Windows\System\pNsRQdc.exe
  C:\Windows\System\pNsRQdc.exe
  2⤵
  PID:4560
- C:\Windows\System\VTtsQEI.exe
  C:\Windows\System\VTtsQEI.exe
  2⤵
  PID:1640
- C:\Windows\System\xVIjoKV.exe
  C:\Windows\System\xVIjoKV.exe
  2⤵
  PID:3940
- C:\Windows\System\KcjuHpD.exe
  C:\Windows\System\KcjuHpD.exe
  2⤵
  PID:1484
- C:\Windows\System\pXmHPTs.exe
  C:\Windows\System\pXmHPTs.exe
  2⤵
  PID:1956
- C:\Windows\System\PgnjZLM.exe
  C:\Windows\System\PgnjZLM.exe
  2⤵
  PID:740
- C:\Windows\System\JfGBMfl.exe
  C:\Windows\System\JfGBMfl.exe
  2⤵
  PID:4912
- C:\Windows\System\zAJLrZc.exe
  C:\Windows\System\zAJLrZc.exe
  2⤵
  PID:5052
- C:\Windows\System\QSVPaUb.exe
  C:\Windows\System\QSVPaUb.exe
  2⤵
  PID:3960
- C:\Windows\System\cYIdOUO.exe
  C:\Windows\System\cYIdOUO.exe
  2⤵
  PID:4960
- C:\Windows\System\WpkmIdu.exe
  C:\Windows\System\WpkmIdu.exe
  2⤵
  PID:932
- C:\Windows\System\rTTRTeb.exe
  C:\Windows\System\rTTRTeb.exe
  2⤵
  PID:392
- C:\Windows\System\wopHcFb.exe
  C:\Windows\System\wopHcFb.exe
  2⤵
  PID:4168
- C:\Windows\System\JWKNoud.exe
  C:\Windows\System\JWKNoud.exe
  2⤵
  PID:4948
- C:\Windows\System\SmLVfTQ.exe
  C:\Windows\System\SmLVfTQ.exe
  2⤵
  PID:4524
- C:\Windows\System\RFzkdNi.exe
  C:\Windows\System\RFzkdNi.exe
  2⤵
  PID:4796
- C:\Windows\System\wrgWzVh.exe
  C:\Windows\System\wrgWzVh.exe
  2⤵
  PID:4592
- C:\Windows\System\SqGyHYN.exe
  C:\Windows\System\SqGyHYN.exe
  2⤵
  PID:4676
- C:\Windows\System\AMIEyIJ.exe
  C:\Windows\System\AMIEyIJ.exe
  2⤵
  PID:3316
- C:\Windows\System\ANqCnkc.exe
  C:\Windows\System\ANqCnkc.exe
  2⤵
  PID:888
- C:\Windows\System\GwQYkTW.exe
  C:\Windows\System\GwQYkTW.exe
  2⤵
  PID:4448
- C:\Windows\System\hQUVgDH.exe
  C:\Windows\System\hQUVgDH.exe
  2⤵
  PID:2568
- C:\Windows\System\XBBLBHJ.exe
  C:\Windows\System\XBBLBHJ.exe
  2⤵
  PID:2592
- C:\Windows\System\ScWOjZN.exe
  C:\Windows\System\ScWOjZN.exe
  2⤵
  PID:3904
- C:\Windows\System\LwgavuT.exe
  C:\Windows\System\LwgavuT.exe
  2⤵
  PID:1052
- C:\Windows\System\JxSXWih.exe
  C:\Windows\System\JxSXWih.exe
  2⤵
  PID:2916
- C:\Windows\System\HfzmQHf.exe
  C:\Windows\System\HfzmQHf.exe
  2⤵
  PID:5068
- C:\Windows\System\CYfPoMC.exe
  C:\Windows\System\CYfPoMC.exe
  2⤵
  PID:4336
- C:\Windows\System\iptKjaA.exe
  C:\Windows\System\iptKjaA.exe
  2⤵
  PID:1332
- C:\Windows\System\BXVuVyU.exe
  C:\Windows\System\BXVuVyU.exe
  2⤵
  PID:2864
- C:\Windows\System\NFUPeoG.exe
  C:\Windows\System\NFUPeoG.exe
  2⤵
  PID:3544
- C:\Windows\System\YVcZlLz.exe
  C:\Windows\System\YVcZlLz.exe
  2⤵
  PID:4704
- C:\Windows\System\rzMBEEt.exe
  C:\Windows\System\rzMBEEt.exe
  2⤵
  PID:5140
- C:\Windows\System\VPWxnDO.exe
  C:\Windows\System\VPWxnDO.exe
  2⤵
  PID:5168
- C:\Windows\System\pdyaLnj.exe
  C:\Windows\System\pdyaLnj.exe
  2⤵
  PID:5196
- C:\Windows\System\dEtOVUY.exe
  C:\Windows\System\dEtOVUY.exe
  2⤵
  PID:5212
- C:\Windows\System\amAusfu.exe
  C:\Windows\System\amAusfu.exe
  2⤵
  PID:5244
- C:\Windows\System\mEQmJhK.exe
  C:\Windows\System\mEQmJhK.exe
  2⤵
  PID:5276
- C:\Windows\System\hKrmEgb.exe
  C:\Windows\System\hKrmEgb.exe
  2⤵
  PID:5308
- C:\Windows\System\sXTTgeY.exe
  C:\Windows\System\sXTTgeY.exe
  2⤵
  PID:5340
- C:\Windows\System\tshplnz.exe
  C:\Windows\System\tshplnz.exe
  2⤵
  PID:5376
- C:\Windows\System\fhbTlAg.exe
  C:\Windows\System\fhbTlAg.exe
  2⤵
  PID:5416
- C:\Windows\System\URGLYSD.exe
  C:\Windows\System\URGLYSD.exe
  2⤵
  PID:5456
- C:\Windows\System\KPQEhfN.exe
  C:\Windows\System\KPQEhfN.exe
  2⤵
  PID:5484
- C:\Windows\System\goCsuHf.exe
  C:\Windows\System\goCsuHf.exe
  2⤵
  PID:5512
- C:\Windows\System\BCDgeen.exe
  C:\Windows\System\BCDgeen.exe
  2⤵
  PID:5540
- C:\Windows\System\mTZroxz.exe
  C:\Windows\System\mTZroxz.exe
  2⤵
  PID:5576
- C:\Windows\System\tGuZfTp.exe
  C:\Windows\System\tGuZfTp.exe
  2⤵
  PID:5604
- C:\Windows\System\vRZLcfq.exe
  C:\Windows\System\vRZLcfq.exe
  2⤵
  PID:5632
- C:\Windows\System\kzpxhIP.exe
  C:\Windows\System\kzpxhIP.exe
  2⤵
  PID:5668
- C:\Windows\System\pvmgciN.exe
  C:\Windows\System\pvmgciN.exe
  2⤵
  PID:5700
- C:\Windows\System\BcqyIGi.exe
  C:\Windows\System\BcqyIGi.exe
  2⤵
  PID:5724
- C:\Windows\System\osxfqOw.exe
  C:\Windows\System\osxfqOw.exe
  2⤵
  PID:5740
- C:\Windows\System\kZunctt.exe
  C:\Windows\System\kZunctt.exe
  2⤵
  PID:5780
- C:\Windows\System\xcUpzPn.exe
  C:\Windows\System\xcUpzPn.exe
  2⤵
  PID:5808
- C:\Windows\System\UmfkOQe.exe
  C:\Windows\System\UmfkOQe.exe
  2⤵
  PID:5856
- C:\Windows\System\ilHHpKq.exe
  C:\Windows\System\ilHHpKq.exe
  2⤵
  PID:5880
- C:\Windows\System\HXEUUvm.exe
  C:\Windows\System\HXEUUvm.exe
  2⤵
  PID:5900
- C:\Windows\System\ydAFtLG.exe
  C:\Windows\System\ydAFtLG.exe
  2⤵
  PID:5924
- C:\Windows\System\ubeiwVf.exe
  C:\Windows\System\ubeiwVf.exe
  2⤵
  PID:5952
- C:\Windows\System\DPYbCwL.exe
  C:\Windows\System\DPYbCwL.exe
  2⤵
  PID:5972
- C:\Windows\System\dwAgsxG.exe
  C:\Windows\System\dwAgsxG.exe
  2⤵
  PID:6008
- C:\Windows\System\xZMaKMS.exe
  C:\Windows\System\xZMaKMS.exe
  2⤵
  PID:6036
- C:\Windows\System\KPLjydI.exe
  C:\Windows\System\KPLjydI.exe
  2⤵
  PID:6076
- C:\Windows\System\gmjsseO.exe
  C:\Windows\System\gmjsseO.exe
  2⤵
  PID:6100
- C:\Windows\System\EjaFHao.exe
  C:\Windows\System\EjaFHao.exe
  2⤵
  PID:6124
- C:\Windows\System\EAHSnUV.exe
  C:\Windows\System\EAHSnUV.exe
  2⤵
  PID:3620
- C:\Windows\System\GcVzKhM.exe
  C:\Windows\System\GcVzKhM.exe
  2⤵
  PID:5188
- C:\Windows\System\erstUeC.exe
  C:\Windows\System\erstUeC.exe
  2⤵
  PID:5184
- C:\Windows\System\gBiDIOf.exe
  C:\Windows\System\gBiDIOf.exe
  2⤵
  PID:5284
- C:\Windows\System\mUufeKb.exe
  C:\Windows\System\mUufeKb.exe
  2⤵
  PID:5332
- C:\Windows\System\kUcQFFz.exe
  C:\Windows\System\kUcQFFz.exe
  2⤵
  PID:5476
- C:\Windows\System\vjiWrtD.exe
  C:\Windows\System\vjiWrtD.exe
  2⤵
  PID:5500
- C:\Windows\System\toFCIKx.exe
  C:\Windows\System\toFCIKx.exe
  2⤵
  PID:5568
- C:\Windows\System\sllLeWi.exe
  C:\Windows\System\sllLeWi.exe
  2⤵
  PID:5624
- C:\Windows\System\xmBUbsS.exe
  C:\Windows\System\xmBUbsS.exe
  2⤵
  PID:5712
- C:\Windows\System\ZoLGOTG.exe
  C:\Windows\System\ZoLGOTG.exe
  2⤵
  PID:5796
- C:\Windows\System\ueMBqIO.exe
  C:\Windows\System\ueMBqIO.exe
  2⤵
  PID:5896
- C:\Windows\System\ABaRKju.exe
  C:\Windows\System\ABaRKju.exe
  2⤵
  PID:5960
- C:\Windows\System\WMmkwiK.exe
  C:\Windows\System\WMmkwiK.exe
  2⤵
  PID:6060
- C:\Windows\System\fuHdgCY.exe
  C:\Windows\System\fuHdgCY.exe
  2⤵
  PID:6092
- C:\Windows\System\DGdNGUL.exe
  C:\Windows\System\DGdNGUL.exe
  2⤵
  PID:5164
- C:\Windows\System\FhhLElD.exe
  C:\Windows\System\FhhLElD.exe
  2⤵
  PID:5364
- C:\Windows\System\ERTBaHB.exe
  C:\Windows\System\ERTBaHB.exe
  2⤵
  PID:5468
- C:\Windows\System\kLWTzHo.exe
  C:\Windows\System\kLWTzHo.exe
  2⤵
  PID:5612
- C:\Windows\System\AUTXJtQ.exe
  C:\Windows\System\AUTXJtQ.exe
  2⤵
  PID:5848
- C:\Windows\System\qERmxOM.exe
  C:\Windows\System\qERmxOM.exe
  2⤵
  PID:6004
- C:\Windows\System\sBulkDB.exe
  C:\Windows\System\sBulkDB.exe
  2⤵
  PID:6120
- C:\Windows\System\IMfmiMA.exe
  C:\Windows\System\IMfmiMA.exe
  2⤵
  PID:5536
- C:\Windows\System\dPJsPcZ.exe
  C:\Windows\System\dPJsPcZ.exe
  2⤵
  PID:5776
- C:\Windows\System\OTwVgkN.exe
  C:\Windows\System\OTwVgkN.exe
  2⤵
  PID:5936
- C:\Windows\System\FsxKmvK.exe
  C:\Windows\System\FsxKmvK.exe
  2⤵
  PID:5980
- C:\Windows\System\VdcnHSB.exe
  C:\Windows\System\VdcnHSB.exe
  2⤵
  PID:5804
- C:\Windows\System\FyKvUFI.exe
  C:\Windows\System\FyKvUFI.exe
  2⤵
  PID:6168
- C:\Windows\System\sFmJByo.exe
  C:\Windows\System\sFmJByo.exe
  2⤵
  PID:6184
- C:\Windows\System\fwdMDfR.exe
  C:\Windows\System\fwdMDfR.exe
  2⤵
  PID:6204
- C:\Windows\System\ZNhqMLu.exe
  C:\Windows\System\ZNhqMLu.exe
  2⤵
  PID:6228
- C:\Windows\System\boZgPvR.exe
  C:\Windows\System\boZgPvR.exe
  2⤵
  PID:6244
- C:\Windows\System\GxWGGJK.exe
  C:\Windows\System\GxWGGJK.exe
  2⤵
  PID:6264
- C:\Windows\System\qroOacL.exe
  C:\Windows\System\qroOacL.exe
  2⤵
  PID:6288
- C:\Windows\System\KefDtye.exe
  C:\Windows\System\KefDtye.exe
  2⤵
  PID:6304
- C:\Windows\System\YzaPmLi.exe
  C:\Windows\System\YzaPmLi.exe
  2⤵
  PID:6328
- C:\Windows\System\GdyNSsw.exe
  C:\Windows\System\GdyNSsw.exe
  2⤵
  PID:6356
- C:\Windows\System\OFiSkoj.exe
  C:\Windows\System\OFiSkoj.exe
  2⤵
  PID:6384
- C:\Windows\System\CAbrBvX.exe
  C:\Windows\System\CAbrBvX.exe
  2⤵
  PID:6420
- C:\Windows\System\GLhaSZQ.exe
  C:\Windows\System\GLhaSZQ.exe
  2⤵
  PID:6452
- C:\Windows\System\SSGKTGQ.exe
  C:\Windows\System\SSGKTGQ.exe
  2⤵
  PID:6492
- C:\Windows\System\nOsAOQz.exe
  C:\Windows\System\nOsAOQz.exe
  2⤵
  PID:6528
- C:\Windows\System\KqvhqUq.exe
  C:\Windows\System\KqvhqUq.exe
  2⤵
  PID:6552
- C:\Windows\System\gGJYMVi.exe
  C:\Windows\System\gGJYMVi.exe
  2⤵
  PID:6588
- C:\Windows\System\HZketEK.exe
  C:\Windows\System\HZketEK.exe
  2⤵
  PID:6616
- C:\Windows\System\YFqZiwc.exe
  C:\Windows\System\YFqZiwc.exe
  2⤵
  PID:6652
- C:\Windows\System\qIqDSVQ.exe
  C:\Windows\System\qIqDSVQ.exe
  2⤵
  PID:6692
- C:\Windows\System\pjLZlCB.exe
  C:\Windows\System\pjLZlCB.exe
  2⤵
  PID:6716
- C:\Windows\System\hXwnevu.exe
  C:\Windows\System\hXwnevu.exe
  2⤵
  PID:6748
- C:\Windows\System\DXsRqFs.exe
  C:\Windows\System\DXsRqFs.exe
  2⤵
  PID:6776
- C:\Windows\System\VecdBSk.exe
  C:\Windows\System\VecdBSk.exe
  2⤵
  PID:6804
- C:\Windows\System\gHVrDKW.exe
  C:\Windows\System\gHVrDKW.exe
  2⤵
  PID:6836
- C:\Windows\System\DsmIDXc.exe
  C:\Windows\System\DsmIDXc.exe
  2⤵
  PID:6872
- C:\Windows\System\jZjJJNG.exe
  C:\Windows\System\jZjJJNG.exe
  2⤵
  PID:6912
- C:\Windows\System\FDyejDY.exe
  C:\Windows\System\FDyejDY.exe
  2⤵
  PID:6928
- C:\Windows\System\AIXHHtE.exe
  C:\Windows\System\AIXHHtE.exe
  2⤵
  PID:6956
- C:\Windows\System\xjsSLRU.exe
  C:\Windows\System\xjsSLRU.exe
  2⤵
  PID:6996
- C:\Windows\System\RDuGrNK.exe
  C:\Windows\System\RDuGrNK.exe
  2⤵
  PID:7016
- C:\Windows\System\aolaTnc.exe
  C:\Windows\System\aolaTnc.exe
  2⤵
  PID:7044
- C:\Windows\System\BbmZrNV.exe
  C:\Windows\System\BbmZrNV.exe
  2⤵
  PID:7068
- C:\Windows\System\hMCPLOp.exe
  C:\Windows\System\hMCPLOp.exe
  2⤵
  PID:7096
- C:\Windows\System\gKJijKd.exe
  C:\Windows\System\gKJijKd.exe
  2⤵
  PID:7124
- C:\Windows\System\dwKOtaX.exe
  C:\Windows\System\dwKOtaX.exe
  2⤵
  PID:7152
- C:\Windows\System\iNAYgby.exe
  C:\Windows\System\iNAYgby.exe
  2⤵
  PID:6196
- C:\Windows\System\AzYaCzx.exe
  C:\Windows\System\AzYaCzx.exe
  2⤵
  PID:6252
- C:\Windows\System\WpsXilg.exe
  C:\Windows\System\WpsXilg.exe
  2⤵
  PID:6300
- C:\Windows\System\ZGRWOmY.exe
  C:\Windows\System\ZGRWOmY.exe
  2⤵
  PID:6280
- C:\Windows\System\KSrLvLb.exe
  C:\Windows\System\KSrLvLb.exe
  2⤵
  PID:6428
- C:\Windows\System\YjHkxwH.exe
  C:\Windows\System\YjHkxwH.exe
  2⤵
  PID:6512
- C:\Windows\System\ToHOYWe.exe
  C:\Windows\System\ToHOYWe.exe
  2⤵
  PID:6508
- C:\Windows\System\qmYbxhV.exe
  C:\Windows\System\qmYbxhV.exe
  2⤵
  PID:6636
- C:\Windows\System\WGnMgua.exe
  C:\Windows\System\WGnMgua.exe
  2⤵
  PID:6676
- C:\Windows\System\SIZksBv.exe
  C:\Windows\System\SIZksBv.exe
  2⤵
  PID:6796
- C:\Windows\System\WuDmVCr.exe
  C:\Windows\System\WuDmVCr.exe
  2⤵
  PID:6784
- C:\Windows\System\kDDpruy.exe
  C:\Windows\System\kDDpruy.exe
  2⤵
  PID:6884
- C:\Windows\System\vGAxkIT.exe
  C:\Windows\System\vGAxkIT.exe
  2⤵
  PID:6940
- C:\Windows\System\ailOepf.exe
  C:\Windows\System\ailOepf.exe
  2⤵
  PID:7024
- C:\Windows\System\MJjsqcb.exe
  C:\Windows\System\MJjsqcb.exe
  2⤵
  PID:7088
- C:\Windows\System\ylrOLuJ.exe
  C:\Windows\System\ylrOLuJ.exe
  2⤵
  PID:7136
- C:\Windows\System\RzpBmEE.exe
  C:\Windows\System\RzpBmEE.exe
  2⤵
  PID:6284
- C:\Windows\System\zUIRCkK.exe
  C:\Windows\System\zUIRCkK.exe
  2⤵
  PID:6376
- C:\Windows\System\jnJnPag.exe
  C:\Windows\System\jnJnPag.exe
  2⤵
  PID:6488
- C:\Windows\System\DRrVZUe.exe
  C:\Windows\System\DRrVZUe.exe
  2⤵
  PID:6772
- C:\Windows\System\YxeNuYl.exe
  C:\Windows\System\YxeNuYl.exe
  2⤵
  PID:6764
- C:\Windows\System\UsrClnp.exe
  C:\Windows\System\UsrClnp.exe
  2⤵
  PID:7008
- C:\Windows\System\wdVkIuG.exe
  C:\Windows\System\wdVkIuG.exe
  2⤵
  PID:7116
- C:\Windows\System\NduzjIX.exe
  C:\Windows\System\NduzjIX.exe
  2⤵
  PID:6028
- C:\Windows\System\YTYKBdb.exe
  C:\Windows\System\YTYKBdb.exe
  2⤵
  PID:6712
- C:\Windows\System\CqMUbpz.exe
  C:\Windows\System\CqMUbpz.exe
  2⤵
  PID:6156
- C:\Windows\System\fZAfOkk.exe
  C:\Windows\System\fZAfOkk.exe
  2⤵
  PID:6584
- C:\Windows\System\RstQCzK.exe
  C:\Windows\System\RstQCzK.exe
  2⤵
  PID:7196
- C:\Windows\System\LZBcGqd.exe
  C:\Windows\System\LZBcGqd.exe
  2⤵
  PID:7224
- C:\Windows\System\eqgChAY.exe
  C:\Windows\System\eqgChAY.exe
  2⤵
  PID:7252
- C:\Windows\System\YycUUow.exe
  C:\Windows\System\YycUUow.exe
  2⤵
  PID:7280
- C:\Windows\System\KDfQGRe.exe
  C:\Windows\System\KDfQGRe.exe
  2⤵
  PID:7296
- C:\Windows\System\hidQhiH.exe
  C:\Windows\System\hidQhiH.exe
  2⤵
  PID:7336
- C:\Windows\System\JTFdxhM.exe
  C:\Windows\System\JTFdxhM.exe
  2⤵
  PID:7352
- C:\Windows\System\crXdBjo.exe
  C:\Windows\System\crXdBjo.exe
  2⤵
  PID:7388
- C:\Windows\System\MkZZWeC.exe
  C:\Windows\System\MkZZWeC.exe
  2⤵
  PID:7408
- C:\Windows\System\XlHybyz.exe
  C:\Windows\System\XlHybyz.exe
  2⤵
  PID:7428
- C:\Windows\System\oERjmwI.exe
  C:\Windows\System\oERjmwI.exe
  2⤵
  PID:7464
- C:\Windows\System\RrMSVUO.exe
  C:\Windows\System\RrMSVUO.exe
  2⤵
  PID:7500
- C:\Windows\System\HpGHeqe.exe
  C:\Windows\System\HpGHeqe.exe
  2⤵
  PID:7532
- C:\Windows\System\ZHQfNtK.exe
  C:\Windows\System\ZHQfNtK.exe
  2⤵
  PID:7560
- C:\Windows\System\dbpmrnZ.exe
  C:\Windows\System\dbpmrnZ.exe
  2⤵
  PID:7600
- C:\Windows\System\ZbJWNLY.exe
  C:\Windows\System\ZbJWNLY.exe
  2⤵
  PID:7620
- C:\Windows\System\WCfKdyT.exe
  C:\Windows\System\WCfKdyT.exe
  2⤵
  PID:7644
- C:\Windows\System\khfoaBZ.exe
  C:\Windows\System\khfoaBZ.exe
  2⤵
  PID:7680
- C:\Windows\System\jgbuMPo.exe
  C:\Windows\System\jgbuMPo.exe
  2⤵
  PID:7700
- C:\Windows\System\paZVUbj.exe
  C:\Windows\System\paZVUbj.exe
  2⤵
  PID:7716
- C:\Windows\System\gUUhVHF.exe
  C:\Windows\System\gUUhVHF.exe
  2⤵
  PID:7756
- C:\Windows\System\WpFbWKV.exe
  C:\Windows\System\WpFbWKV.exe
  2⤵
  PID:7780
- C:\Windows\System\beUqoyH.exe
  C:\Windows\System\beUqoyH.exe
  2⤵
  PID:7812
- C:\Windows\System\FTfiufh.exe
  C:\Windows\System\FTfiufh.exe
  2⤵
  PID:7844
- C:\Windows\System\jzyznkV.exe
  C:\Windows\System\jzyznkV.exe
  2⤵
  PID:7868
- C:\Windows\System\EtCzlzM.exe
  C:\Windows\System\EtCzlzM.exe
  2⤵
  PID:7896
- C:\Windows\System\hVOiIWE.exe
  C:\Windows\System\hVOiIWE.exe
  2⤵
  PID:7936
- C:\Windows\System\kWtbDrv.exe
  C:\Windows\System\kWtbDrv.exe
  2⤵
  PID:7964
- C:\Windows\System\wahCSrF.exe
  C:\Windows\System\wahCSrF.exe
  2⤵
  PID:7992
- C:\Windows\System\pLyhBOM.exe
  C:\Windows\System\pLyhBOM.exe
  2⤵
  PID:8012
- C:\Windows\System\CsAUslG.exe
  C:\Windows\System\CsAUslG.exe
  2⤵
  PID:8036
- C:\Windows\System\LhjUPgP.exe
  C:\Windows\System\LhjUPgP.exe
  2⤵
  PID:8056
- C:\Windows\System\fBatUza.exe
  C:\Windows\System\fBatUza.exe
  2⤵
  PID:8088
- C:\Windows\System\xhrTlax.exe
  C:\Windows\System\xhrTlax.exe
  2⤵
  PID:8112
- C:\Windows\System\RnxuPbv.exe
  C:\Windows\System\RnxuPbv.exe
  2⤵
  PID:8148
- C:\Windows\System\DQRtUPC.exe
  C:\Windows\System\DQRtUPC.exe
  2⤵
  PID:8184
- C:\Windows\System\vjmZYiq.exe
  C:\Windows\System\vjmZYiq.exe
  2⤵
  PID:6192
- C:\Windows\System\UjWCjwT.exe
  C:\Windows\System\UjWCjwT.exe
  2⤵
  PID:7236
- C:\Windows\System\ixcFQfH.exe
  C:\Windows\System\ixcFQfH.exe
  2⤵
  PID:7308
- C:\Windows\System\dXEMsbj.exe
  C:\Windows\System\dXEMsbj.exe
  2⤵
  PID:7320
- C:\Windows\System\qgcwbrP.exe
  C:\Windows\System\qgcwbrP.exe
  2⤵
  PID:7444
- C:\Windows\System\zhcfpFE.exe
  C:\Windows\System\zhcfpFE.exe
  2⤵
  PID:7496
- C:\Windows\System\VXEjyha.exe
  C:\Windows\System\VXEjyha.exe
  2⤵
  PID:7584
- C:\Windows\System\AkIjyYW.exe
  C:\Windows\System\AkIjyYW.exe
  2⤵
  PID:7628
- C:\Windows\System\FFrmlgZ.exe
  C:\Windows\System\FFrmlgZ.exe
  2⤵
  PID:7692
- C:\Windows\System\joGoCCV.exe
  C:\Windows\System\joGoCCV.exe
  2⤵
  PID:7804
- C:\Windows\System\bbzWFJh.exe
  C:\Windows\System\bbzWFJh.exe
  2⤵
  PID:7792
- C:\Windows\System\HnCZpXY.exe
  C:\Windows\System\HnCZpXY.exe
  2⤵
  PID:7880
- C:\Windows\System\cpqEgif.exe
  C:\Windows\System\cpqEgif.exe
  2⤵
  PID:7948
- C:\Windows\System\DwmtpQg.exe
  C:\Windows\System\DwmtpQg.exe
  2⤵
  PID:8028
- C:\Windows\System\IMlOwzf.exe
  C:\Windows\System\IMlOwzf.exe
  2⤵
  PID:8072
- C:\Windows\System\wKbcYrI.exe
  C:\Windows\System\wKbcYrI.exe
  2⤵
  PID:8124
- C:\Windows\System\wprBDdx.exe
  C:\Windows\System\wprBDdx.exe
  2⤵
  PID:7120
- C:\Windows\System\xRaIUaY.exe
  C:\Windows\System\xRaIUaY.exe
  2⤵
  PID:7268
- C:\Windows\System\InFYITh.exe
  C:\Windows\System\InFYITh.exe
  2⤵
  PID:7456
- C:\Windows\System\PxwvxLq.exe
  C:\Windows\System\PxwvxLq.exe
  2⤵
  PID:7688
- C:\Windows\System\EeCgbax.exe
  C:\Windows\System\EeCgbax.exe
  2⤵
  PID:7740
- C:\Windows\System\WIaLGof.exe
  C:\Windows\System\WIaLGof.exe
  2⤵
  PID:7924
- C:\Windows\System\yOcIDgg.exe
  C:\Windows\System\yOcIDgg.exe
  2⤵
  PID:8064
- C:\Windows\System\eIzcUPv.exe
  C:\Windows\System\eIzcUPv.exe
  2⤵
  PID:7220
- C:\Windows\System\mvifRkZ.exe
  C:\Windows\System\mvifRkZ.exe
  2⤵
  PID:7596
- C:\Windows\System\SAkXBSE.exe
  C:\Windows\System\SAkXBSE.exe
  2⤵
  PID:8020
- C:\Windows\System\jQjUefS.exe
  C:\Windows\System\jQjUefS.exe
  2⤵
  PID:7656
- C:\Windows\System\hcPertd.exe
  C:\Windows\System\hcPertd.exe
  2⤵
  PID:8136
- C:\Windows\System\XuQBheg.exe
  C:\Windows\System\XuQBheg.exe
  2⤵
  PID:8200
- C:\Windows\System\TCQdVvn.exe
  C:\Windows\System\TCQdVvn.exe
  2⤵
  PID:8232
- C:\Windows\System\EcjMYRU.exe
  C:\Windows\System\EcjMYRU.exe
  2⤵
  PID:8256
- C:\Windows\System\eoSrcLr.exe
  C:\Windows\System\eoSrcLr.exe
  2⤵
  PID:8288
- C:\Windows\System\zDFpRdh.exe
  C:\Windows\System\zDFpRdh.exe
  2⤵
  PID:8324
- C:\Windows\System\zhWWNov.exe
  C:\Windows\System\zhWWNov.exe
  2⤵
  PID:8344
- C:\Windows\System\uUeRHSU.exe
  C:\Windows\System\uUeRHSU.exe
  2⤵
  PID:8372
- C:\Windows\System\FrzxelI.exe
  C:\Windows\System\FrzxelI.exe
  2⤵
  PID:8396
- C:\Windows\System\jSyyHwA.exe
  C:\Windows\System\jSyyHwA.exe
  2⤵
  PID:8420
- C:\Windows\System\oiGkrvQ.exe
  C:\Windows\System\oiGkrvQ.exe
  2⤵
  PID:8452
- C:\Windows\System\Ztdzwym.exe
  C:\Windows\System\Ztdzwym.exe
  2⤵
  PID:8480
- C:\Windows\System\zXQdopf.exe
  C:\Windows\System\zXQdopf.exe
  2⤵
  PID:8504
- C:\Windows\System\wjRFdto.exe
  C:\Windows\System\wjRFdto.exe
  2⤵
  PID:8536
- C:\Windows\System\AVvSFxX.exe
  C:\Windows\System\AVvSFxX.exe
  2⤵
  PID:8568
- C:\Windows\System\SDetSCL.exe
  C:\Windows\System\SDetSCL.exe
  2⤵
  PID:8592
- C:\Windows\System\KgKnuln.exe
  C:\Windows\System\KgKnuln.exe
  2⤵
  PID:8620
- C:\Windows\System\zexGQMU.exe
  C:\Windows\System\zexGQMU.exe
  2⤵
  PID:8648
- C:\Windows\System\inHlXJF.exe
  C:\Windows\System\inHlXJF.exe
  2⤵
  PID:8680
- C:\Windows\System\DtvhRYN.exe
  C:\Windows\System\DtvhRYN.exe
  2⤵
  PID:8704
- C:\Windows\System\AaiZRCm.exe
  C:\Windows\System\AaiZRCm.exe
  2⤵
  PID:8728
- C:\Windows\System\uVvlmUE.exe
  C:\Windows\System\uVvlmUE.exe
  2⤵
  PID:8748
- C:\Windows\System\fbIXVSc.exe
  C:\Windows\System\fbIXVSc.exe
  2⤵
  PID:8768
- C:\Windows\System\eQvohqx.exe
  C:\Windows\System\eQvohqx.exe
  2⤵
  PID:8808
- C:\Windows\System\qoihbwI.exe
  C:\Windows\System\qoihbwI.exe
  2⤵
  PID:8836
- C:\Windows\System\TQuasyH.exe
  C:\Windows\System\TQuasyH.exe
  2⤵
  PID:8856
- C:\Windows\System\zSePLWq.exe
  C:\Windows\System\zSePLWq.exe
  2⤵
  PID:8880
- C:\Windows\System\XjKJLsL.exe
  C:\Windows\System\XjKJLsL.exe
  2⤵
  PID:8904
- C:\Windows\System\bfCUVON.exe
  C:\Windows\System\bfCUVON.exe
  2⤵
  PID:8936
- C:\Windows\System\umVhsHo.exe
  C:\Windows\System\umVhsHo.exe
  2⤵
  PID:8968
- C:\Windows\System\ZGmtTKK.exe
  C:\Windows\System\ZGmtTKK.exe
  2⤵
  PID:8992
- C:\Windows\System\VgKNBed.exe
  C:\Windows\System\VgKNBed.exe
  2⤵
  PID:9024
- C:\Windows\System\NoYgmKH.exe
  C:\Windows\System\NoYgmKH.exe
  2⤵
  PID:9064
- C:\Windows\System\iEpQlQo.exe
  C:\Windows\System\iEpQlQo.exe
  2⤵
  PID:9084
- C:\Windows\System\YdjQssx.exe
  C:\Windows\System\YdjQssx.exe
  2⤵
  PID:9124
- C:\Windows\System\JsYccAr.exe
  C:\Windows\System\JsYccAr.exe
  2⤵
  PID:9140
- C:\Windows\System\oNYVNSk.exe
  C:\Windows\System\oNYVNSk.exe
  2⤵
  PID:9168
- C:\Windows\System\wcfnEkQ.exe
  C:\Windows\System\wcfnEkQ.exe
  2⤵
  PID:9200
- C:\Windows\System\qflJfTH.exe
  C:\Windows\System\qflJfTH.exe
  2⤵
  PID:8224
- C:\Windows\System\hyvFiAo.exe
  C:\Windows\System\hyvFiAo.exe
  2⤵
  PID:8296
- C:\Windows\System\YDEEMxg.exe
  C:\Windows\System\YDEEMxg.exe
  2⤵
  PID:8388
- C:\Windows\System\whGxfJP.exe
  C:\Windows\System\whGxfJP.exe
  2⤵
  PID:8408
- C:\Windows\System\JIunfsB.exe
  C:\Windows\System\JIunfsB.exe
  2⤵
  PID:8496
- C:\Windows\System\aAvIthc.exe
  C:\Windows\System\aAvIthc.exe
  2⤵
  PID:8576
- C:\Windows\System\yaIRcbL.exe
  C:\Windows\System\yaIRcbL.exe
  2⤵
  PID:8672
- C:\Windows\System\vGfbnGs.exe
  C:\Windows\System\vGfbnGs.exe
  2⤵
  PID:8724
- C:\Windows\System\jwhClJH.exe
  C:\Windows\System\jwhClJH.exe
  2⤵
  PID:8756
- C:\Windows\System\VtrbWuH.exe
  C:\Windows\System\VtrbWuH.exe
  2⤵
  PID:8868
- C:\Windows\System\oKWrbXm.exe
  C:\Windows\System\oKWrbXm.exe
  2⤵
  PID:8932
- C:\Windows\System\fSsOlQh.exe
  C:\Windows\System\fSsOlQh.exe
  2⤵
  PID:8956
- C:\Windows\System\XGwmCdH.exe
  C:\Windows\System\XGwmCdH.exe
  2⤵
  PID:9044
- C:\Windows\System\CPCArdN.exe
  C:\Windows\System\CPCArdN.exe
  2⤵
  PID:9080
- C:\Windows\System\JyWZBPa.exe
  C:\Windows\System\JyWZBPa.exe
  2⤵
  PID:9152
- C:\Windows\System\afcucDY.exe
  C:\Windows\System\afcucDY.exe
  2⤵
  PID:9212
- C:\Windows\System\eIDZUna.exe
  C:\Windows\System\eIDZUna.exe
  2⤵
  PID:8248
- C:\Windows\System\NJKDVMJ.exe
  C:\Windows\System\NJKDVMJ.exe
  2⤵
  PID:8588
- C:\Windows\System\qlMmpcf.exe
  C:\Windows\System\qlMmpcf.exe
  2⤵
  PID:8608
- C:\Windows\System\fOvKEhJ.exe
  C:\Windows\System\fOvKEhJ.exe
  2⤵
  PID:8776
- C:\Windows\System\NuSVRJx.exe
  C:\Windows\System\NuSVRJx.exe
  2⤵
  PID:8964
- C:\Windows\System\AsXNXMa.exe
  C:\Windows\System\AsXNXMa.exe
  2⤵
  PID:8276
- C:\Windows\System\KqnfcUo.exe
  C:\Windows\System\KqnfcUo.exe
  2⤵
  PID:8212
- C:\Windows\System\uaXByvW.exe
  C:\Windows\System\uaXByvW.exe
  2⤵
  PID:8640
- C:\Windows\System\oeBGHtk.exe
  C:\Windows\System\oeBGHtk.exe
  2⤵
  PID:8900
- C:\Windows\System\PuQzNyF.exe
  C:\Windows\System\PuQzNyF.exe
  2⤵
  PID:8472
- C:\Windows\System\DDnLmMo.exe
  C:\Windows\System\DDnLmMo.exe
  2⤵
  PID:9208
- C:\Windows\System\LLWmIme.exe
  C:\Windows\System\LLWmIme.exe
  2⤵
  PID:9248
- C:\Windows\System\InJjiuC.exe
  C:\Windows\System\InJjiuC.exe
  2⤵
  PID:9276
- C:\Windows\System\NjLRfIR.exe
  C:\Windows\System\NjLRfIR.exe
  2⤵
  PID:9304
- C:\Windows\System\mdyqxKH.exe
  C:\Windows\System\mdyqxKH.exe
  2⤵
  PID:9332
- C:\Windows\System\QwYofSD.exe
  C:\Windows\System\QwYofSD.exe
  2⤵
  PID:9352
- C:\Windows\System\AhzLqpC.exe
  C:\Windows\System\AhzLqpC.exe
  2⤵
  PID:9396
- C:\Windows\System\MJipVfI.exe
  C:\Windows\System\MJipVfI.exe
  2⤵
  PID:9412
- C:\Windows\System\ylQQxDf.exe
  C:\Windows\System\ylQQxDf.exe
  2⤵
  PID:9432
- C:\Windows\System\QLpgfGt.exe
  C:\Windows\System\QLpgfGt.exe
  2⤵
  PID:9456
- C:\Windows\System\DCsuSQN.exe
  C:\Windows\System\DCsuSQN.exe
  2⤵
  PID:9496
- C:\Windows\System\ZupBjwT.exe
  C:\Windows\System\ZupBjwT.exe
  2⤵
  PID:9520
- C:\Windows\System\RLnxInU.exe
  C:\Windows\System\RLnxInU.exe
  2⤵
  PID:9556
- C:\Windows\System\gKNNmzN.exe
  C:\Windows\System\gKNNmzN.exe
  2⤵
  PID:9580
- C:\Windows\System\GrSUsTq.exe
  C:\Windows\System\GrSUsTq.exe
  2⤵
  PID:9612
- C:\Windows\System\FKOBAKR.exe
  C:\Windows\System\FKOBAKR.exe
  2⤵
  PID:9644
- C:\Windows\System\SrMCoLR.exe
  C:\Windows\System\SrMCoLR.exe
  2⤵
  PID:9668
- C:\Windows\System\mBmXLEq.exe
  C:\Windows\System\mBmXLEq.exe
  2⤵
  PID:9700
- C:\Windows\System\mhVNAzV.exe
  C:\Windows\System\mhVNAzV.exe
  2⤵
  PID:9724
- C:\Windows\System\OCkbDBB.exe
  C:\Windows\System\OCkbDBB.exe
  2⤵
  PID:9752
- C:\Windows\System\QWuKXzn.exe
  C:\Windows\System\QWuKXzn.exe
  2⤵
  PID:9780
- C:\Windows\System\MzuUpsu.exe
  C:\Windows\System\MzuUpsu.exe
  2⤵
  PID:9808
- C:\Windows\System\THflSNp.exe
  C:\Windows\System\THflSNp.exe
  2⤵
  PID:9844
- C:\Windows\System\LRVLavz.exe
  C:\Windows\System\LRVLavz.exe
  2⤵
  PID:9868
- C:\Windows\System\SLGSCkr.exe
  C:\Windows\System\SLGSCkr.exe
  2⤵
  PID:9892
- C:\Windows\System\ETNFiKV.exe
  C:\Windows\System\ETNFiKV.exe
  2⤵
  PID:9928
- C:\Windows\System\TWtstyx.exe
  C:\Windows\System\TWtstyx.exe
  2⤵
  PID:9948
- C:\Windows\System\VeirgOB.exe
  C:\Windows\System\VeirgOB.exe
  2⤵
  PID:9976
- C:\Windows\System\riquuqD.exe
  C:\Windows\System\riquuqD.exe
  2⤵
  PID:10016
- C:\Windows\System\ksCKnhi.exe
  C:\Windows\System\ksCKnhi.exe
  2⤵
  PID:10032
- C:\Windows\System\BrrXcVr.exe
  C:\Windows\System\BrrXcVr.exe
  2⤵
  PID:10056
- C:\Windows\System\VbyzKkV.exe
  C:\Windows\System\VbyzKkV.exe
  2⤵
  PID:10080
- C:\Windows\System\zweqhgC.exe
  C:\Windows\System\zweqhgC.exe
  2⤵
  PID:10100
- C:\Windows\System\qjaTCOz.exe
  C:\Windows\System\qjaTCOz.exe
  2⤵
  PID:10120
- C:\Windows\System\gitqhwm.exe
  C:\Windows\System\gitqhwm.exe
  2⤵
  PID:10140
- C:\Windows\System\sCkXXPy.exe
  C:\Windows\System\sCkXXPy.exe
  2⤵
  PID:10168
- C:\Windows\System\TKGUdaK.exe
  C:\Windows\System\TKGUdaK.exe
  2⤵
  PID:10188
- C:\Windows\System\tpoDSml.exe
  C:\Windows\System\tpoDSml.exe
  2⤵
  PID:10216
- C:\Windows\System\zcZXBOd.exe
  C:\Windows\System\zcZXBOd.exe
  2⤵
  PID:9220
- C:\Windows\System\aakRUHn.exe
  C:\Windows\System\aakRUHn.exe
  2⤵
  PID:9236
- C:\Windows\System\bfFaBCU.exe
  C:\Windows\System\bfFaBCU.exe
  2⤵
  PID:9292
- C:\Windows\System\rGfLHUX.exe
  C:\Windows\System\rGfLHUX.exe
  2⤵
  PID:9384
- C:\Windows\System\MeswUQP.exe
  C:\Windows\System\MeswUQP.exe
  2⤵
  PID:2232
- C:\Windows\System\WvVDJIE.exe
  C:\Windows\System\WvVDJIE.exe
  2⤵
  PID:9484
- C:\Windows\System\RnyaBfY.exe
  C:\Windows\System\RnyaBfY.exe
  2⤵
  PID:9536
- C:\Windows\System\tsXjOrO.exe
  C:\Windows\System\tsXjOrO.exe
  2⤵
  PID:9596
- C:\Windows\System\DpZnufs.exe
  C:\Windows\System\DpZnufs.exe
  2⤵
  PID:9624
- C:\Windows\System\INOFusK.exe
  C:\Windows\System\INOFusK.exe
  2⤵
  PID:9692
- C:\Windows\System\MpKDWaU.exe
  C:\Windows\System\MpKDWaU.exe
  2⤵
  PID:9796
- C:\Windows\System\ajAFBeH.exe
  C:\Windows\System\ajAFBeH.exe
  2⤵
  PID:9876
- C:\Windows\System\OLgqTAZ.exe
  C:\Windows\System\OLgqTAZ.exe
  2⤵
  PID:9960
- C:\Windows\System\DPXIVdR.exe
  C:\Windows\System\DPXIVdR.exe
  2⤵
  PID:10048
- C:\Windows\System\xVbNils.exe
  C:\Windows\System\xVbNils.exe
  2⤵
  PID:10136
- C:\Windows\System\gahGApV.exe
  C:\Windows\System\gahGApV.exe
  2⤵
  PID:10092
- C:\Windows\System\eIdIpYT.exe
  C:\Windows\System\eIdIpYT.exe
  2⤵
  PID:10184
- C:\Windows\System\VWcyJVi.exe
  C:\Windows\System\VWcyJVi.exe
  2⤵
  PID:8844
- C:\Windows\System\oKcOPoL.exe
  C:\Windows\System\oKcOPoL.exe
  2⤵
  PID:1436
- C:\Windows\System\XZrxJqR.exe
  C:\Windows\System\XZrxJqR.exe
  2⤵
  PID:9516
- C:\Windows\System\SggXpUt.exe
  C:\Windows\System\SggXpUt.exe
  2⤵
  PID:9576
- C:\Windows\System\lTSjJXz.exe
  C:\Windows\System\lTSjJXz.exe
  2⤵
  PID:9840
- C:\Windows\System\TbKLrLn.exe
  C:\Windows\System\TbKLrLn.exe
  2⤵
  PID:9908
- C:\Windows\System\iWEJnVK.exe
  C:\Windows\System\iWEJnVK.exe
  2⤵
  PID:9996
- C:\Windows\System\SlenGkT.exe
  C:\Windows\System\SlenGkT.exe
  2⤵
  PID:10068
- C:\Windows\System\smsPrfl.exe
  C:\Windows\System\smsPrfl.exe
  2⤵
  PID:9316
- C:\Windows\System\AwreDLG.exe
  C:\Windows\System\AwreDLG.exe
  2⤵
  PID:9320
- C:\Windows\System\YbTTiSJ.exe
  C:\Windows\System\YbTTiSJ.exe
  2⤵
  PID:10024
- C:\Windows\System\XOUNUiF.exe
  C:\Windows\System\XOUNUiF.exe
  2⤵
  PID:10088
- C:\Windows\System\SEvLdHW.exe
  C:\Windows\System\SEvLdHW.exe
  2⤵
  PID:10264
- C:\Windows\System\ckJyJvU.exe
  C:\Windows\System\ckJyJvU.exe
  2⤵
  PID:10284
- C:\Windows\System\BSrxJdT.exe
  C:\Windows\System\BSrxJdT.exe
  2⤵
  PID:10312
- C:\Windows\System\xHBhZag.exe
  C:\Windows\System\xHBhZag.exe
  2⤵
  PID:10352
- C:\Windows\System\owcNrSB.exe
  C:\Windows\System\owcNrSB.exe
  2⤵
  PID:10388
- C:\Windows\System\PEdJJHk.exe
  C:\Windows\System\PEdJJHk.exe
  2⤵
  PID:10420
- C:\Windows\System\mPzKzWo.exe
  C:\Windows\System\mPzKzWo.exe
  2⤵
  PID:10440
- C:\Windows\System\UmxIxzk.exe
  C:\Windows\System\UmxIxzk.exe
  2⤵
  PID:10472
- C:\Windows\System\pxGpQYa.exe
  C:\Windows\System\pxGpQYa.exe
  2⤵
  PID:10492
- C:\Windows\System\GSstLid.exe
  C:\Windows\System\GSstLid.exe
  2⤵
  PID:10520
- C:\Windows\System\kmJgEgo.exe
  C:\Windows\System\kmJgEgo.exe
  2⤵
  PID:10564
- C:\Windows\System\bSnYjcI.exe
  C:\Windows\System\bSnYjcI.exe
  2⤵
  PID:10588
- C:\Windows\System\ClxxXjc.exe
  C:\Windows\System\ClxxXjc.exe
  2⤵
  PID:10616
- C:\Windows\System\WHrLQnK.exe
  C:\Windows\System\WHrLQnK.exe
  2⤵
  PID:10656
- C:\Windows\System\vTRNFZY.exe
  C:\Windows\System\vTRNFZY.exe
  2⤵
  PID:10672
- C:\Windows\System\zRPCErH.exe
  C:\Windows\System\zRPCErH.exe
  2⤵
  PID:10700
- C:\Windows\System\pNWKblL.exe
  C:\Windows\System\pNWKblL.exe
  2⤵
  PID:10728
- C:\Windows\System\KcVWXNj.exe
  C:\Windows\System\KcVWXNj.exe
  2⤵
  PID:10756
- C:\Windows\System\mXJIVWH.exe
  C:\Windows\System\mXJIVWH.exe
  2⤵
  PID:10784
- C:\Windows\System\XgkpALG.exe
  C:\Windows\System\XgkpALG.exe
  2⤵
  PID:10816
- C:\Windows\System\RKFqSNi.exe
  C:\Windows\System\RKFqSNi.exe
  2⤵
  PID:10844
- C:\Windows\System\TGSlCfj.exe
  C:\Windows\System\TGSlCfj.exe
  2⤵
  PID:10860
- C:\Windows\System\XaeIirr.exe
  C:\Windows\System\XaeIirr.exe
  2⤵
  PID:10892
- C:\Windows\System\hliYubA.exe
  C:\Windows\System\hliYubA.exe
  2⤵
  PID:10928
- C:\Windows\System\eWkvSOx.exe
  C:\Windows\System\eWkvSOx.exe
  2⤵
  PID:10956
- C:\Windows\System\RZgcXLF.exe
  C:\Windows\System\RZgcXLF.exe
  2⤵
  PID:10988
- C:\Windows\System\qHsBnfb.exe
  C:\Windows\System\qHsBnfb.exe
  2⤵
  PID:11012
- C:\Windows\System\cYhPCLj.exe
  C:\Windows\System\cYhPCLj.exe
  2⤵
  PID:11040
- C:\Windows\System\HxCJmbR.exe
  C:\Windows\System\HxCJmbR.exe
  2⤵
  PID:11064
- C:\Windows\System\kSJrjEj.exe
  C:\Windows\System\kSJrjEj.exe
  2⤵
  PID:11084
- C:\Windows\System\ENSaiKi.exe
  C:\Windows\System\ENSaiKi.exe
  2⤵
  PID:11120
- C:\Windows\System\qxqbXwn.exe
  C:\Windows\System\qxqbXwn.exe
  2⤵
  PID:11140
- C:\Windows\System\zFplfWE.exe
  C:\Windows\System\zFplfWE.exe
  2⤵
  PID:11176
- C:\Windows\System\rxqYVvN.exe
  C:\Windows\System\rxqYVvN.exe
  2⤵
  PID:11196
- C:\Windows\System\VoOFNKg.exe
  C:\Windows\System\VoOFNKg.exe
  2⤵
  PID:11228
- C:\Windows\System\QuhyFUi.exe
  C:\Windows\System\QuhyFUi.exe
  2⤵
  PID:10004
- C:\Windows\System\hJUlZOK.exe
  C:\Windows\System\hJUlZOK.exe
  2⤵
  PID:2648
- C:\Windows\System\NRLSQqW.exe
  C:\Windows\System\NRLSQqW.exe
  2⤵
  PID:10292
- C:\Windows\System\FNqFHkc.exe
  C:\Windows\System\FNqFHkc.exe
  2⤵
  PID:10368
- C:\Windows\System\yCUMpJK.exe
  C:\Windows\System\yCUMpJK.exe
  2⤵
  PID:10448
- C:\Windows\System\uOlIuab.exe
  C:\Windows\System\uOlIuab.exe
  2⤵
  PID:10484
- C:\Windows\System\PULsidi.exe
  C:\Windows\System\PULsidi.exe
  2⤵
  PID:10548
- C:\Windows\System\zTvcvky.exe
  C:\Windows\System\zTvcvky.exe
  2⤵
  PID:10644
- C:\Windows\System\friucQj.exe
  C:\Windows\System\friucQj.exe
  2⤵
  PID:10748
- C:\Windows\System\hZUPSoV.exe
  C:\Windows\System\hZUPSoV.exe
  2⤵
  PID:10768
- C:\Windows\System\AOnljcc.exe
  C:\Windows\System\AOnljcc.exe
  2⤵
  PID:10832
- C:\Windows\System\keShhud.exe
  C:\Windows\System\keShhud.exe
  2⤵
  PID:10912
- C:\Windows\System\SbyrbYZ.exe
  C:\Windows\System\SbyrbYZ.exe
  2⤵
  PID:10904
- C:\Windows\System\EYEPrsB.exe
  C:\Windows\System\EYEPrsB.exe
  2⤵
  PID:11000
- C:\Windows\System\RnnmPbU.exe
  C:\Windows\System\RnnmPbU.exe
  2⤵
  PID:10980
- C:\Windows\System\xObLRpZ.exe
  C:\Windows\System\xObLRpZ.exe
  2⤵
  PID:11128
- C:\Windows\System\WODxgoK.exe
  C:\Windows\System\WODxgoK.exe
  2⤵
  PID:11160
- C:\Windows\System\SqqRxgn.exe
  C:\Windows\System\SqqRxgn.exe
  2⤵
  PID:9440
- C:\Windows\System\uAcYaON.exe
  C:\Windows\System\uAcYaON.exe
  2⤵
  PID:10276
- C:\Windows\System\snisSvW.exe
  C:\Windows\System\snisSvW.exe
  2⤵
  PID:10308
- C:\Windows\System\hwAuoTQ.exe
  C:\Windows\System\hwAuoTQ.exe
  2⤵
  PID:10400
- C:\Windows\System\icxYgRf.exe
  C:\Windows\System\icxYgRf.exe
  2⤵
  PID:10636
- C:\Windows\System\WkTPCnG.exe
  C:\Windows\System\WkTPCnG.exe
  2⤵
  PID:10880
- C:\Windows\System\JbyPnmE.exe
  C:\Windows\System\JbyPnmE.exe
  2⤵
  PID:4580
- C:\Windows\System\QNUSrWo.exe
  C:\Windows\System\QNUSrWo.exe
  2⤵
  PID:11072
- C:\Windows\System\uOPXdIN.exe
  C:\Windows\System\uOPXdIN.exe
  2⤵
  PID:11216
- C:\Windows\System\huMgZRD.exe
  C:\Windows\System\huMgZRD.exe
  2⤵
  PID:10528
- C:\Windows\System\SXjUwAN.exe
  C:\Windows\System\SXjUwAN.exe
  2⤵
  PID:10772
- C:\Windows\System\Uxrelfw.exe
  C:\Windows\System\Uxrelfw.exe
  2⤵
  PID:11148
- C:\Windows\System\LpkAUSV.exe
  C:\Windows\System\LpkAUSV.exe
  2⤵
  PID:10300
- C:\Windows\System\TznpEIt.exe
  C:\Windows\System\TznpEIt.exe
  2⤵
  PID:11272
- C:\Windows\System\NpngSDF.exe
  C:\Windows\System\NpngSDF.exe
  2⤵
  PID:11296
- C:\Windows\System\iGAChZc.exe
  C:\Windows\System\iGAChZc.exe
  2⤵
  PID:11324
- C:\Windows\System\WLxFAuG.exe
  C:\Windows\System\WLxFAuG.exe
  2⤵
  PID:11356
- C:\Windows\System\HRPwybX.exe
  C:\Windows\System\HRPwybX.exe
  2⤵
  PID:11384
- C:\Windows\System\XKIUfvH.exe
  C:\Windows\System\XKIUfvH.exe
  2⤵
  PID:11420
- C:\Windows\System\CIQzAHD.exe
  C:\Windows\System\CIQzAHD.exe
  2⤵
  PID:11452
- C:\Windows\System\NlgcLMJ.exe
  C:\Windows\System\NlgcLMJ.exe
  2⤵
  PID:11472
- C:\Windows\System\EENZCGj.exe
  C:\Windows\System\EENZCGj.exe
  2⤵
  PID:11500
- C:\Windows\System\DYmgcfV.exe
  C:\Windows\System\DYmgcfV.exe
  2⤵
  PID:11544
- C:\Windows\System\BPPpVxp.exe
  C:\Windows\System\BPPpVxp.exe
  2⤵
  PID:11568
- C:\Windows\System\gaOsJMI.exe
  C:\Windows\System\gaOsJMI.exe
  2⤵
  PID:11612
- C:\Windows\System\aYKJunV.exe
  C:\Windows\System\aYKJunV.exe
  2⤵
  PID:11644
- C:\Windows\System\JILerwj.exe
  C:\Windows\System\JILerwj.exe
  2⤵
  PID:11672
- C:\Windows\System\KxLrQbk.exe
  C:\Windows\System\KxLrQbk.exe
  2⤵
  PID:11700
- C:\Windows\System\TJIDNgI.exe
  C:\Windows\System\TJIDNgI.exe
  2⤵
  PID:11732
- C:\Windows\System\yeabEAR.exe
  C:\Windows\System\yeabEAR.exe
  2⤵
  PID:11756
- C:\Windows\System\jPuvLxW.exe
  C:\Windows\System\jPuvLxW.exe
  2⤵
  PID:11776
- C:\Windows\System\CiQPfxc.exe
  C:\Windows\System\CiQPfxc.exe
  2⤵
  PID:11808
- C:\Windows\System\FFkZmlF.exe
  C:\Windows\System\FFkZmlF.exe
  2⤵
  PID:11840
- C:\Windows\System\vfjrwND.exe
  C:\Windows\System\vfjrwND.exe
  2⤵
  PID:11868
- C:\Windows\System\DADfnxa.exe
  C:\Windows\System\DADfnxa.exe
  2⤵
  PID:11884
- C:\Windows\System\czKlHRJ.exe
  C:\Windows\System\czKlHRJ.exe
  2⤵
  PID:11900
- C:\Windows\System\rHKQeOA.exe
  C:\Windows\System\rHKQeOA.exe
  2⤵
  PID:11928
- C:\Windows\System\ZftycWN.exe
  C:\Windows\System\ZftycWN.exe
  2⤵
  PID:11952
- C:\Windows\System\fmeOSgj.exe
  C:\Windows\System\fmeOSgj.exe
  2⤵
  PID:11976
- C:\Windows\System\sDfpCsV.exe
  C:\Windows\System\sDfpCsV.exe
  2⤵
  PID:12016
- C:\Windows\System\eGbTKri.exe
  C:\Windows\System\eGbTKri.exe
  2⤵
  PID:12048
- C:\Windows\System\IYopyLP.exe
  C:\Windows\System\IYopyLP.exe
  2⤵
  PID:12076
- C:\Windows\System\HpNtxiG.exe
  C:\Windows\System\HpNtxiG.exe
  2⤵
  PID:12108
- C:\Windows\System\hjiJkOJ.exe
  C:\Windows\System\hjiJkOJ.exe
  2⤵
  PID:12136
- C:\Windows\System\ZVeVFrY.exe
  C:\Windows\System\ZVeVFrY.exe
  2⤵
  PID:12164
- C:\Windows\System\dslfcWt.exe
  C:\Windows\System\dslfcWt.exe
  2⤵
  PID:12204
- C:\Windows\System\pbERfGS.exe
  C:\Windows\System\pbERfGS.exe
  2⤵
  PID:12220
- C:\Windows\System\UxaMGVV.exe
  C:\Windows\System\UxaMGVV.exe
  2⤵
  PID:12244
- C:\Windows\System\ZPmhCDC.exe
  C:\Windows\System\ZPmhCDC.exe
  2⤵
  PID:12272
- C:\Windows\System\jEVsMBX.exe
  C:\Windows\System\jEVsMBX.exe
  2⤵
  PID:2764
- C:\Windows\System\EoQLCZF.exe
  C:\Windows\System\EoQLCZF.exe
  2⤵
  PID:11316
- C:\Windows\System\wuGtOEh.exe
  C:\Windows\System\wuGtOEh.exe
  2⤵
  PID:11428
- C:\Windows\System\KbNwKvo.exe
  C:\Windows\System\KbNwKvo.exe
  2⤵
  PID:11444
- C:\Windows\System\ioaSTUV.exe
  C:\Windows\System\ioaSTUV.exe
  2⤵
  PID:11508
- C:\Windows\System\crVkmHd.exe
  C:\Windows\System\crVkmHd.exe
  2⤵
  PID:11564
- C:\Windows\System\WSzeYcp.exe
  C:\Windows\System\WSzeYcp.exe
  2⤵
  PID:11628
- C:\Windows\System\wQBtSIZ.exe
  C:\Windows\System\wQBtSIZ.exe
  2⤵
  PID:11724
- C:\Windows\System\QnspBlS.exe
  C:\Windows\System\QnspBlS.exe
  2⤵
  PID:11748
- C:\Windows\System\aFoARns.exe
  C:\Windows\System\aFoARns.exe
  2⤵
  PID:11800
- C:\Windows\System\kCEAPoF.exe
  C:\Windows\System\kCEAPoF.exe
  2⤵
  PID:11912
- C:\Windows\System\ozbvsTz.exe
  C:\Windows\System\ozbvsTz.exe
  2⤵
  PID:11948
- C:\Windows\System\MpaSTLz.exe
  C:\Windows\System\MpaSTLz.exe
  2⤵
  PID:11992
- C:\Windows\System\yDeLTFw.exe
  C:\Windows\System\yDeLTFw.exe
  2⤵
  PID:12072
- C:\Windows\System\RwqpxCk.exe
  C:\Windows\System\RwqpxCk.exe
  2⤵
  PID:12128
- C:\Windows\System\hxmctIx.exe
  C:\Windows\System\hxmctIx.exe
  2⤵
  PID:12148
- C:\Windows\System\QrKVjgl.exe
  C:\Windows\System\QrKVjgl.exe
  2⤵
  PID:2004
- C:\Windows\System\cYQXWCE.exe
  C:\Windows\System\cYQXWCE.exe
  2⤵
  PID:12192
- C:\Windows\System\JogxuYp.exe
  C:\Windows\System\JogxuYp.exe
  2⤵
  PID:10796
- C:\Windows\System\jatrBmp.exe
  C:\Windows\System\jatrBmp.exe
  2⤵
  PID:11532
- C:\Windows\System\mrkzJci.exe
  C:\Windows\System\mrkzJci.exe
  2⤵
  PID:11632
- C:\Windows\System\EZoTAXM.exe
  C:\Windows\System\EZoTAXM.exe
  2⤵
  PID:11892
- C:\Windows\System\xnGkubz.exe
  C:\Windows\System\xnGkubz.exe
  2⤵
  PID:12124
- C:\Windows\System\blgjbDP.exe
  C:\Windows\System\blgjbDP.exe
  2⤵
  PID:11972
- C:\Windows\System\uhuDVSe.exe
  C:\Windows\System\uhuDVSe.exe
  2⤵
  PID:12216
- C:\Windows\System\XNJJmLm.exe
  C:\Windows\System\XNJJmLm.exe
  2⤵
  PID:11464
- C:\Windows\System\avEkqxF.exe
  C:\Windows\System\avEkqxF.exe
  2⤵
  PID:11828
- C:\Windows\System\bsCXRfz.exe
  C:\Windows\System\bsCXRfz.exe
  2⤵
  PID:12100
- C:\Windows\System\XavJMHf.exe
  C:\Windows\System\XavJMHf.exe
  2⤵
  PID:11916
- C:\Windows\System\VVcdUki.exe
  C:\Windows\System\VVcdUki.exe
  2⤵
  PID:12312
- C:\Windows\System\KZbJHQn.exe
  C:\Windows\System\KZbJHQn.exe
  2⤵
  PID:12344
- C:\Windows\System\JdlBpjc.exe
  C:\Windows\System\JdlBpjc.exe
  2⤵
  PID:12384
- C:\Windows\System\eCNNBRG.exe
  C:\Windows\System\eCNNBRG.exe
  2⤵
  PID:12412
- C:\Windows\System\kkjeeNn.exe
  C:\Windows\System\kkjeeNn.exe
  2⤵
  PID:12440
- C:\Windows\System\ZpWWLIu.exe
  C:\Windows\System\ZpWWLIu.exe
  2⤵
  PID:12472
- C:\Windows\System\ZyXEvnB.exe
  C:\Windows\System\ZyXEvnB.exe
  2⤵
  PID:12500
- C:\Windows\System\cSbBwvW.exe
  C:\Windows\System\cSbBwvW.exe
  2⤵
  PID:12524
- C:\Windows\System\CbULanq.exe
  C:\Windows\System\CbULanq.exe
  2⤵
  PID:12552
- C:\Windows\System\qYZpLlk.exe
  C:\Windows\System\qYZpLlk.exe
  2⤵
  PID:12584
- C:\Windows\System\TTyEeDY.exe
  C:\Windows\System\TTyEeDY.exe
  2⤵
  PID:12620
- C:\Windows\System\qrqfJav.exe
  C:\Windows\System\qrqfJav.exe
  2⤵
  PID:12648
- C:\Windows\System\ZkgXUHO.exe
  C:\Windows\System\ZkgXUHO.exe
  2⤵
  PID:12676
- C:\Windows\System\XrlPQUb.exe
  C:\Windows\System\XrlPQUb.exe
  2⤵
  PID:12708
- C:\Windows\System\GWmawKf.exe
  C:\Windows\System\GWmawKf.exe
  2⤵
  PID:12740
- C:\Windows\System\jjSMcsX.exe
  C:\Windows\System\jjSMcsX.exe
  2⤵
  PID:12756
- C:\Windows\System\zQTfOKE.exe
  C:\Windows\System\zQTfOKE.exe
  2⤵
  PID:12780
- C:\Windows\System\WZefhZu.exe
  C:\Windows\System\WZefhZu.exe
  2⤵
  PID:12828
- C:\Windows\System\CoZFOVy.exe
  C:\Windows\System\CoZFOVy.exe
  2⤵
  PID:12852
- C:\Windows\System\uoZWMvp.exe
  C:\Windows\System\uoZWMvp.exe
  2⤵
  PID:12876
- C:\Windows\System\OpBWXgu.exe
  C:\Windows\System\OpBWXgu.exe
  2⤵
  PID:12908
- C:\Windows\System\KQFZHwh.exe
  C:\Windows\System\KQFZHwh.exe
  2⤵
  PID:12936
- C:\Windows\System\PVoUoVd.exe
  C:\Windows\System\PVoUoVd.exe
  2⤵
  PID:12952
- C:\Windows\System\mcwUsBB.exe
  C:\Windows\System\mcwUsBB.exe
  2⤵
  PID:12980
- C:\Windows\System\UfVJmTN.exe
  C:\Windows\System\UfVJmTN.exe
  2⤵
  PID:13012
- C:\Windows\System\PbySPNW.exe
  C:\Windows\System\PbySPNW.exe
  2⤵
  PID:13036
- C:\Windows\System\fWoJtFI.exe
  C:\Windows\System\fWoJtFI.exe
  2⤵
  PID:13056
- C:\Windows\System\REAGmyK.exe
  C:\Windows\System\REAGmyK.exe
  2⤵
  PID:13096
- C:\Windows\System\sVWsxgn.exe
  C:\Windows\System\sVWsxgn.exe
  2⤵
  PID:13132
- C:\Windows\System\uUgDEgP.exe
  C:\Windows\System\uUgDEgP.exe
  2⤵
  PID:13160
- C:\Windows\System\gGAPgwj.exe
  C:\Windows\System\gGAPgwj.exe
  2⤵
  PID:13176
- C:\Windows\System\RVPXzth.exe
  C:\Windows\System\RVPXzth.exe
  2⤵
  PID:13208
- C:\Windows\System\kAnrlVT.exe
  C:\Windows\System\kAnrlVT.exe
  2⤵
  PID:13236
- C:\Windows\System\geTAoBb.exe
  C:\Windows\System\geTAoBb.exe
  2⤵
  PID:13284
- C:\Windows\System\vJrdbgK.exe
  C:\Windows\System\vJrdbgK.exe
  2⤵
  PID:13300
- C:\Windows\System\NgUMaTL.exe
  C:\Windows\System\NgUMaTL.exe
  2⤵
  PID:12156
- C:\Windows\System\AhwVtoX.exe
  C:\Windows\System\AhwVtoX.exe
  2⤵
  PID:1132
- C:\Windows\System\RtglOfh.exe
  C:\Windows\System\RtglOfh.exe
  2⤵
  PID:12324
- C:\Windows\System\NYtprEk.exe
  C:\Windows\System\NYtprEk.exe
  2⤵
  PID:12352
- C:\Windows\System\CaEQHnY.exe
  C:\Windows\System\CaEQHnY.exe
  2⤵
  PID:3836
- C:\Windows\System\VgfGuuj.exe
  C:\Windows\System\VgfGuuj.exe
  2⤵
  PID:12536
- C:\Windows\System\ZeJpaTK.exe
  C:\Windows\System\ZeJpaTK.exe
  2⤵
  PID:12512
- C:\Windows\System\RSQTxWG.exe
  C:\Windows\System\RSQTxWG.exe
  2⤵
  PID:12636
- C:\Windows\System\zqazdxD.exe
  C:\Windows\System\zqazdxD.exe
  2⤵
  PID:12724
- C:\Windows\System\DbITkQI.exe
  C:\Windows\System\DbITkQI.exe
  2⤵
  PID:12800
- C:\Windows\System\HcfpzWe.exe
  C:\Windows\System\HcfpzWe.exe
  2⤵
  PID:12772
- C:\Windows\System\guaOmgH.exe
  C:\Windows\System\guaOmgH.exe
  2⤵
  PID:13120
- C:\Windows\System\kdrTDvo.exe
  C:\Windows\System\kdrTDvo.exe
  2⤵
  PID:13144
- C:\Windows\System\TlBdMMx.exe
  C:\Windows\System\TlBdMMx.exe
  2⤵
  PID:13152
- C:\Windows\System\QkWKHol.exe
  C:\Windows\System\QkWKHol.exe
  2⤵
  PID:13292
- C:\Windows\System\hzdvJdz.exe
  C:\Windows\System\hzdvJdz.exe
  2⤵
  PID:13260
- C:\Windows\System\SPwsiBB.exe
  C:\Windows\System\SPwsiBB.exe
  2⤵
  PID:11592
- C:\Windows\System\lFYjyVO.exe
  C:\Windows\System\lFYjyVO.exe
  2⤵
  PID:12372
- C:\Windows\System\vbOLhmy.exe
  C:\Windows\System\vbOLhmy.exe
  2⤵
  PID:12560
- C:\Windows\System\vZOYDGV.exe
  C:\Windows\System\vZOYDGV.exe
  2⤵
  PID:4276
- C:\Windows\System\EiqDnWO.exe
  C:\Windows\System\EiqDnWO.exe
  2⤵
  PID:1588
- C:\Windows\System\LFnNDyA.exe
  C:\Windows\System\LFnNDyA.exe
  2⤵
  PID:12776
- C:\Windows\System\JxpTiLu.exe
  C:\Windows\System\JxpTiLu.exe
  2⤵
  PID:12868
- C:\Windows\System\tOwrkrh.exe
  C:\Windows\System\tOwrkrh.exe
  2⤵
  PID:11484
- C:\Windows\System\qZUVyHo.exe
  C:\Windows\System\qZUVyHo.exe
  2⤵
  PID:12492
- C:\Windows\System\VLpPjPP.exe
  C:\Windows\System\VLpPjPP.exe
  2⤵
  PID:12700
- C:\Windows\System\yEzGqAd.exe
  C:\Windows\System\yEzGqAd.exe
  2⤵
  PID:12672
- C:\Windows\System\DAYgDrT.exe
  C:\Windows\System\DAYgDrT.exe
  2⤵
  PID:12404
- C:\Windows\System\yzKZKLa.exe
  C:\Windows\System\yzKZKLa.exe
  2⤵
  PID:13336
- C:\Windows\System\gfWcLVO.exe
  C:\Windows\System\gfWcLVO.exe
  2⤵
  PID:13352
- C:\Windows\System\WCniKKs.exe
  C:\Windows\System\WCniKKs.exe
  2⤵
  PID:13384
- C:\Windows\System\uuYGVuj.exe
  C:\Windows\System\uuYGVuj.exe
  2⤵
  PID:13408
- C:\Windows\System\SRgwqbX.exe
  C:\Windows\System\SRgwqbX.exe
  2⤵
  PID:13428
- C:\Windows\System\AtQUxgf.exe
  C:\Windows\System\AtQUxgf.exe
  2⤵
  PID:13456
- C:\Windows\System\LmLkxCb.exe
  C:\Windows\System\LmLkxCb.exe
  2⤵
  PID:13476
- C:\Windows\System\MMyjFZt.exe
  C:\Windows\System\MMyjFZt.exe
  2⤵
  PID:13496
- C:\Windows\System\ZKVhmpp.exe
  C:\Windows\System\ZKVhmpp.exe
  2⤵
  PID:13524
- C:\Windows\System\cGeQlhd.exe
  C:\Windows\System\cGeQlhd.exe
  2⤵
  PID:13556
- C:\Windows\System\KrTfQDe.exe
  C:\Windows\System\KrTfQDe.exe
  2⤵
  PID:13584
- C:\Windows\System\ceglzwd.exe
  C:\Windows\System\ceglzwd.exe
  2⤵
  PID:13608
- C:\Windows\System\RqSCakb.exe
  C:\Windows\System\RqSCakb.exe
  2⤵
  PID:13632
- C:\Windows\System\KgzFBTe.exe
  C:\Windows\System\KgzFBTe.exe
  2⤵
  PID:13672
- C:\Windows\System\JBqdjvC.exe
  C:\Windows\System\JBqdjvC.exe
  2⤵
  PID:13700
- C:\Windows\System\bMCoRjh.exe
  C:\Windows\System\bMCoRjh.exe
  2⤵
  PID:13720
- C:\Windows\System\GTlVQxW.exe
  C:\Windows\System\GTlVQxW.exe
  2⤵
  PID:13752
- C:\Windows\System\kzkCvOM.exe
  C:\Windows\System\kzkCvOM.exe
  2⤵
  PID:13780
- C:\Windows\System\YVEWIQm.exe
  C:\Windows\System\YVEWIQm.exe
  2⤵
  PID:13800
- C:\Windows\System\GypMxny.exe
  C:\Windows\System\GypMxny.exe
  2⤵
  PID:13840
- C:\Windows\System\aXPYhIh.exe
  C:\Windows\System\aXPYhIh.exe
  2⤵
  PID:13872
- C:\Windows\System\RVrBPdL.exe
  C:\Windows\System\RVrBPdL.exe
  2⤵
  PID:13896
- C:\Windows\System\QkWyzJX.exe
  C:\Windows\System\QkWyzJX.exe
  2⤵
  PID:13924
- C:\Windows\System\PJXeHuF.exe
  C:\Windows\System\PJXeHuF.exe
  2⤵
  PID:13956
- C:\Windows\System\hkqOgqB.exe
  C:\Windows\System\hkqOgqB.exe
  2⤵
  PID:13984
- C:\Windows\System\MRoyLWV.exe
  C:\Windows\System\MRoyLWV.exe
  2⤵
  PID:14012
- C:\Windows\System\hIBEylG.exe
  C:\Windows\System\hIBEylG.exe
  2⤵
  PID:14028
- C:\Windows\System\yizHoXm.exe
  C:\Windows\System\yizHoXm.exe
  2⤵
  PID:14052
- C:\Windows\System\VQBQNYb.exe
  C:\Windows\System\VQBQNYb.exe
  2⤵
  PID:14088
- C:\Windows\System\nRSMIGc.exe
  C:\Windows\System\nRSMIGc.exe
  2⤵
  PID:14112
- C:\Windows\System\ZNlRpIz.exe
  C:\Windows\System\ZNlRpIz.exe
  2⤵
  PID:14144
- C:\Windows\System\BgaztIh.exe
  C:\Windows\System\BgaztIh.exe
  2⤵
  PID:14172
- C:\Windows\System\yiPbOyi.exe
  C:\Windows\System\yiPbOyi.exe
  2⤵
  PID:14204
- C:\Windows\System\YSzcWHi.exe
  C:\Windows\System\YSzcWHi.exe
  2⤵
  PID:14236
- C:\Windows\System\IHmaVtk.exe
  C:\Windows\System\IHmaVtk.exe
  2⤵
  PID:14252
- C:\Windows\System\PxTKDXL.exe
  C:\Windows\System\PxTKDXL.exe
  2⤵
  PID:14276
- C:\Windows\System\mpDumRR.exe
  C:\Windows\System\mpDumRR.exe
  2⤵
  PID:14308
- C:\Windows\System\XKfMgcO.exe
  C:\Windows\System\XKfMgcO.exe
  2⤵
  PID:14332
- C:\Windows\System\fMXeOky.exe
  C:\Windows\System\fMXeOky.exe
  2⤵
  PID:11364
- C:\Windows\System\kLrFtvz.exe
  C:\Windows\System\kLrFtvz.exe
  2⤵
  PID:13328
- C:\Windows\System\NsRebEL.exe
  C:\Windows\System\NsRebEL.exe
  2⤵
  PID:13416
- C:\Windows\System\dqVGIHv.exe
  C:\Windows\System\dqVGIHv.exe
  2⤵
  PID:13520
- C:\Windows\System\XYwWNSV.exe
  C:\Windows\System\XYwWNSV.exe
  2⤵
  PID:13600
- C:\Windows\System\rTedAFP.exe
  C:\Windows\System\rTedAFP.exe
  2⤵
  PID:13604
- C:\Windows\System\eWVbjpf.exe
  C:\Windows\System\eWVbjpf.exe
  2⤵
  PID:13736
- C:\Windows\System\VwvbTvF.exe
  C:\Windows\System\VwvbTvF.exe
  2⤵
  PID:13744
- C:\Windows\System\MOauSJP.exe
  C:\Windows\System\MOauSJP.exe
  2⤵
  PID:13816
- C:\Windows\System\UDZepVj.exe
  C:\Windows\System\UDZepVj.exe
  2⤵
  PID:13864
- C:\Windows\System\BVLEPFF.exe
  C:\Windows\System\BVLEPFF.exe
  2⤵
  PID:13892
- C:\Windows\System\PAxJWNx.exe
  C:\Windows\System\PAxJWNx.exe
  2⤵
  PID:14048

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3212
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4508

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:7248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11244

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6160

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8208

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8476

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1892

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6KUWUA35\microsoft.windows[1].xml

Filesize
97B

MD5
689df38489ed790b0068b7f3cae1d440

SHA1
6df6ffaae31903b96024a7b81f25f1ed61c3f152

SHA256
fc336b0ef0f4f06ea66d92f25dd66dd1b0d697da62b5073ed5199fffac8a08aa

SHA512
1f26ccb99ee3babc3617eb635a75f02d34be865c200a866eb28024ad0d8ccbe4110b0dd1a3d2ab14fd84b2eb345fed8bb65a19437ff99c1b2d84e2b3ce9acbb2

Download Submit
C:\Windows\System\FXDmBej.exe

Filesize
2.1MB

MD5
ccd7bce36c7d809502a206db22e51708

SHA1
2b3917d8b993065aa62c083658e4c50523303ed1

SHA256
018cf77c2b1340d9e52f49d9cd8fde045c85e5477abf9950094b12eb1faaa1ca

SHA512
43fa5578477ec4a5aa23b8097076b12c8e740c0431c9bd3530613fdb177f459018eeb7d2d820f374201e315bbe42110a4111ce0a2f0223a9235f6ddcc4546919

Download Submit
C:\Windows\System\IfWZOMc.exe

Filesize
2.1MB

MD5
4ff7bb0f6343f537b0dc3f23edff4853

SHA1
ca4f5ce2c8dd4126d1fdb45602f5a0edc30b8b3f

SHA256
6848ef4198841218dccb5df1480e197d2c33505e149cc8049c2607d3fe90c712

SHA512
0db306c41e6ae887f7d385665bdb4b9c849ffe2decdaec695f44fad9db5d9d78038db7ff591c86c4b88405a2f8776510b81436a8249688ad3961159fbbbfd3bd

Download Submit
C:\Windows\System\Imomnqq.exe

Filesize
2.1MB

MD5
99b12f5794be689fff4531a0f40ec3b4

SHA1
7e4e34ea1c01fb80bf8669b462140fa4f708b231

SHA256
a55b7f2455b80afff50690e2c11c7a2a7a25ebeb80471b880eeec853787a9f80

SHA512
201d64f2687b3d0cafcbd5c45ad5572c863730f46fad7f95f556d8aa892d2b30131a3b3749f599a13dbdb149ce5abe2bce68a19f9f12f322e40ee6bb5db66fa4

Download Submit
C:\Windows\System\KHqllUo.exe

Filesize
2.1MB

MD5
3111700be9866bd8c11f3ba7d4c8f184

SHA1
82747fb6f5ec9e5ee18d385f0259bdcacfad67fc

SHA256
22de6df448477cc0dc9f934efa01a0b77b7ba3d0443ee32cde54582c59e2d17d

SHA512
71e5e4b3cd70235bb1b64c2dbe358d45093e454606256a287be607454bd96bf12c842e7e6d8b6788a3173d5ce755c583a3effd5d661411457add0cca68f1f741

Download Submit
C:\Windows\System\KZBGhkx.exe

Filesize
2.1MB

MD5
3f6e67c9d1f60a86363a2c3922160630

SHA1
57d13ef85bd5aa556395525c6b5d1e8aaa368b0c

SHA256
ef85800c9720ce4b55a72cb241cacaf395f3eb625354fe8e5f3ef6e9abf62060

SHA512
b02b7acf9e7dd50df028326edb8bf8b12f99f4acc8657102d145778374cad828b206ebc518160a9cd6c91fb322cf3255afa1390519ec9f54915a183142d1e005

Download Submit
C:\Windows\System\KrkVPjH.exe

Filesize
2.1MB

MD5
2aa8555be1e3bc0c09a97d1a0ec2a709

SHA1
f411bd71a97ee6d4d15c67a30b36f5e91c0c672c

SHA256
d8db13cab8731f3cac199047861a85d414f90b52c65b1a28c77a3a8444843679

SHA512
7304821244437828ab6537461cb31983d9e75cc584e9463be4aa149c0844814f0569b22ba0300219424e4dff5d1b469968e7de5847255934bae30495372cea8e

Download Submit
C:\Windows\System\SOLISWO.exe

Filesize
2.1MB

MD5
60796ab0ed5da7b3bb0b1897af4c9ec1

SHA1
a21129a808a838a08b1ea9d2f76d4ce878641c92

SHA256
1f8842da5b1e439a23fed7c80a1d9248b6b189b4ae7bb4aa9bd35b754e17a5c7

SHA512
dc228186f07fdbfd9526fa762095ece46018cca232665765082a22ff44156a9e24a2dbe08ee1befee077967e7a6fb2e4c4e5da9592130a4f536df8eda29388fb

Download Submit
C:\Windows\System\WiWsIce.exe

Filesize
2.1MB

MD5
9923f6b9690472321a7a4d5f6652531c

SHA1
e91164f3bcf549cc9242dae1545c742f506eba29

SHA256
baf9333db8547f875dfb014bd6684406926e0f0749ab541a30f11193494196cb

SHA512
acd224135a41171977661096ef15b0cb4be9e8828eeed49dbda3ef66785f7566fba94147737acdff1590d40eee4774f245bc6f5482e633304c0a2afa37902f77

Download Submit
C:\Windows\System\aPsNiRr.exe

Filesize
2.1MB

MD5
c4f052c9a31b6d736ce781a36a3a37c3

SHA1
a08eb49eccc4b8267cd9951cbe64d0f02ce7dcd5

SHA256
38625f5deb87c3ec03ddd78e433662746f67aa53d02f7f3c4b71a3a7e44fecab

SHA512
e4018a32e21fe55d711687f0fdb17d9653db756666a0eebbb234903875e5c7424690eb13d7d7c48f5c667fb303369d646f0dab308b35cdeb094f810b9b20a6c7

Download Submit
C:\Windows\System\bFqScNB.exe

Filesize
2.1MB

MD5
d9fb249a0fe1cdb4f564fe73b8627280

SHA1
1d6ccba0f21cee4609a3bd152be7975ae4677762

SHA256
958a2af07df1c37b5712083c5b002843c7c754a1e5556f897c174c496fc93584

SHA512
9650e0d50de86f3f2c8ea16a0b4d4e4e9da3a2d9d5e7365bfa4206479bf2decd59c62515daf5483e4d702816584eca96eb73125c1a2deaafbbf4dbe3361ca638

Download Submit
C:\Windows\System\bJGEyTI.exe

Filesize
2.1MB

MD5
36eda4fb3af774d287d4da07828a775f

SHA1
56e45b2843b52b5bf37c0ec981403462d5cf6ade

SHA256
260b50045d0c74a624fb82871b1e9832066747692edaded313ed391269726f4c

SHA512
c9fbd1e0f9b4aaca9c60edfb807e326156fdb7e1b8fbda8145c27acb009a06b465e5c203196ebc9066ca8717df5e894a7596144413cd15d97ab2d0585df7208e

Download Submit
C:\Windows\System\bvNbyWM.exe

Filesize
2.1MB

MD5
b8c9fe34e68518bf23fc7d1aad82a44b

SHA1
cf1ff039abbb13e0df6dba80433be0c7e68a00e9

SHA256
2404763e2aaea5206edfa0afb9b797602610ff8029d2153f2657dbd8f46bc752

SHA512
bac9d39dae33846629c0250b46b15ac59d0808f5a5a0fbac727a7b4b42aad135b57c79d291349e39511e5401823d12a647717beee98849f8d3b6e0f5c58caaf0

Download Submit
C:\Windows\System\ccDOart.exe

Filesize
2.1MB

MD5
2afe943a568b8299ee5a9583c502efcc

SHA1
5df3d15934a8b9ddcd035eb8f5a55529e3d0f516

SHA256
a605216b71aa8c41b688896305902c1f0b310750e481c704e93d38a6c9901968

SHA512
a2215fc3334eaf36ec18298957629ad3a999bef26d2e00f2bb1bfd0d5f4465fa1370f50b8d6f9fe8dafc52eec13e067d4e996adbed2d7f3edfc854da4e719d0e

Download Submit
C:\Windows\System\exHMZuf.exe

Filesize
2.1MB

MD5
bf86fa6ee6a08052e329eb9a70545c60

SHA1
b05e0c637d327dd47603a86453f188db36f39709

SHA256
8a9cb8d29e70b460756c1086ef36ea5f10f984e6e7188a83804b4df5cb64dbd7

SHA512
758b539c203611f22b126949d7b8bc018bf33318091e49efde505bcc79477e838f8831040866558ce0bb57a959469205cd6e12c5ae0dc34b093a34300ffd049a

Download Submit
C:\Windows\System\gjlTIkh.exe

Filesize
2.1MB

MD5
3ac20a65fb38ae911d9e529ac52498fa

SHA1
c1d5cd61a2843b2a8b84960b93ed4babce7b1934

SHA256
7667f6c0b7b5c9c5d9495cc68ed17bbe59bf9efde7a6679d7df7441bbfbaeb0c

SHA512
b94164084771af60bd6ae2d48555ab8024b96b751405179b545cd038ac99cf59854b2ffb47480fa640cbb320ff6ce4b27d753886fe560bdc0735ba4b9079e7a3

Download Submit
C:\Windows\System\hSWloXB.exe

Filesize
2.1MB

MD5
a63252289fccea65c8d0ac61ded8126f

SHA1
6686b4e4ceaa9cc56af307e27583ca3ffc888d24

SHA256
8d817f2c4811bebcb8cd4f6627376406f407059bc8e7f8ebc38c69b2c958db8b

SHA512
3340820b647b00ee8f7e6c0889e956e03f0576a3ec65861cfc61a8279600b05e310444c9d1444a4595a6f660ed69dbee0f6046e4440c70b12f09042b271c0929

Download Submit
C:\Windows\System\hxCuXfk.exe

Filesize
2.1MB

MD5
2f4a555c7f237cc33151bd12e828c73b

SHA1
ecd3ddd798e66f8ddf7d3ec318e83fc9655d81e2

SHA256
531dcf9a30ca6fb6d2285213e61ec6092422743fa84ed41ed7e03beb30f76c73

SHA512
9a0a44044f062402146684c38bb00264ab14b9eb4dcb354a1dd6a22688585bfc3eb713b6332027cdc7404952d20608bd8173e24aa6a53c2b3a664055a833d187

Download Submit
C:\Windows\System\hxlzqrZ.exe

Filesize
2.1MB

MD5
f295988c66cb4b691a79113537fce5ae

SHA1
b7848a1a9212347eac479e7663fd18d219fbfb75

SHA256
3ed45bfec82295e178ca986d4f2c0faf1081aa5db45b1025de20edb84c9c489a

SHA512
5b93306055b140189570d94149d44f08fa37e00a85d5e868008b8f484ff17ff02d5eb43484548e4d1d045d846b3e10b76d856d23840bc5a9e220b3c7f23f71ed

Download Submit
C:\Windows\System\iaovoJD.exe

Filesize
2.1MB

MD5
e341c9cf61c2ed08de9438da91d05df4

SHA1
745b2c21c1282a47f7fbc36b63840750fd133b65

SHA256
f97953122d9a1bf38ccd170ce669e15438726fc00a811884ee3c6fdfd5cbb1f0

SHA512
97c32c8ed59868c5358ebb27ec87b6124fa56e998d03245dcf408fb5e684da242b4e8bdbf17729011cc0351df4a01acd237e46b08e777bf43705da9384f277d4

Download Submit
C:\Windows\System\jBzhRCu.exe

Filesize
2.1MB

MD5
11c2fffd1be49943cdc588880690d8a2

SHA1
6b23b6e83b6a805245fcd224f55c7fe80707e6ef

SHA256
f086f0c4756f236c87760b78b3c50e0f7d4281683e965230eccb9ecb8a2ab979

SHA512
7ca0d6e4d0f048855b6c775052fd31a1813b393912919c640e5041059e90b4f92a6883874ec7f42053e55abd44d7962aec158871d11360bbf50e2be718d570ab

Download Submit
C:\Windows\System\kGzbPmv.exe

Filesize
2.1MB

MD5
bf6a36f58e83a5fae5a1baf795cd23f9

SHA1
f3ce03579871a96d7e143ce41c03a6456bfe032e

SHA256
5ad7d186f7afe601cc6a8bf990473d9f3cd4859128da8e447183d9efa6ba8cda

SHA512
91ca23f894498a7ba371ce5838ba742fc19304c467b798cf0958294379e740c724a49ced6b969e82a6c26fc70ea5a12adc09e75dea90ebbd4454fccdfb49f60e

Download Submit
C:\Windows\System\lpeMsKH.exe

Filesize
2.1MB

MD5
8844478cf0ffd66e5481142018a0ef83

SHA1
73e4cd1347202f9abf281a4dcfb77a14e38b350e

SHA256
208c459336a20a71488ce4d5773f56bc3a6232cf697951614da86b8a9dd8c794

SHA512
f03883246ad99025352bcb79f86069c83e55cc9a87ae889dcbde28b0d09a98592cc65d9d1916d4c257ab9ab7b851b4e6d4ae8c8f13520245984d3c0636a43ccb

Download Submit
C:\Windows\System\puqZxIY.exe

Filesize
2.1MB

MD5
1b1563ab9f2597d70065df491edc4bab

SHA1
f67a7d6ca63c5df0af073abfcd5b808dc00a788c

SHA256
df9d81d80896adaf95c9f1b3e9f08447c2263cc1e90765515d04cfc11d74075c

SHA512
7444acfa955599dcb9c38a4ee8503b331db128932090652e1d6843b091636fe619d698be724021e5df7af973e7d572d6ea0d80ec5c8aa3dba568eba56cbae679

Download Submit
C:\Windows\System\pzgbesC.exe

Filesize
2.1MB

MD5
9d6dec8a614b8dd5310d5a0f8911898d

SHA1
e50165cf9dfce79ab09d7651b56b2c42665c4e3d

SHA256
d578d194f7a9bfd07ca8964fd674ce77b81132af742d563f447b84f3d863b7e4

SHA512
0c9fb453ad7b189d9df09eb259d98a6acbd9e0485fe73dde4e51d7ed3b349f00153decb94c588a5214f1a346cac3ce393a4b74772a6e906c53278549cb96fa00

Download Submit
C:\Windows\System\qGnHEkH.exe

Filesize
2.1MB

MD5
75c81ae6058f49054610a700c4799c3d

SHA1
6740b52df1e695df7dac0094fb9d576c768e5e45

SHA256
065233c4e9a4cb616361480bd177d2d0e745eed0a139bf03a62f39d10f00fad0

SHA512
bf5b85e232fa51b3db5d0447977581f2c48b3bada3ae0281da587aff6f599d6d3f071591d2e7b3eae9c70103255b495b7bcaf2e996ba1c048c02c1fbf16e67e2

Download Submit
C:\Windows\System\rAWhGwS.exe

Filesize
2.1MB

MD5
e0f891cb1b6e81c8361cb6b3a2515a0c

SHA1
41f9f40b1477d095d9a06cd859991fbeb8356344

SHA256
7b02efa0af8dc81be33fa3f0f7e2c3839a0f821354cbc23c7a177b28b2c9c54c

SHA512
08b91f9bba56edc75748d6f6938c9e0dcf188731c329bbf10a912d2c2649d70efa30bb926664eba26ca9bb73cd2186fa0a81c38e2943f5145dfbbe02caf2ac92

Download Submit
C:\Windows\System\sacfSjz.exe

Filesize
2.1MB

MD5
b6fdfc0ae5cf44c33a24efb6af6b472f

SHA1
e96c2a306ea1fa246715d0c0577b1c1ba7c0882d

SHA256
3ff0eee1e9487efe68ca29cc043b891a4bc2447accfa10feb1946d9b6424854b

SHA512
909fd950bdabdd90d561613a791d4f9c7fb5ee1168d76baf3934cfd109f28be5caf9eac35d38e2f7a1d8e0b3df82e1c196730281f648530002c8b68dcf3979b5

Download Submit
C:\Windows\System\vffxSTF.exe

Filesize
2.1MB

MD5
e8f578d47a0b265b00e8c0b114a501c8

SHA1
c10a8eda702aa48f750c068233fe412cfd2e1607

SHA256
141125b5e10fb17e55c4b4bbf1a93a5d47b4dbb8ec7d90eee93c21165c1ed4f2

SHA512
f1a20925b62d64652325bfda88c8de30ca7505f58b7f40eeaa358acbbdedbc45483092c480b75affc5f5a48d08759d83d2bdac0258fcb60b5f2d12660271d947

Download Submit
C:\Windows\System\wEoDotC.exe

Filesize
2.1MB

MD5
d1f7ef5f078a15ad7451e14617d3cbdb

SHA1
9c768c2fe5fcb55ef4844de4b861222b7d196c1c

SHA256
ecaab8d0daa42355f486f32705075d1e1e07ddeff59a6b6834f0dbe44efaeb96

SHA512
a2f11a03c5f8578b2157d467a0e5ca527a1106bb20d7d0176805385a9ff49cd3cbb8e8d81db149dcb609fece74bf5d6a21aa94138a5958835221ccae76e81199

Download Submit
C:\Windows\System\wfbCIcD.exe

Filesize
2.1MB

MD5
7f82429e016c7cbe6fca8d49d0745540

SHA1
0d487c7b99df410115d722997b3135ec9fc63df9

SHA256
48c8dff70c17affa4b2bdb2693674d2818c508d6d084b568fc59d37ee5a36f39

SHA512
0f293f5c6c591a35175f2c77e0e0d39bf0187ad334ffa8eb27b85cd6eddfd7ffcd90087a0bfbe6f52302aa9062020fe0a136e440a7964b1f38443944579d58ef

Download Submit
C:\Windows\System\zeJkqQF.exe

Filesize
2.1MB

MD5
89c8245bd90cf6d03e9edcd4337bf002

SHA1
2d62de66eb77f749a6832534de82731a463cbcca

SHA256
37f62b3e1f1d4ebeff8ebe2d16f719f75f8af5475567233ceb45e8c0e72fde8b

SHA512
ca6889510cd54557ba0404ea454c12334b8e8f2c9f0a63e9a0f29a4d48e3938002d973d282a19f46fe95742ae359bbcfe78c81f6247a8d7ed79c62ade6879dc5

Download Submit
C:\Windows\System\zqzPqsR.exe

Filesize
2.1MB

MD5
b3db92b0e6b5077d35229066c6d4ffb7

SHA1
40d193e1d48b2b9c2d7ebdf51de7b377e30f168c

SHA256
de8137e0b6bf2b1a1e801da7de8b1bad3484578c57648883c71e8c7964079bf2

SHA512
b2c34276bb5f7af3c72d71dacded4f417766bf1b4283222f202e40bf9c2690facb7ffba58784220e2b0da34963e63e8915ef578d03d8d3304b138e76c1e9b978

Download Submit
memory/756-0-0x00007FF730100000-0x00007FF730454000-memory.dmp

Filesize
3.3MB

Download
memory/756-1-0x000001F8445D0000-0x000001F8445E0000-memory.dmp

Filesize
64KB

Download
memory/1948-167-0x00007FF72B8C0000-0x00007FF72BC14000-memory.dmp

Filesize
3.3MB

Download
memory/1948-2164-0x00007FF72B8C0000-0x00007FF72BC14000-memory.dmp

Filesize
3.3MB

Download
memory/1968-2187-0x00007FF645130000-0x00007FF645484000-memory.dmp

Filesize
3.3MB

Download
memory/1968-163-0x00007FF645130000-0x00007FF645484000-memory.dmp

Filesize
3.3MB

Download
memory/2108-2153-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp

Filesize
3.3MB

Download
memory/2108-107-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp

Filesize
3.3MB

Download
memory/2108-2172-0x00007FF6C7580000-0x00007FF6C78D4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-161-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp

Filesize
3.3MB

Download
memory/2132-2158-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp

Filesize
3.3MB

Download
memory/2132-2181-0x00007FF7096F0000-0x00007FF709A44000-memory.dmp

Filesize
3.3MB

Download
memory/2244-2180-0x00007FF7455B0000-0x00007FF745904000-memory.dmp

Filesize
3.3MB

Download
memory/2244-141-0x00007FF7455B0000-0x00007FF745904000-memory.dmp

Filesize
3.3MB

Download
memory/2244-2156-0x00007FF7455B0000-0x00007FF745904000-memory.dmp

Filesize
3.3MB

Download
memory/2256-26-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp

Filesize
3.3MB

Download
memory/2256-2148-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp

Filesize
3.3MB

Download
memory/2256-2161-0x00007FF76AFD0000-0x00007FF76B324000-memory.dmp

Filesize
3.3MB

Download
memory/2284-2159-0x00007FF61B710000-0x00007FF61BA64000-memory.dmp

Filesize
3.3MB

Download
memory/2284-14-0x00007FF61B710000-0x00007FF61BA64000-memory.dmp

Filesize
3.3MB

Download
memory/2308-2168-0x00007FF686B30000-0x00007FF686E84000-memory.dmp

Filesize
3.3MB

Download
memory/2308-171-0x00007FF686B30000-0x00007FF686E84000-memory.dmp

Filesize
3.3MB

Download
memory/2464-2174-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp

Filesize
3.3MB

Download
memory/2464-2157-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp

Filesize
3.3MB

Download
memory/2464-144-0x00007FF7C69B0000-0x00007FF7C6D04000-memory.dmp

Filesize
3.3MB

Download
memory/2636-2171-0x00007FF67A390000-0x00007FF67A6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-169-0x00007FF67A390000-0x00007FF67A6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-20-0x00007FF633E90000-0x00007FF6341E4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-2160-0x00007FF633E90000-0x00007FF6341E4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-2154-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp

Filesize
3.3MB

Download
memory/2996-2175-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp

Filesize
3.3MB

Download
memory/2996-133-0x00007FF7FF1D0000-0x00007FF7FF524000-memory.dmp

Filesize
3.3MB

Download
memory/3424-162-0x00007FF772310000-0x00007FF772664000-memory.dmp

Filesize
3.3MB

Download
memory/3424-2183-0x00007FF772310000-0x00007FF772664000-memory.dmp

Filesize
3.3MB

Download
memory/3460-2169-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp

Filesize
3.3MB

Download
memory/3460-2152-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp

Filesize
3.3MB

Download
memory/3460-86-0x00007FF7FC8F0000-0x00007FF7FCC44000-memory.dmp

Filesize
3.3MB

Download
memory/3632-166-0x00007FF727080000-0x00007FF7273D4000-memory.dmp

Filesize
3.3MB

Download
memory/3632-2186-0x00007FF727080000-0x00007FF7273D4000-memory.dmp

Filesize
3.3MB

Download
memory/3660-2166-0x00007FF646DC0000-0x00007FF647114000-memory.dmp

Filesize
3.3MB

Download
memory/3660-168-0x00007FF646DC0000-0x00007FF647114000-memory.dmp

Filesize
3.3MB

Download
memory/3956-164-0x00007FF73A880000-0x00007FF73ABD4000-memory.dmp

Filesize
3.3MB

Download
memory/3956-2184-0x00007FF73A880000-0x00007FF73ABD4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-42-0x00007FF794B20000-0x00007FF794E74000-memory.dmp

Filesize
3.3MB

Download
memory/4184-2163-0x00007FF794B20000-0x00007FF794E74000-memory.dmp

Filesize
3.3MB

Download
memory/4184-2149-0x00007FF794B20000-0x00007FF794E74000-memory.dmp

Filesize
3.3MB

Download
memory/4352-2162-0x00007FF766890000-0x00007FF766BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-46-0x00007FF766890000-0x00007FF766BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-2185-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp

Filesize
3.3MB

Download
memory/4384-175-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp

Filesize
3.3MB

Download
memory/4588-170-0x00007FF7B7510000-0x00007FF7B7864000-memory.dmp

Filesize
3.3MB

Download
memory/4588-2165-0x00007FF7B7510000-0x00007FF7B7864000-memory.dmp

Filesize
3.3MB

Download
memory/4648-2178-0x00007FF79F8D0000-0x00007FF79FC24000-memory.dmp

Filesize
3.3MB

Download
memory/4648-172-0x00007FF79F8D0000-0x00007FF79FC24000-memory.dmp

Filesize
3.3MB

Download
memory/4668-2176-0x00007FF7B1F60000-0x00007FF7B22B4000-memory.dmp

Filesize
3.3MB

Download
memory/4668-174-0x00007FF7B1F60000-0x00007FF7B22B4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-76-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4972-2177-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4972-2151-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4976-2155-0x00007FF758380000-0x00007FF7586D4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-134-0x00007FF758380000-0x00007FF7586D4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-2173-0x00007FF758380000-0x00007FF7586D4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-2170-0x00007FF676CB0000-0x00007FF677004000-memory.dmp

Filesize
3.3MB

Download
memory/4980-126-0x00007FF676CB0000-0x00007FF677004000-memory.dmp

Filesize
3.3MB

Download
memory/4984-165-0x00007FF7C66D0000-0x00007FF7C6A24000-memory.dmp

Filesize
3.3MB

Download
memory/4984-2182-0x00007FF7C66D0000-0x00007FF7C6A24000-memory.dmp

Filesize
3.3MB

Download
memory/4992-55-0x00007FF71B010000-0x00007FF71B364000-memory.dmp

Filesize
3.3MB

Download
memory/4992-2150-0x00007FF71B010000-0x00007FF71B364000-memory.dmp

Filesize
3.3MB

Download
memory/4992-2167-0x00007FF71B010000-0x00007FF71B364000-memory.dmp

Filesize
3.3MB

Download
memory/5056-2179-0x00007FF64FA60000-0x00007FF64FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-173-0x00007FF64FA60000-0x00007FF64FDB4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads