kpot | d1b4c012402c10c58e979b4fa3c39a9ca50bdfc223982c9830bf5f1ae63d9768

Analysis

max time kernel
61s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
Size

2.4MB
MD5

3ec5526153daf29fe95a8fefbd0d2f60
SHA1

c4ee57a6b61ec2660e7a4b7b33854e14599d6ce2
SHA256

d1b4c012402c10c58e979b4fa3c39a9ca50bdfc223982c9830bf5f1ae63d9768
SHA512

d7a7de180dc6b5ce634ef62a8d6bc1ee62a6905c9b30153a208ea24a7db6a5f296c94e582b6ff7891184ed36b53d67f3048cdb5f8f869812b8915bcd0ea00c11
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+Agr6tdlmU1/eoQ:BemTLkNdfE0pZrwu

Score

10^/10

kpot xmrig miner persistence stealer trojan upx

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 33 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023304-5.dat	family_kpot
behavioral2/files/0x0008000000023309-8.dat	family_kpot
behavioral2/files/0x000800000002330c-25.dat	family_kpot
behavioral2/files/0x000800000002330a-28.dat	family_kpot
behavioral2/files/0x000800000002330d-27.dat	family_kpot
behavioral2/files/0x000d000000023397-24.dat	family_kpot
behavioral2/files/0x000800000002353b-35.dat	family_kpot
behavioral2/files/0x000700000002353e-50.dat	family_kpot
behavioral2/files/0x000700000002353d-52.dat	family_kpot
behavioral2/files/0x000700000002353c-53.dat	family_kpot
behavioral2/files/0x000700000002353f-65.dat	family_kpot
behavioral2/files/0x0009000000023305-74.dat	family_kpot
behavioral2/files/0x0007000000023540-77.dat	family_kpot
behavioral2/files/0x0007000000023542-102.dat	family_kpot
behavioral2/files/0x0007000000023548-122.dat	family_kpot
behavioral2/files/0x0007000000023547-126.dat	family_kpot
behavioral2/files/0x000700000002354a-137.dat	family_kpot
behavioral2/files/0x000700000002354b-144.dat	family_kpot
behavioral2/files/0x0007000000023549-134.dat	family_kpot
behavioral2/files/0x0007000000023546-114.dat	family_kpot
behavioral2/files/0x0007000000023543-107.dat	family_kpot
behavioral2/files/0x0007000000023545-105.dat	family_kpot
behavioral2/files/0x0007000000023544-111.dat	family_kpot
behavioral2/files/0x0007000000023541-82.dat	family_kpot
behavioral2/files/0x000700000002354d-149.dat	family_kpot
behavioral2/files/0x000700000002354e-153.dat	family_kpot
behavioral2/files/0x000700000002354f-162.dat	family_kpot
behavioral2/files/0x0007000000023550-165.dat	family_kpot
behavioral2/files/0x0007000000023551-172.dat	family_kpot
behavioral2/files/0x0007000000023554-183.dat	family_kpot
behavioral2/files/0x0007000000023555-185.dat	family_kpot
behavioral2/files/0x0007000000023556-195.dat	family_kpot
behavioral2/files/0x0007000000023553-193.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2140-0-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp	xmrig
behavioral2/files/0x0009000000023304-5.dat	xmrig
behavioral2/files/0x0008000000023309-8.dat	xmrig
behavioral2/files/0x000800000002330c-25.dat	xmrig
behavioral2/files/0x000800000002330a-28.dat	xmrig
behavioral2/files/0x000800000002330d-27.dat	xmrig
behavioral2/files/0x000d000000023397-24.dat	xmrig
behavioral2/memory/3056-14-0x00007FF796150000-0x00007FF7964A4000-memory.dmp	xmrig
behavioral2/files/0x000800000002353b-35.dat	xmrig
behavioral2/files/0x000700000002353e-50.dat	xmrig
behavioral2/files/0x000700000002353d-52.dat	xmrig
behavioral2/memory/4492-56-0x00007FF6C2CE0000-0x00007FF6C3034000-memory.dmp	xmrig
behavioral2/memory/464-60-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	xmrig
behavioral2/memory/1544-62-0x00007FF601450000-0x00007FF6017A4000-memory.dmp	xmrig
behavioral2/memory/2284-61-0x00007FF61F1F0000-0x00007FF61F544000-memory.dmp	xmrig
behavioral2/memory/4944-57-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp	xmrig
behavioral2/files/0x000700000002353c-53.dat	xmrig
behavioral2/memory/4572-51-0x00007FF6D1FB0000-0x00007FF6D2304000-memory.dmp	xmrig
behavioral2/memory/1196-48-0x00007FF7490D0000-0x00007FF749424000-memory.dmp	xmrig
behavioral2/memory/800-46-0x00007FF673450000-0x00007FF6737A4000-memory.dmp	xmrig
behavioral2/memory/3732-30-0x00007FF70AD90000-0x00007FF70B0E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002353f-65.dat	xmrig
behavioral2/memory/676-68-0x00007FF7EC880000-0x00007FF7ECBD4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023305-74.dat	xmrig
behavioral2/files/0x0007000000023540-77.dat	xmrig
behavioral2/files/0x0007000000023542-102.dat	xmrig
behavioral2/files/0x0007000000023548-122.dat	xmrig
behavioral2/files/0x0007000000023547-126.dat	xmrig
behavioral2/memory/4764-130-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp	xmrig
behavioral2/memory/860-136-0x00007FF6EE650000-0x00007FF6EE9A4000-memory.dmp	xmrig
behavioral2/memory/4316-140-0x00007FF78FBE0000-0x00007FF78FF34000-memory.dmp	xmrig
behavioral2/memory/4904-139-0x00007FF6F6560000-0x00007FF6F68B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002354a-137.dat	xmrig
behavioral2/files/0x000700000002354b-144.dat	xmrig
behavioral2/files/0x0007000000023549-134.dat	xmrig
behavioral2/memory/3436-131-0x00007FF67AD80000-0x00007FF67B0D4000-memory.dmp	xmrig
behavioral2/memory/5076-128-0x00007FF7F2B20000-0x00007FF7F2E74000-memory.dmp	xmrig
behavioral2/memory/664-125-0x00007FF796ED0000-0x00007FF797224000-memory.dmp	xmrig
behavioral2/memory/4164-116-0x00007FF678420000-0x00007FF678774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023546-114.dat	xmrig
behavioral2/memory/2640-110-0x00007FF627ED0000-0x00007FF628224000-memory.dmp	xmrig
behavioral2/files/0x0007000000023543-107.dat	xmrig
behavioral2/files/0x0007000000023545-105.dat	xmrig
behavioral2/files/0x0007000000023544-111.dat	xmrig
behavioral2/memory/1044-98-0x00007FF62BDE0000-0x00007FF62C134000-memory.dmp	xmrig
behavioral2/memory/3592-95-0x00007FF70ED30000-0x00007FF70F084000-memory.dmp	xmrig
behavioral2/memory/4592-84-0x00007FF76E240000-0x00007FF76E594000-memory.dmp	xmrig
behavioral2/files/0x0007000000023541-82.dat	xmrig
behavioral2/memory/4392-146-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	xmrig
behavioral2/files/0x000700000002354d-149.dat	xmrig
behavioral2/files/0x000700000002354e-153.dat	xmrig
behavioral2/files/0x000700000002354f-162.dat	xmrig
behavioral2/files/0x0007000000023550-165.dat	xmrig
behavioral2/memory/2260-152-0x00007FF614360000-0x00007FF6146B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023551-172.dat	xmrig
behavioral2/memory/2460-174-0x00007FF61A940000-0x00007FF61AC94000-memory.dmp	xmrig
behavioral2/memory/3056-169-0x00007FF796150000-0x00007FF7964A4000-memory.dmp	xmrig
behavioral2/memory/2140-168-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp	xmrig
behavioral2/memory/3160-184-0x00007FF68AD40000-0x00007FF68B094000-memory.dmp	xmrig
behavioral2/files/0x0007000000023554-183.dat	xmrig
behavioral2/files/0x0007000000023555-185.dat	xmrig
behavioral2/files/0x0007000000023556-195.dat	xmrig
behavioral2/memory/4580-196-0x00007FF62D970000-0x00007FF62DCC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023553-193.dat	xmrig

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3056	vUtpjsm.exe
3732	IDcCPcU.exe
464	ZnMPqbK.exe
800	PiftHPz.exe
1196	hdJgLVT.exe
4572	QarmDEt.exe
2284	MGSKRsz.exe
4492	OLMetud.exe
4944	JEFOiDe.exe
1544	mHkjhPd.exe
676	ARvfkdu.exe
4592	PRAAdAi.exe
3592	LYfDMXq.exe
664	jHEXrYf.exe
5076	txitkoD.exe
1044	rQEnuqJ.exe
4764	MipfZmE.exe
2640	oJJuKUr.exe
4164	QopUNSG.exe
4904	QLnHQcI.exe
3436	AePkrmL.exe
860	OViIUYD.exe
4316	zKboLkA.exe
4392	hqaLszl.exe
2260	lpxALFe.exe
2460	RZAYppi.exe
3160	fHfQNdz.exe
1760	JFHfNSn.exe
4580	GEOQfEy.exe
4176	MrwWUyp.exe
444	sWOLeRR.exe
3992	lEqULfG.exe
4808	MvTsLOi.exe
436	cUTZHrs.exe
3328	DRdKkfC.exe
4680	OiMDxNN.exe
4996	maawkQl.exe
5112	lLMuUTa.exe
2704	khQrquP.exe
5008	jeqqapU.exe
4828	UyYxsyL.exe
2204	QxdUYHK.exe
5048	QqQUpfh.exe
2744	oWEuZwI.exe
956	ojspHZz.exe
2212	gGnvdQA.exe
5024	parwckj.exe
4540	yWYqXvL.exe
4464	ATfFXVh.exe
2324	OnSYcPu.exe
4120	qQtzBOV.exe
5060	KvBZGrI.exe
4748	rNqrtqp.exe
4988	dixZEuM.exe
4756	nvmeAlG.exe
1880	wdyCPUm.exe
3708	CCTYNdT.exe
3420	boRFnws.exe
1808	wuZeSfD.exe
5136	ICmNDTF.exe
5168	qsxGjJK.exe
5196	BvrDJRs.exe
5224	zOjZtea.exe
5256	TNzoSlq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2140-0-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp	upx
behavioral2/files/0x0009000000023304-5.dat	upx
behavioral2/files/0x0008000000023309-8.dat	upx
behavioral2/files/0x000800000002330c-25.dat	upx
behavioral2/files/0x000800000002330a-28.dat	upx
behavioral2/files/0x000800000002330d-27.dat	upx
behavioral2/files/0x000d000000023397-24.dat	upx
behavioral2/memory/3056-14-0x00007FF796150000-0x00007FF7964A4000-memory.dmp	upx
behavioral2/files/0x000800000002353b-35.dat	upx
behavioral2/files/0x000700000002353e-50.dat	upx
behavioral2/files/0x000700000002353d-52.dat	upx
behavioral2/memory/4492-56-0x00007FF6C2CE0000-0x00007FF6C3034000-memory.dmp	upx
behavioral2/memory/464-60-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp	upx
behavioral2/memory/1544-62-0x00007FF601450000-0x00007FF6017A4000-memory.dmp	upx
behavioral2/memory/2284-61-0x00007FF61F1F0000-0x00007FF61F544000-memory.dmp	upx
behavioral2/memory/4944-57-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp	upx
behavioral2/files/0x000700000002353c-53.dat	upx
behavioral2/memory/4572-51-0x00007FF6D1FB0000-0x00007FF6D2304000-memory.dmp	upx
behavioral2/memory/1196-48-0x00007FF7490D0000-0x00007FF749424000-memory.dmp	upx
behavioral2/memory/800-46-0x00007FF673450000-0x00007FF6737A4000-memory.dmp	upx
behavioral2/memory/3732-30-0x00007FF70AD90000-0x00007FF70B0E4000-memory.dmp	upx
behavioral2/files/0x000700000002353f-65.dat	upx
behavioral2/memory/676-68-0x00007FF7EC880000-0x00007FF7ECBD4000-memory.dmp	upx
behavioral2/files/0x0009000000023305-74.dat	upx
behavioral2/files/0x0007000000023540-77.dat	upx
behavioral2/files/0x0007000000023542-102.dat	upx
behavioral2/files/0x0007000000023548-122.dat	upx
behavioral2/files/0x0007000000023547-126.dat	upx
behavioral2/memory/4764-130-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp	upx
behavioral2/memory/860-136-0x00007FF6EE650000-0x00007FF6EE9A4000-memory.dmp	upx
behavioral2/memory/4316-140-0x00007FF78FBE0000-0x00007FF78FF34000-memory.dmp	upx
behavioral2/memory/4904-139-0x00007FF6F6560000-0x00007FF6F68B4000-memory.dmp	upx
behavioral2/files/0x000700000002354a-137.dat	upx
behavioral2/files/0x000700000002354b-144.dat	upx
behavioral2/files/0x0007000000023549-134.dat	upx
behavioral2/memory/3436-131-0x00007FF67AD80000-0x00007FF67B0D4000-memory.dmp	upx
behavioral2/memory/5076-128-0x00007FF7F2B20000-0x00007FF7F2E74000-memory.dmp	upx
behavioral2/memory/664-125-0x00007FF796ED0000-0x00007FF797224000-memory.dmp	upx
behavioral2/memory/4164-116-0x00007FF678420000-0x00007FF678774000-memory.dmp	upx
behavioral2/files/0x0007000000023546-114.dat	upx
behavioral2/memory/2640-110-0x00007FF627ED0000-0x00007FF628224000-memory.dmp	upx
behavioral2/files/0x0007000000023543-107.dat	upx
behavioral2/files/0x0007000000023545-105.dat	upx
behavioral2/files/0x0007000000023544-111.dat	upx
behavioral2/memory/1044-98-0x00007FF62BDE0000-0x00007FF62C134000-memory.dmp	upx
behavioral2/memory/3592-95-0x00007FF70ED30000-0x00007FF70F084000-memory.dmp	upx
behavioral2/memory/4592-84-0x00007FF76E240000-0x00007FF76E594000-memory.dmp	upx
behavioral2/files/0x0007000000023541-82.dat	upx
behavioral2/memory/4392-146-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	upx
behavioral2/files/0x000700000002354d-149.dat	upx
behavioral2/files/0x000700000002354e-153.dat	upx
behavioral2/files/0x000700000002354f-162.dat	upx
behavioral2/files/0x0007000000023550-165.dat	upx
behavioral2/memory/2260-152-0x00007FF614360000-0x00007FF6146B4000-memory.dmp	upx
behavioral2/files/0x0007000000023551-172.dat	upx
behavioral2/memory/2460-174-0x00007FF61A940000-0x00007FF61AC94000-memory.dmp	upx
behavioral2/memory/3056-169-0x00007FF796150000-0x00007FF7964A4000-memory.dmp	upx
behavioral2/memory/2140-168-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp	upx
behavioral2/memory/3160-184-0x00007FF68AD40000-0x00007FF68B094000-memory.dmp	upx
behavioral2/files/0x0007000000023554-183.dat	upx
behavioral2/files/0x0007000000023555-185.dat	upx
behavioral2/files/0x0007000000023556-195.dat	upx
behavioral2/memory/4580-196-0x00007FF62D970000-0x00007FF62DCC4000-memory.dmp	upx
behavioral2/files/0x0007000000023553-193.dat	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\cUTZHrs.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\KrVYxgy.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\AKUaTBo.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\OXNmdvW.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\UyluiOF.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\MipfZmE.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\nUDMrJo.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\ikQEBpC.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\XZrbluA.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\AUtbbmZ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\IyJeSXT.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\JpzLGNG.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\ukoHyhF.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\iqXAwIz.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\rAxxjeR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\uKHHUSr.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\indFqMH.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\khQrquP.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\CjhlXqy.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\IgFXglJ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\IGUJumi.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\HFSCFCQ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\JUFXWAc.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\KxtEyZP.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\PRAAdAi.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\wpOHTYC.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\cXWzGpm.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\MhRvvdR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\vpkLSdX.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\wJBbfsR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\avuXfly.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\itgJTjD.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\gtEoVBd.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\ySZpMee.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\pbgIrbz.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\NlZLYGT.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\jHEXrYf.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\BrXdOpJ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\DjJRzzj.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\VLgRxQH.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\pVfvMai.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\WcgdfOR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\jbLBQep.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\QYbpqqx.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\FuHfDgH.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\fNTjJSE.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\jgqbGao.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\nwIZooH.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\nNJRqPZ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\WCiENft.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\ZnmvRFA.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\vKhEicS.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\lcOQoIr.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\wrbndTR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\OsQRlNR.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\MrwWUyp.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\dDfkzpI.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\CdZAUrH.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\YSHKTSr.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\Neryurl.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\ZbFJbkl.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\vGXSxEz.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\XxNDGeT.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
File created	C:\Windows\System\BDDRSyQ.exe	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{5BDCCAD0-2339-41AE-B27C-E79CA1BA533D}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{8928CD56-E7D6-41A0-8225-13B503F123BD}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{D8F6CAE4-D005-4D0B-AD83-D32A55ED6319}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{4CE4EEDB-FD0E-474D-9E7A-6D8979F1EBDA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3740	dwm.exe
Token: SeChangeNotifyPrivilege	3740	dwm.exe
Token: 33	3740	dwm.exe
Token: SeIncBasePriorityPrivilege	3740	dwm.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4760	explorer.exe
Token: SeCreatePagefilePrivilege	4760	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	4136	explorer.exe
Token: SeCreatePagefilePrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	8256	explorer.exe
Token: SeCreatePagefilePrivilege	8256	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14580	sihost.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4760	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8256	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe
8848	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5864	StartMenuExperienceHost.exe
3788	StartMenuExperienceHost.exe
3940	SearchApp.exe
8296	StartMenuExperienceHost.exe
5272	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3056	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	93
PID 2140 wrote to memory of 3056	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	93
PID 2140 wrote to memory of 3732	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	94
PID 2140 wrote to memory of 3732	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	94
PID 2140 wrote to memory of 464	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	95
PID 2140 wrote to memory of 464	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	95
PID 2140 wrote to memory of 800	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	96
PID 2140 wrote to memory of 800	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	96
PID 2140 wrote to memory of 4572	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	97
PID 2140 wrote to memory of 4572	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	97
PID 2140 wrote to memory of 1196	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	98
PID 2140 wrote to memory of 1196	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	98
PID 2140 wrote to memory of 2284	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	99
PID 2140 wrote to memory of 2284	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	99
PID 2140 wrote to memory of 4492	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	100
PID 2140 wrote to memory of 4492	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	100
PID 2140 wrote to memory of 4944	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	101
PID 2140 wrote to memory of 4944	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	101
PID 2140 wrote to memory of 1544	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	102
PID 2140 wrote to memory of 1544	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	102
PID 2140 wrote to memory of 676	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	103
PID 2140 wrote to memory of 676	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	103
PID 2140 wrote to memory of 4592	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	104
PID 2140 wrote to memory of 4592	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	104
PID 2140 wrote to memory of 3592	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	105
PID 2140 wrote to memory of 3592	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	105
PID 2140 wrote to memory of 664	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	106
PID 2140 wrote to memory of 664	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	106
PID 2140 wrote to memory of 5076	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	107
PID 2140 wrote to memory of 5076	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	107
PID 2140 wrote to memory of 1044	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	108
PID 2140 wrote to memory of 1044	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	108
PID 2140 wrote to memory of 4764	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	109
PID 2140 wrote to memory of 4764	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	109
PID 2140 wrote to memory of 2640	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	110
PID 2140 wrote to memory of 2640	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	110
PID 2140 wrote to memory of 4164	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	111
PID 2140 wrote to memory of 4164	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	111
PID 2140 wrote to memory of 4904	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	112
PID 2140 wrote to memory of 4904	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	112
PID 2140 wrote to memory of 3436	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	113
PID 2140 wrote to memory of 3436	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	113
PID 2140 wrote to memory of 860	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	115
PID 2140 wrote to memory of 860	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	115
PID 2140 wrote to memory of 4316	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	116
PID 2140 wrote to memory of 4316	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	116
PID 2140 wrote to memory of 4392	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	117
PID 2140 wrote to memory of 4392	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	117
PID 2140 wrote to memory of 2260	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	119
PID 2140 wrote to memory of 2260	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	119
PID 2140 wrote to memory of 2460	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	120
PID 2140 wrote to memory of 2460	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	120
PID 2140 wrote to memory of 3160	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	121
PID 2140 wrote to memory of 3160	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	121
PID 2140 wrote to memory of 1760	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	122
PID 2140 wrote to memory of 1760	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	122
PID 2140 wrote to memory of 4580	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	123
PID 2140 wrote to memory of 4580	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	123
PID 2140 wrote to memory of 4176	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	124
PID 2140 wrote to memory of 4176	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	124
PID 2140 wrote to memory of 444	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	125
PID 2140 wrote to memory of 444	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	125
PID 2140 wrote to memory of 3992	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	126
PID 2140 wrote to memory of 3992	2140	virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_3ec5526153daf29fe95a8fefbd0d2f60.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System\vUtpjsm.exe
  C:\Windows\System\vUtpjsm.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\IDcCPcU.exe
  C:\Windows\System\IDcCPcU.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\ZnMPqbK.exe
  C:\Windows\System\ZnMPqbK.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\PiftHPz.exe
  C:\Windows\System\PiftHPz.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\QarmDEt.exe
  C:\Windows\System\QarmDEt.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\hdJgLVT.exe
  C:\Windows\System\hdJgLVT.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\MGSKRsz.exe
  C:\Windows\System\MGSKRsz.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\OLMetud.exe
  C:\Windows\System\OLMetud.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\JEFOiDe.exe
  C:\Windows\System\JEFOiDe.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\mHkjhPd.exe
  C:\Windows\System\mHkjhPd.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\ARvfkdu.exe
  C:\Windows\System\ARvfkdu.exe
  2⤵
  - Executes dropped EXE
  PID:676
- C:\Windows\System\PRAAdAi.exe
  C:\Windows\System\PRAAdAi.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\LYfDMXq.exe
  C:\Windows\System\LYfDMXq.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\jHEXrYf.exe
  C:\Windows\System\jHEXrYf.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\txitkoD.exe
  C:\Windows\System\txitkoD.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\rQEnuqJ.exe
  C:\Windows\System\rQEnuqJ.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\MipfZmE.exe
  C:\Windows\System\MipfZmE.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\oJJuKUr.exe
  C:\Windows\System\oJJuKUr.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\QopUNSG.exe
  C:\Windows\System\QopUNSG.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\QLnHQcI.exe
  C:\Windows\System\QLnHQcI.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\AePkrmL.exe
  C:\Windows\System\AePkrmL.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\OViIUYD.exe
  C:\Windows\System\OViIUYD.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\zKboLkA.exe
  C:\Windows\System\zKboLkA.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\hqaLszl.exe
  C:\Windows\System\hqaLszl.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\lpxALFe.exe
  C:\Windows\System\lpxALFe.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\RZAYppi.exe
  C:\Windows\System\RZAYppi.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\fHfQNdz.exe
  C:\Windows\System\fHfQNdz.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\JFHfNSn.exe
  C:\Windows\System\JFHfNSn.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\GEOQfEy.exe
  C:\Windows\System\GEOQfEy.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\MrwWUyp.exe
  C:\Windows\System\MrwWUyp.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\sWOLeRR.exe
  C:\Windows\System\sWOLeRR.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\lEqULfG.exe
  C:\Windows\System\lEqULfG.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\MvTsLOi.exe
  C:\Windows\System\MvTsLOi.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\cUTZHrs.exe
  C:\Windows\System\cUTZHrs.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\DRdKkfC.exe
  C:\Windows\System\DRdKkfC.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\OiMDxNN.exe
  C:\Windows\System\OiMDxNN.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\maawkQl.exe
  C:\Windows\System\maawkQl.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\lLMuUTa.exe
  C:\Windows\System\lLMuUTa.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\khQrquP.exe
  C:\Windows\System\khQrquP.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\jeqqapU.exe
  C:\Windows\System\jeqqapU.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\UyYxsyL.exe
  C:\Windows\System\UyYxsyL.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\QxdUYHK.exe
  C:\Windows\System\QxdUYHK.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\QqQUpfh.exe
  C:\Windows\System\QqQUpfh.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\oWEuZwI.exe
  C:\Windows\System\oWEuZwI.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\ojspHZz.exe
  C:\Windows\System\ojspHZz.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System\gGnvdQA.exe
  C:\Windows\System\gGnvdQA.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\parwckj.exe
  C:\Windows\System\parwckj.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\yWYqXvL.exe
  C:\Windows\System\yWYqXvL.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\ATfFXVh.exe
  C:\Windows\System\ATfFXVh.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\OnSYcPu.exe
  C:\Windows\System\OnSYcPu.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\qQtzBOV.exe
  C:\Windows\System\qQtzBOV.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\KvBZGrI.exe
  C:\Windows\System\KvBZGrI.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\rNqrtqp.exe
  C:\Windows\System\rNqrtqp.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\dixZEuM.exe
  C:\Windows\System\dixZEuM.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\nvmeAlG.exe
  C:\Windows\System\nvmeAlG.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\wdyCPUm.exe
  C:\Windows\System\wdyCPUm.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\CCTYNdT.exe
  C:\Windows\System\CCTYNdT.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\boRFnws.exe
  C:\Windows\System\boRFnws.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\wuZeSfD.exe
  C:\Windows\System\wuZeSfD.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\ICmNDTF.exe
  C:\Windows\System\ICmNDTF.exe
  2⤵
  - Executes dropped EXE
  PID:5136
- C:\Windows\System\qsxGjJK.exe
  C:\Windows\System\qsxGjJK.exe
  2⤵
  - Executes dropped EXE
  PID:5168
- C:\Windows\System\BvrDJRs.exe
  C:\Windows\System\BvrDJRs.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System\zOjZtea.exe
  C:\Windows\System\zOjZtea.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Windows\System\TNzoSlq.exe
  C:\Windows\System\TNzoSlq.exe
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Windows\System\JTPuJTt.exe
  C:\Windows\System\JTPuJTt.exe
  2⤵
  PID:5296
- C:\Windows\System\Ssniyfm.exe
  C:\Windows\System\Ssniyfm.exe
  2⤵
  PID:5312
- C:\Windows\System\QqbUGOg.exe
  C:\Windows\System\QqbUGOg.exe
  2⤵
  PID:5340
- C:\Windows\System\ANJwOZG.exe
  C:\Windows\System\ANJwOZG.exe
  2⤵
  PID:5368
- C:\Windows\System\rkXBVJe.exe
  C:\Windows\System\rkXBVJe.exe
  2⤵
  PID:5396
- C:\Windows\System\tLcOUry.exe
  C:\Windows\System\tLcOUry.exe
  2⤵
  PID:5424
- C:\Windows\System\jCPNVRv.exe
  C:\Windows\System\jCPNVRv.exe
  2⤵
  PID:5456
- C:\Windows\System\zBLXJJX.exe
  C:\Windows\System\zBLXJJX.exe
  2⤵
  PID:5488
- C:\Windows\System\jYSVslq.exe
  C:\Windows\System\jYSVslq.exe
  2⤵
  PID:5516
- C:\Windows\System\EnniLPR.exe
  C:\Windows\System\EnniLPR.exe
  2⤵
  PID:5544
- C:\Windows\System\FINJxDd.exe
  C:\Windows\System\FINJxDd.exe
  2⤵
  PID:5572
- C:\Windows\System\jGsDmKN.exe
  C:\Windows\System\jGsDmKN.exe
  2⤵
  PID:5600
- C:\Windows\System\XxNDGeT.exe
  C:\Windows\System\XxNDGeT.exe
  2⤵
  PID:5628
- C:\Windows\System\mUAjKzG.exe
  C:\Windows\System\mUAjKzG.exe
  2⤵
  PID:5656
- C:\Windows\System\qIAxpdB.exe
  C:\Windows\System\qIAxpdB.exe
  2⤵
  PID:5684
- C:\Windows\System\FsdGdYZ.exe
  C:\Windows\System\FsdGdYZ.exe
  2⤵
  PID:5712
- C:\Windows\System\eRtwmJw.exe
  C:\Windows\System\eRtwmJw.exe
  2⤵
  PID:5748
- C:\Windows\System\xaZzLkp.exe
  C:\Windows\System\xaZzLkp.exe
  2⤵
  PID:5776
- C:\Windows\System\QNDMkwp.exe
  C:\Windows\System\QNDMkwp.exe
  2⤵
  PID:5808
- C:\Windows\System\XoSRcXm.exe
  C:\Windows\System\XoSRcXm.exe
  2⤵
  PID:5836
- C:\Windows\System\VvXnVqO.exe
  C:\Windows\System\VvXnVqO.exe
  2⤵
  PID:5872
- C:\Windows\System\mWfjkdL.exe
  C:\Windows\System\mWfjkdL.exe
  2⤵
  PID:5892
- C:\Windows\System\jSkcfpy.exe
  C:\Windows\System\jSkcfpy.exe
  2⤵
  PID:5924
- C:\Windows\System\RXKtxxu.exe
  C:\Windows\System\RXKtxxu.exe
  2⤵
  PID:5948
- C:\Windows\System\lNKVEvD.exe
  C:\Windows\System\lNKVEvD.exe
  2⤵
  PID:5976
- C:\Windows\System\bxVBVqL.exe
  C:\Windows\System\bxVBVqL.exe
  2⤵
  PID:6004
- C:\Windows\System\TjwAFAq.exe
  C:\Windows\System\TjwAFAq.exe
  2⤵
  PID:6032
- C:\Windows\System\zefEGsg.exe
  C:\Windows\System\zefEGsg.exe
  2⤵
  PID:6060
- C:\Windows\System\uRCtqvq.exe
  C:\Windows\System\uRCtqvq.exe
  2⤵
  PID:6100
- C:\Windows\System\RoAbviN.exe
  C:\Windows\System\RoAbviN.exe
  2⤵
  PID:6124
- C:\Windows\System\ZnmvRFA.exe
  C:\Windows\System\ZnmvRFA.exe
  2⤵
  PID:5128
- C:\Windows\System\dDfkzpI.exe
  C:\Windows\System\dDfkzpI.exe
  2⤵
  PID:5184
- C:\Windows\System\JCwjhCB.exe
  C:\Windows\System\JCwjhCB.exe
  2⤵
  PID:5248
- C:\Windows\System\KbnwDtD.exe
  C:\Windows\System\KbnwDtD.exe
  2⤵
  PID:4776
- C:\Windows\System\lOEPQZV.exe
  C:\Windows\System\lOEPQZV.exe
  2⤵
  PID:4000
- C:\Windows\System\xhtZUMs.exe
  C:\Windows\System\xhtZUMs.exe
  2⤵
  PID:5336
- C:\Windows\System\qjPtkFw.exe
  C:\Windows\System\qjPtkFw.exe
  2⤵
  PID:5408
- C:\Windows\System\ANxCpWO.exe
  C:\Windows\System\ANxCpWO.exe
  2⤵
  PID:5476
- C:\Windows\System\NvqqbVJ.exe
  C:\Windows\System\NvqqbVJ.exe
  2⤵
  PID:5540
- C:\Windows\System\LoRnqFa.exe
  C:\Windows\System\LoRnqFa.exe
  2⤵
  PID:5596
- C:\Windows\System\XgKeHjZ.exe
  C:\Windows\System\XgKeHjZ.exe
  2⤵
  PID:5668
- C:\Windows\System\nFHpwHt.exe
  C:\Windows\System\nFHpwHt.exe
  2⤵
  PID:4340
- C:\Windows\System\DQFVhZW.exe
  C:\Windows\System\DQFVhZW.exe
  2⤵
  PID:5800
- C:\Windows\System\peWKsRJ.exe
  C:\Windows\System\peWKsRJ.exe
  2⤵
  PID:5848
- C:\Windows\System\gVeMyex.exe
  C:\Windows\System\gVeMyex.exe
  2⤵
  PID:5912
- C:\Windows\System\kGskyCp.exe
  C:\Windows\System\kGskyCp.exe
  2⤵
  PID:5972
- C:\Windows\System\xtITMaV.exe
  C:\Windows\System\xtITMaV.exe
  2⤵
  PID:6044
- C:\Windows\System\qNrQNeO.exe
  C:\Windows\System\qNrQNeO.exe
  2⤵
  PID:6116
- C:\Windows\System\OuTJIxZ.exe
  C:\Windows\System\OuTJIxZ.exe
  2⤵
  PID:5216
- C:\Windows\System\zOXAZpV.exe
  C:\Windows\System\zOXAZpV.exe
  2⤵
  PID:5284
- C:\Windows\System\tSvnJfC.exe
  C:\Windows\System\tSvnJfC.exe
  2⤵
  PID:5384
- C:\Windows\System\QcuBlca.exe
  C:\Windows\System\QcuBlca.exe
  2⤵
  PID:5468
- C:\Windows\System\pcosCXH.exe
  C:\Windows\System\pcosCXH.exe
  2⤵
  PID:5556
- C:\Windows\System\oTVWfJc.exe
  C:\Windows\System\oTVWfJc.exe
  2⤵
  PID:5696
- C:\Windows\System\IdEnchS.exe
  C:\Windows\System\IdEnchS.exe
  2⤵
  PID:5820
- C:\Windows\System\ggWUYZs.exe
  C:\Windows\System\ggWUYZs.exe
  2⤵
  PID:6016
- C:\Windows\System\edBtALH.exe
  C:\Windows\System\edBtALH.exe
  2⤵
  PID:5180
- C:\Windows\System\iscoulT.exe
  C:\Windows\System\iscoulT.exe
  2⤵
  PID:5624
- C:\Windows\System\GJQARSt.exe
  C:\Windows\System\GJQARSt.exe
  2⤵
  PID:5960
- C:\Windows\System\iqDDZdI.exe
  C:\Windows\System\iqDDZdI.exe
  2⤵
  PID:5452
- C:\Windows\System\duxiAyT.exe
  C:\Windows\System\duxiAyT.exe
  2⤵
  PID:6108
- C:\Windows\System\KuMWGQO.exe
  C:\Windows\System\KuMWGQO.exe
  2⤵
  PID:6152
- C:\Windows\System\TnrQAUZ.exe
  C:\Windows\System\TnrQAUZ.exe
  2⤵
  PID:6200
- C:\Windows\System\gaCqQXE.exe
  C:\Windows\System\gaCqQXE.exe
  2⤵
  PID:6220
- C:\Windows\System\YDPojBZ.exe
  C:\Windows\System\YDPojBZ.exe
  2⤵
  PID:6260
- C:\Windows\System\UMaGDSD.exe
  C:\Windows\System\UMaGDSD.exe
  2⤵
  PID:6288
- C:\Windows\System\FQySWuc.exe
  C:\Windows\System\FQySWuc.exe
  2⤵
  PID:6312
- C:\Windows\System\iEShzlt.exe
  C:\Windows\System\iEShzlt.exe
  2⤵
  PID:6332
- C:\Windows\System\WgTcfnY.exe
  C:\Windows\System\WgTcfnY.exe
  2⤵
  PID:6368
- C:\Windows\System\KRUeVLp.exe
  C:\Windows\System\KRUeVLp.exe
  2⤵
  PID:6388
- C:\Windows\System\gKKWDAS.exe
  C:\Windows\System\gKKWDAS.exe
  2⤵
  PID:6424
- C:\Windows\System\gtmkmXu.exe
  C:\Windows\System\gtmkmXu.exe
  2⤵
  PID:6456
- C:\Windows\System\jgRzotR.exe
  C:\Windows\System\jgRzotR.exe
  2⤵
  PID:6484
- C:\Windows\System\hGPVaTb.exe
  C:\Windows\System\hGPVaTb.exe
  2⤵
  PID:6512
- C:\Windows\System\ZqcPQBK.exe
  C:\Windows\System\ZqcPQBK.exe
  2⤵
  PID:6536
- C:\Windows\System\BPDwGWA.exe
  C:\Windows\System\BPDwGWA.exe
  2⤵
  PID:6564
- C:\Windows\System\zUkhaFu.exe
  C:\Windows\System\zUkhaFu.exe
  2⤵
  PID:6596
- C:\Windows\System\eKTBBNR.exe
  C:\Windows\System\eKTBBNR.exe
  2⤵
  PID:6624
- C:\Windows\System\tikCQZf.exe
  C:\Windows\System\tikCQZf.exe
  2⤵
  PID:6652
- C:\Windows\System\SupiGvL.exe
  C:\Windows\System\SupiGvL.exe
  2⤵
  PID:6680
- C:\Windows\System\KIgbabU.exe
  C:\Windows\System\KIgbabU.exe
  2⤵
  PID:6712
- C:\Windows\System\WCiENft.exe
  C:\Windows\System\WCiENft.exe
  2⤵
  PID:6740
- C:\Windows\System\iINMEuj.exe
  C:\Windows\System\iINMEuj.exe
  2⤵
  PID:6796
- C:\Windows\System\bgDguhw.exe
  C:\Windows\System\bgDguhw.exe
  2⤵
  PID:6812
- C:\Windows\System\RWCOQPb.exe
  C:\Windows\System\RWCOQPb.exe
  2⤵
  PID:6840
- C:\Windows\System\EryfvZs.exe
  C:\Windows\System\EryfvZs.exe
  2⤵
  PID:6868
- C:\Windows\System\RTPCBVT.exe
  C:\Windows\System\RTPCBVT.exe
  2⤵
  PID:6900
- C:\Windows\System\gzibzkh.exe
  C:\Windows\System\gzibzkh.exe
  2⤵
  PID:6932
- C:\Windows\System\WZUwlwB.exe
  C:\Windows\System\WZUwlwB.exe
  2⤵
  PID:6956
- C:\Windows\System\TVbmqDp.exe
  C:\Windows\System\TVbmqDp.exe
  2⤵
  PID:6988
- C:\Windows\System\PyRcSoI.exe
  C:\Windows\System\PyRcSoI.exe
  2⤵
  PID:7016
- C:\Windows\System\NEuGTxR.exe
  C:\Windows\System\NEuGTxR.exe
  2⤵
  PID:7032
- C:\Windows\System\gkJAwHI.exe
  C:\Windows\System\gkJAwHI.exe
  2⤵
  PID:7048
- C:\Windows\System\SSiGaYm.exe
  C:\Windows\System\SSiGaYm.exe
  2⤵
  PID:7064
- C:\Windows\System\wxxhkZH.exe
  C:\Windows\System\wxxhkZH.exe
  2⤵
  PID:7088
- C:\Windows\System\QXHTtbJ.exe
  C:\Windows\System\QXHTtbJ.exe
  2⤵
  PID:7144
- C:\Windows\System\rrHAuaU.exe
  C:\Windows\System\rrHAuaU.exe
  2⤵
  PID:6148
- C:\Windows\System\UMCkwLR.exe
  C:\Windows\System\UMCkwLR.exe
  2⤵
  PID:6212
- C:\Windows\System\nNXcRXi.exe
  C:\Windows\System\nNXcRXi.exe
  2⤵
  PID:6304
- C:\Windows\System\GaUMdxn.exe
  C:\Windows\System\GaUMdxn.exe
  2⤵
  PID:6384
- C:\Windows\System\imBeOcS.exe
  C:\Windows\System\imBeOcS.exe
  2⤵
  PID:6472
- C:\Windows\System\nTtVtbp.exe
  C:\Windows\System\nTtVtbp.exe
  2⤵
  PID:6548
- C:\Windows\System\GqTgTUL.exe
  C:\Windows\System\GqTgTUL.exe
  2⤵
  PID:6608
- C:\Windows\System\raUIXqa.exe
  C:\Windows\System\raUIXqa.exe
  2⤵
  PID:6676
- C:\Windows\System\rHngFTq.exe
  C:\Windows\System\rHngFTq.exe
  2⤵
  PID:6752
- C:\Windows\System\SrMGeQS.exe
  C:\Windows\System\SrMGeQS.exe
  2⤵
  PID:6824
- C:\Windows\System\YqmcyMC.exe
  C:\Windows\System\YqmcyMC.exe
  2⤵
  PID:6916
- C:\Windows\System\vKhEicS.exe
  C:\Windows\System\vKhEicS.exe
  2⤵
  PID:6976
- C:\Windows\System\cuBLWrR.exe
  C:\Windows\System\cuBLWrR.exe
  2⤵
  PID:7044
- C:\Windows\System\Auwmbva.exe
  C:\Windows\System\Auwmbva.exe
  2⤵
  PID:7132
- C:\Windows\System\eoELcLD.exe
  C:\Windows\System\eoELcLD.exe
  2⤵
  PID:6168
- C:\Windows\System\UOxphxk.exe
  C:\Windows\System\UOxphxk.exe
  2⤵
  PID:6352
- C:\Windows\System\cSwzUYR.exe
  C:\Windows\System\cSwzUYR.exe
  2⤵
  PID:6084
- C:\Windows\System\ozbZDDW.exe
  C:\Windows\System\ozbZDDW.exe
  2⤵
  PID:6708
- C:\Windows\System\TLRDJTA.exe
  C:\Windows\System\TLRDJTA.exe
  2⤵
  PID:6880
- C:\Windows\System\LxqLHDN.exe
  C:\Windows\System\LxqLHDN.exe
  2⤵
  PID:7024
- C:\Windows\System\XbKxzwr.exe
  C:\Windows\System\XbKxzwr.exe
  2⤵
  PID:5332
- C:\Windows\System\QYbpqqx.exe
  C:\Windows\System\QYbpqqx.exe
  2⤵
  PID:6584
- C:\Windows\System\TQUysMq.exe
  C:\Windows\System\TQUysMq.exe
  2⤵
  PID:6972
- C:\Windows\System\XliSrWw.exe
  C:\Windows\System\XliSrWw.exe
  2⤵
  PID:6524
- C:\Windows\System\bEkJujW.exe
  C:\Windows\System\bEkJujW.exe
  2⤵
  PID:6444
- C:\Windows\System\BbUbejt.exe
  C:\Windows\System\BbUbejt.exe
  2⤵
  PID:7196
- C:\Windows\System\YzrRMKe.exe
  C:\Windows\System\YzrRMKe.exe
  2⤵
  PID:7224
- C:\Windows\System\RqfSXxb.exe
  C:\Windows\System\RqfSXxb.exe
  2⤵
  PID:7256
- C:\Windows\System\fyMFJgO.exe
  C:\Windows\System\fyMFJgO.exe
  2⤵
  PID:7280
- C:\Windows\System\EewRyGV.exe
  C:\Windows\System\EewRyGV.exe
  2⤵
  PID:7308
- C:\Windows\System\ltJJSsI.exe
  C:\Windows\System\ltJJSsI.exe
  2⤵
  PID:7336
- C:\Windows\System\gCwfAhM.exe
  C:\Windows\System\gCwfAhM.exe
  2⤵
  PID:7364
- C:\Windows\System\tAtwcFA.exe
  C:\Windows\System\tAtwcFA.exe
  2⤵
  PID:7396
- C:\Windows\System\dfOlxGN.exe
  C:\Windows\System\dfOlxGN.exe
  2⤵
  PID:7424
- C:\Windows\System\ekRHkfq.exe
  C:\Windows\System\ekRHkfq.exe
  2⤵
  PID:7448
- C:\Windows\System\JBsHIwt.exe
  C:\Windows\System\JBsHIwt.exe
  2⤵
  PID:7476
- C:\Windows\System\DXXbLaV.exe
  C:\Windows\System\DXXbLaV.exe
  2⤵
  PID:7508
- C:\Windows\System\ckLPYqF.exe
  C:\Windows\System\ckLPYqF.exe
  2⤵
  PID:7540
- C:\Windows\System\OXUIpNe.exe
  C:\Windows\System\OXUIpNe.exe
  2⤵
  PID:7564
- C:\Windows\System\bAldYbP.exe
  C:\Windows\System\bAldYbP.exe
  2⤵
  PID:7592
- C:\Windows\System\LteeEsZ.exe
  C:\Windows\System\LteeEsZ.exe
  2⤵
  PID:7620
- C:\Windows\System\ZDPwSMf.exe
  C:\Windows\System\ZDPwSMf.exe
  2⤵
  PID:7648
- C:\Windows\System\cjbFUch.exe
  C:\Windows\System\cjbFUch.exe
  2⤵
  PID:7680
- C:\Windows\System\vpkLSdX.exe
  C:\Windows\System\vpkLSdX.exe
  2⤵
  PID:7724
- C:\Windows\System\ieesDZa.exe
  C:\Windows\System\ieesDZa.exe
  2⤵
  PID:7752
- C:\Windows\System\DsgwHlg.exe
  C:\Windows\System\DsgwHlg.exe
  2⤵
  PID:7788
- C:\Windows\System\lWumDTF.exe
  C:\Windows\System\lWumDTF.exe
  2⤵
  PID:7812
- C:\Windows\System\GnutszA.exe
  C:\Windows\System\GnutszA.exe
  2⤵
  PID:7852
- C:\Windows\System\TwxPGjF.exe
  C:\Windows\System\TwxPGjF.exe
  2⤵
  PID:7884
- C:\Windows\System\lcOQoIr.exe
  C:\Windows\System\lcOQoIr.exe
  2⤵
  PID:7920
- C:\Windows\System\juvYJxK.exe
  C:\Windows\System\juvYJxK.exe
  2⤵
  PID:7952
- C:\Windows\System\YyiMcpn.exe
  C:\Windows\System\YyiMcpn.exe
  2⤵
  PID:7988
- C:\Windows\System\wjiZIFS.exe
  C:\Windows\System\wjiZIFS.exe
  2⤵
  PID:8024
- C:\Windows\System\qWnclXU.exe
  C:\Windows\System\qWnclXU.exe
  2⤵
  PID:8048
- C:\Windows\System\ckwCubl.exe
  C:\Windows\System\ckwCubl.exe
  2⤵
  PID:8080
- C:\Windows\System\XOKUXXG.exe
  C:\Windows\System\XOKUXXG.exe
  2⤵
  PID:8152
- C:\Windows\System\rvlQsMf.exe
  C:\Windows\System\rvlQsMf.exe
  2⤵
  PID:8188
- C:\Windows\System\XOEvEWC.exe
  C:\Windows\System\XOEvEWC.exe
  2⤵
  PID:7268
- C:\Windows\System\nbKoAgH.exe
  C:\Windows\System\nbKoAgH.exe
  2⤵
  PID:7360
- C:\Windows\System\NeyLCNe.exe
  C:\Windows\System\NeyLCNe.exe
  2⤵
  PID:7416
- C:\Windows\System\CBhYibE.exe
  C:\Windows\System\CBhYibE.exe
  2⤵
  PID:7488
- C:\Windows\System\MoufvVH.exe
  C:\Windows\System\MoufvVH.exe
  2⤵
  PID:7556
- C:\Windows\System\QcOFNiq.exe
  C:\Windows\System\QcOFNiq.exe
  2⤵
  PID:7632
- C:\Windows\System\OrMirmI.exe
  C:\Windows\System\OrMirmI.exe
  2⤵
  PID:7744
- C:\Windows\System\qoMzXTU.exe
  C:\Windows\System\qoMzXTU.exe
  2⤵
  PID:7780
- C:\Windows\System\EkNbeJt.exe
  C:\Windows\System\EkNbeJt.exe
  2⤵
  PID:7868
- C:\Windows\System\jbLBQep.exe
  C:\Windows\System\jbLBQep.exe
  2⤵
  PID:7948
- C:\Windows\System\UaOtmtu.exe
  C:\Windows\System\UaOtmtu.exe
  2⤵
  PID:8008
- C:\Windows\System\pVfvMai.exe
  C:\Windows\System\pVfvMai.exe
  2⤵
  PID:8092
- C:\Windows\System\MWPxVbx.exe
  C:\Windows\System\MWPxVbx.exe
  2⤵
  PID:6784
- C:\Windows\System\wJBbfsR.exe
  C:\Windows\System\wJBbfsR.exe
  2⤵
  PID:7384
- C:\Windows\System\jWfkuct.exe
  C:\Windows\System\jWfkuct.exe
  2⤵
  PID:7548
- C:\Windows\System\kLhYKFo.exe
  C:\Windows\System\kLhYKFo.exe
  2⤵
  PID:7736
- C:\Windows\System\DHueMlZ.exe
  C:\Windows\System\DHueMlZ.exe
  2⤵
  PID:7980
- C:\Windows\System\JRHMobM.exe
  C:\Windows\System\JRHMobM.exe
  2⤵
  PID:7244
- C:\Windows\System\KezYbDX.exe
  C:\Windows\System\KezYbDX.exe
  2⤵
  PID:7720
- C:\Windows\System\yZMtomu.exe
  C:\Windows\System\yZMtomu.exe
  2⤵
  PID:8124
- C:\Windows\System\ySCySXL.exe
  C:\Windows\System\ySCySXL.exe
  2⤵
  PID:8224
- C:\Windows\System\dsNNOPJ.exe
  C:\Windows\System\dsNNOPJ.exe
  2⤵
  PID:8248
- C:\Windows\System\WjcmlRX.exe
  C:\Windows\System\WjcmlRX.exe
  2⤵
  PID:8272
- C:\Windows\System\zyoyTWO.exe
  C:\Windows\System\zyoyTWO.exe
  2⤵
  PID:8308
- C:\Windows\System\HSXRDat.exe
  C:\Windows\System\HSXRDat.exe
  2⤵
  PID:8336
- C:\Windows\System\YaDXPJF.exe
  C:\Windows\System\YaDXPJF.exe
  2⤵
  PID:8364
- C:\Windows\System\XnEzpBH.exe
  C:\Windows\System\XnEzpBH.exe
  2⤵
  PID:8396
- C:\Windows\System\fDsmeiV.exe
  C:\Windows\System\fDsmeiV.exe
  2⤵
  PID:8420
- C:\Windows\System\lHTVAZK.exe
  C:\Windows\System\lHTVAZK.exe
  2⤵
  PID:8452
- C:\Windows\System\avuXfly.exe
  C:\Windows\System\avuXfly.exe
  2⤵
  PID:8480
- C:\Windows\System\wpOHTYC.exe
  C:\Windows\System\wpOHTYC.exe
  2⤵
  PID:8508
- C:\Windows\System\GbeWzKO.exe
  C:\Windows\System\GbeWzKO.exe
  2⤵
  PID:8532
- C:\Windows\System\WcgdfOR.exe
  C:\Windows\System\WcgdfOR.exe
  2⤵
  PID:8564
- C:\Windows\System\wzeHZbE.exe
  C:\Windows\System\wzeHZbE.exe
  2⤵
  PID:8592
- C:\Windows\System\ZOgTAge.exe
  C:\Windows\System\ZOgTAge.exe
  2⤵
  PID:8620
- C:\Windows\System\gNgQsmD.exe
  C:\Windows\System\gNgQsmD.exe
  2⤵
  PID:8648
- C:\Windows\System\jjpDRWM.exe
  C:\Windows\System\jjpDRWM.exe
  2⤵
  PID:8684
- C:\Windows\System\Hkhsvrr.exe
  C:\Windows\System\Hkhsvrr.exe
  2⤵
  PID:8704
- C:\Windows\System\wVjoBkG.exe
  C:\Windows\System\wVjoBkG.exe
  2⤵
  PID:8744
- C:\Windows\System\zCZeAgE.exe
  C:\Windows\System\zCZeAgE.exe
  2⤵
  PID:8768
- C:\Windows\System\VkxcEvS.exe
  C:\Windows\System\VkxcEvS.exe
  2⤵
  PID:8796
- C:\Windows\System\yPMHTpm.exe
  C:\Windows\System\yPMHTpm.exe
  2⤵
  PID:8824
- C:\Windows\System\BuFTUpQ.exe
  C:\Windows\System\BuFTUpQ.exe
  2⤵
  PID:8852
- C:\Windows\System\rkLCVNM.exe
  C:\Windows\System\rkLCVNM.exe
  2⤵
  PID:8880
- C:\Windows\System\YTsKvDx.exe
  C:\Windows\System\YTsKvDx.exe
  2⤵
  PID:8912
- C:\Windows\System\hNzoxlu.exe
  C:\Windows\System\hNzoxlu.exe
  2⤵
  PID:8936
- C:\Windows\System\itgJTjD.exe
  C:\Windows\System\itgJTjD.exe
  2⤵
  PID:8964
- C:\Windows\System\lbqCDmJ.exe
  C:\Windows\System\lbqCDmJ.exe
  2⤵
  PID:8992
- C:\Windows\System\cfCyIua.exe
  C:\Windows\System\cfCyIua.exe
  2⤵
  PID:9020
- C:\Windows\System\TaGCkMC.exe
  C:\Windows\System\TaGCkMC.exe
  2⤵
  PID:9048
- C:\Windows\System\TsvftKK.exe
  C:\Windows\System\TsvftKK.exe
  2⤵
  PID:9080
- C:\Windows\System\EjlytuF.exe
  C:\Windows\System\EjlytuF.exe
  2⤵
  PID:9104
- C:\Windows\System\RDWJsYf.exe
  C:\Windows\System\RDWJsYf.exe
  2⤵
  PID:9120
- C:\Windows\System\SmzjFzb.exe
  C:\Windows\System\SmzjFzb.exe
  2⤵
  PID:9136
- C:\Windows\System\ZGnQbvi.exe
  C:\Windows\System\ZGnQbvi.exe
  2⤵
  PID:9164
- C:\Windows\System\NBrFAJB.exe
  C:\Windows\System\NBrFAJB.exe
  2⤵
  PID:9204
- C:\Windows\System\oNnQIlE.exe
  C:\Windows\System\oNnQIlE.exe
  2⤵
  PID:8060
- C:\Windows\System\orJvHNI.exe
  C:\Windows\System\orJvHNI.exe
  2⤵
  PID:8284
- C:\Windows\System\rkriZQN.exe
  C:\Windows\System\rkriZQN.exe
  2⤵
  PID:8348
- C:\Windows\System\OfOfGkA.exe
  C:\Windows\System\OfOfGkA.exe
  2⤵
  PID:8388
- C:\Windows\System\WkngzgN.exe
  C:\Windows\System\WkngzgN.exe
  2⤵
  PID:8460
- C:\Windows\System\FuHfDgH.exe
  C:\Windows\System\FuHfDgH.exe
  2⤵
  PID:8560
- C:\Windows\System\cjyBTsZ.exe
  C:\Windows\System\cjyBTsZ.exe
  2⤵
  PID:8612
- C:\Windows\System\GJoOfiA.exe
  C:\Windows\System\GJoOfiA.exe
  2⤵
  PID:8668
- C:\Windows\System\uDuXQkt.exe
  C:\Windows\System\uDuXQkt.exe
  2⤵
  PID:8760
- C:\Windows\System\hvDvrBp.exe
  C:\Windows\System\hvDvrBp.exe
  2⤵
  PID:8820
- C:\Windows\System\CdZAUrH.exe
  C:\Windows\System\CdZAUrH.exe
  2⤵
  PID:8868
- C:\Windows\System\PetLBjb.exe
  C:\Windows\System\PetLBjb.exe
  2⤵
  PID:8932
- C:\Windows\System\UTUlwJI.exe
  C:\Windows\System\UTUlwJI.exe
  2⤵
  PID:9016
- C:\Windows\System\VrpyePx.exe
  C:\Windows\System\VrpyePx.exe
  2⤵
  PID:9068
- C:\Windows\System\TVhdSVp.exe
  C:\Windows\System\TVhdSVp.exe
  2⤵
  PID:9132
- C:\Windows\System\CekbGcT.exe
  C:\Windows\System\CekbGcT.exe
  2⤵
  PID:9176
- C:\Windows\System\kXNydhi.exe
  C:\Windows\System\kXNydhi.exe
  2⤵
  PID:8232
- C:\Windows\System\eXaFHOO.exe
  C:\Windows\System\eXaFHOO.exe
  2⤵
  PID:8416
- C:\Windows\System\KrVYxgy.exe
  C:\Windows\System\KrVYxgy.exe
  2⤵
  PID:8604
- C:\Windows\System\SJJPwuT.exe
  C:\Windows\System\SJJPwuT.exe
  2⤵
  PID:8788
- C:\Windows\System\WKnDPJl.exe
  C:\Windows\System\WKnDPJl.exe
  2⤵
  PID:8956
- C:\Windows\System\YleAVsr.exe
  C:\Windows\System\YleAVsr.exe
  2⤵
  PID:9044
- C:\Windows\System\ZpnkiGt.exe
  C:\Windows\System\ZpnkiGt.exe
  2⤵
  PID:9196
- C:\Windows\System\CjhlXqy.exe
  C:\Windows\System\CjhlXqy.exe
  2⤵
  PID:8524
- C:\Windows\System\IukqsjG.exe
  C:\Windows\System\IukqsjG.exe
  2⤵
  PID:8552
- C:\Windows\System\dsUfonN.exe
  C:\Windows\System\dsUfonN.exe
  2⤵
  PID:9112
- C:\Windows\System\CDUxvPw.exe
  C:\Windows\System\CDUxvPw.exe
  2⤵
  PID:8804
- C:\Windows\System\cXWzGpm.exe
  C:\Windows\System\cXWzGpm.exe
  2⤵
  PID:9116
- C:\Windows\System\hLicMVM.exe
  C:\Windows\System\hLicMVM.exe
  2⤵
  PID:9244
- C:\Windows\System\kghNvpD.exe
  C:\Windows\System\kghNvpD.exe
  2⤵
  PID:9272
- C:\Windows\System\niXTLml.exe
  C:\Windows\System\niXTLml.exe
  2⤵
  PID:9300
- C:\Windows\System\oPWiJFf.exe
  C:\Windows\System\oPWiJFf.exe
  2⤵
  PID:9332
- C:\Windows\System\VxUoghX.exe
  C:\Windows\System\VxUoghX.exe
  2⤵
  PID:9360
- C:\Windows\System\MMKSOqD.exe
  C:\Windows\System\MMKSOqD.exe
  2⤵
  PID:9388
- C:\Windows\System\gtEoVBd.exe
  C:\Windows\System\gtEoVBd.exe
  2⤵
  PID:9416
- C:\Windows\System\frKSqdi.exe
  C:\Windows\System\frKSqdi.exe
  2⤵
  PID:9444
- C:\Windows\System\fWCAlju.exe
  C:\Windows\System\fWCAlju.exe
  2⤵
  PID:9472
- C:\Windows\System\PTmRhOK.exe
  C:\Windows\System\PTmRhOK.exe
  2⤵
  PID:9500
- C:\Windows\System\tbqwcee.exe
  C:\Windows\System\tbqwcee.exe
  2⤵
  PID:9528
- C:\Windows\System\VbuxogG.exe
  C:\Windows\System\VbuxogG.exe
  2⤵
  PID:9556
- C:\Windows\System\PoQzlVf.exe
  C:\Windows\System\PoQzlVf.exe
  2⤵
  PID:9584
- C:\Windows\System\UOVsrAp.exe
  C:\Windows\System\UOVsrAp.exe
  2⤵
  PID:9612
- C:\Windows\System\PnUOEph.exe
  C:\Windows\System\PnUOEph.exe
  2⤵
  PID:9640
- C:\Windows\System\dnkXwRn.exe
  C:\Windows\System\dnkXwRn.exe
  2⤵
  PID:9668
- C:\Windows\System\PgYiPRf.exe
  C:\Windows\System\PgYiPRf.exe
  2⤵
  PID:9696
- C:\Windows\System\fwrwzNf.exe
  C:\Windows\System\fwrwzNf.exe
  2⤵
  PID:9724
- C:\Windows\System\zDqNPMW.exe
  C:\Windows\System\zDqNPMW.exe
  2⤵
  PID:9752
- C:\Windows\System\WAIxyaz.exe
  C:\Windows\System\WAIxyaz.exe
  2⤵
  PID:9780
- C:\Windows\System\IgFXglJ.exe
  C:\Windows\System\IgFXglJ.exe
  2⤵
  PID:9808
- C:\Windows\System\BdMjjbo.exe
  C:\Windows\System\BdMjjbo.exe
  2⤵
  PID:9836
- C:\Windows\System\jXjUMRc.exe
  C:\Windows\System\jXjUMRc.exe
  2⤵
  PID:9864
- C:\Windows\System\PIDovhJ.exe
  C:\Windows\System\PIDovhJ.exe
  2⤵
  PID:9892
- C:\Windows\System\wrbndTR.exe
  C:\Windows\System\wrbndTR.exe
  2⤵
  PID:9920
- C:\Windows\System\lXFOFoe.exe
  C:\Windows\System\lXFOFoe.exe
  2⤵
  PID:9948
- C:\Windows\System\wJLtLXN.exe
  C:\Windows\System\wJLtLXN.exe
  2⤵
  PID:9976
- C:\Windows\System\wxDotuU.exe
  C:\Windows\System\wxDotuU.exe
  2⤵
  PID:10004
- C:\Windows\System\rOSLylO.exe
  C:\Windows\System\rOSLylO.exe
  2⤵
  PID:10032
- C:\Windows\System\VEJziVt.exe
  C:\Windows\System\VEJziVt.exe
  2⤵
  PID:10060
- C:\Windows\System\TQgZyGp.exe
  C:\Windows\System\TQgZyGp.exe
  2⤵
  PID:10084
- C:\Windows\System\haYwIji.exe
  C:\Windows\System\haYwIji.exe
  2⤵
  PID:10116
- C:\Windows\System\IzDDgRO.exe
  C:\Windows\System\IzDDgRO.exe
  2⤵
  PID:10144
- C:\Windows\System\wquNyDN.exe
  C:\Windows\System\wquNyDN.exe
  2⤵
  PID:10164
- C:\Windows\System\sMkGzYT.exe
  C:\Windows\System\sMkGzYT.exe
  2⤵
  PID:10196
- C:\Windows\System\IGUJumi.exe
  C:\Windows\System\IGUJumi.exe
  2⤵
  PID:10216
- C:\Windows\System\KxHvCrG.exe
  C:\Windows\System\KxHvCrG.exe
  2⤵
  PID:9240
- C:\Windows\System\AKUaTBo.exe
  C:\Windows\System\AKUaTBo.exe
  2⤵
  PID:9320
- C:\Windows\System\CvSCBSg.exe
  C:\Windows\System\CvSCBSg.exe
  2⤵
  PID:9380
- C:\Windows\System\bCrJwfT.exe
  C:\Windows\System\bCrJwfT.exe
  2⤵
  PID:9436
- C:\Windows\System\CQkxIEq.exe
  C:\Windows\System\CQkxIEq.exe
  2⤵
  PID:9548
- C:\Windows\System\SEACjbl.exe
  C:\Windows\System\SEACjbl.exe
  2⤵
  PID:9652
- C:\Windows\System\dyqepsK.exe
  C:\Windows\System\dyqepsK.exe
  2⤵
  PID:9716
- C:\Windows\System\OXNmdvW.exe
  C:\Windows\System\OXNmdvW.exe
  2⤵
  PID:9776
- C:\Windows\System\smgaZYi.exe
  C:\Windows\System\smgaZYi.exe
  2⤵
  PID:9852
- C:\Windows\System\GJMhffk.exe
  C:\Windows\System\GJMhffk.exe
  2⤵
  PID:9912
- C:\Windows\System\kxNQCLA.exe
  C:\Windows\System\kxNQCLA.exe
  2⤵
  PID:9972
- C:\Windows\System\XYRepBb.exe
  C:\Windows\System\XYRepBb.exe
  2⤵
  PID:10048
- C:\Windows\System\IvNVgnR.exe
  C:\Windows\System\IvNVgnR.exe
  2⤵
  PID:10108
- C:\Windows\System\kDahumU.exe
  C:\Windows\System\kDahumU.exe
  2⤵
  PID:10152
- C:\Windows\System\PiGLzNR.exe
  C:\Windows\System\PiGLzNR.exe
  2⤵
  PID:10236
- C:\Windows\System\kkVdNqz.exe
  C:\Windows\System\kkVdNqz.exe
  2⤵
  PID:9356
- C:\Windows\System\zopgKcC.exe
  C:\Windows\System\zopgKcC.exe
  2⤵
  PID:9544
- C:\Windows\System\ZGpVAfB.exe
  C:\Windows\System\ZGpVAfB.exe
  2⤵
  PID:9708
- C:\Windows\System\KFbAQNt.exe
  C:\Windows\System\KFbAQNt.exe
  2⤵
  PID:9820
- C:\Windows\System\fNTjJSE.exe
  C:\Windows\System\fNTjJSE.exe
  2⤵
  PID:10020
- C:\Windows\System\BTteMTd.exe
  C:\Windows\System\BTteMTd.exe
  2⤵
  PID:10156
- C:\Windows\System\UyluiOF.exe
  C:\Windows\System\UyluiOF.exe
  2⤵
  PID:9412
- C:\Windows\System\OKGnnFs.exe
  C:\Windows\System\OKGnnFs.exe
  2⤵
  PID:9768
- C:\Windows\System\BjsMHJg.exe
  C:\Windows\System\BjsMHJg.exe
  2⤵
  PID:10172
- C:\Windows\System\kommtym.exe
  C:\Windows\System\kommtym.exe
  2⤵
  PID:9960
- C:\Windows\System\AFKtkgv.exe
  C:\Windows\System\AFKtkgv.exe
  2⤵
  PID:9748
- C:\Windows\System\LlCbGbV.exe
  C:\Windows\System\LlCbGbV.exe
  2⤵
  PID:10272
- C:\Windows\System\UnlROEo.exe
  C:\Windows\System\UnlROEo.exe
  2⤵
  PID:10300
- C:\Windows\System\BNoDiJN.exe
  C:\Windows\System\BNoDiJN.exe
  2⤵
  PID:10328
- C:\Windows\System\gdGSoet.exe
  C:\Windows\System\gdGSoet.exe
  2⤵
  PID:10356
- C:\Windows\System\XPCnFbh.exe
  C:\Windows\System\XPCnFbh.exe
  2⤵
  PID:10384
- C:\Windows\System\CBCBDoL.exe
  C:\Windows\System\CBCBDoL.exe
  2⤵
  PID:10412
- C:\Windows\System\vmxAOJq.exe
  C:\Windows\System\vmxAOJq.exe
  2⤵
  PID:10440
- C:\Windows\System\PdUJOtY.exe
  C:\Windows\System\PdUJOtY.exe
  2⤵
  PID:10468
- C:\Windows\System\ykzOMQI.exe
  C:\Windows\System\ykzOMQI.exe
  2⤵
  PID:10496
- C:\Windows\System\qpkuLMg.exe
  C:\Windows\System\qpkuLMg.exe
  2⤵
  PID:10524
- C:\Windows\System\XRSDKwf.exe
  C:\Windows\System\XRSDKwf.exe
  2⤵
  PID:10552
- C:\Windows\System\JYEkHoW.exe
  C:\Windows\System\JYEkHoW.exe
  2⤵
  PID:10580
- C:\Windows\System\qYfcmZg.exe
  C:\Windows\System\qYfcmZg.exe
  2⤵
  PID:10608
- C:\Windows\System\KYodHEa.exe
  C:\Windows\System\KYodHEa.exe
  2⤵
  PID:10636
- C:\Windows\System\CqIkYVX.exe
  C:\Windows\System\CqIkYVX.exe
  2⤵
  PID:10664
- C:\Windows\System\fMhclCU.exe
  C:\Windows\System\fMhclCU.exe
  2⤵
  PID:10692
- C:\Windows\System\tVCuXBg.exe
  C:\Windows\System\tVCuXBg.exe
  2⤵
  PID:10720
- C:\Windows\System\wboGBxA.exe
  C:\Windows\System\wboGBxA.exe
  2⤵
  PID:10748
- C:\Windows\System\IyafVKe.exe
  C:\Windows\System\IyafVKe.exe
  2⤵
  PID:10776
- C:\Windows\System\AYflSpa.exe
  C:\Windows\System\AYflSpa.exe
  2⤵
  PID:10804
- C:\Windows\System\sXtValV.exe
  C:\Windows\System\sXtValV.exe
  2⤵
  PID:10832
- C:\Windows\System\piQaVqL.exe
  C:\Windows\System\piQaVqL.exe
  2⤵
  PID:10860
- C:\Windows\System\HzVhpTS.exe
  C:\Windows\System\HzVhpTS.exe
  2⤵
  PID:10888
- C:\Windows\System\XZrbluA.exe
  C:\Windows\System\XZrbluA.exe
  2⤵
  PID:10916
- C:\Windows\System\lasvysf.exe
  C:\Windows\System\lasvysf.exe
  2⤵
  PID:10944
- C:\Windows\System\JHLtCho.exe
  C:\Windows\System\JHLtCho.exe
  2⤵
  PID:10972
- C:\Windows\System\GIUlSlF.exe
  C:\Windows\System\GIUlSlF.exe
  2⤵
  PID:11000
- C:\Windows\System\ySZpMee.exe
  C:\Windows\System\ySZpMee.exe
  2⤵
  PID:11020
- C:\Windows\System\FQjkkwE.exe
  C:\Windows\System\FQjkkwE.exe
  2⤵
  PID:11044
- C:\Windows\System\nUDMrJo.exe
  C:\Windows\System\nUDMrJo.exe
  2⤵
  PID:11072
- C:\Windows\System\kneZhMh.exe
  C:\Windows\System\kneZhMh.exe
  2⤵
  PID:11100
- C:\Windows\System\ZQNLuaC.exe
  C:\Windows\System\ZQNLuaC.exe
  2⤵
  PID:11140
- C:\Windows\System\NIUQHlU.exe
  C:\Windows\System\NIUQHlU.exe
  2⤵
  PID:11156
- C:\Windows\System\pAnpUZB.exe
  C:\Windows\System\pAnpUZB.exe
  2⤵
  PID:11212
- C:\Windows\System\RrHErNJ.exe
  C:\Windows\System\RrHErNJ.exe
  2⤵
  PID:11240
- C:\Windows\System\TTfJalg.exe
  C:\Windows\System\TTfJalg.exe
  2⤵
  PID:11260
- C:\Windows\System\pdZptaG.exe
  C:\Windows\System\pdZptaG.exe
  2⤵
  PID:10320
- C:\Windows\System\wUPODaj.exe
  C:\Windows\System\wUPODaj.exe
  2⤵
  PID:10396
- C:\Windows\System\bTYuAlH.exe
  C:\Windows\System\bTYuAlH.exe
  2⤵
  PID:10464
- C:\Windows\System\iwGpnqd.exe
  C:\Windows\System\iwGpnqd.exe
  2⤵
  PID:10508
- C:\Windows\System\TyvgkKW.exe
  C:\Windows\System\TyvgkKW.exe
  2⤵
  PID:10596
- C:\Windows\System\IrzjImd.exe
  C:\Windows\System\IrzjImd.exe
  2⤵
  PID:10660
- C:\Windows\System\gYQHraT.exe
  C:\Windows\System\gYQHraT.exe
  2⤵
  PID:10732
- C:\Windows\System\tbHzJdD.exe
  C:\Windows\System\tbHzJdD.exe
  2⤵
  PID:10796
- C:\Windows\System\oBnKguF.exe
  C:\Windows\System\oBnKguF.exe
  2⤵
  PID:10856
- C:\Windows\System\HKYHCWo.exe
  C:\Windows\System\HKYHCWo.exe
  2⤵
  PID:10900
- C:\Windows\System\dgitGEx.exe
  C:\Windows\System\dgitGEx.exe
  2⤵
  PID:10956
- C:\Windows\System\nmuoJpy.exe
  C:\Windows\System\nmuoJpy.exe
  2⤵
  PID:11016
- C:\Windows\System\HhokvzZ.exe
  C:\Windows\System\HhokvzZ.exe
  2⤵
  PID:11088
- C:\Windows\System\qupYjnm.exe
  C:\Windows\System\qupYjnm.exe
  2⤵
  PID:11148
- C:\Windows\System\CTwnrTX.exe
  C:\Windows\System\CTwnrTX.exe
  2⤵
  PID:11220
- C:\Windows\System\rTyZRAs.exe
  C:\Windows\System\rTyZRAs.exe
  2⤵
  PID:11060
- C:\Windows\System\rNzFAuW.exe
  C:\Windows\System\rNzFAuW.exe
  2⤵
  PID:10380
- C:\Windows\System\indFqMH.exe
  C:\Windows\System\indFqMH.exe
  2⤵
  PID:10260
- C:\Windows\System\pEZWwhY.exe
  C:\Windows\System\pEZWwhY.exe
  2⤵
  PID:10760
- C:\Windows\System\CwBZmYq.exe
  C:\Windows\System\CwBZmYq.exe
  2⤵
  PID:10936
- C:\Windows\System\bcbieRt.exe
  C:\Windows\System\bcbieRt.exe
  2⤵
  PID:11064
- C:\Windows\System\cfSHHrO.exe
  C:\Windows\System\cfSHHrO.exe
  2⤵
  PID:11204
- C:\Windows\System\hkxfxaF.exe
  C:\Windows\System\hkxfxaF.exe
  2⤵
  PID:10492
- C:\Windows\System\GzFKTbT.exe
  C:\Windows\System\GzFKTbT.exe
  2⤵
  PID:10844
- C:\Windows\System\bKBrdpZ.exe
  C:\Windows\System\bKBrdpZ.exe
  2⤵
  PID:11176
- C:\Windows\System\SlkUNDm.exe
  C:\Windows\System\SlkUNDm.exe
  2⤵
  PID:10368
- C:\Windows\System\bJERXtL.exe
  C:\Windows\System\bJERXtL.exe
  2⤵
  PID:10984
- C:\Windows\System\jljomRL.exe
  C:\Windows\System\jljomRL.exe
  2⤵
  PID:11280
- C:\Windows\System\xfGQZxv.exe
  C:\Windows\System\xfGQZxv.exe
  2⤵
  PID:11320
- C:\Windows\System\IOsWLEh.exe
  C:\Windows\System\IOsWLEh.exe
  2⤵
  PID:11348
- C:\Windows\System\GAYkHxS.exe
  C:\Windows\System\GAYkHxS.exe
  2⤵
  PID:11380
- C:\Windows\System\WKOBMlk.exe
  C:\Windows\System\WKOBMlk.exe
  2⤵
  PID:11412
- C:\Windows\System\iXtXZZv.exe
  C:\Windows\System\iXtXZZv.exe
  2⤵
  PID:11440
- C:\Windows\System\YfAZfhQ.exe
  C:\Windows\System\YfAZfhQ.exe
  2⤵
  PID:11468
- C:\Windows\System\HFSCFCQ.exe
  C:\Windows\System\HFSCFCQ.exe
  2⤵
  PID:11496
- C:\Windows\System\iobvrkr.exe
  C:\Windows\System\iobvrkr.exe
  2⤵
  PID:11524
- C:\Windows\System\FobXDez.exe
  C:\Windows\System\FobXDez.exe
  2⤵
  PID:11552
- C:\Windows\System\cubdpMN.exe
  C:\Windows\System\cubdpMN.exe
  2⤵
  PID:11580
- C:\Windows\System\fiJldUc.exe
  C:\Windows\System\fiJldUc.exe
  2⤵
  PID:11608
- C:\Windows\System\EeleHWO.exe
  C:\Windows\System\EeleHWO.exe
  2⤵
  PID:11636
- C:\Windows\System\JUXoNVF.exe
  C:\Windows\System\JUXoNVF.exe
  2⤵
  PID:11664
- C:\Windows\System\LCIbOLu.exe
  C:\Windows\System\LCIbOLu.exe
  2⤵
  PID:11692
- C:\Windows\System\dTsJUdh.exe
  C:\Windows\System\dTsJUdh.exe
  2⤵
  PID:11736
- C:\Windows\System\lwkcdsR.exe
  C:\Windows\System\lwkcdsR.exe
  2⤵
  PID:11756
- C:\Windows\System\xMZQdQk.exe
  C:\Windows\System\xMZQdQk.exe
  2⤵
  PID:11784
- C:\Windows\System\LCIMDRk.exe
  C:\Windows\System\LCIMDRk.exe
  2⤵
  PID:11812
- C:\Windows\System\KByFZia.exe
  C:\Windows\System\KByFZia.exe
  2⤵
  PID:11840
- C:\Windows\System\ClKlNMW.exe
  C:\Windows\System\ClKlNMW.exe
  2⤵
  PID:11868
- C:\Windows\System\lyVFuad.exe
  C:\Windows\System\lyVFuad.exe
  2⤵
  PID:11896
- C:\Windows\System\fiTgaxf.exe
  C:\Windows\System\fiTgaxf.exe
  2⤵
  PID:11924
- C:\Windows\System\AUtbbmZ.exe
  C:\Windows\System\AUtbbmZ.exe
  2⤵
  PID:11956
- C:\Windows\System\owLiDpj.exe
  C:\Windows\System\owLiDpj.exe
  2⤵
  PID:11984
- C:\Windows\System\JUvYPpb.exe
  C:\Windows\System\JUvYPpb.exe
  2⤵
  PID:12020
- C:\Windows\System\nIMbXPV.exe
  C:\Windows\System\nIMbXPV.exe
  2⤵
  PID:12068
- C:\Windows\System\oanxKKJ.exe
  C:\Windows\System\oanxKKJ.exe
  2⤵
  PID:12096
- C:\Windows\System\YSHKTSr.exe
  C:\Windows\System\YSHKTSr.exe
  2⤵
  PID:12144
- C:\Windows\System\pdOfPOS.exe
  C:\Windows\System\pdOfPOS.exe
  2⤵
  PID:12164
- C:\Windows\System\AcddXet.exe
  C:\Windows\System\AcddXet.exe
  2⤵
  PID:12192
- C:\Windows\System\Neryurl.exe
  C:\Windows\System\Neryurl.exe
  2⤵
  PID:12220
- C:\Windows\System\djYHurq.exe
  C:\Windows\System\djYHurq.exe
  2⤵
  PID:12248
- C:\Windows\System\kkNFTSc.exe
  C:\Windows\System\kkNFTSc.exe
  2⤵
  PID:12284
- C:\Windows\System\ZoKOyXm.exe
  C:\Windows\System\ZoKOyXm.exe
  2⤵
  PID:11316
- C:\Windows\System\LXgJlww.exe
  C:\Windows\System\LXgJlww.exe
  2⤵
  PID:11428
- C:\Windows\System\fRpbtam.exe
  C:\Windows\System\fRpbtam.exe
  2⤵
  PID:11516
- C:\Windows\System\mxXujUf.exe
  C:\Windows\System\mxXujUf.exe
  2⤵
  PID:11656
- C:\Windows\System\WOBdDNM.exe
  C:\Windows\System\WOBdDNM.exe
  2⤵
  PID:11712
- C:\Windows\System\zItRPgV.exe
  C:\Windows\System\zItRPgV.exe
  2⤵
  PID:11776
- C:\Windows\System\QFxbhIV.exe
  C:\Windows\System\QFxbhIV.exe
  2⤵
  PID:11832
- C:\Windows\System\NujPShV.exe
  C:\Windows\System\NujPShV.exe
  2⤵
  PID:11888
- C:\Windows\System\zvjUUeB.exe
  C:\Windows\System\zvjUUeB.exe
  2⤵
  PID:11952
- C:\Windows\System\jgqbGao.exe
  C:\Windows\System\jgqbGao.exe
  2⤵
  PID:12064
- C:\Windows\System\oTVlbGS.exe
  C:\Windows\System\oTVlbGS.exe
  2⤵
  PID:12156
- C:\Windows\System\rSXybUL.exe
  C:\Windows\System\rSXybUL.exe
  2⤵
  PID:12236
- C:\Windows\System\OSFaqAv.exe
  C:\Windows\System\OSFaqAv.exe
  2⤵
  PID:12268
- C:\Windows\System\ikQEBpC.exe
  C:\Windows\System\ikQEBpC.exe
  2⤵
  PID:11400
- C:\Windows\System\eivqnYq.exe
  C:\Windows\System\eivqnYq.exe
  2⤵
  PID:11460
- C:\Windows\System\XKVDXlz.exe
  C:\Windows\System\XKVDXlz.exe
  2⤵
  PID:11748
- C:\Windows\System\ICNGFZv.exe
  C:\Windows\System\ICNGFZv.exe
  2⤵
  PID:12012
- C:\Windows\System\BUEKdvY.exe
  C:\Windows\System\BUEKdvY.exe
  2⤵
  PID:12260
- C:\Windows\System\TsDnLIv.exe
  C:\Windows\System\TsDnLIv.exe
  2⤵
  PID:11684
- C:\Windows\System\hgdPjnB.exe
  C:\Windows\System\hgdPjnB.exe
  2⤵
  PID:12128
- C:\Windows\System\yquSLkz.exe
  C:\Windows\System\yquSLkz.exe
  2⤵
  PID:11708
- C:\Windows\System\yDtrrut.exe
  C:\Windows\System\yDtrrut.exe
  2⤵
  PID:12296
- C:\Windows\System\bQNgNpa.exe
  C:\Windows\System\bQNgNpa.exe
  2⤵
  PID:12320
- C:\Windows\System\ZbFJbkl.exe
  C:\Windows\System\ZbFJbkl.exe
  2⤵
  PID:12360
- C:\Windows\System\DoMSKYC.exe
  C:\Windows\System\DoMSKYC.exe
  2⤵
  PID:12388
- C:\Windows\System\SebiVBt.exe
  C:\Windows\System\SebiVBt.exe
  2⤵
  PID:12404
- C:\Windows\System\xhMwzSx.exe
  C:\Windows\System\xhMwzSx.exe
  2⤵
  PID:12444
- C:\Windows\System\KZpFoZo.exe
  C:\Windows\System\KZpFoZo.exe
  2⤵
  PID:12460
- C:\Windows\System\bqHrrok.exe
  C:\Windows\System\bqHrrok.exe
  2⤵
  PID:12488
- C:\Windows\System\Rgekalj.exe
  C:\Windows\System\Rgekalj.exe
  2⤵
  PID:12516
- C:\Windows\System\cHRKVHa.exe
  C:\Windows\System\cHRKVHa.exe
  2⤵
  PID:12544
- C:\Windows\System\tWlKrds.exe
  C:\Windows\System\tWlKrds.exe
  2⤵
  PID:12584
- C:\Windows\System\jMgHlhn.exe
  C:\Windows\System\jMgHlhn.exe
  2⤵
  PID:12624
- C:\Windows\System\cvinCDz.exe
  C:\Windows\System\cvinCDz.exe
  2⤵
  PID:12640
- C:\Windows\System\JkgWTDP.exe
  C:\Windows\System\JkgWTDP.exe
  2⤵
  PID:12672
- C:\Windows\System\IyJeSXT.exe
  C:\Windows\System\IyJeSXT.exe
  2⤵
  PID:12704
- C:\Windows\System\MhRvvdR.exe
  C:\Windows\System\MhRvvdR.exe
  2⤵
  PID:12732
- C:\Windows\System\nDjxFfU.exe
  C:\Windows\System\nDjxFfU.exe
  2⤵
  PID:12756
- C:\Windows\System\jWuhtcY.exe
  C:\Windows\System\jWuhtcY.exe
  2⤵
  PID:12780
- C:\Windows\System\qNetRiC.exe
  C:\Windows\System\qNetRiC.exe
  2⤵
  PID:12816
- C:\Windows\System\BJhMZpA.exe
  C:\Windows\System\BJhMZpA.exe
  2⤵
  PID:12840
- C:\Windows\System\JLWgrOS.exe
  C:\Windows\System\JLWgrOS.exe
  2⤵
  PID:12868
- C:\Windows\System\EQbdWiG.exe
  C:\Windows\System\EQbdWiG.exe
  2⤵
  PID:12908
- C:\Windows\System\LGoUaRv.exe
  C:\Windows\System\LGoUaRv.exe
  2⤵
  PID:12936
- C:\Windows\System\GUnXvoi.exe
  C:\Windows\System\GUnXvoi.exe
  2⤵
  PID:12952
- C:\Windows\System\bXkiqSV.exe
  C:\Windows\System\bXkiqSV.exe
  2⤵
  PID:12972
- C:\Windows\System\eXswOso.exe
  C:\Windows\System\eXswOso.exe
  2⤵
  PID:12988
- C:\Windows\System\RPXzTFf.exe
  C:\Windows\System\RPXzTFf.exe
  2⤵
  PID:13052
- C:\Windows\System\ofYKuaK.exe
  C:\Windows\System\ofYKuaK.exe
  2⤵
  PID:13084
- C:\Windows\System\OsQRlNR.exe
  C:\Windows\System\OsQRlNR.exe
  2⤵
  PID:13100
- C:\Windows\System\NOKmCyB.exe
  C:\Windows\System\NOKmCyB.exe
  2⤵
  PID:13128
- C:\Windows\System\pbgIrbz.exe
  C:\Windows\System\pbgIrbz.exe
  2⤵
  PID:13156
- C:\Windows\System\pRgcemX.exe
  C:\Windows\System\pRgcemX.exe
  2⤵
  PID:13184
- C:\Windows\System\JYpAqRz.exe
  C:\Windows\System\JYpAqRz.exe
  2⤵
  PID:13224
- C:\Windows\System\oujtOtY.exe
  C:\Windows\System\oujtOtY.exe
  2⤵
  PID:13248
- C:\Windows\System\RkoqgVL.exe
  C:\Windows\System\RkoqgVL.exe
  2⤵
  PID:13268
- C:\Windows\System\QIsgoIQ.exe
  C:\Windows\System\QIsgoIQ.exe
  2⤵
  PID:13308
- C:\Windows\System\sodCRil.exe
  C:\Windows\System\sodCRil.exe
  2⤵
  PID:12336
- C:\Windows\System\QeXQUoX.exe
  C:\Windows\System\QeXQUoX.exe
  2⤵
  PID:12396
- C:\Windows\System\YFaGjRq.exe
  C:\Windows\System\YFaGjRq.exe
  2⤵
  PID:12456
- C:\Windows\System\OsEAueV.exe
  C:\Windows\System\OsEAueV.exe
  2⤵
  PID:12532
- C:\Windows\System\QJTWofc.exe
  C:\Windows\System\QJTWofc.exe
  2⤵
  PID:12600
- C:\Windows\System\EhgLTej.exe
  C:\Windows\System\EhgLTej.exe
  2⤵
  PID:12660
- C:\Windows\System\UCZEjKE.exe
  C:\Windows\System\UCZEjKE.exe
  2⤵
  PID:12720
- C:\Windows\System\zLdTAyS.exe
  C:\Windows\System\zLdTAyS.exe
  2⤵
  PID:12776
- C:\Windows\System\hpflzFk.exe
  C:\Windows\System\hpflzFk.exe
  2⤵
  PID:12856
- C:\Windows\System\sUeSklB.exe
  C:\Windows\System\sUeSklB.exe
  2⤵
  PID:12920
- C:\Windows\System\qfssnLa.exe
  C:\Windows\System\qfssnLa.exe
  2⤵
  PID:12968
- C:\Windows\System\YdUFued.exe
  C:\Windows\System\YdUFued.exe
  2⤵
  PID:13036
- C:\Windows\System\DnqrIfm.exe
  C:\Windows\System\DnqrIfm.exe
  2⤵
  PID:13112
- C:\Windows\System\KYwxMGg.exe
  C:\Windows\System\KYwxMGg.exe
  2⤵
  PID:13176
- C:\Windows\System\YrAEjvQ.exe
  C:\Windows\System\YrAEjvQ.exe
  2⤵
  PID:13240
- C:\Windows\System\qWANKHa.exe
  C:\Windows\System\qWANKHa.exe
  2⤵
  PID:13304
- C:\Windows\System\ftyNcyF.exe
  C:\Windows\System\ftyNcyF.exe
  2⤵
  PID:12420
- C:\Windows\System\FLAlwRE.exe
  C:\Windows\System\FLAlwRE.exe
  2⤵
  PID:12576
- C:\Windows\System\llgiQaC.exe
  C:\Windows\System\llgiQaC.exe
  2⤵
  PID:12688
- C:\Windows\System\ZOJCtld.exe
  C:\Windows\System\ZOJCtld.exe
  2⤵
  PID:12884
- C:\Windows\System\VcvvhyN.exe
  C:\Windows\System\VcvvhyN.exe
  2⤵
  PID:13004
- C:\Windows\System\xsdDHDx.exe
  C:\Windows\System\xsdDHDx.exe
  2⤵
  PID:13096
- C:\Windows\System\EfQXGdF.exe
  C:\Windows\System\EfQXGdF.exe
  2⤵
  PID:13264
- C:\Windows\System\RVtnZoR.exe
  C:\Windows\System\RVtnZoR.exe
  2⤵
  PID:12632
- C:\Windows\System\JpzLGNG.exe
  C:\Windows\System\JpzLGNG.exe
  2⤵
  PID:13080
- C:\Windows\System\JaHTQLv.exe
  C:\Windows\System\JaHTQLv.exe
  2⤵
  PID:12508
- C:\Windows\System\LIOsPVj.exe
  C:\Windows\System\LIOsPVj.exe
  2⤵
  PID:13168
- C:\Windows\System\vPGNXHX.exe
  C:\Windows\System\vPGNXHX.exe
  2⤵
  PID:12800
- C:\Windows\System\yMZxycv.exe
  C:\Windows\System\yMZxycv.exe
  2⤵
  PID:13324
- C:\Windows\System\LbRDJMg.exe
  C:\Windows\System\LbRDJMg.exe
  2⤵
  PID:13348
- C:\Windows\System\xvdKfhR.exe
  C:\Windows\System\xvdKfhR.exe
  2⤵
  PID:13384
- C:\Windows\System\BDDRSyQ.exe
  C:\Windows\System\BDDRSyQ.exe
  2⤵
  PID:13420
- C:\Windows\System\FQciTSF.exe
  C:\Windows\System\FQciTSF.exe
  2⤵
  PID:13440
- C:\Windows\System\JUFXWAc.exe
  C:\Windows\System\JUFXWAc.exe
  2⤵
  PID:13480
- C:\Windows\System\RSVYQed.exe
  C:\Windows\System\RSVYQed.exe
  2⤵
  PID:13496
- C:\Windows\System\OdIqUMT.exe
  C:\Windows\System\OdIqUMT.exe
  2⤵
  PID:13536
- C:\Windows\System\CSVazaZ.exe
  C:\Windows\System\CSVazaZ.exe
  2⤵
  PID:13552
- C:\Windows\System\lAerxyj.exe
  C:\Windows\System\lAerxyj.exe
  2⤵
  PID:13588
- C:\Windows\System\eKxtPVy.exe
  C:\Windows\System\eKxtPVy.exe
  2⤵
  PID:13612
- C:\Windows\System\FxXPIqv.exe
  C:\Windows\System\FxXPIqv.exe
  2⤵
  PID:13648
- C:\Windows\System\DSDvdUB.exe
  C:\Windows\System\DSDvdUB.exe
  2⤵
  PID:13664
- C:\Windows\System\VPgkJDh.exe
  C:\Windows\System\VPgkJDh.exe
  2⤵
  PID:13692
- C:\Windows\System\SnQaoOd.exe
  C:\Windows\System\SnQaoOd.exe
  2⤵
  PID:13732
- C:\Windows\System\dNvSNcO.exe
  C:\Windows\System\dNvSNcO.exe
  2⤵
  PID:13760
- C:\Windows\System\ukoHyhF.exe
  C:\Windows\System\ukoHyhF.exe
  2⤵
  PID:13788
- C:\Windows\System\QbMLtgj.exe
  C:\Windows\System\QbMLtgj.exe
  2⤵
  PID:13804
- C:\Windows\System\TdCMqJk.exe
  C:\Windows\System\TdCMqJk.exe
  2⤵
  PID:13836
- C:\Windows\System\FLMnxSh.exe
  C:\Windows\System\FLMnxSh.exe
  2⤵
  PID:13872
- C:\Windows\System\zYFcxfr.exe
  C:\Windows\System\zYFcxfr.exe
  2⤵
  PID:13888
- C:\Windows\System\uCUhdRT.exe
  C:\Windows\System\uCUhdRT.exe
  2⤵
  PID:13908
- C:\Windows\System\NTMvPOk.exe
  C:\Windows\System\NTMvPOk.exe
  2⤵
  PID:13956
- C:\Windows\System\iqXAwIz.exe
  C:\Windows\System\iqXAwIz.exe
  2⤵
  PID:13984
- C:\Windows\System\cmZqkwX.exe
  C:\Windows\System\cmZqkwX.exe
  2⤵
  PID:14012
- C:\Windows\System\PdHURnx.exe
  C:\Windows\System\PdHURnx.exe
  2⤵
  PID:14028
- C:\Windows\System\fbAwzJL.exe
  C:\Windows\System\fbAwzJL.exe
  2⤵
  PID:14060
- C:\Windows\System\pHVrfAu.exe
  C:\Windows\System\pHVrfAu.exe
  2⤵
  PID:14116
- C:\Windows\System\CYcDkyJ.exe
  C:\Windows\System\CYcDkyJ.exe
  2⤵
  PID:14132
- C:\Windows\System\FUhEnOF.exe
  C:\Windows\System\FUhEnOF.exe
  2⤵
  PID:14164
- C:\Windows\System\xPfTyOo.exe
  C:\Windows\System\xPfTyOo.exe
  2⤵
  PID:14204
- C:\Windows\System\kOPmeSP.exe
  C:\Windows\System\kOPmeSP.exe
  2⤵
  PID:14240
- C:\Windows\System\wiNRDlC.exe
  C:\Windows\System\wiNRDlC.exe
  2⤵
  PID:14268
- C:\Windows\System\QCzkfua.exe
  C:\Windows\System\QCzkfua.exe
  2⤵
  PID:14284
- C:\Windows\System\DUXOoDL.exe
  C:\Windows\System\DUXOoDL.exe
  2⤵
  PID:14324
- C:\Windows\System\UXJMrnO.exe
  C:\Windows\System\UXJMrnO.exe
  2⤵
  PID:13336
- C:\Windows\System\tikBfsl.exe
  C:\Windows\System\tikBfsl.exe
  2⤵
  PID:13396
- C:\Windows\System\QHRkUGk.exe
  C:\Windows\System\QHRkUGk.exe
  2⤵
  PID:13476
- C:\Windows\System\uIBEsQV.exe
  C:\Windows\System\uIBEsQV.exe
  2⤵
  PID:13532
- C:\Windows\System\KZGZtNZ.exe
  C:\Windows\System\KZGZtNZ.exe
  2⤵
  PID:13608
- C:\Windows\System\vuLjXoJ.exe
  C:\Windows\System\vuLjXoJ.exe
  2⤵
  PID:13660
- C:\Windows\System\KpgKidj.exe
  C:\Windows\System\KpgKidj.exe
  2⤵
  PID:13716
- C:\Windows\System\BLjBtVv.exe
  C:\Windows\System\BLjBtVv.exe
  2⤵
  PID:13796
- C:\Windows\System\NlZLYGT.exe
  C:\Windows\System\NlZLYGT.exe
  2⤵
  PID:13860
- C:\Windows\System\ZjBSDJz.exe
  C:\Windows\System\ZjBSDJz.exe
  2⤵
  PID:13936
- C:\Windows\System\XHGntPE.exe
  C:\Windows\System\XHGntPE.exe
  2⤵
  PID:14008
- C:\Windows\System\NHlIXqb.exe
  C:\Windows\System\NHlIXqb.exe
  2⤵
  PID:14080
- C:\Windows\System\YReIoCy.exe
  C:\Windows\System\YReIoCy.exe
  2⤵
  PID:14148
- C:\Windows\System\dZUhuoZ.exe
  C:\Windows\System\dZUhuoZ.exe
  2⤵
  PID:14188
- C:\Windows\System\myDjwww.exe
  C:\Windows\System\myDjwww.exe
  2⤵
  PID:14264
- C:\Windows\System\QUMiMTT.exe
  C:\Windows\System\QUMiMTT.exe
  2⤵
  PID:13316
- C:\Windows\System\jLsSdRa.exe
  C:\Windows\System\jLsSdRa.exe
  2⤵
  PID:13456
- C:\Windows\System\VLgRxQH.exe
  C:\Windows\System\VLgRxQH.exe
  2⤵
  PID:13576
- C:\Windows\System\vEeqFHn.exe
  C:\Windows\System\vEeqFHn.exe
  2⤵
  PID:13776
- C:\Windows\System\uQhxSqg.exe
  C:\Windows\System\uQhxSqg.exe
  2⤵
  PID:13932
- C:\Windows\System\BTuUkxP.exe
  C:\Windows\System\BTuUkxP.exe
  2⤵
  PID:4892
- C:\Windows\System\wFRlbUT.exe
  C:\Windows\System\wFRlbUT.exe
  2⤵
  PID:14176
- C:\Windows\System\jxTFAPZ.exe
  C:\Windows\System\jxTFAPZ.exe
  2⤵
  PID:14316
- C:\Windows\System\jJuRUhe.exe
  C:\Windows\System\jJuRUhe.exe
  2⤵
  PID:13640
- C:\Windows\System\pGqdyAa.exe
  C:\Windows\System\pGqdyAa.exe
  2⤵
  PID:3468
- C:\Windows\System\ewwNWxz.exe
  C:\Windows\System\ewwNWxz.exe
  2⤵
  PID:14300
- C:\Windows\System\AwslUwb.exe
  C:\Windows\System\AwslUwb.exe
  2⤵
  PID:4816
- C:\Windows\System\nwIZooH.exe
  C:\Windows\System\nwIZooH.exe
  2⤵
  PID:14128
- C:\Windows\System\ZrsGuwb.exe
  C:\Windows\System\ZrsGuwb.exe
  2⤵
  PID:14364
- C:\Windows\System\NkZVcGz.exe
  C:\Windows\System\NkZVcGz.exe
  2⤵
  PID:14392
- C:\Windows\System\isxhKLn.exe
  C:\Windows\System\isxhKLn.exe
  2⤵
  PID:14428
- C:\Windows\System\BrXdOpJ.exe
  C:\Windows\System\BrXdOpJ.exe
  2⤵
  PID:14456
- C:\Windows\System\vhqTbNZ.exe
  C:\Windows\System\vhqTbNZ.exe
  2⤵
  PID:14484
- C:\Windows\System\cHWkpey.exe
  C:\Windows\System\cHWkpey.exe
  2⤵
  PID:14512
- C:\Windows\System\evdoExS.exe
  C:\Windows\System\evdoExS.exe
  2⤵
  PID:14540
- C:\Windows\System\XyICJjM.exe
  C:\Windows\System\XyICJjM.exe
  2⤵
  PID:14568
- C:\Windows\System\yQbgoCZ.exe
  C:\Windows\System\yQbgoCZ.exe
  2⤵
  PID:14584
- C:\Windows\System\rmjkcbh.exe
  C:\Windows\System\rmjkcbh.exe
  2⤵
  PID:14616
- C:\Windows\System\oXsIatx.exe
  C:\Windows\System\oXsIatx.exe
  2⤵
  PID:14632
- C:\Windows\System\jSgufDU.exe
  C:\Windows\System\jSgufDU.exe
  2⤵
  PID:14652
- C:\Windows\System\OMPjQMW.exe
  C:\Windows\System\OMPjQMW.exe
  2⤵
  PID:14716
- C:\Windows\System\DjJRzzj.exe
  C:\Windows\System\DjJRzzj.exe
  2⤵
  PID:14744
- C:\Windows\System\OrPsyXQ.exe
  C:\Windows\System\OrPsyXQ.exe
  2⤵
  PID:14772
- C:\Windows\System\GrUEIWt.exe
  C:\Windows\System\GrUEIWt.exe
  2⤵
  PID:14800
- C:\Windows\System\PZoHPBf.exe
  C:\Windows\System\PZoHPBf.exe
  2⤵
  PID:14824
- C:\Windows\System\UTphELl.exe
  C:\Windows\System\UTphELl.exe
  2⤵
  PID:14864
- C:\Windows\System\MeccBKd.exe
  C:\Windows\System\MeccBKd.exe
  2⤵
  PID:14892
- C:\Windows\System\WTRpqWc.exe
  C:\Windows\System\WTRpqWc.exe
  2⤵
  PID:14920
- C:\Windows\System\csylHgY.exe
  C:\Windows\System\csylHgY.exe
  2⤵
  PID:14948
- C:\Windows\System\biKfyWM.exe
  C:\Windows\System\biKfyWM.exe
  2⤵
  PID:14976
- C:\Windows\System\IxjATmY.exe
  C:\Windows\System\IxjATmY.exe
  2⤵
  PID:15004
- C:\Windows\System\JvVmuYL.exe
  C:\Windows\System\JvVmuYL.exe
  2⤵
  PID:15028
- C:\Windows\System\zOangvf.exe
  C:\Windows\System\zOangvf.exe
  2⤵
  PID:15056
- C:\Windows\System\gLNCgzo.exe
  C:\Windows\System\gLNCgzo.exe
  2⤵
  PID:15088
- C:\Windows\System\GJfjMco.exe
  C:\Windows\System\GJfjMco.exe
  2⤵
  PID:15116
- C:\Windows\System\OXSKnYz.exe
  C:\Windows\System\OXSKnYz.exe
  2⤵
  PID:15144
- C:\Windows\System\ZWxIcuQ.exe
  C:\Windows\System\ZWxIcuQ.exe
  2⤵
  PID:15172
- C:\Windows\System\IEeWSKZ.exe
  C:\Windows\System\IEeWSKZ.exe
  2⤵
  PID:15200
- C:\Windows\System\KKugTdx.exe
  C:\Windows\System\KKugTdx.exe
  2⤵
  PID:15228
- C:\Windows\System\vGXSxEz.exe
  C:\Windows\System\vGXSxEz.exe
  2⤵
  PID:15256
- C:\Windows\System\RXUJgVX.exe
  C:\Windows\System\RXUJgVX.exe
  2⤵
  PID:15284
- C:\Windows\System\XIZGYGA.exe
  C:\Windows\System\XIZGYGA.exe
  2⤵
  PID:15316
- C:\Windows\System\uFTeZXH.exe
  C:\Windows\System\uFTeZXH.exe
  2⤵
  PID:15344
- C:\Windows\System\KxtEyZP.exe
  C:\Windows\System\KxtEyZP.exe
  2⤵
  PID:14356
- C:\Windows\System\rAxxjeR.exe
  C:\Windows\System\rAxxjeR.exe
  2⤵
  PID:14424
- C:\Windows\System\bqumJRO.exe
  C:\Windows\System\bqumJRO.exe
  2⤵
  PID:14480
- C:\Windows\System\SshugmY.exe
  C:\Windows\System\SshugmY.exe
  2⤵
  PID:14552
- C:\Windows\System\fZtyBcd.exe
  C:\Windows\System\fZtyBcd.exe
  2⤵
  PID:14604
- C:\Windows\System\mimHnam.exe
  C:\Windows\System\mimHnam.exe
  2⤵
  PID:14644
- C:\Windows\System\haAGfOU.exe
  C:\Windows\System\haAGfOU.exe
  2⤵
  PID:14728
- C:\Windows\System\HArVJoV.exe
  C:\Windows\System\HArVJoV.exe
  2⤵
  PID:6320
- C:\Windows\System\AqCDyuD.exe
  C:\Windows\System\AqCDyuD.exe
  2⤵
  PID:14756
- C:\Windows\System\xtUfZCD.exe
  C:\Windows\System\xtUfZCD.exe
  2⤵
  PID:14792
- C:\Windows\System\KlkEPYv.exe
  C:\Windows\System\KlkEPYv.exe
  2⤵
  PID:14840
- C:\Windows\System\CzDiqDL.exe
  C:\Windows\System\CzDiqDL.exe
  2⤵
  PID:14888
- C:\Windows\System\vfTtxuu.exe
  C:\Windows\System\vfTtxuu.exe
  2⤵
  PID:14960
- C:\Windows\System\EVxbOIL.exe
  C:\Windows\System\EVxbOIL.exe
  2⤵
  PID:15024
- C:\Windows\System\nipmBsm.exe
  C:\Windows\System\nipmBsm.exe
  2⤵
  PID:15080
- C:\Windows\System\ZnqwtcO.exe
  C:\Windows\System\ZnqwtcO.exe
  2⤵
  PID:15140
- C:\Windows\System\NaGiDuu.exe
  C:\Windows\System\NaGiDuu.exe
  2⤵
  PID:15212
- C:\Windows\System\ETJalng.exe
  C:\Windows\System\ETJalng.exe
  2⤵
  PID:15272
- C:\Windows\System\TWAmShs.exe
  C:\Windows\System\TWAmShs.exe
  2⤵
  PID:15340
- C:\Windows\System\GeOBssh.exe
  C:\Windows\System\GeOBssh.exe
  2⤵
  PID:14444
- C:\Windows\System\uhukGCQ.exe
  C:\Windows\System\uhukGCQ.exe
  2⤵
  PID:14600
- C:\Windows\System\PhWUFam.exe
  C:\Windows\System\PhWUFam.exe
  2⤵
  PID:7704
- C:\Windows\System\OxArlPe.exe
  C:\Windows\System\OxArlPe.exe
  2⤵
  PID:14768
- C:\Windows\System\sBJBCID.exe
  C:\Windows\System\sBJBCID.exe
  2⤵
  PID:14880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3920,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:8
1⤵
PID:3656

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:14580
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:8256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5272

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10120

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9492

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14176

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12232

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13676

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6524

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3732

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8092

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11212

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OE9DJ3LK\microsoft.windows[1].xml

Filesize
96B

MD5
0f6abe1ee9fa77b6b269e1a5401bbaf1

SHA1
e0805afe225412725e7c5e902fd5d7cfbfc30437

SHA256
6133a01b57b98ac5362bc51c436b99e58ba44d9b0e7db95b43dfb7d02423e056

SHA512
2a810ccad4f37df09425138c474d947223fe7206e045b117991ed6210101615b0e503eeb6c7454ae98b2aff0e52dcbbf4d041f728d0c7d7cf00c1f4c430cce25

Download Submit
C:\Windows\System\ARvfkdu.exe

Filesize
2.4MB

MD5
7b8ae8d4c8587b03d02ae2759bb042d5

SHA1
12da747cea2bc70e377f27e78919985725d9eeff

SHA256
af9fb2b5475b93f446501ffa58a86b815b801c3af7f9284a5857ff28c7bb41f4

SHA512
0087f92a299602317482d94db211f9b53200cb2475dcd519578a91d1abcabf9d94392d91679a462f1cb49c90b26b3685126f9d021791257d7265dc51fe6347fd

Download Submit
C:\Windows\System\AePkrmL.exe

Filesize
2.5MB

MD5
4da6adf35afe0d0bfa6e6d18f61be040

SHA1
9eccab45a6eabfb4ae05152bc734af07fb2afa4e

SHA256
6569716d6f57295c8b76468c1dfa7c222ec37911280eaffabe2aab5f7f267266

SHA512
fc145fcbb18256a456c590270aa14c29fb5dfa32e2d075a528b52e4cafc083d1cd1bccccdae773719e0701d8023a5c5cc461cc4e91114939037a08da77fabe8c

Download Submit
C:\Windows\System\GEOQfEy.exe

Filesize
2.5MB

MD5
a37fdd227db0ee068641e7c8cb445528

SHA1
44b455b41aeea3b788207467c7fcec929c136b64

SHA256
45dfc7769e5a893550e4c6d61f1f0afad2e6b10253520320d7405d865a0ab562

SHA512
3f22e22cb47b778da38a733243a4c99e4ce2cac6fa47cd8032d9b80acb23c24fdff363d84d754d0553c94d3c8785cf2707faec3a2a518d4f47e715dbfb18ff36

Download Submit
C:\Windows\System\IDcCPcU.exe

Filesize
2.4MB

MD5
38c2cd7f64cae432a92c03c96c816703

SHA1
23dd4e5861b1abeedb0ec711d50513b5673321fd

SHA256
063b7349d77c5a5278f2836a4903aa0faa59ade222b11d01bda274e263bdae8a

SHA512
ca1c80cd3321d6a9495a06a9d84cffadef357fc727eb2bb95d0aee5cadeb5f4780e02dd9bc5a6b204069b67cbc683f6db35c20477e642acccc1f0fa386e9ac12

Download Submit
C:\Windows\System\JEFOiDe.exe

Filesize
2.4MB

MD5
99ce2da85cd9f9e8952af1dc38f9503a

SHA1
c353ef1bd342b3dcd69636e3da385c3e24ea4f45

SHA256
7175238f0ba574bf4f13885c52ad6562e38ce0c612d2ddcabc92533951794c0a

SHA512
275c3cf6368903039206ab79b60fec145cad3557c0e76cb25719ab11d2ea1039b6d8a6dcf2869c212bcbfa831a0954258a21d79204a87168835ff8b13adc4045

Download Submit
C:\Windows\System\JFHfNSn.exe

Filesize
2.5MB

MD5
ac9e1555db04718df062da281c7a2e4d

SHA1
0e779b698d804ea09314b627e336ea2b83ebeeba

SHA256
2f5583823378ef338a8c43cc59fdef6ce996e201a9ab26939a18a14c92b21e94

SHA512
dc7b9e0f41778cb0faabdba54ea9927ba2d8a855238a057c02d147236be6b5120c554fe8e76a96c8f921e9dbca760b24b63078d120a53cb18eaad8d565e6e61e

Download Submit
C:\Windows\System\LYfDMXq.exe

Filesize
2.4MB

MD5
58fe7bc4da53707fc26ef9cbc2c8342b

SHA1
77c64a92f4443888ac0b4cbc88db22016294ac93

SHA256
885108a26b438204c9b3a8d6ac355b28b089a1fd091525e7f95c2d316ddf2e9f

SHA512
93b7104bbc004b1839bc39a102ee7fca94764e7cd1d87f8b9ea1b72a812f7cc1fe73090d63f9fb2d4f5ccb71af764cd3f3d0fe17ba774028bb41de0445e81b8d

Download Submit
C:\Windows\System\MGSKRsz.exe

Filesize
2.4MB

MD5
30d5a1e487c481afbbc9e459529226d7

SHA1
b538ff596b54fbb15efd7e43b137955d14e18dbb

SHA256
0f194eb2891bdd31232ee3704b0c4f0a0542b6fdccef3a281a40bd6e697c5580

SHA512
0c89fdc1700c30b0eea8e10148f0cde33c3dff9ca56025c4897bfdb0a79c1b1489db8dba6b9cac5c619dae0f36262d639a0f91c657e294586335d022dfb7d98c

Download Submit
C:\Windows\System\MipfZmE.exe

Filesize
2.4MB

MD5
b899d2f95d8d12d38c44aa3807569560

SHA1
0b98aaca475efd5a0ee59cff321c7a26330dacc7

SHA256
2fac222366f621c1b164ee96a9ada2fc84c2fbc138e7d2f93acc0218e5342eff

SHA512
115412992225dbaeea38827898eda2fe1a242d620ce3d0655aa00ae5b9d3e7e7b9e1c2a93eb5cb95ed2578ab5436108323d604bb1ba83e9b1d0fe2d0fe80036e

Download Submit
C:\Windows\System\MrwWUyp.exe

Filesize
2.5MB

MD5
5026b9468ce3f4bafe8e0bec6209d6df

SHA1
bf239437be9335df97a7a68db69edd94d5d36bd4

SHA256
aded95501db01dfcaeb293ae6080383599841063450dd7fcd1683cb5f7ce2dcc

SHA512
739438880ff00d2e79abf7450d81e2cfea1027e0d274f8bb075dfc2419249329e98e41876ae802be945eb8e6766795877c2c058f8124b91169728148164b26a7

Download Submit
C:\Windows\System\MvTsLOi.exe

Filesize
2.5MB

MD5
7d716621dfb78c7d55658cb57ebe059d

SHA1
b90567646998e85fce232536c3e0f6a630f570e4

SHA256
1440eb58c3959feae1a4414f649290795a5442eaeb02ea794a056ba529ed819d

SHA512
d03149f79c79a69c5c84fc64ad35f7b6d37e513eed8e4cf8fb18ea2c115c26077c32aabcee968897baae193469b34e92eef98a097da2c9b2342a6bb8738ec60f

Download Submit
C:\Windows\System\OLMetud.exe

Filesize
2.4MB

MD5
1d9b3855b9e72433b9cd69c85b20cbfc

SHA1
581e4701797bf9a43d4816ddccae004bd5cd4f3b

SHA256
67cfe2d9aa9cf83728a96db58aca1287b48cd834f3e67c5b7d49945da13c7187

SHA512
4930e27b25a3d151431b46b876577a1ee847a320ab2d439d6a256c8e45ae209fab534d57259db444e42b7c8b3aec9428e1b4d7e9e301b0a3f0efa5bae1a4038e

Download Submit
C:\Windows\System\OViIUYD.exe

Filesize
2.5MB

MD5
99ec6033190febd06c85de5a4ec28560

SHA1
09ac12e7000e87c86bd825ee5d0ac00ce3b9b90c

SHA256
87260c85d7242abe4aa9920466471843d0057b081b830f68d733d8838b4ef333

SHA512
de49adff0633a0632febacc2739bb7359fa2ac8de8cab7ca424b22d24b25d0403601d005977fb4074924bd498f94183eafe64e10dcfd7399a40616a6bb168b35

Download Submit
C:\Windows\System\PRAAdAi.exe

Filesize
2.4MB

MD5
c170783d5d1a500c58b1fdcb21c5f2ac

SHA1
3553e64b9d12acc50c93ea4a07bec5b89837c992

SHA256
545b0c9ddee448219e8152f673b56c76a0bf6e0da9e27589eed1cb57c77011b5

SHA512
cc30b3a5aa09b2cecfeadc04a97b3d5df1bc483b105300c61e07f032085389ffa1ea016c852b5f2e02b0d8f54f986fd3d557491fa1bf61928910b4730ed283a1

Download Submit
C:\Windows\System\PiftHPz.exe

Filesize
2.4MB

MD5
3ec3e354c96ff18efe2236de679b6f24

SHA1
0e30eb7d5ef8c84fdb3d14d6ffc37637494539c4

SHA256
667d5291c0d67d782f126ce4690598088ffbc77350b4ebb74e978ddb9ba4f241

SHA512
2a68d846f998cf3a4a06bdd0091cb9cb4ef72890c64bdfbf6a4916a6474ca8b8582ddb473221fc244a316beae9ed9c7494e3d00f7e10726efcdbd60a41235830

Download Submit
C:\Windows\System\QLnHQcI.exe

Filesize
2.4MB

MD5
b1d33bce08a5fa45ea590f8bb1ceaa85

SHA1
356645cbc4c066e6427da820f22f6c00102a50bd

SHA256
cce84123aba04c60da7a5a399efe4b76331e03766f524cb55d1939646b1905cf

SHA512
da1f76c0e1a857e8b17e550da6725a49456e4d47c3c9be2a7ab685e5d457cf7b5795fd727e04f05552e64af0a64ed909d80db30324652e46d6c015430c3ca6e1

Download Submit
C:\Windows\System\QarmDEt.exe

Filesize
2.4MB

MD5
8dfcd6a2fada360105ed916e77ecdee4

SHA1
966dacc2939ba8a67dcf62ac3dedd71f73e7d91e

SHA256
61f9d5b5387320732a6c041d4de97ebec27d6745729f28c154504fddbbabbe6b

SHA512
599270f71b9138afe6a01285e91f9b93dca3a9970f56b30cc0893bc1545c754aeb79fa07869cc952804b2bba2337dab7e3150b03d333f6c604b4a3aa2846d4a1

Download Submit
C:\Windows\System\QopUNSG.exe

Filesize
2.4MB

MD5
5437c2fc03e47c1459486513ccab80a3

SHA1
5cb526fc8261ba2ee78089275b50ddac2bfe3c89

SHA256
2d41532c04ad0d0d6ef0885c8b61811edff7512749abe428421587d405b0a763

SHA512
5bab065a972e022ec52cdc096bdd0bc50b8bb18ae3f2638493be4165ec582e1457970a449b6db5f9391bfff6b13b31dcf0878a11a96039a266ce0b669a0c3216

Download Submit
C:\Windows\System\RZAYppi.exe

Filesize
2.5MB

MD5
e4a6211545d0b2d40765fe61546aa64d

SHA1
171b3b42dbe19a98e06bfe71aa8ca9eda0b035b1

SHA256
40465251c33ade9698bcc153a241592b981ed14311a0343d17252b7d35dd8da8

SHA512
942d6898ce96c49b007d29c4b18f51506c1decc92b9992015dd9e0d7d1040132b6470f2d813a3623750e2bc92cf98e715057363c300705100dc33dd3a4f5decf

Download Submit
C:\Windows\System\ZnMPqbK.exe

Filesize
2.4MB

MD5
682ef3a3ed1bff406b2fe41719a3cdee

SHA1
8debed7a224c7fc498bf17670d985cdae019fad0

SHA256
c154d289686f827d2089f05ed8cc1c7cf7bd7a110930fc0890ecb18a7d7c74d0

SHA512
879c3e906b67e9148ea563ad5a7148b8ac6427132f1986da9635a59b466ff0f1c1bbb403d6025030413ba14e910d3804a73bd7152fb61f9872221c9557921ca9

Download Submit
C:\Windows\System\fHfQNdz.exe

Filesize
2.5MB

MD5
8094bdf98d9333e6eeee6b486cbec2d4

SHA1
df16d590b1bcfa2b0c2b936b0ffa930fc5ab087d

SHA256
a0e65bcd9908fee39c0a58d29052f93717500f7c331183a5432f4c907417c4cf

SHA512
c1393a2f51857347b159162fa0435e5bc10192a552bea37eb93b36867c7b56ffb7d1d761949357b96ffd9b3e532ec8f9d4903b43e152a1d0b569d6b0b8d27391

Download Submit
C:\Windows\System\hdJgLVT.exe

Filesize
2.4MB

MD5
1dc13b9a42e15380ac4376a16cfddc79

SHA1
e2261157f33d16fb819142a987372b62cb3e229e

SHA256
8b9bd7d9ffd6506f0bec941d95d12eee4193a49294bb426f0a78b6301af713d2

SHA512
82843ae716dbd5b441c606df0a6d17419bbef1e06b1a8b25c97bf554ada5e5203c61d11ba1cf6c8a94636742bb3a5177cd6ced056155b9645349094c3e287718

Download Submit
C:\Windows\System\hqaLszl.exe

Filesize
2.5MB

MD5
83ebbadfb4e6d6b1e18d79c61d728a3a

SHA1
08dc03b2c6d107798cdff9b0b278f89c588fe818

SHA256
2baf8ad964c49bc98ae1c528ebde5940557ffb6b56fe123dc77b53a68892c895

SHA512
3048307e42edb9239905e3bf5b341297c9ef251e2fd5bff0850797ef3e417eba70fa22667e746e9ee2ece31ffa8b70b07f3abc65e157c2db8af4fde5b2321620

Download Submit
C:\Windows\System\jHEXrYf.exe

Filesize
2.4MB

MD5
cc36c12dbc89bd6b27c5496798fb1405

SHA1
e9c99829ba3c5a41e35d7de82fe187674e6d6c50

SHA256
111ddb136b13a80b98f1352042829eddae9c5f808c70618d5186232f36bcff3a

SHA512
df2fba525df125af4bb1cb32e0e3d3db7b612e7e3af04d87741e62a535bff7d4b8031ec5a968b01aa5de0a8458dff0668a2bb6fa3377cdf8e884656312f38e1e

Download Submit
C:\Windows\System\lEqULfG.exe

Filesize
2.5MB

MD5
90dca081479e02b5dbfa0202d0ecb08f

SHA1
026837534b08824593bc6695fd31876de3a8dc6f

SHA256
6e661ad40b13029e96bbd601bfcbef0fe61d2b9eddc79d21c4d50aa01fb02537

SHA512
95596a822c7b8fb45dc9070f7824f565709bbe5f94ea9af7dfd57dc191ba4229d4f6678ce61a122d038665e4bbadfdad0dcd343c281074ac34a91a269aabe2ec

Download Submit
C:\Windows\System\lpxALFe.exe

Filesize
2.5MB

MD5
af323a535d403bf6f362cbddb82b0882

SHA1
a99f9b74cc3a19729a698c6c97ae83989ff4ad44

SHA256
b5bf8076660853db00274d4ccb2f0977d0af356d2f75414f4da0dc05471072e4

SHA512
aaa35ef031ec1184736f1ba24dbd8a78b7cb00b478eb396bf6d85c59e7ef77e2bc2703638c2fad002f4f28ff658d44505bed55ee23311654f05e4144dd5de644

Download Submit
C:\Windows\System\mHkjhPd.exe

Filesize
2.4MB

MD5
3b847a97777321d2268bb0599040686b

SHA1
fd40119115a085e3efc016659e2bc25c367038cc

SHA256
20993df844dbd214c0a55f07fdfb7f7cc7da3b67f4ae18b77ff25d9f6d396688

SHA512
ef1aec8bad9ce2869488f8a3503ab21d3a06974575633b91539ee489d7dd39cd43123b4a4c95df5caea9649fa9ec7c46a12d38add0ed2b812ce7eba758d36f7b

Download Submit
C:\Windows\System\oJJuKUr.exe

Filesize
2.4MB

MD5
1f4f386bc5f338eddaf6d237a594ab94

SHA1
227a846fbceb8cd1e3965803f1a5032c5b602223

SHA256
bdc43ff686cae54f57f1bbaf53b6baa8c1ab22aa1b265abddd9593e38aef6345

SHA512
d3e28685b305fbc8cb496189b94405de0d708a8f1052e871c62d0597b8cfd316d0dfbb1d5a5a00f1f6f457b320fa7dab476573759794bf3ae8928f31ddb05ab0

Download Submit
C:\Windows\System\rQEnuqJ.exe

Filesize
2.4MB

MD5
b39253bf3fdba2af562d922f21a56435

SHA1
e9079d43a529357a3f562c127dc6b5c85823ecb0

SHA256
1f795622db8f29339b0cbc16e529b2c2efafbf388038a9879eb1e29ca7af50dd

SHA512
1fb3e0db850ee0d29ce636448943d6d1a9b41c50c2de810456e3d7d8c7926cb014d814dfa03f67b02e8ced1fae12f8342b137e565cf4754f73378a62df543d43

Download Submit
C:\Windows\System\sWOLeRR.exe

Filesize
2.5MB

MD5
3904100642853e286aaab81cdff1b972

SHA1
d343536cbc193adabc2fefd44fa9ee48b5e60bc8

SHA256
3668adb551655bd1be50ded89a5a4673a30f5a83c48d527047fb681782f73b7e

SHA512
1428feb05f8a55dd04e93ee7234cd8a88bba1565a0a93cc2fe08d3e818d6f29b06d6144667cfe41fb1566f1ad26905026bb80d2dfb7ef91a0265fba2ab2ea0ef

Download Submit
C:\Windows\System\txitkoD.exe

Filesize
2.4MB

MD5
afb09a676740e95db060e6c7e2373cb8

SHA1
6b8a5693742366221826f7b9eedcd077cfb5953a

SHA256
6e5c042b1317ced50b7a3384ee3e78bdf410305d160ff9fd3599446af7ec2573

SHA512
099e05ef26ca4caf1a064af3bdb82755946a1d4b7381041069a741b8150d2a9f932783a7dde8939c5028f09ffba73748634a018f5fa92c444aabd6657497ee9f

Download Submit
C:\Windows\System\vUtpjsm.exe

Filesize
2.4MB

MD5
c9510f745ce885178a68de5e45e8a89e

SHA1
d88ca2aedf62a68a12aa5f9788ee26db63fb257d

SHA256
b019428e427ccf4b974838f9df73bdd1135b0d4658c12d7c3eda2787505578d4

SHA512
e2be0c50578b23fe411a0e448d076c7aab9260f57bdef97687bb37b70b749c06005a5ec67320fb48e9d9571983a374a1af3337807b3eaad13d6b4f6a7c129d0d

Download Submit
C:\Windows\System\zKboLkA.exe

Filesize
2.5MB

MD5
958520c9ad6eaa3e3b9b8da6b8457dc6

SHA1
d70a3f7f9e510f3397685697d975c98d6b1f50a0

SHA256
fc6b22b73a0962ac7ec17d85a9f611c5cab570cf351b5915410be17d21ea05cf

SHA512
ec38c1afb0aa49624b5467729253dbef748d081b9d2fdc9570a064e3d490d6454c04e7051c9923583e5abab31fa380e49728ffb46f689630bcb44fdf7a21f9df

Download Submit
memory/464-2138-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp

Filesize
3.3MB

Download
memory/464-60-0x00007FF7402A0000-0x00007FF7405F4000-memory.dmp

Filesize
3.3MB

Download
memory/664-125-0x00007FF796ED0000-0x00007FF797224000-memory.dmp

Filesize
3.3MB

Download
memory/664-2145-0x00007FF796ED0000-0x00007FF797224000-memory.dmp

Filesize
3.3MB

Download
memory/676-2144-0x00007FF7EC880000-0x00007FF7ECBD4000-memory.dmp

Filesize
3.3MB

Download
memory/676-1263-0x00007FF7EC880000-0x00007FF7ECBD4000-memory.dmp

Filesize
3.3MB

Download
memory/676-68-0x00007FF7EC880000-0x00007FF7ECBD4000-memory.dmp

Filesize
3.3MB

Download
memory/800-2136-0x00007FF673450000-0x00007FF6737A4000-memory.dmp

Filesize
3.3MB

Download
memory/800-46-0x00007FF673450000-0x00007FF6737A4000-memory.dmp

Filesize
3.3MB

Download
memory/860-2152-0x00007FF6EE650000-0x00007FF6EE9A4000-memory.dmp

Filesize
3.3MB

Download
memory/860-136-0x00007FF6EE650000-0x00007FF6EE9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1044-98-0x00007FF62BDE0000-0x00007FF62C134000-memory.dmp

Filesize
3.3MB

Download
memory/1044-2149-0x00007FF62BDE0000-0x00007FF62C134000-memory.dmp

Filesize
3.3MB

Download
memory/1044-1273-0x00007FF62BDE0000-0x00007FF62C134000-memory.dmp

Filesize
3.3MB

Download
memory/1196-48-0x00007FF7490D0000-0x00007FF749424000-memory.dmp

Filesize
3.3MB

Download
memory/1196-2139-0x00007FF7490D0000-0x00007FF749424000-memory.dmp

Filesize
3.3MB

Download
memory/1544-2143-0x00007FF601450000-0x00007FF6017A4000-memory.dmp

Filesize
3.3MB

Download
memory/1544-62-0x00007FF601450000-0x00007FF6017A4000-memory.dmp

Filesize
3.3MB

Download
memory/1760-182-0x00007FF70F270000-0x00007FF70F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1760-2165-0x00007FF70F270000-0x00007FF70F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-168-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp

Filesize
3.3MB

Download
memory/2140-1-0x00000179BF160000-0x00000179BF170000-memory.dmp

Filesize
64KB

Download
memory/2140-0-0x00007FF7E9030000-0x00007FF7E9384000-memory.dmp

Filesize
3.3MB

Download
memory/2260-152-0x00007FF614360000-0x00007FF6146B4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-2133-0x00007FF614360000-0x00007FF6146B4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-2162-0x00007FF614360000-0x00007FF6146B4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-2137-0x00007FF61F1F0000-0x00007FF61F544000-memory.dmp

Filesize
3.3MB

Download
memory/2284-61-0x00007FF61F1F0000-0x00007FF61F544000-memory.dmp

Filesize
3.3MB

Download
memory/2460-174-0x00007FF61A940000-0x00007FF61AC94000-memory.dmp

Filesize
3.3MB

Download
memory/2460-2163-0x00007FF61A940000-0x00007FF61AC94000-memory.dmp

Filesize
3.3MB

Download
memory/2640-2150-0x00007FF627ED0000-0x00007FF628224000-memory.dmp

Filesize
3.3MB

Download
memory/2640-110-0x00007FF627ED0000-0x00007FF628224000-memory.dmp

Filesize
3.3MB

Download
memory/3056-2135-0x00007FF796150000-0x00007FF7964A4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-14-0x00007FF796150000-0x00007FF7964A4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-169-0x00007FF796150000-0x00007FF7964A4000-memory.dmp

Filesize
3.3MB

Download
memory/3160-2164-0x00007FF68AD40000-0x00007FF68B094000-memory.dmp

Filesize
3.3MB

Download
memory/3160-184-0x00007FF68AD40000-0x00007FF68B094000-memory.dmp

Filesize
3.3MB

Download
memory/3436-2156-0x00007FF67AD80000-0x00007FF67B0D4000-memory.dmp

Filesize
3.3MB

Download
memory/3436-1953-0x00007FF67AD80000-0x00007FF67B0D4000-memory.dmp

Filesize
3.3MB

Download
memory/3436-131-0x00007FF67AD80000-0x00007FF67B0D4000-memory.dmp

Filesize
3.3MB

Download
memory/3592-2147-0x00007FF70ED30000-0x00007FF70F084000-memory.dmp

Filesize
3.3MB

Download
memory/3592-1271-0x00007FF70ED30000-0x00007FF70F084000-memory.dmp

Filesize
3.3MB

Download
memory/3592-95-0x00007FF70ED30000-0x00007FF70F084000-memory.dmp

Filesize
3.3MB

Download
memory/3732-2134-0x00007FF70AD90000-0x00007FF70B0E4000-memory.dmp

Filesize
3.3MB

Download
memory/3732-30-0x00007FF70AD90000-0x00007FF70B0E4000-memory.dmp

Filesize
3.3MB

Download
memory/4164-1611-0x00007FF678420000-0x00007FF678774000-memory.dmp

Filesize
3.3MB

Download
memory/4164-116-0x00007FF678420000-0x00007FF678774000-memory.dmp

Filesize
3.3MB

Download
memory/4164-2151-0x00007FF678420000-0x00007FF678774000-memory.dmp

Filesize
3.3MB

Download
memory/4316-2153-0x00007FF78FBE0000-0x00007FF78FF34000-memory.dmp

Filesize
3.3MB

Download
memory/4316-140-0x00007FF78FBE0000-0x00007FF78FF34000-memory.dmp

Filesize
3.3MB

Download
memory/4392-146-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

Filesize
3.3MB

Download
memory/4392-2157-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

Filesize
3.3MB

Download
memory/4492-2141-0x00007FF6C2CE0000-0x00007FF6C3034000-memory.dmp

Filesize
3.3MB

Download
memory/4492-56-0x00007FF6C2CE0000-0x00007FF6C3034000-memory.dmp

Filesize
3.3MB

Download
memory/4572-2140-0x00007FF6D1FB0000-0x00007FF6D2304000-memory.dmp

Filesize
3.3MB

Download
memory/4572-51-0x00007FF6D1FB0000-0x00007FF6D2304000-memory.dmp

Filesize
3.3MB

Download
memory/4580-196-0x00007FF62D970000-0x00007FF62DCC4000-memory.dmp

Filesize
3.3MB

Download
memory/4580-2166-0x00007FF62D970000-0x00007FF62DCC4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-84-0x00007FF76E240000-0x00007FF76E594000-memory.dmp

Filesize
3.3MB

Download
memory/4592-1266-0x00007FF76E240000-0x00007FF76E594000-memory.dmp

Filesize
3.3MB

Download
memory/4592-2146-0x00007FF76E240000-0x00007FF76E594000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2155-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp

Filesize
3.3MB

Download
memory/4764-130-0x00007FF6D75E0000-0x00007FF6D7934000-memory.dmp

Filesize
3.3MB

Download
memory/4904-2154-0x00007FF6F6560000-0x00007FF6F68B4000-memory.dmp

Filesize
3.3MB

Download
memory/4904-139-0x00007FF6F6560000-0x00007FF6F68B4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-2142-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-57-0x00007FF728B90000-0x00007FF728EE4000-memory.dmp

Filesize
3.3MB

Download
memory/5076-2148-0x00007FF7F2B20000-0x00007FF7F2E74000-memory.dmp

Filesize
3.3MB

Download
memory/5076-128-0x00007FF7F2B20000-0x00007FF7F2E74000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads