xmrig | 9f991cd494335c11d6ae2bd4756b33574825f5b53e788132937e9d6ce92f6a70

Analysis

max time kernel
55s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4726b9d1243b990575bc1245450fc0b0N.exe
Size

3.4MB
MD5

4726b9d1243b990575bc1245450fc0b0
SHA1

130d31067b2c1934bec5f0abeeb3abd9e42fda55
SHA256

9f991cd494335c11d6ae2bd4756b33574825f5b53e788132937e9d6ce92f6a70
SHA512

9322fbec8c028f672d2a5db1edd6cb27e8b92832203b66ebb339f4ef4c1fdd3bef25458d242dc14c5985e04992dc353745187791368668511974c3a366856da0
SSDEEP

98304:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrW4:7bBeSFkE

Score

10^/10

xmrig execution miner persistence privilege_escalation upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1000-0-0x00007FF6F45A0000-0x00007FF6F4996000-memory.dmp	xmrig
behavioral2/files/0x000800000002343a-10.dat	xmrig
behavioral2/files/0x000800000002343d-14.dat	xmrig
behavioral2/files/0x000700000002343e-18.dat	xmrig
behavioral2/files/0x0007000000023440-38.dat	xmrig
behavioral2/files/0x0008000000023441-57.dat	xmrig
behavioral2/files/0x0007000000023444-63.dat	xmrig
behavioral2/files/0x0007000000023446-73.dat	xmrig
behavioral2/files/0x0007000000023447-77.dat	xmrig
behavioral2/files/0x0007000000023449-85.dat	xmrig
behavioral2/files/0x0007000000023448-87.dat	xmrig
behavioral2/files/0x000700000002344c-106.dat	xmrig
behavioral2/files/0x000700000002344d-113.dat	xmrig
behavioral2/files/0x000700000002344e-121.dat	xmrig
behavioral2/files/0x0007000000023451-137.dat	xmrig
behavioral2/files/0x0007000000023456-158.dat	xmrig
behavioral2/memory/1736-661-0x00007FF75F7B0000-0x00007FF75FBA6000-memory.dmp	xmrig
behavioral2/memory/4624-662-0x00007FF74F250000-0x00007FF74F646000-memory.dmp	xmrig
behavioral2/memory/2088-663-0x00007FF78A050000-0x00007FF78A446000-memory.dmp	xmrig
behavioral2/memory/4652-680-0x00007FF7EDD80000-0x00007FF7EE176000-memory.dmp	xmrig
behavioral2/memory/4892-688-0x00007FF6DCFA0000-0x00007FF6DD396000-memory.dmp	xmrig
behavioral2/memory/3016-726-0x00007FF66B380000-0x00007FF66B776000-memory.dmp	xmrig
behavioral2/memory/2372-743-0x00007FF61FCE0000-0x00007FF6200D6000-memory.dmp	xmrig
behavioral2/memory/932-747-0x00007FF60B720000-0x00007FF60BB16000-memory.dmp	xmrig
behavioral2/memory/3228-756-0x00007FF78D0F0000-0x00007FF78D4E6000-memory.dmp	xmrig
behavioral2/memory/4972-760-0x00007FF78FA20000-0x00007FF78FE16000-memory.dmp	xmrig
behavioral2/memory/1876-763-0x00007FF7FAF70000-0x00007FF7FB366000-memory.dmp	xmrig
behavioral2/memory/1948-768-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp	xmrig
behavioral2/memory/1280-737-0x00007FF67BB00000-0x00007FF67BEF6000-memory.dmp	xmrig
behavioral2/memory/1148-718-0x00007FF6550C0000-0x00007FF6554B6000-memory.dmp	xmrig
behavioral2/memory/4260-710-0x00007FF740C40000-0x00007FF741036000-memory.dmp	xmrig
behavioral2/memory/4404-702-0x00007FF739580000-0x00007FF739976000-memory.dmp	xmrig
behavioral2/memory/3692-695-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp	xmrig
behavioral2/memory/2772-676-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp	xmrig
behavioral2/memory/1776-671-0x00007FF764130000-0x00007FF764526000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-181.dat	xmrig
behavioral2/files/0x0007000000023459-179.dat	xmrig
behavioral2/files/0x000700000002345a-176.dat	xmrig
behavioral2/files/0x0007000000023458-174.dat	xmrig
behavioral2/files/0x0007000000023457-167.dat	xmrig
behavioral2/files/0x0007000000023455-154.dat	xmrig
behavioral2/files/0x0007000000023454-152.dat	xmrig
behavioral2/files/0x0007000000023453-146.dat	xmrig
behavioral2/files/0x0007000000023452-142.dat	xmrig
behavioral2/files/0x0007000000023450-131.dat	xmrig
behavioral2/files/0x000700000002344f-127.dat	xmrig
behavioral2/files/0x000700000002344b-107.dat	xmrig
behavioral2/files/0x000800000002343b-101.dat	xmrig
behavioral2/files/0x000700000002344a-97.dat	xmrig
behavioral2/memory/2108-86-0x00007FF6F0690000-0x00007FF6F0A86000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-68.dat	xmrig
behavioral2/files/0x0008000000023442-54.dat	xmrig
behavioral2/files/0x0007000000023443-50.dat	xmrig
behavioral2/memory/1524-42-0x00007FF799C20000-0x00007FF79A016000-memory.dmp	xmrig
behavioral2/memory/1064-40-0x00007FF6A51D0000-0x00007FF6A55C6000-memory.dmp	xmrig
behavioral2/memory/4492-39-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-23.dat	xmrig
behavioral2/memory/1972-6-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp	xmrig
behavioral2/memory/2772-4049-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp	xmrig
behavioral2/memory/1972-4059-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp	xmrig
behavioral2/memory/3692-4060-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp	xmrig
behavioral2/memory/4404-4062-0x00007FF739580000-0x00007FF739976000-memory.dmp	xmrig
behavioral2/memory/1948-4061-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp	xmrig
behavioral2/memory/4492-4058-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3920	powershell.exe
5	3920	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3920	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1972	gZKzOKp.exe
4492	xxiiroy.exe
1064	xGmXngX.exe
1524	sNySPZx.exe
2108	JQoiyFX.exe
1736	qloluyY.exe
1876	gvhhpUx.exe
4624	INrrxGH.exe
2088	inzPHHd.exe
1776	GMrvoKe.exe
2772	nqXzaIS.exe
4652	ihUIEwI.exe
4892	PcMKZOh.exe
3692	rfqhUNy.exe
1948	ukNiCuT.exe
4404	MEYibhh.exe
4260	zmOwWoD.exe
1148	LRLsLnd.exe
3016	DiWhVRN.exe
1280	dGaqTzg.exe
2372	fUYazyB.exe
932	cTAABxo.exe
3228	zbublho.exe
4972	SqOgwMK.exe
4152	NpZpImy.exe
3556	MAQiJck.exe
4796	FKAzaTZ.exe
3680	trVCbyg.exe
4748	WwtiQMu.exe
4976	ZCOFaLv.exe
3364	kOBrZzT.exe
4004	GandwmZ.exe
3464	bOoVVYA.exe
4672	sfbhBnv.exe
228	COUYvvE.exe
2356	SVqBkpK.exe
2660	mqoeABf.exe
4900	GgJowZW.exe
4440	sFQpFnm.exe
3808	ZUNjVAs.exe
212	TAYBfBD.exe
3728	hqMNkrg.exe
3044	MFSQbVB.exe
2352	mpMaxfN.exe
1844	rSKuOsK.exe
2984	CoDqXWS.exe
696	LwWplgV.exe
3356	mDmXtmZ.exe
1516	tMIjWkN.exe
1716	DMvnnvl.exe
2456	aNUjIfx.exe
464	AYWnNlZ.exe
1384	sdOnqSW.exe
4680	IQJQYGY.exe
5020	HVdXKxQ.exe
1252	ByCsuYJ.exe
2860	hMFJjqG.exe
1944	vwWDKsf.exe
3080	dEckszd.exe
736	HpyNwQm.exe
2676	GfyqzcA.exe
1380	kyiWuvb.exe
3596	QEVXdWo.exe
2172	RUsUDKb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1000-0-0x00007FF6F45A0000-0x00007FF6F4996000-memory.dmp	upx
behavioral2/files/0x000800000002343a-10.dat	upx
behavioral2/files/0x000800000002343d-14.dat	upx
behavioral2/files/0x000700000002343e-18.dat	upx
behavioral2/files/0x0007000000023440-38.dat	upx
behavioral2/files/0x0008000000023441-57.dat	upx
behavioral2/files/0x0007000000023444-63.dat	upx
behavioral2/files/0x0007000000023446-73.dat	upx
behavioral2/files/0x0007000000023447-77.dat	upx
behavioral2/files/0x0007000000023449-85.dat	upx
behavioral2/files/0x0007000000023448-87.dat	upx
behavioral2/files/0x000700000002344c-106.dat	upx
behavioral2/files/0x000700000002344d-113.dat	upx
behavioral2/files/0x000700000002344e-121.dat	upx
behavioral2/files/0x0007000000023451-137.dat	upx
behavioral2/files/0x0007000000023456-158.dat	upx
behavioral2/memory/1736-661-0x00007FF75F7B0000-0x00007FF75FBA6000-memory.dmp	upx
behavioral2/memory/4624-662-0x00007FF74F250000-0x00007FF74F646000-memory.dmp	upx
behavioral2/memory/2088-663-0x00007FF78A050000-0x00007FF78A446000-memory.dmp	upx
behavioral2/memory/4652-680-0x00007FF7EDD80000-0x00007FF7EE176000-memory.dmp	upx
behavioral2/memory/4892-688-0x00007FF6DCFA0000-0x00007FF6DD396000-memory.dmp	upx
behavioral2/memory/3016-726-0x00007FF66B380000-0x00007FF66B776000-memory.dmp	upx
behavioral2/memory/2372-743-0x00007FF61FCE0000-0x00007FF6200D6000-memory.dmp	upx
behavioral2/memory/932-747-0x00007FF60B720000-0x00007FF60BB16000-memory.dmp	upx
behavioral2/memory/3228-756-0x00007FF78D0F0000-0x00007FF78D4E6000-memory.dmp	upx
behavioral2/memory/4972-760-0x00007FF78FA20000-0x00007FF78FE16000-memory.dmp	upx
behavioral2/memory/1876-763-0x00007FF7FAF70000-0x00007FF7FB366000-memory.dmp	upx
behavioral2/memory/1948-768-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp	upx
behavioral2/memory/1280-737-0x00007FF67BB00000-0x00007FF67BEF6000-memory.dmp	upx
behavioral2/memory/1148-718-0x00007FF6550C0000-0x00007FF6554B6000-memory.dmp	upx
behavioral2/memory/4260-710-0x00007FF740C40000-0x00007FF741036000-memory.dmp	upx
behavioral2/memory/4404-702-0x00007FF739580000-0x00007FF739976000-memory.dmp	upx
behavioral2/memory/3692-695-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp	upx
behavioral2/memory/2772-676-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp	upx
behavioral2/memory/1776-671-0x00007FF764130000-0x00007FF764526000-memory.dmp	upx
behavioral2/files/0x000700000002345b-181.dat	upx
behavioral2/files/0x0007000000023459-179.dat	upx
behavioral2/files/0x000700000002345a-176.dat	upx
behavioral2/files/0x0007000000023458-174.dat	upx
behavioral2/files/0x0007000000023457-167.dat	upx
behavioral2/files/0x0007000000023455-154.dat	upx
behavioral2/files/0x0007000000023454-152.dat	upx
behavioral2/files/0x0007000000023453-146.dat	upx
behavioral2/files/0x0007000000023452-142.dat	upx
behavioral2/files/0x0007000000023450-131.dat	upx
behavioral2/files/0x000700000002344f-127.dat	upx
behavioral2/files/0x000700000002344b-107.dat	upx
behavioral2/files/0x000800000002343b-101.dat	upx
behavioral2/files/0x000700000002344a-97.dat	upx
behavioral2/memory/2108-86-0x00007FF6F0690000-0x00007FF6F0A86000-memory.dmp	upx
behavioral2/files/0x0007000000023445-68.dat	upx
behavioral2/files/0x0008000000023442-54.dat	upx
behavioral2/files/0x0007000000023443-50.dat	upx
behavioral2/memory/1524-42-0x00007FF799C20000-0x00007FF79A016000-memory.dmp	upx
behavioral2/memory/1064-40-0x00007FF6A51D0000-0x00007FF6A55C6000-memory.dmp	upx
behavioral2/memory/4492-39-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp	upx
behavioral2/files/0x000700000002343f-23.dat	upx
behavioral2/memory/1972-6-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp	upx
behavioral2/memory/2772-4049-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp	upx
behavioral2/memory/1972-4059-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp	upx
behavioral2/memory/3692-4060-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp	upx
behavioral2/memory/4404-4062-0x00007FF739580000-0x00007FF739976000-memory.dmp	upx
behavioral2/memory/1948-4061-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp	upx
behavioral2/memory/4492-4058-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp	upx

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\eZhVkDU.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\dUppqPK.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\tsHGJhj.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\smpcAxW.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\frstqjd.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\wLmmaky.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\aKWZUPn.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\sOtmkiX.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\KzNSYZO.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\NVqYKdw.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\xrIlfoG.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\tvwDVcK.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\agVuVGv.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\PMZagMJ.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\JiVglco.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\igaCUTx.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\rkOqiey.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\tqvEULq.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\VZYKUJr.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\TXkkSsI.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\tjbQDMa.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\OrqqPqV.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\EYgzdbc.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\GmatMoO.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\EGpqayK.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\cIMoolR.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\qYQOyho.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\EetEadi.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\ysggwvc.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\xYgKkMu.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\yaZgpMa.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\hchQWTj.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\GLIcEnE.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\JODAgeO.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\Etxadla.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\dFTcxXa.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\DadKXqV.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\UxFaqpH.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\eyaAczZ.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\DnYPDjD.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\NdaVxbl.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\eSzgTxc.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\YjNeGKb.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\qvVSjUC.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\dvqpmfk.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\TcdNNGJ.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\dHnFwdI.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\AzkwWfy.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\RnqLOmh.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\iGtadOQ.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\JdYVfCD.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\foCRbRB.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\rvwIKQE.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\Fkynnyx.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\iabxaFy.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\dYQDOei.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\sHZWtUZ.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\ScNDuMq.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\NHvfTqF.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\ppiBJME.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\MZJYnCh.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\jDFhAtI.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\vGWADbW.exe	4726b9d1243b990575bc1245450fc0b0N.exe
File created	C:\Windows\System\RDFmtlD.exe	4726b9d1243b990575bc1245450fc0b0N.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2721909339-1374969515-2476821579-1000\{9861BA3C-F7E7-4841-8BDB-C975B65E968C}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2721909339-1374969515-2476821579-1000\{779A9A3F-D051-4FD7-9C14-475E00F2CBC0}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2721909339-1374969515-2476821579-1000\{E5A5F3F2-4491-4990-B4D7-634B2B616A1C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721909339-1374969515-2476821579-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1000	4726b9d1243b990575bc1245450fc0b0N.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeLockMemoryPrivilege	1000	4726b9d1243b990575bc1245450fc0b0N.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	7180	explorer.exe
Token: SeCreatePagefilePrivilege	7180	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	3840	explorer.exe
Token: SeCreatePagefilePrivilege	3840	explorer.exe
Token: SeShutdownPrivilege	3840	explorer.exe
Token: SeCreatePagefilePrivilege	3840	explorer.exe
Token: SeShutdownPrivilege	3840	explorer.exe
Token: SeCreatePagefilePrivilege	3840	explorer.exe
Token: SeShutdownPrivilege	3840	explorer.exe
Token: SeCreatePagefilePrivilege	3840	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
12440	sihost.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
7180	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe
3840	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
7904	StartMenuExperienceHost.exe
8276	StartMenuExperienceHost.exe
9072	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3920	1000	4726b9d1243b990575bc1245450fc0b0N.exe	84
PID 1000 wrote to memory of 3920	1000	4726b9d1243b990575bc1245450fc0b0N.exe	84
PID 1000 wrote to memory of 1972	1000	4726b9d1243b990575bc1245450fc0b0N.exe	85
PID 1000 wrote to memory of 1972	1000	4726b9d1243b990575bc1245450fc0b0N.exe	85
PID 1000 wrote to memory of 4492	1000	4726b9d1243b990575bc1245450fc0b0N.exe	86
PID 1000 wrote to memory of 4492	1000	4726b9d1243b990575bc1245450fc0b0N.exe	86
PID 1000 wrote to memory of 1064	1000	4726b9d1243b990575bc1245450fc0b0N.exe	87
PID 1000 wrote to memory of 1064	1000	4726b9d1243b990575bc1245450fc0b0N.exe	87
PID 1000 wrote to memory of 1524	1000	4726b9d1243b990575bc1245450fc0b0N.exe	89
PID 1000 wrote to memory of 1524	1000	4726b9d1243b990575bc1245450fc0b0N.exe	89
PID 1000 wrote to memory of 2108	1000	4726b9d1243b990575bc1245450fc0b0N.exe	90
PID 1000 wrote to memory of 2108	1000	4726b9d1243b990575bc1245450fc0b0N.exe	90
PID 1000 wrote to memory of 1736	1000	4726b9d1243b990575bc1245450fc0b0N.exe	91
PID 1000 wrote to memory of 1736	1000	4726b9d1243b990575bc1245450fc0b0N.exe	91
PID 1000 wrote to memory of 1876	1000	4726b9d1243b990575bc1245450fc0b0N.exe	92
PID 1000 wrote to memory of 1876	1000	4726b9d1243b990575bc1245450fc0b0N.exe	92
PID 1000 wrote to memory of 4624	1000	4726b9d1243b990575bc1245450fc0b0N.exe	93
PID 1000 wrote to memory of 4624	1000	4726b9d1243b990575bc1245450fc0b0N.exe	93
PID 1000 wrote to memory of 2088	1000	4726b9d1243b990575bc1245450fc0b0N.exe	94
PID 1000 wrote to memory of 2088	1000	4726b9d1243b990575bc1245450fc0b0N.exe	94
PID 1000 wrote to memory of 1776	1000	4726b9d1243b990575bc1245450fc0b0N.exe	95
PID 1000 wrote to memory of 1776	1000	4726b9d1243b990575bc1245450fc0b0N.exe	95
PID 1000 wrote to memory of 2772	1000	4726b9d1243b990575bc1245450fc0b0N.exe	96
PID 1000 wrote to memory of 2772	1000	4726b9d1243b990575bc1245450fc0b0N.exe	96
PID 1000 wrote to memory of 4652	1000	4726b9d1243b990575bc1245450fc0b0N.exe	97
PID 1000 wrote to memory of 4652	1000	4726b9d1243b990575bc1245450fc0b0N.exe	97
PID 1000 wrote to memory of 4892	1000	4726b9d1243b990575bc1245450fc0b0N.exe	98
PID 1000 wrote to memory of 4892	1000	4726b9d1243b990575bc1245450fc0b0N.exe	98
PID 1000 wrote to memory of 3692	1000	4726b9d1243b990575bc1245450fc0b0N.exe	99
PID 1000 wrote to memory of 3692	1000	4726b9d1243b990575bc1245450fc0b0N.exe	99
PID 1000 wrote to memory of 1948	1000	4726b9d1243b990575bc1245450fc0b0N.exe	100
PID 1000 wrote to memory of 1948	1000	4726b9d1243b990575bc1245450fc0b0N.exe	100
PID 1000 wrote to memory of 4404	1000	4726b9d1243b990575bc1245450fc0b0N.exe	101
PID 1000 wrote to memory of 4404	1000	4726b9d1243b990575bc1245450fc0b0N.exe	101
PID 1000 wrote to memory of 4260	1000	4726b9d1243b990575bc1245450fc0b0N.exe	102
PID 1000 wrote to memory of 4260	1000	4726b9d1243b990575bc1245450fc0b0N.exe	102
PID 1000 wrote to memory of 1148	1000	4726b9d1243b990575bc1245450fc0b0N.exe	103
PID 1000 wrote to memory of 1148	1000	4726b9d1243b990575bc1245450fc0b0N.exe	103
PID 1000 wrote to memory of 3016	1000	4726b9d1243b990575bc1245450fc0b0N.exe	104
PID 1000 wrote to memory of 3016	1000	4726b9d1243b990575bc1245450fc0b0N.exe	104
PID 1000 wrote to memory of 1280	1000	4726b9d1243b990575bc1245450fc0b0N.exe	105
PID 1000 wrote to memory of 1280	1000	4726b9d1243b990575bc1245450fc0b0N.exe	105
PID 1000 wrote to memory of 2372	1000	4726b9d1243b990575bc1245450fc0b0N.exe	106
PID 1000 wrote to memory of 2372	1000	4726b9d1243b990575bc1245450fc0b0N.exe	106
PID 1000 wrote to memory of 932	1000	4726b9d1243b990575bc1245450fc0b0N.exe	107
PID 1000 wrote to memory of 932	1000	4726b9d1243b990575bc1245450fc0b0N.exe	107
PID 1000 wrote to memory of 3228	1000	4726b9d1243b990575bc1245450fc0b0N.exe	108
PID 1000 wrote to memory of 3228	1000	4726b9d1243b990575bc1245450fc0b0N.exe	108
PID 1000 wrote to memory of 4972	1000	4726b9d1243b990575bc1245450fc0b0N.exe	109
PID 1000 wrote to memory of 4972	1000	4726b9d1243b990575bc1245450fc0b0N.exe	109
PID 1000 wrote to memory of 4152	1000	4726b9d1243b990575bc1245450fc0b0N.exe	110
PID 1000 wrote to memory of 4152	1000	4726b9d1243b990575bc1245450fc0b0N.exe	110
PID 1000 wrote to memory of 3556	1000	4726b9d1243b990575bc1245450fc0b0N.exe	111
PID 1000 wrote to memory of 3556	1000	4726b9d1243b990575bc1245450fc0b0N.exe	111
PID 1000 wrote to memory of 4796	1000	4726b9d1243b990575bc1245450fc0b0N.exe	112
PID 1000 wrote to memory of 4796	1000	4726b9d1243b990575bc1245450fc0b0N.exe	112
PID 1000 wrote to memory of 3680	1000	4726b9d1243b990575bc1245450fc0b0N.exe	113
PID 1000 wrote to memory of 3680	1000	4726b9d1243b990575bc1245450fc0b0N.exe	113
PID 1000 wrote to memory of 4748	1000	4726b9d1243b990575bc1245450fc0b0N.exe	114
PID 1000 wrote to memory of 4748	1000	4726b9d1243b990575bc1245450fc0b0N.exe	114
PID 1000 wrote to memory of 4976	1000	4726b9d1243b990575bc1245450fc0b0N.exe	115
PID 1000 wrote to memory of 4976	1000	4726b9d1243b990575bc1245450fc0b0N.exe	115
PID 1000 wrote to memory of 3364	1000	4726b9d1243b990575bc1245450fc0b0N.exe	116
PID 1000 wrote to memory of 3364	1000	4726b9d1243b990575bc1245450fc0b0N.exe	116

C:\Users\Admin\AppData\Local\Temp\4726b9d1243b990575bc1245450fc0b0N.exe
"C:\Users\Admin\AppData\Local\Temp\4726b9d1243b990575bc1245450fc0b0N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\System\gZKzOKp.exe
  C:\Windows\System\gZKzOKp.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\xxiiroy.exe
  C:\Windows\System\xxiiroy.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\xGmXngX.exe
  C:\Windows\System\xGmXngX.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\sNySPZx.exe
  C:\Windows\System\sNySPZx.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\JQoiyFX.exe
  C:\Windows\System\JQoiyFX.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\qloluyY.exe
  C:\Windows\System\qloluyY.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\gvhhpUx.exe
  C:\Windows\System\gvhhpUx.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\INrrxGH.exe
  C:\Windows\System\INrrxGH.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\inzPHHd.exe
  C:\Windows\System\inzPHHd.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\GMrvoKe.exe
  C:\Windows\System\GMrvoKe.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\nqXzaIS.exe
  C:\Windows\System\nqXzaIS.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\ihUIEwI.exe
  C:\Windows\System\ihUIEwI.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\PcMKZOh.exe
  C:\Windows\System\PcMKZOh.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\rfqhUNy.exe
  C:\Windows\System\rfqhUNy.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\ukNiCuT.exe
  C:\Windows\System\ukNiCuT.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\MEYibhh.exe
  C:\Windows\System\MEYibhh.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\zmOwWoD.exe
  C:\Windows\System\zmOwWoD.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\LRLsLnd.exe
  C:\Windows\System\LRLsLnd.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\DiWhVRN.exe
  C:\Windows\System\DiWhVRN.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\dGaqTzg.exe
  C:\Windows\System\dGaqTzg.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\fUYazyB.exe
  C:\Windows\System\fUYazyB.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\cTAABxo.exe
  C:\Windows\System\cTAABxo.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\zbublho.exe
  C:\Windows\System\zbublho.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\SqOgwMK.exe
  C:\Windows\System\SqOgwMK.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\NpZpImy.exe
  C:\Windows\System\NpZpImy.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\MAQiJck.exe
  C:\Windows\System\MAQiJck.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\FKAzaTZ.exe
  C:\Windows\System\FKAzaTZ.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\trVCbyg.exe
  C:\Windows\System\trVCbyg.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\WwtiQMu.exe
  C:\Windows\System\WwtiQMu.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\ZCOFaLv.exe
  C:\Windows\System\ZCOFaLv.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\kOBrZzT.exe
  C:\Windows\System\kOBrZzT.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\GandwmZ.exe
  C:\Windows\System\GandwmZ.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\bOoVVYA.exe
  C:\Windows\System\bOoVVYA.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\sfbhBnv.exe
  C:\Windows\System\sfbhBnv.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\COUYvvE.exe
  C:\Windows\System\COUYvvE.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\SVqBkpK.exe
  C:\Windows\System\SVqBkpK.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\mqoeABf.exe
  C:\Windows\System\mqoeABf.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\GgJowZW.exe
  C:\Windows\System\GgJowZW.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\sFQpFnm.exe
  C:\Windows\System\sFQpFnm.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\ZUNjVAs.exe
  C:\Windows\System\ZUNjVAs.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\TAYBfBD.exe
  C:\Windows\System\TAYBfBD.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\hqMNkrg.exe
  C:\Windows\System\hqMNkrg.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\MFSQbVB.exe
  C:\Windows\System\MFSQbVB.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\mpMaxfN.exe
  C:\Windows\System\mpMaxfN.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\rSKuOsK.exe
  C:\Windows\System\rSKuOsK.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\CoDqXWS.exe
  C:\Windows\System\CoDqXWS.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\LwWplgV.exe
  C:\Windows\System\LwWplgV.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\mDmXtmZ.exe
  C:\Windows\System\mDmXtmZ.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\tMIjWkN.exe
  C:\Windows\System\tMIjWkN.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\DMvnnvl.exe
  C:\Windows\System\DMvnnvl.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\aNUjIfx.exe
  C:\Windows\System\aNUjIfx.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\AYWnNlZ.exe
  C:\Windows\System\AYWnNlZ.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\sdOnqSW.exe
  C:\Windows\System\sdOnqSW.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\IQJQYGY.exe
  C:\Windows\System\IQJQYGY.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\HVdXKxQ.exe
  C:\Windows\System\HVdXKxQ.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\ByCsuYJ.exe
  C:\Windows\System\ByCsuYJ.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\hMFJjqG.exe
  C:\Windows\System\hMFJjqG.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\vwWDKsf.exe
  C:\Windows\System\vwWDKsf.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\dEckszd.exe
  C:\Windows\System\dEckszd.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\HpyNwQm.exe
  C:\Windows\System\HpyNwQm.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\GfyqzcA.exe
  C:\Windows\System\GfyqzcA.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\kyiWuvb.exe
  C:\Windows\System\kyiWuvb.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\QEVXdWo.exe
  C:\Windows\System\QEVXdWo.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\RUsUDKb.exe
  C:\Windows\System\RUsUDKb.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\SKKZaCy.exe
  C:\Windows\System\SKKZaCy.exe
  2⤵
  PID:5144
- C:\Windows\System\BsXkAja.exe
  C:\Windows\System\BsXkAja.exe
  2⤵
  PID:5172
- C:\Windows\System\CbSBgDD.exe
  C:\Windows\System\CbSBgDD.exe
  2⤵
  PID:5208
- C:\Windows\System\QplPnpp.exe
  C:\Windows\System\QplPnpp.exe
  2⤵
  PID:5240
- C:\Windows\System\FXNddlj.exe
  C:\Windows\System\FXNddlj.exe
  2⤵
  PID:5264
- C:\Windows\System\rLanxMK.exe
  C:\Windows\System\rLanxMK.exe
  2⤵
  PID:5296
- C:\Windows\System\MeCPraI.exe
  C:\Windows\System\MeCPraI.exe
  2⤵
  PID:5324
- C:\Windows\System\zoTGwlt.exe
  C:\Windows\System\zoTGwlt.exe
  2⤵
  PID:5352
- C:\Windows\System\qpjnmNB.exe
  C:\Windows\System\qpjnmNB.exe
  2⤵
  PID:5380
- C:\Windows\System\UVgfGnh.exe
  C:\Windows\System\UVgfGnh.exe
  2⤵
  PID:5412
- C:\Windows\System\ThOcwGc.exe
  C:\Windows\System\ThOcwGc.exe
  2⤵
  PID:5436
- C:\Windows\System\YsrtDmj.exe
  C:\Windows\System\YsrtDmj.exe
  2⤵
  PID:5464
- C:\Windows\System\CgfKcIz.exe
  C:\Windows\System\CgfKcIz.exe
  2⤵
  PID:5488
- C:\Windows\System\BJQEhsu.exe
  C:\Windows\System\BJQEhsu.exe
  2⤵
  PID:5516
- C:\Windows\System\irJVVTg.exe
  C:\Windows\System\irJVVTg.exe
  2⤵
  PID:5544
- C:\Windows\System\IsBtFhk.exe
  C:\Windows\System\IsBtFhk.exe
  2⤵
  PID:5572
- C:\Windows\System\VswKSab.exe
  C:\Windows\System\VswKSab.exe
  2⤵
  PID:5600
- C:\Windows\System\WyAfejH.exe
  C:\Windows\System\WyAfejH.exe
  2⤵
  PID:5628
- C:\Windows\System\FeMGWYt.exe
  C:\Windows\System\FeMGWYt.exe
  2⤵
  PID:5656
- C:\Windows\System\kFkFtSy.exe
  C:\Windows\System\kFkFtSy.exe
  2⤵
  PID:5684
- C:\Windows\System\JLAUkHm.exe
  C:\Windows\System\JLAUkHm.exe
  2⤵
  PID:5708
- C:\Windows\System\iScxvBd.exe
  C:\Windows\System\iScxvBd.exe
  2⤵
  PID:5736
- C:\Windows\System\QoFmTik.exe
  C:\Windows\System\QoFmTik.exe
  2⤵
  PID:5768
- C:\Windows\System\iGRXRpe.exe
  C:\Windows\System\iGRXRpe.exe
  2⤵
  PID:5796
- C:\Windows\System\jmEfvNM.exe
  C:\Windows\System\jmEfvNM.exe
  2⤵
  PID:5828
- C:\Windows\System\TUOHSjW.exe
  C:\Windows\System\TUOHSjW.exe
  2⤵
  PID:5864
- C:\Windows\System\JwQVHYq.exe
  C:\Windows\System\JwQVHYq.exe
  2⤵
  PID:5888
- C:\Windows\System\tYuYvjQ.exe
  C:\Windows\System\tYuYvjQ.exe
  2⤵
  PID:5920
- C:\Windows\System\DaAgxAN.exe
  C:\Windows\System\DaAgxAN.exe
  2⤵
  PID:5948
- C:\Windows\System\BNiFTDU.exe
  C:\Windows\System\BNiFTDU.exe
  2⤵
  PID:5972
- C:\Windows\System\NVWirKo.exe
  C:\Windows\System\NVWirKo.exe
  2⤵
  PID:6000
- C:\Windows\System\qOmELbh.exe
  C:\Windows\System\qOmELbh.exe
  2⤵
  PID:6032
- C:\Windows\System\pLxRpBu.exe
  C:\Windows\System\pLxRpBu.exe
  2⤵
  PID:6060
- C:\Windows\System\svyuELR.exe
  C:\Windows\System\svyuELR.exe
  2⤵
  PID:6088
- C:\Windows\System\wLmmaky.exe
  C:\Windows\System\wLmmaky.exe
  2⤵
  PID:6116
- C:\Windows\System\PxdIVxI.exe
  C:\Windows\System\PxdIVxI.exe
  2⤵
  PID:4520
- C:\Windows\System\VrsyvhD.exe
  C:\Windows\System\VrsyvhD.exe
  2⤵
  PID:4816
- C:\Windows\System\YqQIcod.exe
  C:\Windows\System\YqQIcod.exe
  2⤵
  PID:4512
- C:\Windows\System\uHIEiYR.exe
  C:\Windows\System\uHIEiYR.exe
  2⤵
  PID:3116
- C:\Windows\System\uzaZCVx.exe
  C:\Windows\System\uzaZCVx.exe
  2⤵
  PID:2388
- C:\Windows\System\dUcahyj.exe
  C:\Windows\System\dUcahyj.exe
  2⤵
  PID:5160
- C:\Windows\System\niElqkX.exe
  C:\Windows\System\niElqkX.exe
  2⤵
  PID:5228
- C:\Windows\System\XnpGRnn.exe
  C:\Windows\System\XnpGRnn.exe
  2⤵
  PID:5288
- C:\Windows\System\CKZXTRI.exe
  C:\Windows\System\CKZXTRI.exe
  2⤵
  PID:5364
- C:\Windows\System\WPvGPES.exe
  C:\Windows\System\WPvGPES.exe
  2⤵
  PID:5428
- C:\Windows\System\KTHWbbq.exe
  C:\Windows\System\KTHWbbq.exe
  2⤵
  PID:5500
- C:\Windows\System\rTaztlQ.exe
  C:\Windows\System\rTaztlQ.exe
  2⤵
  PID:5560
- C:\Windows\System\CSHAzeI.exe
  C:\Windows\System\CSHAzeI.exe
  2⤵
  PID:5616
- C:\Windows\System\guKXqyD.exe
  C:\Windows\System\guKXqyD.exe
  2⤵
  PID:5676
- C:\Windows\System\WaSZcKl.exe
  C:\Windows\System\WaSZcKl.exe
  2⤵
  PID:5732
- C:\Windows\System\VBgbPAD.exe
  C:\Windows\System\VBgbPAD.exe
  2⤵
  PID:5816
- C:\Windows\System\TjUthhR.exe
  C:\Windows\System\TjUthhR.exe
  2⤵
  PID:5876
- C:\Windows\System\yHNfrbI.exe
  C:\Windows\System\yHNfrbI.exe
  2⤵
  PID:5936
- C:\Windows\System\OyBIjCD.exe
  C:\Windows\System\OyBIjCD.exe
  2⤵
  PID:5996
- C:\Windows\System\bBPSUkU.exe
  C:\Windows\System\bBPSUkU.exe
  2⤵
  PID:6072
- C:\Windows\System\xPnzRHU.exe
  C:\Windows\System\xPnzRHU.exe
  2⤵
  PID:6132
- C:\Windows\System\FeSTlsf.exe
  C:\Windows\System\FeSTlsf.exe
  2⤵
  PID:1052
- C:\Windows\System\JyXxqHt.exe
  C:\Windows\System\JyXxqHt.exe
  2⤵
  PID:5128
- C:\Windows\System\AJIkYsm.exe
  C:\Windows\System\AJIkYsm.exe
  2⤵
  PID:5260
- C:\Windows\System\pcaYXwy.exe
  C:\Windows\System\pcaYXwy.exe
  2⤵
  PID:5396
- C:\Windows\System\RWiHauW.exe
  C:\Windows\System\RWiHauW.exe
  2⤵
  PID:5536
- C:\Windows\System\WoZDPTL.exe
  C:\Windows\System\WoZDPTL.exe
  2⤵
  PID:5704
- C:\Windows\System\dnjVAKW.exe
  C:\Windows\System\dnjVAKW.exe
  2⤵
  PID:5848
- C:\Windows\System\jXvIibj.exe
  C:\Windows\System\jXvIibj.exe
  2⤵
  PID:5988
- C:\Windows\System\rzLnzcl.exe
  C:\Windows\System\rzLnzcl.exe
  2⤵
  PID:3736
- C:\Windows\System\aqjxtpj.exe
  C:\Windows\System\aqjxtpj.exe
  2⤵
  PID:5204
- C:\Windows\System\sARahxb.exe
  C:\Windows\System\sARahxb.exe
  2⤵
  PID:6164
- C:\Windows\System\JtJNCqR.exe
  C:\Windows\System\JtJNCqR.exe
  2⤵
  PID:6192
- C:\Windows\System\LnZSRFY.exe
  C:\Windows\System\LnZSRFY.exe
  2⤵
  PID:6220
- C:\Windows\System\QISNKsL.exe
  C:\Windows\System\QISNKsL.exe
  2⤵
  PID:6248
- C:\Windows\System\oitSmNv.exe
  C:\Windows\System\oitSmNv.exe
  2⤵
  PID:6276
- C:\Windows\System\RASfAUc.exe
  C:\Windows\System\RASfAUc.exe
  2⤵
  PID:6304
- C:\Windows\System\aINAYAo.exe
  C:\Windows\System\aINAYAo.exe
  2⤵
  PID:6332
- C:\Windows\System\xwEZUnc.exe
  C:\Windows\System\xwEZUnc.exe
  2⤵
  PID:6360
- C:\Windows\System\xRVjVoH.exe
  C:\Windows\System\xRVjVoH.exe
  2⤵
  PID:6388
- C:\Windows\System\nrbXlLm.exe
  C:\Windows\System\nrbXlLm.exe
  2⤵
  PID:6416
- C:\Windows\System\WyZOjyq.exe
  C:\Windows\System\WyZOjyq.exe
  2⤵
  PID:6444
- C:\Windows\System\wfnAUEu.exe
  C:\Windows\System\wfnAUEu.exe
  2⤵
  PID:6472
- C:\Windows\System\KNmZKWE.exe
  C:\Windows\System\KNmZKWE.exe
  2⤵
  PID:6500
- C:\Windows\System\XNJnjRv.exe
  C:\Windows\System\XNJnjRv.exe
  2⤵
  PID:6536
- C:\Windows\System\MGiVjhr.exe
  C:\Windows\System\MGiVjhr.exe
  2⤵
  PID:6564
- C:\Windows\System\TMYkVHW.exe
  C:\Windows\System\TMYkVHW.exe
  2⤵
  PID:6592
- C:\Windows\System\ZvpKISe.exe
  C:\Windows\System\ZvpKISe.exe
  2⤵
  PID:6620
- C:\Windows\System\EcPFBKk.exe
  C:\Windows\System\EcPFBKk.exe
  2⤵
  PID:6640
- C:\Windows\System\egHuIoR.exe
  C:\Windows\System\egHuIoR.exe
  2⤵
  PID:6668
- C:\Windows\System\NQtgXtG.exe
  C:\Windows\System\NQtgXtG.exe
  2⤵
  PID:6696
- C:\Windows\System\CWmaUzT.exe
  C:\Windows\System\CWmaUzT.exe
  2⤵
  PID:6724
- C:\Windows\System\HAURLur.exe
  C:\Windows\System\HAURLur.exe
  2⤵
  PID:6752
- C:\Windows\System\NOcBFvM.exe
  C:\Windows\System\NOcBFvM.exe
  2⤵
  PID:6780
- C:\Windows\System\xZnqLaB.exe
  C:\Windows\System\xZnqLaB.exe
  2⤵
  PID:6808
- C:\Windows\System\bbLjQFJ.exe
  C:\Windows\System\bbLjQFJ.exe
  2⤵
  PID:6836
- C:\Windows\System\WhYDmuw.exe
  C:\Windows\System\WhYDmuw.exe
  2⤵
  PID:6864
- C:\Windows\System\TZunaki.exe
  C:\Windows\System\TZunaki.exe
  2⤵
  PID:6892
- C:\Windows\System\uJArfWo.exe
  C:\Windows\System\uJArfWo.exe
  2⤵
  PID:6920
- C:\Windows\System\iFEmAGs.exe
  C:\Windows\System\iFEmAGs.exe
  2⤵
  PID:6948
- C:\Windows\System\XTViWkF.exe
  C:\Windows\System\XTViWkF.exe
  2⤵
  PID:6976
- C:\Windows\System\OUblArQ.exe
  C:\Windows\System\OUblArQ.exe
  2⤵
  PID:7004
- C:\Windows\System\XRsnXDR.exe
  C:\Windows\System\XRsnXDR.exe
  2⤵
  PID:7032
- C:\Windows\System\AqnmpwS.exe
  C:\Windows\System\AqnmpwS.exe
  2⤵
  PID:7060
- C:\Windows\System\ThioRDN.exe
  C:\Windows\System\ThioRDN.exe
  2⤵
  PID:7088
- C:\Windows\System\eSQZLxF.exe
  C:\Windows\System\eSQZLxF.exe
  2⤵
  PID:7116
- C:\Windows\System\FjMZuAT.exe
  C:\Windows\System\FjMZuAT.exe
  2⤵
  PID:7144
- C:\Windows\System\EgFnRaX.exe
  C:\Windows\System\EgFnRaX.exe
  2⤵
  PID:5392
- C:\Windows\System\tICeoGC.exe
  C:\Windows\System\tICeoGC.exe
  2⤵
  PID:5784
- C:\Windows\System\DQkPlkO.exe
  C:\Windows\System\DQkPlkO.exe
  2⤵
  PID:6104
- C:\Windows\System\bvYgYbU.exe
  C:\Windows\System\bvYgYbU.exe
  2⤵
  PID:3440
- C:\Windows\System\YHuPChP.exe
  C:\Windows\System\YHuPChP.exe
  2⤵
  PID:6212
- C:\Windows\System\qzEGQEa.exe
  C:\Windows\System\qzEGQEa.exe
  2⤵
  PID:6288
- C:\Windows\System\carJXwX.exe
  C:\Windows\System\carJXwX.exe
  2⤵
  PID:6344
- C:\Windows\System\jDdeFKh.exe
  C:\Windows\System\jDdeFKh.exe
  2⤵
  PID:6408
- C:\Windows\System\bdMZPhi.exe
  C:\Windows\System\bdMZPhi.exe
  2⤵
  PID:6484
- C:\Windows\System\sOmPpWM.exe
  C:\Windows\System\sOmPpWM.exe
  2⤵
  PID:6552
- C:\Windows\System\LAJswOI.exe
  C:\Windows\System\LAJswOI.exe
  2⤵
  PID:1060
- C:\Windows\System\llvGGsr.exe
  C:\Windows\System\llvGGsr.exe
  2⤵
  PID:6680
- C:\Windows\System\uHWOPgz.exe
  C:\Windows\System\uHWOPgz.exe
  2⤵
  PID:6716
- C:\Windows\System\zqkTCGw.exe
  C:\Windows\System\zqkTCGw.exe
  2⤵
  PID:6792
- C:\Windows\System\SiYhoHs.exe
  C:\Windows\System\SiYhoHs.exe
  2⤵
  PID:6848
- C:\Windows\System\xEbNkMp.exe
  C:\Windows\System\xEbNkMp.exe
  2⤵
  PID:6908
- C:\Windows\System\zorLrgn.exe
  C:\Windows\System\zorLrgn.exe
  2⤵
  PID:6968
- C:\Windows\System\LhbYxSb.exe
  C:\Windows\System\LhbYxSb.exe
  2⤵
  PID:7044
- C:\Windows\System\pMVxSBi.exe
  C:\Windows\System\pMVxSBi.exe
  2⤵
  PID:7100
- C:\Windows\System\iCsmzZh.exe
  C:\Windows\System\iCsmzZh.exe
  2⤵
  PID:7140
- C:\Windows\System\qTWCdEJ.exe
  C:\Windows\System\qTWCdEJ.exe
  2⤵
  PID:5912
- C:\Windows\System\nmvLYVJ.exe
  C:\Windows\System\nmvLYVJ.exe
  2⤵
  PID:6152
- C:\Windows\System\iWmalou.exe
  C:\Windows\System\iWmalou.exe
  2⤵
  PID:6316
- C:\Windows\System\NBBstcL.exe
  C:\Windows\System\NBBstcL.exe
  2⤵
  PID:6456
- C:\Windows\System\niKbufs.exe
  C:\Windows\System\niKbufs.exe
  2⤵
  PID:6588
- C:\Windows\System\gDVnpwg.exe
  C:\Windows\System\gDVnpwg.exe
  2⤵
  PID:6712
- C:\Windows\System\pYaOHnc.exe
  C:\Windows\System\pYaOHnc.exe
  2⤵
  PID:6824
- C:\Windows\System\acDoyfs.exe
  C:\Windows\System\acDoyfs.exe
  2⤵
  PID:7076
- C:\Windows\System\dQPKrYZ.exe
  C:\Windows\System\dQPKrYZ.exe
  2⤵
  PID:7164
- C:\Windows\System\CIyjLJg.exe
  C:\Windows\System\CIyjLJg.exe
  2⤵
  PID:6204
- C:\Windows\System\jkVHNwv.exe
  C:\Windows\System\jkVHNwv.exe
  2⤵
  PID:6400
- C:\Windows\System\mFXEcZf.exe
  C:\Windows\System\mFXEcZf.exe
  2⤵
  PID:6884
- C:\Windows\System\TlpGMCZ.exe
  C:\Windows\System\TlpGMCZ.exe
  2⤵
  PID:3064
- C:\Windows\System\FGvbzeg.exe
  C:\Windows\System\FGvbzeg.exe
  2⤵
  PID:784
- C:\Windows\System\mxwWfpL.exe
  C:\Windows\System\mxwWfpL.exe
  2⤵
  PID:4884
- C:\Windows\System\wIbNemR.exe
  C:\Windows\System\wIbNemR.exe
  2⤵
  PID:364
- C:\Windows\System\RoiWrab.exe
  C:\Windows\System\RoiWrab.exe
  2⤵
  PID:2484
- C:\Windows\System\JlsqxUM.exe
  C:\Windows\System\JlsqxUM.exe
  2⤵
  PID:2168
- C:\Windows\System\MqLDxPR.exe
  C:\Windows\System\MqLDxPR.exe
  2⤵
  PID:5036
- C:\Windows\System\jIIZylh.exe
  C:\Windows\System\jIIZylh.exe
  2⤵
  PID:1588
- C:\Windows\System\SngFJCo.exe
  C:\Windows\System\SngFJCo.exe
  2⤵
  PID:1888
- C:\Windows\System\QUwYxxL.exe
  C:\Windows\System\QUwYxxL.exe
  2⤵
  PID:2504
- C:\Windows\System\bbCEWhe.exe
  C:\Windows\System\bbCEWhe.exe
  2⤵
  PID:3572
- C:\Windows\System\aYPwtDq.exe
  C:\Windows\System\aYPwtDq.exe
  2⤵
  PID:2580
- C:\Windows\System\AaNIVBo.exe
  C:\Windows\System\AaNIVBo.exe
  2⤵
  PID:2368
- C:\Windows\System\ACHaHxw.exe
  C:\Windows\System\ACHaHxw.exe
  2⤵
  PID:1496
- C:\Windows\System\pWRRhYp.exe
  C:\Windows\System\pWRRhYp.exe
  2⤵
  PID:2116
- C:\Windows\System\jCbvtsm.exe
  C:\Windows\System\jCbvtsm.exe
  2⤵
  PID:1240
- C:\Windows\System\ILwjuXG.exe
  C:\Windows\System\ILwjuXG.exe
  2⤵
  PID:2876
- C:\Windows\System\aTRSAmt.exe
  C:\Windows\System\aTRSAmt.exe
  2⤵
  PID:4788
- C:\Windows\System\kWhQtin.exe
  C:\Windows\System\kWhQtin.exe
  2⤵
  PID:4576
- C:\Windows\System\wLiUQoh.exe
  C:\Windows\System\wLiUQoh.exe
  2⤵
  PID:1920
- C:\Windows\System\scZfwmA.exe
  C:\Windows\System\scZfwmA.exe
  2⤵
  PID:2452
- C:\Windows\System\qtrTmWe.exe
  C:\Windows\System\qtrTmWe.exe
  2⤵
  PID:800
- C:\Windows\System\lKXKbbY.exe
  C:\Windows\System\lKXKbbY.exe
  2⤵
  PID:4560
- C:\Windows\System\PoeINmA.exe
  C:\Windows\System\PoeINmA.exe
  2⤵
  PID:2096
- C:\Windows\System\jgLbDcT.exe
  C:\Windows\System\jgLbDcT.exe
  2⤵
  PID:4084
- C:\Windows\System\GnHeBIn.exe
  C:\Windows\System\GnHeBIn.exe
  2⤵
  PID:2560
- C:\Windows\System\ssGbprw.exe
  C:\Windows\System\ssGbprw.exe
  2⤵
  PID:7188
- C:\Windows\System\bANpWnB.exe
  C:\Windows\System\bANpWnB.exe
  2⤵
  PID:7224
- C:\Windows\System\eOulJUe.exe
  C:\Windows\System\eOulJUe.exe
  2⤵
  PID:7276
- C:\Windows\System\kErhfLR.exe
  C:\Windows\System\kErhfLR.exe
  2⤵
  PID:7332
- C:\Windows\System\WqPDHAU.exe
  C:\Windows\System\WqPDHAU.exe
  2⤵
  PID:7360
- C:\Windows\System\PfyGeaJ.exe
  C:\Windows\System\PfyGeaJ.exe
  2⤵
  PID:7416
- C:\Windows\System\WFDXGys.exe
  C:\Windows\System\WFDXGys.exe
  2⤵
  PID:7444
- C:\Windows\System\NzaxOuh.exe
  C:\Windows\System\NzaxOuh.exe
  2⤵
  PID:7492
- C:\Windows\System\ywxdovw.exe
  C:\Windows\System\ywxdovw.exe
  2⤵
  PID:7528
- C:\Windows\System\JWWGizh.exe
  C:\Windows\System\JWWGizh.exe
  2⤵
  PID:7568
- C:\Windows\System\DkzPUyj.exe
  C:\Windows\System\DkzPUyj.exe
  2⤵
  PID:7588
- C:\Windows\System\XzXYzdL.exe
  C:\Windows\System\XzXYzdL.exe
  2⤵
  PID:7612
- C:\Windows\System\rHOKtsp.exe
  C:\Windows\System\rHOKtsp.exe
  2⤵
  PID:7652
- C:\Windows\System\IucjOSU.exe
  C:\Windows\System\IucjOSU.exe
  2⤵
  PID:7692
- C:\Windows\System\nHOXYOb.exe
  C:\Windows\System\nHOXYOb.exe
  2⤵
  PID:7716
- C:\Windows\System\cTFZfKV.exe
  C:\Windows\System\cTFZfKV.exe
  2⤵
  PID:7736
- C:\Windows\System\eZhVkDU.exe
  C:\Windows\System\eZhVkDU.exe
  2⤵
  PID:7768
- C:\Windows\System\pWIJzFJ.exe
  C:\Windows\System\pWIJzFJ.exe
  2⤵
  PID:7804
- C:\Windows\System\CHMACwj.exe
  C:\Windows\System\CHMACwj.exe
  2⤵
  PID:7860
- C:\Windows\System\uURdBVC.exe
  C:\Windows\System\uURdBVC.exe
  2⤵
  PID:7888
- C:\Windows\System\IHuWEDo.exe
  C:\Windows\System\IHuWEDo.exe
  2⤵
  PID:7928
- C:\Windows\System\zGKmXDL.exe
  C:\Windows\System\zGKmXDL.exe
  2⤵
  PID:7956
- C:\Windows\System\uCDIoSd.exe
  C:\Windows\System\uCDIoSd.exe
  2⤵
  PID:7976
- C:\Windows\System\QZWQBQE.exe
  C:\Windows\System\QZWQBQE.exe
  2⤵
  PID:8008
- C:\Windows\System\NWpkZWx.exe
  C:\Windows\System\NWpkZWx.exe
  2⤵
  PID:8036
- C:\Windows\System\skHxVEl.exe
  C:\Windows\System\skHxVEl.exe
  2⤵
  PID:8076
- C:\Windows\System\KqwAatl.exe
  C:\Windows\System\KqwAatl.exe
  2⤵
  PID:8104
- C:\Windows\System\WYYzcFj.exe
  C:\Windows\System\WYYzcFj.exe
  2⤵
  PID:8136
- C:\Windows\System\tQFwIxy.exe
  C:\Windows\System\tQFwIxy.exe
  2⤵
  PID:8164
- C:\Windows\System\Miyvavm.exe
  C:\Windows\System\Miyvavm.exe
  2⤵
  PID:1984
- C:\Windows\System\MFaiyxB.exe
  C:\Windows\System\MFaiyxB.exe
  2⤵
  PID:7220
- C:\Windows\System\ChyQcVb.exe
  C:\Windows\System\ChyQcVb.exe
  2⤵
  PID:7352
- C:\Windows\System\PQGWlQu.exe
  C:\Windows\System\PQGWlQu.exe
  2⤵
  PID:2000
- C:\Windows\System\TpRuzIj.exe
  C:\Windows\System\TpRuzIj.exe
  2⤵
  PID:4232
- C:\Windows\System\ZBEoYyw.exe
  C:\Windows\System\ZBEoYyw.exe
  2⤵
  PID:7540
- C:\Windows\System\evMCGhd.exe
  C:\Windows\System\evMCGhd.exe
  2⤵
  PID:7604
- C:\Windows\System\NMjhhLO.exe
  C:\Windows\System\NMjhhLO.exe
  2⤵
  PID:7680
- C:\Windows\System\YGVsJTa.exe
  C:\Windows\System\YGVsJTa.exe
  2⤵
  PID:7752
- C:\Windows\System\vTVSMph.exe
  C:\Windows\System\vTVSMph.exe
  2⤵
  PID:7796
- C:\Windows\System\nOIxnUZ.exe
  C:\Windows\System\nOIxnUZ.exe
  2⤵
  PID:7912
- C:\Windows\System\GLIcEnE.exe
  C:\Windows\System\GLIcEnE.exe
  2⤵
  PID:7968
- C:\Windows\System\yOJwQtv.exe
  C:\Windows\System\yOJwQtv.exe
  2⤵
  PID:8032
- C:\Windows\System\zsXnBXE.exe
  C:\Windows\System\zsXnBXE.exe
  2⤵
  PID:8116
- C:\Windows\System\kniZfoF.exe
  C:\Windows\System\kniZfoF.exe
  2⤵
  PID:7208
- C:\Windows\System\crbchRm.exe
  C:\Windows\System\crbchRm.exe
  2⤵
  PID:5112
- C:\Windows\System\aMNiBcq.exe
  C:\Windows\System\aMNiBcq.exe
  2⤵
  PID:7748
- C:\Windows\System\KpzGDMq.exe
  C:\Windows\System\KpzGDMq.exe
  2⤵
  PID:7940
- C:\Windows\System\PECbzoZ.exe
  C:\Windows\System\PECbzoZ.exe
  2⤵
  PID:3752
- C:\Windows\System\KxfvDML.exe
  C:\Windows\System\KxfvDML.exe
  2⤵
  PID:8196
- C:\Windows\System\wWtfsHo.exe
  C:\Windows\System\wWtfsHo.exe
  2⤵
  PID:8224
- C:\Windows\System\tOAlbib.exe
  C:\Windows\System\tOAlbib.exe
  2⤵
  PID:8260
- C:\Windows\System\rgNnQJk.exe
  C:\Windows\System\rgNnQJk.exe
  2⤵
  PID:8300
- C:\Windows\System\qFKsuYJ.exe
  C:\Windows\System\qFKsuYJ.exe
  2⤵
  PID:8324
- C:\Windows\System\OzaTicR.exe
  C:\Windows\System\OzaTicR.exe
  2⤵
  PID:8348
- C:\Windows\System\ufztugD.exe
  C:\Windows\System\ufztugD.exe
  2⤵
  PID:8384
- C:\Windows\System\YgCFeeV.exe
  C:\Windows\System\YgCFeeV.exe
  2⤵
  PID:8400
- C:\Windows\System\SFYPrnG.exe
  C:\Windows\System\SFYPrnG.exe
  2⤵
  PID:8440
- C:\Windows\System\WnRxxni.exe
  C:\Windows\System\WnRxxni.exe
  2⤵
  PID:8484
- C:\Windows\System\vuPVlCU.exe
  C:\Windows\System\vuPVlCU.exe
  2⤵
  PID:8516
- C:\Windows\System\rwbXZUg.exe
  C:\Windows\System\rwbXZUg.exe
  2⤵
  PID:8544
- C:\Windows\System\VVUrkWA.exe
  C:\Windows\System\VVUrkWA.exe
  2⤵
  PID:8564
- C:\Windows\System\ImCrFPO.exe
  C:\Windows\System\ImCrFPO.exe
  2⤵
  PID:8600
- C:\Windows\System\IHUMQbd.exe
  C:\Windows\System\IHUMQbd.exe
  2⤵
  PID:8632
- C:\Windows\System\ogolIBS.exe
  C:\Windows\System\ogolIBS.exe
  2⤵
  PID:8660
- C:\Windows\System\LwqwIJs.exe
  C:\Windows\System\LwqwIJs.exe
  2⤵
  PID:8696
- C:\Windows\System\yJhTyGr.exe
  C:\Windows\System\yJhTyGr.exe
  2⤵
  PID:8728
- C:\Windows\System\OYlHtwX.exe
  C:\Windows\System\OYlHtwX.exe
  2⤵
  PID:8748
- C:\Windows\System\NzOafEN.exe
  C:\Windows\System\NzOafEN.exe
  2⤵
  PID:8768
- C:\Windows\System\bJRrfnU.exe
  C:\Windows\System\bJRrfnU.exe
  2⤵
  PID:8804
- C:\Windows\System\JsMwYtS.exe
  C:\Windows\System\JsMwYtS.exe
  2⤵
  PID:8840
- C:\Windows\System\YFnbBDQ.exe
  C:\Windows\System\YFnbBDQ.exe
  2⤵
  PID:8868
- C:\Windows\System\ZrkHUiR.exe
  C:\Windows\System\ZrkHUiR.exe
  2⤵
  PID:8904
- C:\Windows\System\cXIMQUd.exe
  C:\Windows\System\cXIMQUd.exe
  2⤵
  PID:8940
- C:\Windows\System\WrsnQuz.exe
  C:\Windows\System\WrsnQuz.exe
  2⤵
  PID:8992
- C:\Windows\System\EjTpaHB.exe
  C:\Windows\System\EjTpaHB.exe
  2⤵
  PID:9008
- C:\Windows\System\DOMIAzw.exe
  C:\Windows\System\DOMIAzw.exe
  2⤵
  PID:9036
- C:\Windows\System\ANwuunN.exe
  C:\Windows\System\ANwuunN.exe
  2⤵
  PID:9064
- C:\Windows\System\lYoRYYJ.exe
  C:\Windows\System\lYoRYYJ.exe
  2⤵
  PID:9092
- C:\Windows\System\LliXudH.exe
  C:\Windows\System\LliXudH.exe
  2⤵
  PID:9132
- C:\Windows\System\abSadxz.exe
  C:\Windows\System\abSadxz.exe
  2⤵
  PID:9164
- C:\Windows\System\lazHPej.exe
  C:\Windows\System\lazHPej.exe
  2⤵
  PID:9192
- C:\Windows\System\npALIPJ.exe
  C:\Windows\System\npALIPJ.exe
  2⤵
  PID:7200
- C:\Windows\System\wYNYWgt.exe
  C:\Windows\System\wYNYWgt.exe
  2⤵
  PID:8248
- C:\Windows\System\aCHpDqn.exe
  C:\Windows\System\aCHpDqn.exe
  2⤵
  PID:8316
- C:\Windows\System\EJjeRnJ.exe
  C:\Windows\System\EJjeRnJ.exe
  2⤵
  PID:8380
- C:\Windows\System\SzRIxon.exe
  C:\Windows\System\SzRIxon.exe
  2⤵
  PID:8432
- C:\Windows\System\DVtNUiW.exe
  C:\Windows\System\DVtNUiW.exe
  2⤵
  PID:8496
- C:\Windows\System\yPgmluz.exe
  C:\Windows\System\yPgmluz.exe
  2⤵
  PID:8528
- C:\Windows\System\ivSEKWn.exe
  C:\Windows\System\ivSEKWn.exe
  2⤵
  PID:8592
- C:\Windows\System\ZTNsaxD.exe
  C:\Windows\System\ZTNsaxD.exe
  2⤵
  PID:8616
- C:\Windows\System\rflMrwe.exe
  C:\Windows\System\rflMrwe.exe
  2⤵
  PID:8692
- C:\Windows\System\dCjMZpo.exe
  C:\Windows\System\dCjMZpo.exe
  2⤵
  PID:8744
- C:\Windows\System\uwDEjOc.exe
  C:\Windows\System\uwDEjOc.exe
  2⤵
  PID:8816
- C:\Windows\System\jOJZlPI.exe
  C:\Windows\System\jOJZlPI.exe
  2⤵
  PID:8896
- C:\Windows\System\hwPNEFU.exe
  C:\Windows\System\hwPNEFU.exe
  2⤵
  PID:8924
- C:\Windows\System\nVHMXNO.exe
  C:\Windows\System\nVHMXNO.exe
  2⤵
  PID:8980
- C:\Windows\System\mQaexuE.exe
  C:\Windows\System\mQaexuE.exe
  2⤵
  PID:9020
- C:\Windows\System\zzjThJg.exe
  C:\Windows\System\zzjThJg.exe
  2⤵
  PID:9084
- C:\Windows\System\akVFuvU.exe
  C:\Windows\System\akVFuvU.exe
  2⤵
  PID:9112
- C:\Windows\System\HegdjgG.exe
  C:\Windows\System\HegdjgG.exe
  2⤵
  PID:8184
- C:\Windows\System\OFNvJGb.exe
  C:\Windows\System\OFNvJGb.exe
  2⤵
  PID:9212
- C:\Windows\System\lOkooww.exe
  C:\Windows\System\lOkooww.exe
  2⤵
  PID:8292
- C:\Windows\System\nxLDCdZ.exe
  C:\Windows\System\nxLDCdZ.exe
  2⤵
  PID:8420
- C:\Windows\System\nDxvrmo.exe
  C:\Windows\System\nDxvrmo.exe
  2⤵
  PID:8508
- C:\Windows\System\bAlTcfZ.exe
  C:\Windows\System\bAlTcfZ.exe
  2⤵
  PID:8688
- C:\Windows\System\pZqKacu.exe
  C:\Windows\System\pZqKacu.exe
  2⤵
  PID:8796
- C:\Windows\System\bdaizrH.exe
  C:\Windows\System\bdaizrH.exe
  2⤵
  PID:7184
- C:\Windows\System\yAJJXBp.exe
  C:\Windows\System\yAJJXBp.exe
  2⤵
  PID:9048
- C:\Windows\System\rCfzodE.exe
  C:\Windows\System\rCfzodE.exe
  2⤵
  PID:8912
- C:\Windows\System\JlHYrRX.exe
  C:\Windows\System\JlHYrRX.exe
  2⤵
  PID:8376
- C:\Windows\System\TPzYbkk.exe
  C:\Windows\System\TPzYbkk.exe
  2⤵
  PID:8624
- C:\Windows\System\oaTtJHw.exe
  C:\Windows\System\oaTtJHw.exe
  2⤵
  PID:4132
- C:\Windows\System\JpdwPno.exe
  C:\Windows\System\JpdwPno.exe
  2⤵
  PID:9204
- C:\Windows\System\HyjBYye.exe
  C:\Windows\System\HyjBYye.exe
  2⤵
  PID:8864
- C:\Windows\System\IEqdMIH.exe
  C:\Windows\System\IEqdMIH.exe
  2⤵
  PID:8740
- C:\Windows\System\niQYjuT.exe
  C:\Windows\System\niQYjuT.exe
  2⤵
  PID:9232
- C:\Windows\System\RHvlrQD.exe
  C:\Windows\System\RHvlrQD.exe
  2⤵
  PID:9260
- C:\Windows\System\lwXDgGX.exe
  C:\Windows\System\lwXDgGX.exe
  2⤵
  PID:9288
- C:\Windows\System\UDrmhiA.exe
  C:\Windows\System\UDrmhiA.exe
  2⤵
  PID:9320
- C:\Windows\System\DWyfUWt.exe
  C:\Windows\System\DWyfUWt.exe
  2⤵
  PID:9356
- C:\Windows\System\gwXrHZn.exe
  C:\Windows\System\gwXrHZn.exe
  2⤵
  PID:9384
- C:\Windows\System\CdPdeAs.exe
  C:\Windows\System\CdPdeAs.exe
  2⤵
  PID:9412
- C:\Windows\System\QyPaaJW.exe
  C:\Windows\System\QyPaaJW.exe
  2⤵
  PID:9440
- C:\Windows\System\gspYdkZ.exe
  C:\Windows\System\gspYdkZ.exe
  2⤵
  PID:9468
- C:\Windows\System\bRXrWFY.exe
  C:\Windows\System\bRXrWFY.exe
  2⤵
  PID:9496
- C:\Windows\System\ZpfWzHY.exe
  C:\Windows\System\ZpfWzHY.exe
  2⤵
  PID:9524
- C:\Windows\System\ShduXsP.exe
  C:\Windows\System\ShduXsP.exe
  2⤵
  PID:9552
- C:\Windows\System\HiMeHgO.exe
  C:\Windows\System\HiMeHgO.exe
  2⤵
  PID:9580
- C:\Windows\System\JQbzBMe.exe
  C:\Windows\System\JQbzBMe.exe
  2⤵
  PID:9608
- C:\Windows\System\fkIvNRq.exe
  C:\Windows\System\fkIvNRq.exe
  2⤵
  PID:9636
- C:\Windows\System\IfPDkHq.exe
  C:\Windows\System\IfPDkHq.exe
  2⤵
  PID:9664
- C:\Windows\System\ylOohDr.exe
  C:\Windows\System\ylOohDr.exe
  2⤵
  PID:9692
- C:\Windows\System\DoXqTta.exe
  C:\Windows\System\DoXqTta.exe
  2⤵
  PID:9720
- C:\Windows\System\WAQyoHy.exe
  C:\Windows\System\WAQyoHy.exe
  2⤵
  PID:9760
- C:\Windows\System\yBrQyWM.exe
  C:\Windows\System\yBrQyWM.exe
  2⤵
  PID:9776
- C:\Windows\System\CliwipG.exe
  C:\Windows\System\CliwipG.exe
  2⤵
  PID:9804
- C:\Windows\System\vikTrfx.exe
  C:\Windows\System\vikTrfx.exe
  2⤵
  PID:9832
- C:\Windows\System\khFKasn.exe
  C:\Windows\System\khFKasn.exe
  2⤵
  PID:9868
- C:\Windows\System\UTPisEY.exe
  C:\Windows\System\UTPisEY.exe
  2⤵
  PID:9888
- C:\Windows\System\wReEXjc.exe
  C:\Windows\System\wReEXjc.exe
  2⤵
  PID:9916
- C:\Windows\System\oEpIzlF.exe
  C:\Windows\System\oEpIzlF.exe
  2⤵
  PID:9944
- C:\Windows\System\qWlDNIB.exe
  C:\Windows\System\qWlDNIB.exe
  2⤵
  PID:9972
- C:\Windows\System\IuPnjVK.exe
  C:\Windows\System\IuPnjVK.exe
  2⤵
  PID:10004
- C:\Windows\System\yIfxzMT.exe
  C:\Windows\System\yIfxzMT.exe
  2⤵
  PID:10032
- C:\Windows\System\UnOSEvO.exe
  C:\Windows\System\UnOSEvO.exe
  2⤵
  PID:10060
- C:\Windows\System\PRXQiXO.exe
  C:\Windows\System\PRXQiXO.exe
  2⤵
  PID:10088
- C:\Windows\System\ULEfGrY.exe
  C:\Windows\System\ULEfGrY.exe
  2⤵
  PID:10116
- C:\Windows\System\mvqxzJr.exe
  C:\Windows\System\mvqxzJr.exe
  2⤵
  PID:10148
- C:\Windows\System\qmLFSiU.exe
  C:\Windows\System\qmLFSiU.exe
  2⤵
  PID:10204
- C:\Windows\System\ZsmbBnf.exe
  C:\Windows\System\ZsmbBnf.exe
  2⤵
  PID:9244
- C:\Windows\System\vDDkycO.exe
  C:\Windows\System\vDDkycO.exe
  2⤵
  PID:9312
- C:\Windows\System\TGaUtnS.exe
  C:\Windows\System\TGaUtnS.exe
  2⤵
  PID:9380
- C:\Windows\System\SAghxvd.exe
  C:\Windows\System\SAghxvd.exe
  2⤵
  PID:9452
- C:\Windows\System\sHjYLrW.exe
  C:\Windows\System\sHjYLrW.exe
  2⤵
  PID:9516
- C:\Windows\System\fepysQE.exe
  C:\Windows\System\fepysQE.exe
  2⤵
  PID:9572
- C:\Windows\System\TfAJNMZ.exe
  C:\Windows\System\TfAJNMZ.exe
  2⤵
  PID:9632
- C:\Windows\System\BdknTHD.exe
  C:\Windows\System\BdknTHD.exe
  2⤵
  PID:9708
- C:\Windows\System\eSotqJS.exe
  C:\Windows\System\eSotqJS.exe
  2⤵
  PID:9744
- C:\Windows\System\HOlBwfv.exe
  C:\Windows\System\HOlBwfv.exe
  2⤵
  PID:9824
- C:\Windows\System\iaCnXEL.exe
  C:\Windows\System\iaCnXEL.exe
  2⤵
  PID:9884
- C:\Windows\System\cMgnHCM.exe
  C:\Windows\System\cMgnHCM.exe
  2⤵
  PID:9960
- C:\Windows\System\ZqwmieB.exe
  C:\Windows\System\ZqwmieB.exe
  2⤵
  PID:10024
- C:\Windows\System\lwtBQEZ.exe
  C:\Windows\System\lwtBQEZ.exe
  2⤵
  PID:10084
- C:\Windows\System\MREhOPD.exe
  C:\Windows\System\MREhOPD.exe
  2⤵
  PID:1760
- C:\Windows\System\lzSXlUZ.exe
  C:\Windows\System\lzSXlUZ.exe
  2⤵
  PID:3540
- C:\Windows\System\jZsYGKa.exe
  C:\Windows\System\jZsYGKa.exe
  2⤵
  PID:9376
- C:\Windows\System\UnWATHc.exe
  C:\Windows\System\UnWATHc.exe
  2⤵
  PID:9544
- C:\Windows\System\VmQmnPb.exe
  C:\Windows\System\VmQmnPb.exe
  2⤵
  PID:9684
- C:\Windows\System\LhMDVUB.exe
  C:\Windows\System\LhMDVUB.exe
  2⤵
  PID:9880
- C:\Windows\System\HinWVXG.exe
  C:\Windows\System\HinWVXG.exe
  2⤵
  PID:10020
- C:\Windows\System\SNtkhsa.exe
  C:\Windows\System\SNtkhsa.exe
  2⤵
  PID:10216
- C:\Windows\System\ppiBJME.exe
  C:\Windows\System\ppiBJME.exe
  2⤵
  PID:9600
- C:\Windows\System\kDCxzyE.exe
  C:\Windows\System\kDCxzyE.exe
  2⤵
  PID:9940
- C:\Windows\System\AxDnqcz.exe
  C:\Windows\System\AxDnqcz.exe
  2⤵
  PID:9512
- C:\Windows\System\TMdqINR.exe
  C:\Windows\System\TMdqINR.exe
  2⤵
  PID:9876
- C:\Windows\System\syTpfiE.exe
  C:\Windows\System\syTpfiE.exe
  2⤵
  PID:10260
- C:\Windows\System\NuIldtc.exe
  C:\Windows\System\NuIldtc.exe
  2⤵
  PID:10288
- C:\Windows\System\tjbQDMa.exe
  C:\Windows\System\tjbQDMa.exe
  2⤵
  PID:10320
- C:\Windows\System\sckbiNI.exe
  C:\Windows\System\sckbiNI.exe
  2⤵
  PID:10348
- C:\Windows\System\rDHerhF.exe
  C:\Windows\System\rDHerhF.exe
  2⤵
  PID:10376
- C:\Windows\System\ueKxMTC.exe
  C:\Windows\System\ueKxMTC.exe
  2⤵
  PID:10404
- C:\Windows\System\cJwMRdg.exe
  C:\Windows\System\cJwMRdg.exe
  2⤵
  PID:10432
- C:\Windows\System\ynVhWKs.exe
  C:\Windows\System\ynVhWKs.exe
  2⤵
  PID:10460
- C:\Windows\System\BHxEGVz.exe
  C:\Windows\System\BHxEGVz.exe
  2⤵
  PID:10488
- C:\Windows\System\fXMUVBs.exe
  C:\Windows\System\fXMUVBs.exe
  2⤵
  PID:10516
- C:\Windows\System\gZgfQyc.exe
  C:\Windows\System\gZgfQyc.exe
  2⤵
  PID:10544
- C:\Windows\System\OwPWXkF.exe
  C:\Windows\System\OwPWXkF.exe
  2⤵
  PID:10572
- C:\Windows\System\ofzWMBt.exe
  C:\Windows\System\ofzWMBt.exe
  2⤵
  PID:10600
- C:\Windows\System\DLutLbC.exe
  C:\Windows\System\DLutLbC.exe
  2⤵
  PID:10628
- C:\Windows\System\qWpqPEd.exe
  C:\Windows\System\qWpqPEd.exe
  2⤵
  PID:10656
- C:\Windows\System\zzEckHL.exe
  C:\Windows\System\zzEckHL.exe
  2⤵
  PID:10684
- C:\Windows\System\tCTaGAH.exe
  C:\Windows\System\tCTaGAH.exe
  2⤵
  PID:10712
- C:\Windows\System\jTeiwNE.exe
  C:\Windows\System\jTeiwNE.exe
  2⤵
  PID:10740
- C:\Windows\System\mhuVtoF.exe
  C:\Windows\System\mhuVtoF.exe
  2⤵
  PID:10780
- C:\Windows\System\ZVNykeZ.exe
  C:\Windows\System\ZVNykeZ.exe
  2⤵
  PID:10796
- C:\Windows\System\jwzyqMp.exe
  C:\Windows\System\jwzyqMp.exe
  2⤵
  PID:10824
- C:\Windows\System\IKbvLDI.exe
  C:\Windows\System\IKbvLDI.exe
  2⤵
  PID:10852
- C:\Windows\System\IHNyyWB.exe
  C:\Windows\System\IHNyyWB.exe
  2⤵
  PID:10880
- C:\Windows\System\UFpCNzP.exe
  C:\Windows\System\UFpCNzP.exe
  2⤵
  PID:10896
- C:\Windows\System\BpvXIIY.exe
  C:\Windows\System\BpvXIIY.exe
  2⤵
  PID:10912
- C:\Windows\System\BsFjATB.exe
  C:\Windows\System\BsFjATB.exe
  2⤵
  PID:10932
- C:\Windows\System\JJNzxPY.exe
  C:\Windows\System\JJNzxPY.exe
  2⤵
  PID:10968
- C:\Windows\System\NtZlKIU.exe
  C:\Windows\System\NtZlKIU.exe
  2⤵
  PID:11020
- C:\Windows\System\JIxhJQS.exe
  C:\Windows\System\JIxhJQS.exe
  2⤵
  PID:11056
- C:\Windows\System\aKWZUPn.exe
  C:\Windows\System\aKWZUPn.exe
  2⤵
  PID:11076
- C:\Windows\System\XMrCHJt.exe
  C:\Windows\System\XMrCHJt.exe
  2⤵
  PID:11108
- C:\Windows\System\AjpfWQA.exe
  C:\Windows\System\AjpfWQA.exe
  2⤵
  PID:11136
- C:\Windows\System\IerGtKb.exe
  C:\Windows\System\IerGtKb.exe
  2⤵
  PID:11164
- C:\Windows\System\QHdpeZc.exe
  C:\Windows\System\QHdpeZc.exe
  2⤵
  PID:11192
- C:\Windows\System\WvRbcgx.exe
  C:\Windows\System\WvRbcgx.exe
  2⤵
  PID:11220
- C:\Windows\System\GTHlNyw.exe
  C:\Windows\System\GTHlNyw.exe
  2⤵
  PID:11248
- C:\Windows\System\HcvNhVn.exe
  C:\Windows\System\HcvNhVn.exe
  2⤵
  PID:10276
- C:\Windows\System\uziSAtP.exe
  C:\Windows\System\uziSAtP.exe
  2⤵
  PID:10312
- C:\Windows\System\cIRCmvi.exe
  C:\Windows\System\cIRCmvi.exe
  2⤵
  PID:10400
- C:\Windows\System\rcPTWXS.exe
  C:\Windows\System\rcPTWXS.exe
  2⤵
  PID:10476
- C:\Windows\System\iDDTZcG.exe
  C:\Windows\System\iDDTZcG.exe
  2⤵
  PID:10536
- C:\Windows\System\jEHuqaZ.exe
  C:\Windows\System\jEHuqaZ.exe
  2⤵
  PID:10596
- C:\Windows\System\dJogQYi.exe
  C:\Windows\System\dJogQYi.exe
  2⤵
  PID:10668
- C:\Windows\System\xjsXlfM.exe
  C:\Windows\System\xjsXlfM.exe
  2⤵
  PID:10732
- C:\Windows\System\KUlLjkp.exe
  C:\Windows\System\KUlLjkp.exe
  2⤵
  PID:1264
- C:\Windows\System\uAsFmzT.exe
  C:\Windows\System\uAsFmzT.exe
  2⤵
  PID:4904
- C:\Windows\System\tikBGFe.exe
  C:\Windows\System\tikBGFe.exe
  2⤵
  PID:7644
- C:\Windows\System\osMOzHi.exe
  C:\Windows\System\osMOzHi.exe
  2⤵
  PID:7788
- C:\Windows\System\KNNAWrE.exe
  C:\Windows\System\KNNAWrE.exe
  2⤵
  PID:4536
- C:\Windows\System\WnDMMUT.exe
  C:\Windows\System\WnDMMUT.exe
  2⤵
  PID:10836
- C:\Windows\System\ZXjokLr.exe
  C:\Windows\System\ZXjokLr.exe
  2⤵
  PID:10892
- C:\Windows\System\riXvyhb.exe
  C:\Windows\System\riXvyhb.exe
  2⤵
  PID:10952
- C:\Windows\System\CKqGkBi.exe
  C:\Windows\System\CKqGkBi.exe
  2⤵
  PID:11004
- C:\Windows\System\dfeCpOw.exe
  C:\Windows\System\dfeCpOw.exe
  2⤵
  PID:11124
- C:\Windows\System\BlWKhOG.exe
  C:\Windows\System\BlWKhOG.exe
  2⤵
  PID:11156
- C:\Windows\System\oFemVGr.exe
  C:\Windows\System\oFemVGr.exe
  2⤵
  PID:11212
- C:\Windows\System\tiidnMo.exe
  C:\Windows\System\tiidnMo.exe
  2⤵
  PID:10304
- C:\Windows\System\gFHbtfY.exe
  C:\Windows\System\gFHbtfY.exe
  2⤵
  PID:10452
- C:\Windows\System\alSRzps.exe
  C:\Windows\System\alSRzps.exe
  2⤵
  PID:10592
- C:\Windows\System\ilntvUX.exe
  C:\Windows\System\ilntvUX.exe
  2⤵
  PID:7832
- C:\Windows\System\USXSGAX.exe
  C:\Windows\System\USXSGAX.exe
  2⤵
  PID:2832
- C:\Windows\System\WZcpTag.exe
  C:\Windows\System\WZcpTag.exe
  2⤵
  PID:3272
- C:\Windows\System\TgsOsYb.exe
  C:\Windows\System\TgsOsYb.exe
  2⤵
  PID:10920
- C:\Windows\System\oMnxIYx.exe
  C:\Windows\System\oMnxIYx.exe
  2⤵
  PID:11068
- C:\Windows\System\dbXIKkV.exe
  C:\Windows\System\dbXIKkV.exe
  2⤵
  PID:11216
- C:\Windows\System\sWRSMcc.exe
  C:\Windows\System\sWRSMcc.exe
  2⤵
  PID:10512
- C:\Windows\System\MNzbjOO.exe
  C:\Windows\System\MNzbjOO.exe
  2⤵
  PID:916
- C:\Windows\System\ItIIIhb.exe
  C:\Windows\System\ItIIIhb.exe
  2⤵
  PID:4112
- C:\Windows\System\MsIpaSG.exe
  C:\Windows\System\MsIpaSG.exe
  2⤵
  PID:11132
- C:\Windows\System\JOZXlGj.exe
  C:\Windows\System\JOZXlGj.exe
  2⤵
  PID:1824
- C:\Windows\System\vtLZMuk.exe
  C:\Windows\System\vtLZMuk.exe
  2⤵
  PID:10388
- C:\Windows\System\tybMVMH.exe
  C:\Windows\System\tybMVMH.exe
  2⤵
  PID:11152
- C:\Windows\System\FIPfosu.exe
  C:\Windows\System\FIPfosu.exe
  2⤵
  PID:11292
- C:\Windows\System\qBxCJek.exe
  C:\Windows\System\qBxCJek.exe
  2⤵
  PID:11324
- C:\Windows\System\kGhbBXV.exe
  C:\Windows\System\kGhbBXV.exe
  2⤵
  PID:11352
- C:\Windows\System\cHVxIfN.exe
  C:\Windows\System\cHVxIfN.exe
  2⤵
  PID:11380
- C:\Windows\System\JpLEpwo.exe
  C:\Windows\System\JpLEpwo.exe
  2⤵
  PID:11408
- C:\Windows\System\FLIuIJY.exe
  C:\Windows\System\FLIuIJY.exe
  2⤵
  PID:11436
- C:\Windows\System\wEQGiGt.exe
  C:\Windows\System\wEQGiGt.exe
  2⤵
  PID:11464
- C:\Windows\System\NAcDczr.exe
  C:\Windows\System\NAcDczr.exe
  2⤵
  PID:11488
- C:\Windows\System\dUppqPK.exe
  C:\Windows\System\dUppqPK.exe
  2⤵
  PID:11520
- C:\Windows\System\eOdWZbN.exe
  C:\Windows\System\eOdWZbN.exe
  2⤵
  PID:11548
- C:\Windows\System\XjouoWW.exe
  C:\Windows\System\XjouoWW.exe
  2⤵
  PID:11576
- C:\Windows\System\DfVYgdO.exe
  C:\Windows\System\DfVYgdO.exe
  2⤵
  PID:11604
- C:\Windows\System\IdVFwei.exe
  C:\Windows\System\IdVFwei.exe
  2⤵
  PID:11632
- C:\Windows\System\kdWfnhf.exe
  C:\Windows\System\kdWfnhf.exe
  2⤵
  PID:11660
- C:\Windows\System\qKDhaeT.exe
  C:\Windows\System\qKDhaeT.exe
  2⤵
  PID:11688
- C:\Windows\System\HcDkuRY.exe
  C:\Windows\System\HcDkuRY.exe
  2⤵
  PID:11716
- C:\Windows\System\iieMenL.exe
  C:\Windows\System\iieMenL.exe
  2⤵
  PID:11736
- C:\Windows\System\kfnsqhL.exe
  C:\Windows\System\kfnsqhL.exe
  2⤵
  PID:11764
- C:\Windows\System\DqQUPhC.exe
  C:\Windows\System\DqQUPhC.exe
  2⤵
  PID:11796
- C:\Windows\System\RBObwjt.exe
  C:\Windows\System\RBObwjt.exe
  2⤵
  PID:11828
- C:\Windows\System\eHJSUYs.exe
  C:\Windows\System\eHJSUYs.exe
  2⤵
  PID:11856
- C:\Windows\System\WVplehS.exe
  C:\Windows\System\WVplehS.exe
  2⤵
  PID:11884
- C:\Windows\System\dRCSYUY.exe
  C:\Windows\System\dRCSYUY.exe
  2⤵
  PID:11912
- C:\Windows\System\pkkArjm.exe
  C:\Windows\System\pkkArjm.exe
  2⤵
  PID:11940
- C:\Windows\System\tKyHEsl.exe
  C:\Windows\System\tKyHEsl.exe
  2⤵
  PID:11968
- C:\Windows\System\vzydntE.exe
  C:\Windows\System\vzydntE.exe
  2⤵
  PID:11996
- C:\Windows\System\XmmxdkM.exe
  C:\Windows\System\XmmxdkM.exe
  2⤵
  PID:12020
- C:\Windows\System\mtyNqAh.exe
  C:\Windows\System\mtyNqAh.exe
  2⤵
  PID:12052
- C:\Windows\System\rlwOUGF.exe
  C:\Windows\System\rlwOUGF.exe
  2⤵
  PID:12080
- C:\Windows\System\sbEWpgw.exe
  C:\Windows\System\sbEWpgw.exe
  2⤵
  PID:12108
- C:\Windows\System\nEgOGRI.exe
  C:\Windows\System\nEgOGRI.exe
  2⤵
  PID:12136
- C:\Windows\System\whAGcTQ.exe
  C:\Windows\System\whAGcTQ.exe
  2⤵
  PID:12164
- C:\Windows\System\HGmGFlr.exe
  C:\Windows\System\HGmGFlr.exe
  2⤵
  PID:12180
- C:\Windows\System\cFHkqSU.exe
  C:\Windows\System\cFHkqSU.exe
  2⤵
  PID:12220
- C:\Windows\System\sVoaaNz.exe
  C:\Windows\System\sVoaaNz.exe
  2⤵
  PID:12248
- C:\Windows\System\pVyfKaE.exe
  C:\Windows\System\pVyfKaE.exe
  2⤵
  PID:12276
- C:\Windows\System\FAbuTRb.exe
  C:\Windows\System\FAbuTRb.exe
  2⤵
  PID:11308
- C:\Windows\System\hQQxmHo.exe
  C:\Windows\System\hQQxmHo.exe
  2⤵
  PID:11364
- C:\Windows\System\RJmezua.exe
  C:\Windows\System\RJmezua.exe
  2⤵
  PID:11372
- C:\Windows\System\iZoMrMP.exe
  C:\Windows\System\iZoMrMP.exe
  2⤵
  PID:11456
- C:\Windows\System\tyfsaCf.exe
  C:\Windows\System\tyfsaCf.exe
  2⤵
  PID:11504
- C:\Windows\System\dyIiana.exe
  C:\Windows\System\dyIiana.exe
  2⤵
  PID:11596
- C:\Windows\System\nOeVqTb.exe
  C:\Windows\System\nOeVqTb.exe
  2⤵
  PID:11672
- C:\Windows\System\iRBIkJK.exe
  C:\Windows\System\iRBIkJK.exe
  2⤵
  PID:11708
- C:\Windows\System\fIhHHwk.exe
  C:\Windows\System\fIhHHwk.exe
  2⤵
  PID:11804
- C:\Windows\System\AdJjFIc.exe
  C:\Windows\System\AdJjFIc.exe
  2⤵
  PID:11876
- C:\Windows\System\AUMwCvK.exe
  C:\Windows\System\AUMwCvK.exe
  2⤵
  PID:11904
- C:\Windows\System\ByMtZHQ.exe
  C:\Windows\System\ByMtZHQ.exe
  2⤵
  PID:11992
- C:\Windows\System\IcwaEdl.exe
  C:\Windows\System\IcwaEdl.exe
  2⤵
  PID:12068
- C:\Windows\System\JZosjEO.exe
  C:\Windows\System\JZosjEO.exe
  2⤵
  PID:12128
- C:\Windows\System\wJdzyOa.exe
  C:\Windows\System\wJdzyOa.exe
  2⤵
  PID:12160
- C:\Windows\System\ZAUcJzk.exe
  C:\Windows\System\ZAUcJzk.exe
  2⤵
  PID:12244
- C:\Windows\System\LCaMoKA.exe
  C:\Windows\System\LCaMoKA.exe
  2⤵
  PID:11044
- C:\Windows\System\LVlsSSF.exe
  C:\Windows\System\LVlsSSF.exe
  2⤵
  PID:11448
- C:\Windows\System\LrimQWx.exe
  C:\Windows\System\LrimQWx.exe
  2⤵
  PID:11588
- C:\Windows\System\JZzFCdT.exe
  C:\Windows\System\JZzFCdT.exe
  2⤵
  PID:5000
- C:\Windows\System\sOtmkiX.exe
  C:\Windows\System\sOtmkiX.exe
  2⤵
  PID:3348
- C:\Windows\System\oiGoiBe.exe
  C:\Windows\System\oiGoiBe.exe
  2⤵
  PID:11872
- C:\Windows\System\mtagPQM.exe
  C:\Windows\System\mtagPQM.exe
  2⤵
  PID:12044
- C:\Windows\System\ZsIjeqq.exe
  C:\Windows\System\ZsIjeqq.exe
  2⤵
  PID:12120
- C:\Windows\System\UcmhftG.exe
  C:\Windows\System\UcmhftG.exe
  2⤵
  PID:11348
- C:\Windows\System\fhTknIE.exe
  C:\Windows\System\fhTknIE.exe
  2⤵
  PID:1056
- C:\Windows\System\GRzERFQ.exe
  C:\Windows\System\GRzERFQ.exe
  2⤵
  PID:11700
- C:\Windows\System\bdvcqwt.exe
  C:\Windows\System\bdvcqwt.exe
  2⤵
  PID:12104
- C:\Windows\System\bYMAvzy.exe
  C:\Windows\System\bYMAvzy.exe
  2⤵
  PID:2592
- C:\Windows\System\dPMkopH.exe
  C:\Windows\System\dPMkopH.exe
  2⤵
  PID:408
- C:\Windows\System\esAXnbC.exe
  C:\Windows\System\esAXnbC.exe
  2⤵
  PID:12304
- C:\Windows\System\DwjOmqa.exe
  C:\Windows\System\DwjOmqa.exe
  2⤵
  PID:12332
- C:\Windows\System\WvcLIAC.exe
  C:\Windows\System\WvcLIAC.exe
  2⤵
  PID:12360
- C:\Windows\System\uYZuKbg.exe
  C:\Windows\System\uYZuKbg.exe
  2⤵
  PID:12376
- C:\Windows\System\VpgfKGY.exe
  C:\Windows\System\VpgfKGY.exe
  2⤵
  PID:12416
- C:\Windows\System\bORvptB.exe
  C:\Windows\System\bORvptB.exe
  2⤵
  PID:12444
- C:\Windows\System\bHDqBOd.exe
  C:\Windows\System\bHDqBOd.exe
  2⤵
  PID:12464
- C:\Windows\System\oJyCNgB.exe
  C:\Windows\System\oJyCNgB.exe
  2⤵
  PID:12500
- C:\Windows\System\aWYSQMd.exe
  C:\Windows\System\aWYSQMd.exe
  2⤵
  PID:12528
- C:\Windows\System\EoskUPI.exe
  C:\Windows\System\EoskUPI.exe
  2⤵
  PID:12556
- C:\Windows\System\iDUhxah.exe
  C:\Windows\System\iDUhxah.exe
  2⤵
  PID:12584
- C:\Windows\System\iJxmXSs.exe
  C:\Windows\System\iJxmXSs.exe
  2⤵
  PID:12612
- C:\Windows\System\FZuWRog.exe
  C:\Windows\System\FZuWRog.exe
  2⤵
  PID:12628
- C:\Windows\System\VHvTqFN.exe
  C:\Windows\System\VHvTqFN.exe
  2⤵
  PID:12668
- C:\Windows\System\CVadsSj.exe
  C:\Windows\System\CVadsSj.exe
  2⤵
  PID:12696
- C:\Windows\System\foCRbRB.exe
  C:\Windows\System\foCRbRB.exe
  2⤵
  PID:12724
- C:\Windows\System\YdynuGh.exe
  C:\Windows\System\YdynuGh.exe
  2⤵
  PID:12752
- C:\Windows\System\imvgWvE.exe
  C:\Windows\System\imvgWvE.exe
  2⤵
  PID:12768
- C:\Windows\System\rtWcqUR.exe
  C:\Windows\System\rtWcqUR.exe
  2⤵
  PID:12796
- C:\Windows\System\EJkvInq.exe
  C:\Windows\System\EJkvInq.exe
  2⤵
  PID:12840
- C:\Windows\System\CmnyLNa.exe
  C:\Windows\System\CmnyLNa.exe
  2⤵
  PID:12868
- C:\Windows\System\uocuGJW.exe
  C:\Windows\System\uocuGJW.exe
  2⤵
  PID:12884
- C:\Windows\System\HMsmPOf.exe
  C:\Windows\System\HMsmPOf.exe
  2⤵
  PID:12924
- C:\Windows\System\vyUtGHs.exe
  C:\Windows\System\vyUtGHs.exe
  2⤵
  PID:12952
- C:\Windows\System\ybqZXEU.exe
  C:\Windows\System\ybqZXEU.exe
  2⤵
  PID:12968
- C:\Windows\System\slzrauH.exe
  C:\Windows\System\slzrauH.exe
  2⤵
  PID:13008
- C:\Windows\System\LdHIPKL.exe
  C:\Windows\System\LdHIPKL.exe
  2⤵
  PID:13036
- C:\Windows\System\FgZQymu.exe
  C:\Windows\System\FgZQymu.exe
  2⤵
  PID:13064
- C:\Windows\System\foAyIYp.exe
  C:\Windows\System\foAyIYp.exe
  2⤵
  PID:13092
- C:\Windows\System\QWOWIRC.exe
  C:\Windows\System\QWOWIRC.exe
  2⤵
  PID:13120
- C:\Windows\System\iGlLmpO.exe
  C:\Windows\System\iGlLmpO.exe
  2⤵
  PID:13148
- C:\Windows\System\cbDRmYe.exe
  C:\Windows\System\cbDRmYe.exe
  2⤵
  PID:12552
- C:\Windows\System\YpuLLyM.exe
  C:\Windows\System\YpuLLyM.exe
  2⤵
  PID:12600
- C:\Windows\System\jOidwUt.exe
  C:\Windows\System\jOidwUt.exe
  2⤵
  PID:12656
- C:\Windows\System\CLyIwVV.exe
  C:\Windows\System\CLyIwVV.exe
  2⤵
  PID:12740
- C:\Windows\System\JqyHyZz.exe
  C:\Windows\System\JqyHyZz.exe
  2⤵
  PID:12792
- C:\Windows\System\vsXGety.exe
  C:\Windows\System\vsXGety.exe
  2⤵
  PID:12864
- C:\Windows\System\aIbdXIQ.exe
  C:\Windows\System\aIbdXIQ.exe
  2⤵
  PID:12912
- C:\Windows\System\VCdJihp.exe
  C:\Windows\System\VCdJihp.exe
  2⤵
  PID:12992
- C:\Windows\System\oKkutmk.exe
  C:\Windows\System\oKkutmk.exe
  2⤵
  PID:13060
- C:\Windows\System\EsDwRdW.exe
  C:\Windows\System\EsDwRdW.exe
  2⤵
  PID:13136
- C:\Windows\System\mewqtpO.exe
  C:\Windows\System\mewqtpO.exe
  2⤵
  PID:13192
- C:\Windows\System\YrlRYKG.exe
  C:\Windows\System\YrlRYKG.exe
  2⤵
  PID:13208
- C:\Windows\System\qjoMXLy.exe
  C:\Windows\System\qjoMXLy.exe
  2⤵
  PID:13248
- C:\Windows\System\qQgsRTE.exe
  C:\Windows\System\qQgsRTE.exe
  2⤵
  PID:13264
- C:\Windows\System\fOXEJzg.exe
  C:\Windows\System\fOXEJzg.exe
  2⤵
  PID:13308
- C:\Windows\System\GVyOuRR.exe
  C:\Windows\System\GVyOuRR.exe
  2⤵
  PID:12344
- C:\Windows\System\UReGsFx.exe
  C:\Windows\System\UReGsFx.exe
  2⤵
  PID:12408
- C:\Windows\System\yapEAzu.exe
  C:\Windows\System\yapEAzu.exe
  2⤵
  PID:5084
- C:\Windows\System\pTqcCfq.exe
  C:\Windows\System\pTqcCfq.exe
  2⤵
  PID:13184
- C:\Windows\System\lqsuyUd.exe
  C:\Windows\System\lqsuyUd.exe
  2⤵
  PID:3696
- C:\Windows\System\QFaOKEq.exe
  C:\Windows\System\QFaOKEq.exe
  2⤵
  PID:4584
- C:\Windows\System\KIAKgAr.exe
  C:\Windows\System\KIAKgAr.exe
  2⤵
  PID:12980
- C:\Windows\System\gDOyBQL.exe
  C:\Windows\System\gDOyBQL.exe
  2⤵
  PID:12436
- C:\Windows\System\VJpWEGu.exe
  C:\Windows\System\VJpWEGu.exe
  2⤵
  PID:1996
- C:\Windows\System\TvWCFlI.exe
  C:\Windows\System\TvWCFlI.exe
  2⤵
  PID:1652
- C:\Windows\System\XVmbqMc.exe
  C:\Windows\System\XVmbqMc.exe
  2⤵
  PID:12388
- C:\Windows\System\HoJBGBZ.exe
  C:\Windows\System\HoJBGBZ.exe
  2⤵
  PID:12496
- C:\Windows\System\ZQnUtfs.exe
  C:\Windows\System\ZQnUtfs.exe
  2⤵
  PID:5664
- C:\Windows\System\iAwUcSR.exe
  C:\Windows\System\iAwUcSR.exe
  2⤵
  PID:5100
- C:\Windows\System\JTVjDvJ.exe
  C:\Windows\System\JTVjDvJ.exe
  2⤵
  PID:2008
- C:\Windows\System\JKkfWPz.exe
  C:\Windows\System\JKkfWPz.exe
  2⤵
  PID:12780
- C:\Windows\System\DhkJwpT.exe
  C:\Windows\System\DhkJwpT.exe
  2⤵
  PID:13028
- C:\Windows\System\BWQQbLB.exe
  C:\Windows\System\BWQQbLB.exe
  2⤵
  PID:13048
- C:\Windows\System\EwkblRn.exe
  C:\Windows\System\EwkblRn.exe
  2⤵
  PID:13244
- C:\Windows\System\SPYegOG.exe
  C:\Windows\System\SPYegOG.exe
  2⤵
  PID:1840
- C:\Windows\System\fMhXihd.exe
  C:\Windows\System\fMhXihd.exe
  2⤵
  PID:5180
- C:\Windows\System\hJXxhqY.exe
  C:\Windows\System\hJXxhqY.exe
  2⤵
  PID:5136
- C:\Windows\System\BVqBLar.exe
  C:\Windows\System\BVqBLar.exe
  2⤵
  PID:12624
- C:\Windows\System\mYeKgUd.exe
  C:\Windows\System\mYeKgUd.exe
  2⤵
  PID:4160
- C:\Windows\System\KjSyIjc.exe
  C:\Windows\System\KjSyIjc.exe
  2⤵
  PID:12964
- C:\Windows\System\uNxrXCV.exe
  C:\Windows\System\uNxrXCV.exe
  2⤵
  PID:13220
- C:\Windows\System\pZCKecX.exe
  C:\Windows\System\pZCKecX.exe
  2⤵
  PID:12524
- C:\Windows\System\tojPmJG.exe
  C:\Windows\System\tojPmJG.exe
  2⤵
  PID:2416
- C:\Windows\System\stvkTSi.exe
  C:\Windows\System\stvkTSi.exe
  2⤵
  PID:12932

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4592 -i 4592 -h 452 -j 456 -s 468 -d 6604
1⤵
PID:7096

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:12440
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:7180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7904

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6888

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8044

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5052

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7980

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12268

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5976

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10088

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F1NI158F\microsoft.windows[1].xml

Filesize
97B

MD5
bdec77c88ca603e43887984c78e2412b

SHA1
6163faf9daa9a50f37019a74707c5145e81f6587

SHA256
00c588fff1d4728ae0e8e50a36ad99143300c656d00552aabc02d20e27caa61d

SHA512
1140a545baca7ef47e0759c5c90f2a100830406300dc9195145b5320c0a2b79ab322286d1b9dd469a5e0cdf2967ad14ea451abbafc3deb9b8610695b5fa0c639

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670419731256039.txt

Filesize
75KB

MD5
2b82b79676d8b96c2eed5d53161f3bb5

SHA1
8a21847d62c14ae3f76c1ca53faf496103d3c86d

SHA256
c383aee337a767b6567fc27a86af80651456e18495d0b9101924e32a08fafe84

SHA512
81a6f222c711b224643bf63c8a7f3d521375efa84b1aa58a21111623cad24f5896eafb74950efd74c1ee8efd2eba2dea9e9109bc56358b7386778bd20980428a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvt1sfvi.0gx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\DiWhVRN.exe

Filesize
3.4MB

MD5
ad2b82aa2c555f1140f49cdf59f2cfc3

SHA1
27f982cfa86e58889b0369c1db33889de67cfdf9

SHA256
39acd5efda388ede1afb1648dbaed6795490de1e0f0ac8a4caa5019328e92171

SHA512
a4c300258ead8a69ba48e737cb347cbe01ed48f69c6599e34703cc09f809a2a89833781db508d8fef076dcc495c35b3bf74083e38e6b89a3a89d396e9557bca7

Download Submit
C:\Windows\System\FKAzaTZ.exe

Filesize
3.4MB

MD5
9384c02c0caf443c448a5a1d5bf3472f

SHA1
b33e5ffabc59e724704c4305be73d48e74cc37af

SHA256
e79bd75c3f5e5b6c9ce08dec9612869453850facfb35e661d01df73fe8fe6681

SHA512
9f5206ec304c0af366a9751a3f5066f25162e9fd92903d163a097c28cd9237088669591ebadb7ae3271b8e1bc2c183d6810d04e9502a0d9c05232a0bb1565278

Download Submit
C:\Windows\System\GMrvoKe.exe

Filesize
3.4MB

MD5
1dc6de041e199cab35cb186e6e3ca49c

SHA1
7bc33eaf2c983e65f577c939cc81d5b608869f10

SHA256
d2cd72bb015987525c620ba5bd41d714fa82dfea9a062d88ae9d242b7ef37dee

SHA512
336f266c436d5c6576050f5a4cf141101bbfaff7e150bf48d9999b0c18ef8f9a9517a4ff6dd871f94ca7820eff5d33591e5cfa452b491ea4eb73ec26cc4c5c55

Download Submit
C:\Windows\System\GandwmZ.exe

Filesize
3.4MB

MD5
76b00bd0f2f927fad782e4c47f75fa2f

SHA1
f5f7c4af6019931f57ea1a808733733ab35bfe07

SHA256
91f13b2555d4abf0b79f79819d24698e5b53d7db14f26c79255b55d4a7abbc79

SHA512
9d4eb37f1c9a9056b35731943a55465cc6f59f3f6231b9cd482c54c857ca2900fb35675b9a6e1e9e25ede175537e0bc9e459acf2cc04ff00c5e2b80eebc80c02

Download Submit
C:\Windows\System\INrrxGH.exe

Filesize
3.4MB

MD5
c5655c507d5ef01f09d73f54a16ab916

SHA1
d3d27db278a31ab21d89e0d223ce42a41d210ece

SHA256
788e3a413e3023444c43061baf56e44b51e64d5b240e34bde07db3fca5cd6c1a

SHA512
d74df3467660f976a14f4842ab4265a1b6fb1b538856f485e571a931328e0154aea97da5225ef6d52e58ee15fa9ef8b474b3a47eecf56ab2319c0cccca8dce88

Download Submit
C:\Windows\System\JQoiyFX.exe

Filesize
3.4MB

MD5
9034e4d01e3358b2678fb3d2647c8b9d

SHA1
7caa942d58637b2020ccf34b340f344b2c3a4a0d

SHA256
568dfe90740a6c758bdd628a090938fea3ab359b8aba5727e7cff275edbd9f95

SHA512
95b0af1e23db545f91b2109a3e753c8625edc84945fce12691033c514bb5029105b772d19a399cbe5a0d3cdbb922876cd48fe43bb1930e88705c4385ea229140

Download Submit
C:\Windows\System\LRLsLnd.exe

Filesize
3.4MB

MD5
4513be7c535576626c26c93a60d2da4b

SHA1
7623f5f8afe1f8a8c830c4870943d452cbc999c3

SHA256
be2d1800d04c3e4a7df14656551533685e8d8d227940d0a1ad2026009c2c38be

SHA512
c54576bfa3ffb0a02b24657490ab09d9f8e117c75f54893ad238c671fae174c6038c93f203243cb2d08b358eb896c1491178ff61692b0cb95bb4d084f92377dc

Download Submit
C:\Windows\System\MAQiJck.exe

Filesize
3.4MB

MD5
091cfbd19344ea4404d5238d50c351e2

SHA1
c91e21a66ca97d1c2ac08af4d5689dc46cdf0476

SHA256
33ef9e6bcff465c0c595ab368c643fc05a1eb9b09f720ae92f45d35da88c7cc9

SHA512
528a721eb7f7b1f0e6fa897a403e438b3271fb7daf5c85a78c7cd287f2a3e6e069a4eee789f56b5d58636ca3f4a28feabb44964d5e717819b827b7dc4f493b13

Download Submit
C:\Windows\System\MEYibhh.exe

Filesize
3.4MB

MD5
0ff85117398469e7fe411a2bea6dff4b

SHA1
71e6ec22adabe67b0d759225a48849e56be586a3

SHA256
216194e1f8acf2e0631dc0000da85774e5af51578a1d8f754a9be08f200edacd

SHA512
7b66bd5b982a463c1f993d62bd5bbc4958ed515d83a3e248ef49fe5c4df03d2b6c1bb81cc20adce4acb7980ff9b4942073e9a3d1a6f06e4f973127d4033e4126

Download Submit
C:\Windows\System\NpZpImy.exe

Filesize
3.4MB

MD5
2fc89f52e43e0896245fcd7931da1ffb

SHA1
72c6c1d469c3f8780c7e2199f930a3b1171ed4c8

SHA256
6ab401080281f82a3047b853ce1c283814b38812ebd9239ab4032af9a7e3976f

SHA512
2f9e5b16c99f4e98976277a40d1fa78a63e3ea607adaa8a6d15493f762526f3e6cd604730a7e403c0b5ea9916769cef2d0eb72f9082fec6e3f2f8418f69907cd

Download Submit
C:\Windows\System\PcMKZOh.exe

Filesize
3.4MB

MD5
77e75e17191554bc6bc165013b7f46c3

SHA1
7c7eeec32626727858b83502a5ee13acdc725803

SHA256
4aca13c1d217e0c9f44e62dcfb779b48f7353950c912994195af55d45ad32fca

SHA512
1171a885c72f80b69239538a4783b06f43beef8a433bb26a7ddbbc75a6ed19c2e9d45b7875307c3ecde6ac7a89671126e9ea0d934e860f2b03546c99628801d1

Download Submit
C:\Windows\System\SqOgwMK.exe

Filesize
3.4MB

MD5
9998e1bbf4a6e4d54ab6d146be3df271

SHA1
3d9c14652703ce614c141cedb33a838ea22b870e

SHA256
7fccad83b120fe5c8b3b8679e8bf14860a339a24fea7a4270785765e684b7c6e

SHA512
29993fa89f90702e403890141ae1350d1c98e79b742fc674f3005240dc4fb5b4c3997e43e56fd830ee17f94a4f9b5477b4af1f2b96baf44b7ec70d9990b00856

Download Submit
C:\Windows\System\WwtiQMu.exe

Filesize
3.4MB

MD5
9fdad278a96978e590be08614015d194

SHA1
26ce7c462d6a6066529c94df57e6a7a54fd6bad1

SHA256
5e00046e1bc4f1f4cb9680fcc565265970f93f5bbb6282553b250af3160f5667

SHA512
feef5b2fb1ccbf06c52940047a5c09eb11fa3db58a30587c32b85ac95cdbdbc46b1c188e6a9ad3845446cc8fdef2ad764c3c31524f928b7ababac07c018c4e6f

Download Submit
C:\Windows\System\ZCOFaLv.exe

Filesize
3.4MB

MD5
7182b144a69cbff66ec4ea92944e7d73

SHA1
59f558a8cf44f5f1e635214dd0a5df56c6ddb844

SHA256
a77160c211441e30a54d0767162df768bb8828a618a3c09276a8c82b44b317c0

SHA512
719a0ed4921e619255c3b6cc2e26c8f70c9f22a6c951744760149b813669cc022b1cc80ff0a77f05d95a00fcc6fe69cd50220c971ecd68ad97de086f1bd96133

Download Submit
C:\Windows\System\bOoVVYA.exe

Filesize
3.4MB

MD5
849c247e38b6963c749836af96c7a1fb

SHA1
e51b765733b6386da35664ef038503e21eaf4a14

SHA256
fc2ef25d4dc88b170cb239a2f1cbdf01b9bb73da62568a9c6a96459bcb05d555

SHA512
25e1510f77e79c3ecf746e2647e0778e94bde6d0a1beb131280e50de002c167bc0689125166365be9a2da3de8cdccf144d67ea279e0770bd84d215cad2a5d4f4

Download Submit
C:\Windows\System\cTAABxo.exe

Filesize
3.4MB

MD5
a1c91698b8142cad59c6d2095ab64f9d

SHA1
50785774056c89c1402b30427f00f911bbc8445b

SHA256
09e9ad70de3e815ec2952d5ab0cd187e7955675a07633f56223a6675eee17257

SHA512
08ed44e443b94da46f8194e3039479394b41ced173b9e657b7f2bf78289f4ffa991128215b78c2985c25d96fa0e5a7604bfbf2463cb51117b1bd0b6a72ddac90

Download Submit
C:\Windows\System\dGaqTzg.exe

Filesize
3.4MB

MD5
cd9a75509be82d3ca4de654ae531c8f9

SHA1
44af55213d1ee6fa5f463171f789e7eea635fca5

SHA256
610deb6d1438690805cb11104fa8cd05b1fbfa683026343b330692edd2522d93

SHA512
656feff2441131323cfc1064e4d3513bb80a9adc5952418bec61f15012eaf740308f71f5063541791df555fd6d1b1253ba7a3fa411859b1f646f45b54dd4d41c

Download Submit
C:\Windows\System\fUYazyB.exe

Filesize
3.4MB

MD5
fa9443ed52214af2f7c2224394b89014

SHA1
41298c152babe0823a43084ccf4b9c1b5290b845

SHA256
dc1c03ba3cff9c93bea4d35ce2b56c3c2804994ab75e383b2ed7a7b74225140e

SHA512
473b8a8f848a57df771093a211833f78d2690c0d93cdf16be5c8499dad65bebbc397e9515cf36989d51cc61e439ddfda019509956cbe67f5bc4f5cc0d8dea2b8

Download Submit
C:\Windows\System\gZKzOKp.exe

Filesize
3.4MB

MD5
9f683ed3594ac8c249b3937a13ae1b39

SHA1
615c5ec71c812f3ef52cd89cd74083787c579309

SHA256
cc2673d7b00dc8258e53ae134f29ec87b62f66039eba078ce633d45f71c504db

SHA512
2dc9e2604b54d4d185bbaf93c1f35aa808c0a7cac2973ff7488a6df4bf45eeb47d1ba75bcea228a0723669ab9eb34130846b6e84e6b55e282cd86c243a0d09be

Download Submit
C:\Windows\System\gvhhpUx.exe

Filesize
3.4MB

MD5
7411ed1c57922799f84e2cf8007f4e90

SHA1
cabe2fefe538cac97051119b32da32abe90ecb13

SHA256
c9b8f9c1f6e7723d3e2528d57ed131c3c359447a4f85cc000558911885d2c481

SHA512
e08bf9159179e68be53e9205e9bac3f9b910d39b6d8eeff481a9f7979cd39807b7a2aeaef12cc2f4b5e0e5bd370bf8774d340fa166c40e3f2530485eab202946

Download Submit
C:\Windows\System\ihUIEwI.exe

Filesize
3.4MB

MD5
afa4c5d7e7029c521555286d179bf0ed

SHA1
2ebd8c994175cdfa9b43664db9be867996ec9418

SHA256
1caab56e35dff9cd1f56767ad6c8fead2ba34140ec27982f1a7a7648d7b9a83f

SHA512
5a66536e1e8dae3a01707ae96e5689026692014e745e56137b635e430aa300620daa595e30bbb3662985e93f5cf9b3b97391b8d3ce56a2c021bd8c12a162165c

Download Submit
C:\Windows\System\inzPHHd.exe

Filesize
3.4MB

MD5
d9bfe98a50d73fa220d2827a9f32f1ac

SHA1
316ea5b57791b37f255ab23643722ac1b9bd9cc0

SHA256
7bf2a21e6fd5bcab1bbf19c2831e93d17aac9a7f1584b7cefbb3c6c163010754

SHA512
e3e3f7e3a96a21bacc7eec67067251c11d46cb08b98a49b7f825f5feb254009cb90ec4e98409bd367ffb9378d6507a62e57dbe27f2ece30705a94abfb8f70979

Download Submit
C:\Windows\System\kOBrZzT.exe

Filesize
3.4MB

MD5
6d09397e9517c34d48be229d9903b69f

SHA1
eb9eb37182c76d66b8c4eaafd2b8ffcaa46285cc

SHA256
178227d8fff5b542347eff757c92b80ee0a6db3f1f97f5fbd2b699eea2cfb475

SHA512
dda0c91b86a87246fe62d9d58db7932870233576d33d5bd3de1feec78cd534facd70a5a4ef26e66f47d91ce60ea380f400787350640264417970438e64367b80

Download Submit
C:\Windows\System\nqXzaIS.exe

Filesize
3.4MB

MD5
cb07b8808e9e66732592a6a3986e0bd5

SHA1
45a3dbcf8430914d20fc38ebfea37a76cf4cc25f

SHA256
c25555d195aa2d4375198e714a761807eda4cf369c820d5292e2c2959823cf3e

SHA512
a29379cafe921d3ea28968ed8646a7bbfc6301482498d601f8c61665ac2d305bf65931ced39628af1e0bad5cdd7d3041460a7065aa5016ecc59801041bf0490a

Download Submit
C:\Windows\System\qloluyY.exe

Filesize
3.4MB

MD5
51350be23166766be14e63973b0e358f

SHA1
e09c2ea63029427867412a358df090c6a0ac1b61

SHA256
72733329b93c41f6ffa2aaf8a6d2c1648182e343aa349bde1052a104d1793146

SHA512
5a0211e69a3555dcc35839187d167f44f24a7838ea7cde7e135b1c7a3793930d6fceec7bf2b6e1b58b7e6cebc0f0f34988274fc9bf5b3cb79c54b49f859e623c

Download Submit
C:\Windows\System\rfqhUNy.exe

Filesize
3.4MB

MD5
43436b73e287f2fcf563e7ae83e218e7

SHA1
e8ac6684ed750a928db02c33a29bf65e4f38932d

SHA256
a72f663e4351dc5b191447d8962300c88427c5f58344d8303a5a1dbd3f4d14da

SHA512
f35c7e9ece661f0a56c766d4d63b2bb8b97a5f11811b93ece690d4d1120cc8898e6518f08603748cb9f43da0832bbd106ddca717b5da53afeebee726a780f903

Download Submit
C:\Windows\System\sNySPZx.exe

Filesize
3.4MB

MD5
0ae7e2c4915e21f86a8d4662e3595aca

SHA1
5c42230c0be25bbbc1046b9a2b5c7e631372f044

SHA256
19f697ab540f229da5cafccee4e61534e52af3800ad880655080ec984e231a07

SHA512
76d2e86517116f99213012c24f2fcd7364966374810023d95000083ac9953c79d2a3208d35ec0a5b82a10952455bf7f1b12b52ee3d73cd234e2f4654a405f1c4

Download Submit
C:\Windows\System\trVCbyg.exe

Filesize
3.4MB

MD5
b3193a7fc89c1f52646a407a94d5dfd0

SHA1
484f70eec92b6f3823b71867b2721cc948df111b

SHA256
e3016bca90b647b4a9cb6857a70552f8dc567464aa5cd2d5690f9a0afe922a32

SHA512
3e6a5055c58453f1d1cf7b4a17d45c6fea5c8e2d7fc2e8df2e888c68b575b4e527dbe29056630f9b500cc77f5af9e25815338b453eef13eaaff606eb8905b51a

Download Submit
C:\Windows\System\ukNiCuT.exe

Filesize
3.4MB

MD5
3085e82dad3c9c0d2b6a95c8f127a2da

SHA1
9a0276ba11cb1b562e307b3834a20f9f67ce65d2

SHA256
9e374a4ddac69f910c51ea512a7887c78754da00245cc384cd7a47a0ef73cda5

SHA512
aab5d3ef9d11a2d5e0a6948a021286ef108b9527d5e710cae0f9b710e4ee8026308e9f4c692ba1b3ec3a6b8d966facb5363e4959e303e385055259222371ba23

Download Submit
C:\Windows\System\xGmXngX.exe

Filesize
3.4MB

MD5
1db51603df08fc6927e1d234f6581499

SHA1
376ff3f5f6713405c016f677d0fe5c508a3f85ad

SHA256
27f70cec124ff66511f2cdd5e565321ec4ff3963fa416e43563afff3e636a815

SHA512
0abfbe5fef230c68deb93842a6fbeed7cb4952b9572e6f76c41d02d4a021be70b0ad16616a3c2932d52c31ada0ac16f96010c3657b37f8460cbeb24e3f0d3d63

Download Submit
C:\Windows\System\xxiiroy.exe

Filesize
3.4MB

MD5
ee001e83efdc8bb35ae2ec1802e0f165

SHA1
cce9cef4a787cb888ec73992a28751527a65a88b

SHA256
9f2fd835b34995a1eff728e43b6889959b35878607a275dfa68fc7aeb47f9de4

SHA512
0df99c743aa3b1f09d19ed128f89bdd870f2526075c86d7af5d08c2e72158c199fdd9ff18afdff2847f3c67163e37c1b6e36e3bd852f43643630d168c55a4de1

Download Submit
C:\Windows\System\zbublho.exe

Filesize
3.4MB

MD5
a76776b299352596bb15e6c6d4cf8078

SHA1
51ee930f950a229b6596949bcaa02776d7618f42

SHA256
6ae00e74d5b6c444944ed43842af674c8e16a92f2fb30f6b4125f1c9dc9da50c

SHA512
951db9f820c618617a349f3f028c59d4e618cbcf62cd47dfeed7cfd69e0643fcf9cf928ff2f350886208f6096e7b7b08315318f7fd750b169afd9da3510b0116

Download Submit
C:\Windows\System\zmOwWoD.exe

Filesize
3.4MB

MD5
cc559278eeb94cc21b039b11636bca7b

SHA1
cd4c38f67237d8c78c95dcb2e43749848531d2d5

SHA256
b2b02aef6406fcace696e512b0a15db297f98d07a542cd6c71dc222a02e9d0f5

SHA512
c303ea13953e9d133d395167d3e486297a97e79b31e3f40f7133359e3c96bdcc0894621e93ff89da6814b8ca3b02c4e845b57d3509d8dbc532a8d809e47f5457

Download Submit
memory/932-747-0x00007FF60B720000-0x00007FF60BB16000-memory.dmp

Filesize
4.0MB

Download
memory/932-4067-0x00007FF60B720000-0x00007FF60BB16000-memory.dmp

Filesize
4.0MB

Download
memory/1000-1-0x0000022C0CFF0000-0x0000022C0D000000-memory.dmp

Filesize
64KB

Download
memory/1000-0-0x00007FF6F45A0000-0x00007FF6F4996000-memory.dmp

Filesize
4.0MB

Download
memory/1064-40-0x00007FF6A51D0000-0x00007FF6A55C6000-memory.dmp

Filesize
4.0MB

Download
memory/1064-4057-0x00007FF6A51D0000-0x00007FF6A55C6000-memory.dmp

Filesize
4.0MB

Download
memory/1148-718-0x00007FF6550C0000-0x00007FF6554B6000-memory.dmp

Filesize
4.0MB

Download
memory/1148-4064-0x00007FF6550C0000-0x00007FF6554B6000-memory.dmp

Filesize
4.0MB

Download
memory/1280-4069-0x00007FF67BB00000-0x00007FF67BEF6000-memory.dmp

Filesize
4.0MB

Download
memory/1280-737-0x00007FF67BB00000-0x00007FF67BEF6000-memory.dmp

Filesize
4.0MB

Download
memory/1524-4056-0x00007FF799C20000-0x00007FF79A016000-memory.dmp

Filesize
4.0MB

Download
memory/1524-42-0x00007FF799C20000-0x00007FF79A016000-memory.dmp

Filesize
4.0MB

Download
memory/1736-661-0x00007FF75F7B0000-0x00007FF75FBA6000-memory.dmp

Filesize
4.0MB

Download
memory/1736-4054-0x00007FF75F7B0000-0x00007FF75FBA6000-memory.dmp

Filesize
4.0MB

Download
memory/1776-671-0x00007FF764130000-0x00007FF764526000-memory.dmp

Filesize
4.0MB

Download
memory/1776-4050-0x00007FF764130000-0x00007FF764526000-memory.dmp

Filesize
4.0MB

Download
memory/1876-763-0x00007FF7FAF70000-0x00007FF7FB366000-memory.dmp

Filesize
4.0MB

Download
memory/1876-4053-0x00007FF7FAF70000-0x00007FF7FB366000-memory.dmp

Filesize
4.0MB

Download
memory/1948-768-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp

Filesize
4.0MB

Download
memory/1948-4061-0x00007FF68F730000-0x00007FF68FB26000-memory.dmp

Filesize
4.0MB

Download
memory/1972-6-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp

Filesize
4.0MB

Download
memory/1972-4059-0x00007FF60DA20000-0x00007FF60DE16000-memory.dmp

Filesize
4.0MB

Download
memory/2088-663-0x00007FF78A050000-0x00007FF78A446000-memory.dmp

Filesize
4.0MB

Download
memory/2088-4051-0x00007FF78A050000-0x00007FF78A446000-memory.dmp

Filesize
4.0MB

Download
memory/2108-86-0x00007FF6F0690000-0x00007FF6F0A86000-memory.dmp

Filesize
4.0MB

Download
memory/2108-4055-0x00007FF6F0690000-0x00007FF6F0A86000-memory.dmp

Filesize
4.0MB

Download
memory/2372-743-0x00007FF61FCE0000-0x00007FF6200D6000-memory.dmp

Filesize
4.0MB

Download
memory/2372-4068-0x00007FF61FCE0000-0x00007FF6200D6000-memory.dmp

Filesize
4.0MB

Download
memory/2772-4049-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp

Filesize
4.0MB

Download
memory/2772-676-0x00007FF7955C0000-0x00007FF7959B6000-memory.dmp

Filesize
4.0MB

Download
memory/3016-4063-0x00007FF66B380000-0x00007FF66B776000-memory.dmp

Filesize
4.0MB

Download
memory/3016-726-0x00007FF66B380000-0x00007FF66B776000-memory.dmp

Filesize
4.0MB

Download
memory/3228-4066-0x00007FF78D0F0000-0x00007FF78D4E6000-memory.dmp

Filesize
4.0MB

Download
memory/3228-756-0x00007FF78D0F0000-0x00007FF78D4E6000-memory.dmp

Filesize
4.0MB

Download
memory/3692-4060-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp

Filesize
4.0MB

Download
memory/3692-695-0x00007FF76ABB0000-0x00007FF76AFA6000-memory.dmp

Filesize
4.0MB

Download
memory/3920-37-0x00007FF983FA0000-0x00007FF984A61000-memory.dmp

Filesize
10.8MB

Download
memory/3920-55-0x00007FF983FA0000-0x00007FF984A61000-memory.dmp

Filesize
10.8MB

Download
memory/3920-337-0x000002AECA450000-0x000002AECABF6000-memory.dmp

Filesize
7.6MB

Download
memory/3920-24-0x000002AEB1480000-0x000002AEB14A2000-memory.dmp

Filesize
136KB

Download
memory/3920-9-0x00007FF983FA3000-0x00007FF983FA5000-memory.dmp

Filesize
8KB

Download
memory/4260-4070-0x00007FF740C40000-0x00007FF741036000-memory.dmp

Filesize
4.0MB

Download
memory/4260-710-0x00007FF740C40000-0x00007FF741036000-memory.dmp

Filesize
4.0MB

Download
memory/4404-702-0x00007FF739580000-0x00007FF739976000-memory.dmp

Filesize
4.0MB

Download
memory/4404-4062-0x00007FF739580000-0x00007FF739976000-memory.dmp

Filesize
4.0MB

Download
memory/4492-39-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp

Filesize
4.0MB

Download
memory/4492-4058-0x00007FF6F0150000-0x00007FF6F0546000-memory.dmp

Filesize
4.0MB

Download
memory/4624-4052-0x00007FF74F250000-0x00007FF74F646000-memory.dmp

Filesize
4.0MB

Download
memory/4624-662-0x00007FF74F250000-0x00007FF74F646000-memory.dmp

Filesize
4.0MB

Download
memory/4652-4048-0x00007FF7EDD80000-0x00007FF7EE176000-memory.dmp

Filesize
4.0MB

Download
memory/4652-680-0x00007FF7EDD80000-0x00007FF7EE176000-memory.dmp

Filesize
4.0MB

Download
memory/4892-4047-0x00007FF6DCFA0000-0x00007FF6DD396000-memory.dmp

Filesize
4.0MB

Download
memory/4892-688-0x00007FF6DCFA0000-0x00007FF6DD396000-memory.dmp

Filesize
4.0MB

Download
memory/4972-760-0x00007FF78FA20000-0x00007FF78FE16000-memory.dmp

Filesize
4.0MB

Download
memory/4972-4065-0x00007FF78FA20000-0x00007FF78FE16000-memory.dmp

Filesize
4.0MB

Download