xmrig | 1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952

Analysis

max time kernel
56s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
Size

1.3MB
MD5

004959f7df5fd7b8b493f33154a1de71
SHA1

c3e9a94af6bf5a5acba19c5342f79f02f55c4c6a
SHA256

1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952
SHA512

6822dcb01d30825c1ebd2e12788dffb6a4f901e77d5c86930225f101c91cda8e12e08a07d8ca47c0306a5b8c184d2720c64b5a09b784a50b9f010c463e103a60
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbpwlKensziXoSPqZ650Ggk:GezaTF8FcNkNdfE0pZ9ozttwIRReyk

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 37 IoCs

miner

resource	yara_rule
behavioral2/files/0x000d000000023c1f-4.dat	xmrig
behavioral2/files/0x0008000000023c99-13.dat	xmrig
behavioral2/files/0x0007000000023c9e-20.dat	xmrig
behavioral2/files/0x0007000000023ca2-31.dat	xmrig
behavioral2/files/0x0007000000023ca0-38.dat	xmrig
behavioral2/files/0x0007000000023ca3-40.dat	xmrig
behavioral2/files/0x0008000000023c9f-29.dat	xmrig
behavioral2/files/0x0007000000023c9d-16.dat	xmrig
behavioral2/files/0x0007000000023ca4-45.dat	xmrig
behavioral2/files/0x0007000000023ca6-52.dat	xmrig
behavioral2/files/0x0007000000023caa-88.dat	xmrig
behavioral2/files/0x0007000000023cb1-110.dat	xmrig
behavioral2/files/0x0007000000023cc0-173.dat	xmrig
behavioral2/files/0x0007000000023cb6-168.dat	xmrig
behavioral2/files/0x0007000000023cb4-165.dat	xmrig
behavioral2/files/0x0007000000023cb9-162.dat	xmrig
behavioral2/files/0x0007000000023cb3-161.dat	xmrig
behavioral2/files/0x0007000000023cbf-160.dat	xmrig
behavioral2/files/0x0007000000023cb8-158.dat	xmrig
behavioral2/files/0x0007000000023cbe-157.dat	xmrig
behavioral2/files/0x0007000000023cbd-154.dat	xmrig
behavioral2/files/0x0007000000023cbc-150.dat	xmrig
behavioral2/files/0x0007000000023caf-141.dat	xmrig
behavioral2/files/0x0007000000023cb2-136.dat	xmrig
behavioral2/files/0x0007000000023cb7-132.dat	xmrig
behavioral2/files/0x0007000000023cbb-147.dat	xmrig
behavioral2/files/0x0008000000023c9a-122.dat	xmrig
behavioral2/files/0x0007000000023cba-146.dat	xmrig
behavioral2/files/0x0007000000023cae-114.dat	xmrig
behavioral2/files/0x0007000000023cb5-125.dat	xmrig
behavioral2/files/0x0007000000023cb0-104.dat	xmrig
behavioral2/files/0x0007000000023cab-100.dat	xmrig
behavioral2/files/0x0007000000023cac-83.dat	xmrig
behavioral2/files/0x0007000000023cad-86.dat	xmrig
behavioral2/files/0x0007000000023ca8-79.dat	xmrig
behavioral2/files/0x0007000000023ca9-75.dat	xmrig
behavioral2/files/0x0007000000023ca7-61.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 12 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
528	uulcBUV.exe
2488	brTzzAm.exe
4896	TChZkCW.exe
4224	UaVBTvM.exe
1156	cSvjfwy.exe
4160	chElttx.exe
5092	IxUPKkT.exe
664	wwDtYOR.exe
3300	dKGLyct.exe
1020	ghtazEI.exe
1356	NihvcoV.exe
4584	ZwuuiNd.exe
1936	vOjZZDB.exe
3360	HczbJFU.exe
4500	KmWiABY.exe
2012	GMPjZNw.exe
4832	gTCHMHl.exe
684	qUpavfI.exe
2780	NvXyzEI.exe
840	LBmnpVg.exe
1488	sDNZRKa.exe
2816	ysyLdXL.exe
2868	qnwymDW.exe
996	uVRONWu.exe
4844	yNuTRyI.exe
5068	LRSbuju.exe
2032	rHjVopi.exe
3836	CbnQQld.exe
2652	mowzBlc.exe
3480	vshShIK.exe
4432	CzNbzmj.exe
3156	QUWQKpM.exe
3564	TcPBhhq.exe
4420	YYibNmn.exe
972	AhKFWNS.exe
8	bsfQFaB.exe
2852	PPVXffZ.exe
836	pHrryEx.exe
2340	gRDMGAf.exe
232	IoLMhGV.exe
4348	qyuwsXB.exe
1040	TkJbcKM.exe
1984	HLkzUPS.exe
3896	cOQWxAR.exe
3428	nXuDHBr.exe
2044	DZYDtLx.exe
3368	wetJUUM.exe
1500	ouPXMGy.exe
2024	SquFihv.exe
5052	FKYAJGh.exe
3548	JsRzKeY.exe
4504	rhfvnTb.exe
3668	JvnOtQg.exe
2892	svyutQn.exe
4368	DuwlYOr.exe
4988	YCCgyDh.exe
3228	yfmygaf.exe
640	LyGzdSd.exe
3192	KaJkefE.exe
3988	DQESoMk.exe
3744	bQwupqy.exe
4292	sNYCHDU.exe
3432	grmnRfc.exe
3472	TNGwZsE.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\aPTRXNT.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\LBDpqFm.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\QlaxnRX.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\nXuDHBr.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\rRdUwSe.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\rPeWBRM.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\fDLuRTR.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\gTHTArm.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\PPVXffZ.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\FPfgBvM.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\hJiMqUj.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\pTsDryC.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\siSKRIy.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\NbVloaj.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\tpCWWRJ.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\qdziCQk.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\ZrsXxmQ.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\mJUDLmT.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\eTAvElJ.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\FLsRMeS.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\EbTpkdD.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\qLPLMTc.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\MkOZtyY.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\tAydAKH.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\amAmsFL.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\jJfshGq.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\NvuuFsk.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\piUQjwW.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\ghvWhkd.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\Trumpdl.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\Bpamgwc.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\NYjElTO.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\yvGIXAd.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\pEbaGZr.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\dvRdjjS.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\SVbKoKb.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\NiDcxtG.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\FZwDSaU.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\suUDNCX.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\XXzbOGh.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\EvSmahA.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\eoZjaLs.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\NrYySpq.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\cmIbYcI.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\fbufaqY.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\VBHuIIW.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\OoouJtx.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\nIYmmGY.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\LoZyjBk.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\GzUreHv.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\tFpjLMM.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\ScOxvGQ.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\zYBJkmV.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\bNnvLpM.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\ZRJrRiG.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\mnvwutk.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\YxjQoNv.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\kcEhtFU.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\VoGGSMe.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\rqcepum.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\mhaTLBC.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\FXDqmIs.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\oHhOOuq.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
File created	C:\Windows\System\hUMNlKg.exe	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878641211-696417878-3864914810-1000\{4DF40539-AF2E-40A9-B73F-3FD19E977C3A}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - de-DE Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Female"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	17276	explorer.exe
Token: SeCreatePagefilePrivilege	17276	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe
Token: SeShutdownPrivilege	1848	explorer.exe
Token: SeCreatePagefilePrivilege	1848	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
16088	sihost.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
17276	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
1848	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
18300	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
3636	explorer.exe
3636	explorer.exe
3636	explorer.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
16640	StartMenuExperienceHost.exe
16896	StartMenuExperienceHost.exe
17152	SearchApp.exe
17656	StartMenuExperienceHost.exe
16412	StartMenuExperienceHost.exe
3644	StartMenuExperienceHost.exe
17816	SearchApp.exe
18096	StartMenuExperienceHost.exe
17952	StartMenuExperienceHost.exe
17712	SearchApp.exe
2660	StartMenuExperienceHost.exe
6736	StartMenuExperienceHost.exe
17256	SearchApp.exe
4980	StartMenuExperienceHost.exe
10136	StartMenuExperienceHost.exe
18196	StartMenuExperienceHost.exe
17700	SearchApp.exe
4520	StartMenuExperienceHost.exe
4848	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 528	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	84
PID 1508 wrote to memory of 528	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	84
PID 1508 wrote to memory of 2488	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	85
PID 1508 wrote to memory of 2488	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	85
PID 1508 wrote to memory of 4896	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	86
PID 1508 wrote to memory of 4896	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	86
PID 1508 wrote to memory of 4224	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	87
PID 1508 wrote to memory of 4224	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	87
PID 1508 wrote to memory of 1156	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	88
PID 1508 wrote to memory of 1156	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	88
PID 1508 wrote to memory of 4160	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	89
PID 1508 wrote to memory of 4160	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	89
PID 1508 wrote to memory of 5092	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	90
PID 1508 wrote to memory of 5092	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	90
PID 1508 wrote to memory of 664	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	91
PID 1508 wrote to memory of 664	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	91
PID 1508 wrote to memory of 3300	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	92
PID 1508 wrote to memory of 3300	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	92
PID 1508 wrote to memory of 1020	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	93
PID 1508 wrote to memory of 1020	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	93
PID 1508 wrote to memory of 1356	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	94
PID 1508 wrote to memory of 1356	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	94
PID 1508 wrote to memory of 1936	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	95
PID 1508 wrote to memory of 1936	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	95
PID 1508 wrote to memory of 4584	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	96
PID 1508 wrote to memory of 4584	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	96
PID 1508 wrote to memory of 3360	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	97
PID 1508 wrote to memory of 3360	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	97
PID 1508 wrote to memory of 4500	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	98
PID 1508 wrote to memory of 4500	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	98
PID 1508 wrote to memory of 2012	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	99
PID 1508 wrote to memory of 2012	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	99
PID 1508 wrote to memory of 4832	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	100
PID 1508 wrote to memory of 4832	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	100
PID 1508 wrote to memory of 684	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	101
PID 1508 wrote to memory of 684	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	101
PID 1508 wrote to memory of 2780	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	102
PID 1508 wrote to memory of 2780	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	102
PID 1508 wrote to memory of 840	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	103
PID 1508 wrote to memory of 840	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	103
PID 1508 wrote to memory of 1488	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	104
PID 1508 wrote to memory of 1488	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	104
PID 1508 wrote to memory of 2816	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	105
PID 1508 wrote to memory of 2816	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	105
PID 1508 wrote to memory of 2868	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	106
PID 1508 wrote to memory of 2868	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	106
PID 1508 wrote to memory of 996	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	107
PID 1508 wrote to memory of 996	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	107
PID 1508 wrote to memory of 4844	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	108
PID 1508 wrote to memory of 4844	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	108
PID 1508 wrote to memory of 5068	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	109
PID 1508 wrote to memory of 5068	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	109
PID 1508 wrote to memory of 2032	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	110
PID 1508 wrote to memory of 2032	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	110
PID 1508 wrote to memory of 3836	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	111
PID 1508 wrote to memory of 3836	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	111
PID 1508 wrote to memory of 2652	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	112
PID 1508 wrote to memory of 2652	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	112
PID 1508 wrote to memory of 3480	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	113
PID 1508 wrote to memory of 3480	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	113
PID 1508 wrote to memory of 4432	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	114
PID 1508 wrote to memory of 4432	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	114
PID 1508 wrote to memory of 3156	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	115
PID 1508 wrote to memory of 3156	1508	1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe
"C:\Users\Admin\AppData\Local\Temp\1b446f122edda2acf1264d67b760473b952db412be688e982ecea2e3b223a952.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\System\uulcBUV.exe
  C:\Windows\System\uulcBUV.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\brTzzAm.exe
  C:\Windows\System\brTzzAm.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\TChZkCW.exe
  C:\Windows\System\TChZkCW.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\UaVBTvM.exe
  C:\Windows\System\UaVBTvM.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\cSvjfwy.exe
  C:\Windows\System\cSvjfwy.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\chElttx.exe
  C:\Windows\System\chElttx.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\IxUPKkT.exe
  C:\Windows\System\IxUPKkT.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\wwDtYOR.exe
  C:\Windows\System\wwDtYOR.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\dKGLyct.exe
  C:\Windows\System\dKGLyct.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\ghtazEI.exe
  C:\Windows\System\ghtazEI.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\NihvcoV.exe
  C:\Windows\System\NihvcoV.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\vOjZZDB.exe
  C:\Windows\System\vOjZZDB.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\ZwuuiNd.exe
  C:\Windows\System\ZwuuiNd.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\HczbJFU.exe
  C:\Windows\System\HczbJFU.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\KmWiABY.exe
  C:\Windows\System\KmWiABY.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\GMPjZNw.exe
  C:\Windows\System\GMPjZNw.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\gTCHMHl.exe
  C:\Windows\System\gTCHMHl.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\qUpavfI.exe
  C:\Windows\System\qUpavfI.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\NvXyzEI.exe
  C:\Windows\System\NvXyzEI.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\LBmnpVg.exe
  C:\Windows\System\LBmnpVg.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\sDNZRKa.exe
  C:\Windows\System\sDNZRKa.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\ysyLdXL.exe
  C:\Windows\System\ysyLdXL.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\qnwymDW.exe
  C:\Windows\System\qnwymDW.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\uVRONWu.exe
  C:\Windows\System\uVRONWu.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\yNuTRyI.exe
  C:\Windows\System\yNuTRyI.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\LRSbuju.exe
  C:\Windows\System\LRSbuju.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\rHjVopi.exe
  C:\Windows\System\rHjVopi.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\CbnQQld.exe
  C:\Windows\System\CbnQQld.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\mowzBlc.exe
  C:\Windows\System\mowzBlc.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\vshShIK.exe
  C:\Windows\System\vshShIK.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\CzNbzmj.exe
  C:\Windows\System\CzNbzmj.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\QUWQKpM.exe
  C:\Windows\System\QUWQKpM.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\TcPBhhq.exe
  C:\Windows\System\TcPBhhq.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\YYibNmn.exe
  C:\Windows\System\YYibNmn.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\AhKFWNS.exe
  C:\Windows\System\AhKFWNS.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\bsfQFaB.exe
  C:\Windows\System\bsfQFaB.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\PPVXffZ.exe
  C:\Windows\System\PPVXffZ.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\pHrryEx.exe
  C:\Windows\System\pHrryEx.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\gRDMGAf.exe
  C:\Windows\System\gRDMGAf.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\IoLMhGV.exe
  C:\Windows\System\IoLMhGV.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\qyuwsXB.exe
  C:\Windows\System\qyuwsXB.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\TkJbcKM.exe
  C:\Windows\System\TkJbcKM.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\HLkzUPS.exe
  C:\Windows\System\HLkzUPS.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\cOQWxAR.exe
  C:\Windows\System\cOQWxAR.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\nXuDHBr.exe
  C:\Windows\System\nXuDHBr.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\DZYDtLx.exe
  C:\Windows\System\DZYDtLx.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\wetJUUM.exe
  C:\Windows\System\wetJUUM.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\ouPXMGy.exe
  C:\Windows\System\ouPXMGy.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\SquFihv.exe
  C:\Windows\System\SquFihv.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\FKYAJGh.exe
  C:\Windows\System\FKYAJGh.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\JsRzKeY.exe
  C:\Windows\System\JsRzKeY.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\rhfvnTb.exe
  C:\Windows\System\rhfvnTb.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\JvnOtQg.exe
  C:\Windows\System\JvnOtQg.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\svyutQn.exe
  C:\Windows\System\svyutQn.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\DuwlYOr.exe
  C:\Windows\System\DuwlYOr.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\YCCgyDh.exe
  C:\Windows\System\YCCgyDh.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\yfmygaf.exe
  C:\Windows\System\yfmygaf.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\LyGzdSd.exe
  C:\Windows\System\LyGzdSd.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\KaJkefE.exe
  C:\Windows\System\KaJkefE.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\DQESoMk.exe
  C:\Windows\System\DQESoMk.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\bQwupqy.exe
  C:\Windows\System\bQwupqy.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\sNYCHDU.exe
  C:\Windows\System\sNYCHDU.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\grmnRfc.exe
  C:\Windows\System\grmnRfc.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\TNGwZsE.exe
  C:\Windows\System\TNGwZsE.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\QxZMPdq.exe
  C:\Windows\System\QxZMPdq.exe
  2⤵
  PID:696
- C:\Windows\System\nIuILrF.exe
  C:\Windows\System\nIuILrF.exe
  2⤵
  PID:1392
- C:\Windows\System\PIQYpIO.exe
  C:\Windows\System\PIQYpIO.exe
  2⤵
  PID:3956
- C:\Windows\System\BhssVJQ.exe
  C:\Windows\System\BhssVJQ.exe
  2⤵
  PID:3108
- C:\Windows\System\KGwavFn.exe
  C:\Windows\System\KGwavFn.exe
  2⤵
  PID:3536
- C:\Windows\System\dQxXeTv.exe
  C:\Windows\System\dQxXeTv.exe
  2⤵
  PID:2244
- C:\Windows\System\eiURGyM.exe
  C:\Windows\System\eiURGyM.exe
  2⤵
  PID:5100
- C:\Windows\System\PhYoojv.exe
  C:\Windows\System\PhYoojv.exe
  2⤵
  PID:916
- C:\Windows\System\maLhRiL.exe
  C:\Windows\System\maLhRiL.exe
  2⤵
  PID:2916
- C:\Windows\System\lYNACsv.exe
  C:\Windows\System\lYNACsv.exe
  2⤵
  PID:2764
- C:\Windows\System\mTANjxV.exe
  C:\Windows\System\mTANjxV.exe
  2⤵
  PID:4800
- C:\Windows\System\LzckwgG.exe
  C:\Windows\System\LzckwgG.exe
  2⤵
  PID:772
- C:\Windows\System\XqPmrQl.exe
  C:\Windows\System\XqPmrQl.exe
  2⤵
  PID:3464
- C:\Windows\System\anxqLCx.exe
  C:\Windows\System\anxqLCx.exe
  2⤵
  PID:2188
- C:\Windows\System\uqmonpc.exe
  C:\Windows\System\uqmonpc.exe
  2⤵
  PID:4356
- C:\Windows\System\ghvWhkd.exe
  C:\Windows\System\ghvWhkd.exe
  2⤵
  PID:412
- C:\Windows\System\Bpamgwc.exe
  C:\Windows\System\Bpamgwc.exe
  2⤵
  PID:4052
- C:\Windows\System\YifahbM.exe
  C:\Windows\System\YifahbM.exe
  2⤵
  PID:3980
- C:\Windows\System\ZTuQzyc.exe
  C:\Windows\System\ZTuQzyc.exe
  2⤵
  PID:2424
- C:\Windows\System\ResgIyZ.exe
  C:\Windows\System\ResgIyZ.exe
  2⤵
  PID:1540
- C:\Windows\System\Euobhbr.exe
  C:\Windows\System\Euobhbr.exe
  2⤵
  PID:548
- C:\Windows\System\bzUksmL.exe
  C:\Windows\System\bzUksmL.exe
  2⤵
  PID:1148
- C:\Windows\System\sJRDCSb.exe
  C:\Windows\System\sJRDCSb.exe
  2⤵
  PID:4576
- C:\Windows\System\HiFIKZh.exe
  C:\Windows\System\HiFIKZh.exe
  2⤵
  PID:1808
- C:\Windows\System\guVBXxe.exe
  C:\Windows\System\guVBXxe.exe
  2⤵
  PID:732
- C:\Windows\System\MlKRHNL.exe
  C:\Windows\System\MlKRHNL.exe
  2⤵
  PID:4856
- C:\Windows\System\Htunppk.exe
  C:\Windows\System\Htunppk.exe
  2⤵
  PID:3832
- C:\Windows\System\PFtneQC.exe
  C:\Windows\System\PFtneQC.exe
  2⤵
  PID:4404
- C:\Windows\System\XlcOfIS.exe
  C:\Windows\System\XlcOfIS.exe
  2⤵
  PID:4796
- C:\Windows\System\cUJaWvb.exe
  C:\Windows\System\cUJaWvb.exe
  2⤵
  PID:2804
- C:\Windows\System\aPyodTj.exe
  C:\Windows\System\aPyodTj.exe
  2⤵
  PID:1424
- C:\Windows\System\vBPRGrk.exe
  C:\Windows\System\vBPRGrk.exe
  2⤵
  PID:3308
- C:\Windows\System\zJudOVP.exe
  C:\Windows\System\zJudOVP.exe
  2⤵
  PID:4956
- C:\Windows\System\PsIxuNj.exe
  C:\Windows\System\PsIxuNj.exe
  2⤵
  PID:3060
- C:\Windows\System\DmHyfrz.exe
  C:\Windows\System\DmHyfrz.exe
  2⤵
  PID:5000
- C:\Windows\System\KdJDrkh.exe
  C:\Windows\System\KdJDrkh.exe
  2⤵
  PID:3440
- C:\Windows\System\OEMFGGA.exe
  C:\Windows\System\OEMFGGA.exe
  2⤵
  PID:3572
- C:\Windows\System\wUPuXZC.exe
  C:\Windows\System\wUPuXZC.exe
  2⤵
  PID:740
- C:\Windows\System\JqEbTeS.exe
  C:\Windows\System\JqEbTeS.exe
  2⤵
  PID:2768
- C:\Windows\System\iUoIdXU.exe
  C:\Windows\System\iUoIdXU.exe
  2⤵
  PID:4304
- C:\Windows\System\fRshQCA.exe
  C:\Windows\System\fRshQCA.exe
  2⤵
  PID:3456
- C:\Windows\System\NYjElTO.exe
  C:\Windows\System\NYjElTO.exe
  2⤵
  PID:2268
- C:\Windows\System\pRZYVKw.exe
  C:\Windows\System\pRZYVKw.exe
  2⤵
  PID:752
- C:\Windows\System\YqufdyA.exe
  C:\Windows\System\YqufdyA.exe
  2⤵
  PID:3224
- C:\Windows\System\IfKwwfD.exe
  C:\Windows\System\IfKwwfD.exe
  2⤵
  PID:5156
- C:\Windows\System\ScOxvGQ.exe
  C:\Windows\System\ScOxvGQ.exe
  2⤵
  PID:5188
- C:\Windows\System\lgMXavc.exe
  C:\Windows\System\lgMXavc.exe
  2⤵
  PID:5216
- C:\Windows\System\eYtdeCp.exe
  C:\Windows\System\eYtdeCp.exe
  2⤵
  PID:5248
- C:\Windows\System\lGwIWpe.exe
  C:\Windows\System\lGwIWpe.exe
  2⤵
  PID:5268
- C:\Windows\System\HzWenql.exe
  C:\Windows\System\HzWenql.exe
  2⤵
  PID:5284
- C:\Windows\System\xTjdWrt.exe
  C:\Windows\System\xTjdWrt.exe
  2⤵
  PID:5312
- C:\Windows\System\FPfgBvM.exe
  C:\Windows\System\FPfgBvM.exe
  2⤵
  PID:5340
- C:\Windows\System\qjEPjns.exe
  C:\Windows\System\qjEPjns.exe
  2⤵
  PID:5360
- C:\Windows\System\XMqrvRP.exe
  C:\Windows\System\XMqrvRP.exe
  2⤵
  PID:5388
- C:\Windows\System\yUSVFdS.exe
  C:\Windows\System\yUSVFdS.exe
  2⤵
  PID:5424
- C:\Windows\System\gaWvLWq.exe
  C:\Windows\System\gaWvLWq.exe
  2⤵
  PID:5448
- C:\Windows\System\sLSynbK.exe
  C:\Windows\System\sLSynbK.exe
  2⤵
  PID:5484
- C:\Windows\System\xPnctSI.exe
  C:\Windows\System\xPnctSI.exe
  2⤵
  PID:5516
- C:\Windows\System\fEtqpgt.exe
  C:\Windows\System\fEtqpgt.exe
  2⤵
  PID:5576
- C:\Windows\System\MtWcfPa.exe
  C:\Windows\System\MtWcfPa.exe
  2⤵
  PID:5592
- C:\Windows\System\uIcbcBw.exe
  C:\Windows\System\uIcbcBw.exe
  2⤵
  PID:5608
- C:\Windows\System\ppkDVLL.exe
  C:\Windows\System\ppkDVLL.exe
  2⤵
  PID:5636
- C:\Windows\System\eFBAGyH.exe
  C:\Windows\System\eFBAGyH.exe
  2⤵
  PID:5652
- C:\Windows\System\bjxIyUI.exe
  C:\Windows\System\bjxIyUI.exe
  2⤵
  PID:5680
- C:\Windows\System\FUCcngi.exe
  C:\Windows\System\FUCcngi.exe
  2⤵
  PID:5720
- C:\Windows\System\tgIckaF.exe
  C:\Windows\System\tgIckaF.exe
  2⤵
  PID:5744
- C:\Windows\System\RsRrSXI.exe
  C:\Windows\System\RsRrSXI.exe
  2⤵
  PID:5772
- C:\Windows\System\ejhAOZg.exe
  C:\Windows\System\ejhAOZg.exe
  2⤵
  PID:5796
- C:\Windows\System\KIBXYqJ.exe
  C:\Windows\System\KIBXYqJ.exe
  2⤵
  PID:5824
- C:\Windows\System\ObUCZqA.exe
  C:\Windows\System\ObUCZqA.exe
  2⤵
  PID:5848
- C:\Windows\System\bveHBUU.exe
  C:\Windows\System\bveHBUU.exe
  2⤵
  PID:5884
- C:\Windows\System\UAExUZf.exe
  C:\Windows\System\UAExUZf.exe
  2⤵
  PID:5904
- C:\Windows\System\oxesSOQ.exe
  C:\Windows\System\oxesSOQ.exe
  2⤵
  PID:5928
- C:\Windows\System\QwooOMH.exe
  C:\Windows\System\QwooOMH.exe
  2⤵
  PID:5948
- C:\Windows\System\BVKyjiP.exe
  C:\Windows\System\BVKyjiP.exe
  2⤵
  PID:5964
- C:\Windows\System\HMOvZGC.exe
  C:\Windows\System\HMOvZGC.exe
  2⤵
  PID:5988
- C:\Windows\System\zYbAJCK.exe
  C:\Windows\System\zYbAJCK.exe
  2⤵
  PID:6016
- C:\Windows\System\SSYOyiq.exe
  C:\Windows\System\SSYOyiq.exe
  2⤵
  PID:6044
- C:\Windows\System\dOTWZTw.exe
  C:\Windows\System\dOTWZTw.exe
  2⤵
  PID:6064
- C:\Windows\System\fgxLsKi.exe
  C:\Windows\System\fgxLsKi.exe
  2⤵
  PID:6088
- C:\Windows\System\qIHZyAf.exe
  C:\Windows\System\qIHZyAf.exe
  2⤵
  PID:6112
- C:\Windows\System\dZkSbfJ.exe
  C:\Windows\System\dZkSbfJ.exe
  2⤵
  PID:1384
- C:\Windows\System\UxwgTjY.exe
  C:\Windows\System\UxwgTjY.exe
  2⤵
  PID:5168
- C:\Windows\System\NiDcxtG.exe
  C:\Windows\System\NiDcxtG.exe
  2⤵
  PID:5256
- C:\Windows\System\OreTqEq.exe
  C:\Windows\System\OreTqEq.exe
  2⤵
  PID:5304
- C:\Windows\System\MKKmmSP.exe
  C:\Windows\System\MKKmmSP.exe
  2⤵
  PID:5404
- C:\Windows\System\rHExoGz.exe
  C:\Windows\System\rHExoGz.exe
  2⤵
  PID:5444
- C:\Windows\System\zhglsry.exe
  C:\Windows\System\zhglsry.exe
  2⤵
  PID:5496
- C:\Windows\System\Cyxkcvb.exe
  C:\Windows\System\Cyxkcvb.exe
  2⤵
  PID:5560
- C:\Windows\System\Pblxxjp.exe
  C:\Windows\System\Pblxxjp.exe
  2⤵
  PID:5588
- C:\Windows\System\SsHMiUU.exe
  C:\Windows\System\SsHMiUU.exe
  2⤵
  PID:5664
- C:\Windows\System\VucnbQC.exe
  C:\Windows\System\VucnbQC.exe
  2⤵
  PID:5700
- C:\Windows\System\BdzEyQE.exe
  C:\Windows\System\BdzEyQE.exe
  2⤵
  PID:5756
- C:\Windows\System\UftypII.exe
  C:\Windows\System\UftypII.exe
  2⤵
  PID:5808
- C:\Windows\System\lygCBZF.exe
  C:\Windows\System\lygCBZF.exe
  2⤵
  PID:5868
- C:\Windows\System\knoxaVu.exe
  C:\Windows\System\knoxaVu.exe
  2⤵
  PID:5924
- C:\Windows\System\qlBKZTe.exe
  C:\Windows\System\qlBKZTe.exe
  2⤵
  PID:6036
- C:\Windows\System\wCiOnrz.exe
  C:\Windows\System\wCiOnrz.exe
  2⤵
  PID:6080
- C:\Windows\System\dxgiRGJ.exe
  C:\Windows\System\dxgiRGJ.exe
  2⤵
  PID:6124
- C:\Windows\System\FZwDSaU.exe
  C:\Windows\System\FZwDSaU.exe
  2⤵
  PID:5300
- C:\Windows\System\rWmOZlp.exe
  C:\Windows\System\rWmOZlp.exe
  2⤵
  PID:5212
- C:\Windows\System\HZgRhzD.exe
  C:\Windows\System\HZgRhzD.exe
  2⤵
  PID:5468
- C:\Windows\System\vHGbnhU.exe
  C:\Windows\System\vHGbnhU.exe
  2⤵
  PID:5620
- C:\Windows\System\qdziCQk.exe
  C:\Windows\System\qdziCQk.exe
  2⤵
  PID:5792
- C:\Windows\System\gwceeHz.exe
  C:\Windows\System\gwceeHz.exe
  2⤵
  PID:5940
- C:\Windows\System\NNkrTRl.exe
  C:\Windows\System\NNkrTRl.exe
  2⤵
  PID:5980
- C:\Windows\System\NAgMjlQ.exe
  C:\Windows\System\NAgMjlQ.exe
  2⤵
  PID:5356
- C:\Windows\System\wTsxfZd.exe
  C:\Windows\System\wTsxfZd.exe
  2⤵
  PID:5584
- C:\Windows\System\rtyQVKh.exe
  C:\Windows\System\rtyQVKh.exe
  2⤵
  PID:6084
- C:\Windows\System\ubOjPij.exe
  C:\Windows\System\ubOjPij.exe
  2⤵
  PID:6188
- C:\Windows\System\bFUOjgL.exe
  C:\Windows\System\bFUOjgL.exe
  2⤵
  PID:6216
- C:\Windows\System\zYBJkmV.exe
  C:\Windows\System\zYBJkmV.exe
  2⤵
  PID:6244
- C:\Windows\System\pqAHffs.exe
  C:\Windows\System\pqAHffs.exe
  2⤵
  PID:6272
- C:\Windows\System\PtyOFJL.exe
  C:\Windows\System\PtyOFJL.exe
  2⤵
  PID:6308
- C:\Windows\System\vkZjDMC.exe
  C:\Windows\System\vkZjDMC.exe
  2⤵
  PID:6332
- C:\Windows\System\OVIJhsH.exe
  C:\Windows\System\OVIJhsH.exe
  2⤵
  PID:6356
- C:\Windows\System\xkniahd.exe
  C:\Windows\System\xkniahd.exe
  2⤵
  PID:6384
- C:\Windows\System\VBHuIIW.exe
  C:\Windows\System\VBHuIIW.exe
  2⤵
  PID:6420
- C:\Windows\System\ZmGhFmD.exe
  C:\Windows\System\ZmGhFmD.exe
  2⤵
  PID:6452
- C:\Windows\System\jzwdcAn.exe
  C:\Windows\System\jzwdcAn.exe
  2⤵
  PID:6480
- C:\Windows\System\yjeHJhI.exe
  C:\Windows\System\yjeHJhI.exe
  2⤵
  PID:6508
- C:\Windows\System\RFoYsiG.exe
  C:\Windows\System\RFoYsiG.exe
  2⤵
  PID:6540
- C:\Windows\System\DJQuMQU.exe
  C:\Windows\System\DJQuMQU.exe
  2⤵
  PID:6572
- C:\Windows\System\NvuuFsk.exe
  C:\Windows\System\NvuuFsk.exe
  2⤵
  PID:6604
- C:\Windows\System\Emyumgr.exe
  C:\Windows\System\Emyumgr.exe
  2⤵
  PID:6628
- C:\Windows\System\ucliRQB.exe
  C:\Windows\System\ucliRQB.exe
  2⤵
  PID:6660
- C:\Windows\System\sSZqdjB.exe
  C:\Windows\System\sSZqdjB.exe
  2⤵
  PID:6692
- C:\Windows\System\tePnAUg.exe
  C:\Windows\System\tePnAUg.exe
  2⤵
  PID:6728
- C:\Windows\System\OSEdJVp.exe
  C:\Windows\System\OSEdJVp.exe
  2⤵
  PID:6752
- C:\Windows\System\tkFuiAl.exe
  C:\Windows\System\tkFuiAl.exe
  2⤵
  PID:6776
- C:\Windows\System\OtiIERv.exe
  C:\Windows\System\OtiIERv.exe
  2⤵
  PID:6808
- C:\Windows\System\jpnooHj.exe
  C:\Windows\System\jpnooHj.exe
  2⤵
  PID:6840
- C:\Windows\System\ZrsXxmQ.exe
  C:\Windows\System\ZrsXxmQ.exe
  2⤵
  PID:6860
- C:\Windows\System\PmHVmgH.exe
  C:\Windows\System\PmHVmgH.exe
  2⤵
  PID:6884
- C:\Windows\System\hkhxSlo.exe
  C:\Windows\System\hkhxSlo.exe
  2⤵
  PID:6912
- C:\Windows\System\HUDJlmg.exe
  C:\Windows\System\HUDJlmg.exe
  2⤵
  PID:6932
- C:\Windows\System\xYartkk.exe
  C:\Windows\System\xYartkk.exe
  2⤵
  PID:6956
- C:\Windows\System\NymrNLg.exe
  C:\Windows\System\NymrNLg.exe
  2⤵
  PID:6988
- C:\Windows\System\SZXFiTt.exe
  C:\Windows\System\SZXFiTt.exe
  2⤵
  PID:7008
- C:\Windows\System\QwVTwKF.exe
  C:\Windows\System\QwVTwKF.exe
  2⤵
  PID:7040
- C:\Windows\System\hBGNuxk.exe
  C:\Windows\System\hBGNuxk.exe
  2⤵
  PID:7072
- C:\Windows\System\mAMXffS.exe
  C:\Windows\System\mAMXffS.exe
  2⤵
  PID:7104
- C:\Windows\System\VtKNZqa.exe
  C:\Windows\System\VtKNZqa.exe
  2⤵
  PID:7124
- C:\Windows\System\VdXnEbV.exe
  C:\Windows\System\VdXnEbV.exe
  2⤵
  PID:7156
- C:\Windows\System\kKtRzhp.exe
  C:\Windows\System\kKtRzhp.exe
  2⤵
  PID:5984
- C:\Windows\System\suUDNCX.exe
  C:\Windows\System\suUDNCX.exe
  2⤵
  PID:6056
- C:\Windows\System\dpyWEIq.exe
  C:\Windows\System\dpyWEIq.exe
  2⤵
  PID:6240
- C:\Windows\System\QGbCYpt.exe
  C:\Windows\System\QGbCYpt.exe
  2⤵
  PID:6208
- C:\Windows\System\iKrJTsR.exe
  C:\Windows\System\iKrJTsR.exe
  2⤵
  PID:6324
- C:\Windows\System\ApyJerp.exe
  C:\Windows\System\ApyJerp.exe
  2⤵
  PID:6472
- C:\Windows\System\qcEQski.exe
  C:\Windows\System\qcEQski.exe
  2⤵
  PID:6528
- C:\Windows\System\RlGshpQ.exe
  C:\Windows\System\RlGshpQ.exe
  2⤵
  PID:6536
- C:\Windows\System\wWuHKqj.exe
  C:\Windows\System\wWuHKqj.exe
  2⤵
  PID:6688
- C:\Windows\System\PGndigp.exe
  C:\Windows\System\PGndigp.exe
  2⤵
  PID:6744
- C:\Windows\System\KlccHeh.exe
  C:\Windows\System\KlccHeh.exe
  2⤵
  PID:6684
- C:\Windows\System\ezNvJtJ.exe
  C:\Windows\System\ezNvJtJ.exe
  2⤵
  PID:6872
- C:\Windows\System\mZptUvj.exe
  C:\Windows\System\mZptUvj.exe
  2⤵
  PID:6820
- C:\Windows\System\NHTnCnc.exe
  C:\Windows\System\NHTnCnc.exe
  2⤵
  PID:6896
- C:\Windows\System\tNqMLsC.exe
  C:\Windows\System\tNqMLsC.exe
  2⤵
  PID:7064
- C:\Windows\System\XXzbOGh.exe
  C:\Windows\System\XXzbOGh.exe
  2⤵
  PID:7028
- C:\Windows\System\SxdPmaZ.exe
  C:\Windows\System\SxdPmaZ.exe
  2⤵
  PID:5784
- C:\Windows\System\jOWJAFg.exe
  C:\Windows\System\jOWJAFg.exe
  2⤵
  PID:7140
- C:\Windows\System\kdMIbPt.exe
  C:\Windows\System\kdMIbPt.exe
  2⤵
  PID:6268
- C:\Windows\System\AMBoUHu.exe
  C:\Windows\System\AMBoUHu.exe
  2⤵
  PID:6448
- C:\Windows\System\XmrlHHL.exe
  C:\Windows\System\XmrlHHL.exe
  2⤵
  PID:2908
- C:\Windows\System\yeCwdnO.exe
  C:\Windows\System\yeCwdnO.exe
  2⤵
  PID:6852
- C:\Windows\System\VDVoZux.exe
  C:\Windows\System\VDVoZux.exe
  2⤵
  PID:6868
- C:\Windows\System\IoKjyZO.exe
  C:\Windows\System\IoKjyZO.exe
  2⤵
  PID:6904
- C:\Windows\System\dvsbOZI.exe
  C:\Windows\System\dvsbOZI.exe
  2⤵
  PID:7004
- C:\Windows\System\QzzpUGJ.exe
  C:\Windows\System\QzzpUGJ.exe
  2⤵
  PID:6488
- C:\Windows\System\zMjzgMu.exe
  C:\Windows\System\zMjzgMu.exe
  2⤵
  PID:6284
- C:\Windows\System\pTsDryC.exe
  C:\Windows\System\pTsDryC.exe
  2⤵
  PID:6672
- C:\Windows\System\UMIarjX.exe
  C:\Windows\System\UMIarjX.exe
  2⤵
  PID:7196
- C:\Windows\System\ytvGiws.exe
  C:\Windows\System\ytvGiws.exe
  2⤵
  PID:7228
- C:\Windows\System\NSRhKal.exe
  C:\Windows\System\NSRhKal.exe
  2⤵
  PID:7252
- C:\Windows\System\OFIcmlm.exe
  C:\Windows\System\OFIcmlm.exe
  2⤵
  PID:7280
- C:\Windows\System\UOYQfvd.exe
  C:\Windows\System\UOYQfvd.exe
  2⤵
  PID:7308
- C:\Windows\System\gNxprUi.exe
  C:\Windows\System\gNxprUi.exe
  2⤵
  PID:7356
- C:\Windows\System\HjqvLpp.exe
  C:\Windows\System\HjqvLpp.exe
  2⤵
  PID:7376
- C:\Windows\System\DXvTHHu.exe
  C:\Windows\System\DXvTHHu.exe
  2⤵
  PID:7412
- C:\Windows\System\GPSUZwH.exe
  C:\Windows\System\GPSUZwH.exe
  2⤵
  PID:7440
- C:\Windows\System\taqwzUY.exe
  C:\Windows\System\taqwzUY.exe
  2⤵
  PID:7472
- C:\Windows\System\EvSmahA.exe
  C:\Windows\System\EvSmahA.exe
  2⤵
  PID:7500
- C:\Windows\System\IXumNla.exe
  C:\Windows\System\IXumNla.exe
  2⤵
  PID:7536
- C:\Windows\System\UvAhohC.exe
  C:\Windows\System\UvAhohC.exe
  2⤵
  PID:7572
- C:\Windows\System\bNnvLpM.exe
  C:\Windows\System\bNnvLpM.exe
  2⤵
  PID:7592
- C:\Windows\System\EbTpkdD.exe
  C:\Windows\System\EbTpkdD.exe
  2⤵
  PID:7608
- C:\Windows\System\nzjowyd.exe
  C:\Windows\System\nzjowyd.exe
  2⤵
  PID:7628
- C:\Windows\System\bCMolbH.exe
  C:\Windows\System\bCMolbH.exe
  2⤵
  PID:7644
- C:\Windows\System\CDDNbMX.exe
  C:\Windows\System\CDDNbMX.exe
  2⤵
  PID:7672
- C:\Windows\System\JjnYeVK.exe
  C:\Windows\System\JjnYeVK.exe
  2⤵
  PID:7700
- C:\Windows\System\uzcZusF.exe
  C:\Windows\System\uzcZusF.exe
  2⤵
  PID:7732
- C:\Windows\System\gcPrxPT.exe
  C:\Windows\System\gcPrxPT.exe
  2⤵
  PID:7776
- C:\Windows\System\TvJHvyc.exe
  C:\Windows\System\TvJHvyc.exe
  2⤵
  PID:7808
- C:\Windows\System\oElTNSv.exe
  C:\Windows\System\oElTNSv.exe
  2⤵
  PID:7844
- C:\Windows\System\sLuRtis.exe
  C:\Windows\System\sLuRtis.exe
  2⤵
  PID:7872
- C:\Windows\System\xzLZdmR.exe
  C:\Windows\System\xzLZdmR.exe
  2⤵
  PID:7900
- C:\Windows\System\QEotmPS.exe
  C:\Windows\System\QEotmPS.exe
  2⤵
  PID:7932
- C:\Windows\System\nAkhlXK.exe
  C:\Windows\System\nAkhlXK.exe
  2⤵
  PID:7960
- C:\Windows\System\ZRJrRiG.exe
  C:\Windows\System\ZRJrRiG.exe
  2⤵
  PID:7988
- C:\Windows\System\imjCiXP.exe
  C:\Windows\System\imjCiXP.exe
  2⤵
  PID:8024
- C:\Windows\System\dpMkUOj.exe
  C:\Windows\System\dpMkUOj.exe
  2⤵
  PID:8052
- C:\Windows\System\tCoKpzx.exe
  C:\Windows\System\tCoKpzx.exe
  2⤵
  PID:8080
- C:\Windows\System\wDZgKAk.exe
  C:\Windows\System\wDZgKAk.exe
  2⤵
  PID:8108
- C:\Windows\System\NbVloaj.exe
  C:\Windows\System\NbVloaj.exe
  2⤵
  PID:8136
- C:\Windows\System\yqyYzqt.exe
  C:\Windows\System\yqyYzqt.exe
  2⤵
  PID:8152
- C:\Windows\System\VUZZeLk.exe
  C:\Windows\System\VUZZeLk.exe
  2⤵
  PID:8180
- C:\Windows\System\BHIxcYl.exe
  C:\Windows\System\BHIxcYl.exe
  2⤵
  PID:6176
- C:\Windows\System\NcxKmjK.exe
  C:\Windows\System\NcxKmjK.exe
  2⤵
  PID:6292
- C:\Windows\System\VhTIbwa.exe
  C:\Windows\System\VhTIbwa.exe
  2⤵
  PID:7184
- C:\Windows\System\oOugRAF.exe
  C:\Windows\System\oOugRAF.exe
  2⤵
  PID:7268
- C:\Windows\System\rRkQqaI.exe
  C:\Windows\System\rRkQqaI.exe
  2⤵
  PID:7316
- C:\Windows\System\YWIackG.exe
  C:\Windows\System\YWIackG.exe
  2⤵
  PID:7384
- C:\Windows\System\OzTIQnX.exe
  C:\Windows\System\OzTIQnX.exe
  2⤵
  PID:7484
- C:\Windows\System\piVDyDl.exe
  C:\Windows\System\piVDyDl.exe
  2⤵
  PID:7580
- C:\Windows\System\gvLSCOD.exe
  C:\Windows\System\gvLSCOD.exe
  2⤵
  PID:7692
- C:\Windows\System\vlkDzuW.exe
  C:\Windows\System\vlkDzuW.exe
  2⤵
  PID:7656
- C:\Windows\System\aiUzQtm.exe
  C:\Windows\System\aiUzQtm.exe
  2⤵
  PID:7748
- C:\Windows\System\RkEitgf.exe
  C:\Windows\System\RkEitgf.exe
  2⤵
  PID:7864
- C:\Windows\System\oAWsmQf.exe
  C:\Windows\System\oAWsmQf.exe
  2⤵
  PID:7892
- C:\Windows\System\UgqYTVk.exe
  C:\Windows\System\UgqYTVk.exe
  2⤵
  PID:7956
- C:\Windows\System\COdYdjP.exe
  C:\Windows\System\COdYdjP.exe
  2⤵
  PID:8036
- C:\Windows\System\pMSmLev.exe
  C:\Windows\System\pMSmLev.exe
  2⤵
  PID:8092
- C:\Windows\System\ZVSESMt.exe
  C:\Windows\System\ZVSESMt.exe
  2⤵
  PID:8144
- C:\Windows\System\htvdhfv.exe
  C:\Windows\System\htvdhfv.exe
  2⤵
  PID:6468
- C:\Windows\System\RbyTtHX.exe
  C:\Windows\System\RbyTtHX.exe
  2⤵
  PID:7304
- C:\Windows\System\CrItUNR.exe
  C:\Windows\System\CrItUNR.exe
  2⤵
  PID:7464
- C:\Windows\System\LQypoZY.exe
  C:\Windows\System\LQypoZY.exe
  2⤵
  PID:7696
- C:\Windows\System\BzrPOhe.exe
  C:\Windows\System\BzrPOhe.exe
  2⤵
  PID:7760
- C:\Windows\System\tqxVQdY.exe
  C:\Windows\System\tqxVQdY.exe
  2⤵
  PID:7856
- C:\Windows\System\Trumpdl.exe
  C:\Windows\System\Trumpdl.exe
  2⤵
  PID:8064
- C:\Windows\System\logbOhY.exe
  C:\Windows\System\logbOhY.exe
  2⤵
  PID:8048
- C:\Windows\System\LGVZQlh.exe
  C:\Windows\System\LGVZQlh.exe
  2⤵
  PID:8148
- C:\Windows\System\ojmCKDS.exe
  C:\Windows\System\ojmCKDS.exe
  2⤵
  PID:6740
- C:\Windows\System\DOdYWCc.exe
  C:\Windows\System\DOdYWCc.exe
  2⤵
  PID:7368
- C:\Windows\System\qqJmFIG.exe
  C:\Windows\System\qqJmFIG.exe
  2⤵
  PID:7548
- C:\Windows\System\HBeTpRb.exe
  C:\Windows\System\HBeTpRb.exe
  2⤵
  PID:8012
- C:\Windows\System\mvdeWQB.exe
  C:\Windows\System\mvdeWQB.exe
  2⤵
  PID:8200
- C:\Windows\System\aPTRXNT.exe
  C:\Windows\System\aPTRXNT.exe
  2⤵
  PID:8224
- C:\Windows\System\WcvecQI.exe
  C:\Windows\System\WcvecQI.exe
  2⤵
  PID:8248
- C:\Windows\System\weGdcEe.exe
  C:\Windows\System\weGdcEe.exe
  2⤵
  PID:8264
- C:\Windows\System\UPEzubG.exe
  C:\Windows\System\UPEzubG.exe
  2⤵
  PID:8296
- C:\Windows\System\dnytcxE.exe
  C:\Windows\System\dnytcxE.exe
  2⤵
  PID:8316
- C:\Windows\System\UMrNrjY.exe
  C:\Windows\System\UMrNrjY.exe
  2⤵
  PID:8344
- C:\Windows\System\NwAswpW.exe
  C:\Windows\System\NwAswpW.exe
  2⤵
  PID:8376
- C:\Windows\System\UGpsAaZ.exe
  C:\Windows\System\UGpsAaZ.exe
  2⤵
  PID:8400
- C:\Windows\System\voMoxFQ.exe
  C:\Windows\System\voMoxFQ.exe
  2⤵
  PID:8436
- C:\Windows\System\vguZjbF.exe
  C:\Windows\System\vguZjbF.exe
  2⤵
  PID:8460
- C:\Windows\System\PCnLeya.exe
  C:\Windows\System\PCnLeya.exe
  2⤵
  PID:8492
- C:\Windows\System\ySmsjgv.exe
  C:\Windows\System\ySmsjgv.exe
  2⤵
  PID:8520
- C:\Windows\System\sqZLvxM.exe
  C:\Windows\System\sqZLvxM.exe
  2⤵
  PID:8548
- C:\Windows\System\JYRDOGE.exe
  C:\Windows\System\JYRDOGE.exe
  2⤵
  PID:8576
- C:\Windows\System\BjgFDSo.exe
  C:\Windows\System\BjgFDSo.exe
  2⤵
  PID:8604
- C:\Windows\System\XeSVHhD.exe
  C:\Windows\System\XeSVHhD.exe
  2⤵
  PID:8636
- C:\Windows\System\DQtvOuW.exe
  C:\Windows\System\DQtvOuW.exe
  2⤵
  PID:8672
- C:\Windows\System\AZhKYCk.exe
  C:\Windows\System\AZhKYCk.exe
  2⤵
  PID:8696
- C:\Windows\System\qdnJjuE.exe
  C:\Windows\System\qdnJjuE.exe
  2⤵
  PID:8728
- C:\Windows\System\IfNeQbz.exe
  C:\Windows\System\IfNeQbz.exe
  2⤵
  PID:8760
- C:\Windows\System\NVchTzU.exe
  C:\Windows\System\NVchTzU.exe
  2⤵
  PID:8780
- C:\Windows\System\WsCfMrd.exe
  C:\Windows\System\WsCfMrd.exe
  2⤵
  PID:8820
- C:\Windows\System\EpRfeWi.exe
  C:\Windows\System\EpRfeWi.exe
  2⤵
  PID:8844
- C:\Windows\System\lmhikTQ.exe
  C:\Windows\System\lmhikTQ.exe
  2⤵
  PID:8864
- C:\Windows\System\OkpwKyE.exe
  C:\Windows\System\OkpwKyE.exe
  2⤵
  PID:8892
- C:\Windows\System\kJrIBqR.exe
  C:\Windows\System\kJrIBqR.exe
  2⤵
  PID:8920
- C:\Windows\System\vRpPVfC.exe
  C:\Windows\System\vRpPVfC.exe
  2⤵
  PID:8952
- C:\Windows\System\yuQowxi.exe
  C:\Windows\System\yuQowxi.exe
  2⤵
  PID:8988
- C:\Windows\System\mhzLtTG.exe
  C:\Windows\System\mhzLtTG.exe
  2⤵
  PID:9020
- C:\Windows\System\BTnhlDh.exe
  C:\Windows\System\BTnhlDh.exe
  2⤵
  PID:9052
- C:\Windows\System\DbejuIM.exe
  C:\Windows\System\DbejuIM.exe
  2⤵
  PID:9084
- C:\Windows\System\NQMOtqr.exe
  C:\Windows\System\NQMOtqr.exe
  2⤵
  PID:9100
- C:\Windows\System\hzuluJJ.exe
  C:\Windows\System\hzuluJJ.exe
  2⤵
  PID:9132
- C:\Windows\System\XaMWBdC.exe
  C:\Windows\System\XaMWBdC.exe
  2⤵
  PID:9164
- C:\Windows\System\vlFfWDe.exe
  C:\Windows\System\vlFfWDe.exe
  2⤵
  PID:9188
- C:\Windows\System\gGBbSbv.exe
  C:\Windows\System\gGBbSbv.exe
  2⤵
  PID:9212
- C:\Windows\System\dxlLhIG.exe
  C:\Windows\System\dxlLhIG.exe
  2⤵
  PID:7244
- C:\Windows\System\voufhSR.exe
  C:\Windows\System\voufhSR.exe
  2⤵
  PID:8244
- C:\Windows\System\wzLOdEg.exe
  C:\Windows\System\wzLOdEg.exe
  2⤵
  PID:8288
- C:\Windows\System\LxkwMHM.exe
  C:\Windows\System\LxkwMHM.exe
  2⤵
  PID:8392
- C:\Windows\System\xKXfjwG.exe
  C:\Windows\System\xKXfjwG.exe
  2⤵
  PID:8312
- C:\Windows\System\qLPLMTc.exe
  C:\Windows\System\qLPLMTc.exe
  2⤵
  PID:8356
- C:\Windows\System\JcPYSUY.exe
  C:\Windows\System\JcPYSUY.exe
  2⤵
  PID:8560
- C:\Windows\System\nVlbdVc.exe
  C:\Windows\System\nVlbdVc.exe
  2⤵
  PID:8540
- C:\Windows\System\FxArSqW.exe
  C:\Windows\System\FxArSqW.exe
  2⤵
  PID:8776
- C:\Windows\System\KgNSFlI.exe
  C:\Windows\System\KgNSFlI.exe
  2⤵
  PID:8660
- C:\Windows\System\VoGGSMe.exe
  C:\Windows\System\VoGGSMe.exe
  2⤵
  PID:8716
- C:\Windows\System\XABzqRZ.exe
  C:\Windows\System\XABzqRZ.exe
  2⤵
  PID:8816
- C:\Windows\System\NrHSSNi.exe
  C:\Windows\System\NrHSSNi.exe
  2⤵
  PID:8832
- C:\Windows\System\kUsgywO.exe
  C:\Windows\System\kUsgywO.exe
  2⤵
  PID:8980
- C:\Windows\System\JQGrLxf.exe
  C:\Windows\System\JQGrLxf.exe
  2⤵
  PID:8960
- C:\Windows\System\oeZkXUr.exe
  C:\Windows\System\oeZkXUr.exe
  2⤵
  PID:9028
- C:\Windows\System\dKmJGmy.exe
  C:\Windows\System\dKmJGmy.exe
  2⤵
  PID:9176
- C:\Windows\System\TnpvuRM.exe
  C:\Windows\System\TnpvuRM.exe
  2⤵
  PID:9156
- C:\Windows\System\AqbMBuO.exe
  C:\Windows\System\AqbMBuO.exe
  2⤵
  PID:7860
- C:\Windows\System\saJCZUC.exe
  C:\Windows\System\saJCZUC.exe
  2⤵
  PID:8804
- C:\Windows\System\eLTgjSc.exe
  C:\Windows\System\eLTgjSc.exe
  2⤵
  PID:8308
- C:\Windows\System\jGVKXhw.exe
  C:\Windows\System\jGVKXhw.exe
  2⤵
  PID:8748
- C:\Windows\System\MgQIAKJ.exe
  C:\Windows\System\MgQIAKJ.exe
  2⤵
  PID:8912
- C:\Windows\System\bNYVPoo.exe
  C:\Windows\System\bNYVPoo.exe
  2⤵
  PID:8768
- C:\Windows\System\tqeDPjH.exe
  C:\Windows\System\tqeDPjH.exe
  2⤵
  PID:8132
- C:\Windows\System\ipzCuVJ.exe
  C:\Windows\System\ipzCuVJ.exe
  2⤵
  PID:8388
- C:\Windows\System\lAnzSGQ.exe
  C:\Windows\System\lAnzSGQ.exe
  2⤵
  PID:8808
- C:\Windows\System\OoouJtx.exe
  C:\Windows\System\OoouJtx.exe
  2⤵
  PID:9220
- C:\Windows\System\IDXBCnD.exe
  C:\Windows\System\IDXBCnD.exe
  2⤵
  PID:9252
- C:\Windows\System\RhRyGrI.exe
  C:\Windows\System\RhRyGrI.exe
  2⤵
  PID:9280
- C:\Windows\System\DJlmcDl.exe
  C:\Windows\System\DJlmcDl.exe
  2⤵
  PID:9312
- C:\Windows\System\OCyTgVX.exe
  C:\Windows\System\OCyTgVX.exe
  2⤵
  PID:9340
- C:\Windows\System\tJFupNR.exe
  C:\Windows\System\tJFupNR.exe
  2⤵
  PID:9368
- C:\Windows\System\iJUcOBK.exe
  C:\Windows\System\iJUcOBK.exe
  2⤵
  PID:9396
- C:\Windows\System\ebxUzzr.exe
  C:\Windows\System\ebxUzzr.exe
  2⤵
  PID:9420
- C:\Windows\System\rRdUwSe.exe
  C:\Windows\System\rRdUwSe.exe
  2⤵
  PID:9444
- C:\Windows\System\SRbmnHX.exe
  C:\Windows\System\SRbmnHX.exe
  2⤵
  PID:9472
- C:\Windows\System\QCyXEoy.exe
  C:\Windows\System\QCyXEoy.exe
  2⤵
  PID:9508
- C:\Windows\System\VJLySti.exe
  C:\Windows\System\VJLySti.exe
  2⤵
  PID:9536
- C:\Windows\System\ZyEQriX.exe
  C:\Windows\System\ZyEQriX.exe
  2⤵
  PID:9564
- C:\Windows\System\pApTnsN.exe
  C:\Windows\System\pApTnsN.exe
  2⤵
  PID:9588
- C:\Windows\System\qANDigf.exe
  C:\Windows\System\qANDigf.exe
  2⤵
  PID:9620
- C:\Windows\System\leUcyge.exe
  C:\Windows\System\leUcyge.exe
  2⤵
  PID:9652
- C:\Windows\System\wAmxdMH.exe
  C:\Windows\System\wAmxdMH.exe
  2⤵
  PID:9684
- C:\Windows\System\BsNPfDp.exe
  C:\Windows\System\BsNPfDp.exe
  2⤵
  PID:9708
- C:\Windows\System\slEVPhk.exe
  C:\Windows\System\slEVPhk.exe
  2⤵
  PID:9736
- C:\Windows\System\XusvgUo.exe
  C:\Windows\System\XusvgUo.exe
  2⤵
  PID:9760
- C:\Windows\System\WMLIiAT.exe
  C:\Windows\System\WMLIiAT.exe
  2⤵
  PID:9784
- C:\Windows\System\ITKeJYK.exe
  C:\Windows\System\ITKeJYK.exe
  2⤵
  PID:9812
- C:\Windows\System\nlfhRyB.exe
  C:\Windows\System\nlfhRyB.exe
  2⤵
  PID:9848
- C:\Windows\System\RthSvVZ.exe
  C:\Windows\System\RthSvVZ.exe
  2⤵
  PID:9876
- C:\Windows\System\OkwPXph.exe
  C:\Windows\System\OkwPXph.exe
  2⤵
  PID:9900
- C:\Windows\System\MfHlBTl.exe
  C:\Windows\System\MfHlBTl.exe
  2⤵
  PID:9936
- C:\Windows\System\WKngmKF.exe
  C:\Windows\System\WKngmKF.exe
  2⤵
  PID:9960
- C:\Windows\System\xGcoear.exe
  C:\Windows\System\xGcoear.exe
  2⤵
  PID:9996
- C:\Windows\System\GZIWAbj.exe
  C:\Windows\System\GZIWAbj.exe
  2⤵
  PID:10012
- C:\Windows\System\NeCKwGM.exe
  C:\Windows\System\NeCKwGM.exe
  2⤵
  PID:10044
- C:\Windows\System\qednXIa.exe
  C:\Windows\System\qednXIa.exe
  2⤵
  PID:10072
- C:\Windows\System\gIisjtZ.exe
  C:\Windows\System\gIisjtZ.exe
  2⤵
  PID:10092
- C:\Windows\System\uVclccl.exe
  C:\Windows\System\uVclccl.exe
  2⤵
  PID:10120
- C:\Windows\System\tVAukSF.exe
  C:\Windows\System\tVAukSF.exe
  2⤵
  PID:10144
- C:\Windows\System\bAQeVKA.exe
  C:\Windows\System\bAQeVKA.exe
  2⤵
  PID:10172
- C:\Windows\System\xqHNBNd.exe
  C:\Windows\System\xqHNBNd.exe
  2⤵
  PID:10196
- C:\Windows\System\RwiRgNl.exe
  C:\Windows\System\RwiRgNl.exe
  2⤵
  PID:10224
- C:\Windows\System\guIqKYb.exe
  C:\Windows\System\guIqKYb.exe
  2⤵
  PID:8428
- C:\Windows\System\iXymmzS.exe
  C:\Windows\System\iXymmzS.exe
  2⤵
  PID:8236
- C:\Windows\System\zPixaLT.exe
  C:\Windows\System\zPixaLT.exe
  2⤵
  PID:8916
- C:\Windows\System\YOgovWw.exe
  C:\Windows\System\YOgovWw.exe
  2⤵
  PID:8588
- C:\Windows\System\IrCMlPH.exe
  C:\Windows\System\IrCMlPH.exe
  2⤵
  PID:9408
- C:\Windows\System\KVjaZEp.exe
  C:\Windows\System\KVjaZEp.exe
  2⤵
  PID:9524
- C:\Windows\System\MHQJTQB.exe
  C:\Windows\System\MHQJTQB.exe
  2⤵
  PID:9428
- C:\Windows\System\mJUDLmT.exe
  C:\Windows\System\mJUDLmT.exe
  2⤵
  PID:9720
- C:\Windows\System\EbanIvC.exe
  C:\Windows\System\EbanIvC.exe
  2⤵
  PID:9632
- C:\Windows\System\zUBEqrJ.exe
  C:\Windows\System\zUBEqrJ.exe
  2⤵
  PID:9776
- C:\Windows\System\IyNXRel.exe
  C:\Windows\System\IyNXRel.exe
  2⤵
  PID:9728
- C:\Windows\System\sieBVUK.exe
  C:\Windows\System\sieBVUK.exe
  2⤵
  PID:9780
- C:\Windows\System\tpCWWRJ.exe
  C:\Windows\System\tpCWWRJ.exe
  2⤵
  PID:9840
- C:\Windows\System\yJdDWNZ.exe
  C:\Windows\System\yJdDWNZ.exe
  2⤵
  PID:9456
- C:\Windows\System\dDmuKmT.exe
  C:\Windows\System\dDmuKmT.exe
  2⤵
  PID:9460
- C:\Windows\System\eOvLUps.exe
  C:\Windows\System\eOvLUps.exe
  2⤵
  PID:9352
- C:\Windows\System\fXLfUWt.exe
  C:\Windows\System\fXLfUWt.exe
  2⤵
  PID:9660
- C:\Windows\System\PhsZmac.exe
  C:\Windows\System\PhsZmac.exe
  2⤵
  PID:9556
- C:\Windows\System\ujdHUfX.exe
  C:\Windows\System\ujdHUfX.exe
  2⤵
  PID:9752
- C:\Windows\System\PRuLMVb.exe
  C:\Windows\System\PRuLMVb.exe
  2⤵
  PID:9956
- C:\Windows\System\oqefjIv.exe
  C:\Windows\System\oqefjIv.exe
  2⤵
  PID:9432
- C:\Windows\System\gaZeTZs.exe
  C:\Windows\System\gaZeTZs.exe
  2⤵
  PID:9700
- C:\Windows\System\GBkrPKk.exe
  C:\Windows\System\GBkrPKk.exe
  2⤵
  PID:4972
- C:\Windows\System\TNGztMn.exe
  C:\Windows\System\TNGztMn.exe
  2⤵
  PID:10244
- C:\Windows\System\GgeVRRM.exe
  C:\Windows\System\GgeVRRM.exe
  2⤵
  PID:10268
- C:\Windows\System\jEmSsKn.exe
  C:\Windows\System\jEmSsKn.exe
  2⤵
  PID:10296
- C:\Windows\System\McPpsDi.exe
  C:\Windows\System\McPpsDi.exe
  2⤵
  PID:10312
- C:\Windows\System\KZMDykc.exe
  C:\Windows\System\KZMDykc.exe
  2⤵
  PID:10340
- C:\Windows\System\XHXaPaD.exe
  C:\Windows\System\XHXaPaD.exe
  2⤵
  PID:10364
- C:\Windows\System\rPeWBRM.exe
  C:\Windows\System\rPeWBRM.exe
  2⤵
  PID:10392
- C:\Windows\System\XoBkmkc.exe
  C:\Windows\System\XoBkmkc.exe
  2⤵
  PID:10424
- C:\Windows\System\HjvKnrp.exe
  C:\Windows\System\HjvKnrp.exe
  2⤵
  PID:10456
- C:\Windows\System\vMXGCJP.exe
  C:\Windows\System\vMXGCJP.exe
  2⤵
  PID:10476
- C:\Windows\System\QmVEXlC.exe
  C:\Windows\System\QmVEXlC.exe
  2⤵
  PID:10508
- C:\Windows\System\mfBNiYk.exe
  C:\Windows\System\mfBNiYk.exe
  2⤵
  PID:10532
- C:\Windows\System\GhnFFbl.exe
  C:\Windows\System\GhnFFbl.exe
  2⤵
  PID:10556
- C:\Windows\System\CxONPOh.exe
  C:\Windows\System\CxONPOh.exe
  2⤵
  PID:10584
- C:\Windows\System\DWdYSYA.exe
  C:\Windows\System\DWdYSYA.exe
  2⤵
  PID:10620
- C:\Windows\System\YbwNwVt.exe
  C:\Windows\System\YbwNwVt.exe
  2⤵
  PID:10652
- C:\Windows\System\NbVryoJ.exe
  C:\Windows\System\NbVryoJ.exe
  2⤵
  PID:10672
- C:\Windows\System\tOByuwo.exe
  C:\Windows\System\tOByuwo.exe
  2⤵
  PID:10700
- C:\Windows\System\kURMMjp.exe
  C:\Windows\System\kURMMjp.exe
  2⤵
  PID:10732
- C:\Windows\System\vzzaNtZ.exe
  C:\Windows\System\vzzaNtZ.exe
  2⤵
  PID:10752
- C:\Windows\System\NegymUR.exe
  C:\Windows\System\NegymUR.exe
  2⤵
  PID:10788
- C:\Windows\System\YMOLzLb.exe
  C:\Windows\System\YMOLzLb.exe
  2⤵
  PID:10812
- C:\Windows\System\fDLuRTR.exe
  C:\Windows\System\fDLuRTR.exe
  2⤵
  PID:10848
- C:\Windows\System\FvqjuPI.exe
  C:\Windows\System\FvqjuPI.exe
  2⤵
  PID:10880
- C:\Windows\System\vwttbFM.exe
  C:\Windows\System\vwttbFM.exe
  2⤵
  PID:10908
- C:\Windows\System\oPPSLxR.exe
  C:\Windows\System\oPPSLxR.exe
  2⤵
  PID:10936
- C:\Windows\System\JRFAkus.exe
  C:\Windows\System\JRFAkus.exe
  2⤵
  PID:10960
- C:\Windows\System\IHWNhox.exe
  C:\Windows\System\IHWNhox.exe
  2⤵
  PID:10988
- C:\Windows\System\AhEtBpq.exe
  C:\Windows\System\AhEtBpq.exe
  2⤵
  PID:11012
- C:\Windows\System\SHiWKCl.exe
  C:\Windows\System\SHiWKCl.exe
  2⤵
  PID:11028
- C:\Windows\System\NYLunVK.exe
  C:\Windows\System\NYLunVK.exe
  2⤵
  PID:11052
- C:\Windows\System\nIYmmGY.exe
  C:\Windows\System\nIYmmGY.exe
  2⤵
  PID:11084
- C:\Windows\System\blOwgNB.exe
  C:\Windows\System\blOwgNB.exe
  2⤵
  PID:11104
- C:\Windows\System\bELvcyT.exe
  C:\Windows\System\bELvcyT.exe
  2⤵
  PID:11120
- C:\Windows\System\HIBeSXa.exe
  C:\Windows\System\HIBeSXa.exe
  2⤵
  PID:11148
- C:\Windows\System\yfmQppk.exe
  C:\Windows\System\yfmQppk.exe
  2⤵
  PID:11172
- C:\Windows\System\yCwkmEt.exe
  C:\Windows\System\yCwkmEt.exe
  2⤵
  PID:11192
- C:\Windows\System\hbbHtPw.exe
  C:\Windows\System\hbbHtPw.exe
  2⤵
  PID:11208
- C:\Windows\System\FTChBaX.exe
  C:\Windows\System\FTChBaX.exe
  2⤵
  PID:11240
- C:\Windows\System\XXZYmEv.exe
  C:\Windows\System\XXZYmEv.exe
  2⤵
  PID:9804
- C:\Windows\System\sfHJzCv.exe
  C:\Windows\System\sfHJzCv.exe
  2⤵
  PID:10308
- C:\Windows\System\ygGfXzS.exe
  C:\Windows\System\ygGfXzS.exe
  2⤵
  PID:10264
- C:\Windows\System\ClCeGRW.exe
  C:\Windows\System\ClCeGRW.exe
  2⤵
  PID:10352
- C:\Windows\System\LrAKHCb.exe
  C:\Windows\System\LrAKHCb.exe
  2⤵
  PID:10504
- C:\Windows\System\mQQhDiH.exe
  C:\Windows\System\mQQhDiH.exe
  2⤵
  PID:10436
- C:\Windows\System\wHTZGbb.exe
  C:\Windows\System\wHTZGbb.exe
  2⤵
  PID:10492
- C:\Windows\System\NUVArEA.exe
  C:\Windows\System\NUVArEA.exe
  2⤵
  PID:10684
- C:\Windows\System\GxBPSJC.exe
  C:\Windows\System\GxBPSJC.exe
  2⤵
  PID:10644
- C:\Windows\System\wDHwBBv.exe
  C:\Windows\System\wDHwBBv.exe
  2⤵
  PID:10720
- C:\Windows\System\dWfhWwE.exe
  C:\Windows\System\dWfhWwE.exe
  2⤵
  PID:10808
- C:\Windows\System\NnunpjQ.exe
  C:\Windows\System\NnunpjQ.exe
  2⤵
  PID:10972
- C:\Windows\System\dhIWQnc.exe
  C:\Windows\System\dhIWQnc.exe
  2⤵
  PID:10916
- C:\Windows\System\tEUBXOe.exe
  C:\Windows\System\tEUBXOe.exe
  2⤵
  PID:11000
- C:\Windows\System\JDlGdgL.exe
  C:\Windows\System\JDlGdgL.exe
  2⤵
  PID:10952
- C:\Windows\System\tHJkjBA.exe
  C:\Windows\System\tHJkjBA.exe
  2⤵
  PID:11132
- C:\Windows\System\FWaKQjq.exe
  C:\Windows\System\FWaKQjq.exe
  2⤵
  PID:11200
- C:\Windows\System\WEcZmRa.exe
  C:\Windows\System\WEcZmRa.exe
  2⤵
  PID:11188
- C:\Windows\System\nmgwqzB.exe
  C:\Windows\System\nmgwqzB.exe
  2⤵
  PID:10088
- C:\Windows\System\eAdMEVK.exe
  C:\Windows\System\eAdMEVK.exe
  2⤵
  PID:11168
- C:\Windows\System\ypnJUUu.exe
  C:\Windows\System\ypnJUUu.exe
  2⤵
  PID:10632
- C:\Windows\System\rQtVZof.exe
  C:\Windows\System\rQtVZof.exe
  2⤵
  PID:11260
- C:\Windows\System\jFpmtLc.exe
  C:\Windows\System\jFpmtLc.exe
  2⤵
  PID:10892
- C:\Windows\System\uolSUwe.exe
  C:\Windows\System\uolSUwe.exe
  2⤵
  PID:11276
- C:\Windows\System\EuJXHGj.exe
  C:\Windows\System\EuJXHGj.exe
  2⤵
  PID:11296
- C:\Windows\System\yOqIbvP.exe
  C:\Windows\System\yOqIbvP.exe
  2⤵
  PID:11328
- C:\Windows\System\wbRWLud.exe
  C:\Windows\System\wbRWLud.exe
  2⤵
  PID:11352
- C:\Windows\System\MjOjJKN.exe
  C:\Windows\System\MjOjJKN.exe
  2⤵
  PID:11388
- C:\Windows\System\uCfiufC.exe
  C:\Windows\System\uCfiufC.exe
  2⤵
  PID:11416
- C:\Windows\System\qCVYFlC.exe
  C:\Windows\System\qCVYFlC.exe
  2⤵
  PID:11432
- C:\Windows\System\xjxAeCB.exe
  C:\Windows\System\xjxAeCB.exe
  2⤵
  PID:11464
- C:\Windows\System\eXBjvvW.exe
  C:\Windows\System\eXBjvvW.exe
  2⤵
  PID:11492
- C:\Windows\System\nWbvmqm.exe
  C:\Windows\System\nWbvmqm.exe
  2⤵
  PID:11520
- C:\Windows\System\dhWsVYo.exe
  C:\Windows\System\dhWsVYo.exe
  2⤵
  PID:11544
- C:\Windows\System\AJQtzwG.exe
  C:\Windows\System\AJQtzwG.exe
  2⤵
  PID:11580
- C:\Windows\System\tKpIlaJ.exe
  C:\Windows\System\tKpIlaJ.exe
  2⤵
  PID:11608
- C:\Windows\System\ftRmhkH.exe
  C:\Windows\System\ftRmhkH.exe
  2⤵
  PID:11636
- C:\Windows\System\CPmOReY.exe
  C:\Windows\System\CPmOReY.exe
  2⤵
  PID:11660
- C:\Windows\System\VZnZQEz.exe
  C:\Windows\System\VZnZQEz.exe
  2⤵
  PID:11692
- C:\Windows\System\EwTDogP.exe
  C:\Windows\System\EwTDogP.exe
  2⤵
  PID:11724
- C:\Windows\System\vFWxooT.exe
  C:\Windows\System\vFWxooT.exe
  2⤵
  PID:11744
- C:\Windows\System\rNtMSmI.exe
  C:\Windows\System\rNtMSmI.exe
  2⤵
  PID:11768
- C:\Windows\System\zzEMiKU.exe
  C:\Windows\System\zzEMiKU.exe
  2⤵
  PID:11796
- C:\Windows\System\ODihNwi.exe
  C:\Windows\System\ODihNwi.exe
  2⤵
  PID:11828
- C:\Windows\System\nVRfMfK.exe
  C:\Windows\System\nVRfMfK.exe
  2⤵
  PID:11852
- C:\Windows\System\vEDgoab.exe
  C:\Windows\System\vEDgoab.exe
  2⤵
  PID:11884
- C:\Windows\System\SwUkRsZ.exe
  C:\Windows\System\SwUkRsZ.exe
  2⤵
  PID:11908
- C:\Windows\System\UCUjIhH.exe
  C:\Windows\System\UCUjIhH.exe
  2⤵
  PID:11936
- C:\Windows\System\vrWLfTX.exe
  C:\Windows\System\vrWLfTX.exe
  2⤵
  PID:11956
- C:\Windows\System\eZCQRxT.exe
  C:\Windows\System\eZCQRxT.exe
  2⤵
  PID:11980
- C:\Windows\System\DcjEBRV.exe
  C:\Windows\System\DcjEBRV.exe
  2⤵
  PID:12012
- C:\Windows\System\XhEbpTW.exe
  C:\Windows\System\XhEbpTW.exe
  2⤵
  PID:12036
- C:\Windows\System\lihyaLe.exe
  C:\Windows\System\lihyaLe.exe
  2⤵
  PID:12068
- C:\Windows\System\VetEJOJ.exe
  C:\Windows\System\VetEJOJ.exe
  2⤵
  PID:12100
- C:\Windows\System\ZFnYlvs.exe
  C:\Windows\System\ZFnYlvs.exe
  2⤵
  PID:12128
- C:\Windows\System\DMaTcNI.exe
  C:\Windows\System\DMaTcNI.exe
  2⤵
  PID:12156
- C:\Windows\System\xFpYALM.exe
  C:\Windows\System\xFpYALM.exe
  2⤵
  PID:12180
- C:\Windows\System\njofUHE.exe
  C:\Windows\System\njofUHE.exe
  2⤵
  PID:12220
- C:\Windows\System\mIcHcQz.exe
  C:\Windows\System\mIcHcQz.exe
  2⤵
  PID:12244
- C:\Windows\System\gjuRMXA.exe
  C:\Windows\System\gjuRMXA.exe
  2⤵
  PID:12276
- C:\Windows\System\LoZyjBk.exe
  C:\Windows\System\LoZyjBk.exe
  2⤵
  PID:10832
- C:\Windows\System\aGGoaBB.exe
  C:\Windows\System\aGGoaBB.exe
  2⤵
  PID:11112
- C:\Windows\System\igrVnTW.exe
  C:\Windows\System\igrVnTW.exe
  2⤵
  PID:11100
- C:\Windows\System\dkwJqGz.exe
  C:\Windows\System\dkwJqGz.exe
  2⤵
  PID:11316
- C:\Windows\System\dPprmpp.exe
  C:\Windows\System\dPprmpp.exe
  2⤵
  PID:11048
- C:\Windows\System\hJiMqUj.exe
  C:\Windows\System\hJiMqUj.exe
  2⤵
  PID:11384
- C:\Windows\System\RwnjsOt.exe
  C:\Windows\System\RwnjsOt.exe
  2⤵
  PID:11448
- C:\Windows\System\eTAvElJ.exe
  C:\Windows\System\eTAvElJ.exe
  2⤵
  PID:11512
- C:\Windows\System\eaNpMMI.exe
  C:\Windows\System\eaNpMMI.exe
  2⤵
  PID:11572
- C:\Windows\System\bQlTaYx.exe
  C:\Windows\System\bQlTaYx.exe
  2⤵
  PID:11624
- C:\Windows\System\vmQTdJy.exe
  C:\Windows\System\vmQTdJy.exe
  2⤵
  PID:11540
- C:\Windows\System\xUTlxkv.exe
  C:\Windows\System\xUTlxkv.exe
  2⤵
  PID:11780
- C:\Windows\System\tzwVDMt.exe
  C:\Windows\System\tzwVDMt.exe
  2⤵
  PID:11656
- C:\Windows\System\DWcBLxM.exe
  C:\Windows\System\DWcBLxM.exe
  2⤵
  PID:11716
- C:\Windows\System\kIsmgRK.exe
  C:\Windows\System\kIsmgRK.exe
  2⤵
  PID:11756
- C:\Windows\System\InkaXhX.exe
  C:\Windows\System\InkaXhX.exe
  2⤵
  PID:11844
- C:\Windows\System\AeRQPoC.exe
  C:\Windows\System\AeRQPoC.exe
  2⤵
  PID:11944
- C:\Windows\System\qGnNGIZ.exe
  C:\Windows\System\qGnNGIZ.exe
  2⤵
  PID:12152
- C:\Windows\System\eoZjaLs.exe
  C:\Windows\System\eoZjaLs.exe
  2⤵
  PID:12204
- C:\Windows\System\PPgjAAJ.exe
  C:\Windows\System\PPgjAAJ.exe
  2⤵
  PID:11184
- C:\Windows\System\VMdGrnF.exe
  C:\Windows\System\VMdGrnF.exe
  2⤵
  PID:11040
- C:\Windows\System\gcxmwhZ.exe
  C:\Windows\System\gcxmwhZ.exe
  2⤵
  PID:11236
- C:\Windows\System\NaojQue.exe
  C:\Windows\System\NaojQue.exe
  2⤵
  PID:12252
- C:\Windows\System\iRHQoxw.exe
  C:\Windows\System\iRHQoxw.exe
  2⤵
  PID:11376
- C:\Windows\System\Nlfljkl.exe
  C:\Windows\System\Nlfljkl.exe
  2⤵
  PID:11536
- C:\Windows\System\mzsUQQu.exe
  C:\Windows\System\mzsUQQu.exe
  2⤵
  PID:11732
- C:\Windows\System\RkGmeRV.exe
  C:\Windows\System\RkGmeRV.exe
  2⤵
  PID:12092
- C:\Windows\System\nbjQpvR.exe
  C:\Windows\System\nbjQpvR.exe
  2⤵
  PID:11992
- C:\Windows\System\mnvwutk.exe
  C:\Windows\System\mnvwutk.exe
  2⤵
  PID:11916
- C:\Windows\System\DsVrljF.exe
  C:\Windows\System\DsVrljF.exe
  2⤵
  PID:12308
- C:\Windows\System\psXmFKg.exe
  C:\Windows\System\psXmFKg.exe
  2⤵
  PID:12336
- C:\Windows\System\ZhfRMjt.exe
  C:\Windows\System\ZhfRMjt.exe
  2⤵
  PID:12364
- C:\Windows\System\pRphxri.exe
  C:\Windows\System\pRphxri.exe
  2⤵
  PID:12388
- C:\Windows\System\KGgHOjP.exe
  C:\Windows\System\KGgHOjP.exe
  2⤵
  PID:12412
- C:\Windows\System\jinOsZH.exe
  C:\Windows\System\jinOsZH.exe
  2⤵
  PID:12444
- C:\Windows\System\HRdnKVF.exe
  C:\Windows\System\HRdnKVF.exe
  2⤵
  PID:12468
- C:\Windows\System\owZPUuT.exe
  C:\Windows\System\owZPUuT.exe
  2⤵
  PID:12496
- C:\Windows\System\RyicExI.exe
  C:\Windows\System\RyicExI.exe
  2⤵
  PID:12524
- C:\Windows\System\usBGgjS.exe
  C:\Windows\System\usBGgjS.exe
  2⤵
  PID:12552
- C:\Windows\System\TqRdyNI.exe
  C:\Windows\System\TqRdyNI.exe
  2⤵
  PID:12584
- C:\Windows\System\rITlxhT.exe
  C:\Windows\System\rITlxhT.exe
  2⤵
  PID:12608
- C:\Windows\System\WSCQerm.exe
  C:\Windows\System\WSCQerm.exe
  2⤵
  PID:12632
- C:\Windows\System\tAydAKH.exe
  C:\Windows\System\tAydAKH.exe
  2⤵
  PID:12668
- C:\Windows\System\nIABusX.exe
  C:\Windows\System\nIABusX.exe
  2⤵
  PID:12696
- C:\Windows\System\WXxKOnE.exe
  C:\Windows\System\WXxKOnE.exe
  2⤵
  PID:12728
- C:\Windows\System\MRIETbH.exe
  C:\Windows\System\MRIETbH.exe
  2⤵
  PID:12756
- C:\Windows\System\zhOEitJ.exe
  C:\Windows\System\zhOEitJ.exe
  2⤵
  PID:12784
- C:\Windows\System\xeJbbae.exe
  C:\Windows\System\xeJbbae.exe
  2⤵
  PID:12808
- C:\Windows\System\FteqXwQ.exe
  C:\Windows\System\FteqXwQ.exe
  2⤵
  PID:12840
- C:\Windows\System\cNCaVpI.exe
  C:\Windows\System\cNCaVpI.exe
  2⤵
  PID:12868
- C:\Windows\System\AjvBFKh.exe
  C:\Windows\System\AjvBFKh.exe
  2⤵
  PID:12896
- C:\Windows\System\DjpWqPS.exe
  C:\Windows\System\DjpWqPS.exe
  2⤵
  PID:12920
- C:\Windows\System\NrvDlyA.exe
  C:\Windows\System\NrvDlyA.exe
  2⤵
  PID:12956
- C:\Windows\System\fHFSXxD.exe
  C:\Windows\System\fHFSXxD.exe
  2⤵
  PID:12988
- C:\Windows\System\VXChngD.exe
  C:\Windows\System\VXChngD.exe
  2⤵
  PID:13004
- C:\Windows\System\lhhbdDM.exe
  C:\Windows\System\lhhbdDM.exe
  2⤵
  PID:13028
- C:\Windows\System\IfTmPds.exe
  C:\Windows\System\IfTmPds.exe
  2⤵
  PID:13064
- C:\Windows\System\zCTLMBI.exe
  C:\Windows\System\zCTLMBI.exe
  2⤵
  PID:13080
- C:\Windows\System\MgcWTBi.exe
  C:\Windows\System\MgcWTBi.exe
  2⤵
  PID:13104
- C:\Windows\System\PusSMfo.exe
  C:\Windows\System\PusSMfo.exe
  2⤵
  PID:13136
- C:\Windows\System\Tlwzffv.exe
  C:\Windows\System\Tlwzffv.exe
  2⤵
  PID:13160
- C:\Windows\System\xSxGcUU.exe
  C:\Windows\System\xSxGcUU.exe
  2⤵
  PID:13192
- C:\Windows\System\ouoaEnF.exe
  C:\Windows\System\ouoaEnF.exe
  2⤵
  PID:13216
- C:\Windows\System\FJUNoNG.exe
  C:\Windows\System\FJUNoNG.exe
  2⤵
  PID:13248
- C:\Windows\System\WmjLiJV.exe
  C:\Windows\System\WmjLiJV.exe
  2⤵
  PID:13272
- C:\Windows\System\PXhcJIk.exe
  C:\Windows\System\PXhcJIk.exe
  2⤵
  PID:13304
- C:\Windows\System\KdFckss.exe
  C:\Windows\System\KdFckss.exe
  2⤵
  PID:11292
- C:\Windows\System\oqQFnhQ.exe
  C:\Windows\System\oqQFnhQ.exe
  2⤵
  PID:12056
- C:\Windows\System\LfSGTkp.exe
  C:\Windows\System\LfSGTkp.exe
  2⤵
  PID:12112
- C:\Windows\System\hAJhpAw.exe
  C:\Windows\System\hAJhpAw.exe
  2⤵
  PID:12656
- C:\Windows\System\LBDpqFm.exe
  C:\Windows\System\LBDpqFm.exe
  2⤵
  PID:12492
- C:\Windows\System\uVTQAzb.exe
  C:\Windows\System\uVTQAzb.exe
  2⤵
  PID:12424
- C:\Windows\System\jWxkmqe.exe
  C:\Windows\System\jWxkmqe.exe
  2⤵
  PID:12604
- C:\Windows\System\JRzdeDS.exe
  C:\Windows\System\JRzdeDS.exe
  2⤵
  PID:12736
- C:\Windows\System\jqjGigP.exe
  C:\Windows\System\jqjGigP.exe
  2⤵
  PID:12968
- C:\Windows\System\fOYIjAU.exe
  C:\Windows\System\fOYIjAU.exe
  2⤵
  PID:13076
- C:\Windows\System\cRAMipQ.exe
  C:\Windows\System\cRAMipQ.exe
  2⤵
  PID:13148
- C:\Windows\System\VTxkRci.exe
  C:\Windows\System\VTxkRci.exe
  2⤵
  PID:13000
- C:\Windows\System\NrYySpq.exe
  C:\Windows\System\NrYySpq.exe
  2⤵
  PID:12912
- C:\Windows\System\etXqKYx.exe
  C:\Windows\System\etXqKYx.exe
  2⤵
  PID:13300
- C:\Windows\System\FBGIGVQ.exe
  C:\Windows\System\FBGIGVQ.exe
  2⤵
  PID:11836
- C:\Windows\System\oPwFgRc.exe
  C:\Windows\System\oPwFgRc.exe
  2⤵
  PID:12192
- C:\Windows\System\StPxFZA.exe
  C:\Windows\System\StPxFZA.exe
  2⤵
  PID:12404
- C:\Windows\System\LhPOkIa.exe
  C:\Windows\System\LhPOkIa.exe
  2⤵
  PID:13292
- C:\Windows\System\BWgDRYi.exe
  C:\Windows\System\BWgDRYi.exe
  2⤵
  PID:12572
- C:\Windows\System\gyABmld.exe
  C:\Windows\System\gyABmld.exe
  2⤵
  PID:12764
- C:\Windows\System\ZgeRzaI.exe
  C:\Windows\System\ZgeRzaI.exe
  2⤵
  PID:12952
- C:\Windows\System\yvGIXAd.exe
  C:\Windows\System\yvGIXAd.exe
  2⤵
  PID:13048
- C:\Windows\System\BHXczwW.exe
  C:\Windows\System\BHXczwW.exe
  2⤵
  PID:13268
- C:\Windows\System\WtVQdus.exe
  C:\Windows\System\WtVQdus.exe
  2⤵
  PID:11428
- C:\Windows\System\cmIbYcI.exe
  C:\Windows\System\cmIbYcI.exe
  2⤵
  PID:12680
- C:\Windows\System\GbFlupx.exe
  C:\Windows\System\GbFlupx.exe
  2⤵
  PID:13320
- C:\Windows\System\sESxbhM.exe
  C:\Windows\System\sESxbhM.exe
  2⤵
  PID:13344
- C:\Windows\System\CRkprig.exe
  C:\Windows\System\CRkprig.exe
  2⤵
  PID:13392
- C:\Windows\System\fGpwPSw.exe
  C:\Windows\System\fGpwPSw.exe
  2⤵
  PID:13412
- C:\Windows\System\bCWnJhd.exe
  C:\Windows\System\bCWnJhd.exe
  2⤵
  PID:13440
- C:\Windows\System\jmGTHrr.exe
  C:\Windows\System\jmGTHrr.exe
  2⤵
  PID:13468
- C:\Windows\System\PeLxlCX.exe
  C:\Windows\System\PeLxlCX.exe
  2⤵
  PID:13496
- C:\Windows\System\CxTNTJk.exe
  C:\Windows\System\CxTNTJk.exe
  2⤵
  PID:13528
- C:\Windows\System\vonaNix.exe
  C:\Windows\System\vonaNix.exe
  2⤵
  PID:13564
- C:\Windows\System\UGUnJbr.exe
  C:\Windows\System\UGUnJbr.exe
  2⤵
  PID:13588
- C:\Windows\System\UvcLjaa.exe
  C:\Windows\System\UvcLjaa.exe
  2⤵
  PID:13616
- C:\Windows\System\bIptyhw.exe
  C:\Windows\System\bIptyhw.exe
  2⤵
  PID:13636
- C:\Windows\System\tRmLFii.exe
  C:\Windows\System\tRmLFii.exe
  2⤵
  PID:13664
- C:\Windows\System\tFxCwIQ.exe
  C:\Windows\System\tFxCwIQ.exe
  2⤵
  PID:13684
- C:\Windows\System\pEbaGZr.exe
  C:\Windows\System\pEbaGZr.exe
  2⤵
  PID:13708
- C:\Windows\System\JvBSufX.exe
  C:\Windows\System\JvBSufX.exe
  2⤵
  PID:13732
- C:\Windows\System\BtVRUDd.exe
  C:\Windows\System\BtVRUDd.exe
  2⤵
  PID:13764
- C:\Windows\System\RodguRh.exe
  C:\Windows\System\RodguRh.exe
  2⤵
  PID:13796
- C:\Windows\System\mznmroQ.exe
  C:\Windows\System\mznmroQ.exe
  2⤵
  PID:13820
- C:\Windows\System\mxIfqHb.exe
  C:\Windows\System\mxIfqHb.exe
  2⤵
  PID:13844
- C:\Windows\System\HJhlryO.exe
  C:\Windows\System\HJhlryO.exe
  2⤵
  PID:13876
- C:\Windows\System\xySrvoK.exe
  C:\Windows\System\xySrvoK.exe
  2⤵
  PID:13900
- C:\Windows\System\WmXZUSk.exe
  C:\Windows\System\WmXZUSk.exe
  2⤵
  PID:13920
- C:\Windows\System\Tqnvbbh.exe
  C:\Windows\System\Tqnvbbh.exe
  2⤵
  PID:13936
- C:\Windows\System\wFJvBYS.exe
  C:\Windows\System\wFJvBYS.exe
  2⤵
  PID:13960
- C:\Windows\System\IvcwuVN.exe
  C:\Windows\System\IvcwuVN.exe
  2⤵
  PID:13984
- C:\Windows\System\CXcOtVz.exe
  C:\Windows\System\CXcOtVz.exe
  2⤵
  PID:14016
- C:\Windows\System\QMlAmYF.exe
  C:\Windows\System\QMlAmYF.exe
  2⤵
  PID:14044
- C:\Windows\System\fQqgGgs.exe
  C:\Windows\System\fQqgGgs.exe
  2⤵
  PID:14064
- C:\Windows\System\SZQAhHr.exe
  C:\Windows\System\SZQAhHr.exe
  2⤵
  PID:14092
- C:\Windows\System\JXGqQyl.exe
  C:\Windows\System\JXGqQyl.exe
  2⤵
  PID:14116
- C:\Windows\System\DCDNetc.exe
  C:\Windows\System\DCDNetc.exe
  2⤵
  PID:14144
- C:\Windows\System\xmFBSBU.exe
  C:\Windows\System\xmFBSBU.exe
  2⤵
  PID:14168
- C:\Windows\System\ZSoudDh.exe
  C:\Windows\System\ZSoudDh.exe
  2⤵
  PID:14196
- C:\Windows\System\NLRjYkx.exe
  C:\Windows\System\NLRjYkx.exe
  2⤵
  PID:14224
- C:\Windows\System\YxjQoNv.exe
  C:\Windows\System\YxjQoNv.exe
  2⤵
  PID:14260
- C:\Windows\System\KGrSeIw.exe
  C:\Windows\System\KGrSeIw.exe
  2⤵
  PID:14292
- C:\Windows\System\amAmsFL.exe
  C:\Windows\System\amAmsFL.exe
  2⤵
  PID:14324
- C:\Windows\System\DeyNlNZ.exe
  C:\Windows\System\DeyNlNZ.exe
  2⤵
  PID:12704
- C:\Windows\System\fSvPyvA.exe
  C:\Windows\System\fSvPyvA.exe
  2⤵
  PID:13372
- C:\Windows\System\oOcfYYn.exe
  C:\Windows\System\oOcfYYn.exe
  2⤵
  PID:12932
- C:\Windows\System\OGQvaEx.exe
  C:\Windows\System\OGQvaEx.exe
  2⤵
  PID:13448
- C:\Windows\System\ToTNwpy.exe
  C:\Windows\System\ToTNwpy.exe
  2⤵
  PID:13556
- C:\Windows\System\HVqCjrY.exe
  C:\Windows\System\HVqCjrY.exe
  2⤵
  PID:13600
- C:\Windows\System\qSrKSKE.exe
  C:\Windows\System\qSrKSKE.exe
  2⤵
  PID:13652
- C:\Windows\System\iUwNvEW.exe
  C:\Windows\System\iUwNvEW.exe
  2⤵
  PID:13724
- C:\Windows\System\zRHMlov.exe
  C:\Windows\System\zRHMlov.exe
  2⤵
  PID:13784
- C:\Windows\System\bhjNtFl.exe
  C:\Windows\System\bhjNtFl.exe
  2⤵
  PID:13700
- C:\Windows\System\EuUydvu.exe
  C:\Windows\System\EuUydvu.exe
  2⤵
  PID:13832
- C:\Windows\System\jmdInTG.exe
  C:\Windows\System\jmdInTG.exe
  2⤵
  PID:14024
- C:\Windows\System\YxtSTyC.exe
  C:\Windows\System\YxtSTyC.exe
  2⤵
  PID:14040
- C:\Windows\System\ZfeMAxi.exe
  C:\Windows\System\ZfeMAxi.exe
  2⤵
  PID:13976
- C:\Windows\System\EwbfQha.exe
  C:\Windows\System\EwbfQha.exe
  2⤵
  PID:14128
- C:\Windows\System\xhmrRdH.exe
  C:\Windows\System\xhmrRdH.exe
  2⤵
  PID:14184
- C:\Windows\System\qXxWgrp.exe
  C:\Windows\System\qXxWgrp.exe
  2⤵
  PID:13284
- C:\Windows\System\bKmIWUr.exe
  C:\Windows\System\bKmIWUr.exe
  2⤵
  PID:13040
- C:\Windows\System\ZgweNjl.exe
  C:\Windows\System\ZgweNjl.exe
  2⤵
  PID:14236
- C:\Windows\System\dPYIxLa.exe
  C:\Windows\System\dPYIxLa.exe
  2⤵
  PID:13356
- C:\Windows\System\SdDHMsK.exe
  C:\Windows\System\SdDHMsK.exe
  2⤵
  PID:13808
- C:\Windows\System\QbUyZlT.exe
  C:\Windows\System\QbUyZlT.exe
  2⤵
  PID:12860
- C:\Windows\System\ekOdfDp.exe
  C:\Windows\System\ekOdfDp.exe
  2⤵
  PID:13780
- C:\Windows\System\zaaqiQr.exe
  C:\Windows\System\zaaqiQr.exe
  2⤵
  PID:13520
- C:\Windows\System\qTLwoBd.exe
  C:\Windows\System\qTLwoBd.exe
  2⤵
  PID:11892
- C:\Windows\System\zUngpYb.exe
  C:\Windows\System\zUngpYb.exe
  2⤵
  PID:13208
- C:\Windows\System\vuNJjQS.exe
  C:\Windows\System\vuNJjQS.exe
  2⤵
  PID:14352
- C:\Windows\System\esSDSug.exe
  C:\Windows\System\esSDSug.exe
  2⤵
  PID:14380
- C:\Windows\System\PvOFeMz.exe
  C:\Windows\System\PvOFeMz.exe
  2⤵
  PID:14408
- C:\Windows\System\gaeRVmV.exe
  C:\Windows\System\gaeRVmV.exe
  2⤵
  PID:14432
- C:\Windows\System\YwdKomL.exe
  C:\Windows\System\YwdKomL.exe
  2⤵
  PID:14460
- C:\Windows\System\jJfshGq.exe
  C:\Windows\System\jJfshGq.exe
  2⤵
  PID:14476
- C:\Windows\System\LigxvYq.exe
  C:\Windows\System\LigxvYq.exe
  2⤵
  PID:14512
- C:\Windows\System\hUMNlKg.exe
  C:\Windows\System\hUMNlKg.exe
  2⤵
  PID:14544
- C:\Windows\System\MoYcQHu.exe
  C:\Windows\System\MoYcQHu.exe
  2⤵
  PID:14564
- C:\Windows\System\EDNrfHS.exe
  C:\Windows\System\EDNrfHS.exe
  2⤵
  PID:14600
- C:\Windows\System\VDFxOWJ.exe
  C:\Windows\System\VDFxOWJ.exe
  2⤵
  PID:14624
- C:\Windows\System\OyTcDTG.exe
  C:\Windows\System\OyTcDTG.exe
  2⤵
  PID:14648
- C:\Windows\System\LEVhiIb.exe
  C:\Windows\System\LEVhiIb.exe
  2⤵
  PID:14680
- C:\Windows\System\RfWXIIu.exe
  C:\Windows\System\RfWXIIu.exe
  2⤵
  PID:14716
- C:\Windows\System\hChqAlP.exe
  C:\Windows\System\hChqAlP.exe
  2⤵
  PID:14740
- C:\Windows\System\xOVzDoJ.exe
  C:\Windows\System\xOVzDoJ.exe
  2⤵
  PID:14768
- C:\Windows\System\wXsVqin.exe
  C:\Windows\System\wXsVqin.exe
  2⤵
  PID:14796
- C:\Windows\System\sFTGdwE.exe
  C:\Windows\System\sFTGdwE.exe
  2⤵
  PID:14832
- C:\Windows\System\zCMXvkC.exe
  C:\Windows\System\zCMXvkC.exe
  2⤵
  PID:14860
- C:\Windows\System\iOosbdf.exe
  C:\Windows\System\iOosbdf.exe
  2⤵
  PID:14884
- C:\Windows\System\xPiUuMM.exe
  C:\Windows\System\xPiUuMM.exe
  2⤵
  PID:14912
- C:\Windows\System\IJiQyUK.exe
  C:\Windows\System\IJiQyUK.exe
  2⤵
  PID:14948
- C:\Windows\System\rzttRFb.exe
  C:\Windows\System\rzttRFb.exe
  2⤵
  PID:14976
- C:\Windows\System\uQAartU.exe
  C:\Windows\System\uQAartU.exe
  2⤵
  PID:15008
- C:\Windows\System\TGsfkYv.exe
  C:\Windows\System\TGsfkYv.exe
  2⤵
  PID:15024
- C:\Windows\System\ayXyxrF.exe
  C:\Windows\System\ayXyxrF.exe
  2⤵
  PID:15064
- C:\Windows\System\jBbiDwF.exe
  C:\Windows\System\jBbiDwF.exe
  2⤵
  PID:15088
- C:\Windows\System\heymcTR.exe
  C:\Windows\System\heymcTR.exe
  2⤵
  PID:15112
- C:\Windows\System\xXtteGE.exe
  C:\Windows\System\xXtteGE.exe
  2⤵
  PID:15140
- C:\Windows\System\NFVZrUj.exe
  C:\Windows\System\NFVZrUj.exe
  2⤵
  PID:15164
- C:\Windows\System\bOzDKUu.exe
  C:\Windows\System\bOzDKUu.exe
  2⤵
  PID:15184
- C:\Windows\System\RXKFMKo.exe
  C:\Windows\System\RXKFMKo.exe
  2⤵
  PID:15204
- C:\Windows\System\dvRdjjS.exe
  C:\Windows\System\dvRdjjS.exe
  2⤵
  PID:15232
- C:\Windows\System\rqcepum.exe
  C:\Windows\System\rqcepum.exe
  2⤵
  PID:15260
- C:\Windows\System\oGJnktn.exe
  C:\Windows\System\oGJnktn.exe
  2⤵
  PID:15288
- C:\Windows\System\VOFIduL.exe
  C:\Windows\System\VOFIduL.exe
  2⤵
  PID:15324
- C:\Windows\System\ATHfutI.exe
  C:\Windows\System\ATHfutI.exe
  2⤵
  PID:15352
- C:\Windows\System\xngsWQu.exe
  C:\Windows\System\xngsWQu.exe
  2⤵
  PID:14272
- C:\Windows\System\UuTTTPC.exe
  C:\Windows\System\UuTTTPC.exe
  2⤵
  PID:14388
- C:\Windows\System\LimvbTg.exe
  C:\Windows\System\LimvbTg.exe
  2⤵
  PID:14440
- C:\Windows\System\zjbIxHa.exe
  C:\Windows\System\zjbIxHa.exe
  2⤵
  PID:14472
- C:\Windows\System\IdzkECU.exe
  C:\Windows\System\IdzkECU.exe
  2⤵
  PID:14396
- C:\Windows\System\Senwrhx.exe
  C:\Windows\System\Senwrhx.exe
  2⤵
  PID:14448
- C:\Windows\System\ZFYCZhj.exe
  C:\Windows\System\ZFYCZhj.exe
  2⤵
  PID:14524
- C:\Windows\System\SzwMKAJ.exe
  C:\Windows\System\SzwMKAJ.exe
  2⤵
  PID:14748
- C:\Windows\System\HPOsVpi.exe
  C:\Windows\System\HPOsVpi.exe
  2⤵
  PID:14612
- C:\Windows\System\JIgbCTK.exe
  C:\Windows\System\JIgbCTK.exe
  2⤵
  PID:14876
- C:\Windows\System\fLYAmsF.exe
  C:\Windows\System\fLYAmsF.exe
  2⤵
  PID:14816
- C:\Windows\System\KADOPqF.exe
  C:\Windows\System\KADOPqF.exe
  2⤵
  PID:14872
- C:\Windows\System\LDXgDLD.exe
  C:\Windows\System\LDXgDLD.exe
  2⤵
  PID:14792
- C:\Windows\System\yhEKiBe.exe
  C:\Windows\System\yhEKiBe.exe
  2⤵
  PID:15152
- C:\Windows\System\CBEgGtY.exe
  C:\Windows\System\CBEgGtY.exe
  2⤵
  PID:15200
- C:\Windows\System\PmoUvMS.exe
  C:\Windows\System\PmoUvMS.exe
  2⤵
  PID:14988
- C:\Windows\System\GHZtRpc.exe
  C:\Windows\System\GHZtRpc.exe
  2⤵
  PID:15076
- C:\Windows\System\DskYCWK.exe
  C:\Windows\System\DskYCWK.exe
  2⤵
  PID:15284
- C:\Windows\System\XSZreFC.exe
  C:\Windows\System\XSZreFC.exe
  2⤵
  PID:15312
- C:\Windows\System\hJZGiNB.exe
  C:\Windows\System\hJZGiNB.exe
  2⤵
  PID:14400
- C:\Windows\System\WsmWvny.exe
  C:\Windows\System\WsmWvny.exe
  2⤵
  PID:14640
- C:\Windows\System\KZEHyfF.exe
  C:\Windows\System\KZEHyfF.exe
  2⤵
  PID:14424
- C:\Windows\System\kpJJAsD.exe
  C:\Windows\System\kpJJAsD.exe
  2⤵
  PID:14112
- C:\Windows\System\rVcnexs.exe
  C:\Windows\System\rVcnexs.exe
  2⤵
  PID:14932
- C:\Windows\System\IPMCOjW.exe
  C:\Windows\System\IPMCOjW.exe
  2⤵
  PID:14724
- C:\Windows\System\CsGwuGd.exe
  C:\Windows\System\CsGwuGd.exe
  2⤵
  PID:15048
- C:\Windows\System\SxXismx.exe
  C:\Windows\System\SxXismx.exe
  2⤵
  PID:14968
- C:\Windows\System\KNlrINU.exe
  C:\Windows\System\KNlrINU.exe
  2⤵
  PID:15276
- C:\Windows\System\APnlnij.exe
  C:\Windows\System\APnlnij.exe
  2⤵
  PID:15380
- C:\Windows\System\zercgmo.exe
  C:\Windows\System\zercgmo.exe
  2⤵
  PID:15408
- C:\Windows\System\bUNMrGT.exe
  C:\Windows\System\bUNMrGT.exe
  2⤵
  PID:15432
- C:\Windows\System\GhWlJcx.exe
  C:\Windows\System\GhWlJcx.exe
  2⤵
  PID:15452
- C:\Windows\System\BNHXYBO.exe
  C:\Windows\System\BNHXYBO.exe
  2⤵
  PID:15472
- C:\Windows\System\kBKliLZ.exe
  C:\Windows\System\kBKliLZ.exe
  2⤵
  PID:15504
- C:\Windows\System\fiWBFZj.exe
  C:\Windows\System\fiWBFZj.exe
  2⤵
  PID:15532
- C:\Windows\System\MzIYXfg.exe
  C:\Windows\System\MzIYXfg.exe
  2⤵
  PID:15552
- C:\Windows\System\FkLdAnt.exe
  C:\Windows\System\FkLdAnt.exe
  2⤵
  PID:15580
- C:\Windows\System\MkOZtyY.exe
  C:\Windows\System\MkOZtyY.exe
  2⤵
  PID:15600
- C:\Windows\System\zuxFtxa.exe
  C:\Windows\System\zuxFtxa.exe
  2⤵
  PID:15632
- C:\Windows\System\iXAbVUq.exe
  C:\Windows\System\iXAbVUq.exe
  2⤵
  PID:15648
- C:\Windows\System\DoOiIPd.exe
  C:\Windows\System\DoOiIPd.exe
  2⤵
  PID:15684
- C:\Windows\System\FLsRMeS.exe
  C:\Windows\System\FLsRMeS.exe
  2⤵
  PID:15708
- C:\Windows\System\VQDthcH.exe
  C:\Windows\System\VQDthcH.exe
  2⤵
  PID:15732
- C:\Windows\System\GgfOsJz.exe
  C:\Windows\System\GgfOsJz.exe
  2⤵
  PID:15760
- C:\Windows\System\zGFwmUC.exe
  C:\Windows\System\zGFwmUC.exe
  2⤵
  PID:15796
- C:\Windows\System\CHJXwEF.exe
  C:\Windows\System\CHJXwEF.exe
  2⤵
  PID:15812
- C:\Windows\System\VRfQfKv.exe
  C:\Windows\System\VRfQfKv.exe
  2⤵
  PID:15844
- C:\Windows\System\UhkjfXe.exe
  C:\Windows\System\UhkjfXe.exe
  2⤵
  PID:15868
- C:\Windows\System\NuwTKYb.exe
  C:\Windows\System\NuwTKYb.exe
  2⤵
  PID:15888
- C:\Windows\System\xfERoGu.exe
  C:\Windows\System\xfERoGu.exe
  2⤵
  PID:15924
- C:\Windows\System\siSKRIy.exe
  C:\Windows\System\siSKRIy.exe
  2⤵
  PID:15948
- C:\Windows\System\EvXuDVO.exe
  C:\Windows\System\EvXuDVO.exe
  2⤵
  PID:15972
- C:\Windows\System\JhvZSio.exe
  C:\Windows\System\JhvZSio.exe
  2⤵
  PID:15992
- C:\Windows\System\TlcfZjk.exe
  C:\Windows\System\TlcfZjk.exe
  2⤵
  PID:16016
- C:\Windows\System\JWLrnFa.exe
  C:\Windows\System\JWLrnFa.exe
  2⤵
  PID:16044
- C:\Windows\System\DaVjoLL.exe
  C:\Windows\System\DaVjoLL.exe
  2⤵
  PID:16076
- C:\Windows\System\nDIcQlA.exe
  C:\Windows\System\nDIcQlA.exe
  2⤵
  PID:16092
- C:\Windows\System\piUQjwW.exe
  C:\Windows\System\piUQjwW.exe
  2⤵
  PID:16132
- C:\Windows\System\RpvtUhk.exe
  C:\Windows\System\RpvtUhk.exe
  2⤵
  PID:16156
- C:\Windows\System\PKNxMdl.exe
  C:\Windows\System\PKNxMdl.exe
  2⤵
  PID:16180
- C:\Windows\System\tBCHHiK.exe
  C:\Windows\System\tBCHHiK.exe
  2⤵
  PID:16212
- C:\Windows\System\cbDFVdv.exe
  C:\Windows\System\cbDFVdv.exe
  2⤵
  PID:16248
- C:\Windows\System\VMWCpAz.exe
  C:\Windows\System\VMWCpAz.exe
  2⤵
  PID:16268
- C:\Windows\System\xIghIQf.exe
  C:\Windows\System\xIghIQf.exe
  2⤵
  PID:16296
- C:\Windows\System\TODtFHq.exe
  C:\Windows\System\TODtFHq.exe
  2⤵
  PID:16320
- C:\Windows\System\ppFpYDO.exe
  C:\Windows\System\ppFpYDO.exe
  2⤵
  PID:16344
- C:\Windows\System\kCHIWNy.exe
  C:\Windows\System\kCHIWNy.exe
  2⤵
  PID:16376
- C:\Windows\System\PadEKRn.exe
  C:\Windows\System\PadEKRn.exe
  2⤵
  PID:14852
- C:\Windows\System\nYDhnKy.exe
  C:\Windows\System\nYDhnKy.exe
  2⤵
  PID:13548
- C:\Windows\System\wGziGpq.exe
  C:\Windows\System\wGziGpq.exe
  2⤵
  PID:15484
- C:\Windows\System\VICMSCH.exe
  C:\Windows\System\VICMSCH.exe
  2⤵
  PID:15304
- C:\Windows\System\CXuPcCU.exe
  C:\Windows\System\CXuPcCU.exe
  2⤵
  PID:15572
- C:\Windows\System\GkkHTKo.exe
  C:\Windows\System\GkkHTKo.exe
  2⤵
  PID:15424
- C:\Windows\System\jTJAlHt.exe
  C:\Windows\System\jTJAlHt.exe
  2⤵
  PID:14956
- C:\Windows\System\HdmhSgU.exe
  C:\Windows\System\HdmhSgU.exe
  2⤵
  PID:15676
- C:\Windows\System\rTdxFkZ.exe
  C:\Windows\System\rTdxFkZ.exe
  2⤵
  PID:15744
- C:\Windows\System\aziFton.exe
  C:\Windows\System\aziFton.exe
  2⤵
  PID:15616
- C:\Windows\System\KrCREjg.exe
  C:\Windows\System\KrCREjg.exe
  2⤵
  PID:15444
- C:\Windows\System\adtgVsv.exe
  C:\Windows\System\adtgVsv.exe
  2⤵
  PID:15488
- C:\Windows\System\tIXWFgl.exe
  C:\Windows\System\tIXWFgl.exe
  2⤵
  PID:15776
- C:\Windows\System\GyPBoxp.exe
  C:\Windows\System\GyPBoxp.exe
  2⤵
  PID:16032
- C:\Windows\System\xsHDaDe.exe
  C:\Windows\System\xsHDaDe.exe
  2⤵
  PID:16108
- C:\Windows\System\gKOnLPL.exe
  C:\Windows\System\gKOnLPL.exe
  2⤵
  PID:16144
- C:\Windows\System\kkdwvvW.exe
  C:\Windows\System\kkdwvvW.exe
  2⤵
  PID:16176
- C:\Windows\System\vRkpvxl.exe
  C:\Windows\System\vRkpvxl.exe
  2⤵
  PID:16068
- C:\Windows\System\lbtawOQ.exe
  C:\Windows\System\lbtawOQ.exe
  2⤵
  PID:13420
- C:\Windows\System\fbufaqY.exe
  C:\Windows\System\fbufaqY.exe
  2⤵
  PID:16232
- C:\Windows\System\fVqNfEP.exe
  C:\Windows\System\fVqNfEP.exe
  2⤵
  PID:15364
- C:\Windows\System\vdVRuKW.exe
  C:\Windows\System\vdVRuKW.exe
  2⤵
  PID:16284
- C:\Windows\System\imuGttl.exe
  C:\Windows\System\imuGttl.exe
  2⤵
  PID:15728
- C:\Windows\System\xGdBZqn.exe
  C:\Windows\System\xGdBZqn.exe
  2⤵
  PID:15756
- C:\Windows\System\YjYvSfU.exe
  C:\Windows\System\YjYvSfU.exe
  2⤵
  PID:15628
- C:\Windows\System\abeMuGl.exe
  C:\Windows\System\abeMuGl.exe
  2⤵
  PID:16364
- C:\Windows\System\UPWOXwu.exe
  C:\Windows\System\UPWOXwu.exe
  2⤵
  PID:16412
- C:\Windows\System\IPsqGlb.exe
  C:\Windows\System\IPsqGlb.exe
  2⤵
  PID:16440
- C:\Windows\System\zFURAfK.exe
  C:\Windows\System\zFURAfK.exe
  2⤵
  PID:16464
- C:\Windows\System\VrWxWkX.exe
  C:\Windows\System\VrWxWkX.exe
  2⤵
  PID:16492
- C:\Windows\System\RwVpUfT.exe
  C:\Windows\System\RwVpUfT.exe
  2⤵
  PID:16516
- C:\Windows\System\aQJmiqt.exe
  C:\Windows\System\aQJmiqt.exe
  2⤵
  PID:16548
- C:\Windows\System\GzUreHv.exe
  C:\Windows\System\GzUreHv.exe
  2⤵
  PID:16580
- C:\Windows\System\FtGKfuO.exe
  C:\Windows\System\FtGKfuO.exe
  2⤵
  PID:16604
- C:\Windows\System\ACZPBNV.exe
  C:\Windows\System\ACZPBNV.exe
  2⤵
  PID:16620
- C:\Windows\System\yPCwuCG.exe
  C:\Windows\System\yPCwuCG.exe
  2⤵
  PID:16648
- C:\Windows\System\URZDnWO.exe
  C:\Windows\System\URZDnWO.exe
  2⤵
  PID:16672
- C:\Windows\System\jFdHrCN.exe
  C:\Windows\System\jFdHrCN.exe
  2⤵
  PID:16700
- C:\Windows\System\lQUeShI.exe
  C:\Windows\System\lQUeShI.exe
  2⤵
  PID:16724
- C:\Windows\System\xqRsZxk.exe
  C:\Windows\System\xqRsZxk.exe
  2⤵
  PID:16748
- C:\Windows\System\SKRzfnD.exe
  C:\Windows\System\SKRzfnD.exe
  2⤵
  PID:16768
- C:\Windows\System\jKlvArk.exe
  C:\Windows\System\jKlvArk.exe
  2⤵
  PID:16800
- C:\Windows\System\XGYpEAy.exe
  C:\Windows\System\XGYpEAy.exe
  2⤵
  PID:16828
- C:\Windows\System\BuSnEft.exe
  C:\Windows\System\BuSnEft.exe
  2⤵
  PID:16864
- C:\Windows\System\TeLsCQi.exe
  C:\Windows\System\TeLsCQi.exe
  2⤵
  PID:16888
- C:\Windows\System\fQmkxsR.exe
  C:\Windows\System\fQmkxsR.exe
  2⤵
  PID:16908
- C:\Windows\System\rfYCpsf.exe
  C:\Windows\System\rfYCpsf.exe
  2⤵
  PID:16928
- C:\Windows\System\TsqqmBL.exe
  C:\Windows\System\TsqqmBL.exe
  2⤵
  PID:16952
- C:\Windows\System\nfYAuJt.exe
  C:\Windows\System\nfYAuJt.exe
  2⤵
  PID:16984
- C:\Windows\System\vnMcifv.exe
  C:\Windows\System\vnMcifv.exe
  2⤵
  PID:17008
- C:\Windows\System\gaEUbNp.exe
  C:\Windows\System\gaEUbNp.exe
  2⤵
  PID:17024
- C:\Windows\System\KgKSmvQ.exe
  C:\Windows\System\KgKSmvQ.exe
  2⤵
  PID:17056
- C:\Windows\System\iIKmHtc.exe
  C:\Windows\System\iIKmHtc.exe
  2⤵
  PID:17088
- C:\Windows\System\DmvjOCz.exe
  C:\Windows\System\DmvjOCz.exe
  2⤵
  PID:17112
- C:\Windows\System\PprdWBV.exe
  C:\Windows\System\PprdWBV.exe
  2⤵
  PID:17136
- C:\Windows\System\QxVWiiC.exe
  C:\Windows\System\QxVWiiC.exe
  2⤵
  PID:17152
- C:\Windows\System\IgRwDTd.exe
  C:\Windows\System\IgRwDTd.exe
  2⤵
  PID:16528
- C:\Windows\System\bBYruFz.exe
  C:\Windows\System\bBYruFz.exe
  2⤵
  PID:15876
- C:\Windows\System\nqRbzqp.exe
  C:\Windows\System\nqRbzqp.exe
  2⤵
  PID:17104

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:16088
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:17276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:16640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:16896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17152

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -l WATCHDOG WATCHDOG-20241111-2008.dmp
1⤵
PID:18200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:18300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:16412

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:14700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:18096

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:18108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:17516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:18196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17700

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:8584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8868

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13196

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16120

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:17736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2C1DWAXK\microsoft.windows[1].xml

Filesize
96B

MD5
e348d00fe7b19d8e8f6efc5cd8f3be59

SHA1
de85b87da07da2e4b4215ef312d318f1b329ca6e

SHA256
4ee26da36e3b7d5c9f14f2ed8d6c75c10434acec949dc6e550f176b9acb84dd7

SHA512
a0a9a671e08cb35904098426cf1b50a11d6a0c7be57f684f9808f5c953ac2732dd1f090c3d12260870056a1ee5f9097ad9872715c798fba196d7212a536afcbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133758293482986681.txt

Filesize
75KB

MD5
c91d0affec041692f7a3b14468daefcb

SHA1
be47434a92c4a6f3f21c5a02b63df53cba2c3e52

SHA256
7d464afbbd2028086d1690ec3a145e297612a1b7c40df2774f5d3217270a7334

SHA512
0960289af4f207f09661d987c05cc99e39c5ffcb6d9ffd77c1585d87d9e584e074d8574e35609939d38b72196c79ce67e5f52bcf969dbf4810503a4dde10a8d5

Download Submit
C:\Windows\System\AhKFWNS.exe

Filesize
1.3MB

MD5
97a9cc4b6cc22ee05fdc5a93b64ab3d8

SHA1
d9d8a1d7cd85dd7737ba6e2ce3365ed3c09b448e

SHA256
184272ad09f112a7d451611c4137ea670bad67dd1cebba421fb7e381e691e6d5

SHA512
bd0cade4a7fe32ed6e43aa4dd9c1b1b8308869b5f424b519e1399ee56177c20b9cb3869d18a7b52727d9f11f4d0f9d425b9f3c72ee50200faaf24710218462c5

Download Submit
C:\Windows\System\CbnQQld.exe

Filesize
1.3MB

MD5
e86fdc10369004ec3456c8b74d767f0e

SHA1
69636227fb6d75acf740257169e2527446c7bb1a

SHA256
53b1050078cca9ffd65bbeeae82083cac930b7efabade52bd96eefc47ef9acc1

SHA512
5005ce7d67611f27aaa7f6058bb43579e2cc40e6a1af81538be15bfc5873462ca7e3a9678c7d4cae094d5f0dd741a3ad09d1928306359e81bbf1df842ae783ac

Download Submit
C:\Windows\System\CzNbzmj.exe

Filesize
1.3MB

MD5
ac964cd693c2f2391a4b5b21673256ed

SHA1
135e6e5594e0101ee41f0901bcaac053422cd133

SHA256
4fdfd93cc9a8ff116db0bb71d39855e6540d053d99aef9e6c0b835a3e617dec1

SHA512
891168a03879b49c4d55b047679187adfdb04a2f5832a6e33db24abfddc2adf0f5c91b367f0ab220b910f2636a867b22f1ad600222ae93eb55fee114e7fab18d

Download Submit
C:\Windows\System\GMPjZNw.exe

Filesize
1.3MB

MD5
ac59a491398b6c67edaaf04b5ad9ea82

SHA1
70f5b7e58f8adcf518131958b5257c1878fdb145

SHA256
f950f14c7154b33b074952dc26db34dde4ff16df946b4f3d65b47f564214b084

SHA512
01ecff9a395e5e873947c60673f3bc3a7de6187fc43a8fa16be6fd0f26a9c3fd98bb1afd14b353eef3eb8319860eb76071d92777d3615544e0fd1c8d9016f7c1

Download Submit
C:\Windows\System\HczbJFU.exe

Filesize
1.3MB

MD5
cc33c0d7a10266737a8315f4f6ecd183

SHA1
32f3c757ff1f8c680e5232fff7ef38868b5433c8

SHA256
f36c781119aafc7b4890047eec62a8c9f57a7f32e31af48f4afc31e0324589c5

SHA512
55d6027f56700d9cf6062854c9d42d4e5baf0ff0c6e98f2142c69597810d29aca994fa002bf07679dbdba9c4e2c57dc27b05b605539d6d4fd627cb297ef1859a

Download Submit
C:\Windows\System\IxUPKkT.exe

Filesize
1.3MB

MD5
09db9467e0e3a6d31c04396f56b777e2

SHA1
964f43098dc33a81b603785decd50d7adba64f9c

SHA256
656fbd24b53271a9f5965d5f18b7ad71fd7b200b0feca6eaba1b65364cb1043f

SHA512
36fcf61d5f17c647da6d70f038112205424299648032b9b22b1460cf1b86ea533fdad40f0f95642cb3f4352816669206c4308980798268540059b7c4c9a8d9b4

Download Submit
C:\Windows\System\KmWiABY.exe

Filesize
1.3MB

MD5
5aa73db4e6f4b0d89f28f37660086e2b

SHA1
6a83909885300b6eb13a2a4e11f59104bb24f7fd

SHA256
e285d3c1edefbf4bd1cb5f8b4fde6e50a2093ff186ddd806ffc6281588d3b0e3

SHA512
aa099dbb17f8a3ba1f5bacc0f7a8822c199df4c98c584c036b0979ff7dacc21c492d85cc8c62f5b45b99ea83b7809753e9cfbd27de99f85686474466c0577715

Download Submit
C:\Windows\System\LBmnpVg.exe

Filesize
1.3MB

MD5
b08646d9b0211805b0f07010715f0e30

SHA1
f515a22767c8e49244406007f50793ab7e5323a0

SHA256
0397cdf6c92339b0ec78fe56474eab9be4337b2fd685291774c23e72d84bbba7

SHA512
a8552cc38f6ae6c86d9d98c1224f60ef74075d818a665d8751b29908002b5acafc1e3aea68fdc4493be5f42eb4696f51a3d8ed3697db6340308366bc9cef230d

Download Submit
C:\Windows\System\LRSbuju.exe

Filesize
1.3MB

MD5
73146844bec25a2b52f7c9de34bf927e

SHA1
a868fa0625c3bac7ddd785906758f9b6a4666b5a

SHA256
f74ee577892e6bff0a6f11796e32d4201f2b38c72693c18f09a4c9380d2219c3

SHA512
8335969278b8be5e084fde8f94aa0779c2dfc5440710c53d51b70618eb454887d01baf72290630ee030dad9dc122c9974c0717f63ea043d55003065065e6dde8

Download Submit
C:\Windows\System\NihvcoV.exe

Filesize
1.3MB

MD5
e74d9a3213b3591f48006edbd4bb4766

SHA1
f2b02c5c225f1a6a7466e250309ca15cee15fdf2

SHA256
0b10d677c6735d2778e4abfcc34c6641241e149174c80b318e456cdeb2bb50e4

SHA512
8d9bef52b8ce2b5860699b45bb0c475da01c9c052e5225d31e11f319824a1f50da591e83371bba760ae3152dc4b9bbda416e61992fa0bede164ff2d3ba68a2d2

Download Submit
C:\Windows\System\NvXyzEI.exe

Filesize
1.3MB

MD5
3b662a38f51fba6620eabf95bb58ecc2

SHA1
fd3b4e64433f346ea3265d431b2b3cec8e52f6eb

SHA256
0ddf5329bb2fa3655303a1d98737f1d21be404651c47bc4577615fcfed0c9e57

SHA512
bf27c670a2c23d194f4de306f43d88f33928b4e444bf55c85b89eef4e86373c08ae6ebf246bada6aa0cb42a06b8b7078d333b24e476da5730627035e7bf05c86

Download Submit
C:\Windows\System\PPVXffZ.exe

Filesize
1.3MB

MD5
ac043797fbabc512fd8ea563ef34442e

SHA1
91dd8bd4cda9d9c81811338d2e2e01544a258ee7

SHA256
615587d87ca8c013be0c4a174ad0cf41293b154348ed7bc55f02cd70e994044d

SHA512
d750791789482d027fe7b886573a1374ee1477d489aae1ebc078e1bb23f482461eb529f46d314af8732695fc9d0fe7b8c696512ce5e33c8539eea80b1d8a0fe2

Download Submit
C:\Windows\System\QUWQKpM.exe

Filesize
1.3MB

MD5
4831832aa6a1e7c5f2ff1faf9282358f

SHA1
aedd08e2d278427e2d7414522ae64609b9ab950d

SHA256
a0229694f23bcb2bf9509ccba45cf7bc9fbc0d494106bf366f83fea1ddccd359

SHA512
21ac28597efd404c8bcfec0a9e82850e6a1bd240b2cd96173f63db8acbbd6788e85f92630c7973b4f95859c07ce46ac08b810e0c640187d007e034b8ee26ff2f

Download Submit
C:\Windows\System\TChZkCW.exe

Filesize
1.3MB

MD5
7e7bc310db8040e42340d0a2ebafc071

SHA1
9a515fae1df5c68ad717d1a83db33e3b3b9f116f

SHA256
cf92e65dfaa7ebd78d722951db3f91d492ba7111b543eafaae081fc5b8196d1a

SHA512
f580876f22bc5e5654539ddf872492ed243222129dd50cc3edb064d500cf723068eaa5aeb25b13ceb29630bf9adad49cbb031cf1ebf67c6cfb883435fecfd129

Download Submit
C:\Windows\System\TcPBhhq.exe

Filesize
1.3MB

MD5
17e0859bb788b7ef19b212a35188b3a5

SHA1
3474c0689fd0d3b09d17b830171051a872654d41

SHA256
1d91804aa17c994a1d91d63383a24903ff1dafaf9f44cb8d61bda5a3f017dc44

SHA512
d65d7a1eca3b5e1d7a9dddf9e5b3c69b30607077be53ba743fbd491eaa25cf5231331e484bb0e767155f09db68f0654e78db1d596bd163cef6ca8f841bd7f351

Download Submit
C:\Windows\System\UaVBTvM.exe

Filesize
1.3MB

MD5
dbde720a466cb338bd50d12423b3a830

SHA1
91327bff10851960de3675f821bc8fd862eea686

SHA256
bc61370e58ce2214036802b1391b60cd9360e75bc0f1a1090ebc9f5b9ea9c3ff

SHA512
a7374a6822e27d404e0df4286ec2098af19465192f3af08732076d9d37dfb3e837d4c434bdc1b803d41240b5a25e4cc4f0749535994deb14de92f32c8b7df778

Download Submit
C:\Windows\System\YYibNmn.exe

Filesize
1.3MB

MD5
5b6ebfeec6d7a406ddf499f91bd5b76b

SHA1
00ae475fa8dc608b21cbd3c8033399d4239b71a2

SHA256
22549911ea2e2d5abfe3aa90ab0c4fc1e9c9b07f32d01a248eb868e3105f017d

SHA512
74151e998dffbe553a8ed83784012d575e4daf672ee7ddd2d2c2f3ca1661a49d780254f114fe00015ae1453dc479b4501000b0f95b457238cf30d0cac6c363be

Download Submit
C:\Windows\System\ZwuuiNd.exe

Filesize
1.3MB

MD5
b775aa815faa39df6fade01b088d55ea

SHA1
d0a8515a54540e4cdd032bfe1b7ab45e2b1e32be

SHA256
062beba1678d8abcca7735f54f67ec08123c970c5a2dfe104e0d4d534dd4f4b8

SHA512
19f4d196dc3802542c2734bb677e7b8d6755359cd409d3ea124bcd575da2e708c2b2ca623244f7314e9447515dd8ec7b31aad0d1e0cf99fd5843bbf5df2ec40d

Download Submit
C:\Windows\System\brTzzAm.exe

Filesize
1.3MB

MD5
124a079e2bb929ef231413a04decce1a

SHA1
a0d0ad5a659b2bf92cfe1231492d415427aae8f2

SHA256
d04fb8bbf6464d1d275aa1745afdcc34aaaf038771bb5e0884fc8de36654d8d4

SHA512
f5f20f1d75c60dff111ad0f0da319b7a3b82c691d032fe3c56729e8601fdba2b92ed5086964994821d0d33bd33cbf7a05e108cefe215b94cf35444aafd4dd599

Download Submit
C:\Windows\System\bsfQFaB.exe

Filesize
1.3MB

MD5
7418c2c75610990706924e9234b23d04

SHA1
bddea70373584306b73fd896629ddea066209e87

SHA256
451250aa68d72a7b4610235f1a25039497810ef9960c3411c69a8deeb9dc82e0

SHA512
e1c4995872f91a77a6d18929cd5ed632e5ccb17ab3abadecd31a7bc5a29746c60002ae8be8c1e607d237d723fe41729ec22aab4ab28208c3b5e33b892e40b27b

Download Submit
C:\Windows\System\cSvjfwy.exe

Filesize
1.3MB

MD5
4a88e6f42c47daa5648d8043b2551851

SHA1
ce94a9fd182da8aa72cb97a50a60b24af618773e

SHA256
d3a1cfea9279d248f2f0d8333bd5e99e7b7e74dc7a182b0aebd1429632b05d4b

SHA512
2957b05bab5d44352250db7b4c2d148fe873c4db889fb9f86474a58fb9911df305b7fb06d79ca0f9494aaa269fa1af7e61da9ba8fb2e04b8bb1bf46f4825d2bf

Download Submit
C:\Windows\System\chElttx.exe

Filesize
1.3MB

MD5
5453bc6c37495aaeab52aff8fbad2d42

SHA1
7e7a2cd64c4e26d5ff7de122bc4dc1f96591b5b5

SHA256
fcb82d7dd0f9d581a5c1c3237056d5e8ca7147799fac53ef64adf8327ae8375d

SHA512
998415ce45f820821d8addcbace9573f28c331859ddba43647f7b963d93a99ae0c699896ecb429c7b3d84d31687e4badf7b49dbcf6e6a7d52eeddd6217b032d1

Download Submit
C:\Windows\System\dKGLyct.exe

Filesize
1.3MB

MD5
b86fbd94fd2660c1cce0f2a29ed2aff5

SHA1
b8e1b42b0e569197667175383fc339cb456ebf5f

SHA256
142617dcae282a99b8c5fc310996745e5c7f43d636c6631987f192874f2a6e7d

SHA512
9d1861d4fafd84bd21ff640cd660330acf3a80841aa124204ec806482907bbf4db8bde5d016e6c36020f3ff9f14467a6974c6d1a3bde2c27fd52c6a996814e58

Download Submit
C:\Windows\System\gTCHMHl.exe

Filesize
1.3MB

MD5
b2a3d589fd5bf9359e94edd3b961d6be

SHA1
b99d04c042b42d2be507e5475bbc57ae2a203fef

SHA256
4e7f1681e026272c8d3944b48d98e702e6cc7bb05908ee790f476176c4bc9ffb

SHA512
65a291e2dbe67774d62b0f9f155c6f3bc0a863a09afe9b5668fca00eef3826dd93cbb4442b1a2d170472c366d44cc1103e469a74bebe5fc5d12f092d0f6c302c

Download Submit
C:\Windows\System\ghtazEI.exe

Filesize
1.3MB

MD5
42969988ed4c222815de358d87428ddf

SHA1
25379e7fae91db8d0535ad5bd9cb7ef887a85e64

SHA256
cdc662572e164763f8110ca2e959a2cc66885cd2b69c4d038dd3911842dec907

SHA512
8e78f1657b59b3d233d4eaeb551225411f5e606d05e4a992cd78aa58d7ea7ab5673692a07c99ae62072f92dce3a9315869a504068c9817c9452ed188360ab48e

Download Submit
C:\Windows\System\mowzBlc.exe

Filesize
1.3MB

MD5
61d2f5f102be0b62a7596c70b9a93fc5

SHA1
367a8a22f35db5d779492ff1011443be88cd0137

SHA256
53f387056e71b87ba8d19edbe4cdd85996510b885e147835882cbc3b5ef9e9cf

SHA512
0fa8c452de15d49ae20d505957f0867a4325262e8c4d164ada28bb6eea35fddd8c529cb6046e54fee411bc21db70a02f7ed70c6f677dd024e557e139d3832c8d

Download Submit
C:\Windows\System\qUpavfI.exe

Filesize
1.3MB

MD5
f1a0e145580b11cbce7157bac463e00b

SHA1
3aced8bcd0c77e0ae09aa9401a748956fbbb60c9

SHA256
1203f7937f19bd4009a5e69f1e5ffc8a1b2d72e1769cbf3766cc7f696142357b

SHA512
c71e555cd008831a3c3cf21deae83eb1e6c60035fe3cafcb82dfe41dbedb1cdedfdb3253fca64d6296a4952e6cd527613f800f6fd9b64bd8085e51c07ed7a331

Download Submit
C:\Windows\System\qnwymDW.exe

Filesize
1.3MB

MD5
a54244f125671f7030ff31dd1a076fc7

SHA1
e58f9c9ae1412827fa8e96e94929dcf622b0a283

SHA256
e0c31cfa85d25e8cba8f7b065882f17d8fddb63e65b089f1f33bbb29cf2555b8

SHA512
81c046dae619fdc4aca98dea2656ae35a9dd162cef303516bd2d43da64a2c0bb49d57e7d6c34a6d2b40f97f3fe4dee0c8eb26b7d52488f6e7656314cf77abc52

Download Submit
C:\Windows\System\rHjVopi.exe

Filesize
1.3MB

MD5
5895946e7f79439b92a91efc921a9184

SHA1
f9dc5712669b3b710f52834a6f9e5fb0a4858d2e

SHA256
0e02e22c1ecb7502fa9d5f00c5ec503a8caa4a4d9fd83b559f7e4d968046e43a

SHA512
81b3a1c02ea1b8af591a0a670d665237adcaa4bdf43ea9f54eed92e0399aac686c31fbddc3c2d4225c4ecb050dade43fc252769c7148244c48a3d12533aee039

Download Submit
C:\Windows\System\sDNZRKa.exe

Filesize
1.3MB

MD5
8eb2528a3739681c79914de2c299eb21

SHA1
a1dba97134cb909e3433bad5dddebc77163adca6

SHA256
4330be3a145699c7860ecb305ec710faadd3f1899a7e29270cf60a59ba32780b

SHA512
ed6a77c1d3921182d4a407a7604afbe8d1c894e52bb8828ab182b80043af9918027f0cc45093c02585c1bf265b3a399938083459e17c409bb88f55d48a39c420

Download Submit
C:\Windows\System\uVRONWu.exe

Filesize
1.3MB

MD5
69772594456744194041e23a47267ded

SHA1
3aa5cdae8a7841605f5e5390853107551a9fa53c

SHA256
c2bdeaaec4e20bebcbbaefd72fea734daa9581c04f0092f684536e5da3a288a8

SHA512
aa0fdf7791ce7bd30f4f58fe3d3c8d6e2a3b674746375647cfc6d07cfe3949bde16698d5cbaf0df5293a4ae1cb3a2d4ad40977a26c646df770e001567f084165

Download Submit
C:\Windows\System\uulcBUV.exe

Filesize
1.3MB

MD5
49049ba68721270a3dd770283e0450a5

SHA1
ba0a78fe6256bedd23480c5756240af080c790cf

SHA256
a0b7013538c18fe891a52e8ff85387c9935a553dd471e649bf99cdbcde36f42e

SHA512
aa3c6db178ffdd9318f80512aa04d8efe9bb959bc72661394ac9aea72b84c3ca09242eda8a1f96eaa0fb9fa5658adbe873e614bfaba3537fc40e455cc757bcc7

Download Submit
C:\Windows\System\vOjZZDB.exe

Filesize
1.3MB

MD5
707c27262e0ab87b8e7813bad0159072

SHA1
336a29d7874e9ecfc275630133f879a5410cd3f4

SHA256
29fff0900c24aa82089570677e90262b4f4e8c619e7ca0a8cad6d756ca5568da

SHA512
28ffd4d13e1f4abaae1e0284ac4f730c0045ee91914e000d65f28ba8d967e2560fdbcb9a18dab6cb1ee85377cce15307116afa9c1a801b3ffcafe16aaf1c5b9b

Download Submit
C:\Windows\System\vshShIK.exe

Filesize
1.3MB

MD5
31fd2b0f5e8c874cc7b0af1622c9e334

SHA1
8a4313e0e88d6b638270d8f0d6cd77b470629da3

SHA256
287bd05362b20b69203905c70d619d4c4b82e52ccadee99f195009bb5124df8a

SHA512
cc25381d54a27d7bc7dff7f0f8c986ce91ee0e446964a0c8f05f2dafa157ff263f8955da0df082498da41d3b93568ce62dda76657736baeb73978de0119af06c

Download Submit
C:\Windows\System\wwDtYOR.exe

Filesize
1.3MB

MD5
1216a4927a8e8aaf7e1a5682eda6c561

SHA1
9d8df69ceb482dad4c8118286292e615806a9055

SHA256
e520888565c11485366f4d8fd5d27033bcbaafceee92822ea85f2158249f15f0

SHA512
daba90756ec5eea5f131a8eb114b680fb732255a07986dfde1b03aeac12c727448fc4a5a46b1c5688d0b17178f2c4dc8dbdca2d7030f1c2e823a80ead945ba7f

Download Submit
C:\Windows\System\yNuTRyI.exe

Filesize
1.3MB

MD5
18564411fc232e8a68692448504dde2f

SHA1
6392ebf2883acccfc10badb9f6bf3c4b62dd3356

SHA256
1d39afbd522423d63aa90d943820872279531f9d6497763ae3b7aa9f424770d1

SHA512
bea198a5f248b0c823f58503324aa0395ffca28b92cbf1424ceb7d15f703db4d193271e534e31cea964f88592173fc5d63cf2bb8a5d2afebb968e784f23163f6

Download Submit
C:\Windows\System\ysyLdXL.exe

Filesize
1.3MB

MD5
2be979bfdd59b0f8d1cdfc11ee4410db

SHA1
302fc3ca04bc283422f41f0290b879ac2109708a

SHA256
fc9524633b650de70ec0a2d59f2f64de1602356333b56869c67fb28b6b615e40

SHA512
acbcfc7aa149a61339d6760a4f8391a370d51ab3306d7c0f38ffb986c36fbafc586e241d6ce9377b0cd018e6e47a03080faab08bffb0660ec6696707f4a3aadc

Download Submit
memory/1508-0-0x000002128A240000-0x000002128A250000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads