xmrig | dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e

Analysis

max time kernel
33s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
Size

1.6MB
MD5

dd9ccb02ae6a2de752f3cc62a492ce1a
SHA1

1012e5a8adab1b2b594c715111790b6f24b1f1e7
SHA256

dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e
SHA512

b7025022482eaf42dc27e82a437515797d92a46468b09725fbe7a0be9e831d15dde4c6fe412fd5d84c50307bdd20057a386e2995bc820163f1dadb9b8c586961
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9ozttwIRxj4c5yOBZb5:GemTLkNdfE0pZy3

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\System\XIQTKvp.exe	xmrig
C:\Windows\System\kllnnMB.exe	xmrig
C:\Windows\System\SVwTyDc.exe	xmrig
C:\Windows\System\XNZozBh.exe	xmrig
C:\Windows\System\SoMEyTo.exe	xmrig
C:\Windows\System\rdUlLUg.exe	xmrig
C:\Windows\System\xfcncwX.exe	xmrig
C:\Windows\System\XwvWYpB.exe	xmrig
C:\Windows\System\tVcWduu.exe	xmrig
C:\Windows\System\WKzvcyR.exe	xmrig
C:\Windows\System\xmwcSAh.exe	xmrig
C:\Windows\System\MGjlHQJ.exe	xmrig
C:\Windows\System\HlLjrvk.exe	xmrig
C:\Windows\System\jaaEZEo.exe	xmrig
C:\Windows\System\eQZJZxp.exe	xmrig
C:\Windows\System\qSeeThc.exe	xmrig
C:\Windows\System\OzZVbrr.exe	xmrig
C:\Windows\System\wZMOMMY.exe	xmrig
C:\Windows\System\AwTTQHk.exe	xmrig
C:\Windows\System\YToTVNM.exe	xmrig
C:\Windows\System\TDJSPeY.exe	xmrig
C:\Windows\System\vLMBWxc.exe	xmrig
C:\Windows\System\mdKcVVh.exe	xmrig
C:\Windows\System\yivTLxe.exe	xmrig
C:\Windows\System\uuWJTDw.exe	xmrig
C:\Windows\System\DbTdfJO.exe	xmrig
C:\Windows\System\qtaTEra.exe	xmrig
C:\Windows\System\SGrXxXx.exe	xmrig
C:\Windows\System\wrmalcA.exe	xmrig
C:\Windows\System\pPxlQpK.exe	xmrig
C:\Windows\System\BfVJJSr.exe	xmrig
C:\Windows\System\YpFKiuq.exe	xmrig
C:\Windows\System\YglWFnA.exe	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

XIQTKvp.exeSVwTyDc.exekllnnMB.exeYglWFnA.exeXNZozBh.exeSoMEyTo.exeeQZJZxp.exeYpFKiuq.exeBfVJJSr.exepPxlQpK.exerdUlLUg.exexfcncwX.exeXwvWYpB.exetVcWduu.exewrmalcA.exeWKzvcyR.exeSGrXxXx.exeqtaTEra.exexmwcSAh.exeDbTdfJO.exeMGjlHQJ.exeuuWJTDw.exeyivTLxe.exemdKcVVh.exevLMBWxc.exeTDJSPeY.exeHlLjrvk.exejaaEZEo.exeYToTVNM.exeAwTTQHk.exeOzZVbrr.exewZMOMMY.exeqSeeThc.exeNMMeGHa.exeEVUvAsE.exemszkbcC.exerzoTBYy.exexbiKnsL.exeEBPkwfR.exetQUcmQe.exenyXJyTH.exexOXgTpV.exeuYCTOrx.exeJReVVoi.exeMVmvyXZ.exesKsDWMF.exeEwaoPfM.exePRlYfVw.exeycGUVpa.exeMIhWQXy.exeAHfJMJf.exebZSaArv.exeOuIqUtG.exefljlzES.exeumAGlqa.exeugRChoH.exeYDNUEgM.exeneruYzD.exenhRdYDh.exebJzgnJk.exebJKknMb.exeYoTgYIT.exevAotznl.exevOMMOpw.exe

pid	process
4808	XIQTKvp.exe
2016	SVwTyDc.exe
216	kllnnMB.exe
3988	YglWFnA.exe
3440	XNZozBh.exe
4872	SoMEyTo.exe
2856	eQZJZxp.exe
1100	YpFKiuq.exe
4960	BfVJJSr.exe
2328	pPxlQpK.exe
5088	rdUlLUg.exe
3960	xfcncwX.exe
2232	XwvWYpB.exe
868	tVcWduu.exe
3388	wrmalcA.exe
3680	WKzvcyR.exe
4712	SGrXxXx.exe
8	qtaTEra.exe
3660	xmwcSAh.exe
4652	DbTdfJO.exe
3520	MGjlHQJ.exe
2352	uuWJTDw.exe
4540	yivTLxe.exe
1212	mdKcVVh.exe
2344	vLMBWxc.exe
2624	TDJSPeY.exe
5000	HlLjrvk.exe
2324	jaaEZEo.exe
2076	YToTVNM.exe
3676	AwTTQHk.exe
1072	OzZVbrr.exe
2192	wZMOMMY.exe
2160	qSeeThc.exe
3120	NMMeGHa.exe
2224	EVUvAsE.exe
1496	mszkbcC.exe
940	rzoTBYy.exe
1044	xbiKnsL.exe
440	EBPkwfR.exe
4804	tQUcmQe.exe
2980	nyXJyTH.exe
1988	xOXgTpV.exe
2968	uYCTOrx.exe
4064	JReVVoi.exe
4380	MVmvyXZ.exe
4524	sKsDWMF.exe
1872	EwaoPfM.exe
2208	PRlYfVw.exe
3124	ycGUVpa.exe
4188	MIhWQXy.exe
4364	AHfJMJf.exe
2600	bZSaArv.exe
2188	OuIqUtG.exe
4696	fljlzES.exe
4428	umAGlqa.exe
2348	ugRChoH.exe
64	YDNUEgM.exe
3976	neruYzD.exe
1480	nhRdYDh.exe
5052	bJzgnJk.exe
3824	bJKknMb.exe
3092	YoTgYIT.exe
2668	vAotznl.exe
1268	vOMMOpw.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe

description	ioc	process
File created	C:\Windows\System\vQZuIHc.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\XtHCiph.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\KXplYyw.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\fljlzES.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\cmDHVsT.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\EzMZHnx.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\DtOQGNl.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\JyVdtkE.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\VdVitcp.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\AHbvVBV.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\viBxvqL.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\kTuLswQ.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\vPUInUP.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\pwJuWSK.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\etHbFUb.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\xZeuYny.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\rMQlutD.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\sKsDWMF.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\BUkCgaJ.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\RUNFHMM.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\nOUYBAG.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\ESNdWNb.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\Fkwkdvh.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\jzvRqRR.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\vSJwfDh.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\HNSEHnQ.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\pbchYId.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\NORygen.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\MGjlHQJ.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\YoTgYIT.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\KjMynce.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\EBPkwfR.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\PrjlMyN.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\OHiWYYl.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\uxxBbPg.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\IuvyhuG.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\ZSGgkFw.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\VYnjpoA.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\ZYvbuIK.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\AYXgIcE.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\TaOkBjb.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\BAAOQPo.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\bhtVOVc.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\KwWAvht.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\pbQgyBl.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\zQJwASm.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\cNwIJMC.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\BydfygU.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\CRTIgdI.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\jssKniM.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\ZdyqFye.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\ZfzRjMH.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\vZpcRSO.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\PQwtdzF.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\qFRvORi.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\WNVSvXW.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\jysGYpb.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\SRVExEt.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\OABfZvt.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\kLoDtse.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\FDkLLRn.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\LKNOPJl.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\tWyPqVC.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
File created	C:\Windows\System\OYFvHEK.exe	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies registry class 20 IoCs

Processes:

explorer.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{98F60924-9B7E-4799-9E55-6ED89D313C56}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{57641CB3-E7F9-4F53-8E4D-588E5A93AB38}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	16984	explorer.exe
Token: SeCreatePagefilePrivilege	16984	explorer.exe
Token: SeShutdownPrivilege	15376	explorer.exe
Token: SeCreatePagefilePrivilege	15376	explorer.exe
Token: SeShutdownPrivilege	15376	explorer.exe
Token: SeCreatePagefilePrivilege	15376	explorer.exe
Token: SeShutdownPrivilege	15376	explorer.exe
Token: SeCreatePagefilePrivilege	15376	explorer.exe
Token: SeShutdownPrivilege	15376	explorer.exe
Token: SeCreatePagefilePrivilege	15376	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
17108	sihost.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
16984	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe
15376	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

17016 StartMenuExperienceHost.exe

pid	process
17016	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe

description	pid	process	target process
PID 3248 wrote to memory of 4808	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XIQTKvp.exe
PID 3248 wrote to memory of 4808	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XIQTKvp.exe
PID 3248 wrote to memory of 2016	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SVwTyDc.exe
PID 3248 wrote to memory of 2016	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SVwTyDc.exe
PID 3248 wrote to memory of 216	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	kllnnMB.exe
PID 3248 wrote to memory of 216	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	kllnnMB.exe
PID 3248 wrote to memory of 3988	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YglWFnA.exe
PID 3248 wrote to memory of 3988	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YglWFnA.exe
PID 3248 wrote to memory of 3440	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XNZozBh.exe
PID 3248 wrote to memory of 3440	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XNZozBh.exe
PID 3248 wrote to memory of 4872	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SoMEyTo.exe
PID 3248 wrote to memory of 4872	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SoMEyTo.exe
PID 3248 wrote to memory of 2856	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	eQZJZxp.exe
PID 3248 wrote to memory of 2856	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	eQZJZxp.exe
PID 3248 wrote to memory of 1100	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YpFKiuq.exe
PID 3248 wrote to memory of 1100	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YpFKiuq.exe
PID 3248 wrote to memory of 4960	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	BfVJJSr.exe
PID 3248 wrote to memory of 4960	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	BfVJJSr.exe
PID 3248 wrote to memory of 2328	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	pPxlQpK.exe
PID 3248 wrote to memory of 2328	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	pPxlQpK.exe
PID 3248 wrote to memory of 5088	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	rdUlLUg.exe
PID 3248 wrote to memory of 5088	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	rdUlLUg.exe
PID 3248 wrote to memory of 3960	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	xfcncwX.exe
PID 3248 wrote to memory of 3960	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	xfcncwX.exe
PID 3248 wrote to memory of 2232	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XwvWYpB.exe
PID 3248 wrote to memory of 2232	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	XwvWYpB.exe
PID 3248 wrote to memory of 868	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	tVcWduu.exe
PID 3248 wrote to memory of 868	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	tVcWduu.exe
PID 3248 wrote to memory of 3388	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	wrmalcA.exe
PID 3248 wrote to memory of 3388	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	wrmalcA.exe
PID 3248 wrote to memory of 3680	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	WKzvcyR.exe
PID 3248 wrote to memory of 3680	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	WKzvcyR.exe
PID 3248 wrote to memory of 4712	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SGrXxXx.exe
PID 3248 wrote to memory of 4712	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	SGrXxXx.exe
PID 3248 wrote to memory of 8	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	qtaTEra.exe
PID 3248 wrote to memory of 8	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	qtaTEra.exe
PID 3248 wrote to memory of 3660	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	xmwcSAh.exe
PID 3248 wrote to memory of 3660	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	xmwcSAh.exe
PID 3248 wrote to memory of 4652	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	DbTdfJO.exe
PID 3248 wrote to memory of 4652	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	DbTdfJO.exe
PID 3248 wrote to memory of 3520	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	MGjlHQJ.exe
PID 3248 wrote to memory of 3520	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	MGjlHQJ.exe
PID 3248 wrote to memory of 2352	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	uuWJTDw.exe
PID 3248 wrote to memory of 2352	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	uuWJTDw.exe
PID 3248 wrote to memory of 4540	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	yivTLxe.exe
PID 3248 wrote to memory of 4540	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	yivTLxe.exe
PID 3248 wrote to memory of 1212	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	mdKcVVh.exe
PID 3248 wrote to memory of 1212	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	mdKcVVh.exe
PID 3248 wrote to memory of 2344	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	vLMBWxc.exe
PID 3248 wrote to memory of 2344	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	vLMBWxc.exe
PID 3248 wrote to memory of 2624	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	TDJSPeY.exe
PID 3248 wrote to memory of 2624	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	TDJSPeY.exe
PID 3248 wrote to memory of 5000	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	HlLjrvk.exe
PID 3248 wrote to memory of 5000	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	HlLjrvk.exe
PID 3248 wrote to memory of 2324	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	jaaEZEo.exe
PID 3248 wrote to memory of 2324	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	jaaEZEo.exe
PID 3248 wrote to memory of 2076	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YToTVNM.exe
PID 3248 wrote to memory of 2076	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	YToTVNM.exe
PID 3248 wrote to memory of 3676	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	AwTTQHk.exe
PID 3248 wrote to memory of 3676	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	AwTTQHk.exe
PID 3248 wrote to memory of 1072	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	OzZVbrr.exe
PID 3248 wrote to memory of 1072	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	OzZVbrr.exe
PID 3248 wrote to memory of 2192	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	wZMOMMY.exe
PID 3248 wrote to memory of 2192	3248	dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe	wZMOMMY.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe
"C:\Users\Admin\AppData\Local\Temp\dae79a102df6567ebfd911d1580d1ee86d33fe2fd7c53ebed0839e9a3dcd7e3e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System\XIQTKvp.exe
  C:\Windows\System\XIQTKvp.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\SVwTyDc.exe
  C:\Windows\System\SVwTyDc.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\kllnnMB.exe
  C:\Windows\System\kllnnMB.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\YglWFnA.exe
  C:\Windows\System\YglWFnA.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\XNZozBh.exe
  C:\Windows\System\XNZozBh.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\SoMEyTo.exe
  C:\Windows\System\SoMEyTo.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\eQZJZxp.exe
  C:\Windows\System\eQZJZxp.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\YpFKiuq.exe
  C:\Windows\System\YpFKiuq.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\BfVJJSr.exe
  C:\Windows\System\BfVJJSr.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\pPxlQpK.exe
  C:\Windows\System\pPxlQpK.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\rdUlLUg.exe
  C:\Windows\System\rdUlLUg.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\xfcncwX.exe
  C:\Windows\System\xfcncwX.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\XwvWYpB.exe
  C:\Windows\System\XwvWYpB.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\tVcWduu.exe
  C:\Windows\System\tVcWduu.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\wrmalcA.exe
  C:\Windows\System\wrmalcA.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\WKzvcyR.exe
  C:\Windows\System\WKzvcyR.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\SGrXxXx.exe
  C:\Windows\System\SGrXxXx.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\qtaTEra.exe
  C:\Windows\System\qtaTEra.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\xmwcSAh.exe
  C:\Windows\System\xmwcSAh.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\DbTdfJO.exe
  C:\Windows\System\DbTdfJO.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\MGjlHQJ.exe
  C:\Windows\System\MGjlHQJ.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\uuWJTDw.exe
  C:\Windows\System\uuWJTDw.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\yivTLxe.exe
  C:\Windows\System\yivTLxe.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\mdKcVVh.exe
  C:\Windows\System\mdKcVVh.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\vLMBWxc.exe
  C:\Windows\System\vLMBWxc.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\TDJSPeY.exe
  C:\Windows\System\TDJSPeY.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\HlLjrvk.exe
  C:\Windows\System\HlLjrvk.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\jaaEZEo.exe
  C:\Windows\System\jaaEZEo.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\YToTVNM.exe
  C:\Windows\System\YToTVNM.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\AwTTQHk.exe
  C:\Windows\System\AwTTQHk.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\OzZVbrr.exe
  C:\Windows\System\OzZVbrr.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\wZMOMMY.exe
  C:\Windows\System\wZMOMMY.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\qSeeThc.exe
  C:\Windows\System\qSeeThc.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\NMMeGHa.exe
  C:\Windows\System\NMMeGHa.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\EVUvAsE.exe
  C:\Windows\System\EVUvAsE.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\mszkbcC.exe
  C:\Windows\System\mszkbcC.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\rzoTBYy.exe
  C:\Windows\System\rzoTBYy.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\xbiKnsL.exe
  C:\Windows\System\xbiKnsL.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\EBPkwfR.exe
  C:\Windows\System\EBPkwfR.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\tQUcmQe.exe
  C:\Windows\System\tQUcmQe.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\nyXJyTH.exe
  C:\Windows\System\nyXJyTH.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\xOXgTpV.exe
  C:\Windows\System\xOXgTpV.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\uYCTOrx.exe
  C:\Windows\System\uYCTOrx.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\JReVVoi.exe
  C:\Windows\System\JReVVoi.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\MVmvyXZ.exe
  C:\Windows\System\MVmvyXZ.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\sKsDWMF.exe
  C:\Windows\System\sKsDWMF.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\EwaoPfM.exe
  C:\Windows\System\EwaoPfM.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\PRlYfVw.exe
  C:\Windows\System\PRlYfVw.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\ycGUVpa.exe
  C:\Windows\System\ycGUVpa.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\MIhWQXy.exe
  C:\Windows\System\MIhWQXy.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\AHfJMJf.exe
  C:\Windows\System\AHfJMJf.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\bZSaArv.exe
  C:\Windows\System\bZSaArv.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\OuIqUtG.exe
  C:\Windows\System\OuIqUtG.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\fljlzES.exe
  C:\Windows\System\fljlzES.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\umAGlqa.exe
  C:\Windows\System\umAGlqa.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\ugRChoH.exe
  C:\Windows\System\ugRChoH.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\YDNUEgM.exe
  C:\Windows\System\YDNUEgM.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\neruYzD.exe
  C:\Windows\System\neruYzD.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\nhRdYDh.exe
  C:\Windows\System\nhRdYDh.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\bJzgnJk.exe
  C:\Windows\System\bJzgnJk.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\bJKknMb.exe
  C:\Windows\System\bJKknMb.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\YoTgYIT.exe
  C:\Windows\System\YoTgYIT.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\vAotznl.exe
  C:\Windows\System\vAotznl.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\vOMMOpw.exe
  C:\Windows\System\vOMMOpw.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\EJJpKlw.exe
  C:\Windows\System\EJJpKlw.exe
  2⤵
  PID:4704
- C:\Windows\System\iVmtHel.exe
  C:\Windows\System\iVmtHel.exe
  2⤵
  PID:2868
- C:\Windows\System\aPWrCCp.exe
  C:\Windows\System\aPWrCCp.exe
  2⤵
  PID:516
- C:\Windows\System\vSJwfDh.exe
  C:\Windows\System\vSJwfDh.exe
  2⤵
  PID:5048
- C:\Windows\System\DtwOvci.exe
  C:\Windows\System\DtwOvci.exe
  2⤵
  PID:3336
- C:\Windows\System\cHjpijY.exe
  C:\Windows\System\cHjpijY.exe
  2⤵
  PID:1600
- C:\Windows\System\gDgOJCX.exe
  C:\Windows\System\gDgOJCX.exe
  2⤵
  PID:1440
- C:\Windows\System\OKgNUzV.exe
  C:\Windows\System\OKgNUzV.exe
  2⤵
  PID:4496
- C:\Windows\System\NkWDWcx.exe
  C:\Windows\System\NkWDWcx.exe
  2⤵
  PID:2560
- C:\Windows\System\DPXtLMC.exe
  C:\Windows\System\DPXtLMC.exe
  2⤵
  PID:3816
- C:\Windows\System\KQsRwMq.exe
  C:\Windows\System\KQsRwMq.exe
  2⤵
  PID:3608
- C:\Windows\System\EHHSTVi.exe
  C:\Windows\System\EHHSTVi.exe
  2⤵
  PID:1388
- C:\Windows\System\XZrGlYL.exe
  C:\Windows\System\XZrGlYL.exe
  2⤵
  PID:3484
- C:\Windows\System\avOGqZA.exe
  C:\Windows\System\avOGqZA.exe
  2⤵
  PID:3572
- C:\Windows\System\lYnFQjU.exe
  C:\Windows\System\lYnFQjU.exe
  2⤵
  PID:1264
- C:\Windows\System\ILLbzwo.exe
  C:\Windows\System\ILLbzwo.exe
  2⤵
  PID:224
- C:\Windows\System\vFVUoHr.exe
  C:\Windows\System\vFVUoHr.exe
  2⤵
  PID:3264
- C:\Windows\System\lUszXwF.exe
  C:\Windows\System\lUszXwF.exe
  2⤵
  PID:1484
- C:\Windows\System\oYqhNDQ.exe
  C:\Windows\System\oYqhNDQ.exe
  2⤵
  PID:2376
- C:\Windows\System\JuaiGBQ.exe
  C:\Windows\System\JuaiGBQ.exe
  2⤵
  PID:1096
- C:\Windows\System\OtUIzli.exe
  C:\Windows\System\OtUIzli.exe
  2⤵
  PID:696
- C:\Windows\System\lIisvqU.exe
  C:\Windows\System\lIisvqU.exe
  2⤵
  PID:2180
- C:\Windows\System\CsPjOKB.exe
  C:\Windows\System\CsPjOKB.exe
  2⤵
  PID:4376
- C:\Windows\System\QZlRtqi.exe
  C:\Windows\System\QZlRtqi.exe
  2⤵
  PID:2628
- C:\Windows\System\FkUunLS.exe
  C:\Windows\System\FkUunLS.exe
  2⤵
  PID:1172
- C:\Windows\System\lHrxhZy.exe
  C:\Windows\System\lHrxhZy.exe
  2⤵
  PID:3800
- C:\Windows\System\uXSGDnV.exe
  C:\Windows\System\uXSGDnV.exe
  2⤵
  PID:3632
- C:\Windows\System\cacyUZY.exe
  C:\Windows\System\cacyUZY.exe
  2⤵
  PID:1892
- C:\Windows\System\XTkZXcU.exe
  C:\Windows\System\XTkZXcU.exe
  2⤵
  PID:2252
- C:\Windows\System\CZqFkqb.exe
  C:\Windows\System\CZqFkqb.exe
  2⤵
  PID:4736
- C:\Windows\System\LrmaAhy.exe
  C:\Windows\System\LrmaAhy.exe
  2⤵
  PID:3304
- C:\Windows\System\zQSfvET.exe
  C:\Windows\System\zQSfvET.exe
  2⤵
  PID:2696
- C:\Windows\System\FeXWLvH.exe
  C:\Windows\System\FeXWLvH.exe
  2⤵
  PID:2904
- C:\Windows\System\dUfGcmQ.exe
  C:\Windows\System\dUfGcmQ.exe
  2⤵
  PID:2848
- C:\Windows\System\CueZEKi.exe
  C:\Windows\System\CueZEKi.exe
  2⤵
  PID:3648
- C:\Windows\System\cmDHVsT.exe
  C:\Windows\System\cmDHVsT.exe
  2⤵
  PID:676
- C:\Windows\System\JhOdYty.exe
  C:\Windows\System\JhOdYty.exe
  2⤵
  PID:2272
- C:\Windows\System\PQIRwcM.exe
  C:\Windows\System\PQIRwcM.exe
  2⤵
  PID:3692
- C:\Windows\System\rFcVOZP.exe
  C:\Windows\System\rFcVOZP.exe
  2⤵
  PID:4968
- C:\Windows\System\UBUhRXv.exe
  C:\Windows\System\UBUhRXv.exe
  2⤵
  PID:4792
- C:\Windows\System\YwKDGjb.exe
  C:\Windows\System\YwKDGjb.exe
  2⤵
  PID:3804
- C:\Windows\System\wArAeiA.exe
  C:\Windows\System\wArAeiA.exe
  2⤵
  PID:5080
- C:\Windows\System\LZQjmxD.exe
  C:\Windows\System\LZQjmxD.exe
  2⤵
  PID:3556
- C:\Windows\System\pGPzGPM.exe
  C:\Windows\System\pGPzGPM.exe
  2⤵
  PID:1040
- C:\Windows\System\hKDJAQx.exe
  C:\Windows\System\hKDJAQx.exe
  2⤵
  PID:4556
- C:\Windows\System\WRUelpy.exe
  C:\Windows\System\WRUelpy.exe
  2⤵
  PID:2888
- C:\Windows\System\PcmtBOJ.exe
  C:\Windows\System\PcmtBOJ.exe
  2⤵
  PID:3964
- C:\Windows\System\HUMwAmC.exe
  C:\Windows\System\HUMwAmC.exe
  2⤵
  PID:624
- C:\Windows\System\WmjaIaI.exe
  C:\Windows\System\WmjaIaI.exe
  2⤵
  PID:5140
- C:\Windows\System\vHPcUur.exe
  C:\Windows\System\vHPcUur.exe
  2⤵
  PID:5164
- C:\Windows\System\rNlsYBI.exe
  C:\Windows\System\rNlsYBI.exe
  2⤵
  PID:5196
- C:\Windows\System\EzMZHnx.exe
  C:\Windows\System\EzMZHnx.exe
  2⤵
  PID:5224
- C:\Windows\System\SOchUpk.exe
  C:\Windows\System\SOchUpk.exe
  2⤵
  PID:5252
- C:\Windows\System\sqytbzO.exe
  C:\Windows\System\sqytbzO.exe
  2⤵
  PID:5280
- C:\Windows\System\TlTGWQv.exe
  C:\Windows\System\TlTGWQv.exe
  2⤵
  PID:5308
- C:\Windows\System\AQwhmKB.exe
  C:\Windows\System\AQwhmKB.exe
  2⤵
  PID:5324
- C:\Windows\System\wsNEzAZ.exe
  C:\Windows\System\wsNEzAZ.exe
  2⤵
  PID:5364
- C:\Windows\System\PxAxxdJ.exe
  C:\Windows\System\PxAxxdJ.exe
  2⤵
  PID:5380
- C:\Windows\System\UxrJLSO.exe
  C:\Windows\System\UxrJLSO.exe
  2⤵
  PID:5396
- C:\Windows\System\dlGdsEP.exe
  C:\Windows\System\dlGdsEP.exe
  2⤵
  PID:5420
- C:\Windows\System\XVHcPsM.exe
  C:\Windows\System\XVHcPsM.exe
  2⤵
  PID:5440
- C:\Windows\System\MjRFCJJ.exe
  C:\Windows\System\MjRFCJJ.exe
  2⤵
  PID:5460
- C:\Windows\System\Pzlwgdl.exe
  C:\Windows\System\Pzlwgdl.exe
  2⤵
  PID:5488
- C:\Windows\System\YHWeskb.exe
  C:\Windows\System\YHWeskb.exe
  2⤵
  PID:5516
- C:\Windows\System\CglrHXE.exe
  C:\Windows\System\CglrHXE.exe
  2⤵
  PID:5560
- C:\Windows\System\DtOQGNl.exe
  C:\Windows\System\DtOQGNl.exe
  2⤵
  PID:5608
- C:\Windows\System\QUgxHtA.exe
  C:\Windows\System\QUgxHtA.exe
  2⤵
  PID:5632
- C:\Windows\System\BmoIZKr.exe
  C:\Windows\System\BmoIZKr.exe
  2⤵
  PID:5648
- C:\Windows\System\cNwIJMC.exe
  C:\Windows\System\cNwIJMC.exe
  2⤵
  PID:5668
- C:\Windows\System\ZHZdznl.exe
  C:\Windows\System\ZHZdznl.exe
  2⤵
  PID:5696
- C:\Windows\System\NYGvkmf.exe
  C:\Windows\System\NYGvkmf.exe
  2⤵
  PID:5712
- C:\Windows\System\VLBUJyz.exe
  C:\Windows\System\VLBUJyz.exe
  2⤵
  PID:5740
- C:\Windows\System\sryIkOk.exe
  C:\Windows\System\sryIkOk.exe
  2⤵
  PID:5764
- C:\Windows\System\xQKylUp.exe
  C:\Windows\System\xQKylUp.exe
  2⤵
  PID:5840
- C:\Windows\System\wDttsBs.exe
  C:\Windows\System\wDttsBs.exe
  2⤵
  PID:5856
- C:\Windows\System\pZSoGOX.exe
  C:\Windows\System\pZSoGOX.exe
  2⤵
  PID:5872
- C:\Windows\System\wqCmIuk.exe
  C:\Windows\System\wqCmIuk.exe
  2⤵
  PID:5900
- C:\Windows\System\aWHcvbI.exe
  C:\Windows\System\aWHcvbI.exe
  2⤵
  PID:5924
- C:\Windows\System\nvjXLFm.exe
  C:\Windows\System\nvjXLFm.exe
  2⤵
  PID:5956
- C:\Windows\System\tsoUzTW.exe
  C:\Windows\System\tsoUzTW.exe
  2⤵
  PID:5984
- C:\Windows\System\TSLbMwm.exe
  C:\Windows\System\TSLbMwm.exe
  2⤵
  PID:6032
- C:\Windows\System\tXLAzYP.exe
  C:\Windows\System\tXLAzYP.exe
  2⤵
  PID:6060
- C:\Windows\System\LiNOpEv.exe
  C:\Windows\System\LiNOpEv.exe
  2⤵
  PID:6096
- C:\Windows\System\lDAWlNr.exe
  C:\Windows\System\lDAWlNr.exe
  2⤵
  PID:6124
- C:\Windows\System\NLaryrn.exe
  C:\Windows\System\NLaryrn.exe
  2⤵
  PID:5068
- C:\Windows\System\WPIJDAA.exe
  C:\Windows\System\WPIJDAA.exe
  2⤵
  PID:5192
- C:\Windows\System\QtLiBWp.exe
  C:\Windows\System\QtLiBWp.exe
  2⤵
  PID:5220
- C:\Windows\System\Sldmgcp.exe
  C:\Windows\System\Sldmgcp.exe
  2⤵
  PID:5304
- C:\Windows\System\pqiqVZF.exe
  C:\Windows\System\pqiqVZF.exe
  2⤵
  PID:5412
- C:\Windows\System\WHCFNew.exe
  C:\Windows\System\WHCFNew.exe
  2⤵
  PID:5428
- C:\Windows\System\kmDpkMZ.exe
  C:\Windows\System\kmDpkMZ.exe
  2⤵
  PID:5408
- C:\Windows\System\fLoOLOp.exe
  C:\Windows\System\fLoOLOp.exe
  2⤵
  PID:5500
- C:\Windows\System\bmejQRj.exe
  C:\Windows\System\bmejQRj.exe
  2⤵
  PID:5584
- C:\Windows\System\LIBmdRD.exe
  C:\Windows\System\LIBmdRD.exe
  2⤵
  PID:5684
- C:\Windows\System\iwzOGub.exe
  C:\Windows\System\iwzOGub.exe
  2⤵
  PID:5756
- C:\Windows\System\vzOdIuW.exe
  C:\Windows\System\vzOdIuW.exe
  2⤵
  PID:5848
- C:\Windows\System\HMToYoP.exe
  C:\Windows\System\HMToYoP.exe
  2⤵
  PID:5920
- C:\Windows\System\WcbzkTa.exe
  C:\Windows\System\WcbzkTa.exe
  2⤵
  PID:5912
- C:\Windows\System\oHAtaaW.exe
  C:\Windows\System\oHAtaaW.exe
  2⤵
  PID:6004
- C:\Windows\System\hhZJPfV.exe
  C:\Windows\System\hhZJPfV.exe
  2⤵
  PID:6112
- C:\Windows\System\kLoDtse.exe
  C:\Windows\System\kLoDtse.exe
  2⤵
  PID:6140
- C:\Windows\System\CUqKAzx.exe
  C:\Windows\System\CUqKAzx.exe
  2⤵
  PID:5300
- C:\Windows\System\FzfwzXF.exe
  C:\Windows\System\FzfwzXF.exe
  2⤵
  PID:5452
- C:\Windows\System\vSyPLzu.exe
  C:\Windows\System\vSyPLzu.exe
  2⤵
  PID:5644
- C:\Windows\System\AgszZLl.exe
  C:\Windows\System\AgszZLl.exe
  2⤵
  PID:5640
- C:\Windows\System\ESNdWNb.exe
  C:\Windows\System\ESNdWNb.exe
  2⤵
  PID:5864
- C:\Windows\System\PVfnYVI.exe
  C:\Windows\System\PVfnYVI.exe
  2⤵
  PID:6052
- C:\Windows\System\ocAALeX.exe
  C:\Windows\System\ocAALeX.exe
  2⤵
  PID:5212
- C:\Windows\System\hHeAdOY.exe
  C:\Windows\System\hHeAdOY.exe
  2⤵
  PID:5548
- C:\Windows\System\ydjDEdZ.exe
  C:\Windows\System\ydjDEdZ.exe
  2⤵
  PID:5980
- C:\Windows\System\FqeEAkL.exe
  C:\Windows\System\FqeEAkL.exe
  2⤵
  PID:5472
- C:\Windows\System\vnIKEUY.exe
  C:\Windows\System\vnIKEUY.exe
  2⤵
  PID:5736
- C:\Windows\System\kmoynqU.exe
  C:\Windows\System\kmoynqU.exe
  2⤵
  PID:6156
- C:\Windows\System\HWjgGWK.exe
  C:\Windows\System\HWjgGWK.exe
  2⤵
  PID:6184
- C:\Windows\System\mDhXdud.exe
  C:\Windows\System\mDhXdud.exe
  2⤵
  PID:6212
- C:\Windows\System\ECJeWvt.exe
  C:\Windows\System\ECJeWvt.exe
  2⤵
  PID:6232
- C:\Windows\System\HuVMBqI.exe
  C:\Windows\System\HuVMBqI.exe
  2⤵
  PID:6252
- C:\Windows\System\ULQfypn.exe
  C:\Windows\System\ULQfypn.exe
  2⤵
  PID:6296
- C:\Windows\System\iaIwQua.exe
  C:\Windows\System\iaIwQua.exe
  2⤵
  PID:6328
- C:\Windows\System\qIYxatm.exe
  C:\Windows\System\qIYxatm.exe
  2⤵
  PID:6356
- C:\Windows\System\NjZfHzX.exe
  C:\Windows\System\NjZfHzX.exe
  2⤵
  PID:6380
- C:\Windows\System\TjeVNwa.exe
  C:\Windows\System\TjeVNwa.exe
  2⤵
  PID:6404
- C:\Windows\System\MOfRTyJ.exe
  C:\Windows\System\MOfRTyJ.exe
  2⤵
  PID:6428
- C:\Windows\System\ZvkoJju.exe
  C:\Windows\System\ZvkoJju.exe
  2⤵
  PID:6456
- C:\Windows\System\KstBMZc.exe
  C:\Windows\System\KstBMZc.exe
  2⤵
  PID:6488
- C:\Windows\System\FWNVdFf.exe
  C:\Windows\System\FWNVdFf.exe
  2⤵
  PID:6516
- C:\Windows\System\hfKFqWb.exe
  C:\Windows\System\hfKFqWb.exe
  2⤵
  PID:6540
- C:\Windows\System\OXotQsN.exe
  C:\Windows\System\OXotQsN.exe
  2⤵
  PID:6572
- C:\Windows\System\bMFzzwk.exe
  C:\Windows\System\bMFzzwk.exe
  2⤵
  PID:6600
- C:\Windows\System\HNSEHnQ.exe
  C:\Windows\System\HNSEHnQ.exe
  2⤵
  PID:6636
- C:\Windows\System\CkPKKCC.exe
  C:\Windows\System\CkPKKCC.exe
  2⤵
  PID:6672
- C:\Windows\System\tQSbbRi.exe
  C:\Windows\System\tQSbbRi.exe
  2⤵
  PID:6708
- C:\Windows\System\hJuTluF.exe
  C:\Windows\System\hJuTluF.exe
  2⤵
  PID:6732
- C:\Windows\System\zeKrAqM.exe
  C:\Windows\System\zeKrAqM.exe
  2⤵
  PID:6752
- C:\Windows\System\gCbmAOZ.exe
  C:\Windows\System\gCbmAOZ.exe
  2⤵
  PID:6784
- C:\Windows\System\IgHUwDE.exe
  C:\Windows\System\IgHUwDE.exe
  2⤵
  PID:6820
- C:\Windows\System\gbKkCXI.exe
  C:\Windows\System\gbKkCXI.exe
  2⤵
  PID:6852
- C:\Windows\System\LbazJyX.exe
  C:\Windows\System\LbazJyX.exe
  2⤵
  PID:6880
- C:\Windows\System\DVCilzU.exe
  C:\Windows\System\DVCilzU.exe
  2⤵
  PID:6908
- C:\Windows\System\Fkwkdvh.exe
  C:\Windows\System\Fkwkdvh.exe
  2⤵
  PID:6936
- C:\Windows\System\BydfygU.exe
  C:\Windows\System\BydfygU.exe
  2⤵
  PID:6964
- C:\Windows\System\PrjlMyN.exe
  C:\Windows\System\PrjlMyN.exe
  2⤵
  PID:6992
- C:\Windows\System\kPjfhXI.exe
  C:\Windows\System\kPjfhXI.exe
  2⤵
  PID:7020
- C:\Windows\System\HgTVicg.exe
  C:\Windows\System\HgTVicg.exe
  2⤵
  PID:7048
- C:\Windows\System\YFfQLwe.exe
  C:\Windows\System\YFfQLwe.exe
  2⤵
  PID:7064
- C:\Windows\System\ABLqqos.exe
  C:\Windows\System\ABLqqos.exe
  2⤵
  PID:7092
- C:\Windows\System\GMxMoSJ.exe
  C:\Windows\System\GMxMoSJ.exe
  2⤵
  PID:7120
- C:\Windows\System\gNddcFn.exe
  C:\Windows\System\gNddcFn.exe
  2⤵
  PID:7144
- C:\Windows\System\MwWPKsr.exe
  C:\Windows\System\MwWPKsr.exe
  2⤵
  PID:6152
- C:\Windows\System\xbiJiOC.exe
  C:\Windows\System\xbiJiOC.exe
  2⤵
  PID:6204
- C:\Windows\System\wjqQRJy.exe
  C:\Windows\System\wjqQRJy.exe
  2⤵
  PID:6308
- C:\Windows\System\sNaJwQU.exe
  C:\Windows\System\sNaJwQU.exe
  2⤵
  PID:6388
- C:\Windows\System\fdbImCe.exe
  C:\Windows\System\fdbImCe.exe
  2⤵
  PID:6448
- C:\Windows\System\EfbxckN.exe
  C:\Windows\System\EfbxckN.exe
  2⤵
  PID:6524
- C:\Windows\System\vQZuIHc.exe
  C:\Windows\System\vQZuIHc.exe
  2⤵
  PID:6552
- C:\Windows\System\fNghSLz.exe
  C:\Windows\System\fNghSLz.exe
  2⤵
  PID:6624
- C:\Windows\System\mGsfjzR.exe
  C:\Windows\System\mGsfjzR.exe
  2⤵
  PID:6728
- C:\Windows\System\yFjlzfw.exe
  C:\Windows\System\yFjlzfw.exe
  2⤵
  PID:6776
- C:\Windows\System\fPjIcXJ.exe
  C:\Windows\System\fPjIcXJ.exe
  2⤵
  PID:6840
- C:\Windows\System\CRTIgdI.exe
  C:\Windows\System\CRTIgdI.exe
  2⤵
  PID:6900
- C:\Windows\System\rXWOctQ.exe
  C:\Windows\System\rXWOctQ.exe
  2⤵
  PID:7008
- C:\Windows\System\jnYdHRL.exe
  C:\Windows\System\jnYdHRL.exe
  2⤵
  PID:7076
- C:\Windows\System\yXXtOIi.exe
  C:\Windows\System\yXXtOIi.exe
  2⤵
  PID:7112
- C:\Windows\System\QpfuVBV.exe
  C:\Windows\System\QpfuVBV.exe
  2⤵
  PID:6148
- C:\Windows\System\LcgeIto.exe
  C:\Windows\System\LcgeIto.exe
  2⤵
  PID:6348
- C:\Windows\System\QVzVlmM.exe
  C:\Windows\System\QVzVlmM.exe
  2⤵
  PID:6476
- C:\Windows\System\hSmrdxF.exe
  C:\Windows\System\hSmrdxF.exe
  2⤵
  PID:6720
- C:\Windows\System\eCAFTgV.exe
  C:\Windows\System\eCAFTgV.exe
  2⤵
  PID:6664
- C:\Windows\System\iZtader.exe
  C:\Windows\System\iZtader.exe
  2⤵
  PID:6848
- C:\Windows\System\AMTTNSc.exe
  C:\Windows\System\AMTTNSc.exe
  2⤵
  PID:7140
- C:\Windows\System\AFDBZLk.exe
  C:\Windows\System\AFDBZLk.exe
  2⤵
  PID:6504
- C:\Windows\System\AYXgIcE.exe
  C:\Windows\System\AYXgIcE.exe
  2⤵
  PID:6768
- C:\Windows\System\iPeczBV.exe
  C:\Windows\System\iPeczBV.exe
  2⤵
  PID:6396
- C:\Windows\System\BPUDDdg.exe
  C:\Windows\System\BPUDDdg.exe
  2⤵
  PID:6896
- C:\Windows\System\pZlqLaa.exe
  C:\Windows\System\pZlqLaa.exe
  2⤵
  PID:6536
- C:\Windows\System\KZpXmDd.exe
  C:\Windows\System\KZpXmDd.exe
  2⤵
  PID:7196
- C:\Windows\System\NYsJfuo.exe
  C:\Windows\System\NYsJfuo.exe
  2⤵
  PID:7220
- C:\Windows\System\GwHzWfl.exe
  C:\Windows\System\GwHzWfl.exe
  2⤵
  PID:7248
- C:\Windows\System\pohfRxc.exe
  C:\Windows\System\pohfRxc.exe
  2⤵
  PID:7272
- C:\Windows\System\NHSCSPm.exe
  C:\Windows\System\NHSCSPm.exe
  2⤵
  PID:7308
- C:\Windows\System\wmfExVo.exe
  C:\Windows\System\wmfExVo.exe
  2⤵
  PID:7332
- C:\Windows\System\GTaViHZ.exe
  C:\Windows\System\GTaViHZ.exe
  2⤵
  PID:7352
- C:\Windows\System\LxlxRAm.exe
  C:\Windows\System\LxlxRAm.exe
  2⤵
  PID:7384
- C:\Windows\System\snGSHKv.exe
  C:\Windows\System\snGSHKv.exe
  2⤵
  PID:7408
- C:\Windows\System\UsAhzmy.exe
  C:\Windows\System\UsAhzmy.exe
  2⤵
  PID:7460
- C:\Windows\System\jshSqdf.exe
  C:\Windows\System\jshSqdf.exe
  2⤵
  PID:7484
- C:\Windows\System\xeHNGYE.exe
  C:\Windows\System\xeHNGYE.exe
  2⤵
  PID:7516
- C:\Windows\System\zepfSdr.exe
  C:\Windows\System\zepfSdr.exe
  2⤵
  PID:7540
- C:\Windows\System\SzMXEgY.exe
  C:\Windows\System\SzMXEgY.exe
  2⤵
  PID:7560
- C:\Windows\System\iwZExFH.exe
  C:\Windows\System\iwZExFH.exe
  2⤵
  PID:7600
- C:\Windows\System\xYlokKp.exe
  C:\Windows\System\xYlokKp.exe
  2⤵
  PID:7620
- C:\Windows\System\gzHkzSv.exe
  C:\Windows\System\gzHkzSv.exe
  2⤵
  PID:7648
- C:\Windows\System\quXpsVa.exe
  C:\Windows\System\quXpsVa.exe
  2⤵
  PID:7684
- C:\Windows\System\kEkAfWT.exe
  C:\Windows\System\kEkAfWT.exe
  2⤵
  PID:7716
- C:\Windows\System\gIjhLgj.exe
  C:\Windows\System\gIjhLgj.exe
  2⤵
  PID:7744
- C:\Windows\System\zkshpki.exe
  C:\Windows\System\zkshpki.exe
  2⤵
  PID:7772
- C:\Windows\System\mtcafxb.exe
  C:\Windows\System\mtcafxb.exe
  2⤵
  PID:7800
- C:\Windows\System\ItPstUr.exe
  C:\Windows\System\ItPstUr.exe
  2⤵
  PID:7828
- C:\Windows\System\FDkLLRn.exe
  C:\Windows\System\FDkLLRn.exe
  2⤵
  PID:7856
- C:\Windows\System\joeltKI.exe
  C:\Windows\System\joeltKI.exe
  2⤵
  PID:7884
- C:\Windows\System\jJVmIkO.exe
  C:\Windows\System\jJVmIkO.exe
  2⤵
  PID:7912
- C:\Windows\System\FPXNPBk.exe
  C:\Windows\System\FPXNPBk.exe
  2⤵
  PID:7932
- C:\Windows\System\WfVAgQk.exe
  C:\Windows\System\WfVAgQk.exe
  2⤵
  PID:7956
- C:\Windows\System\SdpPcDg.exe
  C:\Windows\System\SdpPcDg.exe
  2⤵
  PID:7988
- C:\Windows\System\xCdldRj.exe
  C:\Windows\System\xCdldRj.exe
  2⤵
  PID:8012
- C:\Windows\System\TaOkBjb.exe
  C:\Windows\System\TaOkBjb.exe
  2⤵
  PID:8032
- C:\Windows\System\bRhPwRI.exe
  C:\Windows\System\bRhPwRI.exe
  2⤵
  PID:8052
- C:\Windows\System\RMfEfyc.exe
  C:\Windows\System\RMfEfyc.exe
  2⤵
  PID:8084
- C:\Windows\System\DZalHEr.exe
  C:\Windows\System\DZalHEr.exe
  2⤵
  PID:8112
- C:\Windows\System\wjQAjrF.exe
  C:\Windows\System\wjQAjrF.exe
  2⤵
  PID:8144
- C:\Windows\System\ZdyqFye.exe
  C:\Windows\System\ZdyqFye.exe
  2⤵
  PID:8180
- C:\Windows\System\IhFSrts.exe
  C:\Windows\System\IhFSrts.exe
  2⤵
  PID:6372
- C:\Windows\System\PWPopCi.exe
  C:\Windows\System\PWPopCi.exe
  2⤵
  PID:7288
- C:\Windows\System\mtnnijJ.exe
  C:\Windows\System\mtnnijJ.exe
  2⤵
  PID:7320
- C:\Windows\System\HyMkttl.exe
  C:\Windows\System\HyMkttl.exe
  2⤵
  PID:7420
- C:\Windows\System\isUMrei.exe
  C:\Windows\System\isUMrei.exe
  2⤵
  PID:7472
- C:\Windows\System\UvwFofr.exe
  C:\Windows\System\UvwFofr.exe
  2⤵
  PID:7532
- C:\Windows\System\SOcaYIN.exe
  C:\Windows\System\SOcaYIN.exe
  2⤵
  PID:7616
- C:\Windows\System\Welraoe.exe
  C:\Windows\System\Welraoe.exe
  2⤵
  PID:7680
- C:\Windows\System\fyGahPe.exe
  C:\Windows\System\fyGahPe.exe
  2⤵
  PID:7768
- C:\Windows\System\KFoioiq.exe
  C:\Windows\System\KFoioiq.exe
  2⤵
  PID:7796
- C:\Windows\System\XPFHEUq.exe
  C:\Windows\System\XPFHEUq.exe
  2⤵
  PID:7848
- C:\Windows\System\nfnlqgo.exe
  C:\Windows\System\nfnlqgo.exe
  2⤵
  PID:7900
- C:\Windows\System\iDhXNKC.exe
  C:\Windows\System\iDhXNKC.exe
  2⤵
  PID:7948
- C:\Windows\System\ZvkitKT.exe
  C:\Windows\System\ZvkitKT.exe
  2⤵
  PID:8040
- C:\Windows\System\HCDLbFH.exe
  C:\Windows\System\HCDLbFH.exe
  2⤵
  PID:8124
- C:\Windows\System\EToaBnp.exe
  C:\Windows\System\EToaBnp.exe
  2⤵
  PID:8168
- C:\Windows\System\pbchYId.exe
  C:\Windows\System\pbchYId.exe
  2⤵
  PID:7232
- C:\Windows\System\mGluOHa.exe
  C:\Windows\System\mGluOHa.exe
  2⤵
  PID:7340
- C:\Windows\System\HvuzqBc.exe
  C:\Windows\System\HvuzqBc.exe
  2⤵
  PID:7656
- C:\Windows\System\fPMozGS.exe
  C:\Windows\System\fPMozGS.exe
  2⤵
  PID:7820
- C:\Windows\System\tarMprj.exe
  C:\Windows\System\tarMprj.exe
  2⤵
  PID:7996
- C:\Windows\System\xbVsVhn.exe
  C:\Windows\System\xbVsVhn.exe
  2⤵
  PID:8080
- C:\Windows\System\cZHpyAV.exe
  C:\Windows\System\cZHpyAV.exe
  2⤵
  PID:7376
- C:\Windows\System\xhNjDqj.exe
  C:\Windows\System\xhNjDqj.exe
  2⤵
  PID:7132
- C:\Windows\System\DGVyByV.exe
  C:\Windows\System\DGVyByV.exe
  2⤵
  PID:8104
- C:\Windows\System\bTegrmi.exe
  C:\Windows\System\bTegrmi.exe
  2⤵
  PID:7452
- C:\Windows\System\JvNuHhI.exe
  C:\Windows\System\JvNuHhI.exe
  2⤵
  PID:7876
- C:\Windows\System\TSzKWra.exe
  C:\Windows\System\TSzKWra.exe
  2⤵
  PID:8216
- C:\Windows\System\STEGeYF.exe
  C:\Windows\System\STEGeYF.exe
  2⤵
  PID:8232
- C:\Windows\System\XnfPbui.exe
  C:\Windows\System\XnfPbui.exe
  2⤵
  PID:8272
- C:\Windows\System\aaFIkyT.exe
  C:\Windows\System\aaFIkyT.exe
  2⤵
  PID:8300
- C:\Windows\System\NdnQHaz.exe
  C:\Windows\System\NdnQHaz.exe
  2⤵
  PID:8328
- C:\Windows\System\BWtNliz.exe
  C:\Windows\System\BWtNliz.exe
  2⤵
  PID:8356
- C:\Windows\System\FduBnKa.exe
  C:\Windows\System\FduBnKa.exe
  2⤵
  PID:8384
- C:\Windows\System\LESpOoJ.exe
  C:\Windows\System\LESpOoJ.exe
  2⤵
  PID:8412
- C:\Windows\System\LBYhXxb.exe
  C:\Windows\System\LBYhXxb.exe
  2⤵
  PID:8436
- C:\Windows\System\yCNrPVD.exe
  C:\Windows\System\yCNrPVD.exe
  2⤵
  PID:8468
- C:\Windows\System\aKGRLhu.exe
  C:\Windows\System\aKGRLhu.exe
  2⤵
  PID:8496
- C:\Windows\System\LZRjmEq.exe
  C:\Windows\System\LZRjmEq.exe
  2⤵
  PID:8524
- C:\Windows\System\WNVSvXW.exe
  C:\Windows\System\WNVSvXW.exe
  2⤵
  PID:8552
- C:\Windows\System\DjZvffk.exe
  C:\Windows\System\DjZvffk.exe
  2⤵
  PID:8580
- C:\Windows\System\aushyZf.exe
  C:\Windows\System\aushyZf.exe
  2⤵
  PID:8600
- C:\Windows\System\IyHCIlD.exe
  C:\Windows\System\IyHCIlD.exe
  2⤵
  PID:8624
- C:\Windows\System\QUQqmvd.exe
  C:\Windows\System\QUQqmvd.exe
  2⤵
  PID:8652
- C:\Windows\System\yrYvzmg.exe
  C:\Windows\System\yrYvzmg.exe
  2⤵
  PID:8672
- C:\Windows\System\nqhXUhh.exe
  C:\Windows\System\nqhXUhh.exe
  2⤵
  PID:8708
- C:\Windows\System\xjDIhWE.exe
  C:\Windows\System\xjDIhWE.exe
  2⤵
  PID:8724
- C:\Windows\System\WokEzYc.exe
  C:\Windows\System\WokEzYc.exe
  2⤵
  PID:8744
- C:\Windows\System\HhYpEiD.exe
  C:\Windows\System\HhYpEiD.exe
  2⤵
  PID:8776
- C:\Windows\System\XkXywyR.exe
  C:\Windows\System\XkXywyR.exe
  2⤵
  PID:8808
- C:\Windows\System\ebSnGXI.exe
  C:\Windows\System\ebSnGXI.exe
  2⤵
  PID:8836
- C:\Windows\System\nAnMnIW.exe
  C:\Windows\System\nAnMnIW.exe
  2⤵
  PID:8860
- C:\Windows\System\WweLYCg.exe
  C:\Windows\System\WweLYCg.exe
  2⤵
  PID:8896
- C:\Windows\System\scXHFVg.exe
  C:\Windows\System\scXHFVg.exe
  2⤵
  PID:8928
- C:\Windows\System\PiqfLyQ.exe
  C:\Windows\System\PiqfLyQ.exe
  2⤵
  PID:8960
- C:\Windows\System\pwJuWSK.exe
  C:\Windows\System\pwJuWSK.exe
  2⤵
  PID:8980
- C:\Windows\System\mXFsbTY.exe
  C:\Windows\System\mXFsbTY.exe
  2⤵
  PID:9028
- C:\Windows\System\GmyHWTS.exe
  C:\Windows\System\GmyHWTS.exe
  2⤵
  PID:9056
- C:\Windows\System\FaNSfZi.exe
  C:\Windows\System\FaNSfZi.exe
  2⤵
  PID:9076
- C:\Windows\System\wVbEEKR.exe
  C:\Windows\System\wVbEEKR.exe
  2⤵
  PID:9092
- C:\Windows\System\jssKniM.exe
  C:\Windows\System\jssKniM.exe
  2⤵
  PID:9120
- C:\Windows\System\FTtoezp.exe
  C:\Windows\System\FTtoezp.exe
  2⤵
  PID:9148
- C:\Windows\System\ANajXjs.exe
  C:\Windows\System\ANajXjs.exe
  2⤵
  PID:9176
- C:\Windows\System\oFNJsDj.exe
  C:\Windows\System\oFNJsDj.exe
  2⤵
  PID:9200
- C:\Windows\System\rmIefUn.exe
  C:\Windows\System\rmIefUn.exe
  2⤵
  PID:8264
- C:\Windows\System\DLgteRo.exe
  C:\Windows\System\DLgteRo.exe
  2⤵
  PID:8288
- C:\Windows\System\pNDEbdV.exe
  C:\Windows\System\pNDEbdV.exe
  2⤵
  PID:8400
- C:\Windows\System\znVDdst.exe
  C:\Windows\System\znVDdst.exe
  2⤵
  PID:8456
- C:\Windows\System\QvAvjyg.exe
  C:\Windows\System\QvAvjyg.exe
  2⤵
  PID:8540
- C:\Windows\System\eWPwWMa.exe
  C:\Windows\System\eWPwWMa.exe
  2⤵
  PID:8608
- C:\Windows\System\dFPgvZo.exe
  C:\Windows\System\dFPgvZo.exe
  2⤵
  PID:8680
- C:\Windows\System\ZPRgeez.exe
  C:\Windows\System\ZPRgeez.exe
  2⤵
  PID:8716
- C:\Windows\System\YQEykTq.exe
  C:\Windows\System\YQEykTq.exe
  2⤵
  PID:8740
- C:\Windows\System\iLYPzUK.exe
  C:\Windows\System\iLYPzUK.exe
  2⤵
  PID:8856
- C:\Windows\System\DPBIlaW.exe
  C:\Windows\System\DPBIlaW.exe
  2⤵
  PID:8948
- C:\Windows\System\cdNccMo.exe
  C:\Windows\System\cdNccMo.exe
  2⤵
  PID:8968
- C:\Windows\System\ygYDVQW.exe
  C:\Windows\System\ygYDVQW.exe
  2⤵
  PID:9012
- C:\Windows\System\BuOQeGy.exe
  C:\Windows\System\BuOQeGy.exe
  2⤵
  PID:9084
- C:\Windows\System\QBiSuSS.exe
  C:\Windows\System\QBiSuSS.exe
  2⤵
  PID:9168
- C:\Windows\System\WviPZkz.exe
  C:\Windows\System\WviPZkz.exe
  2⤵
  PID:9192
- C:\Windows\System\wzYGSaz.exe
  C:\Windows\System\wzYGSaz.exe
  2⤵
  PID:8312
- C:\Windows\System\xaDeNDX.exe
  C:\Windows\System\xaDeNDX.exe
  2⤵
  PID:8428
- C:\Windows\System\lQdMfDS.exe
  C:\Windows\System\lQdMfDS.exe
  2⤵
  PID:8636
- C:\Windows\System\jKNrRXE.exe
  C:\Windows\System\jKNrRXE.exe
  2⤵
  PID:8668
- C:\Windows\System\oeEwKcM.exe
  C:\Windows\System\oeEwKcM.exe
  2⤵
  PID:8988
- C:\Windows\System\wAZIZEI.exe
  C:\Windows\System\wAZIZEI.exe
  2⤵
  PID:9112
- C:\Windows\System\VOsQyMp.exe
  C:\Windows\System\VOsQyMp.exe
  2⤵
  PID:8224
- C:\Windows\System\mUTiIvJ.exe
  C:\Windows\System\mUTiIvJ.exe
  2⤵
  PID:8488
- C:\Windows\System\cFDqqcY.exe
  C:\Windows\System\cFDqqcY.exe
  2⤵
  PID:8904
- C:\Windows\System\YLEACdO.exe
  C:\Windows\System\YLEACdO.exe
  2⤵
  PID:8404
- C:\Windows\System\wgdwWQm.exe
  C:\Windows\System\wgdwWQm.exe
  2⤵
  PID:9224
- C:\Windows\System\vAchVQP.exe
  C:\Windows\System\vAchVQP.exe
  2⤵
  PID:9240
- C:\Windows\System\aozZMvY.exe
  C:\Windows\System\aozZMvY.exe
  2⤵
  PID:9276
- C:\Windows\System\YABXeBZ.exe
  C:\Windows\System\YABXeBZ.exe
  2⤵
  PID:9296
- C:\Windows\System\WQsJgnk.exe
  C:\Windows\System\WQsJgnk.exe
  2⤵
  PID:9320
- C:\Windows\System\wCSCLMF.exe
  C:\Windows\System\wCSCLMF.exe
  2⤵
  PID:9340
- C:\Windows\System\TyEuBpW.exe
  C:\Windows\System\TyEuBpW.exe
  2⤵
  PID:9400
- C:\Windows\System\jjqXfMQ.exe
  C:\Windows\System\jjqXfMQ.exe
  2⤵
  PID:9416
- C:\Windows\System\ROenLRN.exe
  C:\Windows\System\ROenLRN.exe
  2⤵
  PID:9432
- C:\Windows\System\AHbvVBV.exe
  C:\Windows\System\AHbvVBV.exe
  2⤵
  PID:9456
- C:\Windows\System\kVtdsRp.exe
  C:\Windows\System\kVtdsRp.exe
  2⤵
  PID:9480
- C:\Windows\System\hyfIHPD.exe
  C:\Windows\System\hyfIHPD.exe
  2⤵
  PID:9508
- C:\Windows\System\XCiRUYR.exe
  C:\Windows\System\XCiRUYR.exe
  2⤵
  PID:9568
- C:\Windows\System\DssUaBT.exe
  C:\Windows\System\DssUaBT.exe
  2⤵
  PID:9592
- C:\Windows\System\NakHMBT.exe
  C:\Windows\System\NakHMBT.exe
  2⤵
  PID:9620
- C:\Windows\System\mVdISXh.exe
  C:\Windows\System\mVdISXh.exe
  2⤵
  PID:9644
- C:\Windows\System\EPJiXoZ.exe
  C:\Windows\System\EPJiXoZ.exe
  2⤵
  PID:9668
- C:\Windows\System\ApWzAbd.exe
  C:\Windows\System\ApWzAbd.exe
  2⤵
  PID:9696
- C:\Windows\System\YSynabs.exe
  C:\Windows\System\YSynabs.exe
  2⤵
  PID:9712
- C:\Windows\System\ivqLVhF.exe
  C:\Windows\System\ivqLVhF.exe
  2⤵
  PID:9736
- C:\Windows\System\WNnpMtd.exe
  C:\Windows\System\WNnpMtd.exe
  2⤵
  PID:9764
- C:\Windows\System\YsSvlSH.exe
  C:\Windows\System\YsSvlSH.exe
  2⤵
  PID:9796
- C:\Windows\System\VTYoOLp.exe
  C:\Windows\System\VTYoOLp.exe
  2⤵
  PID:9820
- C:\Windows\System\VigzWZl.exe
  C:\Windows\System\VigzWZl.exe
  2⤵
  PID:9856
- C:\Windows\System\zyQhjJy.exe
  C:\Windows\System\zyQhjJy.exe
  2⤵
  PID:9888
- C:\Windows\System\pAKmrrP.exe
  C:\Windows\System\pAKmrrP.exe
  2⤵
  PID:9932
- C:\Windows\System\ODfhpfe.exe
  C:\Windows\System\ODfhpfe.exe
  2⤵
  PID:9952
- C:\Windows\System\fagKQpI.exe
  C:\Windows\System\fagKQpI.exe
  2⤵
  PID:9972
- C:\Windows\System\xhdCWlo.exe
  C:\Windows\System\xhdCWlo.exe
  2⤵
  PID:10000
- C:\Windows\System\EZzZxxE.exe
  C:\Windows\System\EZzZxxE.exe
  2⤵
  PID:10024
- C:\Windows\System\swYYCCd.exe
  C:\Windows\System\swYYCCd.exe
  2⤵
  PID:10072
- C:\Windows\System\LRhimyg.exe
  C:\Windows\System\LRhimyg.exe
  2⤵
  PID:10092
- C:\Windows\System\cUnXwOq.exe
  C:\Windows\System\cUnXwOq.exe
  2⤵
  PID:10116
- C:\Windows\System\TSrtHDu.exe
  C:\Windows\System\TSrtHDu.exe
  2⤵
  PID:10136
- C:\Windows\System\NLGmUEm.exe
  C:\Windows\System\NLGmUEm.exe
  2⤵
  PID:10180
- C:\Windows\System\EbeByap.exe
  C:\Windows\System\EbeByap.exe
  2⤵
  PID:10204
- C:\Windows\System\ozWWowD.exe
  C:\Windows\System\ozWWowD.exe
  2⤵
  PID:10232
- C:\Windows\System\EWYRtuK.exe
  C:\Windows\System\EWYRtuK.exe
  2⤵
  PID:8760
- C:\Windows\System\YhKBvmC.exe
  C:\Windows\System\YhKBvmC.exe
  2⤵
  PID:9308
- C:\Windows\System\GXzfKyZ.exe
  C:\Windows\System\GXzfKyZ.exe
  2⤵
  PID:9348
- C:\Windows\System\SjjgLhK.exe
  C:\Windows\System\SjjgLhK.exe
  2⤵
  PID:9412
- C:\Windows\System\KeWZdKB.exe
  C:\Windows\System\KeWZdKB.exe
  2⤵
  PID:9496
- C:\Windows\System\KpkwiLQ.exe
  C:\Windows\System\KpkwiLQ.exe
  2⤵
  PID:9588
- C:\Windows\System\XqGOkUa.exe
  C:\Windows\System\XqGOkUa.exe
  2⤵
  PID:9684
- C:\Windows\System\PcGOoAC.exe
  C:\Windows\System\PcGOoAC.exe
  2⤵
  PID:9724
- C:\Windows\System\YUaGUek.exe
  C:\Windows\System\YUaGUek.exe
  2⤵
  PID:9748
- C:\Windows\System\nvdVUKw.exe
  C:\Windows\System\nvdVUKw.exe
  2⤵
  PID:9812
- C:\Windows\System\CCucMvq.exe
  C:\Windows\System\CCucMvq.exe
  2⤵
  PID:9880
- C:\Windows\System\UEMjHje.exe
  C:\Windows\System\UEMjHje.exe
  2⤵
  PID:9940
- C:\Windows\System\YVmuusp.exe
  C:\Windows\System\YVmuusp.exe
  2⤵
  PID:9988
- C:\Windows\System\LZlIDwJ.exe
  C:\Windows\System\LZlIDwJ.exe
  2⤵
  PID:10020
- C:\Windows\System\PamquOH.exe
  C:\Windows\System\PamquOH.exe
  2⤵
  PID:10164
- C:\Windows\System\pbDKrlJ.exe
  C:\Windows\System\pbDKrlJ.exe
  2⤵
  PID:10200
- C:\Windows\System\NOlpEOY.exe
  C:\Windows\System\NOlpEOY.exe
  2⤵
  PID:8616
- C:\Windows\System\qdTThXu.exe
  C:\Windows\System\qdTThXu.exe
  2⤵
  PID:9408
- C:\Windows\System\drOLnYL.exe
  C:\Windows\System\drOLnYL.exe
  2⤵
  PID:9640
- C:\Windows\System\lhrsxgs.exe
  C:\Windows\System\lhrsxgs.exe
  2⤵
  PID:9756
- C:\Windows\System\xGdtTDr.exe
  C:\Windows\System\xGdtTDr.exe
  2⤵
  PID:9916
- C:\Windows\System\QFWFMjk.exe
  C:\Windows\System\QFWFMjk.exe
  2⤵
  PID:10088
- C:\Windows\System\ganndam.exe
  C:\Windows\System\ganndam.exe
  2⤵
  PID:9232
- C:\Windows\System\dWSHvVQ.exe
  C:\Windows\System\dWSHvVQ.exe
  2⤵
  PID:9632
- C:\Windows\System\fzfByxq.exe
  C:\Windows\System\fzfByxq.exe
  2⤵
  PID:9948
- C:\Windows\System\jysGYpb.exe
  C:\Windows\System\jysGYpb.exe
  2⤵
  PID:10080
- C:\Windows\System\dqHuzWy.exe
  C:\Windows\System\dqHuzWy.exe
  2⤵
  PID:9376
- C:\Windows\System\pjxIhPl.exe
  C:\Windows\System\pjxIhPl.exe
  2⤵
  PID:10264
- C:\Windows\System\loQzIFO.exe
  C:\Windows\System\loQzIFO.exe
  2⤵
  PID:10296
- C:\Windows\System\idAdRkO.exe
  C:\Windows\System\idAdRkO.exe
  2⤵
  PID:10320
- C:\Windows\System\SGqWigd.exe
  C:\Windows\System\SGqWigd.exe
  2⤵
  PID:10344
- C:\Windows\System\qBEjKaQ.exe
  C:\Windows\System\qBEjKaQ.exe
  2⤵
  PID:10384
- C:\Windows\System\rSvYVoi.exe
  C:\Windows\System\rSvYVoi.exe
  2⤵
  PID:10424
- C:\Windows\System\bcqWYUT.exe
  C:\Windows\System\bcqWYUT.exe
  2⤵
  PID:10444
- C:\Windows\System\QisppoB.exe
  C:\Windows\System\QisppoB.exe
  2⤵
  PID:10472
- C:\Windows\System\FiZsnOL.exe
  C:\Windows\System\FiZsnOL.exe
  2⤵
  PID:10508
- C:\Windows\System\UHNoLOF.exe
  C:\Windows\System\UHNoLOF.exe
  2⤵
  PID:10524
- C:\Windows\System\XbuPIHb.exe
  C:\Windows\System\XbuPIHb.exe
  2⤵
  PID:10540
- C:\Windows\System\bngJzBm.exe
  C:\Windows\System\bngJzBm.exe
  2⤵
  PID:10580
- C:\Windows\System\IScMQiz.exe
  C:\Windows\System\IScMQiz.exe
  2⤵
  PID:10624
- C:\Windows\System\cPAeYXf.exe
  C:\Windows\System\cPAeYXf.exe
  2⤵
  PID:10652
- C:\Windows\System\WuTpSeH.exe
  C:\Windows\System\WuTpSeH.exe
  2⤵
  PID:10668
- C:\Windows\System\ivjXETK.exe
  C:\Windows\System\ivjXETK.exe
  2⤵
  PID:10700
- C:\Windows\System\qdqUnzY.exe
  C:\Windows\System\qdqUnzY.exe
  2⤵
  PID:10736
- C:\Windows\System\DHjGWWf.exe
  C:\Windows\System\DHjGWWf.exe
  2⤵
  PID:10764
- C:\Windows\System\GlVIbuP.exe
  C:\Windows\System\GlVIbuP.exe
  2⤵
  PID:10792
- C:\Windows\System\fKaBGxH.exe
  C:\Windows\System\fKaBGxH.exe
  2⤵
  PID:10808
- C:\Windows\System\HHZHakZ.exe
  C:\Windows\System\HHZHakZ.exe
  2⤵
  PID:10836
- C:\Windows\System\fLJkoxW.exe
  C:\Windows\System\fLJkoxW.exe
  2⤵
  PID:10864
- C:\Windows\System\WIWOdNg.exe
  C:\Windows\System\WIWOdNg.exe
  2⤵
  PID:10892
- C:\Windows\System\KwWAvht.exe
  C:\Windows\System\KwWAvht.exe
  2⤵
  PID:10920
- C:\Windows\System\mSeKAah.exe
  C:\Windows\System\mSeKAah.exe
  2⤵
  PID:10948
- C:\Windows\System\swDAXdw.exe
  C:\Windows\System\swDAXdw.exe
  2⤵
  PID:10976
- C:\Windows\System\BatoBvQ.exe
  C:\Windows\System\BatoBvQ.exe
  2⤵
  PID:10996
- C:\Windows\System\hcYEKZQ.exe
  C:\Windows\System\hcYEKZQ.exe
  2⤵
  PID:11032
- C:\Windows\System\MHOGqZW.exe
  C:\Windows\System\MHOGqZW.exe
  2⤵
  PID:11048
- C:\Windows\System\jOpZjCd.exe
  C:\Windows\System\jOpZjCd.exe
  2⤵
  PID:11076
- C:\Windows\System\sVCDWRr.exe
  C:\Windows\System\sVCDWRr.exe
  2⤵
  PID:11128
- C:\Windows\System\BAAOQPo.exe
  C:\Windows\System\BAAOQPo.exe
  2⤵
  PID:11156
- C:\Windows\System\uEraqLH.exe
  C:\Windows\System\uEraqLH.exe
  2⤵
  PID:11172
- C:\Windows\System\QVXoCbN.exe
  C:\Windows\System\QVXoCbN.exe
  2⤵
  PID:11212
- C:\Windows\System\POxOHjo.exe
  C:\Windows\System\POxOHjo.exe
  2⤵
  PID:11232
- C:\Windows\System\ikHReBF.exe
  C:\Windows\System\ikHReBF.exe
  2⤵
  PID:9852
- C:\Windows\System\UcyuzcQ.exe
  C:\Windows\System\UcyuzcQ.exe
  2⤵
  PID:10256
- C:\Windows\System\XaJWIHx.exe
  C:\Windows\System\XaJWIHx.exe
  2⤵
  PID:10316
- C:\Windows\System\TifSedD.exe
  C:\Windows\System\TifSedD.exe
  2⤵
  PID:10416
- C:\Windows\System\NHntfhC.exe
  C:\Windows\System\NHntfhC.exe
  2⤵
  PID:10460
- C:\Windows\System\uOxvrOQ.exe
  C:\Windows\System\uOxvrOQ.exe
  2⤵
  PID:10516
- C:\Windows\System\eqxBlAX.exe
  C:\Windows\System\eqxBlAX.exe
  2⤵
  PID:10572
- C:\Windows\System\BLqszJP.exe
  C:\Windows\System\BLqszJP.exe
  2⤵
  PID:10648
- C:\Windows\System\NYcTKwH.exe
  C:\Windows\System\NYcTKwH.exe
  2⤵
  PID:10724
- C:\Windows\System\ZirBrxL.exe
  C:\Windows\System\ZirBrxL.exe
  2⤵
  PID:10788
- C:\Windows\System\URhRdUk.exe
  C:\Windows\System\URhRdUk.exe
  2⤵
  PID:10820
- C:\Windows\System\xcJyHFi.exe
  C:\Windows\System\xcJyHFi.exe
  2⤵
  PID:10880
- C:\Windows\System\yjJmnAc.exe
  C:\Windows\System\yjJmnAc.exe
  2⤵
  PID:10956
- C:\Windows\System\vDXloTE.exe
  C:\Windows\System\vDXloTE.exe
  2⤵
  PID:11024
- C:\Windows\System\uiTvNXv.exe
  C:\Windows\System\uiTvNXv.exe
  2⤵
  PID:11100
- C:\Windows\System\PuOFDak.exe
  C:\Windows\System\PuOFDak.exe
  2⤵
  PID:11148
- C:\Windows\System\vgmNbyV.exe
  C:\Windows\System\vgmNbyV.exe
  2⤵
  PID:11192
- C:\Windows\System\zJtiOWW.exe
  C:\Windows\System\zJtiOWW.exe
  2⤵
  PID:9384
- C:\Windows\System\nRNbROt.exe
  C:\Windows\System\nRNbROt.exe
  2⤵
  PID:10372
- C:\Windows\System\xAxGDAu.exe
  C:\Windows\System\xAxGDAu.exe
  2⤵
  PID:10496
- C:\Windows\System\EXDJTbK.exe
  C:\Windows\System\EXDJTbK.exe
  2⤵
  PID:10644
- C:\Windows\System\nRgqeiP.exe
  C:\Windows\System\nRgqeiP.exe
  2⤵
  PID:10776
- C:\Windows\System\dAUaxsv.exe
  C:\Windows\System\dAUaxsv.exe
  2⤵
  PID:10908
- C:\Windows\System\HshuQfn.exe
  C:\Windows\System\HshuQfn.exe
  2⤵
  PID:10992
- C:\Windows\System\SRVExEt.exe
  C:\Windows\System\SRVExEt.exe
  2⤵
  PID:11124
- C:\Windows\System\xqdfqNe.exe
  C:\Windows\System\xqdfqNe.exe
  2⤵
  PID:10440
- C:\Windows\System\FqgVDRv.exe
  C:\Windows\System\FqgVDRv.exe
  2⤵
  PID:10684
- C:\Windows\System\nNDMhSg.exe
  C:\Windows\System\nNDMhSg.exe
  2⤵
  PID:11008
- C:\Windows\System\KFELVEg.exe
  C:\Windows\System\KFELVEg.exe
  2⤵
  PID:10636
- C:\Windows\System\szHyNFR.exe
  C:\Windows\System\szHyNFR.exe
  2⤵
  PID:11288
- C:\Windows\System\xyEPoRp.exe
  C:\Windows\System\xyEPoRp.exe
  2⤵
  PID:11328
- C:\Windows\System\rlpVHmg.exe
  C:\Windows\System\rlpVHmg.exe
  2⤵
  PID:11348
- C:\Windows\System\HyiYKqu.exe
  C:\Windows\System\HyiYKqu.exe
  2⤵
  PID:11372
- C:\Windows\System\viBxvqL.exe
  C:\Windows\System\viBxvqL.exe
  2⤵
  PID:11396
- C:\Windows\System\PqcvCKi.exe
  C:\Windows\System\PqcvCKi.exe
  2⤵
  PID:11440
- C:\Windows\System\ZHnJkiM.exe
  C:\Windows\System\ZHnJkiM.exe
  2⤵
  PID:11468
- C:\Windows\System\OsSEKhN.exe
  C:\Windows\System\OsSEKhN.exe
  2⤵
  PID:11488
- C:\Windows\System\IAzwnux.exe
  C:\Windows\System\IAzwnux.exe
  2⤵
  PID:11512
- C:\Windows\System\hUKPFad.exe
  C:\Windows\System\hUKPFad.exe
  2⤵
  PID:11532
- C:\Windows\System\lNIrymM.exe
  C:\Windows\System\lNIrymM.exe
  2⤵
  PID:11560
- C:\Windows\System\vOXZDTd.exe
  C:\Windows\System\vOXZDTd.exe
  2⤵
  PID:11588
- C:\Windows\System\cuQjyCz.exe
  C:\Windows\System\cuQjyCz.exe
  2⤵
  PID:11608
- C:\Windows\System\KOxWHke.exe
  C:\Windows\System\KOxWHke.exe
  2⤵
  PID:11644
- C:\Windows\System\gwwlvPs.exe
  C:\Windows\System\gwwlvPs.exe
  2⤵
  PID:11668
- C:\Windows\System\vsXjRUq.exe
  C:\Windows\System\vsXjRUq.exe
  2⤵
  PID:11696
- C:\Windows\System\HJmSTds.exe
  C:\Windows\System\HJmSTds.exe
  2⤵
  PID:11728
- C:\Windows\System\knPAJaC.exe
  C:\Windows\System\knPAJaC.exe
  2⤵
  PID:11760
- C:\Windows\System\gotymXV.exe
  C:\Windows\System\gotymXV.exe
  2⤵
  PID:11804
- C:\Windows\System\LKNOPJl.exe
  C:\Windows\System\LKNOPJl.exe
  2⤵
  PID:11824
- C:\Windows\System\UNzOCuk.exe
  C:\Windows\System\UNzOCuk.exe
  2⤵
  PID:11860
- C:\Windows\System\etyECms.exe
  C:\Windows\System\etyECms.exe
  2⤵
  PID:11920
- C:\Windows\System\MWQiIip.exe
  C:\Windows\System\MWQiIip.exe
  2⤵
  PID:11936
- C:\Windows\System\YOtmaXc.exe
  C:\Windows\System\YOtmaXc.exe
  2⤵
  PID:11964
- C:\Windows\System\XtrSyTd.exe
  C:\Windows\System\XtrSyTd.exe
  2⤵
  PID:11984
- C:\Windows\System\JnYYfHX.exe
  C:\Windows\System\JnYYfHX.exe
  2⤵
  PID:12016
- C:\Windows\System\ltMPusZ.exe
  C:\Windows\System\ltMPusZ.exe
  2⤵
  PID:12056
- C:\Windows\System\URzBQJe.exe
  C:\Windows\System\URzBQJe.exe
  2⤵
  PID:12072
- C:\Windows\System\CtcSYnc.exe
  C:\Windows\System\CtcSYnc.exe
  2⤵
  PID:12100
- C:\Windows\System\PCItLZN.exe
  C:\Windows\System\PCItLZN.exe
  2⤵
  PID:12124
- C:\Windows\System\CxAgtUT.exe
  C:\Windows\System\CxAgtUT.exe
  2⤵
  PID:12148
- C:\Windows\System\urpKAiE.exe
  C:\Windows\System\urpKAiE.exe
  2⤵
  PID:12168
- C:\Windows\System\yhXIHvW.exe
  C:\Windows\System\yhXIHvW.exe
  2⤵
  PID:12216
- C:\Windows\System\XiaaaPO.exe
  C:\Windows\System\XiaaaPO.exe
  2⤵
  PID:12240
- C:\Windows\System\VEJqJsF.exe
  C:\Windows\System\VEJqJsF.exe
  2⤵
  PID:12260
- C:\Windows\System\CXXISzf.exe
  C:\Windows\System\CXXISzf.exe
  2⤵
  PID:10748
- C:\Windows\System\JckbtpJ.exe
  C:\Windows\System\JckbtpJ.exe
  2⤵
  PID:11324
- C:\Windows\System\fdrPKdW.exe
  C:\Windows\System\fdrPKdW.exe
  2⤵
  PID:11392
- C:\Windows\System\MgkGGjF.exe
  C:\Windows\System\MgkGGjF.exe
  2⤵
  PID:11428
- C:\Windows\System\pbQgyBl.exe
  C:\Windows\System\pbQgyBl.exe
  2⤵
  PID:11496
- C:\Windows\System\bSuksmz.exe
  C:\Windows\System\bSuksmz.exe
  2⤵
  PID:11556
- C:\Windows\System\xAcAxCC.exe
  C:\Windows\System\xAcAxCC.exe
  2⤵
  PID:11584
- C:\Windows\System\kgkCCOS.exe
  C:\Windows\System\kgkCCOS.exe
  2⤵
  PID:11708
- C:\Windows\System\OABfZvt.exe
  C:\Windows\System\OABfZvt.exe
  2⤵
  PID:11832
- C:\Windows\System\cQddQIY.exe
  C:\Windows\System\cQddQIY.exe
  2⤵
  PID:11848
- C:\Windows\System\bJRojbi.exe
  C:\Windows\System\bJRojbi.exe
  2⤵
  PID:11932
- C:\Windows\System\UvcSjvG.exe
  C:\Windows\System\UvcSjvG.exe
  2⤵
  PID:11980
- C:\Windows\System\vZpcRSO.exe
  C:\Windows\System\vZpcRSO.exe
  2⤵
  PID:12088
- C:\Windows\System\tgQmawq.exe
  C:\Windows\System\tgQmawq.exe
  2⤵
  PID:12156
- C:\Windows\System\ldHaTGr.exe
  C:\Windows\System\ldHaTGr.exe
  2⤵
  PID:12192
- C:\Windows\System\PKBTNhi.exe
  C:\Windows\System\PKBTNhi.exe
  2⤵
  PID:11308
- C:\Windows\System\uPssddQ.exe
  C:\Windows\System\uPssddQ.exe
  2⤵
  PID:11344
- C:\Windows\System\MTojPET.exe
  C:\Windows\System\MTojPET.exe
  2⤵
  PID:11572
- C:\Windows\System\irqvUAY.exe
  C:\Windows\System\irqvUAY.exe
  2⤵
  PID:11528
- C:\Windows\System\PJCzuJv.exe
  C:\Windows\System\PJCzuJv.exe
  2⤵
  PID:11820
- C:\Windows\System\obkndkl.exe
  C:\Windows\System\obkndkl.exe
  2⤵
  PID:12092
- C:\Windows\System\XOliHDc.exe
  C:\Windows\System\XOliHDc.exe
  2⤵
  PID:12116
- C:\Windows\System\LnHGXfQ.exe
  C:\Windows\System\LnHGXfQ.exe
  2⤵
  PID:12268
- C:\Windows\System\HWFrrZd.exe
  C:\Windows\System\HWFrrZd.exe
  2⤵
  PID:11660
- C:\Windows\System\evqUOZy.exe
  C:\Windows\System\evqUOZy.exe
  2⤵
  PID:12064
- C:\Windows\System\KGNQARP.exe
  C:\Windows\System\KGNQARP.exe
  2⤵
  PID:11800
- C:\Windows\System\KQqlOLa.exe
  C:\Windows\System\KQqlOLa.exe
  2⤵
  PID:12292
- C:\Windows\System\DdeIHLW.exe
  C:\Windows\System\DdeIHLW.exe
  2⤵
  PID:12320
- C:\Windows\System\IzhqOTp.exe
  C:\Windows\System\IzhqOTp.exe
  2⤵
  PID:12360
- C:\Windows\System\VZsvtAu.exe
  C:\Windows\System\VZsvtAu.exe
  2⤵
  PID:12388
- C:\Windows\System\rBSGHBK.exe
  C:\Windows\System\rBSGHBK.exe
  2⤵
  PID:12404
- C:\Windows\System\zCsisVY.exe
  C:\Windows\System\zCsisVY.exe
  2⤵
  PID:12444
- C:\Windows\System\mMGEusQ.exe
  C:\Windows\System\mMGEusQ.exe
  2⤵
  PID:12460
- C:\Windows\System\bmPgpUG.exe
  C:\Windows\System\bmPgpUG.exe
  2⤵
  PID:12488
- C:\Windows\System\TNiukph.exe
  C:\Windows\System\TNiukph.exe
  2⤵
  PID:12508
- C:\Windows\System\BYfKYDK.exe
  C:\Windows\System\BYfKYDK.exe
  2⤵
  PID:12544
- C:\Windows\System\DNajEAk.exe
  C:\Windows\System\DNajEAk.exe
  2⤵
  PID:12560
- C:\Windows\System\BUkCgaJ.exe
  C:\Windows\System\BUkCgaJ.exe
  2⤵
  PID:12604
- C:\Windows\System\RzSBzuX.exe
  C:\Windows\System\RzSBzuX.exe
  2⤵
  PID:12628
- C:\Windows\System\YCXqWoQ.exe
  C:\Windows\System\YCXqWoQ.exe
  2⤵
  PID:12656
- C:\Windows\System\RvOwXEy.exe
  C:\Windows\System\RvOwXEy.exe
  2⤵
  PID:12676
- C:\Windows\System\tKEPiLz.exe
  C:\Windows\System\tKEPiLz.exe
  2⤵
  PID:12724
- C:\Windows\System\PMIpsmw.exe
  C:\Windows\System\PMIpsmw.exe
  2⤵
  PID:12752
- C:\Windows\System\lEBdBTb.exe
  C:\Windows\System\lEBdBTb.exe
  2⤵
  PID:12780
- C:\Windows\System\vuIMfQh.exe
  C:\Windows\System\vuIMfQh.exe
  2⤵
  PID:12804
- C:\Windows\System\Kipxivq.exe
  C:\Windows\System\Kipxivq.exe
  2⤵
  PID:12824
- C:\Windows\System\bxqtfEW.exe
  C:\Windows\System\bxqtfEW.exe
  2⤵
  PID:12848
- C:\Windows\System\HWikzFe.exe
  C:\Windows\System\HWikzFe.exe
  2⤵
  PID:12884
- C:\Windows\System\MdfKsgE.exe
  C:\Windows\System\MdfKsgE.exe
  2⤵
  PID:12904
- C:\Windows\System\qOupkxq.exe
  C:\Windows\System\qOupkxq.exe
  2⤵
  PID:12932
- C:\Windows\System\ITICiMF.exe
  C:\Windows\System\ITICiMF.exe
  2⤵
  PID:12960
- C:\Windows\System\BltFfCf.exe
  C:\Windows\System\BltFfCf.exe
  2⤵
  PID:12988
- C:\Windows\System\RoBUzqd.exe
  C:\Windows\System\RoBUzqd.exe
  2⤵
  PID:13012
- C:\Windows\System\OILYPEu.exe
  C:\Windows\System\OILYPEu.exe
  2⤵
  PID:13036
- C:\Windows\System\oLMnERj.exe
  C:\Windows\System\oLMnERj.exe
  2⤵
  PID:13056
- C:\Windows\System\lLhfmSI.exe
  C:\Windows\System\lLhfmSI.exe
  2⤵
  PID:13096
- C:\Windows\System\xzWxyMN.exe
  C:\Windows\System\xzWxyMN.exe
  2⤵
  PID:13148
- C:\Windows\System\ROiXFXN.exe
  C:\Windows\System\ROiXFXN.exe
  2⤵
  PID:13176
- C:\Windows\System\CqlCxuQ.exe
  C:\Windows\System\CqlCxuQ.exe
  2⤵
  PID:13204
- C:\Windows\System\WmYkdCn.exe
  C:\Windows\System\WmYkdCn.exe
  2⤵
  PID:13232
- C:\Windows\System\XtPLybT.exe
  C:\Windows\System\XtPLybT.exe
  2⤵
  PID:13248
- C:\Windows\System\lcOghjB.exe
  C:\Windows\System\lcOghjB.exe
  2⤵
  PID:13280
- C:\Windows\System\VgoCtbT.exe
  C:\Windows\System\VgoCtbT.exe
  2⤵
  PID:13304
- C:\Windows\System\civgpyN.exe
  C:\Windows\System\civgpyN.exe
  2⤵
  PID:12308
- C:\Windows\System\sIiGOlW.exe
  C:\Windows\System\sIiGOlW.exe
  2⤵
  PID:12372
- C:\Windows\System\JlGYIXJ.exe
  C:\Windows\System\JlGYIXJ.exe
  2⤵
  PID:12440
- C:\Windows\System\jgugdtn.exe
  C:\Windows\System\jgugdtn.exe
  2⤵
  PID:12496
- C:\Windows\System\LgUhSYQ.exe
  C:\Windows\System\LgUhSYQ.exe
  2⤵
  PID:12580
- C:\Windows\System\tTXAAnQ.exe
  C:\Windows\System\tTXAAnQ.exe
  2⤵
  PID:12616
- C:\Windows\System\bhbLUCo.exe
  C:\Windows\System\bhbLUCo.exe
  2⤵
  PID:12712
- C:\Windows\System\WMpxdMa.exe
  C:\Windows\System\WMpxdMa.exe
  2⤵
  PID:12764
- C:\Windows\System\WacALoH.exe
  C:\Windows\System\WacALoH.exe
  2⤵
  PID:12836
- C:\Windows\System\ROdxzGA.exe
  C:\Windows\System\ROdxzGA.exe
  2⤵
  PID:12916
- C:\Windows\System\HVsNDsz.exe
  C:\Windows\System\HVsNDsz.exe
  2⤵
  PID:12972
- C:\Windows\System\jpmQHIU.exe
  C:\Windows\System\jpmQHIU.exe
  2⤵
  PID:13020
- C:\Windows\System\WDPZymv.exe
  C:\Windows\System\WDPZymv.exe
  2⤵
  PID:13068
- C:\Windows\System\PKeDcin.exe
  C:\Windows\System\PKeDcin.exe
  2⤵
  PID:13144
- C:\Windows\System\JylVcgm.exe
  C:\Windows\System\JylVcgm.exe
  2⤵
  PID:13240
- C:\Windows\System\PCGAmdD.exe
  C:\Windows\System\PCGAmdD.exe
  2⤵
  PID:13292
- C:\Windows\System\cGUVJOq.exe
  C:\Windows\System\cGUVJOq.exe
  2⤵
  PID:12348
- C:\Windows\System\KQeZaAM.exe
  C:\Windows\System\KQeZaAM.exe
  2⤵
  PID:12504
- C:\Windows\System\dUcIeYX.exe
  C:\Windows\System\dUcIeYX.exe
  2⤵
  PID:12644
- C:\Windows\System\FZIGVDb.exe
  C:\Windows\System\FZIGVDb.exe
  2⤵
  PID:12788
- C:\Windows\System\DnLLVCV.exe
  C:\Windows\System\DnLLVCV.exe
  2⤵
  PID:12952
- C:\Windows\System\IuvyhuG.exe
  C:\Windows\System\IuvyhuG.exe
  2⤵
  PID:13088
- C:\Windows\System\RNYNRHm.exe
  C:\Windows\System\RNYNRHm.exe
  2⤵
  PID:13272
- C:\Windows\System\IAgQpTz.exe
  C:\Windows\System\IAgQpTz.exe
  2⤵
  PID:12800
- C:\Windows\System\zEOlAYj.exe
  C:\Windows\System\zEOlAYj.exe
  2⤵
  PID:12176
- C:\Windows\System\RxaLCaT.exe
  C:\Windows\System\RxaLCaT.exe
  2⤵
  PID:13052
- C:\Windows\System\jtzlMcc.exe
  C:\Windows\System\jtzlMcc.exe
  2⤵
  PID:12820
- C:\Windows\System\weRWvid.exe
  C:\Windows\System\weRWvid.exe
  2⤵
  PID:13332
- C:\Windows\System\MndwZvp.exe
  C:\Windows\System\MndwZvp.exe
  2⤵
  PID:13360
- C:\Windows\System\RtrFRtq.exe
  C:\Windows\System\RtrFRtq.exe
  2⤵
  PID:13392
- C:\Windows\System\RphLlRc.exe
  C:\Windows\System\RphLlRc.exe
  2⤵
  PID:13428
- C:\Windows\System\sqsMHtw.exe
  C:\Windows\System\sqsMHtw.exe
  2⤵
  PID:13464
- C:\Windows\System\cGkQffM.exe
  C:\Windows\System\cGkQffM.exe
  2⤵
  PID:13492
- C:\Windows\System\bjcqLiz.exe
  C:\Windows\System\bjcqLiz.exe
  2⤵
  PID:13536
- C:\Windows\System\TyesqTv.exe
  C:\Windows\System\TyesqTv.exe
  2⤵
  PID:13564
- C:\Windows\System\GsuORZM.exe
  C:\Windows\System\GsuORZM.exe
  2⤵
  PID:13588
- C:\Windows\System\zHuuwxW.exe
  C:\Windows\System\zHuuwxW.exe
  2⤵
  PID:13608
- C:\Windows\System\xDTTBZi.exe
  C:\Windows\System\xDTTBZi.exe
  2⤵
  PID:13632
- C:\Windows\System\flQnxxW.exe
  C:\Windows\System\flQnxxW.exe
  2⤵
  PID:13664
- C:\Windows\System\TPZmmpZ.exe
  C:\Windows\System\TPZmmpZ.exe
  2⤵
  PID:13688
- C:\Windows\System\nzPjtef.exe
  C:\Windows\System\nzPjtef.exe
  2⤵
  PID:13716
- C:\Windows\System\FVERAZH.exe
  C:\Windows\System\FVERAZH.exe
  2⤵
  PID:13736
- C:\Windows\System\VNybIWr.exe
  C:\Windows\System\VNybIWr.exe
  2⤵
  PID:13752
- C:\Windows\System\pdXJgZC.exe
  C:\Windows\System\pdXJgZC.exe
  2⤵
  PID:13784
- C:\Windows\System\XJFDDna.exe
  C:\Windows\System\XJFDDna.exe
  2⤵
  PID:13804
- C:\Windows\System\zutdokn.exe
  C:\Windows\System\zutdokn.exe
  2⤵
  PID:13824
- C:\Windows\System\jFIImFY.exe
  C:\Windows\System\jFIImFY.exe
  2⤵
  PID:13856
- C:\Windows\System\cUxIqXv.exe
  C:\Windows\System\cUxIqXv.exe
  2⤵
  PID:13884
- C:\Windows\System\SgsHjwy.exe
  C:\Windows\System\SgsHjwy.exe
  2⤵
  PID:13900
- C:\Windows\System\kkxEFqh.exe
  C:\Windows\System\kkxEFqh.exe
  2⤵
  PID:13924
- C:\Windows\System\nHDZtaI.exe
  C:\Windows\System\nHDZtaI.exe
  2⤵
  PID:13956
- C:\Windows\System\vlGoEpd.exe
  C:\Windows\System\vlGoEpd.exe
  2⤵
  PID:13980
- C:\Windows\System\kWNuqHp.exe
  C:\Windows\System\kWNuqHp.exe
  2⤵
  PID:14004
- C:\Windows\System\HZefiAe.exe
  C:\Windows\System\HZefiAe.exe
  2⤵
  PID:14024
- C:\Windows\System\QWSYpcw.exe
  C:\Windows\System\QWSYpcw.exe
  2⤵
  PID:14048
- C:\Windows\System\qFTsgCY.exe
  C:\Windows\System\qFTsgCY.exe
  2⤵
  PID:14064
- C:\Windows\System\sxDHUGv.exe
  C:\Windows\System\sxDHUGv.exe
  2⤵
  PID:14088
- C:\Windows\System\hDXiFHR.exe
  C:\Windows\System\hDXiFHR.exe
  2⤵
  PID:14116
- C:\Windows\System\owKZkAk.exe
  C:\Windows\System\owKZkAk.exe
  2⤵
  PID:14132
- C:\Windows\System\OuvjxgG.exe
  C:\Windows\System\OuvjxgG.exe
  2⤵
  PID:14156
- C:\Windows\System\IcIvNch.exe
  C:\Windows\System\IcIvNch.exe
  2⤵
  PID:14176
- C:\Windows\System\pjCYWxm.exe
  C:\Windows\System\pjCYWxm.exe
  2⤵
  PID:14204
- C:\Windows\System\dsIMbjK.exe
  C:\Windows\System\dsIMbjK.exe
  2⤵
  PID:14220
- C:\Windows\System\gwBZFmB.exe
  C:\Windows\System\gwBZFmB.exe
  2⤵
  PID:14240
- C:\Windows\System\XshGymk.exe
  C:\Windows\System\XshGymk.exe
  2⤵
  PID:14272
- C:\Windows\System\sGUOXPF.exe
  C:\Windows\System\sGUOXPF.exe
  2⤵
  PID:14288
- C:\Windows\System\SgWKebg.exe
  C:\Windows\System\SgWKebg.exe
  2⤵
  PID:14316
- C:\Windows\System\qXWHbST.exe
  C:\Windows\System\qXWHbST.exe
  2⤵
  PID:13000
- C:\Windows\System\cOGKeVk.exe
  C:\Windows\System\cOGKeVk.exe
  2⤵
  PID:13340
- C:\Windows\System\wKqEjXi.exe
  C:\Windows\System\wKqEjXi.exe
  2⤵
  PID:13420
- C:\Windows\System\hxnZlZh.exe
  C:\Windows\System\hxnZlZh.exe
  2⤵
  PID:13456
- C:\Windows\System\tlKleJI.exe
  C:\Windows\System\tlKleJI.exe
  2⤵
  PID:13532
- C:\Windows\System\RvNjnPs.exe
  C:\Windows\System\RvNjnPs.exe
  2⤵
  PID:13584
- C:\Windows\System\bhtVOVc.exe
  C:\Windows\System\bhtVOVc.exe
  2⤵
  PID:13652
- C:\Windows\System\NaZZEVG.exe
  C:\Windows\System\NaZZEVG.exe
  2⤵
  PID:13700
- C:\Windows\System\eFcRaaR.exe
  C:\Windows\System\eFcRaaR.exe
  2⤵
  PID:13744
- C:\Windows\System\WhUOOAp.exe
  C:\Windows\System\WhUOOAp.exe
  2⤵
  PID:13832
- C:\Windows\System\QDBnKvb.exe
  C:\Windows\System\QDBnKvb.exe
  2⤵
  PID:13920
- C:\Windows\System\XSdLSfb.exe
  C:\Windows\System\XSdLSfb.exe
  2⤵
  PID:13892
- C:\Windows\System\PQwtdzF.exe
  C:\Windows\System\PQwtdzF.exe
  2⤵
  PID:14012
- C:\Windows\System\wyFgTEC.exe
  C:\Windows\System\wyFgTEC.exe
  2⤵
  PID:13952
- C:\Windows\System\dSDNHeV.exe
  C:\Windows\System\dSDNHeV.exe
  2⤵
  PID:14020
- C:\Windows\System\HRpeHuh.exe
  C:\Windows\System\HRpeHuh.exe
  2⤵
  PID:14108
- C:\Windows\System\cDvHQYE.exe
  C:\Windows\System\cDvHQYE.exe
  2⤵
  PID:14248
- C:\Windows\System\kbzituA.exe
  C:\Windows\System\kbzituA.exe
  2⤵
  PID:14072
- C:\Windows\System\IRitDiX.exe
  C:\Windows\System\IRitDiX.exe
  2⤵
  PID:14332
- C:\Windows\System\iRXbTkR.exe
  C:\Windows\System\iRXbTkR.exe
  2⤵
  PID:14280
- C:\Windows\System\rTJIISG.exe
  C:\Windows\System\rTJIISG.exe
  2⤵
  PID:13708
- C:\Windows\System\uaMICBD.exe
  C:\Windows\System\uaMICBD.exe
  2⤵
  PID:13796
- C:\Windows\System\CiBELXC.exe
  C:\Windows\System\CiBELXC.exe
  2⤵
  PID:13628
- C:\Windows\System\TQNHuQf.exe
  C:\Windows\System\TQNHuQf.exe
  2⤵
  PID:13868
- C:\Windows\System\JfJAfjL.exe
  C:\Windows\System\JfJAfjL.exe
  2⤵
  PID:12880
- C:\Windows\System\TaiGyvN.exe
  C:\Windows\System\TaiGyvN.exe
  2⤵
  PID:14360
- C:\Windows\System\jXPxDAC.exe
  C:\Windows\System\jXPxDAC.exe
  2⤵
  PID:14384
- C:\Windows\System\aqYGBLD.exe
  C:\Windows\System\aqYGBLD.exe
  2⤵
  PID:14408
- C:\Windows\System\GRBQPkf.exe
  C:\Windows\System\GRBQPkf.exe
  2⤵
  PID:14440
- C:\Windows\System\QRRmUyW.exe
  C:\Windows\System\QRRmUyW.exe
  2⤵
  PID:14468
- C:\Windows\System\WgKQTLY.exe
  C:\Windows\System\WgKQTLY.exe
  2⤵
  PID:14496
- C:\Windows\System\wePohQo.exe
  C:\Windows\System\wePohQo.exe
  2⤵
  PID:14528
- C:\Windows\System\OHiWYYl.exe
  C:\Windows\System\OHiWYYl.exe
  2⤵
  PID:14552
- C:\Windows\System\zQJwASm.exe
  C:\Windows\System\zQJwASm.exe
  2⤵
  PID:14572
- C:\Windows\System\zHxzrjb.exe
  C:\Windows\System\zHxzrjb.exe
  2⤵
  PID:14608
- C:\Windows\System\coTjlVk.exe
  C:\Windows\System\coTjlVk.exe
  2⤵
  PID:14632
- C:\Windows\System\EVMxAEF.exe
  C:\Windows\System\EVMxAEF.exe
  2⤵
  PID:14652
- C:\Windows\System\iAJAVLC.exe
  C:\Windows\System\iAJAVLC.exe
  2⤵
  PID:14680
- C:\Windows\System\npkJRGu.exe
  C:\Windows\System\npkJRGu.exe
  2⤵
  PID:14704
- C:\Windows\System\SYVkAyl.exe
  C:\Windows\System\SYVkAyl.exe
  2⤵
  PID:14732
- C:\Windows\System\DXDmibr.exe
  C:\Windows\System\DXDmibr.exe
  2⤵
  PID:14748
- C:\Windows\System\MgQHxXj.exe
  C:\Windows\System\MgQHxXj.exe
  2⤵
  PID:14776
- C:\Windows\System\YPgPLHZ.exe
  C:\Windows\System\YPgPLHZ.exe
  2⤵
  PID:14800
- C:\Windows\System\hethmao.exe
  C:\Windows\System\hethmao.exe
  2⤵
  PID:14824
- C:\Windows\System\HVGOppp.exe
  C:\Windows\System\HVGOppp.exe
  2⤵
  PID:14844
- C:\Windows\System\YdPWYqq.exe
  C:\Windows\System\YdPWYqq.exe
  2⤵
  PID:14864
- C:\Windows\System\RKZyHsf.exe
  C:\Windows\System\RKZyHsf.exe
  2⤵
  PID:14896
- C:\Windows\System\RUNFHMM.exe
  C:\Windows\System\RUNFHMM.exe
  2⤵
  PID:14924
- C:\Windows\System\KrGbdOU.exe
  C:\Windows\System\KrGbdOU.exe
  2⤵
  PID:14952
- C:\Windows\System\FJMyRHl.exe
  C:\Windows\System\FJMyRHl.exe
  2⤵
  PID:14972
- C:\Windows\System\BeILTSH.exe
  C:\Windows\System\BeILTSH.exe
  2⤵
  PID:14992
- C:\Windows\System\fJAPPwH.exe
  C:\Windows\System\fJAPPwH.exe
  2⤵
  PID:15020
- C:\Windows\System\SsRUpmG.exe
  C:\Windows\System\SsRUpmG.exe
  2⤵
  PID:15052
- C:\Windows\System\MnxFQka.exe
  C:\Windows\System\MnxFQka.exe
  2⤵
  PID:15068
- C:\Windows\System\bgYDktG.exe
  C:\Windows\System\bgYDktG.exe
  2⤵
  PID:15096
- C:\Windows\System\KUEzdLj.exe
  C:\Windows\System\KUEzdLj.exe
  2⤵
  PID:15124
- C:\Windows\System\uxxBbPg.exe
  C:\Windows\System\uxxBbPg.exe
  2⤵
  PID:15144
- C:\Windows\System\ZUnsxKn.exe
  C:\Windows\System\ZUnsxKn.exe
  2⤵
  PID:15168
- C:\Windows\System\bMuiMhj.exe
  C:\Windows\System\bMuiMhj.exe
  2⤵
  PID:15188
- C:\Windows\System\UudBdmw.exe
  C:\Windows\System\UudBdmw.exe
  2⤵
  PID:15224
- C:\Windows\System\ypiqBpR.exe
  C:\Windows\System\ypiqBpR.exe
  2⤵
  PID:15248
- C:\Windows\System\NNBoegi.exe
  C:\Windows\System\NNBoegi.exe
  2⤵
  PID:15268
- C:\Windows\System\KiZsToS.exe
  C:\Windows\System\KiZsToS.exe
  2⤵
  PID:15296
- C:\Windows\System\KUDdiRa.exe
  C:\Windows\System\KUDdiRa.exe
  2⤵
  PID:15316
- C:\Windows\System\qmTKnmO.exe
  C:\Windows\System\qmTKnmO.exe
  2⤵
  PID:15332
- C:\Windows\System\MFEuKiF.exe
  C:\Windows\System\MFEuKiF.exe
  2⤵
  PID:13872
- C:\Windows\System\sAfxVAj.exe
  C:\Windows\System\sAfxVAj.exe
  2⤵
  PID:13572
- C:\Windows\System\BGKuegw.exe
  C:\Windows\System\BGKuegw.exe
  2⤵
  PID:14056
- C:\Windows\System\CUyMCRO.exe
  C:\Windows\System\CUyMCRO.exe
  2⤵
  PID:14396
- C:\Windows\System\ILzaUhA.exe
  C:\Windows\System\ILzaUhA.exe
  2⤵
  PID:14312
- C:\Windows\System\SBvhYAi.exe
  C:\Windows\System\SBvhYAi.exe
  2⤵
  PID:13712
- C:\Windows\System\kTuLswQ.exe
  C:\Windows\System\kTuLswQ.exe
  2⤵
  PID:14040
- C:\Windows\System\GobCfvC.exe
  C:\Windows\System\GobCfvC.exe
  2⤵
  PID:14344
- C:\Windows\System\EhhymVM.exe
  C:\Windows\System\EhhymVM.exe
  2⤵
  PID:14308
- C:\Windows\System\UfYXmeC.exe
  C:\Windows\System\UfYXmeC.exe
  2⤵
  PID:14504
- C:\Windows\System\vrYTMuR.exe
  C:\Windows\System\vrYTMuR.exe
  2⤵
  PID:14540
- C:\Windows\System\iIVovRU.exe
  C:\Windows\System\iIVovRU.exe
  2⤵
  PID:14352
- C:\Windows\System\xJPgUgh.exe
  C:\Windows\System\xJPgUgh.exe
  2⤵
  PID:14872
- C:\Windows\System\OifjlsD.exe
  C:\Windows\System\OifjlsD.exe
  2⤵
  PID:14568
- C:\Windows\System\dRTlPFL.exe
  C:\Windows\System\dRTlPFL.exe
  2⤵
  PID:14884
- C:\Windows\System\vhYAJTJ.exe
  C:\Windows\System\vhYAJTJ.exe
  2⤵
  PID:14728
- C:\Windows\System\gpdzMtJ.exe
  C:\Windows\System\gpdzMtJ.exe
  2⤵
  PID:14764
- C:\Windows\System\rnLVbUe.exe
  C:\Windows\System\rnLVbUe.exe
  2⤵
  PID:14812
- C:\Windows\System\kzoYlrV.exe
  C:\Windows\System\kzoYlrV.exe
  2⤵
  PID:15108
- C:\Windows\System\vPUInUP.exe
  C:\Windows\System\vPUInUP.exe
  2⤵
  PID:14936
- C:\Windows\System\XcPcDUr.exe
  C:\Windows\System\XcPcDUr.exe
  2⤵
  PID:15244
- C:\Windows\System\MkXYAHB.exe
  C:\Windows\System\MkXYAHB.exe
  2⤵
  PID:15388
- C:\Windows\System\sHdlSJa.exe
  C:\Windows\System\sHdlSJa.exe
  2⤵
  PID:15420
- C:\Windows\System\nYXnkBs.exe
  C:\Windows\System\nYXnkBs.exe
  2⤵
  PID:15456
- C:\Windows\System\RPeatqT.exe
  C:\Windows\System\RPeatqT.exe
  2⤵
  PID:15472
- C:\Windows\System\gskluMh.exe
  C:\Windows\System\gskluMh.exe
  2⤵
  PID:15500
- C:\Windows\System\etHbFUb.exe
  C:\Windows\System\etHbFUb.exe
  2⤵
  PID:15524
- C:\Windows\System\DNBTTDf.exe
  C:\Windows\System\DNBTTDf.exe
  2⤵
  PID:15544
- C:\Windows\System\tMsdDGs.exe
  C:\Windows\System\tMsdDGs.exe
  2⤵
  PID:15564
- C:\Windows\System\sfHscoN.exe
  C:\Windows\System\sfHscoN.exe
  2⤵
  PID:15584
- C:\Windows\System\xyINOuU.exe
  C:\Windows\System\xyINOuU.exe
  2⤵
  PID:15616
- C:\Windows\System\axUwYYi.exe
  C:\Windows\System\axUwYYi.exe
  2⤵
  PID:15636
- C:\Windows\System\OiqRVCA.exe
  C:\Windows\System\OiqRVCA.exe
  2⤵
  PID:15656
- C:\Windows\System\FYINEPY.exe
  C:\Windows\System\FYINEPY.exe
  2⤵
  PID:15680
- C:\Windows\System\bAShSjo.exe
  C:\Windows\System\bAShSjo.exe
  2⤵
  PID:15708
- C:\Windows\System\GNxzXyi.exe
  C:\Windows\System\GNxzXyi.exe
  2⤵
  PID:15736
- C:\Windows\System\xoXpwRH.exe
  C:\Windows\System\xoXpwRH.exe
  2⤵
  PID:15760
- C:\Windows\System\XOsUNKe.exe
  C:\Windows\System\XOsUNKe.exe
  2⤵
  PID:15788
- C:\Windows\System\HbVifwe.exe
  C:\Windows\System\HbVifwe.exe
  2⤵
  PID:15820
- C:\Windows\System\YMhEuOu.exe
  C:\Windows\System\YMhEuOu.exe
  2⤵
  PID:15844
- C:\Windows\System\jkyaDGM.exe
  C:\Windows\System\jkyaDGM.exe
  2⤵
  PID:15952
- C:\Windows\System\RfAifPW.exe
  C:\Windows\System\RfAifPW.exe
  2⤵
  PID:15968
- C:\Windows\System\PAeRbvo.exe
  C:\Windows\System\PAeRbvo.exe
  2⤵
  PID:15984
- C:\Windows\System\wczLcTA.exe
  C:\Windows\System\wczLcTA.exe
  2⤵
  PID:16000
- C:\Windows\System\DyoGfdx.exe
  C:\Windows\System\DyoGfdx.exe
  2⤵
  PID:16024
- C:\Windows\System\tFJlouu.exe
  C:\Windows\System\tFJlouu.exe
  2⤵
  PID:16048
- C:\Windows\System\jgMyjIz.exe
  C:\Windows\System\jgMyjIz.exe
  2⤵
  PID:16080
- C:\Windows\System\JsPuzuv.exe
  C:\Windows\System\JsPuzuv.exe
  2⤵
  PID:16120
- C:\Windows\System\kZydYai.exe
  C:\Windows\System\kZydYai.exe
  2⤵
  PID:16144
- C:\Windows\System\jCXofva.exe
  C:\Windows\System\jCXofva.exe
  2⤵
  PID:16164
- C:\Windows\System\JyVdtkE.exe
  C:\Windows\System\JyVdtkE.exe
  2⤵
  PID:16188
- C:\Windows\System\sqmLpnV.exe
  C:\Windows\System\sqmLpnV.exe
  2⤵
  PID:16220
- C:\Windows\System\VwBaKLH.exe
  C:\Windows\System\VwBaKLH.exe
  2⤵
  PID:16256
- C:\Windows\System\XjbmqzQ.exe
  C:\Windows\System\XjbmqzQ.exe
  2⤵
  PID:14488
- C:\Windows\System\xZeuYny.exe
  C:\Windows\System\xZeuYny.exe
  2⤵
  PID:13604
- C:\Windows\System\GIxQcto.exe
  C:\Windows\System\GIxQcto.exe
  2⤵
  PID:15312
- C:\Windows\System\jyMoVrX.exe
  C:\Windows\System\jyMoVrX.exe
  2⤵
  PID:15748
- C:\Windows\System\EtMNgyz.exe
  C:\Windows\System\EtMNgyz.exe
  2⤵
  PID:15436
- C:\Windows\System\UOyCoBa.exe
  C:\Windows\System\UOyCoBa.exe
  2⤵
  PID:15464
- C:\Windows\System\akZrZMh.exe
  C:\Windows\System\akZrZMh.exe
  2⤵
  PID:15540
- C:\Windows\System\oiubYDQ.exe
  C:\Windows\System\oiubYDQ.exe
  2⤵
  PID:14904
- C:\Windows\System\rjGusJt.exe
  C:\Windows\System\rjGusJt.exe
  2⤵
  PID:15804
- C:\Windows\System\vXxkksM.exe
  C:\Windows\System\vXxkksM.exe
  2⤵
  PID:15440
- C:\Windows\System\DEJJFyk.exe
  C:\Windows\System\DEJJFyk.exe
  2⤵
  PID:15964
- C:\Windows\System\JqlwLeb.exe
  C:\Windows\System\JqlwLeb.exe
  2⤵
  PID:15496
- C:\Windows\System\grQnlzD.exe
  C:\Windows\System\grQnlzD.exe
  2⤵
  PID:15560
- C:\Windows\System\DVUOzeM.exe
  C:\Windows\System\DVUOzeM.exe
  2⤵
  PID:15604
- C:\Windows\System\WIJRXKi.exe
  C:\Windows\System\WIJRXKi.exe
  2⤵
  PID:15668
- C:\Windows\System\rHCuUzn.exe
  C:\Windows\System\rHCuUzn.exe
  2⤵
  PID:15696
- C:\Windows\System\nQNijqI.exe
  C:\Windows\System\nQNijqI.exe
  2⤵
  PID:16236
- C:\Windows\System\DTppFhZ.exe
  C:\Windows\System\DTppFhZ.exe
  2⤵
  PID:15960
- C:\Windows\System\qOrkuMd.exe
  C:\Windows\System\qOrkuMd.exe
  2⤵
  PID:15920
- C:\Windows\System\YOcEOKk.exe
  C:\Windows\System\YOcEOKk.exe
  2⤵
  PID:15996
- C:\Windows\System\NjFUgnk.exe
  C:\Windows\System\NjFUgnk.exe
  2⤵
  PID:16324
- C:\Windows\System\pSqSWJQ.exe
  C:\Windows\System\pSqSWJQ.exe
  2⤵
  PID:14836
- C:\Windows\System\GJFaWqr.exe
  C:\Windows\System\GJFaWqr.exe
  2⤵
  PID:14788
- C:\Windows\System\ukKAPSH.exe
  C:\Windows\System\ukKAPSH.exe
  2⤵
  PID:15612
- C:\Windows\System\EICgqmz.exe
  C:\Windows\System\EICgqmz.exe
  2⤵
  PID:14592
- C:\Windows\System\DRasoyo.exe
  C:\Windows\System\DRasoyo.exe
  2⤵
  PID:15084
- C:\Windows\System\WptSlnZ.exe
  C:\Windows\System\WptSlnZ.exe
  2⤵
  PID:15556
- C:\Windows\System\qwLrXFu.exe
  C:\Windows\System\qwLrXFu.exe
  2⤵
  PID:15624
- C:\Windows\System\IedOaLV.exe
  C:\Windows\System\IedOaLV.exe
  2⤵
  PID:16200
- C:\Windows\System\RipbbDK.exe
  C:\Windows\System\RipbbDK.exe
  2⤵
  PID:15976
- C:\Windows\System\yFLJhmJ.exe
  C:\Windows\System\yFLJhmJ.exe
  2⤵
  PID:16288
- C:\Windows\System\rhUEjoi.exe
  C:\Windows\System\rhUEjoi.exe
  2⤵
  PID:16388
- C:\Windows\System\NsIikbO.exe
  C:\Windows\System\NsIikbO.exe
  2⤵
  PID:16412
- C:\Windows\System\CFuRgBX.exe
  C:\Windows\System\CFuRgBX.exe
  2⤵
  PID:16432
- C:\Windows\System\RlBqPOU.exe
  C:\Windows\System\RlBqPOU.exe
  2⤵
  PID:16452
- C:\Windows\System\cWCZPtR.exe
  C:\Windows\System\cWCZPtR.exe
  2⤵
  PID:16480
- C:\Windows\System\qdaePir.exe
  C:\Windows\System\qdaePir.exe
  2⤵
  PID:16508
- C:\Windows\System\TWNjZxJ.exe
  C:\Windows\System\TWNjZxJ.exe
  2⤵
  PID:16532
- C:\Windows\System\OfwFbhQ.exe
  C:\Windows\System\OfwFbhQ.exe
  2⤵
  PID:16548
- C:\Windows\System\GHToQAR.exe
  C:\Windows\System\GHToQAR.exe
  2⤵
  PID:16572
- C:\Windows\System\vjPiwdw.exe
  C:\Windows\System\vjPiwdw.exe
  2⤵
  PID:16592
- C:\Windows\System\iALeBba.exe
  C:\Windows\System\iALeBba.exe
  2⤵
  PID:16612
- C:\Windows\System\PbryrBx.exe
  C:\Windows\System\PbryrBx.exe
  2⤵
  PID:16632
- C:\Windows\System\WxnllKD.exe
  C:\Windows\System\WxnllKD.exe
  2⤵
  PID:16648
- C:\Windows\System\DUcDPdb.exe
  C:\Windows\System\DUcDPdb.exe
  2⤵
  PID:16676
- C:\Windows\System\gKbyfSU.exe
  C:\Windows\System\gKbyfSU.exe
  2⤵
  PID:16700
- C:\Windows\System\eWuMaAQ.exe
  C:\Windows\System\eWuMaAQ.exe
  2⤵
  PID:16724
- C:\Windows\System\MIPYMks.exe
  C:\Windows\System\MIPYMks.exe
  2⤵
  PID:16748
- C:\Windows\System\GxEtWCj.exe
  C:\Windows\System\GxEtWCj.exe
  2⤵
  PID:16772
- C:\Windows\System\IhSkLQH.exe
  C:\Windows\System\IhSkLQH.exe
  2⤵
  PID:16796
- C:\Windows\System\KoAKkOp.exe
  C:\Windows\System\KoAKkOp.exe
  2⤵
  PID:16816
- C:\Windows\System\JfDsldn.exe
  C:\Windows\System\JfDsldn.exe
  2⤵
  PID:16836
- C:\Windows\System\ePtdKAd.exe
  C:\Windows\System\ePtdKAd.exe
  2⤵
  PID:16864
- C:\Windows\System\OYFvHEK.exe
  C:\Windows\System\OYFvHEK.exe
  2⤵
  PID:16892
- C:\Windows\System\EYXuroZ.exe
  C:\Windows\System\EYXuroZ.exe
  2⤵
  PID:16912
- C:\Windows\System\aHGPRhG.exe
  C:\Windows\System\aHGPRhG.exe
  2⤵
  PID:16936
- C:\Windows\System\nVMPigW.exe
  C:\Windows\System\nVMPigW.exe
  2⤵
  PID:16964
- C:\Windows\System\pMrkmqC.exe
  C:\Windows\System\pMrkmqC.exe
  2⤵
  PID:16988
- C:\Windows\System\RNaqbbA.exe
  C:\Windows\System\RNaqbbA.exe
  2⤵
  PID:17016
- C:\Windows\System\ZfzRjMH.exe
  C:\Windows\System\ZfzRjMH.exe
  2⤵
  PID:17316
- C:\Windows\System\AJBzYsb.exe
  C:\Windows\System\AJBzYsb.exe
  2⤵
  PID:17348
- C:\Windows\System\CjRvyCt.exe
  C:\Windows\System\CjRvyCt.exe
  2⤵
  PID:17364
- C:\Windows\System\sfJLaie.exe
  C:\Windows\System\sfJLaie.exe
  2⤵
  PID:17400
- C:\Windows\System\qJpkScO.exe
  C:\Windows\System\qJpkScO.exe
  2⤵
  PID:15596
- C:\Windows\System\rCMkIip.exe
  C:\Windows\System\rCMkIip.exe
  2⤵
  PID:16216
- C:\Windows\System\RlKMhZK.exe
  C:\Windows\System\RlKMhZK.exe
  2⤵
  PID:16280
- C:\Windows\System\bFNQIrG.exe
  C:\Windows\System\bFNQIrG.exe
  2⤵
  PID:16516
- C:\Windows\System\icaRaAK.exe
  C:\Windows\System\icaRaAK.exe
  2⤵
  PID:16668
- C:\Windows\System\jzvRqRR.exe
  C:\Windows\System\jzvRqRR.exe
  2⤵
  PID:16908
- C:\Windows\System\AkLXOFe.exe
  C:\Windows\System\AkLXOFe.exe
  2⤵
  PID:17192
- C:\Windows\System\XjKIfTF.exe
  C:\Windows\System\XjKIfTF.exe
  2⤵
  PID:17304
- C:\Windows\System\VYnjpoA.exe
  C:\Windows\System\VYnjpoA.exe
  2⤵
  PID:17312
- C:\Windows\System\tAYhAaq.exe
  C:\Windows\System\tAYhAaq.exe
  2⤵
  PID:17392
- C:\Windows\System\yqgkZpD.exe
  C:\Windows\System\yqgkZpD.exe
  2⤵
  PID:16448
- C:\Windows\System\fnHPinu.exe
  C:\Windows\System\fnHPinu.exe
  2⤵
  PID:16424
- C:\Windows\System\KBesDUK.exe
  C:\Windows\System\KBesDUK.exe
  2⤵
  PID:16780
- C:\Windows\System\mmGhEBC.exe
  C:\Windows\System\mmGhEBC.exe
  2⤵
  PID:16492
- C:\Windows\System\aPSatQI.exe
  C:\Windows\System\aPSatQI.exe
  2⤵
  PID:16856
- C:\Windows\System\LCxIVjr.exe
  C:\Windows\System\LCxIVjr.exe
  2⤵
  PID:16952
- C:\Windows\System\VDzENrr.exe
  C:\Windows\System\VDzENrr.exe
  2⤵
  PID:2244
- C:\Windows\System\tStfKZs.exe
  C:\Windows\System\tStfKZs.exe
  2⤵
  PID:4180
- C:\Windows\System\GMafuJe.exe
  C:\Windows\System\GMafuJe.exe
  2⤵
  PID:4108
- C:\Windows\System\tKALWzR.exe
  C:\Windows\System\tKALWzR.exe
  2⤵
  PID:3512
- C:\Windows\System\sDveyht.exe
  C:\Windows\System\sDveyht.exe
  2⤵
  PID:17144
- C:\Windows\System\HlyuxSi.exe
  C:\Windows\System\HlyuxSi.exe
  2⤵
  PID:17292
- C:\Windows\System\oPCZFoX.exe
  C:\Windows\System\oPCZFoX.exe
  2⤵
  PID:17308
- C:\Windows\System\IteoqgF.exe
  C:\Windows\System\IteoqgF.exe
  2⤵
  PID:5040
- C:\Windows\System\xiBrRBt.exe
  C:\Windows\System\xiBrRBt.exe
  2⤵
  PID:3508
- C:\Windows\System\UCEJUPM.exe
  C:\Windows\System\UCEJUPM.exe
  2⤵
  PID:4632
- C:\Windows\System\zgkaTiK.exe
  C:\Windows\System\zgkaTiK.exe
  2⤵
  PID:2484

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:17108

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3564

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:16656

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3500

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:17028
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17108

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5132

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6612

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8444

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:17112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10360

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8524

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FKEP33TV\microsoft.windows[1].xml

Filesize
96B

MD5
dcfd0f22889d8b3a982fbe019d01d543

SHA1
fe866022f3fdf8fba4d3bd366ff0e2683fe58e59

SHA256
2337927b5b24c83c8ab37dfc0fe7ddcd832ffb16d0cee5d50344478218893f5b

SHA512
11b59e18705c1d95508e298938525f931c12c9010cdc03fad15f5585bc503713670d93739668d886ed9446d528c3dc7ac8cbc8e52198eb85ea6557821a124cc8

Download Submit
C:\Windows\System\AwTTQHk.exe

Filesize
1.6MB

MD5
366b8a1bd3045dbe9a6700c45e0d2859

SHA1
82826dcdbf1d6bd089cb99e1ee7ea262770ea902

SHA256
55893a8b14c0952cf7df533c8c0ba2cb4a032e18459ea4ecb2d06902d7549c1a

SHA512
d5755e4a687017a8434337395696168a59eb5e2754d43a3631417c50b86e916bfd482d8fe3e4f03c6199170ef860a9ddf33c00f6b927b4de1c2d90f3a3cb2733

Download Submit
C:\Windows\System\BfVJJSr.exe

Filesize
1.6MB

MD5
f1612e42274a88730378d6785a761f8c

SHA1
f78ac8a6c6929396900ae54da5c4368dddbbbcd6

SHA256
e42527d534c69930224f7596f19a5e6278212c29125caed2e69f963f683079b2

SHA512
ec3ac5d02f234432ea7152d39dbea664bde53413fb90904ddbe899032a005be6f744ed09a4f3d16cadfa69748ab424a07d7b8bcc13e47a915e1a733788405a98

Download Submit
C:\Windows\System\DbTdfJO.exe

Filesize
1.6MB

MD5
0a171c445f7ba70fc3d9fc5aab7e503e

SHA1
122e7fb999b303b85c1af9ee849be344495c1ec6

SHA256
7acdcc3a4e2bab44713860ebe7b724c7bff95a0337c8ece4e02eb2312483ef22

SHA512
efa6aab03ced8c75c6199c8c97f58ae91e064658a0cbe7ddf8598e4b94fd278571cce7b431365153f4596f5fa94c708ef29e1dd17478508f64485c39fcdf6648

Download Submit
C:\Windows\System\HlLjrvk.exe

Filesize
1.6MB

MD5
b14d5e09f848c9687408908396192827

SHA1
5564d00db891942833765c0aa4a3fd565b923def

SHA256
f1035f0d5af92a6be29e9699f42c7db511744533680d7594a89960792b3cecf5

SHA512
657a3464d1dec71f334857eeb5f80fe5caa35c7ccaa92190668abd56756f60528f688b55c5a2fc7c123a2e3aeb4b5f7000e8f078d2f959c6f6560ca47e35327c

Download Submit
C:\Windows\System\MGjlHQJ.exe

Filesize
1.6MB

MD5
870f12c1e9c9b7521d56d2fa79a15bf2

SHA1
2259209b0efb23075fb4b3011e2dd1427b21268b

SHA256
bc9fdf05eb0b0a8c54ce012d3f34c28bd67dcbaced8a1edd62ef0b0884b5680c

SHA512
21f4cf387cfc041ba38752f63b08f68f820143aaa9ff8c329e9930279a33b254c8c961fdc2449f3252810f8dbe3e251bbd8d6a210b8e2cd5699429bdf6eeb442

Download Submit
C:\Windows\System\OzZVbrr.exe

Filesize
1.6MB

MD5
45bb16c081770b3267e078b6810eb443

SHA1
ea441943bb1fde27832c70dfcaebd5ecdbf57191

SHA256
099e1f6d54041df64ad5b0b94a23739ac9fb6ff48f50288f9297b117904cd147

SHA512
7079ef521102fe8707bd49347b188b27904b411f66b732a169af785e44e4e8391573ad0a3dcf8bb9cf9890eaf99ad8eb5344c72bed5bf4e6069d6b5844b3c7d3

Download Submit
C:\Windows\System\SGrXxXx.exe

Filesize
1.6MB

MD5
5e725d09894441d974102ed85137ca00

SHA1
b0d744765ddfe8ade035358c39a92468985e6e73

SHA256
29f9df099512513c079d66d483724e83c735cf7bd3d385f34a7bb2455aa2fd62

SHA512
6e41b7144d1a60f230dfa2cf69ddd132d08e0b0e8c14b30eb3e7299d4aa997a06375b28f205e359af14c49023de9c2af3e1002c08027489aa3e5363b0b3b9ce0

Download Submit
C:\Windows\System\SVwTyDc.exe

Filesize
1.6MB

MD5
6e17620bbe213824cf3c204dd12799b9

SHA1
9451540830a9fe4caad7e1685c79753bd7fd47f2

SHA256
235c97a904ff3e7140eb51ee9949716dc79297c4055b652c2bc7825a9aad6763

SHA512
03ff4931aeee43ec949ca6f20504f3e4ea87ddc61515b0d38453ec1cacc0073a6430e079aca953f975482e598f499076243f5173129e0ec88eac820f4dc2e279

Download Submit
C:\Windows\System\SoMEyTo.exe

Filesize
1.6MB

MD5
ad599931d3f5492cb3cf3b4cbd80b768

SHA1
c222021ea43c6c4fb5d82e246da9b48a0770161e

SHA256
528cd1dc6bc10f2f1cb0880c67997d860b072b7a658784e096d50b8211bdb8bc

SHA512
e55b2b015a5912e46b16c26d631001b6bb5b1884197cfca7567154affac0ed79a419249f41da46df4bc7a067e3ec434cf1bfdb019d1e003ca83d7f7b4bfdf4c9

Download Submit
C:\Windows\System\TDJSPeY.exe

Filesize
1.6MB

MD5
98eb30b42d2d89fed33bacf9da4d0ca0

SHA1
0371c16fff8500cdcc380eefe1112110a2b8925d

SHA256
265d4b221ef3329b9fbb4f5cf65a7e19b88e3ebda0d1d7cc25ee5617679c2bbd

SHA512
33e137e03712579e9e0e078525dafa8af938d275b7aebcee5a94ad0e95dfe254ad7ef0b0fe1ba02eee8028320488d1b51d0964eea276cd071e50e8483996c449

Download Submit
C:\Windows\System\WKzvcyR.exe

Filesize
1.6MB

MD5
8adcae42e3c0253357a8033f13b2de4e

SHA1
4cc66817aa379c1dd501d65171ac05971e0d495c

SHA256
8ccb8321cd2ff687c31a55bd905fbac1eede5a653ae16ee77d649f642d483fe1

SHA512
9c3c37dd4f1c98d0b64d3f867c8b478e1b395166dc8d841dc621350b17df7eef646144dd95a7adc2f6453f96967d6cf0e0562f69c3712ae5705c8c8447c551e8

Download Submit
C:\Windows\System\XIQTKvp.exe

Filesize
1.6MB

MD5
3039cff09a124224c19f113eaee17870

SHA1
b9f51860cb216ba9c68da0a95e413902108c77b2

SHA256
4d8c42cd2b39bd39a6524a81dacfd97053e076fd1a8419820365bf7151da9295

SHA512
4bc7a7484a9cba77846b4912815bceda279c519caa2a0b6b947317fd8aa947f05e591a90c9c386ca8303a56d94580dae734aac03931b2f919f65b9fcaec03464

Download Submit
C:\Windows\System\XNZozBh.exe

Filesize
1.6MB

MD5
e23c2f9aa734b853fe67ee281dc8479e

SHA1
a542da5796c1f21fca0b6edee00c22340de1fe9a

SHA256
60ded7e1256439baf8be7f0e14da012d62907dbf25af8f71b9456ee6da1dbb5c

SHA512
ba1025d9187697c30727d2a857e2b49304adeab6dd5f17584c12cb4940c18b7865d4d9538d07621141e999a105024232c07191452c91e8e4c0b3593c4760fc75

Download Submit
C:\Windows\System\XwvWYpB.exe

Filesize
1.6MB

MD5
98603fba14f20d1298d8602af3187443

SHA1
242e48ddc907f8f4feb0580b1c1fad6311893213

SHA256
947e21203ad9de7403545acc3aee08e41ef9814785d1bbd0a27875bc5ba09897

SHA512
8065d3d599f1c2bffff40367daab1c48790ab3beed82e09aefdcdd8439c5f23d60c26293c684d6d57442d7d1608fecf0e2e8e4f9456412a9a7518347289af193

Download Submit
C:\Windows\System\YToTVNM.exe

Filesize
1.6MB

MD5
1782f023e91090d7db5f7d5ffc580cdc

SHA1
9e7b56d4898abcfeecb03c70f660e8875c6e0fd2

SHA256
96e62225703723ff4f34c7b64b7ffbcf59eb2b9f1042669f0e4c5fec2282f641

SHA512
97a76241bc5a4fc306edf446fdb84c3ee6b20540a1b0f91b9736620f92482553174abc66445e0ffbbb39c2471c956fa06606051ee3d75198062d1e4d4efaeb38

Download Submit
C:\Windows\System\YglWFnA.exe

Filesize
1.6MB

MD5
2971f77ca6468e4a20149ebce7f13dd4

SHA1
5c18d9eed51f1fbd54fda037eeae93a52f16d4d6

SHA256
f3170bbcefde52b25faad4666049987de250248d0dd7f0ee1109ca51daf2d0c9

SHA512
4c680922cc9961987fa8511a4aa53c8ef6b33694248b9db64dc003f7c5a9ece520c404102086e47f0b3beb296ce739da5c6c52cd99a4eb754af631dee319e5f1

Download Submit
C:\Windows\System\YpFKiuq.exe

Filesize
1.6MB

MD5
81368e49ff2f3bd3d8e847db0c81ccfd

SHA1
1080949243a4cbf8b8f151128bdc3ee9bc0de29c

SHA256
39d1c964306a3469a30bbf57367204fd4fa0407dc4f02be569c95bd900f6283b

SHA512
5c9566b2657131ed1149d9eca3313fc9525f1e1eab29f7e3e38eaab3bdbb0a8a3431fd18faffe3d0d4158acdd833c92468a664f7416a15f626c9e7966b08acdf

Download Submit
C:\Windows\System\eQZJZxp.exe

Filesize
1.6MB

MD5
48881e0129933b5690401aaba7991ce9

SHA1
12f3147910d792fefdc713cb8ac53fd04805a2c1

SHA256
5749b50f18b42ff56dfebdc0f271c59693da1cb4670bbca82e850fb7b9f37452

SHA512
c7f19ee05af38630b50a03ea3fb022e11237953c8f28302f21a4d3460e9ac05c74e773da6028773dc2f05da80fab7328268f044b6cbf3d670a2d491f75d9a759

Download Submit
C:\Windows\System\jaaEZEo.exe

Filesize
1.6MB

MD5
6d9da43c83d1d1cb383f2ff1329a4cd5

SHA1
fa9bca5231d7226cceb65e78e967e730fd0b9a35

SHA256
0f4e03d5ea0846a5640c579274a77ae393c595bb95742bc188009d70c401afdf

SHA512
4062c25cd11fc1636d9f72ba4a59d39479354dffbfa6548dbe47ddba3785e1a5e229005e7697f4df7ad9c118e9bea9a57fe8f27876c44365fa1699fc61dbbc77

Download Submit
C:\Windows\System\kllnnMB.exe

Filesize
1.6MB

MD5
bcfccceeba34ca4e3f03b58ffc878234

SHA1
3eb1485e32233b58dcb403e3a1cf452b46933675

SHA256
adb41c13be27df4796af34ee417099d1cf8c5a67cf3f30daac1dd7e246f99433

SHA512
b66c1be9a688755f1b4b0d8b5ec030f576f8603c255d6fc3507f1afa23032b968fad1b16e6e10f719389f2c4d145ee508dff96702588cb10fc9a8c17f9cfd741

Download Submit
C:\Windows\System\mdKcVVh.exe

Filesize
1.6MB

MD5
67dfa018fe1acb6ce854edceadc4c11b

SHA1
f2f28f67a0a3f1852a2d47df20cd647d0cac4d57

SHA256
54ac9fd53ad62c34ddf67d27eaa374910532f1ae9dd8157bd0f1b86110ad472c

SHA512
31ae470462b8f30332ee29d5a832bca98305146b2a841e9231ae8e6222d8419493f79778ab426861754da349e0df3cc6ec4cba525059a2cdd61c50e6e0bd6a33

Download Submit
C:\Windows\System\pPxlQpK.exe

Filesize
1.6MB

MD5
458551d227b3edf40eef81a3d00a5426

SHA1
6bcbb447af23d74af32aef90bd0b1b717ac01460

SHA256
073065d33877f1c10179819771ac5412f1c8a9f623f0389d3af80a094a0692be

SHA512
91a12ee3c590dc9197e2a378bee95e5c055a408de24b4e2b9683f2032c272e5112bab9d4bfab21638e43bbd2b5144aa49e3ad675c72b8f943c7864beb3e171d7

Download Submit
C:\Windows\System\qSeeThc.exe

Filesize
1.6MB

MD5
c18554543e30dcf33ac14371b117aace

SHA1
8038c2c3b9f307a51d314a6b883fc86ca801b9f9

SHA256
6449e0b65689a6aa27f2e378b01b7ff93ea03fc4df271eb17f14cc0470c091f7

SHA512
14b6f244f552f0bb25ed38aa3afe39712bef0fd97eb8bba82dfb123ef99e5077513f567c5e8762ad8d7cafcfc32985976defa291baa27c4c537c5e2151cd585a

Download Submit
C:\Windows\System\qtaTEra.exe

Filesize
1.6MB

MD5
e8b1b3d0e593af4d47548899b4bd4b8d

SHA1
41aa33d78c93030b5c8fedf330cbbc02ad71e87d

SHA256
7f4e0161989a508dcbd206a86a354c888247661d6d287f9df257f8fd2dd34c1b

SHA512
a3e6795a0637ad96bf35565a3f3ebc6da9ac8aa3aea62b3d8213cd2d8a331d14a25554a2e75b0d666f610da164cb3d01c424d96c63afd6972daecd34e2d7f90e

Download Submit
C:\Windows\System\rdUlLUg.exe

Filesize
1.6MB

MD5
b6ee940b3f0269b0cd129936c803ec2c

SHA1
5ea73744166772c562a06291d8729130c6aceae3

SHA256
d00ee483bd2efaefaad70b3d0e749d3a12da10427381fcff2eab9b6c73c15e9c

SHA512
f2718a7c320a4f9fbbe8401ccf8b41754dc6a675d6a5354b07ee5de27ea122480f39d89a02a87f2a84d3dc3f18584484f0bdb0e9a03a698851e54138169df2a4

Download Submit
C:\Windows\System\tVcWduu.exe

Filesize
1.6MB

MD5
9ed71e1a09393ec0fff4731ea40e4ce2

SHA1
5538a7b063de7779ba857c8e2e3885b8e156193b

SHA256
6db1f4854c0321eeb1b34273b19cfc3b062a27ffae44f076c4465cff83fb262b

SHA512
23c95e22a08a6f34ae0bf6f6a79d2d7f9d6bb35d6ef37fcb06516df88e2472b016a2a5e0771b3230fd577451c6ba4c61c892c8dfb27ef392e0f52809e596c7bb

Download Submit
C:\Windows\System\uuWJTDw.exe

Filesize
1.6MB

MD5
b4e530604930e475fe988868d3045164

SHA1
17072c32ad60c319a23908dd49a1ce16751eec3b

SHA256
840958d93f05ba91df60932de2ad23924ffcbb7b0933bf2db4a4caaf8fba3e40

SHA512
bb3e4517b355c69bc42e7135871d87359faaca7be15178a4ea22500e12923cd86a339fe2c1a8be8d7542ee2d2f006b509aa235111d7ea5ccf6db0261b1099e54

Download Submit
C:\Windows\System\vLMBWxc.exe

Filesize
1.6MB

MD5
369c5b2c83c4aedb8f8fdffb935289f3

SHA1
2a09c404d4b5d530ccd23e4f82845dce35de5592

SHA256
dfab0993dffa83ffda778c0434977be521630b6d8e51653577a9646bfca8b517

SHA512
d19916c0b2bcfc0589110eb356f952061b78446a7cff8d56ff4e797e91c53537fac950b12ef1106c77d137c1f08dd17833c57f2a0c3074ebc805e0fb99422502

Download Submit
C:\Windows\System\wZMOMMY.exe

Filesize
1.6MB

MD5
f8552cc333178b463f8b3696af45c613

SHA1
5a5be5fef76d43a764ee2fb146d4e57daff2d68a

SHA256
906ada114edf4818ff95bc93b7210f4a12e5753e1a014a88befebfd3576b2eb0

SHA512
129a1e8aee33db0d1be90fb3285ac756055b46b84dfa995db33859ede3d034a88c28b8b823558c1ba4319f155ead80e056493302c5dbc70c3d69951ebf600d32

Download Submit
C:\Windows\System\wrmalcA.exe

Filesize
1.6MB

MD5
8f6eda68cf290a7557baa49a33e03489

SHA1
1f1d2f0f5966bf2ed2655c652648751c74dd973b

SHA256
036967c94476e1d23878043d5ba1788c92f9c2a649621b6d926b7d62b8c4971b

SHA512
177e86313307bec9099f8d48e0f04b613b0eab5cd5ebdfe76fbf172ad0c0f7a774ee8be238e89ec69a09c84e36991db70b9b5b024060f0121882dcc53a6a9933

Download Submit
C:\Windows\System\xfcncwX.exe

Filesize
1.6MB

MD5
af8a2935fcb4aacfa0bd914158925804

SHA1
df362861f9b6b123d3320bd1c44540adf272278b

SHA256
5de59203d34f84c137d9c37879c33c4fc246c58a42ed749261c33cc0a68c2fc4

SHA512
108b281cf14a7a9227f188cd50e7205fc318c800049a07921cdb1f8f2f258d966ed1fcd3c1177ae311ee15efc28b6ba2d62074ca5d6ebb7500a188335a772383

Download Submit
C:\Windows\System\xmwcSAh.exe

Filesize
1.6MB

MD5
cf087b2c98ec6e15d28e98785450f07c

SHA1
bb920809142f6b9c3a4dc897403ab49fbf3cddd4

SHA256
43d7bdb4f1477cbf1868bcbde14117c50d64d0e520e8f13da17cac7d56f31c41

SHA512
cc9f643c3b5f93ccd204d3c5fbc683ee847dee3e81d827141c4b305a02c9a7197b03cefd4c517996acbadcb2fbce7b1d4fcaac7aebc642040b57c094021bfa37

Download Submit
C:\Windows\System\yivTLxe.exe

Filesize
1.6MB

MD5
279002cc8c274070b976b3f926b69446

SHA1
3bf7eb9a2fddeaacf8ed447b568b49504d49a069

SHA256
a33433e371eaa74aecb875710f05bf72596cb4ea2f97a76d9543d2b5e3752034

SHA512
812d744aa6b7fdef3fdd67bd8c6b93818b6697e096b62c127e9d2ad7c72aaca5a9a4ea93a545f48986a3faf6dcc40f47cf8645823780181983b89680237e6b5d

Download Submit
memory/3248-0-0x0000028BE8630000-0x0000028BE8640000-memory.dmp

Filesize
64KB

Download