xmrig | 4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9

Analysis

max time kernel
87s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
Size

1.6MB
MD5

323834f42b1ac8eafc843077d59eb240
SHA1

91ca3ea566d6f594c008cde75942305b2f24f550
SHA256

4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9
SHA512

9bfd31c0abfdf2c764efd443f9d65f13c78186d6e954aeaf8db0b9264794f806ac196a25c895ff5fc6c405463722b111ef7b1b10d97d42f779f757f946795e07
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9ozttwIRakGN8r7+9/ShKmlCL:GemTLkNdfE0pZyc

Score

10^/10

xmrig miner persistence privilege_escalation

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000b000000023bc3-4.dat	xmrig
behavioral2/files/0x0008000000023c97-7.dat	xmrig
behavioral2/files/0x0007000000023c9b-6.dat	xmrig
behavioral2/files/0x0007000000023c9d-19.dat	xmrig
behavioral2/files/0x0007000000023c9e-23.dat	xmrig
behavioral2/files/0x0007000000023c9f-30.dat	xmrig
behavioral2/files/0x0007000000023ca0-34.dat	xmrig
behavioral2/files/0x0007000000023ca1-40.dat	xmrig
behavioral2/files/0x0007000000023ca2-45.dat	xmrig
behavioral2/files/0x0008000000023c98-49.dat	xmrig
behavioral2/files/0x0007000000023ca4-58.dat	xmrig
behavioral2/files/0x0007000000023ca5-68.dat	xmrig
behavioral2/files/0x0007000000023ca9-82.dat	xmrig
behavioral2/files/0x0007000000023caa-87.dat	xmrig
behavioral2/files/0x0007000000023caf-118.dat	xmrig
behavioral2/files/0x0007000000023cb3-140.dat	xmrig
behavioral2/files/0x0007000000023cb9-162.dat	xmrig
behavioral2/files/0x0007000000023cb7-160.dat	xmrig
behavioral2/files/0x0007000000023cb8-157.dat	xmrig
behavioral2/files/0x0007000000023cb6-155.dat	xmrig
behavioral2/files/0x0007000000023cb5-150.dat	xmrig
behavioral2/files/0x0007000000023cb4-145.dat	xmrig
behavioral2/files/0x0007000000023cb2-132.dat	xmrig
behavioral2/files/0x0007000000023cb1-128.dat	xmrig
behavioral2/files/0x0007000000023cb0-122.dat	xmrig
behavioral2/files/0x0007000000023cae-113.dat	xmrig
behavioral2/files/0x0007000000023cad-108.dat	xmrig
behavioral2/files/0x0007000000023cab-105.dat	xmrig
behavioral2/files/0x0007000000023cac-101.dat	xmrig
behavioral2/files/0x0007000000023ca8-83.dat	xmrig
behavioral2/files/0x0007000000023ca7-80.dat	xmrig
behavioral2/files/0x0007000000023ca6-72.dat	xmrig
behavioral2/files/0x0007000000023ca3-56.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4860	LVJCKYl.exe
2476	EgDmIpf.exe
3504	pHjlwvY.exe
1776	SZIPPlE.exe
1096	vZzLsDp.exe
804	wQDNYSF.exe
212	zBuDTVD.exe
3992	BqdBIAU.exe
4392	cenZFZW.exe
2868	rcxOHje.exe
5072	wTsKReN.exe
4576	VuHgzUf.exe
740	ogXYSPo.exe
812	IHiNSrI.exe
1580	TnoWiWm.exe
2692	kvgjyEy.exe
432	vDSeWzt.exe
444	pMFQwNj.exe
760	kEKWHzr.exe
1536	KGmNMpl.exe
4900	EnQlKll.exe
2924	ubztSdd.exe
1172	lvnTYNv.exe
2316	oOnHUqW.exe
1860	fwytwqJ.exe
1192	bXFMxLj.exe
3732	edWrqJE.exe
872	gMgUzgz.exe
4872	SrHNdSx.exe
3676	uQroEdk.exe
4964	zTrITgX.exe
1988	urmQIWo.exe
2032	KCVXgvb.exe
396	ASQzBso.exe
4892	CKivBED.exe
3080	vDjvSsX.exe
2320	QhmesHk.exe
1564	GerAIAb.exe
1064	LudgrlP.exe
2984	WQzIHcl.exe
4268	hQUsGDA.exe
4640	SBtIDts.exe
2540	XatQoxE.exe
3020	DplABij.exe
3008	RiZJeZl.exe
2580	AqkpycA.exe
1212	CbRqwvM.exe
756	JNleFgD.exe
4276	WWjRbcy.exe
2968	kglwpxl.exe
1768	mCxkMRt.exe
4668	vrPknBX.exe
3624	zsZWzuO.exe
60	fQguBaX.exe
4492	jHcSPDN.exe
4476	cOYtCXR.exe
1428	ffgUVsu.exe
2480	eTNXFIX.exe
4512	GYjlhIh.exe
4792	dlnQVee.exe
3296	vicFMdc.exe
3188	ouxnjtx.exe
312	Fmpewzs.exe
3948	bPDtgSg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\KVLhrJy.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\EcmaaVv.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\uyxmpcR.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\OWXkhEW.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\SoBzvXS.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\VYRHtaD.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\XkBEJCx.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\CycgiUA.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\NJONeZm.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\XsZgOSJ.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\NqgqRlz.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\QRjQLSp.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\HWQhRdI.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\DtFwFAS.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\CIZupjG.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\ILjfJDl.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\NMaxQNI.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\vcPzZoe.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\BKbTXxd.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\LitSnVl.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\gQTbldm.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\eXPwJBe.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\CKivBED.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\AqkpycA.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\qbyjESM.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\bZNfdCg.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\hJkqHGy.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\CyvvuKk.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\nCrwkcr.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\JTOtrop.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\DplABij.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\OJqHWuF.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\tSwwFzF.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\BbardDN.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\kgzNjEh.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\myFUvWI.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\ZcGBroV.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\UZwcAdD.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\nXNApQg.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\VuHgzUf.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\ZfDWLgw.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\gqtNIlX.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\rRiePGn.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\TrNobrf.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\FZpucUO.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\WONVdLy.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\UTFzGNN.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\WtXPzKd.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\cdaKECl.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\QhmesHk.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\WVCRfSW.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\JskUjGq.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\vakpokp.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\OsOhpPb.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\TqWoGZZ.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\mLQvmBM.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\hbliFDI.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\IPvBSEU.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\WhCAneV.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\Agtunep.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\kEKWHzr.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\lvnTYNv.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\fQguBaX.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
File created	C:\Windows\System\gAYnuyg.exe	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5233694"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{1B9E9320-051A-479A-92BC-7B13A78F1ACB}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Voices\\Tokens\\MSTTS_V110_EnUS_ZiraM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{BAE3E62C-37D4-49AC-A6F1-0E485ECD6757}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{BBB6D5EE-D648-4BA8-82BB-931E2763DC03}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\MSTTSLocesES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\r1041sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura - Spanish (Spain)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "C0A"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	16356	explorer.exe
Token: SeCreatePagefilePrivilege	16356	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	5364	explorer.exe
Token: SeCreatePagefilePrivilege	5364	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	6516	explorer.exe
Token: SeCreatePagefilePrivilege	6516	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe
Token: SeShutdownPrivilege	8344	explorer.exe
Token: SeCreatePagefilePrivilege	8344	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
17276	sihost.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
16356	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
5364	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
6516	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
8344	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe
10196	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
17060	StartMenuExperienceHost.exe
1604	StartMenuExperienceHost.exe
7968	StartMenuExperienceHost.exe
9096	StartMenuExperienceHost.exe
10404	StartMenuExperienceHost.exe
10892	SearchApp.exe
3684	StartMenuExperienceHost.exe
1988	SearchApp.exe
4940	StartMenuExperienceHost.exe
16992	SearchApp.exe
16832	StartMenuExperienceHost.exe
16716	SearchApp.exe
6308	StartMenuExperienceHost.exe
17072	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4860	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	83
PID 4724 wrote to memory of 4860	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	83
PID 4724 wrote to memory of 2476	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	84
PID 4724 wrote to memory of 2476	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	84
PID 4724 wrote to memory of 3504	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	85
PID 4724 wrote to memory of 3504	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	85
PID 4724 wrote to memory of 1776	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	86
PID 4724 wrote to memory of 1776	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	86
PID 4724 wrote to memory of 1096	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	87
PID 4724 wrote to memory of 1096	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	87
PID 4724 wrote to memory of 804	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	88
PID 4724 wrote to memory of 804	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	88
PID 4724 wrote to memory of 212	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	89
PID 4724 wrote to memory of 212	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	89
PID 4724 wrote to memory of 3992	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	90
PID 4724 wrote to memory of 3992	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	90
PID 4724 wrote to memory of 4392	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	91
PID 4724 wrote to memory of 4392	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	91
PID 4724 wrote to memory of 2868	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	92
PID 4724 wrote to memory of 2868	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	92
PID 4724 wrote to memory of 5072	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	93
PID 4724 wrote to memory of 5072	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	93
PID 4724 wrote to memory of 4576	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	94
PID 4724 wrote to memory of 4576	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	94
PID 4724 wrote to memory of 740	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	95
PID 4724 wrote to memory of 740	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	95
PID 4724 wrote to memory of 812	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	96
PID 4724 wrote to memory of 812	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	96
PID 4724 wrote to memory of 1580	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	97
PID 4724 wrote to memory of 1580	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	97
PID 4724 wrote to memory of 2692	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	98
PID 4724 wrote to memory of 2692	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	98
PID 4724 wrote to memory of 432	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	99
PID 4724 wrote to memory of 432	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	99
PID 4724 wrote to memory of 444	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	100
PID 4724 wrote to memory of 444	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	100
PID 4724 wrote to memory of 760	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	101
PID 4724 wrote to memory of 760	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	101
PID 4724 wrote to memory of 1536	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	102
PID 4724 wrote to memory of 1536	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	102
PID 4724 wrote to memory of 4900	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	103
PID 4724 wrote to memory of 4900	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	103
PID 4724 wrote to memory of 2924	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	104
PID 4724 wrote to memory of 2924	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	104
PID 4724 wrote to memory of 1172	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	105
PID 4724 wrote to memory of 1172	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	105
PID 4724 wrote to memory of 2316	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	106
PID 4724 wrote to memory of 2316	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	106
PID 4724 wrote to memory of 1860	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	107
PID 4724 wrote to memory of 1860	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	107
PID 4724 wrote to memory of 1192	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	108
PID 4724 wrote to memory of 1192	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	108
PID 4724 wrote to memory of 3732	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	109
PID 4724 wrote to memory of 3732	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	109
PID 4724 wrote to memory of 872	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	110
PID 4724 wrote to memory of 872	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	110
PID 4724 wrote to memory of 4872	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	111
PID 4724 wrote to memory of 4872	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	111
PID 4724 wrote to memory of 3676	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	112
PID 4724 wrote to memory of 3676	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	112
PID 4724 wrote to memory of 4964	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	113
PID 4724 wrote to memory of 4964	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	113
PID 4724 wrote to memory of 1988	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	114
PID 4724 wrote to memory of 1988	4724	4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe
"C:\Users\Admin\AppData\Local\Temp\4151abfb73827d4110f720bb4e5076220bc09b44e22d386f8cdf949515d82dc9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\System\LVJCKYl.exe
  C:\Windows\System\LVJCKYl.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\EgDmIpf.exe
  C:\Windows\System\EgDmIpf.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\pHjlwvY.exe
  C:\Windows\System\pHjlwvY.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\SZIPPlE.exe
  C:\Windows\System\SZIPPlE.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\vZzLsDp.exe
  C:\Windows\System\vZzLsDp.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\wQDNYSF.exe
  C:\Windows\System\wQDNYSF.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System\zBuDTVD.exe
  C:\Windows\System\zBuDTVD.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\BqdBIAU.exe
  C:\Windows\System\BqdBIAU.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\cenZFZW.exe
  C:\Windows\System\cenZFZW.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\rcxOHje.exe
  C:\Windows\System\rcxOHje.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\wTsKReN.exe
  C:\Windows\System\wTsKReN.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\VuHgzUf.exe
  C:\Windows\System\VuHgzUf.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\ogXYSPo.exe
  C:\Windows\System\ogXYSPo.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\IHiNSrI.exe
  C:\Windows\System\IHiNSrI.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\TnoWiWm.exe
  C:\Windows\System\TnoWiWm.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\kvgjyEy.exe
  C:\Windows\System\kvgjyEy.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\vDSeWzt.exe
  C:\Windows\System\vDSeWzt.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\pMFQwNj.exe
  C:\Windows\System\pMFQwNj.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\kEKWHzr.exe
  C:\Windows\System\kEKWHzr.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\KGmNMpl.exe
  C:\Windows\System\KGmNMpl.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\EnQlKll.exe
  C:\Windows\System\EnQlKll.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\ubztSdd.exe
  C:\Windows\System\ubztSdd.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\lvnTYNv.exe
  C:\Windows\System\lvnTYNv.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\oOnHUqW.exe
  C:\Windows\System\oOnHUqW.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\fwytwqJ.exe
  C:\Windows\System\fwytwqJ.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\bXFMxLj.exe
  C:\Windows\System\bXFMxLj.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\edWrqJE.exe
  C:\Windows\System\edWrqJE.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\gMgUzgz.exe
  C:\Windows\System\gMgUzgz.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\SrHNdSx.exe
  C:\Windows\System\SrHNdSx.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\uQroEdk.exe
  C:\Windows\System\uQroEdk.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\zTrITgX.exe
  C:\Windows\System\zTrITgX.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\urmQIWo.exe
  C:\Windows\System\urmQIWo.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\KCVXgvb.exe
  C:\Windows\System\KCVXgvb.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\ASQzBso.exe
  C:\Windows\System\ASQzBso.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\CKivBED.exe
  C:\Windows\System\CKivBED.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\vDjvSsX.exe
  C:\Windows\System\vDjvSsX.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\QhmesHk.exe
  C:\Windows\System\QhmesHk.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\GerAIAb.exe
  C:\Windows\System\GerAIAb.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\LudgrlP.exe
  C:\Windows\System\LudgrlP.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\WQzIHcl.exe
  C:\Windows\System\WQzIHcl.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\hQUsGDA.exe
  C:\Windows\System\hQUsGDA.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\SBtIDts.exe
  C:\Windows\System\SBtIDts.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\XatQoxE.exe
  C:\Windows\System\XatQoxE.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\DplABij.exe
  C:\Windows\System\DplABij.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\RiZJeZl.exe
  C:\Windows\System\RiZJeZl.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\AqkpycA.exe
  C:\Windows\System\AqkpycA.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\CbRqwvM.exe
  C:\Windows\System\CbRqwvM.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\JNleFgD.exe
  C:\Windows\System\JNleFgD.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\WWjRbcy.exe
  C:\Windows\System\WWjRbcy.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\kglwpxl.exe
  C:\Windows\System\kglwpxl.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\mCxkMRt.exe
  C:\Windows\System\mCxkMRt.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\vrPknBX.exe
  C:\Windows\System\vrPknBX.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\zsZWzuO.exe
  C:\Windows\System\zsZWzuO.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\fQguBaX.exe
  C:\Windows\System\fQguBaX.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\jHcSPDN.exe
  C:\Windows\System\jHcSPDN.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\cOYtCXR.exe
  C:\Windows\System\cOYtCXR.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\ffgUVsu.exe
  C:\Windows\System\ffgUVsu.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\eTNXFIX.exe
  C:\Windows\System\eTNXFIX.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\GYjlhIh.exe
  C:\Windows\System\GYjlhIh.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\dlnQVee.exe
  C:\Windows\System\dlnQVee.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\vicFMdc.exe
  C:\Windows\System\vicFMdc.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\ouxnjtx.exe
  C:\Windows\System\ouxnjtx.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\Fmpewzs.exe
  C:\Windows\System\Fmpewzs.exe
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Windows\System\bPDtgSg.exe
  C:\Windows\System\bPDtgSg.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\xAgQJCI.exe
  C:\Windows\System\xAgQJCI.exe
  2⤵
  PID:2184
- C:\Windows\System\gAYnuyg.exe
  C:\Windows\System\gAYnuyg.exe
  2⤵
  PID:1480
- C:\Windows\System\ipIAmjb.exe
  C:\Windows\System\ipIAmjb.exe
  2⤵
  PID:3360
- C:\Windows\System\LWVblqs.exe
  C:\Windows\System\LWVblqs.exe
  2⤵
  PID:4632
- C:\Windows\System\RogTvlJ.exe
  C:\Windows\System\RogTvlJ.exe
  2⤵
  PID:1460
- C:\Windows\System\uuSXwYd.exe
  C:\Windows\System\uuSXwYd.exe
  2⤵
  PID:4876
- C:\Windows\System\KkRcztZ.exe
  C:\Windows\System\KkRcztZ.exe
  2⤵
  PID:4908
- C:\Windows\System\wpirsNQ.exe
  C:\Windows\System\wpirsNQ.exe
  2⤵
  PID:4924
- C:\Windows\System\KcJgQeq.exe
  C:\Windows\System\KcJgQeq.exe
  2⤵
  PID:4864
- C:\Windows\System\WHmFtKf.exe
  C:\Windows\System\WHmFtKf.exe
  2⤵
  PID:2844
- C:\Windows\System\SkEKzOh.exe
  C:\Windows\System\SkEKzOh.exe
  2⤵
  PID:2888
- C:\Windows\System\mWsnejl.exe
  C:\Windows\System\mWsnejl.exe
  2⤵
  PID:1184
- C:\Windows\System\pACUVdf.exe
  C:\Windows\System\pACUVdf.exe
  2⤵
  PID:3400
- C:\Windows\System\cLiXnao.exe
  C:\Windows\System\cLiXnao.exe
  2⤵
  PID:2892
- C:\Windows\System\rPvRMuX.exe
  C:\Windows\System\rPvRMuX.exe
  2⤵
  PID:1420
- C:\Windows\System\iBLwRDJ.exe
  C:\Windows\System\iBLwRDJ.exe
  2⤵
  PID:2680
- C:\Windows\System\rVBuizk.exe
  C:\Windows\System\rVBuizk.exe
  2⤵
  PID:4176
- C:\Windows\System\KWqRoeJ.exe
  C:\Windows\System\KWqRoeJ.exe
  2⤵
  PID:4020
- C:\Windows\System\dzmegwl.exe
  C:\Windows\System\dzmegwl.exe
  2⤵
  PID:4940
- C:\Windows\System\BAFcRpa.exe
  C:\Windows\System\BAFcRpa.exe
  2⤵
  PID:2976
- C:\Windows\System\quRrNGU.exe
  C:\Windows\System\quRrNGU.exe
  2⤵
  PID:3012
- C:\Windows\System\MMtgyAt.exe
  C:\Windows\System\MMtgyAt.exe
  2⤵
  PID:4704
- C:\Windows\System\VaeSqDz.exe
  C:\Windows\System\VaeSqDz.exe
  2⤵
  PID:5076
- C:\Windows\System\cmNFBGT.exe
  C:\Windows\System\cmNFBGT.exe
  2⤵
  PID:624
- C:\Windows\System\GTICdla.exe
  C:\Windows\System\GTICdla.exe
  2⤵
  PID:2840
- C:\Windows\System\ILjfJDl.exe
  C:\Windows\System\ILjfJDl.exe
  2⤵
  PID:1060
- C:\Windows\System\yYrjnDS.exe
  C:\Windows\System\yYrjnDS.exe
  2⤵
  PID:4720
- C:\Windows\System\jwuJcJS.exe
  C:\Windows\System\jwuJcJS.exe
  2⤵
  PID:1588
- C:\Windows\System\xAWcygd.exe
  C:\Windows\System\xAWcygd.exe
  2⤵
  PID:1764
- C:\Windows\System\AoFEozE.exe
  C:\Windows\System\AoFEozE.exe
  2⤵
  PID:4152
- C:\Windows\System\fCyQpCg.exe
  C:\Windows\System\fCyQpCg.exe
  2⤵
  PID:4104
- C:\Windows\System\AyzYzoC.exe
  C:\Windows\System\AyzYzoC.exe
  2⤵
  PID:2268
- C:\Windows\System\AhmmfiI.exe
  C:\Windows\System\AhmmfiI.exe
  2⤵
  PID:5144
- C:\Windows\System\sunKwrl.exe
  C:\Windows\System\sunKwrl.exe
  2⤵
  PID:5168
- C:\Windows\System\zxGHDNK.exe
  C:\Windows\System\zxGHDNK.exe
  2⤵
  PID:5200
- C:\Windows\System\LEyTMFY.exe
  C:\Windows\System\LEyTMFY.exe
  2⤵
  PID:5228
- C:\Windows\System\wLclCRU.exe
  C:\Windows\System\wLclCRU.exe
  2⤵
  PID:5256
- C:\Windows\System\GoXGrbN.exe
  C:\Windows\System\GoXGrbN.exe
  2⤵
  PID:5284
- C:\Windows\System\HePndgy.exe
  C:\Windows\System\HePndgy.exe
  2⤵
  PID:5312
- C:\Windows\System\wrTDfmp.exe
  C:\Windows\System\wrTDfmp.exe
  2⤵
  PID:5336
- C:\Windows\System\HMpwGnQ.exe
  C:\Windows\System\HMpwGnQ.exe
  2⤵
  PID:5368
- C:\Windows\System\DujKvza.exe
  C:\Windows\System\DujKvza.exe
  2⤵
  PID:5396
- C:\Windows\System\kNVXtuJ.exe
  C:\Windows\System\kNVXtuJ.exe
  2⤵
  PID:5456
- C:\Windows\System\JbZmujB.exe
  C:\Windows\System\JbZmujB.exe
  2⤵
  PID:5472
- C:\Windows\System\qrGdeNU.exe
  C:\Windows\System\qrGdeNU.exe
  2⤵
  PID:5488
- C:\Windows\System\QYAJRaQ.exe
  C:\Windows\System\QYAJRaQ.exe
  2⤵
  PID:5512
- C:\Windows\System\lHeVBgT.exe
  C:\Windows\System\lHeVBgT.exe
  2⤵
  PID:5540
- C:\Windows\System\guYCuXT.exe
  C:\Windows\System\guYCuXT.exe
  2⤵
  PID:5568
- C:\Windows\System\MwsFvkD.exe
  C:\Windows\System\MwsFvkD.exe
  2⤵
  PID:5600
- C:\Windows\System\tGgSRQa.exe
  C:\Windows\System\tGgSRQa.exe
  2⤵
  PID:5624
- C:\Windows\System\mNXdKsX.exe
  C:\Windows\System\mNXdKsX.exe
  2⤵
  PID:5644
- C:\Windows\System\tVvyMKT.exe
  C:\Windows\System\tVvyMKT.exe
  2⤵
  PID:5672
- C:\Windows\System\OlGMpnW.exe
  C:\Windows\System\OlGMpnW.exe
  2⤵
  PID:5700
- C:\Windows\System\Igkhxal.exe
  C:\Windows\System\Igkhxal.exe
  2⤵
  PID:5728
- C:\Windows\System\MjLejoB.exe
  C:\Windows\System\MjLejoB.exe
  2⤵
  PID:5756
- C:\Windows\System\EexfMNp.exe
  C:\Windows\System\EexfMNp.exe
  2⤵
  PID:5784
- C:\Windows\System\gAmvzeg.exe
  C:\Windows\System\gAmvzeg.exe
  2⤵
  PID:5812
- C:\Windows\System\pXYdwvq.exe
  C:\Windows\System\pXYdwvq.exe
  2⤵
  PID:5840
- C:\Windows\System\kqQFFaQ.exe
  C:\Windows\System\kqQFFaQ.exe
  2⤵
  PID:5868
- C:\Windows\System\NmkITJR.exe
  C:\Windows\System\NmkITJR.exe
  2⤵
  PID:5896
- C:\Windows\System\FUFpqxT.exe
  C:\Windows\System\FUFpqxT.exe
  2⤵
  PID:5920
- C:\Windows\System\yUywEtq.exe
  C:\Windows\System\yUywEtq.exe
  2⤵
  PID:5952
- C:\Windows\System\RMVKSFs.exe
  C:\Windows\System\RMVKSFs.exe
  2⤵
  PID:5976
- C:\Windows\System\jAdgeUY.exe
  C:\Windows\System\jAdgeUY.exe
  2⤵
  PID:6008
- C:\Windows\System\qbyjESM.exe
  C:\Windows\System\qbyjESM.exe
  2⤵
  PID:6036
- C:\Windows\System\XVezOzE.exe
  C:\Windows\System\XVezOzE.exe
  2⤵
  PID:6064
- C:\Windows\System\kFbJhWd.exe
  C:\Windows\System\kFbJhWd.exe
  2⤵
  PID:6096
- C:\Windows\System\CvBHncI.exe
  C:\Windows\System\CvBHncI.exe
  2⤵
  PID:6120
- C:\Windows\System\SseRwuf.exe
  C:\Windows\System\SseRwuf.exe
  2⤵
  PID:5000
- C:\Windows\System\SwYeSfx.exe
  C:\Windows\System\SwYeSfx.exe
  2⤵
  PID:856
- C:\Windows\System\fCGNjGM.exe
  C:\Windows\System\fCGNjGM.exe
  2⤵
  PID:3028
- C:\Windows\System\TUpTxwL.exe
  C:\Windows\System\TUpTxwL.exe
  2⤵
  PID:1620
- C:\Windows\System\BehiCYv.exe
  C:\Windows\System\BehiCYv.exe
  2⤵
  PID:3228
- C:\Windows\System\krImUsp.exe
  C:\Windows\System\krImUsp.exe
  2⤵
  PID:5152
- C:\Windows\System\cCxxHKX.exe
  C:\Windows\System\cCxxHKX.exe
  2⤵
  PID:5208
- C:\Windows\System\xVoXljc.exe
  C:\Windows\System\xVoXljc.exe
  2⤵
  PID:5272
- C:\Windows\System\SxqySvo.exe
  C:\Windows\System\SxqySvo.exe
  2⤵
  PID:64
- C:\Windows\System\Vjasovs.exe
  C:\Windows\System\Vjasovs.exe
  2⤵
  PID:5384
- C:\Windows\System\NSdIBkR.exe
  C:\Windows\System\NSdIBkR.exe
  2⤵
  PID:5416
- C:\Windows\System\LFhjhaW.exe
  C:\Windows\System\LFhjhaW.exe
  2⤵
  PID:5508
- C:\Windows\System\IPvBSEU.exe
  C:\Windows\System\IPvBSEU.exe
  2⤵
  PID:5564
- C:\Windows\System\uIzgdLl.exe
  C:\Windows\System\uIzgdLl.exe
  2⤵
  PID:5636
- C:\Windows\System\KqOdvxK.exe
  C:\Windows\System\KqOdvxK.exe
  2⤵
  PID:5692
- C:\Windows\System\OJqHWuF.exe
  C:\Windows\System\OJqHWuF.exe
  2⤵
  PID:5744
- C:\Windows\System\zqToPnu.exe
  C:\Windows\System\zqToPnu.exe
  2⤵
  PID:5804
- C:\Windows\System\gQTbldm.exe
  C:\Windows\System\gQTbldm.exe
  2⤵
  PID:5888
- C:\Windows\System\IjQwIjT.exe
  C:\Windows\System\IjQwIjT.exe
  2⤵
  PID:2180
- C:\Windows\System\kznojWW.exe
  C:\Windows\System\kznojWW.exe
  2⤵
  PID:6000
- C:\Windows\System\bZNfdCg.exe
  C:\Windows\System\bZNfdCg.exe
  2⤵
  PID:6080
- C:\Windows\System\UqvJOWu.exe
  C:\Windows\System\UqvJOWu.exe
  2⤵
  PID:6140
- C:\Windows\System\WplKJoy.exe
  C:\Windows\System\WplKJoy.exe
  2⤵
  PID:2312
- C:\Windows\System\bnCXYbJ.exe
  C:\Windows\System\bnCXYbJ.exe
  2⤵
  PID:2084
- C:\Windows\System\ziZCYKL.exe
  C:\Windows\System\ziZCYKL.exe
  2⤵
  PID:2668
- C:\Windows\System\uUBnPWK.exe
  C:\Windows\System\uUBnPWK.exe
  2⤵
  PID:5352
- C:\Windows\System\eTrUvBi.exe
  C:\Windows\System\eTrUvBi.exe
  2⤵
  PID:5484
- C:\Windows\System\JeNxkGL.exe
  C:\Windows\System\JeNxkGL.exe
  2⤵
  PID:5556
- C:\Windows\System\HjdIqCC.exe
  C:\Windows\System\HjdIqCC.exe
  2⤵
  PID:5664
- C:\Windows\System\rcLKkJs.exe
  C:\Windows\System\rcLKkJs.exe
  2⤵
  PID:4000
- C:\Windows\System\BCPVfBn.exe
  C:\Windows\System\BCPVfBn.exe
  2⤵
  PID:1944
- C:\Windows\System\YcDDibP.exe
  C:\Windows\System\YcDDibP.exe
  2⤵
  PID:3672
- C:\Windows\System\XhbCGqw.exe
  C:\Windows\System\XhbCGqw.exe
  2⤵
  PID:5972
- C:\Windows\System\cxadSfw.exe
  C:\Windows\System\cxadSfw.exe
  2⤵
  PID:2808
- C:\Windows\System\VWTKvoJ.exe
  C:\Windows\System\VWTKvoJ.exe
  2⤵
  PID:1504
- C:\Windows\System\bkogiHP.exe
  C:\Windows\System\bkogiHP.exe
  2⤵
  PID:1332
- C:\Windows\System\UUlxGvl.exe
  C:\Windows\System\UUlxGvl.exe
  2⤵
  PID:2660
- C:\Windows\System\zsmydlK.exe
  C:\Windows\System\zsmydlK.exe
  2⤵
  PID:4732
- C:\Windows\System\oeHQMhh.exe
  C:\Windows\System\oeHQMhh.exe
  2⤵
  PID:1348
- C:\Windows\System\EcsXztY.exe
  C:\Windows\System\EcsXztY.exe
  2⤵
  PID:4916
- C:\Windows\System\PEEgkkZ.exe
  C:\Windows\System\PEEgkkZ.exe
  2⤵
  PID:5796
- C:\Windows\System\GtvUMhg.exe
  C:\Windows\System\GtvUMhg.exe
  2⤵
  PID:736
- C:\Windows\System\StVBSSb.exe
  C:\Windows\System\StVBSSb.exe
  2⤵
  PID:5856
- C:\Windows\System\HZHEBRG.exe
  C:\Windows\System\HZHEBRG.exe
  2⤵
  PID:4592
- C:\Windows\System\QRjQLSp.exe
  C:\Windows\System\QRjQLSp.exe
  2⤵
  PID:5992
- C:\Windows\System\hJkqHGy.exe
  C:\Windows\System\hJkqHGy.exe
  2⤵
  PID:5684
- C:\Windows\System\TRKBueb.exe
  C:\Windows\System\TRKBueb.exe
  2⤵
  PID:6168
- C:\Windows\System\kuepZsA.exe
  C:\Windows\System\kuepZsA.exe
  2⤵
  PID:6204
- C:\Windows\System\KkYTeuJ.exe
  C:\Windows\System\KkYTeuJ.exe
  2⤵
  PID:6220
- C:\Windows\System\WYXkoOY.exe
  C:\Windows\System\WYXkoOY.exe
  2⤵
  PID:6260
- C:\Windows\System\fyccGWB.exe
  C:\Windows\System\fyccGWB.exe
  2⤵
  PID:6284
- C:\Windows\System\LMOMTuE.exe
  C:\Windows\System\LMOMTuE.exe
  2⤵
  PID:6304
- C:\Windows\System\ZzfmdNS.exe
  C:\Windows\System\ZzfmdNS.exe
  2⤵
  PID:6332
- C:\Windows\System\vXgKIqA.exe
  C:\Windows\System\vXgKIqA.exe
  2⤵
  PID:6372
- C:\Windows\System\CdaaLGd.exe
  C:\Windows\System\CdaaLGd.exe
  2⤵
  PID:6400
- C:\Windows\System\GTobOep.exe
  C:\Windows\System\GTobOep.exe
  2⤵
  PID:6428
- C:\Windows\System\PWPPxQl.exe
  C:\Windows\System\PWPPxQl.exe
  2⤵
  PID:6456
- C:\Windows\System\dElGgCI.exe
  C:\Windows\System\dElGgCI.exe
  2⤵
  PID:6480
- C:\Windows\System\ShgXcZw.exe
  C:\Windows\System\ShgXcZw.exe
  2⤵
  PID:6504
- C:\Windows\System\eXPwJBe.exe
  C:\Windows\System\eXPwJBe.exe
  2⤵
  PID:6540
- C:\Windows\System\IlzSjrk.exe
  C:\Windows\System\IlzSjrk.exe
  2⤵
  PID:6556
- C:\Windows\System\yIwcLWr.exe
  C:\Windows\System\yIwcLWr.exe
  2⤵
  PID:6584
- C:\Windows\System\FDKQKcO.exe
  C:\Windows\System\FDKQKcO.exe
  2⤵
  PID:6600
- C:\Windows\System\lGYTFfB.exe
  C:\Windows\System\lGYTFfB.exe
  2⤵
  PID:6648
- C:\Windows\System\juhtXHb.exe
  C:\Windows\System\juhtXHb.exe
  2⤵
  PID:6664
- C:\Windows\System\rsAMNDa.exe
  C:\Windows\System\rsAMNDa.exe
  2⤵
  PID:6680
- C:\Windows\System\OueSGsw.exe
  C:\Windows\System\OueSGsw.exe
  2⤵
  PID:6696
- C:\Windows\System\hZYFMvU.exe
  C:\Windows\System\hZYFMvU.exe
  2⤵
  PID:6732
- C:\Windows\System\WvBlEHE.exe
  C:\Windows\System\WvBlEHE.exe
  2⤵
  PID:6748
- C:\Windows\System\fbHVEtj.exe
  C:\Windows\System\fbHVEtj.exe
  2⤵
  PID:6776
- C:\Windows\System\WZyJZGB.exe
  C:\Windows\System\WZyJZGB.exe
  2⤵
  PID:6800
- C:\Windows\System\NbjfLbb.exe
  C:\Windows\System\NbjfLbb.exe
  2⤵
  PID:6840
- C:\Windows\System\LTGeZwF.exe
  C:\Windows\System\LTGeZwF.exe
  2⤵
  PID:6856
- C:\Windows\System\odUipYB.exe
  C:\Windows\System\odUipYB.exe
  2⤵
  PID:6888
- C:\Windows\System\VYRHtaD.exe
  C:\Windows\System\VYRHtaD.exe
  2⤵
  PID:6908
- C:\Windows\System\kSlAvMa.exe
  C:\Windows\System\kSlAvMa.exe
  2⤵
  PID:6932
- C:\Windows\System\ewrtpSo.exe
  C:\Windows\System\ewrtpSo.exe
  2⤵
  PID:7016
- C:\Windows\System\yklBXuo.exe
  C:\Windows\System\yklBXuo.exe
  2⤵
  PID:7036
- C:\Windows\System\uGPCjNx.exe
  C:\Windows\System\uGPCjNx.exe
  2⤵
  PID:7076
- C:\Windows\System\MKCGGIQ.exe
  C:\Windows\System\MKCGGIQ.exe
  2⤵
  PID:7092
- C:\Windows\System\gMVaauG.exe
  C:\Windows\System\gMVaauG.exe
  2⤵
  PID:7120
- C:\Windows\System\mTnzhCP.exe
  C:\Windows\System\mTnzhCP.exe
  2⤵
  PID:7144
- C:\Windows\System\YwAMBnr.exe
  C:\Windows\System\YwAMBnr.exe
  2⤵
  PID:7164
- C:\Windows\System\bFfmoQY.exe
  C:\Windows\System\bFfmoQY.exe
  2⤵
  PID:6156
- C:\Windows\System\CyNEgvS.exe
  C:\Windows\System\CyNEgvS.exe
  2⤵
  PID:6196
- C:\Windows\System\opbYpgB.exe
  C:\Windows\System\opbYpgB.exe
  2⤵
  PID:6276
- C:\Windows\System\COozhkZ.exe
  C:\Windows\System\COozhkZ.exe
  2⤵
  PID:6328
- C:\Windows\System\VdqVAyW.exe
  C:\Windows\System\VdqVAyW.exe
  2⤵
  PID:6396
- C:\Windows\System\FFKtoWc.exe
  C:\Windows\System\FFKtoWc.exe
  2⤵
  PID:6476
- C:\Windows\System\DKjLlSk.exe
  C:\Windows\System\DKjLlSk.exe
  2⤵
  PID:6528
- C:\Windows\System\aMTlFZZ.exe
  C:\Windows\System\aMTlFZZ.exe
  2⤵
  PID:6572
- C:\Windows\System\mXLNySj.exe
  C:\Windows\System\mXLNySj.exe
  2⤵
  PID:6744
- C:\Windows\System\UdvPYDl.exe
  C:\Windows\System\UdvPYDl.exe
  2⤵
  PID:6720
- C:\Windows\System\yDvYiKy.exe
  C:\Windows\System\yDvYiKy.exe
  2⤵
  PID:6836
- C:\Windows\System\FMYZdxj.exe
  C:\Windows\System\FMYZdxj.exe
  2⤵
  PID:6964
- C:\Windows\System\XnDHXLS.exe
  C:\Windows\System\XnDHXLS.exe
  2⤵
  PID:7004
- C:\Windows\System\WVCRfSW.exe
  C:\Windows\System\WVCRfSW.exe
  2⤵
  PID:7068
- C:\Windows\System\YhwTIrX.exe
  C:\Windows\System\YhwTIrX.exe
  2⤵
  PID:7084
- C:\Windows\System\NMaxQNI.exe
  C:\Windows\System\NMaxQNI.exe
  2⤵
  PID:6252
- C:\Windows\System\FFVLFLQ.exe
  C:\Windows\System\FFVLFLQ.exe
  2⤵
  PID:6160
- C:\Windows\System\aykiWxz.exe
  C:\Windows\System\aykiWxz.exe
  2⤵
  PID:6500
- C:\Windows\System\XkBEJCx.exe
  C:\Windows\System\XkBEJCx.exe
  2⤵
  PID:6472
- C:\Windows\System\zronBon.exe
  C:\Windows\System\zronBon.exe
  2⤵
  PID:6640
- C:\Windows\System\xUChbRH.exe
  C:\Windows\System\xUChbRH.exe
  2⤵
  PID:6868
- C:\Windows\System\zvnRnms.exe
  C:\Windows\System\zvnRnms.exe
  2⤵
  PID:7032
- C:\Windows\System\GFsYipB.exe
  C:\Windows\System\GFsYipB.exe
  2⤵
  PID:6552
- C:\Windows\System\oTSgGpM.exe
  C:\Windows\System\oTSgGpM.exe
  2⤵
  PID:6612
- C:\Windows\System\ycXwiKD.exe
  C:\Windows\System\ycXwiKD.exe
  2⤵
  PID:6740
- C:\Windows\System\CycgiUA.exe
  C:\Windows\System\CycgiUA.exe
  2⤵
  PID:7024
- C:\Windows\System\dacYmrh.exe
  C:\Windows\System\dacYmrh.exe
  2⤵
  PID:6904
- C:\Windows\System\SCGnrAB.exe
  C:\Windows\System\SCGnrAB.exe
  2⤵
  PID:6300
- C:\Windows\System\OWjJVuB.exe
  C:\Windows\System\OWjJVuB.exe
  2⤵
  PID:7224
- C:\Windows\System\oEGJslz.exe
  C:\Windows\System\oEGJslz.exe
  2⤵
  PID:7240
- C:\Windows\System\DLYvzQb.exe
  C:\Windows\System\DLYvzQb.exe
  2⤵
  PID:7268
- C:\Windows\System\ggkNpyC.exe
  C:\Windows\System\ggkNpyC.exe
  2⤵
  PID:7296
- C:\Windows\System\OGHDNOx.exe
  C:\Windows\System\OGHDNOx.exe
  2⤵
  PID:7336
- C:\Windows\System\FNihapk.exe
  C:\Windows\System\FNihapk.exe
  2⤵
  PID:7364
- C:\Windows\System\dtMMiYB.exe
  C:\Windows\System\dtMMiYB.exe
  2⤵
  PID:7392
- C:\Windows\System\nJtGqRx.exe
  C:\Windows\System\nJtGqRx.exe
  2⤵
  PID:7420
- C:\Windows\System\YmzDIry.exe
  C:\Windows\System\YmzDIry.exe
  2⤵
  PID:7436
- C:\Windows\System\cKGIeKN.exe
  C:\Windows\System\cKGIeKN.exe
  2⤵
  PID:7464
- C:\Windows\System\vcPzZoe.exe
  C:\Windows\System\vcPzZoe.exe
  2⤵
  PID:7492
- C:\Windows\System\BtZjVRV.exe
  C:\Windows\System\BtZjVRV.exe
  2⤵
  PID:7520
- C:\Windows\System\EimnWlv.exe
  C:\Windows\System\EimnWlv.exe
  2⤵
  PID:7548
- C:\Windows\System\YWKQpoN.exe
  C:\Windows\System\YWKQpoN.exe
  2⤵
  PID:7576
- C:\Windows\System\JnebmZk.exe
  C:\Windows\System\JnebmZk.exe
  2⤵
  PID:7604
- C:\Windows\System\KliZtpR.exe
  C:\Windows\System\KliZtpR.exe
  2⤵
  PID:7644
- C:\Windows\System\fZBjiDm.exe
  C:\Windows\System\fZBjiDm.exe
  2⤵
  PID:7672
- C:\Windows\System\oMNvfHr.exe
  C:\Windows\System\oMNvfHr.exe
  2⤵
  PID:7700
- C:\Windows\System\ZfDWLgw.exe
  C:\Windows\System\ZfDWLgw.exe
  2⤵
  PID:7716
- C:\Windows\System\mWcLVwc.exe
  C:\Windows\System\mWcLVwc.exe
  2⤵
  PID:7756
- C:\Windows\System\rHMKhNU.exe
  C:\Windows\System\rHMKhNU.exe
  2⤵
  PID:7780
- C:\Windows\System\ZwGgVoS.exe
  C:\Windows\System\ZwGgVoS.exe
  2⤵
  PID:7796
- C:\Windows\System\olPWXCD.exe
  C:\Windows\System\olPWXCD.exe
  2⤵
  PID:7812
- C:\Windows\System\kNsrosk.exe
  C:\Windows\System\kNsrosk.exe
  2⤵
  PID:7836
- C:\Windows\System\wRMnZdC.exe
  C:\Windows\System\wRMnZdC.exe
  2⤵
  PID:7880
- C:\Windows\System\MzDIljs.exe
  C:\Windows\System\MzDIljs.exe
  2⤵
  PID:7912
- C:\Windows\System\BzITVXK.exe
  C:\Windows\System\BzITVXK.exe
  2⤵
  PID:7940
- C:\Windows\System\mxEbtuW.exe
  C:\Windows\System\mxEbtuW.exe
  2⤵
  PID:7980
- C:\Windows\System\lXlQelB.exe
  C:\Windows\System\lXlQelB.exe
  2⤵
  PID:8000
- C:\Windows\System\CjOJtFl.exe
  C:\Windows\System\CjOJtFl.exe
  2⤵
  PID:8024
- C:\Windows\System\FRYAsVO.exe
  C:\Windows\System\FRYAsVO.exe
  2⤵
  PID:8052
- C:\Windows\System\VItktcj.exe
  C:\Windows\System\VItktcj.exe
  2⤵
  PID:8096
- C:\Windows\System\oxdhGvH.exe
  C:\Windows\System\oxdhGvH.exe
  2⤵
  PID:8124
- C:\Windows\System\BKbTXxd.exe
  C:\Windows\System\BKbTXxd.exe
  2⤵
  PID:8144
- C:\Windows\System\NSyecxZ.exe
  C:\Windows\System\NSyecxZ.exe
  2⤵
  PID:8188
- C:\Windows\System\RADXShp.exe
  C:\Windows\System\RADXShp.exe
  2⤵
  PID:7192
- C:\Windows\System\qMHCeat.exe
  C:\Windows\System\qMHCeat.exe
  2⤵
  PID:7252
- C:\Windows\System\WiwZYaV.exe
  C:\Windows\System\WiwZYaV.exe
  2⤵
  PID:7292
- C:\Windows\System\IlQSmBT.exe
  C:\Windows\System\IlQSmBT.exe
  2⤵
  PID:7376
- C:\Windows\System\qMTNPnG.exe
  C:\Windows\System\qMTNPnG.exe
  2⤵
  PID:7448
- C:\Windows\System\wSPfgiW.exe
  C:\Windows\System\wSPfgiW.exe
  2⤵
  PID:7512
- C:\Windows\System\CyvvuKk.exe
  C:\Windows\System\CyvvuKk.exe
  2⤵
  PID:7596
- C:\Windows\System\RbsjHrG.exe
  C:\Windows\System\RbsjHrG.exe
  2⤵
  PID:7640
- C:\Windows\System\HwipyaE.exe
  C:\Windows\System\HwipyaE.exe
  2⤵
  PID:7732
- C:\Windows\System\OFHHqaB.exe
  C:\Windows\System\OFHHqaB.exe
  2⤵
  PID:7772
- C:\Windows\System\TZbeKCk.exe
  C:\Windows\System\TZbeKCk.exe
  2⤵
  PID:7832
- C:\Windows\System\kowFKfi.exe
  C:\Windows\System\kowFKfi.exe
  2⤵
  PID:7868
- C:\Windows\System\uSqowAW.exe
  C:\Windows\System\uSqowAW.exe
  2⤵
  PID:7972
- C:\Windows\System\zlxLgLO.exe
  C:\Windows\System\zlxLgLO.exe
  2⤵
  PID:8020
- C:\Windows\System\FSaKiZe.exe
  C:\Windows\System\FSaKiZe.exe
  2⤵
  PID:8072
- C:\Windows\System\SscCeBn.exe
  C:\Windows\System\SscCeBn.exe
  2⤵
  PID:7188
- C:\Windows\System\tSwwFzF.exe
  C:\Windows\System\tSwwFzF.exe
  2⤵
  PID:7280
- C:\Windows\System\njbMPLr.exe
  C:\Windows\System\njbMPLr.exe
  2⤵
  PID:7348
- C:\Windows\System\JURPtYB.exe
  C:\Windows\System\JURPtYB.exe
  2⤵
  PID:7624
- C:\Windows\System\rcxgSKm.exe
  C:\Windows\System\rcxgSKm.exe
  2⤵
  PID:7708
- C:\Windows\System\fSjNPmw.exe
  C:\Windows\System\fSjNPmw.exe
  2⤵
  PID:7860
- C:\Windows\System\QfnDmVL.exe
  C:\Windows\System\QfnDmVL.exe
  2⤵
  PID:7992
- C:\Windows\System\YLmkwEH.exe
  C:\Windows\System\YLmkwEH.exe
  2⤵
  PID:8136
- C:\Windows\System\kscggqD.exe
  C:\Windows\System\kscggqD.exe
  2⤵
  PID:7428
- C:\Windows\System\cAPoCqZ.exe
  C:\Windows\System\cAPoCqZ.exe
  2⤵
  PID:7928
- C:\Windows\System\MMPjsTL.exe
  C:\Windows\System\MMPjsTL.exe
  2⤵
  PID:8164
- C:\Windows\System\JpIEdQA.exe
  C:\Windows\System\JpIEdQA.exe
  2⤵
  PID:7804
- C:\Windows\System\oPZwDnS.exe
  C:\Windows\System\oPZwDnS.exe
  2⤵
  PID:8196
- C:\Windows\System\Owqflwf.exe
  C:\Windows\System\Owqflwf.exe
  2⤵
  PID:8232
- C:\Windows\System\otUUZqv.exe
  C:\Windows\System\otUUZqv.exe
  2⤵
  PID:8252
- C:\Windows\System\nONQPPj.exe
  C:\Windows\System\nONQPPj.exe
  2⤵
  PID:8280
- C:\Windows\System\gRQrGwb.exe
  C:\Windows\System\gRQrGwb.exe
  2⤵
  PID:8320
- C:\Windows\System\GeeiAeM.exe
  C:\Windows\System\GeeiAeM.exe
  2⤵
  PID:8336
- C:\Windows\System\BixDTVN.exe
  C:\Windows\System\BixDTVN.exe
  2⤵
  PID:8368
- C:\Windows\System\ybsIwGw.exe
  C:\Windows\System\ybsIwGw.exe
  2⤵
  PID:8408
- C:\Windows\System\ewJxBIw.exe
  C:\Windows\System\ewJxBIw.exe
  2⤵
  PID:8424
- C:\Windows\System\FaBUicU.exe
  C:\Windows\System\FaBUicU.exe
  2⤵
  PID:8452
- C:\Windows\System\NVgzJSP.exe
  C:\Windows\System\NVgzJSP.exe
  2⤵
  PID:8480
- C:\Windows\System\xsRrwng.exe
  C:\Windows\System\xsRrwng.exe
  2⤵
  PID:8496
- C:\Windows\System\pvbtRch.exe
  C:\Windows\System\pvbtRch.exe
  2⤵
  PID:8528
- C:\Windows\System\tRdLKTi.exe
  C:\Windows\System\tRdLKTi.exe
  2⤵
  PID:8560
- C:\Windows\System\vzWMRdf.exe
  C:\Windows\System\vzWMRdf.exe
  2⤵
  PID:8600
- C:\Windows\System\dyITrDX.exe
  C:\Windows\System\dyITrDX.exe
  2⤵
  PID:8616
- C:\Windows\System\zQSlmrE.exe
  C:\Windows\System\zQSlmrE.exe
  2⤵
  PID:8632
- C:\Windows\System\SsmNtZP.exe
  C:\Windows\System\SsmNtZP.exe
  2⤵
  PID:8652
- C:\Windows\System\SnhHnkM.exe
  C:\Windows\System\SnhHnkM.exe
  2⤵
  PID:8680
- C:\Windows\System\EnVflGB.exe
  C:\Windows\System\EnVflGB.exe
  2⤵
  PID:8712
- C:\Windows\System\WONVdLy.exe
  C:\Windows\System\WONVdLy.exe
  2⤵
  PID:8744
- C:\Windows\System\MOBxoEU.exe
  C:\Windows\System\MOBxoEU.exe
  2⤵
  PID:8796
- C:\Windows\System\YCcErRz.exe
  C:\Windows\System\YCcErRz.exe
  2⤵
  PID:8812
- C:\Windows\System\SrXPOJk.exe
  C:\Windows\System\SrXPOJk.exe
  2⤵
  PID:8832
- C:\Windows\System\KVLhrJy.exe
  C:\Windows\System\KVLhrJy.exe
  2⤵
  PID:8860
- C:\Windows\System\pKPgWxb.exe
  C:\Windows\System\pKPgWxb.exe
  2⤵
  PID:8904
- C:\Windows\System\nBQLyMj.exe
  C:\Windows\System\nBQLyMj.exe
  2⤵
  PID:8932
- C:\Windows\System\wLwoXad.exe
  C:\Windows\System\wLwoXad.exe
  2⤵
  PID:8968
- C:\Windows\System\bgDVtfA.exe
  C:\Windows\System\bgDVtfA.exe
  2⤵
  PID:8988
- C:\Windows\System\AyWGdzG.exe
  C:\Windows\System\AyWGdzG.exe
  2⤵
  PID:9016
- C:\Windows\System\RSSZgRa.exe
  C:\Windows\System\RSSZgRa.exe
  2⤵
  PID:9056
- C:\Windows\System\saIZnFj.exe
  C:\Windows\System\saIZnFj.exe
  2⤵
  PID:9072
- C:\Windows\System\FDktdXb.exe
  C:\Windows\System\FDktdXb.exe
  2⤵
  PID:9112
- C:\Windows\System\obYdcaw.exe
  C:\Windows\System\obYdcaw.exe
  2⤵
  PID:9128
- C:\Windows\System\qcHgaoD.exe
  C:\Windows\System\qcHgaoD.exe
  2⤵
  PID:9144
- C:\Windows\System\pWiJFCn.exe
  C:\Windows\System\pWiJFCn.exe
  2⤵
  PID:9184
- C:\Windows\System\mfHiWlH.exe
  C:\Windows\System\mfHiWlH.exe
  2⤵
  PID:9212
- C:\Windows\System\YzNmjob.exe
  C:\Windows\System\YzNmjob.exe
  2⤵
  PID:8268
- C:\Windows\System\IZXElGN.exe
  C:\Windows\System\IZXElGN.exe
  2⤵
  PID:8316
- C:\Windows\System\kNJCTZU.exe
  C:\Windows\System\kNJCTZU.exe
  2⤵
  PID:8360
- C:\Windows\System\gqtNIlX.exe
  C:\Windows\System\gqtNIlX.exe
  2⤵
  PID:8436
- C:\Windows\System\ZELmjNG.exe
  C:\Windows\System\ZELmjNG.exe
  2⤵
  PID:8488
- C:\Windows\System\VPspPEg.exe
  C:\Windows\System\VPspPEg.exe
  2⤵
  PID:8508
- C:\Windows\System\TDUPFVC.exe
  C:\Windows\System\TDUPFVC.exe
  2⤵
  PID:8592
- C:\Windows\System\ccYPJFJ.exe
  C:\Windows\System\ccYPJFJ.exe
  2⤵
  PID:8668
- C:\Windows\System\qvHmPET.exe
  C:\Windows\System\qvHmPET.exe
  2⤵
  PID:8732
- C:\Windows\System\KAPLjBO.exe
  C:\Windows\System\KAPLjBO.exe
  2⤵
  PID:8828
- C:\Windows\System\XdLFsxA.exe
  C:\Windows\System\XdLFsxA.exe
  2⤵
  PID:8856
- C:\Windows\System\WhCAneV.exe
  C:\Windows\System\WhCAneV.exe
  2⤵
  PID:8920
- C:\Windows\System\uqZMRRf.exe
  C:\Windows\System\uqZMRRf.exe
  2⤵
  PID:9004
- C:\Windows\System\hPvzxpy.exe
  C:\Windows\System\hPvzxpy.exe
  2⤵
  PID:9064
- C:\Windows\System\HESNLUa.exe
  C:\Windows\System\HESNLUa.exe
  2⤵
  PID:9120
- C:\Windows\System\hSHcvcI.exe
  C:\Windows\System\hSHcvcI.exe
  2⤵
  PID:9172
- C:\Windows\System\UqIEFqK.exe
  C:\Windows\System\UqIEFqK.exe
  2⤵
  PID:9200
- C:\Windows\System\ITWoiVV.exe
  C:\Windows\System\ITWoiVV.exe
  2⤵
  PID:8300
- C:\Windows\System\StoRMcL.exe
  C:\Windows\System\StoRMcL.exe
  2⤵
  PID:8772
- C:\Windows\System\OyJqNxW.exe
  C:\Windows\System\OyJqNxW.exe
  2⤵
  PID:8948
- C:\Windows\System\eyWULys.exe
  C:\Windows\System\eyWULys.exe
  2⤵
  PID:8916
- C:\Windows\System\NVqlqLY.exe
  C:\Windows\System\NVqlqLY.exe
  2⤵
  PID:9124
- C:\Windows\System\kASuTYn.exe
  C:\Windows\System\kASuTYn.exe
  2⤵
  PID:8348
- C:\Windows\System\TqWoGZZ.exe
  C:\Windows\System\TqWoGZZ.exe
  2⤵
  PID:8640
- C:\Windows\System\CXebCrb.exe
  C:\Windows\System\CXebCrb.exe
  2⤵
  PID:8976
- C:\Windows\System\yqILMXq.exe
  C:\Windows\System\yqILMXq.exe
  2⤵
  PID:8740
- C:\Windows\System\VILcolU.exe
  C:\Windows\System\VILcolU.exe
  2⤵
  PID:9232
- C:\Windows\System\juHySPJ.exe
  C:\Windows\System\juHySPJ.exe
  2⤵
  PID:9260
- C:\Windows\System\FLnBqYa.exe
  C:\Windows\System\FLnBqYa.exe
  2⤵
  PID:9288
- C:\Windows\System\BbardDN.exe
  C:\Windows\System\BbardDN.exe
  2⤵
  PID:9316
- C:\Windows\System\xUwGwti.exe
  C:\Windows\System\xUwGwti.exe
  2⤵
  PID:9344
- C:\Windows\System\gOOLssk.exe
  C:\Windows\System\gOOLssk.exe
  2⤵
  PID:9368
- C:\Windows\System\SKbXmPK.exe
  C:\Windows\System\SKbXmPK.exe
  2⤵
  PID:9400
- C:\Windows\System\jPIeYLk.exe
  C:\Windows\System\jPIeYLk.exe
  2⤵
  PID:9440
- C:\Windows\System\soMvEAT.exe
  C:\Windows\System\soMvEAT.exe
  2⤵
  PID:9464
- C:\Windows\System\IUrbjYO.exe
  C:\Windows\System\IUrbjYO.exe
  2⤵
  PID:9492
- C:\Windows\System\RoFwhyN.exe
  C:\Windows\System\RoFwhyN.exe
  2⤵
  PID:9524
- C:\Windows\System\SbIHCKd.exe
  C:\Windows\System\SbIHCKd.exe
  2⤵
  PID:9544
- C:\Windows\System\CuVTcjq.exe
  C:\Windows\System\CuVTcjq.exe
  2⤵
  PID:9568
- C:\Windows\System\OpnvAhg.exe
  C:\Windows\System\OpnvAhg.exe
  2⤵
  PID:9600
- C:\Windows\System\PrEgLOI.exe
  C:\Windows\System\PrEgLOI.exe
  2⤵
  PID:9628
- C:\Windows\System\hBuHhrZ.exe
  C:\Windows\System\hBuHhrZ.exe
  2⤵
  PID:9656
- C:\Windows\System\ISASNsd.exe
  C:\Windows\System\ISASNsd.exe
  2⤵
  PID:9696
- C:\Windows\System\VONhpwi.exe
  C:\Windows\System\VONhpwi.exe
  2⤵
  PID:9712
- C:\Windows\System\GZfeSAb.exe
  C:\Windows\System\GZfeSAb.exe
  2⤵
  PID:9740
- C:\Windows\System\DAbDDun.exe
  C:\Windows\System\DAbDDun.exe
  2⤵
  PID:9780
- C:\Windows\System\scKdcgV.exe
  C:\Windows\System\scKdcgV.exe
  2⤵
  PID:9808
- C:\Windows\System\XsZgOSJ.exe
  C:\Windows\System\XsZgOSJ.exe
  2⤵
  PID:9832
- C:\Windows\System\TQVqOqS.exe
  C:\Windows\System\TQVqOqS.exe
  2⤵
  PID:9856
- C:\Windows\System\VydpTyh.exe
  C:\Windows\System\VydpTyh.exe
  2⤵
  PID:9880
- C:\Windows\System\cmmffTD.exe
  C:\Windows\System\cmmffTD.exe
  2⤵
  PID:9908
- C:\Windows\System\TZUickM.exe
  C:\Windows\System\TZUickM.exe
  2⤵
  PID:9948
- C:\Windows\System\dJSKsSk.exe
  C:\Windows\System\dJSKsSk.exe
  2⤵
  PID:9976
- C:\Windows\System\QBubkNE.exe
  C:\Windows\System\QBubkNE.exe
  2⤵
  PID:10004
- C:\Windows\System\fYeCTRJ.exe
  C:\Windows\System\fYeCTRJ.exe
  2⤵
  PID:10020
- C:\Windows\System\rgxvwwT.exe
  C:\Windows\System\rgxvwwT.exe
  2⤵
  PID:10048
- C:\Windows\System\VlmqtVe.exe
  C:\Windows\System\VlmqtVe.exe
  2⤵
  PID:10076
- C:\Windows\System\NejRKku.exe
  C:\Windows\System\NejRKku.exe
  2⤵
  PID:10104
- C:\Windows\System\sYcNyiW.exe
  C:\Windows\System\sYcNyiW.exe
  2⤵
  PID:10132
- C:\Windows\System\XycAtDO.exe
  C:\Windows\System\XycAtDO.exe
  2⤵
  PID:10160
- C:\Windows\System\fmjUhDv.exe
  C:\Windows\System\fmjUhDv.exe
  2⤵
  PID:10188
- C:\Windows\System\ZmPwtRs.exe
  C:\Windows\System\ZmPwtRs.exe
  2⤵
  PID:10228
- C:\Windows\System\JbaGpzX.exe
  C:\Windows\System\JbaGpzX.exe
  2⤵
  PID:8512
- C:\Windows\System\ckDWlVa.exe
  C:\Windows\System\ckDWlVa.exe
  2⤵
  PID:9244
- C:\Windows\System\FdxinMV.exe
  C:\Windows\System\FdxinMV.exe
  2⤵
  PID:9304
- C:\Windows\System\Oqsozmv.exe
  C:\Windows\System\Oqsozmv.exe
  2⤵
  PID:9452
- C:\Windows\System\bXNfhup.exe
  C:\Windows\System\bXNfhup.exe
  2⤵
  PID:9416
- C:\Windows\System\rdjzwdb.exe
  C:\Windows\System\rdjzwdb.exe
  2⤵
  PID:9520
- C:\Windows\System\vdjWguN.exe
  C:\Windows\System\vdjWguN.exe
  2⤵
  PID:9588
- C:\Windows\System\EmLbOuy.exe
  C:\Windows\System\EmLbOuy.exe
  2⤵
  PID:9676
- C:\Windows\System\DCqVKfL.exe
  C:\Windows\System\DCqVKfL.exe
  2⤵
  PID:9724
- C:\Windows\System\ukjDuAh.exe
  C:\Windows\System\ukjDuAh.exe
  2⤵
  PID:9776
- C:\Windows\System\zNDGrLE.exe
  C:\Windows\System\zNDGrLE.exe
  2⤵
  PID:9864
- C:\Windows\System\CcrpbXq.exe
  C:\Windows\System\CcrpbXq.exe
  2⤵
  PID:9936
- C:\Windows\System\tUIYxip.exe
  C:\Windows\System\tUIYxip.exe
  2⤵
  PID:9972
- C:\Windows\System\YPABOpj.exe
  C:\Windows\System\YPABOpj.exe
  2⤵
  PID:10060
- C:\Windows\System\eDYnYub.exe
  C:\Windows\System\eDYnYub.exe
  2⤵
  PID:10116
- C:\Windows\System\tfKElcz.exe
  C:\Windows\System\tfKElcz.exe
  2⤵
  PID:10208
- C:\Windows\System\BjXjtVX.exe
  C:\Windows\System\BjXjtVX.exe
  2⤵
  PID:9252
- C:\Windows\System\yfNHREl.exe
  C:\Windows\System\yfNHREl.exe
  2⤵
  PID:9380
- C:\Windows\System\sWzThmQ.exe
  C:\Windows\System\sWzThmQ.exe
  2⤵
  PID:9476
- C:\Windows\System\JgZmGfG.exe
  C:\Windows\System\JgZmGfG.exe
  2⤵
  PID:9672
- C:\Windows\System\RRPqOxX.exe
  C:\Windows\System\RRPqOxX.exe
  2⤵
  PID:9772
- C:\Windows\System\tlGqJPt.exe
  C:\Windows\System\tlGqJPt.exe
  2⤵
  PID:9924
- C:\Windows\System\kvZOVmD.exe
  C:\Windows\System\kvZOVmD.exe
  2⤵
  PID:10012
- C:\Windows\System\nCAbMip.exe
  C:\Windows\System\nCAbMip.exe
  2⤵
  PID:10176
- C:\Windows\System\HKiFPAH.exe
  C:\Windows\System\HKiFPAH.exe
  2⤵
  PID:9484
- C:\Windows\System\TQoojUA.exe
  C:\Windows\System\TQoojUA.exe
  2⤵
  PID:10036
- C:\Windows\System\hmnLJaC.exe
  C:\Windows\System\hmnLJaC.exe
  2⤵
  PID:9248
- C:\Windows\System\EcmaaVv.exe
  C:\Windows\System\EcmaaVv.exe
  2⤵
  PID:9792
- C:\Windows\System\PdZMinw.exe
  C:\Windows\System\PdZMinw.exe
  2⤵
  PID:9540
- C:\Windows\System\ydhjKZA.exe
  C:\Windows\System\ydhjKZA.exe
  2⤵
  PID:10268
- C:\Windows\System\EUUhoKF.exe
  C:\Windows\System\EUUhoKF.exe
  2⤵
  PID:10292
- C:\Windows\System\zwArsFA.exe
  C:\Windows\System\zwArsFA.exe
  2⤵
  PID:10324
- C:\Windows\System\jrNObBc.exe
  C:\Windows\System\jrNObBc.exe
  2⤵
  PID:10340
- C:\Windows\System\RyovuZJ.exe
  C:\Windows\System\RyovuZJ.exe
  2⤵
  PID:10392
- C:\Windows\System\AKPJIyp.exe
  C:\Windows\System\AKPJIyp.exe
  2⤵
  PID:10412
- C:\Windows\System\xdwYaMl.exe
  C:\Windows\System\xdwYaMl.exe
  2⤵
  PID:10436
- C:\Windows\System\wDLPBTM.exe
  C:\Windows\System\wDLPBTM.exe
  2⤵
  PID:10452
- C:\Windows\System\glVIBPG.exe
  C:\Windows\System\glVIBPG.exe
  2⤵
  PID:10492
- C:\Windows\System\mXmqAuK.exe
  C:\Windows\System\mXmqAuK.exe
  2⤵
  PID:10536
- C:\Windows\System\GgaorPr.exe
  C:\Windows\System\GgaorPr.exe
  2⤵
  PID:10564
- C:\Windows\System\rBBWOra.exe
  C:\Windows\System\rBBWOra.exe
  2⤵
  PID:10592
- C:\Windows\System\ArwpcGo.exe
  C:\Windows\System\ArwpcGo.exe
  2⤵
  PID:10608
- C:\Windows\System\bVNNDar.exe
  C:\Windows\System\bVNNDar.exe
  2⤵
  PID:10636
- C:\Windows\System\mwWoXRi.exe
  C:\Windows\System\mwWoXRi.exe
  2⤵
  PID:10664
- C:\Windows\System\dMLtSpE.exe
  C:\Windows\System\dMLtSpE.exe
  2⤵
  PID:10704
- C:\Windows\System\DJyzgUT.exe
  C:\Windows\System\DJyzgUT.exe
  2⤵
  PID:10720
- C:\Windows\System\mqNqOPO.exe
  C:\Windows\System\mqNqOPO.exe
  2⤵
  PID:10760
- C:\Windows\System\JskUjGq.exe
  C:\Windows\System\JskUjGq.exe
  2⤵
  PID:10788
- C:\Windows\System\QODGCNQ.exe
  C:\Windows\System\QODGCNQ.exe
  2⤵
  PID:10804
- C:\Windows\System\rBoDbDI.exe
  C:\Windows\System\rBoDbDI.exe
  2⤵
  PID:10820
- C:\Windows\System\UprcApk.exe
  C:\Windows\System\UprcApk.exe
  2⤵
  PID:10872
- C:\Windows\System\aYTHchl.exe
  C:\Windows\System\aYTHchl.exe
  2⤵
  PID:10900
- C:\Windows\System\PjwGTnD.exe
  C:\Windows\System\PjwGTnD.exe
  2⤵
  PID:10916
- C:\Windows\System\geNmUSc.exe
  C:\Windows\System\geNmUSc.exe
  2⤵
  PID:10936
- C:\Windows\System\CoWvZBw.exe
  C:\Windows\System\CoWvZBw.exe
  2⤵
  PID:10960
- C:\Windows\System\rMvrAed.exe
  C:\Windows\System\rMvrAed.exe
  2⤵
  PID:10988
- C:\Windows\System\nLNfYGA.exe
  C:\Windows\System\nLNfYGA.exe
  2⤵
  PID:11012
- C:\Windows\System\AXelLWG.exe
  C:\Windows\System\AXelLWG.exe
  2⤵
  PID:11032
- C:\Windows\System\LARaApL.exe
  C:\Windows\System\LARaApL.exe
  2⤵
  PID:11048
- C:\Windows\System\Agtunep.exe
  C:\Windows\System\Agtunep.exe
  2⤵
  PID:11072
- C:\Windows\System\hKytYFB.exe
  C:\Windows\System\hKytYFB.exe
  2⤵
  PID:11108
- C:\Windows\System\irYaGvb.exe
  C:\Windows\System\irYaGvb.exe
  2⤵
  PID:11168
- C:\Windows\System\eLjywTt.exe
  C:\Windows\System\eLjywTt.exe
  2⤵
  PID:11184
- C:\Windows\System\qXtHEge.exe
  C:\Windows\System\qXtHEge.exe
  2⤵
  PID:11236
- C:\Windows\System\lRnlOvW.exe
  C:\Windows\System\lRnlOvW.exe
  2⤵
  PID:11252
- C:\Windows\System\EvdqCfq.exe
  C:\Windows\System\EvdqCfq.exe
  2⤵
  PID:10252
- C:\Windows\System\oOYVbFg.exe
  C:\Windows\System\oOYVbFg.exe
  2⤵
  PID:10316
- C:\Windows\System\slKKlRT.exe
  C:\Windows\System\slKKlRT.exe
  2⤵
  PID:10432
- C:\Windows\System\kgzNjEh.exe
  C:\Windows\System\kgzNjEh.exe
  2⤵
  PID:10484
- C:\Windows\System\dxtPycw.exe
  C:\Windows\System\dxtPycw.exe
  2⤵
  PID:10532
- C:\Windows\System\dGkPKmX.exe
  C:\Windows\System\dGkPKmX.exe
  2⤵
  PID:10584
- C:\Windows\System\sdpVZGx.exe
  C:\Windows\System\sdpVZGx.exe
  2⤵
  PID:10680
- C:\Windows\System\AeVNUki.exe
  C:\Windows\System\AeVNUki.exe
  2⤵
  PID:10712
- C:\Windows\System\dKUvgkK.exe
  C:\Windows\System\dKUvgkK.exe
  2⤵
  PID:10800
- C:\Windows\System\pDerDUh.exe
  C:\Windows\System\pDerDUh.exe
  2⤵
  PID:10844
- C:\Windows\System\hCkJTUU.exe
  C:\Windows\System\hCkJTUU.exe
  2⤵
  PID:10932
- C:\Windows\System\pCxXGAy.exe
  C:\Windows\System\pCxXGAy.exe
  2⤵
  PID:11004
- C:\Windows\System\BbnAvDf.exe
  C:\Windows\System\BbnAvDf.exe
  2⤵
  PID:11096
- C:\Windows\System\RWYEgeR.exe
  C:\Windows\System\RWYEgeR.exe
  2⤵
  PID:11176
- C:\Windows\System\qDpkxMt.exe
  C:\Windows\System\qDpkxMt.exe
  2⤵
  PID:11228
- C:\Windows\System\SgBetWA.exe
  C:\Windows\System\SgBetWA.exe
  2⤵
  PID:10320
- C:\Windows\System\YARehiH.exe
  C:\Windows\System\YARehiH.exe
  2⤵
  PID:10384
- C:\Windows\System\CtxDVLS.exe
  C:\Windows\System\CtxDVLS.exe
  2⤵
  PID:10448
- C:\Windows\System\NKxBVvN.exe
  C:\Windows\System\NKxBVvN.exe
  2⤵
  PID:10632
- C:\Windows\System\icwvUHr.exe
  C:\Windows\System\icwvUHr.exe
  2⤵
  PID:10884
- C:\Windows\System\fFIZrhn.exe
  C:\Windows\System\fFIZrhn.exe
  2⤵
  PID:11136
- C:\Windows\System\GxlOcGo.exe
  C:\Windows\System\GxlOcGo.exe
  2⤵
  PID:11164
- C:\Windows\System\ieouXhv.exe
  C:\Windows\System\ieouXhv.exe
  2⤵
  PID:10428
- C:\Windows\System\eZnTpPh.exe
  C:\Windows\System\eZnTpPh.exe
  2⤵
  PID:10752
- C:\Windows\System\iojQAhg.exe
  C:\Windows\System\iojQAhg.exe
  2⤵
  PID:11064
- C:\Windows\System\eQvTsux.exe
  C:\Windows\System\eQvTsux.exe
  2⤵
  PID:10776
- C:\Windows\System\RMwGRnL.exe
  C:\Windows\System\RMwGRnL.exe
  2⤵
  PID:11132
- C:\Windows\System\fCVkkuK.exe
  C:\Windows\System\fCVkkuK.exe
  2⤵
  PID:11280
- C:\Windows\System\kOQtcSl.exe
  C:\Windows\System\kOQtcSl.exe
  2⤵
  PID:11300
- C:\Windows\System\KdCjLIi.exe
  C:\Windows\System\KdCjLIi.exe
  2⤵
  PID:11316
- C:\Windows\System\KpYeHFU.exe
  C:\Windows\System\KpYeHFU.exe
  2⤵
  PID:11352
- C:\Windows\System\kIBYzAg.exe
  C:\Windows\System\kIBYzAg.exe
  2⤵
  PID:11396
- C:\Windows\System\MhEngcT.exe
  C:\Windows\System\MhEngcT.exe
  2⤵
  PID:11424
- C:\Windows\System\PllWqSY.exe
  C:\Windows\System\PllWqSY.exe
  2⤵
  PID:11452
- C:\Windows\System\iYgjFVp.exe
  C:\Windows\System\iYgjFVp.exe
  2⤵
  PID:11480
- C:\Windows\System\uyxmpcR.exe
  C:\Windows\System\uyxmpcR.exe
  2⤵
  PID:11512
- C:\Windows\System\tPYzaqt.exe
  C:\Windows\System\tPYzaqt.exe
  2⤵
  PID:11536
- C:\Windows\System\ObvnaCM.exe
  C:\Windows\System\ObvnaCM.exe
  2⤵
  PID:11556
- C:\Windows\System\fMTssVq.exe
  C:\Windows\System\fMTssVq.exe
  2⤵
  PID:11572
- C:\Windows\System\vZefVVZ.exe
  C:\Windows\System\vZefVVZ.exe
  2⤵
  PID:11616
- C:\Windows\System\UTFzGNN.exe
  C:\Windows\System\UTFzGNN.exe
  2⤵
  PID:11648
- C:\Windows\System\gilWTbq.exe
  C:\Windows\System\gilWTbq.exe
  2⤵
  PID:11668
- C:\Windows\System\fIEQHBV.exe
  C:\Windows\System\fIEQHBV.exe
  2⤵
  PID:11696
- C:\Windows\System\LadhaXv.exe
  C:\Windows\System\LadhaXv.exe
  2⤵
  PID:11712
- C:\Windows\System\oVDviYv.exe
  C:\Windows\System\oVDviYv.exe
  2⤵
  PID:11740
- C:\Windows\System\thTcnYw.exe
  C:\Windows\System\thTcnYw.exe
  2⤵
  PID:11780
- C:\Windows\System\OMspDOW.exe
  C:\Windows\System\OMspDOW.exe
  2⤵
  PID:11820
- C:\Windows\System\PtJUAlG.exe
  C:\Windows\System\PtJUAlG.exe
  2⤵
  PID:11840
- C:\Windows\System\oNBGIRI.exe
  C:\Windows\System\oNBGIRI.exe
  2⤵
  PID:11864
- C:\Windows\System\DWEBVFa.exe
  C:\Windows\System\DWEBVFa.exe
  2⤵
  PID:11892
- C:\Windows\System\aylszbX.exe
  C:\Windows\System\aylszbX.exe
  2⤵
  PID:11932
- C:\Windows\System\wQkWHIL.exe
  C:\Windows\System\wQkWHIL.exe
  2⤵
  PID:11948
- C:\Windows\System\gtrvgfe.exe
  C:\Windows\System\gtrvgfe.exe
  2⤵
  PID:11984
- C:\Windows\System\eRnSGsO.exe
  C:\Windows\System\eRnSGsO.exe
  2⤵
  PID:12016
- C:\Windows\System\gCHLlMw.exe
  C:\Windows\System\gCHLlMw.exe
  2⤵
  PID:12040
- C:\Windows\System\ebEBCSt.exe
  C:\Windows\System\ebEBCSt.exe
  2⤵
  PID:12072
- C:\Windows\System\HlRwSVS.exe
  C:\Windows\System\HlRwSVS.exe
  2⤵
  PID:12096
- C:\Windows\System\epeiuhI.exe
  C:\Windows\System\epeiuhI.exe
  2⤵
  PID:12136
- C:\Windows\System\vGvqdYu.exe
  C:\Windows\System\vGvqdYu.exe
  2⤵
  PID:12168
- C:\Windows\System\HWQhRdI.exe
  C:\Windows\System\HWQhRdI.exe
  2⤵
  PID:12184
- C:\Windows\System\EYaZVGo.exe
  C:\Windows\System\EYaZVGo.exe
  2⤵
  PID:12212
- C:\Windows\System\AVnhkyR.exe
  C:\Windows\System\AVnhkyR.exe
  2⤵
  PID:12228
- C:\Windows\System\sPvzbww.exe
  C:\Windows\System\sPvzbww.exe
  2⤵
  PID:12256
- C:\Windows\System\EsIiZWD.exe
  C:\Windows\System\EsIiZWD.exe
  2⤵
  PID:10560
- C:\Windows\System\VeGGsGy.exe
  C:\Windows\System\VeGGsGy.exe
  2⤵
  PID:11340
- C:\Windows\System\kmCZuLw.exe
  C:\Windows\System\kmCZuLw.exe
  2⤵
  PID:11416
- C:\Windows\System\BIMqaHP.exe
  C:\Windows\System\BIMqaHP.exe
  2⤵
  PID:11476
- C:\Windows\System\LBUSVnb.exe
  C:\Windows\System\LBUSVnb.exe
  2⤵
  PID:11552
- C:\Windows\System\bJotxdR.exe
  C:\Windows\System\bJotxdR.exe
  2⤵
  PID:11604
- C:\Windows\System\rRiePGn.exe
  C:\Windows\System\rRiePGn.exe
  2⤵
  PID:11680
- C:\Windows\System\myFUvWI.exe
  C:\Windows\System\myFUvWI.exe
  2⤵
  PID:11764
- C:\Windows\System\orNDFww.exe
  C:\Windows\System\orNDFww.exe
  2⤵
  PID:11832
- C:\Windows\System\VQgPMaf.exe
  C:\Windows\System\VQgPMaf.exe
  2⤵
  PID:11876
- C:\Windows\System\VHPwPSe.exe
  C:\Windows\System\VHPwPSe.exe
  2⤵
  PID:11960
- C:\Windows\System\QdicyoR.exe
  C:\Windows\System\QdicyoR.exe
  2⤵
  PID:12036
- C:\Windows\System\KHsKjTo.exe
  C:\Windows\System\KHsKjTo.exe
  2⤵
  PID:12092
- C:\Windows\System\GIeVlXa.exe
  C:\Windows\System\GIeVlXa.exe
  2⤵
  PID:12164
- C:\Windows\System\RFJzKNS.exe
  C:\Windows\System\RFJzKNS.exe
  2⤵
  PID:12196
- C:\Windows\System\BauRchv.exe
  C:\Windows\System\BauRchv.exe
  2⤵
  PID:12276
- C:\Windows\System\npjYLiT.exe
  C:\Windows\System\npjYLiT.exe
  2⤵
  PID:11312
- C:\Windows\System\IDglukZ.exe
  C:\Windows\System\IDglukZ.exe
  2⤵
  PID:11440
- C:\Windows\System\ezZvEut.exe
  C:\Windows\System\ezZvEut.exe
  2⤵
  PID:11584
- C:\Windows\System\KFGfAzT.exe
  C:\Windows\System\KFGfAzT.exe
  2⤵
  PID:11796
- C:\Windows\System\kecdGmz.exe
  C:\Windows\System\kecdGmz.exe
  2⤵
  PID:11992
- C:\Windows\System\GiKVjBP.exe
  C:\Windows\System\GiKVjBP.exe
  2⤵
  PID:12128
- C:\Windows\System\IwWMVMT.exe
  C:\Windows\System\IwWMVMT.exe
  2⤵
  PID:12248
- C:\Windows\System\oybcdyS.exe
  C:\Windows\System\oybcdyS.exe
  2⤵
  PID:11492
- C:\Windows\System\FZpucUO.exe
  C:\Windows\System\FZpucUO.exe
  2⤵
  PID:11704
- C:\Windows\System\VQOIZCA.exe
  C:\Windows\System\VQOIZCA.exe
  2⤵
  PID:11500
- C:\Windows\System\oyWDTaE.exe
  C:\Windows\System\oyWDTaE.exe
  2⤵
  PID:12300
- C:\Windows\System\OlTBuAe.exe
  C:\Windows\System\OlTBuAe.exe
  2⤵
  PID:12332
- C:\Windows\System\ZGEktyk.exe
  C:\Windows\System\ZGEktyk.exe
  2⤵
  PID:12356
- C:\Windows\System\mwsOsnU.exe
  C:\Windows\System\mwsOsnU.exe
  2⤵
  PID:12396
- C:\Windows\System\cktksdS.exe
  C:\Windows\System\cktksdS.exe
  2⤵
  PID:12436
- C:\Windows\System\QpWqNBV.exe
  C:\Windows\System\QpWqNBV.exe
  2⤵
  PID:12464
- C:\Windows\System\xejUNHH.exe
  C:\Windows\System\xejUNHH.exe
  2⤵
  PID:12488
- C:\Windows\System\IrybVry.exe
  C:\Windows\System\IrybVry.exe
  2⤵
  PID:12520
- C:\Windows\System\YCOMjCg.exe
  C:\Windows\System\YCOMjCg.exe
  2⤵
  PID:12540
- C:\Windows\System\ANsovFY.exe
  C:\Windows\System\ANsovFY.exe
  2⤵
  PID:12564
- C:\Windows\System\SkdKkNf.exe
  C:\Windows\System\SkdKkNf.exe
  2⤵
  PID:12588
- C:\Windows\System\NLDZozH.exe
  C:\Windows\System\NLDZozH.exe
  2⤵
  PID:12620
- C:\Windows\System\lVhlFZu.exe
  C:\Windows\System\lVhlFZu.exe
  2⤵
  PID:12644
- C:\Windows\System\CnPkoRS.exe
  C:\Windows\System\CnPkoRS.exe
  2⤵
  PID:12676
- C:\Windows\System\eHULuHu.exe
  C:\Windows\System\eHULuHu.exe
  2⤵
  PID:12704
- C:\Windows\System\NqgqRlz.exe
  C:\Windows\System\NqgqRlz.exe
  2⤵
  PID:12732
- C:\Windows\System\zSAPOdK.exe
  C:\Windows\System\zSAPOdK.exe
  2⤵
  PID:12772
- C:\Windows\System\YVKlUdw.exe
  C:\Windows\System\YVKlUdw.exe
  2⤵
  PID:12788
- C:\Windows\System\TrNobrf.exe
  C:\Windows\System\TrNobrf.exe
  2⤵
  PID:12816
- C:\Windows\System\lOBJJSt.exe
  C:\Windows\System\lOBJJSt.exe
  2⤵
  PID:12832
- C:\Windows\System\IFaIVdU.exe
  C:\Windows\System\IFaIVdU.exe
  2⤵
  PID:12872
- C:\Windows\System\bOeJusv.exe
  C:\Windows\System\bOeJusv.exe
  2⤵
  PID:12896
- C:\Windows\System\qdodtYX.exe
  C:\Windows\System\qdodtYX.exe
  2⤵
  PID:12928
- C:\Windows\System\LQFdAwZ.exe
  C:\Windows\System\LQFdAwZ.exe
  2⤵
  PID:12944
- C:\Windows\System\zJQDeCG.exe
  C:\Windows\System\zJQDeCG.exe
  2⤵
  PID:12972
- C:\Windows\System\SewvYsI.exe
  C:\Windows\System\SewvYsI.exe
  2⤵
  PID:13008
- C:\Windows\System\HcvhiqM.exe
  C:\Windows\System\HcvhiqM.exe
  2⤵
  PID:13032
- C:\Windows\System\UMWLvbY.exe
  C:\Windows\System\UMWLvbY.exe
  2⤵
  PID:13064
- C:\Windows\System\RjEfKWH.exe
  C:\Windows\System\RjEfKWH.exe
  2⤵
  PID:13104
- C:\Windows\System\KDxkxgu.exe
  C:\Windows\System\KDxkxgu.exe
  2⤵
  PID:13136
- C:\Windows\System\AUMqDCe.exe
  C:\Windows\System\AUMqDCe.exe
  2⤵
  PID:13156
- C:\Windows\System\AqyGZZe.exe
  C:\Windows\System\AqyGZZe.exe
  2⤵
  PID:13184
- C:\Windows\System\kyTqRai.exe
  C:\Windows\System\kyTqRai.exe
  2⤵
  PID:13208
- C:\Windows\System\eNCUowW.exe
  C:\Windows\System\eNCUowW.exe
  2⤵
  PID:13228
- C:\Windows\System\wyAiTJU.exe
  C:\Windows\System\wyAiTJU.exe
  2⤵
  PID:13280
- C:\Windows\System\BPYjNpi.exe
  C:\Windows\System\BPYjNpi.exe
  2⤵
  PID:13308
- C:\Windows\System\WYEHCFw.exe
  C:\Windows\System\WYEHCFw.exe
  2⤵
  PID:12296
- C:\Windows\System\FeynpNm.exe
  C:\Windows\System\FeynpNm.exe
  2⤵
  PID:12316
- C:\Windows\System\nguiGEn.exe
  C:\Windows\System\nguiGEn.exe
  2⤵
  PID:12420
- C:\Windows\System\pgGmRHL.exe
  C:\Windows\System\pgGmRHL.exe
  2⤵
  PID:12456
- C:\Windows\System\FWiVRnI.exe
  C:\Windows\System\FWiVRnI.exe
  2⤵
  PID:12508
- C:\Windows\System\GZXdYBx.exe
  C:\Windows\System\GZXdYBx.exe
  2⤵
  PID:12580
- C:\Windows\System\DlEsrPF.exe
  C:\Windows\System\DlEsrPF.exe
  2⤵
  PID:12688
- C:\Windows\System\BDUVKqE.exe
  C:\Windows\System\BDUVKqE.exe
  2⤵
  PID:12700
- C:\Windows\System\RFYwhBR.exe
  C:\Windows\System\RFYwhBR.exe
  2⤵
  PID:12784
- C:\Windows\System\WjAuxkk.exe
  C:\Windows\System\WjAuxkk.exe
  2⤵
  PID:12828
- C:\Windows\System\XBRTOnp.exe
  C:\Windows\System\XBRTOnp.exe
  2⤵
  PID:12916
- C:\Windows\System\jtqMpQw.exe
  C:\Windows\System\jtqMpQw.exe
  2⤵
  PID:12960
- C:\Windows\System\jbLtqYV.exe
  C:\Windows\System\jbLtqYV.exe
  2⤵
  PID:12984
- C:\Windows\System\jMksGEt.exe
  C:\Windows\System\jMksGEt.exe
  2⤵
  PID:13100
- C:\Windows\System\AACSzfW.exe
  C:\Windows\System\AACSzfW.exe
  2⤵
  PID:13148
- C:\Windows\System\jFHAFDM.exe
  C:\Windows\System\jFHAFDM.exe
  2⤵
  PID:13252
- C:\Windows\System\XBOkhIO.exe
  C:\Windows\System\XBOkhIO.exe
  2⤵
  PID:13292
- C:\Windows\System\VQJKIDm.exe
  C:\Windows\System\VQJKIDm.exe
  2⤵
  PID:12268
- C:\Windows\System\wTeAmpB.exe
  C:\Windows\System\wTeAmpB.exe
  2⤵
  PID:12484
- C:\Windows\System\RiNMmrQ.exe
  C:\Windows\System\RiNMmrQ.exe
  2⤵
  PID:4936
- C:\Windows\System\DwkCbqY.exe
  C:\Windows\System\DwkCbqY.exe
  2⤵
  PID:12720
- C:\Windows\System\txznGSk.exe
  C:\Windows\System\txznGSk.exe
  2⤵
  PID:12804
- C:\Windows\System\nwGfoCd.exe
  C:\Windows\System\nwGfoCd.exe
  2⤵
  PID:13052
- C:\Windows\System\DQRkghJ.exe
  C:\Windows\System\DQRkghJ.exe
  2⤵
  PID:13224
- C:\Windows\System\ZFYQLpp.exe
  C:\Windows\System\ZFYQLpp.exe
  2⤵
  PID:13276
- C:\Windows\System\rwhnXNd.exe
  C:\Windows\System\rwhnXNd.exe
  2⤵
  PID:12480
- C:\Windows\System\LmHMNSJ.exe
  C:\Windows\System\LmHMNSJ.exe
  2⤵
  PID:12612
- C:\Windows\System\fXTZhZB.exe
  C:\Windows\System\fXTZhZB.exe
  2⤵
  PID:13056
- C:\Windows\System\QuEnxxp.exe
  C:\Windows\System\QuEnxxp.exe
  2⤵
  PID:13216
- C:\Windows\System\fvuSgYn.exe
  C:\Windows\System\fvuSgYn.exe
  2⤵
  PID:13340
- C:\Windows\System\IJJxWHm.exe
  C:\Windows\System\IJJxWHm.exe
  2⤵
  PID:13368
- C:\Windows\System\bTURtfO.exe
  C:\Windows\System\bTURtfO.exe
  2⤵
  PID:13388
- C:\Windows\System\qjAKzJs.exe
  C:\Windows\System\qjAKzJs.exe
  2⤵
  PID:13412
- C:\Windows\System\nPfmXuu.exe
  C:\Windows\System\nPfmXuu.exe
  2⤵
  PID:13456
- C:\Windows\System\pYVWRRs.exe
  C:\Windows\System\pYVWRRs.exe
  2⤵
  PID:13480
- C:\Windows\System\OtXbasJ.exe
  C:\Windows\System\OtXbasJ.exe
  2⤵
  PID:13500
- C:\Windows\System\XzaOQYd.exe
  C:\Windows\System\XzaOQYd.exe
  2⤵
  PID:13536
- C:\Windows\System\smyYOfR.exe
  C:\Windows\System\smyYOfR.exe
  2⤵
  PID:13564
- C:\Windows\System\vakpokp.exe
  C:\Windows\System\vakpokp.exe
  2⤵
  PID:13588
- C:\Windows\System\ZfzsMfH.exe
  C:\Windows\System\ZfzsMfH.exe
  2⤵
  PID:13612
- C:\Windows\System\xbwmSkB.exe
  C:\Windows\System\xbwmSkB.exe
  2⤵
  PID:13640
- C:\Windows\System\eWVRrZe.exe
  C:\Windows\System\eWVRrZe.exe
  2⤵
  PID:13692
- C:\Windows\System\OWXkhEW.exe
  C:\Windows\System\OWXkhEW.exe
  2⤵
  PID:13720
- C:\Windows\System\cRiwbbx.exe
  C:\Windows\System\cRiwbbx.exe
  2⤵
  PID:13740
- C:\Windows\System\DtFwFAS.exe
  C:\Windows\System\DtFwFAS.exe
  2⤵
  PID:13768
- C:\Windows\System\QzNBTgE.exe
  C:\Windows\System\QzNBTgE.exe
  2⤵
  PID:13796
- C:\Windows\System\xOskbrU.exe
  C:\Windows\System\xOskbrU.exe
  2⤵
  PID:13812
- C:\Windows\System\lpPddUa.exe
  C:\Windows\System\lpPddUa.exe
  2⤵
  PID:13836
- C:\Windows\System\ymJmGJf.exe
  C:\Windows\System\ymJmGJf.exe
  2⤵
  PID:13864
- C:\Windows\System\nojGVHs.exe
  C:\Windows\System\nojGVHs.exe
  2⤵
  PID:13884
- C:\Windows\System\gGXQTfe.exe
  C:\Windows\System\gGXQTfe.exe
  2⤵
  PID:13948
- C:\Windows\System\LGYUwgK.exe
  C:\Windows\System\LGYUwgK.exe
  2⤵
  PID:13964
- C:\Windows\System\ZcGBroV.exe
  C:\Windows\System\ZcGBroV.exe
  2⤵
  PID:13980
- C:\Windows\System\GmTkahU.exe
  C:\Windows\System\GmTkahU.exe
  2⤵
  PID:14008
- C:\Windows\System\IjkROFF.exe
  C:\Windows\System\IjkROFF.exe
  2⤵
  PID:14040
- C:\Windows\System\AhlZDKk.exe
  C:\Windows\System\AhlZDKk.exe
  2⤵
  PID:14064
- C:\Windows\System\MmauLTP.exe
  C:\Windows\System\MmauLTP.exe
  2⤵
  PID:14096
- C:\Windows\System\iDCBEVC.exe
  C:\Windows\System\iDCBEVC.exe
  2⤵
  PID:14132
- C:\Windows\System\CupFVYA.exe
  C:\Windows\System\CupFVYA.exe
  2⤵
  PID:14156
- C:\Windows\System\iyfJLDY.exe
  C:\Windows\System\iyfJLDY.exe
  2⤵
  PID:14200
- C:\Windows\System\LitSnVl.exe
  C:\Windows\System\LitSnVl.exe
  2⤵
  PID:14216
- C:\Windows\System\oGWUKAt.exe
  C:\Windows\System\oGWUKAt.exe
  2⤵
  PID:14236
- C:\Windows\System\KwjubjR.exe
  C:\Windows\System\KwjubjR.exe
  2⤵
  PID:14264
- C:\Windows\System\XuKzsiU.exe
  C:\Windows\System\XuKzsiU.exe
  2⤵
  PID:14288
- C:\Windows\System\zhiOiue.exe
  C:\Windows\System\zhiOiue.exe
  2⤵
  PID:13332
- C:\Windows\System\SoBzvXS.exe
  C:\Windows\System\SoBzvXS.exe
  2⤵
  PID:13352
- C:\Windows\System\JiQntZy.exe
  C:\Windows\System\JiQntZy.exe
  2⤵
  PID:13464
- C:\Windows\System\xVJeeEs.exe
  C:\Windows\System\xVJeeEs.exe
  2⤵
  PID:13488
- C:\Windows\System\pUVdgjN.exe
  C:\Windows\System\pUVdgjN.exe
  2⤵
  PID:13560
- C:\Windows\System\CDztodt.exe
  C:\Windows\System\CDztodt.exe
  2⤵
  PID:13572
- C:\Windows\System\BviGooc.exe
  C:\Windows\System\BviGooc.exe
  2⤵
  PID:13604
- C:\Windows\System\XOcMVGZ.exe
  C:\Windows\System\XOcMVGZ.exe
  2⤵
  PID:13712
- C:\Windows\System\qDvzoSG.exe
  C:\Windows\System\qDvzoSG.exe
  2⤵
  PID:13808
- C:\Windows\System\rfiBbPF.exe
  C:\Windows\System\rfiBbPF.exe
  2⤵
  PID:13880
- C:\Windows\System\OZSNGVc.exe
  C:\Windows\System\OZSNGVc.exe
  2⤵
  PID:13916
- C:\Windows\System\nCrwkcr.exe
  C:\Windows\System\nCrwkcr.exe
  2⤵
  PID:13992
- C:\Windows\System\mhxzpQz.exe
  C:\Windows\System\mhxzpQz.exe
  2⤵
  PID:14056
- C:\Windows\System\ptLzQKD.exe
  C:\Windows\System\ptLzQKD.exe
  2⤵
  PID:14084
- C:\Windows\System\JTOtrop.exe
  C:\Windows\System\JTOtrop.exe
  2⤵
  PID:14172
- C:\Windows\System\jIblGmo.exe
  C:\Windows\System\jIblGmo.exe
  2⤵
  PID:14248
- C:\Windows\System\mLQvmBM.exe
  C:\Windows\System\mLQvmBM.exe
  2⤵
  PID:14300
- C:\Windows\System\zdjHeGx.exe
  C:\Windows\System\zdjHeGx.exe
  2⤵
  PID:13376
- C:\Windows\System\UPyKvnp.exe
  C:\Windows\System\UPyKvnp.exe
  2⤵
  PID:13476
- C:\Windows\System\lERolQE.exe
  C:\Windows\System\lERolQE.exe
  2⤵
  PID:13660
- C:\Windows\System\FJCKyql.exe
  C:\Windows\System\FJCKyql.exe
  2⤵
  PID:13824
- C:\Windows\System\tWZNJoj.exe
  C:\Windows\System\tWZNJoj.exe
  2⤵
  PID:14140
- C:\Windows\System\dAHgZMK.exe
  C:\Windows\System\dAHgZMK.exe
  2⤵
  PID:14244
- C:\Windows\System\NjhVHrT.exe
  C:\Windows\System\NjhVHrT.exe
  2⤵
  PID:14320
- C:\Windows\System\eaiyfmG.exe
  C:\Windows\System\eaiyfmG.exe
  2⤵
  PID:13784
- C:\Windows\System\LOxpIot.exe
  C:\Windows\System\LOxpIot.exe
  2⤵
  PID:13896
- C:\Windows\System\pdmQkSH.exe
  C:\Windows\System\pdmQkSH.exe
  2⤵
  PID:14104
- C:\Windows\System\qdCplNu.exe
  C:\Windows\System\qdCplNu.exe
  2⤵
  PID:13960
- C:\Windows\System\yZEPvge.exe
  C:\Windows\System\yZEPvge.exe
  2⤵
  PID:14348
- C:\Windows\System\XKedgbv.exe
  C:\Windows\System\XKedgbv.exe
  2⤵
  PID:14372
- C:\Windows\System\tvNlPOa.exe
  C:\Windows\System\tvNlPOa.exe
  2⤵
  PID:14400
- C:\Windows\System\ozhhgKz.exe
  C:\Windows\System\ozhhgKz.exe
  2⤵
  PID:14440
- C:\Windows\System\nUIrIsJ.exe
  C:\Windows\System\nUIrIsJ.exe
  2⤵
  PID:14468
- C:\Windows\System\vdzChlX.exe
  C:\Windows\System\vdzChlX.exe
  2⤵
  PID:14496
- C:\Windows\System\OgErCeM.exe
  C:\Windows\System\OgErCeM.exe
  2⤵
  PID:14520
- C:\Windows\System\WtXPzKd.exe
  C:\Windows\System\WtXPzKd.exe
  2⤵
  PID:14568
- C:\Windows\System\PEAQxHS.exe
  C:\Windows\System\PEAQxHS.exe
  2⤵
  PID:14592
- C:\Windows\System\BkYNmBB.exe
  C:\Windows\System\BkYNmBB.exe
  2⤵
  PID:14616
- C:\Windows\System\GGVZTAY.exe
  C:\Windows\System\GGVZTAY.exe
  2⤵
  PID:14640
- C:\Windows\System\YZIZdHK.exe
  C:\Windows\System\YZIZdHK.exe
  2⤵
  PID:14668
- C:\Windows\System\kLfdwhk.exe
  C:\Windows\System\kLfdwhk.exe
  2⤵
  PID:14684
- C:\Windows\System\gfKKbSP.exe
  C:\Windows\System\gfKKbSP.exe
  2⤵
  PID:14720
- C:\Windows\System\QCyDBoI.exe
  C:\Windows\System\QCyDBoI.exe
  2⤵
  PID:14752
- C:\Windows\System\pDOPxNn.exe
  C:\Windows\System\pDOPxNn.exe
  2⤵
  PID:14768
- C:\Windows\System\FfExAVM.exe
  C:\Windows\System\FfExAVM.exe
  2⤵
  PID:14808
- C:\Windows\System\ROcKcak.exe
  C:\Windows\System\ROcKcak.exe
  2⤵
  PID:14848
- C:\Windows\System\MlSbCJl.exe
  C:\Windows\System\MlSbCJl.exe
  2⤵
  PID:14864
- C:\Windows\System\ZICYkEd.exe
  C:\Windows\System\ZICYkEd.exe
  2⤵
  PID:14896
- C:\Windows\System\pQxOzEZ.exe
  C:\Windows\System\pQxOzEZ.exe
  2⤵
  PID:14920
- C:\Windows\System\YkKDTea.exe
  C:\Windows\System\YkKDTea.exe
  2⤵
  PID:14940
- C:\Windows\System\agbZiMD.exe
  C:\Windows\System\agbZiMD.exe
  2⤵
  PID:14972
- C:\Windows\System\lbhPPxI.exe
  C:\Windows\System\lbhPPxI.exe
  2⤵
  PID:14992
- C:\Windows\System\QWvXgEW.exe
  C:\Windows\System\QWvXgEW.exe
  2⤵
  PID:15044
- C:\Windows\System\ZUrfiFj.exe
  C:\Windows\System\ZUrfiFj.exe
  2⤵
  PID:15072
- C:\Windows\System\WZtZYNY.exe
  C:\Windows\System\WZtZYNY.exe
  2⤵
  PID:15100
- C:\Windows\System\fDtJVEa.exe
  C:\Windows\System\fDtJVEa.exe
  2⤵
  PID:15128
- C:\Windows\System\HGoDOLh.exe
  C:\Windows\System\HGoDOLh.exe
  2⤵
  PID:15148
- C:\Windows\System\fietvGC.exe
  C:\Windows\System\fietvGC.exe
  2⤵
  PID:15184
- C:\Windows\System\cdaKECl.exe
  C:\Windows\System\cdaKECl.exe
  2⤵
  PID:15200
- C:\Windows\System\mSqXUZZ.exe
  C:\Windows\System\mSqXUZZ.exe
  2⤵
  PID:15228
- C:\Windows\System\rprWEpE.exe
  C:\Windows\System\rprWEpE.exe
  2⤵
  PID:15244
- C:\Windows\System\CkTqtXS.exe
  C:\Windows\System\CkTqtXS.exe
  2⤵
  PID:15288
- C:\Windows\System\dqMHMCP.exe
  C:\Windows\System\dqMHMCP.exe
  2⤵
  PID:15312
- C:\Windows\System\YfdBjmg.exe
  C:\Windows\System\YfdBjmg.exe
  2⤵
  PID:15340
- C:\Windows\System\gaQkXDS.exe
  C:\Windows\System\gaQkXDS.exe
  2⤵
  PID:15356
- C:\Windows\System\uKGjUaS.exe
  C:\Windows\System\uKGjUaS.exe
  2⤵
  PID:14360
- C:\Windows\System\XITaBCb.exe
  C:\Windows\System\XITaBCb.exe
  2⤵
  PID:14456
- C:\Windows\System\kJKOiCO.exe
  C:\Windows\System\kJKOiCO.exe
  2⤵
  PID:14556
- C:\Windows\System\iCyNuNf.exe
  C:\Windows\System\iCyNuNf.exe
  2⤵
  PID:14600
- C:\Windows\System\LKnEZoQ.exe
  C:\Windows\System\LKnEZoQ.exe
  2⤵
  PID:14660
- C:\Windows\System\VVjYsnf.exe
  C:\Windows\System\VVjYsnf.exe
  2⤵
  PID:14732
- C:\Windows\System\wiNollh.exe
  C:\Windows\System\wiNollh.exe
  2⤵
  PID:14780
- C:\Windows\System\nlnhSnG.exe
  C:\Windows\System\nlnhSnG.exe
  2⤵
  PID:14856
- C:\Windows\System\GqGggXK.exe
  C:\Windows\System\GqGggXK.exe
  2⤵
  PID:14912
- C:\Windows\System\pNLGLDC.exe
  C:\Windows\System\pNLGLDC.exe
  2⤵
  PID:14928
- C:\Windows\System\kVrBAdK.exe
  C:\Windows\System\kVrBAdK.exe
  2⤵
  PID:15040
- C:\Windows\System\zXKQDlr.exe
  C:\Windows\System\zXKQDlr.exe
  2⤵
  PID:15096
- C:\Windows\System\DHznzAM.exe
  C:\Windows\System\DHznzAM.exe
  2⤵
  PID:15176
- C:\Windows\System\DOpFiOR.exe
  C:\Windows\System\DOpFiOR.exe
  2⤵
  PID:15216
- C:\Windows\System\fIxVtlq.exe
  C:\Windows\System\fIxVtlq.exe
  2⤵
  PID:15272
- C:\Windows\System\LaSYpup.exe
  C:\Windows\System\LaSYpup.exe
  2⤵
  PID:14368
- C:\Windows\System\fxcMFrF.exe
  C:\Windows\System\fxcMFrF.exe
  2⤵
  PID:14516
- C:\Windows\System\QMeeZow.exe
  C:\Windows\System\QMeeZow.exe
  2⤵
  PID:14636
- C:\Windows\System\GFAXViQ.exe
  C:\Windows\System\GFAXViQ.exe
  2⤵
  PID:14760
- C:\Windows\System\uEWrwYt.exe
  C:\Windows\System\uEWrwYt.exe
  2⤵
  PID:14876
- C:\Windows\System\AALOGaB.exe
  C:\Windows\System\AALOGaB.exe
  2⤵
  PID:15008
- C:\Windows\System\YQSSRfJ.exe
  C:\Windows\System\YQSSRfJ.exe
  2⤵
  PID:15192
- C:\Windows\System\mQlMItK.exe
  C:\Windows\System\mQlMItK.exe
  2⤵
  PID:13424
- C:\Windows\System\rttWYaG.exe
  C:\Windows\System\rttWYaG.exe
  2⤵
  PID:14536
- C:\Windows\System\JfwwZAR.exe
  C:\Windows\System\JfwwZAR.exe
  2⤵
  PID:15016
- C:\Windows\System\HJJaJxE.exe
  C:\Windows\System\HJJaJxE.exe
  2⤵
  PID:14964
- C:\Windows\System\jGlSYGR.exe
  C:\Windows\System\jGlSYGR.exe
  2⤵
  PID:14716
- C:\Windows\System\Zounksn.exe
  C:\Windows\System\Zounksn.exe
  2⤵
  PID:15396
- C:\Windows\System\OKLHGSl.exe
  C:\Windows\System\OKLHGSl.exe
  2⤵
  PID:15412
- C:\Windows\System\nUvOXBt.exe
  C:\Windows\System\nUvOXBt.exe
  2⤵
  PID:15448
- C:\Windows\System\ptPYtcX.exe
  C:\Windows\System\ptPYtcX.exe
  2⤵
  PID:15480
- C:\Windows\System\gSZuSHJ.exe
  C:\Windows\System\gSZuSHJ.exe
  2⤵
  PID:15500
- C:\Windows\System\tqKKitB.exe
  C:\Windows\System\tqKKitB.exe
  2⤵
  PID:15520
- C:\Windows\System\Rdbpthb.exe
  C:\Windows\System\Rdbpthb.exe
  2⤵
  PID:15548
- C:\Windows\System\PhZwfNl.exe
  C:\Windows\System\PhZwfNl.exe
  2⤵
  PID:15584
- C:\Windows\System\hbliFDI.exe
  C:\Windows\System\hbliFDI.exe
  2⤵
  PID:15612
- C:\Windows\System\QAyVIqv.exe
  C:\Windows\System\QAyVIqv.exe
  2⤵
  PID:15636
- C:\Windows\System\ChGxFRY.exe
  C:\Windows\System\ChGxFRY.exe
  2⤵
  PID:15676
- C:\Windows\System\ffZxUdE.exe
  C:\Windows\System\ffZxUdE.exe
  2⤵
  PID:15704
- C:\Windows\System\SADNwNZ.exe
  C:\Windows\System\SADNwNZ.exe
  2⤵
  PID:15744
- C:\Windows\System\UEmTqVd.exe
  C:\Windows\System\UEmTqVd.exe
  2⤵
  PID:15772
- C:\Windows\System\ffdhvrO.exe
  C:\Windows\System\ffdhvrO.exe
  2⤵
  PID:15800
- C:\Windows\System\DoZuaUy.exe
  C:\Windows\System\DoZuaUy.exe
  2⤵
  PID:15832
- C:\Windows\System\VtPbiKR.exe
  C:\Windows\System\VtPbiKR.exe
  2⤵
  PID:15860
- C:\Windows\System\EXYiqne.exe
  C:\Windows\System\EXYiqne.exe
  2⤵
  PID:15876
- C:\Windows\System\hDuTKwv.exe
  C:\Windows\System\hDuTKwv.exe
  2⤵
  PID:15916
- C:\Windows\System\ltWUgsr.exe
  C:\Windows\System\ltWUgsr.exe
  2⤵
  PID:15936
- C:\Windows\System\qPuwvqZ.exe
  C:\Windows\System\qPuwvqZ.exe
  2⤵
  PID:15964
- C:\Windows\System\SUsUSTM.exe
  C:\Windows\System\SUsUSTM.exe
  2⤵
  PID:15988
- C:\Windows\System\kLLwIhs.exe
  C:\Windows\System\kLLwIhs.exe
  2⤵
  PID:16028
- C:\Windows\System\JMFvafX.exe
  C:\Windows\System\JMFvafX.exe
  2⤵
  PID:16056
- C:\Windows\System\avWpUAn.exe
  C:\Windows\System\avWpUAn.exe
  2⤵
  PID:16076
- C:\Windows\System\gTgJwvI.exe
  C:\Windows\System\gTgJwvI.exe
  2⤵
  PID:16108
- C:\Windows\System\yOPBTCu.exe
  C:\Windows\System\yOPBTCu.exe
  2⤵
  PID:16128
- C:\Windows\System\yCVTger.exe
  C:\Windows\System\yCVTger.exe
  2⤵
  PID:16144
- C:\Windows\System\qLTHmKO.exe
  C:\Windows\System\qLTHmKO.exe
  2⤵
  PID:16196
- C:\Windows\System\mZAuulD.exe
  C:\Windows\System\mZAuulD.exe
  2⤵
  PID:16224
- C:\Windows\System\GRMxZLp.exe
  C:\Windows\System\GRMxZLp.exe
  2⤵
  PID:16240
- C:\Windows\System\sNTWShs.exe
  C:\Windows\System\sNTWShs.exe
  2⤵
  PID:16284
- C:\Windows\System\dXrLSGg.exe
  C:\Windows\System\dXrLSGg.exe
  2⤵
  PID:16316
- C:\Windows\System\ECwzRZx.exe
  C:\Windows\System\ECwzRZx.exe
  2⤵
  PID:16344
- C:\Windows\System\DnMUUih.exe
  C:\Windows\System\DnMUUih.exe
  2⤵
  PID:16372
- C:\Windows\System\kpFJpeD.exe
  C:\Windows\System\kpFJpeD.exe
  2⤵
  PID:15120
- C:\Windows\System\hVnAyzd.exe
  C:\Windows\System\hVnAyzd.exe
  2⤵
  PID:15404
- C:\Windows\System\XqGvliy.exe
  C:\Windows\System\XqGvliy.exe
  2⤵
  PID:15436
- C:\Windows\System\psbsutj.exe
  C:\Windows\System\psbsutj.exe
  2⤵
  PID:15516
- C:\Windows\System\wMZLaOZ.exe
  C:\Windows\System\wMZLaOZ.exe
  2⤵
  PID:15608
- C:\Windows\System\YDOhYUx.exe
  C:\Windows\System\YDOhYUx.exe
  2⤵
  PID:15624
- C:\Windows\System\GGUhkzW.exe
  C:\Windows\System\GGUhkzW.exe
  2⤵
  PID:15736
- C:\Windows\System\KOSGlqD.exe
  C:\Windows\System\KOSGlqD.exe
  2⤵
  PID:15788
- C:\Windows\System\lcLzTvk.exe
  C:\Windows\System\lcLzTvk.exe
  2⤵
  PID:15844
- C:\Windows\System\vQfBcLp.exe
  C:\Windows\System\vQfBcLp.exe
  2⤵
  PID:15900
- C:\Windows\System\GkJXFcI.exe
  C:\Windows\System\GkJXFcI.exe
  2⤵
  PID:15944
- C:\Windows\System\HCNchgD.exe
  C:\Windows\System\HCNchgD.exe
  2⤵
  PID:16020
- C:\Windows\System\nfZZrbR.exe
  C:\Windows\System\nfZZrbR.exe
  2⤵
  PID:16124
- C:\Windows\System\OsOhpPb.exe
  C:\Windows\System\OsOhpPb.exe
  2⤵
  PID:16192
- C:\Windows\System\QqzmUUv.exe
  C:\Windows\System\QqzmUUv.exe
  2⤵
  PID:16232
- C:\Windows\System\SHydtSZ.exe
  C:\Windows\System\SHydtSZ.exe
  2⤵
  PID:16312
- C:\Windows\System\GZbeOCE.exe
  C:\Windows\System\GZbeOCE.exe
  2⤵
  PID:16336
- C:\Windows\System\JhpzNVh.exe
  C:\Windows\System\JhpzNVh.exe
  2⤵
  PID:15376
- C:\Windows\System\ANkJXYe.exe
  C:\Windows\System\ANkJXYe.exe
  2⤵
  PID:15572
- C:\Windows\System\zinIlgC.exe
  C:\Windows\System\zinIlgC.exe
  2⤵
  PID:15632
- C:\Windows\System\MptqPlJ.exe
  C:\Windows\System\MptqPlJ.exe
  2⤵
  PID:15952
- C:\Windows\System\knlbiLD.exe
  C:\Windows\System\knlbiLD.exe
  2⤵
  PID:16104
- C:\Windows\System\WwKMAqx.exe
  C:\Windows\System\WwKMAqx.exe
  2⤵
  PID:16168
- C:\Windows\System\EHAEFGo.exe
  C:\Windows\System\EHAEFGo.exe
  2⤵
  PID:16340
- C:\Windows\System\GVSRauh.exe
  C:\Windows\System\GVSRauh.exe
  2⤵
  PID:15756
- C:\Windows\System\LAQhAwk.exe
  C:\Windows\System\LAQhAwk.exe
  2⤵
  PID:16092
- C:\Windows\System\ZTKzOGK.exe
  C:\Windows\System\ZTKzOGK.exe
  2⤵
  PID:15468
- C:\Windows\System\sdtmDvb.exe
  C:\Windows\System\sdtmDvb.exe
  2⤵
  PID:16008
- C:\Windows\System\hOyHIBL.exe
  C:\Windows\System\hOyHIBL.exe
  2⤵
  PID:16392
- C:\Windows\System\SCYoxte.exe
  C:\Windows\System\SCYoxte.exe
  2⤵
  PID:16416
- C:\Windows\System\CIZupjG.exe
  C:\Windows\System\CIZupjG.exe
  2⤵
  PID:16436
- C:\Windows\System\LdZvPyG.exe
  C:\Windows\System\LdZvPyG.exe
  2⤵
  PID:16484
- C:\Windows\System\xrdKHVF.exe
  C:\Windows\System\xrdKHVF.exe
  2⤵
  PID:16504
- C:\Windows\System\AJKfhwL.exe
  C:\Windows\System\AJKfhwL.exe
  2⤵
  PID:16524
- C:\Windows\System\pGrmLSk.exe
  C:\Windows\System\pGrmLSk.exe
  2⤵
  PID:16548
- C:\Windows\System\pYbedVw.exe
  C:\Windows\System\pYbedVw.exe
  2⤵
  PID:16584
- C:\Windows\System\ekCkfNK.exe
  C:\Windows\System\ekCkfNK.exe
  2⤵
  PID:16604
- C:\Windows\System\UZwcAdD.exe
  C:\Windows\System\UZwcAdD.exe
  2⤵
  PID:16644
- C:\Windows\System\INxHAmM.exe
  C:\Windows\System\INxHAmM.exe
  2⤵
  PID:16684
- C:\Windows\System\Akgxjrg.exe
  C:\Windows\System\Akgxjrg.exe
  2⤵
  PID:16704
- C:\Windows\System\ZffadzU.exe
  C:\Windows\System\ZffadzU.exe
  2⤵
  PID:16728
- C:\Windows\System\MSzMKZV.exe
  C:\Windows\System\MSzMKZV.exe
  2⤵
  PID:16748

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:17276
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5364

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9096

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:10196

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:12940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:16992

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:16832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:16716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:14988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6308

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:15812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6968

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11228

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:16056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14540

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10500

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16040

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LLDJA3WI\microsoft.windows[1].xml

Filesize
97B

MD5
372706547a804b876522fe741dbfc040

SHA1
9bca733d6804f24c6841ef02b52e8ade1b45d7e4

SHA256
09fe1eb66c953d75dc66ff6df9237cde5f419fb25fab6327de9cde6676219651

SHA512
cc8057de048bf5646e41bed6f01111328bceae9abb4282a4ee1be635d086b6b3647cb5cc17cc3564980e5e31342a767dc639e536edbd3720df6b35ac7ebce34a

Download Submit
C:\Windows\System\BqdBIAU.exe

Filesize
1.6MB

MD5
2c1ecbc5426ac0277e965b2e52ad30c3

SHA1
ef5e0b244a8d8dfcb98b55dd7911385089763997

SHA256
bd4734552f97f6d6813307f66d4bbcf4020fa7c59796714a5fffcf05540cde7b

SHA512
b27b0f1c79a2fa9d7e933c6c16fc4ce6706049052d4094d6cfcaab39f5e876b80a030fff442f4ffb5e0bdbbfd68ea8d96aa9171b7dc30f69780bda07a4d3c851

Download Submit
C:\Windows\System\EgDmIpf.exe

Filesize
1.6MB

MD5
1d01e31a34b95aa3aed30c1d0e9b839a

SHA1
6c3bfb932cab656b6aa4c5e97feaaac4d7af9a4c

SHA256
1ba3ad8553a1951a176263a8ace8c94ad273f1476275b8afa55e3e233581ede3

SHA512
5d52bbbcc27723f2e23a9a75e52e5cc29506ac86ec03a3b010c171208ec5e476f4a90eb8d16278b25c5dca9997abbb971ebb7395517f38f68911d4c284770798

Download Submit
C:\Windows\System\EnQlKll.exe

Filesize
1.6MB

MD5
5256f50c034c2e2147af41302a2e95ec

SHA1
b16c9a1b858111906bd42f5ace97d3d727f2dc31

SHA256
1c48ccbb8e01408dd11d3fd9d72f30dd4b11fedfa039b0ae234f923fd9aabe5f

SHA512
a49c7229e05e1c8b9f4362ce0f84a908852a980e196e94527e3ab8a53fde4f91df776109fe8a69ea15abd3e7d28d5722d6b9c67e3a65b1a555362d971b7dba30

Download Submit
C:\Windows\System\IHiNSrI.exe

Filesize
1.6MB

MD5
f9e765fd4d09afbb8b39072fa7126f04

SHA1
5f59ffcc699bd9ec10411303ae97e4f4234d8f71

SHA256
693260d6c7f04c6647cb03b71cfd56b11c7da890f110a44aa3dc95e36824e33a

SHA512
b5d5d46e8682a8d96c33439bd73c61e91b3572f80ba69c2403bedbb891ba3c00eff3caa2356c4f5ab08a880555711d01e79dc8c25277b5b3fad715181cdf7a04

Download Submit
C:\Windows\System\KCVXgvb.exe

Filesize
1.6MB

MD5
b44562cd6e28efc5a2b86a80400b1006

SHA1
2e5317409a77d9b5d41d3c6734b8c8da61443070

SHA256
b6b71380b654188bffad7e5dde9e4e6ad0a37d6f7b1ed75dbc2f3d811bfa6c18

SHA512
34af22aa6ad9a93b662885040fe840a0a71f5a9235c82945bb4b155723a84ee3ae77c81e035698a330abd9873df8cec63f3ba6ecec515d97536135e07765672a

Download Submit
C:\Windows\System\KGmNMpl.exe

Filesize
1.6MB

MD5
397102a4fdb6f1f8344f8bd9232a28d7

SHA1
d46049516b1ecf69a94da55e1c7b5387155fa273

SHA256
3b490142bc386bbcc7ed1a7d0842974e1c54e3be9f0cf29303f67a3593497b60

SHA512
596f92ab54312f4d36ae1c8becf5aedd0164cb1ae72a3bbf3e0922b3985d1aaec2d383d2ab84626b829e541f3f7e0f192563bd491fcad89a65337489c56a29ce

Download Submit
C:\Windows\System\LVJCKYl.exe

Filesize
1.6MB

MD5
a1b9b1f1e35323819cc970bf319af6cc

SHA1
2e56db0acdfee9192ba88409df847a18834de8e7

SHA256
6604cef152e7249250422407da24bdf2d5c329cf41600a365490eea6d00ad0b2

SHA512
caa23bdd99bb33e4f4dd19642a8301fae453e50028098d9e4fd348985ffbe8e3de00886c71bc095333befd2b4180df21a095534642de5fc54008028dc5506129

Download Submit
C:\Windows\System\SZIPPlE.exe

Filesize
1.6MB

MD5
797f1edf6856da8111a33061daf9eb76

SHA1
8e0e61737b401c209d04e66f50182077b5a691da

SHA256
4032dfaca8cbe9eb01385c8d4487093373de459d96e285e5f527a05e68ce6003

SHA512
d87741a5f86c1ab46f392b88a5aadeb80c1ece8a8ee027013372f63fe7eb264e931a3c7fdbd4427b53fbd5146bf37103c9f859dcedc71853306a9555e896ed49

Download Submit
C:\Windows\System\SrHNdSx.exe

Filesize
1.6MB

MD5
49b6d17cc7ba18375e1919d3c35b6e89

SHA1
8d44960cc95aa9836edb81f64f212bfb6343f319

SHA256
d69d21e26be68ae8a196fcc3dc36e044671182a96a4112f5347a98aaed28c4a7

SHA512
d5ffbfaccbec1be7db6f856da092e923835ac3cbdc799a5ded598526cae12db0e1be4eb74c72d0fbf48c3ca73847cd4053aa14785dc71d1f66e1e4a25f1aec19

Download Submit
C:\Windows\System\TnoWiWm.exe

Filesize
1.6MB

MD5
182bc61b6ea6b9b0fae33211f933bf23

SHA1
b590fab93e20e8a1660f427c75995e5ab9ce1de2

SHA256
a152c673e8d5a5a46df00de83c1632402c319375ae4faaa8e45c9012fc4dafa5

SHA512
29c7b6683efd349bd02df59187bf0f8113d45eb3cc0ef0f8a3e8b2c1123a8bc9342f2429c6a9364450929a89f22967202963378d5ae713687b671606997da5b3

Download Submit
C:\Windows\System\VuHgzUf.exe

Filesize
1.6MB

MD5
6c30755acacec5bcc5935ca9b8d946af

SHA1
d3a43e20f1601a57768fbb58e495e09f035a3a28

SHA256
103987e4bb06845b781995f5dd2714558463c8ba00c4f65be4c40579c7c7c5df

SHA512
2045713be5e8499ffbff51152b9631c882d8c96d3fbca89dad2fbf188365e3c05a18d9cbf2666e57ee6c3265d275a9a3c26312b31143706a19ae15da5b671ea5

Download Submit
C:\Windows\System\bXFMxLj.exe

Filesize
1.6MB

MD5
b0e0e59823b0f5d18008314b9a6f6743

SHA1
7dd75a682bd931000c6c9844b5951becc28ec669

SHA256
c2269b7cea47e35006b1c5c09025aacd43b248fe07fdae3e7e690f05de706079

SHA512
7f0c69775f6c194c3d7294bc3da02cc5b5b8cf2439395bdcc73f628d7cf611d478f6754fc821c83c42ae35e9f53a4f4f045d513576531679ae38fbf6fab0bf78

Download Submit
C:\Windows\System\cenZFZW.exe

Filesize
1.6MB

MD5
53732ea426502c034d9a737eb4106be9

SHA1
09de3fec778012b66cc1fea3a259245b3ea871c0

SHA256
f843fb38d943220a791aeac392efabf274864a8e22aed89b940d72efaf934d39

SHA512
9d7cc2e44582ad1a1db202685d883167d719f767233c4b08290fc01313b8f760290d94de6d6eb8b923997f036d73c71fa61907fe3f045a018cfb7ff3fb1d8370

Download Submit
C:\Windows\System\edWrqJE.exe

Filesize
1.6MB

MD5
b0b5df76e63001718fc32790feb458dd

SHA1
061aab5bcf9bd56a2da4bfa871d699a85ccfeec4

SHA256
e3cceb7fd6cce3e5d938724cf0a4632b23b150fd2b0ef9f2431277954159844d

SHA512
259fe7b92ff1c969d1846d36426725ecd6c9f012529cd25830abfd0e021e9bc65eaad3d5b616e39c6ea9947184d27077c19ab5eea3febb8b6d3f08b07a16f4cd

Download Submit
C:\Windows\System\fwytwqJ.exe

Filesize
1.6MB

MD5
530fd0f038382c73cdb046d92c7ed91e

SHA1
fb84d10552652e3b957460b9a78937b2b3aa307d

SHA256
755187e3291cffd1ed91b40eb8088d6622136c489aeb5e062f9b3948e00c5174

SHA512
a3180fd2740d5ae6cc4ef2cb1bf169e0601721b8a8aa9d400763b90e0806156051cfd26bd882a2dc24def6de4f85204f17c3f3d6478b0e887bbd57a8822512bd

Download Submit
C:\Windows\System\gMgUzgz.exe

Filesize
1.6MB

MD5
76860027c7bad27af82e64179579118b

SHA1
e216b84baf1490f5ed529327d5f6e88408640df8

SHA256
2f30a7b2229cdc0ebeec0b2d85fe9cf46753d0ad151aa0258548f9f7b3c60104

SHA512
630fac5719fa133e839a5eb198cfc04639e93890bbbd3275f2d3489e868ba0ba2c25f136d854331ebf48a9a0423ffbd61983d152e8ca2285db7d8752912f7677

Download Submit
C:\Windows\System\kEKWHzr.exe

Filesize
1.6MB

MD5
49ef9d4d8b2a2f146438ddb54481b073

SHA1
fb310bd3cf160f9a7f600c93c65f370951b9d60f

SHA256
8bcd214a53ed441a9524c60054b366481248ee2b9638dc56f5b2676dfd7834ef

SHA512
7da47430d6b06861b83a364d8e1c22171430ce1818e5dc13460be023df5ebdd2c63b103de02a4aa8a803d11d30434ac36ed7d6a8b69fb9ab93f69f330bddb459

Download Submit
C:\Windows\System\kvgjyEy.exe

Filesize
1.6MB

MD5
2eba944b36e6d8382018eaa172986436

SHA1
9fffd979f8e801786f5325d867de11e7e3dcf418

SHA256
6c9bd7029b21c39ff3731ad32695d90917929b3004a6b27b42305e3542854797

SHA512
7e018d373ac0cd27b75f65da1ac6ef965fa060b5f368b6d69f5d27512c3ec98d4e92e8a992c00710cba706be544f5d5b0c4385740b97a441acf29fdae0ce0f2c

Download Submit
C:\Windows\System\lvnTYNv.exe

Filesize
1.6MB

MD5
71bfe26da772591302bde225de920852

SHA1
a6681f7ec162e45de282a1436f20de1d6f2d6b80

SHA256
a79f7ab431a5607fd7d23c7e8192b0d88c42ec94dedd19cee766d231e861186e

SHA512
b12cbe99db411b547fecda4425189123a3ce8612944e9feebb6a7541e7642060aaa95c85394c7a7f4ea472401aa40d35eb0996f4671da573dd897d4141162ed8

Download Submit
C:\Windows\System\oOnHUqW.exe

Filesize
1.6MB

MD5
8f5afa201e271a14bc4474fd14759ad8

SHA1
4bea814cbcd76ad3855634362b1a90f75a393dda

SHA256
8c9b374b4deb7e03da058632fbc40edcd7da7344476bbcc1b173727657a8b54c

SHA512
9a7633d6edf1db39d46844fb4f57b469115b7bda29bc8a10d4ecffe6a680394d113b868fd6c80f064b0bec8e5b4cb5b90660a390e880ecc5cac3338817768d43

Download Submit
C:\Windows\System\ogXYSPo.exe

Filesize
1.6MB

MD5
7294dc9829ea9d165af1ef882fb32ba5

SHA1
76c990d7f36caf9dd1e3eb5ebd8dd7f69e1a2299

SHA256
55db43b4b90297bb1f43f010d8017feaccfbf7d3b7200860910e75955b482757

SHA512
2d3c267769881406e7eabbfbf730806b41676719a13e41814c96dd9e30736d47e3d0c00a65458a8a6a150d5721d68c33aa638191afdcc0cf4550d976388c56d4

Download Submit
C:\Windows\System\pHjlwvY.exe

Filesize
1.6MB

MD5
1af1b2b10768043af1997a1ce07b8c43

SHA1
f2b16615df087f5dc2290d655a79e63a386fe7d6

SHA256
eb9af1ea9e0385bd3d4a2e0841df93a0aeecc30846ab4fc2a9e2de3590c167a9

SHA512
a2d323ec19b9f8f99b037a4b21a9c26d367de938f2261cf3666ad33169f02c15ea7aae278e47487ff7ebc01008bba7f5a3f902466f92a77085cfdcb81e3dc161

Download Submit
C:\Windows\System\pMFQwNj.exe

Filesize
1.6MB

MD5
c34abaf878ee21caef68cbe3efcf631e

SHA1
84162fdad1903dc4c66b4eea42667bb78aa980e1

SHA256
3c4bb535073310e704610c4ac0433f1583dec25cb903ee5c33bf58c5a36d4232

SHA512
1fd71ab342e3145e0a8459668936167e2e06c3bb1cd559305bb2ba515eeaa5e2bc17afa8645801a3d2438e5263a038f00bed220523aab664201017a062ca610e

Download Submit
C:\Windows\System\rcxOHje.exe

Filesize
1.6MB

MD5
a1cd22b027275e138c94a48448b8359a

SHA1
574ce4dc6b331edc0dd6ed9fc95174163897ba35

SHA256
45fa0767ab60001b6b0c482c8031fee04dc6b661f6d99c3dd00bebab1b1668e0

SHA512
7165d130642b0c419b86e735dc807339934da7dffa22f7e1edb442f225ae69bc1032bbcf40442152d6d1cc7820aaba4c5adb13d090146fee46c78a45b065f39d

Download Submit
C:\Windows\System\uQroEdk.exe

Filesize
1.6MB

MD5
ad6ff2b04dde00690daa92ec421f71a9

SHA1
b60dc79a9c5f712bd7806ec0e4d7a375a660ce16

SHA256
851a9221fa4f6c621f674279f8014b67e1f04223798def7a547939cd1589c6bf

SHA512
8a6cb3ea86ab65a4597d0339bfdde65219779763b95adc117c4c5f35cabbef7236128cf2156c89f96d5a34f92592497da011faac1fe73a599585a729f8160a1c

Download Submit
C:\Windows\System\ubztSdd.exe

Filesize
1.6MB

MD5
47702f994f0c3f34b8ea036f2061f4a8

SHA1
6644341882e9c03404f27af68d5cee7f0e829e96

SHA256
791ee91669321ba1b0cbf891ed2c1d9db4a76fb66f007f11a094c6ff2a0ec004

SHA512
85ed7ac6860aae2263e9ec7cab514e1872cf5b083a89f6511b293d7a036c25eb5f86bbd39f4c31ae5bb36e255862be37311a36d68dadf79fc7a5a09f8103a0a4

Download Submit
C:\Windows\System\urmQIWo.exe

Filesize
1.6MB

MD5
0b3bc80469297a9e716fac17eb6c60d1

SHA1
7a2617a348d66604ee216a9c335b84061c48c262

SHA256
98081401997626c89b91fb2a9cb6647561d490e5d792bb375ec71b97e962f09d

SHA512
27000379d524d5f0524054a97eff1d86518c1ccffb3f2b1a4234c65aed4bcf4d6f5c4cbaa024bc9642d7f850bba130208be4c36931af750c94807af0b1141a21

Download Submit
C:\Windows\System\vDSeWzt.exe

Filesize
1.6MB

MD5
a96f959f0159a8a3a7115e1f7029af3d

SHA1
2712051bce8c7cb89838f0643177f8a4be2e4fe6

SHA256
544b95d837d93fd4b8f4973e2264919b8709ca7c13797dc4f09fdd99034f06e7

SHA512
2d2477e2f782314a50a684df01bad2966ac9978832338d95d005ee959ba0ffb81974cf789396fc1c6d0dbfdb5d571a33747ea8510acfa2c755e6dc2790f39b51

Download Submit
C:\Windows\System\vZzLsDp.exe

Filesize
1.6MB

MD5
1c01fcabad9109b82a51d4dd239e8ac3

SHA1
494535ca26a9d0d4c1d4882f2468013f37248afc

SHA256
6e9364a2e79d8a821c794492cbe136799199e0ce2b469f50194a6061efcfb3a5

SHA512
6ff25ff43f05bf27f6c790a3933edfb8810fc8b707efc735b256bdc2d4778ad0d2fe57e8d54a8e21d19fce7a38c417acf68853203e7c20c9caeed866fa8b3ee7

Download Submit
C:\Windows\System\wQDNYSF.exe

Filesize
1.6MB

MD5
6675c07abd2b1d488a2d83eb410c40e7

SHA1
34a6f96c4fd8acd03dc6b9eeebb3ac0bcbf7f65b

SHA256
d3d666bff3722b5653e2c31f9dbb89d00a19d4a4edf5c42a52e06f3e3528f4d9

SHA512
c56b7693fcfefb5b6ae86608980400ead00c880e40748c6889b4e917b3583c952e4a6b7f60ab8b926fbeecdc8829d4cc380c4a22e7d681b1eccd47b518deedb2

Download Submit
C:\Windows\System\wTsKReN.exe

Filesize
1.6MB

MD5
0f6e6c41f7f98dd08234d6b301e0ed79

SHA1
f94aac3a59751edc96d3476d04f6d776a12dd35d

SHA256
cda180d983f52e3077ff167768563352ae4c31463af48721c28789c26c5fb1b1

SHA512
d628fe91a1130ed0d7a4c95e037d73465be92ead72805d869429bd863f55034f50c3bbe0385259d62b412026c290d2280d7879f26633d1d7d729c32a2772ab22

Download Submit
C:\Windows\System\zBuDTVD.exe

Filesize
1.6MB

MD5
80053d9c969a6ff7638540728e5610e8

SHA1
f8ecb17755518592be820b02bfe70f75f8dba8de

SHA256
b25843fdb32ef7b67d24282af4871f6aa5a406845ce46ec9bcad56c6bdf7ba7f

SHA512
64d1a25a5fb0020152c106bb1d4a2fc23eebd2d026a20dbf14caa418a706f8d4d600382f93669270a010e79cb71dabbed3dccf15da636c2564dd00adabf7d5f3

Download Submit
C:\Windows\System\zTrITgX.exe

Filesize
1.6MB

MD5
a049f66ab14b8a76c6e30247cb11c7ac

SHA1
61a363dafaa1f84018cc0d00d5deda626286e5d6

SHA256
02c729c1b62ed55bca75c2a40ce6a3e210e32639dc835f05a715bd512dffb7b3

SHA512
6397617977e0b1ecb97b677cf9c58e9a1c039961c7debdc35f9ec11e8fc25bbc283dcb22cc180aae680942adcc6004b842e0cd5edc4dddc70786059059b8dfb5

Download Submit
memory/4724-0-0x000001FB357A0000-0x000001FB357B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads