xmrig | 474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
Size

1.8MB
MD5

1ead5cded7df2ceb556331ef03c5e884
SHA1

0bc59da1ee759c5075b87d0aeedff3cba9e3f66a
SHA256

474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0
SHA512

28114581e56202c544144153aa252718e17becb45faecb66935f1742581e8c8f0a760e3a2a0292e023b87a8f96c5782d6ff5f20753ffff3175c0bb07b4286f75
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9ozttwIRRvzc26JxSUi:GemTLkNdfE0pZyH

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000c000000023ba0-3.dat	xmrig
behavioral2/files/0x000a000000023ba9-14.dat	xmrig
behavioral2/files/0x000a000000023baa-15.dat	xmrig
behavioral2/files/0x000a000000023ba8-19.dat	xmrig
behavioral2/files/0x000a000000023bac-25.dat	xmrig
behavioral2/files/0x000b000000023bb0-45.dat	xmrig
behavioral2/files/0x0008000000023bc8-58.dat	xmrig
behavioral2/files/0x0009000000023bce-73.dat	xmrig
behavioral2/files/0x0009000000023bcd-84.dat	xmrig
behavioral2/files/0x0008000000023bd8-100.dat	xmrig
behavioral2/files/0x0008000000023bd9-98.dat	xmrig
behavioral2/files/0x0008000000023bd5-96.dat	xmrig
behavioral2/files/0x000e000000023bd3-94.dat	xmrig
behavioral2/files/0x0009000000023bcf-90.dat	xmrig
behavioral2/files/0x000e000000023bbf-82.dat	xmrig
behavioral2/files/0x000a000000023bb8-61.dat	xmrig
behavioral2/files/0x000b000000023baf-56.dat	xmrig
behavioral2/files/0x000b000000023bae-48.dat	xmrig
behavioral2/files/0x000a000000023bad-46.dat	xmrig
behavioral2/files/0x000a000000023bab-28.dat	xmrig
behavioral2/files/0x0008000000023bda-104.dat	xmrig
behavioral2/files/0x000b000000023ba5-107.dat	xmrig
behavioral2/files/0x0008000000023c0a-122.dat	xmrig
behavioral2/files/0x0008000000023c0e-132.dat	xmrig
behavioral2/files/0x0008000000023c0c-135.dat	xmrig
behavioral2/files/0x0008000000023c15-148.dat	xmrig
behavioral2/files/0x0008000000023c16-153.dat	xmrig
behavioral2/files/0x0008000000023c2e-168.dat	xmrig
behavioral2/files/0x0008000000023c28-156.dat	xmrig
behavioral2/files/0x0008000000023c14-146.dat	xmrig
behavioral2/files/0x0008000000023c0f-144.dat	xmrig
behavioral2/files/0x0008000000023c0d-134.dat	xmrig
behavioral2/files/0x0008000000023c0b-118.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4088	uBwRzoM.exe
3708	xEcZDrg.exe
4868	pQHYpgf.exe
3544	NJEoQRl.exe
1724	xUPNMBV.exe
2748	ULTsrNd.exe
392	CPruuFN.exe
232	mckBKra.exe
1400	IFOULNg.exe
3352	iwnPUJD.exe
1632	CsEwqpn.exe
2904	YzsqSZN.exe
3208	WYicdYZ.exe
2024	YoPFzDh.exe
2072	ukIlMoV.exe
2968	HTwWMiT.exe
4988	dJPIQvX.exe
4864	JnUkVPx.exe
2240	xFoFODo.exe
1700	DlleSzy.exe
2648	IZsnpcD.exe
2236	supYWlU.exe
2008	RmONvzj.exe
1012	oNBQoNT.exe
720	kFQyaBO.exe
3376	tJCjPQq.exe
764	UhVGsgc.exe
2916	YiuLRBm.exe
4464	nmcDRPq.exe
5044	BOEYBAd.exe
3084	bmFocec.exe
1864	yapXKGr.exe
2708	rYPXVLn.exe
2204	ClhhYAl.exe
684	JnPVwpy.exe
780	nWUlbXb.exe
4772	GfOZSAr.exe
2592	QkapAnP.exe
3632	OIvUJEu.exe
4100	CPybqSM.exe
3748	SdSUvrZ.exe
4248	pxiLCRe.exe
4428	bGYOLZq.exe
2040	NWdwDLu.exe
3256	ExiAOXt.exe
468	jXiHfmp.exe
4904	OHbGDEP.exe
3452	cyrfoRZ.exe
2844	eggnItv.exe
4756	YIPKpAj.exe
4980	xtofEAz.exe
3740	wWfwEWh.exe
3092	mkBrpZV.exe
968	oyGqMSA.exe
4324	qrDFZqP.exe
2284	nFSmZSi.exe
2924	IZonSTI.exe
4496	fSWyGgE.exe
4480	FMkIqsK.exe
3900	grJzsOM.exe
872	kQERfqK.exe
2372	WTSemcz.exe
3064	bNCBQCE.exe
1460	YqZEIGh.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BNrqzUJ.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\iBKPvfd.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\hDSSAMd.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\dvIUQQM.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\uXocUiu.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\aGXSjOS.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\CPruuFN.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\pbyraFg.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\UhVGsgc.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\GObnDVb.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\RMqAMop.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\qzEgenR.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\hvEApFv.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\eLxEAhf.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\BNRypyx.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\QdOpBQD.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\HOrlYdx.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\uNVwRiV.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\SBvqfst.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\GUZTtKZ.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\ExrykMH.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\aeBBGrv.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\uBwRzoM.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\FIWRCdR.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\yhCYRHp.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\nEFqxSa.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\GjHkgez.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\KwUkTwF.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\ZtbanjM.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\YwEzzsB.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\PnzhFtJ.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\QkapAnP.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\fVBRNKX.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\BtHsyDx.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\ECbchIe.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\sMePPDA.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\vJAPduX.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\vXYsyup.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\DRIwJIw.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\XGAHHWf.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\oogcCld.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\bTKSIeH.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\vOXXoWh.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\UkzNNPG.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\Lnmkinl.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\YqZEIGh.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\lGQjyFt.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\NvwuSce.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\VTpCufh.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\lrlsPUh.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\mpeYbWG.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\ExlvhfO.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\XsqKtFB.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\kLpxNXt.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\bFKsXwx.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\JmtSjwJ.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\nPvHvoR.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\uBxkoil.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\zPaJzDn.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\GNYUeWs.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\yYyOaSX.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\ChTbUAh.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\bEsnYAZ.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
File created	C:\Windows\System\WWZrPMC.exe	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech HW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "L3082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{BCAC77EC-E0AE-4CF4-9B13-5E148CC5F175}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Paul"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Pablo"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "5233694"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech SW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "410"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 a 000a e 000b i 000c o 000d u 000e t 000f d 0010 p 0011 b 0012 k 0013 g 0014 ch 0015 jj 0016 f 0017 s 0018 x 0019 m 001a n 001b nj 001c l 001d ll 001e r 001f rr 0020 j 0021 w 0022 th 0023"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727654631017526"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe
Token: SeShutdownPrivilege	17052	explorer.exe
Token: SeCreatePagefilePrivilege	17052	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
17240	sihost.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe
17052	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4260	StartMenuExperienceHost.exe
4648	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 4088	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	84
PID 1548 wrote to memory of 4088	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	84
PID 1548 wrote to memory of 3708	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	85
PID 1548 wrote to memory of 3708	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	85
PID 1548 wrote to memory of 4868	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	86
PID 1548 wrote to memory of 4868	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	86
PID 1548 wrote to memory of 3544	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	87
PID 1548 wrote to memory of 3544	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	87
PID 1548 wrote to memory of 1724	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	88
PID 1548 wrote to memory of 1724	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	88
PID 1548 wrote to memory of 2748	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	89
PID 1548 wrote to memory of 2748	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	89
PID 1548 wrote to memory of 392	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	90
PID 1548 wrote to memory of 392	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	90
PID 1548 wrote to memory of 232	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	91
PID 1548 wrote to memory of 232	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	91
PID 1548 wrote to memory of 1400	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	92
PID 1548 wrote to memory of 1400	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	92
PID 1548 wrote to memory of 3352	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	93
PID 1548 wrote to memory of 3352	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	93
PID 1548 wrote to memory of 1632	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	94
PID 1548 wrote to memory of 1632	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	94
PID 1548 wrote to memory of 2024	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	95
PID 1548 wrote to memory of 2024	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	95
PID 1548 wrote to memory of 2904	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	96
PID 1548 wrote to memory of 2904	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	96
PID 1548 wrote to memory of 3208	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	97
PID 1548 wrote to memory of 3208	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	97
PID 1548 wrote to memory of 2072	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	98
PID 1548 wrote to memory of 2072	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	98
PID 1548 wrote to memory of 2968	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	99
PID 1548 wrote to memory of 2968	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	99
PID 1548 wrote to memory of 4988	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	100
PID 1548 wrote to memory of 4988	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	100
PID 1548 wrote to memory of 4864	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	101
PID 1548 wrote to memory of 4864	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	101
PID 1548 wrote to memory of 1700	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	102
PID 1548 wrote to memory of 1700	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	102
PID 1548 wrote to memory of 2240	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	103
PID 1548 wrote to memory of 2240	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	103
PID 1548 wrote to memory of 2648	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	104
PID 1548 wrote to memory of 2648	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	104
PID 1548 wrote to memory of 2236	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	105
PID 1548 wrote to memory of 2236	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	105
PID 1548 wrote to memory of 1012	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	106
PID 1548 wrote to memory of 1012	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	106
PID 1548 wrote to memory of 2008	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	107
PID 1548 wrote to memory of 2008	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	107
PID 1548 wrote to memory of 720	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	108
PID 1548 wrote to memory of 720	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	108
PID 1548 wrote to memory of 3376	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	109
PID 1548 wrote to memory of 3376	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	109
PID 1548 wrote to memory of 764	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	110
PID 1548 wrote to memory of 764	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	110
PID 1548 wrote to memory of 2916	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	111
PID 1548 wrote to memory of 2916	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	111
PID 1548 wrote to memory of 4464	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	112
PID 1548 wrote to memory of 4464	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	112
PID 1548 wrote to memory of 5044	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	113
PID 1548 wrote to memory of 5044	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	113
PID 1548 wrote to memory of 3084	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	114
PID 1548 wrote to memory of 3084	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	114
PID 1548 wrote to memory of 1864	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	115
PID 1548 wrote to memory of 1864	1548	474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe
"C:\Users\Admin\AppData\Local\Temp\474c03fbf337c87469393b5035cea023ba25f2aac78c4d890f265dc750cf20b0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\System\uBwRzoM.exe
  C:\Windows\System\uBwRzoM.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\xEcZDrg.exe
  C:\Windows\System\xEcZDrg.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\pQHYpgf.exe
  C:\Windows\System\pQHYpgf.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\NJEoQRl.exe
  C:\Windows\System\NJEoQRl.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\xUPNMBV.exe
  C:\Windows\System\xUPNMBV.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\ULTsrNd.exe
  C:\Windows\System\ULTsrNd.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\CPruuFN.exe
  C:\Windows\System\CPruuFN.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\mckBKra.exe
  C:\Windows\System\mckBKra.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\IFOULNg.exe
  C:\Windows\System\IFOULNg.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\iwnPUJD.exe
  C:\Windows\System\iwnPUJD.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\CsEwqpn.exe
  C:\Windows\System\CsEwqpn.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\YoPFzDh.exe
  C:\Windows\System\YoPFzDh.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\YzsqSZN.exe
  C:\Windows\System\YzsqSZN.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\WYicdYZ.exe
  C:\Windows\System\WYicdYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\ukIlMoV.exe
  C:\Windows\System\ukIlMoV.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\HTwWMiT.exe
  C:\Windows\System\HTwWMiT.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\dJPIQvX.exe
  C:\Windows\System\dJPIQvX.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\JnUkVPx.exe
  C:\Windows\System\JnUkVPx.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\DlleSzy.exe
  C:\Windows\System\DlleSzy.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\xFoFODo.exe
  C:\Windows\System\xFoFODo.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\IZsnpcD.exe
  C:\Windows\System\IZsnpcD.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\supYWlU.exe
  C:\Windows\System\supYWlU.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\oNBQoNT.exe
  C:\Windows\System\oNBQoNT.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\RmONvzj.exe
  C:\Windows\System\RmONvzj.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\kFQyaBO.exe
  C:\Windows\System\kFQyaBO.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\tJCjPQq.exe
  C:\Windows\System\tJCjPQq.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\UhVGsgc.exe
  C:\Windows\System\UhVGsgc.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\YiuLRBm.exe
  C:\Windows\System\YiuLRBm.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\nmcDRPq.exe
  C:\Windows\System\nmcDRPq.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\BOEYBAd.exe
  C:\Windows\System\BOEYBAd.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\bmFocec.exe
  C:\Windows\System\bmFocec.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\yapXKGr.exe
  C:\Windows\System\yapXKGr.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\rYPXVLn.exe
  C:\Windows\System\rYPXVLn.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\ClhhYAl.exe
  C:\Windows\System\ClhhYAl.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\JnPVwpy.exe
  C:\Windows\System\JnPVwpy.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\nWUlbXb.exe
  C:\Windows\System\nWUlbXb.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\GfOZSAr.exe
  C:\Windows\System\GfOZSAr.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\QkapAnP.exe
  C:\Windows\System\QkapAnP.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\OIvUJEu.exe
  C:\Windows\System\OIvUJEu.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\CPybqSM.exe
  C:\Windows\System\CPybqSM.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\SdSUvrZ.exe
  C:\Windows\System\SdSUvrZ.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\pxiLCRe.exe
  C:\Windows\System\pxiLCRe.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\bGYOLZq.exe
  C:\Windows\System\bGYOLZq.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\NWdwDLu.exe
  C:\Windows\System\NWdwDLu.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\ExiAOXt.exe
  C:\Windows\System\ExiAOXt.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\jXiHfmp.exe
  C:\Windows\System\jXiHfmp.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\OHbGDEP.exe
  C:\Windows\System\OHbGDEP.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\cyrfoRZ.exe
  C:\Windows\System\cyrfoRZ.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\eggnItv.exe
  C:\Windows\System\eggnItv.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\YIPKpAj.exe
  C:\Windows\System\YIPKpAj.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\xtofEAz.exe
  C:\Windows\System\xtofEAz.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\wWfwEWh.exe
  C:\Windows\System\wWfwEWh.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\mkBrpZV.exe
  C:\Windows\System\mkBrpZV.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\oyGqMSA.exe
  C:\Windows\System\oyGqMSA.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\qrDFZqP.exe
  C:\Windows\System\qrDFZqP.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\nFSmZSi.exe
  C:\Windows\System\nFSmZSi.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\IZonSTI.exe
  C:\Windows\System\IZonSTI.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\fSWyGgE.exe
  C:\Windows\System\fSWyGgE.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\FMkIqsK.exe
  C:\Windows\System\FMkIqsK.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\grJzsOM.exe
  C:\Windows\System\grJzsOM.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\kQERfqK.exe
  C:\Windows\System\kQERfqK.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\WTSemcz.exe
  C:\Windows\System\WTSemcz.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\bNCBQCE.exe
  C:\Windows\System\bNCBQCE.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\YqZEIGh.exe
  C:\Windows\System\YqZEIGh.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\ZmbNzqq.exe
  C:\Windows\System\ZmbNzqq.exe
  2⤵
  PID:3448
- C:\Windows\System\jPunUVU.exe
  C:\Windows\System\jPunUVU.exe
  2⤵
  PID:3836
- C:\Windows\System\NfvdgOI.exe
  C:\Windows\System\NfvdgOI.exe
  2⤵
  PID:1972
- C:\Windows\System\qPmBOZu.exe
  C:\Windows\System\qPmBOZu.exe
  2⤵
  PID:548
- C:\Windows\System\iRhnhjr.exe
  C:\Windows\System\iRhnhjr.exe
  2⤵
  PID:2408
- C:\Windows\System\ucnolcB.exe
  C:\Windows\System\ucnolcB.exe
  2⤵
  PID:1428
- C:\Windows\System\ALwnvJv.exe
  C:\Windows\System\ALwnvJv.exe
  2⤵
  PID:2268
- C:\Windows\System\sUPGOoe.exe
  C:\Windows\System\sUPGOoe.exe
  2⤵
  PID:1692
- C:\Windows\System\upofLyw.exe
  C:\Windows\System\upofLyw.exe
  2⤵
  PID:3004
- C:\Windows\System\NyfizOU.exe
  C:\Windows\System\NyfizOU.exe
  2⤵
  PID:3832
- C:\Windows\System\ivPKCYm.exe
  C:\Windows\System\ivPKCYm.exe
  2⤵
  PID:4652
- C:\Windows\System\DuHllrE.exe
  C:\Windows\System\DuHllrE.exe
  2⤵
  PID:4224
- C:\Windows\System\PvQVEzT.exe
  C:\Windows\System\PvQVEzT.exe
  2⤵
  PID:2964
- C:\Windows\System\GzsuPVm.exe
  C:\Windows\System\GzsuPVm.exe
  2⤵
  PID:1348
- C:\Windows\System\lxhzTSM.exe
  C:\Windows\System\lxhzTSM.exe
  2⤵
  PID:5016
- C:\Windows\System\GObnDVb.exe
  C:\Windows\System\GObnDVb.exe
  2⤵
  PID:2704
- C:\Windows\System\HnZHZGm.exe
  C:\Windows\System\HnZHZGm.exe
  2⤵
  PID:3500
- C:\Windows\System\YLYmmid.exe
  C:\Windows\System\YLYmmid.exe
  2⤵
  PID:4416
- C:\Windows\System\GmRFzQB.exe
  C:\Windows\System\GmRFzQB.exe
  2⤵
  PID:3404
- C:\Windows\System\PRqHXSB.exe
  C:\Windows\System\PRqHXSB.exe
  2⤵
  PID:2132
- C:\Windows\System\RNjkVfI.exe
  C:\Windows\System\RNjkVfI.exe
  2⤵
  PID:1948
- C:\Windows\System\YoUsNNu.exe
  C:\Windows\System\YoUsNNu.exe
  2⤵
  PID:2760
- C:\Windows\System\KCFqDAc.exe
  C:\Windows\System\KCFqDAc.exe
  2⤵
  PID:2656
- C:\Windows\System\wYiuOhv.exe
  C:\Windows\System\wYiuOhv.exe
  2⤵
  PID:2192
- C:\Windows\System\hDSSAMd.exe
  C:\Windows\System\hDSSAMd.exe
  2⤵
  PID:2764
- C:\Windows\System\BxSvrso.exe
  C:\Windows\System\BxSvrso.exe
  2⤵
  PID:2948
- C:\Windows\System\mjFuEas.exe
  C:\Windows\System\mjFuEas.exe
  2⤵
  PID:3600
- C:\Windows\System\XljsFzQ.exe
  C:\Windows\System\XljsFzQ.exe
  2⤵
  PID:1328
- C:\Windows\System\MExHazs.exe
  C:\Windows\System\MExHazs.exe
  2⤵
  PID:4748
- C:\Windows\System\sGmuVaB.exe
  C:\Windows\System\sGmuVaB.exe
  2⤵
  PID:2468
- C:\Windows\System\NjtRXhM.exe
  C:\Windows\System\NjtRXhM.exe
  2⤵
  PID:2156
- C:\Windows\System\lpMQHOZ.exe
  C:\Windows\System\lpMQHOZ.exe
  2⤵
  PID:4468
- C:\Windows\System\FIWRCdR.exe
  C:\Windows\System\FIWRCdR.exe
  2⤵
  PID:4400
- C:\Windows\System\gQwpLai.exe
  C:\Windows\System\gQwpLai.exe
  2⤵
  PID:1928
- C:\Windows\System\ZSIYHgl.exe
  C:\Windows\System\ZSIYHgl.exe
  2⤵
  PID:5068
- C:\Windows\System\zDBTdiF.exe
  C:\Windows\System\zDBTdiF.exe
  2⤵
  PID:5100
- C:\Windows\System\lGQjyFt.exe
  C:\Windows\System\lGQjyFt.exe
  2⤵
  PID:2972
- C:\Windows\System\pbyraFg.exe
  C:\Windows\System\pbyraFg.exe
  2⤵
  PID:4388
- C:\Windows\System\mNZsvCj.exe
  C:\Windows\System\mNZsvCj.exe
  2⤵
  PID:1916
- C:\Windows\System\kDmurUa.exe
  C:\Windows\System\kDmurUa.exe
  2⤵
  PID:3944
- C:\Windows\System\pWeiJyU.exe
  C:\Windows\System\pWeiJyU.exe
  2⤵
  PID:812
- C:\Windows\System\NdyOfwL.exe
  C:\Windows\System\NdyOfwL.exe
  2⤵
  PID:2676
- C:\Windows\System\YPRBajo.exe
  C:\Windows\System\YPRBajo.exe
  2⤵
  PID:4976
- C:\Windows\System\OJnYrlQ.exe
  C:\Windows\System\OJnYrlQ.exe
  2⤵
  PID:4160
- C:\Windows\System\fpyWkuR.exe
  C:\Windows\System\fpyWkuR.exe
  2⤵
  PID:4348
- C:\Windows\System\vLKArNZ.exe
  C:\Windows\System\vLKArNZ.exe
  2⤵
  PID:3144
- C:\Windows\System\UzINqGW.exe
  C:\Windows\System\UzINqGW.exe
  2⤵
  PID:3160
- C:\Windows\System\qzEgenR.exe
  C:\Windows\System\qzEgenR.exe
  2⤵
  PID:4488
- C:\Windows\System\LcegNwP.exe
  C:\Windows\System\LcegNwP.exe
  2⤵
  PID:3104
- C:\Windows\System\fAbvXTw.exe
  C:\Windows\System\fAbvXTw.exe
  2⤵
  PID:5104
- C:\Windows\System\kegQmbQ.exe
  C:\Windows\System\kegQmbQ.exe
  2⤵
  PID:2196
- C:\Windows\System\hZJrxkm.exe
  C:\Windows\System\hZJrxkm.exe
  2⤵
  PID:5144
- C:\Windows\System\FfiBwmu.exe
  C:\Windows\System\FfiBwmu.exe
  2⤵
  PID:5168
- C:\Windows\System\LjRbMBu.exe
  C:\Windows\System\LjRbMBu.exe
  2⤵
  PID:5196
- C:\Windows\System\pmFuOXW.exe
  C:\Windows\System\pmFuOXW.exe
  2⤵
  PID:5228
- C:\Windows\System\dyXSyZI.exe
  C:\Windows\System\dyXSyZI.exe
  2⤵
  PID:5264
- C:\Windows\System\XkAiuoe.exe
  C:\Windows\System\XkAiuoe.exe
  2⤵
  PID:5284
- C:\Windows\System\awIKVey.exe
  C:\Windows\System\awIKVey.exe
  2⤵
  PID:5308
- C:\Windows\System\IHwpOdl.exe
  C:\Windows\System\IHwpOdl.exe
  2⤵
  PID:5344
- C:\Windows\System\swPYKKw.exe
  C:\Windows\System\swPYKKw.exe
  2⤵
  PID:5376
- C:\Windows\System\dZdfxCq.exe
  C:\Windows\System\dZdfxCq.exe
  2⤵
  PID:5412
- C:\Windows\System\KkWAzgp.exe
  C:\Windows\System\KkWAzgp.exe
  2⤵
  PID:5444
- C:\Windows\System\kRCErtk.exe
  C:\Windows\System\kRCErtk.exe
  2⤵
  PID:5472
- C:\Windows\System\JfqhspH.exe
  C:\Windows\System\JfqhspH.exe
  2⤵
  PID:5500
- C:\Windows\System\qieggQx.exe
  C:\Windows\System\qieggQx.exe
  2⤵
  PID:5528
- C:\Windows\System\FJGicUD.exe
  C:\Windows\System\FJGicUD.exe
  2⤵
  PID:5548
- C:\Windows\System\BNRypyx.exe
  C:\Windows\System\BNRypyx.exe
  2⤵
  PID:5572
- C:\Windows\System\NOeQBwk.exe
  C:\Windows\System\NOeQBwk.exe
  2⤵
  PID:5592
- C:\Windows\System\PFxqdDZ.exe
  C:\Windows\System\PFxqdDZ.exe
  2⤵
  PID:5628
- C:\Windows\System\SeXjsij.exe
  C:\Windows\System\SeXjsij.exe
  2⤵
  PID:5644
- C:\Windows\System\UxbPDma.exe
  C:\Windows\System\UxbPDma.exe
  2⤵
  PID:5676
- C:\Windows\System\eEbwdXa.exe
  C:\Windows\System\eEbwdXa.exe
  2⤵
  PID:5708
- C:\Windows\System\KjKUErS.exe
  C:\Windows\System\KjKUErS.exe
  2⤵
  PID:5740
- C:\Windows\System\rABOMQd.exe
  C:\Windows\System\rABOMQd.exe
  2⤵
  PID:5764
- C:\Windows\System\qyiSbVQ.exe
  C:\Windows\System\qyiSbVQ.exe
  2⤵
  PID:5788
- C:\Windows\System\hSXlDjT.exe
  C:\Windows\System\hSXlDjT.exe
  2⤵
  PID:5824
- C:\Windows\System\TPlKQqR.exe
  C:\Windows\System\TPlKQqR.exe
  2⤵
  PID:5856
- C:\Windows\System\DDiiMZN.exe
  C:\Windows\System\DDiiMZN.exe
  2⤵
  PID:5884
- C:\Windows\System\GDWHCsf.exe
  C:\Windows\System\GDWHCsf.exe
  2⤵
  PID:5908
- C:\Windows\System\WtHCcfe.exe
  C:\Windows\System\WtHCcfe.exe
  2⤵
  PID:5944
- C:\Windows\System\nDuqLcX.exe
  C:\Windows\System\nDuqLcX.exe
  2⤵
  PID:5980
- C:\Windows\System\kfFNpyr.exe
  C:\Windows\System\kfFNpyr.exe
  2⤵
  PID:6000
- C:\Windows\System\JkWstYT.exe
  C:\Windows\System\JkWstYT.exe
  2⤵
  PID:6028
- C:\Windows\System\zjkkQou.exe
  C:\Windows\System\zjkkQou.exe
  2⤵
  PID:6048
- C:\Windows\System\ZtbanjM.exe
  C:\Windows\System\ZtbanjM.exe
  2⤵
  PID:6084
- C:\Windows\System\CDeHZEs.exe
  C:\Windows\System\CDeHZEs.exe
  2⤵
  PID:6124
- C:\Windows\System\mBcjSzV.exe
  C:\Windows\System\mBcjSzV.exe
  2⤵
  PID:6140
- C:\Windows\System\XIXMgJP.exe
  C:\Windows\System\XIXMgJP.exe
  2⤵
  PID:5184
- C:\Windows\System\ZzTTXTB.exe
  C:\Windows\System\ZzTTXTB.exe
  2⤵
  PID:5212
- C:\Windows\System\SJKgtgV.exe
  C:\Windows\System\SJKgtgV.exe
  2⤵
  PID:5304
- C:\Windows\System\kwLHDVC.exe
  C:\Windows\System\kwLHDVC.exe
  2⤵
  PID:5364
- C:\Windows\System\wHOgFRa.exe
  C:\Windows\System\wHOgFRa.exe
  2⤵
  PID:5424
- C:\Windows\System\QpXIxkJ.exe
  C:\Windows\System\QpXIxkJ.exe
  2⤵
  PID:5496
- C:\Windows\System\lArndly.exe
  C:\Windows\System\lArndly.exe
  2⤵
  PID:5564
- C:\Windows\System\JmtSjwJ.exe
  C:\Windows\System\JmtSjwJ.exe
  2⤵
  PID:5612
- C:\Windows\System\tnkFbgL.exe
  C:\Windows\System\tnkFbgL.exe
  2⤵
  PID:5700
- C:\Windows\System\RXItyrl.exe
  C:\Windows\System\RXItyrl.exe
  2⤵
  PID:5772
- C:\Windows\System\GugCjGi.exe
  C:\Windows\System\GugCjGi.exe
  2⤵
  PID:1880
- C:\Windows\System\ZwuDFdr.exe
  C:\Windows\System\ZwuDFdr.exe
  2⤵
  PID:5876
- C:\Windows\System\lFKowBv.exe
  C:\Windows\System\lFKowBv.exe
  2⤵
  PID:5972
- C:\Windows\System\AUyvFQS.exe
  C:\Windows\System\AUyvFQS.exe
  2⤵
  PID:6016
- C:\Windows\System\ExlvhfO.exe
  C:\Windows\System\ExlvhfO.exe
  2⤵
  PID:6108
- C:\Windows\System\jzecWdU.exe
  C:\Windows\System\jzecWdU.exe
  2⤵
  PID:2296
- C:\Windows\System\qDSajjD.exe
  C:\Windows\System\qDSajjD.exe
  2⤵
  PID:5188
- C:\Windows\System\ChpWEJt.exe
  C:\Windows\System\ChpWEJt.exe
  2⤵
  PID:5456
- C:\Windows\System\iQOiUFf.exe
  C:\Windows\System\iQOiUFf.exe
  2⤵
  PID:5608
- C:\Windows\System\mEfBfOh.exe
  C:\Windows\System\mEfBfOh.exe
  2⤵
  PID:5724
- C:\Windows\System\pugPTDW.exe
  C:\Windows\System\pugPTDW.exe
  2⤵
  PID:5896
- C:\Windows\System\ztLxNbc.exe
  C:\Windows\System\ztLxNbc.exe
  2⤵
  PID:6020
- C:\Windows\System\ysRUjHa.exe
  C:\Windows\System\ysRUjHa.exe
  2⤵
  PID:5180
- C:\Windows\System\IlwLtYS.exe
  C:\Windows\System\IlwLtYS.exe
  2⤵
  PID:5484
- C:\Windows\System\LjnTqkv.exe
  C:\Windows\System\LjnTqkv.exe
  2⤵
  PID:5880
- C:\Windows\System\mTnkWGx.exe
  C:\Windows\System\mTnkWGx.exe
  2⤵
  PID:6136
- C:\Windows\System\qjpEboQ.exe
  C:\Windows\System\qjpEboQ.exe
  2⤵
  PID:6072
- C:\Windows\System\EnWKZzQ.exe
  C:\Windows\System\EnWKZzQ.exe
  2⤵
  PID:6160
- C:\Windows\System\oSXZOWk.exe
  C:\Windows\System\oSXZOWk.exe
  2⤵
  PID:6200
- C:\Windows\System\XFNLxZl.exe
  C:\Windows\System\XFNLxZl.exe
  2⤵
  PID:6240
- C:\Windows\System\UFfbLcB.exe
  C:\Windows\System\UFfbLcB.exe
  2⤵
  PID:6256
- C:\Windows\System\VVumzXx.exe
  C:\Windows\System\VVumzXx.exe
  2⤵
  PID:6288
- C:\Windows\System\YXQmFGB.exe
  C:\Windows\System\YXQmFGB.exe
  2⤵
  PID:6320
- C:\Windows\System\bgXrfQA.exe
  C:\Windows\System\bgXrfQA.exe
  2⤵
  PID:6340
- C:\Windows\System\ZtTjyyW.exe
  C:\Windows\System\ZtTjyyW.exe
  2⤵
  PID:6368
- C:\Windows\System\gREirzH.exe
  C:\Windows\System\gREirzH.exe
  2⤵
  PID:6388
- C:\Windows\System\zOMrMlp.exe
  C:\Windows\System\zOMrMlp.exe
  2⤵
  PID:6416
- C:\Windows\System\hagVyEk.exe
  C:\Windows\System\hagVyEk.exe
  2⤵
  PID:6440
- C:\Windows\System\IPhdNAd.exe
  C:\Windows\System\IPhdNAd.exe
  2⤵
  PID:6456
- C:\Windows\System\TjBiLbF.exe
  C:\Windows\System\TjBiLbF.exe
  2⤵
  PID:6492
- C:\Windows\System\bXFDvqt.exe
  C:\Windows\System\bXFDvqt.exe
  2⤵
  PID:6524
- C:\Windows\System\tfoNApK.exe
  C:\Windows\System\tfoNApK.exe
  2⤵
  PID:6552
- C:\Windows\System\kDXBWoR.exe
  C:\Windows\System\kDXBWoR.exe
  2⤵
  PID:6588
- C:\Windows\System\dvIUQQM.exe
  C:\Windows\System\dvIUQQM.exe
  2⤵
  PID:6608
- C:\Windows\System\TzimzrX.exe
  C:\Windows\System\TzimzrX.exe
  2⤵
  PID:6640
- C:\Windows\System\TZWVywZ.exe
  C:\Windows\System\TZWVywZ.exe
  2⤵
  PID:6676
- C:\Windows\System\DPOpWQB.exe
  C:\Windows\System\DPOpWQB.exe
  2⤵
  PID:6704
- C:\Windows\System\GoWuQKi.exe
  C:\Windows\System\GoWuQKi.exe
  2⤵
  PID:6732
- C:\Windows\System\cfQKlTJ.exe
  C:\Windows\System\cfQKlTJ.exe
  2⤵
  PID:6760
- C:\Windows\System\RDPkEcx.exe
  C:\Windows\System\RDPkEcx.exe
  2⤵
  PID:6792
- C:\Windows\System\OKByngk.exe
  C:\Windows\System\OKByngk.exe
  2⤵
  PID:6812
- C:\Windows\System\GBbGPTQ.exe
  C:\Windows\System\GBbGPTQ.exe
  2⤵
  PID:6832
- C:\Windows\System\lwpSdCg.exe
  C:\Windows\System\lwpSdCg.exe
  2⤵
  PID:6860
- C:\Windows\System\fzufZMZ.exe
  C:\Windows\System\fzufZMZ.exe
  2⤵
  PID:6896
- C:\Windows\System\nSntqtd.exe
  C:\Windows\System\nSntqtd.exe
  2⤵
  PID:6916
- C:\Windows\System\WDGStlr.exe
  C:\Windows\System\WDGStlr.exe
  2⤵
  PID:6952
- C:\Windows\System\GTgMQWI.exe
  C:\Windows\System\GTgMQWI.exe
  2⤵
  PID:6976
- C:\Windows\System\IUzbMOF.exe
  C:\Windows\System\IUzbMOF.exe
  2⤵
  PID:7004
- C:\Windows\System\fuXEioZ.exe
  C:\Windows\System\fuXEioZ.exe
  2⤵
  PID:7036
- C:\Windows\System\oogcCld.exe
  C:\Windows\System\oogcCld.exe
  2⤵
  PID:7068
- C:\Windows\System\pbVzmtM.exe
  C:\Windows\System\pbVzmtM.exe
  2⤵
  PID:7088
- C:\Windows\System\aVYpvxj.exe
  C:\Windows\System\aVYpvxj.exe
  2⤵
  PID:7124
- C:\Windows\System\ykwckOU.exe
  C:\Windows\System\ykwckOU.exe
  2⤵
  PID:7152
- C:\Windows\System\AOfOMJn.exe
  C:\Windows\System\AOfOMJn.exe
  2⤵
  PID:6152
- C:\Windows\System\CxGLcDa.exe
  C:\Windows\System\CxGLcDa.exe
  2⤵
  PID:6220
- C:\Windows\System\KIQQGhn.exe
  C:\Windows\System\KIQQGhn.exe
  2⤵
  PID:6276
- C:\Windows\System\uQzpkzx.exe
  C:\Windows\System\uQzpkzx.exe
  2⤵
  PID:6360
- C:\Windows\System\iMegvqw.exe
  C:\Windows\System\iMegvqw.exe
  2⤵
  PID:6408
- C:\Windows\System\EuYGRLt.exe
  C:\Windows\System\EuYGRLt.exe
  2⤵
  PID:6484
- C:\Windows\System\ZdGJnvF.exe
  C:\Windows\System\ZdGJnvF.exe
  2⤵
  PID:6476
- C:\Windows\System\MQkTxWE.exe
  C:\Windows\System\MQkTxWE.exe
  2⤵
  PID:6580
- C:\Windows\System\jnzQYeK.exe
  C:\Windows\System\jnzQYeK.exe
  2⤵
  PID:6624
- C:\Windows\System\ByBfBwA.exe
  C:\Windows\System\ByBfBwA.exe
  2⤵
  PID:6656
- C:\Windows\System\nOhsSYO.exe
  C:\Windows\System\nOhsSYO.exe
  2⤵
  PID:6748
- C:\Windows\System\dcVbObq.exe
  C:\Windows\System\dcVbObq.exe
  2⤵
  PID:6824
- C:\Windows\System\BdCopXY.exe
  C:\Windows\System\BdCopXY.exe
  2⤵
  PID:6844
- C:\Windows\System\qFxLawP.exe
  C:\Windows\System\qFxLawP.exe
  2⤵
  PID:6964
- C:\Windows\System\OtieNUy.exe
  C:\Windows\System\OtieNUy.exe
  2⤵
  PID:7048
- C:\Windows\System\AQcuswx.exe
  C:\Windows\System\AQcuswx.exe
  2⤵
  PID:7144
- C:\Windows\System\qTGCZrv.exe
  C:\Windows\System\qTGCZrv.exe
  2⤵
  PID:6180
- C:\Windows\System\QGIrgII.exe
  C:\Windows\System\QGIrgII.exe
  2⤵
  PID:6316
- C:\Windows\System\ZGAiGru.exe
  C:\Windows\System\ZGAiGru.exe
  2⤵
  PID:6544
- C:\Windows\System\HoQWCgq.exe
  C:\Windows\System\HoQWCgq.exe
  2⤵
  PID:6724
- C:\Windows\System\MkOimkm.exe
  C:\Windows\System\MkOimkm.exe
  2⤵
  PID:6784
- C:\Windows\System\SxgsXse.exe
  C:\Windows\System\SxgsXse.exe
  2⤵
  PID:6852
- C:\Windows\System\OZicsxa.exe
  C:\Windows\System\OZicsxa.exe
  2⤵
  PID:7112
- C:\Windows\System\nPvHvoR.exe
  C:\Windows\System\nPvHvoR.exe
  2⤵
  PID:6396
- C:\Windows\System\XgzfQVT.exe
  C:\Windows\System\XgzfQVT.exe
  2⤵
  PID:6452
- C:\Windows\System\hLGWpad.exe
  C:\Windows\System\hLGWpad.exe
  2⤵
  PID:6716
- C:\Windows\System\mbTyoYT.exe
  C:\Windows\System\mbTyoYT.exe
  2⤵
  PID:1520
- C:\Windows\System\qazGqrj.exe
  C:\Windows\System\qazGqrj.exe
  2⤵
  PID:6600
- C:\Windows\System\jwtoHtT.exe
  C:\Windows\System\jwtoHtT.exe
  2⤵
  PID:7192
- C:\Windows\System\ZxXirXv.exe
  C:\Windows\System\ZxXirXv.exe
  2⤵
  PID:7224
- C:\Windows\System\eSJHoKc.exe
  C:\Windows\System\eSJHoKc.exe
  2⤵
  PID:7260
- C:\Windows\System\swsiPqB.exe
  C:\Windows\System\swsiPqB.exe
  2⤵
  PID:7292
- C:\Windows\System\EjOBnLm.exe
  C:\Windows\System\EjOBnLm.exe
  2⤵
  PID:7312
- C:\Windows\System\ffjrOEN.exe
  C:\Windows\System\ffjrOEN.exe
  2⤵
  PID:7332
- C:\Windows\System\mvKjPZY.exe
  C:\Windows\System\mvKjPZY.exe
  2⤵
  PID:7360
- C:\Windows\System\PmrJgbS.exe
  C:\Windows\System\PmrJgbS.exe
  2⤵
  PID:7384
- C:\Windows\System\sMePPDA.exe
  C:\Windows\System\sMePPDA.exe
  2⤵
  PID:7416
- C:\Windows\System\fqntSlz.exe
  C:\Windows\System\fqntSlz.exe
  2⤵
  PID:7448
- C:\Windows\System\uuLdgoa.exe
  C:\Windows\System\uuLdgoa.exe
  2⤵
  PID:7476
- C:\Windows\System\NMfUzoS.exe
  C:\Windows\System\NMfUzoS.exe
  2⤵
  PID:7504
- C:\Windows\System\gmrmgtQ.exe
  C:\Windows\System\gmrmgtQ.exe
  2⤵
  PID:7528
- C:\Windows\System\BHZVIMB.exe
  C:\Windows\System\BHZVIMB.exe
  2⤵
  PID:7548
- C:\Windows\System\fVBRNKX.exe
  C:\Windows\System\fVBRNKX.exe
  2⤵
  PID:7568
- C:\Windows\System\KBQRtqW.exe
  C:\Windows\System\KBQRtqW.exe
  2⤵
  PID:7600
- C:\Windows\System\pgUCJjv.exe
  C:\Windows\System\pgUCJjv.exe
  2⤵
  PID:7628
- C:\Windows\System\aqNidZP.exe
  C:\Windows\System\aqNidZP.exe
  2⤵
  PID:7660
- C:\Windows\System\xkMGOLw.exe
  C:\Windows\System\xkMGOLw.exe
  2⤵
  PID:7684
- C:\Windows\System\vNndllp.exe
  C:\Windows\System\vNndllp.exe
  2⤵
  PID:7712
- C:\Windows\System\vJAPduX.exe
  C:\Windows\System\vJAPduX.exe
  2⤵
  PID:7744
- C:\Windows\System\qjqNslX.exe
  C:\Windows\System\qjqNslX.exe
  2⤵
  PID:7768
- C:\Windows\System\VFLPJAF.exe
  C:\Windows\System\VFLPJAF.exe
  2⤵
  PID:7800
- C:\Windows\System\RPpfQmr.exe
  C:\Windows\System\RPpfQmr.exe
  2⤵
  PID:7840
- C:\Windows\System\qjlPREk.exe
  C:\Windows\System\qjlPREk.exe
  2⤵
  PID:7864
- C:\Windows\System\rHbrHVT.exe
  C:\Windows\System\rHbrHVT.exe
  2⤵
  PID:7896
- C:\Windows\System\SWZoZLJ.exe
  C:\Windows\System\SWZoZLJ.exe
  2⤵
  PID:7936
- C:\Windows\System\ldfvola.exe
  C:\Windows\System\ldfvola.exe
  2⤵
  PID:7964
- C:\Windows\System\rRpUkmt.exe
  C:\Windows\System\rRpUkmt.exe
  2⤵
  PID:7988
- C:\Windows\System\yhCYRHp.exe
  C:\Windows\System\yhCYRHp.exe
  2⤵
  PID:8020
- C:\Windows\System\cvnSeUU.exe
  C:\Windows\System\cvnSeUU.exe
  2⤵
  PID:8048
- C:\Windows\System\HsKgmES.exe
  C:\Windows\System\HsKgmES.exe
  2⤵
  PID:8076
- C:\Windows\System\wBLtcDp.exe
  C:\Windows\System\wBLtcDp.exe
  2⤵
  PID:8104
- C:\Windows\System\dQNlvXw.exe
  C:\Windows\System\dQNlvXw.exe
  2⤵
  PID:8136
- C:\Windows\System\nMLANIh.exe
  C:\Windows\System\nMLANIh.exe
  2⤵
  PID:8160
- C:\Windows\System\hWUEYgl.exe
  C:\Windows\System\hWUEYgl.exe
  2⤵
  PID:8188
- C:\Windows\System\scEcfKr.exe
  C:\Windows\System\scEcfKr.exe
  2⤵
  PID:7216
- C:\Windows\System\tRdmSqr.exe
  C:\Windows\System\tRdmSqr.exe
  2⤵
  PID:7284
- C:\Windows\System\OXwjMLh.exe
  C:\Windows\System\OXwjMLh.exe
  2⤵
  PID:7324
- C:\Windows\System\HPazWHl.exe
  C:\Windows\System\HPazWHl.exe
  2⤵
  PID:7372
- C:\Windows\System\QkHGyFB.exe
  C:\Windows\System\QkHGyFB.exe
  2⤵
  PID:7468
- C:\Windows\System\hyaPVQZ.exe
  C:\Windows\System\hyaPVQZ.exe
  2⤵
  PID:7500
- C:\Windows\System\idraGbU.exe
  C:\Windows\System\idraGbU.exe
  2⤵
  PID:7524
- C:\Windows\System\iFMGdsb.exe
  C:\Windows\System\iFMGdsb.exe
  2⤵
  PID:7652
- C:\Windows\System\TFResQx.exe
  C:\Windows\System\TFResQx.exe
  2⤵
  PID:7700
- C:\Windows\System\EDrpRFY.exe
  C:\Windows\System\EDrpRFY.exe
  2⤵
  PID:7696
- C:\Windows\System\sESFDBE.exe
  C:\Windows\System\sESFDBE.exe
  2⤵
  PID:7760
- C:\Windows\System\vasOrCI.exe
  C:\Windows\System\vasOrCI.exe
  2⤵
  PID:7884
- C:\Windows\System\FjSojLB.exe
  C:\Windows\System\FjSojLB.exe
  2⤵
  PID:7948
- C:\Windows\System\QHkYQqc.exe
  C:\Windows\System\QHkYQqc.exe
  2⤵
  PID:8008
- C:\Windows\System\amGLYWB.exe
  C:\Windows\System\amGLYWB.exe
  2⤵
  PID:8068
- C:\Windows\System\HhhjSJZ.exe
  C:\Windows\System\HhhjSJZ.exe
  2⤵
  PID:8096
- C:\Windows\System\QtSiUMj.exe
  C:\Windows\System\QtSiUMj.exe
  2⤵
  PID:8172
- C:\Windows\System\idisIvD.exe
  C:\Windows\System\idisIvD.exe
  2⤵
  PID:8184
- C:\Windows\System\fYpTxVZ.exe
  C:\Windows\System\fYpTxVZ.exe
  2⤵
  PID:7308
- C:\Windows\System\YLXDehI.exe
  C:\Windows\System\YLXDehI.exe
  2⤵
  PID:7492
- C:\Windows\System\KYDfzDt.exe
  C:\Windows\System\KYDfzDt.exe
  2⤵
  PID:7608
- C:\Windows\System\lhToTxD.exe
  C:\Windows\System\lhToTxD.exe
  2⤵
  PID:7904
- C:\Windows\System\eTdMdVr.exe
  C:\Windows\System\eTdMdVr.exe
  2⤵
  PID:8032
- C:\Windows\System\CkdkzyI.exe
  C:\Windows\System\CkdkzyI.exe
  2⤵
  PID:8116
- C:\Windows\System\YYSSfel.exe
  C:\Windows\System\YYSSfel.exe
  2⤵
  PID:7724
- C:\Windows\System\vjnpidC.exe
  C:\Windows\System\vjnpidC.exe
  2⤵
  PID:7848
- C:\Windows\System\xdiLdaO.exe
  C:\Windows\System\xdiLdaO.exe
  2⤵
  PID:7980
- C:\Windows\System\BtHsyDx.exe
  C:\Windows\System\BtHsyDx.exe
  2⤵
  PID:8212
- C:\Windows\System\mccDewN.exe
  C:\Windows\System\mccDewN.exe
  2⤵
  PID:8244
- C:\Windows\System\QdOpBQD.exe
  C:\Windows\System\QdOpBQD.exe
  2⤵
  PID:8272
- C:\Windows\System\xzuSqoS.exe
  C:\Windows\System\xzuSqoS.exe
  2⤵
  PID:8288
- C:\Windows\System\JlALngv.exe
  C:\Windows\System\JlALngv.exe
  2⤵
  PID:8304
- C:\Windows\System\yONuQHM.exe
  C:\Windows\System\yONuQHM.exe
  2⤵
  PID:8328
- C:\Windows\System\rfzwdkx.exe
  C:\Windows\System\rfzwdkx.exe
  2⤵
  PID:8344
- C:\Windows\System\HOrlYdx.exe
  C:\Windows\System\HOrlYdx.exe
  2⤵
  PID:8372
- C:\Windows\System\KzIXdih.exe
  C:\Windows\System\KzIXdih.exe
  2⤵
  PID:8392
- C:\Windows\System\lWJVYgh.exe
  C:\Windows\System\lWJVYgh.exe
  2⤵
  PID:8420
- C:\Windows\System\izGpJTy.exe
  C:\Windows\System\izGpJTy.exe
  2⤵
  PID:8440
- C:\Windows\System\nOEtwVX.exe
  C:\Windows\System\nOEtwVX.exe
  2⤵
  PID:8464
- C:\Windows\System\neVxlzL.exe
  C:\Windows\System\neVxlzL.exe
  2⤵
  PID:8480
- C:\Windows\System\nXoNMnv.exe
  C:\Windows\System\nXoNMnv.exe
  2⤵
  PID:8512
- C:\Windows\System\bXCgsQE.exe
  C:\Windows\System\bXCgsQE.exe
  2⤵
  PID:8540
- C:\Windows\System\aBkoJrG.exe
  C:\Windows\System\aBkoJrG.exe
  2⤵
  PID:8564
- C:\Windows\System\RDLWvSi.exe
  C:\Windows\System\RDLWvSi.exe
  2⤵
  PID:8600
- C:\Windows\System\GdBCAUt.exe
  C:\Windows\System\GdBCAUt.exe
  2⤵
  PID:8620
- C:\Windows\System\QLUNwzd.exe
  C:\Windows\System\QLUNwzd.exe
  2⤵
  PID:8652
- C:\Windows\System\CfgjIIj.exe
  C:\Windows\System\CfgjIIj.exe
  2⤵
  PID:8692
- C:\Windows\System\xEUMcWp.exe
  C:\Windows\System\xEUMcWp.exe
  2⤵
  PID:8724
- C:\Windows\System\GzofSxV.exe
  C:\Windows\System\GzofSxV.exe
  2⤵
  PID:8756
- C:\Windows\System\clZhYEE.exe
  C:\Windows\System\clZhYEE.exe
  2⤵
  PID:8776
- C:\Windows\System\TkGsKcW.exe
  C:\Windows\System\TkGsKcW.exe
  2⤵
  PID:8804
- C:\Windows\System\QHWkIpd.exe
  C:\Windows\System\QHWkIpd.exe
  2⤵
  PID:8840
- C:\Windows\System\OZYIyxD.exe
  C:\Windows\System\OZYIyxD.exe
  2⤵
  PID:8876
- C:\Windows\System\TcEKuQq.exe
  C:\Windows\System\TcEKuQq.exe
  2⤵
  PID:8908
- C:\Windows\System\elCyPLY.exe
  C:\Windows\System\elCyPLY.exe
  2⤵
  PID:8932
- C:\Windows\System\RDygqkM.exe
  C:\Windows\System\RDygqkM.exe
  2⤵
  PID:8968
- C:\Windows\System\Pdrhovg.exe
  C:\Windows\System\Pdrhovg.exe
  2⤵
  PID:8996
- C:\Windows\System\mSNXptq.exe
  C:\Windows\System\mSNXptq.exe
  2⤵
  PID:9024
- C:\Windows\System\isRRruA.exe
  C:\Windows\System\isRRruA.exe
  2⤵
  PID:9044
- C:\Windows\System\qTqVLNC.exe
  C:\Windows\System\qTqVLNC.exe
  2⤵
  PID:9072
- C:\Windows\System\DBYiZsl.exe
  C:\Windows\System\DBYiZsl.exe
  2⤵
  PID:9092
- C:\Windows\System\DDEuBYR.exe
  C:\Windows\System\DDEuBYR.exe
  2⤵
  PID:9124
- C:\Windows\System\hDysWFa.exe
  C:\Windows\System\hDysWFa.exe
  2⤵
  PID:9156
- C:\Windows\System\ZeYrkCj.exe
  C:\Windows\System\ZeYrkCj.exe
  2⤵
  PID:8284
- C:\Windows\System\CYBAiwH.exe
  C:\Windows\System\CYBAiwH.exe
  2⤵
  PID:8240
- C:\Windows\System\wYyZLjA.exe
  C:\Windows\System\wYyZLjA.exe
  2⤵
  PID:8384
- C:\Windows\System\kwjZjpo.exe
  C:\Windows\System\kwjZjpo.exe
  2⤵
  PID:8324
- C:\Windows\System\oyCBWEc.exe
  C:\Windows\System\oyCBWEc.exe
  2⤵
  PID:8504
- C:\Windows\System\iIYxSlB.exe
  C:\Windows\System\iIYxSlB.exe
  2⤵
  PID:8556
- C:\Windows\System\BRyjJUX.exe
  C:\Windows\System\BRyjJUX.exe
  2⤵
  PID:8460
- C:\Windows\System\HFYBbxv.exe
  C:\Windows\System\HFYBbxv.exe
  2⤵
  PID:8680
- C:\Windows\System\RAqPxpX.exe
  C:\Windows\System\RAqPxpX.exe
  2⤵
  PID:8676
- C:\Windows\System\lRWacyt.exe
  C:\Windows\System\lRWacyt.exe
  2⤵
  PID:8900
- C:\Windows\System\lNrUzjP.exe
  C:\Windows\System\lNrUzjP.exe
  2⤵
  PID:8920
- C:\Windows\System\aPxRMdw.exe
  C:\Windows\System\aPxRMdw.exe
  2⤵
  PID:8800
- C:\Windows\System\qbbNive.exe
  C:\Windows\System\qbbNive.exe
  2⤵
  PID:8848
- C:\Windows\System\SAIKUVU.exe
  C:\Windows\System\SAIKUVU.exe
  2⤵
  PID:9020
- C:\Windows\System\NSBhjsa.exe
  C:\Windows\System\NSBhjsa.exe
  2⤵
  PID:8948
- C:\Windows\System\hvEApFv.exe
  C:\Windows\System\hvEApFv.exe
  2⤵
  PID:9036
- C:\Windows\System\UPNkNmK.exe
  C:\Windows\System\UPNkNmK.exe
  2⤵
  PID:9148
- C:\Windows\System\YYMBrlH.exe
  C:\Windows\System\YYMBrlH.exe
  2⤵
  PID:8088
- C:\Windows\System\IruiFfu.exe
  C:\Windows\System\IruiFfu.exe
  2⤵
  PID:9176
- C:\Windows\System\usKQoLY.exe
  C:\Windows\System\usKQoLY.exe
  2⤵
  PID:8428
- C:\Windows\System\VlzRZfS.exe
  C:\Windows\System\VlzRZfS.exe
  2⤵
  PID:8548
- C:\Windows\System\RQcUCPA.exe
  C:\Windows\System\RQcUCPA.exe
  2⤵
  PID:8644
- C:\Windows\System\yyBGDet.exe
  C:\Windows\System\yyBGDet.exe
  2⤵
  PID:8744
- C:\Windows\System\qamwIWL.exe
  C:\Windows\System\qamwIWL.exe
  2⤵
  PID:8764
- C:\Windows\System\biBXnfN.exe
  C:\Windows\System\biBXnfN.exe
  2⤵
  PID:9140
- C:\Windows\System\ifvYmGh.exe
  C:\Windows\System\ifvYmGh.exe
  2⤵
  PID:9112
- C:\Windows\System\VOpmUDK.exe
  C:\Windows\System\VOpmUDK.exe
  2⤵
  PID:8956
- C:\Windows\System\SUULnzL.exe
  C:\Windows\System\SUULnzL.exe
  2⤵
  PID:8508
- C:\Windows\System\xvoTtFv.exe
  C:\Windows\System\xvoTtFv.exe
  2⤵
  PID:9244
- C:\Windows\System\qspWERG.exe
  C:\Windows\System\qspWERG.exe
  2⤵
  PID:9272
- C:\Windows\System\FCBPOpk.exe
  C:\Windows\System\FCBPOpk.exe
  2⤵
  PID:9296
- C:\Windows\System\togjxQX.exe
  C:\Windows\System\togjxQX.exe
  2⤵
  PID:9316
- C:\Windows\System\lInnPuJ.exe
  C:\Windows\System\lInnPuJ.exe
  2⤵
  PID:9348
- C:\Windows\System\trrOWGE.exe
  C:\Windows\System\trrOWGE.exe
  2⤵
  PID:9392
- C:\Windows\System\OOwWCmv.exe
  C:\Windows\System\OOwWCmv.exe
  2⤵
  PID:9420
- C:\Windows\System\uQPfxgP.exe
  C:\Windows\System\uQPfxgP.exe
  2⤵
  PID:9448
- C:\Windows\System\lIKiMqL.exe
  C:\Windows\System\lIKiMqL.exe
  2⤵
  PID:9472
- C:\Windows\System\RHBMwHQ.exe
  C:\Windows\System\RHBMwHQ.exe
  2⤵
  PID:9508
- C:\Windows\System\PTpQXSe.exe
  C:\Windows\System\PTpQXSe.exe
  2⤵
  PID:9528
- C:\Windows\System\sxCunYz.exe
  C:\Windows\System\sxCunYz.exe
  2⤵
  PID:9560
- C:\Windows\System\cFdOjWm.exe
  C:\Windows\System\cFdOjWm.exe
  2⤵
  PID:9600
- C:\Windows\System\oypCkss.exe
  C:\Windows\System\oypCkss.exe
  2⤵
  PID:9632
- C:\Windows\System\dmgrher.exe
  C:\Windows\System\dmgrher.exe
  2⤵
  PID:9656
- C:\Windows\System\MnYheby.exe
  C:\Windows\System\MnYheby.exe
  2⤵
  PID:9680
- C:\Windows\System\YwEzzsB.exe
  C:\Windows\System\YwEzzsB.exe
  2⤵
  PID:9704
- C:\Windows\System\CirNmau.exe
  C:\Windows\System\CirNmau.exe
  2⤵
  PID:9732
- C:\Windows\System\AZtjGFn.exe
  C:\Windows\System\AZtjGFn.exe
  2⤵
  PID:9756
- C:\Windows\System\DKUMImZ.exe
  C:\Windows\System\DKUMImZ.exe
  2⤵
  PID:9780
- C:\Windows\System\hFgGnSz.exe
  C:\Windows\System\hFgGnSz.exe
  2⤵
  PID:9816
- C:\Windows\System\KbYFTUV.exe
  C:\Windows\System\KbYFTUV.exe
  2⤵
  PID:9840
- C:\Windows\System\TkSVLxZ.exe
  C:\Windows\System\TkSVLxZ.exe
  2⤵
  PID:9872
- C:\Windows\System\opIoDzs.exe
  C:\Windows\System\opIoDzs.exe
  2⤵
  PID:9908
- C:\Windows\System\nEFqxSa.exe
  C:\Windows\System\nEFqxSa.exe
  2⤵
  PID:9940
- C:\Windows\System\SKESUdG.exe
  C:\Windows\System\SKESUdG.exe
  2⤵
  PID:9968
- C:\Windows\System\uXocUiu.exe
  C:\Windows\System\uXocUiu.exe
  2⤵
  PID:9992
- C:\Windows\System\SnHFfmS.exe
  C:\Windows\System\SnHFfmS.exe
  2⤵
  PID:10028
- C:\Windows\System\LOgnZrb.exe
  C:\Windows\System\LOgnZrb.exe
  2⤵
  PID:10060
- C:\Windows\System\FyMcbTo.exe
  C:\Windows\System\FyMcbTo.exe
  2⤵
  PID:10088
- C:\Windows\System\mXdUbhl.exe
  C:\Windows\System\mXdUbhl.exe
  2⤵
  PID:10108
- C:\Windows\System\aqveNPR.exe
  C:\Windows\System\aqveNPR.exe
  2⤵
  PID:10136
- C:\Windows\System\SBvqfst.exe
  C:\Windows\System\SBvqfst.exe
  2⤵
  PID:10160
- C:\Windows\System\roNIUWs.exe
  C:\Windows\System\roNIUWs.exe
  2⤵
  PID:10188
- C:\Windows\System\jPuxaoq.exe
  C:\Windows\System\jPuxaoq.exe
  2⤵
  PID:10216
- C:\Windows\System\aCzFoIz.exe
  C:\Windows\System\aCzFoIz.exe
  2⤵
  PID:9100
- C:\Windows\System\UongIAG.exe
  C:\Windows\System\UongIAG.exe
  2⤵
  PID:9268
- C:\Windows\System\SaJzKhl.exe
  C:\Windows\System\SaJzKhl.exe
  2⤵
  PID:9284
- C:\Windows\System\wkDuxpI.exe
  C:\Windows\System\wkDuxpI.exe
  2⤵
  PID:9332
- C:\Windows\System\oCZCqWx.exe
  C:\Windows\System\oCZCqWx.exe
  2⤵
  PID:9428
- C:\Windows\System\RMqAMop.exe
  C:\Windows\System\RMqAMop.exe
  2⤵
  PID:9464
- C:\Windows\System\JLeUZXU.exe
  C:\Windows\System\JLeUZXU.exe
  2⤵
  PID:9580
- C:\Windows\System\zVqFOwy.exe
  C:\Windows\System\zVqFOwy.exe
  2⤵
  PID:9516
- C:\Windows\System\cEfgLBV.exe
  C:\Windows\System\cEfgLBV.exe
  2⤵
  PID:9664
- C:\Windows\System\fFAzlGh.exe
  C:\Windows\System\fFAzlGh.exe
  2⤵
  PID:7952
- C:\Windows\System\xyWVNLS.exe
  C:\Windows\System\xyWVNLS.exe
  2⤵
  PID:9824
- C:\Windows\System\RyzAcUF.exe
  C:\Windows\System\RyzAcUF.exe
  2⤵
  PID:9900
- C:\Windows\System\nDYrwNA.exe
  C:\Windows\System\nDYrwNA.exe
  2⤵
  PID:10016
- C:\Windows\System\BkgQbNv.exe
  C:\Windows\System\BkgQbNv.exe
  2⤵
  PID:10056
- C:\Windows\System\ToPoOov.exe
  C:\Windows\System\ToPoOov.exe
  2⤵
  PID:10148
- C:\Windows\System\cfuUeNt.exe
  C:\Windows\System\cfuUeNt.exe
  2⤵
  PID:10180
- C:\Windows\System\IgjCpOo.exe
  C:\Windows\System\IgjCpOo.exe
  2⤵
  PID:10176
- C:\Windows\System\wjNqkic.exe
  C:\Windows\System\wjNqkic.exe
  2⤵
  PID:9324
- C:\Windows\System\aBizmSO.exe
  C:\Windows\System\aBizmSO.exe
  2⤵
  PID:9540
- C:\Windows\System\XuLRpNo.exe
  C:\Windows\System\XuLRpNo.exe
  2⤵
  PID:9368
- C:\Windows\System\caCHnYt.exe
  C:\Windows\System\caCHnYt.exe
  2⤵
  PID:9612
- C:\Windows\System\SXoLRSO.exe
  C:\Windows\System\SXoLRSO.exe
  2⤵
  PID:9932
- C:\Windows\System\fTLHMGt.exe
  C:\Windows\System\fTLHMGt.exe
  2⤵
  PID:9956
- C:\Windows\System\eKDHEiI.exe
  C:\Windows\System\eKDHEiI.exe
  2⤵
  PID:10052
- C:\Windows\System\CMIFVdz.exe
  C:\Windows\System\CMIFVdz.exe
  2⤵
  PID:10200
- C:\Windows\System\WSdmzXe.exe
  C:\Windows\System\WSdmzXe.exe
  2⤵
  PID:9264
- C:\Windows\System\vXYsyup.exe
  C:\Windows\System\vXYsyup.exe
  2⤵
  PID:9868
- C:\Windows\System\jdPztdF.exe
  C:\Windows\System\jdPztdF.exe
  2⤵
  PID:10152
- C:\Windows\System\aRqZJUV.exe
  C:\Windows\System\aRqZJUV.exe
  2⤵
  PID:9496
- C:\Windows\System\ZlqLZRE.exe
  C:\Windows\System\ZlqLZRE.exe
  2⤵
  PID:10256
- C:\Windows\System\BzIPgsj.exe
  C:\Windows\System\BzIPgsj.exe
  2⤵
  PID:10288
- C:\Windows\System\xaGssRD.exe
  C:\Windows\System\xaGssRD.exe
  2⤵
  PID:10312
- C:\Windows\System\oFTYrKT.exe
  C:\Windows\System\oFTYrKT.exe
  2⤵
  PID:10340
- C:\Windows\System\rQGeHDJ.exe
  C:\Windows\System\rQGeHDJ.exe
  2⤵
  PID:10356
- C:\Windows\System\KhxIbEY.exe
  C:\Windows\System\KhxIbEY.exe
  2⤵
  PID:10384
- C:\Windows\System\qVbdqFp.exe
  C:\Windows\System\qVbdqFp.exe
  2⤵
  PID:10408
- C:\Windows\System\nLnOufK.exe
  C:\Windows\System\nLnOufK.exe
  2⤵
  PID:10444
- C:\Windows\System\kMSddkh.exe
  C:\Windows\System\kMSddkh.exe
  2⤵
  PID:10476
- C:\Windows\System\ZUqIiQH.exe
  C:\Windows\System\ZUqIiQH.exe
  2⤵
  PID:10504
- C:\Windows\System\mPaeRgz.exe
  C:\Windows\System\mPaeRgz.exe
  2⤵
  PID:10528
- C:\Windows\System\RBZTYsL.exe
  C:\Windows\System\RBZTYsL.exe
  2⤵
  PID:10556
- C:\Windows\System\bfgZCkm.exe
  C:\Windows\System\bfgZCkm.exe
  2⤵
  PID:10584
- C:\Windows\System\weweZlR.exe
  C:\Windows\System\weweZlR.exe
  2⤵
  PID:10600
- C:\Windows\System\jAznoJN.exe
  C:\Windows\System\jAznoJN.exe
  2⤵
  PID:10624
- C:\Windows\System\zPaJzDn.exe
  C:\Windows\System\zPaJzDn.exe
  2⤵
  PID:10648
- C:\Windows\System\mhxABzn.exe
  C:\Windows\System\mhxABzn.exe
  2⤵
  PID:10680
- C:\Windows\System\nCPilLz.exe
  C:\Windows\System\nCPilLz.exe
  2⤵
  PID:10708
- C:\Windows\System\mslrRqD.exe
  C:\Windows\System\mslrRqD.exe
  2⤵
  PID:10740
- C:\Windows\System\UhRaSyC.exe
  C:\Windows\System\UhRaSyC.exe
  2⤵
  PID:10776
- C:\Windows\System\zojyOvq.exe
  C:\Windows\System\zojyOvq.exe
  2⤵
  PID:10792
- C:\Windows\System\ZZcCwLV.exe
  C:\Windows\System\ZZcCwLV.exe
  2⤵
  PID:10820
- C:\Windows\System\VarCYkM.exe
  C:\Windows\System\VarCYkM.exe
  2⤵
  PID:10848
- C:\Windows\System\bTKSIeH.exe
  C:\Windows\System\bTKSIeH.exe
  2⤵
  PID:10872
- C:\Windows\System\uwIBVMa.exe
  C:\Windows\System\uwIBVMa.exe
  2⤵
  PID:10900
- C:\Windows\System\LvtBdCD.exe
  C:\Windows\System\LvtBdCD.exe
  2⤵
  PID:10920
- C:\Windows\System\GrncuEc.exe
  C:\Windows\System\GrncuEc.exe
  2⤵
  PID:10936
- C:\Windows\System\WNtBFxn.exe
  C:\Windows\System\WNtBFxn.exe
  2⤵
  PID:10960
- C:\Windows\System\LTNRrpP.exe
  C:\Windows\System\LTNRrpP.exe
  2⤵
  PID:10988
- C:\Windows\System\ZxIhPXB.exe
  C:\Windows\System\ZxIhPXB.exe
  2⤵
  PID:11024
- C:\Windows\System\WUzRTDc.exe
  C:\Windows\System\WUzRTDc.exe
  2⤵
  PID:11044
- C:\Windows\System\kGsdPcf.exe
  C:\Windows\System\kGsdPcf.exe
  2⤵
  PID:11072
- C:\Windows\System\KDuEAwL.exe
  C:\Windows\System\KDuEAwL.exe
  2⤵
  PID:11100
- C:\Windows\System\eowuFxm.exe
  C:\Windows\System\eowuFxm.exe
  2⤵
  PID:11128
- C:\Windows\System\ChTbUAh.exe
  C:\Windows\System\ChTbUAh.exe
  2⤵
  PID:11152
- C:\Windows\System\fYtahIH.exe
  C:\Windows\System\fYtahIH.exe
  2⤵
  PID:11176
- C:\Windows\System\VHQwUNi.exe
  C:\Windows\System\VHQwUNi.exe
  2⤵
  PID:11204
- C:\Windows\System\ZpQBJBk.exe
  C:\Windows\System\ZpQBJBk.exe
  2⤵
  PID:11232
- C:\Windows\System\znmblJc.exe
  C:\Windows\System\znmblJc.exe
  2⤵
  PID:9524
- C:\Windows\System\vqaFKfm.exe
  C:\Windows\System\vqaFKfm.exe
  2⤵
  PID:9800
- C:\Windows\System\zywYIAG.exe
  C:\Windows\System\zywYIAG.exe
  2⤵
  PID:10300
- C:\Windows\System\XeewWOG.exe
  C:\Windows\System\XeewWOG.exe
  2⤵
  PID:10456
- C:\Windows\System\vuZuCgy.exe
  C:\Windows\System\vuZuCgy.exe
  2⤵
  PID:10460
- C:\Windows\System\BXanRud.exe
  C:\Windows\System\BXanRud.exe
  2⤵
  PID:10492
- C:\Windows\System\HrxBBSP.exe
  C:\Windows\System\HrxBBSP.exe
  2⤵
  PID:10592
- C:\Windows\System\QxRKlXZ.exe
  C:\Windows\System\QxRKlXZ.exe
  2⤵
  PID:10676
- C:\Windows\System\NOtECiW.exe
  C:\Windows\System\NOtECiW.exe
  2⤵
  PID:10732
- C:\Windows\System\hxmNZFy.exe
  C:\Windows\System\hxmNZFy.exe
  2⤵
  PID:10760
- C:\Windows\System\oRaAKJv.exe
  C:\Windows\System\oRaAKJv.exe
  2⤵
  PID:10784
- C:\Windows\System\bgjfflx.exe
  C:\Windows\System\bgjfflx.exe
  2⤵
  PID:10944
- C:\Windows\System\VxKNAyh.exe
  C:\Windows\System\VxKNAyh.exe
  2⤵
  PID:11036
- C:\Windows\System\MUHYiNt.exe
  C:\Windows\System\MUHYiNt.exe
  2⤵
  PID:11092
- C:\Windows\System\NBoQcCo.exe
  C:\Windows\System\NBoQcCo.exe
  2⤵
  PID:11140
- C:\Windows\System\CkSjWDl.exe
  C:\Windows\System\CkSjWDl.exe
  2⤵
  PID:10972
- C:\Windows\System\hLZcvRZ.exe
  C:\Windows\System\hLZcvRZ.exe
  2⤵
  PID:10248
- C:\Windows\System\gJgRyFv.exe
  C:\Windows\System\gJgRyFv.exe
  2⤵
  PID:9672
- C:\Windows\System\rJKSUUm.exe
  C:\Windows\System\rJKSUUm.exe
  2⤵
  PID:10552
- C:\Windows\System\aGXSjOS.exe
  C:\Windows\System\aGXSjOS.exe
  2⤵
  PID:10280
- C:\Windows\System\fvPrIug.exe
  C:\Windows\System\fvPrIug.exe
  2⤵
  PID:10576
- C:\Windows\System\vOXXoWh.exe
  C:\Windows\System\vOXXoWh.exe
  2⤵
  PID:10828
- C:\Windows\System\bEsnYAZ.exe
  C:\Windows\System\bEsnYAZ.exe
  2⤵
  PID:10808
- C:\Windows\System\eIcTKKD.exe
  C:\Windows\System\eIcTKKD.exe
  2⤵
  PID:10804
- C:\Windows\System\GjHkgez.exe
  C:\Windows\System\GjHkgez.exe
  2⤵
  PID:11148
- C:\Windows\System\LUKmvxL.exe
  C:\Windows\System\LUKmvxL.exe
  2⤵
  PID:10660
- C:\Windows\System\JylPguH.exe
  C:\Windows\System\JylPguH.exe
  2⤵
  PID:10976
- C:\Windows\System\VuLzuIi.exe
  C:\Windows\System\VuLzuIi.exe
  2⤵
  PID:11288
- C:\Windows\System\iCjHuJa.exe
  C:\Windows\System\iCjHuJa.exe
  2⤵
  PID:11324
- C:\Windows\System\cpDxLVO.exe
  C:\Windows\System\cpDxLVO.exe
  2⤵
  PID:11352
- C:\Windows\System\mmDnvgi.exe
  C:\Windows\System\mmDnvgi.exe
  2⤵
  PID:11380
- C:\Windows\System\WthJYzx.exe
  C:\Windows\System\WthJYzx.exe
  2⤵
  PID:11408
- C:\Windows\System\poOgnaV.exe
  C:\Windows\System\poOgnaV.exe
  2⤵
  PID:11432
- C:\Windows\System\vniJkiK.exe
  C:\Windows\System\vniJkiK.exe
  2⤵
  PID:11464
- C:\Windows\System\YnmBpQV.exe
  C:\Windows\System\YnmBpQV.exe
  2⤵
  PID:11484
- C:\Windows\System\GNYUeWs.exe
  C:\Windows\System\GNYUeWs.exe
  2⤵
  PID:11508
- C:\Windows\System\TyCegml.exe
  C:\Windows\System\TyCegml.exe
  2⤵
  PID:11540
- C:\Windows\System\arNZCGN.exe
  C:\Windows\System\arNZCGN.exe
  2⤵
  PID:11572
- C:\Windows\System\HaLPwec.exe
  C:\Windows\System\HaLPwec.exe
  2⤵
  PID:11600
- C:\Windows\System\pgnVxuw.exe
  C:\Windows\System\pgnVxuw.exe
  2⤵
  PID:11628
- C:\Windows\System\qzHIiWe.exe
  C:\Windows\System\qzHIiWe.exe
  2⤵
  PID:11644
- C:\Windows\System\VkPbIDN.exe
  C:\Windows\System\VkPbIDN.exe
  2⤵
  PID:11672
- C:\Windows\System\qhjDyTR.exe
  C:\Windows\System\qhjDyTR.exe
  2⤵
  PID:11704
- C:\Windows\System\kKDHbMC.exe
  C:\Windows\System\kKDHbMC.exe
  2⤵
  PID:11724
- C:\Windows\System\mGJSIrI.exe
  C:\Windows\System\mGJSIrI.exe
  2⤵
  PID:11756
- C:\Windows\System\yzQVzIq.exe
  C:\Windows\System\yzQVzIq.exe
  2⤵
  PID:11784
- C:\Windows\System\MVipVaa.exe
  C:\Windows\System\MVipVaa.exe
  2⤵
  PID:11804
- C:\Windows\System\KtmWaFT.exe
  C:\Windows\System\KtmWaFT.exe
  2⤵
  PID:11824
- C:\Windows\System\srSvjAf.exe
  C:\Windows\System\srSvjAf.exe
  2⤵
  PID:11848
- C:\Windows\System\HrSLOZo.exe
  C:\Windows\System\HrSLOZo.exe
  2⤵
  PID:11884
- C:\Windows\System\lrlsPUh.exe
  C:\Windows\System\lrlsPUh.exe
  2⤵
  PID:11900
- C:\Windows\System\XwoIHhc.exe
  C:\Windows\System\XwoIHhc.exe
  2⤵
  PID:11936
- C:\Windows\System\hNtLNyb.exe
  C:\Windows\System\hNtLNyb.exe
  2⤵
  PID:11960
- C:\Windows\System\fLVNSHT.exe
  C:\Windows\System\fLVNSHT.exe
  2⤵
  PID:11988
- C:\Windows\System\eRdhdzF.exe
  C:\Windows\System\eRdhdzF.exe
  2⤵
  PID:12016
- C:\Windows\System\rlLyyqr.exe
  C:\Windows\System\rlLyyqr.exe
  2⤵
  PID:12052
- C:\Windows\System\GUZTtKZ.exe
  C:\Windows\System\GUZTtKZ.exe
  2⤵
  PID:12080
- C:\Windows\System\ZrQTRwu.exe
  C:\Windows\System\ZrQTRwu.exe
  2⤵
  PID:12108
- C:\Windows\System\aEqHMCQ.exe
  C:\Windows\System\aEqHMCQ.exe
  2⤵
  PID:12132
- C:\Windows\System\mTsGEqr.exe
  C:\Windows\System\mTsGEqr.exe
  2⤵
  PID:12164
- C:\Windows\System\CNLsGgJ.exe
  C:\Windows\System\CNLsGgJ.exe
  2⤵
  PID:12188
- C:\Windows\System\teHgwyh.exe
  C:\Windows\System\teHgwyh.exe
  2⤵
  PID:12216
- C:\Windows\System\QAemoyv.exe
  C:\Windows\System\QAemoyv.exe
  2⤵
  PID:12248
- C:\Windows\System\pyiNAxk.exe
  C:\Windows\System\pyiNAxk.exe
  2⤵
  PID:12272
- C:\Windows\System\TdmlMfO.exe
  C:\Windows\System\TdmlMfO.exe
  2⤵
  PID:10928
- C:\Windows\System\THCflIh.exe
  C:\Windows\System\THCflIh.exe
  2⤵
  PID:10568
- C:\Windows\System\IXbZTfS.exe
  C:\Windows\System\IXbZTfS.exe
  2⤵
  PID:10332
- C:\Windows\System\ClLUCXf.exe
  C:\Windows\System\ClLUCXf.exe
  2⤵
  PID:11268
- C:\Windows\System\xJfSjcv.exe
  C:\Windows\System\xJfSjcv.exe
  2⤵
  PID:11456
- C:\Windows\System\muvPpBt.exe
  C:\Windows\System\muvPpBt.exe
  2⤵
  PID:11596
- C:\Windows\System\JrxSWCr.exe
  C:\Windows\System\JrxSWCr.exe
  2⤵
  PID:11612
- C:\Windows\System\wiDuOMU.exe
  C:\Windows\System\wiDuOMU.exe
  2⤵
  PID:11692
- C:\Windows\System\pWYBfqP.exe
  C:\Windows\System\pWYBfqP.exe
  2⤵
  PID:11780
- C:\Windows\System\eVWgqAc.exe
  C:\Windows\System\eVWgqAc.exe
  2⤵
  PID:11744
- C:\Windows\System\vRxtEam.exe
  C:\Windows\System\vRxtEam.exe
  2⤵
  PID:11912
- C:\Windows\System\cYwGRcW.exe
  C:\Windows\System\cYwGRcW.exe
  2⤵
  PID:11792
- C:\Windows\System\gCNlTHb.exe
  C:\Windows\System\gCNlTHb.exe
  2⤵
  PID:12072
- C:\Windows\System\rMozhpA.exe
  C:\Windows\System\rMozhpA.exe
  2⤵
  PID:12000
- C:\Windows\System\QcVYriM.exe
  C:\Windows\System\QcVYriM.exe
  2⤵
  PID:12092
- C:\Windows\System\UsyylXB.exe
  C:\Windows\System\UsyylXB.exe
  2⤵
  PID:12280
- C:\Windows\System\oNhkPWt.exe
  C:\Windows\System\oNhkPWt.exe
  2⤵
  PID:11300
- C:\Windows\System\ymShWGO.exe
  C:\Windows\System\ymShWGO.exe
  2⤵
  PID:11308
- C:\Windows\System\ImluRCU.exe
  C:\Windows\System\ImluRCU.exe
  2⤵
  PID:11192
- C:\Windows\System\oVYpJXa.exe
  C:\Windows\System\oVYpJXa.exe
  2⤵
  PID:11556
- C:\Windows\System\DFnRtxF.exe
  C:\Windows\System\DFnRtxF.exe
  2⤵
  PID:12028
- C:\Windows\System\HoPJuIT.exe
  C:\Windows\System\HoPJuIT.exe
  2⤵
  PID:12212
- C:\Windows\System\jbujkrN.exe
  C:\Windows\System\jbujkrN.exe
  2⤵
  PID:11980
- C:\Windows\System\PnzhFtJ.exe
  C:\Windows\System\PnzhFtJ.exe
  2⤵
  PID:12284
- C:\Windows\System\wyVOZYg.exe
  C:\Windows\System\wyVOZYg.exe
  2⤵
  PID:10772
- C:\Windows\System\eYiFZlf.exe
  C:\Windows\System\eYiFZlf.exe
  2⤵
  PID:12308
- C:\Windows\System\lfBkJBW.exe
  C:\Windows\System\lfBkJBW.exe
  2⤵
  PID:12348
- C:\Windows\System\tdfhqmd.exe
  C:\Windows\System\tdfhqmd.exe
  2⤵
  PID:12372
- C:\Windows\System\ClrhYdz.exe
  C:\Windows\System\ClrhYdz.exe
  2⤵
  PID:12408
- C:\Windows\System\PklnlNk.exe
  C:\Windows\System\PklnlNk.exe
  2⤵
  PID:12516
- C:\Windows\System\YSUWPtc.exe
  C:\Windows\System\YSUWPtc.exe
  2⤵
  PID:12532
- C:\Windows\System\THRBCdM.exe
  C:\Windows\System\THRBCdM.exe
  2⤵
  PID:12552
- C:\Windows\System\NuDYbYF.exe
  C:\Windows\System\NuDYbYF.exe
  2⤵
  PID:12576
- C:\Windows\System\oZPKZQr.exe
  C:\Windows\System\oZPKZQr.exe
  2⤵
  PID:12596
- C:\Windows\System\fXkaetJ.exe
  C:\Windows\System\fXkaetJ.exe
  2⤵
  PID:12628
- C:\Windows\System\nlPtQCp.exe
  C:\Windows\System\nlPtQCp.exe
  2⤵
  PID:12656
- C:\Windows\System\OaeVHPp.exe
  C:\Windows\System\OaeVHPp.exe
  2⤵
  PID:12680
- C:\Windows\System\cGHffiu.exe
  C:\Windows\System\cGHffiu.exe
  2⤵
  PID:12696
- C:\Windows\System\WWZrPMC.exe
  C:\Windows\System\WWZrPMC.exe
  2⤵
  PID:12720
- C:\Windows\System\NExqCmo.exe
  C:\Windows\System\NExqCmo.exe
  2⤵
  PID:12748
- C:\Windows\System\YVMRCFC.exe
  C:\Windows\System\YVMRCFC.exe
  2⤵
  PID:12780
- C:\Windows\System\degcRSE.exe
  C:\Windows\System\degcRSE.exe
  2⤵
  PID:12812
- C:\Windows\System\NZzaYNm.exe
  C:\Windows\System\NZzaYNm.exe
  2⤵
  PID:12836
- C:\Windows\System\ZyNQWYA.exe
  C:\Windows\System\ZyNQWYA.exe
  2⤵
  PID:12868
- C:\Windows\System\kVMDXfO.exe
  C:\Windows\System\kVMDXfO.exe
  2⤵
  PID:12900
- C:\Windows\System\jQgEFbR.exe
  C:\Windows\System\jQgEFbR.exe
  2⤵
  PID:12916
- C:\Windows\System\yzbaBWv.exe
  C:\Windows\System\yzbaBWv.exe
  2⤵
  PID:12944
- C:\Windows\System\OCrsHvu.exe
  C:\Windows\System\OCrsHvu.exe
  2⤵
  PID:12972
- C:\Windows\System\zcKVoWs.exe
  C:\Windows\System\zcKVoWs.exe
  2⤵
  PID:13004
- C:\Windows\System\qpuzfrC.exe
  C:\Windows\System\qpuzfrC.exe
  2⤵
  PID:13024
- C:\Windows\System\VCvMDqL.exe
  C:\Windows\System\VCvMDqL.exe
  2⤵
  PID:13056
- C:\Windows\System\IYboQJT.exe
  C:\Windows\System\IYboQJT.exe
  2⤵
  PID:13088
- C:\Windows\System\tAOlkje.exe
  C:\Windows\System\tAOlkje.exe
  2⤵
  PID:13104
- C:\Windows\System\PoxtsOy.exe
  C:\Windows\System\PoxtsOy.exe
  2⤵
  PID:13128
- C:\Windows\System\KBlccpX.exe
  C:\Windows\System\KBlccpX.exe
  2⤵
  PID:13148
- C:\Windows\System\HDSkiKi.exe
  C:\Windows\System\HDSkiKi.exe
  2⤵
  PID:13172
- C:\Windows\System\zQhZlXO.exe
  C:\Windows\System\zQhZlXO.exe
  2⤵
  PID:13200
- C:\Windows\System\fCcETIP.exe
  C:\Windows\System\fCcETIP.exe
  2⤵
  PID:13232
- C:\Windows\System\aJquiqJ.exe
  C:\Windows\System\aJquiqJ.exe
  2⤵
  PID:13248
- C:\Windows\System\GJNlptH.exe
  C:\Windows\System\GJNlptH.exe
  2⤵
  PID:13280
- C:\Windows\System\RarXEIL.exe
  C:\Windows\System\RarXEIL.exe
  2⤵
  PID:11732
- C:\Windows\System\KQzjFKH.exe
  C:\Windows\System\KQzjFKH.exe
  2⤵
  PID:11768
- C:\Windows\System\FSaLpWW.exe
  C:\Windows\System\FSaLpWW.exe
  2⤵
  PID:11928
- C:\Windows\System\EAvgYFF.exe
  C:\Windows\System\EAvgYFF.exe
  2⤵
  PID:12304
- C:\Windows\System\nzPjBGz.exe
  C:\Windows\System\nzPjBGz.exe
  2⤵
  PID:12416
- C:\Windows\System\NyeTwQF.exe
  C:\Windows\System\NyeTwQF.exe
  2⤵
  PID:12496
- C:\Windows\System\pVXGvnt.exe
  C:\Windows\System\pVXGvnt.exe
  2⤵
  PID:12548
- C:\Windows\System\JrQpXKv.exe
  C:\Windows\System\JrQpXKv.exe
  2⤵
  PID:12608
- C:\Windows\System\ReQUUHd.exe
  C:\Windows\System\ReQUUHd.exe
  2⤵
  PID:12648
- C:\Windows\System\sMxYfJk.exe
  C:\Windows\System\sMxYfJk.exe
  2⤵
  PID:12736
- C:\Windows\System\RchajdE.exe
  C:\Windows\System\RchajdE.exe
  2⤵
  PID:12796
- C:\Windows\System\bBkMPgE.exe
  C:\Windows\System\bBkMPgE.exe
  2⤵
  PID:12860
- C:\Windows\System\yGsDWDu.exe
  C:\Windows\System\yGsDWDu.exe
  2⤵
  PID:12892
- C:\Windows\System\ZvGTgfw.exe
  C:\Windows\System\ZvGTgfw.exe
  2⤵
  PID:12960
- C:\Windows\System\WlFWzJU.exe
  C:\Windows\System\WlFWzJU.exe
  2⤵
  PID:12936
- C:\Windows\System\NYeOqYy.exe
  C:\Windows\System\NYeOqYy.exe
  2⤵
  PID:13076
- C:\Windows\System\dTkMGzd.exe
  C:\Windows\System\dTkMGzd.exe
  2⤵
  PID:13164
- C:\Windows\System\jXajTzH.exe
  C:\Windows\System\jXajTzH.exe
  2⤵
  PID:13140
- C:\Windows\System\WRObmNq.exe
  C:\Windows\System\WRObmNq.exe
  2⤵
  PID:13264
- C:\Windows\System\wKlstOS.exe
  C:\Windows\System\wKlstOS.exe
  2⤵
  PID:13240
- C:\Windows\System\rWJsShc.exe
  C:\Windows\System\rWJsShc.exe
  2⤵
  PID:12400
- C:\Windows\System\isEAtKS.exe
  C:\Windows\System\isEAtKS.exe
  2⤵
  PID:12464
- C:\Windows\System\ivSiAbS.exe
  C:\Windows\System\ivSiAbS.exe
  2⤵
  PID:12008
- C:\Windows\System\TrWeNyG.exe
  C:\Windows\System\TrWeNyG.exe
  2⤵
  PID:12668
- C:\Windows\System\kRGyagH.exe
  C:\Windows\System\kRGyagH.exe
  2⤵
  PID:13016
- C:\Windows\System\DRIwJIw.exe
  C:\Windows\System\DRIwJIw.exe
  2⤵
  PID:13100
- C:\Windows\System\UkzNNPG.exe
  C:\Windows\System\UkzNNPG.exe
  2⤵
  PID:12956
- C:\Windows\System\CMxBNQh.exe
  C:\Windows\System\CMxBNQh.exe
  2⤵
  PID:11320
- C:\Windows\System\DHnhBgM.exe
  C:\Windows\System\DHnhBgM.exe
  2⤵
  PID:12388
- C:\Windows\System\YCZvbRg.exe
  C:\Windows\System\YCZvbRg.exe
  2⤵
  PID:13332
- C:\Windows\System\NQiRUeE.exe
  C:\Windows\System\NQiRUeE.exe
  2⤵
  PID:13348
- C:\Windows\System\ZvlPBOD.exe
  C:\Windows\System\ZvlPBOD.exe
  2⤵
  PID:13368
- C:\Windows\System\glSFOwd.exe
  C:\Windows\System\glSFOwd.exe
  2⤵
  PID:13384
- C:\Windows\System\nYvWxMS.exe
  C:\Windows\System\nYvWxMS.exe
  2⤵
  PID:13416
- C:\Windows\System\kLPVkxD.exe
  C:\Windows\System\kLPVkxD.exe
  2⤵
  PID:13444
- C:\Windows\System\XGAHHWf.exe
  C:\Windows\System\XGAHHWf.exe
  2⤵
  PID:13476
- C:\Windows\System\NQwBlhM.exe
  C:\Windows\System\NQwBlhM.exe
  2⤵
  PID:13492
- C:\Windows\System\vxkKTSS.exe
  C:\Windows\System\vxkKTSS.exe
  2⤵
  PID:13524
- C:\Windows\System\LRerqMD.exe
  C:\Windows\System\LRerqMD.exe
  2⤵
  PID:13556
- C:\Windows\System\nVzaFHJ.exe
  C:\Windows\System\nVzaFHJ.exe
  2⤵
  PID:13580
- C:\Windows\System\zHUzage.exe
  C:\Windows\System\zHUzage.exe
  2⤵
  PID:13608
- C:\Windows\System\VApqafz.exe
  C:\Windows\System\VApqafz.exe
  2⤵
  PID:13628
- C:\Windows\System\XsqKtFB.exe
  C:\Windows\System\XsqKtFB.exe
  2⤵
  PID:13648
- C:\Windows\System\rpyKvKR.exe
  C:\Windows\System\rpyKvKR.exe
  2⤵
  PID:13672
- C:\Windows\System\fDHzHVd.exe
  C:\Windows\System\fDHzHVd.exe
  2⤵
  PID:13696
- C:\Windows\System\XjnIiAc.exe
  C:\Windows\System\XjnIiAc.exe
  2⤵
  PID:13924
- C:\Windows\System\YZnmdpR.exe
  C:\Windows\System\YZnmdpR.exe
  2⤵
  PID:13940
- C:\Windows\System\SpYiwZm.exe
  C:\Windows\System\SpYiwZm.exe
  2⤵
  PID:13960
- C:\Windows\System\kVxcygF.exe
  C:\Windows\System\kVxcygF.exe
  2⤵
  PID:13984
- C:\Windows\System\ZtpUizv.exe
  C:\Windows\System\ZtpUizv.exe
  2⤵
  PID:14000
- C:\Windows\System\LSPSINm.exe
  C:\Windows\System\LSPSINm.exe
  2⤵
  PID:14016
- C:\Windows\System\jkcJxJa.exe
  C:\Windows\System\jkcJxJa.exe
  2⤵
  PID:14044
- C:\Windows\System\RxfAEeF.exe
  C:\Windows\System\RxfAEeF.exe
  2⤵
  PID:14080
- C:\Windows\System\DUoBRlU.exe
  C:\Windows\System\DUoBRlU.exe
  2⤵
  PID:14100
- C:\Windows\System\kleMpFd.exe
  C:\Windows\System\kleMpFd.exe
  2⤵
  PID:14124
- C:\Windows\System\dUQBLny.exe
  C:\Windows\System\dUQBLny.exe
  2⤵
  PID:14152
- C:\Windows\System\EdbxncL.exe
  C:\Windows\System\EdbxncL.exe
  2⤵
  PID:14180
- C:\Windows\System\slLvdLE.exe
  C:\Windows\System\slLvdLE.exe
  2⤵
  PID:14208
- C:\Windows\System\xXIBbej.exe
  C:\Windows\System\xXIBbej.exe
  2⤵
  PID:14240
- C:\Windows\System\NvwuSce.exe
  C:\Windows\System\NvwuSce.exe
  2⤵
  PID:14264
- C:\Windows\System\skWNPaG.exe
  C:\Windows\System\skWNPaG.exe
  2⤵
  PID:14288
- C:\Windows\System\IvKbRIs.exe
  C:\Windows\System\IvKbRIs.exe
  2⤵
  PID:14312
- C:\Windows\System\PRwWang.exe
  C:\Windows\System\PRwWang.exe
  2⤵
  PID:13288
- C:\Windows\System\uHHyZBD.exe
  C:\Windows\System\uHHyZBD.exe
  2⤵
  PID:12732
- C:\Windows\System\ihdRmrh.exe
  C:\Windows\System\ihdRmrh.exe
  2⤵
  PID:13324
- C:\Windows\System\cRhGYfA.exe
  C:\Windows\System\cRhGYfA.exe
  2⤵
  PID:12356
- C:\Windows\System\ACVvdyO.exe
  C:\Windows\System\ACVvdyO.exe
  2⤵
  PID:13400
- C:\Windows\System\BoLGktz.exe
  C:\Windows\System\BoLGktz.exe
  2⤵
  PID:13484
- C:\Windows\System\blKKvHs.exe
  C:\Windows\System\blKKvHs.exe
  2⤵
  PID:13544
- C:\Windows\System\eHoqQcO.exe
  C:\Windows\System\eHoqQcO.exe
  2⤵
  PID:13380
- C:\Windows\System\HxZPuNf.exe
  C:\Windows\System\HxZPuNf.exe
  2⤵
  PID:13512
- C:\Windows\System\zNXzyev.exe
  C:\Windows\System\zNXzyev.exe
  2⤵
  PID:13576
- C:\Windows\System\DFElZGc.exe
  C:\Windows\System\DFElZGc.exe
  2⤵
  PID:13664
- C:\Windows\System\BqsuTvC.exe
  C:\Windows\System\BqsuTvC.exe
  2⤵
  PID:13764
- C:\Windows\System\PPTULJS.exe
  C:\Windows\System\PPTULJS.exe
  2⤵
  PID:13884
- C:\Windows\System\Aphykja.exe
  C:\Windows\System\Aphykja.exe
  2⤵
  PID:13936
- C:\Windows\System\vStZPaV.exe
  C:\Windows\System\vStZPaV.exe
  2⤵
  PID:14008
- C:\Windows\System\miKIpmt.exe
  C:\Windows\System\miKIpmt.exe
  2⤵
  PID:14028
- C:\Windows\System\iUiwxmi.exe
  C:\Windows\System\iUiwxmi.exe
  2⤵
  PID:14096
- C:\Windows\System\GbBCZqF.exe
  C:\Windows\System\GbBCZqF.exe
  2⤵
  PID:14168
- C:\Windows\System\VTpCufh.exe
  C:\Windows\System\VTpCufh.exe
  2⤵
  PID:14204
- C:\Windows\System\vqCjCvF.exe
  C:\Windows\System\vqCjCvF.exe
  2⤵
  PID:13300
- C:\Windows\System\WHWgWYZ.exe
  C:\Windows\System\WHWgWYZ.exe
  2⤵
  PID:14280
- C:\Windows\System\WNXcICR.exe
  C:\Windows\System\WNXcICR.exe
  2⤵
  PID:12472
- C:\Windows\System\iDvBuhD.exe
  C:\Windows\System\iDvBuhD.exe
  2⤵
  PID:12068
- C:\Windows\System\MIIqBNU.exe
  C:\Windows\System\MIIqBNU.exe
  2⤵
  PID:13724
- C:\Windows\System\MEXjdJT.exe
  C:\Windows\System\MEXjdJT.exe
  2⤵
  PID:13536
- C:\Windows\System\GpBOGLI.exe
  C:\Windows\System\GpBOGLI.exe
  2⤵
  PID:13708
- C:\Windows\System\UTUpfDH.exe
  C:\Windows\System\UTUpfDH.exe
  2⤵
  PID:14040
- C:\Windows\System\ImWcbig.exe
  C:\Windows\System\ImWcbig.exe
  2⤵
  PID:14148
- C:\Windows\System\IevSeiJ.exe
  C:\Windows\System\IevSeiJ.exe
  2⤵
  PID:13712
- C:\Windows\System\MemIdby.exe
  C:\Windows\System\MemIdby.exe
  2⤵
  PID:14092
- C:\Windows\System\VRaoOJI.exe
  C:\Windows\System\VRaoOJI.exe
  2⤵
  PID:13732
- C:\Windows\System\XOzMOID.exe
  C:\Windows\System\XOzMOID.exe
  2⤵
  PID:13784
- C:\Windows\System\GcFzFgZ.exe
  C:\Windows\System\GcFzFgZ.exe
  2⤵
  PID:13328
- C:\Windows\System\hRnClnw.exe
  C:\Windows\System\hRnClnw.exe
  2⤵
  PID:14368
- C:\Windows\System\sjcYEjA.exe
  C:\Windows\System\sjcYEjA.exe
  2⤵
  PID:14384
- C:\Windows\System\nbTavkW.exe
  C:\Windows\System\nbTavkW.exe
  2⤵
  PID:14400
- C:\Windows\System\jGualJD.exe
  C:\Windows\System\jGualJD.exe
  2⤵
  PID:14416
- C:\Windows\System\VrZEJwk.exe
  C:\Windows\System\VrZEJwk.exe
  2⤵
  PID:14432
- C:\Windows\System\JCfChGG.exe
  C:\Windows\System\JCfChGG.exe
  2⤵
  PID:14468
- C:\Windows\System\xvAAQEF.exe
  C:\Windows\System\xvAAQEF.exe
  2⤵
  PID:14496
- C:\Windows\System\qImBDJR.exe
  C:\Windows\System\qImBDJR.exe
  2⤵
  PID:14528
- C:\Windows\System\gBhEnqw.exe
  C:\Windows\System\gBhEnqw.exe
  2⤵
  PID:14548
- C:\Windows\System\qLqzFxf.exe
  C:\Windows\System\qLqzFxf.exe
  2⤵
  PID:14564
- C:\Windows\System\rpBOIWP.exe
  C:\Windows\System\rpBOIWP.exe
  2⤵
  PID:14592
- C:\Windows\System\zgGbUau.exe
  C:\Windows\System\zgGbUau.exe
  2⤵
  PID:14620
- C:\Windows\System\PYWcUhT.exe
  C:\Windows\System\PYWcUhT.exe
  2⤵
  PID:14648
- C:\Windows\System\yIrRneb.exe
  C:\Windows\System\yIrRneb.exe
  2⤵
  PID:14684
- C:\Windows\System\rJCykjG.exe
  C:\Windows\System\rJCykjG.exe
  2⤵
  PID:14712
- C:\Windows\System\HAJyTLE.exe
  C:\Windows\System\HAJyTLE.exe
  2⤵
  PID:14736
- C:\Windows\System\zwcZYrn.exe
  C:\Windows\System\zwcZYrn.exe
  2⤵
  PID:14772
- C:\Windows\System\XwmCpLl.exe
  C:\Windows\System\XwmCpLl.exe
  2⤵
  PID:14800
- C:\Windows\System\HyOVUOY.exe
  C:\Windows\System\HyOVUOY.exe
  2⤵
  PID:14824
- C:\Windows\System\ScfFQQd.exe
  C:\Windows\System\ScfFQQd.exe
  2⤵
  PID:14852
- C:\Windows\System\yNbJDOn.exe
  C:\Windows\System\yNbJDOn.exe
  2⤵
  PID:14888
- C:\Windows\System\oiVTRDJ.exe
  C:\Windows\System\oiVTRDJ.exe
  2⤵
  PID:14920
- C:\Windows\System\DRWuqfA.exe
  C:\Windows\System\DRWuqfA.exe
  2⤵
  PID:14936
- C:\Windows\System\UoqZBid.exe
  C:\Windows\System\UoqZBid.exe
  2⤵
  PID:14964
- C:\Windows\System\agSWouE.exe
  C:\Windows\System\agSWouE.exe
  2⤵
  PID:14988
- C:\Windows\System\dIOASct.exe
  C:\Windows\System\dIOASct.exe
  2⤵
  PID:15008
- C:\Windows\System\kGOJAlu.exe
  C:\Windows\System\kGOJAlu.exe
  2⤵
  PID:15036
- C:\Windows\System\KOxiqfM.exe
  C:\Windows\System\KOxiqfM.exe
  2⤵
  PID:15064
- C:\Windows\System\WIgGeHs.exe
  C:\Windows\System\WIgGeHs.exe
  2⤵
  PID:15096
- C:\Windows\System\sPwcsSN.exe
  C:\Windows\System\sPwcsSN.exe
  2⤵
  PID:15120
- C:\Windows\System\PxTlMTL.exe
  C:\Windows\System\PxTlMTL.exe
  2⤵
  PID:15156
- C:\Windows\System\jhDKoCv.exe
  C:\Windows\System\jhDKoCv.exe
  2⤵
  PID:15188
- C:\Windows\System\zdafSzZ.exe
  C:\Windows\System\zdafSzZ.exe
  2⤵
  PID:15208
- C:\Windows\System\BajZIpU.exe
  C:\Windows\System\BajZIpU.exe
  2⤵
  PID:15252
- C:\Windows\System\ahLFZWs.exe
  C:\Windows\System\ahLFZWs.exe
  2⤵
  PID:15284
- C:\Windows\System\pEfxCVm.exe
  C:\Windows\System\pEfxCVm.exe
  2⤵
  PID:15300
- C:\Windows\System\IGfiLoL.exe
  C:\Windows\System\IGfiLoL.exe
  2⤵
  PID:15320
- C:\Windows\System\nuRlASI.exe
  C:\Windows\System\nuRlASI.exe
  2⤵
  PID:15348
- C:\Windows\System\NBqbDrY.exe
  C:\Windows\System\NBqbDrY.exe
  2⤵
  PID:13436
- C:\Windows\System\lSLxqIV.exe
  C:\Windows\System\lSLxqIV.exe
  2⤵
  PID:12912
- C:\Windows\System\qCTpcsO.exe
  C:\Windows\System\qCTpcsO.exe
  2⤵
  PID:14328
- C:\Windows\System\EFvdeAI.exe
  C:\Windows\System\EFvdeAI.exe
  2⤵
  PID:14428
- C:\Windows\System\PTQcpXQ.exe
  C:\Windows\System\PTQcpXQ.exe
  2⤵
  PID:14520
- C:\Windows\System\XEdNYvN.exe
  C:\Windows\System\XEdNYvN.exe
  2⤵
  PID:14612
- C:\Windows\System\zmcZFrN.exe
  C:\Windows\System\zmcZFrN.exe
  2⤵
  PID:14524
- C:\Windows\System\XVPIyqf.exe
  C:\Windows\System\XVPIyqf.exe
  2⤵
  PID:14724
- C:\Windows\System\qvkImoT.exe
  C:\Windows\System\qvkImoT.exe
  2⤵
  PID:14444
- C:\Windows\System\Jvcfcgy.exe
  C:\Windows\System\Jvcfcgy.exe
  2⤵
  PID:14672
- C:\Windows\System\gZeLeJv.exe
  C:\Windows\System\gZeLeJv.exe
  2⤵
  PID:14880
- C:\Windows\System\KglKpPh.exe
  C:\Windows\System\KglKpPh.exe
  2⤵
  PID:14952
- C:\Windows\System\nVOAQsK.exe
  C:\Windows\System\nVOAQsK.exe
  2⤵
  PID:14872
- C:\Windows\System\Lnmkinl.exe
  C:\Windows\System\Lnmkinl.exe
  2⤵
  PID:14756
- C:\Windows\System\DWALgBt.exe
  C:\Windows\System\DWALgBt.exe
  2⤵
  PID:15140
- C:\Windows\System\FvRnJHk.exe
  C:\Windows\System\FvRnJHk.exe
  2⤵
  PID:15164
- C:\Windows\System\YGPCZZO.exe
  C:\Windows\System\YGPCZZO.exe
  2⤵
  PID:15292
- C:\Windows\System\xsyoglP.exe
  C:\Windows\System\xsyoglP.exe
  2⤵
  PID:14480
- C:\Windows\System\teZsrRB.exe
  C:\Windows\System\teZsrRB.exe
  2⤵
  PID:14348
- C:\Windows\System\eLxEAhf.exe
  C:\Windows\System\eLxEAhf.exe
  2⤵
  PID:14560
- C:\Windows\System\lSWMTJL.exe
  C:\Windows\System\lSWMTJL.exe
  2⤵
  PID:14900
- C:\Windows\System\WWmdbpM.exe
  C:\Windows\System\WWmdbpM.exe
  2⤵
  PID:14396
- C:\Windows\System\XLfNJlc.exe
  C:\Windows\System\XLfNJlc.exe
  2⤵
  PID:14788
- C:\Windows\System\ECbchIe.exe
  C:\Windows\System\ECbchIe.exe
  2⤵
  PID:15204
- C:\Windows\System\NDYHIXi.exe
  C:\Windows\System\NDYHIXi.exe
  2⤵
  PID:15368
- C:\Windows\System\SsQWIrO.exe
  C:\Windows\System\SsQWIrO.exe
  2⤵
  PID:15408
- C:\Windows\System\CfvZgew.exe
  C:\Windows\System\CfvZgew.exe
  2⤵
  PID:15436
- C:\Windows\System\GONOmCw.exe
  C:\Windows\System\GONOmCw.exe
  2⤵
  PID:15468
- C:\Windows\System\zVUWDla.exe
  C:\Windows\System\zVUWDla.exe
  2⤵
  PID:15492
- C:\Windows\System\brIZZMs.exe
  C:\Windows\System\brIZZMs.exe
  2⤵
  PID:15512
- C:\Windows\System\FNuAjQe.exe
  C:\Windows\System\FNuAjQe.exe
  2⤵
  PID:15536
- C:\Windows\System\VbzMvSk.exe
  C:\Windows\System\VbzMvSk.exe
  2⤵
  PID:15568
- C:\Windows\System\xKEVqJC.exe
  C:\Windows\System\xKEVqJC.exe
  2⤵
  PID:15608
- C:\Windows\System\yangzju.exe
  C:\Windows\System\yangzju.exe
  2⤵
  PID:15628
- C:\Windows\System\hIbLIvT.exe
  C:\Windows\System\hIbLIvT.exe
  2⤵
  PID:15644
- C:\Windows\System\IzrOcZG.exe
  C:\Windows\System\IzrOcZG.exe
  2⤵
  PID:15664
- C:\Windows\System\ZfBbXLJ.exe
  C:\Windows\System\ZfBbXLJ.exe
  2⤵
  PID:15692
- C:\Windows\System\kKVgTPf.exe
  C:\Windows\System\kKVgTPf.exe
  2⤵
  PID:15716
- C:\Windows\System\hEFxNkz.exe
  C:\Windows\System\hEFxNkz.exe
  2⤵
  PID:15744
- C:\Windows\System\gNblZqN.exe
  C:\Windows\System\gNblZqN.exe
  2⤵
  PID:15764
- C:\Windows\System\usEbxRo.exe
  C:\Windows\System\usEbxRo.exe
  2⤵
  PID:15792
- C:\Windows\System\rDwXkSi.exe
  C:\Windows\System\rDwXkSi.exe
  2⤵
  PID:15828
- C:\Windows\System\EjdFeHq.exe
  C:\Windows\System\EjdFeHq.exe
  2⤵
  PID:15856
- C:\Windows\System\TLiElbi.exe
  C:\Windows\System\TLiElbi.exe
  2⤵
  PID:15876
- C:\Windows\System\xfCWxaJ.exe
  C:\Windows\System\xfCWxaJ.exe
  2⤵
  PID:15900
- C:\Windows\System\PCCGHKt.exe
  C:\Windows\System\PCCGHKt.exe
  2⤵
  PID:15916
- C:\Windows\System\MvyDtWx.exe
  C:\Windows\System\MvyDtWx.exe
  2⤵
  PID:15936
- C:\Windows\System\QmkvdyA.exe
  C:\Windows\System\QmkvdyA.exe
  2⤵
  PID:15964
- C:\Windows\System\kTvmwot.exe
  C:\Windows\System\kTvmwot.exe
  2⤵
  PID:15992
- C:\Windows\System\IKnvfNB.exe
  C:\Windows\System\IKnvfNB.exe
  2⤵
  PID:16012
- C:\Windows\System\rrdcDcd.exe
  C:\Windows\System\rrdcDcd.exe
  2⤵
  PID:16028
- C:\Windows\System\UsNNJpl.exe
  C:\Windows\System\UsNNJpl.exe
  2⤵
  PID:16060
- C:\Windows\System\JaaXwlm.exe
  C:\Windows\System\JaaXwlm.exe
  2⤵
  PID:16076
- C:\Windows\System\AvSMFnC.exe
  C:\Windows\System\AvSMFnC.exe
  2⤵
  PID:16100
- C:\Windows\System\oXYNGhW.exe
  C:\Windows\System\oXYNGhW.exe
  2⤵
  PID:16116
- C:\Windows\System\dWHlnYf.exe
  C:\Windows\System\dWHlnYf.exe
  2⤵
  PID:16152
- C:\Windows\System\DxYyqaz.exe
  C:\Windows\System\DxYyqaz.exe
  2⤵
  PID:16176
- C:\Windows\System\kFrrpvB.exe
  C:\Windows\System\kFrrpvB.exe
  2⤵
  PID:16200
- C:\Windows\System\HKWMWTP.exe
  C:\Windows\System\HKWMWTP.exe
  2⤵
  PID:16236
- C:\Windows\System\KwUkTwF.exe
  C:\Windows\System\KwUkTwF.exe
  2⤵
  PID:16256
- C:\Windows\System\cmSmBSo.exe
  C:\Windows\System\cmSmBSo.exe
  2⤵
  PID:16284
- C:\Windows\System\gzJWXxI.exe
  C:\Windows\System\gzJWXxI.exe
  2⤵
  PID:16308
- C:\Windows\System\NBFxzCL.exe
  C:\Windows\System\NBFxzCL.exe
  2⤵
  PID:16344
- C:\Windows\System\rHBhkCv.exe
  C:\Windows\System\rHBhkCv.exe
  2⤵
  PID:16372
- C:\Windows\System\GNSsbmb.exe
  C:\Windows\System\GNSsbmb.exe
  2⤵
  PID:14932
- C:\Windows\System\TmTkdhF.exe
  C:\Windows\System\TmTkdhF.exe
  2⤵
  PID:14864
- C:\Windows\System\GDNoLQv.exe
  C:\Windows\System\GDNoLQv.exe
  2⤵
  PID:15364
- C:\Windows\System\LKqTbye.exe
  C:\Windows\System\LKqTbye.exe
  2⤵
  PID:14700
- C:\Windows\System\JsdiRMQ.exe
  C:\Windows\System\JsdiRMQ.exe
  2⤵
  PID:15480
- C:\Windows\System\VCJUZCl.exe
  C:\Windows\System\VCJUZCl.exe
  2⤵
  PID:15392
- C:\Windows\System\Qancuit.exe
  C:\Windows\System\Qancuit.exe
  2⤵
  PID:15604
- C:\Windows\System\IUjrLJY.exe
  C:\Windows\System\IUjrLJY.exe
  2⤵
  PID:15672
- C:\Windows\System\fhJywBe.exe
  C:\Windows\System\fhJywBe.exe
  2⤵
  PID:15732
- C:\Windows\System\dCESecC.exe
  C:\Windows\System\dCESecC.exe
  2⤵
  PID:15816
- C:\Windows\System\FIbhRmB.exe
  C:\Windows\System\FIbhRmB.exe
  2⤵
  PID:15844
- C:\Windows\System\OGpcoWr.exe
  C:\Windows\System\OGpcoWr.exe
  2⤵
  PID:15652
- C:\Windows\System\Dfweoby.exe
  C:\Windows\System\Dfweoby.exe
  2⤵
  PID:15972
- C:\Windows\System\PxAfRde.exe
  C:\Windows\System\PxAfRde.exe
  2⤵
  PID:16020
- C:\Windows\System\hhlpQbB.exe
  C:\Windows\System\hhlpQbB.exe
  2⤵
  PID:4276
- C:\Windows\System\kLpxNXt.exe
  C:\Windows\System\kLpxNXt.exe
  2⤵
  PID:16108
- C:\Windows\System\mFWtgkO.exe
  C:\Windows\System\mFWtgkO.exe
  2⤵
  PID:16000
- C:\Windows\System\TQmaeSb.exe
  C:\Windows\System\TQmaeSb.exe
  2⤵
  PID:16188
- C:\Windows\System\oPPuhda.exe
  C:\Windows\System\oPPuhda.exe
  2⤵
  PID:15912
- C:\Windows\System\zMJYxXp.exe
  C:\Windows\System\zMJYxXp.exe
  2⤵
  PID:16320
- C:\Windows\System\meuxVKN.exe
  C:\Windows\System\meuxVKN.exe
  2⤵
  PID:14616
- C:\Windows\System\eEtfgrR.exe
  C:\Windows\System\eEtfgrR.exe
  2⤵
  PID:16296
- C:\Windows\System\JoeZZWT.exe
  C:\Windows\System\JoeZZWT.exe
  2⤵
  PID:16356
- C:\Windows\System\jGwtTZU.exe
  C:\Windows\System\jGwtTZU.exe
  2⤵
  PID:15244
- C:\Windows\System\JKERXiK.exe
  C:\Windows\System\JKERXiK.exe
  2⤵
  PID:15864
- C:\Windows\System\DMNpall.exe
  C:\Windows\System\DMNpall.exe
  2⤵
  PID:16424
- C:\Windows\System\GEINcmn.exe
  C:\Windows\System\GEINcmn.exe
  2⤵
  PID:16448
- C:\Windows\System\mDySlYF.exe
  C:\Windows\System\mDySlYF.exe
  2⤵
  PID:16476
- C:\Windows\System\rbSCOJZ.exe
  C:\Windows\System\rbSCOJZ.exe
  2⤵
  PID:16504
- C:\Windows\System\VFFoGHe.exe
  C:\Windows\System\VFFoGHe.exe
  2⤵
  PID:16532
- C:\Windows\System\LqjyFFZ.exe
  C:\Windows\System\LqjyFFZ.exe
  2⤵
  PID:16556
- C:\Windows\System\tkYqjTM.exe
  C:\Windows\System\tkYqjTM.exe
  2⤵
  PID:16580
- C:\Windows\System\TLWkseE.exe
  C:\Windows\System\TLWkseE.exe
  2⤵
  PID:16604
- C:\Windows\System\GwdPhLu.exe
  C:\Windows\System\GwdPhLu.exe
  2⤵
  PID:16624
- C:\Windows\System\nDriuSA.exe
  C:\Windows\System\nDriuSA.exe
  2⤵
  PID:16656
- C:\Windows\System\QmPrnVS.exe
  C:\Windows\System\QmPrnVS.exe
  2⤵
  PID:16684
- C:\Windows\System\DQHwQlP.exe
  C:\Windows\System\DQHwQlP.exe
  2⤵
  PID:16708
- C:\Windows\System\HVbWOfS.exe
  C:\Windows\System\HVbWOfS.exe
  2⤵
  PID:16752
- C:\Windows\System\NujNHfr.exe
  C:\Windows\System\NujNHfr.exe
  2⤵
  PID:16780
- C:\Windows\System\DZVoxTx.exe
  C:\Windows\System\DZVoxTx.exe
  2⤵
  PID:16808
- C:\Windows\System\CVdbjKs.exe
  C:\Windows\System\CVdbjKs.exe
  2⤵
  PID:16828
- C:\Windows\System\PdwEfHw.exe
  C:\Windows\System\PdwEfHw.exe
  2⤵
  PID:16852
- C:\Windows\System\GNPhqRx.exe
  C:\Windows\System\GNPhqRx.exe
  2⤵
  PID:16876
- C:\Windows\System\uBxkoil.exe
  C:\Windows\System\uBxkoil.exe
  2⤵
  PID:16904
- C:\Windows\System\jbSYEjw.exe
  C:\Windows\System\jbSYEjw.exe
  2⤵
  PID:16924
- C:\Windows\System\tnImLMv.exe
  C:\Windows\System\tnImLMv.exe
  2⤵
  PID:16944
- C:\Windows\System\fuYQXvV.exe
  C:\Windows\System\fuYQXvV.exe
  2⤵
  PID:16976
- C:\Windows\System\zeQMKiO.exe
  C:\Windows\System\zeQMKiO.exe
  2⤵
  PID:17004
- C:\Windows\System\rknseZz.exe
  C:\Windows\System\rknseZz.exe
  2⤵
  PID:17024
- C:\Windows\System\Rdnqfao.exe
  C:\Windows\System\Rdnqfao.exe
  2⤵
  PID:15680
- C:\Windows\System\pZvThPb.exe
  C:\Windows\System\pZvThPb.exe
  2⤵
  PID:15528
- C:\Windows\System\KRLmePG.exe
  C:\Windows\System\KRLmePG.exe
  2⤵
  PID:15836
- C:\Windows\System\RcCrRrf.exe
  C:\Windows\System\RcCrRrf.exe
  2⤵
  PID:16696
- C:\Windows\System\YMkLZYG.exe
  C:\Windows\System\YMkLZYG.exe
  2⤵
  PID:16140
- C:\Windows\System\wvHfweZ.exe
  C:\Windows\System\wvHfweZ.exe
  2⤵
  PID:16332
- C:\Windows\System\NUhUPUj.exe
  C:\Windows\System\NUhUPUj.exe
  2⤵
  PID:17048
- C:\Windows\System\TrsboBJ.exe
  C:\Windows\System\TrsboBJ.exe
  2⤵
  PID:17072
- C:\Windows\System\OKxGoVr.exe
  C:\Windows\System\OKxGoVr.exe
  2⤵
  PID:17116
- C:\Windows\System\XOYBiHw.exe
  C:\Windows\System\XOYBiHw.exe
  2⤵
  PID:17016
- C:\Windows\System\WBJpdvu.exe
  C:\Windows\System\WBJpdvu.exe
  2⤵
  PID:17168
- C:\Windows\System\wIQycrF.exe
  C:\Windows\System\wIQycrF.exe
  2⤵
  PID:17208
- C:\Windows\System\lUuTgTj.exe
  C:\Windows\System\lUuTgTj.exe
  2⤵
  PID:17220
- C:\Windows\System\nXMAjrA.exe
  C:\Windows\System\nXMAjrA.exe
  2⤵
  PID:17228
- C:\Windows\System\QtrIemX.exe
  C:\Windows\System\QtrIemX.exe
  2⤵
  PID:17328
- C:\Windows\System\gFcXcHO.exe
  C:\Windows\System\gFcXcHO.exe
  2⤵
  PID:15636

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:17204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:17240
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:17052

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133795503883047519.txt

Filesize
75KB

MD5
822d6685a1968f49540d0ebaaf8be823

SHA1
67fa22e27c7d098cd45274ae8f0f085e2eacc8ac

SHA256
d744684f2c4d84772a6dfb3317cbdfeaca0f8c9ad4bb67fe35947ddcf93ef4e7

SHA512
5341967cf1ed6d31333fe0f06ee0e682376f1e915cb77dbeda758e84e0660c855c496200e0bf160c79f89bdffe81c86011a26d96e127552e6d0236e38152a2ee

Download Submit
C:\Windows\System\BOEYBAd.exe

Filesize
1.8MB

MD5
5cf9b2d990392932ed76a15831afda01

SHA1
1288a6ce69a6531d410f1f4ca9fae16a180ad7e8

SHA256
e46b7c96fdd23bdc15abbb580fee4d8c0b0a9329bcd62825113eb90763fc8184

SHA512
dad492b37d73a7f2d411e70bbf0f12dbfd15636b8d76c8faab9aaf2f71b77d03d07dd19a913469f8df88d70db143dd4d62ddd7d69ec69eb102ca1e1e4a1d8ef9

Download Submit
C:\Windows\System\CPruuFN.exe

Filesize
1.8MB

MD5
61709b84c6e1020060338cf1b163aee9

SHA1
9f78067fda5e9720f3c28415efa5570950237cfa

SHA256
8594a19e85b0233470d7f14f8dd5b1b75df3afffbed8e2f49e8ffd44c1f9d357

SHA512
8fbf5dcd322ddd2a358d1017064b630cacdd68809d5391a77a93e83374701a8c01679489d0bb85bf1ea3557ed27d64456836cac113930231224f6735de655f13

Download Submit
C:\Windows\System\CsEwqpn.exe

Filesize
1.8MB

MD5
c478a6ef730824934e063e2737ec63d0

SHA1
b2ed9b752179aa56a2394aaec89676f85d5ec1da

SHA256
ee304b9cfd5a2ebb08f56ed607b467a9cfd38ee57131e5f290a49b91daf93a7a

SHA512
e0da7ed1617132d09b7b9060652a1fa3048180e5c37704fa0fbe453d9262c3d027d5ba8d817b07530c070ae5453d64a3db2730fefeb3cb43b123d8f9d1db1fcb

Download Submit
C:\Windows\System\DlleSzy.exe

Filesize
1.8MB

MD5
36facc348a35084a75115c7af6a93f31

SHA1
4ea7f1702229aa13625ee86c0b9a50f461b8f1f1

SHA256
6a320c877aa28773816319a294f4c21fc1c308c1693e7b082213b4a68857970f

SHA512
9d1fe41bd1803b8178eee80eaddad21397fb46b105474ec13dea6a42da51ec6495588734efc0f61ab4bdc913ae802adcdbfc451073abf75e7322e46fe54aa7ce

Download Submit
C:\Windows\System\HTwWMiT.exe

Filesize
1.8MB

MD5
b3d091d61c000db231a868627b24b199

SHA1
e5fe17dbbcd75e2187d258de48bedd8381a2e846

SHA256
05dc6b19bbf63ab56f6c35d73661232ec2023bf5db0237ba6db2a5ecfde6e7ae

SHA512
31c8402be0b66671b1b3aa39bdeeff0f418a7570f30ed544e4a042459f68b26e765b709a458c784cd225b5d001ac9c00112abe79d2b556793b31fe4419699042

Download Submit
C:\Windows\System\IFOULNg.exe

Filesize
1.8MB

MD5
08768eb6391ad520d43e69eba51b2def

SHA1
3421e79a273bb62042059020aa0dc694a499caf4

SHA256
456da977a4ce4ac0f14fdd9f85aa0966b4214a28e95ae12306c42d6f052552d6

SHA512
a2206de03516403923bd261ad50e82b97e58a4b1f0e12cdf0ba4624789bf1721768daf2e0c7923117f85cfed0190c2152bd75973ebf4d61cc48e4e8b0473d54d

Download Submit
C:\Windows\System\IZsnpcD.exe

Filesize
1.8MB

MD5
6d09115cdde1cc0cd45d210e331d78c5

SHA1
aeaf56149645f9a41b60a4e48270b86a75e0ed16

SHA256
3a84483ea55dd073fdad71d6ff74088103df6d7525f3a38fc7186f253394f01d

SHA512
b3568f72fbf0ebda9735e525d3de37702a410e76a45e0fedca245e73423f4b614f9b10fc228f5dff54574bc9ad86da04f46227877213037e2ead06b50b766639

Download Submit
C:\Windows\System\JnUkVPx.exe

Filesize
1.8MB

MD5
6fb78d45a1eed4d3a67c8749675948ae

SHA1
575dfbafa84e08f6ecc94ad08a2eb74b720f168b

SHA256
3e16de33274954eb756d7a5eb91fc9e503b263e4323fe5e838f64fde89288c32

SHA512
fb6ea2a2930b7b8df420c9193f9c4b57af7665195433e922df95a289ac9a3f5522d069f16b38d63d48d907c1954ac590519dc15fa2cccd09208de2837a1b5150

Download Submit
C:\Windows\System\NJEoQRl.exe

Filesize
1.8MB

MD5
0a6c7edfd2566d1e8b8e9b74442c95af

SHA1
f4855832099e6deddd5eb4435725422d54adec29

SHA256
024d9814c7d9ade7478a07ef1bfa5b9a59b9241b01ce8f4aaedcbfb8917242aa

SHA512
2066e09699b2081824eab47674968f07880ffafa8a90ab8bf22e925323bd523136aaebc5bf1802955198eef01c630b8656fc8d04d8693e0423199071b979f5f9

Download Submit
C:\Windows\System\RmONvzj.exe

Filesize
1.8MB

MD5
aad72917c5d29dcf0b90f348e5a10fd4

SHA1
b17853e4d0f7933e88cf09534cc9b818af40073e

SHA256
ab62d4632945c6f638fcc4a32b363bf5451e519bbcb4baa6a70206f005392f1e

SHA512
f3e71dc6a2d0c31c1dd2ea678c29bb606d698dbef88e93e1deb20c99a08a2ac2ab8bef70228ea7a11cff8f2cd62862a78e688271db97980ac8b97892ce52bb8d

Download Submit
C:\Windows\System\ULTsrNd.exe

Filesize
1.8MB

MD5
fd55ee0134a349285785b1744f00ab10

SHA1
55c21acf2e2c01dbd4b666c384e3140bbfcbefc5

SHA256
9f4e68e16ae239647981d8bda3d0bc84d4ebb3338bed212b08b412e6fb4754f2

SHA512
096d79212530297f05377e91401474db4fbb5ced5979468f437acc49a4afa392830b9e1026066352d2c7d0814d6abf978810268ebcacf08ab9a75710ba9278d5

Download Submit
C:\Windows\System\UhVGsgc.exe

Filesize
1.8MB

MD5
29638d5e066fc63e42d2d07b4fb2ca42

SHA1
01776b64ce8bcd1dd34957de4dbf1b66d1f56e42

SHA256
8e9de0403c0e43b86f82cdb31f7044c1da35f7d9184156a5eb7a8a8f1ae9a2d0

SHA512
ea2bc3aeb1d6799c09887c1bb28eecb20035cd0ca6efb1ce36ea1287dc4129463f29e54095a440bd86f6634a46506dabd022124ecd627d00fd91078d60865f86

Download Submit
C:\Windows\System\WYicdYZ.exe

Filesize
1.8MB

MD5
f49c3a5d9068c4b4da26e12ccc58a232

SHA1
6d56ac8a82feb332a105aeee401ffb769f64b9fd

SHA256
e533a561738e98fe1df30fa37549249511c76d0fc6080e067a6884eb26125c2a

SHA512
065c17e555836887a6a2e096860c2bc2d06287014792b0e5fbf8bafe00bbbf90f10f95fbda6513f6415637894a8d27fd85704c2a62107ca47657309d7cf18f23

Download Submit
C:\Windows\System\YiuLRBm.exe

Filesize
1.8MB

MD5
6e130afb0f3ebd47c39bb3c8e891fe0d

SHA1
1e060e89c5f153d378ac68e63d8de1077f84c187

SHA256
32d7456e7c9a61ca24752dc0e4c43cb1ad89f935f5a6b912d902bd9cf9bf0d9a

SHA512
4c2cf37b5bff62e5eaed9fb6f1e91762864f685b29489ac1ffa76472336ae15e694e4c6ce1341454650ede5e74f766230c47c78e841439de213a746acf36e902

Download Submit
C:\Windows\System\YoPFzDh.exe

Filesize
1.8MB

MD5
b548263ab26e49655d7f239f21336126

SHA1
7d5777c39fd33c7a032a6db7c1ad2f16e1e1b05a

SHA256
3fb6d85e75d2a84d56eec1210a654e3baa128d4d87efec047066ce7689d237f4

SHA512
dc3656f37c9ed725c9fcc811945120945827b5e4d07502dd5bc1ecaa58d8226f08e59df588af3ccf94b4940baac064d292451620f69936fc742e2b1ea7fc1aa9

Download Submit
C:\Windows\System\YzsqSZN.exe

Filesize
1.8MB

MD5
20aae8b8d619e964f6c8397b7a0e1418

SHA1
a3df9a21eb4f274ec3f547a5ad155b04a414c4a7

SHA256
32ad62b2b8b20eeead4600455d6eeb3155b3566c786174ef46bc6f5fe320d310

SHA512
b22d16d6c3b78e5997d0176141dc08c828d0a0b2e44796b917c1223edbfd998170abe19b458c21ec3e15acbc3afcb31474b813937b27a5f601c296343e4aae64

Download Submit
C:\Windows\System\bmFocec.exe

Filesize
1.8MB

MD5
a422b7453137027857f91d333fee0c3a

SHA1
c32499219ea43c85cdb57df8cf76f09cad6c02a5

SHA256
c39b77038780846b056c27355d7a4a87bee1a8ca6205f4b491c4493335570f5f

SHA512
42196b38569505ba8ee0a51ab112c8fc40328dadb14fc72e70904793b284d097eecf31a175aed6079c9f4a081fd08fde74a038edf5fc39068cc466aefb4c9830

Download Submit
C:\Windows\System\dJPIQvX.exe

Filesize
1.8MB

MD5
7d433616bf51781a11d1a2483b1d3d51

SHA1
bffbf3b4c065011e20f5aec9ba55cee22c4f736a

SHA256
ad8bc0255f9e81909bb531af22d5da842c21da74ee6971f377c8b810836f8d65

SHA512
014bf336abca8e51de0e96d2ec6e4a428dfd7e2e0b1ad2d6607bd5c1b7bc0bc46ac79a9b994a56a2d9beb44ad23849857e340a84057da628c6cace0fc17dd874

Download Submit
C:\Windows\System\iwnPUJD.exe

Filesize
1.8MB

MD5
6cc8d16c09f3e1b7313d128f3b2dd075

SHA1
39aedbfa912ab8bc2da59835c3628e52803263ab

SHA256
fe6e018b7df8a600707b4018af908ba8417fd32dc8e0bdd4d9e7a24a439ec45a

SHA512
48c12b7a4ddc76128b06e63ba2dca979be0008a7a1ea4dc624d963a139401927629f7d0be38e250f3f0ce0a17fbc20c6995059a29a0a8fa88ec69c1b2d3d3862

Download Submit
C:\Windows\System\kFQyaBO.exe

Filesize
1.8MB

MD5
232d49273763cad509b05e7868539ac3

SHA1
e17895eed041eb6355eb8a442fbdbb0ba0139b6c

SHA256
da45ffc91bd48765145977c401c03a6d75a4a5e5b3c2a010f1348f9a525967a6

SHA512
a657300747f7dbe1df4b94a6e8be088834d1f1e74269f4d00cb281fc5d3196eb537790a49d5f33630f4eb7244f3157e56392d43837e4ab320d1acb9a245c4121

Download Submit
C:\Windows\System\mckBKra.exe

Filesize
1.8MB

MD5
a99f8ad7e4455630c47d8caa1806b79f

SHA1
70ea484336969e7ac740d2a3337ea5ca7056ae6d

SHA256
dcd6b95eba7be401aab8b29199649a43dc9b266009dd5941ec2712052d2af564

SHA512
e391cf37e994b030b122a42ee5b6455067eea2155d2d42fbab422f2b087f02a444e0c37de37fb94bb7f3d4f37c8e70d08318216179eb01841a2c24a76328613d

Download Submit
C:\Windows\System\nmcDRPq.exe

Filesize
1.8MB

MD5
bc6dfa8e83acc7372505ac8b6529f975

SHA1
165a0248388566a91e6468dadfc66596412477aa

SHA256
7312bf46a89aac5b4988ee6947b1e053acc45db410e8ce2fa732996440745048

SHA512
206389f625cb65a43ddd1e8afdc106d0171e4f77e35a473b5d6a42686680d320c613ff412b7bf87cab5ff1ba0ceea68a0691a81be86364273cce04495ff0f841

Download Submit
C:\Windows\System\oNBQoNT.exe

Filesize
1.8MB

MD5
fc657e15afb0dd915d00d2fbc3e8a6d2

SHA1
4b7628ac07a98ee937c04a6b23995f5249c35e3f

SHA256
92b720eb83619282211328e0caf875cc89210d55b04d5a1c6bc90bc74200e508

SHA512
d1beb455ee45180a8e6a5dc17f33cc808d73ca5b89328336c9118ad1fb0a42c3f23a3aec4f0ad9ef1c348160f5468116d8cec92a8ce0b14c7846015e62bcad85

Download Submit
C:\Windows\System\pQHYpgf.exe

Filesize
1.8MB

MD5
076d8cc79eff3c562207e83d73627b7c

SHA1
0c160fd3886b25a7812f2f9b7a1eb13dc608d40a

SHA256
8e37093a6f2b402c2cbd883df4c5e571988970c6a7bf1bf27cd0ff775a0c4aa6

SHA512
c31d405169ddfde7a5ccf2b8f73a7f882dd9e744b2ac0f7d7f3624cd811e333e8d042f62adce2a24c8ab4d19857b1fbb187b38b9039462df57337f3bf3a96f43

Download Submit
C:\Windows\System\rYPXVLn.exe

Filesize
1.8MB

MD5
d00dff6a98cc534a20bdc34164715c0a

SHA1
3d69bf2fe6f8d1b90eef9d51d8e54d87187e3e41

SHA256
a5f43dc7f1195d1b1f09dd794ffd899973006040a5a1142b28fb7b0e2ef496b6

SHA512
7be7a4c367e1022173be6dd083de01f0e89332ff009ace865e3c79a3a3a5ad099a89dfe9b062865359c7d4ee5e917c2ea5ffb57edbfbbc5d8993c09fe57b6500

Download Submit
C:\Windows\System\supYWlU.exe

Filesize
1.8MB

MD5
fe6c83cf49cb4e4af96907b6242680ae

SHA1
d47dcac52af7ac3b5671b10e7b0c697c10ce2333

SHA256
4d5b50ac3e4f61b640e0ced6a7b83bdf0232bde9bb9e64e7d4551d072977db53

SHA512
e40dc8c56f53ccfad42d61715db177256b3b65a75f8c190db0e938d92e7a09759ce5a7cfa731db9833d047849b17ce68b747af05ff9f7a616180e24278defd9e

Download Submit
C:\Windows\System\tJCjPQq.exe

Filesize
1.8MB

MD5
970e9fb829e32811eefa4cd3c57f8789

SHA1
7fe8c14c4433696a5e97df6e33d967331852ddd8

SHA256
30b4eff2e01888cd835ac4c3d1d8f1d61c8e10a2584d8f910f53d1461a02e4af

SHA512
e66904a74bc9262f3f091012efd9a44b99ec6b5a103008be3114c12bdf551b3eaf8fb1494436509a7114cf8d7a770deabaedd0462f4c602b24bc3c60b025713a

Download Submit
C:\Windows\System\uBwRzoM.exe

Filesize
1.8MB

MD5
46f679faab616c611b72036562e93d23

SHA1
cf80a4d9e3fb3f93c860d91e161984116ede833d

SHA256
6e98654cd42359c76f4e5199960898991befb952da270e0c2e1d69f3a99aab2b

SHA512
2f309c4fe666376c5455b870de867b4c8e3ccafc4c13566117fad118e5a1cb0387d1ab915ff5845cdd42b5c216a0551ff4fe48a4c97db7feb478c4606bdffdb1

Download Submit
C:\Windows\System\ukIlMoV.exe

Filesize
1.8MB

MD5
05729de1f9741b2d9083a22b6faccd9e

SHA1
1b331be67f066a9dbd3e448c49125d4e305b8ff7

SHA256
ca5bb2dc15861daa0969bfe20223ab018e866d49e627a8d49642e1cb831c15cf

SHA512
6903135824158776b6b685aa973b3ba1f82c51e250873358ca3fdf771354b028d7ddf810ae8d61bfb2beaf1c77e41a278acb5cd1dcf302cfe46024befe84ce65

Download Submit
C:\Windows\System\xEcZDrg.exe

Filesize
1.8MB

MD5
e89590da7b3660bbdc631c328e979732

SHA1
21588e3aa15509e75bd3717d8f415c4e937747a4

SHA256
776818fcefa36c15b5e974906a4ebbbd4750f2f7b5511da64dff2b95da290f63

SHA512
424d1c59b3d570b64104cb2acb1ff95afdec862beb3f2546ff5b4f8808e35e3fbd860641dc58c257d77f7316e892edf3b6f65672c6b38b37146ea82387958c84

Download Submit
C:\Windows\System\xFoFODo.exe

Filesize
1.8MB

MD5
5a20452af1ec7499d95207d43620f021

SHA1
19423b13f723036e89b8d93e779163447ff2cd00

SHA256
89e48bd2329e759f7a66575cd80393424e04adbb33331f22d7ea7ce560ec021c

SHA512
a3f223440c3680647efd19aef4d6edfe56b31715bc2a0ab918f7673e48d7af57847304f33811ab81375ffa527b0a68cb63a13bc1630ee798df5677bec4935c99

Download Submit
C:\Windows\System\xUPNMBV.exe

Filesize
1.8MB

MD5
6336a56f241cb7b6bbb3e91033372f21

SHA1
66e5f4bc4bcec5c830d9902426c8b55a67f53f69

SHA256
dcefb993cd7d318bba98dad2da0ddb8a339847c05eb24b3d67557644d9a1dd29

SHA512
41d81b13404148825384a29c5e265e0a21d78b3b473a968e1371912950dfd270168ef32696518196556e206c7c580c19f49aefde80a08200c93e79795fc59aba

Download Submit
C:\Windows\System\yapXKGr.exe

Filesize
1.8MB

MD5
0dff07471ffa1e17cb18acb9313e46e4

SHA1
5b3402d310c3dc187ab5b92545802328deece540

SHA256
9ad97425fe7ca63294435326e3bfae1f34bc8c7013595dde8e62248964709767

SHA512
cf41d2561b72ffacc8333cfec2f82fb03f3c54cbc23fd83570cf41457e157351ddffa3f88eecc1a7a9b5166d8dafc44babffd1da0ef380f8651e81690d6fddcf

Download Submit
memory/1548-0-0x000002813A6A0000-0x000002813A6B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads