xmrig | 636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9

Analysis

max time kernel
79s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
Size

1.8MB
MD5

0db903fccec3b0bad73966ffb3714ad6
SHA1

2d099dcdde5c0a62663f77f4478ec619bb4e8063
SHA256

636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9
SHA512

fcfb3f9760fb776488f5891092489e9c7fcce0c6706a278c9fd52bf6ffd664c6c27ff6d9ffd1e7934e700f4cb5d5452689a6bd461a8b12386d7f54b5e5bf85a3
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9ozttwIRxj4c5yOBZ/e3QpkJ:GemTLkNdfE0pZyG

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 34 IoCs

miner

resource	yara_rule
behavioral2/files/0x000c000000023aff-3.dat	xmrig
behavioral2/files/0x000b000000023b5b-9.dat	xmrig
behavioral2/files/0x000b000000023b5e-8.dat	xmrig
behavioral2/files/0x000a000000023b60-19.dat	xmrig
behavioral2/files/0x000a000000023b61-25.dat	xmrig
behavioral2/files/0x000a000000023b62-29.dat	xmrig
behavioral2/files/0x000a000000023b63-32.dat	xmrig
behavioral2/files/0x000a000000023b64-37.dat	xmrig
behavioral2/files/0x000a000000023b65-44.dat	xmrig
behavioral2/files/0x000a000000023b69-59.dat	xmrig
behavioral2/files/0x000a000000023b67-63.dat	xmrig
behavioral2/files/0x000a000000023b6a-69.dat	xmrig
behavioral2/files/0x000a000000023b6b-82.dat	xmrig
behavioral2/files/0x000e000000023b7d-99.dat	xmrig
behavioral2/files/0x000a000000023b76-105.dat	xmrig
behavioral2/files/0x000b000000023b6e-103.dat	xmrig
behavioral2/files/0x0008000000023b86-101.dat	xmrig
behavioral2/files/0x000b000000023b6c-97.dat	xmrig
behavioral2/files/0x000b000000023b6d-89.dat	xmrig
behavioral2/files/0x000a000000023b68-65.dat	xmrig
behavioral2/files/0x000a000000023b66-49.dat	xmrig
behavioral2/files/0x0009000000023b8d-125.dat	xmrig
behavioral2/files/0x000e000000023b91-128.dat	xmrig
behavioral2/files/0x0008000000023b93-132.dat	xmrig
behavioral2/files/0x0008000000023bc8-151.dat	xmrig
behavioral2/files/0x0008000000023b97-166.dat	xmrig
behavioral2/files/0x0008000000023bca-165.dat	xmrig
behavioral2/files/0x0008000000023bc9-161.dat	xmrig
behavioral2/files/0x0008000000023b98-158.dat	xmrig
behavioral2/files/0x0008000000023b96-154.dat	xmrig
behavioral2/files/0x0008000000023b99-150.dat	xmrig
behavioral2/files/0x0009000000023b8c-120.dat	xmrig
behavioral2/files/0x000b000000023b5c-115.dat	xmrig
behavioral2/files/0x0009000000023b8b-113.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2828	iYdOdQz.exe
2768	lWkAHLM.exe
3152	kdHrrQp.exe
372	LWiDapb.exe
4616	sigxYLl.exe
1680	sTzcdOE.exe
4336	MRATgOG.exe
368	RuoLtXb.exe
1512	wbSEMZM.exe
1520	OuMVrUs.exe
864	KBtYwtJ.exe
1928	sZGIayE.exe
4148	SrjOfrz.exe
3592	RQHTSKf.exe
4400	wyPxjKn.exe
3004	rGYChCR.exe
1816	jKXMNqI.exe
2132	qxyGCal.exe
2088	diLnxsr.exe
3620	OWvTlFZ.exe
3484	WAdLaGY.exe
4056	lrklHwC.exe
4892	RvYNJxe.exe
2024	pGeoadj.exe
1436	rqqVdCk.exe
2964	irCzoVf.exe
2996	WAcPjEe.exe
4836	XhbOHsM.exe
4868	iOnWMQJ.exe
1460	osjXiJO.exe
116	RgBXYTL.exe
3980	VCbSdta.exe
4544	tarDjMz.exe
2348	lafjuFo.exe
2820	VaFKhGN.exe
1596	kTXHKBQ.exe
3936	FKZctCk.exe
8	eEJGbdO.exe
936	wdxwBdg.exe
724	oFxlESb.exe
4896	kGvEKWX.exe
5072	srWMbtM.exe
2808	uvTkuGn.exe
3388	SjLcNfB.exe
4580	VVObLiK.exe
3316	NZPVgMT.exe
1288	MtgCPBW.exe
4684	AciiJqn.exe
3312	sBMlLLi.exe
856	jRUnOBO.exe
3636	wOaSyyO.exe
4500	ZVEZeVn.exe
1728	yYFyKbV.exe
4716	WpQPVMu.exe
1404	ASTcDXa.exe
2640	puxcyNw.exe
2920	weZlKZA.exe
5100	plVRvQk.exe
3000	MPGicXn.exe
2268	FcxUtHp.exe
4428	NUYltgZ.exe
1236	LXWfciF.exe
2308	wIRkIas.exe
4560	sWHlqTY.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\bXUbKEJ.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\rnfLcIV.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\nepImQt.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\OajLPWR.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\cZfIbcS.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\hgzRAFo.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\bOlqygw.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\oHMnKzg.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\yZhJJEY.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\LVjjgsU.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\FWbJnbm.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\wyPxjKn.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\EfwkXrD.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\QGyuDTl.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\qzBiFhk.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\KvOGBkK.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\nCgcBXN.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\aRQsJcj.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\QmFCDNI.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\gKAsczA.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\aEVkrek.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\hmBafjg.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\MFKMoDo.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\hlUPeKU.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\YmItarZ.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\QbKJUvY.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\jEoftnS.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\ZnMoetH.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\UhRzYXy.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\YINsLQb.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\dTPlVtM.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\AtUlgPV.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\GOdiWvo.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\AiWGzOc.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\hRTAjPs.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\xuknxkV.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\UhLjjtn.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\xuqrOFZ.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\banhObp.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\mCoGTIm.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\BaiJMIc.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\owRPLpR.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\nKcOMBt.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\HMdRHGU.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\zsONOGX.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\fhMRXfe.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\BAZSjyV.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\xFiXgwq.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\vyxLOan.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\cwJvGnX.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\qRkSwzJ.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\vsRqRaF.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\mEzUipD.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\uRBDQpR.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\aOAYhZO.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\cvmURen.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\qxTjJNy.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\mkGaDhM.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\zYhWDxP.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\vXEVMBF.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\eNyzBCD.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\BTfIWBP.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\LyeHmHW.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
File created	C:\Windows\System\vtnYora.exe	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2089655958-977706906-1981639424-1000\{CD3A7E84-878E-4E07-9773-A382C7F9A814}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2089655958-977706906-1981639424-1000\{15673BC8-F73F-4333-87A8-137FEE95DFD5}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2089655958-977706906-1981639424-1000\{C33C92CF-1450-42E5-82BE-EB26D1122419}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	16852	explorer.exe
Token: SeCreatePagefilePrivilege	16852	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	3212	explorer.exe
Token: SeCreatePagefilePrivilege	3212	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe
Token: SeShutdownPrivilege	728	explorer.exe
Token: SeCreatePagefilePrivilege	728	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
16488	sihost.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
16852	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
3212	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
728	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe
388	explorer.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1924	StartMenuExperienceHost.exe
3900	StartMenuExperienceHost.exe
5484	StartMenuExperienceHost.exe
2376	SearchApp.exe
7656	StartMenuExperienceHost.exe
2784	SearchApp.exe
10456	StartMenuExperienceHost.exe
10944	SearchApp.exe
11708	StartMenuExperienceHost.exe
11452	SearchApp.exe
13248	StartMenuExperienceHost.exe
6644	SearchApp.exe
440	StartMenuExperienceHost.exe
15712	SearchApp.exe
4152	StartMenuExperienceHost.exe
6260	SearchApp.exe
7876	StartMenuExperienceHost.exe
7416	SearchApp.exe
9148	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2828	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	83
PID 3240 wrote to memory of 2828	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	83
PID 3240 wrote to memory of 2768	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	84
PID 3240 wrote to memory of 2768	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	84
PID 3240 wrote to memory of 3152	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	85
PID 3240 wrote to memory of 3152	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	85
PID 3240 wrote to memory of 372	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	86
PID 3240 wrote to memory of 372	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	86
PID 3240 wrote to memory of 4616	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	87
PID 3240 wrote to memory of 4616	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	87
PID 3240 wrote to memory of 1680	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	88
PID 3240 wrote to memory of 1680	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	88
PID 3240 wrote to memory of 4336	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	89
PID 3240 wrote to memory of 4336	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	89
PID 3240 wrote to memory of 368	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	90
PID 3240 wrote to memory of 368	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	90
PID 3240 wrote to memory of 1512	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	91
PID 3240 wrote to memory of 1512	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	91
PID 3240 wrote to memory of 1520	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	92
PID 3240 wrote to memory of 1520	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	92
PID 3240 wrote to memory of 864	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	93
PID 3240 wrote to memory of 864	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	93
PID 3240 wrote to memory of 1928	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	94
PID 3240 wrote to memory of 1928	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	94
PID 3240 wrote to memory of 4148	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	95
PID 3240 wrote to memory of 4148	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	95
PID 3240 wrote to memory of 3592	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	96
PID 3240 wrote to memory of 3592	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	96
PID 3240 wrote to memory of 4400	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	97
PID 3240 wrote to memory of 4400	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	97
PID 3240 wrote to memory of 3004	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	98
PID 3240 wrote to memory of 3004	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	98
PID 3240 wrote to memory of 1816	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	99
PID 3240 wrote to memory of 1816	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	99
PID 3240 wrote to memory of 2132	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	100
PID 3240 wrote to memory of 2132	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	100
PID 3240 wrote to memory of 3484	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	101
PID 3240 wrote to memory of 3484	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	101
PID 3240 wrote to memory of 2088	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	102
PID 3240 wrote to memory of 2088	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	102
PID 3240 wrote to memory of 3620	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	103
PID 3240 wrote to memory of 3620	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	103
PID 3240 wrote to memory of 4056	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	104
PID 3240 wrote to memory of 4056	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	104
PID 3240 wrote to memory of 4892	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	105
PID 3240 wrote to memory of 4892	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	105
PID 3240 wrote to memory of 2024	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	106
PID 3240 wrote to memory of 2024	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	106
PID 3240 wrote to memory of 1436	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	107
PID 3240 wrote to memory of 1436	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	107
PID 3240 wrote to memory of 2964	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	108
PID 3240 wrote to memory of 2964	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	108
PID 3240 wrote to memory of 2996	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	109
PID 3240 wrote to memory of 2996	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	109
PID 3240 wrote to memory of 4836	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	110
PID 3240 wrote to memory of 4836	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	110
PID 3240 wrote to memory of 4868	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	111
PID 3240 wrote to memory of 4868	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	111
PID 3240 wrote to memory of 1460	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	112
PID 3240 wrote to memory of 1460	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	112
PID 3240 wrote to memory of 116	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	114
PID 3240 wrote to memory of 116	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	114
PID 3240 wrote to memory of 3980	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	115
PID 3240 wrote to memory of 3980	3240	636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe	115

C:\Users\Admin\AppData\Local\Temp\636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe
"C:\Users\Admin\AppData\Local\Temp\636aa1ecca2726996a25ae680a62125be2e5bd016ecc16e3012e679d8fde7fa9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\System\iYdOdQz.exe
  C:\Windows\System\iYdOdQz.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\lWkAHLM.exe
  C:\Windows\System\lWkAHLM.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\kdHrrQp.exe
  C:\Windows\System\kdHrrQp.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\LWiDapb.exe
  C:\Windows\System\LWiDapb.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\sigxYLl.exe
  C:\Windows\System\sigxYLl.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\sTzcdOE.exe
  C:\Windows\System\sTzcdOE.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\MRATgOG.exe
  C:\Windows\System\MRATgOG.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\RuoLtXb.exe
  C:\Windows\System\RuoLtXb.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\wbSEMZM.exe
  C:\Windows\System\wbSEMZM.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\OuMVrUs.exe
  C:\Windows\System\OuMVrUs.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\KBtYwtJ.exe
  C:\Windows\System\KBtYwtJ.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\sZGIayE.exe
  C:\Windows\System\sZGIayE.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\SrjOfrz.exe
  C:\Windows\System\SrjOfrz.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\RQHTSKf.exe
  C:\Windows\System\RQHTSKf.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\wyPxjKn.exe
  C:\Windows\System\wyPxjKn.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\rGYChCR.exe
  C:\Windows\System\rGYChCR.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\jKXMNqI.exe
  C:\Windows\System\jKXMNqI.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\qxyGCal.exe
  C:\Windows\System\qxyGCal.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\WAdLaGY.exe
  C:\Windows\System\WAdLaGY.exe
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\System\diLnxsr.exe
  C:\Windows\System\diLnxsr.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\OWvTlFZ.exe
  C:\Windows\System\OWvTlFZ.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\lrklHwC.exe
  C:\Windows\System\lrklHwC.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\RvYNJxe.exe
  C:\Windows\System\RvYNJxe.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\pGeoadj.exe
  C:\Windows\System\pGeoadj.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\rqqVdCk.exe
  C:\Windows\System\rqqVdCk.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\irCzoVf.exe
  C:\Windows\System\irCzoVf.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\WAcPjEe.exe
  C:\Windows\System\WAcPjEe.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\XhbOHsM.exe
  C:\Windows\System\XhbOHsM.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\iOnWMQJ.exe
  C:\Windows\System\iOnWMQJ.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\osjXiJO.exe
  C:\Windows\System\osjXiJO.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\RgBXYTL.exe
  C:\Windows\System\RgBXYTL.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\VCbSdta.exe
  C:\Windows\System\VCbSdta.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\tarDjMz.exe
  C:\Windows\System\tarDjMz.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\lafjuFo.exe
  C:\Windows\System\lafjuFo.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\VaFKhGN.exe
  C:\Windows\System\VaFKhGN.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\kTXHKBQ.exe
  C:\Windows\System\kTXHKBQ.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\FKZctCk.exe
  C:\Windows\System\FKZctCk.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\eEJGbdO.exe
  C:\Windows\System\eEJGbdO.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\wdxwBdg.exe
  C:\Windows\System\wdxwBdg.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\oFxlESb.exe
  C:\Windows\System\oFxlESb.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\kGvEKWX.exe
  C:\Windows\System\kGvEKWX.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\srWMbtM.exe
  C:\Windows\System\srWMbtM.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\uvTkuGn.exe
  C:\Windows\System\uvTkuGn.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\SjLcNfB.exe
  C:\Windows\System\SjLcNfB.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\VVObLiK.exe
  C:\Windows\System\VVObLiK.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\NZPVgMT.exe
  C:\Windows\System\NZPVgMT.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\MtgCPBW.exe
  C:\Windows\System\MtgCPBW.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\AciiJqn.exe
  C:\Windows\System\AciiJqn.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\sBMlLLi.exe
  C:\Windows\System\sBMlLLi.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\jRUnOBO.exe
  C:\Windows\System\jRUnOBO.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\wOaSyyO.exe
  C:\Windows\System\wOaSyyO.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\ZVEZeVn.exe
  C:\Windows\System\ZVEZeVn.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\yYFyKbV.exe
  C:\Windows\System\yYFyKbV.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\WpQPVMu.exe
  C:\Windows\System\WpQPVMu.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\ASTcDXa.exe
  C:\Windows\System\ASTcDXa.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\puxcyNw.exe
  C:\Windows\System\puxcyNw.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\weZlKZA.exe
  C:\Windows\System\weZlKZA.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\plVRvQk.exe
  C:\Windows\System\plVRvQk.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\MPGicXn.exe
  C:\Windows\System\MPGicXn.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\FcxUtHp.exe
  C:\Windows\System\FcxUtHp.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\NUYltgZ.exe
  C:\Windows\System\NUYltgZ.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\LXWfciF.exe
  C:\Windows\System\LXWfciF.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\wIRkIas.exe
  C:\Windows\System\wIRkIas.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\sWHlqTY.exe
  C:\Windows\System\sWHlqTY.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\FebyFGh.exe
  C:\Windows\System\FebyFGh.exe
  2⤵
  PID:1724
- C:\Windows\System\TzkoDZA.exe
  C:\Windows\System\TzkoDZA.exe
  2⤵
  PID:4368
- C:\Windows\System\fwXDybI.exe
  C:\Windows\System\fwXDybI.exe
  2⤵
  PID:4044
- C:\Windows\System\aVXNKzG.exe
  C:\Windows\System\aVXNKzG.exe
  2⤵
  PID:3216
- C:\Windows\System\Bzegrbi.exe
  C:\Windows\System\Bzegrbi.exe
  2⤵
  PID:4908
- C:\Windows\System\qvpBNiN.exe
  C:\Windows\System\qvpBNiN.exe
  2⤵
  PID:3776
- C:\Windows\System\tlGJaJF.exe
  C:\Windows\System\tlGJaJF.exe
  2⤵
  PID:1632
- C:\Windows\System\DFdhYuX.exe
  C:\Windows\System\DFdhYuX.exe
  2⤵
  PID:1860
- C:\Windows\System\opsayvU.exe
  C:\Windows\System\opsayvU.exe
  2⤵
  PID:2204
- C:\Windows\System\vAbFWHJ.exe
  C:\Windows\System\vAbFWHJ.exe
  2⤵
  PID:2552
- C:\Windows\System\jKoKtSu.exe
  C:\Windows\System\jKoKtSu.exe
  2⤵
  PID:1756
- C:\Windows\System\MOKNYlZ.exe
  C:\Windows\System\MOKNYlZ.exe
  2⤵
  PID:840
- C:\Windows\System\ktmKxUR.exe
  C:\Windows\System\ktmKxUR.exe
  2⤵
  PID:3836
- C:\Windows\System\kMbJsxG.exe
  C:\Windows\System\kMbJsxG.exe
  2⤵
  PID:832
- C:\Windows\System\scSnSAz.exe
  C:\Windows\System\scSnSAz.exe
  2⤵
  PID:1896
- C:\Windows\System\RtaMBJV.exe
  C:\Windows\System\RtaMBJV.exe
  2⤵
  PID:2148
- C:\Windows\System\RvheLsP.exe
  C:\Windows\System\RvheLsP.exe
  2⤵
  PID:4440
- C:\Windows\System\ldIMqJd.exe
  C:\Windows\System\ldIMqJd.exe
  2⤵
  PID:2032
- C:\Windows\System\ooRkDnu.exe
  C:\Windows\System\ooRkDnu.exe
  2⤵
  PID:1480
- C:\Windows\System\aDFaFDq.exe
  C:\Windows\System\aDFaFDq.exe
  2⤵
  PID:4664
- C:\Windows\System\HtScPoN.exe
  C:\Windows\System\HtScPoN.exe
  2⤵
  PID:440
- C:\Windows\System\fzZwKHd.exe
  C:\Windows\System\fzZwKHd.exe
  2⤵
  PID:4492
- C:\Windows\System\CnOuSYI.exe
  C:\Windows\System\CnOuSYI.exe
  2⤵
  PID:2272
- C:\Windows\System\pVhpYon.exe
  C:\Windows\System\pVhpYon.exe
  2⤵
  PID:1176
- C:\Windows\System\bcsOnZI.exe
  C:\Windows\System\bcsOnZI.exe
  2⤵
  PID:2028
- C:\Windows\System\wlYDIly.exe
  C:\Windows\System\wlYDIly.exe
  2⤵
  PID:2276
- C:\Windows\System\FltRFCs.exe
  C:\Windows\System\FltRFCs.exe
  2⤵
  PID:4812
- C:\Windows\System\bufHwss.exe
  C:\Windows\System\bufHwss.exe
  2⤵
  PID:1916
- C:\Windows\System\ZnMoetH.exe
  C:\Windows\System\ZnMoetH.exe
  2⤵
  PID:3736
- C:\Windows\System\PMXDXps.exe
  C:\Windows\System\PMXDXps.exe
  2⤵
  PID:1656
- C:\Windows\System\ddvLZMZ.exe
  C:\Windows\System\ddvLZMZ.exe
  2⤵
  PID:3144
- C:\Windows\System\EImlYDZ.exe
  C:\Windows\System\EImlYDZ.exe
  2⤵
  PID:3496
- C:\Windows\System\gEaFgPL.exe
  C:\Windows\System\gEaFgPL.exe
  2⤵
  PID:3700
- C:\Windows\System\EsdqTly.exe
  C:\Windows\System\EsdqTly.exe
  2⤵
  PID:2152
- C:\Windows\System\dVXOBjD.exe
  C:\Windows\System\dVXOBjD.exe
  2⤵
  PID:3668
- C:\Windows\System\baFwPzF.exe
  C:\Windows\System\baFwPzF.exe
  2⤵
  PID:384
- C:\Windows\System\gNPcQWq.exe
  C:\Windows\System\gNPcQWq.exe
  2⤵
  PID:4016
- C:\Windows\System\VRTthxB.exe
  C:\Windows\System\VRTthxB.exe
  2⤵
  PID:5132
- C:\Windows\System\LipOzTb.exe
  C:\Windows\System\LipOzTb.exe
  2⤵
  PID:5160
- C:\Windows\System\EJoOEaB.exe
  C:\Windows\System\EJoOEaB.exe
  2⤵
  PID:5196
- C:\Windows\System\aSTCMET.exe
  C:\Windows\System\aSTCMET.exe
  2⤵
  PID:5224
- C:\Windows\System\PXVNyYu.exe
  C:\Windows\System\PXVNyYu.exe
  2⤵
  PID:5256
- C:\Windows\System\ayhYPHs.exe
  C:\Windows\System\ayhYPHs.exe
  2⤵
  PID:5284
- C:\Windows\System\oiOHfFG.exe
  C:\Windows\System\oiOHfFG.exe
  2⤵
  PID:5312
- C:\Windows\System\MHLeSEu.exe
  C:\Windows\System\MHLeSEu.exe
  2⤵
  PID:5340
- C:\Windows\System\iGKHOyi.exe
  C:\Windows\System\iGKHOyi.exe
  2⤵
  PID:5368
- C:\Windows\System\YToTPDX.exe
  C:\Windows\System\YToTPDX.exe
  2⤵
  PID:5396
- C:\Windows\System\hqLAdgD.exe
  C:\Windows\System\hqLAdgD.exe
  2⤵
  PID:5424
- C:\Windows\System\yBKidVP.exe
  C:\Windows\System\yBKidVP.exe
  2⤵
  PID:5468
- C:\Windows\System\vKsNjVd.exe
  C:\Windows\System\vKsNjVd.exe
  2⤵
  PID:5496
- C:\Windows\System\jLvjNEb.exe
  C:\Windows\System\jLvjNEb.exe
  2⤵
  PID:5536
- C:\Windows\System\ChfCvhr.exe
  C:\Windows\System\ChfCvhr.exe
  2⤵
  PID:5576
- C:\Windows\System\aOAYhZO.exe
  C:\Windows\System\aOAYhZO.exe
  2⤵
  PID:5604
- C:\Windows\System\klKkVjS.exe
  C:\Windows\System\klKkVjS.exe
  2⤵
  PID:5632
- C:\Windows\System\zbUmvZD.exe
  C:\Windows\System\zbUmvZD.exe
  2⤵
  PID:5668
- C:\Windows\System\tCGrqly.exe
  C:\Windows\System\tCGrqly.exe
  2⤵
  PID:5700
- C:\Windows\System\vyxLOan.exe
  C:\Windows\System\vyxLOan.exe
  2⤵
  PID:5728
- C:\Windows\System\PWXCUsD.exe
  C:\Windows\System\PWXCUsD.exe
  2⤵
  PID:5756
- C:\Windows\System\XHXxbhq.exe
  C:\Windows\System\XHXxbhq.exe
  2⤵
  PID:5796
- C:\Windows\System\vXEVMBF.exe
  C:\Windows\System\vXEVMBF.exe
  2⤵
  PID:5816
- C:\Windows\System\xWDTtTG.exe
  C:\Windows\System\xWDTtTG.exe
  2⤵
  PID:5840
- C:\Windows\System\YZtUcsa.exe
  C:\Windows\System\YZtUcsa.exe
  2⤵
  PID:5868
- C:\Windows\System\XAEiuIT.exe
  C:\Windows\System\XAEiuIT.exe
  2⤵
  PID:5896
- C:\Windows\System\mvQZklU.exe
  C:\Windows\System\mvQZklU.exe
  2⤵
  PID:5928
- C:\Windows\System\oPminKS.exe
  C:\Windows\System\oPminKS.exe
  2⤵
  PID:5952
- C:\Windows\System\GygPjEg.exe
  C:\Windows\System\GygPjEg.exe
  2⤵
  PID:5980
- C:\Windows\System\jQLnsxl.exe
  C:\Windows\System\jQLnsxl.exe
  2⤵
  PID:6008
- C:\Windows\System\WAhsYCo.exe
  C:\Windows\System\WAhsYCo.exe
  2⤵
  PID:6036
- C:\Windows\System\jdYZDfA.exe
  C:\Windows\System\jdYZDfA.exe
  2⤵
  PID:6064
- C:\Windows\System\OUfagXF.exe
  C:\Windows\System\OUfagXF.exe
  2⤵
  PID:6092
- C:\Windows\System\aEVkrek.exe
  C:\Windows\System\aEVkrek.exe
  2⤵
  PID:6120
- C:\Windows\System\bOlqygw.exe
  C:\Windows\System\bOlqygw.exe
  2⤵
  PID:5124
- C:\Windows\System\MvudTcQ.exe
  C:\Windows\System\MvudTcQ.exe
  2⤵
  PID:5212
- C:\Windows\System\JTpYOGs.exe
  C:\Windows\System\JTpYOGs.exe
  2⤵
  PID:5276
- C:\Windows\System\hwCfjfo.exe
  C:\Windows\System\hwCfjfo.exe
  2⤵
  PID:5352
- C:\Windows\System\drrEAau.exe
  C:\Windows\System\drrEAau.exe
  2⤵
  PID:5436
- C:\Windows\System\YINsLQb.exe
  C:\Windows\System\YINsLQb.exe
  2⤵
  PID:5508
- C:\Windows\System\vQcjhSg.exe
  C:\Windows\System\vQcjhSg.exe
  2⤵
  PID:5592
- C:\Windows\System\IROZDPy.exe
  C:\Windows\System\IROZDPy.exe
  2⤵
  PID:5660
- C:\Windows\System\xaWgxAR.exe
  C:\Windows\System\xaWgxAR.exe
  2⤵
  PID:5744
- C:\Windows\System\LQPROzq.exe
  C:\Windows\System\LQPROzq.exe
  2⤵
  PID:5780
- C:\Windows\System\fPGZmzC.exe
  C:\Windows\System\fPGZmzC.exe
  2⤵
  PID:5864
- C:\Windows\System\tWpULzZ.exe
  C:\Windows\System\tWpULzZ.exe
  2⤵
  PID:5920
- C:\Windows\System\GjUBnnE.exe
  C:\Windows\System\GjUBnnE.exe
  2⤵
  PID:5992
- C:\Windows\System\HOkPSPa.exe
  C:\Windows\System\HOkPSPa.exe
  2⤵
  PID:6056
- C:\Windows\System\pCrvqIr.exe
  C:\Windows\System\pCrvqIr.exe
  2⤵
  PID:6116
- C:\Windows\System\bexIptx.exe
  C:\Windows\System\bexIptx.exe
  2⤵
  PID:5380
- C:\Windows\System\GVLwDaZ.exe
  C:\Windows\System\GVLwDaZ.exe
  2⤵
  PID:5564
- C:\Windows\System\bOvPCtC.exe
  C:\Windows\System\bOvPCtC.exe
  2⤵
  PID:5792
- C:\Windows\System\hQlpxJO.exe
  C:\Windows\System\hQlpxJO.exe
  2⤵
  PID:5944
- C:\Windows\System\esiNwzc.exe
  C:\Windows\System\esiNwzc.exe
  2⤵
  PID:6108
- C:\Windows\System\XDMFeSj.exe
  C:\Windows\System\XDMFeSj.exe
  2⤵
  PID:5492
- C:\Windows\System\nSthQVG.exe
  C:\Windows\System\nSthQVG.exe
  2⤵
  PID:5252
- C:\Windows\System\KbEhtWh.exe
  C:\Windows\System\KbEhtWh.exe
  2⤵
  PID:5916
- C:\Windows\System\QNLDbnx.exe
  C:\Windows\System\QNLDbnx.exe
  2⤵
  PID:5240
- C:\Windows\System\IXrePoF.exe
  C:\Windows\System\IXrePoF.exe
  2⤵
  PID:6152
- C:\Windows\System\jZlADrB.exe
  C:\Windows\System\jZlADrB.exe
  2⤵
  PID:6172
- C:\Windows\System\NHnQhRZ.exe
  C:\Windows\System\NHnQhRZ.exe
  2⤵
  PID:6196
- C:\Windows\System\bWUdOnW.exe
  C:\Windows\System\bWUdOnW.exe
  2⤵
  PID:6220
- C:\Windows\System\qJkdSvp.exe
  C:\Windows\System\qJkdSvp.exe
  2⤵
  PID:6240
- C:\Windows\System\yWEPwds.exe
  C:\Windows\System\yWEPwds.exe
  2⤵
  PID:6272
- C:\Windows\System\AdCVsHa.exe
  C:\Windows\System\AdCVsHa.exe
  2⤵
  PID:6296
- C:\Windows\System\KfKZHvE.exe
  C:\Windows\System\KfKZHvE.exe
  2⤵
  PID:6336
- C:\Windows\System\pbixVCN.exe
  C:\Windows\System\pbixVCN.exe
  2⤵
  PID:6360
- C:\Windows\System\pqgRYrj.exe
  C:\Windows\System\pqgRYrj.exe
  2⤵
  PID:6380
- C:\Windows\System\ghrJqrq.exe
  C:\Windows\System\ghrJqrq.exe
  2⤵
  PID:6404
- C:\Windows\System\wfiapkn.exe
  C:\Windows\System\wfiapkn.exe
  2⤵
  PID:6424
- C:\Windows\System\OwBdGBW.exe
  C:\Windows\System\OwBdGBW.exe
  2⤵
  PID:6448
- C:\Windows\System\oHMnKzg.exe
  C:\Windows\System\oHMnKzg.exe
  2⤵
  PID:6472
- C:\Windows\System\HgBOlZv.exe
  C:\Windows\System\HgBOlZv.exe
  2⤵
  PID:6496
- C:\Windows\System\AgEDtHj.exe
  C:\Windows\System\AgEDtHj.exe
  2⤵
  PID:6520
- C:\Windows\System\wSveAvI.exe
  C:\Windows\System\wSveAvI.exe
  2⤵
  PID:6540
- C:\Windows\System\QyxnqBI.exe
  C:\Windows\System\QyxnqBI.exe
  2⤵
  PID:6564
- C:\Windows\System\RtnmdNQ.exe
  C:\Windows\System\RtnmdNQ.exe
  2⤵
  PID:6596
- C:\Windows\System\hmBafjg.exe
  C:\Windows\System\hmBafjg.exe
  2⤵
  PID:6620
- C:\Windows\System\eNyzBCD.exe
  C:\Windows\System\eNyzBCD.exe
  2⤵
  PID:6652
- C:\Windows\System\sSytzIA.exe
  C:\Windows\System\sSytzIA.exe
  2⤵
  PID:6684
- C:\Windows\System\WwIyGFe.exe
  C:\Windows\System\WwIyGFe.exe
  2⤵
  PID:6736
- C:\Windows\System\aQVQdtM.exe
  C:\Windows\System\aQVQdtM.exe
  2⤵
  PID:6772
- C:\Windows\System\kTiOXJu.exe
  C:\Windows\System\kTiOXJu.exe
  2⤵
  PID:6804
- C:\Windows\System\tyzJJSZ.exe
  C:\Windows\System\tyzJJSZ.exe
  2⤵
  PID:6832
- C:\Windows\System\TYjecIv.exe
  C:\Windows\System\TYjecIv.exe
  2⤵
  PID:6868
- C:\Windows\System\Tkrjeii.exe
  C:\Windows\System\Tkrjeii.exe
  2⤵
  PID:6900
- C:\Windows\System\GlcPGmo.exe
  C:\Windows\System\GlcPGmo.exe
  2⤵
  PID:6932
- C:\Windows\System\LeNbplb.exe
  C:\Windows\System\LeNbplb.exe
  2⤵
  PID:6968
- C:\Windows\System\dOFOqYf.exe
  C:\Windows\System\dOFOqYf.exe
  2⤵
  PID:7004
- C:\Windows\System\XooZJwp.exe
  C:\Windows\System\XooZJwp.exe
  2⤵
  PID:7036
- C:\Windows\System\SxdUDac.exe
  C:\Windows\System\SxdUDac.exe
  2⤵
  PID:7056
- C:\Windows\System\vtnYora.exe
  C:\Windows\System\vtnYora.exe
  2⤵
  PID:7076
- C:\Windows\System\gKeMvae.exe
  C:\Windows\System\gKeMvae.exe
  2⤵
  PID:7108
- C:\Windows\System\WiOdrkP.exe
  C:\Windows\System\WiOdrkP.exe
  2⤵
  PID:7144
- C:\Windows\System\lbMskyq.exe
  C:\Windows\System\lbMskyq.exe
  2⤵
  PID:5304
- C:\Windows\System\oFMNzGT.exe
  C:\Windows\System\oFMNzGT.exe
  2⤵
  PID:6184
- C:\Windows\System\pAzItlV.exe
  C:\Windows\System\pAzItlV.exe
  2⤵
  PID:6216
- C:\Windows\System\bXUbKEJ.exe
  C:\Windows\System\bXUbKEJ.exe
  2⤵
  PID:6328
- C:\Windows\System\NpVlBiP.exe
  C:\Windows\System\NpVlBiP.exe
  2⤵
  PID:6356
- C:\Windows\System\oQGUidn.exe
  C:\Windows\System\oQGUidn.exe
  2⤵
  PID:6536
- C:\Windows\System\dTPlVtM.exe
  C:\Windows\System\dTPlVtM.exe
  2⤵
  PID:6592
- C:\Windows\System\SMzmxzs.exe
  C:\Windows\System\SMzmxzs.exe
  2⤵
  PID:6484
- C:\Windows\System\RHlXfFh.exe
  C:\Windows\System\RHlXfFh.exe
  2⤵
  PID:6660
- C:\Windows\System\qVjJtcj.exe
  C:\Windows\System\qVjJtcj.exe
  2⤵
  PID:6728
- C:\Windows\System\DHaaLoR.exe
  C:\Windows\System\DHaaLoR.exe
  2⤵
  PID:6820
- C:\Windows\System\VmroykQ.exe
  C:\Windows\System\VmroykQ.exe
  2⤵
  PID:6800
- C:\Windows\System\MlKuohr.exe
  C:\Windows\System\MlKuohr.exe
  2⤵
  PID:6856
- C:\Windows\System\Rwntsgo.exe
  C:\Windows\System\Rwntsgo.exe
  2⤵
  PID:6988
- C:\Windows\System\mbWpGpA.exe
  C:\Windows\System\mbWpGpA.exe
  2⤵
  PID:7052
- C:\Windows\System\ntHPQXh.exe
  C:\Windows\System\ntHPQXh.exe
  2⤵
  PID:7116
- C:\Windows\System\LCBlCpJ.exe
  C:\Windows\System\LCBlCpJ.exe
  2⤵
  PID:6164
- C:\Windows\System\cIKFFpR.exe
  C:\Windows\System\cIKFFpR.exe
  2⤵
  PID:6292
- C:\Windows\System\rpqMEOc.exe
  C:\Windows\System\rpqMEOc.exe
  2⤵
  PID:6392
- C:\Windows\System\kdRKmAh.exe
  C:\Windows\System\kdRKmAh.exe
  2⤵
  PID:6612
- C:\Windows\System\OfVJhDn.exe
  C:\Windows\System\OfVJhDn.exe
  2⤵
  PID:6748
- C:\Windows\System\gHfyDwc.exe
  C:\Windows\System\gHfyDwc.exe
  2⤵
  PID:6916
- C:\Windows\System\stFaucL.exe
  C:\Windows\System\stFaucL.exe
  2⤵
  PID:7000
- C:\Windows\System\NwOMnNU.exe
  C:\Windows\System\NwOMnNU.exe
  2⤵
  PID:6288
- C:\Windows\System\nLnPrJS.exe
  C:\Windows\System\nLnPrJS.exe
  2⤵
  PID:6464
- C:\Windows\System\SGkMKSa.exe
  C:\Windows\System\SGkMKSa.exe
  2⤵
  PID:7028
- C:\Windows\System\GKLvWAk.exe
  C:\Windows\System\GKLvWAk.exe
  2⤵
  PID:6964
- C:\Windows\System\UpDkUzp.exe
  C:\Windows\System\UpDkUzp.exe
  2⤵
  PID:6268
- C:\Windows\System\XAzHiNq.exe
  C:\Windows\System\XAzHiNq.exe
  2⤵
  PID:7188
- C:\Windows\System\CKKIZmX.exe
  C:\Windows\System\CKKIZmX.exe
  2⤵
  PID:7224
- C:\Windows\System\IobprpO.exe
  C:\Windows\System\IobprpO.exe
  2⤵
  PID:7252
- C:\Windows\System\ulQiXTr.exe
  C:\Windows\System\ulQiXTr.exe
  2⤵
  PID:7268
- C:\Windows\System\GnvTHQw.exe
  C:\Windows\System\GnvTHQw.exe
  2⤵
  PID:7292
- C:\Windows\System\ClNQgwo.exe
  C:\Windows\System\ClNQgwo.exe
  2⤵
  PID:7312
- C:\Windows\System\zsONOGX.exe
  C:\Windows\System\zsONOGX.exe
  2⤵
  PID:7340
- C:\Windows\System\GIMZUoh.exe
  C:\Windows\System\GIMZUoh.exe
  2⤵
  PID:7376
- C:\Windows\System\MvbwiyS.exe
  C:\Windows\System\MvbwiyS.exe
  2⤵
  PID:7408
- C:\Windows\System\banhObp.exe
  C:\Windows\System\banhObp.exe
  2⤵
  PID:7424
- C:\Windows\System\HxAoxmm.exe
  C:\Windows\System\HxAoxmm.exe
  2⤵
  PID:7468
- C:\Windows\System\oyTvXcP.exe
  C:\Windows\System\oyTvXcP.exe
  2⤵
  PID:7492
- C:\Windows\System\RTWpnmJ.exe
  C:\Windows\System\RTWpnmJ.exe
  2⤵
  PID:7532
- C:\Windows\System\HZLnDVG.exe
  C:\Windows\System\HZLnDVG.exe
  2⤵
  PID:7572
- C:\Windows\System\RJaJPaA.exe
  C:\Windows\System\RJaJPaA.exe
  2⤵
  PID:7588
- C:\Windows\System\RBSBZhH.exe
  C:\Windows\System\RBSBZhH.exe
  2⤵
  PID:7616
- C:\Windows\System\xzudksK.exe
  C:\Windows\System\xzudksK.exe
  2⤵
  PID:7644
- C:\Windows\System\aaRVBPT.exe
  C:\Windows\System\aaRVBPT.exe
  2⤵
  PID:7672
- C:\Windows\System\FNdtHBJ.exe
  C:\Windows\System\FNdtHBJ.exe
  2⤵
  PID:7700
- C:\Windows\System\AyBYOxz.exe
  C:\Windows\System\AyBYOxz.exe
  2⤵
  PID:7736
- C:\Windows\System\TcgRqJC.exe
  C:\Windows\System\TcgRqJC.exe
  2⤵
  PID:7756
- C:\Windows\System\BTfIWBP.exe
  C:\Windows\System\BTfIWBP.exe
  2⤵
  PID:7784
- C:\Windows\System\YmItarZ.exe
  C:\Windows\System\YmItarZ.exe
  2⤵
  PID:7812
- C:\Windows\System\RRcflfA.exe
  C:\Windows\System\RRcflfA.exe
  2⤵
  PID:7832
- C:\Windows\System\xWErDUk.exe
  C:\Windows\System\xWErDUk.exe
  2⤵
  PID:7868
- C:\Windows\System\jFVfpXb.exe
  C:\Windows\System\jFVfpXb.exe
  2⤵
  PID:7896
- C:\Windows\System\AUTUBTZ.exe
  C:\Windows\System\AUTUBTZ.exe
  2⤵
  PID:7932
- C:\Windows\System\RjqQhLf.exe
  C:\Windows\System\RjqQhLf.exe
  2⤵
  PID:7956
- C:\Windows\System\godFObt.exe
  C:\Windows\System\godFObt.exe
  2⤵
  PID:7972
- C:\Windows\System\EXOuNbq.exe
  C:\Windows\System\EXOuNbq.exe
  2⤵
  PID:8000
- C:\Windows\System\TjyYGWm.exe
  C:\Windows\System\TjyYGWm.exe
  2⤵
  PID:8044
- C:\Windows\System\WolxjxC.exe
  C:\Windows\System\WolxjxC.exe
  2⤵
  PID:8076
- C:\Windows\System\gNdGyuC.exe
  C:\Windows\System\gNdGyuC.exe
  2⤵
  PID:8104
- C:\Windows\System\OKEWOeB.exe
  C:\Windows\System\OKEWOeB.exe
  2⤵
  PID:8128
- C:\Windows\System\EYAAHnx.exe
  C:\Windows\System\EYAAHnx.exe
  2⤵
  PID:8156
- C:\Windows\System\fSQRiuO.exe
  C:\Windows\System\fSQRiuO.exe
  2⤵
  PID:8184
- C:\Windows\System\lGxsLti.exe
  C:\Windows\System\lGxsLti.exe
  2⤵
  PID:7180
- C:\Windows\System\fCsYDQj.exe
  C:\Windows\System\fCsYDQj.exe
  2⤵
  PID:7236
- C:\Windows\System\wTQLAWD.exe
  C:\Windows\System\wTQLAWD.exe
  2⤵
  PID:7308
- C:\Windows\System\didDPIt.exe
  C:\Windows\System\didDPIt.exe
  2⤵
  PID:7364
- C:\Windows\System\qRbOMHC.exe
  C:\Windows\System\qRbOMHC.exe
  2⤵
  PID:7456
- C:\Windows\System\hCzoTZZ.exe
  C:\Windows\System\hCzoTZZ.exe
  2⤵
  PID:7480
- C:\Windows\System\PaThFjM.exe
  C:\Windows\System\PaThFjM.exe
  2⤵
  PID:7544
- C:\Windows\System\pmzkMbw.exe
  C:\Windows\System\pmzkMbw.exe
  2⤵
  PID:7608
- C:\Windows\System\tfAjXxA.exe
  C:\Windows\System\tfAjXxA.exe
  2⤵
  PID:7664
- C:\Windows\System\eDEwLgM.exe
  C:\Windows\System\eDEwLgM.exe
  2⤵
  PID:7728
- C:\Windows\System\eBBiUoV.exe
  C:\Windows\System\eBBiUoV.exe
  2⤵
  PID:7824
- C:\Windows\System\hjpATSx.exe
  C:\Windows\System\hjpATSx.exe
  2⤵
  PID:7884
- C:\Windows\System\UhRzYXy.exe
  C:\Windows\System\UhRzYXy.exe
  2⤵
  PID:7948
- C:\Windows\System\LEsBMyV.exe
  C:\Windows\System\LEsBMyV.exe
  2⤵
  PID:8040
- C:\Windows\System\nEqgOar.exe
  C:\Windows\System\nEqgOar.exe
  2⤵
  PID:8084
- C:\Windows\System\syJwxXK.exe
  C:\Windows\System\syJwxXK.exe
  2⤵
  PID:8136
- C:\Windows\System\XOjBsJR.exe
  C:\Windows\System\XOjBsJR.exe
  2⤵
  PID:7212
- C:\Windows\System\LciSoKt.exe
  C:\Windows\System\LciSoKt.exe
  2⤵
  PID:7220
- C:\Windows\System\tDaZpKl.exe
  C:\Windows\System\tDaZpKl.exe
  2⤵
  PID:7504
- C:\Windows\System\NjuNyBk.exe
  C:\Windows\System\NjuNyBk.exe
  2⤵
  PID:7660
- C:\Windows\System\knlSIdH.exe
  C:\Windows\System\knlSIdH.exe
  2⤵
  PID:7768
- C:\Windows\System\IMcJLQp.exe
  C:\Windows\System\IMcJLQp.exe
  2⤵
  PID:7996
- C:\Windows\System\ZUhiWbt.exe
  C:\Windows\System\ZUhiWbt.exe
  2⤵
  PID:8140
- C:\Windows\System\rWtmbKy.exe
  C:\Windows\System\rWtmbKy.exe
  2⤵
  PID:6840
- C:\Windows\System\EXqCuNf.exe
  C:\Windows\System\EXqCuNf.exe
  2⤵
  PID:7744
- C:\Windows\System\EQPvIZv.exe
  C:\Windows\System\EQPvIZv.exe
  2⤵
  PID:8008
- C:\Windows\System\lleGaQX.exe
  C:\Windows\System\lleGaQX.exe
  2⤵
  PID:7800
- C:\Windows\System\HRxmbZs.exe
  C:\Windows\System\HRxmbZs.exe
  2⤵
  PID:7912
- C:\Windows\System\kbHeVCY.exe
  C:\Windows\System\kbHeVCY.exe
  2⤵
  PID:8208
- C:\Windows\System\RPIpkSY.exe
  C:\Windows\System\RPIpkSY.exe
  2⤵
  PID:8236
- C:\Windows\System\IDWkdUP.exe
  C:\Windows\System\IDWkdUP.exe
  2⤵
  PID:8260
- C:\Windows\System\pJgakrc.exe
  C:\Windows\System\pJgakrc.exe
  2⤵
  PID:8284
- C:\Windows\System\mCoGTIm.exe
  C:\Windows\System\mCoGTIm.exe
  2⤵
  PID:8304
- C:\Windows\System\AtUlgPV.exe
  C:\Windows\System\AtUlgPV.exe
  2⤵
  PID:8336
- C:\Windows\System\PsESfnI.exe
  C:\Windows\System\PsESfnI.exe
  2⤵
  PID:8368
- C:\Windows\System\FNQFUXN.exe
  C:\Windows\System\FNQFUXN.exe
  2⤵
  PID:8396
- C:\Windows\System\uwfQWVw.exe
  C:\Windows\System\uwfQWVw.exe
  2⤵
  PID:8416
- C:\Windows\System\aNehyOb.exe
  C:\Windows\System\aNehyOb.exe
  2⤵
  PID:8444
- C:\Windows\System\BWoxhIX.exe
  C:\Windows\System\BWoxhIX.exe
  2⤵
  PID:8476
- C:\Windows\System\qOTWqMb.exe
  C:\Windows\System\qOTWqMb.exe
  2⤵
  PID:8504
- C:\Windows\System\ftURDRf.exe
  C:\Windows\System\ftURDRf.exe
  2⤵
  PID:8536
- C:\Windows\System\EkWGLfN.exe
  C:\Windows\System\EkWGLfN.exe
  2⤵
  PID:8564
- C:\Windows\System\bRQtaxo.exe
  C:\Windows\System\bRQtaxo.exe
  2⤵
  PID:8596
- C:\Windows\System\GZhHcop.exe
  C:\Windows\System\GZhHcop.exe
  2⤵
  PID:8620
- C:\Windows\System\xKNggud.exe
  C:\Windows\System\xKNggud.exe
  2⤵
  PID:8652
- C:\Windows\System\EKbwmyq.exe
  C:\Windows\System\EKbwmyq.exe
  2⤵
  PID:8684
- C:\Windows\System\YXinFEz.exe
  C:\Windows\System\YXinFEz.exe
  2⤵
  PID:8708
- C:\Windows\System\aPUgVaj.exe
  C:\Windows\System\aPUgVaj.exe
  2⤵
  PID:8732
- C:\Windows\System\cvmURen.exe
  C:\Windows\System\cvmURen.exe
  2⤵
  PID:8764
- C:\Windows\System\zRfWpzP.exe
  C:\Windows\System\zRfWpzP.exe
  2⤵
  PID:8792
- C:\Windows\System\vZkUrsX.exe
  C:\Windows\System\vZkUrsX.exe
  2⤵
  PID:8824
- C:\Windows\System\lhXGEaq.exe
  C:\Windows\System\lhXGEaq.exe
  2⤵
  PID:8856
- C:\Windows\System\ACGSYQe.exe
  C:\Windows\System\ACGSYQe.exe
  2⤵
  PID:8892
- C:\Windows\System\WYJLYqr.exe
  C:\Windows\System\WYJLYqr.exe
  2⤵
  PID:8920
- C:\Windows\System\siOhmek.exe
  C:\Windows\System\siOhmek.exe
  2⤵
  PID:8952
- C:\Windows\System\uQxzgUt.exe
  C:\Windows\System\uQxzgUt.exe
  2⤵
  PID:8984
- C:\Windows\System\PtvdwPm.exe
  C:\Windows\System\PtvdwPm.exe
  2⤵
  PID:9008
- C:\Windows\System\SJXjtZp.exe
  C:\Windows\System\SJXjtZp.exe
  2⤵
  PID:9040
- C:\Windows\System\tnQcEZZ.exe
  C:\Windows\System\tnQcEZZ.exe
  2⤵
  PID:9068
- C:\Windows\System\mobJDbj.exe
  C:\Windows\System\mobJDbj.exe
  2⤵
  PID:9100
- C:\Windows\System\QagexjA.exe
  C:\Windows\System\QagexjA.exe
  2⤵
  PID:9132
- C:\Windows\System\yOXUTbk.exe
  C:\Windows\System\yOXUTbk.exe
  2⤵
  PID:9160
- C:\Windows\System\uohOnwh.exe
  C:\Windows\System\uohOnwh.exe
  2⤵
  PID:9180
- C:\Windows\System\Orpwxnm.exe
  C:\Windows\System\Orpwxnm.exe
  2⤵
  PID:9208
- C:\Windows\System\JQexDZa.exe
  C:\Windows\System\JQexDZa.exe
  2⤵
  PID:8228
- C:\Windows\System\gJrmHLV.exe
  C:\Windows\System\gJrmHLV.exe
  2⤵
  PID:8300
- C:\Windows\System\wOmrBoJ.exe
  C:\Windows\System\wOmrBoJ.exe
  2⤵
  PID:8380
- C:\Windows\System\mcLQSOJ.exe
  C:\Windows\System\mcLQSOJ.exe
  2⤵
  PID:8332
- C:\Windows\System\UvpyKkL.exe
  C:\Windows\System\UvpyKkL.exe
  2⤵
  PID:8408
- C:\Windows\System\VOhoOyy.exe
  C:\Windows\System\VOhoOyy.exe
  2⤵
  PID:8528
- C:\Windows\System\MyTIdxm.exe
  C:\Windows\System\MyTIdxm.exe
  2⤵
  PID:8592
- C:\Windows\System\qNeNuPZ.exe
  C:\Windows\System\qNeNuPZ.exe
  2⤵
  PID:8576
- C:\Windows\System\GzcTenu.exe
  C:\Windows\System\GzcTenu.exe
  2⤵
  PID:8696
- C:\Windows\System\oYgGWoO.exe
  C:\Windows\System\oYgGWoO.exe
  2⤵
  PID:8760
- C:\Windows\System\agaeWVs.exe
  C:\Windows\System\agaeWVs.exe
  2⤵
  PID:8868
- C:\Windows\System\CDVJLWd.exe
  C:\Windows\System\CDVJLWd.exe
  2⤵
  PID:8852
- C:\Windows\System\rnfLcIV.exe
  C:\Windows\System\rnfLcIV.exe
  2⤵
  PID:8944
- C:\Windows\System\VLuGjKS.exe
  C:\Windows\System\VLuGjKS.exe
  2⤵
  PID:8996
- C:\Windows\System\vvhVqzP.exe
  C:\Windows\System\vvhVqzP.exe
  2⤵
  PID:9056
- C:\Windows\System\yRCQKeI.exe
  C:\Windows\System\yRCQKeI.exe
  2⤵
  PID:9112
- C:\Windows\System\YZNOQbg.exe
  C:\Windows\System\YZNOQbg.exe
  2⤵
  PID:9144
- C:\Windows\System\JmaNPXl.exe
  C:\Windows\System\JmaNPXl.exe
  2⤵
  PID:8256
- C:\Windows\System\ESfuwDo.exe
  C:\Windows\System\ESfuwDo.exe
  2⤵
  PID:8472
- C:\Windows\System\fhMRXfe.exe
  C:\Windows\System\fhMRXfe.exe
  2⤵
  PID:8660
- C:\Windows\System\kwhkjlM.exe
  C:\Windows\System\kwhkjlM.exe
  2⤵
  PID:8940
- C:\Windows\System\xBnAMRp.exe
  C:\Windows\System\xBnAMRp.exe
  2⤵
  PID:8908
- C:\Windows\System\cxTUzmk.exe
  C:\Windows\System\cxTUzmk.exe
  2⤵
  PID:9152
- C:\Windows\System\fufKOOg.exe
  C:\Windows\System\fufKOOg.exe
  2⤵
  PID:8520
- C:\Windows\System\ZXHxXEE.exe
  C:\Windows\System\ZXHxXEE.exe
  2⤵
  PID:8460
- C:\Windows\System\zndfbJd.exe
  C:\Windows\System\zndfbJd.exe
  2⤵
  PID:8280
- C:\Windows\System\VTPdfOu.exe
  C:\Windows\System\VTPdfOu.exe
  2⤵
  PID:8556
- C:\Windows\System\zYndYYm.exe
  C:\Windows\System\zYndYYm.exe
  2⤵
  PID:9232
- C:\Windows\System\bPyTsqL.exe
  C:\Windows\System\bPyTsqL.exe
  2⤵
  PID:9256
- C:\Windows\System\cIQtuXw.exe
  C:\Windows\System\cIQtuXw.exe
  2⤵
  PID:9300
- C:\Windows\System\sDpSXry.exe
  C:\Windows\System\sDpSXry.exe
  2⤵
  PID:9328
- C:\Windows\System\ljfclyz.exe
  C:\Windows\System\ljfclyz.exe
  2⤵
  PID:9356
- C:\Windows\System\CHqBgkP.exe
  C:\Windows\System\CHqBgkP.exe
  2⤵
  PID:9388
- C:\Windows\System\gjXfAlD.exe
  C:\Windows\System\gjXfAlD.exe
  2⤵
  PID:9412
- C:\Windows\System\OHWEJCv.exe
  C:\Windows\System\OHWEJCv.exe
  2⤵
  PID:9428
- C:\Windows\System\AhEOyDk.exe
  C:\Windows\System\AhEOyDk.exe
  2⤵
  PID:9452
- C:\Windows\System\tqCEvYr.exe
  C:\Windows\System\tqCEvYr.exe
  2⤵
  PID:9492
- C:\Windows\System\UrDqYaH.exe
  C:\Windows\System\UrDqYaH.exe
  2⤵
  PID:9516
- C:\Windows\System\IZDhlla.exe
  C:\Windows\System\IZDhlla.exe
  2⤵
  PID:9544
- C:\Windows\System\mkRskUN.exe
  C:\Windows\System\mkRskUN.exe
  2⤵
  PID:9568
- C:\Windows\System\uubBgGY.exe
  C:\Windows\System\uubBgGY.exe
  2⤵
  PID:9600
- C:\Windows\System\cZfIbcS.exe
  C:\Windows\System\cZfIbcS.exe
  2⤵
  PID:9636
- C:\Windows\System\MZvWIRr.exe
  C:\Windows\System\MZvWIRr.exe
  2⤵
  PID:9680
- C:\Windows\System\WqJFEhP.exe
  C:\Windows\System\WqJFEhP.exe
  2⤵
  PID:9704
- C:\Windows\System\yPqtFHe.exe
  C:\Windows\System\yPqtFHe.exe
  2⤵
  PID:9732
- C:\Windows\System\bhRftDQ.exe
  C:\Windows\System\bhRftDQ.exe
  2⤵
  PID:9768
- C:\Windows\System\QLyLQXN.exe
  C:\Windows\System\QLyLQXN.exe
  2⤵
  PID:9796
- C:\Windows\System\xfrPAXs.exe
  C:\Windows\System\xfrPAXs.exe
  2⤵
  PID:9828
- C:\Windows\System\JWNwWkc.exe
  C:\Windows\System\JWNwWkc.exe
  2⤵
  PID:9856
- C:\Windows\System\gCXmMIk.exe
  C:\Windows\System\gCXmMIk.exe
  2⤵
  PID:9880
- C:\Windows\System\hGSQzmk.exe
  C:\Windows\System\hGSQzmk.exe
  2⤵
  PID:9912
- C:\Windows\System\ItkiMXQ.exe
  C:\Windows\System\ItkiMXQ.exe
  2⤵
  PID:9940
- C:\Windows\System\ptIwtWN.exe
  C:\Windows\System\ptIwtWN.exe
  2⤵
  PID:9972
- C:\Windows\System\EDiWxqO.exe
  C:\Windows\System\EDiWxqO.exe
  2⤵
  PID:9992
- C:\Windows\System\yhwoDgb.exe
  C:\Windows\System\yhwoDgb.exe
  2⤵
  PID:10008
- C:\Windows\System\xOaRwkk.exe
  C:\Windows\System\xOaRwkk.exe
  2⤵
  PID:10032
- C:\Windows\System\tfCYUEz.exe
  C:\Windows\System\tfCYUEz.exe
  2⤵
  PID:10064
- C:\Windows\System\fCyLWKW.exe
  C:\Windows\System\fCyLWKW.exe
  2⤵
  PID:10100
- C:\Windows\System\bgnTddq.exe
  C:\Windows\System\bgnTddq.exe
  2⤵
  PID:10124
- C:\Windows\System\KvOGBkK.exe
  C:\Windows\System\KvOGBkK.exe
  2⤵
  PID:10148
- C:\Windows\System\mBjFYnU.exe
  C:\Windows\System\mBjFYnU.exe
  2⤵
  PID:10180
- C:\Windows\System\xrncuNW.exe
  C:\Windows\System\xrncuNW.exe
  2⤵
  PID:10216
- C:\Windows\System\mVxPvBy.exe
  C:\Windows\System\mVxPvBy.exe
  2⤵
  PID:9192
- C:\Windows\System\QStuMQj.exe
  C:\Windows\System\QStuMQj.exe
  2⤵
  PID:9252
- C:\Windows\System\ptdTOiR.exe
  C:\Windows\System\ptdTOiR.exe
  2⤵
  PID:9340
- C:\Windows\System\QmFCDNI.exe
  C:\Windows\System\QmFCDNI.exe
  2⤵
  PID:9396
- C:\Windows\System\DJVDtLW.exe
  C:\Windows\System\DJVDtLW.exe
  2⤵
  PID:9448
- C:\Windows\System\YyepHVI.exe
  C:\Windows\System\YyepHVI.exe
  2⤵
  PID:9512
- C:\Windows\System\NyGpNNI.exe
  C:\Windows\System\NyGpNNI.exe
  2⤵
  PID:9552
- C:\Windows\System\ubUxLNi.exe
  C:\Windows\System\ubUxLNi.exe
  2⤵
  PID:9652
- C:\Windows\System\KfytxyV.exe
  C:\Windows\System\KfytxyV.exe
  2⤵
  PID:9720
- C:\Windows\System\CFxsEWA.exe
  C:\Windows\System\CFxsEWA.exe
  2⤵
  PID:9788
- C:\Windows\System\vOeQKPa.exe
  C:\Windows\System\vOeQKPa.exe
  2⤵
  PID:9840
- C:\Windows\System\gxvrQXh.exe
  C:\Windows\System\gxvrQXh.exe
  2⤵
  PID:9900
- C:\Windows\System\KmPbLwX.exe
  C:\Windows\System\KmPbLwX.exe
  2⤵
  PID:9980
- C:\Windows\System\fjRpMMk.exe
  C:\Windows\System\fjRpMMk.exe
  2⤵
  PID:10044
- C:\Windows\System\HyMWhtr.exe
  C:\Windows\System\HyMWhtr.exe
  2⤵
  PID:10120
- C:\Windows\System\IXNvXIZ.exe
  C:\Windows\System\IXNvXIZ.exe
  2⤵
  PID:10176
- C:\Windows\System\NzLZqsN.exe
  C:\Windows\System\NzLZqsN.exe
  2⤵
  PID:9220
- C:\Windows\System\HRGiXdQ.exe
  C:\Windows\System\HRGiXdQ.exe
  2⤵
  PID:9372
- C:\Windows\System\pLlkrGH.exe
  C:\Windows\System\pLlkrGH.exe
  2⤵
  PID:9584
- C:\Windows\System\FZVHWwf.exe
  C:\Windows\System\FZVHWwf.exe
  2⤵
  PID:9656
- C:\Windows\System\qfqhBWj.exe
  C:\Windows\System\qfqhBWj.exe
  2⤵
  PID:9892
- C:\Windows\System\pzQJfWM.exe
  C:\Windows\System\pzQJfWM.exe
  2⤵
  PID:9968
- C:\Windows\System\WbrOqWG.exe
  C:\Windows\System\WbrOqWG.exe
  2⤵
  PID:10160
- C:\Windows\System\BaiJMIc.exe
  C:\Windows\System\BaiJMIc.exe
  2⤵
  PID:10228
- C:\Windows\System\BLNJwNl.exe
  C:\Windows\System\BLNJwNl.exe
  2⤵
  PID:9608
- C:\Windows\System\QPsZtPs.exe
  C:\Windows\System\QPsZtPs.exe
  2⤵
  PID:9812
- C:\Windows\System\VCdNOgD.exe
  C:\Windows\System\VCdNOgD.exe
  2⤵
  PID:9244
- C:\Windows\System\VZKPBAo.exe
  C:\Windows\System\VZKPBAo.exe
  2⤵
  PID:9400
- C:\Windows\System\hJRZmKz.exe
  C:\Windows\System\hJRZmKz.exe
  2⤵
  PID:10028
- C:\Windows\System\jbnoHlL.exe
  C:\Windows\System\jbnoHlL.exe
  2⤵
  PID:10272
- C:\Windows\System\UhLjjtn.exe
  C:\Windows\System\UhLjjtn.exe
  2⤵
  PID:10300
- C:\Windows\System\AYcnWKc.exe
  C:\Windows\System\AYcnWKc.exe
  2⤵
  PID:10328
- C:\Windows\System\JxfKuea.exe
  C:\Windows\System\JxfKuea.exe
  2⤵
  PID:10352
- C:\Windows\System\LzEOWpC.exe
  C:\Windows\System\LzEOWpC.exe
  2⤵
  PID:10404
- C:\Windows\System\KZOhQbr.exe
  C:\Windows\System\KZOhQbr.exe
  2⤵
  PID:10432
- C:\Windows\System\mTctMnW.exe
  C:\Windows\System\mTctMnW.exe
  2⤵
  PID:10460
- C:\Windows\System\SBquFbh.exe
  C:\Windows\System\SBquFbh.exe
  2⤵
  PID:10488
- C:\Windows\System\EEuEixr.exe
  C:\Windows\System\EEuEixr.exe
  2⤵
  PID:10520
- C:\Windows\System\bXNykKb.exe
  C:\Windows\System\bXNykKb.exe
  2⤵
  PID:10544
- C:\Windows\System\rVVfwLH.exe
  C:\Windows\System\rVVfwLH.exe
  2⤵
  PID:10572
- C:\Windows\System\qlaPJzN.exe
  C:\Windows\System\qlaPJzN.exe
  2⤵
  PID:10588
- C:\Windows\System\pIThGTJ.exe
  C:\Windows\System\pIThGTJ.exe
  2⤵
  PID:10620
- C:\Windows\System\VHPvspB.exe
  C:\Windows\System\VHPvspB.exe
  2⤵
  PID:10656
- C:\Windows\System\pIsAIdD.exe
  C:\Windows\System\pIsAIdD.exe
  2⤵
  PID:10672
- C:\Windows\System\mVDrsXx.exe
  C:\Windows\System\mVDrsXx.exe
  2⤵
  PID:10712
- C:\Windows\System\ndyVXXs.exe
  C:\Windows\System\ndyVXXs.exe
  2⤵
  PID:10740
- C:\Windows\System\OhjVpvz.exe
  C:\Windows\System\OhjVpvz.exe
  2⤵
  PID:10756
- C:\Windows\System\BAZSjyV.exe
  C:\Windows\System\BAZSjyV.exe
  2⤵
  PID:10780
- C:\Windows\System\TgiKuZZ.exe
  C:\Windows\System\TgiKuZZ.exe
  2⤵
  PID:10812
- C:\Windows\System\zEUxkoS.exe
  C:\Windows\System\zEUxkoS.exe
  2⤵
  PID:10840
- C:\Windows\System\ycOIdcU.exe
  C:\Windows\System\ycOIdcU.exe
  2⤵
  PID:10872
- C:\Windows\System\XURpgIL.exe
  C:\Windows\System\XURpgIL.exe
  2⤵
  PID:10896
- C:\Windows\System\UcVQtOc.exe
  C:\Windows\System\UcVQtOc.exe
  2⤵
  PID:10936
- C:\Windows\System\sYmHbpl.exe
  C:\Windows\System\sYmHbpl.exe
  2⤵
  PID:10972
- C:\Windows\System\cQktmZi.exe
  C:\Windows\System\cQktmZi.exe
  2⤵
  PID:11004
- C:\Windows\System\flwDnMl.exe
  C:\Windows\System\flwDnMl.exe
  2⤵
  PID:11212
- C:\Windows\System\Pitqsfc.exe
  C:\Windows\System\Pitqsfc.exe
  2⤵
  PID:11244
- C:\Windows\System\aSjtbpF.exe
  C:\Windows\System\aSjtbpF.exe
  2⤵
  PID:11260
- C:\Windows\System\wQnBmbC.exe
  C:\Windows\System\wQnBmbC.exe
  2⤵
  PID:10252
- C:\Windows\System\aMtaKfM.exe
  C:\Windows\System\aMtaKfM.exe
  2⤵
  PID:10296
- C:\Windows\System\EfwkXrD.exe
  C:\Windows\System\EfwkXrD.exe
  2⤵
  PID:10312
- C:\Windows\System\KZaXtep.exe
  C:\Windows\System\KZaXtep.exe
  2⤵
  PID:10416
- C:\Windows\System\aeISwql.exe
  C:\Windows\System\aeISwql.exe
  2⤵
  PID:10452
- C:\Windows\System\hvcAWJy.exe
  C:\Windows\System\hvcAWJy.exe
  2⤵
  PID:10512
- C:\Windows\System\owRPLpR.exe
  C:\Windows\System\owRPLpR.exe
  2⤵
  PID:10616
- C:\Windows\System\bCVXTJh.exe
  C:\Windows\System\bCVXTJh.exe
  2⤵
  PID:10692
- C:\Windows\System\ByNpnqO.exe
  C:\Windows\System\ByNpnqO.exe
  2⤵
  PID:10820
- C:\Windows\System\pFLhjKL.exe
  C:\Windows\System\pFLhjKL.exe
  2⤵
  PID:10868
- C:\Windows\System\TjNfycG.exe
  C:\Windows\System\TjNfycG.exe
  2⤵
  PID:10892
- C:\Windows\System\hHnKamZ.exe
  C:\Windows\System\hHnKamZ.exe
  2⤵
  PID:10948
- C:\Windows\System\QQmzcJn.exe
  C:\Windows\System\QQmzcJn.exe
  2⤵
  PID:10992
- C:\Windows\System\LnMzTpu.exe
  C:\Windows\System\LnMzTpu.exe
  2⤵
  PID:11044
- C:\Windows\System\jaLVdbK.exe
  C:\Windows\System\jaLVdbK.exe
  2⤵
  PID:11080
- C:\Windows\System\LsuOPVs.exe
  C:\Windows\System\LsuOPVs.exe
  2⤵
  PID:11112
- C:\Windows\System\YJFJtAS.exe
  C:\Windows\System\YJFJtAS.exe
  2⤵
  PID:11144
- C:\Windows\System\GpyGvaV.exe
  C:\Windows\System\GpyGvaV.exe
  2⤵
  PID:11184
- C:\Windows\System\GbWNSNw.exe
  C:\Windows\System\GbWNSNw.exe
  2⤵
  PID:11208
- C:\Windows\System\MHXXgfb.exe
  C:\Windows\System\MHXXgfb.exe
  2⤵
  PID:8276
- C:\Windows\System\mbcThGd.exe
  C:\Windows\System\mbcThGd.exe
  2⤵
  PID:10344
- C:\Windows\System\yZhJJEY.exe
  C:\Windows\System\yZhJJEY.exe
  2⤵
  PID:10560
- C:\Windows\System\oxkrzgL.exe
  C:\Windows\System\oxkrzgL.exe
  2⤵
  PID:10696
- C:\Windows\System\OPRblsF.exe
  C:\Windows\System\OPRblsF.exe
  2⤵
  PID:10916
- C:\Windows\System\mlOTTyx.exe
  C:\Windows\System\mlOTTyx.exe
  2⤵
  PID:10864
- C:\Windows\System\jmHjFZW.exe
  C:\Windows\System\jmHjFZW.exe
  2⤵
  PID:10952
- C:\Windows\System\lldnkyI.exe
  C:\Windows\System\lldnkyI.exe
  2⤵
  PID:11172
- C:\Windows\System\qUoiREI.exe
  C:\Windows\System\qUoiREI.exe
  2⤵
  PID:11204
- C:\Windows\System\vsRqRaF.exe
  C:\Windows\System\vsRqRaF.exe
  2⤵
  PID:10412
- C:\Windows\System\uKzSaRe.exe
  C:\Windows\System\uKzSaRe.exe
  2⤵
  PID:10748
- C:\Windows\System\UqpkFjq.exe
  C:\Windows\System\UqpkFjq.exe
  2⤵
  PID:11060
- C:\Windows\System\gtEnJiZ.exe
  C:\Windows\System\gtEnJiZ.exe
  2⤵
  PID:10908
- C:\Windows\System\ilYKwNu.exe
  C:\Windows\System\ilYKwNu.exe
  2⤵
  PID:11032
- C:\Windows\System\xLalsvZ.exe
  C:\Windows\System\xLalsvZ.exe
  2⤵
  PID:11312
- C:\Windows\System\VGMuMrb.exe
  C:\Windows\System\VGMuMrb.exe
  2⤵
  PID:11332
- C:\Windows\System\vSQQAQj.exe
  C:\Windows\System\vSQQAQj.exe
  2⤵
  PID:11356
- C:\Windows\System\wYQCuBp.exe
  C:\Windows\System\wYQCuBp.exe
  2⤵
  PID:11372
- C:\Windows\System\TTNtgzq.exe
  C:\Windows\System\TTNtgzq.exe
  2⤵
  PID:11400
- C:\Windows\System\YZMVMkn.exe
  C:\Windows\System\YZMVMkn.exe
  2⤵
  PID:11440
- C:\Windows\System\XgRNnsv.exe
  C:\Windows\System\XgRNnsv.exe
  2⤵
  PID:11468
- C:\Windows\System\Oyyqmrz.exe
  C:\Windows\System\Oyyqmrz.exe
  2⤵
  PID:11496
- C:\Windows\System\bwpVVUb.exe
  C:\Windows\System\bwpVVUb.exe
  2⤵
  PID:11524
- C:\Windows\System\yQXJMBn.exe
  C:\Windows\System\yQXJMBn.exe
  2⤵
  PID:11540
- C:\Windows\System\gnJWpxY.exe
  C:\Windows\System\gnJWpxY.exe
  2⤵
  PID:11576
- C:\Windows\System\jhurhAc.exe
  C:\Windows\System\jhurhAc.exe
  2⤵
  PID:11596
- C:\Windows\System\KzbNXii.exe
  C:\Windows\System\KzbNXii.exe
  2⤵
  PID:11616
- C:\Windows\System\SjnUpkK.exe
  C:\Windows\System\SjnUpkK.exe
  2⤵
  PID:11640
- C:\Windows\System\NZwUBKh.exe
  C:\Windows\System\NZwUBKh.exe
  2⤵
  PID:11684
- C:\Windows\System\YsgsKVs.exe
  C:\Windows\System\YsgsKVs.exe
  2⤵
  PID:11720
- C:\Windows\System\YYYKoyW.exe
  C:\Windows\System\YYYKoyW.exe
  2⤵
  PID:11748
- C:\Windows\System\sJslyaC.exe
  C:\Windows\System\sJslyaC.exe
  2⤵
  PID:11776
- C:\Windows\System\glQdQAc.exe
  C:\Windows\System\glQdQAc.exe
  2⤵
  PID:11804
- C:\Windows\System\YZjHdsq.exe
  C:\Windows\System\YZjHdsq.exe
  2⤵
  PID:11832
- C:\Windows\System\wrZXeex.exe
  C:\Windows\System\wrZXeex.exe
  2⤵
  PID:11860
- C:\Windows\System\gjVwowz.exe
  C:\Windows\System\gjVwowz.exe
  2⤵
  PID:11876
- C:\Windows\System\vOBBjlN.exe
  C:\Windows\System\vOBBjlN.exe
  2⤵
  PID:11896
- C:\Windows\System\zyjZXhI.exe
  C:\Windows\System\zyjZXhI.exe
  2⤵
  PID:11932
- C:\Windows\System\QPXPXFK.exe
  C:\Windows\System\QPXPXFK.exe
  2⤵
  PID:11960
- C:\Windows\System\jtRuNvH.exe
  C:\Windows\System\jtRuNvH.exe
  2⤵
  PID:11988
- C:\Windows\System\wLJsAVd.exe
  C:\Windows\System\wLJsAVd.exe
  2⤵
  PID:12020
- C:\Windows\System\SajBrXP.exe
  C:\Windows\System\SajBrXP.exe
  2⤵
  PID:12052
- C:\Windows\System\SLDIsEz.exe
  C:\Windows\System\SLDIsEz.exe
  2⤵
  PID:12076
- C:\Windows\System\ZgtnFsa.exe
  C:\Windows\System\ZgtnFsa.exe
  2⤵
  PID:12104
- C:\Windows\System\lorwXIm.exe
  C:\Windows\System\lorwXIm.exe
  2⤵
  PID:12128
- C:\Windows\System\LYYGzXw.exe
  C:\Windows\System\LYYGzXw.exe
  2⤵
  PID:12156
- C:\Windows\System\fPKnTXj.exe
  C:\Windows\System\fPKnTXj.exe
  2⤵
  PID:12176
- C:\Windows\System\zbBpUDP.exe
  C:\Windows\System\zbBpUDP.exe
  2⤵
  PID:12200
- C:\Windows\System\KUoFotn.exe
  C:\Windows\System\KUoFotn.exe
  2⤵
  PID:12228
- C:\Windows\System\xEkefVf.exe
  C:\Windows\System\xEkefVf.exe
  2⤵
  PID:12252
- C:\Windows\System\cauklji.exe
  C:\Windows\System\cauklji.exe
  2⤵
  PID:11160
- C:\Windows\System\hgzRAFo.exe
  C:\Windows\System\hgzRAFo.exe
  2⤵
  PID:11276
- C:\Windows\System\NAryLJl.exe
  C:\Windows\System\NAryLJl.exe
  2⤵
  PID:11352
- C:\Windows\System\dHKcJaD.exe
  C:\Windows\System\dHKcJaD.exe
  2⤵
  PID:11396
- C:\Windows\System\wxPecsE.exe
  C:\Windows\System\wxPecsE.exe
  2⤵
  PID:11512
- C:\Windows\System\DpDNKLd.exe
  C:\Windows\System\DpDNKLd.exe
  2⤵
  PID:11556
- C:\Windows\System\PokZjNi.exe
  C:\Windows\System\PokZjNi.exe
  2⤵
  PID:11636
- C:\Windows\System\gGdHEJv.exe
  C:\Windows\System\gGdHEJv.exe
  2⤵
  PID:11676
- C:\Windows\System\QbKJUvY.exe
  C:\Windows\System\QbKJUvY.exe
  2⤵
  PID:11768
- C:\Windows\System\GjwDJoD.exe
  C:\Windows\System\GjwDJoD.exe
  2⤵
  PID:11844
- C:\Windows\System\ngjjNEM.exe
  C:\Windows\System\ngjjNEM.exe
  2⤵
  PID:11904
- C:\Windows\System\BQYkina.exe
  C:\Windows\System\BQYkina.exe
  2⤵
  PID:11976
- C:\Windows\System\TyTklIG.exe
  C:\Windows\System\TyTklIG.exe
  2⤵
  PID:12048
- C:\Windows\System\OtubXPt.exe
  C:\Windows\System\OtubXPt.exe
  2⤵
  PID:12124
- C:\Windows\System\VKKRWMo.exe
  C:\Windows\System\VKKRWMo.exe
  2⤵
  PID:12172
- C:\Windows\System\DynaSmE.exe
  C:\Windows\System\DynaSmE.exe
  2⤵
  PID:12244
- C:\Windows\System\ZsuguUd.exe
  C:\Windows\System\ZsuguUd.exe
  2⤵
  PID:11240
- C:\Windows\System\aRIozor.exe
  C:\Windows\System\aRIozor.exe
  2⤵
  PID:11392
- C:\Windows\System\rmrzGya.exe
  C:\Windows\System\rmrzGya.exe
  2⤵
  PID:11140
- C:\Windows\System\MXUytkp.exe
  C:\Windows\System\MXUytkp.exe
  2⤵
  PID:11628
- C:\Windows\System\PIMyhVP.exe
  C:\Windows\System\PIMyhVP.exe
  2⤵
  PID:11820
- C:\Windows\System\wJaHNFN.exe
  C:\Windows\System\wJaHNFN.exe
  2⤵
  PID:11972
- C:\Windows\System\MFKMoDo.exe
  C:\Windows\System\MFKMoDo.exe
  2⤵
  PID:12188
- C:\Windows\System\xmaFsGN.exe
  C:\Windows\System\xmaFsGN.exe
  2⤵
  PID:12216
- C:\Windows\System\fdkzGfX.exe
  C:\Windows\System\fdkzGfX.exe
  2⤵
  PID:11536
- C:\Windows\System\WXlGHwh.exe
  C:\Windows\System\WXlGHwh.exe
  2⤵
  PID:11944
- C:\Windows\System\CqXrhuD.exe
  C:\Windows\System\CqXrhuD.exe
  2⤵
  PID:11796
- C:\Windows\System\TvMorIk.exe
  C:\Windows\System\TvMorIk.exe
  2⤵
  PID:12296
- C:\Windows\System\vgulHFi.exe
  C:\Windows\System\vgulHFi.exe
  2⤵
  PID:12320
- C:\Windows\System\NUorzRP.exe
  C:\Windows\System\NUorzRP.exe
  2⤵
  PID:12352
- C:\Windows\System\DMeYoBj.exe
  C:\Windows\System\DMeYoBj.exe
  2⤵
  PID:12380
- C:\Windows\System\FmkDKsr.exe
  C:\Windows\System\FmkDKsr.exe
  2⤵
  PID:12408
- C:\Windows\System\rbcQUlP.exe
  C:\Windows\System\rbcQUlP.exe
  2⤵
  PID:12436
- C:\Windows\System\aaAjjSl.exe
  C:\Windows\System\aaAjjSl.exe
  2⤵
  PID:12468
- C:\Windows\System\uDxchGV.exe
  C:\Windows\System\uDxchGV.exe
  2⤵
  PID:12484
- C:\Windows\System\OvjrGwh.exe
  C:\Windows\System\OvjrGwh.exe
  2⤵
  PID:12508
- C:\Windows\System\NLtApps.exe
  C:\Windows\System\NLtApps.exe
  2⤵
  PID:12532
- C:\Windows\System\GpNxEoX.exe
  C:\Windows\System\GpNxEoX.exe
  2⤵
  PID:12564
- C:\Windows\System\gWsUZKo.exe
  C:\Windows\System\gWsUZKo.exe
  2⤵
  PID:12592
- C:\Windows\System\JkLCDCD.exe
  C:\Windows\System\JkLCDCD.exe
  2⤵
  PID:12620
- C:\Windows\System\hRTAjPs.exe
  C:\Windows\System\hRTAjPs.exe
  2⤵
  PID:12652
- C:\Windows\System\oTEUSwQ.exe
  C:\Windows\System\oTEUSwQ.exe
  2⤵
  PID:12688
- C:\Windows\System\YQtOAMO.exe
  C:\Windows\System\YQtOAMO.exe
  2⤵
  PID:12716
- C:\Windows\System\HoSjeWf.exe
  C:\Windows\System\HoSjeWf.exe
  2⤵
  PID:12744
- C:\Windows\System\uKjbNiq.exe
  C:\Windows\System\uKjbNiq.exe
  2⤵
  PID:12784
- C:\Windows\System\nsjvmHy.exe
  C:\Windows\System\nsjvmHy.exe
  2⤵
  PID:12812
- C:\Windows\System\VUTlnBL.exe
  C:\Windows\System\VUTlnBL.exe
  2⤵
  PID:12828
- C:\Windows\System\QjFEyAy.exe
  C:\Windows\System\QjFEyAy.exe
  2⤵
  PID:12852
- C:\Windows\System\PlvMAMQ.exe
  C:\Windows\System\PlvMAMQ.exe
  2⤵
  PID:12868
- C:\Windows\System\TgOIvpF.exe
  C:\Windows\System\TgOIvpF.exe
  2⤵
  PID:12900
- C:\Windows\System\NHNcSpt.exe
  C:\Windows\System\NHNcSpt.exe
  2⤵
  PID:12924
- C:\Windows\System\YYyeSga.exe
  C:\Windows\System\YYyeSga.exe
  2⤵
  PID:12968
- C:\Windows\System\XpszHRT.exe
  C:\Windows\System\XpszHRT.exe
  2⤵
  PID:12996
- C:\Windows\System\OavTjOG.exe
  C:\Windows\System\OavTjOG.exe
  2⤵
  PID:13024
- C:\Windows\System\QGyuDTl.exe
  C:\Windows\System\QGyuDTl.exe
  2⤵
  PID:13040
- C:\Windows\System\xFiXgwq.exe
  C:\Windows\System\xFiXgwq.exe
  2⤵
  PID:13072
- C:\Windows\System\FIjOftQ.exe
  C:\Windows\System\FIjOftQ.exe
  2⤵
  PID:13108
- C:\Windows\System\mkpPGSB.exe
  C:\Windows\System\mkpPGSB.exe
  2⤵
  PID:13136
- C:\Windows\System\KPeROHd.exe
  C:\Windows\System\KPeROHd.exe
  2⤵
  PID:13164
- C:\Windows\System\qxTjJNy.exe
  C:\Windows\System\qxTjJNy.exe
  2⤵
  PID:13204
- C:\Windows\System\ycbfEnH.exe
  C:\Windows\System\ycbfEnH.exe
  2⤵
  PID:13220
- C:\Windows\System\NGoKKNO.exe
  C:\Windows\System\NGoKKNO.exe
  2⤵
  PID:13236
- C:\Windows\System\auTIMWz.exe
  C:\Windows\System\auTIMWz.exe
  2⤵
  PID:13264
- C:\Windows\System\RwgFXku.exe
  C:\Windows\System\RwgFXku.exe
  2⤵
  PID:13296
- C:\Windows\System\gZVtCKF.exe
  C:\Windows\System\gZVtCKF.exe
  2⤵
  PID:12112
- C:\Windows\System\TuxKwNh.exe
  C:\Windows\System\TuxKwNh.exe
  2⤵
  PID:12340
- C:\Windows\System\EMxjapB.exe
  C:\Windows\System\EMxjapB.exe
  2⤵
  PID:12400
- C:\Windows\System\lYYnTFc.exe
  C:\Windows\System\lYYnTFc.exe
  2⤵
  PID:12424
- C:\Windows\System\muvCYsW.exe
  C:\Windows\System\muvCYsW.exe
  2⤵
  PID:12480
- C:\Windows\System\fzhjnkj.exe
  C:\Windows\System\fzhjnkj.exe
  2⤵
  PID:12572
- C:\Windows\System\FFGYfpq.exe
  C:\Windows\System\FFGYfpq.exe
  2⤵
  PID:12616
- C:\Windows\System\HzbNzUQ.exe
  C:\Windows\System\HzbNzUQ.exe
  2⤵
  PID:12768
- C:\Windows\System\tOwIIbu.exe
  C:\Windows\System\tOwIIbu.exe
  2⤵
  PID:12800
- C:\Windows\System\nepImQt.exe
  C:\Windows\System\nepImQt.exe
  2⤵
  PID:12884
- C:\Windows\System\IhCaECa.exe
  C:\Windows\System\IhCaECa.exe
  2⤵
  PID:12912
- C:\Windows\System\iyhqFnM.exe
  C:\Windows\System\iyhqFnM.exe
  2⤵
  PID:12988
- C:\Windows\System\mQcMoSV.exe
  C:\Windows\System\mQcMoSV.exe
  2⤵
  PID:13056
- C:\Windows\System\SefqKzx.exe
  C:\Windows\System\SefqKzx.exe
  2⤵
  PID:13096
- C:\Windows\System\OBJAmzF.exe
  C:\Windows\System\OBJAmzF.exe
  2⤵
  PID:13180
- C:\Windows\System\uGKtKBY.exe
  C:\Windows\System\uGKtKBY.exe
  2⤵
  PID:13292
- C:\Windows\System\MmNfQre.exe
  C:\Windows\System\MmNfQre.exe
  2⤵
  PID:13308
- C:\Windows\System\CXjIIcU.exe
  C:\Windows\System\CXjIIcU.exe
  2⤵
  PID:12448
- C:\Windows\System\SbZVIER.exe
  C:\Windows\System\SbZVIER.exe
  2⤵
  PID:12548
- C:\Windows\System\lwsZSMJ.exe
  C:\Windows\System\lwsZSMJ.exe
  2⤵
  PID:12756
- C:\Windows\System\ZQJooJo.exe
  C:\Windows\System\ZQJooJo.exe
  2⤵
  PID:12916
- C:\Windows\System\jCkrMYZ.exe
  C:\Windows\System\jCkrMYZ.exe
  2⤵
  PID:13016
- C:\Windows\System\GatWaXL.exe
  C:\Windows\System\GatWaXL.exe
  2⤵
  PID:13152
- C:\Windows\System\WGKqsRe.exe
  C:\Windows\System\WGKqsRe.exe
  2⤵
  PID:12312
- C:\Windows\System\sojtwzA.exe
  C:\Windows\System\sojtwzA.exe
  2⤵
  PID:12760
- C:\Windows\System\JWoHYCR.exe
  C:\Windows\System\JWoHYCR.exe
  2⤵
  PID:12984
- C:\Windows\System\XcSWsFL.exe
  C:\Windows\System\XcSWsFL.exe
  2⤵
  PID:12820
- C:\Windows\System\IJFOVpZ.exe
  C:\Windows\System\IJFOVpZ.exe
  2⤵
  PID:13320
- C:\Windows\System\nCgcBXN.exe
  C:\Windows\System\nCgcBXN.exe
  2⤵
  PID:13344
- C:\Windows\System\xQVBhCh.exe
  C:\Windows\System\xQVBhCh.exe
  2⤵
  PID:13376
- C:\Windows\System\vutBRXJ.exe
  C:\Windows\System\vutBRXJ.exe
  2⤵
  PID:13404
- C:\Windows\System\VMnvqCf.exe
  C:\Windows\System\VMnvqCf.exe
  2⤵
  PID:13420
- C:\Windows\System\nSAPeVU.exe
  C:\Windows\System\nSAPeVU.exe
  2⤵
  PID:13444
- C:\Windows\System\RpTPZfI.exe
  C:\Windows\System\RpTPZfI.exe
  2⤵
  PID:13468
- C:\Windows\System\frxFCkQ.exe
  C:\Windows\System\frxFCkQ.exe
  2⤵
  PID:13504
- C:\Windows\System\jrqRgcX.exe
  C:\Windows\System\jrqRgcX.exe
  2⤵
  PID:13532
- C:\Windows\System\abcRCmH.exe
  C:\Windows\System\abcRCmH.exe
  2⤵
  PID:13556
- C:\Windows\System\urENfJL.exe
  C:\Windows\System\urENfJL.exe
  2⤵
  PID:13584
- C:\Windows\System\QxKQQNk.exe
  C:\Windows\System\QxKQQNk.exe
  2⤵
  PID:13620
- C:\Windows\System\tWnUgPG.exe
  C:\Windows\System\tWnUgPG.exe
  2⤵
  PID:13644
- C:\Windows\System\kukjOWe.exe
  C:\Windows\System\kukjOWe.exe
  2⤵
  PID:13672
- C:\Windows\System\UADfCAj.exe
  C:\Windows\System\UADfCAj.exe
  2⤵
  PID:13712
- C:\Windows\System\QQcvfKN.exe
  C:\Windows\System\QQcvfKN.exe
  2⤵
  PID:13756
- C:\Windows\System\eYGeQdl.exe
  C:\Windows\System\eYGeQdl.exe
  2⤵
  PID:13784
- C:\Windows\System\SlKrqSL.exe
  C:\Windows\System\SlKrqSL.exe
  2⤵
  PID:13804
- C:\Windows\System\RuKmYGe.exe
  C:\Windows\System\RuKmYGe.exe
  2⤵
  PID:13840
- C:\Windows\System\nKcOMBt.exe
  C:\Windows\System\nKcOMBt.exe
  2⤵
  PID:13860
- C:\Windows\System\eSjwivz.exe
  C:\Windows\System\eSjwivz.exe
  2⤵
  PID:13884
- C:\Windows\System\xHGtDHf.exe
  C:\Windows\System\xHGtDHf.exe
  2⤵
  PID:13924
- C:\Windows\System\MGXHijo.exe
  C:\Windows\System\MGXHijo.exe
  2⤵
  PID:13952
- C:\Windows\System\NAoqOxS.exe
  C:\Windows\System\NAoqOxS.exe
  2⤵
  PID:13980
- C:\Windows\System\KxCwkpz.exe
  C:\Windows\System\KxCwkpz.exe
  2⤵
  PID:13996
- C:\Windows\System\MkbCach.exe
  C:\Windows\System\MkbCach.exe
  2⤵
  PID:14016
- C:\Windows\System\RGZyjbr.exe
  C:\Windows\System\RGZyjbr.exe
  2⤵
  PID:14032
- C:\Windows\System\ghXEcuX.exe
  C:\Windows\System\ghXEcuX.exe
  2⤵
  PID:14068
- C:\Windows\System\HpLvWlW.exe
  C:\Windows\System\HpLvWlW.exe
  2⤵
  PID:14100
- C:\Windows\System\ENkMZcc.exe
  C:\Windows\System\ENkMZcc.exe
  2⤵
  PID:14124
- C:\Windows\System\QizVAHa.exe
  C:\Windows\System\QizVAHa.exe
  2⤵
  PID:14164
- C:\Windows\System\dIEayqJ.exe
  C:\Windows\System\dIEayqJ.exe
  2⤵
  PID:14192
- C:\Windows\System\BxnyCly.exe
  C:\Windows\System\BxnyCly.exe
  2⤵
  PID:14224
- C:\Windows\System\rXnuYDw.exe
  C:\Windows\System\rXnuYDw.exe
  2⤵
  PID:14252
- C:\Windows\System\TIsFXkk.exe
  C:\Windows\System\TIsFXkk.exe
  2⤵
  PID:14284
- C:\Windows\System\KTmTDhg.exe
  C:\Windows\System\KTmTDhg.exe
  2⤵
  PID:14300
- C:\Windows\System\cqLumXe.exe
  C:\Windows\System\cqLumXe.exe
  2⤵
  PID:14320
- C:\Windows\System\cwJvGnX.exe
  C:\Windows\System\cwJvGnX.exe
  2⤵
  PID:12420
- C:\Windows\System\EmJGFoe.exe
  C:\Windows\System\EmJGFoe.exe
  2⤵
  PID:13332
- C:\Windows\System\OJxcuVX.exe
  C:\Windows\System\OJxcuVX.exe
  2⤵
  PID:13440
- C:\Windows\System\mEzUipD.exe
  C:\Windows\System\mEzUipD.exe
  2⤵
  PID:13476
- C:\Windows\System\COBVVFt.exe
  C:\Windows\System\COBVVFt.exe
  2⤵
  PID:13548
- C:\Windows\System\HMdRHGU.exe
  C:\Windows\System\HMdRHGU.exe
  2⤵
  PID:13604
- C:\Windows\System\zRqoUvu.exe
  C:\Windows\System\zRqoUvu.exe
  2⤵
  PID:13636
- C:\Windows\System\RlFnyHW.exe
  C:\Windows\System\RlFnyHW.exe
  2⤵
  PID:13744
- C:\Windows\System\aRQsJcj.exe
  C:\Windows\System\aRQsJcj.exe
  2⤵
  PID:13836
- C:\Windows\System\OmIIeAV.exe
  C:\Windows\System\OmIIeAV.exe
  2⤵
  PID:13880
- C:\Windows\System\gwdwPkJ.exe
  C:\Windows\System\gwdwPkJ.exe
  2⤵
  PID:13944
- C:\Windows\System\XsHCiRB.exe
  C:\Windows\System\XsHCiRB.exe
  2⤵
  PID:14024
- C:\Windows\System\WhwkHYo.exe
  C:\Windows\System\WhwkHYo.exe
  2⤵
  PID:14052
- C:\Windows\System\qSZtsgQ.exe
  C:\Windows\System\qSZtsgQ.exe
  2⤵
  PID:14144
- C:\Windows\System\nwyMkTB.exe
  C:\Windows\System\nwyMkTB.exe
  2⤵
  PID:14232
- C:\Windows\System\rgXijpu.exe
  C:\Windows\System\rgXijpu.exe
  2⤵
  PID:14264
- C:\Windows\System\jEoftnS.exe
  C:\Windows\System\jEoftnS.exe
  2⤵
  PID:13340
- C:\Windows\System\QqyaNDW.exe
  C:\Windows\System\QqyaNDW.exe
  2⤵
  PID:13580
- C:\Windows\System\bmButWR.exe
  C:\Windows\System\bmButWR.exe
  2⤵
  PID:13656
- C:\Windows\System\rVMeNyA.exe
  C:\Windows\System\rVMeNyA.exe
  2⤵
  PID:13868
- C:\Windows\System\Zigoscy.exe
  C:\Windows\System\Zigoscy.exe
  2⤵
  PID:14004
- C:\Windows\System\CijUduI.exe
  C:\Windows\System\CijUduI.exe
  2⤵
  PID:14216
- C:\Windows\System\QqMdfpF.exe
  C:\Windows\System\QqMdfpF.exe
  2⤵
  PID:14328
- C:\Windows\System\IvZKXot.exe
  C:\Windows\System\IvZKXot.exe
  2⤵
  PID:13660
- C:\Windows\System\tTXwtJP.exe
  C:\Windows\System\tTXwtJP.exe
  2⤵
  PID:13936
- C:\Windows\System\bHqWCCF.exe
  C:\Windows\System\bHqWCCF.exe
  2⤵
  PID:14084
- C:\Windows\System\hLkMwgv.exe
  C:\Windows\System\hLkMwgv.exe
  2⤵
  PID:13400
- C:\Windows\System\CXPIwMV.exe
  C:\Windows\System\CXPIwMV.exe
  2⤵
  PID:14292
- C:\Windows\System\SJpykEx.exe
  C:\Windows\System\SJpykEx.exe
  2⤵
  PID:14364
- C:\Windows\System\SpLEJvP.exe
  C:\Windows\System\SpLEJvP.exe
  2⤵
  PID:14388
- C:\Windows\System\gHqzZKb.exe
  C:\Windows\System\gHqzZKb.exe
  2⤵
  PID:14404
- C:\Windows\System\ataydJs.exe
  C:\Windows\System\ataydJs.exe
  2⤵
  PID:14436
- C:\Windows\System\HsUkOvI.exe
  C:\Windows\System\HsUkOvI.exe
  2⤵
  PID:14472
- C:\Windows\System\bldiQQc.exe
  C:\Windows\System\bldiQQc.exe
  2⤵
  PID:14508
- C:\Windows\System\qxjMANF.exe
  C:\Windows\System\qxjMANF.exe
  2⤵
  PID:14548
- C:\Windows\System\XrWLAtA.exe
  C:\Windows\System\XrWLAtA.exe
  2⤵
  PID:14568
- C:\Windows\System\FpihWye.exe
  C:\Windows\System\FpihWye.exe
  2⤵
  PID:14592
- C:\Windows\System\KUwGEYK.exe
  C:\Windows\System\KUwGEYK.exe
  2⤵
  PID:14612
- C:\Windows\System\QnkMAqH.exe
  C:\Windows\System\QnkMAqH.exe
  2⤵
  PID:14632
- C:\Windows\System\XAOlScD.exe
  C:\Windows\System\XAOlScD.exe
  2⤵
  PID:14660
- C:\Windows\System\LbHXnOi.exe
  C:\Windows\System\LbHXnOi.exe
  2⤵
  PID:14692
- C:\Windows\System\qnmzXAL.exe
  C:\Windows\System\qnmzXAL.exe
  2⤵
  PID:14716
- C:\Windows\System\DqmyiIo.exe
  C:\Windows\System\DqmyiIo.exe
  2⤵
  PID:14748
- C:\Windows\System\lYuOISi.exe
  C:\Windows\System\lYuOISi.exe
  2⤵
  PID:14772
- C:\Windows\System\jmDyPNV.exe
  C:\Windows\System\jmDyPNV.exe
  2⤵
  PID:14804
- C:\Windows\System\DxveJuA.exe
  C:\Windows\System\DxveJuA.exe
  2⤵
  PID:14832
- C:\Windows\System\QJtMfmH.exe
  C:\Windows\System\QJtMfmH.exe
  2⤵
  PID:14860
- C:\Windows\System\eysOvWR.exe
  C:\Windows\System\eysOvWR.exe
  2⤵
  PID:14884
- C:\Windows\System\kYSclUI.exe
  C:\Windows\System\kYSclUI.exe
  2⤵
  PID:14912
- C:\Windows\System\XGvRtQJ.exe
  C:\Windows\System\XGvRtQJ.exe
  2⤵
  PID:14944
- C:\Windows\System\oUuqmkp.exe
  C:\Windows\System\oUuqmkp.exe
  2⤵
  PID:14984
- C:\Windows\System\byDGYTQ.exe
  C:\Windows\System\byDGYTQ.exe
  2⤵
  PID:15016
- C:\Windows\System\oQWAanc.exe
  C:\Windows\System\oQWAanc.exe
  2⤵
  PID:15044
- C:\Windows\System\MOhtepc.exe
  C:\Windows\System\MOhtepc.exe
  2⤵
  PID:15064
- C:\Windows\System\AnJLPTV.exe
  C:\Windows\System\AnJLPTV.exe
  2⤵
  PID:15080
- C:\Windows\System\SogHjCX.exe
  C:\Windows\System\SogHjCX.exe
  2⤵
  PID:15108
- C:\Windows\System\gmXTcMf.exe
  C:\Windows\System\gmXTcMf.exe
  2⤵
  PID:15132
- C:\Windows\System\JJdZysH.exe
  C:\Windows\System\JJdZysH.exe
  2⤵
  PID:15168
- C:\Windows\System\SalFmZF.exe
  C:\Windows\System\SalFmZF.exe
  2⤵
  PID:15192
- C:\Windows\System\FMnxJiq.exe
  C:\Windows\System\FMnxJiq.exe
  2⤵
  PID:15220
- C:\Windows\System\WgGPdrP.exe
  C:\Windows\System\WgGPdrP.exe
  2⤵
  PID:15252
- C:\Windows\System\RGlbWVW.exe
  C:\Windows\System\RGlbWVW.exe
  2⤵
  PID:15280
- C:\Windows\System\TBrzLSP.exe
  C:\Windows\System\TBrzLSP.exe
  2⤵
  PID:15320
- C:\Windows\System\sBJCqNL.exe
  C:\Windows\System\sBJCqNL.exe
  2⤵
  PID:15352
- C:\Windows\System\oOqpDdt.exe
  C:\Windows\System\oOqpDdt.exe
  2⤵
  PID:14384
- C:\Windows\System\eDhUazd.exe
  C:\Windows\System\eDhUazd.exe
  2⤵
  PID:14420
- C:\Windows\System\CsxeeYm.exe
  C:\Windows\System\CsxeeYm.exe
  2⤵
  PID:14536
- C:\Windows\System\eszgbjR.exe
  C:\Windows\System\eszgbjR.exe
  2⤵
  PID:14580
- C:\Windows\System\cHfeula.exe
  C:\Windows\System\cHfeula.exe
  2⤵
  PID:14600
- C:\Windows\System\DVGQZpV.exe
  C:\Windows\System\DVGQZpV.exe
  2⤵
  PID:14708
- C:\Windows\System\NVboIWM.exe
  C:\Windows\System\NVboIWM.exe
  2⤵
  PID:14760
- C:\Windows\System\ooJbuaF.exe
  C:\Windows\System\ooJbuaF.exe
  2⤵
  PID:14824
- C:\Windows\System\nEdgBHj.exe
  C:\Windows\System\nEdgBHj.exe
  2⤵
  PID:14848
- C:\Windows\System\MwiuvIG.exe
  C:\Windows\System\MwiuvIG.exe
  2⤵
  PID:14976
- C:\Windows\System\ONvxmJi.exe
  C:\Windows\System\ONvxmJi.exe
  2⤵
  PID:15028
- C:\Windows\System\sBmWdZS.exe
  C:\Windows\System\sBmWdZS.exe
  2⤵
  PID:15056
- C:\Windows\System\Vqntahd.exe
  C:\Windows\System\Vqntahd.exe
  2⤵
  PID:15160
- C:\Windows\System\zeoVbzW.exe
  C:\Windows\System\zeoVbzW.exe
  2⤵
  PID:15148
- C:\Windows\System\ZShUcpE.exe
  C:\Windows\System\ZShUcpE.exe
  2⤵
  PID:15228
- C:\Windows\System\TEcJMoU.exe
  C:\Windows\System\TEcJMoU.exe
  2⤵
  PID:13796
- C:\Windows\System\uRBDQpR.exe
  C:\Windows\System\uRBDQpR.exe
  2⤵
  PID:14432
- C:\Windows\System\dWjrBVt.exe
  C:\Windows\System\dWjrBVt.exe
  2⤵
  PID:14620
- C:\Windows\System\LSFubza.exe
  C:\Windows\System\LSFubza.exe
  2⤵
  PID:14756
- C:\Windows\System\kaurdVW.exe
  C:\Windows\System\kaurdVW.exe
  2⤵
  PID:14724
- C:\Windows\System\UpXLsDu.exe
  C:\Windows\System\UpXLsDu.exe
  2⤵
  PID:14980
- C:\Windows\System\JWHVVtL.exe
  C:\Windows\System\JWHVVtL.exe
  2⤵
  PID:15124
- C:\Windows\System\yyNABtK.exe
  C:\Windows\System\yyNABtK.exe
  2⤵
  PID:15244
- C:\Windows\System\VaLtzPo.exe
  C:\Windows\System\VaLtzPo.exe
  2⤵
  PID:14516
- C:\Windows\System\LykbXwe.exe
  C:\Windows\System\LykbXwe.exe
  2⤵
  PID:15012
- C:\Windows\System\PdbUTbn.exe
  C:\Windows\System\PdbUTbn.exe
  2⤵
  PID:14700
- C:\Windows\System\FJQokOk.exe
  C:\Windows\System\FJQokOk.exe
  2⤵
  PID:15368
- C:\Windows\System\HAnbSUB.exe
  C:\Windows\System\HAnbSUB.exe
  2⤵
  PID:15400
- C:\Windows\System\qvWHkSK.exe
  C:\Windows\System\qvWHkSK.exe
  2⤵
  PID:15420
- C:\Windows\System\ORvjzHc.exe
  C:\Windows\System\ORvjzHc.exe
  2⤵
  PID:15444
- C:\Windows\System\UcnxDnn.exe
  C:\Windows\System\UcnxDnn.exe
  2⤵
  PID:15472
- C:\Windows\System\WvHXVTW.exe
  C:\Windows\System\WvHXVTW.exe
  2⤵
  PID:15512
- C:\Windows\System\nqiYtyy.exe
  C:\Windows\System\nqiYtyy.exe
  2⤵
  PID:15544
- C:\Windows\System\DfKoLNd.exe
  C:\Windows\System\DfKoLNd.exe
  2⤵
  PID:15568
- C:\Windows\System\CZgiquW.exe
  C:\Windows\System\CZgiquW.exe
  2⤵
  PID:15592
- C:\Windows\System\wSGCOTY.exe
  C:\Windows\System\wSGCOTY.exe
  2⤵
  PID:15624
- C:\Windows\System\eVMbHKv.exe
  C:\Windows\System\eVMbHKv.exe
  2⤵
  PID:15648
- C:\Windows\System\CRGQLtI.exe
  C:\Windows\System\CRGQLtI.exe
  2⤵
  PID:15720
- C:\Windows\System\gljsfUZ.exe
  C:\Windows\System\gljsfUZ.exe
  2⤵
  PID:15736
- C:\Windows\System\PBIcfth.exe
  C:\Windows\System\PBIcfth.exe
  2⤵
  PID:15752
- C:\Windows\System\GXyneXx.exe
  C:\Windows\System\GXyneXx.exe
  2⤵
  PID:15772
- C:\Windows\System\GLQnjDx.exe
  C:\Windows\System\GLQnjDx.exe
  2⤵
  PID:15808
- C:\Windows\System\ESIgtxp.exe
  C:\Windows\System\ESIgtxp.exe
  2⤵
  PID:15836
- C:\Windows\System\EbcuGxe.exe
  C:\Windows\System\EbcuGxe.exe
  2⤵
  PID:15856
- C:\Windows\System\LVjjgsU.exe
  C:\Windows\System\LVjjgsU.exe
  2⤵
  PID:15880
- C:\Windows\System\qfMuvEC.exe
  C:\Windows\System\qfMuvEC.exe
  2⤵
  PID:15912
- C:\Windows\System\ifESwZf.exe
  C:\Windows\System\ifESwZf.exe
  2⤵
  PID:15940
- C:\Windows\System\pplfEdc.exe
  C:\Windows\System\pplfEdc.exe
  2⤵
  PID:15972
- C:\Windows\System\EpcGpXF.exe
  C:\Windows\System\EpcGpXF.exe
  2⤵
  PID:16008
- C:\Windows\System\NzmRjEz.exe
  C:\Windows\System\NzmRjEz.exe
  2⤵
  PID:16032
- C:\Windows\System\EhvFKbh.exe
  C:\Windows\System\EhvFKbh.exe
  2⤵
  PID:16076
- C:\Windows\System\huZGCPk.exe
  C:\Windows\System\huZGCPk.exe
  2⤵
  PID:16104
- C:\Windows\System\VmxoSmk.exe
  C:\Windows\System\VmxoSmk.exe
  2⤵
  PID:16128
- C:\Windows\System\LSJwaVM.exe
  C:\Windows\System\LSJwaVM.exe
  2⤵
  PID:16144
- C:\Windows\System\sQhHUeh.exe
  C:\Windows\System\sQhHUeh.exe
  2⤵
  PID:16164
- C:\Windows\System\MoAhVfF.exe
  C:\Windows\System\MoAhVfF.exe
  2⤵
  PID:16184
- C:\Windows\System\DujPFil.exe
  C:\Windows\System\DujPFil.exe
  2⤵
  PID:16204
- C:\Windows\System\ECawbky.exe
  C:\Windows\System\ECawbky.exe
  2⤵
  PID:16236
- C:\Windows\System\GOdiWvo.exe
  C:\Windows\System\GOdiWvo.exe
  2⤵
  PID:16264
- C:\Windows\System\AjFgFhR.exe
  C:\Windows\System\AjFgFhR.exe
  2⤵
  PID:16288
- C:\Windows\System\cOVGniC.exe
  C:\Windows\System\cOVGniC.exe
  2⤵
  PID:16308
- C:\Windows\System\EgzbXTm.exe
  C:\Windows\System\EgzbXTm.exe
  2⤵
  PID:16340
- C:\Windows\System\rBBAegB.exe
  C:\Windows\System\rBBAegB.exe
  2⤵
  PID:16372
- C:\Windows\System\juGAGii.exe
  C:\Windows\System\juGAGii.exe
  2⤵
  PID:15364
- C:\Windows\System\kUxArVZ.exe
  C:\Windows\System\kUxArVZ.exe
  2⤵
  PID:15412
- C:\Windows\System\nmwhfOJ.exe
  C:\Windows\System\nmwhfOJ.exe
  2⤵
  PID:15460
- C:\Windows\System\UkkgVLi.exe
  C:\Windows\System\UkkgVLi.exe
  2⤵
  PID:15536
- C:\Windows\System\TjwKCmf.exe
  C:\Windows\System\TjwKCmf.exe
  2⤵
  PID:15588
- C:\Windows\System\otwuzJv.exe
  C:\Windows\System\otwuzJv.exe
  2⤵
  PID:15660
- C:\Windows\System\rKwMtfk.exe
  C:\Windows\System\rKwMtfk.exe
  2⤵
  PID:3728
- C:\Windows\System\oVZFGnV.exe
  C:\Windows\System\oVZFGnV.exe
  2⤵
  PID:15748
- C:\Windows\System\FipVOUS.exe
  C:\Windows\System\FipVOUS.exe
  2⤵
  PID:15852
- C:\Windows\System\FWbJnbm.exe
  C:\Windows\System\FWbJnbm.exe
  2⤵
  PID:15872
- C:\Windows\System\vDQLcXs.exe
  C:\Windows\System\vDQLcXs.exe
  2⤵
  PID:15924
- C:\Windows\System\ugcUluD.exe
  C:\Windows\System\ugcUluD.exe
  2⤵
  PID:15980
- C:\Windows\System\OajLPWR.exe
  C:\Windows\System\OajLPWR.exe
  2⤵
  PID:16088
- C:\Windows\System\eyJqFuH.exe
  C:\Windows\System\eyJqFuH.exe
  2⤵
  PID:16120
- C:\Windows\System\UyYadUD.exe
  C:\Windows\System\UyYadUD.exe
  2⤵
  PID:16260
- C:\Windows\System\eAIoTYO.exe
  C:\Windows\System\eAIoTYO.exe
  2⤵
  PID:16224
- C:\Windows\System\gdvXBSk.exe
  C:\Windows\System\gdvXBSk.exe
  2⤵
  PID:16300
- C:\Windows\System\BCnhlwL.exe
  C:\Windows\System\BCnhlwL.exe
  2⤵
  PID:16320
- C:\Windows\System\PdYauYB.exe
  C:\Windows\System\PdYauYB.exe
  2⤵
  PID:15456
- C:\Windows\System\AIMghko.exe
  C:\Windows\System\AIMghko.exe
  2⤵
  PID:15504
- C:\Windows\System\iKwYYuo.exe
  C:\Windows\System\iKwYYuo.exe
  2⤵
  PID:15700
- C:\Windows\System\EaAsENn.exe
  C:\Windows\System\EaAsENn.exe
  2⤵
  PID:15876
- C:\Windows\System\hlUPeKU.exe
  C:\Windows\System\hlUPeKU.exe
  2⤵
  PID:16024
- C:\Windows\System\ltYgxfe.exe
  C:\Windows\System\ltYgxfe.exe
  2⤵
  PID:16048
- C:\Windows\System\knBqfNx.exe
  C:\Windows\System\knBqfNx.exe
  2⤵
  PID:16172
- C:\Windows\System\QAijYtM.exe
  C:\Windows\System\QAijYtM.exe
  2⤵
  PID:14556
- C:\Windows\System\gpkdRLO.exe
  C:\Windows\System\gpkdRLO.exe
  2⤵
  PID:15636
- C:\Windows\System\wDEXcET.exe
  C:\Windows\System\wDEXcET.exe
  2⤵
  PID:15612
- C:\Windows\System\IdTfiGz.exe
  C:\Windows\System\IdTfiGz.exe
  2⤵
  PID:15656
- C:\Windows\System\AiWGzOc.exe
  C:\Windows\System\AiWGzOc.exe
  2⤵
  PID:15664
- C:\Windows\System\TIHHjUU.exe
  C:\Windows\System\TIHHjUU.exe
  2⤵
  PID:16416
- C:\Windows\System\JpqYyOj.exe
  C:\Windows\System\JpqYyOj.exe
  2⤵
  PID:16440
- C:\Windows\System\AGUbtMp.exe
  C:\Windows\System\AGUbtMp.exe
  2⤵
  PID:16476
- C:\Windows\System\nsxOFDg.exe
  C:\Windows\System\nsxOFDg.exe
  2⤵
  PID:16504
- C:\Windows\System\xznkuxY.exe
  C:\Windows\System\xznkuxY.exe
  2⤵
  PID:16524
- C:\Windows\System\SexLUzU.exe
  C:\Windows\System\SexLUzU.exe
  2⤵
  PID:16556
- C:\Windows\System\pykSLLX.exe
  C:\Windows\System\pykSLLX.exe
  2⤵
  PID:16584
- C:\Windows\System\ZfwtIFl.exe
  C:\Windows\System\ZfwtIFl.exe
  2⤵
  PID:16616
- C:\Windows\System\qRkSwzJ.exe
  C:\Windows\System\qRkSwzJ.exe
  2⤵
  PID:16632
- C:\Windows\System\YiHVgcm.exe
  C:\Windows\System\YiHVgcm.exe
  2⤵
  PID:16672
- C:\Windows\System\qzBiFhk.exe
  C:\Windows\System\qzBiFhk.exe
  2⤵
  PID:16704
- C:\Windows\System\OzqlzXs.exe
  C:\Windows\System\OzqlzXs.exe
  2⤵
  PID:16732
- C:\Windows\System\leddMqL.exe
  C:\Windows\System\leddMqL.exe
  2⤵
  PID:16756
- C:\Windows\System\TvRcIuX.exe
  C:\Windows\System\TvRcIuX.exe
  2⤵
  PID:16784
- C:\Windows\System\gSvnbhp.exe
  C:\Windows\System\gSvnbhp.exe
  2⤵
  PID:16808
- C:\Windows\System\ZJzPJPo.exe
  C:\Windows\System\ZJzPJPo.exe
  2⤵
  PID:16828
- C:\Windows\System\wIHnIAm.exe
  C:\Windows\System\wIHnIAm.exe
  2⤵
  PID:16860
- C:\Windows\System\LQQizdr.exe
  C:\Windows\System\LQQizdr.exe
  2⤵
  PID:16892
- C:\Windows\System\ZdcWFvx.exe
  C:\Windows\System\ZdcWFvx.exe
  2⤵
  PID:16912
- C:\Windows\System\zWueLrR.exe
  C:\Windows\System\zWueLrR.exe
  2⤵
  PID:16948
- C:\Windows\System\oScnnQF.exe
  C:\Windows\System\oScnnQF.exe
  2⤵
  PID:16976
- C:\Windows\System\rwDbept.exe
  C:\Windows\System\rwDbept.exe
  2⤵
  PID:16996
- C:\Windows\System\nSgGxBT.exe
  C:\Windows\System\nSgGxBT.exe
  2⤵
  PID:17032
- C:\Windows\System\xuqrOFZ.exe
  C:\Windows\System\xuqrOFZ.exe
  2⤵
  PID:17064
- C:\Windows\System\GNvVtvD.exe
  C:\Windows\System\GNvVtvD.exe
  2⤵
  PID:17096
- C:\Windows\System\gSGHAWV.exe
  C:\Windows\System\gSGHAWV.exe
  2⤵
  PID:17140
- C:\Windows\System\EdnlXbc.exe
  C:\Windows\System\EdnlXbc.exe
  2⤵
  PID:17160
- C:\Windows\System\HubvFeG.exe
  C:\Windows\System\HubvFeG.exe
  2⤵
  PID:17200
- C:\Windows\System\lhJOdcN.exe
  C:\Windows\System\lhJOdcN.exe
  2⤵
  PID:17216
- C:\Windows\System\zYhWDxP.exe
  C:\Windows\System\zYhWDxP.exe
  2⤵
  PID:17256
- C:\Windows\System\cyxoQVv.exe
  C:\Windows\System\cyxoQVv.exe
  2⤵
  PID:17280
- C:\Windows\System\wyitIgP.exe
  C:\Windows\System\wyitIgP.exe
  2⤵
  PID:17300
- C:\Windows\System\LyeHmHW.exe
  C:\Windows\System\LyeHmHW.exe
  2⤵
  PID:17332
- C:\Windows\System\QysZnjq.exe
  C:\Windows\System\QysZnjq.exe
  2⤵
  PID:17356
- C:\Windows\System\IYOGaUG.exe
  C:\Windows\System\IYOGaUG.exe
  2⤵
  PID:17384
- C:\Windows\System\gKAsczA.exe
  C:\Windows\System\gKAsczA.exe
  2⤵
  PID:16200
- C:\Windows\System\KaugsQO.exe
  C:\Windows\System\KaugsQO.exe
  2⤵
  PID:16304
- C:\Windows\System\YyWMNZn.exe
  C:\Windows\System\YyWMNZn.exe
  2⤵
  PID:16460

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:16488
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10944

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:11824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:11708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:15712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:9904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7416

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11536

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14332

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4192

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11512

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14732

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13380

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15604

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0IN8USQP\microsoft.windows[1].xml

Filesize
97B

MD5
1047b4933128cb8c008ea0460c238826

SHA1
4abced55e5283e2eff9cc03335d2f3d47c2c95c1

SHA256
445c461d606b0eeab65c3c606a418abe9e3e87a69116e51d106e4496732a17fe

SHA512
150da1b9cac860943aa006b9b66c4f4bf3b9f26562a5cea99df95fe567bfbf542a3db426362f81e101871c45b9cc417a32ba0aec9bf7c8934b53f8b1e9b11f07

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133830136595505645.txt

Filesize
75KB

MD5
c149ebf19a04f75cd6d83b14b08e5971

SHA1
4413634f39fa0fcc6f993843fd8d96548a7b7aea

SHA256
bd4ac9e3f59b3bf979bf36fa91be53c83291901f2232e2ebf0ccb26f479c4d89

SHA512
e83e141b8ced6fb4846987bcf29f18ad42e31d61934f9a376bb73afe0d970dc48a023b66244d3cedb5457c2a2f5db550f124efe9913ec65e60e8a4afff098cbe

Download Submit
C:\Windows\System\KBtYwtJ.exe

Filesize
1.8MB

MD5
ae64588c949552edf5c1c975e78c0bfe

SHA1
2249ae0b8e4b3db8a69b4d749576f7c658cce7cf

SHA256
64865f7a1abd8ab655b894ce62d14d1f34d2c0079bd027412dc483cdc0e1538c

SHA512
339a1f590b7fa2d77eaf68e674eb8ba5f6eddbb23bdd41959852be646443629bc102598a1226e4c5ac49775f7b49c9bbde8da03584dc9502dde1cf3f92c2731a

Download Submit
C:\Windows\System\LWiDapb.exe

Filesize
1.8MB

MD5
c9afdb1f945e09e3d173f72ddc0d62a3

SHA1
880025f5b2b4f2a669a92f3eeab0583de9ca058a

SHA256
80569d401ee2af7ab3615e7828c5e7dae1920b8df122ff5958440a7694a1528a

SHA512
d603565a1591734712db92cb3d09910ceb46ac2db6063b4cfd2c1f8e570a80388ea62d99859a576fb4981d45b05281a87fa8c98871bf950d71abc3ca7403afe6

Download Submit
C:\Windows\System\MRATgOG.exe

Filesize
1.8MB

MD5
ed5944da254067120a5046b829bfbece

SHA1
2de04b2ce58e4e1b0972c83248371226de22db15

SHA256
b8c36712fa4123bfe964bfb6837653db98025239cf98065c3b9a4cd2baf44f9d

SHA512
8a62016299ecf5fa6d11c7b9bda40cb3f54dc434253c93fa3452845cfc8de242bec0adacf89e5e4130b077cd9232b071b4202a7cb04d1f1d7e5e4b5b891796f6

Download Submit
C:\Windows\System\OWvTlFZ.exe

Filesize
1.8MB

MD5
e463405a25732f542e3545c4985b7b02

SHA1
ac6106f6bec532c556e60ef2030e8c48c4d11668

SHA256
71c89e02d5e7566e212e9600fb092d3fbcc2788c695f0dcea63d6c58c9f66910

SHA512
07a5e421ad8f2e6bb187736cdfe309ad8a1f0299b26ac2ad628c88466edbcd9ab6c5fea50b38182c1002821fea06428afacc18b0915bed0d08ea8e6c142c72b5

Download Submit
C:\Windows\System\OuMVrUs.exe

Filesize
1.8MB

MD5
808cb4a6fb9a1a992a4b1d02f98600c7

SHA1
93541e40686f5870a192e96d2cadd4c09700627e

SHA256
aafcc835a1494a93bd7c2d5611bfde7384e2b95eb43bef4a0dbb73ead8347279

SHA512
4505fbd59367711938f547463f7c4b8397385636685da57d4e1f0045bc78a32f39f51b4da26e3c5c34f7d3dd318ceac8981bd89db83e54d0fecb18faa500ea6a

Download Submit
C:\Windows\System\RQHTSKf.exe

Filesize
1.8MB

MD5
7928b4208344d3a69e78c02cdedf39d1

SHA1
d77aca492ef1efb45824c20d0b8c13f26b15b5b5

SHA256
394e864c4eb05f353bdb6dcf1adfa7a3de164910d65d3ad077c34ca2c25cb417

SHA512
561184b44f0c227252e5a5bede2e30e69bd558475a1c374948b848031ce720d0cc5c8732d60eceb6b7c093267041bcf35d9abddf25c97d9da89499aa88317651

Download Submit
C:\Windows\System\RgBXYTL.exe

Filesize
1.8MB

MD5
8fc20af76d822443fc7f34bafb87d632

SHA1
af963202826a544d2e37c37065d6238a3ca8cfa7

SHA256
f70b44d3ba5f1f38cf98616037b4b9960e2ceaa372a22021571d9cf9f33d60d1

SHA512
9a45cfb9b5137bdb987a4a2503ac46bf500c56d949a0959e86f3cf82dac23116f0d5b9e81395ebf56b893e3773a72f1e1f06e362c0a18ba431efa36ecf2fe882

Download Submit
C:\Windows\System\RuoLtXb.exe

Filesize
1.8MB

MD5
3b3651ac6348d371f6f0c585444ac02e

SHA1
88e2c0bdce1e48d609dc946fbf2c43500aab60ca

SHA256
13bafa3b66e92e5abca9193e7c0aeca1f3b81d8ebfadd537985a6e8d3bd1fe26

SHA512
0b7ea7504f2204d23cc4855a20d5864eeac127564aaa4809149cb69b0ca208e84e9bfcdd8036e3ef1eb4e97e3cb81890938bbc897596cbb68f592eb9e58f5deb

Download Submit
C:\Windows\System\RvYNJxe.exe

Filesize
1.8MB

MD5
f22956c7d60501f13db5df7ccb438b08

SHA1
51736dc0775943e41d085907a59d32501c6bdabb

SHA256
523084677fd73fcd5eb75bd24735d37c6178ecb7e39618e9333d919be2c5e4b7

SHA512
cb3617b005a09d9551f0bc4dbc3ec30653c3ccde50a2480ac037b41ca570f056d15b64030ee52b5202d390297d6655123d166d54a25dfea1a1a6b418f8200e91

Download Submit
C:\Windows\System\SrjOfrz.exe

Filesize
1.8MB

MD5
ef2f686b9800ea86335715a009894a2a

SHA1
57b98fd276c7822ca916601e9b287fc631709f01

SHA256
23d11ecff6217ea21e7d98be4530de17494bc24d2e8095fe57b147067cbd0822

SHA512
38a4fc8695f4e79d0c84b95c4caa4450b0a8806ac96e7733698181ef9964f63f88f3fdb995715db0b3922cca05fd978f080f3a9b56e82c9995bc691dfe5f33c6

Download Submit
C:\Windows\System\VCbSdta.exe

Filesize
1.8MB

MD5
8f5f8377ddb6ed20535cec431e7646e1

SHA1
410fc214c0baa2727f1176afa3620e7b0aa69144

SHA256
6d0cbbd7d37bcefe2039dd33b765a6ea428a1d9c9f28ec460db0481c45f24a90

SHA512
47560473de21eb58507f7f79dd2e1d279b44edd0097c7f71cc714695f4411f82516f9dcb55383387d1071f5e57ccb1a55f1911be4408e9fbcb7c11c9bf1048a0

Download Submit
C:\Windows\System\WAcPjEe.exe

Filesize
1.8MB

MD5
efc2531ca3056d24a710209133281f94

SHA1
5459d1749b3d362280437dd89c3b9ae3e59d2a1d

SHA256
0d1062b2d1f6c01166cd61f618e1c2e80d423452d52844b3fa3d583de6b90f7b

SHA512
c8045885f5743ed16bf805f7d8d820334af27a7cdd27c63af740719d0aa28c887c7603d96e3398652d3f95a38bbf8b52b443a59ff06e013177f5bcfe738d6c5c

Download Submit
C:\Windows\System\WAdLaGY.exe

Filesize
1.8MB

MD5
8fe3ec0ebed2012ccd012333868c5bf4

SHA1
4d6590c24bd5a0b34e0d5164593ea0f2a2990615

SHA256
32897539b36ca967380c65858c0af62af2db5fcc734edd355cf499c85a61c56e

SHA512
efa6c27c1fea70f6826bfd459a989890b770f2278df4713cc1baea77bba67b5ca662ac6c407525b380af698307e97a8ee91519bcf8c6c950fa1b514c9b2d6be9

Download Submit
C:\Windows\System\XhbOHsM.exe

Filesize
1.8MB

MD5
e4db59c2979809bb1ca134111d860dc4

SHA1
7b5395716c8c11fd8f6a6335957dfc5d91ce8f1c

SHA256
a199d71844fe45803ace305388f04baa521f34c7eacf8728c4e1d317b95cc509

SHA512
8cd3bb1c18050621591a04ff596f36fe549ed685b2e8185948b39ea4ce98cbeb18e8da1afac1f1df0eba6bfeca2f6f167d78c769757d0226073e68a42528ae45

Download Submit
C:\Windows\System\diLnxsr.exe

Filesize
1.8MB

MD5
97d3e9a332306e7338c20f8fb7b63f7a

SHA1
5cbc5f173550e4d2565a67ef27c36d9b5df82ac2

SHA256
de91d40dc2b228572528842f3d57a36ec912adfac02b25f6f3fed7629d0e4088

SHA512
79c39e6aa16011f2a68cbb3e30be6ba67d589ab0f7e3e38dce56477349e78ff07f0f6ec022745f2f58aa5435ea68040a9280328b67396487bb3cf3378be98ce6

Download Submit
C:\Windows\System\iOnWMQJ.exe

Filesize
1.8MB

MD5
72906b0f90ba7f0dba2da5f172cc62c9

SHA1
b08d312cb7a59164a86c7d9e56703d54e988c01b

SHA256
84aa1a607c6dda9c20cdeeff90924db13937783bc45c6eac1485bb502d346442

SHA512
b9d063f39986c32f807ddd8dd449c9ef932d162c0c3196f12657a110f4339f02e50d8d4fa0a5adead00d66be6c36390dc1c2db969bba8f5aa54a5f3a71c7d2ea

Download Submit
C:\Windows\System\iYdOdQz.exe

Filesize
1.8MB

MD5
f9f29304fb65929d8f6355f942b4fb6e

SHA1
d17e92ad30d96714fd0863210126d9424bc75e93

SHA256
dafd6aed147ca41b3915e3cc437c8f6adddf7bc3c668bc135b015cb90ac87787

SHA512
9fefd8e0b4c5e00828a4c7c7fc58d89277404288636c684a26e2bc4dfe4bf2be4dd730b3e9791e99f783d8320cc02394e1210fe645780bc886ede82a5975d50c

Download Submit
C:\Windows\System\irCzoVf.exe

Filesize
1.8MB

MD5
efbba13e7537f819fc57e4968729d4b3

SHA1
aad6ab4fc9ce99ee2b177c650278d8bb9f92731a

SHA256
852c5f8753ce3ac560487361859477fa057570dea2489face51ed359be1b2752

SHA512
e789c3b87c61c49f27039570d4a93de6cce9dce6094628f6b6c17999592887664c14c695abf050bb9ebea8ad3275662034959b7593ce4fbd8908677d282fc814

Download Submit
C:\Windows\System\jKXMNqI.exe

Filesize
1.8MB

MD5
1b64d8d1c128b784a19d97078cd5d7f7

SHA1
5a9b5de3ba387794358c9d7e24455f60c2d849c2

SHA256
a6f565cc6a6f6c6fc67646c6c0684b4a3ce784cadd99a08b62a5ee27a55b779d

SHA512
2a8e5edc1dab597b39043db697d8e2788b7702a35240535f89f6d06a619787c954b63ac9f561f8fff9f3c0b03f5c3c9dab3c006e13ba005e7d78a14380dc8c6e

Download Submit
C:\Windows\System\kdHrrQp.exe

Filesize
1.8MB

MD5
7def26f072976088c7a0954cea6ebe6f

SHA1
f3c1745bbfb9e9fd2f76d2505b1d1eeda6661563

SHA256
a6d27d6cb6fe51b1c44fc6ab760718b179fd30569f70cae64845413ff0dbae87

SHA512
c06d21ed25d566ff5800e8812a94040713061da0e291344a458a62a16220e43a1fad64a7d9c5bc1c9d8e92a035ffb8c39783571a6d421afe86690e9a55530ee3

Download Submit
C:\Windows\System\lWkAHLM.exe

Filesize
1.8MB

MD5
28df1d66ea35b8b85edf7a9783cab83d

SHA1
2930a861505962cd2a8e89e0636f7a241d1c78fa

SHA256
d02b347cdec8f927b3b5e455e08664921bf56a0acebfd285dd29a59a3b39bcf6

SHA512
7afdcb58514a5660e903801876e9db10743f261a72ac39ae738c11a35dc3ffad33b00d98071f3fc60646543998939b713363ae85d91efec215f8ab36fac5226d

Download Submit
C:\Windows\System\lafjuFo.exe

Filesize
1.8MB

MD5
89e576f5f71861a441e695534309387c

SHA1
54403db7fc1ab72ad03cfc678523c3aafe85768f

SHA256
b5aabf9a6f6cbb2a49d91445261f2f4a23cc85e11b67a44a8c36b4b32befa0ab

SHA512
e9eb6ecb90febf18955058ceb016a773eff71ae1e9a380b416c262812e8c170f43577d159c7797bbe39340ad41779a325da462f63e98c0bddc6df934fb9847e8

Download Submit
C:\Windows\System\lrklHwC.exe

Filesize
1.8MB

MD5
13384833d1dbf2e43dd5e0167cc5c2cb

SHA1
0f182a9bdb6ed6dab246492ee1290677c810893c

SHA256
538c40d58ebbf92828902e08fe94127ac7e245278d84a6babd201afba2bdc392

SHA512
4dc57391de162df4c6e90d729f9be59da33a7ef071359ee6be58b4737277f96715c09d68638fa7977b3ea653aa4f166ab518cfefbeb70da727d959066257ec72

Download Submit
C:\Windows\System\osjXiJO.exe

Filesize
1.8MB

MD5
7c03cc87627ddc9df92fae500851cab9

SHA1
fb0dcd700a86757598fc8e7a792e1f769fd13963

SHA256
4694102fdb5d65672b29d24c44d6ba8401762a5cf1bb633aa150a6a0941edafd

SHA512
a8106fbe5b4f691261640992e9a5ffe469a11d7450d70c8eb562ab7f32280826d097a9909496cbc4f569f52bbe7522c6bf04328627637dd3107d5407daa08d54

Download Submit
C:\Windows\System\pGeoadj.exe

Filesize
1.8MB

MD5
09ea2d8e52280b9d3313434e246e44f8

SHA1
52668d92914f3fd69c90548d324e45ccaf60d0e6

SHA256
169c47b5a3c79f24a4a8a58d815085e6518668a3e459575cedafc4d8602ca062

SHA512
0447c639db68e150c6ab1cde5c049d2be30ee980883b64172d555fa59bf9bd8d69e77723bfd43232e982b630bee709ba58591dd7f8716cd6ab2ad3c49b84c307

Download Submit
C:\Windows\System\qxyGCal.exe

Filesize
1.8MB

MD5
9f4b147bd0aad8ef10d27b98456c7fb3

SHA1
bc12cc0f2b59118f72f3c847f8ca620a04af566e

SHA256
15b941d3dd015efe465b23449930071ed6ffab3e40a455cb0deca08177784d5e

SHA512
6c13a30c9ffa922abc0464feba69ed98ba72f21665ffe45a6c213824b75fe5e943f7c6dac82772f278d1dcb64e458daf89d3e4dd19a02a5fcf80819df070a835

Download Submit
C:\Windows\System\rGYChCR.exe

Filesize
1.8MB

MD5
723d01c664f7929ce24e6624dae2c672

SHA1
a344756f3fea20ee82879fc3a6e4a09a7105b50c

SHA256
515ed6c236ea2d4d6f14d98c80b7bcaceddb3e43d91e77d36100aa526de33d2f

SHA512
3d3f4171727b2b5116c1e5705351c86317a9c0b20661c78ea2f02749510048ab85ab1aa76e333a8516925131b5750a5531066e93ba624cce14b0b89cb396fe6d

Download Submit
C:\Windows\System\rqqVdCk.exe

Filesize
1.8MB

MD5
fce4bbf23852d3479b26c4e2d7a046e1

SHA1
ebfc6c4a596e53c8f796202abe06785b5b0525d3

SHA256
477d6410ec98192e1cc21708019f4a35078942ce578c932dc6f37123b7dc624a

SHA512
63d6d93fabe34dd34ebba4ec46a5b44cab90c17c326afd8df903ee66c5587308b45d66a5f82785845ab58d59d6d0af176de8b253ce67d3007ac34caa9f3841f9

Download Submit
C:\Windows\System\sTzcdOE.exe

Filesize
1.8MB

MD5
8acdf2f0478fa31696e48b833dc01e68

SHA1
1a5a2be6239438c4daa8da2d42b05a19f7a29b8b

SHA256
c68805a8ecddb4808fbff441ac6fba0606abf3a2b92fa2e9453f77593e921d03

SHA512
8df3c3f47e6a7e25f3a7a180ca3d23d410616e495fcfb473268d654936ef502cd1cd6d4500df8845b2fad6417b71ea529a20e90c56e456d934bb514db589d727

Download Submit
C:\Windows\System\sZGIayE.exe

Filesize
1.8MB

MD5
518c4ee92aff595374df625392620bed

SHA1
b517e47c1d431bbe06c9e17d3804c1ed5507f05d

SHA256
28c096458ac99b234579a2369d0fef53ff9ca9b88bab272150a73be0e7f54c39

SHA512
dd797658f1248278859195ec842528bb357648e6e2e8d231b49c844498a357a41c9b7579d7514dedf4b52802f0184dcebc97302a31175c99e5459ae794a07442

Download Submit
C:\Windows\System\sigxYLl.exe

Filesize
1.8MB

MD5
3d0c0e8c415ebdd63ed48129ce3c86e3

SHA1
43d8daf49713ce3c5eaee8a4ba2dccaac260babc

SHA256
5f6d082cc4a756bb495072c10e874342c50b3b02c2206a47fd0a3a0fac0deeba

SHA512
5907e8d513e51898448e1f3fda7ed9de411c184dbe13345b69b1c5ad20e3199a1363079d66145e3c15e03a2a54e53307a42e30432e4ba9b0669cdfd8dfc1e44c

Download Submit
C:\Windows\System\tarDjMz.exe

Filesize
1.8MB

MD5
c54c0a7e3a752976e606bf3fd302c4be

SHA1
0d7a2044137a6b8cd262cea984ac692ff293fd0d

SHA256
eac8febee1f669d815f4b3a433fffc4887ab15781023d719e913fef4ba50e459

SHA512
a9ce3c896cafdcea0ed5eb03d573276ee8dfa3999f449cb3e50c1830f463973a438f863d1dde740d319be82b47b9db22518a916bc03e9167613c94e7e65df4c8

Download Submit
C:\Windows\System\wbSEMZM.exe

Filesize
1.8MB

MD5
b54b6ebda652004c2e2cb09ebb35d377

SHA1
39f1787812bfed30b80f2f71bfe0c940e68458f8

SHA256
34f00d378ff06730f49653704f11433e650cca6c75493b8276cbd674c8bc1244

SHA512
8decda4d7ad3d1a099b40d3678be9eca2ed3da3d044b0591abf3e4cdad4a48521cc4675cc3cec484be6f74c8d2dac6df187e34e8a39c5fe6961032c23307d560

Download Submit
C:\Windows\System\wyPxjKn.exe

Filesize
1.8MB

MD5
385718b6d5a299b1e48a845edb87ac09

SHA1
f904f6efa02dd75b43d7b32b8f8aadd497ff220b

SHA256
81e936a315d0ffe93e7ed8523b9b6c094ba1616e9603bc7558378bc32e877719

SHA512
e0d1c425117635ee45b3d3cf806aefa3a0cd6ec52acfc075c007a07f7a402f2161076546190af9d81c692ac8a27612400e6eb107e248199b98f8fff46fa8a966

Download Submit
memory/3240-0-0x00000164D8A80000-0x00000164D8A90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads