xmrig | 24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c

Analysis

max time kernel
61s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
Size

1.4MB
MD5

47ae13cc614681279f1b1e1aca8ca951
SHA1

0488b09f668753094fb58372dd1a5dc62609a940
SHA256

24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c
SHA512

5f0a603ce9ab4b3890e6987c38b6ffa2652014837a37671b3a9e044e4106cb02aa030664d230eee128f200dbc8ffc6f332507b4c9354f4a0af4705f2ab2566c1
SSDEEP

24576:GezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbpwlKenszbWKDNEm/5p904aohckK:GezaTF8FcNkNdfE0pZ9ozttwIRxGDKZW

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000c000000023b95-4.dat	xmrig
behavioral2/files/0x0009000000023c7c-10.dat	xmrig
behavioral2/files/0x0007000000023c88-20.dat	xmrig
behavioral2/files/0x0007000000023c89-24.dat	xmrig
behavioral2/files/0x0007000000023c8b-35.dat	xmrig
behavioral2/files/0x0007000000023c8e-55.dat	xmrig
behavioral2/files/0x0007000000023c94-83.dat	xmrig
behavioral2/files/0x0007000000023c9f-134.dat	xmrig
behavioral2/files/0x0007000000023ca5-162.dat	xmrig
behavioral2/files/0x0007000000023ca3-160.dat	xmrig
behavioral2/files/0x0007000000023ca4-157.dat	xmrig
behavioral2/files/0x0007000000023ca2-155.dat	xmrig
behavioral2/files/0x0007000000023ca1-150.dat	xmrig
behavioral2/files/0x0007000000023ca0-145.dat	xmrig
behavioral2/files/0x0007000000023c9e-132.dat	xmrig
behavioral2/files/0x0007000000023c9d-128.dat	xmrig
behavioral2/files/0x0007000000023c9c-122.dat	xmrig
behavioral2/files/0x0007000000023c9b-118.dat	xmrig
behavioral2/files/0x0007000000023c9a-112.dat	xmrig
behavioral2/files/0x0007000000023c99-108.dat	xmrig
behavioral2/files/0x0007000000023c98-105.dat	xmrig
behavioral2/files/0x0007000000023c97-97.dat	xmrig
behavioral2/files/0x0007000000023c96-93.dat	xmrig
behavioral2/files/0x0007000000023c95-87.dat	xmrig
behavioral2/files/0x0007000000023c93-77.dat	xmrig
behavioral2/files/0x0007000000023c92-73.dat	xmrig
behavioral2/files/0x0007000000023c91-67.dat	xmrig
behavioral2/files/0x0007000000023c90-63.dat	xmrig
behavioral2/files/0x0007000000023c8f-58.dat	xmrig
behavioral2/files/0x0007000000023c8d-47.dat	xmrig
behavioral2/files/0x0007000000023c8c-43.dat	xmrig
behavioral2/files/0x0007000000023c8a-33.dat	xmrig
behavioral2/files/0x0009000000023c84-15.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2276	njLMbiO.exe
2016	obNqsMM.exe
2868	cIeQdnw.exe
4276	ZFHcxjW.exe
4868	AuuYbHW.exe
1080	zeBQyGF.exe
2284	zyPWoBG.exe
2324	KUpZZAQ.exe
552	IwXotIe.exe
2076	LNNmtvX.exe
2220	SqQWwtv.exe
2836	QPrJyvj.exe
524	djuDmrY.exe
3356	FheGfug.exe
2948	hGKesYa.exe
4624	BqAnIbf.exe
4152	DNtDapI.exe
2384	XUfLwKK.exe
4208	FabsEUY.exe
2240	oHaItjj.exe
560	KXGjSqf.exe
4456	hJSknZw.exe
1584	OcvkcfT.exe
1536	fAMCSvq.exe
1452	ycgYLdD.exe
1292	AHOmBAB.exe
4980	pbdfKEn.exe
1108	qWEjwNM.exe
1388	VqjSjyp.exe
3884	HIIMCdY.exe
2832	rdyfQsb.exe
2472	BljCvdg.exe
740	Grzagdc.exe
2464	RlfUcQW.exe
4592	MYBfXut.exe
4804	bjgXbWh.exe
4772	NpoIxZn.exe
3260	IiacuVT.exe
428	BvefwQl.exe
1048	xAnAOAX.exe
3808	GrVzBTl.exe
3772	JTVzjVI.exe
3396	ChkWYVV.exe
3084	RkPBJVJ.exe
4328	daWVDrI.exe
1804	TmgxYlg.exe
4304	cZZjTtZ.exe
800	OvdYfGM.exe
2336	DhuYhNl.exe
2912	VaFfzij.exe
2416	bDGWmBm.exe
1084	EeBkunP.exe
4812	LcjSTWK.exe
3032	hRLMsEi.exe
1740	tcqoOJW.exe
736	wBKfKkQ.exe
1756	esaUKUM.exe
3040	iWxaguX.exe
3876	cnDpKZB.exe
2068	tHXvLYU.exe
4132	aFJdgzD.exe
3780	SAjqkrf.exe
1980	WAolBVx.exe
1968	SwrGAJn.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\yHaBIQf.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\iJphZzl.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\nqaPxGH.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\DmjNpfI.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\dejPSML.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\WSmVANh.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\JEANUhB.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ArJXMFp.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\mRwjyvv.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\bjgXbWh.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\jZQSzpG.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\kZYQcKl.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\FyLaURk.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ewTDBmM.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\vCmDeNm.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ZScXQGj.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\evVaiog.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\KIaxMpP.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\GWmaqvM.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\DNtUAoC.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\MWioFXN.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\dNnjhvF.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\OlwElzG.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\UBqEWZW.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\PPBGttC.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\HJfAYCb.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\QQLgakB.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\oNCtuTf.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\fGYUXDF.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\zmtVFxn.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\FJJinnh.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\LLsRFew.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\nmdujnB.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\BENosHp.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\IPjbsaB.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\XPAJuvQ.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\bdzRoVk.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\hxGglZP.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\egjsbvZ.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\qiWDeWa.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\lGErNvd.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\TrhLRTK.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ppXbmqv.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\SQiXuyJ.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\UuBpxZq.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\TvCLrfw.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\zfKGwss.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\UXbAQui.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ERcezhD.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\SpLXsQU.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\xjULFJK.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\LlJNhcM.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\JLmHcKt.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\YEqGlYR.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\mJVrSWe.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\GHMRWmJ.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\bKiftQo.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\PwTLzMu.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\tsdhrDH.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\SuHvIVX.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\YoqxcZV.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\ismrfTq.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\QqIcXhH.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
File created	C:\Windows\System\GyJcnSj.exe	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14766"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2211717155-842865201-3404093980-1000\{AAC8AA3E-4899-4557-A641-D5150F9E3ACE}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14799"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	16812	explorer.exe
Token: SeCreatePagefilePrivilege	16812	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	3144	explorer.exe
Token: SeCreatePagefilePrivilege	3144	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
16408	sihost.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
16812	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
3144	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe
8136	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
17284	StartMenuExperienceHost.exe
660	StartMenuExperienceHost.exe
5476	StartMenuExperienceHost.exe
5500	SearchApp.exe
8312	StartMenuExperienceHost.exe
8816	SearchApp.exe
10464	StartMenuExperienceHost.exe
11116	SearchApp.exe
5080	StartMenuExperienceHost.exe
17244	SearchApp.exe
5344	StartMenuExperienceHost.exe
13824	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2276	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	84
PID 1060 wrote to memory of 2276	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	84
PID 1060 wrote to memory of 2016	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	85
PID 1060 wrote to memory of 2016	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	85
PID 1060 wrote to memory of 2868	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	86
PID 1060 wrote to memory of 2868	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	86
PID 1060 wrote to memory of 4276	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	88
PID 1060 wrote to memory of 4276	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	88
PID 1060 wrote to memory of 4868	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	89
PID 1060 wrote to memory of 4868	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	89
PID 1060 wrote to memory of 1080	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	90
PID 1060 wrote to memory of 1080	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	90
PID 1060 wrote to memory of 2284	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	91
PID 1060 wrote to memory of 2284	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	91
PID 1060 wrote to memory of 2324	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	92
PID 1060 wrote to memory of 2324	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	92
PID 1060 wrote to memory of 552	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	93
PID 1060 wrote to memory of 552	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	93
PID 1060 wrote to memory of 2076	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	94
PID 1060 wrote to memory of 2076	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	94
PID 1060 wrote to memory of 2220	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	95
PID 1060 wrote to memory of 2220	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	95
PID 1060 wrote to memory of 2836	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	96
PID 1060 wrote to memory of 2836	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	96
PID 1060 wrote to memory of 524	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	97
PID 1060 wrote to memory of 524	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	97
PID 1060 wrote to memory of 3356	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	98
PID 1060 wrote to memory of 3356	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	98
PID 1060 wrote to memory of 2948	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	99
PID 1060 wrote to memory of 2948	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	99
PID 1060 wrote to memory of 4624	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	100
PID 1060 wrote to memory of 4624	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	100
PID 1060 wrote to memory of 4152	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	101
PID 1060 wrote to memory of 4152	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	101
PID 1060 wrote to memory of 2384	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	102
PID 1060 wrote to memory of 2384	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	102
PID 1060 wrote to memory of 4208	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	103
PID 1060 wrote to memory of 4208	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	103
PID 1060 wrote to memory of 2240	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	104
PID 1060 wrote to memory of 2240	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	104
PID 1060 wrote to memory of 560	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	105
PID 1060 wrote to memory of 560	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	105
PID 1060 wrote to memory of 4456	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	106
PID 1060 wrote to memory of 4456	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	106
PID 1060 wrote to memory of 1584	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	107
PID 1060 wrote to memory of 1584	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	107
PID 1060 wrote to memory of 1536	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	108
PID 1060 wrote to memory of 1536	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	108
PID 1060 wrote to memory of 1452	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	109
PID 1060 wrote to memory of 1452	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	109
PID 1060 wrote to memory of 1292	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	110
PID 1060 wrote to memory of 1292	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	110
PID 1060 wrote to memory of 4980	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	111
PID 1060 wrote to memory of 4980	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	111
PID 1060 wrote to memory of 1108	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	112
PID 1060 wrote to memory of 1108	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	112
PID 1060 wrote to memory of 1388	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	113
PID 1060 wrote to memory of 1388	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	113
PID 1060 wrote to memory of 3884	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	114
PID 1060 wrote to memory of 3884	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	114
PID 1060 wrote to memory of 2832	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	115
PID 1060 wrote to memory of 2832	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	115
PID 1060 wrote to memory of 2472	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	116
PID 1060 wrote to memory of 2472	1060	24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe	116

C:\Users\Admin\AppData\Local\Temp\24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe
"C:\Users\Admin\AppData\Local\Temp\24b36375cd8cee80c4c9e6659cf0799e2f01628e13f89c99cba7494e37460d0c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System\njLMbiO.exe
  C:\Windows\System\njLMbiO.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\obNqsMM.exe
  C:\Windows\System\obNqsMM.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\cIeQdnw.exe
  C:\Windows\System\cIeQdnw.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\ZFHcxjW.exe
  C:\Windows\System\ZFHcxjW.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\AuuYbHW.exe
  C:\Windows\System\AuuYbHW.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\zeBQyGF.exe
  C:\Windows\System\zeBQyGF.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\zyPWoBG.exe
  C:\Windows\System\zyPWoBG.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\KUpZZAQ.exe
  C:\Windows\System\KUpZZAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\IwXotIe.exe
  C:\Windows\System\IwXotIe.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\LNNmtvX.exe
  C:\Windows\System\LNNmtvX.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\SqQWwtv.exe
  C:\Windows\System\SqQWwtv.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\QPrJyvj.exe
  C:\Windows\System\QPrJyvj.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\djuDmrY.exe
  C:\Windows\System\djuDmrY.exe
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\System\FheGfug.exe
  C:\Windows\System\FheGfug.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\hGKesYa.exe
  C:\Windows\System\hGKesYa.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\BqAnIbf.exe
  C:\Windows\System\BqAnIbf.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\DNtDapI.exe
  C:\Windows\System\DNtDapI.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\XUfLwKK.exe
  C:\Windows\System\XUfLwKK.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\FabsEUY.exe
  C:\Windows\System\FabsEUY.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\oHaItjj.exe
  C:\Windows\System\oHaItjj.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\KXGjSqf.exe
  C:\Windows\System\KXGjSqf.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\hJSknZw.exe
  C:\Windows\System\hJSknZw.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\OcvkcfT.exe
  C:\Windows\System\OcvkcfT.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\fAMCSvq.exe
  C:\Windows\System\fAMCSvq.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\ycgYLdD.exe
  C:\Windows\System\ycgYLdD.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\AHOmBAB.exe
  C:\Windows\System\AHOmBAB.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\pbdfKEn.exe
  C:\Windows\System\pbdfKEn.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\qWEjwNM.exe
  C:\Windows\System\qWEjwNM.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\VqjSjyp.exe
  C:\Windows\System\VqjSjyp.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\HIIMCdY.exe
  C:\Windows\System\HIIMCdY.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\rdyfQsb.exe
  C:\Windows\System\rdyfQsb.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\BljCvdg.exe
  C:\Windows\System\BljCvdg.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\Grzagdc.exe
  C:\Windows\System\Grzagdc.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\RlfUcQW.exe
  C:\Windows\System\RlfUcQW.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\MYBfXut.exe
  C:\Windows\System\MYBfXut.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\bjgXbWh.exe
  C:\Windows\System\bjgXbWh.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\NpoIxZn.exe
  C:\Windows\System\NpoIxZn.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\IiacuVT.exe
  C:\Windows\System\IiacuVT.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\BvefwQl.exe
  C:\Windows\System\BvefwQl.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\xAnAOAX.exe
  C:\Windows\System\xAnAOAX.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\GrVzBTl.exe
  C:\Windows\System\GrVzBTl.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\JTVzjVI.exe
  C:\Windows\System\JTVzjVI.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\ChkWYVV.exe
  C:\Windows\System\ChkWYVV.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\RkPBJVJ.exe
  C:\Windows\System\RkPBJVJ.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\daWVDrI.exe
  C:\Windows\System\daWVDrI.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\TmgxYlg.exe
  C:\Windows\System\TmgxYlg.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\cZZjTtZ.exe
  C:\Windows\System\cZZjTtZ.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\OvdYfGM.exe
  C:\Windows\System\OvdYfGM.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\DhuYhNl.exe
  C:\Windows\System\DhuYhNl.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\VaFfzij.exe
  C:\Windows\System\VaFfzij.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\bDGWmBm.exe
  C:\Windows\System\bDGWmBm.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\EeBkunP.exe
  C:\Windows\System\EeBkunP.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\LcjSTWK.exe
  C:\Windows\System\LcjSTWK.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\hRLMsEi.exe
  C:\Windows\System\hRLMsEi.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\tcqoOJW.exe
  C:\Windows\System\tcqoOJW.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\wBKfKkQ.exe
  C:\Windows\System\wBKfKkQ.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\esaUKUM.exe
  C:\Windows\System\esaUKUM.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\iWxaguX.exe
  C:\Windows\System\iWxaguX.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\cnDpKZB.exe
  C:\Windows\System\cnDpKZB.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\tHXvLYU.exe
  C:\Windows\System\tHXvLYU.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\aFJdgzD.exe
  C:\Windows\System\aFJdgzD.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\SAjqkrf.exe
  C:\Windows\System\SAjqkrf.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\WAolBVx.exe
  C:\Windows\System\WAolBVx.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\SwrGAJn.exe
  C:\Windows\System\SwrGAJn.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\KrxHaml.exe
  C:\Windows\System\KrxHaml.exe
  2⤵
  PID:2156
- C:\Windows\System\NtyDnKO.exe
  C:\Windows\System\NtyDnKO.exe
  2⤵
  PID:3512
- C:\Windows\System\nNqHALZ.exe
  C:\Windows\System\nNqHALZ.exe
  2⤵
  PID:4076
- C:\Windows\System\DufDxWU.exe
  C:\Windows\System\DufDxWU.exe
  2⤵
  PID:4836
- C:\Windows\System\wZGvBhd.exe
  C:\Windows\System\wZGvBhd.exe
  2⤵
  PID:684
- C:\Windows\System\xLoYBpd.exe
  C:\Windows\System\xLoYBpd.exe
  2⤵
  PID:4120
- C:\Windows\System\DJFUewb.exe
  C:\Windows\System\DJFUewb.exe
  2⤵
  PID:3336
- C:\Windows\System\OAapjAH.exe
  C:\Windows\System\OAapjAH.exe
  2⤵
  PID:2608
- C:\Windows\System\egqgZMZ.exe
  C:\Windows\System\egqgZMZ.exe
  2⤵
  PID:5056
- C:\Windows\System\gHijxSA.exe
  C:\Windows\System\gHijxSA.exe
  2⤵
  PID:60
- C:\Windows\System\YVPOhCU.exe
  C:\Windows\System\YVPOhCU.exe
  2⤵
  PID:3212
- C:\Windows\System\BhITCYN.exe
  C:\Windows\System\BhITCYN.exe
  2⤵
  PID:1660
- C:\Windows\System\kPdrXBB.exe
  C:\Windows\System\kPdrXBB.exe
  2⤵
  PID:2520
- C:\Windows\System\wJBWtbo.exe
  C:\Windows\System\wJBWtbo.exe
  2⤵
  PID:4776
- C:\Windows\System\pyqDgKO.exe
  C:\Windows\System\pyqDgKO.exe
  2⤵
  PID:3784
- C:\Windows\System\LnXHhPw.exe
  C:\Windows\System\LnXHhPw.exe
  2⤵
  PID:4408
- C:\Windows\System\dEmTWgA.exe
  C:\Windows\System\dEmTWgA.exe
  2⤵
  PID:3056
- C:\Windows\System\VENKBXv.exe
  C:\Windows\System\VENKBXv.exe
  2⤵
  PID:8
- C:\Windows\System\jIuPVVL.exe
  C:\Windows\System\jIuPVVL.exe
  2⤵
  PID:4660
- C:\Windows\System\bofWtGU.exe
  C:\Windows\System\bofWtGU.exe
  2⤵
  PID:4108
- C:\Windows\System\hbpTuCI.exe
  C:\Windows\System\hbpTuCI.exe
  2⤵
  PID:1864
- C:\Windows\System\UBfaCqV.exe
  C:\Windows\System\UBfaCqV.exe
  2⤵
  PID:2536
- C:\Windows\System\BtwcIiW.exe
  C:\Windows\System\BtwcIiW.exe
  2⤵
  PID:4340
- C:\Windows\System\wrXFziV.exe
  C:\Windows\System\wrXFziV.exe
  2⤵
  PID:3888
- C:\Windows\System\jjjSgoU.exe
  C:\Windows\System\jjjSgoU.exe
  2⤵
  PID:5144
- C:\Windows\System\vdyhZSK.exe
  C:\Windows\System\vdyhZSK.exe
  2⤵
  PID:5176
- C:\Windows\System\pleZqWD.exe
  C:\Windows\System\pleZqWD.exe
  2⤵
  PID:5204
- C:\Windows\System\CDxcuNo.exe
  C:\Windows\System\CDxcuNo.exe
  2⤵
  PID:5232
- C:\Windows\System\sQKTkXN.exe
  C:\Windows\System\sQKTkXN.exe
  2⤵
  PID:5256
- C:\Windows\System\RHCrNWl.exe
  C:\Windows\System\RHCrNWl.exe
  2⤵
  PID:5288
- C:\Windows\System\OrYChgQ.exe
  C:\Windows\System\OrYChgQ.exe
  2⤵
  PID:5316
- C:\Windows\System\CLmaWij.exe
  C:\Windows\System\CLmaWij.exe
  2⤵
  PID:5344
- C:\Windows\System\LFchzRT.exe
  C:\Windows\System\LFchzRT.exe
  2⤵
  PID:5368
- C:\Windows\System\hKEjvys.exe
  C:\Windows\System\hKEjvys.exe
  2⤵
  PID:5400
- C:\Windows\System\uYMHPxX.exe
  C:\Windows\System\uYMHPxX.exe
  2⤵
  PID:5428
- C:\Windows\System\AWYbvwP.exe
  C:\Windows\System\AWYbvwP.exe
  2⤵
  PID:5456
- C:\Windows\System\JRqPNtQ.exe
  C:\Windows\System\JRqPNtQ.exe
  2⤵
  PID:5480
- C:\Windows\System\jdUJDmb.exe
  C:\Windows\System\jdUJDmb.exe
  2⤵
  PID:5512
- C:\Windows\System\duMUflM.exe
  C:\Windows\System\duMUflM.exe
  2⤵
  PID:5540
- C:\Windows\System\kgkJAjs.exe
  C:\Windows\System\kgkJAjs.exe
  2⤵
  PID:5568
- C:\Windows\System\gPduBoK.exe
  C:\Windows\System\gPduBoK.exe
  2⤵
  PID:5596
- C:\Windows\System\jxcMZxb.exe
  C:\Windows\System\jxcMZxb.exe
  2⤵
  PID:5620
- C:\Windows\System\ltlVCIA.exe
  C:\Windows\System\ltlVCIA.exe
  2⤵
  PID:5656
- C:\Windows\System\WiRtaTg.exe
  C:\Windows\System\WiRtaTg.exe
  2⤵
  PID:5684
- C:\Windows\System\WBvqtWd.exe
  C:\Windows\System\WBvqtWd.exe
  2⤵
  PID:5716
- C:\Windows\System\CKIsiLg.exe
  C:\Windows\System\CKIsiLg.exe
  2⤵
  PID:5740
- C:\Windows\System\OqsJGeU.exe
  C:\Windows\System\OqsJGeU.exe
  2⤵
  PID:5772
- C:\Windows\System\RwqnyLT.exe
  C:\Windows\System\RwqnyLT.exe
  2⤵
  PID:5804
- C:\Windows\System\uddIAed.exe
  C:\Windows\System\uddIAed.exe
  2⤵
  PID:5828
- C:\Windows\System\CVbIcjM.exe
  C:\Windows\System\CVbIcjM.exe
  2⤵
  PID:5860
- C:\Windows\System\QoQmzVp.exe
  C:\Windows\System\QoQmzVp.exe
  2⤵
  PID:5884
- C:\Windows\System\lFdrVJP.exe
  C:\Windows\System\lFdrVJP.exe
  2⤵
  PID:5916
- C:\Windows\System\jFIOQUm.exe
  C:\Windows\System\jFIOQUm.exe
  2⤵
  PID:5940
- C:\Windows\System\PDnCeAu.exe
  C:\Windows\System\PDnCeAu.exe
  2⤵
  PID:5960
- C:\Windows\System\ERcezhD.exe
  C:\Windows\System\ERcezhD.exe
  2⤵
  PID:5988
- C:\Windows\System\QrcDXvs.exe
  C:\Windows\System\QrcDXvs.exe
  2⤵
  PID:6016
- C:\Windows\System\rrNYUdb.exe
  C:\Windows\System\rrNYUdb.exe
  2⤵
  PID:6040
- C:\Windows\System\KERRiWv.exe
  C:\Windows\System\KERRiWv.exe
  2⤵
  PID:6072
- C:\Windows\System\WKebFIB.exe
  C:\Windows\System\WKebFIB.exe
  2⤵
  PID:6100
- C:\Windows\System\xUkyqld.exe
  C:\Windows\System\xUkyqld.exe
  2⤵
  PID:6128
- C:\Windows\System\IOsUkkv.exe
  C:\Windows\System\IOsUkkv.exe
  2⤵
  PID:3388
- C:\Windows\System\ArJXMFp.exe
  C:\Windows\System\ArJXMFp.exe
  2⤵
  PID:1004
- C:\Windows\System\vHWnBUm.exe
  C:\Windows\System\vHWnBUm.exe
  2⤵
  PID:5088
- C:\Windows\System\dKcNZkY.exe
  C:\Windows\System\dKcNZkY.exe
  2⤵
  PID:4584
- C:\Windows\System\FodDPow.exe
  C:\Windows\System\FodDPow.exe
  2⤵
  PID:4508
- C:\Windows\System\hROblgs.exe
  C:\Windows\System\hROblgs.exe
  2⤵
  PID:1680
- C:\Windows\System\AoBRkyY.exe
  C:\Windows\System\AoBRkyY.exe
  2⤵
  PID:3484
- C:\Windows\System\ObFHkXh.exe
  C:\Windows\System\ObFHkXh.exe
  2⤵
  PID:5136
- C:\Windows\System\uZsCCiZ.exe
  C:\Windows\System\uZsCCiZ.exe
  2⤵
  PID:5192
- C:\Windows\System\SAIdJxU.exe
  C:\Windows\System\SAIdJxU.exe
  2⤵
  PID:5252
- C:\Windows\System\HrYvryo.exe
  C:\Windows\System\HrYvryo.exe
  2⤵
  PID:5336
- C:\Windows\System\cLHgNLA.exe
  C:\Windows\System\cLHgNLA.exe
  2⤵
  PID:5388
- C:\Windows\System\wcjRGaz.exe
  C:\Windows\System\wcjRGaz.exe
  2⤵
  PID:5464
- C:\Windows\System\nCWrZDe.exe
  C:\Windows\System\nCWrZDe.exe
  2⤵
  PID:5528
- C:\Windows\System\tOipdPp.exe
  C:\Windows\System\tOipdPp.exe
  2⤵
  PID:5588
- C:\Windows\System\bHOuNeu.exe
  C:\Windows\System\bHOuNeu.exe
  2⤵
  PID:5652
- C:\Windows\System\gYqKgor.exe
  C:\Windows\System\gYqKgor.exe
  2⤵
  PID:5728
- C:\Windows\System\jxVcwyu.exe
  C:\Windows\System\jxVcwyu.exe
  2⤵
  PID:5788
- C:\Windows\System\ySwZKpR.exe
  C:\Windows\System\ySwZKpR.exe
  2⤵
  PID:5848
- C:\Windows\System\zwdVNaR.exe
  C:\Windows\System\zwdVNaR.exe
  2⤵
  PID:5904
- C:\Windows\System\qeEEUMT.exe
  C:\Windows\System\qeEEUMT.exe
  2⤵
  PID:5976
- C:\Windows\System\VaTgjfl.exe
  C:\Windows\System\VaTgjfl.exe
  2⤵
  PID:6032
- C:\Windows\System\STUcNNT.exe
  C:\Windows\System\STUcNNT.exe
  2⤵
  PID:6092
- C:\Windows\System\KhViKXU.exe
  C:\Windows\System\KhViKXU.exe
  2⤵
  PID:4936
- C:\Windows\System\LdISixD.exe
  C:\Windows\System\LdISixD.exe
  2⤵
  PID:1904
- C:\Windows\System\IgWAvZt.exe
  C:\Windows\System\IgWAvZt.exe
  2⤵
  PID:4436
- C:\Windows\System\EuOxWul.exe
  C:\Windows\System\EuOxWul.exe
  2⤵
  PID:1408
- C:\Windows\System\PYYigFB.exe
  C:\Windows\System\PYYigFB.exe
  2⤵
  PID:5184
- C:\Windows\System\cGrGXWE.exe
  C:\Windows\System\cGrGXWE.exe
  2⤵
  PID:5332
- C:\Windows\System\wgYgNrl.exe
  C:\Windows\System\wgYgNrl.exe
  2⤵
  PID:5492
- C:\Windows\System\TBCXzeR.exe
  C:\Windows\System\TBCXzeR.exe
  2⤵
  PID:3184
- C:\Windows\System\ecSNija.exe
  C:\Windows\System\ecSNija.exe
  2⤵
  PID:5696
- C:\Windows\System\ZTkDIJG.exe
  C:\Windows\System\ZTkDIJG.exe
  2⤵
  PID:5824
- C:\Windows\System\faZWWct.exe
  C:\Windows\System\faZWWct.exe
  2⤵
  PID:5952
- C:\Windows\System\pBMBkVv.exe
  C:\Windows\System\pBMBkVv.exe
  2⤵
  PID:6080
- C:\Windows\System\imwlJYX.exe
  C:\Windows\System\imwlJYX.exe
  2⤵
  PID:2488
- C:\Windows\System\dvyVTNg.exe
  C:\Windows\System\dvyVTNg.exe
  2⤵
  PID:4888
- C:\Windows\System\fNkNGrH.exe
  C:\Windows\System\fNkNGrH.exe
  2⤵
  PID:3600
- C:\Windows\System\uqWmjQD.exe
  C:\Windows\System\uqWmjQD.exe
  2⤵
  PID:1412
- C:\Windows\System\hwEMhsz.exe
  C:\Windows\System\hwEMhsz.exe
  2⤵
  PID:5556
- C:\Windows\System\EOGwhMb.exe
  C:\Windows\System\EOGwhMb.exe
  2⤵
  PID:5760
- C:\Windows\System\TYyuHha.exe
  C:\Windows\System\TYyuHha.exe
  2⤵
  PID:5936
- C:\Windows\System\RTXpVbb.exe
  C:\Windows\System\RTXpVbb.exe
  2⤵
  PID:4880
- C:\Windows\System\uJAKeHd.exe
  C:\Windows\System\uJAKeHd.exe
  2⤵
  PID:3328
- C:\Windows\System\qDaVsPO.exe
  C:\Windows\System\qDaVsPO.exe
  2⤵
  PID:3924
- C:\Windows\System\sWSzPpc.exe
  C:\Windows\System\sWSzPpc.exe
  2⤵
  PID:6248
- C:\Windows\System\Xfarpbc.exe
  C:\Windows\System\Xfarpbc.exe
  2⤵
  PID:6284
- C:\Windows\System\vIgjuaK.exe
  C:\Windows\System\vIgjuaK.exe
  2⤵
  PID:6312
- C:\Windows\System\WUkiKMv.exe
  C:\Windows\System\WUkiKMv.exe
  2⤵
  PID:6336
- C:\Windows\System\eeBsTvY.exe
  C:\Windows\System\eeBsTvY.exe
  2⤵
  PID:6356
- C:\Windows\System\NkoTwUb.exe
  C:\Windows\System\NkoTwUb.exe
  2⤵
  PID:6396
- C:\Windows\System\yHaBIQf.exe
  C:\Windows\System\yHaBIQf.exe
  2⤵
  PID:6424
- C:\Windows\System\ZpRNhSb.exe
  C:\Windows\System\ZpRNhSb.exe
  2⤵
  PID:6452
- C:\Windows\System\ZWgPivv.exe
  C:\Windows\System\ZWgPivv.exe
  2⤵
  PID:6504
- C:\Windows\System\GuxtEZS.exe
  C:\Windows\System\GuxtEZS.exe
  2⤵
  PID:6540
- C:\Windows\System\mXVfFtr.exe
  C:\Windows\System\mXVfFtr.exe
  2⤵
  PID:6556
- C:\Windows\System\CUwMipn.exe
  C:\Windows\System\CUwMipn.exe
  2⤵
  PID:6580
- C:\Windows\System\wXgIqVx.exe
  C:\Windows\System\wXgIqVx.exe
  2⤵
  PID:6628
- C:\Windows\System\ryqhOOf.exe
  C:\Windows\System\ryqhOOf.exe
  2⤵
  PID:6684
- C:\Windows\System\OeZFkhZ.exe
  C:\Windows\System\OeZFkhZ.exe
  2⤵
  PID:6704
- C:\Windows\System\RuJGcns.exe
  C:\Windows\System\RuJGcns.exe
  2⤵
  PID:6724
- C:\Windows\System\soNbYik.exe
  C:\Windows\System\soNbYik.exe
  2⤵
  PID:6744
- C:\Windows\System\VnYgTvJ.exe
  C:\Windows\System\VnYgTvJ.exe
  2⤵
  PID:6776
- C:\Windows\System\xlKtnTB.exe
  C:\Windows\System\xlKtnTB.exe
  2⤵
  PID:6800
- C:\Windows\System\YoqxcZV.exe
  C:\Windows\System\YoqxcZV.exe
  2⤵
  PID:6824
- C:\Windows\System\qpBROUb.exe
  C:\Windows\System\qpBROUb.exe
  2⤵
  PID:6840
- C:\Windows\System\kzEfHIh.exe
  C:\Windows\System\kzEfHIh.exe
  2⤵
  PID:6860
- C:\Windows\System\tKbYSDT.exe
  C:\Windows\System\tKbYSDT.exe
  2⤵
  PID:6880
- C:\Windows\System\BUJLvIZ.exe
  C:\Windows\System\BUJLvIZ.exe
  2⤵
  PID:6904
- C:\Windows\System\eiKOANw.exe
  C:\Windows\System\eiKOANw.exe
  2⤵
  PID:6932
- C:\Windows\System\bdzRoVk.exe
  C:\Windows\System\bdzRoVk.exe
  2⤵
  PID:6972
- C:\Windows\System\SvAgpiF.exe
  C:\Windows\System\SvAgpiF.exe
  2⤵
  PID:6996
- C:\Windows\System\qsuLAna.exe
  C:\Windows\System\qsuLAna.exe
  2⤵
  PID:7036
- C:\Windows\System\khKXoqD.exe
  C:\Windows\System\khKXoqD.exe
  2⤵
  PID:7092
- C:\Windows\System\fgvSBYY.exe
  C:\Windows\System\fgvSBYY.exe
  2⤵
  PID:7120
- C:\Windows\System\BfrCDye.exe
  C:\Windows\System\BfrCDye.exe
  2⤵
  PID:7152
- C:\Windows\System\PYszeOJ.exe
  C:\Windows\System\PYszeOJ.exe
  2⤵
  PID:4148
- C:\Windows\System\xQWxtNR.exe
  C:\Windows\System\xQWxtNR.exe
  2⤵
  PID:3044
- C:\Windows\System\YEgOqQQ.exe
  C:\Windows\System\YEgOqQQ.exe
  2⤵
  PID:380
- C:\Windows\System\YUumdmm.exe
  C:\Windows\System\YUumdmm.exe
  2⤵
  PID:2972
- C:\Windows\System\HWaTWNO.exe
  C:\Windows\System\HWaTWNO.exe
  2⤵
  PID:2952
- C:\Windows\System\KEOimTr.exe
  C:\Windows\System\KEOimTr.exe
  2⤵
  PID:620
- C:\Windows\System\XRfAvSr.exe
  C:\Windows\System\XRfAvSr.exe
  2⤵
  PID:912
- C:\Windows\System\JMfiyxw.exe
  C:\Windows\System\JMfiyxw.exe
  2⤵
  PID:6164
- C:\Windows\System\wgnxovp.exe
  C:\Windows\System\wgnxovp.exe
  2⤵
  PID:3532
- C:\Windows\System\DmjNpfI.exe
  C:\Windows\System\DmjNpfI.exe
  2⤵
  PID:6232
- C:\Windows\System\UEhguFY.exe
  C:\Windows\System\UEhguFY.exe
  2⤵
  PID:6352
- C:\Windows\System\pxwOqWn.exe
  C:\Windows\System\pxwOqWn.exe
  2⤵
  PID:6364
- C:\Windows\System\WVWMRwO.exe
  C:\Windows\System\WVWMRwO.exe
  2⤵
  PID:6416
- C:\Windows\System\MeNbKVw.exe
  C:\Windows\System\MeNbKVw.exe
  2⤵
  PID:6444
- C:\Windows\System\YDdfeBn.exe
  C:\Windows\System\YDdfeBn.exe
  2⤵
  PID:6476
- C:\Windows\System\UaJdpnG.exe
  C:\Windows\System\UaJdpnG.exe
  2⤵
  PID:6648
- C:\Windows\System\JFctEFb.exe
  C:\Windows\System\JFctEFb.exe
  2⤵
  PID:6664
- C:\Windows\System\fAhtRZU.exe
  C:\Windows\System\fAhtRZU.exe
  2⤵
  PID:6700
- C:\Windows\System\TvCLrfw.exe
  C:\Windows\System\TvCLrfw.exe
  2⤵
  PID:6784
- C:\Windows\System\TENvkGU.exe
  C:\Windows\System\TENvkGU.exe
  2⤵
  PID:6896
- C:\Windows\System\pclmhBY.exe
  C:\Windows\System\pclmhBY.exe
  2⤵
  PID:6948
- C:\Windows\System\dYWnxMk.exe
  C:\Windows\System\dYWnxMk.exe
  2⤵
  PID:7020
- C:\Windows\System\capttgi.exe
  C:\Windows\System\capttgi.exe
  2⤵
  PID:7140
- C:\Windows\System\zfKGwss.exe
  C:\Windows\System\zfKGwss.exe
  2⤵
  PID:2200
- C:\Windows\System\GVmKKYt.exe
  C:\Windows\System\GVmKKYt.exe
  2⤵
  PID:1076
- C:\Windows\System\cBrhZgk.exe
  C:\Windows\System\cBrhZgk.exe
  2⤵
  PID:1744
- C:\Windows\System\wmogrPP.exe
  C:\Windows\System\wmogrPP.exe
  2⤵
  PID:6180
- C:\Windows\System\zmtVFxn.exe
  C:\Windows\System\zmtVFxn.exe
  2⤵
  PID:6300
- C:\Windows\System\ulRJcDG.exe
  C:\Windows\System\ulRJcDG.exe
  2⤵
  PID:6372
- C:\Windows\System\OLWwwFj.exe
  C:\Windows\System\OLWwwFj.exe
  2⤵
  PID:6548
- C:\Windows\System\etsiYaQ.exe
  C:\Windows\System\etsiYaQ.exe
  2⤵
  PID:6740
- C:\Windows\System\Osslsyb.exe
  C:\Windows\System\Osslsyb.exe
  2⤵
  PID:6812
- C:\Windows\System\tnclUrt.exe
  C:\Windows\System\tnclUrt.exe
  2⤵
  PID:6928
- C:\Windows\System\CQzRpYS.exe
  C:\Windows\System\CQzRpYS.exe
  2⤵
  PID:7164
- C:\Windows\System\vqBkMmt.exe
  C:\Windows\System\vqBkMmt.exe
  2⤵
  PID:6212
- C:\Windows\System\thMpfCw.exe
  C:\Windows\System\thMpfCw.exe
  2⤵
  PID:6320
- C:\Windows\System\EOwwEpX.exe
  C:\Windows\System\EOwwEpX.exe
  2⤵
  PID:6572
- C:\Windows\System\hxGglZP.exe
  C:\Windows\System\hxGglZP.exe
  2⤵
  PID:6764
- C:\Windows\System\FJJinnh.exe
  C:\Windows\System\FJJinnh.exe
  2⤵
  PID:6412
- C:\Windows\System\JLFtLlY.exe
  C:\Windows\System\JLFtLlY.exe
  2⤵
  PID:6992
- C:\Windows\System\dNnjhvF.exe
  C:\Windows\System\dNnjhvF.exe
  2⤵
  PID:7180
- C:\Windows\System\KlQtony.exe
  C:\Windows\System\KlQtony.exe
  2⤵
  PID:7212
- C:\Windows\System\baiqRJT.exe
  C:\Windows\System\baiqRJT.exe
  2⤵
  PID:7232
- C:\Windows\System\HlPfQHt.exe
  C:\Windows\System\HlPfQHt.exe
  2⤵
  PID:7252
- C:\Windows\System\jUotsOB.exe
  C:\Windows\System\jUotsOB.exe
  2⤵
  PID:7288
- C:\Windows\System\qseXEYs.exe
  C:\Windows\System\qseXEYs.exe
  2⤵
  PID:7316
- C:\Windows\System\TaKlHRf.exe
  C:\Windows\System\TaKlHRf.exe
  2⤵
  PID:7356
- C:\Windows\System\mHBKBnS.exe
  C:\Windows\System\mHBKBnS.exe
  2⤵
  PID:7380
- C:\Windows\System\egjsbvZ.exe
  C:\Windows\System\egjsbvZ.exe
  2⤵
  PID:7400
- C:\Windows\System\UJAzCFK.exe
  C:\Windows\System\UJAzCFK.exe
  2⤵
  PID:7428
- C:\Windows\System\mJVrSWe.exe
  C:\Windows\System\mJVrSWe.exe
  2⤵
  PID:7456
- C:\Windows\System\KtyhyjM.exe
  C:\Windows\System\KtyhyjM.exe
  2⤵
  PID:7484
- C:\Windows\System\Gcnlles.exe
  C:\Windows\System\Gcnlles.exe
  2⤵
  PID:7512
- C:\Windows\System\hDKPatj.exe
  C:\Windows\System\hDKPatj.exe
  2⤵
  PID:7540
- C:\Windows\System\BmzvXSD.exe
  C:\Windows\System\BmzvXSD.exe
  2⤵
  PID:7568
- C:\Windows\System\oUedfej.exe
  C:\Windows\System\oUedfej.exe
  2⤵
  PID:7596
- C:\Windows\System\dfPIdJt.exe
  C:\Windows\System\dfPIdJt.exe
  2⤵
  PID:7636
- C:\Windows\System\VdhMjOR.exe
  C:\Windows\System\VdhMjOR.exe
  2⤵
  PID:7652
- C:\Windows\System\BENosHp.exe
  C:\Windows\System\BENosHp.exe
  2⤵
  PID:7680
- C:\Windows\System\FbkyRid.exe
  C:\Windows\System\FbkyRid.exe
  2⤵
  PID:7716
- C:\Windows\System\YDnSeQU.exe
  C:\Windows\System\YDnSeQU.exe
  2⤵
  PID:7732
- C:\Windows\System\GWQtYiI.exe
  C:\Windows\System\GWQtYiI.exe
  2⤵
  PID:7764
- C:\Windows\System\UhIKGxH.exe
  C:\Windows\System\UhIKGxH.exe
  2⤵
  PID:7780
- C:\Windows\System\MMCvxld.exe
  C:\Windows\System\MMCvxld.exe
  2⤵
  PID:7824
- C:\Windows\System\RrnxELZ.exe
  C:\Windows\System\RrnxELZ.exe
  2⤵
  PID:7860
- C:\Windows\System\ovlqhSW.exe
  C:\Windows\System\ovlqhSW.exe
  2⤵
  PID:7876
- C:\Windows\System\IIpuLII.exe
  C:\Windows\System\IIpuLII.exe
  2⤵
  PID:7908
- C:\Windows\System\hdqKgDh.exe
  C:\Windows\System\hdqKgDh.exe
  2⤵
  PID:7932
- C:\Windows\System\ITqqsbO.exe
  C:\Windows\System\ITqqsbO.exe
  2⤵
  PID:7960
- C:\Windows\System\uQpQJlw.exe
  C:\Windows\System\uQpQJlw.exe
  2⤵
  PID:7988
- C:\Windows\System\xsmTWMg.exe
  C:\Windows\System\xsmTWMg.exe
  2⤵
  PID:8028
- C:\Windows\System\xZUBbAA.exe
  C:\Windows\System\xZUBbAA.exe
  2⤵
  PID:8056
- C:\Windows\System\RtXTDir.exe
  C:\Windows\System\RtXTDir.exe
  2⤵
  PID:8084
- C:\Windows\System\zfaInHB.exe
  C:\Windows\System\zfaInHB.exe
  2⤵
  PID:8112
- C:\Windows\System\IXFfrIG.exe
  C:\Windows\System\IXFfrIG.exe
  2⤵
  PID:8128
- C:\Windows\System\gVlKfXF.exe
  C:\Windows\System\gVlKfXF.exe
  2⤵
  PID:8152
- C:\Windows\System\kuWQRbX.exe
  C:\Windows\System\kuWQRbX.exe
  2⤵
  PID:8184
- C:\Windows\System\nMSqsrK.exe
  C:\Windows\System\nMSqsrK.exe
  2⤵
  PID:7208
- C:\Windows\System\LjtBcEE.exe
  C:\Windows\System\LjtBcEE.exe
  2⤵
  PID:7240
- C:\Windows\System\EadfnFh.exe
  C:\Windows\System\EadfnFh.exe
  2⤵
  PID:7340
- C:\Windows\System\bvWOkKy.exe
  C:\Windows\System\bvWOkKy.exe
  2⤵
  PID:7420
- C:\Windows\System\oDGpBKR.exe
  C:\Windows\System\oDGpBKR.exe
  2⤵
  PID:7480
- C:\Windows\System\GOANUrY.exe
  C:\Windows\System\GOANUrY.exe
  2⤵
  PID:7528
- C:\Windows\System\LIcRUPB.exe
  C:\Windows\System\LIcRUPB.exe
  2⤵
  PID:7584
- C:\Windows\System\abOnheA.exe
  C:\Windows\System\abOnheA.exe
  2⤵
  PID:7644
- C:\Windows\System\wqDDyqi.exe
  C:\Windows\System\wqDDyqi.exe
  2⤵
  PID:7724
- C:\Windows\System\wjjZEZk.exe
  C:\Windows\System\wjjZEZk.exe
  2⤵
  PID:7752
- C:\Windows\System\rdyGnNm.exe
  C:\Windows\System\rdyGnNm.exe
  2⤵
  PID:7868
- C:\Windows\System\kayjbgZ.exe
  C:\Windows\System\kayjbgZ.exe
  2⤵
  PID:7892
- C:\Windows\System\PuOAIZF.exe
  C:\Windows\System\PuOAIZF.exe
  2⤵
  PID:7972
- C:\Windows\System\JjhYfRM.exe
  C:\Windows\System\JjhYfRM.exe
  2⤵
  PID:8048
- C:\Windows\System\IgwjTEG.exe
  C:\Windows\System\IgwjTEG.exe
  2⤵
  PID:7060
- C:\Windows\System\ZScXQGj.exe
  C:\Windows\System\ZScXQGj.exe
  2⤵
  PID:7172
- C:\Windows\System\SpLXsQU.exe
  C:\Windows\System\SpLXsQU.exe
  2⤵
  PID:7300
- C:\Windows\System\maRxigR.exe
  C:\Windows\System\maRxigR.exe
  2⤵
  PID:7396
- C:\Windows\System\PoeDixz.exe
  C:\Windows\System\PoeDixz.exe
  2⤵
  PID:7496
- C:\Windows\System\XuQerBX.exe
  C:\Windows\System\XuQerBX.exe
  2⤵
  PID:7628
- C:\Windows\System\PYglrHh.exe
  C:\Windows\System\PYglrHh.exe
  2⤵
  PID:7872
- C:\Windows\System\dejPSML.exe
  C:\Windows\System\dejPSML.exe
  2⤵
  PID:8080
- C:\Windows\System\OixnnZE.exe
  C:\Windows\System\OixnnZE.exe
  2⤵
  PID:8172
- C:\Windows\System\LtcBpyQ.exe
  C:\Windows\System\LtcBpyQ.exe
  2⤵
  PID:7472
- C:\Windows\System\RUtJGwV.exe
  C:\Windows\System\RUtJGwV.exe
  2⤵
  PID:7668
- C:\Windows\System\MSHSlsG.exe
  C:\Windows\System\MSHSlsG.exe
  2⤵
  PID:7844
- C:\Windows\System\qhrgylX.exe
  C:\Windows\System\qhrgylX.exe
  2⤵
  PID:8096
- C:\Windows\System\lEKiidu.exe
  C:\Windows\System\lEKiidu.exe
  2⤵
  PID:7776
- C:\Windows\System\NhnCSTr.exe
  C:\Windows\System\NhnCSTr.exe
  2⤵
  PID:8220
- C:\Windows\System\mcNSqsO.exe
  C:\Windows\System\mcNSqsO.exe
  2⤵
  PID:8248
- C:\Windows\System\IzmwoCz.exe
  C:\Windows\System\IzmwoCz.exe
  2⤵
  PID:8276
- C:\Windows\System\GPuBKuY.exe
  C:\Windows\System\GPuBKuY.exe
  2⤵
  PID:8328
- C:\Windows\System\UklLBJO.exe
  C:\Windows\System\UklLBJO.exe
  2⤵
  PID:8348
- C:\Windows\System\mayBeKR.exe
  C:\Windows\System\mayBeKR.exe
  2⤵
  PID:8372
- C:\Windows\System\AyEtikx.exe
  C:\Windows\System\AyEtikx.exe
  2⤵
  PID:8400
- C:\Windows\System\TSNbfZZ.exe
  C:\Windows\System\TSNbfZZ.exe
  2⤵
  PID:8420
- C:\Windows\System\eUOOJTZ.exe
  C:\Windows\System\eUOOJTZ.exe
  2⤵
  PID:8440
- C:\Windows\System\iJphZzl.exe
  C:\Windows\System\iJphZzl.exe
  2⤵
  PID:8460
- C:\Windows\System\KtaKXNz.exe
  C:\Windows\System\KtaKXNz.exe
  2⤵
  PID:8520
- C:\Windows\System\rpzQmaQ.exe
  C:\Windows\System\rpzQmaQ.exe
  2⤵
  PID:8540
- C:\Windows\System\rZtWIzD.exe
  C:\Windows\System\rZtWIzD.exe
  2⤵
  PID:8572
- C:\Windows\System\nEQQdqF.exe
  C:\Windows\System\nEQQdqF.exe
  2⤵
  PID:8588
- C:\Windows\System\tbEEwkb.exe
  C:\Windows\System\tbEEwkb.exe
  2⤵
  PID:8608
- C:\Windows\System\wGmCUst.exe
  C:\Windows\System\wGmCUst.exe
  2⤵
  PID:8632
- C:\Windows\System\fZuAeeP.exe
  C:\Windows\System\fZuAeeP.exe
  2⤵
  PID:8660
- C:\Windows\System\oIJxcOL.exe
  C:\Windows\System\oIJxcOL.exe
  2⤵
  PID:8716
- C:\Windows\System\QeFgOHn.exe
  C:\Windows\System\QeFgOHn.exe
  2⤵
  PID:8736
- C:\Windows\System\otTgAhP.exe
  C:\Windows\System\otTgAhP.exe
  2⤵
  PID:8768
- C:\Windows\System\HeQUDLE.exe
  C:\Windows\System\HeQUDLE.exe
  2⤵
  PID:8792
- C:\Windows\System\oOiblXS.exe
  C:\Windows\System\oOiblXS.exe
  2⤵
  PID:8820
- C:\Windows\System\crYmgsB.exe
  C:\Windows\System\crYmgsB.exe
  2⤵
  PID:8860
- C:\Windows\System\IufULWl.exe
  C:\Windows\System\IufULWl.exe
  2⤵
  PID:8888
- C:\Windows\System\qPfCFCn.exe
  C:\Windows\System\qPfCFCn.exe
  2⤵
  PID:8912
- C:\Windows\System\rBRgnUN.exe
  C:\Windows\System\rBRgnUN.exe
  2⤵
  PID:8932
- C:\Windows\System\XCDTFaD.exe
  C:\Windows\System\XCDTFaD.exe
  2⤵
  PID:8964
- C:\Windows\System\HNNstkv.exe
  C:\Windows\System\HNNstkv.exe
  2⤵
  PID:8988
- C:\Windows\System\aucPPtX.exe
  C:\Windows\System\aucPPtX.exe
  2⤵
  PID:9012
- C:\Windows\System\aynPakh.exe
  C:\Windows\System\aynPakh.exe
  2⤵
  PID:9044
- C:\Windows\System\IPjbsaB.exe
  C:\Windows\System\IPjbsaB.exe
  2⤵
  PID:9092
- C:\Windows\System\ryUuPcH.exe
  C:\Windows\System\ryUuPcH.exe
  2⤵
  PID:9108
- C:\Windows\System\Nutydqe.exe
  C:\Windows\System\Nutydqe.exe
  2⤵
  PID:9124
- C:\Windows\System\KEAAVPK.exe
  C:\Windows\System\KEAAVPK.exe
  2⤵
  PID:9160
- C:\Windows\System\bkWcLtC.exe
  C:\Windows\System\bkWcLtC.exe
  2⤵
  PID:9180
- C:\Windows\System\EZqHtBU.exe
  C:\Windows\System\EZqHtBU.exe
  2⤵
  PID:7452
- C:\Windows\System\juoKPaL.exe
  C:\Windows\System\juoKPaL.exe
  2⤵
  PID:8236
- C:\Windows\System\zDefgiY.exe
  C:\Windows\System\zDefgiY.exe
  2⤵
  PID:8264
- C:\Windows\System\VjIwkmA.exe
  C:\Windows\System\VjIwkmA.exe
  2⤵
  PID:8324
- C:\Windows\System\slpbJwP.exe
  C:\Windows\System\slpbJwP.exe
  2⤵
  PID:8360
- C:\Windows\System\nqaPxGH.exe
  C:\Windows\System\nqaPxGH.exe
  2⤵
  PID:8428
- C:\Windows\System\CPyCdzV.exe
  C:\Windows\System\CPyCdzV.exe
  2⤵
  PID:8456
- C:\Windows\System\EHlEDWl.exe
  C:\Windows\System\EHlEDWl.exe
  2⤵
  PID:8596
- C:\Windows\System\VDdneSQ.exe
  C:\Windows\System\VDdneSQ.exe
  2⤵
  PID:8648
- C:\Windows\System\WQqpptz.exe
  C:\Windows\System\WQqpptz.exe
  2⤵
  PID:8724
- C:\Windows\System\HDmCqEq.exe
  C:\Windows\System\HDmCqEq.exe
  2⤵
  PID:8788
- C:\Windows\System\ZVKxOhm.exe
  C:\Windows\System\ZVKxOhm.exe
  2⤵
  PID:8856
- C:\Windows\System\GHMRWmJ.exe
  C:\Windows\System\GHMRWmJ.exe
  2⤵
  PID:8904
- C:\Windows\System\neHtbxM.exe
  C:\Windows\System\neHtbxM.exe
  2⤵
  PID:8980
- C:\Windows\System\nOxTrPH.exe
  C:\Windows\System\nOxTrPH.exe
  2⤵
  PID:9036
- C:\Windows\System\dtIpcog.exe
  C:\Windows\System\dtIpcog.exe
  2⤵
  PID:9120
- C:\Windows\System\SAexVoR.exe
  C:\Windows\System\SAexVoR.exe
  2⤵
  PID:8204
- C:\Windows\System\evVaiog.exe
  C:\Windows\System\evVaiog.exe
  2⤵
  PID:8232
- C:\Windows\System\zngAuXd.exe
  C:\Windows\System\zngAuXd.exe
  2⤵
  PID:8384
- C:\Windows\System\fmojNHc.exe
  C:\Windows\System\fmojNHc.exe
  2⤵
  PID:8532
- C:\Windows\System\msELglY.exe
  C:\Windows\System\msELglY.exe
  2⤵
  PID:8712
- C:\Windows\System\CFzgetB.exe
  C:\Windows\System\CFzgetB.exe
  2⤵
  PID:8984
- C:\Windows\System\RRNJJNv.exe
  C:\Windows\System\RRNJJNv.exe
  2⤵
  PID:9080
- C:\Windows\System\UWLeJFU.exe
  C:\Windows\System\UWLeJFU.exe
  2⤵
  PID:8208
- C:\Windows\System\VWCcDbO.exe
  C:\Windows\System\VWCcDbO.exe
  2⤵
  PID:8408
- C:\Windows\System\EipfJxW.exe
  C:\Windows\System\EipfJxW.exe
  2⤵
  PID:8880
- C:\Windows\System\biTSljG.exe
  C:\Windows\System\biTSljG.exe
  2⤵
  PID:8604
- C:\Windows\System\mkIRyVu.exe
  C:\Windows\System\mkIRyVu.exe
  2⤵
  PID:8628
- C:\Windows\System\ZrSRZRC.exe
  C:\Windows\System\ZrSRZRC.exe
  2⤵
  PID:9236
- C:\Windows\System\uTBBgid.exe
  C:\Windows\System\uTBBgid.exe
  2⤵
  PID:9264
- C:\Windows\System\vPAofzq.exe
  C:\Windows\System\vPAofzq.exe
  2⤵
  PID:9288
- C:\Windows\System\qMOxDjk.exe
  C:\Windows\System\qMOxDjk.exe
  2⤵
  PID:9308
- C:\Windows\System\HaXvsnM.exe
  C:\Windows\System\HaXvsnM.exe
  2⤵
  PID:9336
- C:\Windows\System\ismrfTq.exe
  C:\Windows\System\ismrfTq.exe
  2⤵
  PID:9356
- C:\Windows\System\GBoDDwz.exe
  C:\Windows\System\GBoDDwz.exe
  2⤵
  PID:9388
- C:\Windows\System\lqvLkWx.exe
  C:\Windows\System\lqvLkWx.exe
  2⤵
  PID:9416
- C:\Windows\System\xfJOhAE.exe
  C:\Windows\System\xfJOhAE.exe
  2⤵
  PID:9440
- C:\Windows\System\OpsAnmV.exe
  C:\Windows\System\OpsAnmV.exe
  2⤵
  PID:9488
- C:\Windows\System\PLoSkJV.exe
  C:\Windows\System\PLoSkJV.exe
  2⤵
  PID:9508
- C:\Windows\System\zMjfrpU.exe
  C:\Windows\System\zMjfrpU.exe
  2⤵
  PID:9540
- C:\Windows\System\FxSpreF.exe
  C:\Windows\System\FxSpreF.exe
  2⤵
  PID:9564
- C:\Windows\System\KnEeBMC.exe
  C:\Windows\System\KnEeBMC.exe
  2⤵
  PID:9600
- C:\Windows\System\cHKtarC.exe
  C:\Windows\System\cHKtarC.exe
  2⤵
  PID:9616
- C:\Windows\System\QsaiBiJ.exe
  C:\Windows\System\QsaiBiJ.exe
  2⤵
  PID:9644
- C:\Windows\System\YhKISNg.exe
  C:\Windows\System\YhKISNg.exe
  2⤵
  PID:9672
- C:\Windows\System\vArbluv.exe
  C:\Windows\System\vArbluv.exe
  2⤵
  PID:9700
- C:\Windows\System\GNUJUvS.exe
  C:\Windows\System\GNUJUvS.exe
  2⤵
  PID:9740
- C:\Windows\System\sRIilLR.exe
  C:\Windows\System\sRIilLR.exe
  2⤵
  PID:9768
- C:\Windows\System\DUzdatA.exe
  C:\Windows\System\DUzdatA.exe
  2⤵
  PID:9796
- C:\Windows\System\VFMoIWE.exe
  C:\Windows\System\VFMoIWE.exe
  2⤵
  PID:9820
- C:\Windows\System\RnBYiXD.exe
  C:\Windows\System\RnBYiXD.exe
  2⤵
  PID:9848
- C:\Windows\System\bEGPWWi.exe
  C:\Windows\System\bEGPWWi.exe
  2⤵
  PID:9876
- C:\Windows\System\OlwPpbI.exe
  C:\Windows\System\OlwPpbI.exe
  2⤵
  PID:9908
- C:\Windows\System\OlwElzG.exe
  C:\Windows\System\OlwElzG.exe
  2⤵
  PID:9936
- C:\Windows\System\RsgBwwn.exe
  C:\Windows\System\RsgBwwn.exe
  2⤵
  PID:9964
- C:\Windows\System\ReCJIHc.exe
  C:\Windows\System\ReCJIHc.exe
  2⤵
  PID:9992
- C:\Windows\System\bkzlbNi.exe
  C:\Windows\System\bkzlbNi.exe
  2⤵
  PID:10020
- C:\Windows\System\JFBzXba.exe
  C:\Windows\System\JFBzXba.exe
  2⤵
  PID:10048
- C:\Windows\System\fBZLZio.exe
  C:\Windows\System\fBZLZio.exe
  2⤵
  PID:10064
- C:\Windows\System\gPuEmXH.exe
  C:\Windows\System\gPuEmXH.exe
  2⤵
  PID:10096
- C:\Windows\System\dLOJxDj.exe
  C:\Windows\System\dLOJxDj.exe
  2⤵
  PID:10120
- C:\Windows\System\VHrWLBN.exe
  C:\Windows\System\VHrWLBN.exe
  2⤵
  PID:10148
- C:\Windows\System\qiWDeWa.exe
  C:\Windows\System\qiWDeWa.exe
  2⤵
  PID:10164
- C:\Windows\System\rXhFlBL.exe
  C:\Windows\System\rXhFlBL.exe
  2⤵
  PID:10200
- C:\Windows\System\qydgCvX.exe
  C:\Windows\System\qydgCvX.exe
  2⤵
  PID:10232
- C:\Windows\System\vcbzETL.exe
  C:\Windows\System\vcbzETL.exe
  2⤵
  PID:4080
- C:\Windows\System\nKUfbhD.exe
  C:\Windows\System\nKUfbhD.exe
  2⤵
  PID:9328
- C:\Windows\System\EKyTNfJ.exe
  C:\Windows\System\EKyTNfJ.exe
  2⤵
  PID:9412
- C:\Windows\System\qepdUQY.exe
  C:\Windows\System\qepdUQY.exe
  2⤵
  PID:9464
- C:\Windows\System\IoIQaea.exe
  C:\Windows\System\IoIQaea.exe
  2⤵
  PID:9528
- C:\Windows\System\duzuOys.exe
  C:\Windows\System\duzuOys.exe
  2⤵
  PID:9612
- C:\Windows\System\Yfbonyo.exe
  C:\Windows\System\Yfbonyo.exe
  2⤵
  PID:9664
- C:\Windows\System\jZQSzpG.exe
  C:\Windows\System\jZQSzpG.exe
  2⤵
  PID:9732
- C:\Windows\System\ttiDbWU.exe
  C:\Windows\System\ttiDbWU.exe
  2⤵
  PID:9784
- C:\Windows\System\KveAdIu.exe
  C:\Windows\System\KveAdIu.exe
  2⤵
  PID:9832
- C:\Windows\System\xjULFJK.exe
  C:\Windows\System\xjULFJK.exe
  2⤵
  PID:9924
- C:\Windows\System\IYiPbVr.exe
  C:\Windows\System\IYiPbVr.exe
  2⤵
  PID:10004
- C:\Windows\System\uHrpSBw.exe
  C:\Windows\System\uHrpSBw.exe
  2⤵
  PID:10060
- C:\Windows\System\QqIcXhH.exe
  C:\Windows\System\QqIcXhH.exe
  2⤵
  PID:10116
- C:\Windows\System\LahASGp.exe
  C:\Windows\System\LahASGp.exe
  2⤵
  PID:10132
- C:\Windows\System\GQadpeg.exe
  C:\Windows\System\GQadpeg.exe
  2⤵
  PID:9228
- C:\Windows\System\iwUOShH.exe
  C:\Windows\System\iwUOShH.exe
  2⤵
  PID:9300
- C:\Windows\System\TPTfofs.exe
  C:\Windows\System\TPTfofs.exe
  2⤵
  PID:9576
- C:\Windows\System\JhhyXVN.exe
  C:\Windows\System\JhhyXVN.exe
  2⤵
  PID:9696
- C:\Windows\System\hPutXGl.exe
  C:\Windows\System\hPutXGl.exe
  2⤵
  PID:9860
- C:\Windows\System\Couiwby.exe
  C:\Windows\System\Couiwby.exe
  2⤵
  PID:9984
- C:\Windows\System\PFeagrw.exe
  C:\Windows\System\PFeagrw.exe
  2⤵
  PID:10076
- C:\Windows\System\mWqexyj.exe
  C:\Windows\System\mWqexyj.exe
  2⤵
  PID:10188
- C:\Windows\System\twTjdos.exe
  C:\Windows\System\twTjdos.exe
  2⤵
  PID:9468
- C:\Windows\System\oNCtuTf.exe
  C:\Windows\System\oNCtuTf.exe
  2⤵
  PID:9780
- C:\Windows\System\vCzrfMR.exe
  C:\Windows\System\vCzrfMR.exe
  2⤵
  PID:10044
- C:\Windows\System\fhtFttz.exe
  C:\Windows\System\fhtFttz.exe
  2⤵
  PID:9380
- C:\Windows\System\BOXUjPJ.exe
  C:\Windows\System\BOXUjPJ.exe
  2⤵
  PID:10108
- C:\Windows\System\iGSiihY.exe
  C:\Windows\System\iGSiihY.exe
  2⤵
  PID:4032
- C:\Windows\System\KIaxMpP.exe
  C:\Windows\System\KIaxMpP.exe
  2⤵
  PID:10256
- C:\Windows\System\jBfcwJc.exe
  C:\Windows\System\jBfcwJc.exe
  2⤵
  PID:10308
- C:\Windows\System\yQkPOaN.exe
  C:\Windows\System\yQkPOaN.exe
  2⤵
  PID:10336
- C:\Windows\System\AfXgDnO.exe
  C:\Windows\System\AfXgDnO.exe
  2⤵
  PID:10364
- C:\Windows\System\RBTALgg.exe
  C:\Windows\System\RBTALgg.exe
  2⤵
  PID:10392
- C:\Windows\System\zwcUtyy.exe
  C:\Windows\System\zwcUtyy.exe
  2⤵
  PID:10408
- C:\Windows\System\vRieicu.exe
  C:\Windows\System\vRieicu.exe
  2⤵
  PID:10436
- C:\Windows\System\tHIUtAr.exe
  C:\Windows\System\tHIUtAr.exe
  2⤵
  PID:10476
- C:\Windows\System\jjjNDGm.exe
  C:\Windows\System\jjjNDGm.exe
  2⤵
  PID:10496
- C:\Windows\System\ofCVgZF.exe
  C:\Windows\System\ofCVgZF.exe
  2⤵
  PID:10520
- C:\Windows\System\ShIdUpH.exe
  C:\Windows\System\ShIdUpH.exe
  2⤵
  PID:10556
- C:\Windows\System\tUgSDVQ.exe
  C:\Windows\System\tUgSDVQ.exe
  2⤵
  PID:10576
- C:\Windows\System\aFFvgOu.exe
  C:\Windows\System\aFFvgOu.exe
  2⤵
  PID:10596
- C:\Windows\System\NmCnecY.exe
  C:\Windows\System\NmCnecY.exe
  2⤵
  PID:10628
- C:\Windows\System\EnkPHzW.exe
  C:\Windows\System\EnkPHzW.exe
  2⤵
  PID:10656
- C:\Windows\System\lMjEcyH.exe
  C:\Windows\System\lMjEcyH.exe
  2⤵
  PID:10688
- C:\Windows\System\xhfQFJW.exe
  C:\Windows\System\xhfQFJW.exe
  2⤵
  PID:10708
- C:\Windows\System\rMDaTXO.exe
  C:\Windows\System\rMDaTXO.exe
  2⤵
  PID:10740
- C:\Windows\System\DNtUAoC.exe
  C:\Windows\System\DNtUAoC.exe
  2⤵
  PID:10764
- C:\Windows\System\DUqUfCH.exe
  C:\Windows\System\DUqUfCH.exe
  2⤵
  PID:10788
- C:\Windows\System\GrBqlkw.exe
  C:\Windows\System\GrBqlkw.exe
  2⤵
  PID:10812
- C:\Windows\System\MWioFXN.exe
  C:\Windows\System\MWioFXN.exe
  2⤵
  PID:10856
- C:\Windows\System\ZfaXFZG.exe
  C:\Windows\System\ZfaXFZG.exe
  2⤵
  PID:10884
- C:\Windows\System\QZEVWLJ.exe
  C:\Windows\System\QZEVWLJ.exe
  2⤵
  PID:10900
- C:\Windows\System\odONizK.exe
  C:\Windows\System\odONizK.exe
  2⤵
  PID:10916
- C:\Windows\System\jSGPJxx.exe
  C:\Windows\System\jSGPJxx.exe
  2⤵
  PID:10940
- C:\Windows\System\jpwRJNl.exe
  C:\Windows\System\jpwRJNl.exe
  2⤵
  PID:10972
- C:\Windows\System\JuesdKQ.exe
  C:\Windows\System\JuesdKQ.exe
  2⤵
  PID:11000
- C:\Windows\System\pCMkKBH.exe
  C:\Windows\System\pCMkKBH.exe
  2⤵
  PID:11036
- C:\Windows\System\nloQPJy.exe
  C:\Windows\System\nloQPJy.exe
  2⤵
  PID:11072
- C:\Windows\System\HPCBqPx.exe
  C:\Windows\System\HPCBqPx.exe
  2⤵
  PID:11092
- C:\Windows\System\IxjlREM.exe
  C:\Windows\System\IxjlREM.exe
  2⤵
  PID:11128
- C:\Windows\System\QyjmPMk.exe
  C:\Windows\System\QyjmPMk.exe
  2⤵
  PID:11152
- C:\Windows\System\eNcgFCu.exe
  C:\Windows\System\eNcgFCu.exe
  2⤵
  PID:11180
- C:\Windows\System\qcHEKwP.exe
  C:\Windows\System\qcHEKwP.exe
  2⤵
  PID:11204
- C:\Windows\System\HJfAYCb.exe
  C:\Windows\System\HJfAYCb.exe
  2⤵
  PID:11228
- C:\Windows\System\uFQbHGF.exe
  C:\Windows\System\uFQbHGF.exe
  2⤵
  PID:10300
- C:\Windows\System\KTvtjEq.exe
  C:\Windows\System\KTvtjEq.exe
  2⤵
  PID:10324
- C:\Windows\System\MHfbORM.exe
  C:\Windows\System\MHfbORM.exe
  2⤵
  PID:10356
- C:\Windows\System\wjSwCOy.exe
  C:\Windows\System\wjSwCOy.exe
  2⤵
  PID:10404
- C:\Windows\System\lujFvZz.exe
  C:\Windows\System\lujFvZz.exe
  2⤵
  PID:10484
- C:\Windows\System\lpOsioq.exe
  C:\Windows\System\lpOsioq.exe
  2⤵
  PID:10604
- C:\Windows\System\mBevgNd.exe
  C:\Windows\System\mBevgNd.exe
  2⤵
  PID:10672
- C:\Windows\System\wyDNmZU.exe
  C:\Windows\System\wyDNmZU.exe
  2⤵
  PID:10704
- C:\Windows\System\qzAKfxZ.exe
  C:\Windows\System\qzAKfxZ.exe
  2⤵
  PID:10800
- C:\Windows\System\bKiftQo.exe
  C:\Windows\System\bKiftQo.exe
  2⤵
  PID:10840
- C:\Windows\System\KkyquyA.exe
  C:\Windows\System\KkyquyA.exe
  2⤵
  PID:10980
- C:\Windows\System\TGHYhxo.exe
  C:\Windows\System\TGHYhxo.exe
  2⤵
  PID:10932
- C:\Windows\System\DwqEwCw.exe
  C:\Windows\System\DwqEwCw.exe
  2⤵
  PID:11028
- C:\Windows\System\QPPsvGC.exe
  C:\Windows\System\QPPsvGC.exe
  2⤵
  PID:11080
- C:\Windows\System\MmCMZLc.exe
  C:\Windows\System\MmCMZLc.exe
  2⤵
  PID:11168
- C:\Windows\System\CVlSQYC.exe
  C:\Windows\System\CVlSQYC.exe
  2⤵
  PID:11200
- C:\Windows\System\sXwHIdG.exe
  C:\Windows\System\sXwHIdG.exe
  2⤵
  PID:11260
- C:\Windows\System\hDdsSWY.exe
  C:\Windows\System\hDdsSWY.exe
  2⤵
  PID:10460
- C:\Windows\System\XJsjodA.exe
  C:\Windows\System\XJsjodA.exe
  2⤵
  PID:10636
- C:\Windows\System\NNHOzts.exe
  C:\Windows\System\NNHOzts.exe
  2⤵
  PID:10808
- C:\Windows\System\rGRhgkR.exe
  C:\Windows\System\rGRhgkR.exe
  2⤵
  PID:10872
- C:\Windows\System\MiKbfJx.exe
  C:\Windows\System\MiKbfJx.exe
  2⤵
  PID:11048
- C:\Windows\System\zMovHEB.exe
  C:\Windows\System\zMovHEB.exe
  2⤵
  PID:10320
- C:\Windows\System\QuowFXO.exe
  C:\Windows\System\QuowFXO.exe
  2⤵
  PID:10584
- C:\Windows\System\GyJcnSj.exe
  C:\Windows\System\GyJcnSj.exe
  2⤵
  PID:10912
- C:\Windows\System\HsxEEwx.exe
  C:\Windows\System\HsxEEwx.exe
  2⤵
  PID:10252
- C:\Windows\System\tsdhrDH.exe
  C:\Windows\System\tsdhrDH.exe
  2⤵
  PID:11272
- C:\Windows\System\jfeLQvw.exe
  C:\Windows\System\jfeLQvw.exe
  2⤵
  PID:11292
- C:\Windows\System\UynBeXx.exe
  C:\Windows\System\UynBeXx.exe
  2⤵
  PID:11316
- C:\Windows\System\hVhyvGv.exe
  C:\Windows\System\hVhyvGv.exe
  2⤵
  PID:11356
- C:\Windows\System\bmgLBSc.exe
  C:\Windows\System\bmgLBSc.exe
  2⤵
  PID:11388
- C:\Windows\System\CqSSiIl.exe
  C:\Windows\System\CqSSiIl.exe
  2⤵
  PID:11436
- C:\Windows\System\RbHKlSQ.exe
  C:\Windows\System\RbHKlSQ.exe
  2⤵
  PID:11452
- C:\Windows\System\skFDXvx.exe
  C:\Windows\System\skFDXvx.exe
  2⤵
  PID:11480
- C:\Windows\System\ZyYbtXk.exe
  C:\Windows\System\ZyYbtXk.exe
  2⤵
  PID:11496
- C:\Windows\System\xjEDUei.exe
  C:\Windows\System\xjEDUei.exe
  2⤵
  PID:11520
- C:\Windows\System\VjcSOLY.exe
  C:\Windows\System\VjcSOLY.exe
  2⤵
  PID:11544
- C:\Windows\System\NWhQYIE.exe
  C:\Windows\System\NWhQYIE.exe
  2⤵
  PID:11568
- C:\Windows\System\gcZfJEH.exe
  C:\Windows\System\gcZfJEH.exe
  2⤵
  PID:11592
- C:\Windows\System\UMCHUdC.exe
  C:\Windows\System\UMCHUdC.exe
  2⤵
  PID:11620
- C:\Windows\System\nuEalqV.exe
  C:\Windows\System\nuEalqV.exe
  2⤵
  PID:11648
- C:\Windows\System\caBesRI.exe
  C:\Windows\System\caBesRI.exe
  2⤵
  PID:11680
- C:\Windows\System\oiuSRDP.exe
  C:\Windows\System\oiuSRDP.exe
  2⤵
  PID:11700
- C:\Windows\System\VVuIABU.exe
  C:\Windows\System\VVuIABU.exe
  2⤵
  PID:11728
- C:\Windows\System\jeZpZuf.exe
  C:\Windows\System\jeZpZuf.exe
  2⤵
  PID:11756
- C:\Windows\System\zqPyyuR.exe
  C:\Windows\System\zqPyyuR.exe
  2⤵
  PID:11784
- C:\Windows\System\GTeOfgI.exe
  C:\Windows\System\GTeOfgI.exe
  2⤵
  PID:11812
- C:\Windows\System\ijtMJkd.exe
  C:\Windows\System\ijtMJkd.exe
  2⤵
  PID:11840
- C:\Windows\System\fWbcqTb.exe
  C:\Windows\System\fWbcqTb.exe
  2⤵
  PID:11888
- C:\Windows\System\wKxqbxQ.exe
  C:\Windows\System\wKxqbxQ.exe
  2⤵
  PID:11916
- C:\Windows\System\sElwEUD.exe
  C:\Windows\System\sElwEUD.exe
  2⤵
  PID:11944
- C:\Windows\System\wyTRPKa.exe
  C:\Windows\System\wyTRPKa.exe
  2⤵
  PID:11972
- C:\Windows\System\xPXcztS.exe
  C:\Windows\System\xPXcztS.exe
  2⤵
  PID:12000
- C:\Windows\System\ZuzmYRE.exe
  C:\Windows\System\ZuzmYRE.exe
  2⤵
  PID:12028
- C:\Windows\System\soMjkFy.exe
  C:\Windows\System\soMjkFy.exe
  2⤵
  PID:12060
- C:\Windows\System\dkxNqXd.exe
  C:\Windows\System\dkxNqXd.exe
  2⤵
  PID:12084
- C:\Windows\System\fMZumet.exe
  C:\Windows\System\fMZumet.exe
  2⤵
  PID:12100
- C:\Windows\System\DNdCRev.exe
  C:\Windows\System\DNdCRev.exe
  2⤵
  PID:12128
- C:\Windows\System\VzDmlev.exe
  C:\Windows\System\VzDmlev.exe
  2⤵
  PID:12148
- C:\Windows\System\olXfsSt.exe
  C:\Windows\System\olXfsSt.exe
  2⤵
  PID:12180
- C:\Windows\System\hLYvpSu.exe
  C:\Windows\System\hLYvpSu.exe
  2⤵
  PID:12208
- C:\Windows\System\GUNjPtN.exe
  C:\Windows\System\GUNjPtN.exe
  2⤵
  PID:12264
- C:\Windows\System\sgxTySE.exe
  C:\Windows\System\sgxTySE.exe
  2⤵
  PID:10836
- C:\Windows\System\MaYmmGO.exe
  C:\Windows\System\MaYmmGO.exe
  2⤵
  PID:11288
- C:\Windows\System\KgFrqsH.exe
  C:\Windows\System\KgFrqsH.exe
  2⤵
  PID:11352
- C:\Windows\System\qyrClsB.exe
  C:\Windows\System\qyrClsB.exe
  2⤵
  PID:11464
- C:\Windows\System\ucBWKxb.exe
  C:\Windows\System\ucBWKxb.exe
  2⤵
  PID:11532
- C:\Windows\System\dMbmPiz.exe
  C:\Windows\System\dMbmPiz.exe
  2⤵
  PID:11580
- C:\Windows\System\UwCiYIA.exe
  C:\Windows\System\UwCiYIA.exe
  2⤵
  PID:11608
- C:\Windows\System\aoWVaTb.exe
  C:\Windows\System\aoWVaTb.exe
  2⤵
  PID:11708
- C:\Windows\System\oCnimnB.exe
  C:\Windows\System\oCnimnB.exe
  2⤵
  PID:11776
- C:\Windows\System\jCZNgBW.exe
  C:\Windows\System\jCZNgBW.exe
  2⤵
  PID:11852
- C:\Windows\System\CaKFDxQ.exe
  C:\Windows\System\CaKFDxQ.exe
  2⤵
  PID:11900
- C:\Windows\System\DrTZsrS.exe
  C:\Windows\System\DrTZsrS.exe
  2⤵
  PID:11956
- C:\Windows\System\cobGjFZ.exe
  C:\Windows\System\cobGjFZ.exe
  2⤵
  PID:12048
- C:\Windows\System\mGapVcy.exe
  C:\Windows\System\mGapVcy.exe
  2⤵
  PID:12112
- C:\Windows\System\UIrvgbm.exe
  C:\Windows\System\UIrvgbm.exe
  2⤵
  PID:12168
- C:\Windows\System\WjeISPV.exe
  C:\Windows\System\WjeISPV.exe
  2⤵
  PID:12192
- C:\Windows\System\rZxxSYC.exe
  C:\Windows\System\rZxxSYC.exe
  2⤵
  PID:12272
- C:\Windows\System\SmifYhr.exe
  C:\Windows\System\SmifYhr.exe
  2⤵
  PID:11448
- C:\Windows\System\VmugGpH.exe
  C:\Windows\System\VmugGpH.exe
  2⤵
  PID:11536
- C:\Windows\System\jpQgZjo.exe
  C:\Windows\System\jpQgZjo.exe
  2⤵
  PID:11640
- C:\Windows\System\yuAasKj.exe
  C:\Windows\System\yuAasKj.exe
  2⤵
  PID:11864
- C:\Windows\System\LLsRFew.exe
  C:\Windows\System\LLsRFew.exe
  2⤵
  PID:11960
- C:\Windows\System\qtIOjso.exe
  C:\Windows\System\qtIOjso.exe
  2⤵
  PID:12092
- C:\Windows\System\OBcgvmW.exe
  C:\Windows\System\OBcgvmW.exe
  2⤵
  PID:10592
- C:\Windows\System\AGsvCAy.exe
  C:\Windows\System\AGsvCAy.exe
  2⤵
  PID:11744
- C:\Windows\System\QowPWlQ.exe
  C:\Windows\System\QowPWlQ.exe
  2⤵
  PID:11988
- C:\Windows\System\ulsSymo.exe
  C:\Windows\System\ulsSymo.exe
  2⤵
  PID:12280
- C:\Windows\System\dkPpAPo.exe
  C:\Windows\System\dkPpAPo.exe
  2⤵
  PID:11660
- C:\Windows\System\BGopIwF.exe
  C:\Windows\System\BGopIwF.exe
  2⤵
  PID:12312
- C:\Windows\System\PueCnZS.exe
  C:\Windows\System\PueCnZS.exe
  2⤵
  PID:12336
- C:\Windows\System\bbHzMJA.exe
  C:\Windows\System\bbHzMJA.exe
  2⤵
  PID:12368
- C:\Windows\System\PVgeJTl.exe
  C:\Windows\System\PVgeJTl.exe
  2⤵
  PID:12412
- C:\Windows\System\WjHlLdj.exe
  C:\Windows\System\WjHlLdj.exe
  2⤵
  PID:12452
- C:\Windows\System\oJuIDsk.exe
  C:\Windows\System\oJuIDsk.exe
  2⤵
  PID:12468
- C:\Windows\System\dSoNYln.exe
  C:\Windows\System\dSoNYln.exe
  2⤵
  PID:12496
- C:\Windows\System\nxthlTY.exe
  C:\Windows\System\nxthlTY.exe
  2⤵
  PID:12524
- C:\Windows\System\bKjIejE.exe
  C:\Windows\System\bKjIejE.exe
  2⤵
  PID:12560
- C:\Windows\System\stipPzJ.exe
  C:\Windows\System\stipPzJ.exe
  2⤵
  PID:12592
- C:\Windows\System\VaBraIX.exe
  C:\Windows\System\VaBraIX.exe
  2⤵
  PID:12608
- C:\Windows\System\aEKfWgT.exe
  C:\Windows\System\aEKfWgT.exe
  2⤵
  PID:12636
- C:\Windows\System\RwageTr.exe
  C:\Windows\System\RwageTr.exe
  2⤵
  PID:12652
- C:\Windows\System\TUYlnaa.exe
  C:\Windows\System\TUYlnaa.exe
  2⤵
  PID:12696
- C:\Windows\System\JfWpoIb.exe
  C:\Windows\System\JfWpoIb.exe
  2⤵
  PID:12732
- C:\Windows\System\ZIUEJuy.exe
  C:\Windows\System\ZIUEJuy.exe
  2⤵
  PID:12760
- C:\Windows\System\ZjBupsT.exe
  C:\Windows\System\ZjBupsT.exe
  2⤵
  PID:12792
- C:\Windows\System\HUZDPcn.exe
  C:\Windows\System\HUZDPcn.exe
  2⤵
  PID:12808
- C:\Windows\System\jAiBCim.exe
  C:\Windows\System\jAiBCim.exe
  2⤵
  PID:12836
- C:\Windows\System\fQZKMeM.exe
  C:\Windows\System\fQZKMeM.exe
  2⤵
  PID:12856
- C:\Windows\System\TzrvBuo.exe
  C:\Windows\System\TzrvBuo.exe
  2⤵
  PID:12892
- C:\Windows\System\MSduobp.exe
  C:\Windows\System\MSduobp.exe
  2⤵
  PID:12920
- C:\Windows\System\QatPhnO.exe
  C:\Windows\System\QatPhnO.exe
  2⤵
  PID:12960
- C:\Windows\System\hgMUGaR.exe
  C:\Windows\System\hgMUGaR.exe
  2⤵
  PID:12976
- C:\Windows\System\HWCFMur.exe
  C:\Windows\System\HWCFMur.exe
  2⤵
  PID:12992
- C:\Windows\System\ClGrPBc.exe
  C:\Windows\System\ClGrPBc.exe
  2⤵
  PID:13032
- C:\Windows\System\FjkdoIs.exe
  C:\Windows\System\FjkdoIs.exe
  2⤵
  PID:13060
- C:\Windows\System\rNdhxDD.exe
  C:\Windows\System\rNdhxDD.exe
  2⤵
  PID:13092
- C:\Windows\System\LZjIORY.exe
  C:\Windows\System\LZjIORY.exe
  2⤵
  PID:13116
- C:\Windows\System\ZlxLcRN.exe
  C:\Windows\System\ZlxLcRN.exe
  2⤵
  PID:13132
- C:\Windows\System\QBGJbwi.exe
  C:\Windows\System\QBGJbwi.exe
  2⤵
  PID:13148
- C:\Windows\System\GWmaqvM.exe
  C:\Windows\System\GWmaqvM.exe
  2⤵
  PID:13200
- C:\Windows\System\snwbeVg.exe
  C:\Windows\System\snwbeVg.exe
  2⤵
  PID:13220
- C:\Windows\System\neavGsr.exe
  C:\Windows\System\neavGsr.exe
  2⤵
  PID:13268
- C:\Windows\System\zuriWQy.exe
  C:\Windows\System\zuriWQy.exe
  2⤵
  PID:13296
- C:\Windows\System\SuHvIVX.exe
  C:\Windows\System\SuHvIVX.exe
  2⤵
  PID:11400
- C:\Windows\System\dBNMPqm.exe
  C:\Windows\System\dBNMPqm.exe
  2⤵
  PID:12348
- C:\Windows\System\YaKlCEL.exe
  C:\Windows\System\YaKlCEL.exe
  2⤵
  PID:12328
- C:\Windows\System\iWSxboj.exe
  C:\Windows\System\iWSxboj.exe
  2⤵
  PID:12436
- C:\Windows\System\zubVjER.exe
  C:\Windows\System\zubVjER.exe
  2⤵
  PID:12484
- C:\Windows\System\QAFlwlh.exe
  C:\Windows\System\QAFlwlh.exe
  2⤵
  PID:12568
- C:\Windows\System\haULcNd.exe
  C:\Windows\System\haULcNd.exe
  2⤵
  PID:12704
- C:\Windows\System\tjgWGad.exe
  C:\Windows\System\tjgWGad.exe
  2⤵
  PID:12688
- C:\Windows\System\smIrBME.exe
  C:\Windows\System\smIrBME.exe
  2⤵
  PID:12744
- C:\Windows\System\wVfhLea.exe
  C:\Windows\System\wVfhLea.exe
  2⤵
  PID:12824
- C:\Windows\System\uWAwUnQ.exe
  C:\Windows\System\uWAwUnQ.exe
  2⤵
  PID:12876
- C:\Windows\System\KNWxwui.exe
  C:\Windows\System\KNWxwui.exe
  2⤵
  PID:12952
- C:\Windows\System\VRHLENO.exe
  C:\Windows\System\VRHLENO.exe
  2⤵
  PID:12972
- C:\Windows\System\mjtmztJ.exe
  C:\Windows\System\mjtmztJ.exe
  2⤵
  PID:13052
- C:\Windows\System\HkPRonK.exe
  C:\Windows\System\HkPRonK.exe
  2⤵
  PID:13144
- C:\Windows\System\zFkwFQl.exe
  C:\Windows\System\zFkwFQl.exe
  2⤵
  PID:11584
- C:\Windows\System\YbGdeuQ.exe
  C:\Windows\System\YbGdeuQ.exe
  2⤵
  PID:13280
- C:\Windows\System\VNfFShw.exe
  C:\Windows\System\VNfFShw.exe
  2⤵
  PID:12144
- C:\Windows\System\HqdpHjE.exe
  C:\Windows\System\HqdpHjE.exe
  2⤵
  PID:12460
- C:\Windows\System\WtBNXOg.exe
  C:\Windows\System\WtBNXOg.exe
  2⤵
  PID:12576
- C:\Windows\System\YCOrgwa.exe
  C:\Windows\System\YCOrgwa.exe
  2⤵
  PID:12776
- C:\Windows\System\uLBGFUt.exe
  C:\Windows\System\uLBGFUt.exe
  2⤵
  PID:13048
- C:\Windows\System\uzwzAPQ.exe
  C:\Windows\System\uzwzAPQ.exe
  2⤵
  PID:13140
- C:\Windows\System\aeSjSwM.exe
  C:\Windows\System\aeSjSwM.exe
  2⤵
  PID:13244
- C:\Windows\System\gYyNWAi.exe
  C:\Windows\System\gYyNWAi.exe
  2⤵
  PID:12520
- C:\Windows\System\qRqFoTI.exe
  C:\Windows\System\qRqFoTI.exe
  2⤵
  PID:12820
- C:\Windows\System\gZcnKUC.exe
  C:\Windows\System\gZcnKUC.exe
  2⤵
  PID:13168
- C:\Windows\System\OoDtSvJ.exe
  C:\Windows\System\OoDtSvJ.exe
  2⤵
  PID:13112
- C:\Windows\System\EihBAlE.exe
  C:\Windows\System\EihBAlE.exe
  2⤵
  PID:13340
- C:\Windows\System\NHAPsyt.exe
  C:\Windows\System\NHAPsyt.exe
  2⤵
  PID:13360
- C:\Windows\System\NaFLWbs.exe
  C:\Windows\System\NaFLWbs.exe
  2⤵
  PID:13376
- C:\Windows\System\toOUhjZ.exe
  C:\Windows\System\toOUhjZ.exe
  2⤵
  PID:13396
- C:\Windows\System\tlpWEPK.exe
  C:\Windows\System\tlpWEPK.exe
  2⤵
  PID:13416
- C:\Windows\System\YFpBeDU.exe
  C:\Windows\System\YFpBeDU.exe
  2⤵
  PID:13448
- C:\Windows\System\vLHrGIB.exe
  C:\Windows\System\vLHrGIB.exe
  2⤵
  PID:13524
- C:\Windows\System\uwPJyap.exe
  C:\Windows\System\uwPJyap.exe
  2⤵
  PID:13540
- C:\Windows\System\EIMVPSY.exe
  C:\Windows\System\EIMVPSY.exe
  2⤵
  PID:13568
- C:\Windows\System\FyLaURk.exe
  C:\Windows\System\FyLaURk.exe
  2⤵
  PID:13596
- C:\Windows\System\ZoUBuQy.exe
  C:\Windows\System\ZoUBuQy.exe
  2⤵
  PID:13612
- C:\Windows\System\DyVitAv.exe
  C:\Windows\System\DyVitAv.exe
  2⤵
  PID:13636
- C:\Windows\System\viYnFOx.exe
  C:\Windows\System\viYnFOx.exe
  2⤵
  PID:13668
- C:\Windows\System\EBFsMRp.exe
  C:\Windows\System\EBFsMRp.exe
  2⤵
  PID:13708
- C:\Windows\System\WMoHYFZ.exe
  C:\Windows\System\WMoHYFZ.exe
  2⤵
  PID:13724
- C:\Windows\System\rkwNZAY.exe
  C:\Windows\System\rkwNZAY.exe
  2⤵
  PID:13744
- C:\Windows\System\YXFlriY.exe
  C:\Windows\System\YXFlriY.exe
  2⤵
  PID:13772
- C:\Windows\System\toivkzS.exe
  C:\Windows\System\toivkzS.exe
  2⤵
  PID:13796
- C:\Windows\System\LNaozvL.exe
  C:\Windows\System\LNaozvL.exe
  2⤵
  PID:13828
- C:\Windows\System\NMyAiTu.exe
  C:\Windows\System\NMyAiTu.exe
  2⤵
  PID:13864
- C:\Windows\System\nKMbQIP.exe
  C:\Windows\System\nKMbQIP.exe
  2⤵
  PID:13888
- C:\Windows\System\qojaEZJ.exe
  C:\Windows\System\qojaEZJ.exe
  2⤵
  PID:13916
- C:\Windows\System\GYiIxQy.exe
  C:\Windows\System\GYiIxQy.exe
  2⤵
  PID:13948
- C:\Windows\System\ZZNnnKU.exe
  C:\Windows\System\ZZNnnKU.exe
  2⤵
  PID:14000
- C:\Windows\System\IvKopub.exe
  C:\Windows\System\IvKopub.exe
  2⤵
  PID:14016
- C:\Windows\System\GvTrbFX.exe
  C:\Windows\System\GvTrbFX.exe
  2⤵
  PID:14044
- C:\Windows\System\WGTwAkX.exe
  C:\Windows\System\WGTwAkX.exe
  2⤵
  PID:14072
- C:\Windows\System\WdvcmiC.exe
  C:\Windows\System\WdvcmiC.exe
  2⤵
  PID:14088
- C:\Windows\System\dYEppWl.exe
  C:\Windows\System\dYEppWl.exe
  2⤵
  PID:14124
- C:\Windows\System\hvyzIwD.exe
  C:\Windows\System\hvyzIwD.exe
  2⤵
  PID:14152
- C:\Windows\System\ZKuhsNs.exe
  C:\Windows\System\ZKuhsNs.exe
  2⤵
  PID:14184
- C:\Windows\System\ydUUOdG.exe
  C:\Windows\System\ydUUOdG.exe
  2⤵
  PID:14200
- C:\Windows\System\rABZErj.exe
  C:\Windows\System\rABZErj.exe
  2⤵
  PID:14252
- C:\Windows\System\yWvpFDk.exe
  C:\Windows\System\yWvpFDk.exe
  2⤵
  PID:14268
- C:\Windows\System\IqRGlaC.exe
  C:\Windows\System\IqRGlaC.exe
  2⤵
  PID:14292
- C:\Windows\System\ECGhENj.exe
  C:\Windows\System\ECGhENj.exe
  2⤵
  PID:14316
- C:\Windows\System\GLyTWUg.exe
  C:\Windows\System\GLyTWUg.exe
  2⤵
  PID:13320
- C:\Windows\System\jMRYobl.exe
  C:\Windows\System\jMRYobl.exe
  2⤵
  PID:13392
- C:\Windows\System\QWmwYEQ.exe
  C:\Windows\System\QWmwYEQ.exe
  2⤵
  PID:13440
- C:\Windows\System\jERGCSD.exe
  C:\Windows\System\jERGCSD.exe
  2⤵
  PID:13512
- C:\Windows\System\TrhLRTK.exe
  C:\Windows\System\TrhLRTK.exe
  2⤵
  PID:13536
- C:\Windows\System\yQSRkcC.exe
  C:\Windows\System\yQSRkcC.exe
  2⤵
  PID:13632
- C:\Windows\System\fvHzVwM.exe
  C:\Windows\System\fvHzVwM.exe
  2⤵
  PID:13716
- C:\Windows\System\ZQmMHcg.exe
  C:\Windows\System\ZQmMHcg.exe
  2⤵
  PID:13696
- C:\Windows\System\pQepGjX.exe
  C:\Windows\System\pQepGjX.exe
  2⤵
  PID:13752
- C:\Windows\System\CNSqsUM.exe
  C:\Windows\System\CNSqsUM.exe
  2⤵
  PID:13812
- C:\Windows\System\WOAtyTp.exe
  C:\Windows\System\WOAtyTp.exe
  2⤵
  PID:13884
- C:\Windows\System\GszRQEH.exe
  C:\Windows\System\GszRQEH.exe
  2⤵
  PID:13944
- C:\Windows\System\OhCnzIX.exe
  C:\Windows\System\OhCnzIX.exe
  2⤵
  PID:14028
- C:\Windows\System\pOMrgnH.exe
  C:\Windows\System\pOMrgnH.exe
  2⤵
  PID:14148
- C:\Windows\System\THYIsFK.exe
  C:\Windows\System\THYIsFK.exe
  2⤵
  PID:14232
- C:\Windows\System\QQLgakB.exe
  C:\Windows\System\QQLgakB.exe
  2⤵
  PID:14264
- C:\Windows\System\yKTapDR.exe
  C:\Windows\System\yKTapDR.exe
  2⤵
  PID:14284
- C:\Windows\System\pgZYvxI.exe
  C:\Windows\System\pgZYvxI.exe
  2⤵
  PID:13356
- C:\Windows\System\HCRHbrL.exe
  C:\Windows\System\HCRHbrL.exe
  2⤵
  PID:13412
- C:\Windows\System\kclLxRv.exe
  C:\Windows\System\kclLxRv.exe
  2⤵
  PID:13692
- C:\Windows\System\iMncrMw.exe
  C:\Windows\System\iMncrMw.exe
  2⤵
  PID:13848
- C:\Windows\System\xAfeZoO.exe
  C:\Windows\System\xAfeZoO.exe
  2⤵
  PID:13940
- C:\Windows\System\PwTLzMu.exe
  C:\Windows\System\PwTLzMu.exe
  2⤵
  PID:14112
- C:\Windows\System\ddXSyQN.exe
  C:\Windows\System\ddXSyQN.exe
  2⤵
  PID:14244
- C:\Windows\System\KraYWFK.exe
  C:\Windows\System\KraYWFK.exe
  2⤵
  PID:12908
- C:\Windows\System\bWkufSs.exe
  C:\Windows\System\bWkufSs.exe
  2⤵
  PID:13880
- C:\Windows\System\ptSkvdD.exe
  C:\Windows\System\ptSkvdD.exe
  2⤵
  PID:14300
- C:\Windows\System\KONYgWU.exe
  C:\Windows\System\KONYgWU.exe
  2⤵
  PID:14032
- C:\Windows\System\GJWMrjl.exe
  C:\Windows\System\GJWMrjl.exe
  2⤵
  PID:14356
- C:\Windows\System\uMChyzJ.exe
  C:\Windows\System\uMChyzJ.exe
  2⤵
  PID:14380
- C:\Windows\System\gwWAMcQ.exe
  C:\Windows\System\gwWAMcQ.exe
  2⤵
  PID:14404
- C:\Windows\System\MMYEvkK.exe
  C:\Windows\System\MMYEvkK.exe
  2⤵
  PID:14432
- C:\Windows\System\rkneicH.exe
  C:\Windows\System\rkneicH.exe
  2⤵
  PID:14472
- C:\Windows\System\DZSthFy.exe
  C:\Windows\System\DZSthFy.exe
  2⤵
  PID:14496
- C:\Windows\System\JppLnbJ.exe
  C:\Windows\System\JppLnbJ.exe
  2⤵
  PID:14520
- C:\Windows\System\KuytCQm.exe
  C:\Windows\System\KuytCQm.exe
  2⤵
  PID:14568
- C:\Windows\System\HwCNpqq.exe
  C:\Windows\System\HwCNpqq.exe
  2⤵
  PID:14596
- C:\Windows\System\DuUUSAr.exe
  C:\Windows\System\DuUUSAr.exe
  2⤵
  PID:14612
- C:\Windows\System\TdxExwU.exe
  C:\Windows\System\TdxExwU.exe
  2⤵
  PID:14648
- C:\Windows\System\LAoLJXp.exe
  C:\Windows\System\LAoLJXp.exe
  2⤵
  PID:14668
- C:\Windows\System\UXbAQui.exe
  C:\Windows\System\UXbAQui.exe
  2⤵
  PID:14708
- C:\Windows\System\FNYeljY.exe
  C:\Windows\System\FNYeljY.exe
  2⤵
  PID:14736
- C:\Windows\System\xslentc.exe
  C:\Windows\System\xslentc.exe
  2⤵
  PID:14752
- C:\Windows\System\JEnBYdN.exe
  C:\Windows\System\JEnBYdN.exe
  2⤵
  PID:14780
- C:\Windows\System\KgqAluD.exe
  C:\Windows\System\KgqAluD.exe
  2⤵
  PID:14796
- C:\Windows\System\eNAcUgE.exe
  C:\Windows\System\eNAcUgE.exe
  2⤵
  PID:14812
- C:\Windows\System\WrnYvFf.exe
  C:\Windows\System\WrnYvFf.exe
  2⤵
  PID:14836
- C:\Windows\System\mmNNfXi.exe
  C:\Windows\System\mmNNfXi.exe
  2⤵
  PID:14880
- C:\Windows\System\XPAJuvQ.exe
  C:\Windows\System\XPAJuvQ.exe
  2⤵
  PID:14916
- C:\Windows\System\nEOUTrX.exe
  C:\Windows\System\nEOUTrX.exe
  2⤵
  PID:14940
- C:\Windows\System\lGErNvd.exe
  C:\Windows\System\lGErNvd.exe
  2⤵
  PID:14964
- C:\Windows\System\erWLWhJ.exe
  C:\Windows\System\erWLWhJ.exe
  2⤵
  PID:14984
- C:\Windows\System\OEvbYjC.exe
  C:\Windows\System\OEvbYjC.exe
  2⤵
  PID:15008
- C:\Windows\System\NLSGPWt.exe
  C:\Windows\System\NLSGPWt.exe
  2⤵
  PID:15032
- C:\Windows\System\pcwgJzn.exe
  C:\Windows\System\pcwgJzn.exe
  2⤵
  PID:15100
- C:\Windows\System\qcWnPXK.exe
  C:\Windows\System\qcWnPXK.exe
  2⤵
  PID:15116
- C:\Windows\System\XaYOWHx.exe
  C:\Windows\System\XaYOWHx.exe
  2⤵
  PID:15144
- C:\Windows\System\oibRvjL.exe
  C:\Windows\System\oibRvjL.exe
  2⤵
  PID:15160
- C:\Windows\System\aTcsLPP.exe
  C:\Windows\System\aTcsLPP.exe
  2⤵
  PID:15184
- C:\Windows\System\pKInUuJ.exe
  C:\Windows\System\pKInUuJ.exe
  2⤵
  PID:15228
- C:\Windows\System\mRwjyvv.exe
  C:\Windows\System\mRwjyvv.exe
  2⤵
  PID:15244
- C:\Windows\System\ppXbmqv.exe
  C:\Windows\System\ppXbmqv.exe
  2⤵
  PID:15284
- C:\Windows\System\TKuwoPO.exe
  C:\Windows\System\TKuwoPO.exe
  2⤵
  PID:15304
- C:\Windows\System\ftQNKeR.exe
  C:\Windows\System\ftQNKeR.exe
  2⤵
  PID:15332
- C:\Windows\System\SwigTXY.exe
  C:\Windows\System\SwigTXY.exe
  2⤵
  PID:15352
- C:\Windows\System\ctHnAXa.exe
  C:\Windows\System\ctHnAXa.exe
  2⤵
  PID:13368
- C:\Windows\System\JyCgYVU.exe
  C:\Windows\System\JyCgYVU.exe
  2⤵
  PID:14452
- C:\Windows\System\HNlpPJe.exe
  C:\Windows\System\HNlpPJe.exe
  2⤵
  PID:14536
- C:\Windows\System\BTjDzaI.exe
  C:\Windows\System\BTjDzaI.exe
  2⤵
  PID:14556
- C:\Windows\System\wwYaqgK.exe
  C:\Windows\System\wwYaqgK.exe
  2⤵
  PID:14624
- C:\Windows\System\fsNJyup.exe
  C:\Windows\System\fsNJyup.exe
  2⤵
  PID:14704
- C:\Windows\System\OTqppyY.exe
  C:\Windows\System\OTqppyY.exe
  2⤵
  PID:14764
- C:\Windows\System\iZWoJnC.exe
  C:\Windows\System\iZWoJnC.exe
  2⤵
  PID:14820
- C:\Windows\System\yTYOOCD.exe
  C:\Windows\System\yTYOOCD.exe
  2⤵
  PID:14904
- C:\Windows\System\ReaqaUN.exe
  C:\Windows\System\ReaqaUN.exe
  2⤵
  PID:14992
- C:\Windows\System\umtKrIb.exe
  C:\Windows\System\umtKrIb.exe
  2⤵
  PID:15060
- C:\Windows\System\JjlhPZt.exe
  C:\Windows\System\JjlhPZt.exe
  2⤵
  PID:15064
- C:\Windows\System\fRBtUPl.exe
  C:\Windows\System\fRBtUPl.exe
  2⤵
  PID:15136
- C:\Windows\System\IkhtcDf.exe
  C:\Windows\System\IkhtcDf.exe
  2⤵
  PID:15200
- C:\Windows\System\rxafrXW.exe
  C:\Windows\System\rxafrXW.exe
  2⤵
  PID:15276
- C:\Windows\System\UBqEWZW.exe
  C:\Windows\System\UBqEWZW.exe
  2⤵
  PID:13584
- C:\Windows\System\rAxJkxU.exe
  C:\Windows\System\rAxJkxU.exe
  2⤵
  PID:14484
- C:\Windows\System\ACByCJm.exe
  C:\Windows\System\ACByCJm.exe
  2⤵
  PID:14656
- C:\Windows\System\RziOKqS.exe
  C:\Windows\System\RziOKqS.exe
  2⤵
  PID:14792
- C:\Windows\System\zQAECBD.exe
  C:\Windows\System\zQAECBD.exe
  2⤵
  PID:14952
- C:\Windows\System\cxOHGSm.exe
  C:\Windows\System\cxOHGSm.exe
  2⤵
  PID:15000
- C:\Windows\System\LTOuiAl.exe
  C:\Windows\System\LTOuiAl.exe
  2⤵
  PID:15132
- C:\Windows\System\ClULqnQ.exe
  C:\Windows\System\ClULqnQ.exe
  2⤵
  PID:15292
- C:\Windows\System\hZPTJOo.exe
  C:\Windows\System\hZPTJOo.exe
  2⤵
  PID:14560
- C:\Windows\System\dolRddI.exe
  C:\Windows\System\dolRddI.exe
  2⤵
  PID:15112
- C:\Windows\System\FGtVrPP.exe
  C:\Windows\System\FGtVrPP.exe
  2⤵
  PID:14344
- C:\Windows\System\aMTYVSX.exe
  C:\Windows\System\aMTYVSX.exe
  2⤵
  PID:14844
- C:\Windows\System\nuCxfVI.exe
  C:\Windows\System\nuCxfVI.exe
  2⤵
  PID:15392
- C:\Windows\System\LVYAjFj.exe
  C:\Windows\System\LVYAjFj.exe
  2⤵
  PID:15416
- C:\Windows\System\OkXHXtw.exe
  C:\Windows\System\OkXHXtw.exe
  2⤵
  PID:15460
- C:\Windows\System\yVGedwx.exe
  C:\Windows\System\yVGedwx.exe
  2⤵
  PID:15480
- C:\Windows\System\VTVEpKe.exe
  C:\Windows\System\VTVEpKe.exe
  2⤵
  PID:15500
- C:\Windows\System\dmavvDp.exe
  C:\Windows\System\dmavvDp.exe
  2⤵
  PID:15532
- C:\Windows\System\gyUfGzh.exe
  C:\Windows\System\gyUfGzh.exe
  2⤵
  PID:15556
- C:\Windows\System\OjvmwYT.exe
  C:\Windows\System\OjvmwYT.exe
  2⤵
  PID:15584
- C:\Windows\System\IKTSbhV.exe
  C:\Windows\System\IKTSbhV.exe
  2⤵
  PID:15624
- C:\Windows\System\RZzXBVo.exe
  C:\Windows\System\RZzXBVo.exe
  2⤵
  PID:15640
- C:\Windows\System\EstVsgn.exe
  C:\Windows\System\EstVsgn.exe
  2⤵
  PID:15656
- C:\Windows\System\lQKcgPv.exe
  C:\Windows\System\lQKcgPv.exe
  2⤵
  PID:15680
- C:\Windows\System\CIXdAXv.exe
  C:\Windows\System\CIXdAXv.exe
  2⤵
  PID:15748
- C:\Windows\System\JFubrcL.exe
  C:\Windows\System\JFubrcL.exe
  2⤵
  PID:15764
- C:\Windows\System\tHTNcTu.exe
  C:\Windows\System\tHTNcTu.exe
  2⤵
  PID:15792
- C:\Windows\System\nEEOJMA.exe
  C:\Windows\System\nEEOJMA.exe
  2⤵
  PID:15808
- C:\Windows\System\SuKCnSM.exe
  C:\Windows\System\SuKCnSM.exe
  2⤵
  PID:15848
- C:\Windows\System\qiHOLPy.exe
  C:\Windows\System\qiHOLPy.exe
  2⤵
  PID:15868
- C:\Windows\System\yfSrbLB.exe
  C:\Windows\System\yfSrbLB.exe
  2⤵
  PID:15892
- C:\Windows\System\sZzREGo.exe
  C:\Windows\System\sZzREGo.exe
  2⤵
  PID:15912
- C:\Windows\System\fApEqMI.exe
  C:\Windows\System\fApEqMI.exe
  2⤵
  PID:15940
- C:\Windows\System\mBwdKNn.exe
  C:\Windows\System\mBwdKNn.exe
  2⤵
  PID:15960
- C:\Windows\System\UvUCHXz.exe
  C:\Windows\System\UvUCHXz.exe
  2⤵
  PID:15996
- C:\Windows\System\gKHEsrh.exe
  C:\Windows\System\gKHEsrh.exe
  2⤵
  PID:16036
- C:\Windows\System\eqfADCy.exe
  C:\Windows\System\eqfADCy.exe
  2⤵
  PID:16064
- C:\Windows\System\JoVVCYj.exe
  C:\Windows\System\JoVVCYj.exe
  2⤵
  PID:16088
- C:\Windows\System\pwoWOlF.exe
  C:\Windows\System\pwoWOlF.exe
  2⤵
  PID:16140
- C:\Windows\System\UBoUFVX.exe
  C:\Windows\System\UBoUFVX.exe
  2⤵
  PID:16156
- C:\Windows\System\SQiXuyJ.exe
  C:\Windows\System\SQiXuyJ.exe
  2⤵
  PID:16184
- C:\Windows\System\iUwlFBg.exe
  C:\Windows\System\iUwlFBg.exe
  2⤵
  PID:16212
- C:\Windows\System\yzzHAKY.exe
  C:\Windows\System\yzzHAKY.exe
  2⤵
  PID:16240
- C:\Windows\System\jmdjQOD.exe
  C:\Windows\System\jmdjQOD.exe
  2⤵
  PID:16256
- C:\Windows\System\XXtgguQ.exe
  C:\Windows\System\XXtgguQ.exe
  2⤵
  PID:16284
- C:\Windows\System\rfImtbt.exe
  C:\Windows\System\rfImtbt.exe
  2⤵
  PID:16316
- C:\Windows\System\wlmQnjL.exe
  C:\Windows\System\wlmQnjL.exe
  2⤵
  PID:16336
- C:\Windows\System\QEZBEOp.exe
  C:\Windows\System\QEZBEOp.exe
  2⤵
  PID:16364
- C:\Windows\System\eVsadFr.exe
  C:\Windows\System\eVsadFr.exe
  2⤵
  PID:15364
- C:\Windows\System\erhIRjL.exe
  C:\Windows\System\erhIRjL.exe
  2⤵
  PID:15368
- C:\Windows\System\yZsoSwr.exe
  C:\Windows\System\yZsoSwr.exe
  2⤵
  PID:15436
- C:\Windows\System\bCioieQ.exe
  C:\Windows\System\bCioieQ.exe
  2⤵
  PID:15440
- C:\Windows\System\OvAyxdM.exe
  C:\Windows\System\OvAyxdM.exe
  2⤵
  PID:15632
- C:\Windows\System\TvroSeG.exe
  C:\Windows\System\TvroSeG.exe
  2⤵
  PID:15668
- C:\Windows\System\lwnOPQK.exe
  C:\Windows\System\lwnOPQK.exe
  2⤵
  PID:15744
- C:\Windows\System\ZzWoHXx.exe
  C:\Windows\System\ZzWoHXx.exe
  2⤵
  PID:15828
- C:\Windows\System\EqiDbdk.exe
  C:\Windows\System\EqiDbdk.exe
  2⤵
  PID:15956
- C:\Windows\System\MTBYEHg.exe
  C:\Windows\System\MTBYEHg.exe
  2⤵
  PID:3124
- C:\Windows\System\kZYQcKl.exe
  C:\Windows\System\kZYQcKl.exe
  2⤵
  PID:16076
- C:\Windows\System\GksjPyS.exe
  C:\Windows\System\GksjPyS.exe
  2⤵
  PID:16132
- C:\Windows\System\hWuiHvQ.exe
  C:\Windows\System\hWuiHvQ.exe
  2⤵
  PID:16176
- C:\Windows\System\KIGfisa.exe
  C:\Windows\System\KIGfisa.exe
  2⤵
  PID:16224
- C:\Windows\System\wTQlcRq.exe
  C:\Windows\System\wTQlcRq.exe
  2⤵
  PID:16268
- C:\Windows\System\YLIQIPt.exe
  C:\Windows\System\YLIQIPt.exe
  2⤵
  PID:16328
- C:\Windows\System\HANzKVa.exe
  C:\Windows\System\HANzKVa.exe
  2⤵
  PID:14512
- C:\Windows\System\UuBpxZq.exe
  C:\Windows\System\UuBpxZq.exe
  2⤵
  PID:15636
- C:\Windows\System\Nlbqjoc.exe
  C:\Windows\System\Nlbqjoc.exe
  2⤵
  PID:15648
- C:\Windows\System\LlJNhcM.exe
  C:\Windows\System\LlJNhcM.exe
  2⤵
  PID:15820
- C:\Windows\System\GpHPtEE.exe
  C:\Windows\System\GpHPtEE.exe
  2⤵
  PID:896
- C:\Windows\System\AxfZipp.exe
  C:\Windows\System\AxfZipp.exe
  2⤵
  PID:16060
- C:\Windows\System\cMrjycM.exe
  C:\Windows\System\cMrjycM.exe
  2⤵
  PID:14340
- C:\Windows\System\JmfcFKb.exe
  C:\Windows\System\JmfcFKb.exe
  2⤵
  PID:16356
- C:\Windows\System\rLtehGy.exe
  C:\Windows\System\rLtehGy.exe
  2⤵
  PID:15400
- C:\Windows\System\ucenoLC.exe
  C:\Windows\System\ucenoLC.exe
  2⤵
  PID:15920
- C:\Windows\System\uJdHFUG.exe
  C:\Windows\System\uJdHFUG.exe
  2⤵
  PID:16396
- C:\Windows\System\WSmVANh.exe
  C:\Windows\System\WSmVANh.exe
  2⤵
  PID:16424
- C:\Windows\System\dJFdDeL.exe
  C:\Windows\System\dJFdDeL.exe
  2⤵
  PID:16456
- C:\Windows\System\LdwbdAx.exe
  C:\Windows\System\LdwbdAx.exe
  2⤵
  PID:16496
- C:\Windows\System\fNDceeK.exe
  C:\Windows\System\fNDceeK.exe
  2⤵
  PID:16536
- C:\Windows\System\SfGHXIZ.exe
  C:\Windows\System\SfGHXIZ.exe
  2⤵
  PID:16552
- C:\Windows\System\nmdujnB.exe
  C:\Windows\System\nmdujnB.exe
  2⤵
  PID:16580
- C:\Windows\System\NxNDixJ.exe
  C:\Windows\System\NxNDixJ.exe
  2⤵
  PID:16620
- C:\Windows\System\vHMbvgg.exe
  C:\Windows\System\vHMbvgg.exe
  2⤵
  PID:16636
- C:\Windows\System\rYALFWm.exe
  C:\Windows\System\rYALFWm.exe
  2⤵
  PID:16676
- C:\Windows\System\raoTZLF.exe
  C:\Windows\System\raoTZLF.exe
  2⤵
  PID:16696
- C:\Windows\System\QQHPGDV.exe
  C:\Windows\System\QQHPGDV.exe
  2⤵
  PID:16720
- C:\Windows\System\gogBzYv.exe
  C:\Windows\System\gogBzYv.exe
  2⤵
  PID:16748
- C:\Windows\System\ShjrgCr.exe
  C:\Windows\System\ShjrgCr.exe
  2⤵
  PID:16768
- C:\Windows\System\QtsyGha.exe
  C:\Windows\System\QtsyGha.exe
  2⤵
  PID:16788
- C:\Windows\System\ewTDBmM.exe
  C:\Windows\System\ewTDBmM.exe
  2⤵
  PID:16820
- C:\Windows\System\oKytHqi.exe
  C:\Windows\System\oKytHqi.exe
  2⤵
  PID:16852
- C:\Windows\System\OIFsAFv.exe
  C:\Windows\System\OIFsAFv.exe
  2⤵
  PID:16880

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:16408
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:16812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:17284

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3144

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8312

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:9868

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:10464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:11116

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:13108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:17244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:13996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14420

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:552

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13256

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7332

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:16520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3860

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10468

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2692

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1188

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:16376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E1GD9IMX\microsoft.windows[1].xml

Filesize
95B

MD5
7890031c6c3d0d273b0dd0dc40519a06

SHA1
0c6a256a54d3229ec13eedbf1e02b3a3caf1d296

SHA256
3f4a959a4a8f40ed8d6e1ce31fc4f704e9142cbe84078a8f54adc160e9c4157a

SHA512
b58331565cafad0a96e17d1daff0e34889e4878c9c6fa76de201bc879d9178affb8306a2897b5bf19364a8b268362e4da25382f541722364c0c276aeedffa4e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133830017483387545.txt

Filesize
75KB

MD5
efcbc9a6e9dd282116a5105581fc1736

SHA1
10cd6f3b0c42ed5b7db57f3b65fd367d9d9d0edb

SHA256
c99afbb576bcdebaf801c10a6cdbd0a869b113d2768638adc74b509b01b609f7

SHA512
44846cc341300be5f968f96367b173cee523278f7299fcd917c863ef9f1ae6c3843f44a28aa078f9888669d11ae7e530ee18cc6f068a1a61edb8b2b68429d360

Download Submit
C:\Windows\System\AHOmBAB.exe

Filesize
1.4MB

MD5
057658e8f2a808e95daac2e13b8e8935

SHA1
a76fd6eca06246e42cc6939103e51acc1fbc732a

SHA256
3ee02418c8e4ffa5af724334dea36854f30b42cb13ecfea61d062b314d9c8d1f

SHA512
b60ea24ecbf62c9a651cdb6472d5838b601bf3b3fcbba431e3a7a8cac85b673ee93c216a40044409405b1c9b6deb9927b551daad056b9ee248f73726e640d930

Download Submit
C:\Windows\System\AuuYbHW.exe

Filesize
1.4MB

MD5
935dc3cd8c74d3569b060d2373542c58

SHA1
3362c754291c483a556a516cda471182256093c9

SHA256
6f319f437e700e763f7d6b8eefbdcb6be3e48c99016b6dfc5ca76d0476fd00b4

SHA512
d3a59154e372a678a45b628dac0f6ff94cc1db311055bf67a40c7c3a0c69e8393f63b0dd847bf35318ddc7f474e81a6859b9f95781d6dc9868e9ecdda7e843f5

Download Submit
C:\Windows\System\BljCvdg.exe

Filesize
1.4MB

MD5
56dbb85cf86e94e098fcc453148746c5

SHA1
595caa05f8cefe4d9b002bfc494c61bff111eec2

SHA256
ff2609af14be04f79504eead1ae82a937bea8d2801579edf3f68560aa5ee6085

SHA512
967c4eb8080f64b8ddd3a9d5dc775fecb296a810e57c85f257b59ed5f06e9603746c443f2d6f20a8d2942b50f8d66c6d1188d776535627904e15d7f73bf58552

Download Submit
C:\Windows\System\BqAnIbf.exe

Filesize
1.4MB

MD5
afd9b86b97b529d98d47dd1b204850ab

SHA1
893abc277475deef2793decc3c497a64cccf1389

SHA256
16f2dbbf27587bbfe3cd9e6a635bf967fe9dd51162631e789f97289454987ba4

SHA512
87b6c6356ae60203c2bc1a6c1fb652ed13667aa877c3ae59509e8f9a826cb5a5df655ac6b88618b120aaee5d5406d9a27da2f94d156e7ca5bfea8a9bbf4b5a3e

Download Submit
C:\Windows\System\DNtDapI.exe

Filesize
1.4MB

MD5
78ec47ffbb208c01d7190d2e7dd6d6b8

SHA1
4b8bfa512d0601a3f113e2dac47c325501b05283

SHA256
3853ddb3edd8acf0f476f584074dcf0d43c5c8f2bb0a9c59eeb53581ec921e35

SHA512
9b123781e59895735646f124c3118d5239046e6b5ecbd9b6200d9cc7ee7927f449239d615bed6594c95d4cf05e8271afde78db91bc539dec49a0223618588f16

Download Submit
C:\Windows\System\FabsEUY.exe

Filesize
1.4MB

MD5
d55a62d1ec3bd28364cd047aeffc6746

SHA1
222c338c7d155f010c35ffae4e323ba3a8b675f0

SHA256
72814c82bbb5457d9f7126e435b20acf42292508cc258ffea4248cf81e41368f

SHA512
6bda1bd7df6dbc8e62115f10462ee65d63ad97fd9444b81cc0402a40f3770ebfec7ef5e562fc5967633c0c997dce706e688cd5f28a77c59c993570c728a53e08

Download Submit
C:\Windows\System\FheGfug.exe

Filesize
1.4MB

MD5
21fa57a609ee05b9b02528257f83ed1f

SHA1
06a2886efc290d902751b1ff43e82bcdf70827ba

SHA256
4fb17cfa70b5e944ab299b0c88be404a5481c56445857567f78482353e74488b

SHA512
c8f9de391f5cec7be820059020f72e43f062e2e639b3ed402dd946f42cde1a068b39318cf315b547ac939f5c16bed4480efac6ba797e23254945b901e68ec84b

Download Submit
C:\Windows\System\Grzagdc.exe

Filesize
1.4MB

MD5
28aca9a29384cd9e7b2277a646f6cacb

SHA1
9a46c5233b4b8bfe435e482a095e8bf511313833

SHA256
2310e44bd44132cae96c3c8b55c737cf7d306e389deda918a99c4932e0fc79f7

SHA512
711a7bb6024e76473df0afb6033c5a4142eecf07ede5efc49ae5907cdbf25872fb5737efc182fa420bce52f857972d92549ef040facb01850e716b4e84da50f6

Download Submit
C:\Windows\System\HIIMCdY.exe

Filesize
1.4MB

MD5
72ba81e6af96a69a678d237acb7d6396

SHA1
8d26c5a10fbc31b182e3ab9c2c202c41e1edab28

SHA256
1345fc763a51752ac458f204ec2f4a1032b333b78d854846652d49ab4aa1fc60

SHA512
13cbdf67165b3df5c4ee3ec33f6248b5fe783e843ef980832805494ce50e93c0494795693168efa42727775623e806288ad1b84913a999b85fad9eb23058f591

Download Submit
C:\Windows\System\IwXotIe.exe

Filesize
1.4MB

MD5
c3c10342375a937e96ae9989185649b9

SHA1
a313872078a7a79295d6650b11fe534a1fc120d1

SHA256
0c7a35dced84bf14d34e53f1f501cd8fca8ce779bee76167517d67bb60faafc0

SHA512
e366496a413af8519bbb9e743dba2ac1a85777aa07d57ab5bdbf2f87627c90865ccc720a159a62ce6fb6bab021c49ae21b653caf00846da62dc4609e2659553d

Download Submit
C:\Windows\System\KUpZZAQ.exe

Filesize
1.4MB

MD5
d6706330af29d4eced0052ee7c98fa46

SHA1
eb2febd3de1f8e3efc2416c014f05ffdc8bd8a4f

SHA256
048fb6d62e114239f456e42c153cdb6b8d7a072832be69f3ad68e6146092705a

SHA512
3f276b042780e9e89fef6e163161a850733ceda1d2d04a1d0530f3489b32fb721ea17c256cfb00189ef7656f41bca4059060d84ec336540c61ff57c4247d0ade

Download Submit
C:\Windows\System\KXGjSqf.exe

Filesize
1.4MB

MD5
c32396e33e130a7c5195cdce6b3ba91f

SHA1
5a951826939da37195365a270a49e38966aa983e

SHA256
47f591825b19b8b49f38371e71bdbf0001bac7bd095a7cb2777e2b77cadf5816

SHA512
93fbc89e5ca45b15d893734c662d0340bddb2eb43fd6c34d6695ecce4b5955811ee14a3b4e3976a452c1e36cffe9aa4fabeb47a73945db32922b9c0e249fcc57

Download Submit
C:\Windows\System\LNNmtvX.exe

Filesize
1.4MB

MD5
19dafb069b939e608bcb54bb446b9181

SHA1
c8d415bcb661a0d4424caa11ae2ea938adb5b405

SHA256
93583c29e14a58748fc3b3a60e22bf78f06ab3b38c96cccbde93f1191cfb2852

SHA512
8790b95e5743c480c16f49056475379c70fbb7e097b854b59cda644d6d01e74081734a4cd7dd38f5852247641182cfc3cce399da27125293013b8029dba7131c

Download Submit
C:\Windows\System\OcvkcfT.exe

Filesize
1.4MB

MD5
0f6d07ea890dd60840d7fa10cc59c051

SHA1
e84bcd4394ecf73c8510d99e7b8e29f2ddc2173a

SHA256
5f5c49141aa07d969b3a31841b64312df9f2df903da3bb46b4a8ca8db16877df

SHA512
139369e4d9cd9697e2b62e6cacdf7993fd597f3970bbddeff778f89119b96fb508c2f7a1aaee28c9f323e7a4cb5189b6134f6ee2e7d99180885df5aeb54f4f76

Download Submit
C:\Windows\System\QPrJyvj.exe

Filesize
1.4MB

MD5
cc57585a87542ef16b9baae8bf642ea8

SHA1
034173d68b23e221b3fe575df7a6e47da94bddfa

SHA256
162ce54556fd1778cfef91f49d4d256734fe818b2c25704d54c7fa887558efee

SHA512
46e68aa2c0759d30908bcc01819baee4023cb631d5d458e2f390d3a3a86a58bec187fe45995e5f8cb846b407e9e1397478f3c35aa23b610093869039cee40ef8

Download Submit
C:\Windows\System\SqQWwtv.exe

Filesize
1.4MB

MD5
93605bb92ef0c54136ce830e49444a3c

SHA1
95ab94f88c7f3554b2a095faf5f60f272d7202de

SHA256
afa863856ca65a6d27180f080e44c6e6daa56ed07d64509a31b2b7862181a078

SHA512
248cf90121fd6afa088f73f32d8b663b315099a673a551ff17612b2436f7b11f6138d9c202d802c3a7d56847f02447d30027375d410da483d827454996c4b9d1

Download Submit
C:\Windows\System\VqjSjyp.exe

Filesize
1.4MB

MD5
a29eac552d9bcb3ef00641ba2d3123c2

SHA1
86aa7cf8f9c9256e1ec96a6452c0e5f466521b59

SHA256
d1cb9f28e114f2b86ef19a4b46a99b14ba72f50befbfab73be3f3add6d3f0148

SHA512
97e2829b517671adfcb0ce2ce334baef3e315eff26abcd2572dd2a5b835e58b0d10d4679184c4878e8b1cd354629343f120eb3e4a338f3c3a7f2ffb2ac500879

Download Submit
C:\Windows\System\XUfLwKK.exe

Filesize
1.4MB

MD5
031b14224a3a24420999938802c60519

SHA1
3eb1a292f27e7e24fe110842805b97a6b9bcbd1c

SHA256
329d2c4099ad9d89d8412611c17ddfb26b2a4a4a45999a136172c0424086ea36

SHA512
4c64128cf9096aedfce0589d8f4a3085b735e20c05806562addadeb09a209fb8894102a61cd5514933570faa50da51fa486c42a91716ed4ec0b82747f1ba9f71

Download Submit
C:\Windows\System\ZFHcxjW.exe

Filesize
1.4MB

MD5
284b8ede0cb21a8e3c6ce6908eb9cf0b

SHA1
a742d58df3ae94dc24a636dfb8a37c7ff30d0866

SHA256
57d24a997ae6a77a005ca4459b95fb9bfc76c647e407e5c5964429417cdd5a52

SHA512
cd3c107cd77b6358ad816394f79c8169f24ce3934e8a7b29d18bb06ed16ad5034f8c54fe8235d9e9e75d7149c82405b31fea89d5aa32e2e1be06106a6718e8a1

Download Submit
C:\Windows\System\cIeQdnw.exe

Filesize
1.4MB

MD5
060198df798607e500eae202094581c7

SHA1
155d8f9c24e227137b58fe406a67b6a85a5ce2ee

SHA256
dc305ef8faac1acb3cbac2f646c209c93f4e8ed9400f59ade019a5132065b235

SHA512
6ba5e7ea46cba4eff4e5a26d9c3839325e604bd768a3fb4e65af3f83151e037b021a5d23550b64390785aea76980d936fcc12bd873457a20b26bb5c4620793b2

Download Submit
C:\Windows\System\djuDmrY.exe

Filesize
1.4MB

MD5
540af9665ccab27471553efaa143c106

SHA1
1d9238e38c5b007d706156ee225950736c405f58

SHA256
71a51c797fac58d603775d84cf6b549c426c69e214fc6e49690a9e0955c25c89

SHA512
78a02f87c6ce527a9fef93bff5f7bbd77093ef67c7eec9aeb34e8ee51167d1c8627c4333781c47c49138b0f5d16c91ac3d3c60eec5a3368d63a2e08f29ae7b60

Download Submit
C:\Windows\System\fAMCSvq.exe

Filesize
1.4MB

MD5
3fdf3fb0d209da4a28e6b28ab6596adc

SHA1
24c2484898d111cade5030b98da557c33fae4137

SHA256
e42d10a91cf4bbb006495b4df585db098334872d53d8ac249cd45b1af22bd04f

SHA512
c3d79c1f549db5b961e1659c7b3879d8e62f44e6fae93542b60e1d1fc206c6dc8c9575f0a8106e7513ccbbfa060bc1fca39c2c9bd72c421e33dd4e09a4b1e5c6

Download Submit
C:\Windows\System\hGKesYa.exe

Filesize
1.4MB

MD5
ae4110809d4b78d9a348a371e1cd96c7

SHA1
23efd0b4a95ebb04554c85d0f00d0d447016b1d2

SHA256
5f1aded995a25103de09d2b19bb759a32358a2d070f35638a52bf8bf10934b16

SHA512
2591afe1fb7dfdf2d67058dadb4efa220438a8f3c8ff7551c93c86cebf5e32cffc5bdf7521144fef86cc6fe0cdc710f15ce3b6de51753f72c9ff9abd44a098d2

Download Submit
C:\Windows\System\hJSknZw.exe

Filesize
1.4MB

MD5
23b0b3b40c72cbd7811b2747fc5d5d40

SHA1
28428b9e7ae7134b09d811e39104dd8da64bdabf

SHA256
414576766e75e4ae3e4eec576b2a1e650695e4a0649b82316d5e76ca6c86ba31

SHA512
f4d023db9ba710043ae23e5206f623de332eb0c5bc5efdbb7df75ab7d72e35a457d87c0ff4064c78c56d982084037aae07609a55344847f02fe85692621b2116

Download Submit
C:\Windows\System\njLMbiO.exe

Filesize
1.4MB

MD5
d33f75cb7a8d8a80799df58693c7bcd3

SHA1
6c1a9070fccf5e5b2183f89005ae60ca9c4e55ba

SHA256
909efd0a24a834e57a16854cd0373f9eb742fee15cf222816786f55cf39ff33a

SHA512
65cdddc9d091fb817c7d43f062c556e189cb8f64c3a13fc3213308230823bcf920f7a5c162ad3f2650fd898550f14455eb5e10390b48bb7f8e750154e2fbaf1a

Download Submit
C:\Windows\System\oHaItjj.exe

Filesize
1.4MB

MD5
e0704f0fbeb82cbc72759f064f934876

SHA1
12b90bc456506952190e0882a45c5702aebfee75

SHA256
2a8e6507ed293f0b738e61ea32308837d54ed291d36390d950277af9f0c79dfa

SHA512
ff0c8c00731676adc0dbf8f6256e9b18891be676fd27a13274b29a7b9b424ea6ce8b8cca886ffc4e9658db6c7d78cc0f653d36a9eb1a270b4fbf18380c0e39c0

Download Submit
C:\Windows\System\obNqsMM.exe

Filesize
1.4MB

MD5
f8b2785f1d304373f4e68fd9c25ad0a1

SHA1
7df8f7e367d3316c30d8dc7e0137c544d2509892

SHA256
58ead964d62d84fa04cb8d40713cdf18466f80aedcb4bb490a71c25b6b1cf38e

SHA512
e1b8c62c7a6cec8b5ddad8591452c68fe3c4c14d12199a6be0a9933138196e13f187f193fbc721cb288a334ce1e0df185466fe7098b45294e53a8126d7ce8169

Download Submit
C:\Windows\System\pbdfKEn.exe

Filesize
1.4MB

MD5
77dfbdf1013541e92ecb64acf6bba062

SHA1
d22dc728b671af02abb6599057a1e965f2574f8f

SHA256
1742684c931e4e367e1055c2e33e49da5602ae1d7c932614a27459834bdd8981

SHA512
52b1fce5ea3ffa1dc9f46f4ea7bd80e6dd62432cfd326c700595234db9b850a04e0e724ae75e6f8c4a1de53a4d6a851d65b5f8fed7ee448c22545c21bd635443

Download Submit
C:\Windows\System\qWEjwNM.exe

Filesize
1.4MB

MD5
77a396ed05220915786c48f64230f9a5

SHA1
0bb9079dd275a44a68cf84202aa6852c4c241c64

SHA256
ab536f778033b0a1e31cfb5e2a7ebe658aa99c7eb2ba429082ca8127a4ffed3c

SHA512
75057400a1e5277d670f7638345b5eea2392b92927343ef9b5653455d677c34c59bd088179df0a4c41d30c843a0713ce180ac746e29b60c4a66a6cf542d943bf

Download Submit
C:\Windows\System\rdyfQsb.exe

Filesize
1.4MB

MD5
c8c0e2d904f0c5373bdf2fa0469fc57e

SHA1
11e5a530b560fca1605e4922ce4340bff164b547

SHA256
67e66ef3c34585298e1f709a0a6e00bf1970dd66f8c2e93cb66857ba1f95c2f2

SHA512
f18d89bca3bc5bfeecff78fcdbbeca9c67513a6d3dd9588447c5df33a7b229015baa07e06248afe8d796814823e5a00f58edf901c50fb12ca0bbe8a3c8bdf7c8

Download Submit
C:\Windows\System\ycgYLdD.exe

Filesize
1.4MB

MD5
a6d80f9074b8efa80fc71bb79f05e4e0

SHA1
20c42dc18af6b894d7dd0fbdbec2f0dc6cb1d077

SHA256
2e489ea1547da37715338a36ad4347d8cdabee60e80718e4bdc699b83bd5c2cb

SHA512
a121c84835d3582739c9440432d950dd70cecd82b74e17e07d47e262c15ca8ea06d7fa7587bc4a18f8135abc83259751d16c5a243bcb085b533c3130237169fe

Download Submit
C:\Windows\System\zeBQyGF.exe

Filesize
1.4MB

MD5
8a61bbb6a6838bc1057f56946f39c8a1

SHA1
8eb58b18a72053b6ec7e40d89b42ea94dd93ba4a

SHA256
860787797d761e86bedc6d448db696547fcadf4ac35e1ddd28384430e6fde993

SHA512
ad22c8427e11858cf969906b48dfe4b1b1d5cd408849384270866ce649b6ce94edcc85fa98389bbf22fab7190ee2c2edb186ce89a2a6c77f6bf543449e615359

Download Submit
C:\Windows\System\zyPWoBG.exe

Filesize
1.4MB

MD5
fac9faf53e4ed115bbbb4aa507afe32f

SHA1
e74b7715080a07ff11819d3b257368e5c7e4b5c4

SHA256
3b97bc85a5880b91eea290bec0db77c2e39a1510cccd8b6d0ceb2606e65dcc9a

SHA512
0f599552f2b2e39de0a30661bed65e06d07e69d7cbd2c3146b10873af71f22fb692b124144120dbf4a5fb65464cdac5a5e5f8b13224adf369179735d9402e171

Download Submit
memory/1060-0-0x000001B893500000-0x000001B893510000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads