cobaltstrike | 0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
Size

6.1MB
MD5

1fc541ec1d7a10e4a2cff495cf5502e3
SHA1

527f534dab9b9bc89d7f99c72f3ed2e9da66cfe6
SHA256

0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca
SHA512

eb6a3701f175bfa3e13f7ff4c971d1622588661179aac166862aba233700af94adeda87aea148c180abfbc0c0f4f0032c64baf4c5f726194fafec00bc7b815ae
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUP:T+q56utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000024043-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024221-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024220-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024222-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024223-31.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002421d-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024225-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024226-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024227-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024229-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422e-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422c-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024230-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024232-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024235-143.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024234-141.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024233-139.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024231-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422f-121.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422d-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422b-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002422a-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024228-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024236-151.dat	cobalt_reflective_dll
behavioral2/files/0x000700000001e6e2-156.dat	cobalt_reflective_dll
behavioral2/files/0x0005000000022b5d-167.dat	cobalt_reflective_dll
behavioral2/files/0x0005000000022b5e-183.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024237-187.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000227ba-176.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023fc3-186.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023fc5-185.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024239-203.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024238-195.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4920-0-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp	xmrig
behavioral2/files/0x000b000000024043-4.dat	xmrig
behavioral2/memory/1180-8-0x00007FF7EC640000-0x00007FF7EC994000-memory.dmp	xmrig
behavioral2/files/0x0007000000024221-10.dat	xmrig
behavioral2/files/0x0007000000024220-11.dat	xmrig
behavioral2/memory/4252-12-0x00007FF657E20000-0x00007FF658174000-memory.dmp	xmrig
behavioral2/memory/3920-20-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp	xmrig
behavioral2/memory/2384-24-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp	xmrig
behavioral2/files/0x0007000000024222-25.dat	xmrig
behavioral2/files/0x0007000000024223-31.dat	xmrig
behavioral2/memory/4960-30-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp	xmrig
behavioral2/files/0x000800000002421d-35.dat	xmrig
behavioral2/memory/3552-42-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp	xmrig
behavioral2/files/0x0007000000024225-43.dat	xmrig
behavioral2/memory/3976-38-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp	xmrig
behavioral2/files/0x0007000000024226-47.dat	xmrig
behavioral2/memory/2092-50-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024227-53.dat	xmrig
behavioral2/memory/4920-56-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp	xmrig
behavioral2/memory/2284-57-0x00007FF7B6870000-0x00007FF7B6BC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024229-64.dat	xmrig
behavioral2/memory/1420-82-0x00007FF736B80000-0x00007FF736ED4000-memory.dmp	xmrig
behavioral2/files/0x000700000002422e-93.dat	xmrig
behavioral2/files/0x000700000002422c-101.dat	xmrig
behavioral2/files/0x0007000000024230-110.dat	xmrig
behavioral2/files/0x0007000000024232-115.dat	xmrig
behavioral2/memory/4488-125-0x00007FF679F90000-0x00007FF67A2E4000-memory.dmp	xmrig
behavioral2/memory/1952-138-0x00007FF68AD50000-0x00007FF68B0A4000-memory.dmp	xmrig
behavioral2/memory/2960-147-0x00007FF7985D0000-0x00007FF798924000-memory.dmp	xmrig
behavioral2/memory/400-146-0x00007FF6686C0000-0x00007FF668A14000-memory.dmp	xmrig
behavioral2/memory/4496-145-0x00007FF716210000-0x00007FF716564000-memory.dmp	xmrig
behavioral2/files/0x0007000000024235-143.dat	xmrig
behavioral2/files/0x0007000000024234-141.dat	xmrig
behavioral2/files/0x0007000000024233-139.dat	xmrig
behavioral2/memory/3552-137-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp	xmrig
behavioral2/memory/1384-136-0x00007FF7DBA80000-0x00007FF7DBDD4000-memory.dmp	xmrig
behavioral2/memory/4640-123-0x00007FF69CCB0000-0x00007FF69D004000-memory.dmp	xmrig
behavioral2/files/0x0007000000024231-122.dat	xmrig
behavioral2/files/0x000700000002422f-121.dat	xmrig
behavioral2/memory/4368-114-0x00007FF7980E0000-0x00007FF798434000-memory.dmp	xmrig
behavioral2/memory/3976-113-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp	xmrig
behavioral2/memory/5008-107-0x00007FF79A0B0000-0x00007FF79A404000-memory.dmp	xmrig
behavioral2/memory/2772-99-0x00007FF7EA670000-0x00007FF7EA9C4000-memory.dmp	xmrig
behavioral2/files/0x000700000002422d-97.dat	xmrig
behavioral2/memory/4960-92-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002422b-83.dat	xmrig
behavioral2/memory/2384-81-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp	xmrig
behavioral2/files/0x000700000002422a-78.dat	xmrig
behavioral2/memory/4092-76-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp	xmrig
behavioral2/memory/3920-74-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp	xmrig
behavioral2/memory/4168-70-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp	xmrig
behavioral2/memory/4252-69-0x00007FF657E20000-0x00007FF658174000-memory.dmp	xmrig
behavioral2/files/0x0007000000024228-65.dat	xmrig
behavioral2/memory/3144-63-0x00007FF6D06A0000-0x00007FF6D09F4000-memory.dmp	xmrig
behavioral2/memory/2092-148-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024236-151.dat	xmrig
behavioral2/files/0x000700000001e6e2-156.dat	xmrig
behavioral2/files/0x0005000000022b5d-167.dat	xmrig
behavioral2/files/0x0005000000022b5e-183.dat	xmrig
behavioral2/files/0x0007000000024237-187.dat	xmrig
behavioral2/memory/4092-181-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp	xmrig
behavioral2/memory/4328-180-0x00007FF6CE370000-0x00007FF6CE6C4000-memory.dmp	xmrig
behavioral2/files/0x00090000000227ba-176.dat	xmrig
behavioral2/memory/4168-168-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1180	mIgWtKE.exe
4252	lUhfpwR.exe
3920	fiPuRfW.exe
2384	ReGsrgY.exe
4960	SAPvqhO.exe
3976	bFUlIhG.exe
3552	iKQCNPu.exe
2092	VjwyIYm.exe
2284	cKWmMXB.exe
3144	nhrQWcZ.exe
4168	pNKdLys.exe
4092	BWXetXp.exe
1420	mbulqXA.exe
2772	srWgLJi.exe
4368	nAyrEiD.exe
5008	ROIuonY.exe
4640	svkhVAb.exe
1384	UGvVVTD.exe
4488	QXmhKQh.exe
1952	dlIzmmV.exe
2960	pDYwyeO.exe
4496	wlSQGBc.exe
400	YRlWwPA.exe
1240	jgnclOS.exe
1912	tHeHdEa.exe
232	Tjkzlpy.exe
4328	falgKHe.exe
556	GVELuNX.exe
1132	KBuaQzA.exe
4748	Zeyaixk.exe
3648	sgcsGFE.exe
544	HNJwMMx.exe
4880	WKENkzt.exe
2856	mOQBLPm.exe
2268	VtfMHQg.exe
3168	TfhSSNt.exe
3424	eZCYzco.exe
2100	YFDSkqL.exe
4772	pLebJVG.exe
4064	TYUfkuq.exe
1928	NTExNFl.exe
3744	FNdGLLc.exe
4768	wrqGcLO.exe
920	sKwPhbu.exe
1480	TNCwNFW.exe
4864	TrTrGpo.exe
4892	uobDdLG.exe
4048	LksAEKc.exe
4196	POyCQMk.exe
2516	UUDCmFz.exe
4040	CTnrLND.exe
1472	nfeUBAY.exe
228	lQZtyfJ.exe
3308	TiDfVas.exe
1320	cbwlRti.exe
2600	ckbwYHJ.exe
4836	drSqVRL.exe
2524	QhCrGtn.exe
4012	NqBCquf.exe
4916	YEggJzV.exe
1568	MJiIkOp.exe
3172	eLxNPGv.exe
4456	hWwEUzQ.exe
4760	EgBYwnO.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp	upx
behavioral2/files/0x000b000000024043-4.dat	upx
behavioral2/memory/1180-8-0x00007FF7EC640000-0x00007FF7EC994000-memory.dmp	upx
behavioral2/files/0x0007000000024221-10.dat	upx
behavioral2/files/0x0007000000024220-11.dat	upx
behavioral2/memory/4252-12-0x00007FF657E20000-0x00007FF658174000-memory.dmp	upx
behavioral2/memory/3920-20-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp	upx
behavioral2/memory/2384-24-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp	upx
behavioral2/files/0x0007000000024222-25.dat	upx
behavioral2/files/0x0007000000024223-31.dat	upx
behavioral2/memory/4960-30-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp	upx
behavioral2/files/0x000800000002421d-35.dat	upx
behavioral2/memory/3552-42-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp	upx
behavioral2/files/0x0007000000024225-43.dat	upx
behavioral2/memory/3976-38-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp	upx
behavioral2/files/0x0007000000024226-47.dat	upx
behavioral2/memory/2092-50-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp	upx
behavioral2/files/0x0007000000024227-53.dat	upx
behavioral2/memory/4920-56-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp	upx
behavioral2/memory/2284-57-0x00007FF7B6870000-0x00007FF7B6BC4000-memory.dmp	upx
behavioral2/files/0x0007000000024229-64.dat	upx
behavioral2/memory/1420-82-0x00007FF736B80000-0x00007FF736ED4000-memory.dmp	upx
behavioral2/files/0x000700000002422e-93.dat	upx
behavioral2/files/0x000700000002422c-101.dat	upx
behavioral2/files/0x0007000000024230-110.dat	upx
behavioral2/files/0x0007000000024232-115.dat	upx
behavioral2/memory/4488-125-0x00007FF679F90000-0x00007FF67A2E4000-memory.dmp	upx
behavioral2/memory/1952-138-0x00007FF68AD50000-0x00007FF68B0A4000-memory.dmp	upx
behavioral2/memory/2960-147-0x00007FF7985D0000-0x00007FF798924000-memory.dmp	upx
behavioral2/memory/400-146-0x00007FF6686C0000-0x00007FF668A14000-memory.dmp	upx
behavioral2/memory/4496-145-0x00007FF716210000-0x00007FF716564000-memory.dmp	upx
behavioral2/files/0x0007000000024235-143.dat	upx
behavioral2/files/0x0007000000024234-141.dat	upx
behavioral2/files/0x0007000000024233-139.dat	upx
behavioral2/memory/3552-137-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp	upx
behavioral2/memory/1384-136-0x00007FF7DBA80000-0x00007FF7DBDD4000-memory.dmp	upx
behavioral2/memory/4640-123-0x00007FF69CCB0000-0x00007FF69D004000-memory.dmp	upx
behavioral2/files/0x0007000000024231-122.dat	upx
behavioral2/files/0x000700000002422f-121.dat	upx
behavioral2/memory/4368-114-0x00007FF7980E0000-0x00007FF798434000-memory.dmp	upx
behavioral2/memory/3976-113-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp	upx
behavioral2/memory/5008-107-0x00007FF79A0B0000-0x00007FF79A404000-memory.dmp	upx
behavioral2/memory/2772-99-0x00007FF7EA670000-0x00007FF7EA9C4000-memory.dmp	upx
behavioral2/files/0x000700000002422d-97.dat	upx
behavioral2/memory/4960-92-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp	upx
behavioral2/files/0x000700000002422b-83.dat	upx
behavioral2/memory/2384-81-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp	upx
behavioral2/files/0x000700000002422a-78.dat	upx
behavioral2/memory/4092-76-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp	upx
behavioral2/memory/3920-74-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp	upx
behavioral2/memory/4168-70-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp	upx
behavioral2/memory/4252-69-0x00007FF657E20000-0x00007FF658174000-memory.dmp	upx
behavioral2/files/0x0007000000024228-65.dat	upx
behavioral2/memory/3144-63-0x00007FF6D06A0000-0x00007FF6D09F4000-memory.dmp	upx
behavioral2/memory/2092-148-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp	upx
behavioral2/files/0x0007000000024236-151.dat	upx
behavioral2/files/0x000700000001e6e2-156.dat	upx
behavioral2/files/0x0005000000022b5d-167.dat	upx
behavioral2/files/0x0005000000022b5e-183.dat	upx
behavioral2/files/0x0007000000024237-187.dat	upx
behavioral2/memory/4092-181-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp	upx
behavioral2/memory/4328-180-0x00007FF6CE370000-0x00007FF6CE6C4000-memory.dmp	upx
behavioral2/files/0x00090000000227ba-176.dat	upx
behavioral2/memory/4168-168-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\WKENkzt.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\dfBDUFR.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\uzUWenc.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\ecEFjSN.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\DIYGcxi.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\pSQsWRB.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\YHsKbPN.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\sjewygx.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\FVBjpqB.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\QeaAhdo.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\RsXCaOd.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\upSXnJS.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\rQIiSna.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\YRfsfdO.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\qUAxgSj.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\CHPyPBL.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\TQJKSGP.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\CPrzOOG.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\QlfhWVk.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\JJJVWzy.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\NieocUI.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\njEVQOe.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\uBcHARz.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\srWgLJi.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\CZoRQOj.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\aIpOltw.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\HnKRAYe.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\aELPhHp.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\jKDMGsF.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\DxXENjj.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\pwBJhiZ.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\MJiIkOp.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\KjvPnMU.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\xSvnRpu.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\FmlOilz.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\tdUfQcv.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\wcDYPVn.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\WAPfhKR.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\WxcLKdx.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\XzizKFq.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\JuRFfRw.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\ciiSelf.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\KcpwEaf.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\SYrJrIC.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\twfqsqE.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\xsfJEjw.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\NlRajwp.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\lQtjOtN.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\iTwZnMj.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\PWGXIet.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\MhnTCXX.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\Zeyaixk.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\sgcsGFE.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\fiPuRfW.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\SIhFIgy.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\EvZzjwO.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\MWssKza.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\kAbjPQv.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\RaYRxBf.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\JMhephp.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\yMaktlT.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\UYTgEMB.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\AKMbtpI.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
File created	C:\Windows\System\CzPiiqR.exe	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Traditional Chinese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Japanese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "L3082"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bb	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bb = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Laura - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1036-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Zira"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR de-DE Lookup Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bb = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR en-US Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{6BFCACDC-A6A6-4343-9CF6-83A83727367B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bb = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{959387C3-82DD-4925-B7DC-5F0576A22785}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR ja-JP Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Ichiro"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	3972	explorer.exe
Token: SeCreatePagefilePrivilege	3972	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	5780	explorer.exe
Token: SeCreatePagefilePrivilege	5780	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	6608	explorer.exe
Token: SeCreatePagefilePrivilege	6608	explorer.exe
Token: SeShutdownPrivilege	10016	explorer.exe
Token: SeCreatePagefilePrivilege	10016	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
14888	sihost.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
3972	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
5780	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
6608	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe
10016	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2964	StartMenuExperienceHost.exe
6332	StartMenuExperienceHost.exe
7508	StartMenuExperienceHost.exe
7900	SearchApp.exe
408	StartMenuExperienceHost.exe
1952	SearchApp.exe
6956	StartMenuExperienceHost.exe
7084	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1180	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	87
PID 4920 wrote to memory of 1180	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	87
PID 4920 wrote to memory of 4252	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	88
PID 4920 wrote to memory of 4252	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	88
PID 4920 wrote to memory of 3920	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	89
PID 4920 wrote to memory of 3920	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	89
PID 4920 wrote to memory of 2384	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	90
PID 4920 wrote to memory of 2384	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	90
PID 4920 wrote to memory of 4960	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	91
PID 4920 wrote to memory of 4960	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	91
PID 4920 wrote to memory of 3976	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	92
PID 4920 wrote to memory of 3976	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	92
PID 4920 wrote to memory of 3552	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	94
PID 4920 wrote to memory of 3552	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	94
PID 4920 wrote to memory of 2092	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	95
PID 4920 wrote to memory of 2092	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	95
PID 4920 wrote to memory of 2284	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	97
PID 4920 wrote to memory of 2284	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	97
PID 4920 wrote to memory of 3144	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	98
PID 4920 wrote to memory of 3144	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	98
PID 4920 wrote to memory of 4168	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	100
PID 4920 wrote to memory of 4168	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	100
PID 4920 wrote to memory of 4092	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	101
PID 4920 wrote to memory of 4092	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	101
PID 4920 wrote to memory of 1420	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	102
PID 4920 wrote to memory of 1420	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	102
PID 4920 wrote to memory of 5008	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	103
PID 4920 wrote to memory of 5008	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	103
PID 4920 wrote to memory of 2772	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	104
PID 4920 wrote to memory of 2772	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	104
PID 4920 wrote to memory of 4368	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	105
PID 4920 wrote to memory of 4368	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	105
PID 4920 wrote to memory of 4640	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	106
PID 4920 wrote to memory of 4640	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	106
PID 4920 wrote to memory of 1384	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	107
PID 4920 wrote to memory of 1384	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	107
PID 4920 wrote to memory of 4488	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	108
PID 4920 wrote to memory of 4488	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	108
PID 4920 wrote to memory of 1952	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	109
PID 4920 wrote to memory of 1952	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	109
PID 4920 wrote to memory of 2960	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	110
PID 4920 wrote to memory of 2960	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	110
PID 4920 wrote to memory of 4496	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	111
PID 4920 wrote to memory of 4496	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	111
PID 4920 wrote to memory of 400	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	112
PID 4920 wrote to memory of 400	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	112
PID 4920 wrote to memory of 1240	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	115
PID 4920 wrote to memory of 1240	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	115
PID 4920 wrote to memory of 1912	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	116
PID 4920 wrote to memory of 1912	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	116
PID 4920 wrote to memory of 232	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	117
PID 4920 wrote to memory of 232	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	117
PID 4920 wrote to memory of 4328	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	118
PID 4920 wrote to memory of 4328	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	118
PID 4920 wrote to memory of 556	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	119
PID 4920 wrote to memory of 556	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	119
PID 4920 wrote to memory of 4748	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	120
PID 4920 wrote to memory of 4748	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	120
PID 4920 wrote to memory of 1132	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	121
PID 4920 wrote to memory of 1132	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	121
PID 4920 wrote to memory of 3648	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	122
PID 4920 wrote to memory of 3648	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	122
PID 4920 wrote to memory of 544	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	123
PID 4920 wrote to memory of 544	4920	0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe
"C:\Users\Admin\AppData\Local\Temp\0f1e5cc9d8a57d1de31b7fc025811479b40bdf7cae0bfdf30d91ab5e3096c6ca.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\System\mIgWtKE.exe
  C:\Windows\System\mIgWtKE.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\lUhfpwR.exe
  C:\Windows\System\lUhfpwR.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\fiPuRfW.exe
  C:\Windows\System\fiPuRfW.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\ReGsrgY.exe
  C:\Windows\System\ReGsrgY.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\SAPvqhO.exe
  C:\Windows\System\SAPvqhO.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\bFUlIhG.exe
  C:\Windows\System\bFUlIhG.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\iKQCNPu.exe
  C:\Windows\System\iKQCNPu.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\VjwyIYm.exe
  C:\Windows\System\VjwyIYm.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\cKWmMXB.exe
  C:\Windows\System\cKWmMXB.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\nhrQWcZ.exe
  C:\Windows\System\nhrQWcZ.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\pNKdLys.exe
  C:\Windows\System\pNKdLys.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\BWXetXp.exe
  C:\Windows\System\BWXetXp.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\mbulqXA.exe
  C:\Windows\System\mbulqXA.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\ROIuonY.exe
  C:\Windows\System\ROIuonY.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\srWgLJi.exe
  C:\Windows\System\srWgLJi.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\nAyrEiD.exe
  C:\Windows\System\nAyrEiD.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\svkhVAb.exe
  C:\Windows\System\svkhVAb.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\UGvVVTD.exe
  C:\Windows\System\UGvVVTD.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\QXmhKQh.exe
  C:\Windows\System\QXmhKQh.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\dlIzmmV.exe
  C:\Windows\System\dlIzmmV.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\pDYwyeO.exe
  C:\Windows\System\pDYwyeO.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\wlSQGBc.exe
  C:\Windows\System\wlSQGBc.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\YRlWwPA.exe
  C:\Windows\System\YRlWwPA.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\jgnclOS.exe
  C:\Windows\System\jgnclOS.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\tHeHdEa.exe
  C:\Windows\System\tHeHdEa.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\Tjkzlpy.exe
  C:\Windows\System\Tjkzlpy.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\falgKHe.exe
  C:\Windows\System\falgKHe.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\GVELuNX.exe
  C:\Windows\System\GVELuNX.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\Zeyaixk.exe
  C:\Windows\System\Zeyaixk.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\KBuaQzA.exe
  C:\Windows\System\KBuaQzA.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\sgcsGFE.exe
  C:\Windows\System\sgcsGFE.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\HNJwMMx.exe
  C:\Windows\System\HNJwMMx.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\WKENkzt.exe
  C:\Windows\System\WKENkzt.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\mOQBLPm.exe
  C:\Windows\System\mOQBLPm.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\VtfMHQg.exe
  C:\Windows\System\VtfMHQg.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\TfhSSNt.exe
  C:\Windows\System\TfhSSNt.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\eZCYzco.exe
  C:\Windows\System\eZCYzco.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\YFDSkqL.exe
  C:\Windows\System\YFDSkqL.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\pLebJVG.exe
  C:\Windows\System\pLebJVG.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\TYUfkuq.exe
  C:\Windows\System\TYUfkuq.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\NTExNFl.exe
  C:\Windows\System\NTExNFl.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\FNdGLLc.exe
  C:\Windows\System\FNdGLLc.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\wrqGcLO.exe
  C:\Windows\System\wrqGcLO.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\sKwPhbu.exe
  C:\Windows\System\sKwPhbu.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\TNCwNFW.exe
  C:\Windows\System\TNCwNFW.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\TrTrGpo.exe
  C:\Windows\System\TrTrGpo.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\uobDdLG.exe
  C:\Windows\System\uobDdLG.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\LksAEKc.exe
  C:\Windows\System\LksAEKc.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\POyCQMk.exe
  C:\Windows\System\POyCQMk.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\UUDCmFz.exe
  C:\Windows\System\UUDCmFz.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\CTnrLND.exe
  C:\Windows\System\CTnrLND.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\nfeUBAY.exe
  C:\Windows\System\nfeUBAY.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\lQZtyfJ.exe
  C:\Windows\System\lQZtyfJ.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\TiDfVas.exe
  C:\Windows\System\TiDfVas.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\cbwlRti.exe
  C:\Windows\System\cbwlRti.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\ckbwYHJ.exe
  C:\Windows\System\ckbwYHJ.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\drSqVRL.exe
  C:\Windows\System\drSqVRL.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\QhCrGtn.exe
  C:\Windows\System\QhCrGtn.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\NqBCquf.exe
  C:\Windows\System\NqBCquf.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\YEggJzV.exe
  C:\Windows\System\YEggJzV.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\MJiIkOp.exe
  C:\Windows\System\MJiIkOp.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\eLxNPGv.exe
  C:\Windows\System\eLxNPGv.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\hWwEUzQ.exe
  C:\Windows\System\hWwEUzQ.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\EgBYwnO.exe
  C:\Windows\System\EgBYwnO.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\BflZLZE.exe
  C:\Windows\System\BflZLZE.exe
  2⤵
  PID:3176
- C:\Windows\System\FVBjpqB.exe
  C:\Windows\System\FVBjpqB.exe
  2⤵
  PID:3268
- C:\Windows\System\epQgQdZ.exe
  C:\Windows\System\epQgQdZ.exe
  2⤵
  PID:3720
- C:\Windows\System\UuYpULA.exe
  C:\Windows\System\UuYpULA.exe
  2⤵
  PID:540
- C:\Windows\System\XLJIVWU.exe
  C:\Windows\System\XLJIVWU.exe
  2⤵
  PID:4424
- C:\Windows\System\Kvsknwg.exe
  C:\Windows\System\Kvsknwg.exe
  2⤵
  PID:4440
- C:\Windows\System\ZZRkiSG.exe
  C:\Windows\System\ZZRkiSG.exe
  2⤵
  PID:4432
- C:\Windows\System\mHkxJiH.exe
  C:\Windows\System\mHkxJiH.exe
  2⤵
  PID:888
- C:\Windows\System\BXrilWr.exe
  C:\Windows\System\BXrilWr.exe
  2⤵
  PID:4612
- C:\Windows\System\abllcKW.exe
  C:\Windows\System\abllcKW.exe
  2⤵
  PID:5112
- C:\Windows\System\koGFaeV.exe
  C:\Windows\System\koGFaeV.exe
  2⤵
  PID:4900
- C:\Windows\System\TTicHKd.exe
  C:\Windows\System\TTicHKd.exe
  2⤵
  PID:3876
- C:\Windows\System\Ogruwaq.exe
  C:\Windows\System\Ogruwaq.exe
  2⤵
  PID:2320
- C:\Windows\System\dUDVINb.exe
  C:\Windows\System\dUDVINb.exe
  2⤵
  PID:5128
- C:\Windows\System\kqowRnJ.exe
  C:\Windows\System\kqowRnJ.exe
  2⤵
  PID:5152
- C:\Windows\System\fqwxceQ.exe
  C:\Windows\System\fqwxceQ.exe
  2⤵
  PID:5176
- C:\Windows\System\iSvSbIZ.exe
  C:\Windows\System\iSvSbIZ.exe
  2⤵
  PID:5208
- C:\Windows\System\YamEkBu.exe
  C:\Windows\System\YamEkBu.exe
  2⤵
  PID:5240
- C:\Windows\System\wqvSiTN.exe
  C:\Windows\System\wqvSiTN.exe
  2⤵
  PID:5268
- C:\Windows\System\IiywxJf.exe
  C:\Windows\System\IiywxJf.exe
  2⤵
  PID:5296
- C:\Windows\System\oPgNPRe.exe
  C:\Windows\System\oPgNPRe.exe
  2⤵
  PID:5324
- C:\Windows\System\KHEBwig.exe
  C:\Windows\System\KHEBwig.exe
  2⤵
  PID:5352
- C:\Windows\System\TQJKSGP.exe
  C:\Windows\System\TQJKSGP.exe
  2⤵
  PID:5380
- C:\Windows\System\INGXWhu.exe
  C:\Windows\System\INGXWhu.exe
  2⤵
  PID:5408
- C:\Windows\System\yYeByBM.exe
  C:\Windows\System\yYeByBM.exe
  2⤵
  PID:5436
- C:\Windows\System\SIhFIgy.exe
  C:\Windows\System\SIhFIgy.exe
  2⤵
  PID:5464
- C:\Windows\System\bEBtJxO.exe
  C:\Windows\System\bEBtJxO.exe
  2⤵
  PID:5492
- C:\Windows\System\cavmMPT.exe
  C:\Windows\System\cavmMPT.exe
  2⤵
  PID:5520
- C:\Windows\System\YWGMIcS.exe
  C:\Windows\System\YWGMIcS.exe
  2⤵
  PID:5548
- C:\Windows\System\ajEDYUu.exe
  C:\Windows\System\ajEDYUu.exe
  2⤵
  PID:5576
- C:\Windows\System\bWZhMtW.exe
  C:\Windows\System\bWZhMtW.exe
  2⤵
  PID:5604
- C:\Windows\System\BXJZLUR.exe
  C:\Windows\System\BXJZLUR.exe
  2⤵
  PID:5632
- C:\Windows\System\hinJLTE.exe
  C:\Windows\System\hinJLTE.exe
  2⤵
  PID:5660
- C:\Windows\System\bmoDsYi.exe
  C:\Windows\System\bmoDsYi.exe
  2⤵
  PID:5688
- C:\Windows\System\VqesTcr.exe
  C:\Windows\System\VqesTcr.exe
  2⤵
  PID:5716
- C:\Windows\System\GnBJZtx.exe
  C:\Windows\System\GnBJZtx.exe
  2⤵
  PID:5744
- C:\Windows\System\JMhephp.exe
  C:\Windows\System\JMhephp.exe
  2⤵
  PID:5772
- C:\Windows\System\PrNbAKA.exe
  C:\Windows\System\PrNbAKA.exe
  2⤵
  PID:5788
- C:\Windows\System\uFzspQC.exe
  C:\Windows\System\uFzspQC.exe
  2⤵
  PID:5844
- C:\Windows\System\ycIoncj.exe
  C:\Windows\System\ycIoncj.exe
  2⤵
  PID:5892
- C:\Windows\System\QakTAMg.exe
  C:\Windows\System\QakTAMg.exe
  2⤵
  PID:5920
- C:\Windows\System\zXocZJi.exe
  C:\Windows\System\zXocZJi.exe
  2⤵
  PID:5948
- C:\Windows\System\GCzCmMF.exe
  C:\Windows\System\GCzCmMF.exe
  2⤵
  PID:5976
- C:\Windows\System\MBsMepM.exe
  C:\Windows\System\MBsMepM.exe
  2⤵
  PID:6004
- C:\Windows\System\PYSrlSZ.exe
  C:\Windows\System\PYSrlSZ.exe
  2⤵
  PID:6032
- C:\Windows\System\WsaBBmJ.exe
  C:\Windows\System\WsaBBmJ.exe
  2⤵
  PID:6060
- C:\Windows\System\FgVQMHx.exe
  C:\Windows\System\FgVQMHx.exe
  2⤵
  PID:6092
- C:\Windows\System\qdnmAib.exe
  C:\Windows\System\qdnmAib.exe
  2⤵
  PID:6112
- C:\Windows\System\ZJfvWyO.exe
  C:\Windows\System\ZJfvWyO.exe
  2⤵
  PID:4596
- C:\Windows\System\NuBjHSK.exe
  C:\Windows\System\NuBjHSK.exe
  2⤵
  PID:5192
- C:\Windows\System\DsLSObQ.exe
  C:\Windows\System\DsLSObQ.exe
  2⤵
  PID:5264
- C:\Windows\System\GZeKhUl.exe
  C:\Windows\System\GZeKhUl.exe
  2⤵
  PID:5312
- C:\Windows\System\TTypgvT.exe
  C:\Windows\System\TTypgvT.exe
  2⤵
  PID:5388
- C:\Windows\System\NUMBAos.exe
  C:\Windows\System\NUMBAos.exe
  2⤵
  PID:5460
- C:\Windows\System\pxIkWLD.exe
  C:\Windows\System\pxIkWLD.exe
  2⤵
  PID:5508
- C:\Windows\System\iCaJLRy.exe
  C:\Windows\System\iCaJLRy.exe
  2⤵
  PID:5584
- C:\Windows\System\YvaPhqy.exe
  C:\Windows\System\YvaPhqy.exe
  2⤵
  PID:5620
- C:\Windows\System\qWBJgxa.exe
  C:\Windows\System\qWBJgxa.exe
  2⤵
  PID:5676
- C:\Windows\System\oEPntEG.exe
  C:\Windows\System\oEPntEG.exe
  2⤵
  PID:5732
- C:\Windows\System\sDPXSlH.exe
  C:\Windows\System\sDPXSlH.exe
  2⤵
  PID:5836
- C:\Windows\System\EKRggjv.exe
  C:\Windows\System\EKRggjv.exe
  2⤵
  PID:5928
- C:\Windows\System\QsUxfmr.exe
  C:\Windows\System\QsUxfmr.exe
  2⤵
  PID:6028
- C:\Windows\System\XQXTeNh.exe
  C:\Windows\System\XQXTeNh.exe
  2⤵
  PID:4084
- C:\Windows\System\sRWZzrA.exe
  C:\Windows\System\sRWZzrA.exe
  2⤵
  PID:1692
- C:\Windows\System\LkyyqeS.exe
  C:\Windows\System\LkyyqeS.exe
  2⤵
  PID:3356
- C:\Windows\System\QqAifZF.exe
  C:\Windows\System\QqAifZF.exe
  2⤵
  PID:3348
- C:\Windows\System\rDHDGHo.exe
  C:\Windows\System\rDHDGHo.exe
  2⤵
  PID:6100
- C:\Windows\System\ujnJTts.exe
  C:\Windows\System\ujnJTts.exe
  2⤵
  PID:5164
- C:\Windows\System\lteNTPm.exe
  C:\Windows\System\lteNTPm.exe
  2⤵
  PID:5320
- C:\Windows\System\FqEqYJN.exe
  C:\Windows\System\FqEqYJN.exe
  2⤵
  PID:5472
- C:\Windows\System\QeaAhdo.exe
  C:\Windows\System\QeaAhdo.exe
  2⤵
  PID:5612
- C:\Windows\System\tFrUGys.exe
  C:\Windows\System\tFrUGys.exe
  2⤵
  PID:5760
- C:\Windows\System\GZUTPEc.exe
  C:\Windows\System\GZUTPEc.exe
  2⤵
  PID:5956
- C:\Windows\System\LxaWmMS.exe
  C:\Windows\System\LxaWmMS.exe
  2⤵
  PID:5028
- C:\Windows\System\VDBhswC.exe
  C:\Windows\System\VDBhswC.exe
  2⤵
  PID:4556
- C:\Windows\System\lUOTecE.exe
  C:\Windows\System\lUOTecE.exe
  2⤵
  PID:6136
- C:\Windows\System\PxHgpiy.exe
  C:\Windows\System\PxHgpiy.exe
  2⤵
  PID:5480
- C:\Windows\System\FTXaKyZ.exe
  C:\Windows\System\FTXaKyZ.exe
  2⤵
  PID:5872
- C:\Windows\System\aNIzQBn.exe
  C:\Windows\System\aNIzQBn.exe
  2⤵
  PID:3208
- C:\Windows\System\IKlPrje.exe
  C:\Windows\System\IKlPrje.exe
  2⤵
  PID:5144
- C:\Windows\System\QJaISnn.exe
  C:\Windows\System\QJaISnn.exe
  2⤵
  PID:5880
- C:\Windows\System\qMnEvYG.exe
  C:\Windows\System\qMnEvYG.exe
  2⤵
  PID:6160
- C:\Windows\System\yQjXmEG.exe
  C:\Windows\System\yQjXmEG.exe
  2⤵
  PID:6200
- C:\Windows\System\TgtPSGj.exe
  C:\Windows\System\TgtPSGj.exe
  2⤵
  PID:6228
- C:\Windows\System\pWHVlir.exe
  C:\Windows\System\pWHVlir.exe
  2⤵
  PID:6256
- C:\Windows\System\UZrcIlb.exe
  C:\Windows\System\UZrcIlb.exe
  2⤵
  PID:6284
- C:\Windows\System\GtxEKbh.exe
  C:\Windows\System\GtxEKbh.exe
  2⤵
  PID:6312
- C:\Windows\System\nZfynZb.exe
  C:\Windows\System\nZfynZb.exe
  2⤵
  PID:6340
- C:\Windows\System\zuuRBGA.exe
  C:\Windows\System\zuuRBGA.exe
  2⤵
  PID:6368
- C:\Windows\System\zEKvvsf.exe
  C:\Windows\System\zEKvvsf.exe
  2⤵
  PID:6396
- C:\Windows\System\AureRAw.exe
  C:\Windows\System\AureRAw.exe
  2⤵
  PID:6424
- C:\Windows\System\yYCkzMd.exe
  C:\Windows\System\yYCkzMd.exe
  2⤵
  PID:6452
- C:\Windows\System\NFgRxUN.exe
  C:\Windows\System\NFgRxUN.exe
  2⤵
  PID:6480
- C:\Windows\System\KjvPnMU.exe
  C:\Windows\System\KjvPnMU.exe
  2⤵
  PID:6508
- C:\Windows\System\IpONHVm.exe
  C:\Windows\System\IpONHVm.exe
  2⤵
  PID:6536
- C:\Windows\System\FYzeNxg.exe
  C:\Windows\System\FYzeNxg.exe
  2⤵
  PID:6564
- C:\Windows\System\gvqbUiu.exe
  C:\Windows\System\gvqbUiu.exe
  2⤵
  PID:6592
- C:\Windows\System\yMaktlT.exe
  C:\Windows\System\yMaktlT.exe
  2⤵
  PID:6616
- C:\Windows\System\faxRvpz.exe
  C:\Windows\System\faxRvpz.exe
  2⤵
  PID:6656
- C:\Windows\System\ENuJFRQ.exe
  C:\Windows\System\ENuJFRQ.exe
  2⤵
  PID:6736
- C:\Windows\System\ehsDQbt.exe
  C:\Windows\System\ehsDQbt.exe
  2⤵
  PID:6760
- C:\Windows\System\CrchOZg.exe
  C:\Windows\System\CrchOZg.exe
  2⤵
  PID:6796
- C:\Windows\System\zUNfjaZ.exe
  C:\Windows\System\zUNfjaZ.exe
  2⤵
  PID:6860
- C:\Windows\System\qEuhyqx.exe
  C:\Windows\System\qEuhyqx.exe
  2⤵
  PID:6900
- C:\Windows\System\PzaktFO.exe
  C:\Windows\System\PzaktFO.exe
  2⤵
  PID:6916
- C:\Windows\System\CkPxWoe.exe
  C:\Windows\System\CkPxWoe.exe
  2⤵
  PID:6944
- C:\Windows\System\twfqsqE.exe
  C:\Windows\System\twfqsqE.exe
  2⤵
  PID:6972
- C:\Windows\System\wpIGAXc.exe
  C:\Windows\System\wpIGAXc.exe
  2⤵
  PID:7024
- C:\Windows\System\dfBDUFR.exe
  C:\Windows\System\dfBDUFR.exe
  2⤵
  PID:7084
- C:\Windows\System\rOWhWHs.exe
  C:\Windows\System\rOWhWHs.exe
  2⤵
  PID:7116
- C:\Windows\System\UEuElKi.exe
  C:\Windows\System\UEuElKi.exe
  2⤵
  PID:7144
- C:\Windows\System\mppAnMf.exe
  C:\Windows\System\mppAnMf.exe
  2⤵
  PID:6152
- C:\Windows\System\mKhfmrn.exe
  C:\Windows\System\mKhfmrn.exe
  2⤵
  PID:6224
- C:\Windows\System\LOGlEwe.exe
  C:\Windows\System\LOGlEwe.exe
  2⤵
  PID:2240
- C:\Windows\System\uEaFvqw.exe
  C:\Windows\System\uEaFvqw.exe
  2⤵
  PID:6348
- C:\Windows\System\xQjGGYk.exe
  C:\Windows\System\xQjGGYk.exe
  2⤵
  PID:6420
- C:\Windows\System\yiaFpRq.exe
  C:\Windows\System\yiaFpRq.exe
  2⤵
  PID:6468
- C:\Windows\System\vWBxxhX.exe
  C:\Windows\System\vWBxxhX.exe
  2⤵
  PID:6544
- C:\Windows\System\aAluJZp.exe
  C:\Windows\System\aAluJZp.exe
  2⤵
  PID:6580
- C:\Windows\System\SESuikL.exe
  C:\Windows\System\SESuikL.exe
  2⤵
  PID:6744
- C:\Windows\System\qTeeWmD.exe
  C:\Windows\System\qTeeWmD.exe
  2⤵
  PID:6832
- C:\Windows\System\iivMzmh.exe
  C:\Windows\System\iivMzmh.exe
  2⤵
  PID:6908
- C:\Windows\System\nNmwsIZ.exe
  C:\Windows\System\nNmwsIZ.exe
  2⤵
  PID:6984
- C:\Windows\System\fofMIBy.exe
  C:\Windows\System\fofMIBy.exe
  2⤵
  PID:3536
- C:\Windows\System\eeqAXam.exe
  C:\Windows\System\eeqAXam.exe
  2⤵
  PID:684
- C:\Windows\System\xHTwMSR.exe
  C:\Windows\System\xHTwMSR.exe
  2⤵
  PID:4840
- C:\Windows\System\gAnomil.exe
  C:\Windows\System\gAnomil.exe
  2⤵
  PID:6252
- C:\Windows\System\mudSFwu.exe
  C:\Windows\System\mudSFwu.exe
  2⤵
  PID:6320
- C:\Windows\System\CZoRQOj.exe
  C:\Windows\System\CZoRQOj.exe
  2⤵
  PID:6440
- C:\Windows\System\fydmiRu.exe
  C:\Windows\System\fydmiRu.exe
  2⤵
  PID:6624
- C:\Windows\System\hVZqIrc.exe
  C:\Windows\System\hVZqIrc.exe
  2⤵
  PID:6912
- C:\Windows\System\IlyyYOO.exe
  C:\Windows\System\IlyyYOO.exe
  2⤵
  PID:7056
- C:\Windows\System\VNerKlR.exe
  C:\Windows\System\VNerKlR.exe
  2⤵
  PID:6188
- C:\Windows\System\UuZVeuk.exe
  C:\Windows\System\UuZVeuk.exe
  2⤵
  PID:4888
- C:\Windows\System\uzUWenc.exe
  C:\Windows\System\uzUWenc.exe
  2⤵
  PID:4120
- C:\Windows\System\aOoffjP.exe
  C:\Windows\System\aOoffjP.exe
  2⤵
  PID:7124
- C:\Windows\System\XAeDDVH.exe
  C:\Windows\System\XAeDDVH.exe
  2⤵
  PID:6532
- C:\Windows\System\dGmoHRY.exe
  C:\Windows\System\dGmoHRY.exe
  2⤵
  PID:6304
- C:\Windows\System\XJidavI.exe
  C:\Windows\System\XJidavI.exe
  2⤵
  PID:6384
- C:\Windows\System\fPjRraJ.exe
  C:\Windows\System\fPjRraJ.exe
  2⤵
  PID:7192
- C:\Windows\System\CNViePi.exe
  C:\Windows\System\CNViePi.exe
  2⤵
  PID:7212
- C:\Windows\System\RsXCaOd.exe
  C:\Windows\System\RsXCaOd.exe
  2⤵
  PID:7240
- C:\Windows\System\RioLeWA.exe
  C:\Windows\System\RioLeWA.exe
  2⤵
  PID:7276
- C:\Windows\System\vZgpmyo.exe
  C:\Windows\System\vZgpmyo.exe
  2⤵
  PID:7308
- C:\Windows\System\RGiBfVK.exe
  C:\Windows\System\RGiBfVK.exe
  2⤵
  PID:7324
- C:\Windows\System\xSvnRpu.exe
  C:\Windows\System\xSvnRpu.exe
  2⤵
  PID:7356
- C:\Windows\System\CymISyX.exe
  C:\Windows\System\CymISyX.exe
  2⤵
  PID:7384
- C:\Windows\System\mflQMXB.exe
  C:\Windows\System\mflQMXB.exe
  2⤵
  PID:7408
- C:\Windows\System\PzUqlEA.exe
  C:\Windows\System\PzUqlEA.exe
  2⤵
  PID:7436
- C:\Windows\System\JAKlCwd.exe
  C:\Windows\System\JAKlCwd.exe
  2⤵
  PID:7464
- C:\Windows\System\YqPtbUF.exe
  C:\Windows\System\YqPtbUF.exe
  2⤵
  PID:7496
- C:\Windows\System\jEbBoOk.exe
  C:\Windows\System\jEbBoOk.exe
  2⤵
  PID:7520
- C:\Windows\System\vGXvtur.exe
  C:\Windows\System\vGXvtur.exe
  2⤵
  PID:7548
- C:\Windows\System\aIpOltw.exe
  C:\Windows\System\aIpOltw.exe
  2⤵
  PID:7580
- C:\Windows\System\OuIrDkO.exe
  C:\Windows\System\OuIrDkO.exe
  2⤵
  PID:7612
- C:\Windows\System\HnKRAYe.exe
  C:\Windows\System\HnKRAYe.exe
  2⤵
  PID:7636
- C:\Windows\System\zrhDGRc.exe
  C:\Windows\System\zrhDGRc.exe
  2⤵
  PID:7660
- C:\Windows\System\ioShfnI.exe
  C:\Windows\System\ioShfnI.exe
  2⤵
  PID:7688
- C:\Windows\System\KdNXXLm.exe
  C:\Windows\System\KdNXXLm.exe
  2⤵
  PID:7716
- C:\Windows\System\KQMMLah.exe
  C:\Windows\System\KQMMLah.exe
  2⤵
  PID:7744
- C:\Windows\System\SljHaUy.exe
  C:\Windows\System\SljHaUy.exe
  2⤵
  PID:7772
- C:\Windows\System\fmeaVgc.exe
  C:\Windows\System\fmeaVgc.exe
  2⤵
  PID:7800
- C:\Windows\System\iNOiXff.exe
  C:\Windows\System\iNOiXff.exe
  2⤵
  PID:7828
- C:\Windows\System\hjUwOgZ.exe
  C:\Windows\System\hjUwOgZ.exe
  2⤵
  PID:7856
- C:\Windows\System\RWVRZOr.exe
  C:\Windows\System\RWVRZOr.exe
  2⤵
  PID:7888
- C:\Windows\System\kXIitkK.exe
  C:\Windows\System\kXIitkK.exe
  2⤵
  PID:7912
- C:\Windows\System\vsEMTkj.exe
  C:\Windows\System\vsEMTkj.exe
  2⤵
  PID:7952
- C:\Windows\System\HDjiFyk.exe
  C:\Windows\System\HDjiFyk.exe
  2⤵
  PID:7992
- C:\Windows\System\ikIbkmH.exe
  C:\Windows\System\ikIbkmH.exe
  2⤵
  PID:8016
- C:\Windows\System\fdPTXZh.exe
  C:\Windows\System\fdPTXZh.exe
  2⤵
  PID:8056
- C:\Windows\System\LJWqKud.exe
  C:\Windows\System\LJWqKud.exe
  2⤵
  PID:8076
- C:\Windows\System\XDZTzIH.exe
  C:\Windows\System\XDZTzIH.exe
  2⤵
  PID:8092
- C:\Windows\System\RdWLfEB.exe
  C:\Windows\System\RdWLfEB.exe
  2⤵
  PID:8132
- C:\Windows\System\NxuIFrp.exe
  C:\Windows\System\NxuIFrp.exe
  2⤵
  PID:8164
- C:\Windows\System\epxRHoK.exe
  C:\Windows\System\epxRHoK.exe
  2⤵
  PID:2272
- C:\Windows\System\nUpiSvs.exe
  C:\Windows\System\nUpiSvs.exe
  2⤵
  PID:7228
- C:\Windows\System\vrDFgCG.exe
  C:\Windows\System\vrDFgCG.exe
  2⤵
  PID:7284
- C:\Windows\System\LxBHIjX.exe
  C:\Windows\System\LxBHIjX.exe
  2⤵
  PID:7336
- C:\Windows\System\qmEUNfu.exe
  C:\Windows\System\qmEUNfu.exe
  2⤵
  PID:7376
- C:\Windows\System\bMVxRWC.exe
  C:\Windows\System\bMVxRWC.exe
  2⤵
  PID:7448
- C:\Windows\System\HTZGWzW.exe
  C:\Windows\System\HTZGWzW.exe
  2⤵
  PID:7516
- C:\Windows\System\ASXPTJE.exe
  C:\Windows\System\ASXPTJE.exe
  2⤵
  PID:7600
- C:\Windows\System\agrNJZT.exe
  C:\Windows\System\agrNJZT.exe
  2⤵
  PID:7680
- C:\Windows\System\SVaPBUE.exe
  C:\Windows\System\SVaPBUE.exe
  2⤵
  PID:7740
- C:\Windows\System\RlXHdSc.exe
  C:\Windows\System\RlXHdSc.exe
  2⤵
  PID:7784
- C:\Windows\System\TFHipkR.exe
  C:\Windows\System\TFHipkR.exe
  2⤵
  PID:7848
- C:\Windows\System\FFNynIO.exe
  C:\Windows\System\FFNynIO.exe
  2⤵
  PID:7968
- C:\Windows\System\iCfLgZZ.exe
  C:\Windows\System\iCfLgZZ.exe
  2⤵
  PID:8028
- C:\Windows\System\NCDcyyu.exe
  C:\Windows\System\NCDcyyu.exe
  2⤵
  PID:8108
- C:\Windows\System\reCVbZz.exe
  C:\Windows\System\reCVbZz.exe
  2⤵
  PID:7208
- C:\Windows\System\FgjvnyU.exe
  C:\Windows\System\FgjvnyU.exe
  2⤵
  PID:7320
- C:\Windows\System\CqnHbzI.exe
  C:\Windows\System\CqnHbzI.exe
  2⤵
  PID:7484
- C:\Windows\System\coiGbeX.exe
  C:\Windows\System\coiGbeX.exe
  2⤵
  PID:7644
- C:\Windows\System\FSdScGU.exe
  C:\Windows\System\FSdScGU.exe
  2⤵
  PID:1808
- C:\Windows\System\VqldxnR.exe
  C:\Windows\System\VqldxnR.exe
  2⤵
  PID:2528
- C:\Windows\System\tYWWnKS.exe
  C:\Windows\System\tYWWnKS.exe
  2⤵
  PID:7736
- C:\Windows\System\KSgsvdB.exe
  C:\Windows\System\KSgsvdB.exe
  2⤵
  PID:7896
- C:\Windows\System\CPrzOOG.exe
  C:\Windows\System\CPrzOOG.exe
  2⤵
  PID:8008
- C:\Windows\System\AuzStcb.exe
  C:\Windows\System\AuzStcb.exe
  2⤵
  PID:7060
- C:\Windows\System\MeNCUmm.exe
  C:\Windows\System\MeNCUmm.exe
  2⤵
  PID:6572
- C:\Windows\System\HcYEwVx.exe
  C:\Windows\System\HcYEwVx.exe
  2⤵
  PID:3280
- C:\Windows\System\JJXtDOu.exe
  C:\Windows\System\JJXtDOu.exe
  2⤵
  PID:3164
- C:\Windows\System\XlyJPjO.exe
  C:\Windows\System\XlyJPjO.exe
  2⤵
  PID:4716
- C:\Windows\System\EzAMtKt.exe
  C:\Windows\System\EzAMtKt.exe
  2⤵
  PID:8088
- C:\Windows\System\upSXnJS.exe
  C:\Windows\System\upSXnJS.exe
  2⤵
  PID:7044
- C:\Windows\System\MBzDjaA.exe
  C:\Windows\System\MBzDjaA.exe
  2⤵
  PID:7712
- C:\Windows\System\HgpCtdf.exe
  C:\Windows\System\HgpCtdf.exe
  2⤵
  PID:3732
- C:\Windows\System\nURUZlL.exe
  C:\Windows\System\nURUZlL.exe
  2⤵
  PID:7288
- C:\Windows\System\aELPhHp.exe
  C:\Windows\System\aELPhHp.exe
  2⤵
  PID:8220
- C:\Windows\System\CnObTuz.exe
  C:\Windows\System\CnObTuz.exe
  2⤵
  PID:8248
- C:\Windows\System\bOftRpB.exe
  C:\Windows\System\bOftRpB.exe
  2⤵
  PID:8276
- C:\Windows\System\cgJHbYb.exe
  C:\Windows\System\cgJHbYb.exe
  2⤵
  PID:8308
- C:\Windows\System\rQIiSna.exe
  C:\Windows\System\rQIiSna.exe
  2⤵
  PID:8332
- C:\Windows\System\OxSIply.exe
  C:\Windows\System\OxSIply.exe
  2⤵
  PID:8360
- C:\Windows\System\KBtHGUA.exe
  C:\Windows\System\KBtHGUA.exe
  2⤵
  PID:8388
- C:\Windows\System\JWecJNX.exe
  C:\Windows\System\JWecJNX.exe
  2⤵
  PID:8420
- C:\Windows\System\PyIrLlN.exe
  C:\Windows\System\PyIrLlN.exe
  2⤵
  PID:8448
- C:\Windows\System\aeKJusD.exe
  C:\Windows\System\aeKJusD.exe
  2⤵
  PID:8476
- C:\Windows\System\jSIQSRI.exe
  C:\Windows\System\jSIQSRI.exe
  2⤵
  PID:8504
- C:\Windows\System\sHKznjO.exe
  C:\Windows\System\sHKznjO.exe
  2⤵
  PID:8532
- C:\Windows\System\fwsZfzT.exe
  C:\Windows\System\fwsZfzT.exe
  2⤵
  PID:8560
- C:\Windows\System\dCuFBqO.exe
  C:\Windows\System\dCuFBqO.exe
  2⤵
  PID:8588
- C:\Windows\System\rCDDuJj.exe
  C:\Windows\System\rCDDuJj.exe
  2⤵
  PID:8616
- C:\Windows\System\wfDdEZJ.exe
  C:\Windows\System\wfDdEZJ.exe
  2⤵
  PID:8644
- C:\Windows\System\strpqhy.exe
  C:\Windows\System\strpqhy.exe
  2⤵
  PID:8672
- C:\Windows\System\JiiANAS.exe
  C:\Windows\System\JiiANAS.exe
  2⤵
  PID:8700
- C:\Windows\System\SDufGCo.exe
  C:\Windows\System\SDufGCo.exe
  2⤵
  PID:8728
- C:\Windows\System\PjqlpmZ.exe
  C:\Windows\System\PjqlpmZ.exe
  2⤵
  PID:8756
- C:\Windows\System\xJgmLux.exe
  C:\Windows\System\xJgmLux.exe
  2⤵
  PID:8784
- C:\Windows\System\GtodJFT.exe
  C:\Windows\System\GtodJFT.exe
  2⤵
  PID:8812
- C:\Windows\System\bVvTgxE.exe
  C:\Windows\System\bVvTgxE.exe
  2⤵
  PID:8840
- C:\Windows\System\qtGzLvT.exe
  C:\Windows\System\qtGzLvT.exe
  2⤵
  PID:8868
- C:\Windows\System\LzyTsqa.exe
  C:\Windows\System\LzyTsqa.exe
  2⤵
  PID:8896
- C:\Windows\System\Wwmkkji.exe
  C:\Windows\System\Wwmkkji.exe
  2⤵
  PID:8924
- C:\Windows\System\BJvjXOp.exe
  C:\Windows\System\BJvjXOp.exe
  2⤵
  PID:8952
- C:\Windows\System\WZDWIwJ.exe
  C:\Windows\System\WZDWIwJ.exe
  2⤵
  PID:8980
- C:\Windows\System\iRDvGgu.exe
  C:\Windows\System\iRDvGgu.exe
  2⤵
  PID:9008
- C:\Windows\System\OBPEJyO.exe
  C:\Windows\System\OBPEJyO.exe
  2⤵
  PID:9048
- C:\Windows\System\UUEJTBs.exe
  C:\Windows\System\UUEJTBs.exe
  2⤵
  PID:9064
- C:\Windows\System\qGIlUwh.exe
  C:\Windows\System\qGIlUwh.exe
  2⤵
  PID:9092
- C:\Windows\System\AKKYHlk.exe
  C:\Windows\System\AKKYHlk.exe
  2⤵
  PID:9120
- C:\Windows\System\xsfJEjw.exe
  C:\Windows\System\xsfJEjw.exe
  2⤵
  PID:9148
- C:\Windows\System\YMNjWcw.exe
  C:\Windows\System\YMNjWcw.exe
  2⤵
  PID:9176
- C:\Windows\System\xNwRuEz.exe
  C:\Windows\System\xNwRuEz.exe
  2⤵
  PID:9204
- C:\Windows\System\eDKHWKu.exe
  C:\Windows\System\eDKHWKu.exe
  2⤵
  PID:8232
- C:\Windows\System\FbtsfgY.exe
  C:\Windows\System\FbtsfgY.exe
  2⤵
  PID:8296
- C:\Windows\System\JuFfCcX.exe
  C:\Windows\System\JuFfCcX.exe
  2⤵
  PID:8356
- C:\Windows\System\BIwAHBP.exe
  C:\Windows\System\BIwAHBP.exe
  2⤵
  PID:8432
- C:\Windows\System\TcdCaIa.exe
  C:\Windows\System\TcdCaIa.exe
  2⤵
  PID:8500
- C:\Windows\System\uPipOGO.exe
  C:\Windows\System\uPipOGO.exe
  2⤵
  PID:8556
- C:\Windows\System\UYGbtOr.exe
  C:\Windows\System\UYGbtOr.exe
  2⤵
  PID:8628
- C:\Windows\System\JVcceYa.exe
  C:\Windows\System\JVcceYa.exe
  2⤵
  PID:8692
- C:\Windows\System\hIZIVCe.exe
  C:\Windows\System\hIZIVCe.exe
  2⤵
  PID:8752
- C:\Windows\System\AqaAQHn.exe
  C:\Windows\System\AqaAQHn.exe
  2⤵
  PID:8824
- C:\Windows\System\WiBInVd.exe
  C:\Windows\System\WiBInVd.exe
  2⤵
  PID:8880
- C:\Windows\System\MFshYqo.exe
  C:\Windows\System\MFshYqo.exe
  2⤵
  PID:8944
- C:\Windows\System\BIZRjpC.exe
  C:\Windows\System\BIZRjpC.exe
  2⤵
  PID:9004
- C:\Windows\System\gEcdasG.exe
  C:\Windows\System\gEcdasG.exe
  2⤵
  PID:9060
- C:\Windows\System\GxMAepi.exe
  C:\Windows\System\GxMAepi.exe
  2⤵
  PID:9132
- C:\Windows\System\WUDMTmB.exe
  C:\Windows\System\WUDMTmB.exe
  2⤵
  PID:9196
- C:\Windows\System\GVlyYqW.exe
  C:\Windows\System\GVlyYqW.exe
  2⤵
  PID:8272
- C:\Windows\System\EJSbzBL.exe
  C:\Windows\System\EJSbzBL.exe
  2⤵
  PID:8416
- C:\Windows\System\GNLsVdd.exe
  C:\Windows\System\GNLsVdd.exe
  2⤵
  PID:8584
- C:\Windows\System\AevtAdh.exe
  C:\Windows\System\AevtAdh.exe
  2⤵
  PID:8740
- C:\Windows\System\fxXAnwt.exe
  C:\Windows\System\fxXAnwt.exe
  2⤵
  PID:8864
- C:\Windows\System\WkwjMYZ.exe
  C:\Windows\System\WkwjMYZ.exe
  2⤵
  PID:9044
- C:\Windows\System\pdNiJEZ.exe
  C:\Windows\System\pdNiJEZ.exe
  2⤵
  PID:9172
- C:\Windows\System\ppWCNSw.exe
  C:\Windows\System\ppWCNSw.exe
  2⤵
  PID:8412
- C:\Windows\System\ArJRMUD.exe
  C:\Windows\System\ArJRMUD.exe
  2⤵
  PID:8804
- C:\Windows\System\DIxDKFm.exe
  C:\Windows\System\DIxDKFm.exe
  2⤵
  PID:9116
- C:\Windows\System\RDOaNkR.exe
  C:\Windows\System\RDOaNkR.exe
  2⤵
  PID:9000
- C:\Windows\System\puqGfiW.exe
  C:\Windows\System\puqGfiW.exe
  2⤵
  PID:8344
- C:\Windows\System\OPoYxLS.exe
  C:\Windows\System\OPoYxLS.exe
  2⤵
  PID:9240
- C:\Windows\System\QnPjdRV.exe
  C:\Windows\System\QnPjdRV.exe
  2⤵
  PID:9268
- C:\Windows\System\CSiOsRf.exe
  C:\Windows\System\CSiOsRf.exe
  2⤵
  PID:9296
- C:\Windows\System\GpetJrX.exe
  C:\Windows\System\GpetJrX.exe
  2⤵
  PID:9324
- C:\Windows\System\wwDbueN.exe
  C:\Windows\System\wwDbueN.exe
  2⤵
  PID:9352
- C:\Windows\System\nOXaiml.exe
  C:\Windows\System\nOXaiml.exe
  2⤵
  PID:9380
- C:\Windows\System\gFPoOHF.exe
  C:\Windows\System\gFPoOHF.exe
  2⤵
  PID:9408
- C:\Windows\System\MrsPokF.exe
  C:\Windows\System\MrsPokF.exe
  2⤵
  PID:9440
- C:\Windows\System\nrWhqbt.exe
  C:\Windows\System\nrWhqbt.exe
  2⤵
  PID:9464
- C:\Windows\System\okDDEXm.exe
  C:\Windows\System\okDDEXm.exe
  2⤵
  PID:9492
- C:\Windows\System\FsGCQEE.exe
  C:\Windows\System\FsGCQEE.exe
  2⤵
  PID:9520
- C:\Windows\System\hFjXsGh.exe
  C:\Windows\System\hFjXsGh.exe
  2⤵
  PID:9548
- C:\Windows\System\sAaLvvs.exe
  C:\Windows\System\sAaLvvs.exe
  2⤵
  PID:9576
- C:\Windows\System\gBDDsTX.exe
  C:\Windows\System\gBDDsTX.exe
  2⤵
  PID:9604
- C:\Windows\System\QlfhWVk.exe
  C:\Windows\System\QlfhWVk.exe
  2⤵
  PID:9632
- C:\Windows\System\FmlOilz.exe
  C:\Windows\System\FmlOilz.exe
  2⤵
  PID:9660
- C:\Windows\System\JxhKjZP.exe
  C:\Windows\System\JxhKjZP.exe
  2⤵
  PID:9688
- C:\Windows\System\puXSFRJ.exe
  C:\Windows\System\puXSFRJ.exe
  2⤵
  PID:9716
- C:\Windows\System\NBchRHK.exe
  C:\Windows\System\NBchRHK.exe
  2⤵
  PID:9744
- C:\Windows\System\jUVDijY.exe
  C:\Windows\System\jUVDijY.exe
  2⤵
  PID:9772
- C:\Windows\System\vYLMozo.exe
  C:\Windows\System\vYLMozo.exe
  2⤵
  PID:9800
- C:\Windows\System\PcRSAaz.exe
  C:\Windows\System\PcRSAaz.exe
  2⤵
  PID:9832
- C:\Windows\System\CnPcrtD.exe
  C:\Windows\System\CnPcrtD.exe
  2⤵
  PID:9856
- C:\Windows\System\bSMoBsb.exe
  C:\Windows\System\bSMoBsb.exe
  2⤵
  PID:9884
- C:\Windows\System\FfNeyRQ.exe
  C:\Windows\System\FfNeyRQ.exe
  2⤵
  PID:9912
- C:\Windows\System\aHAeolj.exe
  C:\Windows\System\aHAeolj.exe
  2⤵
  PID:9940
- C:\Windows\System\CVrrgEz.exe
  C:\Windows\System\CVrrgEz.exe
  2⤵
  PID:9968
- C:\Windows\System\IZVqzfN.exe
  C:\Windows\System\IZVqzfN.exe
  2⤵
  PID:9996
- C:\Windows\System\RldPASX.exe
  C:\Windows\System\RldPASX.exe
  2⤵
  PID:10024
- C:\Windows\System\LOhzfRM.exe
  C:\Windows\System\LOhzfRM.exe
  2⤵
  PID:10052
- C:\Windows\System\aTficOd.exe
  C:\Windows\System\aTficOd.exe
  2⤵
  PID:10080
- C:\Windows\System\XzizKFq.exe
  C:\Windows\System\XzizKFq.exe
  2⤵
  PID:10108
- C:\Windows\System\oZimgvc.exe
  C:\Windows\System\oZimgvc.exe
  2⤵
  PID:10136
- C:\Windows\System\IqTfPca.exe
  C:\Windows\System\IqTfPca.exe
  2⤵
  PID:10164
- C:\Windows\System\sCgDavH.exe
  C:\Windows\System\sCgDavH.exe
  2⤵
  PID:10192
- C:\Windows\System\HDjnUZm.exe
  C:\Windows\System\HDjnUZm.exe
  2⤵
  PID:10220
- C:\Windows\System\GjiISbv.exe
  C:\Windows\System\GjiISbv.exe
  2⤵
  PID:9232
- C:\Windows\System\NNQWhHu.exe
  C:\Windows\System\NNQWhHu.exe
  2⤵
  PID:9292
- C:\Windows\System\NgYqOra.exe
  C:\Windows\System\NgYqOra.exe
  2⤵
  PID:9364
- C:\Windows\System\trpZJPu.exe
  C:\Windows\System\trpZJPu.exe
  2⤵
  PID:9404
- C:\Windows\System\UgLYgOA.exe
  C:\Windows\System\UgLYgOA.exe
  2⤵
  PID:9476
- C:\Windows\System\nZgUfXX.exe
  C:\Windows\System\nZgUfXX.exe
  2⤵
  PID:9540
- C:\Windows\System\JuRFfRw.exe
  C:\Windows\System\JuRFfRw.exe
  2⤵
  PID:9600
- C:\Windows\System\UVFQxSi.exe
  C:\Windows\System\UVFQxSi.exe
  2⤵
  PID:9672
- C:\Windows\System\UKbgfsu.exe
  C:\Windows\System\UKbgfsu.exe
  2⤵
  PID:9736
- C:\Windows\System\YQvlWYR.exe
  C:\Windows\System\YQvlWYR.exe
  2⤵
  PID:9796
- C:\Windows\System\btWnfDx.exe
  C:\Windows\System\btWnfDx.exe
  2⤵
  PID:9868
- C:\Windows\System\TbfmhLr.exe
  C:\Windows\System\TbfmhLr.exe
  2⤵
  PID:9952
- C:\Windows\System\aVdTeuP.exe
  C:\Windows\System\aVdTeuP.exe
  2⤵
  PID:9992
- C:\Windows\System\NlRajwp.exe
  C:\Windows\System\NlRajwp.exe
  2⤵
  PID:10064
- C:\Windows\System\CgeAesY.exe
  C:\Windows\System\CgeAesY.exe
  2⤵
  PID:10128
- C:\Windows\System\PqgQIor.exe
  C:\Windows\System\PqgQIor.exe
  2⤵
  PID:4932
- C:\Windows\System\WLNIdzj.exe
  C:\Windows\System\WLNIdzj.exe
  2⤵
  PID:8684
- C:\Windows\System\JJJVWzy.exe
  C:\Windows\System\JJJVWzy.exe
  2⤵
  PID:9348
- C:\Windows\System\jKDMGsF.exe
  C:\Windows\System\jKDMGsF.exe
  2⤵
  PID:9504
- C:\Windows\System\mlxUzZN.exe
  C:\Windows\System\mlxUzZN.exe
  2⤵
  PID:9652
- C:\Windows\System\mgKCMTc.exe
  C:\Windows\System\mgKCMTc.exe
  2⤵
  PID:9792
- C:\Windows\System\pmnVMjE.exe
  C:\Windows\System\pmnVMjE.exe
  2⤵
  PID:9964
- C:\Windows\System\goyupul.exe
  C:\Windows\System\goyupul.exe
  2⤵
  PID:10104
- C:\Windows\System\dPAefgO.exe
  C:\Windows\System\dPAefgO.exe
  2⤵
  PID:10232
- C:\Windows\System\UYTgEMB.exe
  C:\Windows\System\UYTgEMB.exe
  2⤵
  PID:9568
- C:\Windows\System\hwvAjqy.exe
  C:\Windows\System\hwvAjqy.exe
  2⤵
  PID:9908
- C:\Windows\System\ecEFjSN.exe
  C:\Windows\System\ecEFjSN.exe
  2⤵
  PID:10216
- C:\Windows\System\kahZpwS.exe
  C:\Windows\System\kahZpwS.exe
  2⤵
  PID:10048
- C:\Windows\System\SIGDjju.exe
  C:\Windows\System\SIGDjju.exe
  2⤵
  PID:10252
- C:\Windows\System\xTXTOZP.exe
  C:\Windows\System\xTXTOZP.exe
  2⤵
  PID:10268
- C:\Windows\System\rABkeOy.exe
  C:\Windows\System\rABkeOy.exe
  2⤵
  PID:10296
- C:\Windows\System\kkjgQdN.exe
  C:\Windows\System\kkjgQdN.exe
  2⤵
  PID:10324
- C:\Windows\System\YbQIyww.exe
  C:\Windows\System\YbQIyww.exe
  2⤵
  PID:10352
- C:\Windows\System\HBAGluf.exe
  C:\Windows\System\HBAGluf.exe
  2⤵
  PID:10380
- C:\Windows\System\RiPjYFd.exe
  C:\Windows\System\RiPjYFd.exe
  2⤵
  PID:10408
- C:\Windows\System\JcoeEdZ.exe
  C:\Windows\System\JcoeEdZ.exe
  2⤵
  PID:10436
- C:\Windows\System\mOFqzsA.exe
  C:\Windows\System\mOFqzsA.exe
  2⤵
  PID:10464
- C:\Windows\System\gRimhol.exe
  C:\Windows\System\gRimhol.exe
  2⤵
  PID:10492
- C:\Windows\System\kenQtPA.exe
  C:\Windows\System\kenQtPA.exe
  2⤵
  PID:10520
- C:\Windows\System\tEVOirO.exe
  C:\Windows\System\tEVOirO.exe
  2⤵
  PID:10548
- C:\Windows\System\PTnJnjt.exe
  C:\Windows\System\PTnJnjt.exe
  2⤵
  PID:10576
- C:\Windows\System\udgPFwX.exe
  C:\Windows\System\udgPFwX.exe
  2⤵
  PID:10604
- C:\Windows\System\UYLiDtL.exe
  C:\Windows\System\UYLiDtL.exe
  2⤵
  PID:10632
- C:\Windows\System\nIGEyep.exe
  C:\Windows\System\nIGEyep.exe
  2⤵
  PID:10660
- C:\Windows\System\yfTEOBM.exe
  C:\Windows\System\yfTEOBM.exe
  2⤵
  PID:10688
- C:\Windows\System\DhQAknA.exe
  C:\Windows\System\DhQAknA.exe
  2⤵
  PID:10716
- C:\Windows\System\xlFeLkg.exe
  C:\Windows\System\xlFeLkg.exe
  2⤵
  PID:10744
- C:\Windows\System\MOMAVHJ.exe
  C:\Windows\System\MOMAVHJ.exe
  2⤵
  PID:10772
- C:\Windows\System\jWvSNeT.exe
  C:\Windows\System\jWvSNeT.exe
  2⤵
  PID:10800
- C:\Windows\System\FMahUxq.exe
  C:\Windows\System\FMahUxq.exe
  2⤵
  PID:10828
- C:\Windows\System\tmbsnjY.exe
  C:\Windows\System\tmbsnjY.exe
  2⤵
  PID:10856
- C:\Windows\System\BeNBDHU.exe
  C:\Windows\System\BeNBDHU.exe
  2⤵
  PID:10884
- C:\Windows\System\usFbZbg.exe
  C:\Windows\System\usFbZbg.exe
  2⤵
  PID:10912
- C:\Windows\System\oslkAxA.exe
  C:\Windows\System\oslkAxA.exe
  2⤵
  PID:10940
- C:\Windows\System\QcKExLx.exe
  C:\Windows\System\QcKExLx.exe
  2⤵
  PID:10968
- C:\Windows\System\DekVblf.exe
  C:\Windows\System\DekVblf.exe
  2⤵
  PID:10996
- C:\Windows\System\uwTjixp.exe
  C:\Windows\System\uwTjixp.exe
  2⤵
  PID:11024
- C:\Windows\System\jZXzSyi.exe
  C:\Windows\System\jZXzSyi.exe
  2⤵
  PID:11052
- C:\Windows\System\XsviDFJ.exe
  C:\Windows\System\XsviDFJ.exe
  2⤵
  PID:11080
- C:\Windows\System\ZYWuILN.exe
  C:\Windows\System\ZYWuILN.exe
  2⤵
  PID:11108
- C:\Windows\System\ciiSelf.exe
  C:\Windows\System\ciiSelf.exe
  2⤵
  PID:11136
- C:\Windows\System\FiuVKWI.exe
  C:\Windows\System\FiuVKWI.exe
  2⤵
  PID:11164
- C:\Windows\System\myJuLqi.exe
  C:\Windows\System\myJuLqi.exe
  2⤵
  PID:11192
- C:\Windows\System\NieocUI.exe
  C:\Windows\System\NieocUI.exe
  2⤵
  PID:11220
- C:\Windows\System\gdMYCdE.exe
  C:\Windows\System\gdMYCdE.exe
  2⤵
  PID:11248
- C:\Windows\System\tdUfQcv.exe
  C:\Windows\System\tdUfQcv.exe
  2⤵
  PID:10264
- C:\Windows\System\wcDYPVn.exe
  C:\Windows\System\wcDYPVn.exe
  2⤵
  PID:10336
- C:\Windows\System\zNIbeiS.exe
  C:\Windows\System\zNIbeiS.exe
  2⤵
  PID:10400
- C:\Windows\System\FxifAfU.exe
  C:\Windows\System\FxifAfU.exe
  2⤵
  PID:10460
- C:\Windows\System\dNgLAMc.exe
  C:\Windows\System\dNgLAMc.exe
  2⤵
  PID:10532
- C:\Windows\System\DIYGcxi.exe
  C:\Windows\System\DIYGcxi.exe
  2⤵
  PID:10596
- C:\Windows\System\aOHRmvM.exe
  C:\Windows\System\aOHRmvM.exe
  2⤵
  PID:10656
- C:\Windows\System\ffjcdLI.exe
  C:\Windows\System\ffjcdLI.exe
  2⤵
  PID:10736
- C:\Windows\System\lHBECEW.exe
  C:\Windows\System\lHBECEW.exe
  2⤵
  PID:10792
- C:\Windows\System\PZVJGEz.exe
  C:\Windows\System\PZVJGEz.exe
  2⤵
  PID:10868
- C:\Windows\System\sEpwaMg.exe
  C:\Windows\System\sEpwaMg.exe
  2⤵
  PID:10932
- C:\Windows\System\LrhCBnS.exe
  C:\Windows\System\LrhCBnS.exe
  2⤵
  PID:10992
- C:\Windows\System\jKJqQVN.exe
  C:\Windows\System\jKJqQVN.exe
  2⤵
  PID:11064
- C:\Windows\System\yGqPmwy.exe
  C:\Windows\System\yGqPmwy.exe
  2⤵
  PID:11128
- C:\Windows\System\XAqCEyY.exe
  C:\Windows\System\XAqCEyY.exe
  2⤵
  PID:11188
- C:\Windows\System\xYjWSGo.exe
  C:\Windows\System\xYjWSGo.exe
  2⤵
  PID:11260
- C:\Windows\System\KCdGngX.exe
  C:\Windows\System\KCdGngX.exe
  2⤵
  PID:10376
- C:\Windows\System\AgPKyHs.exe
  C:\Windows\System\AgPKyHs.exe
  2⤵
  PID:10516
- C:\Windows\System\NLhQjjS.exe
  C:\Windows\System\NLhQjjS.exe
  2⤵
  PID:10684
- C:\Windows\System\tneuyUq.exe
  C:\Windows\System\tneuyUq.exe
  2⤵
  PID:10820
- C:\Windows\System\SoBfAwM.exe
  C:\Windows\System\SoBfAwM.exe
  2⤵
  PID:10960
- C:\Windows\System\JrWzaeC.exe
  C:\Windows\System\JrWzaeC.exe
  2⤵
  PID:11048
- C:\Windows\System\hakYumy.exe
  C:\Windows\System\hakYumy.exe
  2⤵
  PID:11244
- C:\Windows\System\xlMOQps.exe
  C:\Windows\System\xlMOQps.exe
  2⤵
  PID:10588
- C:\Windows\System\ohdIFvJ.exe
  C:\Windows\System\ohdIFvJ.exe
  2⤵
  PID:10988
- C:\Windows\System\Idqanbs.exe
  C:\Windows\System\Idqanbs.exe
  2⤵
  PID:11240
- C:\Windows\System\iyaDbvX.exe
  C:\Windows\System\iyaDbvX.exe
  2⤵
  PID:10512
- C:\Windows\System\iFoECRk.exe
  C:\Windows\System\iFoECRk.exe
  2⤵
  PID:4136
- C:\Windows\System\qpRTDyy.exe
  C:\Windows\System\qpRTDyy.exe
  2⤵
  PID:11280
- C:\Windows\System\tOKlkcm.exe
  C:\Windows\System\tOKlkcm.exe
  2⤵
  PID:11308
- C:\Windows\System\JAVKBTC.exe
  C:\Windows\System\JAVKBTC.exe
  2⤵
  PID:11336
- C:\Windows\System\sZIhhKU.exe
  C:\Windows\System\sZIhhKU.exe
  2⤵
  PID:11364
- C:\Windows\System\bpSLdlf.exe
  C:\Windows\System\bpSLdlf.exe
  2⤵
  PID:11392
- C:\Windows\System\ZFWoISA.exe
  C:\Windows\System\ZFWoISA.exe
  2⤵
  PID:11420
- C:\Windows\System\gcSCbzl.exe
  C:\Windows\System\gcSCbzl.exe
  2⤵
  PID:11448
- C:\Windows\System\pSQsWRB.exe
  C:\Windows\System\pSQsWRB.exe
  2⤵
  PID:11476
- C:\Windows\System\pBHNZOZ.exe
  C:\Windows\System\pBHNZOZ.exe
  2⤵
  PID:11504
- C:\Windows\System\NvfBnYg.exe
  C:\Windows\System\NvfBnYg.exe
  2⤵
  PID:11532
- C:\Windows\System\JTneFox.exe
  C:\Windows\System\JTneFox.exe
  2⤵
  PID:11560
- C:\Windows\System\YRfsfdO.exe
  C:\Windows\System\YRfsfdO.exe
  2⤵
  PID:11588
- C:\Windows\System\wqZhYDq.exe
  C:\Windows\System\wqZhYDq.exe
  2⤵
  PID:11616
- C:\Windows\System\QtgcKIB.exe
  C:\Windows\System\QtgcKIB.exe
  2⤵
  PID:11644
- C:\Windows\System\mMNSPwg.exe
  C:\Windows\System\mMNSPwg.exe
  2⤵
  PID:11672
- C:\Windows\System\nFFdXzH.exe
  C:\Windows\System\nFFdXzH.exe
  2⤵
  PID:11700
- C:\Windows\System\uLjuXyE.exe
  C:\Windows\System\uLjuXyE.exe
  2⤵
  PID:11728
- C:\Windows\System\bRtjlbP.exe
  C:\Windows\System\bRtjlbP.exe
  2⤵
  PID:11756
- C:\Windows\System\cRtgZyk.exe
  C:\Windows\System\cRtgZyk.exe
  2⤵
  PID:11784
- C:\Windows\System\AfTcdpv.exe
  C:\Windows\System\AfTcdpv.exe
  2⤵
  PID:11812
- C:\Windows\System\BBoLNAL.exe
  C:\Windows\System\BBoLNAL.exe
  2⤵
  PID:11840
- C:\Windows\System\UjsdBWV.exe
  C:\Windows\System\UjsdBWV.exe
  2⤵
  PID:11868
- C:\Windows\System\hOovEAV.exe
  C:\Windows\System\hOovEAV.exe
  2⤵
  PID:11896
- C:\Windows\System\XmeaqwP.exe
  C:\Windows\System\XmeaqwP.exe
  2⤵
  PID:11924
- C:\Windows\System\YRYmrDf.exe
  C:\Windows\System\YRYmrDf.exe
  2⤵
  PID:11952
- C:\Windows\System\DxXENjj.exe
  C:\Windows\System\DxXENjj.exe
  2⤵
  PID:11980
- C:\Windows\System\IsvXtrp.exe
  C:\Windows\System\IsvXtrp.exe
  2⤵
  PID:12008
- C:\Windows\System\QmDwEtE.exe
  C:\Windows\System\QmDwEtE.exe
  2⤵
  PID:12036
- C:\Windows\System\rAWWnOC.exe
  C:\Windows\System\rAWWnOC.exe
  2⤵
  PID:12064
- C:\Windows\System\YOQcvoP.exe
  C:\Windows\System\YOQcvoP.exe
  2⤵
  PID:12092
- C:\Windows\System\xDBNZrA.exe
  C:\Windows\System\xDBNZrA.exe
  2⤵
  PID:12120
- C:\Windows\System\IYWIOtV.exe
  C:\Windows\System\IYWIOtV.exe
  2⤵
  PID:12148
- C:\Windows\System\UCcHpWn.exe
  C:\Windows\System\UCcHpWn.exe
  2⤵
  PID:12176
- C:\Windows\System\ZdOtOXW.exe
  C:\Windows\System\ZdOtOXW.exe
  2⤵
  PID:12204
- C:\Windows\System\aWviWPU.exe
  C:\Windows\System\aWviWPU.exe
  2⤵
  PID:12232
- C:\Windows\System\kLlqpTm.exe
  C:\Windows\System\kLlqpTm.exe
  2⤵
  PID:12260
- C:\Windows\System\BRMyhxj.exe
  C:\Windows\System\BRMyhxj.exe
  2⤵
  PID:10924
- C:\Windows\System\WVsEVib.exe
  C:\Windows\System\WVsEVib.exe
  2⤵
  PID:11304
- C:\Windows\System\SmaMHba.exe
  C:\Windows\System\SmaMHba.exe
  2⤵
  PID:11376
- C:\Windows\System\ujOBySX.exe
  C:\Windows\System\ujOBySX.exe
  2⤵
  PID:11440
- C:\Windows\System\VhjiIiH.exe
  C:\Windows\System\VhjiIiH.exe
  2⤵
  PID:11500
- C:\Windows\System\HERchvx.exe
  C:\Windows\System\HERchvx.exe
  2⤵
  PID:11572
- C:\Windows\System\kMWVoTZ.exe
  C:\Windows\System\kMWVoTZ.exe
  2⤵
  PID:11636
- C:\Windows\System\dXOUewK.exe
  C:\Windows\System\dXOUewK.exe
  2⤵
  PID:11696
- C:\Windows\System\BibmTDG.exe
  C:\Windows\System\BibmTDG.exe
  2⤵
  PID:11768
- C:\Windows\System\bmQwmZE.exe
  C:\Windows\System\bmQwmZE.exe
  2⤵
  PID:11832
- C:\Windows\System\SUGhSjJ.exe
  C:\Windows\System\SUGhSjJ.exe
  2⤵
  PID:11892
- C:\Windows\System\YmaQnLJ.exe
  C:\Windows\System\YmaQnLJ.exe
  2⤵
  PID:11964
- C:\Windows\System\LifiMGd.exe
  C:\Windows\System\LifiMGd.exe
  2⤵
  PID:12028
- C:\Windows\System\lQtjOtN.exe
  C:\Windows\System\lQtjOtN.exe
  2⤵
  PID:12088
- C:\Windows\System\HkQSsvT.exe
  C:\Windows\System\HkQSsvT.exe
  2⤵
  PID:12160
- C:\Windows\System\tFAoqOT.exe
  C:\Windows\System\tFAoqOT.exe
  2⤵
  PID:12224
- C:\Windows\System\bXREiVc.exe
  C:\Windows\System\bXREiVc.exe
  2⤵
  PID:12284
- C:\Windows\System\EvZzjwO.exe
  C:\Windows\System\EvZzjwO.exe
  2⤵
  PID:11404
- C:\Windows\System\GUTfKeD.exe
  C:\Windows\System\GUTfKeD.exe
  2⤵
  PID:11552
- C:\Windows\System\cYTsOVL.exe
  C:\Windows\System\cYTsOVL.exe
  2⤵
  PID:11752
- C:\Windows\System\NQaFztg.exe
  C:\Windows\System\NQaFztg.exe
  2⤵
  PID:11860
- C:\Windows\System\fApYyiT.exe
  C:\Windows\System\fApYyiT.exe
  2⤵
  PID:11992
- C:\Windows\System\hvzwzvk.exe
  C:\Windows\System\hvzwzvk.exe
  2⤵
  PID:12140
- C:\Windows\System\ghjYfMr.exe
  C:\Windows\System\ghjYfMr.exe
  2⤵
  PID:12280
- C:\Windows\System\xfcypLO.exe
  C:\Windows\System\xfcypLO.exe
  2⤵
  PID:11612
- C:\Windows\System\cXRxEMK.exe
  C:\Windows\System\cXRxEMK.exe
  2⤵
  PID:11944
- C:\Windows\System\gZjaUfM.exe
  C:\Windows\System\gZjaUfM.exe
  2⤵
  PID:12272
- C:\Windows\System\ZLIfzvV.exe
  C:\Windows\System\ZLIfzvV.exe
  2⤵
  PID:12084
- C:\Windows\System\aaGocEx.exe
  C:\Windows\System\aaGocEx.exe
  2⤵
  PID:11888
- C:\Windows\System\NvpHWvK.exe
  C:\Windows\System\NvpHWvK.exe
  2⤵
  PID:12316
- C:\Windows\System\mVPWbnC.exe
  C:\Windows\System\mVPWbnC.exe
  2⤵
  PID:12344
- C:\Windows\System\nbCCQVU.exe
  C:\Windows\System\nbCCQVU.exe
  2⤵
  PID:12372
- C:\Windows\System\zitHyvK.exe
  C:\Windows\System\zitHyvK.exe
  2⤵
  PID:12400
- C:\Windows\System\WgzfafF.exe
  C:\Windows\System\WgzfafF.exe
  2⤵
  PID:12428
- C:\Windows\System\oekxSmR.exe
  C:\Windows\System\oekxSmR.exe
  2⤵
  PID:12456
- C:\Windows\System\sPsNKIB.exe
  C:\Windows\System\sPsNKIB.exe
  2⤵
  PID:12484
- C:\Windows\System\QEzQlpy.exe
  C:\Windows\System\QEzQlpy.exe
  2⤵
  PID:12512
- C:\Windows\System\ofhHUmx.exe
  C:\Windows\System\ofhHUmx.exe
  2⤵
  PID:12540
- C:\Windows\System\VAOhqIw.exe
  C:\Windows\System\VAOhqIw.exe
  2⤵
  PID:12568
- C:\Windows\System\qvFqmsR.exe
  C:\Windows\System\qvFqmsR.exe
  2⤵
  PID:12596
- C:\Windows\System\qUAxgSj.exe
  C:\Windows\System\qUAxgSj.exe
  2⤵
  PID:12624
- C:\Windows\System\cWlVbyx.exe
  C:\Windows\System\cWlVbyx.exe
  2⤵
  PID:12652
- C:\Windows\System\nIrnPcH.exe
  C:\Windows\System\nIrnPcH.exe
  2⤵
  PID:12680
- C:\Windows\System\DpxLxJk.exe
  C:\Windows\System\DpxLxJk.exe
  2⤵
  PID:12708
- C:\Windows\System\OhBxpeh.exe
  C:\Windows\System\OhBxpeh.exe
  2⤵
  PID:12736
- C:\Windows\System\WnrNjKy.exe
  C:\Windows\System\WnrNjKy.exe
  2⤵
  PID:12764
- C:\Windows\System\gddtbUP.exe
  C:\Windows\System\gddtbUP.exe
  2⤵
  PID:12792
- C:\Windows\System\XjxCFSD.exe
  C:\Windows\System\XjxCFSD.exe
  2⤵
  PID:12820
- C:\Windows\System\agbeMai.exe
  C:\Windows\System\agbeMai.exe
  2⤵
  PID:12848
- C:\Windows\System\aBWlVnk.exe
  C:\Windows\System\aBWlVnk.exe
  2⤵
  PID:12876
- C:\Windows\System\nAywMVW.exe
  C:\Windows\System\nAywMVW.exe
  2⤵
  PID:12904
- C:\Windows\System\IlbQtER.exe
  C:\Windows\System\IlbQtER.exe
  2⤵
  PID:12932
- C:\Windows\System\ZlKkyVl.exe
  C:\Windows\System\ZlKkyVl.exe
  2⤵
  PID:12960
- C:\Windows\System\oOnNhkv.exe
  C:\Windows\System\oOnNhkv.exe
  2⤵
  PID:12988
- C:\Windows\System\qbzuJPZ.exe
  C:\Windows\System\qbzuJPZ.exe
  2⤵
  PID:13016
- C:\Windows\System\nUqIFiQ.exe
  C:\Windows\System\nUqIFiQ.exe
  2⤵
  PID:13044
- C:\Windows\System\bdhTyGR.exe
  C:\Windows\System\bdhTyGR.exe
  2⤵
  PID:13080
- C:\Windows\System\oZmUaig.exe
  C:\Windows\System\oZmUaig.exe
  2⤵
  PID:13116
- C:\Windows\System\fOLHKjT.exe
  C:\Windows\System\fOLHKjT.exe
  2⤵
  PID:13144
- C:\Windows\System\bjApIAF.exe
  C:\Windows\System\bjApIAF.exe
  2⤵
  PID:13180
- C:\Windows\System\MNUNPeP.exe
  C:\Windows\System\MNUNPeP.exe
  2⤵
  PID:13208
- C:\Windows\System\dIdRWtX.exe
  C:\Windows\System\dIdRWtX.exe
  2⤵
  PID:13228
- C:\Windows\System\qwHThiv.exe
  C:\Windows\System\qwHThiv.exe
  2⤵
  PID:13276
- C:\Windows\System\NsFzMPN.exe
  C:\Windows\System\NsFzMPN.exe
  2⤵
  PID:13308
- C:\Windows\System\grJjQoV.exe
  C:\Windows\System\grJjQoV.exe
  2⤵
  PID:12356
- C:\Windows\System\AbYGhyu.exe
  C:\Windows\System\AbYGhyu.exe
  2⤵
  PID:12368
- C:\Windows\System\IjjyMIX.exe
  C:\Windows\System\IjjyMIX.exe
  2⤵
  PID:12420
- C:\Windows\System\SPepRCI.exe
  C:\Windows\System\SPepRCI.exe
  2⤵
  PID:12452
- C:\Windows\System\njEVQOe.exe
  C:\Windows\System\njEVQOe.exe
  2⤵
  PID:12580
- C:\Windows\System\lMgeKld.exe
  C:\Windows\System\lMgeKld.exe
  2⤵
  PID:12704
- C:\Windows\System\ZMVLIax.exe
  C:\Windows\System\ZMVLIax.exe
  2⤵
  PID:12776
- C:\Windows\System\YuHhfhw.exe
  C:\Windows\System\YuHhfhw.exe
  2⤵
  PID:12840
- C:\Windows\System\UvJxOpU.exe
  C:\Windows\System\UvJxOpU.exe
  2⤵
  PID:12900
- C:\Windows\System\GxXevks.exe
  C:\Windows\System\GxXevks.exe
  2⤵
  PID:12972
- C:\Windows\System\KQpLOfj.exe
  C:\Windows\System\KQpLOfj.exe
  2⤵
  PID:13036
- C:\Windows\System\MWssKza.exe
  C:\Windows\System\MWssKza.exe
  2⤵
  PID:13068
- C:\Windows\System\chcKFxG.exe
  C:\Windows\System\chcKFxG.exe
  2⤵
  PID:4552
- C:\Windows\System\porKinx.exe
  C:\Windows\System\porKinx.exe
  2⤵
  PID:3464
- C:\Windows\System\PJPIDDB.exe
  C:\Windows\System\PJPIDDB.exe
  2⤵
  PID:2888
- C:\Windows\System\WRvmuIB.exe
  C:\Windows\System\WRvmuIB.exe
  2⤵
  PID:13128
- C:\Windows\System\rqWViUP.exe
  C:\Windows\System\rqWViUP.exe
  2⤵
  PID:1580
- C:\Windows\System\VvLullW.exe
  C:\Windows\System\VvLullW.exe
  2⤵
  PID:13176
- C:\Windows\System\FQxHgdy.exe
  C:\Windows\System\FQxHgdy.exe
  2⤵
  PID:2548
- C:\Windows\System\ixQhkhC.exe
  C:\Windows\System\ixQhkhC.exe
  2⤵
  PID:13168
- C:\Windows\System\VwZbGYa.exe
  C:\Windows\System\VwZbGYa.exe
  2⤵
  PID:4636
- C:\Windows\System\bMCJRcI.exe
  C:\Windows\System\bMCJRcI.exe
  2⤵
  PID:1456
- C:\Windows\System\cRwnhji.exe
  C:\Windows\System\cRwnhji.exe
  2⤵
  PID:2988
- C:\Windows\System\popvWHL.exe
  C:\Windows\System\popvWHL.exe
  2⤵
  PID:13296
- C:\Windows\System\PuoWeWe.exe
  C:\Windows\System\PuoWeWe.exe
  2⤵
  PID:4648
- C:\Windows\System\tbpuzbO.exe
  C:\Windows\System\tbpuzbO.exe
  2⤵
  PID:12560
- C:\Windows\System\domFJEq.exe
  C:\Windows\System\domFJEq.exe
  2⤵
  PID:13288
- C:\Windows\System\szLpaEN.exe
  C:\Windows\System\szLpaEN.exe
  2⤵
  PID:12756
- C:\Windows\System\DbGEUvF.exe
  C:\Windows\System\DbGEUvF.exe
  2⤵
  PID:12896
- C:\Windows\System\iTwZnMj.exe
  C:\Windows\System\iTwZnMj.exe
  2⤵
  PID:952
- C:\Windows\System\mHLfjzw.exe
  C:\Windows\System\mHLfjzw.exe
  2⤵
  PID:13092
- C:\Windows\System\DLbrzCx.exe
  C:\Windows\System\DLbrzCx.exe
  2⤵
  PID:5072
- C:\Windows\System\OsUlmhE.exe
  C:\Windows\System\OsUlmhE.exe
  2⤵
  PID:13196
- C:\Windows\System\ycMsRSR.exe
  C:\Windows\System\ycMsRSR.exe
  2⤵
  PID:4600
- C:\Windows\System\mkURxaG.exe
  C:\Windows\System\mkURxaG.exe
  2⤵
  PID:4436
- C:\Windows\System\CJQwgrs.exe
  C:\Windows\System\CJQwgrs.exe
  2⤵
  PID:12412
- C:\Windows\System\giCfpdz.exe
  C:\Windows\System\giCfpdz.exe
  2⤵
  PID:12700
- C:\Windows\System\VrGJohj.exe
  C:\Windows\System\VrGJohj.exe
  2⤵
  PID:13028
- C:\Windows\System\wyyeRWt.exe
  C:\Windows\System\wyyeRWt.exe
  2⤵
  PID:3220
- C:\Windows\System\aLtNdXE.exe
  C:\Windows\System\aLtNdXE.exe
  2⤵
  PID:13300
- C:\Windows\System\XULkqQf.exe
  C:\Windows\System\XULkqQf.exe
  2⤵
  PID:13292
- C:\Windows\System\rZTXWro.exe
  C:\Windows\System\rZTXWro.exe
  2⤵
  PID:2308
- C:\Windows\System\GrYdGEP.exe
  C:\Windows\System\GrYdGEP.exe
  2⤵
  PID:3436
- C:\Windows\System\bqcAdJU.exe
  C:\Windows\System\bqcAdJU.exe
  2⤵
  PID:13320
- C:\Windows\System\ZNRzzEK.exe
  C:\Windows\System\ZNRzzEK.exe
  2⤵
  PID:13348
- C:\Windows\System\nNsXsPW.exe
  C:\Windows\System\nNsXsPW.exe
  2⤵
  PID:13376
- C:\Windows\System\rzbkeyw.exe
  C:\Windows\System\rzbkeyw.exe
  2⤵
  PID:13404
- C:\Windows\System\bCCRIcx.exe
  C:\Windows\System\bCCRIcx.exe
  2⤵
  PID:13432
- C:\Windows\System\ubKsxnN.exe
  C:\Windows\System\ubKsxnN.exe
  2⤵
  PID:13460
- C:\Windows\System\YHsKbPN.exe
  C:\Windows\System\YHsKbPN.exe
  2⤵
  PID:13500
- C:\Windows\System\uKbqxXt.exe
  C:\Windows\System\uKbqxXt.exe
  2⤵
  PID:13516
- C:\Windows\System\ghwvhDt.exe
  C:\Windows\System\ghwvhDt.exe
  2⤵
  PID:13544
- C:\Windows\System\EISKtQt.exe
  C:\Windows\System\EISKtQt.exe
  2⤵
  PID:13572
- C:\Windows\System\HapugCP.exe
  C:\Windows\System\HapugCP.exe
  2⤵
  PID:13600
- C:\Windows\System\bbAbyTz.exe
  C:\Windows\System\bbAbyTz.exe
  2⤵
  PID:13628
- C:\Windows\System\tArNigU.exe
  C:\Windows\System\tArNigU.exe
  2⤵
  PID:13656
- C:\Windows\System\KHxmqhe.exe
  C:\Windows\System\KHxmqhe.exe
  2⤵
  PID:13684
- C:\Windows\System\ZVALKfg.exe
  C:\Windows\System\ZVALKfg.exe
  2⤵
  PID:13712
- C:\Windows\System\CHPyPBL.exe
  C:\Windows\System\CHPyPBL.exe
  2⤵
  PID:13740
- C:\Windows\System\ODiXvvs.exe
  C:\Windows\System\ODiXvvs.exe
  2⤵
  PID:13768
- C:\Windows\System\izjclgP.exe
  C:\Windows\System\izjclgP.exe
  2⤵
  PID:13796
- C:\Windows\System\UBulxcI.exe
  C:\Windows\System\UBulxcI.exe
  2⤵
  PID:13824
- C:\Windows\System\bTRKBvZ.exe
  C:\Windows\System\bTRKBvZ.exe
  2⤵
  PID:13852
- C:\Windows\System\kwosWMk.exe
  C:\Windows\System\kwosWMk.exe
  2⤵
  PID:13880
- C:\Windows\System\XVmGcnq.exe
  C:\Windows\System\XVmGcnq.exe
  2⤵
  PID:13908
- C:\Windows\System\OOmXzhj.exe
  C:\Windows\System\OOmXzhj.exe
  2⤵
  PID:13936
- C:\Windows\System\ySKzUrw.exe
  C:\Windows\System\ySKzUrw.exe
  2⤵
  PID:13964
- C:\Windows\System\aXvPJcE.exe
  C:\Windows\System\aXvPJcE.exe
  2⤵
  PID:13992
- C:\Windows\System\iRcgsGO.exe
  C:\Windows\System\iRcgsGO.exe
  2⤵
  PID:14020
- C:\Windows\System\sjewygx.exe
  C:\Windows\System\sjewygx.exe
  2⤵
  PID:14048
- C:\Windows\System\GYZTSxH.exe
  C:\Windows\System\GYZTSxH.exe
  2⤵
  PID:14076
- C:\Windows\System\Bkbdcrz.exe
  C:\Windows\System\Bkbdcrz.exe
  2⤵
  PID:14104
- C:\Windows\System\rlNHzzl.exe
  C:\Windows\System\rlNHzzl.exe
  2⤵
  PID:14132
- C:\Windows\System\dEwNzzC.exe
  C:\Windows\System\dEwNzzC.exe
  2⤵
  PID:14160
- C:\Windows\System\kyPFZIp.exe
  C:\Windows\System\kyPFZIp.exe
  2⤵
  PID:14188
- C:\Windows\System\vwaOjdt.exe
  C:\Windows\System\vwaOjdt.exe
  2⤵
  PID:14216
- C:\Windows\System\AKMbtpI.exe
  C:\Windows\System\AKMbtpI.exe
  2⤵
  PID:14244
- C:\Windows\System\zPXexDq.exe
  C:\Windows\System\zPXexDq.exe
  2⤵
  PID:14272
- C:\Windows\System\eHbFDeZ.exe
  C:\Windows\System\eHbFDeZ.exe
  2⤵
  PID:14304
- C:\Windows\System\pwBJhiZ.exe
  C:\Windows\System\pwBJhiZ.exe
  2⤵
  PID:14332
- C:\Windows\System\DOcHXPM.exe
  C:\Windows\System\DOcHXPM.exe
  2⤵
  PID:13368
- C:\Windows\System\YFlmlxp.exe
  C:\Windows\System\YFlmlxp.exe
  2⤵
  PID:13456
- C:\Windows\System\ZrJHKGE.exe
  C:\Windows\System\ZrJHKGE.exe
  2⤵
  PID:13484
- C:\Windows\System\kAbjPQv.exe
  C:\Windows\System\kAbjPQv.exe
  2⤵
  PID:13564
- C:\Windows\System\imWJUkD.exe
  C:\Windows\System\imWJUkD.exe
  2⤵
  PID:13624
- C:\Windows\System\pYCetbK.exe
  C:\Windows\System\pYCetbK.exe
  2⤵
  PID:13696
- C:\Windows\System\foZrBHG.exe
  C:\Windows\System\foZrBHG.exe
  2⤵
  PID:13760
- C:\Windows\System\HuOdccn.exe
  C:\Windows\System\HuOdccn.exe
  2⤵
  PID:13820
- C:\Windows\System\UntMhBt.exe
  C:\Windows\System\UntMhBt.exe
  2⤵
  PID:13892
- C:\Windows\System\IsuRwCJ.exe
  C:\Windows\System\IsuRwCJ.exe
  2⤵
  PID:13956
- C:\Windows\System\jdbsdKo.exe
  C:\Windows\System\jdbsdKo.exe
  2⤵
  PID:14016
- C:\Windows\System\jIgMyUn.exe
  C:\Windows\System\jIgMyUn.exe
  2⤵
  PID:14088
- C:\Windows\System\tDQJwbG.exe
  C:\Windows\System\tDQJwbG.exe
  2⤵
  PID:14152
- C:\Windows\System\JSROgmZ.exe
  C:\Windows\System\JSROgmZ.exe
  2⤵
  PID:14212
- C:\Windows\System\PWGXIet.exe
  C:\Windows\System\PWGXIet.exe
  2⤵
  PID:14284
- C:\Windows\System\gXrphfv.exe
  C:\Windows\System\gXrphfv.exe
  2⤵
  PID:2692
- C:\Windows\System\JDABPZk.exe
  C:\Windows\System\JDABPZk.exe
  2⤵
  PID:14328
- C:\Windows\System\GuGHpFL.exe
  C:\Windows\System\GuGHpFL.exe
  2⤵
  PID:13424
- C:\Windows\System\ZZWZznc.exe
  C:\Windows\System\ZZWZznc.exe
  2⤵
  PID:13612
- C:\Windows\System\MoOJkwx.exe
  C:\Windows\System\MoOJkwx.exe
  2⤵
  PID:13752
- C:\Windows\System\WAPfhKR.exe
  C:\Windows\System\WAPfhKR.exe
  2⤵
  PID:13920
- C:\Windows\System\HFdHopJ.exe
  C:\Windows\System\HFdHopJ.exe
  2⤵
  PID:14068
- C:\Windows\System\TNyRmco.exe
  C:\Windows\System\TNyRmco.exe
  2⤵
  PID:14208
- C:\Windows\System\gjpXAUb.exe
  C:\Windows\System\gjpXAUb.exe
  2⤵
  PID:14296
- C:\Windows\System\oIGRlhd.exe
  C:\Windows\System\oIGRlhd.exe
  2⤵
  PID:13556
- C:\Windows\System\iRJkGEK.exe
  C:\Windows\System\iRJkGEK.exe
  2⤵
  PID:13876
- C:\Windows\System\nFnrOKU.exe
  C:\Windows\System\nFnrOKU.exe
  2⤵
  PID:14268
- C:\Windows\System\yApDHZj.exe
  C:\Windows\System\yApDHZj.exe
  2⤵
  PID:13816
- C:\Windows\System\tdYCJys.exe
  C:\Windows\System\tdYCJys.exe
  2⤵
  PID:13724
- C:\Windows\System\RaYRxBf.exe
  C:\Windows\System\RaYRxBf.exe
  2⤵
  PID:14352
- C:\Windows\System\yFZivun.exe
  C:\Windows\System\yFZivun.exe
  2⤵
  PID:14380
- C:\Windows\System\NNxzofz.exe
  C:\Windows\System\NNxzofz.exe
  2⤵
  PID:14408
- C:\Windows\System\dbmnsMN.exe
  C:\Windows\System\dbmnsMN.exe
  2⤵
  PID:14456
- C:\Windows\System\CzPiiqR.exe
  C:\Windows\System\CzPiiqR.exe
  2⤵
  PID:14484
- C:\Windows\System\fXuEVjA.exe
  C:\Windows\System\fXuEVjA.exe
  2⤵
  PID:14512
- C:\Windows\System\rSPMHys.exe
  C:\Windows\System\rSPMHys.exe
  2⤵
  PID:14540
- C:\Windows\System\UmFJnxJ.exe
  C:\Windows\System\UmFJnxJ.exe
  2⤵
  PID:14568
- C:\Windows\System\sBfYrKL.exe
  C:\Windows\System\sBfYrKL.exe
  2⤵
  PID:14596
- C:\Windows\System\chJvJGx.exe
  C:\Windows\System\chJvJGx.exe
  2⤵
  PID:14624
- C:\Windows\System\ckDdajo.exe
  C:\Windows\System\ckDdajo.exe
  2⤵
  PID:14652
- C:\Windows\System\NSiLAPe.exe
  C:\Windows\System\NSiLAPe.exe
  2⤵
  PID:14680
- C:\Windows\System\oOLjLva.exe
  C:\Windows\System\oOLjLva.exe
  2⤵
  PID:14708
- C:\Windows\System\rsqxbIg.exe
  C:\Windows\System\rsqxbIg.exe
  2⤵
  PID:14736
- C:\Windows\System\MolYosN.exe
  C:\Windows\System\MolYosN.exe
  2⤵
  PID:14764
- C:\Windows\System\dRRvzTY.exe
  C:\Windows\System\dRRvzTY.exe
  2⤵
  PID:14792
- C:\Windows\System\MmGpUgm.exe
  C:\Windows\System\MmGpUgm.exe
  2⤵
  PID:14820
- C:\Windows\System\GGvvkTh.exe
  C:\Windows\System\GGvvkTh.exe
  2⤵
  PID:14848
- C:\Windows\System\cLhqYLM.exe
  C:\Windows\System\cLhqYLM.exe
  2⤵
  PID:14876
- C:\Windows\System\WxcLKdx.exe
  C:\Windows\System\WxcLKdx.exe
  2⤵
  PID:14904
- C:\Windows\System\YKAlPrr.exe
  C:\Windows\System\YKAlPrr.exe
  2⤵
  PID:14932
- C:\Windows\System\vtcBobq.exe
  C:\Windows\System\vtcBobq.exe
  2⤵
  PID:14960
- C:\Windows\System\uBcHARz.exe
  C:\Windows\System\uBcHARz.exe
  2⤵
  PID:14988
- C:\Windows\System\HWDoTMO.exe
  C:\Windows\System\HWDoTMO.exe
  2⤵
  PID:15016
- C:\Windows\System\NVXeyFd.exe
  C:\Windows\System\NVXeyFd.exe
  2⤵
  PID:15044
- C:\Windows\System\netxBec.exe
  C:\Windows\System\netxBec.exe
  2⤵
  PID:15076
- C:\Windows\System\TlCKMDD.exe
  C:\Windows\System\TlCKMDD.exe
  2⤵
  PID:15104
- C:\Windows\System\CBQKtvp.exe
  C:\Windows\System\CBQKtvp.exe
  2⤵
  PID:15132
- C:\Windows\System\IxsPTdz.exe
  C:\Windows\System\IxsPTdz.exe
  2⤵
  PID:15160
- C:\Windows\System\vwvQcWY.exe
  C:\Windows\System\vwvQcWY.exe
  2⤵
  PID:15188
- C:\Windows\System\PCRylSz.exe
  C:\Windows\System\PCRylSz.exe
  2⤵
  PID:15216
- C:\Windows\System\okmcsqm.exe
  C:\Windows\System\okmcsqm.exe
  2⤵
  PID:15244
- C:\Windows\System\aWSyHfP.exe
  C:\Windows\System\aWSyHfP.exe
  2⤵
  PID:15272
- C:\Windows\System\tGvDZEA.exe
  C:\Windows\System\tGvDZEA.exe
  2⤵
  PID:15300
- C:\Windows\System\yiafYRx.exe
  C:\Windows\System\yiafYRx.exe
  2⤵
  PID:15328
- C:\Windows\System\eXOQOhs.exe
  C:\Windows\System\eXOQOhs.exe
  2⤵
  PID:15356

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:14888
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6332

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:10016

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7084

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:11296

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11736

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15228

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12576

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9368

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6456

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OCW8WCW9\microsoft.windows[1].xml

Filesize
97B

MD5
ff57f2ed79a718a086d79233df745b0c

SHA1
364f032900479844bdfdee4e49bf6a3fd41ab833

SHA256
543c84d6cc853caf483d68720925f1e4b34e4319f7317eec24a29f077a32e2be

SHA512
20d7307b3b8af5af2bd251370f0d14bdebdf5e2a8fbc956a7e18985b9f206701ad9b74c6bd6f9161a4013a303b07475eea47d0ae5c277c1f83b7083b1e168a38

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133876408608590458.txt.~tmp

Filesize
88KB

MD5
281bb25fa0e927400ee96ce39d762f42

SHA1
4979f0e5c4affe879a244f1c5ceec02f1f7597ab

SHA256
bb8061ecab2f19832a729f9c8382c59658ee502576cbfbe2b3552fd40d32e963

SHA512
de00be03dd736d5f8407b8311ae1605cdfde7f5bcff24a783ed83f83bfbba47d6bd9f20141e04981d23638b50ea5b838c97afb71884e60d71014e1bb2d00b2f1

Download Submit
C:\Windows\System\BWXetXp.exe

Filesize
6.1MB

MD5
8f52e96ddce710d389710442ef4bac21

SHA1
5cda6f29a3b8292251a71d2ce222f86e6cc61e3b

SHA256
99877281e9e8249a42f6880823e2b65385366ee025ac6e7fc37aba7d095bf1d8

SHA512
b72b08836cfabad5fcbb4606dfecbf023c1be068f2271de0c7afa0384ec5a1b302d5a2af983fee4ade655b365ed76729ef44f3ac17ccb84f9772a528fa0a4bde

Download Submit
C:\Windows\System\GVELuNX.exe

Filesize
6.1MB

MD5
29b555fdf1de55701a4bb7e12b660bcc

SHA1
8dd4515ebd6e526a5e6ab8fe0e41761c3b366576

SHA256
eee1ad4391bd3bfb2748e4ae8262137cccd40f350b1dbc6bf84daaadf32a6b7c

SHA512
e58b825bf544f07347de75779e5ef0499436bb334b689e0d5936670df9ce28c57788c7ec8c2485175f1033c9699e6efc2fcf01c84bf738e2bd4525f502331ef6

Download Submit
C:\Windows\System\HNJwMMx.exe

Filesize
6.1MB

MD5
7068514a6affd3f5239727f3536a85da

SHA1
98c16aa763cca16f3be55374f12b0bcafe2ae685

SHA256
ffc94439ac1d501b7dc78401e9b61238112b7278a04a00487d9f343defec7707

SHA512
eb29166c6faef49f5772fcf9cd60186be5b7d38fc5fa6cf55110f9f483eba438a806f82d22cac8a26233df5e59cd4bfe68b888b1a3fb30b190ff4ce2bfd27ad2

Download Submit
C:\Windows\System\KBuaQzA.exe

Filesize
6.1MB

MD5
4a176ab35b7f34acaf71e83c47e20d57

SHA1
d347e900a501900ba833c7ca78d8ebe429832b9f

SHA256
287619ee0edeaf289544b08532101f7289b074a726e0f9e18a72728828d7e58e

SHA512
33406687e08ed7bd57fdaa5863ad7aabf58f1757ecf50ca586546b7168497352a142b0889b37bead37830114a4f0382572a100230f8e64b8f9dde90fcb2edf02

Download Submit
C:\Windows\System\QXmhKQh.exe

Filesize
6.1MB

MD5
304cfe4f90737c726fef1506a9ddc94b

SHA1
e74ba14d6dd6857b616b7249f65d1607473894c3

SHA256
f62359082a503f56a0df47a56346f38eae7d1236f6e11cf8f41f7972e4350ab4

SHA512
221ee3e3e91e097d6c5f6143187e9ba5d3fddfe5f1c6d73df3a8a3b0df1a7fdc06d13af6e3b4a0e8f498d650392e05731bc1bffca840e4b481d2ee4a36aa655a

Download Submit
C:\Windows\System\ROIuonY.exe

Filesize
6.1MB

MD5
2ad27e1576afb34067bd492a7680ff05

SHA1
5aa4c294ff742a0cec69e8a21f9f0d55aea3c5e3

SHA256
8e94829409017e4662d4875894ef0c670d05045cde953b0503235bde68f4eb38

SHA512
ffffd821228c823fce4a0aa3cb38027958e2f9f55fb4e4eb7c2f547b6f43f9d01f2d27eb8898ae4b2310c86c09b2a8f962c5e55d9f75aead45e205c146962d0f

Download Submit
C:\Windows\System\ReGsrgY.exe

Filesize
6.1MB

MD5
e77202c9d75df8f320ca8618a9d8bf9a

SHA1
edf33ab672e2ebf9e76311f8ac706e2fbc5505e5

SHA256
84e0f244c009d3ddd037dd30f3646c641fef0fff60d6e390a1274d2f844ef286

SHA512
28f0d4b12842fb7383d1a31d64a0f85732a1735da136534522c19314ffac50b88c363add856cfbc41f7320fc7f10d0e8c35ffb60a28636ab673f0df3e0809470

Download Submit
C:\Windows\System\SAPvqhO.exe

Filesize
6.1MB

MD5
bf20afdaf0f76fc0a1f6377ff9fbd8a3

SHA1
22798acd17f475a2e4ba3cbb0a766a4a636b3cc8

SHA256
922834a00d25ce958606fd56983618d4619056504e3a6c703550ab7e97195572

SHA512
3f1f78f8dbcd0c13e18d454e684ec2d4147e797342604d74e25300a826d66d4eb49ceb394a53aa0ae4c5a87a376d23ea45830f1b85ce669bc42f8aafba13ebd4

Download Submit
C:\Windows\System\Tjkzlpy.exe

Filesize
6.1MB

MD5
4da31956d265c04a829ef14650c19596

SHA1
1ebe43fe98e95ef03091d8f6a3bf0df23f556135

SHA256
bfdecc7ba20e46dcf405e424673ec3a9fc66b8c111fb2b11d912ffcf72fd22ce

SHA512
999b67fd140607f6b54e8b8165a9bd5983cb61b04996d92bd28ed83a5b42759f8a3ca95e2952d7b6be76a6f1936b821c82113a9af222bce53ebe5ecd051774b9

Download Submit
C:\Windows\System\UGvVVTD.exe

Filesize
6.1MB

MD5
ed6a0d8f595a2c4af00cb45fa4a62611

SHA1
1015669b3715c40edc2fa014ddbcb02004c53ca9

SHA256
c70988fa8c85c38062ac1ef3ebca9ad0edd7bae0102dfa88592add80bc656697

SHA512
1268b1c9a9c785275ba128643557cc46eb4cb76a46cab08617be1081613424e204870882a530dacf182f6e30bdf72c213a11bf3ad59fab7cf8eead5ec38ec0b9

Download Submit
C:\Windows\System\VjwyIYm.exe

Filesize
6.1MB

MD5
e024eca1680a67d2dea010b9e5e78428

SHA1
044a101def16ad8f1394820c1f799d6892a4096c

SHA256
12961ed384473b44d8757ab2fcc917c509d219d0d918289cf1800eca7114e77d

SHA512
cf71deea8c5baa693472cba78005dcee27a71d73a1bcccd4928dcdf325cc61e696ac789156d55e19038be2a9cafbce9e5f303ad27cafd5e42cf7348886b34e0c

Download Submit
C:\Windows\System\WKENkzt.exe

Filesize
6.1MB

MD5
e3589d44dc43ab3de120b92657eee69d

SHA1
b9e4eab00ac952c07948e3bf387369914ee1cccc

SHA256
29962ed3206bcd3afcd2ea1d55e50104fcea0f537353b15712ceacd63d52247a

SHA512
5db3f901b57409280d3dca3406798ffb9eb4131a8a8f4705181091a043e76c6b2231f73f7646f3c0a1767ccf9c5d1797ab609b1179635db598d2a6ef00883984

Download Submit
C:\Windows\System\YRlWwPA.exe

Filesize
6.1MB

MD5
1e9893fd7743c7a57e88f2a6f988eedb

SHA1
b985a457f26d6e296d5d69f6554bfa4e53e35889

SHA256
7cd0541aa0d1c2ef87286d1231cc1e4b9ad947dd45eef1bcc531cc0f061c848b

SHA512
fa13156ef3b68308e5a15d30febd68e064bb2a348b4e263fd9d31369102481ea8ae25105b1263bf2bf96185b09bf4fb891ea6e8bc2a750d3c99ff253f442e426

Download Submit
C:\Windows\System\Zeyaixk.exe

Filesize
6.1MB

MD5
38787f61d6cc2e6c6e600a0662eefa84

SHA1
3d408a6d1cd19bd27cc1b85ed4074caf6b0ea21c

SHA256
e74534fe5307355f375624eb377139a3e919eff7f44162a76e577192af8bf6b2

SHA512
62232a821bb72685621627654a66a330988944d527e763c7890c082ab14487dd3d5feb57688888d9267f82f1a0269cc7fb5d141689b6a7af4a2877e21961c574

Download Submit
C:\Windows\System\bFUlIhG.exe

Filesize
6.1MB

MD5
2ca0fdeb99c806bb69155013573f1ecf

SHA1
c9edddc375413e1d16a0a2bdb250a7e47d54827c

SHA256
a7377d236d93012b29755b460574db252bfb846d3f5e165cf758db19baa5e49f

SHA512
e87f105fccec4f816410862dc83df588f543c4000e260963f59137aa090d5b70c2ef44b5a12f23abaa9e59e4e8be40e666cf8f5228f789660de1534846778722

Download Submit
C:\Windows\System\cKWmMXB.exe

Filesize
6.1MB

MD5
1efd45001bf8a6771abb0d7f3a12bd13

SHA1
a651a5b0c2ab3ba69876860a960eda4b77499015

SHA256
1ea199f2db47bc88a03058928e25662d53ce57861c6c15cbbc81e0d48062a951

SHA512
ff3763c54ab4f964f925e06c84129057ceeaa016c811100c5fbb23ebada9e5de63d00aadd265a8ad137bc28b06066bbd92337501040f4e9c03d6cb2cc248f072

Download Submit
C:\Windows\System\dlIzmmV.exe

Filesize
6.1MB

MD5
d05128e75bb47ee7aa3ee60fdde69c4e

SHA1
a33daae0aa11bd1b209c0f7b992d07aa6974d15e

SHA256
1ca15db1481bfe848e46e52e13e5fb827e9f35f0a1104a93ad565cdd42b2aaa8

SHA512
8213eb7d0473e83b0398a5c8fbf30c0983270de1fac2d45e7b2116b98576c913e2ade94bb8ad78bf7927b6ad5e8f1a1e9e2c6451bba8f7bf2fcd80bcfe69670c

Download Submit
C:\Windows\System\falgKHe.exe

Filesize
6.1MB

MD5
c94d159036c567da8f48323bca8ff427

SHA1
fbfb3d105d40a71721195a180d3a648a430b733e

SHA256
82a6468cfac3ff38edf249c673e2dd1ebb8a146a00b1c6a8dabd689964388bf7

SHA512
77bcccf85ace788939d364afe9db35d0e6273e15ac8f10dcf48e594e36014b754ec5ab26da7905a17b6924ab8bd1c0472a07be839e9b44d1b9c43ea026f6b70d

Download Submit
C:\Windows\System\fiPuRfW.exe

Filesize
6.1MB

MD5
a8378a7cf479fd3bc40782b958f7cf8a

SHA1
c9d40217cc7e2353f7c0a3492d8284084d41fae2

SHA256
657cec9f907a2a796234804e00fa723710c37bcba53653fa260d168c9d73ccb2

SHA512
9f9d1695c694bb1c415af585977f97760a9c2b1a955ab332efdd5758ca08bf849c3349308f4bc0dc3f61ca249399d274f57154c91a2c90b900ef18facd2fc285

Download Submit
C:\Windows\System\iKQCNPu.exe

Filesize
6.1MB

MD5
0ebc9097952e96d2730e8d5c3dbcd108

SHA1
7b57313ce5ec19a2c6195b45790eda7268b3e937

SHA256
5c7993b35b5146fb6ae84f1c373f70aed9a3eb3856c2f1774e7aa3255a314dca

SHA512
b271cab6cf7005437cad5ea941692b5be3eaa16fd507f2e27adc91b33777790f49d517291f588fc459395ea080c30fa9e7411e36da1804e3e9cf17646fe20075

Download Submit
C:\Windows\System\jgnclOS.exe

Filesize
6.1MB

MD5
95cd8d23318aa3ed8b12638ef1bd8334

SHA1
95c62aa387c439895815733496f022f71755d5ed

SHA256
b1af0c950348bad68bcc397071ced079df3bcef3f60197d8adf3b5739ee05e4a

SHA512
79d99ca8366d14f5e7a7dc250aba320e5da3761b670a3b3bb0bf5f33f18ce61f86026079034eca767caee4119d26f278c09a3a3661ce43138d5ce804a41a6579

Download Submit
C:\Windows\System\lUhfpwR.exe

Filesize
6.1MB

MD5
b85374392ed22f91831c8b1fa39c6c3b

SHA1
894a6230aaedfdaed8075afbd77326bfeab4029c

SHA256
d1c6bfb04f521e8813804e043aa74c454be7edb0828cba9e2698b5d133569936

SHA512
f7c36d88b75030091526053c38a0db01c44946da9a5111bd47ad8f0ecf718eb731936649e53fac95c643e9b0079ce83a566aa1fe5b902c38d26d4b02f2b1d611

Download Submit
C:\Windows\System\mIgWtKE.exe

Filesize
6.1MB

MD5
4ddc253417f68d68bb7e968e9a655608

SHA1
44385145ad90d432370c8d83bae224244e88addb

SHA256
444651554c9b7dd3bc53f1c332ae51b9f97e9c0f8c0c49205facf0a7dcff75d0

SHA512
62a356f6c726efc737b6433b24ce262b88a61b824c7e90a98af6fa0a3fa4f1ee9c4ee5fc539b3ad7f42df25919319af8adaad5c14cdd4f2b0e62651b40233055

Download Submit
C:\Windows\System\mbulqXA.exe

Filesize
6.1MB

MD5
00b112af8429461162ed78d59b734080

SHA1
d8a0adafcac9a46a1becf4d879fef59506ac3799

SHA256
6e847e9ea1b60d7d89532a6a2274b41a97ebe2b7765f6d4d34f05c8a6c6e7785

SHA512
9c8fadb95565468ec4974472f11655365f56893e5dabd7ad90a856669e12ea218c620b376ba6245c58ddc9d91fabb5174ca19bca095bbcb7684c76f67e3ea337

Download Submit
C:\Windows\System\nAyrEiD.exe

Filesize
6.1MB

MD5
320d9a9c0e6d3a75d0d102fe44ddfcc7

SHA1
8f56394db0433bc7b80e62c07c4232699c1ca181

SHA256
874e08c7b6f3457c631d07f3eb3b4305f32107e3592aacdaf4a768c41ce80d38

SHA512
cb09e80d2f3b6db8bab506e9a3c8b8f905cd9485b4a348b92a753f621b3b6b0f6380ef2ef7e6bd0162f9052f9ff33f506ee743e2ce8b130da1cc6196df047705

Download Submit
C:\Windows\System\nhrQWcZ.exe

Filesize
6.1MB

MD5
dab59cf50b37c82253ee755d5b052b18

SHA1
4ee581e599d377ce1aa29402a48d57c4d0bbcb35

SHA256
3baad718d1c5ed9603b8c69ae690cd203b42e26378c03c2047ca2dcaea751893

SHA512
09da3f30e0a8583e894fa7d1fa54a2109bb9c377f0a1cc3c5c38c06485aa1ec5d356ecf4d079074592825af108879a7cf6f1058ab74ee86ae5199b1a260f27d8

Download Submit
C:\Windows\System\pDYwyeO.exe

Filesize
6.1MB

MD5
03977833bab76229ed1b42c7ea670039

SHA1
a3130aab711a8bf5ad160be2ebfdaabc1eb8ac22

SHA256
21c1baa566e973f44156250dce97e8495f59b9bffe7d921ead6d1b71ed9adf3a

SHA512
92307024a4c89e2c1abc4f6454a8ccb3166a6df468f2cbff602cd00ada1b0f9926fe78fe5afa52f0321d0eb6a9613100389db965cb5cccd43af7526e6669e226

Download Submit
C:\Windows\System\pNKdLys.exe

Filesize
6.1MB

MD5
b35e5b2945c86c2664505a31f17b9fed

SHA1
f9c8a362c1cd4c59f50543f9383a7565003b90aa

SHA256
308e1822f37586b25bc54e784aa88c413e4739583ddcd60e21cf4553f09c42ef

SHA512
2b77e2d69fd36b27e1b02402e3e63001e7e3076670a05f2ce06723df2c1fdcced7ada00516520004975d973455458a7f874c6ab584ec14a93a0386b2edaf11e2

Download Submit
C:\Windows\System\sgcsGFE.exe

Filesize
6.1MB

MD5
015380cb313ea14037a285dfa8b8e46d

SHA1
8a1fd87c1a53d8c9460cbd9148fc1a012c57d1b8

SHA256
da73076c3b4b34fb05857be58d918a5a86198a33b481cd8019444cf54dfe7466

SHA512
b3a6a3802934e2b03e775bca66338f8ea0d81bf5a14d9363934176b96b31a9c8896511b44fea213929a819ea09288bf1b96ace2f64317167db2f4f0774188278

Download Submit
C:\Windows\System\srWgLJi.exe

Filesize
6.1MB

MD5
4e29a4ee576057fa217b8b306e2cd3ab

SHA1
96de31c152229fb251f54ae00bd03161fba7a377

SHA256
54d7e67ec1ad4dfb705e20e1d2f9a63a50e398b7eb97c1362956d130fabc371e

SHA512
049de2e97ed9a83d407036f6333e644cdbb15f6d591872d2f5e5ac6d50bf638eee85b38846dcd002fc2285ef765f1ba200c12d9812685f071d1d7f93f5b108f1

Download Submit
C:\Windows\System\svkhVAb.exe

Filesize
6.1MB

MD5
59762a2ae0ac00e5c1651fe7a2bdc5ef

SHA1
b986874ee6648ec78f9c59dc7eae7f147fcf608b

SHA256
8d9c476fdff85f0199d58dff0f96cc5a7338cf4ec57310405aa2b0d430fd2fec

SHA512
01d053625dd95f9d3db94971856ce8302b5662c8f80fc439e59680e467f8e8e0d3b66aaefc2fd602b0db1d99cad3488e22181afed10b3b4820e48b90bfcee676

Download Submit
C:\Windows\System\tHeHdEa.exe

Filesize
6.1MB

MD5
8746898c2be2351c1fcdc017930bc28f

SHA1
846ebc33d4925d1dcb1475788b65c9dd4d0a2c21

SHA256
ba4d6411271f7813fa38588c201e77fcf231e3977af667451c6a03fc2d94b660

SHA512
e4f0edaa78e8a5880ec19b5b1d4b4ed4586b130873c85a027094a139672355558ac5d1d378d1ee267134ddd0136e1e91cc43956550417469e75e80526b351e49

Download Submit
C:\Windows\System\wlSQGBc.exe

Filesize
6.1MB

MD5
9dcc8a13f8e5c4505cf9f176ed9728d1

SHA1
ac269c6f50380b9eb02832d86fbde67cedb75085

SHA256
bb4ad53d0222e33e975159250f979d2931740cb4b435a8903b696cf90da62127

SHA512
96b1b2c067a81eaa9916a81ed57f56afa4e728ca6ca9a09a4df13c8c18cfd1caed2878a707849f3ade9962fefcd4d62e18ad26495affabe8e11aeed34dcf5289

Download Submit
memory/232-173-0x00007FF65B400000-0x00007FF65B754000-memory.dmp

Filesize
3.3MB

Download
memory/232-604-0x00007FF65B400000-0x00007FF65B754000-memory.dmp

Filesize
3.3MB

Download
memory/232-2319-0x00007FF65B400000-0x00007FF65B754000-memory.dmp

Filesize
3.3MB

Download
memory/400-146-0x00007FF6686C0000-0x00007FF668A14000-memory.dmp

Filesize
3.3MB

Download
memory/400-1838-0x00007FF6686C0000-0x00007FF668A14000-memory.dmp

Filesize
3.3MB

Download
memory/556-206-0x00007FF6E9150000-0x00007FF6E94A4000-memory.dmp

Filesize
3.3MB

Download
memory/556-2321-0x00007FF6E9150000-0x00007FF6E94A4000-memory.dmp

Filesize
3.3MB

Download
memory/556-725-0x00007FF6E9150000-0x00007FF6E94A4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-207-0x00007FF6E5E00000-0x00007FF6E6154000-memory.dmp

Filesize
3.3MB

Download
memory/1132-2320-0x00007FF6E5E00000-0x00007FF6E6154000-memory.dmp

Filesize
3.3MB

Download
memory/1180-8-0x00007FF7EC640000-0x00007FF7EC994000-memory.dmp

Filesize
3.3MB

Download
memory/1180-1448-0x00007FF7EC640000-0x00007FF7EC994000-memory.dmp

Filesize
3.3MB

Download
memory/1240-154-0x00007FF64B9C0000-0x00007FF64BD14000-memory.dmp

Filesize
3.3MB

Download
memory/1240-472-0x00007FF64B9C0000-0x00007FF64BD14000-memory.dmp

Filesize
3.3MB

Download
memory/1240-2316-0x00007FF64B9C0000-0x00007FF64BD14000-memory.dmp

Filesize
3.3MB

Download
memory/1384-1823-0x00007FF7DBA80000-0x00007FF7DBDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-136-0x00007FF7DBA80000-0x00007FF7DBDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-215-0x00007FF7DBA80000-0x00007FF7DBDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-1809-0x00007FF736B80000-0x00007FF736ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-197-0x00007FF736B80000-0x00007FF736ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-82-0x00007FF736B80000-0x00007FF736ED4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-159-0x00007FF60D5F0000-0x00007FF60D944000-memory.dmp

Filesize
3.3MB

Download
memory/1912-2315-0x00007FF60D5F0000-0x00007FF60D944000-memory.dmp

Filesize
3.3MB

Download
memory/1912-538-0x00007FF60D5F0000-0x00007FF60D944000-memory.dmp

Filesize
3.3MB

Download
memory/1952-138-0x00007FF68AD50000-0x00007FF68B0A4000-memory.dmp

Filesize
3.3MB

Download
memory/1952-1822-0x00007FF68AD50000-0x00007FF68B0A4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-148-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-50-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-1791-0x00007FF7FF4A0000-0x00007FF7FF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-1794-0x00007FF7B6870000-0x00007FF7B6BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-57-0x00007FF7B6870000-0x00007FF7B6BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-81-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp

Filesize
3.3MB

Download
memory/2384-1501-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp

Filesize
3.3MB

Download
memory/2384-24-0x00007FF7CBEC0000-0x00007FF7CC214000-memory.dmp

Filesize
3.3MB

Download
memory/2772-1806-0x00007FF7EA670000-0x00007FF7EA9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-198-0x00007FF7EA670000-0x00007FF7EA9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-99-0x00007FF7EA670000-0x00007FF7EA9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-1829-0x00007FF7985D0000-0x00007FF798924000-memory.dmp

Filesize
3.3MB

Download
memory/2960-147-0x00007FF7985D0000-0x00007FF798924000-memory.dmp

Filesize
3.3MB

Download
memory/3144-1797-0x00007FF6D06A0000-0x00007FF6D09F4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-157-0x00007FF6D06A0000-0x00007FF6D09F4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-63-0x00007FF6D06A0000-0x00007FF6D09F4000-memory.dmp

Filesize
3.3MB

Download
memory/3552-42-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp

Filesize
3.3MB

Download
memory/3552-1511-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp

Filesize
3.3MB

Download
memory/3552-137-0x00007FF7D97E0000-0x00007FF7D9B34000-memory.dmp

Filesize
3.3MB

Download
memory/3920-1499-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-74-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-20-0x00007FF7DBA90000-0x00007FF7DBDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-38-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp

Filesize
3.3MB

Download
memory/3976-113-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp

Filesize
3.3MB

Download
memory/3976-1510-0x00007FF74F820000-0x00007FF74FB74000-memory.dmp

Filesize
3.3MB

Download
memory/4092-1801-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-181-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-76-0x00007FF663D70000-0x00007FF6640C4000-memory.dmp

Filesize
3.3MB

Download
memory/4168-70-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp

Filesize
3.3MB

Download
memory/4168-1800-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp

Filesize
3.3MB

Download
memory/4168-168-0x00007FF759FB0000-0x00007FF75A304000-memory.dmp

Filesize
3.3MB

Download
memory/4252-12-0x00007FF657E20000-0x00007FF658174000-memory.dmp

Filesize
3.3MB

Download
memory/4252-1487-0x00007FF657E20000-0x00007FF658174000-memory.dmp

Filesize
3.3MB

Download
memory/4252-69-0x00007FF657E20000-0x00007FF658174000-memory.dmp

Filesize
3.3MB

Download
memory/4328-180-0x00007FF6CE370000-0x00007FF6CE6C4000-memory.dmp

Filesize
3.3MB

Download
memory/4328-2318-0x00007FF6CE370000-0x00007FF6CE6C4000-memory.dmp

Filesize
3.3MB

Download
memory/4368-114-0x00007FF7980E0000-0x00007FF798434000-memory.dmp

Filesize
3.3MB

Download
memory/4368-1817-0x00007FF7980E0000-0x00007FF798434000-memory.dmp

Filesize
3.3MB

Download
memory/4488-1821-0x00007FF679F90000-0x00007FF67A2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-214-0x00007FF679F90000-0x00007FF67A2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-125-0x00007FF679F90000-0x00007FF67A2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4496-1828-0x00007FF716210000-0x00007FF716564000-memory.dmp

Filesize
3.3MB

Download
memory/4496-145-0x00007FF716210000-0x00007FF716564000-memory.dmp

Filesize
3.3MB

Download
memory/4496-282-0x00007FF716210000-0x00007FF716564000-memory.dmp

Filesize
3.3MB

Download
memory/4640-209-0x00007FF69CCB0000-0x00007FF69D004000-memory.dmp

Filesize
3.3MB

Download
memory/4640-1826-0x00007FF69CCB0000-0x00007FF69D004000-memory.dmp

Filesize
3.3MB

Download
memory/4640-123-0x00007FF69CCB0000-0x00007FF69D004000-memory.dmp

Filesize
3.3MB

Download
memory/4920-1-0x000002261F630000-0x000002261F640000-memory.dmp

Filesize
64KB

Download
memory/4920-56-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp

Filesize
3.3MB

Download
memory/4920-0-0x00007FF7A05B0000-0x00007FF7A0904000-memory.dmp

Filesize
3.3MB

Download
memory/4960-1503-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp

Filesize
3.3MB

Download
memory/4960-30-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp

Filesize
3.3MB

Download
memory/4960-92-0x00007FF6DFF80000-0x00007FF6E02D4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-107-0x00007FF79A0B0000-0x00007FF79A404000-memory.dmp

Filesize
3.3MB

Download
memory/5008-1812-0x00007FF79A0B0000-0x00007FF79A404000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads