cobaltstrike | 40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
Size

6.0MB
MD5

2d7fbd03a32b31e8cb9197eb8e13b0f4
SHA1

85f0879ebe5e581070b5a63e6397242cb35f1ea9
SHA256

40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233
SHA512

53d1cb6c21f9baf6c3302b1c7afdfe62202648088d8815b98e8c4b9d91fd1d482fb95a5e1062175a63537cf6032826adc397c55c8249dcc6d4f73ce55c7f9738
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUY:T+q56utgpPF8u/7Y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner persistence trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 34 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000024097-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240ef-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f0-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f3-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f2-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f1-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f4-42.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000240ec-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f5-52.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f8-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240fe-95.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240ff-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024103-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024102-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024101-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024100-118.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240fd-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240fc-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240fb-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240fa-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f9-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000240f6-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024104-141.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024105-148.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024106-152.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024108-168.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024109-185.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410f-204.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410c-202.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410e-200.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410d-194.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410b-188.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002410a-179.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024107-165.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2212-0-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp	xmrig
behavioral2/files/0x000a000000024097-5.dat	xmrig
behavioral2/files/0x00070000000240ef-11.dat	xmrig
behavioral2/memory/1036-12-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f0-10.dat	xmrig
behavioral2/memory/692-7-0x00007FF793DD0000-0x00007FF794124000-memory.dmp	xmrig
behavioral2/memory/4104-18-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f3-35.dat	xmrig
behavioral2/memory/2520-38-0x00007FF670D10000-0x00007FF671064000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f2-32.dat	xmrig
behavioral2/memory/2324-30-0x00007FF79B5D0000-0x00007FF79B924000-memory.dmp	xmrig
behavioral2/memory/2428-25-0x00007FF6A3160000-0x00007FF6A34B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f1-24.dat	xmrig
behavioral2/files/0x00070000000240f4-42.dat	xmrig
behavioral2/files/0x00080000000240ec-47.dat	xmrig
behavioral2/memory/4660-49-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f5-52.dat	xmrig
behavioral2/files/0x00070000000240f8-66.dat	xmrig
behavioral2/memory/1372-65-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp	xmrig
behavioral2/files/0x00070000000240fe-95.dat	xmrig
behavioral2/files/0x00070000000240ff-111.dat	xmrig
behavioral2/files/0x0007000000024103-125.dat	xmrig
behavioral2/memory/600-130-0x00007FF760AB0000-0x00007FF760E04000-memory.dmp	xmrig
behavioral2/memory/1036-135-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp	xmrig
behavioral2/memory/3864-137-0x00007FF767AE0000-0x00007FF767E34000-memory.dmp	xmrig
behavioral2/memory/4652-136-0x00007FF787F00000-0x00007FF788254000-memory.dmp	xmrig
behavioral2/memory/3548-134-0x00007FF6DAD10000-0x00007FF6DB064000-memory.dmp	xmrig
behavioral2/memory/4528-133-0x00007FF6A0490000-0x00007FF6A07E4000-memory.dmp	xmrig
behavioral2/memory/3848-132-0x00007FF619E10000-0x00007FF61A164000-memory.dmp	xmrig
behavioral2/memory/4772-131-0x00007FF7D05F0000-0x00007FF7D0944000-memory.dmp	xmrig
behavioral2/memory/2020-129-0x00007FF744FB0000-0x00007FF745304000-memory.dmp	xmrig
behavioral2/memory/2008-128-0x00007FF785D80000-0x00007FF7860D4000-memory.dmp	xmrig
behavioral2/memory/1872-127-0x00007FF6C6B20000-0x00007FF6C6E74000-memory.dmp	xmrig
behavioral2/files/0x0007000000024102-123.dat	xmrig
behavioral2/files/0x0007000000024101-121.dat	xmrig
behavioral2/memory/368-120-0x00007FF6623C0000-0x00007FF662714000-memory.dmp	xmrig
behavioral2/memory/2416-115-0x00007FF700DB0000-0x00007FF701104000-memory.dmp	xmrig
behavioral2/files/0x0007000000024100-118.dat	xmrig
behavioral2/files/0x00070000000240fd-96.dat	xmrig
behavioral2/files/0x00070000000240fc-88.dat	xmrig
behavioral2/files/0x00070000000240fb-83.dat	xmrig
behavioral2/files/0x00070000000240fa-81.dat	xmrig
behavioral2/files/0x00070000000240f9-79.dat	xmrig
behavioral2/memory/692-73-0x00007FF793DD0000-0x00007FF794124000-memory.dmp	xmrig
behavioral2/files/0x00070000000240f6-70.dat	xmrig
behavioral2/memory/2212-62-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp	xmrig
behavioral2/memory/3844-53-0x00007FF734110000-0x00007FF734464000-memory.dmp	xmrig
behavioral2/memory/2140-44-0x00007FF7E9820000-0x00007FF7E9B74000-memory.dmp	xmrig
behavioral2/memory/4104-138-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024104-141.dat	xmrig
behavioral2/files/0x0007000000024105-148.dat	xmrig
behavioral2/files/0x0007000000024106-152.dat	xmrig
behavioral2/files/0x0007000000024108-168.dat	xmrig
behavioral2/files/0x0007000000024109-185.dat	xmrig
behavioral2/memory/1372-191-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp	xmrig
behavioral2/files/0x000700000002410f-204.dat	xmrig
behavioral2/files/0x000700000002410c-202.dat	xmrig
behavioral2/files/0x000700000002410e-200.dat	xmrig
behavioral2/files/0x000700000002410d-194.dat	xmrig
behavioral2/memory/936-190-0x00007FF741890000-0x00007FF741BE4000-memory.dmp	xmrig
behavioral2/files/0x000700000002410b-188.dat	xmrig
behavioral2/memory/3088-183-0x00007FF6EC2E0000-0x00007FF6EC634000-memory.dmp	xmrig
behavioral2/memory/3844-181-0x00007FF734110000-0x00007FF734464000-memory.dmp	xmrig
behavioral2/files/0x000700000002410a-179.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
692	PDqGqAs.exe
1036	nDhqYuw.exe
4104	ZZnUcKJ.exe
2428	upYUYGk.exe
2324	ftSjMKr.exe
2520	gwFuqtm.exe
2140	rCpkxkt.exe
4660	UsjNGTd.exe
3844	hmeAkmq.exe
1372	UrKuddt.exe
2416	GygAiKp.exe
368	PNkCZBq.exe
4652	dhGzkhg.exe
1872	zUzQNJT.exe
2008	xygYGtM.exe
2020	OeDxsut.exe
600	SczOMZp.exe
4772	Kxqcevk.exe
3848	vXXPOQk.exe
4528	BRtnCQQ.exe
3864	ngdmCGa.exe
3548	dIviTIC.exe
3792	TLEgvna.exe
4724	LXyzqLM.exe
4412	EHdAUAH.exe
3820	BOfEkOd.exe
3096	XmOlpPr.exe
3088	SguPyuE.exe
936	HuuMdJd.exe
2348	KVXHWPH.exe
1460	aqvmniH.exe
1108	tHhddIA.exe
1416	FOATdcp.exe
3024	OwJVWKA.exe
3804	WiqRyut.exe
1928	fldZVIy.exe
4364	lRVkCJM.exe
1068	RMXnZoz.exe
3952	iPYKvwD.exe
3928	zaUORdn.exe
3856	HLixnLa.exe
4140	gqgmmwP.exe
4568	XqbUzLr.exe
2976	RcThyeX.exe
4512	BSyClYg.exe
3884	SKkwFyg.exe
2900	LLLbfxr.exe
2472	DXRDShY.exe
3944	uIHRSov.exe
4600	rxGqnKH.exe
3408	TRnQwRD.exe
4840	CjgGWYz.exe
5020	qjaiQhL.exe
1192	QBHhwDb.exe
3256	TwpcTbX.exe
1404	htXcZAl.exe
680	VPzMPwM.exe
3756	MPuVlnt.exe
1052	ngyGtGp.exe
1808	yeAzDty.exe
2872	ybyKlPQ.exe
3924	OoYtTAj.exe
4908	qsAPWeK.exe
3124	GTIpAOT.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2212-0-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp	upx
behavioral2/files/0x000a000000024097-5.dat	upx
behavioral2/files/0x00070000000240ef-11.dat	upx
behavioral2/memory/1036-12-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp	upx
behavioral2/files/0x00070000000240f0-10.dat	upx
behavioral2/memory/692-7-0x00007FF793DD0000-0x00007FF794124000-memory.dmp	upx
behavioral2/memory/4104-18-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp	upx
behavioral2/files/0x00070000000240f3-35.dat	upx
behavioral2/memory/2520-38-0x00007FF670D10000-0x00007FF671064000-memory.dmp	upx
behavioral2/files/0x00070000000240f2-32.dat	upx
behavioral2/memory/2324-30-0x00007FF79B5D0000-0x00007FF79B924000-memory.dmp	upx
behavioral2/memory/2428-25-0x00007FF6A3160000-0x00007FF6A34B4000-memory.dmp	upx
behavioral2/files/0x00070000000240f1-24.dat	upx
behavioral2/files/0x00070000000240f4-42.dat	upx
behavioral2/files/0x00080000000240ec-47.dat	upx
behavioral2/memory/4660-49-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp	upx
behavioral2/files/0x00070000000240f5-52.dat	upx
behavioral2/files/0x00070000000240f8-66.dat	upx
behavioral2/memory/1372-65-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp	upx
behavioral2/files/0x00070000000240fe-95.dat	upx
behavioral2/files/0x00070000000240ff-111.dat	upx
behavioral2/files/0x0007000000024103-125.dat	upx
behavioral2/memory/600-130-0x00007FF760AB0000-0x00007FF760E04000-memory.dmp	upx
behavioral2/memory/1036-135-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp	upx
behavioral2/memory/3864-137-0x00007FF767AE0000-0x00007FF767E34000-memory.dmp	upx
behavioral2/memory/4652-136-0x00007FF787F00000-0x00007FF788254000-memory.dmp	upx
behavioral2/memory/3548-134-0x00007FF6DAD10000-0x00007FF6DB064000-memory.dmp	upx
behavioral2/memory/4528-133-0x00007FF6A0490000-0x00007FF6A07E4000-memory.dmp	upx
behavioral2/memory/3848-132-0x00007FF619E10000-0x00007FF61A164000-memory.dmp	upx
behavioral2/memory/4772-131-0x00007FF7D05F0000-0x00007FF7D0944000-memory.dmp	upx
behavioral2/memory/2020-129-0x00007FF744FB0000-0x00007FF745304000-memory.dmp	upx
behavioral2/memory/2008-128-0x00007FF785D80000-0x00007FF7860D4000-memory.dmp	upx
behavioral2/memory/1872-127-0x00007FF6C6B20000-0x00007FF6C6E74000-memory.dmp	upx
behavioral2/files/0x0007000000024102-123.dat	upx
behavioral2/files/0x0007000000024101-121.dat	upx
behavioral2/memory/368-120-0x00007FF6623C0000-0x00007FF662714000-memory.dmp	upx
behavioral2/memory/2416-115-0x00007FF700DB0000-0x00007FF701104000-memory.dmp	upx
behavioral2/files/0x0007000000024100-118.dat	upx
behavioral2/files/0x00070000000240fd-96.dat	upx
behavioral2/files/0x00070000000240fc-88.dat	upx
behavioral2/files/0x00070000000240fb-83.dat	upx
behavioral2/files/0x00070000000240fa-81.dat	upx
behavioral2/files/0x00070000000240f9-79.dat	upx
behavioral2/memory/692-73-0x00007FF793DD0000-0x00007FF794124000-memory.dmp	upx
behavioral2/files/0x00070000000240f6-70.dat	upx
behavioral2/memory/2212-62-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp	upx
behavioral2/memory/3844-53-0x00007FF734110000-0x00007FF734464000-memory.dmp	upx
behavioral2/memory/2140-44-0x00007FF7E9820000-0x00007FF7E9B74000-memory.dmp	upx
behavioral2/memory/4104-138-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp	upx
behavioral2/files/0x0007000000024104-141.dat	upx
behavioral2/files/0x0007000000024105-148.dat	upx
behavioral2/files/0x0007000000024106-152.dat	upx
behavioral2/files/0x0007000000024108-168.dat	upx
behavioral2/files/0x0007000000024109-185.dat	upx
behavioral2/memory/1372-191-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp	upx
behavioral2/files/0x000700000002410f-204.dat	upx
behavioral2/files/0x000700000002410c-202.dat	upx
behavioral2/files/0x000700000002410e-200.dat	upx
behavioral2/files/0x000700000002410d-194.dat	upx
behavioral2/memory/936-190-0x00007FF741890000-0x00007FF741BE4000-memory.dmp	upx
behavioral2/files/0x000700000002410b-188.dat	upx
behavioral2/memory/3088-183-0x00007FF6EC2E0000-0x00007FF6EC634000-memory.dmp	upx
behavioral2/memory/3844-181-0x00007FF734110000-0x00007FF734464000-memory.dmp	upx
behavioral2/files/0x000700000002410a-179.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\DgodgVm.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\bnkXiyZ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\NDrDJGT.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\NAXiLKi.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\IqxYfVU.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\DRwGtmf.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\SyEmWLz.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\SLQdTyd.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\gdEjvmJ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\aMDDjQb.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\BWGiEBk.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\vwyKzOZ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\tHhddIA.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\rpLUSNU.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\BQKRvoQ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\QyoSDLj.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\bZZCTMe.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\BazDEZB.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\wDLJFoU.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\QnwIzHC.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\PDqGqAs.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\zUzQNJT.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\tkffzSU.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\vpHBGPx.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\SiYysWW.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\xTRWbhx.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\rccKuus.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\Oknyfwe.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\ftSjMKr.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\CwTjeLZ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\ZElaIDD.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\CmrAyVh.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\FCeRqcl.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\uxKwMur.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\QMwUuiG.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\IrmAXlJ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\rqOgFLh.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\BGQswBC.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\WzmjOuP.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\rcUMPYp.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\RXymvCi.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\dsCKgSG.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\Ykonfci.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\wvGSjGy.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\BQekfQL.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\OKgNKaP.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\kdeedCP.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\xntyRTm.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\zaUORdn.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\HyKKiQG.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\AolkdDI.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\TwYlIid.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\APdrVst.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\geZvgHo.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\ghTHpyz.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\JiHzJxp.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\MPuVlnt.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\ycJqrKJ.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\dJLgRMs.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\jTlCcsj.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\MDtieDg.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\jykfLsW.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\mArghOM.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
File created	C:\Windows\System\OrxpATS.exe	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lookup Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8382"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Lookup Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - it-IT Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Julie"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SpeechUXPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{F5F4F8CF-9A33-4BB9-91AE-056AB00C4C7A}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8 = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5218064"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0CFAE939-931E-4305-8D05-8C76C254EB34}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1041"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{04591986-4EEE-40AA-A336-9605B1FAC884}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR it-IT Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	944	explorer.exe
Token: SeCreatePagefilePrivilege	944	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	7384	explorer.exe
Token: SeCreatePagefilePrivilege	7384	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	8324	explorer.exe
Token: SeCreatePagefilePrivilege	8324	explorer.exe
Token: SeShutdownPrivilege	3284	explorer.exe
Token: SeCreatePagefilePrivilege	3284	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5856	sihost.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
944	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
7384	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
8324	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe
3284	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
6668	StartMenuExperienceHost.exe
7660	StartMenuExperienceHost.exe
8960	StartMenuExperienceHost.exe
8524	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 692	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	88
PID 2212 wrote to memory of 692	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	88
PID 2212 wrote to memory of 1036	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	89
PID 2212 wrote to memory of 1036	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	89
PID 2212 wrote to memory of 4104	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	90
PID 2212 wrote to memory of 4104	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	90
PID 2212 wrote to memory of 2428	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	91
PID 2212 wrote to memory of 2428	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	91
PID 2212 wrote to memory of 2324	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	92
PID 2212 wrote to memory of 2324	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	92
PID 2212 wrote to memory of 2520	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	93
PID 2212 wrote to memory of 2520	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	93
PID 2212 wrote to memory of 2140	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	94
PID 2212 wrote to memory of 2140	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	94
PID 2212 wrote to memory of 4660	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	95
PID 2212 wrote to memory of 4660	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	95
PID 2212 wrote to memory of 3844	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	96
PID 2212 wrote to memory of 3844	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	96
PID 2212 wrote to memory of 1372	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	97
PID 2212 wrote to memory of 1372	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	97
PID 2212 wrote to memory of 2416	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	98
PID 2212 wrote to memory of 2416	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	98
PID 2212 wrote to memory of 368	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	99
PID 2212 wrote to memory of 368	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	99
PID 2212 wrote to memory of 4652	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	100
PID 2212 wrote to memory of 4652	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	100
PID 2212 wrote to memory of 1872	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	101
PID 2212 wrote to memory of 1872	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	101
PID 2212 wrote to memory of 2008	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	806
PID 2212 wrote to memory of 2008	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	806
PID 2212 wrote to memory of 2020	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	103
PID 2212 wrote to memory of 2020	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	103
PID 2212 wrote to memory of 600	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	104
PID 2212 wrote to memory of 600	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	104
PID 2212 wrote to memory of 4772	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	105
PID 2212 wrote to memory of 4772	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	105
PID 2212 wrote to memory of 3848	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	106
PID 2212 wrote to memory of 3848	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	106
PID 2212 wrote to memory of 4528	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	107
PID 2212 wrote to memory of 4528	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	107
PID 2212 wrote to memory of 3864	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	108
PID 2212 wrote to memory of 3864	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	108
PID 2212 wrote to memory of 3548	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	109
PID 2212 wrote to memory of 3548	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	109
PID 2212 wrote to memory of 3792	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	110
PID 2212 wrote to memory of 3792	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	110
PID 2212 wrote to memory of 4724	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	113
PID 2212 wrote to memory of 4724	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	113
PID 2212 wrote to memory of 4412	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	114
PID 2212 wrote to memory of 4412	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	114
PID 2212 wrote to memory of 3820	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	115
PID 2212 wrote to memory of 3820	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	115
PID 2212 wrote to memory of 3096	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	117
PID 2212 wrote to memory of 3096	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	117
PID 2212 wrote to memory of 3088	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	118
PID 2212 wrote to memory of 3088	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	118
PID 2212 wrote to memory of 936	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	119
PID 2212 wrote to memory of 936	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	119
PID 2212 wrote to memory of 2348	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	120
PID 2212 wrote to memory of 2348	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	120
PID 2212 wrote to memory of 1460	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	808
PID 2212 wrote to memory of 1460	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	808
PID 2212 wrote to memory of 1108	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	122
PID 2212 wrote to memory of 1108	2212	40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe
"C:\Users\Admin\AppData\Local\Temp\40fc46c028c1d9c738ce5c415117d644c3f0041ed21d3ec0a8b7548bc4c96233.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System\PDqGqAs.exe
  C:\Windows\System\PDqGqAs.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\nDhqYuw.exe
  C:\Windows\System\nDhqYuw.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\ZZnUcKJ.exe
  C:\Windows\System\ZZnUcKJ.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\upYUYGk.exe
  C:\Windows\System\upYUYGk.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\ftSjMKr.exe
  C:\Windows\System\ftSjMKr.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\gwFuqtm.exe
  C:\Windows\System\gwFuqtm.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\rCpkxkt.exe
  C:\Windows\System\rCpkxkt.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\UsjNGTd.exe
  C:\Windows\System\UsjNGTd.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\hmeAkmq.exe
  C:\Windows\System\hmeAkmq.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\UrKuddt.exe
  C:\Windows\System\UrKuddt.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\GygAiKp.exe
  C:\Windows\System\GygAiKp.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\PNkCZBq.exe
  C:\Windows\System\PNkCZBq.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\dhGzkhg.exe
  C:\Windows\System\dhGzkhg.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\zUzQNJT.exe
  C:\Windows\System\zUzQNJT.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\xygYGtM.exe
  C:\Windows\System\xygYGtM.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\OeDxsut.exe
  C:\Windows\System\OeDxsut.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\SczOMZp.exe
  C:\Windows\System\SczOMZp.exe
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\System\Kxqcevk.exe
  C:\Windows\System\Kxqcevk.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\vXXPOQk.exe
  C:\Windows\System\vXXPOQk.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\BRtnCQQ.exe
  C:\Windows\System\BRtnCQQ.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\ngdmCGa.exe
  C:\Windows\System\ngdmCGa.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\dIviTIC.exe
  C:\Windows\System\dIviTIC.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\TLEgvna.exe
  C:\Windows\System\TLEgvna.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\LXyzqLM.exe
  C:\Windows\System\LXyzqLM.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\EHdAUAH.exe
  C:\Windows\System\EHdAUAH.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\BOfEkOd.exe
  C:\Windows\System\BOfEkOd.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\XmOlpPr.exe
  C:\Windows\System\XmOlpPr.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\SguPyuE.exe
  C:\Windows\System\SguPyuE.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\HuuMdJd.exe
  C:\Windows\System\HuuMdJd.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\KVXHWPH.exe
  C:\Windows\System\KVXHWPH.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\aqvmniH.exe
  C:\Windows\System\aqvmniH.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\tHhddIA.exe
  C:\Windows\System\tHhddIA.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\FOATdcp.exe
  C:\Windows\System\FOATdcp.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\OwJVWKA.exe
  C:\Windows\System\OwJVWKA.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\WiqRyut.exe
  C:\Windows\System\WiqRyut.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\fldZVIy.exe
  C:\Windows\System\fldZVIy.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\lRVkCJM.exe
  C:\Windows\System\lRVkCJM.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\RMXnZoz.exe
  C:\Windows\System\RMXnZoz.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\iPYKvwD.exe
  C:\Windows\System\iPYKvwD.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\zaUORdn.exe
  C:\Windows\System\zaUORdn.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\HLixnLa.exe
  C:\Windows\System\HLixnLa.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\gqgmmwP.exe
  C:\Windows\System\gqgmmwP.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\XqbUzLr.exe
  C:\Windows\System\XqbUzLr.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\RcThyeX.exe
  C:\Windows\System\RcThyeX.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\BSyClYg.exe
  C:\Windows\System\BSyClYg.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\SKkwFyg.exe
  C:\Windows\System\SKkwFyg.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\LLLbfxr.exe
  C:\Windows\System\LLLbfxr.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\DXRDShY.exe
  C:\Windows\System\DXRDShY.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\uIHRSov.exe
  C:\Windows\System\uIHRSov.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\rxGqnKH.exe
  C:\Windows\System\rxGqnKH.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\TRnQwRD.exe
  C:\Windows\System\TRnQwRD.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\CjgGWYz.exe
  C:\Windows\System\CjgGWYz.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\qjaiQhL.exe
  C:\Windows\System\qjaiQhL.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\QBHhwDb.exe
  C:\Windows\System\QBHhwDb.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\TwpcTbX.exe
  C:\Windows\System\TwpcTbX.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\htXcZAl.exe
  C:\Windows\System\htXcZAl.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\VPzMPwM.exe
  C:\Windows\System\VPzMPwM.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\MPuVlnt.exe
  C:\Windows\System\MPuVlnt.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\ngyGtGp.exe
  C:\Windows\System\ngyGtGp.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\yeAzDty.exe
  C:\Windows\System\yeAzDty.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\ybyKlPQ.exe
  C:\Windows\System\ybyKlPQ.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\OoYtTAj.exe
  C:\Windows\System\OoYtTAj.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\qsAPWeK.exe
  C:\Windows\System\qsAPWeK.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\GTIpAOT.exe
  C:\Windows\System\GTIpAOT.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\gvvsqkY.exe
  C:\Windows\System\gvvsqkY.exe
  2⤵
  PID:2184
- C:\Windows\System\nWTQrpC.exe
  C:\Windows\System\nWTQrpC.exe
  2⤵
  PID:376
- C:\Windows\System\gIagLKW.exe
  C:\Windows\System\gIagLKW.exe
  2⤵
  PID:2756
- C:\Windows\System\evGeHrV.exe
  C:\Windows\System\evGeHrV.exe
  2⤵
  PID:2788
- C:\Windows\System\qhdzVjl.exe
  C:\Windows\System\qhdzVjl.exe
  2⤵
  PID:2208
- C:\Windows\System\bmrMpAa.exe
  C:\Windows\System\bmrMpAa.exe
  2⤵
  PID:2252
- C:\Windows\System\WlwvPLW.exe
  C:\Windows\System\WlwvPLW.exe
  2⤵
  PID:5164
- C:\Windows\System\DWzQZRJ.exe
  C:\Windows\System\DWzQZRJ.exe
  2⤵
  PID:5220
- C:\Windows\System\tkffzSU.exe
  C:\Windows\System\tkffzSU.exe
  2⤵
  PID:5264
- C:\Windows\System\jjKiHbf.exe
  C:\Windows\System\jjKiHbf.exe
  2⤵
  PID:5312
- C:\Windows\System\BlyelyL.exe
  C:\Windows\System\BlyelyL.exe
  2⤵
  PID:5364
- C:\Windows\System\HUPkdbe.exe
  C:\Windows\System\HUPkdbe.exe
  2⤵
  PID:5428
- C:\Windows\System\jwvktBD.exe
  C:\Windows\System\jwvktBD.exe
  2⤵
  PID:5456
- C:\Windows\System\LLwedYQ.exe
  C:\Windows\System\LLwedYQ.exe
  2⤵
  PID:5476
- C:\Windows\System\hYdpoLB.exe
  C:\Windows\System\hYdpoLB.exe
  2⤵
  PID:5532
- C:\Windows\System\fmZEFxu.exe
  C:\Windows\System\fmZEFxu.exe
  2⤵
  PID:5564
- C:\Windows\System\OoyeoqI.exe
  C:\Windows\System\OoyeoqI.exe
  2⤵
  PID:5612
- C:\Windows\System\JhGGhCx.exe
  C:\Windows\System\JhGGhCx.exe
  2⤵
  PID:5636
- C:\Windows\System\kNrBfXe.exe
  C:\Windows\System\kNrBfXe.exe
  2⤵
  PID:5672
- C:\Windows\System\OJzszWl.exe
  C:\Windows\System\OJzszWl.exe
  2⤵
  PID:5700
- C:\Windows\System\MgWmKXz.exe
  C:\Windows\System\MgWmKXz.exe
  2⤵
  PID:5728
- C:\Windows\System\DqXKFFo.exe
  C:\Windows\System\DqXKFFo.exe
  2⤵
  PID:5756
- C:\Windows\System\CZHFKlz.exe
  C:\Windows\System\CZHFKlz.exe
  2⤵
  PID:5784
- C:\Windows\System\tnpfyBg.exe
  C:\Windows\System\tnpfyBg.exe
  2⤵
  PID:5812
- C:\Windows\System\wFZVkPR.exe
  C:\Windows\System\wFZVkPR.exe
  2⤵
  PID:5836
- C:\Windows\System\cgmBbeb.exe
  C:\Windows\System\cgmBbeb.exe
  2⤵
  PID:5872
- C:\Windows\System\uQVTBcm.exe
  C:\Windows\System\uQVTBcm.exe
  2⤵
  PID:5892
- C:\Windows\System\qrsQeSz.exe
  C:\Windows\System\qrsQeSz.exe
  2⤵
  PID:5924
- C:\Windows\System\hvyZVFY.exe
  C:\Windows\System\hvyZVFY.exe
  2⤵
  PID:5956
- C:\Windows\System\eJGHiov.exe
  C:\Windows\System\eJGHiov.exe
  2⤵
  PID:5984
- C:\Windows\System\ssmUYGv.exe
  C:\Windows\System\ssmUYGv.exe
  2⤵
  PID:6004
- C:\Windows\System\YwUyVef.exe
  C:\Windows\System\YwUyVef.exe
  2⤵
  PID:6044
- C:\Windows\System\GrDyilF.exe
  C:\Windows\System\GrDyilF.exe
  2⤵
  PID:6072
- C:\Windows\System\jkKBzDK.exe
  C:\Windows\System\jkKBzDK.exe
  2⤵
  PID:6088
- C:\Windows\System\SGcXCFm.exe
  C:\Windows\System\SGcXCFm.exe
  2⤵
  PID:6124
- C:\Windows\System\TodERzN.exe
  C:\Windows\System\TodERzN.exe
  2⤵
  PID:2636
- C:\Windows\System\LYpIrzs.exe
  C:\Windows\System\LYpIrzs.exe
  2⤵
  PID:5260
- C:\Windows\System\crjOQdf.exe
  C:\Windows\System\crjOQdf.exe
  2⤵
  PID:5356
- C:\Windows\System\vUgkwui.exe
  C:\Windows\System\vUgkwui.exe
  2⤵
  PID:5452
- C:\Windows\System\rpLUSNU.exe
  C:\Windows\System\rpLUSNU.exe
  2⤵
  PID:5540
- C:\Windows\System\xEDmVfJ.exe
  C:\Windows\System\xEDmVfJ.exe
  2⤵
  PID:5596
- C:\Windows\System\NlGaIrX.exe
  C:\Windows\System\NlGaIrX.exe
  2⤵
  PID:5680
- C:\Windows\System\lQLlpgt.exe
  C:\Windows\System\lQLlpgt.exe
  2⤵
  PID:5716
- C:\Windows\System\LCfSorl.exe
  C:\Windows\System\LCfSorl.exe
  2⤵
  PID:5768
- C:\Windows\System\DiKNXCj.exe
  C:\Windows\System\DiKNXCj.exe
  2⤵
  PID:5844
- C:\Windows\System\UvBdIQK.exe
  C:\Windows\System\UvBdIQK.exe
  2⤵
  PID:5904
- C:\Windows\System\fRaiOwr.exe
  C:\Windows\System\fRaiOwr.exe
  2⤵
  PID:5992
- C:\Windows\System\LGcxoJn.exe
  C:\Windows\System\LGcxoJn.exe
  2⤵
  PID:6052
- C:\Windows\System\ysstjTx.exe
  C:\Windows\System\ysstjTx.exe
  2⤵
  PID:6100
- C:\Windows\System\QbuDXvU.exe
  C:\Windows\System\QbuDXvU.exe
  2⤵
  PID:5196
- C:\Windows\System\QpaYPOF.exe
  C:\Windows\System\QpaYPOF.exe
  2⤵
  PID:4108
- C:\Windows\System\fDRxnzf.exe
  C:\Windows\System\fDRxnzf.exe
  2⤵
  PID:5628
- C:\Windows\System\ODgacSC.exe
  C:\Windows\System\ODgacSC.exe
  2⤵
  PID:5740
- C:\Windows\System\ycJqrKJ.exe
  C:\Windows\System\ycJqrKJ.exe
  2⤵
  PID:5860
- C:\Windows\System\QWbkokq.exe
  C:\Windows\System\QWbkokq.exe
  2⤵
  PID:2736
- C:\Windows\System\cClRqlh.exe
  C:\Windows\System\cClRqlh.exe
  2⤵
  PID:1628
- C:\Windows\System\zUDdNuX.exe
  C:\Windows\System\zUDdNuX.exe
  2⤵
  PID:2288
- C:\Windows\System\OpnSDfi.exe
  C:\Windows\System\OpnSDfi.exe
  2⤵
  PID:4420
- C:\Windows\System\pVyYpfi.exe
  C:\Windows\System\pVyYpfi.exe
  2⤵
  PID:2164
- C:\Windows\System\IYnCZdv.exe
  C:\Windows\System\IYnCZdv.exe
  2⤵
  PID:4872
- C:\Windows\System\QlBFjNP.exe
  C:\Windows\System\QlBFjNP.exe
  2⤵
  PID:5944
- C:\Windows\System\cexdXNt.exe
  C:\Windows\System\cexdXNt.exe
  2⤵
  PID:3600
- C:\Windows\System\UeFLhre.exe
  C:\Windows\System\UeFLhre.exe
  2⤵
  PID:1908
- C:\Windows\System\QgBCMdU.exe
  C:\Windows\System\QgBCMdU.exe
  2⤵
  PID:5804
- C:\Windows\System\NNxQger.exe
  C:\Windows\System\NNxQger.exe
  2⤵
  PID:4020
- C:\Windows\System\FDzqpIo.exe
  C:\Windows\System\FDzqpIo.exe
  2⤵
  PID:4700
- C:\Windows\System\dJLgRMs.exe
  C:\Windows\System\dJLgRMs.exe
  2⤵
  PID:4904
- C:\Windows\System\yTRKwAk.exe
  C:\Windows\System\yTRKwAk.exe
  2⤵
  PID:4444
- C:\Windows\System\aMGYiyY.exe
  C:\Windows\System\aMGYiyY.exe
  2⤵
  PID:6184
- C:\Windows\System\euZcxmM.exe
  C:\Windows\System\euZcxmM.exe
  2⤵
  PID:6208
- C:\Windows\System\JscIaNG.exe
  C:\Windows\System\JscIaNG.exe
  2⤵
  PID:6244
- C:\Windows\System\ojikErv.exe
  C:\Windows\System\ojikErv.exe
  2⤵
  PID:6272
- C:\Windows\System\cDgALhd.exe
  C:\Windows\System\cDgALhd.exe
  2⤵
  PID:6300
- C:\Windows\System\vREiITq.exe
  C:\Windows\System\vREiITq.exe
  2⤵
  PID:6324
- C:\Windows\System\CfXHcPT.exe
  C:\Windows\System\CfXHcPT.exe
  2⤵
  PID:6356
- C:\Windows\System\zhPgFAE.exe
  C:\Windows\System\zhPgFAE.exe
  2⤵
  PID:6380
- C:\Windows\System\OWzZIaS.exe
  C:\Windows\System\OWzZIaS.exe
  2⤵
  PID:6420
- C:\Windows\System\LXVZXCD.exe
  C:\Windows\System\LXVZXCD.exe
  2⤵
  PID:6444
- C:\Windows\System\YHmtYAp.exe
  C:\Windows\System\YHmtYAp.exe
  2⤵
  PID:6476
- C:\Windows\System\ClpvGRn.exe
  C:\Windows\System\ClpvGRn.exe
  2⤵
  PID:6500
- C:\Windows\System\OJqDOnq.exe
  C:\Windows\System\OJqDOnq.exe
  2⤵
  PID:6520
- C:\Windows\System\rspATWK.exe
  C:\Windows\System\rspATWK.exe
  2⤵
  PID:6560
- C:\Windows\System\mbNfnqE.exe
  C:\Windows\System\mbNfnqE.exe
  2⤵
  PID:6588
- C:\Windows\System\rqOgFLh.exe
  C:\Windows\System\rqOgFLh.exe
  2⤵
  PID:6612
- C:\Windows\System\boFdetw.exe
  C:\Windows\System\boFdetw.exe
  2⤵
  PID:6644
- C:\Windows\System\IZvEFxx.exe
  C:\Windows\System\IZvEFxx.exe
  2⤵
  PID:6672
- C:\Windows\System\xRuFmGX.exe
  C:\Windows\System\xRuFmGX.exe
  2⤵
  PID:6700
- C:\Windows\System\OqyqVop.exe
  C:\Windows\System\OqyqVop.exe
  2⤵
  PID:6732
- C:\Windows\System\TcdIQhO.exe
  C:\Windows\System\TcdIQhO.exe
  2⤵
  PID:6760
- C:\Windows\System\dBkadrG.exe
  C:\Windows\System\dBkadrG.exe
  2⤵
  PID:6792
- C:\Windows\System\MkBBEHh.exe
  C:\Windows\System\MkBBEHh.exe
  2⤵
  PID:6824
- C:\Windows\System\NAXiLKi.exe
  C:\Windows\System\NAXiLKi.exe
  2⤵
  PID:6840
- C:\Windows\System\jPoilHm.exe
  C:\Windows\System\jPoilHm.exe
  2⤵
  PID:6876
- C:\Windows\System\mpPWthi.exe
  C:\Windows\System\mpPWthi.exe
  2⤵
  PID:6912
- C:\Windows\System\eOCCsUG.exe
  C:\Windows\System\eOCCsUG.exe
  2⤵
  PID:6936
- C:\Windows\System\tkWsRmT.exe
  C:\Windows\System\tkWsRmT.exe
  2⤵
  PID:6960
- C:\Windows\System\qNjbRVj.exe
  C:\Windows\System\qNjbRVj.exe
  2⤵
  PID:6992
- C:\Windows\System\iPaCLxZ.exe
  C:\Windows\System\iPaCLxZ.exe
  2⤵
  PID:7020
- C:\Windows\System\PBMxihw.exe
  C:\Windows\System\PBMxihw.exe
  2⤵
  PID:7052
- C:\Windows\System\bgxRuSo.exe
  C:\Windows\System\bgxRuSo.exe
  2⤵
  PID:7080
- C:\Windows\System\SLQdTyd.exe
  C:\Windows\System\SLQdTyd.exe
  2⤵
  PID:7116
- C:\Windows\System\yPkztVM.exe
  C:\Windows\System\yPkztVM.exe
  2⤵
  PID:6228
- C:\Windows\System\oKMIGsD.exe
  C:\Windows\System\oKMIGsD.exe
  2⤵
  PID:6336
- C:\Windows\System\psZZXLy.exe
  C:\Windows\System\psZZXLy.exe
  2⤵
  PID:6432
- C:\Windows\System\CVAqcNA.exe
  C:\Windows\System\CVAqcNA.exe
  2⤵
  PID:6488
- C:\Windows\System\ZTFmBjc.exe
  C:\Windows\System\ZTFmBjc.exe
  2⤵
  PID:6596
- C:\Windows\System\IZpTMBG.exe
  C:\Windows\System\IZpTMBG.exe
  2⤵
  PID:6652
- C:\Windows\System\AhrlkAV.exe
  C:\Windows\System\AhrlkAV.exe
  2⤵
  PID:6740
- C:\Windows\System\IONsRqf.exe
  C:\Windows\System\IONsRqf.exe
  2⤵
  PID:6788
- C:\Windows\System\xyfEBmv.exe
  C:\Windows\System\xyfEBmv.exe
  2⤵
  PID:6852
- C:\Windows\System\qNeebWH.exe
  C:\Windows\System\qNeebWH.exe
  2⤵
  PID:6896
- C:\Windows\System\lRlQNNH.exe
  C:\Windows\System\lRlQNNH.exe
  2⤵
  PID:6980
- C:\Windows\System\miqkxZW.exe
  C:\Windows\System\miqkxZW.exe
  2⤵
  PID:7048
- C:\Windows\System\yUInkqp.exe
  C:\Windows\System\yUInkqp.exe
  2⤵
  PID:7112
- C:\Windows\System\cEHgpgM.exe
  C:\Windows\System\cEHgpgM.exe
  2⤵
  PID:6368
- C:\Windows\System\wFauHNC.exe
  C:\Windows\System\wFauHNC.exe
  2⤵
  PID:6464
- C:\Windows\System\sfwFzUJ.exe
  C:\Windows\System\sfwFzUJ.exe
  2⤵
  PID:6684
- C:\Windows\System\XHINfnV.exe
  C:\Windows\System\XHINfnV.exe
  2⤵
  PID:6816
- C:\Windows\System\lQnDbFL.exe
  C:\Windows\System\lQnDbFL.exe
  2⤵
  PID:7004
- C:\Windows\System\NStTGqa.exe
  C:\Windows\System\NStTGqa.exe
  2⤵
  PID:7104
- C:\Windows\System\DiQjBYF.exe
  C:\Windows\System\DiQjBYF.exe
  2⤵
  PID:3916
- C:\Windows\System\tKWwtwT.exe
  C:\Windows\System\tKWwtwT.exe
  2⤵
  PID:6888
- C:\Windows\System\VZoGEiE.exe
  C:\Windows\System\VZoGEiE.exe
  2⤵
  PID:6456
- C:\Windows\System\pvKIhFn.exe
  C:\Windows\System\pvKIhFn.exe
  2⤵
  PID:3468
- C:\Windows\System\nLrsEty.exe
  C:\Windows\System\nLrsEty.exe
  2⤵
  PID:6752
- C:\Windows\System\hhJawxl.exe
  C:\Windows\System\hhJawxl.exe
  2⤵
  PID:7192
- C:\Windows\System\KcDJpDY.exe
  C:\Windows\System\KcDJpDY.exe
  2⤵
  PID:7216
- C:\Windows\System\sHUUApy.exe
  C:\Windows\System\sHUUApy.exe
  2⤵
  PID:7248
- C:\Windows\System\qEDvwMh.exe
  C:\Windows\System\qEDvwMh.exe
  2⤵
  PID:7276
- C:\Windows\System\RoecshD.exe
  C:\Windows\System\RoecshD.exe
  2⤵
  PID:7304
- C:\Windows\System\kejEbOm.exe
  C:\Windows\System\kejEbOm.exe
  2⤵
  PID:7332
- C:\Windows\System\WkAZPEN.exe
  C:\Windows\System\WkAZPEN.exe
  2⤵
  PID:7360
- C:\Windows\System\suCRCtH.exe
  C:\Windows\System\suCRCtH.exe
  2⤵
  PID:7392
- C:\Windows\System\ArcrjoV.exe
  C:\Windows\System\ArcrjoV.exe
  2⤵
  PID:7416
- C:\Windows\System\gdEjvmJ.exe
  C:\Windows\System\gdEjvmJ.exe
  2⤵
  PID:7452
- C:\Windows\System\WLLgvHt.exe
  C:\Windows\System\WLLgvHt.exe
  2⤵
  PID:7468
- C:\Windows\System\LfaWlsV.exe
  C:\Windows\System\LfaWlsV.exe
  2⤵
  PID:7496
- C:\Windows\System\litGNgd.exe
  C:\Windows\System\litGNgd.exe
  2⤵
  PID:7524
- C:\Windows\System\YwnQyBj.exe
  C:\Windows\System\YwnQyBj.exe
  2⤵
  PID:7552
- C:\Windows\System\WrXyccG.exe
  C:\Windows\System\WrXyccG.exe
  2⤵
  PID:7580
- C:\Windows\System\jTlCcsj.exe
  C:\Windows\System\jTlCcsj.exe
  2⤵
  PID:7616
- C:\Windows\System\CwTjeLZ.exe
  C:\Windows\System\CwTjeLZ.exe
  2⤵
  PID:7636
- C:\Windows\System\bThmqDU.exe
  C:\Windows\System\bThmqDU.exe
  2⤵
  PID:7664
- C:\Windows\System\PbcOPiZ.exe
  C:\Windows\System\PbcOPiZ.exe
  2⤵
  PID:7692
- C:\Windows\System\pvWHham.exe
  C:\Windows\System\pvWHham.exe
  2⤵
  PID:7720
- C:\Windows\System\WLjLtLA.exe
  C:\Windows\System\WLjLtLA.exe
  2⤵
  PID:7748
- C:\Windows\System\egaCPTE.exe
  C:\Windows\System\egaCPTE.exe
  2⤵
  PID:7776
- C:\Windows\System\sgBSJKT.exe
  C:\Windows\System\sgBSJKT.exe
  2⤵
  PID:7804
- C:\Windows\System\gTSdhsN.exe
  C:\Windows\System\gTSdhsN.exe
  2⤵
  PID:7832
- C:\Windows\System\aJAwaYp.exe
  C:\Windows\System\aJAwaYp.exe
  2⤵
  PID:7860
- C:\Windows\System\oqhfDOR.exe
  C:\Windows\System\oqhfDOR.exe
  2⤵
  PID:7888
- C:\Windows\System\UguqPIm.exe
  C:\Windows\System\UguqPIm.exe
  2⤵
  PID:7916
- C:\Windows\System\BNaBbad.exe
  C:\Windows\System\BNaBbad.exe
  2⤵
  PID:7944
- C:\Windows\System\LeJPjBZ.exe
  C:\Windows\System\LeJPjBZ.exe
  2⤵
  PID:7972
- C:\Windows\System\vAdcTKp.exe
  C:\Windows\System\vAdcTKp.exe
  2⤵
  PID:8000
- C:\Windows\System\AiXnSJS.exe
  C:\Windows\System\AiXnSJS.exe
  2⤵
  PID:8028
- C:\Windows\System\kSlnQRq.exe
  C:\Windows\System\kSlnQRq.exe
  2⤵
  PID:8056
- C:\Windows\System\VrkiMBQ.exe
  C:\Windows\System\VrkiMBQ.exe
  2⤵
  PID:8096
- C:\Windows\System\IlKRFGL.exe
  C:\Windows\System\IlKRFGL.exe
  2⤵
  PID:8120
- C:\Windows\System\IvWypGr.exe
  C:\Windows\System\IvWypGr.exe
  2⤵
  PID:8164
- C:\Windows\System\PcHzFUY.exe
  C:\Windows\System\PcHzFUY.exe
  2⤵
  PID:7180
- C:\Windows\System\GeweDxw.exe
  C:\Windows\System\GeweDxw.exe
  2⤵
  PID:7256
- C:\Windows\System\TwoveHv.exe
  C:\Windows\System\TwoveHv.exe
  2⤵
  PID:7312
- C:\Windows\System\vpHBGPx.exe
  C:\Windows\System\vpHBGPx.exe
  2⤵
  PID:7344
- C:\Windows\System\XJZaXzb.exe
  C:\Windows\System\XJZaXzb.exe
  2⤵
  PID:7388
- C:\Windows\System\kVZXQUI.exe
  C:\Windows\System\kVZXQUI.exe
  2⤵
  PID:7480
- C:\Windows\System\AdFeitn.exe
  C:\Windows\System\AdFeitn.exe
  2⤵
  PID:7544
- C:\Windows\System\IBSzXJI.exe
  C:\Windows\System\IBSzXJI.exe
  2⤵
  PID:7632
- C:\Windows\System\qEWAFPA.exe
  C:\Windows\System\qEWAFPA.exe
  2⤵
  PID:7688
- C:\Windows\System\ZEobhUd.exe
  C:\Windows\System\ZEobhUd.exe
  2⤵
  PID:7732
- C:\Windows\System\uyqMGIt.exe
  C:\Windows\System\uyqMGIt.exe
  2⤵
  PID:7772
- C:\Windows\System\tVvTtPn.exe
  C:\Windows\System\tVvTtPn.exe
  2⤵
  PID:7884
- C:\Windows\System\SBPjWmU.exe
  C:\Windows\System\SBPjWmU.exe
  2⤵
  PID:7964
- C:\Windows\System\neNtbyO.exe
  C:\Windows\System\neNtbyO.exe
  2⤵
  PID:264
- C:\Windows\System\gRrNdEB.exe
  C:\Windows\System\gRrNdEB.exe
  2⤵
  PID:2436
- C:\Windows\System\MzaDtHT.exe
  C:\Windows\System\MzaDtHT.exe
  2⤵
  PID:8156
- C:\Windows\System\NJFlheV.exe
  C:\Windows\System\NJFlheV.exe
  2⤵
  PID:7208
- C:\Windows\System\SBtXIiw.exe
  C:\Windows\System\SBtXIiw.exe
  2⤵
  PID:7372
- C:\Windows\System\wqwIeEY.exe
  C:\Windows\System\wqwIeEY.exe
  2⤵
  PID:7520
- C:\Windows\System\wsfhXOA.exe
  C:\Windows\System\wsfhXOA.exe
  2⤵
  PID:7624
- C:\Windows\System\jxnlSUB.exe
  C:\Windows\System\jxnlSUB.exe
  2⤵
  PID:7740
- C:\Windows\System\cAQGKwg.exe
  C:\Windows\System\cAQGKwg.exe
  2⤵
  PID:7912
- C:\Windows\System\BQekfQL.exe
  C:\Windows\System\BQekfQL.exe
  2⤵
  PID:532
- C:\Windows\System\IqxYfVU.exe
  C:\Windows\System\IqxYfVU.exe
  2⤵
  PID:100
- C:\Windows\System\YxhPWMx.exe
  C:\Windows\System\YxhPWMx.exe
  2⤵
  PID:8024
- C:\Windows\System\jBYRbXM.exe
  C:\Windows\System\jBYRbXM.exe
  2⤵
  PID:8104
- C:\Windows\System\LFYdDGK.exe
  C:\Windows\System\LFYdDGK.exe
  2⤵
  PID:7340
- C:\Windows\System\WcKYXvp.exe
  C:\Windows\System\WcKYXvp.exe
  2⤵
  PID:5172
- C:\Windows\System\hoTfheW.exe
  C:\Windows\System\hoTfheW.exe
  2⤵
  PID:7992
- C:\Windows\System\GBWSKVU.exe
  C:\Windows\System\GBWSKVU.exe
  2⤵
  PID:8012
- C:\Windows\System\MsqNvqp.exe
  C:\Windows\System\MsqNvqp.exe
  2⤵
  PID:7268
- C:\Windows\System\yOqqYqs.exe
  C:\Windows\System\yOqqYqs.exe
  2⤵
  PID:3036
- C:\Windows\System\eMlDZlB.exe
  C:\Windows\System\eMlDZlB.exe
  2⤵
  PID:7592
- C:\Windows\System\OwwvZfz.exe
  C:\Windows\System\OwwvZfz.exe
  2⤵
  PID:7236
- C:\Windows\System\QOShMOl.exe
  C:\Windows\System\QOShMOl.exe
  2⤵
  PID:8220
- C:\Windows\System\Bmjdbva.exe
  C:\Windows\System\Bmjdbva.exe
  2⤵
  PID:8256
- C:\Windows\System\YnJFmmL.exe
  C:\Windows\System\YnJFmmL.exe
  2⤵
  PID:8292
- C:\Windows\System\eJcoDMd.exe
  C:\Windows\System\eJcoDMd.exe
  2⤵
  PID:8308
- C:\Windows\System\ePaFqDO.exe
  C:\Windows\System\ePaFqDO.exe
  2⤵
  PID:8336
- C:\Windows\System\fmffZUw.exe
  C:\Windows\System\fmffZUw.exe
  2⤵
  PID:8364
- C:\Windows\System\xExDJlP.exe
  C:\Windows\System\xExDJlP.exe
  2⤵
  PID:8392
- C:\Windows\System\pvBPORF.exe
  C:\Windows\System\pvBPORF.exe
  2⤵
  PID:8420
- C:\Windows\System\IwVSEdg.exe
  C:\Windows\System\IwVSEdg.exe
  2⤵
  PID:8448
- C:\Windows\System\hZkbEDt.exe
  C:\Windows\System\hZkbEDt.exe
  2⤵
  PID:8476
- C:\Windows\System\aMDDjQb.exe
  C:\Windows\System\aMDDjQb.exe
  2⤵
  PID:8504
- C:\Windows\System\CrxYbbK.exe
  C:\Windows\System\CrxYbbK.exe
  2⤵
  PID:8532
- C:\Windows\System\VcQKZqe.exe
  C:\Windows\System\VcQKZqe.exe
  2⤵
  PID:8560
- C:\Windows\System\BQKRvoQ.exe
  C:\Windows\System\BQKRvoQ.exe
  2⤵
  PID:8588
- C:\Windows\System\kWvlBZw.exe
  C:\Windows\System\kWvlBZw.exe
  2⤵
  PID:8620
- C:\Windows\System\StnhPyf.exe
  C:\Windows\System\StnhPyf.exe
  2⤵
  PID:8644
- C:\Windows\System\zrBoOyk.exe
  C:\Windows\System\zrBoOyk.exe
  2⤵
  PID:8672
- C:\Windows\System\QjZOqBs.exe
  C:\Windows\System\QjZOqBs.exe
  2⤵
  PID:8700
- C:\Windows\System\axuBfgP.exe
  C:\Windows\System\axuBfgP.exe
  2⤵
  PID:8728
- C:\Windows\System\ibaepDX.exe
  C:\Windows\System\ibaepDX.exe
  2⤵
  PID:8756
- C:\Windows\System\CkKyCVm.exe
  C:\Windows\System\CkKyCVm.exe
  2⤵
  PID:8784
- C:\Windows\System\rQJOVZE.exe
  C:\Windows\System\rQJOVZE.exe
  2⤵
  PID:8820
- C:\Windows\System\szQtnCz.exe
  C:\Windows\System\szQtnCz.exe
  2⤵
  PID:8840
- C:\Windows\System\nNARwUp.exe
  C:\Windows\System\nNARwUp.exe
  2⤵
  PID:8868
- C:\Windows\System\HLvquXe.exe
  C:\Windows\System\HLvquXe.exe
  2⤵
  PID:8896
- C:\Windows\System\Xhvirfm.exe
  C:\Windows\System\Xhvirfm.exe
  2⤵
  PID:8924
- C:\Windows\System\SAdwLFm.exe
  C:\Windows\System\SAdwLFm.exe
  2⤵
  PID:8952
- C:\Windows\System\wdBhCkk.exe
  C:\Windows\System\wdBhCkk.exe
  2⤵
  PID:8980
- C:\Windows\System\dmjKHTg.exe
  C:\Windows\System\dmjKHTg.exe
  2⤵
  PID:9008
- C:\Windows\System\lVJUQML.exe
  C:\Windows\System\lVJUQML.exe
  2⤵
  PID:9036
- C:\Windows\System\PdMIPar.exe
  C:\Windows\System\PdMIPar.exe
  2⤵
  PID:9064
- C:\Windows\System\YDBfjRQ.exe
  C:\Windows\System\YDBfjRQ.exe
  2⤵
  PID:9092
- C:\Windows\System\MVitCFO.exe
  C:\Windows\System\MVitCFO.exe
  2⤵
  PID:9120
- C:\Windows\System\SkZSjwc.exe
  C:\Windows\System\SkZSjwc.exe
  2⤵
  PID:9148
- C:\Windows\System\OutPzMp.exe
  C:\Windows\System\OutPzMp.exe
  2⤵
  PID:9176
- C:\Windows\System\iDzRpuv.exe
  C:\Windows\System\iDzRpuv.exe
  2⤵
  PID:9204
- C:\Windows\System\MamLbhG.exe
  C:\Windows\System\MamLbhG.exe
  2⤵
  PID:8216
- C:\Windows\System\lSZFblb.exe
  C:\Windows\System\lSZFblb.exe
  2⤵
  PID:8272
- C:\Windows\System\uoVgcgo.exe
  C:\Windows\System\uoVgcgo.exe
  2⤵
  PID:8356
- C:\Windows\System\YsFbyvb.exe
  C:\Windows\System\YsFbyvb.exe
  2⤵
  PID:8416
- C:\Windows\System\tBNefog.exe
  C:\Windows\System\tBNefog.exe
  2⤵
  PID:8488
- C:\Windows\System\yjBaAaA.exe
  C:\Windows\System\yjBaAaA.exe
  2⤵
  PID:8552
- C:\Windows\System\ZjcqnoF.exe
  C:\Windows\System\ZjcqnoF.exe
  2⤵
  PID:8612
- C:\Windows\System\XzQkLWY.exe
  C:\Windows\System\XzQkLWY.exe
  2⤵
  PID:8668
- C:\Windows\System\qXIORoW.exe
  C:\Windows\System\qXIORoW.exe
  2⤵
  PID:8724
- C:\Windows\System\xwQGBiI.exe
  C:\Windows\System\xwQGBiI.exe
  2⤵
  PID:8780
- C:\Windows\System\IUowmaP.exe
  C:\Windows\System\IUowmaP.exe
  2⤵
  PID:8832
- C:\Windows\System\LUxAXnH.exe
  C:\Windows\System\LUxAXnH.exe
  2⤵
  PID:8892
- C:\Windows\System\jHiZfxg.exe
  C:\Windows\System\jHiZfxg.exe
  2⤵
  PID:8964
- C:\Windows\System\MDtieDg.exe
  C:\Windows\System\MDtieDg.exe
  2⤵
  PID:9028
- C:\Windows\System\EDgtxJp.exe
  C:\Windows\System\EDgtxJp.exe
  2⤵
  PID:9088
- C:\Windows\System\dmoFpAm.exe
  C:\Windows\System\dmoFpAm.exe
  2⤵
  PID:9160
- C:\Windows\System\BkXXdXN.exe
  C:\Windows\System\BkXXdXN.exe
  2⤵
  PID:5108
- C:\Windows\System\EQPaOBC.exe
  C:\Windows\System\EQPaOBC.exe
  2⤵
  PID:3624
- C:\Windows\System\IhXmlcF.exe
  C:\Windows\System\IhXmlcF.exe
  2⤵
  PID:8528
- C:\Windows\System\ZElaIDD.exe
  C:\Windows\System\ZElaIDD.exe
  2⤵
  PID:8608
- C:\Windows\System\CfIkdLK.exe
  C:\Windows\System\CfIkdLK.exe
  2⤵
  PID:5336
- C:\Windows\System\HyKKiQG.exe
  C:\Windows\System\HyKKiQG.exe
  2⤵
  PID:8880
- C:\Windows\System\knDCqQW.exe
  C:\Windows\System\knDCqQW.exe
  2⤵
  PID:9004
- C:\Windows\System\jykfLsW.exe
  C:\Windows\System\jykfLsW.exe
  2⤵
  PID:9144
- C:\Windows\System\xlJTOUc.exe
  C:\Windows\System\xlJTOUc.exe
  2⤵
  PID:8384
- C:\Windows\System\JDuQnUX.exe
  C:\Windows\System\JDuQnUX.exe
  2⤵
  PID:8580
- C:\Windows\System\qNBmgNX.exe
  C:\Windows\System\qNBmgNX.exe
  2⤵
  PID:8828
- C:\Windows\System\tnguvGH.exe
  C:\Windows\System\tnguvGH.exe
  2⤵
  PID:9140
- C:\Windows\System\atrlarF.exe
  C:\Windows\System\atrlarF.exe
  2⤵
  PID:8720
- C:\Windows\System\odEEdhd.exe
  C:\Windows\System\odEEdhd.exe
  2⤵
  PID:8444
- C:\Windows\System\VwOCmws.exe
  C:\Windows\System\VwOCmws.exe
  2⤵
  PID:9220
- C:\Windows\System\bQwGYoH.exe
  C:\Windows\System\bQwGYoH.exe
  2⤵
  PID:9248
- C:\Windows\System\YuvMCuK.exe
  C:\Windows\System\YuvMCuK.exe
  2⤵
  PID:9276
- C:\Windows\System\wtyvPaz.exe
  C:\Windows\System\wtyvPaz.exe
  2⤵
  PID:9304
- C:\Windows\System\LrUqiKg.exe
  C:\Windows\System\LrUqiKg.exe
  2⤵
  PID:9332
- C:\Windows\System\WrbPiAB.exe
  C:\Windows\System\WrbPiAB.exe
  2⤵
  PID:9360
- C:\Windows\System\ObGYdJJ.exe
  C:\Windows\System\ObGYdJJ.exe
  2⤵
  PID:9388
- C:\Windows\System\IReNKZg.exe
  C:\Windows\System\IReNKZg.exe
  2⤵
  PID:9416
- C:\Windows\System\SbygWYt.exe
  C:\Windows\System\SbygWYt.exe
  2⤵
  PID:9444
- C:\Windows\System\EGwSyLl.exe
  C:\Windows\System\EGwSyLl.exe
  2⤵
  PID:9472
- C:\Windows\System\DqvMqdm.exe
  C:\Windows\System\DqvMqdm.exe
  2⤵
  PID:9532
- C:\Windows\System\UZuoXAr.exe
  C:\Windows\System\UZuoXAr.exe
  2⤵
  PID:9560
- C:\Windows\System\TngJzmK.exe
  C:\Windows\System\TngJzmK.exe
  2⤵
  PID:9588
- C:\Windows\System\wSewclS.exe
  C:\Windows\System\wSewclS.exe
  2⤵
  PID:9624
- C:\Windows\System\DCXWpFh.exe
  C:\Windows\System\DCXWpFh.exe
  2⤵
  PID:9664
- C:\Windows\System\AolkdDI.exe
  C:\Windows\System\AolkdDI.exe
  2⤵
  PID:9696
- C:\Windows\System\yjFNeJm.exe
  C:\Windows\System\yjFNeJm.exe
  2⤵
  PID:9724
- C:\Windows\System\zNxPyUA.exe
  C:\Windows\System\zNxPyUA.exe
  2⤵
  PID:9752
- C:\Windows\System\XcLIDni.exe
  C:\Windows\System\XcLIDni.exe
  2⤵
  PID:9784
- C:\Windows\System\cRyCbrW.exe
  C:\Windows\System\cRyCbrW.exe
  2⤵
  PID:9812
- C:\Windows\System\RJWOBmv.exe
  C:\Windows\System\RJWOBmv.exe
  2⤵
  PID:9840
- C:\Windows\System\hfmyBkl.exe
  C:\Windows\System\hfmyBkl.exe
  2⤵
  PID:9868
- C:\Windows\System\xJXpkoM.exe
  C:\Windows\System\xJXpkoM.exe
  2⤵
  PID:9896
- C:\Windows\System\aRUvBoI.exe
  C:\Windows\System\aRUvBoI.exe
  2⤵
  PID:9924
- C:\Windows\System\aVImCBa.exe
  C:\Windows\System\aVImCBa.exe
  2⤵
  PID:9964
- C:\Windows\System\DRwGtmf.exe
  C:\Windows\System\DRwGtmf.exe
  2⤵
  PID:9984
- C:\Windows\System\OrlFnLe.exe
  C:\Windows\System\OrlFnLe.exe
  2⤵
  PID:10012
- C:\Windows\System\TiXDXzl.exe
  C:\Windows\System\TiXDXzl.exe
  2⤵
  PID:10044
- C:\Windows\System\GrukDwR.exe
  C:\Windows\System\GrukDwR.exe
  2⤵
  PID:10072
- C:\Windows\System\IkpsizM.exe
  C:\Windows\System\IkpsizM.exe
  2⤵
  PID:10104
- C:\Windows\System\KqzkJFC.exe
  C:\Windows\System\KqzkJFC.exe
  2⤵
  PID:10128
- C:\Windows\System\YkzqpAH.exe
  C:\Windows\System\YkzqpAH.exe
  2⤵
  PID:10156
- C:\Windows\System\CyvwSPk.exe
  C:\Windows\System\CyvwSPk.exe
  2⤵
  PID:10184
- C:\Windows\System\vrKpfXl.exe
  C:\Windows\System\vrKpfXl.exe
  2⤵
  PID:10212
- C:\Windows\System\EfoZCAP.exe
  C:\Windows\System\EfoZCAP.exe
  2⤵
  PID:9116
- C:\Windows\System\MujDHNb.exe
  C:\Windows\System\MujDHNb.exe
  2⤵
  PID:9288
- C:\Windows\System\mlRKUdG.exe
  C:\Windows\System\mlRKUdG.exe
  2⤵
  PID:9352
- C:\Windows\System\ADVfyKy.exe
  C:\Windows\System\ADVfyKy.exe
  2⤵
  PID:9412
- C:\Windows\System\twMowRP.exe
  C:\Windows\System\twMowRP.exe
  2⤵
  PID:9468
- C:\Windows\System\KJfoZUk.exe
  C:\Windows\System\KJfoZUk.exe
  2⤵
  PID:2380
- C:\Windows\System\mETxHfj.exe
  C:\Windows\System\mETxHfj.exe
  2⤵
  PID:9572
- C:\Windows\System\YVzBYhF.exe
  C:\Windows\System\YVzBYhF.exe
  2⤵
  PID:9656
- C:\Windows\System\smqBfwZ.exe
  C:\Windows\System\smqBfwZ.exe
  2⤵
  PID:9720
- C:\Windows\System\HEuOFCB.exe
  C:\Windows\System\HEuOFCB.exe
  2⤵
  PID:9796
- C:\Windows\System\ehsNpdw.exe
  C:\Windows\System\ehsNpdw.exe
  2⤵
  PID:9836
- C:\Windows\System\WWjNGpa.exe
  C:\Windows\System\WWjNGpa.exe
  2⤵
  PID:9864
- C:\Windows\System\TwYlIid.exe
  C:\Windows\System\TwYlIid.exe
  2⤵
  PID:4940
- C:\Windows\System\LskpueD.exe
  C:\Windows\System\LskpueD.exe
  2⤵
  PID:9980
- C:\Windows\System\zYhZvCy.exe
  C:\Windows\System\zYhZvCy.exe
  2⤵
  PID:10084
- C:\Windows\System\FVZzjLG.exe
  C:\Windows\System\FVZzjLG.exe
  2⤵
  PID:10124
- C:\Windows\System\BGQswBC.exe
  C:\Windows\System\BGQswBC.exe
  2⤵
  PID:10196
- C:\Windows\System\CmrAyVh.exe
  C:\Windows\System\CmrAyVh.exe
  2⤵
  PID:10236
- C:\Windows\System\AHyuiTu.exe
  C:\Windows\System\AHyuiTu.exe
  2⤵
  PID:3904
- C:\Windows\System\qiUQJUt.exe
  C:\Windows\System\qiUQJUt.exe
  2⤵
  PID:9524
- C:\Windows\System\TItfveR.exe
  C:\Windows\System\TItfveR.exe
  2⤵
  PID:9636
- C:\Windows\System\bgrKHZx.exe
  C:\Windows\System\bgrKHZx.exe
  2⤵
  PID:9808
- C:\Windows\System\QyoSDLj.exe
  C:\Windows\System\QyoSDLj.exe
  2⤵
  PID:5024
- C:\Windows\System\kBLLtJq.exe
  C:\Windows\System\kBLLtJq.exe
  2⤵
  PID:10036
- C:\Windows\System\RzhMXGK.exe
  C:\Windows\System\RzhMXGK.exe
  2⤵
  PID:10176
- C:\Windows\System\iUpPpLH.exe
  C:\Windows\System\iUpPpLH.exe
  2⤵
  PID:9328
- C:\Windows\System\VrRSAwt.exe
  C:\Windows\System\VrRSAwt.exe
  2⤵
  PID:4768
- C:\Windows\System\FlXoYrX.exe
  C:\Windows\System\FlXoYrX.exe
  2⤵
  PID:9860
- C:\Windows\System\dLPmCFJ.exe
  C:\Windows\System\dLPmCFJ.exe
  2⤵
  PID:10112
- C:\Windows\System\KlBAYzK.exe
  C:\Windows\System\KlBAYzK.exe
  2⤵
  PID:9464
- C:\Windows\System\EDZUhnF.exe
  C:\Windows\System\EDZUhnF.exe
  2⤵
  PID:3372
- C:\Windows\System\ZghjrPE.exe
  C:\Windows\System\ZghjrPE.exe
  2⤵
  PID:9780
- C:\Windows\System\xeGawdh.exe
  C:\Windows\System\xeGawdh.exe
  2⤵
  PID:9716
- C:\Windows\System\gGzfMZT.exe
  C:\Windows\System\gGzfMZT.exe
  2⤵
  PID:1892
- C:\Windows\System\Begchlj.exe
  C:\Windows\System\Begchlj.exe
  2⤵
  PID:10256
- C:\Windows\System\JVEAqJW.exe
  C:\Windows\System\JVEAqJW.exe
  2⤵
  PID:10284
- C:\Windows\System\StGhCKT.exe
  C:\Windows\System\StGhCKT.exe
  2⤵
  PID:10312
- C:\Windows\System\eegqNPh.exe
  C:\Windows\System\eegqNPh.exe
  2⤵
  PID:10340
- C:\Windows\System\oyJOoVr.exe
  C:\Windows\System\oyJOoVr.exe
  2⤵
  PID:10368
- C:\Windows\System\KvAyGNT.exe
  C:\Windows\System\KvAyGNT.exe
  2⤵
  PID:10396
- C:\Windows\System\xivMQmI.exe
  C:\Windows\System\xivMQmI.exe
  2⤵
  PID:10424
- C:\Windows\System\KJJXzku.exe
  C:\Windows\System\KJJXzku.exe
  2⤵
  PID:10452
- C:\Windows\System\VAnknLW.exe
  C:\Windows\System\VAnknLW.exe
  2⤵
  PID:10480
- C:\Windows\System\MOknpZa.exe
  C:\Windows\System\MOknpZa.exe
  2⤵
  PID:10508
- C:\Windows\System\DgodgVm.exe
  C:\Windows\System\DgodgVm.exe
  2⤵
  PID:10536
- C:\Windows\System\bheUaoG.exe
  C:\Windows\System\bheUaoG.exe
  2⤵
  PID:10564
- C:\Windows\System\nffVMgq.exe
  C:\Windows\System\nffVMgq.exe
  2⤵
  PID:10592
- C:\Windows\System\vYgpARY.exe
  C:\Windows\System\vYgpARY.exe
  2⤵
  PID:10620
- C:\Windows\System\VIIQpBI.exe
  C:\Windows\System\VIIQpBI.exe
  2⤵
  PID:10660
- C:\Windows\System\fwySIbZ.exe
  C:\Windows\System\fwySIbZ.exe
  2⤵
  PID:10684
- C:\Windows\System\nRpqccu.exe
  C:\Windows\System\nRpqccu.exe
  2⤵
  PID:10704
- C:\Windows\System\gNXEmyH.exe
  C:\Windows\System\gNXEmyH.exe
  2⤵
  PID:10732
- C:\Windows\System\Nyisibi.exe
  C:\Windows\System\Nyisibi.exe
  2⤵
  PID:10760
- C:\Windows\System\APdrVst.exe
  C:\Windows\System\APdrVst.exe
  2⤵
  PID:10788
- C:\Windows\System\fSBzUrs.exe
  C:\Windows\System\fSBzUrs.exe
  2⤵
  PID:10816
- C:\Windows\System\FCeRqcl.exe
  C:\Windows\System\FCeRqcl.exe
  2⤵
  PID:10844
- C:\Windows\System\HmPnJKE.exe
  C:\Windows\System\HmPnJKE.exe
  2⤵
  PID:10872
- C:\Windows\System\OKgNKaP.exe
  C:\Windows\System\OKgNKaP.exe
  2⤵
  PID:10904
- C:\Windows\System\KBoNgoO.exe
  C:\Windows\System\KBoNgoO.exe
  2⤵
  PID:10928
- C:\Windows\System\VQPAVyh.exe
  C:\Windows\System\VQPAVyh.exe
  2⤵
  PID:10956
- C:\Windows\System\HpOrLda.exe
  C:\Windows\System\HpOrLda.exe
  2⤵
  PID:10984
- C:\Windows\System\mArghOM.exe
  C:\Windows\System\mArghOM.exe
  2⤵
  PID:11012
- C:\Windows\System\IpglVuc.exe
  C:\Windows\System\IpglVuc.exe
  2⤵
  PID:11040
- C:\Windows\System\wMVOeUp.exe
  C:\Windows\System\wMVOeUp.exe
  2⤵
  PID:11068
- C:\Windows\System\jqXmvOb.exe
  C:\Windows\System\jqXmvOb.exe
  2⤵
  PID:11096
- C:\Windows\System\MhbxKDf.exe
  C:\Windows\System\MhbxKDf.exe
  2⤵
  PID:11124
- C:\Windows\System\eXRCKIL.exe
  C:\Windows\System\eXRCKIL.exe
  2⤵
  PID:11152
- C:\Windows\System\GaLUlrB.exe
  C:\Windows\System\GaLUlrB.exe
  2⤵
  PID:11180
- C:\Windows\System\fmVxVTA.exe
  C:\Windows\System\fmVxVTA.exe
  2⤵
  PID:11208
- C:\Windows\System\KxtEXlP.exe
  C:\Windows\System\KxtEXlP.exe
  2⤵
  PID:11236
- C:\Windows\System\dsgBErx.exe
  C:\Windows\System\dsgBErx.exe
  2⤵
  PID:1988
- C:\Windows\System\IAPxknY.exe
  C:\Windows\System\IAPxknY.exe
  2⤵
  PID:1352
- C:\Windows\System\SyEmWLz.exe
  C:\Windows\System\SyEmWLz.exe
  2⤵
  PID:10360
- C:\Windows\System\freFVrP.exe
  C:\Windows\System\freFVrP.exe
  2⤵
  PID:10416
- C:\Windows\System\YnQcGgP.exe
  C:\Windows\System\YnQcGgP.exe
  2⤵
  PID:10476
- C:\Windows\System\PgkGRcO.exe
  C:\Windows\System\PgkGRcO.exe
  2⤵
  PID:10532
- C:\Windows\System\tnbSlZj.exe
  C:\Windows\System\tnbSlZj.exe
  2⤵
  PID:10604
- C:\Windows\System\OqMSPVF.exe
  C:\Windows\System\OqMSPVF.exe
  2⤵
  PID:688
- C:\Windows\System\PwnpZlM.exe
  C:\Windows\System\PwnpZlM.exe
  2⤵
  PID:10752
- C:\Windows\System\JNWSeSx.exe
  C:\Windows\System\JNWSeSx.exe
  2⤵
  PID:10784
- C:\Windows\System\YheryKl.exe
  C:\Windows\System\YheryKl.exe
  2⤵
  PID:10856
- C:\Windows\System\aTeSZHk.exe
  C:\Windows\System\aTeSZHk.exe
  2⤵
  PID:10912
- C:\Windows\System\XFhpwBT.exe
  C:\Windows\System\XFhpwBT.exe
  2⤵
  PID:10952
- C:\Windows\System\IAudVyB.exe
  C:\Windows\System\IAudVyB.exe
  2⤵
  PID:11008
- C:\Windows\System\eZGphRi.exe
  C:\Windows\System\eZGphRi.exe
  2⤵
  PID:11080
- C:\Windows\System\XsBdOlP.exe
  C:\Windows\System\XsBdOlP.exe
  2⤵
  PID:11120
- C:\Windows\System\uQVlnMk.exe
  C:\Windows\System\uQVlnMk.exe
  2⤵
  PID:11192
- C:\Windows\System\kYahEOx.exe
  C:\Windows\System\kYahEOx.exe
  2⤵
  PID:11256
- C:\Windows\System\WzmjOuP.exe
  C:\Windows\System\WzmjOuP.exe
  2⤵
  PID:10352
- C:\Windows\System\cQDlsgL.exe
  C:\Windows\System\cQDlsgL.exe
  2⤵
  PID:10500
- C:\Windows\System\UaBlnih.exe
  C:\Windows\System\UaBlnih.exe
  2⤵
  PID:10656
- C:\Windows\System\fjdDBUN.exe
  C:\Windows\System\fjdDBUN.exe
  2⤵
  PID:10716
- C:\Windows\System\GluuXJq.exe
  C:\Windows\System\GluuXJq.exe
  2⤵
  PID:10896
- C:\Windows\System\UWOrNnC.exe
  C:\Windows\System\UWOrNnC.exe
  2⤵
  PID:11004
- C:\Windows\System\JOktbPX.exe
  C:\Windows\System\JOktbPX.exe
  2⤵
  PID:11164
- C:\Windows\System\BWGiEBk.exe
  C:\Windows\System\BWGiEBk.exe
  2⤵
  PID:10280
- C:\Windows\System\OrxpATS.exe
  C:\Windows\System\OrxpATS.exe
  2⤵
  PID:10588
- C:\Windows\System\VrffNyL.exe
  C:\Windows\System\VrffNyL.exe
  2⤵
  PID:10884
- C:\Windows\System\eTkzywx.exe
  C:\Windows\System\eTkzywx.exe
  2⤵
  PID:11136
- C:\Windows\System\CDsIJug.exe
  C:\Windows\System\CDsIJug.exe
  2⤵
  PID:4504
- C:\Windows\System\LbonLla.exe
  C:\Windows\System\LbonLla.exe
  2⤵
  PID:3396
- C:\Windows\System\UhzBqLF.exe
  C:\Windows\System\UhzBqLF.exe
  2⤵
  PID:11272
- C:\Windows\System\YwmviQW.exe
  C:\Windows\System\YwmviQW.exe
  2⤵
  PID:11300
- C:\Windows\System\ANoxUrk.exe
  C:\Windows\System\ANoxUrk.exe
  2⤵
  PID:11328
- C:\Windows\System\SiYysWW.exe
  C:\Windows\System\SiYysWW.exe
  2⤵
  PID:11356
- C:\Windows\System\RXaveCv.exe
  C:\Windows\System\RXaveCv.exe
  2⤵
  PID:11384
- C:\Windows\System\rLNghzs.exe
  C:\Windows\System\rLNghzs.exe
  2⤵
  PID:11412
- C:\Windows\System\yxYiiHr.exe
  C:\Windows\System\yxYiiHr.exe
  2⤵
  PID:11440
- C:\Windows\System\OJHcqLM.exe
  C:\Windows\System\OJHcqLM.exe
  2⤵
  PID:11468
- C:\Windows\System\WEwTFwX.exe
  C:\Windows\System\WEwTFwX.exe
  2⤵
  PID:11496
- C:\Windows\System\WCLSmnq.exe
  C:\Windows\System\WCLSmnq.exe
  2⤵
  PID:11524
- C:\Windows\System\WlLGoZW.exe
  C:\Windows\System\WlLGoZW.exe
  2⤵
  PID:11552
- C:\Windows\System\GlmzRJh.exe
  C:\Windows\System\GlmzRJh.exe
  2⤵
  PID:11580
- C:\Windows\System\rugCdPR.exe
  C:\Windows\System\rugCdPR.exe
  2⤵
  PID:11608
- C:\Windows\System\keZMFaE.exe
  C:\Windows\System\keZMFaE.exe
  2⤵
  PID:11636
- C:\Windows\System\lqqpOsc.exe
  C:\Windows\System\lqqpOsc.exe
  2⤵
  PID:11664
- C:\Windows\System\KuYjkTp.exe
  C:\Windows\System\KuYjkTp.exe
  2⤵
  PID:11692
- C:\Windows\System\xdvwyzt.exe
  C:\Windows\System\xdvwyzt.exe
  2⤵
  PID:11720
- C:\Windows\System\WZENqix.exe
  C:\Windows\System\WZENqix.exe
  2⤵
  PID:11748
- C:\Windows\System\TwaioEZ.exe
  C:\Windows\System\TwaioEZ.exe
  2⤵
  PID:11776
- C:\Windows\System\HCSLdgM.exe
  C:\Windows\System\HCSLdgM.exe
  2⤵
  PID:11804
- C:\Windows\System\MCLvkvJ.exe
  C:\Windows\System\MCLvkvJ.exe
  2⤵
  PID:11832
- C:\Windows\System\VNnJnwF.exe
  C:\Windows\System\VNnJnwF.exe
  2⤵
  PID:11872
- C:\Windows\System\MeUxrer.exe
  C:\Windows\System\MeUxrer.exe
  2⤵
  PID:11888
- C:\Windows\System\BIgtJjj.exe
  C:\Windows\System\BIgtJjj.exe
  2⤵
  PID:11916
- C:\Windows\System\kunfLcr.exe
  C:\Windows\System\kunfLcr.exe
  2⤵
  PID:11944
- C:\Windows\System\vTUaInU.exe
  C:\Windows\System\vTUaInU.exe
  2⤵
  PID:11972
- C:\Windows\System\geZvgHo.exe
  C:\Windows\System\geZvgHo.exe
  2⤵
  PID:12000
- C:\Windows\System\aSuIyDq.exe
  C:\Windows\System\aSuIyDq.exe
  2⤵
  PID:12028
- C:\Windows\System\OTWbFOI.exe
  C:\Windows\System\OTWbFOI.exe
  2⤵
  PID:12056
- C:\Windows\System\hKdNFWq.exe
  C:\Windows\System\hKdNFWq.exe
  2⤵
  PID:12084
- C:\Windows\System\VPUZgNx.exe
  C:\Windows\System\VPUZgNx.exe
  2⤵
  PID:12112
- C:\Windows\System\bnkXiyZ.exe
  C:\Windows\System\bnkXiyZ.exe
  2⤵
  PID:12140
- C:\Windows\System\yWoWvhw.exe
  C:\Windows\System\yWoWvhw.exe
  2⤵
  PID:12168
- C:\Windows\System\lMJEXQQ.exe
  C:\Windows\System\lMJEXQQ.exe
  2⤵
  PID:12196
- C:\Windows\System\wEgqwEC.exe
  C:\Windows\System\wEgqwEC.exe
  2⤵
  PID:12224
- C:\Windows\System\XnTlPhg.exe
  C:\Windows\System\XnTlPhg.exe
  2⤵
  PID:12252
- C:\Windows\System\VxdEUpW.exe
  C:\Windows\System\VxdEUpW.exe
  2⤵
  PID:12280
- C:\Windows\System\ueRWAZJ.exe
  C:\Windows\System\ueRWAZJ.exe
  2⤵
  PID:11312
- C:\Windows\System\RoPTYgT.exe
  C:\Windows\System\RoPTYgT.exe
  2⤵
  PID:11376
- C:\Windows\System\gGGzVSh.exe
  C:\Windows\System\gGGzVSh.exe
  2⤵
  PID:11436
- C:\Windows\System\lVQdjTF.exe
  C:\Windows\System\lVQdjTF.exe
  2⤵
  PID:11508
- C:\Windows\System\tjtmmJi.exe
  C:\Windows\System\tjtmmJi.exe
  2⤵
  PID:11564
- C:\Windows\System\oOUoXLe.exe
  C:\Windows\System\oOUoXLe.exe
  2⤵
  PID:11628
- C:\Windows\System\bhwkAqk.exe
  C:\Windows\System\bhwkAqk.exe
  2⤵
  PID:11688
- C:\Windows\System\LvENUjs.exe
  C:\Windows\System\LvENUjs.exe
  2⤵
  PID:11760
- C:\Windows\System\GZZawKa.exe
  C:\Windows\System\GZZawKa.exe
  2⤵
  PID:11824
- C:\Windows\System\AIXnFtV.exe
  C:\Windows\System\AIXnFtV.exe
  2⤵
  PID:11884
- C:\Windows\System\GhxYelj.exe
  C:\Windows\System\GhxYelj.exe
  2⤵
  PID:11956
- C:\Windows\System\PpQFass.exe
  C:\Windows\System\PpQFass.exe
  2⤵
  PID:12020
- C:\Windows\System\WNYBytH.exe
  C:\Windows\System\WNYBytH.exe
  2⤵
  PID:12080
- C:\Windows\System\fhalZGa.exe
  C:\Windows\System\fhalZGa.exe
  2⤵
  PID:12152
- C:\Windows\System\uHvHOiW.exe
  C:\Windows\System\uHvHOiW.exe
  2⤵
  PID:12216
- C:\Windows\System\pLPsWFk.exe
  C:\Windows\System\pLPsWFk.exe
  2⤵
  PID:12276
- C:\Windows\System\XbOqGLP.exe
  C:\Windows\System\XbOqGLP.exe
  2⤵
  PID:11404
- C:\Windows\System\vrVqhCH.exe
  C:\Windows\System\vrVqhCH.exe
  2⤵
  PID:11544
- C:\Windows\System\BxnLzpH.exe
  C:\Windows\System\BxnLzpH.exe
  2⤵
  PID:11676
- C:\Windows\System\aZQMITR.exe
  C:\Windows\System\aZQMITR.exe
  2⤵
  PID:11816
- C:\Windows\System\jwxeilK.exe
  C:\Windows\System\jwxeilK.exe
  2⤵
  PID:11984
- C:\Windows\System\ysJPyqm.exe
  C:\Windows\System\ysJPyqm.exe
  2⤵
  PID:12132
- C:\Windows\System\bpAzNDe.exe
  C:\Windows\System\bpAzNDe.exe
  2⤵
  PID:12272
- C:\Windows\System\DCVsmfR.exe
  C:\Windows\System\DCVsmfR.exe
  2⤵
  PID:11592
- C:\Windows\System\ThBkkOC.exe
  C:\Windows\System\ThBkkOC.exe
  2⤵
  PID:11936
- C:\Windows\System\MVSlkwa.exe
  C:\Windows\System\MVSlkwa.exe
  2⤵
  PID:12264
- C:\Windows\System\xTRWbhx.exe
  C:\Windows\System\xTRWbhx.exe
  2⤵
  PID:12076
- C:\Windows\System\FkOKJnX.exe
  C:\Windows\System\FkOKJnX.exe
  2⤵
  PID:11880
- C:\Windows\System\NFpZAEV.exe
  C:\Windows\System\NFpZAEV.exe
  2⤵
  PID:12312
- C:\Windows\System\ijhZkcj.exe
  C:\Windows\System\ijhZkcj.exe
  2⤵
  PID:12340
- C:\Windows\System\fwCfymS.exe
  C:\Windows\System\fwCfymS.exe
  2⤵
  PID:12368
- C:\Windows\System\JRSapFg.exe
  C:\Windows\System\JRSapFg.exe
  2⤵
  PID:12396
- C:\Windows\System\BuxGIiZ.exe
  C:\Windows\System\BuxGIiZ.exe
  2⤵
  PID:12424
- C:\Windows\System\BvPpqeU.exe
  C:\Windows\System\BvPpqeU.exe
  2⤵
  PID:12452
- C:\Windows\System\idtTkti.exe
  C:\Windows\System\idtTkti.exe
  2⤵
  PID:12480
- C:\Windows\System\FTSLBIm.exe
  C:\Windows\System\FTSLBIm.exe
  2⤵
  PID:12508
- C:\Windows\System\bZZCTMe.exe
  C:\Windows\System\bZZCTMe.exe
  2⤵
  PID:12536
- C:\Windows\System\eHggyQe.exe
  C:\Windows\System\eHggyQe.exe
  2⤵
  PID:12564
- C:\Windows\System\rkNDvtJ.exe
  C:\Windows\System\rkNDvtJ.exe
  2⤵
  PID:12592
- C:\Windows\System\FMdCKBd.exe
  C:\Windows\System\FMdCKBd.exe
  2⤵
  PID:12620
- C:\Windows\System\JEBYkeo.exe
  C:\Windows\System\JEBYkeo.exe
  2⤵
  PID:12648
- C:\Windows\System\sionOAj.exe
  C:\Windows\System\sionOAj.exe
  2⤵
  PID:12676
- C:\Windows\System\WpZORUc.exe
  C:\Windows\System\WpZORUc.exe
  2⤵
  PID:12704
- C:\Windows\System\HVuLFuP.exe
  C:\Windows\System\HVuLFuP.exe
  2⤵
  PID:12732
- C:\Windows\System\DgSCcmA.exe
  C:\Windows\System\DgSCcmA.exe
  2⤵
  PID:12760
- C:\Windows\System\AjmdwcY.exe
  C:\Windows\System\AjmdwcY.exe
  2⤵
  PID:12788
- C:\Windows\System\rbmFqZq.exe
  C:\Windows\System\rbmFqZq.exe
  2⤵
  PID:12816
- C:\Windows\System\rccKuus.exe
  C:\Windows\System\rccKuus.exe
  2⤵
  PID:12856
- C:\Windows\System\vurrgvP.exe
  C:\Windows\System\vurrgvP.exe
  2⤵
  PID:12904
- C:\Windows\System\BZzrCHF.exe
  C:\Windows\System\BZzrCHF.exe
  2⤵
  PID:12932
- C:\Windows\System\USooziV.exe
  C:\Windows\System\USooziV.exe
  2⤵
  PID:12964
- C:\Windows\System\GNrBnVV.exe
  C:\Windows\System\GNrBnVV.exe
  2⤵
  PID:12992
- C:\Windows\System\IFqIKJB.exe
  C:\Windows\System\IFqIKJB.exe
  2⤵
  PID:13020
- C:\Windows\System\JZldKiJ.exe
  C:\Windows\System\JZldKiJ.exe
  2⤵
  PID:13048
- C:\Windows\System\luKluYn.exe
  C:\Windows\System\luKluYn.exe
  2⤵
  PID:13076
- C:\Windows\System\hgglbGp.exe
  C:\Windows\System\hgglbGp.exe
  2⤵
  PID:13104
- C:\Windows\System\EDjxGIA.exe
  C:\Windows\System\EDjxGIA.exe
  2⤵
  PID:13132
- C:\Windows\System\Oknyfwe.exe
  C:\Windows\System\Oknyfwe.exe
  2⤵
  PID:13160
- C:\Windows\System\ZTSuyWi.exe
  C:\Windows\System\ZTSuyWi.exe
  2⤵
  PID:13188
- C:\Windows\System\lgYCwwb.exe
  C:\Windows\System\lgYCwwb.exe
  2⤵
  PID:13216
- C:\Windows\System\XiwMTKU.exe
  C:\Windows\System\XiwMTKU.exe
  2⤵
  PID:13244
- C:\Windows\System\bWZqPda.exe
  C:\Windows\System\bWZqPda.exe
  2⤵
  PID:13272
- C:\Windows\System\ghTHpyz.exe
  C:\Windows\System\ghTHpyz.exe
  2⤵
  PID:13300
- C:\Windows\System\VjysqZZ.exe
  C:\Windows\System\VjysqZZ.exe
  2⤵
  PID:12336
- C:\Windows\System\szHVsuK.exe
  C:\Windows\System\szHVsuK.exe
  2⤵
  PID:12408
- C:\Windows\System\lYyUaVV.exe
  C:\Windows\System\lYyUaVV.exe
  2⤵
  PID:12472
- C:\Windows\System\JkzsVTk.exe
  C:\Windows\System\JkzsVTk.exe
  2⤵
  PID:12532
- C:\Windows\System\UWsfrkX.exe
  C:\Windows\System\UWsfrkX.exe
  2⤵
  PID:12604
- C:\Windows\System\UJJuTrB.exe
  C:\Windows\System\UJJuTrB.exe
  2⤵
  PID:12668
- C:\Windows\System\DQmPtrK.exe
  C:\Windows\System\DQmPtrK.exe
  2⤵
  PID:12728
- C:\Windows\System\JiHzJxp.exe
  C:\Windows\System\JiHzJxp.exe
  2⤵
  PID:12808
- C:\Windows\System\eiUfyDV.exe
  C:\Windows\System\eiUfyDV.exe
  2⤵
  PID:12896
- C:\Windows\System\dRdllmL.exe
  C:\Windows\System\dRdllmL.exe
  2⤵
  PID:9608
- C:\Windows\System\VfORxBK.exe
  C:\Windows\System\VfORxBK.exe
  2⤵
  PID:10032
- C:\Windows\System\wUjgHjV.exe
  C:\Windows\System\wUjgHjV.exe
  2⤵
  PID:12988
- C:\Windows\System\iYSQAuE.exe
  C:\Windows\System\iYSQAuE.exe
  2⤵
  PID:13044
- C:\Windows\System\LeBheEF.exe
  C:\Windows\System\LeBheEF.exe
  2⤵
  PID:13116
- C:\Windows\System\bGukcte.exe
  C:\Windows\System\bGukcte.exe
  2⤵
  PID:13180
- C:\Windows\System\WNdyANs.exe
  C:\Windows\System\WNdyANs.exe
  2⤵
  PID:13240
- C:\Windows\System\WJqKTsq.exe
  C:\Windows\System\WJqKTsq.exe
  2⤵
  PID:12296
- C:\Windows\System\hwkNAUs.exe
  C:\Windows\System\hwkNAUs.exe
  2⤵
  PID:12436
- C:\Windows\System\grQeJWN.exe
  C:\Windows\System\grQeJWN.exe
  2⤵
  PID:12584
- C:\Windows\System\BpnADzB.exe
  C:\Windows\System\BpnADzB.exe
  2⤵
  PID:12716
- C:\Windows\System\LEjTUhn.exe
  C:\Windows\System\LEjTUhn.exe
  2⤵
  PID:4764
- C:\Windows\System\ThVQkfd.exe
  C:\Windows\System\ThVQkfd.exe
  2⤵
  PID:9516
- C:\Windows\System\mcXLOaK.exe
  C:\Windows\System\mcXLOaK.exe
  2⤵
  PID:13016
- C:\Windows\System\nVsfELZ.exe
  C:\Windows\System\nVsfELZ.exe
  2⤵
  PID:13100
- C:\Windows\System\zFqwimW.exe
  C:\Windows\System\zFqwimW.exe
  2⤵
  PID:13236
- C:\Windows\System\bMfQgDJ.exe
  C:\Windows\System\bMfQgDJ.exe
  2⤵
  PID:12500
- C:\Windows\System\glzujAN.exe
  C:\Windows\System\glzujAN.exe
  2⤵
  PID:12828
- C:\Windows\System\mvkkDyl.exe
  C:\Windows\System\mvkkDyl.exe
  2⤵
  PID:4428
- C:\Windows\System\isOtRCw.exe
  C:\Windows\System\isOtRCw.exe
  2⤵
  PID:13032
- C:\Windows\System\gVMCJkV.exe
  C:\Windows\System\gVMCJkV.exe
  2⤵
  PID:13228
- C:\Windows\System\rvDsNQd.exe
  C:\Windows\System\rvDsNQd.exe
  2⤵
  PID:12696
- C:\Windows\System\AzIhBYI.exe
  C:\Windows\System\AzIhBYI.exe
  2⤵
  PID:4692
- C:\Windows\System\XeVaoBt.exe
  C:\Windows\System\XeVaoBt.exe
  2⤵
  PID:2808
- C:\Windows\System\mvtzlBJ.exe
  C:\Windows\System\mvtzlBJ.exe
  2⤵
  PID:5104
- C:\Windows\System\FEMomWy.exe
  C:\Windows\System\FEMomWy.exe
  2⤵
  PID:13324
- C:\Windows\System\IJZSKRW.exe
  C:\Windows\System\IJZSKRW.exe
  2⤵
  PID:13340
- C:\Windows\System\rIZaiuQ.exe
  C:\Windows\System\rIZaiuQ.exe
  2⤵
  PID:13368
- C:\Windows\System\JDDLEmc.exe
  C:\Windows\System\JDDLEmc.exe
  2⤵
  PID:13396
- C:\Windows\System\JuBFVSm.exe
  C:\Windows\System\JuBFVSm.exe
  2⤵
  PID:13424
- C:\Windows\System\XAwBekr.exe
  C:\Windows\System\XAwBekr.exe
  2⤵
  PID:13456
- C:\Windows\System\BsJvSQC.exe
  C:\Windows\System\BsJvSQC.exe
  2⤵
  PID:13488
- C:\Windows\System\VreykSn.exe
  C:\Windows\System\VreykSn.exe
  2⤵
  PID:13516
- C:\Windows\System\clNdyle.exe
  C:\Windows\System\clNdyle.exe
  2⤵
  PID:13544
- C:\Windows\System\OoQVCCU.exe
  C:\Windows\System\OoQVCCU.exe
  2⤵
  PID:13572
- C:\Windows\System\kmVxecv.exe
  C:\Windows\System\kmVxecv.exe
  2⤵
  PID:13600
- C:\Windows\System\ByTotDz.exe
  C:\Windows\System\ByTotDz.exe
  2⤵
  PID:13628
- C:\Windows\System\uPfmCSh.exe
  C:\Windows\System\uPfmCSh.exe
  2⤵
  PID:13668
- C:\Windows\System\uxKwMur.exe
  C:\Windows\System\uxKwMur.exe
  2⤵
  PID:13684
- C:\Windows\System\fuZdrBI.exe
  C:\Windows\System\fuZdrBI.exe
  2⤵
  PID:13712
- C:\Windows\System\VInLWVb.exe
  C:\Windows\System\VInLWVb.exe
  2⤵
  PID:13740
- C:\Windows\System\PWREPdo.exe
  C:\Windows\System\PWREPdo.exe
  2⤵
  PID:13772
- C:\Windows\System\NDrDJGT.exe
  C:\Windows\System\NDrDJGT.exe
  2⤵
  PID:13804
- C:\Windows\System\nBIeUCu.exe
  C:\Windows\System\nBIeUCu.exe
  2⤵
  PID:13832
- C:\Windows\System\zhDRgUe.exe
  C:\Windows\System\zhDRgUe.exe
  2⤵
  PID:13860
- C:\Windows\System\IlKVLAB.exe
  C:\Windows\System\IlKVLAB.exe
  2⤵
  PID:13880
- C:\Windows\System\zQTULzL.exe
  C:\Windows\System\zQTULzL.exe
  2⤵
  PID:13924
- C:\Windows\System\qtUIKPI.exe
  C:\Windows\System\qtUIKPI.exe
  2⤵
  PID:13952
- C:\Windows\System\WEtEhIs.exe
  C:\Windows\System\WEtEhIs.exe
  2⤵
  PID:13980
- C:\Windows\System\JgdbuUr.exe
  C:\Windows\System\JgdbuUr.exe
  2⤵
  PID:14008
- C:\Windows\System\YyXYhoA.exe
  C:\Windows\System\YyXYhoA.exe
  2⤵
  PID:14036
- C:\Windows\System\EbZgHfa.exe
  C:\Windows\System\EbZgHfa.exe
  2⤵
  PID:14064
- C:\Windows\System\XUZMSuY.exe
  C:\Windows\System\XUZMSuY.exe
  2⤵
  PID:14092
- C:\Windows\System\KErYzMR.exe
  C:\Windows\System\KErYzMR.exe
  2⤵
  PID:14120
- C:\Windows\System\ARPuFqh.exe
  C:\Windows\System\ARPuFqh.exe
  2⤵
  PID:14148
- C:\Windows\System\OHuUpJN.exe
  C:\Windows\System\OHuUpJN.exe
  2⤵
  PID:14176
- C:\Windows\System\lQpreat.exe
  C:\Windows\System\lQpreat.exe
  2⤵
  PID:14204
- C:\Windows\System\azSlbQP.exe
  C:\Windows\System\azSlbQP.exe
  2⤵
  PID:14232
- C:\Windows\System\jULRcFL.exe
  C:\Windows\System\jULRcFL.exe
  2⤵
  PID:14260
- C:\Windows\System\arpjWEB.exe
  C:\Windows\System\arpjWEB.exe
  2⤵
  PID:14288
- C:\Windows\System\BazDEZB.exe
  C:\Windows\System\BazDEZB.exe
  2⤵
  PID:14320
- C:\Windows\System\uIOlRTl.exe
  C:\Windows\System\uIOlRTl.exe
  2⤵
  PID:13336
- C:\Windows\System\fsvhTME.exe
  C:\Windows\System\fsvhTME.exe
  2⤵
  PID:1760
- C:\Windows\System\ysjpIgu.exe
  C:\Windows\System\ysjpIgu.exe
  2⤵
  PID:1544
- C:\Windows\System\jniCASH.exe
  C:\Windows\System\jniCASH.exe
  2⤵
  PID:13452
- C:\Windows\System\kuIjlyr.exe
  C:\Windows\System\kuIjlyr.exe
  2⤵
  PID:13508
- C:\Windows\System\QGnHIKL.exe
  C:\Windows\System\QGnHIKL.exe
  2⤵
  PID:13596
- C:\Windows\System\UzakPLC.exe
  C:\Windows\System\UzakPLC.exe
  2⤵
  PID:13648
- C:\Windows\System\DVFgtDB.exe
  C:\Windows\System\DVFgtDB.exe
  2⤵
  PID:13696
- C:\Windows\System\ZZzkdfd.exe
  C:\Windows\System\ZZzkdfd.exe
  2⤵
  PID:13736
- C:\Windows\System\tjcbzTd.exe
  C:\Windows\System\tjcbzTd.exe
  2⤵
  PID:13796
- C:\Windows\System\CHQBBEA.exe
  C:\Windows\System\CHQBBEA.exe
  2⤵
  PID:13856
- C:\Windows\System\zznmPXo.exe
  C:\Windows\System\zznmPXo.exe
  2⤵
  PID:13912
- C:\Windows\System\HhNBVTp.exe
  C:\Windows\System\HhNBVTp.exe
  2⤵
  PID:14004
- C:\Windows\System\jvmdyNs.exe
  C:\Windows\System\jvmdyNs.exe
  2⤵
  PID:14056
- C:\Windows\System\otnoqbH.exe
  C:\Windows\System\otnoqbH.exe
  2⤵
  PID:14104
- C:\Windows\System\kxDhqzZ.exe
  C:\Windows\System\kxDhqzZ.exe
  2⤵
  PID:14172
- C:\Windows\System\RsDEHme.exe
  C:\Windows\System\RsDEHme.exe
  2⤵
  PID:14224
- C:\Windows\System\vBpdsLW.exe
  C:\Windows\System\vBpdsLW.exe
  2⤵
  PID:14304
- C:\Windows\System\tnSZCtV.exe
  C:\Windows\System\tnSZCtV.exe
  2⤵
  PID:13392
- C:\Windows\System\PAVCdHD.exe
  C:\Windows\System\PAVCdHD.exe
  2⤵
  PID:13484
- C:\Windows\System\FcfTlIJ.exe
  C:\Windows\System\FcfTlIJ.exe
  2⤵
  PID:2088
- C:\Windows\System\zqqiGMJ.exe
  C:\Windows\System\zqqiGMJ.exe
  2⤵
  PID:13732
- C:\Windows\System\jmTKbUw.exe
  C:\Windows\System\jmTKbUw.exe
  2⤵
  PID:13828
- C:\Windows\System\QMwUuiG.exe
  C:\Windows\System\QMwUuiG.exe
  2⤵
  PID:13948
- C:\Windows\System\sUFZsbB.exe
  C:\Windows\System\sUFZsbB.exe
  2⤵
  PID:4844
- C:\Windows\System\UzGCWat.exe
  C:\Windows\System\UzGCWat.exe
  2⤵
  PID:3664
- C:\Windows\System\HCGWyec.exe
  C:\Windows\System\HCGWyec.exe
  2⤵
  PID:4332
- C:\Windows\System\PpNCnSc.exe
  C:\Windows\System\PpNCnSc.exe
  2⤵
  PID:4192
- C:\Windows\System\spcTyLI.exe
  C:\Windows\System\spcTyLI.exe
  2⤵
  PID:2576
- C:\Windows\System\PvAFHCl.exe
  C:\Windows\System\PvAFHCl.exe
  2⤵
  PID:13436
- C:\Windows\System\pedqiQd.exe
  C:\Windows\System\pedqiQd.exe
  2⤵
  PID:4972
- C:\Windows\System\tELTwcO.exe
  C:\Windows\System\tELTwcO.exe
  2⤵
  PID:3472
- C:\Windows\System\LeOASrw.exe
  C:\Windows\System\LeOASrw.exe
  2⤵
  PID:2268
- C:\Windows\System\vAoWPKU.exe
  C:\Windows\System\vAoWPKU.exe
  2⤵
  PID:13876
- C:\Windows\System\SYTTqAA.exe
  C:\Windows\System\SYTTqAA.exe
  2⤵
  PID:4356
- C:\Windows\System\JAHiChN.exe
  C:\Windows\System\JAHiChN.exe
  2⤵
  PID:2916
- C:\Windows\System\OfYvZaq.exe
  C:\Windows\System\OfYvZaq.exe
  2⤵
  PID:3596
- C:\Windows\System\deFtKJp.exe
  C:\Windows\System\deFtKJp.exe
  2⤵
  PID:2036
- C:\Windows\System\ogtxcYr.exe
  C:\Windows\System\ogtxcYr.exe
  2⤵
  PID:884
- C:\Windows\System\JHLiFdr.exe
  C:\Windows\System\JHLiFdr.exe
  2⤵
  PID:2804
- C:\Windows\System\yxkedYd.exe
  C:\Windows\System\yxkedYd.exe
  2⤵
  PID:2932
- C:\Windows\System\BIXXJlf.exe
  C:\Windows\System\BIXXJlf.exe
  2⤵
  PID:13824
- C:\Windows\System\WbTHEBh.exe
  C:\Windows\System\WbTHEBh.exe
  2⤵
  PID:844
- C:\Windows\System\rAgmOyC.exe
  C:\Windows\System\rAgmOyC.exe
  2⤵
  PID:1884
- C:\Windows\System\Giaxtgz.exe
  C:\Windows\System\Giaxtgz.exe
  2⤵
  PID:5152
- C:\Windows\System\UcVeibW.exe
  C:\Windows\System\UcVeibW.exe
  2⤵
  PID:3588
- C:\Windows\System\IrmAXlJ.exe
  C:\Windows\System\IrmAXlJ.exe
  2⤵
  PID:5284
- C:\Windows\System\HxjfRkY.exe
  C:\Windows\System\HxjfRkY.exe
  2⤵
  PID:5304
- C:\Windows\System\oaUrBBc.exe
  C:\Windows\System\oaUrBBc.exe
  2⤵
  PID:1516
- C:\Windows\System\ZEItLKx.exe
  C:\Windows\System\ZEItLKx.exe
  2⤵
  PID:5212
- C:\Windows\System\dgnOrlW.exe
  C:\Windows\System\dgnOrlW.exe
  2⤵
  PID:5492
- C:\Windows\System\wDLJFoU.exe
  C:\Windows\System\wDLJFoU.exe
  2⤵
  PID:5560
- C:\Windows\System\RKKsEVF.exe
  C:\Windows\System\RKKsEVF.exe
  2⤵
  PID:4296

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:5856
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6668

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7660

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8324 -s 7660
  2⤵
  PID:1460

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8960

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8524

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2008

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 3284 -ip 3284
1⤵
PID:7080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6336 -s 7556
  2⤵
  PID:7888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10964

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13964

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5784

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5104

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13628

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1056

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13376

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8264

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6504

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3096

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6672

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VQX1G21I\microsoft.windows[1].xml

Filesize
97B

MD5
30f2c9ec9fde35e07c5e294cb7cacdc6

SHA1
369534f00cf17850dd8c1526ed7dd1996d880943

SHA256
ac0a9e3dcaf872fec32415fe0e2e821a5a75f18fd940ed3777c02ac9032c2b46

SHA512
34a1b7612bee443570361cb8f6c3eed38f7a2c34a9dd791edb8ec28c3693d854a1615b9e9ad1e8ed7136832fa510ea246545aec10dc51ece21b4bec317289664

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133876604347673629.txt

Filesize
86KB

MD5
dbb05f808b483453a6205922ddf81804

SHA1
72bc1fc67cf4574ea96585848d67ad8be6931d10

SHA256
bfe2543bfc6d5ecff340c548effa9e85c72fe63fd06bf63ce43be69bb053caff

SHA512
c2122640c201c86b4830117083d28c710838eac98b08b91619ee9cb37ae413cfb42a2f73f071839d4352ac459243b9507e2c481d746b1196034b6cad5ad3ab07

Download Submit
C:\Windows\System\BOfEkOd.exe

Filesize
6.1MB

MD5
3689bee65b728c59a99f3cff5151b496

SHA1
46ae31942882f9dea4ccacd5ba291ce4a2f33f66

SHA256
793ad4bd42ba78d36ef6421c1d8018c8111876c37363df08d7f1156738f9906f

SHA512
b5b6781f90e1cc9bbf657f722599e18034ae050a2cfb58e26140b887187f2383e8af0316a277e1b19b2bfed8dfd2915f8ecf558f568e93d7774bbddb52c6b8ed

Download Submit
C:\Windows\System\BRtnCQQ.exe

Filesize
6.1MB

MD5
79e59b852287d819f825c75f77d976a8

SHA1
2b4388eb81c1a5e82098f278d7f943a410aae0a8

SHA256
7ef8bbe7e0199f156bec438b9850206370ac06b3d7587ee4089d0ae616055dd3

SHA512
30fbd278154949b6f35467e09e03daddd5b6dc4e6bc216b97908993a60547e03f56b5ec2aee51409dcca4907b9b7f152ea54fb843825c7784d62d7eae713767b

Download Submit
C:\Windows\System\EHdAUAH.exe

Filesize
6.1MB

MD5
7d0937b4a19466b9c47982ec5e110957

SHA1
484f8601c4f823e5b3cee642018da98a1ebb3fe8

SHA256
8735134e4ebadecdae29a3cc6379e7dff998268005a336b3b176fad107d1eee4

SHA512
ef1fe13edb6ff1d5b5c65fd7da69668146fb1b6b214df98c6b9cc0ffaffb402c0e9aefd76d7ee51f17d6b00c3964b599e1a7c253a44783593465e12b638d2fb0

Download Submit
C:\Windows\System\FOATdcp.exe

Filesize
6.1MB

MD5
f15a3c4285ac81981607a6b60967ffbc

SHA1
09b87e6e738f08b7e0d7091a2af95638c46da563

SHA256
c06ed39925475fce048a066cba325b1d05eb3b6ebb7dba88832ee6abb7fe4754

SHA512
5638b5b8eaf03fb7d6bdce3c3d364bee2c2e7e834d7081a29e7d7d9e5c174b492510f97dc87f71dcd297ffdb0a680b33341a825ddbbd1ef3747f80642946a708

Download Submit
C:\Windows\System\GygAiKp.exe

Filesize
6.1MB

MD5
3caf490ea440847843bf0af24d6e9fb5

SHA1
4f20675f127ae2605c01be08d248bf6abe262892

SHA256
336409c96d72456072156acc2ddd6ea93dcc1a021b5ef0d5e4759e382588417c

SHA512
4f71de264610d01f7dbfba9ac75e4b8f55e12c679bba39a67499ead0c03b878c5ad27e4d1b4667bd4b0080ccb15ef69a946be54a05e599d2a1a40112fca9c6ed

Download Submit
C:\Windows\System\HuuMdJd.exe

Filesize
6.1MB

MD5
5c936772b03027a75449c7796dfbbe13

SHA1
ed2c22d4a9188cbf668b7a865bc253f1d3b970d9

SHA256
05a2f9246a42add8a8bc5c0b708f262d35f2815c776f251fc9da087755f5b0de

SHA512
82f77aaf6f5e9739af03f430d9f4cb1f1c02e3b3c6131b8310584e89820a1ca27fcc5b86bffed9b827a0b1ad66a3cba639d5bcb3377935ee3efd748962df5f98

Download Submit
C:\Windows\System\KVXHWPH.exe

Filesize
6.1MB

MD5
d9b43ed87c46564c855f1ef5c7915bc3

SHA1
fe54bb28e63a8865e78f88f96baeb371e5ab6a33

SHA256
f50ee694ab19c2831cb4022693375f8435287c59ce1c7eaddf7a6626af90bd8d

SHA512
236ec0a56c62a2051042ea0745a7a56a0050c79be742abeafb9287e26e93863ecf5cf37735dc9592da5ac240e99899e7c2d84812985d0f4441b8b639a172afa9

Download Submit
C:\Windows\System\Kxqcevk.exe

Filesize
6.1MB

MD5
aba65b9bcf35e48d9cc447072dd33662

SHA1
f0bdc8a92cb5ee79793c67307a93b416b494092c

SHA256
6165448643085d9f489806bd995be72ebd302eda5baea832f583d2dfe1934cd8

SHA512
89857b42af545bf08669668549abc0dc990c20d0432cb964ed2baa4ed67551cc45b754174f11fa60b53c2e66c99e703efa96162e5817093d49b0c82eb219f3db

Download Submit
C:\Windows\System\LXyzqLM.exe

Filesize
6.1MB

MD5
96c717ffddf83cb75f2dd2e1f86a4016

SHA1
7eb9bfac4fa3efa0081eda73287c82c02b7b7548

SHA256
cf30c3f648be4df580aab16071d1be65391d926ada6a213bc6260b37c8f90080

SHA512
f2c8e8e60251156c124a519c4c0198ec1afae10bd8a72a56d161e81573a69f5cc34858fad2ffbd871880ea56b2b9a0543b99d7789bdc680e2deb606a4ab13413

Download Submit
C:\Windows\System\OeDxsut.exe

Filesize
6.1MB

MD5
ba49227deb0223fe41e536009f9443ad

SHA1
690279fe841a62745a15ff7a25f0fd6626ebfd71

SHA256
bf311ae99152b4bb136d364b12a6a9f00505d2b1dac136ba02ba050b22b915d9

SHA512
efb93758f3b12bfb884f2787c358e6b76a4e7c0bfc8b3ab162ce9f850ad0923ea5fc48c67a6bf1d721597d45ce76c1eff1d32e7a5339903db329224553189765

Download Submit
C:\Windows\System\OwJVWKA.exe

Filesize
6.1MB

MD5
5b0f3233a395f016cd250eb15dff7e65

SHA1
c021020cea33e7db1d10a7fa45a62f342af8b57c

SHA256
64183cda5a2f0a7182afcda51a8c109f4d24f0827957591b04334fa985bc4bfa

SHA512
05a28e542f94950c35d160f37f5b63527125a4e0fadf65396ed0de4b20e052cbea83a8748eb5c9204b8c645621ff7590ed141e528aedfe6d470b2c2c7c064732

Download Submit
C:\Windows\System\PDqGqAs.exe

Filesize
6.0MB

MD5
9acf79cf9c6ab273b9571b3937db27a8

SHA1
9d2345c289c638c84567acb987aa48d80a583a32

SHA256
ca8a38a1dba6bfffc0c590d60cb7ff5638ac716542a0fff561f24fcc3daf06fd

SHA512
211d930e6dd0a5c00a8300bb83a834299895bb64420d30eeb3f0f5c180db36b98320e503133dded38195a7093397464899e99b85ab0c19b2d593dadef2b1ecab

Download Submit
C:\Windows\System\PNkCZBq.exe

Filesize
6.1MB

MD5
e566f5eceda4708e20acd28b50c607b3

SHA1
458e0a086a77d14fd7f19c37bf94c0a120912c7b

SHA256
72cb4f6b78edfc01c1273170dc929d560b0c8bcc5e09df0e92c62dcdf868d94f

SHA512
5f3ef6cd09fd59628df9f097d10502abc784a39c1fe7032df7d3320bf68f99af25a8a0565cc517ea3d31a26848a86956df074169ad4d5ed04e3f800689b03033

Download Submit
C:\Windows\System\SczOMZp.exe

Filesize
6.1MB

MD5
84531ac82b1abcd500d1f4481da607f7

SHA1
ff0f8d607fab1a7519a88bb6abd5b70adaf850b3

SHA256
da0778db2a089e395e76a5e15581c78a529b7c090701c3ac0c0113ad2b87fd5b

SHA512
bf95b7d727ca2ebf61aa4626b5e08976a41f70a906e2089c2fb0f1f6bfd377b6bfdb8af271ae2c26211a109050fb742487bd97d79e9bc855c45b4a5a0cf19297

Download Submit
C:\Windows\System\SguPyuE.exe

Filesize
6.1MB

MD5
e8c28e7f432782e3acf48b91be7a3b02

SHA1
ddc677a9b972a4e7153bb01f458749fda3048924

SHA256
10dfa6fd96777ce3d8dc6d9cbac26fdcbf7ac0d7f723390200fce6cc130a4434

SHA512
aa39c9219da1961f3ddd5c69a8e55f86a151b04ea257706f582329bd88f8ca600cbe368b8b04b41cc17c1758e893402efc82e9636e0cc778fdd6c8ce949b66e7

Download Submit
C:\Windows\System\TLEgvna.exe

Filesize
6.1MB

MD5
713d7142dda3dad40ae172ee57f69964

SHA1
a7984b04c33d2de67fab1ff2c3f180750fb959e5

SHA256
964cbe7ef7ec6a9746d715e5ff8bb832e692dd46142cbdf6ea93d66c85be0581

SHA512
05a1bf654dac61a6d2db9829ad7bf944cfb8793171bf802e07d9ee2752e223c75c663bded8195b9642989de5bbe5471a9b687d52ff364657d2027e3ee71e0efa

Download Submit
C:\Windows\System\UrKuddt.exe

Filesize
6.1MB

MD5
b916d8049c1149f0fe6f2dc6e05e8f53

SHA1
691d276978b271b3067e9d504df7add759c2245b

SHA256
5ae39497ec900dd59b560f2f2e3ee97670d53bbff66e3a0495cd3a9c6d8f5d5a

SHA512
86321621bf7b2b28929bdfdd2c028ba6a28aa370e87ead8efba5ade223e155af1f7fd8189b419b5442d03026ae6efb6305de00d5dbfb3dfe0e285768daa3d547

Download Submit
C:\Windows\System\UsjNGTd.exe

Filesize
6.1MB

MD5
b09bae3cf96734319ee1da9a94c52313

SHA1
bb74409434129bf356d8cd394b2641168e3063a9

SHA256
eec5b9590e674edc1dd3ecbca375dd45ce556819f6d3d734031712b66c0e7946

SHA512
ee01254c7d3d9909e04fe81ed4237df99a8ff1d25e7da73440543e2b896a8f3d06924ae4d5261e9a73a9e2d00e1f8ae72b1d05731258f9a9faa3122f8fec7ac9

Download Submit
C:\Windows\System\XmOlpPr.exe

Filesize
6.1MB

MD5
35957fd99c9640c4a66d85004c7d5b35

SHA1
5cdec744ef4e88d9d759d13aa95491d268da9481

SHA256
36184e2ec4617599a5e70372156564b6fec3611cb2ab03a7c088d2fc9707220c

SHA512
6066e8e5c5e8a4ed8f6b7b7799ab0d6787b346f791cefc4e08b7672b4b54116625a5a1032185a6fe31991c7d9d6773cd8af75863fc5d741baa0d7f58b0c97bba

Download Submit
C:\Windows\System\ZZnUcKJ.exe

Filesize
6.0MB

MD5
5a2138ed6540951c9a683ccabc3125bc

SHA1
55068d2decf169fcbe55da31d2f859a2adf49238

SHA256
56c4eb25c7cd77e867c1ac4424398621e152d963b6e32964c9929dd055200285

SHA512
338c91d50fe7f40d257013d90118659f6d06f4a2d3e2ad0482b5ea191a339f1bd4eaff11533f9d3015e384c63f7bf6ef7c2db8cedbdf4a79e3243bafa7c693e6

Download Submit
C:\Windows\System\aqvmniH.exe

Filesize
6.1MB

MD5
b172cca8a96a483e1d8cb1adfc012378

SHA1
c1be65ad2b4ba752a29c7a7f12fe44fe53af0723

SHA256
103bbf798fcb980f558726736cb85c15e198de0deeb884da81f05fe6e99772c3

SHA512
797e43fdefd8ce078e9be4c3bcd7ddb2d78242e455d08e2643c8ebb5b58dda4d05cf32b97480368725a5e1bbac21fdeb2e9e39af64aa288f7d17dbb3ad8de855

Download Submit
C:\Windows\System\dIviTIC.exe

Filesize
6.1MB

MD5
586b6fce59bfb185fc627c31c0fac519

SHA1
aad50cf4f0493282723ba83acdc462a436a54a1e

SHA256
42939fc227c5f31186ef9b021b28ff619cf0c4721a7574ec448fa9cf5b931aeb

SHA512
e58c94b02d7ac904e5e6dc558d19e58900bf5ecf6ccda9ff0345ea633cd670c61e561da29f07fd57cb21f3747683cc869edb7cdd7d248ac5164e4f83ec8879e0

Download Submit
C:\Windows\System\dhGzkhg.exe

Filesize
6.1MB

MD5
3766c54788e45f12a2d05fb740522e2e

SHA1
ae468c4acc283bdf9f0bc02409f66086e63864f7

SHA256
ba4cbd04b31cf309e3be099f6f5cf80fbb94d4f1d89e8f494ec8fa383dc6488b

SHA512
37a8e444196f11e96f31dcc3a6e1ab40ac77cd468db2a5670900ed140dd6115d4f130aa11748c62bf53e0927b09f9b94bad17d5e33cb6c8bd18a3a1ef60a30da

Download Submit
C:\Windows\System\ftSjMKr.exe

Filesize
6.0MB

MD5
341d1a92821e0bc2affe1b27aef739ce

SHA1
2a808fcabdf1165ca7408a076131e4eeb6eaf849

SHA256
d43c171dc4e9f7687119c72db1b4cd5472ae0f63d2e09f8c12fae63289378556

SHA512
d2d3a6742d75f3c4f54af4c44c36c061cf2cc9401799858317dfe7ec70ea78c4894cb4e2190587860d668b95ed1279a1b929a4fa913a4508244bfec057c5cb37

Download Submit
C:\Windows\System\gwFuqtm.exe

Filesize
6.1MB

MD5
7c955a542269500773d61f49cab2a5c9

SHA1
c96467499c1121b3563844ba77b569f73406214d

SHA256
fe2943d37f9900f180bb1d78c066472d4159cf4131fd42217a9cf3b288ab6e60

SHA512
137364ba92b32824e051c478f916fc32abf1c852066c63cd561beef759a78cf7b888238807ad95ec6a66760350c4425256a6ddcfc3cea89a10c88fcc2beb8080

Download Submit
C:\Windows\System\hmeAkmq.exe

Filesize
6.1MB

MD5
24b7a67b69a76c1ba973ec5928bac096

SHA1
15a33109c76c4f89e13d72cc8313473167fbfdaa

SHA256
5bb1d90b0ba26fa4c7965317d8b05872f6e3ef9064354d408f41bcb4c45247b9

SHA512
09fdbf4fe69e952b57c6440cf68a8dc027b6671a5e151fd7697d1e242f80964b579bc502ff0b39cbdc9a4e6f5443964c9bcac86e6be1917689d879914c060189

Download Submit
C:\Windows\System\nDhqYuw.exe

Filesize
6.0MB

MD5
9cdd66ea8016853a4ffd8ca66bb88e69

SHA1
a64b1ce91679f18a4a344663f96b7796557548a6

SHA256
55ebd3044551d9a58cc65bdcda26b4afd715800bfdf1b3541e01e67697764747

SHA512
cbfa5df36844ca8b944dc918a0777c53d506b4db1004ebf3a81304b00d6a8b2ea9dfb3b67455c3f70a2e66a7eca65b4b70b013236fb39fd7603cea892f94adba

Download Submit
C:\Windows\System\ngdmCGa.exe

Filesize
6.1MB

MD5
285ca69e2caacc6d547d5f90b57b44e6

SHA1
10af65a9ad98a3a2a21ee79a51397822e68791b6

SHA256
a7721a009d9f4c5f28620063a15d4ba0ae1744cb5d97892279aecdbf9990eff3

SHA512
66c1c7d454df1b51deba9f7e1817a26fc21e304d22c0280a5d252d703ef2412d9a5e4c4c21dbf223982fd6195860e3ba54b4c8507284a83c74bb382c1e58a652

Download Submit
C:\Windows\System\rCpkxkt.exe

Filesize
6.1MB

MD5
030172539085dc5392eac4c65fd34a9c

SHA1
fc423414456d356c87c760758df400df7f694f2b

SHA256
5129b1daafd55e38ee4ba93cbe65592a9a3a7d16ebf701204f93aba765e5e17a

SHA512
91b9dc5bc50d3bfd3c1b6c41496af923f1b475607e77abfbc4398a73b22c512865392567f3ef752eb62b25923ae7dfd89590c4fccced19df60b0146b6bc1455e

Download Submit
C:\Windows\System\tHhddIA.exe

Filesize
6.1MB

MD5
4d2dc94e9c798246c2d90517dbe77206

SHA1
2fcb03802894a25daf5c0383c38bb40156fd53e2

SHA256
09bb87c7a0eb13b97ddd68100733f58790e39ae8808f5adc628d1d76b959d4a3

SHA512
eaae96de94b704c201316284a5d930362e6a348b74b45a3434eb1372f512124ef410a98f4e620d26390ee90b621f63e1ac39b3d5b56a29ade1ed2f8aa1d50f3b

Download Submit
C:\Windows\System\upYUYGk.exe

Filesize
6.0MB

MD5
74a3e77579f58e8a77630bc99c3a0a00

SHA1
1c02ae79dbf46987a2cebcd85ed403f7c2a6dc72

SHA256
5a3755f04b5691928b495939a135e15066ff9c514a15ec295f6c2423f64a8534

SHA512
70276900105290faa58ebefb5ae18c9e83cb59a963576a5b55c0af2300c380b91771bd9a357425995f7a28c46e595d18236d456a991945bfd7d15699fb641b89

Download Submit
C:\Windows\System\vXXPOQk.exe

Filesize
6.1MB

MD5
1c932e9a6a812e90a9a578d8915769a2

SHA1
25c5d307446b22704fac9d0b32bad4b8436eb3ba

SHA256
0f00cb5888ad633f3240d69a5745355f422419a3a59fb190b56760a5220699a6

SHA512
cc3d6c98c7f2f4c8bbc80b43d78725df1a4b9a7f2166f1a1bfea3c45987e8ab5d6832cc9267b86f4ab3f93198d14a577488c9e6f4106f4db421c316add37395b

Download Submit
C:\Windows\System\xygYGtM.exe

Filesize
6.1MB

MD5
6477ca599e4cf577a57846fbb625c323

SHA1
b3b30385091b550180bc482c732b44a3e44eef33

SHA256
1bc89dc622594159b4a3aec869ff80bc9230cf6e51a948e802651743047d011b

SHA512
b50a470f36580c4b601f2c45e408bc53702ccc93d6926a056061e2d3b2358823e2ce3f5b3dda2183317941d4284ac7846b59616fbc1230621af890dcc8054821

Download Submit
C:\Windows\System\zUzQNJT.exe

Filesize
6.1MB

MD5
57fe5fd8b0eea20c16abe5ece1e321e6

SHA1
a38ef1ebb750fe9001fb9f2422b72517c6ba4a6d

SHA256
4d2b6609cf89bab7a37f6151c10fb653464136402d47b3c30e9a3792b3763bf5

SHA512
445b4a952a517f21b558cd9206e3d1695ed09a6a28869b2d6e876975e7f92f5966d9cb808d5baba4f151afb25da85a9e1caacfa92dfa30e7d8e0f6eb98b71731

Download Submit
memory/368-120-0x00007FF6623C0000-0x00007FF662714000-memory.dmp

Filesize
3.3MB

Download
memory/368-2047-0x00007FF6623C0000-0x00007FF662714000-memory.dmp

Filesize
3.3MB

Download
memory/600-130-0x00007FF760AB0000-0x00007FF760E04000-memory.dmp

Filesize
3.3MB

Download
memory/600-2063-0x00007FF760AB0000-0x00007FF760E04000-memory.dmp

Filesize
3.3MB

Download
memory/692-7-0x00007FF793DD0000-0x00007FF794124000-memory.dmp

Filesize
3.3MB

Download
memory/692-1904-0x00007FF793DD0000-0x00007FF794124000-memory.dmp

Filesize
3.3MB

Download
memory/692-73-0x00007FF793DD0000-0x00007FF794124000-memory.dmp

Filesize
3.3MB

Download
memory/936-190-0x00007FF741890000-0x00007FF741BE4000-memory.dmp

Filesize
3.3MB

Download
memory/936-2264-0x00007FF741890000-0x00007FF741BE4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-135-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-1908-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1036-12-0x00007FF64DE80000-0x00007FF64E1D4000-memory.dmp

Filesize
3.3MB

Download
memory/1372-2038-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp

Filesize
3.3MB

Download
memory/1372-65-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp

Filesize
3.3MB

Download
memory/1372-191-0x00007FF6A98F0000-0x00007FF6A9C44000-memory.dmp

Filesize
3.3MB

Download
memory/1872-2045-0x00007FF6C6B20000-0x00007FF6C6E74000-memory.dmp

Filesize
3.3MB

Download
memory/1872-127-0x00007FF6C6B20000-0x00007FF6C6E74000-memory.dmp

Filesize
3.3MB

Download
memory/2008-128-0x00007FF785D80000-0x00007FF7860D4000-memory.dmp

Filesize
3.3MB

Download
memory/2008-2055-0x00007FF785D80000-0x00007FF7860D4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-129-0x00007FF744FB0000-0x00007FF745304000-memory.dmp

Filesize
3.3MB

Download
memory/2020-2060-0x00007FF744FB0000-0x00007FF745304000-memory.dmp

Filesize
3.3MB

Download
memory/2140-44-0x00007FF7E9820000-0x00007FF7E9B74000-memory.dmp

Filesize
3.3MB

Download
memory/2140-155-0x00007FF7E9820000-0x00007FF7E9B74000-memory.dmp

Filesize
3.3MB

Download
memory/2140-1999-0x00007FF7E9820000-0x00007FF7E9B74000-memory.dmp

Filesize
3.3MB

Download
memory/2212-62-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp

Filesize
3.3MB

Download
memory/2212-0-0x00007FF6108B0000-0x00007FF610C04000-memory.dmp

Filesize
3.3MB

Download
memory/2212-1-0x000001DD4A130000-0x000001DD4A140000-memory.dmp

Filesize
64KB

Download
memory/2324-1952-0x00007FF79B5D0000-0x00007FF79B924000-memory.dmp

Filesize
3.3MB

Download
memory/2324-30-0x00007FF79B5D0000-0x00007FF79B924000-memory.dmp

Filesize
3.3MB

Download
memory/2324-149-0x00007FF79B5D0000-0x00007FF79B924000-memory.dmp

Filesize
3.3MB

Download
memory/2416-2042-0x00007FF700DB0000-0x00007FF701104000-memory.dmp

Filesize
3.3MB

Download
memory/2416-115-0x00007FF700DB0000-0x00007FF701104000-memory.dmp

Filesize
3.3MB

Download
memory/2428-1943-0x00007FF6A3160000-0x00007FF6A34B4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-142-0x00007FF6A3160000-0x00007FF6A34B4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-25-0x00007FF6A3160000-0x00007FF6A34B4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-1955-0x00007FF670D10000-0x00007FF671064000-memory.dmp

Filesize
3.3MB

Download
memory/2520-154-0x00007FF670D10000-0x00007FF671064000-memory.dmp

Filesize
3.3MB

Download
memory/2520-38-0x00007FF670D10000-0x00007FF671064000-memory.dmp

Filesize
3.3MB

Download
memory/3088-572-0x00007FF6EC2E0000-0x00007FF6EC634000-memory.dmp

Filesize
3.3MB

Download
memory/3088-2265-0x00007FF6EC2E0000-0x00007FF6EC634000-memory.dmp

Filesize
3.3MB

Download
memory/3088-183-0x00007FF6EC2E0000-0x00007FF6EC634000-memory.dmp

Filesize
3.3MB

Download
memory/3096-2266-0x00007FF728520000-0x00007FF728874000-memory.dmp

Filesize
3.3MB

Download
memory/3096-524-0x00007FF728520000-0x00007FF728874000-memory.dmp

Filesize
3.3MB

Download
memory/3096-171-0x00007FF728520000-0x00007FF728874000-memory.dmp

Filesize
3.3MB

Download
memory/3548-134-0x00007FF6DAD10000-0x00007FF6DB064000-memory.dmp

Filesize
3.3MB

Download
memory/3548-2080-0x00007FF6DAD10000-0x00007FF6DB064000-memory.dmp

Filesize
3.3MB

Download
memory/3792-347-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/3792-147-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/3792-2260-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/3820-475-0x00007FF6D53D0000-0x00007FF6D5724000-memory.dmp

Filesize
3.3MB

Download
memory/3820-2263-0x00007FF6D53D0000-0x00007FF6D5724000-memory.dmp

Filesize
3.3MB

Download
memory/3820-164-0x00007FF6D53D0000-0x00007FF6D5724000-memory.dmp

Filesize
3.3MB

Download
memory/3844-181-0x00007FF734110000-0x00007FF734464000-memory.dmp

Filesize
3.3MB

Download
memory/3844-53-0x00007FF734110000-0x00007FF734464000-memory.dmp

Filesize
3.3MB

Download
memory/3844-2016-0x00007FF734110000-0x00007FF734464000-memory.dmp

Filesize
3.3MB

Download
memory/3848-132-0x00007FF619E10000-0x00007FF61A164000-memory.dmp

Filesize
3.3MB

Download
memory/3848-2074-0x00007FF619E10000-0x00007FF61A164000-memory.dmp

Filesize
3.3MB

Download
memory/3864-137-0x00007FF767AE0000-0x00007FF767E34000-memory.dmp

Filesize
3.3MB

Download
memory/3864-2079-0x00007FF767AE0000-0x00007FF767E34000-memory.dmp

Filesize
3.3MB

Download
memory/4104-138-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp

Filesize
3.3MB

Download
memory/4104-1938-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp

Filesize
3.3MB

Download
memory/4104-18-0x00007FF6D4590000-0x00007FF6D48E4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-450-0x00007FF64B0F0000-0x00007FF64B444000-memory.dmp

Filesize
3.3MB

Download
memory/4412-2262-0x00007FF64B0F0000-0x00007FF64B444000-memory.dmp

Filesize
3.3MB

Download
memory/4412-158-0x00007FF64B0F0000-0x00007FF64B444000-memory.dmp

Filesize
3.3MB

Download
memory/4528-133-0x00007FF6A0490000-0x00007FF6A07E4000-memory.dmp

Filesize
3.3MB

Download
memory/4528-2082-0x00007FF6A0490000-0x00007FF6A07E4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-136-0x00007FF787F00000-0x00007FF788254000-memory.dmp

Filesize
3.3MB

Download
memory/4652-2043-0x00007FF787F00000-0x00007FF788254000-memory.dmp

Filesize
3.3MB

Download
memory/4660-49-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp

Filesize
3.3MB

Download
memory/4660-2007-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp

Filesize
3.3MB

Download
memory/4660-170-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp

Filesize
3.3MB

Download
memory/4724-2261-0x00007FF7FCB30000-0x00007FF7FCE84000-memory.dmp

Filesize
3.3MB

Download
memory/4724-350-0x00007FF7FCB30000-0x00007FF7FCE84000-memory.dmp

Filesize
3.3MB

Download
memory/4724-153-0x00007FF7FCB30000-0x00007FF7FCE84000-memory.dmp

Filesize
3.3MB

Download
memory/4772-2069-0x00007FF7D05F0000-0x00007FF7D0944000-memory.dmp

Filesize
3.3MB

Download
memory/4772-131-0x00007FF7D05F0000-0x00007FF7D0944000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads