xmrig | f1a1dcc7752b787f2a00b2d3c729c4b644e19fce70f3bbe0d82a1fd621623f4f

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
Size

5.7MB
MD5

e759f83e64dcf662b7495c721d80c7ae
SHA1

1fdf23d021e3f8bc9074173e1be67884ff06acd1
SHA256

f1a1dcc7752b787f2a00b2d3c729c4b644e19fce70f3bbe0d82a1fd621623f4f
SHA512

bdb0751f40c9f0849ecb09623eca96426d77af6f77d9816c61a0569ba7fbb74916a5dd77ca08e102c124368aa94c3b19df5470adfc90ba174318cf4332264b48
SSDEEP

98304:z1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHr8L:zbBeSFkx

Score

10^/10

xmrig execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1112-0-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp	xmrig
behavioral2/files/0x00070000000241a5-7.dat	xmrig
behavioral2/files/0x00070000000241a4-11.dat	xmrig
behavioral2/files/0x000d000000023f96-5.dat	xmrig
behavioral2/files/0x00070000000241a7-24.dat	xmrig
behavioral2/files/0x00070000000241a6-25.dat	xmrig
behavioral2/memory/4092-27-0x00007FF603E70000-0x00007FF604263000-memory.dmp	xmrig
behavioral2/files/0x00070000000241a8-46.dat	xmrig
behavioral2/memory/5084-48-0x00007FF7E6B60000-0x00007FF7E6F53000-memory.dmp	xmrig
behavioral2/memory/5040-50-0x00007FF771670000-0x00007FF771A63000-memory.dmp	xmrig
behavioral2/files/0x00080000000241a9-65.dat	xmrig
behavioral2/files/0x00070000000241ac-72.dat	xmrig
behavioral2/memory/2060-80-0x00007FF7F5360000-0x00007FF7F5753000-memory.dmp	xmrig
behavioral2/memory/2896-86-0x00007FF6C9790000-0x00007FF6C9B83000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b0-94.dat	xmrig
behavioral2/files/0x00070000000241b1-101.dat	xmrig
behavioral2/memory/4920-109-0x00007FF631AF0000-0x00007FF631EE3000-memory.dmp	xmrig
behavioral2/memory/1976-110-0x00007FF74BAA0000-0x00007FF74BE93000-memory.dmp	xmrig
behavioral2/memory/2440-111-0x00007FF7824C0000-0x00007FF7828B3000-memory.dmp	xmrig
behavioral2/memory/1032-108-0x00007FF7D67A0000-0x00007FF7D6B93000-memory.dmp	xmrig
behavioral2/memory/8-105-0x00007FF683910000-0x00007FF683D03000-memory.dmp	xmrig
behavioral2/memory/2804-102-0x00007FF7503B0000-0x00007FF7507A3000-memory.dmp	xmrig
behavioral2/memory/4664-99-0x00007FF7BBB20000-0x00007FF7BBF13000-memory.dmp	xmrig
behavioral2/files/0x00070000000241af-96.dat	xmrig
behavioral2/memory/2268-93-0x00007FF713870000-0x00007FF713C63000-memory.dmp	xmrig
behavioral2/memory/1516-91-0x00007FF77A920000-0x00007FF77AD13000-memory.dmp	xmrig
behavioral2/files/0x00070000000241ae-89.dat	xmrig
behavioral2/files/0x00070000000241ad-83.dat	xmrig
behavioral2/files/0x00080000000241a1-87.dat	xmrig
behavioral2/memory/1536-82-0x00007FF72CC60000-0x00007FF72D053000-memory.dmp	xmrig
behavioral2/files/0x00070000000241ab-67.dat	xmrig
behavioral2/files/0x00080000000241aa-52.dat	xmrig
behavioral2/memory/1744-9-0x00007FF7734A0000-0x00007FF773893000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b3-123.dat	xmrig
behavioral2/memory/2200-131-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b6-138.dat	xmrig
behavioral2/files/0x00070000000241b5-134.dat	xmrig
behavioral2/memory/4092-166-0x00007FF603E70000-0x00007FF604263000-memory.dmp	xmrig
behavioral2/memory/2336-183-0x00007FF769330000-0x00007FF769723000-memory.dmp	xmrig
behavioral2/files/0x00070000000241be-189.dat	xmrig
behavioral2/files/0x00070000000241bf-194.dat	xmrig
behavioral2/files/0x00070000000241bd-187.dat	xmrig
behavioral2/files/0x00070000000241bc-185.dat	xmrig
behavioral2/files/0x00070000000241bb-177.dat	xmrig
behavioral2/memory/2584-176-0x00007FF6750A0000-0x00007FF675493000-memory.dmp	xmrig
behavioral2/files/0x00070000000241ba-173.dat	xmrig
behavioral2/files/0x00070000000241b9-170.dat	xmrig
behavioral2/memory/1744-163-0x00007FF7734A0000-0x00007FF773893000-memory.dmp	xmrig
behavioral2/memory/2260-161-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b8-155.dat	xmrig
behavioral2/files/0x00070000000241b7-153.dat	xmrig
behavioral2/memory/2472-150-0x00007FF70EAB0000-0x00007FF70EEA3000-memory.dmp	xmrig
behavioral2/files/0x00070000000241c1-204.dat	xmrig
behavioral2/files/0x00070000000241c0-199.dat	xmrig
behavioral2/memory/1112-141-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp	xmrig
behavioral2/memory/4812-139-0x00007FF67D620000-0x00007FF67DA13000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b4-129.dat	xmrig
behavioral2/memory/752-125-0x00007FF749510000-0x00007FF749903000-memory.dmp	xmrig
behavioral2/memory/2508-120-0x00007FF7167E0000-0x00007FF716BD3000-memory.dmp	xmrig
behavioral2/files/0x00070000000241b2-117.dat	xmrig
behavioral2/memory/2200-649-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp	xmrig
behavioral2/memory/2260-749-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp	xmrig
behavioral2/memory/2336-931-0x00007FF769330000-0x00007FF769723000-memory.dmp	xmrig
behavioral2/memory/752-3808-0x00007FF749510000-0x00007FF749903000-memory.dmp	xmrig

Blocklisted process makes network request 23 IoCs

flow	pid	Process
7	3268	powershell.exe
9	3268	powershell.exe
11	3268	powershell.exe
12	3268	powershell.exe
17	3268	powershell.exe
18	3268	powershell.exe
20	3268	powershell.exe
29	3268	powershell.exe
45	3268	powershell.exe
46	3268	powershell.exe
61	3268	powershell.exe
62	3268	powershell.exe
63	3268	powershell.exe
64	3268	powershell.exe
65	3268	powershell.exe
66	3268	powershell.exe
67	3268	powershell.exe
68	3268	powershell.exe
69	3268	powershell.exe
70	3268	powershell.exe
71	3268	powershell.exe
72	3268	powershell.exe
73	3268	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1744	YNZpvor.exe
4092	PNipYrv.exe
4664	XBSFwJx.exe
5084	AGxRzIy.exe
5040	MfQNsjD.exe
2804	SguDxlk.exe
2060	MtspIPW.exe
8	PMqqudU.exe
1536	rwdbLOZ.exe
2896	mbvJNZv.exe
1516	adayqSn.exe
2268	LYJcbDI.exe
1032	zIAeYMo.exe
4920	mKYlPvH.exe
1976	wxrtoie.exe
2440	IJYDQPL.exe
2508	zOZNeJF.exe
752	zbCRGrR.exe
2200	zeQfxGV.exe
4812	VOIdoyu.exe
2472	KSRzpvc.exe
2584	rQIFNBy.exe
2260	QFKIciu.exe
2336	gEBaSrX.exe
728	KqjhNFF.exe
820	joxPUkp.exe
4488	jWaIhmH.exe
3504	HXYeERL.exe
3240	NeLGYAx.exe
4860	nWjSSgQ.exe
3912	IaWIPXl.exe
4428	Jhrtime.exe
5076	jgEzkdH.exe
3636	esOKOsJ.exe
3720	ppUNCnv.exe
4192	PutpLiQ.exe
552	dsxxCkt.exe
3096	ymvgOkf.exe
1908	MJSQMrE.exe
2708	NDzdsHz.exe
1828	xmGvltw.exe
3632	rFDTGTi.exe
2932	JzUeVKA.exe
3384	IaGRDYS.exe
3460	OwkJOKK.exe
2488	kwwvtiV.exe
4700	RynCcPu.exe
4400	vPUzQvp.exe
1768	LzBpiJt.exe
1036	UYbnkri.exe
2928	MCuZidn.exe
2976	WdykXQo.exe
3188	LHZdiYU.exe
4348	YkFcHCV.exe
3044	tSZfCjA.exe
2388	nCgjHQc.exe
1608	wWaMdIL.exe
3084	IJcGLtm.exe
4464	SoyAZwZ.exe
4936	TlAudhr.exe
380	ptHJxha.exe
2428	yNpYLsH.exe
5008	NtHaMvw.exe
1864	BoHfwaC.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1112-0-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp	upx
behavioral2/files/0x00070000000241a5-7.dat	upx
behavioral2/files/0x00070000000241a4-11.dat	upx
behavioral2/files/0x000d000000023f96-5.dat	upx
behavioral2/files/0x00070000000241a7-24.dat	upx
behavioral2/files/0x00070000000241a6-25.dat	upx
behavioral2/memory/4092-27-0x00007FF603E70000-0x00007FF604263000-memory.dmp	upx
behavioral2/files/0x00070000000241a8-46.dat	upx
behavioral2/memory/5084-48-0x00007FF7E6B60000-0x00007FF7E6F53000-memory.dmp	upx
behavioral2/memory/5040-50-0x00007FF771670000-0x00007FF771A63000-memory.dmp	upx
behavioral2/files/0x00080000000241a9-65.dat	upx
behavioral2/files/0x00070000000241ac-72.dat	upx
behavioral2/memory/2060-80-0x00007FF7F5360000-0x00007FF7F5753000-memory.dmp	upx
behavioral2/memory/2896-86-0x00007FF6C9790000-0x00007FF6C9B83000-memory.dmp	upx
behavioral2/files/0x00070000000241b0-94.dat	upx
behavioral2/files/0x00070000000241b1-101.dat	upx
behavioral2/memory/4920-109-0x00007FF631AF0000-0x00007FF631EE3000-memory.dmp	upx
behavioral2/memory/1976-110-0x00007FF74BAA0000-0x00007FF74BE93000-memory.dmp	upx
behavioral2/memory/2440-111-0x00007FF7824C0000-0x00007FF7828B3000-memory.dmp	upx
behavioral2/memory/1032-108-0x00007FF7D67A0000-0x00007FF7D6B93000-memory.dmp	upx
behavioral2/memory/8-105-0x00007FF683910000-0x00007FF683D03000-memory.dmp	upx
behavioral2/memory/2804-102-0x00007FF7503B0000-0x00007FF7507A3000-memory.dmp	upx
behavioral2/memory/4664-99-0x00007FF7BBB20000-0x00007FF7BBF13000-memory.dmp	upx
behavioral2/files/0x00070000000241af-96.dat	upx
behavioral2/memory/2268-93-0x00007FF713870000-0x00007FF713C63000-memory.dmp	upx
behavioral2/memory/1516-91-0x00007FF77A920000-0x00007FF77AD13000-memory.dmp	upx
behavioral2/files/0x00070000000241ae-89.dat	upx
behavioral2/files/0x00070000000241ad-83.dat	upx
behavioral2/files/0x00080000000241a1-87.dat	upx
behavioral2/memory/1536-82-0x00007FF72CC60000-0x00007FF72D053000-memory.dmp	upx
behavioral2/files/0x00070000000241ab-67.dat	upx
behavioral2/files/0x00080000000241aa-52.dat	upx
behavioral2/memory/1744-9-0x00007FF7734A0000-0x00007FF773893000-memory.dmp	upx
behavioral2/files/0x00070000000241b3-123.dat	upx
behavioral2/memory/2200-131-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp	upx
behavioral2/files/0x00070000000241b6-138.dat	upx
behavioral2/files/0x00070000000241b5-134.dat	upx
behavioral2/memory/4092-166-0x00007FF603E70000-0x00007FF604263000-memory.dmp	upx
behavioral2/memory/2336-183-0x00007FF769330000-0x00007FF769723000-memory.dmp	upx
behavioral2/files/0x00070000000241be-189.dat	upx
behavioral2/files/0x00070000000241bf-194.dat	upx
behavioral2/files/0x00070000000241bd-187.dat	upx
behavioral2/files/0x00070000000241bc-185.dat	upx
behavioral2/files/0x00070000000241bb-177.dat	upx
behavioral2/memory/2584-176-0x00007FF6750A0000-0x00007FF675493000-memory.dmp	upx
behavioral2/files/0x00070000000241ba-173.dat	upx
behavioral2/files/0x00070000000241b9-170.dat	upx
behavioral2/memory/1744-163-0x00007FF7734A0000-0x00007FF773893000-memory.dmp	upx
behavioral2/memory/2260-161-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp	upx
behavioral2/files/0x00070000000241b8-155.dat	upx
behavioral2/files/0x00070000000241b7-153.dat	upx
behavioral2/memory/2472-150-0x00007FF70EAB0000-0x00007FF70EEA3000-memory.dmp	upx
behavioral2/files/0x00070000000241c1-204.dat	upx
behavioral2/files/0x00070000000241c0-199.dat	upx
behavioral2/memory/1112-141-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp	upx
behavioral2/memory/4812-139-0x00007FF67D620000-0x00007FF67DA13000-memory.dmp	upx
behavioral2/files/0x00070000000241b4-129.dat	upx
behavioral2/memory/752-125-0x00007FF749510000-0x00007FF749903000-memory.dmp	upx
behavioral2/memory/2508-120-0x00007FF7167E0000-0x00007FF716BD3000-memory.dmp	upx
behavioral2/files/0x00070000000241b2-117.dat	upx
behavioral2/memory/2200-649-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp	upx
behavioral2/memory/2260-749-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp	upx
behavioral2/memory/2336-931-0x00007FF769330000-0x00007FF769723000-memory.dmp	upx
behavioral2/memory/752-3808-0x00007FF749510000-0x00007FF749903000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\NKWanlt.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\nDQMkFS.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\FDmlKPu.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\vszcMka.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\PDOVfhr.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\BzXXzRW.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\opPBHXL.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\zaRNChl.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\yNpYLsH.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\rVJfInP.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\PtlJSJc.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\KDYsKBQ.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\jYURsSX.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\ZgGdgsE.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\CrIcEpB.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\ZYrXDSn.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\wKeUnBV.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\kbwEaro.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\JzUeVKA.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\vmrAOoU.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\SVTXCYi.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\XdWXsmR.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\MIYSywf.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\biTiows.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\poGVKYS.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\DGxneui.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\lNCpOgz.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\pGuyOYE.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\DMnKona.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\cuFkEaP.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\huCIRqF.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\LqwPNhA.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\jVBnTyS.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\QawMopj.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\PLwlLpR.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\nuKnkoZ.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\fqbOYIN.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\TWWaWHP.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\kUACrIw.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\HfdwnMA.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\llUbwhQ.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\yjleTlF.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\vsNzSRO.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\zolExLu.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\VMeWOiW.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\LhizYnW.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\kecxHmH.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\eLDBVlY.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\abxWDQf.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\ueUlzpb.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\vjGgaLA.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\clkUHFE.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\jZHuUKc.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\LUqucPK.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\rELTXpp.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\piXULTN.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\iQCiQdZ.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\fsmpCTo.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\RrsdpGW.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\sQWNBmT.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\WOqtNkW.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\ytGChAR.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\ECTZEzO.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
File created	C:\Windows\System\JlHSxzx.exe	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR it-IT Locale Handler"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Elsa"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1036-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Elsa - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_ja-JP.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bb	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "L1031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\MSTTSLocesES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "English Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Mark - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\AI041036"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "40A;C0A"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "409;9"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{5393E119-AA53-4E5D-9C67-0157B8460747}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Zira - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
Token: SeLockMemoryPrivilege	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	13444	explorer.exe
Token: SeCreatePagefilePrivilege	13444	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	4188	explorer.exe
Token: SeCreatePagefilePrivilege	4188	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe
Token: SeCreatePagefilePrivilege	12992	explorer.exe
Token: SeShutdownPrivilege	12992	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
7396	sihost.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
13444	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
4188	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
12992	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
14652	explorer.exe
6780	explorer.exe
6780	explorer.exe
6780	explorer.exe
6780	explorer.exe
6780	explorer.exe
6780	explorer.exe
6780	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
11856	StartMenuExperienceHost.exe
7336	StartMenuExperienceHost.exe
2144	StartMenuExperienceHost.exe
13840	SearchApp.exe
14808	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 3268	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	87
PID 1112 wrote to memory of 3268	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	87
PID 1112 wrote to memory of 1744	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	88
PID 1112 wrote to memory of 1744	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	88
PID 1112 wrote to memory of 4092	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	89
PID 1112 wrote to memory of 4092	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	89
PID 1112 wrote to memory of 4664	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	90
PID 1112 wrote to memory of 4664	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	90
PID 1112 wrote to memory of 5084	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	91
PID 1112 wrote to memory of 5084	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	91
PID 1112 wrote to memory of 5040	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	92
PID 1112 wrote to memory of 5040	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	92
PID 1112 wrote to memory of 2804	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	93
PID 1112 wrote to memory of 2804	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	93
PID 1112 wrote to memory of 2060	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	94
PID 1112 wrote to memory of 2060	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	94
PID 1112 wrote to memory of 1536	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	95
PID 1112 wrote to memory of 1536	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	95
PID 1112 wrote to memory of 8	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	96
PID 1112 wrote to memory of 8	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	96
PID 1112 wrote to memory of 2896	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	97
PID 1112 wrote to memory of 2896	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	97
PID 1112 wrote to memory of 1516	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	98
PID 1112 wrote to memory of 1516	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	98
PID 1112 wrote to memory of 2268	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	99
PID 1112 wrote to memory of 2268	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	99
PID 1112 wrote to memory of 1032	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	100
PID 1112 wrote to memory of 1032	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	100
PID 1112 wrote to memory of 4920	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	101
PID 1112 wrote to memory of 4920	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	101
PID 1112 wrote to memory of 1976	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	102
PID 1112 wrote to memory of 1976	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	102
PID 1112 wrote to memory of 2440	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	103
PID 1112 wrote to memory of 2440	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	103
PID 1112 wrote to memory of 2508	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	104
PID 1112 wrote to memory of 2508	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	104
PID 1112 wrote to memory of 752	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	105
PID 1112 wrote to memory of 752	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	105
PID 1112 wrote to memory of 2200	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	106
PID 1112 wrote to memory of 2200	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	106
PID 1112 wrote to memory of 4812	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	107
PID 1112 wrote to memory of 4812	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	107
PID 1112 wrote to memory of 2472	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	108
PID 1112 wrote to memory of 2472	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	108
PID 1112 wrote to memory of 2584	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	109
PID 1112 wrote to memory of 2584	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	109
PID 1112 wrote to memory of 2260	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	110
PID 1112 wrote to memory of 2260	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	110
PID 1112 wrote to memory of 2336	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	111
PID 1112 wrote to memory of 2336	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	111
PID 1112 wrote to memory of 728	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	113
PID 1112 wrote to memory of 728	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	113
PID 1112 wrote to memory of 820	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	114
PID 1112 wrote to memory of 820	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	114
PID 1112 wrote to memory of 4488	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	115
PID 1112 wrote to memory of 4488	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	115
PID 1112 wrote to memory of 3504	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	116
PID 1112 wrote to memory of 3504	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	116
PID 1112 wrote to memory of 3240	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	117
PID 1112 wrote to memory of 3240	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	117
PID 1112 wrote to memory of 4860	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	118
PID 1112 wrote to memory of 4860	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	118
PID 1112 wrote to memory of 3912	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	119
PID 1112 wrote to memory of 3912	1112	2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_e759f83e64dcf662b7495c721d80c7ae_aspxspy_black-basta_ezcob_imuler_xmrig.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System\YNZpvor.exe
  C:\Windows\System\YNZpvor.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\PNipYrv.exe
  C:\Windows\System\PNipYrv.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System\XBSFwJx.exe
  C:\Windows\System\XBSFwJx.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\AGxRzIy.exe
  C:\Windows\System\AGxRzIy.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\MfQNsjD.exe
  C:\Windows\System\MfQNsjD.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\SguDxlk.exe
  C:\Windows\System\SguDxlk.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\MtspIPW.exe
  C:\Windows\System\MtspIPW.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\rwdbLOZ.exe
  C:\Windows\System\rwdbLOZ.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\PMqqudU.exe
  C:\Windows\System\PMqqudU.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\mbvJNZv.exe
  C:\Windows\System\mbvJNZv.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\adayqSn.exe
  C:\Windows\System\adayqSn.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\LYJcbDI.exe
  C:\Windows\System\LYJcbDI.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\zIAeYMo.exe
  C:\Windows\System\zIAeYMo.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\mKYlPvH.exe
  C:\Windows\System\mKYlPvH.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\wxrtoie.exe
  C:\Windows\System\wxrtoie.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\IJYDQPL.exe
  C:\Windows\System\IJYDQPL.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\zOZNeJF.exe
  C:\Windows\System\zOZNeJF.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\zbCRGrR.exe
  C:\Windows\System\zbCRGrR.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\zeQfxGV.exe
  C:\Windows\System\zeQfxGV.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\VOIdoyu.exe
  C:\Windows\System\VOIdoyu.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\KSRzpvc.exe
  C:\Windows\System\KSRzpvc.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\rQIFNBy.exe
  C:\Windows\System\rQIFNBy.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\QFKIciu.exe
  C:\Windows\System\QFKIciu.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\gEBaSrX.exe
  C:\Windows\System\gEBaSrX.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\KqjhNFF.exe
  C:\Windows\System\KqjhNFF.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\joxPUkp.exe
  C:\Windows\System\joxPUkp.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\jWaIhmH.exe
  C:\Windows\System\jWaIhmH.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\HXYeERL.exe
  C:\Windows\System\HXYeERL.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\NeLGYAx.exe
  C:\Windows\System\NeLGYAx.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\nWjSSgQ.exe
  C:\Windows\System\nWjSSgQ.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\IaWIPXl.exe
  C:\Windows\System\IaWIPXl.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\Jhrtime.exe
  C:\Windows\System\Jhrtime.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\jgEzkdH.exe
  C:\Windows\System\jgEzkdH.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\esOKOsJ.exe
  C:\Windows\System\esOKOsJ.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\ppUNCnv.exe
  C:\Windows\System\ppUNCnv.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\PutpLiQ.exe
  C:\Windows\System\PutpLiQ.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\dsxxCkt.exe
  C:\Windows\System\dsxxCkt.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\ymvgOkf.exe
  C:\Windows\System\ymvgOkf.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\MJSQMrE.exe
  C:\Windows\System\MJSQMrE.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\NDzdsHz.exe
  C:\Windows\System\NDzdsHz.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\xmGvltw.exe
  C:\Windows\System\xmGvltw.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\rFDTGTi.exe
  C:\Windows\System\rFDTGTi.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\JzUeVKA.exe
  C:\Windows\System\JzUeVKA.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\IaGRDYS.exe
  C:\Windows\System\IaGRDYS.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\OwkJOKK.exe
  C:\Windows\System\OwkJOKK.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\kwwvtiV.exe
  C:\Windows\System\kwwvtiV.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\RynCcPu.exe
  C:\Windows\System\RynCcPu.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\vPUzQvp.exe
  C:\Windows\System\vPUzQvp.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\LzBpiJt.exe
  C:\Windows\System\LzBpiJt.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\UYbnkri.exe
  C:\Windows\System\UYbnkri.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\MCuZidn.exe
  C:\Windows\System\MCuZidn.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\WdykXQo.exe
  C:\Windows\System\WdykXQo.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\LHZdiYU.exe
  C:\Windows\System\LHZdiYU.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\YkFcHCV.exe
  C:\Windows\System\YkFcHCV.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\tSZfCjA.exe
  C:\Windows\System\tSZfCjA.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\nCgjHQc.exe
  C:\Windows\System\nCgjHQc.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\wWaMdIL.exe
  C:\Windows\System\wWaMdIL.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\IJcGLtm.exe
  C:\Windows\System\IJcGLtm.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\SoyAZwZ.exe
  C:\Windows\System\SoyAZwZ.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\TlAudhr.exe
  C:\Windows\System\TlAudhr.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\ptHJxha.exe
  C:\Windows\System\ptHJxha.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\yNpYLsH.exe
  C:\Windows\System\yNpYLsH.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\NtHaMvw.exe
  C:\Windows\System\NtHaMvw.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\BoHfwaC.exe
  C:\Windows\System\BoHfwaC.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\hpdJSVo.exe
  C:\Windows\System\hpdJSVo.exe
  2⤵
  PID:3724
- C:\Windows\System\iyIiMoT.exe
  C:\Windows\System\iyIiMoT.exe
  2⤵
  PID:2596
- C:\Windows\System\gIasONU.exe
  C:\Windows\System\gIasONU.exe
  2⤵
  PID:3820
- C:\Windows\System\lgjXQry.exe
  C:\Windows\System\lgjXQry.exe
  2⤵
  PID:2164
- C:\Windows\System\gbeBXmF.exe
  C:\Windows\System\gbeBXmF.exe
  2⤵
  PID:1548
- C:\Windows\System\jlOuDhr.exe
  C:\Windows\System\jlOuDhr.exe
  2⤵
  PID:4768
- C:\Windows\System\leFLjgG.exe
  C:\Windows\System\leFLjgG.exe
  2⤵
  PID:1624
- C:\Windows\System\YrECvGi.exe
  C:\Windows\System\YrECvGi.exe
  2⤵
  PID:5124
- C:\Windows\System\PKojJAe.exe
  C:\Windows\System\PKojJAe.exe
  2⤵
  PID:5180
- C:\Windows\System\SrlYPJW.exe
  C:\Windows\System\SrlYPJW.exe
  2⤵
  PID:5196
- C:\Windows\System\MYqNFLm.exe
  C:\Windows\System\MYqNFLm.exe
  2⤵
  PID:5244
- C:\Windows\System\DJZjsas.exe
  C:\Windows\System\DJZjsas.exe
  2⤵
  PID:5292
- C:\Windows\System\RbpZnXs.exe
  C:\Windows\System\RbpZnXs.exe
  2⤵
  PID:5332
- C:\Windows\System\ZtgLVoZ.exe
  C:\Windows\System\ZtgLVoZ.exe
  2⤵
  PID:5372
- C:\Windows\System\ebEJCkV.exe
  C:\Windows\System\ebEJCkV.exe
  2⤵
  PID:5392
- C:\Windows\System\XZWbAyq.exe
  C:\Windows\System\XZWbAyq.exe
  2⤵
  PID:5444
- C:\Windows\System\nglDTVJ.exe
  C:\Windows\System\nglDTVJ.exe
  2⤵
  PID:5484
- C:\Windows\System\QDKdCow.exe
  C:\Windows\System\QDKdCow.exe
  2⤵
  PID:5508
- C:\Windows\System\gqXrpVv.exe
  C:\Windows\System\gqXrpVv.exe
  2⤵
  PID:5540
- C:\Windows\System\rYMLRiZ.exe
  C:\Windows\System\rYMLRiZ.exe
  2⤵
  PID:5568
- C:\Windows\System\qEoVIyZ.exe
  C:\Windows\System\qEoVIyZ.exe
  2⤵
  PID:5596
- C:\Windows\System\ogPKsYq.exe
  C:\Windows\System\ogPKsYq.exe
  2⤵
  PID:5624
- C:\Windows\System\hOQJBLo.exe
  C:\Windows\System\hOQJBLo.exe
  2⤵
  PID:5644
- C:\Windows\System\OOnLXHp.exe
  C:\Windows\System\OOnLXHp.exe
  2⤵
  PID:5692
- C:\Windows\System\HkiQHoy.exe
  C:\Windows\System\HkiQHoy.exe
  2⤵
  PID:5732
- C:\Windows\System\VQWSHdO.exe
  C:\Windows\System\VQWSHdO.exe
  2⤵
  PID:5760
- C:\Windows\System\qZBHZbb.exe
  C:\Windows\System\qZBHZbb.exe
  2⤵
  PID:5788
- C:\Windows\System\nNHVLYx.exe
  C:\Windows\System\nNHVLYx.exe
  2⤵
  PID:5816
- C:\Windows\System\hwWoArB.exe
  C:\Windows\System\hwWoArB.exe
  2⤵
  PID:5848
- C:\Windows\System\rELTXpp.exe
  C:\Windows\System\rELTXpp.exe
  2⤵
  PID:5876
- C:\Windows\System\ZqjiGtt.exe
  C:\Windows\System\ZqjiGtt.exe
  2⤵
  PID:5904
- C:\Windows\System\sEKapMw.exe
  C:\Windows\System\sEKapMw.exe
  2⤵
  PID:5932
- C:\Windows\System\okVBlja.exe
  C:\Windows\System\okVBlja.exe
  2⤵
  PID:5960
- C:\Windows\System\yqdHMHv.exe
  C:\Windows\System\yqdHMHv.exe
  2⤵
  PID:5988
- C:\Windows\System\gVJceVR.exe
  C:\Windows\System\gVJceVR.exe
  2⤵
  PID:6016
- C:\Windows\System\YIkmJyx.exe
  C:\Windows\System\YIkmJyx.exe
  2⤵
  PID:6044
- C:\Windows\System\LPzKyLX.exe
  C:\Windows\System\LPzKyLX.exe
  2⤵
  PID:6072
- C:\Windows\System\PDThFwv.exe
  C:\Windows\System\PDThFwv.exe
  2⤵
  PID:6100
- C:\Windows\System\LoyKGbk.exe
  C:\Windows\System\LoyKGbk.exe
  2⤵
  PID:6132
- C:\Windows\System\rLoCHGP.exe
  C:\Windows\System\rLoCHGP.exe
  2⤵
  PID:5144
- C:\Windows\System\MmSYbTS.exe
  C:\Windows\System\MmSYbTS.exe
  2⤵
  PID:5172
- C:\Windows\System\yTIUsTq.exe
  C:\Windows\System\yTIUsTq.exe
  2⤵
  PID:5252
- C:\Windows\System\dtDqESn.exe
  C:\Windows\System\dtDqESn.exe
  2⤵
  PID:5316
- C:\Windows\System\epoBnRa.exe
  C:\Windows\System\epoBnRa.exe
  2⤵
  PID:5360
- C:\Windows\System\eYvXETp.exe
  C:\Windows\System\eYvXETp.exe
  2⤵
  PID:5420
- C:\Windows\System\CoftmlC.exe
  C:\Windows\System\CoftmlC.exe
  2⤵
  PID:5464
- C:\Windows\System\XftcOJn.exe
  C:\Windows\System\XftcOJn.exe
  2⤵
  PID:5516
- C:\Windows\System\lzJdMOg.exe
  C:\Windows\System\lzJdMOg.exe
  2⤵
  PID:5608
- C:\Windows\System\TOmqbmi.exe
  C:\Windows\System\TOmqbmi.exe
  2⤵
  PID:5656
- C:\Windows\System\CZHmGig.exe
  C:\Windows\System\CZHmGig.exe
  2⤵
  PID:5740
- C:\Windows\System\eLDBVlY.exe
  C:\Windows\System\eLDBVlY.exe
  2⤵
  PID:5796
- C:\Windows\System\sgaBBUl.exe
  C:\Windows\System\sgaBBUl.exe
  2⤵
  PID:5864
- C:\Windows\System\aoQwtbC.exe
  C:\Windows\System\aoQwtbC.exe
  2⤵
  PID:6004
- C:\Windows\System\AwdUgJC.exe
  C:\Windows\System\AwdUgJC.exe
  2⤵
  PID:6088
- C:\Windows\System\EpCICQz.exe
  C:\Windows\System\EpCICQz.exe
  2⤵
  PID:5160
- C:\Windows\System\CADUtyd.exe
  C:\Windows\System\CADUtyd.exe
  2⤵
  PID:5224
- C:\Windows\System\SGHcCms.exe
  C:\Windows\System\SGHcCms.exe
  2⤵
  PID:5436
- C:\Windows\System\JcYSqaY.exe
  C:\Windows\System\JcYSqaY.exe
  2⤵
  PID:5548
- C:\Windows\System\sadclZO.exe
  C:\Windows\System\sadclZO.exe
  2⤵
  PID:4316
- C:\Windows\System\RIaFrnd.exe
  C:\Windows\System\RIaFrnd.exe
  2⤵
  PID:3184
- C:\Windows\System\DrQqDmV.exe
  C:\Windows\System\DrQqDmV.exe
  2⤵
  PID:1440
- C:\Windows\System\MdbeeoL.exe
  C:\Windows\System\MdbeeoL.exe
  2⤵
  PID:5276
- C:\Windows\System\GpIeYdL.exe
  C:\Windows\System\GpIeYdL.exe
  2⤵
  PID:5640
- C:\Windows\System\vRxyjzo.exe
  C:\Windows\System\vRxyjzo.exe
  2⤵
  PID:5984
- C:\Windows\System\OdTKIAh.exe
  C:\Windows\System\OdTKIAh.exe
  2⤵
  PID:6060
- C:\Windows\System\rUsOoBv.exe
  C:\Windows\System\rUsOoBv.exe
  2⤵
  PID:2660
- C:\Windows\System\zFtaFlV.exe
  C:\Windows\System\zFtaFlV.exe
  2⤵
  PID:5348
- C:\Windows\System\uhDunrQ.exe
  C:\Windows\System\uhDunrQ.exe
  2⤵
  PID:4480
- C:\Windows\System\SAIQHaY.exe
  C:\Windows\System\SAIQHaY.exe
  2⤵
  PID:2888
- C:\Windows\System\ReyKUdA.exe
  C:\Windows\System\ReyKUdA.exe
  2⤵
  PID:6188
- C:\Windows\System\eLMWAEy.exe
  C:\Windows\System\eLMWAEy.exe
  2⤵
  PID:6228
- C:\Windows\System\PDvvPfB.exe
  C:\Windows\System\PDvvPfB.exe
  2⤵
  PID:6288
- C:\Windows\System\fkHTDxI.exe
  C:\Windows\System\fkHTDxI.exe
  2⤵
  PID:6368
- C:\Windows\System\XfmSZdz.exe
  C:\Windows\System\XfmSZdz.exe
  2⤵
  PID:6460
- C:\Windows\System\zUsrhnq.exe
  C:\Windows\System\zUsrhnq.exe
  2⤵
  PID:6564
- C:\Windows\System\PqFjTaH.exe
  C:\Windows\System\PqFjTaH.exe
  2⤵
  PID:6624
- C:\Windows\System\yjleTlF.exe
  C:\Windows\System\yjleTlF.exe
  2⤵
  PID:6640
- C:\Windows\System\VDBZZGu.exe
  C:\Windows\System\VDBZZGu.exe
  2⤵
  PID:6676
- C:\Windows\System\gDWdxzD.exe
  C:\Windows\System\gDWdxzD.exe
  2⤵
  PID:6716
- C:\Windows\System\kTnRANe.exe
  C:\Windows\System\kTnRANe.exe
  2⤵
  PID:6756
- C:\Windows\System\bHGziDX.exe
  C:\Windows\System\bHGziDX.exe
  2⤵
  PID:6804
- C:\Windows\System\egULvVR.exe
  C:\Windows\System\egULvVR.exe
  2⤵
  PID:6844
- C:\Windows\System\fAyiRqe.exe
  C:\Windows\System\fAyiRqe.exe
  2⤵
  PID:6868
- C:\Windows\System\abxWDQf.exe
  C:\Windows\System\abxWDQf.exe
  2⤵
  PID:6896
- C:\Windows\System\QbNCisT.exe
  C:\Windows\System\QbNCisT.exe
  2⤵
  PID:6916
- C:\Windows\System\EIvcWsR.exe
  C:\Windows\System\EIvcWsR.exe
  2⤵
  PID:6952
- C:\Windows\System\KiziZLS.exe
  C:\Windows\System\KiziZLS.exe
  2⤵
  PID:6988
- C:\Windows\System\HlfebLI.exe
  C:\Windows\System\HlfebLI.exe
  2⤵
  PID:7012
- C:\Windows\System\zpNIEeG.exe
  C:\Windows\System\zpNIEeG.exe
  2⤵
  PID:7040
- C:\Windows\System\dxaTOFA.exe
  C:\Windows\System\dxaTOFA.exe
  2⤵
  PID:7072
- C:\Windows\System\IOGgSkp.exe
  C:\Windows\System\IOGgSkp.exe
  2⤵
  PID:7108
- C:\Windows\System\feIslZj.exe
  C:\Windows\System\feIslZj.exe
  2⤵
  PID:7136
- C:\Windows\System\nDQMkFS.exe
  C:\Windows\System\nDQMkFS.exe
  2⤵
  PID:7164
- C:\Windows\System\TCdxdwh.exe
  C:\Windows\System\TCdxdwh.exe
  2⤵
  PID:6212
- C:\Windows\System\VSoUXsp.exe
  C:\Windows\System\VSoUXsp.exe
  2⤵
  PID:6340
- C:\Windows\System\WYIyXxr.exe
  C:\Windows\System\WYIyXxr.exe
  2⤵
  PID:6392
- C:\Windows\System\dzANHXx.exe
  C:\Windows\System\dzANHXx.exe
  2⤵
  PID:6572
- C:\Windows\System\kZQqvmH.exe
  C:\Windows\System\kZQqvmH.exe
  2⤵
  PID:6744
- C:\Windows\System\ceVGSno.exe
  C:\Windows\System\ceVGSno.exe
  2⤵
  PID:6836
- C:\Windows\System\OlwLpDt.exe
  C:\Windows\System\OlwLpDt.exe
  2⤵
  PID:6908
- C:\Windows\System\wGAWqGC.exe
  C:\Windows\System\wGAWqGC.exe
  2⤵
  PID:7024
- C:\Windows\System\ZogrGNa.exe
  C:\Windows\System\ZogrGNa.exe
  2⤵
  PID:7132
- C:\Windows\System\pSnROZH.exe
  C:\Windows\System\pSnROZH.exe
  2⤵
  PID:6168
- C:\Windows\System\rMJPJsk.exe
  C:\Windows\System\rMJPJsk.exe
  2⤵
  PID:6336
- C:\Windows\System\WtMtUTP.exe
  C:\Windows\System\WtMtUTP.exe
  2⤵
  PID:6400
- C:\Windows\System\ubFTaqv.exe
  C:\Windows\System\ubFTaqv.exe
  2⤵
  PID:6612
- C:\Windows\System\UVSZYWM.exe
  C:\Windows\System\UVSZYWM.exe
  2⤵
  PID:6696
- C:\Windows\System\RQDOaoY.exe
  C:\Windows\System\RQDOaoY.exe
  2⤵
  PID:6812
- C:\Windows\System\fBwQyfM.exe
  C:\Windows\System\fBwQyfM.exe
  2⤵
  PID:6940
- C:\Windows\System\TgKQlSX.exe
  C:\Windows\System\TgKQlSX.exe
  2⤵
  PID:7052
- C:\Windows\System\xEfqHKW.exe
  C:\Windows\System\xEfqHKW.exe
  2⤵
  PID:6160
- C:\Windows\System\ZgGdgsE.exe
  C:\Windows\System\ZgGdgsE.exe
  2⤵
  PID:6360
- C:\Windows\System\bMjvrZO.exe
  C:\Windows\System\bMjvrZO.exe
  2⤵
  PID:6632
- C:\Windows\System\lsfMYxA.exe
  C:\Windows\System\lsfMYxA.exe
  2⤵
  PID:3652
- C:\Windows\System\uWHDHlp.exe
  C:\Windows\System\uWHDHlp.exe
  2⤵
  PID:6984
- C:\Windows\System\jKUGdjV.exe
  C:\Windows\System\jKUGdjV.exe
  2⤵
  PID:6356
- C:\Windows\System\oOpewNY.exe
  C:\Windows\System\oOpewNY.exe
  2⤵
  PID:6800
- C:\Windows\System\ZYZQnWj.exe
  C:\Windows\System\ZYZQnWj.exe
  2⤵
  PID:3712
- C:\Windows\System\XrvqNCY.exe
  C:\Windows\System\XrvqNCY.exe
  2⤵
  PID:6500
- C:\Windows\System\ghNfIMO.exe
  C:\Windows\System\ghNfIMO.exe
  2⤵
  PID:6772
- C:\Windows\System\BuppJrI.exe
  C:\Windows\System\BuppJrI.exe
  2⤵
  PID:7176
- C:\Windows\System\kscJtqi.exe
  C:\Windows\System\kscJtqi.exe
  2⤵
  PID:7204
- C:\Windows\System\llKHCCY.exe
  C:\Windows\System\llKHCCY.exe
  2⤵
  PID:7232
- C:\Windows\System\AqNVQau.exe
  C:\Windows\System\AqNVQau.exe
  2⤵
  PID:7260
- C:\Windows\System\qkAqJiB.exe
  C:\Windows\System\qkAqJiB.exe
  2⤵
  PID:7292
- C:\Windows\System\mxTEvxi.exe
  C:\Windows\System\mxTEvxi.exe
  2⤵
  PID:7312
- C:\Windows\System\HwyfTdQ.exe
  C:\Windows\System\HwyfTdQ.exe
  2⤵
  PID:7340
- C:\Windows\System\otKsyRU.exe
  C:\Windows\System\otKsyRU.exe
  2⤵
  PID:7376
- C:\Windows\System\nsmkDgZ.exe
  C:\Windows\System\nsmkDgZ.exe
  2⤵
  PID:7404
- C:\Windows\System\GsYwkld.exe
  C:\Windows\System\GsYwkld.exe
  2⤵
  PID:7436
- C:\Windows\System\ZzfHjQX.exe
  C:\Windows\System\ZzfHjQX.exe
  2⤵
  PID:7464
- C:\Windows\System\wKLJAxi.exe
  C:\Windows\System\wKLJAxi.exe
  2⤵
  PID:7528
- C:\Windows\System\amoGrtL.exe
  C:\Windows\System\amoGrtL.exe
  2⤵
  PID:7556
- C:\Windows\System\brAymIY.exe
  C:\Windows\System\brAymIY.exe
  2⤵
  PID:7580
- C:\Windows\System\WDgRHMI.exe
  C:\Windows\System\WDgRHMI.exe
  2⤵
  PID:7612
- C:\Windows\System\NJFWcjw.exe
  C:\Windows\System\NJFWcjw.exe
  2⤵
  PID:7640
- C:\Windows\System\cFMBXEU.exe
  C:\Windows\System\cFMBXEU.exe
  2⤵
  PID:7668
- C:\Windows\System\bCabfow.exe
  C:\Windows\System\bCabfow.exe
  2⤵
  PID:7696
- C:\Windows\System\QePzQHA.exe
  C:\Windows\System\QePzQHA.exe
  2⤵
  PID:7724
- C:\Windows\System\XXLYcEd.exe
  C:\Windows\System\XXLYcEd.exe
  2⤵
  PID:7752
- C:\Windows\System\pZlqMjL.exe
  C:\Windows\System\pZlqMjL.exe
  2⤵
  PID:7780
- C:\Windows\System\hNnJjKa.exe
  C:\Windows\System\hNnJjKa.exe
  2⤵
  PID:7808
- C:\Windows\System\yAdyTAM.exe
  C:\Windows\System\yAdyTAM.exe
  2⤵
  PID:7836
- C:\Windows\System\kjHbnPD.exe
  C:\Windows\System\kjHbnPD.exe
  2⤵
  PID:7864
- C:\Windows\System\XplPrXl.exe
  C:\Windows\System\XplPrXl.exe
  2⤵
  PID:7892
- C:\Windows\System\rUysLaD.exe
  C:\Windows\System\rUysLaD.exe
  2⤵
  PID:7920
- C:\Windows\System\YYjHCki.exe
  C:\Windows\System\YYjHCki.exe
  2⤵
  PID:7940
- C:\Windows\System\QJjGMPN.exe
  C:\Windows\System\QJjGMPN.exe
  2⤵
  PID:7968
- C:\Windows\System\hMrtRuC.exe
  C:\Windows\System\hMrtRuC.exe
  2⤵
  PID:7996
- C:\Windows\System\pwkTOtA.exe
  C:\Windows\System\pwkTOtA.exe
  2⤵
  PID:8024
- C:\Windows\System\OeXEbwU.exe
  C:\Windows\System\OeXEbwU.exe
  2⤵
  PID:8052
- C:\Windows\System\uvvZEbs.exe
  C:\Windows\System\uvvZEbs.exe
  2⤵
  PID:8084
- C:\Windows\System\LXidKVd.exe
  C:\Windows\System\LXidKVd.exe
  2⤵
  PID:8112
- C:\Windows\System\XsRfxJL.exe
  C:\Windows\System\XsRfxJL.exe
  2⤵
  PID:8140
- C:\Windows\System\UcDQqFj.exe
  C:\Windows\System\UcDQqFj.exe
  2⤵
  PID:8164
- C:\Windows\System\jKaQdHo.exe
  C:\Windows\System\jKaQdHo.exe
  2⤵
  PID:7172
- C:\Windows\System\YwmzMDd.exe
  C:\Windows\System\YwmzMDd.exe
  2⤵
  PID:7220
- C:\Windows\System\ngvTpgA.exe
  C:\Windows\System\ngvTpgA.exe
  2⤵
  PID:4432
- C:\Windows\System\bByTeMU.exe
  C:\Windows\System\bByTeMU.exe
  2⤵
  PID:2264
- C:\Windows\System\CrFNSyH.exe
  C:\Windows\System\CrFNSyH.exe
  2⤵
  PID:2456
- C:\Windows\System\fOLRQQe.exe
  C:\Windows\System\fOLRQQe.exe
  2⤵
  PID:5664
- C:\Windows\System\VmdYFwH.exe
  C:\Windows\System\VmdYFwH.exe
  2⤵
  PID:7272
- C:\Windows\System\adxqLtZ.exe
  C:\Windows\System\adxqLtZ.exe
  2⤵
  PID:7324
- C:\Windows\System\MSdxAmw.exe
  C:\Windows\System\MSdxAmw.exe
  2⤵
  PID:7392
- C:\Windows\System\fMABWlj.exe
  C:\Windows\System\fMABWlj.exe
  2⤵
  PID:7460
- C:\Windows\System\CoqemkA.exe
  C:\Windows\System\CoqemkA.exe
  2⤵
  PID:7544
- C:\Windows\System\gsCpspF.exe
  C:\Windows\System\gsCpspF.exe
  2⤵
  PID:7620
- C:\Windows\System\FmACsKO.exe
  C:\Windows\System\FmACsKO.exe
  2⤵
  PID:7676
- C:\Windows\System\cUbnToL.exe
  C:\Windows\System\cUbnToL.exe
  2⤵
  PID:7720
- C:\Windows\System\ZQBtsVd.exe
  C:\Windows\System\ZQBtsVd.exe
  2⤵
  PID:7788
- C:\Windows\System\UFHvnVe.exe
  C:\Windows\System\UFHvnVe.exe
  2⤵
  PID:7860
- C:\Windows\System\XaTTCNq.exe
  C:\Windows\System\XaTTCNq.exe
  2⤵
  PID:7928
- C:\Windows\System\TTZPQTp.exe
  C:\Windows\System\TTZPQTp.exe
  2⤵
  PID:7988
- C:\Windows\System\FADHWxm.exe
  C:\Windows\System\FADHWxm.exe
  2⤵
  PID:8072
- C:\Windows\System\DgPlaUB.exe
  C:\Windows\System\DgPlaUB.exe
  2⤵
  PID:8120
- C:\Windows\System\cSNTrSS.exe
  C:\Windows\System\cSNTrSS.exe
  2⤵
  PID:8184
- C:\Windows\System\zSmlJNm.exe
  C:\Windows\System\zSmlJNm.exe
  2⤵
  PID:4136
- C:\Windows\System\foucbvE.exe
  C:\Windows\System\foucbvE.exe
  2⤵
  PID:2984
- C:\Windows\System\kSSXlIQ.exe
  C:\Windows\System\kSSXlIQ.exe
  2⤵
  PID:7308
- C:\Windows\System\ljGcaTY.exe
  C:\Windows\System\ljGcaTY.exe
  2⤵
  PID:7536
- C:\Windows\System\fSSLvuA.exe
  C:\Windows\System\fSSLvuA.exe
  2⤵
  PID:7648
- C:\Windows\System\BPXFUdH.exe
  C:\Windows\System\BPXFUdH.exe
  2⤵
  PID:7776
- C:\Windows\System\RlmZuCl.exe
  C:\Windows\System\RlmZuCl.exe
  2⤵
  PID:7880
- C:\Windows\System\MvigeuN.exe
  C:\Windows\System\MvigeuN.exe
  2⤵
  PID:8036
- C:\Windows\System\DtcWfhO.exe
  C:\Windows\System\DtcWfhO.exe
  2⤵
  PID:8176
- C:\Windows\System\OVaicmV.exe
  C:\Windows\System\OVaicmV.exe
  2⤵
  PID:4852
- C:\Windows\System\krCIvjL.exe
  C:\Windows\System\krCIvjL.exe
  2⤵
  PID:6932
- C:\Windows\System\mlKxnfD.exe
  C:\Windows\System\mlKxnfD.exe
  2⤵
  PID:4916
- C:\Windows\System\cdSsrGK.exe
  C:\Windows\System\cdSsrGK.exe
  2⤵
  PID:8148
- C:\Windows\System\UwouvAh.exe
  C:\Windows\System\UwouvAh.exe
  2⤵
  PID:7424
- C:\Windows\System\oENwvac.exe
  C:\Windows\System\oENwvac.exe
  2⤵
  PID:7364
- C:\Windows\System\vCbwdFR.exe
  C:\Windows\System\vCbwdFR.exe
  2⤵
  PID:8100
- C:\Windows\System\MvmaFmw.exe
  C:\Windows\System\MvmaFmw.exe
  2⤵
  PID:8220
- C:\Windows\System\PSbFFiM.exe
  C:\Windows\System\PSbFFiM.exe
  2⤵
  PID:8248
- C:\Windows\System\APcipgK.exe
  C:\Windows\System\APcipgK.exe
  2⤵
  PID:8284
- C:\Windows\System\pjZJcxf.exe
  C:\Windows\System\pjZJcxf.exe
  2⤵
  PID:8304
- C:\Windows\System\YDPKfTU.exe
  C:\Windows\System\YDPKfTU.exe
  2⤵
  PID:8332
- C:\Windows\System\kvrHCgw.exe
  C:\Windows\System\kvrHCgw.exe
  2⤵
  PID:8364
- C:\Windows\System\HPRZBDt.exe
  C:\Windows\System\HPRZBDt.exe
  2⤵
  PID:8388
- C:\Windows\System\wQylhyZ.exe
  C:\Windows\System\wQylhyZ.exe
  2⤵
  PID:8424
- C:\Windows\System\IuRzlow.exe
  C:\Windows\System\IuRzlow.exe
  2⤵
  PID:8452
- C:\Windows\System\RSaaVDf.exe
  C:\Windows\System\RSaaVDf.exe
  2⤵
  PID:8480
- C:\Windows\System\MKwusKW.exe
  C:\Windows\System\MKwusKW.exe
  2⤵
  PID:8512
- C:\Windows\System\IrNtDva.exe
  C:\Windows\System\IrNtDva.exe
  2⤵
  PID:8536
- C:\Windows\System\GwfZUVe.exe
  C:\Windows\System\GwfZUVe.exe
  2⤵
  PID:8564
- C:\Windows\System\VmKYrLF.exe
  C:\Windows\System\VmKYrLF.exe
  2⤵
  PID:8584
- C:\Windows\System\wcagLjU.exe
  C:\Windows\System\wcagLjU.exe
  2⤵
  PID:8620
- C:\Windows\System\tlyzvtN.exe
  C:\Windows\System\tlyzvtN.exe
  2⤵
  PID:8648
- C:\Windows\System\HPQXuct.exe
  C:\Windows\System\HPQXuct.exe
  2⤵
  PID:8724
- C:\Windows\System\ipOkHeK.exe
  C:\Windows\System\ipOkHeK.exe
  2⤵
  PID:8796
- C:\Windows\System\XxUTqVX.exe
  C:\Windows\System\XxUTqVX.exe
  2⤵
  PID:8836
- C:\Windows\System\PeGqbUq.exe
  C:\Windows\System\PeGqbUq.exe
  2⤵
  PID:8856
- C:\Windows\System\TvLPATW.exe
  C:\Windows\System\TvLPATW.exe
  2⤵
  PID:8900
- C:\Windows\System\ODaGgdV.exe
  C:\Windows\System\ODaGgdV.exe
  2⤵
  PID:8936
- C:\Windows\System\zCUbGTc.exe
  C:\Windows\System\zCUbGTc.exe
  2⤵
  PID:8964
- C:\Windows\System\TCWyMXZ.exe
  C:\Windows\System\TCWyMXZ.exe
  2⤵
  PID:8988
- C:\Windows\System\UwrCDOH.exe
  C:\Windows\System\UwrCDOH.exe
  2⤵
  PID:9012
- C:\Windows\System\fYnGppr.exe
  C:\Windows\System\fYnGppr.exe
  2⤵
  PID:9048
- C:\Windows\System\qJvDHRD.exe
  C:\Windows\System\qJvDHRD.exe
  2⤵
  PID:9068
- C:\Windows\System\YyZBPDr.exe
  C:\Windows\System\YyZBPDr.exe
  2⤵
  PID:9096
- C:\Windows\System\OXGgINc.exe
  C:\Windows\System\OXGgINc.exe
  2⤵
  PID:9124
- C:\Windows\System\fqjugSt.exe
  C:\Windows\System\fqjugSt.exe
  2⤵
  PID:9152
- C:\Windows\System\sgGTEeK.exe
  C:\Windows\System\sgGTEeK.exe
  2⤵
  PID:9180
- C:\Windows\System\kiBLtzh.exe
  C:\Windows\System\kiBLtzh.exe
  2⤵
  PID:9208
- C:\Windows\System\YlIVemr.exe
  C:\Windows\System\YlIVemr.exe
  2⤵
  PID:8240
- C:\Windows\System\HglYHWw.exe
  C:\Windows\System\HglYHWw.exe
  2⤵
  PID:8300
- C:\Windows\System\faHozVm.exe
  C:\Windows\System\faHozVm.exe
  2⤵
  PID:8372
- C:\Windows\System\FCgDwGj.exe
  C:\Windows\System\FCgDwGj.exe
  2⤵
  PID:8440
- C:\Windows\System\wDLviPY.exe
  C:\Windows\System\wDLviPY.exe
  2⤵
  PID:8492
- C:\Windows\System\cUeZjxJ.exe
  C:\Windows\System\cUeZjxJ.exe
  2⤵
  PID:8552
- C:\Windows\System\viddtCW.exe
  C:\Windows\System\viddtCW.exe
  2⤵
  PID:8628
- C:\Windows\System\BPvXOLJ.exe
  C:\Windows\System\BPvXOLJ.exe
  2⤵
  PID:8744
- C:\Windows\System\DPfdZHe.exe
  C:\Windows\System\DPfdZHe.exe
  2⤵
  PID:8868
- C:\Windows\System\mPIdGox.exe
  C:\Windows\System\mPIdGox.exe
  2⤵
  PID:8948
- C:\Windows\System\zQMDjFB.exe
  C:\Windows\System\zQMDjFB.exe
  2⤵
  PID:8996
- C:\Windows\System\pIpMUTu.exe
  C:\Windows\System\pIpMUTu.exe
  2⤵
  PID:9056
- C:\Windows\System\OnmRnCD.exe
  C:\Windows\System\OnmRnCD.exe
  2⤵
  PID:9116
- C:\Windows\System\IjxUZVB.exe
  C:\Windows\System\IjxUZVB.exe
  2⤵
  PID:9176
- C:\Windows\System\tYwhXnK.exe
  C:\Windows\System\tYwhXnK.exe
  2⤵
  PID:8268
- C:\Windows\System\giMwHXV.exe
  C:\Windows\System\giMwHXV.exe
  2⤵
  PID:8412
- C:\Windows\System\HveAxvU.exe
  C:\Windows\System\HveAxvU.exe
  2⤵
  PID:8604
- C:\Windows\System\PWxzpde.exe
  C:\Windows\System\PWxzpde.exe
  2⤵
  PID:8892
- C:\Windows\System\sgRTQnc.exe
  C:\Windows\System\sgRTQnc.exe
  2⤵
  PID:4312
- C:\Windows\System\QBWjqpa.exe
  C:\Windows\System\QBWjqpa.exe
  2⤵
  PID:9092
- C:\Windows\System\hsOmOIl.exe
  C:\Windows\System\hsOmOIl.exe
  2⤵
  PID:8328
- C:\Windows\System\GWdOXRO.exe
  C:\Windows\System\GWdOXRO.exe
  2⤵
  PID:9008
- C:\Windows\System\kaykdPV.exe
  C:\Windows\System\kaykdPV.exe
  2⤵
  PID:8488
- C:\Windows\System\azahRzg.exe
  C:\Windows\System\azahRzg.exe
  2⤵
  PID:8216
- C:\Windows\System\GfgLGEw.exe
  C:\Windows\System\GfgLGEw.exe
  2⤵
  PID:8980
- C:\Windows\System\RokKnGK.exe
  C:\Windows\System\RokKnGK.exe
  2⤵
  PID:9236
- C:\Windows\System\KqiYrbb.exe
  C:\Windows\System\KqiYrbb.exe
  2⤵
  PID:9264
- C:\Windows\System\kbTisyq.exe
  C:\Windows\System\kbTisyq.exe
  2⤵
  PID:9296
- C:\Windows\System\zZYcWpU.exe
  C:\Windows\System\zZYcWpU.exe
  2⤵
  PID:9320
- C:\Windows\System\iQSmoVW.exe
  C:\Windows\System\iQSmoVW.exe
  2⤵
  PID:9348
- C:\Windows\System\tytuJlc.exe
  C:\Windows\System\tytuJlc.exe
  2⤵
  PID:9376
- C:\Windows\System\AAefYOj.exe
  C:\Windows\System\AAefYOj.exe
  2⤵
  PID:9404
- C:\Windows\System\ipfVAtm.exe
  C:\Windows\System\ipfVAtm.exe
  2⤵
  PID:9432
- C:\Windows\System\fJZxJxk.exe
  C:\Windows\System\fJZxJxk.exe
  2⤵
  PID:9460
- C:\Windows\System\yAgQAee.exe
  C:\Windows\System\yAgQAee.exe
  2⤵
  PID:9488
- C:\Windows\System\vbcClaf.exe
  C:\Windows\System\vbcClaf.exe
  2⤵
  PID:9516
- C:\Windows\System\YVCBvdm.exe
  C:\Windows\System\YVCBvdm.exe
  2⤵
  PID:9544
- C:\Windows\System\mXvdxFS.exe
  C:\Windows\System\mXvdxFS.exe
  2⤵
  PID:9572
- C:\Windows\System\ECTZEzO.exe
  C:\Windows\System\ECTZEzO.exe
  2⤵
  PID:9600
- C:\Windows\System\xhmixFn.exe
  C:\Windows\System\xhmixFn.exe
  2⤵
  PID:9628
- C:\Windows\System\hDYOZam.exe
  C:\Windows\System\hDYOZam.exe
  2⤵
  PID:9656
- C:\Windows\System\dLIIQdr.exe
  C:\Windows\System\dLIIQdr.exe
  2⤵
  PID:9684
- C:\Windows\System\CrIcEpB.exe
  C:\Windows\System\CrIcEpB.exe
  2⤵
  PID:9712
- C:\Windows\System\orxfNwS.exe
  C:\Windows\System\orxfNwS.exe
  2⤵
  PID:9740
- C:\Windows\System\lZRXgGn.exe
  C:\Windows\System\lZRXgGn.exe
  2⤵
  PID:9768
- C:\Windows\System\JLaBlGX.exe
  C:\Windows\System\JLaBlGX.exe
  2⤵
  PID:9796
- C:\Windows\System\CDrONQH.exe
  C:\Windows\System\CDrONQH.exe
  2⤵
  PID:9824
- C:\Windows\System\lMoZfuF.exe
  C:\Windows\System\lMoZfuF.exe
  2⤵
  PID:9852
- C:\Windows\System\fEgsnHN.exe
  C:\Windows\System\fEgsnHN.exe
  2⤵
  PID:9880
- C:\Windows\System\rjeqQVL.exe
  C:\Windows\System\rjeqQVL.exe
  2⤵
  PID:9912
- C:\Windows\System\AQcGDiq.exe
  C:\Windows\System\AQcGDiq.exe
  2⤵
  PID:9936
- C:\Windows\System\SPiLMui.exe
  C:\Windows\System\SPiLMui.exe
  2⤵
  PID:9964
- C:\Windows\System\QbOvLMo.exe
  C:\Windows\System\QbOvLMo.exe
  2⤵
  PID:9992
- C:\Windows\System\zWpmUOx.exe
  C:\Windows\System\zWpmUOx.exe
  2⤵
  PID:10020
- C:\Windows\System\wKafdrb.exe
  C:\Windows\System\wKafdrb.exe
  2⤵
  PID:10048
- C:\Windows\System\qaApRCn.exe
  C:\Windows\System\qaApRCn.exe
  2⤵
  PID:10076
- C:\Windows\System\gIyQqcd.exe
  C:\Windows\System\gIyQqcd.exe
  2⤵
  PID:10104
- C:\Windows\System\yiVzURA.exe
  C:\Windows\System\yiVzURA.exe
  2⤵
  PID:10132
- C:\Windows\System\eeaEAho.exe
  C:\Windows\System\eeaEAho.exe
  2⤵
  PID:10172
- C:\Windows\System\gOFOvoy.exe
  C:\Windows\System\gOFOvoy.exe
  2⤵
  PID:10188
- C:\Windows\System\nPBUciZ.exe
  C:\Windows\System\nPBUciZ.exe
  2⤵
  PID:10216
- C:\Windows\System\vuHSBtD.exe
  C:\Windows\System\vuHSBtD.exe
  2⤵
  PID:9248
- C:\Windows\System\BfDDbGv.exe
  C:\Windows\System\BfDDbGv.exe
  2⤵
  PID:9316
- C:\Windows\System\UgAXMPH.exe
  C:\Windows\System\UgAXMPH.exe
  2⤵
  PID:9360
- C:\Windows\System\lztPPri.exe
  C:\Windows\System\lztPPri.exe
  2⤵
  PID:9424
- C:\Windows\System\PQpvaUn.exe
  C:\Windows\System\PQpvaUn.exe
  2⤵
  PID:9484
- C:\Windows\System\igxuISN.exe
  C:\Windows\System\igxuISN.exe
  2⤵
  PID:9556
- C:\Windows\System\XCvmTwQ.exe
  C:\Windows\System\XCvmTwQ.exe
  2⤵
  PID:9624
- C:\Windows\System\jMZDCpj.exe
  C:\Windows\System\jMZDCpj.exe
  2⤵
  PID:9680
- C:\Windows\System\GEihHUN.exe
  C:\Windows\System\GEihHUN.exe
  2⤵
  PID:9752
- C:\Windows\System\ubGtTde.exe
  C:\Windows\System\ubGtTde.exe
  2⤵
  PID:9816
- C:\Windows\System\YodnlkK.exe
  C:\Windows\System\YodnlkK.exe
  2⤵
  PID:9876
- C:\Windows\System\SOcdYsU.exe
  C:\Windows\System\SOcdYsU.exe
  2⤵
  PID:9948
- C:\Windows\System\VfWAtWd.exe
  C:\Windows\System\VfWAtWd.exe
  2⤵
  PID:10012
- C:\Windows\System\UcgybPh.exe
  C:\Windows\System\UcgybPh.exe
  2⤵
  PID:10072
- C:\Windows\System\IiLjRby.exe
  C:\Windows\System\IiLjRby.exe
  2⤵
  PID:10144
- C:\Windows\System\ylBKRJO.exe
  C:\Windows\System\ylBKRJO.exe
  2⤵
  PID:10208
- C:\Windows\System\GmvoOjL.exe
  C:\Windows\System\GmvoOjL.exe
  2⤵
  PID:6220
- C:\Windows\System\jjOOqUb.exe
  C:\Windows\System\jjOOqUb.exe
  2⤵
  PID:6204
- C:\Windows\System\DgOcDRF.exe
  C:\Windows\System\DgOcDRF.exe
  2⤵
  PID:5900
- C:\Windows\System\IRvrgvF.exe
  C:\Windows\System\IRvrgvF.exe
  2⤵
  PID:9344
- C:\Windows\System\lBidszl.exe
  C:\Windows\System\lBidszl.exe
  2⤵
  PID:9512
- C:\Windows\System\bIKZbpp.exe
  C:\Windows\System\bIKZbpp.exe
  2⤵
  PID:9668
- C:\Windows\System\biTiows.exe
  C:\Windows\System\biTiows.exe
  2⤵
  PID:9808
- C:\Windows\System\pDhoFBf.exe
  C:\Windows\System\pDhoFBf.exe
  2⤵
  PID:9932
- C:\Windows\System\rlRQkLU.exe
  C:\Windows\System\rlRQkLU.exe
  2⤵
  PID:10100
- C:\Windows\System\zQrUGGc.exe
  C:\Windows\System\zQrUGGc.exe
  2⤵
  PID:9220
- C:\Windows\System\uYGkcUp.exe
  C:\Windows\System\uYGkcUp.exe
  2⤵
  PID:5940
- C:\Windows\System\ASiVcJp.exe
  C:\Windows\System\ASiVcJp.exe
  2⤵
  PID:9612
- C:\Windows\System\SppVXlA.exe
  C:\Windows\System\SppVXlA.exe
  2⤵
  PID:9904
- C:\Windows\System\tugWkTY.exe
  C:\Windows\System\tugWkTY.exe
  2⤵
  PID:5828
- C:\Windows\System\zQCoTCp.exe
  C:\Windows\System\zQCoTCp.exe
  2⤵
  PID:9864
- C:\Windows\System\haJUIsI.exe
  C:\Windows\System\haJUIsI.exe
  2⤵
  PID:10200
- C:\Windows\System\EGRCAnr.exe
  C:\Windows\System\EGRCAnr.exe
  2⤵
  PID:10248
- C:\Windows\System\TFzVqqK.exe
  C:\Windows\System\TFzVqqK.exe
  2⤵
  PID:10276
- C:\Windows\System\vVlQPCe.exe
  C:\Windows\System\vVlQPCe.exe
  2⤵
  PID:10304
- C:\Windows\System\zzWlSWb.exe
  C:\Windows\System\zzWlSWb.exe
  2⤵
  PID:10332
- C:\Windows\System\ceSXyxx.exe
  C:\Windows\System\ceSXyxx.exe
  2⤵
  PID:10360
- C:\Windows\System\KXHljhL.exe
  C:\Windows\System\KXHljhL.exe
  2⤵
  PID:10388
- C:\Windows\System\xLUbBty.exe
  C:\Windows\System\xLUbBty.exe
  2⤵
  PID:10416
- C:\Windows\System\eUUWbXO.exe
  C:\Windows\System\eUUWbXO.exe
  2⤵
  PID:10468
- C:\Windows\System\kegHydM.exe
  C:\Windows\System\kegHydM.exe
  2⤵
  PID:10504
- C:\Windows\System\tJumSgq.exe
  C:\Windows\System\tJumSgq.exe
  2⤵
  PID:10532
- C:\Windows\System\poGVKYS.exe
  C:\Windows\System\poGVKYS.exe
  2⤵
  PID:10568
- C:\Windows\System\dzgtIOQ.exe
  C:\Windows\System\dzgtIOQ.exe
  2⤵
  PID:10596
- C:\Windows\System\nfucyDs.exe
  C:\Windows\System\nfucyDs.exe
  2⤵
  PID:10628
- C:\Windows\System\ZSvwQgO.exe
  C:\Windows\System\ZSvwQgO.exe
  2⤵
  PID:10656
- C:\Windows\System\RqWyQHK.exe
  C:\Windows\System\RqWyQHK.exe
  2⤵
  PID:10684
- C:\Windows\System\DnWftro.exe
  C:\Windows\System\DnWftro.exe
  2⤵
  PID:10712
- C:\Windows\System\NskuxrE.exe
  C:\Windows\System\NskuxrE.exe
  2⤵
  PID:10744
- C:\Windows\System\NbSRRCe.exe
  C:\Windows\System\NbSRRCe.exe
  2⤵
  PID:10772
- C:\Windows\System\aYSuIfV.exe
  C:\Windows\System\aYSuIfV.exe
  2⤵
  PID:10800
- C:\Windows\System\IZKePro.exe
  C:\Windows\System\IZKePro.exe
  2⤵
  PID:10828
- C:\Windows\System\OkBfZNo.exe
  C:\Windows\System\OkBfZNo.exe
  2⤵
  PID:10856
- C:\Windows\System\PYrPfaN.exe
  C:\Windows\System\PYrPfaN.exe
  2⤵
  PID:10884
- C:\Windows\System\JEbgLLI.exe
  C:\Windows\System\JEbgLLI.exe
  2⤵
  PID:10916
- C:\Windows\System\vdZurdq.exe
  C:\Windows\System\vdZurdq.exe
  2⤵
  PID:10944
- C:\Windows\System\MkJCfdJ.exe
  C:\Windows\System\MkJCfdJ.exe
  2⤵
  PID:10972
- C:\Windows\System\OtODdBi.exe
  C:\Windows\System\OtODdBi.exe
  2⤵
  PID:11004
- C:\Windows\System\vsNzSRO.exe
  C:\Windows\System\vsNzSRO.exe
  2⤵
  PID:11040
- C:\Windows\System\BwCzaAZ.exe
  C:\Windows\System\BwCzaAZ.exe
  2⤵
  PID:11068
- C:\Windows\System\rCBHPEW.exe
  C:\Windows\System\rCBHPEW.exe
  2⤵
  PID:11096
- C:\Windows\System\xakwxoN.exe
  C:\Windows\System\xakwxoN.exe
  2⤵
  PID:11140
- C:\Windows\System\htKUJbo.exe
  C:\Windows\System\htKUJbo.exe
  2⤵
  PID:11156
- C:\Windows\System\ORwLpnX.exe
  C:\Windows\System\ORwLpnX.exe
  2⤵
  PID:11184
- C:\Windows\System\DXZyvSP.exe
  C:\Windows\System\DXZyvSP.exe
  2⤵
  PID:11212
- C:\Windows\System\ulVMdUb.exe
  C:\Windows\System\ulVMdUb.exe
  2⤵
  PID:11240
- C:\Windows\System\qPCWbTz.exe
  C:\Windows\System\qPCWbTz.exe
  2⤵
  PID:10244
- C:\Windows\System\bJosKgJ.exe
  C:\Windows\System\bJosKgJ.exe
  2⤵
  PID:10316
- C:\Windows\System\WOXtVlT.exe
  C:\Windows\System\WOXtVlT.exe
  2⤵
  PID:10380
- C:\Windows\System\bwCyYSF.exe
  C:\Windows\System\bwCyYSF.exe
  2⤵
  PID:3296
- C:\Windows\System\tOQuzoN.exe
  C:\Windows\System\tOQuzoN.exe
  2⤵
  PID:4396
- C:\Windows\System\xiuuOfn.exe
  C:\Windows\System\xiuuOfn.exe
  2⤵
  PID:10528
- C:\Windows\System\wzYKZcw.exe
  C:\Windows\System\wzYKZcw.exe
  2⤵
  PID:10592
- C:\Windows\System\ucEOAFZ.exe
  C:\Windows\System\ucEOAFZ.exe
  2⤵
  PID:10668
- C:\Windows\System\ZcFCABP.exe
  C:\Windows\System\ZcFCABP.exe
  2⤵
  PID:10736
- C:\Windows\System\kcywZjq.exe
  C:\Windows\System\kcywZjq.exe
  2⤵
  PID:10796
- C:\Windows\System\WpzencT.exe
  C:\Windows\System\WpzencT.exe
  2⤵
  PID:1988
- C:\Windows\System\vyrXfiO.exe
  C:\Windows\System\vyrXfiO.exe
  2⤵
  PID:10908
- C:\Windows\System\TDeSjhN.exe
  C:\Windows\System\TDeSjhN.exe
  2⤵
  PID:10968
- C:\Windows\System\kULNcge.exe
  C:\Windows\System\kULNcge.exe
  2⤵
  PID:11052
- C:\Windows\System\UFTutqA.exe
  C:\Windows\System\UFTutqA.exe
  2⤵
  PID:11108
- C:\Windows\System\KKdTXjX.exe
  C:\Windows\System\KKdTXjX.exe
  2⤵
  PID:11152
- C:\Windows\System\zQbncle.exe
  C:\Windows\System\zQbncle.exe
  2⤵
  PID:11232
- C:\Windows\System\EZNDckG.exe
  C:\Windows\System\EZNDckG.exe
  2⤵
  PID:10296
- C:\Windows\System\VeuNjAx.exe
  C:\Windows\System\VeuNjAx.exe
  2⤵
  PID:10428
- C:\Windows\System\XdbhFjL.exe
  C:\Windows\System\XdbhFjL.exe
  2⤵
  PID:10556
- C:\Windows\System\iqJyABg.exe
  C:\Windows\System\iqJyABg.exe
  2⤵
  PID:10708
- C:\Windows\System\LYnAcpu.exe
  C:\Windows\System\LYnAcpu.exe
  2⤵
  PID:10824
- C:\Windows\System\EjivjbN.exe
  C:\Windows\System\EjivjbN.exe
  2⤵
  PID:10964
- C:\Windows\System\DktENDe.exe
  C:\Windows\System\DktENDe.exe
  2⤵
  PID:11092
- C:\Windows\System\sHdVLwX.exe
  C:\Windows\System\sHdVLwX.exe
  2⤵
  PID:1348
- C:\Windows\System\LMsUEQV.exe
  C:\Windows\System\LMsUEQV.exe
  2⤵
  PID:3440
- C:\Windows\System\ectaOED.exe
  C:\Windows\System\ectaOED.exe
  2⤵
  PID:10792
- C:\Windows\System\mxOIJSb.exe
  C:\Windows\System\mxOIJSb.exe
  2⤵
  PID:11088
- C:\Windows\System\OWqqUse.exe
  C:\Windows\System\OWqqUse.exe
  2⤵
  PID:10624
- C:\Windows\System\ZVWmXvw.exe
  C:\Windows\System\ZVWmXvw.exe
  2⤵
  PID:10400
- C:\Windows\System\nJWCeLC.exe
  C:\Windows\System\nJWCeLC.exe
  2⤵
  PID:11272
- C:\Windows\System\svZghoo.exe
  C:\Windows\System\svZghoo.exe
  2⤵
  PID:11300
- C:\Windows\System\YrXEuGy.exe
  C:\Windows\System\YrXEuGy.exe
  2⤵
  PID:11328
- C:\Windows\System\tBFFmtX.exe
  C:\Windows\System\tBFFmtX.exe
  2⤵
  PID:11356
- C:\Windows\System\IsSoXYD.exe
  C:\Windows\System\IsSoXYD.exe
  2⤵
  PID:11384
- C:\Windows\System\AAGYxni.exe
  C:\Windows\System\AAGYxni.exe
  2⤵
  PID:11424
- C:\Windows\System\zqVNSpB.exe
  C:\Windows\System\zqVNSpB.exe
  2⤵
  PID:11448
- C:\Windows\System\feoiDoW.exe
  C:\Windows\System\feoiDoW.exe
  2⤵
  PID:11468
- C:\Windows\System\aZKWhNZ.exe
  C:\Windows\System\aZKWhNZ.exe
  2⤵
  PID:11496
- C:\Windows\System\jciLCHd.exe
  C:\Windows\System\jciLCHd.exe
  2⤵
  PID:11524
- C:\Windows\System\fwAbvXS.exe
  C:\Windows\System\fwAbvXS.exe
  2⤵
  PID:11552
- C:\Windows\System\yXYlkPR.exe
  C:\Windows\System\yXYlkPR.exe
  2⤵
  PID:11580
- C:\Windows\System\vQfLdVW.exe
  C:\Windows\System\vQfLdVW.exe
  2⤵
  PID:11608
- C:\Windows\System\jjunIKA.exe
  C:\Windows\System\jjunIKA.exe
  2⤵
  PID:11636
- C:\Windows\System\uVcdOUM.exe
  C:\Windows\System\uVcdOUM.exe
  2⤵
  PID:11664
- C:\Windows\System\GISldUv.exe
  C:\Windows\System\GISldUv.exe
  2⤵
  PID:11692
- C:\Windows\System\mQiEDFl.exe
  C:\Windows\System\mQiEDFl.exe
  2⤵
  PID:11720
- C:\Windows\System\rqNokRD.exe
  C:\Windows\System\rqNokRD.exe
  2⤵
  PID:11748
- C:\Windows\System\WrKekAz.exe
  C:\Windows\System\WrKekAz.exe
  2⤵
  PID:11776
- C:\Windows\System\ZKNYMhe.exe
  C:\Windows\System\ZKNYMhe.exe
  2⤵
  PID:11804
- C:\Windows\System\bRPbuUH.exe
  C:\Windows\System\bRPbuUH.exe
  2⤵
  PID:11836
- C:\Windows\System\NGRbQqW.exe
  C:\Windows\System\NGRbQqW.exe
  2⤵
  PID:11860
- C:\Windows\System\McyaYUf.exe
  C:\Windows\System\McyaYUf.exe
  2⤵
  PID:11888
- C:\Windows\System\gxSwKlq.exe
  C:\Windows\System\gxSwKlq.exe
  2⤵
  PID:11916
- C:\Windows\System\NefzDpn.exe
  C:\Windows\System\NefzDpn.exe
  2⤵
  PID:11944
- C:\Windows\System\TvPEHxU.exe
  C:\Windows\System\TvPEHxU.exe
  2⤵
  PID:11972
- C:\Windows\System\uclgXfn.exe
  C:\Windows\System\uclgXfn.exe
  2⤵
  PID:12000
- C:\Windows\System\WcfatqR.exe
  C:\Windows\System\WcfatqR.exe
  2⤵
  PID:12028
- C:\Windows\System\BrJSLyB.exe
  C:\Windows\System\BrJSLyB.exe
  2⤵
  PID:12056
- C:\Windows\System\hDOqWrA.exe
  C:\Windows\System\hDOqWrA.exe
  2⤵
  PID:12084
- C:\Windows\System\ephyNoe.exe
  C:\Windows\System\ephyNoe.exe
  2⤵
  PID:12112
- C:\Windows\System\vlCkyIG.exe
  C:\Windows\System\vlCkyIG.exe
  2⤵
  PID:12140
- C:\Windows\System\kXYPExy.exe
  C:\Windows\System\kXYPExy.exe
  2⤵
  PID:12168
- C:\Windows\System\UPwGVXi.exe
  C:\Windows\System\UPwGVXi.exe
  2⤵
  PID:12196
- C:\Windows\System\ignjHrs.exe
  C:\Windows\System\ignjHrs.exe
  2⤵
  PID:12224
- C:\Windows\System\MfQTXQv.exe
  C:\Windows\System\MfQTXQv.exe
  2⤵
  PID:12252
- C:\Windows\System\rZpFoeX.exe
  C:\Windows\System\rZpFoeX.exe
  2⤵
  PID:12280
- C:\Windows\System\aKOURmu.exe
  C:\Windows\System\aKOURmu.exe
  2⤵
  PID:11312
- C:\Windows\System\PlJeONl.exe
  C:\Windows\System\PlJeONl.exe
  2⤵
  PID:11376
- C:\Windows\System\gCrPvUf.exe
  C:\Windows\System\gCrPvUf.exe
  2⤵
  PID:11436
- C:\Windows\System\SWjTpxL.exe
  C:\Windows\System\SWjTpxL.exe
  2⤵
  PID:11508
- C:\Windows\System\dZWcXbU.exe
  C:\Windows\System\dZWcXbU.exe
  2⤵
  PID:11572
- C:\Windows\System\flxQLBG.exe
  C:\Windows\System\flxQLBG.exe
  2⤵
  PID:11632
- C:\Windows\System\TdqdtXq.exe
  C:\Windows\System\TdqdtXq.exe
  2⤵
  PID:11704
- C:\Windows\System\llcaGaq.exe
  C:\Windows\System\llcaGaq.exe
  2⤵
  PID:11768
- C:\Windows\System\ciRTjkg.exe
  C:\Windows\System\ciRTjkg.exe
  2⤵
  PID:11828
- C:\Windows\System\msTpwAb.exe
  C:\Windows\System\msTpwAb.exe
  2⤵
  PID:11900
- C:\Windows\System\dFVvGrv.exe
  C:\Windows\System\dFVvGrv.exe
  2⤵
  PID:11964
- C:\Windows\System\LbJIDHM.exe
  C:\Windows\System\LbJIDHM.exe
  2⤵
  PID:12024
- C:\Windows\System\QFCpOke.exe
  C:\Windows\System\QFCpOke.exe
  2⤵
  PID:12096
- C:\Windows\System\eVvooWw.exe
  C:\Windows\System\eVvooWw.exe
  2⤵
  PID:12160
- C:\Windows\System\hekUnbq.exe
  C:\Windows\System\hekUnbq.exe
  2⤵
  PID:12220
- C:\Windows\System\oBKwtVy.exe
  C:\Windows\System\oBKwtVy.exe
  2⤵
  PID:11268
- C:\Windows\System\dgnNQlK.exe
  C:\Windows\System\dgnNQlK.exe
  2⤵
  PID:11408
- C:\Windows\System\peMCbcI.exe
  C:\Windows\System\peMCbcI.exe
  2⤵
  PID:11564
- C:\Windows\System\TOcjUVy.exe
  C:\Windows\System\TOcjUVy.exe
  2⤵
  PID:11732
- C:\Windows\System\BJwCpsx.exe
  C:\Windows\System\BJwCpsx.exe
  2⤵
  PID:11880
- C:\Windows\System\iZoxWGH.exe
  C:\Windows\System\iZoxWGH.exe
  2⤵
  PID:12020
- C:\Windows\System\UjyFSEi.exe
  C:\Windows\System\UjyFSEi.exe
  2⤵
  PID:12188
- C:\Windows\System\yFkASUJ.exe
  C:\Windows\System\yFkASUJ.exe
  2⤵
  PID:11368
- C:\Windows\System\Uscqyjr.exe
  C:\Windows\System\Uscqyjr.exe
  2⤵
  PID:11688
- C:\Windows\System\GlXHvpa.exe
  C:\Windows\System\GlXHvpa.exe
  2⤵
  PID:12080
- C:\Windows\System\RqXYTQr.exe
  C:\Windows\System\RqXYTQr.exe
  2⤵
  PID:11628
- C:\Windows\System\HldqCly.exe
  C:\Windows\System\HldqCly.exe
  2⤵
  PID:11536
- C:\Windows\System\NLXLmpZ.exe
  C:\Windows\System\NLXLmpZ.exe
  2⤵
  PID:12304
- C:\Windows\System\SsJgCwx.exe
  C:\Windows\System\SsJgCwx.exe
  2⤵
  PID:12332
- C:\Windows\System\LqwPNhA.exe
  C:\Windows\System\LqwPNhA.exe
  2⤵
  PID:12360
- C:\Windows\System\OyeiMBH.exe
  C:\Windows\System\OyeiMBH.exe
  2⤵
  PID:12388
- C:\Windows\System\mEVfErr.exe
  C:\Windows\System\mEVfErr.exe
  2⤵
  PID:12416
- C:\Windows\System\syXKssV.exe
  C:\Windows\System\syXKssV.exe
  2⤵
  PID:12444
- C:\Windows\System\lNYwmrm.exe
  C:\Windows\System\lNYwmrm.exe
  2⤵
  PID:12472
- C:\Windows\System\NQQBsJn.exe
  C:\Windows\System\NQQBsJn.exe
  2⤵
  PID:12500
- C:\Windows\System\tYhlWMB.exe
  C:\Windows\System\tYhlWMB.exe
  2⤵
  PID:12528
- C:\Windows\System\srYaYsD.exe
  C:\Windows\System\srYaYsD.exe
  2⤵
  PID:12556
- C:\Windows\System\raGgYRw.exe
  C:\Windows\System\raGgYRw.exe
  2⤵
  PID:12588
- C:\Windows\System\PfeWbSx.exe
  C:\Windows\System\PfeWbSx.exe
  2⤵
  PID:12616
- C:\Windows\System\piXULTN.exe
  C:\Windows\System\piXULTN.exe
  2⤵
  PID:12644
- C:\Windows\System\PtoscoX.exe
  C:\Windows\System\PtoscoX.exe
  2⤵
  PID:12672
- C:\Windows\System\nEjRSmW.exe
  C:\Windows\System\nEjRSmW.exe
  2⤵
  PID:12700
- C:\Windows\System\UtZKScv.exe
  C:\Windows\System\UtZKScv.exe
  2⤵
  PID:12740
- C:\Windows\System\iQCiQdZ.exe
  C:\Windows\System\iQCiQdZ.exe
  2⤵
  PID:12756
- C:\Windows\System\qkWAoDQ.exe
  C:\Windows\System\qkWAoDQ.exe
  2⤵
  PID:12784
- C:\Windows\System\YHqAEER.exe
  C:\Windows\System\YHqAEER.exe
  2⤵
  PID:12812
- C:\Windows\System\tiRjIps.exe
  C:\Windows\System\tiRjIps.exe
  2⤵
  PID:12840
- C:\Windows\System\nhYhKuu.exe
  C:\Windows\System\nhYhKuu.exe
  2⤵
  PID:12868
- C:\Windows\System\FWjOhBH.exe
  C:\Windows\System\FWjOhBH.exe
  2⤵
  PID:12896
- C:\Windows\System\vEBpcos.exe
  C:\Windows\System\vEBpcos.exe
  2⤵
  PID:12924
- C:\Windows\System\fubgeBu.exe
  C:\Windows\System\fubgeBu.exe
  2⤵
  PID:12952
- C:\Windows\System\GgdNVLB.exe
  C:\Windows\System\GgdNVLB.exe
  2⤵
  PID:12980
- C:\Windows\System\AtYdjOo.exe
  C:\Windows\System\AtYdjOo.exe
  2⤵
  PID:13008
- C:\Windows\System\rBtoIBA.exe
  C:\Windows\System\rBtoIBA.exe
  2⤵
  PID:13036
- C:\Windows\System\vUiGHhg.exe
  C:\Windows\System\vUiGHhg.exe
  2⤵
  PID:13064
- C:\Windows\System\SaoLzly.exe
  C:\Windows\System\SaoLzly.exe
  2⤵
  PID:13092
- C:\Windows\System\kqSrvGV.exe
  C:\Windows\System\kqSrvGV.exe
  2⤵
  PID:13120
- C:\Windows\System\vboFfTG.exe
  C:\Windows\System\vboFfTG.exe
  2⤵
  PID:13148
- C:\Windows\System\CKTMGwO.exe
  C:\Windows\System\CKTMGwO.exe
  2⤵
  PID:13176
- C:\Windows\System\EPIMbyw.exe
  C:\Windows\System\EPIMbyw.exe
  2⤵
  PID:13204
- C:\Windows\System\WYAQPTM.exe
  C:\Windows\System\WYAQPTM.exe
  2⤵
  PID:13232
- C:\Windows\System\QOAPiCu.exe
  C:\Windows\System\QOAPiCu.exe
  2⤵
  PID:13260
- C:\Windows\System\CwdqqdM.exe
  C:\Windows\System\CwdqqdM.exe
  2⤵
  PID:13288
- C:\Windows\System\yGOcnul.exe
  C:\Windows\System\yGOcnul.exe
  2⤵
  PID:12296
- C:\Windows\System\jFNtyuQ.exe
  C:\Windows\System\jFNtyuQ.exe
  2⤵
  PID:12356
- C:\Windows\System\JEULnog.exe
  C:\Windows\System\JEULnog.exe
  2⤵
  PID:12428
- C:\Windows\System\aECXHBO.exe
  C:\Windows\System\aECXHBO.exe
  2⤵
  PID:12492
- C:\Windows\System\lEGtLdU.exe
  C:\Windows\System\lEGtLdU.exe
  2⤵
  PID:12552
- C:\Windows\System\IpKTMPh.exe
  C:\Windows\System\IpKTMPh.exe
  2⤵
  PID:2980
- C:\Windows\System\goVMDtC.exe
  C:\Windows\System\goVMDtC.exe
  2⤵
  PID:12608
- C:\Windows\System\avieOkO.exe
  C:\Windows\System\avieOkO.exe
  2⤵
  PID:12668
- C:\Windows\System\XmztlXV.exe
  C:\Windows\System\XmztlXV.exe
  2⤵
  PID:12724
- C:\Windows\System\LXWGzeg.exe
  C:\Windows\System\LXWGzeg.exe
  2⤵
  PID:12804
- C:\Windows\System\pthZXZs.exe
  C:\Windows\System\pthZXZs.exe
  2⤵
  PID:12864
- C:\Windows\System\nQVYVVe.exe
  C:\Windows\System\nQVYVVe.exe
  2⤵
  PID:12936
- C:\Windows\System\BQXOTeL.exe
  C:\Windows\System\BQXOTeL.exe
  2⤵
  PID:13000
- C:\Windows\System\bzbHgSs.exe
  C:\Windows\System\bzbHgSs.exe
  2⤵
  PID:13060
- C:\Windows\System\rEPfcqH.exe
  C:\Windows\System\rEPfcqH.exe
  2⤵
  PID:13132
- C:\Windows\System\CypVPgc.exe
  C:\Windows\System\CypVPgc.exe
  2⤵
  PID:13224
- C:\Windows\System\wtJWFdI.exe
  C:\Windows\System\wtJWFdI.exe
  2⤵
  PID:13256
- C:\Windows\System\GYayrrS.exe
  C:\Windows\System\GYayrrS.exe
  2⤵
  PID:12344
- C:\Windows\System\gWIHvoP.exe
  C:\Windows\System\gWIHvoP.exe
  2⤵
  PID:12468
- C:\Windows\System\ducVfhf.exe
  C:\Windows\System\ducVfhf.exe
  2⤵
  PID:12584
- C:\Windows\System\LWbqpCs.exe
  C:\Windows\System\LWbqpCs.exe
  2⤵
  PID:12916
- C:\Windows\System\eNAbyiX.exe
  C:\Windows\System\eNAbyiX.exe
  2⤵
  PID:13088
- C:\Windows\System\jazsZYO.exe
  C:\Windows\System\jazsZYO.exe
  2⤵
  PID:13244
- C:\Windows\System\lLpcemX.exe
  C:\Windows\System\lLpcemX.exe
  2⤵
  PID:12520
- C:\Windows\System\QaLFilg.exe
  C:\Windows\System\QaLFilg.exe
  2⤵
  PID:12860
- C:\Windows\System\wuvKgjj.exe
  C:\Windows\System\wuvKgjj.exe
  2⤵
  PID:10456
- C:\Windows\System\sXVMVJr.exe
  C:\Windows\System\sXVMVJr.exe
  2⤵
  PID:10444
- C:\Windows\System\PPbqAjU.exe
  C:\Windows\System\PPbqAjU.exe
  2⤵
  PID:2540
- C:\Windows\System\QkeZwwz.exe
  C:\Windows\System\QkeZwwz.exe
  2⤵
  PID:10564
- C:\Windows\System\EGlxhFt.exe
  C:\Windows\System\EGlxhFt.exe
  2⤵
  PID:10460
- C:\Windows\System\dvMkVoG.exe
  C:\Windows\System\dvMkVoG.exe
  2⤵
  PID:12412
- C:\Windows\System\UPXbYPV.exe
  C:\Windows\System\UPXbYPV.exe
  2⤵
  PID:13340
- C:\Windows\System\uOcixNb.exe
  C:\Windows\System\uOcixNb.exe
  2⤵
  PID:13368
- C:\Windows\System\imwSfyi.exe
  C:\Windows\System\imwSfyi.exe
  2⤵
  PID:13396
- C:\Windows\System\nsvDMrP.exe
  C:\Windows\System\nsvDMrP.exe
  2⤵
  PID:13424
- C:\Windows\System\ahziJue.exe
  C:\Windows\System\ahziJue.exe
  2⤵
  PID:13452
- C:\Windows\System\HKyWJwk.exe
  C:\Windows\System\HKyWJwk.exe
  2⤵
  PID:13480
- C:\Windows\System\SdaUwns.exe
  C:\Windows\System\SdaUwns.exe
  2⤵
  PID:13508
- C:\Windows\System\RKCPyGG.exe
  C:\Windows\System\RKCPyGG.exe
  2⤵
  PID:13536
- C:\Windows\System\EipbXeA.exe
  C:\Windows\System\EipbXeA.exe
  2⤵
  PID:13564
- C:\Windows\System\uSOBCQK.exe
  C:\Windows\System\uSOBCQK.exe
  2⤵
  PID:13592
- C:\Windows\System\CdRYBBT.exe
  C:\Windows\System\CdRYBBT.exe
  2⤵
  PID:13620
- C:\Windows\System\UvkiMRS.exe
  C:\Windows\System\UvkiMRS.exe
  2⤵
  PID:13648
- C:\Windows\System\jNHebEA.exe
  C:\Windows\System\jNHebEA.exe
  2⤵
  PID:13676
- C:\Windows\System\DcjZHjj.exe
  C:\Windows\System\DcjZHjj.exe
  2⤵
  PID:13704
- C:\Windows\System\EqkBuSY.exe
  C:\Windows\System\EqkBuSY.exe
  2⤵
  PID:13732
- C:\Windows\System\gcdZJYx.exe
  C:\Windows\System\gcdZJYx.exe
  2⤵
  PID:13760
- C:\Windows\System\miZjhns.exe
  C:\Windows\System\miZjhns.exe
  2⤵
  PID:13788
- C:\Windows\System\wyAeQFv.exe
  C:\Windows\System\wyAeQFv.exe
  2⤵
  PID:13816
- C:\Windows\System\KDrzitq.exe
  C:\Windows\System\KDrzitq.exe
  2⤵
  PID:13844
- C:\Windows\System\NsHhPMv.exe
  C:\Windows\System\NsHhPMv.exe
  2⤵
  PID:14140
- C:\Windows\System\kIDXddI.exe
  C:\Windows\System\kIDXddI.exe
  2⤵
  PID:14236
- C:\Windows\System\YwiAcDT.exe
  C:\Windows\System\YwiAcDT.exe
  2⤵
  PID:14276
- C:\Windows\System\ntlNCKI.exe
  C:\Windows\System\ntlNCKI.exe
  2⤵
  PID:14332
- C:\Windows\System\TfMQDmP.exe
  C:\Windows\System\TfMQDmP.exe
  2⤵
  PID:13420
- C:\Windows\System\ECEslKJ.exe
  C:\Windows\System\ECEslKJ.exe
  2⤵
  PID:13632
- C:\Windows\System\sSVRYZX.exe
  C:\Windows\System\sSVRYZX.exe
  2⤵
  PID:13700
- C:\Windows\System\jgeJYse.exe
  C:\Windows\System\jgeJYse.exe
  2⤵
  PID:13780
- C:\Windows\System\BOVnIdg.exe
  C:\Windows\System\BOVnIdg.exe
  2⤵
  PID:13828
- C:\Windows\System\SBEdRtt.exe
  C:\Windows\System\SBEdRtt.exe
  2⤵
  PID:1600
- C:\Windows\System\AXLoDun.exe
  C:\Windows\System\AXLoDun.exe
  2⤵
  PID:13960
- C:\Windows\System\AQfKsoq.exe
  C:\Windows\System\AQfKsoq.exe
  2⤵
  PID:13996
- C:\Windows\System\DBuBlFv.exe
  C:\Windows\System\DBuBlFv.exe
  2⤵
  PID:1672
- C:\Windows\System\BzXXzRW.exe
  C:\Windows\System\BzXXzRW.exe
  2⤵
  PID:13364
- C:\Windows\System\wodaROn.exe
  C:\Windows\System\wodaROn.exe
  2⤵
  PID:3200
- C:\Windows\System\KEqKzpY.exe
  C:\Windows\System\KEqKzpY.exe
  2⤵
  PID:1572
- C:\Windows\System\GKJSHkz.exe
  C:\Windows\System\GKJSHkz.exe
  2⤵
  PID:2468
- C:\Windows\System\bDgGhel.exe
  C:\Windows\System\bDgGhel.exe
  2⤵
  PID:788
- C:\Windows\System\tSuxtyE.exe
  C:\Windows\System\tSuxtyE.exe
  2⤵
  PID:1568
- C:\Windows\System\XtgUOdD.exe
  C:\Windows\System\XtgUOdD.exe
  2⤵
  PID:4420
- C:\Windows\System\cMORVVA.exe
  C:\Windows\System\cMORVVA.exe
  2⤵
  PID:5432
- C:\Windows\System\IbIyzZZ.exe
  C:\Windows\System\IbIyzZZ.exe
  2⤵
  PID:2296
- C:\Windows\System\tGInJal.exe
  C:\Windows\System\tGInJal.exe
  2⤵
  PID:4864
- C:\Windows\System\IsbUHvW.exe
  C:\Windows\System\IsbUHvW.exe
  2⤵
  PID:13892
- C:\Windows\System\ozoxgUU.exe
  C:\Windows\System\ozoxgUU.exe
  2⤵
  PID:13900
- C:\Windows\System\HWcvdfi.exe
  C:\Windows\System\HWcvdfi.exe
  2⤵
  PID:13908
- C:\Windows\System\ggqgYRD.exe
  C:\Windows\System\ggqgYRD.exe
  2⤵
  PID:1464
- C:\Windows\System\eUFihBx.exe
  C:\Windows\System\eUFihBx.exe
  2⤵
  PID:3292
- C:\Windows\System\FNfJACl.exe
  C:\Windows\System\FNfJACl.exe
  2⤵
  PID:5836
- C:\Windows\System\wsZaunJ.exe
  C:\Windows\System\wsZaunJ.exe
  2⤵
  PID:14188
- C:\Windows\System\RWWspyq.exe
  C:\Windows\System\RWWspyq.exe
  2⤵
  PID:13660
- C:\Windows\System\ltwhHtu.exe
  C:\Windows\System\ltwhHtu.exe
  2⤵
  PID:3996
- C:\Windows\System\YYuqAFf.exe
  C:\Windows\System\YYuqAFf.exe
  2⤵
  PID:5704
- C:\Windows\System\rfkRSUc.exe
  C:\Windows\System\rfkRSUc.exe
  2⤵
  PID:4424
- C:\Windows\System\yeDZERg.exe
  C:\Windows\System\yeDZERg.exe
  2⤵
  PID:6732
- C:\Windows\System\vOgZRbV.exe
  C:\Windows\System\vOgZRbV.exe
  2⤵
  PID:4880
- C:\Windows\System\cJxLsGY.exe
  C:\Windows\System\cJxLsGY.exe
  2⤵
  PID:7000
- C:\Windows\System\HFGOVfK.exe
  C:\Windows\System\HFGOVfK.exe
  2⤵
  PID:2244
- C:\Windows\System\jYURsSX.exe
  C:\Windows\System\jYURsSX.exe
  2⤵
  PID:5956
- C:\Windows\System\AviOHDp.exe
  C:\Windows\System\AviOHDp.exe
  2⤵
  PID:4068
- C:\Windows\System\xuXqrOJ.exe
  C:\Windows\System\xuXqrOJ.exe
  2⤵
  PID:13896
- C:\Windows\System\GwnAWFL.exe
  C:\Windows\System\GwnAWFL.exe
  2⤵
  PID:6284
- C:\Windows\System\VsiNTaw.exe
  C:\Windows\System\VsiNTaw.exe
  2⤵
  PID:4800
- C:\Windows\System\ixzKQoW.exe
  C:\Windows\System\ixzKQoW.exe
  2⤵
  PID:6828
- C:\Windows\System\SYVCvtm.exe
  C:\Windows\System\SYVCvtm.exe
  2⤵
  PID:1660
- C:\Windows\System\xDOnxlc.exe
  C:\Windows\System\xDOnxlc.exe
  2⤵
  PID:464
- C:\Windows\System\pogUyCj.exe
  C:\Windows\System\pogUyCj.exe
  2⤵
  PID:2236
- C:\Windows\System\NVqiOeB.exe
  C:\Windows\System\NVqiOeB.exe
  2⤵
  PID:4460
- C:\Windows\System\jyGeYOV.exe
  C:\Windows\System\jyGeYOV.exe
  2⤵
  PID:13972
- C:\Windows\System\LwFptuU.exe
  C:\Windows\System\LwFptuU.exe
  2⤵
  PID:3900
- C:\Windows\System\oZbpvzE.exe
  C:\Windows\System\oZbpvzE.exe
  2⤵
  PID:6688
- C:\Windows\System\jqQZuJK.exe
  C:\Windows\System\jqQZuJK.exe
  2⤵
  PID:6092
- C:\Windows\System\SzJNLIr.exe
  C:\Windows\System\SzJNLIr.exe
  2⤵
  PID:4308
- C:\Windows\System\kemfNXb.exe
  C:\Windows\System\kemfNXb.exe
  2⤵
  PID:668
- C:\Windows\System\hoSXTYy.exe
  C:\Windows\System\hoSXTYy.exe
  2⤵
  PID:1824
- C:\Windows\System\AwBHzpR.exe
  C:\Windows\System\AwBHzpR.exe
  2⤵
  PID:5284
- C:\Windows\System\PlBXTSq.exe
  C:\Windows\System\PlBXTSq.exe
  2⤵
  PID:3940
- C:\Windows\System\Bjewxae.exe
  C:\Windows\System\Bjewxae.exe
  2⤵
  PID:5480
- C:\Windows\System\vvvZeBZ.exe
  C:\Windows\System\vvvZeBZ.exe
  2⤵
  PID:2956
- C:\Windows\System\uXtyAiS.exe
  C:\Windows\System\uXtyAiS.exe
  2⤵
  PID:6300
- C:\Windows\System\EOKDxEp.exe
  C:\Windows\System\EOKDxEp.exe
  2⤵
  PID:13988
- C:\Windows\System\EkivRlx.exe
  C:\Windows\System\EkivRlx.exe
  2⤵
  PID:14012
- C:\Windows\System\foEFoIU.exe
  C:\Windows\System\foEFoIU.exe
  2⤵
  PID:14020
- C:\Windows\System\mXByWKo.exe
  C:\Windows\System\mXByWKo.exe
  2⤵
  PID:14040
- C:\Windows\System\OMHDyzJ.exe
  C:\Windows\System\OMHDyzJ.exe
  2⤵
  PID:6544
- C:\Windows\System\sSOrELE.exe
  C:\Windows\System\sSOrELE.exe
  2⤵
  PID:5344
- C:\Windows\System\kOfZNtX.exe
  C:\Windows\System\kOfZNtX.exe
  2⤵
  PID:7244
- C:\Windows\System\vOMEIlj.exe
  C:\Windows\System\vOMEIlj.exe
  2⤵
  PID:2788
- C:\Windows\System\Ydcrsem.exe
  C:\Windows\System\Ydcrsem.exe
  2⤵
  PID:6608
- C:\Windows\System\SbIZgsS.exe
  C:\Windows\System\SbIZgsS.exe
  2⤵
  PID:14088
- C:\Windows\System\zZrOWZw.exe
  C:\Windows\System\zZrOWZw.exe
  2⤵
  PID:3920
- C:\Windows\System\ByPGosR.exe
  C:\Windows\System\ByPGosR.exe
  2⤵
  PID:14120
- C:\Windows\System\bpDyHgE.exe
  C:\Windows\System\bpDyHgE.exe
  2⤵
  PID:14128
- C:\Windows\System\vvjWRIg.exe
  C:\Windows\System\vvjWRIg.exe
  2⤵
  PID:7320
- C:\Windows\System\PzHCgmI.exe
  C:\Windows\System\PzHCgmI.exe
  2⤵
  PID:5500
- C:\Windows\System\OfkNokf.exe
  C:\Windows\System\OfkNokf.exe
  2⤵
  PID:5560
- C:\Windows\System\QSeryAP.exe
  C:\Windows\System\QSeryAP.exe
  2⤵
  PID:7400
- C:\Windows\System\eMFLSkB.exe
  C:\Windows\System\eMFLSkB.exe
  2⤵
  PID:7428
- C:\Windows\System\ySmTOSf.exe
  C:\Windows\System\ySmTOSf.exe
  2⤵
  PID:5700
- C:\Windows\System\klxPLXf.exe
  C:\Windows\System\klxPLXf.exe
  2⤵
  PID:7448
- C:\Windows\System\igljmev.exe
  C:\Windows\System\igljmev.exe
  2⤵
  PID:14224
- C:\Windows\System\ShSTXkw.exe
  C:\Windows\System\ShSTXkw.exe
  2⤵
  PID:14212
- C:\Windows\System\gyIysNY.exe
  C:\Windows\System\gyIysNY.exe
  2⤵
  PID:7512
- C:\Windows\System\IpdYcjh.exe
  C:\Windows\System\IpdYcjh.exe
  2⤵
  PID:6888
- C:\Windows\System\hMocQux.exe
  C:\Windows\System\hMocQux.exe
  2⤵
  PID:2652
- C:\Windows\System\vHrdHli.exe
  C:\Windows\System\vHrdHli.exe
  2⤵
  PID:5724
- C:\Windows\System\yJaZcPI.exe
  C:\Windows\System\yJaZcPI.exe
  2⤵
  PID:14284
- C:\Windows\System\yntjWPI.exe
  C:\Windows\System\yntjWPI.exe
  2⤵
  PID:7652
- C:\Windows\System\EdkkiOE.exe
  C:\Windows\System\EdkkiOE.exe
  2⤵
  PID:5844
- C:\Windows\System\WypGGoP.exe
  C:\Windows\System\WypGGoP.exe
  2⤵
  PID:14328
- C:\Windows\System\YxpewmP.exe
  C:\Windows\System\YxpewmP.exe
  2⤵
  PID:7708
- C:\Windows\System\zxrokEp.exe
  C:\Windows\System\zxrokEp.exe
  2⤵
  PID:4676
- C:\Windows\System\AyKTpaW.exe
  C:\Windows\System\AyKTpaW.exe
  2⤵
  PID:972
- C:\Windows\System\xGjskal.exe
  C:\Windows\System\xGjskal.exe
  2⤵
  PID:6068
- C:\Windows\System\fPGjNKD.exe
  C:\Windows\System\fPGjNKD.exe
  2⤵
  PID:5772
- C:\Windows\System\nDtOgIP.exe
  C:\Windows\System\nDtOgIP.exe
  2⤵
  PID:7820
- C:\Windows\System\jCusoTb.exe
  C:\Windows\System\jCusoTb.exe
  2⤵
  PID:7120
- C:\Windows\System\UjAsKfK.exe
  C:\Windows\System\UjAsKfK.exe
  2⤵
  PID:7848
- C:\Windows\System\ftKgAdK.exe
  C:\Windows\System\ftKgAdK.exe
  2⤵
  PID:1804
- C:\Windows\System\BUjYarA.exe
  C:\Windows\System\BUjYarA.exe
  2⤵
  PID:7912
- C:\Windows\System\QJFntsO.exe
  C:\Windows\System\QJFntsO.exe
  2⤵
  PID:13576
- C:\Windows\System\QeqmjlQ.exe
  C:\Windows\System\QeqmjlQ.exe
  2⤵
  PID:6164
- C:\Windows\System\tWwvuys.exe
  C:\Windows\System\tWwvuys.exe
  2⤵
  PID:13604
- C:\Windows\System\sNoSOXx.exe
  C:\Windows\System\sNoSOXx.exe
  2⤵
  PID:8068
- C:\Windows\System\zhQyvOw.exe
  C:\Windows\System\zhQyvOw.exe
  2⤵
  PID:5456
- C:\Windows\System\afVpXoU.exe
  C:\Windows\System\afVpXoU.exe
  2⤵
  PID:6364
- C:\Windows\System\glMHQhZ.exe
  C:\Windows\System\glMHQhZ.exe
  2⤵
  PID:8172
- C:\Windows\System\oXFvrhR.exe
  C:\Windows\System\oXFvrhR.exe
  2⤵
  PID:3444
- C:\Windows\System\RTnvBVi.exe
  C:\Windows\System\RTnvBVi.exe
  2⤵
  PID:2484
- C:\Windows\System\qyITquL.exe
  C:\Windows\System\qyITquL.exe
  2⤵
  PID:7416
- C:\Windows\System\lehElTq.exe
  C:\Windows\System\lehElTq.exe
  2⤵
  PID:7748
- C:\Windows\System\BSQsHnN.exe
  C:\Windows\System\BSQsHnN.exe
  2⤵
  PID:7936
- C:\Windows\System\UwPwaKE.exe
  C:\Windows\System\UwPwaKE.exe
  2⤵
  PID:8132
- C:\Windows\System\SmhunWu.exe
  C:\Windows\System\SmhunWu.exe
  2⤵
  PID:7304
- C:\Windows\System\AcaHuaW.exe
  C:\Windows\System\AcaHuaW.exe
  2⤵
  PID:4708
- C:\Windows\System\ELrbarD.exe
  C:\Windows\System\ELrbarD.exe
  2⤵
  PID:116
- C:\Windows\System\WpWxksT.exe
  C:\Windows\System\WpWxksT.exe
  2⤵
  PID:7740
- C:\Windows\System\PbqHrLA.exe
  C:\Windows\System\PbqHrLA.exe
  2⤵
  PID:8228
- C:\Windows\System\VMlqlYv.exe
  C:\Windows\System\VMlqlYv.exe
  2⤵
  PID:8276
- C:\Windows\System\bTDYRsB.exe
  C:\Windows\System\bTDYRsB.exe
  2⤵
  PID:8416
- C:\Windows\System\iDpDSnA.exe
  C:\Windows\System\iDpDSnA.exe
  2⤵
  PID:8472
- C:\Windows\System\nuKnkoZ.exe
  C:\Windows\System\nuKnkoZ.exe
  2⤵
  PID:8616
- C:\Windows\System\CdSwToP.exe
  C:\Windows\System\CdSwToP.exe
  2⤵
  PID:8804
- C:\Windows\System\BksvtlL.exe
  C:\Windows\System\BksvtlL.exe
  2⤵
  PID:8916
- C:\Windows\System\KmbJaDd.exe
  C:\Windows\System\KmbJaDd.exe
  2⤵
  PID:9020
- C:\Windows\System\XGmHEEH.exe
  C:\Windows\System\XGmHEEH.exe
  2⤵
  PID:1788
- C:\Windows\System\rtCxnaU.exe
  C:\Windows\System\rtCxnaU.exe
  2⤵
  PID:4884
- C:\Windows\System\ppPNzel.exe
  C:\Windows\System\ppPNzel.exe
  2⤵
  PID:6784
- C:\Windows\System\IAmLxjO.exe
  C:\Windows\System\IAmLxjO.exe
  2⤵
  PID:9196
- C:\Windows\System\TTrIrVA.exe
  C:\Windows\System\TTrIrVA.exe
  2⤵
  PID:1664
- C:\Windows\System\sYdipYw.exe
  C:\Windows\System\sYdipYw.exe
  2⤵
  PID:8324
- C:\Windows\System\FfBCOim.exe
  C:\Windows\System\FfBCOim.exe
  2⤵
  PID:8496
- C:\Windows\System\EMrbmBc.exe
  C:\Windows\System\EMrbmBc.exe
  2⤵
  PID:5944
- C:\Windows\System\uGtcqxi.exe
  C:\Windows\System\uGtcqxi.exe
  2⤵
  PID:2148
- C:\Windows\System\sMDYkXr.exe
  C:\Windows\System\sMDYkXr.exe
  2⤵
  PID:9004
- C:\Windows\System\dzLmwEp.exe
  C:\Windows\System\dzLmwEp.exe
  2⤵
  PID:9148
- C:\Windows\System\OAYPmZA.exe
  C:\Windows\System\OAYPmZA.exe
  2⤵
  PID:8296
- C:\Windows\System\TsnbUPU.exe
  C:\Windows\System\TsnbUPU.exe
  2⤵
  PID:13936
- C:\Windows\System\wgVRfLO.exe
  C:\Windows\System\wgVRfLO.exe
  2⤵
  PID:8920
- C:\Windows\System\SJmJKLE.exe
  C:\Windows\System\SJmJKLE.exe
  2⤵
  PID:8408
- C:\Windows\System\dKwNPCB.exe
  C:\Windows\System\dKwNPCB.exe
  2⤵
  PID:6272
- C:\Windows\System\JfCjhSF.exe
  C:\Windows\System\JfCjhSF.exe
  2⤵
  PID:13948
- C:\Windows\System\bXjsnzt.exe
  C:\Windows\System\bXjsnzt.exe
  2⤵
  PID:5048
- C:\Windows\System\UnrZvxk.exe
  C:\Windows\System\UnrZvxk.exe
  2⤵
  PID:9336
- C:\Windows\System\vPbfAAd.exe
  C:\Windows\System\vPbfAAd.exe
  2⤵
  PID:9384
- C:\Windows\System\PkSqhqk.exe
  C:\Windows\System\PkSqhqk.exe
  2⤵
  PID:9448
- C:\Windows\System\zEpDkrF.exe
  C:\Windows\System\zEpDkrF.exe
  2⤵
  PID:5176
- C:\Windows\System\VdXSphC.exe
  C:\Windows\System\VdXSphC.exe
  2⤵
  PID:9552
- C:\Windows\System\NFTHmKE.exe
  C:\Windows\System\NFTHmKE.exe
  2⤵
  PID:6180
- C:\Windows\System\KyBEkkS.exe
  C:\Windows\System\KyBEkkS.exe
  2⤵
  PID:5324
- C:\Windows\System\gGaRpqz.exe
  C:\Windows\System\gGaRpqz.exe
  2⤵
  PID:9756
- C:\Windows\System\YUVSxZQ.exe
  C:\Windows\System\YUVSxZQ.exe
  2⤵
  PID:9812
- C:\Windows\System\pTYQfFb.exe
  C:\Windows\System\pTYQfFb.exe
  2⤵
  PID:9832
- C:\Windows\System\MpdjjCu.exe
  C:\Windows\System\MpdjjCu.exe
  2⤵
  PID:5504
- C:\Windows\System\tbcVDOK.exe
  C:\Windows\System\tbcVDOK.exe
  2⤵
  PID:6912
- C:\Windows\System\PXLMPVA.exe
  C:\Windows\System\PXLMPVA.exe
  2⤵
  PID:5264
- C:\Windows\System\AjbDAAo.exe
  C:\Windows\System\AjbDAAo.exe
  2⤵
  PID:10056
- C:\Windows\System\qsSIVuw.exe
  C:\Windows\System\qsSIVuw.exe
  2⤵
  PID:7196
- C:\Windows\System\DOjXqkT.exe
  C:\Windows\System\DOjXqkT.exe
  2⤵
  PID:5552
- C:\Windows\System\MlcqPNi.exe
  C:\Windows\System\MlcqPNi.exe
  2⤵
  PID:4260
- C:\Windows\System\EUfXvrH.exe
  C:\Windows\System\EUfXvrH.exe
  2⤵
  PID:9232
- C:\Windows\System\OmKCwDQ.exe
  C:\Windows\System\OmKCwDQ.exe
  2⤵
  PID:7276
- C:\Windows\System\rtObAgV.exe
  C:\Windows\System\rtObAgV.exe
  2⤵
  PID:9508
- C:\Windows\System\vwfWWEs.exe
  C:\Windows\System\vwfWWEs.exe
  2⤵
  PID:9640
- C:\Windows\System\BnTrczk.exe
  C:\Windows\System\BnTrczk.exe
  2⤵
  PID:9764
- C:\Windows\System\wDdHqkG.exe
  C:\Windows\System\wDdHqkG.exe
  2⤵
  PID:14112
- C:\Windows\System\EnFnYfN.exe
  C:\Windows\System\EnFnYfN.exe
  2⤵
  PID:10032
- C:\Windows\System\XsGIXCz.exe
  C:\Windows\System\XsGIXCz.exe
  2⤵
  PID:10180
- C:\Windows\System\nghUQEZ.exe
  C:\Windows\System\nghUQEZ.exe
  2⤵
  PID:10228
- C:\Windows\System\DLBCfvs.exe
  C:\Windows\System\DLBCfvs.exe
  2⤵
  PID:5604
- C:\Windows\System\XbmXBfL.exe
  C:\Windows\System\XbmXBfL.exe
  2⤵
  PID:6796
- C:\Windows\System\nSMZdCc.exe
  C:\Windows\System\nSMZdCc.exe
  2⤵
  PID:3048
- C:\Windows\System\AQqqVkq.exe
  C:\Windows\System\AQqqVkq.exe
  2⤵
  PID:9732
- C:\Windows\System\HFUsvBX.exe
  C:\Windows\System\HFUsvBX.exe
  2⤵
  PID:7300
- C:\Windows\System\Ldscoox.exe
  C:\Windows\System\Ldscoox.exe
  2⤵
  PID:4356
- C:\Windows\System\LvWiRlz.exe
  C:\Windows\System\LvWiRlz.exe
  2⤵
  PID:10256
- C:\Windows\System\fqbOYIN.exe
  C:\Windows\System\fqbOYIN.exe
  2⤵
  PID:10312
- C:\Windows\System\yyuGRaU.exe
  C:\Windows\System\yyuGRaU.exe
  2⤵
  PID:5856
- C:\Windows\System\nwRfezC.exe
  C:\Windows\System\nwRfezC.exe
  2⤵
  PID:10424
- C:\Windows\System\OCMwlZb.exe
  C:\Windows\System\OCMwlZb.exe
  2⤵
  PID:10540
- C:\Windows\System\Klgfvcm.exe
  C:\Windows\System\Klgfvcm.exe
  2⤵
  PID:10612
- C:\Windows\System\CMGEIlA.exe
  C:\Windows\System\CMGEIlA.exe
  2⤵
  PID:3560
- C:\Windows\System\SCuwVpw.exe
  C:\Windows\System\SCuwVpw.exe
  2⤵
  PID:10788
- C:\Windows\System\xFNOdxI.exe
  C:\Windows\System\xFNOdxI.exe
  2⤵
  PID:10872
- C:\Windows\System\tBhkJjU.exe
  C:\Windows\System\tBhkJjU.exe
  2⤵
  PID:4000
- C:\Windows\System\RrsAeOc.exe
  C:\Windows\System\RrsAeOc.exe
  2⤵
  PID:13388
- C:\Windows\System\UssBQFD.exe
  C:\Windows\System\UssBQFD.exe
  2⤵
  PID:11128
- C:\Windows\System\LnpwnoL.exe
  C:\Windows\System\LnpwnoL.exe
  2⤵
  PID:11172
- C:\Windows\System\oFKihDt.exe
  C:\Windows\System\oFKihDt.exe
  2⤵
  PID:11220
- C:\Windows\System\hYlMIgD.exe
  C:\Windows\System\hYlMIgD.exe
  2⤵
  PID:10640
- C:\Windows\System\XTBgNBH.exe
  C:\Windows\System\XTBgNBH.exe
  2⤵
  PID:8096
- C:\Windows\System\fvytZQd.exe
  C:\Windows\System\fvytZQd.exe
  2⤵
  PID:10852
- C:\Windows\System\UUocQGp.exe
  C:\Windows\System\UUocQGp.exe
  2⤵
  PID:11060
- C:\Windows\System\TzFQpjA.exe
  C:\Windows\System\TzFQpjA.exe
  2⤵
  PID:232
- C:\Windows\System\UeJPqJG.exe
  C:\Windows\System\UeJPqJG.exe
  2⤵
  PID:7360
- C:\Windows\System\rXtEXTF.exe
  C:\Windows\System\rXtEXTF.exe
  2⤵
  PID:10648
- C:\Windows\System\CpsHzrK.exe
  C:\Windows\System\CpsHzrK.exe
  2⤵
  PID:11180
- C:\Windows\System\dNHrdLQ.exe
  C:\Windows\System\dNHrdLQ.exe
  2⤵
  PID:1888
- C:\Windows\System\RmtqlyR.exe
  C:\Windows\System\RmtqlyR.exe
  2⤵
  PID:4632
- C:\Windows\System\bnHagpZ.exe
  C:\Windows\System\bnHagpZ.exe
  2⤵
  PID:7444
- C:\Windows\System\EwBSZAi.exe
  C:\Windows\System\EwBSZAi.exe
  2⤵
  PID:7712
- C:\Windows\System\BwSHNfs.exe
  C:\Windows\System\BwSHNfs.exe
  2⤵
  PID:8236
- C:\Windows\System\wqaJyVF.exe
  C:\Windows\System\wqaJyVF.exe
  2⤵
  PID:11484
- C:\Windows\System\zRPncWo.exe
  C:\Windows\System\zRPncWo.exe
  2⤵
  PID:11588
- C:\Windows\System\nhgqXzf.exe
  C:\Windows\System\nhgqXzf.exe
  2⤵
  PID:11708
- C:\Windows\System\bCmZNrW.exe
  C:\Windows\System\bCmZNrW.exe
  2⤵
  PID:11792
- C:\Windows\System\JWIHzJs.exe
  C:\Windows\System\JWIHzJs.exe
  2⤵
  PID:4020
- C:\Windows\System\kEBcHQX.exe
  C:\Windows\System\kEBcHQX.exe
  2⤵
  PID:11896
- C:\Windows\System\tYuVuGI.exe
  C:\Windows\System\tYuVuGI.exe
  2⤵
  PID:6832
- C:\Windows\System\tJYEqon.exe
  C:\Windows\System\tJYEqon.exe
  2⤵
  PID:12016
- C:\Windows\System\muCBkfg.exe
  C:\Windows\System\muCBkfg.exe
  2⤵
  PID:12120
- C:\Windows\System\DjTqCXu.exe
  C:\Windows\System\DjTqCXu.exe
  2⤵
  PID:12268
- C:\Windows\System\BYYZOGr.exe
  C:\Windows\System\BYYZOGr.exe
  2⤵
  PID:11284
- C:\Windows\System\vJKYmdg.exe
  C:\Windows\System\vJKYmdg.exe
  2⤵
  PID:9064
- C:\Windows\System\rxrdUNp.exe
  C:\Windows\System\rxrdUNp.exe
  2⤵
  PID:9200
- C:\Windows\System\xQtzdpJ.exe
  C:\Windows\System\xQtzdpJ.exe
  2⤵
  PID:11852
- C:\Windows\System\RdoWkdo.exe
  C:\Windows\System\RdoWkdo.exe
  2⤵
  PID:12132
- C:\Windows\System\uFVcupl.exe
  C:\Windows\System\uFVcupl.exe
  2⤵
  PID:11352
- C:\Windows\System\QObCuAb.exe
  C:\Windows\System\QObCuAb.exe
  2⤵
  PID:11660
- C:\Windows\System\lPBONyC.exe
  C:\Windows\System\lPBONyC.exe
  2⤵
  PID:11940
- C:\Windows\System\QjXiLRh.exe
  C:\Windows\System\QjXiLRh.exe
  2⤵
  PID:12348
- C:\Windows\System\VqWJzTI.exe
  C:\Windows\System\VqWJzTI.exe
  2⤵
  PID:12604
- C:\Windows\System\copBhjO.exe
  C:\Windows\System\copBhjO.exe
  2⤵
  PID:12728
- C:\Windows\System\HAOqXIG.exe
  C:\Windows\System\HAOqXIG.exe
  2⤵
  PID:12792
- C:\Windows\System\PyjKuAt.exe
  C:\Windows\System\PyjKuAt.exe
  2⤵
  PID:12884
- C:\Windows\System\cbBYqjZ.exe
  C:\Windows\System\cbBYqjZ.exe
  2⤵
  PID:13052
- C:\Windows\System\KlIPuYu.exe
  C:\Windows\System\KlIPuYu.exe
  2⤵
  PID:9664
- C:\Windows\System\Wrlncxn.exe
  C:\Windows\System\Wrlncxn.exe
  2⤵
  PID:13296
- C:\Windows\System\zmKSCWy.exe
  C:\Windows\System\zmKSCWy.exe
  2⤵
  PID:4888
- C:\Windows\System\eLttpKP.exe
  C:\Windows\System\eLttpKP.exe
  2⤵
  PID:244
- C:\Windows\System\LhMCMYB.exe
  C:\Windows\System\LhMCMYB.exe
  2⤵
  PID:6376
- C:\Windows\System\NmjTsGr.exe
  C:\Windows\System\NmjTsGr.exe
  2⤵
  PID:10036
- C:\Windows\System\rLlvRUf.exe
  C:\Windows\System\rLlvRUf.exe
  2⤵
  PID:10120
- C:\Windows\System\kqaluev.exe
  C:\Windows\System\kqaluev.exe
  2⤵
  PID:5356
- C:\Windows\System\EdXLrOf.exe
  C:\Windows\System\EdXLrOf.exe
  2⤵
  PID:9456
- C:\Windows\System\mDFVSnu.exe
  C:\Windows\System\mDFVSnu.exe
  2⤵
  PID:9724
- C:\Windows\System\hXnhoUd.exe
  C:\Windows\System\hXnhoUd.exe
  2⤵
  PID:12548
- C:\Windows\System\JcNbhOR.exe
  C:\Windows\System\JcNbhOR.exe
  2⤵
  PID:12964
- C:\Windows\System\lPAgheH.exe
  C:\Windows\System\lPAgheH.exe
  2⤵
  PID:4548
- C:\Windows\System\kNziLaz.exe
  C:\Windows\System\kNziLaz.exe
  2⤵
  PID:3196
- C:\Windows\System\lcLyTMr.exe
  C:\Windows\System\lcLyTMr.exe
  2⤵
  PID:13160
- C:\Windows\System\apFCUeJ.exe
  C:\Windows\System\apFCUeJ.exe
  2⤵
  PID:6008
- C:\Windows\System\EQUISSj.exe
  C:\Windows\System\EQUISSj.exe
  2⤵
  PID:3168
- C:\Windows\System\Azfgnmn.exe
  C:\Windows\System\Azfgnmn.exe
  2⤵
  PID:4900
- C:\Windows\System\TcPtwYY.exe
  C:\Windows\System\TcPtwYY.exe
  2⤵
  PID:6408
- C:\Windows\System\bxNCDiw.exe
  C:\Windows\System\bxNCDiw.exe
  2⤵
  PID:14216
- C:\Windows\System\Qqhpvuw.exe
  C:\Windows\System\Qqhpvuw.exe
  2⤵
  PID:13432
- C:\Windows\System\xMqBhcE.exe
  C:\Windows\System\xMqBhcE.exe
  2⤵
  PID:14264
- C:\Windows\System\BrJOQAu.exe
  C:\Windows\System\BrJOQAu.exe
  2⤵
  PID:13524
- C:\Windows\System\DiYAqFL.exe
  C:\Windows\System\DiYAqFL.exe
  2⤵
  PID:13600
- C:\Windows\System\FGPeSUY.exe
  C:\Windows\System\FGPeSUY.exe
  2⤵
  PID:3688
- C:\Windows\System\TAPAJrr.exe
  C:\Windows\System\TAPAJrr.exe
  2⤵
  PID:208
- C:\Windows\System\iWiSCzw.exe
  C:\Windows\System\iWiSCzw.exe
  2⤵
  PID:1736
- C:\Windows\System\WaolYDU.exe
  C:\Windows\System\WaolYDU.exe
  2⤵
  PID:10520
- C:\Windows\System\JUCuani.exe
  C:\Windows\System\JUCuani.exe
  2⤵
  PID:3500
- C:\Windows\System\juEebUy.exe
  C:\Windows\System\juEebUy.exe
  2⤵
  PID:2668
- C:\Windows\System\LUqucPK.exe
  C:\Windows\System\LUqucPK.exe
  2⤵
  PID:1012
- C:\Windows\System\odhXqNX.exe
  C:\Windows\System\odhXqNX.exe
  2⤵
  PID:13872
- C:\Windows\System\iQeeQpu.exe
  C:\Windows\System\iQeeQpu.exe
  2⤵
  PID:10980
- C:\Windows\System\DgKAzrA.exe
  C:\Windows\System\DgKAzrA.exe
  2⤵
  PID:7148
- C:\Windows\System\AIileyg.exe
  C:\Windows\System\AIileyg.exe
  2⤵
  PID:2400
- C:\Windows\System\XHoAxgj.exe
  C:\Windows\System\XHoAxgj.exe
  2⤵
  PID:11064
- C:\Windows\System\uxFvoFr.exe
  C:\Windows\System\uxFvoFr.exe
  2⤵
  PID:2964
- C:\Windows\System\MoGTVdM.exe
  C:\Windows\System\MoGTVdM.exe
  2⤵
  PID:8908
- C:\Windows\System\ojlNhtt.exe
  C:\Windows\System\ojlNhtt.exe
  2⤵
  PID:11672
- C:\Windows\System\CqKaxKb.exe
  C:\Windows\System\CqKaxKb.exe
  2⤵
  PID:11868
- C:\Windows\System\mgMhCWK.exe
  C:\Windows\System\mgMhCWK.exe
  2⤵
  PID:12044
- C:\Windows\System\JoVxUJs.exe
  C:\Windows\System\JoVxUJs.exe
  2⤵
  PID:11592
- C:\Windows\System\qpKCJds.exe
  C:\Windows\System\qpKCJds.exe
  2⤵
  PID:12076
- C:\Windows\System\PFDMlZw.exe
  C:\Windows\System\PFDMlZw.exe
  2⤵
  PID:11396
- C:\Windows\System\XzHKtGq.exe
  C:\Windows\System\XzHKtGq.exe
  2⤵
  PID:12800
- C:\Windows\System\KpWAzqj.exe
  C:\Windows\System\KpWAzqj.exe
  2⤵
  PID:9580
- C:\Windows\System\DUwzSlh.exe
  C:\Windows\System\DUwzSlh.exe
  2⤵
  PID:9728
- C:\Windows\System\cJkAduW.exe
  C:\Windows\System\cJkAduW.exe
  2⤵
  PID:13024
- C:\Windows\System\CoqwhVc.exe
  C:\Windows\System\CoqwhVc.exe
  2⤵
  PID:13072
- C:\Windows\System\pvUdtse.exe
  C:\Windows\System\pvUdtse.exe
  2⤵
  PID:12692
- C:\Windows\System\mBuSJKO.exe
  C:\Windows\System\mBuSJKO.exe
  2⤵
  PID:10084
- C:\Windows\System\UTrENAc.exe
  C:\Windows\System\UTrENAc.exe
  2⤵
  PID:13448
- C:\Windows\System\vqaAeDc.exe
  C:\Windows\System\vqaAeDc.exe
  2⤵
  PID:13744
- C:\Windows\System\ZRUUtPc.exe
  C:\Windows\System\ZRUUtPc.exe
  2⤵
  PID:13976
- C:\Windows\System\XInpyYq.exe
  C:\Windows\System\XInpyYq.exe
  2⤵
  PID:11308
- C:\Windows\System\ZngMPPH.exe
  C:\Windows\System\ZngMPPH.exe
  2⤵
  PID:3056
- C:\Windows\System\KtZtSQZ.exe
  C:\Windows\System\KtZtSQZ.exe
  2⤵
  PID:7628
- C:\Windows\System\elcQWjA.exe
  C:\Windows\System\elcQWjA.exe
  2⤵
  PID:7908
- C:\Windows\System\pBnUbTm.exe
  C:\Windows\System\pBnUbTm.exe
  2⤵
  PID:11444
- C:\Windows\System\nwZQKvy.exe
  C:\Windows\System\nwZQKvy.exe
  2⤵
  PID:8612
- C:\Windows\System\SrpezNB.exe
  C:\Windows\System\SrpezNB.exe
  2⤵
  PID:10408
- C:\Windows\System\YWkAMtI.exe
  C:\Windows\System\YWkAMtI.exe
  2⤵
  PID:4284
- C:\Windows\System\NgfTaUA.exe
  C:\Windows\System\NgfTaUA.exe
  2⤵
  PID:13032
- C:\Windows\System\rumsxjy.exe
  C:\Windows\System\rumsxjy.exe
  2⤵
  PID:14272
- C:\Windows\System\EpDtUjV.exe
  C:\Windows\System\EpDtUjV.exe
  2⤵
  PID:13664
- C:\Windows\System\WjxvZCa.exe
  C:\Windows\System\WjxvZCa.exe
  2⤵
  PID:13748
- C:\Windows\System\xQzsiVk.exe
  C:\Windows\System\xQzsiVk.exe
  2⤵
  PID:12432
- C:\Windows\System\jQLQZep.exe
  C:\Windows\System\jQLQZep.exe
  2⤵
  PID:8544
- C:\Windows\System\fCllORV.exe
  C:\Windows\System\fCllORV.exe
  2⤵
  PID:13016
- C:\Windows\System\hhhzZlo.exe
  C:\Windows\System\hhhzZlo.exe
  2⤵
  PID:12404
- C:\Windows\System\gLFrfef.exe
  C:\Windows\System\gLFrfef.exe
  2⤵
  PID:13504
- C:\Windows\System\fDpQPub.exe
  C:\Windows\System\fDpQPub.exe
  2⤵
  PID:11076
- C:\Windows\System\nioAJAA.exe
  C:\Windows\System\nioAJAA.exe
  2⤵
  PID:1620
- C:\Windows\System\uXIYmsY.exe
  C:\Windows\System\uXIYmsY.exe
  2⤵
  PID:1408
- C:\Windows\System\OFRuikU.exe
  C:\Windows\System\OFRuikU.exe
  2⤵
  PID:4956
- C:\Windows\System\nrRakmw.exe
  C:\Windows\System\nrRakmw.exe
  2⤵
  PID:12128
- C:\Windows\System\cYaeoLg.exe
  C:\Windows\System\cYaeoLg.exe
  2⤵
  PID:13888
- C:\Windows\System\LmEbGts.exe
  C:\Windows\System\LmEbGts.exe
  2⤵
  PID:12232
- C:\Windows\System\OGXreff.exe
  C:\Windows\System\OGXreff.exe
  2⤵
  PID:13276
- C:\Windows\System\rRJoTGS.exe
  C:\Windows\System\rRJoTGS.exe
  2⤵
  PID:12752
- C:\Windows\System\wIWxTni.exe
  C:\Windows\System\wIWxTni.exe
  2⤵
  PID:12456
- C:\Windows\System\vunvcsi.exe
  C:\Windows\System\vunvcsi.exe
  2⤵
  PID:10644
- C:\Windows\System\goZWUYD.exe
  C:\Windows\System\goZWUYD.exe
  2⤵
  PID:4100
- C:\Windows\System\KZDCCcr.exe
  C:\Windows\System\KZDCCcr.exe
  2⤵
  PID:10636
- C:\Windows\System\WwBCNuA.exe
  C:\Windows\System\WwBCNuA.exe
  2⤵
  PID:7772
- C:\Windows\System\QvbpKKd.exe
  C:\Windows\System\QvbpKKd.exe
  2⤵
  PID:1056
- C:\Windows\System\dycWBcF.exe
  C:\Windows\System\dycWBcF.exe
  2⤵
  PID:11980
- C:\Windows\System\zbBkpXV.exe
  C:\Windows\System\zbBkpXV.exe
  2⤵
  PID:11348
- C:\Windows\System\odJRsNP.exe
  C:\Windows\System\odJRsNP.exe
  2⤵
  PID:220
- C:\Windows\System\jbDEtun.exe
  C:\Windows\System\jbDEtun.exe
  2⤵
  PID:2828
- C:\Windows\System\VJjuOCD.exe
  C:\Windows\System\VJjuOCD.exe
  2⤵
  PID:7336
- C:\Windows\System\dgHINUT.exe
  C:\Windows\System\dgHINUT.exe
  2⤵
  PID:4376
- C:\Windows\System\nGBXlyl.exe
  C:\Windows\System\nGBXlyl.exe
  2⤵
  PID:13684
- C:\Windows\System\qAWMyLY.exe
  C:\Windows\System\qAWMyLY.exe
  2⤵
  PID:12396
- C:\Windows\System\gtwdNdQ.exe
  C:\Windows\System\gtwdNdQ.exe
  2⤵
  PID:10680
- C:\Windows\System\tRDhpDO.exe
  C:\Windows\System\tRDhpDO.exe
  2⤵
  PID:12940
- C:\Windows\System\TWWaWHP.exe
  C:\Windows\System\TWWaWHP.exe
  2⤵
  PID:3932
- C:\Windows\System\DIkEhsn.exe
  C:\Windows\System\DIkEhsn.exe
  2⤵
  PID:13552
- C:\Windows\System\SdpvApZ.exe
  C:\Windows\System\SdpvApZ.exe
  2⤵
  PID:440
- C:\Windows\System\fOsKJrc.exe
  C:\Windows\System\fOsKJrc.exe
  2⤵
  PID:11872
- C:\Windows\System\tvnQmft.exe
  C:\Windows\System\tvnQmft.exe
  2⤵
  PID:14532
- C:\Windows\System\IlFWvjI.exe
  C:\Windows\System\IlFWvjI.exe
  2⤵
  PID:14620
- C:\Windows\System\PaNapdR.exe
  C:\Windows\System\PaNapdR.exe
  2⤵
  PID:14724
- C:\Windows\System\VucEcFe.exe
  C:\Windows\System\VucEcFe.exe
  2⤵
  PID:14764
- C:\Windows\System\jlIznYo.exe
  C:\Windows\System\jlIznYo.exe
  2⤵
  PID:14820
- C:\Windows\System\vZoabgs.exe
  C:\Windows\System\vZoabgs.exe
  2⤵
  PID:14876
- C:\Windows\System\FPxJyTB.exe
  C:\Windows\System\FPxJyTB.exe
  2⤵
  PID:14908
- C:\Windows\System\KoihCxM.exe
  C:\Windows\System\KoihCxM.exe
  2⤵
  PID:14932
- C:\Windows\System\zqQIewL.exe
  C:\Windows\System\zqQIewL.exe
  2⤵
  PID:14992
- C:\Windows\System\yDuKIah.exe
  C:\Windows\System\yDuKIah.exe
  2⤵
  PID:15048
- C:\Windows\System\zMxDBCY.exe
  C:\Windows\System\zMxDBCY.exe
  2⤵
  PID:15084
- C:\Windows\System\juZMfgx.exe
  C:\Windows\System\juZMfgx.exe
  2⤵
  PID:15136
- C:\Windows\System\KGekmNG.exe
  C:\Windows\System\KGekmNG.exe
  2⤵
  PID:15156
- C:\Windows\System\QpHcbGd.exe
  C:\Windows\System\QpHcbGd.exe
  2⤵
  PID:15300
- C:\Windows\System\sdOTmec.exe
  C:\Windows\System\sdOTmec.exe
  2⤵
  PID:15332
- C:\Windows\System\qOXLtil.exe
  C:\Windows\System\qOXLtil.exe
  2⤵
  PID:13376
- C:\Windows\System\wdrCzmV.exe
  C:\Windows\System\wdrCzmV.exe
  2⤵
  PID:14348
- C:\Windows\System\LOjnqQg.exe
  C:\Windows\System\LOjnqQg.exe
  2⤵
  PID:3788
- C:\Windows\System\bSuRshL.exe
  C:\Windows\System\bSuRshL.exe
  2⤵
  PID:14516
- C:\Windows\System\pDILUVh.exe
  C:\Windows\System\pDILUVh.exe
  2⤵
  PID:2012
- C:\Windows\System\LwmczmU.exe
  C:\Windows\System\LwmczmU.exe
  2⤵
  PID:5636
- C:\Windows\System\ZldMZEl.exe
  C:\Windows\System\ZldMZEl.exe
  2⤵
  PID:14492
- C:\Windows\System\zZqVvlr.exe
  C:\Windows\System\zZqVvlr.exe
  2⤵
  PID:14512
- C:\Windows\System\jLsLlJO.exe
  C:\Windows\System\jLsLlJO.exe
  2⤵
  PID:14576
- C:\Windows\System\IlmTYgH.exe
  C:\Windows\System\IlmTYgH.exe
  2⤵
  PID:14408
- C:\Windows\System\ZVumdZT.exe
  C:\Windows\System\ZVumdZT.exe
  2⤵
  PID:14440
- C:\Windows\System\imaZzqd.exe
  C:\Windows\System\imaZzqd.exe
  2⤵
  PID:1476
- C:\Windows\System\GPtYMkf.exe
  C:\Windows\System\GPtYMkf.exe
  2⤵
  PID:11820
- C:\Windows\System\YFxHuEZ.exe
  C:\Windows\System\YFxHuEZ.exe
  2⤵
  PID:14612
- C:\Windows\System\Wuffkzo.exe
  C:\Windows\System\Wuffkzo.exe
  2⤵
  PID:14680
- C:\Windows\System\UMBteYh.exe
  C:\Windows\System\UMBteYh.exe
  2⤵
  PID:14956
- C:\Windows\System\OdeUxIA.exe
  C:\Windows\System\OdeUxIA.exe
  2⤵
  PID:15036
- C:\Windows\System\ElffDpN.exe
  C:\Windows\System\ElffDpN.exe
  2⤵
  PID:4188
- C:\Windows\System\owhIQCH.exe
  C:\Windows\System\owhIQCH.exe
  2⤵
  PID:15148
- C:\Windows\System\dWxNOqU.exe
  C:\Windows\System\dWxNOqU.exe
  2⤵
  PID:15244
- C:\Windows\System\NKWanlt.exe
  C:\Windows\System\NKWanlt.exe
  2⤵
  PID:15240
- C:\Windows\System\hspXQAM.exe
  C:\Windows\System\hspXQAM.exe
  2⤵
  PID:15284
- C:\Windows\System\vpYjUmZ.exe
  C:\Windows\System\vpYjUmZ.exe
  2⤵
  PID:11928
- C:\Windows\System\IANTmPr.exe
  C:\Windows\System\IANTmPr.exe
  2⤵
  PID:3888
- C:\Windows\System\vCgbvTN.exe
  C:\Windows\System\vCgbvTN.exe
  2⤵
  PID:14552
- C:\Windows\System\DWurLVW.exe
  C:\Windows\System\DWurLVW.exe
  2⤵
  PID:14436
- C:\Windows\System\ZQNlOmD.exe
  C:\Windows\System\ZQNlOmD.exe
  2⤵
  PID:12376
- C:\Windows\System\RNfqGLI.exe
  C:\Windows\System\RNfqGLI.exe
  2⤵
  PID:8984
- C:\Windows\System\REzekWr.exe
  C:\Windows\System\REzekWr.exe
  2⤵
  PID:12656
- C:\Windows\System\HlIkNjb.exe
  C:\Windows\System\HlIkNjb.exe
  2⤵
  PID:13116
- C:\Windows\System\eLhhzDO.exe
  C:\Windows\System\eLhhzDO.exe
  2⤵
  PID:14184
- C:\Windows\System\CzDJvsl.exe
  C:\Windows\System\CzDJvsl.exe
  2⤵
  PID:13548
- C:\Windows\System\QzyKhpf.exe
  C:\Windows\System\QzyKhpf.exe
  2⤵
  PID:14156
- C:\Windows\System\RBeJYHU.exe
  C:\Windows\System\RBeJYHU.exe
  2⤵
  PID:15064
- C:\Windows\System\OqQPnFU.exe
  C:\Windows\System\OqQPnFU.exe
  2⤵
  PID:14780
- C:\Windows\System\XECaNqa.exe
  C:\Windows\System\XECaNqa.exe
  2⤵
  PID:3100
- C:\Windows\System\XXUCbyb.exe
  C:\Windows\System\XXUCbyb.exe
  2⤵
  PID:10236
- C:\Windows\System\SEWZLok.exe
  C:\Windows\System\SEWZLok.exe
  2⤵
  PID:13444
- C:\Windows\System\sYdmIlP.exe
  C:\Windows\System\sYdmIlP.exe
  2⤵
  PID:13812
- C:\Windows\System\dCPUtqS.exe
  C:\Windows\System\dCPUtqS.exe
  2⤵
  PID:13864
- C:\Windows\System\GHCMKzP.exe
  C:\Windows\System\GHCMKzP.exe
  2⤵
  PID:8180
- C:\Windows\System\pbJnDlv.exe
  C:\Windows\System\pbJnDlv.exe
  2⤵
  PID:11596
- C:\Windows\System\UHnTqrg.exe
  C:\Windows\System\UHnTqrg.exe
  2⤵
  PID:14420
- C:\Windows\System\kVSSOWg.exe
  C:\Windows\System\kVSSOWg.exe
  2⤵
  PID:3596
- C:\Windows\System\DLzeKlh.exe
  C:\Windows\System\DLzeKlh.exe
  2⤵
  PID:14384
- C:\Windows\System\qQGoZii.exe
  C:\Windows\System\qQGoZii.exe
  2⤵
  PID:14480
- C:\Windows\System\XisfeaN.exe
  C:\Windows\System\XisfeaN.exe
  2⤵
  PID:15316
- C:\Windows\System\psLjMZO.exe
  C:\Windows\System\psLjMZO.exe
  2⤵
  PID:13956
- C:\Windows\System\mlQMGge.exe
  C:\Windows\System\mlQMGge.exe
  2⤵
  PID:13468
- C:\Windows\System\QXeHiGX.exe
  C:\Windows\System\QXeHiGX.exe
  2⤵
  PID:3672
- C:\Windows\System\yaARKzl.exe
  C:\Windows\System\yaARKzl.exe
  2⤵
  PID:9272
- C:\Windows\System\ZKRsKiQ.exe
  C:\Windows\System\ZKRsKiQ.exe
  2⤵
  PID:9476
- C:\Windows\System\MsDiFRR.exe
  C:\Windows\System\MsDiFRR.exe
  2⤵
  PID:5408
- C:\Windows\System\OvlGIZQ.exe
  C:\Windows\System\OvlGIZQ.exe
  2⤵
  PID:15152
- C:\Windows\System\CvRGMkX.exe
  C:\Windows\System\CvRGMkX.exe
  2⤵
  PID:14004
- C:\Windows\System\lMxAOta.exe
  C:\Windows\System\lMxAOta.exe
  2⤵
  PID:2700
- C:\Windows\System\rYuiEgK.exe
  C:\Windows\System\rYuiEgK.exe
  2⤵
  PID:7224
- C:\Windows\System\CHDZqqA.exe
  C:\Windows\System\CHDZqqA.exe
  2⤵
  PID:7356
- C:\Windows\System\KVLMGcl.exe
  C:\Windows\System\KVLMGcl.exe
  2⤵
  PID:7480
- C:\Windows\System\qUzQOdc.exe
  C:\Windows\System\qUzQOdc.exe
  2⤵
  PID:8080
- C:\Windows\System\TWYPPPk.exe
  C:\Windows\System\TWYPPPk.exe
  2⤵
  PID:14268
- C:\Windows\System\AICOccZ.exe
  C:\Windows\System\AICOccZ.exe
  2⤵
  PID:4716
- C:\Windows\System\AdkSnxE.exe
  C:\Windows\System\AdkSnxE.exe
  2⤵
  PID:6948
- C:\Windows\System\qqsSeWG.exe
  C:\Windows\System\qqsSeWG.exe
  2⤵
  PID:8776
- C:\Windows\System\ICzmQdI.exe
  C:\Windows\System\ICzmQdI.exe
  2⤵
  PID:4720
- C:\Windows\System\huOrexH.exe
  C:\Windows\System\huOrexH.exe
  2⤵
  PID:4876
- C:\Windows\System\orurcSm.exe
  C:\Windows\System\orurcSm.exe
  2⤵
  PID:14916
- C:\Windows\System\apImoEA.exe
  C:\Windows\System\apImoEA.exe
  2⤵
  PID:6856
- C:\Windows\System\xuKtfsj.exe
  C:\Windows\System\xuKtfsj.exe
  2⤵
  PID:14812
- C:\Windows\System\aHsQRDO.exe
  C:\Windows\System\aHsQRDO.exe
  2⤵
  PID:14828
- C:\Windows\System\wzLMcuz.exe
  C:\Windows\System\wzLMcuz.exe
  2⤵
  PID:13924
- C:\Windows\System\NvyBZzg.exe
  C:\Windows\System\NvyBZzg.exe
  2⤵
  PID:4652
- C:\Windows\System\ilCQFxL.exe
  C:\Windows\System\ilCQFxL.exe
  2⤵
  PID:14892
- C:\Windows\System\DBJTvnx.exe
  C:\Windows\System\DBJTvnx.exe
  2⤵
  PID:14860

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:7396
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:11856

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12992

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:14652

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:14808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6780

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\OCW8WCW9\microsoft.windows[1].xml

Filesize
97B

MD5
ff57f2ed79a718a086d79233df745b0c

SHA1
364f032900479844bdfdee4e49bf6a3fd41ab833

SHA256
543c84d6cc853caf483d68720925f1e4b34e4319f7317eec24a29f077a32e2be

SHA512
20d7307b3b8af5af2bd251370f0d14bdebdf5e2a8fbc956a7e18985b9f206701ad9b74c6bd6f9161a4013a303b07475eea47d0ae5c277c1f83b7083b1e168a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dgftf25.m2p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AGxRzIy.exe

Filesize
5.7MB

MD5
5b535f25112df47530fe8d69f2381924

SHA1
51408a084f9b0ebe85dd6be238603bf73ea9f239

SHA256
9b842f082aab82493cb62f360387901dfdc31ef776702977c112ffe5ef3dd8dd

SHA512
8cf461f438a8f1b9e6443a13fc2da7d42c3d2f290857cbb6b82f588ed4d648dc6fe6f1b397b83c193d332c3a517e9d818c9026526cb688192eb7632c067f03fc

Download Submit
C:\Windows\System\FBOyzQD.exe

Filesize
8B

MD5
b00d06b75f1541b38fd025720a24a292

SHA1
e6c4b4383b5f6c994f03304ae6ce327120447ffa

SHA256
53288ef1c75ef5e3ad3e20e2dc6bbaa2d350806c888b94505dec70a5f5322e1c

SHA512
60a02be4e13fc78cadc45baf188c9f871ddb974882db82fbff0628292efacae8b29baed5536abde170ecb70b6071f65dca75a0aded139c62d9c7af45a9ba24e9

Download Submit
C:\Windows\System\HXYeERL.exe

Filesize
5.8MB

MD5
f891e5afb72bd108b064ac3314ab5535

SHA1
2a9e155d6f32bf21b5b2f8acbd44a96192992f61

SHA256
37fac54dfb31c743bd31cc3b5d6a8fa5194198b2ebb7be63cfcf61bce0e8211a

SHA512
7f5be70575dc29e02a9a05871911826f794f86141d9150f27e605f112a6e84972c07cee39f4ba4d34b449a683611d14dca37e1606b47f2bd0428a818e799a749

Download Submit
C:\Windows\System\IJYDQPL.exe

Filesize
5.8MB

MD5
f3c38c13e3274594b64d3b37223f0446

SHA1
0e5871066020244f6c85458a98f7dffa6340c12a

SHA256
f08b3337555234b3df665b074c4f1cb4bb4ef151147290fceb3c95559081c969

SHA512
83f89fb0f1de70ebb89098eba68907939d7be88a509a634951fae399435420eee4753593249d23d8ad9845d7b31acb4ee5f18276ae1441af61cf3838554b0b65

Download Submit
C:\Windows\System\IaWIPXl.exe

Filesize
5.8MB

MD5
08d423e484fa47fecf4f0245896e0b87

SHA1
971536d2cc5b9320e1da7c3da0d5bbbd16b8c45d

SHA256
d8532c388577722e126764a82f6a53bb4bbd8d10ea74e17cdd0a99ded391fe6b

SHA512
77e636331d460498d3b4aacd701768eb790459f35ae79fbe4020e5c6f68bec74ccc6cd66300904fc76d384fda8016fe67b3a20dfd070c8a676df6fd3605049ab

Download Submit
C:\Windows\System\Jhrtime.exe

Filesize
5.8MB

MD5
686e98d0f1a00bec3c7f29feb2800f02

SHA1
5b494ef9a7fc10f0a0e2f859100c8ec8330939d2

SHA256
8d9d1c895860f888b070aa27235759c77f599be517eb651b66b61ef27320c379

SHA512
d8eab6451c6848de11eedd18b850145f3ba0c635003be5b6eee3c070f9981e48ebab686b81ca383fc59593c8eec8e126b8834e4ca2f5e6af6069f5d5bbe6d196

Download Submit
C:\Windows\System\KSRzpvc.exe

Filesize
5.8MB

MD5
b6197c95de8c28912764940d3f3063be

SHA1
37d62342dbe01fb38aa9e619533d5d9c809c3d16

SHA256
b4ab389d2ad416f59b2cbb528f3ed8742dff1d84c06668af4f5431d4856566c0

SHA512
13a538c8cb01901ff12ae65677d6a7a502d86231ae2717c8852fb918c9f26cd233f6c2295b4cad3e124cdeee33effb3a69edef43293c836d93805b33a45c08bf

Download Submit
C:\Windows\System\KqjhNFF.exe

Filesize
5.8MB

MD5
b2f601152a9f9e8098be700379700150

SHA1
1b1bab9665bf71c027c2f8725bebc509b90e0381

SHA256
51324b645ca1c8eed4a3a0b12d6967e15e3e30b42492960bfb47aebcc6786e16

SHA512
29aa55c7f251e55bd18da63721dbf284ccd833bce360cc2a56b215450dea1c9356e1063e625574d055e87c9ba40153dac9ff224332db0cb8e73a12f6569fd60f

Download Submit
C:\Windows\System\LYJcbDI.exe

Filesize
5.8MB

MD5
f1a4a9499f8aa42919050a5e139d4e3e

SHA1
a5d7430e4267d404f06d1d825b3b991f92a6e593

SHA256
4c9526ddc2771af2504f8a3c4fe2f1a12a64720052c522be68055d89774e1af6

SHA512
b0732524f2743d0de84763d74de128288d9fe94fcd167a4a278382bf461f91d775cc00f9cc4a297e4277cc20973be30bba4558127730d810d5b733a2bc9966e7

Download Submit
C:\Windows\System\MfQNsjD.exe

Filesize
5.7MB

MD5
f8928e4257f679b14070363caf644749

SHA1
bea8aa59a0b13c4d4b508af7a8f37cd874187387

SHA256
c3b8d81539b805a85e5907b17da3c1c08b3ba01b8bcc38f469d577e1a5852dd2

SHA512
9987030a671d01a98487c794953db80d1f5bde315ad9ee7992fad4e5d03cf077c63f31ce9a6404ca562a5c2fa994cbd3fc27e711bf7f4989602155b3d3795c23

Download Submit
C:\Windows\System\MtspIPW.exe

Filesize
5.7MB

MD5
a98e65246ed905b622e86c3e9ebf5d8b

SHA1
b7c1032f15408cdcbfdf4f15e45bf14ef16fff30

SHA256
391871f8f2a345ac03d9323e89105802a97bc420c2075eb57236d1b0290d0360

SHA512
ae40a3e0ec319410033823e345c10669de279299ed50d158758277a84c67e47f6a9e5dfda0905890de75d9dfd8ef5b5ff2f84d91a0789c3345a53beffe6c6133

Download Submit
C:\Windows\System\NeLGYAx.exe

Filesize
5.8MB

MD5
b654d314de7e32ace7a5a09af7c21f2e

SHA1
f157d44186d0b10bb88bdc9a4daee5a6aa24b84c

SHA256
61c24d40b0632cdc33d376cf5f598b44a01789be8ea3d9f94053bf5de5a7dc55

SHA512
aebfc779b982819155f0a7c09a328f303bfda2d0c9bf32be652b6536becf9efaeceddbd112087b1b47b9c886888b01890a99297b407482277c1c4e850d949bb3

Download Submit
C:\Windows\System\PMqqudU.exe

Filesize
5.7MB

MD5
790a3bbff30aaee8391b0db0cab73521

SHA1
044ae0096577ebf60f4da9508bcfe55d5f7f04b6

SHA256
ecd42c2c8cf4483e7e99ef8d37680335616b489115aa30b46e81736d8f13425e

SHA512
3ce7ecfbf9c90633b369d0f3466fabe2fec1d061a9564dc154957fad80c9e05bdbbfe120ab0922a473f03d423813797eb703dec5a2639c9f7a99285a3fd601aa

Download Submit
C:\Windows\System\PNipYrv.exe

Filesize
5.7MB

MD5
7507843df67886117e0f8c6fc1fc32fc

SHA1
d9316e57632d00ce2455c16ad724a71f8daa56bb

SHA256
3d83d69597c7b83e62f4fafe1a62d53246537ba0466e68928a5512613452e470

SHA512
eea2835178cbad0213a678f0c581e26f7096ceefff514cb758974f879871e0151b9cf8ccf19942f12c522dbf629c85566a431a9b8c54a91ecbe9eaa1604133e6

Download Submit
C:\Windows\System\QFKIciu.exe

Filesize
5.8MB

MD5
7ffd7d92bda46a0acf1b4b493fc9fc47

SHA1
4c2fc7d75e5b204ad6eda9f09197e7c2ce70a6f4

SHA256
04ce2c153aac3d5c09a3b7663a991122714f9ada14a8046c2a844dcff88f7829

SHA512
58984c3aa101295b58315bff740215ea0bc1ab6e5fd0829f3aa76222a14222f67fd27bec66932bfe7e845c93dad2cd0e5067d03709df89552c2632b41e7f6dbd

Download Submit
C:\Windows\System\SguDxlk.exe

Filesize
5.7MB

MD5
bacf2fe6594a22036cb60b01467463c1

SHA1
7b1cc308b144cd4e2944c800d009ab5c11b94569

SHA256
e7a9b1049f03a1938fff5fe85ec70be8c4a3278f3a237783ed0efa706a0548a8

SHA512
e356d16d8a5ce0b3af2c9b50bd798face9ac25bb1c294d9f646eaaf28fd46bbf78f2fe103c8703b84ab0cc043dde56957dc107ccbea86f0c60e715d31e7baae0

Download Submit
C:\Windows\System\VOIdoyu.exe

Filesize
5.8MB

MD5
0a16fd6e1b9939c0753db1a011261bfc

SHA1
ab0dd45967315d706c279064a66c96e8b9de6d86

SHA256
48959575f6edec0b1aa0c5c44008a0f326e7bddbe62bde47d110f3e700f33bb0

SHA512
c4fc594c7d2298283b61ed42e421b4b6e0d3d966b0dace432396f0370f46d4a7c201a2f98f1ca8459220044ea6ac75a6f69d0a5b6d3ade83e6082ffe8596e454

Download Submit
C:\Windows\System\XBSFwJx.exe

Filesize
5.7MB

MD5
702816736588ce952f36fff8ae4ca0a5

SHA1
a6c7abd3dc0509d85eb1ad03842fca2d06e5c84b

SHA256
0e418996007273588d1894ea35aaf163b837721a5d6907fb93f708630cc2f7b0

SHA512
31eabcb9a98943e1378affcd067117715235203cffe8833e3d02297524c34effa8a9610a1dce52f1697fe09d356cfd446bff6116d474abe6033616d659557f29

Download Submit
C:\Windows\System\YNZpvor.exe

Filesize
5.7MB

MD5
f55a02356fb816a718c7f5e3b700e4f5

SHA1
0c61842d77a75de476507c829ed3fc89445ae7cd

SHA256
4070f113f9a25b39464a6a26cc52abf63dc203278b337432f8433cf3107f3d92

SHA512
ea046626ed7500cad8a13671e21de20dc869669ff297d590d7074795cd21456e24bd95869a762dfcaccf5893de5f7e418fd9c019887151311c60c85d84f0a1de

Download Submit
C:\Windows\System\adayqSn.exe

Filesize
5.8MB

MD5
3e37d6063c8bdbeff62f2e902fcabccd

SHA1
f1d898dcebd6343382b5fce033722fd8eb304575

SHA256
f5fe72876d2827efec90f1829dbb0fde373f51f3351369d5811fc92b7c0476c4

SHA512
89b6c7bd77f9e3eb6399c1f360afa3cc72b54accca74a753da6af76c29fefc33d8404a34778703c7b0bc3af2c92f914df36cc224f9fb98284a8eed0c93f8b7da

Download Submit
C:\Windows\System\gEBaSrX.exe

Filesize
5.8MB

MD5
3cf7b470689433a6f05adf387a26df65

SHA1
e7ee120ce0f46c7c764cbe7fc94169e8478ca3a7

SHA256
6e04a202e2696de3b11883d8d5881d1a52dac5162619576b73665efcc0a91395

SHA512
a46c825db70477b2820db3a1efb6a5085f393eec53442696e29e77bc3b0473476ce4da845a53fa93c81f522c8a4a7408d7555df4804970d5edfbf2fe9c3b6191

Download Submit
C:\Windows\System\ibyxmLR.exe

Filesize
18B

MD5
b26ff59845991041689735c3b349a09b

SHA1
30b4e359aa09bb3d1f2fb1b8d112dacceaebecf8

SHA256
1841b9079fb389eb1565f9dd4e394ec6335fd17606a57f73a416b7224b36fa25

SHA512
cb80a38c9dd912307047dcd32d42cf3d30bc1e3c6bb0572679f2de7a601b5181af0fc1dc01a43f59ef8f5385bb862a2ccbe2383863153b1756a97095689162c4

Download Submit
C:\Windows\System\jWaIhmH.exe

Filesize
5.8MB

MD5
ce5d8522661e426875f2293d82d10cc8

SHA1
d995e78f3c03a9dcb7ccad0be444a9c9bcdf0c6a

SHA256
e3db18d11da37ac3c3ed98494b2143dfb53b76582792cf4fdc3c96b6a0936bc7

SHA512
6400e414cb53ff75a86f2599b21fd76233eb52f4c13aadd0bad9e62e14568db23983cb137b445b782175938948964d641046e0ef1acdc8ccf92cc66ddd3e8cc6

Download Submit
C:\Windows\System\joxPUkp.exe

Filesize
5.8MB

MD5
483f2f1b9b9bd7217cf80806f8c13060

SHA1
ed1336e55ed71a149ae02e58d96c0644a2e246c7

SHA256
a2f2e36ac10f99a886ebc8d826ffa6bed53ec17fa1c82371b104e3f5d85f0e9f

SHA512
2b8331c877b30b0787db4fe592dfa33a6528433da915e3172d5dfa89c5d9ce65fecc371f4f88db20fee539393742a1b56d49bbcd6a83fd742e6f24bdbc3c721e

Download Submit
C:\Windows\System\mKYlPvH.exe

Filesize
5.8MB

MD5
a17e69a1921527e5ab67388a257147b8

SHA1
371b381013074da8c9a625265f91a47d816cb66e

SHA256
3e380bcc2b83a31884be562396abc562beddc9cd728577435546ead6cd4816f4

SHA512
f429be7c42f71cb29ce0cdbb350295fcf61ead91af67b2bed1f48e65ab2eb2b06c2d8cf9805363780cb621f7dc472e778ec0517b31df51c01d6584586a22d4c2

Download Submit
C:\Windows\System\mbvJNZv.exe

Filesize
5.8MB

MD5
77fd83e3bc39d579586bf4741e56199a

SHA1
afe94461531dbb7e9aae5a43b0a7fdf76973371a

SHA256
4515e1978f81bed0437d79c18c2108deb24f9daebea82e2e2257257923382dbc

SHA512
5b8b1dd81a527d7c33e88366372ca13134942d74fb3dea262e63f05128a681ea3432b84d72cdea65408b44102ddf0979f9aee90e0e360d319629dc9438eedd60

Download Submit
C:\Windows\System\nWjSSgQ.exe

Filesize
5.8MB

MD5
c074cfda1fd1b2d9ae00ef9e9e246d0e

SHA1
8e136e4548ba31a1fa38a713e436289f23b30386

SHA256
199d937ef5d8cb632bbd044a9dbd4b808ffa7df6b85e60db0fbe4f54b3be6ff3

SHA512
15968c380255b9f88558c3ddfcdca5da86f03249efa1cb01fa1fb2a72b3fac0647ba109f0ee89fa5d1362c9514827ccc3d3a24b0a9065a902e0854a2c5f992b3

Download Submit
C:\Windows\System\rQIFNBy.exe

Filesize
5.8MB

MD5
aaf4edb86f23b78e11b18de8eee7f317

SHA1
01374208819b91f40fdc68bba14420e207217a12

SHA256
d11e0a899a4a087bd73c47098c0b294f4910d5bd3faf39b542365bf54be503cc

SHA512
57d96b4d6cd0f5246bf8aa258fe2e1ef143e342fa51272767c174103572618e6c96031d85be1114a060c6354400be4b8a7a7c1067fdb68276abcb76d638c8fcb

Download Submit
C:\Windows\System\rwdbLOZ.exe

Filesize
5.7MB

MD5
86963c8641410566a9c6c7436d161a64

SHA1
f7d207ef26d3a7c64e6ba0ff7e2f4b1c34e2c7cc

SHA256
2c64bc79df92d84786f93ab005402d8e6e4f06a7faab297c7349604915e5eff0

SHA512
137ce630dff0de44869cfd809e0cdfd920cc7070eca756f3bdbacff1871566ec3dc22a89bf06920800b53e7800d2b745ef7858beeaf67b10eefaca3dcffd3660

Download Submit
C:\Windows\System\wxrtoie.exe

Filesize
5.8MB

MD5
c30ceb052875cba79ab684313f8088a5

SHA1
542ea1fde959eb9fde57a49578981a8bc5c97080

SHA256
6bc5500a843080d1eafea0adc67fd33b3f2ce3580a7dc2380c1eed26fe74b328

SHA512
3d8746510626b43527344c7bfe0c663abb03b29f995c09036c4ef91467b707e5ab748c9a5ad151729e91c67c16a473675972bdaddceefd540a6402dc8f480437

Download Submit
C:\Windows\System\zIAeYMo.exe

Filesize
5.8MB

MD5
2f8b7091dff5c359ca2d6fa97629766a

SHA1
c86508c8a0821b93cffd48171224f5e76b9a89cc

SHA256
a0ec860e462bb3995ad14a37c6bb654dc5b39aa7a5b73d201dee6a33b8f037bd

SHA512
d3a3780e9aa0fb780fb66eb3fae2437aa4cd1455b31e5c480b5ad8a61e7d9611d2c1fa7d357675db33d5be4c0f69b20ec4e1dd2785ab7f1755653e76ed1fe3b3

Download Submit
C:\Windows\System\zOZNeJF.exe

Filesize
5.8MB

MD5
953a34d74052db27a180458476adcfe6

SHA1
c9a0b5b0c992ab0249b11a602202af872f5b551d

SHA256
1fd0fe01302f1e526534959413fcb571fbae8696cbe511fbd9134a511c80b5fb

SHA512
adf34aa1c2b92347d85f0b8dd9ad9dbe9c2b5526881e5e21a3479dd6f283e698ceae906f17f002fa8d0ce4843e5dec88d8fa5e1b0ebb318912c701e156d47447

Download Submit
C:\Windows\System\zbCRGrR.exe

Filesize
5.8MB

MD5
7f1d89ff30da949750f25aaa4d5fdc25

SHA1
1682158b0bc2d4d146999b24a25153da131c8396

SHA256
d8bd1338c6959be77528a90f096e79e81220b68d895603e26479bdbae564c682

SHA512
658ef424636f51ddca0d5b086a59072d3358fb98a7c13e03501146b69b5ff037b85547f256db31db2e0dc40cb9f984c2b698cda6eca8928b085622629163837a

Download Submit
C:\Windows\System\zeQfxGV.exe

Filesize
5.8MB

MD5
c99b2896a5c2e183eac99796257f0c25

SHA1
4028387caf3d17be0207109122174146c4f0a3bb

SHA256
184f7fbdbd59f846f3dbb06f13d36a538524e62c5f666feda6db06ec1d24c926

SHA512
596a10a7665338c7f76bb1b0cbf992c79d6bb33c51db6229b44a8092f32f43965a18ca99a27e1d4ecc038d7e02ef299de22e516295e049f74365e1f1e91807c5

Download Submit
memory/8-105-0x00007FF683910000-0x00007FF683D03000-memory.dmp

Filesize
3.9MB

Download
memory/752-125-0x00007FF749510000-0x00007FF749903000-memory.dmp

Filesize
3.9MB

Download
memory/752-3808-0x00007FF749510000-0x00007FF749903000-memory.dmp

Filesize
3.9MB

Download
memory/1032-108-0x00007FF7D67A0000-0x00007FF7D6B93000-memory.dmp

Filesize
3.9MB

Download
memory/1112-1-0x0000015530150000-0x0000015530160000-memory.dmp

Filesize
64KB

Download
memory/1112-141-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp

Filesize
3.9MB

Download
memory/1112-0-0x00007FF7FC520000-0x00007FF7FC913000-memory.dmp

Filesize
3.9MB

Download
memory/1516-91-0x00007FF77A920000-0x00007FF77AD13000-memory.dmp

Filesize
3.9MB

Download
memory/1536-82-0x00007FF72CC60000-0x00007FF72D053000-memory.dmp

Filesize
3.9MB

Download
memory/1744-9-0x00007FF7734A0000-0x00007FF773893000-memory.dmp

Filesize
3.9MB

Download
memory/1744-163-0x00007FF7734A0000-0x00007FF773893000-memory.dmp

Filesize
3.9MB

Download
memory/1976-110-0x00007FF74BAA0000-0x00007FF74BE93000-memory.dmp

Filesize
3.9MB

Download
memory/2060-80-0x00007FF7F5360000-0x00007FF7F5753000-memory.dmp

Filesize
3.9MB

Download
memory/2200-131-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp

Filesize
3.9MB

Download
memory/2200-649-0x00007FF7812E0000-0x00007FF7816D3000-memory.dmp

Filesize
3.9MB

Download
memory/2260-3870-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp

Filesize
3.9MB

Download
memory/2260-749-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp

Filesize
3.9MB

Download
memory/2260-161-0x00007FF6BAF80000-0x00007FF6BB373000-memory.dmp

Filesize
3.9MB

Download
memory/2268-93-0x00007FF713870000-0x00007FF713C63000-memory.dmp

Filesize
3.9MB

Download
memory/2336-931-0x00007FF769330000-0x00007FF769723000-memory.dmp

Filesize
3.9MB

Download
memory/2336-183-0x00007FF769330000-0x00007FF769723000-memory.dmp

Filesize
3.9MB

Download
memory/2440-111-0x00007FF7824C0000-0x00007FF7828B3000-memory.dmp

Filesize
3.9MB

Download
memory/2472-150-0x00007FF70EAB0000-0x00007FF70EEA3000-memory.dmp

Filesize
3.9MB

Download
memory/2508-120-0x00007FF7167E0000-0x00007FF716BD3000-memory.dmp

Filesize
3.9MB

Download
memory/2584-176-0x00007FF6750A0000-0x00007FF675493000-memory.dmp

Filesize
3.9MB

Download
memory/2804-102-0x00007FF7503B0000-0x00007FF7507A3000-memory.dmp

Filesize
3.9MB

Download
memory/2896-86-0x00007FF6C9790000-0x00007FF6C9B83000-memory.dmp

Filesize
3.9MB

Download
memory/3268-167-0x00007FFEB3C00000-0x00007FFEB46C1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-206-0x00007FFEB3C03000-0x00007FFEB3C05000-memory.dmp

Filesize
8KB

Download
memory/3268-37-0x0000017A586F0000-0x0000017A58712000-memory.dmp

Filesize
136KB

Download
memory/3268-75-0x00007FFEB3C00000-0x00007FFEB46C1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-28-0x00007FFEB3C03000-0x00007FFEB3C05000-memory.dmp

Filesize
8KB

Download
memory/3268-43-0x00007FFEB3C00000-0x00007FFEB46C1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-112-0x0000017A71DD0000-0x0000017A72576000-memory.dmp

Filesize
7.6MB

Download
memory/4092-27-0x00007FF603E70000-0x00007FF604263000-memory.dmp

Filesize
3.9MB

Download
memory/4092-166-0x00007FF603E70000-0x00007FF604263000-memory.dmp

Filesize
3.9MB

Download
memory/4664-99-0x00007FF7BBB20000-0x00007FF7BBF13000-memory.dmp

Filesize
3.9MB

Download
memory/4812-139-0x00007FF67D620000-0x00007FF67DA13000-memory.dmp

Filesize
3.9MB

Download
memory/4920-109-0x00007FF631AF0000-0x00007FF631EE3000-memory.dmp

Filesize
3.9MB

Download
memory/5040-50-0x00007FF771670000-0x00007FF771A63000-memory.dmp

Filesize
3.9MB

Download
memory/5084-48-0x00007FF7E6B60000-0x00007FF7E6F53000-memory.dmp

Filesize
3.9MB

Download