xmrig | 75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c

Analysis

max time kernel
79s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
Size

1.4MB
MD5

33143f5fb33e9aeb79d9b53b760da4d6
SHA1

3e3426a3702b20b179fa16dd052f39b22560c179
SHA256

75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c
SHA512

d61a979ffa260324c728fcb76133a7b58aba09003c9e6a3accd6633feadb19b60401e8ece52093dae705749b64c3542573399898e692fdddd1f2ffe56931d283
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlia+zzDwD/YCgU+Lqq6a9bIA2SoJhl9gotfP26:knw9oUUEEDlnDwq6fXs+6

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1416-0-0x00007FF72D3D0000-0x00007FF72D7C1000-memory.dmp	UPX
behavioral2/files/0x000400000001e5eb-5.dat	UPX
behavioral2/files/0x0008000000023226-8.dat	UPX
behavioral2/memory/4588-14-0x00007FF62C560000-0x00007FF62C951000-memory.dmp	UPX
behavioral2/files/0x000900000002321f-11.dat	UPX
behavioral2/files/0x000700000002322a-18.dat	UPX
behavioral2/files/0x000700000002322a-25.dat	UPX
behavioral2/files/0x000700000002322b-34.dat	UPX
behavioral2/files/0x000700000002322c-36.dat	UPX
behavioral2/files/0x000700000002322e-40.dat	UPX
behavioral2/files/0x000700000002322d-43.dat	UPX
behavioral2/memory/3552-51-0x00007FF747F50000-0x00007FF748341000-memory.dmp	UPX
behavioral2/files/0x000700000002322f-53.dat	UPX
behavioral2/files/0x0008000000023227-68.dat	UPX
behavioral2/files/0x0007000000023232-73.dat	UPX
behavioral2/files/0x0007000000023234-81.dat	UPX
behavioral2/files/0x0007000000023239-108.dat	UPX
behavioral2/files/0x000700000002323e-134.dat	UPX
behavioral2/files/0x0007000000023241-148.dat	UPX
behavioral2/files/0x0007000000023243-158.dat	UPX
behavioral2/files/0x0007000000023245-169.dat	UPX
behavioral2/memory/1396-299-0x00007FF740260000-0x00007FF740651000-memory.dmp	UPX
behavioral2/memory/940-300-0x00007FF6F85D0000-0x00007FF6F89C1000-memory.dmp	UPX
behavioral2/memory/2432-301-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	UPX
behavioral2/memory/2788-303-0x00007FF7BF7E0000-0x00007FF7BFBD1000-memory.dmp	UPX
behavioral2/memory/2640-302-0x00007FF6FDD70000-0x00007FF6FE161000-memory.dmp	UPX
behavioral2/memory/1468-305-0x00007FF7A1E40000-0x00007FF7A2231000-memory.dmp	UPX
behavioral2/memory/3672-304-0x00007FF6CD200000-0x00007FF6CD5F1000-memory.dmp	UPX
behavioral2/memory/2376-306-0x00007FF7554F0000-0x00007FF7558E1000-memory.dmp	UPX
behavioral2/memory/3464-326-0x00007FF6B51F0000-0x00007FF6B55E1000-memory.dmp	UPX
behavioral2/memory/1308-333-0x00007FF7D7960000-0x00007FF7D7D51000-memory.dmp	UPX
behavioral2/memory/1788-344-0x00007FF6FBD60000-0x00007FF6FC151000-memory.dmp	UPX
behavioral2/memory/1016-355-0x00007FF7512C0000-0x00007FF7516B1000-memory.dmp	UPX
behavioral2/memory/4648-367-0x00007FF795810000-0x00007FF795C01000-memory.dmp	UPX
behavioral2/memory/4916-380-0x00007FF7D5BC0000-0x00007FF7D5FB1000-memory.dmp	UPX
behavioral2/memory/1944-388-0x00007FF60D690000-0x00007FF60DA81000-memory.dmp	UPX
behavioral2/memory/2796-420-0x00007FF729CB0000-0x00007FF72A0A1000-memory.dmp	UPX
behavioral2/memory/1480-433-0x00007FF712F40000-0x00007FF713331000-memory.dmp	UPX
behavioral2/memory/2956-440-0x00007FF6BE0A0000-0x00007FF6BE491000-memory.dmp	UPX
behavioral2/memory/436-449-0x00007FF7D3240000-0x00007FF7D3631000-memory.dmp	UPX
behavioral2/memory/1464-467-0x00007FF7A8CA0000-0x00007FF7A9091000-memory.dmp	UPX
behavioral2/memory/4616-475-0x00007FF681B20000-0x00007FF681F11000-memory.dmp	UPX
behavioral2/memory/3512-487-0x00007FF71B120000-0x00007FF71B511000-memory.dmp	UPX
behavioral2/memory/3524-504-0x00007FF72BFA0000-0x00007FF72C391000-memory.dmp	UPX
behavioral2/memory/3008-519-0x00007FF6DE0D0000-0x00007FF6DE4C1000-memory.dmp	UPX
behavioral2/memory/3840-665-0x00007FF6D2880000-0x00007FF6D2C71000-memory.dmp	UPX
behavioral2/memory/2212-667-0x00007FF60FAA0000-0x00007FF60FE91000-memory.dmp	UPX
behavioral2/memory/1168-670-0x00007FF688030000-0x00007FF688421000-memory.dmp	UPX
behavioral2/memory/1880-671-0x00007FF725C20000-0x00007FF726011000-memory.dmp	UPX
behavioral2/memory/3632-673-0x00007FF6A8890000-0x00007FF6A8C81000-memory.dmp	UPX
behavioral2/memory/4960-675-0x00007FF600EE0000-0x00007FF6012D1000-memory.dmp	UPX
behavioral2/memory/3064-678-0x00007FF78F9C0000-0x00007FF78FDB1000-memory.dmp	UPX
behavioral2/memory/4980-681-0x00007FF6362E0000-0x00007FF6366D1000-memory.dmp	UPX
behavioral2/memory/320-682-0x00007FF695C00000-0x00007FF695FF1000-memory.dmp	UPX
behavioral2/memory/4796-680-0x00007FF6D4A20000-0x00007FF6D4E11000-memory.dmp	UPX
behavioral2/memory/2840-679-0x00007FF66CAF0000-0x00007FF66CEE1000-memory.dmp	UPX
behavioral2/memory/5072-677-0x00007FF6865B0000-0x00007FF6869A1000-memory.dmp	UPX
behavioral2/memory/2484-676-0x00007FF69BE70000-0x00007FF69C261000-memory.dmp	UPX
behavioral2/memory/2552-674-0x00007FF7B6780000-0x00007FF7B6B71000-memory.dmp	UPX
behavioral2/memory/3440-672-0x00007FF6C2F80000-0x00007FF6C3371000-memory.dmp	UPX
behavioral2/memory/3088-669-0x00007FF7067D0000-0x00007FF706BC1000-memory.dmp	UPX
behavioral2/memory/2312-668-0x00007FF698110000-0x00007FF698501000-memory.dmp	UPX
behavioral2/memory/1548-666-0x00007FF6D4F70000-0x00007FF6D5361000-memory.dmp	UPX
behavioral2/memory/4304-514-0x00007FF773500000-0x00007FF7738F1000-memory.dmp	UPX

XMRig Miner payload 63 IoCs

miner

resource	yara_rule
behavioral2/memory/4588-14-0x00007FF62C560000-0x00007FF62C951000-memory.dmp	xmrig
behavioral2/memory/3552-51-0x00007FF747F50000-0x00007FF748341000-memory.dmp	xmrig
behavioral2/memory/1396-299-0x00007FF740260000-0x00007FF740651000-memory.dmp	xmrig
behavioral2/memory/940-300-0x00007FF6F85D0000-0x00007FF6F89C1000-memory.dmp	xmrig
behavioral2/memory/2432-301-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	xmrig
behavioral2/memory/2788-303-0x00007FF7BF7E0000-0x00007FF7BFBD1000-memory.dmp	xmrig
behavioral2/memory/2640-302-0x00007FF6FDD70000-0x00007FF6FE161000-memory.dmp	xmrig
behavioral2/memory/1468-305-0x00007FF7A1E40000-0x00007FF7A2231000-memory.dmp	xmrig
behavioral2/memory/3672-304-0x00007FF6CD200000-0x00007FF6CD5F1000-memory.dmp	xmrig
behavioral2/memory/2376-306-0x00007FF7554F0000-0x00007FF7558E1000-memory.dmp	xmrig
behavioral2/memory/3464-326-0x00007FF6B51F0000-0x00007FF6B55E1000-memory.dmp	xmrig
behavioral2/memory/1308-333-0x00007FF7D7960000-0x00007FF7D7D51000-memory.dmp	xmrig
behavioral2/memory/1788-344-0x00007FF6FBD60000-0x00007FF6FC151000-memory.dmp	xmrig
behavioral2/memory/1016-355-0x00007FF7512C0000-0x00007FF7516B1000-memory.dmp	xmrig
behavioral2/memory/4648-367-0x00007FF795810000-0x00007FF795C01000-memory.dmp	xmrig
behavioral2/memory/4916-380-0x00007FF7D5BC0000-0x00007FF7D5FB1000-memory.dmp	xmrig
behavioral2/memory/1944-388-0x00007FF60D690000-0x00007FF60DA81000-memory.dmp	xmrig
behavioral2/memory/2796-420-0x00007FF729CB0000-0x00007FF72A0A1000-memory.dmp	xmrig
behavioral2/memory/1480-433-0x00007FF712F40000-0x00007FF713331000-memory.dmp	xmrig
behavioral2/memory/2956-440-0x00007FF6BE0A0000-0x00007FF6BE491000-memory.dmp	xmrig
behavioral2/memory/436-449-0x00007FF7D3240000-0x00007FF7D3631000-memory.dmp	xmrig
behavioral2/memory/1464-467-0x00007FF7A8CA0000-0x00007FF7A9091000-memory.dmp	xmrig
behavioral2/memory/4616-475-0x00007FF681B20000-0x00007FF681F11000-memory.dmp	xmrig
behavioral2/memory/3512-487-0x00007FF71B120000-0x00007FF71B511000-memory.dmp	xmrig
behavioral2/memory/3524-504-0x00007FF72BFA0000-0x00007FF72C391000-memory.dmp	xmrig
behavioral2/memory/3008-519-0x00007FF6DE0D0000-0x00007FF6DE4C1000-memory.dmp	xmrig
behavioral2/memory/3840-665-0x00007FF6D2880000-0x00007FF6D2C71000-memory.dmp	xmrig
behavioral2/memory/2212-667-0x00007FF60FAA0000-0x00007FF60FE91000-memory.dmp	xmrig
behavioral2/memory/1168-670-0x00007FF688030000-0x00007FF688421000-memory.dmp	xmrig
behavioral2/memory/1880-671-0x00007FF725C20000-0x00007FF726011000-memory.dmp	xmrig
behavioral2/memory/3632-673-0x00007FF6A8890000-0x00007FF6A8C81000-memory.dmp	xmrig
behavioral2/memory/4960-675-0x00007FF600EE0000-0x00007FF6012D1000-memory.dmp	xmrig
behavioral2/memory/3064-678-0x00007FF78F9C0000-0x00007FF78FDB1000-memory.dmp	xmrig
behavioral2/memory/4980-681-0x00007FF6362E0000-0x00007FF6366D1000-memory.dmp	xmrig
behavioral2/memory/320-682-0x00007FF695C00000-0x00007FF695FF1000-memory.dmp	xmrig
behavioral2/memory/4796-680-0x00007FF6D4A20000-0x00007FF6D4E11000-memory.dmp	xmrig
behavioral2/memory/2840-679-0x00007FF66CAF0000-0x00007FF66CEE1000-memory.dmp	xmrig
behavioral2/memory/5072-677-0x00007FF6865B0000-0x00007FF6869A1000-memory.dmp	xmrig
behavioral2/memory/2484-676-0x00007FF69BE70000-0x00007FF69C261000-memory.dmp	xmrig
behavioral2/memory/2552-674-0x00007FF7B6780000-0x00007FF7B6B71000-memory.dmp	xmrig
behavioral2/memory/3440-672-0x00007FF6C2F80000-0x00007FF6C3371000-memory.dmp	xmrig
behavioral2/memory/3088-669-0x00007FF7067D0000-0x00007FF706BC1000-memory.dmp	xmrig
behavioral2/memory/2312-668-0x00007FF698110000-0x00007FF698501000-memory.dmp	xmrig
behavioral2/memory/1548-666-0x00007FF6D4F70000-0x00007FF6D5361000-memory.dmp	xmrig
behavioral2/memory/4304-514-0x00007FF773500000-0x00007FF7738F1000-memory.dmp	xmrig
behavioral2/memory/3828-506-0x00007FF63D280000-0x00007FF63D671000-memory.dmp	xmrig
behavioral2/memory/5068-492-0x00007FF76B2E0000-0x00007FF76B6D1000-memory.dmp	xmrig
behavioral2/memory/852-489-0x00007FF6EA3F0000-0x00007FF6EA7E1000-memory.dmp	xmrig
behavioral2/memory/4864-484-0x00007FF6A3B50000-0x00007FF6A3F41000-memory.dmp	xmrig
behavioral2/memory/2324-478-0x00007FF730350000-0x00007FF730741000-memory.dmp	xmrig
behavioral2/memory/4240-462-0x00007FF738F60000-0x00007FF739351000-memory.dmp	xmrig
behavioral2/memory/4976-446-0x00007FF728190000-0x00007FF728581000-memory.dmp	xmrig
behavioral2/memory/4920-414-0x00007FF6AC430000-0x00007FF6AC821000-memory.dmp	xmrig
behavioral2/memory/2716-396-0x00007FF683340000-0x00007FF683731000-memory.dmp	xmrig
behavioral2/memory/2800-375-0x00007FF7CC8D0000-0x00007FF7CCCC1000-memory.dmp	xmrig
behavioral2/memory/572-363-0x00007FF706E10000-0x00007FF707201000-memory.dmp	xmrig
behavioral2/memory/3140-351-0x00007FF6CF8F0000-0x00007FF6CFCE1000-memory.dmp	xmrig
behavioral2/memory/1568-317-0x00007FF764A00000-0x00007FF764DF1000-memory.dmp	xmrig
behavioral2/memory/3924-57-0x00007FF7F1060000-0x00007FF7F1451000-memory.dmp	xmrig
behavioral2/memory/3724-46-0x00007FF6D55D0000-0x00007FF6D59C1000-memory.dmp	xmrig
behavioral2/memory/3408-42-0x00007FF652B90000-0x00007FF652F81000-memory.dmp	xmrig
behavioral2/memory/2524-38-0x00007FF789260000-0x00007FF789651000-memory.dmp	xmrig
behavioral2/memory/4896-22-0x00007FF739E00000-0x00007FF73A1F1000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4588	IsVCADb.exe
4896	lvTKjts.exe
2524	btFiYin.exe
3924	HNHICWS.exe
1396	xXXNFeW.exe
3408	hLrVcZD.exe
3724	oEsuXtu.exe
3552	veHboPr.exe
940	RKYsdmn.exe
3776	TXVPJCZ.exe
2432	xMVtVBu.exe
2640	vwNnmiR.exe
2788	ogGwvPK.exe
3672	uiWAHXW.exe
1468	UtJybbZ.exe
2376	dnRlABY.exe
1568	KJpAIJK.exe
3464	sPDPDPI.exe
1308	uuTWGwA.exe
1788	PSOUvll.exe
3140	SegYpHE.exe
1016	YttrULc.exe
572	vYUVrlT.exe
4648	SFGYnYN.exe
2800	ctHfolz.exe
4916	IgOXRFb.exe
1944	IkWFLUz.exe
2716	VswWkEQ.exe
4920	BzFBSRa.exe
2796	ijiOUaV.exe
1480	nTROHKa.exe
2956	MtgTjue.exe
4976	gidALCm.exe
436	eikKHlq.exe
4240	bIkzQdS.exe
1464	aqcOLxo.exe
4616	tkpScvw.exe
2324	djfXRXY.exe
4864	TOEpsZD.exe
3512	HkMJxGu.exe
852	aiuYnob.exe
5068	eNstrUr.exe
3524	lNNaVCz.exe
3828	pvshYvc.exe
4304	myxtykp.exe
3008	htPhPlt.exe
3840	TZuOooR.exe
1548	PMVOaql.exe
2212	oQDQIpg.exe
2312	dHoFGOp.exe
3088	zzTdHkI.exe
1168	CQLpKGc.exe
1880	RcfTZnr.exe
3440	uicAZPw.exe
3632	XnajLGV.exe
2552	DszIHWw.exe
4960	hFtgeTa.exe
2484	VmJtWcx.exe
5072	xtSbruw.exe
3064	ypzkPZL.exe
2840	fPYYMVd.exe
4796	PXsxsFP.exe
4980	sHVBFBF.exe
320	IHkFNxU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1416-0-0x00007FF72D3D0000-0x00007FF72D7C1000-memory.dmp	upx
behavioral2/files/0x000400000001e5eb-5.dat	upx
behavioral2/files/0x0008000000023226-8.dat	upx
behavioral2/memory/4588-14-0x00007FF62C560000-0x00007FF62C951000-memory.dmp	upx
behavioral2/files/0x000900000002321f-11.dat	upx
behavioral2/files/0x000700000002322a-18.dat	upx
behavioral2/files/0x000700000002322a-25.dat	upx
behavioral2/files/0x000700000002322b-34.dat	upx
behavioral2/files/0x000700000002322c-36.dat	upx
behavioral2/files/0x000700000002322e-40.dat	upx
behavioral2/files/0x000700000002322d-43.dat	upx
behavioral2/memory/3552-51-0x00007FF747F50000-0x00007FF748341000-memory.dmp	upx
behavioral2/files/0x000700000002322f-53.dat	upx
behavioral2/files/0x0008000000023227-68.dat	upx
behavioral2/files/0x0007000000023232-73.dat	upx
behavioral2/files/0x0007000000023234-81.dat	upx
behavioral2/files/0x0007000000023239-108.dat	upx
behavioral2/files/0x000700000002323e-134.dat	upx
behavioral2/files/0x0007000000023241-148.dat	upx
behavioral2/files/0x0007000000023243-158.dat	upx
behavioral2/files/0x0007000000023245-169.dat	upx
behavioral2/memory/1396-299-0x00007FF740260000-0x00007FF740651000-memory.dmp	upx
behavioral2/memory/940-300-0x00007FF6F85D0000-0x00007FF6F89C1000-memory.dmp	upx
behavioral2/memory/2432-301-0x00007FF64B510000-0x00007FF64B901000-memory.dmp	upx
behavioral2/memory/2788-303-0x00007FF7BF7E0000-0x00007FF7BFBD1000-memory.dmp	upx
behavioral2/memory/2640-302-0x00007FF6FDD70000-0x00007FF6FE161000-memory.dmp	upx
behavioral2/memory/1468-305-0x00007FF7A1E40000-0x00007FF7A2231000-memory.dmp	upx
behavioral2/memory/3672-304-0x00007FF6CD200000-0x00007FF6CD5F1000-memory.dmp	upx
behavioral2/memory/2376-306-0x00007FF7554F0000-0x00007FF7558E1000-memory.dmp	upx
behavioral2/memory/3464-326-0x00007FF6B51F0000-0x00007FF6B55E1000-memory.dmp	upx
behavioral2/memory/1308-333-0x00007FF7D7960000-0x00007FF7D7D51000-memory.dmp	upx
behavioral2/memory/1788-344-0x00007FF6FBD60000-0x00007FF6FC151000-memory.dmp	upx
behavioral2/memory/1016-355-0x00007FF7512C0000-0x00007FF7516B1000-memory.dmp	upx
behavioral2/memory/4648-367-0x00007FF795810000-0x00007FF795C01000-memory.dmp	upx
behavioral2/memory/4916-380-0x00007FF7D5BC0000-0x00007FF7D5FB1000-memory.dmp	upx
behavioral2/memory/1944-388-0x00007FF60D690000-0x00007FF60DA81000-memory.dmp	upx
behavioral2/memory/2796-420-0x00007FF729CB0000-0x00007FF72A0A1000-memory.dmp	upx
behavioral2/memory/1480-433-0x00007FF712F40000-0x00007FF713331000-memory.dmp	upx
behavioral2/memory/2956-440-0x00007FF6BE0A0000-0x00007FF6BE491000-memory.dmp	upx
behavioral2/memory/436-449-0x00007FF7D3240000-0x00007FF7D3631000-memory.dmp	upx
behavioral2/memory/1464-467-0x00007FF7A8CA0000-0x00007FF7A9091000-memory.dmp	upx
behavioral2/memory/4616-475-0x00007FF681B20000-0x00007FF681F11000-memory.dmp	upx
behavioral2/memory/3512-487-0x00007FF71B120000-0x00007FF71B511000-memory.dmp	upx
behavioral2/memory/3524-504-0x00007FF72BFA0000-0x00007FF72C391000-memory.dmp	upx
behavioral2/memory/3008-519-0x00007FF6DE0D0000-0x00007FF6DE4C1000-memory.dmp	upx
behavioral2/memory/3840-665-0x00007FF6D2880000-0x00007FF6D2C71000-memory.dmp	upx
behavioral2/memory/2212-667-0x00007FF60FAA0000-0x00007FF60FE91000-memory.dmp	upx
behavioral2/memory/1168-670-0x00007FF688030000-0x00007FF688421000-memory.dmp	upx
behavioral2/memory/1880-671-0x00007FF725C20000-0x00007FF726011000-memory.dmp	upx
behavioral2/memory/3632-673-0x00007FF6A8890000-0x00007FF6A8C81000-memory.dmp	upx
behavioral2/memory/4960-675-0x00007FF600EE0000-0x00007FF6012D1000-memory.dmp	upx
behavioral2/memory/3064-678-0x00007FF78F9C0000-0x00007FF78FDB1000-memory.dmp	upx
behavioral2/memory/4980-681-0x00007FF6362E0000-0x00007FF6366D1000-memory.dmp	upx
behavioral2/memory/320-682-0x00007FF695C00000-0x00007FF695FF1000-memory.dmp	upx
behavioral2/memory/4796-680-0x00007FF6D4A20000-0x00007FF6D4E11000-memory.dmp	upx
behavioral2/memory/2840-679-0x00007FF66CAF0000-0x00007FF66CEE1000-memory.dmp	upx
behavioral2/memory/5072-677-0x00007FF6865B0000-0x00007FF6869A1000-memory.dmp	upx
behavioral2/memory/2484-676-0x00007FF69BE70000-0x00007FF69C261000-memory.dmp	upx
behavioral2/memory/2552-674-0x00007FF7B6780000-0x00007FF7B6B71000-memory.dmp	upx
behavioral2/memory/3440-672-0x00007FF6C2F80000-0x00007FF6C3371000-memory.dmp	upx
behavioral2/memory/3088-669-0x00007FF7067D0000-0x00007FF706BC1000-memory.dmp	upx
behavioral2/memory/2312-668-0x00007FF698110000-0x00007FF698501000-memory.dmp	upx
behavioral2/memory/1548-666-0x00007FF6D4F70000-0x00007FF6D5361000-memory.dmp	upx
behavioral2/memory/4304-514-0x00007FF773500000-0x00007FF7738F1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\gROiiZS.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\ZfLUPLe.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\zFEkmUv.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\IkWFLUz.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\tkpScvw.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\bvHEkOs.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\WDKTnTZ.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\RRLvoFi.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\CQLpKGc.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\XnajLGV.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\jxOKspE.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\TOEpsZD.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\vtFPDcp.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\oSKSgvL.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\CFdEkjH.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\gjAQIwg.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\HOKsccn.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\LJNbcmh.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\VkgtbmL.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\qlOshPS.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\WJNtejm.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\CrnCJjD.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\tUxEscj.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\BnGVCiE.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\ogGwvPK.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\QNsvsTF.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\SESRmNk.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\oFrfHgC.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\cknhmhO.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\GxUdsCv.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\xnZcQcg.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\SqBQJtS.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\GuZjuAx.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\mXIONAu.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\fdsWEzF.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\zzTdHkI.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\vtWZtzz.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\wAlNCdZ.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\IgOXRFb.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\yrMHOQS.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\BolVERi.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\wAYXcSZ.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\kkUwxhi.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\drdPEaZ.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\POmYPAm.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\eyhsorg.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\IsVCADb.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\axhosFU.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\BDppvol.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\xbHQSfz.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\oMozOnc.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\YdyRzwj.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\BzFBSRa.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\XjCSCFw.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\IWRRmDY.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\mTNNEYP.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\ipwGcGW.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\BwtbXMb.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\uZUNvom.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\oyZvpWp.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\DaJmGCF.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\adVzkQV.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\DszIHWw.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
File created	C:\Windows\System32\PULjxJR.exe	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{347BF3F5-5BBA-44DD-BF85-0A1DFCAA240C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{77264EE2-5B4A-48F7-A4EA-9651106C45B0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{932C13C4-1E76-4258-AC34-723F686513BC}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{3514ECD7-8D78-4D66-BD3D-DAF4EB405053}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	940	explorer.exe
Token: SeCreatePagefilePrivilege	940	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	2164	explorer.exe
Token: SeCreatePagefilePrivilege	2164	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe
Token: SeShutdownPrivilege	10048	explorer.exe
Token: SeCreatePagefilePrivilege	10048	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
9744	sihost.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
940	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
10048	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe
9680	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
9384	StartMenuExperienceHost.exe
5140	StartMenuExperienceHost.exe
3160	SearchApp.exe
6816	StartMenuExperienceHost.exe
4136	SearchApp.exe
6796	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4588	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	89
PID 1416 wrote to memory of 4588	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	89
PID 1416 wrote to memory of 4896	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	90
PID 1416 wrote to memory of 4896	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	90
PID 1416 wrote to memory of 2524	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	91
PID 1416 wrote to memory of 2524	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	91
PID 1416 wrote to memory of 3924	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	92
PID 1416 wrote to memory of 3924	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	92
PID 1416 wrote to memory of 1396	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	93
PID 1416 wrote to memory of 1396	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	93
PID 1416 wrote to memory of 3408	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	94
PID 1416 wrote to memory of 3408	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	94
PID 1416 wrote to memory of 3724	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	95
PID 1416 wrote to memory of 3724	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	95
PID 1416 wrote to memory of 3552	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	96
PID 1416 wrote to memory of 3552	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	96
PID 1416 wrote to memory of 940	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	97
PID 1416 wrote to memory of 940	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	97
PID 1416 wrote to memory of 3776	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	98
PID 1416 wrote to memory of 3776	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	98
PID 1416 wrote to memory of 2432	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	99
PID 1416 wrote to memory of 2432	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	99
PID 1416 wrote to memory of 2640	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	100
PID 1416 wrote to memory of 2640	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	100
PID 1416 wrote to memory of 2788	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	101
PID 1416 wrote to memory of 2788	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	101
PID 1416 wrote to memory of 3672	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	102
PID 1416 wrote to memory of 3672	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	102
PID 1416 wrote to memory of 1468	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	103
PID 1416 wrote to memory of 1468	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	103
PID 1416 wrote to memory of 2376	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	104
PID 1416 wrote to memory of 2376	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	104
PID 1416 wrote to memory of 1568	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	105
PID 1416 wrote to memory of 1568	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	105
PID 1416 wrote to memory of 3464	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	106
PID 1416 wrote to memory of 3464	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	106
PID 1416 wrote to memory of 1308	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	107
PID 1416 wrote to memory of 1308	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	107
PID 1416 wrote to memory of 1788	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	108
PID 1416 wrote to memory of 1788	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	108
PID 1416 wrote to memory of 3140	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	109
PID 1416 wrote to memory of 3140	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	109
PID 1416 wrote to memory of 1016	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	110
PID 1416 wrote to memory of 1016	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	110
PID 1416 wrote to memory of 572	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	111
PID 1416 wrote to memory of 572	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	111
PID 1416 wrote to memory of 4648	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	112
PID 1416 wrote to memory of 4648	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	112
PID 1416 wrote to memory of 2800	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	113
PID 1416 wrote to memory of 2800	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	113
PID 1416 wrote to memory of 4916	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	114
PID 1416 wrote to memory of 4916	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	114
PID 1416 wrote to memory of 1944	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	115
PID 1416 wrote to memory of 1944	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	115
PID 1416 wrote to memory of 2716	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	116
PID 1416 wrote to memory of 2716	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	116
PID 1416 wrote to memory of 4920	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	117
PID 1416 wrote to memory of 4920	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	117
PID 1416 wrote to memory of 2796	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	118
PID 1416 wrote to memory of 2796	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	118
PID 1416 wrote to memory of 1480	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	119
PID 1416 wrote to memory of 1480	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	119
PID 1416 wrote to memory of 2956	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	120
PID 1416 wrote to memory of 2956	1416	75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe
"C:\Users\Admin\AppData\Local\Temp\75e7906645d60fd19bf4f06251b4e7d1789da440b145383752944fb78927db2c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\IsVCADb.exe
  C:\Windows\System32\IsVCADb.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\lvTKjts.exe
  C:\Windows\System32\lvTKjts.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\btFiYin.exe
  C:\Windows\System32\btFiYin.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\HNHICWS.exe
  C:\Windows\System32\HNHICWS.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\xXXNFeW.exe
  C:\Windows\System32\xXXNFeW.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System32\hLrVcZD.exe
  C:\Windows\System32\hLrVcZD.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\oEsuXtu.exe
  C:\Windows\System32\oEsuXtu.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\veHboPr.exe
  C:\Windows\System32\veHboPr.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\RKYsdmn.exe
  C:\Windows\System32\RKYsdmn.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System32\TXVPJCZ.exe
  C:\Windows\System32\TXVPJCZ.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\xMVtVBu.exe
  C:\Windows\System32\xMVtVBu.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System32\vwNnmiR.exe
  C:\Windows\System32\vwNnmiR.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System32\ogGwvPK.exe
  C:\Windows\System32\ogGwvPK.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\uiWAHXW.exe
  C:\Windows\System32\uiWAHXW.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\UtJybbZ.exe
  C:\Windows\System32\UtJybbZ.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System32\dnRlABY.exe
  C:\Windows\System32\dnRlABY.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System32\KJpAIJK.exe
  C:\Windows\System32\KJpAIJK.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\sPDPDPI.exe
  C:\Windows\System32\sPDPDPI.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\uuTWGwA.exe
  C:\Windows\System32\uuTWGwA.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\PSOUvll.exe
  C:\Windows\System32\PSOUvll.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\SegYpHE.exe
  C:\Windows\System32\SegYpHE.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\YttrULc.exe
  C:\Windows\System32\YttrULc.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\vYUVrlT.exe
  C:\Windows\System32\vYUVrlT.exe
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\System32\SFGYnYN.exe
  C:\Windows\System32\SFGYnYN.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System32\ctHfolz.exe
  C:\Windows\System32\ctHfolz.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System32\IgOXRFb.exe
  C:\Windows\System32\IgOXRFb.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\IkWFLUz.exe
  C:\Windows\System32\IkWFLUz.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\VswWkEQ.exe
  C:\Windows\System32\VswWkEQ.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\BzFBSRa.exe
  C:\Windows\System32\BzFBSRa.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\ijiOUaV.exe
  C:\Windows\System32\ijiOUaV.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\nTROHKa.exe
  C:\Windows\System32\nTROHKa.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System32\MtgTjue.exe
  C:\Windows\System32\MtgTjue.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\gidALCm.exe
  C:\Windows\System32\gidALCm.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\eikKHlq.exe
  C:\Windows\System32\eikKHlq.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System32\bIkzQdS.exe
  C:\Windows\System32\bIkzQdS.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\aqcOLxo.exe
  C:\Windows\System32\aqcOLxo.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\tkpScvw.exe
  C:\Windows\System32\tkpScvw.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\djfXRXY.exe
  C:\Windows\System32\djfXRXY.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\TOEpsZD.exe
  C:\Windows\System32\TOEpsZD.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\HkMJxGu.exe
  C:\Windows\System32\HkMJxGu.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System32\aiuYnob.exe
  C:\Windows\System32\aiuYnob.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\eNstrUr.exe
  C:\Windows\System32\eNstrUr.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\lNNaVCz.exe
  C:\Windows\System32\lNNaVCz.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\pvshYvc.exe
  C:\Windows\System32\pvshYvc.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\myxtykp.exe
  C:\Windows\System32\myxtykp.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\htPhPlt.exe
  C:\Windows\System32\htPhPlt.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\TZuOooR.exe
  C:\Windows\System32\TZuOooR.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System32\PMVOaql.exe
  C:\Windows\System32\PMVOaql.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System32\oQDQIpg.exe
  C:\Windows\System32\oQDQIpg.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\dHoFGOp.exe
  C:\Windows\System32\dHoFGOp.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\zzTdHkI.exe
  C:\Windows\System32\zzTdHkI.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\CQLpKGc.exe
  C:\Windows\System32\CQLpKGc.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System32\RcfTZnr.exe
  C:\Windows\System32\RcfTZnr.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System32\uicAZPw.exe
  C:\Windows\System32\uicAZPw.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\XnajLGV.exe
  C:\Windows\System32\XnajLGV.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\DszIHWw.exe
  C:\Windows\System32\DszIHWw.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\hFtgeTa.exe
  C:\Windows\System32\hFtgeTa.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\VmJtWcx.exe
  C:\Windows\System32\VmJtWcx.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\xtSbruw.exe
  C:\Windows\System32\xtSbruw.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System32\ypzkPZL.exe
  C:\Windows\System32\ypzkPZL.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\fPYYMVd.exe
  C:\Windows\System32\fPYYMVd.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\PXsxsFP.exe
  C:\Windows\System32\PXsxsFP.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\sHVBFBF.exe
  C:\Windows\System32\sHVBFBF.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\IHkFNxU.exe
  C:\Windows\System32\IHkFNxU.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System32\ySMvYEw.exe
  C:\Windows\System32\ySMvYEw.exe
  2⤵
  PID:4652
- C:\Windows\System32\lkWsSvo.exe
  C:\Windows\System32\lkWsSvo.exe
  2⤵
  PID:3404
- C:\Windows\System32\svLnzMH.exe
  C:\Windows\System32\svLnzMH.exe
  2⤵
  PID:1924
- C:\Windows\System32\AcIJrMv.exe
  C:\Windows\System32\AcIJrMv.exe
  2⤵
  PID:3732
- C:\Windows\System32\PULjxJR.exe
  C:\Windows\System32\PULjxJR.exe
  2⤵
  PID:3092
- C:\Windows\System32\bZebIKN.exe
  C:\Windows\System32\bZebIKN.exe
  2⤵
  PID:4768
- C:\Windows\System32\vtWZtzz.exe
  C:\Windows\System32\vtWZtzz.exe
  2⤵
  PID:1164
- C:\Windows\System32\AIQubZb.exe
  C:\Windows\System32\AIQubZb.exe
  2⤵
  PID:380
- C:\Windows\System32\vyBIInE.exe
  C:\Windows\System32\vyBIInE.exe
  2⤵
  PID:3504
- C:\Windows\System32\lMDYpab.exe
  C:\Windows\System32\lMDYpab.exe
  2⤵
  PID:1560
- C:\Windows\System32\XREkDsj.exe
  C:\Windows\System32\XREkDsj.exe
  2⤵
  PID:1080
- C:\Windows\System32\VGOqzcT.exe
  C:\Windows\System32\VGOqzcT.exe
  2⤵
  PID:2244
- C:\Windows\System32\iMFDcPp.exe
  C:\Windows\System32\iMFDcPp.exe
  2⤵
  PID:720
- C:\Windows\System32\DeUpsvW.exe
  C:\Windows\System32\DeUpsvW.exe
  2⤵
  PID:3600
- C:\Windows\System32\agkNpDb.exe
  C:\Windows\System32\agkNpDb.exe
  2⤵
  PID:2964
- C:\Windows\System32\kCpIreL.exe
  C:\Windows\System32\kCpIreL.exe
  2⤵
  PID:2208
- C:\Windows\System32\vdwbYvo.exe
  C:\Windows\System32\vdwbYvo.exe
  2⤵
  PID:1460
- C:\Windows\System32\fVTGuZc.exe
  C:\Windows\System32\fVTGuZc.exe
  2⤵
  PID:4912
- C:\Windows\System32\tqwCEkj.exe
  C:\Windows\System32\tqwCEkj.exe
  2⤵
  PID:4892
- C:\Windows\System32\lFphGmd.exe
  C:\Windows\System32\lFphGmd.exe
  2⤵
  PID:4968
- C:\Windows\System32\PjYylCv.exe
  C:\Windows\System32\PjYylCv.exe
  2⤵
  PID:3016
- C:\Windows\System32\VGFcLZX.exe
  C:\Windows\System32\VGFcLZX.exe
  2⤵
  PID:1184
- C:\Windows\System32\DxwnSRB.exe
  C:\Windows\System32\DxwnSRB.exe
  2⤵
  PID:4984
- C:\Windows\System32\ewYRGBP.exe
  C:\Windows\System32\ewYRGBP.exe
  2⤵
  PID:2688
- C:\Windows\System32\vtFPDcp.exe
  C:\Windows\System32\vtFPDcp.exe
  2⤵
  PID:1408
- C:\Windows\System32\XjCSCFw.exe
  C:\Windows\System32\XjCSCFw.exe
  2⤵
  PID:5128
- C:\Windows\System32\qrnjSEW.exe
  C:\Windows\System32\qrnjSEW.exe
  2⤵
  PID:5160
- C:\Windows\System32\fxfMRvj.exe
  C:\Windows\System32\fxfMRvj.exe
  2⤵
  PID:5224
- C:\Windows\System32\OABZXVi.exe
  C:\Windows\System32\OABZXVi.exe
  2⤵
  PID:5252
- C:\Windows\System32\grlyeEU.exe
  C:\Windows\System32\grlyeEU.exe
  2⤵
  PID:5300
- C:\Windows\System32\oEgpFPd.exe
  C:\Windows\System32\oEgpFPd.exe
  2⤵
  PID:5324
- C:\Windows\System32\SIkHxyS.exe
  C:\Windows\System32\SIkHxyS.exe
  2⤵
  PID:5344
- C:\Windows\System32\qPSsAOq.exe
  C:\Windows\System32\qPSsAOq.exe
  2⤵
  PID:5364
- C:\Windows\System32\bPvNUkG.exe
  C:\Windows\System32\bPvNUkG.exe
  2⤵
  PID:5424
- C:\Windows\System32\pNjoSIA.exe
  C:\Windows\System32\pNjoSIA.exe
  2⤵
  PID:5444
- C:\Windows\System32\PQsuRTN.exe
  C:\Windows\System32\PQsuRTN.exe
  2⤵
  PID:5460
- C:\Windows\System32\TfzjomJ.exe
  C:\Windows\System32\TfzjomJ.exe
  2⤵
  PID:5496
- C:\Windows\System32\LMZByEW.exe
  C:\Windows\System32\LMZByEW.exe
  2⤵
  PID:5516
- C:\Windows\System32\hVLqRtB.exe
  C:\Windows\System32\hVLqRtB.exe
  2⤵
  PID:5536
- C:\Windows\System32\ZBmhjFb.exe
  C:\Windows\System32\ZBmhjFb.exe
  2⤵
  PID:5552
- C:\Windows\System32\ockaFCB.exe
  C:\Windows\System32\ockaFCB.exe
  2⤵
  PID:5576
- C:\Windows\System32\MAoAHDF.exe
  C:\Windows\System32\MAoAHDF.exe
  2⤵
  PID:5596
- C:\Windows\System32\uIuUHQD.exe
  C:\Windows\System32\uIuUHQD.exe
  2⤵
  PID:5612
- C:\Windows\System32\CBbZsTE.exe
  C:\Windows\System32\CBbZsTE.exe
  2⤵
  PID:5632
- C:\Windows\System32\dyshWpt.exe
  C:\Windows\System32\dyshWpt.exe
  2⤵
  PID:5648
- C:\Windows\System32\JahjInQ.exe
  C:\Windows\System32\JahjInQ.exe
  2⤵
  PID:5668
- C:\Windows\System32\techMUS.exe
  C:\Windows\System32\techMUS.exe
  2⤵
  PID:5736
- C:\Windows\System32\dFnAxSD.exe
  C:\Windows\System32\dFnAxSD.exe
  2⤵
  PID:5816
- C:\Windows\System32\WuhzVXW.exe
  C:\Windows\System32\WuhzVXW.exe
  2⤵
  PID:5832
- C:\Windows\System32\uZUNvom.exe
  C:\Windows\System32\uZUNvom.exe
  2⤵
  PID:5860
- C:\Windows\System32\fjMyzdp.exe
  C:\Windows\System32\fjMyzdp.exe
  2⤵
  PID:5940
- C:\Windows\System32\IWRRmDY.exe
  C:\Windows\System32\IWRRmDY.exe
  2⤵
  PID:5968
- C:\Windows\System32\tQxvJwF.exe
  C:\Windows\System32\tQxvJwF.exe
  2⤵
  PID:5984
- C:\Windows\System32\LWfsFhA.exe
  C:\Windows\System32\LWfsFhA.exe
  2⤵
  PID:6012
- C:\Windows\System32\FhqHBsC.exe
  C:\Windows\System32\FhqHBsC.exe
  2⤵
  PID:6052
- C:\Windows\System32\pHJRBAi.exe
  C:\Windows\System32\pHJRBAi.exe
  2⤵
  PID:6072
- C:\Windows\System32\umBWFEu.exe
  C:\Windows\System32\umBWFEu.exe
  2⤵
  PID:6092
- C:\Windows\System32\fXLKUHK.exe
  C:\Windows\System32\fXLKUHK.exe
  2⤵
  PID:6108
- C:\Windows\System32\rSpzaVW.exe
  C:\Windows\System32\rSpzaVW.exe
  2⤵
  PID:6124
- C:\Windows\System32\bvHEkOs.exe
  C:\Windows\System32\bvHEkOs.exe
  2⤵
  PID:6140
- C:\Windows\System32\GUMsspO.exe
  C:\Windows\System32\GUMsspO.exe
  2⤵
  PID:4820
- C:\Windows\System32\izUXxeP.exe
  C:\Windows\System32\izUXxeP.exe
  2⤵
  PID:5232
- C:\Windows\System32\qHrrsuQ.exe
  C:\Windows\System32\qHrrsuQ.exe
  2⤵
  PID:5384
- C:\Windows\System32\FAicgQy.exe
  C:\Windows\System32\FAicgQy.exe
  2⤵
  PID:5412
- C:\Windows\System32\ltgnPZp.exe
  C:\Windows\System32\ltgnPZp.exe
  2⤵
  PID:5564
- C:\Windows\System32\ftwvKTF.exe
  C:\Windows\System32\ftwvKTF.exe
  2⤵
  PID:5620
- C:\Windows\System32\kAmywsR.exe
  C:\Windows\System32\kAmywsR.exe
  2⤵
  PID:5688
- C:\Windows\System32\MxTkaST.exe
  C:\Windows\System32\MxTkaST.exe
  2⤵
  PID:5716
- C:\Windows\System32\ENSOKfa.exe
  C:\Windows\System32\ENSOKfa.exe
  2⤵
  PID:5748
- C:\Windows\System32\SJrwuvU.exe
  C:\Windows\System32\SJrwuvU.exe
  2⤵
  PID:5916
- C:\Windows\System32\MBqHKVD.exe
  C:\Windows\System32\MBqHKVD.exe
  2⤵
  PID:5840
- C:\Windows\System32\TdZnjRl.exe
  C:\Windows\System32\TdZnjRl.exe
  2⤵
  PID:6028
- C:\Windows\System32\LcEvxTT.exe
  C:\Windows\System32\LcEvxTT.exe
  2⤵
  PID:6104
- C:\Windows\System32\apdxmbo.exe
  C:\Windows\System32\apdxmbo.exe
  2⤵
  PID:5352
- C:\Windows\System32\eHXodFG.exe
  C:\Windows\System32\eHXodFG.exe
  2⤵
  PID:5684
- C:\Windows\System32\LtqAyJk.exe
  C:\Windows\System32\LtqAyJk.exe
  2⤵
  PID:5744
- C:\Windows\System32\KEIHuhx.exe
  C:\Windows\System32\KEIHuhx.exe
  2⤵
  PID:5812
- C:\Windows\System32\JZisvsv.exe
  C:\Windows\System32\JZisvsv.exe
  2⤵
  PID:5220
- C:\Windows\System32\dMJYzvs.exe
  C:\Windows\System32\dMJYzvs.exe
  2⤵
  PID:5436
- C:\Windows\System32\axhosFU.exe
  C:\Windows\System32\axhosFU.exe
  2⤵
  PID:5532
- C:\Windows\System32\BXIamdN.exe
  C:\Windows\System32\BXIamdN.exe
  2⤵
  PID:5592
- C:\Windows\System32\dvjfyxn.exe
  C:\Windows\System32\dvjfyxn.exe
  2⤵
  PID:5760
- C:\Windows\System32\KvNoiah.exe
  C:\Windows\System32\KvNoiah.exe
  2⤵
  PID:6176
- C:\Windows\System32\XjuZvTY.exe
  C:\Windows\System32\XjuZvTY.exe
  2⤵
  PID:6192
- C:\Windows\System32\DJXCtuw.exe
  C:\Windows\System32\DJXCtuw.exe
  2⤵
  PID:6212
- C:\Windows\System32\qlOshPS.exe
  C:\Windows\System32\qlOshPS.exe
  2⤵
  PID:6232
- C:\Windows\System32\PIVxkxg.exe
  C:\Windows\System32\PIVxkxg.exe
  2⤵
  PID:6248
- C:\Windows\System32\FuGaOJe.exe
  C:\Windows\System32\FuGaOJe.exe
  2⤵
  PID:6332
- C:\Windows\System32\DrepZfP.exe
  C:\Windows\System32\DrepZfP.exe
  2⤵
  PID:6356
- C:\Windows\System32\oSKSgvL.exe
  C:\Windows\System32\oSKSgvL.exe
  2⤵
  PID:6376
- C:\Windows\System32\rKoVGNL.exe
  C:\Windows\System32\rKoVGNL.exe
  2⤵
  PID:6404
- C:\Windows\System32\ifUiBXm.exe
  C:\Windows\System32\ifUiBXm.exe
  2⤵
  PID:6424
- C:\Windows\System32\SxpWiOg.exe
  C:\Windows\System32\SxpWiOg.exe
  2⤵
  PID:6444
- C:\Windows\System32\WJNtejm.exe
  C:\Windows\System32\WJNtejm.exe
  2⤵
  PID:6464
- C:\Windows\System32\qLhPadn.exe
  C:\Windows\System32\qLhPadn.exe
  2⤵
  PID:6524
- C:\Windows\System32\WnjwBLb.exe
  C:\Windows\System32\WnjwBLb.exe
  2⤵
  PID:6608
- C:\Windows\System32\CFdEkjH.exe
  C:\Windows\System32\CFdEkjH.exe
  2⤵
  PID:6632
- C:\Windows\System32\SESRmNk.exe
  C:\Windows\System32\SESRmNk.exe
  2⤵
  PID:6648
- C:\Windows\System32\ufYbcyC.exe
  C:\Windows\System32\ufYbcyC.exe
  2⤵
  PID:6672
- C:\Windows\System32\wAlNCdZ.exe
  C:\Windows\System32\wAlNCdZ.exe
  2⤵
  PID:6688
- C:\Windows\System32\jSAtyjR.exe
  C:\Windows\System32\jSAtyjR.exe
  2⤵
  PID:6704
- C:\Windows\System32\aDgKJdA.exe
  C:\Windows\System32\aDgKJdA.exe
  2⤵
  PID:6720
- C:\Windows\System32\EhndtBr.exe
  C:\Windows\System32\EhndtBr.exe
  2⤵
  PID:6736
- C:\Windows\System32\SvCqNux.exe
  C:\Windows\System32\SvCqNux.exe
  2⤵
  PID:6752
- C:\Windows\System32\FbQqlFn.exe
  C:\Windows\System32\FbQqlFn.exe
  2⤵
  PID:6772
- C:\Windows\System32\gjAQIwg.exe
  C:\Windows\System32\gjAQIwg.exe
  2⤵
  PID:6788
- C:\Windows\System32\VIbihQo.exe
  C:\Windows\System32\VIbihQo.exe
  2⤵
  PID:6804
- C:\Windows\System32\juPZeKi.exe
  C:\Windows\System32\juPZeKi.exe
  2⤵
  PID:6876
- C:\Windows\System32\CGrxekm.exe
  C:\Windows\System32\CGrxekm.exe
  2⤵
  PID:6976
- C:\Windows\System32\FyAAjpi.exe
  C:\Windows\System32\FyAAjpi.exe
  2⤵
  PID:6992
- C:\Windows\System32\YafgGoA.exe
  C:\Windows\System32\YafgGoA.exe
  2⤵
  PID:7012
- C:\Windows\System32\yrMHOQS.exe
  C:\Windows\System32\yrMHOQS.exe
  2⤵
  PID:7104
- C:\Windows\System32\djFZQgb.exe
  C:\Windows\System32\djFZQgb.exe
  2⤵
  PID:6656
- C:\Windows\System32\JfEuORm.exe
  C:\Windows\System32\JfEuORm.exe
  2⤵
  PID:6604
- C:\Windows\System32\igxAbbr.exe
  C:\Windows\System32\igxAbbr.exe
  2⤵
  PID:6716
- C:\Windows\System32\mTNNEYP.exe
  C:\Windows\System32\mTNNEYP.exe
  2⤵
  PID:6844
- C:\Windows\System32\hnFGZMF.exe
  C:\Windows\System32\hnFGZMF.exe
  2⤵
  PID:6812
- C:\Windows\System32\NfrwMYz.exe
  C:\Windows\System32\NfrwMYz.exe
  2⤵
  PID:6728
- C:\Windows\System32\kSQiWLq.exe
  C:\Windows\System32\kSQiWLq.exe
  2⤵
  PID:6956
- C:\Windows\System32\tVmobEe.exe
  C:\Windows\System32\tVmobEe.exe
  2⤵
  PID:7068
- C:\Windows\System32\gROiiZS.exe
  C:\Windows\System32\gROiiZS.exe
  2⤵
  PID:7096
- C:\Windows\System32\wpUgylf.exe
  C:\Windows\System32\wpUgylf.exe
  2⤵
  PID:6160
- C:\Windows\System32\iXkgyWq.exe
  C:\Windows\System32\iXkgyWq.exe
  2⤵
  PID:6260
- C:\Windows\System32\knQzDIF.exe
  C:\Windows\System32\knQzDIF.exe
  2⤵
  PID:5288
- C:\Windows\System32\XhLuUsF.exe
  C:\Windows\System32\XhLuUsF.exe
  2⤵
  PID:6240
- C:\Windows\System32\CmlHxus.exe
  C:\Windows\System32\CmlHxus.exe
  2⤵
  PID:2816
- C:\Windows\System32\YNmovzm.exe
  C:\Windows\System32\YNmovzm.exe
  2⤵
  PID:4808
- C:\Windows\System32\oFrfHgC.exe
  C:\Windows\System32\oFrfHgC.exe
  2⤵
  PID:4392
- C:\Windows\System32\dnBuwtx.exe
  C:\Windows\System32\dnBuwtx.exe
  2⤵
  PID:6644
- C:\Windows\System32\oarvyyH.exe
  C:\Windows\System32\oarvyyH.exe
  2⤵
  PID:6864
- C:\Windows\System32\CKXNAuQ.exe
  C:\Windows\System32\CKXNAuQ.exe
  2⤵
  PID:6800
- C:\Windows\System32\ygPvswn.exe
  C:\Windows\System32\ygPvswn.exe
  2⤵
  PID:6660
- C:\Windows\System32\MaEDfHI.exe
  C:\Windows\System32\MaEDfHI.exe
  2⤵
  PID:7080
- C:\Windows\System32\BDppvol.exe
  C:\Windows\System32\BDppvol.exe
  2⤵
  PID:4624
- C:\Windows\System32\xbHQSfz.exe
  C:\Windows\System32\xbHQSfz.exe
  2⤵
  PID:6540
- C:\Windows\System32\pPmssno.exe
  C:\Windows\System32\pPmssno.exe
  2⤵
  PID:4168
- C:\Windows\System32\zpVltcb.exe
  C:\Windows\System32\zpVltcb.exe
  2⤵
  PID:7136
- C:\Windows\System32\ZfLUPLe.exe
  C:\Windows\System32\ZfLUPLe.exe
  2⤵
  PID:5980
- C:\Windows\System32\BolVERi.exe
  C:\Windows\System32\BolVERi.exe
  2⤵
  PID:4508
- C:\Windows\System32\jHyCMro.exe
  C:\Windows\System32\jHyCMro.exe
  2⤵
  PID:1092
- C:\Windows\System32\pYeothA.exe
  C:\Windows\System32\pYeothA.exe
  2⤵
  PID:5492
- C:\Windows\System32\XFjiyMP.exe
  C:\Windows\System32\XFjiyMP.exe
  2⤵
  PID:6780
- C:\Windows\System32\QXHvXMp.exe
  C:\Windows\System32\QXHvXMp.exe
  2⤵
  PID:6020
- C:\Windows\System32\ipwGcGW.exe
  C:\Windows\System32\ipwGcGW.exe
  2⤵
  PID:6856
- C:\Windows\System32\wjmsjar.exe
  C:\Windows\System32\wjmsjar.exe
  2⤵
  PID:5172
- C:\Windows\System32\WtOQmCv.exe
  C:\Windows\System32\WtOQmCv.exe
  2⤵
  PID:5560
- C:\Windows\System32\qDyCdSI.exe
  C:\Windows\System32\qDyCdSI.exe
  2⤵
  PID:5200
- C:\Windows\System32\RiJxmPL.exe
  C:\Windows\System32\RiJxmPL.exe
  2⤵
  PID:5284
- C:\Windows\System32\SCxKhdf.exe
  C:\Windows\System32\SCxKhdf.exe
  2⤵
  PID:5572
- C:\Windows\System32\oyZvpWp.exe
  C:\Windows\System32\oyZvpWp.exe
  2⤵
  PID:4924
- C:\Windows\System32\gyzeEdF.exe
  C:\Windows\System32\gyzeEdF.exe
  2⤵
  PID:7124
- C:\Windows\System32\ndjBHWz.exe
  C:\Windows\System32\ndjBHWz.exe
  2⤵
  PID:900
- C:\Windows\System32\zvQTlqI.exe
  C:\Windows\System32\zvQTlqI.exe
  2⤵
  PID:7212
- C:\Windows\System32\ECSXSgX.exe
  C:\Windows\System32\ECSXSgX.exe
  2⤵
  PID:7228
- C:\Windows\System32\WVkcSRS.exe
  C:\Windows\System32\WVkcSRS.exe
  2⤵
  PID:7280
- C:\Windows\System32\xVOPMCR.exe
  C:\Windows\System32\xVOPMCR.exe
  2⤵
  PID:7300
- C:\Windows\System32\NaMVZqo.exe
  C:\Windows\System32\NaMVZqo.exe
  2⤵
  PID:7348
- C:\Windows\System32\oIHvhZw.exe
  C:\Windows\System32\oIHvhZw.exe
  2⤵
  PID:7396
- C:\Windows\System32\wVPEWmZ.exe
  C:\Windows\System32\wVPEWmZ.exe
  2⤵
  PID:7412
- C:\Windows\System32\drqNtLN.exe
  C:\Windows\System32\drqNtLN.exe
  2⤵
  PID:7484
- C:\Windows\System32\GGimrIP.exe
  C:\Windows\System32\GGimrIP.exe
  2⤵
  PID:7516
- C:\Windows\System32\cBMupcT.exe
  C:\Windows\System32\cBMupcT.exe
  2⤵
  PID:7536
- C:\Windows\System32\eMGPrZC.exe
  C:\Windows\System32\eMGPrZC.exe
  2⤵
  PID:7552
- C:\Windows\System32\GeMPJzV.exe
  C:\Windows\System32\GeMPJzV.exe
  2⤵
  PID:7572
- C:\Windows\System32\ORIcfeW.exe
  C:\Windows\System32\ORIcfeW.exe
  2⤵
  PID:7592
- C:\Windows\System32\BpSBPrK.exe
  C:\Windows\System32\BpSBPrK.exe
  2⤵
  PID:7636
- C:\Windows\System32\ToVcEFN.exe
  C:\Windows\System32\ToVcEFN.exe
  2⤵
  PID:7660
- C:\Windows\System32\xpnckZh.exe
  C:\Windows\System32\xpnckZh.exe
  2⤵
  PID:7680
- C:\Windows\System32\jxOKspE.exe
  C:\Windows\System32\jxOKspE.exe
  2⤵
  PID:7696
- C:\Windows\System32\TDLNOOp.exe
  C:\Windows\System32\TDLNOOp.exe
  2⤵
  PID:7716
- C:\Windows\System32\CrnCJjD.exe
  C:\Windows\System32\CrnCJjD.exe
  2⤵
  PID:7784
- C:\Windows\System32\wAYXcSZ.exe
  C:\Windows\System32\wAYXcSZ.exe
  2⤵
  PID:7800
- C:\Windows\System32\SepTTxp.exe
  C:\Windows\System32\SepTTxp.exe
  2⤵
  PID:7856
- C:\Windows\System32\xnZcQcg.exe
  C:\Windows\System32\xnZcQcg.exe
  2⤵
  PID:7876
- C:\Windows\System32\IYMtQdF.exe
  C:\Windows\System32\IYMtQdF.exe
  2⤵
  PID:7892
- C:\Windows\System32\BwtbXMb.exe
  C:\Windows\System32\BwtbXMb.exe
  2⤵
  PID:7948
- C:\Windows\System32\sfKKaCc.exe
  C:\Windows\System32\sfKKaCc.exe
  2⤵
  PID:7996
- C:\Windows\System32\nZnEIIq.exe
  C:\Windows\System32\nZnEIIq.exe
  2⤵
  PID:8012
- C:\Windows\System32\PFlfkoz.exe
  C:\Windows\System32\PFlfkoz.exe
  2⤵
  PID:8048
- C:\Windows\System32\NpeQpRV.exe
  C:\Windows\System32\NpeQpRV.exe
  2⤵
  PID:8068
- C:\Windows\System32\GyCFmpC.exe
  C:\Windows\System32\GyCFmpC.exe
  2⤵
  PID:8108
- C:\Windows\System32\gbkmCyF.exe
  C:\Windows\System32\gbkmCyF.exe
  2⤵
  PID:8144
- C:\Windows\System32\swzYBBi.exe
  C:\Windows\System32\swzYBBi.exe
  2⤵
  PID:8160
- C:\Windows\System32\oMozOnc.exe
  C:\Windows\System32\oMozOnc.exe
  2⤵
  PID:8180
- C:\Windows\System32\DaJmGCF.exe
  C:\Windows\System32\DaJmGCF.exe
  2⤵
  PID:6760
- C:\Windows\System32\HOKsccn.exe
  C:\Windows\System32\HOKsccn.exe
  2⤵
  PID:7220
- C:\Windows\System32\NxOiONM.exe
  C:\Windows\System32\NxOiONM.exe
  2⤵
  PID:7368
- C:\Windows\System32\WRrmVCR.exe
  C:\Windows\System32\WRrmVCR.exe
  2⤵
  PID:7448
- C:\Windows\System32\DOmxysh.exe
  C:\Windows\System32\DOmxysh.exe
  2⤵
  PID:7460
- C:\Windows\System32\fTjHXbP.exe
  C:\Windows\System32\fTjHXbP.exe
  2⤵
  PID:7500
- C:\Windows\System32\GWQdwBw.exe
  C:\Windows\System32\GWQdwBw.exe
  2⤵
  PID:7604
- C:\Windows\System32\qbMzgPw.exe
  C:\Windows\System32\qbMzgPw.exe
  2⤵
  PID:7544
- C:\Windows\System32\RapsIix.exe
  C:\Windows\System32\RapsIix.exe
  2⤵
  PID:7672
- C:\Windows\System32\nrpFPiX.exe
  C:\Windows\System32\nrpFPiX.exe
  2⤵
  PID:7824
- C:\Windows\System32\nnRhuLJ.exe
  C:\Windows\System32\nnRhuLJ.exe
  2⤵
  PID:7848
- C:\Windows\System32\IhlAEum.exe
  C:\Windows\System32\IhlAEum.exe
  2⤵
  PID:7900
- C:\Windows\System32\WHPgtqc.exe
  C:\Windows\System32\WHPgtqc.exe
  2⤵
  PID:6984
- C:\Windows\System32\kYlUqBr.exe
  C:\Windows\System32\kYlUqBr.exe
  2⤵
  PID:7932
- C:\Windows\System32\KeyoYmn.exe
  C:\Windows\System32\KeyoYmn.exe
  2⤵
  PID:8028
- C:\Windows\System32\GZeflrF.exe
  C:\Windows\System32\GZeflrF.exe
  2⤵
  PID:7992
- C:\Windows\System32\XIfaoaK.exe
  C:\Windows\System32\XIfaoaK.exe
  2⤵
  PID:8060
- C:\Windows\System32\kkUwxhi.exe
  C:\Windows\System32\kkUwxhi.exe
  2⤵
  PID:8116
- C:\Windows\System32\KtDbwuU.exe
  C:\Windows\System32\KtDbwuU.exe
  2⤵
  PID:7224
- C:\Windows\System32\jGJKhZY.exe
  C:\Windows\System32\jGJKhZY.exe
  2⤵
  PID:7584
- C:\Windows\System32\TgYuFDM.exe
  C:\Windows\System32\TgYuFDM.exe
  2⤵
  PID:7580
- C:\Windows\System32\eEJkbJS.exe
  C:\Windows\System32\eEJkbJS.exe
  2⤵
  PID:7828
- C:\Windows\System32\YITAJUK.exe
  C:\Windows\System32\YITAJUK.exe
  2⤵
  PID:7668
- C:\Windows\System32\cknhmhO.exe
  C:\Windows\System32\cknhmhO.exe
  2⤵
  PID:7744
- C:\Windows\System32\YdyRzwj.exe
  C:\Windows\System32\YdyRzwj.exe
  2⤵
  PID:7836
- C:\Windows\System32\drdPEaZ.exe
  C:\Windows\System32\drdPEaZ.exe
  2⤵
  PID:8080
- C:\Windows\System32\ZAWOlkA.exe
  C:\Windows\System32\ZAWOlkA.exe
  2⤵
  PID:7980
- C:\Windows\System32\dApTIAN.exe
  C:\Windows\System32\dApTIAN.exe
  2⤵
  PID:7964
- C:\Windows\System32\bfrordP.exe
  C:\Windows\System32\bfrordP.exe
  2⤵
  PID:5768
- C:\Windows\System32\nVFBAQP.exe
  C:\Windows\System32\nVFBAQP.exe
  2⤵
  PID:7736
- C:\Windows\System32\ylHKrtD.exe
  C:\Windows\System32\ylHKrtD.exe
  2⤵
  PID:5360
- C:\Windows\System32\zoMJUqV.exe
  C:\Windows\System32\zoMJUqV.exe
  2⤵
  PID:7888
- C:\Windows\System32\ASYdElJ.exe
  C:\Windows\System32\ASYdElJ.exe
  2⤵
  PID:8024
- C:\Windows\System32\PxRtNeB.exe
  C:\Windows\System32\PxRtNeB.exe
  2⤵
  PID:7384
- C:\Windows\System32\LBQlLzn.exe
  C:\Windows\System32\LBQlLzn.exe
  2⤵
  PID:8140
- C:\Windows\System32\ZYSfNST.exe
  C:\Windows\System32\ZYSfNST.exe
  2⤵
  PID:8212
- C:\Windows\System32\iPHcsMZ.exe
  C:\Windows\System32\iPHcsMZ.exe
  2⤵
  PID:8232
- C:\Windows\System32\POmYPAm.exe
  C:\Windows\System32\POmYPAm.exe
  2⤵
  PID:8252
- C:\Windows\System32\rMAgsAP.exe
  C:\Windows\System32\rMAgsAP.exe
  2⤵
  PID:8328
- C:\Windows\System32\SqBQJtS.exe
  C:\Windows\System32\SqBQJtS.exe
  2⤵
  PID:8348
- C:\Windows\System32\iNIIUle.exe
  C:\Windows\System32\iNIIUle.exe
  2⤵
  PID:8380
- C:\Windows\System32\luugImM.exe
  C:\Windows\System32\luugImM.exe
  2⤵
  PID:8404
- C:\Windows\System32\wCzUrfQ.exe
  C:\Windows\System32\wCzUrfQ.exe
  2⤵
  PID:8452
- C:\Windows\System32\UitQvBs.exe
  C:\Windows\System32\UitQvBs.exe
  2⤵
  PID:8472
- C:\Windows\System32\kZkgKnR.exe
  C:\Windows\System32\kZkgKnR.exe
  2⤵
  PID:8496
- C:\Windows\System32\tUxEscj.exe
  C:\Windows\System32\tUxEscj.exe
  2⤵
  PID:8516
- C:\Windows\System32\HxBiJxD.exe
  C:\Windows\System32\HxBiJxD.exe
  2⤵
  PID:8536
- C:\Windows\System32\vbbgTmL.exe
  C:\Windows\System32\vbbgTmL.exe
  2⤵
  PID:8552
- C:\Windows\System32\yVpdKQd.exe
  C:\Windows\System32\yVpdKQd.exe
  2⤵
  PID:8572
- C:\Windows\System32\YKSUcfM.exe
  C:\Windows\System32\YKSUcfM.exe
  2⤵
  PID:8588
- C:\Windows\System32\PrPXhPY.exe
  C:\Windows\System32\PrPXhPY.exe
  2⤵
  PID:8608
- C:\Windows\System32\GxUdsCv.exe
  C:\Windows\System32\GxUdsCv.exe
  2⤵
  PID:8648
- C:\Windows\System32\tmjipwW.exe
  C:\Windows\System32\tmjipwW.exe
  2⤵
  PID:8668
- C:\Windows\System32\vzIvtWW.exe
  C:\Windows\System32\vzIvtWW.exe
  2⤵
  PID:8688
- C:\Windows\System32\IMmyMBa.exe
  C:\Windows\System32\IMmyMBa.exe
  2⤵
  PID:8708
- C:\Windows\System32\jiGEtyi.exe
  C:\Windows\System32\jiGEtyi.exe
  2⤵
  PID:8728
- C:\Windows\System32\YgwPDYZ.exe
  C:\Windows\System32\YgwPDYZ.exe
  2⤵
  PID:8744
- C:\Windows\System32\DLFgodZ.exe
  C:\Windows\System32\DLFgodZ.exe
  2⤵
  PID:8764
- C:\Windows\System32\DBNDmfA.exe
  C:\Windows\System32\DBNDmfA.exe
  2⤵
  PID:8788
- C:\Windows\System32\laKqQen.exe
  C:\Windows\System32\laKqQen.exe
  2⤵
  PID:8900
- C:\Windows\System32\XCqRPtJ.exe
  C:\Windows\System32\XCqRPtJ.exe
  2⤵
  PID:8940
- C:\Windows\System32\zFEkmUv.exe
  C:\Windows\System32\zFEkmUv.exe
  2⤵
  PID:8996
- C:\Windows\System32\gpQyjLB.exe
  C:\Windows\System32\gpQyjLB.exe
  2⤵
  PID:9020
- C:\Windows\System32\lPhsxgD.exe
  C:\Windows\System32\lPhsxgD.exe
  2⤵
  PID:9036
- C:\Windows\System32\eyhsorg.exe
  C:\Windows\System32\eyhsorg.exe
  2⤵
  PID:9056
- C:\Windows\System32\JXbxEOQ.exe
  C:\Windows\System32\JXbxEOQ.exe
  2⤵
  PID:9072
- C:\Windows\System32\qaENbyL.exe
  C:\Windows\System32\qaENbyL.exe
  2⤵
  PID:9088
- C:\Windows\System32\gFsvhgh.exe
  C:\Windows\System32\gFsvhgh.exe
  2⤵
  PID:9152
- C:\Windows\System32\lTVWQXT.exe
  C:\Windows\System32\lTVWQXT.exe
  2⤵
  PID:8208
- C:\Windows\System32\dabykEL.exe
  C:\Windows\System32\dabykEL.exe
  2⤵
  PID:8248
- C:\Windows\System32\KgbBLnW.exe
  C:\Windows\System32\KgbBLnW.exe
  2⤵
  PID:8284
- C:\Windows\System32\jgZZRMb.exe
  C:\Windows\System32\jgZZRMb.exe
  2⤵
  PID:8360
- C:\Windows\System32\yAOKTXc.exe
  C:\Windows\System32\yAOKTXc.exe
  2⤵
  PID:8432
- C:\Windows\System32\NlyvhUZ.exe
  C:\Windows\System32\NlyvhUZ.exe
  2⤵
  PID:8560
- C:\Windows\System32\bZeLYhY.exe
  C:\Windows\System32\bZeLYhY.exe
  2⤵
  PID:6208
- C:\Windows\System32\bsxBXox.exe
  C:\Windows\System32\bsxBXox.exe
  2⤵
  PID:8532
- C:\Windows\System32\LJNbcmh.exe
  C:\Windows\System32\LJNbcmh.exe
  2⤵
  PID:8636
- C:\Windows\System32\BujTgXs.exe
  C:\Windows\System32\BujTgXs.exe
  2⤵
  PID:8660
- C:\Windows\System32\EIyQYQu.exe
  C:\Windows\System32\EIyQYQu.exe
  2⤵
  PID:8852
- C:\Windows\System32\dGCPLtk.exe
  C:\Windows\System32\dGCPLtk.exe
  2⤵
  PID:8760
- C:\Windows\System32\tILLRjI.exe
  C:\Windows\System32\tILLRjI.exe
  2⤵
  PID:8824
- C:\Windows\System32\cCdhbhv.exe
  C:\Windows\System32\cCdhbhv.exe
  2⤵
  PID:8984
- C:\Windows\System32\dbtKEyQ.exe
  C:\Windows\System32\dbtKEyQ.exe
  2⤵
  PID:8888
- C:\Windows\System32\PgtRoKk.exe
  C:\Windows\System32\PgtRoKk.exe
  2⤵
  PID:9124
- C:\Windows\System32\vUKqNUV.exe
  C:\Windows\System32\vUKqNUV.exe
  2⤵
  PID:9140
- C:\Windows\System32\SoMYKxO.exe
  C:\Windows\System32\SoMYKxO.exe
  2⤵
  PID:9096
- C:\Windows\System32\gjMsXJv.exe
  C:\Windows\System32\gjMsXJv.exe
  2⤵
  PID:9200
- C:\Windows\System32\pIiVcDQ.exe
  C:\Windows\System32\pIiVcDQ.exe
  2⤵
  PID:9208
- C:\Windows\System32\oikVNuQ.exe
  C:\Windows\System32\oikVNuQ.exe
  2⤵
  PID:7772
- C:\Windows\System32\SqsDFgI.exe
  C:\Windows\System32\SqsDFgI.exe
  2⤵
  PID:7864
- C:\Windows\System32\GVyjJAi.exe
  C:\Windows\System32\GVyjJAi.exe
  2⤵
  PID:8356
- C:\Windows\System32\tIPRVKz.exe
  C:\Windows\System32\tIPRVKz.exe
  2⤵
  PID:8448
- C:\Windows\System32\adVzkQV.exe
  C:\Windows\System32\adVzkQV.exe
  2⤵
  PID:8508
- C:\Windows\System32\TyDPqbx.exe
  C:\Windows\System32\TyDPqbx.exe
  2⤵
  PID:5824
- C:\Windows\System32\IDBJsSQ.exe
  C:\Windows\System32\IDBJsSQ.exe
  2⤵
  PID:8756
- C:\Windows\System32\GuZjuAx.exe
  C:\Windows\System32\GuZjuAx.exe
  2⤵
  PID:8240
- C:\Windows\System32\dOlNuMZ.exe
  C:\Windows\System32\dOlNuMZ.exe
  2⤵
  PID:9108
- C:\Windows\System32\sFHMZjl.exe
  C:\Windows\System32\sFHMZjl.exe
  2⤵
  PID:8372
- C:\Windows\System32\QNsvsTF.exe
  C:\Windows\System32\QNsvsTF.exe
  2⤵
  PID:9220
- C:\Windows\System32\eBLuJOZ.exe
  C:\Windows\System32\eBLuJOZ.exe
  2⤵
  PID:9240
- C:\Windows\System32\alVVoLo.exe
  C:\Windows\System32\alVVoLo.exe
  2⤵
  PID:9260
- C:\Windows\System32\TnXVPCX.exe
  C:\Windows\System32\TnXVPCX.exe
  2⤵
  PID:9284
- C:\Windows\System32\XOZHdCU.exe
  C:\Windows\System32\XOZHdCU.exe
  2⤵
  PID:9300
- C:\Windows\System32\qeAtCUU.exe
  C:\Windows\System32\qeAtCUU.exe
  2⤵
  PID:9340
- C:\Windows\System32\XlYxsOO.exe
  C:\Windows\System32\XlYxsOO.exe
  2⤵
  PID:9364
- C:\Windows\System32\BnvnQuz.exe
  C:\Windows\System32\BnvnQuz.exe
  2⤵
  PID:9448
- C:\Windows\System32\VAMiPmM.exe
  C:\Windows\System32\VAMiPmM.exe
  2⤵
  PID:9468
- C:\Windows\System32\LYfEzrj.exe
  C:\Windows\System32\LYfEzrj.exe
  2⤵
  PID:9488
- C:\Windows\System32\IUsFtKt.exe
  C:\Windows\System32\IUsFtKt.exe
  2⤵
  PID:9608
- C:\Windows\System32\SOVarWQ.exe
  C:\Windows\System32\SOVarWQ.exe
  2⤵
  PID:9628
- C:\Windows\System32\vUGOpik.exe
  C:\Windows\System32\vUGOpik.exe
  2⤵
  PID:9648
- C:\Windows\System32\UESALBD.exe
  C:\Windows\System32\UESALBD.exe
  2⤵
  PID:9724
- C:\Windows\System32\WDKTnTZ.exe
  C:\Windows\System32\WDKTnTZ.exe
  2⤵
  PID:9756
- C:\Windows\System32\UixfLjI.exe
  C:\Windows\System32\UixfLjI.exe
  2⤵
  PID:9796
- C:\Windows\System32\GauZFGX.exe
  C:\Windows\System32\GauZFGX.exe
  2⤵
  PID:9824
- C:\Windows\System32\VwUSGul.exe
  C:\Windows\System32\VwUSGul.exe
  2⤵
  PID:9856
- C:\Windows\System32\bHQCTJw.exe
  C:\Windows\System32\bHQCTJw.exe
  2⤵
  PID:9872
- C:\Windows\System32\JwphQxn.exe
  C:\Windows\System32\JwphQxn.exe
  2⤵
  PID:9888
- C:\Windows\System32\RirKeOu.exe
  C:\Windows\System32\RirKeOu.exe
  2⤵
  PID:9920
- C:\Windows\System32\MvWafnO.exe
  C:\Windows\System32\MvWafnO.exe
  2⤵
  PID:9956
- C:\Windows\System32\cjkrTWl.exe
  C:\Windows\System32\cjkrTWl.exe
  2⤵
  PID:9992
- C:\Windows\System32\WmwQwkh.exe
  C:\Windows\System32\WmwQwkh.exe
  2⤵
  PID:10040

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:9744
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9384

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5140

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:10048

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:9680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6796

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1476

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5248

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7856

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8120

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4824

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4VHCF0PY\microsoft.windows[1].xml

Filesize
97B

MD5
b00643a38637847dab98bfa6c2d53f4e

SHA1
983055bd38dff9849c550ae053cd3592db217147

SHA256
a64b8e9193f1537d2bb5f68c17018abf732832ebe4885933819f019ff9410841

SHA512
9acf44ec12ef307e812442dfd45408a6d6db702b698ae1b47b9ea8643fb0747d38baae833e8e1b9d2b540c1bfb5e2e34698c7cf6cb73555075a17fd0da7db9e2

Download Submit
C:\Windows\System32\BzFBSRa.exe

Filesize
1.4MB

MD5
93e45be250edd83bdca08c754e2c2256

SHA1
f38f7dedbc139a43889f228afdae584461841c0e

SHA256
bc9680f66185f60dd4b32e0021201d125ceb4997321c7806fecb432d02433fca

SHA512
5204d702f8078a10234b5d76721d96ff97861aa4d7389fab789fef4edca7079d70668548f83ba7b7d04421d9814af5768ae1b3dcf3a74dc08a969a815bcf0e0a

Download Submit
C:\Windows\System32\HNHICWS.exe

Filesize
1.4MB

MD5
d8412cd48c8eb8f0e8423c9c9181e444

SHA1
de8eda768dceae5a4f2309f9f5a39c960b3b2ce6

SHA256
6d0f5bf25e50f93500aab9ea1f77aeb0c9199596c1763dce2f9d9e674649f037

SHA512
fa23888abc94f348636a11b0e7a4c8e6ad0fa410fbe29e4f16f77442e1ece2c7e980cc97a5afce20055cec2c85b7ddbd7e0ae957ecc3b28b0200e3b21f33af5e

Download Submit
C:\Windows\System32\HNHICWS.exe

Filesize
833KB

MD5
a2396531f1b2c498ac73e4c9c56474be

SHA1
4f15163a454d2aa0e4c7ef4a53ea785379f6d08e

SHA256
45b053927742cc66b62b38096d7ee077c5147f8db35ea078ca895b90c27403c2

SHA512
542be8d93564c288ceb05c2bba54b5df0074d3bb16fe4e4433f01be534e4fa7246e970bca72aa0f498d9ccfdc9c8bb5d190fc976997f84d56cf75bba78e2b3de

Download Submit
C:\Windows\System32\IgOXRFb.exe

Filesize
1.4MB

MD5
3f7281f123f8ed244fa9058fbfd45f07

SHA1
42e54ca53d77f4ad359b0780a2508cb50e77c44c

SHA256
c5887e5f9317ca60c32b4697d03b990bda7bcc584e29d1d8b9e1069bdf3bb93c

SHA512
7820d264d272b71cdcfc8dd56db785b244849f552f5943f47b514d40eae61b7a9f81262fdb973592b6e6fbda250e2b5e257a8eb9abc356a8acc803f935d7cb99

Download Submit
C:\Windows\System32\IkWFLUz.exe

Filesize
1.4MB

MD5
5eb02e44f3c6d6bd768f751bfc66bd2a

SHA1
62d2ddff9cfb23d582986985e56b0b6af1d9c73c

SHA256
c49c6d1fb4b454f514b50eb28826913c4feb02c8d493f66d05293efc693317f7

SHA512
ca0a54313daea0ac9a4788c617c48ba9beda64ccf514530163e24b819b26c49be3bee99ab52e3ced6b79eccd5a1cbe57afd7244fccb6a5ec9ee2d08c8186742b

Download Submit
C:\Windows\System32\IsVCADb.exe

Filesize
1.0MB

MD5
b87fd80d5cbbc5059ba0427c0fafec1e

SHA1
2bda8768cf7fcf446e9e8c255fe6e7f5c847a6e4

SHA256
6cc5367aecc1cab7ac17ca521dc17f3d2750ccacb7438ae8ab427ce26b7d6ee0

SHA512
51ca9ba60e33cee293351950f9e9980174ec35ddd20c127f004290ac5b87864d8ef1d659fbba1a77e41b4f6ffd7fee50e42fe03fdeca200c1aa314f64be6846f

Download Submit
C:\Windows\System32\IsVCADb.exe

Filesize
1.4MB

MD5
fc971dcdf1e0ceb7b84fb79529396864

SHA1
30510efe908bc1abe2d46d714c9310e9bc2195b3

SHA256
ac1bbb2fe5509242a9caf70fc47c3409c3d2676d3def96ddc45ddf180abcd668

SHA512
ce954a2ce91c2298397737e6834035e819960fe24be69502a4ed19938f420d15422171f7b1cd6894a3b62dd07f8a7b232fd571e0976319566dbf37f501e18f82

Download Submit
C:\Windows\System32\KJpAIJK.exe

Filesize
1.4MB

MD5
535f663e77311e5c9648c0c5d470deda

SHA1
b91041188a98ebef12d54f4349e4368fa8b0bfbd

SHA256
51c8f9a64e4cffd491febe18515ab2568aa112cb3faa966b0125c1ea33cdf858

SHA512
dcfab61a67007cb6d9e1c8b6e8a93fe96833ca3cf91ff82a1b94ba83463872bbc515c631d67f99cc76c0b012d41af181368e947069f069bad75735a43982845e

Download Submit
C:\Windows\System32\MtgTjue.exe

Filesize
1.4MB

MD5
08440ee2c10697ab09d37e4a29dd89d6

SHA1
9d99899be321123b54fd1f595afb741a3e0b2923

SHA256
192aca329bb3f123edf4762e37ef162ba47e61df3c38d338e98674fbd8bdc903

SHA512
0f487dd3c333cc760f9e0619f866bd3e7f6973fb94a9d9d5de270908b46c5f0c54e21d96e3281a6e7499bf85232970b2ab792cae4f27e441d052f3f4b843d1bb

Download Submit
C:\Windows\System32\MtgTjue.exe

Filesize
31KB

MD5
748591c3e55b78fe081d092ab7fbc815

SHA1
6eddab3f0ea63a0f2d4e7b0f6cf6979ebca961fa

SHA256
c10a6f60b37763c857919020574eb3cd75bc4c3079041f5f453d5e47dccfd8cb

SHA512
39a2446118263750d11f0cee4cf17b51d2b12221709bd434cc9f01a85da2a06e8e8cd3650d917edf521456552c551710cd39ae29725e3957cf6de66f99b1ada5

Download Submit
C:\Windows\System32\PSOUvll.exe

Filesize
1.4MB

MD5
74a1ed281144754d73707e4ccbe54f49

SHA1
8c838db6168dcf45be43f18f9b770c282623ef80

SHA256
24289a98a5aa818f3f885130b9d0839ab1d037ee84c70632a0f33a749d64f768

SHA512
e3e11acbd93b582aaa81ec9370ca19b480fbc5a7701f9d30892f92354a3ac8ff8f2bf92143d89aa9cb8e815ddde22087aedfc03199ed259aaf9916eb0771cbe8

Download Submit
C:\Windows\System32\PSOUvll.exe

Filesize
36KB

MD5
d21e37c313243b43eb60e500ec7cf6f4

SHA1
85017e324a9a6b91d338ff0d610ae6afc2d4da9f

SHA256
a9a1a921055ca9606e48576bd72b264e25b4d7409ceedc68c29a109adfdf2c25

SHA512
6ba4f1479a3ab8eab23d6cf13fd536e42deffb84938cd2d55e2d3afb7091d413e0971e812dacc3b8d22e28e21d2e24bb1112cb7590ff68e0369a62f2165a2c21

Download Submit
C:\Windows\System32\RKYsdmn.exe

Filesize
1.4MB

MD5
5de53e581a06eb30b0f53a8d0493a8dd

SHA1
2cebfcd6933aa570a210092021b689d32f79616c

SHA256
a8b41cca26b5d82955a2db23361811d8dabe66f95ed089fe879c8c1260d2316d

SHA512
ce84b703b060759428c7ffeffb95aabc8dc157fc5c37a9f643ef4c9a533e616e58fd4e3a0d61ea18fecbb09f5552b3d7a33fdd1ceef87d017169ad2604b486ee

Download Submit
C:\Windows\System32\RKYsdmn.exe

Filesize
512KB

MD5
a4e995ee600ddecab470bb378ee48b43

SHA1
7b6eaee5d75fae894a0f898357ad640c3110580c

SHA256
e1b35fc069e0ab462c778b1d8349f1cd0d9ad5788ca4258a4f50d99b66e89dc9

SHA512
1aad98c8db4d98de6674935de7214ec8d93e4293b27f12310eb78a929c97781c256e27e36b99f3181067f113a8041d1964b8609865067e1937c4adcf2ad4b7e2

Download Submit
C:\Windows\System32\SFGYnYN.exe

Filesize
1.4MB

MD5
9391de7df0e316e3b67ec73a18d925dd

SHA1
a044a56da9e6612584f090a80b776c9c6321e084

SHA256
1ea8f6e1354c2aad18a994294492705993414f56cd5a0bd4c72db6cb12fe9702

SHA512
7841a15af158960dee007ce423b061a4200a750b7101e341a6e0b9502fc7fcfebe0e455b16fa468c32ba935d438aaa221b2bc38ec660140a13026baa056be211

Download Submit
C:\Windows\System32\SegYpHE.exe

Filesize
1.4MB

MD5
f6e103e40063f2c1fa8a86cd99c028b4

SHA1
dc8f3b3c095e52366bf1e5e1ddb6adf70f3305bf

SHA256
8a668f193e311fb4b4614a00e0f659466817df9cc833d286fa9a4a1b22308e76

SHA512
8af82105be39f431edea95b06513c479c88ac378ca756bf6be96148d8b0c613941f97bd93b636a729863992651c1f9ac5ebe2865192ba0a42d9ab3bdec870bd7

Download Submit
C:\Windows\System32\TXVPJCZ.exe

Filesize
1.4MB

MD5
96376fd6132271c8d72b5faac28f4ce1

SHA1
d9b49d00f8f2c61c50c35124b8d253ac4eecfa5a

SHA256
7be17474afa1998d9c78922cd8c4f43363016fb58c937699e4c27ea9fc123b49

SHA512
8d44a8e122fbed5ec123d9a03fb97e00f38b2579b421e3465b1adc9577aba95bb98c7f8e16d9ff9afebb3ba82e97f931d95c1cd630e61cb85ef494bda03c2abd

Download Submit
C:\Windows\System32\UtJybbZ.exe

Filesize
192KB

MD5
3c1559cfb02707f81049bda2678be952

SHA1
10baf3dc95cb8ee1a83cff398f95f6af7cbc39b1

SHA256
9a41196929cfde6c0fe754df0c7b0d8a4174f82724ed2244e8400dc2a75367b6

SHA512
94ca57d0e06fc4f5244ca0bdcc5bdada6be2c24dd1281765fa5167ce19c827d63c242c9d9fe92e0fe66682dd4901c89c4b083630086aafa03eecf70150f08cc8

Download Submit
C:\Windows\System32\UtJybbZ.exe

Filesize
1.4MB

MD5
5611746b3853d8ac82943d7fe3c9fe0a

SHA1
666c377289d638c344048331bfe07f4c1c5412e1

SHA256
85c9d95d8c2b551ff7f68a76a359096f3ce66ee4ce3cca2601932aa33c215a42

SHA512
b1f47028783c837a261ef2b054a9128b781fd1532c05edabdb6c3ab8682db5992b5e635a14b514441d18aa6904bbaf3ed91b4a6e12e5988d3172bd02dba88a20

Download Submit
C:\Windows\System32\VswWkEQ.exe

Filesize
1.4MB

MD5
353a096b60698826cb6761b2ad358ff1

SHA1
4836d45f4cd55a636a94e855f9aa1a39faa30ae2

SHA256
41441f4b57d898a92a4e20de4f033c4fcb23093a2e59d0da35ab32597cf4ee1e

SHA512
ad19edeef55a2482e8d0613e4b2a5f00352ce2721f0f4aea2127bc2d58bf3b79e410e682a373b8559eebf6945334951ee11a9800cce3735e248579acc115d68a

Download Submit
C:\Windows\System32\VswWkEQ.exe

Filesize
42KB

MD5
6de21d6d3780149eeff09545e2c2b560

SHA1
c94b196b668fe5d8621d383b1078bc2523aa4c5d

SHA256
cb1f93020960239eae70df656d2b17220aa58c194497f94997aa28869cd79a93

SHA512
ddb8d27ef89c5a01d244c73f518c591f34be2ad8ace17e8ae082e04ae2150ad53ab6ab0129288bfe81d45f7d70c1cf492e414031cd4247d5202fead1b90bb4b1

Download Submit
C:\Windows\System32\YttrULc.exe

Filesize
1.4MB

MD5
64a228ef73a9e02cb7530ba974b48f4e

SHA1
6f89cbff0269d37d8f18df854b6e53d8f470281f

SHA256
8bb8840d12a83a8036ddb37deaf4fad0bfa2dae35e2860360a9660786b111efc

SHA512
4a87b19b520732fe8532169987cfa1a3fd1150e622a27857daca3ca1922d8fd5561375390e9fade2052e6f2abdef449d40726715f754c8575e93b52029c987c1

Download Submit
C:\Windows\System32\btFiYin.exe

Filesize
1.4MB

MD5
5d94b4db3904c6570dc8d59e180905cf

SHA1
17314a1543025eb27ea354f8d0c5899bb489d408

SHA256
9aa8d4114e28b88e3d3fc9bca9c4aa10d513bcc6b841b110011442fe51309922

SHA512
23f8e7f88d472c39a83f2e7a8e6f087d7bc1a93e3b54dfe9e2cdda84a8e95adb9e7205c12decb8f3c1306db76a88d66988eaf07e2c78193397a484916ed8b1b4

Download Submit
C:\Windows\System32\btFiYin.exe

Filesize
1.1MB

MD5
70122b71f468c00d5210c73e3e221cc7

SHA1
54b14e816012c5b49b64710d61907b8ba94a7fd1

SHA256
f5dac756d1c89601e45009f496252fa29df562e6f47ff6b90dd84922462f3c29

SHA512
fdc1eef5e68a0485a68fb76948d7fb7513c5e2c7ef6c02ede5f591ca2f7dcd53c0138849e70e45e50eed00b4ccc1c9e97f1a61fdb72ab96653f7dba87c9e16f4

Download Submit
C:\Windows\System32\ctHfolz.exe

Filesize
1.4MB

MD5
32f09734076736a73373f1cf8d2631d1

SHA1
6dd2ce8fda0d6c193247b97a4cf1ea3af70f740a

SHA256
26a863bf8c648cd2b267ec3ecad6e8ae663fa324e24515c29a609bb0dc5cb368

SHA512
34ae7896501d1f9388c51f2e77e8270bf1e55f1344e0190f03722fcf234a7c63cf530958d1cb80065f2deb006b1493e8050d83ecb8ea5b3fe500aff33ab5ff62

Download Submit
C:\Windows\System32\dnRlABY.exe

Filesize
1.4MB

MD5
4d8e8bf7bda15d4a3949bcb3e7ab5e72

SHA1
5ea49ccb087a220ec5a3ed4f65caaaebcd291c8f

SHA256
b07be4e6518ff055776dfcec65a434d74601554e9eeb4dc0becdddf6f026a141

SHA512
8bdf89e170f793a634873078dfc112f3ce8c9e757d0baf0a0f947fcbd2c9fd2d8a2059e2d374ca6351fa45c79f24472f082c045a195acdb0a717a6c7a8b245c0

Download Submit
C:\Windows\System32\hLrVcZD.exe

Filesize
1.4MB

MD5
cf76271bca7b0f5b3458c21b05f65434

SHA1
c06da299193b1d5936bc0e6a9b617850c661938e

SHA256
ee76111049f8f32a5b5421074cec72523408b0733dfdaa494e8354b24cea7deb

SHA512
e4dd7ab5dc2ddae92b585e43482faa262d25d64d0e7722eee1d587a8f26280ba573a5abc26d8258500348ac72240d2d8807da5e22b30938bd585983799f0e960

Download Submit
C:\Windows\System32\hLrVcZD.exe

Filesize
583KB

MD5
2ce9faaf2cea7aca528383a3ca01f0a9

SHA1
dac2e78dabb9a0864075834f172aa6f6afd92f2f

SHA256
3cdbe0bce70c3d36ed9ca8fc170871d9cd667de4bb96c33891a88c65ab7fe373

SHA512
98c1f1bf33e68f669054851484438166fae027219b3ec1139a7a98b85f49504170c29d1f62196ff9c05a7912a03edbfc83445d2552d18218ff72d279a3aaed64

Download Submit
C:\Windows\System32\ijiOUaV.exe

Filesize
1.4MB

MD5
5735cfee4f6d81bb7b1e9542f3c8d74b

SHA1
04ed2ebda267f48234509d74e76e62d0e7ec15a2

SHA256
fb04f5b393028c7de6d63fd23e5206282e73c88586368bb840199b83cc777d2e

SHA512
71bc9b03b3dd4c73827556d260154610b54a5a108825c0d6a91130ef03825e9033b0dcad224c9acb730b795c382b12b7c9e31cc5579ccf6924c9a21ae632dc19

Download Submit
C:\Windows\System32\ijiOUaV.exe

Filesize
5KB

MD5
a32f4036e35c680d9f567abeae8a00bc

SHA1
c851eabf8b50f1cead73577320533b264ca6d263

SHA256
d20cd4bfedb643246544380058181f32df73f4f7becc6b12bf0e6443e3870d0e

SHA512
4b9d11d25613340b374b4f788293a45976c7c78f99a7d94dba09c7a8e9621d0aa762c1275a4af79fadab3cae7e729be81ce75464599d14c6e109d83253503bd4

Download Submit
C:\Windows\System32\lvTKjts.exe

Filesize
1.4MB

MD5
c39fb03bae492652abf3b7442e19ddc1

SHA1
ec40e30a5ad9361b208ced1615a518baeb50c46c

SHA256
856c0539df7bbeaf7bac3288960d8816bb28c571d2fb9f17210722efadb2411e

SHA512
8de15b37b4a650312b43cb266551c72e67265b3110692f7b62b6f9642bd5cfa6a86297fddd0c2086c3f2bebec3e497ab41d18617c1a8b07ac13e9556fa1d5715

Download Submit
C:\Windows\System32\lvTKjts.exe

Filesize
1005KB

MD5
972afc84a5a2327d4d863f0349b0a766

SHA1
56e30bcfd888074c3be110613b7bcfe5cfd1479e

SHA256
2f4c7f661ab7e65e427cd00872b6a09eff1175561f529eabe2cddb70d2e8afc3

SHA512
bad485fe7abca8a4f099603567cc155e6a355f40a90ddd8c6bf2c00826fec0df97f52bb6edd691469ddabbe781360bb5161ce9689308aaa7a0d775125505e3ba

Download Submit
C:\Windows\System32\nTROHKa.exe

Filesize
1.4MB

MD5
a4ba63ef6d42b53f082af86c0f5a68dd

SHA1
ecf9fde02f09cccfd70b28075d2c47c8cb1f1dde

SHA256
3702e034ee9602e1c9f331f558426a3c656be813f6ab2dc03d0d33f4269973b4

SHA512
94d606465a734d509d7f9593d46d47530001de091a47390d3c92cbf33a8d0e4f92cc906cc8665714a0c1419021127500f4dd2067841a5024a8ac9a8cf792978e

Download Submit
C:\Windows\System32\oEsuXtu.exe

Filesize
1.4MB

MD5
cc3d8bab5712d7341922def0da85f01b

SHA1
56b9366a5d8842e7f6b979f7193e04d3373b85c9

SHA256
e574a20e6c78683a05363920cba95e5945c9870ee95be5098086ee03a1902004

SHA512
91468d551b0a94c2e0c1159d415df2276203c5dd468d9ca1788b87be0bb3913f3501ae3e795d5e06850ec222f6a46ca7b843f2703b996e18b00d483189a6e564

Download Submit
C:\Windows\System32\oEsuXtu.exe

Filesize
576KB

MD5
9bde42a3ac1c1c2501849110323ee747

SHA1
9d8879a2724fc7500d9c6256702ed340dfefc322

SHA256
d98ae752f93a5850c8fa34b29f1df7cf53239e5138b8af5ab8d4df766ba43928

SHA512
6e6a0bb95375c93b336ac4f8c71b476e3c0b62776a6dbea62bc48ada5be9723598eea7f1001508c4d2cd00975b21e803a851bafef62dde86143820e690dc1b78

Download Submit
C:\Windows\System32\ogGwvPK.exe

Filesize
1.4MB

MD5
0416b809f943b921f02a2eac141f36c0

SHA1
fc977f7b6cbaa3834ee3b3e0caf635237c6d48ef

SHA256
2f407c63296a677f65cc50d61fd85f7e18b0f33bb7d01d8b446d5feed88c3cf5

SHA512
133e396a7c96098817288055e5a3e309d4b18cefdabaa60c1b74ef477153c378bfb904d53803017aaaba1a343eb5860b75d6abc16b04a0444c4f98c7ef997c65

Download Submit
C:\Windows\System32\ogGwvPK.exe

Filesize
128KB

MD5
18bd523bb2a1a1369bb861c2beda1bc3

SHA1
159ae1849d055c1d8bb25e42b0e54ed974d7314d

SHA256
12ad6f35b7fdd28af2b7c5797d1f91e4834bef196506c91686fa763f49df8e50

SHA512
e46efb48b6f9a49b07b22487034e5c017ad4a36bd99d35dd05d2c587eb6b3734064c55ef0a3736ebf2791f6c83e5c5733adf99ea9ff7946e625fb17da3bf781d

Download Submit
C:\Windows\System32\sPDPDPI.exe

Filesize
1.4MB

MD5
7b44736f78fc714294cd05f3b610d1e8

SHA1
0c658582d2233e574cf5a15f11621fd59044e396

SHA256
50204f94820baae5c570c9022bb1ea78b28a304dfd41aa6da1cf0746d32fd57c

SHA512
8359874196c628d47bab1cfd533c786781ead36e98d232235b2c2db13de1146b8861ed67561956ecef5e227f21c5866a797df58bdd6b1f0a262a6840a461087f

Download Submit
C:\Windows\System32\uiWAHXW.exe

Filesize
1.4MB

MD5
2290fe508944db9be3eaddd238a0c2b4

SHA1
c5b941ff8819f656072acf1a0602297e97ec306f

SHA256
feeecddc7b9f4145a0bb6d8420a25f7464373cd6fac8d2097ebc356a58f07555

SHA512
33f1fa4627a7e2682b3e3c893840bf928739c53591e0d8aaa92645e27722e55135ea9c4870ee5ff1b0d25b59454a0608d67c22ece9cbcad969da88df46139eb3

Download Submit
C:\Windows\System32\uuTWGwA.exe

Filesize
1.4MB

MD5
15bef78e1ce3f85b1f630a4f82c84eec

SHA1
1de6201d9a6ae4646bfb8971e00167cab9a1349d

SHA256
75cbe7008a7c26a4db15de1fec3456dde3f6d3f85077b42058061270fe16af3e

SHA512
72db4b5fa25d182ad677661dc3900229f19819e49e61ad2ba150e0ecea73184609160e10fb16fab65e7097778b6b891adcc4e571b8be7d54c817bf7b0b91a033

Download Submit
C:\Windows\System32\vYUVrlT.exe

Filesize
1.4MB

MD5
bf0a51dd0cc60d2e9aab02e02779998d

SHA1
ce73bdd3c761a76ffd460f977b1fdf17843e0d5d

SHA256
c3b1a5cbdf54886d43e825c97717454ca946d828c7b633ec5ace27c39a52414b

SHA512
931e3ca03358fc14844db58b8675a12fa67aa9ae57bdef81eeaf32e7ad55c0aac2d9de7b5909e04380ea438174a940293b80c89dd7373e07a841dbfc482155ad

Download Submit
C:\Windows\System32\veHboPr.exe

Filesize
560KB

MD5
17a332cc06d253f3be6c32ce6c7e98f3

SHA1
20ae7d3845f3af265114f956c2e39d502b34e0ab

SHA256
8c057e4b5004017c8c29008ca6d1f506ab2f521bee8e141212c3012f7c768850

SHA512
7b26e7f1729ac9f87836fc1780cd7b414f3f2d450b158f416fb741c0c6fee4b6cea4691ee44f9bcecee32b41741ad9255bd5709e9768ee6b0fc59a02f1322760

Download Submit
C:\Windows\System32\veHboPr.exe

Filesize
1.4MB

MD5
07924a5950fd1ce490ff14ef77e68add

SHA1
b144bbf9092b0709fccd2985221504569e460612

SHA256
f593e2b2f1eaecc7afbdfcef057aa905a26ab008fbad6a487652e2177f7bd5fa

SHA512
8354972595fd43e5331a1dafa7e4d97e7d31b85687f006b5633ccd20427cb76d2796d576ea6ddcede68357ac0517417553f00ef0a7343c12a79dd6462b5d7cc7

Download Submit
C:\Windows\System32\vwNnmiR.exe

Filesize
1.4MB

MD5
05e5c0b30f262cb99f4c04ae94adecd2

SHA1
4cf81873c7a5bbaf32402cbedda3add78e2c1482

SHA256
1c9cae30d6945ef10c3637d625efe93de031dfced6e8fe5294ec7c72958ea414

SHA512
f64121aae4dbfca26f9b5f70cb1ecfec38aaa01d9f98a082d73c114a732864415e18652aa70d192b7f131959de2274fafadf0848d296a4e0a44bda2eb5b55d09

Download Submit
C:\Windows\System32\vwNnmiR.exe

Filesize
166KB

MD5
08b0feaea4ae2bc916f11b43a1b6e17b

SHA1
05ce6417d9e023d082e064cd33fac92e782dcaee

SHA256
a2b8ac1a1a6d3bf32736923e8dbc3fb41926a9885ca13f7628f830652e00272b

SHA512
d78be223cfcd7c27fb8b3bc98c533665dd9c0de95fb89ef251d1259a3a84bd9e2d52fda445e3d8d7d06b3b0524abb6c3a5cc38554b6adb6acf387d564a77221a

Download Submit
C:\Windows\System32\xMVtVBu.exe

Filesize
1.4MB

MD5
57dc2df417146311365d36a1e1959a0a

SHA1
911d29b65384d4d228dea40495c6623b46649d6e

SHA256
d90244656f68cdf58526dd7df1d175e0f71c6ab8ac12a277d5a56a8e6476ed0f

SHA512
9321f90ed8f0b09434c01f9375c72c33a42f3e66e9b78b36cb567ec04e301949c55dbe3b0117026e40faf2c8c4973823e32b82542ee2cdfc1e2b3b924a2feffc

Download Submit
C:\Windows\System32\xXXNFeW.exe

Filesize
1.4MB

MD5
50d0ba5946b6a6d00bdc654bf6bc9781

SHA1
407d325a19a99b45bf14ee06ac557b43ca391c92

SHA256
97da2d351677a89772504b7276ed5fe626cf33666a0cdd2eb9cfad910c11709b

SHA512
9307b267bd19199c616f256f20ea03decd28e544afc42b1fb8d20c01e27295c34692deb09f4ba42aae86e511723370b892f59a5bfcf98f14dfa2e60d3c59c76b

Download Submit
C:\Windows\System32\xXXNFeW.exe

Filesize
704KB

MD5
d6c2abb87759de885424e78fe7bc10df

SHA1
280255ca9be90ccea3faa666dd996332a572922f

SHA256
271f64b80731dff3220693a86427bfe3f7068f25d35ddc8062418793ebcbba71

SHA512
a31a76e8d319c7ce4bf2a5ad222b775c7df4fc6cab2744719134d07f63dfe6d0c084757e7b6abd759e4d28b73255e652afb83c9554f295f127c05678657d04fa

Download Submit
memory/320-682-0x00007FF695C00000-0x00007FF695FF1000-memory.dmp

Filesize
3.9MB

Download
memory/436-449-0x00007FF7D3240000-0x00007FF7D3631000-memory.dmp

Filesize
3.9MB

Download
memory/572-363-0x00007FF706E10000-0x00007FF707201000-memory.dmp

Filesize
3.9MB

Download
memory/852-489-0x00007FF6EA3F0000-0x00007FF6EA7E1000-memory.dmp

Filesize
3.9MB

Download
memory/940-300-0x00007FF6F85D0000-0x00007FF6F89C1000-memory.dmp

Filesize
3.9MB

Download
memory/1016-355-0x00007FF7512C0000-0x00007FF7516B1000-memory.dmp

Filesize
3.9MB

Download
memory/1168-670-0x00007FF688030000-0x00007FF688421000-memory.dmp

Filesize
3.9MB

Download
memory/1308-333-0x00007FF7D7960000-0x00007FF7D7D51000-memory.dmp

Filesize
3.9MB

Download
memory/1396-299-0x00007FF740260000-0x00007FF740651000-memory.dmp

Filesize
3.9MB

Download
memory/1416-0-0x00007FF72D3D0000-0x00007FF72D7C1000-memory.dmp

Filesize
3.9MB

Download
memory/1416-1-0x00000215B4240000-0x00000215B4250000-memory.dmp

Filesize
64KB

Download
memory/1464-467-0x00007FF7A8CA0000-0x00007FF7A9091000-memory.dmp

Filesize
3.9MB

Download
memory/1468-305-0x00007FF7A1E40000-0x00007FF7A2231000-memory.dmp

Filesize
3.9MB

Download
memory/1480-433-0x00007FF712F40000-0x00007FF713331000-memory.dmp

Filesize
3.9MB

Download
memory/1548-666-0x00007FF6D4F70000-0x00007FF6D5361000-memory.dmp

Filesize
3.9MB

Download
memory/1568-317-0x00007FF764A00000-0x00007FF764DF1000-memory.dmp

Filesize
3.9MB

Download
memory/1788-344-0x00007FF6FBD60000-0x00007FF6FC151000-memory.dmp

Filesize
3.9MB

Download
memory/1880-671-0x00007FF725C20000-0x00007FF726011000-memory.dmp

Filesize
3.9MB

Download
memory/1944-388-0x00007FF60D690000-0x00007FF60DA81000-memory.dmp

Filesize
3.9MB

Download
memory/2212-667-0x00007FF60FAA0000-0x00007FF60FE91000-memory.dmp

Filesize
3.9MB

Download
memory/2312-668-0x00007FF698110000-0x00007FF698501000-memory.dmp

Filesize
3.9MB

Download
memory/2324-478-0x00007FF730350000-0x00007FF730741000-memory.dmp

Filesize
3.9MB

Download
memory/2376-306-0x00007FF7554F0000-0x00007FF7558E1000-memory.dmp

Filesize
3.9MB

Download
memory/2432-301-0x00007FF64B510000-0x00007FF64B901000-memory.dmp

Filesize
3.9MB

Download
memory/2484-676-0x00007FF69BE70000-0x00007FF69C261000-memory.dmp

Filesize
3.9MB

Download
memory/2524-38-0x00007FF789260000-0x00007FF789651000-memory.dmp

Filesize
3.9MB

Download
memory/2552-674-0x00007FF7B6780000-0x00007FF7B6B71000-memory.dmp

Filesize
3.9MB

Download
memory/2640-302-0x00007FF6FDD70000-0x00007FF6FE161000-memory.dmp

Filesize
3.9MB

Download
memory/2716-396-0x00007FF683340000-0x00007FF683731000-memory.dmp

Filesize
3.9MB

Download
memory/2788-303-0x00007FF7BF7E0000-0x00007FF7BFBD1000-memory.dmp

Filesize
3.9MB

Download
memory/2796-420-0x00007FF729CB0000-0x00007FF72A0A1000-memory.dmp

Filesize
3.9MB

Download
memory/2800-375-0x00007FF7CC8D0000-0x00007FF7CCCC1000-memory.dmp

Filesize
3.9MB

Download
memory/2840-679-0x00007FF66CAF0000-0x00007FF66CEE1000-memory.dmp

Filesize
3.9MB

Download
memory/2956-440-0x00007FF6BE0A0000-0x00007FF6BE491000-memory.dmp

Filesize
3.9MB

Download
memory/3008-519-0x00007FF6DE0D0000-0x00007FF6DE4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3064-678-0x00007FF78F9C0000-0x00007FF78FDB1000-memory.dmp

Filesize
3.9MB

Download
memory/3088-669-0x00007FF7067D0000-0x00007FF706BC1000-memory.dmp

Filesize
3.9MB

Download
memory/3140-351-0x00007FF6CF8F0000-0x00007FF6CFCE1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-42-0x00007FF652B90000-0x00007FF652F81000-memory.dmp

Filesize
3.9MB

Download
memory/3440-672-0x00007FF6C2F80000-0x00007FF6C3371000-memory.dmp

Filesize
3.9MB

Download
memory/3464-326-0x00007FF6B51F0000-0x00007FF6B55E1000-memory.dmp

Filesize
3.9MB

Download
memory/3512-487-0x00007FF71B120000-0x00007FF71B511000-memory.dmp

Filesize
3.9MB

Download
memory/3524-504-0x00007FF72BFA0000-0x00007FF72C391000-memory.dmp

Filesize
3.9MB

Download
memory/3552-51-0x00007FF747F50000-0x00007FF748341000-memory.dmp

Filesize
3.9MB

Download
memory/3632-673-0x00007FF6A8890000-0x00007FF6A8C81000-memory.dmp

Filesize
3.9MB

Download
memory/3672-304-0x00007FF6CD200000-0x00007FF6CD5F1000-memory.dmp

Filesize
3.9MB

Download
memory/3724-46-0x00007FF6D55D0000-0x00007FF6D59C1000-memory.dmp

Filesize
3.9MB

Download
memory/3828-506-0x00007FF63D280000-0x00007FF63D671000-memory.dmp

Filesize
3.9MB

Download
memory/3840-665-0x00007FF6D2880000-0x00007FF6D2C71000-memory.dmp

Filesize
3.9MB

Download
memory/3924-57-0x00007FF7F1060000-0x00007FF7F1451000-memory.dmp

Filesize
3.9MB

Download
memory/4240-462-0x00007FF738F60000-0x00007FF739351000-memory.dmp

Filesize
3.9MB

Download
memory/4304-514-0x00007FF773500000-0x00007FF7738F1000-memory.dmp

Filesize
3.9MB

Download
memory/4588-14-0x00007FF62C560000-0x00007FF62C951000-memory.dmp

Filesize
3.9MB

Download
memory/4616-475-0x00007FF681B20000-0x00007FF681F11000-memory.dmp

Filesize
3.9MB

Download
memory/4648-367-0x00007FF795810000-0x00007FF795C01000-memory.dmp

Filesize
3.9MB

Download
memory/4796-680-0x00007FF6D4A20000-0x00007FF6D4E11000-memory.dmp

Filesize
3.9MB

Download
memory/4864-484-0x00007FF6A3B50000-0x00007FF6A3F41000-memory.dmp

Filesize
3.9MB

Download
memory/4896-22-0x00007FF739E00000-0x00007FF73A1F1000-memory.dmp

Filesize
3.9MB

Download
memory/4916-380-0x00007FF7D5BC0000-0x00007FF7D5FB1000-memory.dmp

Filesize
3.9MB

Download
memory/4920-414-0x00007FF6AC430000-0x00007FF6AC821000-memory.dmp

Filesize
3.9MB

Download
memory/4960-675-0x00007FF600EE0000-0x00007FF6012D1000-memory.dmp

Filesize
3.9MB

Download
memory/4976-446-0x00007FF728190000-0x00007FF728581000-memory.dmp

Filesize
3.9MB

Download
memory/4980-681-0x00007FF6362E0000-0x00007FF6366D1000-memory.dmp

Filesize
3.9MB

Download
memory/5068-492-0x00007FF76B2E0000-0x00007FF76B6D1000-memory.dmp

Filesize
3.9MB

Download
memory/5072-677-0x00007FF6865B0000-0x00007FF6869A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads