xmrig | c2cdfe0df3732ca086ea8c5485b4d7ffabfc9c719e333ce1cb46a59a1f96b01e

Analysis

max time kernel
55s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
Size

1.2MB
MD5

47c43f81cb2a1efee20c87706cd21b0c
SHA1

3419fb89a39c9081196b5b1297f044ac48838801
SHA256

c2cdfe0df3732ca086ea8c5485b4d7ffabfc9c719e333ce1cb46a59a1f96b01e
SHA512

8f0f63ee57ee8d10a77efc2cfb5ae4decc2508a7eb2b402917cc1339a14de01c2ce3024c94aee8fba0644546a1d193376812ed355a8cf6976634b63380ed8f46
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCej5CnGJIOjfB7:knw9oUUEEDlGUrM5Cn2t

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3564-12-0x00007FF7A10A0000-0x00007FF7A1491000-memory.dmp	xmrig
behavioral2/memory/3900-71-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp	xmrig
behavioral2/memory/4804-285-0x00007FF6E8FF0000-0x00007FF6E93E1000-memory.dmp	xmrig
behavioral2/memory/1776-288-0x00007FF6D2700000-0x00007FF6D2AF1000-memory.dmp	xmrig
behavioral2/memory/3156-289-0x00007FF695270000-0x00007FF695661000-memory.dmp	xmrig
behavioral2/memory/648-296-0x00007FF708710000-0x00007FF708B01000-memory.dmp	xmrig
behavioral2/memory/4188-302-0x00007FF783A20000-0x00007FF783E11000-memory.dmp	xmrig
behavioral2/memory/5108-308-0x00007FF7BF4B0000-0x00007FF7BF8A1000-memory.dmp	xmrig
behavioral2/memory/4584-314-0x00007FF70E1B0000-0x00007FF70E5A1000-memory.dmp	xmrig
behavioral2/memory/1344-312-0x00007FF7BBEE0000-0x00007FF7BC2D1000-memory.dmp	xmrig
behavioral2/memory/3672-326-0x00007FF7A6020000-0x00007FF7A6411000-memory.dmp	xmrig
behavioral2/memory/3292-328-0x00007FF6D5B10000-0x00007FF6D5F01000-memory.dmp	xmrig
behavioral2/memory/748-334-0x00007FF7C2300000-0x00007FF7C26F1000-memory.dmp	xmrig
behavioral2/memory/5092-292-0x00007FF690EF0000-0x00007FF6912E1000-memory.dmp	xmrig
behavioral2/memory/2120-72-0x00007FF77A680000-0x00007FF77AA71000-memory.dmp	xmrig
behavioral2/memory/1276-70-0x00007FF75E080000-0x00007FF75E471000-memory.dmp	xmrig
behavioral2/memory/400-53-0x00007FF6B6B70000-0x00007FF6B6F61000-memory.dmp	xmrig
behavioral2/memory/2488-1373-0x00007FF69F180000-0x00007FF69F571000-memory.dmp	xmrig
behavioral2/memory/4360-1822-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp	xmrig
behavioral2/memory/2068-1820-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp	xmrig
behavioral2/memory/3272-1991-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	xmrig
behavioral2/memory/1132-2008-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp	xmrig
behavioral2/memory/2484-2009-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp	xmrig
behavioral2/memory/4512-2023-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp	xmrig
behavioral2/memory/1276-2026-0x00007FF75E080000-0x00007FF75E471000-memory.dmp	xmrig
behavioral2/memory/3564-2179-0x00007FF7A10A0000-0x00007FF7A1491000-memory.dmp	xmrig
behavioral2/memory/3900-2181-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp	xmrig
behavioral2/memory/2488-2183-0x00007FF69F180000-0x00007FF69F571000-memory.dmp	xmrig
behavioral2/memory/2068-2215-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp	xmrig
behavioral2/memory/4360-2217-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp	xmrig
behavioral2/memory/3272-2219-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	xmrig
behavioral2/memory/400-2221-0x00007FF6B6B70000-0x00007FF6B6F61000-memory.dmp	xmrig
behavioral2/memory/2884-2223-0x00007FF6B94C0000-0x00007FF6B98B1000-memory.dmp	xmrig
behavioral2/memory/2120-2232-0x00007FF77A680000-0x00007FF77AA71000-memory.dmp	xmrig
behavioral2/memory/2484-2231-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp	xmrig
behavioral2/memory/4804-2237-0x00007FF6E8FF0000-0x00007FF6E93E1000-memory.dmp	xmrig
behavioral2/memory/4512-2240-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp	xmrig
behavioral2/memory/4188-2244-0x00007FF783A20000-0x00007FF783E11000-memory.dmp	xmrig
behavioral2/memory/5092-2242-0x00007FF690EF0000-0x00007FF6912E1000-memory.dmp	xmrig
behavioral2/memory/1344-2250-0x00007FF7BBEE0000-0x00007FF7BC2D1000-memory.dmp	xmrig
behavioral2/memory/5108-2248-0x00007FF7BF4B0000-0x00007FF7BF8A1000-memory.dmp	xmrig
behavioral2/memory/4584-2252-0x00007FF70E1B0000-0x00007FF70E5A1000-memory.dmp	xmrig
behavioral2/memory/648-2247-0x00007FF708710000-0x00007FF708B01000-memory.dmp	xmrig
behavioral2/memory/1776-2239-0x00007FF6D2700000-0x00007FF6D2AF1000-memory.dmp	xmrig
behavioral2/memory/3156-2235-0x00007FF695270000-0x00007FF695661000-memory.dmp	xmrig
behavioral2/memory/3292-2260-0x00007FF6D5B10000-0x00007FF6D5F01000-memory.dmp	xmrig
behavioral2/memory/748-2258-0x00007FF7C2300000-0x00007FF7C26F1000-memory.dmp	xmrig
behavioral2/memory/3672-2257-0x00007FF7A6020000-0x00007FF7A6411000-memory.dmp	xmrig
behavioral2/memory/1132-2334-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3564	yZlJUJe.exe
3900	MWMixeV.exe
2488	DlqcvdC.exe
2068	OKaCKXR.exe
4360	rVBASuA.exe
3272	QGpoaHk.exe
2884	doxjyKA.exe
400	ylhlvJB.exe
1132	ndXvTHX.exe
2484	ytGOHSo.exe
2120	cfOTCUU.exe
4512	hWSaKEm.exe
4804	yNvtfuG.exe
1776	NRlplqg.exe
3156	hvoPDnI.exe
5092	aVJNxYA.exe
648	qGHwAvg.exe
4188	pIoQAAE.exe
5108	YDrlKBC.exe
1344	wAfhsVt.exe
4584	pxlvADI.exe
3672	aXyhXvl.exe
3292	bZddQzz.exe
748	IlHJRPD.exe
3320	brbjdkD.exe
4376	dPqvvNk.exe
440	EyRPOOC.exe
860	TgKsHMU.exe
2088	vRZtKYY.exe
1824	JyOvHDF.exe
4664	KqLXBvj.exe
4668	AzFHEtj.exe
4864	AYkfbGN.exe
4928	JkUXPhl.exe
4824	vQnSgne.exe
1960	WrmjAbE.exe
832	xOdewoh.exe
4736	bFjNjcB.exe
5084	VWtYgIa.exe
3400	MujNtsD.exe
4468	lkypLyL.exe
4752	gFAzwnx.exe
2288	QEdqaUi.exe
4152	FfTNDGn.exe
4712	NArzKXM.exe
1388	MRmLCja.exe
2108	UDuBHtN.exe
2676	gwOGfrN.exe
700	TWmlSxS.exe
3756	GncfDtj.exe
3584	VwFRWKm.exe
4604	gsgaPEo.exe
1692	aQTzOJP.exe
4336	nbFpHKW.exe
1904	vOmbqIN.exe
3568	aLpFUcH.exe
1916	ikJJaQu.exe
2848	UAmyTUv.exe
4356	mxzvVwl.exe
2412	raJWegn.exe
228	OGBUKfl.exe
4868	vWAesxw.exe
4740	zTKhVOs.exe
2352	hNBXCKz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1276-0-0x00007FF75E080000-0x00007FF75E471000-memory.dmp	upx
behavioral2/files/0x000700000002327d-5.dat	upx
behavioral2/files/0x0007000000023439-9.dat	upx
behavioral2/memory/3900-16-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp	upx
behavioral2/memory/2488-20-0x00007FF69F180000-0x00007FF69F571000-memory.dmp	upx
behavioral2/files/0x0008000000023438-15.dat	upx
behavioral2/memory/3564-12-0x00007FF7A10A0000-0x00007FF7A1491000-memory.dmp	upx
behavioral2/files/0x000700000002343a-23.dat	upx
behavioral2/files/0x000700000002343b-29.dat	upx
behavioral2/files/0x0008000000023436-36.dat	upx
behavioral2/files/0x000700000002343c-35.dat	upx
behavioral2/memory/4360-39-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp	upx
behavioral2/files/0x000700000002343d-49.dat	upx
behavioral2/memory/1132-57-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp	upx
behavioral2/memory/2484-61-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp	upx
behavioral2/files/0x0007000000023440-64.dat	upx
behavioral2/files/0x0007000000023441-67.dat	upx
behavioral2/memory/3900-71-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp	upx
behavioral2/files/0x0007000000023443-79.dat	upx
behavioral2/files/0x0007000000023448-104.dat	upx
behavioral2/files/0x000700000002344b-119.dat	upx
behavioral2/files/0x000700000002344d-129.dat	upx
behavioral2/files/0x000700000002344f-139.dat	upx
behavioral2/files/0x0007000000023453-159.dat	upx
behavioral2/memory/4804-285-0x00007FF6E8FF0000-0x00007FF6E93E1000-memory.dmp	upx
behavioral2/memory/1776-288-0x00007FF6D2700000-0x00007FF6D2AF1000-memory.dmp	upx
behavioral2/memory/3156-289-0x00007FF695270000-0x00007FF695661000-memory.dmp	upx
behavioral2/memory/648-296-0x00007FF708710000-0x00007FF708B01000-memory.dmp	upx
behavioral2/memory/4188-302-0x00007FF783A20000-0x00007FF783E11000-memory.dmp	upx
behavioral2/memory/5108-308-0x00007FF7BF4B0000-0x00007FF7BF8A1000-memory.dmp	upx
behavioral2/memory/4584-314-0x00007FF70E1B0000-0x00007FF70E5A1000-memory.dmp	upx
behavioral2/memory/1344-312-0x00007FF7BBEE0000-0x00007FF7BC2D1000-memory.dmp	upx
behavioral2/memory/3672-326-0x00007FF7A6020000-0x00007FF7A6411000-memory.dmp	upx
behavioral2/memory/3292-328-0x00007FF6D5B10000-0x00007FF6D5F01000-memory.dmp	upx
behavioral2/memory/748-334-0x00007FF7C2300000-0x00007FF7C26F1000-memory.dmp	upx
behavioral2/memory/5092-292-0x00007FF690EF0000-0x00007FF6912E1000-memory.dmp	upx
behavioral2/files/0x0007000000023456-174.dat	upx
behavioral2/files/0x0007000000023455-172.dat	upx
behavioral2/files/0x0007000000023454-164.dat	upx
behavioral2/files/0x0007000000023452-157.dat	upx
behavioral2/files/0x0007000000023451-149.dat	upx
behavioral2/files/0x0007000000023450-144.dat	upx
behavioral2/files/0x000700000002344e-134.dat	upx
behavioral2/files/0x000700000002344c-124.dat	upx
behavioral2/files/0x000700000002344a-114.dat	upx
behavioral2/files/0x0007000000023449-109.dat	upx
behavioral2/files/0x0007000000023447-99.dat	upx
behavioral2/files/0x0007000000023446-94.dat	upx
behavioral2/files/0x0007000000023445-89.dat	upx
behavioral2/files/0x0007000000023444-84.dat	upx
behavioral2/memory/4512-74-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp	upx
behavioral2/memory/2120-72-0x00007FF77A680000-0x00007FF77AA71000-memory.dmp	upx
behavioral2/memory/1276-70-0x00007FF75E080000-0x00007FF75E471000-memory.dmp	upx
behavioral2/files/0x000700000002343f-63.dat	upx
behavioral2/files/0x000700000002343e-60.dat	upx
behavioral2/memory/400-53-0x00007FF6B6B70000-0x00007FF6B6F61000-memory.dmp	upx
behavioral2/memory/3272-43-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	upx
behavioral2/memory/2884-41-0x00007FF6B94C0000-0x00007FF6B98B1000-memory.dmp	upx
behavioral2/memory/2068-32-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp	upx
behavioral2/memory/2488-1373-0x00007FF69F180000-0x00007FF69F571000-memory.dmp	upx
behavioral2/memory/4360-1822-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp	upx
behavioral2/memory/2068-1820-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp	upx
behavioral2/memory/3272-1991-0x00007FF67E530000-0x00007FF67E921000-memory.dmp	upx
behavioral2/memory/1132-2008-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\RyMrnyz.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\zAyNzWy.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\HYscdsj.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\mpdlXPg.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\wzfJrsh.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\ObHAaJH.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\hvoPDnI.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\blrwkaF.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\TbNrHOi.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\cfOTCUU.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\yNvtfuG.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\iSRQpRt.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\RQLGBhI.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\NRlplqg.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\vuYlIQz.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\xraOdoJ.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\aVIclht.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\azthRPQ.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\gFoTvik.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\pQxAdeW.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\kaFeVPa.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\KsghsFG.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\WAizdAv.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\yXijHMh.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\HKLStwt.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\rPKUGCh.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\kcOELra.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\RuTlEHe.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\GrRtMBK.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\CBxhAsX.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\hMTDzJD.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\cpokBYj.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\WxuHyWu.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\dKRwnTR.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\zAYPFLw.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\fZTWgPX.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\AYyAXCk.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\KqLXBvj.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\MujNtsD.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\VoGsinH.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\nlxqatL.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\aARiSyS.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\wepJXDj.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\IHDyIWx.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\KqiSFEV.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\aQTzOJP.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\hDINTwd.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\cBCgwNh.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\sTtzJUj.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\xTgiYcI.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\AbrcXzD.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\vaBecXD.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\pIYZDTF.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\MveMMNi.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\cUXLWMD.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\ndRTqIY.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\PvXTERG.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\ylhlvJB.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\dALQOKv.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\fqobzyN.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\vBqKjGG.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\kOeuONl.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\aAMtouW.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
File created	C:\Windows\System32\yiMRUlB.exe	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{F555633D-A84A-4697-9F9B-DD4E2F002046}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{1EDDFE34-71C2-490F-98A0-D3546FDD7D19}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{57E4ED73-63E6-482A-8A0D-8B3F96917B2D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{C7D0D771-6659-47A9-8AE8-8E32656EA579}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	14060	explorer.exe
Token: SeCreatePagefilePrivilege	14060	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe
Token: SeShutdownPrivilege	2400	explorer.exe
Token: SeCreatePagefilePrivilege	2400	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
13680	sihost.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
14060	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
2400	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8536	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe
8936	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4300	StartMenuExperienceHost.exe
4420	StartMenuExperienceHost.exe
14080	SearchApp.exe
6820	StartMenuExperienceHost.exe
7152	StartMenuExperienceHost.exe
4460	SearchApp.exe
3592	StartMenuExperienceHost.exe
13560	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3564	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	83
PID 1276 wrote to memory of 3564	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	83
PID 1276 wrote to memory of 3900	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	84
PID 1276 wrote to memory of 3900	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	84
PID 1276 wrote to memory of 2488	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	85
PID 1276 wrote to memory of 2488	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	85
PID 1276 wrote to memory of 2068	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	86
PID 1276 wrote to memory of 2068	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	86
PID 1276 wrote to memory of 4360	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	87
PID 1276 wrote to memory of 4360	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	87
PID 1276 wrote to memory of 3272	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	88
PID 1276 wrote to memory of 3272	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	88
PID 1276 wrote to memory of 2884	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	89
PID 1276 wrote to memory of 2884	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	89
PID 1276 wrote to memory of 400	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	90
PID 1276 wrote to memory of 400	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	90
PID 1276 wrote to memory of 1132	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	91
PID 1276 wrote to memory of 1132	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	91
PID 1276 wrote to memory of 2484	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	92
PID 1276 wrote to memory of 2484	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	92
PID 1276 wrote to memory of 2120	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	93
PID 1276 wrote to memory of 2120	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	93
PID 1276 wrote to memory of 4512	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	94
PID 1276 wrote to memory of 4512	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	94
PID 1276 wrote to memory of 4804	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	95
PID 1276 wrote to memory of 4804	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	95
PID 1276 wrote to memory of 1776	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	96
PID 1276 wrote to memory of 1776	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	96
PID 1276 wrote to memory of 3156	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	97
PID 1276 wrote to memory of 3156	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	97
PID 1276 wrote to memory of 5092	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	98
PID 1276 wrote to memory of 5092	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	98
PID 1276 wrote to memory of 648	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	99
PID 1276 wrote to memory of 648	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	99
PID 1276 wrote to memory of 4188	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	100
PID 1276 wrote to memory of 4188	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	100
PID 1276 wrote to memory of 5108	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	101
PID 1276 wrote to memory of 5108	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	101
PID 1276 wrote to memory of 1344	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	102
PID 1276 wrote to memory of 1344	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	102
PID 1276 wrote to memory of 4584	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	103
PID 1276 wrote to memory of 4584	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	103
PID 1276 wrote to memory of 3672	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	104
PID 1276 wrote to memory of 3672	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	104
PID 1276 wrote to memory of 3292	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	105
PID 1276 wrote to memory of 3292	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	105
PID 1276 wrote to memory of 748	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	106
PID 1276 wrote to memory of 748	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	106
PID 1276 wrote to memory of 3320	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	107
PID 1276 wrote to memory of 3320	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	107
PID 1276 wrote to memory of 4376	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	108
PID 1276 wrote to memory of 4376	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	108
PID 1276 wrote to memory of 440	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	109
PID 1276 wrote to memory of 440	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	109
PID 1276 wrote to memory of 860	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	110
PID 1276 wrote to memory of 860	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	110
PID 1276 wrote to memory of 2088	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	111
PID 1276 wrote to memory of 2088	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	111
PID 1276 wrote to memory of 1824	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	112
PID 1276 wrote to memory of 1824	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	112
PID 1276 wrote to memory of 4664	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	113
PID 1276 wrote to memory of 4664	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	113
PID 1276 wrote to memory of 4668	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	114
PID 1276 wrote to memory of 4668	1276	47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47c43f81cb2a1efee20c87706cd21b0c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\System32\yZlJUJe.exe
  C:\Windows\System32\yZlJUJe.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\MWMixeV.exe
  C:\Windows\System32\MWMixeV.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\DlqcvdC.exe
  C:\Windows\System32\DlqcvdC.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\OKaCKXR.exe
  C:\Windows\System32\OKaCKXR.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\rVBASuA.exe
  C:\Windows\System32\rVBASuA.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\QGpoaHk.exe
  C:\Windows\System32\QGpoaHk.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\doxjyKA.exe
  C:\Windows\System32\doxjyKA.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\ylhlvJB.exe
  C:\Windows\System32\ylhlvJB.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\ndXvTHX.exe
  C:\Windows\System32\ndXvTHX.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System32\ytGOHSo.exe
  C:\Windows\System32\ytGOHSo.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\cfOTCUU.exe
  C:\Windows\System32\cfOTCUU.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\hWSaKEm.exe
  C:\Windows\System32\hWSaKEm.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\yNvtfuG.exe
  C:\Windows\System32\yNvtfuG.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\NRlplqg.exe
  C:\Windows\System32\NRlplqg.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System32\hvoPDnI.exe
  C:\Windows\System32\hvoPDnI.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\aVJNxYA.exe
  C:\Windows\System32\aVJNxYA.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\qGHwAvg.exe
  C:\Windows\System32\qGHwAvg.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System32\pIoQAAE.exe
  C:\Windows\System32\pIoQAAE.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\YDrlKBC.exe
  C:\Windows\System32\YDrlKBC.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\wAfhsVt.exe
  C:\Windows\System32\wAfhsVt.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\pxlvADI.exe
  C:\Windows\System32\pxlvADI.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\aXyhXvl.exe
  C:\Windows\System32\aXyhXvl.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\bZddQzz.exe
  C:\Windows\System32\bZddQzz.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\IlHJRPD.exe
  C:\Windows\System32\IlHJRPD.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\brbjdkD.exe
  C:\Windows\System32\brbjdkD.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\dPqvvNk.exe
  C:\Windows\System32\dPqvvNk.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\EyRPOOC.exe
  C:\Windows\System32\EyRPOOC.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\TgKsHMU.exe
  C:\Windows\System32\TgKsHMU.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\vRZtKYY.exe
  C:\Windows\System32\vRZtKYY.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\JyOvHDF.exe
  C:\Windows\System32\JyOvHDF.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\KqLXBvj.exe
  C:\Windows\System32\KqLXBvj.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System32\AzFHEtj.exe
  C:\Windows\System32\AzFHEtj.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\AYkfbGN.exe
  C:\Windows\System32\AYkfbGN.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\JkUXPhl.exe
  C:\Windows\System32\JkUXPhl.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\vQnSgne.exe
  C:\Windows\System32\vQnSgne.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\WrmjAbE.exe
  C:\Windows\System32\WrmjAbE.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System32\xOdewoh.exe
  C:\Windows\System32\xOdewoh.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\bFjNjcB.exe
  C:\Windows\System32\bFjNjcB.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\VWtYgIa.exe
  C:\Windows\System32\VWtYgIa.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\MujNtsD.exe
  C:\Windows\System32\MujNtsD.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\lkypLyL.exe
  C:\Windows\System32\lkypLyL.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\gFAzwnx.exe
  C:\Windows\System32\gFAzwnx.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\QEdqaUi.exe
  C:\Windows\System32\QEdqaUi.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\FfTNDGn.exe
  C:\Windows\System32\FfTNDGn.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\NArzKXM.exe
  C:\Windows\System32\NArzKXM.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\MRmLCja.exe
  C:\Windows\System32\MRmLCja.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System32\UDuBHtN.exe
  C:\Windows\System32\UDuBHtN.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\gwOGfrN.exe
  C:\Windows\System32\gwOGfrN.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System32\TWmlSxS.exe
  C:\Windows\System32\TWmlSxS.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System32\GncfDtj.exe
  C:\Windows\System32\GncfDtj.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System32\VwFRWKm.exe
  C:\Windows\System32\VwFRWKm.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\gsgaPEo.exe
  C:\Windows\System32\gsgaPEo.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System32\aQTzOJP.exe
  C:\Windows\System32\aQTzOJP.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System32\nbFpHKW.exe
  C:\Windows\System32\nbFpHKW.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System32\vOmbqIN.exe
  C:\Windows\System32\vOmbqIN.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\aLpFUcH.exe
  C:\Windows\System32\aLpFUcH.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\ikJJaQu.exe
  C:\Windows\System32\ikJJaQu.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\UAmyTUv.exe
  C:\Windows\System32\UAmyTUv.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System32\mxzvVwl.exe
  C:\Windows\System32\mxzvVwl.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\raJWegn.exe
  C:\Windows\System32\raJWegn.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System32\OGBUKfl.exe
  C:\Windows\System32\OGBUKfl.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\vWAesxw.exe
  C:\Windows\System32\vWAesxw.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\zTKhVOs.exe
  C:\Windows\System32\zTKhVOs.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\hNBXCKz.exe
  C:\Windows\System32\hNBXCKz.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\HXxFqOo.exe
  C:\Windows\System32\HXxFqOo.exe
  2⤵
  PID:1380
- C:\Windows\System32\WRtlMFg.exe
  C:\Windows\System32\WRtlMFg.exe
  2⤵
  PID:1356
- C:\Windows\System32\rvoLlSs.exe
  C:\Windows\System32\rvoLlSs.exe
  2⤵
  PID:2808
- C:\Windows\System32\kQojHor.exe
  C:\Windows\System32\kQojHor.exe
  2⤵
  PID:3348
- C:\Windows\System32\uZLhkGY.exe
  C:\Windows\System32\uZLhkGY.exe
  2⤵
  PID:1384
- C:\Windows\System32\wnrpIWD.exe
  C:\Windows\System32\wnrpIWD.exe
  2⤵
  PID:368
- C:\Windows\System32\eCqqZAK.exe
  C:\Windows\System32\eCqqZAK.exe
  2⤵
  PID:2044
- C:\Windows\System32\Ulzmomm.exe
  C:\Windows\System32\Ulzmomm.exe
  2⤵
  PID:3592
- C:\Windows\System32\pLszXxN.exe
  C:\Windows\System32\pLszXxN.exe
  2⤵
  PID:4316
- C:\Windows\System32\TCXkYGz.exe
  C:\Windows\System32\TCXkYGz.exe
  2⤵
  PID:3404
- C:\Windows\System32\msIvrom.exe
  C:\Windows\System32\msIvrom.exe
  2⤵
  PID:2752
- C:\Windows\System32\ULlNQTg.exe
  C:\Windows\System32\ULlNQTg.exe
  2⤵
  PID:4452
- C:\Windows\System32\hDINTwd.exe
  C:\Windows\System32\hDINTwd.exe
  2⤵
  PID:4536
- C:\Windows\System32\pWGtYdq.exe
  C:\Windows\System32\pWGtYdq.exe
  2⤵
  PID:4456
- C:\Windows\System32\iVcZiFc.exe
  C:\Windows\System32\iVcZiFc.exe
  2⤵
  PID:1600
- C:\Windows\System32\QNMsgiK.exe
  C:\Windows\System32\QNMsgiK.exe
  2⤵
  PID:4216
- C:\Windows\System32\vIlHfFb.exe
  C:\Windows\System32\vIlHfFb.exe
  2⤵
  PID:2512
- C:\Windows\System32\MRfjKYH.exe
  C:\Windows\System32\MRfjKYH.exe
  2⤵
  PID:4252
- C:\Windows\System32\PIhKOZa.exe
  C:\Windows\System32\PIhKOZa.exe
  2⤵
  PID:1200
- C:\Windows\System32\LVFnLMG.exe
  C:\Windows\System32\LVFnLMG.exe
  2⤵
  PID:964
- C:\Windows\System32\PMLrYkf.exe
  C:\Windows\System32\PMLrYkf.exe
  2⤵
  PID:1664
- C:\Windows\System32\AcPpGHh.exe
  C:\Windows\System32\AcPpGHh.exe
  2⤵
  PID:3004
- C:\Windows\System32\gYuRlPL.exe
  C:\Windows\System32\gYuRlPL.exe
  2⤵
  PID:4100
- C:\Windows\System32\rVKBuyv.exe
  C:\Windows\System32\rVKBuyv.exe
  2⤵
  PID:2368
- C:\Windows\System32\pHggPMw.exe
  C:\Windows\System32\pHggPMw.exe
  2⤵
  PID:2900
- C:\Windows\System32\HFFixTg.exe
  C:\Windows\System32\HFFixTg.exe
  2⤵
  PID:1464
- C:\Windows\System32\MduYoss.exe
  C:\Windows\System32\MduYoss.exe
  2⤵
  PID:4760
- C:\Windows\System32\VhkQjRI.exe
  C:\Windows\System32\VhkQjRI.exe
  2⤵
  PID:4924
- C:\Windows\System32\bkTJCMy.exe
  C:\Windows\System32\bkTJCMy.exe
  2⤵
  PID:2144
- C:\Windows\System32\FwPHZBq.exe
  C:\Windows\System32\FwPHZBq.exe
  2⤵
  PID:1816
- C:\Windows\System32\pQSJtNE.exe
  C:\Windows\System32\pQSJtNE.exe
  2⤵
  PID:4032
- C:\Windows\System32\azthRPQ.exe
  C:\Windows\System32\azthRPQ.exe
  2⤵
  PID:3280
- C:\Windows\System32\VcfEJHL.exe
  C:\Windows\System32\VcfEJHL.exe
  2⤵
  PID:3764
- C:\Windows\System32\XPaVyFB.exe
  C:\Windows\System32\XPaVyFB.exe
  2⤵
  PID:4312
- C:\Windows\System32\ACuczdq.exe
  C:\Windows\System32\ACuczdq.exe
  2⤵
  PID:5140
- C:\Windows\System32\EYXhdQG.exe
  C:\Windows\System32\EYXhdQG.exe
  2⤵
  PID:5208
- C:\Windows\System32\hDFPpzd.exe
  C:\Windows\System32\hDFPpzd.exe
  2⤵
  PID:5252
- C:\Windows\System32\zAYPFLw.exe
  C:\Windows\System32\zAYPFLw.exe
  2⤵
  PID:5292
- C:\Windows\System32\fdnDZoy.exe
  C:\Windows\System32\fdnDZoy.exe
  2⤵
  PID:5320
- C:\Windows\System32\yFlUwCV.exe
  C:\Windows\System32\yFlUwCV.exe
  2⤵
  PID:5344
- C:\Windows\System32\hjxZJGX.exe
  C:\Windows\System32\hjxZJGX.exe
  2⤵
  PID:5384
- C:\Windows\System32\uQAlVKQ.exe
  C:\Windows\System32\uQAlVKQ.exe
  2⤵
  PID:5408
- C:\Windows\System32\gPSGmHf.exe
  C:\Windows\System32\gPSGmHf.exe
  2⤵
  PID:5428
- C:\Windows\System32\hALPbTj.exe
  C:\Windows\System32\hALPbTj.exe
  2⤵
  PID:5452
- C:\Windows\System32\UBJyPSc.exe
  C:\Windows\System32\UBJyPSc.exe
  2⤵
  PID:5504
- C:\Windows\System32\xfxaUcW.exe
  C:\Windows\System32\xfxaUcW.exe
  2⤵
  PID:5544
- C:\Windows\System32\LsasiCG.exe
  C:\Windows\System32\LsasiCG.exe
  2⤵
  PID:5568
- C:\Windows\System32\QqkpsXW.exe
  C:\Windows\System32\QqkpsXW.exe
  2⤵
  PID:5592
- C:\Windows\System32\CvgidqF.exe
  C:\Windows\System32\CvgidqF.exe
  2⤵
  PID:5628
- C:\Windows\System32\dALQOKv.exe
  C:\Windows\System32\dALQOKv.exe
  2⤵
  PID:5644
- C:\Windows\System32\IFPdiDn.exe
  C:\Windows\System32\IFPdiDn.exe
  2⤵
  PID:5680
- C:\Windows\System32\mjyuanm.exe
  C:\Windows\System32\mjyuanm.exe
  2⤵
  PID:5720
- C:\Windows\System32\qtkgSsm.exe
  C:\Windows\System32\qtkgSsm.exe
  2⤵
  PID:5764
- C:\Windows\System32\xLRGfSS.exe
  C:\Windows\System32\xLRGfSS.exe
  2⤵
  PID:5784
- C:\Windows\System32\tvsCZKP.exe
  C:\Windows\System32\tvsCZKP.exe
  2⤵
  PID:5800
- C:\Windows\System32\lPgZSbp.exe
  C:\Windows\System32\lPgZSbp.exe
  2⤵
  PID:5820
- C:\Windows\System32\JdrJyeA.exe
  C:\Windows\System32\JdrJyeA.exe
  2⤵
  PID:5836
- C:\Windows\System32\BZERoWO.exe
  C:\Windows\System32\BZERoWO.exe
  2⤵
  PID:5896
- C:\Windows\System32\ceKcuRS.exe
  C:\Windows\System32\ceKcuRS.exe
  2⤵
  PID:5924
- C:\Windows\System32\ulZpwPG.exe
  C:\Windows\System32\ulZpwPG.exe
  2⤵
  PID:5948
- C:\Windows\System32\DrrzeTc.exe
  C:\Windows\System32\DrrzeTc.exe
  2⤵
  PID:5964
- C:\Windows\System32\opHukYP.exe
  C:\Windows\System32\opHukYP.exe
  2⤵
  PID:5992
- C:\Windows\System32\lcMTtQd.exe
  C:\Windows\System32\lcMTtQd.exe
  2⤵
  PID:6020
- C:\Windows\System32\tjTxKXz.exe
  C:\Windows\System32\tjTxKXz.exe
  2⤵
  PID:6060
- C:\Windows\System32\bCfHUPq.exe
  C:\Windows\System32\bCfHUPq.exe
  2⤵
  PID:6088
- C:\Windows\System32\MpLwkBG.exe
  C:\Windows\System32\MpLwkBG.exe
  2⤵
  PID:6108
- C:\Windows\System32\ctgnxdi.exe
  C:\Windows\System32\ctgnxdi.exe
  2⤵
  PID:6136
- C:\Windows\System32\lIIenwh.exe
  C:\Windows\System32\lIIenwh.exe
  2⤵
  PID:912
- C:\Windows\System32\sIqakks.exe
  C:\Windows\System32\sIqakks.exe
  2⤵
  PID:4204
- C:\Windows\System32\rNDEecG.exe
  C:\Windows\System32\rNDEecG.exe
  2⤵
  PID:5180
- C:\Windows\System32\diiIQKx.exe
  C:\Windows\System32\diiIQKx.exe
  2⤵
  PID:5224
- C:\Windows\System32\yQVjMtZ.exe
  C:\Windows\System32\yQVjMtZ.exe
  2⤵
  PID:5336
- C:\Windows\System32\WzAicXD.exe
  C:\Windows\System32\WzAicXD.exe
  2⤵
  PID:5368
- C:\Windows\System32\TjCDgoI.exe
  C:\Windows\System32\TjCDgoI.exe
  2⤵
  PID:1712
- C:\Windows\System32\YIcrKla.exe
  C:\Windows\System32\YIcrKla.exe
  2⤵
  PID:5516
- C:\Windows\System32\WxuHyWu.exe
  C:\Windows\System32\WxuHyWu.exe
  2⤵
  PID:5540
- C:\Windows\System32\kraWusi.exe
  C:\Windows\System32\kraWusi.exe
  2⤵
  PID:5360
- C:\Windows\System32\ocHQgER.exe
  C:\Windows\System32\ocHQgER.exe
  2⤵
  PID:3176
- C:\Windows\System32\wgHNxyl.exe
  C:\Windows\System32\wgHNxyl.exe
  2⤵
  PID:5696
- C:\Windows\System32\GMlPlaz.exe
  C:\Windows\System32\GMlPlaz.exe
  2⤵
  PID:5828
- C:\Windows\System32\traFKKK.exe
  C:\Windows\System32\traFKKK.exe
  2⤵
  PID:5816
- C:\Windows\System32\XhKbiSl.exe
  C:\Windows\System32\XhKbiSl.exe
  2⤵
  PID:1348
- C:\Windows\System32\vwsNnPx.exe
  C:\Windows\System32\vwsNnPx.exe
  2⤵
  PID:6000
- C:\Windows\System32\gTGZLgk.exe
  C:\Windows\System32\gTGZLgk.exe
  2⤵
  PID:6072
- C:\Windows\System32\uLmUzaJ.exe
  C:\Windows\System32\uLmUzaJ.exe
  2⤵
  PID:6128
- C:\Windows\System32\tzqkJTC.exe
  C:\Windows\System32\tzqkJTC.exe
  2⤵
  PID:5164
- C:\Windows\System32\byuAizU.exe
  C:\Windows\System32\byuAizU.exe
  2⤵
  PID:5288
- C:\Windows\System32\GZOHBCC.exe
  C:\Windows\System32\GZOHBCC.exe
  2⤵
  PID:5436
- C:\Windows\System32\VdHPJTV.exe
  C:\Windows\System32\VdHPJTV.exe
  2⤵
  PID:5468
- C:\Windows\System32\RraKpEq.exe
  C:\Windows\System32\RraKpEq.exe
  2⤵
  PID:2320
- C:\Windows\System32\wzfJrsh.exe
  C:\Windows\System32\wzfJrsh.exe
  2⤵
  PID:4576
- C:\Windows\System32\ydZqPSN.exe
  C:\Windows\System32\ydZqPSN.exe
  2⤵
  PID:5692
- C:\Windows\System32\YRSurlk.exe
  C:\Windows\System32\YRSurlk.exe
  2⤵
  PID:5776
- C:\Windows\System32\DgoXCVH.exe
  C:\Windows\System32\DgoXCVH.exe
  2⤵
  PID:5956
- C:\Windows\System32\KzAhKXT.exe
  C:\Windows\System32\KzAhKXT.exe
  2⤵
  PID:6076
- C:\Windows\System32\sShYhPD.exe
  C:\Windows\System32\sShYhPD.exe
  2⤵
  PID:4776
- C:\Windows\System32\bqRAPbq.exe
  C:\Windows\System32\bqRAPbq.exe
  2⤵
  PID:5380
- C:\Windows\System32\SCMTkiR.exe
  C:\Windows\System32\SCMTkiR.exe
  2⤵
  PID:5844
- C:\Windows\System32\oAeelUo.exe
  C:\Windows\System32\oAeelUo.exe
  2⤵
  PID:5564
- C:\Windows\System32\HKLStwt.exe
  C:\Windows\System32\HKLStwt.exe
  2⤵
  PID:5304
- C:\Windows\System32\GQnMNUg.exe
  C:\Windows\System32\GQnMNUg.exe
  2⤵
  PID:6180
- C:\Windows\System32\gFoTvik.exe
  C:\Windows\System32\gFoTvik.exe
  2⤵
  PID:6236
- C:\Windows\System32\cCVwyAf.exe
  C:\Windows\System32\cCVwyAf.exe
  2⤵
  PID:6284
- C:\Windows\System32\cgAckaK.exe
  C:\Windows\System32\cgAckaK.exe
  2⤵
  PID:6304
- C:\Windows\System32\uICbPFh.exe
  C:\Windows\System32\uICbPFh.exe
  2⤵
  PID:6324
- C:\Windows\System32\dKRwnTR.exe
  C:\Windows\System32\dKRwnTR.exe
  2⤵
  PID:6352
- C:\Windows\System32\shUDUrb.exe
  C:\Windows\System32\shUDUrb.exe
  2⤵
  PID:6368
- C:\Windows\System32\PviMHMF.exe
  C:\Windows\System32\PviMHMF.exe
  2⤵
  PID:6408
- C:\Windows\System32\kijFfqj.exe
  C:\Windows\System32\kijFfqj.exe
  2⤵
  PID:6464
- C:\Windows\System32\hmkAZxk.exe
  C:\Windows\System32\hmkAZxk.exe
  2⤵
  PID:6480
- C:\Windows\System32\ZOFidjr.exe
  C:\Windows\System32\ZOFidjr.exe
  2⤵
  PID:6516
- C:\Windows\System32\oMnVEKD.exe
  C:\Windows\System32\oMnVEKD.exe
  2⤵
  PID:6556
- C:\Windows\System32\bRdhosK.exe
  C:\Windows\System32\bRdhosK.exe
  2⤵
  PID:6580
- C:\Windows\System32\kYjXvsj.exe
  C:\Windows\System32\kYjXvsj.exe
  2⤵
  PID:6604
- C:\Windows\System32\TRGutmY.exe
  C:\Windows\System32\TRGutmY.exe
  2⤵
  PID:6632
- C:\Windows\System32\egHIyiN.exe
  C:\Windows\System32\egHIyiN.exe
  2⤵
  PID:6660
- C:\Windows\System32\fSGsUFk.exe
  C:\Windows\System32\fSGsUFk.exe
  2⤵
  PID:6688
- C:\Windows\System32\ZIEOGZM.exe
  C:\Windows\System32\ZIEOGZM.exe
  2⤵
  PID:6716
- C:\Windows\System32\BxOsQkC.exe
  C:\Windows\System32\BxOsQkC.exe
  2⤵
  PID:6760
- C:\Windows\System32\kbZUPsm.exe
  C:\Windows\System32\kbZUPsm.exe
  2⤵
  PID:6776
- C:\Windows\System32\KTErTYM.exe
  C:\Windows\System32\KTErTYM.exe
  2⤵
  PID:6796
- C:\Windows\System32\VBDNYxo.exe
  C:\Windows\System32\VBDNYxo.exe
  2⤵
  PID:6840
- C:\Windows\System32\iCKSgoL.exe
  C:\Windows\System32\iCKSgoL.exe
  2⤵
  PID:6856
- C:\Windows\System32\QZXzPKd.exe
  C:\Windows\System32\QZXzPKd.exe
  2⤵
  PID:6880
- C:\Windows\System32\TBHSRZj.exe
  C:\Windows\System32\TBHSRZj.exe
  2⤵
  PID:6908
- C:\Windows\System32\bhqtgCy.exe
  C:\Windows\System32\bhqtgCy.exe
  2⤵
  PID:6928
- C:\Windows\System32\ROWVGKc.exe
  C:\Windows\System32\ROWVGKc.exe
  2⤵
  PID:6960
- C:\Windows\System32\pULsNiG.exe
  C:\Windows\System32\pULsNiG.exe
  2⤵
  PID:7004
- C:\Windows\System32\BPJgafS.exe
  C:\Windows\System32\BPJgafS.exe
  2⤵
  PID:7024
- C:\Windows\System32\bLexGbH.exe
  C:\Windows\System32\bLexGbH.exe
  2⤵
  PID:7048
- C:\Windows\System32\UmsMTRy.exe
  C:\Windows\System32\UmsMTRy.exe
  2⤵
  PID:7068
- C:\Windows\System32\jVwdYUB.exe
  C:\Windows\System32\jVwdYUB.exe
  2⤵
  PID:7084
- C:\Windows\System32\vfKlbHe.exe
  C:\Windows\System32\vfKlbHe.exe
  2⤵
  PID:7104
- C:\Windows\System32\fZTWgPX.exe
  C:\Windows\System32\fZTWgPX.exe
  2⤵
  PID:7160
- C:\Windows\System32\bkFBvsU.exe
  C:\Windows\System32\bkFBvsU.exe
  2⤵
  PID:6152
- C:\Windows\System32\AOtVBBE.exe
  C:\Windows\System32\AOtVBBE.exe
  2⤵
  PID:6252
- C:\Windows\System32\NpvjkZL.exe
  C:\Windows\System32\NpvjkZL.exe
  2⤵
  PID:6228
- C:\Windows\System32\jDNSGwl.exe
  C:\Windows\System32\jDNSGwl.exe
  2⤵
  PID:6364
- C:\Windows\System32\GogxYAJ.exe
  C:\Windows\System32\GogxYAJ.exe
  2⤵
  PID:6312
- C:\Windows\System32\dwGzgtW.exe
  C:\Windows\System32\dwGzgtW.exe
  2⤵
  PID:6504
- C:\Windows\System32\rsxLeVH.exe
  C:\Windows\System32\rsxLeVH.exe
  2⤵
  PID:6552
- C:\Windows\System32\wcvZkul.exe
  C:\Windows\System32\wcvZkul.exe
  2⤵
  PID:6568
- C:\Windows\System32\hBKcMfr.exe
  C:\Windows\System32\hBKcMfr.exe
  2⤵
  PID:6592
- C:\Windows\System32\kcOELra.exe
  C:\Windows\System32\kcOELra.exe
  2⤵
  PID:6700
- C:\Windows\System32\txTCxnn.exe
  C:\Windows\System32\txTCxnn.exe
  2⤵
  PID:6772
- C:\Windows\System32\XcqbkRu.exe
  C:\Windows\System32\XcqbkRu.exe
  2⤵
  PID:6828
- C:\Windows\System32\eIrEnvr.exe
  C:\Windows\System32\eIrEnvr.exe
  2⤵
  PID:6920
- C:\Windows\System32\rinBKWD.exe
  C:\Windows\System32\rinBKWD.exe
  2⤵
  PID:6896
- C:\Windows\System32\lujlwKm.exe
  C:\Windows\System32\lujlwKm.exe
  2⤵
  PID:6968
- C:\Windows\System32\gvFZFuA.exe
  C:\Windows\System32\gvFZFuA.exe
  2⤵
  PID:7076
- C:\Windows\System32\UhpJPWO.exe
  C:\Windows\System32\UhpJPWO.exe
  2⤵
  PID:7120
- C:\Windows\System32\CpLRuDB.exe
  C:\Windows\System32\CpLRuDB.exe
  2⤵
  PID:5472
- C:\Windows\System32\IkOVnDz.exe
  C:\Windows\System32\IkOVnDz.exe
  2⤵
  PID:2080
- C:\Windows\System32\sNniAaE.exe
  C:\Windows\System32\sNniAaE.exe
  2⤵
  PID:6332
- C:\Windows\System32\BNqDdVZ.exe
  C:\Windows\System32\BNqDdVZ.exe
  2⤵
  PID:6344
- C:\Windows\System32\pKVzfej.exe
  C:\Windows\System32\pKVzfej.exe
  2⤵
  PID:6572
- C:\Windows\System32\ETHXzDE.exe
  C:\Windows\System32\ETHXzDE.exe
  2⤵
  PID:6748
- C:\Windows\System32\TZQhwqF.exe
  C:\Windows\System32\TZQhwqF.exe
  2⤵
  PID:6980
- C:\Windows\System32\ZApHCdS.exe
  C:\Windows\System32\ZApHCdS.exe
  2⤵
  PID:7020
- C:\Windows\System32\aVrPSFi.exe
  C:\Windows\System32\aVrPSFi.exe
  2⤵
  PID:6212
- C:\Windows\System32\IWfmVvi.exe
  C:\Windows\System32\IWfmVvi.exe
  2⤵
  PID:6492
- C:\Windows\System32\MlAiLJU.exe
  C:\Windows\System32\MlAiLJU.exe
  2⤵
  PID:7092
- C:\Windows\System32\sprVUNe.exe
  C:\Windows\System32\sprVUNe.exe
  2⤵
  PID:6360
- C:\Windows\System32\VfCOqPy.exe
  C:\Windows\System32\VfCOqPy.exe
  2⤵
  PID:6824
- C:\Windows\System32\PMZHeqy.exe
  C:\Windows\System32\PMZHeqy.exe
  2⤵
  PID:7176
- C:\Windows\System32\oQcWmYS.exe
  C:\Windows\System32\oQcWmYS.exe
  2⤵
  PID:7196
- C:\Windows\System32\PEeYrHN.exe
  C:\Windows\System32\PEeYrHN.exe
  2⤵
  PID:7240
- C:\Windows\System32\WStoLLT.exe
  C:\Windows\System32\WStoLLT.exe
  2⤵
  PID:7264
- C:\Windows\System32\ObHAaJH.exe
  C:\Windows\System32\ObHAaJH.exe
  2⤵
  PID:7284
- C:\Windows\System32\HgLMxKB.exe
  C:\Windows\System32\HgLMxKB.exe
  2⤵
  PID:7304
- C:\Windows\System32\UbXAYNa.exe
  C:\Windows\System32\UbXAYNa.exe
  2⤵
  PID:7336
- C:\Windows\System32\TMvEgsD.exe
  C:\Windows\System32\TMvEgsD.exe
  2⤵
  PID:7352
- C:\Windows\System32\jODEYcp.exe
  C:\Windows\System32\jODEYcp.exe
  2⤵
  PID:7380
- C:\Windows\System32\ymOhfhL.exe
  C:\Windows\System32\ymOhfhL.exe
  2⤵
  PID:7404
- C:\Windows\System32\cBDTZcm.exe
  C:\Windows\System32\cBDTZcm.exe
  2⤵
  PID:7472
- C:\Windows\System32\MFnKOui.exe
  C:\Windows\System32\MFnKOui.exe
  2⤵
  PID:7496
- C:\Windows\System32\TRtPfJj.exe
  C:\Windows\System32\TRtPfJj.exe
  2⤵
  PID:7520
- C:\Windows\System32\XvwhOxJ.exe
  C:\Windows\System32\XvwhOxJ.exe
  2⤵
  PID:7540
- C:\Windows\System32\vBXrVCH.exe
  C:\Windows\System32\vBXrVCH.exe
  2⤵
  PID:7560
- C:\Windows\System32\EOHaBpo.exe
  C:\Windows\System32\EOHaBpo.exe
  2⤵
  PID:7576
- C:\Windows\System32\XPJSEQl.exe
  C:\Windows\System32\XPJSEQl.exe
  2⤵
  PID:7604
- C:\Windows\System32\vHmBiEe.exe
  C:\Windows\System32\vHmBiEe.exe
  2⤵
  PID:7620
- C:\Windows\System32\PxLxXhD.exe
  C:\Windows\System32\PxLxXhD.exe
  2⤵
  PID:7660
- C:\Windows\System32\QSClVPy.exe
  C:\Windows\System32\QSClVPy.exe
  2⤵
  PID:7716
- C:\Windows\System32\eDxlvBx.exe
  C:\Windows\System32\eDxlvBx.exe
  2⤵
  PID:7736
- C:\Windows\System32\uRryhCS.exe
  C:\Windows\System32\uRryhCS.exe
  2⤵
  PID:7756
- C:\Windows\System32\cuPdhkX.exe
  C:\Windows\System32\cuPdhkX.exe
  2⤵
  PID:7784
- C:\Windows\System32\AXxXhsS.exe
  C:\Windows\System32\AXxXhsS.exe
  2⤵
  PID:7800
- C:\Windows\System32\HWAKuQt.exe
  C:\Windows\System32\HWAKuQt.exe
  2⤵
  PID:7828
- C:\Windows\System32\kXXmnsv.exe
  C:\Windows\System32\kXXmnsv.exe
  2⤵
  PID:7844
- C:\Windows\System32\nGPRyro.exe
  C:\Windows\System32\nGPRyro.exe
  2⤵
  PID:7868
- C:\Windows\System32\FZjYVrg.exe
  C:\Windows\System32\FZjYVrg.exe
  2⤵
  PID:7916
- C:\Windows\System32\pZOrgnr.exe
  C:\Windows\System32\pZOrgnr.exe
  2⤵
  PID:7972
- C:\Windows\System32\VCyuPrr.exe
  C:\Windows\System32\VCyuPrr.exe
  2⤵
  PID:7988
- C:\Windows\System32\FXOmDCy.exe
  C:\Windows\System32\FXOmDCy.exe
  2⤵
  PID:8004
- C:\Windows\System32\wIzyUjv.exe
  C:\Windows\System32\wIzyUjv.exe
  2⤵
  PID:8028
- C:\Windows\System32\dNIHzEw.exe
  C:\Windows\System32\dNIHzEw.exe
  2⤵
  PID:8052
- C:\Windows\System32\OWuSTFB.exe
  C:\Windows\System32\OWuSTFB.exe
  2⤵
  PID:8080
- C:\Windows\System32\PLEoCBZ.exe
  C:\Windows\System32\PLEoCBZ.exe
  2⤵
  PID:8132
- C:\Windows\System32\zEuclzK.exe
  C:\Windows\System32\zEuclzK.exe
  2⤵
  PID:8156
- C:\Windows\System32\ShhPUGJ.exe
  C:\Windows\System32\ShhPUGJ.exe
  2⤵
  PID:8180
- C:\Windows\System32\kOeuONl.exe
  C:\Windows\System32\kOeuONl.exe
  2⤵
  PID:7220
- C:\Windows\System32\lYCSrtY.exe
  C:\Windows\System32\lYCSrtY.exe
  2⤵
  PID:7292
- C:\Windows\System32\mmqqrTb.exe
  C:\Windows\System32\mmqqrTb.exe
  2⤵
  PID:7296
- C:\Windows\System32\XoVtpsf.exe
  C:\Windows\System32\XoVtpsf.exe
  2⤵
  PID:7348
- C:\Windows\System32\PNvlfMW.exe
  C:\Windows\System32\PNvlfMW.exe
  2⤵
  PID:7484
- C:\Windows\System32\jDfeDTb.exe
  C:\Windows\System32\jDfeDTb.exe
  2⤵
  PID:7536
- C:\Windows\System32\SXdQQqR.exe
  C:\Windows\System32\SXdQQqR.exe
  2⤵
  PID:7572
- C:\Windows\System32\YgThgAx.exe
  C:\Windows\System32\YgThgAx.exe
  2⤵
  PID:7556
- C:\Windows\System32\aAMtouW.exe
  C:\Windows\System32\aAMtouW.exe
  2⤵
  PID:7712
- C:\Windows\System32\GscTxss.exe
  C:\Windows\System32\GscTxss.exe
  2⤵
  PID:7732
- C:\Windows\System32\ZwuneZc.exe
  C:\Windows\System32\ZwuneZc.exe
  2⤵
  PID:7808
- C:\Windows\System32\PAALbPn.exe
  C:\Windows\System32\PAALbPn.exe
  2⤵
  PID:7792
- C:\Windows\System32\GBXlslT.exe
  C:\Windows\System32\GBXlslT.exe
  2⤵
  PID:7952
- C:\Windows\System32\wCrVYlp.exe
  C:\Windows\System32\wCrVYlp.exe
  2⤵
  PID:8000
- C:\Windows\System32\VoGsinH.exe
  C:\Windows\System32\VoGsinH.exe
  2⤵
  PID:8076
- C:\Windows\System32\QdIqSKy.exe
  C:\Windows\System32\QdIqSKy.exe
  2⤵
  PID:8140
- C:\Windows\System32\zPuDARx.exe
  C:\Windows\System32\zPuDARx.exe
  2⤵
  PID:7228
- C:\Windows\System32\xraOdoJ.exe
  C:\Windows\System32\xraOdoJ.exe
  2⤵
  PID:7392
- C:\Windows\System32\GxAXIOm.exe
  C:\Windows\System32\GxAXIOm.exe
  2⤵
  PID:7532
- C:\Windows\System32\BAcOdYU.exe
  C:\Windows\System32\BAcOdYU.exe
  2⤵
  PID:7748
- C:\Windows\System32\JAPROWt.exe
  C:\Windows\System32\JAPROWt.exe
  2⤵
  PID:7964
- C:\Windows\System32\XzapuCD.exe
  C:\Windows\System32\XzapuCD.exe
  2⤵
  PID:8044
- C:\Windows\System32\EYvnBkc.exe
  C:\Windows\System32\EYvnBkc.exe
  2⤵
  PID:8148
- C:\Windows\System32\bDozXHE.exe
  C:\Windows\System32\bDozXHE.exe
  2⤵
  PID:7516
- C:\Windows\System32\CPFdhNC.exe
  C:\Windows\System32\CPFdhNC.exe
  2⤵
  PID:7880
- C:\Windows\System32\tiRNVYD.exe
  C:\Windows\System32\tiRNVYD.exe
  2⤵
  PID:8040
- C:\Windows\System32\tEpcjvY.exe
  C:\Windows\System32\tEpcjvY.exe
  2⤵
  PID:8196
- C:\Windows\System32\nlxqatL.exe
  C:\Windows\System32\nlxqatL.exe
  2⤵
  PID:8216
- C:\Windows\System32\xUrwMVk.exe
  C:\Windows\System32\xUrwMVk.exe
  2⤵
  PID:8232
- C:\Windows\System32\zYSmoux.exe
  C:\Windows\System32\zYSmoux.exe
  2⤵
  PID:8256
- C:\Windows\System32\xwCtoBC.exe
  C:\Windows\System32\xwCtoBC.exe
  2⤵
  PID:8280
- C:\Windows\System32\YbWPIMD.exe
  C:\Windows\System32\YbWPIMD.exe
  2⤵
  PID:8316
- C:\Windows\System32\SBqAAxx.exe
  C:\Windows\System32\SBqAAxx.exe
  2⤵
  PID:8336
- C:\Windows\System32\MgzSjUI.exe
  C:\Windows\System32\MgzSjUI.exe
  2⤵
  PID:8388
- C:\Windows\System32\GGFWswr.exe
  C:\Windows\System32\GGFWswr.exe
  2⤵
  PID:8416
- C:\Windows\System32\vuYlIQz.exe
  C:\Windows\System32\vuYlIQz.exe
  2⤵
  PID:8440
- C:\Windows\System32\OReMJpL.exe
  C:\Windows\System32\OReMJpL.exe
  2⤵
  PID:8456
- C:\Windows\System32\aKsysAe.exe
  C:\Windows\System32\aKsysAe.exe
  2⤵
  PID:8504
- C:\Windows\System32\NVhvWsZ.exe
  C:\Windows\System32\NVhvWsZ.exe
  2⤵
  PID:8524
- C:\Windows\System32\QvtDHhS.exe
  C:\Windows\System32\QvtDHhS.exe
  2⤵
  PID:8552
- C:\Windows\System32\TeSxHPf.exe
  C:\Windows\System32\TeSxHPf.exe
  2⤵
  PID:8580
- C:\Windows\System32\WBwxAoK.exe
  C:\Windows\System32\WBwxAoK.exe
  2⤵
  PID:8600
- C:\Windows\System32\NjqilTZ.exe
  C:\Windows\System32\NjqilTZ.exe
  2⤵
  PID:8632
- C:\Windows\System32\YLpcqoR.exe
  C:\Windows\System32\YLpcqoR.exe
  2⤵
  PID:8668
- C:\Windows\System32\QMMKFHG.exe
  C:\Windows\System32\QMMKFHG.exe
  2⤵
  PID:8696
- C:\Windows\System32\rPKUGCh.exe
  C:\Windows\System32\rPKUGCh.exe
  2⤵
  PID:8716
- C:\Windows\System32\LFZSZfO.exe
  C:\Windows\System32\LFZSZfO.exe
  2⤵
  PID:8748
- C:\Windows\System32\XdcpQOb.exe
  C:\Windows\System32\XdcpQOb.exe
  2⤵
  PID:8784
- C:\Windows\System32\eINDVUe.exe
  C:\Windows\System32\eINDVUe.exe
  2⤵
  PID:8800
- C:\Windows\System32\bFKkoqW.exe
  C:\Windows\System32\bFKkoqW.exe
  2⤵
  PID:8848
- C:\Windows\System32\yviWESU.exe
  C:\Windows\System32\yviWESU.exe
  2⤵
  PID:8876
- C:\Windows\System32\QviuNxz.exe
  C:\Windows\System32\QviuNxz.exe
  2⤵
  PID:8900
- C:\Windows\System32\fToSXCq.exe
  C:\Windows\System32\fToSXCq.exe
  2⤵
  PID:8916
- C:\Windows\System32\PIrAadd.exe
  C:\Windows\System32\PIrAadd.exe
  2⤵
  PID:8940
- C:\Windows\System32\CGVIDpJ.exe
  C:\Windows\System32\CGVIDpJ.exe
  2⤵
  PID:8988
- C:\Windows\System32\fdDBrDd.exe
  C:\Windows\System32\fdDBrDd.exe
  2⤵
  PID:9008
- C:\Windows\System32\cUXLWMD.exe
  C:\Windows\System32\cUXLWMD.exe
  2⤵
  PID:9028
- C:\Windows\System32\hAhsGdg.exe
  C:\Windows\System32\hAhsGdg.exe
  2⤵
  PID:9060
- C:\Windows\System32\rsFhRmB.exe
  C:\Windows\System32\rsFhRmB.exe
  2⤵
  PID:9100
- C:\Windows\System32\kDeiGqB.exe
  C:\Windows\System32\kDeiGqB.exe
  2⤵
  PID:9132
- C:\Windows\System32\DFFRWuI.exe
  C:\Windows\System32\DFFRWuI.exe
  2⤵
  PID:9148
- C:\Windows\System32\pApWNiX.exe
  C:\Windows\System32\pApWNiX.exe
  2⤵
  PID:9188
- C:\Windows\System32\RyMrnyz.exe
  C:\Windows\System32\RyMrnyz.exe
  2⤵
  PID:8168
- C:\Windows\System32\BCCClyn.exe
  C:\Windows\System32\BCCClyn.exe
  2⤵
  PID:8252
- C:\Windows\System32\dSPKVcI.exe
  C:\Windows\System32\dSPKVcI.exe
  2⤵
  PID:8272
- C:\Windows\System32\TfgdUfm.exe
  C:\Windows\System32\TfgdUfm.exe
  2⤵
  PID:8304
- C:\Windows\System32\aVIclht.exe
  C:\Windows\System32\aVIclht.exe
  2⤵
  PID:8376
- C:\Windows\System32\mwmsZlG.exe
  C:\Windows\System32\mwmsZlG.exe
  2⤵
  PID:8432
- C:\Windows\System32\EMJTjSg.exe
  C:\Windows\System32\EMJTjSg.exe
  2⤵
  PID:8540
- C:\Windows\System32\sDYibDb.exe
  C:\Windows\System32\sDYibDb.exe
  2⤵
  PID:8620
- C:\Windows\System32\clNWjuY.exe
  C:\Windows\System32\clNWjuY.exe
  2⤵
  PID:8680
- C:\Windows\System32\gcKuTNt.exe
  C:\Windows\System32\gcKuTNt.exe
  2⤵
  PID:8704
- C:\Windows\System32\VzeuyFR.exe
  C:\Windows\System32\VzeuyFR.exe
  2⤵
  PID:8824
- C:\Windows\System32\dQPTRGV.exe
  C:\Windows\System32\dQPTRGV.exe
  2⤵
  PID:8888
- C:\Windows\System32\ojRNOXV.exe
  C:\Windows\System32\ojRNOXV.exe
  2⤵
  PID:8928
- C:\Windows\System32\aarFQOW.exe
  C:\Windows\System32\aarFQOW.exe
  2⤵
  PID:8968
- C:\Windows\System32\pYYkkzz.exe
  C:\Windows\System32\pYYkkzz.exe
  2⤵
  PID:9052
- C:\Windows\System32\lcIrFYK.exe
  C:\Windows\System32\lcIrFYK.exe
  2⤵
  PID:9128
- C:\Windows\System32\NShPzcX.exe
  C:\Windows\System32\NShPzcX.exe
  2⤵
  PID:9212
- C:\Windows\System32\jTphZYb.exe
  C:\Windows\System32\jTphZYb.exe
  2⤵
  PID:8328
- C:\Windows\System32\RcGxPmZ.exe
  C:\Windows\System32\RcGxPmZ.exe
  2⤵
  PID:8332
- C:\Windows\System32\ZcvGTxr.exe
  C:\Windows\System32\ZcvGTxr.exe
  2⤵
  PID:8568
- C:\Windows\System32\ddPdMCH.exe
  C:\Windows\System32\ddPdMCH.exe
  2⤵
  PID:8728
- C:\Windows\System32\JojUySm.exe
  C:\Windows\System32\JojUySm.exe
  2⤵
  PID:8908
- C:\Windows\System32\eJFwoJt.exe
  C:\Windows\System32\eJFwoJt.exe
  2⤵
  PID:9056
- C:\Windows\System32\mDZlXTM.exe
  C:\Windows\System32\mDZlXTM.exe
  2⤵
  PID:9076
- C:\Windows\System32\mmDQvVN.exe
  C:\Windows\System32\mmDQvVN.exe
  2⤵
  PID:8368
- C:\Windows\System32\FSDCyWS.exe
  C:\Windows\System32\FSDCyWS.exe
  2⤵
  PID:8400
- C:\Windows\System32\xVaVZQr.exe
  C:\Windows\System32\xVaVZQr.exe
  2⤵
  PID:8828
- C:\Windows\System32\SKZtJsE.exe
  C:\Windows\System32\SKZtJsE.exe
  2⤵
  PID:9228
- C:\Windows\System32\zAyNzWy.exe
  C:\Windows\System32\zAyNzWy.exe
  2⤵
  PID:9268
- C:\Windows\System32\QlOdrTo.exe
  C:\Windows\System32\QlOdrTo.exe
  2⤵
  PID:9288
- C:\Windows\System32\dOQgrrc.exe
  C:\Windows\System32\dOQgrrc.exe
  2⤵
  PID:9312
- C:\Windows\System32\iGVrZVx.exe
  C:\Windows\System32\iGVrZVx.exe
  2⤵
  PID:9352
- C:\Windows\System32\MmtqvOI.exe
  C:\Windows\System32\MmtqvOI.exe
  2⤵
  PID:9376
- C:\Windows\System32\FRZVLmg.exe
  C:\Windows\System32\FRZVLmg.exe
  2⤵
  PID:9392
- C:\Windows\System32\ZiGdpnI.exe
  C:\Windows\System32\ZiGdpnI.exe
  2⤵
  PID:9416
- C:\Windows\System32\BtNBftR.exe
  C:\Windows\System32\BtNBftR.exe
  2⤵
  PID:9440
- C:\Windows\System32\qOVvNkz.exe
  C:\Windows\System32\qOVvNkz.exe
  2⤵
  PID:9484
- C:\Windows\System32\WpNWlVv.exe
  C:\Windows\System32\WpNWlVv.exe
  2⤵
  PID:9508
- C:\Windows\System32\IAmOTMj.exe
  C:\Windows\System32\IAmOTMj.exe
  2⤵
  PID:9528
- C:\Windows\System32\aJYTMAX.exe
  C:\Windows\System32\aJYTMAX.exe
  2⤵
  PID:9556
- C:\Windows\System32\RuTlEHe.exe
  C:\Windows\System32\RuTlEHe.exe
  2⤵
  PID:9580
- C:\Windows\System32\MzriyKq.exe
  C:\Windows\System32\MzriyKq.exe
  2⤵
  PID:9624
- C:\Windows\System32\GNltWqo.exe
  C:\Windows\System32\GNltWqo.exe
  2⤵
  PID:9640
- C:\Windows\System32\ecTfxnc.exe
  C:\Windows\System32\ecTfxnc.exe
  2⤵
  PID:9660
- C:\Windows\System32\HYscdsj.exe
  C:\Windows\System32\HYscdsj.exe
  2⤵
  PID:9704
- C:\Windows\System32\xXKriiY.exe
  C:\Windows\System32\xXKriiY.exe
  2⤵
  PID:9724
- C:\Windows\System32\yCkWRZH.exe
  C:\Windows\System32\yCkWRZH.exe
  2⤵
  PID:9744
- C:\Windows\System32\KaluGnE.exe
  C:\Windows\System32\KaluGnE.exe
  2⤵
  PID:9788
- C:\Windows\System32\XsBfYhQ.exe
  C:\Windows\System32\XsBfYhQ.exe
  2⤵
  PID:9808
- C:\Windows\System32\TsnjQCm.exe
  C:\Windows\System32\TsnjQCm.exe
  2⤵
  PID:9828
- C:\Windows\System32\fDTZfwt.exe
  C:\Windows\System32\fDTZfwt.exe
  2⤵
  PID:9860
- C:\Windows\System32\pYZkpVo.exe
  C:\Windows\System32\pYZkpVo.exe
  2⤵
  PID:9900
- C:\Windows\System32\yMyIWHP.exe
  C:\Windows\System32\yMyIWHP.exe
  2⤵
  PID:9920
- C:\Windows\System32\RAdEfcX.exe
  C:\Windows\System32\RAdEfcX.exe
  2⤵
  PID:9940
- C:\Windows\System32\VcPonvJ.exe
  C:\Windows\System32\VcPonvJ.exe
  2⤵
  PID:9960
- C:\Windows\System32\aXylLxU.exe
  C:\Windows\System32\aXylLxU.exe
  2⤵
  PID:10008
- C:\Windows\System32\OyUJgsu.exe
  C:\Windows\System32\OyUJgsu.exe
  2⤵
  PID:10040
- C:\Windows\System32\YHqOxis.exe
  C:\Windows\System32\YHqOxis.exe
  2⤵
  PID:10072
- C:\Windows\System32\ySypabt.exe
  C:\Windows\System32\ySypabt.exe
  2⤵
  PID:10108
- C:\Windows\System32\aARiSyS.exe
  C:\Windows\System32\aARiSyS.exe
  2⤵
  PID:10132
- C:\Windows\System32\UKmXWRs.exe
  C:\Windows\System32\UKmXWRs.exe
  2⤵
  PID:10160
- C:\Windows\System32\zdyyPfx.exe
  C:\Windows\System32\zdyyPfx.exe
  2⤵
  PID:10192
- C:\Windows\System32\CKuuQrg.exe
  C:\Windows\System32\CKuuQrg.exe
  2⤵
  PID:10216
- C:\Windows\System32\hrGCYiq.exe
  C:\Windows\System32\hrGCYiq.exe
  2⤵
  PID:8500
- C:\Windows\System32\wfAjLcH.exe
  C:\Windows\System32\wfAjLcH.exe
  2⤵
  PID:9276
- C:\Windows\System32\TETLaLO.exe
  C:\Windows\System32\TETLaLO.exe
  2⤵
  PID:9360
- C:\Windows\System32\WAizdAv.exe
  C:\Windows\System32\WAizdAv.exe
  2⤵
  PID:9460
- C:\Windows\System32\mKoUkXP.exe
  C:\Windows\System32\mKoUkXP.exe
  2⤵
  PID:9496
- C:\Windows\System32\XFyoMOR.exe
  C:\Windows\System32\XFyoMOR.exe
  2⤵
  PID:9588
- C:\Windows\System32\GXlPsrQ.exe
  C:\Windows\System32\GXlPsrQ.exe
  2⤵
  PID:9652
- C:\Windows\System32\TRqgXHU.exe
  C:\Windows\System32\TRqgXHU.exe
  2⤵
  PID:9756
- C:\Windows\System32\zAQJCnN.exe
  C:\Windows\System32\zAQJCnN.exe
  2⤵
  PID:9760
- C:\Windows\System32\XnjAsJF.exe
  C:\Windows\System32\XnjAsJF.exe
  2⤵
  PID:9816
- C:\Windows\System32\XaoPrJx.exe
  C:\Windows\System32\XaoPrJx.exe
  2⤵
  PID:9912
- C:\Windows\System32\FVORTVQ.exe
  C:\Windows\System32\FVORTVQ.exe
  2⤵
  PID:9956
- C:\Windows\System32\hDWYDHE.exe
  C:\Windows\System32\hDWYDHE.exe
  2⤵
  PID:10064
- C:\Windows\System32\KPbEqks.exe
  C:\Windows\System32\KPbEqks.exe
  2⤵
  PID:10120
- C:\Windows\System32\loHULfN.exe
  C:\Windows\System32\loHULfN.exe
  2⤵
  PID:10172
- C:\Windows\System32\yiMRUlB.exe
  C:\Windows\System32\yiMRUlB.exe
  2⤵
  PID:9248
- C:\Windows\System32\FMFkjmH.exe
  C:\Windows\System32\FMFkjmH.exe
  2⤵
  PID:9400
- C:\Windows\System32\xRWzvuz.exe
  C:\Windows\System32\xRWzvuz.exe
  2⤵
  PID:9576
- C:\Windows\System32\wDlbHPh.exe
  C:\Windows\System32\wDlbHPh.exe
  2⤵
  PID:9608
- C:\Windows\System32\shTHoxQ.exe
  C:\Windows\System32\shTHoxQ.exe
  2⤵
  PID:9888
- C:\Windows\System32\Clhmbrl.exe
  C:\Windows\System32\Clhmbrl.exe
  2⤵
  PID:10020
- C:\Windows\System32\SbQeNBc.exe
  C:\Windows\System32\SbQeNBc.exe
  2⤵
  PID:10100
- C:\Windows\System32\KBaAExw.exe
  C:\Windows\System32\KBaAExw.exe
  2⤵
  PID:10252
- C:\Windows\System32\QzemSRT.exe
  C:\Windows\System32\QzemSRT.exe
  2⤵
  PID:10296
- C:\Windows\System32\nNYrDIT.exe
  C:\Windows\System32\nNYrDIT.exe
  2⤵
  PID:10312
- C:\Windows\System32\pIYZDTF.exe
  C:\Windows\System32\pIYZDTF.exe
  2⤵
  PID:10328
- C:\Windows\System32\MveMMNi.exe
  C:\Windows\System32\MveMMNi.exe
  2⤵
  PID:10344
- C:\Windows\System32\wepJXDj.exe
  C:\Windows\System32\wepJXDj.exe
  2⤵
  PID:10400
- C:\Windows\System32\aSVuiVb.exe
  C:\Windows\System32\aSVuiVb.exe
  2⤵
  PID:10420
- C:\Windows\System32\PsXYMEG.exe
  C:\Windows\System32\PsXYMEG.exe
  2⤵
  PID:10440
- C:\Windows\System32\VcomHaT.exe
  C:\Windows\System32\VcomHaT.exe
  2⤵
  PID:10492
- C:\Windows\System32\ndRTqIY.exe
  C:\Windows\System32\ndRTqIY.exe
  2⤵
  PID:10568
- C:\Windows\System32\LiQbfLv.exe
  C:\Windows\System32\LiQbfLv.exe
  2⤵
  PID:10600
- C:\Windows\System32\WnFAgse.exe
  C:\Windows\System32\WnFAgse.exe
  2⤵
  PID:10616
- C:\Windows\System32\jobRuUu.exe
  C:\Windows\System32\jobRuUu.exe
  2⤵
  PID:10656
- C:\Windows\System32\IHDyIWx.exe
  C:\Windows\System32\IHDyIWx.exe
  2⤵
  PID:10676
- C:\Windows\System32\ZyfUCUO.exe
  C:\Windows\System32\ZyfUCUO.exe
  2⤵
  PID:10700
- C:\Windows\System32\NnofmXR.exe
  C:\Windows\System32\NnofmXR.exe
  2⤵
  PID:10720
- C:\Windows\System32\aZYnFML.exe
  C:\Windows\System32\aZYnFML.exe
  2⤵
  PID:10736
- C:\Windows\System32\kaFeVPa.exe
  C:\Windows\System32\kaFeVPa.exe
  2⤵
  PID:10788
- C:\Windows\System32\MtzsrXl.exe
  C:\Windows\System32\MtzsrXl.exe
  2⤵
  PID:10816
- C:\Windows\System32\eGvzwkD.exe
  C:\Windows\System32\eGvzwkD.exe
  2⤵
  PID:10832
- C:\Windows\System32\GfxQKer.exe
  C:\Windows\System32\GfxQKer.exe
  2⤵
  PID:10856
- C:\Windows\System32\SzJyAvo.exe
  C:\Windows\System32\SzJyAvo.exe
  2⤵
  PID:10888
- C:\Windows\System32\qXLmUYh.exe
  C:\Windows\System32\qXLmUYh.exe
  2⤵
  PID:10928
- C:\Windows\System32\IQqVNWb.exe
  C:\Windows\System32\IQqVNWb.exe
  2⤵
  PID:10944
- C:\Windows\System32\iWtOktq.exe
  C:\Windows\System32\iWtOktq.exe
  2⤵
  PID:11016
- C:\Windows\System32\CKQNlzp.exe
  C:\Windows\System32\CKQNlzp.exe
  2⤵
  PID:11044
- C:\Windows\System32\WTnuVXQ.exe
  C:\Windows\System32\WTnuVXQ.exe
  2⤵
  PID:11076
- C:\Windows\System32\KqiSFEV.exe
  C:\Windows\System32\KqiSFEV.exe
  2⤵
  PID:11136
- C:\Windows\System32\ZRNJpWr.exe
  C:\Windows\System32\ZRNJpWr.exe
  2⤵
  PID:11168
- C:\Windows\System32\kqjjTKo.exe
  C:\Windows\System32\kqjjTKo.exe
  2⤵
  PID:11192
- C:\Windows\System32\oPqggvh.exe
  C:\Windows\System32\oPqggvh.exe
  2⤵
  PID:11236
- C:\Windows\System32\sTVYZwz.exe
  C:\Windows\System32\sTVYZwz.exe
  2⤵
  PID:9492
- C:\Windows\System32\FAOtuNi.exe
  C:\Windows\System32\FAOtuNi.exe
  2⤵
  PID:10004
- C:\Windows\System32\YrCeXJR.exe
  C:\Windows\System32\YrCeXJR.exe
  2⤵
  PID:10208
- C:\Windows\System32\XTItEKX.exe
  C:\Windows\System32\XTItEKX.exe
  2⤵
  PID:10364
- C:\Windows\System32\fqobzyN.exe
  C:\Windows\System32\fqobzyN.exe
  2⤵
  PID:10248
- C:\Windows\System32\yKkVEgU.exe
  C:\Windows\System32\yKkVEgU.exe
  2⤵
  PID:10356
- C:\Windows\System32\pDRoNcn.exe
  C:\Windows\System32\pDRoNcn.exe
  2⤵
  PID:10408
- C:\Windows\System32\PAeqhpn.exe
  C:\Windows\System32\PAeqhpn.exe
  2⤵
  PID:10468
- C:\Windows\System32\UOisHzR.exe
  C:\Windows\System32\UOisHzR.exe
  2⤵
  PID:10540
- C:\Windows\System32\qySrJgk.exe
  C:\Windows\System32\qySrJgk.exe
  2⤵
  PID:10592
- C:\Windows\System32\LMSLfUR.exe
  C:\Windows\System32\LMSLfUR.exe
  2⤵
  PID:10644
- C:\Windows\System32\TfuRIaf.exe
  C:\Windows\System32\TfuRIaf.exe
  2⤵
  PID:10696
- C:\Windows\System32\DkoPuai.exe
  C:\Windows\System32\DkoPuai.exe
  2⤵
  PID:10796
- C:\Windows\System32\CpqrrLf.exe
  C:\Windows\System32\CpqrrLf.exe
  2⤵
  PID:10900
- C:\Windows\System32\LHmFjGs.exe
  C:\Windows\System32\LHmFjGs.exe
  2⤵
  PID:10940
- C:\Windows\System32\sZFHmUP.exe
  C:\Windows\System32\sZFHmUP.exe
  2⤵
  PID:11108
- C:\Windows\System32\zbPLbPd.exe
  C:\Windows\System32\zbPLbPd.exe
  2⤵
  PID:10428
- C:\Windows\System32\SOkftaF.exe
  C:\Windows\System32\SOkftaF.exe
  2⤵
  PID:9752
- C:\Windows\System32\QnbUIcE.exe
  C:\Windows\System32\QnbUIcE.exe
  2⤵
  PID:10304
- C:\Windows\System32\QwPPKKL.exe
  C:\Windows\System32\QwPPKKL.exe
  2⤵
  PID:10268
- C:\Windows\System32\RFBTcIN.exe
  C:\Windows\System32\RFBTcIN.exe
  2⤵
  PID:10360
- C:\Windows\System32\gqJejAq.exe
  C:\Windows\System32\gqJejAq.exe
  2⤵
  PID:10672
- C:\Windows\System32\xsLcZfp.exe
  C:\Windows\System32\xsLcZfp.exe
  2⤵
  PID:10752
- C:\Windows\System32\BVCmnln.exe
  C:\Windows\System32\BVCmnln.exe
  2⤵
  PID:10952
- C:\Windows\System32\yNEPiCs.exe
  C:\Windows\System32\yNEPiCs.exe
  2⤵
  PID:11256
- C:\Windows\System32\ghkoZRH.exe
  C:\Windows\System32\ghkoZRH.exe
  2⤵
  PID:11360
- C:\Windows\System32\uMrpwXT.exe
  C:\Windows\System32\uMrpwXT.exe
  2⤵
  PID:11376
- C:\Windows\System32\uaxIssi.exe
  C:\Windows\System32\uaxIssi.exe
  2⤵
  PID:11392
- C:\Windows\System32\AbHQFKq.exe
  C:\Windows\System32\AbHQFKq.exe
  2⤵
  PID:11424
- C:\Windows\System32\rpxUmVI.exe
  C:\Windows\System32\rpxUmVI.exe
  2⤵
  PID:11464
- C:\Windows\System32\vBqKjGG.exe
  C:\Windows\System32\vBqKjGG.exe
  2⤵
  PID:11484
- C:\Windows\System32\zdkHRrm.exe
  C:\Windows\System32\zdkHRrm.exe
  2⤵
  PID:11516
- C:\Windows\System32\pDpqaor.exe
  C:\Windows\System32\pDpqaor.exe
  2⤵
  PID:11536
- C:\Windows\System32\blrwkaF.exe
  C:\Windows\System32\blrwkaF.exe
  2⤵
  PID:11580
- C:\Windows\System32\VWDzQXm.exe
  C:\Windows\System32\VWDzQXm.exe
  2⤵
  PID:11620
- C:\Windows\System32\PtetUUz.exe
  C:\Windows\System32\PtetUUz.exe
  2⤵
  PID:11636
- C:\Windows\System32\UmDLczI.exe
  C:\Windows\System32\UmDLczI.exe
  2⤵
  PID:11652
- C:\Windows\System32\pNchrwy.exe
  C:\Windows\System32\pNchrwy.exe
  2⤵
  PID:11692
- C:\Windows\System32\WQWmzRW.exe
  C:\Windows\System32\WQWmzRW.exe
  2⤵
  PID:11748
- C:\Windows\System32\bOzwudd.exe
  C:\Windows\System32\bOzwudd.exe
  2⤵
  PID:11772
- C:\Windows\System32\OHfDKSj.exe
  C:\Windows\System32\OHfDKSj.exe
  2⤵
  PID:11796
- C:\Windows\System32\SPIypjG.exe
  C:\Windows\System32\SPIypjG.exe
  2⤵
  PID:11836
- C:\Windows\System32\TvBpJkK.exe
  C:\Windows\System32\TvBpJkK.exe
  2⤵
  PID:11860
- C:\Windows\System32\GrRtMBK.exe
  C:\Windows\System32\GrRtMBK.exe
  2⤵
  PID:11884
- C:\Windows\System32\lsebYjn.exe
  C:\Windows\System32\lsebYjn.exe
  2⤵
  PID:11908
- C:\Windows\System32\bZolhyZ.exe
  C:\Windows\System32\bZolhyZ.exe
  2⤵
  PID:11932
- C:\Windows\System32\HUOUmfu.exe
  C:\Windows\System32\HUOUmfu.exe
  2⤵
  PID:11960
- C:\Windows\System32\eKDMDMW.exe
  C:\Windows\System32\eKDMDMW.exe
  2⤵
  PID:12024
- C:\Windows\System32\OmyJTCg.exe
  C:\Windows\System32\OmyJTCg.exe
  2⤵
  PID:12044
- C:\Windows\System32\CzIpLJm.exe
  C:\Windows\System32\CzIpLJm.exe
  2⤵
  PID:12076
- C:\Windows\System32\yBbZDaF.exe
  C:\Windows\System32\yBbZDaF.exe
  2⤵
  PID:12096
- C:\Windows\System32\oTSOHqE.exe
  C:\Windows\System32\oTSOHqE.exe
  2⤵
  PID:12124
- C:\Windows\System32\ulwabCr.exe
  C:\Windows\System32\ulwabCr.exe
  2⤵
  PID:12144
- C:\Windows\System32\iSRQpRt.exe
  C:\Windows\System32\iSRQpRt.exe
  2⤵
  PID:12172
- C:\Windows\System32\KFWfLKL.exe
  C:\Windows\System32\KFWfLKL.exe
  2⤵
  PID:12188
- C:\Windows\System32\KaAWWPC.exe
  C:\Windows\System32\KaAWWPC.exe
  2⤵
  PID:12216
- C:\Windows\System32\LRuFlHz.exe
  C:\Windows\System32\LRuFlHz.exe
  2⤵
  PID:12236
- C:\Windows\System32\nNsKBaz.exe
  C:\Windows\System32\nNsKBaz.exe
  2⤵
  PID:11248
- C:\Windows\System32\RQLGBhI.exe
  C:\Windows\System32\RQLGBhI.exe
  2⤵
  PID:11272
- C:\Windows\System32\lNdNlbd.exe
  C:\Windows\System32\lNdNlbd.exe
  2⤵
  PID:11284
- C:\Windows\System32\KsghsFG.exe
  C:\Windows\System32\KsghsFG.exe
  2⤵
  PID:11308
- C:\Windows\System32\tomICec.exe
  C:\Windows\System32\tomICec.exe
  2⤵
  PID:11324
- C:\Windows\System32\lgsORZm.exe
  C:\Windows\System32\lgsORZm.exe
  2⤵
  PID:10396
- C:\Windows\System32\yJsdKde.exe
  C:\Windows\System32\yJsdKde.exe
  2⤵
  PID:11440
- C:\Windows\System32\NPTTwxw.exe
  C:\Windows\System32\NPTTwxw.exe
  2⤵
  PID:11664
- C:\Windows\System32\ybncrbF.exe
  C:\Windows\System32\ybncrbF.exe
  2⤵
  PID:11688
- C:\Windows\System32\OMgZcpv.exe
  C:\Windows\System32\OMgZcpv.exe
  2⤵
  PID:11792
- C:\Windows\System32\NexnZmI.exe
  C:\Windows\System32\NexnZmI.exe
  2⤵
  PID:11832
- C:\Windows\System32\LNNBEBE.exe
  C:\Windows\System32\LNNBEBE.exe
  2⤵
  PID:11896
- C:\Windows\System32\qHefunZ.exe
  C:\Windows\System32\qHefunZ.exe
  2⤵
  PID:11944
- C:\Windows\System32\AYyAXCk.exe
  C:\Windows\System32\AYyAXCk.exe
  2⤵
  PID:12036
- C:\Windows\System32\UnAdmxr.exe
  C:\Windows\System32\UnAdmxr.exe
  2⤵
  PID:12064
- C:\Windows\System32\pjBoIFe.exe
  C:\Windows\System32\pjBoIFe.exe
  2⤵
  PID:12140
- C:\Windows\System32\NfYMKgu.exe
  C:\Windows\System32\NfYMKgu.exe
  2⤵
  PID:12180
- C:\Windows\System32\ygSRmcz.exe
  C:\Windows\System32\ygSRmcz.exe
  2⤵
  PID:12276
- C:\Windows\System32\LZlLPyE.exe
  C:\Windows\System32\LZlLPyE.exe
  2⤵
  PID:10852
- C:\Windows\System32\edhICTh.exe
  C:\Windows\System32\edhICTh.exe
  2⤵
  PID:10436
- C:\Windows\System32\HrRyUWV.exe
  C:\Windows\System32\HrRyUWV.exe
  2⤵
  PID:11568
- C:\Windows\System32\IRTvgGY.exe
  C:\Windows\System32\IRTvgGY.exe
  2⤵
  PID:10320
- C:\Windows\System32\jXXcxUG.exe
  C:\Windows\System32\jXXcxUG.exe
  2⤵
  PID:11676
- C:\Windows\System32\dDnNSUG.exe
  C:\Windows\System32\dDnNSUG.exe
  2⤵
  PID:11704
- C:\Windows\System32\ihJTEUZ.exe
  C:\Windows\System32\ihJTEUZ.exe
  2⤵
  PID:12032
- C:\Windows\System32\PvXTERG.exe
  C:\Windows\System32\PvXTERG.exe
  2⤵
  PID:12084
- C:\Windows\System32\oolfKBP.exe
  C:\Windows\System32\oolfKBP.exe
  2⤵
  PID:12228
- C:\Windows\System32\MWgCFWd.exe
  C:\Windows\System32\MWgCFWd.exe
  2⤵
  PID:11268
- C:\Windows\System32\LHZzKUp.exe
  C:\Windows\System32\LHZzKUp.exe
  2⤵
  PID:11644
- C:\Windows\System32\xBdDizO.exe
  C:\Windows\System32\xBdDizO.exe
  2⤵
  PID:11764
- C:\Windows\System32\BoYEZgx.exe
  C:\Windows\System32\BoYEZgx.exe
  2⤵
  PID:12196
- C:\Windows\System32\oFYEKON.exe
  C:\Windows\System32\oFYEKON.exe
  2⤵
  PID:11576
- C:\Windows\System32\PGCYkdM.exe
  C:\Windows\System32\PGCYkdM.exe
  2⤵
  PID:12292
- C:\Windows\System32\YZOkssz.exe
  C:\Windows\System32\YZOkssz.exe
  2⤵
  PID:12308
- C:\Windows\System32\uFDyCmR.exe
  C:\Windows\System32\uFDyCmR.exe
  2⤵
  PID:12348
- C:\Windows\System32\sgyBxUg.exe
  C:\Windows\System32\sgyBxUg.exe
  2⤵
  PID:12376
- C:\Windows\System32\wpjfxqw.exe
  C:\Windows\System32\wpjfxqw.exe
  2⤵
  PID:12396
- C:\Windows\System32\CBxhAsX.exe
  C:\Windows\System32\CBxhAsX.exe
  2⤵
  PID:12444
- C:\Windows\System32\PVZAFtu.exe
  C:\Windows\System32\PVZAFtu.exe
  2⤵
  PID:12472
- C:\Windows\System32\jMhUDvL.exe
  C:\Windows\System32\jMhUDvL.exe
  2⤵
  PID:12488
- C:\Windows\System32\oEJEftl.exe
  C:\Windows\System32\oEJEftl.exe
  2⤵
  PID:12520
- C:\Windows\System32\TUGqiiS.exe
  C:\Windows\System32\TUGqiiS.exe
  2⤵
  PID:12544
- C:\Windows\System32\ROHlFMY.exe
  C:\Windows\System32\ROHlFMY.exe
  2⤵
  PID:12568
- C:\Windows\System32\aPrxIRW.exe
  C:\Windows\System32\aPrxIRW.exe
  2⤵
  PID:12608
- C:\Windows\System32\BRlYmaI.exe
  C:\Windows\System32\BRlYmaI.exe
  2⤵
  PID:12632
- C:\Windows\System32\dwbodkp.exe
  C:\Windows\System32\dwbodkp.exe
  2⤵
  PID:12648
- C:\Windows\System32\ttWOgOL.exe
  C:\Windows\System32\ttWOgOL.exe
  2⤵
  PID:12680
- C:\Windows\System32\yXijHMh.exe
  C:\Windows\System32\yXijHMh.exe
  2⤵
  PID:12712
- C:\Windows\System32\gCkoRtY.exe
  C:\Windows\System32\gCkoRtY.exe
  2⤵
  PID:12756
- C:\Windows\System32\qdYdQYx.exe
  C:\Windows\System32\qdYdQYx.exe
  2⤵
  PID:12776
- C:\Windows\System32\MxNKySS.exe
  C:\Windows\System32\MxNKySS.exe
  2⤵
  PID:12812
- C:\Windows\System32\gYgKxQL.exe
  C:\Windows\System32\gYgKxQL.exe
  2⤵
  PID:12836
- C:\Windows\System32\uwJWcER.exe
  C:\Windows\System32\uwJWcER.exe
  2⤵
  PID:12864
- C:\Windows\System32\ybefOGS.exe
  C:\Windows\System32\ybefOGS.exe
  2⤵
  PID:12880
- C:\Windows\System32\zOfRaqE.exe
  C:\Windows\System32\zOfRaqE.exe
  2⤵
  PID:12904
- C:\Windows\System32\xTgiYcI.exe
  C:\Windows\System32\xTgiYcI.exe
  2⤵
  PID:12936
- C:\Windows\System32\ymCArDf.exe
  C:\Windows\System32\ymCArDf.exe
  2⤵
  PID:12960
- C:\Windows\System32\OyRLStN.exe
  C:\Windows\System32\OyRLStN.exe
  2⤵
  PID:13028
- C:\Windows\System32\XPMwjBs.exe
  C:\Windows\System32\XPMwjBs.exe
  2⤵
  PID:13052
- C:\Windows\System32\boCmLSS.exe
  C:\Windows\System32\boCmLSS.exe
  2⤵
  PID:13072
- C:\Windows\System32\AudrtsE.exe
  C:\Windows\System32\AudrtsE.exe
  2⤵
  PID:13100
- C:\Windows\System32\CTFtdvx.exe
  C:\Windows\System32\CTFtdvx.exe
  2⤵
  PID:13124
- C:\Windows\System32\OUquFcx.exe
  C:\Windows\System32\OUquFcx.exe
  2⤵
  PID:13144
- C:\Windows\System32\cTqfxEo.exe
  C:\Windows\System32\cTqfxEo.exe
  2⤵
  PID:13204
- C:\Windows\System32\VIZPLNU.exe
  C:\Windows\System32\VIZPLNU.exe
  2⤵
  PID:13240
- C:\Windows\System32\mboOdig.exe
  C:\Windows\System32\mboOdig.exe
  2⤵
  PID:13268
- C:\Windows\System32\mxBzYqb.exe
  C:\Windows\System32\mxBzYqb.exe
  2⤵
  PID:12136
- C:\Windows\System32\ipYERQW.exe
  C:\Windows\System32\ipYERQW.exe
  2⤵
  PID:11868
- C:\Windows\System32\TQWLnRa.exe
  C:\Windows\System32\TQWLnRa.exe
  2⤵
  PID:12316
- C:\Windows\System32\biNeNam.exe
  C:\Windows\System32\biNeNam.exe
  2⤵
  PID:12388
- C:\Windows\System32\djbHZKR.exe
  C:\Windows\System32\djbHZKR.exe
  2⤵
  PID:12496
- C:\Windows\System32\TBpYLaW.exe
  C:\Windows\System32\TBpYLaW.exe
  2⤵
  PID:12480
- C:\Windows\System32\TbNrHOi.exe
  C:\Windows\System32\TbNrHOi.exe
  2⤵
  PID:12556
- C:\Windows\System32\GOpEUah.exe
  C:\Windows\System32\GOpEUah.exe
  2⤵
  PID:12664
- C:\Windows\System32\yGmYmNJ.exe
  C:\Windows\System32\yGmYmNJ.exe
  2⤵
  PID:12728
- C:\Windows\System32\wkHortm.exe
  C:\Windows\System32\wkHortm.exe
  2⤵
  PID:12748
- C:\Windows\System32\JmWABRA.exe
  C:\Windows\System32\JmWABRA.exe
  2⤵
  PID:2788
- C:\Windows\System32\XFgQaeg.exe
  C:\Windows\System32\XFgQaeg.exe
  2⤵
  PID:12876
- C:\Windows\System32\RaXeMry.exe
  C:\Windows\System32\RaXeMry.exe
  2⤵
  PID:12948
- C:\Windows\System32\NWQGGHF.exe
  C:\Windows\System32\NWQGGHF.exe
  2⤵
  PID:12992
- C:\Windows\System32\tgTCmtL.exe
  C:\Windows\System32\tgTCmtL.exe
  2⤵
  PID:13060
- C:\Windows\System32\TmlXmgP.exe
  C:\Windows\System32\TmlXmgP.exe
  2⤵
  PID:13136
- C:\Windows\System32\hMTDzJD.exe
  C:\Windows\System32\hMTDzJD.exe
  2⤵
  PID:13216
- C:\Windows\System32\JxgORdC.exe
  C:\Windows\System32\JxgORdC.exe
  2⤵
  PID:13260
- C:\Windows\System32\DOHTxKj.exe
  C:\Windows\System32\DOHTxKj.exe
  2⤵
  PID:12300
- C:\Windows\System32\ZzNiLzY.exe
  C:\Windows\System32\ZzNiLzY.exe
  2⤵
  PID:12504
- C:\Windows\System32\SAaMHwM.exe
  C:\Windows\System32\SAaMHwM.exe
  2⤵
  PID:12644
- C:\Windows\System32\NlGJVQd.exe
  C:\Windows\System32\NlGJVQd.exe
  2⤵
  PID:3700
- C:\Windows\System32\iDboRbd.exe
  C:\Windows\System32\iDboRbd.exe
  2⤵
  PID:12924
- C:\Windows\System32\cBCgwNh.exe
  C:\Windows\System32\cBCgwNh.exe
  2⤵
  PID:13016
- C:\Windows\System32\RPSOSrE.exe
  C:\Windows\System32\RPSOSrE.exe
  2⤵
  PID:1984
- C:\Windows\System32\zTVqxxr.exe
  C:\Windows\System32\zTVqxxr.exe
  2⤵
  PID:12120
- C:\Windows\System32\omhwqzJ.exe
  C:\Windows\System32\omhwqzJ.exe
  2⤵
  PID:12704
- C:\Windows\System32\NLAsAAN.exe
  C:\Windows\System32\NLAsAAN.exe
  2⤵
  PID:12912
- C:\Windows\System32\VGaOqtO.exe
  C:\Windows\System32\VGaOqtO.exe
  2⤵
  PID:13236
- C:\Windows\System32\UZZPNwi.exe
  C:\Windows\System32\UZZPNwi.exe
  2⤵
  PID:13168

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:13680
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14080

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8536

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6820

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:8936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8156

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9048

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5608

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6680

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5312

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7872

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2572

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11888

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11628

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3416

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6896

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8424

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3MKUANJA\microsoft.windows[1].xml

Filesize
97B

MD5
6a517bf11dbd236d703ed9898dd3f910

SHA1
f8d64563b0eaba616dc29496c51f795ede02d767

SHA256
d7b7aa87d942a062dd03f78ade8fab7d8efcba60b8c44c52326eea574eeb182b

SHA512
04f15407222285b97dfff27db7320a590d20c7982d13e2eabc68d3b99fce2863951de8321780e7e70d0d187297c6ee6202014dc0ac6d30a7010bff59be769058

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133602764864559107.txt

Filesize
75KB

MD5
8cdd0e31fdc880d03dd47abc4b0efbf9

SHA1
37648604549b090bc8683dffda89fe8338b18d9c

SHA256
edf5f36d377aa149ebfbf55c896fe8716ea11f49a9ec61df2d327bc43c835bab

SHA512
b7cb49eb50e7b5e0d36c7e971b39bde726d36383f5723ad5bb082c266435550030d5a8b53eda5c2ddfc720d73007aba4ffd36b32949161876104328d98a9a511

Download Submit
C:\Windows\System32\AzFHEtj.exe

Filesize
1.2MB

MD5
389319cf484e058a1f600dc4c95b9c6b

SHA1
2456d2ceec8f53c7d560dd4c1150062993237b92

SHA256
20e8705900241fa7ba465b6895d021a4ee37134baefce11a01491c937d8c7d1d

SHA512
048bef192d7cafff471105d3319590948a113f404bd0d01095431a92cc9c75ea9acae6bdbc2acead226d95fae4bcd6f0d69de74bb9415c4daf62dfc479515e3b

Download Submit
C:\Windows\System32\DlqcvdC.exe

Filesize
1.2MB

MD5
9a2b706930e7e3d1a8a8ddb05aa504e7

SHA1
6ee057b8d40813c9ce65bfbaf33179ffa3507164

SHA256
61decb3c30321345e97ed0b0328f345b15776972c00f1fe27f3ce8cdffd831bc

SHA512
66564bf6f5039787fffeb2bb96edffa551d104a62723367fa9acde57978342458bfb1feef3a90a7c50a6ecf5205cb98044ca690ab95dc6730188bc58bb2c485a

Download Submit
C:\Windows\System32\EyRPOOC.exe

Filesize
1.2MB

MD5
8f0c5a7b30824ebc9102650cf68b84b0

SHA1
c102e302de55638ee2ff73eca79ca32fd0a6e810

SHA256
601ddc9acabcf81d109c320c784d1269ac01132c3d6602e991501b80e4921816

SHA512
0d1916eb516e637369269757f563ba720285174dbbac6951432afa64309d04fe48bb253956a734c57d4c07e682d0590ae777f778d71b9bb0f4f8cd5a32625e88

Download Submit
C:\Windows\System32\IlHJRPD.exe

Filesize
1.2MB

MD5
9caf76a7cfc2534049b459d184cd301d

SHA1
90d231074b46bc0b547921ba3f1e266c7916f732

SHA256
555ab0029ca4f907efa3db5312164742929eef0267e9cfb704c665f7c8b41eaf

SHA512
ec4d01ab58180684d6e2aea1805d4f73fd53f6c403de32923a4aca9e3fa3942441d2bc5d528787bc1928cae579662c6af46345c915d364a32c63319b0a8e3c28

Download Submit
C:\Windows\System32\JyOvHDF.exe

Filesize
1.2MB

MD5
bb19d388bec056ff7cc71df0a6aefff0

SHA1
5a045e6727b318dc65a60b758668da97ff53611c

SHA256
65a7951a71391f8c96393ec5a5e884858b3eee93f50d77d6c4f60fa1b4deca8c

SHA512
33f6466f93dfaa95a3e5eddaed29512acf9fb10d1a662d0cfa3b0a45422bace7c6d5df5a06ae2edd75f3bf4b4bc95b22f28d5c7b370afd213b37b167cd78949e

Download Submit
C:\Windows\System32\KqLXBvj.exe

Filesize
1.2MB

MD5
478352d98517ccfbce1348e16579f64e

SHA1
18ad02246505a9c8ad6d176286258882855244f8

SHA256
3784cc333a21e069a9ada9abc594603fe30e84f9c439566fb4c56d404bc3ebce

SHA512
55818df8b63c9da482c4866e1a0762df8cf0186c24983c67025c6f76a2ba84cd19c7cde997289e9c95641cb2a7c07273c4ca466530e7cd298d26496cb2af71ed

Download Submit
C:\Windows\System32\MWMixeV.exe

Filesize
1.2MB

MD5
b6e127b1eebe47e66e54c15430901909

SHA1
1d34f25767ea20fba3f50d90b9f048511bc86557

SHA256
6a26131248c925d0131330a5bdd57ce3f0b383e14794ba5ad0ed4567efbcb2e8

SHA512
7a8268a71220964b22c48704d3bdf3af6626c9646d9560db152231a6707239425d1c8e326ca4f2735255dc2b806cdd5fb62970ebd118aa9f2f961ffeef65b4fb

Download Submit
C:\Windows\System32\NRlplqg.exe

Filesize
1.2MB

MD5
cdb7e983a75b3e02aba2deb3190d0010

SHA1
7572c7a41ecbf4b83840abb700ff51ca556a692b

SHA256
fd8bfa79bc593ebbe3a649d36c5496eb59ca39637e08a938e30c84016fd0e3aa

SHA512
d096dd5f76f1c0339a40439bd9b3e8fa7458798d8c26fcd28b0e0b7c50cb6b04a89add5450c15e51ea90bf55329767dc7c856e56a81e8f99c6da65a9c6b9823a

Download Submit
C:\Windows\System32\OKaCKXR.exe

Filesize
1.2MB

MD5
551dc42d85a4ababba94f9f985067962

SHA1
c84119b2508233c7d78d7ff5fcad4e7f658662ca

SHA256
55d45fbd18ae946fb414984e276bf0c40f673d43f107f0ce40ed26f3bfafa66d

SHA512
0029642dcb91988b139aa0f579f26b4a7a796c201eee0381dda14ee30c6b9170a95287392d2f5447e8d7d3e22b935d53dbcc5e75672791f763376300e38addda

Download Submit
C:\Windows\System32\QGpoaHk.exe

Filesize
1.2MB

MD5
15e118d5b9b8e20c34a4477f14446470

SHA1
752fc0175c62ad5bd58808ae982807da44af7663

SHA256
8785ecc373767eeb331eceb5911c72651030a05a0ebcfee0fb86505ff33fc0f1

SHA512
0edabda442eedc4dd4c576924a5064091032f26015e0a6ab3a47431b0be9350d48a621726d396265e58170c3b1dc179d6eeb22bc1420d4fb0b3edf3c80903e58

Download Submit
C:\Windows\System32\TgKsHMU.exe

Filesize
1.2MB

MD5
ab5dd8eaab0427c27342cc63b00886dc

SHA1
c2d5f4c3964bd93bfc15b1cf762385a0dfcc25c5

SHA256
de8b8b001c40abe0d98a6ec5b1c38eed8f6ce206768de6a8003f362da329366f

SHA512
842b37d79038fcc276e2060227d6aea234aacc1a7f204fecf149cb23cec98a6bd2e5bd22e0b1dc28b9474783c9ca1aae32a04d58375ac8f34d923f2fdf66f193

Download Submit
C:\Windows\System32\YDrlKBC.exe

Filesize
1.2MB

MD5
c95b95a43e6d9aa4f1970b1785e9e4a5

SHA1
f6cd3041485a1003d74c0d9f3c0763db9cb721aa

SHA256
af523fe30f64f818d17f9dfa66943d7f5af1990ffa78381845cf5f169ce50091

SHA512
c247d18dfde108627c4009663a3c8d9bb4d55f574120e1440f3a91bb39e8dc473cb6b17f722693514edbbb9f17756f20320872e9c582c1274fcc3db770e0bb79

Download Submit
C:\Windows\System32\aVJNxYA.exe

Filesize
1.2MB

MD5
a81978ef7a2bdbdb4eb85d424ec6e4aa

SHA1
bf324b0499544a51742f027d7ad451990c2ab13f

SHA256
83805d5883c80653022b4fb003a375fb7639e9ee8fdf83e06fe11f85ae494ad7

SHA512
0b9a4887bb0a3f006dc3f85c23670ef5b2f9ca7c2f194b3607a259667555e2cb4d24986f972f77ade9873e20634e732be0bba22f857be9bea05cc39caff5d23f

Download Submit
C:\Windows\System32\aXyhXvl.exe

Filesize
1.2MB

MD5
26dcfa82e375c4d5eaacc21a4d6d2398

SHA1
b4a4406b7e73ddb12cacd40a190bfd2ec97a35cc

SHA256
cdd42933cf81bd2f7721a262ea1428343a20d8eab1122ce9d7f335d62107fe4c

SHA512
5208b01a18dbb06853167fea0a19e7027f359907f79fdc6c6b42b270baac85abc1db98e0da9390ea3c95a28962fa4417a4a3af3ab7c5a573df1582bde2872157

Download Submit
C:\Windows\System32\bZddQzz.exe

Filesize
1.2MB

MD5
a55665288a54aedd7ea8c1b719a576b1

SHA1
104c43523369a7ceb1855ac237e313aedf799b28

SHA256
e8d4d99a4397f2849521cdce588771a6f9e440d659dbc4d80f098acb88a0a613

SHA512
14c0830225335102c982b1a2b9318ecffe646f4e9951657c6d41191125a76f8746ee7e1a6eb11db3c37edb3ab838159a8539aa328685b6e05746008ac1be640a

Download Submit
C:\Windows\System32\brbjdkD.exe

Filesize
1.2MB

MD5
569f86764b552d0324fa0d6f82cec24a

SHA1
994c0dd432197939e5f6d5e9fb41c7b4636d9a13

SHA256
0690471333bfedcebdae6fb4ad14033f6d06871f1e45c7a00ad366139db611cf

SHA512
1a0fc94634c051aa0e9c1a98853cfc6ee40809ee3151e4ecd4f82aa9817afcc268567f6c18dbbe6b2a874fe6fcb00da3f422d6250e0f129b2b661c5de5cd7c76

Download Submit
C:\Windows\System32\cfOTCUU.exe

Filesize
1.2MB

MD5
256ee10812a081e01723687ea0a9fe30

SHA1
0cd76bc019ae9946f89bdf0df872dff3a38ee925

SHA256
9b95b19795b56468f19ef8101462efcd7c03be6e490e24fadbcb5f8643c67c92

SHA512
6317cf8056e8e14b635bde67f2b2b1667296554b6a25e60221310c22103289f78a4c3d4e5b2c7b49b9cf07ee8eec1cc9a7bccb3f404718c5fa977fffab2eb18e

Download Submit
C:\Windows\System32\dPqvvNk.exe

Filesize
1.2MB

MD5
0b7265284fac8fc4816789e7ade0f332

SHA1
1fbbf62940a97d42e5f310f53d8d384423c36528

SHA256
a20510047a8bf30b298b0858167d40bb4ff2f466797721c3d8e95c122b79f54b

SHA512
0e51f2e2c613eda7672ffb0453152af6036871470a261a514758a8f5e76de4595751aa0f583f4998d55e739fd99df51012cd85af012f2e11b3992e23364d7784

Download Submit
C:\Windows\System32\doxjyKA.exe

Filesize
1.2MB

MD5
822150771df58caa4f2d48e0dfee0897

SHA1
5215d1de83e5890a13654e7a6cd96b9c0bcea75d

SHA256
b36689cb5e7a2ae3f4b4f8be20855bbf5c8fe5901700e7c09782c56b41f2a6fb

SHA512
130516fd0cb4df6300bbb311e2ebb70b75dd4cf5c26470f3d2ad70e45ed3de354d49ee900c5105a736c34be543a5d4013cf3331bd724ebd7cd04c04bbcecc2ea

Download Submit
C:\Windows\System32\hWSaKEm.exe

Filesize
1.2MB

MD5
61606ad29e490796646bf32dba856213

SHA1
791e6fdb6cbce9ac44ceeba728118a258f696065

SHA256
de44ab5b06e152591c4ebe2c0d73eb264dca6b57a3741c79bcd48387fdef4667

SHA512
07e4d0da8e764c02b7e188b2915e815da3f6ad8f7624a0a299650ffb0e94356c1056f8bbb1ce5fc2cbd451f2f45ae2746c7966dd87a7924529b4890d2a38a738

Download Submit
C:\Windows\System32\hvoPDnI.exe

Filesize
1.2MB

MD5
c67eb7a481550b5ec2e5d2b7293dd60f

SHA1
052fb9a0811c2c767a15354e15afbdbb5705bb53

SHA256
12d91ad2b0243f38efaa151c073feee6cae35df52138b4687b4f72d04cd842d8

SHA512
81ff579039d5801ffb5635f4cef2c9a45c2675faf2727b8846c6830a94ba648ad834551307aa7704a3ecc2224fce466f9893f4402aa1ace93332803d5b4c1258

Download Submit
C:\Windows\System32\ndXvTHX.exe

Filesize
1.2MB

MD5
451c8187a9d407cd5698b59076cbc608

SHA1
96dc37e41db72bfa29d3e40de5acf6a09b83be80

SHA256
4246048ecdf82a613ebb69aa0fc7eb0e337e3872df5e1ad7fc17d3e714e63d8e

SHA512
5cbc2567d8fe029ba008f5d8ee1c870ab141bed399b25684a12ab309317c5fc28ab13868891749500607acfdaad5452bd167acc3063e6ccb69338ca58b06daa2

Download Submit
C:\Windows\System32\pIoQAAE.exe

Filesize
1.2MB

MD5
1ab072902ace616e0747b2b4596dc977

SHA1
572bfbc1ad30c9f6bc34852cc659cbfbb71809b8

SHA256
018ecf2e0ac236d2d741b985ae7208ddcde68f6af3a1588a80ec5f08d2b60e75

SHA512
3272c887dc4812218081951ca6d0f3a3887bdacc3eebf87f5e393bd436918d588ac58f758df5e20bf11fe3d08609ffaac8afbdfed67dc4b2814b6e4a83194397

Download Submit
C:\Windows\System32\pxlvADI.exe

Filesize
1.2MB

MD5
2cdd804ca64e5f06c66586295ff3256f

SHA1
51337f801016c068ec4a41d92a4552c9414036ab

SHA256
3ca08d266ea6abcc99c0750c0084025771005997dffbe75b4c0131e7127cb68d

SHA512
3ad507a9e1bfcde4400f169bd1cd3ef216d1ce8d84bb1cd549b1019e37be1abd03032eede5bbf874404acbd5ddd8f3c7ad8a5d7fe8fd94b991551c97c67f0b89

Download Submit
C:\Windows\System32\qGHwAvg.exe

Filesize
1.2MB

MD5
1d5e61d067cd4d344d27df46baf650bb

SHA1
407741e60d16483c3d2bd7565d191ade546eeba9

SHA256
069ba63da1aaf61939061a90ff488a164aae8dc9c3d6c67a06d7b1c8e6976633

SHA512
64affeb027b28487ce8df5c7912f1d4cb9eb87e62a89bd5647a2bf50712e4d9fbc887b32f6a8443dd7c7d6bcb2e2964e6ea19065e3b13f9eddc4734c68b4a998

Download Submit
C:\Windows\System32\rVBASuA.exe

Filesize
1.2MB

MD5
baa86549a174a1fa64ae9d2a514b8d2a

SHA1
373d8f011994be68710fd026bf53b71f343d98f1

SHA256
7cc40b9ae98b9216e4e242ad7ec2ad65e6002a521829e14df7647a2cbeac909b

SHA512
1a6a171db72493fbc87479135a8b283d93e605450899a776e382c826c4d370decdfdf8fc1d212e8594389ebb65e2324699da74c85a91f54f3ec3df6efaa26e46

Download Submit
C:\Windows\System32\vRZtKYY.exe

Filesize
1.2MB

MD5
660b1e2b4f34ab2d3c2b4ffed9ff334f

SHA1
5d7bd55e539d4c8ef7351c457c6f2f7fd8e78efd

SHA256
83d869f2ebc29e09e427a38e2c0be26be167ca5654688390077927d1a5732996

SHA512
c8ba3831f7ca6e519ebe3c413d587e59ba0564fc6ec8c20ec86b93a725ec4a4cd91cb53397970dc923f9b6b4e4823f4f62bc78f7d35ad41911cce066c805fabc

Download Submit
C:\Windows\System32\wAfhsVt.exe

Filesize
1.2MB

MD5
334cf9ff8e2d89cce99f25ec8a36b04a

SHA1
b8899fb8cd04aefbcc9e26200ca05c845f9a85f5

SHA256
521d18c318a96fa3af145ae2435fe2a8447a3437bcde24633b7a043161c6f6dd

SHA512
3b1478384edd61b515f03697b43198421baaead3bead6ef9d8b51824d9cb61d3e318bb6b7f372e7edf6d2e11ac2c525335e01a7d84960e43a17b39fffaa905de

Download Submit
C:\Windows\System32\yNvtfuG.exe

Filesize
1.2MB

MD5
784f751ff18816dcd61a4319fcfac8ad

SHA1
040c35f43a52df11f0ab39a5a1f204ccad1c5663

SHA256
6bc7e8feaa22c2c4174a23eb7f99cafbece10973e8d705b9d06d0553a28292c6

SHA512
49ad007f5a715a158c6411267a127812aa14f1feb82b694b61b95fcd510e1e9472dcd8349cb1609702421d5ae1c3b255680d13e9e7b77c66c6300004b95201de

Download Submit
C:\Windows\System32\yZlJUJe.exe

Filesize
1.2MB

MD5
577def9f569bb5b884b0b56746d53a58

SHA1
45856e189f86efac1cf3c5e9677a2d38e42ca847

SHA256
b1d4d7abc7ca6f5d341986c4be0272f7b93e3606c836fea7a36c6deb243abcfb

SHA512
111675857a12aa9b71b674499fd8f90779971bbfbfd02cee44578c1b30bd51e54b114e65d5a6fbf83062e01a39eb746ce7930122645eba0cdb9455c66deaa3a0

Download Submit
C:\Windows\System32\ylhlvJB.exe

Filesize
1.2MB

MD5
0bb0aff1b37ee65d5f34174c1f7b9282

SHA1
dfeb9843a962af680025d4ae9e274099cdc09b88

SHA256
1a85aa70cfcf79fdf83f1cfaebe1d5085762b6bcad340175d9d9792b8d323779

SHA512
e79eee69e802dbc654a37e3e0e9116dc577aaaa7a880612f1b78b958a42121569913c02e934b20cbdb58da45871af03118fe0ca0a4af3153d6e381980ce2cbe1

Download Submit
C:\Windows\System32\ytGOHSo.exe

Filesize
1.2MB

MD5
4dbacca97003c0c420a28dee57716aab

SHA1
dce051309075fdde671545786e45d97afb907d21

SHA256
956d07a2e61b43db04badbd45d7e24a2ab1938bf118a4a2c576bf4a98460f4e8

SHA512
a095229031861359c319a36691d3997cc5c44322140bda807992bb5a4e1d529297385e43dc95070b0110e2d82f0bf7d5d61ece7a8a6918d35076d466cbd38394

Download Submit
memory/400-2221-0x00007FF6B6B70000-0x00007FF6B6F61000-memory.dmp

Filesize
3.9MB

Download
memory/400-53-0x00007FF6B6B70000-0x00007FF6B6F61000-memory.dmp

Filesize
3.9MB

Download
memory/648-2247-0x00007FF708710000-0x00007FF708B01000-memory.dmp

Filesize
3.9MB

Download
memory/648-296-0x00007FF708710000-0x00007FF708B01000-memory.dmp

Filesize
3.9MB

Download
memory/748-334-0x00007FF7C2300000-0x00007FF7C26F1000-memory.dmp

Filesize
3.9MB

Download
memory/748-2258-0x00007FF7C2300000-0x00007FF7C26F1000-memory.dmp

Filesize
3.9MB

Download
memory/1132-57-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp

Filesize
3.9MB

Download
memory/1132-2008-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp

Filesize
3.9MB

Download
memory/1132-2334-0x00007FF7C2810000-0x00007FF7C2C01000-memory.dmp

Filesize
3.9MB

Download
memory/1276-1-0x00000114225F0000-0x0000011422600000-memory.dmp

Filesize
64KB

Download
memory/1276-70-0x00007FF75E080000-0x00007FF75E471000-memory.dmp

Filesize
3.9MB

Download
memory/1276-0-0x00007FF75E080000-0x00007FF75E471000-memory.dmp

Filesize
3.9MB

Download
memory/1276-2026-0x00007FF75E080000-0x00007FF75E471000-memory.dmp

Filesize
3.9MB

Download
memory/1344-312-0x00007FF7BBEE0000-0x00007FF7BC2D1000-memory.dmp

Filesize
3.9MB

Download
memory/1344-2250-0x00007FF7BBEE0000-0x00007FF7BC2D1000-memory.dmp

Filesize
3.9MB

Download
memory/1776-288-0x00007FF6D2700000-0x00007FF6D2AF1000-memory.dmp

Filesize
3.9MB

Download
memory/1776-2239-0x00007FF6D2700000-0x00007FF6D2AF1000-memory.dmp

Filesize
3.9MB

Download
memory/2068-2215-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp

Filesize
3.9MB

Download
memory/2068-32-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp

Filesize
3.9MB

Download
memory/2068-1820-0x00007FF75AFC0000-0x00007FF75B3B1000-memory.dmp

Filesize
3.9MB

Download
memory/2120-72-0x00007FF77A680000-0x00007FF77AA71000-memory.dmp

Filesize
3.9MB

Download
memory/2120-2232-0x00007FF77A680000-0x00007FF77AA71000-memory.dmp

Filesize
3.9MB

Download
memory/2484-2231-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp

Filesize
3.9MB

Download
memory/2484-2009-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp

Filesize
3.9MB

Download
memory/2484-61-0x00007FF6E3A80000-0x00007FF6E3E71000-memory.dmp

Filesize
3.9MB

Download
memory/2488-1373-0x00007FF69F180000-0x00007FF69F571000-memory.dmp

Filesize
3.9MB

Download
memory/2488-20-0x00007FF69F180000-0x00007FF69F571000-memory.dmp

Filesize
3.9MB

Download
memory/2488-2183-0x00007FF69F180000-0x00007FF69F571000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2223-0x00007FF6B94C0000-0x00007FF6B98B1000-memory.dmp

Filesize
3.9MB

Download
memory/2884-41-0x00007FF6B94C0000-0x00007FF6B98B1000-memory.dmp

Filesize
3.9MB

Download
memory/3156-289-0x00007FF695270000-0x00007FF695661000-memory.dmp

Filesize
3.9MB

Download
memory/3156-2235-0x00007FF695270000-0x00007FF695661000-memory.dmp

Filesize
3.9MB

Download
memory/3272-43-0x00007FF67E530000-0x00007FF67E921000-memory.dmp

Filesize
3.9MB

Download
memory/3272-1991-0x00007FF67E530000-0x00007FF67E921000-memory.dmp

Filesize
3.9MB

Download
memory/3272-2219-0x00007FF67E530000-0x00007FF67E921000-memory.dmp

Filesize
3.9MB

Download
memory/3292-2260-0x00007FF6D5B10000-0x00007FF6D5F01000-memory.dmp

Filesize
3.9MB

Download
memory/3292-328-0x00007FF6D5B10000-0x00007FF6D5F01000-memory.dmp

Filesize
3.9MB

Download
memory/3564-2179-0x00007FF7A10A0000-0x00007FF7A1491000-memory.dmp

Filesize
3.9MB

Download
memory/3564-12-0x00007FF7A10A0000-0x00007FF7A1491000-memory.dmp

Filesize
3.9MB

Download
memory/3672-2257-0x00007FF7A6020000-0x00007FF7A6411000-memory.dmp

Filesize
3.9MB

Download
memory/3672-326-0x00007FF7A6020000-0x00007FF7A6411000-memory.dmp

Filesize
3.9MB

Download
memory/3900-2181-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp

Filesize
3.9MB

Download
memory/3900-16-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp

Filesize
3.9MB

Download
memory/3900-71-0x00007FF7C8310000-0x00007FF7C8701000-memory.dmp

Filesize
3.9MB

Download
memory/4188-2244-0x00007FF783A20000-0x00007FF783E11000-memory.dmp

Filesize
3.9MB

Download
memory/4188-302-0x00007FF783A20000-0x00007FF783E11000-memory.dmp

Filesize
3.9MB

Download
memory/4360-1822-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4360-39-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4360-2217-0x00007FF7FDCE0000-0x00007FF7FE0D1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-74-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2023-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2240-0x00007FF671BB0000-0x00007FF671FA1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-2252-0x00007FF70E1B0000-0x00007FF70E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-314-0x00007FF70E1B0000-0x00007FF70E5A1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-285-0x00007FF6E8FF0000-0x00007FF6E93E1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-2237-0x00007FF6E8FF0000-0x00007FF6E93E1000-memory.dmp

Filesize
3.9MB

Download
memory/5092-292-0x00007FF690EF0000-0x00007FF6912E1000-memory.dmp

Filesize
3.9MB

Download
memory/5092-2242-0x00007FF690EF0000-0x00007FF6912E1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-2248-0x00007FF7BF4B0000-0x00007FF7BF8A1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-308-0x00007FF7BF4B0000-0x00007FF7BF8A1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads