xmrig | 8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155

Analysis

max time kernel
68s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
Size

1.6MB
MD5

0a472e4bdd8d288dd5217e6de55b6df1
SHA1

2e62652dbe7b5d14e48adc67eb5f0b8a72b3a6b4
SHA256

8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155
SHA512

4a47ed24f158dca4605d64f433b8a23ab5bbb18a484a2fc32c5b9a58a26d01ba806f09b8a6e3ca14a5e25dd820cd5ba2f0c8c02d48c9058d594e3e33a011a4b9
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlia+zzDwD/YCgU+Lqq6a9xyCyt0RCciNHV2mZuDcoY:knw9oUUEEDlnDwq6Sd0R7qV2Y9i8

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3408-0-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	UPX
C:\Windows\System32\KLHFBYf.exe	UPX
behavioral2/memory/1408-7-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	UPX
C:\Windows\System32\VSVgBEA.exe	UPX
behavioral2/memory/4848-14-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	UPX
C:\Windows\System32\SubCzmp.exe	UPX
behavioral2/memory/4492-15-0x00007FF712560000-0x00007FF712951000-memory.dmp	UPX
C:\Windows\System32\wUyTRPS.exe	UPX
C:\Windows\System32\VEHymEF.exe	UPX
behavioral2/memory/2184-45-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	UPX
behavioral2/memory/540-50-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	UPX
C:\Windows\System32\UwVXofQ.exe	UPX
behavioral2/memory/3076-58-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	UPX
C:\Windows\System32\IoNtrDa.exe	UPX
C:\Windows\System32\wTXfPOn.exe	UPX
C:\Windows\System32\RRpZEwP.exe	UPX
C:\Windows\System32\LSBDrvf.exe	UPX
C:\Windows\System32\anoAvVv.exe	UPX
C:\Windows\System32\eAPssCu.exe	UPX
C:\Windows\System32\oIiBNMR.exe	UPX
C:\Windows\System32\RsuzfPs.exe	UPX
C:\Windows\System32\ExxPNiM.exe	UPX
behavioral2/memory/3408-415-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	UPX
behavioral2/memory/4560-417-0x00007FF703880000-0x00007FF703C71000-memory.dmp	UPX
behavioral2/memory/1408-416-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	UPX
C:\Windows\System32\NugPeKO.exe	UPX
behavioral2/memory/640-428-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp	UPX
behavioral2/memory/4652-422-0x00007FF637260000-0x00007FF637651000-memory.dmp	UPX
C:\Windows\System32\TrfHOWk.exe	UPX
C:\Windows\System32\QTaxLIi.exe	UPX
C:\Windows\System32\tCeAcyA.exe	UPX
C:\Windows\System32\vUrskUJ.exe	UPX
C:\Windows\System32\JYeMJNO.exe	UPX
C:\Windows\System32\BLizoOF.exe	UPX
C:\Windows\System32\dzyIeui.exe	UPX
C:\Windows\System32\rdUMzOS.exe	UPX
C:\Windows\System32\ATyfeJM.exe	UPX
C:\Windows\System32\qxmsLJO.exe	UPX
C:\Windows\System32\wYnudrx.exe	UPX
C:\Windows\System32\wpZgTxA.exe	UPX
behavioral2/memory/1352-62-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp	UPX
C:\Windows\System32\snctYmh.exe	UPX
C:\Windows\System32\FsNTOMS.exe	UPX
behavioral2/memory/3092-41-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp	UPX
behavioral2/memory/3216-38-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp	UPX
behavioral2/memory/4888-36-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp	UPX
C:\Windows\System32\qZTnPVR.exe	UPX
C:\Windows\System32\TlJdjOV.exe	UPX
behavioral2/memory/4792-432-0x00007FF760050000-0x00007FF760441000-memory.dmp	UPX
behavioral2/memory/3600-437-0x00007FF75A310000-0x00007FF75A701000-memory.dmp	UPX
behavioral2/memory/2760-440-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp	UPX
behavioral2/memory/1168-442-0x00007FF750540000-0x00007FF750931000-memory.dmp	UPX
behavioral2/memory/4248-453-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp	UPX
behavioral2/memory/2100-456-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp	UPX
behavioral2/memory/1492-465-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp	UPX
behavioral2/memory/1284-462-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp	UPX
behavioral2/memory/1652-452-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp	UPX
behavioral2/memory/1848-450-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp	UPX
behavioral2/memory/4680-441-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp	UPX
behavioral2/memory/4848-1015-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	UPX
behavioral2/memory/4492-1911-0x00007FF712560000-0x00007FF712951000-memory.dmp	UPX
behavioral2/memory/2184-1996-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	UPX
behavioral2/memory/540-1997-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	UPX
behavioral2/memory/3076-2003-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3408-415-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	xmrig
behavioral2/memory/4560-417-0x00007FF703880000-0x00007FF703C71000-memory.dmp	xmrig
behavioral2/memory/1408-416-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	xmrig
behavioral2/memory/640-428-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp	xmrig
behavioral2/memory/4652-422-0x00007FF637260000-0x00007FF637651000-memory.dmp	xmrig
behavioral2/memory/3092-41-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp	xmrig
behavioral2/memory/3216-38-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp	xmrig
behavioral2/memory/4888-36-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp	xmrig
behavioral2/memory/4792-432-0x00007FF760050000-0x00007FF760441000-memory.dmp	xmrig
behavioral2/memory/3600-437-0x00007FF75A310000-0x00007FF75A701000-memory.dmp	xmrig
behavioral2/memory/2760-440-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp	xmrig
behavioral2/memory/1168-442-0x00007FF750540000-0x00007FF750931000-memory.dmp	xmrig
behavioral2/memory/4248-453-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp	xmrig
behavioral2/memory/2100-456-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp	xmrig
behavioral2/memory/1492-465-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp	xmrig
behavioral2/memory/1284-462-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp	xmrig
behavioral2/memory/1652-452-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp	xmrig
behavioral2/memory/1848-450-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp	xmrig
behavioral2/memory/4680-441-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp	xmrig
behavioral2/memory/4848-1015-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	xmrig
behavioral2/memory/4492-1911-0x00007FF712560000-0x00007FF712951000-memory.dmp	xmrig
behavioral2/memory/2184-1996-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	xmrig
behavioral2/memory/540-1997-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	xmrig
behavioral2/memory/3076-2003-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	xmrig
behavioral2/memory/1352-2031-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp	xmrig
behavioral2/memory/3408-2033-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	xmrig
behavioral2/memory/1408-2046-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	xmrig
behavioral2/memory/4848-2049-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	xmrig
behavioral2/memory/4492-2050-0x00007FF712560000-0x00007FF712951000-memory.dmp	xmrig
behavioral2/memory/4888-2052-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp	xmrig
behavioral2/memory/3092-2056-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp	xmrig
behavioral2/memory/3216-2054-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp	xmrig
behavioral2/memory/640-2071-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp	xmrig
behavioral2/memory/540-2067-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	xmrig
behavioral2/memory/4560-2063-0x00007FF703880000-0x00007FF703C71000-memory.dmp	xmrig
behavioral2/memory/2184-2059-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	xmrig
behavioral2/memory/4652-2074-0x00007FF637260000-0x00007FF637651000-memory.dmp	xmrig
behavioral2/memory/4680-2078-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp	xmrig
behavioral2/memory/2100-2088-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp	xmrig
behavioral2/memory/1284-2090-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp	xmrig
behavioral2/memory/1492-2092-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp	xmrig
behavioral2/memory/4248-2086-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp	xmrig
behavioral2/memory/1652-2084-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp	xmrig
behavioral2/memory/1168-2082-0x00007FF750540000-0x00007FF750931000-memory.dmp	xmrig
behavioral2/memory/1848-2081-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp	xmrig
behavioral2/memory/2760-2076-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp	xmrig
behavioral2/memory/4792-2073-0x00007FF760050000-0x00007FF760441000-memory.dmp	xmrig
behavioral2/memory/3600-2068-0x00007FF75A310000-0x00007FF75A701000-memory.dmp	xmrig
behavioral2/memory/1352-2065-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp	xmrig
behavioral2/memory/3076-2061-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

KLHFBYf.exeSubCzmp.exeVSVgBEA.exeTlJdjOV.exewUyTRPS.exeqZTnPVR.exeVEHymEF.exeUwVXofQ.exeFsNTOMS.exesnctYmh.exeIoNtrDa.exewTXfPOn.exewpZgTxA.exeRRpZEwP.exeLSBDrvf.exewYnudrx.exeqxmsLJO.exeanoAvVv.exeATyfeJM.exeeAPssCu.exeoIiBNMR.exerdUMzOS.exedzyIeui.exeBLizoOF.exeJYeMJNO.exeRsuzfPs.exevUrskUJ.exetCeAcyA.exeQTaxLIi.exeTrfHOWk.exeExxPNiM.exeNugPeKO.exeBGhzkLB.exeBsDcsIT.exedyrGjoe.exepEVGYJF.exeQBuYTVS.exereUEFjC.exeJqDANMS.execNYJUoj.execZkBPIH.exeZHXfKiX.exeEHOnjwP.exenywxvZO.exeZOmKesJ.exeiKPAYNL.exedERgqaC.exeoNmttZA.exeGQNYGaR.exexwitnEI.exeydzUsvi.exezEhgawQ.exejQkSKwj.exeVOxIVXd.exezzsTyeO.exeGSfnAgT.exewShqlkX.exehDasfhg.exeqdUBaqM.exeMVJQLzH.exeGOlaSsv.exeaKeDXnf.exesmZGRbl.exetHoexXL.exe

pid	process
1408	KLHFBYf.exe
4848	SubCzmp.exe
4492	VSVgBEA.exe
4888	TlJdjOV.exe
3216	wUyTRPS.exe
3092	qZTnPVR.exe
2184	VEHymEF.exe
540	UwVXofQ.exe
3076	FsNTOMS.exe
1352	snctYmh.exe
4560	IoNtrDa.exe
4652	wTXfPOn.exe
640	wpZgTxA.exe
4792	RRpZEwP.exe
3600	LSBDrvf.exe
2760	wYnudrx.exe
4680	qxmsLJO.exe
1168	anoAvVv.exe
1848	ATyfeJM.exe
1652	eAPssCu.exe
4248	oIiBNMR.exe
2100	rdUMzOS.exe
1284	dzyIeui.exe
1492	BLizoOF.exe
4100	JYeMJNO.exe
1124	RsuzfPs.exe
3984	vUrskUJ.exe
5028	tCeAcyA.exe
4000	QTaxLIi.exe
3500	TrfHOWk.exe
2052	ExxPNiM.exe
4816	NugPeKO.exe
4736	BGhzkLB.exe
3504	BsDcsIT.exe
4880	dyrGjoe.exe
4124	pEVGYJF.exe
4120	QBuYTVS.exe
2208	reUEFjC.exe
3172	JqDANMS.exe
4724	cNYJUoj.exe
2176	cZkBPIH.exe
1812	ZHXfKiX.exe
228	EHOnjwP.exe
4292	nywxvZO.exe
1824	ZOmKesJ.exe
4964	iKPAYNL.exe
4948	dERgqaC.exe
2488	oNmttZA.exe
4828	GQNYGaR.exe
932	xwitnEI.exe
912	ydzUsvi.exe
4664	zEhgawQ.exe
3676	jQkSKwj.exe
4188	VOxIVXd.exe
1200	zzsTyeO.exe
3788	GSfnAgT.exe
1372	wShqlkX.exe
4052	hDasfhg.exe
1964	qdUBaqM.exe
4872	MVJQLzH.exe
4684	GOlaSsv.exe
4336	aKeDXnf.exe
5008	smZGRbl.exe
3584	tHoexXL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3408-0-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	upx
C:\Windows\System32\KLHFBYf.exe	upx
behavioral2/memory/1408-7-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	upx
C:\Windows\System32\VSVgBEA.exe	upx
behavioral2/memory/4848-14-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	upx
C:\Windows\System32\SubCzmp.exe	upx
behavioral2/memory/4492-15-0x00007FF712560000-0x00007FF712951000-memory.dmp	upx
C:\Windows\System32\wUyTRPS.exe	upx
C:\Windows\System32\VEHymEF.exe	upx
behavioral2/memory/2184-45-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	upx
behavioral2/memory/540-50-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	upx
C:\Windows\System32\UwVXofQ.exe	upx
behavioral2/memory/3076-58-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	upx
C:\Windows\System32\IoNtrDa.exe	upx
C:\Windows\System32\wTXfPOn.exe	upx
C:\Windows\System32\RRpZEwP.exe	upx
C:\Windows\System32\LSBDrvf.exe	upx
C:\Windows\System32\anoAvVv.exe	upx
C:\Windows\System32\eAPssCu.exe	upx
C:\Windows\System32\oIiBNMR.exe	upx
C:\Windows\System32\RsuzfPs.exe	upx
C:\Windows\System32\ExxPNiM.exe	upx
behavioral2/memory/3408-415-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp	upx
behavioral2/memory/4560-417-0x00007FF703880000-0x00007FF703C71000-memory.dmp	upx
behavioral2/memory/1408-416-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp	upx
C:\Windows\System32\NugPeKO.exe	upx
behavioral2/memory/640-428-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp	upx
behavioral2/memory/4652-422-0x00007FF637260000-0x00007FF637651000-memory.dmp	upx
C:\Windows\System32\TrfHOWk.exe	upx
C:\Windows\System32\QTaxLIi.exe	upx
C:\Windows\System32\tCeAcyA.exe	upx
C:\Windows\System32\vUrskUJ.exe	upx
C:\Windows\System32\JYeMJNO.exe	upx
C:\Windows\System32\BLizoOF.exe	upx
C:\Windows\System32\dzyIeui.exe	upx
C:\Windows\System32\rdUMzOS.exe	upx
C:\Windows\System32\ATyfeJM.exe	upx
C:\Windows\System32\qxmsLJO.exe	upx
C:\Windows\System32\wYnudrx.exe	upx
C:\Windows\System32\wpZgTxA.exe	upx
behavioral2/memory/1352-62-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp	upx
C:\Windows\System32\snctYmh.exe	upx
C:\Windows\System32\FsNTOMS.exe	upx
behavioral2/memory/3092-41-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp	upx
behavioral2/memory/3216-38-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp	upx
behavioral2/memory/4888-36-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp	upx
C:\Windows\System32\qZTnPVR.exe	upx
C:\Windows\System32\TlJdjOV.exe	upx
behavioral2/memory/4792-432-0x00007FF760050000-0x00007FF760441000-memory.dmp	upx
behavioral2/memory/3600-437-0x00007FF75A310000-0x00007FF75A701000-memory.dmp	upx
behavioral2/memory/2760-440-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp	upx
behavioral2/memory/1168-442-0x00007FF750540000-0x00007FF750931000-memory.dmp	upx
behavioral2/memory/4248-453-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp	upx
behavioral2/memory/2100-456-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp	upx
behavioral2/memory/1492-465-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp	upx
behavioral2/memory/1284-462-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp	upx
behavioral2/memory/1652-452-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp	upx
behavioral2/memory/1848-450-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp	upx
behavioral2/memory/4680-441-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp	upx
behavioral2/memory/4848-1015-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp	upx
behavioral2/memory/4492-1911-0x00007FF712560000-0x00007FF712951000-memory.dmp	upx
behavioral2/memory/2184-1996-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp	upx
behavioral2/memory/540-1997-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp	upx
behavioral2/memory/3076-2003-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Drops file in System32 directory 64 IoCs

Processes:

8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe

description	ioc	process
File created	C:\Windows\System32\YmVccdv.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\NvHgDKj.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\IMrWyLS.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\bECMrYF.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\TPccVKY.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\tYtNaAy.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\MZzfKTG.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\BbnXSkM.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\smZGRbl.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\AlJpyEy.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\dHJvbWi.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\CoCuVAo.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\vsWCDRb.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\dbrQPbZ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\QuVpHUe.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\HXBLJSJ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\cbvfDXL.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\YGKEbvJ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\pRtAKka.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\JAlbNux.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\zzsTyeO.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\yqVoFxk.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\DmwWcGU.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\hNElotA.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\JxqOzDa.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\wShqlkX.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\nyFuGuE.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\LYSmpjm.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\YCIENSN.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\hbvzagM.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ItZwaUx.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\VGUgZbN.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\EdhinfY.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\XOiFHHQ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\YXKdvts.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\WMHTmHu.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\RxcDgZZ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\QbxPycM.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ZHvfxpq.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\SdXTWnk.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\XUrmvCR.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\iyZKise.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\CzntdKw.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\nerCDVs.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\NEflKPQ.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ahbqVmf.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ZZPmsei.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\iDqrkOV.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\eIqLLMj.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ZyBWpwa.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\jSZoQDx.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\DKhAWZP.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ATyfeJM.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\VxPHCaU.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\NAnTwqO.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\OrGLFUi.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\okgdZvT.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\CJasNjG.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\nxraMpC.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\fuotCxR.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\rDyVQoa.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\QTXCKBx.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\GRnAaYm.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
File created	C:\Windows\System32\ZymryWt.exe	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeexplorer.exeSearchApp.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{20495D49-3333-4E65-9AF1-ACD8A1AD675F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{D8AA5B1E-0F7C-42AC-B4D6-755CB7C7FCE3}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{A71EBE7D-0DE6-4098-B0BB-7232C25435C8}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	13744	explorer.exe
Token: SeCreatePagefilePrivilege	13744	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe
Token: SeShutdownPrivilege	4064	explorer.exe
Token: SeCreatePagefilePrivilege	4064	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

sihost.exeexplorer.exeexplorer.exe

pid	process
13452	sihost.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
13744	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
4064	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
2192	explorer.exe
10368	explorer.exe
10368	explorer.exe
10368	explorer.exe
10368	explorer.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

StartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
14248	StartMenuExperienceHost.exe
6432	StartMenuExperienceHost.exe
6588	SearchApp.exe
4600	StartMenuExperienceHost.exe
8988	SearchApp.exe
7052	StartMenuExperienceHost.exe
3596	SearchApp.exe
4112	StartMenuExperienceHost.exe
1172	SearchApp.exe
6348	StartMenuExperienceHost.exe
4552	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe

description	pid	process	target process
PID 3408 wrote to memory of 1408	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	KLHFBYf.exe
PID 3408 wrote to memory of 1408	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	KLHFBYf.exe
PID 3408 wrote to memory of 4848	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	SubCzmp.exe
PID 3408 wrote to memory of 4848	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	SubCzmp.exe
PID 3408 wrote to memory of 4492	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	VSVgBEA.exe
PID 3408 wrote to memory of 4492	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	VSVgBEA.exe
PID 3408 wrote to memory of 4888	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	TlJdjOV.exe
PID 3408 wrote to memory of 4888	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	TlJdjOV.exe
PID 3408 wrote to memory of 3216	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wUyTRPS.exe
PID 3408 wrote to memory of 3216	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wUyTRPS.exe
PID 3408 wrote to memory of 3092	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	qZTnPVR.exe
PID 3408 wrote to memory of 3092	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	qZTnPVR.exe
PID 3408 wrote to memory of 2184	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	VEHymEF.exe
PID 3408 wrote to memory of 2184	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	VEHymEF.exe
PID 3408 wrote to memory of 540	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	UwVXofQ.exe
PID 3408 wrote to memory of 540	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	UwVXofQ.exe
PID 3408 wrote to memory of 3076	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	FsNTOMS.exe
PID 3408 wrote to memory of 3076	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	FsNTOMS.exe
PID 3408 wrote to memory of 1352	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	snctYmh.exe
PID 3408 wrote to memory of 1352	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	snctYmh.exe
PID 3408 wrote to memory of 4560	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	IoNtrDa.exe
PID 3408 wrote to memory of 4560	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	IoNtrDa.exe
PID 3408 wrote to memory of 4652	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wTXfPOn.exe
PID 3408 wrote to memory of 4652	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wTXfPOn.exe
PID 3408 wrote to memory of 640	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wpZgTxA.exe
PID 3408 wrote to memory of 640	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wpZgTxA.exe
PID 3408 wrote to memory of 4792	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	RRpZEwP.exe
PID 3408 wrote to memory of 4792	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	RRpZEwP.exe
PID 3408 wrote to memory of 3600	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	LSBDrvf.exe
PID 3408 wrote to memory of 3600	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	LSBDrvf.exe
PID 3408 wrote to memory of 2760	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wYnudrx.exe
PID 3408 wrote to memory of 2760	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	wYnudrx.exe
PID 3408 wrote to memory of 4680	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	qxmsLJO.exe
PID 3408 wrote to memory of 4680	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	qxmsLJO.exe
PID 3408 wrote to memory of 1168	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	anoAvVv.exe
PID 3408 wrote to memory of 1168	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	anoAvVv.exe
PID 3408 wrote to memory of 1848	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	ATyfeJM.exe
PID 3408 wrote to memory of 1848	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	ATyfeJM.exe
PID 3408 wrote to memory of 1652	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	eAPssCu.exe
PID 3408 wrote to memory of 1652	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	eAPssCu.exe
PID 3408 wrote to memory of 4248	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	oIiBNMR.exe
PID 3408 wrote to memory of 4248	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	oIiBNMR.exe
PID 3408 wrote to memory of 2100	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	rdUMzOS.exe
PID 3408 wrote to memory of 2100	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	rdUMzOS.exe
PID 3408 wrote to memory of 1284	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	dzyIeui.exe
PID 3408 wrote to memory of 1284	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	dzyIeui.exe
PID 3408 wrote to memory of 1492	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	BLizoOF.exe
PID 3408 wrote to memory of 1492	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	BLizoOF.exe
PID 3408 wrote to memory of 4100	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	JYeMJNO.exe
PID 3408 wrote to memory of 4100	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	JYeMJNO.exe
PID 3408 wrote to memory of 1124	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	RsuzfPs.exe
PID 3408 wrote to memory of 1124	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	RsuzfPs.exe
PID 3408 wrote to memory of 3984	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	vUrskUJ.exe
PID 3408 wrote to memory of 3984	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	vUrskUJ.exe
PID 3408 wrote to memory of 5028	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	tCeAcyA.exe
PID 3408 wrote to memory of 5028	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	tCeAcyA.exe
PID 3408 wrote to memory of 4000	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	QTaxLIi.exe
PID 3408 wrote to memory of 4000	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	QTaxLIi.exe
PID 3408 wrote to memory of 3500	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	TrfHOWk.exe
PID 3408 wrote to memory of 3500	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	TrfHOWk.exe
PID 3408 wrote to memory of 2052	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	ExxPNiM.exe
PID 3408 wrote to memory of 2052	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	ExxPNiM.exe
PID 3408 wrote to memory of 4816	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	NugPeKO.exe
PID 3408 wrote to memory of 4816	3408	8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe	NugPeKO.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe
"C:\Users\Admin\AppData\Local\Temp\8e4fdbd766237e11f07ad2c9244376728616af559b676e4112e7f4d55da2d155.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\System32\KLHFBYf.exe
C:\Windows\System32\KLHFBYf.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\System32\SubCzmp.exe
C:\Windows\System32\SubCzmp.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System32\VSVgBEA.exe
C:\Windows\System32\VSVgBEA.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\TlJdjOV.exe
C:\Windows\System32\TlJdjOV.exe
2⤵
- Executes dropped EXE
PID:4888

C:\Windows\System32\wUyTRPS.exe
C:\Windows\System32\wUyTRPS.exe
2⤵
- Executes dropped EXE
PID:3216

C:\Windows\System32\qZTnPVR.exe
C:\Windows\System32\qZTnPVR.exe
2⤵
- Executes dropped EXE
PID:3092

C:\Windows\System32\VEHymEF.exe
C:\Windows\System32\VEHymEF.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\UwVXofQ.exe
C:\Windows\System32\UwVXofQ.exe
2⤵
- Executes dropped EXE
PID:540

C:\Windows\System32\FsNTOMS.exe
C:\Windows\System32\FsNTOMS.exe
2⤵
- Executes dropped EXE
PID:3076

C:\Windows\System32\snctYmh.exe
C:\Windows\System32\snctYmh.exe
2⤵
- Executes dropped EXE
PID:1352

C:\Windows\System32\IoNtrDa.exe
C:\Windows\System32\IoNtrDa.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\wTXfPOn.exe
C:\Windows\System32\wTXfPOn.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System32\wpZgTxA.exe
C:\Windows\System32\wpZgTxA.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System32\RRpZEwP.exe
C:\Windows\System32\RRpZEwP.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\System32\LSBDrvf.exe
C:\Windows\System32\LSBDrvf.exe
2⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\wYnudrx.exe
C:\Windows\System32\wYnudrx.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System32\qxmsLJO.exe
C:\Windows\System32\qxmsLJO.exe
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\System32\anoAvVv.exe
C:\Windows\System32\anoAvVv.exe
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\System32\ATyfeJM.exe
C:\Windows\System32\ATyfeJM.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\System32\eAPssCu.exe
C:\Windows\System32\eAPssCu.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System32\oIiBNMR.exe
C:\Windows\System32\oIiBNMR.exe
2⤵
- Executes dropped EXE
PID:4248

C:\Windows\System32\rdUMzOS.exe
C:\Windows\System32\rdUMzOS.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System32\dzyIeui.exe
C:\Windows\System32\dzyIeui.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\System32\BLizoOF.exe
C:\Windows\System32\BLizoOF.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\JYeMJNO.exe
C:\Windows\System32\JYeMJNO.exe
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\System32\RsuzfPs.exe
C:\Windows\System32\RsuzfPs.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\System32\vUrskUJ.exe
C:\Windows\System32\vUrskUJ.exe
2⤵
- Executes dropped EXE
PID:3984

C:\Windows\System32\tCeAcyA.exe
C:\Windows\System32\tCeAcyA.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System32\QTaxLIi.exe
C:\Windows\System32\QTaxLIi.exe
2⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\TrfHOWk.exe
C:\Windows\System32\TrfHOWk.exe
2⤵
- Executes dropped EXE
PID:3500

C:\Windows\System32\ExxPNiM.exe
C:\Windows\System32\ExxPNiM.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System32\NugPeKO.exe
C:\Windows\System32\NugPeKO.exe
2⤵
- Executes dropped EXE
PID:4816

C:\Windows\System32\BGhzkLB.exe
C:\Windows\System32\BGhzkLB.exe
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\BsDcsIT.exe
C:\Windows\System32\BsDcsIT.exe
2⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\dyrGjoe.exe
C:\Windows\System32\dyrGjoe.exe
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\pEVGYJF.exe
C:\Windows\System32\pEVGYJF.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\QBuYTVS.exe
C:\Windows\System32\QBuYTVS.exe
2⤵
- Executes dropped EXE
PID:4120

C:\Windows\System32\reUEFjC.exe
C:\Windows\System32\reUEFjC.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System32\JqDANMS.exe
C:\Windows\System32\JqDANMS.exe
2⤵
- Executes dropped EXE
PID:3172

C:\Windows\System32\cNYJUoj.exe
C:\Windows\System32\cNYJUoj.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System32\cZkBPIH.exe
C:\Windows\System32\cZkBPIH.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System32\ZHXfKiX.exe
C:\Windows\System32\ZHXfKiX.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System32\EHOnjwP.exe
C:\Windows\System32\EHOnjwP.exe
2⤵
- Executes dropped EXE
PID:228

C:\Windows\System32\nywxvZO.exe
C:\Windows\System32\nywxvZO.exe
2⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\ZOmKesJ.exe
C:\Windows\System32\ZOmKesJ.exe
2⤵
- Executes dropped EXE
PID:1824

C:\Windows\System32\iKPAYNL.exe
C:\Windows\System32\iKPAYNL.exe
2⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\dERgqaC.exe
C:\Windows\System32\dERgqaC.exe
2⤵
- Executes dropped EXE
PID:4948

C:\Windows\System32\oNmttZA.exe
C:\Windows\System32\oNmttZA.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System32\GQNYGaR.exe
C:\Windows\System32\GQNYGaR.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System32\xwitnEI.exe
C:\Windows\System32\xwitnEI.exe
2⤵
- Executes dropped EXE
PID:932

C:\Windows\System32\ydzUsvi.exe
C:\Windows\System32\ydzUsvi.exe
2⤵
- Executes dropped EXE
PID:912

C:\Windows\System32\zEhgawQ.exe
C:\Windows\System32\zEhgawQ.exe
2⤵
- Executes dropped EXE
PID:4664

C:\Windows\System32\jQkSKwj.exe
C:\Windows\System32\jQkSKwj.exe
2⤵
- Executes dropped EXE
PID:3676

C:\Windows\System32\VOxIVXd.exe
C:\Windows\System32\VOxIVXd.exe
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\zzsTyeO.exe
C:\Windows\System32\zzsTyeO.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System32\GSfnAgT.exe
C:\Windows\System32\GSfnAgT.exe
2⤵
- Executes dropped EXE
PID:3788

C:\Windows\System32\wShqlkX.exe
C:\Windows\System32\wShqlkX.exe
2⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\hDasfhg.exe
C:\Windows\System32\hDasfhg.exe
2⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\qdUBaqM.exe
C:\Windows\System32\qdUBaqM.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System32\MVJQLzH.exe
C:\Windows\System32\MVJQLzH.exe
2⤵
- Executes dropped EXE
PID:4872

C:\Windows\System32\GOlaSsv.exe
C:\Windows\System32\GOlaSsv.exe
2⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\aKeDXnf.exe
C:\Windows\System32\aKeDXnf.exe
2⤵
- Executes dropped EXE
PID:4336

C:\Windows\System32\smZGRbl.exe
C:\Windows\System32\smZGRbl.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\System32\tHoexXL.exe
C:\Windows\System32\tHoexXL.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System32\ItqXJfX.exe
C:\Windows\System32\ItqXJfX.exe
2⤵
PID:4716

C:\Windows\System32\GUnwJfY.exe
C:\Windows\System32\GUnwJfY.exe
2⤵
PID:4360

C:\Windows\System32\wCNGtbz.exe
C:\Windows\System32\wCNGtbz.exe
2⤵
PID:4272

C:\Windows\System32\LUkxXJq.exe
C:\Windows\System32\LUkxXJq.exe
2⤵
PID:4016

C:\Windows\System32\Qmausco.exe
C:\Windows\System32\Qmausco.exe
2⤵
PID:3156

C:\Windows\System32\fYXrtWg.exe
C:\Windows\System32\fYXrtWg.exe
2⤵
PID:4960

C:\Windows\System32\TXlIuQf.exe
C:\Windows\System32\TXlIuQf.exe
2⤵
PID:3752

C:\Windows\System32\shqielG.exe
C:\Windows\System32\shqielG.exe
2⤵
PID:548

C:\Windows\System32\VEzrbfy.exe
C:\Windows\System32\VEzrbfy.exe
2⤵
PID:1744

C:\Windows\System32\ZFYhiFO.exe
C:\Windows\System32\ZFYhiFO.exe
2⤵
PID:3624

C:\Windows\System32\semmfdP.exe
C:\Windows\System32\semmfdP.exe
2⤵
PID:1788

C:\Windows\System32\BtRfbfM.exe
C:\Windows\System32\BtRfbfM.exe
2⤵
PID:2296

C:\Windows\System32\tnsmlkK.exe
C:\Windows\System32\tnsmlkK.exe
2⤵
PID:1920

C:\Windows\System32\HAcjWEx.exe
C:\Windows\System32\HAcjWEx.exe
2⤵
PID:1312

C:\Windows\System32\mgoRSJQ.exe
C:\Windows\System32\mgoRSJQ.exe
2⤵
PID:1204

C:\Windows\System32\rEKDyib.exe
C:\Windows\System32\rEKDyib.exe
2⤵
PID:5124

C:\Windows\System32\gFQJyLn.exe
C:\Windows\System32\gFQJyLn.exe
2⤵
PID:5140

C:\Windows\System32\xkqqWii.exe
C:\Windows\System32\xkqqWii.exe
2⤵
PID:5180

C:\Windows\System32\wHiKdBJ.exe
C:\Windows\System32\wHiKdBJ.exe
2⤵
PID:5196

C:\Windows\System32\pGbRZSy.exe
C:\Windows\System32\pGbRZSy.exe
2⤵
PID:5236

C:\Windows\System32\iKzidGa.exe
C:\Windows\System32\iKzidGa.exe
2⤵
PID:5252

C:\Windows\System32\ZBrvHmm.exe
C:\Windows\System32\ZBrvHmm.exe
2⤵
PID:5280

C:\Windows\System32\RcYpGoD.exe
C:\Windows\System32\RcYpGoD.exe
2⤵
PID:5308

C:\Windows\System32\dagmIbj.exe
C:\Windows\System32\dagmIbj.exe
2⤵
PID:5336

C:\Windows\System32\eGUsKPY.exe
C:\Windows\System32\eGUsKPY.exe
2⤵
PID:5364

C:\Windows\System32\WhVIveG.exe
C:\Windows\System32\WhVIveG.exe
2⤵
PID:5392

C:\Windows\System32\YBKmqrj.exe
C:\Windows\System32\YBKmqrj.exe
2⤵
PID:5420

C:\Windows\System32\ErnPdqQ.exe
C:\Windows\System32\ErnPdqQ.exe
2⤵
PID:5460

C:\Windows\System32\krHPzfM.exe
C:\Windows\System32\krHPzfM.exe
2⤵
PID:5476

C:\Windows\System32\DcCIARJ.exe
C:\Windows\System32\DcCIARJ.exe
2⤵
PID:5504

C:\Windows\System32\QYnIXej.exe
C:\Windows\System32\QYnIXej.exe
2⤵
PID:5544

C:\Windows\System32\GEoazTi.exe
C:\Windows\System32\GEoazTi.exe
2⤵
PID:5560

C:\Windows\System32\iFwcpwZ.exe
C:\Windows\System32\iFwcpwZ.exe
2⤵
PID:5588

C:\Windows\System32\BtrjnlA.exe
C:\Windows\System32\BtrjnlA.exe
2⤵
PID:5616

C:\Windows\System32\OEYIQTr.exe
C:\Windows\System32\OEYIQTr.exe
2⤵
PID:5656

C:\Windows\System32\scUuUbr.exe
C:\Windows\System32\scUuUbr.exe
2⤵
PID:5672

C:\Windows\System32\nXxmaHA.exe
C:\Windows\System32\nXxmaHA.exe
2⤵
PID:5712

C:\Windows\System32\bSoMrnu.exe
C:\Windows\System32\bSoMrnu.exe
2⤵
PID:5728

C:\Windows\System32\VrPUvTc.exe
C:\Windows\System32\VrPUvTc.exe
2⤵
PID:5768

C:\Windows\System32\hkecgtr.exe
C:\Windows\System32\hkecgtr.exe
2⤵
PID:5796

C:\Windows\System32\iclPXPS.exe
C:\Windows\System32\iclPXPS.exe
2⤵
PID:5812

C:\Windows\System32\dGmWcHU.exe
C:\Windows\System32\dGmWcHU.exe
2⤵
PID:5852

C:\Windows\System32\TNtfjEY.exe
C:\Windows\System32\TNtfjEY.exe
2⤵
PID:5880

C:\Windows\System32\ODEGCqa.exe
C:\Windows\System32\ODEGCqa.exe
2⤵
PID:5908

C:\Windows\System32\SCOEuHR.exe
C:\Windows\System32\SCOEuHR.exe
2⤵
PID:5936

C:\Windows\System32\tMrUkSh.exe
C:\Windows\System32\tMrUkSh.exe
2⤵
PID:5952

C:\Windows\System32\EvjCSWs.exe
C:\Windows\System32\EvjCSWs.exe
2⤵
PID:5992

C:\Windows\System32\lxoUJui.exe
C:\Windows\System32\lxoUJui.exe
2⤵
PID:6008

C:\Windows\System32\gcXNqeX.exe
C:\Windows\System32\gcXNqeX.exe
2⤵
PID:6048

C:\Windows\System32\xvIDczd.exe
C:\Windows\System32\xvIDczd.exe
2⤵
PID:6064

C:\Windows\System32\nosAFeF.exe
C:\Windows\System32\nosAFeF.exe
2⤵
PID:6120

C:\Windows\System32\sAWxTCm.exe
C:\Windows\System32\sAWxTCm.exe
2⤵
PID:6140

C:\Windows\System32\AfHeSoo.exe
C:\Windows\System32\AfHeSoo.exe
2⤵
PID:924

C:\Windows\System32\evlDmRr.exe
C:\Windows\System32\evlDmRr.exe
2⤵
PID:1808

C:\Windows\System32\ZHvfxpq.exe
C:\Windows\System32\ZHvfxpq.exe
2⤵
PID:1944

C:\Windows\System32\OnKSWYb.exe
C:\Windows\System32\OnKSWYb.exe
2⤵
PID:4328

C:\Windows\System32\HXBLJSJ.exe
C:\Windows\System32\HXBLJSJ.exe
2⤵
PID:5188

C:\Windows\System32\xoIEfJW.exe
C:\Windows\System32\xoIEfJW.exe
2⤵
PID:5320

C:\Windows\System32\RCmOAqK.exe
C:\Windows\System32\RCmOAqK.exe
2⤵
PID:5444

C:\Windows\System32\AlJpyEy.exe
C:\Windows\System32\AlJpyEy.exe
2⤵
PID:5488

C:\Windows\System32\KwbwDxT.exe
C:\Windows\System32\KwbwDxT.exe
2⤵
PID:5520

C:\Windows\System32\cbvfDXL.exe
C:\Windows\System32\cbvfDXL.exe
2⤵
PID:5576

C:\Windows\System32\TbfDkRt.exe
C:\Windows\System32\TbfDkRt.exe
2⤵
PID:5640

C:\Windows\System32\xpzgypf.exe
C:\Windows\System32\xpzgypf.exe
2⤵
PID:5684

C:\Windows\System32\dtJsKPg.exe
C:\Windows\System32\dtJsKPg.exe
2⤵
PID:2376

C:\Windows\System32\fXlsBsP.exe
C:\Windows\System32\fXlsBsP.exe
2⤵
PID:5776

C:\Windows\System32\dHgFQcf.exe
C:\Windows\System32\dHgFQcf.exe
2⤵
PID:5820

C:\Windows\System32\ldzwnOl.exe
C:\Windows\System32\ldzwnOl.exe
2⤵
PID:5892

C:\Windows\System32\mkEPTTa.exe
C:\Windows\System32\mkEPTTa.exe
2⤵
PID:2560

C:\Windows\System32\DlzcTMJ.exe
C:\Windows\System32\DlzcTMJ.exe
2⤵
PID:5016

C:\Windows\System32\xTjxGED.exe
C:\Windows\System32\xTjxGED.exe
2⤵
PID:5984

C:\Windows\System32\GmhHohJ.exe
C:\Windows\System32\GmhHohJ.exe
2⤵
PID:6004

C:\Windows\System32\nyFuGuE.exe
C:\Windows\System32\nyFuGuE.exe
2⤵
PID:6040

C:\Windows\System32\YsaPfHL.exe
C:\Windows\System32\YsaPfHL.exe
2⤵
PID:2340

C:\Windows\System32\mMMxqPb.exe
C:\Windows\System32\mMMxqPb.exe
2⤵
PID:3828

C:\Windows\System32\KKvKRVv.exe
C:\Windows\System32\KKvKRVv.exe
2⤵
PID:6116

C:\Windows\System32\qWkhjbM.exe
C:\Windows\System32\qWkhjbM.exe
2⤵
PID:4168

C:\Windows\System32\YaKIRhu.exe
C:\Windows\System32\YaKIRhu.exe
2⤵
PID:672

C:\Windows\System32\IMrWyLS.exe
C:\Windows\System32\IMrWyLS.exe
2⤵
PID:5268

C:\Windows\System32\TNTxGsU.exe
C:\Windows\System32\TNTxGsU.exe
2⤵
PID:6088

C:\Windows\System32\prKBmVh.exe
C:\Windows\System32\prKBmVh.exe
2⤵
PID:6092

C:\Windows\System32\dJFhYkh.exe
C:\Windows\System32\dJFhYkh.exe
2⤵
PID:2188

C:\Windows\System32\yMwmgrT.exe
C:\Windows\System32\yMwmgrT.exe
2⤵
PID:5380

C:\Windows\System32\WgURSWs.exe
C:\Windows\System32\WgURSWs.exe
2⤵
PID:5688

C:\Windows\System32\mmhFAzL.exe
C:\Windows\System32\mmhFAzL.exe
2⤵
PID:5808

C:\Windows\System32\mMzXhuZ.exe
C:\Windows\System32\mMzXhuZ.exe
2⤵
PID:5928

C:\Windows\System32\RQyTHrC.exe
C:\Windows\System32\RQyTHrC.exe
2⤵
PID:6020

C:\Windows\System32\hSRyoqG.exe
C:\Windows\System32\hSRyoqG.exe
2⤵
PID:3912

C:\Windows\System32\HPDnVGR.exe
C:\Windows\System32\HPDnVGR.exe
2⤵
PID:6132

C:\Windows\System32\tUieHQw.exe
C:\Windows\System32\tUieHQw.exe
2⤵
PID:5332

C:\Windows\System32\huDKQIU.exe
C:\Windows\System32\huDKQIU.exe
2⤵
PID:5360

C:\Windows\System32\KSabubx.exe
C:\Windows\System32\KSabubx.exe
2⤵
PID:5600

C:\Windows\System32\QcVGavK.exe
C:\Windows\System32\QcVGavK.exe
2⤵
PID:5804

C:\Windows\System32\HNoGQJc.exe
C:\Windows\System32\HNoGQJc.exe
2⤵
PID:684

C:\Windows\System32\ziJYGWr.exe
C:\Windows\System32\ziJYGWr.exe
2⤵
PID:4884

C:\Windows\System32\xCxDsTH.exe
C:\Windows\System32\xCxDsTH.exe
2⤵
PID:5436

C:\Windows\System32\TDAFaCM.exe
C:\Windows\System32\TDAFaCM.exe
2⤵
PID:1356

C:\Windows\System32\zbuoxcV.exe
C:\Windows\System32\zbuoxcV.exe
2⤵
PID:6024

C:\Windows\System32\XDcUFIF.exe
C:\Windows\System32\XDcUFIF.exe
2⤵
PID:6160

C:\Windows\System32\GzYVhRX.exe
C:\Windows\System32\GzYVhRX.exe
2⤵
PID:6180

C:\Windows\System32\vhiNwgm.exe
C:\Windows\System32\vhiNwgm.exe
2⤵
PID:6200

C:\Windows\System32\DIphmzZ.exe
C:\Windows\System32\DIphmzZ.exe
2⤵
PID:6216

C:\Windows\System32\cfjXTcD.exe
C:\Windows\System32\cfjXTcD.exe
2⤵
PID:6280

C:\Windows\System32\vsWCDRb.exe
C:\Windows\System32\vsWCDRb.exe
2⤵
PID:6304

C:\Windows\System32\aRdcsXL.exe
C:\Windows\System32\aRdcsXL.exe
2⤵
PID:6324

C:\Windows\System32\upYPEWF.exe
C:\Windows\System32\upYPEWF.exe
2⤵
PID:6340

C:\Windows\System32\HXDRFqt.exe
C:\Windows\System32\HXDRFqt.exe
2⤵
PID:6364

C:\Windows\System32\ozsHJkw.exe
C:\Windows\System32\ozsHJkw.exe
2⤵
PID:6384

C:\Windows\System32\sXAdVkJ.exe
C:\Windows\System32\sXAdVkJ.exe
2⤵
PID:6404

C:\Windows\System32\MxgMFDM.exe
C:\Windows\System32\MxgMFDM.exe
2⤵
PID:6468

C:\Windows\System32\VxPHCaU.exe
C:\Windows\System32\VxPHCaU.exe
2⤵
PID:6484

C:\Windows\System32\YvYaxtj.exe
C:\Windows\System32\YvYaxtj.exe
2⤵
PID:6504

C:\Windows\System32\BEZBHef.exe
C:\Windows\System32\BEZBHef.exe
2⤵
PID:6520

C:\Windows\System32\RrdLPdC.exe
C:\Windows\System32\RrdLPdC.exe
2⤵
PID:6540

C:\Windows\System32\SrTJGMl.exe
C:\Windows\System32\SrTJGMl.exe
2⤵
PID:6592

C:\Windows\System32\RuWlqdd.exe
C:\Windows\System32\RuWlqdd.exe
2⤵
PID:6616

C:\Windows\System32\LPpYsSB.exe
C:\Windows\System32\LPpYsSB.exe
2⤵
PID:6660

C:\Windows\System32\LnImIXu.exe
C:\Windows\System32\LnImIXu.exe
2⤵
PID:6704

C:\Windows\System32\WKzeUMU.exe
C:\Windows\System32\WKzeUMU.exe
2⤵
PID:6724

C:\Windows\System32\vhAzfSn.exe
C:\Windows\System32\vhAzfSn.exe
2⤵
PID:6740

C:\Windows\System32\RnNcSBs.exe
C:\Windows\System32\RnNcSBs.exe
2⤵
PID:6764

C:\Windows\System32\eLgCvcM.exe
C:\Windows\System32\eLgCvcM.exe
2⤵
PID:6784

C:\Windows\System32\lQmxiYn.exe
C:\Windows\System32\lQmxiYn.exe
2⤵
PID:6808

C:\Windows\System32\QcZrWlW.exe
C:\Windows\System32\QcZrWlW.exe
2⤵
PID:6840

C:\Windows\System32\DzKgAJr.exe
C:\Windows\System32\DzKgAJr.exe
2⤵
PID:6872

C:\Windows\System32\QCDSRoF.exe
C:\Windows\System32\QCDSRoF.exe
2⤵
PID:6888

C:\Windows\System32\aSVfAEG.exe
C:\Windows\System32\aSVfAEG.exe
2⤵
PID:6916

C:\Windows\System32\mHbQayY.exe
C:\Windows\System32\mHbQayY.exe
2⤵
PID:6960

C:\Windows\System32\QRIRsXg.exe
C:\Windows\System32\QRIRsXg.exe
2⤵
PID:7016

C:\Windows\System32\lPdFpef.exe
C:\Windows\System32\lPdFpef.exe
2⤵
PID:7036

C:\Windows\System32\bwcCGBK.exe
C:\Windows\System32\bwcCGBK.exe
2⤵
PID:7056

C:\Windows\System32\TmmANKy.exe
C:\Windows\System32\TmmANKy.exe
2⤵
PID:7092

C:\Windows\System32\krohQuI.exe
C:\Windows\System32\krohQuI.exe
2⤵
PID:7124

C:\Windows\System32\DIgsTbx.exe
C:\Windows\System32\DIgsTbx.exe
2⤵
PID:7164

C:\Windows\System32\yrUyAoi.exe
C:\Windows\System32\yrUyAoi.exe
2⤵
PID:6156

C:\Windows\System32\IlyBJkv.exe
C:\Windows\System32\IlyBJkv.exe
2⤵
PID:6196

C:\Windows\System32\pXQRBeA.exe
C:\Windows\System32\pXQRBeA.exe
2⤵
PID:6300

C:\Windows\System32\bszjLMg.exe
C:\Windows\System32\bszjLMg.exe
2⤵
PID:6336

C:\Windows\System32\pShCczo.exe
C:\Windows\System32\pShCczo.exe
2⤵
PID:6348

C:\Windows\System32\VZBpHTk.exe
C:\Windows\System32\VZBpHTk.exe
2⤵
PID:6516

C:\Windows\System32\klkXzPm.exe
C:\Windows\System32\klkXzPm.exe
2⤵
PID:6480

C:\Windows\System32\NCBidfx.exe
C:\Windows\System32\NCBidfx.exe
2⤵
PID:6632

C:\Windows\System32\NDOTHxv.exe
C:\Windows\System32\NDOTHxv.exe
2⤵
PID:6672

C:\Windows\System32\MGSBJta.exe
C:\Windows\System32\MGSBJta.exe
2⤵
PID:6756

C:\Windows\System32\CHpMnXD.exe
C:\Windows\System32\CHpMnXD.exe
2⤵
PID:6836

C:\Windows\System32\CzntdKw.exe
C:\Windows\System32\CzntdKw.exe
2⤵
PID:6908

C:\Windows\System32\tdgIeQA.exe
C:\Windows\System32\tdgIeQA.exe
2⤵
PID:6880

C:\Windows\System32\XXMNxjp.exe
C:\Windows\System32\XXMNxjp.exe
2⤵
PID:7028

C:\Windows\System32\vCqWyLY.exe
C:\Windows\System32\vCqWyLY.exe
2⤵
PID:7048

C:\Windows\System32\eNiRsLO.exe
C:\Windows\System32\eNiRsLO.exe
2⤵
PID:7080

C:\Windows\System32\IaMnBHj.exe
C:\Windows\System32\IaMnBHj.exe
2⤵
PID:6208

C:\Windows\System32\bKLXCQY.exe
C:\Windows\System32\bKLXCQY.exe
2⤵
PID:6372

C:\Windows\System32\bSdOpJr.exe
C:\Windows\System32\bSdOpJr.exe
2⤵
PID:6532

C:\Windows\System32\guNSOVi.exe
C:\Windows\System32\guNSOVi.exe
2⤵
PID:6612

C:\Windows\System32\kgOPBru.exe
C:\Windows\System32\kgOPBru.exe
2⤵
PID:6832

C:\Windows\System32\bTEtZwl.exe
C:\Windows\System32\bTEtZwl.exe
2⤵
PID:7004

C:\Windows\System32\SReuJzZ.exe
C:\Windows\System32\SReuJzZ.exe
2⤵
PID:6176

C:\Windows\System32\NAnTwqO.exe
C:\Windows\System32\NAnTwqO.exe
2⤵
PID:6716

C:\Windows\System32\dbrQPbZ.exe
C:\Windows\System32\dbrQPbZ.exe
2⤵
PID:6972

C:\Windows\System32\UsxWIxr.exe
C:\Windows\System32\UsxWIxr.exe
2⤵
PID:6804

C:\Windows\System32\GfnyxpM.exe
C:\Windows\System32\GfnyxpM.exe
2⤵
PID:7180

C:\Windows\System32\VJMKiWP.exe
C:\Windows\System32\VJMKiWP.exe
2⤵
PID:7204

C:\Windows\System32\FLdqIna.exe
C:\Windows\System32\FLdqIna.exe
2⤵
PID:7228

C:\Windows\System32\Ihvwrhp.exe
C:\Windows\System32\Ihvwrhp.exe
2⤵
PID:7264

C:\Windows\System32\gohXRgg.exe
C:\Windows\System32\gohXRgg.exe
2⤵
PID:7292

C:\Windows\System32\SdhMSYt.exe
C:\Windows\System32\SdhMSYt.exe
2⤵
PID:7312

C:\Windows\System32\nerCDVs.exe
C:\Windows\System32\nerCDVs.exe
2⤵
PID:7340

C:\Windows\System32\KkRltTE.exe
C:\Windows\System32\KkRltTE.exe
2⤵
PID:7380

C:\Windows\System32\ahaNGQK.exe
C:\Windows\System32\ahaNGQK.exe
2⤵
PID:7396

C:\Windows\System32\nxraMpC.exe
C:\Windows\System32\nxraMpC.exe
2⤵
PID:7428

C:\Windows\System32\YGKEbvJ.exe
C:\Windows\System32\YGKEbvJ.exe
2⤵
PID:7444

C:\Windows\System32\NuoUKCw.exe
C:\Windows\System32\NuoUKCw.exe
2⤵
PID:7472

C:\Windows\System32\PkAvTgS.exe
C:\Windows\System32\PkAvTgS.exe
2⤵
PID:7488

C:\Windows\System32\iYVzcJK.exe
C:\Windows\System32\iYVzcJK.exe
2⤵
PID:7532

C:\Windows\System32\mhyEUjy.exe
C:\Windows\System32\mhyEUjy.exe
2⤵
PID:7576

C:\Windows\System32\gYCZHfV.exe
C:\Windows\System32\gYCZHfV.exe
2⤵
PID:7600

C:\Windows\System32\VGUgZbN.exe
C:\Windows\System32\VGUgZbN.exe
2⤵
PID:7620

C:\Windows\System32\PfTwOKv.exe
C:\Windows\System32\PfTwOKv.exe
2⤵
PID:7652

C:\Windows\System32\VTMwVoQ.exe
C:\Windows\System32\VTMwVoQ.exe
2⤵
PID:7676

C:\Windows\System32\GHixpQn.exe
C:\Windows\System32\GHixpQn.exe
2⤵
PID:7700

C:\Windows\System32\yXYEinC.exe
C:\Windows\System32\yXYEinC.exe
2⤵
PID:7728

C:\Windows\System32\uKolgqs.exe
C:\Windows\System32\uKolgqs.exe
2⤵
PID:7760

C:\Windows\System32\WnDkNAc.exe
C:\Windows\System32\WnDkNAc.exe
2⤵
PID:7788

C:\Windows\System32\aQLyfLk.exe
C:\Windows\System32\aQLyfLk.exe
2⤵
PID:7804

C:\Windows\System32\viupkBq.exe
C:\Windows\System32\viupkBq.exe
2⤵
PID:7824

C:\Windows\System32\UGGdpiK.exe
C:\Windows\System32\UGGdpiK.exe
2⤵
PID:7860

C:\Windows\System32\fuotCxR.exe
C:\Windows\System32\fuotCxR.exe
2⤵
PID:7916

C:\Windows\System32\nhpHzih.exe
C:\Windows\System32\nhpHzih.exe
2⤵
PID:7936

C:\Windows\System32\diEFsYD.exe
C:\Windows\System32\diEFsYD.exe
2⤵
PID:7960

C:\Windows\System32\UNkNUJp.exe
C:\Windows\System32\UNkNUJp.exe
2⤵
PID:7988

C:\Windows\System32\bkzzNPx.exe
C:\Windows\System32\bkzzNPx.exe
2⤵
PID:8016

C:\Windows\System32\MCSZxVl.exe
C:\Windows\System32\MCSZxVl.exe
2⤵
PID:8056

C:\Windows\System32\Lmgpvgx.exe
C:\Windows\System32\Lmgpvgx.exe
2⤵
PID:8076

C:\Windows\System32\YQXoLkq.exe
C:\Windows\System32\YQXoLkq.exe
2⤵
PID:8096

C:\Windows\System32\WOnsXQC.exe
C:\Windows\System32\WOnsXQC.exe
2⤵
PID:8120

C:\Windows\System32\wImHbYh.exe
C:\Windows\System32\wImHbYh.exe
2⤵
PID:8144

C:\Windows\System32\cSKRhqC.exe
C:\Windows\System32\cSKRhqC.exe
2⤵
PID:8188

C:\Windows\System32\dHJvbWi.exe
C:\Windows\System32\dHJvbWi.exe
2⤵
PID:7220

C:\Windows\System32\epuGbWC.exe
C:\Windows\System32\epuGbWC.exe
2⤵
PID:7336

C:\Windows\System32\oDBpdui.exe
C:\Windows\System32\oDBpdui.exe
2⤵
PID:7364

C:\Windows\System32\umDIyfi.exe
C:\Windows\System32\umDIyfi.exe
2⤵
PID:7392

C:\Windows\System32\bECMrYF.exe
C:\Windows\System32\bECMrYF.exe
2⤵
PID:7452

C:\Windows\System32\EmjYOVJ.exe
C:\Windows\System32\EmjYOVJ.exe
2⤵
PID:7544

C:\Windows\System32\Uuwovaf.exe
C:\Windows\System32\Uuwovaf.exe
2⤵
PID:7612

C:\Windows\System32\EdhinfY.exe
C:\Windows\System32\EdhinfY.exe
2⤵
PID:7664

C:\Windows\System32\sJoiClK.exe
C:\Windows\System32\sJoiClK.exe
2⤵
PID:7716

C:\Windows\System32\pRtAKka.exe
C:\Windows\System32\pRtAKka.exe
2⤵
PID:7772

C:\Windows\System32\blDDzUw.exe
C:\Windows\System32\blDDzUw.exe
2⤵
PID:7912

C:\Windows\System32\SjTYeaK.exe
C:\Windows\System32\SjTYeaK.exe
2⤵
PID:7948

C:\Windows\System32\QKDAqST.exe
C:\Windows\System32\QKDAqST.exe
2⤵
PID:7976

C:\Windows\System32\FfCsPAK.exe
C:\Windows\System32\FfCsPAK.exe
2⤵
PID:8052

C:\Windows\System32\GWtdFFw.exe
C:\Windows\System32\GWtdFFw.exe
2⤵
PID:8104

C:\Windows\System32\JOxcwuJ.exe
C:\Windows\System32\JOxcwuJ.exe
2⤵
PID:7256

C:\Windows\System32\tpSQslt.exe
C:\Windows\System32\tpSQslt.exe
2⤵
PID:7324

C:\Windows\System32\NHqYEUe.exe
C:\Windows\System32\NHqYEUe.exe
2⤵
PID:7484

C:\Windows\System32\SDQncsb.exe
C:\Windows\System32\SDQncsb.exe
2⤵
PID:7648

C:\Windows\System32\xskpulY.exe
C:\Windows\System32\xskpulY.exe
2⤵
PID:7688

C:\Windows\System32\xKaoMYY.exe
C:\Windows\System32\xKaoMYY.exe
2⤵
PID:7836

C:\Windows\System32\wioaRBk.exe
C:\Windows\System32\wioaRBk.exe
2⤵
PID:7140

C:\Windows\System32\jcecpKW.exe
C:\Windows\System32\jcecpKW.exe
2⤵
PID:8132

C:\Windows\System32\dPdxipP.exe
C:\Windows\System32\dPdxipP.exe
2⤵
PID:7568

C:\Windows\System32\OpyoxzR.exe
C:\Windows\System32\OpyoxzR.exe
2⤵
PID:7900

C:\Windows\System32\OrGLFUi.exe
C:\Windows\System32\OrGLFUi.exe
2⤵
PID:7524

C:\Windows\System32\xQLmSOg.exe
C:\Windows\System32\xQLmSOg.exe
2⤵
PID:7748

C:\Windows\System32\oKaykIH.exe
C:\Windows\System32\oKaykIH.exe
2⤵
PID:8208

C:\Windows\System32\NEflKPQ.exe
C:\Windows\System32\NEflKPQ.exe
2⤵
PID:8232

C:\Windows\System32\YjFJrqk.exe
C:\Windows\System32\YjFJrqk.exe
2⤵
PID:8272

C:\Windows\System32\gJrfWIK.exe
C:\Windows\System32\gJrfWIK.exe
2⤵
PID:8292

C:\Windows\System32\asqFRWS.exe
C:\Windows\System32\asqFRWS.exe
2⤵
PID:8316

C:\Windows\System32\QRyErKL.exe
C:\Windows\System32\QRyErKL.exe
2⤵
PID:8336

C:\Windows\System32\BADkFnM.exe
C:\Windows\System32\BADkFnM.exe
2⤵
PID:8360

C:\Windows\System32\SZNWXQo.exe
C:\Windows\System32\SZNWXQo.exe
2⤵
PID:8404

C:\Windows\System32\MsaOlts.exe
C:\Windows\System32\MsaOlts.exe
2⤵
PID:8448

C:\Windows\System32\uSlGDVr.exe
C:\Windows\System32\uSlGDVr.exe
2⤵
PID:8524

C:\Windows\System32\WpAqQzu.exe
C:\Windows\System32\WpAqQzu.exe
2⤵
PID:8548

C:\Windows\System32\dTYxhpy.exe
C:\Windows\System32\dTYxhpy.exe
2⤵
PID:8616

C:\Windows\System32\nqKnYrO.exe
C:\Windows\System32\nqKnYrO.exe
2⤵
PID:8632

C:\Windows\System32\rDyVQoa.exe
C:\Windows\System32\rDyVQoa.exe
2⤵
PID:8648

C:\Windows\System32\usVkHZi.exe
C:\Windows\System32\usVkHZi.exe
2⤵
PID:8664

C:\Windows\System32\FrWllQT.exe
C:\Windows\System32\FrWllQT.exe
2⤵
PID:8680

C:\Windows\System32\UbunMcB.exe
C:\Windows\System32\UbunMcB.exe
2⤵
PID:8728

C:\Windows\System32\yswMEBx.exe
C:\Windows\System32\yswMEBx.exe
2⤵
PID:8744

C:\Windows\System32\KrDRULA.exe
C:\Windows\System32\KrDRULA.exe
2⤵
PID:8760

C:\Windows\System32\dfLBSQz.exe
C:\Windows\System32\dfLBSQz.exe
2⤵
PID:8876

C:\Windows\System32\vAipnnH.exe
C:\Windows\System32\vAipnnH.exe
2⤵
PID:8904

C:\Windows\System32\JLoLEiY.exe
C:\Windows\System32\JLoLEiY.exe
2⤵
PID:8920

C:\Windows\System32\GUjqXdi.exe
C:\Windows\System32\GUjqXdi.exe
2⤵
PID:8964

C:\Windows\System32\VHxCOTN.exe
C:\Windows\System32\VHxCOTN.exe
2⤵
PID:8996

C:\Windows\System32\LzLBsRe.exe
C:\Windows\System32\LzLBsRe.exe
2⤵
PID:9016

C:\Windows\System32\XOiFHHQ.exe
C:\Windows\System32\XOiFHHQ.exe
2⤵
PID:9032

C:\Windows\System32\VRdqKUf.exe
C:\Windows\System32\VRdqKUf.exe
2⤵
PID:9064

C:\Windows\System32\ZxuwaYC.exe
C:\Windows\System32\ZxuwaYC.exe
2⤵
PID:9104

C:\Windows\System32\tfQMLNQ.exe
C:\Windows\System32\tfQMLNQ.exe
2⤵
PID:9136

C:\Windows\System32\LZRnEmo.exe
C:\Windows\System32\LZRnEmo.exe
2⤵
PID:9156

C:\Windows\System32\YpSWvuv.exe
C:\Windows\System32\YpSWvuv.exe
2⤵
PID:9172

C:\Windows\System32\TefMQkO.exe
C:\Windows\System32\TefMQkO.exe
2⤵
PID:9196

C:\Windows\System32\RzjlIpp.exe
C:\Windows\System32\RzjlIpp.exe
2⤵
PID:8248

C:\Windows\System32\kdHlZkl.exe
C:\Windows\System32\kdHlZkl.exe
2⤵
PID:8308

C:\Windows\System32\OZEIkph.exe
C:\Windows\System32\OZEIkph.exe
2⤵
PID:8412

C:\Windows\System32\kZpNvin.exe
C:\Windows\System32\kZpNvin.exe
2⤵
PID:8432

C:\Windows\System32\ReGrYmY.exe
C:\Windows\System32\ReGrYmY.exe
2⤵
PID:8480

C:\Windows\System32\nMJmJiR.exe
C:\Windows\System32\nMJmJiR.exe
2⤵
PID:8396

C:\Windows\System32\yuRusEB.exe
C:\Windows\System32\yuRusEB.exe
2⤵
PID:8520

C:\Windows\System32\gnDDYWc.exe
C:\Windows\System32\gnDDYWc.exe
2⤵
PID:8500

C:\Windows\System32\rEJuPhK.exe
C:\Windows\System32\rEJuPhK.exe
2⤵
PID:8556

C:\Windows\System32\BFubFCG.exe
C:\Windows\System32\BFubFCG.exe
2⤵
PID:8560

C:\Windows\System32\FRIgquC.exe
C:\Windows\System32\FRIgquC.exe
2⤵
PID:8580

C:\Windows\System32\FTGWEFt.exe
C:\Windows\System32\FTGWEFt.exe
2⤵
PID:8672

C:\Windows\System32\BpsOehX.exe
C:\Windows\System32\BpsOehX.exe
2⤵
PID:8784

C:\Windows\System32\PanvIIF.exe
C:\Windows\System32\PanvIIF.exe
2⤵
PID:8836

C:\Windows\System32\RCxARUM.exe
C:\Windows\System32\RCxARUM.exe
2⤵
PID:8940

C:\Windows\System32\mffPkSO.exe
C:\Windows\System32\mffPkSO.exe
2⤵
PID:9052

C:\Windows\System32\NJJHFKr.exe
C:\Windows\System32\NJJHFKr.exe
2⤵
PID:9120

C:\Windows\System32\QxIwiYj.exe
C:\Windows\System32\QxIwiYj.exe
2⤵
PID:9184

C:\Windows\System32\jyiGTOD.exe
C:\Windows\System32\jyiGTOD.exe
2⤵
PID:8220

C:\Windows\System32\xGRViHh.exe
C:\Windows\System32\xGRViHh.exe
2⤵
PID:8264

C:\Windows\System32\YTBAEzm.exe
C:\Windows\System32\YTBAEzm.exe
2⤵
PID:8376

C:\Windows\System32\LYSmpjm.exe
C:\Windows\System32\LYSmpjm.exe
2⤵
PID:3844

C:\Windows\System32\eOwEhRP.exe
C:\Windows\System32\eOwEhRP.exe
2⤵
PID:8564

C:\Windows\System32\uQnzVTB.exe
C:\Windows\System32\uQnzVTB.exe
2⤵
PID:8640

C:\Windows\System32\jxPDUFT.exe
C:\Windows\System32\jxPDUFT.exe
2⤵
PID:8992

C:\Windows\System32\vqaMayy.exe
C:\Windows\System32\vqaMayy.exe
2⤵
PID:9128

C:\Windows\System32\ZZPmsei.exe
C:\Windows\System32\ZZPmsei.exe
2⤵
PID:8300

C:\Windows\System32\rLQaehW.exe
C:\Windows\System32\rLQaehW.exe
2⤵
PID:8444

C:\Windows\System32\FWVZTNO.exe
C:\Windows\System32\FWVZTNO.exe
2⤵
PID:8568

C:\Windows\System32\iNFkwFy.exe
C:\Windows\System32\iNFkwFy.exe
2⤵
PID:8928

C:\Windows\System32\SVwHACd.exe
C:\Windows\System32\SVwHACd.exe
2⤵
PID:8740

C:\Windows\System32\zwLwIeZ.exe
C:\Windows\System32\zwLwIeZ.exe
2⤵
PID:8576

C:\Windows\System32\CoCuVAo.exe
C:\Windows\System32\CoCuVAo.exe
2⤵
PID:9232

C:\Windows\System32\pHofNmS.exe
C:\Windows\System32\pHofNmS.exe
2⤵
PID:9272

C:\Windows\System32\RQXutfm.exe
C:\Windows\System32\RQXutfm.exe
2⤵
PID:9288

C:\Windows\System32\YXKdvts.exe
C:\Windows\System32\YXKdvts.exe
2⤵
PID:9308

C:\Windows\System32\VwqWYnk.exe
C:\Windows\System32\VwqWYnk.exe
2⤵
PID:9332

C:\Windows\System32\hbvzagM.exe
C:\Windows\System32\hbvzagM.exe
2⤵
PID:9356

C:\Windows\System32\FAnyQxu.exe
C:\Windows\System32\FAnyQxu.exe
2⤵
PID:9372

C:\Windows\System32\nrLsXQp.exe
C:\Windows\System32\nrLsXQp.exe
2⤵
PID:9396

C:\Windows\System32\ahbqVmf.exe
C:\Windows\System32\ahbqVmf.exe
2⤵
PID:9432

C:\Windows\System32\inxslVV.exe
C:\Windows\System32\inxslVV.exe
2⤵
PID:9480

C:\Windows\System32\JmgRoaX.exe
C:\Windows\System32\JmgRoaX.exe
2⤵
PID:9512

C:\Windows\System32\USJhAhP.exe
C:\Windows\System32\USJhAhP.exe
2⤵
PID:9536

C:\Windows\System32\cpyQQkP.exe
C:\Windows\System32\cpyQQkP.exe
2⤵
PID:9556

C:\Windows\System32\ojzzkPM.exe
C:\Windows\System32\ojzzkPM.exe
2⤵
PID:9596

C:\Windows\System32\ZeFMjLM.exe
C:\Windows\System32\ZeFMjLM.exe
2⤵
PID:9632

C:\Windows\System32\TidPavd.exe
C:\Windows\System32\TidPavd.exe
2⤵
PID:9652

C:\Windows\System32\XOdaQeE.exe
C:\Windows\System32\XOdaQeE.exe
2⤵
PID:9672

C:\Windows\System32\OBTcJXa.exe
C:\Windows\System32\OBTcJXa.exe
2⤵
PID:9700

C:\Windows\System32\IsYDRRU.exe
C:\Windows\System32\IsYDRRU.exe
2⤵
PID:9748

C:\Windows\System32\vNgkPRl.exe
C:\Windows\System32\vNgkPRl.exe
2⤵
PID:9772

C:\Windows\System32\wpSYnJR.exe
C:\Windows\System32\wpSYnJR.exe
2⤵
PID:9800

C:\Windows\System32\fvTxWze.exe
C:\Windows\System32\fvTxWze.exe
2⤵
PID:9820

C:\Windows\System32\sioQqHK.exe
C:\Windows\System32\sioQqHK.exe
2⤵
PID:9848

C:\Windows\System32\FTNPNpJ.exe
C:\Windows\System32\FTNPNpJ.exe
2⤵
PID:9864

C:\Windows\System32\bLYdMer.exe
C:\Windows\System32\bLYdMer.exe
2⤵
PID:9900

C:\Windows\System32\wWFbIGS.exe
C:\Windows\System32\wWFbIGS.exe
2⤵
PID:9932

C:\Windows\System32\lsbJRjl.exe
C:\Windows\System32\lsbJRjl.exe
2⤵
PID:9972

C:\Windows\System32\iPGkRjd.exe
C:\Windows\System32\iPGkRjd.exe
2⤵
PID:10000

C:\Windows\System32\ZgWRRNB.exe
C:\Windows\System32\ZgWRRNB.exe
2⤵
PID:10032

C:\Windows\System32\FFSSZRJ.exe
C:\Windows\System32\FFSSZRJ.exe
2⤵
PID:10056

C:\Windows\System32\EhYtemD.exe
C:\Windows\System32\EhYtemD.exe
2⤵
PID:10076

C:\Windows\System32\ISeZZAv.exe
C:\Windows\System32\ISeZZAv.exe
2⤵
PID:10108

C:\Windows\System32\rCDpJIL.exe
C:\Windows\System32\rCDpJIL.exe
2⤵
PID:10128

C:\Windows\System32\ZymryWt.exe
C:\Windows\System32\ZymryWt.exe
2⤵
PID:10148

C:\Windows\System32\XUrmvCR.exe
C:\Windows\System32\XUrmvCR.exe
2⤵
PID:10168

C:\Windows\System32\rFFHsJu.exe
C:\Windows\System32\rFFHsJu.exe
2⤵
PID:10188

C:\Windows\System32\TTBynIW.exe
C:\Windows\System32\TTBynIW.exe
2⤵
PID:9224

C:\Windows\System32\bPGBoTD.exe
C:\Windows\System32\bPGBoTD.exe
2⤵
PID:9260

C:\Windows\System32\IpvmBeK.exe
C:\Windows\System32\IpvmBeK.exe
2⤵
PID:9284

C:\Windows\System32\KDqKSxv.exe
C:\Windows\System32\KDqKSxv.exe
2⤵
PID:9392

C:\Windows\System32\CgsYeDV.exe
C:\Windows\System32\CgsYeDV.exe
2⤵
PID:9412

C:\Windows\System32\nfZsHnL.exe
C:\Windows\System32\nfZsHnL.exe
2⤵
PID:9520

C:\Windows\System32\riHqWCH.exe
C:\Windows\System32\riHqWCH.exe
2⤵
PID:9572

C:\Windows\System32\yqVoFxk.exe
C:\Windows\System32\yqVoFxk.exe
2⤵
PID:9684

C:\Windows\System32\mqBYMJO.exe
C:\Windows\System32\mqBYMJO.exe
2⤵
PID:9764

C:\Windows\System32\lWSnwTa.exe
C:\Windows\System32\lWSnwTa.exe
2⤵
PID:9816

C:\Windows\System32\bxkoqkT.exe
C:\Windows\System32\bxkoqkT.exe
2⤵
PID:9832

C:\Windows\System32\TPccVKY.exe
C:\Windows\System32\TPccVKY.exe
2⤵
PID:9892

C:\Windows\System32\WBcpeGL.exe
C:\Windows\System32\WBcpeGL.exe
2⤵
PID:9988

C:\Windows\System32\UtcpwKW.exe
C:\Windows\System32\UtcpwKW.exe
2⤵
PID:10064

C:\Windows\System32\pxVRGTp.exe
C:\Windows\System32\pxVRGTp.exe
2⤵
PID:10164

C:\Windows\System32\vGGAhWg.exe
C:\Windows\System32\vGGAhWg.exe
2⤵
PID:10176

C:\Windows\System32\oNEGgTU.exe
C:\Windows\System32\oNEGgTU.exe
2⤵
PID:9248

C:\Windows\System32\VhJkriN.exe
C:\Windows\System32\VhJkriN.exe
2⤵
PID:9316

C:\Windows\System32\jYKDejK.exe
C:\Windows\System32\jYKDejK.exe
2⤵
PID:9328

C:\Windows\System32\rmUStgY.exe
C:\Windows\System32\rmUStgY.exe
2⤵
PID:9500

C:\Windows\System32\NExNbLs.exe
C:\Windows\System32\NExNbLs.exe
2⤵
PID:9880

C:\Windows\System32\SHXlKag.exe
C:\Windows\System32\SHXlKag.exe
2⤵
PID:10068

C:\Windows\System32\QNUInSU.exe
C:\Windows\System32\QNUInSU.exe
2⤵
PID:10184

C:\Windows\System32\xNDIAQc.exe
C:\Windows\System32\xNDIAQc.exe
2⤵
PID:9280

C:\Windows\System32\edMuytI.exe
C:\Windows\System32\edMuytI.exe
2⤵
PID:9668

C:\Windows\System32\CUwkjgG.exe
C:\Windows\System32\CUwkjgG.exe
2⤵
PID:9996

C:\Windows\System32\pdfOEkx.exe
C:\Windows\System32\pdfOEkx.exe
2⤵
PID:9380

C:\Windows\System32\qMNDuoq.exe
C:\Windows\System32\qMNDuoq.exe
2⤵
PID:10252

C:\Windows\System32\Pkaijwn.exe
C:\Windows\System32\Pkaijwn.exe
2⤵
PID:10272

C:\Windows\System32\vPsOMMz.exe
C:\Windows\System32\vPsOMMz.exe
2⤵
PID:10292

C:\Windows\System32\jFDVKOc.exe
C:\Windows\System32\jFDVKOc.exe
2⤵
PID:10316

C:\Windows\System32\LEGDciN.exe
C:\Windows\System32\LEGDciN.exe
2⤵
PID:10344

C:\Windows\System32\qRDICSL.exe
C:\Windows\System32\qRDICSL.exe
2⤵
PID:10396

C:\Windows\System32\RYApFvr.exe
C:\Windows\System32\RYApFvr.exe
2⤵
PID:10424

C:\Windows\System32\xbrLMQl.exe
C:\Windows\System32\xbrLMQl.exe
2⤵
PID:10464

C:\Windows\System32\GBMoHeO.exe
C:\Windows\System32\GBMoHeO.exe
2⤵
PID:10484

C:\Windows\System32\DJUJSBs.exe
C:\Windows\System32\DJUJSBs.exe
2⤵
PID:10500

C:\Windows\System32\MZzfKTG.exe
C:\Windows\System32\MZzfKTG.exe
2⤵
PID:10528

C:\Windows\System32\WOSNnfo.exe
C:\Windows\System32\WOSNnfo.exe
2⤵
PID:10568

C:\Windows\System32\HxtJclJ.exe
C:\Windows\System32\HxtJclJ.exe
2⤵
PID:10588

C:\Windows\System32\nUpzgwb.exe
C:\Windows\System32\nUpzgwb.exe
2⤵
PID:10620

C:\Windows\System32\vXcJyyB.exe
C:\Windows\System32\vXcJyyB.exe
2⤵
PID:10644

C:\Windows\System32\XSYUVNk.exe
C:\Windows\System32\XSYUVNk.exe
2⤵
PID:10668

C:\Windows\System32\CJtLxNj.exe
C:\Windows\System32\CJtLxNj.exe
2⤵
PID:10688

C:\Windows\System32\YAzAhdA.exe
C:\Windows\System32\YAzAhdA.exe
2⤵
PID:10712

C:\Windows\System32\jgoXiAA.exe
C:\Windows\System32\jgoXiAA.exe
2⤵
PID:10764

C:\Windows\System32\PecDeFI.exe
C:\Windows\System32\PecDeFI.exe
2⤵
PID:10792

C:\Windows\System32\deZzSqZ.exe
C:\Windows\System32\deZzSqZ.exe
2⤵
PID:10808

C:\Windows\System32\jDcEKWm.exe
C:\Windows\System32\jDcEKWm.exe
2⤵
PID:10828

C:\Windows\System32\INfrpce.exe
C:\Windows\System32\INfrpce.exe
2⤵
PID:10864

C:\Windows\System32\CcYeKls.exe
C:\Windows\System32\CcYeKls.exe
2⤵
PID:10904

C:\Windows\System32\jHvHSei.exe
C:\Windows\System32\jHvHSei.exe
2⤵
PID:10928

C:\Windows\System32\BxglKjA.exe
C:\Windows\System32\BxglKjA.exe
2⤵
PID:10964

C:\Windows\System32\FnJXQTN.exe
C:\Windows\System32\FnJXQTN.exe
2⤵
PID:10980

C:\Windows\System32\OcreTnX.exe
C:\Windows\System32\OcreTnX.exe
2⤵
PID:11008

C:\Windows\System32\WMHTmHu.exe
C:\Windows\System32\WMHTmHu.exe
2⤵
PID:11048

C:\Windows\System32\fVekrkx.exe
C:\Windows\System32\fVekrkx.exe
2⤵
PID:11064

C:\Windows\System32\OHMPbrL.exe
C:\Windows\System32\OHMPbrL.exe
2⤵
PID:11104

C:\Windows\System32\OOzcjzB.exe
C:\Windows\System32\OOzcjzB.exe
2⤵
PID:11132

C:\Windows\System32\BbnXSkM.exe
C:\Windows\System32\BbnXSkM.exe
2⤵
PID:11152

C:\Windows\System32\XjmUYeL.exe
C:\Windows\System32\XjmUYeL.exe
2⤵
PID:11176

C:\Windows\System32\ARezmIZ.exe
C:\Windows\System32\ARezmIZ.exe
2⤵
PID:11216

C:\Windows\System32\dcoVWwd.exe
C:\Windows\System32\dcoVWwd.exe
2⤵
PID:11236

C:\Windows\System32\icRZSEw.exe
C:\Windows\System32\icRZSEw.exe
2⤵
PID:10244

C:\Windows\System32\GoRzJtN.exe
C:\Windows\System32\GoRzJtN.exe
2⤵
PID:10288

C:\Windows\System32\zFXYUYv.exe
C:\Windows\System32\zFXYUYv.exe
2⤵
PID:10332

C:\Windows\System32\OrpyjlN.exe
C:\Windows\System32\OrpyjlN.exe
2⤵
PID:10404

C:\Windows\System32\BzMmXXe.exe
C:\Windows\System32\BzMmXXe.exe
2⤵
PID:10472

C:\Windows\System32\QTXCKBx.exe
C:\Windows\System32\QTXCKBx.exe
2⤵
PID:10556

C:\Windows\System32\vxSODax.exe
C:\Windows\System32\vxSODax.exe
2⤵
PID:10576

C:\Windows\System32\arYNcJk.exe
C:\Windows\System32\arYNcJk.exe
2⤵
PID:10664

C:\Windows\System32\qvXCQOK.exe
C:\Windows\System32\qvXCQOK.exe
2⤵
PID:10752

C:\Windows\System32\tUBsBxo.exe
C:\Windows\System32\tUBsBxo.exe
2⤵
PID:10800

C:\Windows\System32\WdZXIMp.exe
C:\Windows\System32\WdZXIMp.exe
2⤵
PID:10896

C:\Windows\System32\duMAYmw.exe
C:\Windows\System32\duMAYmw.exe
2⤵
PID:10924

C:\Windows\System32\pnkaMpy.exe
C:\Windows\System32\pnkaMpy.exe
2⤵
PID:10992

C:\Windows\System32\YFTcwjY.exe
C:\Windows\System32\YFTcwjY.exe
2⤵
PID:11044

C:\Windows\System32\yVWdmGW.exe
C:\Windows\System32\yVWdmGW.exe
2⤵
PID:11076

C:\Windows\System32\xlahNar.exe
C:\Windows\System32\xlahNar.exe
2⤵
PID:11192

C:\Windows\System32\YozXclp.exe
C:\Windows\System32\YozXclp.exe
2⤵
PID:11256

C:\Windows\System32\VwFtWxB.exe
C:\Windows\System32\VwFtWxB.exe
2⤵
PID:10364

C:\Windows\System32\phpdPFi.exe
C:\Windows\System32\phpdPFi.exe
2⤵
PID:10436

C:\Windows\System32\SpZftto.exe
C:\Windows\System32\SpZftto.exe
2⤵
PID:10660

C:\Windows\System32\pRvOwZX.exe
C:\Windows\System32\pRvOwZX.exe
2⤵
PID:10788

C:\Windows\System32\NSFKjIP.exe
C:\Windows\System32\NSFKjIP.exe
2⤵
PID:10856

C:\Windows\System32\yADrOFr.exe
C:\Windows\System32\yADrOFr.exe
2⤵
PID:11032

C:\Windows\System32\XxYcMIa.exe
C:\Windows\System32\XxYcMIa.exe
2⤵
PID:11244

C:\Windows\System32\LZipTIo.exe
C:\Windows\System32\LZipTIo.exe
2⤵
PID:10560

C:\Windows\System32\kxalNXf.exe
C:\Windows\System32\kxalNXf.exe
2⤵
PID:10700

C:\Windows\System32\xhosUvg.exe
C:\Windows\System32\xhosUvg.exe
2⤵
PID:11144

C:\Windows\System32\nsxMtUs.exe
C:\Windows\System32\nsxMtUs.exe
2⤵
PID:10628

C:\Windows\System32\SlRsutX.exe
C:\Windows\System32\SlRsutX.exe
2⤵
PID:10680

C:\Windows\System32\DzJxqmQ.exe
C:\Windows\System32\DzJxqmQ.exe
2⤵
PID:11296

C:\Windows\System32\iYZiWNJ.exe
C:\Windows\System32\iYZiWNJ.exe
2⤵
PID:11336

C:\Windows\System32\tYtNaAy.exe
C:\Windows\System32\tYtNaAy.exe
2⤵
PID:11364

C:\Windows\System32\wcOdLTH.exe
C:\Windows\System32\wcOdLTH.exe
2⤵
PID:11384

C:\Windows\System32\vLvwIkR.exe
C:\Windows\System32\vLvwIkR.exe
2⤵
PID:11420

C:\Windows\System32\lDlEuLX.exe
C:\Windows\System32\lDlEuLX.exe
2⤵
PID:11452

C:\Windows\System32\okgdZvT.exe
C:\Windows\System32\okgdZvT.exe
2⤵
PID:11476

C:\Windows\System32\hAyhKvv.exe
C:\Windows\System32\hAyhKvv.exe
2⤵
PID:11500

C:\Windows\System32\botVBog.exe
C:\Windows\System32\botVBog.exe
2⤵
PID:11528

C:\Windows\System32\eHfxWMr.exe
C:\Windows\System32\eHfxWMr.exe
2⤵
PID:11568

C:\Windows\System32\EUyXpvG.exe
C:\Windows\System32\EUyXpvG.exe
2⤵
PID:11596

C:\Windows\System32\YGiYaum.exe
C:\Windows\System32\YGiYaum.exe
2⤵
PID:11624

C:\Windows\System32\uMeorzA.exe
C:\Windows\System32\uMeorzA.exe
2⤵
PID:11652

C:\Windows\System32\lBdzJjr.exe
C:\Windows\System32\lBdzJjr.exe
2⤵
PID:11672

C:\Windows\System32\IRwcPxn.exe
C:\Windows\System32\IRwcPxn.exe
2⤵
PID:11700

C:\Windows\System32\HeQhgJF.exe
C:\Windows\System32\HeQhgJF.exe
2⤵
PID:11728

C:\Windows\System32\ZYmPHAj.exe
C:\Windows\System32\ZYmPHAj.exe
2⤵
PID:11764

C:\Windows\System32\RmLTlvW.exe
C:\Windows\System32\RmLTlvW.exe
2⤵
PID:11784

C:\Windows\System32\jIqcCcA.exe
C:\Windows\System32\jIqcCcA.exe
2⤵
PID:11808

C:\Windows\System32\ORiOCIX.exe
C:\Windows\System32\ORiOCIX.exe
2⤵
PID:11840

C:\Windows\System32\DmwWcGU.exe
C:\Windows\System32\DmwWcGU.exe
2⤵
PID:11868

C:\Windows\System32\YCIENSN.exe
C:\Windows\System32\YCIENSN.exe
2⤵
PID:11896

C:\Windows\System32\rIQjDDB.exe
C:\Windows\System32\rIQjDDB.exe
2⤵
PID:11920

C:\Windows\System32\WYbUvRH.exe
C:\Windows\System32\WYbUvRH.exe
2⤵
PID:11980

C:\Windows\System32\rGiUBSm.exe
C:\Windows\System32\rGiUBSm.exe
2⤵
PID:11996

C:\Windows\System32\oBkpfoT.exe
C:\Windows\System32\oBkpfoT.exe
2⤵
PID:12016

C:\Windows\System32\cZeNYLV.exe
C:\Windows\System32\cZeNYLV.exe
2⤵
PID:12040

C:\Windows\System32\pLkOEXF.exe
C:\Windows\System32\pLkOEXF.exe
2⤵
PID:12080

C:\Windows\System32\GnYUftu.exe
C:\Windows\System32\GnYUftu.exe
2⤵
PID:12108

C:\Windows\System32\qgFpWHs.exe
C:\Windows\System32\qgFpWHs.exe
2⤵
PID:12132

C:\Windows\System32\QniulRR.exe
C:\Windows\System32\QniulRR.exe
2⤵
PID:12160

C:\Windows\System32\kAyriml.exe
C:\Windows\System32\kAyriml.exe
2⤵
PID:12184

C:\Windows\System32\SrOrPul.exe
C:\Windows\System32\SrOrPul.exe
2⤵
PID:12220

C:\Windows\System32\DkVgiEA.exe
C:\Windows\System32\DkVgiEA.exe
2⤵
PID:12256

C:\Windows\System32\owzGnmF.exe
C:\Windows\System32\owzGnmF.exe
2⤵
PID:12272

C:\Windows\System32\HhRzdUH.exe
C:\Windows\System32\HhRzdUH.exe
2⤵
PID:10392

C:\Windows\System32\ueUiScY.exe
C:\Windows\System32\ueUiScY.exe
2⤵
PID:11348

C:\Windows\System32\iuceWyd.exe
C:\Windows\System32\iuceWyd.exe
2⤵
PID:11408

C:\Windows\System32\icYcjJG.exe
C:\Windows\System32\icYcjJG.exe
2⤵
PID:11468

C:\Windows\System32\NRDVEPV.exe
C:\Windows\System32\NRDVEPV.exe
2⤵
PID:11520

C:\Windows\System32\GFGHDIY.exe
C:\Windows\System32\GFGHDIY.exe
2⤵
PID:11608

C:\Windows\System32\Ijqynwy.exe
C:\Windows\System32\Ijqynwy.exe
2⤵
PID:11664

C:\Windows\System32\utIqKON.exe
C:\Windows\System32\utIqKON.exe
2⤵
PID:11772

C:\Windows\System32\lMmjkfd.exe
C:\Windows\System32\lMmjkfd.exe
2⤵
PID:11824

C:\Windows\System32\hiTidWz.exe
C:\Windows\System32\hiTidWz.exe
2⤵
PID:11888

C:\Windows\System32\iyZKise.exe
C:\Windows\System32\iyZKise.exe
2⤵
PID:11944

C:\Windows\System32\dSkfXzs.exe
C:\Windows\System32\dSkfXzs.exe
2⤵
PID:11992

C:\Windows\System32\YDpjHTU.exe
C:\Windows\System32\YDpjHTU.exe
2⤵
PID:4268

C:\Windows\System32\UDahnls.exe
C:\Windows\System32\UDahnls.exe
2⤵
PID:12144

C:\Windows\System32\hWDJrMe.exe
C:\Windows\System32\hWDJrMe.exe
2⤵
PID:12196

C:\Windows\System32\FWgsahN.exe
C:\Windows\System32\FWgsahN.exe
2⤵
PID:12280

C:\Windows\System32\hNElotA.exe
C:\Windows\System32\hNElotA.exe
2⤵
PID:11320

C:\Windows\System32\MnhKUCP.exe
C:\Windows\System32\MnhKUCP.exe
2⤵
PID:11460

C:\Windows\System32\prqOLFW.exe
C:\Windows\System32\prqOLFW.exe
2⤵
PID:11648

C:\Windows\System32\gYHyJIz.exe
C:\Windows\System32\gYHyJIz.exe
2⤵
PID:12012

C:\Windows\System32\hZIIary.exe
C:\Windows\System32\hZIIary.exe
2⤵
PID:11932

C:\Windows\System32\wiAjwfQ.exe
C:\Windows\System32\wiAjwfQ.exe
2⤵
PID:12264

C:\Windows\System32\jSZoQDx.exe
C:\Windows\System32\jSZoQDx.exe
2⤵
PID:11016

C:\Windows\System32\YeylNsF.exe
C:\Windows\System32\YeylNsF.exe
2⤵
PID:11636

C:\Windows\System32\IklWzsb.exe
C:\Windows\System32\IklWzsb.exe
2⤵
PID:11960

C:\Windows\System32\wtxOnDK.exe
C:\Windows\System32\wtxOnDK.exe
2⤵
PID:12176

C:\Windows\System32\XVzbqHI.exe
C:\Windows\System32\XVzbqHI.exe
2⤵
PID:12208

C:\Windows\System32\tmwGnjF.exe
C:\Windows\System32\tmwGnjF.exe
2⤵
PID:12300

C:\Windows\System32\vTXPRUh.exe
C:\Windows\System32\vTXPRUh.exe
2⤵
PID:12316

C:\Windows\System32\egxAznv.exe
C:\Windows\System32\egxAznv.exe
2⤵
PID:12344

C:\Windows\System32\KNtxywr.exe
C:\Windows\System32\KNtxywr.exe
2⤵
PID:12384

C:\Windows\System32\tSFeRpI.exe
C:\Windows\System32\tSFeRpI.exe
2⤵
PID:12404

C:\Windows\System32\VDWKKKk.exe
C:\Windows\System32\VDWKKKk.exe
2⤵
PID:12440

C:\Windows\System32\KphFFYQ.exe
C:\Windows\System32\KphFFYQ.exe
2⤵
PID:12464

C:\Windows\System32\TaaKMDq.exe
C:\Windows\System32\TaaKMDq.exe
2⤵
PID:12484

C:\Windows\System32\fQhRTvT.exe
C:\Windows\System32\fQhRTvT.exe
2⤵
PID:12508

C:\Windows\System32\mAHcEOc.exe
C:\Windows\System32\mAHcEOc.exe
2⤵
PID:12532

C:\Windows\System32\CJasNjG.exe
C:\Windows\System32\CJasNjG.exe
2⤵
PID:12548

C:\Windows\System32\FuCXmfl.exe
C:\Windows\System32\FuCXmfl.exe
2⤵
PID:12572

C:\Windows\System32\XysvLFX.exe
C:\Windows\System32\XysvLFX.exe
2⤵
PID:12592

C:\Windows\System32\hdbrEUo.exe
C:\Windows\System32\hdbrEUo.exe
2⤵
PID:12632

C:\Windows\System32\vBoiIsl.exe
C:\Windows\System32\vBoiIsl.exe
2⤵
PID:12648

C:\Windows\System32\nCnkJQn.exe
C:\Windows\System32\nCnkJQn.exe
2⤵
PID:12716

C:\Windows\System32\JWcnjBz.exe
C:\Windows\System32\JWcnjBz.exe
2⤵
PID:12744

C:\Windows\System32\UzRAzQL.exe
C:\Windows\System32\UzRAzQL.exe
2⤵
PID:12768

C:\Windows\System32\xwFMnoU.exe
C:\Windows\System32\xwFMnoU.exe
2⤵
PID:12824

C:\Windows\System32\YmVccdv.exe
C:\Windows\System32\YmVccdv.exe
2⤵
PID:12856

C:\Windows\System32\EnFQhhw.exe
C:\Windows\System32\EnFQhhw.exe
2⤵
PID:12896

C:\Windows\System32\NvHgDKj.exe
C:\Windows\System32\NvHgDKj.exe
2⤵
PID:12928

C:\Windows\System32\EiTGKUy.exe
C:\Windows\System32\EiTGKUy.exe
2⤵
PID:12948

C:\Windows\System32\zyEhukl.exe
C:\Windows\System32\zyEhukl.exe
2⤵
PID:12992

C:\Windows\System32\TuVrKLP.exe
C:\Windows\System32\TuVrKLP.exe
2⤵
PID:13020

C:\Windows\System32\GWCSXvE.exe
C:\Windows\System32\GWCSXvE.exe
2⤵
PID:13040

C:\Windows\System32\UGLTlwy.exe
C:\Windows\System32\UGLTlwy.exe
2⤵
PID:13064

C:\Windows\System32\sLtIVfW.exe
C:\Windows\System32\sLtIVfW.exe
2⤵
PID:13080

C:\Windows\System32\DezJkdI.exe
C:\Windows\System32\DezJkdI.exe
2⤵
PID:13120

C:\Windows\System32\QuVpHUe.exe
C:\Windows\System32\QuVpHUe.exe
2⤵
PID:13148

C:\Windows\System32\KaQpipr.exe
C:\Windows\System32\KaQpipr.exe
2⤵
PID:13164

C:\Windows\System32\eXuyLrD.exe
C:\Windows\System32\eXuyLrD.exe
2⤵
PID:13188

C:\Windows\System32\JasATvL.exe
C:\Windows\System32\JasATvL.exe
2⤵
PID:13216

C:\Windows\System32\YuTFFTi.exe
C:\Windows\System32\YuTFFTi.exe
2⤵
PID:13232

C:\Windows\System32\BmKWkeW.exe
C:\Windows\System32\BmKWkeW.exe
2⤵
PID:13296

C:\Windows\System32\wLaHkmg.exe
C:\Windows\System32\wLaHkmg.exe
2⤵
PID:12312

C:\Windows\System32\hpsdASJ.exe
C:\Windows\System32\hpsdASJ.exe
2⤵
PID:12340

C:\Windows\System32\ItZwaUx.exe
C:\Windows\System32\ItZwaUx.exe
2⤵
PID:12436

C:\Windows\System32\HhZazuC.exe
C:\Windows\System32\HhZazuC.exe
2⤵
PID:12516

C:\Windows\System32\UOCwUxl.exe
C:\Windows\System32\UOCwUxl.exe
2⤵
PID:12540

C:\Windows\System32\iDqrkOV.exe
C:\Windows\System32\iDqrkOV.exe
2⤵
PID:12608

C:\Windows\System32\PjhpPOE.exe
C:\Windows\System32\PjhpPOE.exe
2⤵
PID:4984

C:\Windows\System32\nuhrVMZ.exe
C:\Windows\System32\nuhrVMZ.exe
2⤵
PID:12640

C:\Windows\System32\Ovzsego.exe
C:\Windows\System32\Ovzsego.exe
2⤵
PID:12764

C:\Windows\System32\sXRdnRb.exe
C:\Windows\System32\sXRdnRb.exe
2⤵
PID:12848

C:\Windows\System32\DKhAWZP.exe
C:\Windows\System32\DKhAWZP.exe
2⤵
PID:12892

C:\Windows\System32\LBnNsPu.exe
C:\Windows\System32\LBnNsPu.exe
2⤵
PID:12940

C:\Windows\System32\RqAxAim.exe
C:\Windows\System32\RqAxAim.exe
2⤵
PID:13008

C:\Windows\System32\plgyLpl.exe
C:\Windows\System32\plgyLpl.exe
2⤵
PID:13052

C:\Windows\System32\YktpEUv.exe
C:\Windows\System32\YktpEUv.exe
2⤵
PID:13108

C:\Windows\System32\fjdHrvC.exe
C:\Windows\System32\fjdHrvC.exe
2⤵
PID:13240

C:\Windows\System32\bDxEjhH.exe
C:\Windows\System32\bDxEjhH.exe
2⤵
PID:12456

C:\Windows\System32\wsBTCWl.exe
C:\Windows\System32\wsBTCWl.exe
2⤵
PID:12604

C:\Windows\System32\TjiBNZM.exe
C:\Windows\System32\TjiBNZM.exe
2⤵
PID:12588

C:\Windows\System32\UMefBiL.exe
C:\Windows\System32\UMefBiL.exe
2⤵
PID:12920

C:\Windows\System32\yOaAaAF.exe
C:\Windows\System32\yOaAaAF.exe
2⤵
PID:13176

C:\Windows\System32\RxcDgZZ.exe
C:\Windows\System32\RxcDgZZ.exe
2⤵
PID:13264

C:\Windows\System32\wRwXldn.exe
C:\Windows\System32\wRwXldn.exe
2⤵
PID:12544

C:\Windows\System32\oKCJESx.exe
C:\Windows\System32\oKCJESx.exe
2⤵
PID:12756

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:13452

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14248

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8988

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:10368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:9496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9292

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12384

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12596

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6328

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6136

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9172

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10320

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3212

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10576

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12476

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7076

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8232

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8044

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10116

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\U23Z080G\microsoft.windows[1].xml
Filesize
97B

MD5
292a283bdecf4cd89c3ad863a28bc72f

SHA1
18e896fec5f8b3ea2963d0a5cb45a244050c35c1

SHA256
09794c6006f357000111d7d13c1c20075eaea58f68df78e118d14b4547835ec2

SHA512
71349774dcf41cd9e72c881cd374ffaf2527b2156a616cc064f10f34e7bbf0ea6174916acb2b8b06428f2b2f29315359e66dde317965463ea1eb70fef52beaaa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133608202958615201.txt
Filesize
75KB

MD5
ce88a108043a3d69e5325754ba9c7181

SHA1
c64f06b8081f5ec0ae7c0e1fe7b0f248aa6550c4

SHA256
b2552766ebb3469549cea5b6b609077fa6e38c000eba6befadfd275e11a8095e

SHA512
cb5e53fb1520b68178ad465cde801ed779521b843de44f894fc8fdbd071f33f663a60f570b134ff0996bf407ef9ecee72810b16dd9276469e6b0efb5d5c85829

Download Submit
C:\Windows\System32\ATyfeJM.exe
Filesize
1.6MB

MD5
f7bca02a8cb367f589a9cb4948a77092

SHA1
f144eb49c4a74e6265f4e1df345922a3518a7824

SHA256
e07916a44c198b017ab7fe9a359167a91dcd8f404c2b658edfd2290aabb94030

SHA512
517d1a13a31c98c8acaa2292693a8f83f0f6d531678c9038dcbc2d772997e296b713def330f4e7544fd33160bc97d44c58651ce54cdf6ab05d6336d58fcc63de

Download Submit
C:\Windows\System32\BLizoOF.exe
Filesize
1.6MB

MD5
5e82a31b821ca70d7811c4018f90a5d2

SHA1
4aaaa33c69981e04519da0a284dc96ab09a2c435

SHA256
c23c4d62a13549e9eb70372d835efcf23f74c00431f3caed3d878a19eb24d95f

SHA512
09f3f2ff993254d14c6d0af4266aa02f0c3faf181809c4d54f6493eff573ead4e6efb5965fba07721a25905f31400d12dee24609764b8d5edb46d90e09227ead

Download Submit
C:\Windows\System32\ExxPNiM.exe
Filesize
1.6MB

MD5
15c93570136ffe2277f110bfc5c6e625

SHA1
81321e7b877f1a983765ca3d8f931aca7375b770

SHA256
c6f2bc83df054fcd4036383471b3c282362bc396f6df72f933a106d78c9baf72

SHA512
720ee2b06e702131e54d6712c52130661ed074a8a70032ddd5abf3ecfaf9a9ba94d3cfa2bbfa45dbad38d7de36c38cfaff7805da5bc728c219d765bd85a19dec

Download Submit
C:\Windows\System32\FsNTOMS.exe
Filesize
1.6MB

MD5
ecb9f988f55c1730c3c3dcf710520336

SHA1
95cea6a56dd451f3502cf9dd8c9a99121557d096

SHA256
93018934f815ebb8fd31688eea6c20c5ab7555e6eadbba898f84f07df1205633

SHA512
4173442aeee0ef75aeb89144c36b613c7a95e701c9f748312631a1780721182faad5d64edfeafc5c2bf6de59abb7b828694a4f5fd8b5a7012ac1dd16c86d6185

Download Submit
C:\Windows\System32\IoNtrDa.exe
Filesize
1.6MB

MD5
80d2c1e4fec0d447f84d4198732f7fab

SHA1
599ba7007e53b86329bc36af7d8abd8b8ca1bf85

SHA256
151af018e1bf45250a91348c65d81ad4be63f6c5d6518f1f2f7622abf9bcf4cb

SHA512
36b555f520cab27d66037f349fb1cbf418f1e1dda604c8ae778659e7e8b41ebc9f1a13dce5e015c3bcdbd3f72fd49e7063cfc7a60f41142755a55af3ab6880e7

Download Submit
C:\Windows\System32\JYeMJNO.exe
Filesize
1.6MB

MD5
0876f51c80a2f155e7935d61431f3413

SHA1
ddfc182a6386e28fecd9e55236db7022385df3b9

SHA256
5a40740619bb0e6c8faf644447d241b0fd41c34e2c4d7b134f9c2f9c1eaabd9d

SHA512
4185818368324b9db03255901f5d7e5bd16e95ada6b8722505dae0ef1810508799f2e64c5bd5b6dc6b221dfe9346bbbe85e0e7288b68dce491294383f360547f

Download Submit
C:\Windows\System32\KLHFBYf.exe
Filesize
1.6MB

MD5
e1b598041ab89729c389f90e982293f9

SHA1
f1001db5e464ac8135fc977ce3284559e42ebc43

SHA256
915b3b13d8e86b85e3f6f65a70622223e8c59580231f860d133d4c561f38ed3e

SHA512
05c8f979fa8a2ff21910fee7e335bb9043fe91380a23c468975ab53e76360bdabfba983d299d86cff26b63f95fd7dc412931ba624a12597362e540444cc6d6f0

Download Submit
C:\Windows\System32\LSBDrvf.exe
Filesize
1.6MB

MD5
177e7ee93d712ec3d7fa3ce852db2102

SHA1
fab8f1063f1ea586e3b26f4d2b51f95910515572

SHA256
632f239a2110ddbc5fdd316a205a4d6a7c2eafb8d22ddeee53964c93e88bb831

SHA512
b5a59b0fe76deaf9f0e7e233e384445be41d023cb02a656a323d9b36437450de8e6b11be09342b3b83495f4c74797f4f05d4c6d23c2a16a8be4aa3d6d4acdd2b

Download Submit
C:\Windows\System32\NugPeKO.exe
Filesize
1.6MB

MD5
afa3e32fde3d6733bc2e6e832110504b

SHA1
3519157221e9757ee21cd988bc4d666d65201406

SHA256
c51f158c119d0afb7cddd0bf8a08226fe7125248d468d48238bbea215ef97984

SHA512
b8349fe766974b7bbb28624494f643ce2776442a9e113b32a6e96e93a45d61788cbabea264f3f67187b669f1475714cce068a292de8a2f715e6125d6a98bd767

Download Submit
C:\Windows\System32\QTaxLIi.exe
Filesize
1.6MB

MD5
fce53c1397139b62f7ef127d05b1117c

SHA1
a685653fad010ea4981f42c373d2e8d3c9f09eb8

SHA256
c05ce496f6baaee7cec9704e8240cba2eae79665334e0415d6254d4c08a93811

SHA512
630465d9f0e86bf7463ec4cd79e1f90c15794ff010bc74177ddbe6209a7fed57a075e7f1770a76b44e258d49d36321107c3a35dd91797799f1020c9bff702e4e

Download Submit
C:\Windows\System32\RRpZEwP.exe
Filesize
1.6MB

MD5
478331d73ade021f78d36ac61b284038

SHA1
7ba9609eb87fa689652e960e6dba4d5ee812d337

SHA256
fda7bbd9cf264ea432afdc1277bdc4b2eaaac6ce50f04337c42e474f242ad6be

SHA512
eba7ab979b98275f3bc50a71814335f0c618ef736cd4a310f74fbdcc27f40365d51f37a35212a1e98f955daf997e711aa0359ebe2f72847d0332a2976cc722f7

Download Submit
C:\Windows\System32\RsuzfPs.exe
Filesize
1.6MB

MD5
ee116d6fd7acce8b02b7bc1d6b7735d5

SHA1
f5b6e3661fa17559f6f58b06e5df76620ae7ae0b

SHA256
f89c118f1cf60599f87943225d7511c5e014c747d057d3ab033adba461822341

SHA512
c92ea09d69c6c02c57bdaa8c963e137077a8b721d3bd5d200f15ff0406020eb72e5c208c2638a3c8e03b574215d71615d10f2c880b96cde6715ecacffaa75505

Download Submit
C:\Windows\System32\SubCzmp.exe
Filesize
1.6MB

MD5
fa6356a0881421daf1f5a765fce0ca93

SHA1
50c476bce0caf3904fdac64a491dcd7ae6467f10

SHA256
03925608af2add983dd63bbc230bb702640c6a825b7aaaab56381f19336b4dae

SHA512
8bbb858ee5793df7c1d29c359f80582aeb938f486482e2f73b9b7927ca7e9e50bac8a39a02cfbb3185e4b3be63c06a11b277821dcb0413be676d7bee3efc289a

Download Submit
C:\Windows\System32\TlJdjOV.exe
Filesize
1.6MB

MD5
e480255fb202c8c61612a8a3db1f86a2

SHA1
e3ac2b5ca2b5c0858c65922f6ebf0b6baedf7d50

SHA256
48ecb576f145835640e93ffe7a106468ad58dada64b15f2ac1727c520d9f2411

SHA512
38f312af6bf8701388ad046647aa60e6a22283a2a2297a2522f0ff57733049be02e06cbf914c4a5b50f9a8020560fb5c1e70edbf79fa4b4ebc5cc4442a81efb2

Download Submit
C:\Windows\System32\TrfHOWk.exe
Filesize
1.6MB

MD5
f7b56bf438de0029634b9384c22bc8d6

SHA1
8c9a5f1cf3346ce52e3a294cba80899efaf1f0d7

SHA256
746ffabfae4856815542868610f151d15587019e0d03b71e1f65a9b7c5950576

SHA512
0c3d12d87bee430d9e8bceabb9c027a49832e010de1399febe455cfdbadf17cfb35729c2dc4f570b27d4fae872ef129f71cdfea98fc6a30c250683ad9d9c0d22

Download Submit
C:\Windows\System32\UwVXofQ.exe
Filesize
1.6MB

MD5
abfc5eb15e4bdfaa9f23db43e970c84d

SHA1
f75bf7b290df054df40561974a788cf1e66db5f3

SHA256
6937aae4a6a6430541f6da0485be2e1b92d878df05c7edee71b608d8ec61f93a

SHA512
feecea8b477ed365a7f291a57663accc648f9224091b07aae15ccc95bac6db777794a9f8526539c8ec83c55f32db0ce19d475471f32566f6ac69fabbc04a2da2

Download Submit
C:\Windows\System32\VEHymEF.exe
Filesize
1.6MB

MD5
f1652857d6b932bfc41b25a568039078

SHA1
ab5ab6996e0f21ad5f72bc5102571281351ebf49

SHA256
503e2d6c220f32e8e11be00d34b3be7db35b57eea546842ff94ccf76c3ab8dda

SHA512
bb3eaece18455128e3b5e68d1886c7d3d18a9a847b54d40f862f9c2b8dfb3f335eb003568ede9dda1d9f853eca228026977031c917008a072c614c6523a821dd

Download Submit
C:\Windows\System32\VSVgBEA.exe
Filesize
1.6MB

MD5
96c27acd49ac5dbce38007387935547d

SHA1
169050db3536d684ff733c13922ae8dc5a65b53d

SHA256
95ca67cea9b316d930a0044f11c247743ca6fee97382c72f5f7bad4bbafda756

SHA512
b3242b401be9205af541d7b9c7ec3d10bd093cb44c861061feffa02c1a0f42b062271987112863cc72d24f13897d5825ecb11aa28165305a0bb556119439d4bb

Download Submit
C:\Windows\System32\anoAvVv.exe
Filesize
1.6MB

MD5
15c7d464b287a7abf07c7fc464ecfe8a

SHA1
24b3289c1e3bedbd10b6b92df801c66fccb594f8

SHA256
6e076cb12a57054faba384324e461b44187db99bcdf348d656820c67398dedce

SHA512
21176d266e3ca9a2d034d9a9bea9f6fa7267fb3e843b08dc98898e37cc7dd7cd0186f994d4ee26bc51da83eb29d9c3d6a4a8e5fe05be7ab65d4d29abc14516af

Download Submit
C:\Windows\System32\dzyIeui.exe
Filesize
1.6MB

MD5
44560afd19f7ae01a7944495b545431b

SHA1
c1e49ee873b74a7c1d09c346aa73b3d9ffb4e2ce

SHA256
ebd83706c2ff5fb5b2365d5979669c84d54ac0281c0811664f063f65038197e5

SHA512
9ab979eaca154485cc31e607ffa86af24b432f8abc0bcb7fc0055bbc5861482f1c21636c335daaba381fb9d7eb3fd2a32b322a4b990af33e1d05608d1590ecb7

Download Submit
C:\Windows\System32\eAPssCu.exe
Filesize
1.6MB

MD5
917796914936df0572208682ce419fd1

SHA1
0b9961e872d49e5bbcc4bbe0905230ab365f0d1c

SHA256
a68470577875cf29fb21660ffd502c446cd3a7c7ce86056c60d33ad8439c8479

SHA512
684920402dee98188b5a2f8142e2f45e80648abea848e900f6f2456962c3c1e771cac45683c31500327b5fbe10418c3d9dae5cb368aa5ad45af1a1a0f1cd73f6

Download Submit
C:\Windows\System32\oIiBNMR.exe
Filesize
1.6MB

MD5
301d3846e128969345a57253b5d4ff56

SHA1
22c1df8499613303f5e5a516af082c3fdfd358bf

SHA256
45ec6d7edaf9c9d4c625ddb3266105f45578e9735d7577d9616401dd0033c9b8

SHA512
6627335c6dfa759887a32f62bab92e37e2b65f9c5e3c570f70d687a6b5b33087eff2280a718991287c01d8a47b5d85363062a79f3a5a06c9ffbd0ad08350c219

Download Submit
C:\Windows\System32\qZTnPVR.exe
Filesize
1.6MB

MD5
cfd1a232ff6389a42148e62a5668e37b

SHA1
5ebdb854e6057573417c1ac7a06802735450d48c

SHA256
6b982ba19129b9ab3fa7dd4ed9355e575b52fb1defa4630eefbce86d4d4699e2

SHA512
ff103f1bb0c03b14aa7270c94cc78ba4e10482a335b9b605e1ff4883a0d6992535c1d3588deed03ba8327bf51c855f322b27e91a28e3e59018068ac2e575c28b

Download Submit
C:\Windows\System32\qxmsLJO.exe
Filesize
1.6MB

MD5
52dcc5859995e12581e42fe9e9d50bf8

SHA1
ef58379bdd7f20bb0393bbc2f67bb83cdc6ef07c

SHA256
abc00391d3ecdc48528079715ee0e0df6fef7281a2193b078c9798206df10865

SHA512
76a2230d5b92e70ab31cb813e1eaf6d50e9a7e6682d44f2d896cb8669e1bd55f8354c3f139165c9868d92870f182d9c37c6bf7b21cee0d5465e81eacc06bd11b

Download Submit
C:\Windows\System32\rdUMzOS.exe
Filesize
1.6MB

MD5
c75e0f7962588ecbe217de70fb3cc100

SHA1
91aeec4bbbbe0d30fe05c0e172c640cd5e18c260

SHA256
9dda8cdd4de32151eb8ec9e84f6a0bb4489aa473f0b3d3c02ab3f074919be0fe

SHA512
34f704be9f7f5268bac66259b21f612caf312537b74f280d5b0ab2e529dd1ee8e95b48d58ae222176176b5fd333d59bd0e62d1c44dede58d10fc89e88f592cfe

Download Submit
C:\Windows\System32\snctYmh.exe
Filesize
1.6MB

MD5
7afa893a3e9aa5a09b83a7cd4b300491

SHA1
f6e7ced95e32768abb6a8e36932f0ddefea5781c

SHA256
4e120bd95131cab75e66230911699448530643154bfe0e6604786fad9abcbe8c

SHA512
36687c213f28658770f08c0e2afb42533ea0876dc82a20234d4550950416e576f23c527b0e2e453b58a3b536dbba6ae15296ef0626a052fd267f9b9ead92c9ed

Download Submit
C:\Windows\System32\tCeAcyA.exe
Filesize
1.6MB

MD5
057fb4dac45622a7825b55eb2f54af74

SHA1
a0e985f89fe65077727be87922f4cfa0f2434195

SHA256
e70a45e87829e05ecf6232a34cc731c20482e56008ef433409177ba9a981ab09

SHA512
169325e52231a06a3980dacf9ca63a5f2959a1da57139705a6348468ab64afc6c7d15cec38014b65745cb862fa39963ff089d645f26458a3c53347a09827671d

Download Submit
C:\Windows\System32\vUrskUJ.exe
Filesize
1.6MB

MD5
14c476587feaae16ff4946683f5ba868

SHA1
f1797efca5d0728d8b8e3df5bd81fdeadf8aa69f

SHA256
dbee99d6d28491c27411c4a18ff4671e411037b035bad504c484cb28cd5f4d3f

SHA512
1772a5713b70ea0ddf43b9f4b958395b2a17158ccc7c2c58e5e62424e670211da24e0316155dda7d226ebc2692e8a0c44cc4673de2d7a31a01844a7aa4d538db

Download Submit
C:\Windows\System32\wTXfPOn.exe
Filesize
1.6MB

MD5
99e77beb14bd6af52ca74559852ecdca

SHA1
128a9bf964aae1405821ac8245c5ad29e0621e7e

SHA256
33c09d2994d0abe868bc28e32a6074d09c209a5bcdfa03887e9321d1c9ed23aa

SHA512
57b8736b3e581b8a7f2e864dd1aac27c445a595195fcfb84658f2de7e58db5dc93caf7a6cb487624c776f7bbbea88f07667b906d6fcd6ed78d368cab07499771

Download Submit
C:\Windows\System32\wUyTRPS.exe
Filesize
1.6MB

MD5
8bfdd08992f40a6945ff57cbaa118f88

SHA1
ce4b8fe2455e5d57394483675224be1cfbcc031b

SHA256
18d2ee4178f7458c4b61414c1daa7787eb29f4d02d69686b3546a902724c049b

SHA512
69a99fe8d4fd722bb60d5dcdba071e538da01f36b108058c7eff16e0b231ff836bafe2af97b9e5f0e1b6ba4e445f6f59cfbd9f23fa32b76c9a34ab8a06ef1484

Download Submit
C:\Windows\System32\wYnudrx.exe
Filesize
1.6MB

MD5
4196178d4a51231d3942c222cb9b2656

SHA1
ba09501406c02c325e925edd656b87d8880f5edc

SHA256
5dd5dff7aceade3167386027bf976a9ada841ae9ed46053ce0d57aaca1dc38ca

SHA512
172e57c3f190f1d4ff2107a3c7d2db1488820976f6febd01e66e7268aa7962fb053cd4c5193ef757381a7f00ce322b049d9ef6bce67d1f5ef89d89bfe5a733d3

Download Submit
C:\Windows\System32\wpZgTxA.exe
Filesize
1.6MB

MD5
65419a70be339cf549e49002729d1035

SHA1
980595e38a85cb046178fd78ae74137c38224f87

SHA256
5df39837d8dacf131a1dffe9449631cc7e9953a7850c3c93c6b871674895d630

SHA512
90ac16f96af06f7eb4d976e13a553dce3deec328d289ceaa2dbc777ea4312d087bc0cf507c3530e6aa5b26e41552ca75135fbc3127b062c5bd303157031a2aa6

Download Submit
memory/540-2067-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp

Filesize
3.9MB

Download
memory/540-50-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp

Filesize
3.9MB

Download
memory/540-1997-0x00007FF7432D0000-0x00007FF7436C1000-memory.dmp

Filesize
3.9MB

Download
memory/640-428-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp

Filesize
3.9MB

Download
memory/640-2071-0x00007FF7C18C0000-0x00007FF7C1CB1000-memory.dmp

Filesize
3.9MB

Download
memory/1168-2082-0x00007FF750540000-0x00007FF750931000-memory.dmp

Filesize
3.9MB

Download
memory/1168-442-0x00007FF750540000-0x00007FF750931000-memory.dmp

Filesize
3.9MB

Download
memory/1284-462-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2090-0x00007FF62F4C0000-0x00007FF62F8B1000-memory.dmp

Filesize
3.9MB

Download
memory/1352-62-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp

Filesize
3.9MB

Download
memory/1352-2065-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp

Filesize
3.9MB

Download
memory/1352-2031-0x00007FF79B1C0000-0x00007FF79B5B1000-memory.dmp

Filesize
3.9MB

Download
memory/1408-416-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp

Filesize
3.9MB

Download
memory/1408-7-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp

Filesize
3.9MB

Download
memory/1408-2046-0x00007FF6DD980000-0x00007FF6DDD71000-memory.dmp

Filesize
3.9MB

Download
memory/1492-2092-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp

Filesize
3.9MB

Download
memory/1492-465-0x00007FF6DDC20000-0x00007FF6DE011000-memory.dmp

Filesize
3.9MB

Download
memory/1652-2084-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp

Filesize
3.9MB

Download
memory/1652-452-0x00007FF6DE410000-0x00007FF6DE801000-memory.dmp

Filesize
3.9MB

Download
memory/1848-450-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2081-0x00007FF7F6670000-0x00007FF7F6A61000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2088-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp

Filesize
3.9MB

Download
memory/2100-456-0x00007FF6AE870000-0x00007FF6AEC61000-memory.dmp

Filesize
3.9MB

Download
memory/2184-1996-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp

Filesize
3.9MB

Download
memory/2184-2059-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp

Filesize
3.9MB

Download
memory/2184-45-0x00007FF65A990000-0x00007FF65AD81000-memory.dmp

Filesize
3.9MB

Download
memory/2760-440-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp

Filesize
3.9MB

Download
memory/2760-2076-0x00007FF7B4C40000-0x00007FF7B5031000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2061-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2003-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/3076-58-0x00007FF6482F0000-0x00007FF6486E1000-memory.dmp

Filesize
3.9MB

Download
memory/3092-2056-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp

Filesize
3.9MB

Download
memory/3092-41-0x00007FF7FC9E0000-0x00007FF7FCDD1000-memory.dmp

Filesize
3.9MB

Download
memory/3216-38-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2054-0x00007FF6928A0000-0x00007FF692C91000-memory.dmp

Filesize
3.9MB

Download
memory/3408-415-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-1-0x0000017F0EDD0000-0x0000017F0EDE0000-memory.dmp

Filesize
64KB

Download
memory/3408-2033-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-0-0x00007FF648DE0000-0x00007FF6491D1000-memory.dmp

Filesize
3.9MB

Download
memory/3600-2068-0x00007FF75A310000-0x00007FF75A701000-memory.dmp

Filesize
3.9MB

Download
memory/3600-437-0x00007FF75A310000-0x00007FF75A701000-memory.dmp

Filesize
3.9MB

Download
memory/4248-453-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp

Filesize
3.9MB

Download
memory/4248-2086-0x00007FF7BB190000-0x00007FF7BB581000-memory.dmp

Filesize
3.9MB

Download
memory/4492-2050-0x00007FF712560000-0x00007FF712951000-memory.dmp

Filesize
3.9MB

Download
memory/4492-1911-0x00007FF712560000-0x00007FF712951000-memory.dmp

Filesize
3.9MB

Download
memory/4492-15-0x00007FF712560000-0x00007FF712951000-memory.dmp

Filesize
3.9MB

Download
memory/4560-2063-0x00007FF703880000-0x00007FF703C71000-memory.dmp

Filesize
3.9MB

Download
memory/4560-417-0x00007FF703880000-0x00007FF703C71000-memory.dmp

Filesize
3.9MB

Download
memory/4652-422-0x00007FF637260000-0x00007FF637651000-memory.dmp

Filesize
3.9MB

Download
memory/4652-2074-0x00007FF637260000-0x00007FF637651000-memory.dmp

Filesize
3.9MB

Download
memory/4680-441-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp

Filesize
3.9MB

Download
memory/4680-2078-0x00007FF6D7870000-0x00007FF6D7C61000-memory.dmp

Filesize
3.9MB

Download
memory/4792-432-0x00007FF760050000-0x00007FF760441000-memory.dmp

Filesize
3.9MB

Download
memory/4792-2073-0x00007FF760050000-0x00007FF760441000-memory.dmp

Filesize
3.9MB

Download
memory/4848-1015-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp

Filesize
3.9MB

Download
memory/4848-14-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp

Filesize
3.9MB

Download
memory/4848-2049-0x00007FF7B6160000-0x00007FF7B6551000-memory.dmp

Filesize
3.9MB

Download
memory/4888-36-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp

Filesize
3.9MB

Download
memory/4888-2052-0x00007FF66FBF0000-0x00007FF66FFE1000-memory.dmp

Filesize
3.9MB

Download