xmrig | b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f

Analysis

max time kernel
64s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
Size

1.9MB
MD5

b9f0d1750a5d788a3356bc609ecd1afc
SHA1

b14a278098b6a57d92d4134b7206beb7184d912d
SHA256

b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f
SHA512

a3b699370e1fe7596c8c52f648e3aa62a56804c62e98e1fa5a32f3fb2053e00cb5920788815df7a83e8578a325a6685611f3f6af1a577b5b25b9d7dc3349a2d4
SSDEEP

49152:knw9oUUEEDl+xTMSqm3gZE+8qdN/3tWkxjS:kQUEEi

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1952-0-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp	UPX
behavioral2/files/0x000800000002341f-4.dat	UPX
behavioral2/memory/1916-12-0x00007FF75F490000-0x00007FF75F881000-memory.dmp	UPX
behavioral2/files/0x0007000000023425-17.dat	UPX
behavioral2/files/0x0007000000023423-18.dat	UPX
behavioral2/memory/528-30-0x00007FF743120000-0x00007FF743511000-memory.dmp	UPX
behavioral2/memory/2600-32-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	UPX
behavioral2/memory/1740-46-0x00007FF766730000-0x00007FF766B21000-memory.dmp	UPX
behavioral2/memory/2576-48-0x00007FF648890000-0x00007FF648C81000-memory.dmp	UPX
behavioral2/files/0x000700000002342a-51.dat	UPX
behavioral2/files/0x000700000002342e-71.dat	UPX
behavioral2/files/0x0007000000023432-94.dat	UPX
behavioral2/files/0x0007000000023435-109.dat	UPX
behavioral2/files/0x0007000000023438-127.dat	UPX
behavioral2/files/0x0007000000023442-170.dat	UPX
behavioral2/memory/4788-299-0x00007FF627340000-0x00007FF627731000-memory.dmp	UPX
behavioral2/memory/1152-307-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	UPX
behavioral2/memory/760-314-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp	UPX
behavioral2/memory/1560-324-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp	UPX
behavioral2/memory/1120-336-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp	UPX
behavioral2/memory/3080-339-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp	UPX
behavioral2/memory/840-345-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp	UPX
behavioral2/memory/2968-349-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp	UPX
behavioral2/memory/2884-350-0x00007FF778F20000-0x00007FF779311000-memory.dmp	UPX
behavioral2/memory/2176-347-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp	UPX
behavioral2/memory/4020-334-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp	UPX
behavioral2/memory/4680-333-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp	UPX
behavioral2/memory/2756-330-0x00007FF602640000-0x00007FF602A31000-memory.dmp	UPX
behavioral2/memory/3832-351-0x00007FF72C580000-0x00007FF72C971000-memory.dmp	UPX
behavioral2/memory/4780-352-0x00007FF649920000-0x00007FF649D11000-memory.dmp	UPX
behavioral2/memory/3656-353-0x00007FF683910000-0x00007FF683D01000-memory.dmp	UPX
behavioral2/files/0x0007000000023440-167.dat	UPX
behavioral2/files/0x0007000000023441-165.dat	UPX
behavioral2/files/0x000700000002343f-162.dat	UPX
behavioral2/files/0x000700000002343e-157.dat	UPX
behavioral2/files/0x000700000002343d-152.dat	UPX
behavioral2/files/0x000700000002343c-147.dat	UPX
behavioral2/files/0x000700000002343b-142.dat	UPX
behavioral2/files/0x000700000002343a-137.dat	UPX
behavioral2/files/0x0007000000023439-132.dat	UPX
behavioral2/files/0x0007000000023437-122.dat	UPX
behavioral2/files/0x0007000000023436-117.dat	UPX
behavioral2/files/0x0007000000023434-104.dat	UPX
behavioral2/files/0x0007000000023433-99.dat	UPX
behavioral2/files/0x0007000000023431-92.dat	UPX
behavioral2/files/0x0007000000023430-84.dat	UPX
behavioral2/files/0x000700000002342f-82.dat	UPX
behavioral2/files/0x000700000002342d-69.dat	UPX
behavioral2/files/0x000700000002342c-67.dat	UPX
behavioral2/files/0x000700000002342b-62.dat	UPX
behavioral2/files/0x0007000000023429-54.dat	UPX
behavioral2/files/0x0007000000023428-50.dat	UPX
behavioral2/memory/3664-49-0x00007FF726740000-0x00007FF726B31000-memory.dmp	UPX
behavioral2/memory/4924-41-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-35.dat	UPX
behavioral2/files/0x0007000000023427-31.dat	UPX
behavioral2/memory/2936-26-0x00007FF66FF60000-0x00007FF670351000-memory.dmp	UPX
behavioral2/files/0x0007000000023424-22.dat	UPX
behavioral2/memory/1952-1975-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp	UPX
behavioral2/memory/4924-1987-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	UPX
behavioral2/memory/2600-1986-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	UPX
behavioral2/memory/2576-2016-0x00007FF648890000-0x00007FF648C81000-memory.dmp	UPX
behavioral2/memory/3664-2017-0x00007FF726740000-0x00007FF726B31000-memory.dmp	UPX
behavioral2/memory/4788-2018-0x00007FF627340000-0x00007FF627731000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/528-30-0x00007FF743120000-0x00007FF743511000-memory.dmp	xmrig
behavioral2/memory/1740-46-0x00007FF766730000-0x00007FF766B21000-memory.dmp	xmrig
behavioral2/memory/4788-299-0x00007FF627340000-0x00007FF627731000-memory.dmp	xmrig
behavioral2/memory/1152-307-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	xmrig
behavioral2/memory/760-314-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp	xmrig
behavioral2/memory/1560-324-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp	xmrig
behavioral2/memory/1120-336-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp	xmrig
behavioral2/memory/3080-339-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp	xmrig
behavioral2/memory/840-345-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp	xmrig
behavioral2/memory/2968-349-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp	xmrig
behavioral2/memory/2884-350-0x00007FF778F20000-0x00007FF779311000-memory.dmp	xmrig
behavioral2/memory/2176-347-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp	xmrig
behavioral2/memory/4020-334-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp	xmrig
behavioral2/memory/4680-333-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp	xmrig
behavioral2/memory/2756-330-0x00007FF602640000-0x00007FF602A31000-memory.dmp	xmrig
behavioral2/memory/3832-351-0x00007FF72C580000-0x00007FF72C971000-memory.dmp	xmrig
behavioral2/memory/4780-352-0x00007FF649920000-0x00007FF649D11000-memory.dmp	xmrig
behavioral2/memory/3656-353-0x00007FF683910000-0x00007FF683D01000-memory.dmp	xmrig
behavioral2/memory/4924-41-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	xmrig
behavioral2/memory/2936-26-0x00007FF66FF60000-0x00007FF670351000-memory.dmp	xmrig
behavioral2/memory/1952-1975-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp	xmrig
behavioral2/memory/4924-1987-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	xmrig
behavioral2/memory/2600-1986-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	xmrig
behavioral2/memory/2576-2016-0x00007FF648890000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/3664-2017-0x00007FF726740000-0x00007FF726B31000-memory.dmp	xmrig
behavioral2/memory/4788-2018-0x00007FF627340000-0x00007FF627731000-memory.dmp	xmrig
behavioral2/memory/1916-2191-0x00007FF75F490000-0x00007FF75F881000-memory.dmp	xmrig
behavioral2/memory/2936-2216-0x00007FF66FF60000-0x00007FF670351000-memory.dmp	xmrig
behavioral2/memory/4924-2219-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	xmrig
behavioral2/memory/528-2220-0x00007FF743120000-0x00007FF743511000-memory.dmp	xmrig
behavioral2/memory/2600-2222-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	xmrig
behavioral2/memory/1740-2224-0x00007FF766730000-0x00007FF766B21000-memory.dmp	xmrig
behavioral2/memory/2576-2232-0x00007FF648890000-0x00007FF648C81000-memory.dmp	xmrig
behavioral2/memory/2756-2243-0x00007FF602640000-0x00007FF602A31000-memory.dmp	xmrig
behavioral2/memory/4788-2241-0x00007FF627340000-0x00007FF627731000-memory.dmp	xmrig
behavioral2/memory/3664-2231-0x00007FF726740000-0x00007FF726B31000-memory.dmp	xmrig
behavioral2/memory/3656-2229-0x00007FF683910000-0x00007FF683D01000-memory.dmp	xmrig
behavioral2/memory/4680-2246-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp	xmrig
behavioral2/memory/1560-2247-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp	xmrig
behavioral2/memory/4020-2249-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp	xmrig
behavioral2/memory/1120-2251-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp	xmrig
behavioral2/memory/3080-2253-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp	xmrig
behavioral2/memory/840-2255-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp	xmrig
behavioral2/memory/1152-2227-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	xmrig
behavioral2/memory/760-2234-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp	xmrig
behavioral2/memory/4780-2269-0x00007FF649920000-0x00007FF649D11000-memory.dmp	xmrig
behavioral2/memory/2176-2267-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp	xmrig
behavioral2/memory/2968-2263-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp	xmrig
behavioral2/memory/2884-2261-0x00007FF778F20000-0x00007FF779311000-memory.dmp	xmrig
behavioral2/memory/3832-2259-0x00007FF72C580000-0x00007FF72C971000-memory.dmp	xmrig

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1916	OalgORR.exe
2936	etihECK.exe
528	MEdMXWT.exe
2600	TqMZPxO.exe
1740	xMpGakI.exe
4924	zydmcaC.exe
4788	SSsABUS.exe
2576	zHXGIkn.exe
3664	AshrQjF.exe
3656	yGYbECp.exe
1152	txpzTcb.exe
760	ZYMQaEu.exe
1560	lriHial.exe
2756	ZFbqWPU.exe
4680	YPgeNzv.exe
4020	LRgZYZA.exe
1120	THnZGPJ.exe
3080	aHuFxgl.exe
840	DmqgMXw.exe
2176	rwFaZzM.exe
2968	EVCidBs.exe
2884	JZNyXGa.exe
3832	PoOQJRC.exe
4780	jhPbBsC.exe
3408	qIrnTTz.exe
5056	IqDnxKb.exe
2672	ekOjzZp.exe
4492	cqVSvqj.exe
2912	cBGQygZ.exe
1664	fjzGefd.exe
3528	ziiQpke.exe
2112	ZUjLYZg.exe
4440	IdJYjTT.exe
2736	zjqkeqg.exe
3336	ygJboDQ.exe
2180	SubrIME.exe
2668	MqrKlhg.exe
4384	ZNyWJGt.exe
2004	whvxjYE.exe
3292	XKdlNOA.exe
512	aqWzkfB.exe
3892	dcBNJzv.exe
4224	usaRypI.exe
3352	ZVsuLWF.exe
1720	BqFtDai.exe
1572	TuwyWeq.exe
4312	jCuEwai.exe
3684	bRcwzYJ.exe
3848	DUXhzFr.exe
3124	PJredBU.exe
1384	iynyRhk.exe
1528	NYGgbiw.exe
3508	gFuoPvQ.exe
2192	MMnpnBe.exe
3008	FSIsSto.exe
4584	OrtQsLA.exe
5028	qiJgrJo.exe
4544	wythpGi.exe
1464	YhcChps.exe
884	DwrpgPY.exe
732	QYGYFZv.exe
3532	eXroBrW.exe
2724	QstJwrh.exe
3980	vDyfTsk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1952-0-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp	upx
behavioral2/files/0x000800000002341f-4.dat	upx
behavioral2/memory/1916-12-0x00007FF75F490000-0x00007FF75F881000-memory.dmp	upx
behavioral2/files/0x0007000000023425-17.dat	upx
behavioral2/files/0x0007000000023423-18.dat	upx
behavioral2/memory/528-30-0x00007FF743120000-0x00007FF743511000-memory.dmp	upx
behavioral2/memory/2600-32-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	upx
behavioral2/memory/1740-46-0x00007FF766730000-0x00007FF766B21000-memory.dmp	upx
behavioral2/memory/2576-48-0x00007FF648890000-0x00007FF648C81000-memory.dmp	upx
behavioral2/files/0x000700000002342a-51.dat	upx
behavioral2/files/0x000700000002342e-71.dat	upx
behavioral2/files/0x0007000000023432-94.dat	upx
behavioral2/files/0x0007000000023435-109.dat	upx
behavioral2/files/0x0007000000023438-127.dat	upx
behavioral2/files/0x0007000000023442-170.dat	upx
behavioral2/memory/4788-299-0x00007FF627340000-0x00007FF627731000-memory.dmp	upx
behavioral2/memory/1152-307-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp	upx
behavioral2/memory/760-314-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp	upx
behavioral2/memory/1560-324-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp	upx
behavioral2/memory/1120-336-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp	upx
behavioral2/memory/3080-339-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp	upx
behavioral2/memory/840-345-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp	upx
behavioral2/memory/2968-349-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp	upx
behavioral2/memory/2884-350-0x00007FF778F20000-0x00007FF779311000-memory.dmp	upx
behavioral2/memory/2176-347-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp	upx
behavioral2/memory/4020-334-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp	upx
behavioral2/memory/4680-333-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp	upx
behavioral2/memory/2756-330-0x00007FF602640000-0x00007FF602A31000-memory.dmp	upx
behavioral2/memory/3832-351-0x00007FF72C580000-0x00007FF72C971000-memory.dmp	upx
behavioral2/memory/4780-352-0x00007FF649920000-0x00007FF649D11000-memory.dmp	upx
behavioral2/memory/3656-353-0x00007FF683910000-0x00007FF683D01000-memory.dmp	upx
behavioral2/files/0x0007000000023440-167.dat	upx
behavioral2/files/0x0007000000023441-165.dat	upx
behavioral2/files/0x000700000002343f-162.dat	upx
behavioral2/files/0x000700000002343e-157.dat	upx
behavioral2/files/0x000700000002343d-152.dat	upx
behavioral2/files/0x000700000002343c-147.dat	upx
behavioral2/files/0x000700000002343b-142.dat	upx
behavioral2/files/0x000700000002343a-137.dat	upx
behavioral2/files/0x0007000000023439-132.dat	upx
behavioral2/files/0x0007000000023437-122.dat	upx
behavioral2/files/0x0007000000023436-117.dat	upx
behavioral2/files/0x0007000000023434-104.dat	upx
behavioral2/files/0x0007000000023433-99.dat	upx
behavioral2/files/0x0007000000023431-92.dat	upx
behavioral2/files/0x0007000000023430-84.dat	upx
behavioral2/files/0x000700000002342f-82.dat	upx
behavioral2/files/0x000700000002342d-69.dat	upx
behavioral2/files/0x000700000002342c-67.dat	upx
behavioral2/files/0x000700000002342b-62.dat	upx
behavioral2/files/0x0007000000023429-54.dat	upx
behavioral2/files/0x0007000000023428-50.dat	upx
behavioral2/memory/3664-49-0x00007FF726740000-0x00007FF726B31000-memory.dmp	upx
behavioral2/memory/4924-41-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	upx
behavioral2/files/0x0007000000023426-35.dat	upx
behavioral2/files/0x0007000000023427-31.dat	upx
behavioral2/memory/2936-26-0x00007FF66FF60000-0x00007FF670351000-memory.dmp	upx
behavioral2/files/0x0007000000023424-22.dat	upx
behavioral2/memory/1952-1975-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp	upx
behavioral2/memory/4924-1987-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp	upx
behavioral2/memory/2600-1986-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp	upx
behavioral2/memory/2576-2016-0x00007FF648890000-0x00007FF648C81000-memory.dmp	upx
behavioral2/memory/3664-2017-0x00007FF726740000-0x00007FF726B31000-memory.dmp	upx
behavioral2/memory/4788-2018-0x00007FF627340000-0x00007FF627731000-memory.dmp	upx

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\MEdMXWT.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\eszXOEI.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\MSsRLII.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\bgBgPFe.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\TqMZPxO.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\elQOfuy.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\CjeHKWz.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\dnlgWls.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\JBXGuPW.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\Befekrd.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\AshrQjF.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\YaIYDpf.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\MoBpFru.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\RXNZjkN.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\XsRlPsx.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\ekOjzZp.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\TBFyldJ.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\gsTaElB.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\UuBKSxL.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\hioudGT.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\LwhgyFi.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\LSYGPrq.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\xLTZCbc.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\lFFiDMK.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\Rdpasvf.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\NnKgMnb.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\qiTCueD.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\DvkcwPg.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\rUmawTw.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\LYRtXUZ.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\GfZWCNZ.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\uISKVRt.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\qSgPGKa.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\cujqFSF.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\qIrnTTz.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\mNqJzvm.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\RtxQgCe.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\GXPbwns.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\MYhZmsf.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\wTkdRNi.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\RfLShgd.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\whvxjYE.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\HaAYGSy.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\JXgQHES.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\UTxGlTl.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\fvomtVu.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\NXIfPNQ.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\OrtQsLA.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\DFLWfuP.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\uQNbfck.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\OglnFAb.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\UFAbLDK.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\KtvwVKB.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\uORPSRi.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\GiPkCQn.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\oOOrEWg.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\DabUusy.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\AeNczqq.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\BUHuJbm.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\NbONaWK.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\ezCsAdH.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\PoOQJRC.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\KLdWOUL.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
File created	C:\Windows\System32\UQXOVht.exe	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{2E2A32C3-2444-4E99-9687-7B38521E346C}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{F93EE52A-DFF7-4C97-9400-AEB5B3F51F3C}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{4E50EDFE-85D4-4101-960D-46F8F37DF724}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{381E4595-4D09-40C7-94B0-B7C7FBF26F0A}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	12700	explorer.exe
Token: SeCreatePagefilePrivilege	12700	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	13380	explorer.exe
Token: SeCreatePagefilePrivilege	13380	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2128	explorer.exe
Token: SeCreatePagefilePrivilege	2128	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeCreatePagefilePrivilege	2260	explorer.exe
Token: SeShutdownPrivilege	2260	explorer.exe
Token: SeCreatePagefilePrivilege	2260	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2100	sihost.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
12700	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
13380	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2128	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
2260	explorer.exe
14324	explorer.exe
14324	explorer.exe
14324	explorer.exe
14324	explorer.exe
14324	explorer.exe
14324	explorer.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3732	StartMenuExperienceHost.exe
13648	StartMenuExperienceHost.exe
2568	StartMenuExperienceHost.exe
13436	StartMenuExperienceHost.exe
13356	SearchApp.exe
4288	StartMenuExperienceHost.exe
3628	SearchApp.exe
13748	StartMenuExperienceHost.exe
7932	SearchApp.exe
7156	StartMenuExperienceHost.exe
10220	SearchApp.exe
5372	StartMenuExperienceHost.exe
5648	SearchApp.exe
12880	StartMenuExperienceHost.exe
8216	StartMenuExperienceHost.exe
9816	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1916	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	83
PID 1952 wrote to memory of 1916	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	83
PID 1952 wrote to memory of 2936	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	84
PID 1952 wrote to memory of 2936	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	84
PID 1952 wrote to memory of 528	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	85
PID 1952 wrote to memory of 528	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	85
PID 1952 wrote to memory of 2600	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	86
PID 1952 wrote to memory of 2600	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	86
PID 1952 wrote to memory of 1740	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	87
PID 1952 wrote to memory of 1740	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	87
PID 1952 wrote to memory of 4924	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	88
PID 1952 wrote to memory of 4924	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	88
PID 1952 wrote to memory of 4788	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	89
PID 1952 wrote to memory of 4788	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	89
PID 1952 wrote to memory of 2576	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	90
PID 1952 wrote to memory of 2576	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	90
PID 1952 wrote to memory of 3664	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	91
PID 1952 wrote to memory of 3664	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	91
PID 1952 wrote to memory of 3656	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	92
PID 1952 wrote to memory of 3656	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	92
PID 1952 wrote to memory of 1152	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	93
PID 1952 wrote to memory of 1152	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	93
PID 1952 wrote to memory of 760	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	94
PID 1952 wrote to memory of 760	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	94
PID 1952 wrote to memory of 1560	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	95
PID 1952 wrote to memory of 1560	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	95
PID 1952 wrote to memory of 2756	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	96
PID 1952 wrote to memory of 2756	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	96
PID 1952 wrote to memory of 4680	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	97
PID 1952 wrote to memory of 4680	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	97
PID 1952 wrote to memory of 4020	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	98
PID 1952 wrote to memory of 4020	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	98
PID 1952 wrote to memory of 1120	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	99
PID 1952 wrote to memory of 1120	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	99
PID 1952 wrote to memory of 3080	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	100
PID 1952 wrote to memory of 3080	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	100
PID 1952 wrote to memory of 840	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	101
PID 1952 wrote to memory of 840	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	101
PID 1952 wrote to memory of 2176	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	102
PID 1952 wrote to memory of 2176	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	102
PID 1952 wrote to memory of 2968	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	103
PID 1952 wrote to memory of 2968	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	103
PID 1952 wrote to memory of 2884	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	104
PID 1952 wrote to memory of 2884	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	104
PID 1952 wrote to memory of 3832	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	105
PID 1952 wrote to memory of 3832	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	105
PID 1952 wrote to memory of 4780	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	106
PID 1952 wrote to memory of 4780	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	106
PID 1952 wrote to memory of 3408	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	107
PID 1952 wrote to memory of 3408	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	107
PID 1952 wrote to memory of 5056	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	108
PID 1952 wrote to memory of 5056	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	108
PID 1952 wrote to memory of 2672	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	109
PID 1952 wrote to memory of 2672	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	109
PID 1952 wrote to memory of 4492	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	110
PID 1952 wrote to memory of 4492	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	110
PID 1952 wrote to memory of 2912	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	111
PID 1952 wrote to memory of 2912	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	111
PID 1952 wrote to memory of 1664	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	112
PID 1952 wrote to memory of 1664	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	112
PID 1952 wrote to memory of 3528	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	113
PID 1952 wrote to memory of 3528	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	113
PID 1952 wrote to memory of 2112	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	114
PID 1952 wrote to memory of 2112	1952	b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe
"C:\Users\Admin\AppData\Local\Temp\b427bf82f818a2b8550e1ff4461319f1e715d59ce8366a82195e86f6b428272f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\System32\OalgORR.exe
  C:\Windows\System32\OalgORR.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System32\etihECK.exe
  C:\Windows\System32\etihECK.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\MEdMXWT.exe
  C:\Windows\System32\MEdMXWT.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System32\TqMZPxO.exe
  C:\Windows\System32\TqMZPxO.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System32\xMpGakI.exe
  C:\Windows\System32\xMpGakI.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\zydmcaC.exe
  C:\Windows\System32\zydmcaC.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\SSsABUS.exe
  C:\Windows\System32\SSsABUS.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\zHXGIkn.exe
  C:\Windows\System32\zHXGIkn.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System32\AshrQjF.exe
  C:\Windows\System32\AshrQjF.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System32\yGYbECp.exe
  C:\Windows\System32\yGYbECp.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System32\txpzTcb.exe
  C:\Windows\System32\txpzTcb.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\ZYMQaEu.exe
  C:\Windows\System32\ZYMQaEu.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System32\lriHial.exe
  C:\Windows\System32\lriHial.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System32\ZFbqWPU.exe
  C:\Windows\System32\ZFbqWPU.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\YPgeNzv.exe
  C:\Windows\System32\YPgeNzv.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System32\LRgZYZA.exe
  C:\Windows\System32\LRgZYZA.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\THnZGPJ.exe
  C:\Windows\System32\THnZGPJ.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System32\aHuFxgl.exe
  C:\Windows\System32\aHuFxgl.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\DmqgMXw.exe
  C:\Windows\System32\DmqgMXw.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System32\rwFaZzM.exe
  C:\Windows\System32\rwFaZzM.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\EVCidBs.exe
  C:\Windows\System32\EVCidBs.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\JZNyXGa.exe
  C:\Windows\System32\JZNyXGa.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\PoOQJRC.exe
  C:\Windows\System32\PoOQJRC.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System32\jhPbBsC.exe
  C:\Windows\System32\jhPbBsC.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\qIrnTTz.exe
  C:\Windows\System32\qIrnTTz.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\IqDnxKb.exe
  C:\Windows\System32\IqDnxKb.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\ekOjzZp.exe
  C:\Windows\System32\ekOjzZp.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System32\cqVSvqj.exe
  C:\Windows\System32\cqVSvqj.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System32\cBGQygZ.exe
  C:\Windows\System32\cBGQygZ.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\fjzGefd.exe
  C:\Windows\System32\fjzGefd.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\ziiQpke.exe
  C:\Windows\System32\ziiQpke.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\ZUjLYZg.exe
  C:\Windows\System32\ZUjLYZg.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System32\IdJYjTT.exe
  C:\Windows\System32\IdJYjTT.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\zjqkeqg.exe
  C:\Windows\System32\zjqkeqg.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\ygJboDQ.exe
  C:\Windows\System32\ygJboDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System32\SubrIME.exe
  C:\Windows\System32\SubrIME.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System32\MqrKlhg.exe
  C:\Windows\System32\MqrKlhg.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System32\ZNyWJGt.exe
  C:\Windows\System32\ZNyWJGt.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System32\whvxjYE.exe
  C:\Windows\System32\whvxjYE.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System32\XKdlNOA.exe
  C:\Windows\System32\XKdlNOA.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\aqWzkfB.exe
  C:\Windows\System32\aqWzkfB.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\dcBNJzv.exe
  C:\Windows\System32\dcBNJzv.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\usaRypI.exe
  C:\Windows\System32\usaRypI.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\ZVsuLWF.exe
  C:\Windows\System32\ZVsuLWF.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\BqFtDai.exe
  C:\Windows\System32\BqFtDai.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System32\TuwyWeq.exe
  C:\Windows\System32\TuwyWeq.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\jCuEwai.exe
  C:\Windows\System32\jCuEwai.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\bRcwzYJ.exe
  C:\Windows\System32\bRcwzYJ.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System32\DUXhzFr.exe
  C:\Windows\System32\DUXhzFr.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\PJredBU.exe
  C:\Windows\System32\PJredBU.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System32\iynyRhk.exe
  C:\Windows\System32\iynyRhk.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\NYGgbiw.exe
  C:\Windows\System32\NYGgbiw.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\gFuoPvQ.exe
  C:\Windows\System32\gFuoPvQ.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\MMnpnBe.exe
  C:\Windows\System32\MMnpnBe.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\FSIsSto.exe
  C:\Windows\System32\FSIsSto.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\OrtQsLA.exe
  C:\Windows\System32\OrtQsLA.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\qiJgrJo.exe
  C:\Windows\System32\qiJgrJo.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\wythpGi.exe
  C:\Windows\System32\wythpGi.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\YhcChps.exe
  C:\Windows\System32\YhcChps.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\DwrpgPY.exe
  C:\Windows\System32\DwrpgPY.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System32\QYGYFZv.exe
  C:\Windows\System32\QYGYFZv.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System32\eXroBrW.exe
  C:\Windows\System32\eXroBrW.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\QstJwrh.exe
  C:\Windows\System32\QstJwrh.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System32\vDyfTsk.exe
  C:\Windows\System32\vDyfTsk.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System32\HGbnhSL.exe
  C:\Windows\System32\HGbnhSL.exe
  2⤵
  PID:3456
- C:\Windows\System32\dpIIxRN.exe
  C:\Windows\System32\dpIIxRN.exe
  2⤵
  PID:4052
- C:\Windows\System32\IcfqnCx.exe
  C:\Windows\System32\IcfqnCx.exe
  2⤵
  PID:2664
- C:\Windows\System32\yogguAA.exe
  C:\Windows\System32\yogguAA.exe
  2⤵
  PID:2240
- C:\Windows\System32\MKxWItb.exe
  C:\Windows\System32\MKxWItb.exe
  2⤵
  PID:2508
- C:\Windows\System32\jvyimRi.exe
  C:\Windows\System32\jvyimRi.exe
  2⤵
  PID:3004
- C:\Windows\System32\eszXOEI.exe
  C:\Windows\System32\eszXOEI.exe
  2⤵
  PID:4144
- C:\Windows\System32\VzzyyNu.exe
  C:\Windows\System32\VzzyyNu.exe
  2⤵
  PID:2144
- C:\Windows\System32\FGHqePL.exe
  C:\Windows\System32\FGHqePL.exe
  2⤵
  PID:4368
- C:\Windows\System32\rIekFcF.exe
  C:\Windows\System32\rIekFcF.exe
  2⤵
  PID:4596
- C:\Windows\System32\wLtTxQb.exe
  C:\Windows\System32\wLtTxQb.exe
  2⤵
  PID:1260
- C:\Windows\System32\JLSmMEu.exe
  C:\Windows\System32\JLSmMEu.exe
  2⤵
  PID:4908
- C:\Windows\System32\COzMNii.exe
  C:\Windows\System32\COzMNii.exe
  2⤵
  PID:2148
- C:\Windows\System32\HbIJYMT.exe
  C:\Windows\System32\HbIJYMT.exe
  2⤵
  PID:4608
- C:\Windows\System32\NNBGiop.exe
  C:\Windows\System32\NNBGiop.exe
  2⤵
  PID:3212
- C:\Windows\System32\qyIhOvj.exe
  C:\Windows\System32\qyIhOvj.exe
  2⤵
  PID:4320
- C:\Windows\System32\WSjowSm.exe
  C:\Windows\System32\WSjowSm.exe
  2⤵
  PID:3400
- C:\Windows\System32\HlrKkiE.exe
  C:\Windows\System32\HlrKkiE.exe
  2⤵
  PID:3276
- C:\Windows\System32\TBFyldJ.exe
  C:\Windows\System32\TBFyldJ.exe
  2⤵
  PID:1408
- C:\Windows\System32\Cnevgpw.exe
  C:\Windows\System32\Cnevgpw.exe
  2⤵
  PID:664
- C:\Windows\System32\TbdHptX.exe
  C:\Windows\System32\TbdHptX.exe
  2⤵
  PID:1404
- C:\Windows\System32\aSVVOSB.exe
  C:\Windows\System32\aSVVOSB.exe
  2⤵
  PID:1132
- C:\Windows\System32\RalfSPR.exe
  C:\Windows\System32\RalfSPR.exe
  2⤵
  PID:3020
- C:\Windows\System32\rrCdmdx.exe
  C:\Windows\System32\rrCdmdx.exe
  2⤵
  PID:5188
- C:\Windows\System32\OFhWPey.exe
  C:\Windows\System32\OFhWPey.exe
  2⤵
  PID:5288
- C:\Windows\System32\gTpbqFj.exe
  C:\Windows\System32\gTpbqFj.exe
  2⤵
  PID:5336
- C:\Windows\System32\cYyWlRj.exe
  C:\Windows\System32\cYyWlRj.exe
  2⤵
  PID:5356
- C:\Windows\System32\DdvMAFA.exe
  C:\Windows\System32\DdvMAFA.exe
  2⤵
  PID:5376
- C:\Windows\System32\nymrAXy.exe
  C:\Windows\System32\nymrAXy.exe
  2⤵
  PID:5416
- C:\Windows\System32\MInoTex.exe
  C:\Windows\System32\MInoTex.exe
  2⤵
  PID:5440
- C:\Windows\System32\yHegVyv.exe
  C:\Windows\System32\yHegVyv.exe
  2⤵
  PID:5460
- C:\Windows\System32\duWPrWK.exe
  C:\Windows\System32\duWPrWK.exe
  2⤵
  PID:5480
- C:\Windows\System32\XxfVheZ.exe
  C:\Windows\System32\XxfVheZ.exe
  2⤵
  PID:5496
- C:\Windows\System32\owEkJSF.exe
  C:\Windows\System32\owEkJSF.exe
  2⤵
  PID:5540
- C:\Windows\System32\ANUGoNh.exe
  C:\Windows\System32\ANUGoNh.exe
  2⤵
  PID:5564
- C:\Windows\System32\nYqTBoL.exe
  C:\Windows\System32\nYqTBoL.exe
  2⤵
  PID:5592
- C:\Windows\System32\PnKhhWX.exe
  C:\Windows\System32\PnKhhWX.exe
  2⤵
  PID:5632
- C:\Windows\System32\pLLLMSJ.exe
  C:\Windows\System32\pLLLMSJ.exe
  2⤵
  PID:5664
- C:\Windows\System32\TtAOVHm.exe
  C:\Windows\System32\TtAOVHm.exe
  2⤵
  PID:5684
- C:\Windows\System32\nzqmXlp.exe
  C:\Windows\System32\nzqmXlp.exe
  2⤵
  PID:5716
- C:\Windows\System32\GhmFKWK.exe
  C:\Windows\System32\GhmFKWK.exe
  2⤵
  PID:5756
- C:\Windows\System32\yuaebRj.exe
  C:\Windows\System32\yuaebRj.exe
  2⤵
  PID:5772
- C:\Windows\System32\yNhFtwY.exe
  C:\Windows\System32\yNhFtwY.exe
  2⤵
  PID:5808
- C:\Windows\System32\FSQjNqs.exe
  C:\Windows\System32\FSQjNqs.exe
  2⤵
  PID:5828
- C:\Windows\System32\oqfspgA.exe
  C:\Windows\System32\oqfspgA.exe
  2⤵
  PID:5852
- C:\Windows\System32\oOOrEWg.exe
  C:\Windows\System32\oOOrEWg.exe
  2⤵
  PID:5884
- C:\Windows\System32\ZYIRkwk.exe
  C:\Windows\System32\ZYIRkwk.exe
  2⤵
  PID:5904
- C:\Windows\System32\LAXUHuA.exe
  C:\Windows\System32\LAXUHuA.exe
  2⤵
  PID:5976
- C:\Windows\System32\kwXInWt.exe
  C:\Windows\System32\kwXInWt.exe
  2⤵
  PID:6008
- C:\Windows\System32\SDYkbpl.exe
  C:\Windows\System32\SDYkbpl.exe
  2⤵
  PID:6024
- C:\Windows\System32\wTkdRNi.exe
  C:\Windows\System32\wTkdRNi.exe
  2⤵
  PID:6052
- C:\Windows\System32\tnKytaw.exe
  C:\Windows\System32\tnKytaw.exe
  2⤵
  PID:6076
- C:\Windows\System32\EbnIBXy.exe
  C:\Windows\System32\EbnIBXy.exe
  2⤵
  PID:6096
- C:\Windows\System32\ywvFhaO.exe
  C:\Windows\System32\ywvFhaO.exe
  2⤵
  PID:6124
- C:\Windows\System32\CqNSLPO.exe
  C:\Windows\System32\CqNSLPO.exe
  2⤵
  PID:4900
- C:\Windows\System32\tTOfByV.exe
  C:\Windows\System32\tTOfByV.exe
  2⤵
  PID:2284
- C:\Windows\System32\lupGMPR.exe
  C:\Windows\System32\lupGMPR.exe
  2⤵
  PID:5200
- C:\Windows\System32\sfelXJr.exe
  C:\Windows\System32\sfelXJr.exe
  2⤵
  PID:3012
- C:\Windows\System32\LlMVfJd.exe
  C:\Windows\System32\LlMVfJd.exe
  2⤵
  PID:396
- C:\Windows\System32\pJGmepb.exe
  C:\Windows\System32\pJGmepb.exe
  2⤵
  PID:4892
- C:\Windows\System32\haHUiOJ.exe
  C:\Windows\System32\haHUiOJ.exe
  2⤵
  PID:3200
- C:\Windows\System32\GfZWCNZ.exe
  C:\Windows\System32\GfZWCNZ.exe
  2⤵
  PID:4748
- C:\Windows\System32\oglpayX.exe
  C:\Windows\System32\oglpayX.exe
  2⤵
  PID:4264
- C:\Windows\System32\cDbIwZy.exe
  C:\Windows\System32\cDbIwZy.exe
  2⤵
  PID:4524
- C:\Windows\System32\HaAYGSy.exe
  C:\Windows\System32\HaAYGSy.exe
  2⤵
  PID:3872
- C:\Windows\System32\EjjywPD.exe
  C:\Windows\System32\EjjywPD.exe
  2⤵
  PID:2400
- C:\Windows\System32\pvfTeOv.exe
  C:\Windows\System32\pvfTeOv.exe
  2⤵
  PID:5364
- C:\Windows\System32\ombppRU.exe
  C:\Windows\System32\ombppRU.exe
  2⤵
  PID:972
- C:\Windows\System32\iTftKOC.exe
  C:\Windows\System32\iTftKOC.exe
  2⤵
  PID:5428
- C:\Windows\System32\pFvzgfb.exe
  C:\Windows\System32\pFvzgfb.exe
  2⤵
  PID:5476
- C:\Windows\System32\jnGDgmJ.exe
  C:\Windows\System32\jnGDgmJ.exe
  2⤵
  PID:5516
- C:\Windows\System32\wmlJbCd.exe
  C:\Windows\System32\wmlJbCd.exe
  2⤵
  PID:5624
- C:\Windows\System32\FkoHQmj.exe
  C:\Windows\System32\FkoHQmj.exe
  2⤵
  PID:2132
- C:\Windows\System32\bdxNUWR.exe
  C:\Windows\System32\bdxNUWR.exe
  2⤵
  PID:540
- C:\Windows\System32\cbDaRXU.exe
  C:\Windows\System32\cbDaRXU.exe
  2⤵
  PID:5652
- C:\Windows\System32\MeDuLLX.exe
  C:\Windows\System32\MeDuLLX.exe
  2⤵
  PID:5724
- C:\Windows\System32\zvGUnha.exe
  C:\Windows\System32\zvGUnha.exe
  2⤵
  PID:5768
- C:\Windows\System32\wpUoDWA.exe
  C:\Windows\System32\wpUoDWA.exe
  2⤵
  PID:5840
- C:\Windows\System32\NnKgMnb.exe
  C:\Windows\System32\NnKgMnb.exe
  2⤵
  PID:5872
- C:\Windows\System32\LwhgyFi.exe
  C:\Windows\System32\LwhgyFi.exe
  2⤵
  PID:5912
- C:\Windows\System32\UqzoKbg.exe
  C:\Windows\System32\UqzoKbg.exe
  2⤵
  PID:5996
- C:\Windows\System32\UkOKehb.exe
  C:\Windows\System32\UkOKehb.exe
  2⤵
  PID:6064
- C:\Windows\System32\oHfvRbt.exe
  C:\Windows\System32\oHfvRbt.exe
  2⤵
  PID:6132
- C:\Windows\System32\oSLVkRN.exe
  C:\Windows\System32\oSLVkRN.exe
  2⤵
  PID:1748
- C:\Windows\System32\LgJDLZd.exe
  C:\Windows\System32\LgJDLZd.exe
  2⤵
  PID:3076
- C:\Windows\System32\NvdeKNi.exe
  C:\Windows\System32\NvdeKNi.exe
  2⤵
  PID:5520
- C:\Windows\System32\ixsQTge.exe
  C:\Windows\System32\ixsQTge.exe
  2⤵
  PID:4820
- C:\Windows\System32\ALXyNuk.exe
  C:\Windows\System32\ALXyNuk.exe
  2⤵
  PID:1412
- C:\Windows\System32\ArSTsTS.exe
  C:\Windows\System32\ArSTsTS.exe
  2⤵
  PID:5620
- C:\Windows\System32\wylPUAA.exe
  C:\Windows\System32\wylPUAA.exe
  2⤵
  PID:5764
- C:\Windows\System32\sHANtxQ.exe
  C:\Windows\System32\sHANtxQ.exe
  2⤵
  PID:5880
- C:\Windows\System32\IMsUOCu.exe
  C:\Windows\System32\IMsUOCu.exe
  2⤵
  PID:5992
- C:\Windows\System32\idodYvO.exe
  C:\Windows\System32\idodYvO.exe
  2⤵
  PID:6060
- C:\Windows\System32\DabUusy.exe
  C:\Windows\System32\DabUusy.exe
  2⤵
  PID:2256
- C:\Windows\System32\vsiptzZ.exe
  C:\Windows\System32\vsiptzZ.exe
  2⤵
  PID:5448
- C:\Windows\System32\XxinxLo.exe
  C:\Windows\System32\XxinxLo.exe
  2⤵
  PID:6164
- C:\Windows\System32\kOIGXnx.exe
  C:\Windows\System32\kOIGXnx.exe
  2⤵
  PID:6180
- C:\Windows\System32\FnIMYfx.exe
  C:\Windows\System32\FnIMYfx.exe
  2⤵
  PID:6204
- C:\Windows\System32\fgcpOvB.exe
  C:\Windows\System32\fgcpOvB.exe
  2⤵
  PID:6224
- C:\Windows\System32\eyqFfCH.exe
  C:\Windows\System32\eyqFfCH.exe
  2⤵
  PID:6244
- C:\Windows\System32\GGGUTkK.exe
  C:\Windows\System32\GGGUTkK.exe
  2⤵
  PID:6276
- C:\Windows\System32\pYkplkE.exe
  C:\Windows\System32\pYkplkE.exe
  2⤵
  PID:6296
- C:\Windows\System32\YGtVXZt.exe
  C:\Windows\System32\YGtVXZt.exe
  2⤵
  PID:6312
- C:\Windows\System32\xPgubsx.exe
  C:\Windows\System32\xPgubsx.exe
  2⤵
  PID:6336
- C:\Windows\System32\dtpcETc.exe
  C:\Windows\System32\dtpcETc.exe
  2⤵
  PID:6352
- C:\Windows\System32\LSYGPrq.exe
  C:\Windows\System32\LSYGPrq.exe
  2⤵
  PID:6376
- C:\Windows\System32\yxioPwZ.exe
  C:\Windows\System32\yxioPwZ.exe
  2⤵
  PID:6400
- C:\Windows\System32\vbHVpzg.exe
  C:\Windows\System32\vbHVpzg.exe
  2⤵
  PID:6420
- C:\Windows\System32\fVHVmVO.exe
  C:\Windows\System32\fVHVmVO.exe
  2⤵
  PID:6440
- C:\Windows\System32\MSsRLII.exe
  C:\Windows\System32\MSsRLII.exe
  2⤵
  PID:6460
- C:\Windows\System32\uWEnAID.exe
  C:\Windows\System32\uWEnAID.exe
  2⤵
  PID:6500
- C:\Windows\System32\kKniEUz.exe
  C:\Windows\System32\kKniEUz.exe
  2⤵
  PID:6560
- C:\Windows\System32\znjJssg.exe
  C:\Windows\System32\znjJssg.exe
  2⤵
  PID:6600
- C:\Windows\System32\SUMSMdZ.exe
  C:\Windows\System32\SUMSMdZ.exe
  2⤵
  PID:6628
- C:\Windows\System32\nWWAkOs.exe
  C:\Windows\System32\nWWAkOs.exe
  2⤵
  PID:6676
- C:\Windows\System32\AKTwrXS.exe
  C:\Windows\System32\AKTwrXS.exe
  2⤵
  PID:6732
- C:\Windows\System32\YjqbJzv.exe
  C:\Windows\System32\YjqbJzv.exe
  2⤵
  PID:6764
- C:\Windows\System32\DFLWfuP.exe
  C:\Windows\System32\DFLWfuP.exe
  2⤵
  PID:6784
- C:\Windows\System32\eHFhBSN.exe
  C:\Windows\System32\eHFhBSN.exe
  2⤵
  PID:6804
- C:\Windows\System32\lUbtXVR.exe
  C:\Windows\System32\lUbtXVR.exe
  2⤵
  PID:6832
- C:\Windows\System32\OSAZxfM.exe
  C:\Windows\System32\OSAZxfM.exe
  2⤵
  PID:6872
- C:\Windows\System32\MZBUDYz.exe
  C:\Windows\System32\MZBUDYz.exe
  2⤵
  PID:6892
- C:\Windows\System32\OTYShqr.exe
  C:\Windows\System32\OTYShqr.exe
  2⤵
  PID:6932
- C:\Windows\System32\KqNxUxU.exe
  C:\Windows\System32\KqNxUxU.exe
  2⤵
  PID:6952
- C:\Windows\System32\veqomQH.exe
  C:\Windows\System32\veqomQH.exe
  2⤵
  PID:6976
- C:\Windows\System32\YrCAlKZ.exe
  C:\Windows\System32\YrCAlKZ.exe
  2⤵
  PID:7024
- C:\Windows\System32\GhZnZXC.exe
  C:\Windows\System32\GhZnZXC.exe
  2⤵
  PID:7048
- C:\Windows\System32\OSKPvzn.exe
  C:\Windows\System32\OSKPvzn.exe
  2⤵
  PID:7068
- C:\Windows\System32\KLdWOUL.exe
  C:\Windows\System32\KLdWOUL.exe
  2⤵
  PID:7104
- C:\Windows\System32\MALbelC.exe
  C:\Windows\System32\MALbelC.exe
  2⤵
  PID:7120
- C:\Windows\System32\mfIoLXp.exe
  C:\Windows\System32\mfIoLXp.exe
  2⤵
  PID:7160
- C:\Windows\System32\gwfbmPd.exe
  C:\Windows\System32\gwfbmPd.exe
  2⤵
  PID:6148
- C:\Windows\System32\mRDXNDw.exe
  C:\Windows\System32\mRDXNDw.exe
  2⤵
  PID:6200
- C:\Windows\System32\BqrNTSm.exe
  C:\Windows\System32\BqrNTSm.exe
  2⤵
  PID:6236
- C:\Windows\System32\AeNczqq.exe
  C:\Windows\System32\AeNczqq.exe
  2⤵
  PID:6328
- C:\Windows\System32\oDInirX.exe
  C:\Windows\System32\oDInirX.exe
  2⤵
  PID:6372
- C:\Windows\System32\vJREqmd.exe
  C:\Windows\System32\vJREqmd.exe
  2⤵
  PID:6428
- C:\Windows\System32\xEPJCgs.exe
  C:\Windows\System32\xEPJCgs.exe
  2⤵
  PID:6516
- C:\Windows\System32\ZGSVgnX.exe
  C:\Windows\System32\ZGSVgnX.exe
  2⤵
  PID:6528
- C:\Windows\System32\qhceHoa.exe
  C:\Windows\System32\qhceHoa.exe
  2⤵
  PID:6596
- C:\Windows\System32\dvKvbxK.exe
  C:\Windows\System32\dvKvbxK.exe
  2⤵
  PID:6672
- C:\Windows\System32\bjzxOXr.exe
  C:\Windows\System32\bjzxOXr.exe
  2⤵
  PID:6744
- C:\Windows\System32\bJrSnLY.exe
  C:\Windows\System32\bJrSnLY.exe
  2⤵
  PID:6776
- C:\Windows\System32\URoCNPM.exe
  C:\Windows\System32\URoCNPM.exe
  2⤵
  PID:6860
- C:\Windows\System32\cxDShjV.exe
  C:\Windows\System32\cxDShjV.exe
  2⤵
  PID:6940
- C:\Windows\System32\uGOVSDt.exe
  C:\Windows\System32\uGOVSDt.exe
  2⤵
  PID:7016
- C:\Windows\System32\CXRzvhw.exe
  C:\Windows\System32\CXRzvhw.exe
  2⤵
  PID:7056
- C:\Windows\System32\YhLUVvT.exe
  C:\Windows\System32\YhLUVvT.exe
  2⤵
  PID:7128
- C:\Windows\System32\zHXyRqa.exe
  C:\Windows\System32\zHXyRqa.exe
  2⤵
  PID:7112
- C:\Windows\System32\XvkDnKl.exe
  C:\Windows\System32\XvkDnKl.exe
  2⤵
  PID:5264
- C:\Windows\System32\lkadFSg.exe
  C:\Windows\System32\lkadFSg.exe
  2⤵
  PID:5180
- C:\Windows\System32\mNqJzvm.exe
  C:\Windows\System32\mNqJzvm.exe
  2⤵
  PID:6344
- C:\Windows\System32\FpHIiKI.exe
  C:\Windows\System32\FpHIiKI.exe
  2⤵
  PID:6568
- C:\Windows\System32\xLTZCbc.exe
  C:\Windows\System32\xLTZCbc.exe
  2⤵
  PID:6608
- C:\Windows\System32\boMifit.exe
  C:\Windows\System32\boMifit.exe
  2⤵
  PID:5136
- C:\Windows\System32\pLZFdqB.exe
  C:\Windows\System32\pLZFdqB.exe
  2⤵
  PID:6968
- C:\Windows\System32\elQOfuy.exe
  C:\Windows\System32\elQOfuy.exe
  2⤵
  PID:4868
- C:\Windows\System32\xAflUbV.exe
  C:\Windows\System32\xAflUbV.exe
  2⤵
  PID:6272
- C:\Windows\System32\vNhrupl.exe
  C:\Windows\System32\vNhrupl.exe
  2⤵
  PID:6656
- C:\Windows\System32\NqveqkN.exe
  C:\Windows\System32\NqveqkN.exe
  2⤵
  PID:6796
- C:\Windows\System32\YaIYDpf.exe
  C:\Windows\System32\YaIYDpf.exe
  2⤵
  PID:6984
- C:\Windows\System32\DENPJjB.exe
  C:\Windows\System32\DENPJjB.exe
  2⤵
  PID:6468
- C:\Windows\System32\TKjDLdI.exe
  C:\Windows\System32\TKjDLdI.exe
  2⤵
  PID:7172
- C:\Windows\System32\EEtHBiV.exe
  C:\Windows\System32\EEtHBiV.exe
  2⤵
  PID:7192
- C:\Windows\System32\iboqYxR.exe
  C:\Windows\System32\iboqYxR.exe
  2⤵
  PID:7228
- C:\Windows\System32\mqIcWpk.exe
  C:\Windows\System32\mqIcWpk.exe
  2⤵
  PID:7244
- C:\Windows\System32\EfVNvcx.exe
  C:\Windows\System32\EfVNvcx.exe
  2⤵
  PID:7264
- C:\Windows\System32\CloyGPR.exe
  C:\Windows\System32\CloyGPR.exe
  2⤵
  PID:7292
- C:\Windows\System32\eRgjvro.exe
  C:\Windows\System32\eRgjvro.exe
  2⤵
  PID:7312
- C:\Windows\System32\VgoSWtN.exe
  C:\Windows\System32\VgoSWtN.exe
  2⤵
  PID:7356
- C:\Windows\System32\XaAmHjE.exe
  C:\Windows\System32\XaAmHjE.exe
  2⤵
  PID:7396
- C:\Windows\System32\csusdfq.exe
  C:\Windows\System32\csusdfq.exe
  2⤵
  PID:7436
- C:\Windows\System32\jZwaKDc.exe
  C:\Windows\System32\jZwaKDc.exe
  2⤵
  PID:7464
- C:\Windows\System32\jCJIDwN.exe
  C:\Windows\System32\jCJIDwN.exe
  2⤵
  PID:7484
- C:\Windows\System32\CUhyBhI.exe
  C:\Windows\System32\CUhyBhI.exe
  2⤵
  PID:7504
- C:\Windows\System32\pGJENHR.exe
  C:\Windows\System32\pGJENHR.exe
  2⤵
  PID:7528
- C:\Windows\System32\IbfzpQR.exe
  C:\Windows\System32\IbfzpQR.exe
  2⤵
  PID:7548
- C:\Windows\System32\ePtyUOC.exe
  C:\Windows\System32\ePtyUOC.exe
  2⤵
  PID:7584
- C:\Windows\System32\vDNSRCy.exe
  C:\Windows\System32\vDNSRCy.exe
  2⤵
  PID:7612
- C:\Windows\System32\KtvwVKB.exe
  C:\Windows\System32\KtvwVKB.exe
  2⤵
  PID:7632
- C:\Windows\System32\FlvKwkl.exe
  C:\Windows\System32\FlvKwkl.exe
  2⤵
  PID:7660
- C:\Windows\System32\jeiseMv.exe
  C:\Windows\System32\jeiseMv.exe
  2⤵
  PID:7680
- C:\Windows\System32\tIihrMm.exe
  C:\Windows\System32\tIihrMm.exe
  2⤵
  PID:7704
- C:\Windows\System32\RfLShgd.exe
  C:\Windows\System32\RfLShgd.exe
  2⤵
  PID:7756
- C:\Windows\System32\vJTNTRF.exe
  C:\Windows\System32\vJTNTRF.exe
  2⤵
  PID:7804
- C:\Windows\System32\tRCuGgH.exe
  C:\Windows\System32\tRCuGgH.exe
  2⤵
  PID:7828
- C:\Windows\System32\LLPvJeP.exe
  C:\Windows\System32\LLPvJeP.exe
  2⤵
  PID:7848
- C:\Windows\System32\JXgQHES.exe
  C:\Windows\System32\JXgQHES.exe
  2⤵
  PID:7872
- C:\Windows\System32\VUPHsSR.exe
  C:\Windows\System32\VUPHsSR.exe
  2⤵
  PID:7916
- C:\Windows\System32\lPwUEsT.exe
  C:\Windows\System32\lPwUEsT.exe
  2⤵
  PID:7940
- C:\Windows\System32\EGwRwne.exe
  C:\Windows\System32\EGwRwne.exe
  2⤵
  PID:7960
- C:\Windows\System32\QiiNlAd.exe
  C:\Windows\System32\QiiNlAd.exe
  2⤵
  PID:7996
- C:\Windows\System32\TUyRUgS.exe
  C:\Windows\System32\TUyRUgS.exe
  2⤵
  PID:8016
- C:\Windows\System32\wyuwesY.exe
  C:\Windows\System32\wyuwesY.exe
  2⤵
  PID:8044
- C:\Windows\System32\YVzTMPm.exe
  C:\Windows\System32\YVzTMPm.exe
  2⤵
  PID:8072
- C:\Windows\System32\gKFxeMY.exe
  C:\Windows\System32\gKFxeMY.exe
  2⤵
  PID:8104
- C:\Windows\System32\OdYNwdv.exe
  C:\Windows\System32\OdYNwdv.exe
  2⤵
  PID:8132
- C:\Windows\System32\QwzASwL.exe
  C:\Windows\System32\QwzASwL.exe
  2⤵
  PID:8148
- C:\Windows\System32\fgDTOJe.exe
  C:\Windows\System32\fgDTOJe.exe
  2⤵
  PID:8172
- C:\Windows\System32\AStwJMl.exe
  C:\Windows\System32\AStwJMl.exe
  2⤵
  PID:4112
- C:\Windows\System32\IzaWCRQ.exe
  C:\Windows\System32\IzaWCRQ.exe
  2⤵
  PID:7180
- C:\Windows\System32\XFdUGbP.exe
  C:\Windows\System32\XFdUGbP.exe
  2⤵
  PID:7324
- C:\Windows\System32\qiTCueD.exe
  C:\Windows\System32\qiTCueD.exe
  2⤵
  PID:7344
- C:\Windows\System32\asAkXHL.exe
  C:\Windows\System32\asAkXHL.exe
  2⤵
  PID:7452
- C:\Windows\System32\PwMCCkx.exe
  C:\Windows\System32\PwMCCkx.exe
  2⤵
  PID:7472
- C:\Windows\System32\FxGXaKL.exe
  C:\Windows\System32\FxGXaKL.exe
  2⤵
  PID:7576
- C:\Windows\System32\kfbeOSK.exe
  C:\Windows\System32\kfbeOSK.exe
  2⤵
  PID:7592
- C:\Windows\System32\pkloDeW.exe
  C:\Windows\System32\pkloDeW.exe
  2⤵
  PID:7604
- C:\Windows\System32\vdjgxoH.exe
  C:\Windows\System32\vdjgxoH.exe
  2⤵
  PID:7712
- C:\Windows\System32\peIrZlL.exe
  C:\Windows\System32\peIrZlL.exe
  2⤵
  PID:8056
- C:\Windows\System32\EJCbPkM.exe
  C:\Windows\System32\EJCbPkM.exe
  2⤵
  PID:8096
- C:\Windows\System32\uIjMuEI.exe
  C:\Windows\System32\uIjMuEI.exe
  2⤵
  PID:8144
- C:\Windows\System32\ZoKshKv.exe
  C:\Windows\System32\ZoKshKv.exe
  2⤵
  PID:7140
- C:\Windows\System32\UQXOVht.exe
  C:\Windows\System32\UQXOVht.exe
  2⤵
  PID:7252
- C:\Windows\System32\DvkcwPg.exe
  C:\Windows\System32\DvkcwPg.exe
  2⤵
  PID:7480
- C:\Windows\System32\MGuMIsz.exe
  C:\Windows\System32\MGuMIsz.exe
  2⤵
  PID:7564
- C:\Windows\System32\orEPZvf.exe
  C:\Windows\System32\orEPZvf.exe
  2⤵
  PID:7676
- C:\Windows\System32\CjeHKWz.exe
  C:\Windows\System32\CjeHKWz.exe
  2⤵
  PID:7936
- C:\Windows\System32\UTxGlTl.exe
  C:\Windows\System32\UTxGlTl.exe
  2⤵
  PID:7948
- C:\Windows\System32\HqVvYza.exe
  C:\Windows\System32\HqVvYza.exe
  2⤵
  PID:7780
- C:\Windows\System32\bVdGlKt.exe
  C:\Windows\System32\bVdGlKt.exe
  2⤵
  PID:8168
- C:\Windows\System32\ZaWbQZK.exe
  C:\Windows\System32\ZaWbQZK.exe
  2⤵
  PID:7656
- C:\Windows\System32\FCtSDVG.exe
  C:\Windows\System32\FCtSDVG.exe
  2⤵
  PID:7988
- C:\Windows\System32\kFmkhaC.exe
  C:\Windows\System32\kFmkhaC.exe
  2⤵
  PID:7972
- C:\Windows\System32\bXtsyPr.exe
  C:\Windows\System32\bXtsyPr.exe
  2⤵
  PID:8028
- C:\Windows\System32\eQBhhEp.exe
  C:\Windows\System32\eQBhhEp.exe
  2⤵
  PID:7340
- C:\Windows\System32\XtyICwj.exe
  C:\Windows\System32\XtyICwj.exe
  2⤵
  PID:8200
- C:\Windows\System32\UHoCNYp.exe
  C:\Windows\System32\UHoCNYp.exe
  2⤵
  PID:8228
- C:\Windows\System32\iXwTAyn.exe
  C:\Windows\System32\iXwTAyn.exe
  2⤵
  PID:8248
- C:\Windows\System32\nAkAzXl.exe
  C:\Windows\System32\nAkAzXl.exe
  2⤵
  PID:8272
- C:\Windows\System32\afNSepQ.exe
  C:\Windows\System32\afNSepQ.exe
  2⤵
  PID:8296
- C:\Windows\System32\lVuRfSV.exe
  C:\Windows\System32\lVuRfSV.exe
  2⤵
  PID:8324
- C:\Windows\System32\HpnwTwG.exe
  C:\Windows\System32\HpnwTwG.exe
  2⤵
  PID:8352
- C:\Windows\System32\kXKwscs.exe
  C:\Windows\System32\kXKwscs.exe
  2⤵
  PID:8404
- C:\Windows\System32\VuEzKnk.exe
  C:\Windows\System32\VuEzKnk.exe
  2⤵
  PID:8424
- C:\Windows\System32\flgxNZS.exe
  C:\Windows\System32\flgxNZS.exe
  2⤵
  PID:8456
- C:\Windows\System32\gsTaElB.exe
  C:\Windows\System32\gsTaElB.exe
  2⤵
  PID:8484
- C:\Windows\System32\EiaAoOA.exe
  C:\Windows\System32\EiaAoOA.exe
  2⤵
  PID:8520
- C:\Windows\System32\UuBKSxL.exe
  C:\Windows\System32\UuBKSxL.exe
  2⤵
  PID:8548
- C:\Windows\System32\TABdwVf.exe
  C:\Windows\System32\TABdwVf.exe
  2⤵
  PID:8572
- C:\Windows\System32\hnGVnjw.exe
  C:\Windows\System32\hnGVnjw.exe
  2⤵
  PID:8588
- C:\Windows\System32\jAvqamt.exe
  C:\Windows\System32\jAvqamt.exe
  2⤵
  PID:8608
- C:\Windows\System32\YyXClWH.exe
  C:\Windows\System32\YyXClWH.exe
  2⤵
  PID:8628
- C:\Windows\System32\eEKYFAK.exe
  C:\Windows\System32\eEKYFAK.exe
  2⤵
  PID:8664
- C:\Windows\System32\KZJIRkK.exe
  C:\Windows\System32\KZJIRkK.exe
  2⤵
  PID:8720
- C:\Windows\System32\dnlgWls.exe
  C:\Windows\System32\dnlgWls.exe
  2⤵
  PID:8744
- C:\Windows\System32\atxCuAV.exe
  C:\Windows\System32\atxCuAV.exe
  2⤵
  PID:8768
- C:\Windows\System32\hFgTFkB.exe
  C:\Windows\System32\hFgTFkB.exe
  2⤵
  PID:8792
- C:\Windows\System32\FSpiaRn.exe
  C:\Windows\System32\FSpiaRn.exe
  2⤵
  PID:8812
- C:\Windows\System32\Lwwkvra.exe
  C:\Windows\System32\Lwwkvra.exe
  2⤵
  PID:8832
- C:\Windows\System32\jZvPbPD.exe
  C:\Windows\System32\jZvPbPD.exe
  2⤵
  PID:8876
- C:\Windows\System32\zMSZbkW.exe
  C:\Windows\System32\zMSZbkW.exe
  2⤵
  PID:8916
- C:\Windows\System32\MoBpFru.exe
  C:\Windows\System32\MoBpFru.exe
  2⤵
  PID:8932
- C:\Windows\System32\JjZczdD.exe
  C:\Windows\System32\JjZczdD.exe
  2⤵
  PID:8960
- C:\Windows\System32\DUbRzsk.exe
  C:\Windows\System32\DUbRzsk.exe
  2⤵
  PID:8980
- C:\Windows\System32\rxgbWSp.exe
  C:\Windows\System32\rxgbWSp.exe
  2⤵
  PID:9012
- C:\Windows\System32\LcaNOGe.exe
  C:\Windows\System32\LcaNOGe.exe
  2⤵
  PID:9052
- C:\Windows\System32\NqKTZSN.exe
  C:\Windows\System32\NqKTZSN.exe
  2⤵
  PID:9076
- C:\Windows\System32\PmUOOXj.exe
  C:\Windows\System32\PmUOOXj.exe
  2⤵
  PID:9096
- C:\Windows\System32\ZhQhITk.exe
  C:\Windows\System32\ZhQhITk.exe
  2⤵
  PID:9120
- C:\Windows\System32\acehheh.exe
  C:\Windows\System32\acehheh.exe
  2⤵
  PID:9172
- C:\Windows\System32\CKjNmzC.exe
  C:\Windows\System32\CKjNmzC.exe
  2⤵
  PID:9196
- C:\Windows\System32\hLcyytn.exe
  C:\Windows\System32\hLcyytn.exe
  2⤵
  PID:7840
- C:\Windows\System32\prrMxmy.exe
  C:\Windows\System32\prrMxmy.exe
  2⤵
  PID:8264
- C:\Windows\System32\DNiSuNg.exe
  C:\Windows\System32\DNiSuNg.exe
  2⤵
  PID:8288
- C:\Windows\System32\uISKVRt.exe
  C:\Windows\System32\uISKVRt.exe
  2⤵
  PID:8308
- C:\Windows\System32\sRGLmay.exe
  C:\Windows\System32\sRGLmay.exe
  2⤵
  PID:8420
- C:\Windows\System32\NzVLgQV.exe
  C:\Windows\System32\NzVLgQV.exe
  2⤵
  PID:8492
- C:\Windows\System32\qIIoQEY.exe
  C:\Windows\System32\qIIoQEY.exe
  2⤵
  PID:8532
- C:\Windows\System32\RXNZjkN.exe
  C:\Windows\System32\RXNZjkN.exe
  2⤵
  PID:8600
- C:\Windows\System32\zZTTGLl.exe
  C:\Windows\System32\zZTTGLl.exe
  2⤵
  PID:8752
- C:\Windows\System32\vFEMbJY.exe
  C:\Windows\System32\vFEMbJY.exe
  2⤵
  PID:8808
- C:\Windows\System32\NxiXdMG.exe
  C:\Windows\System32\NxiXdMG.exe
  2⤵
  PID:8872
- C:\Windows\System32\kYjkfMM.exe
  C:\Windows\System32\kYjkfMM.exe
  2⤵
  PID:8908
- C:\Windows\System32\rBAFDmj.exe
  C:\Windows\System32\rBAFDmj.exe
  2⤵
  PID:8976
- C:\Windows\System32\QcutfGB.exe
  C:\Windows\System32\QcutfGB.exe
  2⤵
  PID:9004
- C:\Windows\System32\irwpDXs.exe
  C:\Windows\System32\irwpDXs.exe
  2⤵
  PID:9044
- C:\Windows\System32\YFimTuP.exe
  C:\Windows\System32\YFimTuP.exe
  2⤵
  PID:9136
- C:\Windows\System32\jqGAjWO.exe
  C:\Windows\System32\jqGAjWO.exe
  2⤵
  PID:9168
- C:\Windows\System32\HUoeDal.exe
  C:\Windows\System32\HUoeDal.exe
  2⤵
  PID:8284
- C:\Windows\System32\KNoDUqY.exe
  C:\Windows\System32\KNoDUqY.exe
  2⤵
  PID:8604
- C:\Windows\System32\wsHQRqb.exe
  C:\Windows\System32\wsHQRqb.exe
  2⤵
  PID:8564
- C:\Windows\System32\tMcSJIZ.exe
  C:\Windows\System32\tMcSJIZ.exe
  2⤵
  PID:8800
- C:\Windows\System32\hdiqgvF.exe
  C:\Windows\System32\hdiqgvF.exe
  2⤵
  PID:9036
- C:\Windows\System32\MKUehWQ.exe
  C:\Windows\System32\MKUehWQ.exe
  2⤵
  PID:9068
- C:\Windows\System32\UdRuDpM.exe
  C:\Windows\System32\UdRuDpM.exe
  2⤵
  PID:9132
- C:\Windows\System32\WfvOpch.exe
  C:\Windows\System32\WfvOpch.exe
  2⤵
  PID:8840
- C:\Windows\System32\HfPhLXP.exe
  C:\Windows\System32\HfPhLXP.exe
  2⤵
  PID:8948
- C:\Windows\System32\YgRhLiM.exe
  C:\Windows\System32\YgRhLiM.exe
  2⤵
  PID:8684
- C:\Windows\System32\VhJKXcx.exe
  C:\Windows\System32\VhJKXcx.exe
  2⤵
  PID:9228
- C:\Windows\System32\ITIccGO.exe
  C:\Windows\System32\ITIccGO.exe
  2⤵
  PID:9264
- C:\Windows\System32\bZibQEm.exe
  C:\Windows\System32\bZibQEm.exe
  2⤵
  PID:9296
- C:\Windows\System32\zJKPOsU.exe
  C:\Windows\System32\zJKPOsU.exe
  2⤵
  PID:9316
- C:\Windows\System32\GWfhGUI.exe
  C:\Windows\System32\GWfhGUI.exe
  2⤵
  PID:9340
- C:\Windows\System32\QshczFM.exe
  C:\Windows\System32\QshczFM.exe
  2⤵
  PID:9368
- C:\Windows\System32\orJHjqo.exe
  C:\Windows\System32\orJHjqo.exe
  2⤵
  PID:9416
- C:\Windows\System32\lFFiDMK.exe
  C:\Windows\System32\lFFiDMK.exe
  2⤵
  PID:9440
- C:\Windows\System32\jaVqQiS.exe
  C:\Windows\System32\jaVqQiS.exe
  2⤵
  PID:9464
- C:\Windows\System32\DPlbLrn.exe
  C:\Windows\System32\DPlbLrn.exe
  2⤵
  PID:9484
- C:\Windows\System32\auqOexj.exe
  C:\Windows\System32\auqOexj.exe
  2⤵
  PID:9508
- C:\Windows\System32\BUHuJbm.exe
  C:\Windows\System32\BUHuJbm.exe
  2⤵
  PID:9536
- C:\Windows\System32\UfLSVPZ.exe
  C:\Windows\System32\UfLSVPZ.exe
  2⤵
  PID:9556
- C:\Windows\System32\psscsrY.exe
  C:\Windows\System32\psscsrY.exe
  2⤵
  PID:9584
- C:\Windows\System32\SwCFVMp.exe
  C:\Windows\System32\SwCFVMp.exe
  2⤵
  PID:9628
- C:\Windows\System32\TDJRScE.exe
  C:\Windows\System32\TDJRScE.exe
  2⤵
  PID:9648
- C:\Windows\System32\gXjxrjB.exe
  C:\Windows\System32\gXjxrjB.exe
  2⤵
  PID:9676
- C:\Windows\System32\lHFygnf.exe
  C:\Windows\System32\lHFygnf.exe
  2⤵
  PID:9708
- C:\Windows\System32\IwSSZbR.exe
  C:\Windows\System32\IwSSZbR.exe
  2⤵
  PID:9736
- C:\Windows\System32\crFlJlq.exe
  C:\Windows\System32\crFlJlq.exe
  2⤵
  PID:9776
- C:\Windows\System32\eEbUDPL.exe
  C:\Windows\System32\eEbUDPL.exe
  2⤵
  PID:9796
- C:\Windows\System32\CShcqmF.exe
  C:\Windows\System32\CShcqmF.exe
  2⤵
  PID:9820
- C:\Windows\System32\rUmawTw.exe
  C:\Windows\System32\rUmawTw.exe
  2⤵
  PID:9872
- C:\Windows\System32\DiXxqjf.exe
  C:\Windows\System32\DiXxqjf.exe
  2⤵
  PID:9900
- C:\Windows\System32\dIDofDx.exe
  C:\Windows\System32\dIDofDx.exe
  2⤵
  PID:9916
- C:\Windows\System32\VNtGsYj.exe
  C:\Windows\System32\VNtGsYj.exe
  2⤵
  PID:9944
- C:\Windows\System32\ghQLTPc.exe
  C:\Windows\System32\ghQLTPc.exe
  2⤵
  PID:9964
- C:\Windows\System32\HWNqNdz.exe
  C:\Windows\System32\HWNqNdz.exe
  2⤵
  PID:10012
- C:\Windows\System32\vfxqMII.exe
  C:\Windows\System32\vfxqMII.exe
  2⤵
  PID:10036
- C:\Windows\System32\adOaYIE.exe
  C:\Windows\System32\adOaYIE.exe
  2⤵
  PID:10056
- C:\Windows\System32\zRcQZDm.exe
  C:\Windows\System32\zRcQZDm.exe
  2⤵
  PID:10076
- C:\Windows\System32\mtluFmM.exe
  C:\Windows\System32\mtluFmM.exe
  2⤵
  PID:10100
- C:\Windows\System32\jdnmSNX.exe
  C:\Windows\System32\jdnmSNX.exe
  2⤵
  PID:10136
- C:\Windows\System32\KxePDgg.exe
  C:\Windows\System32\KxePDgg.exe
  2⤵
  PID:10156
- C:\Windows\System32\ynyzycf.exe
  C:\Windows\System32\ynyzycf.exe
  2⤵
  PID:10188
- C:\Windows\System32\wVjlcQm.exe
  C:\Windows\System32\wVjlcQm.exe
  2⤵
  PID:10228
- C:\Windows\System32\rciHWhy.exe
  C:\Windows\System32\rciHWhy.exe
  2⤵
  PID:9252
- C:\Windows\System32\emWPPsi.exe
  C:\Windows\System32\emWPPsi.exe
  2⤵
  PID:9288
- C:\Windows\System32\qujgdXH.exe
  C:\Windows\System32\qujgdXH.exe
  2⤵
  PID:9324
- C:\Windows\System32\ZUGymwu.exe
  C:\Windows\System32\ZUGymwu.exe
  2⤵
  PID:9452
- C:\Windows\System32\KNQYbDv.exe
  C:\Windows\System32\KNQYbDv.exe
  2⤵
  PID:9448
- C:\Windows\System32\TlejxaZ.exe
  C:\Windows\System32\TlejxaZ.exe
  2⤵
  PID:9572
- C:\Windows\System32\OKlbtLB.exe
  C:\Windows\System32\OKlbtLB.exe
  2⤵
  PID:9596
- C:\Windows\System32\WxtskEf.exe
  C:\Windows\System32\WxtskEf.exe
  2⤵
  PID:9704
- C:\Windows\System32\MdUZBnR.exe
  C:\Windows\System32\MdUZBnR.exe
  2⤵
  PID:9752
- C:\Windows\System32\NbONaWK.exe
  C:\Windows\System32\NbONaWK.exe
  2⤵
  PID:9792
- C:\Windows\System32\WgYAarF.exe
  C:\Windows\System32\WgYAarF.exe
  2⤵
  PID:9832
- C:\Windows\System32\hlckyCL.exe
  C:\Windows\System32\hlckyCL.exe
  2⤵
  PID:9912
- C:\Windows\System32\okkZjbe.exe
  C:\Windows\System32\okkZjbe.exe
  2⤵
  PID:9956
- C:\Windows\System32\mYLrtRx.exe
  C:\Windows\System32\mYLrtRx.exe
  2⤵
  PID:9984
- C:\Windows\System32\EPVTiXp.exe
  C:\Windows\System32\EPVTiXp.exe
  2⤵
  PID:10128
- C:\Windows\System32\xkCaNXs.exe
  C:\Windows\System32\xkCaNXs.exe
  2⤵
  PID:10148
- C:\Windows\System32\qSgPGKa.exe
  C:\Windows\System32\qSgPGKa.exe
  2⤵
  PID:10208
- C:\Windows\System32\iJXtOPN.exe
  C:\Windows\System32\iJXtOPN.exe
  2⤵
  PID:3760
- C:\Windows\System32\PFzXNfG.exe
  C:\Windows\System32\PFzXNfG.exe
  2⤵
  PID:9400
- C:\Windows\System32\bfEQEPn.exe
  C:\Windows\System32\bfEQEPn.exe
  2⤵
  PID:9620
- C:\Windows\System32\bEJoWRy.exe
  C:\Windows\System32\bEJoWRy.exe
  2⤵
  PID:9880
- C:\Windows\System32\XsRlPsx.exe
  C:\Windows\System32\XsRlPsx.exe
  2⤵
  PID:9980
- C:\Windows\System32\VYtSxAS.exe
  C:\Windows\System32\VYtSxAS.exe
  2⤵
  PID:10068
- C:\Windows\System32\RtxQgCe.exe
  C:\Windows\System32\RtxQgCe.exe
  2⤵
  PID:9472
- C:\Windows\System32\GXPbwns.exe
  C:\Windows\System32\GXPbwns.exe
  2⤵
  PID:9328
- C:\Windows\System32\mdyjkES.exe
  C:\Windows\System32\mdyjkES.exe
  2⤵
  PID:10024
- C:\Windows\System32\vfBSMVz.exe
  C:\Windows\System32\vfBSMVz.exe
  2⤵
  PID:9240
- C:\Windows\System32\UxkCozO.exe
  C:\Windows\System32\UxkCozO.exe
  2⤵
  PID:10252
- C:\Windows\System32\RdEioRg.exe
  C:\Windows\System32\RdEioRg.exe
  2⤵
  PID:10284
- C:\Windows\System32\iDrvJpF.exe
  C:\Windows\System32\iDrvJpF.exe
  2⤵
  PID:10300
- C:\Windows\System32\NPEFpux.exe
  C:\Windows\System32\NPEFpux.exe
  2⤵
  PID:10320
- C:\Windows\System32\kIFWzSq.exe
  C:\Windows\System32\kIFWzSq.exe
  2⤵
  PID:10348
- C:\Windows\System32\YganEDl.exe
  C:\Windows\System32\YganEDl.exe
  2⤵
  PID:10392
- C:\Windows\System32\vekjoqt.exe
  C:\Windows\System32\vekjoqt.exe
  2⤵
  PID:10408
- C:\Windows\System32\gzanipr.exe
  C:\Windows\System32\gzanipr.exe
  2⤵
  PID:10436
- C:\Windows\System32\DlGyYOj.exe
  C:\Windows\System32\DlGyYOj.exe
  2⤵
  PID:10484
- C:\Windows\System32\byuXXdI.exe
  C:\Windows\System32\byuXXdI.exe
  2⤵
  PID:10504
- C:\Windows\System32\GfsXsDx.exe
  C:\Windows\System32\GfsXsDx.exe
  2⤵
  PID:10540
- C:\Windows\System32\enQpkkS.exe
  C:\Windows\System32\enQpkkS.exe
  2⤵
  PID:10560
- C:\Windows\System32\fXtshZq.exe
  C:\Windows\System32\fXtshZq.exe
  2⤵
  PID:10584
- C:\Windows\System32\yDDoixD.exe
  C:\Windows\System32\yDDoixD.exe
  2⤵
  PID:10616
- C:\Windows\System32\kuEGzoq.exe
  C:\Windows\System32\kuEGzoq.exe
  2⤵
  PID:10644
- C:\Windows\System32\ByRoxXC.exe
  C:\Windows\System32\ByRoxXC.exe
  2⤵
  PID:10664
- C:\Windows\System32\dbneJOb.exe
  C:\Windows\System32\dbneJOb.exe
  2⤵
  PID:10700
- C:\Windows\System32\uQNbfck.exe
  C:\Windows\System32\uQNbfck.exe
  2⤵
  PID:10748
- C:\Windows\System32\XCCBRgU.exe
  C:\Windows\System32\XCCBRgU.exe
  2⤵
  PID:10772
- C:\Windows\System32\mvoZhVl.exe
  C:\Windows\System32\mvoZhVl.exe
  2⤵
  PID:10800
- C:\Windows\System32\HXfFnmu.exe
  C:\Windows\System32\HXfFnmu.exe
  2⤵
  PID:10860
- C:\Windows\System32\Rdpasvf.exe
  C:\Windows\System32\Rdpasvf.exe
  2⤵
  PID:10884
- C:\Windows\System32\MDQYqOb.exe
  C:\Windows\System32\MDQYqOb.exe
  2⤵
  PID:10900
- C:\Windows\System32\kObxlXH.exe
  C:\Windows\System32\kObxlXH.exe
  2⤵
  PID:10916
- C:\Windows\System32\vCBICDU.exe
  C:\Windows\System32\vCBICDU.exe
  2⤵
  PID:10968
- C:\Windows\System32\EHpUSWc.exe
  C:\Windows\System32\EHpUSWc.exe
  2⤵
  PID:10984
- C:\Windows\System32\nkwFYxn.exe
  C:\Windows\System32\nkwFYxn.exe
  2⤵
  PID:11000
- C:\Windows\System32\wieOAgX.exe
  C:\Windows\System32\wieOAgX.exe
  2⤵
  PID:11016
- C:\Windows\System32\fCCKrrb.exe
  C:\Windows\System32\fCCKrrb.exe
  2⤵
  PID:11032
- C:\Windows\System32\gkWFQlG.exe
  C:\Windows\System32\gkWFQlG.exe
  2⤵
  PID:11060
- C:\Windows\System32\buojJFC.exe
  C:\Windows\System32\buojJFC.exe
  2⤵
  PID:11156
- C:\Windows\System32\bgBgPFe.exe
  C:\Windows\System32\bgBgPFe.exe
  2⤵
  PID:11180
- C:\Windows\System32\LGVRAMz.exe
  C:\Windows\System32\LGVRAMz.exe
  2⤵
  PID:11236
- C:\Windows\System32\xSzrnIo.exe
  C:\Windows\System32\xSzrnIo.exe
  2⤵
  PID:9360
- C:\Windows\System32\SCuIrRY.exe
  C:\Windows\System32\SCuIrRY.exe
  2⤵
  PID:9608
- C:\Windows\System32\dSchdkC.exe
  C:\Windows\System32\dSchdkC.exe
  2⤵
  PID:10292
- C:\Windows\System32\ZgEjCGr.exe
  C:\Windows\System32\ZgEjCGr.exe
  2⤵
  PID:10336
- C:\Windows\System32\CaVVIJX.exe
  C:\Windows\System32\CaVVIJX.exe
  2⤵
  PID:10376
- C:\Windows\System32\dyLtEoW.exe
  C:\Windows\System32\dyLtEoW.exe
  2⤵
  PID:10420
- C:\Windows\System32\sXJeblg.exe
  C:\Windows\System32\sXJeblg.exe
  2⤵
  PID:10596
- C:\Windows\System32\GKSQgxm.exe
  C:\Windows\System32\GKSQgxm.exe
  2⤵
  PID:10636
- C:\Windows\System32\uksUvKI.exe
  C:\Windows\System32\uksUvKI.exe
  2⤵
  PID:10708
- C:\Windows\System32\aggqzCD.exe
  C:\Windows\System32\aggqzCD.exe
  2⤵
  PID:10760
- C:\Windows\System32\eNYYPAb.exe
  C:\Windows\System32\eNYYPAb.exe
  2⤵
  PID:10812
- C:\Windows\System32\KtoIjkx.exe
  C:\Windows\System32\KtoIjkx.exe
  2⤵
  PID:10828
- C:\Windows\System32\CgiXrQS.exe
  C:\Windows\System32\CgiXrQS.exe
  2⤵
  PID:10912
- C:\Windows\System32\mqdMXHZ.exe
  C:\Windows\System32\mqdMXHZ.exe
  2⤵
  PID:11048
- C:\Windows\System32\VKFKwiu.exe
  C:\Windows\System32\VKFKwiu.exe
  2⤵
  PID:10996
- C:\Windows\System32\YlzBLOS.exe
  C:\Windows\System32\YlzBLOS.exe
  2⤵
  PID:11044
- C:\Windows\System32\AXrAKOu.exe
  C:\Windows\System32\AXrAKOu.exe
  2⤵
  PID:11140
- C:\Windows\System32\OglnFAb.exe
  C:\Windows\System32\OglnFAb.exe
  2⤵
  PID:11144
- C:\Windows\System32\KfQrEuq.exe
  C:\Windows\System32\KfQrEuq.exe
  2⤵
  PID:11248
- C:\Windows\System32\wMzllAg.exe
  C:\Windows\System32\wMzllAg.exe
  2⤵
  PID:10296
- C:\Windows\System32\jruNVXU.exe
  C:\Windows\System32\jruNVXU.exe
  2⤵
  PID:10364
- C:\Windows\System32\AQMjXrF.exe
  C:\Windows\System32\AQMjXrF.exe
  2⤵
  PID:10624
- C:\Windows\System32\LMkQyFb.exe
  C:\Windows\System32\LMkQyFb.exe
  2⤵
  PID:10716
- C:\Windows\System32\KuTaUTr.exe
  C:\Windows\System32\KuTaUTr.exe
  2⤵
  PID:10928
- C:\Windows\System32\SaBTalI.exe
  C:\Windows\System32\SaBTalI.exe
  2⤵
  PID:11056
- C:\Windows\System32\dNTGwRM.exe
  C:\Windows\System32\dNTGwRM.exe
  2⤵
  PID:11088
- C:\Windows\System32\onlEGsY.exe
  C:\Windows\System32\onlEGsY.exe
  2⤵
  PID:10520
- C:\Windows\System32\cujqFSF.exe
  C:\Windows\System32\cujqFSF.exe
  2⤵
  PID:10548
- C:\Windows\System32\uRZUdLi.exe
  C:\Windows\System32\uRZUdLi.exe
  2⤵
  PID:10344
- C:\Windows\System32\YeAGjjI.exe
  C:\Windows\System32\YeAGjjI.exe
  2⤵
  PID:10360
- C:\Windows\System32\rdlRTTn.exe
  C:\Windows\System32\rdlRTTn.exe
  2⤵
  PID:10908
- C:\Windows\System32\qabRWeC.exe
  C:\Windows\System32\qabRWeC.exe
  2⤵
  PID:11028
- C:\Windows\System32\qDgWfGK.exe
  C:\Windows\System32\qDgWfGK.exe
  2⤵
  PID:11288
- C:\Windows\System32\gVkiMsb.exe
  C:\Windows\System32\gVkiMsb.exe
  2⤵
  PID:11304
- C:\Windows\System32\ZipziCS.exe
  C:\Windows\System32\ZipziCS.exe
  2⤵
  PID:11328
- C:\Windows\System32\fOSALMG.exe
  C:\Windows\System32\fOSALMG.exe
  2⤵
  PID:11368
- C:\Windows\System32\wulOIoE.exe
  C:\Windows\System32\wulOIoE.exe
  2⤵
  PID:11400
- C:\Windows\System32\GLKbdeV.exe
  C:\Windows\System32\GLKbdeV.exe
  2⤵
  PID:11416
- C:\Windows\System32\kukwTRG.exe
  C:\Windows\System32\kukwTRG.exe
  2⤵
  PID:11448
- C:\Windows\System32\XCUmZOx.exe
  C:\Windows\System32\XCUmZOx.exe
  2⤵
  PID:11468
- C:\Windows\System32\bUBrlTB.exe
  C:\Windows\System32\bUBrlTB.exe
  2⤵
  PID:11496
- C:\Windows\System32\ihZBiTQ.exe
  C:\Windows\System32\ihZBiTQ.exe
  2⤵
  PID:11528
- C:\Windows\System32\uQJhKse.exe
  C:\Windows\System32\uQJhKse.exe
  2⤵
  PID:11572
- C:\Windows\System32\moltjPn.exe
  C:\Windows\System32\moltjPn.exe
  2⤵
  PID:11608
- C:\Windows\System32\nLXchNb.exe
  C:\Windows\System32\nLXchNb.exe
  2⤵
  PID:11632
- C:\Windows\System32\alHGHWR.exe
  C:\Windows\System32\alHGHWR.exe
  2⤵
  PID:11660
- C:\Windows\System32\EDNGQmH.exe
  C:\Windows\System32\EDNGQmH.exe
  2⤵
  PID:11708
- C:\Windows\System32\pfelZby.exe
  C:\Windows\System32\pfelZby.exe
  2⤵
  PID:11736
- C:\Windows\System32\RfFMBpm.exe
  C:\Windows\System32\RfFMBpm.exe
  2⤵
  PID:11764
- C:\Windows\System32\FIMIRFk.exe
  C:\Windows\System32\FIMIRFk.exe
  2⤵
  PID:11780
- C:\Windows\System32\iHDFPBf.exe
  C:\Windows\System32\iHDFPBf.exe
  2⤵
  PID:11812
- C:\Windows\System32\auCYJPa.exe
  C:\Windows\System32\auCYJPa.exe
  2⤵
  PID:11848
- C:\Windows\System32\TmbUVCZ.exe
  C:\Windows\System32\TmbUVCZ.exe
  2⤵
  PID:11868
- C:\Windows\System32\RsWVCRD.exe
  C:\Windows\System32\RsWVCRD.exe
  2⤵
  PID:11888
- C:\Windows\System32\DqsXtip.exe
  C:\Windows\System32\DqsXtip.exe
  2⤵
  PID:11924
- C:\Windows\System32\uKeNOyH.exe
  C:\Windows\System32\uKeNOyH.exe
  2⤵
  PID:11952
- C:\Windows\System32\McAHzii.exe
  C:\Windows\System32\McAHzii.exe
  2⤵
  PID:11968
- C:\Windows\System32\xghuvmq.exe
  C:\Windows\System32\xghuvmq.exe
  2⤵
  PID:11988
- C:\Windows\System32\aYnqCqA.exe
  C:\Windows\System32\aYnqCqA.exe
  2⤵
  PID:12024
- C:\Windows\System32\stFBTxn.exe
  C:\Windows\System32\stFBTxn.exe
  2⤵
  PID:12052
- C:\Windows\System32\MYhZmsf.exe
  C:\Windows\System32\MYhZmsf.exe
  2⤵
  PID:12072
- C:\Windows\System32\SsuOmtN.exe
  C:\Windows\System32\SsuOmtN.exe
  2⤵
  PID:12092
- C:\Windows\System32\UFAbLDK.exe
  C:\Windows\System32\UFAbLDK.exe
  2⤵
  PID:12116
- C:\Windows\System32\OYAgoBM.exe
  C:\Windows\System32\OYAgoBM.exe
  2⤵
  PID:12140
- C:\Windows\System32\chQgVTw.exe
  C:\Windows\System32\chQgVTw.exe
  2⤵
  PID:12160
- C:\Windows\System32\XRUgGmo.exe
  C:\Windows\System32\XRUgGmo.exe
  2⤵
  PID:12188
- C:\Windows\System32\WgVswhI.exe
  C:\Windows\System32\WgVswhI.exe
  2⤵
  PID:12224
- C:\Windows\System32\YBsBvAA.exe
  C:\Windows\System32\YBsBvAA.exe
  2⤵
  PID:12280
- C:\Windows\System32\ARDRpnH.exe
  C:\Windows\System32\ARDRpnH.exe
  2⤵
  PID:11296
- C:\Windows\System32\uBPDOLw.exe
  C:\Windows\System32\uBPDOLw.exe
  2⤵
  PID:11412
- C:\Windows\System32\TWcYPqM.exe
  C:\Windows\System32\TWcYPqM.exe
  2⤵
  PID:11440
- C:\Windows\System32\dYNTZks.exe
  C:\Windows\System32\dYNTZks.exe
  2⤵
  PID:11504
- C:\Windows\System32\uORPSRi.exe
  C:\Windows\System32\uORPSRi.exe
  2⤵
  PID:11560
- C:\Windows\System32\eVLQPCd.exe
  C:\Windows\System32\eVLQPCd.exe
  2⤵
  PID:11652
- C:\Windows\System32\JBXGuPW.exe
  C:\Windows\System32\JBXGuPW.exe
  2⤵
  PID:11752
- C:\Windows\System32\TPkPkYH.exe
  C:\Windows\System32\TPkPkYH.exe
  2⤵
  PID:11796
- C:\Windows\System32\mCwZZkE.exe
  C:\Windows\System32\mCwZZkE.exe
  2⤵
  PID:11860
- C:\Windows\System32\NoIwlnW.exe
  C:\Windows\System32\NoIwlnW.exe
  2⤵
  PID:11896
- C:\Windows\System32\JdsMUNr.exe
  C:\Windows\System32\JdsMUNr.exe
  2⤵
  PID:11940
- C:\Windows\System32\ddUsmgP.exe
  C:\Windows\System32\ddUsmgP.exe
  2⤵
  PID:11984
- C:\Windows\System32\VbnrzJT.exe
  C:\Windows\System32\VbnrzJT.exe
  2⤵
  PID:12108
- C:\Windows\System32\nmsLsLp.exe
  C:\Windows\System32\nmsLsLp.exe
  2⤵
  PID:12156
- C:\Windows\System32\srCswjR.exe
  C:\Windows\System32\srCswjR.exe
  2⤵
  PID:12212
- C:\Windows\System32\DpxQjlQ.exe
  C:\Windows\System32\DpxQjlQ.exe
  2⤵
  PID:12260
- C:\Windows\System32\ulfUVrG.exe
  C:\Windows\System32\ulfUVrG.exe
  2⤵
  PID:11476
- C:\Windows\System32\gnsOosM.exe
  C:\Windows\System32\gnsOosM.exe
  2⤵
  PID:11596
- C:\Windows\System32\chvTpXv.exe
  C:\Windows\System32\chvTpXv.exe
  2⤵
  PID:11772
- C:\Windows\System32\IQWBhMZ.exe
  C:\Windows\System32\IQWBhMZ.exe
  2⤵
  PID:10808
- C:\Windows\System32\SKbicVa.exe
  C:\Windows\System32\SKbicVa.exe
  2⤵
  PID:12012
- C:\Windows\System32\UdbPELP.exe
  C:\Windows\System32\UdbPELP.exe
  2⤵
  PID:2556
- C:\Windows\System32\JPYSACT.exe
  C:\Windows\System32\JPYSACT.exe
  2⤵
  PID:3500
- C:\Windows\System32\Lmbfxam.exe
  C:\Windows\System32\Lmbfxam.exe
  2⤵
  PID:11340
- C:\Windows\System32\BYnrTlx.exe
  C:\Windows\System32\BYnrTlx.exe
  2⤵
  PID:11824
- C:\Windows\System32\hMRdvkA.exe
  C:\Windows\System32\hMRdvkA.exe
  2⤵
  PID:12128
- C:\Windows\System32\RpfoVBa.exe
  C:\Windows\System32\RpfoVBa.exe
  2⤵
  PID:12236
- C:\Windows\System32\nvCdEcY.exe
  C:\Windows\System32\nvCdEcY.exe
  2⤵
  PID:11884
- C:\Windows\System32\PLSMFfl.exe
  C:\Windows\System32\PLSMFfl.exe
  2⤵
  PID:11904
- C:\Windows\System32\LdKLCbk.exe
  C:\Windows\System32\LdKLCbk.exe
  2⤵
  PID:12304
- C:\Windows\System32\gVHfEFM.exe
  C:\Windows\System32\gVHfEFM.exe
  2⤵
  PID:12320
- C:\Windows\System32\hioudGT.exe
  C:\Windows\System32\hioudGT.exe
  2⤵
  PID:12344
- C:\Windows\System32\zVjfYDY.exe
  C:\Windows\System32\zVjfYDY.exe
  2⤵
  PID:12384
- C:\Windows\System32\LYRtXUZ.exe
  C:\Windows\System32\LYRtXUZ.exe
  2⤵
  PID:12416
- C:\Windows\System32\RaMjTdQ.exe
  C:\Windows\System32\RaMjTdQ.exe
  2⤵
  PID:12448
- C:\Windows\System32\aaxnsEi.exe
  C:\Windows\System32\aaxnsEi.exe
  2⤵
  PID:12476
- C:\Windows\System32\chFCVSS.exe
  C:\Windows\System32\chFCVSS.exe
  2⤵
  PID:12492
- C:\Windows\System32\CJLfkbt.exe
  C:\Windows\System32\CJLfkbt.exe
  2⤵
  PID:12508
- C:\Windows\System32\cyKVJqs.exe
  C:\Windows\System32\cyKVJqs.exe
  2⤵
  PID:12532
- C:\Windows\System32\tbuuDhe.exe
  C:\Windows\System32\tbuuDhe.exe
  2⤵
  PID:12580
- C:\Windows\System32\rortsAh.exe
  C:\Windows\System32\rortsAh.exe
  2⤵
  PID:12612
- C:\Windows\System32\TcZrnub.exe
  C:\Windows\System32\TcZrnub.exe
  2⤵
  PID:12632
- C:\Windows\System32\hhbEaxP.exe
  C:\Windows\System32\hhbEaxP.exe
  2⤵
  PID:12656
- C:\Windows\System32\AvDwpSf.exe
  C:\Windows\System32\AvDwpSf.exe
  2⤵
  PID:12684
- C:\Windows\System32\wZyAuqM.exe
  C:\Windows\System32\wZyAuqM.exe
  2⤵
  PID:12720
- C:\Windows\System32\ssIBveL.exe
  C:\Windows\System32\ssIBveL.exe
  2⤵
  PID:12736
- C:\Windows\System32\AHNawHf.exe
  C:\Windows\System32\AHNawHf.exe
  2⤵
  PID:12756
- C:\Windows\System32\WizCYwK.exe
  C:\Windows\System32\WizCYwK.exe
  2⤵
  PID:12776
- C:\Windows\System32\ITMsIiI.exe
  C:\Windows\System32\ITMsIiI.exe
  2⤵
  PID:12800
- C:\Windows\System32\hxJOgpE.exe
  C:\Windows\System32\hxJOgpE.exe
  2⤵
  PID:12840
- C:\Windows\System32\awQUvSb.exe
  C:\Windows\System32\awQUvSb.exe
  2⤵
  PID:12888
- C:\Windows\System32\nfXHECc.exe
  C:\Windows\System32\nfXHECc.exe
  2⤵
  PID:12908
- C:\Windows\System32\cTAJbiw.exe
  C:\Windows\System32\cTAJbiw.exe
  2⤵
  PID:12928
- C:\Windows\System32\FjYGQnJ.exe
  C:\Windows\System32\FjYGQnJ.exe
  2⤵
  PID:12952
- C:\Windows\System32\WdjPUzW.exe
  C:\Windows\System32\WdjPUzW.exe
  2⤵
  PID:12980
- C:\Windows\System32\xNmrLEL.exe
  C:\Windows\System32\xNmrLEL.exe
  2⤵
  PID:13024
- C:\Windows\System32\WBdasVd.exe
  C:\Windows\System32\WBdasVd.exe
  2⤵
  PID:13044
- C:\Windows\System32\Befekrd.exe
  C:\Windows\System32\Befekrd.exe
  2⤵
  PID:13064
- C:\Windows\System32\Vwslflt.exe
  C:\Windows\System32\Vwslflt.exe
  2⤵
  PID:13116
- C:\Windows\System32\RZKdxsP.exe
  C:\Windows\System32\RZKdxsP.exe
  2⤵
  PID:13140
- C:\Windows\System32\faqcXec.exe
  C:\Windows\System32\faqcXec.exe
  2⤵
  PID:13172
- C:\Windows\System32\YefHrPH.exe
  C:\Windows\System32\YefHrPH.exe
  2⤵
  PID:13196
- C:\Windows\System32\aLStktn.exe
  C:\Windows\System32\aLStktn.exe
  2⤵
  PID:13224
- C:\Windows\System32\ngxGXKo.exe
  C:\Windows\System32\ngxGXKo.exe
  2⤵
  PID:13272
- C:\Windows\System32\onqOwHQ.exe
  C:\Windows\System32\onqOwHQ.exe
  2⤵
  PID:13304
- C:\Windows\System32\PovDlgs.exe
  C:\Windows\System32\PovDlgs.exe
  2⤵
  PID:12316
- C:\Windows\System32\KoBpuYs.exe
  C:\Windows\System32\KoBpuYs.exe
  2⤵
  PID:12336
- C:\Windows\System32\fLozQRn.exe
  C:\Windows\System32\fLozQRn.exe
  2⤵
  PID:12400
- C:\Windows\System32\QBsKrkX.exe
  C:\Windows\System32\QBsKrkX.exe
  2⤵
  PID:12464
- C:\Windows\System32\mZoZCWf.exe
  C:\Windows\System32\mZoZCWf.exe
  2⤵
  PID:12568
- C:\Windows\System32\SwyKhZH.exe
  C:\Windows\System32\SwyKhZH.exe
  2⤵
  PID:12624
- C:\Windows\System32\EfqxsFM.exe
  C:\Windows\System32\EfqxsFM.exe
  2⤵
  PID:12672
- C:\Windows\System32\FxBUsuZ.exe
  C:\Windows\System32\FxBUsuZ.exe
  2⤵
  PID:12668
- C:\Windows\System32\PXSqHss.exe
  C:\Windows\System32\PXSqHss.exe
  2⤵
  PID:12768
- C:\Windows\System32\WbVxfEL.exe
  C:\Windows\System32\WbVxfEL.exe
  2⤵
  PID:12852
- C:\Windows\System32\xpCkIst.exe
  C:\Windows\System32\xpCkIst.exe
  2⤵
  PID:12896
- C:\Windows\System32\jlpVwkT.exe
  C:\Windows\System32\jlpVwkT.exe
  2⤵
  PID:12944
- C:\Windows\System32\gDoeSeu.exe
  C:\Windows\System32\gDoeSeu.exe
  2⤵
  PID:13036
- C:\Windows\System32\gzQBAip.exe
  C:\Windows\System32\gzQBAip.exe
  2⤵
  PID:13032

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:2100
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:12700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13648

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13784

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13356

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:14324

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:7856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:10220

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:8852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:12880

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:8216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:9816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2600

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3020

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6620

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5484

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11272

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7932

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4112

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12304

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5708

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3592

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3MKUANJA\microsoft.windows[1].xml

Filesize
97B

MD5
6a517bf11dbd236d703ed9898dd3f910

SHA1
f8d64563b0eaba616dc29496c51f795ede02d767

SHA256
d7b7aa87d942a062dd03f78ade8fab7d8efcba60b8c44c52326eea574eeb182b

SHA512
04f15407222285b97dfff27db7320a590d20c7982d13e2eabc68d3b99fce2863951de8321780e7e70d0d187297c6ee6202014dc0ac6d30a7010bff59be769058

Download Submit
C:\Windows\System32\AshrQjF.exe

Filesize
1.9MB

MD5
9e634ce2f663fc2b7a02f489fa2830c8

SHA1
d9d3a6e21f4fcfaeb4196f5e48e6ba2ed24510c9

SHA256
932d04d7619dfc8a49283402c9c72caec3bf63df0ac7698452a6dedc0e0d4901

SHA512
5c99f444fc3900f4c8d4cd74233cbbec2d61fc463b324ea14bcfdc4f65c4d23c94cc4f9b9f16fe170d856681327822f0999febe5a9a10415320f8ddf53879bef

Download Submit
C:\Windows\System32\DmqgMXw.exe

Filesize
1.9MB

MD5
a9d825f2dc4be091563f3e758d622205

SHA1
a0d0f16bf617cea56650fc7d6c881ea02e0dc415

SHA256
4b549df66a2291c6c1c2a32c86bc360f7f4fed3e8c343f3285ab2f556aa92420

SHA512
da450c266974b564b63fe822692484498753c2f274b3dc3edae615518e29044df33e87ac088ac75999cc17f7ebbe24674d087f95f61683eee1fdffa66bcb199b

Download Submit
C:\Windows\System32\EVCidBs.exe

Filesize
1.9MB

MD5
55393b91cfe214f266a4666e20cef79a

SHA1
689e765c91eb55f776043b1f1af8d0e61d25423c

SHA256
675fcee524bec1867e19e4151f4ff08942a075581abe5f47b5d4df4c9560b7ec

SHA512
70b05e257bcda0c678117464e47216f933f08ec659331339f801389d1635cd9a00ab87d5791bf9902a141727ff4376c980c9092d0716e822ad3f82738298211e

Download Submit
C:\Windows\System32\IdJYjTT.exe

Filesize
1.9MB

MD5
da4e8e3697706f69b5640cffe86946c6

SHA1
cd279ddeaf045de738ce3386605dc5f15642aecb

SHA256
d2dab6bbfb43444f1ac7ec736f9610e83c43c50e7964bc7ee0a7d75e300485c4

SHA512
721958cd97c51b794301dd3f3baf39a9b6df1ee4b10ab46410a4a8567c5e22e8a5f06c118dd5d2c2357f03c06653d090a78a50f0eabab0bc9ed0334981689eda

Download Submit
C:\Windows\System32\IqDnxKb.exe

Filesize
1.9MB

MD5
6738bbc3e453605780f24fc4534b9a85

SHA1
1c915841de6964b75732228c3f1894541c055f1a

SHA256
1f187ad81f9071ac88106cd6c78ae5d9f85e92adb765aac48ac6c24a147456b7

SHA512
5295228a4bf0beb6fe1d8bb3f1f111d9d93696e1b4fe5939f8c026c4bc1bad1c388f2c4829fe1af0dbdf357ff8b922237db1b1b2b34aa3f0c589680a23ab4dc5

Download Submit
C:\Windows\System32\JZNyXGa.exe

Filesize
1.9MB

MD5
4e280306c1309f4d72f058239824a9ed

SHA1
df8aeaf2997b8ee44a31099ca4d4284a9863a63c

SHA256
24b10b7b07899b694b7832006ba2daacdd064a4f8e70337acf6c382dd0d7be45

SHA512
4d18cae57a8db0e8a6eaefd5cc8a377545e3da10d3093ed1870eb96dd795d2d57501bc6626e7f5751ea8ae14fb5a55f69dbdb26c76d8c88a7481afbcb02e0927

Download Submit
C:\Windows\System32\LRgZYZA.exe

Filesize
1.9MB

MD5
86ad58b1c365ff504c931e04a9ed5c37

SHA1
d13aaf8e1a5e2ba3084ff23f6e897de5496d66c7

SHA256
25c8c2a0147c7f26f80e6892dcebb9226eeb990956340d75dc3fa42261808bc9

SHA512
a63743e62bd05f0ed9b11632854a5ec6f6c4c0134df99d0ee6cbacf1a3c98e851b9a67719ee0177904839db53a313a2bcd4bc62654bd5a7ba04826547f489181

Download Submit
C:\Windows\System32\MEdMXWT.exe

Filesize
1.9MB

MD5
b33306f903fe8dba5677248994292b67

SHA1
a4228fc2f14a2b7b4be3de056b6c77e76cf1c793

SHA256
3a77ce1de239109fe4bbe764082f20e79152291f631b9710e4ea185f34a3ab2b

SHA512
2059543e0ed4968051da082509e9914c776d6b317833f5a36d1057f76f273cb68649fd79074faf1ad61a3fc972ec4bbe9a6285691d9cc1c7709f9def080e7ca8

Download Submit
C:\Windows\System32\OalgORR.exe

Filesize
1.9MB

MD5
fcab859b9ea197e48ba9c2f1b2eefbc2

SHA1
bc0c3aee7d6726f96d4b4eb7a4d6b2868800aee9

SHA256
b261e567b5a05f07875706fe95d6246869d8ea91bbf55b684c78119bdb4334b9

SHA512
645717a077298e85082f92299f7b46b0ae6a2d3fe79aa0449da73557b06ba7709c168ed0e7bf2abdaf9eedb92cb7111f238706cad77d125bd8cb33603cb7b29a

Download Submit
C:\Windows\System32\PoOQJRC.exe

Filesize
1.9MB

MD5
7822838048843e190519dae90cc2e6c5

SHA1
13c8bf980036a1b11f24652c93f2653cd599257c

SHA256
046e08a1d5024c7249819e062f41976f056d997c6561ea873d48725870f07682

SHA512
14f903864eb35055217c7d64950115dc6d46b11eb45a475e0b023f291c90c41ccca1ebec5a5dfb593f75acf89572f9eceecd3cb70f4a74f6ca5111cb9392fb5b

Download Submit
C:\Windows\System32\SSsABUS.exe

Filesize
1.9MB

MD5
a737749ecdb502be4b633bcdea2fd7dc

SHA1
3747e4d626620bd1aed03993582ab6ef7677eb84

SHA256
e5fc71cf03e043f1564f166f2581f35c11cfc0e9f3df16fb775572a706d99282

SHA512
26e5d62830354218064033c55a8bad8be028d0915a99cf4c53cdcaa9413fdbfbfefb1472d904d82ec483dfee9f82144c43cbb1de9a9ffd3edc7588e5942cfc3f

Download Submit
C:\Windows\System32\THnZGPJ.exe

Filesize
1.9MB

MD5
31007b8087ba003fff5248e461418407

SHA1
685276bb3e13de7aebe683285615bc41f3d47cc9

SHA256
14a82a59f40240d1ef5bafb081a8f64cee915a8f4d8a7f69f602246c041eeb3c

SHA512
af40eee71178bb8ae6aefd05709f6b66a6e340398a84f315afbf2de199c888635a978fd71cd4311f23d198f1517271cbb56f8784d70843f4a4a7b412fb511438

Download Submit
C:\Windows\System32\TqMZPxO.exe

Filesize
1.9MB

MD5
254b829690cb8a553ea7431c36564bd1

SHA1
2e99aa44b6d9e05a3681199f69990d0de920d898

SHA256
8a541402becdf2f34fecdf89cf17c7141b326d07b7591da10126a2e4ddf75a51

SHA512
c7b015ca65ee3d31670d6af12acaf13627cd4fc8529d6716587fd694442d157c966d26ec09b7502a9d31f30434bb27b0cbc9988a25a23edcc6d190b62206760f

Download Submit
C:\Windows\System32\YPgeNzv.exe

Filesize
1.9MB

MD5
94d5ba76b2e1e9e91c0c9e8dcdd34616

SHA1
abe3e50951f9ed385f6dfcbb22a6f4ce1ef7e5cd

SHA256
22b511a5ba2ae023ce1eb8087d7895ece7886af4c656f8620b50118e69a4a701

SHA512
dccc6a3118ada38abe8ad0c92bd27f16a2e9c69be14f7a4c54122aa8068fbcd89ad4227b03009b5fd4bac58c1aed7aa4fbc21cb91a079920dae3bc49b8b17ad9

Download Submit
C:\Windows\System32\ZFbqWPU.exe

Filesize
1.9MB

MD5
f0ed359ec350802939d93f40e274ac3a

SHA1
47b563d2f4dc628feda2b8ea29bb6ccf3a1312c8

SHA256
1298cdfb02bc29c638df5fc801091e5c650ac66fc02b4bb09b0b49a2aa5ecc43

SHA512
dd86ea674e7f8634bd55707255b24e9d7ded15105f952d26959d2c1ee9bda3610bb959700436c6c9c3bee495218c119126a3c443d20904f32eff879a4a404628

Download Submit
C:\Windows\System32\ZUjLYZg.exe

Filesize
1.9MB

MD5
4cb21a072b2ca28312bd2d3425167b70

SHA1
c6ca5fcbe03f376676e07cf6f9cf7938f28b5548

SHA256
1cdca0a6c9faae48f49a2644cf5a87c92c467049c3925de2330a97d19fd58e66

SHA512
c1229e107f5d608351e3d965211700bd361ef6f3bad8f0f07e4822a191ff2c9de9564af9358044d0c65fde48eec68f7f26c321f5e5b29979fb0c1d58fef6e8af

Download Submit
C:\Windows\System32\ZYMQaEu.exe

Filesize
1.9MB

MD5
bae7a4673666398be1ac9cfcdf371758

SHA1
8fcd31d04a9553b2479eda144b341a874455b013

SHA256
d349ec048db14f5cbb5ee09050a83afea07c2bf46eb45a875e22d69c0ed7a6f8

SHA512
a8e77145b3448962017f5413d83ae11fb89aecd30304df09cd2e1f6794f2321e3aa213e16bb514114f9f96ceedb8d88d5e47f5e3eb9fa9ae7c8fc36c71ed2911

Download Submit
C:\Windows\System32\aHuFxgl.exe

Filesize
1.9MB

MD5
082d30703e38af19fcd7495a809cfffe

SHA1
ed1158d362b152c2c34d9a7db018f49feaf19123

SHA256
44af1d45cc752b69d4e5dbd072a61b173bc1a2b666c2833cf0871c634908983d

SHA512
106ba7dfd14f0051d5108143684c49011f98dd732ebc8d872b1849174f008682eb317102f09cb169dd0ffa89d1a7a8f6e7b8e79ed6175d6ea7d7e9d3560f5fc7

Download Submit
C:\Windows\System32\cBGQygZ.exe

Filesize
1.9MB

MD5
31f253753882b5472580d9b7fc96a36c

SHA1
707f0ab0bb2d5ee4b74000dc0148a8376d2ec4f7

SHA256
6dbf88bc84f96538c9a54de477fe56eb561da2074c754aafb8654ec12311d232

SHA512
6d6bc6765f5f80f0961b9c7e64bcd532000dec8a53224f7333bdbf5c1b88dcdf8e19db1f21ce2928071e9b4407ef2758df09ad7af4de65add0d4c6e129417d21

Download Submit
C:\Windows\System32\cqVSvqj.exe

Filesize
1.9MB

MD5
ab6e0faae3a61554fe6b7320c0e82fe0

SHA1
0de5603c13994ecf8964ac1dd3ac83b14c534a69

SHA256
ddd654ed0969e0e5d083234bff41d7f653d3f4ddcb98f69f099501b6167c4151

SHA512
3cf71dc82f6fe0527e1ec1fad2b603144e172f37e69eb54b522f9707b27b474a62ed408d4cc06614a5bc76ff1205c314990c0313f4ebd4700842cae0a3272f1d

Download Submit
C:\Windows\System32\ekOjzZp.exe

Filesize
1.9MB

MD5
f5a282b5505d55acfa830ebede03e16d

SHA1
7a40e8ec5cd1ef02f2c059b580df195762907f35

SHA256
17d3d63da5b3ea4e87b991afec83522031cbbd5e0f4c3f64d814206985d89f49

SHA512
296c1dee722dcc51423a448b4f2dfa4b828858314905d45414b967e9e431ed54d9c04bd868037525a182e7a9ada5743b4347af788ea2a5d6de4ee682df40fa9e

Download Submit
C:\Windows\System32\etihECK.exe

Filesize
1.9MB

MD5
da38c1af7936a2eb700cba33a70d8197

SHA1
54e41833fa5c05ee7ca105db4edfa2d02222e9ee

SHA256
de2ccc3932e2f4d199a430c9d20b084dd87a24bb3e82292b44637434391e9bb7

SHA512
e32378d41f2e488c2b4acacdea2b67d094f1c1ba69d94a1ad76eca3d9372fd1eb5f8166f03fc81ff91d343e7a97352604ce934c0aafc5f0d823c633028b52a35

Download Submit
C:\Windows\System32\fjzGefd.exe

Filesize
1.9MB

MD5
1d49d5be87455827eed77f758d6ce1b7

SHA1
d91524f95fc29a7b55164b2a794e3504bf2dc90c

SHA256
cc3691e70904b7ab65f40cc9677e2776fbf1e4e4678929d977760e0894dc40a2

SHA512
8f3a7108ef20357b8aeb5d0a083e0db9af8605c7bf4235803cf154d45a6f5d133693d8f294492a1c24895d279e0db6906fa03a028b6fdd38d9450b0c84e46f00

Download Submit
C:\Windows\System32\jhPbBsC.exe

Filesize
1.9MB

MD5
30e9c619adf46ccde453f9c5060d915e

SHA1
890fbac1edd4bee3e672fedacb73db9105cc3f3e

SHA256
f12ee3d77fa95065d4715db5ff27df1944dc4555e509bcea9c2a32eda01835f4

SHA512
da14c55d466ca8f5ee6413fde8f2974712916adf63286325c7954e9be3b6a83f7b6a58c0f72f1b310a563c31dad5b8b04e7db776ba1a926c08d44948457f08df

Download Submit
C:\Windows\System32\lriHial.exe

Filesize
1.9MB

MD5
298b9f9ce205c0b5200fb4090a4d3c97

SHA1
26a5bb5926a0d27834a82b294df1aa0a1aa9b38a

SHA256
f3183170cb4347971348eaed6a1c51eb6a12db23c25798ebae7086fd265118f9

SHA512
7134823238dbd606ec3f244ed47a76da5813718912c6901cd0dc873117c68a3a701e9407258835668f4254836053f551c663b9399c2fff9ebb0c61340784d41d

Download Submit
C:\Windows\System32\qIrnTTz.exe

Filesize
1.9MB

MD5
2f7a1bec1ffe8dc5a7045cfbf602a60e

SHA1
911cc18c974cacab8835a348603fa259521cd1a0

SHA256
14ea8841ffa6d5e3921dbc5ab3679d18ed2e72e9059581c7fd34457aa51a9d3a

SHA512
f11e10b9e4974ce17fb71df3618035bf7b217c59b2364b20a846f74ee6d76042a661c67bd7b26df81bd56e6bf60e51e7aea35ab97cb91fd7488e7247dff976d8

Download Submit
C:\Windows\System32\rwFaZzM.exe

Filesize
1.9MB

MD5
8ccaed1fe906a5f85420a5bb63a938a0

SHA1
190c51d845db8856731b1947c92a4ca3575d8177

SHA256
c59d95c24816593f5589e30540e1003a71349f17d8b07da28dcb28dde6e7870d

SHA512
d6b154531654091b2194c8aa71d6cb830ec8329d3dc60e515e96be86d07348461756e4f79e59c3fd3bf53e32a9622de93651a5168200c9b03412c2d9c59d5972

Download Submit
C:\Windows\System32\txpzTcb.exe

Filesize
1.9MB

MD5
a44ed5234a0a4ead0ff81da1f51b2745

SHA1
e803dd72910b70497f794cfafe972c5e52806f95

SHA256
e41ac86447bf3197f05e31ff059063954e5e6bafe4709bd3625638e092b29033

SHA512
489b9e81c89d70e9482758a784a830212fdd06f07aab135dcaa9c8d1fa4c27024c4a12a88ec674fb32a32bc92301dbf7da9fd2e6faabb778f32678f6674e5b8f

Download Submit
C:\Windows\System32\xMpGakI.exe

Filesize
1.9MB

MD5
0bd6a18f319899f6c5d31eb4c4b9f4f0

SHA1
d848e5a646423a0f52e58880c1ccf588e8933ae7

SHA256
1bbd765f013b62d8d2cfe497cfbe4e4ce759c84299c19d65e5e8ea1acaf90bf5

SHA512
be196ea81bd3e4ca353ae94967a77799a629428f60d60aefaa04d9288a1502e92c9593b766952f624b0ee15d15c4afe871d38ddf32fe1e33dfc2d68752c73f97

Download Submit
C:\Windows\System32\yGYbECp.exe

Filesize
1.9MB

MD5
a9cbed96861388eda4c4a82c2067544c

SHA1
471b7ba527406808e64fbb4c947eada5e0ba5099

SHA256
12be4686764ac9f04b9e694b9e72aaa4e61e9baf6f8c5cfdb48ef0a14c33413a

SHA512
10397a39f095735a05e4fb2f834345f8b8b82bc8721d64747065920c6c1c45385e2668c7f85051c586fa33d76f695a51954484f67cec50345646413e28b813cd

Download Submit
C:\Windows\System32\zHXGIkn.exe

Filesize
1.9MB

MD5
3c4785fa728e89d88133ec8962899140

SHA1
5541b86c3a70f5321fec0d8501cf44085b429842

SHA256
49265b39b71edf2f0795a005c012a9c1ddc4fdd202c57246f612817e3d56d61a

SHA512
0b5058b102df0a65014dbe5319aeea5fa5eca5afcad2552de2c8b7926d647c637b03135fe1097bd23bec7b4520f7b9d124047b6ef0bf2307ea9229cf87076e71

Download Submit
C:\Windows\System32\ziiQpke.exe

Filesize
1.9MB

MD5
edd4fb75373793cb137c8a56604e2a55

SHA1
e6352f6196438e39763c591d1f9ac2467a909e90

SHA256
dd2fcb0bc82ae1c16dd1aa1b35e53f46940fc0541caa47c553569da24d887083

SHA512
269fe04cd745e4ab9382cd4903927be23b8c24445cabe3add7dc6f3dbfaec1549d6aafe184a58dd3368bb76070715492c0d6beed2b106fa0274af430dc730126

Download Submit
C:\Windows\System32\zydmcaC.exe

Filesize
1.9MB

MD5
df73f9fe672ec5d5319619b0b2e32b22

SHA1
1bf61a16227a87093795958d6d2ae4b6c9a505ed

SHA256
4ee6afc75e10a0d51af2d984bb4dbdeec6caf5c7f1cfac8a9e76af58f50ac41a

SHA512
78e0237e32de88ebf685b939ed26327ee5ca62f1c91c64491c96916f2264c17c95c8325f74b8aa158f10e65f5b2117002cad6a9de0fb4c6351d408440c675f26

Download Submit
memory/528-30-0x00007FF743120000-0x00007FF743511000-memory.dmp

Filesize
3.9MB

Download
memory/528-2220-0x00007FF743120000-0x00007FF743511000-memory.dmp

Filesize
3.9MB

Download
memory/760-2234-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp

Filesize
3.9MB

Download
memory/760-314-0x00007FF6DDD10000-0x00007FF6DE101000-memory.dmp

Filesize
3.9MB

Download
memory/840-2255-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp

Filesize
3.9MB

Download
memory/840-345-0x00007FF6E4340000-0x00007FF6E4731000-memory.dmp

Filesize
3.9MB

Download
memory/1120-2251-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp

Filesize
3.9MB

Download
memory/1120-336-0x00007FF63E4F0000-0x00007FF63E8E1000-memory.dmp

Filesize
3.9MB

Download
memory/1152-2227-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp

Filesize
3.9MB

Download
memory/1152-307-0x00007FF6A4330000-0x00007FF6A4721000-memory.dmp

Filesize
3.9MB

Download
memory/1560-324-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp

Filesize
3.9MB

Download
memory/1560-2247-0x00007FF7DCD50000-0x00007FF7DD141000-memory.dmp

Filesize
3.9MB

Download
memory/1740-2224-0x00007FF766730000-0x00007FF766B21000-memory.dmp

Filesize
3.9MB

Download
memory/1740-46-0x00007FF766730000-0x00007FF766B21000-memory.dmp

Filesize
3.9MB

Download
memory/1916-2191-0x00007FF75F490000-0x00007FF75F881000-memory.dmp

Filesize
3.9MB

Download
memory/1916-12-0x00007FF75F490000-0x00007FF75F881000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1-0x0000021CD3830000-0x0000021CD3840000-memory.dmp

Filesize
64KB

Download
memory/1952-0-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1975-0x00007FF72DE80000-0x00007FF72E271000-memory.dmp

Filesize
3.9MB

Download
memory/2176-2267-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp

Filesize
3.9MB

Download
memory/2176-347-0x00007FF6D2000000-0x00007FF6D23F1000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2016-0x00007FF648890000-0x00007FF648C81000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2232-0x00007FF648890000-0x00007FF648C81000-memory.dmp

Filesize
3.9MB

Download
memory/2576-48-0x00007FF648890000-0x00007FF648C81000-memory.dmp

Filesize
3.9MB

Download
memory/2600-1986-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp

Filesize
3.9MB

Download
memory/2600-2222-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp

Filesize
3.9MB

Download
memory/2600-32-0x00007FF79BFF0000-0x00007FF79C3E1000-memory.dmp

Filesize
3.9MB

Download
memory/2756-2243-0x00007FF602640000-0x00007FF602A31000-memory.dmp

Filesize
3.9MB

Download
memory/2756-330-0x00007FF602640000-0x00007FF602A31000-memory.dmp

Filesize
3.9MB

Download
memory/2884-350-0x00007FF778F20000-0x00007FF779311000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2261-0x00007FF778F20000-0x00007FF779311000-memory.dmp

Filesize
3.9MB

Download
memory/2936-2216-0x00007FF66FF60000-0x00007FF670351000-memory.dmp

Filesize
3.9MB

Download
memory/2936-26-0x00007FF66FF60000-0x00007FF670351000-memory.dmp

Filesize
3.9MB

Download
memory/2968-2263-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp

Filesize
3.9MB

Download
memory/2968-349-0x00007FF78A790000-0x00007FF78AB81000-memory.dmp

Filesize
3.9MB

Download
memory/3080-2253-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp

Filesize
3.9MB

Download
memory/3080-339-0x00007FF66CD20000-0x00007FF66D111000-memory.dmp

Filesize
3.9MB

Download
memory/3656-2229-0x00007FF683910000-0x00007FF683D01000-memory.dmp

Filesize
3.9MB

Download
memory/3656-353-0x00007FF683910000-0x00007FF683D01000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2017-0x00007FF726740000-0x00007FF726B31000-memory.dmp

Filesize
3.9MB

Download
memory/3664-49-0x00007FF726740000-0x00007FF726B31000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2231-0x00007FF726740000-0x00007FF726B31000-memory.dmp

Filesize
3.9MB

Download
memory/3832-2259-0x00007FF72C580000-0x00007FF72C971000-memory.dmp

Filesize
3.9MB

Download
memory/3832-351-0x00007FF72C580000-0x00007FF72C971000-memory.dmp

Filesize
3.9MB

Download
memory/4020-2249-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp

Filesize
3.9MB

Download
memory/4020-334-0x00007FF702DB0000-0x00007FF7031A1000-memory.dmp

Filesize
3.9MB

Download
memory/4680-2246-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp

Filesize
3.9MB

Download
memory/4680-333-0x00007FF72DAF0000-0x00007FF72DEE1000-memory.dmp

Filesize
3.9MB

Download
memory/4780-352-0x00007FF649920000-0x00007FF649D11000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2269-0x00007FF649920000-0x00007FF649D11000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2018-0x00007FF627340000-0x00007FF627731000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2241-0x00007FF627340000-0x00007FF627731000-memory.dmp

Filesize
3.9MB

Download
memory/4788-299-0x00007FF627340000-0x00007FF627731000-memory.dmp

Filesize
3.9MB

Download
memory/4924-41-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp

Filesize
3.9MB

Download
memory/4924-1987-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2219-0x00007FF67DF20000-0x00007FF67E311000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads