xmrig | 54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b

Analysis

max time kernel
50s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
Size

1.3MB
MD5

e3fcd25f23c259360572c8bdf6a35cf2
SHA1

2458778b9b8ba9850c2833959b0ab9ff917f2c81
SHA256

54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b
SHA512

528f6ae4445acb6cb588831d2484cc10b6b1d7e91485daa8eb4ddbc7c88a2d44f62797cfcbd79608b17415515e741e632b83d49164d353908ed17aea2d9ed01b
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcqDWzgqsmJox1fLt8K2932p9VZVBr5T:knw9oUUEEDl37jcqDrUS1nHn

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 52 IoCs

miner

resource	yara_rule
behavioral2/memory/2480-46-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp	xmrig
behavioral2/memory/1376-329-0x00007FF6E6D30000-0x00007FF6E7121000-memory.dmp	xmrig
behavioral2/memory/3024-355-0x00007FF70B120000-0x00007FF70B511000-memory.dmp	xmrig
behavioral2/memory/208-360-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	xmrig
behavioral2/memory/116-368-0x00007FF640BE0000-0x00007FF640FD1000-memory.dmp	xmrig
behavioral2/memory/5028-387-0x00007FF756480000-0x00007FF756871000-memory.dmp	xmrig
behavioral2/memory/4048-400-0x00007FF6691D0000-0x00007FF6695C1000-memory.dmp	xmrig
behavioral2/memory/4388-424-0x00007FF79E950000-0x00007FF79ED41000-memory.dmp	xmrig
behavioral2/memory/2624-430-0x00007FF691CB0000-0x00007FF6920A1000-memory.dmp	xmrig
behavioral2/memory/2912-451-0x00007FF6397B0000-0x00007FF639BA1000-memory.dmp	xmrig
behavioral2/memory/3528-471-0x00007FF68EB80000-0x00007FF68EF71000-memory.dmp	xmrig
behavioral2/memory/2680-475-0x00007FF606F20000-0x00007FF607311000-memory.dmp	xmrig
behavioral2/memory/4328-480-0x00007FF655530000-0x00007FF655921000-memory.dmp	xmrig
behavioral2/memory/1080-467-0x00007FF748780000-0x00007FF748B71000-memory.dmp	xmrig
behavioral2/memory/2188-446-0x00007FF6266B0000-0x00007FF626AA1000-memory.dmp	xmrig
behavioral2/memory/1344-426-0x00007FF699340000-0x00007FF699731000-memory.dmp	xmrig
behavioral2/memory/3860-419-0x00007FF74FE90000-0x00007FF750281000-memory.dmp	xmrig
behavioral2/memory/224-406-0x00007FF748450000-0x00007FF748841000-memory.dmp	xmrig
behavioral2/memory/1748-395-0x00007FF6504C0000-0x00007FF6508B1000-memory.dmp	xmrig
behavioral2/memory/2280-338-0x00007FF621E20000-0x00007FF622211000-memory.dmp	xmrig
behavioral2/memory/2896-328-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp	xmrig
behavioral2/memory/864-23-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp	xmrig
behavioral2/memory/3412-12-0x00007FF701830000-0x00007FF701C21000-memory.dmp	xmrig
behavioral2/memory/1228-2049-0x00007FF60E150000-0x00007FF60E541000-memory.dmp	xmrig
behavioral2/memory/3412-2050-0x00007FF701830000-0x00007FF701C21000-memory.dmp	xmrig
behavioral2/memory/1312-2053-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp	xmrig
behavioral2/memory/2480-2054-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp	xmrig
behavioral2/memory/864-2052-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp	xmrig
behavioral2/memory/1080-2077-0x00007FF748780000-0x00007FF748B71000-memory.dmp	xmrig
behavioral2/memory/2896-2085-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp	xmrig
behavioral2/memory/1376-2093-0x00007FF6E6D30000-0x00007FF6E7121000-memory.dmp	xmrig
behavioral2/memory/4328-2090-0x00007FF655530000-0x00007FF655921000-memory.dmp	xmrig
behavioral2/memory/2680-2087-0x00007FF606F20000-0x00007FF607311000-memory.dmp	xmrig
behavioral2/memory/2280-2196-0x00007FF621E20000-0x00007FF622211000-memory.dmp	xmrig
behavioral2/memory/224-2219-0x00007FF748450000-0x00007FF748841000-memory.dmp	xmrig
behavioral2/memory/3860-2221-0x00007FF74FE90000-0x00007FF750281000-memory.dmp	xmrig
behavioral2/memory/4388-2223-0x00007FF79E950000-0x00007FF79ED41000-memory.dmp	xmrig
behavioral2/memory/1344-2227-0x00007FF699340000-0x00007FF699731000-memory.dmp	xmrig
behavioral2/memory/2624-2229-0x00007FF691CB0000-0x00007FF6920A1000-memory.dmp	xmrig
behavioral2/memory/2912-2233-0x00007FF6397B0000-0x00007FF639BA1000-memory.dmp	xmrig
behavioral2/memory/2188-2231-0x00007FF6266B0000-0x00007FF626AA1000-memory.dmp	xmrig
behavioral2/memory/4048-2217-0x00007FF6691D0000-0x00007FF6695C1000-memory.dmp	xmrig
behavioral2/memory/1748-2215-0x00007FF6504C0000-0x00007FF6508B1000-memory.dmp	xmrig
behavioral2/memory/5028-2213-0x00007FF756480000-0x00007FF756871000-memory.dmp	xmrig
behavioral2/memory/116-2211-0x00007FF640BE0000-0x00007FF640FD1000-memory.dmp	xmrig
behavioral2/memory/208-2209-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	xmrig
behavioral2/memory/3024-2207-0x00007FF70B120000-0x00007FF70B511000-memory.dmp	xmrig
behavioral2/memory/3528-2080-0x00007FF68EB80000-0x00007FF68EF71000-memory.dmp	xmrig
behavioral2/memory/2480-2083-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp	xmrig
behavioral2/memory/1312-2081-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp	xmrig
behavioral2/memory/864-2075-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp	xmrig
behavioral2/memory/3412-2073-0x00007FF701830000-0x00007FF701C21000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
3412	UsjTEKF.exe
864	JbcJNvw.exe
1080	lrmGGnl.exe
1312	HoRMREB.exe
2480	OZykEhH.exe
3528	GdzTqqn.exe
2896	tBElLKz.exe
2680	lfeMWEy.exe
4328	aMePKXo.exe
1376	mUgOech.exe
2280	lteseKV.exe
3024	fPjSZqj.exe
208	pGeNtlm.exe
116	LhMTqGv.exe
5028	qBJwrlB.exe
1748	FuKmzwX.exe
4048	aiswWFu.exe
224	ddSPsLE.exe
3860	fNVtLYE.exe
4388	PvBPmXL.exe
1344	jhxChEc.exe
2624	HrotQWq.exe
2188	tOKWMmE.exe
2912	WUYOjpr.exe
5044	fLopCzt.exe
696	YQxSVXX.exe
548	SGSbNDy.exe
3064	CGOYgrX.exe
4516	MoLysWg.exe
2440	JRjAhdx.exe
4412	BRsRfUs.exe
2316	hoJERgH.exe
4624	PTtADRX.exe
2944	kATJTxn.exe
1744	XfiRqnl.exe
1348	RPuNghs.exe
4880	WdWvOFy.exe
4404	GbnJmcw.exe
4940	KegpsMm.exe
5064	oLGKIke.exe
5012	xvAVUXf.exe
3256	VvXhGru.exe
1972	jEBCQhy.exe
3920	EfgpPgy.exe
1372	sCsfyYz.exe
3932	XFQAXEw.exe
3844	lAqamOG.exe
4536	dzCQLba.exe
4256	JQChkVL.exe
1980	goDjGVe.exe
4448	NwUZrdk.exe
2836	wiGWkNv.exe
540	xMbngWt.exe
4344	QZjjRvi.exe
3476	HtQIBAL.exe
1540	kfDMbRI.exe
3768	ESBvGRh.exe
1408	kJZOnuK.exe
4768	qoujMqN.exe
220	ZDvIELQ.exe
3432	aystMZV.exe
4100	JjBDKsl.exe
1988	sUmDdLs.exe
3660	YrnRTVG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-0-0x00007FF60E150000-0x00007FF60E541000-memory.dmp	upx
behavioral2/files/0x00060000000232d4-6.dat	upx
behavioral2/files/0x0008000000023513-10.dat	upx
behavioral2/files/0x0007000000023517-26.dat	upx
behavioral2/files/0x0007000000023516-25.dat	upx
behavioral2/files/0x0007000000023515-29.dat	upx
behavioral2/memory/1312-35-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp	upx
behavioral2/files/0x0007000000023518-42.dat	upx
behavioral2/files/0x000700000002351b-57.dat	upx
behavioral2/files/0x000700000002351c-56.dat	upx
behavioral2/files/0x000700000002351a-53.dat	upx
behavioral2/memory/2480-46-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp	upx
behavioral2/files/0x0007000000023523-92.dat	upx
behavioral2/files/0x0007000000023524-97.dat	upx
behavioral2/files/0x0007000000023525-105.dat	upx
behavioral2/files/0x0007000000023526-110.dat	upx
behavioral2/files/0x0007000000023527-118.dat	upx
behavioral2/files/0x000700000002352a-133.dat	upx
behavioral2/files/0x000700000002352f-155.dat	upx
behavioral2/files/0x0007000000023531-165.dat	upx
behavioral2/memory/1376-329-0x00007FF6E6D30000-0x00007FF6E7121000-memory.dmp	upx
behavioral2/memory/3024-355-0x00007FF70B120000-0x00007FF70B511000-memory.dmp	upx
behavioral2/memory/208-360-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp	upx
behavioral2/memory/116-368-0x00007FF640BE0000-0x00007FF640FD1000-memory.dmp	upx
behavioral2/memory/5028-387-0x00007FF756480000-0x00007FF756871000-memory.dmp	upx
behavioral2/memory/4048-400-0x00007FF6691D0000-0x00007FF6695C1000-memory.dmp	upx
behavioral2/memory/4388-424-0x00007FF79E950000-0x00007FF79ED41000-memory.dmp	upx
behavioral2/memory/2624-430-0x00007FF691CB0000-0x00007FF6920A1000-memory.dmp	upx
behavioral2/memory/2912-451-0x00007FF6397B0000-0x00007FF639BA1000-memory.dmp	upx
behavioral2/memory/3528-471-0x00007FF68EB80000-0x00007FF68EF71000-memory.dmp	upx
behavioral2/memory/2680-475-0x00007FF606F20000-0x00007FF607311000-memory.dmp	upx
behavioral2/memory/4328-480-0x00007FF655530000-0x00007FF655921000-memory.dmp	upx
behavioral2/memory/1080-467-0x00007FF748780000-0x00007FF748B71000-memory.dmp	upx
behavioral2/memory/2188-446-0x00007FF6266B0000-0x00007FF626AA1000-memory.dmp	upx
behavioral2/memory/1344-426-0x00007FF699340000-0x00007FF699731000-memory.dmp	upx
behavioral2/memory/3860-419-0x00007FF74FE90000-0x00007FF750281000-memory.dmp	upx
behavioral2/memory/224-406-0x00007FF748450000-0x00007FF748841000-memory.dmp	upx
behavioral2/memory/1748-395-0x00007FF6504C0000-0x00007FF6508B1000-memory.dmp	upx
behavioral2/memory/2280-338-0x00007FF621E20000-0x00007FF622211000-memory.dmp	upx
behavioral2/memory/2896-328-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp	upx
behavioral2/files/0x0007000000023530-160.dat	upx
behavioral2/files/0x000700000002352e-150.dat	upx
behavioral2/files/0x000700000002352d-148.dat	upx
behavioral2/files/0x000700000002352c-140.dat	upx
behavioral2/files/0x000700000002352b-138.dat	upx
behavioral2/files/0x0007000000023529-125.dat	upx
behavioral2/files/0x0007000000023528-120.dat	upx
behavioral2/files/0x0007000000023522-90.dat	upx
behavioral2/files/0x0007000000023521-88.dat	upx
behavioral2/files/0x0007000000023520-80.dat	upx
behavioral2/files/0x000700000002351f-78.dat	upx
behavioral2/files/0x000700000002351e-73.dat	upx
behavioral2/files/0x000700000002351d-65.dat	upx
behavioral2/files/0x0007000000023519-44.dat	upx
behavioral2/memory/864-23-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp	upx
behavioral2/files/0x0007000000023514-19.dat	upx
behavioral2/memory/3412-12-0x00007FF701830000-0x00007FF701C21000-memory.dmp	upx
behavioral2/memory/1228-2049-0x00007FF60E150000-0x00007FF60E541000-memory.dmp	upx
behavioral2/memory/3412-2050-0x00007FF701830000-0x00007FF701C21000-memory.dmp	upx
behavioral2/memory/1312-2053-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp	upx
behavioral2/memory/2480-2054-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp	upx
behavioral2/memory/864-2052-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp	upx
behavioral2/memory/1080-2077-0x00007FF748780000-0x00007FF748B71000-memory.dmp	upx
behavioral2/memory/2896-2085-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\RPuNghs.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\lwNoauQ.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\UPugaUm.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\qYcepaI.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\UMiBQKo.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\nNLfpuY.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\sxgRUow.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\BRsRfUs.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\jVOgbVj.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\MKVLDiD.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\fhrytkZ.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\XFQAXEw.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\lwQvMNM.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\aRtTvzz.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ycaBMkv.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\oVoGutl.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\qKJuURa.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ZYEPmtO.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ccEORoK.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\bASBOrn.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\RSvcPap.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\bHonwRh.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\sdVbxjU.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\yoUYgaT.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\TEsnIrl.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\byrhCJa.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\NwUZrdk.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\Hknabdi.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\uHhoNSu.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\RqIXRuA.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\NrmnEQp.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\fgkQJPk.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\TGnJVGK.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\kqdSozF.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ULVrSnS.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\bMZJvnO.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\SsZjQGg.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\WNmhmUP.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\bQujbfW.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\nmOhiIo.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\AUHAPZj.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\LbrwlmK.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\fqpiJyk.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\BtAuLar.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\lgKnhqO.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\cOHHGNi.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\mLUBxyC.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\SIjKCbH.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\SqCdIUS.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\aMePKXo.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\RXVzTKa.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\eggVkjx.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\waNPkKR.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\nJeZtFc.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ELlECBq.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\dthXILX.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\qBJwrlB.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ilsWNXp.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ClPikUB.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\zmvziqe.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\CzBxMUZ.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\xFbooEm.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\ZNJZLDm.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
File created	C:\Windows\System32\limHrhi.exe	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2494989678-839960665-2515455429-1000\{F1E0A3E7-6E1C-4C86-A4AE-2D0E44607C1F}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2494989678-839960665-2515455429-1000\{EA3BD9CE-52E9-44C9-AB35-6AF3D1D288C1}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2494989678-839960665-2515455429-1000\{A263CF50-B64A-4FC3-88FD-C7AD1F91FE1C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2494989678-839960665-2515455429-1000\{F8BBDA7B-A678-46CD-B317-31317251C065}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13164	explorer.exe
Token: SeCreatePagefilePrivilege	13164	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe
Token: SeShutdownPrivilege	13372	explorer.exe
Token: SeCreatePagefilePrivilege	13372	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
12656	sihost.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13164	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
13372	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
6968	explorer.exe
6968	explorer.exe
6968	explorer.exe
6968	explorer.exe
6968	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4204	StartMenuExperienceHost.exe
13768	StartMenuExperienceHost.exe
13944	SearchApp.exe
4772	StartMenuExperienceHost.exe
13820	SearchApp.exe
13836	StartMenuExperienceHost.exe
1684	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3412	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	83
PID 1228 wrote to memory of 3412	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	83
PID 1228 wrote to memory of 864	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	84
PID 1228 wrote to memory of 864	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	84
PID 1228 wrote to memory of 1080	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	85
PID 1228 wrote to memory of 1080	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	85
PID 1228 wrote to memory of 3528	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	86
PID 1228 wrote to memory of 3528	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	86
PID 1228 wrote to memory of 1312	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	87
PID 1228 wrote to memory of 1312	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	87
PID 1228 wrote to memory of 2480	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	88
PID 1228 wrote to memory of 2480	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	88
PID 1228 wrote to memory of 2896	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	89
PID 1228 wrote to memory of 2896	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	89
PID 1228 wrote to memory of 2680	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	90
PID 1228 wrote to memory of 2680	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	90
PID 1228 wrote to memory of 4328	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	91
PID 1228 wrote to memory of 4328	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	91
PID 1228 wrote to memory of 1376	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	92
PID 1228 wrote to memory of 1376	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	92
PID 1228 wrote to memory of 2280	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	93
PID 1228 wrote to memory of 2280	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	93
PID 1228 wrote to memory of 3024	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	94
PID 1228 wrote to memory of 3024	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	94
PID 1228 wrote to memory of 208	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	95
PID 1228 wrote to memory of 208	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	95
PID 1228 wrote to memory of 116	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	96
PID 1228 wrote to memory of 116	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	96
PID 1228 wrote to memory of 5028	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	97
PID 1228 wrote to memory of 5028	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	97
PID 1228 wrote to memory of 1748	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	98
PID 1228 wrote to memory of 1748	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	98
PID 1228 wrote to memory of 4048	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	99
PID 1228 wrote to memory of 4048	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	99
PID 1228 wrote to memory of 224	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	100
PID 1228 wrote to memory of 224	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	100
PID 1228 wrote to memory of 3860	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	101
PID 1228 wrote to memory of 3860	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	101
PID 1228 wrote to memory of 4388	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	102
PID 1228 wrote to memory of 4388	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	102
PID 1228 wrote to memory of 1344	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	103
PID 1228 wrote to memory of 1344	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	103
PID 1228 wrote to memory of 2624	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	104
PID 1228 wrote to memory of 2624	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	104
PID 1228 wrote to memory of 2188	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	105
PID 1228 wrote to memory of 2188	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	105
PID 1228 wrote to memory of 2912	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	106
PID 1228 wrote to memory of 2912	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	106
PID 1228 wrote to memory of 5044	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	107
PID 1228 wrote to memory of 5044	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	107
PID 1228 wrote to memory of 696	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	108
PID 1228 wrote to memory of 696	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	108
PID 1228 wrote to memory of 548	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	109
PID 1228 wrote to memory of 548	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	109
PID 1228 wrote to memory of 3064	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	110
PID 1228 wrote to memory of 3064	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	110
PID 1228 wrote to memory of 4516	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	111
PID 1228 wrote to memory of 4516	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	111
PID 1228 wrote to memory of 2440	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	112
PID 1228 wrote to memory of 2440	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	112
PID 1228 wrote to memory of 4412	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	113
PID 1228 wrote to memory of 4412	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	113
PID 1228 wrote to memory of 2316	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	114
PID 1228 wrote to memory of 2316	1228	54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe	114

C:\Users\Admin\AppData\Local\Temp\54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe
"C:\Users\Admin\AppData\Local\Temp\54d8600e2b34d402a3ea342de8094187d27840b660cf7070fb783cae28bbf08b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\UsjTEKF.exe
  C:\Windows\System32\UsjTEKF.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\JbcJNvw.exe
  C:\Windows\System32\JbcJNvw.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System32\lrmGGnl.exe
  C:\Windows\System32\lrmGGnl.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\GdzTqqn.exe
  C:\Windows\System32\GdzTqqn.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System32\HoRMREB.exe
  C:\Windows\System32\HoRMREB.exe
  2⤵
  - Executes dropped EXE
  PID:1312
- C:\Windows\System32\OZykEhH.exe
  C:\Windows\System32\OZykEhH.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System32\tBElLKz.exe
  C:\Windows\System32\tBElLKz.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\lfeMWEy.exe
  C:\Windows\System32\lfeMWEy.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\aMePKXo.exe
  C:\Windows\System32\aMePKXo.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System32\mUgOech.exe
  C:\Windows\System32\mUgOech.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\lteseKV.exe
  C:\Windows\System32\lteseKV.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System32\fPjSZqj.exe
  C:\Windows\System32\fPjSZqj.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System32\pGeNtlm.exe
  C:\Windows\System32\pGeNtlm.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System32\LhMTqGv.exe
  C:\Windows\System32\LhMTqGv.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\qBJwrlB.exe
  C:\Windows\System32\qBJwrlB.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\FuKmzwX.exe
  C:\Windows\System32\FuKmzwX.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System32\aiswWFu.exe
  C:\Windows\System32\aiswWFu.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System32\ddSPsLE.exe
  C:\Windows\System32\ddSPsLE.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System32\fNVtLYE.exe
  C:\Windows\System32\fNVtLYE.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\PvBPmXL.exe
  C:\Windows\System32\PvBPmXL.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\jhxChEc.exe
  C:\Windows\System32\jhxChEc.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\HrotQWq.exe
  C:\Windows\System32\HrotQWq.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System32\tOKWMmE.exe
  C:\Windows\System32\tOKWMmE.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\WUYOjpr.exe
  C:\Windows\System32\WUYOjpr.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\fLopCzt.exe
  C:\Windows\System32\fLopCzt.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\YQxSVXX.exe
  C:\Windows\System32\YQxSVXX.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System32\SGSbNDy.exe
  C:\Windows\System32\SGSbNDy.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\CGOYgrX.exe
  C:\Windows\System32\CGOYgrX.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System32\MoLysWg.exe
  C:\Windows\System32\MoLysWg.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\JRjAhdx.exe
  C:\Windows\System32\JRjAhdx.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System32\BRsRfUs.exe
  C:\Windows\System32\BRsRfUs.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\hoJERgH.exe
  C:\Windows\System32\hoJERgH.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System32\PTtADRX.exe
  C:\Windows\System32\PTtADRX.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\kATJTxn.exe
  C:\Windows\System32\kATJTxn.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\XfiRqnl.exe
  C:\Windows\System32\XfiRqnl.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\RPuNghs.exe
  C:\Windows\System32\RPuNghs.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System32\WdWvOFy.exe
  C:\Windows\System32\WdWvOFy.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System32\GbnJmcw.exe
  C:\Windows\System32\GbnJmcw.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\KegpsMm.exe
  C:\Windows\System32\KegpsMm.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System32\oLGKIke.exe
  C:\Windows\System32\oLGKIke.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\xvAVUXf.exe
  C:\Windows\System32\xvAVUXf.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\VvXhGru.exe
  C:\Windows\System32\VvXhGru.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\jEBCQhy.exe
  C:\Windows\System32\jEBCQhy.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System32\EfgpPgy.exe
  C:\Windows\System32\EfgpPgy.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System32\sCsfyYz.exe
  C:\Windows\System32\sCsfyYz.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\XFQAXEw.exe
  C:\Windows\System32\XFQAXEw.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\lAqamOG.exe
  C:\Windows\System32\lAqamOG.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\dzCQLba.exe
  C:\Windows\System32\dzCQLba.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\JQChkVL.exe
  C:\Windows\System32\JQChkVL.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\goDjGVe.exe
  C:\Windows\System32\goDjGVe.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\NwUZrdk.exe
  C:\Windows\System32\NwUZrdk.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\wiGWkNv.exe
  C:\Windows\System32\wiGWkNv.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\xMbngWt.exe
  C:\Windows\System32\xMbngWt.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System32\QZjjRvi.exe
  C:\Windows\System32\QZjjRvi.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System32\HtQIBAL.exe
  C:\Windows\System32\HtQIBAL.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\kfDMbRI.exe
  C:\Windows\System32\kfDMbRI.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\ESBvGRh.exe
  C:\Windows\System32\ESBvGRh.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\kJZOnuK.exe
  C:\Windows\System32\kJZOnuK.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System32\qoujMqN.exe
  C:\Windows\System32\qoujMqN.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\ZDvIELQ.exe
  C:\Windows\System32\ZDvIELQ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System32\aystMZV.exe
  C:\Windows\System32\aystMZV.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\JjBDKsl.exe
  C:\Windows\System32\JjBDKsl.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\sUmDdLs.exe
  C:\Windows\System32\sUmDdLs.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\YrnRTVG.exe
  C:\Windows\System32\YrnRTVG.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System32\baWOCon.exe
  C:\Windows\System32\baWOCon.exe
  2⤵
  PID:5060
- C:\Windows\System32\jTQWtUd.exe
  C:\Windows\System32\jTQWtUd.exe
  2⤵
  PID:2116
- C:\Windows\System32\QIcKRMF.exe
  C:\Windows\System32\QIcKRMF.exe
  2⤵
  PID:3484
- C:\Windows\System32\yuZQSoD.exe
  C:\Windows\System32\yuZQSoD.exe
  2⤵
  PID:4424
- C:\Windows\System32\dJAagdj.exe
  C:\Windows\System32\dJAagdj.exe
  2⤵
  PID:1692
- C:\Windows\System32\TmzrIgz.exe
  C:\Windows\System32\TmzrIgz.exe
  2⤵
  PID:1976
- C:\Windows\System32\YWaAgVn.exe
  C:\Windows\System32\YWaAgVn.exe
  2⤵
  PID:732
- C:\Windows\System32\IOGUJPu.exe
  C:\Windows\System32\IOGUJPu.exe
  2⤵
  PID:2120
- C:\Windows\System32\GTRGTVY.exe
  C:\Windows\System32\GTRGTVY.exe
  2⤵
  PID:2764
- C:\Windows\System32\sklvqrY.exe
  C:\Windows\System32\sklvqrY.exe
  2⤵
  PID:4576
- C:\Windows\System32\Urguwfa.exe
  C:\Windows\System32\Urguwfa.exe
  2⤵
  PID:2712
- C:\Windows\System32\gSwBoub.exe
  C:\Windows\System32\gSwBoub.exe
  2⤵
  PID:3640
- C:\Windows\System32\eOFfSIN.exe
  C:\Windows\System32\eOFfSIN.exe
  2⤵
  PID:2204
- C:\Windows\System32\ZuRuVAv.exe
  C:\Windows\System32\ZuRuVAv.exe
  2⤵
  PID:4376
- C:\Windows\System32\AqtkiKb.exe
  C:\Windows\System32\AqtkiKb.exe
  2⤵
  PID:3152
- C:\Windows\System32\OJVNrdT.exe
  C:\Windows\System32\OJVNrdT.exe
  2⤵
  PID:900
- C:\Windows\System32\HVnZMxs.exe
  C:\Windows\System32\HVnZMxs.exe
  2⤵
  PID:868
- C:\Windows\System32\kqdHEuq.exe
  C:\Windows\System32\kqdHEuq.exe
  2⤵
  PID:700
- C:\Windows\System32\BtAuLar.exe
  C:\Windows\System32\BtAuLar.exe
  2⤵
  PID:4904
- C:\Windows\System32\sbFtUBn.exe
  C:\Windows\System32\sbFtUBn.exe
  2⤵
  PID:4828
- C:\Windows\System32\MadCHiD.exe
  C:\Windows\System32\MadCHiD.exe
  2⤵
  PID:428
- C:\Windows\System32\btHHxzm.exe
  C:\Windows\System32\btHHxzm.exe
  2⤵
  PID:2200
- C:\Windows\System32\Lyvozjc.exe
  C:\Windows\System32\Lyvozjc.exe
  2⤵
  PID:1332
- C:\Windows\System32\qmHVVPF.exe
  C:\Windows\System32\qmHVVPF.exe
  2⤵
  PID:1848
- C:\Windows\System32\ilsWNXp.exe
  C:\Windows\System32\ilsWNXp.exe
  2⤵
  PID:2196
- C:\Windows\System32\AWLHBVl.exe
  C:\Windows\System32\AWLHBVl.exe
  2⤵
  PID:3220
- C:\Windows\System32\uTchzPS.exe
  C:\Windows\System32\uTchzPS.exe
  2⤵
  PID:1912
- C:\Windows\System32\iYASthw.exe
  C:\Windows\System32\iYASthw.exe
  2⤵
  PID:3616
- C:\Windows\System32\WfhjIUZ.exe
  C:\Windows\System32\WfhjIUZ.exe
  2⤵
  PID:4628
- C:\Windows\System32\ZkxqTma.exe
  C:\Windows\System32\ZkxqTma.exe
  2⤵
  PID:4052
- C:\Windows\System32\RXVzTKa.exe
  C:\Windows\System32\RXVzTKa.exe
  2⤵
  PID:5112
- C:\Windows\System32\VXOSDCU.exe
  C:\Windows\System32\VXOSDCU.exe
  2⤵
  PID:1620
- C:\Windows\System32\gVGREMR.exe
  C:\Windows\System32\gVGREMR.exe
  2⤵
  PID:3676
- C:\Windows\System32\ClPikUB.exe
  C:\Windows\System32\ClPikUB.exe
  2⤵
  PID:4032
- C:\Windows\System32\SGkOmjJ.exe
  C:\Windows\System32\SGkOmjJ.exe
  2⤵
  PID:1616
- C:\Windows\System32\QMTFnIc.exe
  C:\Windows\System32\QMTFnIc.exe
  2⤵
  PID:2012
- C:\Windows\System32\GszCDOP.exe
  C:\Windows\System32\GszCDOP.exe
  2⤵
  PID:4488
- C:\Windows\System32\msszuBs.exe
  C:\Windows\System32\msszuBs.exe
  2⤵
  PID:348
- C:\Windows\System32\KizcXqA.exe
  C:\Windows\System32\KizcXqA.exe
  2⤵
  PID:3636
- C:\Windows\System32\rsfizWA.exe
  C:\Windows\System32\rsfizWA.exe
  2⤵
  PID:2368
- C:\Windows\System32\ZlDcnEg.exe
  C:\Windows\System32\ZlDcnEg.exe
  2⤵
  PID:2220
- C:\Windows\System32\wimYVKo.exe
  C:\Windows\System32\wimYVKo.exe
  2⤵
  PID:4996
- C:\Windows\System32\MVROVqG.exe
  C:\Windows\System32\MVROVqG.exe
  2⤵
  PID:5244
- C:\Windows\System32\BFuZMnB.exe
  C:\Windows\System32\BFuZMnB.exe
  2⤵
  PID:5268
- C:\Windows\System32\EgvBAtL.exe
  C:\Windows\System32\EgvBAtL.exe
  2⤵
  PID:5292
- C:\Windows\System32\lgKnhqO.exe
  C:\Windows\System32\lgKnhqO.exe
  2⤵
  PID:5312
- C:\Windows\System32\SOSNZAt.exe
  C:\Windows\System32\SOSNZAt.exe
  2⤵
  PID:5352
- C:\Windows\System32\HVrSKlK.exe
  C:\Windows\System32\HVrSKlK.exe
  2⤵
  PID:5372
- C:\Windows\System32\lwNoauQ.exe
  C:\Windows\System32\lwNoauQ.exe
  2⤵
  PID:5388
- C:\Windows\System32\uTSbuuN.exe
  C:\Windows\System32\uTSbuuN.exe
  2⤵
  PID:5404
- C:\Windows\System32\WuETUew.exe
  C:\Windows\System32\WuETUew.exe
  2⤵
  PID:5432
- C:\Windows\System32\TqNnKwE.exe
  C:\Windows\System32\TqNnKwE.exe
  2⤵
  PID:5452
- C:\Windows\System32\cleEsID.exe
  C:\Windows\System32\cleEsID.exe
  2⤵
  PID:5472
- C:\Windows\System32\yXoziyV.exe
  C:\Windows\System32\yXoziyV.exe
  2⤵
  PID:5508
- C:\Windows\System32\xfajVdk.exe
  C:\Windows\System32\xfajVdk.exe
  2⤵
  PID:5552
- C:\Windows\System32\kZSDWFL.exe
  C:\Windows\System32\kZSDWFL.exe
  2⤵
  PID:5588
- C:\Windows\System32\sOGmrxa.exe
  C:\Windows\System32\sOGmrxa.exe
  2⤵
  PID:5604
- C:\Windows\System32\WuRZtYz.exe
  C:\Windows\System32\WuRZtYz.exe
  2⤵
  PID:5620
- C:\Windows\System32\wcSvVqA.exe
  C:\Windows\System32\wcSvVqA.exe
  2⤵
  PID:5656
- C:\Windows\System32\JnejGBb.exe
  C:\Windows\System32\JnejGBb.exe
  2⤵
  PID:5672
- C:\Windows\System32\rGSexlH.exe
  C:\Windows\System32\rGSexlH.exe
  2⤵
  PID:5700
- C:\Windows\System32\ecBeeYM.exe
  C:\Windows\System32\ecBeeYM.exe
  2⤵
  PID:5724
- C:\Windows\System32\TGnJVGK.exe
  C:\Windows\System32\TGnJVGK.exe
  2⤵
  PID:5744
- C:\Windows\System32\CyOUcwS.exe
  C:\Windows\System32\CyOUcwS.exe
  2⤵
  PID:5764
- C:\Windows\System32\Hknabdi.exe
  C:\Windows\System32\Hknabdi.exe
  2⤵
  PID:5856
- C:\Windows\System32\otQDaFY.exe
  C:\Windows\System32\otQDaFY.exe
  2⤵
  PID:5912
- C:\Windows\System32\zUivhTu.exe
  C:\Windows\System32\zUivhTu.exe
  2⤵
  PID:5960
- C:\Windows\System32\kbAjIxv.exe
  C:\Windows\System32\kbAjIxv.exe
  2⤵
  PID:5984
- C:\Windows\System32\eUXwYGf.exe
  C:\Windows\System32\eUXwYGf.exe
  2⤵
  PID:6032
- C:\Windows\System32\CjMpkjY.exe
  C:\Windows\System32\CjMpkjY.exe
  2⤵
  PID:6048
- C:\Windows\System32\ohDkorW.exe
  C:\Windows\System32\ohDkorW.exe
  2⤵
  PID:6072
- C:\Windows\System32\DRjIOsI.exe
  C:\Windows\System32\DRjIOsI.exe
  2⤵
  PID:6088
- C:\Windows\System32\HviJABo.exe
  C:\Windows\System32\HviJABo.exe
  2⤵
  PID:6132
- C:\Windows\System32\RSvcPap.exe
  C:\Windows\System32\RSvcPap.exe
  2⤵
  PID:2404
- C:\Windows\System32\aozIzZe.exe
  C:\Windows\System32\aozIzZe.exe
  2⤵
  PID:3964
- C:\Windows\System32\WzHVLYM.exe
  C:\Windows\System32\WzHVLYM.exe
  2⤵
  PID:4840
- C:\Windows\System32\eSHNsYe.exe
  C:\Windows\System32\eSHNsYe.exe
  2⤵
  PID:5156
- C:\Windows\System32\nDMCYJI.exe
  C:\Windows\System32\nDMCYJI.exe
  2⤵
  PID:4492
- C:\Windows\System32\vokuBdW.exe
  C:\Windows\System32\vokuBdW.exe
  2⤵
  PID:2240
- C:\Windows\System32\SyoxMHa.exe
  C:\Windows\System32\SyoxMHa.exe
  2⤵
  PID:5360
- C:\Windows\System32\yVQzyTV.exe
  C:\Windows\System32\yVQzyTV.exe
  2⤵
  PID:5448
- C:\Windows\System32\mGITZZL.exe
  C:\Windows\System32\mGITZZL.exe
  2⤵
  PID:5440
- C:\Windows\System32\mBrrVwH.exe
  C:\Windows\System32\mBrrVwH.exe
  2⤵
  PID:5640
- C:\Windows\System32\Sczcmyk.exe
  C:\Windows\System32\Sczcmyk.exe
  2⤵
  PID:5540
- C:\Windows\System32\xWrlxlU.exe
  C:\Windows\System32\xWrlxlU.exe
  2⤵
  PID:5600
- C:\Windows\System32\YHofmvl.exe
  C:\Windows\System32\YHofmvl.exe
  2⤵
  PID:5636
- C:\Windows\System32\CeBABYk.exe
  C:\Windows\System32\CeBABYk.exe
  2⤵
  PID:5788
- C:\Windows\System32\dubrtpR.exe
  C:\Windows\System32\dubrtpR.exe
  2⤵
  PID:5804
- C:\Windows\System32\OjjCcCh.exe
  C:\Windows\System32\OjjCcCh.exe
  2⤵
  PID:5832
- C:\Windows\System32\vyYoCzl.exe
  C:\Windows\System32\vyYoCzl.exe
  2⤵
  PID:5872
- C:\Windows\System32\WmnnmUs.exe
  C:\Windows\System32\WmnnmUs.exe
  2⤵
  PID:6040
- C:\Windows\System32\fqpiJyk.exe
  C:\Windows\System32\fqpiJyk.exe
  2⤵
  PID:6140
- C:\Windows\System32\aEbIGBA.exe
  C:\Windows\System32\aEbIGBA.exe
  2⤵
  PID:2528
- C:\Windows\System32\DnOKfCq.exe
  C:\Windows\System32\DnOKfCq.exe
  2⤵
  PID:5200
- C:\Windows\System32\mmksyHo.exe
  C:\Windows\System32\mmksyHo.exe
  2⤵
  PID:5364
- C:\Windows\System32\RBPXDVn.exe
  C:\Windows\System32\RBPXDVn.exe
  2⤵
  PID:5652
- C:\Windows\System32\GEWEdiQ.exe
  C:\Windows\System32\GEWEdiQ.exe
  2⤵
  PID:5696
- C:\Windows\System32\mRnmeAB.exe
  C:\Windows\System32\mRnmeAB.exe
  2⤵
  PID:5612
- C:\Windows\System32\nmOhiIo.exe
  C:\Windows\System32\nmOhiIo.exe
  2⤵
  PID:5932
- C:\Windows\System32\kyhLeTs.exe
  C:\Windows\System32\kyhLeTs.exe
  2⤵
  PID:5968
- C:\Windows\System32\pLAumzD.exe
  C:\Windows\System32\pLAumzD.exe
  2⤵
  PID:3388
- C:\Windows\System32\POTvOxx.exe
  C:\Windows\System32\POTvOxx.exe
  2⤵
  PID:5308
- C:\Windows\System32\mjBhkbC.exe
  C:\Windows\System32\mjBhkbC.exe
  2⤵
  PID:5424
- C:\Windows\System32\REbtAdY.exe
  C:\Windows\System32\REbtAdY.exe
  2⤵
  PID:5280
- C:\Windows\System32\rztJyEC.exe
  C:\Windows\System32\rztJyEC.exe
  2⤵
  PID:3368
- C:\Windows\System32\DbKfwlR.exe
  C:\Windows\System32\DbKfwlR.exe
  2⤵
  PID:6172
- C:\Windows\System32\bRiGGEF.exe
  C:\Windows\System32\bRiGGEF.exe
  2⤵
  PID:6196
- C:\Windows\System32\PfrSQoA.exe
  C:\Windows\System32\PfrSQoA.exe
  2⤵
  PID:6228
- C:\Windows\System32\bQujbfW.exe
  C:\Windows\System32\bQujbfW.exe
  2⤵
  PID:6280
- C:\Windows\System32\AgKYVWx.exe
  C:\Windows\System32\AgKYVWx.exe
  2⤵
  PID:6300
- C:\Windows\System32\PMgmvpM.exe
  C:\Windows\System32\PMgmvpM.exe
  2⤵
  PID:6316
- C:\Windows\System32\FKQHmzP.exe
  C:\Windows\System32\FKQHmzP.exe
  2⤵
  PID:6344
- C:\Windows\System32\yolqvSq.exe
  C:\Windows\System32\yolqvSq.exe
  2⤵
  PID:6360
- C:\Windows\System32\jYWLDUX.exe
  C:\Windows\System32\jYWLDUX.exe
  2⤵
  PID:6400
- C:\Windows\System32\zmvziqe.exe
  C:\Windows\System32\zmvziqe.exe
  2⤵
  PID:6452
- C:\Windows\System32\zvqxLCZ.exe
  C:\Windows\System32\zvqxLCZ.exe
  2⤵
  PID:6480
- C:\Windows\System32\DkeNCXP.exe
  C:\Windows\System32\DkeNCXP.exe
  2⤵
  PID:6504
- C:\Windows\System32\OiMKWrF.exe
  C:\Windows\System32\OiMKWrF.exe
  2⤵
  PID:6520
- C:\Windows\System32\BCtjZUy.exe
  C:\Windows\System32\BCtjZUy.exe
  2⤵
  PID:6544
- C:\Windows\System32\SLuhGmE.exe
  C:\Windows\System32\SLuhGmE.exe
  2⤵
  PID:6604
- C:\Windows\System32\RimOTzQ.exe
  C:\Windows\System32\RimOTzQ.exe
  2⤵
  PID:6628
- C:\Windows\System32\ealUhDe.exe
  C:\Windows\System32\ealUhDe.exe
  2⤵
  PID:6648
- C:\Windows\System32\lWfKmnB.exe
  C:\Windows\System32\lWfKmnB.exe
  2⤵
  PID:6684
- C:\Windows\System32\bHonwRh.exe
  C:\Windows\System32\bHonwRh.exe
  2⤵
  PID:6700
- C:\Windows\System32\LMwXjlj.exe
  C:\Windows\System32\LMwXjlj.exe
  2⤵
  PID:6720
- C:\Windows\System32\tWCqUbi.exe
  C:\Windows\System32\tWCqUbi.exe
  2⤵
  PID:6756
- C:\Windows\System32\PSNAwNc.exe
  C:\Windows\System32\PSNAwNc.exe
  2⤵
  PID:6784
- C:\Windows\System32\nvtTHHg.exe
  C:\Windows\System32\nvtTHHg.exe
  2⤵
  PID:6824
- C:\Windows\System32\QXWXmsA.exe
  C:\Windows\System32\QXWXmsA.exe
  2⤵
  PID:6856
- C:\Windows\System32\ouUvNsx.exe
  C:\Windows\System32\ouUvNsx.exe
  2⤵
  PID:6872
- C:\Windows\System32\UawyiSu.exe
  C:\Windows\System32\UawyiSu.exe
  2⤵
  PID:6900
- C:\Windows\System32\ClGoeFH.exe
  C:\Windows\System32\ClGoeFH.exe
  2⤵
  PID:6920
- C:\Windows\System32\mWiBagy.exe
  C:\Windows\System32\mWiBagy.exe
  2⤵
  PID:6948
- C:\Windows\System32\uhmTfQE.exe
  C:\Windows\System32\uhmTfQE.exe
  2⤵
  PID:6976
- C:\Windows\System32\lkGeQLe.exe
  C:\Windows\System32\lkGeQLe.exe
  2⤵
  PID:6992
- C:\Windows\System32\wuELHdp.exe
  C:\Windows\System32\wuELHdp.exe
  2⤵
  PID:7016
- C:\Windows\System32\lMxfgYk.exe
  C:\Windows\System32\lMxfgYk.exe
  2⤵
  PID:7068
- C:\Windows\System32\JCIZwip.exe
  C:\Windows\System32\JCIZwip.exe
  2⤵
  PID:7096
- C:\Windows\System32\HbWJXTn.exe
  C:\Windows\System32\HbWJXTn.exe
  2⤵
  PID:7112
- C:\Windows\System32\drAjYRZ.exe
  C:\Windows\System32\drAjYRZ.exe
  2⤵
  PID:7160
- C:\Windows\System32\pzKLsAW.exe
  C:\Windows\System32\pzKLsAW.exe
  2⤵
  PID:5536
- C:\Windows\System32\bdZoOVd.exe
  C:\Windows\System32\bdZoOVd.exe
  2⤵
  PID:5864
- C:\Windows\System32\jmROyzt.exe
  C:\Windows\System32\jmROyzt.exe
  2⤵
  PID:6224
- C:\Windows\System32\puoUPpS.exe
  C:\Windows\System32\puoUPpS.exe
  2⤵
  PID:6328
- C:\Windows\System32\ptMPeof.exe
  C:\Windows\System32\ptMPeof.exe
  2⤵
  PID:6416
- C:\Windows\System32\mBkSuCp.exe
  C:\Windows\System32\mBkSuCp.exe
  2⤵
  PID:6436
- C:\Windows\System32\ueacbYf.exe
  C:\Windows\System32\ueacbYf.exe
  2⤵
  PID:6528
- C:\Windows\System32\IxrBuBd.exe
  C:\Windows\System32\IxrBuBd.exe
  2⤵
  PID:6552
- C:\Windows\System32\RgkwVAL.exe
  C:\Windows\System32\RgkwVAL.exe
  2⤵
  PID:6616
- C:\Windows\System32\LeiolWl.exe
  C:\Windows\System32\LeiolWl.exe
  2⤵
  PID:6732
- C:\Windows\System32\bASBOrn.exe
  C:\Windows\System32\bASBOrn.exe
  2⤵
  PID:6804
- C:\Windows\System32\ogrxCoY.exe
  C:\Windows\System32\ogrxCoY.exe
  2⤵
  PID:6888
- C:\Windows\System32\UlnjdcV.exe
  C:\Windows\System32\UlnjdcV.exe
  2⤵
  PID:6884
- C:\Windows\System32\ZqukgOv.exe
  C:\Windows\System32\ZqukgOv.exe
  2⤵
  PID:6940
- C:\Windows\System32\dcikeBQ.exe
  C:\Windows\System32\dcikeBQ.exe
  2⤵
  PID:7028
- C:\Windows\System32\BxgjkCp.exe
  C:\Windows\System32\BxgjkCp.exe
  2⤵
  PID:7104
- C:\Windows\System32\CzBxMUZ.exe
  C:\Windows\System32\CzBxMUZ.exe
  2⤵
  PID:7140
- C:\Windows\System32\ybhDPsD.exe
  C:\Windows\System32\ybhDPsD.exe
  2⤵
  PID:6260
- C:\Windows\System32\IKaaxvu.exe
  C:\Windows\System32\IKaaxvu.exe
  2⤵
  PID:6368
- C:\Windows\System32\ACBAoZw.exe
  C:\Windows\System32\ACBAoZw.exe
  2⤵
  PID:6584
- C:\Windows\System32\OLEogPD.exe
  C:\Windows\System32\OLEogPD.exe
  2⤵
  PID:6600
- C:\Windows\System32\aHEelMD.exe
  C:\Windows\System32\aHEelMD.exe
  2⤵
  PID:6664
- C:\Windows\System32\NeJtoVs.exe
  C:\Windows\System32\NeJtoVs.exe
  2⤵
  PID:1576
- C:\Windows\System32\FQGeXMM.exe
  C:\Windows\System32\FQGeXMM.exe
  2⤵
  PID:7056
- C:\Windows\System32\KIVQSeU.exe
  C:\Windows\System32\KIVQSeU.exe
  2⤵
  PID:6192
- C:\Windows\System32\eggVkjx.exe
  C:\Windows\System32\eggVkjx.exe
  2⤵
  PID:6420
- C:\Windows\System32\sdVbxjU.exe
  C:\Windows\System32\sdVbxjU.exe
  2⤵
  PID:6772
- C:\Windows\System32\OSQAaYt.exe
  C:\Windows\System32\OSQAaYt.exe
  2⤵
  PID:6956
- C:\Windows\System32\BKpPDOE.exe
  C:\Windows\System32\BKpPDOE.exe
  2⤵
  PID:7128
- C:\Windows\System32\tvitgWT.exe
  C:\Windows\System32\tvitgWT.exe
  2⤵
  PID:7204
- C:\Windows\System32\GELplXp.exe
  C:\Windows\System32\GELplXp.exe
  2⤵
  PID:7228
- C:\Windows\System32\TuNJDRG.exe
  C:\Windows\System32\TuNJDRG.exe
  2⤵
  PID:7256
- C:\Windows\System32\iXNtDeC.exe
  C:\Windows\System32\iXNtDeC.exe
  2⤵
  PID:7276
- C:\Windows\System32\lwQvMNM.exe
  C:\Windows\System32\lwQvMNM.exe
  2⤵
  PID:7296
- C:\Windows\System32\mrQhgwP.exe
  C:\Windows\System32\mrQhgwP.exe
  2⤵
  PID:7332
- C:\Windows\System32\OZmwnpr.exe
  C:\Windows\System32\OZmwnpr.exe
  2⤵
  PID:7348
- C:\Windows\System32\wckcHcA.exe
  C:\Windows\System32\wckcHcA.exe
  2⤵
  PID:7368
- C:\Windows\System32\EkBeOeq.exe
  C:\Windows\System32\EkBeOeq.exe
  2⤵
  PID:7408
- C:\Windows\System32\vJCcZcC.exe
  C:\Windows\System32\vJCcZcC.exe
  2⤵
  PID:7428
- C:\Windows\System32\BFRszna.exe
  C:\Windows\System32\BFRszna.exe
  2⤵
  PID:7460
- C:\Windows\System32\kqdSozF.exe
  C:\Windows\System32\kqdSozF.exe
  2⤵
  PID:7480
- C:\Windows\System32\XNeeqLF.exe
  C:\Windows\System32\XNeeqLF.exe
  2⤵
  PID:7504
- C:\Windows\System32\eSzxYyE.exe
  C:\Windows\System32\eSzxYyE.exe
  2⤵
  PID:7524
- C:\Windows\System32\EGmrHTg.exe
  C:\Windows\System32\EGmrHTg.exe
  2⤵
  PID:7544
- C:\Windows\System32\jbzEWMu.exe
  C:\Windows\System32\jbzEWMu.exe
  2⤵
  PID:7596
- C:\Windows\System32\itEytib.exe
  C:\Windows\System32\itEytib.exe
  2⤵
  PID:7656
- C:\Windows\System32\WvRilFM.exe
  C:\Windows\System32\WvRilFM.exe
  2⤵
  PID:7672
- C:\Windows\System32\tEomZsE.exe
  C:\Windows\System32\tEomZsE.exe
  2⤵
  PID:7692
- C:\Windows\System32\yVmrauF.exe
  C:\Windows\System32\yVmrauF.exe
  2⤵
  PID:7724
- C:\Windows\System32\gwGclxl.exe
  C:\Windows\System32\gwGclxl.exe
  2⤵
  PID:7748
- C:\Windows\System32\jqSdtte.exe
  C:\Windows\System32\jqSdtte.exe
  2⤵
  PID:7788
- C:\Windows\System32\gLxqCOI.exe
  C:\Windows\System32\gLxqCOI.exe
  2⤵
  PID:7812
- C:\Windows\System32\anHKpWb.exe
  C:\Windows\System32\anHKpWb.exe
  2⤵
  PID:7828
- C:\Windows\System32\waNPkKR.exe
  C:\Windows\System32\waNPkKR.exe
  2⤵
  PID:7844
- C:\Windows\System32\FabeIpf.exe
  C:\Windows\System32\FabeIpf.exe
  2⤵
  PID:7860
- C:\Windows\System32\yYmmnID.exe
  C:\Windows\System32\yYmmnID.exe
  2⤵
  PID:7904
- C:\Windows\System32\KqZNMfu.exe
  C:\Windows\System32\KqZNMfu.exe
  2⤵
  PID:7940
- C:\Windows\System32\zPaIFrV.exe
  C:\Windows\System32\zPaIFrV.exe
  2⤵
  PID:7960
- C:\Windows\System32\rYHpyGW.exe
  C:\Windows\System32\rYHpyGW.exe
  2⤵
  PID:8000
- C:\Windows\System32\ppNuiqg.exe
  C:\Windows\System32\ppNuiqg.exe
  2⤵
  PID:8024
- C:\Windows\System32\sZmiXtI.exe
  C:\Windows\System32\sZmiXtI.exe
  2⤵
  PID:8064
- C:\Windows\System32\NuqxLLb.exe
  C:\Windows\System32\NuqxLLb.exe
  2⤵
  PID:8100
- C:\Windows\System32\PgJWEKL.exe
  C:\Windows\System32\PgJWEKL.exe
  2⤵
  PID:8120
- C:\Windows\System32\NpUDNUJ.exe
  C:\Windows\System32\NpUDNUJ.exe
  2⤵
  PID:8152
- C:\Windows\System32\XYJxMtH.exe
  C:\Windows\System32\XYJxMtH.exe
  2⤵
  PID:8172
- C:\Windows\System32\MkYUfzG.exe
  C:\Windows\System32\MkYUfzG.exe
  2⤵
  PID:5240
- C:\Windows\System32\omcnbLN.exe
  C:\Windows\System32\omcnbLN.exe
  2⤵
  PID:7224
- C:\Windows\System32\HprCCwF.exe
  C:\Windows\System32\HprCCwF.exe
  2⤵
  PID:7292
- C:\Windows\System32\GidpWzt.exe
  C:\Windows\System32\GidpWzt.exe
  2⤵
  PID:7344
- C:\Windows\System32\zmzxlSm.exe
  C:\Windows\System32\zmzxlSm.exe
  2⤵
  PID:7380
- C:\Windows\System32\RrOQvHA.exe
  C:\Windows\System32\RrOQvHA.exe
  2⤵
  PID:7448
- C:\Windows\System32\ULVrSnS.exe
  C:\Windows\System32\ULVrSnS.exe
  2⤵
  PID:7496
- C:\Windows\System32\kBJzmjw.exe
  C:\Windows\System32\kBJzmjw.exe
  2⤵
  PID:7488
- C:\Windows\System32\GWDTITk.exe
  C:\Windows\System32\GWDTITk.exe
  2⤵
  PID:7636
- C:\Windows\System32\wqIvGoD.exe
  C:\Windows\System32\wqIvGoD.exe
  2⤵
  PID:7764
- C:\Windows\System32\xlbPcwc.exe
  C:\Windows\System32\xlbPcwc.exe
  2⤵
  PID:7796
- C:\Windows\System32\KFCJukJ.exe
  C:\Windows\System32\KFCJukJ.exe
  2⤵
  PID:7840
- C:\Windows\System32\yoUYgaT.exe
  C:\Windows\System32\yoUYgaT.exe
  2⤵
  PID:5544
- C:\Windows\System32\PoyycPC.exe
  C:\Windows\System32\PoyycPC.exe
  2⤵
  PID:7916
- C:\Windows\System32\MxUaXkO.exe
  C:\Windows\System32\MxUaXkO.exe
  2⤵
  PID:7972
- C:\Windows\System32\FBPtkbc.exe
  C:\Windows\System32\FBPtkbc.exe
  2⤵
  PID:8052
- C:\Windows\System32\DwqiqRY.exe
  C:\Windows\System32\DwqiqRY.exe
  2⤵
  PID:8168
- C:\Windows\System32\cGdCqxA.exe
  C:\Windows\System32\cGdCqxA.exe
  2⤵
  PID:7212
- C:\Windows\System32\ytehVVr.exe
  C:\Windows\System32\ytehVVr.exe
  2⤵
  PID:7308
- C:\Windows\System32\zzQuGyl.exe
  C:\Windows\System32\zzQuGyl.exe
  2⤵
  PID:7400
- C:\Windows\System32\dogGRlL.exe
  C:\Windows\System32\dogGRlL.exe
  2⤵
  PID:7608
- C:\Windows\System32\BkfMrLj.exe
  C:\Windows\System32\BkfMrLj.exe
  2⤵
  PID:7824
- C:\Windows\System32\QHxDQUQ.exe
  C:\Windows\System32\QHxDQUQ.exe
  2⤵
  PID:8140
- C:\Windows\System32\voPnoRI.exe
  C:\Windows\System32\voPnoRI.exe
  2⤵
  PID:7552
- C:\Windows\System32\ZiYEpQe.exe
  C:\Windows\System32\ZiYEpQe.exe
  2⤵
  PID:5460
- C:\Windows\System32\HDjTeJq.exe
  C:\Windows\System32\HDjTeJq.exe
  2⤵
  PID:5716
- C:\Windows\System32\GPJTOcR.exe
  C:\Windows\System32\GPJTOcR.exe
  2⤵
  PID:8016
- C:\Windows\System32\tlHbYWK.exe
  C:\Windows\System32\tlHbYWK.exe
  2⤵
  PID:8208
- C:\Windows\System32\iKuvSWg.exe
  C:\Windows\System32\iKuvSWg.exe
  2⤵
  PID:8224
- C:\Windows\System32\wZVkoSo.exe
  C:\Windows\System32\wZVkoSo.exe
  2⤵
  PID:8240
- C:\Windows\System32\TKhpBEd.exe
  C:\Windows\System32\TKhpBEd.exe
  2⤵
  PID:8256
- C:\Windows\System32\zBYCEdV.exe
  C:\Windows\System32\zBYCEdV.exe
  2⤵
  PID:8272
- C:\Windows\System32\aRtTvzz.exe
  C:\Windows\System32\aRtTvzz.exe
  2⤵
  PID:8296
- C:\Windows\System32\duKhchC.exe
  C:\Windows\System32\duKhchC.exe
  2⤵
  PID:8400
- C:\Windows\System32\eroINQR.exe
  C:\Windows\System32\eroINQR.exe
  2⤵
  PID:8472
- C:\Windows\System32\nGgpGNq.exe
  C:\Windows\System32\nGgpGNq.exe
  2⤵
  PID:8500
- C:\Windows\System32\rDVMhis.exe
  C:\Windows\System32\rDVMhis.exe
  2⤵
  PID:8520
- C:\Windows\System32\mTawhOg.exe
  C:\Windows\System32\mTawhOg.exe
  2⤵
  PID:8540
- C:\Windows\System32\brHOvbD.exe
  C:\Windows\System32\brHOvbD.exe
  2⤵
  PID:8556
- C:\Windows\System32\JiQeDbJ.exe
  C:\Windows\System32\JiQeDbJ.exe
  2⤵
  PID:8580
- C:\Windows\System32\YJKwMWI.exe
  C:\Windows\System32\YJKwMWI.exe
  2⤵
  PID:8608
- C:\Windows\System32\YWCMubu.exe
  C:\Windows\System32\YWCMubu.exe
  2⤵
  PID:8648
- C:\Windows\System32\JZSJaGh.exe
  C:\Windows\System32\JZSJaGh.exe
  2⤵
  PID:8692
- C:\Windows\System32\mBrDlvk.exe
  C:\Windows\System32\mBrDlvk.exe
  2⤵
  PID:8724
- C:\Windows\System32\xikQzWr.exe
  C:\Windows\System32\xikQzWr.exe
  2⤵
  PID:8752
- C:\Windows\System32\xjaMRsZ.exe
  C:\Windows\System32\xjaMRsZ.exe
  2⤵
  PID:8776
- C:\Windows\System32\ZmylhVX.exe
  C:\Windows\System32\ZmylhVX.exe
  2⤵
  PID:8804
- C:\Windows\System32\RcgDqPF.exe
  C:\Windows\System32\RcgDqPF.exe
  2⤵
  PID:8840
- C:\Windows\System32\pYMsyFY.exe
  C:\Windows\System32\pYMsyFY.exe
  2⤵
  PID:8864
- C:\Windows\System32\pqAMKxU.exe
  C:\Windows\System32\pqAMKxU.exe
  2⤵
  PID:8884
- C:\Windows\System32\jatsqfC.exe
  C:\Windows\System32\jatsqfC.exe
  2⤵
  PID:8928
- C:\Windows\System32\REaDXTy.exe
  C:\Windows\System32\REaDXTy.exe
  2⤵
  PID:8948
- C:\Windows\System32\OMunlKa.exe
  C:\Windows\System32\OMunlKa.exe
  2⤵
  PID:8972
- C:\Windows\System32\kedRcqX.exe
  C:\Windows\System32\kedRcqX.exe
  2⤵
  PID:8992
- C:\Windows\System32\vnLizFD.exe
  C:\Windows\System32\vnLizFD.exe
  2⤵
  PID:9016
- C:\Windows\System32\sBpxYiN.exe
  C:\Windows\System32\sBpxYiN.exe
  2⤵
  PID:9044
- C:\Windows\System32\VaxauRC.exe
  C:\Windows\System32\VaxauRC.exe
  2⤵
  PID:9112
- C:\Windows\System32\qkyiAzm.exe
  C:\Windows\System32\qkyiAzm.exe
  2⤵
  PID:9144
- C:\Windows\System32\lrmZyVZ.exe
  C:\Windows\System32\lrmZyVZ.exe
  2⤵
  PID:9180
- C:\Windows\System32\UzNDVJA.exe
  C:\Windows\System32\UzNDVJA.exe
  2⤵
  PID:9212
- C:\Windows\System32\PvYFsUn.exe
  C:\Windows\System32\PvYFsUn.exe
  2⤵
  PID:7248
- C:\Windows\System32\TZxHKSd.exe
  C:\Windows\System32\TZxHKSd.exe
  2⤵
  PID:7708
- C:\Windows\System32\uHhoNSu.exe
  C:\Windows\System32\uHhoNSu.exe
  2⤵
  PID:6428
- C:\Windows\System32\ELNBCCz.exe
  C:\Windows\System32\ELNBCCz.exe
  2⤵
  PID:8236
- C:\Windows\System32\ycaBMkv.exe
  C:\Windows\System32\ycaBMkv.exe
  2⤵
  PID:8216
- C:\Windows\System32\OFGybGY.exe
  C:\Windows\System32\OFGybGY.exe
  2⤵
  PID:8284
- C:\Windows\System32\dmPZPXO.exe
  C:\Windows\System32\dmPZPXO.exe
  2⤵
  PID:8380
- C:\Windows\System32\noJEJSf.exe
  C:\Windows\System32\noJEJSf.exe
  2⤵
  PID:8452
- C:\Windows\System32\eiTklQp.exe
  C:\Windows\System32\eiTklQp.exe
  2⤵
  PID:8600
- C:\Windows\System32\AKZALcb.exe
  C:\Windows\System32\AKZALcb.exe
  2⤵
  PID:8620
- C:\Windows\System32\NFeINcI.exe
  C:\Windows\System32\NFeINcI.exe
  2⤵
  PID:8680
- C:\Windows\System32\fZHRMQn.exe
  C:\Windows\System32\fZHRMQn.exe
  2⤵
  PID:8744
- C:\Windows\System32\KGKoCrE.exe
  C:\Windows\System32\KGKoCrE.exe
  2⤵
  PID:8816
- C:\Windows\System32\TEhIOoo.exe
  C:\Windows\System32\TEhIOoo.exe
  2⤵
  PID:8876
- C:\Windows\System32\ClTJLYS.exe
  C:\Windows\System32\ClTJLYS.exe
  2⤵
  PID:8940
- C:\Windows\System32\RRvNKvF.exe
  C:\Windows\System32\RRvNKvF.exe
  2⤵
  PID:9040
- C:\Windows\System32\OcKUwWB.exe
  C:\Windows\System32\OcKUwWB.exe
  2⤵
  PID:9104
- C:\Windows\System32\IYpuOOq.exe
  C:\Windows\System32\IYpuOOq.exe
  2⤵
  PID:9204
- C:\Windows\System32\lJzvcpj.exe
  C:\Windows\System32\lJzvcpj.exe
  2⤵
  PID:7456
- C:\Windows\System32\nmJNlDZ.exe
  C:\Windows\System32\nmJNlDZ.exe
  2⤵
  PID:8220
- C:\Windows\System32\QqNekcp.exe
  C:\Windows\System32\QqNekcp.exe
  2⤵
  PID:8508
- C:\Windows\System32\kDXfLhz.exe
  C:\Windows\System32\kDXfLhz.exe
  2⤵
  PID:8736
- C:\Windows\System32\rHQtABt.exe
  C:\Windows\System32\rHQtABt.exe
  2⤵
  PID:8800
- C:\Windows\System32\NIzmEsc.exe
  C:\Windows\System32\NIzmEsc.exe
  2⤵
  PID:8968
- C:\Windows\System32\bMZJvnO.exe
  C:\Windows\System32\bMZJvnO.exe
  2⤵
  PID:9012
- C:\Windows\System32\UkGzPKU.exe
  C:\Windows\System32\UkGzPKU.exe
  2⤵
  PID:9120
- C:\Windows\System32\vnCWjGw.exe
  C:\Windows\System32\vnCWjGw.exe
  2⤵
  PID:5868
- C:\Windows\System32\raUlCYS.exe
  C:\Windows\System32\raUlCYS.exe
  2⤵
  PID:8768
- C:\Windows\System32\eyFNaUL.exe
  C:\Windows\System32\eyFNaUL.exe
  2⤵
  PID:9084
- C:\Windows\System32\jxIZhBo.exe
  C:\Windows\System32\jxIZhBo.exe
  2⤵
  PID:9072
- C:\Windows\System32\NOCmOwX.exe
  C:\Windows\System32\NOCmOwX.exe
  2⤵
  PID:9228
- C:\Windows\System32\ONIRvSh.exe
  C:\Windows\System32\ONIRvSh.exe
  2⤵
  PID:9248
- C:\Windows\System32\yHZNRob.exe
  C:\Windows\System32\yHZNRob.exe
  2⤵
  PID:9272
- C:\Windows\System32\xxmvJqt.exe
  C:\Windows\System32\xxmvJqt.exe
  2⤵
  PID:9288
- C:\Windows\System32\ZCkDvVU.exe
  C:\Windows\System32\ZCkDvVU.exe
  2⤵
  PID:9320
- C:\Windows\System32\cOHHGNi.exe
  C:\Windows\System32\cOHHGNi.exe
  2⤵
  PID:9340
- C:\Windows\System32\dbnBhvG.exe
  C:\Windows\System32\dbnBhvG.exe
  2⤵
  PID:9356
- C:\Windows\System32\muOWvyC.exe
  C:\Windows\System32\muOWvyC.exe
  2⤵
  PID:9404
- C:\Windows\System32\dPSsIwh.exe
  C:\Windows\System32\dPSsIwh.exe
  2⤵
  PID:9444
- C:\Windows\System32\PgnzxtU.exe
  C:\Windows\System32\PgnzxtU.exe
  2⤵
  PID:9464
- C:\Windows\System32\qApneNI.exe
  C:\Windows\System32\qApneNI.exe
  2⤵
  PID:9488
- C:\Windows\System32\MHJAWNg.exe
  C:\Windows\System32\MHJAWNg.exe
  2⤵
  PID:9504
- C:\Windows\System32\nJeZtFc.exe
  C:\Windows\System32\nJeZtFc.exe
  2⤵
  PID:9524
- C:\Windows\System32\NpgyULf.exe
  C:\Windows\System32\NpgyULf.exe
  2⤵
  PID:9560
- C:\Windows\System32\DNcThjQ.exe
  C:\Windows\System32\DNcThjQ.exe
  2⤵
  PID:9584
- C:\Windows\System32\jXMZnLM.exe
  C:\Windows\System32\jXMZnLM.exe
  2⤵
  PID:9640
- C:\Windows\System32\teKWWIA.exe
  C:\Windows\System32\teKWWIA.exe
  2⤵
  PID:9656
- C:\Windows\System32\aDdEeWP.exe
  C:\Windows\System32\aDdEeWP.exe
  2⤵
  PID:9676
- C:\Windows\System32\zWwpmLw.exe
  C:\Windows\System32\zWwpmLw.exe
  2⤵
  PID:9696
- C:\Windows\System32\AuXDrzR.exe
  C:\Windows\System32\AuXDrzR.exe
  2⤵
  PID:9716
- C:\Windows\System32\WliHkJq.exe
  C:\Windows\System32\WliHkJq.exe
  2⤵
  PID:9740
- C:\Windows\System32\ySefUFg.exe
  C:\Windows\System32\ySefUFg.exe
  2⤵
  PID:9812
- C:\Windows\System32\XHQRFgM.exe
  C:\Windows\System32\XHQRFgM.exe
  2⤵
  PID:9840
- C:\Windows\System32\YshsPPX.exe
  C:\Windows\System32\YshsPPX.exe
  2⤵
  PID:9868
- C:\Windows\System32\yTlywUj.exe
  C:\Windows\System32\yTlywUj.exe
  2⤵
  PID:9896
- C:\Windows\System32\GJvuwKB.exe
  C:\Windows\System32\GJvuwKB.exe
  2⤵
  PID:9924
- C:\Windows\System32\IJKOjWC.exe
  C:\Windows\System32\IJKOjWC.exe
  2⤵
  PID:9952
- C:\Windows\System32\TEsnIrl.exe
  C:\Windows\System32\TEsnIrl.exe
  2⤵
  PID:9972
- C:\Windows\System32\YDLPPZP.exe
  C:\Windows\System32\YDLPPZP.exe
  2⤵
  PID:9996
- C:\Windows\System32\mLUBxyC.exe
  C:\Windows\System32\mLUBxyC.exe
  2⤵
  PID:10020
- C:\Windows\System32\sSFyqij.exe
  C:\Windows\System32\sSFyqij.exe
  2⤵
  PID:10060
- C:\Windows\System32\zisRpDS.exe
  C:\Windows\System32\zisRpDS.exe
  2⤵
  PID:10080
- C:\Windows\System32\UQHvfPE.exe
  C:\Windows\System32\UQHvfPE.exe
  2⤵
  PID:10124
- C:\Windows\System32\KhndXYs.exe
  C:\Windows\System32\KhndXYs.exe
  2⤵
  PID:10168
- C:\Windows\System32\pMCAlyJ.exe
  C:\Windows\System32\pMCAlyJ.exe
  2⤵
  PID:10188
- C:\Windows\System32\VYUQaul.exe
  C:\Windows\System32\VYUQaul.exe
  2⤵
  PID:10212
- C:\Windows\System32\UZRjcnD.exe
  C:\Windows\System32\UZRjcnD.exe
  2⤵
  PID:10228
- C:\Windows\System32\gNkeBVB.exe
  C:\Windows\System32\gNkeBVB.exe
  2⤵
  PID:9240
- C:\Windows\System32\pMlzjTI.exe
  C:\Windows\System32\pMlzjTI.exe
  2⤵
  PID:9268
- C:\Windows\System32\VutSWIr.exe
  C:\Windows\System32\VutSWIr.exe
  2⤵
  PID:9376
- C:\Windows\System32\FaHDFLN.exe
  C:\Windows\System32\FaHDFLN.exe
  2⤵
  PID:9428
- C:\Windows\System32\eajRzGN.exe
  C:\Windows\System32\eajRzGN.exe
  2⤵
  PID:9532
- C:\Windows\System32\EtfOuee.exe
  C:\Windows\System32\EtfOuee.exe
  2⤵
  PID:9536
- C:\Windows\System32\SnJgNdE.exe
  C:\Windows\System32\SnJgNdE.exe
  2⤵
  PID:9652
- C:\Windows\System32\jcwVPcF.exe
  C:\Windows\System32\jcwVPcF.exe
  2⤵
  PID:9732
- C:\Windows\System32\IbEDzpN.exe
  C:\Windows\System32\IbEDzpN.exe
  2⤵
  PID:9772
- C:\Windows\System32\ovDKDSg.exe
  C:\Windows\System32\ovDKDSg.exe
  2⤵
  PID:9768
- C:\Windows\System32\DYciIbw.exe
  C:\Windows\System32\DYciIbw.exe
  2⤵
  PID:9828
- C:\Windows\System32\lsrCbdb.exe
  C:\Windows\System32\lsrCbdb.exe
  2⤵
  PID:9968
- C:\Windows\System32\mFqjtsx.exe
  C:\Windows\System32\mFqjtsx.exe
  2⤵
  PID:9960
- C:\Windows\System32\WLsctHe.exe
  C:\Windows\System32\WLsctHe.exe
  2⤵
  PID:10032
- C:\Windows\System32\oVoGutl.exe
  C:\Windows\System32\oVoGutl.exe
  2⤵
  PID:10116
- C:\Windows\System32\OSsllEo.exe
  C:\Windows\System32\OSsllEo.exe
  2⤵
  PID:10184
- C:\Windows\System32\olbtXrJ.exe
  C:\Windows\System32\olbtXrJ.exe
  2⤵
  PID:9456
- C:\Windows\System32\KEqYxaT.exe
  C:\Windows\System32\KEqYxaT.exe
  2⤵
  PID:9480
- C:\Windows\System32\KATGOhd.exe
  C:\Windows\System32\KATGOhd.exe
  2⤵
  PID:9572
- C:\Windows\System32\AjSVwzw.exe
  C:\Windows\System32\AjSVwzw.exe
  2⤵
  PID:9692
- C:\Windows\System32\sxrTJls.exe
  C:\Windows\System32\sxrTJls.exe
  2⤵
  PID:9920
- C:\Windows\System32\ciiUVRu.exe
  C:\Windows\System32\ciiUVRu.exe
  2⤵
  PID:10148
- C:\Windows\System32\uUsGsxz.exe
  C:\Windows\System32\uUsGsxz.exe
  2⤵
  PID:10220
- C:\Windows\System32\LnVGCzA.exe
  C:\Windows\System32\LnVGCzA.exe
  2⤵
  PID:9416
- C:\Windows\System32\vvKbtoi.exe
  C:\Windows\System32\vvKbtoi.exe
  2⤵
  PID:9748
- C:\Windows\System32\cGBUeKg.exe
  C:\Windows\System32\cGBUeKg.exe
  2⤵
  PID:10224
- C:\Windows\System32\kdyAzti.exe
  C:\Windows\System32\kdyAzti.exe
  2⤵
  PID:10248
- C:\Windows\System32\AUHAPZj.exe
  C:\Windows\System32\AUHAPZj.exe
  2⤵
  PID:10264
- C:\Windows\System32\saGUacT.exe
  C:\Windows\System32\saGUacT.exe
  2⤵
  PID:10284
- C:\Windows\System32\lreKQyk.exe
  C:\Windows\System32\lreKQyk.exe
  2⤵
  PID:10300
- C:\Windows\System32\tjjhXqM.exe
  C:\Windows\System32\tjjhXqM.exe
  2⤵
  PID:10336
- C:\Windows\System32\AHkvnZY.exe
  C:\Windows\System32\AHkvnZY.exe
  2⤵
  PID:10368
- C:\Windows\System32\kZPLKKF.exe
  C:\Windows\System32\kZPLKKF.exe
  2⤵
  PID:10392
- C:\Windows\System32\YhwIyyF.exe
  C:\Windows\System32\YhwIyyF.exe
  2⤵
  PID:10412
- C:\Windows\System32\wLFOWNJ.exe
  C:\Windows\System32\wLFOWNJ.exe
  2⤵
  PID:10444
- C:\Windows\System32\zLrEIdz.exe
  C:\Windows\System32\zLrEIdz.exe
  2⤵
  PID:10484
- C:\Windows\System32\cqMrKTK.exe
  C:\Windows\System32\cqMrKTK.exe
  2⤵
  PID:10500
- C:\Windows\System32\UUQVjyG.exe
  C:\Windows\System32\UUQVjyG.exe
  2⤵
  PID:10524
- C:\Windows\System32\NuJrcUH.exe
  C:\Windows\System32\NuJrcUH.exe
  2⤵
  PID:10560
- C:\Windows\System32\PNcRztO.exe
  C:\Windows\System32\PNcRztO.exe
  2⤵
  PID:10596
- C:\Windows\System32\gfviGxg.exe
  C:\Windows\System32\gfviGxg.exe
  2⤵
  PID:10616
- C:\Windows\System32\sHYUOPM.exe
  C:\Windows\System32\sHYUOPM.exe
  2⤵
  PID:10636
- C:\Windows\System32\UlkATxK.exe
  C:\Windows\System32\UlkATxK.exe
  2⤵
  PID:10668
- C:\Windows\System32\ReCvmLO.exe
  C:\Windows\System32\ReCvmLO.exe
  2⤵
  PID:10692
- C:\Windows\System32\TWhzfmh.exe
  C:\Windows\System32\TWhzfmh.exe
  2⤵
  PID:10716
- C:\Windows\System32\UUQbOkg.exe
  C:\Windows\System32\UUQbOkg.exe
  2⤵
  PID:10752
- C:\Windows\System32\OLxhFaS.exe
  C:\Windows\System32\OLxhFaS.exe
  2⤵
  PID:10780
- C:\Windows\System32\wwwmKoZ.exe
  C:\Windows\System32\wwwmKoZ.exe
  2⤵
  PID:10800
- C:\Windows\System32\rTQSfIk.exe
  C:\Windows\System32\rTQSfIk.exe
  2⤵
  PID:10820
- C:\Windows\System32\WcyYQBz.exe
  C:\Windows\System32\WcyYQBz.exe
  2⤵
  PID:10836
- C:\Windows\System32\ttQZyjN.exe
  C:\Windows\System32\ttQZyjN.exe
  2⤵
  PID:10856
- C:\Windows\System32\ELlECBq.exe
  C:\Windows\System32\ELlECBq.exe
  2⤵
  PID:10920
- C:\Windows\System32\HWbWdgI.exe
  C:\Windows\System32\HWbWdgI.exe
  2⤵
  PID:10952
- C:\Windows\System32\MUzNCmX.exe
  C:\Windows\System32\MUzNCmX.exe
  2⤵
  PID:10976
- C:\Windows\System32\ZknaaQl.exe
  C:\Windows\System32\ZknaaQl.exe
  2⤵
  PID:10992
- C:\Windows\System32\rPyiZnI.exe
  C:\Windows\System32\rPyiZnI.exe
  2⤵
  PID:11008
- C:\Windows\System32\uDstXnZ.exe
  C:\Windows\System32\uDstXnZ.exe
  2⤵
  PID:11032
- C:\Windows\System32\RqIXRuA.exe
  C:\Windows\System32\RqIXRuA.exe
  2⤵
  PID:11048
- C:\Windows\System32\ZLbxYqj.exe
  C:\Windows\System32\ZLbxYqj.exe
  2⤵
  PID:11096
- C:\Windows\System32\uvkldLF.exe
  C:\Windows\System32\uvkldLF.exe
  2⤵
  PID:11144
- C:\Windows\System32\gcyhXFF.exe
  C:\Windows\System32\gcyhXFF.exe
  2⤵
  PID:11180
- C:\Windows\System32\OnwLPcZ.exe
  C:\Windows\System32\OnwLPcZ.exe
  2⤵
  PID:11204
- C:\Windows\System32\nqAzCXD.exe
  C:\Windows\System32\nqAzCXD.exe
  2⤵
  PID:11236
- C:\Windows\System32\AFaXaLx.exe
  C:\Windows\System32\AFaXaLx.exe
  2⤵
  PID:9224
- C:\Windows\System32\fhrytkZ.exe
  C:\Windows\System32\fhrytkZ.exe
  2⤵
  PID:10296
- C:\Windows\System32\mcTYpRm.exe
  C:\Windows\System32\mcTYpRm.exe
  2⤵
  PID:10332
- C:\Windows\System32\mrmUQsn.exe
  C:\Windows\System32\mrmUQsn.exe
  2⤵
  PID:10376
- C:\Windows\System32\xFbooEm.exe
  C:\Windows\System32\xFbooEm.exe
  2⤵
  PID:10452
- C:\Windows\System32\GFXvMWL.exe
  C:\Windows\System32\GFXvMWL.exe
  2⤵
  PID:10540
- C:\Windows\System32\VOmnpth.exe
  C:\Windows\System32\VOmnpth.exe
  2⤵
  PID:10592
- C:\Windows\System32\SsZjQGg.exe
  C:\Windows\System32\SsZjQGg.exe
  2⤵
  PID:10612
- C:\Windows\System32\XEBlgKq.exe
  C:\Windows\System32\XEBlgKq.exe
  2⤵
  PID:10644
- C:\Windows\System32\RwecbfY.exe
  C:\Windows\System32\RwecbfY.exe
  2⤵
  PID:10712
- C:\Windows\System32\HEKuHbo.exe
  C:\Windows\System32\HEKuHbo.exe
  2⤵
  PID:10768
- C:\Windows\System32\bzZlyYQ.exe
  C:\Windows\System32\bzZlyYQ.exe
  2⤵
  PID:10868
- C:\Windows\System32\QlLjsLa.exe
  C:\Windows\System32\QlLjsLa.exe
  2⤵
  PID:10788
- C:\Windows\System32\kurfHsW.exe
  C:\Windows\System32\kurfHsW.exe
  2⤵
  PID:10984
- C:\Windows\System32\wZaKYFt.exe
  C:\Windows\System32\wZaKYFt.exe
  2⤵
  PID:11196
- C:\Windows\System32\IKAerBN.exe
  C:\Windows\System32\IKAerBN.exe
  2⤵
  PID:11248
- C:\Windows\System32\xncphKN.exe
  C:\Windows\System32\xncphKN.exe
  2⤵
  PID:10308
- C:\Windows\System32\UPugaUm.exe
  C:\Windows\System32\UPugaUm.exe
  2⤵
  PID:10344
- C:\Windows\System32\SHloBHU.exe
  C:\Windows\System32\SHloBHU.exe
  2⤵
  PID:10400
- C:\Windows\System32\hbxeNjk.exe
  C:\Windows\System32\hbxeNjk.exe
  2⤵
  PID:10688
- C:\Windows\System32\XvkEesy.exe
  C:\Windows\System32\XvkEesy.exe
  2⤵
  PID:10728
- C:\Windows\System32\gXuuMYL.exe
  C:\Windows\System32\gXuuMYL.exe
  2⤵
  PID:10880
- C:\Windows\System32\kvHXMgx.exe
  C:\Windows\System32\kvHXMgx.exe
  2⤵
  PID:11060
- C:\Windows\System32\EKzcCFU.exe
  C:\Windows\System32\EKzcCFU.exe
  2⤵
  PID:10292
- C:\Windows\System32\dUqkgLp.exe
  C:\Windows\System32\dUqkgLp.exe
  2⤵
  PID:10608
- C:\Windows\System32\lbPYmdg.exe
  C:\Windows\System32\lbPYmdg.exe
  2⤵
  PID:4372
- C:\Windows\System32\rSTQBGh.exe
  C:\Windows\System32\rSTQBGh.exe
  2⤵
  PID:11000
- C:\Windows\System32\uZSphbc.exe
  C:\Windows\System32\uZSphbc.exe
  2⤵
  PID:11056
- C:\Windows\System32\dFFtmfx.exe
  C:\Windows\System32\dFFtmfx.exe
  2⤵
  PID:11280
- C:\Windows\System32\LDrpAdZ.exe
  C:\Windows\System32\LDrpAdZ.exe
  2⤵
  PID:11300
- C:\Windows\System32\bJyHhlD.exe
  C:\Windows\System32\bJyHhlD.exe
  2⤵
  PID:11324
- C:\Windows\System32\godbCDZ.exe
  C:\Windows\System32\godbCDZ.exe
  2⤵
  PID:11348
- C:\Windows\System32\gpnQrgT.exe
  C:\Windows\System32\gpnQrgT.exe
  2⤵
  PID:11364
- C:\Windows\System32\PyKHare.exe
  C:\Windows\System32\PyKHare.exe
  2⤵
  PID:11384
- C:\Windows\System32\BMDhCfx.exe
  C:\Windows\System32\BMDhCfx.exe
  2⤵
  PID:11440
- C:\Windows\System32\rhdjEKx.exe
  C:\Windows\System32\rhdjEKx.exe
  2⤵
  PID:11460
- C:\Windows\System32\MEtnuaD.exe
  C:\Windows\System32\MEtnuaD.exe
  2⤵
  PID:11504
- C:\Windows\System32\nZrcjYU.exe
  C:\Windows\System32\nZrcjYU.exe
  2⤵
  PID:11536
- C:\Windows\System32\JSImOPr.exe
  C:\Windows\System32\JSImOPr.exe
  2⤵
  PID:11560
- C:\Windows\System32\ZIliwYL.exe
  C:\Windows\System32\ZIliwYL.exe
  2⤵
  PID:11600
- C:\Windows\System32\FBMgkNf.exe
  C:\Windows\System32\FBMgkNf.exe
  2⤵
  PID:11628
- C:\Windows\System32\ubrFdPW.exe
  C:\Windows\System32\ubrFdPW.exe
  2⤵
  PID:11652
- C:\Windows\System32\dYaryJl.exe
  C:\Windows\System32\dYaryJl.exe
  2⤵
  PID:11696
- C:\Windows\System32\pDSValp.exe
  C:\Windows\System32\pDSValp.exe
  2⤵
  PID:11712
- C:\Windows\System32\PcukMzq.exe
  C:\Windows\System32\PcukMzq.exe
  2⤵
  PID:11732
- C:\Windows\System32\tqnjqKI.exe
  C:\Windows\System32\tqnjqKI.exe
  2⤵
  PID:11760
- C:\Windows\System32\gxYjrWx.exe
  C:\Windows\System32\gxYjrWx.exe
  2⤵
  PID:11784
- C:\Windows\System32\TCKnsPC.exe
  C:\Windows\System32\TCKnsPC.exe
  2⤵
  PID:11844
- C:\Windows\System32\gwgbsWF.exe
  C:\Windows\System32\gwgbsWF.exe
  2⤵
  PID:11864
- C:\Windows\System32\viTNeLX.exe
  C:\Windows\System32\viTNeLX.exe
  2⤵
  PID:11880
- C:\Windows\System32\WRnAKZy.exe
  C:\Windows\System32\WRnAKZy.exe
  2⤵
  PID:11908
- C:\Windows\System32\OcJlMrM.exe
  C:\Windows\System32\OcJlMrM.exe
  2⤵
  PID:11936
- C:\Windows\System32\tOhNawK.exe
  C:\Windows\System32\tOhNawK.exe
  2⤵
  PID:11964
- C:\Windows\System32\eVsYMwv.exe
  C:\Windows\System32\eVsYMwv.exe
  2⤵
  PID:11992
- C:\Windows\System32\YbgbqIv.exe
  C:\Windows\System32\YbgbqIv.exe
  2⤵
  PID:12024
- C:\Windows\System32\yzpwVmT.exe
  C:\Windows\System32\yzpwVmT.exe
  2⤵
  PID:12060
- C:\Windows\System32\YseHPcI.exe
  C:\Windows\System32\YseHPcI.exe
  2⤵
  PID:12080
- C:\Windows\System32\uKcAewe.exe
  C:\Windows\System32\uKcAewe.exe
  2⤵
  PID:12096
- C:\Windows\System32\OjpKMsZ.exe
  C:\Windows\System32\OjpKMsZ.exe
  2⤵
  PID:12136
- C:\Windows\System32\bSJLEPH.exe
  C:\Windows\System32\bSJLEPH.exe
  2⤵
  PID:12176
- C:\Windows\System32\XuBOwno.exe
  C:\Windows\System32\XuBOwno.exe
  2⤵
  PID:12200
- C:\Windows\System32\MEQHKNB.exe
  C:\Windows\System32\MEQHKNB.exe
  2⤵
  PID:12220
- C:\Windows\System32\yNGqXnz.exe
  C:\Windows\System32\yNGqXnz.exe
  2⤵
  PID:12256
- C:\Windows\System32\omjDIwX.exe
  C:\Windows\System32\omjDIwX.exe
  2⤵
  PID:12280
- C:\Windows\System32\QRuKLBi.exe
  C:\Windows\System32\QRuKLBi.exe
  2⤵
  PID:11336
- C:\Windows\System32\SIjKCbH.exe
  C:\Windows\System32\SIjKCbH.exe
  2⤵
  PID:11416
- C:\Windows\System32\fRLGnOP.exe
  C:\Windows\System32\fRLGnOP.exe
  2⤵
  PID:11468
- C:\Windows\System32\bwiMFbX.exe
  C:\Windows\System32\bwiMFbX.exe
  2⤵
  PID:11484
- C:\Windows\System32\suPFEip.exe
  C:\Windows\System32\suPFEip.exe
  2⤵
  PID:11588
- C:\Windows\System32\TQFggYR.exe
  C:\Windows\System32\TQFggYR.exe
  2⤵
  PID:11644
- C:\Windows\System32\SqCdIUS.exe
  C:\Windows\System32\SqCdIUS.exe
  2⤵
  PID:11680
- C:\Windows\System32\qKJuURa.exe
  C:\Windows\System32\qKJuURa.exe
  2⤵
  PID:11740
- C:\Windows\System32\PkYyxyA.exe
  C:\Windows\System32\PkYyxyA.exe
  2⤵
  PID:11820
- C:\Windows\System32\EAQZFFS.exe
  C:\Windows\System32\EAQZFFS.exe
  2⤵
  PID:11892
- C:\Windows\System32\iWsvmvx.exe
  C:\Windows\System32\iWsvmvx.exe
  2⤵
  PID:11916
- C:\Windows\System32\pcQivAx.exe
  C:\Windows\System32\pcQivAx.exe
  2⤵
  PID:11984
- C:\Windows\System32\SIzPShm.exe
  C:\Windows\System32\SIzPShm.exe
  2⤵
  PID:12068
- C:\Windows\System32\rAGkVDG.exe
  C:\Windows\System32\rAGkVDG.exe
  2⤵
  PID:12212
- C:\Windows\System32\CVQRgnJ.exe
  C:\Windows\System32\CVQRgnJ.exe
  2⤵
  PID:10556
- C:\Windows\System32\qYcepaI.exe
  C:\Windows\System32\qYcepaI.exe
  2⤵
  PID:11360
- C:\Windows\System32\dthXILX.exe
  C:\Windows\System32\dthXILX.exe
  2⤵
  PID:11516
- C:\Windows\System32\fsoCnSC.exe
  C:\Windows\System32\fsoCnSC.exe
  2⤵
  PID:11548
- C:\Windows\System32\HeOFdzy.exe
  C:\Windows\System32\HeOFdzy.exe
  2⤵
  PID:11812
- C:\Windows\System32\ZNJZLDm.exe
  C:\Windows\System32\ZNJZLDm.exe
  2⤵
  PID:11860
- C:\Windows\System32\WcKbIbm.exe
  C:\Windows\System32\WcKbIbm.exe
  2⤵
  PID:11920
- C:\Windows\System32\limHrhi.exe
  C:\Windows\System32\limHrhi.exe
  2⤵
  PID:12216
- C:\Windows\System32\ozcZJge.exe
  C:\Windows\System32\ozcZJge.exe
  2⤵
  PID:11292
- C:\Windows\System32\FeWFKhT.exe
  C:\Windows\System32\FeWFKhT.exe
  2⤵
  PID:11256
- C:\Windows\System32\MBhbBhm.exe
  C:\Windows\System32\MBhbBhm.exe
  2⤵
  PID:11976
- C:\Windows\System32\KZJRYDo.exe
  C:\Windows\System32\KZJRYDo.exe
  2⤵
  PID:12228
- C:\Windows\System32\vzSSbKq.exe
  C:\Windows\System32\vzSSbKq.exe
  2⤵
  PID:11524
- C:\Windows\System32\NdFsJYv.exe
  C:\Windows\System32\NdFsJYv.exe
  2⤵
  PID:11616
- C:\Windows\System32\OFqvKWO.exe
  C:\Windows\System32\OFqvKWO.exe
  2⤵
  PID:12264
- C:\Windows\System32\rdFztUc.exe
  C:\Windows\System32\rdFztUc.exe
  2⤵
  PID:12304
- C:\Windows\System32\xiaTjkJ.exe
  C:\Windows\System32\xiaTjkJ.exe
  2⤵
  PID:12324
- C:\Windows\System32\aQXoXNU.exe
  C:\Windows\System32\aQXoXNU.exe
  2⤵
  PID:12344
- C:\Windows\System32\BnQzRdG.exe
  C:\Windows\System32\BnQzRdG.exe
  2⤵
  PID:12364
- C:\Windows\System32\NrmnEQp.exe
  C:\Windows\System32\NrmnEQp.exe
  2⤵
  PID:12392
- C:\Windows\System32\fgkQJPk.exe
  C:\Windows\System32\fgkQJPk.exe
  2⤵
  PID:12424
- C:\Windows\System32\vuAtQft.exe
  C:\Windows\System32\vuAtQft.exe
  2⤵
  PID:12456
- C:\Windows\System32\YBUWlIp.exe
  C:\Windows\System32\YBUWlIp.exe
  2⤵
  PID:12484
- C:\Windows\System32\uZUfjDy.exe
  C:\Windows\System32\uZUfjDy.exe
  2⤵
  PID:12500
- C:\Windows\System32\JYpfmpV.exe
  C:\Windows\System32\JYpfmpV.exe
  2⤵
  PID:12532
- C:\Windows\System32\tgxVBde.exe
  C:\Windows\System32\tgxVBde.exe
  2⤵
  PID:12556
- C:\Windows\System32\wJSEDLl.exe
  C:\Windows\System32\wJSEDLl.exe
  2⤵
  PID:12584
- C:\Windows\System32\HWjMNtr.exe
  C:\Windows\System32\HWjMNtr.exe
  2⤵
  PID:12608
- C:\Windows\System32\PfHzcSB.exe
  C:\Windows\System32\PfHzcSB.exe
  2⤵
  PID:12628
- C:\Windows\System32\kyqrERz.exe
  C:\Windows\System32\kyqrERz.exe
  2⤵
  PID:12660
- C:\Windows\System32\hFLYnUI.exe
  C:\Windows\System32\hFLYnUI.exe
  2⤵
  PID:12716
- C:\Windows\System32\dCrRZMi.exe
  C:\Windows\System32\dCrRZMi.exe
  2⤵
  PID:12752
- C:\Windows\System32\TRdoSFR.exe
  C:\Windows\System32\TRdoSFR.exe
  2⤵
  PID:12776
- C:\Windows\System32\fMowxkX.exe
  C:\Windows\System32\fMowxkX.exe
  2⤵
  PID:12796
- C:\Windows\System32\UMiBQKo.exe
  C:\Windows\System32\UMiBQKo.exe
  2⤵
  PID:12836
- C:\Windows\System32\ZEOIvnf.exe
  C:\Windows\System32\ZEOIvnf.exe
  2⤵
  PID:12880
- C:\Windows\System32\DfJzbEa.exe
  C:\Windows\System32\DfJzbEa.exe
  2⤵
  PID:12904
- C:\Windows\System32\ZDgWmBj.exe
  C:\Windows\System32\ZDgWmBj.exe
  2⤵
  PID:12932
- C:\Windows\System32\prVSLLp.exe
  C:\Windows\System32\prVSLLp.exe
  2⤵
  PID:12956
- C:\Windows\System32\OEojOff.exe
  C:\Windows\System32\OEojOff.exe
  2⤵
  PID:12972
- C:\Windows\System32\PfpJTpd.exe
  C:\Windows\System32\PfpJTpd.exe
  2⤵
  PID:12992
- C:\Windows\System32\zZkJxVv.exe
  C:\Windows\System32\zZkJxVv.exe
  2⤵
  PID:13016
- C:\Windows\System32\ZOQhbDd.exe
  C:\Windows\System32\ZOQhbDd.exe
  2⤵
  PID:13052
- C:\Windows\System32\JnsPSiV.exe
  C:\Windows\System32\JnsPSiV.exe
  2⤵
  PID:13076
- C:\Windows\System32\ZYEPmtO.exe
  C:\Windows\System32\ZYEPmtO.exe
  2⤵
  PID:13092
- C:\Windows\System32\LQsGaTE.exe
  C:\Windows\System32\LQsGaTE.exe
  2⤵
  PID:13112
- C:\Windows\System32\zavnkMa.exe
  C:\Windows\System32\zavnkMa.exe
  2⤵
  PID:13132
- C:\Windows\System32\RJZITDQ.exe
  C:\Windows\System32\RJZITDQ.exe
  2⤵
  PID:13228
- C:\Windows\System32\kBLOryB.exe
  C:\Windows\System32\kBLOryB.exe
  2⤵
  PID:13256
- C:\Windows\System32\GtwBvNg.exe
  C:\Windows\System32\GtwBvNg.exe
  2⤵
  PID:13280
- C:\Windows\System32\CDNFAhh.exe
  C:\Windows\System32\CDNFAhh.exe
  2⤵
  PID:12360
- C:\Windows\System32\aZHaRUj.exe
  C:\Windows\System32\aZHaRUj.exe
  2⤵
  PID:12412
- C:\Windows\System32\hsJgNod.exe
  C:\Windows\System32\hsJgNod.exe
  2⤵
  PID:12512
- C:\Windows\System32\tVRRoWW.exe
  C:\Windows\System32\tVRRoWW.exe
  2⤵
  PID:12492
- C:\Windows\System32\fxPKFpB.exe
  C:\Windows\System32\fxPKFpB.exe
  2⤵
  PID:12728
- C:\Windows\System32\AvCAKpe.exe
  C:\Windows\System32\AvCAKpe.exe
  2⤵
  PID:13156
- C:\Windows\System32\MeZDZCu.exe
  C:\Windows\System32\MeZDZCu.exe
  2⤵
  PID:13104

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:12656
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:13164

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13768

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13944

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4260

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13820

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:6968

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:13996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1288

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14276

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13724

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7176

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6316

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9084

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9248

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10624

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12384

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4844

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9168

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5172

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13292

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11772

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3432

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7900

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5300

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VIUC5FTS\microsoft.windows[1].xml

Filesize
97B

MD5
ce527660e2911a10ed141408c168cf08

SHA1
f7fe6ba011d45a0c61019bf136273e318d5fad14

SHA256
a5d01801a99d822ce5a8ecddb064e434c324728eef5ca56a75c1f9b21ade2f38

SHA512
e325e3ee565b10e99c3e657513a68c083a83bc1965f067a6f8b0ebbc00af3d61b02317155086c8d9220f7bccfd945fe6249b711cf1f461785a2152d67179054a

Download Submit
C:\Windows\System32\BRsRfUs.exe

Filesize
1.3MB

MD5
f7ac42ed067e8c78931f2e911ff31ba6

SHA1
8c3d7834d47b9f1bcfcdbac11befbd32b526eea5

SHA256
389ab5cfc940d3c3c230da88078cf4a28f14ff5c2f7ba9c25c33d53f27d0bc37

SHA512
89509dfeca5bb416210a914143ba27b4f2340308d1a6b66bc0fb3348844b250d429f06365668ff45db075ec51c84acae3a7b3ea27f565bc4eff2fbe1d212e3de

Download Submit
C:\Windows\System32\CGOYgrX.exe

Filesize
1.3MB

MD5
22ab2c6bc37f6dc19a7acb83fa653233

SHA1
20ba96568b39015c568f963d16e652f05715d07e

SHA256
22a15d8dc6ad9b527efe5b8f770af465f9f95b58a27d30a13b3d85bffc1d449f

SHA512
ed1d31f0578b74dd8daf785f20b1bed71222a8451a24a76318f6ee8dc621e630f75414162e6cdb70c8eecfd6d7b42d6dc4cf6039a8a2b0952127dc6467e2ee0e

Download Submit
C:\Windows\System32\FuKmzwX.exe

Filesize
1.3MB

MD5
4540d05f1da01c3e8d93aa975518971b

SHA1
873c6f7892b2c2864e615e7d076ca0c148fc0d99

SHA256
dd8c22623b360559b798d49452d2aa964135b92a1535ebaa6d23098c3bd42803

SHA512
d0e8ffa9aa6d0e7740e9d67399501006e7c3368c748ef73091b7aab350ee700fa157fd1fcb54ba374508b8018f4c1b065ce367c2d67ffd00eea918a91881a160

Download Submit
C:\Windows\System32\GdzTqqn.exe

Filesize
1.3MB

MD5
b7d77d0e9009d0e50a8140bfc3545f29

SHA1
2908979462e10ca6628e1ef6258aa85493e448ae

SHA256
fcdbc920a1beb367dbd3eba714d86dbb14fba11951d293f16cb3076a9f789727

SHA512
7df913e6814b533628a82284040fe7e25d9bd7389fb7c1531841ee1fc08e95c28800de93aeb07408a24a3f9a142eb6e22a30992ccc3079609a4a9164eb74d6c5

Download Submit
C:\Windows\System32\HoRMREB.exe

Filesize
1.3MB

MD5
2f3bb55090eb8830b1c5a827f1910bf0

SHA1
c27c17683f57862433a7b19baca9e935a7be5175

SHA256
5abae0c4362548daed74754f5779700a9b15cbf99fe2c6a767f6424dfea00264

SHA512
d6a1d6c6e925b7e092384db27ffcb2158a3b2610d86762730551d2f4f2f779ffeb3d7fa07cb5ca0fb610dfb64620283ffcf4367e388e8c6b462adb5172628a37

Download Submit
C:\Windows\System32\HrotQWq.exe

Filesize
1.3MB

MD5
b3f9ce4894159acdd13f6cbe4614b750

SHA1
23dfff389dcc91735e360cedf76113a8f31926f4

SHA256
e760ff321c91aa82899ed4a78e2e5ab35473240a259baa246e5c54dc39b2b647

SHA512
d6fa494ccd36302a3bdd24ff253b2fccd22dd360a062ea9d35c1012e7f9d86adaccf1cf6614c20a1788ea788e5637671ce3b86e6c34449c64c94eec579ef09eb

Download Submit
C:\Windows\System32\JRjAhdx.exe

Filesize
1.3MB

MD5
3adf4e50faebaea4c3e52eb60f19d8fd

SHA1
27c03174b0b2e8b69fb7889815ce704a1a92ce37

SHA256
447482c28077a6a48f44d3da609056752b80c9e626edf2a52c7bd86a5c0731f0

SHA512
385f84f8ae22333e495600be338cc527721667da12c110df5a2cbe1cc56863c2b202e934bcbdaa5de98dfcec7b103fe4af2f6d6d983b8aae76233575122d6fc2

Download Submit
C:\Windows\System32\JbcJNvw.exe

Filesize
1.3MB

MD5
b63ead0099b4cde1c19e333f512bfee6

SHA1
7ac3e0b4e51230e4765dedccd8bb1456eff31776

SHA256
12cb91e8870ce28dd3c440c05097e3acdad8ba48171ee4bdee2798826735f2a9

SHA512
35424d6d7234e2778bed7532abba2d5713eaf0525f7a5c84864f6a5b6c1c84593031da35b71f2d122f4a5520adf0fcc71799ab803d4f298782629ede3d797184

Download Submit
C:\Windows\System32\LhMTqGv.exe

Filesize
1.3MB

MD5
017e2824c3e6a1862cb54a637108d56e

SHA1
0de0624b7cfe9368596a10075740cd994746df54

SHA256
748cbd492379c8fbeda66908422cd001365191137cc175cf305da41c9a094580

SHA512
bc76b154e53bc5ddbbb069b70bb10cc6bb4bf2c4c649c5ed1c5c2cda8cfaa677fb88aa0da2024796a9f88c392e760a95cbb5244947c98f0f8843632063a71920

Download Submit
C:\Windows\System32\MoLysWg.exe

Filesize
1.3MB

MD5
d7bdb9a6b3d743d0756fdf5a306ef37b

SHA1
30738639cd880c4334b944215e59397c4ba159ae

SHA256
5a18ca2e1cd95c25eca10dcab9fee627086e9769ff5dc4eea58edad2fa2189a2

SHA512
ea0535d90f28503f49921e5999a8fbdbc4444e5ac3cd3a9126701371ee965bb35ebdfca347831c71c09b032c21bd663f90d0882b543dff5ac2110e67c3afa191

Download Submit
C:\Windows\System32\OZykEhH.exe

Filesize
1.3MB

MD5
ab91a734d886d352d3e586fca6d9e3aa

SHA1
9ba0faedd97b66d62e1438395c19fd382a87479d

SHA256
22d22729e519784ea3b0566be5cffe59e7e1d000e826cbb5b6a5563bdbe9b747

SHA512
0175354f6d3164f8cc6b169fc38531064169c1425aa4b30bbe6740f6c17260702a45e6092b7b28667989119aaae5da565320bec25a6f237f547ea4ae7829fa3d

Download Submit
C:\Windows\System32\PvBPmXL.exe

Filesize
1.3MB

MD5
7bd8c4facc678c3f93611cad5ebc51b7

SHA1
28bbc92faa32d5b9c1a85f2568b1b42373543d36

SHA256
0b08fc030ce7a686fbfa0da0a950e9d136bf8a0e9aec4b98af4779707d469794

SHA512
aff47474f8f85c88ed258e46bfafc9dab9c56ba3727b0423437b7de22b117e080ce7ce07798e77b890b0aed385340ec0930c1c81d611ae6136125ee6cd714a10

Download Submit
C:\Windows\System32\SGSbNDy.exe

Filesize
1.3MB

MD5
bf9a28e3da6e0274c5a1ad035aecfd8e

SHA1
de9b1d6ea97e57544c6557de998771dbd8b2e259

SHA256
54ab87612ef339c9f6e1fd978618ff1bb3b82a64369455f04c0b723b7dcd78be

SHA512
19a6bb2b9acab3ec7685d675d02255b02b739b368b03365d7d4eae3fa1225887966692a64edbd64d59b045a7532fcb33fc6c86bac0d26ac0dfa15348c15e6c24

Download Submit
C:\Windows\System32\UsjTEKF.exe

Filesize
1.3MB

MD5
52b116862232328e894ceab09c07f34b

SHA1
ab84d08448837edc1129af016d6d1c1e4a8b439a

SHA256
3473d51983ec29050c4cf6347e8e6f531fd5de805b14eef44dcc5fdadb8d550a

SHA512
61aca075e89d4311586ccc5f797862aaf9bd9828d73343c480260299ab7a9c8a100186584fbddbb8fe3a0a9546cc6cf2e8284f7fc0ce41c4c1b5c29a1cdafa23

Download Submit
C:\Windows\System32\WUYOjpr.exe

Filesize
1.3MB

MD5
2d1e54324c9fdc8e6d6008d008d4b0f4

SHA1
a9883722c97eb59a65ad1237370fac944db1750c

SHA256
157a446b636dc62bb5189702c10f4551e8b20413dc1356123e6fd4d638847b1e

SHA512
bdaa370876fe6f8ea6917fcb9b1965dbb96f578558c223a8b88e838966116860aa9e3dba2c7c734e4bfba6a293ab6b440f723614718487896a6f4cc6b33180ef

Download Submit
C:\Windows\System32\YQxSVXX.exe

Filesize
1.3MB

MD5
de25ef8843ebfa7300178c89217a82e7

SHA1
6a71855a957d51dac6262129a59e34fd3af4cbfc

SHA256
dd3730f62c137fd9d014dbdd56c6bd21808145c99ab283aea5b64d224081dde8

SHA512
fd408a5fac92ee4afc572c8d47102b5bab924d53af6e440f64a68c0a86109e6e4db8d0ecc1f92b73c170713a22b73520d0d4eb5b71d0385d2eba5ac9d5a7a06c

Download Submit
C:\Windows\System32\aMePKXo.exe

Filesize
1.3MB

MD5
96694eb025ed9cc38c7464b8ab208d8b

SHA1
8c9f4a47a90c39f9b1fca3dc36b2e47949ef99b7

SHA256
6676356ca42b67c73e6682e051a7f81a275920a8abff0a0de69e0f600a29237a

SHA512
96082cf5aec654310c6f58288308f7b0dea3b25519c8b044522f6847470c44b946a5652669bf5bc443d38208eaea5c200acfa4f2856386abe8595379105eb353

Download Submit
C:\Windows\System32\aiswWFu.exe

Filesize
1.3MB

MD5
8c4f0e32e4ea4afc7917ccfb0b2ef341

SHA1
a746805e0e1cc8f8ebfd6078ee7ed7705cdf8d46

SHA256
3b95226ac99f4ccebe0ed905d8325a4934c066b94ef1a697bfccb7b3097e0cc6

SHA512
8c3a4a6ce519f3ba1f7c87f735c5320379cbedbd1f9e3dd267d00d9abfdb9609e11399cc5d84271e332daf9b73e96e9ca22669933db71d04b1c678717643325e

Download Submit
C:\Windows\System32\ddSPsLE.exe

Filesize
1.3MB

MD5
60cf5b36e0aefec003bd61369e77cdd6

SHA1
815e9366d33cb00c4444c6876593eef0a9248861

SHA256
dad7d952a1a28479887da5d756ae09060dd712cc301b9b3307405d22a373eda5

SHA512
0529dcceaff33b5fc75efce79d17ce9da2cdbccba90521c44a4e606568285553f00fe5faba29be43559894c5f0bb3f7620dc8e6796a82633637598c67015fe38

Download Submit
C:\Windows\System32\fLopCzt.exe

Filesize
1.3MB

MD5
fe35a6ed13032552cb515b57c579d728

SHA1
9da569bdd88f112760269ec6c320217c36e6b501

SHA256
2b5c303501d593f57ffb7633db02ba674571621b98dd96db07476a522eadcaff

SHA512
f5d895e0af9620da51387812d9f25dbdd0fe5c4378cfffb3c09cceb9ee886f7b967f1f6ff378823d30f563ca64f30d677ef075150d5628d7dfa85d5d6b546d70

Download Submit
C:\Windows\System32\fNVtLYE.exe

Filesize
1.3MB

MD5
1175b467301cb8cae4d7aee966af6dfa

SHA1
68e6098540d7754616f63d69ea7e9514a31b8b9d

SHA256
59a52639e104b0412650c35e5022c0b392b079b358e265206ea2a7fc704adb80

SHA512
e56783268cd8db73d8be9a8afd891446cd502a3e4763d85e098307c362ecb6bd124dcaeecd2435b1506841e0caa21cde987664ad67face3405127a6b739bdf7a

Download Submit
C:\Windows\System32\fPjSZqj.exe

Filesize
1.3MB

MD5
f96865262e13f681a23bc2f56c697b6f

SHA1
3850e04b233b10f622ed2e5b6e4acf202a72f5ad

SHA256
c1748a7e0a12c504ab3301a2a34585378be491f60e024135dfc59e60ee9b61f9

SHA512
9af60003738c809a7641bba1f69ac9a9ab70e6331bf207a68af4a15a0762cc608930fab2bba1632e191fb86ede2f0d90844faae8369ea9b3ff3dc4d45c71856e

Download Submit
C:\Windows\System32\hoJERgH.exe

Filesize
1.3MB

MD5
06e57727cd65adeab45ed6d01c2a4208

SHA1
d01eebce7aecb65d41ffe4f500a4710d3dbf7c93

SHA256
079f9b20a78a715c64423bdf0ae58ac202b93dbed67bac6b488e308667c9937a

SHA512
b2962cffc8f2c641181cb682149557389bb70e3e586691f6fcbc7ae8ff26b4523b19bf70b8cf9efed39338847a5fef21110b82f1ed6eeb884f086a2323566873

Download Submit
C:\Windows\System32\jhxChEc.exe

Filesize
1.3MB

MD5
6487134215ae14c1e6a9a425e488d532

SHA1
3ed850d761762fbc41832610d2452c863a765ae4

SHA256
89f57f761b294ea4a20133d1b0fd6cbd11a22037c286ce864131b21bf55be38a

SHA512
1c03ed5934cefbceb8195cd68d2deed47f6a7a58ef1ea79095d45b28b4024f8533102d71546b98087335732c8d01e923b38bc4e76347afae2a0897d7d929901c

Download Submit
C:\Windows\System32\lfeMWEy.exe

Filesize
1.3MB

MD5
97d8125a43249b487ae6ba89c8bfa5c8

SHA1
bc52a52c838b8a3158b01b047660628fbdb8dcd1

SHA256
a17aa2783414ac3d9670df66b55b7164f2513207dbaf64974caadb846755ffd5

SHA512
0173e5019f8c75d47015e5d29553f7b812ba15282a9463bf07ccfd8cf9e2b8a02b810fec049999eb28951f534dc9f8126034afaa18b608bb8504d62f4ac75880

Download Submit
C:\Windows\System32\lrmGGnl.exe

Filesize
1.3MB

MD5
252049c7cd76fe06efb6153b822097f7

SHA1
e8575c0bb14898b5f18da4053089ed6b9959dae2

SHA256
07c889f07e19a71823c094d43f15f4478a865dbbc1e9f844bd3059058eecadb9

SHA512
e8192ba88c8955ab2d5fe02b754698763800fab5a5ce45de7e5987cfe8785b07bc982614ab27dee335c20135c369717206656dd7daeb4075b5980d893ca6db7a

Download Submit
C:\Windows\System32\lteseKV.exe

Filesize
1.3MB

MD5
7153a68b4c11f97ecf8f7271c2109c9f

SHA1
ab6789ef570df395a3ad5c1e7fceefd4b7f9753e

SHA256
4995da08ffde873d08c3a7e72ac1f2f1997d884882f180d59ff4c16e73cdcff5

SHA512
fa1584b87ae7b5c9983524087bc07341c4a45f0b4a9ee542277ffe487e85c34fbe30ef787ae79dd13e5fdf057a5b428830a6a8076f0b3cdbfb04d318d5815089

Download Submit
C:\Windows\System32\mUgOech.exe

Filesize
1.3MB

MD5
f319e46eec9c7f8af28ddbfbdee31796

SHA1
33b2c220213d1648070b5c5d3d7a7ad0d7e7852b

SHA256
18ef6e9d4e21347035a6822e3221d4fde53c618ad3b58b08db227942640f0e6e

SHA512
6d7983ea40e758710fdc8d10baceb04a5c8f3af2f9ce9a255dffd9f598bf2622ad0eddd2a4c07a2b33f65e12a553334e078910f898e9db8d82aa75dd3d6677f3

Download Submit
C:\Windows\System32\pGeNtlm.exe

Filesize
1.3MB

MD5
0aacca515f5b9d4a6d64a2a2723aa5ea

SHA1
fc773174b5073c60cf784ad41988fcd3cf9ef167

SHA256
fd88a96f848bc48724c1c399fe09af2b559c53087d82e91a8b793231c3a65b13

SHA512
84b08483ae612979c46ac94264545842a0665439819d90808589393afe89bb9373e8c82aac2e0122410535badfff2474e1b0cbc7f59518e6fee46dd101817c3c

Download Submit
C:\Windows\System32\qBJwrlB.exe

Filesize
1.3MB

MD5
858d92dffff63a97ebce43517cb1036a

SHA1
02a436266bad0e778be2c9fb61ab4312b8ed1aa3

SHA256
135958d7affa79fcc7d522eda8268b53d2ba8924efd6b400b861ffe92b5d67ca

SHA512
86d269cf71aa07f4b08ea18ffb9881ca2dea12a9a52c4324d5d71ed0b962e0cb96f865d1e6fdada2d34f4c2213d31dfc202761eaa70e52771253d5e5a74325ce

Download Submit
C:\Windows\System32\tBElLKz.exe

Filesize
1.3MB

MD5
b5da269d0786e0349e89df7a6e9fae3b

SHA1
d662b8ef327b360ca1566092b5458a9facd87d69

SHA256
ebbe108f526b3302d2d7393d4189b25f465ba91a97f5cf18aa771f61e3977517

SHA512
43ffbd0fe2fb4c727c9e9e4f8be10608cc0ae8ea21da0137dc4daa88c6cf9b255029dcc217c11511ab8affe1fb8645513deb71923fbacb5a8efcbd3076b057fe

Download Submit
C:\Windows\System32\tOKWMmE.exe

Filesize
1.3MB

MD5
596a782976b382823063ce7c49f34914

SHA1
1fa965d0ca9ded5852235bf2795c8307beb9f987

SHA256
c8e5353e026fce0604b5398b18dcd14451ca106e246e04c7e5ce4359130501bc

SHA512
94a06f6d6615b63d05616ad5bb8c34684bc6ea36ac77f3d1625e53d0d45f20aa1f395917fc3d4604dffed39d5e21f2c219b7a8a389e6f9aa2e3918bcf8a9f1c7

Download Submit
memory/116-368-0x00007FF640BE0000-0x00007FF640FD1000-memory.dmp

Filesize
3.9MB

Download
memory/116-2211-0x00007FF640BE0000-0x00007FF640FD1000-memory.dmp

Filesize
3.9MB

Download
memory/208-360-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp

Filesize
3.9MB

Download
memory/208-2209-0x00007FF65AC60000-0x00007FF65B051000-memory.dmp

Filesize
3.9MB

Download
memory/224-406-0x00007FF748450000-0x00007FF748841000-memory.dmp

Filesize
3.9MB

Download
memory/224-2219-0x00007FF748450000-0x00007FF748841000-memory.dmp

Filesize
3.9MB

Download
memory/864-2052-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp

Filesize
3.9MB

Download
memory/864-2075-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp

Filesize
3.9MB

Download
memory/864-23-0x00007FF6D7A50000-0x00007FF6D7E41000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2077-0x00007FF748780000-0x00007FF748B71000-memory.dmp

Filesize
3.9MB

Download
memory/1080-467-0x00007FF748780000-0x00007FF748B71000-memory.dmp

Filesize
3.9MB

Download
memory/1228-2049-0x00007FF60E150000-0x00007FF60E541000-memory.dmp

Filesize
3.9MB

Download
memory/1228-1-0x000001D4DF380000-0x000001D4DF390000-memory.dmp

Filesize
64KB

Download
memory/1228-0-0x00007FF60E150000-0x00007FF60E541000-memory.dmp

Filesize
3.9MB

Download
memory/1312-2081-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp

Filesize
3.9MB

Download
memory/1312-35-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp

Filesize
3.9MB

Download
memory/1312-2053-0x00007FF7750B0000-0x00007FF7754A1000-memory.dmp

Filesize
3.9MB

Download
memory/1344-426-0x00007FF699340000-0x00007FF699731000-memory.dmp

Filesize
3.9MB

Download
memory/1344-2227-0x00007FF699340000-0x00007FF699731000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2093-0x00007FF6E6D30000-0x00007FF6E7121000-memory.dmp

Filesize
3.9MB

Download
memory/1376-329-0x00007FF6E6D30000-0x00007FF6E7121000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2215-0x00007FF6504C0000-0x00007FF6508B1000-memory.dmp

Filesize
3.9MB

Download
memory/1748-395-0x00007FF6504C0000-0x00007FF6508B1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-2231-0x00007FF6266B0000-0x00007FF626AA1000-memory.dmp

Filesize
3.9MB

Download
memory/2188-446-0x00007FF6266B0000-0x00007FF626AA1000-memory.dmp

Filesize
3.9MB

Download
memory/2280-338-0x00007FF621E20000-0x00007FF622211000-memory.dmp

Filesize
3.9MB

Download
memory/2280-2196-0x00007FF621E20000-0x00007FF622211000-memory.dmp

Filesize
3.9MB

Download
memory/2480-2054-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2480-2083-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2480-46-0x00007FF7019B0000-0x00007FF701DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2624-2229-0x00007FF691CB0000-0x00007FF6920A1000-memory.dmp

Filesize
3.9MB

Download
memory/2624-430-0x00007FF691CB0000-0x00007FF6920A1000-memory.dmp

Filesize
3.9MB

Download
memory/2680-475-0x00007FF606F20000-0x00007FF607311000-memory.dmp

Filesize
3.9MB

Download
memory/2680-2087-0x00007FF606F20000-0x00007FF607311000-memory.dmp

Filesize
3.9MB

Download
memory/2896-328-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2085-0x00007FF69E5B0000-0x00007FF69E9A1000-memory.dmp

Filesize
3.9MB

Download
memory/2912-2233-0x00007FF6397B0000-0x00007FF639BA1000-memory.dmp

Filesize
3.9MB

Download
memory/2912-451-0x00007FF6397B0000-0x00007FF639BA1000-memory.dmp

Filesize
3.9MB

Download
memory/3024-355-0x00007FF70B120000-0x00007FF70B511000-memory.dmp

Filesize
3.9MB

Download
memory/3024-2207-0x00007FF70B120000-0x00007FF70B511000-memory.dmp

Filesize
3.9MB

Download
memory/3412-12-0x00007FF701830000-0x00007FF701C21000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2050-0x00007FF701830000-0x00007FF701C21000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2073-0x00007FF701830000-0x00007FF701C21000-memory.dmp

Filesize
3.9MB

Download
memory/3528-471-0x00007FF68EB80000-0x00007FF68EF71000-memory.dmp

Filesize
3.9MB

Download
memory/3528-2080-0x00007FF68EB80000-0x00007FF68EF71000-memory.dmp

Filesize
3.9MB

Download
memory/3860-419-0x00007FF74FE90000-0x00007FF750281000-memory.dmp

Filesize
3.9MB

Download
memory/3860-2221-0x00007FF74FE90000-0x00007FF750281000-memory.dmp

Filesize
3.9MB

Download
memory/4048-2217-0x00007FF6691D0000-0x00007FF6695C1000-memory.dmp

Filesize
3.9MB

Download
memory/4048-400-0x00007FF6691D0000-0x00007FF6695C1000-memory.dmp

Filesize
3.9MB

Download
memory/4328-2090-0x00007FF655530000-0x00007FF655921000-memory.dmp

Filesize
3.9MB

Download
memory/4328-480-0x00007FF655530000-0x00007FF655921000-memory.dmp

Filesize
3.9MB

Download
memory/4388-424-0x00007FF79E950000-0x00007FF79ED41000-memory.dmp

Filesize
3.9MB

Download
memory/4388-2223-0x00007FF79E950000-0x00007FF79ED41000-memory.dmp

Filesize
3.9MB

Download
memory/5028-2213-0x00007FF756480000-0x00007FF756871000-memory.dmp

Filesize
3.9MB

Download
memory/5028-387-0x00007FF756480000-0x00007FF756871000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads