xmrig | d5bc49f5e6839a22344f3d938c8bc94902d9dbf0a3109c3f3636e175c6627041

Analysis

max time kernel
39s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1084c1ae3bc47570f5328522d6ff7c30N.exe
Size

1.9MB
MD5

1084c1ae3bc47570f5328522d6ff7c30
SHA1

faa1dad41c8b8a911c6f945f4c229f169992b9d1
SHA256

d5bc49f5e6839a22344f3d938c8bc94902d9dbf0a3109c3f3636e175c6627041
SHA512

ad8596fd32d7ad43c3dc2e6a10d8d242c7b5872fc7c5965d8271ab581b89f157b6372289acdf987975761207cae17f4cad46b4babca8cd6a0d3138b08f49979d
SSDEEP

49152:ROdWCCi7/rahlqOdg6VLEL3e73DpSRdya5:RWWBiba+

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/4528-271-0x00007FF6AC530000-0x00007FF6AC881000-memory.dmp	xmrig
behavioral2/memory/1116-318-0x00007FF70B510000-0x00007FF70B861000-memory.dmp	xmrig
behavioral2/memory/2768-345-0x00007FF7F30E0000-0x00007FF7F3431000-memory.dmp	xmrig
behavioral2/memory/4868-354-0x00007FF7E07C0000-0x00007FF7E0B11000-memory.dmp	xmrig
behavioral2/memory/3048-370-0x00007FF7190C0000-0x00007FF719411000-memory.dmp	xmrig
behavioral2/memory/3324-371-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp	xmrig
behavioral2/memory/748-369-0x00007FF6C51D0000-0x00007FF6C5521000-memory.dmp	xmrig
behavioral2/memory/4572-368-0x00007FF6F4290000-0x00007FF6F45E1000-memory.dmp	xmrig
behavioral2/memory/4780-367-0x00007FF64BB30000-0x00007FF64BE81000-memory.dmp	xmrig
behavioral2/memory/3864-366-0x00007FF6F4A60000-0x00007FF6F4DB1000-memory.dmp	xmrig
behavioral2/memory/3640-365-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	xmrig
behavioral2/memory/1888-364-0x00007FF76FC00000-0x00007FF76FF51000-memory.dmp	xmrig
behavioral2/memory/5032-363-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp	xmrig
behavioral2/memory/4488-344-0x00007FF79B070000-0x00007FF79B3C1000-memory.dmp	xmrig
behavioral2/memory/1876-335-0x00007FF6EA660000-0x00007FF6EA9B1000-memory.dmp	xmrig
behavioral2/memory/4544-334-0x00007FF68EF70000-0x00007FF68F2C1000-memory.dmp	xmrig
behavioral2/memory/3152-308-0x00007FF676EC0000-0x00007FF677211000-memory.dmp	xmrig
behavioral2/memory/2872-267-0x00007FF7CFAA0000-0x00007FF7CFDF1000-memory.dmp	xmrig
behavioral2/memory/2364-228-0x00007FF7815B0000-0x00007FF781901000-memory.dmp	xmrig
behavioral2/memory/4720-189-0x00007FF6719A0000-0x00007FF671CF1000-memory.dmp	xmrig
behavioral2/memory/4152-70-0x00007FF7D7D30000-0x00007FF7D8081000-memory.dmp	xmrig
behavioral2/memory/4372-2122-0x00007FF637B80000-0x00007FF637ED1000-memory.dmp	xmrig
behavioral2/memory/4832-2511-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	xmrig
behavioral2/memory/4152-2513-0x00007FF7D7D30000-0x00007FF7D8081000-memory.dmp	xmrig
behavioral2/memory/3028-2515-0x00007FF666460000-0x00007FF6667B1000-memory.dmp	xmrig
behavioral2/memory/4780-2517-0x00007FF64BB30000-0x00007FF64BE81000-memory.dmp	xmrig
behavioral2/memory/3388-2519-0x00007FF6BE1A0000-0x00007FF6BE4F1000-memory.dmp	xmrig
behavioral2/memory/1504-2521-0x00007FF78FD80000-0x00007FF7900D1000-memory.dmp	xmrig
behavioral2/memory/4572-2523-0x00007FF6F4290000-0x00007FF6F45E1000-memory.dmp	xmrig
behavioral2/memory/4720-2525-0x00007FF6719A0000-0x00007FF671CF1000-memory.dmp	xmrig
behavioral2/memory/4520-2529-0x00007FF735EA0000-0x00007FF7361F1000-memory.dmp	xmrig
behavioral2/memory/1412-2531-0x00007FF6DFAF0000-0x00007FF6DFE41000-memory.dmp	xmrig
behavioral2/memory/2364-2534-0x00007FF7815B0000-0x00007FF781901000-memory.dmp	xmrig
behavioral2/memory/4488-2527-0x00007FF79B070000-0x00007FF79B3C1000-memory.dmp	xmrig
behavioral2/memory/3324-2588-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp	xmrig
behavioral2/memory/3152-2585-0x00007FF676EC0000-0x00007FF677211000-memory.dmp	xmrig
behavioral2/memory/2768-2581-0x00007FF7F30E0000-0x00007FF7F3431000-memory.dmp	xmrig
behavioral2/memory/2872-2579-0x00007FF7CFAA0000-0x00007FF7CFDF1000-memory.dmp	xmrig
behavioral2/memory/1116-2577-0x00007FF70B510000-0x00007FF70B861000-memory.dmp	xmrig
behavioral2/memory/4528-2575-0x00007FF6AC530000-0x00007FF6AC881000-memory.dmp	xmrig
behavioral2/memory/1876-2573-0x00007FF6EA660000-0x00007FF6EA9B1000-memory.dmp	xmrig
behavioral2/memory/4868-2569-0x00007FF7E07C0000-0x00007FF7E0B11000-memory.dmp	xmrig
behavioral2/memory/4544-2564-0x00007FF68EF70000-0x00007FF68F2C1000-memory.dmp	xmrig
behavioral2/memory/3640-2556-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	xmrig
behavioral2/memory/3048-2583-0x00007FF7190C0000-0x00007FF719411000-memory.dmp	xmrig
behavioral2/memory/1888-2571-0x00007FF76FC00000-0x00007FF76FF51000-memory.dmp	xmrig
behavioral2/memory/748-2567-0x00007FF6C51D0000-0x00007FF6C5521000-memory.dmp	xmrig
behavioral2/memory/1200-2535-0x00007FF767D50000-0x00007FF7680A1000-memory.dmp	xmrig
behavioral2/memory/5032-2607-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp	xmrig
behavioral2/memory/3864-2636-0x00007FF6F4A60000-0x00007FF6F4DB1000-memory.dmp	xmrig
behavioral2/memory/4060-2605-0x00007FF675490000-0x00007FF6757E1000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
4832	AqAhIlU.exe
3028	UizPyfr.exe
4780	XqudVqT.exe
3388	zziklvF.exe
1200	hWXUXpV.exe
4152	APIkpgT.exe
1504	XcWhuNP.exe
4572	PdYKCJI.exe
4520	XkeFHpJ.exe
1412	tglygOL.exe
4060	lPiGAey.exe
4720	DvWTZOR.exe
2364	lxVlbuP.exe
2872	rmWHQzK.exe
4528	JqwASVb.exe
748	YtoIdKa.exe
3152	HoAgYkT.exe
1116	sZnbIVT.exe
4544	lYuHnBe.exe
1876	eGaDwwb.exe
3048	uXsQjqa.exe
4488	nGGmzks.exe
2768	nbIGUet.exe
4868	WKYOhdH.exe
5032	ccfSdYp.exe
1888	fFJwUWu.exe
3640	pDHAXTU.exe
3324	ySSiLMx.exe
3864	RghyLKC.exe
408	SZuEBzt.exe
1612	HkOiSxW.exe
1704	DbdiYyF.exe
4828	vSwocCd.exe
952	RSGNflV.exe
3952	MHmzJDX.exe
4492	ydkyIqX.exe
1580	gPlnQZC.exe
2228	JXfMSaR.exe
4280	kAlfWRU.exe
4100	iGvuKbO.exe
1144	prjOCVA.exe
4384	lhZzfdm.exe
780	tFyvFcW.exe
4240	OmVHXFE.exe
2724	JFGkxep.exe
3576	UxXDTlY.exe
3948	fmBNjBE.exe
2352	BHLZzmt.exe
2428	DNwZodb.exe
4568	xjJgzaL.exe
2216	XwIzvPA.exe
1672	FNbxrLc.exe
4368	jzsoyaW.exe
4960	ZVJWQwh.exe
4128	eqGcPvB.exe
4340	YFUPVBE.exe
4228	vqOnrfq.exe
552	mqZvNwJ.exe
3120	MGuiBJX.exe
5028	bPzpvUj.exe
5048	WJSefWK.exe
1496	TmUsypJ.exe
5040	bttHJWV.exe
3544	gkrCZCA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4372-0-0x00007FF637B80000-0x00007FF637ED1000-memory.dmp	upx
behavioral2/files/0x000900000002340e-5.dat	upx
behavioral2/files/0x0007000000023421-58.dat	upx
behavioral2/files/0x0007000000023422-62.dat	upx
behavioral2/files/0x0007000000023436-178.dat	upx
behavioral2/memory/4528-271-0x00007FF6AC530000-0x00007FF6AC881000-memory.dmp	upx
behavioral2/memory/1116-318-0x00007FF70B510000-0x00007FF70B861000-memory.dmp	upx
behavioral2/memory/2768-345-0x00007FF7F30E0000-0x00007FF7F3431000-memory.dmp	upx
behavioral2/memory/4868-354-0x00007FF7E07C0000-0x00007FF7E0B11000-memory.dmp	upx
behavioral2/memory/3048-370-0x00007FF7190C0000-0x00007FF719411000-memory.dmp	upx
behavioral2/memory/3324-371-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp	upx
behavioral2/memory/748-369-0x00007FF6C51D0000-0x00007FF6C5521000-memory.dmp	upx
behavioral2/memory/4572-368-0x00007FF6F4290000-0x00007FF6F45E1000-memory.dmp	upx
behavioral2/memory/4780-367-0x00007FF64BB30000-0x00007FF64BE81000-memory.dmp	upx
behavioral2/memory/3864-366-0x00007FF6F4A60000-0x00007FF6F4DB1000-memory.dmp	upx
behavioral2/memory/3640-365-0x00007FF797A30000-0x00007FF797D81000-memory.dmp	upx
behavioral2/memory/1888-364-0x00007FF76FC00000-0x00007FF76FF51000-memory.dmp	upx
behavioral2/memory/5032-363-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp	upx
behavioral2/memory/4488-344-0x00007FF79B070000-0x00007FF79B3C1000-memory.dmp	upx
behavioral2/memory/1876-335-0x00007FF6EA660000-0x00007FF6EA9B1000-memory.dmp	upx
behavioral2/memory/4544-334-0x00007FF68EF70000-0x00007FF68F2C1000-memory.dmp	upx
behavioral2/memory/3152-308-0x00007FF676EC0000-0x00007FF677211000-memory.dmp	upx
behavioral2/memory/2872-267-0x00007FF7CFAA0000-0x00007FF7CFDF1000-memory.dmp	upx
behavioral2/memory/2364-228-0x00007FF7815B0000-0x00007FF781901000-memory.dmp	upx
behavioral2/files/0x000700000002342a-200.dat	upx
behavioral2/files/0x0007000000023428-195.dat	upx
behavioral2/memory/4060-187-0x00007FF675490000-0x00007FF6757E1000-memory.dmp	upx
behavioral2/files/0x000700000002343b-186.dat	upx
behavioral2/files/0x000700000002343a-185.dat	upx
behavioral2/files/0x0007000000023439-183.dat	upx
behavioral2/files/0x0007000000023438-182.dat	upx
behavioral2/files/0x0007000000023427-180.dat	upx
behavioral2/files/0x0007000000023425-170.dat	upx
behavioral2/files/0x0007000000023424-160.dat	upx
behavioral2/files/0x000700000002342b-158.dat	upx
behavioral2/files/0x0007000000023434-157.dat	upx
behavioral2/files/0x0007000000023433-156.dat	upx
behavioral2/files/0x0007000000023431-153.dat	upx
behavioral2/files/0x0007000000023430-152.dat	upx
behavioral2/memory/4720-189-0x00007FF6719A0000-0x00007FF671CF1000-memory.dmp	upx
behavioral2/files/0x0007000000023437-179.dat	upx
behavioral2/memory/1412-148-0x00007FF6DFAF0000-0x00007FF6DFE41000-memory.dmp	upx
behavioral2/files/0x000700000002342e-142.dat	upx
behavioral2/files/0x000700000002342d-139.dat	upx
behavioral2/files/0x0007000000023426-133.dat	upx
behavioral2/files/0x000700000002342c-130.dat	upx
behavioral2/files/0x0007000000023420-124.dat	upx
behavioral2/files/0x0007000000023423-154.dat	upx
behavioral2/files/0x000700000002341f-114.dat	upx
behavioral2/files/0x000700000002341a-110.dat	upx
behavioral2/files/0x0007000000023429-104.dat	upx
behavioral2/files/0x000700000002341e-103.dat	upx
behavioral2/files/0x000700000002342f-151.dat	upx
behavioral2/memory/4520-100-0x00007FF735EA0000-0x00007FF7361F1000-memory.dmp	upx
behavioral2/memory/1504-97-0x00007FF78FD80000-0x00007FF7900D1000-memory.dmp	upx
behavioral2/files/0x000700000002341d-88.dat	upx
behavioral2/files/0x000700000002341c-83.dat	upx
behavioral2/files/0x000700000002341b-79.dat	upx
behavioral2/files/0x0007000000023418-77.dat	upx
behavioral2/memory/4152-70-0x00007FF7D7D30000-0x00007FF7D8081000-memory.dmp	upx
behavioral2/files/0x0007000000023416-63.dat	upx
behavioral2/files/0x0007000000023417-71.dat	upx
behavioral2/memory/1200-67-0x00007FF767D50000-0x00007FF7680A1000-memory.dmp	upx
behavioral2/memory/3028-39-0x00007FF666460000-0x00007FF6667B1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\KOVvqtx.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\ffHmGUF.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\PpZRdll.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\OSjpJMK.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\OmbAUjz.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\hWXUXpV.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\lPiGAey.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\iGvuKbO.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\oUcAuyU.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\PNosWSD.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\wSUbMLd.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\OKPxBDO.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\VoUaGIj.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\UizPyfr.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\WKYOhdH.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\yUhtZAa.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\EgybkAh.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\BumnvLd.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\pmXySvW.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\fYtIVly.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\jBwjbhx.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\fcbmvBM.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\UacpxVH.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\tglygOL.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\NIOQoTV.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\COTJlyj.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\shUOWqX.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\OMRFKSQ.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\XersVmf.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\kdvCJVG.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\iuFkXdL.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\lNtBDmV.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\avaEdQJ.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\XseQGdO.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\XgTMoce.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\jsXEhxP.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\WKbBDJi.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\nCZAulk.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\qbdaiwf.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\euBygRp.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\vWQgUxc.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\aNWxTbx.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\TmBVToT.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\uexCXQZ.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\bUjPjnu.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\qcnIOkd.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\PVugTQe.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\thcWdvX.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\lZlQKRt.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\sLIXRmT.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\YFUPVBE.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\izwOEAW.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\YjDUJcW.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\IjyRNYn.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\qMZmqRY.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\JqwASVb.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\HipygEq.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\KoEHkDv.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\FMNCzlI.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\iHbpRXO.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\tCPVEtU.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\vSwocCd.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\jEKvHTi.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe
File created	C:\Windows\System\kRtUUWJ.exe	1084c1ae3bc47570f5328522d6ff7c30N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{3159201B-800D-4D46-A3D5-C0FCA3386B01}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{33E66D20-359E-4218-88EE-7AB2D9D347FE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{FDF94873-1393-483B-8636-77E6633943B7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{5AAB94AC-759B-4287-824A-F3BEA5C4F89B}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	14180	explorer.exe
Token: SeCreatePagefilePrivilege	14180	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe
Token: SeShutdownPrivilege	13328	explorer.exe
Token: SeCreatePagefilePrivilege	13328	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
11872	sihost.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
14180	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
13328	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
10736	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe
4752	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
15248	StartMenuExperienceHost.exe
3780	StartMenuExperienceHost.exe
14568	SearchApp.exe
14880	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4832	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	85
PID 4372 wrote to memory of 4832	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	85
PID 4372 wrote to memory of 3028	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	86
PID 4372 wrote to memory of 3028	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	86
PID 4372 wrote to memory of 4780	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	87
PID 4372 wrote to memory of 4780	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	87
PID 4372 wrote to memory of 3388	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	88
PID 4372 wrote to memory of 3388	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	88
PID 4372 wrote to memory of 1200	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	89
PID 4372 wrote to memory of 1200	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	89
PID 4372 wrote to memory of 4152	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	90
PID 4372 wrote to memory of 4152	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	90
PID 4372 wrote to memory of 1412	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	91
PID 4372 wrote to memory of 1412	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	91
PID 4372 wrote to memory of 1504	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	92
PID 4372 wrote to memory of 1504	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	92
PID 4372 wrote to memory of 4720	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	93
PID 4372 wrote to memory of 4720	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	93
PID 4372 wrote to memory of 4572	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	94
PID 4372 wrote to memory of 4572	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	94
PID 4372 wrote to memory of 4520	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	95
PID 4372 wrote to memory of 4520	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	95
PID 4372 wrote to memory of 4060	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	96
PID 4372 wrote to memory of 4060	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	96
PID 4372 wrote to memory of 2364	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	97
PID 4372 wrote to memory of 2364	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	97
PID 4372 wrote to memory of 2872	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	98
PID 4372 wrote to memory of 2872	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	98
PID 4372 wrote to memory of 4528	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	99
PID 4372 wrote to memory of 4528	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	99
PID 4372 wrote to memory of 748	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	100
PID 4372 wrote to memory of 748	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	100
PID 4372 wrote to memory of 3152	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	101
PID 4372 wrote to memory of 3152	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	101
PID 4372 wrote to memory of 1116	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	102
PID 4372 wrote to memory of 1116	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	102
PID 4372 wrote to memory of 4544	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	103
PID 4372 wrote to memory of 4544	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	103
PID 4372 wrote to memory of 1876	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	104
PID 4372 wrote to memory of 1876	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	104
PID 4372 wrote to memory of 3048	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	105
PID 4372 wrote to memory of 3048	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	105
PID 4372 wrote to memory of 4488	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	106
PID 4372 wrote to memory of 4488	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	106
PID 4372 wrote to memory of 2768	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	107
PID 4372 wrote to memory of 2768	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	107
PID 4372 wrote to memory of 4868	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	108
PID 4372 wrote to memory of 4868	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	108
PID 4372 wrote to memory of 5032	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	109
PID 4372 wrote to memory of 5032	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	109
PID 4372 wrote to memory of 1888	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	110
PID 4372 wrote to memory of 1888	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	110
PID 4372 wrote to memory of 3640	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	111
PID 4372 wrote to memory of 3640	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	111
PID 4372 wrote to memory of 3324	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	112
PID 4372 wrote to memory of 3324	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	112
PID 4372 wrote to memory of 3864	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	113
PID 4372 wrote to memory of 3864	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	113
PID 4372 wrote to memory of 408	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	114
PID 4372 wrote to memory of 408	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	114
PID 4372 wrote to memory of 4280	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	115
PID 4372 wrote to memory of 4280	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	115
PID 4372 wrote to memory of 1612	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	116
PID 4372 wrote to memory of 1612	4372	1084c1ae3bc47570f5328522d6ff7c30N.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1084c1ae3bc47570f5328522d6ff7c30N.exe
"C:\Users\Admin\AppData\Local\Temp\1084c1ae3bc47570f5328522d6ff7c30N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\System\AqAhIlU.exe
  C:\Windows\System\AqAhIlU.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\UizPyfr.exe
  C:\Windows\System\UizPyfr.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\XqudVqT.exe
  C:\Windows\System\XqudVqT.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\zziklvF.exe
  C:\Windows\System\zziklvF.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\hWXUXpV.exe
  C:\Windows\System\hWXUXpV.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\APIkpgT.exe
  C:\Windows\System\APIkpgT.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\tglygOL.exe
  C:\Windows\System\tglygOL.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\XcWhuNP.exe
  C:\Windows\System\XcWhuNP.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\DvWTZOR.exe
  C:\Windows\System\DvWTZOR.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\PdYKCJI.exe
  C:\Windows\System\PdYKCJI.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\XkeFHpJ.exe
  C:\Windows\System\XkeFHpJ.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\lPiGAey.exe
  C:\Windows\System\lPiGAey.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\lxVlbuP.exe
  C:\Windows\System\lxVlbuP.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\rmWHQzK.exe
  C:\Windows\System\rmWHQzK.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\JqwASVb.exe
  C:\Windows\System\JqwASVb.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\YtoIdKa.exe
  C:\Windows\System\YtoIdKa.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\HoAgYkT.exe
  C:\Windows\System\HoAgYkT.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\sZnbIVT.exe
  C:\Windows\System\sZnbIVT.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\lYuHnBe.exe
  C:\Windows\System\lYuHnBe.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\eGaDwwb.exe
  C:\Windows\System\eGaDwwb.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\uXsQjqa.exe
  C:\Windows\System\uXsQjqa.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\nGGmzks.exe
  C:\Windows\System\nGGmzks.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\nbIGUet.exe
  C:\Windows\System\nbIGUet.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\WKYOhdH.exe
  C:\Windows\System\WKYOhdH.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\ccfSdYp.exe
  C:\Windows\System\ccfSdYp.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\fFJwUWu.exe
  C:\Windows\System\fFJwUWu.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\pDHAXTU.exe
  C:\Windows\System\pDHAXTU.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\ySSiLMx.exe
  C:\Windows\System\ySSiLMx.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\RghyLKC.exe
  C:\Windows\System\RghyLKC.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\SZuEBzt.exe
  C:\Windows\System\SZuEBzt.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\kAlfWRU.exe
  C:\Windows\System\kAlfWRU.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\HkOiSxW.exe
  C:\Windows\System\HkOiSxW.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\DbdiYyF.exe
  C:\Windows\System\DbdiYyF.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\tFyvFcW.exe
  C:\Windows\System\tFyvFcW.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\vSwocCd.exe
  C:\Windows\System\vSwocCd.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\RSGNflV.exe
  C:\Windows\System\RSGNflV.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\MHmzJDX.exe
  C:\Windows\System\MHmzJDX.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\ydkyIqX.exe
  C:\Windows\System\ydkyIqX.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\gPlnQZC.exe
  C:\Windows\System\gPlnQZC.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\JXfMSaR.exe
  C:\Windows\System\JXfMSaR.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\iGvuKbO.exe
  C:\Windows\System\iGvuKbO.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\prjOCVA.exe
  C:\Windows\System\prjOCVA.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\lhZzfdm.exe
  C:\Windows\System\lhZzfdm.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\ZVJWQwh.exe
  C:\Windows\System\ZVJWQwh.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\eqGcPvB.exe
  C:\Windows\System\eqGcPvB.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\OmVHXFE.exe
  C:\Windows\System\OmVHXFE.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\JFGkxep.exe
  C:\Windows\System\JFGkxep.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\UxXDTlY.exe
  C:\Windows\System\UxXDTlY.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\fmBNjBE.exe
  C:\Windows\System\fmBNjBE.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\BHLZzmt.exe
  C:\Windows\System\BHLZzmt.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\DNwZodb.exe
  C:\Windows\System\DNwZodb.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\xjJgzaL.exe
  C:\Windows\System\xjJgzaL.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\XwIzvPA.exe
  C:\Windows\System\XwIzvPA.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\FNbxrLc.exe
  C:\Windows\System\FNbxrLc.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\jzsoyaW.exe
  C:\Windows\System\jzsoyaW.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\YFUPVBE.exe
  C:\Windows\System\YFUPVBE.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\vqOnrfq.exe
  C:\Windows\System\vqOnrfq.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\mqZvNwJ.exe
  C:\Windows\System\mqZvNwJ.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\MGuiBJX.exe
  C:\Windows\System\MGuiBJX.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\bPzpvUj.exe
  C:\Windows\System\bPzpvUj.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\WJSefWK.exe
  C:\Windows\System\WJSefWK.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\TmUsypJ.exe
  C:\Windows\System\TmUsypJ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\bttHJWV.exe
  C:\Windows\System\bttHJWV.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\gkrCZCA.exe
  C:\Windows\System\gkrCZCA.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\YXExZUq.exe
  C:\Windows\System\YXExZUq.exe
  2⤵
  PID:3064
- C:\Windows\System\HoaMtJu.exe
  C:\Windows\System\HoaMtJu.exe
  2⤵
  PID:4392
- C:\Windows\System\FANMJqk.exe
  C:\Windows\System\FANMJqk.exe
  2⤵
  PID:3608
- C:\Windows\System\PDKCaYG.exe
  C:\Windows\System\PDKCaYG.exe
  2⤵
  PID:3816
- C:\Windows\System\AJQUQjx.exe
  C:\Windows\System\AJQUQjx.exe
  2⤵
  PID:4408
- C:\Windows\System\RaoOtxv.exe
  C:\Windows\System\RaoOtxv.exe
  2⤵
  PID:4168
- C:\Windows\System\iczsbgs.exe
  C:\Windows\System\iczsbgs.exe
  2⤵
  PID:508
- C:\Windows\System\ZpKylUC.exe
  C:\Windows\System\ZpKylUC.exe
  2⤵
  PID:2144
- C:\Windows\System\XlBLxeo.exe
  C:\Windows\System\XlBLxeo.exe
  2⤵
  PID:4556
- C:\Windows\System\JAgLlLj.exe
  C:\Windows\System\JAgLlLj.exe
  2⤵
  PID:3400
- C:\Windows\System\DCAEIwP.exe
  C:\Windows\System\DCAEIwP.exe
  2⤵
  PID:4864
- C:\Windows\System\ZknSPTe.exe
  C:\Windows\System\ZknSPTe.exe
  2⤵
  PID:4540
- C:\Windows\System\kYffMrT.exe
  C:\Windows\System\kYffMrT.exe
  2⤵
  PID:1596
- C:\Windows\System\ehcIgED.exe
  C:\Windows\System\ehcIgED.exe
  2⤵
  PID:432
- C:\Windows\System\ThPzPfJ.exe
  C:\Windows\System\ThPzPfJ.exe
  2⤵
  PID:4460
- C:\Windows\System\OQkvjTE.exe
  C:\Windows\System\OQkvjTE.exe
  2⤵
  PID:368
- C:\Windows\System\pMAqiGi.exe
  C:\Windows\System\pMAqiGi.exe
  2⤵
  PID:312
- C:\Windows\System\NZQwBUd.exe
  C:\Windows\System\NZQwBUd.exe
  2⤵
  PID:956
- C:\Windows\System\vFsFATq.exe
  C:\Windows\System\vFsFATq.exe
  2⤵
  PID:5132
- C:\Windows\System\yUhtZAa.exe
  C:\Windows\System\yUhtZAa.exe
  2⤵
  PID:5156
- C:\Windows\System\ecxzlMj.exe
  C:\Windows\System\ecxzlMj.exe
  2⤵
  PID:5248
- C:\Windows\System\uVKztMO.exe
  C:\Windows\System\uVKztMO.exe
  2⤵
  PID:5268
- C:\Windows\System\tEcvCRN.exe
  C:\Windows\System\tEcvCRN.exe
  2⤵
  PID:5292
- C:\Windows\System\KVYDydN.exe
  C:\Windows\System\KVYDydN.exe
  2⤵
  PID:5312
- C:\Windows\System\SXPpQru.exe
  C:\Windows\System\SXPpQru.exe
  2⤵
  PID:5332
- C:\Windows\System\JAkWDKQ.exe
  C:\Windows\System\JAkWDKQ.exe
  2⤵
  PID:5360
- C:\Windows\System\MwbxgbA.exe
  C:\Windows\System\MwbxgbA.exe
  2⤵
  PID:5380
- C:\Windows\System\dYVlQTz.exe
  C:\Windows\System\dYVlQTz.exe
  2⤵
  PID:5400
- C:\Windows\System\OVVULYR.exe
  C:\Windows\System\OVVULYR.exe
  2⤵
  PID:5432
- C:\Windows\System\MdWMYwQ.exe
  C:\Windows\System\MdWMYwQ.exe
  2⤵
  PID:6000
- C:\Windows\System\rQJcRdy.exe
  C:\Windows\System\rQJcRdy.exe
  2⤵
  PID:6016
- C:\Windows\System\dMDURGl.exe
  C:\Windows\System\dMDURGl.exe
  2⤵
  PID:6036
- C:\Windows\System\gaMRCDj.exe
  C:\Windows\System\gaMRCDj.exe
  2⤵
  PID:6064
- C:\Windows\System\GhibXVj.exe
  C:\Windows\System\GhibXVj.exe
  2⤵
  PID:6088
- C:\Windows\System\YCnPLpL.exe
  C:\Windows\System\YCnPLpL.exe
  2⤵
  PID:6108
- C:\Windows\System\WoaICQj.exe
  C:\Windows\System\WoaICQj.exe
  2⤵
  PID:6124
- C:\Windows\System\XDlPPnP.exe
  C:\Windows\System\XDlPPnP.exe
  2⤵
  PID:6140
- C:\Windows\System\IiXgnus.exe
  C:\Windows\System\IiXgnus.exe
  2⤵
  PID:2568
- C:\Windows\System\jrYyDUK.exe
  C:\Windows\System\jrYyDUK.exe
  2⤵
  PID:2620
- C:\Windows\System\FebUPta.exe
  C:\Windows\System\FebUPta.exe
  2⤵
  PID:2952
- C:\Windows\System\YYMumDL.exe
  C:\Windows\System\YYMumDL.exe
  2⤵
  PID:4916
- C:\Windows\System\AjPQudL.exe
  C:\Windows\System\AjPQudL.exe
  2⤵
  PID:4380
- C:\Windows\System\EzxzaOg.exe
  C:\Windows\System\EzxzaOg.exe
  2⤵
  PID:4904
- C:\Windows\System\RCkmCqL.exe
  C:\Windows\System\RCkmCqL.exe
  2⤵
  PID:4312
- C:\Windows\System\zjMZTDi.exe
  C:\Windows\System\zjMZTDi.exe
  2⤵
  PID:2420
- C:\Windows\System\ZJUruTv.exe
  C:\Windows\System\ZJUruTv.exe
  2⤵
  PID:2404
- C:\Windows\System\XSZOAPa.exe
  C:\Windows\System\XSZOAPa.exe
  2⤵
  PID:4716
- C:\Windows\System\ZpSbOrW.exe
  C:\Windows\System\ZpSbOrW.exe
  2⤵
  PID:4112
- C:\Windows\System\hAJOcNz.exe
  C:\Windows\System\hAJOcNz.exe
  2⤵
  PID:2288
- C:\Windows\System\EeQxHQk.exe
  C:\Windows\System\EeQxHQk.exe
  2⤵
  PID:4740
- C:\Windows\System\bJvWcHU.exe
  C:\Windows\System\bJvWcHU.exe
  2⤵
  PID:2712
- C:\Windows\System\daHQqlk.exe
  C:\Windows\System\daHQqlk.exe
  2⤵
  PID:3000
- C:\Windows\System\rWjHeOA.exe
  C:\Windows\System\rWjHeOA.exe
  2⤵
  PID:4500
- C:\Windows\System\xFbkHNa.exe
  C:\Windows\System\xFbkHNa.exe
  2⤵
  PID:2744
- C:\Windows\System\FMJdAlU.exe
  C:\Windows\System\FMJdAlU.exe
  2⤵
  PID:3996
- C:\Windows\System\CixrtFC.exe
  C:\Windows\System\CixrtFC.exe
  2⤵
  PID:1448
- C:\Windows\System\sRkumrC.exe
  C:\Windows\System\sRkumrC.exe
  2⤵
  PID:4984
- C:\Windows\System\AFCHBef.exe
  C:\Windows\System\AFCHBef.exe
  2⤵
  PID:5152
- C:\Windows\System\GDZgXfj.exe
  C:\Windows\System\GDZgXfj.exe
  2⤵
  PID:5228
- C:\Windows\System\JFvzQhD.exe
  C:\Windows\System\JFvzQhD.exe
  2⤵
  PID:5284
- C:\Windows\System\NJiACXO.exe
  C:\Windows\System\NJiACXO.exe
  2⤵
  PID:5324
- C:\Windows\System\wWOMoji.exe
  C:\Windows\System\wWOMoji.exe
  2⤵
  PID:5368
- C:\Windows\System\rulymxk.exe
  C:\Windows\System\rulymxk.exe
  2⤵
  PID:5440
- C:\Windows\System\KtCZGcr.exe
  C:\Windows\System\KtCZGcr.exe
  2⤵
  PID:5532
- C:\Windows\System\JvnmlsQ.exe
  C:\Windows\System\JvnmlsQ.exe
  2⤵
  PID:5588
- C:\Windows\System\KbeuyWV.exe
  C:\Windows\System\KbeuyWV.exe
  2⤵
  PID:5696
- C:\Windows\System\TmBVToT.exe
  C:\Windows\System\TmBVToT.exe
  2⤵
  PID:5720
- C:\Windows\System\JPqvTtr.exe
  C:\Windows\System\JPqvTtr.exe
  2⤵
  PID:5776
- C:\Windows\System\OOpFicw.exe
  C:\Windows\System\OOpFicw.exe
  2⤵
  PID:5812
- C:\Windows\System\QBDSZIs.exe
  C:\Windows\System\QBDSZIs.exe
  2⤵
  PID:1004
- C:\Windows\System\nAEXSsr.exe
  C:\Windows\System\nAEXSsr.exe
  2⤵
  PID:2732
- C:\Windows\System\vmypJLo.exe
  C:\Windows\System\vmypJLo.exe
  2⤵
  PID:3192
- C:\Windows\System\ADTaRnA.exe
  C:\Windows\System\ADTaRnA.exe
  2⤵
  PID:2840
- C:\Windows\System\EomSesJ.exe
  C:\Windows\System\EomSesJ.exe
  2⤵
  PID:2388
- C:\Windows\System\acylsmA.exe
  C:\Windows\System\acylsmA.exe
  2⤵
  PID:3012
- C:\Windows\System\kdvCJVG.exe
  C:\Windows\System\kdvCJVG.exe
  2⤵
  PID:3292
- C:\Windows\System\jEKvHTi.exe
  C:\Windows\System\jEKvHTi.exe
  2⤵
  PID:1396
- C:\Windows\System\YQJFPbM.exe
  C:\Windows\System\YQJFPbM.exe
  2⤵
  PID:3160
- C:\Windows\System\yEQvjqa.exe
  C:\Windows\System\yEQvjqa.exe
  2⤵
  PID:760
- C:\Windows\System\HYVjjbq.exe
  C:\Windows\System\HYVjjbq.exe
  2⤵
  PID:3632
- C:\Windows\System\vEEJwkm.exe
  C:\Windows\System\vEEJwkm.exe
  2⤵
  PID:3416
- C:\Windows\System\quNwxKN.exe
  C:\Windows\System\quNwxKN.exe
  2⤵
  PID:3828
- C:\Windows\System\lUnNnMB.exe
  C:\Windows\System\lUnNnMB.exe
  2⤵
  PID:3376
- C:\Windows\System\WNDylKf.exe
  C:\Windows\System\WNDylKf.exe
  2⤵
  PID:5352
- C:\Windows\System\iGKghBT.exe
  C:\Windows\System\iGKghBT.exe
  2⤵
  PID:5656
- C:\Windows\System\uHKUDpQ.exe
  C:\Windows\System\uHKUDpQ.exe
  2⤵
  PID:5936
- C:\Windows\System\iUKhUkx.exe
  C:\Windows\System\iUKhUkx.exe
  2⤵
  PID:3976
- C:\Windows\System\OdWHlAY.exe
  C:\Windows\System\OdWHlAY.exe
  2⤵
  PID:5996
- C:\Windows\System\lFvbDDA.exe
  C:\Windows\System\lFvbDDA.exe
  2⤵
  PID:6060
- C:\Windows\System\GnYurlp.exe
  C:\Windows\System\GnYurlp.exe
  2⤵
  PID:6072
- C:\Windows\System\CCkLzDL.exe
  C:\Windows\System\CCkLzDL.exe
  2⤵
  PID:6080
- C:\Windows\System\KZuIltl.exe
  C:\Windows\System\KZuIltl.exe
  2⤵
  PID:1960
- C:\Windows\System\frpVAsl.exe
  C:\Windows\System\frpVAsl.exe
  2⤵
  PID:4084
- C:\Windows\System\gxEsJyj.exe
  C:\Windows\System\gxEsJyj.exe
  2⤵
  PID:3912
- C:\Windows\System\nzgRMSe.exe
  C:\Windows\System\nzgRMSe.exe
  2⤵
  PID:3656
- C:\Windows\System\PNosWSD.exe
  C:\Windows\System\PNosWSD.exe
  2⤵
  PID:1444
- C:\Windows\System\CDWYgaO.exe
  C:\Windows\System\CDWYgaO.exe
  2⤵
  PID:5024
- C:\Windows\System\rfzdmuP.exe
  C:\Windows\System\rfzdmuP.exe
  2⤵
  PID:424
- C:\Windows\System\vTzjwHg.exe
  C:\Windows\System\vTzjwHg.exe
  2⤵
  PID:5036
- C:\Windows\System\gNBoQYU.exe
  C:\Windows\System\gNBoQYU.exe
  2⤵
  PID:2976
- C:\Windows\System\GYEWGhZ.exe
  C:\Windows\System\GYEWGhZ.exe
  2⤵
  PID:4592
- C:\Windows\System\MuKlVEt.exe
  C:\Windows\System\MuKlVEt.exe
  2⤵
  PID:5260
- C:\Windows\System\DyKElBT.exe
  C:\Windows\System\DyKElBT.exe
  2⤵
  PID:5128
- C:\Windows\System\pmXySvW.exe
  C:\Windows\System\pmXySvW.exe
  2⤵
  PID:5104
- C:\Windows\System\MhmJWUm.exe
  C:\Windows\System\MhmJWUm.exe
  2⤵
  PID:3312
- C:\Windows\System\qLGQMcA.exe
  C:\Windows\System\qLGQMcA.exe
  2⤵
  PID:2604
- C:\Windows\System\wWeRqpM.exe
  C:\Windows\System\wWeRqpM.exe
  2⤵
  PID:1968
- C:\Windows\System\uexCXQZ.exe
  C:\Windows\System\uexCXQZ.exe
  2⤵
  PID:4424
- C:\Windows\System\gCjIRav.exe
  C:\Windows\System\gCjIRav.exe
  2⤵
  PID:1084
- C:\Windows\System\Vfzcpqf.exe
  C:\Windows\System\Vfzcpqf.exe
  2⤵
  PID:1604
- C:\Windows\System\vHSreYZ.exe
  C:\Windows\System\vHSreYZ.exe
  2⤵
  PID:1588
- C:\Windows\System\iuFkXdL.exe
  C:\Windows\System\iuFkXdL.exe
  2⤵
  PID:3256
- C:\Windows\System\NhQjcaj.exe
  C:\Windows\System\NhQjcaj.exe
  2⤵
  PID:2748
- C:\Windows\System\HKhsliZ.exe
  C:\Windows\System\HKhsliZ.exe
  2⤵
  PID:5072
- C:\Windows\System\vWuVZfZ.exe
  C:\Windows\System\vWuVZfZ.exe
  2⤵
  PID:5308
- C:\Windows\System\ahVUQGY.exe
  C:\Windows\System\ahVUQGY.exe
  2⤵
  PID:6044
- C:\Windows\System\SQTByUr.exe
  C:\Windows\System\SQTByUr.exe
  2⤵
  PID:5736
- C:\Windows\System\mFmnfFM.exe
  C:\Windows\System\mFmnfFM.exe
  2⤵
  PID:6120
- C:\Windows\System\YkEDSZo.exe
  C:\Windows\System\YkEDSZo.exe
  2⤵
  PID:5804
- C:\Windows\System\LtrCawH.exe
  C:\Windows\System\LtrCawH.exe
  2⤵
  PID:1184
- C:\Windows\System\GvkhcwO.exe
  C:\Windows\System\GvkhcwO.exe
  2⤵
  PID:6160
- C:\Windows\System\FZMkOmL.exe
  C:\Windows\System\FZMkOmL.exe
  2⤵
  PID:6180
- C:\Windows\System\QmMTuEi.exe
  C:\Windows\System\QmMTuEi.exe
  2⤵
  PID:6204
- C:\Windows\System\AOKGFqU.exe
  C:\Windows\System\AOKGFqU.exe
  2⤵
  PID:6228
- C:\Windows\System\HdWnenY.exe
  C:\Windows\System\HdWnenY.exe
  2⤵
  PID:6244
- C:\Windows\System\nCZAulk.exe
  C:\Windows\System\nCZAulk.exe
  2⤵
  PID:6268
- C:\Windows\System\cCiuGJj.exe
  C:\Windows\System\cCiuGJj.exe
  2⤵
  PID:6284
- C:\Windows\System\QzhSIOw.exe
  C:\Windows\System\QzhSIOw.exe
  2⤵
  PID:6308
- C:\Windows\System\UuozdBg.exe
  C:\Windows\System\UuozdBg.exe
  2⤵
  PID:6332
- C:\Windows\System\AkLYYie.exe
  C:\Windows\System\AkLYYie.exe
  2⤵
  PID:6356
- C:\Windows\System\lNtBDmV.exe
  C:\Windows\System\lNtBDmV.exe
  2⤵
  PID:6372
- C:\Windows\System\UpgxDLh.exe
  C:\Windows\System\UpgxDLh.exe
  2⤵
  PID:6396
- C:\Windows\System\NTmpKhC.exe
  C:\Windows\System\NTmpKhC.exe
  2⤵
  PID:6420
- C:\Windows\System\liwFVkK.exe
  C:\Windows\System\liwFVkK.exe
  2⤵
  PID:6440
- C:\Windows\System\LyryQKC.exe
  C:\Windows\System\LyryQKC.exe
  2⤵
  PID:6460
- C:\Windows\System\ZtTaXMZ.exe
  C:\Windows\System\ZtTaXMZ.exe
  2⤵
  PID:6484
- C:\Windows\System\yUjiBZc.exe
  C:\Windows\System\yUjiBZc.exe
  2⤵
  PID:6512
- C:\Windows\System\ihcDkMC.exe
  C:\Windows\System\ihcDkMC.exe
  2⤵
  PID:6528
- C:\Windows\System\dcVoxPr.exe
  C:\Windows\System\dcVoxPr.exe
  2⤵
  PID:6548
- C:\Windows\System\vUCmyoP.exe
  C:\Windows\System\vUCmyoP.exe
  2⤵
  PID:6568
- C:\Windows\System\BJBlUSI.exe
  C:\Windows\System\BJBlUSI.exe
  2⤵
  PID:6592
- C:\Windows\System\nONGxfH.exe
  C:\Windows\System\nONGxfH.exe
  2⤵
  PID:6616
- C:\Windows\System\viNmAuF.exe
  C:\Windows\System\viNmAuF.exe
  2⤵
  PID:6640
- C:\Windows\System\rWfupPy.exe
  C:\Windows\System\rWfupPy.exe
  2⤵
  PID:6660
- C:\Windows\System\QHNkuni.exe
  C:\Windows\System\QHNkuni.exe
  2⤵
  PID:6684
- C:\Windows\System\eBTNGbA.exe
  C:\Windows\System\eBTNGbA.exe
  2⤵
  PID:6704
- C:\Windows\System\zQrTXxP.exe
  C:\Windows\System\zQrTXxP.exe
  2⤵
  PID:6728
- C:\Windows\System\FpAoyBY.exe
  C:\Windows\System\FpAoyBY.exe
  2⤵
  PID:6752
- C:\Windows\System\xQALedp.exe
  C:\Windows\System\xQALedp.exe
  2⤵
  PID:6772
- C:\Windows\System\ZEoBRIv.exe
  C:\Windows\System\ZEoBRIv.exe
  2⤵
  PID:6800
- C:\Windows\System\fzDzNsz.exe
  C:\Windows\System\fzDzNsz.exe
  2⤵
  PID:6816
- C:\Windows\System\RGwktzD.exe
  C:\Windows\System\RGwktzD.exe
  2⤵
  PID:6844
- C:\Windows\System\qbdaiwf.exe
  C:\Windows\System\qbdaiwf.exe
  2⤵
  PID:6864
- C:\Windows\System\TngZBzA.exe
  C:\Windows\System\TngZBzA.exe
  2⤵
  PID:6892
- C:\Windows\System\kRtUUWJ.exe
  C:\Windows\System\kRtUUWJ.exe
  2⤵
  PID:6912
- C:\Windows\System\cayfCHY.exe
  C:\Windows\System\cayfCHY.exe
  2⤵
  PID:6936
- C:\Windows\System\HfdTnwt.exe
  C:\Windows\System\HfdTnwt.exe
  2⤵
  PID:6952
- C:\Windows\System\CsJcXpI.exe
  C:\Windows\System\CsJcXpI.exe
  2⤵
  PID:6980
- C:\Windows\System\KZRrSBd.exe
  C:\Windows\System\KZRrSBd.exe
  2⤵
  PID:7000
- C:\Windows\System\JgxKJlY.exe
  C:\Windows\System\JgxKJlY.exe
  2⤵
  PID:7020
- C:\Windows\System\ekGTqtl.exe
  C:\Windows\System\ekGTqtl.exe
  2⤵
  PID:7044
- C:\Windows\System\nSoxgZl.exe
  C:\Windows\System\nSoxgZl.exe
  2⤵
  PID:7072
- C:\Windows\System\fJACfwj.exe
  C:\Windows\System\fJACfwj.exe
  2⤵
  PID:7096
- C:\Windows\System\MduQaxy.exe
  C:\Windows\System\MduQaxy.exe
  2⤵
  PID:7116
- C:\Windows\System\Uasubjm.exe
  C:\Windows\System\Uasubjm.exe
  2⤵
  PID:7140
- C:\Windows\System\utOyPyT.exe
  C:\Windows\System\utOyPyT.exe
  2⤵
  PID:7164
- C:\Windows\System\pkrnAbN.exe
  C:\Windows\System\pkrnAbN.exe
  2⤵
  PID:3524
- C:\Windows\System\gwkPnYI.exe
  C:\Windows\System\gwkPnYI.exe
  2⤵
  PID:2076
- C:\Windows\System\GqkdRnA.exe
  C:\Windows\System\GqkdRnA.exe
  2⤵
  PID:6152
- C:\Windows\System\INLWDOw.exe
  C:\Windows\System\INLWDOw.exe
  2⤵
  PID:1584
- C:\Windows\System\izwOEAW.exe
  C:\Windows\System\izwOEAW.exe
  2⤵
  PID:6236
- C:\Windows\System\VdRqdfo.exe
  C:\Windows\System\VdRqdfo.exe
  2⤵
  PID:5524
- C:\Windows\System\ApjlcBC.exe
  C:\Windows\System\ApjlcBC.exe
  2⤵
  PID:4536
- C:\Windows\System\Dtvlbqz.exe
  C:\Windows\System\Dtvlbqz.exe
  2⤵
  PID:6628
- C:\Windows\System\FLldsXf.exe
  C:\Windows\System\FLldsXf.exe
  2⤵
  PID:3440
- C:\Windows\System\fYtIVly.exe
  C:\Windows\System\fYtIVly.exe
  2⤵
  PID:6676
- C:\Windows\System\mexwvgk.exe
  C:\Windows\System\mexwvgk.exe
  2⤵
  PID:6200
- C:\Windows\System\tbkEZql.exe
  C:\Windows\System\tbkEZql.exe
  2⤵
  PID:6276
- C:\Windows\System\aEyKwbo.exe
  C:\Windows\System\aEyKwbo.exe
  2⤵
  PID:7184
- C:\Windows\System\GvcbWLm.exe
  C:\Windows\System\GvcbWLm.exe
  2⤵
  PID:7204
- C:\Windows\System\pTLxlmV.exe
  C:\Windows\System\pTLxlmV.exe
  2⤵
  PID:7224
- C:\Windows\System\NEAGGGo.exe
  C:\Windows\System\NEAGGGo.exe
  2⤵
  PID:7252
- C:\Windows\System\ICmZvuL.exe
  C:\Windows\System\ICmZvuL.exe
  2⤵
  PID:7272
- C:\Windows\System\AstulJv.exe
  C:\Windows\System\AstulJv.exe
  2⤵
  PID:7292
- C:\Windows\System\akYzjJT.exe
  C:\Windows\System\akYzjJT.exe
  2⤵
  PID:7316
- C:\Windows\System\aCzcgKB.exe
  C:\Windows\System\aCzcgKB.exe
  2⤵
  PID:7332
- C:\Windows\System\amflkcb.exe
  C:\Windows\System\amflkcb.exe
  2⤵
  PID:7356
- C:\Windows\System\SCXCFBp.exe
  C:\Windows\System\SCXCFBp.exe
  2⤵
  PID:7372
- C:\Windows\System\lvXJQaR.exe
  C:\Windows\System\lvXJQaR.exe
  2⤵
  PID:7404
- C:\Windows\System\TEwYfdm.exe
  C:\Windows\System\TEwYfdm.exe
  2⤵
  PID:7424
- C:\Windows\System\XSDRGCX.exe
  C:\Windows\System\XSDRGCX.exe
  2⤵
  PID:7444
- C:\Windows\System\dupRfSk.exe
  C:\Windows\System\dupRfSk.exe
  2⤵
  PID:7464
- C:\Windows\System\JEEgUbz.exe
  C:\Windows\System\JEEgUbz.exe
  2⤵
  PID:7488
- C:\Windows\System\qNVbUVx.exe
  C:\Windows\System\qNVbUVx.exe
  2⤵
  PID:7508
- C:\Windows\System\CaSPsKy.exe
  C:\Windows\System\CaSPsKy.exe
  2⤵
  PID:7532
- C:\Windows\System\MPkbzHM.exe
  C:\Windows\System\MPkbzHM.exe
  2⤵
  PID:7560
- C:\Windows\System\HipygEq.exe
  C:\Windows\System\HipygEq.exe
  2⤵
  PID:7576
- C:\Windows\System\HeEAhZg.exe
  C:\Windows\System\HeEAhZg.exe
  2⤵
  PID:7600
- C:\Windows\System\swlcLkS.exe
  C:\Windows\System\swlcLkS.exe
  2⤵
  PID:7624
- C:\Windows\System\CVsJHRt.exe
  C:\Windows\System\CVsJHRt.exe
  2⤵
  PID:7644
- C:\Windows\System\qrmGYwW.exe
  C:\Windows\System\qrmGYwW.exe
  2⤵
  PID:7664
- C:\Windows\System\cDPuUoR.exe
  C:\Windows\System\cDPuUoR.exe
  2⤵
  PID:7684
- C:\Windows\System\bJRdoXZ.exe
  C:\Windows\System\bJRdoXZ.exe
  2⤵
  PID:7708
- C:\Windows\System\hvLODAE.exe
  C:\Windows\System\hvLODAE.exe
  2⤵
  PID:7728
- C:\Windows\System\oLlVysp.exe
  C:\Windows\System\oLlVysp.exe
  2⤵
  PID:7752
- C:\Windows\System\IbDTDoJ.exe
  C:\Windows\System\IbDTDoJ.exe
  2⤵
  PID:7772
- C:\Windows\System\pLcezfM.exe
  C:\Windows\System\pLcezfM.exe
  2⤵
  PID:7792
- C:\Windows\System\kslLUJU.exe
  C:\Windows\System\kslLUJU.exe
  2⤵
  PID:7812
- C:\Windows\System\yxSjLQX.exe
  C:\Windows\System\yxSjLQX.exe
  2⤵
  PID:7832
- C:\Windows\System\WkaBIzB.exe
  C:\Windows\System\WkaBIzB.exe
  2⤵
  PID:7852
- C:\Windows\System\YcHLZsT.exe
  C:\Windows\System\YcHLZsT.exe
  2⤵
  PID:7876
- C:\Windows\System\NhnGmVe.exe
  C:\Windows\System\NhnGmVe.exe
  2⤵
  PID:7896
- C:\Windows\System\oUHYJYn.exe
  C:\Windows\System\oUHYJYn.exe
  2⤵
  PID:7924
- C:\Windows\System\IYVCXzW.exe
  C:\Windows\System\IYVCXzW.exe
  2⤵
  PID:7948
- C:\Windows\System\HRqUiOh.exe
  C:\Windows\System\HRqUiOh.exe
  2⤵
  PID:7968
- C:\Windows\System\sgSkLQI.exe
  C:\Windows\System\sgSkLQI.exe
  2⤵
  PID:7992
- C:\Windows\System\BLBNsju.exe
  C:\Windows\System\BLBNsju.exe
  2⤵
  PID:8016
- C:\Windows\System\gptSMMi.exe
  C:\Windows\System\gptSMMi.exe
  2⤵
  PID:8036
- C:\Windows\System\NpnPWgK.exe
  C:\Windows\System\NpnPWgK.exe
  2⤵
  PID:8060
- C:\Windows\System\kddWGaf.exe
  C:\Windows\System\kddWGaf.exe
  2⤵
  PID:8084
- C:\Windows\System\bHDMoXn.exe
  C:\Windows\System\bHDMoXn.exe
  2⤵
  PID:8112
- C:\Windows\System\ByxoExg.exe
  C:\Windows\System\ByxoExg.exe
  2⤵
  PID:8132
- C:\Windows\System\qmMwnEW.exe
  C:\Windows\System\qmMwnEW.exe
  2⤵
  PID:8152
- C:\Windows\System\mgMGufz.exe
  C:\Windows\System\mgMGufz.exe
  2⤵
  PID:8172
- C:\Windows\System\kAZWXqS.exe
  C:\Windows\System\kAZWXqS.exe
  2⤵
  PID:6368
- C:\Windows\System\vZuIfoG.exe
  C:\Windows\System\vZuIfoG.exe
  2⤵
  PID:1892
- C:\Windows\System\SIZvvER.exe
  C:\Windows\System\SIZvvER.exe
  2⤵
  PID:6452
- C:\Windows\System\NIOQoTV.exe
  C:\Windows\System\NIOQoTV.exe
  2⤵
  PID:6472
- C:\Windows\System\dqtpSEG.exe
  C:\Windows\System\dqtpSEG.exe
  2⤵
  PID:6136
- C:\Windows\System\hrCnkqy.exe
  C:\Windows\System\hrCnkqy.exe
  2⤵
  PID:4124
- C:\Windows\System\dpaytJz.exe
  C:\Windows\System\dpaytJz.exe
  2⤵
  PID:1060
- C:\Windows\System\PeeRSIl.exe
  C:\Windows\System\PeeRSIl.exe
  2⤵
  PID:6716
- C:\Windows\System\RVIBoLs.exe
  C:\Windows\System\RVIBoLs.exe
  2⤵
  PID:6252
- C:\Windows\System\KoEHkDv.exe
  C:\Windows\System\KoEHkDv.exe
  2⤵
  PID:6784
- C:\Windows\System\tISEoSf.exe
  C:\Windows\System\tISEoSf.exe
  2⤵
  PID:6856
- C:\Windows\System\pTDmmQg.exe
  C:\Windows\System\pTDmmQg.exe
  2⤵
  PID:6388
- C:\Windows\System\IqsYFiE.exe
  C:\Windows\System\IqsYFiE.exe
  2⤵
  PID:6428
- C:\Windows\System\WyfnpMA.exe
  C:\Windows\System\WyfnpMA.exe
  2⤵
  PID:6996
- C:\Windows\System\shUOWqX.exe
  C:\Windows\System\shUOWqX.exe
  2⤵
  PID:7304
- C:\Windows\System\HjSWBFM.exe
  C:\Windows\System\HjSWBFM.exe
  2⤵
  PID:7368
- C:\Windows\System\pVlxWvt.exe
  C:\Windows\System\pVlxWvt.exe
  2⤵
  PID:7160
- C:\Windows\System\XtXLOWk.exe
  C:\Windows\System\XtXLOWk.exe
  2⤵
  PID:7440
- C:\Windows\System\lgKeYeG.exe
  C:\Windows\System\lgKeYeG.exe
  2⤵
  PID:7544
- C:\Windows\System\yIrLQxE.exe
  C:\Windows\System\yIrLQxE.exe
  2⤵
  PID:7596
- C:\Windows\System\AAfPVHC.exe
  C:\Windows\System\AAfPVHC.exe
  2⤵
  PID:6624
- C:\Windows\System\qZcmSAH.exe
  C:\Windows\System\qZcmSAH.exe
  2⤵
  PID:1556
- C:\Windows\System\fgLGgoz.exe
  C:\Windows\System\fgLGgoz.exe
  2⤵
  PID:6760
- C:\Windows\System\tlolSCe.exe
  C:\Windows\System\tlolSCe.exe
  2⤵
  PID:7764
- C:\Windows\System\PEKKtQh.exe
  C:\Windows\System\PEKKtQh.exe
  2⤵
  PID:6836
- C:\Windows\System\WECSRpm.exe
  C:\Windows\System\WECSRpm.exe
  2⤵
  PID:7872
- C:\Windows\System\XuwVnwO.exe
  C:\Windows\System\XuwVnwO.exe
  2⤵
  PID:6920
- C:\Windows\System\ARDhRpP.exe
  C:\Windows\System\ARDhRpP.exe
  2⤵
  PID:7240
- C:\Windows\System\PmddLFQ.exe
  C:\Windows\System\PmddLFQ.exe
  2⤵
  PID:8220
- C:\Windows\System\KxRokqC.exe
  C:\Windows\System\KxRokqC.exe
  2⤵
  PID:8240
- C:\Windows\System\swlBiwI.exe
  C:\Windows\System\swlBiwI.exe
  2⤵
  PID:8256
- C:\Windows\System\mauehuC.exe
  C:\Windows\System\mauehuC.exe
  2⤵
  PID:8280
- C:\Windows\System\TCCZTro.exe
  C:\Windows\System\TCCZTro.exe
  2⤵
  PID:8308
- C:\Windows\System\EnjsyXo.exe
  C:\Windows\System\EnjsyXo.exe
  2⤵
  PID:8328
- C:\Windows\System\Tnsvbql.exe
  C:\Windows\System\Tnsvbql.exe
  2⤵
  PID:8348
- C:\Windows\System\yIXxaUv.exe
  C:\Windows\System\yIXxaUv.exe
  2⤵
  PID:8376
- C:\Windows\System\YiMmLzB.exe
  C:\Windows\System\YiMmLzB.exe
  2⤵
  PID:8400
- C:\Windows\System\LyXEgvA.exe
  C:\Windows\System\LyXEgvA.exe
  2⤵
  PID:8420
- C:\Windows\System\agGDgLa.exe
  C:\Windows\System\agGDgLa.exe
  2⤵
  PID:8444
- C:\Windows\System\fbGvQdj.exe
  C:\Windows\System\fbGvQdj.exe
  2⤵
  PID:8472
- C:\Windows\System\cmLGzED.exe
  C:\Windows\System\cmLGzED.exe
  2⤵
  PID:8500
- C:\Windows\System\Nuebmaf.exe
  C:\Windows\System\Nuebmaf.exe
  2⤵
  PID:8524
- C:\Windows\System\STSRwvR.exe
  C:\Windows\System\STSRwvR.exe
  2⤵
  PID:8544
- C:\Windows\System\MhXucJi.exe
  C:\Windows\System\MhXucJi.exe
  2⤵
  PID:8568
- C:\Windows\System\teevydI.exe
  C:\Windows\System\teevydI.exe
  2⤵
  PID:8588
- C:\Windows\System\icUExGR.exe
  C:\Windows\System\icUExGR.exe
  2⤵
  PID:8612
- C:\Windows\System\FMNCzlI.exe
  C:\Windows\System\FMNCzlI.exe
  2⤵
  PID:8628
- C:\Windows\System\EUMCgSa.exe
  C:\Windows\System\EUMCgSa.exe
  2⤵
  PID:8656
- C:\Windows\System\euBygRp.exe
  C:\Windows\System\euBygRp.exe
  2⤵
  PID:8672
- C:\Windows\System\WZFDQCl.exe
  C:\Windows\System\WZFDQCl.exe
  2⤵
  PID:8692
- C:\Windows\System\BKXuISS.exe
  C:\Windows\System\BKXuISS.exe
  2⤵
  PID:8712
- C:\Windows\System\mLhMxec.exe
  C:\Windows\System\mLhMxec.exe
  2⤵
  PID:8736
- C:\Windows\System\uCWLCyK.exe
  C:\Windows\System\uCWLCyK.exe
  2⤵
  PID:8764
- C:\Windows\System\arYgIHL.exe
  C:\Windows\System\arYgIHL.exe
  2⤵
  PID:8784
- C:\Windows\System\YnVCzsP.exe
  C:\Windows\System\YnVCzsP.exe
  2⤵
  PID:8808
- C:\Windows\System\zUxSzhg.exe
  C:\Windows\System\zUxSzhg.exe
  2⤵
  PID:8828
- C:\Windows\System\xDkcNue.exe
  C:\Windows\System\xDkcNue.exe
  2⤵
  PID:8844
- C:\Windows\System\YjDUJcW.exe
  C:\Windows\System\YjDUJcW.exe
  2⤵
  PID:8864
- C:\Windows\System\KOVvqtx.exe
  C:\Windows\System\KOVvqtx.exe
  2⤵
  PID:8888
- C:\Windows\System\qYCpJGc.exe
  C:\Windows\System\qYCpJGc.exe
  2⤵
  PID:8912
- C:\Windows\System\btpLGFg.exe
  C:\Windows\System\btpLGFg.exe
  2⤵
  PID:8932
- C:\Windows\System\iHbpRXO.exe
  C:\Windows\System\iHbpRXO.exe
  2⤵
  PID:8952
- C:\Windows\System\HWKGxwi.exe
  C:\Windows\System\HWKGxwi.exe
  2⤵
  PID:8976
- C:\Windows\System\PhnpIYd.exe
  C:\Windows\System\PhnpIYd.exe
  2⤵
  PID:8996
- C:\Windows\System\DfPxoom.exe
  C:\Windows\System\DfPxoom.exe
  2⤵
  PID:9016
- C:\Windows\System\eLsUPCy.exe
  C:\Windows\System\eLsUPCy.exe
  2⤵
  PID:9036
- C:\Windows\System\JMrGJvS.exe
  C:\Windows\System\JMrGJvS.exe
  2⤵
  PID:9060
- C:\Windows\System\oqosOKJ.exe
  C:\Windows\System\oqosOKJ.exe
  2⤵
  PID:9080
- C:\Windows\System\PCCZSow.exe
  C:\Windows\System\PCCZSow.exe
  2⤵
  PID:9100
- C:\Windows\System\uoclFyJ.exe
  C:\Windows\System\uoclFyJ.exe
  2⤵
  PID:9120
- C:\Windows\System\LRANvVh.exe
  C:\Windows\System\LRANvVh.exe
  2⤵
  PID:9140
- C:\Windows\System\yWQGOLo.exe
  C:\Windows\System\yWQGOLo.exe
  2⤵
  PID:9164
- C:\Windows\System\RYzZXME.exe
  C:\Windows\System\RYzZXME.exe
  2⤵
  PID:9188
- C:\Windows\System\rQeRqnI.exe
  C:\Windows\System\rQeRqnI.exe
  2⤵
  PID:9208
- C:\Windows\System\rnEYFPP.exe
  C:\Windows\System\rnEYFPP.exe
  2⤵
  PID:7260
- C:\Windows\System\TVQOOOU.exe
  C:\Windows\System\TVQOOOU.exe
  2⤵
  PID:8004
- C:\Windows\System\kkJOQvE.exe
  C:\Windows\System\kkJOQvE.exe
  2⤵
  PID:7060
- C:\Windows\System\UpRUjCC.exe
  C:\Windows\System\UpRUjCC.exe
  2⤵
  PID:8052
- C:\Windows\System\lHtcXrf.exe
  C:\Windows\System\lHtcXrf.exe
  2⤵
  PID:7380
- C:\Windows\System\ffHmGUF.exe
  C:\Windows\System\ffHmGUF.exe
  2⤵
  PID:7112
- C:\Windows\System\pQDuFDT.exe
  C:\Windows\System\pQDuFDT.exe
  2⤵
  PID:7156
- C:\Windows\System\UUCwtgd.exe
  C:\Windows\System\UUCwtgd.exe
  2⤵
  PID:7432
- C:\Windows\System\UUbLzUa.exe
  C:\Windows\System\UUbLzUa.exe
  2⤵
  PID:5548
- C:\Windows\System\JYgrhdX.exe
  C:\Windows\System\JYgrhdX.exe
  2⤵
  PID:7500
- C:\Windows\System\iqhwGad.exe
  C:\Windows\System\iqhwGad.exe
  2⤵
  PID:7540
- C:\Windows\System\AGKBAnw.exe
  C:\Windows\System\AGKBAnw.exe
  2⤵
  PID:6416
- C:\Windows\System\iJjswHE.exe
  C:\Windows\System\iJjswHE.exe
  2⤵
  PID:2156
- C:\Windows\System\ezrKtef.exe
  C:\Windows\System\ezrKtef.exe
  2⤵
  PID:6600
- C:\Windows\System\vwOFGIr.exe
  C:\Windows\System\vwOFGIr.exe
  2⤵
  PID:7572
- C:\Windows\System\ufCGabu.exe
  C:\Windows\System\ufCGabu.exe
  2⤵
  PID:6768
- C:\Windows\System\kgYzDLp.exe
  C:\Windows\System\kgYzDLp.exe
  2⤵
  PID:7180
- C:\Windows\System\xvGYUCh.exe
  C:\Windows\System\xvGYUCh.exe
  2⤵
  PID:7232
- C:\Windows\System\NWzeACe.exe
  C:\Windows\System\NWzeACe.exe
  2⤵
  PID:8296
- C:\Windows\System\VONJBkJ.exe
  C:\Windows\System\VONJBkJ.exe
  2⤵
  PID:8368
- C:\Windows\System\iWbshbV.exe
  C:\Windows\System\iWbshbV.exe
  2⤵
  PID:8124
- C:\Windows\System\bjjqAlQ.exe
  C:\Windows\System\bjjqAlQ.exe
  2⤵
  PID:9236
- C:\Windows\System\bGTSiLt.exe
  C:\Windows\System\bGTSiLt.exe
  2⤵
  PID:9260
- C:\Windows\System\dzWHtNN.exe
  C:\Windows\System\dzWHtNN.exe
  2⤵
  PID:9280
- C:\Windows\System\QOutMdT.exe
  C:\Windows\System\QOutMdT.exe
  2⤵
  PID:9308
- C:\Windows\System\awFfyOH.exe
  C:\Windows\System\awFfyOH.exe
  2⤵
  PID:9328
- C:\Windows\System\NDnQwYj.exe
  C:\Windows\System\NDnQwYj.exe
  2⤵
  PID:9348
- C:\Windows\System\NtMjbbb.exe
  C:\Windows\System\NtMjbbb.exe
  2⤵
  PID:9364
- C:\Windows\System\egZeaEE.exe
  C:\Windows\System\egZeaEE.exe
  2⤵
  PID:9384
- C:\Windows\System\XxFWTwc.exe
  C:\Windows\System\XxFWTwc.exe
  2⤵
  PID:9408
- C:\Windows\System\cEQGxZG.exe
  C:\Windows\System\cEQGxZG.exe
  2⤵
  PID:9432
- C:\Windows\System\yDCrVwP.exe
  C:\Windows\System\yDCrVwP.exe
  2⤵
  PID:9452
- C:\Windows\System\juXeGVw.exe
  C:\Windows\System\juXeGVw.exe
  2⤵
  PID:9476
- C:\Windows\System\ZiVWcjh.exe
  C:\Windows\System\ZiVWcjh.exe
  2⤵
  PID:9500
- C:\Windows\System\HHXQPNG.exe
  C:\Windows\System\HHXQPNG.exe
  2⤵
  PID:9528
- C:\Windows\System\GDDevtl.exe
  C:\Windows\System\GDDevtl.exe
  2⤵
  PID:9548
- C:\Windows\System\XHVpygs.exe
  C:\Windows\System\XHVpygs.exe
  2⤵
  PID:9572
- C:\Windows\System\bUjPjnu.exe
  C:\Windows\System\bUjPjnu.exe
  2⤵
  PID:9592
- C:\Windows\System\vizudkX.exe
  C:\Windows\System\vizudkX.exe
  2⤵
  PID:9616
- C:\Windows\System\NzBLWMz.exe
  C:\Windows\System\NzBLWMz.exe
  2⤵
  PID:9636
- C:\Windows\System\yldKtgk.exe
  C:\Windows\System\yldKtgk.exe
  2⤵
  PID:9664
- C:\Windows\System\iBFqwYn.exe
  C:\Windows\System\iBFqwYn.exe
  2⤵
  PID:9688
- C:\Windows\System\UQlsdMt.exe
  C:\Windows\System\UQlsdMt.exe
  2⤵
  PID:9708
- C:\Windows\System\tKWZMpf.exe
  C:\Windows\System\tKWZMpf.exe
  2⤵
  PID:9728
- C:\Windows\System\artRLsX.exe
  C:\Windows\System\artRLsX.exe
  2⤵
  PID:9748
- C:\Windows\System\xgtWcgr.exe
  C:\Windows\System\xgtWcgr.exe
  2⤵
  PID:10080
- C:\Windows\System\vOqffbL.exe
  C:\Windows\System\vOqffbL.exe
  2⤵
  PID:10096
- C:\Windows\System\YHtlgwu.exe
  C:\Windows\System\YHtlgwu.exe
  2⤵
  PID:10116
- C:\Windows\System\PdFDjNX.exe
  C:\Windows\System\PdFDjNX.exe
  2⤵
  PID:10136
- C:\Windows\System\lOyxJIo.exe
  C:\Windows\System\lOyxJIo.exe
  2⤵
  PID:10164
- C:\Windows\System\STzMuKT.exe
  C:\Windows\System\STzMuKT.exe
  2⤵
  PID:10192
- C:\Windows\System\YrJhNdc.exe
  C:\Windows\System\YrJhNdc.exe
  2⤵
  PID:10208
- C:\Windows\System\eFHEyeg.exe
  C:\Windows\System\eFHEyeg.exe
  2⤵
  PID:10232
- C:\Windows\System\Xjfmokm.exe
  C:\Windows\System\Xjfmokm.exe
  2⤵
  PID:8560
- C:\Windows\System\MpHREvI.exe
  C:\Windows\System\MpHREvI.exe
  2⤵
  PID:3468
- C:\Windows\System\hJDSFXE.exe
  C:\Windows\System\hJDSFXE.exe
  2⤵
  PID:7016
- C:\Windows\System\fWFjEOZ.exe
  C:\Windows\System\fWFjEOZ.exe
  2⤵
  PID:6700
- C:\Windows\System\NsCIvLt.exe
  C:\Windows\System\NsCIvLt.exe
  2⤵
  PID:8776
- C:\Windows\System\wscoHzB.exe
  C:\Windows\System\wscoHzB.exe
  2⤵
  PID:8880
- C:\Windows\System\AMgjJQp.exe
  C:\Windows\System\AMgjJQp.exe
  2⤵
  PID:8928
- C:\Windows\System\ylIUgOV.exe
  C:\Windows\System\ylIUgOV.exe
  2⤵
  PID:7700
- C:\Windows\System\MvTYHOe.exe
  C:\Windows\System\MvTYHOe.exe
  2⤵
  PID:8948
- C:\Windows\System\PpZRdll.exe
  C:\Windows\System\PpZRdll.exe
  2⤵
  PID:9108
- C:\Windows\System\ghUFeyg.exe
  C:\Windows\System\ghUFeyg.exe
  2⤵
  PID:6960
- C:\Windows\System\wSUbMLd.exe
  C:\Windows\System\wSUbMLd.exe
  2⤵
  PID:8232
- C:\Windows\System\jBwjbhx.exe
  C:\Windows\System\jBwjbhx.exe
  2⤵
  PID:6280
- C:\Windows\System\TrCNYrj.exe
  C:\Windows\System\TrCNYrj.exe
  2⤵
  PID:8480
- C:\Windows\System\fsaFMuk.exe
  C:\Windows\System\fsaFMuk.exe
  2⤵
  PID:8180
- C:\Windows\System\vEgiMBo.exe
  C:\Windows\System\vEgiMBo.exe
  2⤵
  PID:6972
- C:\Windows\System\eElIaSk.exe
  C:\Windows\System\eElIaSk.exe
  2⤵
  PID:9484
- C:\Windows\System\MuEUHxF.exe
  C:\Windows\System\MuEUHxF.exe
  2⤵
  PID:9564
- C:\Windows\System\BZaTqSR.exe
  C:\Windows\System\BZaTqSR.exe
  2⤵
  PID:8708
- C:\Windows\System\midrCxR.exe
  C:\Windows\System\midrCxR.exe
  2⤵
  PID:9628
- C:\Windows\System\xbwAaiC.exe
  C:\Windows\System\xbwAaiC.exe
  2⤵
  PID:9716
- C:\Windows\System\wkzSNNC.exe
  C:\Windows\System\wkzSNNC.exe
  2⤵
  PID:6880
- C:\Windows\System\AuYBnrJ.exe
  C:\Windows\System\AuYBnrJ.exe
  2⤵
  PID:9720
- C:\Windows\System\gZJvYXy.exe
  C:\Windows\System\gZJvYXy.exe
  2⤵
  PID:6564
- C:\Windows\System\COTJlyj.exe
  C:\Windows\System\COTJlyj.exe
  2⤵
  PID:9032
- C:\Windows\System\vWNgzWm.exe
  C:\Windows\System\vWNgzWm.exe
  2⤵
  PID:10248
- C:\Windows\System\qcnIOkd.exe
  C:\Windows\System\qcnIOkd.exe
  2⤵
  PID:10272
- C:\Windows\System\sTWzmpu.exe
  C:\Windows\System\sTWzmpu.exe
  2⤵
  PID:10296
- C:\Windows\System\XkfAnAh.exe
  C:\Windows\System\XkfAnAh.exe
  2⤵
  PID:10320
- C:\Windows\System\iLqWPnb.exe
  C:\Windows\System\iLqWPnb.exe
  2⤵
  PID:10356
- C:\Windows\System\OKPxBDO.exe
  C:\Windows\System\OKPxBDO.exe
  2⤵
  PID:10380
- C:\Windows\System\mfzYbrD.exe
  C:\Windows\System\mfzYbrD.exe
  2⤵
  PID:10408
- C:\Windows\System\fmJconA.exe
  C:\Windows\System\fmJconA.exe
  2⤵
  PID:10436
- C:\Windows\System\teToQBb.exe
  C:\Windows\System\teToQBb.exe
  2⤵
  PID:10472
- C:\Windows\System\OMRFKSQ.exe
  C:\Windows\System\OMRFKSQ.exe
  2⤵
  PID:10496
- C:\Windows\System\sOdhmHo.exe
  C:\Windows\System\sOdhmHo.exe
  2⤵
  PID:10520
- C:\Windows\System\IzyBIVj.exe
  C:\Windows\System\IzyBIVj.exe
  2⤵
  PID:10536
- C:\Windows\System\qNPYjJP.exe
  C:\Windows\System\qNPYjJP.exe
  2⤵
  PID:10552
- C:\Windows\System\UTMHJXL.exe
  C:\Windows\System\UTMHJXL.exe
  2⤵
  PID:10576
- C:\Windows\System\gHnezdR.exe
  C:\Windows\System\gHnezdR.exe
  2⤵
  PID:10600
- C:\Windows\System\DsMcHKz.exe
  C:\Windows\System\DsMcHKz.exe
  2⤵
  PID:10620
- C:\Windows\System\dmymzsx.exe
  C:\Windows\System\dmymzsx.exe
  2⤵
  PID:10636
- C:\Windows\System\nRPMSdq.exe
  C:\Windows\System\nRPMSdq.exe
  2⤵
  PID:10656
- C:\Windows\System\JfwuGPK.exe
  C:\Windows\System\JfwuGPK.exe
  2⤵
  PID:10676
- C:\Windows\System\kSebwOU.exe
  C:\Windows\System\kSebwOU.exe
  2⤵
  PID:10696
- C:\Windows\System\gwNSSgC.exe
  C:\Windows\System\gwNSSgC.exe
  2⤵
  PID:10716
- C:\Windows\System\ECtzwlF.exe
  C:\Windows\System\ECtzwlF.exe
  2⤵
  PID:10740
- C:\Windows\System\yKwVMJN.exe
  C:\Windows\System\yKwVMJN.exe
  2⤵
  PID:10760
- C:\Windows\System\nSHSHjU.exe
  C:\Windows\System\nSHSHjU.exe
  2⤵
  PID:10776
- C:\Windows\System\OSjpJMK.exe
  C:\Windows\System\OSjpJMK.exe
  2⤵
  PID:10796
- C:\Windows\System\cCGptiF.exe
  C:\Windows\System\cCGptiF.exe
  2⤵
  PID:10812
- C:\Windows\System\yqTtfhI.exe
  C:\Windows\System\yqTtfhI.exe
  2⤵
  PID:10828
- C:\Windows\System\vScwjzX.exe
  C:\Windows\System\vScwjzX.exe
  2⤵
  PID:10848
- C:\Windows\System\avaEdQJ.exe
  C:\Windows\System\avaEdQJ.exe
  2⤵
  PID:10872
- C:\Windows\System\RcLPAsh.exe
  C:\Windows\System\RcLPAsh.exe
  2⤵
  PID:10896
- C:\Windows\System\LHBPXpG.exe
  C:\Windows\System\LHBPXpG.exe
  2⤵
  PID:10916
- C:\Windows\System\HSycnvE.exe
  C:\Windows\System\HSycnvE.exe
  2⤵
  PID:10940
- C:\Windows\System\fcbmvBM.exe
  C:\Windows\System\fcbmvBM.exe
  2⤵
  PID:10960
- C:\Windows\System\EEkkwuD.exe
  C:\Windows\System\EEkkwuD.exe
  2⤵
  PID:10992
- C:\Windows\System\bwsQeZL.exe
  C:\Windows\System\bwsQeZL.exe
  2⤵
  PID:11008
- C:\Windows\System\iPRkoXi.exe
  C:\Windows\System\iPRkoXi.exe
  2⤵
  PID:11024
- C:\Windows\System\lnyDXyB.exe
  C:\Windows\System\lnyDXyB.exe
  2⤵
  PID:11044
- C:\Windows\System\UacpxVH.exe
  C:\Windows\System\UacpxVH.exe
  2⤵
  PID:11068
- C:\Windows\System\TvXuOBS.exe
  C:\Windows\System\TvXuOBS.exe
  2⤵
  PID:11100
- C:\Windows\System\HyrYpgB.exe
  C:\Windows\System\HyrYpgB.exe
  2⤵
  PID:11120
- C:\Windows\System\ameMdjq.exe
  C:\Windows\System\ameMdjq.exe
  2⤵
  PID:11148
- C:\Windows\System\MIDvJMh.exe
  C:\Windows\System\MIDvJMh.exe
  2⤵
  PID:11180
- C:\Windows\System\ZckSpLT.exe
  C:\Windows\System\ZckSpLT.exe
  2⤵
  PID:11204
- C:\Windows\System\jcFsXMe.exe
  C:\Windows\System\jcFsXMe.exe
  2⤵
  PID:11220
- C:\Windows\System\seCtPBZ.exe
  C:\Windows\System\seCtPBZ.exe
  2⤵
  PID:11244
- C:\Windows\System\MscIGzm.exe
  C:\Windows\System\MscIGzm.exe
  2⤵
  PID:9096
- C:\Windows\System\SnXblYB.exe
  C:\Windows\System\SnXblYB.exe
  2⤵
  PID:9184
- C:\Windows\System\uNTxvTH.exe
  C:\Windows\System\uNTxvTH.exe
  2⤵
  PID:7056
- C:\Windows\System\fWxJXBu.exe
  C:\Windows\System\fWxJXBu.exe
  2⤵
  PID:7132
- C:\Windows\System\QvvQMYu.exe
  C:\Windows\System\QvvQMYu.exe
  2⤵
  PID:8324
- C:\Windows\System\JTQAECq.exe
  C:\Windows\System\JTQAECq.exe
  2⤵
  PID:8344
- C:\Windows\System\YRqLaVX.exe
  C:\Windows\System\YRqLaVX.exe
  2⤵
  PID:7788
- C:\Windows\System\OzNzuWt.exe
  C:\Windows\System\OzNzuWt.exe
  2⤵
  PID:7892
- C:\Windows\System\XqxPtjL.exe
  C:\Windows\System\XqxPtjL.exe
  2⤵
  PID:8464
- C:\Windows\System\kECgoEN.exe
  C:\Windows\System\kECgoEN.exe
  2⤵
  PID:8108
- C:\Windows\System\RCnomMm.exe
  C:\Windows\System\RCnomMm.exe
  2⤵
  PID:9296
- C:\Windows\System\EPIVZDs.exe
  C:\Windows\System\EPIVZDs.exe
  2⤵
  PID:9344
- C:\Windows\System\OmbAUjz.exe
  C:\Windows\System\OmbAUjz.exe
  2⤵
  PID:9404
- C:\Windows\System\YBvcMyO.exe
  C:\Windows\System\YBvcMyO.exe
  2⤵
  PID:9448
- C:\Windows\System\PVugTQe.exe
  C:\Windows\System\PVugTQe.exe
  2⤵
  PID:10108
- C:\Windows\System\eQaziAG.exe
  C:\Windows\System\eQaziAG.exe
  2⤵
  PID:9536
- C:\Windows\System\FSHhtIH.exe
  C:\Windows\System\FSHhtIH.exe
  2⤵
  PID:8748
- C:\Windows\System\DNWdkRI.exe
  C:\Windows\System\DNWdkRI.exe
  2⤵
  PID:7452
- C:\Windows\System\qPgTGER.exe
  C:\Windows\System\qPgTGER.exe
  2⤵
  PID:6524
- C:\Windows\System\xsXYMYJ.exe
  C:\Windows\System\xsXYMYJ.exe
  2⤵
  PID:8840
- C:\Windows\System\KZQwfwW.exe
  C:\Windows\System\KZQwfwW.exe
  2⤵
  PID:11272
- C:\Windows\System\AHglNWx.exe
  C:\Windows\System\AHglNWx.exe
  2⤵
  PID:11292
- C:\Windows\System\bBjDOPo.exe
  C:\Windows\System\bBjDOPo.exe
  2⤵
  PID:11312
- C:\Windows\System\jKlojXC.exe
  C:\Windows\System\jKlojXC.exe
  2⤵
  PID:11336
- C:\Windows\System\thcWdvX.exe
  C:\Windows\System\thcWdvX.exe
  2⤵
  PID:11364
- C:\Windows\System\kqGcyYd.exe
  C:\Windows\System\kqGcyYd.exe
  2⤵
  PID:11384
- C:\Windows\System\HaEXSUS.exe
  C:\Windows\System\HaEXSUS.exe
  2⤵
  PID:11408
- C:\Windows\System\UpZJGTV.exe
  C:\Windows\System\UpZJGTV.exe
  2⤵
  PID:11432
- C:\Windows\System\PmZcZpC.exe
  C:\Windows\System\PmZcZpC.exe
  2⤵
  PID:11460
- C:\Windows\System\YvEjmIP.exe
  C:\Windows\System\YvEjmIP.exe
  2⤵
  PID:11476
- C:\Windows\System\XdJgjpE.exe
  C:\Windows\System\XdJgjpE.exe
  2⤵
  PID:11508
- C:\Windows\System\vwYWrxi.exe
  C:\Windows\System\vwYWrxi.exe
  2⤵
  PID:11536
- C:\Windows\System\FIbvfBc.exe
  C:\Windows\System\FIbvfBc.exe
  2⤵
  PID:11564
- C:\Windows\System\AZDBbos.exe
  C:\Windows\System\AZDBbos.exe
  2⤵
  PID:11592
- C:\Windows\System\rtUAZvF.exe
  C:\Windows\System\rtUAZvF.exe
  2⤵
  PID:11608
- C:\Windows\System\faIWVjw.exe
  C:\Windows\System\faIWVjw.exe
  2⤵
  PID:11624
- C:\Windows\System\vLokEhg.exe
  C:\Windows\System\vLokEhg.exe
  2⤵
  PID:11644
- C:\Windows\System\iAakHES.exe
  C:\Windows\System\iAakHES.exe
  2⤵
  PID:11668
- C:\Windows\System\cqCIYnI.exe
  C:\Windows\System\cqCIYnI.exe
  2⤵
  PID:11692
- C:\Windows\System\krgzPzV.exe
  C:\Windows\System\krgzPzV.exe
  2⤵
  PID:11712
- C:\Windows\System\DzKlAra.exe
  C:\Windows\System\DzKlAra.exe
  2⤵
  PID:11736
- C:\Windows\System\zfaZrTT.exe
  C:\Windows\System\zfaZrTT.exe
  2⤵
  PID:11772
- C:\Windows\System\KRoPMtd.exe
  C:\Windows\System\KRoPMtd.exe
  2⤵
  PID:11788
- C:\Windows\System\DIetJZF.exe
  C:\Windows\System\DIetJZF.exe
  2⤵
  PID:11816
- C:\Windows\System\yKTVKWh.exe
  C:\Windows\System\yKTVKWh.exe
  2⤵
  PID:11840
- C:\Windows\System\BbJZIhD.exe
  C:\Windows\System\BbJZIhD.exe
  2⤵
  PID:11864
- C:\Windows\System\BSKrxff.exe
  C:\Windows\System\BSKrxff.exe
  2⤵
  PID:11888
- C:\Windows\System\LYLGmMh.exe
  C:\Windows\System\LYLGmMh.exe
  2⤵
  PID:11908
- C:\Windows\System\PoGBgwT.exe
  C:\Windows\System\PoGBgwT.exe
  2⤵
  PID:11928
- C:\Windows\System\RunxSjb.exe
  C:\Windows\System\RunxSjb.exe
  2⤵
  PID:11952
- C:\Windows\System\xZXRvlT.exe
  C:\Windows\System\xZXRvlT.exe
  2⤵
  PID:11968
- C:\Windows\System\gxyJksO.exe
  C:\Windows\System\gxyJksO.exe
  2⤵
  PID:11984
- C:\Windows\System\TSvaecc.exe
  C:\Windows\System\TSvaecc.exe
  2⤵
  PID:12000
- C:\Windows\System\bFhLjLq.exe
  C:\Windows\System\bFhLjLq.exe
  2⤵
  PID:12016
- C:\Windows\System\wPeIarg.exe
  C:\Windows\System\wPeIarg.exe
  2⤵
  PID:12036
- C:\Windows\System\XseQGdO.exe
  C:\Windows\System\XseQGdO.exe
  2⤵
  PID:12056
- C:\Windows\System\aVWqZti.exe
  C:\Windows\System\aVWqZti.exe
  2⤵
  PID:12080
- C:\Windows\System\lZlQKRt.exe
  C:\Windows\System\lZlQKRt.exe
  2⤵
  PID:12104
- C:\Windows\System\vaodMGL.exe
  C:\Windows\System\vaodMGL.exe
  2⤵
  PID:12124
- C:\Windows\System\vWQgUxc.exe
  C:\Windows\System\vWQgUxc.exe
  2⤵
  PID:12144
- C:\Windows\System\eYDSWPQ.exe
  C:\Windows\System\eYDSWPQ.exe
  2⤵
  PID:12164
- C:\Windows\System\LUcDccI.exe
  C:\Windows\System\LUcDccI.exe
  2⤵
  PID:12184
- C:\Windows\System\HEsYnnj.exe
  C:\Windows\System\HEsYnnj.exe
  2⤵
  PID:12200
- C:\Windows\System\FepVIzD.exe
  C:\Windows\System\FepVIzD.exe
  2⤵
  PID:12216
- C:\Windows\System\aShidnf.exe
  C:\Windows\System\aShidnf.exe
  2⤵
  PID:12236
- C:\Windows\System\phNTNIJ.exe
  C:\Windows\System\phNTNIJ.exe
  2⤵
  PID:12260
- C:\Windows\System\XgTMoce.exe
  C:\Windows\System\XgTMoce.exe
  2⤵
  PID:12280
- C:\Windows\System\tCPVEtU.exe
  C:\Windows\System\tCPVEtU.exe
  2⤵
  PID:8540
- C:\Windows\System\QabhvyD.exe
  C:\Windows\System\QabhvyD.exe
  2⤵
  PID:3396
- C:\Windows\System\aBQWaUy.exe
  C:\Windows\System\aBQWaUy.exe
  2⤵
  PID:3628
- C:\Windows\System\TMfIKOh.exe
  C:\Windows\System\TMfIKOh.exe
  2⤵
  PID:1828
- C:\Windows\System\wEoGxgt.exe
  C:\Windows\System\wEoGxgt.exe
  2⤵
  PID:10268
- C:\Windows\System\hEDQKZv.exe
  C:\Windows\System\hEDQKZv.exe
  2⤵
  PID:1764
- C:\Windows\System\NfPGwYP.exe
  C:\Windows\System\NfPGwYP.exe
  2⤵
  PID:12120
- C:\Windows\System\MuKjNQO.exe
  C:\Windows\System\MuKjNQO.exe
  2⤵
  PID:12300
- C:\Windows\System\dTOfXPI.exe
  C:\Windows\System\dTOfXPI.exe
  2⤵
  PID:12324
- C:\Windows\System\GRwnAPM.exe
  C:\Windows\System\GRwnAPM.exe
  2⤵
  PID:12348
- C:\Windows\System\aJKszJf.exe
  C:\Windows\System\aJKszJf.exe
  2⤵
  PID:12372
- C:\Windows\System\uTPsDHK.exe
  C:\Windows\System\uTPsDHK.exe
  2⤵
  PID:12400
- C:\Windows\System\jNFthxZ.exe
  C:\Windows\System\jNFthxZ.exe
  2⤵
  PID:12424
- C:\Windows\System\QQeZbiV.exe
  C:\Windows\System\QQeZbiV.exe
  2⤵
  PID:12452
- C:\Windows\System\wzBrnHf.exe
  C:\Windows\System\wzBrnHf.exe
  2⤵
  PID:12484
- C:\Windows\System\tYhOSqu.exe
  C:\Windows\System\tYhOSqu.exe
  2⤵
  PID:12512
- C:\Windows\System\ddzLArl.exe
  C:\Windows\System\ddzLArl.exe
  2⤵
  PID:12532
- C:\Windows\System\YYSqGnV.exe
  C:\Windows\System\YYSqGnV.exe
  2⤵
  PID:12556
- C:\Windows\System\gRvRPWs.exe
  C:\Windows\System\gRvRPWs.exe
  2⤵
  PID:12580
- C:\Windows\System\EgybkAh.exe
  C:\Windows\System\EgybkAh.exe
  2⤵
  PID:12608
- C:\Windows\System\HlVBNBQ.exe
  C:\Windows\System\HlVBNBQ.exe
  2⤵
  PID:12632
- C:\Windows\System\yHQyYMR.exe
  C:\Windows\System\yHQyYMR.exe
  2⤵
  PID:12648
- C:\Windows\System\bxkRMTh.exe
  C:\Windows\System\bxkRMTh.exe
  2⤵
  PID:12664
- C:\Windows\System\nOzxmcj.exe
  C:\Windows\System\nOzxmcj.exe
  2⤵
  PID:12680
- C:\Windows\System\paazwHM.exe
  C:\Windows\System\paazwHM.exe
  2⤵
  PID:12696
- C:\Windows\System\rtNOBEv.exe
  C:\Windows\System\rtNOBEv.exe
  2⤵
  PID:12712
- C:\Windows\System\TBMbroR.exe
  C:\Windows\System\TBMbroR.exe
  2⤵
  PID:12732
- C:\Windows\System\ImaCxme.exe
  C:\Windows\System\ImaCxme.exe
  2⤵
  PID:12756
- C:\Windows\System\fAiaNUw.exe
  C:\Windows\System\fAiaNUw.exe
  2⤵
  PID:12772
- C:\Windows\System\LwcDRzS.exe
  C:\Windows\System\LwcDRzS.exe
  2⤵
  PID:12788
- C:\Windows\System\xqSIXoe.exe
  C:\Windows\System\xqSIXoe.exe
  2⤵
  PID:12804
- C:\Windows\System\GipFBba.exe
  C:\Windows\System\GipFBba.exe
  2⤵
  PID:12820
- C:\Windows\System\wyojmMF.exe
  C:\Windows\System\wyojmMF.exe
  2⤵
  PID:12836
- C:\Windows\System\DHiOEYQ.exe
  C:\Windows\System\DHiOEYQ.exe
  2⤵
  PID:12852
- C:\Windows\System\GnJQazR.exe
  C:\Windows\System\GnJQazR.exe
  2⤵
  PID:12872
- C:\Windows\System\FocYvBp.exe
  C:\Windows\System\FocYvBp.exe
  2⤵
  PID:12900
- C:\Windows\System\xeDZxkb.exe
  C:\Windows\System\xeDZxkb.exe
  2⤵
  PID:12920
- C:\Windows\System\YohSBhU.exe
  C:\Windows\System\YohSBhU.exe
  2⤵
  PID:12952
- C:\Windows\System\iMmKVZZ.exe
  C:\Windows\System\iMmKVZZ.exe
  2⤵
  PID:12980
- C:\Windows\System\QZNfLDB.exe
  C:\Windows\System\QZNfLDB.exe
  2⤵
  PID:13004
- C:\Windows\System\huoIAjt.exe
  C:\Windows\System\huoIAjt.exe
  2⤵
  PID:13028
- C:\Windows\System\sLIXRmT.exe
  C:\Windows\System\sLIXRmT.exe
  2⤵
  PID:13052
- C:\Windows\System\VZgcZwB.exe
  C:\Windows\System\VZgcZwB.exe
  2⤵
  PID:13076
- C:\Windows\System\lJuNTNc.exe
  C:\Windows\System\lJuNTNc.exe
  2⤵
  PID:13100
- C:\Windows\System\kJUBlnf.exe
  C:\Windows\System\kJUBlnf.exe
  2⤵
  PID:13124
- C:\Windows\System\bsovccq.exe
  C:\Windows\System\bsovccq.exe
  2⤵
  PID:13144
- C:\Windows\System\oUcAuyU.exe
  C:\Windows\System\oUcAuyU.exe
  2⤵
  PID:13176
- C:\Windows\System\aBoTaKy.exe
  C:\Windows\System\aBoTaKy.exe
  2⤵
  PID:13228
- C:\Windows\System\eWnpEYE.exe
  C:\Windows\System\eWnpEYE.exe
  2⤵
  PID:13268
- C:\Windows\System\qpvFiBL.exe
  C:\Windows\System\qpvFiBL.exe
  2⤵
  PID:13308
- C:\Windows\System\HPKItVv.exe
  C:\Windows\System\HPKItVv.exe
  2⤵
  PID:12276
- C:\Windows\System\VmSsIzn.exe
  C:\Windows\System\VmSsIzn.exe
  2⤵
  PID:9076
- C:\Windows\System\BumnvLd.exe
  C:\Windows\System\BumnvLd.exe
  2⤵
  PID:8792
- C:\Windows\System\lCjfYjS.exe
  C:\Windows\System\lCjfYjS.exe
  2⤵
  PID:9468
- C:\Windows\System\lVKCCGE.exe
  C:\Windows\System\lVKCCGE.exe
  2⤵
  PID:7516
- C:\Windows\System\PDhUpUP.exe
  C:\Windows\System\PDhUpUP.exe
  2⤵
  PID:12268
- C:\Windows\System\oKQXUjb.exe
  C:\Windows\System\oKQXUjb.exe
  2⤵
  PID:12136
- C:\Windows\System\siAOBhq.exe
  C:\Windows\System\siAOBhq.exe
  2⤵
  PID:12008
- C:\Windows\System\QcUDQwP.exe
  C:\Windows\System\QcUDQwP.exe
  2⤵
  PID:11876
- C:\Windows\System\dPxBLvB.exe
  C:\Windows\System\dPxBLvB.exe
  2⤵
  PID:11680
- C:\Windows\System\oLFGvzY.exe
  C:\Windows\System\oLFGvzY.exe
  2⤵
  PID:11376
- C:\Windows\System\BkugVdR.exe
  C:\Windows\System\BkugVdR.exe
  2⤵
  PID:10404
- C:\Windows\System\JxJiZoj.exe
  C:\Windows\System\JxJiZoj.exe
  2⤵
  PID:3680
- C:\Windows\System\IEQdesA.exe
  C:\Windows\System\IEQdesA.exe
  2⤵
  PID:10616
- C:\Windows\System\UBhSdWW.exe
  C:\Windows\System\UBhSdWW.exe
  2⤵
  PID:10880
- C:\Windows\System\EiXccSP.exe
  C:\Windows\System\EiXccSP.exe
  2⤵
  PID:11116
- C:\Windows\System\vghLeiw.exe
  C:\Windows\System\vghLeiw.exe
  2⤵
  PID:6588
- C:\Windows\System\vqzJdwY.exe
  C:\Windows\System\vqzJdwY.exe
  2⤵
  PID:9744
- C:\Windows\System\iePUuNY.exe
  C:\Windows\System\iePUuNY.exe
  2⤵
  PID:13344
- C:\Windows\System\VoUaGIj.exe
  C:\Windows\System\VoUaGIj.exe
  2⤵
  PID:13364
- C:\Windows\System\deWYcqu.exe
  C:\Windows\System\deWYcqu.exe
  2⤵
  PID:13384
- C:\Windows\System\GSSfVzx.exe
  C:\Windows\System\GSSfVzx.exe
  2⤵
  PID:13404
- C:\Windows\System\QOXJMrd.exe
  C:\Windows\System\QOXJMrd.exe
  2⤵
  PID:13428
- C:\Windows\System\ihPtpDw.exe
  C:\Windows\System\ihPtpDw.exe
  2⤵
  PID:13452
- C:\Windows\System\DKdqTwp.exe
  C:\Windows\System\DKdqTwp.exe
  2⤵
  PID:13472
- C:\Windows\System\rILhbXD.exe
  C:\Windows\System\rILhbXD.exe
  2⤵
  PID:13500
- C:\Windows\System\QkxOhlj.exe
  C:\Windows\System\QkxOhlj.exe
  2⤵
  PID:13520
- C:\Windows\System\hFPlAKM.exe
  C:\Windows\System\hFPlAKM.exe
  2⤵
  PID:13540
- C:\Windows\System\isrGqPK.exe
  C:\Windows\System\isrGqPK.exe
  2⤵
  PID:13564
- C:\Windows\System\cnfQDmS.exe
  C:\Windows\System\cnfQDmS.exe
  2⤵
  PID:13588
- C:\Windows\System\bYGXswi.exe
  C:\Windows\System\bYGXswi.exe
  2⤵
  PID:13612
- C:\Windows\System\TTkKaNg.exe
  C:\Windows\System\TTkKaNg.exe
  2⤵
  PID:13632
- C:\Windows\System\frywSBh.exe
  C:\Windows\System\frywSBh.exe
  2⤵
  PID:13652
- C:\Windows\System\DjTnqVa.exe
  C:\Windows\System\DjTnqVa.exe
  2⤵
  PID:13672
- C:\Windows\System\jGizcvl.exe
  C:\Windows\System\jGizcvl.exe
  2⤵
  PID:13692
- C:\Windows\System\YwiDfHD.exe
  C:\Windows\System\YwiDfHD.exe
  2⤵
  PID:13708
- C:\Windows\System\MAcdhWM.exe
  C:\Windows\System\MAcdhWM.exe
  2⤵
  PID:13724
- C:\Windows\System\KITFvPj.exe
  C:\Windows\System\KITFvPj.exe
  2⤵
  PID:13740
- C:\Windows\System\IjyRNYn.exe
  C:\Windows\System\IjyRNYn.exe
  2⤵
  PID:13756
- C:\Windows\System\rhXCbCj.exe
  C:\Windows\System\rhXCbCj.exe
  2⤵
  PID:13772
- C:\Windows\System\KVpWery.exe
  C:\Windows\System\KVpWery.exe
  2⤵
  PID:13788
- C:\Windows\System\CWLprNg.exe
  C:\Windows\System\CWLprNg.exe
  2⤵
  PID:13804
- C:\Windows\System\OuMgwuw.exe
  C:\Windows\System\OuMgwuw.exe
  2⤵
  PID:13820
- C:\Windows\System\fzEjKXM.exe
  C:\Windows\System\fzEjKXM.exe
  2⤵
  PID:13836
- C:\Windows\System\UCYgDVy.exe
  C:\Windows\System\UCYgDVy.exe
  2⤵
  PID:13852
- C:\Windows\System\pdmZjel.exe
  C:\Windows\System\pdmZjel.exe
  2⤵
  PID:13872
- C:\Windows\System\mgKHvul.exe
  C:\Windows\System\mgKHvul.exe
  2⤵
  PID:13888
- C:\Windows\System\SkFauuT.exe
  C:\Windows\System\SkFauuT.exe
  2⤵
  PID:13912
- C:\Windows\System\PqZqmKL.exe
  C:\Windows\System\PqZqmKL.exe
  2⤵
  PID:13936
- C:\Windows\System\lKxJyjW.exe
  C:\Windows\System\lKxJyjW.exe
  2⤵
  PID:13960
- C:\Windows\System\onzaNxf.exe
  C:\Windows\System\onzaNxf.exe
  2⤵
  PID:13980
- C:\Windows\System\jsXEhxP.exe
  C:\Windows\System\jsXEhxP.exe
  2⤵
  PID:14136
- C:\Windows\System\qMZmqRY.exe
  C:\Windows\System\qMZmqRY.exe
  2⤵
  PID:14152
- C:\Windows\System\KurQwAv.exe
  C:\Windows\System\KurQwAv.exe
  2⤵
  PID:14192
- C:\Windows\System\BfQUHbS.exe
  C:\Windows\System\BfQUHbS.exe
  2⤵
  PID:14220
- C:\Windows\System\WOLAxRE.exe
  C:\Windows\System\WOLAxRE.exe
  2⤵
  PID:14240
- C:\Windows\System\MlsVFit.exe
  C:\Windows\System\MlsVFit.exe
  2⤵
  PID:14256
- C:\Windows\System\PjxghMd.exe
  C:\Windows\System\PjxghMd.exe
  2⤵
  PID:14276
- C:\Windows\System\VkGDOcI.exe
  C:\Windows\System\VkGDOcI.exe
  2⤵
  PID:14296
- C:\Windows\System\FHQdvfd.exe
  C:\Windows\System\FHQdvfd.exe
  2⤵
  PID:14320
- C:\Windows\System\thHaEOe.exe
  C:\Windows\System\thHaEOe.exe
  2⤵
  PID:10752
- C:\Windows\System\XersVmf.exe
  C:\Windows\System\XersVmf.exe
  2⤵
  PID:12368
- C:\Windows\System\vRAoAtT.exe
  C:\Windows\System\vRAoAtT.exe
  2⤵
  PID:12548
- C:\Windows\System\ISgGPJA.exe
  C:\Windows\System\ISgGPJA.exe
  2⤵
  PID:12596
- C:\Windows\System\qyHYJKg.exe
  C:\Windows\System\qyHYJKg.exe
  2⤵
  PID:12656
- C:\Windows\System\WotcmiG.exe
  C:\Windows\System\WotcmiG.exe
  2⤵
  PID:12720
- C:\Windows\System\LlMkdpb.exe
  C:\Windows\System\LlMkdpb.exe
  2⤵
  PID:12752
- C:\Windows\System\azfwriT.exe
  C:\Windows\System\azfwriT.exe
  2⤵
  PID:12784
- C:\Windows\System\PNRROEs.exe
  C:\Windows\System\PNRROEs.exe
  2⤵
  PID:12972
- C:\Windows\System\WKbBDJi.exe
  C:\Windows\System\WKbBDJi.exe
  2⤵
  PID:13044
- C:\Windows\System\wcLTTfT.exe
  C:\Windows\System\wcLTTfT.exe
  2⤵
  PID:13092
- C:\Windows\System\Ghxxmbr.exe
  C:\Windows\System\Ghxxmbr.exe
  2⤵
  PID:8440
- C:\Windows\System\lmJAufx.exe
  C:\Windows\System\lmJAufx.exe
  2⤵
  PID:13260
- C:\Windows\System\wRsmPUw.exe
  C:\Windows\System\wRsmPUw.exe
  2⤵
  PID:11260
- C:\Windows\System\kRpZjrw.exe
  C:\Windows\System\kRpZjrw.exe
  2⤵
  PID:11556

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:11872
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:14180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:15248

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13328

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:11680

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14568

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:13520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:10736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14880

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:14256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12328

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4368

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:15304

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5668

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7596

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10504

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9212

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:12104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:10444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12716

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:15252

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:13568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:15288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6204

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:14792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7520

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2952

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2136

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HJ7J86Y5\microsoft.windows[1].xml

Filesize
97B

MD5
a1d5ffdb726a9647b35792c516a012fc

SHA1
ff330c546ecec38f962e90594f70abe2539f23e5

SHA256
770d9ad3f136a240e498181127342c8282467e14b6dbe6cad10b20c5cba1ec09

SHA512
ead7820a41f5e5e31b2b0b1c0b6bd441899b57fe549f685edda664272ef75e58e4598f2fe4d595bde1cb8c54aa244dda8577f3c10c66b49cc8c1815df02a6a94

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133660700974950546.txt

Filesize
75KB

MD5
af57e67456efd305d46e23149c8018d0

SHA1
92d8f2bb204a0e2c73f080485302331630ca3eca

SHA256
adcd926ddffa3e9e3d2565d4988eefb6f1cecffae7b496b854156703accacad9

SHA512
2ccf0a3e78f012e28f4611d35537d7a695c31c1d98ecab2cfc1167cfe5faf9b6b3f6f10f2f01b95fa7ca2b5fea85a0dbc115e375fcac5860fa6892664566d6b8

Download Submit
C:\Windows\System\APIkpgT.exe

Filesize
1.9MB

MD5
4f069e45ddf4e757f9d0ea55e6c7e58d

SHA1
bf9d1660a47158f7d335655a5f4260a65e82a504

SHA256
1fbe4f206ada12a9b6e37dfc8e70e631164f2ec44c3b3666d84a538543079395

SHA512
17d4dbfe240183f39c09cbebaf08c318a585cef9f9ccc79b6c8258a0e55f6420348bebf6a7ba91623321af95ca37699df7ea5ee74008d31e6d635cea2dcde90d

Download Submit
C:\Windows\System\AqAhIlU.exe

Filesize
1.9MB

MD5
5d1a60c63074ea6888fe25bcaef082f2

SHA1
4f2c0ac3721e7918b4a01c40afd94a828072b66c

SHA256
00024155cab8399039c2f628da7bbf0b28826dd5b4d2c47e0fdbf342bbfac349

SHA512
32da2b1595183ae186789a530030f1f27656e7400818bafcea19e06c2e44d659d76e0ad80e405d79f3c776952b9aed2d77c061db900c13567b33982593ae40d4

Download Submit
C:\Windows\System\DbdiYyF.exe

Filesize
1.9MB

MD5
a49198190781bbbd47381381529fd5af

SHA1
3161998ce75cc09afa806b861acd322cb10cfbb3

SHA256
a0e3058ca244e5630bd01bf6db63d3d2716b55fb1618d0a4da876f7f2ce0595b

SHA512
69ca9dfeffd3a8acacdb8a8bb224841a3acacbb896d3c8c611c1c1f20b3dea13aad2eeb005bbd09375ecb8483243939d6a956b001ce3651439d395ed488fda10

Download Submit
C:\Windows\System\DvWTZOR.exe

Filesize
1.9MB

MD5
301367509101f19ee054c7b8aa5ab272

SHA1
943bcc3015d38d2f6b589906c308cc6a8383ce12

SHA256
f2aa1d5c8df7cf837e4ab031010d412d916e2c8c8853406a6f9c3d81afb761fe

SHA512
aed3e7867013b683afaafe5892d299b3f1ba45fdb255bfc6f35d1cc07c7b12fd03c2ac463ef31aa91bd9c57e89c6a43fb6e99bdda1ca08a5e85f22909dc1b79f

Download Submit
C:\Windows\System\HkOiSxW.exe

Filesize
1.9MB

MD5
241346142b331be4d2ffe0844e07cac4

SHA1
345140bf21e9a3f84150260c0d806ed5394baccc

SHA256
19abd0b2d0b3fda54991c55e883dc75763638b3ed0281d3ba7200483cee274f2

SHA512
8b27b1cbe5d155e0a247fe8ecef0391bb6701d4178f065e725bb5c6e1ac6fc0995d7c738232ac3e7645a2add61b5e263f575c7a59e80ab473c24677df9a7101a

Download Submit
C:\Windows\System\HoAgYkT.exe

Filesize
1.9MB

MD5
87fbcebe2871ab698d39acec4c58402d

SHA1
ecd3aedd49fa8b009eff3e1fa8f9c38ae1b6b039

SHA256
441f93f1e3cdb2aef83ec86fbc9ec7950605da5703f8d23b1e89a1492dc2dc44

SHA512
66171ac810f44e209fced44b8178da5d1bc15af539157b8bfc17bb6b7ce2bf55657ac9a36932f5aded6e57d83bc369676c640544af9ea91893de1c5c4612c5a8

Download Submit
C:\Windows\System\JXfMSaR.exe

Filesize
1.9MB

MD5
dea52b28b5acd4ad718e015c88ca28d5

SHA1
f9684286bac71c3f615d6eaffeb6910def609388

SHA256
cc7029cb13dfe2e4297a0aee6e725e12032158d1a0fbdad559cd9079a9ecac01

SHA512
f66ab03d83c5fa53870b2981f3b8e07a89c0b57b284556c28af1c5eeb5f1c6d071d74ddda715a58fcdb03894c4dc59937876b40818edc964bb9907cd9520c528

Download Submit
C:\Windows\System\JqwASVb.exe

Filesize
1.9MB

MD5
008d219bcde82d40d95f334ed62c6cc2

SHA1
4acd54d0663ef1a7be24c331d8de7d9d4ab4126d

SHA256
ab6aa326033258d46ffbbb7283ca12aff511c741f30c6da89d9210d50c24947e

SHA512
9a88f1bb385895926da5bdeaa5dd613ff323dcd0c6a938a8deec0ac763d5cd6af072f334d3db0e405d95a2aaff3b8e1540c72d5fbc57e64f50a91edc5d6f5ea8

Download Submit
C:\Windows\System\MHmzJDX.exe

Filesize
1.9MB

MD5
984ecec9d3fbb314d62ba0265c541a4e

SHA1
3ec0ed0c9f28e0e3c33b3e7922d1c71200ff0c57

SHA256
4cff5d43679f793e8244e9d55bca784fd5c61f84bacff0de9397e0a80aa347ab

SHA512
507cc83e68e2817a10ac146522cf6c593eed3b2ab3bac665b5e503f5a89f6d6fc76e5d4a4b513e911b64a65baa751d83c658cda7a4f3b79d732e41d5b17ffe30

Download Submit
C:\Windows\System\PdYKCJI.exe

Filesize
1.9MB

MD5
f4d4df83f193545f72d336504415c025

SHA1
e352f47206182ab87879f263d99057db1981c3c7

SHA256
7353c94063db6ba5149a3edd34ac1604aa5fb9aa97c00eda2a2edf27688fb811

SHA512
5890c83581734f0ff7da4a70021d2b27555ffbc04f43fd257c51848f43b98d78643607416937e1cab97bef9a51f1e19101401b7c720d4870c89a4d8ac0406b11

Download Submit
C:\Windows\System\RSGNflV.exe

Filesize
1.9MB

MD5
348b337c152607affc89c7daa5f4efc0

SHA1
bb179826a75cbb9823be25d41c5bc53c405e0f77

SHA256
3d5c8567e247346a3b7b48fa9d47b6cd6b9e71afc38b06c796462c0c32f75107

SHA512
c23ae42a1489074fa65f3767456adb3892f406a8c4eec53f944365c5f704cac324ff2ddd33a63bc306eb5206a2f007ede7be3a02beab76c31b42f4e7b076b293

Download Submit
C:\Windows\System\RghyLKC.exe

Filesize
1.9MB

MD5
5ff8cd3261162b294d0b4f2a41f0edb0

SHA1
451d88fe039fd8eb5f001ec1df6b2f70a7ea805d

SHA256
70469e798bd1fd23396123c95c5633d3e722096fd75cf12780e9c2dbb366a393

SHA512
33f0ddbd9602b0396e19dd599818b65c5df36d6ec38e5f36c94d7d418590e1c628e01468354a4919d8db6cfa2f9c56a52fa920d27471f4c60e3e9a79e6708ed8

Download Submit
C:\Windows\System\SZuEBzt.exe

Filesize
1.9MB

MD5
615472e6f1e2a2ce9c0e83477cef89ae

SHA1
3e3316deb53e9d0d5044e28f8e3edd6a43d064c0

SHA256
e51538a98510bfe6dc9738947aa9dff13871dbc182d3913921a0ff004946d7ea

SHA512
bf4382e21a0183f40e8c680ae24fca0009172236ee3092f7bfda536cdf27377f1528a227168c7e92d6dcf75f3cd62ee0dc7b6870e5c770da866294b2f03e3142

Download Submit
C:\Windows\System\UizPyfr.exe

Filesize
1.9MB

MD5
525cdaff1f2b7910fbd228cd7649e1a4

SHA1
6cbd4162b63d6f9c44b1773bb608b2fe39217901

SHA256
d7db3198701f6ab03d6dd0a3264bc9b58ea20e8506ab0feb3c1d70c05c6801b9

SHA512
4216bfa082811a0551aa3e44a981d18fff1d9b5c63273296c18b51a5a7e6f5b5a11a8e4099b9a5a0c92ea0b64a746635335603756a2948c6f396b61d30907984

Download Submit
C:\Windows\System\WKYOhdH.exe

Filesize
1.9MB

MD5
c001fb970d213cb8d250a7f87cd53c1b

SHA1
0ffacd7c74daf21f56d886a6c00560e3fadd2b12

SHA256
747fa4ecef4718819ea6572977ad030c70d91c7eed126e04e4baabe772ceec37

SHA512
6d198213ccee80508f63458290bfd7ad827def97a92fcd137c593315cd05d9506d5a1a0a37dda76def7154410959ba5e19f825621e290496c19df057343cbadd

Download Submit
C:\Windows\System\XcWhuNP.exe

Filesize
1.9MB

MD5
81a58369108c7491a1a054d978d48619

SHA1
7cb6fdfe97254224f49e914815c6c2ea481de6ab

SHA256
f76b179d2ed6e2ef8deefdc5f9a0f7f16826c5111aaab77c0072ea7caeeb0299

SHA512
786129fbc36dd426b380e603e92c287188cf6c2b404e9f83b5a56559ff739e62c84d793b8954ac067a12d5b3730558c497e1e2efa203ffeaada5009862f8f353

Download Submit
C:\Windows\System\XkeFHpJ.exe

Filesize
1.9MB

MD5
66528f9e5ae5733acd4707056a6ec88e

SHA1
b045ed8fe80cbab42a9dc1b144066b18967b756b

SHA256
1a16363ab1d415372b76e462bbedaa14dc3c0f410ce11bd39698f41d5426edc1

SHA512
464c31bdfbb6e7211b2d57cdf7289de7e23a9c7265747f738f320684803fb55aabebbcbd9f46b524cc0fb6096b344506014cd1959e1b9dabe128ba62e6605b77

Download Submit
C:\Windows\System\XqudVqT.exe

Filesize
1.9MB

MD5
0cefc003346c9cd11863c1b2c6cb41e3

SHA1
ce91f8a39c7bc74212c47461abdfc25928f56557

SHA256
437aaa7b58bd28acf4e805c768938c0608582560564a205f5ec863d169b618bb

SHA512
83225bccabf727f4486722231f0a9859a152c6c2aa152a988fc93afcb719a6f2a3b2ccbc0a45f9464f31b6f28bdb20d846da9790d4a82a5f6fb28b314a4daab8

Download Submit
C:\Windows\System\YtoIdKa.exe

Filesize
1.9MB

MD5
07e104279b3c68e4999ff9db1a12ebbb

SHA1
268998121de579ef4260fcd9c2f4d0f8212d60ee

SHA256
1abd4844c7f3d1b75ce2526eddb3112f44fb03595e8119ecee8ccf7c1afc37b7

SHA512
54c4625f2e289bc6a40b5fd00cfdc5184fedbd51c0d15c5cf1fe22e161ad9770837b3e1211e01140cfbab4d18ea86d2ca12d83ec0a09bb4b94ffd42e07f72e05

Download Submit
C:\Windows\System\ccfSdYp.exe

Filesize
1.9MB

MD5
921c3e99bac8c45ec10f20e6a7f5b22a

SHA1
afbb8acf8d546863c702d84995276be1833e645e

SHA256
c6417dcb7724659b96537ec8115d9d1d9e2b5d9024203728239dd81a84a2adc0

SHA512
b1e64933861a0f864d0c9e28f8dcf6864c07be0a480640f0c2ef486fdd8bc918c0a8e654da4fe2338f9bf23c0713bd117e3446da071132c2601910ad367de026

Download Submit
C:\Windows\System\eGaDwwb.exe

Filesize
1.9MB

MD5
5f1224f66feae1049cd0b4b9c29dd836

SHA1
117d8d4d313661a9bc87f75b2a44d9008790be8c

SHA256
a64e87aac7c71528d221bc42c3fad7b044aeaf35aa88a3e87d6a9e932d133b24

SHA512
bcfca053ea1427c1472d964d61551f0f65b26e0ac193b35edf97714609ea8d98e3be4b00ca8ea6c300b85ed64eeca9e4b95ac0ec6eb0b708a3115dbc41a4a0b1

Download Submit
C:\Windows\System\fFJwUWu.exe

Filesize
1.9MB

MD5
99f3f31cbaae69fdf2fce6663bfe7b69

SHA1
7913d4e06c87e279838109af6cbb3a0376728dbe

SHA256
b3e67748a825a07c4e4e883fd162aa51456a8cc2e97ce82fda8fc65307ab5d61

SHA512
167d08d330fa55d6f08c275a981255f23193e4a9058542fc336a32afe8cb38b8b59e44fb61fd3a2134886644b3f80d871b4f8edee2076076baba2f69a3af3aca

Download Submit
C:\Windows\System\gPlnQZC.exe

Filesize
1.9MB

MD5
01aa937e9f228748c6817e7b5494b9a3

SHA1
0de09bfcabb6cb9213880ffd662ccdb1b5917e28

SHA256
11419e077e8c0037538286a3d97d71fb706509e6633347c6a77470ff5ffe1090

SHA512
94708a529d8a08b0952367647d5f57c0fa099bf23a63bbe6a0b05a138e45dda955c10dd862f1106d5df9b9473fa4cc0b953ad4318f999ac78aa4d74e80f7be59

Download Submit
C:\Windows\System\hWXUXpV.exe

Filesize
1.9MB

MD5
5cf3d2b746efceaa202953ddcb60281b

SHA1
aac110fa77666c17401d78642a3ee48ba5217691

SHA256
489536a049cd299b9cd030b5d944b344b02ce642ce4e02f8bccb94f9a0b1e62b

SHA512
3d6e43ab18c09fb46b9e4aea9429322f8df2bdd81a354899d9f98a4a85f6eefad66572aed1a36c6df1e156c46806559cd962f9010886bd92fde676eaa864a8f4

Download Submit
C:\Windows\System\lPiGAey.exe

Filesize
1.9MB

MD5
81a14250ef997930583ca087f7b40afe

SHA1
a26f2d44860de89a86133f672f8810fa916945d9

SHA256
1ce9c26fa85c2d56baff87cf8d8daccd9276dc24fac302119c1211ee2bc03418

SHA512
406ad730f37b826f57afc6a5835fcdded82344120799dc44d6920d032e59d351c1cd72e496a518bc929aa38127ff35dbacfd5043c4fce06c605fad11a565bc39

Download Submit
C:\Windows\System\lYuHnBe.exe

Filesize
1.9MB

MD5
913a271f00bd920355dbb129eb69de77

SHA1
24015f7e417a4a39face89c4afea2eeda12bf948

SHA256
9ebaff7abecd5e398c77f1eb0d3b25028408c663549ae0932942855c4921cae2

SHA512
9d2b98b4aacf3c3f8a93b20efd84f2d9b885bd759b9b695afed7ad1656258c335a165bbc4abe673813877e2db9406d80539d7a18fc8b41dc014a40d2f87f4b35

Download Submit
C:\Windows\System\lxVlbuP.exe

Filesize
1.9MB

MD5
51a7778523a6be23597af45c5a64df46

SHA1
7deabeafc0314d6ad996e56046c022401dd8dda1

SHA256
36bb67b08ecf401e58aac2cbba5fb5ae9bfd001d0658f63068fd0c0030066127

SHA512
e0aaeaf4078ca739399f699643c63cddba7c776f049ee09b5db64fc0ecdc1ca9305717389cca80b8c5a09dc0f3dda82eb4968317845982205afe0c1b335b9d9d

Download Submit
C:\Windows\System\nGGmzks.exe

Filesize
1.9MB

MD5
010837be3b3f524f6845ef05e095f174

SHA1
e76e2c10b6e92bc6fa80ee6612c9f4ceb91d1c55

SHA256
168ef06e09730517d83e11c779325ce304a764d8bbc937eae093a5f47bff95cd

SHA512
0ec3c7f9d19b588c216671afe141274ee3183b7462cbe22c0c218f418c24d5f2c0d4946b6c61d86dee967a35103d48eb1f80356e0cf9b8511b3a0d9813f368d6

Download Submit
C:\Windows\System\nbIGUet.exe

Filesize
1.9MB

MD5
5919c8f598d2bb804c32e590b7b9630e

SHA1
e645932d70e8971367527f917295d80e3592112a

SHA256
93b2eccf2c5e5849c58a38cca626da10a75653408d0ecc7fbd535b348a824a80

SHA512
4cd5aebbd73319442bfb40d27bbd5ec20c1c200f333b2c90800d5657ae1ce8484026eaffc0ace99614496d7f41df4deb52c2d670636803dd916be0e5582c0150

Download Submit
C:\Windows\System\pDHAXTU.exe

Filesize
1.9MB

MD5
2ed6bcaf0a9ae46080f553e84f28d871

SHA1
2e52fa17102b6ecdec154e9ca1cbd09a05938134

SHA256
cf7c3e2f76b64c90a2fead878954fe96e8364bae5054bff8aee15556657fbf79

SHA512
8785158add5957361e046e4b018a39ef493f1af428b68df1c7bf1c457e90eeb7682854bca495931c151397f56280c9be0c3cb9af7544a7ba6bf5ab66052e54c7

Download Submit
C:\Windows\System\rmWHQzK.exe

Filesize
1.9MB

MD5
01954343d6ed6ff1a56bf9ef1eb45ca1

SHA1
8660e5493aa5418c2980a88532004b7d4e4f625a

SHA256
d50c6c972e6389108c4b94d66c04b70bab1cc904ed944f08b72e7f89220f5358

SHA512
52464ccab9f416bff16bcd83681a87c5c52ed5a0adea251a84abe2806b23d74724386a4a7345bf750f9e2b1206dbe7ee9914794ab8e52c2891d42cdce9a44733

Download Submit
C:\Windows\System\sZnbIVT.exe

Filesize
1.9MB

MD5
96a49810927ed16ff6abe862b9c9a291

SHA1
1d8bec2f5822bea9b3863fe0e92f3bfaa97edaa9

SHA256
8f3230a4e398b04dfd058f81ff93bfe6f5e39f31fd9335494e4f001dcd22a2c5

SHA512
873a0beda67c6e5302c688cf997c6c708d2e378656033c570e3ef63093f46a15ec190fad18d55a9dc531768d694db036c23ae9f130db1410311836002e6a195c

Download Submit
C:\Windows\System\tglygOL.exe

Filesize
1.9MB

MD5
de4982d8cc8bac7f2dd4f20c392c85f1

SHA1
39094697b34441c366ae50cee8df47e7b33d84b5

SHA256
843b0a9f6cdb4f8370dd759e72d395ea9086d53c2e928dfa8c52675412c4b794

SHA512
4b05c970493f7399613dda40ade7515f7de9892624956857bed666e0f0056d05132b18df975caae55d3c3c9befcb497120dd468692ec2ba3ec8ae8cd2b41d883

Download Submit
C:\Windows\System\uXsQjqa.exe

Filesize
1.9MB

MD5
f7e88b195e35abb4b17830aca512118d

SHA1
9e9adc0d2f194c38c6d7d0c516f3639681bef5bb

SHA256
e4e1ef1a8abad28309a89fc43a7a0e99600942e4977f1f06ec17046578a9fa5d

SHA512
ce809bd32d477345eec1fc0cdfb865e7c7d607c72244e652008f9adb0597c312616c2172a9201f3c16b889a954ffbdbc04b6d57fe39686d7ccbcfb45ddb64678

Download Submit
C:\Windows\System\vSwocCd.exe

Filesize
1.9MB

MD5
7e13360d665ae9e933c9b60b3cc4baae

SHA1
2dc3f8b35a497915af8a49926053a84a38b06dcf

SHA256
09def39ef133e41c52e29d5a05868b899a041a2eced0170bb1701e2d8bdef790

SHA512
1d56d0371fdc07b91cf64eafdf4ac15120fc70b377f7159a0ace47f1d6a38517b8fae65b0e1bee08c85d0a5f2fcfa0603616af4cda2e054685adedcf875b6997

Download Submit
C:\Windows\System\ySSiLMx.exe

Filesize
1.9MB

MD5
e66ba9df9077072a1fd6067b0e503dc5

SHA1
3ad77979163c28d71cf5ab9e742086f4f4ffdb18

SHA256
39acb53973edb0fc8c37748d1154652c75e1d42f8583c89abb4b61ba6530f4fa

SHA512
fb6950750516eff918e8936b077a1f62170b57825e7f3ebe37a7f5ae71c1a34adc71ecae3df6b615a269c33edea32b39e3facac1ca61e7c7dee96057e21c61bf

Download Submit
C:\Windows\System\ydkyIqX.exe

Filesize
1.9MB

MD5
2223386ae5a06c8fee38de8ffe41051e

SHA1
4bfdf67f29699648126f2ba668af80123fc2b862

SHA256
6fbf98a7bb6f542da313727290129df39d59412731262b51d8391ee2763abfa7

SHA512
0f82a669a7d6f97d9cc67e378d69e5e5542d256fe5f93a884e613cefd0bce5918076f6e06548326454d7a46a883296ea49b560070e2945cf4fb1609203289de8

Download Submit
C:\Windows\System\zziklvF.exe

Filesize
1.9MB

MD5
15e4087139409095c669780805eb22ea

SHA1
0f8a505655004255c40520cf964f0cfa5abbb6a9

SHA256
134d2d6241ae64e49b7a04761948127005c4b27e9e2411da061b870fb6c36e4d

SHA512
6e800faca0ce59c9784d7cbd9e03f3b4b447f77f1a54ad87a0f1d712c89942d790010887700ea9e692ec27bd448ec3dcc049a16e90d8fa1434215668e1cac786

Download Submit
memory/748-2567-0x00007FF6C51D0000-0x00007FF6C5521000-memory.dmp

Filesize
3.3MB

Download
memory/748-369-0x00007FF6C51D0000-0x00007FF6C5521000-memory.dmp

Filesize
3.3MB

Download
memory/1116-318-0x00007FF70B510000-0x00007FF70B861000-memory.dmp

Filesize
3.3MB

Download
memory/1116-2577-0x00007FF70B510000-0x00007FF70B861000-memory.dmp

Filesize
3.3MB

Download
memory/1200-67-0x00007FF767D50000-0x00007FF7680A1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-2535-0x00007FF767D50000-0x00007FF7680A1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-148-0x00007FF6DFAF0000-0x00007FF6DFE41000-memory.dmp

Filesize
3.3MB

Download
memory/1412-2531-0x00007FF6DFAF0000-0x00007FF6DFE41000-memory.dmp

Filesize
3.3MB

Download
memory/1504-2521-0x00007FF78FD80000-0x00007FF7900D1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-97-0x00007FF78FD80000-0x00007FF7900D1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-2573-0x00007FF6EA660000-0x00007FF6EA9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1876-335-0x00007FF6EA660000-0x00007FF6EA9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-364-0x00007FF76FC00000-0x00007FF76FF51000-memory.dmp

Filesize
3.3MB

Download
memory/1888-2571-0x00007FF76FC00000-0x00007FF76FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2364-228-0x00007FF7815B0000-0x00007FF781901000-memory.dmp

Filesize
3.3MB

Download
memory/2364-2534-0x00007FF7815B0000-0x00007FF781901000-memory.dmp

Filesize
3.3MB

Download
memory/2768-345-0x00007FF7F30E0000-0x00007FF7F3431000-memory.dmp

Filesize
3.3MB

Download
memory/2768-2581-0x00007FF7F30E0000-0x00007FF7F3431000-memory.dmp

Filesize
3.3MB

Download
memory/2872-2579-0x00007FF7CFAA0000-0x00007FF7CFDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-267-0x00007FF7CFAA0000-0x00007FF7CFDF1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-39-0x00007FF666460000-0x00007FF6667B1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-2515-0x00007FF666460000-0x00007FF6667B1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-370-0x00007FF7190C0000-0x00007FF719411000-memory.dmp

Filesize
3.3MB

Download
memory/3048-2583-0x00007FF7190C0000-0x00007FF719411000-memory.dmp

Filesize
3.3MB

Download
memory/3152-2585-0x00007FF676EC0000-0x00007FF677211000-memory.dmp

Filesize
3.3MB

Download
memory/3152-308-0x00007FF676EC0000-0x00007FF677211000-memory.dmp

Filesize
3.3MB

Download
memory/3324-371-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3324-2588-0x00007FF66A550000-0x00007FF66A8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-42-0x00007FF6BE1A0000-0x00007FF6BE4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3388-2519-0x00007FF6BE1A0000-0x00007FF6BE4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-2556-0x00007FF797A30000-0x00007FF797D81000-memory.dmp

Filesize
3.3MB

Download
memory/3640-365-0x00007FF797A30000-0x00007FF797D81000-memory.dmp

Filesize
3.3MB

Download
memory/3864-2636-0x00007FF6F4A60000-0x00007FF6F4DB1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-366-0x00007FF6F4A60000-0x00007FF6F4DB1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-2605-0x00007FF675490000-0x00007FF6757E1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-187-0x00007FF675490000-0x00007FF6757E1000-memory.dmp

Filesize
3.3MB

Download
memory/4152-2513-0x00007FF7D7D30000-0x00007FF7D8081000-memory.dmp

Filesize
3.3MB

Download
memory/4152-70-0x00007FF7D7D30000-0x00007FF7D8081000-memory.dmp

Filesize
3.3MB

Download
memory/4372-2122-0x00007FF637B80000-0x00007FF637ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-0-0x00007FF637B80000-0x00007FF637ED1000-memory.dmp

Filesize
3.3MB

Download
memory/4372-1-0x0000015F955C0000-0x0000015F955D0000-memory.dmp

Filesize
64KB

Download
memory/4488-344-0x00007FF79B070000-0x00007FF79B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-2527-0x00007FF79B070000-0x00007FF79B3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-2529-0x00007FF735EA0000-0x00007FF7361F1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-100-0x00007FF735EA0000-0x00007FF7361F1000-memory.dmp

Filesize
3.3MB

Download
memory/4528-271-0x00007FF6AC530000-0x00007FF6AC881000-memory.dmp

Filesize
3.3MB

Download
memory/4528-2575-0x00007FF6AC530000-0x00007FF6AC881000-memory.dmp

Filesize
3.3MB

Download
memory/4544-2564-0x00007FF68EF70000-0x00007FF68F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4544-334-0x00007FF68EF70000-0x00007FF68F2C1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-2523-0x00007FF6F4290000-0x00007FF6F45E1000-memory.dmp

Filesize
3.3MB

Download
memory/4572-368-0x00007FF6F4290000-0x00007FF6F45E1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-189-0x00007FF6719A0000-0x00007FF671CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-2525-0x00007FF6719A0000-0x00007FF671CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-2517-0x00007FF64BB30000-0x00007FF64BE81000-memory.dmp

Filesize
3.3MB

Download
memory/4780-367-0x00007FF64BB30000-0x00007FF64BE81000-memory.dmp

Filesize
3.3MB

Download
memory/4832-2511-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-14-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/4868-354-0x00007FF7E07C0000-0x00007FF7E0B11000-memory.dmp

Filesize
3.3MB

Download
memory/4868-2569-0x00007FF7E07C0000-0x00007FF7E0B11000-memory.dmp

Filesize
3.3MB

Download
memory/5032-2607-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp

Filesize
3.3MB

Download
memory/5032-363-0x00007FF6D3C20000-0x00007FF6D3F71000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads