xmrig | b48985082f9fc595d021a4b8aea4b74621510fac209597bf2282c3d6c6a6d072

Analysis

max time kernel
54s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 09:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7633f2751eb4060672c4b0ae0eb22b0N.exe
Size

1.7MB
MD5

b7633f2751eb4060672c4b0ae0eb22b0
SHA1

466e0bf76857307d218cbbbb018279bc80374564
SHA256

b48985082f9fc595d021a4b8aea4b74621510fac209597bf2282c3d6c6a6d072
SHA512

e96f57ef0de134c8b5d8fe1d919c56a615149e3eeced3243b9299cfde9db92523b8707eeeb7ff33fee716bea906d1ea6f0f6e8a21ce0fc6e2f88561e36952b3c
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcquVoVbvVkNgoZ1ssoPi75BYMZVCDVZX9i:knw9oUUEEDl37jcquVoVJjDNOhQXg

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1984-360-0x00007FF718780000-0x00007FF718B71000-memory.dmp	xmrig
behavioral2/memory/112-355-0x00007FF755500000-0x00007FF7558F1000-memory.dmp	xmrig
behavioral2/memory/5104-364-0x00007FF73E8C0000-0x00007FF73ECB1000-memory.dmp	xmrig
behavioral2/memory/32-381-0x00007FF6275C0000-0x00007FF6279B1000-memory.dmp	xmrig
behavioral2/memory/3740-384-0x00007FF6849B0000-0x00007FF684DA1000-memory.dmp	xmrig
behavioral2/memory/3904-397-0x00007FF752AE0000-0x00007FF752ED1000-memory.dmp	xmrig
behavioral2/memory/2312-395-0x00007FF7A8C90000-0x00007FF7A9081000-memory.dmp	xmrig
behavioral2/memory/2364-392-0x00007FF7353F0000-0x00007FF7357E1000-memory.dmp	xmrig
behavioral2/memory/4316-391-0x00007FF6F4940000-0x00007FF6F4D31000-memory.dmp	xmrig
behavioral2/memory/4348-375-0x00007FF6BB550000-0x00007FF6BB941000-memory.dmp	xmrig
behavioral2/memory/748-409-0x00007FF649660000-0x00007FF649A51000-memory.dmp	xmrig
behavioral2/memory/1380-420-0x00007FF7BA510000-0x00007FF7BA901000-memory.dmp	xmrig
behavioral2/memory/4948-421-0x00007FF7A1BC0000-0x00007FF7A1FB1000-memory.dmp	xmrig
behavioral2/memory/4084-414-0x00007FF7E99F0000-0x00007FF7E9DE1000-memory.dmp	xmrig
behavioral2/memory/2420-426-0x00007FF7C32C0000-0x00007FF7C36B1000-memory.dmp	xmrig
behavioral2/memory/3876-432-0x00007FF66E270000-0x00007FF66E661000-memory.dmp	xmrig
behavioral2/memory/1348-433-0x00007FF722CB0000-0x00007FF7230A1000-memory.dmp	xmrig
behavioral2/memory/2500-434-0x00007FF73F000000-0x00007FF73F3F1000-memory.dmp	xmrig
behavioral2/memory/4140-440-0x00007FF6DD3E0000-0x00007FF6DD7D1000-memory.dmp	xmrig
behavioral2/memory/1608-444-0x00007FF6EFE10000-0x00007FF6F0201000-memory.dmp	xmrig
behavioral2/memory/1232-1956-0x00007FF782560000-0x00007FF782951000-memory.dmp	xmrig
behavioral2/memory/4404-1957-0x00007FF646850000-0x00007FF646C41000-memory.dmp	xmrig
behavioral2/memory/4504-1982-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp	xmrig
behavioral2/memory/4988-1984-0x00007FF795A70000-0x00007FF795E61000-memory.dmp	xmrig
behavioral2/memory/1232-2024-0x00007FF782560000-0x00007FF782951000-memory.dmp	xmrig
behavioral2/memory/4404-2089-0x00007FF646850000-0x00007FF646C41000-memory.dmp	xmrig
behavioral2/memory/4504-2076-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp	xmrig
behavioral2/memory/4988-2118-0x00007FF795A70000-0x00007FF795E61000-memory.dmp	xmrig
behavioral2/memory/5104-2132-0x00007FF73E8C0000-0x00007FF73ECB1000-memory.dmp	xmrig
behavioral2/memory/4348-2134-0x00007FF6BB550000-0x00007FF6BB941000-memory.dmp	xmrig
behavioral2/memory/32-2136-0x00007FF6275C0000-0x00007FF6279B1000-memory.dmp	xmrig
behavioral2/memory/1984-2130-0x00007FF718780000-0x00007FF718B71000-memory.dmp	xmrig
behavioral2/memory/112-2128-0x00007FF755500000-0x00007FF7558F1000-memory.dmp	xmrig
behavioral2/memory/1608-2126-0x00007FF6EFE10000-0x00007FF6F0201000-memory.dmp	xmrig
behavioral2/memory/2420-2155-0x00007FF7C32C0000-0x00007FF7C36B1000-memory.dmp	xmrig
behavioral2/memory/4084-2153-0x00007FF7E99F0000-0x00007FF7E9DE1000-memory.dmp	xmrig
behavioral2/memory/2500-2163-0x00007FF73F000000-0x00007FF73F3F1000-memory.dmp	xmrig
behavioral2/memory/4140-2166-0x00007FF6DD3E0000-0x00007FF6DD7D1000-memory.dmp	xmrig
behavioral2/memory/1348-2160-0x00007FF722CB0000-0x00007FF7230A1000-memory.dmp	xmrig
behavioral2/memory/3876-2158-0x00007FF66E270000-0x00007FF66E661000-memory.dmp	xmrig
behavioral2/memory/748-2156-0x00007FF649660000-0x00007FF649A51000-memory.dmp	xmrig
behavioral2/memory/1380-2149-0x00007FF7BA510000-0x00007FF7BA901000-memory.dmp	xmrig
behavioral2/memory/3904-2147-0x00007FF752AE0000-0x00007FF752ED1000-memory.dmp	xmrig
behavioral2/memory/2364-2145-0x00007FF7353F0000-0x00007FF7357E1000-memory.dmp	xmrig
behavioral2/memory/2312-2143-0x00007FF7A8C90000-0x00007FF7A9081000-memory.dmp	xmrig
behavioral2/memory/4316-2140-0x00007FF6F4940000-0x00007FF6F4D31000-memory.dmp	xmrig
behavioral2/memory/4948-2151-0x00007FF7A1BC0000-0x00007FF7A1FB1000-memory.dmp	xmrig
behavioral2/memory/3740-2138-0x00007FF6849B0000-0x00007FF684DA1000-memory.dmp	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1232	ryuafRK.exe
4504	cYLhdCA.exe
4404	ZJiEZrn.exe
4988	OVBEcme.exe
1608	itKCifk.exe
112	SOJtKdn.exe
1984	TPiDCkQ.exe
5104	EslbaAx.exe
4348	xRYhznN.exe
32	wDraFrv.exe
3740	eSCbHMA.exe
4316	aJuXtog.exe
2364	oZGZPDQ.exe
2312	mvDsaie.exe
3904	SuJBKQN.exe
748	DQMZHsf.exe
4084	fwrUYaC.exe
1380	qcgWqDt.exe
4948	cWIqMLL.exe
2420	SdEhSBM.exe
3876	pEdACKX.exe
1348	COHcMGo.exe
2500	tmkRlDb.exe
4140	MpFcRQr.exe
3608	JCVIGkU.exe
4512	HevjMkg.exe
5052	ErCDXYw.exe
3272	tTqNQAJ.exe
2472	GhFusSS.exe
1056	kBAZeOo.exe
4168	BiSVZZf.exe
2504	GdegPct.exe
1868	qqkfvyk.exe
4536	BWqWLaC.exe
2660	TvbnxqV.exe
3348	UjOdyCP.exe
432	MsRHjWl.exe
3056	LMNanIW.exe
1356	LyJoTiv.exe
2960	kaizjcE.exe
3164	lsvzVfV.exe
3676	adgSYpo.exe
2684	njVWSjM.exe
2596	uZbGrOD.exe
2024	iljkYUU.exe
2388	oMNpPwQ.exe
3400	caZdyTw.exe
3900	gFgJrSs.exe
4396	DzuDXcG.exe
4496	InPsmoN.exe
1904	BOfDWSD.exe
2928	WTWpkrP.exe
3188	ncuFtWn.exe
4724	KssqoWJ.exe
1572	MxiRmWB.exe
2972	CosdWeI.exe
4932	pnwODXi.exe
3240	gDFKxKC.exe
2608	wfytLVt.exe
64	XxLYUJl.exe
4464	ezPtgiX.exe
3612	dDQUElX.exe
4600	YuzvPNi.exe
1688	uztxGLd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3408-0-0x00007FF641A00000-0x00007FF641DF1000-memory.dmp	upx
behavioral2/files/0x00080000000234bc-5.dat	upx
behavioral2/memory/1232-6-0x00007FF782560000-0x00007FF782951000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-9.dat	upx
behavioral2/files/0x00070000000234c0-11.dat	upx
behavioral2/memory/4504-17-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-27.dat	upx
behavioral2/files/0x00070000000234c2-26.dat	upx
behavioral2/files/0x00070000000234c4-35.dat	upx
behavioral2/files/0x00070000000234c6-45.dat	upx
behavioral2/files/0x00070000000234c7-50.dat	upx
behavioral2/files/0x00070000000234c8-55.dat	upx
behavioral2/files/0x00070000000234c9-60.dat	upx
behavioral2/files/0x00070000000234ca-65.dat	upx
behavioral2/files/0x00070000000234cd-80.dat	upx
behavioral2/files/0x00070000000234d4-115.dat	upx
behavioral2/files/0x00070000000234d6-125.dat	upx
behavioral2/files/0x00070000000234db-150.dat	upx
behavioral2/files/0x00070000000234dd-160.dat	upx
behavioral2/memory/1984-360-0x00007FF718780000-0x00007FF718B71000-memory.dmp	upx
behavioral2/memory/112-355-0x00007FF755500000-0x00007FF7558F1000-memory.dmp	upx
behavioral2/memory/5104-364-0x00007FF73E8C0000-0x00007FF73ECB1000-memory.dmp	upx
behavioral2/memory/32-381-0x00007FF6275C0000-0x00007FF6279B1000-memory.dmp	upx
behavioral2/memory/3740-384-0x00007FF6849B0000-0x00007FF684DA1000-memory.dmp	upx
behavioral2/memory/3904-397-0x00007FF752AE0000-0x00007FF752ED1000-memory.dmp	upx
behavioral2/memory/2312-395-0x00007FF7A8C90000-0x00007FF7A9081000-memory.dmp	upx
behavioral2/memory/2364-392-0x00007FF7353F0000-0x00007FF7357E1000-memory.dmp	upx
behavioral2/memory/4316-391-0x00007FF6F4940000-0x00007FF6F4D31000-memory.dmp	upx
behavioral2/memory/4348-375-0x00007FF6BB550000-0x00007FF6BB941000-memory.dmp	upx
behavioral2/memory/748-409-0x00007FF649660000-0x00007FF649A51000-memory.dmp	upx
behavioral2/memory/1380-420-0x00007FF7BA510000-0x00007FF7BA901000-memory.dmp	upx
behavioral2/memory/4948-421-0x00007FF7A1BC0000-0x00007FF7A1FB1000-memory.dmp	upx
behavioral2/memory/4084-414-0x00007FF7E99F0000-0x00007FF7E9DE1000-memory.dmp	upx
behavioral2/memory/2420-426-0x00007FF7C32C0000-0x00007FF7C36B1000-memory.dmp	upx
behavioral2/memory/3876-432-0x00007FF66E270000-0x00007FF66E661000-memory.dmp	upx
behavioral2/memory/1348-433-0x00007FF722CB0000-0x00007FF7230A1000-memory.dmp	upx
behavioral2/memory/2500-434-0x00007FF73F000000-0x00007FF73F3F1000-memory.dmp	upx
behavioral2/memory/4140-440-0x00007FF6DD3E0000-0x00007FF6DD7D1000-memory.dmp	upx
behavioral2/memory/1608-444-0x00007FF6EFE10000-0x00007FF6F0201000-memory.dmp	upx
behavioral2/files/0x00070000000234de-165.dat	upx
behavioral2/files/0x00070000000234dc-155.dat	upx
behavioral2/files/0x00070000000234da-145.dat	upx
behavioral2/files/0x00070000000234d9-140.dat	upx
behavioral2/files/0x00070000000234d8-135.dat	upx
behavioral2/files/0x00070000000234d7-130.dat	upx
behavioral2/files/0x00070000000234d5-120.dat	upx
behavioral2/files/0x00070000000234d3-110.dat	upx
behavioral2/files/0x00070000000234d2-105.dat	upx
behavioral2/files/0x00070000000234d1-100.dat	upx
behavioral2/files/0x00070000000234d0-95.dat	upx
behavioral2/files/0x00070000000234cf-90.dat	upx
behavioral2/files/0x00070000000234ce-85.dat	upx
behavioral2/files/0x00070000000234cc-75.dat	upx
behavioral2/files/0x00070000000234cb-70.dat	upx
behavioral2/files/0x00070000000234c5-40.dat	upx
behavioral2/memory/4988-31-0x00007FF795A70000-0x00007FF795E61000-memory.dmp	upx
behavioral2/memory/4404-23-0x00007FF646850000-0x00007FF646C41000-memory.dmp	upx
behavioral2/memory/1232-1956-0x00007FF782560000-0x00007FF782951000-memory.dmp	upx
behavioral2/memory/4404-1957-0x00007FF646850000-0x00007FF646C41000-memory.dmp	upx
behavioral2/memory/4504-1982-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp	upx
behavioral2/memory/4988-1984-0x00007FF795A70000-0x00007FF795E61000-memory.dmp	upx
behavioral2/memory/1232-2024-0x00007FF782560000-0x00007FF782951000-memory.dmp	upx
behavioral2/memory/4404-2089-0x00007FF646850000-0x00007FF646C41000-memory.dmp	upx
behavioral2/memory/4504-2076-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\xfYAJhC.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\NQrlbxa.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\AGnnwyX.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\fdWhTdw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\cYLhdCA.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ILMnviS.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\tYIbOKW.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\fvzdkfL.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\aJcaznX.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\kaizjcE.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\oairqlr.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\UggIbzC.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ErCDXYw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\mIlQPCz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\EtjTezV.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ERlEXhy.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\EWnIvlu.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\RNnptgK.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\lcKIwGp.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\tmkRlDb.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\CosdWeI.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ivpsFJb.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\OyAKrFd.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\caZdyTw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ToVgzmh.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\lKJCSiW.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\FtlIXLi.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\xHaPpgu.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\dHuRRAK.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\InPsmoN.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\fKnSXdY.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\sjtvjiB.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\EGbOVaz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\YvtXqbk.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\JLyyyJz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\tTqNQAJ.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\bLwymFk.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\RCxmfJv.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\dwkMdtn.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\pMnbLKq.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\yoOCbGF.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\psPMAwN.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\aAYgFBc.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\nNMxmdo.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\Sjempgw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\DmxROVU.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ymfJttw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\RokwNfz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\cdgaisG.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\VWjFbEH.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\bHALzVt.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\AyAjcBW.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\qizHtJz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\TqREYxz.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ktszbwK.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\MfkUEOp.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\eBqnnQu.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ZDiqFVB.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\AhVgdEg.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\kFJkBMG.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\ZwsxxbO.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\fXedAAd.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\rTsuUPO.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe
File created	C:\Windows\System32\BoMuMRw.exe	b7633f2751eb4060672c4b0ae0eb22b0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{AE726790-DC97-42B3-8729-C878233E30B6}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{D06D0BDA-C36C-4E7D-988B-79D5353CCBCC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{FA94F198-87B9-4AAB-AB7A-6E44664F45BC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{E16A5C63-4808-4141-89DC-D3540D58AA13}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	12708	explorer.exe
Token: SeCreatePagefilePrivilege	12708	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	60	explorer.exe
Token: SeCreatePagefilePrivilege	60	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe
Token: SeShutdownPrivilege	8640	explorer.exe
Token: SeCreatePagefilePrivilege	8640	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
12820	sihost.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
12708	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
60	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
8640	explorer.exe
10764	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4076	StartMenuExperienceHost.exe
3092	StartMenuExperienceHost.exe
6132	SearchApp.exe
1556	StartMenuExperienceHost.exe
9756	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 1232	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	85
PID 3408 wrote to memory of 1232	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	85
PID 3408 wrote to memory of 4504	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	86
PID 3408 wrote to memory of 4504	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	86
PID 3408 wrote to memory of 4404	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	87
PID 3408 wrote to memory of 4404	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	87
PID 3408 wrote to memory of 4988	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	88
PID 3408 wrote to memory of 4988	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	88
PID 3408 wrote to memory of 1608	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	89
PID 3408 wrote to memory of 1608	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	89
PID 3408 wrote to memory of 112	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	90
PID 3408 wrote to memory of 112	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	90
PID 3408 wrote to memory of 1984	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	91
PID 3408 wrote to memory of 1984	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	91
PID 3408 wrote to memory of 5104	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	92
PID 3408 wrote to memory of 5104	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	92
PID 3408 wrote to memory of 4348	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	93
PID 3408 wrote to memory of 4348	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	93
PID 3408 wrote to memory of 32	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	94
PID 3408 wrote to memory of 32	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	94
PID 3408 wrote to memory of 3740	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	95
PID 3408 wrote to memory of 3740	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	95
PID 3408 wrote to memory of 4316	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	96
PID 3408 wrote to memory of 4316	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	96
PID 3408 wrote to memory of 2364	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	97
PID 3408 wrote to memory of 2364	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	97
PID 3408 wrote to memory of 2312	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	98
PID 3408 wrote to memory of 2312	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	98
PID 3408 wrote to memory of 3904	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	99
PID 3408 wrote to memory of 3904	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	99
PID 3408 wrote to memory of 748	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	100
PID 3408 wrote to memory of 748	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	100
PID 3408 wrote to memory of 4084	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	101
PID 3408 wrote to memory of 4084	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	101
PID 3408 wrote to memory of 1380	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	102
PID 3408 wrote to memory of 1380	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	102
PID 3408 wrote to memory of 4948	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	103
PID 3408 wrote to memory of 4948	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	103
PID 3408 wrote to memory of 2420	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	104
PID 3408 wrote to memory of 2420	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	104
PID 3408 wrote to memory of 3876	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	105
PID 3408 wrote to memory of 3876	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	105
PID 3408 wrote to memory of 1348	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	106
PID 3408 wrote to memory of 1348	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	106
PID 3408 wrote to memory of 2500	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	107
PID 3408 wrote to memory of 2500	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	107
PID 3408 wrote to memory of 4140	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	108
PID 3408 wrote to memory of 4140	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	108
PID 3408 wrote to memory of 3608	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	109
PID 3408 wrote to memory of 3608	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	109
PID 3408 wrote to memory of 4512	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	110
PID 3408 wrote to memory of 4512	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	110
PID 3408 wrote to memory of 5052	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	111
PID 3408 wrote to memory of 5052	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	111
PID 3408 wrote to memory of 3272	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	112
PID 3408 wrote to memory of 3272	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	112
PID 3408 wrote to memory of 2472	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	113
PID 3408 wrote to memory of 2472	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	113
PID 3408 wrote to memory of 1056	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	114
PID 3408 wrote to memory of 1056	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	114
PID 3408 wrote to memory of 4168	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	115
PID 3408 wrote to memory of 4168	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	115
PID 3408 wrote to memory of 2504	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	116
PID 3408 wrote to memory of 2504	3408	b7633f2751eb4060672c4b0ae0eb22b0N.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b7633f2751eb4060672c4b0ae0eb22b0N.exe
"C:\Users\Admin\AppData\Local\Temp\b7633f2751eb4060672c4b0ae0eb22b0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\System32\ryuafRK.exe
  C:\Windows\System32\ryuafRK.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\cYLhdCA.exe
  C:\Windows\System32\cYLhdCA.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\ZJiEZrn.exe
  C:\Windows\System32\ZJiEZrn.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System32\OVBEcme.exe
  C:\Windows\System32\OVBEcme.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\itKCifk.exe
  C:\Windows\System32\itKCifk.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\SOJtKdn.exe
  C:\Windows\System32\SOJtKdn.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System32\TPiDCkQ.exe
  C:\Windows\System32\TPiDCkQ.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\EslbaAx.exe
  C:\Windows\System32\EslbaAx.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\xRYhznN.exe
  C:\Windows\System32\xRYhznN.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\wDraFrv.exe
  C:\Windows\System32\wDraFrv.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System32\eSCbHMA.exe
  C:\Windows\System32\eSCbHMA.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\aJuXtog.exe
  C:\Windows\System32\aJuXtog.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\oZGZPDQ.exe
  C:\Windows\System32\oZGZPDQ.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System32\mvDsaie.exe
  C:\Windows\System32\mvDsaie.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\SuJBKQN.exe
  C:\Windows\System32\SuJBKQN.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System32\DQMZHsf.exe
  C:\Windows\System32\DQMZHsf.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System32\fwrUYaC.exe
  C:\Windows\System32\fwrUYaC.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\qcgWqDt.exe
  C:\Windows\System32\qcgWqDt.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\cWIqMLL.exe
  C:\Windows\System32\cWIqMLL.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\SdEhSBM.exe
  C:\Windows\System32\SdEhSBM.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\pEdACKX.exe
  C:\Windows\System32\pEdACKX.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\COHcMGo.exe
  C:\Windows\System32\COHcMGo.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System32\tmkRlDb.exe
  C:\Windows\System32\tmkRlDb.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System32\MpFcRQr.exe
  C:\Windows\System32\MpFcRQr.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System32\JCVIGkU.exe
  C:\Windows\System32\JCVIGkU.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\HevjMkg.exe
  C:\Windows\System32\HevjMkg.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\ErCDXYw.exe
  C:\Windows\System32\ErCDXYw.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\tTqNQAJ.exe
  C:\Windows\System32\tTqNQAJ.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\GhFusSS.exe
  C:\Windows\System32\GhFusSS.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\kBAZeOo.exe
  C:\Windows\System32\kBAZeOo.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System32\BiSVZZf.exe
  C:\Windows\System32\BiSVZZf.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\GdegPct.exe
  C:\Windows\System32\GdegPct.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System32\qqkfvyk.exe
  C:\Windows\System32\qqkfvyk.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\BWqWLaC.exe
  C:\Windows\System32\BWqWLaC.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\TvbnxqV.exe
  C:\Windows\System32\TvbnxqV.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\UjOdyCP.exe
  C:\Windows\System32\UjOdyCP.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\MsRHjWl.exe
  C:\Windows\System32\MsRHjWl.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\LMNanIW.exe
  C:\Windows\System32\LMNanIW.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\LyJoTiv.exe
  C:\Windows\System32\LyJoTiv.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\kaizjcE.exe
  C:\Windows\System32\kaizjcE.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System32\lsvzVfV.exe
  C:\Windows\System32\lsvzVfV.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System32\adgSYpo.exe
  C:\Windows\System32\adgSYpo.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\njVWSjM.exe
  C:\Windows\System32\njVWSjM.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\uZbGrOD.exe
  C:\Windows\System32\uZbGrOD.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\iljkYUU.exe
  C:\Windows\System32\iljkYUU.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\oMNpPwQ.exe
  C:\Windows\System32\oMNpPwQ.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System32\caZdyTw.exe
  C:\Windows\System32\caZdyTw.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\gFgJrSs.exe
  C:\Windows\System32\gFgJrSs.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System32\DzuDXcG.exe
  C:\Windows\System32\DzuDXcG.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\InPsmoN.exe
  C:\Windows\System32\InPsmoN.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\BOfDWSD.exe
  C:\Windows\System32\BOfDWSD.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\WTWpkrP.exe
  C:\Windows\System32\WTWpkrP.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\ncuFtWn.exe
  C:\Windows\System32\ncuFtWn.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\KssqoWJ.exe
  C:\Windows\System32\KssqoWJ.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System32\MxiRmWB.exe
  C:\Windows\System32\MxiRmWB.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\CosdWeI.exe
  C:\Windows\System32\CosdWeI.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System32\pnwODXi.exe
  C:\Windows\System32\pnwODXi.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\gDFKxKC.exe
  C:\Windows\System32\gDFKxKC.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\wfytLVt.exe
  C:\Windows\System32\wfytLVt.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System32\XxLYUJl.exe
  C:\Windows\System32\XxLYUJl.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\ezPtgiX.exe
  C:\Windows\System32\ezPtgiX.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\dDQUElX.exe
  C:\Windows\System32\dDQUElX.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System32\YuzvPNi.exe
  C:\Windows\System32\YuzvPNi.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\uztxGLd.exe
  C:\Windows\System32\uztxGLd.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\XeBEeKS.exe
  C:\Windows\System32\XeBEeKS.exe
  2⤵
  PID:1016
- C:\Windows\System32\LnrHkTM.exe
  C:\Windows\System32\LnrHkTM.exe
  2⤵
  PID:4560
- C:\Windows\System32\LpHtnum.exe
  C:\Windows\System32\LpHtnum.exe
  2⤵
  PID:1264
- C:\Windows\System32\ENBneUD.exe
  C:\Windows\System32\ENBneUD.exe
  2⤵
  PID:3352
- C:\Windows\System32\rqRqdVZ.exe
  C:\Windows\System32\rqRqdVZ.exe
  2⤵
  PID:3344
- C:\Windows\System32\IYgDOmk.exe
  C:\Windows\System32\IYgDOmk.exe
  2⤵
  PID:2708
- C:\Windows\System32\YACFQpf.exe
  C:\Windows\System32\YACFQpf.exe
  2⤵
  PID:3944
- C:\Windows\System32\YJYUjvt.exe
  C:\Windows\System32\YJYUjvt.exe
  2⤵
  PID:4412
- C:\Windows\System32\XHQvycm.exe
  C:\Windows\System32\XHQvycm.exe
  2⤵
  PID:2932
- C:\Windows\System32\vKMarhk.exe
  C:\Windows\System32\vKMarhk.exe
  2⤵
  PID:3548
- C:\Windows\System32\lNZGCcO.exe
  C:\Windows\System32\lNZGCcO.exe
  2⤵
  PID:1956
- C:\Windows\System32\nTloJlY.exe
  C:\Windows\System32\nTloJlY.exe
  2⤵
  PID:4936
- C:\Windows\System32\CkWluAj.exe
  C:\Windows\System32\CkWluAj.exe
  2⤵
  PID:4320
- C:\Windows\System32\cTeQiqz.exe
  C:\Windows\System32\cTeQiqz.exe
  2⤵
  PID:5032
- C:\Windows\System32\nIKkHzf.exe
  C:\Windows\System32\nIKkHzf.exe
  2⤵
  PID:1168
- C:\Windows\System32\GCoeuCT.exe
  C:\Windows\System32\GCoeuCT.exe
  2⤵
  PID:2400
- C:\Windows\System32\SVRUxfv.exe
  C:\Windows\System32\SVRUxfv.exe
  2⤵
  PID:2536
- C:\Windows\System32\rXUUZmG.exe
  C:\Windows\System32\rXUUZmG.exe
  2⤵
  PID:3560
- C:\Windows\System32\ObjJsvh.exe
  C:\Windows\System32\ObjJsvh.exe
  2⤵
  PID:3684
- C:\Windows\System32\NwdTppz.exe
  C:\Windows\System32\NwdTppz.exe
  2⤵
  PID:3636
- C:\Windows\System32\woTbAFA.exe
  C:\Windows\System32\woTbAFA.exe
  2⤵
  PID:4648
- C:\Windows\System32\KJxrXby.exe
  C:\Windows\System32\KJxrXby.exe
  2⤵
  PID:220
- C:\Windows\System32\BxUvjtz.exe
  C:\Windows\System32\BxUvjtz.exe
  2⤵
  PID:3448
- C:\Windows\System32\iaRZqqD.exe
  C:\Windows\System32\iaRZqqD.exe
  2⤵
  PID:3644
- C:\Windows\System32\WftcBty.exe
  C:\Windows\System32\WftcBty.exe
  2⤵
  PID:3316
- C:\Windows\System32\OmdguBi.exe
  C:\Windows\System32\OmdguBi.exe
  2⤵
  PID:5140
- C:\Windows\System32\jnWrqgL.exe
  C:\Windows\System32\jnWrqgL.exe
  2⤵
  PID:5168
- C:\Windows\System32\aUAVrSx.exe
  C:\Windows\System32\aUAVrSx.exe
  2⤵
  PID:5204
- C:\Windows\System32\KphCFVZ.exe
  C:\Windows\System32\KphCFVZ.exe
  2⤵
  PID:5224
- C:\Windows\System32\qoXzWnv.exe
  C:\Windows\System32\qoXzWnv.exe
  2⤵
  PID:5252
- C:\Windows\System32\UJLOcEJ.exe
  C:\Windows\System32\UJLOcEJ.exe
  2⤵
  PID:5284
- C:\Windows\System32\bKFoFbE.exe
  C:\Windows\System32\bKFoFbE.exe
  2⤵
  PID:5300
- C:\Windows\System32\xOgDFpf.exe
  C:\Windows\System32\xOgDFpf.exe
  2⤵
  PID:5320
- C:\Windows\System32\bHALzVt.exe
  C:\Windows\System32\bHALzVt.exe
  2⤵
  PID:5340
- C:\Windows\System32\kliisQr.exe
  C:\Windows\System32\kliisQr.exe
  2⤵
  PID:5360
- C:\Windows\System32\NQrlbxa.exe
  C:\Windows\System32\NQrlbxa.exe
  2⤵
  PID:5380
- C:\Windows\System32\PRDjBNT.exe
  C:\Windows\System32\PRDjBNT.exe
  2⤵
  PID:5408
- C:\Windows\System32\vXppfXS.exe
  C:\Windows\System32\vXppfXS.exe
  2⤵
  PID:5428
- C:\Windows\System32\BKPPWLx.exe
  C:\Windows\System32\BKPPWLx.exe
  2⤵
  PID:5504
- C:\Windows\System32\jEsXweb.exe
  C:\Windows\System32\jEsXweb.exe
  2⤵
  PID:5548
- C:\Windows\System32\kFJkBMG.exe
  C:\Windows\System32\kFJkBMG.exe
  2⤵
  PID:5572
- C:\Windows\System32\uEhnRzi.exe
  C:\Windows\System32\uEhnRzi.exe
  2⤵
  PID:5620
- C:\Windows\System32\kFwdbFG.exe
  C:\Windows\System32\kFwdbFG.exe
  2⤵
  PID:5656
- C:\Windows\System32\sqIqgby.exe
  C:\Windows\System32\sqIqgby.exe
  2⤵
  PID:5680
- C:\Windows\System32\LLBSmNh.exe
  C:\Windows\System32\LLBSmNh.exe
  2⤵
  PID:5700
- C:\Windows\System32\bvnYMUe.exe
  C:\Windows\System32\bvnYMUe.exe
  2⤵
  PID:5724
- C:\Windows\System32\sUQyScn.exe
  C:\Windows\System32\sUQyScn.exe
  2⤵
  PID:5744
- C:\Windows\System32\QXUjBZF.exe
  C:\Windows\System32\QXUjBZF.exe
  2⤵
  PID:5788
- C:\Windows\System32\IGxJsbE.exe
  C:\Windows\System32\IGxJsbE.exe
  2⤵
  PID:5852
- C:\Windows\System32\lAqRxGE.exe
  C:\Windows\System32\lAqRxGE.exe
  2⤵
  PID:5872
- C:\Windows\System32\nNMxmdo.exe
  C:\Windows\System32\nNMxmdo.exe
  2⤵
  PID:5916
- C:\Windows\System32\DYxkGgc.exe
  C:\Windows\System32\DYxkGgc.exe
  2⤵
  PID:5940
- C:\Windows\System32\DELFdaV.exe
  C:\Windows\System32\DELFdaV.exe
  2⤵
  PID:5972
- C:\Windows\System32\glbbTNw.exe
  C:\Windows\System32\glbbTNw.exe
  2⤵
  PID:6012
- C:\Windows\System32\lTYqagl.exe
  C:\Windows\System32\lTYqagl.exe
  2⤵
  PID:6040
- C:\Windows\System32\cGZJffK.exe
  C:\Windows\System32\cGZJffK.exe
  2⤵
  PID:6088
- C:\Windows\System32\fKnSXdY.exe
  C:\Windows\System32\fKnSXdY.exe
  2⤵
  PID:6116
- C:\Windows\System32\UvDsVIV.exe
  C:\Windows\System32\UvDsVIV.exe
  2⤵
  PID:2744
- C:\Windows\System32\ZDiqFVB.exe
  C:\Windows\System32\ZDiqFVB.exe
  2⤵
  PID:1884
- C:\Windows\System32\gtBXJrZ.exe
  C:\Windows\System32\gtBXJrZ.exe
  2⤵
  PID:5132
- C:\Windows\System32\yIFMOFM.exe
  C:\Windows\System32\yIFMOFM.exe
  2⤵
  PID:5160
- C:\Windows\System32\bAWpRyt.exe
  C:\Windows\System32\bAWpRyt.exe
  2⤵
  PID:5196
- C:\Windows\System32\lKJCSiW.exe
  C:\Windows\System32\lKJCSiW.exe
  2⤵
  PID:3276
- C:\Windows\System32\lkbyhId.exe
  C:\Windows\System32\lkbyhId.exe
  2⤵
  PID:1124
- C:\Windows\System32\MkWuDXS.exe
  C:\Windows\System32\MkWuDXS.exe
  2⤵
  PID:5312
- C:\Windows\System32\NuzWRJl.exe
  C:\Windows\System32\NuzWRJl.exe
  2⤵
  PID:5416
- C:\Windows\System32\nckbfUo.exe
  C:\Windows\System32\nckbfUo.exe
  2⤵
  PID:5452
- C:\Windows\System32\bIjcbpo.exe
  C:\Windows\System32\bIjcbpo.exe
  2⤵
  PID:5488
- C:\Windows\System32\bLwymFk.exe
  C:\Windows\System32\bLwymFk.exe
  2⤵
  PID:5584
- C:\Windows\System32\ncFouTW.exe
  C:\Windows\System32\ncFouTW.exe
  2⤵
  PID:5588
- C:\Windows\System32\VHSHtDO.exe
  C:\Windows\System32\VHSHtDO.exe
  2⤵
  PID:4912
- C:\Windows\System32\KJbGdZK.exe
  C:\Windows\System32\KJbGdZK.exe
  2⤵
  PID:5696
- C:\Windows\System32\SsiXnMH.exe
  C:\Windows\System32\SsiXnMH.exe
  2⤵
  PID:8
- C:\Windows\System32\otFPKov.exe
  C:\Windows\System32\otFPKov.exe
  2⤵
  PID:1508
- C:\Windows\System32\HfEuBmB.exe
  C:\Windows\System32\HfEuBmB.exe
  2⤵
  PID:4692
- C:\Windows\System32\mIlQPCz.exe
  C:\Windows\System32\mIlQPCz.exe
  2⤵
  PID:5720
- C:\Windows\System32\icaqFnb.exe
  C:\Windows\System32\icaqFnb.exe
  2⤵
  PID:860
- C:\Windows\System32\UtHqNiU.exe
  C:\Windows\System32\UtHqNiU.exe
  2⤵
  PID:4392
- C:\Windows\System32\obSLeyM.exe
  C:\Windows\System32\obSLeyM.exe
  2⤵
  PID:5888
- C:\Windows\System32\gUvYCak.exe
  C:\Windows\System32\gUvYCak.exe
  2⤵
  PID:5948
- C:\Windows\System32\dpiMhkP.exe
  C:\Windows\System32\dpiMhkP.exe
  2⤵
  PID:5984
- C:\Windows\System32\rSELNvs.exe
  C:\Windows\System32\rSELNvs.exe
  2⤵
  PID:6112
- C:\Windows\System32\rEqWZGI.exe
  C:\Windows\System32\rEqWZGI.exe
  2⤵
  PID:2424
- C:\Windows\System32\EfZQylO.exe
  C:\Windows\System32\EfZQylO.exe
  2⤵
  PID:5176
- C:\Windows\System32\dogTGqm.exe
  C:\Windows\System32\dogTGqm.exe
  2⤵
  PID:5212
- C:\Windows\System32\Sjempgw.exe
  C:\Windows\System32\Sjempgw.exe
  2⤵
  PID:5332
- C:\Windows\System32\efhrAnj.exe
  C:\Windows\System32\efhrAnj.exe
  2⤵
  PID:5388
- C:\Windows\System32\XmYgvah.exe
  C:\Windows\System32\XmYgvah.exe
  2⤵
  PID:5628
- C:\Windows\System32\gqTPabw.exe
  C:\Windows\System32\gqTPabw.exe
  2⤵
  PID:4828
- C:\Windows\System32\zCTKJsS.exe
  C:\Windows\System32\zCTKJsS.exe
  2⤵
  PID:5860
- C:\Windows\System32\ZiygCWY.exe
  C:\Windows\System32\ZiygCWY.exe
  2⤵
  PID:6000
- C:\Windows\System32\UbNflcR.exe
  C:\Windows\System32\UbNflcR.exe
  2⤵
  PID:5156
- C:\Windows\System32\FtlIXLi.exe
  C:\Windows\System32\FtlIXLi.exe
  2⤵
  PID:5240
- C:\Windows\System32\lEocQkx.exe
  C:\Windows\System32\lEocQkx.exe
  2⤵
  PID:5336
- C:\Windows\System32\MDReGPW.exe
  C:\Windows\System32\MDReGPW.exe
  2⤵
  PID:1028
- C:\Windows\System32\DDziHBp.exe
  C:\Windows\System32\DDziHBp.exe
  2⤵
  PID:5296
- C:\Windows\System32\wVeCegZ.exe
  C:\Windows\System32\wVeCegZ.exe
  2⤵
  PID:6056
- C:\Windows\System32\kkysMrR.exe
  C:\Windows\System32\kkysMrR.exe
  2⤵
  PID:6148
- C:\Windows\System32\wqwDcxn.exe
  C:\Windows\System32\wqwDcxn.exe
  2⤵
  PID:6168
- C:\Windows\System32\aYmETtY.exe
  C:\Windows\System32\aYmETtY.exe
  2⤵
  PID:6200
- C:\Windows\System32\IXmsrir.exe
  C:\Windows\System32\IXmsrir.exe
  2⤵
  PID:6220
- C:\Windows\System32\EtjTezV.exe
  C:\Windows\System32\EtjTezV.exe
  2⤵
  PID:6256
- C:\Windows\System32\DgjAlwE.exe
  C:\Windows\System32\DgjAlwE.exe
  2⤵
  PID:6272
- C:\Windows\System32\ZvgMzza.exe
  C:\Windows\System32\ZvgMzza.exe
  2⤵
  PID:6336
- C:\Windows\System32\nMVEAFX.exe
  C:\Windows\System32\nMVEAFX.exe
  2⤵
  PID:6352
- C:\Windows\System32\FnRYeEF.exe
  C:\Windows\System32\FnRYeEF.exe
  2⤵
  PID:6376
- C:\Windows\System32\bgilRYr.exe
  C:\Windows\System32\bgilRYr.exe
  2⤵
  PID:6424
- C:\Windows\System32\HWjRvrF.exe
  C:\Windows\System32\HWjRvrF.exe
  2⤵
  PID:6464
- C:\Windows\System32\XoquerY.exe
  C:\Windows\System32\XoquerY.exe
  2⤵
  PID:6484
- C:\Windows\System32\vsaKUEP.exe
  C:\Windows\System32\vsaKUEP.exe
  2⤵
  PID:6504
- C:\Windows\System32\YdcytNC.exe
  C:\Windows\System32\YdcytNC.exe
  2⤵
  PID:6524
- C:\Windows\System32\TxnBPKb.exe
  C:\Windows\System32\TxnBPKb.exe
  2⤵
  PID:6540
- C:\Windows\System32\tiGmbeG.exe
  C:\Windows\System32\tiGmbeG.exe
  2⤵
  PID:6592
- C:\Windows\System32\RJbHpfB.exe
  C:\Windows\System32\RJbHpfB.exe
  2⤵
  PID:6616
- C:\Windows\System32\DUZIXKS.exe
  C:\Windows\System32\DUZIXKS.exe
  2⤵
  PID:6636
- C:\Windows\System32\sjtvjiB.exe
  C:\Windows\System32\sjtvjiB.exe
  2⤵
  PID:6656
- C:\Windows\System32\qxphqtQ.exe
  C:\Windows\System32\qxphqtQ.exe
  2⤵
  PID:6684
- C:\Windows\System32\nINboxM.exe
  C:\Windows\System32\nINboxM.exe
  2⤵
  PID:6704
- C:\Windows\System32\OoliwLs.exe
  C:\Windows\System32\OoliwLs.exe
  2⤵
  PID:6740
- C:\Windows\System32\YRBShui.exe
  C:\Windows\System32\YRBShui.exe
  2⤵
  PID:6800
- C:\Windows\System32\ZwsxxbO.exe
  C:\Windows\System32\ZwsxxbO.exe
  2⤵
  PID:6820
- C:\Windows\System32\mzgOyIe.exe
  C:\Windows\System32\mzgOyIe.exe
  2⤵
  PID:6836
- C:\Windows\System32\EWqbCAP.exe
  C:\Windows\System32\EWqbCAP.exe
  2⤵
  PID:6876
- C:\Windows\System32\GLQBQNJ.exe
  C:\Windows\System32\GLQBQNJ.exe
  2⤵
  PID:6904
- C:\Windows\System32\oSyIpOk.exe
  C:\Windows\System32\oSyIpOk.exe
  2⤵
  PID:6920
- C:\Windows\System32\Cbumorr.exe
  C:\Windows\System32\Cbumorr.exe
  2⤵
  PID:6960
- C:\Windows\System32\zkgXnzl.exe
  C:\Windows\System32\zkgXnzl.exe
  2⤵
  PID:6996
- C:\Windows\System32\ZJdoeSL.exe
  C:\Windows\System32\ZJdoeSL.exe
  2⤵
  PID:7012
- C:\Windows\System32\xEhbvoS.exe
  C:\Windows\System32\xEhbvoS.exe
  2⤵
  PID:7032
- C:\Windows\System32\lhPSySZ.exe
  C:\Windows\System32\lhPSySZ.exe
  2⤵
  PID:7056
- C:\Windows\System32\mDIjPUe.exe
  C:\Windows\System32\mDIjPUe.exe
  2⤵
  PID:7072
- C:\Windows\System32\vonVefs.exe
  C:\Windows\System32\vonVefs.exe
  2⤵
  PID:7124
- C:\Windows\System32\FpWcWXs.exe
  C:\Windows\System32\FpWcWXs.exe
  2⤵
  PID:7152
- C:\Windows\System32\yyLPkNb.exe
  C:\Windows\System32\yyLPkNb.exe
  2⤵
  PID:6156
- C:\Windows\System32\AhVgdEg.exe
  C:\Windows\System32\AhVgdEg.exe
  2⤵
  PID:6264
- C:\Windows\System32\XqKSEwY.exe
  C:\Windows\System32\XqKSEwY.exe
  2⤵
  PID:6328
- C:\Windows\System32\RCxmfJv.exe
  C:\Windows\System32\RCxmfJv.exe
  2⤵
  PID:6372
- C:\Windows\System32\JUapBqP.exe
  C:\Windows\System32\JUapBqP.exe
  2⤵
  PID:6452
- C:\Windows\System32\EGbOVaz.exe
  C:\Windows\System32\EGbOVaz.exe
  2⤵
  PID:6480
- C:\Windows\System32\tXWvsLx.exe
  C:\Windows\System32\tXWvsLx.exe
  2⤵
  PID:6548
- C:\Windows\System32\VAqlZZZ.exe
  C:\Windows\System32\VAqlZZZ.exe
  2⤵
  PID:6572
- C:\Windows\System32\cZxHKHR.exe
  C:\Windows\System32\cZxHKHR.exe
  2⤵
  PID:6716
- C:\Windows\System32\SxLgPlp.exe
  C:\Windows\System32\SxLgPlp.exe
  2⤵
  PID:6732
- C:\Windows\System32\VCOnbcj.exe
  C:\Windows\System32\VCOnbcj.exe
  2⤵
  PID:6652
- C:\Windows\System32\AyAjcBW.exe
  C:\Windows\System32\AyAjcBW.exe
  2⤵
  PID:5356
- C:\Windows\System32\ixUYpKD.exe
  C:\Windows\System32\ixUYpKD.exe
  2⤵
  PID:6832
- C:\Windows\System32\rCEDyey.exe
  C:\Windows\System32\rCEDyey.exe
  2⤵
  PID:6976
- C:\Windows\System32\IfmRuQo.exe
  C:\Windows\System32\IfmRuQo.exe
  2⤵
  PID:7024
- C:\Windows\System32\VtJIVWa.exe
  C:\Windows\System32\VtJIVWa.exe
  2⤵
  PID:7020
- C:\Windows\System32\nTkPuuN.exe
  C:\Windows\System32\nTkPuuN.exe
  2⤵
  PID:6032
- C:\Windows\System32\ILMnviS.exe
  C:\Windows\System32\ILMnviS.exe
  2⤵
  PID:5868
- C:\Windows\System32\mLWAFAg.exe
  C:\Windows\System32\mLWAFAg.exe
  2⤵
  PID:7140
- C:\Windows\System32\mzyGRQZ.exe
  C:\Windows\System32\mzyGRQZ.exe
  2⤵
  PID:6100
- C:\Windows\System32\PSoZcpE.exe
  C:\Windows\System32\PSoZcpE.exe
  2⤵
  PID:6388
- C:\Windows\System32\diCiCaP.exe
  C:\Windows\System32\diCiCaP.exe
  2⤵
  PID:6492
- C:\Windows\System32\GcbFpOt.exe
  C:\Windows\System32\GcbFpOt.exe
  2⤵
  PID:5396
- C:\Windows\System32\PAUOaPo.exe
  C:\Windows\System32\PAUOaPo.exe
  2⤵
  PID:6816
- C:\Windows\System32\USmElhL.exe
  C:\Windows\System32\USmElhL.exe
  2⤵
  PID:7008
- C:\Windows\System32\kiuimOW.exe
  C:\Windows\System32\kiuimOW.exe
  2⤵
  PID:7068
- C:\Windows\System32\ZxZYtZj.exe
  C:\Windows\System32\ZxZYtZj.exe
  2⤵
  PID:5316
- C:\Windows\System32\kSOxVDW.exe
  C:\Windows\System32\kSOxVDW.exe
  2⤵
  PID:6536
- C:\Windows\System32\bpvrtnL.exe
  C:\Windows\System32\bpvrtnL.exe
  2⤵
  PID:6856
- C:\Windows\System32\ODLJJYp.exe
  C:\Windows\System32\ODLJJYp.exe
  2⤵
  PID:6364
- C:\Windows\System32\oairqlr.exe
  C:\Windows\System32\oairqlr.exe
  2⤵
  PID:6612
- C:\Windows\System32\DoIHndY.exe
  C:\Windows\System32\DoIHndY.exe
  2⤵
  PID:7100
- C:\Windows\System32\pgGhzqw.exe
  C:\Windows\System32\pgGhzqw.exe
  2⤵
  PID:7184
- C:\Windows\System32\dxUsmyC.exe
  C:\Windows\System32\dxUsmyC.exe
  2⤵
  PID:7228
- C:\Windows\System32\lCRqWmU.exe
  C:\Windows\System32\lCRqWmU.exe
  2⤵
  PID:7256
- C:\Windows\System32\qizHtJz.exe
  C:\Windows\System32\qizHtJz.exe
  2⤵
  PID:7276
- C:\Windows\System32\fKCrbHa.exe
  C:\Windows\System32\fKCrbHa.exe
  2⤵
  PID:7316
- C:\Windows\System32\xClKbVZ.exe
  C:\Windows\System32\xClKbVZ.exe
  2⤵
  PID:7348
- C:\Windows\System32\yrDMhUo.exe
  C:\Windows\System32\yrDMhUo.exe
  2⤵
  PID:7364
- C:\Windows\System32\dGcfCol.exe
  C:\Windows\System32\dGcfCol.exe
  2⤵
  PID:7384
- C:\Windows\System32\bvXnihE.exe
  C:\Windows\System32\bvXnihE.exe
  2⤵
  PID:7412
- C:\Windows\System32\sgStuOx.exe
  C:\Windows\System32\sgStuOx.exe
  2⤵
  PID:7452
- C:\Windows\System32\ZTdJCRT.exe
  C:\Windows\System32\ZTdJCRT.exe
  2⤵
  PID:7476
- C:\Windows\System32\nxBWBto.exe
  C:\Windows\System32\nxBWBto.exe
  2⤵
  PID:7504
- C:\Windows\System32\DKJehNf.exe
  C:\Windows\System32\DKJehNf.exe
  2⤵
  PID:7528
- C:\Windows\System32\CkZAVuS.exe
  C:\Windows\System32\CkZAVuS.exe
  2⤵
  PID:7556
- C:\Windows\System32\GRbRewJ.exe
  C:\Windows\System32\GRbRewJ.exe
  2⤵
  PID:7576
- C:\Windows\System32\LxSrTuQ.exe
  C:\Windows\System32\LxSrTuQ.exe
  2⤵
  PID:7612
- C:\Windows\System32\LRfOEcz.exe
  C:\Windows\System32\LRfOEcz.exe
  2⤵
  PID:7628
- C:\Windows\System32\AnyCZNP.exe
  C:\Windows\System32\AnyCZNP.exe
  2⤵
  PID:7684
- C:\Windows\System32\PMmdjHg.exe
  C:\Windows\System32\PMmdjHg.exe
  2⤵
  PID:7700
- C:\Windows\System32\kdiDyUr.exe
  C:\Windows\System32\kdiDyUr.exe
  2⤵
  PID:7768
- C:\Windows\System32\rzRWALM.exe
  C:\Windows\System32\rzRWALM.exe
  2⤵
  PID:7784
- C:\Windows\System32\pylaNBn.exe
  C:\Windows\System32\pylaNBn.exe
  2⤵
  PID:7812
- C:\Windows\System32\YvtXqbk.exe
  C:\Windows\System32\YvtXqbk.exe
  2⤵
  PID:7844
- C:\Windows\System32\NkAFgxF.exe
  C:\Windows\System32\NkAFgxF.exe
  2⤵
  PID:7868
- C:\Windows\System32\tNziedV.exe
  C:\Windows\System32\tNziedV.exe
  2⤵
  PID:7892
- C:\Windows\System32\yZGkvYP.exe
  C:\Windows\System32\yZGkvYP.exe
  2⤵
  PID:7916
- C:\Windows\System32\dOfuqfi.exe
  C:\Windows\System32\dOfuqfi.exe
  2⤵
  PID:7940
- C:\Windows\System32\EWJntNl.exe
  C:\Windows\System32\EWJntNl.exe
  2⤵
  PID:7968
- C:\Windows\System32\rYfcbZp.exe
  C:\Windows\System32\rYfcbZp.exe
  2⤵
  PID:7988
- C:\Windows\System32\InQHIOL.exe
  C:\Windows\System32\InQHIOL.exe
  2⤵
  PID:8028
- C:\Windows\System32\nvoFQZk.exe
  C:\Windows\System32\nvoFQZk.exe
  2⤵
  PID:8064
- C:\Windows\System32\aSEHcvj.exe
  C:\Windows\System32\aSEHcvj.exe
  2⤵
  PID:8084
- C:\Windows\System32\dfgyRCI.exe
  C:\Windows\System32\dfgyRCI.exe
  2⤵
  PID:8124
- C:\Windows\System32\ToVgzmh.exe
  C:\Windows\System32\ToVgzmh.exe
  2⤵
  PID:8148
- C:\Windows\System32\nXULjmd.exe
  C:\Windows\System32\nXULjmd.exe
  2⤵
  PID:8172
- C:\Windows\System32\tHJxCmD.exe
  C:\Windows\System32\tHJxCmD.exe
  2⤵
  PID:8188
- C:\Windows\System32\bjGtVKN.exe
  C:\Windows\System32\bjGtVKN.exe
  2⤵
  PID:6476
- C:\Windows\System32\LJdQKlm.exe
  C:\Windows\System32\LJdQKlm.exe
  2⤵
  PID:7296
- C:\Windows\System32\gnZNnYc.exe
  C:\Windows\System32\gnZNnYc.exe
  2⤵
  PID:6940
- C:\Windows\System32\PYFwxUx.exe
  C:\Windows\System32\PYFwxUx.exe
  2⤵
  PID:7400
- C:\Windows\System32\UawkJTS.exe
  C:\Windows\System32\UawkJTS.exe
  2⤵
  PID:7420
- C:\Windows\System32\ZtlRcxB.exe
  C:\Windows\System32\ZtlRcxB.exe
  2⤵
  PID:7524
- C:\Windows\System32\IkgjAIA.exe
  C:\Windows\System32\IkgjAIA.exe
  2⤵
  PID:7636
- C:\Windows\System32\NijINai.exe
  C:\Windows\System32\NijINai.exe
  2⤵
  PID:7696
- C:\Windows\System32\Xoflqrd.exe
  C:\Windows\System32\Xoflqrd.exe
  2⤵
  PID:7756
- C:\Windows\System32\VXqmAFM.exe
  C:\Windows\System32\VXqmAFM.exe
  2⤵
  PID:7836
- C:\Windows\System32\EFAxZgm.exe
  C:\Windows\System32\EFAxZgm.exe
  2⤵
  PID:7908
- C:\Windows\System32\cZaOdYf.exe
  C:\Windows\System32\cZaOdYf.exe
  2⤵
  PID:7984
- C:\Windows\System32\VNzExPl.exe
  C:\Windows\System32\VNzExPl.exe
  2⤵
  PID:8020
- C:\Windows\System32\WJYGNBU.exe
  C:\Windows\System32\WJYGNBU.exe
  2⤵
  PID:8076
- C:\Windows\System32\EZoFLMQ.exe
  C:\Windows\System32\EZoFLMQ.exe
  2⤵
  PID:8156
- C:\Windows\System32\FCvjfmy.exe
  C:\Windows\System32\FCvjfmy.exe
  2⤵
  PID:8160
- C:\Windows\System32\JGtOQVH.exe
  C:\Windows\System32\JGtOQVH.exe
  2⤵
  PID:7312
- C:\Windows\System32\cyJyDgv.exe
  C:\Windows\System32\cyJyDgv.exe
  2⤵
  PID:7572
- C:\Windows\System32\YkaGssk.exe
  C:\Windows\System32\YkaGssk.exe
  2⤵
  PID:7732
- C:\Windows\System32\vcDOeSE.exe
  C:\Windows\System32\vcDOeSE.exe
  2⤵
  PID:8116
- C:\Windows\System32\nHSMcuQ.exe
  C:\Windows\System32\nHSMcuQ.exe
  2⤵
  PID:7172
- C:\Windows\System32\dwkMdtn.exe
  C:\Windows\System32\dwkMdtn.exe
  2⤵
  PID:7444
- C:\Windows\System32\ReCLJqD.exe
  C:\Windows\System32\ReCLJqD.exe
  2⤵
  PID:7792
- C:\Windows\System32\suXWPKf.exe
  C:\Windows\System32\suXWPKf.exe
  2⤵
  PID:8204
- C:\Windows\System32\JXBjzxj.exe
  C:\Windows\System32\JXBjzxj.exe
  2⤵
  PID:8224
- C:\Windows\System32\HhkgutA.exe
  C:\Windows\System32\HhkgutA.exe
  2⤵
  PID:8268
- C:\Windows\System32\fdQgXol.exe
  C:\Windows\System32\fdQgXol.exe
  2⤵
  PID:8300
- C:\Windows\System32\KGheamP.exe
  C:\Windows\System32\KGheamP.exe
  2⤵
  PID:8364
- C:\Windows\System32\bGrFDeD.exe
  C:\Windows\System32\bGrFDeD.exe
  2⤵
  PID:8408
- C:\Windows\System32\JLboRzn.exe
  C:\Windows\System32\JLboRzn.exe
  2⤵
  PID:8488
- C:\Windows\System32\IdtVVaL.exe
  C:\Windows\System32\IdtVVaL.exe
  2⤵
  PID:8516
- C:\Windows\System32\HmTJRyH.exe
  C:\Windows\System32\HmTJRyH.exe
  2⤵
  PID:8540
- C:\Windows\System32\jROzRMV.exe
  C:\Windows\System32\jROzRMV.exe
  2⤵
  PID:8580
- C:\Windows\System32\CNTdatB.exe
  C:\Windows\System32\CNTdatB.exe
  2⤵
  PID:8604
- C:\Windows\System32\SDlRuiq.exe
  C:\Windows\System32\SDlRuiq.exe
  2⤵
  PID:8632
- C:\Windows\System32\SEMleTz.exe
  C:\Windows\System32\SEMleTz.exe
  2⤵
  PID:8652
- C:\Windows\System32\MARHHtE.exe
  C:\Windows\System32\MARHHtE.exe
  2⤵
  PID:8692
- C:\Windows\System32\FldPyMT.exe
  C:\Windows\System32\FldPyMT.exe
  2⤵
  PID:8716
- C:\Windows\System32\JZrFtCZ.exe
  C:\Windows\System32\JZrFtCZ.exe
  2⤵
  PID:8736
- C:\Windows\System32\JZqhtIF.exe
  C:\Windows\System32\JZqhtIF.exe
  2⤵
  PID:8760
- C:\Windows\System32\HsqCSZj.exe
  C:\Windows\System32\HsqCSZj.exe
  2⤵
  PID:8788
- C:\Windows\System32\EQItzzc.exe
  C:\Windows\System32\EQItzzc.exe
  2⤵
  PID:8808
- C:\Windows\System32\hoefkCB.exe
  C:\Windows\System32\hoefkCB.exe
  2⤵
  PID:8856
- C:\Windows\System32\TaeSloD.exe
  C:\Windows\System32\TaeSloD.exe
  2⤵
  PID:8876
- C:\Windows\System32\bMwUzch.exe
  C:\Windows\System32\bMwUzch.exe
  2⤵
  PID:8916
- C:\Windows\System32\CAeAcYJ.exe
  C:\Windows\System32\CAeAcYJ.exe
  2⤵
  PID:8940
- C:\Windows\System32\gwyRNLk.exe
  C:\Windows\System32\gwyRNLk.exe
  2⤵
  PID:8960
- C:\Windows\System32\fPWMeSY.exe
  C:\Windows\System32\fPWMeSY.exe
  2⤵
  PID:8996
- C:\Windows\System32\LrGXenI.exe
  C:\Windows\System32\LrGXenI.exe
  2⤵
  PID:9016
- C:\Windows\System32\dKEmcYw.exe
  C:\Windows\System32\dKEmcYw.exe
  2⤵
  PID:9036
- C:\Windows\System32\rqrvmhL.exe
  C:\Windows\System32\rqrvmhL.exe
  2⤵
  PID:9060
- C:\Windows\System32\BisgwWg.exe
  C:\Windows\System32\BisgwWg.exe
  2⤵
  PID:9080
- C:\Windows\System32\NACxvGG.exe
  C:\Windows\System32\NACxvGG.exe
  2⤵
  PID:9104
- C:\Windows\System32\NrMglGd.exe
  C:\Windows\System32\NrMglGd.exe
  2⤵
  PID:9136
- C:\Windows\System32\HksqQST.exe
  C:\Windows\System32\HksqQST.exe
  2⤵
  PID:9188
- C:\Windows\System32\yCLCWeM.exe
  C:\Windows\System32\yCLCWeM.exe
  2⤵
  PID:7500
- C:\Windows\System32\NoaWVSM.exe
  C:\Windows\System32\NoaWVSM.exe
  2⤵
  PID:8164
- C:\Windows\System32\YqkRKuN.exe
  C:\Windows\System32\YqkRKuN.exe
  2⤵
  PID:7716
- C:\Windows\System32\QUzcUfw.exe
  C:\Windows\System32\QUzcUfw.exe
  2⤵
  PID:7976
- C:\Windows\System32\mQVPOdW.exe
  C:\Windows\System32\mQVPOdW.exe
  2⤵
  PID:8004
- C:\Windows\System32\WZldYIZ.exe
  C:\Windows\System32\WZldYIZ.exe
  2⤵
  PID:7404
- C:\Windows\System32\HWzssbD.exe
  C:\Windows\System32\HWzssbD.exe
  2⤵
  PID:8288
- C:\Windows\System32\JBuZLiO.exe
  C:\Windows\System32\JBuZLiO.exe
  2⤵
  PID:8340
- C:\Windows\System32\WOfvLDP.exe
  C:\Windows\System32\WOfvLDP.exe
  2⤵
  PID:8444
- C:\Windows\System32\BqBhVMN.exe
  C:\Windows\System32\BqBhVMN.exe
  2⤵
  PID:8484
- C:\Windows\System32\pMnbLKq.exe
  C:\Windows\System32\pMnbLKq.exe
  2⤵
  PID:8552
- C:\Windows\System32\cuSCOpO.exe
  C:\Windows\System32\cuSCOpO.exe
  2⤵
  PID:8592
- C:\Windows\System32\zvPNSKW.exe
  C:\Windows\System32\zvPNSKW.exe
  2⤵
  PID:8668
- C:\Windows\System32\pjlYYDS.exe
  C:\Windows\System32\pjlYYDS.exe
  2⤵
  PID:8732
- C:\Windows\System32\pHZZnsV.exe
  C:\Windows\System32\pHZZnsV.exe
  2⤵
  PID:8852
- C:\Windows\System32\ZDaUtTq.exe
  C:\Windows\System32\ZDaUtTq.exe
  2⤵
  PID:8912
- C:\Windows\System32\GgkJVbg.exe
  C:\Windows\System32\GgkJVbg.exe
  2⤵
  PID:8984
- C:\Windows\System32\DQqQrLA.exe
  C:\Windows\System32\DQqQrLA.exe
  2⤵
  PID:9004
- C:\Windows\System32\mtUezRl.exe
  C:\Windows\System32\mtUezRl.exe
  2⤵
  PID:9088
- C:\Windows\System32\pdtPSAw.exe
  C:\Windows\System32\pdtPSAw.exe
  2⤵
  PID:9116
- C:\Windows\System32\dGmKhjH.exe
  C:\Windows\System32\dGmKhjH.exe
  2⤵
  PID:7380
- C:\Windows\System32\ERlEXhy.exe
  C:\Windows\System32\ERlEXhy.exe
  2⤵
  PID:7900
- C:\Windows\System32\lxqQhTX.exe
  C:\Windows\System32\lxqQhTX.exe
  2⤵
  PID:8336
- C:\Windows\System32\NCKbKje.exe
  C:\Windows\System32\NCKbKje.exe
  2⤵
  PID:8500
- C:\Windows\System32\ZzCUsIL.exe
  C:\Windows\System32\ZzCUsIL.exe
  2⤵
  PID:8612
- C:\Windows\System32\SziTRuY.exe
  C:\Windows\System32\SziTRuY.exe
  2⤵
  PID:8724
- C:\Windows\System32\ZOPKsQh.exe
  C:\Windows\System32\ZOPKsQh.exe
  2⤵
  PID:8908
- C:\Windows\System32\kdPWiqr.exe
  C:\Windows\System32\kdPWiqr.exe
  2⤵
  PID:9044
- C:\Windows\System32\CgODCmV.exe
  C:\Windows\System32\CgODCmV.exe
  2⤵
  PID:9096
- C:\Windows\System32\slwSyYF.exe
  C:\Windows\System32\slwSyYF.exe
  2⤵
  PID:8236
- C:\Windows\System32\PjHOTBr.exe
  C:\Windows\System32\PjHOTBr.exe
  2⤵
  PID:8528
- C:\Windows\System32\lQjsNSd.exe
  C:\Windows\System32\lQjsNSd.exe
  2⤵
  PID:9076
- C:\Windows\System32\xHNfDRc.exe
  C:\Windows\System32\xHNfDRc.exe
  2⤵
  PID:8104
- C:\Windows\System32\awJYqhQ.exe
  C:\Windows\System32\awJYqhQ.exe
  2⤵
  PID:8892
- C:\Windows\System32\fXedAAd.exe
  C:\Windows\System32\fXedAAd.exe
  2⤵
  PID:7912
- C:\Windows\System32\inQBbkK.exe
  C:\Windows\System32\inQBbkK.exe
  2⤵
  PID:9224
- C:\Windows\System32\bozTzZw.exe
  C:\Windows\System32\bozTzZw.exe
  2⤵
  PID:9252
- C:\Windows\System32\KVCxiWp.exe
  C:\Windows\System32\KVCxiWp.exe
  2⤵
  PID:9276
- C:\Windows\System32\pgkvgFI.exe
  C:\Windows\System32\pgkvgFI.exe
  2⤵
  PID:9316
- C:\Windows\System32\BVhSRtT.exe
  C:\Windows\System32\BVhSRtT.exe
  2⤵
  PID:9332
- C:\Windows\System32\rTsuUPO.exe
  C:\Windows\System32\rTsuUPO.exe
  2⤵
  PID:9384
- C:\Windows\System32\hUBHILB.exe
  C:\Windows\System32\hUBHILB.exe
  2⤵
  PID:9420
- C:\Windows\System32\BccAtTO.exe
  C:\Windows\System32\BccAtTO.exe
  2⤵
  PID:9452
- C:\Windows\System32\nRduuPn.exe
  C:\Windows\System32\nRduuPn.exe
  2⤵
  PID:9468
- C:\Windows\System32\GCJMLTD.exe
  C:\Windows\System32\GCJMLTD.exe
  2⤵
  PID:9496
- C:\Windows\System32\RvxuHCg.exe
  C:\Windows\System32\RvxuHCg.exe
  2⤵
  PID:9524
- C:\Windows\System32\bMeZspZ.exe
  C:\Windows\System32\bMeZspZ.exe
  2⤵
  PID:9560
- C:\Windows\System32\YotPpSQ.exe
  C:\Windows\System32\YotPpSQ.exe
  2⤵
  PID:9576
- C:\Windows\System32\JIIgMXd.exe
  C:\Windows\System32\JIIgMXd.exe
  2⤵
  PID:9600
- C:\Windows\System32\LhHPQch.exe
  C:\Windows\System32\LhHPQch.exe
  2⤵
  PID:9624
- C:\Windows\System32\wPEcCvz.exe
  C:\Windows\System32\wPEcCvz.exe
  2⤵
  PID:9660
- C:\Windows\System32\ohPPIUo.exe
  C:\Windows\System32\ohPPIUo.exe
  2⤵
  PID:9704
- C:\Windows\System32\WHuGURn.exe
  C:\Windows\System32\WHuGURn.exe
  2⤵
  PID:9736
- C:\Windows\System32\kNaGMor.exe
  C:\Windows\System32\kNaGMor.exe
  2⤵
  PID:9764
- C:\Windows\System32\JvryGbM.exe
  C:\Windows\System32\JvryGbM.exe
  2⤵
  PID:9788
- C:\Windows\System32\cLdFBYd.exe
  C:\Windows\System32\cLdFBYd.exe
  2⤵
  PID:9808
- C:\Windows\System32\TnDkoIM.exe
  C:\Windows\System32\TnDkoIM.exe
  2⤵
  PID:9836
- C:\Windows\System32\uIDKxmm.exe
  C:\Windows\System32\uIDKxmm.exe
  2⤵
  PID:9856
- C:\Windows\System32\AGnnwyX.exe
  C:\Windows\System32\AGnnwyX.exe
  2⤵
  PID:9892
- C:\Windows\System32\byDKBLO.exe
  C:\Windows\System32\byDKBLO.exe
  2⤵
  PID:9920
- C:\Windows\System32\DEVrgJQ.exe
  C:\Windows\System32\DEVrgJQ.exe
  2⤵
  PID:9944
- C:\Windows\System32\SuDHWMv.exe
  C:\Windows\System32\SuDHWMv.exe
  2⤵
  PID:9988
- C:\Windows\System32\FgpUODH.exe
  C:\Windows\System32\FgpUODH.exe
  2⤵
  PID:10008
- C:\Windows\System32\PhkDWDF.exe
  C:\Windows\System32\PhkDWDF.exe
  2⤵
  PID:10028
- C:\Windows\System32\KQuMqDb.exe
  C:\Windows\System32\KQuMqDb.exe
  2⤵
  PID:10060
- C:\Windows\System32\BoMuMRw.exe
  C:\Windows\System32\BoMuMRw.exe
  2⤵
  PID:10092
- C:\Windows\System32\bOfAUMV.exe
  C:\Windows\System32\bOfAUMV.exe
  2⤵
  PID:10116
- C:\Windows\System32\VbcKPZr.exe
  C:\Windows\System32\VbcKPZr.exe
  2⤵
  PID:10148
- C:\Windows\System32\QCOppWo.exe
  C:\Windows\System32\QCOppWo.exe
  2⤵
  PID:10168
- C:\Windows\System32\bWlWeKZ.exe
  C:\Windows\System32\bWlWeKZ.exe
  2⤵
  PID:10192
- C:\Windows\System32\rZCGQNs.exe
  C:\Windows\System32\rZCGQNs.exe
  2⤵
  PID:10232
- C:\Windows\System32\JOccoAW.exe
  C:\Windows\System32\JOccoAW.exe
  2⤵
  PID:9232
- C:\Windows\System32\DjzoHMS.exe
  C:\Windows\System32\DjzoHMS.exe
  2⤵
  PID:9292
- C:\Windows\System32\NupeOAa.exe
  C:\Windows\System32\NupeOAa.exe
  2⤵
  PID:9364
- C:\Windows\System32\tnccRsM.exe
  C:\Windows\System32\tnccRsM.exe
  2⤵
  PID:9412
- C:\Windows\System32\tTEaCfL.exe
  C:\Windows\System32\tTEaCfL.exe
  2⤵
  PID:9460
- C:\Windows\System32\yoOCbGF.exe
  C:\Windows\System32\yoOCbGF.exe
  2⤵
  PID:9520
- C:\Windows\System32\rRwPNIe.exe
  C:\Windows\System32\rRwPNIe.exe
  2⤵
  PID:9572
- C:\Windows\System32\psPMAwN.exe
  C:\Windows\System32\psPMAwN.exe
  2⤵
  PID:9592
- C:\Windows\System32\ehYGwze.exe
  C:\Windows\System32\ehYGwze.exe
  2⤵
  PID:9696
- C:\Windows\System32\nbXljFP.exe
  C:\Windows\System32\nbXljFP.exe
  2⤵
  PID:9760
- C:\Windows\System32\aAYgFBc.exe
  C:\Windows\System32\aAYgFBc.exe
  2⤵
  PID:9828
- C:\Windows\System32\qXFPekX.exe
  C:\Windows\System32\qXFPekX.exe
  2⤵
  PID:9972
- C:\Windows\System32\zASZKQR.exe
  C:\Windows\System32\zASZKQR.exe
  2⤵
  PID:9996
- C:\Windows\System32\JLyyyJz.exe
  C:\Windows\System32\JLyyyJz.exe
  2⤵
  PID:10136
- C:\Windows\System32\XDvfgjW.exe
  C:\Windows\System32\XDvfgjW.exe
  2⤵
  PID:10164
- C:\Windows\System32\cbOdpyM.exe
  C:\Windows\System32\cbOdpyM.exe
  2⤵
  PID:10224
- C:\Windows\System32\dzTHqvC.exe
  C:\Windows\System32\dzTHqvC.exe
  2⤵
  PID:8752
- C:\Windows\System32\ifCnEuH.exe
  C:\Windows\System32\ifCnEuH.exe
  2⤵
  PID:9448
- C:\Windows\System32\irCCueL.exe
  C:\Windows\System32\irCCueL.exe
  2⤵
  PID:9612
- C:\Windows\System32\mCynSyN.exe
  C:\Windows\System32\mCynSyN.exe
  2⤵
  PID:9728
- C:\Windows\System32\QFCNXQp.exe
  C:\Windows\System32\QFCNXQp.exe
  2⤵
  PID:9748
- C:\Windows\System32\fEQRqkh.exe
  C:\Windows\System32\fEQRqkh.exe
  2⤵
  PID:9916
- C:\Windows\System32\EWnIvlu.exe
  C:\Windows\System32\EWnIvlu.exe
  2⤵
  PID:10200
- C:\Windows\System32\RhFGHAm.exe
  C:\Windows\System32\RhFGHAm.exe
  2⤵
  PID:9912
- C:\Windows\System32\LlIRlUE.exe
  C:\Windows\System32\LlIRlUE.exe
  2⤵
  PID:9668
- C:\Windows\System32\ruNrKcI.exe
  C:\Windows\System32\ruNrKcI.exe
  2⤵
  PID:9800
- C:\Windows\System32\JuWSNDH.exe
  C:\Windows\System32\JuWSNDH.exe
  2⤵
  PID:10248
- C:\Windows\System32\dUnCuCc.exe
  C:\Windows\System32\dUnCuCc.exe
  2⤵
  PID:10276
- C:\Windows\System32\ivpsFJb.exe
  C:\Windows\System32\ivpsFJb.exe
  2⤵
  PID:10300
- C:\Windows\System32\WKvdEXq.exe
  C:\Windows\System32\WKvdEXq.exe
  2⤵
  PID:10340
- C:\Windows\System32\ZjyPrdH.exe
  C:\Windows\System32\ZjyPrdH.exe
  2⤵
  PID:10368
- C:\Windows\System32\dOaxUft.exe
  C:\Windows\System32\dOaxUft.exe
  2⤵
  PID:10388
- C:\Windows\System32\tYIbOKW.exe
  C:\Windows\System32\tYIbOKW.exe
  2⤵
  PID:10456
- C:\Windows\System32\xHaPpgu.exe
  C:\Windows\System32\xHaPpgu.exe
  2⤵
  PID:10472
- C:\Windows\System32\jwcxAEn.exe
  C:\Windows\System32\jwcxAEn.exe
  2⤵
  PID:10500
- C:\Windows\System32\HjytWfJ.exe
  C:\Windows\System32\HjytWfJ.exe
  2⤵
  PID:10528
- C:\Windows\System32\oRuWggx.exe
  C:\Windows\System32\oRuWggx.exe
  2⤵
  PID:10552
- C:\Windows\System32\UkJMBqB.exe
  C:\Windows\System32\UkJMBqB.exe
  2⤵
  PID:10572
- C:\Windows\System32\bAnhluk.exe
  C:\Windows\System32\bAnhluk.exe
  2⤵
  PID:10592
- C:\Windows\System32\KxxpFbm.exe
  C:\Windows\System32\KxxpFbm.exe
  2⤵
  PID:10612
- C:\Windows\System32\abnOKDQ.exe
  C:\Windows\System32\abnOKDQ.exe
  2⤵
  PID:10656
- C:\Windows\System32\JBzdObu.exe
  C:\Windows\System32\JBzdObu.exe
  2⤵
  PID:10676
- C:\Windows\System32\BXfqmtJ.exe
  C:\Windows\System32\BXfqmtJ.exe
  2⤵
  PID:10708
- C:\Windows\System32\rnrIihI.exe
  C:\Windows\System32\rnrIihI.exe
  2⤵
  PID:10724
- C:\Windows\System32\ElGKPmL.exe
  C:\Windows\System32\ElGKPmL.exe
  2⤵
  PID:10780
- C:\Windows\System32\nEmjXoY.exe
  C:\Windows\System32\nEmjXoY.exe
  2⤵
  PID:10800
- C:\Windows\System32\xkZqUXB.exe
  C:\Windows\System32\xkZqUXB.exe
  2⤵
  PID:10828
- C:\Windows\System32\VFlOOCF.exe
  C:\Windows\System32\VFlOOCF.exe
  2⤵
  PID:10844
- C:\Windows\System32\PCsHVYn.exe
  C:\Windows\System32\PCsHVYn.exe
  2⤵
  PID:10864
- C:\Windows\System32\sSuzNaM.exe
  C:\Windows\System32\sSuzNaM.exe
  2⤵
  PID:10892
- C:\Windows\System32\TIfVBCV.exe
  C:\Windows\System32\TIfVBCV.exe
  2⤵
  PID:10912
- C:\Windows\System32\euxJwFz.exe
  C:\Windows\System32\euxJwFz.exe
  2⤵
  PID:10960
- C:\Windows\System32\XphNvOo.exe
  C:\Windows\System32\XphNvOo.exe
  2⤵
  PID:10976
- C:\Windows\System32\gqpHRbe.exe
  C:\Windows\System32\gqpHRbe.exe
  2⤵
  PID:11016
- C:\Windows\System32\TqREYxz.exe
  C:\Windows\System32\TqREYxz.exe
  2⤵
  PID:11040
- C:\Windows\System32\yLDWKxo.exe
  C:\Windows\System32\yLDWKxo.exe
  2⤵
  PID:11056
- C:\Windows\System32\DrZilmG.exe
  C:\Windows\System32\DrZilmG.exe
  2⤵
  PID:11088
- C:\Windows\System32\WdXycdx.exe
  C:\Windows\System32\WdXycdx.exe
  2⤵
  PID:11152
- C:\Windows\System32\vnOivyG.exe
  C:\Windows\System32\vnOivyG.exe
  2⤵
  PID:11172
- C:\Windows\System32\ZOWAWxG.exe
  C:\Windows\System32\ZOWAWxG.exe
  2⤵
  PID:11208
- C:\Windows\System32\MkebhHq.exe
  C:\Windows\System32\MkebhHq.exe
  2⤵
  PID:11232
- C:\Windows\System32\RwbjUEP.exe
  C:\Windows\System32\RwbjUEP.exe
  2⤵
  PID:11252
- C:\Windows\System32\cFmqCYs.exe
  C:\Windows\System32\cFmqCYs.exe
  2⤵
  PID:10244
- C:\Windows\System32\MfDXuvU.exe
  C:\Windows\System32\MfDXuvU.exe
  2⤵
  PID:10284
- C:\Windows\System32\hrtIpUf.exe
  C:\Windows\System32\hrtIpUf.exe
  2⤵
  PID:10408
- C:\Windows\System32\BKZwlNF.exe
  C:\Windows\System32\BKZwlNF.exe
  2⤵
  PID:10432
- C:\Windows\System32\oBAZweJ.exe
  C:\Windows\System32\oBAZweJ.exe
  2⤵
  PID:10508
- C:\Windows\System32\caJZUZk.exe
  C:\Windows\System32\caJZUZk.exe
  2⤵
  PID:10560
- C:\Windows\System32\XbFJGUc.exe
  C:\Windows\System32\XbFJGUc.exe
  2⤵
  PID:10688
- C:\Windows\System32\rMbpVUx.exe
  C:\Windows\System32\rMbpVUx.exe
  2⤵
  PID:10716
- C:\Windows\System32\RhRhYxF.exe
  C:\Windows\System32\RhRhYxF.exe
  2⤵
  PID:10792
- C:\Windows\System32\NWXKRHk.exe
  C:\Windows\System32\NWXKRHk.exe
  2⤵
  PID:10908
- C:\Windows\System32\FcRmPun.exe
  C:\Windows\System32\FcRmPun.exe
  2⤵
  PID:10956
- C:\Windows\System32\RlMEImV.exe
  C:\Windows\System32\RlMEImV.exe
  2⤵
  PID:11008
- C:\Windows\System32\PDTlHcC.exe
  C:\Windows\System32\PDTlHcC.exe
  2⤵
  PID:11048
- C:\Windows\System32\gRlhuZH.exe
  C:\Windows\System32\gRlhuZH.exe
  2⤵
  PID:11132
- C:\Windows\System32\JBSKUgC.exe
  C:\Windows\System32\JBSKUgC.exe
  2⤵
  PID:11200
- C:\Windows\System32\oEmoLlm.exe
  C:\Windows\System32\oEmoLlm.exe
  2⤵
  PID:10268
- C:\Windows\System32\zDAFPNd.exe
  C:\Windows\System32\zDAFPNd.exe
  2⤵
  PID:9480
- C:\Windows\System32\EAslXNO.exe
  C:\Windows\System32\EAslXNO.exe
  2⤵
  PID:10492
- C:\Windows\System32\jlEreOw.exe
  C:\Windows\System32\jlEreOw.exe
  2⤵
  PID:10480
- C:\Windows\System32\XksCWJb.exe
  C:\Windows\System32\XksCWJb.exe
  2⤵
  PID:10872
- C:\Windows\System32\QLmSswz.exe
  C:\Windows\System32\QLmSswz.exe
  2⤵
  PID:10884
- C:\Windows\System32\AWwqBnu.exe
  C:\Windows\System32\AWwqBnu.exe
  2⤵
  PID:11112
- C:\Windows\System32\YenLmfn.exe
  C:\Windows\System32\YenLmfn.exe
  2⤵
  PID:11168
- C:\Windows\System32\XoikMZa.exe
  C:\Windows\System32\XoikMZa.exe
  2⤵
  PID:10448
- C:\Windows\System32\KRkwKHi.exe
  C:\Windows\System32\KRkwKHi.exe
  2⤵
  PID:10512
- C:\Windows\System32\cdgaisG.exe
  C:\Windows\System32\cdgaisG.exe
  2⤵
  PID:10972
- C:\Windows\System32\rzkQONR.exe
  C:\Windows\System32\rzkQONR.exe
  2⤵
  PID:11268
- C:\Windows\System32\RkbKQco.exe
  C:\Windows\System32\RkbKQco.exe
  2⤵
  PID:11292
- C:\Windows\System32\vcSagLY.exe
  C:\Windows\System32\vcSagLY.exe
  2⤵
  PID:11324
- C:\Windows\System32\ymfJttw.exe
  C:\Windows\System32\ymfJttw.exe
  2⤵
  PID:11368
- C:\Windows\System32\KyQDSxk.exe
  C:\Windows\System32\KyQDSxk.exe
  2⤵
  PID:11396
- C:\Windows\System32\UcIkdmK.exe
  C:\Windows\System32\UcIkdmK.exe
  2⤵
  PID:11412
- C:\Windows\System32\ZXsFPpp.exe
  C:\Windows\System32\ZXsFPpp.exe
  2⤵
  PID:11456
- C:\Windows\System32\WHWaYZa.exe
  C:\Windows\System32\WHWaYZa.exe
  2⤵
  PID:11480
- C:\Windows\System32\kEfyUuS.exe
  C:\Windows\System32\kEfyUuS.exe
  2⤵
  PID:11508
- C:\Windows\System32\vRPCBSg.exe
  C:\Windows\System32\vRPCBSg.exe
  2⤵
  PID:11528
- C:\Windows\System32\fvzdkfL.exe
  C:\Windows\System32\fvzdkfL.exe
  2⤵
  PID:11552
- C:\Windows\System32\PmazvlO.exe
  C:\Windows\System32\PmazvlO.exe
  2⤵
  PID:11596
- C:\Windows\System32\SHFJUSa.exe
  C:\Windows\System32\SHFJUSa.exe
  2⤵
  PID:11616
- C:\Windows\System32\wGFNgrU.exe
  C:\Windows\System32\wGFNgrU.exe
  2⤵
  PID:11636
- C:\Windows\System32\qsSqCPH.exe
  C:\Windows\System32\qsSqCPH.exe
  2⤵
  PID:11664
- C:\Windows\System32\xJBxQtP.exe
  C:\Windows\System32\xJBxQtP.exe
  2⤵
  PID:11704
- C:\Windows\System32\aJcaznX.exe
  C:\Windows\System32\aJcaznX.exe
  2⤵
  PID:11720
- C:\Windows\System32\hEYeKCW.exe
  C:\Windows\System32\hEYeKCW.exe
  2⤵
  PID:11748
- C:\Windows\System32\RNnptgK.exe
  C:\Windows\System32\RNnptgK.exe
  2⤵
  PID:11776
- C:\Windows\System32\cDxcKRH.exe
  C:\Windows\System32\cDxcKRH.exe
  2⤵
  PID:11816
- C:\Windows\System32\dHuRRAK.exe
  C:\Windows\System32\dHuRRAK.exe
  2⤵
  PID:11844
- C:\Windows\System32\fdWhTdw.exe
  C:\Windows\System32\fdWhTdw.exe
  2⤵
  PID:11860
- C:\Windows\System32\XtDKCwT.exe
  C:\Windows\System32\XtDKCwT.exe
  2⤵
  PID:11892
- C:\Windows\System32\ScWGJRL.exe
  C:\Windows\System32\ScWGJRL.exe
  2⤵
  PID:11924
- C:\Windows\System32\AiXexNo.exe
  C:\Windows\System32\AiXexNo.exe
  2⤵
  PID:11948
- C:\Windows\System32\xmXJotg.exe
  C:\Windows\System32\xmXJotg.exe
  2⤵
  PID:11968
- C:\Windows\System32\CdytVde.exe
  C:\Windows\System32\CdytVde.exe
  2⤵
  PID:11988
- C:\Windows\System32\mObANPl.exe
  C:\Windows\System32\mObANPl.exe
  2⤵
  PID:12004
- C:\Windows\System32\ktszbwK.exe
  C:\Windows\System32\ktszbwK.exe
  2⤵
  PID:12048
- C:\Windows\System32\nkwNDWq.exe
  C:\Windows\System32\nkwNDWq.exe
  2⤵
  PID:12096
- C:\Windows\System32\RokwNfz.exe
  C:\Windows\System32\RokwNfz.exe
  2⤵
  PID:12124
- C:\Windows\System32\vojzUbN.exe
  C:\Windows\System32\vojzUbN.exe
  2⤵
  PID:12152
- C:\Windows\System32\xJBxorD.exe
  C:\Windows\System32\xJBxorD.exe
  2⤵
  PID:12176
- C:\Windows\System32\GzSCZCX.exe
  C:\Windows\System32\GzSCZCX.exe
  2⤵
  PID:12200
- C:\Windows\System32\MfkUEOp.exe
  C:\Windows\System32\MfkUEOp.exe
  2⤵
  PID:12224
- C:\Windows\System32\tWYtKvh.exe
  C:\Windows\System32\tWYtKvh.exe
  2⤵
  PID:12264
- C:\Windows\System32\aURACix.exe
  C:\Windows\System32\aURACix.exe
  2⤵
  PID:12280
- C:\Windows\System32\wuLXAtb.exe
  C:\Windows\System32\wuLXAtb.exe
  2⤵
  PID:11276
- C:\Windows\System32\iKpBtCY.exe
  C:\Windows\System32\iKpBtCY.exe
  2⤵
  PID:11356
- C:\Windows\System32\dfagfBV.exe
  C:\Windows\System32\dfagfBV.exe
  2⤵
  PID:11428
- C:\Windows\System32\PZKVWzS.exe
  C:\Windows\System32\PZKVWzS.exe
  2⤵
  PID:10816
- C:\Windows\System32\zfYbCuU.exe
  C:\Windows\System32\zfYbCuU.exe
  2⤵
  PID:11492
- C:\Windows\System32\tVutrrJ.exe
  C:\Windows\System32\tVutrrJ.exe
  2⤵
  PID:11548
- C:\Windows\System32\eBqnnQu.exe
  C:\Windows\System32\eBqnnQu.exe
  2⤵
  PID:11580
- C:\Windows\System32\lcKIwGp.exe
  C:\Windows\System32\lcKIwGp.exe
  2⤵
  PID:11688
- C:\Windows\System32\rcddAEv.exe
  C:\Windows\System32\rcddAEv.exe
  2⤵
  PID:11760
- C:\Windows\System32\EoveSFc.exe
  C:\Windows\System32\EoveSFc.exe
  2⤵
  PID:11852
- C:\Windows\System32\XuMfgnD.exe
  C:\Windows\System32\XuMfgnD.exe
  2⤵
  PID:11944
- C:\Windows\System32\qHeHSfv.exe
  C:\Windows\System32\qHeHSfv.exe
  2⤵
  PID:11976
- C:\Windows\System32\MeKPQQb.exe
  C:\Windows\System32\MeKPQQb.exe
  2⤵
  PID:12032
- C:\Windows\System32\rngnDeS.exe
  C:\Windows\System32\rngnDeS.exe
  2⤵
  PID:12076
- C:\Windows\System32\lPOxyIE.exe
  C:\Windows\System32\lPOxyIE.exe
  2⤵
  PID:12184
- C:\Windows\System32\szbiFZy.exe
  C:\Windows\System32\szbiFZy.exe
  2⤵
  PID:12240
- C:\Windows\System32\FdNbZMS.exe
  C:\Windows\System32\FdNbZMS.exe
  2⤵
  PID:12272
- C:\Windows\System32\TumqdXV.exe
  C:\Windows\System32\TumqdXV.exe
  2⤵
  PID:11320
- C:\Windows\System32\VWjFbEH.exe
  C:\Windows\System32\VWjFbEH.exe
  2⤵
  PID:11632
- C:\Windows\System32\LGFADnP.exe
  C:\Windows\System32\LGFADnP.exe
  2⤵
  PID:11736
- C:\Windows\System32\UggIbzC.exe
  C:\Windows\System32\UggIbzC.exe
  2⤵
  PID:11824
- C:\Windows\System32\BsZznUx.exe
  C:\Windows\System32\BsZznUx.exe
  2⤵
  PID:11996
- C:\Windows\System32\aSNKgxR.exe
  C:\Windows\System32\aSNKgxR.exe
  2⤵
  PID:12140
- C:\Windows\System32\SqJwraJ.exe
  C:\Windows\System32\SqJwraJ.exe
  2⤵
  PID:468
- C:\Windows\System32\ydvcyIY.exe
  C:\Windows\System32\ydvcyIY.exe
  2⤵
  PID:11220
- C:\Windows\System32\YSesQJy.exe
  C:\Windows\System32\YSesQJy.exe
  2⤵
  PID:11792
- C:\Windows\System32\TfUdXYc.exe
  C:\Windows\System32\TfUdXYc.exe
  2⤵
  PID:11956
- C:\Windows\System32\qVsIYnk.exe
  C:\Windows\System32\qVsIYnk.exe
  2⤵
  PID:2136
- C:\Windows\System32\MPboQDM.exe
  C:\Windows\System32\MPboQDM.exe
  2⤵
  PID:11540
- C:\Windows\System32\LOaiByy.exe
  C:\Windows\System32\LOaiByy.exe
  2⤵
  PID:3836
- C:\Windows\System32\dhMwJXa.exe
  C:\Windows\System32\dhMwJXa.exe
  2⤵
  PID:11584
- C:\Windows\System32\DmxROVU.exe
  C:\Windows\System32\DmxROVU.exe
  2⤵
  PID:12312
- C:\Windows\System32\NqMcQkX.exe
  C:\Windows\System32\NqMcQkX.exe
  2⤵
  PID:12340
- C:\Windows\System32\tFYWZNe.exe
  C:\Windows\System32\tFYWZNe.exe
  2⤵
  PID:12360
- C:\Windows\System32\UqDSSra.exe
  C:\Windows\System32\UqDSSra.exe
  2⤵
  PID:12384
- C:\Windows\System32\hHNWCHn.exe
  C:\Windows\System32\hHNWCHn.exe
  2⤵
  PID:12444
- C:\Windows\System32\iKRtnfv.exe
  C:\Windows\System32\iKRtnfv.exe
  2⤵
  PID:12468
- C:\Windows\System32\VzpJoVE.exe
  C:\Windows\System32\VzpJoVE.exe
  2⤵
  PID:12492
- C:\Windows\System32\OOnWoBA.exe
  C:\Windows\System32\OOnWoBA.exe
  2⤵
  PID:12520
- C:\Windows\System32\IIVTkPq.exe
  C:\Windows\System32\IIVTkPq.exe
  2⤵
  PID:12536
- C:\Windows\System32\wdcMHfB.exe
  C:\Windows\System32\wdcMHfB.exe
  2⤵
  PID:12560
- C:\Windows\System32\dlvbuoi.exe
  C:\Windows\System32\dlvbuoi.exe
  2⤵
  PID:12608
- C:\Windows\System32\kWTcnjI.exe
  C:\Windows\System32\kWTcnjI.exe
  2⤵
  PID:12636
- C:\Windows\System32\xgpLRFD.exe
  C:\Windows\System32\xgpLRFD.exe
  2⤵
  PID:12660
- C:\Windows\System32\qFfmpKR.exe
  C:\Windows\System32\qFfmpKR.exe
  2⤵
  PID:12692
- C:\Windows\System32\QrvaolU.exe
  C:\Windows\System32\QrvaolU.exe
  2⤵
  PID:12728
- C:\Windows\System32\tDvafnn.exe
  C:\Windows\System32\tDvafnn.exe
  2⤵
  PID:12748
- C:\Windows\System32\izAPJqM.exe
  C:\Windows\System32\izAPJqM.exe
  2⤵
  PID:12772
- C:\Windows\System32\FalcrYU.exe
  C:\Windows\System32\FalcrYU.exe
  2⤵
  PID:12792
- C:\Windows\System32\ytClfYA.exe
  C:\Windows\System32\ytClfYA.exe
  2⤵
  PID:12824
- C:\Windows\System32\TifxXoE.exe
  C:\Windows\System32\TifxXoE.exe
  2⤵
  PID:12848
- C:\Windows\System32\cyOSWNm.exe
  C:\Windows\System32\cyOSWNm.exe
  2⤵
  PID:12904
- C:\Windows\System32\fZhLGDD.exe
  C:\Windows\System32\fZhLGDD.exe
  2⤵
  PID:12920
- C:\Windows\System32\QKKzCGd.exe
  C:\Windows\System32\QKKzCGd.exe
  2⤵
  PID:12964
- C:\Windows\System32\wbcEPCB.exe
  C:\Windows\System32\wbcEPCB.exe
  2⤵
  PID:12992
- C:\Windows\System32\hgdsmDD.exe
  C:\Windows\System32\hgdsmDD.exe
  2⤵
  PID:13008
- C:\Windows\System32\RWgEJwP.exe
  C:\Windows\System32\RWgEJwP.exe
  2⤵
  PID:13036
- C:\Windows\System32\AAmQotr.exe
  C:\Windows\System32\AAmQotr.exe
  2⤵
  PID:13076
- C:\Windows\System32\xfYAJhC.exe
  C:\Windows\System32\xfYAJhC.exe
  2⤵
  PID:13100
- C:\Windows\System32\JvNqYLj.exe
  C:\Windows\System32\JvNqYLj.exe
  2⤵
  PID:13120
- C:\Windows\System32\wQuaxwY.exe
  C:\Windows\System32\wQuaxwY.exe
  2⤵
  PID:13148
- C:\Windows\System32\gTivQbu.exe
  C:\Windows\System32\gTivQbu.exe
  2⤵
  PID:13180
- C:\Windows\System32\UiabSMO.exe
  C:\Windows\System32\UiabSMO.exe
  2⤵
  PID:13216
- C:\Windows\System32\CZHfRAD.exe
  C:\Windows\System32\CZHfRAD.exe
  2⤵
  PID:13244
- C:\Windows\System32\qIzHVoK.exe
  C:\Windows\System32\qIzHVoK.exe
  2⤵
  PID:13264
- C:\Windows\System32\FBtEHsz.exe
  C:\Windows\System32\FBtEHsz.exe
  2⤵
  PID:13296
- C:\Windows\System32\zlikabF.exe
  C:\Windows\System32\zlikabF.exe
  2⤵
  PID:2892
- C:\Windows\System32\vjGfpvu.exe
  C:\Windows\System32\vjGfpvu.exe
  2⤵
  PID:12320
- C:\Windows\System32\HmlhKsG.exe
  C:\Windows\System32\HmlhKsG.exe
  2⤵
  PID:12400
- C:\Windows\System32\NZxpulb.exe
  C:\Windows\System32\NZxpulb.exe
  2⤵
  PID:12372

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:12820
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:12708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:60

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:8640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:10764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2000

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:7868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:8764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:11252

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:10264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3052

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5964

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6432

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4148

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8804

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:9252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:10388

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:11416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:11988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:12180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IPWDBVC8\microsoft.windows[1].xml

Filesize
97B

MD5
2065215028a7b049f3c2fb76ba1546ba

SHA1
93635d3fb4aad5e8c7e0e587aaf361e4fea59d15

SHA256
eb95953230a3e16e917b8d37b9ec78ff50b28b0467cbff3774aa8b96cb13aa60

SHA512
c2f97a1ebc3a5a3f98eea57b7f8e4c73ba452581ba905eab90395640fdc5c34d0bab07307a250543c424d5d44e7549724ff5c8e3958eeb1583426613eb68d0ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133664599604825620.txt

Filesize
76KB

MD5
83e330790609610282cf9c442f2258c3

SHA1
efd23804c48fab449855cb775d0f4851c4890b24

SHA256
784c6cdb77cc04f03353cf0662943eb651ef91874d4dbf2c423c67dbb0488727

SHA512
58e68407ade0c0ce9fa2095a45f946e5424575e8aba5116090d3b39dfbfadd89d0d77896c724834d59c2c8589eae5ed022420c1af286f37e17dfb649c1b013dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
22KB

MD5
8db1454dc945f33cc7943f89b23553c6

SHA1
0bbb1b5dc0dd4e7e047498645c22b10998cb636e

SHA256
774bd19e19fe55f29372f406369a536214650677228952d37179563437e1745a

SHA512
a08be0547ba87f229dda28d2063e67ec26bdeca6f6597208a661d0d3507f2bdc8e5eca69a1e43302a52e5213c798a9d60fdd52804e14cd4b0dc2d9c7d6b46e82

Download Submit
C:\Windows\System32\BiSVZZf.exe

Filesize
1.7MB

MD5
97d440efd5672cc666490c3064af7a78

SHA1
ea4b4480e22dd1803e35d858fc1e73db2f27f744

SHA256
98ce8e0b1af062d6a0f545851b293bf48100b2375d2b3cbbb99791cb98b4c31f

SHA512
49e85118d78dbf5480f25919d7d4ab61047b85bb320a4f9f4f52d5120690f546d570da6af185d401a040f5b1e9def3bbcb2a01764ad40f83d096aa8d8c597b94

Download Submit
C:\Windows\System32\COHcMGo.exe

Filesize
1.7MB

MD5
fd68056d425aa82880ef44fb9f6d3550

SHA1
09f261835f1c8b2be2823427f8b21fa555ba1c32

SHA256
27e07984c0fb4261e27da15d2a193e0de89826c2b1bf3f36b7953f39353723f2

SHA512
3532878d65ce9ad35b611d51a9630ebb39060cf3dba4c3030b47885704f5df45a34261ecb9e075bb07e7df9c2d26b2d7adddfb8723e7400ef0ccc10cdff8a388

Download Submit
C:\Windows\System32\DQMZHsf.exe

Filesize
1.7MB

MD5
853b70d58baf0336c94716e98d69faa6

SHA1
2702fbeb379640294f5896cd7f2d26d9f257a1aa

SHA256
2cd3c6895f7e36b3c1e80854736591a27465a568c52ad90bc971bab0e389fff3

SHA512
83897fd7d1882e052cdd0f1f9bf6a3dcc0673b5abd7ce78a0fdd92bfcf8ecd20604d92e10f7b26a816499e308a9e04d485bc0eaf332ebef269608e4bcf3ebd0e

Download Submit
C:\Windows\System32\ErCDXYw.exe

Filesize
1.7MB

MD5
12b286fca76e5382d8f4cd4ffba5d5dd

SHA1
dd105aa0359a44f1369f45b608d9ed5d0953610a

SHA256
9177d4d23b7448323bc7d82a164839a76f2206bcc8c9c501bd071657bb5000c0

SHA512
1410d51a94b6dbafc28b2245638792c6277196cd46e466bc98ea1422c4f6b26d42003d5990d2152677d4bdef87fbf07d55ae26c71aa11c18d22142cb573ceac0

Download Submit
C:\Windows\System32\EslbaAx.exe

Filesize
1.7MB

MD5
917cee02b479837e596315b6c6e9ff20

SHA1
7024af1e15bcc476ecd9f1452063f5bab13e3115

SHA256
a30fa26bcd781c7676bf5cea88ae1164a10577532ea174cab1add9430aed1691

SHA512
95f56432e56e6bff16b5c96828aadb19feae6fd2d2989c80049f6d1da20a3b542508fe919b89519250661ffb3d379749fa9a9a3d0e86714ff1d7001d1d4999cb

Download Submit
C:\Windows\System32\GdegPct.exe

Filesize
1.7MB

MD5
19087d8666341fcd15387a30ec18a2ea

SHA1
6188a0d25831c5554a75dff74ccab87e5c288b7b

SHA256
863d4e600ff93cc0da21b519bdff3072028c8672cce5534c69499b23c6f06a37

SHA512
6d177fc36faebcd9b050bf6a4a36120b1476cab4059e01a8176fc073c95d060907f0e57cc45849a8189d133570d35346056c76132be2c9ea1f699d9b3d8d8d5c

Download Submit
C:\Windows\System32\GhFusSS.exe

Filesize
1.7MB

MD5
4f144345402417794f3672562f8da21e

SHA1
9144769ae565e1b070fb11bacdcc419637f40d2a

SHA256
278f317885394841d6641d4a5fc4995186164804ecad02f4f52cc295ab9b37cb

SHA512
9fd74aa60e719b01c808709c37aff2592800929c9672373d26ccc60090acd48d50b97caf9284d091a41e8a13d2b00d891e91a94458748e3b0baa993fe4d03d07

Download Submit
C:\Windows\System32\HevjMkg.exe

Filesize
1.7MB

MD5
6a1596306dbad7b9d9b59a919b666c62

SHA1
6d7952e8fe8073817878c27b90d569aac559d46f

SHA256
62160ea31d26ef16c05c7ce26a34f6d2dd033d4c2a454727bbcbf9b24ac82e76

SHA512
1c976d2facb672800a84c81c7ed914e5257bb099342a53ca6f48ce0f5843aad58a921661bfb451f7e789cedc3632cadc4dc0750d140ced03d4538262ae441ab6

Download Submit
C:\Windows\System32\JCVIGkU.exe

Filesize
1.7MB

MD5
f805f56801e95be4c5ff172f6289c1cd

SHA1
457108ecf7eb9639c02b79162844e04b4850bc28

SHA256
ddd767a6a47405d0a822ab6413ae3332575fd974f625868fbc719f8e408cf442

SHA512
662d9d09c82681f9301755f745a2090e9a1f2bca8e2336a5b8b53804a3a27fe9b78dec7c2ed47443db63f4acd1c70b0f4e5255925c143e715d92f4cc39e3de24

Download Submit
C:\Windows\System32\MpFcRQr.exe

Filesize
1.7MB

MD5
b441c8332609fa2c28c168c8104d7814

SHA1
0880eb6407ec1902dc242f8c4735edcbe481cad4

SHA256
e547778a0180208ae59c88dd21a9dae644889855d754b3ba24d3415c3b58a151

SHA512
67b9472c4108fe377ccacfc6fdb7f3a550f45c5078ace35b1af67e704d2101936f3eaa2bfd8a0eacdcdae152cab54503a480427ca1cdbfb7483308064d79999e

Download Submit
C:\Windows\System32\OVBEcme.exe

Filesize
1.7MB

MD5
b0c291c564cfecf3df0e6e7f5bbd2841

SHA1
aa3cf4599d4133212471960e39dc3627e24a5e2b

SHA256
bfb255eb1b99b8fd08b750f48f101e824c42606d2bcc31eefcfea3f488526011

SHA512
fb9e9ac87ca28f06a4502c201f8096e11cf60b926e1993070442f76527ce4108eea5af6d8e8df3df94a297dc5b19941aaad393dd5765730e1f5421e62baae3ec

Download Submit
C:\Windows\System32\SOJtKdn.exe

Filesize
1.7MB

MD5
2d35469d6ad7246d7f717ea9bb0a5827

SHA1
0a8d5066a27ca0a3557b2985e3c47a1cf140b888

SHA256
93786e6c3103e68c510085cb4457e52d5653378dfe65b1ad0b4feba0cd4ab488

SHA512
a4520eb23a90970729ad23b13a78ba99f180c4eea904a85a2a94c86c81b078aba289e35d127e5f07bff632b916b8b7743fe50e0975c8bdcbfa0ce152d6c8247b

Download Submit
C:\Windows\System32\SdEhSBM.exe

Filesize
1.7MB

MD5
2714abfcbf8e893d64ec0ed9a2a6b6d6

SHA1
1e4fca50f88fef8e20c161c98faa95894a531a56

SHA256
348046c829256c54be54260f27b37d45b0fc77b0b60b8012e5c050364efafc0d

SHA512
c8447008e5be9c2244b16279d5f7a6457c87193e97fc32a67f8b3ca275dbd2007b66b7f6443203bd0915e822913c381d4a9733c1903aa6c74e27b2e5a0a73a67

Download Submit
C:\Windows\System32\SuJBKQN.exe

Filesize
1.7MB

MD5
dacea533917ab234e4b926af53787b67

SHA1
94081a78fa1c474760f27a88535977b7b5694ef7

SHA256
84be848111a01288cb491b75183dffd0af2abdf6a45ad65c06b28b60b272e6ad

SHA512
578778221b3279a6208201e41abf1cbe7df17e1b1997ba554319a019828c9c5e0f221edd25452a18a7718789fba970c5db6b657e0fa38e9be7fad6b8e74c0e8d

Download Submit
C:\Windows\System32\TPiDCkQ.exe

Filesize
1.7MB

MD5
489b6d6de319f75ff6370098cd537f16

SHA1
e913486de096bfb9bbeb4c49d5a276f3adb3b564

SHA256
ced067e86f1a6f3babf91c740f6376a7a4a9856047a02a87102cf45287e02824

SHA512
8b72ac28075fb8c72e27df8f117978e9266003f2696632733c69ee33564a978f9ca65e30b9e194e1a3bec0c7940bdb8d277e511564bfd778707c63ce635928a4

Download Submit
C:\Windows\System32\ZJiEZrn.exe

Filesize
1.7MB

MD5
e3932a71d658c83457e9c4adf0474f4c

SHA1
fe4f1f32dd01a766fa5a0316ecc7e26d983200ce

SHA256
dd49504523e5a984f9466cd28ee6bd1918e345806ab48df6ae8a34e8efd64b5e

SHA512
f740d84912542efc42f3f44bd42f397a06ccfb72dd30078bec3b3c62d20a1c3a6c7a9724ad19d57904bde38ed5aadf2a04b5ecc83c168c00ccc8941a5b2ae64c

Download Submit
C:\Windows\System32\aJuXtog.exe

Filesize
1.7MB

MD5
f836d450ae968850bec19c3ade676f0d

SHA1
3c5ea571069826d7df61c7322e648a07a805344a

SHA256
43a2969b5676018184446ad9bc205fb8865de57fd647abac02d66880e2f7f77b

SHA512
4bfb898e64d0b5557198fbb1d36a7bee1d2edf7a9608b776c34fa6d7b11568d80375bc874474445bf354dfcb5dc01e5756915ddbfd5b48dfd118b081190551b1

Download Submit
C:\Windows\System32\cWIqMLL.exe

Filesize
1.7MB

MD5
7e14b58caab5041dcd0fc4374bcb82e8

SHA1
56c835f1269d84af87be3d955522d9dd824aafed

SHA256
ce24f4c40ef77a14dd600dc94d1fa8530382eb9e27b74df05889ade7d29f5ea3

SHA512
1fe83cd1fbc54fc29fc549e9606f85b7a8bcaaf5c4d5e8a0d4544879c3b449359e4668bbb72fdcaa7fdf5edeb80aeedf08c3b37272caf16351ba651b7a607a18

Download Submit
C:\Windows\System32\cYLhdCA.exe

Filesize
1.7MB

MD5
b17833a6e50539ef71dd90e83ebb04d7

SHA1
d27d4ab3be782c1e8f8d6c89466d238f85952aea

SHA256
c0839d06cfc5664c556b9efc57259dc098899a1a1e7191c2dc3e420853319fd8

SHA512
073d33b42ce3d807656b3b2411f0fb0311e32d2cee5565c6e3e7b25c6aad4a78dfac24f78887617279fd391fd2e39ce50c3d46df65b0eb6d0c48f370b5ca3b4c

Download Submit
C:\Windows\System32\eSCbHMA.exe

Filesize
1.7MB

MD5
8449e43d51efcd362c863be5caf2d0ee

SHA1
d11f0eed9709c85a5a59321a56861516947d9d29

SHA256
33b715f728962d09241bc2a66280cb4df4bed0ac5ea1d1baa4efe353f01859a1

SHA512
8af1520135d8c580d70247b363063415489c6f139516a4941ad1f620a406edb815a2700e2c77362df549c78f37df070710a698a92aa3dc371fb8570275604266

Download Submit
C:\Windows\System32\fwrUYaC.exe

Filesize
1.7MB

MD5
5a03d7db0595d468668587e8d14f7b50

SHA1
ece5e46ea1120a97cf04fd16843aba05f38c4792

SHA256
2bcbaf72c8af137fa6750dd521be2e7367196216f1039b10b50bea115ee0f5ab

SHA512
226667e1af0a0c4f0e696523399d55a9511bcfce6950671cebc36294187f585f09f8b6a3a509fb0dd80d0f82da0da97231794499a6374c95c682fe064654c1e5

Download Submit
C:\Windows\System32\itKCifk.exe

Filesize
1.7MB

MD5
e2168ea899476372a0962a3ddd5b73f3

SHA1
628af5a5679e98e4380d6c34ad3e42927b752776

SHA256
42cfbac365b37948cb6986b489ec9188feb0256d0a0082fee227e5a6f5f9c405

SHA512
3cbad97056052c94b447b04617c05bd4a306fcdbca2bde9916525f20ee7192573e150c5127c08746d0be30896aabb067286ae5b64b637a687b227009ffa94cc4

Download Submit
C:\Windows\System32\kBAZeOo.exe

Filesize
1.7MB

MD5
92e6ce951cb6247b9c106b91ea1024b0

SHA1
563d7aece407096ef8ebcb8cfc8fe53951e58450

SHA256
d85d4ab61ecaee37ec065e9cd16021a226191af5f6abd3d6d8612d272896c44e

SHA512
a16acadff26a93c48ee8d3b8689cec811027204a5d155abf3dc093dac2608487abb229e4629e9b519c8565ba14f7703c686cadb204dffaf24b20292e6ac71f57

Download Submit
C:\Windows\System32\mvDsaie.exe

Filesize
1.7MB

MD5
407d87c20362a2268e20b2da24381553

SHA1
e549437d5daa6df16d3611c51144c4321728817f

SHA256
dc0138147cdfccbf17c2cda5d4010b65373a83baa8ab24f2265fb5f844b092bf

SHA512
52dd7d04140332ac9917523a473458f6494dfd280cb603f64c9397b04c06f6c5eb345b1a0ff899e5ca2e6ef8a594476bf28c1be3649c23e41d2d0a71d2005fd0

Download Submit
C:\Windows\System32\oZGZPDQ.exe

Filesize
1.7MB

MD5
05098e8e106643bb9244e16c5d0d2aac

SHA1
63d935c378a357d65c0064868068de38dcb49ff8

SHA256
b9b7bc483f70de59427ecbda0748e1965d1d254fee3df9d0207843f5c3c62a67

SHA512
0aacaf16789b7baed138364df7075e0f1ec7f26bd59a3ff398e13d938d00db82e25d7c43779224231b175c150aa4b457991690162e96395726d787e0ae9452c8

Download Submit
C:\Windows\System32\pEdACKX.exe

Filesize
1.7MB

MD5
f271e179fec60eedcd1a64ac21f03b8a

SHA1
0326254172b7e368352cec325fca39156f96ed87

SHA256
2b4e6330f1bf28666b16de640c45bd2434e7d152e6a20bd2ec59a7a175d8316a

SHA512
8d398d9a12b4e84d574c93b04f6969d07441220f06e15a3a86cee346c00d353bfc7b2ccecb63bf58cc65b7ad8daa664543170548344ed252dbfa78ea1917e2f4

Download Submit
C:\Windows\System32\qcgWqDt.exe

Filesize
1.7MB

MD5
e525f781137d8867b629134f62504f6c

SHA1
005ac0d636807493c679d5f845783769eb3ce73e

SHA256
8adcb48860907a6ed3e11f80fe13db38c469d5d65578a248c46664994317bd9e

SHA512
cbad3afca309261a7f02a8060711b7aba528d3809045a0cc1e3830595bc223eb8ba104fcd45f06cceeef404a1449b47621c5b54e91a1b2d2d34af26ac761c9e0

Download Submit
C:\Windows\System32\ryuafRK.exe

Filesize
1.7MB

MD5
126272cc11b7a11deb8e0b2c536336b8

SHA1
648e94cc42270ee3a43e67a41a1db55fbeca173a

SHA256
58fa4a652522774381771114ebc5c787c4e00332ebb9b9f518b4271949359f07

SHA512
d47831ef66dd4df91adebd24310700f17af246bb7057a1540a044602db108287f1ce5f1a5a8e4d72b981b59c342833f94d7252be8bc9f730a676d6c5c1562de1

Download Submit
C:\Windows\System32\tTqNQAJ.exe

Filesize
1.7MB

MD5
7c7458df2a56c7ee642753146c577fe4

SHA1
aa31fc11b6cf5a615dfa42839227480a87f3f4e8

SHA256
95fa39e250674b937ced8cdcee313930129ab9f9500417bbad00d8a7741d483e

SHA512
e78bc9eb18940bdb8d593882c0d1af316e0576d9415945e791e569bd6596de8fbcac503312ea2dc7fab3935ffe4c6a4a974af8874a993129701e3c42b26c56d9

Download Submit
C:\Windows\System32\tmkRlDb.exe

Filesize
1.7MB

MD5
8c30d72188aa4dc5a2acf6be1667d617

SHA1
96f083587d5dab67b99ef7a0d02c5f1f9924633c

SHA256
a7dd5914e1fe2dbc2ab6d364c7e2ef312c25ef4da50e3038ae7b2f76acc1660f

SHA512
01ad0413e47672ac1301d8c96ec29ecaa1f86dedcaaae7604bf95c843e7a00c4bad31f81363e67316b24e90977c0d91029fa09f4deae2aad703b9bfa0f6654ac

Download Submit
C:\Windows\System32\wDraFrv.exe

Filesize
1.7MB

MD5
baf6f5352d5aa9f300e325a5ac5bd566

SHA1
e4ff61d8c10fa404e5c43fd99bbdc2f477a713f1

SHA256
7f487af2016f9293de71547131806d60c1909a48eb2b03bc78e76290cae49857

SHA512
8ec81a3001675d39e5ae349cb7275451dd7ae7ad5a6829fd200908416b5d42e6308efe8e21ab937dd77544c0a5f499e496886446fce5f0de13b2ab52f9447553

Download Submit
C:\Windows\System32\xRYhznN.exe

Filesize
1.7MB

MD5
dba2324db1ecd6fc6dca6ad9eb2fe93f

SHA1
6f1a1801ab5e8a94812c30d7e996eab7e4477d8f

SHA256
83abca3d32fa56a6d2172db8d5c5c5341f7e19d2665eb54d8fc4beda7524681d

SHA512
a8987883a3aeff23f545c008b2cea0284e89785b632c40ea90b6e68e167c6374bf522a430fb612a4747996e6b88f4e3f1fa9d3028f75757ab8a19390f6989cf4

Download Submit
memory/32-381-0x00007FF6275C0000-0x00007FF6279B1000-memory.dmp

Filesize
3.9MB

Download
memory/32-2136-0x00007FF6275C0000-0x00007FF6279B1000-memory.dmp

Filesize
3.9MB

Download
memory/112-355-0x00007FF755500000-0x00007FF7558F1000-memory.dmp

Filesize
3.9MB

Download
memory/112-2128-0x00007FF755500000-0x00007FF7558F1000-memory.dmp

Filesize
3.9MB

Download
memory/748-409-0x00007FF649660000-0x00007FF649A51000-memory.dmp

Filesize
3.9MB

Download
memory/748-2156-0x00007FF649660000-0x00007FF649A51000-memory.dmp

Filesize
3.9MB

Download
memory/1232-6-0x00007FF782560000-0x00007FF782951000-memory.dmp

Filesize
3.9MB

Download
memory/1232-1956-0x00007FF782560000-0x00007FF782951000-memory.dmp

Filesize
3.9MB

Download
memory/1232-2024-0x00007FF782560000-0x00007FF782951000-memory.dmp

Filesize
3.9MB

Download
memory/1348-433-0x00007FF722CB0000-0x00007FF7230A1000-memory.dmp

Filesize
3.9MB

Download
memory/1348-2160-0x00007FF722CB0000-0x00007FF7230A1000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2149-0x00007FF7BA510000-0x00007FF7BA901000-memory.dmp

Filesize
3.9MB

Download
memory/1380-420-0x00007FF7BA510000-0x00007FF7BA901000-memory.dmp

Filesize
3.9MB

Download
memory/1608-444-0x00007FF6EFE10000-0x00007FF6F0201000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2126-0x00007FF6EFE10000-0x00007FF6F0201000-memory.dmp

Filesize
3.9MB

Download
memory/1984-360-0x00007FF718780000-0x00007FF718B71000-memory.dmp

Filesize
3.9MB

Download
memory/1984-2130-0x00007FF718780000-0x00007FF718B71000-memory.dmp

Filesize
3.9MB

Download
memory/2312-2143-0x00007FF7A8C90000-0x00007FF7A9081000-memory.dmp

Filesize
3.9MB

Download
memory/2312-395-0x00007FF7A8C90000-0x00007FF7A9081000-memory.dmp

Filesize
3.9MB

Download
memory/2364-392-0x00007FF7353F0000-0x00007FF7357E1000-memory.dmp

Filesize
3.9MB

Download
memory/2364-2145-0x00007FF7353F0000-0x00007FF7357E1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-2155-0x00007FF7C32C0000-0x00007FF7C36B1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-426-0x00007FF7C32C0000-0x00007FF7C36B1000-memory.dmp

Filesize
3.9MB

Download
memory/2500-434-0x00007FF73F000000-0x00007FF73F3F1000-memory.dmp

Filesize
3.9MB

Download
memory/2500-2163-0x00007FF73F000000-0x00007FF73F3F1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-0-0x00007FF641A00000-0x00007FF641DF1000-memory.dmp

Filesize
3.9MB

Download
memory/3408-1-0x000001FDCB450000-0x000001FDCB460000-memory.dmp

Filesize
64KB

Download
memory/3740-2138-0x00007FF6849B0000-0x00007FF684DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3740-384-0x00007FF6849B0000-0x00007FF684DA1000-memory.dmp

Filesize
3.9MB

Download
memory/3876-2158-0x00007FF66E270000-0x00007FF66E661000-memory.dmp

Filesize
3.9MB

Download
memory/3876-432-0x00007FF66E270000-0x00007FF66E661000-memory.dmp

Filesize
3.9MB

Download
memory/3904-2147-0x00007FF752AE0000-0x00007FF752ED1000-memory.dmp

Filesize
3.9MB

Download
memory/3904-397-0x00007FF752AE0000-0x00007FF752ED1000-memory.dmp

Filesize
3.9MB

Download
memory/4084-2153-0x00007FF7E99F0000-0x00007FF7E9DE1000-memory.dmp

Filesize
3.9MB

Download
memory/4084-414-0x00007FF7E99F0000-0x00007FF7E9DE1000-memory.dmp

Filesize
3.9MB

Download
memory/4140-440-0x00007FF6DD3E0000-0x00007FF6DD7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4140-2166-0x00007FF6DD3E0000-0x00007FF6DD7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4316-391-0x00007FF6F4940000-0x00007FF6F4D31000-memory.dmp

Filesize
3.9MB

Download
memory/4316-2140-0x00007FF6F4940000-0x00007FF6F4D31000-memory.dmp

Filesize
3.9MB

Download
memory/4348-375-0x00007FF6BB550000-0x00007FF6BB941000-memory.dmp

Filesize
3.9MB

Download
memory/4348-2134-0x00007FF6BB550000-0x00007FF6BB941000-memory.dmp

Filesize
3.9MB

Download
memory/4404-2089-0x00007FF646850000-0x00007FF646C41000-memory.dmp

Filesize
3.9MB

Download
memory/4404-1957-0x00007FF646850000-0x00007FF646C41000-memory.dmp

Filesize
3.9MB

Download
memory/4404-23-0x00007FF646850000-0x00007FF646C41000-memory.dmp

Filesize
3.9MB

Download
memory/4504-1982-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4504-17-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4504-2076-0x00007FF62D4B0000-0x00007FF62D8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4948-2151-0x00007FF7A1BC0000-0x00007FF7A1FB1000-memory.dmp

Filesize
3.9MB

Download
memory/4948-421-0x00007FF7A1BC0000-0x00007FF7A1FB1000-memory.dmp

Filesize
3.9MB

Download
memory/4988-31-0x00007FF795A70000-0x00007FF795E61000-memory.dmp

Filesize
3.9MB

Download
memory/4988-1984-0x00007FF795A70000-0x00007FF795E61000-memory.dmp

Filesize
3.9MB

Download
memory/4988-2118-0x00007FF795A70000-0x00007FF795E61000-memory.dmp

Filesize
3.9MB

Download
memory/5104-364-0x00007FF73E8C0000-0x00007FF73ECB1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2132-0x00007FF73E8C0000-0x00007FF73ECB1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads